User:RichardJune/Hardening

From ImageStream Router Documentation


Firewall rules

Make sure to explicitly disallow traffic that is non-routable on the public Internet (the RFC 1918 ranges), and traffic that should only ever appear on one particular interface, such as packets with a LAN source address arriving on the uplink. For example, let's assume this wan.conf:

Base configuration

!
interface Ethernet0
  ip address 1.1.1.1 255.255.255.0
  description Local LAN
!
interface Serial0
  encapsulation hdlc
  ip address 1.1.2.1 255.255.255.252
  description uplink to the internet
!
ip route add default via 1.1.2.2

You would want this firewall ruleset:

#
# Section: Information
#
# Define information for the firewall script here.
LAN_INTERFACE="eth0"
LAN_SUBNET="1.1.1.0/24"
WAN_INTERFACE="Serial0"
WAN_SUBNET="1.1.2.0/30"

#
# Section: LAN
#
# This is the local LAN. All traffic forwarded from this interface must
# originate within the subnet configured on Ethernet0. Accept traffic
# from that subnet, then silently discard everything else (spoofed sources).
iptables -A FORWARD -i ${LAN_INTERFACE} -s ${LAN_SUBNET} -j ACCEPT
iptables -A FORWARD -i ${LAN_INTERFACE} -j DROP

#
# Section: WAN
#
# Traffic coming in on Serial0 is different, that's coming from
# the world at large. The only thing we know is that it should not
# originate from our LAN subnet or a subnet defined in RFC 1918.
iptables -A FORWARD -i ${WAN_INTERFACE} -s ${LAN_SUBNET} -j DROP
iptables -A FORWARD -i ${WAN_INTERFACE} -s 10.0.0.0/8 -j DROP
iptables -A FORWARD -i ${WAN_INTERFACE} -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i ${WAN_INTERFACE} -s 192.168.0.0/16 -j DROP

#
# Section: Router access
#
# Next, control access to the router itself. Allow the router full access
# to itself over loopback, and allow specific addresses to manage the router
# over SSH. Responses to connections initiated by the router are allowed;
# everything else is silently dropped by the chain policy.
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
# Management host on the LAN
iptables -A INPUT -i ${LAN_INTERFACE} -s 1.1.1.3 -p tcp --dport 22 -j ACCEPT
# Remote management host reached over the uplink
iptables -A INPUT -i ${WAN_INTERFACE} -s 19.2.3.1 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT --match state --state ESTABLISHED,RELATED -j ACCEPT
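The FORWARD rules above can be checked offline with a small first-match evaluator, which also makes visible why the LAN ACCEPT rule has to precede the LAN DROP rule. This is an added example, not part of the ImageStream documentation: it models only the -i/-s/-j options used on this page, assumes the kernel's default FORWARD policy of ACCEPT (the script sets none), and the sample packets are constructed.

```python
"""Evaluate the page's FORWARD-chain anti-spoofing rules against sample packets."""
import ipaddress
import shlex

# Interface variables as defined in the page's firewall script.
LAN_INTERFACE, LAN_SUBNET = "eth0", "1.1.1.0/24"
WAN_INTERFACE = "Serial0"

# The page's FORWARD rules, with the shell variables expanded.
RULESET = f"""
iptables -A FORWARD -i {LAN_INTERFACE} -s {LAN_SUBNET} -j ACCEPT
iptables -A FORWARD -i {LAN_INTERFACE} -j DROP
iptables -A FORWARD -i {WAN_INTERFACE} -s {LAN_SUBNET} -j DROP
iptables -A FORWARD -i {WAN_INTERFACE} -s 10.0.0.0/8 -j DROP
iptables -A FORWARD -i {WAN_INTERFACE} -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i {WAN_INTERFACE} -s 192.168.0.0/16 -j DROP
"""


def parse_rules(script):
    """Turn 'iptables -A FORWARD -i IF [-s NET] -j TARGET' lines into tuples.
    Every option used here takes exactly one value, so pairing argv[1::2]
    with argv[2::2] yields an option -> value mapping."""
    rules = []
    for line in script.strip().splitlines():
        argv = shlex.split(line)
        opts = dict(zip(argv[1::2], argv[2::2]))
        if opts.get("-A") != "FORWARD":
            continue
        src = ipaddress.ip_network(opts["-s"]) if "-s" in opts else None
        rules.append((opts["-i"], src, opts["-j"]))
    return rules


def forward_verdict(rules, in_iface, src_ip, policy="ACCEPT"):
    """First matching rule wins; if nothing matches, the chain policy applies
    (assumed ACCEPT, the kernel default, since the page sets no FORWARD policy)."""
    addr = ipaddress.ip_address(src_ip)
    for iface, net, target in rules:
        if iface == in_iface and (net is None or addr in net):
            return target
    return policy


if __name__ == "__main__":
    rules = parse_rules(RULESET)
    # Constructed sample packets: (ingress interface, source address).
    for iface, src in [("eth0", "1.1.1.20"), ("eth0", "10.9.8.7"),
                       ("Serial0", "1.1.1.20"), ("Serial0", "192.168.5.5"),
                       ("Serial0", "8.8.8.8")]:
        print(f"{iface:8} {src:14} -> {forward_verdict(rules, iface, src)}")
```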

SNMP (Simple Network Management Protocol)

The router supports versions 1 and 2 of the SNMP protocol. Unfortunately, neither specification provides encryption at the protocol level, so community strings and polled data cross the network in cleartext. The most effective protection for SNMP is therefore to set up a VPN between the router and the management station. In addition, restrict access to the permitted IP addresses with iptables, or use the SNMP configuration file to limit each community to specific areas of the MIB. To configure SNMP, log in to the router and, from the main menu, select Option '1. Configuration', then Option '5. Service Configuration', then Option '7. snmp...', then Option '1. Configure snmp'. By default SNMP provides access to the full MIB to any system in the same subnet as the router; the second line below shows how to bind a community to a single host and a single MIB subtree instead.

# Read-only community "public": no source restriction, whole MIB (the default).
rocommunity  public
# Read-only community "host": only from 192.168.42.254, and only the
# system subtree (.1.3.6.1.2.1.1) of the MIB.
rocommunity  host 192.168.42.254 .1.3.6.1.2.1.1