Application point of view: an introduction to Cisco router security configuration

Source: Internet
Author: User

Cisco routers play a very important role in the routing industry and have a large user base, so it is important to understand some Cisco router security configuration. Currently most enterprises and departments connect to the Internet, generally through a router attached to an ISP.

This router serves as the bridge between the external Internet and the internal network. If its security is set properly, it can provide a certain degree of security to the internal network, or add a layer of protection on top of existing security measures. Currently most routers are Cisco products or functionally similar, so this document discusses the security configuration of Cisco routers. Given the role and position of the router, its configuration affects not only its own security but the security of the entire network. A router (Cisco is used as the example here) has certain security functions, such as access lists and encryption, but most of these are disabled by default and must be configured manually. Which configuration best meets security needs without compromising network performance? This article covers the following parts:

Cisco Router Security Configuration: Password Management

A router uses passwords to prevent unauthorized access, and they are part of the router's security. The best way to handle these passwords is to keep them on a TACACS+ or RADIUS authentication server. However, almost every router still needs a local password for privileged access. How should this part be kept secure?

1. Use enable secret

The enable secret command sets the password that grants administrator (privileged) access. If no enable secret is configured, a password set for the console TTY can also be used for remote access, which is not what you want. Another point is that older systems use enable password. Its function is similar, but the encryption algorithm used by enable password is weak.

2. Use service password-encryption

This command encrypts all passwords stored in the configuration file, along with similar data such as CHAP secrets, so that plaintext credentials are not exposed when a malicious user views the configuration file. However, the algorithm used by service password-encryption is a simple Vigenère cipher that can be easily reversed; it is the same protection applied to a password set with the enable password command. The enable secret command uses the MD5 algorithm, which is difficult to crack, but even MD5 does not withstand dictionary attacks. So do not count on the encryption: the best approach is to choose a long password, prevent the configuration file from being obtained by outsiders, and set both enable secret and service password-encryption.
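The following IOS configuration fragment is an added example (not part of the original article) that puts the two points above together and adds the TACACS+ server the article recommends as the preferred place for credentials, with the local database as fallback. The server address, shared key and passphrases are placeholders.

```cisco
! Obfuscate line, CHAP and similar passwords in the stored configuration
service password-encryption
!
! Privileged-mode password: MD5-hashed, long passphrase
enable secret Long-Passphrase-Replace-Me-2024
!
! Remove the weakly protected legacy variant so it cannot be used instead
no enable password
!
! Preferred: administrator accounts live on a TACACS+ server (placeholder
! address and key); "local" keeps a fallback if the server is unreachable
aaa new-model
tacacs-server host 192.0.2.10 key TACACS-SHARED-SECRET-PLACEHOLDER
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Local fallback account used only when TACACS+ does not answer
username admin privilege 15 secret Local-Fallback-Passphrase-Replace-Me
!
! Console still authenticates through the same AAA method list
line con 0
 login authentication default
 exec-timeout 5 0
```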

Cisco Router Security Configuration: Controlling Interactive Access

Anyone who logs on to the router can display important configuration information, and an attacker can use a router as a relay for further attacks. Therefore, you need to properly control login access to the router. Most login access is disabled by default, but there are some exceptions, such as a directly connected console terminal.

The console port has special privileges. Note that if a Break signal is sent to the console port within the first seconds of a router restart, the password recovery procedure can easily take control of the entire system. In this way an attacker who lacks normal access privileges, but who can reboot the system (by cutting the power, or when the system crashes) and can reach the console port (through a directly connected terminal, a modem, or a terminal server), can control the entire system. Therefore, the access security of every console port must be ensured.

Besides logging on to a router through the console, there are many other methods; depending on the configuration and operating system version, Telnet, rlogin, SSH, non-IP network protocols such as LAT, MOP, X.29 and V.120, and modem dial-in are supported. All of these involve TTYs. Local asynchronous terminals and dial-up modems use the standard "TTYs"; whatever protocol is used, a remote network connection uses a virtual TTY, a "VTY". To control access to a router, it is best to control these TTYs and VTYs, adding authentication or using the login and no password commands to prohibit access.

1. Control TTY

By default, a remote user can connect to a TTY through what is called "reverse Telnet", which lets the remote user interact with the terminal or modem attached to that TTY. However, this feature also lets a remote user connect to a local asynchronous terminal port or dial-in modem port and construct a fake logon process to steal passwords or carry out other illegal activities. Therefore, it is best to disable this function. You can use transport input none so that any asynchronous or modem line does not accept connections from network users. If possible, do not use the same modem for dial-in and dial-out, and disable reverse Telnet for dial-in.

2. Control VTY

To ensure security, each VTY should allow only the specified protocols to establish connections, using the transport input command. If a VTY only needs to support the Telnet service, set transport input telnet. If the router's operating system supports SSH, it is best to allow only that protocol, with transport input ssh, to avoid the plaintext transmission of the Telnet service. You can also use ip access-class to restrict the IP address range that may access the VTYs.

Because the number of VTYs is limited, once all of them are in use no further remote network connections can be established, and this can be exploited for denial-of-service (DoS) attacks. Attackers do not even have to log in: they only need to open connections and reach the login prompt to consume all VTYs. A good defense is to use the ip access-class command to restrict the source addresses allowed on the last VTY, opening it only to a specific management workstation, while the other VTYs are unrestricted; this preserves flexibility without affecting critical management work. Another method is to use the exec-timeout command to configure a VTY timeout, so that an idle session cannot occupy a VTY indefinitely. Similarly, service tcp-keepalives-in checks that inbound TCP connections are still alive, so that a malicious attack or an unexpected crash of a remote system cannot leave the resource held forever. An even better way to protect the VTYs is to disable all non-IP access and use IPSec to encrypt all remote connections to the router.
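The fragment below is an added example (not from the original article) that implements the TTY and VTY controls from both subsections above: reverse Telnet refused on the auxiliary line, SSH-only VTYs, the last VTY reserved for one management station against VTY exhaustion, an idle timeout, and inbound TCP keepalives. The hostname, domain name, addresses and line numbers are placeholders; the lines marked "placeholder" must be adjusted to the router's actual line layout.

```cisco
! SSH needs a hostname, a domain name and an RSA key pair (placeholders)
hostname EDGE-RTR
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Detect dead inbound TCP sessions so they release their VTY
service tcp-keepalives-in
!
! Management hosts allowed on the ordinary VTYs (placeholder subnet)
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
! Single workstation allowed on the reserved last VTY (placeholder host)
ip access-list standard MGMT-LASTRESORT
 permit host 192.0.2.5
!
! Local fallback account for the VTYs
username admin privilege 15 secret Local-Passphrase-Replace-Me
!
! Auxiliary/asynchronous line: refuse network (reverse Telnet) connections.
! Apply the same "transport input none" to any async TTY lines present.
line aux 0
 transport input none
!
! Ordinary VTYs: SSH only, management subnet only, 5-minute idle timeout
line vty 0 3
 transport input ssh
 access-class MGMT-HOSTS in
 exec-timeout 5 0
 login local
!
! Last VTY: reachable from one management station only, so that connections
! filling VTYs 0-3 cannot lock administrators out
line vty 4
 transport input ssh
 access-class MGMT-LASTRESORT in
 exec-timeout 5 0
 login local
```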

Cisco Router Security Configuration: Route Security

Control Direct Broadcast

An IP directed broadcast is a packet destined for a subnet's broadcast address, sent by a host that is not directly connected to the destination subnet. The router therefore forwards it as a normal unicast packet until it reaches the destination subnet, where it is converted into a link-layer broadcast. Because of the structure of IP addresses, only routers directly connected to the subnet can identify a directed broadcast packet. An attack called "smurf" abuses this feature: the attacker continuously sends broadcast packets with a forged source address to the attacked subnet, so that all hosts in the subnet send responses to that forged address, causing a broadcast storm on the destination network.

Against such attacks, no ip directed-broadcast can be configured on the Cisco router. However, because the directed broadcast packet is converted into a link-layer broadcast (rather than discarded) only at the interface attached to the destination subnet, it is best, for better protection, to configure no ip directed-broadcast on all routers that may be connected to the destination subnet.

Prevent Route Attacks

Source-route attacks are a common attack method. Because some old IP implementations have problems processing source-routed packets and may crash, it is best to disable source routing on the router with the no ip source-route command. ICMP redirect attacks are another common routing attack: the attacker sends a bogus redirect message to an end host, causing the end host to install a wrong route. This attack can be prevented by filtering all ICMP redirect packets on the router. However, this only stops external attackers; if the attacker and the target host are on the same network segment, there is no way to prevent it.
When a router uses dynamic routing protocols, attackers can forge routing packets and corrupt the router's routing table. To prevent such attacks, you can use an access list (distribute-list in) to restrict the range of routing information accepted as correct. If possible, use an authentication mechanism; for example, RIPv2 and OSPF support authentication.
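The fragment below is an added example (not from the original article) covering the whole route-security section: directed broadcasts disabled on every interface, source routing off, ICMP redirects filtered on the ISP-facing interface, and OSPF protected with a distribute-list plus MD5 authentication. Interface names, prefixes and keys are placeholders.

```cisco
! Refuse IP source-routed packets on the whole router
no ip source-route
!
! Inbound filter for the ISP link: drop ICMP redirects from the outside.
! This stops external senders only; a host on the same LAN segment as the
! victim is not covered by this filter.
ip access-list extended FROM-ISP
 deny   icmp any any redirect
 permit ip any any
!
interface GigabitEthernet0/0
 description Link to ISP (placeholder addressing)
 ip address 203.0.113.2 255.255.255.252
 ip access-group FROM-ISP in
 no ip directed-broadcast
!
! Interface attached to a user subnet: do not turn directed broadcasts into
! link-layer broadcasts (removes the smurf amplifier), and carry the OSPF
! MD5 key used for neighbour authentication (placeholder key)
interface GigabitEthernet0/1
 description Internal LAN (placeholder addressing)
 ip address 10.1.1.1 255.255.255.0
 no ip directed-broadcast
 ip ospf message-digest-key 1 md5 OSPF-KEY-PLACEHOLDER
!
! Only routes inside the internal address block may enter the routing table
! from OSPF neighbours; all neighbours in area 0 must authenticate with MD5
access-list 10 permit 10.0.0.0 0.255.255.255
router ospf 1
 network 10.1.1.0 0.0.0.255 area 0
 area 0 authentication message-digest
 distribute-list 10 in
```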
