TCP Intercept
Step 5. Set drop mode.
The following example configuration shows how to accomplish all of these tasks and gives comments on the parameters available:

!Create an extended access list.
!TCP Intercept access lists must be extended access lists (101–199).
!Extended access lists take wildcard masks (0.0.0.255), not subnet masks.
access-list 101 permit tcp host 172.30.1.15 host 10.1.1.1
!Allow access from the single host at 172.30.1.15 to the single host at 10.1.1.1.
access-list 101 permit tcp 172.30.2.0 0.0.0.255 host 10.1.1.2
!Allow any host on the 172.30.2.0 network to get to host 10.1.1.2.
!
ip tcp intercept list 101
!Starts TCP Intercept for the hosts listed as permitted in access list 101.
!
!Set the intercept mode.
ip tcp intercept mode intercept
!Sets the mode to intercept. The other possible mode is watch.
!
!Set the thresholds.
ip tcp intercept connection-timeout 3600
!Connections will be reset after 3600 seconds (1 hour) of no activity.
!The default is 86400 seconds (24 hours).
!
ip tcp intercept finrst-timeout 3
!Sets the time in seconds (3) after receiving a reset or FIN that the connection
!remains managed. The minimum is 1 second. The default is 5 seconds.
!
ip tcp intercept max-incomplete high 900
!Sets the maximum number of half-open connections (900) before the router goes
!into aggressive behavior mode. The default is 1100. The maximum is 2147483647.
!The minimum is 1.
!
ip tcp intercept max-incomplete low 700
!Sets the number of half-open connections (700) below which the router leaves
!aggressive behavior mode. The default is 900. The maximum is 2147483647.
!The minimum is 1.
!
ip tcp intercept one-minute high 800
!Sets the maximum number of connection requests (800) that may be received in a
!one-minute period before the router goes into aggressive behavior mode.
!The default is 1100. The maximum is 2147483647. The minimum is 1.
!
ip tcp intercept one-minute low 600
!Sets the number of connection requests (600) that may be received in a
!one-minute period below which the router leaves aggressive behavior mode.
!The default is 900. The maximum is 2147483647. The minimum is 1.
!
ip tcp intercept watch-timeout 20
!Sets the time in seconds (20) for a partially opened connection to complete
!the connection sequence before a reset is sent to the local host.
!
!Set the drop mode.
ip tcp intercept drop-mode random
!Sets the drop mode (random) to randomly choose which half-open connection to drop
!while in aggressive behavior mode. The default (oldest) drops the oldest
!partial connection first.
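As an added example (not from the book), this Python script parses the TCP Intercept watermark lines above, checks that each low watermark sits below its high watermark and inside the documented 1..2147483647 range, and traces how a router enters and leaves aggressive mode for a constructed series of half-open connection counts. The enter/leave rule (above high enters, below low leaves) is assumed from the comments above; the sample configuration is copied from them.

```python
import re

# Constructed sample: the TCP Intercept watermark lines from the configuration above.
SAMPLE_CONFIG = """\
ip tcp intercept max-incomplete high 900
ip tcp intercept max-incomplete low 700
ip tcp intercept one-minute high 800
ip tcp intercept one-minute low 600
ip tcp intercept drop-mode random
"""

MAX_THRESHOLD = 2147483647  # upper bound quoted in the configuration comments


def parse_intercept(config):
    """Collect the high/low watermark pairs, e.g. {'max-incomplete': {'high': 900, 'low': 700}}."""
    settings = {}
    pattern = re.compile(r"^ip tcp intercept (max-incomplete|one-minute) (high|low) (\d+)$")
    for line in config.splitlines():
        m = pattern.match(line.strip())
        if m:
            settings.setdefault(m.group(1), {})[m.group(2)] = int(m.group(3))
    return settings


def check_thresholds(settings):
    """Flag values outside 1..MAX_THRESHOLD and low watermarks that are not below their high."""
    problems = []
    for name, pair in settings.items():
        high, low = pair.get("high"), pair.get("low")
        for label, value in (("high", high), ("low", low)):
            if value is not None and not 1 <= value <= MAX_THRESHOLD:
                problems.append(f"{name} {label} {value} outside 1..{MAX_THRESHOLD}")
        if high is not None and low is not None and low >= high:
            problems.append(f"{name} low ({low}) must be below high ({high})")
    return problems


def aggressive_mode_trace(samples, high, low):
    """Hysteresis (assumed from the comments above): enter aggressive mode when a sample
    exceeds the high watermark, leave it only once a sample drops below the low watermark."""
    aggressive, trace = False, []
    for count in samples:
        if not aggressive and count > high:
            aggressive = True
        elif aggressive and count < low:
            aggressive = False
        trace.append(aggressive)
    return trace
```

A low watermark equal to or above the high one would keep the router in aggressive mode indefinitely, which is why the checker treats it as an error.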
This chapter explores the basic configurations and practices that help prevent the most obvious forms of attack from affecting your network. There are some very specific commands that most, if not all, administrators should employ, at least on their external routers.
No book can possibly tell you exactly how your routers should be configured. If there were, we would all be out of jobs. Every network is different and requires configurations that reflect the organization's unique goals and needs. Use this chapter as a guideline for the options available while setting up your routers. Some of the items discussed should be set on every router, no matter what the circumstances of your particular network. The configuration of other items will depend on the individual variations within networks and what you are trying to accomplish. Knowing the options that are available and how they operate can help administrators protect their networks from most intrusions.
A recurring theme is presented in this chapter that should be carefully considered while configuring routers: if a service is not needed, it should not be run. If a service is needed only on the internal network, do not run it on the external network. This is especially true of ICMP services. Restricting how ICMP messages are handled might protect not only your own network, but also some other administrator's network.
To give a concise overview of the salient configurations explored in this chapter, the following sections show sample configurations that incorporate all of the suggested settings. Remember that some of these commands might not be viable on your routers because of internally used IP addresses and special circumstances within your network. However, they will still serve as a guideline for your configurations. Review the following configurations before moving on to Chapter 3, "Overview of the Cisco Security Solution and the Cisco Secure Product Family."
Global Commands

no enable password
!prevents the older non-secure enable password from being used
enable secret level 7 9%ad100gbellisnon
!uses a secret password that follows the rules for passwords
service password-encryption
!encrypts the passwords stored in the configuration
no cdp run
!prevents CDP from sending information (disables CDP on the whole router)
access-list 7 permit 172.30.1.45
access-list 7 permit 10.1.1.53
!sets up access list 7 for use with SNMP
access-list 8 permit 172.30.1.45
access-list 8 permit 10.1.1.53
access-list 8 deny any
!sets up access list 8 for use with telnet on vty 0 through 4
snmp-server community 85tres76n RO 7
!read-only community string, restricted to the hosts permitted in access list 7
snmp-server trap-source Loopback0
snmp-server trap-authentication
snmp-server enable traps config
snmp-server enable traps envmon
snmp-server enable traps bgp
snmp-server enable traps frame-relay
!sets the SNMP traps
snmp-server contact Joe Admin [[email protected]]
snmp-server location main server room router 8
!sets the contact information following the password rules
snmp-server host 172.30.1.45 85tres76n
snmp-server host 10.1.1.53 85tres76n
!sets the SNMP servers that receive traps (access list 7 above limits which hosts may request SNMP information)
snmp-server tftp-server-list 7
!sets a valid SNMP TFTP server
no ntp enable
!stops unneeded NTP services
no service finger
!stops finger service
no service pad
!old command dealing with X.25
no service udp-small-servers
no service tcp-small-servers
!stops the small server services
no ip directed-broadcast
!stops directed broadcasts
no ip proxy-arp
!prevents answering ARP requests in proxy mode for another device
no ip source-route
!prevents outside entities from directing the routes a packet takes

Interface Commands
!apply to both inside and outside interfaces

no ip redirects
!do not send ICMP redirects for packets forwarded out the interface they came in on
no ip unreachables
!do not respond with host unreachable messages
access-list 191 deny ip host 0.0.0.0 any
access-list 191 deny ip 10.0.0.0 0.255.255.255 any
access-list 191 deny ip 127.0.0.0 0.255.255.255 any
access-list 191 deny ip 169.254.0.0 0.0.255.255 any
access-list 191 deny ip 172.16.0.0 0.15.255.255 any
access-list 191 deny ip 192.0.2.0 0.0.0.255 any
access-list 191 deny ip 192.168.0.0 0.0.255.255 any
access-list 191 deny ip 224.0.0.0 31.255.255.255 any
access-list 191 deny ip any 255.255.255.128 0.0.0.127
access-list 191 permit ip any any
!do not route packets sourced from any of the private or reserved networks
!(extended access lists take wildcard masks, so 0.255.255.255 covers 10.0.0.0/8)
ip access-group 191 in
!applies access list 191 inbound on the interface; without this line the list has no effect

vty Commands

line vty 0 4
 access-class 8 in
 !sets access list 8 to limit Telnet access
 exec-timeout 5 0
 !automatically times out the Telnet connection after 5 minutes of no activity
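As an added example, not from the book, this Python audit walks a running-config excerpt and reports which of the recommended global and vty settings above are absent; the checklist and the sample running-config are constructed for the example. It also flags SNMP community strings configured without an access list number, the weak form of the snmp-server community line shown above.

```python
import re

# Checklist derived from the sample configuration above; each entry is a regex that a
# hardened running-config should match on at least one line (constructed for this example).
HARDENING_CHECKS = {
    "no enable password": r"^no enable password$",
    "enable secret": r"^enable secret ",
    "service password-encryption": r"^service password-encryption$",
    "no service finger": r"^no service finger$",
    "no service tcp-small-servers": r"^no service tcp-small-servers$",
    "no service udp-small-servers": r"^no service udp-small-servers$",
    "no ip source-route": r"^no ip source-route$",
    "snmp community restricted by access list": r"^snmp-server community \S+ R[OW] \d+$",
    "vty access-class": r"^ access-class \d+ in$",
    "vty exec-timeout": r"^ exec-timeout \d+ \d+$",
}

# Constructed running-config excerpt: finger is still enabled and the vty lines have no timeout.
SAMPLE_RUNNING_CONFIG = """\
no enable password
enable secret level 7 9%ad100gbellisnon
service password-encryption
no service udp-small-servers
no service tcp-small-servers
no ip source-route
snmp-server community 85tres76n RO 7
line vty 0 4
 access-class 8 in
"""


def audit_config(config, checks=HARDENING_CHECKS):
    """Return the names of recommended settings absent from the config text, in checklist order."""
    lines = config.splitlines()
    return [name for name, pattern in checks.items()
            if not any(re.match(pattern, line) for line in lines)]


def unrestricted_communities(config):
    """Return SNMP community strings configured without an access list number (the weak form)."""
    weak = []
    for line in config.splitlines():
        m = re.match(r"^snmp-server community (\S+)(?: R[OW])?$", line)
        if m:
            weak.append(m.group(1))
    return weak
```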