Network Management: How to maintain routers on campus

Vro has a wide range of applications and many problems have emerged. Here, we will mainly explain the knowledge of vro maintenance and share it with you here, hoping to help you. The campus is connected to the Internet, allowing teachers and students to obtain a large amount of information resources to broaden their horizons and knowledge.

Therefore, the establishment of campus networks has become the only way to promote the modernization of school education. As a router for the internal network and Internet connection hub of the campus network, it plays an important role in it. Therefore, the management and maintenance of the router is an essential major for every campus network administrator. Considering the versatility of the Primary and Secondary campus, we mainly introduce the maintenance content of Cisco 2612, a common router in the campus network. Of course, the content of this article can also be applied to routers such as Cisco 7600 with higher performance. The Cisco 2612 modular architecture provides the versatility needed to adapt to the changing network technology. It is equipped with a powerful RISC processor that can support the Advanced Quality of Service (QoS) required for today's evolving Networks), security and network integration features. By integrating the functions of multiple independent devices into one unit, Cisco 2612 also reduces the complexity of managing remote networks, it provides cost-effective solutions for Internet, Intranet access on campus, multi-service Voice/Data Integration, analog and digital dial-up access services, VPN access, centralized ATM access, VLAN, route bandwidth management, and other applications. solution.

Preparations before connection

Many primary and secondary school campus networks use the ADSL or HDSL connection method. First, check the Modem status. If the Modem DCD is not bright, the line connection is faulty. Check the access line connection first, then check the router's cable connection, connect the control terminal to the vro, and press enter to display the vro name. Connect a terminal or a PC node running simulation software to the CONSOLE port. Terminal or PC configuration information: 9600 baud 8 data bits no parity 2 stop bits 9600,8/N/2), meaning: baud rate 9600, data bit 8, stop bit 1, no parity. The administrator can also remotely set through Telnet address at the remote end. However, if the router is configured for the first time, the previous configuration method must be used.

Router Security Maintenance

Attacks initiated by exploiting vro vulnerabilities often occur. Router attacks waste CPU cycles, mislead information traffic, and cause network exceptions or even paralysis. Therefore, appropriate security measures must be taken to protect the security of the router.

Prevent password Leakage

According to CERT/CC Computer Emergency Response Team/control center at Carnegie Mellon University, 80% of Security breakthroughs were caused by weak passwords. Hackers often use weak passwords or default passwords for attacks. This vulnerability can be prevented by using a password extension and a password validity period of 30 to 60 days.

Disable IP Direct Broadcast

Smurf attacks are DoS attacks. In this attack, attackers use fake source addresses to send an "ICMP echo" request to your network broadcast address. This requires all hosts to respond to this broadcast request. This will reduce network performance. Use no ip source-route to disable the IP direct broadcast address.

Disable unnecessary services

To emphasize the security of the vro, You have to disable unnecessary local services, such as SNMP and DHCP, which are rarely used by users and can be used only when necessary. In addition, if possible, disable the HTTP settings of the vro because the identity authentication protocol used by HTTP is equivalent to sending an unencrypted password to the entire network. However, there is no valid rule in the HTTP protocol for password verification or one-time password verification.

Restrict logical access

Limiting logical access mainly relies on Reasonable disposal of access control lists. Limiting remote terminal sessions helps prevent hackers from obtaining system Logical access. SSH is the preferred logical access method, but if Telnet cannot be avoided, Use Terminal Access Control to restrict access to trusted hosts only. Therefore, you must add an access list to the virtual terminal port used by Telnet on the vrotelnet.

Block ICMP ping requests

Control the Message Protocol ICMP) helps to troubleshoot and identify the host in use, this allows attackers to view network devices, determine the local Timestamp and network mask, and speculate on the OS modified version. Therefore, by canceling the remote user's ping request response capability, it is easier to avoid unnoticed scanning activities or defend against "script kiddies" script kiddies for targets that are easy to attack ).

Disable IP Source Routing

The IP protocol allows a host to specify data packets to route through your network, rather than allowing network components to determine the optimal path. The valid application of this function is to diagnose connection faults. However, this function is rarely used. In fact, the most common purpose is to mirror the network for reconnaissance purposes, or to find a backdoor in a private network. This feature should be disabled unless you specify this feature for fault diagnosis only.

Monitoring configuration changes

After you modify the vro configuration, You need to monitor it. If you use SNMP, You must select a powerful shared string. It is best to use SNMP that provides message encryption. If you do not remotely configure the device through SNMP management, you are advised to configure the SNMP device as read-only. If you refuse to write access to these devices, you can prevent hackers from modifying or disabling interfaces. In addition, you must send system log messages from the vro to the specified server. To further ensure security management, users can use SSH and other encryption mechanisms to establish encrypted remote sessions with the vro. To enhance protection, users should also restrict SSH session negotiation and only allow sessions to communicate with several trusted systems that users often use.

Address Filtering

Create a policy on the campus network border router to filter inbound and outbound network violations based on IP addresses. Except in special cases, all IP addresses that attempt to access the Internet from within the network should have an allocated LAN address. For example, 192.168.0.1 may be legal to access the Internet through this vro. However, the address 216.239.55.99 may be fraudulent and part of an attack. On the contrary, source addresses for external communications from the Internet should not be part of the internal network. Therefore, IP addresses such as 192.168.X.X, 172.16.X.X, and 10. X must be blocked. Finally, all communications with the source address, the reserved address, and the destination address cannot be routed should be allowed through this router. This includes the return address 127.0.0.1 or Class E address segment. When setting up a campus network, the campus network can be smooth, secure, and reliable only when appropriate vrouters are selected and the Corresponding Maintenance policies are correctly configured and adopted, give full play to the campus network's role in school management and information resource acquisition.

How routers work

A vro is used to connect different network segments or networks by identifying the network ID numbers of different networks. To identify another network, the router must first identify the network ID of the Peer to see if it is consistent with the network ID number in the destination node address. If it is sent to the vro of the network, after receiving the packet from the source network, the router of the receiving Network, identify the node to which the message is sent based on the host ID in the IP address of the destination node, and then send it directly.