14 Ways to Protect the Router
The router is the core device of a network, and it is the first line of defence for network security.
The measures below strengthen router security: they harden the router itself against attack and
help prevent network information from being stolen.
1 Add authentication to the routing protocol exchanges between routers to improve
network security
Managing and maintaining routes is an important function of the router. Networks of any size
today run dynamic routing protocols; the common ones are RIP, EIGRP, OSPF, IS-IS and BGP.
When a router configured with the same protocol and the same area identifier joins the
network, it learns the routing table information of that network. This can leak the network
topology, and a router that injects its own routing table into the network can disrupt normal
operation, in serious cases paralysing the entire network. The solution is to authenticate the
routing information exchanged between routers within the network. When authentication is
configured, the router verifies the identity of the party it receives routing information from.
There are two authentication methods: "plain text", which offers low security, and "MD5",
which is the recommended one.
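The following configuration is an added example, not part of the original article, showing MD5 authentication for OSPF and for RIPv2 on Cisco IOS. The interface names, process and area numbers, network statements and the key strings are assumptions to be replaced with site values.

```cisco
! Added example (not from the article). Interface names, process id, area,
! networks and key strings are assumptions; replace them with your own values.
!
! OSPF: MD5 ("message-digest") authentication for area 0. The key lives on the
! interface; the area statement makes plain-text or unauthenticated hellos
! from neighbours fail to form an adjacency.
interface GigabitEthernet0/0
 ip ospf message-digest-key 1 md5 EXAMPLE-OSPF-KEY-CHANGE-ME
 ip ospf authentication message-digest
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
 area 0 authentication message-digest
!
! RIPv2: the same idea through a key chain
key chain RIP-KEYS
 key 1
  key-string EXAMPLE-RIP-KEY-CHANGE-ME
!
interface GigabitEthernet0/1
 ip rip authentication mode md5
 ip rip authentication key-chain RIP-KEYS
!
router rip
 version 2
 network 10.0.0.0
```

Every router on a segment must carry the same key id and key string, otherwise the adjacency drops the moment authentication is switched on; roll keys out to all neighbours first, then enable the authentication mode. The state can be checked with show ip ospf interface GigabitEthernet0/0, which reports "Message digest authentication enabled" together with the key id in use.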
2 Physical security of the router
The router's console port is a privileged port. An attacker with physical access to the router
can power-cycle it, carry out the "password recovery" procedure, then log in to the router and
take complete control of it.
3 Protect the router passwords
Even when the passwords in a backed-up router configuration file are stored in encrypted form,
the plaintext password may still be recovered from them. Once a password leaks, the network
has no security at all.
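As an added example for items 2 and 3 (not from the original article), the configuration below stores the privileged and user passwords as hashes, obscures whatever remains, and locks the console. The usernames and secrets are placeholders.

```cisco
! Added example (not from the article). Usernames and secrets are placeholders.
!
! Store the privileged password as a salted MD5 hash (type 5) with "enable
! secret" instead of the reversible "enable password"; use "secret" for local
! users as well.
enable secret EXAMPLE-ENABLE-SECRET
username netadmin secret EXAMPLE-USER-SECRET
!
! Obscures any remaining plaintext passwords (type 7) in the configuration.
! This is only obfuscation and is trivially reversible, which is the point of
! item 3: treat configuration backups as secrets in their own right.
service password-encryption
!
! Console access: require a login and drop idle sessions
line console 0
 login local
 exec-timeout 5 0
!
! Optional, for item 2: disables the ROMMON password-recovery procedure.
! Caveat: with this set, a lost enable secret can only be recovered by erasing
! the startup configuration, so keep a verified offline backup.
no service password-recovery
```

After applying it, show running-config should contain no "enable password" line and every user line should read "username ... secret 5 ..."; any "password 7" string that remains is recoverable from the backup and should be reviewed.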
4 Disable the diagnostic services on the router
The commands to disable them are:
no service tcp-small-servers
no service udp-small-servers
5 Disable the current-user listing on the router
Command: no service finger
6 Disable the CDP service
CDP is an OSI layer-2 (link-layer) protocol through which some configuration information of
the far-end router can be discovered: hardware platform, operating system version, ports, IP
addresses and other important information. Disable the service with no cdp run (globally) or
no cdp enable (on an individual interface).
7 Prevent the router from accepting packets carrying the source-route option, and drop
traffic that carries the source-route option
ip source-route is a global configuration command that allows the router to process traffic
marked with the source-route option. When source routing is enabled, traffic carrying
source-routing information can specify its own path and override the default routing, so the
packets may bypass the firewall. The command to disable it is:
no ip source-route
8 Disable directed-broadcast forwarding on the router
A Smurf denial-of-service attack uses a router configured to forward broadcasts as a reflector,
consuming network resources and even paralysing the network. Disable forwarding on each
interface of the router with no ip directed-broadcast.
9 Manage the HTTP service
The HTTP service provides a web management interface. no ip http server stops the HTTP
service. If you must use HTTP, be sure to restrict it with an access list through the
ip http access-class command, strictly filtering the permitted IP addresses, and at the same
time require authentication with the ip http authentication command.
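The two alternatives described above, written out as an added example that is not part of the original article. The management-station address and the access-list number are assumptions.

```cisco
! Added example (not from the article). Management-station address and ACL
! number are assumptions. Apply EITHER option A OR option B, not both.
!
! Option A (preferred): no web management interface at all
no ip http server
!
! Option B: HTTP management is unavoidable. Allow exactly one management
! host and authenticate against the local user database rather than the
! enable password.
access-list 10 permit host 192.0.2.10
access-list 10 deny   any log
!
ip http server
ip http access-class 10
ip http authentication local
```

The "deny any log" line at the end of the list is not needed for filtering (an implicit deny already applies) but it records every rejected management attempt, which is the detection side of this control. Where the IOS image supports it, ip http secure-server together with no ip http server offers the same interface over TLS instead of plain HTTP.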
10 Defend against spoofing attacks
Use access control lists to filter out all packets that arrive from outside but claim a source
address belonging to the internal network or a network broadcast address. Apply the list on the
router interface with ip access-group <list-number> in. The access control list is as follows:
access-list <number> deny icmp any any redirect
access-list <number> deny ip 127.0.0.0 0.255.255.255 any
access-list <number> deny ip 224.0.0.0 31.255.255.255 any
access-list <number> deny ip host 0.0.0.0 any
Note: these four commands will also filter BOOTP/DHCP packets (DHCP discovery is sent from
source address 0.0.0.0), so understand the environment before using them in a similar context.
11 Avoid packet sniffers
Attackers often install sniffing software on a computer they have already compromised inside
the network, monitor the network traffic and steal passwords, including SNMP community
strings and the router login and privilege passwords, which makes it difficult for network
administrators to guarantee the security of the network. Do not use unencrypted protocols to
log in to the router over an untrusted network. If the router supports encrypted protocols, use
SSH or Kerberized Telnet, or use IPSec to encrypt all management traffic to the router.
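An added example (not from the original article) of replacing Telnet with SSH on the vty lines and limiting who may reach them. The hostname, domain name, management subnet, username and secret are assumptions; SSH needs a hostname and domain name before the RSA key pair can be generated.

```cisco
! Added example (not from the article). Hostname, domain, management subnet,
! username and secret are assumptions.
!
! The RSA key pair is named after hostname.domain, so both must exist first
hostname edge-rtr
ip domain-name example.net
crypto key generate rsa modulus 2048
!
! SSHv2 only; short login window and few retries limit brute forcing
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
username netadmin secret EXAMPLE-USER-SECRET
!
! Only the management subnet may reach the vty lines
access-list 20 permit 192.0.2.0 0.0.0.255
access-list 20 deny   any log
!
line vty 0 4
 access-class 20 in
 transport input ssh
 login local
 exec-timeout 10 0
```

"transport input ssh" is the line that actually removes Telnet: with it in place a Telnet client is refused at the TCP level even if the attacker is inside the management subnet. show ip ssh confirms the version and the retry and timeout values; show users lists live sessions so that a stray Telnet session can be spotted before the change is saved.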
12 Check the validity of the traffic path
Use RPF (reverse path forwarding) to check each packet's source address against the reverse
path. Because the attacker's source address is illegitimate, the attack packets are discarded,
which defends against spoofing attacks. The reverse path forwarding configuration command is
ip verify unicast reverse-path. Note: CEF (Cisco Express Forwarding) fast switching must be
supported and enabled first.
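The following is an added example, not from the original article, that puts items 10 and 12 together on one router: the anti-spoofing ingress list on the outside interface plus unicast RPF on both interfaces. The interface names, the internal prefix 10.0.0.0/8 and the access-list number are assumptions.

```cisco
! Added example covering items 10 and 12 (not from the article). Interface
! names, the internal prefix 10.0.0.0/8 and the ACL number are assumptions.
!
! Unicast RPF needs CEF
ip cef
!
! Ingress filter for the outside interface: the four bogon rules from item 10,
! plus our own internal prefix arriving from outside (an outside host claiming
! an inside address is spoofing by definition). Logged so it can be alerted on.
access-list 101 deny   icmp any any redirect
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 224.0.0.0 31.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 permit ip any any
!
interface GigabitEthernet0/0
 description OUTSIDE
 ip access-group 101 in
 ! Loose RPF: the source must at least be present in the routing table.
 ! Used here because upstream paths may be asymmetric, where strict mode
 ! would drop legitimate traffic.
 ip verify unicast source reachable-via any
!
interface GigabitEthernet0/1
 description INSIDE
 ! Strict RPF: a packet is accepted only if the best route back to its source
 ! points out this same interface, so inside hosts cannot claim outside
 ! addresses. Safe here because only internal prefixes live behind it.
 ip verify unicast source reachable-via rx
```

ip verify unicast source reachable-via rx is the newer spelling of the ip verify unicast reverse-path command given in item 12; the "any" form (loose mode) has no equivalent in the older syntax. show ip interface GigabitEthernet0/1 shows which mode is active on the interface, and the drop counters in show ip traffic reveal whether the checks are actually discarding traffic, which is worth watching for a few days before the change is considered settled.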
13 Prevent SYN attacks
Some router software platforms can enable the TCP intercept function to prevent SYN attacks.
It works in one of two modes, intercept and watch; the default is intercept mode. (In intercept
mode the router answers an arriving SYN request with a SYN-ACK on behalf of the server and
then waits for the client's ACK; only when the ACK arrives does it send the SYN on to the
server. In watch mode the router lets the SYN request pass directly to the server; if the
connection is not established within 30 seconds, the router sends an RST to clear it.) First
configure an access list that describes the IP addresses to be protected:
access-list [100-199] {deny | permit} tcp any destination destination-wildcard
Then enable TCP intercept and choose the mode:
ip tcp intercept list access-list-number
ip tcp intercept mode {intercept | watch}
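As an added example (not from the original article), the configuration below protects one server subnet in watch mode and sets the thresholds at which the router starts shedding half-open connections. The server subnet, access-list number and threshold values are assumptions.

```cisco
! Added example (not from the article). Server subnet, ACL number and
! thresholds are assumptions.
!
! Protect only the server farm 192.0.2.0/24; all other TCP traffic is untouched
access-list 150 permit tcp any 192.0.2.0 0.0.0.255
!
ip tcp intercept list 150
!
! Watch mode: SYNs reach the server directly; a connection still half-open
! after 30 seconds is torn down with an RST (the behaviour described in item 13)
ip tcp intercept mode watch
ip tcp intercept watch-timeout 30
!
! Aggressive mode: once the number of half-open connections, or the number of
! connection attempts in the last minute, exceeds "high", the router drops
! half-open connections (oldest first) until the count falls below "low".
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
ip tcp intercept drop-mode oldest
```

show tcp intercept statistics gives the current half-open count and whether aggressive mode has been entered, and show tcp intercept connections lists the individual half-open flows, which during an attack are the spoofed sources. Intercept mode protects the server more completely but makes the router terminate every handshake, so watch mode is the lighter choice for a busy server farm.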
14 Use an SNMP management plan
SNMP is widely used to monitor and configure routers. SNMP version 1 offers low security when
the management application communicates across a public network and is not suitable for such
use. An access list that only permits SNMP access from a particular management workstation
improves the security of the SNMP service. Configuration command:
snmp-server community xxxxx RW XX
where XX is the access control list number. SNMP version 2 uses MD5 digital identity
authentication. Using different digital-signature keys on different routers is an effective
means of improving overall security.
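An added example, not from the original article, of restricting the SNMP community strings to a single management station as item 14 recommends. The management-station address, access-list number and community strings are placeholders.

```cisco
! Added example (not from the article). Management-station address, ACL
! number and community strings are placeholders.
!
access-list 30 permit host 192.0.2.10
access-list 30 deny   any log
!
! Read-only community for monitoring, reachable only from the management station
snmp-server community EXAMPLE-RO-STRING RO 30
!
! Grant a read-write community only if configuration over SNMP is really
! needed; a community string is a password, so it gets the same ACL.
snmp-server community EXAMPLE-RW-STRING RW 30
!
! Remove the well-known default strings if they are present in the configuration
no snmp-server community public
no snmp-server community private
```

The ACL number after the community string is the "XX" of the command in item 14. show snmp community lists every configured string with its access list, so an unrestricted or default community can be spotted in an audit; the "deny any log" entry records polling attempts from anywhere other than the management station.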
In short, router security is an important part of network security, but it must also work
together with other security precautions to build up a complete protection scheme.