In-depth analysis of router configuration to eliminate network security risks

Source: Internet
Author: User
Tags: http, authentication

Security first is the premise for everything we do, and that includes keeping the network safe when it relies on routers. Here we analyze how to configure a router so that the network becomes more secure. A router is the bridge between a LAN and the external network: it is an indispensable part of the network system and the front line of network security.

However, the maintenance of router configurations is rarely given the attention it deserves. If a router cannot guarantee its own security, the entire network behind it is insecure. In network security management, routers must therefore be planned and configured carefully and given the necessary protective measures, so that a weak router configuration does not expose the whole network system to vulnerabilities and risk. Below we introduce some router configuration security measures and methods that make the network more secure.

1. Add authentication for protocol exchanges between routers to improve network security.

An important feature of router configuration is route management and maintenance. Networks of any real size use dynamic routing protocols; the commonly used ones are RIP, VPN, OSPF, IS-IS, and BGP. When a router running the same routing protocol and the same area identifier is added to the network, it learns the network's routing table. However, this also means network topology information can leak, and a router can disrupt routing tables that are working normally by injecting its own routing table into the network. In severe cases the entire network may be paralyzed. The solution is to authenticate the routing information exchanged between routers: once an authentication method is configured, the router verifies the sender and receiver of each routing update.

2. Physical security of routers.

A router's console port is a port with special privileges. If an attacker gains physical access to the router and restarts it by cycling the power, the password recovery procedure can be carried out, after which the attacker logs on to the router and controls it completely. The console port and the power supply therefore need physical protection.

3. Protect the router password.

Even if the password in a backed-up router configuration file is stored in encrypted form, the plaintext password may still be recovered from it, so configuration backups must be protected as carefully as the router itself. Once the password leaks, the network is completely insecure.

4. Disable the router's diagnostic services (the TCP and UDP small servers).

The commands to disable these services are as follows:

no service tcp-small-servers
no service udp-small-servers

5. Block the router's current user list (the finger service).

The command to disable it is: no service finger.

6. Disable CDP.

CDP runs on top of the OSI Layer 2 protocol (the link layer) and lets a neighbor discover the configuration of the peer router, such as the device platform, operating system version, port, and IP address. Run the command no cdp run globally, or no cdp enable on an individual interface, to disable this service.

7. Prevent the router from accepting packets marked with the source route option, and discard data streams that carry it.

"ip source-route" is a global configuration command that allows the router to process data streams marked with the source route option. When source routing is enabled, the path specified in the source route information lets the data stream bypass the default route, and with it possibly the firewall. The command to disable it is as follows: no ip source-route.

8. Disable forwarding of directed broadcast packets.

The Smurf DoS attack uses routers configured to forward directed broadcasts as reflectors, consuming network resources and even paralyzing the network. Apply "no ip directed-broadcast" on each interface to stop the router from forwarding broadcast packets.

9. Manage the HTTP service.

The HTTP service provides the Web management interface. "no ip http server" stops the HTTP service. If HTTP must be used, use the "ip http access-class" command with an access list to strictly filter the allowed IP addresses, and use the "ip http authentication" command to set the authentication restrictions.
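To check a saved running-config backup against items 3 to 9 above, here is an added Python example (not part of the original article and not a Cisco tool): it scans a constructed sample configuration for the weak settings and reports the article's own "no ..." commands as the fix.

```python
# Constructed sample of an IOS running-config backup that still carries the weak
# settings this article tells you to turn off (not any real device's config).
SAMPLE_CONFIG = """\
service tcp-small-servers
service udp-small-servers
service finger
cdp run
ip source-route
enable password 7 0123456789ABCDEF
ip http server
interface FastEthernet0/0
 ip directed-broadcast
interface FastEthernet0/1
 no ip directed-broadcast
"""
# Global-mode lines that should not appear in a hardened configuration. Absence of
# a line is not proof of the "no ..." form: on many IOS releases "ip source-route"
# and "cdp run" are defaults that are not printed in the running-config at all.
GLOBAL_FINDINGS = {
    "service tcp-small-servers": "use 'no service tcp-small-servers'",
    "service udp-small-servers": "use 'no service udp-small-servers'",
    "service finger": "use 'no service finger'",
    "cdp run": "use 'no cdp run' (or 'no cdp enable' on exposed interfaces)",
    "ip source-route": "use 'no ip source-route'",
    "ip http server": "use 'no ip http server', or restrict it with "
                      "'ip http access-class' and 'ip http authentication'",
}

def audit_config(text):
    """Return (line_no, item, advice) findings for an IOS configuration text."""
    findings, interface = [], None
    lines = text.splitlines()
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        if line.startswith("interface "):
            interface = line.split(None, 1)[1]
        elif not raw.startswith(" "):
            interface = None  # any unindented line leaves interface sub-mode
        if line in GLOBAL_FINDINGS:
            findings.append((no, line, GLOBAL_FINDINGS[line]))
        elif line.startswith("enable password"):
            # Type 7 or plaintext is recoverable from a leaked backup; 'enable secret' is a one-way hash.
            findings.append((no, line, "replace with 'enable secret'"))
        elif line == "ip directed-broadcast" and interface:
            findings.append((no, f"{interface}: {line}", "use 'no ip directed-broadcast'"))
    stripped = [l.strip() for l in lines]
    if "ip http server" in stripped and not any(l.startswith("ip http access-class") for l in stripped):
        findings.append((0, "ip http server without access-class", "add 'ip http access-class <acl>'"))
    return findings
```

Running audit_config on a real backup shows the interface name beside each directed-broadcast finding, so the per-interface fix from item 8 can be applied exactly where it is missing.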
