1. Account privilege hardening

Requirement: divide and restrict the management privileges on network devices, store login passwords in the configuration file only in encrypted form, and make sure system account passwords meet the length and complexity requirements; never use weak passwords.

Measures:
1) Strengthen user authentication and divide and restrict management privileges on the device.
2) Replace any weak passwords on existing accounts (including SNMP community strings); passwords on the network system must be longer than 8 characters.
3) Disable accounts that are not needed.
4) Store passwords in encrypted form.

Configuration examples:
1) Per-user accounts with privilege levels, local login on the console, and commands bound to levels:
   Central(config)# username brian privilege 5 password g00d+pa55w0rd
   Central(config)# line con 0
   Central(config-line)# login local
   Central(config-line)# end
   enable secret level 5
   privilege exec level 15 show logging
2) Change weak passwords with the password, enable secret and snmp-server community commands.
3) no username <name> removes an unneeded account.
4) service password-encryption (exceptions: SNMP community strings, RADIUS keys and TACACS+ keys).

2. Network service hardening

Requirement: shut down the insecure services on the device, so that only the network services the carried business actually needs are enabled.

Measures:
1) Disable the HTTP server, or put access control in front of it.
2) Shut down SNMP where it is not needed; where it must be used, run SNMPv3 or later, enable authentication and change the default community strings.
3) Disable services unrelated to the carried business (for example dhcp-relay, IGMP, cdp run, the bootp service, and so on). Stop the TCP and UDP small servers (echo, daytime, chargen, discard and similar).

Configuration examples:
1) Central(config)# no ip http server
   If the web server must stay up: set up usernames and passwords, create and apply an IP access list to limit access to the web server, and configure and enable syslog logging. Sample:
   Central(config)# ! Add web admin users, then turn on http auth
   Central(config)# username nzWeb priv 15 password 0 C5-A1rCarg0
   Central(config)# ip http auth local
   Central(config)# ! Create an IP access list for web access
   Central(config)# no access-list 29
   Central(config)# access-list 29 permit host 14.2.6.18 log
   Central(config)# access-list 29 permit 14.2.9.0 0.0.0.255 log
   Central(config)# access-list 29 deny any log
   Central(config)# ! Apply the access list then start the server
   Central(config)# ip http access-class 29
   Central(config)# ip http server
   Central(config)# exit
2) Turning SNMP off: explicitly unset (erase) all existing community strings, disable the SNMP system-shutdown and trap features, then disable SNMP processing.
   Central(config)# ! erase old community strings
   Central(config)# no snmp-server community public RO
   Central(config)# no snmp-server community admin RW
   Central(config)#
   Central(config)# ! disable SNMP trap and system-shutdown features
   Central(config)# no snmp-server enable traps
   Central(config)# no snmp-server system-shutdown
   Central(config)# no snmp-server trap-auth
   Central(config)#
   Central(config)# ! disable the SNMP service
   Central(config)# no snmp-server
   Central(config)# end
   SNMPv3 with authentication, restricted to one manager and a limited view:
   East(config)# access-list 20 permit 14.2.6.6
   East(config)# snmp-server group administrator v3 auth read adminview write adminview
   East(config)# snmp-server user root administrator v3 auth md5 "secret" access 20
   East(config)# snmp-server view adminview internet included
   East(config)# snmp-server view adminview ip.ipAddrTable excl
   East(config)# snmp-server view adminview ip.ipRouteTable excl
   East(config)# exit
3) no cdp run
   no service dhcp
   no ip bootp server
   no service tcp-small-servers
   no service udp-small-servers
   no service finger
   no ip http server

3. Network access control hardening

Requirement: remote management must be protected by a security mechanism, and the users or IP addresses allowed to reach the device must be restricted.

Measures:
1) Restrict the network segments allowed to manage and configure the device with an access control list.
2) Log in over a secure method such as SSH; disable TELNET.
3) Put SNMP under ACL control.

Configuration examples:
1) South(config)# no access-list 92
   South(config)# access-list 92 permit 14.2.10.1
   South(config)# access-list 92 permit 14.2.9.1
   South(config)# line vty 0 4
   South(config-line)# access-class 92 in
2) North(config)# no access-list 12
   North(config)# access-list 12 permit host 14.2.9.1 log
   North(config)# line vty 0 4
   North(config-line)# access-class 12 in
   North(config)# username joeadmin password 0 1-g00d-pa$$word
   North(config)# line vty 0 4
   North(config-line)# login local
   North(config-line)# exit
   North(config)# host north
   North(config)# ip domain-name dod.mil
   North(config)# crypto key generate rsa
   The name for the keys will be: North.dod.mil
   Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
   How many bits in the modulus [512]: 2048
   Generating RSA Keys... [OK]
   North(config)#
   If this command succeeds, the SSH server is enabled and running. By default, the SSH service will be present on the router whenever an RSA key pair exists, but it will not be used until you configure it, as detailed below. If you delete the router's RSA key pair (crypto key zeroize rsa), then the SSH server will stop.
   North(config)# ip ssh time-out 90
   North(config)# ip ssh authentication-retries 2
   North(config)# line vty 0 4
   North(config-line)# transport input ssh
   North(config-line)# exit
   North(config)# line vty 5 15
   North(config-line)# transport input none
   North(config-line)# exit
3) snmp-server community public ro
   snmp-server community ourCommStr ro
   snmp-server community topsecret rw 60
   snmp-server community hideit view noRouteTable ro
   access-list 60 permit 10.1.1.1
   access-list 60 permit 10.2.2.2
   snmp-server view noRouteTable internet included
   snmp-server view noRouteTable ip.21 excluded
   snmp-server view noRouteTable ip.22 excluded
   snmp-server view noRouteTable ifMIB excluded

4. Security audit hardening

Requirement: configure the device's security audit function, set the log buffer size and designate a log server.

Measures:
1) Designate a log server for the device.
2) Set a reasonable log buffer size.

Configuration examples:
   Central(config)# logging on
   Central(config)# logging 14.2.9.1
   Central(config)# logging buffered 16000
   Central(config)# logging console critical
   Central(config)# logging trap informational
   Central(config)# logging facility local1

5. Malicious code prevention

Requirement: configure access control policies that block the ports used by worms, and shut down insecure services so that they cannot be exploited by an intruder.

Measures:
1) Block the network ports commonly used by viruses.
2) Use the TCP keepalives service to kill dead (zombie) connections.
3) Disable IP source routing.

Configuration examples:
1) ACL
2) service tcp-keepalives-in
3) no ip source-route

Router Security Checklist

This security checklist is designed to help you review your router security configuration, and remind you of any security area you might have missed.

[ ] Router security policy written, approved, distributed.
[ ] Router IOS version checked and up to date.
[ ] Router configuration kept off-line, backed up, access to it limited.
[ ] Router configuration is well-documented, commented.
[ ] Router users and passwords configured and maintained.
[ ] Password encryption in use, enable secret in use.
[ ] Enable secret difficult to guess, knowledge of it strictly limited. (if not, change the enable secret immediately)
[ ] Access restrictions imposed on Console, Aux, VTYs.
[ ] Unneeded network servers and facilities disabled.
[ ] Necessary network services configured correctly (e.g. DNS)
[ ] Unused interfaces and VTYs shut down or disabled.
[ ] Risky interface services disabled.
[ ] Port and protocol needs of the network identified and checked.
[ ] Access lists limit traffic to identified ports and protocols.
[ ] Access lists block reserved and inappropriate addresses.
[ ] Static routes configured where necessary.
[ ] Routing protocols configured to use integrity mechanisms.
[ ] Logging enabled and log recipient hosts identified and configured.
[ ] Router's time of day set accurately, maintained with NTP.
[ ] Logging set to include consistent time information.
[ ] Logs checked, reviewed, archived in accordance with local policy.
[ ] SNMP disabled or enabled with good community strings and ACLs.
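The hardening measures and the checklist above can be turned into an automated review of a saved running-config. The following audit script is an added example, not part of the original document or of any vendor tool; it checks a config text for the page's own items (password encryption, HTTP server without an ACL, default or unrestricted SNMP community strings, small servers, source routing, TCP keepalives, CDP, a syslog host, and telnet or missing access-class on the vty lines), and the sample config it runs on is constructed for the demonstration.

```python
import re
# Constructed sample running-config (not from the page) carrying several of the weak settings above.
SAMPLE_CONFIG = """\
service tcp-small-servers
ip http server
snmp-server community public RO
snmp-server community admin RW
line vty 0 4
 transport input telnet
"""
# Lines that must be present (REQUIRED) or absent (FORBIDDEN), mapped to the finding text.
REQUIRED = {"service password-encryption": "passwords stored in clear text",
            "no ip source-route": "IP source routing still enabled",
            "service tcp-keepalives-in": "dead inbound sessions never reaped",
            "no cdp run": "CDP still running"}
FORBIDDEN = {"service tcp-small-servers": "TCP small servers (echo, chargen, ...) enabled",
             "service udp-small-servers": "UDP small servers enabled"}

def vty_blocks(config):
    """Yield (header, [indented sub-commands]) for every 'line vty' block."""
    header, subs = None, []
    for raw in config.splitlines() + [""]:  # the sentinel flushes the last block
        if raw.startswith(" ") and header:
            subs.append(raw.strip())
            continue
        if header:
            yield header, subs
        header, subs = (raw if raw.startswith("line vty") else None), []

def audit_ios_config(config):
    """Return one finding per hardening measure the config violates (empty list = clean)."""
    lines = [l.strip() for l in config.splitlines()]
    findings = [f"{why}: add '{cmd}'" for cmd, why in REQUIRED.items() if cmd not in lines]
    findings += [f"{why}: add 'no {cmd}'" for cmd, why in FORBIDDEN.items() if cmd in lines]
    if "ip http server" in lines and not any(l.startswith("ip http access-class") for l in lines):
        findings.append("ip http server enabled without an access-class ACL")
    if not any(re.match(r"logging (host )?\d+\.\d+\.\d+\.\d+$", l) for l in lines):
        findings.append("no syslog server configured")
    for m in filter(None, (re.match(r"snmp-server community (\S+)(.*)", l) for l in lines)):
        name, rest = m.group(1), m.group(2).lower().split()
        if name.lower() in ("public", "private"):
            findings.append(f"default SNMP community '{name}' in use")
        if "rw" in rest and not rest[-1].isdigit():
            findings.append(f"RW SNMP community '{name}' has no access-list")
    for header, subs in vty_blocks(config):
        if any(s.startswith("transport input") and ("telnet" in s or s.endswith(" all")) for s in subs):
            findings.append(f"{header}: telnet allowed, use 'transport input ssh'")
        if not any(s.startswith("access-class") for s in subs):
            findings.append(f"{header}: no access-class limiting management hosts")
    return findings
```

Run it over the output of `show running-config` saved to a file; a clean result is an empty list, and each finding names the command from the table above that fixes it.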