Route security settings and maintenance create security barriers

This article describes how to configure and maintain route security to create a security barrier and configure high security performance for your vro. Enter the network age with peace of mind! A router is an important bridge between a LAN and an external network. It is an indispensable part of the network system and a leading edge in network security. However, vro maintenance is rarely valued. Imagine that if a vro does not guarantee its own security, the entire network would be completely insecure.

Therefore, in terms of network security management, vrouters must be reasonably planned, configured for route security settings and maintenance, and necessary security measures must be taken, avoid vulnerabilities and risks to the entire network system due to security issues of the vro. Next we will introduce some router security measures and methods to make our network more secure.

Adds authentication for protocol exchanges between routers to improve network security.

An important feature of route security settings and maintenance is the management and maintenance of routes. Currently, a certain scale of networks use dynamic routing protocols, which are commonly used: RIP, VPN, OSPF, IS-IS, and BGP. When a vro with the same routing protocol and region identifier is added to the network, the route information table on the network is learned.

However, this routing security setting and maintenance method may cause network topology information leakage. It may also disrupt the routing information table that works normally on the network by sending its own routing information table to the network, in severe cases, the entire network is paralyzed. The solution to this problem is to authenticate the route information exchanged between routers in the network. When the router is configured with an authentication method, it will identify the sender and receiver of the route information.

Physical security protection of routers

A vro control port is a port with special permissions. If an attacker attempts to physically access a vro and restarts after a power failure, the system implements the "password repair process" and then logs on to the vro to completely control the vro.

Prevent Packet sniffing

Hackers often install the sniffing software on computers that have intruded into the network, monitor network data streams, and steal passwords, including SNMP communication passwords, as well as vro logon and privileged passwords, in this way, it is difficult for the network administrator to Ensure network security. Do not log on to the vro using non-encrypted protocols on untrusted networks. If the vro supports the encryption protocol, use SSH or KerberizedTelnet, or use IPSec to encrypt all the management flows of the vro.

Protect vro passwords

In the backup route security settings and Maintenance File, even if the password is stored in encrypted form, the plaintext of the password may still be cracked. Once the password is leaked, the network is completely insecure.

Blocks inspection of router diagnostic information

Run the following command to disable route security settings and maintenance: noservicetcp-small-serversnoserviceudp-small-servers

Disable CDP Service

On the basis of the OSI Layer 2 protocol (link layer), you can find some configuration information of the Peer router, such as the device platform, operating system version, port, and IP address. Run nocdprunning or nocdpenable to disable the service.

Prevents the router from receiving packets with source route marks and discards data streams with source route options.

"IPsource-route" is a global configuration command that allows a router to process data streams marked with source routing options. After the source route option is enabled, the route specified by the source route information enables the data stream to bypass the default route, which may bypass the firewall. The command to close is as follows: Reference segment: noipsource-route

Blocks the view of the current user list of the vro

The command to disable route security settings and maintenance is as follows: noservicefinger

Disable router broadcast packet forwarding

The SumrfD. o. S attack uses a router with a broadcast forwarding configuration as a reflector, occupying network resources and even causing network paralysis. Apply "noipdirected-broadcast" on each port to disable the router broadcast package.

Manage HTTP Services

Route security settings and maintenance: the HTTP service provides a Web management interface. "Noiphttpserver" can stop the HTTP service. If you must use HTTP, you must use the "iphttpaccess-class" command in the access list to strictly filter allowed IP addresses, and use the "iphttpauthentication" command to set authorization restrictions.

Prevent SYN Attacks

Currently, route security settings are maintained. Some software platforms of routers can enable TCP interception to prevent SYN attacks. The working mode is divided into interception and monitoring. The default mode is interception. (Interception mode: the router responds to the SYN request, and sends a SYN-ACK packet instead of the server, and then waits for the client ACK. If an ACK is received, the original SYN packet is sent to the server. Monitoring Mode: the router allows SYN requests to directly reach the server. If the session is not established within 30 seconds, the router sends an RST to clear the connection .)

First, set and maintain the access list for routing security to enable the IP address to be protected. The following is a reference segment: accesslist [1-199] [deny permit] tcpanydestinationdestination-wildcard. Then, Enable TCP interception: iptcpinterceptmodeinterceptIptcpinterceptlistaccesslist-numberIptcpinterceptmodewatch.

To defend against spoofing attacks, use the access control list to filter out all target addresses as network broadcast addresses and packages that claim to come from the internal network, but actually come from external sources. Configure the vro Port:
◆ Reference segment: ipaccess-grouplistinnumber
◆ The access control list is as follows:
◆ The following is a reference clip:
◆ Access-listnumberdenyicmpanyanyredirect
◆ Access-listnumberdenyip127.0.0.00.255.255.255any
◆ Access-listnumberdenyip224.0.0.031.255.255.255any
◆ Access-listnumberdenyiphost0.0.0.0any
◆ Note: The above four lines of commands will filter some data packets in the BOOTP/DHCP Application, and should be fully recognized when used in similar environments.

Verify validity of the data stream path

RPF (reversepathforwarding) is used for reverse route forwarding. Because the attacker's address is illegal, the attack packets are discarded to defend against spoofing attacks. The configuration command for RPF reverse-direction Forwarding is ipverifyunicastrpf. Note: you must first support CEF (CiscoExpressForwarding) Fast forwarding.

Use a secure SNMP Management Solution

SNMP is widely used in the monitoring and configuration of routers. SNMPVersion1 is not suitable for managing applications that pass through the public network because of its low security. The access list allows only SNMP access from a specific workstation. This function can improve the security performance of the SNMP service. Configuration command: snmp-servercommunityxxxxxRWxx; xx is the access control list number SNMPVersion2 using MD5 digital identity authentication. Different vro devices are configured with different digital signature passwords, which is an effective way to improve overall security performance.

Overview of route security settings and Maintenance

As a key device of the entire network, we need to pay special attention to the security problem. Of course, it is far from enough to protect our network by relying solely on the above settings. We also need to work with other devices to take security measures together, build our network into a secure and stable information exchange platform.