How to set effective Router Security

Source: Internet
Author: User
Tags: http, authentication

Routers are deployed ever more widely, and their security needs special attention. Many administrators do not know how to configure router security in order to improve the security of their network. The router is the central device of the network system and the front line of network security: if a router cannot guarantee its own security, the entire network is insecure.

Therefore, in network security management you must plan and configure the router's security settings sensibly and take the necessary protective measures, so that security problems on the router do not expose the entire network system to vulnerabilities and risks. The following are some specific measures that harden the router's security settings, prevent attacks on the router itself and prevent the theft of network information. This article takes Cisco router IOS 12.0 as its example.

1. Add authentication to the protocol exchanges between routers to improve network security. An important aspect of router security settings is route management and maintenance. Networks of a certain scale currently use dynamic routing protocols; the common ones are RIP, VPN, OSPF, IS-IS and BGP. When a router running the same routing protocol and area identifier is added to the network, it learns the network's routing table. This can leak network topology information; the added router can also disrupt routing tables that were working normally by advertising its own routing table into the network, and in severe cases the entire network can be paralyzed. The solution is to authenticate the routing information exchanged between routers: when authentication is configured as part of the router's security settings, the sender and receiver of the routing information are identified. There are two authentication methods. "Plain text mode" offers low security; we recommend "MD5 mode".
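To show what separates the two modes, here is an added Python example (not from the original article and not Cisco code) that builds OSPFv2 packets under both authentication types as RFC 2328 Appendix D lays them out: the header layout, key ID, digest length and sequence-number check follow the RFC, while the router ID, area and key values are constructed.

```python
import hashlib
import hmac
import struct

# OSPFv2 authentication as described in RFC 2328, Appendix D.
# Constructed illustration: in "MD5 mode" the shared key never crosses the
# wire; an MD5 digest of (packet || key) trails the packet and a per-packet
# sequence number lets the receiver reject replayed captures.

KEY_ID = 1
AUTH_LEN = 16  # bytes of MD5 digest appended to the packet


def _padded(key):
    # IOS keys are at most 16 bytes; shorter ones are zero-padded to 16
    return key.ljust(16, b"\x00")[:16]


def ospf_header(length, router_id, area_id, autype, auth):
    # version 2, type 1 (Hello); checksum is zero under cryptographic auth
    return struct.pack("!BBH4s4sHH8s", 2, 1, length, router_id, area_id, 0, autype, auth)


def sign_plaintext(body, router_id, area_id, password):
    # AuType 1 "plain text mode": the password itself sits in the header
    auth = password.ljust(8, b"\x00")[:8]
    return ospf_header(24 + len(body), router_id, area_id, 1, auth) + body


def sign_md5(body, router_id, area_id, key, seq):
    # AuType 2: auth field = 0x0000, key id, digest length, sequence number
    auth = struct.pack("!HBBI", 0, KEY_ID, AUTH_LEN, seq)
    pkt = ospf_header(24 + len(body), router_id, area_id, 2, auth) + body
    return pkt + hashlib.md5(pkt + _padded(key)).digest()


def verify_md5(frame, key, last_seq):
    """Return the accepted sequence number, or None if the frame is rejected."""
    if len(frame) < 24 + AUTH_LEN:
        return None
    length, autype = struct.unpack("!H", frame[2:4])[0], struct.unpack("!H", frame[14:16])[0]
    pkt, digest = frame[:length], frame[length:length + AUTH_LEN]
    if autype != 2 or len(pkt) != length or len(digest) != AUTH_LEN:
        return None
    _, key_id, auth_len, seq = struct.unpack("!HBBI", pkt[16:24])
    # sequence numbers must be non-decreasing, so an old capture is rejected
    if key_id != KEY_ID or auth_len != AUTH_LEN or seq < last_seq:
        return None
    expected = hashlib.md5(pkt + _padded(key)).digest()
    return seq if hmac.compare_digest(expected, digest) else None
```

Note that sign_plaintext leaves the password readable at header bytes 16 to 23 of every packet, which is exactly what a sniffer on the segment collects.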

2. Physical security protection for router security settings. A router's console port is a port with special privileges. If an attacker gains physical access to a router and restarts it after a power failure, the attacker can carry out the "password recovery process", then log on to the router and take complete control of it.

3. Protect the router password. Even when the password in a backup of the router's security settings file is stored in encrypted form, its plaintext may still be cracked. Once the password leaks, the network is completely insecure.

4. Check the router diagnostic information.

5. Disable the listing of the router's current users. The command to close it is no service finger.

6. Disable the CDP (Cisco Discovery Protocol) service. Through this OSI Layer 2 (link layer) protocol, some configuration information of the peer router can be discovered, such as the device platform, operating system version, ports and IP addresses. Run the command no cdp run or no cdp enable to disable this service.

7. Prevent the router from accepting packets carrying source-route options and discard such data streams. "ip source-route" is a global configuration command that allows the router to process data streams marked with source-routing options. When source routing is enabled, the route specified in the source-route information lets the data stream bypass the default route, and possibly the firewall. The command to disable it is: no ip source-route.

8. Disable forwarding of directed broadcasts. The smurf DoS attack uses a router configured to forward broadcasts as a reflector, consuming network resources and even paralyzing the network. Apply "no ip directed-broadcast" on each interface to disable forwarding of directed broadcast packets.

9. Manage the HTTP service. The HTTP service provides a Web management interface. "no ip http server" stops the HTTP service. If you must use HTTP, use the "ip http access-class" command with an access list to strictly filter the permitted IP addresses, and use the "ip http authentication" command to set authentication restrictions.

10. Defend against spoofing attacks. Use access control lists to filter out all packets whose destination address is the network broadcast address, and all packets that claim to come from the internal network but actually arrive from outside.

11. Prevent packet sniffing. Attackers often install sniffing software on computers they have compromised inside the network, monitor network traffic and steal passwords, including SNMP community strings and the router's login and privileged passwords; this makes it hard for the network administrator to ensure network security. Do not log on to the router with unencrypted protocols over untrusted networks. If the router supports encrypted protocols, use SSH or Kerberized Telnet, or use IPSec to encrypt all of the router's management traffic.

12. Verify the validity of the data stream's path. RPF (reverse path forwarding) checks the reverse route: because the attacker's source address is invalid, the attack packets are discarded, which defends against spoofing attacks. The configuration command for RPF reverse path forwarding is: ip verify unicast rpf.

13. Prevent SYN attacks. On the Cisco 4xxx and 7x00 series platforms, IOS can enable TCP intercept to prevent SYN attacks. It works in two modes, interception and monitoring (Cisco's intercept and watch modes); the default is interception. Interception mode: the router answers an arriving SYN request with a SYN-ACK on behalf of the server and waits for the client's ACK; if the ACK arrives, the original SYN is sent on to the server. Monitoring mode: the router lets SYN requests reach the server directly, and if the session is not established within 30 seconds, the router sends an RST to clear the connection.

14. Use a secure SNMP management solution. SNMP is widely used to monitor and configure routers. SNMP version 1 is not suitable for management over public networks because of its low security. Use an access list to permit SNMP access only from specific workstations; this improves the security of the SNMP service. In short, router security settings and prevention are an important part of network security, and they must be combined with other security measures to build an overall security protection scheme.
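As an added example (not part of the original article), the following Python script audits a constructed IOS running-config excerpt against several of the measures above (items 5 to 9, 12 and 14). The command strings it looks for are taken from this article, so adjust them to the syntax of your IOS release; the interface names, addresses and community string in the sample are made up.

```python
import re

# Constructed running-config excerpt (not from a real device): items 5, 6
# and 7 applied globally, FastEthernet0/0 hardened, FastEthernet0/1 not.
SAMPLE_CONFIG = """\
service password-encryption
no service finger
no cdp run
no ip source-route
ip http server
snmp-server community public RO
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip directed-broadcast
 ip verify unicast rpf
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
"""

# article item -> line that must be present (command forms as given above)
GLOBAL_REQUIRED = {"5": "no service finger", "6": "no cdp run", "7": "no ip source-route"}
INTERFACE_REQUIRED = {"8": "no ip directed-broadcast", "12": "ip verify unicast rpf"}


def parse_config(text):
    """Split an IOS config into global lines and per-interface line lists."""
    globals_, interfaces, current = [], {}, None
    for line in (raw.rstrip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            globals_.append(line)
    return globals_, interfaces


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    globals_, interfaces = parse_config(text)
    findings = [f"item {k}: missing '{v}'" for k, v in GLOBAL_REQUIRED.items() if v not in globals_]
    for name, lines in interfaces.items():
        findings += [f"item {k}: {name} lacks '{v}'" for k, v in INTERFACE_REQUIRED.items() if v not in lines]
    # item 9: an enabled HTTP server needs an access-class restricting the client addresses
    if "ip http server" in globals_ and not any(g.startswith("ip http access-class ") for g in globals_):
        findings.append("item 9: HTTP server enabled without 'ip http access-class' filter")
    for g in globals_:
        # item 14: a community string with no trailing access-list number is reachable from anywhere
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\d+))?$", g)
        if m and not m.group(3):
            findings.append(f"item 14: SNMP community '{m.group(1)}' has no access list")
    return findings
```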
