Several security defense measures on Cisco routers

Source: Internet
Author: User

Nowadays, network-layer attacks on the Internet are increasingly common and have become a major network security risk. Routers are not powerless against such attacks, however. This article briefly introduces several defensive measures that can be implemented on a Cisco router:
  
1. Defending against DoS attacks
DoS (Denial of Service) attacks of this kind target the TCP three-way handshake. TCP is a reliable transport protocol: before any data is transmitted, the initiator (client) sends a connection request, the receiver (server) acknowledges it and sends its own request back to the initiator, and only after the initiator's further acknowledgement does the actual data transfer begin. A DoS attack exploits this mechanism: the attacker uses software to forge the source IP address of the requests sent to a server. When the server sends its acknowledgement to that address, the third step of the handshake never arrives because the address is fake, and the half-open connection is left hanging. When an attacker sends thousands of such requests within a short period, the server's connection resources are quickly exhausted, none remain to answer legitimate service requests, and the network is paralyzed.
On a Cisco router, detection and avoidance can be done in several ways:
1. Enable service tcp-keepalives-in and scheduler process-watchdog terminate. The purpose is to set up a watchdog that checks established TCP connections; a connection that is idle or has hung for a long time is torn down.
2. When the router shows abnormal behaviour, use no ip source-route so that source-routed packets are no longer processed, avoiding unnecessary resource consumption. (Note that, under normal circumstances, even with source routing disabled the router remains exposed to IP address spoofing.) Also enable scheduler interval xxx (in milliseconds). This forces the router to interrupt the currently running process at that interval and hand time to other processes, so that other requests can still be served and the network is not completely paralyzed.
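The following IOS configuration fragment is an added example (not the article's own configuration) that puts the commands from this section together on one router. The ip tcp synwait-time line goes beyond the text: it shortens how long the router waits for handshakes it initiates itself. The scheduler interval value of 500 ms and the synwait value of 10 s are assumed values; the article leaves the interval open.

```text
! Added example: hardening a Cisco IOS router against half-open TCP floods.
! Values marked (assumed) are not from the article.
!
! Probe idle inbound TCP sessions (for example to the vty lines) and drop
! them when the peer no longer answers; do the same for outbound sessions.
service tcp-keepalives-in
service tcp-keepalives-out
!
! Watchdog: terminate a process that runs past its CPU allowance instead
! of letting it hang the router.
scheduler process-watchdog terminate
!
! Force the scheduler to give low-priority processes a turn every 500 ms
! (assumed value) even under sustained interrupt load from a flood.
scheduler interval 500
!
! Do not honour IP source-route options in received packets.
no ip source-route
!
! Beyond the article: wait at most 10 s (assumed) for a TCP handshake the
! router itself initiates before giving up (the IOS default is 30 s).
ip tcp synwait-time 10
!
! Verification after applying:
!   show tcp brief       - lists the router's TCP connections and their states
!   show processes cpu   - per-process CPU load, where a connection flood shows up
```

Apply the fragment in global configuration mode; none of these commands takes an interface, so they affect the router as a whole.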
  
2. Preventing IP address spoofing
Many network attacks rely on forged or spoofed source addresses in IP packets. It is well worth blocking such spoofing wherever feasible. One option is an access control list: there are many variants, but the goal is simple, namely to discard IP packets whose source address clearly cannot have arrived legitimately on the receiving interface. A more effective method is an RPF (reverse path forwarding) check. Its prerequisites are symmetric routing (that is, the path from A to B must also be the path from B to A), CEF switching, and an IOS version that supports the feature. It is enabled with ip verify unicast reverse-path, but ip cef must be enabled first.
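As an added example (not part of the original article), here is one way to combine both approaches from this section: an ingress ACL on the WAN interface that discards packets whose source address cannot legitimately arrive there, plus unicast RPF. The inside prefix 192.10.6.0/24 is taken from the article's later example; the interface names Serial0 and Ethernet0, the router address and the ACL names are assumptions.

```text
! Added example: anti-spoofing on a single-homed Cisco IOS router.
! Assumed topology: Serial0 = WAN uplink, Ethernet0 = inside LAN 192.10.6.0/24.
!
! uRPF requires CEF, so enable it first.
ip cef
!
! Packets arriving from the Internet must never carry an inside, private,
! loopback, "this network" or multicast source address.
ip access-list extended WAN-IN-ANTISPOOF
 remark our own prefix can never be a legitimate source from the WAN
 deny   ip 192.10.6.0 0.0.0.255 any log
 remark RFC 1918, loopback, 0.0.0.0/8 and multicast sources
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 224.0.0.0 15.255.255.255 any
 permit ip any any
!
! Packets leaving the LAN must carry an inside source address, which also
! stops the site from being used as a spoofing source itself.
ip access-list extended LAN-IN-ANTISPOOF
 permit ip 192.10.6.0 0.0.0.255 any
 deny   ip any any log
!
interface Serial0
 ip access-group WAN-IN-ANTISPOOF in
 ! Strict uRPF: drop a packet unless the route back to its source points
 ! out this same interface (the routing-symmetry requirement in the text).
 ! Newer IOS spells the same command "ip verify unicast source reachable-via rx".
 ip verify unicast reverse-path
!
interface Ethernet0
 ip address 192.10.6.1 255.255.255.0
 ip access-group LAN-IN-ANTISPOOF in
!
! Verification:
!   show ip interface Serial0   - shows whether uRPF is enabled and the
!                                 number of verification drops
!   show access-lists           - per-entry hit counters for both ACLs
```

Strict uRPF on a multi-homed router with asymmetric paths would drop legitimate traffic, which is why the text insists on symmetric routing; on such a router only the ACL part of the example applies.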
  
3. Disabling unnecessary services on the wide area network
A Cisco router runs many services that are not needed on the wide area network but are still enabled by default; they create security exposure and give attackers an opportunity, so it is recommended to disable them manually.
For example, use an access control list (ACL) to allow only the TCP and UDP ports actually in use. At the same time, run no service tcp-small-servers and no service udp-small-servers: these TCP and UDP small services are rarely used, but their ports are easy to abuse, so they should be closed. Also run no ip finger. The finger protocol is mainly used on Unix and is similar to show users in Cisco IOS; if it is enabled, an attacker can easily see which users are connected and go on to guess weak passwords for a legitimate login. If you want to reduce the risk of password guessing, disable this service on the router first.
On dial-up lines, transport input none is generally used to shut off vulnerable remote-login daemons such as telnet and rlogin.
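The fragment below is an added example, not the article's own configuration, of the hardening described in this section: the small servers and finger disabled, an ACL that only lets published services in from the WAN, and transport input none on the dial-in line. The server addresses and ACL names are assumed; the inside prefix 192.10.6.0/24 is the one used later in the article. The group of commands marked "beyond the article" (bootp, http, pad, CDP) is included because those services fall into the same category of defaults not needed on a WAN edge.

```text
! Added example: disabling unneeded services and allow-listing WAN ports.
! Assumed: inside LAN 192.10.6.0/24, a web server at 192.10.6.10 and a mail
! server at 192.10.6.20 (constructed addresses), WAN uplink Serial0.
!
! TCP/UDP small servers and finger (the IOS analogue of "show users").
no service tcp-small-servers
no service udp-small-servers
no ip finger
!
! Beyond the article, same category: other defaults not needed on a WAN edge.
no ip bootp server
no ip http server
no service pad
no cdp run
!
! Only the published services may be reached from the outside; return
! traffic for sessions opened from the inside is matched by "established".
ip access-list extended WAN-IN-SERVICES
 remark published servers
 permit tcp any host 192.10.6.10 eq www
 permit tcp any host 192.10.6.10 eq 443
 permit tcp any host 192.10.6.20 eq smtp
 remark replies to connections the inside initiated
 permit tcp any 192.10.6.0 0.0.0.255 established
 permit udp any eq domain 192.10.6.0 0.0.0.255
 remark everything else, including telnet to the router itself, is dropped and logged
 deny   ip any any log
!
! An interface takes one inbound ACL, so merge these entries with any
! anti-spoofing ACL already applied to the same interface.
interface Serial0
 ip access-group WAN-IN-SERVICES in
!
! Dial-in (aux) line: no incoming telnet/rlogin at all.
line aux 0
 transport input none
!
! Management access only from the inside LAN, with an idle timeout.
ip access-list standard VTY-MGMT
 permit 192.10.6.0 0.0.0.255
line vty 0 4
 access-class VTY-MGMT in
 exec-timeout 5 0
```

The udp "eq domain" entry admits any UDP datagram with source port 53, which is the price of stateless filtering for DNS replies; a stateful firewall, as the article's closing paragraph recommends, removes that gap.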
  
4. no ip directed-broadcast
The Ping of death attack is said to have originated in Russia. Its idea is that many users ping the same target at the same time, producing a flood attack. In practice the effect is limited, because besides generating the flood the attacker has to spend the same resources as the victim. Some people therefore optimized the method: the target of the attack is changed from a specific IP address to the broadcast address of a CIDR block, such as 192.10.6.255, so that every machine in that block responds to the request and the effect is amplified for the same effort.
The countermeasure is no ip directed-broadcast on the router's WAN interface. Besides isolating the all-ones broadcast 255.255.255.255, this also blocks directed broadcasts to CIDR block broadcast addresses such as 192.10.6.255, greatly reducing the risk of flood attacks and unnecessary traffic on the main line. Alternatively, once connectivity testing (ping) on the network is complete, use an access control list to block ICMP echo and echo-reply.
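An added example (not from the article) of the two measures in this section, assuming the WAN interface is Serial0 and the inside interface Ethernet0 is on 192.10.6.0/24 (the article's example prefix). no ip directed-broadcast is per interface and has been the IOS default since release 12.0, so on older images it must be set explicitly; the ICMP ACL goes a little beyond the text by keeping the ICMP types that path MTU discovery and traceroute depend on.

```text
! Added example: directed-broadcast amplification protection plus an ICMP echo filter.
! Assumed interfaces: Serial0 (WAN), Ethernet0 (LAN 192.10.6.0/24).
!
! Refuse to turn a directed broadcast (for example to 192.10.6.255) into a
! link-layer broadcast. Set it on every interface whose subnet must not
! act as an amplifier.
interface Ethernet0
 ip address 192.10.6.1 255.255.255.0
 no ip directed-broadcast
!
interface Serial0
 no ip directed-broadcast
 ip access-group WAN-IN-ICMP in
!
! Once connectivity testing is finished, stop echo and echo-reply from the
! WAN but keep the ICMP types other protocols rely on. Blocking echo-reply
! inbound also means hosts inside no longer see replies to their own pings,
! which is exactly what the text accepts after the ping test is done.
ip access-list extended WAN-IN-ICMP
 remark drop the "log" keyword under a sustained flood: logging costs CPU
 deny   icmp any any echo log
 deny   icmp any any echo-reply
 remark beyond the article: keep PMTUD and traceroute working
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 remark no other ICMP type is needed from the WAN
 deny   icmp any any
 permit ip any any
!
! Verification:
!   show ip interface Ethernet0 | include broadcast
!       - prints "Directed broadcast forwarding is disabled"
!   show access-lists WAN-IN-ICMP
!       - hit counters per entry, so the echo drops are visible
```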
  
Of course, a router is not a dedicated network security device. All it can do is reduce the impact of some network-layer attacks; it cannot make the network completely immune. The features above also cost some CPU and memory. And against methods such as login attacks and all application-layer attacks it is powerless. If such problems arise, you must use firewalls and other dedicated security devices and configure the systems strictly.
