Basic working principle of router and its security setting management

Working principle of a router

A router is a device that works at the network layer (IP) to forward packets between subnets. Architecturally it is split into a control plane and a data plane (the forwarding path). On the control plane, routers exchange network topology information with one another through routing protocols, of which there are several kinds, and dynamically build routing tables from that topology. On the data plane, the forwarding engine receives an IP packet from an input line, parses the packet header, looks up the output port in the forwarding table, rewrites the header (for example decrementing the TTL and updating the checksum and link-layer addresses), and transmits the packet on the output line. The forwarding table is derived from the routing table: its entries correspond directly to routing-table entries, but it is stored in a format optimised for fast lookup rather than for protocol processing. The main forwarding steps are line input, header analysis, buffering, header modification and line output.

Routing protocols build routing tables dynamically from the network topology. The Internet is divided into administrative regions called autonomous systems (AS), each identified by an AS number, so that routing can be managed per AS. Routing protocols are accordingly divided into intra-domain (interior gateway) and inter-domain (exterior gateway) protocols. Intra-domain protocols such as OSPF and IS-IS flood link-state information describing the topology among the routers of one administrative domain, and each router computes its routing table from the resulting link-state database. Inter-domain protocols such as BGP exchange reachability information only between explicitly configured neighbours over point-to-point (TCP) sessions; they do not use multicast.

Router architecture

The control plane of a router runs on a general-purpose CPU and has changed little over the years. For high availability, dual control processors are used in a master/standby arrangement so that the failure of the active one does not bring down the router. The data plane, by contrast, is implemented in different ways to match different line rates and system capacities, and router architectures are classified by how the forwarding engine is realised. Broadly, there are software-forwarding routers and hardware-forwarding routers. Software-forwarding routers forward packets in CPU software and are subdivided by the number of CPUs into single-CPU centralised and multi-CPU distributed designs. Hardware-forwarding routers use network processors (NPs) and are subdivided, by the number of network processors and where they sit in the chassis, into single-NP centralised, multi-NP load-sharing parallel, distributed, and centralised-switching designs.

For an attacker, a router is often an easier target than the hosts behind it: exploiting a router vulnerability can waste its CPU cycles, redirect or intercept traffic, or take down the whole network segment. A well-designed router protects itself with built-in security mechanisms, but these alone are not enough; the network administrator must also apply appropriate security measures when configuring and managing the router.

1. Blocking security holes

Restricting physical access to the router is one of the most effective ways to protect it, since anyone with console access can usually reset the passwords through the vendor's recovery procedure. Configure the console and terminal sessions to time out after a short idle period, so that an unattended logged-in console cannot be used by a passer-by, and do not connect a modem to the router's auxiliary port, which would turn it into a dial-in back door. Once physical access is restricted, keep the router's software and security patches up to date. Vulnerabilities are often disclosed publicly before the vendor ships a fix, and attackers use that window against unpatched systems, so track vendor advisories and decide how exposed devices will be protected in the meantime.

2. Avoiding an identity crisis

Attackers routinely try weak or default passwords. Longer passwords (or passphrases) and a rotation period of 30 to 60 days help, and passwords must be changed immediately when an administrator who knew them leaves. Enable the router's password-encryption feature so that an attacker who obtains the configuration file does not read passwords in clear text; note, however, that on many platforms this feature is a reversible obfuscation rather than a hash, so where the platform offers a hashed form (such as an enable secret instead of an enable password), use that instead. Use proper authentication controls so that credentials are transmitted securely: most routers support protocols such as RADIUS (Remote Authentication Dial-In User Service) that hand the login request to an authentication server, normally on a back-end management network, so that administrative access is authenticated centrally. The authentication server can in turn require two-factor authentication, combining something the user has (a hardware or software token generator) with something the user knows (the user ID and PIN, entered together with the token's one-time passcode). Other approaches carry the credentials inside an encrypted channel such as Secure Shell (SSH) or IPsec.

3. Disabling unnecessary services

Routers ship with many services enabled, and each one is potential attack surface; security incidents have repeatedly shown the value of disabling local services that are not needed. Check dependencies before turning things off: disabling CDP (Cisco Discovery Protocol), for example, stops the router from advertising its platform and addresses to neighbours, but may break management tools that rely on it. Time is another consideration. Accurate, consistent time is essential for operating the network and for correlating logs across devices; even if clocks are synchronised at deployment, they drift apart over time. The Network Time Protocol (NTP) keeps device clocks aligned to an accurate time source. The best arrangement is not to let each router synchronise with the outside world directly, but to place an NTP server in a demilitarized zone (DMZ) segment protected by the firewall, configure that server to take time only from a few trusted external sources, and point the routers at it. Beyond that, a router rarely needs to run other services such as SNMP, DHCP or an HTTP management interface; enable these only when they are genuinely required.

4. Restricting logical access

Logical access is restricted mainly through properly constructed access control lists. Limiting remote terminal sessions keeps attackers from gaining logical access to the router. SSH is the preferred method; if Telnet cannot be avoided, use terminal access controls to limit it to trusted hosts by applying an access list to the virtual terminal (vty) lines that Telnet uses.
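
As an added example (not part of the original article), the following Python script audits an IOS-style router configuration for the weak settings covered in sections 1 to 4: idle timeouts, password handling, unnecessary services and access to the terminal lines. Both sample configurations are constructed for this example, the enable secret hash is a placeholder, and the finding codes (PWD-PLAIN, VTY-NOACL and so on) are invented for the script.

```python
"""Audit an IOS-style router configuration for the weak settings discussed in
sections 1 to 4.  Added example; both configurations are constructed."""
import re

WEAK_CONFIG = """\
no service password-encryption
enable password letmein
service tcp-small-servers
ip http server
cdp run
snmp-server community public RW
line con 0
 exec-timeout 0 0
line aux 0
 modem InOut
line vty 0 4
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
service password-encryption
enable secret 9 $9$PLACEHOLDER
no ip http server
no cdp run
ip access-list standard MGMT-HOSTS
 permit 192.0.2.10
snmp-server community Zk4q9vR2xLm8 RO MGMT-HOSTS
line con 0
 exec-timeout 5 0
line aux 0
 no exec
 transport input none
line vty 0 4
 access-class MGMT-HOSTS in
 exec-timeout 5 0
 transport input ssh
"""

DEFAULT_COMMUNITIES = {"public", "private"}
SNMP_RE = re.compile(r"snmp-server community (\S+)(?: view \S+)? (RO|RW)\b")


def parse_sections(config):
    """Split into global commands and the sub-commands of each 'line ...' block.
    Other indented blocks (ACLs, interfaces) are skipped for this audit."""
    global_cmds, line_blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):            # sub-command of the current block
            if current is not None:
                line_blocks[current].append(raw.strip())
            continue
        cmd, current = raw.strip(), None
        if cmd.startswith("line "):
            current = cmd[5:]
            line_blocks[current] = []
        else:
            global_cmds.append(cmd)
    return global_cmds, line_blocks


def audit(config):
    """Return 'CODE: explanation' findings; an empty list means nothing weak was found."""
    global_cmds, line_blocks = parse_sections(config)
    gset, out = set(global_cmds), []

    def has(prefix):
        return any(c.startswith(prefix) for c in gset)

    if "no service password-encryption" in gset:
        out.append("PWD-PLAIN: passwords are stored in clear text")
    if has("enable password ") and not has("enable secret "):
        out.append("PWD-ENABLE: 'enable password' is reversible; 'enable secret' stores a hash")
    for m in filter(None, map(SNMP_RE.match, global_cmds)):
        if m.group(1).lower() in DEFAULT_COMMUNITIES:
            out.append(f"SNMP-DEFAULT: well-known community string '{m.group(1)}'")
        if m.group(2) == "RW":
            out.append("SNMP-WRITE: read-write community allows remote configuration changes")
    if "ip http server" in gset:
        out.append("SVC-HTTP: HTTP management server enabled")
    if gset & {"service tcp-small-servers", "service udp-small-servers"}:
        out.append("SVC-SMALL: echo/chargen/discard small servers enabled")
    if "cdp run" in gset:
        out.append("SVC-CDP: CDP advertises platform and addresses to neighbours; check dependencies")
    for name, cmds in line_blocks.items():
        if "exec-timeout 0 0" in cmds:
            out.append(f"LINE-TIMEOUT: line {name} never times out an idle session")
        if name.startswith("aux") and any(c.startswith("modem") for c in cmds):
            out.append("AUX-MODEM: modem configured on the auxiliary port")
        if name.startswith("vty"):
            if any(c.startswith("transport input ") and {"telnet", "all"} & set(c.split()[2:])
                   for c in cmds):
                out.append(f"VTY-TELNET: line {name} accepts cleartext Telnet")
            if not any(c.startswith("access-class ") for c in cmds):
                out.append(f"VTY-NOACL: line {name} has no access-class limiting source hosts")
    return out


def finding_codes(config):
    """Only the codes, for comparing before/after configurations."""
    return sorted(f.split(":", 1)[0] for f in audit(config))
```

Running audit(WEAK_CONFIG) yields eleven findings and audit(HARDENED_CONFIG) none. The script only reports settings that are present in the text; a real audit should also confirm that the access list named in access-class exists and lists only the management hosts.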

The Internet Control Message Protocol (ICMP) is useful for troubleshooting, but it also lets attackers map network devices, learn local timestamps and netmasks, and guess operating system versions. To limit this, allow only the following ICMP messages into the network: network unreachable, host unreachable, port unreachable, fragmentation needed (packet too big), source quench, and time-to-live (TTL) exceeded; these are the error reports that path MTU discovery and traceroute depend on. Deny all other ICMP types, including echo request, timestamp request and address mask request. (Source quench has since been deprecated by RFC 6633 and can be dropped as well.)

Use inbound access control to steer each service only to the server that provides it: for example, admit SMTP traffic only to the mail server, DNS traffic only to the DNS server, and HTTP and HTTPS (HTTP over TLS/SSL) only to the web server. To reduce the router's exposure as a denial-of-service (DoS) target, drop inbound packets whose source address is unspecified (0.0.0.0), a loopback address, a broadcast or multicast address, or one of your own internal addresses (which can only be a forgery if it arrives from outside). DoS attacks cannot be prevented outright, but their impact can be limited: against TCP SYN floods, increase the backlog for half-open connections and shorten the time the router waits for the final ACK before discarding a half-open entry.

Outbound access control restricts traffic leaving the network: it prevents internal hosts from sending ICMP traffic outward and allows only packets with valid internal source addresses to leave. This egress filtering blocks IP address spoofing from inside and reduces the chance of your systems being used to attack another site.
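
The filtering rules of this section, written out as an added Python example (not from the original article) so that each decision can be tested against constructed packets. The internal prefix 198.51.100.0/24, the DMZ server addresses and the sample packets are assumptions; all addresses come from the documentation ranges.

```python
"""Inbound and outbound filtering policy from section 4.  Added example; the
prefixes, server addresses and sample packets are constructed."""
import ipaddress

INTERNAL = ipaddress.ip_network("198.51.100.0/24")   # assumed internal prefix
BROADCAST = ipaddress.ip_address("255.255.255.255")

# Assumed DMZ servers and the only (protocol, port) pairs each may receive.
SERVERS = {
    ipaddress.ip_address("203.0.113.25"): {("tcp", 25)},               # mail: SMTP only
    ipaddress.ip_address("203.0.113.53"): {("udp", 53), ("tcp", 53)},  # DNS
    ipaddress.ip_address("203.0.113.80"): {("tcp", 80), ("tcp", 443)}, # web: HTTP and HTTPS
}

# ICMP (type, code) pairs allowed in: the error reports that path MTU discovery
# and traceroute need.  Everything else, including echo request (8,0), timestamp
# request (13,0) and address mask request (17,0) used for reconnaissance, is dropped.
ALLOWED_ICMP_IN = {
    (3, 0),   # network unreachable
    (3, 1),   # host unreachable
    (3, 3),   # port unreachable
    (3, 4),   # fragmentation needed ("packet too big")
    (4, 0),   # source quench (deprecated by RFC 6633; listed because the text allows it)
    (11, 0),  # TTL exceeded in transit
}


def spoofed_source(src):
    """Sources that can never legitimately arrive on the outside interface."""
    return (src.is_unspecified or src.is_loopback or src.is_multicast
            or src == BROADCAST or src in INTERNAL)


def inbound_decision(pkt):
    """Filter for packets arriving from outside.  pkt has src, dst, proto and,
    depending on proto, dport or icmp_type/icmp_code."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    if spoofed_source(src):
        return ("deny", "spoofed or bogon source")
    if dst == BROADCAST or dst.is_multicast:
        return ("deny", "broadcast or multicast destination")
    if pkt["proto"] == "icmp":
        if (pkt.get("icmp_type"), pkt.get("icmp_code", 0)) in ALLOWED_ICMP_IN:
            return ("permit", "icmp error message")
        return ("deny", "icmp type not in allow-list")
    if (pkt["proto"], pkt.get("dport")) in SERVERS.get(dst, set()):
        return ("permit", f"{pkt['proto']}/{pkt['dport']} to published server")
    return ("deny", "no published service on that host/port")


def outbound_decision(pkt):
    """Egress filter: only our own addresses may leave, and no ICMP from inside."""
    src = ipaddress.ip_address(pkt["src"])
    if src not in INTERNAL:
        return ("deny", "source is not an internal address (anti-spoofing)")
    if pkt["proto"] == "icmp":
        return ("deny", "internal hosts may not send icmp out")
    return ("permit", "valid internal source")


# Constructed test traffic.
INBOUND_SAMPLES = [
    {"src": "192.0.2.7", "dst": "203.0.113.25", "proto": "tcp", "dport": 25},     # SMTP to mail
    {"src": "192.0.2.7", "dst": "203.0.113.25", "proto": "tcp", "dport": 22},     # SSH to mail
    {"src": "198.51.100.9", "dst": "203.0.113.80", "proto": "tcp", "dport": 443}, # our prefix from outside
    {"src": "127.0.0.1", "dst": "203.0.113.80", "proto": "tcp", "dport": 80},     # loopback source
    {"src": "192.0.2.7", "dst": "203.0.113.80", "proto": "icmp", "icmp_type": 8, "icmp_code": 0},
    {"src": "192.0.2.7", "dst": "203.0.113.80", "proto": "icmp", "icmp_type": 11, "icmp_code": 0},
    {"src": "192.0.2.7", "dst": "203.0.113.80", "proto": "icmp", "icmp_type": 3, "icmp_code": 4},
    {"src": "224.0.0.1", "dst": "203.0.113.53", "proto": "udp", "dport": 53},     # multicast source
]
OUTBOUND_SAMPLES = [
    {"src": "198.51.100.9", "dst": "192.0.2.7", "proto": "tcp", "dport": 443},
    {"src": "203.0.113.99", "dst": "192.0.2.7", "proto": "tcp", "dport": 443},    # not our address
    {"src": "198.51.100.9", "dst": "192.0.2.7", "proto": "icmp", "icmp_type": 8, "icmp_code": 0},
]


def evaluate_samples():
    """Verdicts for the constructed traffic, inbound list then outbound list."""
    return ([inbound_decision(p)[0] for p in INBOUND_SAMPLES],
            [outbound_decision(p)[0] for p in OUTBOUND_SAMPLES])
```

The inbound samples come out as permit, deny, deny, deny, deny, permit, permit, deny: only SMTP to the mail server and the two ICMP error messages get through, while the echo request, the packet claiming an internal source and the loopback and multicast sources are dropped before any service check.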

5. Monitoring configuration changes

After changing a router's configuration, monitor it. If SNMP is used, choose a strong community string (never the defaults public or private), and prefer SNMPv3, which provides message authentication and encryption. If devices are not configured remotely through SNMP, configure SNMP as read-only; denying write access prevents an attacker who learns the community string from changing the configuration or shutting down interfaces. In addition, send the router's system log messages to a designated syslog server so that configuration changes and login events are recorded off the device.

To secure remote management further, use an encrypted protocol such as SSH for interactive sessions with the router. In addition, restrict which systems may open an SSH session to the small set of trusted management hosts that administrators actually use.

An important part of configuration management is making sure the network runs sound routing protocols. Avoid the Routing Information Protocol (RIP): RIP version 1 has no authentication at all and can easily be spoofed into accepting bogus routing updates. Protocols such as Border Gateway Protocol (BGP) and Open Shortest Path First (OSPF) can be configured to authenticate neighbours: each router computes an MD5 digest over every routing message together with a shared secret and attaches it, and the receiver recomputes the digest with its own copy of the secret before accepting the update, so the password itself never crosses the wire. These measures help ensure that any routing update the system accepts is genuine. MD5 is now considered weak, so prefer the SHA-based alternatives (HMAC-SHA authentication for OSPF per RFC 5709, TCP-AO per RFC 5925 for BGP) where the platform supports them.
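
To show what the routing-update authentication described above actually protects against, here is an added Python example (not from the original article) modelled on OSPF cryptographic authentication (RFC 2328, Appendix D.3): the sender appends MD5(packet || 16-octet key) together with a sequence number, and the receiver recomputes the digest with its own copy of the key. The packet encoding, router IDs, prefixes and shared key are constructed for the example and are not OSPF wire format.

```python
"""Keyed-digest authentication of routing updates, after RFC 2328 Appendix D.3.
Added example; the encoding below is a constructed stand-in, not OSPF wire format."""
import hashlib
import hmac
import struct

DIGEST_LEN = 16


def pad_key(secret):
    """OSPF keys are 16 octets; shorter keys are right-padded with zeros."""
    return secret[:16].ljust(16, b"\x00")


def encode_update(router_id, seq, routes):
    """Constructed encoding: 32-bit sequence number, router id, sorted prefixes."""
    body = router_id.encode() + b"|" + b";".join(r.encode() for r in sorted(routes))
    return struct.pack("!I", seq) + body


def sign_update(secret, router_id, seq, routes):
    """Append MD5(packet || key).  The key itself never appears on the wire."""
    msg = encode_update(router_id, seq, routes)
    return msg + hashlib.md5(msg + pad_key(secret)).digest()


class Neighbor:
    """A router validating updates from its peers with a shared key."""

    def __init__(self, secret):
        self.key = pad_key(secret)
        self.last_seq = {}   # router_id -> highest accepted sequence number
        self.routes = {}     # router_id -> prefixes accepted from it

    def accept(self, wire):
        msg, digest = wire[:-DIGEST_LEN], wire[-DIGEST_LEN:]
        expected = hashlib.md5(msg + self.key).digest()
        # constant-time compare so the check itself leaks nothing about the key
        if not hmac.compare_digest(digest, expected):
            return (False, "digest mismatch: wrong key or tampered update")
        seq = struct.unpack("!I", msg[:4])[0]
        router_id, routes = msg[4:].split(b"|", 1)
        router_id = router_id.decode()
        if seq <= self.last_seq.get(router_id, -1):
            return (False, "replayed or stale sequence number")
        self.last_seq[router_id] = seq
        self.routes[router_id] = routes.decode().split(";")
        return (True, "accepted")


def demo():
    """Genuine, forged, tampered and replayed updates against one neighbor."""
    shared = b"s3cr3t-area0"                       # constructed shared key
    nbr = Neighbor(shared)
    good = sign_update(shared, "10.0.0.1", 1, ["10.1.0.0/16", "10.2.0.0/16"])
    forged = sign_update(b"guess", "10.0.0.1", 2, ["0.0.0.0/0"])   # attacker without the key
    tampered = (good[:-DIGEST_LEN].replace(b"10.2.0.0/16", b"10.9.0.0/16")
                + good[-DIGEST_LEN:])                              # captured, one prefix changed
    return [nbr.accept(good), nbr.accept(forged), nbr.accept(tampered), nbr.accept(good)]
```

The four results of demo() are: the genuine update is accepted; the update signed with a guessed key is rejected; the captured update with one prefix altered is rejected because the digest no longer matches; and the genuine update replayed is rejected by the sequence-number check. Replacing hashlib.md5 with hmac.new(key, msg, hashlib.sha256) moves the scheme into the HMAC-SHA family that RFC 5709 specifies for OSPFv2.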

6. Implementing configuration management

A configuration management policy should govern how router configurations are stored, retrieved and updated, with backup copies kept on a secure server so that a known-good configuration can be restored when a new configuration causes problems or a device has to be replaced or reinstalled.

On routers with a command-line interface (CLI) there are two common ways to capture configuration files. One is a script that opens an SSH session from the configuration server to the router, logs in, disables console logging (so that log messages do not interleave with the output), displays the configuration, saves it to a local file and logs out. The other is to establish an IPsec tunnel between the router and the configuration server and copy the configuration file over TFTP inside the tunnel; TFTP has no authentication or encryption of its own, so it must never be used outside such a tunnel. The policy must also define who may change router configurations, when changes are made, and how. Before making any change, write down a detailed rollback procedure that reverses the steps in the opposite order.
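
An added Python example (not from the original article) of the backup, change-detection and rollback workflow described in sections 5 and 6. It keeps versions in memory rather than on the secure configuration server the text calls for, and the configurations, author names and volatile-line patterns are constructed for this example.

```python
"""Backup, change detection and rollback of router configurations (sections 5 and 6).
Added example: versions live in memory, not on a configuration server; the
configurations are constructed."""
import difflib
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Lines an IOS-style router rewrites by itself; they must not count as changes.
VOLATILE = re.compile(r"^(!\s*(Last configuration change|Time:|NVRAM config last updated).*"
                      r"|ntp clock-period .*)$")


def normalize(config):
    """Drop volatile lines, trailing whitespace and blank lines before hashing."""
    lines = [ln.rstrip() for ln in config.splitlines() if not VOLATILE.match(ln.strip())]
    return "\n".join(ln for ln in lines if ln) + "\n"


def fingerprint(config):
    return hashlib.sha256(normalize(config).encode()).hexdigest()


@dataclass(frozen=True)
class Version:
    number: int
    digest: str
    author: str    # who stored it
    note: str      # why
    when: str      # when (UTC)
    text: str      # normalized configuration


class ConfigStore:
    """Versioned backups for one device: who changed what, when, and how to go back."""

    def __init__(self):
        self.versions = []

    def commit(self, config, author, note):
        """Store a new version unless the normalized text is unchanged; return it."""
        digest = fingerprint(config)
        if self.versions and self.versions[-1].digest == digest:
            return self.versions[-1]
        v = Version(len(self.versions) + 1, digest, author, note,
                    datetime.now(timezone.utc).isoformat(timespec="seconds"), normalize(config))
        self.versions.append(v)
        return v

    def drift(self, running):
        """Unified diff from the last approved backup to the running config; None if identical."""
        last = self.versions[-1]
        if fingerprint(running) == last.digest:
            return None
        return list(difflib.unified_diff(last.text.splitlines(), normalize(running).splitlines(),
                                         fromfile=f"backup v{last.number}", tofile="running",
                                         lineterm=""))

    def rollback_target(self, number):
        """Exact text to push back when a change has to be reversed."""
        return next(v.text for v in self.versions if v.number == number)


# Constructed configurations: the baseline, the same router after a reboot (only
# volatile lines differ), and a copy with an unauthorised change.
BASELINE = """\
! Last configuration change at 09:12:44 UTC Mon Jan 1 2024 by netops
hostname edge-rtr
ntp clock-period 17180011
logging host 198.51.100.20
snmp-server community Zk4q9vR2xLm8 RO MGMT-HOSTS
line vty 0 4
 transport input ssh
"""
REBOOTED = BASELINE.replace("09:12:44", "21:03:10").replace("17180011", "17180007")
TAMPERED = BASELINE.replace("logging host 198.51.100.20\n",
                            "no logging host\nsnmp-server community public RW\n")


def demo():
    """Nightly backups, then an unauthorised change caught by drift detection."""
    store = ConfigStore()
    v1 = store.commit(BASELINE, "netops", "hardened baseline")
    v1_again = store.commit(REBOOTED, "backup-job", "nightly")   # no new version
    diff = store.drift(TAMPERED)                                   # running != backup
    v2 = store.commit(TAMPERED, "unknown", "captured during incident")
    return {
        "versions": len(store.versions),                           # 2
        "dedup": v1_again is v1,                                   # True
        "added": [ln for ln in diff if ln.startswith("+") and not ln.startswith("+++")],
        "rollback_ok": store.rollback_target(1) == normalize(BASELINE),
        "v2_number": v2.number,
    }
```

Lines that IOS-style routers rewrite on their own, such as the "Last configuration change" header and ntp clock-period, are stripped before hashing; otherwise every nightly backup would register as a change and real drift (here, syslog switched off and a read-write SNMP community added) would be lost in the noise.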
