Keep your router secure

Source: Internet
Author: User

Routers are everywhere in our study and work, so how do we configure router security? This article introduces the basics.

In a typical campus network, a router is generally placed outside the firewall and is responsible for connecting to the Internet. This topology leaves the router outside the campus network's security defenses. If the router itself does not adopt an appropriate security policy, it may become a stepping stone for attackers to launch attacks and threaten internal network security.

Access-list-based security policy

1. Prevent external IP address spoofing

Users on the external network may use a valid IP address of the internal network, or the loopback address, as the source address of their packets to gain illegal access. To address this problem, you can create the following access list:

access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
! Blocks all traffic whose source address is a private (RFC 1918) address.
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
! Blocks all traffic whose source address is a loopback address.
access-list 101 deny ip 224.0.0.0 15.255.255.255 any
! Blocks all traffic whose source address is a multicast address.
access-list 101 deny ip host 0.0.0.0 any
! Blocks traffic with an unspecified (0.0.0.0) source address.

Note: Apply access list 101 in the inbound direction on the external interface. An IOS access list ends with an implicit deny of everything not listed, so the list also needs a permit entry for the traffic you do want to accept; otherwise the interface drops all inbound traffic.

2. Prevent external illegal probing

Illegal visitors often use ping or similar commands to probe the network before launching an attack on the internal network. You can therefore reduce the risk by blocking ping, traceroute, and other network probes coming from outside. Create the following access list:

access-list 102 deny icmp any any echo
! Prevents the use of ping to probe the network.
access-list 102 deny icmp any any time-exceeded
! Prevents probing of the network with traceroute.

Note: Apply access list 102 in the outbound direction on the router's external interface. In this example the replies leaving the network are blocked while the incoming probes themselves are not. Two caveats: echo is the ICMP request type, and the reply to a ping from outside is an echo-reply message, so an outbound filter meant to suppress replies needs an entry matching echo-reply as well; and, as with any IOS access list, the implicit deny at the end means you must add a permit entry for the outbound traffic you want to allow.
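To see how the two access lists above actually decide on a packet, here is a small evaluator (an added example, not part of the original article and not an IOS feature) that implements IOS wildcard-mask matching, first-match ordering, and the implicit deny at the end of every list. The list text embeds the article's entries with the wildcard masks written in standard IOS form (0.255.255.255 for 10.0.0.0, 0.15.255.255 for 172.16.0.0, and so on). The packets, the 198.51.100.0/24 and 203.0.113.0/24 addresses, and the `PERMIT_REST` entry are constructed for illustration.

```python
"""Evaluate Cisco-style numbered access lists against sample packets.

Added example: implements IOS wildcard-mask semantics, first-match
ordering and the implicit "deny any" that closes every access list.
All packets and addresses below are constructed for illustration.
"""
import ipaddress

# The article's anti-spoofing list, masks in standard IOS form.
ACL_101 = """
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 224.0.0.0 15.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
"""

# The article's anti-probing list.
ACL_102 = """
access-list 102 deny icmp any any echo
access-list 102 deny icmp any any time-exceeded
"""

# Constructed closing entry; without it the implicit deny drops everything else.
PERMIT_REST = "access-list {n} permit ip any any\n"


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def _parse_addr(tokens, i):
    """Consume one IOS address spec at tokens[i]; return ((network, wildcard), next_index)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_acl(text: str) -> dict:
    """Parse 'access-list N {permit|deny} proto src dst [icmp-type]' lines into {N: [rules]}."""
    acls = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):  # skip blanks and IOS comments
            continue
        t = line.lower().split()
        if t[0] != "access-list":
            raise ValueError(f"unsupported line: {line}")
        number, action, proto = t[1], t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        icmp_type = t[i] if i < len(t) else None
        acls.setdefault(number, []).append((action, proto, src, dst, icmp_type))
    return acls


def evaluate(rules, packet: dict) -> str:
    """First matching rule wins; a packet that matches nothing hits the implicit deny."""
    for action, proto, src, dst, icmp_type in rules:
        if proto != "ip" and proto != packet["proto"]:
            continue
        if not wildcard_match(packet["src"], *src) or not wildcard_match(packet["dst"], *dst):
            continue
        if icmp_type is not None and icmp_type != packet.get("icmp_type"):
            continue
        return action
    return "deny"  # implicit deny at the end of every IOS access list


def check(acl_text: str, packet: dict) -> str:
    """Evaluate a packet against the single access list contained in acl_text."""
    (rules,) = parse_acl(acl_text).values()
    return evaluate(rules, packet)


if __name__ == "__main__":
    tcp_from_private = {"src": "10.8.8.8", "dst": "198.51.100.1", "proto": "tcp"}
    tcp_from_public = {"src": "203.0.113.7", "dst": "198.51.100.1", "proto": "tcp"}
    echo_out = {"src": "198.51.100.1", "dst": "203.0.113.7", "proto": "icmp", "icmp_type": "echo"}
    reply_out = dict(echo_out, icmp_type="echo-reply")
    for label, acl, pkt in [
        ("101: spoofed private source", ACL_101, tcp_from_private),
        ("101: public source, no permit entry", ACL_101, tcp_from_public),
        ("101: public source, with permit entry", ACL_101 + PERMIT_REST.format(n=101), tcp_from_public),
        ("102: outbound echo", ACL_102 + PERMIT_REST.format(n=102), echo_out),
        ("102: outbound echo-reply", ACL_102 + PERMIT_REST.format(n=102), reply_out),
    ]:
        print(f"{label:40s} -> {check(acl, pkt)}")
```

Running it shows the two behaviours the notes warn about: list 101 as written denies a legitimate public source until a permit entry is appended, and list 102 stops outbound echo requests but lets echo-reply through, because `echo` does not match the reply type.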
