Router application comprehensive knowledge

Currently, vrouters are widely used. Many people may not understand some important functions and skills in vro applications. It does not matter. After reading this article, you must have gained a lot, I hope this article will teach you more things. In the world of the Internet, router applications are an indispensable part. Without them, we cannot establish a connection with the colorful external world. Therefore, the management of router applications has always been one of the most important daily tasks of network administrators.

Based on my work practices, the author summarizes 14 ways to protect routers and prevent illegal intrusion. Vro is the main device of the network system and the frontier of network security. If the router application does not guarantee its own security, the entire network will be completely insecure. Therefore, in terms of network security management, router applications must be reasonably planned and configured, and necessary security measures must be taken, avoid vulnerabilities and risks to the entire network system due to security issues of the router application. The following are some specific measures to enhance vro security to prevent attacks on the vro itself and prevent the theft of network information.

1. added the authentication function for protocol exchanges between routers to improve network security.

One of the important functions of a router is the management and maintenance of routing. Currently, a certain scale of networks use dynamic routing protocols, which are commonly used: RIP, VPN, OSPF, IS-IS, and BGP. When a vro with the same routing protocol and region identifier is added to the network, the route information table on the network is learned. However, this method may cause network topology information leakage. It may also disrupt the routing information table that works normally on the network by sending its own routing information table to the network. In severe cases, the entire network may be paralyzed. The solution to this problem is to authenticate the route information exchanged between routers in the network. When the router is configured with an authentication method, it will identify the sender and receiver of the route information. There are two authentication methods. The "plain text mode" is of low security. We recommend that you use the "MD5 mode ".

2. Physical security protection of routers

A vro control port is a port with special permissions. If an attacker attempts to physically access a vro and restarts after a power failure, the system implements the "password repair process" and then logs on to the vro to completely control the vro.

3. Protect the vro Password

In the vro configuration file backed up, even if the password is stored in encrypted form, the plaintext of the password may still be cracked. Once the password is leaked, the network is completely insecure.

4. Disable inspection of router diagnostic information

The command to disable the service is as follows: no service tcp-small-servers no service udp-small-servers

5. Check the current user list of the vro.

The command to close is no service finger.

6. disable CDP Service

On the basis of the OSI Layer 2 protocol (link layer), you can find some important configuration information of the Peer router application, such as the device platform, operating system version, port, and IP address. You can run the command: no cdp running or no cdp enable to disable this service.

7. Prevent the router from receiving packets with source route marks and discard the data streams with source route options.

"IP source-route" is a global configuration command that allows router applications to process data streams marked with source routing options. After the source route option is enabled, the route specified by the source route information enables the data stream to bypass the default route, which may bypass the firewall. The command to close is as follows: no ip source-route.

8. Disable router broadcast packet forwarding.

The sumrf D. o. S attack uses a router with a broadcast forwarding configuration as a reflector, occupying network resources and even causing network paralysis. Apply "no ip directed-broadcast" on each port to disable the router broadcast package.

9. Manage HTTP Services

The HTTP service provides Web management interfaces. "No ip http server" can stop the HTTP service. If you must use HTTP, you must use the "ip http access-class" command in the access list to strictly filter the allowed ip addresses, and use the "ip http authentication" command to set the authorization restrictions.

10. Defense Against spoofing attacks

Use the access control list to filter out all target addresses as the network broadcast address and packages that claim to be from the internal network, but actually from the outside. In the vro port configuration: ip access-group list in number access Control list: access-list number deny icmp any redirect access-list number deny ip 127.0.0.0 0.20.255.255 any access-list number deny ip 224.0.0.0 31.20.255.255 any access-list number deny ip host 0.0.0.0 any note: the above four lines of command will filter some data packets in the BOOTP/DHCP Application, and should be fully recognized when used in similar environments.

11. Prevent Packet sniffing

Hackers often install the sniffing software on computers that have intruded into the network, monitor network data streams, and steal passwords, including SNMP communication passwords, and logon and privileged passwords of router applications, in this way, it is difficult for the network administrator to Ensure network security. Do not log on to the vro using non-encrypted protocols on untrusted networks. If the vro supports the encryption protocol, use SSH or receivized Telnet, or use IPSec to encrypt all management streams of the vro.

12. verify the validity of the data stream path

RPF (reverse path forwarding) is used for reverse route forwarding. Because the attacker's address is illegal, the attack packets are discarded to defend against spoofing attacks. The configuration command for RPF reverse route Forwarding is: ip verify unicast rpf. Note: CEF (Cisco Express Forwarding) must be supported first.