Security Policy Checks

Source: Internet
Author: User
Tags: snmp, ssh

A customer's Cisco 3600 router suddenly became very slow. After checking the line and rebooting, it turned out that the IOS image was gone. The IOS image had to be transferred back over Xmodem; the router then started normally, and no hardware problem was found. A careful examination of the router's configuration revealed two configuration lines:
snmp-server community public RO
snmp-server community private RW

When asked, the network administrators explained that they had originally wanted to use a network tester to record the equipment's working status, and had configured these SNMP parameters for that purpose. For a router connected directly to the Internet, this configuration amounts to leaving the door open and welcoming attackers in.

Cisco's configuration documentation recommends establishing an effective security policy using the following steps:

1. Identify network resources to focus on protection

As in the example above, a network's Internet gateway has a very large impact once it stops working normally, so it needs focused protection; the network's important files, databases, applications and so on are likewise the focus of protection.

2. Find the danger point

Generally speaking, Internet gateways, Internet-facing servers, dial-in access and the like are prone to security problems and should be the focus of protection. Keep up with newly discovered vulnerabilities and take appropriate measures, such as patching, upgrading IOS, or temporarily shutting down the affected service. According to the "Security Advisor" web page on CCO, the more widespread and serious security vulnerabilities discovered in Cisco products this year are:

CSCdw33027  Scanning for SSH can cause the device to crash  2002-06-27
CSCdt93866  NTP buffer overflow vulnerability                2002-05-08
CSCdw67458  SNMP denial of service vulnerability             2002-02-12

Do you know about these vulnerabilities, and have you taken the appropriate measures? If not, your most recent incident was quite likely related to them, as some customers' experience shows. Besides security issues there are various other functional design flaws, so it is worth keeping up with the main IOS release train and upgrading.

3. Limit the scope of access

A typical means is the access control list. In the example above, the community strings public and private are of course well known. Because SNMP is a fairly insecure protocol (especially the older versions), you should also restrict which hosts may access the device over SNMP with an access control list: after "snmp-server community xxxx RO/RW" you can append a standard or extended access list.

The console port should be given a password, and "no exec-timeout" should not be configured. Telnet access is restricted by specifying access-class under line vty; on CatOS switches use the IP permit list; high-end devices can replace Telnet with SSH.

Unnecessary services, such as tcp/udp-small-servers, ip finger, ip http server and so on, should be disabled. The ip http server (the web management interface) had a serious security vulnerability last year; access to it can be limited with ip http access-class. The tftp-server service should be disabled once it is no longer needed, or else restricted with an ACL or replaced with the more secure FTP.

Routing protocols can be combined with authentication: the commonly used RIP v2, EIGRP, OSPF and BGP all support plaintext or MD5 authentication. Apply ACLs on interfaces to filter unnecessary traffic, and take advantage of IOS security features to prevent IP spoofing and some other common attacks.
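As an added example (not from the original article or from Cisco), here is a small Python audit script that checks a saved IOS configuration for the weak settings from the incident above and from this section: well-known or unrestricted SNMP communities, a vty line without access-class, a disabled exec-timeout, unneeded services, and missing service password-encryption. The two configurations, the community string and the ACL number are constructed samples, not a real device's config.

```python
import re
# Constructed sample modelled on the incident in the text; not a real device config.
WEAK_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
ip http server
line vty 0 4
 no exec-timeout
"""
# Constructed hardened counterpart applying the measures of section 3 and 7.
HARDENED_CONFIG = """\
service password-encryption
access-list 10 permit 192.0.2.10
snmp-server community Mon1tor%^R4 RO 10
no ip http server
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 transport input ssh
"""
SNMP_RE = re.compile(r"snmp-server community (\S+) (RO|RW)(?: (\S+))?$")

def audit_ios_config(text):
    """Return findings for the weak settings above; an empty list means none present."""
    lines, findings, blocks, current = text.splitlines(), [], {}, None
    for l in lines:
        if l.startswith(" ") and current:           # sub-command of a 'line ...' block
            blocks[current].append(l.strip())
            continue
        current = l if l.startswith("line ") else None
        if current:
            blocks[current] = []
        m = SNMP_RE.match(l)
        if m:
            name, mode, acl = m.groups()
            if name.lower() in ("public", "private"):
                findings.append(f"well-known SNMP community '{name}' ({mode})")
            if acl is None:                         # no access list after RO/RW
                findings.append(f"SNMP community '{name}' ({mode}) not limited by an access-list")
        if l in ("ip http server", "service tcp-small-servers", "ip finger"):
            findings.append(f"unnecessary service enabled: {l}")
    for name, cmds in blocks.items():
        if "no exec-timeout" in cmds or "exec-timeout 0 0" in cmds:
            findings.append(f"{name}: idle session never times out")
        if name.startswith("line vty") and not any(c.startswith("access-class") for c in cmds):
            findings.append(f"{name}: no access-class limiting remote-login sources")
    if "service password-encryption" not in lines:
        findings.append("service password-encryption not set")
    return findings
```

Running audit_ios_config on the output of "show running-config" gives one line per weak setting found, so the hardened sample returns an empty list while the weak sample returns eight findings.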

4. Check security assumptions

We usually make assumptions about the security status of the network; for example, we may assume that nobody within the company is familiar with the network devices or a particular application system, so there is little opportunity for an attack from inside. Such assumptions need to be checked periodically, because the environment changes: for example, a virus may attack the network, or hacker tools may fall into the hands of the curious. Therefore, after a period of time, the software on the network's internal equipment also needs the necessary upgrades.

5. Determining the cost of security measures

This includes the impact of security measures on the efficiency of the network, inconvenience to users, management requirements, and equipment cost. For network security equipment it is recommended to use domestic manufacturers' products as far as possible, for three reasons: first, foreign products may contain a backdoor; second, foreign countries place export restrictions on security products, so the products that can be bought have lower designed performance than domestic products; finally, domestic manufacturers can provide cheaper but higher-quality support.

6. Consideration of human factors

Security measures that lack user support are likely to be ineffective, so users should be trained to understand the security measures and to improve their security awareness. Users should also keep their passwords safe: do not give them to others over the phone or by e-mail, do not let others watch as a password is typed, and do not leave the console without logging out.

7. Keep a limited number of secrets

Use fewer passwords, but make them complex enough, for example by mixing uppercase letters and symbols such as %#^*&. Because the Telnet password is easily seen, it should be different from the enable secret, and you can use service password-encryption. Keep passwords safe; don't write them down under the keyboard :-).

8. Implementation of comprehensive and easily scalable security measures

Adopt a systematic approach and apply security measures across the entire process. A systematic approach also makes it easier to adjust the process appropriately when changes occur.

9. Understand the normal working state of the network

Knowing the normal state of the network makes it possible to notice abnormal situations and find security problems in time. Here, properly configured network management software or an IDS can be useful: they can immediately detect and record anomalies in the network and raise alarms.

10. Don't forget physical security

If an intruder can physically reach the device, its security is completely lost, so this most basic point must not be forgotten.

Besides regularly checking the security page of the product manufacturer's web site, two network security sites are recommended: CERT and the Green Alliance. If it is not convenient to go online often, you can subscribe to the corresponding mailing lists.
