Simple Solution for Cisco Router Security Configuration

Source: Internet
Author: User
Tags: key string, snmp, strong password

I. Router Access Control Security Configuration

1. Strictly control which administrators can access the router. Any maintenance must be recorded and filed.

2. Do not access the router remotely. If remote access is unavoidable, we recommend restricting it with an access control list and strong password control.

3. Strictly control access to the CON (console) port. Specific measures include:

A. If the chassis can be opened, physically disconnect the line connected to the CON port.

B. Change the default connection properties; for example, change the baud rate (9600 by default) to a different value.

C. Use an access control list to control access to the CON port. For example:

Router(config)# access-list 1 permit 192.168.0.1

Router(config)# line con 0

Router(config-line)# transport input none

Router(config-line)# login local

Router(config-line)# exec-timeout 5 0

Router(config-line)# access-class 1 in

Router(config-line)# end

D. Set a strong password for the CON port.

4. Disable the AUX port if you do not use it (it is disabled by default). To disable it:

Router(config)# line aux 0

Router(config-line)# transport input none

Router(config-line)# no exec

5. We recommend a privilege-level policy, so that each user only gets the commands they need. For example:

Router(config)# username BluShin privilege 10 password G00dPa55w0rd

Router(config)# privilege exec level 10 telnet

Router(config)# privilege exec level 10 show ip access-list

6. Set a strong password for privileged (enable) mode. Do not set it with enable password; use the enable secret command instead, and turn on service password-encryption.

7. Control access to the VTY lines. Disable remote access where possible; where it is necessary, set a strong password. Because VTY is encrypted during network transmission, strict control is required: set a strong password, limit the number of concurrent connections, restrict the source addresses with an access list, and use AAA for user access control.

8. We recommend using FTP rather than TFTP for IOS upgrades and for backing up the IOS image and the configuration file. For example:

Router(config)# ip ftp username BluShin

Router(config)# ip ftp password 4tppa55w0rd

Router# copy startup-config ftp:

9. Upgrade and patch IOS software in a timely manner.

II. Router Network Service Security Configuration

1. Disable CDP (Cisco Discovery Protocol), globally and per interface. For example:

Router(config)# no cdp run

Router(config-if)# no cdp enable

2. Disable the TCP and UDP small services.

Router(config)# no service tcp-small-servers

Router(config)# no service udp-small-servers

3. Disable the finger service.

Router(config)# no ip finger

Router(config)# no service finger

4. We recommend disabling the HTTP service.

Router(config)# no ip http server

If the HTTP service must stay enabled, secure it: configure a username and password, and restrict access with an access list. For example:

Router(config)# username BluShin privilege 10 password G00dPa55w0rd

Router(config)# ip http authentication local

Router(config)# no access-list 10

Router(config)# access-list 10 permit 192.168.0.1

Router(config)# access-list 10 deny any

Router(config)# ip http access-class 10

Router(config)# ip http server

Router(config)# exit

5. Disable the BOOTP service.

Router(config)# no ip bootp server

Also disable booting from the network and the automatic download of the initial configuration file from the network.

Router(config)# no boot network

Router(config)# no service config

6. Disable IP source routing.

Router(config)# no ip source-route

7. Disable proxy ARP if you do not need it; it is enabled by default on the router.

Router(config)# no ip proxy-arp

Router(config-if)# no ip proxy-arp

8. Explicitly disable IP directed broadcast on each interface.

Router(config-if)# no ip directed-broadcast

9. Disable IP classless routing.

Router(config)# no ip classless

10. Disable ICMP unreachables, redirects, and mask replies on each interface.

Router(config-if)# no ip unreachables

Router(config-if)# no ip redirects

Router(config-if)# no ip mask-reply

11. We recommend disabling the SNMP service. When disabling it, also remove the default community strings; if SNMP must stay, restrict it with an access list. For example:

Router(config)# no snmp-server community public RO

Router(config)# no snmp-server community admin RW

Router(config)# no access-list 70

Router(config)# access-list 70 deny any

Router(config)# snmp-server community MoreHardPublic RO 70

Router(config)# no snmp-server enable traps

Router(config)# no snmp-server system-shutdown

Router(config)# no snmp-server trap-authentication

Router(config)# no snmp-server

Router(config)# end

12. Disable the WINS and DNS name services if they are not needed.

Router(config)# no ip domain-lookup

If name resolution is needed, configure it explicitly:

Router(config)# hostname Router

Router(config)# ip name-server 202.102.134.96

13. Explicitly shut down unused interfaces.

Router(config)# interface eth0/3

Router(config-if)# shutdown
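The following script is an added example, not part of the original article or of Cisco's tooling: a Python audit of a saved IOS running-config against the access-control and network-service items in sections I and II. The sample configuration and the rule lists are constructed for the example, and interface and line sub-commands are recognised by their leading-space indentation as in show running-config output.

```python
# Constructed sample running-config (not from the article) with several weaknesses to find.
SAMPLE_CONFIG = """\
enable password cisco
snmp-server community public RO
interface Ethernet0/1
 ip address 192.168.0.254 255.255.255.0
 no ip redirects
interface Ethernet0/3
line aux 0
line vty 0 4
 login local
"""
REQUIRED_GLOBAL = ["enable secret ", "service password-encryption", "no cdp run", "no ip source-route",
                   "no ip http server", "no ip bootp server", "no service tcp-small-servers",
                   "no service udp-small-servers"]
FORBIDDEN_GLOBAL = ("enable password ", "snmp-server community public ", "snmp-server community private ")
REQUIRED_IF = ["no ip redirects", "no ip unreachables", "no ip proxy-arp", "no ip directed-broadcast"]
REQUIRED_LINE = {"vty": ["access-class ", "exec-timeout ", "login local"],
                 "aux": ["no exec", "transport input none"]}
def parse_ios(text):
    # Global commands go to `glob`; indented sub-commands go under their interface/line block.
    glob, blocks, cur = [], {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and cur is not None:
            blocks[cur].append(line.strip())
        elif line.startswith(("interface ", "line ")):
            cur = line.strip()
            blocks[cur] = []
        else:
            cur = None
            glob.append(line.strip())
    return glob, blocks

def audit(text):
    # Returns one finding string per missing or forbidden command; [] means every check passed.
    glob, blocks = parse_ios(text)
    missing = [n for n in REQUIRED_GLOBAL if not any(g.startswith(n) for g in glob)]
    findings = [f"global: missing '{n}'" for n in missing]
    findings += [f"global: remove '{g}'" for g in glob if g.startswith(FORBIDDEN_GLOBAL)]
    for name, cmds in blocks.items():
        needs = REQUIRED_IF if name.startswith("interface ") else REQUIRED_LINE.get(name.split()[1], [])
        if name.startswith("interface ") and not any(c.startswith("ip address ") for c in cmds):
            needs = ["shutdown"]          # unused interface: the only requirement is that it is shut down
        elif "shutdown" in cmds:
            continue                      # shut-down interface: the per-interface ICMP settings are moot
        findings += [f"{name}: missing '{n}'" for n in needs if not any(c.startswith(n) for c in cmds)]
    return findings
```

Run `audit(open("running-config.txt").read())` against a config saved from the router; each finding names the block and the command to add or remove.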

III. Router Routing Protocol Security Configuration

1. First disable proxy ARP, which is enabled by default and can confuse the routing table.

Router(config)# no ip proxy-arp

or, per interface:

Router(config-if)# no ip proxy-arp

2. Enable OSPF routing protocol authentication. The default OSPF authentication password is transmitted in plaintext, so we recommend MD5 authentication with a key of reasonable strength (every router in the area must use the same key).

Router(config)# router ospf 100

Router(config-router)# network 192.168.100.0 0.0.0.255 area 100

! Enable MD5 authentication.

! "area <area-id> authentication" enables plaintext password authentication.

! "area <area-id> authentication message-digest" enables MD5 authentication.

Router(config-router)# area 100 authentication message-digest

Router(config-router)# exit

Router(config)# interface eth0/1

! Configure MD5 key 1 as routerospfkey.

! "ip ospf authentication-key" sets the plaintext key, which is transmitted in the clear.

! "ip ospf message-digest-key <key-id 1-255> md5 <key>" sets the MD5 key.

Router(config-if)# ip ospf message-digest-key 1 md5 routerospfkey
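To make concrete why the two OSPF authentication modes differ, here is an added Python example (not from the article) that builds an OSPFv2 Hello header with simple (AuType 1) and MD5 (AuType 2) authentication as described in RFC 2328 Appendix D, then verifies the digest on the receiving side. Router ID 192.168.100.1, area 100 and key 1 routerospfkey follow the configuration above; the Hello body is a constructed zero-filled placeholder.

```python
import hashlib, hmac, ipaddress, struct

def _key16(key):
    # RFC 2328 Appendix D: the secret is zero-padded (or truncated) to 16 bytes before hashing.
    return key.encode()[:16].ljust(16, b"\x00")

def _header(length, router_id, area_id, autype):
    # OSPFv2 header: version 2, type 1 (Hello); the checksum field is 0 when MD5 auth is in use.
    return struct.pack("!BBH4s4sHH", 2, 1, length,
                       ipaddress.ip_address(router_id).packed,
                       ipaddress.ip_address(area_id).packed, 0, autype)

def ospf_simple_auth(router_id, area_id, body, password):
    """AuType 1: the password is carried in the 8-byte authentication field in the clear."""
    auth = password.encode()[:8].ljust(8, b"\x00")
    return _header(24 + len(body), router_id, area_id, 1) + auth + body

def ospf_md5_auth(router_id, area_id, body, key_id, key, seq):
    """AuType 2: auth field = 0, key id, digest length, sequence number; the MD5 digest of
    (packet || key) is appended after the body and is not counted in the length field."""
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    pkt = _header(24 + len(body), router_id, area_id, 2) + auth + body
    return pkt + hashlib.md5(pkt + _key16(key)).digest()

def verify_md5(pkt, key):
    """Receiver side: recompute the digest over everything except the trailing 16 bytes."""
    data, digest = pkt[:-16], pkt[-16:]
    return hmac.compare_digest(hashlib.md5(data + _key16(key)).digest(), digest)

# Constructed Hello body; a real one carries the interface's netmask, timers and neighbours.
HELLO_BODY = b"\x00" * 20
PLAIN_PKT = ospf_simple_auth("192.168.100.1", "0.0.0.100", HELLO_BODY, "routerospfkey")
MD5_PKT = ospf_md5_auth("192.168.100.1", "0.0.0.100", HELLO_BODY, 1, "routerospfkey", 1)
```

With AuType 1 the (truncated) key bytes are visible in the packet; with AuType 2 they never leave the router, and any change to the packet or the key makes verification fail.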

3. RIP authentication. Only RIP version 2 supports authentication; RIP version 1 does not. We recommend enabling RIP v2 with MD5 authentication, because plain authentication is also transmitted in cleartext.

Router# configure terminal

! Define the key chain

Router(config)# key chain mykeychainname

Router(config-keychain)# key 1

! Set the key string

Router(config-keychain-key)# key-string MyFirstKeyString

Router(config-keychain)# key 2

Router(config-keychain-key)# key-string MySecondKeyString

! Enable RIP v2

Router(config)# router rip

Router(config-router)# version 2

Router(config-router)# network 192.168.100.0

Router(config)# interface eth0/1

! Use MD5 authentication and select the configured key chain

Router(config-if)# ip rip authentication mode md5

Router(config-if)# ip rip authentication key-chain mykeychainname

4. The passive-interface command stops routing information on interfaces that do not need to receive or send it. We recommend enabling passive-interface on every interface that does not need to run routing.

Note that in RIP, passive-interface only suppresses the sending of routing updates; receiving is not suppressed. In OSPF, both sending and receiving are suppressed.

! In RIP, stop interface eth0/3 from sending routing updates

Router(config)# router rip

Router(config-router)# passive-interface eth0/3

! In OSPF, stop interface eth0/3 from sending and receiving routing updates

Router(config)# router ospf 100

Router(config-router)# passive-interface eth0/3

5. Use access lists to filter junk and malicious routing information and to control unwanted route advertisements on the network.

Router(config)# access-list 10 deny 192.168.1.0 0.0.0.255

Router(config)# access-list 10 permit any

! Stop the router from accepting route updates for the 192.168.1.0 network

Router(config)# router ospf 100

Router(config-router)# distribute-list 10 in

! Stop the router from advertising routes for the 192.168.1.0 network

Router(config)# router ospf 100

Router(config-router)# distribute-list 10 out

6. We recommend enabling IP unicast reverse-path verification. It checks the validity of the source IP address and prevents some forms of IP spoofing. It can only be used on routers that have CEF (Cisco Express Forwarding) enabled.

Router# configure terminal

! Enable CEF

Router(config)# ip cef

! Enable unicast reverse-path verification on the interface

Router(config)# interface eth0/1

Router(config-if)# ip verify unicast reverse-path

IV. Other Router Security Configurations

1. Promptly upgrade the IOS software and install IOS patches.

2. Keep a secure backup of the IOS image, strictly and conscientiously.

3. Keep a secure backup of the router configuration file.

4. Purchase UPS equipment, or at least have redundant power supplies.

5. Keep a complete log of secure access to and maintenance of the routers.

6. Configure a strict login banner. It must state that unauthorized users are forbidden to log on.

7. Basic protection against IP spoofing, for example filtering non-public source addresses that try to reach the internal network. Filter: your own internal network address; the loopback range (127.0.0.0/8); RFC 1918 private addresses; the DHCP autoconfiguration range (169.254.0.0/16); the documentation test range (192.0.2.0/24); unused multicast addresses (224.0.0.0/4); SUN's old test addresses (20.20.20.0/24 and 204.152.64.0/23); and the all-zeros network (0.0.0.0/8).

Router(config)# access-list 100 deny ip 192.168.0.0 0.0.0.255 any log

Router(config)# access-list 100 deny ip 127.0.0.0 0.255.255.255 any log

Router(config)# access-list 100 deny ip 192.168.0.0 0.0.255.255 any log

Router(config)# access-list 100 deny ip 172.16.0.0 0.15.255.255 any log

Router(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 any log

Router(config)# access-list 100 deny ip 169.254.0.0 0.0.255.255 any log

Router(config)# access-list 100 deny ip 192.0.2.0 0.0.0.255 any log

Router(config)# access-list 100 deny ip 224.0.0.0 15.255.255.255 any

Router(config)# access-list 100 deny ip 20.20.20.0 0.0.0.255 any log

Router(config)# access-list 100 deny ip 204.152.64.0 0.0.1.255 any log

Router(config)# access-list 100 deny ip 0.0.0.0 0.255.255.255 any log

8. We recommend using an access list to control which source addresses may leave the internal network. For example:

Router(config)# no access-list 101

Router(config)# access-list 101 permit ip 192.168.0.0 0.0.0.255 any

Router(config)# access-list 101 deny ip any any log

Router(config)# interface eth0/1

Router(config-if)# description "internet Ethernet"

Router(config-if)# ip address 192.168.0.254 255.255.255.0

Router(config-if)# ip access-group 101 in
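The wildcard masks in items 7 and 8 are the inverse of the netmask and are easy to mistype, so here is an added Python example (not part of the article) that derives them from CIDR prefixes, generates the deny/permit lines for ACL 100 and ACL 101, and evaluates sample source addresses the way IOS does (first match wins, implicit deny at the end). The internal range 192.168.0.0/24 is assumed from the interface address above.

```python
import ipaddress

# Source ranges the checklist in item 7 says should never arrive from outside.
BOGONS = ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
          "192.0.2.0/24", "224.0.0.0/4", "20.20.20.0/24", "204.152.64.0/23", "0.0.0.0/8"]
ANY = ("0.0.0.0", "255.255.255.255")   # IOS "any": every bit is a don't-care bit

def wildcard(cidr):
    """CIDR prefix -> (network, wildcard mask); the wildcard is the bitwise inverse of the netmask."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.hostmask)

def ingress_entries(internal_cidr):
    """ACL 100 from item 7: deny the internal range and all bogons as source, then permit the rest."""
    return [("deny",) + wildcard(c) for c in [internal_cidr] + BOGONS] + [("permit",) + ANY]

def egress_entries(internal_cidr):
    """ACL 101 from item 8: only the internal range may be a source address leaving the LAN."""
    return [("permit",) + wildcard(internal_cidr), ("deny",) + ANY]

def render(number, entries):
    """Turn entries into the IOS lines an operator would enter in global configuration mode."""
    lines = []
    for action, net, wc in entries:
        src = "any" if (net, wc) == ANY else f"{net} {wc}"
        lines.append(f"access-list {number} {action} ip {src} any" + (" log" if action == "deny" else ""))
    return lines

def acl_action(src_ip, entries):
    """First match wins, as IOS evaluates an ACL; no match falls through to the implicit deny."""
    s = int(ipaddress.ip_address(src_ip))
    for action, net, wc in entries:
        n, w = int(ipaddress.ip_address(net)), int(ipaddress.ip_address(wc))
        if s & ~w == n & ~w:          # a 1 bit in the wildcard means "ignore this bit"
            return action
    return "deny"
```

`render(100, ingress_entries("192.168.0.0/24"))` reproduces the item 7 list with correct masks; `acl_action("10.1.2.3", ingress_entries("192.168.0.0/24"))` shows whether a given source would be logged and dropped.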

Article entry: csh responsible editor: csh
