Unless they are reminded by Cisco's latest security warnings, many network administrators do not realize that their routers can be a hot spot for attacks. A router's operating system is as vulnerable to hackers as a network operating system. Most SMEs neither hire router engineers nor treat outsourcing this function as a necessity. As a result, network administrators and managers have neither the knowledge nor the time to ensure the security of the router. Here are 10 basic tips for ensuring router security.
1. Update your router operating system: Like a network operating system, the router's operating system needs to be updated to correct programming errors, software flaws, and buffer overflow problems. Always check with your router manufacturer for current updates and operating system versions.
2. Change the default password: According to the Computer Emergency Response Team at Carnegie Mellon University, 80% of security incidents were caused by weak or default passwords. Avoid common passwords, and mix uppercase and lowercase letters as a stronger password rule. The following link lists common passwords used by computer administrators: http://www.thenetworkadministrator.com/passwords.htm.
3. Disable HTTP configuration and SNMP (Simple Network Management Protocol): The router's HTTP configuration interface is convenient for a busy network administrator. However, it is also a security problem for the router. If your router has a command-line configuration interface, disable HTTP configuration and use the command line instead. If you do not use SNMP on your router, there is no need to enable it. Cisco routers have an SNMP security vulnerability that is susceptible to a GRE tunneling attack.
4. Block ICMP (Internet Control Message Protocol) ping requests: Ping and other ICMP features are useful tools for both network administrators and hackers. Hackers can use the ICMP features enabled on your router to find information that can be used to attack your network.
5. Disable Telnet access from the Internet: In most cases, you do not need an active Telnet session on the Internet-facing interface. It is safer to access your router configuration from inside the network.
6. Disable IP directed broadcasts: IP directed broadcasts can allow denial-of-service attacks on your device. The memory and CPU of a single router can only handle so many requests, and too many of them can cause a buffer overflow.
7. Disable IP routing and IP redirection: Redirection allows packets to come in on one interface and go out of another. You do not need carefully designed packets redirected to a dedicated internal network.
8. Packet filtering: Packet filtering passes only the kinds of packets you allow into your network. Many companies allow only port 80 (HTTP) and ports 110/25 (e-mail). In addition, you can block or allow individual IP addresses and address ranges.
9. Review security logs: Simply by spending some time reviewing your log files, you will see obvious attack patterns, or even security vulnerabilities. You will be amazed at how many attacks you have experienced.
10. Unnecessary services: Permanently disable unnecessary services, whether they are on routers, servers, or workstations. Cisco devices provide some small services through the network operating system, such as Echo, Chargen (Character Generator protocol) and Discard (Discard protocol). These services, especially their UDP versions, are rarely used for legitimate purposes. However, they can be used to carry out denial-of-service attacks and other attacks. Packet filtering can prevent these attacks.
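As an added example (not part of the original article), the following Python sketch checks a Cisco IOS-style configuration for the settings that tips 3, 5, 6, 7 and 10 say to disable. The IOS command names are standard IOS commands that the article itself does not name, the sample configuration is constructed, and the script assumes that ICMP redirects are on unless an interface carries "no ip redirects"; defaults vary by IOS release, so confirm results on the device.

```python
# Added example: audit a Cisco IOS-style config against tips 3, 5, 6, 7, 10.
GLOBAL_RULES = [  # (command prefix that enables a feature, finding text)
    ("ip http server", "tip 3: HTTP management enabled"),
    ("snmp-server community", "tip 3: SNMP community configured"),
    ("service tcp-small-servers", "tip 10: TCP small services enabled"),
    ("service udp-small-servers", "tip 10: UDP small services enabled"),
]

def parse_sections(config):
    """Split a config into (top-level command, [indented sub-commands])."""
    sections = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0].isspace() and sections:
            sections[-1][1].append(line)
        else:
            sections.append((line, []))
    return sections

def audit(config):
    """Return findings for settings the tips say to disable."""
    findings = []
    for header, body in parse_sections(config):
        findings += [m for p, m in GLOBAL_RULES if header.startswith(p)]
        if header.startswith("interface "):
            name = header.split(None, 1)[1]
            if "ip directed-broadcast" in body:
                findings.append(f"tip 6: directed broadcast on {name}")
            if "no ip redirects" not in body:  # assumes redirects default on
                findings.append(f"tip 7: redirects not disabled on {name}")
        elif header.startswith("line vty"):
            for words in (cmd.split() for cmd in body):
                if words[:2] == ["transport", "input"] and {"telnet", "all"} & set(words[2:]):
                    findings.append(f"tip 5: Telnet allowed on {header}")
    return findings

SAMPLE = """\
service udp-small-servers
ip http server
snmp-server community public RO
interface GigabitEthernet0/0
 ip directed-broadcast
interface GigabitEthernet0/1
 no ip redirects
line vty 0 4
 transport input telnet ssh
"""
```

Calling audit(SAMPLE) returns one finding per risky setting; the vty check covers all remote terminal lines, so restricting Telnet by source interface (tip 5) still needs a packet filter as described in tip 8.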