SoFunction
Updated on 2025-04-11

Simple solution for security configuration of Cisco routers


1. Security configuration of router access control

1. Strictly control which administrators can access the router. Any maintenance must be recorded and filed.

2. It is recommended not to access the router remotely. If remote access is required, use access control lists and strong password control.

3. Strictly control access to the CON (console) port. Specific measures include:

A. If the chassis can be opened, the physical circuit to the CON port can be disconnected.

B. The default connection properties can be changed, for example the baud rate (the default is 96000; it can be changed to another value).

C. Use an access control list to control access to the CON port. For example:

Router(Config)#access-list 1 permit 192.168.0.1

Router(Config)#line con 0

Router(Config-line)#Transport input none

Router(Config-line)#Login local

Router(Config-line)#exec-timeout 5 0

Router(Config-line)#access-class 1 in

Router(Config-line)#end

D. Set a strong password on the CON port.

4. If the AUX port is not used, disable it. It is not enabled by default. Disable it as follows:

Router(Config)#line aux 0

Router(Config-line)#transport input none

Router(Config-line)#no exec

5. It is recommended to adopt a hierarchical privilege strategy. For example:

Router(Config)#username BluShin privilege 10 password G00dPa55w0rd

Router(Config)#privilege EXEC level 10 telnet

Router(Config)#privilege EXEC level 10 show ip access-list

6. Set a strong password for entering privileged mode. Do not use the enable password command to set it; use the enable secret command instead, and also enable service password-encryption.

7. Control access to the VTY lines. Disable them if remote access is not required. If it is required, be sure to set a strong password. Because VTY sessions are transmitted unencrypted across the network, they need to be strictly controlled, for example: set a strong password; limit the number of concurrent connections; use access lists to strictly restrict the source addresses; use AAA to set up user access control; and so on.

8. It is recommended to use FTP instead of TFTP for IOS upgrades and backups, as well as for configuration files. For example:

Router(Config)#ip ftp username BluShin

Router(Config)#ip ftp password 4tppa55w0rd

Router#copy startup-config ftp:

9. Upgrade and patch the IOS software promptly.

2. Router network service security configuration

1. Disable CDP (Cisco Discovery Protocol). For example:

Router(Config)#no cdp run

Router(Config-if)# no cdp enable

2. Disable the TCP and UDP small services.

Router(Config)# no service tcp-small-servers

Router(Config)# no service udp-small-servers

3. Disable the Finger service.

Router(Config)# no ip finger

Router(Config)# no service finger

4. It is recommended to disable the HTTP service.

Router(Config)# no ip http server

If the HTTP service is enabled, it needs to be configured securely: set a username and password, and use an access list for control. For example:

Router(Config)# username BluShin privilege 10 password G00dPa55w0rd

Router(Config)# ip http authentication local

Router(Config)# no access-list 10

Router(Config)# access-list 10 permit 192.168.0.1

Router(Config)# access-list 10 deny any

Router(Config)# ip http access-class 10

Router(Config)# ip http server

Router(Config)# exit

5. Disable the BOOTP service.

Router(Config)# no ip bootp server

Disable booting from the network and automatic download of the initial configuration file over the network.

Router(Config)# no boot network

Router(Config)# no service config

6. Disable IP source routing.

Router(Config)# no ip source-route

7. It is recommended to disable the ARP proxy service if it is not required; it is enabled by default on the router.

Router(Config)# no ip proxy-arp

Router(Config-if)# no ip proxy-arp

8. Explicitly disable IP directed broadcast (this is an interface-level command).

Router(Config-if)# no ip directed-broadcast

9. Disable IP classless.

Router(Config)# no ip classless

10. Disable the ICMP IP Unreachables, Redirects and Mask Replies messages.

Router(Config-if)# no ip unreachables

Router(Config-if)# no ip redirects

Router(Config-if)# no ip mask-reply

11. It is recommended to disable the SNMP service. When disabling it, some of the default SNMP configuration must be deleted, or an access list must be used to filter access. For example:

Router(Config)# no snmp-server community public RO

Router(Config)# no snmp-server community admin RW

Router(Config)# no access-list 70

Router(Config)# access-list 70 deny any

Router(Config)# snmp-server community MoreHardPublic Ro 70

Router(Config)# no snmp-server enable traps

Router(Config)# no snmp-server system-shutdown

Router(Config)# no snmp-server trap-authentication

Router(Config)# no snmp-server

Router(Config)# end

12. Disable the WINS and DNS services if they are not necessary.

Router(Config)# no ip domain-lookup

If they are necessary, configure them:

Router(Config)# hostname Router

Router(Config)# ip name-server 202.102.134.96

13. Explicitly disable unused ports.

Router(Config)# interface eth0/3

Router(Config-if)# shutdown
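The checklist in sections 1 and 2 is easiest to enforce if it is re-checked against the running configuration. The following Python script is an added example (not from the original article) that audits a saved running-config against those items; the two configs are constructed samples, and the `$1$...` secret is a placeholder, not a real hash.

```python
import re

# Constructed sample configs (not from any real device): the first keeps weak
# defaults this article says to remove, the second applies its recommendations.
WEAK_CONFIG = """\
enable password cisco123
ip http server
snmp-server community public RO
line vty 0 4
 transport input telnet
"""
HARDENED_CONFIG = """\
service password-encryption
enable secret 5 $1$placeholder$notarealhash
no service tcp-small-servers
no service udp-small-servers
no service finger
no cdp run
no ip source-route
no ip bootp server
no ip http server
access-list 1 permit 192.168.0.1
line vty 0 4
 access-class 1 in
 login local
 transport input ssh
"""

# Lines the article says must be present (regexes anchored at line start).
REQUIRED = [
    r"^enable secret ", r"^service password-encryption$", r"^no cdp run$",
    r"^no service tcp-small-servers$", r"^no service udp-small-servers$",
    r"^no service finger$", r"^no ip source-route$", r"^no ip bootp server$",
    r"^no ip http server$", r"^ access-class \d+ in$",  # VTY limited by an ACL
]
# Lines that must not be present (reversible passwords, default communities).
FORBIDDEN = [
    r"^enable password ", r"^snmp-server community (public|private)\b",
    r"^ip http server$", r"^ transport input telnet$",
]


def audit_config(config_text):
    """Return a list of findings; an empty list means every check passed."""
    lines = config_text.splitlines()
    findings = ["missing: " + p for p in REQUIRED
                if not any(re.match(p, l) for l in lines)]
    findings += ["present: " + p for p in FORBIDDEN
                 if any(re.match(p, l) for l in lines)]
    return findings
```

Interface-level items such as no ip proxy-arp and no ip redirects appear under each interface in the config, so a full audit would also walk interface blocks; this script covers only the global lines.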


3. Router routing protocol security configuration

1. First, disable ARP proxy, which is enabled by default; it can easily cause confusion in routing tables.

Router(Config)# no ip proxy-arp

or

Router(Config-if)# no ip proxy-arp

2. Enable authentication for the OSPF routing protocol.
By default the OSPF authentication password is transmitted in plain text, so it is recommended to enable MD5 authentication.

Also set a key of sufficient strength (the peer router must be configured with the same key).

Router(Config)# router ospf 100

Router(Config-router)# network 192.168.100.0 0.0.0.255 area 100

! Enable MD5 authentication.

! area area-id authentication enables authentication, but with a clear-text password.

! area area-id authentication message-digest enables MD5 authentication.

Router(Config-router)# area 100 authentication message-digest

Router(Config-router)# exit

Router(Config)# interface eth0/1

! Enable the MD5 key; here the key is routerospfkey.

! ip ospf authentication-key key enables an authentication key, but it is transmitted in plain text.

!ip ospf message-digest-key key-id(1-255) md5 key

Router(Config-if)# ip ospf message-digest-key 1 md5 routerospfkey

3. RIP protocol authentication. Only RIP v2 supports it; RIP v1 does not. It is recommended to enable RIP v2 and use MD5 authentication. Plain authentication is likewise transmitted in clear text.

Router# config terminal

! Set up the key chain

Router(Config)# key chain mykeychainname

Router(Config-keychain)# key 1

!Set the key string

Router(Config-keychain-key)# key-string MyFirstKeyString

Router(Config-keychain)# key 2

Router(Config-keychain-key)# key-string MySecondKeyString

! Enable RIP v2

Router(Config)# router rip

Router(Config-router)# version 2

Router(Config-router)# network 192.168.100.0

Router(Config)# interface eth0/1

! Use MD5 mode authentication and select the configured key chain

Router(Config-if)# ip rip authentication mode md5

Router(Config-if)# ip rip authentication key-chain mykeychainname

4. Enabling the passive-interface command disables routing updates on ports that do not need to receive and forward routing information.

It is recommended to enable passive-interface on ports that do not require routing.

However, in RIP it only stops the sending of routing updates; it does not stop receiving them.
In OSPF it stops both sending and receiving routing updates.

! In RIP, stop port 0/3 from sending routing updates

Router(Config)# router rip

Router(Config-router)# passive-interface eth0/3

! In OSPF, stop port 0/3 from sending and receiving routing updates

Router(Config)# router ospf 100

Router(Config-router)# passive-interface eth0/3

5. Use an access list to filter junk and malicious routing information, and so control junk traffic on the network.

Router(Config)# access-list 10 deny 192.168.1.0 0.0.0.255

Router(Config)# access-list 10 permit any

! Stop the router from installing routes for the 192.168.1.0 network received in updates (in OSPF the LSAs still enter the link-state database; an inbound distribute-list only filters what goes into the routing table)

Router(Config)# router ospf 100

Router(Config-router)# distribute-list 10 in

! Stop the router from advertising routing information for the 192.168.1.0 network

Router(Config)# router ospf 100

Router(Config-router)# distribute-list 10 out

6. It is recommended to enable IP Unicast Reverse-Path Verification.

It checks the validity of the source IP address, which prevents some IP spoofing.

However, it can only be used on routers with CEF (Cisco Express Forwarding) enabled.

Router# config t

! Enable CEF

Router(Config)# ip cef

! Enable Unicast Reverse-Path Verification on the interface

Router(Config)# interface eth0/1

Router(Config-if)# ip verify unicast reverse-path
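To show what the reverse-path check above actually decides, here is an added Python model (not from the article or from Cisco) of strict and loose unicast RPF over a constructed forwarding table. It assumes, as IOS does unless the allow-default keyword is given, that the default route is not used for the check.

```python
import ipaddress

# Constructed forwarding table (prefix -> egress interface); not from a real router.
ROUTING_TABLE = {
    "192.168.100.0/24": "eth0/0",  # inside LAN
    "10.0.0.0/8": "eth0/2",        # private link to a partner site
    "0.0.0.0/0": "eth0/1",         # default route towards the Internet
}


def lookup_egress(table, address, allow_default=True):
    """Longest-prefix-match lookup (what CEF's FIB provides). Returns the
    egress interface or None. The default route is skipped when allow_default
    is False, mirroring the IOS allow-default keyword for uRPF."""
    addr = ipaddress.ip_address(address)
    best_net, best_iface = None, None
    for prefix, iface in table.items():
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def urpf_strict_accepts(table, ingress_iface, src_ip, allow_default=False):
    """Strict mode: the packet is accepted only if the best route back to its
    source address leaves through the interface it arrived on."""
    return lookup_egress(table, src_ip, allow_default) == ingress_iface


def urpf_loose_accepts(table, src_ip, allow_default=False):
    """Loose mode: accepted if any (non-default) route to the source exists."""
    return lookup_egress(table, src_ip, allow_default) is not None


if __name__ == "__main__":
    # A packet arriving from the Internet that claims an inside-LAN source
    # fails strict uRPF: the route back to 192.168.100.0/24 points at eth0/0.
    print(urpf_strict_accepts(ROUTING_TABLE, "eth0/1", "192.168.100.7"))  # False
    print(urpf_strict_accepts(ROUTING_TABLE, "eth0/0", "192.168.100.7"))  # True
```

Strict mode is only safe on interfaces with symmetric routing; on an Internet-facing interface that relies on a default route, legitimate traffic is dropped unless the default route is allowed, which is why many deployments use loose mode there.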

4. Other security configurations of the router

1. Upgrade the IOS software promptly and install IOS patches quickly.

2. Make a secure backup of IOS, strictly and carefully.

3. Make a secure backup of the router's configuration file.

4. Buy UPS equipment, or at least have redundant power supplies.

5. Keep a complete log of secure access to and maintenance of the router.

6. Strictly set up the login banner. It must contain wording that prohibits login by unauthorized users.

7. Simple protection against IP spoofing. For example, filter packets with non-public source addresses from entering the internal network:

filter your own internal network addresses; the loopback address (127.0.0.0/8);
RFC1918 private addresses; DHCP auto-configuration (link-local) addresses (169.254.0.0/16);
the documentation test address range (192.0.2.0/24);
unused multicast addresses (224.0.0.0/4);

SUN's old test address ranges (20.20.20.0/24; 204.152.64.0/23);
the all-zeros network address (0.0.0.0/8).

Router(Config)# access-list 100 deny ip 192.168.0.0 0.0.0.255 any log

Router(Config)# access-list 100 deny ip 127.0.0.0 0.255.255.255 any log

Router(Config)# access-list 100 deny ip 192.168.0.0 0.0.255.255 any log

Router(Config)# access-list 100 deny ip 172.16.0.0 0.15.255.255 any log

Router(Config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 any log

Router(Config)# access-list 100 deny ip 169.254.0.0 0.0.255.255 any log

Router(Config)# access-list 100 deny ip 192.0.2.0 0.0.0.255 any log

Router(Config)# access-list 100 deny ip 224.0.0.0 15.255.255.255 any

Router(Config)# access-list 100 deny ip 20.20.20.0 0.0.0.255 any log

Router(Config)# access-list 100 deny ip 204.152.64.0 0.0.1.255 any log

Router(Config)# access-list 100 deny ip 0.0.0.0 0.255.255.255 any log

! An IOS access list ends with an implicit deny, so allow the remaining traffic through
Router(Config)# access-list 100 permit ip any any
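Wildcard masks are easy to get wrong by hand (a /23 needs 0.0.1.255, and a non-contiguous mask such as 0.0.2.255 silently matches the wrong ranges). The following Python script is an added example (not from the article) that derives the wildcard for each prefix in the list above and emits the complete access list, including the final permit that an IOS ACL needs; the prefix list is constructed from the article's text and the first entry stands in for your own internal network.

```python
import ipaddress

# The source ranges listed above as (prefix, remark); constructed from the
# article's list, with the first entry standing in for your own internal network.
BOGON_SOURCES = [
    ("192.168.0.0/24", "own internal network"),
    ("127.0.0.0/8", "loopback"),
    ("10.0.0.0/8", "RFC1918 private"),
    ("172.16.0.0/12", "RFC1918 private"),
    ("192.168.0.0/16", "RFC1918 private"),
    ("169.254.0.0/16", "link-local / DHCP auto-configuration"),
    ("192.0.2.0/24", "documentation test range"),
    ("224.0.0.0/4", "multicast"),
    ("20.20.20.0/24", "old SUN test range"),
    ("204.152.64.0/23", "old SUN test range"),
    ("0.0.0.0/8", "this network"),
]


def wildcard_mask(prefix):
    """Cisco wildcard mask = bitwise inverse of the subnet mask (the hostmask)."""
    return str(ipaddress.ip_network(prefix).hostmask)


def wildcard_is_contiguous(wildcard):
    """True if the wildcard is a run of 0 bits followed by a run of 1 bits, i.e.
    it describes exactly one CIDR block. 0.0.2.255 fails this test: it matches
    two disjoint ranges instead of the intended /23."""
    bits = int(ipaddress.ip_address(wildcard))
    return (bits & (bits + 1)) == 0


def anti_spoof_acl(number, sources, log=True):
    """Emit the extended ACL: a remark and a deny for each bogon source, then a
    final permit, because an IOS access list ends with an implicit deny."""
    lines = []
    for prefix, remark in sources:
        net = ipaddress.ip_network(prefix)
        lines.append(f"access-list {number} remark {remark}")
        entry = f"access-list {number} deny ip {net.network_address} {net.hostmask} any"
        lines.append(entry + (" log" if log else ""))
    lines.append(f"access-list {number} permit ip any any")
    return lines


if __name__ == "__main__":
    print("\n".join(anti_spoof_acl(100, BOGON_SOURCES)))
```

The generated list still has to be applied inbound on the external interface with ip access-group; the script only builds the entries.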

8. It is recommended to use an access list to ensure that traffic leaving the internal network carries only internal network source addresses. For example:

Router(Config)# no access-list 101

Router(Config)# access-list 101 permit ip 192.168.0.0 0.0.0.255 any

Router(Config)# access-list 101 deny ip any any log

Router(Config)# interface eth 0/1

Router(Config-if)# description "internet Ethernet"

Router(Config-if)# ip address 192.168.0.254 255.255.255.0

! Apply ACL 101 inbound on the interface (the list number and direction are completed from the context above; the original line was truncated)
Router(Config-if)# ip access-group 101 in