1. adds authentication function for protocol exchange between routers, and improves network security.
An important function of a router is to manage and maintain routes. At present, networks with a certain scale all adopt dynamic routing protocols, such as RIP, EIGRP, OSPF, IS-IS, BGP and so on. When a router with the same routing protocol and the same area identifier joins the network, it will learn the routing information table on the network. However, this method may lead to the disclosure of network topology information, or interfere with the normal routing information table on the network by sending its own routing information table to the network, which may lead to the paralysis of the whole network in serious cases. The solution to this problem is to authenticate the routing information exchanged between routers in the network. When the router is configured with an authentication method, it will identify the sender and receiver of routing information.
2. Physical security of the router.
The control port of the router is a port with special rights. If the attacker physically touches the router, power off and restarts, implements the "password recovery process", and then logs in to the router, he can completely control the router.
3. Protect the router password.
In the backup router configuration file, even if the password is stored in encrypted form, the clear text of the password may still be cracked. Once the password is leaked, the network will be unsafe.
4. Prevent viewing router diagnostic information.
The shutdown command is as follows: no service TCP-small-servers no service UDP-small-servers.
5. Prevent viewing the current user list of the router.
The close command is: No service finger.
6. Turn off CDP service.
On the basis of the second layer protocol of OSI, that is, the link layer, we can find some configuration information of the opposite router, such as device platform, operating system version, port, IP address and other important information. You can shut down this service with the following command: no cdp running or no cdp enable.
7. Prevent the router from receiving packets marked with active routing and discard data streams with source routing options.
"IP source-route" is a global configuration command, which allows the router to process data streams marked with active routing options. When the source routing option is enabled, the route specified by the source routing information enables data flow to bypass the default route, and such packets can bypass the firewall. The shutdown command is as follows: No ip source route.
8. Turn off the forwarding of router broadcast packets.
Sumrf D.o.S attacks use routers with broadcast forwarding configuration as reflectors, which occupy network resources and even cause network paralysis. "No ip Directed Broadcasting" should be applied on each port to turn off router broadcast packets.
-Paged columns.
9. Manage HTTP services.
HTTP service provides Web management interface. "There is no intellectual property community xxxxxxxx RXXXX is the access control list number SNMP version 2 using the MD5 digital authentication method. It is an effective means to improve the overall security performance that different router devices are configured with different digital signature passwords.
Summary:
As the key equipment of the whole network, the security of router needs our special attention. Of course, it is not enough to protect our network only by the above setting methods. We also need to cooperate with other equipment to take security precautions and build our network into a safe and stable information exchange platform.