A router is an important bridge between a LAN and an external network. It is an indispensable part of the network system and the front line of network security. However, router maintenance is rarely given much attention. If a router cannot guarantee its own security, the entire network is completely insecure. Therefore, in network security management, routers must be sensibly planned and configured, and the necessary security measures must be taken so that weaknesses in the router itself do not create loopholes and risks for the entire network. The following router security measures and methods make the network more secure.
1. Add authentication to protocol exchanges between routers to improve network security.
One of the important functions of a router is the management and maintenance of routes. Networks of any significant size currently use dynamic routing protocols; the commonly used ones are RIP, VPN, OSPF, IS-IS, and BGP. When a router configured with the same routing protocol and area identifier is added to the network, it learns the routing information table of that network. This can leak network topology information. Such a router can also disrupt the routing tables that are working normally on the network by sending its own routing information table to the network. In severe cases, the entire network may be paralyzed. The solution is to authenticate the routing information exchanged between routers in the network. When a router is configured with an authentication method, it identifies the sender and receiver of the routing information.
2. Physical security protection of routers
A router's console port is a port with special privileges. If an attacker gains physical access to a router and restarts it by cutting the power, the "password recovery procedure" can be run, after which the attacker can log on to the router and take complete control of it.
3. Protect the router password
In a backed-up router configuration file, even if the password is stored in encrypted form, the plaintext of the password may still be cracked. Once the password is leaked, the network is completely insecure.
4. Disable inspection of router diagnostic information
The commands to disable it are as follows:
no service tcp-small-servers
no service udp-small-servers
5. Disable viewing of the router's current user list
The command to disable it is:
no service finger
6. Disable the CDP service
CDP runs at OSI Layer 2 (the link layer) and can be used to discover some configuration information about the peer router, such as the device platform, operating system version, port, and IP address. You can run the command no cdp running or no cdp enable to disable this service.
7. Prevent the router from receiving packets with source route marks and discard the data streams with source route options.
"ip source-route" is a global configuration command that allows a router to process data streams marked with source routing options. When the source route option is enabled, the route specified in the source route information lets the data stream bypass the default route, which may also bypass the firewall. The command to disable it is as follows:
no ip source-route
8. Disable router broadcast packet forwarding.
The Smurf DoS attack uses a router configured to forward broadcasts as a reflector, consuming network resources and even paralyzing the network. Apply "no ip directed-broadcast" on each interface to stop the router from forwarding broadcast packets.
9. Manage HTTP Services
The HTTP service provides the Web management interface. "no ip http server" stops the HTTP service. If you must use HTTP, use the "ip http access-class" command with an access list to strictly filter the allowed IP addresses, and use the "ip http authentication" command to set the authentication restrictions.
10. Defend against spoofing attacks
Use an access control list to filter out all packets whose destination address is the network broadcast address, and packets that claim to come from the internal network but actually arrive from outside. Configure the router interface:
ip access-group number in
The access control list is as follows:
access-list number deny icmp any any redirect
access-list number deny ip 127.0.0.0 0.255.255.255 any
access-list number deny ip 224.0.0.0 31.255.255.255 any
access-list number deny ip host 0.0.0.0 any
Note: the four commands above will also filter some of the packets used by BOOTP/DHCP. You must be fully aware of this when using these commands in an environment that relies on those protocols.
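The following added example (not part of the original article) evaluates the three source-address rules of that access list, with the loopback and multicast-and-above ranges written as wildcard masks 0.255.255.255 and 31.255.255.255, against constructed source addresses. It shows why the note about BOOTP/DHCP matters: a DHCP client that has no address yet sends from 0.0.0.0 and is dropped by the last rule. The function names and sample addresses are illustrative assumptions.

```python
import ipaddress

def ip(s):
    """Dotted-quad string to 32-bit integer."""
    return int(ipaddress.IPv4Address(s))

def matches(addr, base, wildcard):
    """Cisco wildcard match: bits set to 1 in the wildcard are ignored."""
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(addr) & care) == (ip(base) & care)

# Source rules from the access list ("host X" is the same as "X 0.0.0.0").
DENY_SOURCES = [
    ("127.0.0.0", "0.255.255.255"),   # loopback range
    ("224.0.0.0", "31.255.255.255"),  # 224.0.0.0 through 255.255.255.255
    ("0.0.0.0", "0.0.0.0"),           # host 0.0.0.0
]

def verdict(src):
    """Return the rule that drops a packet from src, or 'not matched'."""
    for base, wc in DENY_SOURCES:
        if matches(src, base, wc):
            return f"deny {base} {wc}"
    return "not matched"

# Constructed source addresses, including the DHCP case from the note.
SAMPLES = {
    "127.0.0.1": "loopback address seen on the wire",
    "239.1.1.1": "multicast address used as a source",
    "255.255.255.255": "limited broadcast used as a source",
    "0.0.0.0": "DHCPDISCOVER from a client with no address yet",
    "203.0.113.7": "ordinary unicast source",
}

if __name__ == "__main__":
    for src, what in SAMPLES.items():
        print(f"{src:<16} {verdict(src):<32} {what}")
```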
11. Prevent packet sniffing
Hackers often install sniffing software on computers they have already compromised inside the network, monitor network data streams, and steal passwords, including SNMP community strings as well as router logon and privileged passwords. This makes it difficult for the network administrator to ensure network security. Do not log on to the router using unencrypted protocols on untrusted networks. If the router supports encrypted protocols, use SSH or Kerberized Telnet, or use IPSec to encrypt all management traffic to the router.
12. Verify the validity of the data stream path
RPF (reverse path forwarding) verifies the path a packet arrived on against the route back to its source. Because the attacker's source address is not legitimate, the attack packets are discarded, which defends against spoofing attacks. The configuration command for RPF is: ip verify unicast rpf. Note: the router must first support CEF (Cisco Express Forwarding) fast forwarding.
13. Prevent SYN attacks
Currently, some router software platforms can enable TCP interception to prevent SYN attacks. There are two working modes, interception and monitoring; the default is interception. (Interception mode: the router answers the SYN request itself, sending a SYN-ACK packet on behalf of the server, and then waits for the client's ACK. If an ACK is received, the original SYN packet is sent on to the server. Monitoring mode: the router lets SYN requests reach the server directly. If the session is not established within 30 seconds, the router sends an RST to clear the connection.) First, configure an access list that covers the IP addresses to be protected:
access-list [100-199] [deny|permit] tcp any destination destination-wildcard
Then enable TCP interception:
ip tcp intercept mode intercept
ip tcp intercept list access-list-number
ip tcp intercept mode watch
14. Use a secure SNMP management solution
SNMP is widely used for monitoring and configuring routers. SNMP Version 1 is not suitable for management across the public network because of its low security. An access list can be used to allow SNMP access only from specific workstations, which improves the security of the SNMP service. Configuration command: snmp-server community xxxxx RW xx, where xx is the access control list number. SNMP Version 2 uses an MD5 digital identity authentication method. Configuring different routers with different digital signature passwords is an effective way to improve overall security.
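As an added example (not part of the original article), the script below audits a configuration text for the settings covered in sections 4 to 9 and 14. The sample configuration is constructed, and the matching rules are assumptions: because defaults differ between software releases, a service with neither its enabling line nor its "no" line is reported as unverified rather than guessed.

```python
import re

# Global commands from sections 4-9; the article's fix is the "no" form.
GLOBAL = ["service tcp-small-servers", "service udp-small-servers",
          "service finger", "cdp run", "ip source-route", "ip http server"]

# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
service tcp-small-servers
service finger
no ip source-route
ip http server
snmp-server community xxxxx RW
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip directed-broadcast
 no cdp enable
interface Serial0/0
 ip address 198.51.100.1 255.255.255.252
 no ip directed-broadcast
"""

def audit(config):
    """Return (findings, unverified) for an IOS-style configuration text."""
    lines = [l.rstrip() for l in config.splitlines() if l.strip()]
    findings, unverified = [], []
    for cmd in GLOBAL:
        if any(l.startswith(cmd) for l in lines):
            findings.append(f"{cmd}: explicitly enabled")
        elif not any(l.startswith("no " + cmd) for l in lines):
            unverified.append(cmd)  # neither form present: check the default
    iface = None
    for l in lines:
        if l.startswith("interface "):
            iface = l.split(None, 1)[1]
        elif not l.startswith(" "):
            iface = None            # back at global configuration level
        elif iface and l.strip() == "ip directed-broadcast":
            findings.append(f"{iface}: ip directed-broadcast enabled")
    for l in lines:
        m = re.match(r"snmp-server community \S+ (RO|RW)(?: (\d+))?\s*$", l, re.I)
        if m and not m.group(2):    # the community string is never printed
            findings.append(f"snmp community ({m.group(1)}) has no access list")
    return findings, unverified

if __name__ == "__main__":
    found, unknown = audit(SAMPLE)
    print("\n".join(found))
    print("unverified:", ", ".join(unknown))
```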
Summary
The router is a key device of the entire network, so its security deserves special attention. Of course, relying solely on the settings above is far from enough to protect the network. Other devices must also be brought into the security measures so that together they build the network into a secure and stable platform for information exchange.