Cisco路由器auto secure命令小结

    路由器命令auto secure用起来比较方便，而且可以关闭一些不安全的服务和启用一些安全的服务。这里对这个命令做了一个总结。（注：ios版本为：12.3（1）以上才支持使用）

    总结如下：

    1、关闭一些全局的不安全服务如下：

    Finger

    PAD

    Small Servers

    Bootp

    HTTP service

    Identification Service

    CDP

    NTP

    Source Routing

    2、开启一些全局的安全服务如下：

    PassWord-encryption service

    Tuning of scheduler interval/allocation

    TCP synwait-time

    TCP-keepalives-in and tcp-kepalives-out

    SPD configuration

    No ip unreachables for null 0

    3、关闭接口的一些不安全服务如下：

    ICMP

    PRoxy-Arp

    Directed Broadcast

    Disables MOP service

    Disables icmp unreachables

    Disables icmp mask reply messages.

    4、提供日志安全如下：

    Enables sequence numbers & timestamp

    Provides a console log

    Sets log buffered size

    Provides an interactive dialogue to configure the logging server ip address.

    5、保护访问路由器如下：

    Checks for a banner and provides facility to add text to automatically configure：

    Login and password

    Transport input & output

    Exec-timeout

    Local AAA

    SSH timeout and ssh authentication-retries to minimum number

    Enable only SSH and SCP for access and file transfer to/from the router

    6、保护转发Forwarding Plane

    Enables Cisco EXPress Forwarding （CEF） or distributed CEF on the router， when available

    Anti-spoofing

    Blocks all IANA reserved IP address blocks

    Blocks private address blocks if customer desires

    Installs a default route to NULL 0， if a default route is not being used

    Configures TCP intercept for connection-timeout， if TCP intercept feature is available and the user is interested

    Starts interactive configuration for CBAC on interfaces facing the Internet， when using a Cisco IOS Firewall image，

    Enables NetFlow on software forwarding platforms