Wednesday, June 23, 2010


Most enterprises, institutions and departments that connect to the Internet do so through a single router linked to their ISP. That router is the bridge between the external Internet and the internal network; if it is configured securely, it gives the internal network one more barrier in a multi-layered defence, or at least a first one. Most routers in use today are Cisco products or offer similar functionality, so this article discusses security configuration using Cisco routers as its example.
Given the router's role and position, the quality of its configuration affects not only its own security but the security of the whole network. Routers (Cisco's, for example) ship with security features such as access lists and encryption, but in the default configuration most of them are turned off and must be enabled by hand. Which settings give the greatest security gain without reducing network performance? The following sections take the questions in turn:
1. Password management
Passwords are the router's primary means of preventing unauthorised access and are part of the router's own security. The best approach is to keep passwords on a TACACS+ or RADIUS authentication server. Almost every router nevertheless needs some locally configured passwords for privileged access. How is this part kept secure?
1. Use enable secret
The enable secret command sets the password for administrator (privileged EXEC) access. If no enable secret is configured and a password has been set on the console TTY, that console password can also be used to gain privileged access, even over a remote connection, which is not a desirable situation. The older enable password command serves a similar purpose, but the encryption it uses is much weaker.
2. Use service password-encryption
This command stores all passwords and similar secrets in the configuration file (CHAP secrets, for example) in obscured form, so that someone who gets to see the configuration file does not read them directly in clear text. However, the algorithm service password-encryption uses (the "type 7" encoding) is a simple Vigenère cipher with a fixed key and is trivial to reverse; it mainly protects passwords set with enable password and line passwords. The enable secret command instead stores an MD5-based hash (a "type 5" secret), which cannot be reversed, but it is still open to dictionary attacks.
So do not assume that an encrypted password is safe: choose long passwords, keep configuration files from leaking outside, and configure both enable secret and service password-encryption.
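As an added illustration (not code from the original article), the following Python reverses the type 7 encoding that service password-encryption produces and scans a constructed configuration dump for such strings. The fixed key is the one IOS uses, published long ago and identical on every device; the sample configuration, its hash value and the plaintexts are made up for the example.

```python
# Added example, not code from the article: Cisco "type 7" is a Vigenere-style
# XOR against a fixed, public key, so anyone holding the config can reverse it.
import re

# The 53-character key IOS uses for type-7 encoding (same on every device).
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_encode(plaintext: str, seed: int = 8) -> str:
    """Produce the 'password 7 <hex>' form IOS writes into the running-config.

    seed is the starting offset into XLAT; IOS picks it and stores it as the
    first two decimal digits of the string, so it is not a secret either.
    """
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    out = [f"{seed:02d}"]
    for i, ch in enumerate(plaintext):
        key_byte = ord(XLAT[(seed + i) % len(XLAT)])
        out.append(f"{ord(ch) ^ key_byte:02X}")
    return "".join(out)


def type7_decode(encoded: str) -> str:
    """Reverse a type-7 string by XORing each byte with the same key stream."""
    seed = int(encoded[:2])
    body = encoded[2:]
    if len(body) % 2:
        raise ValueError("odd-length hex body")
    chars = []
    for i in range(0, len(body), 2):
        key_byte = ord(XLAT[(seed + i // 2) % len(XLAT)])
        chars.append(chr(int(body[i:i + 2], 16) ^ key_byte))
    return "".join(chars)


# Matches line, enable and CHAP passwords stored with 'service password-encryption'.
TYPE7_RE = re.compile(r"\b(?:password|key|secret) 7 ([0-9A-Fa-f]{2,})\b")


def recover_type7_from_config(config_text: str) -> dict:
    """Map every type-7 string found in a config dump to its plaintext."""
    return {m.group(1): type7_decode(m.group(1)) for m in TYPE7_RE.finditer(config_text)}


# Constructed sample config (placeholder hash; 'cisco' vectors are well known).
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$placeholder$notarealhash
enable password 7 0822455D0A16
interface Serial0
 ppp chap password 7 """ + type7_encode("chap-s3cret", 3) + """
line vty 0 4
 password 7 094F471A1A0A
"""

if __name__ == "__main__":
    for enc, plain in recover_type7_from_config(SAMPLE_CONFIG).items():
        print(f"{enc} -> {plain}")
```

The `enable secret` line is left alone by the scanner: a type 5 value is a salted hash and has to be guessed with a word list rather than decoded, which is why the article recommends it over enable password.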
2. Controlling interactive access
Anyone who can log in to the router can display important configuration information, and an attacker can use the router as a jumping-off point for further attacks, so login access needs proper control. Most login access is disabled by default, but there are exceptions, such as terminals connected directly to the console.
The console port has special privileges. In particular, if a Break signal is sent to the console port during the first few seconds after the router restarts, the password recovery procedure makes it easy to take control of the whole system. So an attacker who has no normal access, but who can cause a reboot (by cutting power or crashing the system) and can reach the console port (through a directly attached terminal, a modem or a terminal server), can take over the whole system. All access paths to the console port must therefore be secured.
Apart from the console there are many other ways to log in; depending on configuration and operating system version these include Telnet, rlogin, SSH, non-IP protocols such as LAT, MOP, X.29 and V.120, and modem dial-in. All of these are associated with TTYs: local asynchronous terminals and dial-in modems use standard "TTYs", while remote network connections, whatever protocol they use, are virtual TTYs, "VTYs". The best way to control access to the router is to control these TTYs and VTYs: require authentication on them, or configure login on a line with no password set, which refuses all access to that line.
1. Controlling TTYs
By default a remote user can connect over the network to a TTY, a feature known as reverse Telnet. It lets a remote user connect to a local asynchronous terminal port or a dial-in modem port, where they could, for instance, present a fake login prompt to harvest passwords. It is best to disable this feature: transport input none on those lines stops them accepting any asynchronous or modem connection from network users. If possible, do not use the same modem for both dial-in and dial-out, and forbid reverse Telnet to dial-out modems.
2. Controlling VTYs
For safety, each VTY should accept connections only with the specified protocols, set with the transport input command. For example, a VTY that is only to accept Telnet is set with transport input telnet. If the router's operating system supports SSH, use that instead and avoid Telnet, which carries everything in clear text: transport input ssh. The access-class command on the VTY lines can additionally restrict the source IP addresses allowed to connect.
Because the number of VTYs is limited, once they are all in use no further remote connection can be established, which can be exploited for denial of service (DoS): the attacker does not even need to log in, since merely opening connections as far as the login prompt consumes all the VTYs. A good defence is to use access-class on the last VTY to restrict it to specific management stations, leaving the other VTYs unrestricted; this keeps flexibility while guaranteeing that administration is never locked out. Another measure is to set an idle timeout with exec-timeout so that an idle session does not hold a VTY indefinitely. service tcp-keepalives-in can likewise verify that established TCP connections are still alive, so that a VTY is not monopolised by a malicious client or by a remote system that has crashed. A better way to protect the VTYs is to close all non-IP-based access and use IPsec to encrypt all remote connections to the router.
3. Management service configuration
Many users manage the router with protocols such as SNMP or HTTP, but these management protocols have security issues of their own.
1. SNMP
SNMP is the most frequently used router management protocol. The most widely deployed version is SNMP version 1, which has several security problems:
A. Authentication is in clear text, using "community strings".
B. During periodic polling these community strings are sent over and over again.
C. As a UDP packet-based protocol it is easy to spoof.
So use SNMP v2 wherever possible, as it supports MD5-based authentication and allows different restrictions on management data. If SNMP v1 must be used, configure it carefully: avoid the default communities such as public and private, avoid using the same community on every device, and use separate communities with separate restrictions for read and write access. With SNMP v2, set a different MD5 secret for each router where possible. Best of all, restrict with an access list which stations may manage the router with SNMP. (On software that supports it, SNMP v3 adds per-user authentication and encryption and is the version to prefer today.)
2. HTTP
Recent router operating systems support remote configuration and monitoring over HTTP. HTTP authentication is equivalent to sending the password in clear text over the network, and HTTP has no effective challenge-response or one-time password protection, which makes HTTP management very dangerous.
If you choose to manage over HTTP, restrict the permitted source addresses with the ip http access-class command and configure authentication with ip http authentication; the best choice is to authenticate against a TACACS+ or RADIUS server.
4. Logging
Using the router's logging functions is very important for security. Cisco routers support the following kinds of log:
1. AAA log: mainly records user dial-in connections, logins, HTTP access and privilege-level changes. These records are sent with the TACACS+ or RADIUS protocol to the authentication server and saved there. They are enabled with aaa accounting.
2. SNMP trap log: sends changes of system state to an SNMP management station.
3. System log: records a large number of system events, depending on configuration, and can send them to:
a. the console port
b. a syslog server
c. TTYs or VTYs
d. a local log buffer.
The system log is of most interest here. By default these messages go to the console port, where the operation of the system can be watched on a console monitor, but that carries little information and nothing is kept for later review. It is best to send log messages to a syslog server, where they are preserved.
5. Routing security
1. Preventing address forgery (spoofing)
Forging source addresses is a frequently used attack technique, and router configuration can prevent it to some extent. Access lists are usually used to restrict the range of source addresses allowed through. Note the following points:
A. Filtering can be applied at any point in the network, but is best done at the border routers, because inside the network it is difficult to tell which addresses are forged.
B. It is best to filter inbound on the interface (ip access-group <list> in), because an outbound list only protects the part of the network behind the router, whereas an inbound list also protects the router itself from outside attack.
C. Apply access control not only on external ports but on internal ports as well, to prevent attacks from the inside.
The following is an example of such an access list (fill in the list number; an access list ends with an implicit deny, so permit entries for legitimate traffic must follow these lines):
access-list <number> deny icmp any any redirect            ! deny all ICMP redirects
access-list <number> deny ip 127.0.0.0 0.255.255.255 any   ! deny packets with loopback source addresses
access-list <number> deny ip 224.0.0.0 31.255.255.255 any  ! deny packets with multicast (or class E) source addresses
In addition to these restrictions, the router can perform a reverse path forwarding (RPF) check with ip verify unicast reverse-path. This feature checks the source address of each packet arriving on the interface: it looks up the route back to the source in the routing table and, if that route does not also go through the interface the packet arrived on, discards the packet. This further ensures the authenticity of the data source. However, it is not suitable for asymmetric routing, where the path from A to B differs from the path from B to A, so the specific routing topology must be understood before enabling it.
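To show how these two checks decide on a packet, here is an added Python model (not code from the article) of an inbound access list with IOS wildcard masks and of a strict reverse-path check. The access list extends the three lines above with a deny for the router's own internal range and a final permit; the routing table, interface names and addresses are constructed for the example and use documentation ranges.

```python
# Added example, not code from the article: an inbound anti-spoofing access
# list and strict unicast RPF, modelled on constructed data.
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Tuple


class Packet(NamedTuple):
    src: str
    dst: str
    proto: str                       # "icmp", "tcp" or "udp"
    in_if: str                       # interface the packet arrived on
    icmp_type: Optional[str] = None  # e.g. "redirect"


class AclEntry(NamedTuple):
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    icmp_type: Optional[str] = None


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard masks are inverted subnet masks: 0.255.255.255 means /8."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def _take_address(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(lines: List[str]) -> List[AclEntry]:
    """Parse numbered-ACL lines as used in the article:
    access-list <n> <permit|deny> <proto> <src> [<wild>] <dst> [<wild>] [icmp-type]"""
    entries = []
    for line in lines:
        tokens = line.split("!")[0].split()       # drop trailing comments
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src, rest = _take_address(rest)
        dst, rest = _take_address(rest)
        entries.append(AclEntry(action, proto, src, dst, rest[0] if rest else None))
    return entries


def acl_verdict(entries: List[AclEntry], pkt: Packet) -> str:
    """First matching entry wins; every IOS access list ends in an implicit deny."""
    src, dst = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for e in entries:
        if e.proto not in ("ip", pkt.proto):
            continue
        if src not in e.src_net or dst not in e.dst_net:
            continue
        if e.icmp_type is not None and e.icmp_type != pkt.icmp_type:
            continue
        return e.action
    return "deny"


def urpf_ok(routes: Dict[ipaddress.IPv4Network, str], pkt: Packet) -> bool:
    """Strict unicast RPF (ip verify unicast reverse-path): the longest-prefix
    route back to the source must leave through the interface the packet came in on."""
    src = ipaddress.IPv4Address(pkt.src)
    matches = [(net, iface) for net, iface in routes.items() if src in net]
    if not matches:
        return False                              # no route back to the source at all
    _, best_if = max(matches, key=lambda m: m[0].prefixlen)
    return best_if == pkt.in_if


def inbound_decision(entries, routes, pkt) -> str:
    """Both checks as they would apply inbound on the border interface."""
    if acl_verdict(entries, pkt) == "deny":
        return "drop: access list"
    if not urpf_ok(routes, pkt):
        return "drop: uRPF"
    return "forward"


# Constructed border policy: the article's three deny lines, a deny for our own
# internal range 192.0.2.0/24 arriving from outside, then a permit for the rest.
BORDER_ACL = parse_acl([
    "access-list 101 deny icmp any any redirect",
    "access-list 101 deny ip 127.0.0.0 0.255.255.255 any",
    "access-list 101 deny ip 224.0.0.0 31.255.255.255 any",
    "access-list 101 deny ip 192.0.2.0 0.0.0.255 any",
    "access-list 101 permit ip any any",
])

# Constructed routing table: LAN on Ethernet0, default route to the ISP on
# Serial0, and a second upstream on Serial1 to show the asymmetric-routing caveat.
ROUTES = {
    ipaddress.IPv4Network("0.0.0.0/0"): "Serial0",
    ipaddress.IPv4Network("192.0.2.0/24"): "Ethernet0",
    ipaddress.IPv4Network("198.51.100.0/24"): "Serial1",
}
```

The last route is the caveat from the paragraph above: a genuine packet from 198.51.100.0/24 that arrives on Serial0 passes the access list but is dropped by the RPF check, because the router's own best route back to that source leaves through Serial1.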
2. Controlling directed broadcasts
A directed broadcast is a packet whose destination IP is the broadcast address of a subnet to which the sending host is not directly connected. Such a packet is forwarded by routers like any other packet until it reaches the destination subnet, where it is converted into a link-layer broadcast. Because of how IP addresses are structured, only a router directly connected to the subnet can recognise the packet as a directed broadcast. This feature is abused by the well-known smurf attack: every host on the target subnet replies to the illegitimate broadcast, ultimately flooding the network with a broadcast storm.
The defence is no ip directed-broadcast on the router interface (the default on IOS 12.0 and later). This only stops that interface from turning directed broadcasts into link-layer broadcasts; it does not discard them in transit, so for full protection every router that may be connected to a target subnet must be configured with no ip directed-broadcast.
3. Routing attacks
Source routing attacks are a common form of attack on routing; because some old IP implementations have problems handling source-routed packets and may crash, it is best to turn source routing off at the router with the command no ip source-route.
ICMP redirect attacks are another common routing attack: the attacker sends false redirect messages to an end host, corrupting that host's routing. This can be countered by filtering all ICMP redirects at the border router, but that only stops external attackers; if the attacker is on the same segment as the target host, the router cannot help.
When the router uses a dynamic routing protocol, an attacker can forge routing packets to corrupt the router's routing table. To prevent this, an access list (distribute-list ... in) can limit which routing information is accepted, and authentication should be used where possible; RIP version 2 and OSPF both support it.
6. Traffic management
Most DoS attacks work by sending large numbers of useless packets to consume router and bandwidth resources, overloading the network and its equipment; such attacks are also called flooding attacks. To defend against them, first determine where the bottleneck is. For example, if the attack saturates a line, filtering at the router on the source side of that line is effective, whereas filtering at the router on the destination side has little effect. Also bear in mind that the router itself may be the target, which is the worse situation. Countermeasures for this type of attack:
1. Protecting the network:
Use the router's QoS features to share the load and contain floods; the methods include WFQ, CAR and GTS. Each has a different range of application; WFQ, for instance, is more effective against ping floods than against SYN floods, so choose the right method for the attack in hand.
2. Protecting the router itself:
Although the router can protect the rest of the network from overload, it must also protect itself. Secure settings include:
a. Use CEF switching rather than the traditional route cache, because with CEF a newly seen destination does not require building a cache entry. This makes it better at withstanding SYN floods, which use random source addresses: the victim's replies to those random sources are all new destinations for the router to handle.
b. Use scheduler interval or scheduler allocate. When packets arrive at a high rate, the router may spend so much time in network interface interrupts that other tasks cannot run. These commands make the router stop handling interrupts at specified intervals to process other events; the side effect is minor and does not affect normal forwarding.
c. Set a default route to the null interface (ip route 0.0.0.0 0.0.0.0 null 0 255):
this discards packets for destinations the router has no route to cheaply, which improves router performance.
7. Service management
Routers usually offer many services such as finger and Telnet, but some of them can be exploited by attackers, so it is best to disable every unnecessary service.
1. Cisco routers provide some TCP- and UDP-based "small services": echo, chargen and discard. They are rarely used and can be abused by attackers to get packets across packet-filtering mechanisms; with the echo service, for example, an attacker can bounce packets so that they appear to originate from the router itself. Disable them with no service tcp-small-servers and no service udp-small-servers.
2. Finger, NTP, CDP:
The finger service can help an attacker discover user names for password attacks. NTP is not very dangerous, but without proper authentication it can be used to change the router's clock, corrupting log timestamps and other time-dependent tasks. CDP can give an attacker information such as the router's platform and software version with which to plan attacks. If these services are not needed, it is best to disable them: no service finger, ntp disable on each interface, and no cdp run globally (or no cdp enable on individual interfaces).
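The following added Python script (not from the original article) audits a running-config text for the settings discussed in sections 1 through 7 above: enable password without enable secret, unrestricted VTYs, default SNMP communities and unprotected HTTP, a missing syslog server, source routing, directed broadcasts and the small services. Both configurations it checks are constructed samples; the addresses, community string and hash are placeholders.

```python
# Added example, not code from the article: audit an IOS running-config text
# against the hardening points above. Both configs are constructed samples.
import re

WEAK_CONFIG = """\
enable password 7 0822455D0A16
snmp-server community public RO
snmp-server community private RW
ip http server
service tcp-small-servers
service udp-small-servers
service finger
interface Ethernet0
 ip directed-broadcast
line vty 0 4
 password 7 094F471A1A0A
 transport input all
"""

HARDENED_CONFIG = """\
service password-encryption
enable secret 5 $1$placeholder$notarealhash
no service tcp-small-servers
no service udp-small-servers
no service finger
no ip source-route
no cdp run
no ip http server
logging 192.0.2.50
access-list 10 permit host 192.0.2.50
snmp-server community n0t-pub1ic RO 10
interface Ethernet0
 no ip directed-broadcast
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 transport input ssh
"""


def parse_config(text):
    """Split a config into global commands and indented blocks keyed by header."""
    global_lines, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())      # line inside 'line'/'interface'
            continue
        line = raw.strip()
        if line.startswith(("line ", "interface ")):
            current = line
            blocks.setdefault(current, [])
        else:
            current = None
            global_lines.append(line)
    return global_lines, blocks


def audit_config(text):
    """Return one finding per weakness; an empty list means every check passed."""
    global_lines, blocks = parse_config(text)
    enabled = [l for l in global_lines if not l.startswith("no ")]
    disabled = [l[3:] for l in global_lines if l.startswith("no ")]

    def has(prefix):
        return any(l.startswith(prefix) for l in enabled)

    findings = []
    if has("enable password") and not has("enable secret"):
        findings.append("enable password without enable secret (type 7 is reversible)")
    if "service password-encryption" not in enabled:
        findings.append("service password-encryption missing")
    findings += [f"{svc} enabled" for svc in
                 ("service tcp-small-servers", "service udp-small-servers", "service finger")
                 if svc in enabled]
    for default_on in ("ip source-route", "cdp run"):  # on by default: need explicit 'no'
        if default_on not in disabled:
            findings.append(f"'no {default_on}' missing (on by default)")
    if has("ip http server") and not (has("ip http access-class") and has("ip http authentication")):
        findings.append("ip http server without access-class and authentication")
    for l in enabled:
        m = re.match(r"snmp-server community (\S+)(?: (?:RO|RW))?(?: (\S+))?$", l)
        if m and m.group(1).lower() in ("public", "private"):
            findings.append(f"default SNMP community '{m.group(1)}'")
        if m and m.group(2) is None:
            findings.append(f"SNMP community '{m.group(1)}' not restricted by access-list")
    if not any(re.match(r"logging \d+\.\d+\.\d+\.\d+", l) for l in enabled):
        findings.append("no syslog server (logging <host>)")
    for header, body in blocks.items():
        if header.startswith("line vty"):
            allowed = {w for b in body if b.startswith("transport input") for w in b.split()[2:]}
            if not allowed or allowed & {"all", "telnet"}:
                findings.append(f"{header}: transport input should be ssh (or none)")
            if not any(b.startswith("access-class") for b in body):
                findings.append(f"{header}: no access-class limiting source addresses")
            if not any(b.startswith("exec-timeout") for b in body):
                findings.append(f"{header}: no exec-timeout, idle sessions hold VTYs")
        elif header.startswith("interface") and "ip directed-broadcast" in body:
            findings.append(f"{header}: ip directed-broadcast enabled (smurf amplifier)")
    return findings


if __name__ == "__main__":
    for finding in audit_config(WEAK_CONFIG):
        print("WEAK:", finding)
    print("hardened findings:", audit_config(HARDENED_CONFIG))
```

The checks are deliberately simple string matches on the running-config, which is what a reviewer typically receives; they assume the classic IOS defaults named in the article (CDP and source routing on, directed broadcast off only from 12.0), so on other platforms or versions the default-on list needs adjusting.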
By applying the configuration above, a router can be given basic security; for environments with strict security requirements it is not enough, because many attacks cannot be filtered at the router and attacks originating inside the network are beyond what the router can guarantee. Nevertheless, a securely configured router creates an outer barrier for the network, eases the burden on the internal firewall and protects the router itself. The security configuration of the router therefore remains very important.
