Cisco路由器autosecure命令小結

　　 

    路由器命令auto secure用起來比較方便，而且可以關閉一些不安全的服務和啟用一些安全的服務。這里對這個命令做了一個總結。（注：ios版本為：12.3（1）以上才支持使用）

    總結如下：

    1、關閉一些全局的不安全服務如下：

    Finger

    PAD

    Small Servers

    Bootp

    HTTP service

    Identification Service

    CDP

    NTP

    Source Routing

    2、開啟一些全局的安全服務如下：

    Password-encryption service

    Tuning of scheduler interval/allocation

    TCP synwait-time

    TCP-keepalives-in and tcp-kepalives-out

    SPD configuration

    No ip unreachables for null 0

    3、關閉接口的一些不安全服務如下：

    ICMP

    Proxy-Arp

    Directed Broadcast

    Disables MOP service

    Disables icmp unreachables

    Disables icmp mask reply messages.

    4、提供日志安全如下：

    Enables sequence numbers & timestamp

    Provides a console log

    Sets log buffered size

    Provides an interactive dialogue to configure the logging server ip address.

    5、保護訪問路由器如下：

    Checks for a banner and provides facility to add text to automatically configure：

    Login and password

    Transport input & output

    Exec-timeout

    Local AAA

    SSH timeout and ssh authentication-retries to minimum number

    Enable only SSH and SCP for aclearcase/" target="_blank" >ccess and file transfer to/from the router

    6、保護轉發Forwarding Plane

    Enables Cisco Express Forwarding （CEF） or distributed CEF on the router， when available

    Anti-spoofing

    Blocks all IANA reserved IP address blocks

    Blocks private address blocks if customer desires

    Installs a default route to NULL 0， if a default route is not being used

    Configures TCP intercept for connection-timeout， if TCP intercept feature is available and the user is interested

    Starts interactive configuration for CBAC on interfaces facing the Inte.net， when using a Cisco IOS Firewall image，

    Enables NetFlow on software forwarding platforms

原文轉自：http://www.kjueaiud.com