Starting from the router for network protection: Cisco router security configuration

Source: Internet
Author: User
Tags: ftp connection, http authentication, md5 hash

Basic Cisco Router Security Configuration

The router is the nerve centre of the network: a WAN is built from routers connected to each other, and routers are now used inside LANs as well. In many enterprises and institutions routers provide network access and data communication, and the once-mysterious router has found its way into ordinary homes.
As the number of routers grows, router security has become a hot topic. This article looks at router security configuration from the network security angle; what follows are the study notes I recorded during my work, which I share here.

1. Configure the access control list:

The purpose of an access control list (ACL) is to protect the router and to shape network traffic. Every packet that enters or leaves a router interface is checked against the list applied to that interface, and the list decides whether the packet may pass. An ACL is therefore the first thing to configure when protecting a router.

There are several kinds of access lists; the most common are standard access lists and extended access lists.

Basic syntax for creating a standard access control list: access-list access-list-number {deny | permit} source [source-wildcard]

Note: access-list-number identifies the list and ranges from 1 to 99 for a standard list. deny or permit states whether matching packets are dropped or accepted. source is the address of the host sending the packet and source-wildcard is the wildcard mask applied to it: a 0 bit in the mask must match exactly, a 1 bit is ignored (so 0.0.0.255 matches a whole /24 and 0.0.0.0 matches one host). Entries are evaluated in order and the first match wins; a packet whose source matches no entry is dropped by the implicit deny at the end of every list. A simple example:

1) access-list 3 permit 172.30.1.0 0.0.0.255 */create access list 3 and permit packets from the 172.30.1.0 segment; with wildcard 0.0.0.255 this covers 172.30.1.0 to 172.30.1.255.
2) access-list 3 permit 10.1.1.0 0.0.15.255 */permit packets whose source address lies between 10.1.0.0 and 10.1.15.255 through the interface that applies the list (IOS stores this entry as 10.1.0.0 0.0.15.255, because the wildcard ignores the low four bits of the third octet).
3) access-list 3 deny 172.31.1.0 0.0.0.255 */reject packets from source addresses 172.31.1.0 to 172.31.1.255.

After creating the access list you must apply it; a list that is bound to nothing filters nothing. In interface configuration mode, ip access-group binds a list to an interface; on terminal lines, access-class binds a list to the VTY sessions. The keyword in or out states whether the list filters packets entering or leaving the interface.
For example, ip access-group 3 in */packets entering this interface must satisfy access list 3.

Because a standard access list matches on source address only, it cannot tell services apart; extended access lists (numbered 100 to 199) were introduced for this. An extended list can match on source address, destination address, protocol, port and other fields, and any of these can be used to stop a packet passing through the interface. A simple example (numbered lists are created with access-list; ip access-list is the syntax for named lists):

1) access-list 101 permit tcp any host 10.1.1.2 established log
2) access-list 101 permit tcp any host 172.30.1.3 eq www log
3) access-list 101 permit tcp any host 172.30.1.4 eq ftp log
4) access-list 101 permit tcp any host 172.30.1.4 log

Note:

The first line permits TCP packets to host 10.1.1.2 only when the established keyword matches, that is, when the ACK or RST flag is set. A fresh connection attempt from outside (a bare SYN) does not match, so only replies to connections initiated from the internal enterprise network get through. The check is stateless: it looks at TCP flags alone, so a crafted packet with ACK set (an ACK scan, for instance) passes it; tracking real connections needs a stateful firewall. The second line permits connections to the www service (port 80) on host 172.30.1.3; every other connection to that host is rejected, because an implicit deny any sits at the end of every access list. The third line permits FTP control connections (port 21) to host 172.30.1.4 and logs them; the fourth line then permits all other TCP traffic to 172.30.1.4, so the effect of the third line is a separate log entry and hit counter for FTP rather than a different decision.
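To make the wildcard-mask and first-match rules above concrete, the following added example (written for this page, not code from the original article or from Cisco) evaluates the two access lists discussed here against sample packets. It implements the IOS matching semantics it claims: wildcard masks, any and host, eq port, the established flag check, and the implicit deny. The ACL text, the packet dictionaries and the port-name table are constructed for the example; parse_acl, evaluate and wildcard_match are names chosen here.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the two access lists discussed on this page, in IOS syntax.
ACL_TEXT = """\
access-list 3 permit 172.30.1.0 0.0.0.255
access-list 3 permit 10.1.1.0 0.0.15.255
access-list 3 deny 172.31.1.0 0.0.0.255
access-list 101 permit tcp any host 10.1.1.2 established log
access-list 101 permit tcp any host 172.30.1.3 eq www log
access-list 101 permit tcp any host 172.30.1.4 eq ftp log
access-list 101 permit tcp any host 172.30.1.4 log
"""

PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53}
ANY = ("0.0.0.0", "255.255.255.255")
AddrSpec = Tuple[str, str]  # (base address, wildcard mask)


@dataclass
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "ip" for standard entries (any protocol), else "tcp", "udp", ...
    src: AddrSpec
    dst: AddrSpec
    dport: Optional[int]   # destination port from "eq", or None
    established: bool      # "established" keyword present
    log: bool              # "log" keyword present


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care


def parse_addr(tok: List[str]) -> Tuple[AddrSpec, List[str]]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D [wildcard]' from the front of the token list."""
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return (tok[1], "0.0.0.0"), tok[2:]
    if len(tok) > 1 and tok[1].count(".") == 3:
        return (tok[0], tok[1]), tok[2:]
    return (tok[0], "0.0.0.0"), tok[1:]  # bare address in a standard list = exact host


def parse_acl(config: str, number: int) -> List[Entry]:
    """Collect the entries of one numbered ACL, in configuration order."""
    entries: List[Entry] = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or not tok[1].isdigit() or int(tok[1]) != number:
            continue
        action, rest = tok[2], tok[3:]
        if 1 <= number <= 99:                      # standard ACL: source address only
            src, rest = parse_addr(rest)
            entries.append(Entry(action, "ip", src, ANY, None, False, "log" in rest))
            continue
        proto, rest = rest[0], rest[1:]            # extended: proto src dst [eq port] [established] [log]
        src, rest = parse_addr(rest)
        dst, rest = parse_addr(rest)
        dport = None
        if rest and rest[0] == "eq":
            name = rest[1].lower()
            dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
            rest = rest[2:]
        entries.append(Entry(action, proto, src, dst, dport, "established" in rest, "log" in rest))
    return entries


def evaluate(entries: List[Entry], pkt: dict) -> Tuple[str, Optional[int]]:
    """Return (decision, index of the matching entry). First match wins; no match is the implicit deny."""
    for i, e in enumerate(entries):
        if e.proto != "ip" and e.proto != pkt.get("proto"):
            continue
        if not wildcard_match(pkt["src"], *e.src) or not wildcard_match(pkt["dst"], *e.dst):
            continue
        if e.dport is not None and pkt.get("dport") != e.dport:
            continue
        if e.established and not (pkt.get("ack") or pkt.get("rst")):  # established = ACK or RST set
            continue
        return e.action, i
    return "deny", None  # implicit 'deny any' at the end of every ACL


if __name__ == "__main__":
    std, ext = parse_acl(ACL_TEXT, 3), parse_acl(ACL_TEXT, 101)
    for src in ("172.30.1.9", "10.1.15.7", "10.1.16.1", "172.31.1.9"):
        print(f"acl 3   src={src:<12} -> {evaluate(std, {'src': src, 'dst': '192.0.2.1'})}")
    probes = [
        {"src": "198.51.100.5", "dst": "10.1.1.2", "proto": "tcp", "dport": 22},               # inbound SYN
        {"src": "198.51.100.5", "dst": "10.1.1.2", "proto": "tcp", "dport": 22, "ack": True},  # reply segment
        {"src": "198.51.100.5", "dst": "172.30.1.3", "proto": "tcp", "dport": 80},
        {"src": "198.51.100.5", "dst": "172.30.1.3", "proto": "tcp", "dport": 23},
        {"src": "198.51.100.5", "dst": "172.30.1.4", "proto": "tcp", "dport": 21},
        {"src": "198.51.100.5", "dst": "172.30.1.4", "proto": "udp", "dport": 53},
    ]
    for p in probes:
        print(f"acl 101 {p['proto']} -> {p['dst']}:{p['dport']} ack={p.get('ack', False)} -> {evaluate(ext, p)}")
```

Run it as a script to see each decision; the 10.1.16.1 and UDP probes show the implicit deny, and the two probes to 10.1.1.2 show that established distinguishes packets purely by their ACK flag.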

2. Configure passwords:

1) Disable the enable password command. Its password storage is very old: the password sits in the configuration either in clear text or in the trivially reversible type 7 encoding, so anyone who can read the configuration can recover it. Remove it with: no enable password.

2) Use the enable secret command to set the password instead. IOS stores it as a salted MD5 hash (type 5), which cannot be turned back into the password from the configuration. The syntax is: enable secret [level level] {password | [encryption-type] encrypted-password}
Example:
Router(config)# enable secret level 9 ~@~!79#^&^089^ */set the privilege level 9 password to ~@~!79#^&^089^
Router(config)# service password-encryption */encrypt the remaining clear-text passwords (line, username) in the configuration; this uses type 7, which only hides them from a glance

The level keyword ties the secret to a privilege level from 0 to 15; the default is 15 (full privileged EXEC). Where the IOS release supports it, enable algorithm-type scrypt secret stores a type 9 (scrypt) hash instead of MD5, which holds up far better against offline cracking of a leaked configuration.
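The reason to remove enable password and rely on enable secret is that the type 7 format is an obfuscation, not encryption: IOS XORs the password with a fixed, publicly known key and stores the start offset in the first two digits. The following added example (written for this page, not Cisco code) decodes and re-encodes type 7 strings and scans a configuration for them. The sample configuration and the hex strings in it are constructed for the example (the 0822455D0A16 value is the widely published encoding of the word cisco); type7_decrypt, type7_encrypt and recover_type7 are names chosen here.

```python
import re
from typing import List, Tuple

# Cisco's fixed XOR key for type 7 passwords (a constant inside IOS, long since public).
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Constructed sample config; the hex strings were produced with type7_encrypt() below.
SAMPLE_CONFIG = """\
enable password 7 0822455D0A16
!
username admin privilege 15 password 7 0507031B2C494707
!
line vty 0 4
 password 7 0822455D0A16
 login
"""


def type7_decrypt(encoded: str) -> str:
    """Reverse a type 7 string: the first two digits are the start offset into XLAT,
    the rest is the password XORed byte-by-byte with XLAT and written as hex."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type 7 string")
    offset = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return bytes(b ^ XLAT[(offset + i) % len(XLAT)] for i, b in enumerate(body)).decode()


def type7_encrypt(plain: str, offset: int = 8) -> str:
    """Forward direction, to show that no secret key is involved (IOS picks an offset 0..15 itself)."""
    data = bytes(ord(c) ^ XLAT[(offset + i) % len(XLAT)] for i, c in enumerate(plain))
    return f"{offset:02d}{data.hex().upper()}"


TYPE7_RE = re.compile(r"password\s+7\s+([0-9A-Fa-f]{4,})")


def recover_type7(config: str) -> List[Tuple[str, str]]:
    """Find every 'password 7' line in a config and return (line, recovered plaintext)."""
    found = []
    for line in config.splitlines():
        m = TYPE7_RE.search(line)
        if m:
            found.append((line.strip(), type7_decrypt(m.group(1))))
    return found


if __name__ == "__main__":
    for line, plain in recover_type7(SAMPLE_CONFIG):
        print(f"{line:<55} -> {plain}")
```

Anything type 7 protects is therefore exactly as exposed as the configuration file itself (backups, TFTP copies, show running-config pasted into tickets). Use enable secret for the privileged password and username ... secret for local accounts; keep service password-encryption only for the passwords that have no hashed alternative.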

3. Control telnet access

To control who may telnet to the router, restrict which hosts can reach its VTY (virtual terminal) lines. First create a standard access control list (numbers 1 to 99), as in the following example:

access-list 90 permit 172.30.1.45
access-list 90 permit 10.1.1.53

This list allows only the two hosts above to telnet to the router. Note that after creating the list you must bind it to the VTY lines; the specific method is:

line vty 0 4
 access-class 90 in

The above restricts inbound telnet sessions on VTY lines 0 to 4; the out direction restricts where sessions started from the router itself may go and is not detailed here. Telnet carries the password in clear text, so an access-class protects the router only from hosts it lists, not from anyone who can sniff the path; where the IOS image supports it, use SSH and set transport input ssh on the lines. Administrator privileges can also be limited by assigning a password to a lower privilege level, for example:

enable secret level 6 123456
privilege exec level 6 show

The password for privilege level 6 is 123456 (a placeholder; use a strong one). An administrator who telnets in and runs enable 6 with it can only use show commands; all other settings are out of reach. In addition, an idle timeout can be set on the lines so that an unattended session is disconnected automatically. The following line-configuration command sets it to 3 minutes 30 seconds for the lines selected (for example with line vty 0 4 or line con 0):

exec-timeout 3 30

4. Disable CDP

CDP (Cisco Discovery Protocol) is enabled by default in IOS releases from 11.0 onward. It announces the device's platform, IOS version, interface addresses and capabilities to every neighbour on the link at regular intervals, so on an untrusted network it leaks exactly the information an attacker wants about the router. Disable it globally as follows:

no cdp run
The administrator can also disable CDP on a single interface instead. For example, to keep CDP on the internal network while stopping the router from advertising on the Internet-facing interface, enter the following interface command on that interface:

no cdp enable

5. HTTP service configuration

Many Cisco devices now allow configuration through a web interface, which is convenient for beginners, but behind the convenience hides a real risk: the management interface is reachable by anyone who can reach the router's address. This section describes how to configure the HTTP service so that it can be used with the least exposure.

The ip http server command enables the HTTP service and no ip http server disables it. If the router must be managed over HTTP, combine it with an access control list and AAA authentication rather than relying on the enable password as the login credential (the default, ip http authentication enable). Plain HTTP also sends that credential in clear text, so prefer ip http secure-server (HTTPS) and leave ip http server off where the IOS image supports it. The configuration is done in global configuration mode; the following creates a simple standard access list and ties it to the HTTP service:
ip http server */enable the HTTP service
ip http port 10248 */move the HTTP service from port 80 to port 10248 (this hides it from casual scans only)
access-list 80 permit host 10.0.0.1 */create standard access list 80, allowing only host 10.0.0.1
ip http access-class 80 */only sources permitted by list 80 may reach the HTTP service
ip http authentication aaa */authenticate HTTP management logins through AAA (for example a TACACS+ server) instead of the enable password
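Sections 2 to 5 each describe a default that should be turned off or a control that should be present, and the natural check is a script that reads a saved running-config and reports which of them are missing. The following added example (written for this page, not Cisco tooling) does that for the items discussed here: enable password present, enable secret and service password-encryption absent, CDP left on, the HTTP service without access-class or AAA authentication or running over plain HTTP, and VTY lines without an inbound access-class, an exec-timeout or transport input ssh. Both sample configurations are constructed for the example (the enable secret hash value is illustrative), and parse_blocks and audit are names chosen here.

```python
from typing import List, Tuple

Finding = Tuple[str, str]  # (code, explanation)

# Constructed sample: a router left at the defaults this page warns about.
WEAK_CONFIG = """\
hostname edge-rtr
!
enable password 7 0822455D0A16
!
interface FastEthernet0/0
 ip address 203.0.113.1 255.255.255.0
!
ip http server
!
line vty 0 4
 password 7 0822455D0A16
 login
"""

# The same router after applying the page's recommendations (the secret hash is illustrative).
HARDENED_CONFIG = """\
service password-encryption
hostname edge-rtr
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
no cdp run
!
access-list 80 permit host 10.0.0.1
access-list 90 permit 172.30.1.45
ip http secure-server
ip http access-class 80
ip http authentication aaa
!
line vty 0 4
 access-class 90 in
 exec-timeout 3 30
 transport input ssh
 login local
"""


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Group an IOS config into (global line, indented sub-lines); '!' separators are dropped."""
    blocks, header, body = [], None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            body.append(raw.strip())
        else:
            if header is not None:
                blocks.append((header, body))
            header, body = raw.strip(), []
    if header is not None:
        blocks.append((header, body))
    return blocks


def audit(config: str) -> List[Finding]:
    """Check the page's hardening items against a config; returns an empty list when all pass."""
    blocks = parse_blocks(config)
    glob = {h for h, _ in blocks}

    def has(prefix: str) -> bool:
        return any(h.startswith(prefix) for h in glob)

    f: List[Finding] = []
    if has("enable password"):
        f.append(("ENABLE_PASSWORD", "enable password is type 0/7 (reversible); use 'no enable password'"))
    if not has("enable secret"):
        f.append(("NO_ENABLE_SECRET", "no hashed 'enable secret' configured"))
    if "service password-encryption" not in glob:
        f.append(("NO_PASSWORD_ENCRYPTION", "line passwords are stored in clear text"))
    if "no cdp run" not in glob:
        f.append(("CDP_GLOBAL", "CDP is on by default and advertises platform, IOS version and addresses"))
    if "ip http server" in glob or "ip http secure-server" in glob:
        if "ip http server" in glob:
            f.append(("HTTP_PLAINTEXT", "management over plain HTTP; prefer 'ip http secure-server'"))
        if not has("ip http access-class"):
            f.append(("HTTP_NO_ACL", "web management reachable from any source; add 'ip http access-class'"))
        if not has("ip http authentication"):
            f.append(("HTTP_NO_AUTH", "web login defaults to the enable password; add 'ip http authentication aaa'"))
    for header, body in blocks:
        if not header.startswith("line vty"):
            continue
        if not any(ln.startswith("access-class") and ln.endswith(" in") for ln in body):
            f.append(("VTY_NO_ACCESS_CLASS", f"{header}: no inbound access-class, any host may connect"))
        if not any(ln.startswith("exec-timeout") for ln in body):
            f.append(("VTY_NO_EXEC_TIMEOUT", f"{header}: idle sessions only end at the 10 minute default"))
        transport = next((ln for ln in body if ln.startswith("transport input")), "transport input all")
        if transport != "transport input ssh":
            f.append(("VTY_TELNET", f"{header}: '{transport}' still accepts clear-text telnet"))
    return f


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for code, msg in findings:
            print(f"  [{code}] {msg}")
```

The check treats an absent no cdp run as CDP enabled and an absent transport input as the old transport input all default, which is how a running-config from a router at defaults reads; on platforms whose defaults differ, adjust those two assumptions before trusting the report.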


6. A final word
Protecting a router is not that simple; in practice many auxiliary measures are needed, and a range of security products has appeared for the purpose, such as placing a hardware firewall in front of the router, configuring AAA authentication, and deploying IDS intrusion detection. To keep routers secure and stable, the most important principle I can pass on is to keep the IOS configuration minimal: a service that is not running cannot be broken into, and the minimum set of services is our maximum security.
