Border Router Security Settings Notes

2025-04-03 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

R1(config)# no cdp run # shut down CDP on the border router so that an outside user cannot map the internal network through CDP

R1(config)# no service tcp-small-servers # echo 7; chargen 19; daytime 13

R1(config)# no service udp-small-servers # shut down the low-port services so that an attacker cannot, for example, send traffic to the chargen port to consume CPU and cause a DoS

R1(config)# no ip finger # shut down finger so that an attacker cannot use it to find out who is logged in to the router

R1(config)# no ip identd # identd lets a remote device query TCP port 113 to identify the user behind a connection

R1(config)# no ip source-route # disable IP source routing so that an attacker cannot use source-routed packets to bypass the firewall

R1(config)# no ftp-server enable # disable the FTP server function so that no FTP server can be set up on the router

R1(config)# no ip bootp server # stop the router from answering BOOTP requests, so it cannot be used to boot hosts

R1(config)# no service pad # PAD (packet assembler/disassembler) is only needed for X.25 networks

R1(config)# no boot network # do not load a network configuration file over TFTP at startup

R1(config)# no service config # do not fetch configuration files from a network server at startup

R1(config-if)# no ip proxy-arp # interface-level command. One case in which proxy ARP should not be turned off: when the router terminates remote-access IPSec VPN connections, local devices reach the remote VPN client through the router, and the router must answer the ARP requests from the local devices on the client's behalf. In that case proxy ARP must stay enabled.

R1(config-if)# no ip directed-broadcast # interface-level command. A DoS attack uses directed broadcasts to flood a specific network or subnet

R1(config-if)# no ip unreachables # interface-level command. An attacker can use a DoS attack to make the router generate large numbers of ICMP unreachable messages

R1(config-if)# no ip redirects # interface-level command. An attacker may use ICMP redirects to make the router create a routing loop and paralyse the network

R1(config-if)# no ip mask-reply # interface-level command. An attacker can use ICMP mask requests to launch a directed-broadcast DoS attack against subnets

-

ACL parameter description:

precedence: filter on a specific IP precedence value, from 0 to 7. The field in the IP header is usually used to classify traffic for quality of service (QoS) and queuing.

dscp: filter on the Differentiated Services Code Point (DSCP) value in the IP header.

tos: filter on the type-of-service field in the IP header, which is used for QoS.

log: log matches to the console, the internal buffer or syslog, including the protocol (TCP, UDP or ICMP), the source and destination addresses and the source and destination port numbers.

log-input: the logged information additionally includes the input interface on which the packet was received and the layer-2 source address in the packet.

ACL example:

access-list 100 permit tcp any host 200.1.1.2 eq 25 # any host may send e-mail (SMTP) traffic to 200.1.1.2

access-list 100 permit tcp any eq 25 host 200.1.1.2 established # the internal e-mail server sends mail to an external server and receives the reply. established permits the return traffic of TCP sessions the user initiated, but it opens a loophole on the border router: it checks only the TCP flag bits of the packet (ACK, FIN, PSH, RST, SYN), so an attacker can forge packets with those bits set and have them accepted as returning data.

Use ip accounting access-violations under the interface to keep statistics on packets that fail the ACL.

-

Use PAM (port-to-application mapping) with ACLs to restrict which hosts CBAC inspects on non-standard ports

R1(config)# ip port-map http port 8080 list 1 # treat TCP 8080 as HTTP only for the hosts matched by access-list 1

R1(config)# access-list 1 permit 192.168.100.2

R1(config)# ip port-map http port 8090 list 2 # treat TCP 8090 as HTTP only for the hosts matched by access-list 2

R1(config)# access-list 2 permit 192.168.100.3

-

Use an ACL against TCP SYN floods

R1(config)# ip access-list extended tcp-syn-flood

R1(config-ext-nacl)# permit tcp any 200.1.1.0 0.0.0.255 established # return traffic of sessions opened from inside

R1(config-ext-nacl)# permit tcp any host 200.1.1.11 eq 25 # new SMTP connections to the mail server

R1(config-ext-nacl)# deny ip any any

R1(config)# interface g0/1

R1(config-if)# ip access-group tcp-syn-flood in

This ACL alone cannot stop a TCP SYN flood against the e-mail server, because port 25 has to stay open; it should be combined with CBAC inspection.
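Why the established keyword leaves the hole the ACL example warns about, shown as an added Python model that is not part of the original notes: it evaluates the tcp-syn-flood ACL the way IOS does (first match wins, implicit deny at the end) and shows that an ACK-flagged packet with no prior session passes the first entry, which is why the notes pair this ACL with CBAC stateful inspection. The Packet and Ace classes and the three sample packets are constructed for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Set

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: Set[str]     # TCP flag names present, e.g. {"SYN"} or {"ACK"}

@dataclass
class Ace:
    """One extended-ACL entry: permit|deny tcp any <dst> [eq port] [established]."""
    action: str
    dst_net: str                    # CIDR; "0.0.0.0/0" stands for 'any'
    dport: Optional[int] = None     # None = any destination port
    established: bool = False       # IOS 'established' = ACK or RST bit set

    def matches(self, p: Packet) -> bool:
        if ip_address(p.dst) not in ip_network(self.dst_net):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        # 'established' looks only at flag bits; it keeps no session state
        if self.established and not (p.flags & {"ACK", "RST"}):
            return False
        return True

# the tcp-syn-flood ACL from the notes, entry by entry
TCP_SYN_FLOOD = [
    Ace("permit", "200.1.1.0/24", established=True),
    Ace("permit", "200.1.1.11/32", dport=25),
    Ace("deny", "0.0.0.0/0"),
]

def evaluate(acl, p: Packet) -> str:
    """First matching entry wins, as IOS processes an ACL top to bottom."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"   # implicit deny when nothing matches

def demo():
    # constructed packets from one external source (198.51.100.7)
    smtp_syn = Packet("198.51.100.7", "200.1.1.11", 25, {"SYN"})   # permit: port 25 open
    http_syn = Packet("198.51.100.7", "200.1.1.20", 80, {"SYN"})   # deny
    stray_ack = Packet("198.51.100.7", "200.1.1.20", 80, {"ACK"})  # permit: the loophole
    verdicts = [evaluate(TCP_SYN_FLOOD, p) for p in (smtp_syn, http_syn, stray_ack)]
    return dict(zip(("syn_to_mail", "syn_to_other", "stray_ack"), verdicts))
```

CBAC closes the gap by opening the return path only for sessions it has seen initiated, instead of trusting flag bits.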

-

Use an ACL to block Smurf and Fraggle DoS attacks. Smurf uses ICMP echo; Fraggle uses UDP echo.

R1(config)# ip access-list extended Smurf-fraggle

R1(config-ext-nacl)# deny icmp any any echo

R1(config-ext-nacl)# deny icmp any any echo-reply

R1(config-ext-nacl)# deny udp any any eq echo # UDP echo requests (port 7)

R1(config-ext-nacl)# deny udp any eq echo any # replies from the UDP echo port back toward the spoofed source

R1(config-ext-nacl)# permit ip any any # allow everything else; a closing deny ip any any here would block all other traffic on the interface

R1(config)# interface g0/1

R1(config-if)# ip access-group Smurf-fraggle in

R1(config-if)# ip access-group Smurf-fraggle out

-

Filter ICMP, traceroute, RPC and SQL

R1(config)# ip access-list extended ICMP-IN-OUT

R1(config-ext-nacl)# deny icmp any any echo

R1(config-ext-nacl)# deny icmp any any redirect

R1(config-ext-nacl)# deny icmp any any mask-request

R1(config-ext-nacl)# permit icmp any host 200.1.1.5 echo-reply # only this host may receive ping replies

R1(config-ext-nacl)# deny icmp any any echo-reply

R1(config-ext-nacl)# permit icmp any 200.1.1.0 0.0.0.255

R1(config-ext-nacl)# deny udp any any range 32400 34400 # filter traceroute

R1(config-ext-nacl)# deny tcp any any eq 514 # filter RPC

R1(config-ext-nacl)# deny udp any any eq 1434 # filter SQL

R1(config-ext-nacl)# deny tcp any any eq 1433 # filter SQL

R1(config-ext-nacl)# deny tcp any any eq 445 # filter SMB

R1(config-ext-nacl)# permit ip any any # allow everything else; a closing deny ip any any here would block all other traffic on the interface

R1(config)# interface g0/1

R1(config-if)# ip access-group ICMP-IN-OUT in

R1(config-if)# ip access-group ICMP-IN-OUT out

-

Filter Trinoo

R1(config)# ip access-list extended trinoo

R1(config-ext-nacl)# deny tcp any any eq 1524

R1(config-ext-nacl)# deny udp any any eq 1524

R1(config-ext-nacl)# deny tcp any any eq 27665

R1(config-ext-nacl)# deny tcp any any eq 31335

R1(config-ext-nacl)# permit ip any any # allow everything else; a closing deny ip any any here would block all other traffic on the interface

R1(config)# interface g0/1

R1(config-if)# ip access-group trinoo in

R1(config-if)# ip access-group trinoo out

-

Filter DCOM connections. Attackers exploit defects in Microsoft's RPC code; Microsoft found a vulnerability in the Distributed Component Object Model (DCOM). The ports used by DCOM are 135, 139 and 445.

R1(config)# ip access-list extended Deny_RPC

R1(config-ext-nacl)# deny tcp any any eq 135

R1(config-ext-nacl)# deny udp any any eq 135

R1(config-ext-nacl)# deny tcp any any eq 139

R1(config-ext-nacl)# deny udp any any eq 139

R1(config-ext-nacl)# deny tcp any any eq 445

R1(config-ext-nacl)# deny udp any any eq 445

R1(config-ext-nacl)# deny udp any any eq 593

R1(config-ext-nacl)# deny udp any any eq 4444

R1(config-ext-nacl)# permit ip any any

R1(config)# interface g0/1

R1(config-if)# ip access-group Deny_RPC in

-

Use CBAC to block DoS attacks

R1(config)# ip inspect tcp synwait-time 20 # drop a TCP session whose handshake is not completed within 20 seconds

R1(config)# ip inspect tcp idle-time 60 # drop a TCP session idle for 60 seconds

R1(config)# ip inspect udp idle-time 20 # drop a UDP session idle for 20 seconds

R1(config)# ip inspect max-incomplete high 400 # above 400 half-open sessions, start deleting the oldest ones

R1(config)# ip inspect max-incomplete low 300 # stop deleting once the count falls below 300

R1(config)# ip inspect one-minute high 600 # above 600 new connection attempts per minute, start deleting half-open sessions

R1(config)# ip inspect one-minute low 500 # stop deleting once the rate falls below 500 per minute

R1(config)# ip inspect tcp max-incomplete host 300 block-time 0 # above 300 half-open sessions to one host, delete the oldest one per new request instead of blocking the host

Set up a simple audit configuration for CBAC

R1(config)# ip access-list extended extended_acl

R1(config-ext-nacl)# deny tcp any any log

R1(config-ext-nacl)# deny udp any any log

R1(config-ext-nacl)# deny icmp any any log

R1(config-ext-nacl)# permit ip any any

R1(config)# ip inspect name cbac-example tcp

R1(config)# ip inspect name cbac-example udp

R1(config)# ip inspect name cbac-example icmp

R1(config)# interface g0/1

R1(config-if)# ip access-group extended_acl out # the direction is missing in the source; out is assumed here so that the ACL sits opposite the inspection and CBAC can open the return path through it

R1(config-if)# ip inspect cbac-example in

-

Use TCP Intercept to protect servers inside the network.

R1(config)# access-list 100 permit tcp any host 192.168.1.1 eq 80

R1(config)# access-list 100 permit tcp any host 192.168.1.2 eq 25

R1(config)# ip tcp intercept list 100 # only connections matched by access-list 100 are intercepted

R1(config)# ip tcp intercept mode watch # watch mode: let the handshake through and reset it if it does not complete in time

R1(config)# ip tcp intercept watch-timeout 20

R1(config)# ip tcp intercept connection-time 120

R1(config)# ip tcp intercept max-incomplete high 600

R1(config)# ip tcp intercept max-incomplete low 500

R1(config)# ip tcp intercept one-minute high 800

R1(config)# ip tcp intercept one-minute low 600
