I. Router Access Control Security Configuration
1. Strictly control which administrators can access the router, and keep a record of every maintenance action.
2. Do not access the router remotely. If remote access is unavoidable, we recommend restricting it with an access control list and strong passwords.
3. Strictly control access to the console (CON) port. Specific measures include:
A. If the chassis can be opened, physically disconnect the line connected to the CON port.
B. Change the default connection properties, for example the baud rate (96000 by default) to another value.
C. Use an access control list to control access to the CON port. For example:
Router(config)# access-list 1 permit 192.168.0.1
Router(config)# line con 0
Router(config-line)# transport input none
Router(config-line)# login local
Router(config-line)# exec-timeout 5 0
Router(config-line)# access-class 1 in
Router(config-line)# end
D. Set a strong password for the CON port.
4. If you do not use the AUX port, disable it. It is disabled by default. To disable it:
Router(config)# line aux 0
Router(config-line)# transport input none
Router(config-line)# no exec
5. We recommend a privilege-level policy. For example:
Router(config)# username BluShin privilege 10 password G00dPa55w0rd
Router(config)# privilege exec level 10 telnet
Router(config)# privilege exec level 10 show ip access-list
6. Set a strong password for privileged (enable) mode. Do not set it with the enable password command; use enable secret instead, and enable service password-encryption.
7. Control access to the VTY lines. Disable remote access where possible; where it is necessary, set a strong password. Because VTY sessions are encrypted during network transmission, strict control is required: set a strong password, limit the number of concurrent connections, restrict the source addresses with an access list, and control user access with AAA.
8. We recommend FTP rather than TFTP for IOS upgrades and for backing up IOS images and configuration files. For example:
Router(config)# ip ftp username BluShin
Router(config)# ip ftp password 4tppa55w0rd
Router# copy startup-config ftp:
9. Upgrade and patch the IOS software promptly.
II. Router Network Service Security Configuration
1. Disable CDP (Cisco Discovery Protocol). For example:
Router(config)# no cdp run
Router(config-if)# no cdp enable
2. Disable the other TCP and UDP small services.
Router(config)# no service tcp-small-servers
Router(config)# no service udp-small-servers
3. Disable the finger service.
Router(config)# no ip finger
Router(config)# no service finger
4. We recommend disabling the HTTP service.
Router(config)# no ip http server
If the HTTP service must stay enabled, configure its security: set a user name and password, and restrict access with an access list. For example:
Router(config)# username BluShin privilege 10 password G00dPa55w0rd
Router(config)# ip http authentication local
Router(config)# no access-list 10
Router(config)# access-list 10 permit 192.168.0.1
Router(config)# access-list 10 deny any
Router(config)# ip http access-class 10
Router(config)# ip http server
Router(config)# exit
5. Disable the BOOTP service.
Router(config)# no ip bootp server
Also disable booting from the network and automatic download of the initial configuration file from the network.
Router(config)# no boot network
Router(config)# no service config
6. Disable IP source routing.
Router(config)# no ip source-route
7. Disable the proxy ARP service if you do not need it. It is enabled by default on the router.
Router(config)# no ip proxy-arp
Router(config-if)# no ip proxy-arp
8. Explicitly disable IP directed broadcast.
Router(config-if)# no ip directed-broadcast
9. Disable IP classless.
Router(config)# no ip classless
10. Disable ICMP unreachables, redirects, and mask replies.
Router(config-if)# no ip unreachables
Router(config-if)# no ip redirects
Router(config-if)# no ip mask-reply
11. We recommend disabling the SNMP service. When disabling it, also delete the default configuration of some SNMP services, or restrict access with an access list. For example:
Router(config)# no snmp-server community public RO
Router(config)# no snmp-server community admin RW
Router(config)# no access-list 70
Router(config)# access-list 70 deny any
Router(config)# snmp-server community MoreHardPublic RO 70
Router(config)# no snmp-server enable traps
Router(config)# no snmp-server system-shutdown
Router(config)# no snmp-server trap-auth
Router(config)# no snmp-server
Router(config)# end
12. Disable the WINS and DNS services unless they are needed.
Router(config)# no ip domain-lookup
If they are needed, configure:
Router(config)# hostname Router
Router(config)# ip name-server 202.102.134.96
13. Explicitly shut down unused ports.
Router(config)# interface eth0/3
Router(config-if)# shutdown
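The checklist in sections I and II can be audited mechanically. The following Python script is an added example (not part of the original article) that scans a running-config text for the items above: enable password instead of enable secret, missing service password-encryption, small servers, CDP, the HTTP server, read-write or default SNMP communities, and line settings (idle timeout, VTY access-class and transport, AUX exec). The sample configuration is constructed, and the regexes assume standard IOS running-config syntax.

```python
import re
# Constructed running-config excerpt (not from the page) with several of the weaknesses the checklist above describes.
SAMPLE_CONFIG = """\
enable password cisco
service tcp-small-servers
ip http server
snmp-server community admin RW
line con 0
 exec-timeout 0 0
line aux 0
 transport input all
line vty 0 4
 transport input telnet
"""
# (finding, regex, should_exist): a finding fires when the regex's presence in the config differs from
# what hardening requires. Settings IOS omits at their default (CDP on) need the explicit "no" form.
RULES = [
    ("enable password in use; use enable secret", r"^enable password ", False),
    ("service password-encryption not enabled", r"^service password-encryption$", True),
    ("TCP/UDP small servers enabled", r"^service (tcp|udp)-small-servers", False),
    ("CDP not disabled globally", r"^no cdp run$", True),
    ("HTTP server enabled", r"^ip http server$", False),
    ("default or read-write SNMP community", r"^snmp-server community ((public|private)\b|\S+ RW\b)", False),
]

def line_stanzas(config):
    # Group the indented sub-commands under each 'line con/aux/vty' stanza.
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None
    return stanzas

def audit(config):
    # Return the list of hardening findings for a running-config string.
    lines = config.splitlines()
    findings = [d for d, pat, want in RULES if any(re.match(pat, l) for l in lines) != want]
    for name, cmds in line_stanzas(config).items():
        transport = [c for c in cmds if c.startswith("transport input")]
        if any(c.startswith("exec-timeout 0 0") for c in cmds):
            findings.append(f"line {name}: idle timeout disabled")
        if name.startswith("vty") and not any(c.startswith("access-class ") for c in cmds):
            findings.append(f"line {name}: no access-class restricting source addresses")
        if name.startswith("vty") and any("telnet" in c or c.endswith(" all") for c in transport):
            findings.append(f"line {name}: telnet allowed; use ssh or none")
        if name.startswith("aux") and "no exec" not in cmds:
            findings.append(f"line {name}: AUX exec still enabled")
    return findings
```

Run `audit(open("running-config.txt").read())` against a saved `show running-config` to get the list of findings; an empty list means every checked item passed.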
III. Router Routing Protocol Security Configuration
1. First, disable proxy ARP, which is enabled by default and can confuse the routing table.
Router(config)# no ip proxy-arp
or
Router(config-if)# no ip proxy-arp
2. Enable OSPF routing protocol authentication.
The default OSPF authentication password is transmitted in plaintext. We recommend enabling MD5 authentication and setting a key of adequate strength (the neighbouring routers must share the same key).
Router(config)# router ospf 100
Router(config-router)# network 192.168.100.0 0.0.0.255 area 100
! Enable MD5 authentication.
! 'area <area-id> authentication' enables simple password authentication, which is transmitted in plaintext.
! 'area <area-id> authentication message-digest' enables MD5 authentication.
Router(config-router)# area 100 authentication message-digest
Router(config-router)# exit
Router(config)# interface eth0/1
! Set the MD5 key to routerospfkey.
! 'ip ospf authentication-key' sets a simple authentication key, which is transmitted in plaintext.
! 'ip ospf message-digest-key <key-id 1-255> md5 <key>' sets the MD5 key.
Router(config-if)# ip ospf message-digest-key 1 md5 routerospfkey
3. RIP protocol authentication. Only RIP version 2 supports authentication; RIP version 1 does not. We recommend enabling RIP version 2 with MD5 authentication, because the normal (text) authentication is also transmitted in plaintext.
Router# configure terminal
! Define the key chain
Router(config)# key chain mykeychainname
Router(config-keychain)# key 1
! Set the key string
Router(config-keychain-key)# key-string MyFirstKeyString
Router(config-keychain)# key 2
Router(config-keychain-key)# key-string MySecondKeyString
! Enable RIP version 2
Router(config)# router rip
Router(config-router)# version 2
Router(config-router)# network 192.168.100.0
Router(config)# interface eth0/1
! Use MD5 authentication and select the configured key chain
Router(config-if)# ip rip authentication mode md5
Router(config-if)# ip rip authentication key-chain mykeychainname
4. The passive-interface command suppresses routing updates on ports that do not need to send or receive routing information. We recommend enabling passive-interface on ports that do not need routing. Note that under RIP it only stops the port from sending routing updates; receiving is not suppressed. Under OSPF it suppresses both sending and receiving.
! Under RIP, stop port 0/3 from sending routing updates
Router(config)# router rip
Router(config-router)# passive-interface eth0/3
! Under OSPF, stop port 0/3 from sending and receiving routing updates
Router(config)# router ospf 100
Router(config-router)# passive-interface eth0/3
5. Use access lists to filter junk and malicious routing information and to control unwanted traffic in the network.
Router(config)# access-list 10 deny 192.168.1.0 0.0.0.255
Router(config)# access-list 10 permit any
! Stop the router from accepting routing updates for the 192.168.1.0 network
Router(config)# router ospf 100
Router(config-router)# distribute-list 10 in
! Stop the router from advertising routing information for the 192.168.1.0 network
Router(config)# router ospf 100
Router(config-router)# distribute-list 10 out
6. We recommend enabling IP unicast reverse-path verification. It checks that the source IP address is plausible and prevents some IP spoofing. However, it can only be used on routers with CEF (Cisco Express Forwarding) enabled.
Router# configure terminal
! Enable CEF
Router(config)# ip cef
! Enable unicast reverse-path verification
Router(config)# interface eth0/1
Router(config-if)# ip verify unicast reverse-path
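To make the reverse-path check above concrete, here is an added Python simulation (not code from the article or from Cisco) of strict unicast RPF: a packet passes only if the best route back to its source address leaves through the interface the packet arrived on. The forwarding table and interface names are constructed; the handling of the default route mirrors the allow-default keyword of the newer `ip verify unicast source reachable-via` syntax and is an assumption for the legacy command shown on the page.

```python
import ipaddress

# Constructed forwarding table (prefix, egress interface); not from the page.
# eth0/1 is the Internet-facing interface from the configuration above.
FIB = [
    ("192.168.0.0/24", "eth0/0"),  # internal LAN
    ("10.10.0.0/16", "eth0/2"),    # a second internal site
    ("0.0.0.0/0", "eth0/1"),       # default route towards the Internet
]

def best_route(src, fib=FIB, allow_default=True):
    # Longest-prefix match of src against the FIB, as CEF does.
    # Returns the egress interface, or None when nothing usable matches.
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue  # assumed: the default route is ignored unless allow-default is set
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_strict(src, ingress, fib=FIB, allow_default=False):
    # Strict reverse-path verification: the packet is accepted only if the
    # route back to its source points out of the ingress interface.
    return best_route(src, fib, allow_default) == ingress
```

On links with asymmetric routing, strict mode drops legitimate packets whose return path differs from the arrival interface, which is why IOS also offers a loose variant that only requires some route to the source to exist.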
IV. Other Router Security Configurations
1. Promptly upgrade the IOS software and install IOS patches.
2. Make secure backups of IOS strictly and conscientiously.
3. Make a secure backup of the router configuration file.
4. Purchase UPS devices, or at least have redundant power supplies.
5. Keep a complete log of secure access to and maintenance of the routers.
6. Configure the login banner strictly. It must state that unauthorized users are forbidden to log on.
7. Provide simple protection against IP spoofing, for example by filtering out packets with non-public source addresses entering the internal network. Filter your own internal network addresses; the loopback range (127.0.0.0/8); RFC 1918 private addresses; the link-local (DHCP autoconfiguration) range (169.254.0.0/16); the documentation test range (192.0.2.0/24); unwanted multicast addresses (224.0.0.0/4); SUN's old test addresses (20.20.20.0/24; 204.152.64.0/23); and the "this network" range (0.0.0.0/8).
Router(config)# access-list 100 deny ip 192.168.0.0 0.0.0.255 any log
Router(config)# access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
Router(config)# access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
Router(config)# access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
Router(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
Router(config)# access-list 100 deny ip 169.254.0.0 0.0.255.255 any log
Router(config)# access-list 100 deny ip 192.0.2.0 0.0.0.255 any log
Router(config)# access-list 100 deny ip 224.0.0.0 15.255.255.255 any
Router(config)# access-list 100 deny ip 20.20.20.0 0.0.0.255 any log
Router(config)# access-list 100 deny ip 204.152.64.0 0.0.1.255 any log
Router(config)# access-list 100 deny ip 0.0.0.0 0.255.255.255 any log
! Allow everything else; a numbered ACL ends with an implicit deny
Router(config)# access-list 100 permit ip any any
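The wildcard masks in anti-spoofing lists are easy to get wrong (a /23 is 0.0.1.255, not 0.0.2.255). The following Python helper is an added example, not part of the article, that converts CIDR prefixes to IOS wildcard form, validates existing `access-list N deny ip A W any` entries for contiguous wildcards and clean network addresses, and evaluates a candidate source address against the list first-match. The BOGONS list is constructed from the prefixes named above.

```python
import ipaddress
import re

ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) ip (\S+) (\S+) any")

def to_ios(prefix):
    # CIDR prefix -> (network address, IOS wildcard); the wildcard is the inverted mask.
    net = ipaddress.ip_network(prefix)
    return str(net.network_address), str(net.hostmask)

def check_entry(line):
    # Validate one 'access-list N deny ip A W any' line. Returns (cidr, None) when W is a
    # contiguous wildcard and A is the network address, otherwise (None, reason).
    m = ACL_RE.match(line.strip())
    if not m:
        return None, "not a source-only extended ACL entry"
    addr = int(ipaddress.ip_address(m.group(3)))
    wild = int(ipaddress.ip_address(m.group(4)))
    if (wild + 1) & wild:           # wild+1 must be a power of two for a contiguous mask
        return None, f"non-contiguous wildcard {m.group(4)}"
    if addr & wild:
        return None, f"{m.group(3)} has host bits set under wildcard {m.group(4)}"
    return f"{m.group(3)}/{33 - (wild + 1).bit_length()}", None

def build_deny_list(number, prefixes, log=True):
    # Emit the anti-spoofing ACL for a list of CIDR prefixes, final permit included.
    lines = []
    for p in prefixes:
        net, wild = to_ios(p)
        lines.append(f"access-list {number} deny ip {net} {wild} any" + (" log" if log else ""))
    lines.append(f"access-list {number} permit ip any any")
    return lines

def source_verdict(src, prefixes):
    # First-match evaluation: which denied prefix (if any) a source address falls in.
    addr = ipaddress.ip_address(src)
    for p in prefixes:
        if addr in ipaddress.ip_network(p):
            return "deny", p
    return "permit", None

# Constructed sample: the bogon ranges named on the page, written as CIDR prefixes.
BOGONS = ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
          "169.254.0.0/16", "192.0.2.0/24", "224.0.0.0/4", "0.0.0.0/8"]
```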
8. We recommend using an access list to control the source addresses leaving the internal network. For example:
Router(config)# no access-list 101
Router(config)# access-list 101 permit ip 192.168.0.0 0.0.0.255 any
Router(config)# access-list 101 deny ip any any log
Router(config)# interface eth 0/1
Router(config-if)# description "internet Ethernet"
Router(config-if)# ip address 192.168.0.254 255.255.255.0
Router(config-if)# ip access-group 101 in