Classic tutorial vro nine steps to protect Intranet Security

For most enterprise LAN, routers have become one of the most important security devices in use. Generally, most networks have a primary access point. This is the "virtual border router" that is usually used with a dedicated firewall ".

After proper configuration, the edge router can block almost all the most stubborn bad elements out of the network. If you want to, this type of router also allows good people to access the network. However, a vro without proper configuration is better than no security measures at all.

In the following guide, we will look at nine convenient steps you can use to protect network security. These steps ensure that you have a brick wall to protect your network, rather than an open door.

1. Modify the default password

According to foreign surveys, 80% of Security breakthroughs are caused by weak passwords. The network has a list of extensive default passwords for most vrouters. You are sure someone in some places will know your birthday. The SecurityStats.com website maintains a detailed list of available/unavailable passwords and a password reliability test.

2. Disable IP direct Broadcast IP Directed Broadcast)

Your server is very obedient. Let it do what it does, and no matter who sends the command. Smurf attacks are DoS attacks. In this attack, attackers use fake source addresses to send an "ICMP echo" request to your network broadcast address. This requires all hosts to respond to this broadcast request. This situation will at least reduce your network performance. Refer to your router information file to learn how to disable IP direct broadcast. For example, the "Centralconfig) # no ip source-route" command will disable the IP direct broadcast address of the Cisco router.

3. If possible, disable the HTTP settings of the router.

As described in Cisco's technical description, the identity authentication protocol used by HTTP is equivalent to sending an unencrypted password to the entire network. However, unfortunately, there is no valid rule in the HTTP protocol for password verification or one-time password verification.

Although this unencrypted password may be very convenient for you to set your vro from a remote location such as at home), other people can do the same thing you can do. Especially if you are still using the default password! If you must remotely manage the vro, make sure that you use the Protocol of SNMPv3 or later versions because it supports more strict passwords.

4. Block ICMP ping requests

The main purpose of ping is to identify the host currently in use. Therefore, ping is usually used for reconnaissance activities before large-scale collaborative attacks. By canceling the remote user's ability to receive ping requests, you can easily avoid scanning activities that are not noticed or defend against "script kiddies" scripts for targets that are easy to attack ).

Please note that this does not actually protect your network from attacks, but it will make you less likely to be an attack target.

5. Disable IP Source Routing

The IP protocol allows a host to specify the route through your network, rather than allowing network components to determine the optimal path. The valid application of this function is used to diagnose connection faults. However, this function is rarely used. This feature is most commonly used to mirror your network for reconnaissance purposes, or for attackers to find a backdoor in your private network. This feature should be disabled unless you specify this feature for fault diagnosis only. 6. Determine your data packet filtering requirements

There are two reasons to block the port. One of them is suitable for your network based on your security requirements.