Secure configuration for a Cisco router

The default configuration of a Cisco router is far from secure. Although many 'security templates' are available on the Internet, most of them are outdated and do not use the features of IOS 12.4T.

General config
Code
! one configuration session at a time; the lock is released after 600 s of inactivity
configuration mode exclusive auto expire 600

hostname Router

no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service sequence-numbers
no service dhcp

logging buffered 64000 informational
logging persistent url flash:/LOG size 4096000 filesize 64000
no logging console
no logging monitor
logging origin-id hostname
logging source-interface Loopback0
logging count
logging x.x.x.x
logging y.y.y.y

aaa new-model
aaa local authentication attempts max-fail 10
aaa authentication login default local
aaa authentication enable default enable
aaa authorization console
aaa authorization exec default local

username user privilege 1 secret 5 <MD5>
username admin privilege 15 secret 5 <MD5>

enable secret 5 <MD5>

no ip source-route
ip options drop

ip cef

ip dhcp bootp ignore
no ip bootp server

no ip domain lookup

memory reserve critical 16000

secure boot-image

warm-reboot count 10

archive
 log config
  logging enable
  logging size 1000
  hidekeys
 path flash:/ARCHIVE/config
 write-memory

no ip http server
no ip http secure-server

no cdp run


Lines
Code
line con 0
 exec-timeout 60 0
 logging synchronous
 transport preferred none
 transport output none

line aux 0
 exec-timeout 60 0
 logging synchronous
 transport preferred none
 transport output none

! n = highest vty number on the platform (placeholder)
! no exec + transport input none: the vty lines are disabled, management is console-only
line vty 0 n
 no exec
 transport input none
 transport output none


Interfaces
Code
interface Null0
 no ip unreachables

interface Loopback0
 no ip redirects
 no ip unreachables
 no ip proxy-arp

interface FastEthernet0/0
 no ip redirects
 no ip proxy-arp
 no mop enabled
 no cdp enable


NTP
Code
ntp authentication-key 1 md5 <MD5> 7
ntp authenticate
ntp trusted-key 1
ntp source Loopback0
ntp update-calendar
ntp server x.x.x.x key 1
ntp server y.y.y.y key 1
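
An added example, not code from the original page: a Python script that audits a saved running-config against the General config, Lines and Interfaces sections above. It flags missing global commands, routed interfaces that lack `no ip redirects`, `no ip proxy-arp` or `no cdp enable`, and vty lines that still accept Telnet or have no exec timeout. The sample config, its syslog address 192.0.2.10 and the gaps it contains are constructed for the example; the check list is a subset of the baseline, not a complete compliance test.

```python
import re

# Global commands the baseline above expects verbatim in the running-config.
REQUIRED_GLOBAL = [
    "service password-encryption",
    "no service pad",
    "aaa new-model",
    "no ip source-route",
    "ip options drop",
    "no ip http server",
    "no ip http secure-server",
    "no cdp run",
    "ntp authenticate",
]

# Sub-mode commands expected on every routed interface except Loopback/Null.
REQUIRED_IFACE = ["no ip redirects", "no ip proxy-arp", "no cdp enable"]


def parse_stanzas(text):
    """Split a running-config into (header, [sub-mode lines]) tuples.

    IOS prints sub-mode commands with a leading space and top-level commands
    without one, so indentation alone rebuilds the hierarchy. Single-line
    global commands come back with an empty body."""
    stanzas, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            stanzas.append(current)
    return stanzas


def audit_config(text):
    """Return a list of findings; an empty list means the config passes."""
    stanzas = parse_stanzas(text)
    top_level = {header for header, _ in stanzas}
    findings = []

    for cmd in REQUIRED_GLOBAL:
        if cmd not in top_level:
            findings.append(f"global: missing '{cmd}'")
    if not any(h.startswith("enable secret") for h in top_level):
        findings.append("global: no 'enable secret' configured")
    if any(h.startswith("enable password") for h in top_level):
        findings.append("global: reversible 'enable password' present")
    if not any(re.fullmatch(r"logging \d+\.\d+\.\d+\.\d+", h) for h in top_level):
        findings.append("global: no remote syslog host")

    for header, body in stanzas:
        if header.startswith("interface "):
            name = header.split(" ", 1)[1]
            if name.startswith(("Loopback", "Null")):
                continue
            for cmd in REQUIRED_IFACE:
                if cmd not in body:
                    findings.append(f"{name}: missing '{cmd}'")
        elif header.startswith("line vty"):
            transport = next((b for b in body if b.startswith("transport input")), "")
            allowed = transport.split()[2:]
            if not allowed or not set(allowed) <= {"none", "ssh"}:
                findings.append(f"{header}: transport input must be none or ssh")
            timeout = next((b for b in body if b.startswith("exec-timeout")), "")
            if not timeout or all(v == "0" for v in timeout.split()[1:]):
                findings.append(f"{header}: exec-timeout missing or disabled")
    return findings


# Constructed sample running-config (not from a real device): a router that
# applied part of the baseline and left a few gaps for the audit to find.
SAMPLE_CONFIG = """\
hostname Router
service password-encryption
no service pad
aaa new-model
enable secret 5 <MD5>
no ip source-route
ip options drop
ip http server
no ip http secure-server
logging 192.0.2.10
no cdp run
ntp authenticate
!
interface Loopback0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface FastEthernet0/0
 no ip redirects
 no mop enabled
 no cdp enable
!
line vty 0 4
 exec-timeout 0 0
 transport input telnet
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run against a real device by feeding it the output of `show running-config` saved to a file; the parser relies on the one-space indentation IOS uses for sub-mode commands, so keep the text as the router printed it.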


Basic control-plane protection (CPPr) against DoS
Valid for 12.4(15)T; the syntax will change in the 12.4(16)T release.
Code
class-map match-any CPPR_HOST_CRITICAL
 match protocol bgp

class-map match-any CPPR_HOST_ICMP
 match protocol icmp

class-map match-any CPPR_HOST_NORMAL
 match protocol ntp
 match protocol ssh
 match protocol sntp

class-map match-any CPPR_HOST_IP
 match protocol ip

class-map match-any CPPR_TRANSIT_CRITICAL
 match protocol ospf
 match protocol bgp

class-map match-any CPPR_TRANSIT_IP
 match protocol ip

class-map match-any CPPR_CEF-EXCEPTION_CRITICAL
 match protocol arp

class-map match-any CPPR_CEF-EXCEPTION_IP
 match protocol ip


! a class with no action passes its traffic to the CPU without a rate limit;
! the *_IP classes match all remaining IP traffic (catch-all)
policy-map CPPR_HOST
 class CPPR_HOST_CRITICAL
 class CPPR_HOST_ICMP
  police 128000
 class CPPR_HOST_NORMAL
  police 512000
 class CPPR_HOST_IP
  drop

policy-map CPPR_TRANSIT
 class CPPR_TRANSIT_CRITICAL
 class CPPR_TRANSIT_IP
  police 512000

policy-map CPPR_CEF-EXCEPTION
 class CPPR_CEF-EXCEPTION_CRITICAL
 class CPPR_CEF-EXCEPTION_IP
  police 512000

control-plane host
 service-policy input CPPR_HOST
control-plane transit
 service-policy input CPPR_TRANSIT
control-plane cef-exception
 service-policy input CPPR_CEF-EXCEPTION
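
An added example, not part of the original template: a small Python interpreter for the CPPr policy above. It parses the class-maps, policy-maps and control-plane bindings and answers what the policy does to a given protocol on each sub-interface, which makes two properties explicit: the CRITICAL classes carry no policer, so routing-protocol and ARP traffic reaches the CPU without a rate limit, and `match protocol ip` acts as a catch-all that drops everything unclassified on the host sub-interface. The parser handles only the MQC subset used here, and treating `match protocol ip` as a catch-all for every IP protocol (but not ARP) is an assumption made for the example.

```python
# CPPr configuration from the section above, copied in without blank lines.
CPPR_CONFIG = """
class-map match-any CPPR_HOST_CRITICAL
 match protocol bgp
class-map match-any CPPR_HOST_ICMP
 match protocol icmp
class-map match-any CPPR_HOST_NORMAL
 match protocol ntp
 match protocol ssh
 match protocol sntp
class-map match-any CPPR_HOST_IP
 match protocol ip
class-map match-any CPPR_TRANSIT_CRITICAL
 match protocol ospf
 match protocol bgp
class-map match-any CPPR_TRANSIT_IP
 match protocol ip
class-map match-any CPPR_CEF-EXCEPTION_CRITICAL
 match protocol arp
class-map match-any CPPR_CEF-EXCEPTION_IP
 match protocol ip
policy-map CPPR_HOST
 class CPPR_HOST_CRITICAL
 class CPPR_HOST_ICMP
  police 128000
 class CPPR_HOST_NORMAL
  police 512000
 class CPPR_HOST_IP
  drop
policy-map CPPR_TRANSIT
 class CPPR_TRANSIT_CRITICAL
 class CPPR_TRANSIT_IP
  police 512000
policy-map CPPR_CEF-EXCEPTION
 class CPPR_CEF-EXCEPTION_CRITICAL
 class CPPR_CEF-EXCEPTION_IP
  police 512000
control-plane host
 service-policy input CPPR_HOST
control-plane transit
 service-policy input CPPR_TRANSIT
control-plane cef-exception
 service-policy input CPPR_CEF-EXCEPTION
"""


def parse_mqc(text):
    """Minimal parser for the MQC subset used above: class-maps with
    'match protocol', policy-maps with 'police <bps>' or 'drop', and
    control-plane sub-interfaces with 'service-policy input'."""
    class_maps, policy_maps, bindings = {}, {}, {}
    section = None  # (kind, name) of the block currently being read
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        if words[0] == "class-map":
            section = ("class", words[-1])
            class_maps[words[-1]] = []
        elif words[0] == "policy-map":
            section = ("policy", words[1])
            policy_maps[words[1]] = []  # ordered list of [class, action]
        elif words[0] == "control-plane":
            section = ("cp", words[1])
        elif section is None:
            continue
        elif section[0] == "class" and words[:2] == ["match", "protocol"]:
            class_maps[section[1]].append(words[2])
        elif section[0] == "policy" and words[0] == "class":
            # A class with no action line passes its traffic without a rate limit.
            policy_maps[section[1]].append([words[1], "transmit"])
        elif section[0] == "policy" and words[0] == "police":
            policy_maps[section[1]][-1][1] = "police " + words[1]
        elif section[0] == "policy" and words[0] == "drop":
            policy_maps[section[1]][-1][1] = "drop"
        elif section[0] == "cp" and words[:2] == ["service-policy", "input"]:
            bindings[section[1]] = words[2]
    return class_maps, policy_maps, bindings


def resolve(cfg, subif, protocol):
    """Action the policy bound to control-plane <subif> applies to <protocol>.
    Classes are evaluated top-down as IOS does; 'match protocol ip' is assumed
    to catch every IP protocol (ARP is not IP); unmatched traffic falls into
    the implicit class-default, which transmits."""
    class_maps, policy_maps, bindings = cfg
    if subif not in bindings:
        return "no policy"
    for cls, action in policy_maps[bindings[subif]]:
        protos = class_maps.get(cls, [])
        if protocol in protos or ("ip" in protos and protocol != "arp"):
            return action
    return "transmit"


def unpoliced_classes(cfg):
    """Per policy-map, the classes whose traffic reaches the CPU with no rate limit."""
    return {name: [cls for cls, action in entries if action == "transmit"]
            for name, entries in cfg[1].items()}
```

Calling `unpoliced_classes(parse_mqc(CPPR_CONFIG))` lists exactly the three CRITICAL classes; that is the set of traffic a CPU-exhaustion review should look at first, since the policers never touch it.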
