Routing security has always been the focus of attention, so I studied how to effectively set the router to improve the security performance of the network. Vro setting is an important bridge between a LAN and an external network. It is an indispensable part of the network system and a leading edge in network security. However, the maintenance of vro settings is rarely valued.
Imagine that if the vro settings do not guarantee its own security, there will be no security for the entire network. Therefore, in terms of network security management, you must reasonably plan and configure the router settings and take necessary security protection measures, avoid vulnerabilities and risks to the entire network system due to security issues of the vro. Next we will introduce some router security measures and methods to make our network more secure.
1. added the authentication function for protocol exchanges between routers to improve network security.
One of the important functions of a router is the management and maintenance of routing. Currently, a certain scale of networks use dynamic routing protocols, which are commonly used: RIP, VPN, OSPF, IS-IS, and BGP. When a vro with the same routing protocol and region identifier is added to the network, the route information table on the network is learned. However, this method may cause network topology information leakage. It may also disrupt the routing information table that works normally on the network by sending its own routing information table to the network. In severe cases, the entire network may be paralyzed. The solution to this problem is to authenticate the route information exchanged between routers in the network. When the router is configured with an authentication method, it will identify the sender and receiver of the route information.
2. Physical Security of routers.
A vro control port is a port with special permissions. If an attacker attempts to physically access a vro and restarts after a power failure, the system implements the "password repair process" and then logs on to the vro to completely control the vro.
3. Protect the vro password.
In the vro configuration file backed up, even if the password is stored in encrypted form, the plaintext of the password may still be cracked. Once the password is leaked, the network is completely insecure.
4. Check the router diagnostic information.
The command to disable the service is as follows: no service tcp-small-servers no service udp-small-servers
5. The current user list of the vro is blocked.
The command to close is no service finger.
6. disable CDP.
On the basis of the OSI Layer 2 protocol (link layer), you can find some of the configuration information of the Peer router: Device platform, operating system version, port, IP address, and other important information. You can run the command: no cdp running or no cdp enable to disable this service.
7. Prevent the router from setting to receive packets with source route marks and discard the data streams with source route options.
"IP source-route" is a global configuration command that allows a router to process data streams marked with source routing options. After the source route option is enabled, the route specified by the source route information enables the data stream to bypass the default route, which may bypass the firewall. The command to close is as follows: no ip source-route.
8. Disable forwarding of router broadcast packets.
The Sumrf D. o. S attack uses the router settings with broadcast forwarding configurations as the reflector, occupying network resources and even causing network paralysis. Apply "no ip directed-broadcast" on each port to disable the router broadcast package.
9. Manage HTTP Services.
The HTTP service provides Web management interfaces. "No ip http server" can stop the HTTP service. If you must use HTTP, you must use the "ip http access-class" command in the access list to strictly filter the allowed ip addresses, and use the "ip http authentication" command to set the authorization restrictions.
10. defends against spoofing attacks.
Use the access control list to filter out all target addresses as the network broadcast address and packages that claim to be from the internal network, but actually from the outside. Configure the port in the vro: ip access-group list in number access Control list: access-list number deny icmp any redirect access-list number deny ip 127.0.0.0 0.20.255.255 any access-list number deny ip 224.0.0.0 31.20.255.255 any access-list number deny ip host 0.0.0.0 any note: the above four lines of command will filter some data packets in the BOOTP/DHCP Application, and should be fully recognized when used in similar environments.
11. Prevent Packet sniffing.
Hackers often install the sniffing software on computers that have intruded into the network, monitor network data streams, and steal passwords, including SNMP communication passwords, as well as vro logon and privileged passwords, in this way, it is difficult for the network administrator to Ensure network security. Do not log on to the vro using non-encrypted protocols on untrusted networks. If the vro supports the encryption protocol, use SSH or receivized Telnet, or use IPSec to encrypt the vro to set all management streams.
12. verify the validity of the data stream path.
Use RPF reverse path forwarding) for reverse route forwarding. Because the attacker's address is illegal, the attack packets are discarded to defend against spoofing attacks. The configuration command for RPF reverse route Forwarding is: ip verify unicast rpf. Note: First, you must support CEFCisco Express Forwarding for fast Forwarding.
13. Prevent SYN attacks.
Currently, some vro software platforms can enable TCP interception to prevent SYN attacks. The working mode is divided into interception and monitoring. The default mode is interception. Interception mode: the router responds to the SYN request, and sends a SYN-ACK packet instead of the server, and then waits for the client ACK. if an ACK is received, the original SYN packet is sent to the server. Monitoring Mode: the router allows SYN requests to directly reach the server. If the session is not established within 30 seconds, the router configuration sends an RST to clear the connection .) First, configure the access list to enable the IP address to be protected: access list [1-199] [deny permit] tcp any destination-wildcard. Then, Enable TCP interception: ip tcp intercept mode intercept Ip tcp intercept list access list-number Ip tcp intercept mode watch
14. Use a secure SNMP management solution.
SNMP is widely used in the monitoring and configuration of vro settings. SNMP Version 1 is not suitable for managing applications over the public network because of its low security. The access list allows only SNMP access from a specific workstation. This function can improve the security performance of the SNMP service. Configuration command: snmp-server community xxxxx RW xx; xx is the access control list number SNMP Version 2 using MD5 digital identity authentication method. Different vrouters set different digital signature passwords, which is an effective way to improve overall security performance.
Summary
As a key device of the entire network, we need to pay special attention to the security problem. Of course, it is far from enough to protect our network by relying solely on the above settings. We also need to work with other devices to take security measures together, build our network into a secure and stable information exchange platform.