I purchased an 871W ISR for a small business and want to know what the best practice is when setting up security for this type of router.
At the present time I have a static IP assigned to it and can SSH into it from the outside. Is this safe? If not, should I set up a VPN to access it from the outside? Is there a VPN how-to (or a link) where I can learn how to set it up?
I was also thinking about blocking ICMP from the outside. Is this even necessary if I set up a VPN?
Any help is greatly appreciated.
I have personally always opted to set up the ACL so that SSH is only allowed from certain source IPs. Although, if you don't have a static IP where you are as the administrator, that is not really an option. I would say there is not anything particularly wrong with opening SSH, but you probably want a strong password. Also, it doesn't hurt to run SSH on a non-standard port.
As far as VPN goes, one of the main reasons it exists is to open it from the outside. For people to "VPN-IN" from home, the keyword you want to look for when it comes to Cisco is "Client Initiated VPN". I think you probably need the security feature set for that, if I am not mistaken. This is more money under the new licensing model. This last bit about the licensing might be misinformation, though...
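
The source-IP restriction described in the reply above, sketched as an IOS configuration. This is an added example, not part of the original posts; the ACL name `MGMT-SSH` is hypothetical, the addresses are documentation ranges standing in for the administrator's real source IPs, and a local username is assumed to exist already.

```cisco
! Added example. 203.0.113.10 and 198.51.100.0/24 are documentation
! addresses used as placeholders; MGMT-SSH is a hypothetical ACL name.
ip access-list standard MGMT-SSH
 remark Hosts allowed to open SSH sessions to the router
 permit 203.0.113.10
 permit 198.51.100.0 0.0.0.255
 deny   any log
!
! Accept SSH version 2 only and limit login attempts per connection
ip ssh version 2
ip ssh authentication-retries 3
ip ssh time-out 60
!
line vty 0 4
! Apply the ACL to inbound management sessions on the vty lines
 access-class MGMT-SSH in
! Refuse Telnet, accept SSH only
 transport input ssh
! Authenticate against local usernames (assumed to be configured)
 login local
! Drop idle sessions after 10 minutes
 exec-timeout 10 0
```

`show access-lists MGMT-SSH` lists per-entry match counters, so rejected connection attempts show up against the `deny any log` entry.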