交换器安全配置标准.docx

XXX网络平安交换器平安配置标准文件编号:1 .目的通过建立系统的平安基线标准，规范网安公司网络环境Cisco路由器和交换机的平安配置，并提出相应的指导；降低系统存在的风险，确保Cisco路由器和交换器可靠的运行。2 .范围适合网安公司网络环境的所有Cisco路由器和交换机。3 .术语定义ICMP： Internet Control Message Protocol) Internet 控制J报文协议SNMP： Simple Network Management Protocol,简单网络管理协议SSH： Secure Shell Protocol加密通道配置代理服务器 平安外壳协议.参考文件无5.角色与职责角色职责网络管理员依据此标准进行平安配置Cicso路由器、交换机等型号产品6.内容6.1 设置加密口令(config)# enable secret XXX(config)# service password-encryption配置文件的离线备份6.2 远程维护平安1)关闭AUX端口(config)# line aux 0(config-line)# no exec(config-line)# transport input none(config-line)# exit2) SNMP平安如需使用SNMP,建议使用v3,如不能提供v3支持的，建议关闭或加强访问控制列表，更改默认团体字,关闭snmp的写功能,关闭shutdown和trap功能(config)# show snmp(config)# no snmp-server community admin RW(config)# no snmp-server enable traps(config)# no snmp-server system-shutdown(config)# no snmp-server trap-auth(config)# no snmp-server3) SSH远程管理使用SSH进行远程管理并严格控制允许的IP,并记录日志(config)# access-list 50 (config)# access-list 50 deny any(config)# line vty 0 4 (config-line)# login local(config-line)# transport input SSH (config-line)# access-class 50 in关闭不活动的链接service tcp-keepalivesCon终端和vty终端配置登录超时10分钟（config-line）exec-timeout 10配置时间同步服务clock timezone CST +8设置时区关闭维护网络管理的所有端口关闭除用于网络维护管理的所有端口（可在使用端口扫描后或使用show proc命令，有选择的使用下列命令关闭不需要的服务）no ftp-server enableno ip fingerno ip serverno ip bootp server /关闭BOOTP服务，BOOTP服务允许设置作为其他设备的IOS下载服务器no service tcp-small-serversno service udp-small-serversno tftp-serverno printer 禁用 LPD 服务（TCP 515 端口）在日志中记录完整时间service timestamps debug datetime msec localtime show-timezoneservice timestamps log datetime msec localtime show-timezone关闭源路由no ip source-route关闭ICMP重定向no ip redirect禁止 ARP-Proxyno ip proxy-arp （需要在每个端口进行设置）禁止 IP Directed Broadcast防止类似smurf的攻击。（攻击者发送源为被攻击地址，目的为一个网络的广播地址，让网络内所有设备向攻击者反应数据包）no ip directed-broadcast禁止网络启动和下载配置路由器：no boot networkno service config交换机：no boot hostno boot networkno boot systemno service config关闭PAD服务数据包的装配/分解（packet assembler/disassembler-PAD）,在大多数CISCO设备上都是缺省启用的，该服务用来和其他网络设备间的X.25连接，攻击者可以利用PAD接口来破坏路由过程和设备和稳定性，因此，如果不需要X.25网络连接话，应该明确禁止PAD服务:router(config)# no service pad关闭DNS服务router(config)# no ip domain-lookup交互机选项设置vtp密码vtp password XX路由器选项1)关闭MOP服务在CISCO路由器以太网接口上，DEC的维护操作协议(Maintenance Operation Protocol)MOP服务缺省情况下是启用的，MOP是一个潜在的攻击因素，如果不需要应该在所有接口上明确禁止：router(config-if)# no mop enable2)外网口地址过滤过滤内部地址、私有地址、本地地址、组播地址、DHCP自定义地址、科学文档作者测试用地址进, 过滤非内网地址出：interface xyip access-group 101 inaccess-list 101 deny ip 10.0.0.0 0.255.255.255 anyaccess-list 101 deny ip 192.168.0.0 0.0.255.255 anyaccess-list 101 deny ip 172.16.0.0 0.15.255.255 anyaccess-list 101 deny ip 127.0.0.0 0.255.255.255 anyaccess-list 101 deny ip 0.0.0.0 0.255.255.255 any (全网地址)access-list 101 deny ip 224.0.0.0 15.255.255.255 any (组播地址)access-list 101 deny ip 169.254.0.0 0.0.255.255 any (DHCP 自定义地址)access-list 101 deny ip 192.0.2.0 0.0.0.255 any （科学文档作者测试用地址）access-list 101 permit ip any any3）动态路由平安建议使用OSPF或RIP-V2,并采用MD5认证设备命名规那么办公网骨干交换机命名规那么：NFJJ-BGW-设备型号-编号，例如NFJJ-BGW-6506-1交易网骨干交换机命名规那么：NFJJ-JYW-设备型号-编号，例如：NFJJ-JYW-4506-1楼层办公网交换机命名规那么：楼层-OA-SW-编号，例如31F-OA-SW-1楼层交易网交换机命名规那么：楼层-JY-SW-编号，例如31F-JY-SW-1机房内办公网交换机命名规那么：NFJJ-BGW-IDC-设备型号-编号，例如：NFJJ-BGW-IDC-3560G-1机房内交易网交换机命名规那么：NFJJ-JYW-IDC-设备型号-编号，例如：NFJJ-JYW-IDC-3560G-1其他功能性交换机命名规那么：NFJJ-功能-设备型号，例如：NFJJ-DMZ-A3560G路由器命名规那么：设备名称中需含有链接对端的信息。