Make your network more secure with your router's underlying settings
The router is the bridge between the LAN and the outside world, an indispensable part of the network system, and the first gateway of network security. Yet router maintenance is rarely given the attention it deserves. If the security of the router itself cannot be guaranteed, there is no security to speak of for the network behind it. Router security management therefore means planning and configuring the router properly and taking the necessary protective measures, so that weaknesses in the router do not become loopholes and risks for the whole network. The measures and methods below make a router, and with it the network, more secure.

1. Add authentication to the protocol exchange between routers.

An important function of a router is managing and maintaining routes. Networks of any size run a dynamic routing protocol; the common ones are RIP, EIGRP, OSPF, IS-IS and BGP. When a router running the same routing protocol with the same area identifier joins the network, it learns the routing table of that network. This can leak the network's topology, and a rogue router can disrupt the whole network by advertising its own routing table and disturbing the routing tables that are working normally. The solution is to authenticate the routing information exchanged between routers: once authentication is configured, both the sender and the receiver of routing updates are identified.

2. Physical protection of the router.

The console port is a port with special privileges. An attacker with physical access to the router can power-cycle it, run the password recovery procedure, log on to the router and take full control of it.

3. Protect the router passwords.

Even when a password is stored in encrypted form in a backed-up configuration file, it may still be cracked. Once the password is compromised, the network has no security left.

4. Prevent viewing of router diagnostic information. The commands to turn this off are:

    no service tcp-small-servers
    no service udp-small-servers

5. Prevent viewing of the current list of users on the router. The command to turn this off is:

    no service finger

6. Turn off the CDP service. CDP works at OSI layer two, the link layer, and exposes configuration information of the neighbouring router: device platform, operating system version, port, IP address and other important details. Turn it off with:

    no cdp run

(or, on a single interface, "no cdp enable").

7. Prevent the router from accepting packets carrying source-route options, and discard data streams that use source routing. "ip source-route" is a global configuration command that lets the router process packets with the source-routing option set. When source routing is enabled, the path specified in the source-routing information lets traffic bypass the default route, which may circumvent the firewall. The command to turn it off is:

    no ip source-route

8. Turn off forwarding of directed broadcasts by the router. A Smurf DoS attack uses routers configured to forward broadcasts as reflectors, consuming network resources and even paralysing the network. Apply the following on every interface to stop the router forwarding broadcast packets:

    no ip directed-broadcast

9. Manage the HTTP service. The HTTP service provides a web management interface; "no ip http server" stops it. If HTTP must be used, be sure to restrict the permitted source addresses strictly with an access list via "ip http access-class", and set authentication with "ip http authentication".

10. Defend against spoofing attacks.

Use an access control list to filter out packets whose destination is a broadcast address and packets that claim to come from the internal network but actually arrive from outside. Apply the list to the interface with "ip access-group number in"; the numbered access list is:

    access-list number deny icmp any any redirect
    access-list number deny ip 127.0.0.0 0.255.255.255 any
    access-list number deny ip 22.214.171.124 126.96.36.199 any
    access-list number deny ip host 0.0.0.0 any

Note: the four lines above also filter some of the packets used by BOOTP; be fully aware of this when using them in environments that rely on it.

11. Prevent packet sniffing.

Attackers often install sniffer software on machines they have already compromised inside the network, monitor the data streams and steal passwords, including SNMP community strings and the router login and privileged passwords, which makes it very hard for the administrator to keep the network secure. Do not log on to routers over unencrypted protocols from untrusted networks. If the router supports an encrypted protocol, use SSH or Kerberized Telnet, or use IPsec to encrypt all management traffic to the router.

12. Verify that the path of a data flow is legitimate.

With RPF (reverse path forwarding), attack packets are discarded because the attacker's source address is not reachable through the interface they arrived on, which defends against spoofing attacks. The RPF configuration command is:

    ip verify unicast reverse-path

Note: CEF (Cisco Express Forwarding) must be enabled first.

13. Prevent SYN attacks.

The software platform of some routers can enable TCP intercept to defend against SYN attacks. It has two modes, intercept and watch, and the default is intercept. In intercept mode the router answers the incoming SYN request with a SYN-ACK on behalf of the server and waits for the client's ACK; only when the ACK arrives is the original SYN passed on to the server. In watch mode the router lets SYN requests reach the server directly, and if the session is not established within 30 seconds the router sends an RST to clear the connection. First configure an access list naming the addresses to be protected:

    access-list [100-199] {deny|permit} tcp any destination destination-wildcard

Then turn on TCP intercept:

    ip tcp intercept mode intercept
    ip tcp intercept list access-list-number

(or "ip tcp intercept mode watch" for watch mode).

14. Use a secure SNMP management scheme.

SNMP is widely used for monitoring and configuring routers. SNMP version 1 is not very secure and is unsuitable for management across public networks. Access lists can restrict SNMP access to specific workstations, which raises the security of the SNMP service considerably. The configuration command is:

    snmp-server community xxxxx RW xx

where xx is the number of the access control list. SNMP version 2 uses MD5 digest authentication; configuring a different digest password on each router device is an effective way to improve overall security.

Summary: as the key equipment of the whole network, the router's security deserves special attention. Of course, relying on these methods alone is not enough to protect the network; the other equipment must be secured with equal care so that the network becomes a secure and stable platform for information exchange.

Related article topic: Router Security Configuration Technology. Responsible editor: Yutie.
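The checks from items 4 to 14 above, collected into one script that audits a saved IOS running-config. This is an added example, not code from the article; it assumes the disabling commands appear verbatim in the config text (IOS does not always print defaults), and the interface name and community strings in the sample configs are constructed.

```python
# Added example, not the article's own code: audit a saved IOS running-config text
# for the hardening commands listed above. Sample configs are constructed for the demo.
import re

# Global "no ..." commands from the article; assumes they appear verbatim in the text.
REQUIRED_GLOBAL = {
    "no service tcp-small-servers": "item 4: TCP small servers enabled",
    "no service udp-small-servers": "item 4: UDP small servers enabled",
    "no service finger": "item 5: finger service enabled",
    "no cdp run": "item 6: CDP still running",
    "no ip source-route": "item 7: source-routed packets still processed",
}
SNMP_RE = re.compile(r"^snmp-server community \S+ (RO|RW)(?:\s+(\d+))?$", re.I)

def parse(config_text):
    """Split config text into global lines and {interface name: [its sub-lines]}."""
    global_lines, interfaces, current = [], {}, None
    for line in (l.rstrip() for l in config_text.splitlines()):
        if not line or line.startswith("!"):
            continue  # blank lines and IOS "!" separators
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces

def audit(config_text):
    """Return one finding per failed check; an empty list means all checks passed."""
    glob, ifaces = parse(config_text)
    findings = [why for cmd, why in REQUIRED_GLOBAL.items() if cmd not in glob]
    if "ip http server" in glob and not any(l.startswith("ip http access-class") for l in glob):
        findings.append("item 9: HTTP management enabled with no ip http access-class")
    for m in filter(None, map(SNMP_RE.match, glob)):
        if m.group(1).upper() == "RW" and m.group(2) is None:
            findings.append("item 14: read-write SNMP community without an access list")
    for name, lines in ifaces.items():
        if "no ip directed-broadcast" not in lines:
            findings.append(f"item 8: {name} forwards directed broadcasts (Smurf reflector)")
        if not any(l.startswith("ip verify unicast") for l in lines):
            findings.append(f"item 12: {name} has no unicast RPF check")
    return findings

# Constructed sample configs: one weak, one with every command from the article applied.
WEAK_CONFIG = "service tcp-small-servers\nip http server\nsnmp-server community private RW\n" \
              "interface GigabitEthernet0/0\n ip address 192.0.2.1 255.255.255.0\n"
HARDENED_CONFIG = "\n".join(REQUIRED_GLOBAL) + "\nno ip http server\nsnmp-server community s3cret RW 10\n" \
                  "interface GigabitEthernet0/0\n no ip directed-broadcast\n ip verify unicast reverse-path\n"
```

Run `audit(WEAK_CONFIG)` to list the nine gaps in the weak sample; the hardened sample returns no findings.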
This article is an English version of an article originally published in Chinese on aliyun.com.