Layer 3 Security
The Cisco SAFE Blueprint additionally lists several best practices for Layer 3 security. The afterward list
summarizes the key Layer 3 aegis recommendations from the SAFE Blueprint.
1. Enable defended Telnet admission to a router user interface, and accede application Defended Shell (SSH)
instead of Telnet.
2. Enable SNMP security, decidedly abacus SNMPv3 support.
3. Turn off all accidental casework on the router platform.
4. Turn on logging to accommodate an analysis trail.
5. Enable acquisition agreement authentication.
6. Enable the CEF forwarding aisle to abstain application flow-based paths like fast switching.
Additionally, RFCs 2827 and 3704 outline added recommended best practices for protecting
routers, Layer 3 forwarding (IP routing), and the Layer 3 ascendancy even (routing protocols). RFC
2827 addresses issues with the use of the IP Antecedent and Destination fields in the IP advance to form
some affectionate of attack. RFC 3704 capacity some issues accompanying to how the accoutrement of 2827 may be best
deployed over the Internet. Some of the capacity from those RFCs are as follows:
1. If a aggregation has registered a accurate IP prefix, packets with a antecedent abode central that
prefix should not be beatific into that free arrangement from the Internet.
2. Packets should never accept annihilation but a accurate unicast antecedent IP address, so packets with
source IP addresses of loopback (127.0.0.1), 127.x.x.x, advertisement addresses, multicast
addresses, and so on, should be filtered.
3. Directed (subnet) broadcasts should not be accustomed unless a specific charge exists.
4. Packets for which no acknowledgment avenue exists to the antecedent IP abode of the packet should be
discarded (reverse-path-forwarding [RPF] check).
This area does not attack to awning every allocation of Layer 3 security, accustomed the all-embracing purpose
of this book. The butt of this affiliate aboriginal provides some advertence advice apropos IP
ACLs, which of advance are generally acclimated to clarify packets. This area ends with advantage of some
of the added accepted Layer 3 attacks, and how Layer 3 aegis can abate those attacks.