Cleverly set vrouters to prevent network hacker intrusion

Source: China IT lab

Due to the complexity of enterprise network applications, network resources become more tight. In such an environment, enterprise network remote management becomes the heart disease of enterprise network administrators. Major network equipment manufacturers have also made a lot of effort on the enterprise network router products. After long-term research and analysis on the enterprise network application environment, developed a series of optimization measures and advanced functions for network applications in complex application environments. For example, vro remote management can reduce the burden on administrators and reduce maintenance costs for enterprises. But everything has two sides. At the same time, it facilitates some malicious users. If the security measures are not properly configured, enterprise routers are likely to be taken over by hackers, and the entire enterprise network is not secure.

Generally, a vro is the first entry to protect the Intranet. Therefore, in terms of network security management, the vro must be properly planned and configured to take necessary security protection measures, avoid vulnerabilities and risks to the entire network system due to security issues of the vro.

Protect vro passwords

Assume that a branch has a marketing outlet in the suburbs, and the employees of the marketing outlet share the Internet with the Broadband Router to maintain contact with the company headquarters. If a problem occurs, the administrator needs to take a car for more than two hours to the marketing outlet to maintain the Broadband Router, which is very exhausting. However, he thought of enabling the "Remote Control" function of the Broadband Router and performing remote maintenance on the router at the headquarters. However, security problems are bothering him. At the same time, it facilitates those who are "unfriendly". Once they get the Administrator account of the router, they can carry out various damage activities, the consequences are unimaginable. So how can we enhance the security of remote control?

It can be seen that the account and password are the first security line of the router. To manage the Broadband Router, you must first have the Administrator account of the router. However, by default, the initial account and password of the vro are relatively simple, especially when the vro remote control function is enabled, other users in the public network will have the opportunity to access the vro. If you do not modify the initial account of a vro to make it more complex and make it difficult for malicious users to guess and crack it, The vro may be used by others. Once the password is leaked, the network is completely insecure.

Enable vro Firewall

The security of vro remote management is greatly enhanced. However, in the face of ever-emerging viruses and hacker attacks on the network, in order to make better use of the built-in "firewall" of the router to add "double insurance" to the remote control security of the router ". On the Broadband Router Management page, click "Security Settings> firewall settings", and select "Enable Firewall" in the "Settings" box on the right, click "save" to enable the firewall function of the router. Click "Advanced Security Settings" to go to the "Advanced Security Settings" page. Here provides some more specific security defense functions, such as defense DoS attacks, ICMP-FLOOD attack filtering and TCP-SYN-FLOOD attack filtering. Figure 1

 

 

 

Set hidden ports, specific IP addresses, and disable

A complex access account is set for the Broadband Router, but this only lays a good foundation for the Remote Security Management router. However, many vrouters do not enable the remote control function by default. Therefore, they must be manually enabled. In addition, there are many security enhancement techniques and methods. On the Broadband Router Management page, click "Security Settings> remote Web management" to go to the "remote Web management" page. Next, you can enable the remote control function. By default, the vro uses port 80 to provide remote management, but this is very insecure and can be easily guessed by attackers. Therefore, you can modify the port number and use an uncommon port to provide remote management. In the "Web Management port" column, modify the port number used by remote management (such as "8081 "). Now, it is hard for attackers to guess the port number. Next, in the "remote Web management IP Address" column, enter the IP address of the public network computer that can remotely control the vro. The safest way is to allow a machine with a specific IP address to remotely log on to the router and set this parameter to the IP address used by the Administrator at the Headquarters (for example, "10. 254 .*.*"). Currently, only the IP host can remotely log on to the vro on the host at the headquarters of the company, but not on other public networks.

Disable telnet command logon. In most cases, you do not need an active telnet session from an Internet interface. If you enable Web logon, you can disable it, reduce the possibility of cyberattacks. Disable IP-targeted broadcast. IP-targeted broadcast allows attackers to launch denial-of-service attacks on routers. Therefore, it is necessary to disable this function to avoid DDOS attacks when attackers cannot log on to the vro. Because the memory and CPU of A vro cannot withstand too many requests, this result will cause cache overflow and the vro will fall. IP routing and IP redirection must also be disabled, because redirection allows data packets to come in from one interface and then go out from another interface, attackers can redirect specially designed data packets to a dedicated internal network, endangering the security of the internal network.