Router Security Configuration Guide
UNCLASSIFIED
Version 1.0g
Additional Security Concerns
There are several security issues surrounding upgrades; this section attempts to
address them.
First, if you follow the installation procedure outlined above, you transmit a copy of
your router configuration to a TFTP server. Because TFTP provides no security, it is
critical that you protect the TFTP transaction and server from potential attackers.
There are several approaches to doing this, but the simplest is to ensure that the TFTP
traffic does not traverse hostile networks. Also, do not leave TFTP enabled on your
host; always turn it off immediately after you finish the installation procedure.
Second, whenever you make any kind of backup copy of a router configuration, you
may be exposing your encrypted passwords to disclosure. The simplest approach to
mitigating this risk is to change the enable secret immediately after installation (see
Section 4.1).
Third, many default settings differ between various IOS releases. Some of these
settings can affect your router's security. Also, some newer versions offer services
not present in older versions.
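For the second concern above, one way to limit exposure is to strip credential material from a configuration before the backup copy is stored. The following is an added example, not part of the original guide; the sample configuration and its password strings are constructed, and the names scrub and RULES are hypothetical.

```python
import re

# Constructed sample backup; all password strings and hashes are made up.
SAMPLE_CONFIG = """\
hostname East
enable secret 5 $1$EXAMPLE$0000000000000000000000
enable password 7 0000000000000000
username admin password 7 1111111111111111
snmp-server community EXAMPLEcomm RO
line vty 0 4
 password 7 2222222222222222
 login
"""

# (kind, pattern): group 1 is the keyword part that is kept; the token
# that follows it is the credential and is replaced.
RULES = [
    ("enable secret", re.compile(r"^(\s*enable secret(?: \d+)?) \S+")),
    ("enable password", re.compile(r"^(\s*enable password(?: \d+)?) \S+")),
    ("user password",
     re.compile(r"^(\s*username \S+ (?:password|secret)(?: \d+)?) \S+")),
    ("line password", re.compile(r"^(\s+password(?: \d+)?) \S+")),
    ("snmp community", re.compile(r"^(\s*snmp-server community) \S+")),
]


def scrub(config_text):
    """Return (redacted_text, findings); findings are (line_no, kind)."""
    out, findings = [], []
    for no, line in enumerate(config_text.splitlines(), start=1):
        for kind, rx in RULES:
            if rx.match(line):
                # Keep the keyword and any trailing options, drop the secret.
                line = rx.sub(r"\1 <removed>", line, count=1)
                findings.append((no, kind))
                break
        out.append(line)
    return "\n".join(out) + "\n", findings


if __name__ == "__main__":
    redacted, found = scrub(SAMPLE_CONFIG)
    print(redacted)
    for no, kind in found:
        print(f"line {no}: {kind} removed")
```

The findings list doubles as a checklist of the credentials that appeared in the copy and should be changed after installation.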
4.5.6. Diagnosing and Debugging Router Operation
Effective logging and SNMP help an administrator to stay aware of their router's
status and operational condition. When a problem occurs, or when a network is
under attack, Cisco IOS diagnostic and debug facilities can be used to get vital
information, identify sources and causes, and validate repairs.
Techniques for troubleshooting and debugging routers could (and do) fill entire
books. This short sub-section describes some of the most useful techniques for IOS
11.3 and 12.0. The techniques fall into three groups:
- Router status and configuration commands
  These commands display information about the settings and tables held by
  the router; some of this information is global to the whole router, and some
  is particular to each interface.
- Router throughput and traffic commands
  Each interface, and some other facilities, keep input/output statistics.
  There are IOS commands to display these statistics that can be used to
  detect problems.
- Debugging commands
  Virtually every IOS facility and protocol has associated debugging
  commands, and they offer a great deal of visibility into the operation of the