It is very useful to understand router configuration. This article introduces the security-related parts of router configuration, including blocking security vulnerabilities and avoiding identity crises (weak or default credentials). A router is a key device in an information network for network interconnection: it forwards data between different networks or CIDR blocks so that they can interconnect and share resources.
Block security vulnerabilities
Like computers and other network devices, routers have defects and vulnerabilities, and exploiting router weaknesses is a common way for attackers to carry out network attacks. Therefore, necessary measures must be taken to block router security vulnerabilities. Limiting physical access to the system is one of the most effective. Configure the console and terminal (VTY) sessions to log out automatically after a short idle period; this closes an avenue into the router and protects the security of the entire network. In addition, do not connect a modem to the router's auxiliary port.
Avoid identity crisis
Attackers often exploit weak or default passwords. Use longer passwords to defend against such attacks, and change the password immediately when the network administrator leaves the position. In addition, enable the router's password encryption function. On most routers you can configure protocols such as RADIUS (Remote Authentication Dial-In User Service) which, combined with an authentication server, provide encrypted and authenticated access to the router, raising the security of the router and of the entire network.
Restrict logical access
Restrict logical access by applying properly designed access control lists that limit remote terminal sessions; this helps prevent attackers from obtaining logical access to the system. SSH is the preferred method of logical access, but if Telnet cannot be avoided, use terminal access control to restrict access to trusted hosts only. In that case, you must apply an access list to the virtual terminal (VTY) ports that Telnet uses on the router.
Control ICMP
The Internet Control Message Protocol (ICMP) helps with troubleshooting, but it also gives attackers information for enumerating network devices, determining timestamps and network masks, and guessing the operating system version. To prevent attackers from collecting this information, only the following ICMP traffic should be allowed into the network: destination unreachable (network, host and port unreachable), packet too big, source quench, and TTL exceeded. Logical access control should deny all other ICMP traffic.
Inbound access control lets you direct each protocol only to its corresponding server. For example, allow only SMTP traffic to the mail server, only DNS traffic to the DNS server, and only HTTP and HTTPS (HTTP over the SSL/TLS layer) traffic to the web server. To prevent the router from becoming a DoS target, reject the following traffic: packets with no IP source address, packets using the local host (loopback) address, broadcast or multicast addresses, and any packets with a spoofed internal source address. You can also increase the length of the SYN/ACK queue and shorten the ACK timeout to protect the router from TCP SYN attacks.
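The inbound policy of the two preceding paragraphs, written out as a small filtering function. This is an added illustration, not code from the original article: the server addresses, the internal prefix and the sample packets are constructed, and "source is blocked" is read here as ICMP source quench (an assumption).

```python
# Added illustration (not from the original article) of the inbound filtering
# policy described above: an ICMP allow-list, per-server protocol restriction,
# and rejection of spoofed or bogus source addresses. Server addresses and
# the internal prefix are constructed sample values; "source is blocked" is
# read here as ICMP source quench (an assumption).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# ICMP type -> permitted codes (None = every code of that type).
ALLOWED_ICMP = {
    3: {0, 1, 3, 4},  # destination unreachable: net, host, port, fragmentation needed (packet too big)
    4: None,          # source quench
    11: None,         # time exceeded (TTL expired)
}

INTERNAL_NET = ip_network("10.0.0.0/8")  # constructed: the protected internal prefix
SERVERS = {                              # constructed: what each server publishes
    ip_address("192.0.2.10"): {("tcp", 25)},                # mail server: SMTP only
    ip_address("192.0.2.20"): {("udp", 53), ("tcp", 53)},   # DNS server
    ip_address("192.0.2.30"): {("tcp", 80), ("tcp", 443)},  # web server: HTTP and HTTPS
}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def bogus_source(src: str) -> bool:
    """Sources that can never legitimately arrive on the outside interface."""
    a = ip_address(src)
    return (a.is_unspecified or a.is_loopback or a.is_multicast
            or a == ip_address("255.255.255.255") or a in INTERNAL_NET)


def inbound_decision(pkt: Packet) -> str:
    """Return 'permit: ...' or 'deny: ...' for one inbound packet."""
    # Anti-spoofing first: these are dropped whatever protocol they carry.
    if bogus_source(pkt.src):
        return "deny: spoofed or bogus source address"
    if pkt.proto == "icmp":
        if pkt.icmp_type not in ALLOWED_ICMP:
            return "deny: ICMP type not permitted"
        codes = ALLOWED_ICMP[pkt.icmp_type]
        if codes is None or pkt.icmp_code in codes:
            return "permit: ICMP error message"
        return "deny: ICMP code not permitted"
    published = SERVERS.get(ip_address(pkt.dst))
    if published is None:
        return "deny: no service published at destination"
    if (pkt.proto, pkt.dport) in published:
        return f"permit: {pkt.proto}/{pkt.dport} to published server"
    return "deny: protocol not published for this server"


if __name__ == "__main__":
    for p in (Packet("198.51.100.5", "192.0.2.10", "tcp", dport=25),
              Packet("198.51.100.5", "192.0.2.10", "tcp", dport=80),
              Packet("10.1.2.3", "192.0.2.30", "tcp", dport=443),
              Packet("198.51.100.5", "192.0.2.30", "icmp", icmp_type=8, icmp_code=0)):
        print(p.src, "->", p.dst, p.proto, inbound_decision(p))
```

The anti-spoofing check runs before anything else because a packet claiming an internal, loopback, unspecified, broadcast or multicast source cannot be legitimate on the outside interface no matter which service it targets; ICMP is then reduced to the error types the text permits, and everything else is accepted only if the destination publishes exactly that protocol and port.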
Monitor router configuration changes
Changes to the router configuration need to be monitored. If SNMP is used, choose a strong community string, and prefer an SNMP version that provides message encryption. If you do not manage the router remotely through SNMP, configure the router's SNMP agent as read-only and reject write access to these devices; this prevents attackers from modifying or disabling interfaces. In addition, send the router's system log (syslog) messages to a designated server. To further secure management, use SSH or another encryption mechanism to establish encrypted remote sessions with the router.
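The controls from the sections above (idle timeouts on console and VTY lines, password encryption, SSH rather than Telnet, an access list on the VTY ports, read-only and non-default SNMP community strings bound to an access list, and a remote syslog host) can be checked mechanically against a saved configuration. The following audit script is an added example, not code from the original article; it assumes Cisco IOS-style configuration syntax, and the sample configuration is constructed and deliberately weak.

```python
# Added example (not from the original article): audit a saved router
# configuration for the controls discussed above. It assumes Cisco IOS-style
# syntax; the sample configuration below is constructed and deliberately weak.
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
hostname edge-rtr
service password-encryption
!
line con 0
 exec-timeout 5 0
!
line vty 0 4
 transport input telnet ssh
 login local
!
snmp-server community public RW
snmp-server community monitor RO 10
logging host 10.0.0.50
"""


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Group indented lines under their 'line ...' header; everything else goes under ''."""
    sections: Dict[str, List[str]] = {"": []}
    current = ""
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):               # continuation of the current block
            sections[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            sections.setdefault(current, [])
        else:
            current = ""
            sections[""].append(raw.strip())
    return sections


def has_idle_timeout(body: List[str]) -> bool:
    """True if an exec-timeout other than 0 (which means never) is set on the line."""
    for entry in body:
        parts = entry.split()
        if parts[0] == "exec-timeout":
            minutes = int(parts[1])
            seconds = int(parts[2]) if len(parts) > 2 else 0
            return minutes > 0 or seconds > 0
    return False


def audit(config: str) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    sections = parse_sections(config)
    top = sections[""]
    findings: List[str] = []
    if "service password-encryption" not in top:
        findings.append("password encryption disabled")
    for name, body in sections.items():
        if not name.startswith("line "):
            continue
        if not has_idle_timeout(body):
            findings.append(f"{name}: no idle exec-timeout")
        if name.startswith("line vty"):
            transport = [e for e in body if e.startswith("transport input")]
            if not transport or "telnet" in transport[-1] or transport[-1].endswith(" all"):
                findings.append(f"{name}: telnet permitted (prefer transport input ssh)")
            if not any(e.startswith("access-class") for e in body):
                findings.append(f"{name}: no access-class restricting remote hosts")
    for entry in top:
        m = re.match(r"snmp-server community (\S+)\s+(RO|RW)(?:\s+(\S+))?$", entry)
        if not m:
            continue
        community, mode, acl = m.groups()
        if mode == "RW":
            findings.append(f"snmp community {community!r} is writable")
        if community.lower() in ("public", "private"):
            findings.append(f"snmp community {community!r} is a default string")
        if acl is None:
            findings.append(f"snmp community {community!r} not bound to an access list")
    if not any(e.startswith("logging host") for e in top):
        findings.append("no remote syslog host configured")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the sample, the audit reports the missing idle timeout and access list on the VTY lines, the Telnet transport, and the writable, default, unrestricted `public` community; the read-only `monitor` community bound to access list 10 and the syslog host pass. The checks are intentionally simple string and regex matches on the saved text, which is enough for a periodic sanity check of the stored configuration files described in the configuration management section.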
Implement router configuration management
An important part of configuration management is making sure the network uses a suitable routing protocol and avoids the Routing Information Protocol (RIP), because RIP is vulnerable to spoofing and accepts illegitimate route updates. You must also control the storage, retrieval and updating of the router configuration so that you can change, reinstall or restore the original configuration when a new configuration turns out to be faulty. On a router platform that supports a command-line interface (CLI), the configuration file can be stored in two ways. One is a script that opens an SSH session, logs in, disables console logging, displays the configuration, saves it to a local file and logs out. The other is to create an IPsec tunnel between the configuration server and the router and copy the configuration file to the server with TFTP inside the secure tunnel. At the same time, it should be made clear who may change the router configuration, and when and how; detailed rollback procedures should be written before any change is made.
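Once configurations are collected and stored as described above, detecting an unexpected change and getting back to the last known-good version are the two operations that matter. The following snapshot store is an added example, not code from the original article: it keeps an ordered history keyed by SHA-256, reports the changed lines, and returns the previous configuration for rollback. Retrieving the running configuration (over SSH or through the IPsec/TFTP path) is outside the snippet, and the two configuration texts are constructed samples.

```python
# Added example (not from the original article): a minimal configuration
# history that detects changes by hash, shows what changed, and hands back the
# previous version for rollback. Collecting the running configuration (for
# example over SSH) is outside this snippet; the two configuration texts are
# constructed samples.
import difflib
import hashlib
from typing import List, Optional, Tuple

BASELINE = """\
hostname edge-rtr
snmp-server community monitor RO 10
logging host 10.0.0.50
"""

# Constructed: the same configuration after an unauthorised change
# (the SNMP community has been made writable and unbound from its access list).
TAMPERED = BASELINE.replace("snmp-server community monitor RO 10",
                            "snmp-server community monitor RW")


class ConfigStore:
    """Ordered history of configuration snapshots, each keyed by its SHA-256."""

    def __init__(self) -> None:
        self.history: List[Tuple[str, str]] = []   # (sha256 hex digest, config text)

    @staticmethod
    def fingerprint(text: str) -> str:
        return hashlib.sha256(text.encode("utf-8")).hexdigest()

    def record(self, text: str) -> bool:
        """Store a snapshot; return True if it differs from the last stored one."""
        digest = self.fingerprint(text)
        if self.history and self.history[-1][0] == digest:
            return False
        self.history.append((digest, text))
        return True

    def diff_last(self) -> List[str]:
        """Added ('+') and removed ('-') lines between the two most recent snapshots."""
        if len(self.history) < 2:
            return []
        old, new = self.history[-2][1], self.history[-1][1]
        return [line for line in difflib.unified_diff(
                    old.splitlines(), new.splitlines(), "previous", "current",
                    lineterm="", n=0)
                if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))]

    def rollback(self) -> Optional[str]:
        """Drop the latest snapshot and return the previous configuration to reapply."""
        if len(self.history) < 2:
            return None
        self.history.pop()
        return self.history[-1][1]


if __name__ == "__main__":
    store = ConfigStore()
    store.record(BASELINE)
    if store.record(TAMPERED):
        print("configuration changed:")
        print("\n".join(store.diff_last()))
        print("restored baseline:", store.rollback() == BASELINE)
```

Because `record` compares hashes rather than timestamps, a collection run that returns an identical configuration adds nothing to the history, and any difference at all, however small, is surfaced for review before the stored previous version is pushed back as the rollback step the text calls for.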