Vro security can be enhanced in nine steps (1)

Source: Internet
Author: User

For most enterprise LAN, routers have become one of the most important security devices in use. Generally, most networks have a primary access point. This is the "virtual border router" that is usually used with a dedicated firewall ".

After proper configuration, the edge router can block almost all the most stubborn bad elements out of the network. If you want to, this type of router also allows good people to access the network. However, a vro without proper configuration is better than no security measures at all.

In the following guide, we will look at nine convenient steps you can use to protect network security. These steps ensure that you have a brick wall to protect your network, rather than an open door.

1. Modify the default password!

According to CERT/CC (Computer Emergency Response Team/Control Center) of Carnegie Mellon University, 80% of Security breakthroughs were caused by weak passwords. The network has a list of extensive default passwords for most vrouters. You are sure someone in some places will know your birthday. The SecurityStats.com website maintains a detailed list of available/unavailable passwords and a password reliability test.

2. Disable IP Direct Broadcast (IP Directed Broadcast)

Your server is very obedient. Let it do what it does, and no matter who sends the command. Smurf attacks are DoS attacks. In this attack, attackers use fake source addresses to send an "ICMP echo" request to your network broadcast address. This requires all hosts to respond to this broadcast request. This situation will at least reduce your network performance.

Refer to your router information file to learn how to disable IP direct broadcast. For example, the "Central (config) # no ip source-route" command will disable the IP direct broadcast address of the Cisco router.

3. If possible, disable the HTTP settings of the router.

As described in Cisco's technical description, the identity authentication protocol used by HTTP is equivalent to sending an unencrypted password to the entire network. However, unfortunately, there is no valid rule in the HTTP protocol for password verification or one-time password verification.

Although this unencrypted password may be very convenient for you to set your vro from a remote location (such as at home), other people can do the same thing you can do. Especially if you are still using the default password! If you must remotely manage the vro, make sure that you use the Protocol of SNMPv3 or later versions because it supports more strict passwords.

4. Block ICMP ping requests

The main purpose of ping is to identify the host currently in use. Therefore, ping is usually used for reconnaissance activities before large-scale collaborative attacks. By canceling the remote user's ability to receive ping requests, you can easily avoid unwanted scanning activities or defend against script kiddies that are looking for targets that are vulnerable to attacks ).

Please note that this does not actually protect your network from attacks, but it will make you less likely to be an attack target.

5. Disable IP Source Routing

The IP protocol allows a host to specify the route through your network, rather than allowing network components to determine the optimal path. The valid application of this function is used to diagnose connection faults. However, this function is rarely used. This feature is most commonly used to mirror your network for reconnaissance purposes, or for attackers to find a backdoor in your private network. This feature should be disabled unless you specify this feature for fault diagnosis only.


Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.