Analysis and Configuration Study of Router Security Features

Updated: 2024-03-05 19:25:01


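Summary

With the growth of the Internet, network security problems are becoming increasingly serious. Necessity is the mother of invention, and the saying applies fully to networking. Network security is now an indispensable part of computer networks. Protecting the network's infrastructure devices is the most critical part of network security. Infrastructure devices include routers, switches, servers, endpoints, and other equipment. If an attacker gains access to a router, the security and management of that network are put in jeopardy, and servers and endpoints are at risk as well. It is therefore critical to implement appropriate security policies and controls to prevent unauthorized access to all network infrastructure. All infrastructure can be at risk, but routers are the primary target of network attackers, because a router acts like a traffic police officer, directing traffic in and out. Protecting the router is therefore very important.

This project is an analysis and configuration study of router security features. The router security configuration is implemented in Cisco's Packet Tracer network simulation software: setting strong passwords on the router to prevent unauthorized access; logging in remotely over encrypted SSH rather than clear-text Telnet, so that login information and configuration files are not leaked; configuring the router to use AAA services for scalable access security; configuring access control lists to reduce network attacks and control access traffic; configuring the IOS intrusion prevention system to face rapidly evolving attacks; and configuring a site-to-site IPsec VPN, which keeps information secure as it travels through the tunnel, to establish secure, end-to-end, private network connections.

Keywords: network security, routers, router security, router configuration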


Abstract

With the development of the Internet, network security is a growing problem. “Necessity is the mother of invention.” This saying applies perfectly to network security. Network security is now an integral part of computer networking. Securing the network infrastructure is critical to overall network security. The network infrastructure includes routers, switches, servers, endpoints, and other devices. If an attacker gains access to a router, the security and management of the entire network can be compromised, leaving servers and endpoints at risk. It is critical that the appropriate security policies and controls be implemented to prevent unauthorized access to all infrastructure devices. Although all infrastructure devices are at risk, routers are a primary target for network attackers. This is because routers act as traffic police, directing traffic into, out of and between networks.

This study analyzes and configures router security features. The router security configuration is implemented in Cisco's Packet Tracer network simulation software: setting strong passwords on the router to prevent unauthorized access; using encrypted SSH for remote login instead of clear-text Telnet, so that login information and configuration files are not leaked; configuring the router to use AAA for scalable access security; configuring access control lists (ACLs) to mitigate network attacks and control network traffic; configuring the IOS Intrusion Prevention System to defend against fast-moving and evolving attacks; and configuring a site-to-site IPsec VPN, which keeps information secure while it traverses the tunnel, to establish secure, end-to-end, private network connections.

Keywords: network security, routers, router security, router configuration


Contents

Chapter 1 Introduction
    1.1 Background and significance of the research
    1.2 Main content of the research

Chapter 2 Introduction to Router Fundamentals
    2.1 Overview of routers
    2.2 Router types and characteristics
        2.2.1 Access routers
        2.2.2 Enterprise routers
        2.2.3 Backbone routers
        2.2.4 Terabit routers
    2.3 Router components
        2.3.1 Router input ports
        2.3.2 Router switching fabric
        2.3.3 Router output ports
        2.3.4 Route processor
    2.4 The role of the router

Chapter 3 How Routers Work and the Routing Protocols
    3.1 How routers work
    3.2 Route selection methods
        3.2.1 Static routing
        3.2.2 Dynamic routing
        3.2.3 Applications of static and dynamic routing
    3.3 Routing protocols
        3.3.1 RIP
        3.3.2 OSPF
        3.3.3 IS-IS
        3.3.4 IGRP
        3.3.5 EIGRP
        3.3.6 BGP

Chapter 4 Securing the Router
    4.1 Overview of edge routers
    4.2 Edge router implementation approaches
        4.2.1 Single-router approach
        4.2.2 Defense-in-depth approach
        4.2.3 DMZ approach
    4.3 Router maintenance
        4.3.1 Physical security
        4.3.2 Operating system security
        4.3.3 Router hardening
    4.4 Secure routing
        4.4.1 The concept of secure routing
        4.4.2 The IPsec protocol
        4.4.3 Characteristics of secure routers

Chapter 5 Router Security Management and Configuration
    5.1 Configuring the router's Syslog, NTP, and SSH services
        5.1.1 Technical overview
        5.1.2 Lab topology and IP address table
        5.1.3 Lab requirements
        5.1.4 Lab design
        5.1.5 Lab procedure
    5.2 AAA authentication on the router
        5.2.1 Technical overview
        5.2.2 Lab topology and address table
        5.2.3 Implementation requirements
        5.2.4 Lab design
    5.3 Configuring IP ACLs to mitigate attacks
        5.3.1 Technical overview
        5.3.2 Lab topology and IP address table
        5.3.3 Lab requirements
        5.3.4 Lab design
        5.3.5 Lab procedure
    5.4 Configuring Context-Based Access Control (CBAC) on the router
        5.4.1 Technical overview
        5.4.2 Lab topology and IP address table
        5.4.3 Lab requirements
        5.4.4 Lab design
        5.4.5 Lab procedure
    5.5 Configuring the Zone-Based Policy Firewall (ZPF) on the router
        5.5.1 Technical overview
        5.5.2 Lab topology and IP address table
        5.5.3 Implementation requirements
        5.5.4 Lab design
        5.5.5 Lab procedure
    5.6 Configuring the Intrusion Prevention System (IPS) on the router
        5.6.1 Technical overview
        5.6.2 Lab topology and IP address table
        5.6.3 Lab requirements
        5.6.4 Lab design
        5.6.5 Lab procedure
    5.7 Configuring a site-to-site IPsec virtual private network
        5.7.1 Technical overview
        5.7.2 Lab topology and IP address table
        5.7.3 Lab requirements

Source: https://www.bwwdw.com/article/o2wa.html
