Basic working principles and security settings of routers

Source: Internet
Author: User
Tags: md5, hash, snmp

How routers work

A router is a device that forwards data between subnets at the network layer (IP). A router can be divided into a control plane and a data channel (data plane). On the control plane, routing protocols of various types run; the router exchanges network topology information with other routers through the routing protocol and dynamically generates a routing table from that topology. On the data channel, after receiving an IP packet from an input line, the forwarding engine analyzes and modifies the packet header, looks up the output port in the forwarding table, and switches the data to the output line. The forwarding table is generated from the routing table, and its entries correspond directly to routing table entries; its format, however, differs from that of the routing table and is optimized for fast lookup. The forwarding process consists of line input, header analysis, data storage, header modification, and line output.

The routing protocol dynamically generates the routing table according to the network topology. IP divides the whole network into management areas called autonomous domains (autonomous systems), whose numbers are centrally managed across the whole network. Accordingly, routing protocols are divided into intra-domain and inter-domain protocols. Intra-domain routing protocols such as OSPF and IS-IS exchange link-state information describing the network topology between the routers of a management domain and derive the routing table from that link state. Inter-domain routing protocols exchange data between adjacent nodes; they cannot use multicast, only explicitly specified point-to-point connections.
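As an added illustration (not code from the original article) of how the forwarding table is derived from the routing table and searched, the following Python keeps the best next hop per prefix in a binary trie and resolves a destination with a longest-prefix match; the prefixes, next hops and metrics are constructed.

```python
import ipaddress

# Constructed routing table entries: (prefix, next hop, metric, protocol).
# A routing table may hold several candidates for one prefix; the forwarding
# table keeps only the best one, in a structure built for fast lookup.
ROUTING_TABLE = [
    ("0.0.0.0/0",   "203.0.113.1",  10, "static"),
    ("10.0.0.0/8",  "10.255.0.1",   20, "ospf"),
    ("10.1.0.0/16", "10.255.0.2",   10, "ospf"),
    ("10.1.0.0/16", "10.255.0.3",  120, "rip"),   # worse metric, not installed
]


def build_fib(rib):
    """Derive the forwarding table: pick the lowest-metric next hop per prefix
    and store it in a binary trie keyed on the prefix bits."""
    best = {}
    for prefix, next_hop, metric, _proto in rib:
        net = ipaddress.ip_network(prefix)
        if net not in best or metric < best[net][0]:
            best[net] = (metric, next_hop)
    trie = {}
    for net, (_metric, next_hop) in best.items():
        node = trie
        bits = format(int(net.network_address), "032b")[: net.prefixlen]
        for bit in bits:
            node = node.setdefault(bit, {})
        node["nh"] = next_hop       # a prefix ends here; remember its next hop
    return trie


def lookup(fib, dst):
    """Longest-prefix match: walk the trie along the destination address bits
    and keep the next hop of the deepest prefix that matched."""
    node, match = fib, fib.get("nh")     # the default route, if any
    for bit in format(int(ipaddress.ip_address(dst)), "032b"):
        node = node.get(bit)
        if node is None:
            break
        match = node.get("nh", match)
    return match


if __name__ == "__main__":
    fib = build_fib(ROUTING_TABLE)
    for dst in ("10.1.2.3", "10.9.9.9", "8.8.8.8"):
        print(dst, "->", lookup(fib, dst))
```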

Router Architecture

The control plane of the router runs on a general-purpose CPU system, and this has remained unchanged for many years. In a high-availability design, dual main controllers in an active/standby arrangement can be used to ensure the reliability of the control plane. The router's data channel uses different implementation technologies to suit different line speeds and system capacities. Router architectures are differentiated by the implementation mechanism of the data channel's forwarding engine; in short, they divide into software-forwarding routers and hardware-forwarding routers. A software-forwarding router implements forwarding in CPU software and, by the number of CPUs used, is further divided into single-CPU centralized and multi-CPU distributed types. A hardware-forwarding router forwards data with network-processor hardware and, by the number of network processors and their location in the device, is further divided into single-network-processor centralized, multi-network-processor load-sharing parallel, and central-switching distributed types.

Router Security Settings

It is usually easy for attackers to launch attacks by exploiting router vulnerabilities. Attacks on routers waste CPU cycles, misdirect traffic, and can paralyze the network. A good router uses sound security mechanisms to protect itself, but that alone is far from enough. To protect a router, the network administrator must take appropriate security measures when configuring and managing it.

1. Block security vulnerabilities

Limiting physical access to the system is one of the most effective ways to ensure router security. One way to restrict physical access is to configure console and terminal sessions to log out automatically after a short idle period. It is also important to avoid connecting a modem to the router's auxiliary port. Once physical access to the router is restricted, you must ensure that the router's security patches are up to date. Vulnerabilities are often disclosed before the vendor releases a patch, which lets attackers exploit affected systems until the patch appears; users need to stay alert to this.

2. Prevent identity compromise

Attackers often exploit weak or default passwords. This can be prevented by using stronger, longer passwords and a password validity period of 30 to 60 days. In addition, once an important IT employee leaves, passwords should be changed immediately. Enable the password encryption function on the router, so that even if an attacker can read the system configuration file, the passwords appear only as ciphertext that still has to be recovered. Implement reasonable authentication control so that the router can transmit credentials securely. On most routers you can configure protocols such as Remote Authentication Dial-In User Service (RADIUS), which work together with an authentication server to provide encrypted and authenticated router access. Authentication control forwards user authentication requests to an authentication server on the back-end network. The authentication server can also require two-factor authentication to strengthen the system: the first factor is the software or hardware token generator, the second is the user's identity and token passcode. Other authentication solutions involve transferring security credentials within Secure Shell (SSH) or IPsec.

3. Disable unnecessary services

Having a large number of router services available is convenient, but many recent security incidents have highlighted the importance of disabling unneeded local services. Note that disabling CDP on a router may affect the router's performance. Another factor to consider is timing. Accurate time is essential for effective network operation. Even if users synchronize time during deployment, clocks gradually drift out of sync over time. The Network Time Protocol (NTP) service compares against valid and accurate time sources to keep the clocks of devices on the network synchronized. However, the best way to ensure clock synchronization between network devices is not through the router but to place an NTP server on a DMZ segment protected by the firewall, and to configure that server to send time requests only to trusted external public time sources. On a router, you rarely need to run other services such as SNMP and DHCP; use these services only when absolutely necessary.

4. Restrict logical access

Logical access is restricted mainly by properly constructed access control lists. Limiting remote terminal sessions helps prevent attackers from obtaining logical access to the system. SSH is the preferred method of logical access, but if Telnet cannot be avoided, use terminal access control to restrict access to trusted hosts only. Therefore you must apply an access list to the virtual terminal ports used by Telnet on the router.

The Internet Control Message Protocol (ICMP) helps with troubleshooting, but it also gives attackers information for enumerating network devices, determining local timestamps and network masks, and guessing the OS version. To prevent attackers from collecting such information, allow only the following types of ICMP traffic into the user network: network unreachable, host unreachable, port unreachable, packet too big, source quench, and TTL exceeded. All other ICMP traffic should be denied by the logical access controls.

Use inbound access control to direct each specific service only to its corresponding server. For example, allow only SMTP traffic to the mail server, DNS traffic to the DNS server, and HTTP and HTTPS (HTTP over SSL) traffic to the web server. To prevent the router from becoming a DoS target, reject the following traffic: packets without a source IP address, and packets with a localhost address, a broadcast address, a multicast address, or any spoofed internal address as the source. Although users cannot prevent DoS attacks, they can limit their harm. You can increase the length of the SYN-ACK queue and shorten the ACK timeout to protect the router from TCP SYN attacks.

You can also use outbound access control to restrict traffic leaving the network. This control prevents internal hosts from sending ICMP traffic out and allows only packets with valid source addresses to leave the network. This helps prevent IP address spoofing and reduces the possibility that attackers use the user's systems to attack another site.
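An added example (not part of the original article) of the inbound and outbound filtering rules described in this section, written as Python packet-checking functions: the internal prefix 10.0.0.0/8, the server addresses and the packet records are constructed assumptions.

```python
import ipaddress

# Constructed addressing plan (an assumption, not from the article).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
SERVERS = {
    "mail": ipaddress.ip_address("10.0.1.25"),
    "dns":  ipaddress.ip_address("10.0.1.53"),
    "web":  ipaddress.ip_address("10.0.1.80"),
}
# ICMP (type, code) pairs the article allows inward: net, host and port
# unreachable, packet too big, source quench, TTL exceeded. Everything else
# (echo, timestamp and mask requests, ...) is denied.
ALLOWED_ICMP = {(3, 0), (3, 1), (3, 3), (3, 4), (4, 0), (11, 0)}
# Sources that must never arrive from outside: unspecified, loopback,
# multicast and limited broadcast.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in
                 ("0.0.0.0/8", "127.0.0.0/8", "224.0.0.0/4", "255.255.255.255/32")]


def inbound_filter(pkt):
    """Return True if a packet arriving on the Internet-facing interface is permitted."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    # Anti-spoofing: bogon sources, and outside packets claiming an internal address.
    if src in INTERNAL_NET or any(src in net for net in BOGON_SOURCES):
        return False
    proto = pkt["proto"]
    if proto == "icmp":
        return (pkt["type"], pkt.get("code", 0)) in ALLOWED_ICMP
    # Steer each service only to its own server; anything else is denied.
    port = pkt["dport"]
    if proto == "tcp" and port == 25:
        return dst == SERVERS["mail"]
    if proto in ("udp", "tcp") and port == 53:
        return dst == SERVERS["dns"]
    if proto == "tcp" and port in (80, 443):
        return dst == SERVERS["web"]
    return False


def outbound_filter(pkt):
    """Return True if a packet leaving the network is permitted: only valid
    internal source addresses may leave, and internal hosts send no ICMP out."""
    src = ipaddress.ip_address(pkt["src"])
    if src not in INTERNAL_NET:
        return False          # spoofed source: would let us be used against another site
    return pkt["proto"] != "icmp"
```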

5. Monitor configuration changes

After modifying the router configuration, you need to monitor it. If you use SNMP, you must choose a strong community string. It is best to use a version of SNMP that provides message encryption. If you do not configure devices remotely through SNMP management, configure the SNMP agents as read-only. Denying write access to these devices prevents attackers from using SNMP to modify or disable interfaces. In addition, send system log (syslog) messages from the router to a designated server.

To further secure management, users can use SSH and other encryption mechanisms to establish encrypted remote sessions with the router. To enhance protection, users should also restrict SSH session negotiation so that sessions are accepted only from the few trusted systems that users regularly use.

An important part of configuration management is ensuring that the network uses a sound routing protocol. Avoid the Routing Information Protocol (RIP): RIP is prone to spoofing and accepts invalid route updates. Border Gateway Protocol (BGP) and Open Shortest Path First (OSPF) can be configured to require an MD5 hash computed with a shared password before accepting route updates, so that the peer is authenticated by the password. These measures help ensure that any route updates the system accepts are legitimate.
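An added example (not from the article) of the keyed-MD5 route-update authentication described above, modelled on OSPFv2's cryptographic authentication: the shared key is zero-padded to 16 bytes and appended to the packet only while hashing, the 16-byte digest travels with the update, and the receiver recomputes it and also rejects replayed sequence numbers. The message layout, key and update contents are constructed simplifications.

```python
import hashlib
import hmac
import struct

# Constructed shared key and key id. The key never travels on the wire; the
# digest authenticates the update but does not encrypt it.
KEY_ID = 1
KEY = b"r0uting-secret"
DIGEST_LEN = 16


def _padded(key):
    return key.ljust(16, b"\x00")[:16]


def sign_update(update, seq, key=KEY):
    """Build an authenticated routing update. Layout (constructed for this
    example): 2-byte key id | 4-byte cryptographic sequence number | update |
    16-byte MD5 digest over everything before it plus the padded key."""
    body = struct.pack("!HI", KEY_ID, seq) + update
    digest = hashlib.md5(body + _padded(key)).digest()
    return body + digest


def verify_update(msg, last_seq, key=KEY):
    """Return (accepted, update, seq). Rejects unknown key ids, digests that
    do not match (wrong key or tampering) and replayed or stale sequence numbers."""
    if len(msg) < 6 + DIGEST_LEN:
        return False, None, last_seq
    body, digest = msg[:-DIGEST_LEN], msg[-DIGEST_LEN:]
    key_id, seq = struct.unpack("!HI", body[:6])
    if key_id != KEY_ID:
        return False, None, last_seq
    expected = hashlib.md5(body + _padded(key)).digest()
    if not hmac.compare_digest(digest, expected):   # constant-time comparison
        return False, None, last_seq
    if seq <= last_seq:                              # replay of an older update
        return False, None, last_seq
    return True, body[6:], seq


if __name__ == "__main__":
    msg = sign_update(b"10.1.0.0/16 via 10.0.0.2 cost 10", seq=41)
    print(verify_update(msg, last_seq=40))   # accepted
    print(verify_update(msg, last_seq=41))   # replay, rejected
```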

6. Implement configuration management

Users should implement configuration management policies that control the storage, retrieval, and updating of router configurations, and keep backup copies of the configuration on a secure server so that, if a new configuration causes problems, the original configuration can be modified, reinstalled, or restored.

On a router platform that supports a command-line interface (CLI), configuration files can be stored in two ways. One method is to run a script that establishes an SSH session between the server and the router, logs in to the system, disables console logging, displays the configuration, saves it to a local file, and logs out. The other method is to create an IPsec tunnel between the configuration server and the router and copy the configuration file to the server with TFTP inside the secure tunnel. Users should also specify who may change the router configuration, and when and how. Develop detailed rollback procedures before making any change.
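An added example (not from the article) tying sections 5 and 6 together: a stored configuration backup is compared with the current running configuration, and changes that touch security-relevant commands (SNMP access, interface state, password handling, logging) are reported for review. Both configuration texts are constructed IOS-style samples, and the keyword list is an assumption.

```python
import difflib
import hashlib

# Constructed IOS-style configurations (made up for this example): the stored
# backup and a later running configuration in which SNMP was switched to
# read-write, an interface was shut down and password encryption was disabled.
BASELINE = """\
hostname edge-rtr
service password-encryption
snmp-server community s3cr3tRO RO 10
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.0
 no shutdown
logging host 10.0.1.10
"""
CURRENT = """\
hostname edge-rtr
no service password-encryption
snmp-server community s3cr3tRO RW
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.0
 shutdown
logging host 10.0.1.10
"""
# Keywords whose change should be reviewed by a person (an assumed list).
SENSITIVE = ("snmp-server", "shutdown", "password", "logging", "access-list")


def fingerprint(config):
    """Hash stored alongside the backup; a cheap first check for any drift."""
    return hashlib.sha256(config.encode()).hexdigest()


def config_changes(baseline, current):
    """Line-level differences as (line, 'added'|'removed') tuples."""
    diff = difflib.unified_diff(baseline.splitlines(), current.splitlines(),
                                lineterm="", n=0)
    changes = []
    for line in diff:
        if line.startswith(("+++", "---", "@@")):
            continue                      # skip file and hunk headers
        if line.startswith("+"):
            changes.append((line[1:], "added"))
        elif line.startswith("-"):
            changes.append((line[1:], "removed"))
    return changes


def security_alerts(baseline, current):
    """Changes touching security-relevant commands, or [] if nothing drifted."""
    if fingerprint(baseline) == fingerprint(current):
        return []
    return [c for c in config_changes(baseline, current)
            if any(word in c[0] for word in SENSITIVE)]
```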
