This article is intended for CISCO router users. It mainly introduces technical issues related to basic network equipment, regular system upgrades, and use of CISCO routers. I hope this article will help you.
These two tools enable communication between devices connected to the network and other networks. Although vrouters and vswitches look very similar, they have different functions in the Network: vswitches are mainly used to connect multiple devices in a building or campus to the same network. A vro is used to connect multiple networks. First, the router analyzes the data sent by the network, changes the data packaging method, and then sends the data to another network or other types of network.
They connect companies with the outside world to protect information from security threats and even determine which computers have a higher priority. System Administrators and security experts often spend a lot of energy configuring various firewalls, Web servers, and infrastructure devices that make up the enterprise network. However, they often ignore routers and switches. This often causes hackers to listen to network packets, modify routes, and perform other malicious attacks. This article analyzes and discusses the technical application of Cisco routers and switches.
1. Network Basic device Problems
Although many attacks target terminal hosts, such as web servers, application servers, and database servers, many users ignore the security issues of basic network devices. Routers and switches can be attacked, used as tools for hackers, and suitable devices for hackers to collect useful information. Cisco routers and switches have their own operating systems, or are known as CiscoIOS (network operating systems ). Like other operating systems, early versions have many vulnerabilities, which may cause many problems if users do not upgrade.
From an application perspective, routers and switches can not only serve as attack targets, but also help hackers conceal identities, create listening devices, or generate noise. For example, many Cisco switches can create a monitoring port to listen to other ports of the switch. In this way, administrators and hackers can back up the network data packets seen on the vswitch to a specified vswitch port. Despite the Administrator's efforts to prevent the monitoring problem caused by the hub in the system, if hackers can access the network through a vswitch, the network security is in danger.
2. Regularly upgrade the system
All systems must be upgraded in a timely manner. Cisco has been paying attention to IOS version update, upgrade and release policies, and the system versions released by Cisco are relatively stable. The first thing to do when analyzing basic network devices is to investigate the various IOS systems running on the system. You can use the ShowVersion command to conveniently find the information. If the user finds that the 10 s system version is old, it is best to compare the energy and money spent on the upgrade before the upgrade, consider "if there is no problem, no need to upgrade. What is more important than the IOS system version is whether the version has exceeded the use cycle. Cisco defines three phases:
Early development phase (EarlyDeployment, ED ). The 10 s system in this period has some immature new features and many problems. LimitedDeployment (LD ). IOS in this status is mainly an improved version for the vulnerabilities in the ED system. General development stage (GeneralDeployment, GD ). At this stage, the IOS system emphasizes system stability and basically has no vulnerabilities. Even though users all want to use the latest I0S system, I would also like to remind users to pay attention to their actual needs. The GD version will point out a large number of detected vulnerabilities in the system, it is usually a version that has fixed the detected vulnerability. Unless the system of this version has serious vulnerabilities, there is no choice but to upgrade.
3. Configure the Cisco Router
The Cisco router is easier to protect than the UNIX system at the host level, because the system provides fewer remotely accessible services. A Router performs complex routing computing and plays an important role in the network. It does not have services such as BIND, IMAP, POP, and sendmail, which are frequently problematic in UNIX systems. Although there are few ways to access a vro, further configuration is required to restrict further access to the vro.
Most Cisco routers are still controlled through remote logon and do not adopt any encryption method. Communication Using Remote logon is transmitted in plain text, which easily exposes the logon password. Although CiscoIOS12.1 adopts the SSHl encryption method, there are still many problems. Before Cisco considers using SSH, users can only use Telnet. However, there are still many ways to control the access to the vro, thus limiting the access to the vro by unauthorized users. You can log on to a vro through the physical Console port, physical Auxiliary port, and other physical serial ports (only in a model with a port ); enter the IP address of a unit through remote logon. The first three methods require physical interfaces, which is easy to control. The fourth method is discussed below.
The Cisco router has five virtual terminals that can be remotely logged on or called vty. When using remote logon, pay attention to two points. First, make sure that all vty logon requires a password. The following command can be used for Configuration:
Router1 (config) # linevty04
Router1 (config) # passwordfabi0!
In this way, you need to enter the "fabi0!" password when logging on through vty !". Second, you can increase the control level to prevent hacker intrusion. You can bind five vty instances at the same time. The specific command is as follows:
Router1 (config) # linevty04
Router1 (config-line) # exec-timeout1
Router1 (config-line) # exit
Router1 (config) # servicetcp-keepalives.in
These commands set the vty time limit to 1 minute and the TCP connection time limit. In addition to the preceding commands, you can set a standard access list to limit the number of workstations that can be remotely logged on to the vro itself. For example, if the system's management network segment is 10.1.1.0 and you will be remotely logged on, the following command can limit the number of inbound Remote logon sessions in this range. The command is as follows:
Router1 (config) # access-list1permit10.1.1.00.0.0.255
Router1 (config) # access-list1denyany
Router1 (config) # linevty04
Router1 (config. line) # access-class1in
When it comes to physical access, there are two points to note: the Console port and the auxiliary Management port. The Auxiliary port is set to access the router through a modem and other devices. It is very important to protect this port. The cCisco router can run the following command:
Router1 (config) # lineaux0
Router1 (config. line) # passwordfabi0!
Router1 (config) # lineconsole0
Router1 (config. line) # passwordfabi0!