思科路由器配置安全手册

ReportNumber:C4-040R-02RouterSecurityConfigurationGuidePrinciplesandguidanceforsecureconfigurationofIProuters,withdetailedinstructionsforCiscoSystemsroutersRouterSecurityGuidanceActivityoftheSystemandNetworkAttackCenter(SNAC)Authors:VanessaAntoineRaymondBongiorniAnthonyBorzaPatriciaBosmajianDanielDuesterhausMichaelDransfieldBrianEppingerKevinGallicchioStephenHamiltonJamesHouserAndrewKimPhyllisLeeBrianMcNamaraTomMillerDavidOpitzFlorenceRichburgMichaelWiacekMarkWilsonNealZiringDecember15,2005Version:1.1cNationalSecurityAgency9800SavageRd.Suite6704Ft.Meade,MD20755-6704SNAC.Guides@nsa.govRouterSecurityConfigurationGuideWarningsThisdocumentisonlyaguidetorecommendedsecuritysettingsforInternetProtocol(IP)routers,particularlyroutersrunningCiscoSystemsInternetOperatingSystem(IOS)versions11.3through12.4.Itcannotreplacewell-designedpolicyorsoundjudgment.Thisguidedoesnotaddresssite-specificconfigurationissues.Caremustbetakenwhenimplementingthesecuritystepsspecifiedinthisguide.Ensurethatallsecuritystepsandprocedureschosenfromthisguidearethoroughlytestedandreviewedpriortoimposingthemonanoperationalnetwork.SOFTWAREISPROVIDEDASISANDANYEXPRESSORIMPLIEDWARRANTIES,INCLUDING,BUTNOTLIMITEDTO,THEIMPLIEDWARRANTIESOFMERCHANTABILITYANDFITNESSFORAPARTICULARPURPOSEAREEXPRESSLYDISCLAIMED.INNOEVENTSHALLTHECONTRIBUTORSBELIABLEFORANYDIRECT,INDIRECT,INCIDENTAL,SPECIAL,EXEMPLARY,ORCONSEQUENTIALDAMAGES(INCLUDING,BUTNOTLIMITEDTO,PROCUREMENTOFSUBSTITUTEGOODSORSERVICES;LOSSOFUSE,DATA,ORPROFITS;ORBUSINESSINTERRUPTION)HOWEVERCAUSEDANDONANYTHEORYOFLIABILITY,WHETHERINCONTRACT,STRICTLIABILITY,ORTORT(INCLUDINGNEGLIGENCEOROTHERWISE)ARISINGINANYWAYOUTOFTHEUSEOFTHISSOFTWARE,EVENIFADVISEDOFTHEPOSSIBILITYOFSUCHDAMAGE.ThisdocumentiscurrentasofOctober,2005.Themostrecentversionofthisdocumentmayalwaysbeobtainedthrough“CiscoRouterSecurityConfigurationGuide,”andthemanagementandstaffoftheApplicationsandArchitecturesdivisionfortheirpatienceandassistancewiththeinitialdevelopmentofthisguide.SpecialthanksalsogotoRayBongiorniforqualityassuranceandeditorialwork,andtoJulieMartzandKathyJonesforproof-readingassistance.AdditionalcontributorstotheguideeffortincludeAndrewDorsett,CharlesHall,ScottMcKay,andJeffreyThomas.ThanksmustalsobegiventothedozensofprofessionalsoutsideNSAwhomadesuggestionsfortheimprovementofthisdocument,especiallyGeorgeJones,JohnStewart,andJoshuaWright.TrademarkInformationCisco,IOS,andCiscoSecureareregisteredtrademarksofCiscoSystems,Inc.intheUSAandothercountries.Windows2000andWindowsXPareregisteredtrademarksofMicrosoftCorporationintheUSAandothercountries.Allothernamesaretrademarksorregisteredtrademarksoftheirrespectivecompanies.RevisionHistory1.0Sep2000Firstcompletedraft,extensiveinternalreview.1.0bOct2000RevisedafterreviewbyRayBongiorni1.0fMar2001Secondreleaseversion:secondpre-pubreview1.0gApr2001Thirdreleaseversion:incorporatedexternalfeedback.1.0hAug2001Fourthreleaseversion;anotherQAreview.1.0jNov2001Fifthreleaseversion.1.0kMar2002Lastreleaseof1.0,anotherpre-pubreview.1.1Sep2002Majorrevisionandexpansion,anotherpre-pubreview1.1bDec2003Minorrevision,corrections,additions,fixedlinks1.1cDec2005Updated,fixedinconsistencies,checkedlinks2Version1.1cContentsContentsPreface51.Introduction71.1.TheRolesofRoutersinModernNetworks.....................................................................71.2.MotivationsforProvidingRouterSecurityGuidance......................................................91.3.TypographicandDiagrammaticConventionsUsedinthisGuide.................................101.4.StructuralOverview.......................................................................................................122.BackgroundandReview152.1.ReviewofTCP/IPNetworking......................................................................................152.2.TCP/IPandtheOSIModel............................................................................................172.3.ReviewofIPRoutingandIPArchitectures...................................................................192.4.BasicRouterFunctionalArchitecture............................................................................242.5.ReviewofRouter-RelevantProtocolsandLayers.........................................................272.6.Quick“Review”ofAttacksonRouters.........................................................................292.7.References......................................................................................................................303.RouterSecurityPrinciplesandGoals333.1.ProtectingtheRouterItself............................................................................................333.2.ProtectingtheNetworkwiththeRouter.........................................................................353.3.ManagingtheRouter......................................................................................................433.4.SecurityPolicyforRouters................