Layer 3 Security

The Cisco SAFE Blueprint also lists several best practices for Layer 3 security. The following list summarizes the key Layer 3 security recommendations from the SAFE Blueprint.

1. Enable secure Telnet access to a router user interface, and consider using Secure Shell (SSH) instead of Telnet.

2. Enable SNMP security, particularly adding SNMPv3 support.

3. Turn off all unnecessary services on the router platform.

4. Turn on logging to provide an audit trail.

5. Enable routing protocol authentication.

6. Enable the CEF forwarding path to avoid using flow-based paths like fast switching.

Additionally, RFCs 2827 and 3704 outline other recommended best practices for protecting routers, Layer 3 forwarding (IP routing), and the Layer 3 control plane (routing protocols). RFC 2827 addresses issues with the use of the IP Source and Destination fields in the IP header to form some kind of attack. RFC 3704 details some issues related to how the tools of RFC 2827 may be best deployed over the Internet. Some of the details from those RFCs are as follows:

1. If a company has registered a particular IP prefix, packets with a source address inside that prefix should not be sent into that autonomous system from the Internet.

2. Packets should never have anything but a valid unicast source IP address, so packets with source IP addresses of loopback (127.0.0.1), 127.x.x.x, broadcast addresses, multicast addresses, and so on, should be filtered.

3. Directed (subnet) broadcasts should not be allowed unless a specific need exists.

4. Packets for which no return route exists to the source IP address of the packet should be discarded (reverse-path-forwarding [RPF] check).
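The following Python script is an added example, not part of the book or of any Cisco software; it models the four RFC 2827/3704 checks above as a packet filter run over a constructed routing table (interface names, prefixes and the sample packets are all made up). It goes slightly beyond the list by showing the difference between strict and loose RPF that RFC 3704 describes, and why a default route must be excluded from the RPF lookup unless the operator explicitly allows it (otherwise every source "has a route" and the check passes everything).

```python
import ipaddress

# Constructed sample data: a router with an Internet uplink on Gi0/0 and two
# internal prefixes reachable via Gi0/1 and Gi0/2. The routing table maps each
# prefix to the interface through which it is reached.
INTERNET_IFACE = "Gi0/0"
ROUTES = {
    ipaddress.ip_network("203.0.113.0/24"): "Gi0/1",    # our registered prefix
    ipaddress.ip_network("198.51.100.0/24"): "Gi0/2",   # a second internal prefix
    ipaddress.ip_network("0.0.0.0/0"): INTERNET_IFACE,  # default route toward the Internet
}
OWN_PREFIXES = [net for net, iface in ROUTES.items() if iface != INTERNET_IFACE]


def rpf_lookup(src, allow_default=False):
    """Longest-prefix match for the source address. The default route is ignored
    unless allow_default is set; with it counted, every source would appear to
    have a return route and the RPF check would never drop anything."""
    best = None
    for net, iface in ROUTES.items():
        if net.prefixlen == 0 and not allow_default:
            continue
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def is_valid_unicast_source(src):
    # Rule 2: loopback, multicast, unspecified, reserved (240/4) and the
    # limited-broadcast address are never legitimate source addresses.
    return not (src.is_loopback or src.is_multicast or src.is_unspecified
                or src.is_reserved or src == ipaddress.ip_address("255.255.255.255"))


def directed_broadcast_addresses():
    # The subnet broadcast address of every non-default prefix in the table.
    return {net.broadcast_address for net in ROUTES if net.prefixlen != 0}


def check_packet(src, dst, ingress, mode="strict",
                 allow_directed_bcast=False, allow_default=False):
    """Return 'permit' or 'drop: <reason>', applying the four rules in order."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    # Rule 2: only valid unicast sources.
    if not is_valid_unicast_source(src):
        return "drop: non-unicast source"
    # Rule 1: our own prefixes never arrive from the Internet.
    if ingress == INTERNET_IFACE and any(src in p for p in OWN_PREFIXES):
        return "drop: spoofed internal source from Internet"
    # Rule 3: directed broadcasts are dropped unless explicitly allowed.
    if dst in directed_broadcast_addresses() and not allow_directed_bcast:
        return "drop: directed broadcast"
    # Rule 4: reverse-path check. Strict mode also requires the return route to
    # point out the ingress interface; loose mode accepts any return route.
    match = rpf_lookup(src, allow_default)
    if match is None:
        return "drop: no return route to source"
    net, iface = match
    if mode == "strict" and iface != ingress:
        return "drop: strict uRPF (return route via %s, arrived on %s)" % (iface, ingress)
    return "permit"


if __name__ == "__main__":
    # Constructed sample packets: (source, destination, ingress interface).
    samples = [
        ("203.0.113.5", "198.51.100.10", "Gi0/0"),   # internal source from the Internet
        ("127.0.0.1", "203.0.113.1", "Gi0/0"),       # loopback source
        ("203.0.113.5", "198.51.100.255", "Gi0/1"),  # directed broadcast
        ("198.51.100.7", "203.0.113.9", "Gi0/1"),    # wrong ingress for strict uRPF
        ("192.0.2.9", "203.0.113.9", "Gi0/0"),       # Internet source, default route only
    ]
    for s, d, i in samples:
        print(s, "->", d, "on", i, ":", check_packet(s, d, i))
```

The last sample is the one to notice: an ordinary Internet source arriving on the uplink is dropped in strict mode because the only matching route is the default, which is excluded; passing allow_default=True makes the same packet permit. That is the trade-off an operator faces when enabling RPF on an interface that carries a default route.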

This section does not attempt to cover every aspect of Layer 3 security, given the overall purpose of this book. The remainder of this chapter first provides some reference information regarding IP ACLs, which of course are often used to filter packets. This section ends with coverage of some of the more common Layer 3 attacks, and how Layer 3 security can mitigate those attacks.