Vro configures classic instances to make the network more secure

Maybe many people do not know about vro configuration. So I have studied vro configuration for classic instances to make the network more secure. I would like to share it with you here and hope it will be useful to you. A router is an important bridge between a LAN and an external network. It is an indispensable part of the network system and a leading edge in network security. However, vro maintenance is rarely valued.

Imagine that if a vro does not guarantee its own security, the entire network would be completely insecure. Therefore, in terms of network security management, vrouters must be reasonably planned and configured to take necessary security protection measures, avoid vulnerabilities and risks to the entire network system due to security issues configured by the vro. Next, we will introduce some router configuration security measures and methods to make our network more secure.

1. added the authentication function for protocol exchanges between routers to improve network security.

One of the important functions of a router is the management and maintenance of routing. Currently, a certain scale of networks use dynamic routing protocols, which are commonly used: RIP, VPN, OSPF, IS-IS, and BGP. When a vro with the same routing protocol and region identifier is added to the network, the route information table on the network is learned. However, this method may cause network topology information leakage. It may also disrupt the routing information table that works normally on the network by sending its own routing information table to the network. In severe cases, the entire network may be paralyzed. The solution to this problem is to authenticate the route information exchanged between routers in the network. When the router is configured with an authentication method, it will identify the sender and receiver of the route information.

2. Physical security protection of routers

A vro control port is a port with special permissions. If an attacker attempts to physically access the vro configuration and restarts after a power failure, the attacker can perform the "password repair process" and then log on to the vro to completely control the vro.

3. Protect the vro Password

In the vro configuration file backed up, even if the password is stored in encrypted form, the plaintext of the password may still be cracked. Once the password is leaked, the network is completely insecure.

4. Stop checking the router diagnostic information. The command to close is as follows: Reference segment: no service tcp-small-servers no service udp-small-servers.

5. The current user list of the vro configuration is blocked.

The close command is as follows: Reference segment: no service finger.

6. disable CDP Service

On the basis of the OSI Layer 2 protocol (link layer), you can find some of the configuration information of the Peer router: Device platform, operating system version, port, IP address, and other important information. You can run the command: no cdp running or no cdp enable to disable this service.

7. Prevent the router from receiving packets with source route marks and discard the data streams with source route options.

"IP source-route" is a global configuration command that allows a router to process data streams marked with source routing options. After the source route option is enabled, the route specified by the source route information enables the data stream to bypass the default route, which may bypass the firewall. The command to close is as follows: Reference segment: no ip source-route.

8. Disable router broadcast packet forwarding.

The Sumrf D. o. S attack uses the router configuration with broadcast forwarding configuration as the reflector, occupying network resources and even causing network paralysis. Apply "no ip directed-broadcast" on each port to disable the router broadcast package.