One, security configuration of router access control
1, strictly control which administrators may access the router. Any maintenance work must be documented.
2, remote access to the router is not recommended. If remote access is required, restrict it with access control lists and strong passwords.
3, strictly control access to the console (con) port. The specific measures are:
A, where feasible, physically disconnect the cable from the console port.
B, change the default connection properties, for example the baud rate (the default is 9600; it can be changed to another value).
C, apply the same line controls used for the vty lines. Note that an access-class has no effect on a physical console session (there is no source IP address to match); the controls that matter here are login local and exec-timeout. Such as:
Router(config)# access-list 1 permit 192.168.0.1
Router(config)# line con 0
Router(config-line)# transport input none
Router(config-line)# login local
Router(config-line)# exec-timeout 5 0
Router(config-line)# access-class 1 in
Router(config-line)# end
D, set a strong password for the console port. With login local this is the password of a local username (see item 5), so one must be configured before the line is locked down, or the console will be unusable.
4, if the AUX port is not used, disable it (it is not enabled by default). Such as:
Router(config)# line aux 0
Router(config-line)# transport input none
Router(config-line)# no exec
5, it is recommended to adopt a privilege-level strategy: give operators a user at an intermediate level and move only the commands they need down to that level. The level numbers below are illustrative; here a level-10 user may run telnet, while show ip access-list stays at level 15. The secret keyword stores a hash of the password, whereas the older password keyword stores a reversible Type 7 string. Such as:
Router(config)# username blushin privilege 10 secret g00dpa55w0rd
Router(config)# privilege exec level 10 telnet
Router(config)# privilege exec level 15 show ip access-list
6, set a strong password for privileged (enable) mode. Do not set it with enable password, which stores the password in cleartext or in reversible Type 7 form; use enable secret, which stores a salted MD5 hash, and also enable service password-encryption. Note that service password-encryption only obscures the other passwords in the configuration (Type 7 is trivially reversible), so it protects against a casual glance at the config, not against an attacker who obtains the file.
7, control access to the vty lines. If remote access is not required, disable it (transport input none). A vty session is Telnet by default and is not encrypted in transit, so if remote access is needed it must be strictly controlled: set a strong password, limit the number of concurrent sessions, restrict source addresses with an access list (access-class), use AAA for user access control, and, where the IOS image supports it, accept only SSH (transport input ssh).
8, for IOS upgrades and for backing up images and configuration files, use FTP rather than TFTP: FTP at least requires a username and password, while TFTP has no authentication at all. Such as:
Router(config)# ip ftp username blushin
Router(config)# ip ftp password 4tppa55w0rd
Router# copy startup-config ftp:
Note that FTP still sends the credentials and the file in cleartext; where the image supports it, prefer SCP (copy startup-config scp:).
9, upgrade and patch the IOS software promptly.
Second, router network service security configuration
1, disable CDP (Cisco Discovery Protocol), globally or per interface. Such as:
Router(config)# no cdp run
Router(config-if)# no cdp enable
2, disable the TCP and UDP small services (echo, discard, chargen, daytime).
Router(config)# no service tcp-small-servers
Router(config)# no service udp-small-servers
3, disable the finger service.
Router(config)# no ip finger
Router(config)# no service finger
4, it is recommended to disable the HTTP server.
Router(config)# no ip http server
If the HTTP service must be enabled, configure it securely: set a username and password, authenticate against them, and restrict access with an access list. Such as:
Router(config)# username blushin privilege 15 secret g00dpa55w0rd
Router(config)# ip http authentication local
Router(config)# no access-list 10
Router(config)# access-list 10 permit 192.168.0.1
Router(config)# access-list 10 deny any
Router(config)# ip http access-class 10
Router(config)# ip http server
Router(config)# exit
Plain HTTP sends the credentials in cleartext; where the image supports it, use ip http secure-server instead.
5, disable the BOOTP server.
Router(config)# no ip bootp server
Also prevent the router from loading its startup configuration from the network at boot:
Router(config)# no boot network
Router(config)# no service config
6, disable IP source routing.
Router(config)# no ip source-route
7, proxy ARP is enabled by default; disable it if it is not required. It is an interface-level setting:
Router(config-if)# no ip proxy-arp
(On IOS releases that support it, ip arp proxy disable turns it off globally.)
8, explicitly disable IP directed broadcast on each interface; it is the amplifier used by smurf-style attacks.
Router(config-if)# no ip directed-broadcast
9, disable IP classless.
Router(config)# no ip classless
Check the routing design before applying this: with ip classless off, packets for an unknown subnet of a directly known major network are dropped instead of following the default route, which breaks forwarding in CIDR networks.
10, disable ICMP unreachables, redirects and mask replies on each interface.
Router(config-if)# no ip unreachables
Router(config-if)# no ip redirects
Router(config-if)# no ip mask-reply
Note that no ip unreachables also suppresses the fragmentation-needed messages that path MTU discovery depends on, so apply it to external-facing interfaces with that in mind.
11, it is recommended to disable SNMP. When disabling it, remove the default community strings as well; if SNMP must stay on, filter it with an access list. Such as:
Router(config)# no snmp-server community public RO
Router(config)# no snmp-server community admin RW
Router(config)# no access-list 70
Router(config)# access-list 70 deny any
Router(config)# snmp-server community Morehardpublic RO 70
Router(config)# no snmp-server enable traps
Router(config)# no snmp-server system-shutdown
Router(config)# no snmp-server trap-authentication
Router(config)# no snmp-server
Router(config)# end
With a deny-any list the community cannot be used from anywhere; on a router that must be polled, add a permit for the management station's address before the deny. SNMPv1/v2c community strings cross the network in cleartext, so if SNMP is needed prefer SNMPv3 with authentication and privacy.
12, disable WINS and DNS lookups if they are not needed.
Router(config)# no ip domain-lookup
If name resolution is needed, configure it explicitly:
Router(config)# hostname Router
Router(config)# ip name-server 202.102.134.96
13, explicitly shut down unused ports.
Router(config)# interface Ethernet0/3
Router(config-if)# shutdown
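As an added example that is not part of this guide, the following Python script audits the text of a running-config (the output of show running-config) against the items of sections One and Two: enable secret and service password-encryption, the console, AUX and vty line controls, the explicit service negations, HTTP without an access-class, default or unfiltered SNMP communities, and the per-interface ICMP, proxy-ARP and directed-broadcast settings. The two configurations embedded in it are constructed samples, not captures from a device; the hardened one also spells out the vty controls of item 7 (access-class, exec-timeout, login local, transport input ssh) that the guide describes only in prose. The parser, item codes and finding messages are this example's own choices.

```python
"""Audit an IOS running-config text against sections One and Two of this guide.
Added example, not the guide's own code; the item codes, messages and both sample
configurations are constructed for illustration."""
import re

SECTION_OPEN = re.compile(r"^(interface|line|router) ")
SNMP_COMMUNITY = re.compile(r"snmp-server community (\S+) (RO|RW)(?: (\d+))?$", re.I)
# Explicit global negations from section Two, keyed to the item that asks for them.
REQUIRED_GLOBALS = {
    "no cdp run": "2-1", "no service tcp-small-servers": "2-2",
    "no service udp-small-servers": "2-2", "no ip finger": "2-3",
    "no service finger": "2-3", "no ip bootp server": "2-5", "no boot network": "2-5",
    "no service config": "2-5", "no ip source-route": "2-6",
}
# Per-interface negations (items 2-7, 2-8, 2-10), required on every interface not shut down.
REQUIRED_PER_INTERFACE = {
    "no ip proxy-arp": "2-7", "no ip directed-broadcast": "2-8",
    "no ip unreachables": "2-10", "no ip redirects": "2-10", "no ip mask-reply": "2-10",
}

def parse_config(text):
    """Return (global_lines, blocks); blocks maps a header such as 'line vty 0 4'
    to its sub-commands, which IOS indents by a single space."""
    global_lines, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
            continue
        line = raw.strip()
        global_lines.append(line)
        current = line if SECTION_OPEN.match(line) else None
        if current:
            blocks.setdefault(current, [])
    return global_lines, blocks

def audit(text):
    """Return a list of (item, message) findings; an empty list means nothing flagged."""
    g, blocks = parse_config(text)
    gset, f = set(g), []
    # Item 1-6: privileged-mode password handling.
    if any(l.startswith("enable password ") for l in g):
        f.append(("1-6", "enable password in use; replace with enable secret"))
    if not any(l.startswith("enable secret ") for l in g):
        f.append(("1-6", "no enable secret configured"))
    if "service password-encryption" not in gset:
        f.append(("1-6", "service password-encryption not set"))
    # Items 1-3, 1-4, 1-7: console, AUX and VTY lines.
    for hdr, cmds in blocks.items():
        if not hdr.startswith("line ") or (hdr.startswith("line aux") and "no exec" in cmds):
            continue  # not a line block, or the AUX port is disabled as item 1-4 recommends
        if not any(c == "login local" or c.startswith("login authentication") for c in cmds):
            f.append(("1-3/7", f"{hdr}: no login local or AAA login"))
        if not any(c.startswith("exec-timeout") and c != "exec-timeout 0 0" for c in cmds):
            f.append(("1-3/7", f"{hdr}: no idle exec-timeout"))
        if hdr.startswith("line vty"):
            if not any(c.startswith("access-class ") for c in cmds):
                f.append(("1-7", f"{hdr}: no access-class restricting source addresses"))
            if "transport input ssh" not in cmds and "transport input none" not in cmds:
                f.append(("1-7", f"{hdr}: cleartext telnet still accepted"))
    # Section Two: global services, HTTP, SNMP communities and per-interface settings.
    for cmd, item in REQUIRED_GLOBALS.items():
        if cmd not in gset:
            f.append((item, f"missing '{cmd}'"))
    if "ip http server" in gset and not any(l.startswith("ip http access-class") for l in g):
        f.append(("2-4", "ip http server enabled without an access-class"))
    for l in g:
        m = SNMP_COMMUNITY.match(l)
        if m and (m.group(1).lower() in ("public", "private") or not m.group(3)):
            f.append(("2-11", f"SNMP community '{m.group(1)}' is a default name or unfiltered"))
    for hdr, cmds in blocks.items():
        if hdr.startswith("interface ") and "shutdown" not in cmds:
            for cmd, item in REQUIRED_PER_INTERFACE.items():
                if cmd not in cmds:
                    f.append((item, f"{hdr}: missing '{cmd}'"))
    return f

# Constructed sample of factory-style settings (not a capture from a real device).
WEAK_CONFIG = "\n".join([
    "enable password cisco", "ip http server", "snmp-server community public RO",
    "interface Ethernet0/1", " ip address 192.168.100.1 255.255.255.0",
    "interface Ethernet0/3", " shutdown", "line con 0", "line aux 0",
    "line vty 0 4", " password cisco", " login"]) + "\n"

# Constructed sample applying sections One and Two; the enable secret hash is a placeholder
# and the VTY block spells out the controls item 1-7 describes in prose.
HARDENED_CONFIG = "\n".join(
    ["service password-encryption", "enable secret 5 $1$salt$placeholderhash",
     "username blushin privilege 10 secret G00dpa55w0rd", "no ip http server",
     "access-list 1 permit 192.168.0.1", "access-list 70 permit 192.168.0.1",
     "snmp-server community Morehardpublic RO 70"]
    + list(REQUIRED_GLOBALS)
    + ["interface Ethernet0/1", " ip address 192.168.100.1 255.255.255.0"]
    + [" " + cmd for cmd in REQUIRED_PER_INTERFACE]
    + ["interface Ethernet0/3", " shutdown", "line con 0", " exec-timeout 5 0", " login local",
       "line aux 0", " no exec", "line vty 0 4", " access-class 1 in", " exec-timeout 5 0",
       " login local", " transport input ssh"]) + "\n"
```

Run it on a saved configuration with audit(open("router.cfg").read()); on the weak sample it reports the enable password, the unprotected console and vty lines, the missing service negations, the open HTTP server, the public community and the missing per-interface settings, while the hardened sample returns no findings. The checks look for the explicit negations the guide asks for, so a platform that silences a service by default but does not print the "no ..." line is still flagged until the line is set explicitly.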
Third, router routing protocol security configuration
1, first disable proxy ARP, which is enabled by default. It lets the router answer ARP requests on behalf of other hosts, which easily confuses address resolution and routing on the segment.
Router(config-if)# no ip proxy-arp
(On IOS releases that support it, ip arp proxy disable turns it off globally.)
2, enable authentication for the OSPF routing protocol. The default OSPF authentication sends the password in cleartext, so enable MD5 authentication and use a key of reasonable strength; every router on the link must be configured with the same key-id and key.
Router(config)# router ospf 100
Router(config-router)# network 192.168.100.0 0.0.0.255 area 100
! Enable MD5 authentication for the area.
! area <area-id> authentication enables plaintext password authentication;
! area <area-id> authentication message-digest enables MD5 authentication.
Router(config-router)# area 100 authentication message-digest
Router(config-router)# exit
Router(config)# interface Ethernet0/1
! Set the MD5 key to Routerospfkey.
! ip ospf authentication-key <key> sets a key that is transmitted in plaintext;
! ip ospf message-digest-key <key-id (1-255)> md5 <key> sets an MD5 key.
! The key-id 1 below is arbitrary; the neighbours on this link must use the same key-id and key.
Router(config-if)# ip ospf message-digest-key 1 md5 Routerospfkey