You may be better off posting this on a Cisco forum or comp.sys.dcom.cisco. This guide may be of help also. I would certainly recommend that you block source routed packets (no ip source-route) The source routing option allows an attacker to specify a route for their packets which allows them to receive a response even with a spoofed sender IP address - this does have a legitimate use for network diagnostics but on the Internet it is almost exclusively used with ill-intent. However, no detailed advice can be given without knowing the specifics of your network requirements (e.g. you are allowing GRE - do you need it?). As a general comment, I would suggest taking the approach of blocking all traffic except for certain protocols you deem "safe". This configuration seems to take the opposite approach in only blocking a couple of ports used commonly by worms - this does not therefore deal with current (and future) exploits using other ports.
okit thx bro but this site doesn't work comp.sys.dcom.cisco For the details , I juste have one pc , LAN IP : 10.0.0.1 SUb MAsk :255.0.0.0 Gateway :10.0.0.138 Router IP : 10.0.0.138 I find this acl with google what do you think plz ?? http://www.rpatrick.com/tech/acl/ And did you know a good cisco forum ?? ++
Hi kamui You might want to take a look a the following, the faq has some good info and additional links. DSLR Cisco Forum DSLR Cisco FAQ Regards, CrazyM
http://www.dslreports.com/forum/remark,10269760~mode=flat#10301093 plz help nobody answered me in the other forum
Hi kamui In the other post you mention anti spoofing rules. Does your router have an anti spoofing feature? Some do, and you could use that or acl's, but not both. Another link you might want to look at: Improving Security on Cisco Routers You refer to a list found from your google search above, did you happen to see the link there to a more complete explanation and example: Secure IOS Template Version 3.5 28 APR 2004 It has other useful links and also refers to a utility for auditing configs: NCAT (Network Config Audit Tool) and RAT (Router Audit Tool) http://ncat.sourceforge.net/ ... which you can find here: CIS Level-1 / Level-2 Benchmark and Audit Tool for Cisco IOS Routers Lots of reading, but if you want to go beyond the default config with your Cisco it is something you will have to do to ensure your configuration is correct and secure. Regards, CrazyM
It's not a website, it's a Usenet group. Use a Usenet reader to access it (Outlook Express isn't too bad for Usenet, despite its flaws as an email client) or Google Groups (comp.dcom.sys.cisco). If you decide to post there, then be sure that you follow the rules of Usenet Netiquette.
