1. Account and privilege hardening

Objective: partition and restrict administrative privileges on the network device, store login passwords in the configuration file only in encrypted form, make sure system account passwords meet the required length and complexity, and avoid weak passwords.

Measures:
  1) Strengthen user authentication; partition and restrict administrative privileges on the device.
  2) Change any weak passwords on existing accounts (including SNMP community strings); set the system password length to 8 characters.
  3) Disable user accounts that are not needed.
  4) Store passwords in encrypted form.

Configuration examples:
  1) Central(config)# username brian privilege 5 password g00d+pa55w0rd
     Central(config)# line con 0
     Central(config-line)# login local
     Central(config-line)# end
     enable secret level 5 <passwd>
     privilege exec level 15 show logging
  2) password <passwd>
     enable secret <passwd>
     snmp-server community <passwd>
  3) no username <user>
  4) service password-encryption
     (Exceptions: this command does not protect SNMP community strings, RADIUS keys or TACACS+ keys.)

2. Network service hardening

Objective: turn off insecure services on the network device and make sure only the services required to carry the business traffic are enabled.

Measures:
  1) Disable the HTTP server, or put access control in front of it.
  2) Turn off SNMP if it is not needed. If it must be used, use SNMPv3 or later, enable authentication, and change the default community strings.
  3) Disable services unrelated to the business traffic (for example dhcp-relay, IGMP, CDP, bootp). Stop the TCP and UDP small servers (echo, daytime, chargen, discard and similar).

Configuration examples:
  1) Central(config)# no ip http server

     If the web server must stay on: set up usernames and passwords, create and apply an IP access list to limit access to the web server, and configure and enable syslog logging. Sample:

     Central(config)# ! Add web admin users, then turn on http auth
     Central(config)# username nzWeb priv 15 password 0 C5-A1rCarg0
     Central(config)# ip http auth local
     Central(config)# ! Create an IP access list for web access
     Central(config)# no access-list 29
     Central(config)# access-list 29 permit host 14.2618 log
     Central(config)# access-list 29 permit 55 log
     Central(config)# access-list 29 deny any log
     Central(config)# ! Apply the access list then start the server
     Central(config)# ip http access-class 29
     Central(config)# ip http server
     Central(config)# exit

  2) Explicitly unset (erase) all existing community strings. Disable the SNMP system-shutdown and trap features. Disable SNMP system processing.

     Central(config)# ! erase old community strings
     Central(config)# no snmp-server community public RO
     Central(config)# no snmp-server community admin RW
     Central(config)#
     Central(config)# ! disable SNMP trap and system-shutdown features
     Central(config)# no snmp-server enable traps
     Central(config)# no snmp-server system-shutdown
     Central(config)# no snmp-server trap-auth
     Central(config)#
     Central(config)# ! disable the SNMP service
     Central(config)# no snmp-server
     Central(config)# end

     If SNMP is required, use SNMPv3 with authentication, restricted by an access list and a view:

     East(config)# access-list 20 permit
     East(config)# snmp-server group administrator v3 auth read adminview write adminview
     East(config)# snmp-server user root administrator v3 auth md5 "secret" access 20
     East(config)# snmp-server view adminview internet included
     East(config)# snmp-server view adminview ip.ipAddrTable excluded
     East(config)# snmp-server view adminview ip.ipRouteTable excluded
     East(config)# exit

  3) no cdp run
     no service dhcp
     no ip bootp server
     no service tcp-small-servers
     no service udp-small-servers
     no service finger
     no ip http server

3. Network access control hardening

Objective: remote management is protected by a security mechanism; the users and IP addresses allowed to reach the device are restricted.

Measures:
  1) Restrict, with access control lists, the network segments from which the device may be managed and configured.
  2) Log in over a secure method such as SSH; disable TELNET.
  3) Apply ACL control to SNMP.

Configuration examples:
  1) South(config)# no access-list 92
     South(config)# access-list 92 permit
     South(config)# access-list 92 permit
     South(config)# line vty 0 4
     South(config-line)# access-class 92 in

  2) North(config)# no access-list 12
     North(config)# access-list 12 permit host log
     North(config)# line vty 0 4
     North(config-line)# access-class 12 in
     North(config)# username joeadmin password 0 1-g00d-pa$word
     North(config)# line vty 0 4
     North(config-line)# login local
     North(config-line)# exit
     North(config)# hostname north
     North(config)# ip domain-name
     North(config)# crypto key generate rsa
     The name for the keys will be: N
     Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
     How many bits in the modulus [512]: 2048
     Generating RSA Keys ...
     [OK]
     North(config)#

     If this command succeeds, the SSH server is enabled and running. By default, the SSH service is present on the router whenever an RSA key pair exists, but it is not used until you configure it as shown below. If you delete the router's RSA key pair (crypto key zeroize rsa), the SSH server stops.

     North(config)# ip ssh time-out 90
     North(config)# ip ssh authentication-retries 2
     North(config)# line vty 0 4
     North(config-line)# transport input ssh
     North(config-line)# exit
     North(config)# line vty 5 15
     North(config-line)# transport input none
     North(config-line)# exit

  3) snmp-server community public ro
     snmp-server community ourCommStr ro
     snmp-server community topsecret rw 60
     snmp-server community hideit ro view noRouteTable
     access-list 60 permit
     access-list 60 permit
     snmp-server view noRouteTable internet included
     snmp-server view noRouteTable ip.21 excluded
     snmp-server view noRouteTable ip.22 excluded
     snmp-server view noRouteTable ifMIB excluded

4. Audit policy hardening

Objective: configure the device's security audit function, set the log buffer size, and designate a log server.

Measures:
  1) Designate a log server for the network device.
  2) Configure a reasonable log buffer size.

Configuration examples:
  Central(config)# logging on
  Central(config)# logging
  Central(config)# logging buffered 16000
  Central(config)# logging console critical
  Central(config)# logging trap informational
  Central(config)# logging facility local1

5. Malicious code prevention

Objective: configure access control policies to block the ports used by worms, and turn off insecure services so that intruders cannot exploit them.

Measures:
  1) Block the network ports commonly used by viruses.
  2) Use the TCP keepalives service to kill dead connections.
  3) Disable IP source routing.

Configuration examples:
  1) ACL
  2) service tcp-keepalives-in
  3) no ip source-route

Router Security Checklist

This security checklist is designed to help you review your router security configuration, and remind you of any security area you might have missed.

- Router security policy written, approved, distributed.
- Router IOS version checked and up to date.
- Router configuration kept off-line, backed up, access to it limited.
- Router configuration is well-documented, commented.
- Router users and passwords configured and maintained.
- Password encryption in use, enable secret in use.
- Enable secret difficult to guess, knowledge of it strictly limited. (If not, change the enable secret immediately.)
- Access restrictions imposed on Console, Aux, VTYs.
- Unneeded network servers and facilities disabled.
- Necessary network services configured correctly (e.g. DNS).
- Unused interfaces and VTYs sh
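As an added example that is not part of the original document, the following Python script audits a Cisco IOS running-config against the hardening items above (password encryption, CDP and small servers, HTTP server access control, SNMP community strings, syslog server, SSH-only vty lines with an inbound access-class). The sample configuration, the list of required commands and the finding messages are constructed for illustration and are not taken from the page.

```python
import re

# Constructed sample running-config (not taken from the page); it mixes compliant
# and non-compliant settings so the audit below has something to report.
SAMPLE_CONFIG = """\
service password-encryption
ip http server
snmp-server community public RO
snmp-server community hideit ro view noRouteTable 60
logging 192.0.2.10
line vty 0 4
 transport input telnet ssh
 access-class 12 in
line vty 5 15
 transport input none
"""

# Global commands the table expects verbatim (items 1.4, 2.3, 5.2 and 5.3).
REQUIRED_GLOBAL = ["service password-encryption", "no cdp run", "no ip source-route",
                   "no service tcp-small-servers", "service tcp-keepalives-in"]

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    # Unindented lines are global commands; a 'line vty' header plus its indented
    # children forms one block (IOS indents a section's sub-commands by one space).
    top = [ln.strip() for ln in text.splitlines() if ln.strip() and ln[0] not in " !"]
    vty_blocks = re.findall(r"^line vty[^\n]*(?:\n [^\n]*)*", text, re.M)
    findings = [f"missing: {cmd}" for cmd in REQUIRED_GLOBAL if cmd not in top]
    # Item 2.1: HTTP server is off, or at least restricted by an access-class.
    if "ip http server" in top and not any(g.startswith("ip http access-class") for g in top):
        findings.append("ip http server enabled without access-class")
    # Items 1.2 and 3.3: no default community strings, and every community has an ACL.
    for m in filter(None, (re.match(r"snmp-server community (\S+)(.*)", g) for g in top)):
        if m.group(1).lower() in ("public", "private"):
            findings.append(f"default SNMP community: {m.group(1)}")
        if not re.search(r"\s\d+$", m.group(2)):
            findings.append(f"SNMP community {m.group(1)} has no access-list")
    # Item 4: a syslog server must be configured.
    if not any(re.match(r"logging (host )?\d+\.\d+\.\d+\.\d+$", g) for g in top):
        findings.append("no syslog server configured")
    # Items 3.1 and 3.2: active vty lines accept SSH only and carry an inbound ACL.
    for block in vty_blocks:
        header, *kids = [ln.strip() for ln in block.splitlines()]
        if "transport input none" in kids:
            continue                        # line disabled for remote access
        if "transport input ssh" not in kids:
            findings.append(f"{header}: transport input is not ssh-only")
        if not any(k.startswith("access-class") and k.endswith(" in") for k in kids):
            findings.append(f"{header}: no inbound access-class")
    return findings
```

Running audit(SAMPLE_CONFIG) reports eight findings for the sample, including the missing `no cdp run`, the unrestricted HTTP server, the default `public` community and the telnet-capable vty 0 4; a config that applies every item returns an empty list.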