Shenzhen IP Metropolitan Area Network (MAN) Design Plan 10. Security Control
To protect the MAN devices from unauthorized access and operation, the following security design is adopted:
(1) Use access control lists to restrict TELNET and SNMP access to the MAN network devices;
(2) Use usernames and privilege levels for access control;
(3) Synchronize the clocks of all devices in the network with NTP, and log all important events;
(4) Set unnecessary interfaces to passive (passive-interface) so that routing updates are not sent out of them, preventing route leakage.
The following is the security configuration required on all MAN devices:
hostname M-HMG-12012-A
service password-encryption
enable secret x xxxxxxxxxx
no service udp-small-servers
no service tcp-small-servers
ip subnet-zero
no ip source-route
ip classless
service timestamps log datetime msec localtime
service timestamps debug datetime msec localtime
logging buffered 4096 debugging
line con 0
line aux 0
exec-timeout 3 0
password xxxxxxx
login
line vty 0 4
exec-timeout 10 0
password xxxxxxx
login
Authenticate login users with either the local database or RADIUS:
aaa new-model
aaa authentication login default local
username admin password xxxxxxxxx
username oper password xxxxxxxx
username oper level 3
privilege exec level 3 traceroute
privilege exec level 3 ping
privilege exec level 3 show startup-config
privilege exec level 3 show
Use NTP for network-wide time synchronization, and log events with the synchronized time:
ntp update-calendar
ntp server x.x.x.x prefer
logging trap notif
logging a.b.c.d
· where x.x.x.x is the loopback 0 address of one of the GSR 12012 routers configured as NTP master
· where a.b.c.d is the IP address of the Cisco InfoCenter workstation
Restrict TELNET and SNMP access:
snmp-server community xxxxxx RW 5
snmp-server community xxxxxx RO 5
!
snmp-server enable traps
snmp-server host a.b.c.d xxxxxx snmp envmon bgp
snmp-server host e.f.g.h xxxxxx snmp envmon bgp
snmp-server trap-source loopback 0
access-list 5 permit a.b.c.d
access-list 5 permit e.f.g.h
! x.x.x.x is the MAN supernet
! allowing only TELNET access from within MAN
access-list 10 permit x.x.x.x 0.0.255.255
line vty 0 4
exec-timeout 10 0
access-class 10 in
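As an added worked example for this section (not code from the original plan), the following Python script audits an IOS running-config against the baseline above and evaluates the vty access-class the way IOS does: first matching entry wins, an implicit deny sits at the end, and wildcard-mask bits set to 1 are "don't care" bits, so access-list 10 with 0.0.255.255 admits exactly one /16. The sample configs, the 10.0.0.0/16 stand-in for the MAN supernet, the syslog and NTP addresses, the secret hash and the community string are all constructed placeholders.

```python
"""Audit an IOS config against the MAN baseline above and evaluate the vty access-class
as IOS would.  Added example for this section, not the plan's own code."""
import ipaddress
import re

# Constructed sample config following the baseline; addresses, the secret hash and
# the community string are placeholders, not values from the plan.
GOOD_CONFIG = """\
service password-encryption
enable secret 5 $1$placeholderhash
no service udp-small-servers
no service tcp-small-servers
no ip source-route
aaa new-model
ntp server 10.0.0.1 prefer
logging trap notifications
logging 10.1.1.5
snmp-server community public RO 5
access-list 5 permit 10.1.1.5
access-list 10 permit 10.0.0.0 0.0.255.255
line vty 0 4
 exec-timeout 10 0
 access-class 10 in
"""
# Same config with two deliberate weaknesses: an RW community with no ACL, and no
# inbound access-class on the vty lines.
WEAK_CONFIG = (GOOD_CONFIG
               .replace('snmp-server community public RO 5',
                        'snmp-server community public RW')
               .replace(' access-class 10 in\n', ''))
REQUIRED = ['service password-encryption', 'no service udp-small-servers',
            'no service tcp-small-servers', 'no ip source-route', 'aaa new-model']
REQUIRED_PREFIX = ['enable secret', 'ntp server', 'logging trap']
ACL_RE = re.compile(r'access-list (\d+) (permit|deny) (.+)')
CLASS_RE = re.compile(r'access-class (\d+) in')
SNMP_RE = re.compile(r'snmp-server community \S+ (RO|RW)( (\d+))?$')

def parse_config(text):
    """Return (global commands, {line/interface header: [its sub-commands]})."""
    global_cmds, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('!'):
            continue                                    # blank line or comment
        if raw[0] in ' \t':                             # indented sub-command
            if current is not None:
                blocks[current].append(raw.strip())
        elif raw.startswith(('line ', 'interface ')):
            current = raw.strip()
            blocks.setdefault(current, [])
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, blocks

def acl_permits(global_cmds, acl_number, src_ip):
    """Standard ACL as IOS evaluates it: first match wins, implicit deny, wildcard 1-bits are 'don't care'."""
    ip = int(ipaddress.IPv4Address(src_ip))
    for cmd in global_cmds:
        m = ACL_RE.match(cmd)
        if not m or int(m.group(1)) != acl_number:
            continue
        words = m.group(3).split()
        if words[0] == 'any':
            words = ['0.0.0.0', '255.255.255.255']
        elif words[0] == 'host':
            words = [words[1], '0.0.0.0']
        net = int(ipaddress.IPv4Address(words[0]))
        wild = int(ipaddress.IPv4Address(words[1] if len(words) > 1 else '0.0.0.0'))
        if (ip | wild) == (net | wild):                 # compare only the fixed bits
            return m.group(2) == 'permit'
    return False

def line_acl(sub_cmds):
    """ACL number applied inbound on a line block, or None if unrestricted."""
    hits = [CLASS_RE.match(s) for s in sub_cmds]
    return next((int(m.group(1)) for m in hits if m), None)

def vty_allows(text, src_ip):
    """True if src_ip can reach a vty prompt; a vty without access-class is open to all."""
    global_cmds, blocks = parse_config(text)
    return any(line_acl(sub) is None or acl_permits(global_cmds, line_acl(sub), src_ip)
               for name, sub in blocks.items() if name.startswith('line vty'))

def audit(text):
    """Return findings against the baseline; an empty list means compliant."""
    global_cmds, blocks = parse_config(text)
    findings = [f'missing: {c}' for c in REQUIRED if c not in global_cmds]
    findings += [f'missing: {p} ...' for p in REQUIRED_PREFIX
                 if not any(c.startswith(p) for c in global_cmds)]
    if not any(re.fullmatch(r'logging \d+\.\d+\.\d+\.\d+', c) for c in global_cmds):
        findings.append('no syslog host (logging a.b.c.d)')
    for c in global_cmds:                               # every community needs an ACL
        m = SNMP_RE.match(c)
        if m and not m.group(3):
            findings.append(f'SNMP community without access-list: {c}')
    for name, sub in blocks.items():                    # every vty needs timeout + ACL
        if name.startswith('line vty'):
            if not any(s.startswith('exec-timeout') for s in sub):
                findings.append(f'{name}: no exec-timeout')
            if line_acl(sub) is None:
                findings.append(f'{name}: no inbound access-class')
    return findings
```

Running audit(WEAK_CONFIG) reports the unprotected RW community and the missing access-class, while audit(GOOD_CONFIG) returns nothing; vty_allows(GOOD_CONFIG, '10.0.6.7') is true and vty_allows(GOOD_CONFIG, '192.168.1.1') is false, which is the behaviour the access-list 10 / access-class 10 pairing above is meant to enforce. The same parser can be pointed at a saved "show running-config" to check that every MAN device still carries the baseline after changes.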