Protect a router

Hello

Is it advisable to protect a router itself against access using access control lists?

I've read somewhere that ACLs can block everything but the packets sent directly to the router, but that's obviously not true.

Consider the following scenario: I use an IOS router as a VPN gateway; it's located in a demilitarized zone, and beside this router are some other machines such as servers and other routers. The VPN gateway (and the demilitarized zone) are naturally protected by the firewall on the outside, but what happens if someone compromises one of the DMZ systems and starts to attack the VPN gateway? That's what I want the VPN router to protect against. So I could use the vty access classes

and so on, but why not just use an inbound access list on the DMZ interface like this:

ip access-list extended acl_f1/0-in
 permit esp any host 192.168.1.1
 permit udp any host 192.168.1.1 eq isakmp
 permit icmp any host 192.168.1.1
 deny ip any any log

... where 192.168.1.1 is the router itself.

So only VPN and ICMP traffic is allowed to the router's DMZ interface, and, for example, Telnet and other things are denied.

Is this good practice for securing a router, or have I misunderstood something?

Thank you very much for your review!
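To make the posted ACL concrete, here is an added example (not code from the post or from Cisco) that models IOS first-match evaluation of the `acl_f1/0-in` list and runs a handful of constructed packets through it. The addresses, the `Packet`/`Ace` types and the sample traffic are all assumptions made for illustration; the `eq isakmp` keyword is modelled as UDP/500.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example: a small first-match evaluator for the interface ACL from the post.
# Addresses, sample packets and the dataclasses below are constructed for illustration;
# this models ACL semantics only, not the router's own implementation.

ISAKMP_PORT = 500  # "eq isakmp" in IOS resolves to UDP port 500


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "esp", "udp", "tcp" or "icmp"
    dport: Optional[int] = None  # destination port for udp/tcp


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol, as in IOS
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # "eq <port>" on the destination, if any
    log: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


ANY = ipaddress.ip_network("0.0.0.0/0")
ROUTER = ipaddress.ip_network("192.168.1.1/32")  # the VPN gateway's DMZ address

# The ACL from the post, entry by entry, in the order IOS evaluates it.
ACL_F1_0_IN: List[Ace] = [
    Ace("permit", "esp", ANY, ROUTER),
    Ace("permit", "udp", ANY, ROUTER, dport=ISAKMP_PORT),
    Ace("permit", "icmp", ANY, ROUTER),
    Ace("deny", "ip", ANY, ANY, log=True),
]


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, bool]:
    """First matching entry wins; with no match the ACL denies implicitly (unlogged)."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action, ace.log
    return "deny", False


# Constructed sample traffic arriving inbound on the DMZ interface.
SAMPLES: Dict[str, Packet] = {
    "esp_to_router":    Packet("192.168.1.50", "192.168.1.1", "esp"),
    "isakmp_to_router": Packet("192.168.1.50", "192.168.1.1", "udp", 500),
    "ping_to_router":   Packet("192.168.1.50", "192.168.1.1", "icmp"),
    "telnet_to_router": Packet("192.168.1.50", "192.168.1.1", "tcp", 23),
    "ssh_to_router":    Packet("192.168.1.50", "192.168.1.1", "tcp", 22),
    # Transit traffic: a DMZ host talking to something behind the router.
    "https_transit":    Packet("192.168.1.50", "10.0.0.5", "tcp", 443),
}


def classify_samples() -> Dict[str, Tuple[str, bool]]:
    """Map each sample name to (action, logged) under the posted ACL."""
    return {name: evaluate(ACL_F1_0_IN, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (action, logged) in classify_samples().items():
        print(f"{name:18} -> {action}{' (log)' if logged else ''}")
```

The last sample is the caveat worth checking before deploying such a list: unlike `access-class` on the vty lines, which only governs sessions to the router's own terminal lines, an interface ACL sees every packet entering that interface, so the final `deny ip any any log` also drops traffic the DMZ hosts send through the router (for example into the VPN tunnel). Either add entries for the transit traffic that must pass, or restrict the deny entries to the router's own addresses.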

Frank, happy to be helpful.

Could you please rate the post; it helps others who may be looking for a similar document.

Thank you / Jay

Tags: Cisco Security

Similar Questions

  • Protect internet router from DDoS attacks

    Hello

    I have a small 2911 router connected to the main internet router, a GSR. This GSR has peering links with Internet service providers; the default route on the 2911 sends traffic to the GSR, and all the users connect on the 2911, then from the 2911 to the GSR. A DDoS attack on the 2911 got me wondering how I can protect the 2911 against this kind of attack. I have a few questions, if you can help me:

    1. What access list do I need to set up to protect the 2911 router, for example for ICMP, HTTP, ...

    2. What is the CoPP configuration that allows us to still access this router when it is under attack and the CPU is high?

    3. I heard the ASR and 7200 have some function to protect these routers against DDoS attacks; is it useful for all sorts of DDoS attacks?

    Thanks in advance.

    Hi Steven,

    Take a look at the links mentioned below:

    DDOS protection

    DDOS protection 2

    Kind regards

    Anim Saxena

    Community Manager

    * Please rate useful posts *

  • Satellite Pro L300-1 b 9 cannot connect to my wireless router

    Hello!

    I activated the wireless network on the SAT L300 PRO 1 b 9, but with a lot of struggle...
    First I had to find the switch to turn it on (I never got it :-)).
    Then I had to uninstall Atheros under Windows and set the flags on (activate) in the Windows driver.

    But in both Linux and Windows, I couldn't connect to my wireless router.
    My luck was that one of my neighbors has an open wireless network with security disabled, which I could use to test.
    The test was successful with this network, but my wireless router was inaccessible.
    The other machine could reach it.

    The result was:
    If I set the router to broadcast the SSID, both OSs (Ubuntu + Windows) can use the wireless network.

    But if I turn off the broadcast (to protect my router), the network driver is unable to use my router, no matter how I set the SSID...

    The router is a WRT54G, and it works with other computers if I hide the SSID, but the Satellite Pro L300 is unable to connect (with this option).

    Does someone know why? What should I do so I can hide the SSID from the bad guys?

    Thanks for any help!

    Regards,
    DD

    I don't know what Windows operating system you use, but if you use the original Vista, I think a good WLAN driver is part of the package. The wireless network adapter must be properly installed.

    It is not easy to say what the problem is here, but if the laptop can see and detect your WLAN network, then on the laptop's side everything should be OK. Try rebooting your router and check all the settings.

    In my opinion, there is a problem with the WLAN settings.

  • Delete comments off router

    How can I delete comments off wireless router?

    What "guest"? Someone who steals your service? You must secure and password protect the router. If this isn't what you're asking:

    HOW TO ASK A QUESTION:
    http://support.Microsoft.com/kb/555375

  • Protect a Linksys WRT54GL from access (ignore software config / selector)

    Hello

    I hope you will be able to help.
    I have a Linksys WRT54GL - OF and my problem is
    that someone manipulates the router.

    Is it possible to protect the router in such a way that it is not possible to reset the router,

    neither using the reset button

    nor with the Linksys software tool?

    Especially the software tools are the problem, I fear:
    someone could reset / manipulate the router using software.
    Is there an option?

    Many thanks in advance,
    T

    1. Lock up the router to prevent people from pressing the reset button.

    2. To avoid changes via the web interface, define a strong admin password.

    Otherwise, try 3rd party firmware, which you can configure in just about any way you like.

  • Ping of death protection options

    Hello

    I want to secure my network against the ping of death attack. The IOS IDS allows detection of this type of traffic, but does it drop the ICMP packet? If I don't have any IOS FW, what are my options to protect my router? Is this ACL enough:

    access-list 101 deny icmp any any fragments

    Thanks for your help and your comments!

    François

    Hello François,

    You asked "could someone confirm that the IOS IDS is also able to prevent these ping of death ICMP packets from getting through by 'dropping' them?" The answer is shown below, from Configuring Cisco IOS Firewall Intrusion Detection System:

    http://www.Cisco.com/univercd/CC/TD/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfids.htm

    2154 Ping of death attack, Atomic

    Triggers when an IP datagram is received with the Protocol field in the header set to 1 (ICMP), the Last Fragment bit is set, and

    (IP offset * 8) + (IP data length) > 65535

    In other words, the IP offset (which represents the starting position of this fragment in the original packet, and which is in units of 8 bytes) plus the rest of the packet exceeds the maximum size of an IP packet.

    Hope that helps! If yes, please rate.

    Thank you
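The fragment arithmetic quoted in that answer is easy to get wrong, so here is an added example (not the IOS IDS code and not from the thread) that parses raw IPv4 headers and applies the stated condition: protocol 1, more-fragments bit clear, and (offset * 8) + data length > 65535. The header builder, addresses and sample fragments are constructed for illustration.

```python
import struct
from typing import Tuple

# Added example: signature 2154's test applied to raw IPv4 headers.
# build_ipv4_header() and the sample fragments are constructed for illustration;
# nothing here is the IOS IDS implementation.

IPV4_HDR = "!BBHHHBBH4s4s"  # ver/IHL, TOS, total len, ID, flags+offset, TTL, proto, csum, src, dst
PROTO_ICMP = 1
FLAG_MF = 0x2000             # "more fragments" bit in the flags/offset field
OFFSET_MASK = 0x1FFF         # 13-bit fragment offset, in 8-byte units
MAX_IP_LEN = 65535           # largest datagram the 16-bit total length can describe


def parse_ipv4_header(raw: bytes) -> Tuple[int, bool, int, int]:
    """Return (protocol, more_fragments, fragment_offset, data_length) from an IPv4 header."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_off, _ttl, proto, _csum, _src, _dst = \
        struct.unpack(IPV4_HDR, raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl:
        raise ValueError("inconsistent header length")
    more_fragments = bool(flags_off & FLAG_MF)
    frag_offset = flags_off & OFFSET_MASK
    return proto, more_fragments, frag_offset, total_len - ihl


def is_ping_of_death(raw: bytes) -> bool:
    """Signature 2154 as stated in the post: ICMP, last fragment (MF clear), and
    (offset * 8) + data length > 65535, i.e. reassembly would produce an oversized datagram."""
    proto, more_fragments, frag_offset, data_len = parse_ipv4_header(raw)
    if proto != PROTO_ICMP or more_fragments:
        return False
    return frag_offset * 8 + data_len > MAX_IP_LEN


def build_ipv4_header(proto: int, data_len: int, more_fragments: bool, frag_offset: int) -> bytes:
    """Constructed test header (checksum left at zero; the check above never verifies it)."""
    flags_off = (FLAG_MF if more_fragments else 0) | (frag_offset & OFFSET_MASK)
    return struct.pack(IPV4_HDR, 0x45, 0, 20 + data_len, 0x1234, flags_off, 64, proto, 0,
                       bytes([192, 168, 1, 50]), bytes([192, 168, 1, 1]))


# Constructed samples: a normal echo request, a mid-train fragment, the oversize last
# fragment the signature is about, and the same shape carried by UDP instead of ICMP.
NORMAL_PING = build_ipv4_header(PROTO_ICMP, 64, False, 0)
MIDDLE_FRAGMENT = build_ipv4_header(PROTO_ICMP, 1480, True, 8100)   # MF set: not decidable yet
OVERSIZE_LAST = build_ipv4_header(PROTO_ICMP, 1000, False, 8100)    # 8100*8 + 1000 = 65800 > 65535
OVERSIZE_UDP = build_ipv4_header(17, 1000, False, 8100)             # same offsets, not ICMP


if __name__ == "__main__":
    for name, hdr in [("normal ping", NORMAL_PING), ("middle fragment", MIDDLE_FRAGMENT),
                      ("oversize last fragment", OVERSIZE_LAST), ("oversize UDP", OVERSIZE_UDP)]:
        print(f"{name:24} -> {'ALERT' if is_ping_of_death(hdr) else 'ok'}")
```

Note how the signature only fires on the last fragment, because only then is the full reassembled size known; the `fragments` keyword in the question's ACL instead matches every non-initial ICMP fragment, which is much broader but is what makes that ACL a workable defence on a router without the IDS feature.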

  • SG300-52: prefers to send traffic to the default gateway rather than the static route? Network stops if I disable ICMP redirects.

    I have 4 switches, each acting as its own network with a /26 subnet mask. They have static routes to every other switch. The firewall has a static route to each switch. If I unplug the LAN interface of the firewall, traffic stops flowing between the switches. If I block ICMP redirects on the LAN side of the firewall, traffic stalls.

    So if you are connected to this switch, say you pull an IP address of 192.168.122.20. Your gateway is the switch, 192.168.122.62. If you try to access a server at 192.168.127.142, the SG300 sends your traffic to 192.168.127.254 to get an ICMP redirect, rather than simply communicating directly with 192.168.127.50.

    My 'basic' network is 192.168.127.0/24 on vlan1 and the firewall is 192.168.127.254

    This is the routing table of one of my switches (which has 192.168.122.0/26 and ports running on vlan122):

     Maximum Parallel Paths: 1 (1 after reset)
     IP Forwarding: enabled
     Codes: > - best, C - connected, S - static
     S 0.0.0.0/0 [1/1] via 192.168.127.254, 73:48:13, vlan 1
     C 192.168.122.0/26 is directly connected, vlan 122
     S 192.168.123.0/26 [1/1] via 192.168.127.123, 73:48:13, vlan 1
     S 192.168.124.0/26 [1/1] via 192.168.127.124, 73:48:13, vlan 1
     S 192.168.125.0/26 [1/1] via 192.168.127.125, 73:48:14, vlan 1
     C 192.168.127.0/24 is directly connected, vlan 1

    In any case, what gives? Why would the switch first try to send the stream to the firewall?

    EDIT: Here is the server routing table:

     [email protected]:~$ ip route show
     default via 192.168.127.254 dev eth0
     192.168.122.0/26 via 192.168.127.122 dev eth0
     192.168.123.0/26 via 192.168.127.123 dev eth0
     192.168.124.0/26 via 192.168.127.124 dev eth0
     192.168.125.0/26 via 192.168.127.125 dev eth0
     192.168.127.0/24 dev eth0 proto kernel scope link src 192.168.127.142

    Hi Jonathan,

    I'm sorry. I misunderstood what you want to accomplish with the routing table. Your concern seems relevant, given that the longer matching rule should be selected instead of the other one: page 275 http://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/sf30x_sg30x/...

    ... "When routing traffic, the next hop is decided based on the longest prefix match (LPM algorithm). A destination IPv4 address might match several routes in the IPv4 Static Routing Table. The device uses the matching route with the higher subnet mask, that is, the longest prefix match." ...

    So go ahead and report it to the support team so the guys can reproduce it in the lab, confirm it and advise further:

    http://www.Cisco.com/c/en/us/support/Web/TSD-Cisco-small-business-suppor...

    Kind regards

    Aleksandra
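To show what the quoted LPM rule should produce for this exact table, here is an added example (not the SG300's forwarding code and not from the thread) that parses the switch's routing table as posted above and picks the longest matching prefix for a few destinations. The `Route` type, the parser regex and the lookup helpers are assumptions made for illustration; the table text is copied from the post as a constructed sample.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional

# Added example: longest-prefix-match selection over the switch's posted routing table.
# Parser and lookup are illustrative, not the SG300's forwarding implementation.


class Route(NamedTuple):
    code: str                      # "C" connected or "S" static
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]        # None for directly connected prefixes
    iface: str


# Matches both "S <prefix> [a/m] via <nh>, <age>, <iface>" and "C <prefix> is directly connected, <iface>".
ROUTE_RE = re.compile(
    r"^(?P<code>[SC])\s+(?P<prefix>\S+)\s+"
    r"(?:\[\d+/\d+\]\s+via\s+(?P<nh>[\d.]+),\s+\S+,|is directly connected,)\s+"
    r"(?P<iface>.+?)\s*$"
)

# Constructed sample: the table from the post, header lines included.
SWITCH_TABLE = """\
Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding: enabled
Codes: > - best, C - connected, S - static
S 0.0.0.0/0 [1/1] via 192.168.127.254, 73:48:13, vlan 1
C 192.168.122.0/26 is directly connected, vlan 122
S 192.168.123.0/26 [1/1] via 192.168.127.123, 73:48:13, vlan 1
S 192.168.124.0/26 [1/1] via 192.168.127.124, 73:48:13, vlan 1
S 192.168.125.0/26 [1/1] via 192.168.127.125, 73:48:14, vlan 1
C 192.168.127.0/24 is directly connected, vlan 1
"""


def parse_table(text: str) -> List[Route]:
    """Turn the show-output lines into Route entries; non-route lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        routes.append(Route(m["code"], ipaddress.ip_network(m["prefix"]), m["nh"], m["iface"]))
    return routes


def longest_prefix_match(routes: List[Route], dst: str) -> Optional[Route]:
    """Pick the matching route with the longest mask; the default route wins only when nothing else matches."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def next_hop_for(routes: List[Route], dst: str) -> Optional[str]:
    """Where the switch should forward: the next hop, or the destination itself when directly connected."""
    route = longest_prefix_match(routes, dst)
    if route is None:
        return None
    return route.next_hop if route.next_hop else dst


if __name__ == "__main__":
    table = parse_table(SWITCH_TABLE)
    for dst in ("192.168.127.142", "192.168.123.10", "8.8.8.8"):
        route = longest_prefix_match(table, dst)
        print(f"{dst:16} -> {route.prefix} via {next_hop_for(table, dst)} on {route.iface}")
```

For the server at 192.168.127.142 the /24 connected route is the longest match, so under the quoted rule the switch should ARP for the server directly on vlan 1 rather than hand the packet to 192.168.127.254 and rely on an ICMP redirect; a lookup that picks the /0 default instead is exactly the behaviour to report to support.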

  • Install HP Deskjet 3050A: computer indicates Microsoft XPS Document Printer installed. Then whil

    After installing and trying to print, the computer shows printer not found. Looking at it, only the Microsoft XPS Document Printer has been installed.

    I'm glad that you were able to understand.

    Don't forget your Deskjet 3050A printer can connect to a network wirelessly using either WPS (Wi-Fi Protected Setup) or by converting a USB installation to wireless. See pages 31-35 of your user manual.

    http://h10032.www1.HP.com/CTG/manual/c02853536.PDF

    1. Change a USB connection to a wireless network connection.

    • Install the printer using the USB cable.
    • Switch from a USB connection to a wireless network:

    1. From the computer's Start menu, select All Programs or Programs, and select HP.

    2. Select HP Deskjet 3050A J611 series.
    3. Select Printer Setup & Software.
    4. Select Convert a USB connected printer to wireless. Follow the instructions on the screen.

    2. WPS (Wi-Fi Protected Setup) requires a WPS router.

    • The push-button (PBC) method

    1. Press the Wi-Fi Protected Setup (WPS) button on your router.
    2. Hold down the wireless button on the printer until the wireless light blinks. Press and hold for 3 seconds to start WPS.
    NOTE: the product starts a timer of about two minutes during which the wireless connection must be established.

    • The wireless settings menu method

    1. Press the wireless button on the printer to display the wireless menu. If the printer is printing, in an error state, or performing a critical task, wait for the task to complete or the error to clear before you press the wireless button.
    2. Select Settings in the printer's wireless screen.
    3. Select Wi-Fi Protected Setup in the printer's screen.
    4. If you have a Wi-Fi Protected Setup (WPS) router with a WPS button, select Push Button and then follow the instructions on the screen. If your router does not have a push button or you are not sure whether it has one, select PIN and then follow the instructions on the screen.
    NOTE: the product starts a timer of about two minutes during which the corresponding button must be pressed on the network device, or the router PIN must be entered on the router's configuration page.

  • I have a home wireless network that is not secure. Need step-by-step instructions on how to secure it.

    I have a home wireless network which is not secure; I need step-by-step instructions on how to secure it.

    Password protect it to prevent anyone else from logging in.

    http://www.ehow.com/how_5043404_password-protect-wireless-router.html

  • 2 networks from 1 Comcast cable modem (ISP), using 2 Linksys WRT routers

    I need to have 2 separate networks from my Comcast cable modem.

    I expected to plug a 5-port hub into the cable modem, then plug both the WRT610N and the WRT54G into the hub. It seems that only one router will get an IP address assigned from Comcast.

    Is it possible to have one cable modem ISP connection and create two home networks with both Linksys routers, so two independent, separate networks?

    Network 1: public use and family (Jane's wireless laptop, domestic PC etc.).

    Network 2, household/enterprise: private and separate from the public family network (wireless laptop / company PC, non-secure media server).

    Thank you

    Your ISP only allows you to have a single public IP (i.e. a single active internet connection) at any time. This is part of your contract. If you want to use two internet connections at the same time, you need to update your contract with your ISP. Then you can use two public IP addresses.

    Otherwise, it depends on how 'independent' you want it. The best and most complete separation of networks is exactly the way you have set it up for the moment.

    You can get a separation by chaining the two routers. A router's default configuration does NAT (network address translation), which makes the LAN side basically inaccessible from the internet side unless you configure the router to do otherwise (i.e. set up port forwarding or UPnP or similar).

    So, you connect one router to your ISP modem. The first router uses LAN IP 192.168.1.1 and has the public IP address on the internet side. Everything connected to the first router is your 'public' network.

    Then, you change the LAN IP address of the second router from 192.168.1.1 to 192.168.2.1. On its internet side, set the static IP 192.168.1.2, subnet mask 255.255.255.0, gateway 192.168.1.1 and DNS 192.168.1.1 (or your ISP's DNS servers, e.g. check the first router's status page). Everything connected to the second router is "your" private network.

    Because of NAT, the private network is inaccessible from the 'public' network. Any connection to the private network must be initiated by a computer inside the private network. This is how any internet router protects the LAN from the internet.

    Of course, the 'protection' does not work the other way: anything in the private network can try to access anything in the public network. With this type of installation you cannot protect the public network from the private network. But this kind of separation is usually enough for people.

    There is a certain security risk for the private network, as all its internet traffic travels through the public network and the first router. The first router should be very well protected, i.e. use a very strong router password (instead of the default "admin"), and the wireless should also be very well protected (i.e. use WPA2 with AES and a strong password). The router password is the only thing that protects the router configuration. There is no other protection on the router's LAN side; for example there is no lockout if you try to connect with a wrong password three times. Thus, the router's password-protected web interface is vulnerable to brute force or dictionary attacks. If someone is able to crack the router password of the first router, it is possible to flash a custom firmware to analyze all your network traffic, including the internet traffic of the private network. Maybe it's a more theoretical security threat, but you should keep in mind that it is possible with this type of installation.

    If you want to have the private network separated from the public network as well, you can use a three-router configuration, i.e. the modem connects to the first router, and the first router connects to the second and third routers. Now the 'second' and 'third' LANs are entirely separate. The security risk mentioned for the first router remains valid.

    However, there may be some disadvantages with chained routers: first, traffic passes through two routers. If one router is slower than the other, it can slow down all of the network connections. For example, if you have a 50 Mbps internet connection and one of your routers can only handle 25 Mbps of internet throughput, then everything behind this router won't be able to use the full speed of the internet. You need to test whether this is a problem in your case.

    Furthermore, some people have problems with disconnects or an unstable internet connection when using a chained router configuration. It may be necessary to restart your routers to get back onto the internet.

  • IPv4 and IPv6 ACLs on the same vty line

    Hello everyone.

    I just want to confirm whether I can protect a router (telnet and ssh) by putting 2 ACLs (one IPv4 and the other IPv6) on the same vty line. Something like:

    line vty 0 4
     access-class hostsIPv4 in
     ipv6 access-class hostsIPv6 in

    Do I have to use named ACLs?

    Thanks in advance

    Yes, you can do it.

    line vty 0 4
     access-class 60 in
     ipv6 access-class acl-ipv6 in
     transport input telnet ssh

    Kind regards

    Herbert

  • Netgear router disabled the password protection and I can't turn it back on!

    For some reason my router is no longer password protected. I downloaded the Netgear Genie app and it shows the password in it. However, even if I change it, my other devices connect without requiring a password, and the connection doesn't show the small lock that indicates it is a secure device.

    I can't find any way to turn it back on. Can someone help me please!

    I changed the name and the password several times this way and it still showed as non-secure. Finally, it crashed and I couldn't even get it to connect to the internet at all.

    My solution was to order a new, updated NETGEAR router, which I received and installed, and I am looking forward to the updated version.

    Thanks for your help and advice. I guess that my router is just tired!

  • Can a router monitor display my purchases on a password-protected site like eBay?

    Can a router monitor display my purchases on a password-protected site like eBay? If not, what exactly can a router monitor (on another computer) discover about my wireless laptop? Thanks in advance for any help with this issue!

    Hello

    1. Which version of the Windows operating system is installed on the computer?

    2. What is the exact application you're talking about?

    A router monitor is a tool that allows you to monitor the router you are connected to and see the other connected IPs as well as other important details. It usually doesn't know the details of a web page being viewed, just the traffic volume. However, some routers have the ability to log which websites are visited, how much time is spent and how much bandwidth has been used.

    Therefore, you can also contact the manufacturer of the software for more details on the subject.

  • My Wi-Fi Protected Setup Wizard connection dialog box in the Intel PROSet/Wireless connection utility won't let me type in the password for my BigPond router.

    Wi-Fi Protected Setup Wizard connection dialog box in the Intel PROSet/Wireless connection utility

    My Wi-Fi Protected Setup Wizard connection dialog box in the Intel PROSet/Wireless connection utility won't let me type in the password for my BigPond router. It only lets me enter numbers, not letters. Can someone tell me how to work around this problem?

    Hello

    This can happen if the router is configured to accept a password consisting of numbers only. You can get in touch with BigPond support for more information on this.

    BigPond technical assistance

  • Is there a way to password protect guest access on an E2000 wireless router?

    I want to set up guest access on my E2000 router, but only for a few friends, not my entire neighborhood. When I originally created it with Cisco Connect, I was able to set up an account with a password, but it shows up in my list as non-secure wireless; you don't need the password to access it. Is there a way to password protect the guest connection?

    Yes, it appears to be unsafe, but in order to be able to surf you need the password that Cisco Connect generates.

    So no, it is not open, but I think they are still connected to the router, and that's not good either.
