Press "Enter" to skip to content

Cisco 877 security hardening

Published September 9, 2009

I researched some more information how to tighten the 877 against security attacks, and usually on your dialer interface you might have this..

ip access-group 101 in

then a access list for incoming traffic via access-group 101 might look like this..

access-list 101 permit ip any any

However with having this set, means icmp, port attacks, or any other type of probing could be spoofed to gain access to your network. I have implemented the following access list filter to stop that from occuring, by blocking any internal LAN ranges from the wan side coming in via the dialer interface, and other type of bogus attacks.

access-list 101 deny   icmp any any echo                (blocks wan pings)
access-list 101 deny   tcp any any eq 139     (blocks port 139 netbios attacks used for ms fileshares)
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any  (blocks internal lan range)
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any (blocks internal lan range)
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any (blocks internal lan range)
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any  (blocks localhost spoofs)
access-list 101 deny   ip 50.0.0.0 0.255.255.255 any   (blocks unused 50.* address space which attackers may spoof)
access-list 101 deny   ip 100.0.0.0 0.255.255.255 any   (blocks unused 100.* address space which attackers may spoof)
access-list 101 deny   ip 101.0.0.0 0.255.255.255 any (blocks unused 101.* address space which attackers may spoof)
access-list 101 deny   ip host 255.255.255.255 any (blocks spoofing from this address)
access-list 101 deny   ip host 0.0.0.0 any (blocks spoofing from this address)
access-list 101 permit ip any any  (permits all other traffic)

Now once you have this in place, how do you know if you are actually getting hits from any of these rules, and if the 877 is dropping the packets if the acl matches?

There is one nice command to show that data…(need to be in priviliged mode)

cisco877#show access-lists
Extended IP access list 101
10 deny icmp any any echo (30 matches)  <30 hits on blocking wan ping from outside sources
20 deny tcp any any eq 139 log
30 deny ip 10.0.0.0 0.255.255.255 any
40 deny ip 172.16.0.0 0.15.255.255 any
50 deny ip 192.168.0.0 0.0.255.255 any
60 deny ip 127.0.0.0 0.255.255.255 any
70 deny ip 50.0.0.0 0.255.255.255 any log
80 deny ip 100.0.0.0 0.255.255.255 any log
90 deny ip 101.0.0.0 0.255.255.255 any log
100 deny ip host 255.255.255.255 any
110 deny ip host 0.0.0.0 any
120 permit ip any any (2954091 matches) <<lots of hits being allowed in from other sources not in access list (normal ip traffic flow)

Hopefully this is useful to someone wishing to implement a bit more security to their 877 setup 🙂

Any questions post your comments.

[ad#googleadd1]

Published in Cisco 877

3 Comments

  1. S3cur3
    S3cur3 September 10, 2009

    Now if you wanted to go a little deeper you could use the details in this complete Deny Bogon ACL list:

    access-list 104 deny ip 0.0.0.0 1.255.255.255 any
    access-list 104 deny ip 2.0.0.0 0.255.255.255 any
    access-list 104 deny ip 5.0.0.0 0.255.255.255 any
    access-list 104 deny ip 10.0.0.0 0.255.255.255 any
    access-list 104 deny ip 14.0.0.0 0.255.255.255 any
    access-list 104 deny ip 23.0.0.0 0.255.255.255 any
    access-list 104 deny ip 27.0.0.0 0.255.255.255 any
    access-list 104 deny ip 31.0.0.0 0.255.255.255 any
    access-list 104 deny ip 36.0.0.0 1.255.255.255 any
    access-list 104 deny ip 39.0.0.0 0.255.255.255 any
    access-list 104 deny ip 42.0.0.0 0.255.255.255 any
    access-list 104 deny ip 100.0.0.0 3.255.255.255 any
    access-list 104 deny ip 104.0.0.0 3.255.255.255 any
    access-list 104 deny ip 127.0.0.0 0.255.255.255 any
    access-list 104 deny ip 169.254.0.0 0.0.255.255 any
    access-list 104 deny ip 172.16.0.0 0.0.255.255 any
    access-list 104 deny ip 176.0.0.0 1.255.255.255 any
    access-list 104 deny ip 181.0.0.0 0.255.255.255 any
    access-list 104 deny ip 185.0.0.0 0.255.255.255 any
    access-list 104 deny ip 192.0.2.0 0.0.0.255 any
    access-list 104 deny ip 192.168.0.0 0.0.255.255 any
    access-list 104 deny ip 198.18.0.0 0.1.255.255 any
    access-list 104 deny ip 224.0.0.0 31.255.255.255 any
    access-list 104 deny ip host 255.255.255.255 any

    Then again having long ACL’s applied will significantly degrade the performance of any 877, crippling router CPU & consequently downstream speed.

    Here’s a better tip, design the IN ACL of your dialer interface to focus on curbing invalid/malformed ICMP traffic. (Source SNAC guides NSA) i.e.

    ip access-list extended ICMP-Traffic
    remark Allowed ICMP-Traffic
    permit icmp any any source-quench
    permit icmp any any ttl-exceeded
    permit icmp any any echo-reply
    permit icmp any any parameter-problem
    deny icmp any any
    permit ip any any

    Then add this command to int dialer0 to resolve bogon ranges & spoofed IP’s.

    ip verify unicast source reachable-via rx allow-default

    Linky: http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ft_urpf.html

    Also think about configuring a suitable inspect parameter map to apply for timeouts and limiting half open connections etc. This can then be applied to your zone based rules.

  3. Grant
    Grant June 16, 2010

    I don’t agree with manually specifying bogon ranges due to the rate at which IPv4 space is being consumed, this eventually leads to out of date ACL’s causing reachability problems.

    Instead I’d suggest you subscribe to https://www.arin.net/participate/mailing_lists/arin_issued.html or some other feed of IP allocations and use a system to push out Cisco config changes.

    Either that or just drop RFC 1918 space and not worry about the bogon’s.

Comments are closed.