cisco网络设备安全加固手册

1、1.帐号权 限加固对网络设备的管理 权限进行划分和限 制，将登录口令密 文保存在配置文件 中，确保系统帐号 口令长度和复杂度 满足安全要求,避 免使用弱口令1、加强用户认证，对网络设备的 管理权限进行划分和限制2、修改帐号存在的弱口令（包括 SNM社区串），设置网络系统的 口令长度8位3、禁用不需要的用户4、对口令进行加密存储1、Cen tral(co nfig)# user name bria n privilege 5 password g00d+pa55w0rdCen tral(con fig)# line con 0Central(config-line)# login localCe

2、n tral(con fig-li ne)# enden able secret level 5privilege exec level 15 show loggi ng2、password <passwd>En able sec <passwd>Snm p-server com mun ity <passwd>3、no user name4、service password-encryption;例外： SNMP community strings、RADIUS keys TACACS+ keys2.网络服 务加固关闭网络设备中不 安全的服务，确保网络设

3、备只开启承载业务所必需 的网络服务1、禁用httpserver，或者对 httpserver 进行访问控制1. Cen tral(c on fig)# no ip http serverSet up user names and passwordsCreate and apply an IP access list to limit access to the webserver. Con figure and en able syslog logg ingSample:Cen tral(c on fig)# ! Add web adm in users, the n turn on http

4、 authCen tral(c on fig)# user name n zWeb priv 15 password 0 C5-A1rCarg0Cen tral(c on fig)# ip http auth localCen tral(c on fig)# ! Create an IP access list for web accessCen tral(c on fig)# no access-list 29Cen tral(co nfig)# access-list 29 permit host 14.2618 log Cen tral(co nfig)# access-list 29

5、permit 55 log Cen tral(c on fig)# access-list 29 deny any logCen tral(c on fig)# ! Apply the access list the n start the serverCen tral(c on fig)# ip http access-class 29Cen tral(c on fig)# ip http serverCen tral(c on fig)# exit2、关闭不必要的 SNMP艮务，若? Explicitly unset (erase) all existing

6、 community strings. 必须使用，应采用 SNMPv以 ? Disable SNMP system shutdown and trap features. 上版本并启用身份验证、更改？ Disable SNMP system processing.默认社区串Cen tral(c on fig)# ! erase old com mun ity stri ngsCen tral(c on fig)# no sn mp-server com mun ity public RO Cen tral(c on fig)# no sn mp-server com mun ity admin

7、 RW Cen tral(c on fig)#Cen tral(c on fig)#! disable SNMPrap and system-shutdow n featuresCen tral(c on fig)# no sn mp-server en able trapsCen tral(c on fig)# no sn mp-server system-shutdow nCen tral(c on fig)# no sn mp-server trap-authCen tral(c on fig)#Cen tral(co nfig)# ! disable the SNMP serviceC

8、en tral(c on fig)# no sn mp-serverCen tral(c on fig)# endEast(config)# access-list 20 permit 3、禁用与承载业务无关的服务 （例如 dhcp-relay、IGMRCDPRUNbootp 服务等）East(c on fig)# sn mp-server group admi nistrator v3 auth read admi nview write admi nviewEast(c on fig)# sn mp-server user root admi nistrator v3 au

9、th md5“ secret ” access 20East(c on fig)# sn mp-server view admi nview internet in cluded East(c on fig)# sn mp-server view admi nview ip.ipAddrTable excl East(c on fig)# sn mp-server view admi nview ip.ipRouteTable excl East(c on fig)# exit3.no cdp runNo service dhcpNo ip bootp server停掉 tcp、udp sma

10、ll servers，类似 echo、daytime、chargen、discard 等；no service tcp-small-serversno service udp-small-servers no service fin ger no ip http server3.网络访 问控制 加固远程控制有安全机 制保证，限制能够 访问本机的用户或 P地址1、对可管理配置网络设备的网 段通过访问控制列表进行限 制South(c on fig)# no access-list 92South(config)# access-list 92 permit South(confi

11、g)# access-list 92 permit South(config)# line vty 0 4South(c on fig-l ine)# access-class 92 in2、使用SSH等安全方式登录,禁 用TELNET方式North(co nfig)# no access-list 12North(co nfig)# access-list 12 permit host logNorth(config)# line vty 0 4North(c on fig-l in e)# access-class 12 inNorth(co nfig)

12、# user name joeadm in password 0 1-g00d-pa$wordNorth(config)# line vty 0 4North(c on fig-l in e)# log in localNorth(c on fig-l in e)# exitNorth(c on fig)#host northNorth(co nfig)#ip doma in-n ame North(co nfig)# crypto key gen erate rsaThe n ame for the keys will be: NChoose the s

13、ize of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few mi nu tes.How ma ny bits in the modulus 512: 2048Generating RSA Keys .OKNorth(co nfig)#If this comma nd succeeds, the SSH server is en abled and running.By default

14、, the SSHservice will be present on the router wheneve an RSAkey pair exists, but it will not be used un til you con figure it, as detailed below. If you delete the router' s RSA key pair,then the SSH server will stop. crypto key zeroize rsa.North(c on fig)# ip ssh time-out 90North(co nfig)# ip

15、ssh authe nticatio n-retries 2North(config)# line vty 0 4North(c on fig-l in e)# tran sport in put sshNorth(c on fig-l in e)# exitNorth(config)# line vty 5 15North(c on fig-li ne)# tran sport in put noneNorth(c on fig-l in e)# exit3、对SNM进行ACL空希9snm p-server com mun ity public rosnm p-server com mun

16、ity ourCommStr rosnm p-server com mun ity topsecret rw 60snm p-server com mun ity hideit ro view n oRouteTable access-list 60 permit access-list 60 permit snm p-server view n oRouteTable internet in cluded snm p-server view n oRouteTable ip.21 excluded snm p-server view n oRouteTable

17、 ip.22 excluded snm p-server view n oRouteTable ifMIB excluded4.审计策 略加固配置网络设备的安 全审计功能，设置日志缓 存大小，指定日志服务器1、为网络设备指定日志服务器2、合理配置日志缓冲区大小Cen tral(c on fig)# logg ing onCentral(config)# logging Cen tral(co nfig)# loggi ng buffered 16000Cen tral(c on fig)# logg ing con sole critical Cen tral(c on fig

18、)# logg ing trap in formatio nalCen tral(c on fig)# logg ing facility local15.恶意代 码防范配置访问控制策，对蠕虫端口进行屏蔽，关闭不安全的服务避免被入 侵者利用1、屏蔽病毒常用的网络端口2、使用TCPkeepalives服务以杀 死僵连接3、禁止IP源路由功能1. ACL2. service tcp-keepalives-in.3. no ip source-routeRouter Security ChecklistThis security checklist is designed to help you r

19、eview your router security configuration,and remind you of any securityarea you might have missed.? Router security policy written, approved, distributed.? Router IOS version checked and up to date.? Router configuration kept off-line, backed up, access to it limited.? Router configuration is well-d

20、ocumented, commented.? Router users and passwords con figured and maintain ed.? Password encryption in use, enable secret in use.? Enable secret difficult to guess,knowledge of it strictly limited. (if not, change the enable secret immediately)? Access restricti ons imposed on Con sole, Aux, VTYs.? Unneeded network servers and facilities disabled.? Necessary n etwork services con figured correctly (e.g. DNS)? Unu sed in terfaces and VTYs sh