Use SSH to build the safest routing switch device

Source: Internet
Author: User

As network administrators, how do we manage routers and switches, the core devices of an enterprise network? If the routing switch device has no graphical management interface, what do we use to connect to its management console? I am afraid 99% of readers will say telnet. But is this connection safe? The answer is no. Only after we have configured an SSH connection to the routing switch device do we achieve real security. This article describes how to configure the SSH service on your own routing switch device to create the most secure routing switch device. All data transmitted over an SSH connection to the router is encrypted, so unauthorized users cannot read it with tools such as a sniffer.

1. What is SSH?
What is SSH? SSH stands for Secure Shell and was developed by a Finnish company. SSH consists of client-side and server-side software. There are two incompatible versions: 1.x and 2.x. SSH is powerful: it can replace Telnet and provide a secure "channel" for FTP, POP3, and PPP. SSH encrypts all transmitted data, so even if someone intercepts the data they cannot obtain useful information from it. At the same time, the data is compressed, which greatly speeds up transmission.

2. How to set up the SSH service on the routing switch device:
The following describes how to configure the SSH service on a Cisco router. The author uses a GSR 12008, so it is taken as the example for configuring SSH-1.

Tip: In the Cisco router product line, only the 7200 series, 7500 series, and 12000 series GSR products have IOS versions that support SSH. Generally, the names of IOS images that support SSH contain K3 or K4: K3 indicates 56-bit SSH encryption and K4 indicates 168-bit SSH encryption. Cisco products currently support only SSH-1, not SSH-2. For devices that do not support SSH by default, such as the 6509, upgrading IOS solves the problem.

Step 1: configure the host name (hostname) and the IP domain name (domain-name)
Router # configure terminal
// Enter configuration mode
Router (config) # hostname softer
// Set the router host name to softer
Softer (config) # ip domain-name softer.com
// Set the IP domain name to softer.com

Step 2: configure the logon user name and password (local authentication is taken as the example)
Softer (config) # username softer password 0 111111
// Add a user with the user name softer and the password 111111
Softer (config) # line vty 0 4
// Allow this user to manage the router remotely over the network
Softer (config-line) # login local
// Require a user name and password for login to the router. By default only a password is required; user authentication gives better control over who manages the router.

TIPS: Pay special attention when you enter the login local command; the author once entered it too hastily. Once you have entered the login local command, you must enter both the user name and the password to log on to the router.

Step 3: configure the SSH service
Softer (config) # crypto key generate rsa
Generate the RSA key pair used for SSH connections. The key name is generally the combination of the host name and the domain name; in this example the host name is softer and the domain name is softer.com, so the key name is softer.softer.com.

The following prompt is displayed: How many bits in the modulus [512]:
This is the length of the key modulus in bits. Use the default value of 512.

Softer (config) # end
End the SSH service settings.

Softer # write
Save the settings to the startup configuration.

Step 4: check the SSH settings
How can I check whether SSH has been set up successfully? Run the show ip ssh command; the following information is displayed.
SSH Enabled-version 1.5
Authentication timeout: 120 secs
Authentication retries: 3

This indicates that the SSH service has started.

TIPS: To disable the SSH service once it is enabled, run the following command: softer (config) # crypto key zeroize rsa.

Step 5: set SSH parameters
After configuring SSH, we can see the default SSH parameters with the show run command: the authentication timeout is limited to 120 seconds and the number of authentication retries is 3. Of course, we can also modify these with the following command.

Softer (config) # ip ssh {[time-out seconds] | [authentication-retries integer]}

For example, to change the timeout limit to 180 seconds, use softer (config) # ip ssh time-out 180; to change the number of retries to 5, use softer (config) # ip ssh authentication-retries 5.

After this configuration, SSH has been successfully established on the router, and users can log on securely through SSH.
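As an added check that is not part of the original article, the following Python script parses a router's running configuration and its show ip ssh output and reports which of Steps 1 to 5 are missing or weak. The sample outputs are constructed, and the clear-text-password and 'transport input ssh' (telnet still accepted on the vty lines) checks go beyond the article's own steps.

```python
import re

# Constructed sample "show running-config" output for the router set up in Steps 1-5 (not from a real device)
SAMPLE_RUN = """\
hostname softer
ip domain-name softer.com
username softer password 0 111111
ip ssh time-out 180
ip ssh authentication-retries 5
line vty 0 4
 login local
"""

# Constructed sample "show ip ssh" output, in the form shown in Step 4
SAMPLE_SHOW_SSH = """\
SSH Enabled-version 1.5
Authentication timeout: 120 secs
Authentication retries: 3
"""


def parse_show_ip_ssh(text):
    """Return (version, timeout_secs, retries) from 'show ip ssh' output, or None if SSH is not enabled."""
    m = re.search(r"SSH Enabled-version ([\d.]+)", text)
    if not m:
        return None
    timeout = int(re.search(r"Authentication timeout: (\d+) secs", text).group(1))
    retries = int(re.search(r"Authentication retries: (\d+)", text).group(1))
    return m.group(1), timeout, retries


def audit_ssh_setup(run_cfg, show_ssh):
    """Check a running config and 'show ip ssh' output against Steps 1-5; return a list of findings."""
    # The vty block is the 'line vty A B' line plus the indented sub-commands that follow it
    vty = re.search(r"^line vty \d+ \d+\n((?: .*\n)*)", run_cfg, re.M)
    vty_body = vty.group(1) if vty else ""
    required = [
        (run_cfg, r"^hostname \S+", "no hostname (Step 1; needed before the RSA key can be generated)"),
        (run_cfg, r"^ip domain-name \S+", "no ip domain-name (Step 1; needed before the RSA key can be generated)"),
        (run_cfg, r"^username \S+ (password|secret) ", "no local user (Step 2)"),
        (vty_body, r"^ login local$", "vty lines do not use 'login local' (Step 2)"),
        (vty_body, r"^ transport input ssh$", "vty lines still accept telnet (no 'transport input ssh'; added check)"),
    ]
    findings = [msg for text, pat, msg in required if not re.search(pat, text, re.M)]
    if re.search(r"^username \S+ password 0 ", run_cfg, re.M):
        findings.append("local user password stored in clear text ('password 0'; added check)")
    ssh = parse_show_ip_ssh(show_ssh)
    if ssh is None:
        findings.append("SSH not enabled: run 'crypto key generate rsa' (Step 3)")
    elif ssh[0].startswith("1."):
        findings.append("router offers SSH-1 only (version %s)" % ssh[0])
    return findings
```

Running audit_ssh_setup(SAMPLE_RUN, SAMPLE_SHOW_SSH) on the constructed samples reports three findings: telnet still allowed on the vty lines, the clear-text password, and SSH-1 only.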

3. Log on from the client to the routing switch device with SSH enabled:
After the SSH service is enabled on the router, you also need an SSH client tool on the client machine. Many tools on the Internet provide SSH connection and transfer functions; if you are interested, you can search for, download and install one. The author introduces only one small SSH client tool, WiSSH.

WiSSH archive:
Software Version: Standard Edition V2.60
Software size: 3215 KB
Software language: English
Software type: Shareware
Application Platform: Win9x/NT/2000/XP/2003
Download address:
Http://count.skycn.com/softdownload.php? Id = 18218 & url = http://yncnc.driversky.com/down/se260_setup.exe

Download and install the software, then start it, select the "LOGIN" tab, enter the IP address of the SSH server, and enter the access user created above (user name softer, password 111111). Then click connect. The whole process is simple and easy to use (Figure 1).

4. Summary:
After using SSH to encrypt the connection to the router, no settings or commands can be intercepted by hackers with a sniffer. On the one hand, the security of the enterprise router is improved; on the other hand, the transmitted data is encrypted and compressed, so the speed is improved as well.
