Anyone here know Cisco IOS routers?

Discussion in 'hardware' started by Gullible Jones, Jun 12, 2016.

  1. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
I have an old Cisco 1841 that I bought on eBay, for education and bandwidth/latency reasons.

    It performs very, very well on my 20 Mbit connection. (Comparable to a Linux router with QoS, and somewhat better on latency I think.) Implementing ACLs for port control etc. is pretty easy. However, security looked iffy enough that I took the thing down after a few days, and replaced it with the usual Linux netbook router.

    In short: it was making its HTTP and Telnet login prompts available to the whole Internet, with slightly tweaked "auto secure" settings. If that qualifies as hardened on Cisco routers, then I really want to get a better measure of the thing before swapping it in again.

    Questions:

    1. Can I limit any service to one or more specific Ethernet interfaces?

    From what I've seen it looks like some services are per-interface, while others are enabled or disabled globally. Is this the case or am I missing something?

    2. Can I block non-forwarded, inbound packets to the router, by interface?

    I'd like to just blanket deny administrative access from WAN, since I have no reason to want that, ever. This seems like a strict subset of anti-spoofing, but also seems difficult to do without invoking a static WAN IP address... which I don't want to do, because I have DHCP on the WAN side.

    3. How can I enable SSH on this model?

    Supposedly I can generate an RSA key and then enable the SSH service, or something like that; but every command that could possibly be involved in SSH logins seems to be missing.

    (For the record, I have two books on IOS. One is Cisco IOS in a Nutshell, which is good enough as a reference, but doesn't cover some of the weirder and model-specific stuff. The other is Cisco Routers for the Desperate, which was a waste of $10.)

    Edit: also, bonus question

    4. Can I make this thing send me logs by email?

    It doesn't look like it has any kind of MTA, but I'm not completely sure. Kind of weird too - even the obsolete, consumer-grade Dynex router that I no longer use was able to send log summaries by email.
     
  2. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Okay, updates...

    Points #1 and #2 turn out to be unnecessary. Any ACL will default-deny all traffic not explicitly permitted. So for restricting logins you just make the service's access-group point to an ACL that permits your LAN range (or such), and nothing else. Not sure how this meshes with anti-spoofing, but also not sure how much it matters, since logins are TCP anyway.

    (Oh, yes, I ran an external port scan. Everything's closed.)

    Point #3 is, I think, not applicable for the firmware revision on this router. Apparently I need a special version of IOS with crypto support. Sigh.

    Point #4, still looking into it. Probably not possible. Worst case, I can just log in every morning and look over the dropped packet logs...

    Edit: ah, got it. #4 is a nonissue because ACLs, again, didn't work how I thought; the NAT ACL can't do any filtering, it's all done by the inbound and outbound ACLs on each interface (duh). So anti-spoofing is dead simple.

    Blocking unsolicited TCP requests to the router itself seems rather more complicated, though. Downsides of stateless packet inspection...

    Edit 2: hmm. I should be able to blanket deny TCP SYN packets on the WAN side, one sec.

    Edit 3: hurray, this router actually has connection-tracking for TCP! I'll use that instead. :D
     
    Last edited: Jun 14, 2016
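To make the points in the two posts concrete, here is an added example configuration; it is not the poster's own config and not anything from Cisco, and it is built around assumed values: FastEthernet0/0 as the DHCP WAN port, FastEthernet0/1 as the LAN on 192.168.1.0/24, a syslog host at 192.168.1.10, and an image that supports reflexive ACLs (the "connection tracking for TCP" of Edit 3 is taken to mean reflexive ACLs here; if the box has CBAC, `ip inspect` would be the equivalent). It restricts Telnet and HTTP logins to the LAN (post #2's access-group point), puts anti-spoofing into the per-interface ACLs rather than the NAT ACL (Edit 1), admits only return traffic for sessions the LAN opened so unsolicited SYNs to the router's own address are dropped without the WAN address ever appearing in the ACL (question 2 and Edit 3), and ships the drop logs to a LAN syslog host since IOS has no MTA (question 4).

```cisco
! Added example, not from the thread. Interface names, the 192.168.1.0/24 LAN
! and the 192.168.1.10 syslog host are assumed values. Assumes an image that
! supports reflexive ACLs ("reflect" / "evaluate").
!
! --- Post #2, questions 1 and 2: restrict management logins with an ACL ---
! A standard ACL ends in an implicit "deny any"; the explicit line adds logging.
access-list 10 remark Hosts allowed to log in to the router
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny any log
!
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 transport input telnet
! SSH (question 3) needs a crypto k9 image; on one you would add
! "ip domain-name", "crypto key generate rsa" and "transport input ssh".
!
ip http access-class 10
! Or remove the web UI altogether: "no ip http server"
!
! --- NAT: this ACL only selects what gets translated, it filters nothing ---
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/0 overload
!
! --- Edit 1 / Edit 3: filtering lives in the interface ACLs ---
! Applied on the WAN interface in both directions so that the reflected
! entries carry post-NAT (public) addresses and match the returning packets.
ip access-list extended WAN-OUT
 remark LAN traffic leaving; "reflect" records each session so that
 remark the matching reply is permitted by "evaluate" in WAN-IN
 permit tcp any any reflect LAN-SESSIONS timeout 300
 permit udp any any reflect LAN-SESSIONS timeout 60
 permit icmp any any reflect LAN-SESSIONS
!
ip access-list extended WAN-IN
 remark Anti-spoofing: nothing from the Internet may claim our LAN,
 remark a private range or loopback as its source
 deny ip 192.168.1.0 0.0.0.255 any log
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 remark WAN address is dynamic, so the ISP's DHCP server must get in
 remark without our own address being named anywhere
 permit udp any eq bootps any eq bootpc
 remark Replies to sessions the LAN opened (dynamic entries from WAN-OUT)
 evaluate LAN-SESSIONS
 remark Everything else, including new TCP SYNs aimed at the router
 remark itself, is dropped and logged
 deny ip any any log
!
interface FastEthernet0/0
 description WAN, address from ISP DHCP
 ip address dhcp
 ip nat outside
 ip access-group WAN-IN in
 ip access-group WAN-OUT out
!
interface FastEthernet0/1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! --- Question 4: no MTA on IOS, but the denied-packet log goes out via syslog ---
logging buffered 16384 informational
logging trap informational
logging host 192.168.1.10
```

Two things worth checking once this is in place. `show access-lists` lists the dynamic entries reflexive ACLs create, so you can watch a LAN session appear in LAN-SESSIONS and age out after the timeout; `show logging` shows the buffered deny hits before they reach the syslog host. The approach from Edit 2 (allowing inbound TCP only with the `established` keyword) is the stateless alternative: it merely checks that the ACK or RST bit is set, so any packet with those bits set passes regardless of whether a session exists, whereas `evaluate` only admits packets matching a session the LAN actually opened.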