The border router is the key device that connects an internal LAN to the external Internet. As the bridge between the internal and external networks, its safe operation decides the fate of the entire LAN. Because it is directly connected to the Internet, the border router bears the brunt of attacks, and it should therefore be a key maintenance object for the network administrator. This article uses Cisco routers as the example to share a security deployment scheme for the border router.
1. Secure deployment starts with the password
A password is the primary means a router uses to prevent unauthorized access, and it is the foundation of the router's own security. For a border router, a secure and reliable password policy is essential.
(1) Set a complex privileged-mode password
After logging on to the router for the first time, set a complex privileged-mode password with enable secret, for example:
Router(config)# enable secret 55ctocio
We recommend that you do not use enable password. The two commands serve the same purpose, but enable password stores the password with the weak, reversible type 7 scheme, whereas enable secret stores a one-way hash (MD5, shown as type 5, on older IOS releases; releases that support it can use enable algorithm-type scrypt secret for a stronger type 9 hash). You should also enable service password-encryption:
Router(config)# service password-encryption
This command encrypts all passwords and similar data stored in the configuration file, so that they no longer appear in clear text in the running configuration. Be aware of the limit of this protection: it uses the same reversible type 7 scheme, so it only prevents casual reading of the configuration (over a shoulder, or from a backup) and is not a substitute for enable secret. (Figure 1)
(2) Avoid remote access to the router where possible
If you do not need to maintain and manage the router remotely, we recommend that you do not enable remote access at all. Even when remote access is enabled, you must restrict who can reach it. Anyone who logs on to the router can see important information about the network, which helps an attacker with penetration. In another scenario, the attacker does not attack your LAN through the router but uses your router as a springboard to attack other targets; your router then does the attacker's work for them while you carry the consequences. Remote access to the router must therefore be controlled. In the special cases where it is needed, set a sufficiently strong remote access password, and do not reuse the privileged (enable) password for it. Note that the configuration below only sets a password on the vty lines; on a border router you should also restrict the permitted source addresses with an access-class ACL on the vty lines and allow only SSH (transport input ssh), because Telnet carries the password in clear text across the Internet.
Router(config)# line vty 0 4
Router(config-line)# login
Router(config-line)# password ineing55ete
(Figure 2)
(3) Set a strong console port password
Although most forms of login access are disabled by default, there are exceptions, the most important being a terminal directly connected to the console port. The console port has special privileges: if a Break signal is sent to it within the first seconds after the router restarts, the password recovery procedure hands over control of the entire system. This means that an attacker who has no normal access rights, but who can reboot the router (by cutting power or crashing it) and reach the console port (through a directly connected terminal, a modem, or a terminal server), can take over the whole device. You must therefore secure every console connection and set a strong password on the console port. Keep in mind that the console password alone does not stop the recovery procedure; physical security, and on platforms that support it the no service password-recovery command, are what actually block it.
Router(config)# line console 0
Router(config-line)# password ewingw58erer
Router(config-line)# login
(Figure 3)
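To make the difference between enable password / service password-encryption (type 7) and enable secret concrete, the following is an added example, not code from the original article and not a Cisco tool. It is a small Python audit that walks a saved running-config, flags every enable password and per-line password entry from sections such as line vty and line console, and recovers the plaintext of every type 7 string using the fixed XOR key IOS uses. The sample configuration is constructed for the example: the enable secret hash is a placeholder, the vty password is the article's own example, and 0822455D0A16 is the well-known type 7 encoding of "cisco".

```python
"""Audit a Cisco IOS running-config for weakly stored passwords.

Added example (not from the original article or from Cisco). It demonstrates
why `enable password` and `service password-encryption` give no real
protection: both store "type 7" strings, a fixed-key XOR that anyone who can
read the configuration reverses in a few lines. `enable secret` stores a
one-way hash and is the only acceptable form for the privileged password.
"""
import re

# The fixed XOR key of IOS type 7 obfuscation; it has been public for decades.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
# Two decimal digits of key offset ("seed"), then one hex byte per character.
TYPE7_RE = re.compile(r"^(\d{2})((?:[0-9A-Fa-f]{2})+)$")


def type7_decode(encoded: str) -> str:
    """Recover the plaintext of an IOS type 7 string."""
    m = TYPE7_RE.match(encoded)
    if not m:
        raise ValueError(f"not a type 7 string: {encoded!r}")
    seed, body = int(m.group(1)), bytes.fromhex(m.group(2))
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                  for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encode(plain: str, seed: int = 0) -> str:
    """Forward direction, as IOS does it; IOS picks a seed from 0 to 15."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be between 0 and 15")
    data = plain.encode("ascii")
    body = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


# `enable password ...` and per-line `password ...`, with an optional type digit.
PASSWORD_RE = re.compile(r"^(enable password|password)\s+(?:(\d)\s+)?(\S+)$")


def audit_config(config_text: str) -> list[dict]:
    """One finding per weakly stored password, with the plaintext where recoverable.

    `enable secret`, `username ... secret` and type 5/8/9 hashes are not flagged.
    """
    findings = []
    section = "global"
    for raw in config_text.splitlines():
        if raw and not raw[0].isspace():
            # A top-level `line ...` command opens a section; any other
            # top-level command returns us to global configuration.
            section = raw.strip() if raw.startswith("line ") else "global"
        m = PASSWORD_RE.match(raw.strip())
        if not m:
            continue
        keyword, ptype, value = m.groups()
        if ptype == "7":
            findings.append({"section": section, "command": keyword,
                             "issue": "type 7 is reversible",
                             "plaintext": type7_decode(value)})
        elif ptype in (None, "0"):
            findings.append({"section": section, "command": keyword,
                             "issue": "stored in clear text",
                             "plaintext": value})
    return findings


# Constructed sample configuration, not taken from a real device. The enable
# secret hash is a placeholder, the vty password is the article's example, and
# 0822455D0A16 is the well-known type 7 encoding of "cisco".
SAMPLE_CONFIG = f"""!
service password-encryption
hostname Router
enable secret 5 $1$salt$constructedplaceholderhash000
enable password 7 {type7_encode("Border-Rtr-Ena1", seed=3)}
!
line con 0
 password 7 0822455D0A16
 login
line vty 0 4
 password 7 {type7_encode("ineing55ete", seed=12)}
 login
!
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"{f['section']:<14} {f['command']:<16} {f['issue']}: {f['plaintext']}")
```

Run it against the output of show running-config saved to a file. Every password it recovers should be treated as already compromised and replaced: the privileged password with enable secret, and line passwords with login local backed by username ... secret entries, since the type 7 strings that service password-encryption produces offer no protection against anyone who holds a copy of the configuration.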