The router is the core piece of equipment in a network, and router security is the frontier pass of network security.
Here are some specific measures to harden a router, so that the router itself can withstand attacks and network information is not stolen.
1 Add authentication to routing protocol exchanges between routers to improve network security
An important function of the router is routing management and maintenance. Networks of any size now rely on dynamic routing protocols; the common ones are RIP, EIGRP, OSPF, IS-IS and BGP. When a router running the same protocol with the same area identifier joins the network, it learns the network's routing table. This can leak network topology information, and a router that injects its own routing table into the network can disrupt normal operation, in serious cases paralysing the entire network. The solution is to authenticate the routing information exchanged between routers within the network. When authentication is configured, the receiving router verifies the routing information it receives. There are two authentication methods: plain text, which offers low security, and MD5, which is the recommended choice.
2 Physical security of the router
The router's console port is a privileged port. An attacker with physical access to the router can power-cycle it, carry out the password recovery procedure, log in and take complete control of the router.
3 Protecting router passwords
Even when the passwords in backed-up router configuration files are stored in encrypted form, the plaintext may still be recovered. Once a password leaks, the network has no security at all.
4 Disable the diagnostic small-server services on the router
The commands to disable them are: no service tcp-small-servers and no service udp-small-servers.
5 Disable the current-user listing (finger) service on the router
The command to disable it: no service finger.
6 Disable the CDP service
CDP is an OSI layer-2 (link layer) protocol through which a neighbouring device can discover configuration information about this router: device platform, operating system version, ports, IP addresses and other important details. Use the command no cdp run (globally) or no cdp enable (on an interface) to turn this service off.
7 Prevent the router from accepting packets marked with the source-route option, and drop such traffic
ip source-route is a global configuration command that allows the router to process traffic carrying the source-route option. With source routing enabled, the path specified in the source-routing information can override the default routing, so packets may bypass the firewall. The command to disable it: no ip source-route.
8 Disable directed-broadcast forwarding on the router
A Smurf DoS attack uses a router configured to forward broadcasts as a reflector, consuming network resources and even paralysing the network. Disable broadcast forwarding on each applicable interface with no ip directed-broadcast.
9 Manage the HTTP service
The HTTP service provides a web management interface. no ip http server stops the HTTP service. If you must use HTTP, be sure to restrict the permitted source IP addresses strictly with an access list applied through the ip http access-class command, and at the same time set an authorization method with the ip http authentication command.
10 Defending against spoofing attacks
Use access control lists to filter out all packets that claim to come from internal network addresses or broadcast addresses but actually arrive from outside. On the router interface, apply the list with ip access-group number in; the access control list is as follows:
access-list number deny icmp any any redirect
access-list number deny ip 127.0.0.0 0.255.255.255 any
access-list number deny ip 224.0.0.0 31.255.255.255 any
access-list number deny ip host 0.0.0.0 any
Note: these four commands will also filter BOOTP/DHCP packets; understand this well before using them in such contexts.
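As an added example (not part of the original article), a small Python evaluator that parses the four anti-spoofing entries above in IOS syntax and applies them top-down with Cisco wildcard-mask matching; it shows why a DHCP DISCOVER from source 0.0.0.0 is caught. The list number 101 and the trailing permit entry are assumptions added here.

```python
import ipaddress

# Constructed copy of the article's four anti-spoofing entries plus an assumed
# trailing "permit ip any any": without it the implicit deny at the end of every
# IOS access list would drop all inbound traffic. List number 101 is a placeholder.
ANTI_SPOOF_ACL = """
access-list 101 deny icmp any any redirect
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 224.0.0.0 31.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 permit ip any any
""".strip().splitlines()


def _parse_addr(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD); return (base, wildcard) as ints."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))


def parse_ace(line):
    """Parse 'access-list N action proto SRC DST [qualifier]' into a dict."""
    tokens = line.split()
    _, _, action, proto = tokens[:4]
    rest = tokens[4:]
    src = _parse_addr(rest)
    dst = _parse_addr(rest)
    qualifier = rest[0] if rest else None  # e.g. the ICMP type "redirect"
    return {"line": line, "action": action, "proto": proto,
            "src": src, "dst": dst, "qualifier": qualifier}


def _match(addr, spec):
    """Cisco wildcard mask: a 1 bit means 'don't care', so compare only the 0 bits."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)


def evaluate(acl_lines, proto, src, dst, icmp_type=None):
    """Return (action, matched_line) for the first matching entry, top-down like IOS."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if not (_match(src, ace["src"]) and _match(dst, ace["dst"])):
            continue
        if ace["qualifier"] and ace["qualifier"] != icmp_type:
            continue
        return ace["action"], ace["line"]
    return "deny", "implicit deny (end of list)"
```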
11 Avoid packet sniffers
Attackers often install sniffing software on a computer they have already compromised inside the network to monitor traffic and steal passwords, including SNMP community strings and the router's login and privileged passwords, which makes it very hard for administrators to guarantee network security. Do not log in to the router with an unencrypted protocol over an untrusted network. If the router supports encrypted protocols, use SSH or Kerberized Telnet, or use IPSec to encrypt all router management traffic.
12 Validity check of the traffic path
Use RPF (reverse path forwarding) to check source addresses: because the attacker's source address is illegitimate, the attack packets are discarded, which defends against spoofing attacks. The RPF configuration command is: ip verify unicast reverse-path. Note: CEF (Cisco Express Forwarding) fast forwarding must be enabled first.
13 Prevent SYN attacks
Some router software platforms can enable the TCP intercept feature to prevent SYN attacks. It has two modes of operation, intercept and watch; the default is intercept mode. In intercept mode the router answers an incoming SYN request by sending the SYN-ACK on behalf of the server and waits for the client's ACK; only if the ACK arrives does it send the SYN on to the server. In watch mode the router lets the SYN request go directly to the server, and if the connection is not established within 30 seconds the router sends a RST to clear the connection. First configure an access list naming the IP addresses that need protection: access-list [1-199] [deny|permit] tcp any destination destination-wildcard. Then enable TCP intercept and select the mode: ip tcp intercept list access-list-number, followed by ip tcp intercept mode watch (or intercept).
14 Plan SNMP management carefully
SNMP is widely used for monitoring and configuring routers. SNMP version 1 sends management traffic over the public network with low security and is not suitable for use. An access list that permits SNMP access only from specific workstations improves the security of the SNMP service. Configuration command: snmp-server community xxxxx RW XX, where XX is the access control list number. SNMP version 2 uses MD5 digest authentication. Using different digest keys on different routers and devices is an effective means of improving overall security.
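As an added example (not part of the original article), a Python audit that checks a router configuration text against the hardening items in sections 4 to 14 above. The sample configuration and the rule patterns are constructed here; the rules distinguish risky commands that IOS shows when enabled from hardening commands that appear in the configuration only in their "no ..." form.

```python
import re

# Constructed sample running-config (not from any real device) that contains several
# of the weaknesses this article lists, so the audit has something to find.
SAMPLE_CONFIG = """\
service tcp-small-servers
no service finger
no ip source-route
ip http server
snmp-server community public RW
snmp-server community mon RO 10
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip directed-broadcast
 no cdp enable
line vty 0 4
 transport input telnet ssh
"""


def _has(lines, pattern):
    """True if any config line (leading indentation stripped) starts with the pattern."""
    return any(re.match(pattern, ln.strip()) for ln in lines)


# (article section, finding, predicate that is True when the finding applies)
RULES = [
    (4, "TCP small servers enabled", lambda l: _has(l, r"service tcp-small-servers$")),
    (4, "UDP small servers enabled", lambda l: _has(l, r"service udp-small-servers$")),
    (5, "finger service enabled", lambda l: _has(l, r"(service|ip) finger$")),
    (6, "CDP not disabled globally", lambda l: not _has(l, r"no cdp run$")),
    (7, "IP source routing not disabled", lambda l: not _has(l, r"no ip source-route$")),
    (8, "directed broadcast enabled on an interface", lambda l: _has(l, r"ip directed-broadcast$")),
    (9, "HTTP server on without access-class",
     lambda l: _has(l, r"ip http server$") and not _has(l, r"ip http access-class ")),
    (9, "HTTP server on without authentication",
     lambda l: _has(l, r"ip http server$") and not _has(l, r"ip http authentication ")),
    (11, "vty line allows cleartext telnet",
     lambda l: _has(l, r"transport input .*\btelnet\b|transport input all$")),
    (12, "unicast RPF not configured on any interface", lambda l: not _has(l, r"ip verify unicast ")),
    (14, "read-write SNMP community without an ACL", lambda l: _has(l, r"snmp-server community \S+ RW$")),
    (14, "default SNMP community string in use", lambda l: _has(l, r"snmp-server community (public|private)\b")),
]


def audit(config_text):
    """Return the list of (section, finding) pairs that fire on this configuration."""
    lines = config_text.splitlines()
    return [(section, finding) for section, finding, fails in RULES if fails(lines)]
```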
In short, router security is an important part of network security, but it must work together with other security precautions to build up a complete set of safety measures.