路由器安全配置速查表（三）

Specific Recommendations: Logging & Debugging

1. Turn on the router’s logging capability, and use it to log errors and blocked packets to an internal (trusted) syslog host. Make sure that the router blocks syslog traffic from untrusted networks. See example commands below. ks.54yjs.cn

Central(config)# logging on
Central(config)# logging 14.2.9.1
Central(config)# logging buffered
Central(config)# logging console critical
Central(config)# logging trap informational
Central(config)# logging facility local1 ks.54yjs.cn

2. Configure the router to include time information in the logging. Configure at least two different NTP servers to ensure availability of good time information. This will allow an administrator to trace network attacks more accurately. See example commands below. ks.54yjs.cn

East(config)# service timestamps log datetime localtime show-timezone msec
East(config)# clock timezone GMT 0
East(config)# ntp server 14.1.1.250
East(config)# ntp server 14.2.9.1 

3. If your network requires SNMP, then configure an SNMP ACL and hard-to-guess SNMP community strings. The example commands below show how to remove the default community strings and set a better read-only community string, with an ACL.

East(config)# no snmp community public ro
East(config)# no snmp community private rw
East(config)# no access-list 51
East(config)# access-list 51 permit 14.2.9.1
East(config)# snmp community BTRl8+never ro 51

This security checklist is designed to help you review your router security configuration, and remind you of any security area you might have missed.

• Router security policy written, approved, distributed.
• Router IOS version checked and up to date.
• Router configuration kept off-line, backed up, access to it limited.
• Router configuration is well-documented, commented.
• Router users and passwords configured and maintained.
• Password encryption in use, enable secret in use.
• Enable secret difficult to guess, knowledge of it strictly limited. (if not, change the enable secret immediately). 
• Access restrictions imposed on Console, Aux, VTYs. 
• Unneeded network servers and facilities disabled. 
• Necessary network services configured correctly (e.g. DNS) 
• Unused interfaces and VTYs shut down or disabled. 
• Risky interface services disabled. 
• Port and protocol needs of the network identified and checked. 
• Access lists limit traffic to identified ports and protocols. 
• Access lists block reserved and inappropriate addresses. 
• Static routes configured where necessary. 
• Routing protocols configured to use integrity mechanisms. 
• Logging enabled and log recipient hosts identified and configured. 
• Router’s time of day set accurately, maintained with NTP. 
• Logging set to include consistent time information. 
• Logs checked, reviewed, archived in accordance with local policy. 
• SNMP disabled or enabled with good community strings and ACLs.