2025-03-26 Update From: SLTechnology News&Howtos shulou
Shulou (Shulou.com) 06/01 Report
In the course of enterprise network construction, business projects multiply, the network expands and the number of networking devices keeps growing. What I want to share today is a good operation and maintenance habit which, as devices are added, improves the security of the enterprise's internal network.
Most weaknesses in network devices and security devices come from how the operator configured them. A qualified network security operator should therefore have a set of security baselines for their own network environment. To bring part of the intranet security work under effective control, I share below my method of establishing a security baseline in security operations and maintenance:
1. Cisco router configuration check table

The original table has seven columns: No., Check category, Check item, Key points of inspection, Check object, Inspection method and Judgment condition. Each row is reproduced below as one numbered entry.

No. 1
Check category: Device access control
Check item: User authentication mode
Key points: Enable local or AAA authentication; check the login authentication method (local account and password, authentication server, etc.).
Check object: Core domain
Inspection method: Use show running-config to view the related information.
Judgment condition:
  Compliant: the configuration file contains
    [hostname]# show running-config
    ...
    aaa authentication login $(AAA_LIST_NAME) local
    aaa authentication enable default enable
  or
    username $(LOCAL_USERNAME) privilege (ID) password ...
  or equivalent configuration information.
  Non-compliant: no relevant information.

No. 2
Check category: Device access control
Check item: Define session timeout
Key points: Configure sessions to log out automatically after being idle for a set period (a timeout of 5 minutes is recommended).
Check object: Core domain
Inspection method: Reference configuration:
    user-interface vty 0 4
     idle-timeout 5 0
    user-interface con 0
     idle-timeout 5 0
Judgment condition:
  Compliant: the configuration contains the reference configuration above, or equivalent configuration information.
  Non-compliant: no automatic logout is configured.

No. 3
Check category: Device access control
Check item: Remote management access to devices
Key points: Enable SSH and disable Telnet where appropriate; the login source address for remote management (VTY) must be restricted by an ACL or limited to a fixed management IP. For devices that cannot support this, state the brand, model and software version.
Check object: Core domain
Inspection method: Use show running-config or related commands to view the relevant information.
Judgment condition:
  Compliant: the configuration applies ACL control to VTY access:
    [hostname] display current-configuration
    ...
    user-interface vty 0 4
     acl XXXX inbound
  or equivalent configuration information.
  Non-compliant: no relevant information.

No. 4
Check category: Account management
Check item: Check unused accounts and permission assignment
Key points:
  1. Accounts unrelated to device operation and maintenance should be deleted or locked.
  2. Management and maintenance personnel at different levels should be assigned different accounts, to avoid shared use of accounts.
Check object: Core domain
Inspection method: Check the configuration file:
    [hostname]# show running-config
    username $(LOCAL_USERNAME) privilege (ID) password LOCAL_PASSWORD
  or related commands to view the relevant information.
Judgment condition:
  Compliant: spot-check 3 network devices from the asset list, log in to the 4A system and to the devices to compare accounts, and analyse whether unused accounts exist (secondary accounts not assigned to any natural person); or equivalent configuration information.
  Non-compliant: no relevant information.

No. 5
Check category: Password management
Check item: Passwords are encrypted and changed regularly
Key points: Enable the password encryption service and change passwords regularly.
Check object: Core domain
Inspection method: Check whether the configuration file adopts appropriate protection for authentication information:
    [hostname]# show running-config
    service password-encryption
  with passwords shown only in encrypted form (e.g. Epassword + WumoGDbE75GFYyp+R47Mg==), or related commands to view the relevant information.
Judgment condition:
  Compliant: the configuration file adopts the appropriate protection for authentication information:
    [hostname]# show running-config
    service password-encryption
  Non-compliant: no relevant information.

No. 6
Check category: Log management
Check item: Log service
Key points: Specify a log server.
Check object: Core domain
Inspection method: Check for logging on (enabled) and logging [ip address] in the configuration file, or related commands to view the relevant information.
Judgment condition:
  Compliant: logging on (enabled) and logging [ip address] appear in the configuration file, or equivalent configuration information.
  Non-compliant: no relevant information.

No. 7
Check category: Log management
Check item: System setting for log timestamps
Key points: Log entries should carry a timestamp.
Check object: Core domain
Inspection method: Check the logging timestamp entry in the configuration file:
    [hostname]# show running-config
    logging timestamp
  or related commands to view the relevant information.
Judgment condition:
  Compliant: the logging timestamp entry is present in the configuration file, or equivalent configuration information.
  Non-compliant: no timestamp.

No. 8
Check category: Log management
Check item: System configuration of log level
Key points: Log levels should be defined.
Check object: Core domain
Inspection method: Check the logging facility [20] entry in the configuration file, or related commands to view the relevant information.
Judgment condition:
  Compliant: logging facility [20] is present in the configuration file, or equivalent configuration information.
  Non-compliant: no relevant configuration.

No. 9
Check category: Service management
Check item: Modify the SNMP read-only or read-write community string
Key points: The SNMP rule matches snmp-server community * RO.
Check object: Core domain
Inspection method: Check the configuration file:
    [hostname]# show running-config
    snmp-server community * RO/RW
  or related commands to view the relevant information.
Judgment condition:
  Compliant: snmp-server community * RO/RW is present in the configuration file, or equivalent configuration information.
  Non-compliant: no relevant information.

No. 10
Check category: Service management
Check item: NTP service or local time management
Key points: Specify an NTP server, or verify the local time.
Check object: Core domain
Inspection method: Check the configuration file:
    [hostname]# show running-config
    ntp server *.*
    [hostname]# show clock
  and check whether the clock agrees with the current time, or related commands to view the relevant information.
Judgment condition:
  Compliant: ntp server *.* is present and show clock agrees with the current time, or equivalent configuration information.
  Non-compliant: no relevant information.

