Today most enterprises, institutions and departments are connected to the Internet, usually through a single router that links them to the ISP. That router is the bridge between the external Internet and the internal network. If it is configured with security in mind it can give the internal network a degree of protection, or add one more layer of defense in front of the security that already exists. Most such routers are Cisco products or devices with comparable features, so this article discusses security configuration using Cisco routers as the example.
Given the router's role and location, the quality of its configuration affects not only its own security but the security of the whole network. A router (taking Cisco as the example) already has a number of security features, such as access lists and encryption, but most of them are disabled in the default configuration and must be enabled by hand. Which settings meet the security requirement without reducing network performance? This article covers the following parts:
1. Password management
Passwords are the router's main means of preventing unauthorized access and are part of the security of the router itself. The best way to handle them is to keep the credentials on a TACACS+ or RADIUS authentication server. Even so, almost every router still needs a locally configured password for privileged access. How should that local password be protected?
1. Use enable secret
The enable secret command sets the password for privileged (administrator) mode. If no enable secret is configured but a password is set on the console TTY, that console password can be used to obtain privileged access even from a remote session, which is not what you want. Older systems used enable password instead; it serves the same function, but the encryption applied to enable password is much weaker, so use enable secret.
2. Use service password-encryption
This command encrypts all passwords and similar data stored in the configuration file (for example CHAP secrets), so that someone who sees the configuration does not immediately get them in plaintext. However, the algorithm behind service password-encryption (the "type 7" encoding) is a simple Vigenère-style cipher with a fixed key and is trivially reversed; it mainly affects passwords set with enable password, username ... password and line passwords. The enable secret command instead stores a salted MD5 hash ("type 5"), which cannot be reversed directly but is still open to dictionary and brute-force attacks once the hash is obtained.
So do not assume the passwords are safe just because they are encrypted. The right approach is to choose long, non-dictionary passwords, keep the configuration file from reaching outsiders, and set both enable secret and service password-encryption.
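As an added example (not code from the original article), the following Python script shows why the warning above matters: it reverses the type 7 encoding produced by service password-encryption and then scans a constructed running-config excerpt for credentials that are plaintext, type 7, or hashed with an algorithm that is still open to dictionary attack. The XOR key is the fixed constant IOS uses for type 7; the configuration excerpt and the hash strings in it are invented for the example.

```python
"""Decode Cisco IOS "type 7" passwords and flag weak credential storage.

The XOR key is the well-known constant behind 'service password-encryption';
the sample configuration is constructed for this example, not taken from a device.
"""
import re
from typing import List, Tuple

# Fixed key behind type 7 encoding; the first two digits of a type 7
# string give the starting offset into this key.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(encoded: str) -> str:
    """Reverse a type 7 string: two-digit key offset, then hex byte pairs."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded.isalnum():
        raise ValueError("not a type 7 string")
    offset = int(encoded[:2])
    if offset > 15:
        raise ValueError("type 7 offset must be 0-15")
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]
                  for i, b in enumerate(data))
    return plain.decode("ascii")


def encode_type7(plain: str, offset: int = 8) -> str:
    """Produce a type 7 string; only here to show the scheme is symmetric."""
    if not 0 <= offset <= 15:
        raise ValueError("type 7 offset must be 0-15")
    enc = bytes(ord(c) ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]
                for i, c in enumerate(plain))
    return f"{offset:02d}{enc.hex().upper()}"


# Lines whose password is plaintext (no type or type 0) or type 7.
_WEAK_RE = re.compile(r"(enable password|username \S+ password|password)\s+(?:(\d)\s+)?(\S+)$")
# Lines that store a hash: type 5 (salted MD5), 4 (unsalted SHA-256), 8/9 (PBKDF2/scrypt).
_SECRET_RE = re.compile(r"(enable secret|username \S+ secret)\s+(\d)\s+\S+$")

# Constructed running-config excerpt; the type 5 hashes are placeholders.
SAMPLE_CONFIG = """\
hostname lab-rtr
enable password 7 0822455D0A16
enable secret 5 $1$Wq9r$CONSTRUCTEDplaceholderhash0
username admin password 7 02050D4808095E731F
username ops secret 5 $1$Kd2x$ANOTHERconstructedhash1234
line con 0
 password 7 0822455D0A16
 login
line vty 0 4
 password backdoor
 login
"""


def audit_config(config: str) -> List[Tuple[int, str, str]]:
    """Return (line number, severity, message) for each weak credential line."""
    findings = []
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        m = _WEAK_RE.match(line)
        if m:
            kind, enc_type, value = m.groups()
            if enc_type == "7":
                findings.append((n, "HIGH", f"{kind}: type 7 is reversible, plaintext is {decode_type7(value)!r}"))
            elif enc_type in (None, "0"):
                findings.append((n, "HIGH", f"{kind}: stored in plaintext, value is {value!r}"))
            continue
        m = _SECRET_RE.match(line)
        if m:
            kind, enc_type = m.groups()
            if enc_type == "5":
                findings.append((n, "MEDIUM", f"{kind}: type 5 salted MD5 resists reversal but not a dictionary attack"))
            elif enc_type == "4":
                findings.append((n, "HIGH", f"{kind}: type 4 is unsalted single-round SHA-256, weaker than type 5"))
    # Config-wide checks (line 0): the two settings the article insists on.
    if "enable secret" not in config:
        findings.append((0, "HIGH", "enable secret not set; privileged access relies on the weak enable password"))
    if "service password-encryption" not in config:
        findings.append((0, "LOW", "service password-encryption not set; new line passwords are written in plaintext"))
    return findings


if __name__ == "__main__":
    for n, sev, msg in audit_config(SAMPLE_CONFIG):
        print(f"line {n:>2} {sev:<6} {msg}")
```

Running it on the sample decodes both type 7 strings back to their plaintext in well under a millisecond, which is the practical meaning of "easily deciphered": treat a leaked configuration containing type 7 strings as a leaked password list, and rotate.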
2. Control interactive access
Anyone logged in to the router can display important configuration information, and an attacker can use the router as a staging point for further attacks, so login access must be controlled correctly. Most forms of login access are disabled by default, but there are exceptions, such as a directly connected console terminal.
The console port has special privileges. In particular, if a Break signal is sent to the console port during the first seconds after a restart, the password recovery procedure gives easy control of the whole system. So an attacker who has no legitimate access, but who can restart the router (by cutting power or crashing it) and reach the console port (through a directly connected terminal, a modem or a terminal server), can take it over. Physical and network access to every console and auxiliary port must therefore be secured.
Besides the console there are many other ways to log in to the router. Depending on the configuration and operating system version these include Telnet, rlogin and SSH, non-IP protocols such as LAT, MOP, X.29 and V.120, and modem dial-in. All of them terminate on a TTY: local asynchronous terminals and dial-up modems use physical "TTYs", while any remote network connection, whatever the protocol, lands on a virtual TTY, a "VTY". To control access to the router, control these TTYs and VTYs: add authentication, or disable access entirely with the login and no password line commands.
1. Control TTY
By default a remote user can connect to a TTY over the network ("reverse Telnet") and interact with the terminal or modem attached to it. This lets a remote user reach a local asynchronous terminal or a dial-in modem port and, for example, set up a fake login prompt there to steal passwords. It is best to disable this: use transport input none on the asynchronous and modem lines so they accept no network connections. If possible, do not dial in and out through the same modem, and block reverse Telnet to it.
2. Control VTY
For security, a VTY should accept only the protocols it is meant for, set with the transport input line command. If a VTY is to carry only Telnet, set transport input telnet. If the router's operating system supports SSH, it is best to allow only that protocol, transport input ssh, and avoid plaintext Telnet altogether. The access-class line command can additionally restrict the source IP addresses allowed to connect to the VTYs.
Because there is a fixed number of VTYs, once all of them are in use no further remote connection can be made. This can be exploited for a denial of service: the attacker does not need to log in, only open connections that sit at the login prompt until every VTY is consumed. A good defense is to use access-class to restrict the last VTY to a specific management workstation while leaving the other VTYs less restricted; this keeps flexibility and guarantees that critical management work is not locked out. Another measure is exec-timeout on the VTYs, so an idle session does not hold a VTY indefinitely. Similarly, service tcp-keepalives-in checks that incoming TCP connections are still alive, so VTYs are not tied up by a deliberate attack or by a remote system that crashed. The strongest protection for VTYs is to turn off all non-IP access and encrypt every remote connection to the router, with IPsec or SSH.
3. Management service configuration
Many users manage routers through protocols such as SNMP or HTTP. Both bring security problems when used as management services.
1. SNMP
SNMP is the protocol most commonly used for router management. The most widely deployed version is still SNMP version 1, which has many security problems:
A. Authentication is in plaintext, using a "community" string.
B. Polling repeats the same community string on the wire over and over.
C. The protocol is datagram-based (UDP) and easily spoofed.
So use a later version where possible: the SNMPv2 recommended in the original text provided MD5-based message authentication and restrictions on which management data each party may access; in current IOS releases that role is filled by SNMPv3, which authenticates with MD5 or SHA and can also encrypt. If you must use SNMPv1, configure it carefully: avoid default community names such as public and private, do not reuse the same community on every device, and separate and restrict read-only and read-write communities. With authenticated versions, give each router its own authentication keys if possible. In all cases attach an access list to the community (snmp-server community name RO acl) so that only the management stations can use it.
2. HTTP:
Recent router operating systems support HTTP for remote configuration and monitoring. HTTP authentication amounts to sending the password in plaintext across the network, with no challenge-response or one-time-password protection, so managing a router over HTTP is quite dangerous.
If you choose HTTP management anyway, use ip http access-class to restrict the addresses that may connect, and ip http authentication to choose the authentication method; the best option is to authenticate against a TACACS+ or RADIUS server. Where the release supports it, prefer the TLS-protected server (ip http secure-server) and disable the plaintext one (no ip http server).
4. Log
Using the router's logging functions is very important for security. A Cisco router supports the following kinds of logs:
1. AAA logs: record dial-in connections, logins, HTTP access, privilege level changes and so on. They are sent to the authentication server over TACACS+ or RADIUS and can also be kept locally; they are enabled with aaa accounting.
2. SNMP trap logs: send system status changes to the SNMP management station.
3. System logs: record a large number of system events, as configured, and can be sent to the following destinations:
a. Console port
b. Syslog Server
c. TTYs or VTYs
d. Local log buffer.
The system logs are what matter most here. By default they go to the console port so that operation can be watched on the console monitor, but that carries little information and nothing is kept for later review. It is best to send the messages to a syslog server (logging host) for storage, and to enable timestamps (service timestamps log datetime) so that entries from different devices can be correlated.
5. Routing security
1. Prevent forgery:
Source-address forgery (spoofing) is a method attackers use often. Router configuration can prevent it to a degree: normally access lists are used to limit the address ranges permitted in packets passing through. Some points to note:
A. Filtering can be done at any point in the network, but it is best done on the network's border router, because address forgery is hard to judge inside the network.
B. Apply the access control to traffic entering an interface (ip access-group list in). An output list only protects the network behind the router; an input list also protects the router itself from outside attack.
C. Apply access control on internal as well as external interfaces, so that attacks originating inside are also blocked (for example, a packet entering from the internal interface must carry an internal source address).
Here is an example of an extended access list applied inbound on the external interface (the list number 101 and the interface name are illustrative):
access-list 101 deny icmp any any redirect             ! reject all ICMP redirects
access-list 101 deny ip 127.0.0.0 0.255.255.255 any    ! reject packets claiming a loopback source
access-list 101 deny ip 224.0.0.0 31.255.255.255 any   ! reject packets with a multicast or reserved source address
access-list 101 permit ip any any                      ! everything else continues to normal routing
interface Serial0
 ip access-group 101 in
Besides access lists, the router's reverse-path forwarding check (unicast RPF, enabled per interface with ip verify unicast reverse-path on older releases or ip verify unicast source reachable-via rx on newer ones) can be used. It takes the source address of each packet arriving on the interface and checks, against the routing table, whether the route back to that source also goes out through the same interface; if not, the packet is discarded. This further ensures that the source address is plausible. Strict mode is unsuitable for asymmetric routing, where the path from A to B differs from the path from B to A, because legitimate packets would be dropped; there, use loose mode (reachable-via any), which only requires that some route to the source exists. Check the router's routing before enabling it.
2. Control direct broadcast
A directed IP broadcast is a packet whose destination is the broadcast address of a subnet to which the sending host is not directly connected. Routers forward it like a normal packet until it reaches the destination subnet, where the last-hop router turns it into a link-layer broadcast; because of the IP address structure, only the router directly attached to that subnet can recognize it as a broadcast. The "smurf" attack abuses this: the attacker sends a stream of ICMP echo requests to a directed broadcast address with the source address forged to be the victim's. Every host on that subnet replies to the forged address, so the amplifying subnet is flooded and the victim receives the combined reply traffic.
The defense is no ip directed-broadcast on the interface: the router then drops a directed broadcast for the attached subnet instead of converting it into a link-layer broadcast. Because only the last-hop router can recognize such packets, configure no ip directed-broadcast on every interface of every router that may be attached to a target subnet (it is the default from IOS 12.0 onward, but verify it).
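The following Python simulation, added here and not part of the original article, puts the anti-spoofing access list, the unicast RPF check (strict and loose) and the directed-broadcast drop from the two preceding subsections together, so the effect of each check on a set of constructed packets can be seen, including the asymmetric-routing case where strict RPF drops a legitimate packet and loose mode does not. The interface names, the routing table, the internal prefix 203.0.113.0/24 and the packets are all assumptions made for the example.

```python
"""Simulate a border router's ingress anti-spoofing checks on sample packets.

Interface names, routing table, internal prefix and packets are constructed
for this example and do not describe any real network.
"""
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional, Tuple

OUTSIDE, INSIDE, CUSTOMER = "GigabitEthernet0/0", "GigabitEthernet0/1", "Serial0/0"

# Source prefixes that have no business arriving from the Internet:
# "this" network, RFC 1918, loopback, link-local, multicast and reserved.
BOGON_SOURCES = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

INTERNAL_PREFIXES = [ip_network("203.0.113.0/24")]   # networks behind INSIDE
LOCAL_SUBNETS = [ip_network("203.0.113.0/24")]       # subnets directly attached

# Constructed routing table: prefix -> egress interface.  The customer prefix
# is reached over Serial0/0, but in this scenario the customer sends its
# traffic to us over the Internet link, i.e. routing is asymmetric.
ROUTING_TABLE = {
    ip_network("0.0.0.0/0"): OUTSIDE,
    ip_network("203.0.113.0/24"): INSIDE,
    ip_network("198.51.100.0/24"): CUSTOMER,
}


def lookup(addr: IPv4Address) -> Optional[str]:
    """Longest-prefix match; None if there is no route at all (not even a default)."""
    matches = [(net.prefixlen, ifname) for net, ifname in ROUTING_TABLE.items() if addr in net]
    return max(matches)[1] if matches else None


def urpf_passes(src: IPv4Address, ingress: str, mode: str = "strict") -> bool:
    """Unicast RPF: strict requires the route back to src to use the ingress
    interface; loose only requires that some route to src exists."""
    egress = lookup(src)
    if egress is None:
        return False
    return True if mode == "loose" else egress == ingress


def is_directed_broadcast(dst: IPv4Address) -> bool:
    """True if dst is the broadcast address of a directly attached subnet."""
    return any(dst == net.broadcast_address for net in LOCAL_SUBNETS)


def ingress_decision(src: str, dst: str, ingress: str, urpf_mode: str = "strict") -> Tuple[str, str]:
    """Apply the checks in the order the router would: access list, uRPF, directed broadcast."""
    s, d = ip_address(src), ip_address(dst)
    if any(s in net for net in BOGON_SOURCES):
        return "drop", "bogon source (access-list deny)"
    if ingress == OUTSIDE and any(s in net for net in INTERNAL_PREFIXES):
        return "drop", "internal source address arriving from outside (spoofed)"
    if not urpf_passes(s, ingress, urpf_mode):
        return "drop", f"uRPF {urpf_mode} mode: route to source does not use {ingress}"
    if is_directed_broadcast(d):
        return "drop", "directed broadcast (no ip directed-broadcast)"
    return "forward", "ok"


if __name__ == "__main__":
    # Constructed packets: (source, destination, ingress interface, uRPF mode)
    samples = [
        ("127.0.0.1", "203.0.113.10", OUTSIDE, "strict"),      # loopback source
        ("203.0.113.5", "203.0.113.10", OUTSIDE, "strict"),    # our own prefix from outside
        ("198.51.100.9", "203.0.113.10", OUTSIDE, "strict"),   # asymmetric route, strict drops
        ("198.51.100.9", "203.0.113.10", OUTSIDE, "loose"),    # same packet, loose passes
        ("192.0.2.10", "203.0.113.255", OUTSIDE, "strict"),    # smurf-style directed broadcast
        ("192.0.2.77", "192.0.2.10", INSIDE, "strict"),        # spoofed external source from inside
        ("192.0.2.10", "203.0.113.10", OUTSIDE, "strict"),     # ordinary Internet packet
    ]
    for src, dst, ifname, mode in samples:
        verdict, reason = ingress_decision(src, dst, ifname, mode)
        print(f"{src:>13} -> {dst:<14} on {ifname:<20} {verdict:<8} {reason}")
```

The sixth packet is the case point C above is about: a host inside forging an external source address is caught by strict RPF on the internal interface without any address-specific access list, because the route to that source points out the external interface.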
3. Prevent routing attacks
Source-routing attacks are a common technique. Some older IP implementations mishandle source-routed packets and can crash, and source routing lets an attacker dictate the path a packet takes and evade route-based filtering, so it is best to turn it off on the router with no ip source-route.
ICMP redirect attacks are another common routing attack: the attacker sends bogus redirect messages to an end host, which then installs wrong routes. It can be stopped from outside by filtering all ICMP redirects on the border router, but that only blocks external attackers; if the attacker sits on the same network segment as the target host, the router can do nothing about it.
When the router runs a dynamic routing protocol, an attacker can forge routing packets and corrupt the routing table. To prevent this, use distribute-list ... in to limit which prefixes are accepted from each neighbor, and enable routing protocol authentication where available, for example the MD5 authentication supported by RIPv2 and OSPF.
6. Traffic management
Most denial-of-service attacks today send useless packets to consume router resources and bandwidth so that the network and devices overload; this is also called a "flood attack". To defend against it you must first identify the bottleneck. For example, if the attack saturates a link, filtering at the upstream end of that link is effective, while filtering at the downstream end does nothing for the link itself. Also be aware that the router itself may be the target, which is worse. The defenses are as follows:
1. Network protection:
Use the router's QoS functions to share the load and blunt some flood attacks. Methods include WFQ, CAR and GTS, but each applies to a different situation; for example, WFQ is more effective against ping floods than against SYN floods. Choose the right method for the attack in question.
2. Router itself protection:
While the router can protect other parts of the network from overload, it also has to protect itself. The relevant settings are:
a. Use CEF switching instead of the traditional route-cache (fast switching) method. Fast switching must build a cache entry for every new destination it sees, and a flood with randomized addresses (as in a SYN flood with random source addresses, whose replies go to those random destinations) forces it to build entries without end; CEF forwards from a table precomputed from the routing table and does not suffer from this, so it stands up better to such attacks.
b. Use scheduler interval or scheduler allocate. When a large number of packets must be forwarded quickly, the router can spend so much time servicing network-interface interrupts that other tasks never run. The scheduler interval command (or scheduler allocate on platforms that use it) makes the router stop handling interrupts at a set interval to run other processes. The side effects are very small and normal forwarding is not affected.
c. Point the default route at the null interface: ip route 0.0.0.0 0.0.0.0 null 0 254
This discards packets for unreachable destinations by a forwarding-table entry instead of punting them to process switching, which improves router performance under attack; add no ip unreachables on interface Null0 so the router does not spend its time generating ICMP unreachables for them. Note the administrative distance: the often-quoted value 255 means the route is never installed at all, so use a high but valid distance such as 254, which still lets any default route learned dynamically take precedence.
7. Service Management
Routers usually offer many services, such as Finger and Telnet, some of which can be exploited by attackers, so it is best to disable every service that is not needed.
1. Cisco routers provide some small TCP and UDP services such as echo, chargen and discard. They are rarely used and can be abused by attackers to get around packet filtering; for example, the echo service can be used to reflect packets so that they appear to come from the router itself. It is best to disable them with no service tcp-small-servers and no service udp-small-servers (they are off by default in IOS 12.0 and later, but confirm it).
2. Finger, NTP, CDP:
The finger service can be used by attackers to enumerate users and then target their passwords. NTP is not very dangerous in itself, but without proper authentication it can be used to skew the router's clock, which corrupts log timestamps and other time-dependent tasks. CDP can give an attacker information such as the router's model and software version for use in an attack. If these services are not needed, disable them: no service finger (no ip finger on newer releases), no ntp enable, and no cdp run (or no cdp enable on individual interfaces). If NTP is required, enable ntp authenticate with ntp authentication-key and ntp trusted-key, and disable NTP on interfaces that do not need it with ntp disable.
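To tie sections 2, 3, 4, 5 and 7 together, here is an added example (not from the original article) of a small audit script that parses an IOS running-config and reports the gaps discussed above: small servers, finger, HTTP, CDP and source routing left on, default SNMP communities or communities without an access list, no syslog server, VTYs that accept Telnet or never time out, no VTY reserved with access-class, and interfaces with directed broadcast enabled. The two configurations in it are constructed for the example; because defaults differ between IOS releases, the "required" checks report a missing line rather than proving that a feature is enabled.

```python
"""Audit an IOS running-config against the hardening points of this article.
Both configurations are constructed; REQUIRED only reports an absent line, since
whether the feature is really on depends on the IOS release's default."""
import re

# Presence of one of these top-level lines is a finding.
FORBIDDEN = {
    r"^service (tcp|udp)-small-servers$": "small TCP/UDP servers enabled (echo/chargen/discard)",
    r"^(ip|service) finger$": "finger service enabled",
    r"^ip http server$": "plaintext HTTP management enabled",
    r"^cdp run$": "CDP enabled globally",
    r"^ip source-route$": "IP source routing enabled",
}
# Absence of one of these top-level lines is reported.
REQUIRED = {
    r"^no ip source-route$": "no ip source-route not present",
    r"^service tcp-keepalives-in$": "service tcp-keepalives-in not present",
    r"^logging (host )?\d+\.\d+\.\d+\.\d+": "no syslog server configured",
    r"^no cdp run$": "no cdp run not present",
}


def parse_config(text):
    """Return top-level lines and, for each header line, its indented sub-lines."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and '!' separators
        if raw[0].isspace() and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            blocks[current] = []
    return top, blocks


def audit(text):
    """List hardening gaps; an empty list means every check passed."""
    findings = []
    top, blocks = parse_config(text)
    for line in top:
        findings += [f"{msg}: '{line}'" for pat, msg in FORBIDDEN.items() if re.match(pat, line)]
        parts = line.split()
        if parts[:2] == ["snmp-server", "community"] and len(parts) > 2:
            # snmp-server community NAME [RO|RW] [acl]; the 'view' form is not handled
            name, acl = parts[2], [t for t in parts[3:] if t not in ("RO", "RW")]
            if name.lower() in ("public", "private"):
                findings.append(f"SNMP default community name in use: '{name}'")
            if not acl:
                findings.append(f"SNMP community '{name}' has no access-list limiting managers")
    findings += [msg for pat, msg in REQUIRED.items() if not any(re.match(pat, l) for l in top)]
    vty = {h: b for h, b in blocks.items() if h.startswith("line vty")}
    for header, body in vty.items():
        transport = next((l for l in body if l.startswith("transport input")), "default")
        if transport == "default" or any(w in transport.split() for w in ("telnet", "all")):
            findings.append(f"{header}: transport input allows plaintext protocols ('{transport}')")
        timeout = next((l for l in body if l.startswith("exec-timeout")), None)
        if timeout is None or timeout.split()[1:] == ["0", "0"]:
            findings.append(f"{header}: exec-timeout missing or disabled")
    if not any(l.startswith("access-class") for body in vty.values() for l in body):
        findings.append("no VTY is reserved with access-class for the management station")
    findings += [f"{h}: ip directed-broadcast enabled (smurf amplifier)"
                 for h, b in blocks.items() if h.startswith("interface") and "ip directed-broadcast" in b]
    return findings


# Constructed "before" configuration showing the problems the article warns about.
WEAK_CONFIG = """\
service tcp-small-servers
ip finger
ip http server
snmp-server community public RO
no cdp run
logging 203.0.113.50
interface GigabitEthernet0/0
 ip directed-broadcast
line vty 0 3
 transport input telnet ssh
 exec-timeout 0 0
line vty 4
 access-class 10 in
 transport input ssh
 exec-timeout 5 0
"""

# Constructed "after" configuration that passes every check.
HARDENED_CONFIG = """\
no service tcp-small-servers
no service udp-small-servers
no ip finger
no ip source-route
no cdp run
service tcp-keepalives-in
no ip http server
snmp-server community Lq7mgmt RO 10
logging 203.0.113.50
interface GigabitEthernet0/0
 no ip directed-broadcast
line vty 0 4
 access-class 10 in
 transport input ssh
 exec-timeout 5 0
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  -", f)
```

Run against a real configuration, feed it the output of show running-config; the checks are string matches on top-level and line/interface sub-mode lines, so a device that hides a default (for example a release where small servers are off unless service tcp-small-servers appears) is reported on the REQUIRED side for the operator to confirm rather than silently passed.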
Following the configuration above achieves basic router security, but it is not enough for an environment with strict requirements: many attacks cannot be filtered at the router, and the router cannot protect against attacks from the internal network. Still, security configuration of the router builds an outer barrier for the network, reduces the load on the internal firewall, and protects the router itself. Router security configuration therefore remains very important.