Router security is an important part of network security, and it must be coordinated with other security measures to build a complete security program. The following notes on how to protect a router are ones I collected from Cocoa Experience Channel. Welcome to read.
1. Add authentication for protocol exchanges between routers to improve network security
An important function of routers is the management and maintenance of routes. At present, networks of any significant size use dynamic routing protocols such as RIP, EIGRP, OSPF, IS-IS and BGP. When a router running the same routing protocol with the same area identifier joins the network, it learns the routing table of the network. However, this can leak network topology information, and a joining router can also inject its own routing table into the network and disturb the legitimate routing tables, which in serious cases can paralyze the whole network.
The solution is to authenticate the routing information exchanged between routers. When a router is configured with an authentication method, it verifies the sender and receiver of routing information. There are two authentication methods; the "plain text method" offers low security, so the "MD5 method" is recommended.
2. Physical security precautions of the router
The router's console (control) port is a port with special privileges. If an attacker can physically reach the router, he can power it off and restart it, carry out the "password recovery procedure", log in to the router, and then control it completely.
3. Protect the router password
In a backup of the router configuration file, even a password stored in encrypted form may still be recovered in plaintext. Once the password leaks, the network is no longer secure.
4. Stop exposing router diagnostic information
The commands to disable these services are: "no service tcp-small-servers" and "no service udp-small-servers".
5. Stop exposing the router's current user list
The command to disable this is: "no service finger".
6. Turn off the CDP service
CDP works at OSI layer 2 (the link layer) and lets a neighbor discover configuration information about the peer router, including important details such as the device platform, operating system version, port and IP address. You can disable the service with the command "no cdp run" or "no cdp enable".
7. Prevent the router from accepting packets marked with source routing, and discard traffic carrying source-routing options
"ip source-route" is a global configuration command that allows the router to process traffic marked with source-routing options. When source routing is enabled, the route specified in the source-routing information lets the traffic bypass the default route, so such a packet may also bypass the firewall. The command to disable it is: "no ip source-route".
8. Turn off the router's broadcast packet forwarding
Smurf DoS attacks use a router configured for broadcast forwarding as a reflector, consuming network resources and in serious cases paralyzing the network. "no ip directed-broadcast" should be applied to each interface to turn off forwarding of directed broadcasts.
9. Manage the HTTP service
The HTTP service provides a Web management interface; disable it with "no ip http server". SNMP access should be restricted with an access control list: "snmp-server community xxxxx RW xx", where xx is the access control list number. SNMP Version 2 uses the MD5 digest authentication method. Configuring a different digital signature password on each router device is an effective means of improving overall security.
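To check a saved running-config against the items in sections 4 to 9 above, here is an added audit script (not from the original article or any vendor tool). It assumes Cisco IOS-style configuration text, a constructed sample config, and reports each global service, each RW SNMP community and each interface's directed-broadcast setting as "weak", "ok" or "default" (no line present, so the IOS version's default applies and must be confirmed by hand).

```python
import re

# Constructed sample running-config (not from the article), mixing
# weak and hardened settings so the audit has something to report.
SAMPLE_CONFIG = """\
service tcp-small-servers
no service finger
ip source-route
ip http server
snmp-server community public RW
snmp-server community ops RO 10
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip directed-broadcast
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no ip directed-broadcast
"""

# Global services the article says to turn off: (name, enabling line, disabling line).
GLOBAL_CHECKS = [
    ("tcp-small-servers", "service tcp-small-servers", "no service tcp-small-servers"),
    ("udp-small-servers", "service udp-small-servers", "no service udp-small-servers"),
    ("finger", "service finger", "no service finger"),
    ("cdp", "cdp run", "no cdp run"),
    ("ip source-route", "ip source-route", "no ip source-route"),
    ("http server", "ip http server", "no ip http server"),
]

def audit_config(config):
    """Return {check: state} with state 'weak', 'ok' or 'default'."""
    lines = [l.rstrip() for l in config.splitlines()]
    global_lines = {l for l in lines if not l.startswith(" ")}
    result = {}
    for name, on, off in GLOBAL_CHECKS:
        result[name] = "weak" if on in global_lines else "ok" if off in global_lines else "default"
    # An RW community without a trailing ACL number is reachable from any address.
    for l in global_lines:
        m = re.match(r"snmp-server community (\S+) RW(?: (\d+))?$", l)
        if m:
            result["snmp RW " + m.group(1)] = "ok" if m.group(2) else "weak"
    # Directed broadcast is per interface; the article wants the 'no' form on every port.
    iface = None
    for l in lines:
        if l.startswith("interface "):
            iface = l.split()[1]
            result["directed-broadcast " + iface] = "default"
        elif not l.startswith(" "):
            iface = None  # left the interface block
        elif iface and l.strip() == "ip directed-broadcast":
            result["directed-broadcast " + iface] = "weak"
        elif iface and l.strip() == "no ip directed-broadcast":
            result["directed-broadcast " + iface] = "ok"
    return result

if __name__ == "__main__":
    for check, state in audit_config(SAMPLE_CONFIG).items():
        print(f"{state:8} {check}")
```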
In short, router security is an important part of network security, and it must be coordinated with other security measures to build a complete security program.