Ways to secure a router

Routers have become one of the most important security devices in use. In general, most networks have a major access point. This is the "border router" that is typically used with a dedicated firewall.


has been properly set up, the edge routers are able to block almost all the most stubborn bad molecules outside the network. If you want, this router will also allow good people to enter the network. However, a router that is not properly set up is just a little better than no security at all.


in the following guidelines, we will look at 9 convenient steps that you can use to secure your network. These steps will ensure that you have a brick wall that protects your network, not an open door.


1. Modify the default password!


according to Carnegie Mellon University's CERT/CC (Computer Emergency Response Team/control center), 80% of the security breach was caused by weak passwords. There is a broad list of default passwords for most routers on the network. You can be sure that someone in some place will know your birthday. The Securitystats.com website maintains a detailed list of available/unavailable passwords, as well as a password reliability test.


2. Turn off IP direct broadcast (IP directed broadcast)


your server is very obedient. Let it do what it does, and no matter who sends the instructions. A smurf attack is a denial of service attack. In this attack, an attacker uses a fake source address to send an "ICMP echo" request to your webcast address. This requires all hosts to respond to this broadcast request. This situation will at least degrade your network performance.


refer to your router information file to find out how to turn off IP direct broadcasts. For example, the command "#no IP source-route" will turn off the IP direct broadcast address of Cisco routers.


3. If possible, turn off the HTTP settings for the router


as the Cisco Technical Note briefly explains, HTTP uses an identity protocol that is equivalent to sending an unencrypted password to the entire network. Unfortunately, however, there is no valid rule for verifying a password or a one-time password in the HTTP protocol.


Although this unencrypted password may be convenient for you to set up your router from a remote location (for example, at home), you can do what you can. Especially if you are still using the default password! If you have to manage the router remotely, make sure you use the SNMPV3 version of the protocol because it supports more stringent passwords.


4. Block ICMP ping request

The primary purpose of
Ping is to identify the host that is currently in use. As a result, ping is typically used for reconnaissance activities prior to a larger scale of coordinated attacks. By canceling the ability of a remote user to receive ping requests, you are much more likely to avoid unnoticed scan activities or to defend "script boys" (scripts kiddies) that look for vulnerable targets.


Note that this does not actually protect your network from attack, but it will make you less likely to be an attack target.


5. Turn off IP Source routing

The
IP protocol allows a host to specify that packets are routed through your network rather than allowing the network components to determine the best path. The legitimate application of this feature is to diagnose connection failures. However, this use is rarely used. The most common use of this feature is to mirror your network for reconnaissance purposes, or for an attacker to look for a backdoor in your private network. This feature should be turned off unless you specify that this feature should be used only for troubleshooting purposes.


6. Determine the requirements of your packet filtering

There are two reasons for
blocking the port. One of them is appropriate for your network based on your level of security requirements.


for highly secure networks, especially when storing or maintaining secret data, it is usually required to be allowed to filter. In this provision, all ports and IP addresses need to be blocked in addition to the network functionality. For example, port 80 for web traffic and 110/25 ports for SMTP allow access from a specified address, and all other ports and addresses can be closed. (material)


Most networks will enjoy an acceptable level of security by using the "Filter by reject request" scenario. When using this filtering policy, you can secure your network by blocking ports that your network does not use and Trojan horses or frequently used ports for reconnaissance activities. For example, blocking 139 ports and 445 (TCP and UDP) ports will make it more difficult for hackers to perform exhaustive attacks on your network. Blocking 31337 (TCP and UDP) ports makes it harder for the back orifice Trojan to attack your network.


This work should be determined at the network planning stage, when the level of security requirements should meet the needs of network users. View a list of these ports for the normal purpose of these ports.


7. Establishment of access and outgoing address filtering policy


set up policies on your border routers to filter out security breaches of access to and from the network based on IP addresses. In addition to exceptional unusual cases, all IP addresses that attempt to access the Internet from within your network should have an address assigned to your local area network. For example, 192.168.0.1 this address may be legal to access the Internet via this router. However, 216.239.55.99 this address is likely to be deceptive and is part of an attack.


instead, the source address of the communication from outside the Internet should not be part of your internal network. Therefore, the 192.168.x.x, 172.16.x.x and 10.x.x.x 碉 should be blocked from the network