A ramble on the security of routers

Source: Internet
Author: User
Tags: ack, log, md5 hash, sessions, snmp, system log, ssh

Attackers often find it easier to exploit a vulnerability in a router than in the hosts behind it. A compromised router can be made to waste CPU cycles, misdirect traffic, or take the whole network down. A good router ships with protection mechanisms of its own, but those alone are far from enough: the network administrator also has to take appropriate security measures when configuring and managing the device.

Blocking security vulnerabilities

Restricting physical access to the device is one of the most effective ways to secure a router. One way to limit what physical access buys an intruder is to configure console and terminal sessions to log out automatically after a short idle time (the exec-timeout). It is also important not to attach a modem to the router's auxiliary (AUX) port, since that turns the line into a dial-in back door. Once physical access is under control, the administrator must make sure the router's software is patched and up to date. Vulnerabilities are often disclosed before the vendor releases a patch, which gives an attacker a window in which to exploit affected systems; administrators need to track such disclosures and apply whatever interim mitigation the vendor offers until the patch arrives.

Avoiding identity crises

Attackers frequently get in with weak or default passwords. Using long passwords and rotating them every 30 to 60 days helps close that door. Whenever an IT employee with router access leaves, change the passwords immediately. Enable password encryption on the router so that an attacker who manages to read the configuration file still has to recover the password from its stored form; note that the reversible encoding some platforms use for this (Cisco's type 7, for example) is trivial to reverse, so use the irreversible hashed secret forms for privileged and local-user passwords wherever the platform supports them. Implement sound authentication controls so the router can exchange credentials securely. Most routers support protocols such as RADIUS (Remote Authentication Dial-In User Service), which, together with an authentication server, provide encrypted and authenticated access to the router. Authentication control forwards a user's login request to an authentication server that usually sits on a back-end management network. That server can also require two-factor authentication: a token-generating component in software or hardware, plus the user's identity and the token's one-time passcode. Other solutions carry the credentials inside a Secure Shell (SSH) or IPsec session.
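The following is an added example, not code from the original article. It shows why "password encryption" on a router is only a first step: it assumes an IOS-style device whose `service password-encryption` stores type 7 strings (two decimal digits giving an offset into a fixed, publicly known key, followed by hex pairs of plaintext XOR key), decodes them, and scans a constructed configuration for such fields. The key, the sample config and the passwords in it are all part of the example.

```python
"""Why 'service password-encryption' alone is not enough.

Added example, not part of the original article. It assumes an IOS-style
router whose password encryption stores 'type 7' strings: two decimal
digits giving an offset into a fixed, publicly known key, followed by hex
pairs of (plaintext byte XOR key byte). Anyone who can read the config can
reverse it, so privileged and local-user passwords should use the hashed
'secret' forms instead.
"""
import re

# Fixed XOR key used by the type 7 scheme; it is public knowledge.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Recover the plaintext from a type 7 string such as '060506324F41'."""
    if len(encoded) < 2 or len(encoded) % 2:
        raise ValueError("type 7 strings have an even number of characters")
    seed = int(encoded[:2], 10)          # key offset, two decimal digits
    body = bytes.fromhex(encoded[2:])    # XOR output, hex-encoded
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                  for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encode(plaintext: str, seed: int = 6) -> str:
    """Produce a type 7 string the way the router does (seed is 0..15)."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be in 0..15")
    data = plaintext.encode("ascii")
    body = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


def find_reversible_passwords(config: str) -> list[tuple[str, str]]:
    """Scan a config for 'password 7 <hex>' style fields and decode each one,
    returning (config line, recovered plaintext) pairs for the auditor."""
    pattern = re.compile(r"\b(?:password|key|key-string)\s+7\s+([0-9A-Fa-f]+)\s*$")
    hits = []
    for line in config.splitlines():
        m = pattern.search(line.strip())
        if m:
            hits.append((line.strip(), type7_decode(m.group(1))))
    return hits


# Constructed sample configuration (not captured from a real device).
SAMPLE_CONFIG = """\
service password-encryption
username admin password 7 060506324F41
enable secret 9 $9$not.reversible.placeholder
line vty 0 4
 password 7 09404B1D14001E1C
 transport input ssh
"""

if __name__ == "__main__":
    for line, plain in find_reversible_passwords(SAMPLE_CONFIG):
        print(f"{line:40} -> {plain}")
```

Run against the sample, the audit recovers both line passwords in clear while the `enable secret 9` entry is left alone: that is the practical difference between an obfuscated password and a hashed one.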

Disable unnecessary services

A router that offers many services is convenient, but a number of recent security incidents have shown how important it is to disable the local services you do not need. Cisco Discovery Protocol (CDP), for instance, announces the device's model, software version and addresses to its neighbours and is rarely required; disable it, at least on interfaces facing untrusted networks, after checking that no management tool depends on it. Another factor to consider is time. Accurate time is essential to the efficient operation of the network and to correlating log entries across devices. Even if clocks are synchronised at deployment, they drift apart over time. Network Time Protocol (NTP) keeps the devices on the network synchronised against reliable, accurate time sources. The best arrangement, however, is not to have every router query the Internet directly, but to place an NTP server in a firewall-protected Demilitarized Zone (DMZ) segment, configure it so that only it sends time requests to trusted public time sources, and have the internal devices synchronise from it. Beyond that, routers rarely need to run other services such as SNMP or DHCP; enable them only when absolutely necessary.

Restricting logical access

Logical access is restricted mainly through well-designed access control lists. Limiting remote terminal sessions helps keep attackers off the router's management plane. SSH is the preferred remote access method, but if Telnet cannot be avoided, use terminal access control to restrict it to trusted hosts only. In practice this means applying an access list to the virtual terminal (vty) lines the router uses for Telnet.

Internet Control Message Protocol (ICMP) is useful for troubleshooting, but it also gives attackers a way to map network devices, learn local timestamps and netmasks, and guess operating system versions. To deny them that information, allow only the following ICMP types into the network: destination unreachable (network, host and port unreachable, and fragmentation needed, i.e. packet too big), source quench, and time exceeded (TTL expired). Logical access control should block the remaining ICMP types, such as timestamp and address-mask requests and echo requests from untrusted sources.

Use inbound access control to steer each service only to the server that provides it: allow only SMTP traffic to the mail server, only DNS traffic to the DNS server, and only HTTP and HTTPS (HTTP over SSL/TLS) traffic to the web server. To keep the router from becoming a denial-of-service (DoS) target, drop inbound packets whose source address is unspecified (no IP address), a loopback address, a broadcast or multicast address, or one of your own internal addresses (a spoofed internal source). DoS attacks cannot be eliminated, but their impact can be limited: increasing the queue for half-open (SYN received, ACK pending) connections and shortening how long the router waits for the final ACK helps it ride out TCP SYN floods.

Outbound access control limits what leaves the network. It can stop internal hosts from sending ICMP outward and allow only packets with valid internal source addresses to exit. This prevents IP address spoofing from inside and reduces the chance that an attacker can use your systems to attack another site.
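The following is an added example, not code from the original article. It expresses the inbound and outbound filtering rules of the last three paragraphs as Python functions and runs them over constructed packets, so each decision (bogus source, spoofed internal source, ICMP type not on the allow-list, wrong service for the destination server, outbound anti-spoofing) can be seen and tested. The internal prefix 192.0.2.0/24, the server addresses and the packets are all assumptions made for the example; a real router would express the same rules as access lists.

```python
"""Inbound and outbound filtering decisions from the text, made explicit.

Added example, not part of the original article. The internal prefix,
server addresses and sample packets are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

INTERNAL = ipaddress.ip_network("192.0.2.0/24")       # assumed internal range
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# ICMP types the text allows inbound, with the codes permitted for each
# (None = any code): destination unreachable (net 0, host 1, port 3,
# fragmentation needed 4), source quench (4), time exceeded (11).
ICMP_ALLOW_IN = {3: {0, 1, 3, 4}, 4: None, 11: None}

# Which destination host may receive which service (inbound steering).
SERVICE_MAP = {
    ipaddress.ip_address("192.0.2.25"): {("tcp", 25)},                # mail
    ipaddress.ip_address("192.0.2.53"): {("udp", 53), ("tcp", 53)},   # DNS
    ipaddress.ip_address("192.0.2.80"): {("tcp", 80), ("tcp", 443)},  # web
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    port: Optional[int] = None    # destination port for tcp/udp
    icmp_type: Optional[int] = None
    icmp_code: int = 0


def bogus_source(src) -> bool:
    """Sources that must never arrive from outside: unspecified ('no IP
    address'), loopback, multicast, limited or directed broadcast."""
    return (src.is_unspecified or src.is_loopback or src.is_multicast
            or src == LIMITED_BROADCAST or src == INTERNAL.broadcast_address)


def inbound_verdict(p: Packet) -> str:
    src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    if bogus_source(src):
        return "deny: bogus source"
    if src in INTERNAL:                        # our own range arriving from outside
        return "deny: spoofed internal source"
    if p.proto == "icmp":
        if p.icmp_type in ICMP_ALLOW_IN:
            codes = ICMP_ALLOW_IN[p.icmp_type]
            if codes is None or p.icmp_code in codes:
                return "permit: icmp"
        return "deny: icmp type not permitted"
    if (p.proto, p.port) in SERVICE_MAP.get(dst, set()):
        return "permit: service"
    return "deny: no matching service"


def outbound_verdict(p: Packet) -> str:
    src = ipaddress.ip_address(p.src)
    if src not in INTERNAL:                    # egress anti-spoofing
        return "deny: source not ours (anti-spoofing)"
    if p.proto == "icmp":
        return "deny: icmp from inside"
    return "permit"


# Constructed traffic sample: (direction, packet).
SAMPLE = [
    ("in",  Packet("198.51.100.7", "192.0.2.25", "tcp", port=25)),
    ("in",  Packet("198.51.100.7", "192.0.2.25", "tcp", port=80)),
    ("in",  Packet("192.0.2.9", "192.0.2.80", "tcp", port=80)),
    ("in",  Packet("127.0.0.1", "192.0.2.80", "tcp", port=80)),
    ("in",  Packet("198.51.100.7", "192.0.2.1", "icmp", icmp_type=3, icmp_code=3)),
    ("in",  Packet("198.51.100.7", "192.0.2.1", "icmp", icmp_type=13)),
    ("out", Packet("203.0.113.5", "198.51.100.1", "tcp", port=443)),
    ("out", Packet("192.0.2.9", "198.51.100.1", "icmp", icmp_type=8)),
    ("out", Packet("192.0.2.9", "198.51.100.1", "tcp", port=443)),
]


def run(sample=SAMPLE) -> list[str]:
    """Apply the right filter to each sampled packet and return the verdicts."""
    return [inbound_verdict(p) if d == "in" else outbound_verdict(p) for d, p in sample]


if __name__ == "__main__":
    for (d, p), verdict in zip(SAMPLE, run()):
        print(f"{d:3} {p.src:>14} -> {p.dst:<14} {p.proto:4} {verdict}")
```

The order of the checks matters: source-address sanity comes before any service matching, so a spoofed packet aimed at an open port is still dropped, and the ICMP allow-list is a positive list, so a new or unexpected type is denied by default.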

Monitoring configuration changes

Changes to the router configuration need to be monitored. If you use SNMP, choose a strong community string, and preferably use an SNMP version that encrypts its messages (SNMPv3 with authentication and privacy). If you do not configure devices remotely through SNMP, make the SNMP agent read-only; denying write access prevents an attacker from changing the configuration or shutting down interfaces. Also forward the router's system log (syslog) messages to a designated log server, so that a record survives even if the router itself is compromised.

To secure management further, use an encrypted protocol such as SSH for remote sessions with the router. For additional protection, restrict which hosts may open an SSH session at all, permitting only the few trusted management systems that administrators actually use.
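The following is an added example, not code from the original article. It gathers the configuration-level checks the preceding sections ask for (idle timeouts on console, AUX and vty lines, SSH-only vty access limited by an access-class, CDP disabled, an NTP server and a syslog host present, password encryption on, SNMP communities that are neither default nor writable) into a small auditor and runs it over two constructed configurations, one careless and one hardened. The command syntax it matches is Cisco IOS; the minimum community-string length is an assumed local policy, and the configs are constructed, not taken from a real device.

```python
"""Audit an IOS-style running-config for the hardening items above.

Added example, not part of the original article. Command syntax is Cisco
IOS; other platforms need different patterns. Both sample configs are
constructed for illustration.
"""
import re

WEAK_COMMUNITIES = {"public", "private", "cisco"}
MIN_COMMUNITY_LEN = 12  # assumed local policy, not a vendor requirement


def parse_sections(config: str) -> dict[str, list[str]]:
    """Map each top-level command to the lines indented beneath it."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def audit(config: str) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    sections = parse_sections(config)
    top = list(sections)
    findings = []

    if "service password-encryption" not in sections:
        findings.append("service password-encryption is off")
    if "no cdp run" not in sections:
        findings.append("CDP still runs (add 'no cdp run')")
    if not any(h.startswith("ntp server ") for h in top):
        findings.append("no NTP server configured")
    if not any(re.match(r"logging (?:host )?\d", h) for h in top):
        findings.append("no syslog host configured")

    for header, body in sections.items():
        if header.startswith("line "):
            timeout = next((c for c in body if c.startswith("exec-timeout ")), None)
            if timeout is None:
                findings.append(f"{header}: exec-timeout not set explicitly")
            else:
                parts = timeout.split()
                minutes = int(parts[1])
                seconds = int(parts[2]) if len(parts) > 2 else 0
                if minutes == 0 and seconds == 0:
                    findings.append(f"{header}: 'exec-timeout 0 0' disables idle logout")
            if header.startswith("line aux") and "no exec" not in body:
                findings.append(f"{header}: AUX line accepts logins (add 'no exec')")
            if header.startswith("line vty"):
                if "transport input ssh" not in body:
                    findings.append(f"{header}: transport input is not SSH-only")
                if not any(re.match(r"access-class \S+ in$", c) for c in body):
                    findings.append(f"{header}: no inbound access-class")
        m = re.match(r"snmp-server community (\S+)(.*)", header)
        if m:
            community, rest = m.group(1), m.group(2).split()
            if community.lower() in WEAK_COMMUNITIES or len(community) < MIN_COMMUNITY_LEN:
                findings.append(f"SNMP community {community!r} is default or too short")
            if "RW" in rest:
                findings.append(f"SNMP community {community!r} is writable; use RO or SNMPv3 authPriv")
    return findings


WEAK_CONFIG = """\
version 15.2
hostname edge-rtr
!
snmp-server community public RW
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 transport input telnet ssh
 password 7 060506324F41
"""

HARDENED_CONFIG = """\
service password-encryption
hostname edge-rtr
no cdp run
ntp server 192.0.2.123
logging host 192.0.2.10
snmp-server community 7hX2q9LmPw4RzT8v RO 10
ip access-list standard MGMT
 permit 192.0.2.10
 permit 192.0.2.11
line con 0
 exec-timeout 5 0
line aux 0
 no exec
 exec-timeout 0 1
line vty 0 4
 exec-timeout 5 0
 access-class MGMT in
 transport input ssh
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  -", f)
```

Running this on a freshly collected configuration after every change is a cheap way to make the "monitoring" the section calls for concrete; the findings list is what you would feed into a ticket or a change-review comment.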

An important part of configuration management is making sure the network uses sound routing protocols. Avoid the Routing Information Protocol (RIP): RIP is easy to spoof and will accept illegitimate route updates. Protocols such as Border Gateway Protocol (BGP) and Open Shortest Path First (OSPF) can be configured to authenticate neighbours with MD5: each update carries a digest computed over the update together with a shared secret, and a neighbour accepts the update only if the digest it recomputes matches. This helps ensure that any route update the system accepts really came from a legitimate neighbour.
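The following is an added example, not code from the original article. It shows what "authenticating with an MD5 hash" actually means on the wire, using the construction from RFC 2328 Appendix D (OSPF cryptographic authentication): the sender appends the shared key, padded to 16 bytes, to the message and sends MD5 of the result as a trailer; the receiver recomputes it and also checks a cryptographic sequence number to discard replays. The message format is simplified to a sequence number plus payload (the real OSPF header and LSA encoding are not modelled), the key and routes are constructed, and the sequence check here requires a strictly increasing number, which is stricter than the RFC's greater-or-equal rule.

```python
"""Keyed-MD5 neighbour authentication of routing updates.

Added example, not part of the original article. Follows the RFC 2328
Appendix D construction (digest = MD5(message || padded key)) on a
simplified message: 4-byte sequence number || payload || 16-byte digest.
"""
import hashlib
import hmac
import struct

KEY_LEN = 16  # keys are padded or truncated to 16 octets


def _pad_key(key: bytes) -> bytes:
    return key[:KEY_LEN].ljust(KEY_LEN, b"\x00")


def sign_update(seq: int, payload: bytes, key: bytes) -> bytes:
    """Return seq || payload || MD5(seq || payload || padded key)."""
    body = struct.pack("!I", seq) + payload
    return body + hashlib.md5(body + _pad_key(key)).digest()


class Neighbor:
    """Receiving side of one adjacency: verifies digest, then sequence."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def accept(self, message: bytes) -> tuple[bool, str, bytes]:
        """Return (accepted, reason, payload)."""
        if len(message) < 4 + 16:
            return False, "too short", b""
        body, digest = message[:-16], message[-16:]
        expected = hashlib.md5(body + _pad_key(self.key)).digest()
        if not hmac.compare_digest(digest, expected):   # constant-time compare
            return False, "bad digest", b""
        seq = struct.unpack("!I", body[:4])[0]
        if seq <= self.last_seq:                        # strictly increasing
            return False, "replayed or stale sequence", b""
        self.last_seq = seq
        return True, "ok", body[4:]


def demo() -> dict[str, str]:
    """One legitimate neighbour and three attacks against the same receiver."""
    key = b"s3cr3t-ospf-key"          # constructed shared secret
    receiver = Neighbor(key)
    results = {}

    update = sign_update(1, b"route 10.0.0.0/8 via R2", key)
    results["valid"] = receiver.accept(update)[1]

    tampered = bytearray(update)
    tampered[12] ^= 0x01              # flip a bit inside the payload
    results["tampered"] = receiver.accept(bytes(tampered))[1]

    results["replayed"] = receiver.accept(update)[1]

    forged = sign_update(2, b"route 10.0.0.0/8 via ATTACKER", b"guessed-key")
    results["wrong_key"] = receiver.accept(forged)[1]

    nxt = sign_update(2, b"route 10.1.0.0/16 via R2", key)
    results["next"] = receiver.accept(nxt)[1]
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:10} {outcome}")
```

Two points the paragraph glosses over become visible here: the secret itself never crosses the wire (only a digest over the update and the secret does), and the digest alone does not stop replay, which is why the sequence number is part of the scheme. Newer implementations offer the same construction with HMAC-SHA (RFC 5709) in place of plain MD5.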

Implementing Configuration Management

Implement a configuration management policy that controls how router configurations are stored, retrieved and updated, and keep configuration backups on a secure server so that a known-good configuration can be reloaded or restored when something goes wrong.

On a router platform with a command-line interface (CLI), there are two ways to collect the configuration. One is to run a script that opens an SSH session from the configuration server to the router, logs in, turns off console logging for the session so that log messages do not interleave with the output, displays the configuration, saves it to a local file, and logs out. The other is to set up an IPsec tunnel between the server and the router and copy the configuration file to the server with TFTP inside the secure tunnel; TFTP itself offers neither authentication nor encryption, so it must never be used without the tunnel. Be clear about who may change the router configuration, when changes may be made, and how. Before making any change, write down a detailed rollback procedure.
