ISCW10S05L02关闭不需要服务.ppt

CiscoDeviceHardening,DisablingUnusedCiscoRouterNetworkServicesandInterfaces,VulnerableRouterServicesandInterfaces,VulnerableRouterServicesandInterfaces,CiscoIOSrouterscanbeusedas:EdgedevicesFirewallsInternalroutersDefaultservicesthatcreatepotentialvulnerabilities(e.g.,BOOTP,CDP,FTP,TFTP,NTP,Finger,SNMP,TCP/UDPminorservices,IPsourcerouting,andproxyARP).Vulnerabilitiescanbeexploitedindependentlyoftherouterplacement.,VulnerableRouterServices,Disableunnecessaryservicesandinterfaces(BOOTP,CDP,FTP,TFTP,NTP,PAD,andTCP/UDPminorservices)Disablecommonlyconfiguredmanagementservices(SNMP,HTTP,andDNS)Ensurepathintegrity(ICMPredirectsandIPsourcerouting)Disableprobesandscans(finger,ICMPunreachables,andICMPmaskreplies)Ensureterminalaccesssecurity(identandTCPkeepalives)DisablegratuitousandproxyARPDisableIPdirectedbroadcast,RouterHardeningConsiderations,Attackerscanexploitunusedrouterservicesandinterfaces.Administratorsdonotneedtoknowhowtoexploittheservices,buttheyshouldknowhowtodisablethem.Itistedioustodisabletheservicesindividually.Anautomatedmethodisneededtospeedupthehardeningprocess.,LockingDownRouterswithAutoSecure,WhatisAutoSecure?,AutoSecurehelpssecureCiscoIOSnetworksbyperformingtheserouterfunctions:DisablesinsecureglobalservicesEnablessecurity-basedglobalservicesDisablesinsecureinterfaceservicesEnablesappropriatesecurityloggingSecuresrouteradministrativeaccessSecurestheroutermanagementplaneSecurestherouterforwardingplane,AutoSecureOperationModes,AutoSecurecanbedeployedusingoneofthefollowingtwomodesofoperation:Interactivemode:Promptstheuserwithoptionstoenableanddisableservicesandothersecurity-relatedfeaturesNoninteractivemode:Automaticallyexecutestheautosecurecommandusingrecommendeddefaultsettings,AutoSecureFunctions,AutoSecurecanselectivelylockdown:Managementplaneservicesandfunctions:Finger,PAD,UDP&TCPsmallservers,passwordencryption,TCPkeepalives,CDP,BOOTP,HTTP,sourcerouting,gratuitousARP,proxyARP,ICMP(redirects,mask-replies),directedbroadcast,MOP,bannerAlsoprovidespasswordsecurityandSSHaccessForwardingplaneservicesandfunctions:CEF,trafficfilteringwithACLsFirewallservicesandfunctions:CiscoIOSFirewallinspectionforcommonprotocolsLoginfunctions:PasswordsecurityNTPprotocolSSHaccessTCPInterceptservices,AutoSecureFailureScenarios,IfAutoSecurefailstocompleteitsoperation,yourrunningconfigurationmaybecorrupt:In12.3(8)TandlaterreleasesPre-autosecureconfigurationsnapshotisstoredintheflashunderfilenamepre_autosec.cfgRoll-backrevertstheroutertoitspre-autosecureconfigurationCommand:configurereplaceflash:pre_autosec.cfgPriorto12.3(8)T,youshouldsavetherunningconfigurationbeforerunningAutoSecure,AutoSecureProcessOverview,AutoSecureProcessOverview,autosecuremanagement|forwardingno-interact|fullntp|login|ssh|firewall|tcp-intercept,router#,LaunchesAutoSecureMainstepswiththeinteractivefulloption:Identifyoutsideinterfaces.Securethemanagementplane.Createsecuritybanner.Configurepasswords,AAA,andSSH.Securetheinterfacesettings.Securetheforwardingplane.,StartandInterfaceSelection,Router#autosecure-AutoSecureConfiguration-*AutoSecureconfigurationenhancesthesecurityoftherouterbutitwillnotmakerouterabsolutelysecurefromallsecurityattacks*AlltheconfigurationdoneaspartofAutoSecurewillbeshownhere.Formoredetailsofwhyandhowthisconfigurationisuseful,andanypossiblesideeffects,pleaserefertoCiscodocumentationofAutoSecure.Atanypromptyoumayenter?forhelp.Usectrl-ctoabortthissessionatanyprompt.GatheringinformationabouttherouterforAutoSecureIsthisrouterconnectedtointernet?no:yEnterthenumberofinterfacesfacinginternet1:1InterfaceIP-AddressOK?MethodStatusProtocolEthernet0/0YESNVRAMupupEthernet0/1YESNVRAMupupEntertheinterfacenamethatisfacinginternet:Ethernet0/1,SecuringManagementPlaneServices,SecuringManagementplaneservices.DisablingservicefingerDisablingservicepadDisablingudp&tcpsmallserversEnablingservicepasswordencryptionEnablingservicetcp-keepalives-inEnablingservicetcp-keepalives-outDisablingthecdpprotocolDisablingthebootpserverDisablingthehttpserverDisablingthefingerserviceDisablingsourceroutingDisablinggratuitousarp,CreatingSecurityBanner,HereisasampleSecurityBannertobeshownateveryaccesstodevice.Modifyittosuityourenterpriserequirements.AuthorisedAccessonlyThissystemisthepropertyofSo-&-So-Enterprise.UNAUTHORISEDACCESSTOTHISDEVICEISPROHIBITED.Youmusthaveexplicitpermissiontoaccessthisdevice.Allactivitiesperformedonthisdeviceareloggedandviolationsofofthispolicyresultindisciplinaryaction.EnterthesecuritybannerPutthebannerbetweenkandk,wherekisanycharacter:%ThissystemisthepropertyofCiscoSystems,Inc.UNAUTHORIZEDACCESSTOTHISDEVICEISPROHIBITED.%,PasswordsandAAA,EnablesecretiseithernotconfiguredorissameasenablepasswordEnterthenewenablesecret:Curium96ConfigurationoflocaluserdatabaseEntertheusername:student1Enterthepassword:student1ConfiguringaaalocalauthenticationConfiguringconsole,Auxandvtylinesforlocalauthentication,exec-timeout,transportSecuringdeviceagainstLoginAttacksConfigurethefollowingparametersBlockingPeriodwhenLoginAttackdetected:300MaximumLoginfailureswiththedevice:3Maximumtimeperiodforcrossingthefailedloginattempts:60,SSHandInterface-SpecificServices,ConfigureSSHserver?yes:yEnterthehostname:R2Enterthedomain-name:ConfiguringinterfacespecificAutoSecureservicesDisablingthefollowingipservicesonallinterfaces:noipredirectsnoipproxy-arpnoipunreachablesnoipdirected-broadcastnoipmask-replyDisablingmoponEthernetinterfaces,ForwardingPlane,VerificatonandDeployment,SecuringForwardingplaneservices.EnablingCEF(Thismightimpactthememoryrequirementsforyourplatform)EnablingunicastrpfonallinterfacesconnectedtointernetConfigureCBACFirewallfeature?yes/no:yesThisistheconfigurationgenerated:noservicefingernoservicepadnoserviceudp-small-serversnoservicetcp-small-serversservicepassword-encryption.Applythisconfigurationtorunning-config?yes:y,LockingDownRouterswiththeSDM,SecurityDeviceManager,SDMautomatedhardeningfeatures:SecurityAuditOne-StepLockdown,SDMSecurityAuditOverview,Thesecurityauditcomparesrouterconfigurationagainstrecommendedsettings.Examplesoftheauditinclude:Shutdownunneededservers.Disableunneededservices.Applythefirewalltotheoutsideinterfaces.DisableorhardenSNMP.Shutdownunusedinterfaces.Checkpasswordstrength.EnforcetheuseofACLs.,SDMSecurityAudit:MainWindow,1.,2.,3.,SDMSecurityAuditWizard,SDMSecurityAuditInterfaceConfiguration,SDMSecurityAudit,SDMSecurityAudit:F