Cisco router Simple Security Configuration

Many junior network administrators ignore security settings when using Cisco routers, and the following three are ideal for novice users to configure network security when using Cisco routers.

One, the security configuration of the router "access control"

1, the administrator who can access the router is strictly controlled. Any maintenance needs to be documented.

2, the router is not recommended for remote access. It is recommended that you use Access control lists and high-intensity password controls, even if you require remote access routers.

3, strictly control the access to the con port. The specific measures are:

A, if you can boot the box, you can cut off the connection with the con port of the physical circuit.

B, you can change the default connection properties, such as modifying the baud rate (default is 96000, can be changed to another).

C, use the Access Control list to control access to the con port.

such as: Router (Config) #Access-list 1 Permit 192.168.0.1

Router (Config) #line con 0

Router (config-line) #Transport input None

Router (config-line) #Login Local

Router (config-line) #Exec-timeoute 5 0

Router (config-line) #access-class 1 in

Router (Config-line) #end

D, set a high strength password for the con port.

4, this port is prohibited if the AUX port is not used. The default is not enabled. Prohibit such as:

Router (Config) #line aux 0

Router (config-line) #transport input None

Router (config-line) #no exec

5, it is recommended to adopt a privilege grading strategy. Such as:

Router (Config) #username blushin privilege g00dpa55w0rd

Router (Config) #privilege EXEC level Telnet

Router (Config) #privilege EXEC level show IP access-list

6, set strong passwords for access to privileged mode. Do not use the Enable password to set the password. Instead, use the Enable secret command setting. and to enable service password-encryption.

7, control the access to the vty. If remote access is not required, it is prohibited. Be sure to set a strong password if you want. Because Vty is encrypted during the transmission of the network, it needs to be strictly controlled. Such as: Set strong password, control the number of concurrent connections, use Access list to strictly control access to the address, you can use AAA to set User access control.

8,ios upgrades and backups, as well as backup of configuration files suggest using FTP instead of TFTP. Such as:

Router (Config) #ip FTP username Blushin

Router (Config) #ip ftp password 4tppa55w0rd

Router#copy startup-config ftp:

9, timely upgrade and repair the iOS software.

Second, the security configuration of router "Network Service"

1, the CDP (Cisco Discovery Protocol) is prohibited. Such as:

Router (Config) #no CDP run

Router (CONFIG-IF) # no CDP enable

2, prohibit other TCP, UDP small service.

Router (Config) # no service tcp-small-servers

Router (Config) # no service udp-samll-servers

3, Finger service is prohibited.

Router (Config) # no IP finger

Router (Config) # no service finger

4, it is recommended that HTTP services be prohibited.

Router (Config) # no IP HTTP Server

If the HTTP service is enabled, it needs to be configured securely: Set the username and password, and use the access list for control. Such as:

Router (Config) # username Blushin Privilege G00dpa55w0rd

Router (Config) # IP HTTP auth Local

Router (Config) # no access-list 10

Router (Config) # Access-list Permit 192.168.0.1

Router (Config) # access-list deny any

Router (Config) # IP HTTP access-class 10

Router (Config) # IP HTTP Server

Router (Config) # exit

5, the BOOTP service is prohibited.

Router (Config) # no IP BOOTP server

Prevents the initial configuration file from being started and automatically downloaded from the network.

Router (Config) # no Boot network

Router (config) # no Servic config

6, prohibit IP Source Routing.

Router (Config) # no IP source-route

7, it is recommended that if the Arp-proxy service is not required, the router defaults to it.

Router (Config) # no IP proxy-ar

Router (config-if) # no IP proxy-ar

8, the explicit prohibition of IP directed broadcast.

Router (Config) # no IP directed-broadcast

9, prohibit IP classless.

Router (Config) # no IP classless

10, prohibit the ICMP protocol IP unreachables,redirects,mask replies.

Router (config-if) # no IP unreacheables

Router (config-if) # no IP redirects

Router (config-if) # no IP mask-reply

11, it is recommended that SNMP protocol services be prohibited. You must remove the default configuration for some SNMP services when prohibited. Or you need to access the list to filter. Such as:

Router (Config) # no Snmp-server Community public Ro

Router (Config) # no Snmp-server Community admin RW

Router (Config) # no Access-list 70

Router (Config) # access-list deny any

Router (Config) # Snmp-server Community Morehardpublic Ro 70

Router (Config) # no Snmp-server enable traps

Router (Config) # no Snmp-server system-shutdown

Router (Config) # no Snmp-server trap-anth

Router (Config) # no Snmp-server

Router (Config) # End

12, prohibit wins and DNS services if not necessary.

Router (Config) # no IP domain-looku

You need to configure if needed:

Router (Config) # hostname Router

Router (Config) # IP Name-server 202.102.134.96

13, explicitly prohibit unused ports.

Router (Config) # interface ETH0/3

Router (Config) # shutdown