cisco網(wǎng)絡設備安全加固手冊

1、1.帳號權(quán)限加固對網(wǎng)絡設備的管理權(quán)限進行劃分和限制，將登錄口令密文保存在配置文件中，確保系統(tǒng)帳號口令長度和復雜度滿足安全要求,避免使用弱口令1、加強用戶認證，對網(wǎng)絡設備的管理權(quán)限進行劃分和限制2、修改帳號存在的弱口令（包括SNMP社區(qū)串），設置網(wǎng)絡系統(tǒng)的口令長度>8位3、禁用不需要的用戶4、對口令進行加密存儲1、Central(config)# username brian privilege 5 password g00d+pa55w0rdCentral(config)# line con 0Central(config-line)# login localCentral(config

2、-line)# endenable secret level 5 privilege exec level 15 show logging2、password <passwd> Enable sec <passwd> Snmp-server community <passwd>3、no username4. service password-encryption;例外：SNMP community strings、RADIUS keys、TACACS+ keys2.網(wǎng)絡服務加固關(guān)閉網(wǎng)絡設備中不安全的服務，確保網(wǎng)絡設備只開啟承載業(yè)務所必需的網(wǎng)絡服務1、 禁用h

3、ttpserver，或者對httpserver進行訪問控制2、 關(guān)閉不必要的SNMP服務，若必須使用，應采用SNMPv3以上版本并啟用身份驗證、更改默認社區(qū)串3、禁用與承載業(yè)務無關(guān)的服務（例如dhcp-relay、IGMP、CDPRUN、bootp服務等）1. Central(config)# no ip http serverSet up usernames and passwordsCreate and apply an IP access list to limit access to the web server.Configure and enable syslog loggingS

4、ample:Central(config)# ! Add web admin users, then turn on http authCentral(config)# username nzWeb priv 15 password 0 C5-A1rCarg0Central(config)# ip http auth localCentral(config)# ! Create an IP access list for web accessCentral(config)# no access-list 29Central(config)# access-list 29 permit host

5、 8 logCentral(config)# access-list 29 permit 55 logCentral(config)# access-list 29 deny any logCentral(config)# ! Apply the access list then start the serverCentral(config)# ip http access-class 29Central(config)# ip http serverCentral(config)# exit Explicitly unset (erase) a

6、ll existing community strings. Disable SNMP system shutdown and trap features. Disable SNMP system processing.Central(config)# ! erase old community stringsCentral(config)# no snmp-server community public ROCentral(config)# no snmp-server community admin RWCentral(config)#Central(config)# ! disable

7、SNMP trap and system-shutdown featuresCentral(config)# no snmp-server enable trapsCentral(config)# no snmp-server system-shutdownCentral(config)# no snmp-server trap-auth Central(config)#Central(config)# ! disable the SNMP serviceCentral(config)# no snmp-serverCentral(config)# endEast(config)# acces

8、s-list 20 permit East(config)# snmp-server group administrator v3 auth read adminview write adminviewEast(config)# snmp-server user root administrator v3 auth md5 “secret” access 20East(config)# snmp-server view adminview internet includedEast(config)# snmp-server view adminview ip.ipAddrTab

9、le exclEast(config)# snmp-server view adminview ip.ipRouteTable exclEast(config)# exit3.no cdp run No service dhcpNo ip bootp server停掉tcp、udp small servers，類似echo、daytime、chargen、discard等；no service tcp-small-serversno service udp-small-serversno service fingerno ip http server3.網(wǎng)絡訪問控制加固遠程控制有安全機制保證，

10、限制能夠訪問本機的用戶或IP地址1、 對可管理配置網(wǎng)絡設備的網(wǎng)段通過訪問控制列表進行限制2、 使用SSH等安全方式登錄,禁用TELNET方式South(config)# no access-list 92South(config)# access-list 92 permit South(config)# access-list 92 permit South(config)# line vty 0 4South(config-line)# access-class 92 inNorth(config)# no access-list 12North(conf

11、ig)# access-list 12 permit host logNorth(config)# line vty 0 4North(config-line)# access-class 12 inNorth(config)# username joeadmin password 0 1-g00d-pa$wordNorth(config)# line vty 0 4North(config-line)# login localNorth(config-line)# exitNorth(config)#host northNorth(config)#ip domain-nam

12、e North(config)# crypto key generate rsaThe name for the keys will be: NChoose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.How many bits in the modulus 512: 2048Generating RSA

13、 Keys .OKNorth(config)#If this command succeeds, the SSH server is enabled and running. By default, the SSH service will be present on the router whenever an RSA key pair exists, but it will not be used until you configure it, as detailed below. If you delete the routers RSA key pair, then the SSH s

14、erver will stop.crypto key zeroize rsa.North(config)# ip ssh time-out 90North(config)# ip ssh authentication-retries 2North(config)# line vty 0 4North(config-line)# transport input sshNorth(config-line)# exitNorth(config)# line vty 5 15North(config-line)# transport input noneNorth(config-line)# exit

15、3、對SNMP進行ACL控制snmp-server community public rosnmp-server community ourCommStr rosnmp-server community topsecret rw 60snmp-server community hideit ro view noRouteTableaccess-list 60 permit access-list 60 permit snmp-server view noRouteTable internet includedsnmp-server view noRouteTab

16、le ip.21 excludedsnmp-server view noRouteTable ip.22 excludedsnmp-server view noRouteTable ifMIB excluded4.審計策略加固配置網(wǎng)絡設備的安全審計功能，設置日志緩存大小，指定日志服務器1、為網(wǎng)絡設備指定日志服務器2、合理配置日志緩沖區(qū)大小Central(config)# logging onCentral(config)# logging Central(config)# logging buffered 16000Central(config)# logging consol

17、e criticalCentral(config)# logging trap informationalCentral(config)# logging facility local15.惡意代碼防范配置訪問控制策，對蠕蟲端口進行屏蔽，關(guān)閉不安全的服務避免被入侵者利用1、屏蔽病毒常用的網(wǎng)絡端口2、使用TCPkeepalives服務以殺死僵連接3、禁止IP源路由功能1. ACL2. service tcp-keepalives-in.3.no ip source-routeRouter Security Checklist This security checklist is designed

18、 to help you review your router security configuration, and remind you of any security area you might have missed. Router security policy written, approved, distributed. Router IOS version checked and up to date. Router configuration kept off-line, backed up, access to it limited. Router configurati

19、on is well-documented, commented. Router users and passwords configured and maintained. Password encryption in use, enable secret in use. Enable secret difficult to guess, knowledge of it strictly limited. (if not, change the enable secret immediately) Access restrictions imposed on Console, Aux, VTYs. Unneeded network servers and facilities disabled. Necessary network services configured correctly (e.g. DNS) Unused interfaces and V