RE: Basic security on 2611




Assuming your class C block is 198.60.59.0/24, do:

access-list 101 deny ip 198.60.59.0 0.0.0.255 any
(rest of your inbound access list)
interface serial0/0
ip access-group 101 in

and don't allow 514/udp in from the outside if the destination is the IP
address of the router.  In fact, don't allow ANYTHING from outside if the
packet's destination address is the router itself.  Except maybe icmp echo
request/echo reply...

-----------------------------------------------------
Scott M. Stone <sstone@example.com>
Senior Technical Consultant - UNIX and Networking
Taos, the Sysadmin Company - Santa Clara, CA


-----Original Message-----
From: Sven Simon [mailto:sven@example.com]
Sent: Saturday, May 19, 2001 8:06 PM
To: tlug@example.com
Subject: Basic security on 2611


I actually managed to get the Cisco 2611 hooked to the T1 line and to do
its job at the ISP yesterday. Now for some basic security issues...

I did an "ip route 0.0.0.0 0.0.0.0 serial0/0"
What would be the correct format to only allow packets with an IP from the
local LAN through, in order to prevent spoofing? Is it source destination or
rather source netmask, or do we use /24 netmask style?

Further, I came across a mail in a newsgroup saying the Cisco's vulnerable
on the syslog UDP port 514. Anybody know about this?

SVEN

-----------------------------------------------------------------------
Next Technical Meeting:  Sat, May 12 13:30- 
Next Nomikai Meeting:    Fri, June (TBA) 19:30- Tengu Tokyo Eki Mae
-----------------------------------------------------------------------
more info: http://www.tlug.gr.jp           Sponsor: Global Online Japan
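The inbound access list discussed in the reply, worked through as an added example that is not part of the thread: a small Python model of IOS extended-ACL evaluation that parses a constructed list in the spirit of the advice above and applies it first-match-wins, with the implicit deny at the end. The 198.60.59.0/24 block is the one assumed in the reply; 203.0.113.2 is an assumed address for the router's own serial0/0 interface. It also answers the netmask question: IOS uses a wildcard mask, the bitwise inverse of a netmask, so a /24 is written 0.0.0.255.

```python
import ipaddress

# Constructed ACL following the thread's advice (not the poster's exact config). 198.60.59.0/24
# is the block assumed in the reply; 203.0.113.2 is an assumed address for the router's serial0/0.
ACL_101 = """
access-list 101 deny ip 198.60.59.0 0.0.0.255 any
access-list 101 permit icmp any host 203.0.113.2 echo
access-list 101 deny udp any host 203.0.113.2 eq 514
access-list 101 deny ip any host 203.0.113.2
access-list 101 permit ip any 198.60.59.0 0.0.0.255
"""
_ip = lambda s: int(ipaddress.IPv4Address(s))

def _addr(t):
    """Consume one IOS address spec ('any', 'host A', or 'A WILDCARD'); return (net, wild, rest)."""
    if t[0] == "any":
        return 0, 0xFFFFFFFF, t[1:]
    if t[0] == "host":
        return _ip(t[1]), 0, t[2:]
    return _ip(t[0]), _ip(t[1]), t[2:]

def parse_acl(text):
    """Parse 'access-list N action proto SRC DST [extra]' lines into rule tuples."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        src, swild, rest = _addr(t[4:])
        dst, dwild, extra = _addr(rest)
        rules.append((t[2] == "permit", t[3], src, swild, dst, dwild, extra))
    return rules

def _match(addr, net, wild):
    # IOS wildcard mask is the inverse of a netmask: 1 bits are "don't care", 0 bits must match
    return ((addr ^ net) & ~wild & 0xFFFFFFFF) == 0

def evaluate(rules, pkt):
    """First matching entry wins; IOS applies an implicit deny when nothing matches."""
    src, dst = _ip(pkt["src"]), _ip(pkt["dst"])
    for permit, proto, ns, ws, nd, wd, extra in rules:
        if proto not in ("ip", pkt["proto"]) or not (_match(src, ns, ws) and _match(dst, nd, wd)):
            continue
        if (extra[:1] == ["eq"] and pkt.get("dport") != int(extra[1])) or (
                proto == "icmp" and extra and extra[0] != pkt.get("icmp")):
            continue
        return "permit" if permit else "deny"
    return "deny"
```

For instance, `evaluate(parse_acl(ACL_101), {"proto": "tcp", "src": "198.60.59.77", "dst": "198.60.59.10"})` returns "deny" because the packet claims a local source while arriving from the outside, while the same packet with source 192.0.2.5 is permitted; syslog (udp/514) to the router address is denied but syslog to a LAN host is not, matching the reply's scope.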