A simple router security configuration scheme

Source: Internet
Author: User

One. Security configuration of router access control

1. Strictly control which administrators may access the router. Any maintenance work must be documented.

2. Remote access to the router is not recommended. If remote access is required anyway, restrict it with access control lists and strong password controls.

3. Strictly control access to the console (con) port. Specific measures:

A. Where the chassis can be opened, the physical line connected to the console port can be disconnected.

B. Change the default connection properties, for example the baud rate (the default is 9600; change it to another value).

C. Use an access control list to restrict access to the console port, for example:

Router(config)# access-list 1 permit 192.168.0.1
Router(config)# line con 0
Router(config-line)# transport input none
Router(config-line)# login local
Router(config-line)# exec-timeout 5 0
Router(config-line)# access-class 1 in
Router(config-line)# end

D. Set a strong password on the console port.

4. Disable the AUX port if it is not used (it is not enabled by default). To disable it:

Router(config)# line aux 0
Router(config-line)# transport input none
Router(config-line)# no exec

5. Adopting a privilege grading strategy is recommended; the level number (10 here) is an example value. Such as:

Router(config)# username blushin privilege 10 password g00dpa55w0rd
Router(config)# privilege exec level 10 telnet
Router(config)# privilege exec level 10 show ip access-list

6. Set a strong password for access to privileged mode. Do not set it with the enable password command; use the enable secret command instead, and turn on service password-encryption.

7. Control access to the VTY lines. If remote access is not required, disable it; if it is required, be sure to set a strong password. Because VTY traffic is not encrypted as it crosses the network, it must be strictly controlled: set a strong password, limit the number of concurrent connections, use an access list to strictly restrict the permitted source addresses, and consider using AAA for user access control.

8. For IOS upgrades and backups, and for backing up configuration files, use FTP rather than TFTP. Such as:

Router(config)# ip ftp username blushin
Router(config)# ip ftp password 4tppa55w0rd
Router# copy startup-config ftp:

9. Upgrade and patch the IOS software promptly.

Two. Security configuration of router network services

1. Disable CDP (Cisco Discovery Protocol). Such as:

Router(config)# no cdp run
Router(config-if)# no cdp enable

2. Disable the TCP and UDP small services.

Router(config)# no service tcp-small-servers
Router(config)# no service udp-small-servers

3. Disable the finger service.

Router(config)# no ip finger
Router(config)# no service finger

4. Disabling the HTTP service is recommended.

Router(config)# no ip http server

If the HTTP service must stay enabled, configure it securely: set a username and password (privilege level 10 is an example value here), and restrict access with an access list. Such as:

Router(config)# username blushin privilege 10 password g00dpa55w0rd
Router(config)# ip http authentication local
Router(config)# no access-list 10
Router(config)# access-list 10 permit 192.168.0.1
Router(config)# access-list 10 deny any
Router(config)# ip http access-class 10
Router(config)# ip http server
Router(config)# exit

5. Disable the BOOTP service.

Router(config)# no ip bootp server

Also prevent the router from automatically downloading its startup configuration file from the network at boot:

Router(config)# no boot network
Router(config)# no service config

6. Disable IP source routing.

Router(config)# no ip source-route

7. Disable proxy ARP if it is not needed; the router enables it by default.

Router(config)# no ip proxy-arp
Router(config-if)# no ip proxy-arp

8. Explicitly disable IP directed broadcasts.

Router(config)# no ip directed-broadcast

9. Disable IP classless.

Router(config)# no ip classless

10. Disable the ICMP unreachable, redirect and mask reply messages.

Router(config-if)# no ip unreachables
Router(config-if)# no ip redirects
Router(config-if)# no ip mask-reply

11. Disabling the SNMP service is recommended. When disabling it, the default configuration of some SNMP services must be removed explicitly; if SNMP is needed, filter access with an access list. Such as:

Router(config)# no snmp-server community public RO
Router(config)# no snmp-server community admin RW
Router(config)# no access-list 70
Router(config)# access-list 70 deny any
Router(config)# snmp-server community MoreHardPublic RO 70
Router(config)# no snmp-server enable traps
Router(config)# no snmp-server system-shutdown
Router(config)# no snmp-server trap-auth
Router(config)# no snmp-server
Router(config)# end

12. Disable the WINS and DNS services if they are not necessary.

Router(config)# no ip domain-lookup

If name resolution is needed, configure it explicitly:

Router(config)# hostname Router
Router(config)# ip name-server 202.102.134.96

13. Explicitly shut down unused ports.

Router(config)# interface Ethernet0/3
Router(config-if)# shutdown

Three. Security configuration of routing protocols

1. First disable proxy ARP, which is enabled by default and can easily cause confusion in the routing table.

Router(config)# no ip proxy-arp
or
Router(config-if)# no ip proxy-arp

2. Enable authentication for the OSPF routing protocol. The default OSPF authentication sends the password in clear text, so MD5 authentication is recommended, with a key of reasonable strength (neighbouring routers must share the same key).

Router(config)# router ospf 100
Router(config-router)# network 192.168.100.0 0.0.0.255 area 100
! Enable MD5 authentication.
! "area <area-id> authentication" enables plaintext password authentication;
! "area <area-id> authentication message-digest" enables MD5 authentication.
Router(config-router)# area 100 authentication message-digest
Router(config-router)# exit
Router(config)# interface Ethernet0/1
! Set the MD5 key to routerospfkey.
! "ip ospf authentication-key <key>" sets an authentication key that is transmitted in plaintext;
! "ip ospf message-digest-key <key-id (1-255)> md5 <key>" sets an MD5 key.
