In-depth explanation of Cisco router default settings

Source: Internet
Author: User

This article explains the default settings of Cisco routers from three angles: a security analysis, the concrete countermeasures, and the default settings themselves. I hope it is useful to you.

Security Analysis

Readers who have configured routers know that network administrators often place access control lists (ACLs) on routers or switches to keep viruses and attackers out. On routers and switches made by Cisco, every ACL ends with an implicit "deny any" statement, so a packet that matches none of the rules in the list is discarded.

Recently, my company added Huawei 2621 series routers. The configuration methods for Cisco and Huawei devices are generally the same, so I wrote the ACL rules according to the default behaviour of the Cisco router and entered them on the Huawei router. Because Cisco adds the "deny any" statement automatically by default, I assumed the Huawei router would add it too. After the configuration, however, I found that none of the ACL filtering rules had taken effect: the packets that should have been filtered were still forwarded by the router normally.

After repeated research and consulting the documentation, I found that Huawei's access control lists end with an implicit "permit any" statement, so a packet that matches none of the rules in the ACL is allowed through. The consequence is serious: packets that match no ACL rule are forwarded unconditionally instead of being discarded as on Cisco, so the traffic that was meant to be filtered is not filtered at all and the network is exposed. Illegal packets bypass the anti-virus "Maginot Line" carefully set up by the network administrator and can easily intrude into the user's intranet.

Solution

How can this problem be solved? It is caused by the Huawei router's default ACL behaviour, so there are two options: add a "deny any" statement at the end of the ACL, or change the default end-of-ACL action to deny. The first method only applies to the ACL currently being configured; when a new ACL is created later, the router will again forward all unmatched packets by default. The second method changes the router's default itself, making it the same as the Cisco default of blocking all unmatched packets.

1. Add ACL rules directly

After entering all the ACL statements on the Huawei device, add "rule deny ip source any destination any" as the last rule so that packets matching none of the preceding rules are discarded.

2. Modify the default settings

Use "firewall default deny" on the Huawei device to change the default action for unmatched packets from forwarding to discarding. This removes the weakness from the default itself rather than from one ACL, so we recommend the second method.
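To make the difference between the two platform defaults concrete, and to show what each of the two fixes changes, here is a small first-match ACL evaluator written for this article. It is an added illustration, not Cisco or Huawei code: the Rule/Packet classes, the simplified rule syntax, the addresses and the sample ACL are all constructed here, and the `implicit` parameter stands in for the platform default (Cisco's invisible "deny any", or the Huawei "permit any" ending that the text describes, which "firewall default deny" switches to deny).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str    # source IPv4 address
    dst: str    # destination IPv4 address
    proto: str  # "tcp", "udp" or "icmp"


@dataclass(frozen=True)
class Rule:
    action: str         # "permit" or "deny"
    src: str            # CIDR prefix or "any"
    dst: str            # CIDR prefix or "any"
    proto: str = "ip"   # "ip" matches every protocol, like the CLI keyword

    def matches(self, pkt: Packet) -> bool:
        def covers(prefix: str, addr: str) -> bool:
            return prefix == "any" or ip_address(addr) in ip_network(prefix, strict=False)
        return (self.proto in ("ip", pkt.proto)
                and covers(self.src, pkt.src)
                and covers(self.dst, pkt.dst))


def evaluate(rules, pkt: Packet, implicit: str = "deny") -> str:
    """First-match ACL evaluation (hypothetical model, not vendor code).

    `implicit` is the action taken when no rule matches: "deny" models the
    Cisco behaviour (an invisible 'deny any' closes every ACL), "permit"
    models the Huawei default the article ran into ('permit any' at the end).
    """
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return implicit


def with_explicit_deny(rules):
    """Method 1 from the article: append the equivalent of
    'rule deny ip source any destination any' so this ACL no longer
    depends on the platform default."""
    return list(rules) + [Rule("deny", "any", "any", "ip")]


# Constructed sample ACL (private/documentation ranges, not real hosts):
# let the office LAN reach one internal server over TCP, block its ICMP,
# and intend everything else to be dropped.
RULES = [
    Rule("permit", "10.0.0.0/24", "192.168.1.10/32", "tcp"),
    Rule("deny", "10.0.0.0/24", "any", "icmp"),
]

# Constructed traffic: two packets the rules cover, one they do not.
OFFICE_TO_SERVER = Packet("10.0.0.5", "192.168.1.10", "tcp")
OFFICE_PING = Packet("10.0.0.5", "192.168.1.10", "icmp")
OUTSIDE_TO_INTRANET = Packet("203.0.113.7", "192.168.1.20", "tcp")


def compare_defaults(rules=RULES, pkt=OUTSIDE_TO_INTRANET) -> dict:
    """Decision for one packet under each platform default and each fix."""
    return {
        "cisco_implicit_deny": evaluate(rules, pkt, implicit="deny"),
        "huawei_implicit_permit": evaluate(rules, pkt, implicit="permit"),
        # Method 1: explicit final deny rule, platform default left permissive
        "fix1_explicit_deny_rule": evaluate(with_explicit_deny(rules), pkt, implicit="permit"),
        # Method 2: 'firewall default deny' changes the default itself
        "fix2_firewall_default_deny": evaluate(rules, pkt, implicit="deny"),
    }


if __name__ == "__main__":
    for name, pkt in [("office->server tcp", OFFICE_TO_SERVER),
                      ("office ping", OFFICE_PING),
                      ("outside->intranet tcp", OUTSIDE_TO_INTRANET)]:
        print(name, compare_defaults(RULES, pkt))
```

The packet from 203.0.113.7 matches no rule: it is dropped under the Cisco default and forwarded under the Huawei default, which is exactly the failure the article describes. Both fixes drop it, while the packets the rules do cover are decided identically in every column. This is also a useful test to run after any ACL change: send one packet that matches no rule and confirm it is discarded.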

Summary of Cisco router default settings

After this "Maginot Line" incident, we can see that even when the configuration commands look the same, it is best to read the user manual in advance when the vendor is different, paying special attention to the default settings, because the defaults can cause many unexplained faults. Do not be quick to suspect a hardware fault when a problem appears; start from the software and the configuration commands. A single small default setting can completely undermine a well-built anti-virus system. Therefore, network administrators should carefully test the network after every change to confirm that the measures actually take effect.
