Beware of network paralysis: router security

Source: Internet
Author: User
Tags: md5 hash

Attackers usually find it easiest to launch attacks by exploiting router vulnerabilities. Attacks on routers waste CPU cycles, misdirect traffic, and can paralyze the network. A good router protects itself with sound security mechanisms, but that alone is far from enough. To secure a router, the network administrator must also take appropriate security measures while configuring and managing it.

Block Security Vulnerabilities

Limiting physical access to the system is one of the most effective ways to secure a router. One way to restrict physical access is to configure console and terminal sessions to log out automatically after a short idle period. It is also important to avoid connecting a modem to the router's auxiliary port. Once physical access to the router is restricted, you must ensure that its security patches are up to date. Vulnerabilities are often disclosed before the vendor releases a patch, which gives attackers a window in which to exploit the affected system; users need to pay attention to this window.

Avoid an identity crisis

Attackers often exploit weak or default passwords. Prevent this by requiring longer passwords and a password validity period of 30 to 60 days. In addition, as soon as an important IT employee resigns, the passwords should be changed immediately. Enable the password encryption function on the router so that even an attacker who can read the system configuration file still has to recover the password from ciphertext. Implement sound authentication controls so that the router can transmit credentials securely. On most routers you can configure protocols such as Remote Authentication Dial-In User Service (RADIUS) to work with an authentication server and provide encrypted, authenticated router access. The authentication control forwards user authentication requests to authentication servers on the back-end network. The authentication server can also require two-factor authentication to strengthen the scheme: the first factor is a software or hardware token generator, and the second is the user's identity together with the token passcode. Other authentication solutions involve transferring security credentials inside Secure Shell (SSH) or IPsec.

Disable unnecessary services

Having a large number of routing services is a good thing, but many recent security incidents have highlighted the importance of disabling local services. Note that disabling CDP on a router may affect its performance. Another factor to consider is time. Accurate time is essential for effective network operations. Even if the user ensures time synchronization at deployment, clocks may gradually drift out of sync over time. The Network Time Protocol (NTP) service compares device clocks against a valid, accurate time source to keep the devices on the network synchronized. However, the best way to keep network devices synchronized is not through the router itself, but to place an NTP server in a firewall-protected DMZ segment and configure that server to allow time requests only to trusted external public time sources. Other services, such as SNMP and DHCP, are rarely needed on a router and should be used only when absolutely necessary.

Restrict logical access

Logical access is restricted mainly by well-designed access control lists. Limiting remote terminal sessions helps prevent attackers from gaining logical access to the system. SSH is the preferred method of logical access, but if Telnet cannot be avoided, use terminal access control to restrict it to trusted hosts only. This means adding an access list to the virtual terminal ports used by Telnet on the router.

The Internet Control Message Protocol (ICMP) is useful for troubleshooting, but it also gives attackers information with which to enumerate network devices, determine local timestamps and network masks, and guess the OS patch level. To keep attackers from collecting this information, allow only the following ICMP traffic into the user network: net unreachable, host unreachable, port unreachable, packet too big, source quench, and TTL exceeded. Logical access control should block all other ICMP traffic.

Use inbound access control to steer each service to its own server: for example, allow only SMTP traffic to reach the mail server, only DNS traffic to reach the DNS server, and only HTTP and HTTPS (HTTP over SSL, the Secure Sockets Layer) traffic to reach the web server. To keep the router from becoming a DoS target, reject the following inbound traffic: packets without an IP address, packets with a localhost address, broadcast addresses, multicast addresses, and any spoofed internal addresses. Users cannot prevent DoS attacks outright, but they can limit the damage. Increasing the length of the SYN-ACK queue and shortening the ACK timeout helps protect the router from TCP SYN attacks.

Outbound access control can also restrict traffic leaving the network. It can stop internal hosts from sending ICMP traffic and allow only packets with valid source addresses to leave the network. This helps prevent IP address spoofing and reduces the chance of attackers using the user's systems to attack another site.
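As an added illustration (not part of the original article), here are the inbound and outbound rules above expressed as a small policy evaluator. The internal prefix 10.0.0.0/8, the server addresses and the ICMP (type, code) pairs are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
# Constructed internal prefix and server roles: assumptions for this example, not from the article.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
SERVERS = {  # service -> (server address, protocol, destination port)
    "smtp": ("10.0.1.25", "tcp", 25), "dns": ("10.0.1.53", "udp", 53),
    "http": ("10.0.1.80", "tcp", 80), "https": ("10.0.1.80", "tcp", 443),
}
# The six ICMP (type, code) pairs the article allows inbound: net/host/port
# unreachable, fragmentation needed (packet too big), source quench, TTL exceeded.
ALLOWED_ICMP_IN = {(3, 0), (3, 1), (3, 3), (3, 4), (4, 0), (11, 0)}
BROADCAST = ipaddress.ip_address("255.255.255.255")
@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0        # destination port for tcp/udp
    icmp: tuple = (0, 0)  # (type, code) for icmp

def _addr(text):
    """Parse an IP address field; None means the packet carries no usable address."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None
def inbound_decision(pkt):
    """Apply the article's inbound rules to a packet arriving from outside."""
    src = _addr(pkt.src)
    if src is None:
        return "deny: no valid source IP"
    if src.is_unspecified or src.is_loopback or src.is_multicast or src == BROADCAST:
        return "deny: bogus source address"
    if src in INTERNAL_NET:
        return "deny: spoofed internal source"
    if pkt.proto == "icmp":
        return "permit" if pkt.icmp in ALLOWED_ICMP_IN else "deny: ICMP type not allowed"
    for name, (addr, proto, port) in SERVERS.items():
        if (pkt.dst, pkt.proto, pkt.dport) == (addr, proto, port):
            return f"permit: {name} to its server"
    return "deny: no matching service rule"

def outbound_decision(pkt):
    """Egress filter: only our own addresses may leave, and no ICMP leaves."""
    src = _addr(pkt.src)
    if src is None or src not in INTERNAL_NET:
        return "deny: source is not an internal address"
    if pkt.proto == "icmp":
        return "deny: outbound ICMP blocked"
    return "permit"
```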

Monitor configuration changes

After modifying the router configuration, you need to monitor it. If you use SNMP, choose a strong community string, and prefer a version of SNMP that provides message encryption. If you do not configure devices remotely through SNMP management, configure the SNMP agent as read-only. Denying write access to these devices prevents attackers from modifying or disabling interfaces. In addition, send the router's system log messages to a designated log server.

To further secure management, users can use SSH and other encryption mechanisms to establish encrypted remote sessions with the router. For added protection, users should also restrict SSH session negotiation so that only the few trusted systems the users regularly work from can open a session.

An important part of configuration management is ensuring that the network uses a sound routing protocol. Avoid the Routing Information Protocol (RIP): RIP is prone to spoofing and accepts invalid route updates. Border Gateway Protocol (BGP) and Open Shortest Path First (OSPF) can be configured so that neighbours authenticate each other by sending an MD5 hash of the password before route updates are accepted. These measures help ensure that any route update the system accepts is genuine.
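Added example, not from the article: a simplified model of how a keyed MD5 digest plus a sequence number lets a neighbour reject forged, tampered and replayed route updates. The wire format, the shared key and the prefixes are constructed for illustration and are not the real OSPF or BGP packet layout; current deployments prefer HMAC-SHA variants over MD5, but the pattern is the same.

```python
import hashlib
import hmac
import struct

# Shared secret configured on both neighbours (constructed value for this example).
SHARED_KEY = b"example-routing-secret"
KEY_LEN = 16  # OSPF fits the key into a 16-byte block before hashing

def _pad_key(key):
    """Truncate or zero-pad the key to the fixed 16-byte block."""
    return key[:KEY_LEN].ljust(KEY_LEN, b"\x00")

def encode_update(seq, routes):
    """Serialise a route update: sequence number, count, then (prefix, length, metric) entries."""
    body = struct.pack("!IH", seq, len(routes))
    for prefix, plen, metric in routes:
        body += struct.pack("!4sBI", bytes(map(int, prefix.split("."))), plen, metric)
    return body

def sign_update(update, key):
    """Digest = MD5(update || padded key); the key itself never travels on the wire."""
    return hashlib.md5(update + _pad_key(key)).digest()

class Neighbor:
    """Receiving router: verifies the digest and enforces a strictly increasing sequence number."""
    def __init__(self, key):
        self.key = key
        self.last_seq = -1
        self.routes = {}

    def receive(self, update, digest):
        # Constant-time comparison so timing does not reveal how many digest bytes matched.
        if not hmac.compare_digest(sign_update(update, self.key), digest):
            return "rejected: bad digest"
        seq, count = struct.unpack("!IH", update[:6])
        if len(update) != 6 + 9 * count:
            return "rejected: malformed update"
        if seq <= self.last_seq:
            return "rejected: replayed sequence number"
        self.last_seq = seq
        for i in range(count):
            raw, plen, metric = struct.unpack("!4sBI", update[6 + 9 * i:15 + 9 * i])
            self.routes[f"{'.'.join(map(str, raw))}/{plen}"] = metric
        return f"accepted: {count} route(s)"
```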

Implement Configuration Management

Users should implement a configuration management policy that controls how router configurations are stored, retrieved, and updated, and keep configuration backups on a secure server so that, if a new configuration causes problems, the original configuration can be modified, reinstalled, or rolled back to.

There are two ways to store configuration documents from a router platform that supports a CLI. One is to run a script that opens an SSH session from the server to the router, logs in, disables console logging, displays the configuration, saves it to a local file, and logs out. The other is to create an IPsec tunnel between the configuration server and the router and copy the configuration file to the server with TFTP inside the secure tunnel. Users should also specify who may change the router configuration, and when and how. Develop detailed rollback procedures before making any change.
