Cisco Network Device Security Hardening Manual
1. Account and privilege hardening

Partition and restrict the management privileges on the network device, keep login passwords in the configuration file only in encrypted form, make sure that system account passwords meet the required length and complexity, and avoid weak passwords.

Requirements:
1. Strengthen user authentication; partition and restrict management privileges on the device.
2. Change weak account passwords (including SNMP community strings); require passwords longer than 8 characters.
3. Disable user accounts that are not needed.
4. Store passwords in encrypted form.

Implementation:
1. Per-user accounts with privilege levels, local login on the console, a level-specific enable secret, and a command moved to a higher privilege level:
Central(config)# username brian privilege 5 password g00d+pa55w0rd
Central(config)# line con 0
Central(config-line)# login local
Central(config-line)# end
enable secret level 5 <passwd>
privilege exec level 15 show logging
2. Set strong values for each of:
password <passwd>
enable secret <passwd>
snmp-server community <passwd>
3. Remove unneeded accounts:
no username <username>
4. Encrypt stored passwords:
service password-encryption
Exceptions (not covered by this command): SNMP community strings, RADIUS keys, TACACS+ keys.

2. Network service hardening

Disable insecure services on the device so that only the network services required for the traffic it carries are enabled.

Requirements:
1. Disable the HTTP server, or restrict access to it.
2. Disable SNMP where it is not needed; where it must be used, run SNMPv3 or later with authentication enabled, and change the default community strings.
3. Disable services unrelated to the carried traffic (for example dhcp-relay, IGMP, CDP and BOOTP).

Implementation:
1. Disable the HTTP server:
Central(config)# no ip http server
If the web interface must stay enabled: set up usernames and passwords, create and apply an IP access list to limit access to the web server, and configure and enable syslog logging. Sample:
Central(config)# ! Add web admin users, then turn on http auth
Central(config)# username nzWeb privilege 15 password 0 C5-A1rCarg0
Central(config)# ip http authentication local
Central(config)# ! Create an IP access list for web access
Central(config)# no access-list 29
Central(config)# access-list 29 permit host 14.2.6.18 log
Central(config)# access-list 29 permit 14.2.9.0 0.0.0.255 log
Central(config)# access-list 29 deny any log
Central(config)# ! Apply the access list then start the server
Central(config)# ip http access-class 29
Central(config)# ip http server
Central(config)# exit
2. Explicitly unset (erase) all existing community strings, disable the SNMP system-shutdown and trap features, then disable SNMP processing altogether:
Central(config)# ! erase old community strings
Central(config)# no snmp-server community public RO
Central(config)# no snmp-server community admin RW
Central(config)# ! disable SNMP trap and system-shutdown features
Central(config)# no snmp-server enable traps
Central(config)# no snmp-server system-shutdown
Central(config)# no snmp-server trap-auth
Central(config)# ! disable the SNMP service
Central(config)# no snmp-server
Central(config)# end
Where SNMP is required, use SNMPv3 with authentication, an access list on the user, and a view that hides sensitive tables:
East(config)# access-list 20 permit 14.2.6.6
East(config)# snmp-server group administrator v3 auth read adminview write adminview
East(config)# snmp-server user root administrator v3 auth md5 "secret" access 20
East(config)# snmp-server view adminview internet included
East(config)# snmp-server view adminview ip.ipAddrTable excluded
East(config)# snmp-server view adminview ip.ipRouteTable excluded
East(config)# exit
3. Disable unneeded services:
no cdp run
no service dhcp
no ip bootp server
Stop the TCP and UDP small servers (echo, daytime, chargen, discard) and the other minor services:
no service tcp-small-servers
no service udp-small-servers
no service finger
no ip http server

3. Network access control hardening

Remote management must be protected by security mechanisms; restrict the users and IP addresses that may access the device.

Requirements:
1. Use access control lists to restrict the subnets from which the device may be managed and configured.
2. Log in with a secure method such as SSH; disable Telnet.

Implementation:
1. Restrict VTY access with an access list:
South(config)# no access-list 92
South(config)# access-list 92 permit 14.2.10.1
South(config)# access-list 92 permit 14.2.9.1
South(config)# line vty 0 4
South(config-line)# access-class 92 in
North(config)# no access-list 12
North(config)# access-list 12 permit host 14.2.9.1 log
North(config)# line vty 0 4
North(config-line)# access-class 12 in
2. Enable SSH: create a local user, require local login on the VTY lines, set the hostname and domain name, then generate an RSA key pair:
North(config)# username joeadmin password 0 1-g00d-pa$word
North(config)# line vty 0 4
North(config-line)# login local
North(config-line)# exit
North(config)# hostname North
North(config)# ip domain-name dod.mil
North(config)# crypto key generate rsa
The name for the keys will be: North.dod.mil
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 2048
Generating RSA Keys ... [OK]
North(config)#
If this command succeeds, the SSH server is enabled and running. By default, the SSH service will be present on the router whenever an RSA key pair exists, but it will not be used until you configure it, as detailed below.
If you delete the router's RSA key pair (crypto key zeroize rsa), the SSH server will stop.
Then restrict the SSH service and the VTY lines so that only SSH is accepted and the unused lines accept nothing:
North(config)# ip ssh time-out 90
North(config)# ip ssh authentication-retries 2
North(config)# line vty 0 4
North(config-line)# transport input ssh
North(config-line)# exit
North(config)# line vty 5 15
North(config-line)# transport input none
North(config-line)# exit
3. Apply ACL control to SNMP. The first two community strings below are unrestricted read-only examples; only the last two forms, which bind the community to an access list (60) or to a restricted view (noRouteTable), meet the requirements above:
snmp-server community public ro
snmp-server community ourCommStr ro
snmp-server community topsecret rw 60
snmp-server community hideit view noRouteTable ro
access-list 60 permit 10.1.1.1
access-list 60 permit 10.2.2.2
snmp-server view noRouteTable internet included
snmp-server view noRouteTable ip.21 excluded
snmp-server view noRouteTable ip.22 excluded
snmp-server view noRouteTable ifMIB excluded

4. Audit policy hardening

Configure the device's security audit function, set the log buffer size, and designate a log server.

Requirements:
1. Designate a log server for the device.
2. Configure a reasonable log buffer size.

Implementation:
Central(config)# logging on
Central(config)# logging 14.2.9.1
Central(config)# logging buffered 16000
Central(config)# logging console critical
Central(config)# logging trap informational
Central(config)# logging facility local1

5. Malicious code prevention

Configure access control policies to block the ports used by worms, and disable insecure services so that intruders cannot exploit them.

Requirements:
1. Block the network ports commonly used by viruses and worms.
2. Use the TCP keepalives service to tear down dead (hung) connections.
3. Disable IP source routing.

Implementation:
1. Access control lists (ACLs) on the worm ports.
2. service tcp-keepalives-in
3. no ip source-route

Router Security Checklist

This security checklist is designed to help you review your router security configuration and remind you of any security area you might have missed.

- Router security policy written, approved, distributed.
- Router IOS version checked and up to date.
- Router configuration kept off-line, backed up, access to it limited.
- Router configuration is well-documented, commented.
- Router users and passwords configured and maintained.
- Password encryption in use, enable secret in use.
- Enable secret difficult to guess, knowledge of it strictly limited (if not, change the enable secret immediately).
- Access restrictions imposed on Console, Aux, VTYs.
- Unneeded network servers and facilities disabled.
- Necessary network services configured correctly (e.g. DNS).
- Unused interfaces and VTYs shut down or disabled.
- Risky interface services disabled.
- Port and protocol needs of the network identified and checked.
- Access lists limit traffic to identified ports and protocols.
- Access lists block reserved and inappropriate addresses.
- Static routes configured where necessary.
- Routing protocols configured to use integrity mechanisms.
- Logging enabled and log recipient hosts identified and configured.
- Router's time of day set accurately, maintained with NTP.
- Logging set to include consistent time information.
- Logs checked, reviewed, archived in accordance with local policy.
- SNMP disabled or enabled with good community strings and ACLs.
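The view definitions in sections 2 and 3 (adminview and noRouteTable) decide which objects an SNMPv3 user or a community can read, and it is easy to misjudge whether a given table is actually hidden. The following Python script is an added example, not part of the manual: it parses `snmp-server view` lines as they appear above (prompt prefixes and the `excl` abbreviation included), resolves the symbolic names the manual uses (ip.ipRouteTable, ip.21, ifMIB) through a small hand-written MIB-II name table, and reports whether a given OID is visible. The name table and the longest-matching-subtree rule are assumptions of this example; the view lines themselves are those of the manual.

```python
"""Evaluate which OIDs a Cisco IOS 'snmp-server view' exposes.
Added example, not from the manual; MIB_NAMES is a hand-written subset of MIB-II."""

# Assumption: only these symbolic names are resolved (standard MIB-II OIDs).
MIB_NAMES = {
    "internet": "1.3.6.1",
    "mib-2": "1.3.6.1.2.1",
    "system": "1.3.6.1.2.1.1",
    "interfaces": "1.3.6.1.2.1.2",
    "ip": "1.3.6.1.2.1.4",
    "ipAddrTable": "1.3.6.1.2.1.4.20",
    "ipRouteTable": "1.3.6.1.2.1.4.21",
    "ipNetToMediaTable": "1.3.6.1.2.1.4.22",
    "ifMIB": "1.3.6.1.2.1.31",
}

def resolve_oid(tree):
    """Turn 'ip.ipRouteTable', 'ip.21' or '1.3.6.1' into a tuple of sub-identifiers."""
    parts = []
    for label in tree.split("."):
        if label.isdigit():
            parts.append(int(label))
        elif label in MIB_NAMES:
            base = tuple(int(x) for x in MIB_NAMES[label].split("."))
            # a symbolic label must lie under whatever preceded it (ip.ipRouteTable)
            if base[: len(parts)] != tuple(parts):
                raise ValueError(f"{label} is not under {'.'.join(map(str, parts))}")
            parts = list(base)
        else:
            raise ValueError(f"unknown MIB name {label!r}")
    return tuple(parts)

def parse_views(config_text):
    """Collect 'snmp-server view NAME TREE included|excluded' lines into
    {view_name: [(subtree_oid, included), ...]}; 'East(config)# ' prompts are dropped."""
    views = {}
    for line in config_text.splitlines():
        toks = line.split()
        if toks and toks[0].endswith("#"):
            toks = toks[1:]
        if len(toks) == 5 and toks[:2] == ["snmp-server", "view"]:
            name, tree, action = toks[2], toks[3], toks[4].lower()
            if action.startswith("incl"):      # IOS accepts incl/excl abbreviations
                included = True
            elif action.startswith("excl"):
                included = False
            else:
                raise ValueError(f"bad view action in: {line}")
            views.setdefault(name, []).append((resolve_oid(tree), included))
    return views

def is_visible(view_entries, oid):
    """Assumed IOS semantics: the longest view subtree that is a prefix of the OID
    decides; an OID under no subtree is outside the view."""
    target = resolve_oid(oid)
    best = None
    for subtree, included in view_entries:
        if target[: len(subtree)] == subtree and (best is None or len(subtree) > len(best[0])):
            best = (subtree, included)
    return best is not None and best[1]

def visibility_report(config_text, view_name, oids):
    """Map each OID (name or dotted form) to True/False for the named view."""
    entries = parse_views(config_text)[view_name]
    return {oid: is_visible(entries, oid) for oid in oids}

# Constructed sample: the two views from sections 2 and 3 of the manual.
VIEW_CONFIG = """\
East(config)# snmp-server view adminview internet included
East(config)# snmp-server view adminview ip.ipAddrTable excl
East(config)# snmp-server view adminview ip.ipRouteTable excl
snmp-server view noRouteTable internet included
snmp-server view noRouteTable ip.21 excluded
snmp-server view noRouteTable ip.22 excluded
snmp-server view noRouteTable ifMIB excluded
"""

if __name__ == "__main__":
    probes = ["system", "ipRouteTable", "ifMIB", "1.3.6.1.2.1.4.22.1.2"]
    for view in ("adminview", "noRouteTable"):
        print(view, visibility_report(VIEW_CONFIG, view, probes))
```

Run it after editing a view to confirm that the sensitive tables really are excluded (ipRouteTable, ipAddrTable, and in noRouteTable also ipNetToMediaTable and ifMIB) while the rest of the internet subtree stays readable; extend MIB_NAMES with any other object names the device's views reference.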
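To check an exported running-config against sections 1 to 5 in one pass, here is an added Python audit script; it is example code, not from the manual. It looks for the global commands the manual requires, clear-text user passwords, an HTTP server left on without an access-class or authentication, SNMP communities that are defaults or have no ACL, VTY lines that accept anything other than SSH or lack an access-class (and whether the referenced ACL exists and does not permit any source), and a missing syslog server. The two sample configurations are constructed, the hashes in them are placeholders, and the section numbers in the findings refer to this manual. One assumption to keep in mind: the script expects defaults-on services to appear as explicit `no ...` lines as the manual prescribes; on IOS versions where a service is already off by default the running-config omits the line, so confirm those items with the corresponding `show` command rather than trusting this check alone.

```python
"""Audit an exported Cisco IOS configuration against the items of this manual.
Added example, not part of the manual; both sample configurations are constructed."""
import re

# Global commands the manual requires verbatim (manual item -> command prefix).
# Assumption: defaults-on services show up as explicit 'no ...' lines, as prescribed above.
REQUIRED_GLOBAL = {
    "1.4 encrypt stored passwords": "service password-encryption",
    "2.3 disable CDP": "no cdp run",
    "2.3 disable TCP small servers": "no service tcp-small-servers",
    "2.3 disable UDP small servers": "no service udp-small-servers",
    "4.2 size the log buffer": "logging buffered",
    "5.2 tear down dead sessions": "service tcp-keepalives-in",
    "5.3 disable IP source routing": "no ip source-route",
}

def parse_ios(text):
    """Split a config into top-level lines plus the indented body of each block."""
    top, blocks, header = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and header is not None:
            blocks[header].append(raw.strip())       # e.g. lines under 'line vty 0 4'
        else:
            header = raw.strip()
            top.append(header)
            blocks.setdefault(header, [])
    return top, blocks

def audit(text):
    """Return '<manual item>: <problem>' strings; an empty list means compliant."""
    top, blocks = parse_ios(text)
    findings = []
    for item, cmd in REQUIRED_GLOBAL.items():
        if not any(line.startswith(cmd) for line in top):
            findings.append(f"{item}: missing '{cmd}'")
    if not any(line.startswith("enable secret") for line in top):
        findings.append("checklist: 'enable secret' not configured")
    if not any(re.match(r"logging (host )?\d+\.\d+\.\d+\.\d+", line) for line in top):
        findings.append("4.1: no syslog server configured")
    http_on = "ip http server" in top
    for needed in ("ip http access-class", "ip http authentication"):
        if http_on and not any(line.startswith(needed) for line in top):
            findings.append(f"2.1: HTTP server enabled without '{needed}'")
    for line in top:
        # 'password' with type 0 (or no type) is clear text; 'secret' is the hashed form
        m = re.match(r"username (\S+) (?:privilege \d+ )?password (?:0 )?\S+$", line)
        if m:
            findings.append(f"1.4: clear-text password for user '{m.group(1)}'")
        if line.startswith("snmp-server community "):
            toks = line.split()
            name, rest = toks[2], toks[3:]
            view = rest[rest.index("view") + 1] if "view" in rest else None
            acl = [t for t in rest if t not in ("view", view) and t.lower() not in ("ro", "rw")]
            if name.lower() in ("public", "private"):
                findings.append(f"2.2: default SNMP community string '{name}'")
            if not acl:
                findings.append(f"3.3: SNMP community '{name}' is not restricted by an ACL")
    for header, body in blocks.items():
        if not header.startswith("line vty"):
            continue
        transports = [l.split()[2:] for l in body if l.startswith("transport input")]
        if transports == [["none"]]:
            continue   # unused VTYs, as in the manual's 'line vty 5 15'
        if not transports or any(t != ["ssh"] for t in transports):
            findings.append(f"3.2: {header}: 'transport input' must be ssh only")
        acl_lines = [l for l in body if l.startswith("access-class")]
        if not acl_lines:
            findings.append(f"3.1: {header}: no 'access-class <acl> in'")
            continue
        acl = acl_lines[0].split()[1]
        entries = [l for l in top if l.startswith(f"access-list {acl} ")]
        if not entries:
            findings.append(f"3.1: {header}: access-list {acl} is not defined")
        elif any(re.search(r"permit any\b", e) for e in entries):
            findings.append(f"3.1: {header}: access-list {acl} permits any source")
    return findings

# Constructed sample: a router that ignores the manual.
WEAK_CONFIG = """\
username brian privilege 5 password 0 g00d+pa55w0rd
enable password cisco
ip http server
snmp-server community public RO
snmp-server community topsecret RW
logging console critical
line vty 0 4
 transport input telnet ssh
 login local
"""

# Constructed sample: the same router after sections 1 to 5 (hash values are placeholders).
HARDENED_CONFIG = """\
service password-encryption
service tcp-keepalives-in
no service tcp-small-servers
no service udp-small-servers
no ip source-route
no cdp run
username brian privilege 5 secret 5 $1$PLACEHOLDER$hashgoeshere
enable secret 5 $1$PLACEHOLDER$hashgoeshere
no ip http server
access-list 92 permit 14.2.10.1
access-list 92 permit 14.2.9.1
snmp-server community hideit view noRouteTable RO 60
logging buffered 16000
logging 14.2.9.1
line vty 0 4
 access-class 92 in
 transport input ssh
 login local
line vty 5 15
 transport input none
"""
```

Feed it the output of `show running-config` (for example `audit(open("running-config.txt").read())`); WEAK_CONFIG yields seventeen findings and HARDENED_CONFIG none. The check is deliberately strict about VTY transport (ssh only, or none for spare lines) and about ACL-bound SNMP communities, which is exactly what sections 3.1 to 3.3 require.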