Nine steps to router security settings for network protection

Source: Internet
Author: User

For most enterprise LANs, the router has become one of the most important security devices in use. Most networks have a single primary access point: the edge ("border") router, which is usually deployed together with a dedicated firewall.

Properly configured, the edge router can keep almost all of the most persistent bad actors out of the network while still letting legitimate users in. A router without proper configuration, however, is scarcely better than no security measures at all.

The following guide walks through nine practical steps you can use to protect your network. Together they ensure that your network is protected by a brick wall rather than an open door.

1. Change the default password!

According to the CERT/CC (CERT Coordination Center) at Carnegie Mellon University, 80% of security breaches are caused by weak passwords. Extensive lists of default passwords for most routers are available on the Internet, and you can be sure that somebody somewhere knows your birthday. The SecurityStats.com website maintains a detailed list of usable and unusable passwords along with a password strength test.

2. Disable IP directed broadcast

Your servers are obedient: they do whatever they are told, no matter who sends the command. A Smurf attack is a denial-of-service attack in which the attacker sends ICMP echo requests with a forged source address to your network's broadcast address, so that every host on the segment answers. At a minimum this degrades your network's performance.

Refer to your router's documentation to learn how to disable IP directed broadcast. For example, on a Cisco router the interface-level command "Central(config-if)# no ip directed-broadcast" disables directed broadcasts; the global command "Central(config)# no ip source-route" is the related setting for disabling IP source routing, covered in step 5.

3. If possible, disable the router's HTTP configuration interface

As Cisco's technical note describes, the authentication used by HTTP is equivalent to sending an unencrypted password across the entire network. Unfortunately, HTTP provides no effective mechanism for challenge-based password verification or one-time passwords.

Although this unencrypted password may be very convenient when you configure your router from a remote location (such as your home), anyone else can do the same thing you can, especially if you are still using the default password! If you must manage the router remotely, make sure you use SNMPv3 or a later version, because it supports stronger password protection.

4. Block ICMP ping requests

The main purpose of ping is to identify which hosts are currently in use, so ping is commonly used for reconnaissance before a larger coordinated attack. By removing remote users' ability to get responses to ping requests, you can easily avoid unwanted scanning activity and defend against script kiddies looking for vulnerable targets.

Note that this does not actually protect your network from attack, but it does make you a less likely target.

5. Disable IP Source Routing

The IP protocol allows a host to specify the route a packet takes through your network, rather than letting the network components determine the best path. The legitimate use of this feature is diagnosing connectivity faults, but it is rarely used that way. Far more often it is used to map your network for reconnaissance, or by attackers looking for a back door into your private network. Disable this feature unless you have explicitly reserved it for fault diagnosis.

6. Determine your packet-filtering requirements

There are two approaches to blocking ports; which one suits your network depends on your security requirements.

For a highly secure network, especially one that stores or handles confidential data, a "filter by permission" policy is usually required. Under this policy every port and IP address is blocked except those needed for network functions. For example, port 80 for web traffic and ports 110/25 for mail (SMTP) are allowed from specified addresses, and every other port and address is disabled.

Most networks get an acceptable level of security from the "filter by request rejection" approach instead. Under this policy you block the ports that are not used on your network and the ports commonly used by Trojans or probing activity, which strengthens your network's security. For example, blocking ports 139 and 445 (TCP and UDP) makes it harder for attackers to break into your network, and blocking port 31337 (TCP and UDP) makes it harder for the Back Orifice Trojan to reach it.

This decision belongs in the network planning phase, when the required security level is matched against the needs of network users. Review a list of well-known ports to understand what these ports are normally used for.
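The two port-filtering approaches from step 6, side by side, as an added example that is not part of the original article. Both policies are evaluated against the same constructed sample traffic, and each is also rendered as the extended Cisco access-list lines that express it; the ACL number 101, the sample flows and the exact port set are assumptions for illustration (the ports themselves are the ones the article names).

```python
"""Two port-filtering policies for an edge router, as described in step 6.
Added example, not the article's own code. The policy shapes follow the
text: 'filter by permission' denies everything not explicitly allowed;
'filter by request rejection' allows everything not explicitly denied."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    proto: str  # "tcp" or "udp"
    dport: int  # destination port


@dataclass
class PortPolicy:
    default_allow: bool
    # (proto, port) -> True to allow, False to deny; anything else falls
    # through to default_allow.
    rules: dict = field(default_factory=dict)

    def add(self, proto: str, port: int, allow: bool) -> None:
        protos = ["tcp", "udp"] if proto == "both" else [proto]
        for p in protos:
            self.rules[(p, port)] = allow

    def permits(self, flow: Flow) -> bool:
        return self.rules.get((flow.proto, flow.dport), self.default_allow)

    def to_cisco_acl(self, number: int = 101) -> list:
        """Render as extended ACL lines; explicit rules first, then the
        implicit default as a final 'any any' line (a Cisco ACL otherwise
        ends with an implicit deny)."""
        lines = []
        for (proto, port), allow in sorted(self.rules.items()):
            verb = "permit" if allow else "deny"
            lines.append(f"access-list {number} {verb} {proto} any any eq {port}")
        if self.default_allow:
            lines.append(f"access-list {number} permit ip any any")
        else:
            lines.append(f"access-list {number} deny ip any any")
        return lines


def filter_by_permission() -> PortPolicy:
    """High-security network: block everything except what the network needs."""
    pol = PortPolicy(default_allow=False)
    pol.add("tcp", 80, True)   # web traffic
    pol.add("tcp", 25, True)   # mail (SMTP)
    pol.add("tcp", 110, True)  # mail (POP3)
    return pol


def filter_by_request_rejection() -> PortPolicy:
    """Typical network: allow everything except unused or known-bad ports."""
    pol = PortPolicy(default_allow=True)
    for port in (139, 445):         # NetBIOS / SMB, named in the article
        pol.add("both", port, False)
    pol.add("both", 31337, False)   # Back Orifice, named in the article
    return pol


# Constructed sample traffic: one flow per line of interest.
SAMPLE_FLOWS = [Flow("tcp", 80), Flow("tcp", 25), Flow("tcp", 445),
                Flow("udp", 31337), Flow("tcp", 8080)]


def evaluate(policy: PortPolicy, flows=SAMPLE_FLOWS) -> dict:
    """Map each (proto, port) in flows to the policy's decision."""
    return {(f.proto, f.dport): policy.permits(f) for f in flows}


if __name__ == "__main__":
    for name, pol in (("filter by permission", filter_by_permission()),
                      ("filter by request rejection", filter_by_request_rejection())):
        print(name, evaluate(pol))
        print("\n".join(pol.to_cisco_acl()))
```

Note how the same flow to TCP 8080 is dropped by the first policy and passed by the second: the only difference between the two approaches is what happens to traffic nobody wrote a rule for.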


7. Establish an address-filtering policy for inbound and outbound traffic

Create a policy on your border router that filters inbound and outbound traffic by IP address. Except in special cases, every IP address that tries to reach the Internet from inside your network should carry an address allocated to your LAN. For example, the address 192.168.0.1 may legitimately access the Internet through this router, whereas a packet leaving with the source address 216.239.55.99 is probably spoofed and part of an attack.

Conversely, the source addresses of traffic arriving from the Internet should never belong to your internal network, so inbound packets from addresses such as 192.168.X.X, 172.16.X.X and 10.X.X.X must be blocked.

Finally, traffic whose source or destination address is unroutable should not be allowed through this router at all. This includes the loopback address 127.0.0.1 and the class E range 240.0.0.0-254.255.255.255.

8. Maintain the physical security of the router

From a network-sniffing perspective, routers are safer than hubs, because a router forwards packets intelligently based on the IP address, whereas a hub repeats every frame to all of its ports. Anyone who connects a system to a hub and puts its network adapter into promiscuous mode can receive and read all of that traffic, including passwords, POP3 sessions and web sessions.

It is therefore important to secure physical access to your network equipment, so that unauthorized laptops and other sniffing devices cannot be attached to your local subnet.

9. Spend time reviewing security records

Reviewing your router's logs (using its built-in firewall function) is the most effective way to identify security events, whether an attack already under way or one still being prepared. Logging outbound traffic also lets you spot Trojans and spyware that try to open connections to the outside. Alert security administrators detected the Code Red and Nimda worm attacks this way before the antivirus vendors had responded.

In addition, because the router sits at the edge of your network, it lets you see all traffic entering and leaving the network.
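A small log-review routine in the spirit of step 9, added here as an example that is not part of the original article. It parses ACL log lines in the Cisco IOS "%SEC-6-IPACCESSLOGP" format and flags two patterns the step describes: internal hosts repeatedly trying to reach the outside on ports associated with Trojans (outbound logging), and external sources probing several internal hosts (an attack being prepared). The log lines, the internal prefix, the ACL numbers and the watched-port set are all constructed for this example.

```python
"""Review of edge-router ACL logs (step 9). Added example, not the
article's own code; the sample log lines below are constructed."""
import ipaddress
import re
from collections import Counter, defaultdict

# Cisco IOS ACL log message format, e.g.
# %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.0.23(1034) -> 203.0.113.5(31337), 3 packets
LOG_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)

# Assumed internal prefix and the ports the article singles out.
INTERNAL = ipaddress.ip_network("192.168.0.0/24")
WATCH_PORTS = {31337, 139, 445}
SCAN_THRESHOLD = 3  # distinct internal hosts touched by one external source

SAMPLE_LOG = [
    "Oct  5 10:01:12 edge 45: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.0.23(1034) -> 203.0.113.5(31337), 3 packets",
    "Oct  5 10:06:40 edge 46: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.0.23(1035) -> 203.0.113.5(31337), 2 packets",
    "Oct  5 10:07:02 edge 47: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.0.40(5012) -> 203.0.113.8(80), 1 packet",
    "Oct  5 10:09:15 edge 48: %SEC-6-IPACCESSLOGP: list 102 denied tcp 198.51.100.9(4433) -> 192.168.0.10(445), 1 packet",
    "Oct  5 10:09:15 edge 49: %SEC-6-IPACCESSLOGP: list 102 denied tcp 198.51.100.9(4434) -> 192.168.0.11(445), 1 packet",
    "Oct  5 10:09:16 edge 50: %SEC-6-IPACCESSLOGP: list 102 denied tcp 198.51.100.9(4435) -> 192.168.0.12(445), 1 packet",
    "Oct  5 10:11:30 edge 51: %SEC-6-IPACCESSLOGP: list 102 denied udp 198.51.100.20(53) -> 192.168.0.10(139), 1 packet",
    "Oct  5 10:12:00 edge 52: %SYS-5-CONFIG_I: Configured from console by admin",  # not an ACL line
]


def parse_line(line: str):
    """Return the ACL log fields as a dict, or None for other messages."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def review(lines=SAMPLE_LOG) -> tuple:
    """Return (outbound_suspects, scanners).

    outbound_suspects: {(internal host, dport): packets} for internal hosts
    hitting watched ports outside; scanners: {external src: hosts touched}
    for sources that reached SCAN_THRESHOLD or more internal hosts.
    """
    outbound = Counter()
    touched = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        if src in INTERNAL and dst not in INTERNAL and rec["dport"] in WATCH_PORTS:
            outbound[(rec["src"], rec["dport"])] += rec["count"]
        if src not in INTERNAL and dst in INTERNAL:
            touched[rec["src"]].add(rec["dst"])
    scanners = {s: len(h) for s, h in touched.items() if len(h) >= SCAN_THRESHOLD}
    return dict(outbound), scanners


if __name__ == "__main__":
    suspects, scans = review()
    for (host, port), n in suspects.items():
        print(f"internal host {host} tried port {port} outbound {n} times")
    for src, n in scans.items():
        print(f"external {src} probed {n} internal hosts")
```

In the constructed sample the internal host 192.168.0.23 is reported for its repeated attempts toward port 31337, and 198.51.100.9 is reported as a scanner because it touched three internal hosts; the single probe from 198.51.100.20 stays below the threshold, and the permitted web request is not a finding at all.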
