14 Ways to Protect the Router

Upload: 3anetwork-com

Post on 09-Jun-2015


The router is the core device of a network and its first line of defence. The measures below harden the router itself against attack and prevent network information from being stolen.

1 Authenticate routing protocol exchanges between routers

Routing is the router's central management and maintenance function, and any network of reasonable size now relies on dynamic routing protocols, commonly RIP, EIGRP, OSPF, IS-IS and BGP. When a router running the same protocol (and, for OSPF, the same area identifier) joins the network, it learns the routing table from its neighbours. Left unauthenticated, this leaks the network topology to anyone who can attach a router, and a rogue or misconfigured router can inject its own routing table, disrupting normal traffic or, in the worst case, taking down the whole network. The remedy is to authenticate the routing information exchanged between routers: once authentication is configured, a router verifies the source of each update before accepting it. Two methods are commonly offered: "plain text", which sends the key in the clear with every update and offers little security, and "MD5", in which only a keyed digest travels on the wire. Use MD5 rather than plain text; where the platform supports key chains with HMAC-SHA authentication, prefer those over MD5.
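As an added example (not part of the original article), the following Python models the difference between the two methods in the style of OSPFv2 cryptographic authentication (RFC 2328, Appendix D): the 16-byte key is appended to the packet and the MD5 digest of the result is sent, together with a cryptographic sequence number that defeats replay. The field layout, the Neighbor class, the sample key and the sample update are constructed for illustration; this is not a wire-compatible OSPF implementation.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

KEY_LEN = 16  # keys are padded/truncated to 16 bytes, as in RFC 2328 Appendix D


def pad_key(key: bytes) -> bytes:
    return key[:KEY_LEN].ljust(KEY_LEN, b"\x00")


def plaintext_auth(update: bytes, key: bytes) -> bytes:
    """Type 1 'simple password': the key itself is carried in the packet.

    Anyone sniffing the segment reads it straight off the wire."""
    return update + pad_key(key)


def md5_auth(update: bytes, key: bytes, seq: int) -> bytes:
    """Type 2 'cryptographic': update || seq || MD5(update || seq || padded key).

    The key never leaves the router; the receiver recomputes the digest."""
    packet = update + struct.pack("!I", seq)
    digest = hashlib.md5(packet + pad_key(key)).digest()
    return packet + digest


@dataclass
class Neighbor:
    """Receiving router: shares the key and remembers the last sequence seen."""
    key: bytes
    last_seq: int = -1

    def accept(self, wire: bytes) -> tuple:
        if len(wire) < 4 + 16:
            return False, b""
        packet, digest = wire[:-16], wire[-16:]
        expected = hashlib.md5(packet + pad_key(self.key)).digest()
        if not hmac.compare_digest(digest, expected):
            return False, b""  # wrong key, or modified in transit
        seq = struct.unpack("!I", packet[-4:])[0]
        if seq < self.last_seq:
            return False, b""  # replay of an older update
        self.last_seq = seq
        return True, packet[:-4]


def demo() -> dict:
    # Constructed sample data: a shared area key and one routing update.
    key = b"area0-shared-key"
    update = b"10.0.0.0/24 via 192.0.2.1"
    nb = Neighbor(key)

    # Plain text: the key is recoverable from the packet itself.
    leaked = plaintext_auth(update, key)[-KEY_LEN:].rstrip(b"\x00")

    wire1 = md5_auth(update, key, 1000)
    ok_genuine, payload = nb.accept(wire1)

    # Attacker rewrites the next hop while the update is in transit.
    tampered = wire1.replace(b"192.0.2.1", b"198.51.100.99")
    ok_tampered, _ = nb.accept(tampered)

    # Attacker captures a later update, then replays the first one.
    wire2 = md5_auth(update, key, 1001)
    ok_second, _ = nb.accept(wire2)
    ok_replay, _ = nb.accept(wire1)

    return {
        "plaintext_key_leaked": leaked == key,
        "genuine_accepted": ok_genuine and payload == update,
        "tampered_accepted": ok_tampered,
        "second_accepted": ok_second,
        "replay_accepted": ok_replay,
    }


if __name__ == "__main__":
    print(demo())
```

The digest is checked with a constant-time comparison, and the sequence number is only required to be non-decreasing, matching the RFC's rule rather than demanding strictly consecutive values.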

2 Physical security for the router

The console port is a privileged port. An attacker who can physically reach the router can power-cycle it, run the "password recovery" procedure, log in and take complete control of the device. Keep routers in locked rooms and racks and restrict who can reach the console and auxiliary ports. (IOS also offers the global command "no service password-recovery", which blocks that procedure; weigh it carefully, since it removes your own recovery path if the enable secret is lost.)

3 Protect the router's passwords

Passwords in configuration files and their backups may be recoverable in plaintext even when they are stored in "encrypted" form: the type 7 encoding produced by "service password-encryption" is a reversible obfuscation, not a cipher. Once a password leaks, the network has no security at all. Store backups with the same care as the device itself, use "enable secret" (a one-way salted hash) rather than "enable password", and treat a leaked type 7 string as a leaked password.
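To make the point concrete, here is an added example (not from the original article) that implements the publicly documented IOS type 7 algorithm in Python: each password byte is XORed with a byte of a fixed 53-character constant, starting at the offset given by the two-digit prefix. Because the constant is fixed and XOR is its own inverse, anyone holding the configuration recovers the password. The configuration fragment is constructed; the type 7 string in it is the encoding of the password "cisco" with seed 7, and the "enable secret" line is a made-up placeholder, not a real hash.

```python
import re

# Fixed constant used by IOS type 7 password obfuscation (53 bytes).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_encode(password: str, seed: int = 7) -> str:
    """Produce a type 7 string: two-digit seed followed by hex of the XORed bytes."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS emits seeds 0..15")
    out = bytes(
        c ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
        for i, c in enumerate(password.encode())
    )
    return f"{seed:02d}{out.hex().upper()}"


def type7_decode(encoded: str) -> str:
    """Reverse type 7: XOR with the known constant undoes itself."""
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return bytes(
        c ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, c in enumerate(data)
    ).decode()


def find_reversible_passwords(config: str) -> dict:
    """Scan a config for type 7 strings and return their plaintext.

    Matches the common forms 'password 7 <hex>' and 'key 7 <hex>'; a type 5
    'enable secret' is a one-way hash and is deliberately not matched."""
    found = {}
    for m in re.finditer(r"\b(password|key) 7 ([0-9A-Fa-f]{4,})", config):
        found[m.group(2)] = type7_decode(m.group(2))
    return found


# Constructed sample configuration fragment (not from a real device).
SAMPLE_CONFIG = """\
service password-encryption
enable password 7 070C285F4D06
enable secret 5 $1$constructed$notARealHashValue0000000
line vty 0 4
 password 7 070C285F4D06
"""

if __name__ == "__main__":
    print(find_reversible_passwords(SAMPLE_CONFIG))
```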

4 Disable the diagnostic "small servers" on the router

The TCP and UDP small servers (echo, chargen, discard, daytime) exist for diagnostics and give an attacker easy probing and amplification targets. Turn them off with:

  no service tcp-small-servers
  no service udp-small-servers

5 Disable the current-user listing (finger) on the router

The finger service reports who is logged in to the router. Turn it off with:

  no service finger

6 Disable the CDP service

CDP (Cisco Discovery Protocol) runs at OSI layer 2 (the link layer) and advertises configuration details to directly attached devices: hardware platform, operating-system version, port identifiers, IP addresses and other information useful to an attacker on the adjacent segment. Turn it off globally with "no cdp run", or on individual untrusted interfaces with "no cdp enable".

7 Stop the router accepting source-routed packets; drop traffic carrying the source-route option

"ip source-route" is a global configuration command that allows the router to process packets carrying the IP source-route option. With it enabled, the route written into the packet overrides the router's own forwarding decision, so a packet can be steered around the intended path and may bypass the firewall. Turn it off with:

  no ip source-route

8 Stop the router forwarding directed broadcasts

A Smurf denial-of-service attack uses routers that forward directed broadcasts as reflectors: the attacker sends ICMP echo requests to a network's broadcast address with a spoofed source, every host on that network replies to the victim, and the resulting flood consumes bandwidth and can paralyse the network. Disable forwarding on every interface with "no ip directed-broadcast".

9 Manage the HTTP service

The HTTP service provides a web management interface. Stop it with "no ip http server". If you must keep it, restrict the permitted client addresses with an access list via "ip http access-class", and require authentication with "ip http authentication".

10 Defend against spoofing attacks

Use access control lists on the outside interface to drop packets that arrive from the outside but claim a source address belonging to the internal network, together with packets from reserved or impossible sources. Apply the list inbound on the interface with "ip access-group <number> in" and build it along these lines:

  access-list <number> deny icmp any any redirect
  access-list <number> deny ip 127.0.0.0 0.255.255.255 any
  access-list <number> deny ip 224.0.0.0 31.255.255.255 any
  access-list <number> deny ip host 0.0.0.0 any

Note: these entries (the last one in particular) also drop BOOTP/DHCP requests, which are sent from source 0.0.0.0, so understand where the list is applied before using it in a context that relies on those protocols.
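As an added example (not part of the article), this Python evaluates packets against the list above using Cisco wildcard-mask semantics (a 1 bit in the mask means "ignore this bit"), with the implicit deny that ends every IOS ACL. It goes beyond the text by adding an anti-spoofing entry for a constructed internal prefix (10.0.0.0/8) and a final explicit permit, and it shows the DHCP side effect the note above describes. The packet samples are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    icmp_type: Optional[str] = None


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every IP protocol
    src_net: int
    src_wild: int                 # Cisco wildcard: 1 bits are "don't care"
    icmp_type: Optional[str] = None   # destination is 'any' in all entries here


def addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def wildcard_match(address: int, network: int, wildcard: int) -> bool:
    """Cisco wildcard matching: compare only the bits the mask does NOT set."""
    care = ~wildcard & 0xFFFFFFFF
    return (address & care) == (network & care)


ANY = (0, 0xFFFFFFFF)


def host(text: str) -> tuple:
    return addr(text), 0


def net(text: str, wildcard: str) -> tuple:
    return addr(text), addr(wildcard)


def ace(action: str, proto: str, src: tuple, icmp_type: Optional[str] = None) -> Ace:
    return Ace(action, proto, src[0], src[1], icmp_type)


# The four entries from the text, inbound on the outside interface, plus a
# constructed anti-spoof entry for an internal 10.0.0.0/8 and a final permit
# so legitimate traffic passes instead of hitting the implicit deny.
ANTI_SPOOF_ACL = [
    ace("deny", "icmp", ANY, icmp_type="redirect"),
    ace("deny", "ip", net("127.0.0.0", "0.255.255.255")),
    ace("deny", "ip", net("224.0.0.0", "31.255.255.255")),   # 224.0.0.0/3
    ace("deny", "ip", host("0.0.0.0")),
    ace("deny", "ip", net("10.0.0.0", "0.255.255.255")),     # constructed: inside
    ace("permit", "ip", ANY),
]


def evaluate(acl, pkt: Packet) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit 'deny'."""
    src = addr(pkt.src)
    for entry in acl:
        if entry.proto != "ip" and entry.proto != pkt.proto:
            continue
        if entry.icmp_type is not None and entry.icmp_type != pkt.icmp_type:
            continue
        if not wildcard_match(src, entry.src_net, entry.src_wild):
            continue
        return entry.action
    return "deny"


# Constructed sample packets arriving on the outside interface.
SAMPLES = {
    "normal_web":     Packet("tcp", "198.51.100.7", "10.0.0.80"),
    "spoofed_inside": Packet("tcp", "10.1.2.3", "10.0.0.80"),
    "loopback_src":   Packet("udp", "127.0.0.1", "10.0.0.53"),
    "multicast_src":  Packet("udp", "239.1.1.1", "10.0.0.53"),
    "class_e_src":    Packet("udp", "240.0.0.1", "10.0.0.53"),
    "icmp_redirect":  Packet("icmp", "198.51.100.7", "10.0.0.1", "redirect"),
    "icmp_echo":      Packet("icmp", "198.51.100.7", "10.0.0.1", "echo"),
    "dhcp_discover":  Packet("udp", "0.0.0.0", "255.255.255.255"),  # side effect
}


def run() -> dict:
    return {name: evaluate(ANTI_SPOOF_ACL, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run().items():
        print(f"{name:16s} {verdict}")
```

The wildcard 31.255.255.255 on 224.0.0.0 compares only the top three bits, so it covers 224.0.0.0 through 255.255.255.255 (multicast and the reserved class E space), which is why 240.0.0.1 is denied along with 239.1.1.1.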

11 Avoid packet sniffers

Attackers routinely install sniffing software on a computer they have already compromised inside the network and watch the traffic passing by, stealing passwords along the way: SNMP community strings, router login passwords and privileged (enable) passwords included. That makes it very hard for the administrator to keep the network secure. Never log in to a router over an unencrypted protocol from an untrusted network. If the router supports encrypted protocols, use SSH or Kerberized Telnet, or protect all management traffic to the router with IPsec.

12 Check the validity of the path a packet claims to have taken

Unicast Reverse Path Forwarding (uRPF) checks each incoming packet's source address against the routing table: if the source is not reachable back through the interface the packet arrived on, the source is illegitimate and the packet is discarded, which defeats spoofing attacks. Configure it per interface with "ip verify unicast reverse-path" (strict mode; newer IOS releases spell this "ip verify unicast source reachable-via rx", with "reachable-via any" for loose mode). Note: uRPF requires CEF (Cisco Express Forwarding) to be enabled first ("ip cef").
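Added example, not from the article: a small Python model of the uRPF decision against a constructed forwarding table, using longest-prefix match. It goes beyond the text in showing strict versus loose mode and the effect of the "allow-default" option (by default a source matched only by the default route fails the check), which is what makes strict mode usable on the interface that carries the default route. Interface names, prefixes and packet sources are all constructed.

```python
import ipaddress

# Constructed forwarding table (what CEF consults): prefix -> egress interface.
FIB = {
    "10.0.0.0/8": "Gi0/1",       # inside networks
    "192.0.2.0/24": "Gi0/1",     # a second inside prefix
    "0.0.0.0/0": "Gi0/0",        # default route toward the Internet
}


def lookup(fib: dict, ip: str):
    """Longest-prefix match; returns (network, interface) or None."""
    address = ipaddress.IPv4Address(ip)
    best = None
    for prefix, iface in fib.items():
        network = ipaddress.IPv4Network(prefix)
        if address in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, iface)
    return best


def urpf(fib: dict, ingress: str, src: str, mode: str = "strict",
         allow_default: bool = False) -> bool:
    """Return True if the packet passes the uRPF check.

    strict ("reachable-via rx"): the best route to the source must point out
    the ingress interface.  loose ("reachable-via any"): any route to the
    source is enough.  In both modes a match on the default route only counts
    when allow_default is set (the "allow-default" keyword)."""
    match = lookup(fib, src)
    if match is None:
        return False
    network, iface = match
    if network.prefixlen == 0 and not allow_default:
        return False
    if mode == "strict":
        return iface == ingress
    if mode == "loose":
        return True
    raise ValueError(f"unknown mode {mode!r}")


def scenarios() -> dict:
    """Constructed packets: (ingress interface, source address) -> pass/drop."""
    return {
        # spoofed inside address arriving from the Internet
        "spoof_strict": urpf(FIB, "Gi0/0", "10.1.2.3"),
        "spoof_loose": urpf(FIB, "Gi0/0", "10.1.2.3", mode="loose"),
        # genuine inside host on the inside interface
        "inside_ok": urpf(FIB, "Gi0/1", "10.1.2.3"),
        # legitimate Internet source matched only by the default route
        "internet_default_denied": urpf(FIB, "Gi0/0", "203.0.113.5"),
        "internet_allow_default": urpf(FIB, "Gi0/0", "203.0.113.5", allow_default=True),
        # inside host spoofing an Internet address toward the Internet
        "inside_spoofs_internet": urpf(FIB, "Gi0/1", "203.0.113.5", allow_default=True),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:26s} {'pass' if verdict else 'drop'}")
```

The "spoof_loose" case is the practical caveat: loose mode only rejects sources with no route at all, so it does not stop an outside host spoofing an inside address; strict mode on the outside interface does.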

13 Prevent SYN attacks

Some router software releases offer TCP intercept, which protects servers behind the router from SYN floods. It has two modes, intercept and watch; intercept is the default. In intercept mode the router answers each incoming SYN with a SYN-ACK on the server's behalf and waits for the client's ACK; only when the ACK arrives does it open the connection to the server, so half-open connections never reach the server. In watch mode the router lets the SYN through to the server but watches the handshake; if the connection is not established within 30 seconds (the default watch timeout), the router sends a RST to clear it from the server. First write an extended access list naming the servers to protect, then enable intercept and choose the mode:

  access-list <100-199> permit tcp any <destination> <destination-wildcard>
  ip tcp intercept list <100-199>
  ip tcp intercept mode intercept
  (or: ip tcp intercept mode watch)
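Added example (not the article's): a Python simulation of the two modes against a constructed SYN flood of 1000 spoofed sources plus one legitimate client, tracking the server's half-open backlog. It shows what the text describes: in intercept mode the server never sees a half-open connection, while in watch mode the backlog fills and is cleared only when the 30-second watch timer expires and the router sends RSTs. Aggressive-mode thresholds and the other IOS timers are not modelled.

```python
from dataclasses import dataclass, field

WATCH_TIMEOUT = 30.0  # seconds; IOS default for "ip tcp intercept watch-timeout"


@dataclass
class Server:
    """The protected host: tracks half-open (SYN received) and established flows."""
    half_open: set = field(default_factory=set)
    established: set = field(default_factory=set)

    def syn(self, flow):
        self.half_open.add(flow)

    def ack(self, flow):
        self.half_open.discard(flow)
        self.established.add(flow)

    def rst(self, flow):
        self.half_open.discard(flow)


@dataclass
class TcpIntercept:
    """Router-side state for one protected server. mode: 'intercept' or 'watch'."""
    mode: str
    server: Server
    pending: dict = field(default_factory=dict)   # flow -> time the SYN was seen

    def on_syn(self, flow, now: float) -> str:
        self.pending[flow] = now
        if self.mode == "intercept":
            # Router completes the client-side handshake itself; the server is
            # told nothing until the client proves it can finish it.
            return "syn-ack-from-router"
        # Watch mode: the SYN goes straight through, the router starts a timer.
        self.server.syn(flow)
        return "syn-forwarded"

    def on_ack(self, flow, now: float) -> str:
        if flow not in self.pending:
            return "ignored"
        del self.pending[flow]
        if self.mode == "intercept":
            self.server.syn(flow)    # router now opens the connection to the server
        self.server.ack(flow)
        return "established"

    def tick(self, now: float) -> int:
        """Expire half-open flows; in watch mode also reset them on the server."""
        expired = [f for f, t in self.pending.items() if now - t >= WATCH_TIMEOUT]
        for flow in expired:
            del self.pending[flow]
            if self.mode == "watch":
                self.server.rst(flow)
        return len(expired)


def simulate(mode: str, flood_size: int = 1000) -> dict:
    """Constructed scenario: a SYN flood from spoofed sources plus one real client."""
    server = Server()
    router = TcpIntercept(mode, server)
    t = 0.0
    for i in range(flood_size):            # spoofed sources never send the ACK
        router.on_syn(("203.0.113.%d" % (i % 254 + 1), 40000 + i), t)
    real = ("198.51.100.7", 51515)
    router.on_syn(real, t)
    backlog_during_flood = len(server.half_open)
    router.on_ack(real, t + 0.1)           # the real client completes the handshake
    expired = router.tick(t + WATCH_TIMEOUT)
    return {
        "backlog_during_flood": backlog_during_flood,
        "real_client_established": real in server.established,
        "expired_by_router": expired,
        "backlog_after_timeout": len(server.half_open),
    }


if __name__ == "__main__":
    for m in ("intercept", "watch"):
        print(m, simulate(m))
```

In both modes the legitimate client gets through; the difference is where the half-open state lives during the flood, on the router (intercept) or on the server for up to 30 seconds (watch).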

14 Use an SNMP management plan

SNMP is widely used to monitor and configure routers. SNMP version 1 sends its community strings in the clear and has no authentication beyond them, so it is not suitable for management across a public network. Restricting SNMP access to particular management workstations with an access list improves the security of the service considerably. Configuration:

  snmp-server community xxxxx RW XX

where XX is the number of the access control list that permits only the management stations (use RO rather than RW wherever write access is not needed). Keyed MD5 (or SHA) message authentication, in which each router holds its own key so that a message forged for one device is rejected by the others, is provided by the SNMPv3 user security model; the widely deployed version 2c, like version 1, still relies on community strings alone. Moving to authenticated SNMP is an effective way to raise the overall security of the network.
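Tying the configuration items together, here is an added Python example (not from the article) that audits an IOS running-config text for the weaknesses described in items 3 through 11 and 14. Both configurations below are constructed samples (the "enable secret" value is a placeholder, not a real hash), the parser understands only top-level lines and "interface"/"line" blocks, and the checks are heuristics that assume IOS defaults (for example, CDP counts as enabled unless "no cdp run" or a per-interface "no cdp enable" appears); they do not replace reading the configuration.

```python
import re

# Constructed sample: a configuration carrying many of the weaknesses in the text.
WEAK_CONFIG = """\
hostname edge-rtr
enable password letmein
service tcp-small-servers
service udp-small-servers
service finger
ip source-route
ip http server
snmp-server community public RW
interface GigabitEthernet0/0
 description outside
 ip address 203.0.113.1 255.255.255.0
 ip directed-broadcast
interface GigabitEthernet0/1
 description inside
 ip address 10.0.0.1 255.255.255.0
 no cdp enable
line vty 0 4
 transport input telnet
"""

# Constructed sample: the same device after applying the measures.
HARDENED_CONFIG = """\
hostname edge-rtr
service password-encryption
enable secret 5 $1$constructed$notARealHashValue0000000
no service tcp-small-servers
no service udp-small-servers
no service finger
no ip source-route
no cdp run
no ip http server
access-list 10 permit host 10.0.0.50
snmp-server community 9f3k2Lq RO 10
interface GigabitEthernet0/0
 description outside
 ip address 203.0.113.1 255.255.255.0
 ip verify unicast source reachable-via rx allow-default
interface GigabitEthernet0/1
 description inside
 ip address 10.0.0.1 255.255.255.0
line vty 0 4
 transport input ssh
"""


def parse(config: str):
    """Split a config into top-level lines and indented sub-blocks."""
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current:
            blocks[current].append(raw.strip())
        elif raw.startswith(("interface ", "line ")):
            current = raw.strip()
            blocks[current] = []
        else:
            current = None
            top.append(raw.strip())
    return top, blocks


def audit(config: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    top, blocks = parse(config)
    interfaces = {n: b for n, b in blocks.items() if n.startswith("interface ")}
    findings = []

    def has(prefix):
        return any(line == prefix or line.startswith(prefix + " ") for line in top)

    if has("enable password") and not has("enable secret"):
        findings.append("item 3: 'enable password' used without 'enable secret'")
    if has("service tcp-small-servers") or has("service udp-small-servers"):
        findings.append("item 4: TCP/UDP small servers enabled")
    if has("service finger") or has("ip finger"):
        findings.append("item 5: finger service enabled")
    if not has("no cdp run"):
        for name, sub in interfaces.items():
            if "no cdp enable" not in sub:
                findings.append(f"item 6: CDP enabled on {name}")
    if not has("no ip source-route"):
        findings.append("item 7: IP source routing not disabled")
    for name, sub in interfaces.items():
        if "ip directed-broadcast" in sub:
            findings.append(f"item 8: directed broadcasts forwarded on {name}")
    if has("ip http server") and not has("ip http access-class"):
        findings.append("item 9: HTTP server enabled without an access-class")
    for name, sub in blocks.items():
        if name.startswith("line vty") and any(
                l.startswith("transport input") and "telnet" in l for l in sub):
            findings.append(f"item 11: {name} accepts Telnet")
    for line in top:
        m = re.match(r"snmp-server community (\S+)(?: (RO|RW))?(?: (\S+))?$", line)
        if not m:
            continue
        community, mode, acl = m.groups()
        if community.lower() in ("public", "private"):
            findings.append(f"item 14: default community string '{community}'")
        if acl is None:
            findings.append(f"item 14: community '{community}' not restricted by an access list")
        if mode == "RW":
            findings.append(f"item 14: community '{community}' is read-write")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or ["no findings"])
```

Run it against a "show running-config" capture; every finding names the item above that explains the fix.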

In short, router security is an important part of network security, but it must work together with the other security precautions so that the protection of the whole network forms a complete system.


More related:

How To Recover Cisco Router Password

The Difference of The Cisco Catalyst 2900 and Cisco Catalyst 1900

More Cisco products and Reviews you can visit: http://www.3anetwork.com/blog

It is referred from

3Anetwork.com is a world-leading Cisco networking products wholesaler. We wholesale original new Cisco networking equipment, including Cisco Catalyst switches, Cisco routers, Cisco firewalls, Cisco wireless products, Cisco modules and interface cards, at competitive prices and ship worldwide.

Our website: http://www.3anetwork.com

Telephone: +852-3069-7733

Email:  [email protected]

Address: 23/F Lucky Plaza, 315-321 Lockhart Road, Wanchai, Hongkong