No. 11
Check category: Service management
Check item: HTTP service
Key points: The HTTP service is shut down.
Check object: Core domain
Inspection method: The configuration file must not contain:
    [hostname]# show running-config
    ip http server
  or use related commands to view the relevant information.
Judgment condition:
  Compliant: the configuration file contains the line no ip http server, or equivalent configuration information.
  Non-compliant: the HTTP service is turned on.

No. 12
Check category: Service management
Check item: FTP and TFTP services
Key points: The FTP and TFTP services are turned off.
Check object: Core domain
Inspection method: The configuration file must not contain:
    [hostname]# show running-config
    ip ftp-server
    ip tftp-server
  or use related commands to view the relevant information.
Judgment condition:
  Compliant: the configuration file does not include ip ftp-server enable or ip tftp-server, or equivalent configuration information.
  Non-compliant: ip ftp-server enable or ip tftp-server is present in the configuration file.

No. 13
Check category: Service management
Check item: DNS service
Key points: Disable the DNS resolution service.
Check object: Core domain
Inspection method: The configuration file must not contain:
    [hostname]# show running-config
    ip domain-lookup
  or use related commands to view the relevant information.
Judgment condition:
  Compliant: the configuration file contains
    [hostname]# show running-config
    no ip domain-lookup
  or equivalent configuration information.
  Non-compliant: the DNS resolution service is enabled.

No. 14
Check category: Service management
Check item: Small TCP and UDP services
Key points: Disable the small TCP and UDP services; give a reason for devices that cannot comply.
Check object: Core domain
Inspection method: The configuration file must not contain:
    [hostname]# show running-config
    service tcp-small-servers
    service udp-small-servers
  or use related commands to view the relevant information.
Judgment condition:
  Compliant: the configuration file contains
    [hostname]# show running-config
    no service tcp-small-servers
    no service udp-small-servers
  or equivalent configuration information.
  Non-compliant: the small TCP and UDP services are enabled.

No. 15
Check category: Service management
Check item: Finger service
Key points: Disable the finger service; give a reason for devices that cannot comply.
Check object: Core domain
Inspection method: The configuration file must not contain:
    [hostname]# show running-config
    finger
  or use related commands to view the relevant information.
Judgment condition:
  Compliant: the configuration file contains
    [hostname]# show running-config
    no finger
  or equivalent configuration information.
  Non-compliant: finger is enabled.

No. 16
Check category: Service management
Check item: Bootp service
Key points: Disable the bootp service; give a reason for devices that cannot comply.
Check object: Core domain
Inspection method: The configuration file must not contain:
    [hostname]# show running-config
    ip bootp server
  or use related commands to view the relevant information.
Judgment condition:
  Compliant: the configuration file contains
    [hostname]# show running-config
    no ip bootp server
  or equivalent configuration information.
  Non-compliant: the bootp service is enabled.

No. 17
Check category: Service management
Check item: Turn off IP source routing
Key points: IP source routing should be turned off; give a reason for devices that cannot comply.
Check object: Core domain
Inspection method: The configuration file must not contain:
    [hostname]# show running-config
    ip source-route
  or use related commands to view the relevant information.
Judgment condition:
  Compliant: the configuration file contains
    [hostname]# show running-config
    no ip source-route
  or equivalent configuration information.
  Non-compliant: IP source routing is enabled.

No. 18
Check category: Service management
Check item: Disable proxy ARP
Key points: Proxy ARP is disabled; give a reason for devices that cannot comply.
Check object: Core domain
Inspection method: The configuration file must not contain:
    [hostname]# show running-config
    ip arp-proxy
  or use related commands to view the relevant information.
Judgment condition:
  Compliant: the no arp-proxy entry is present in the configuration file:
    [hostname]# show running-config
    no ip arp-proxy
  Non-compliant: proxy ARP is enabled.

No. 19
Check category: Service management
Check item: Turn off IP directed broadcast
Key points: IP directed broadcast should be shut down; give a reason for devices that cannot comply.
Check object: Core domain
Inspection method: The configuration file must not contain:
    [hostname]# show running-config
    ip directed-broadcast
  or use related commands to view the relevant information.
Judgment condition:
  Compliant: the IP directed broadcast entry in the configuration file reads
    [hostname]# show running-config
    no ip directed-broadcast
  or equivalent configuration information.
  Non-compliant: IP directed broadcast is enabled.

No. 20
Check category: Port management
Check item: Shut down unused network interfaces
Key points: Explicitly shut down unused network interfaces, such as the router's AUX port and other network interfaces, but not special interfaces such as management ports.
Check object: Core domain
Inspection method: Use show running-config or related commands to view the relevant information.
Judgment condition:
  Compliant: use the show running-config command, as in the following example:
    Router#show running-config
    Building configuration...
    Current configuration:
    !
    ...
    line aux 0
     no exec
     transport input none
     exit
  or equivalent configuration information.
  Non-compliant: unused interfaces are not shut down.
These are the main aspects I use as the basic device security baseline. If you need more detailed baselines for multiple vendors, leave a message with your contact details and I can share the relevant material with you. Readers with some development ability are encouraged to build a signature library organised by the main categories and check the internal infrastructure configurations in batches against the judgment conditions. Security operations and maintenance is not only about maintaining the security policy on security devices and network devices; the security policy only prevents unauthorised access at the network layer. Resolving the security risks caused by configuration errors is also an essential way to improve the robustness of the basic network.
Thank you. I will share more of my work experience with you when I have time. I also hope that, after reading this, if you don't mind following the account, the updated articles will be pushed to you.