Notice on Network Management: Seven Sins of Route exchange security

The primary responsibility of the enterprise network administrator is to ensure the security of the Intranet. In the Intranet, route switching, especially for the core layer, is the highest security requirement, as a network administrator of small and medium-sized enterprises, how can we ensure the security of Routing Switching equipment? In actual work, I have come into contact with many network administrators, but they have more or less security risks and vulnerabilities in Routing Switching settings. Today, let's take a look at the Seven Sins of Routing Switching security.

　　One sin: Password Culture

Network administrators who have experience in Routing Switching configurations know that, by default, the enable password command is used to add management passwords to the routing switch device. However, the created passwords are not secure, it is stored in the running configuration file in plain text. We can view this information through show running, which is very insecure, therefore, we need to use another command to add an encrypted password. The specific command is -- enable secret. (1)

After executing the command, we can view the configuration file content through show running. The password is encrypted and stored in the configuration file. Of course, this information is not secure, after all, MD5 information can be cracked by brute force, and some sites also provide MD5 ciphertext lookup services. However, in any case, its security is greatly improved. (2)

 

Two sins: Password unification

Some network administrators think that passwords with more memory are confusing, so they use the same password as the server they manage When configuring the routing switch device. In fact, this is not safe, password unification will greatly increase the possibility of network devices being attacked. After all, if there are more devices, it will inevitably be attacked. Once a device is intruded, password unification will result in the disclosure of passwords of all devices. In addition, the routing switch device provides many passwords, such as the common mode password, privileged mode password, and configuration mode password, as well as the console port connection password and Telnet access password, we also need to set the mode and password to the same, not all. Different levels of passwords are used to authorize different users to avoid unauthorized access. (3)

　TIPS:

By default, network devices can use the BREAK mode during startup to access the listening ROMMON mode for password restoration. This poses a security risk, anyone who is close to the network device can reset the password through the Console port. Therefore, we can disable the password recovery mode to ensure the password memory is reliable, you can use the no service password-recovery command to disable the ROMMON listening mode.

Three sins: same password

The so-called same-level password means that different passwords are not assigned for different modes and different configuration interfaces. The management router can only use a unique password. In fact, this is also wrong. After all, it is impossible for you to access and manage the route exchange device at ordinary times. Therefore, it is very important to reasonably set the hierarchical management of passwords, and assign visit appropriately, the permissions such as monitor, system, and manage allow your security work to be easily handled. in actual application, the classification of these passwords greatly improves the security of the Core routing switch device. (4)

In addition, there is still a major problem in password management, that is, the handling of temporary passwords. In many cases, when the network fails, we may need to seek technical support from the vendor, in this case, we should not directly inform the technical support staff of the original password and set a temporary password to solve the remote or remote maintenance problem, after the maintenance is complete, remember to stop the temporary account. I found that many subordinate network administrators directly told the Administrator account when asking me for help, or even if a temporary account is created, you can log on and manage your account in a few months. These bring security risks to the routing switch equipment.

　TIPS:

By default, you do not need a password to log on to the routing switch device through the console. However, to ensure security, you should set a password for it. Run the following command to complete the process: line console 0, login, password XXXXXX, and then use the service password-encryption command to encrypt the set password.

Four sins: Casual Management

In fact, for a routing switch device, we can configure it through remote terminals, local terminals, WEB servers, TFTP servers, virtual terminals, SSH, and other methods, it is best to use a local terminal to reinforce network equipment, that is, to configure it through the Super Terminal of the PC and the Console port of the switch, because external interference should be avoided during the security reinforcement process, connecting to a vro through a local terminal can prevent the administrator from being refused to log on to the network device due to improper operations.

Of course, if we really need to use a non-local Super Terminal for management, the most standard way to manage Routing Switching devices is to use the access control list ACL to prevent unauthorized IP addresses from accessing the Routing Switching devices, in this way, even if an illegal user knows the management password, the user cannot intrude into the account because the IP address is unauthorized. In my personal experience, the Intranet can control access permissions by dividing VLAN Virtual LAN, while the Internet needs to use the ACL Access Control List to precisely assign authorization. (5)

　Five sins: Management Culture

The security defect of management culture is the most common problem in small and medium-sized enterprises. Most network administrators use telnet to manage related devices, some people use the HTTP page management mode provided by the device to complete the configuration. You must know that telnet or HTTP is not secure, anyone who connects to the Intranet and uses the sniffer tool can easily sniff the management password and configure the password. Therefore, we recommend that you use encrypted protocols such as SSH or HTTPS in management to effectively avoid sniffing by sniffer tools. We have already introduced the method of connecting to the routing and switching device through SSH in previous articles. I will not detail it here. Interested readers can refer to the relevant content.

To enable HTTPS management for a route switch device, perform the following operations: first enter the configuration mode of the route switch device, and then execute ip http server-secure, by default, HTTPS uses port 443 for management and access. We can change the default Management port through ip http secure-port XXX.

　Six sins: SNMP with low Permissions

Many network administrators manage intranet traffic for their convenience or by using third-party tools. At this time, we need to enable support for SNMP on the Core routing switch device. The problem also exists when enabling SNMP, many users use the default snmp community name and assign WRITE-readable and writable permissions. You must be aware that this is very dangerous. Many network management software can obtain SNMP data from the routing switch device, if the account name of the corresponding management community has the readable and writable permissions, intruders can easily use the SNMP protocol to obtain the configuration file of the routing switch device, and then directly steal the login password through brute force cracking and other methods. Therefore, try not to use the SNMP protocol when maintaining the routing switch device, if you must use this function, you can modify the default community name and assign a low RO read-only permission to protect the routing switch device. (6)

Seven Sins: Network unification

The last thing I want to talk about is network unification. Many enterprises seldom plan networks. After the system integrator completes implementation, the network parameters and configurations have not changed, we need to know that the unification of networks puts all network devices in the same network of an enterprise. On the one hand, this increases the number of broadcast packets and affects network communication efficiency. On the other hand, it is not conducive to the protection of private data, any computer inside an enterprise can use it as a springboard to attack all other devices after being intruded. Therefore, proper network separation is also the best solution to the above problems. In my personal experience, VLAN-based Virtual LAN is the simplest and most effective way. Of course, it should be designed based on the enterprise's network size and number of clients, the number of hosts in each VLAN should be appropriate. (7)

　　Summary:

Of course, this article only describes the minor faults that are most likely to be made during network management and maintenance, therefore, we should develop a good habit in the process of maintaining the routing switch device to fundamentally eliminate the above seven sins and make the Intranet more secure.