分析一条Cisco路由器的安全命令

前两天在路由器试用了一个命令：auto secure，这个命令用起来比较方便，而且可以关闭一些不安全的服务和启用一些安全的服务。然后对这个命令做了一个总结。（注：好像ios版本为：12.3（1）以上才支持使用）

总结如下：

1、关闭一些全局的不安全服务如下：

Finger

PAD

Small Servers

Bootp

HTTP service

Identification Service

CDP

NTP

Source Routing

2、开启一些全局的安全服务如下：

Password-encryption service

Tuning of scheduler interval/allocation

TCP synwait-time

TCP-keepalives-in and tcp-kepalives-out

SPD configuration

No ip unreachables for null 0

3、关闭接口的一些不安全服务如下：

ICMP

Proxy-Arp

Directed Broadcast

Disables MOP service

Disables icmp unreachables

Disables icmp mask reply messages.

4、提供日志安全如下：

Enables sequence numbers & timestamp

Provides a console log

Sets log buffered size

Provides an interactive dialogue to configure the logging server ip address.

5、保护访问路由器如下：

Checks for a banner and provides facility to add text to automatically configure：

Login and password

Transport input & output

Exec-timeout

Local AAA

SSH timeout and ssh authentication-retries to minimum number

Enable only SSH and SCP for access and file transfer to/from the router

6、保护转发Forwarding Plane

Enables Cisco Express Forwarding （CEF） or distributed CEF on the router， when available

Anti-spoofing

Blocks all IANA reserved IP address blocks

Blocks private address blocks if customer desires

Installs a default route to NULL 0， if a default route is not being used

Configures TCP intercept for connection-timeout， if TCP intercept feature is available and the user is interested

Starts interactive configuration for CBAC on interfaces facing the Internet， when using a Cisco IOS Firewall image，

Enables NetFlow on software forwarding platforms