Router Security Configuration Cheat Sheet (Part 1)

Author: 100test, posted 2007-03-14 13:15:05
Source: 100Test.Com (百考试题网)


Specific Recommendations: Router Access

1. Shut down unneeded servers on the router. Servers that are not running cannot break. Also, more memory and processor slots are available. Start by running the show proc command on the router, then turn off clearly unneeded facilities and services. Some servers that should almost always be turned off, and the corresponding commands to disable them, are listed below.

   Small services (echo, discard, chargen, etc.) - no service tcp-small-servers
                                                   no service udp-small-servers
   BOOTP - no ip bootp server
   Finger - no service finger
   HTTP - no ip http server
   SNMP - no snmp-server

2. Shut down unneeded services on the router. These services allow certain packets to pass through the router, or send special packets, or are used for remote router configuration. Some services that should almost always be turned off, and the corresponding commands to disable them, are listed below.

   CDP - no cdp run
   Remote config. - no service config
   Source routing - no ip source-route

3. The interfaces on the router can be made more secure by using certain commands in the Configure Interface mode. These commands should be applied to every interface.

   Unused interfaces - shutdown
   No Smurf attacks - no ip directed-broadcast
   Mask replies - no ip mask-reply
   Ad-hoc routing - no ip proxy-arp

4. The console line, the auxiliary line and the virtual terminal lines on the router can be made more secure in the Configure Line mode. The console line and the virtual terminal lines should be secured as shown below. The Aux line should be disabled, as shown below, if it is not being used.

   Console Line - line con 0
                   exec-timeout 5 0
                   login
   Auxiliary Line - line aux 0
                     no exec
                     exec-timeout 0 10
                     transport input none
   VTY lines - line vty 0 4
                exec-timeout 5 0
                login
                transport input telnet ssh

5. Passwords can be configured more securely as well. Configure the Enable Secret password, which is protected with an MD5-based algorithm. Also, configure passwords for the console line, the auxiliary line and the virtual terminal lines. Provide basic protection for the user and line passwords using the service password-encryption command. See examples below.

   Enable secret - enable secret 0 2manyRt3s
   Console Line - line con 0
                   password Soda-4-jimmY
   Auxiliary Line - line aux 0
                     password Popcorn-4-sara
   VTY Lines - line vty 0 4
                password Dots-4-georg3
   Basic protection - service password-encryption

6. Consider adopting SSH, if your router supports it, for all remote administration.

7. Protect your router configuration file from unauthorized disclosure.
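The items above are easy to verify by hand on one router and easy to miss on fifty. As an added example that is not part of the original cheat sheet, the Python script below reads saved Cisco IOS configuration text and reports every setting from items 1 to 5 that is missing or weak: the global "no ..." commands, the three per-interface commands on every interface that is not shut down, and the login, password, exec-timeout and transport settings of the con, aux and vty lines. The function and constant names are this example's own, and the sample configuration at the bottom is constructed (the secret and password values are placeholders, not real hashes).

```python
"""Audit a Cisco IOS configuration against the checklist above (items 1 to 5).
Added example, not from the original article: it parses the indented text of
`show running-config` and lists missing or weak settings. All names are this
example's own; the sample configuration at the bottom is constructed."""

# Global commands the checklist expects (items 1, 2 and 5).
REQUIRED_GLOBAL = [
    "no service tcp-small-servers", "no service udp-small-servers", "no ip bootp server",
    "no service finger", "no ip http server", "no cdp run", "no service config",
    "no ip source-route", "service password-encryption",
]
REQUIRED_INTERFACE = ["no ip directed-broadcast", "no ip mask-reply", "no ip proxy-arp"]  # item 3


def parse_ios(config: str) -> tuple[list[str], dict[str, list[str]]]:
    """Return (global commands, {stanza header: its indented sub-commands}).
    A non-indented line is a global command and opens a stanza; '!' closes it."""
    global_cmds, stanzas, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
        elif raw[0].isspace():
            if current is not None:
                stanzas[current].append(raw.strip())
        else:
            current = raw.rstrip()
            global_cmds.append(current)
            stanzas[current] = []
    return global_cmds, stanzas


def audit_line(header: str, body: list[str]) -> list[str]:
    """Check a 'line con/aux/vty' stanza (item 4 plus the line password of item 5)."""
    if header.startswith("line aux") and "no exec" in body and "transport input none" in body:
        return []  # AUX port disabled as recommended
    findings = []
    if not any(c == "login" or c.startswith("login ") for c in body):
        findings.append(f"{header}: missing 'login'")
    if not any(c.startswith("password ") for c in body):
        findings.append(f"{header}: no line password set")
    timeout = next((c for c in body if c.startswith("exec-timeout")), None)
    # 'exec-timeout 0 0' (or 'exec-timeout 0') turns the idle timeout off entirely.
    if timeout is None or not any(int(n) for n in timeout.split()[1:3]):
        findings.append(f"{header}: idle timeout missing or disabled ({timeout})")
    if header.startswith("line vty"):
        transport = next((c for c in body if c.startswith("transport input")), None)
        allowed = set(transport.split()[2:]) if transport else set()
        if not allowed or allowed - {"telnet", "ssh", "none"}:
            findings.append(f"{header}: 'transport input' should allow only telnet and/or ssh")
    return findings


def audit(config: str) -> list[str]:
    """Return one human-readable finding per missing or weak setting."""
    global_cmds, stanzas = parse_ios(config)
    findings = [f"global: missing '{cmd}'" for cmd in REQUIRED_GLOBAL if cmd not in global_cmds]
    if any(c.startswith("snmp-server") for c in global_cmds):
        findings.append("global: SNMP agent configured (item 1: 'no snmp-server' unless needed)")
    if not any(c.startswith("enable secret") for c in global_cmds):
        findings.append("global: no 'enable secret' configured")
    for header, body in stanzas.items():
        # A shut-down interface is administratively down; the checklist asks nothing more of it.
        if header.startswith("interface ") and "shutdown" not in body:
            findings += [f"{header}: missing '{cmd}'" for cmd in REQUIRED_INTERFACE if cmd not in body]
        elif header.startswith("line "):
            findings.extend(audit_line(header, body))
    return findings


# Constructed sample: one hardened interface and one bare one; the VTY lines
# deliberately lack an idle timeout and accept every transport.
SAMPLE_CONFIG = """\
service password-encryption
no service tcp-small-servers
no service udp-small-servers
no ip bootp server
no service finger
no ip http server
no cdp run
no service config
no ip source-route
enable secret 5 $1$PLACEHOLDER$PLACEHOLDERHASH
interface FastEthernet0/0
 no ip directed-broadcast
 no ip mask-reply
 no ip proxy-arp
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
line con 0
 exec-timeout 5 0
 password 7 PLACEHOLDER
 login
line aux 0
 no exec
 transport input none
line vty 0 4
 exec-timeout 0 0
 password 7 PLACEHOLDER
 login
 transport input all
"""
```

Run audit() on the text of a saved configuration; for the sample it reports the three missing interface commands on FastEthernet0/1, the disabled idle timeout on the VTY lines, and the unrestricted transport input, and nothing for the hardened globals, the console line or the disabled AUX port. One caveat a practitioner should keep in mind: a plain show running-config omits settings that are at their default, so a missing "no ..." line may be a default rather than a misconfiguration. Feed the script the output of show running-config all, where the IOS release supports it, so that defaults appear explicitly, or treat each "missing" finding as something to confirm on the device.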