如总部到北京分公司两段路由器：总部端为“hq_to_bjbranch”，北京分公司端为“bjbranch_to_hq”附录默认开放的服务FeatureDescriptionDefaultRecommendationCisco DiscoveryProtocol (CDP)Proprietary layer 2protocolbetween Cisco devicesEnabledCDP is almost never needed, disable it.TCP small serversStandard TCP network11.3: disabledThis is a legacyservices: echo, chargen, etc.11.2: enabledfeature, disable it explicitly.UDP smallserversStandard UDP network services: echo, discard, etc.11.3: disabled11.2: enabledThis is a legacyfeature, disable it explicitly.FingerUnix user lookup service, allows remote listing of logged in users.EnabledUnauthorizedpersonsdon5t need to knowthis,disable it. serverSome Cisco IOS devices offer web-based configuration.Varies by deviceIf not in use, explicitly disable, otherwise restrict access.Bootp serverService to allow other routers to boot from this one.EnabledThis is rarely needed and may open a security hole, disable it.Configurationauto-loadingRouter will attempt to loadits configuration viaTFTP.DisabledThis is rarely used, disableit if it is not in use.IP source routingIP feature that allowspackets to specify theirEnabledThis rarely-usedfeatureownroutes.can be helpful inattacks, disable it.Proxy ARPRouter w川 act as aproxyfor layer 2 address resolution.EnabledDisable this service unless the router is serving as a LAN bridge.IP directedbroadcastPackets can identify a targetLAN for broadcasts.Enabled(11.3 & earlier)Directed broadcast can be used for attacks, disable it.IP unreachablenotificationsRouter w川 explicitlynotifysenders of incorrect IP addresses.EnabledCan aid networkmapping,disable on interfacestoIP mask replyRouter will send an interface's IP address maskin response to an ICMP mask request.DisabledCan aid IP address mapping; explicitly disable on interfaces to untrusted networks.IP redirectsRouter will send anICMPredirect message inresponseto certain routed IPpackets.EnabledCan aid networkmapping,disable on interfacestountrusted networks.NTP serviceRouter can act as atimeserver for other devicesandhosts.Enabled(if NTP isconfigured)If not in use, explicitly disable, otherwise restrict access.Simple NetworkMgmt. ProtocolRouters can support SNMP remote query and configuration.EnabledIf not in use, remove default community strings and explicitly disable, otherwise restrict access.Domain NameServiceRouters can performDNSname resolution.Enabled(broadcast)Set the DNS server addresses explicitly, ordisable DNS lookup.