| 路由器安全配置速查表(三) |
|
| |
|
|
Specific Recommendations: Logging & Debugging
1. Turn on the router’s logging capability, and use it to log errors and blocked packets to an internal (trusted) syslog host. Make sure that the router blocks syslog traffic from untrusted networks. See example commands below.
Central(config)# logging on
Central(config)# logging 14.2.9.1
Central(config)# logging buffered
Central(config)# logging console critical
Central(config)# logging trap informational
Central(config)# logging facility local1
|
2. Configure the router to include time information in the logging. Configure at least two different NTP servers to ensure availability of good time information. This will allow an administrator to trace network attacks more accurately. See example commands below.
East(config)# service timestamps log datetime localtime show-timezone msec
East(config)# clock timezone GMT 0
East(config)# ntp server 14.1.1.250
East(config)# ntp server 14.2.9.1 |
3. If your network requires SNMP, then configure an SNMP ACL and hard-to-guess SNMP community strings. The example commands below show how to remove the default community strings and set a better read-only community string, with an ACL.
East(config)# no snmp community public ro
East(config)# no snmp community private rw
East(config)# no access-list 51
East(config)# access-list 51 permit 14.2.9.1
East(config)# snmp community BTRl8+never ro 51 Router Security Checklist |
This security checklist is designed to help you review your router security configuration, and remind you of any security area you might have missed.
Router security policy written, approved, distributed.
Router IOS version checked and up to date.
Router configuration kept off-line, backed up, access to it limited.
Router configuration is well-documented, commented.
Router users and passwords configured and maintained.
Password encryption in use, enable secret in use.
Enable secret difficult to guess, knowledge of it strictly limited. (if not, change the enable secret immediately).
Access restrictions imposed on Console, Aux, VTYs.
Unneeded network servers and facilities disabled.
Necessary network services configured correctly (e.g. DNS)
Unused interfaces and VTYs shut down or disabled.
Risky interface services disabled.
Port and protocol needs of the network identified and checked.
Access lists limit traffic to identified ports and protocols.
Access lists block reserved and inappropriate addresses.
Static routes configured where necessary.
Routing protocols configured to use integrity mechanisms.
Logging enabled and log recipient hosts identified and configured.
Router’s time of day set accurately, maintained with NTP.
Logging set to include consistent time information.
Logs checked, reviewed, archived in accordance with local policy.
SNMP disabled or enabled with good community strings and ACLs. |
(责任编辑: 51CTO.com TEL:010-68476606)
 |
频道声明:本频道的文章除部分特别声明禁止转载的专稿外,可以自由转载.但请务必注明出出处和原始作者 文章版权归本频道与文章作者所有.对于被频道转载文章的个人和网站,我们表示深深的谢意。
| 原始作者:佚名 |
录入时间:2006-10-13 4:50:49 |
| 信息来源:不详 |
投稿信箱:itqoo@126.com |
|
|
 |
|
|
|
| 文章录入:admin 责任编辑:admin |
|
上一篇文章: 路由器安全配置速查表(二)
下一篇文章: 认识Cisco IOS的访问权限 |
| 【字体:小 大】【发表评论】【加入收藏】【告诉好友】【打印此文】【关闭窗口】 |
用户登录 
新用户注册 
网友评论:(只显示最新10条。评论内容只代表网友观点,与本站立场无关!) 