Anyone here know Cisco IOS routers?

Discussion in 'hardware' started by Gullible Jones, Jun 12, 2016.

  1. Gullible Jones

    Gullible Jones Registered Member

    May 16, 2013
I have an old Cisco 1841 that I bought on eBay, for education and bandwidth/latency reasons.

    It performs very, very well on my 20 Mbit connection. (Comparable to a Linux router with QoS, and somewhat better on latency I think.) Implementing ACLs for port control etc. is pretty easy. However, security looked iffy enough that I took the thing down after a few days, and replaced it with the usual Linux netbook router.

    In short: it was making its HTTP and Telnet login prompts available to the whole Internet, with slightly tweaked "auto secure" settings. If that qualifies as hardened on Cisco routers, then I really want to get a better measure of the thing before swapping it in again.


    1. Can I limit any service to one or more specific Ethernet interfaces?

    From what I've seen it looks like some services are per-interface, while others are enabled or disabled globally. Is this the case or am I missing something?

    2. Can I block non-forwarded, inbound packets to the router, by interface?

    I'd like to just blanket deny administrative access from WAN, since I have no reason to want that, ever. This seems like a strict subset of anti-spoofing, but also seems difficult to do without invoking a static WAN IP address... which I don't want to do, because I have DHCP on the WAN side.

    3. How can I enable SSH on this model?

    Supposedly I can generate an RSA key and then enable the SSH service, or something like that; but every command that could possibly be involved in SSH logins seems to be missing.

    (For the record, I have two books on IOS. One is Cisco IOS in a Nutshell, which is good enough as a reference, but doesn't cover some of the weirder and model-specific stuff. The other is Cisco Routers for the Desperate, which was a waste of $10.)

    Edit: also, bonus question

    4. Can I make this thing send me logs by email?

    It doesn't look like it has any kind of MTA, but I'm not completely sure. Kind of weird too - even the obsolete, consumer-grade Dynex router that I no longer use was able to send log summaries by email.
  2. Gullible Jones

    Gullible Jones Registered Member

    May 16, 2013
    Okay, updates...

    Points #1 and #2 turn out to be unnecessary. Any ACL will default-deny all traffic not explicitly permitted. So for restricting logins you just make the service's access-group point to an ACL that permits your LAN range (or such), and nothing else. Not sure how this meshes with anti-spoofing, but also not sure how much it matters, since logins are TCP anyway.

    (Oh, yes, I ran an external port scan. Everything's closed.)

    Point #3 is, I think, not applicable for the firmware revision on this router. Apparently I need a special version of IOS with crypto support. Sigh.

    Point #4, still looking into it. Probably not possible. Worst case, I can just log in every morning and look over the dropped packet logs...

    Edit: ah, got it. #4 is a nonissue because ACLs, again, didn't work how I thought; the NAT ACL can't do any filtering, it's all done by the inbound and outbound ACLs on each interface (duh). So anti-spoofing is dead simple.

    Blocking unsolicited TCP requests to the router itself seems rather more complicated, though. Downsides of stateless packet inspection...

    Edit 2: hmm. I should be able to blanket deny TCP SYN packets on the WAN side, one sec.

    Edit 3: hurray, this router actually has connection-tracking for TCP! I'll use that instead. :D
    Last edited: Jun 14, 2016
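The thread's conclusions, pulled together as one IOS configuration sketch. This is an added example, not the poster's running config and not taken from Cisco documentation; the interface roles (FastEthernet0/0 as the DHCP WAN port, FastEthernet0/1 as LAN), the 192.168.1.0/24 LAN range, the syslog host 192.168.1.10 and the `admin` account are assumptions. It covers all four questions: management services stay global but are fenced with `access-class` ACLs (so no static WAN address is needed), SSH and HTTPS are shown but only take effect on a crypto (k9) image, return traffic is matched statelessly with `established` and optionally statefully with CBAC, and logging goes to a syslog host because IOS has no mail client of its own.

```cisco
! Added example (not the poster's config). Assumed: Fa0/0 = WAN via DHCP,
! Fa0/1 = LAN 192.168.1.0/24, syslog host 192.168.1.10.
hostname r1841
ip domain-name lab.example
!
! Local admin account; 'secret' stores a hash rather than a type-7 password.
username admin privilege 15 secret CHANGE-ME
!
! ACL 10: the only source range allowed to reach management services.
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny   any log
!
! Questions 1 and 2: services are global, but each accepts an access-class,
! and an access-class needs no knowledge of the router's own WAN address.
no ip http server
ip http secure-server
ip http access-class 10
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
!
! Question 3: these need a crypto (k9) image; a non-crypto image rejects them,
! and 'ip http secure-server' above needs it as well.
crypto key generate rsa modulus 2048
ip ssh version 2
!
! NAT: the NAT ACL only selects what gets translated, it filters nothing.
access-list 20 permit 192.168.1.0 0.0.0.255
ip nat inside source list 20 interface FastEthernet0/0 overload
!
! WAN inbound: anti-spoofing plus stateless matching of return traffic.
ip access-list extended WAN-IN
 remark drop packets that claim a private or loopback source
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 remark DHCP replies for the dynamic WAN address
 permit udp any eq bootps any eq bootpc
 remark 'established' matches only segments with ACK or RST set, so a bare
 remark SYN toward the router (or the LAN) is dropped by the final deny
 permit tcp any any established
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
!
! Optional, firewall feature set only: real TCP/UDP connection tracking (CBAC).
! Inspecting outbound traffic opens matching return holes through WAN-IN.
ip inspect name LAN-OUT tcp
ip inspect name LAN-OUT udp
!
interface FastEthernet0/0
 description WAN
 ip address dhcp
 ip access-group WAN-IN in
 ip inspect LAN-OUT out
 ip nat outside
!
interface FastEthernet0/1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Question 4: no MTA on IOS. Buffer locally and ship syslog to a LAN host,
! which can mail a daily summary (logwatch or similar, not shown here).
logging buffered 16384 informational
logging trap informational
logging host 192.168.1.10
```

After applying it, `show ip access-lists` shows per-entry hit counters, which is the quickest way to confirm that the anti-spoofing and final deny lines are actually matching; `show logging` shows the dropped-packet entries produced by the `log` keywords, and `show ip ssh` confirms whether the image accepted the SSH configuration. The `established` keyword is a flag check, not state: it lets any segment with ACK or RST through, so on an image that has CBAC the `ip inspect` lines are the stronger control and the `established` entry becomes a fallback rather than the primary filter.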