UKUUG home


(the UK's Unix & Open Systems User Group)












Hardening Cisco Routers
Thomas Akin
Published by O'Reilly
173 pages
£ 17.50
Published: 8th March 2002
Reviewed by Raza Rizvi in the May 2002 issue

This slim tome is a veritable gem of a book. It is written in a logical and clear style that permits reading from start to finish, but each specific section is complete in its own right and as such it allows the reader to pick up the book and dip read satisfactorily. In fact I found this so easy to do that I had to discipline myself to read it the conventional way!

For many, the router is a device to which little real attention is paid. Yes, some effort may be made to apply access lists to protect devices behind the router, but the actual router itself is largely ignored. Those of us who work for ISPs, however, realise that attacks on a router often bring easy rewards, and this book should certainly act as a wakeup call to the network administrators who are naive enough to think that the router is an invisible cloak shielding them from harm.

The importance of the router and the need for its security is argued well in chapter 1, followed by a review of the naming scheme applied to Cisco IOS releases, since to know what vulnerabilities are present in the router operating system requires one to be able to translate the sometimes cryptic version nomenclature used by Cisco.

Chapter three sets the style for the rest of the book. The chapter covers basic access control all the way through to dialup, SSH, HTTP, and finally the use of IPSEC. It is crowded with excellent and well marked tips and warnings. The chapter is rounded off with a checklist, again a theme carried through the rest of the book.

Sensible recommendations for password implementation and security in chapter four lead to a practical chapter on the more in-depth access and authentication controls of TACACS, RADIUS and even that academic stalwart, Kerberos.

After covering the banners one might choose to frighten off would-be attackers, the author methodically uses the following chapters to show how to tighten the services that are all too often left as default on the router and shows how to implement the other services that can assist in administration (SNMP and dynamic routing) or security (logging). I was pleased to see that the need for consistent timestamping was emphasised with a whole chapter on Network Time Protocol (NTP).

The book is completed with 5 appendices, the first sensibly collecting all the chapter recommendations, and the third dealing with incident response.

So is this book perfect? Well, whilst ALL the recommendations were sensible, I found only one niggling omission. It would perhaps have aided readers if the features in the book were cross-referenced against the IOS version in which they appeared. The author does recommend staying with the latest General Deployment releases but often there may be memory or licensing reasons why a site will choose not to do a major release upgrade.

I learnt things from this book, and for me that is the best recommendation I can give.


Page last modified 03 Apr 2007
Copyright © 1995-2011 UKUUG Ltd.