
14 Ways to Protect the Router

The router is the main piece of equipment in a network system and the frontier pass of network security. Here are some specific measures to strengthen router security, so that the router itself resists attack and network information is not stolen.

1 Add authentication to inter-router protocol exchanges to improve network security

An important function of the router is routing management and maintenance. Networks of a certain scale now maintain their routes with dynamic routing protocols; the commonly used ones are RIP, EIGRP, OSPF, IS-IS, BGP, etc. When a router configured with the same protocol and the same area identifier joins the network, it learns the routing table information of that network. But this can leak network topology information, and the new router may also send its own routing table to the network, disrupting normal operation and, in serious cases, paralysing the entire network. The solution is to authenticate the routing information exchanged between the routers in the network. When authentication is configured on a router, it authenticates the senders and receivers of routing information. There are two authentication methods; "plain text" has low security, so "MD5" is recommended.

2 Physical security for the router

The router's console port is a privileged port. If an attacker has physical access to the router, he can power it off and restart it, carry out the "password recovery procedure", then log in and take complete control of the router.

3 Protect the router password

In backed-up router configuration files, even if the password is stored in encrypted form, the plaintext password may still be cracked. Once the password leaks, the network has no security at all.

4 Stop diagnostic information from being viewed on the router

The commands to turn it off are as follows:

    no service tcp-small-servers
    no service udp-small-servers

5 Stop the current user list from being viewed on the router

The command to turn it off:

    no service finger

6 Close the CDP service

CDP runs at OSI layer two (the link layer) and can reveal some configuration information about the router at the other end: equipment platform, operating system version, ports, IP addresses and other important information. Turn this service off with one of these commands:

    no cdp run       (global)
    no cdp enable    (on an interface)

7 Prevent the router from accepting packets marked with source routing; drop data flows that carry the source-route option

"ip source-route" is a global configuration command that allows the router to process data streams labelled with the source-route option. With the source-routing option enabled, the route specified in the source routing information lets the data flow override the default routing, so such packets may bypass the firewall. The command to turn it off is as follows:

    no ip source-route

8 Disable broadcast packet forwarding on the router

A Smurf DoS attack uses a router configured to forward broadcasts as a reflector, consuming network resources and even paralysing the network. Turn this off on each port of the router:

    no ip directed-broadcast

9 Manage the HTTP service

The HTTP service provides a Web management interface. Use "no ip http server" to stop the HTTP service. If you must use HTTP, be sure to use the access-list command "ip http access-class" to strictly filter the IP addresses that are allowed, and at the same time set authorization restrictions with the "ip http authentication" command.
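The checks in sections 4 to 9 can be run against a saved configuration. The script below is an added example, not part of the original article: the sample config, the function names and the finding strings are constructed for illustration. It assumes the hardening commands appear literally in the saved config; some IOS releases omit default-off commands from the output, so a "missing" finding means "verify on the device", not "vulnerable".

```python
# Added example: audit an IOS-style config for the commands in sections 4-9.
GLOBAL_HARDENING = [  # sections 4-7, as they appear in a saved config
    "no service tcp-small-servers", "no service udp-small-servers",
    "no service finger", "no cdp run", "no ip source-route",
]

def parse(config):
    """Return (global commands, {interface name: [sub-commands]})."""
    global_cmds, ifaces, current = [], {}, None
    for raw in config.lower().splitlines():
        line = raw.strip()
        if line in ("", "!"):
            continue
        if not raw[0].isspace():              # unindented: global scope
            current = None
            if line.startswith("interface "):
                current = ifaces.setdefault(line.split(None, 1)[1], [])
            else:
                global_cmds.append(line)
        elif current is not None:             # indented: interface scope
            current.append(line)
    return global_cmds, ifaces

def audit(config):
    """Return sorted findings; an empty list means every check passed."""
    cmds, ifaces = parse(config)
    findings = [f"missing: {c}" for c in GLOBAL_HARDENING if c not in cmds]
    for name, sub in ifaces.items():          # section 8, per interface
        if "no ip directed-broadcast" not in sub:
            findings.append(f"{name}: missing no ip directed-broadcast")
    if "no ip http server" not in cmds:       # section 9: off, or restricted
        for needed in ("ip http access-class", "ip http authentication"):
            if not any(c.startswith(needed + " ") for c in cmds):
                findings.append(f"http enabled without {needed}")
    return sorted(findings)

SAMPLE = """\
no service tcp-small-servers
no service finger
ip http server
ip http access-class 10
interface Ethernet0
 no ip directed-broadcast
interface Serial0
 ip address 198.51.100.1 255.255.255.252
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```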

10 Defend against spoofing (cheating) attacks

Use access control lists to filter out all packets whose destination is a network broadcast address, and all packets that claim to come from the internal network but actually arrive from outside. Configuration on the router port:

    ip access-group number in

The access control list is as follows:

    access-list number deny icmp any any redirect
    access-list number deny ip 127.0.0.0 0.255.255.255 any
    access-list number deny ip 224.0.0.0 31.255.255.255 any
    access-list number deny ip host 0.0.0.0 any

Note: these four commands will also filter the data in BOOTP/DHCP application packets, so make sure you understand this before using them in such environments.
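The wildcard masks in the list above are the inverse of a netmask: a 1 bit means "ignore this bit". The following added example (not from the original article) evaluates the three source-address entries of section 10 against constructed source addresses; the function names and the internal prefix 192.0.2.0/24 are assumptions for illustration, and the ICMP redirect entry is left out because it does not match on address.

```python
import ipaddress

# (base, wildcard) pairs taken from the access list in section 10.
SPOOF_DENY = [
    ("127.0.0.0", "0.255.255.255"),
    ("224.0.0.0", "31.255.255.255"),
    ("0.0.0.0", "0.0.0.0"),            # written "host 0.0.0.0" in the ACL
]

def wildcard_match(addr, base, wildcard):
    """True if addr equals base on every bit the wildcard mask does not ignore."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def inbound_action(src, internal_nets):
    """Decide what the inbound ACL on the outside port does with source src."""
    for base, wc in SPOOF_DENY:
        if wildcard_match(src, base, wc):
            return f"deny (matches {base} {wc})"
    # Packets that claim an internal source but arrive from outside.
    ip = ipaddress.ip_address(src)
    for net in internal_nets:          # assumed internal prefixes
        if ip in ipaddress.ip_network(net):
            return f"deny (claims internal source {net})"
    return "permit"

if __name__ == "__main__":
    # Constructed source addresses, checked against an assumed internal net.
    for src in ("127.0.0.1", "239.1.2.3", "0.0.0.0", "192.0.2.55", "203.0.113.9"):
        print(src, "->", inbound_action(src, ["192.0.2.0/24"]))
```

The second entry covers 224.0.0.0 through 255.255.255.255, so it removes multicast, reserved and limited-broadcast sources in one line.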

11 Avoid packet sniffers

Hackers often install sniffing software on a computer in the network that they have already compromised, monitor the network data flow and steal passwords, including SNMP community strings and router login and privileged passwords, which makes it difficult for network administrators to ensure the security of the network. Don't log in to the router with unencrypted protocols over an untrusted network. If the router supports encrypted protocols, use SSH or Kerberized Telnet, or use IPSec to encrypt all of the router's management traffic.

12 Check the validity of the data flow path

Use RPF (reverse path forwarding): because the attacker's address is illegitimate, the attack packets are discarded, which defends against spoofing attacks. The RPF configuration command:

    ip verify unicast reverse-path

Note: the router must first support CEF (Cisco Express Forwarding) fast forwarding.

13 Prevent SYN attacks

At present, some router software platforms can turn on the TCP intercept function to prevent SYN attacks. It has two working modes, intercept and watch (monitor); the default is intercept mode.

Intercept mode: the router responds to an arriving SYN request, sends a SYN-ACK message in place of the server, and then waits for the client's ACK. If it receives the ACK, it then sends the SYN message to the server.

Watch mode: the router allows the SYN request to go directly to the server; if the session is not established within 30 seconds, the router sends an RST to clear the connection.

First, configure an access list that specifies the IP addresses that need to be protected:

    access-list [1-199] [deny|permit] tcp any destination destination-wildcard

Then turn on TCP intercept and set the mode:

    ip tcp intercept list access-list-number
    ip tcp intercept mode watch

14 Use SNMP management with care

SNMP is widely used for monitoring and configuring routers. SNMP Version 1 has low security when management traffic crosses a public network and is not suitable for that use. Using an access list so that SNMP access is allowed only from particular workstations improves the security of the SNMP service. Configuration command:

    snmp-server community xxxxx RW xx

where xx is the access control list number. SNMP Version 2 uses MD5 digital identity authentication. Configuring different digital signature codes on different routers and devices is an effective means of improving overall security.

In short, router security is an important part of network security, but it must also be combined with other security precautions in order to build up the security of the whole project.
