Disabling Unneeded Services (courseware)

Uploaded by: bin****86  Document ID: 55101124  Uploaded: 2018-09-24  Format: PPT  Pages: 31  Size: 1.93MB
Cisco Device Hardening: Disabling Unused Cisco Router Network Services and Interfaces

Vulnerable Router Services and Interfaces

Cisco IOS routers can be used as:
- Edge devices
- Firewalls
- Internal routers

Default services that create potential vulnerabilities include BOOTP, CDP, FTP, TFTP, NTP, finger, SNMP, the TCP/UDP minor (small) services, IP source routing, and proxy ARP. These vulnerabilities can be exploited regardless of where the router is placed in the network.

Vulnerable Router Services

- Disable unnecessary services and interfaces (BOOTP, CDP, FTP, TFTP, NTP, PAD, and the TCP/UDP minor services)
- Disable commonly configured management services (SNMP, HTTP, and DNS)
- Ensure path integrity (ICMP redirects and IP source routing)
- Disable probes and scans (finger, ICMP unreachables, and ICMP mask replies)
- Ensure terminal access security (ident and TCP keepalives)
- Disable gratuitous and proxy ARP
- Disable IP directed broadcast

Router Hardening Considerations

- Attackers can exploit unused router services and interfaces.
- Administrators do not need to know how to exploit the services, but they do need to know how to disable them.
- Disabling the services one by one is tedious, so an automated method is needed to speed up the hardening process.

Locking Down Routers with AutoSecure

What is AutoSecure?

AutoSecure helps secure Cisco IOS networks by performing these router functions:
- Disables insecure global services
- Enables security-based global services
- Disables insecure interface services
- Enables appropriate security logging
- Secures router administrative access
- Secures the router management plane
- Secures the router forwarding plane

AutoSecure Operation Modes

AutoSecure can be deployed in one of two modes of operation:
- Interactive mode: prompts the user with options to enable and disable services and other security-related features
- Noninteractive mode: executes the auto secure command automatically, using the recommended default settings

AutoSecure Functions

AutoSecure can selectively lock down:
- Management plane services and functions: finger, PAD, UDP and TCP small servers, password encryption, TCP keepalives, CDP, BOOTP, HTTP, source routing, gratuitous ARP, proxy ARP, ICMP (redirects, mask replies), directed broadcast, MOP, and the login banner. It also provides password security and SSH access.
- Forwarding plane services and functions: CEF and traffic filtering with ACLs
- Firewall services and functions: Cisco IOS Firewall inspection for common protocols
- Login functions: password security
- NTP protocol
- SSH access
- TCP Intercept services

AutoSecure Failure Scenarios

If AutoSecure fails to complete its operation, your running configuration may be corrupt.
- In 12.3(8)T and later releases, a pre-AutoSecure configuration snapshot is stored in flash under the filename pre_autosec.cfg, and a rollback reverts the router to its pre-AutoSecure configuration:
    configure replace flash:pre_autosec.cfg
- Prior to 12.3(8)T, save the running configuration before running AutoSecure.
Because noninteractive mode applies its defaults without prompting, review the resulting configuration before relying on it, and keep the snapshot until you have.

AutoSecure Process Overview

    router# auto secure [management | forwarding] [no-interact | full] [ntp | login | ssh | firewall | tcp-intercept]

Launches AutoSecure. The main steps with the interactive full option are:
1. Identify outside interfaces.
2. Secure the management plane.
3. Create the security banner.
4. Configure passwords, AAA, and SSH.
5. Secure the interface settings.
6. Secure the forwarding plane.

Start and Interface Selection

    Router#auto secure
                    --- AutoSecure Configuration ---
    *** AutoSecure configuration enhances the security of
    the router but it will not make router absolutely secure
    from all security attacks ***

    All the configuration done as part of AutoSecure will be
    shown here. For more details of why and how this
    configuration is useful, and any possible side effects,
    please refer to Cisco documentation of AutoSecure.
    At any prompt you may enter '?' for help.
    Use ctrl-c to abort this session at any prompt.

    Gathering information about the router for AutoSecure

    Is this router connected to internet? [no]: y
    Enter the number of interfaces facing internet [1]: 1

    Interface    IP-Address   OK? Method Status  Protocol
    Ethernet0/0  10.0.2.2     YES NVRAM  up      up
    Ethernet0/1  172.30.2.2   YES NVRAM  up      up

    Enter the interface name that is facing internet: Ethernet0/1

Securing Management Plane Services

    Securing Management plane services...

    Disabling service finger
    Disabling service pad
    Disabling udp & tcp small servers
    Enabling service password encryption
    Enabling service tcp-keepalives-in
    Enabling service tcp-keepalives-out
    Disabling the cdp protocol

    Disabling the bootp server
    Disabling the http server
    Disabling the finger service
    Disabling source routing
    Disabling gratuitous arp

Creating Security Banner

    Here is a sample Security Banner to be shown
    at every access to device. Modify it to suit your
    enterprise requirements.

    Authorised Access only
      This system is the property of So-&-So-Enterprise.
      UNAUTHORISED ACCESS TO THIS DEVICE IS PROHIBITED.
      You must have explicit permission to access this
      device. All activities performed on this device
      are logged and violations of this policy result
      in disciplinary action.

    Enter the security banner {Put the banner between
    k and k, where k is any character}:
    %This system is the property of Cisco Systems, Inc.
    UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.%
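As an added example (not part of the original courseware and not Cisco's AutoSecure code), the script below does by inspection what the slides describe AutoSecure doing on the box: it audits a Cisco IOS running-config for the management-plane and per-interface services the slides tell you to disable (finger, PAD, small servers, password encryption, TCP keepalives, CDP, BOOTP, HTTP, source routing, gratuitous and proxy ARP, ICMP redirects, unreachables and mask replies, directed broadcast) and emits the IOS commands that make the hardened state explicit. The running-config embedded in it is constructed for the example. The checks assume the standard IOS command spellings (no service pad, no cdp run, no ip proxy-arp, and so on) and accept both the service finger and ip finger forms, since that command changed between releases. A service that the config neither enables nor disables is reported as "unset" rather than guessed from platform defaults, which vary by release; the remediation emitted for it is an explicit disable, which is a harmless no-op if the service was already off.

```python
"""Audit a Cisco IOS running-config for the services this courseware says to
disable, and emit the IOS commands that make the hardened state explicit.
A service whose enable/disable line is absent is reported as "unset" rather
than guessed, because platform defaults differ across IOS releases."""
import re
from typing import Dict, List, Tuple

# (check name, regex proving the hardened line is present, remediation command).
# finger accepts both spellings: "service finger" became "ip finger" in later IOS.
GLOBAL_CHECKS = [
    ("finger",              r"^no (service|ip) finger$",       "no ip finger"),
    ("pad",                 r"^no service pad$",               "no service pad"),
    ("tcp small servers",   r"^no service tcp-small-servers$", "no service tcp-small-servers"),
    ("udp small servers",   r"^no service udp-small-servers$", "no service udp-small-servers"),
    ("password encryption", r"^service password-encryption$",  "service password-encryption"),
    ("tcp keepalives in",   r"^service tcp-keepalives-in$",    "service tcp-keepalives-in"),
    ("tcp keepalives out",  r"^service tcp-keepalives-out$",   "service tcp-keepalives-out"),
    ("cdp",                 r"^no cdp run$",                   "no cdp run"),
    ("bootp server",        r"^no ip bootp server$",           "no ip bootp server"),
    ("http server",         r"^no ip http server$",            "no ip http server"),
    ("source routing",      r"^no ip source-route$",           "no ip source-route"),
    ("gratuitous arp",      r"^no ip gratuitous-arps$",        "no ip gratuitous-arps"),
]
# Interface configuration mode: checked once per "interface" stanza.
INTERFACE_CHECKS = [
    ("proxy arp",          r"^no ip proxy-arp$",          "no ip proxy-arp"),
    ("icmp redirects",     r"^no ip redirects$",          "no ip redirects"),
    ("icmp unreachables",  r"^no ip unreachables$",       "no ip unreachables"),
    ("icmp mask reply",    r"^no ip mask-reply$",         "no ip mask-reply"),
    ("directed broadcast", r"^no ip directed-broadcast$", "no ip directed-broadcast"),
]
# Constructed sample running-config for this example (not from a real device).
SAMPLE_CONFIG = """\
service tcp-keepalives-in
no service pad
ip http server
!
no ip bootp server
!
interface Ethernet0/0
 ip address 10.0.2.2 255.255.255.0
 no ip proxy-arp
 no ip redirects
!
interface Ethernet0/1
 ip address 172.30.2.2 255.255.255.0
!
"""

def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global lines and per-interface sub-commands.
    IOS indents sub-commands by one space and separates stanzas with "!"."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces.setdefault(current, [])
        elif raw[0].isspace() and current is not None:
            interfaces[current].append(line)
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces

def _state(lines: List[str], hardened_re: str, fix: str) -> str:
    """'ok' if the hardened line is present, 'enabled' if the line that turns the
    service the wrong way is present, otherwise 'unset' (platform default)."""
    if any(re.match(hardened_re, ln) for ln in lines):
        return "ok"
    wrong = fix[3:] if fix.startswith("no ") else "no " + fix
    return "enabled" if wrong in lines else "unset"

def audit(text: str) -> Dict[str, Dict]:
    """Per-check state for the global configuration and for every interface."""
    global_lines, interfaces = parse_config(text)
    return {
        "global": {n: _state(global_lines, rx, fix) for n, rx, fix in GLOBAL_CHECKS},
        "interfaces": {name: {n: _state(lines, rx, fix) for n, rx, fix in INTERFACE_CHECKS}
                       for name, lines in interfaces.items()},
    }

def remediation(text: str) -> List[str]:
    """IOS commands (global mode, then one block per interface) that bring every
    check not already 'ok' to its hardened state; re-disabling a service that
    is already off by default is a harmless no-op."""
    global_lines, interfaces = parse_config(text)
    cmds = [fix for _, rx, fix in GLOBAL_CHECKS if _state(global_lines, rx, fix) != "ok"]
    for name, lines in interfaces.items():
        needed = [fix for _, rx, fix in INTERFACE_CHECKS if _state(lines, rx, fix) != "ok"]
        if needed:
            cmds.append(f"interface {name}")
            cmds.extend(" " + fix for fix in needed)
    return cmds

if __name__ == "__main__":
    print("\n".join(remediation(SAMPLE_CONFIG)))
```

Run it as a script to print the remediation for the sample config, or feed the output of show running-config into audit() and remediation(). Appending the emitted commands to a config and auditing again yields an empty remediation list, so the output can be reviewed and applied once; the "enabled" state (here, ip http server) is the one to treat as a finding, while "unset" items should be confirmed on the device with the relevant show command before being counted as exposure.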
