CCNA Security v2.0
Chapter 2:
Securing Network Devices
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
2.0 Introduction
2.1 Securing Device Access
2.2 Assigning Administrative Roles
2.3 Monitoring and Managing Devices
2.4 Using Automated Security Features
2.5 Securing the Control Plane
2.6 Summary
Upon completion of this section, you should be able to:
• Explain how to secure a network perimeter.
• Configure secure administrative access to Cisco routers.
• Configure enhanced security for virtual logins.
• Configure an SSH daemon for secure remote management.
Single Router Approach
Defense in Depth Approach
DMZ Approach
Tasks:
• Restrict device accessibility
• Log and account for all access
• Authenticate access
• Authorize actions
• Present legal notification
• Ensure the confidentiality of data
Local Access
Remote Access Using Telnet
Remote Access Using Modem and Aux Port
Dedicated Management Network
Guidelines:
• Use a password length of 10 or more characters.
• Include a mix of uppercase and lowercase letters, numbers, symbols, and spaces.
• Avoid passwords based on easily identifiable pieces of information.
• Deliberately misspell a password (Smith = Smyth = 5mYth).
• Change passwords often.
• Do not write passwords down and leave them in obvious places.
Weak Password    Why it is Weak
secret           Simple dictionary password
smith            Mother’s maiden name
toyota           Make of car
bob1967          Name and birthday of user
Blueleaf23       Simple words and numbers

Strong Password  Why it is Strong
b67n42d39c       Combines alphanumeric characters
12^h u4@1p7      Combines alphanumeric characters, symbols, and includes a space
Guidelines:
• Configure all secret passwords using type 8 or type 9 passwords.
• Use the enable algorithm-type command syntax to enter an unencrypted password.
• Use the username name algorithm-type command to specify type 9 encryption.
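
An added example (not from the course slides) that contrasts weaker password storage with the type 9 form the guidelines call for. The username ADMIN and the `<...>` placeholders are assumptions, and the algorithm-type keyword needs an IOS release that supports type 8 and type 9 hashes.

```cisco
! Weak forms, shown for contrast only (left commented out):
!   enable password <PLAINTEXT>     type 0, stored in clear text
!   enable secret <PLAINTEXT>       type 5 (MD5) on releases that default to MD5
!
! Corrected form, entered in global configuration mode.
! Enforce the 10-character minimum from the password guidelines.
security passwords min-length 10
! Remove any legacy enable password so only the hashed secret remains.
no enable password
! Type 9 (scrypt) enable secret: the password is typed unencrypted and stored hashed.
enable algorithm-type scrypt secret <ENABLE-SECRET>
! Type 9 local account. Use "algorithm-type sha256" instead for type 8 (PBKDF2).
username ADMIN algorithm-type scrypt secret <ADMIN-SECRET>
! Type 7 is reversible; it only hides remaining line passwords from casual viewing.
service password-encryption
!
! Check from privileged EXEC: hashed entries show the type digit after "secret".
!   show running-config | include secret
!   expected form: username ADMIN secret 9 <hash>
```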
Virtual login security enhancements:
• Implement delays between successive login attempts
• Enable login shutdown if DoS attacks are suspected
• Generate system-logging messages for login detection
Command Syntax: login block-for
Example: login quiet-mode access-class
Example: login delay
Generate Login Syslog Messages
Example: show login failures
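
The login enhancement commands named above, as an added example that is not part of the slides. The ACL name PERMIT-ADMIN, the management host 192.0.2.10 and all timer values are constructed; a local user account and `login local` on the vty lines are assumed to be in place.

```cisco
! Hosts that may still log in while the router is in quiet mode.
ip access-list standard PERMIT-ADMIN
 remark Management station only (constructed address)
 permit 192.0.2.10
!
! 5 failed logins within 60 seconds block all login attempts for 120 seconds.
! login block-for must be configured before the other login commands take effect.
login block-for 120 attempts 5 within 60
! Exempt the management station from the quiet period.
login quiet-mode access-class PERMIT-ADMIN
! Wait 3 seconds between successive login attempts.
login delay 3
! Generate syslog messages for failed and successful logins.
login on-failure log
login on-success log
!
! Verification from privileged EXEC:
!   show login            current settings and whether quiet mode is active
!   show login failures   source address, username and count of failed attempts
```

Without the quiet-mode ACL, an attacker who deliberately trips the threshold also locks administrators out for the block period.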
Example SSH Configuration
Example Verification of SSH
Two ways to connect:
• Enable SSH and use a Cisco router as an SSH server or SSH client.
   - As a server, the router can accept SSH client connections.
   - As a client, the router can connect via SSH to another SSH-enabled router.
• Use an SSH client running on a host, such as PuTTY, OpenSSH, or TeraTerm.
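
An added example, not taken from the slides, of a router acting first as SSH server and then as SSH client. The hostname R1, the peer R2 at 192.0.2.2, the domain example.com, the user ADMIN and the timer values are constructed.

```cisco
! --- R1 as SSH server (global configuration mode) ---
hostname R1
! The RSA key pair is named from hostname plus domain name, so set both first.
ip domain-name example.com
crypto key generate rsa general-keys modulus 2048
! Refuse SSHv1 and tighten the session limits.
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
username ADMIN algorithm-type scrypt secret <ADMIN-SECRET>
line vty 0 4
 ! Authenticate against the local user database and accept SSH only (no Telnet).
 login local
 transport input ssh
!
! Verification on R1 from privileged EXEC:
!   show ip ssh   version, time-out and retry settings
!   show ssh      current SSH sessions
!
! --- R1 as SSH client, connecting to another SSH-enabled router (R2) ---
!   R1# ssh -l ADMIN 192.0.2.2
```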
Upon completion of this section, you should be able to:
• Configure administrative privilege levels to control command availability.
• Configure role-based CLI access to control command availability.
Levels of access commands:
• User EXEC mode (privilege level 1)
   - Lowest EXEC mode user privileges
   - Only user-level commands available at the router> prompt
• Privileged EXEC mode (privilege level 15)
   - All enable-level commands at the router# prompt
Privilege levels:
• Level 0: Predefined for user-level access privileges.
• Level 1: Default level for login with the router prompt.
• Level 2-14: May be customized for user-level privileges.
• Level 15: Reserved for the enable mode privileges.
Privilege Level Syntax
• No access control to specific interfaces, ports, logical interfaces, and slots on a router
• Commands available at lower privilege levels are always executable at higher privilege levels
• Commands specifically set at higher privilege levels are not available for lower privilege users
• Assigning a command with multiple keywords allows access to all commands that use those
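
An added example of custom privilege levels and of the limitations listed above; it is not part of the original slides. The level numbers 5 and 10, the usernames SUPPORT, JR-ADMIN and ADMIN, the address 192.0.2.1 and the placeholder secrets are constructed.

```cisco
! Move ping to level 5: level 1 users can no longer run it, levels 5 and above can.
privilege exec level 5 ping
enable algorithm-type scrypt secret level 5 <LEVEL5-SECRET>
username SUPPORT privilege 5 algorithm-type scrypt secret <SUPPORT-SECRET>
!
! Level 10: everything available at level 5, plus reload.
privilege exec level 10 reload
enable algorithm-type scrypt secret level 10 <LEVEL10-SECRET>
username JR-ADMIN privilege 10 algorithm-type scrypt secret <JR-ADMIN-SECRET>
!
! Level 15: full privileged EXEC access.
username ADMIN privilege 15 algorithm-type scrypt secret <ADMIN-SECRET>
!
! Checks that show the behaviour:
!   R1> enable 5          prompts for the level 5 secret
!   R1# show privilege    reports "Current privilege level is 5"
!   R1# reload            rejected: reload is set at level 10
!   R1# ping 192.0.2.1    accepted, and still accepted at levels 10 and 15
```

Privilege levels are strictly cumulative, so a level 10 account cannot be given reload without also inheriting everything assigned to level 5.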
For example:
• Security operator privileges
   - Configure AAA
   - Issue show commands
   - Configure firewall
   - Configure IDS/IPS
   - Configure NetFlow
• WAN engineer privileges
   - Configure routing
   - Configure interfaces
   - Issue show commands
Enable Root View and Verify All Views
Upon completion of this section, you should be able to:
• Use the Cisco IOS resilient configuration feature to secure the Cisco IOS image and configuration files.
• Compare in-band and out-of-band management access.
• Configure syslog to log system events.
• Configure secure SNMPv3 access using ACL.
• Configure NTP to enable accurate timestamping between all devices.
Configure the router for server-side SCP with local AAA:
1. Configure SSH
2. Configure at least one user with privilege level 15
3. Enable AAA
4. Specify that the local database is to be used for authentication
5. Configure command authorization
6. Enable SCP server-side functionality
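
The six steps above as configuration, added here as an example rather than taken from the slides. The domain example.com, the user ADMIN, the router name R2 and the placeholder secret are constructed.

```cisco
! Step 1: configure SSH (SCP runs over it).
ip domain-name example.com
crypto key generate rsa general-keys modulus 2048
ip ssh version 2
! Step 2: at least one user with privilege level 15.
username ADMIN privilege 15 algorithm-type scrypt secret <ADMIN-SECRET>
! Step 3: enable AAA.
aaa new-model
! Step 4: authenticate logins against the local database.
aaa authentication login default local
! Step 5: command authorization, so the user's privilege level is applied to the session.
aaa authorization exec default local
! Step 6: enable SCP server-side functionality.
ip scp server enable
!
! From another router, a file can then be pulled over SCP; the copy command
! prompts for the server address, username, file names and password:
!   R2# copy scp: flash:
```

Entering aaa new-model changes how every line authenticates, so confirm the local account works before closing the current session.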
1. Connect to the console port.
2. Record the configuration register setting.
3. Power cycle the router.
4. Issue the break sequence.
5. Change the default configuration register with the confreg 0x2142 command.
6. Reboot the router.
7. Press Ctrl-C to skip the initial setup procedure.
8. Put the router into privileged EXEC mode.
9. Copy the startup configuration to the running configuration.
10. Verify the configuration.
11. Change the enable secret password.
12. Enable all interfaces.
13. Change the config-register with the config-register configuration_register_setting command.
14. Save the configuration changes.
Password Recovery Functionality is Disabled
No Service Password Recovery
Disable Password Recovery
In-Band Management:
• Apply only to devices that need to be managed or monitored
• Use IPsec, SSH, or SSL when possible
• Decide whether the management channel needs to be open at all times
Out-of-Band (OOB) Management:
• Provide highest level of security
• Mitigate the risk of passing management protocols over the production network
Security Levels
Example Severity Levels
Cisco MIB Hierarchy
Message integrity & authentication
Encryption
Access control
• Transmissions from manager to agent may be authenticated to guarantee the identity of the sender and the integrity and timeliness of a message.
• SNMPv3 messages may be encrypted to ensure privacy.
• Agent may enforce access control to restrict each principal to certain actions on specific portions of data.
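
An added SNMPv3 example, not from the slides, that maps the three properties above to configuration keywords. The ACL, view, group and user names, the 192.0.2.0/24 management subnet and the placeholder passwords are constructed.

```cisco
! Access control, part 1: only the management subnet may query the agent.
ip access-list standard PERMIT-ADMIN
 permit 192.0.2.0 0.0.0.255
! Access control, part 2: the portion of the MIB tree this group may read.
snmp-server view SNMP-RO iso included
! "priv" requires both authentication and encryption for members of the group;
! the group is read-only and tied to the ACL above.
snmp-server group ADMIN v3 priv read SNMP-RO access PERMIT-ADMIN
! Message integrity and authentication: SHA. Encryption: AES-128.
snmp-server user NMS-USER ADMIN v3 auth sha <AUTH-PASSWORD> priv aes 128 <PRIV-PASSWORD>
!
! Verification from privileged EXEC:
!   show snmp group
!   show snmp user
```

The snmp-server user line is not displayed in the running configuration, so use show snmp user to confirm the account exists.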
Sample NTP Topology
Sample NTP Configuration on R1
Sample NTP Configuration on R2
Upon completion of this section, you should be able to:
• Use security audit tools to determine IOS-based router vulnerabilities.
• Use AutoSecure to enable security on IOS-based routers.
There is a detailed list of security settings for protocols and services provided in Figure 2 of this page in the course.
Additional recommended practices to ensure a device is secure:
• Disable unnecessary services and interfaces.
• Disable and restrict commonly configured management services.
• Disable probes and scans.
• Ensure terminal access security.
• Disable gratuitous and proxy ARPs.
• Disable IP-directed broadcasts.
1. The auto secure command is entered.
2. Wizard gathers information about the outside interfaces.
3. AutoSecure secures the management plane by disabling unnecessary services.
4. AutoSecure prompts for a banner.
5. AutoSecure prompts for passwords and enables password and login features.
6. Interfaces are secured.
7. Forwarding plane is secured.
Upon completion of this section, you should be able to:
• Configure routing protocol authentication.
• Explain the function of Control Plane Policing.
Consequences of protocol spoofing:
• Redirect traffic to create routing loops.
• Redirect traffic so it can be monitored on an insecure link.
• Redirect traffic to discard it.
Chapter Objectives:
• Configure secure administrative access.
• Configure command authorization using privilege levels and role-based CLI.
• Implement the secure management and monitoring of network devices.
• Use automated features to enable security on IOS-based routers.
• Implement control plane security.
Thank you.
• Remember, there are helpful tutorials and user guides available via your NetSpace home page. (https://www.netacad.com)
• These resources cover a variety of topics including navigation, assessments, and assignments.
• A screenshot has been provided here highlighting the tutorials related to activating exams, managing assessments, and creating quizzes.
1
2

More Related Content

Similar to CCNASv2_InstructorPPT_CH2.pptx

012 2 ccna sv2-instructor_ppt_ch9
012 2 ccna sv2-instructor_ppt_ch9012 2 ccna sv2-instructor_ppt_ch9
012 2 ccna sv2-instructor_ppt_ch9Babaa Naya
 
3 cucm database
3 cucm database3 cucm database
3 cucm databasepasabakac
 
Ccna sv2 instructor_ppt_ch6
Ccna sv2 instructor_ppt_ch6Ccna sv2 instructor_ppt_ch6
Ccna sv2 instructor_ppt_ch6SalmenHAJJI1
 
It nv51 instructor_ppt_ch6
It nv51 instructor_ppt_ch6It nv51 instructor_ppt_ch6
It nv51 instructor_ppt_ch6newbie2019
 
Ccna sv2 instructor_ppt_ch3
Ccna sv2 instructor_ppt_ch3Ccna sv2 instructor_ppt_ch3
Ccna sv2 instructor_ppt_ch3SalmenHAJJI1
 
Ccna security v2 instructor_ppt_ch10
Ccna security v2 instructor_ppt_ch10Ccna security v2 instructor_ppt_ch10
Ccna security v2 instructor_ppt_ch10SalmenHAJJI1
 
Ccna sv2 instructor_ppt_ch9
Ccna sv2 instructor_ppt_ch9Ccna sv2 instructor_ppt_ch9
Ccna sv2 instructor_ppt_ch9SalmenHAJJI1
 
Ccna sv2 instructor_ppt_ch4
Ccna sv2 instructor_ppt_ch4Ccna sv2 instructor_ppt_ch4
Ccna sv2 instructor_ppt_ch4SalmenHAJJI1
 
Ccna sv2 instructor_ppt_ch7
Ccna sv2 instructor_ppt_ch7Ccna sv2 instructor_ppt_ch7
Ccna sv2 instructor_ppt_ch7SalmenHAJJI1
 
CCNA Security 05- securing the management plane
CCNA Security 05- securing the management planeCCNA Security 05- securing the management plane
CCNA Security 05- securing the management planeAhmed Habib
 
Ccna sv2 instructor_ppt_ch5
Ccna sv2 instructor_ppt_ch5Ccna sv2 instructor_ppt_ch5
Ccna sv2 instructor_ppt_ch5SalmenHAJJI1
 
Chapter 3 overview
Chapter 3 overviewChapter 3 overview
Chapter 3 overviewali raza
 
It nv51 instructor_ppt_ch8
It nv51 instructor_ppt_ch8It nv51 instructor_ppt_ch8
It nv51 instructor_ppt_ch8newbie2019
 
It nv51 instructor_ppt_ch7
It nv51 instructor_ppt_ch7It nv51 instructor_ppt_ch7
It nv51 instructor_ppt_ch7newbie2019
 
CCNASv2_InstructorPPT_CH8.en.es.pptx
CCNASv2_InstructorPPT_CH8.en.es.pptxCCNASv2_InstructorPPT_CH8.en.es.pptx
CCNASv2_InstructorPPT_CH8.en.es.pptxRichardChecca1
 
It nv51 instructor_ppt_ch1
It nv51 instructor_ppt_ch1It nv51 instructor_ppt_ch1
It nv51 instructor_ppt_ch1newbie2019
 
ITN_Module_2.pptx
ITN_Module_2.pptxITN_Module_2.pptx
ITN_Module_2.pptxargost1003
 
TitleABC123 Version X1Film ListPSYCH650 Version 2.docx
TitleABC123 Version X1Film ListPSYCH650 Version 2.docxTitleABC123 Version X1Film ListPSYCH650 Version 2.docx
TitleABC123 Version X1Film ListPSYCH650 Version 2.docxjuliennehar
 

Similar to CCNASv2_InstructorPPT_CH2.pptx (20)

PC LEESOON 6.pptx
PC LEESOON 6.pptxPC LEESOON 6.pptx
PC LEESOON 6.pptx
 
012 2 ccna sv2-instructor_ppt_ch9
012 2 ccna sv2-instructor_ppt_ch9012 2 ccna sv2-instructor_ppt_ch9
012 2 ccna sv2-instructor_ppt_ch9
 
3 cucm database
3 cucm database3 cucm database
3 cucm database
 
Ccna sv2 instructor_ppt_ch6
Ccna sv2 instructor_ppt_ch6Ccna sv2 instructor_ppt_ch6
Ccna sv2 instructor_ppt_ch6
 
It nv51 instructor_ppt_ch6
It nv51 instructor_ppt_ch6It nv51 instructor_ppt_ch6
It nv51 instructor_ppt_ch6
 
Ccna sv2 instructor_ppt_ch3
Ccna sv2 instructor_ppt_ch3Ccna sv2 instructor_ppt_ch3
Ccna sv2 instructor_ppt_ch3
 
Ccna security v2 instructor_ppt_ch10
Ccna security v2 instructor_ppt_ch10Ccna security v2 instructor_ppt_ch10
Ccna security v2 instructor_ppt_ch10
 
CCNP ROUTE V7 CH8
CCNP ROUTE V7 CH8CCNP ROUTE V7 CH8
CCNP ROUTE V7 CH8
 
Ccna sv2 instructor_ppt_ch9
Ccna sv2 instructor_ppt_ch9Ccna sv2 instructor_ppt_ch9
Ccna sv2 instructor_ppt_ch9
 
Ccna sv2 instructor_ppt_ch4
Ccna sv2 instructor_ppt_ch4Ccna sv2 instructor_ppt_ch4
Ccna sv2 instructor_ppt_ch4
 
Ccna sv2 instructor_ppt_ch7
Ccna sv2 instructor_ppt_ch7Ccna sv2 instructor_ppt_ch7
Ccna sv2 instructor_ppt_ch7
 
CCNA Security 05- securing the management plane
CCNA Security 05- securing the management planeCCNA Security 05- securing the management plane
CCNA Security 05- securing the management plane
 
Ccna sv2 instructor_ppt_ch5
Ccna sv2 instructor_ppt_ch5Ccna sv2 instructor_ppt_ch5
Ccna sv2 instructor_ppt_ch5
 
Chapter 3 overview
Chapter 3 overviewChapter 3 overview
Chapter 3 overview
 
It nv51 instructor_ppt_ch8
It nv51 instructor_ppt_ch8It nv51 instructor_ppt_ch8
It nv51 instructor_ppt_ch8
 
It nv51 instructor_ppt_ch7
It nv51 instructor_ppt_ch7It nv51 instructor_ppt_ch7
It nv51 instructor_ppt_ch7
 
CCNASv2_InstructorPPT_CH8.en.es.pptx
CCNASv2_InstructorPPT_CH8.en.es.pptxCCNASv2_InstructorPPT_CH8.en.es.pptx
CCNASv2_InstructorPPT_CH8.en.es.pptx
 
It nv51 instructor_ppt_ch1
It nv51 instructor_ppt_ch1It nv51 instructor_ppt_ch1
It nv51 instructor_ppt_ch1
 
ITN_Module_2.pptx
ITN_Module_2.pptxITN_Module_2.pptx
ITN_Module_2.pptx
 
TitleABC123 Version X1Film ListPSYCH650 Version 2.docx
TitleABC123 Version X1Film ListPSYCH650 Version 2.docxTitleABC123 Version X1Film ListPSYCH650 Version 2.docx
TitleABC123 Version X1Film ListPSYCH650 Version 2.docx
 

Recently uploaded

A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformChameera Dedduwage
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Educationpboyjonauth
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfJayanti Pande
 
mini mental status format.docx
mini    mental       status     format.docxmini    mental       status     format.docx
mini mental status format.docxPoojaSen20
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdfQucHHunhnh
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationnomboosow
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfsanyamsingh5019
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfSoniaTolstoy
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdfQucHHunhnh
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104misteraugie
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdfssuser54595a
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfciinovamais
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 

Recently uploaded (20)

A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Education
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdf
 
mini mental status format.docx
mini    mental       status     format.docxmini    mental       status     format.docx
mini mental status format.docx
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 

CCNASv2_InstructorPPT_CH2.pptx

  • 1. CCNA Security v2.0 Chapter 2: Securing Network Devices
  • 2. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 2 2.0 Introduction 2.1 Securing Device Access 2.2 Assigning Administrative Roles 2.3 Monitoring and Managing Devices 2.4 Using Automated Security Features 2.5 Securing the Control Plane 2.6 Summary
  • 3. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 3 Upon completion of this section, you should be able to: • Explain how to secure a network perimeter. • Configure secure administrative access to Cisco routers. • Configure enhanced security for virtual logins. • Configure an SSH daemon for secure remote management.
  • 4. Cisco Public © 2013 Cisco and/or its affiliates. All rights reserved. 4
  • 5. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
  • 6. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 6 Single Router Approach Defense in Depth Approach DMZ Approach
  • 7. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 7
  • 8. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 8 Tasks: • Restrict device accessibility • Log and account for all access • Authenticate access • Authorize actions • Present legal notification • Ensure the confidentiality of data
  • 9. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 9 Local Access Remote Access Using Telnet Remote Access Using Modem and Aux Port
  • 10. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 10 Dedicated Management Network
  • 11. Cisco Public © 2013 Cisco and/or its affiliates. All rights reserved. 11
  • 12. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 12 Guidelines: • Use a password length of 10 or more characters. • Include a mix of uppercase and lowercase letters, numbers, symbols, and spaces. • Avoid passwords based on easily identifiable pieces of information. • Deliberately misspell a password (Smith = Smyth = 5mYth). • Change passwords often. • Do not write passwords down and leave them in obvious places. Weak Password Why it is Weak Strong Password Why it is Strong secret Simple dictionary password b67n42d39c Combines alphanumeric characters smith Mother’s maiden name 12^h u4@1p7 Combines alphanumeric characters, symbols, and includes a space toyota Make of car bob1967 Name and birthday of user Blueleaf23 Simple words and numbers
  • 13. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 13
  • 14. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 14 Guidelines: • Configure all secret passwords using type 8 or type 9 passwords • Use the enable algorithm-type command syntax to enter an unencrypted password • Use the username name algorithm-type command to specify type 9 encryption
  • 15. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 15
  • 16. Cisco Public © 2013 Cisco and/or its affiliates. All rights reserved. 16
  • 17. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 17 Virtual login security enhancements: • Implement delays between successive login attempts • Enable login shutdown if DoS attacks are suspected • Generate system-logging messages for login detection
  • 18. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 18
  • 19. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 19 Command Syntax: login block-for Example: login quiet-mode access-class Example: login delay
  • 20. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 20 Generate Login Syslog Messages Example: show login failures
  • 21. Cisco Public © 2013 Cisco and/or its affiliates. All rights reserved. 21
  • 22. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 22 Example SSH Configuration Example Verification of SSH
  • 23. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 23
  • 24. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 24 Two ways to connect: • Enable SSH and use a Cisco router as an SSH server or SSH client. As a server, the router can accept SSH client connections As a client, the router can connect via SSH to another SSH-enabled router • Use an SSH client running on a host, such as PuTTY, OpenSSH, or TeraTerm.
  • 25. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 25 Upon completion of this section, you should be able to: • Configure administrative privilege levels to control command availability. • Configure role-based CLI access to control command availability.
  • 26. Cisco Public © 2013 Cisco and/or its affiliates. All rights reserved. 26
  • 27. Levels of access commands:
      • User EXEC mode (privilege level 1)
          • Lowest EXEC mode user privileges
          • Only user-level commands available at the router> prompt
      • Privileged EXEC mode (privilege level 15)
          • All enable-level commands at the router# prompt
      Privilege levels:
      • Level 0: Predefined for user-level access privileges.
      • Level 1: Default level for login with the router prompt.
      • Level 2-14: May be customized for user-level privileges.
      • Level 15: Reserved for the enable mode privileges.
      Privilege Level Syntax
  • 29.
      • No access control to specific interfaces, ports, logical interfaces, and slots on a router
      • Commands available at lower privilege levels are always executable at higher privilege levels
      • Commands specifically set at higher privilege levels are not available for lower privilege users
      • Assigning a command with multiple keywords allows access to all commands that use those
  • 31. For example:
      • Security operator privileges
          • Configure AAA
          • Issue show commands
          • Configure firewall
          • Configure IDS/IPS
          • Configure NetFlow
      • WAN engineer privileges
          • Configure routing
          • Configure interfaces
          • Issue show commands
  • 33. Step 1, Step 2, Step 3, Step 4
  • 34. Step 1, Step 2, Step 3
  • 35. Enable Root View and Verify All Views
  • 36. Upon completion of this section, you should be able to:
      • Use the Cisco IOS resilient configuration feature to secure the Cisco IOS image and configuration files.
      • Compare in-band and out-of-band management access.
      • Configure syslog to log system events.
      • Configure secure SNMPv3 access using ACL.
      • Configure NTP to enable accurate timestamping between all devices.
  • 41. Configure the router for server-side SCP with local AAA:
      1. Configure SSH
      2. Configure at least one user with privilege level 15
      3. Enable AAA
      4. Specify that the local database is to be used for authentication
      5. Configure command authorization
      6. Enable SCP server-side functionality
  • 42.
      1. Connect to the console port.
      2. Record the configuration register setting.
      3. Power cycle the router.
      4. Issue the break sequence.
      5. Change the default configuration register with the confreg 0x2142 command.
      6. Reboot the router.
      7. Press Ctrl-C to skip the initial setup procedure.
      8. Put the router into privileged EXEC mode.
      9. Copy the startup configuration to the running configuration.
      10. Verify the configuration.
      11. Change the enable secret password.
      12. Enable all interfaces.
      13. Change the config-register with the config-register configuration_register_setting.
      14. Save the configuration changes.
  • 43. Password Recovery Functionality is Disabled
      No Service Password Recovery
      Disable Password Recovery
  • 45. In-Band Management:
      • Apply only to devices that need to be managed or monitored
      • Use IPsec, SSH, or SSL when possible
      • Decide whether the management channel needs to be open at all times
      Out-of-Band (OOB) Management:
      • Provide highest level of security
      • Mitigate the risk of passing management protocols over the production network
  • 49. Security Levels
      Example Severity Levels
  • 52. Step 1, Step 2 (optional), Step 3, Step 4
  • 55. Cisco MIB Hierarchy
  • 58.
      • Message integrity & authentication: Transmissions from manager to agent may be authenticated to guarantee the identity of the sender and the integrity and timeliness of a message.
      • Encryption: SNMPv3 messages may be encrypted to ensure privacy.
      • Access control: Agent may enforce access control to restrict each principal to certain actions on specific portions of data.
  • 64. Sample NTP Topology
      Sample NTP Configuration on R1
      Sample NTP Configuration on R2
  • 66. Upon completion of this section, you should be able to:
      • Use security audit tools to determine IOS-based router vulnerabilities.
      • Use AutoSecure to enable security on IOS-based routers.
  • 69. There is a detailed list of security settings for protocols and services provided in Figure 2 of this page in the course.
      Additional recommended practices to ensure a device is secure:
      • Disable unnecessary services and interfaces.
      • Disable and restrict commonly configured management services.
      • Disable probes and scans.
      • Ensure terminal access security.
      • Disable gratuitous and proxy ARPs.
      • Disable IP-directed broadcasts.
  • 73.
      1. The auto secure command is entered
      2. Wizard gathers information about the outside interfaces
      3. AutoSecure secures the management plane by disabling unnecessary services
      4. AutoSecure prompts for a banner
      5. AutoSecure prompts for passwords and enables password and login features
      6. Interfaces are secured
      7. Forwarding plane is secured
  • 74. Upon completion of this section, you should be able to:
      • Configure a routing protocol authentication.
      • Explain the function of Control Plane Policing.
  • 76. Consequences of protocol spoofing:
      • Redirect traffic to create routing loops.
      • Redirect traffic so it can be monitored on an insecure link.
      • Redirect traffic to discard it.
  • 83. Chapter Objectives:
      • Configure secure administrative access.
      • Configure command authorization using privilege levels and role-based CLI.
      • Implement the secure management and monitoring of network devices.
      • Use automated features to enable security on IOS-based routers.
      • Implement control plane security.
  • 85.
      • Remember, there are helpful tutorials and user guides available via your NetSpace home page. (https://www.netacad.com)
      • These resources cover a variety of topics including navigation, assessments, and assignments.
      • A screenshot has been provided here highlighting the tutorials related to activating exams, managing assessments, and creating quizzes.
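
The secret-password, login-enhancement, SSH and server-side SCP settings that slides 14, 19 to 22 and 41 list, written out as one IOS configuration. This is an added example, not configuration taken from the slides; the hostname, domain name, user name, ACL name, management address, timer values and the `<...>` secrets are constructed placeholders.

```cisco
! Constructed example: every name, address, timer and secret is a placeholder.
hostname R1
ip domain-name example.com
!
! Slide 14: type 9 (scrypt) hashes for the enable secret and local users.
! The password is typed in clear text and stored only as a hash.
! Slide 41 step 2: at least one user with privilege level 15.
enable algorithm-type scrypt secret <ENABLE-SECRET>
username admin privilege 15 algorithm-type scrypt secret <ADMIN-SECRET>
!
! Slide 41 step 1 and slide 22: SSH server.
! The key-generation command is entered in global configuration mode and
! does not appear in the saved configuration.
crypto key generate rsa general-keys modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
!
! Slide 19: login enhancements. login block-for must be configured first;
! the other login commands depend on it.
ip access-list standard PERMIT-ADMIN
 permit 192.0.2.10
login block-for 120 attempts 5 within 60
! Hosts matching the ACL can still log in while the router is in quiet mode.
login quiet-mode access-class PERMIT-ADMIN
login delay 3
!
! Slide 20: syslog messages for failed and successful logins.
login on-failure log
login on-success log
!
! Slide 41 steps 3 to 5: AAA with the local user database.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
! Slide 41 step 6: SCP server-side functionality.
ip scp server enable
!
! Remote access over SSH only; Telnet is not accepted on the vty lines.
line vty 0 4
 transport input ssh
```

After the configuration is applied, `show login failures` (slide 20) and `show ip ssh` report the recorded failed attempts and the SSH server settings.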

Editor's Notes

  1. 2.1.1.1 Securing the Network Infrastructure
  2. 2.1.1.2 Edge Router Security Approaches
  3. 2.1.1.3 Three Areas of Router Security
  4. 2.1.1.4 Secure Administrative Access
  5. 2.1.1.5 Secure Local and Remote Access
  6. 2.1.1.5 Secure Local and Remote Access
  7. 2.1.2.1 Strong Passwords
  8. 2.1.2.2 Increasing Access Security
  9. 2.1.2.3 Secret Password Algorithms
  10. 2.1.2.4 Securing Line Access Syntax Checker: Secure Administrative Access on R2
  11. 2.1.3.1 Enhancing the Login Process
  12. 2.1.3.2 Configuring Login Enhancement Features
  13. 2.1.3.3 Enable Login Enhancements Syntax Checker: Configure Enhanced Login Security on R2
  14. 2.1.3.4 Logging Failed Attempts
  15. 2.1.4.1 Steps for Configuring SSH
  16. 2.1.4.2 Modifying the SSH Configuration Syntax Checker: Enable SSH on R2
  17. 2.1.4.3 Connecting to an SSH-Enabled Router
  18. 2.2.1.1 Limiting Command Availability
  19. 2.2.1.2 Configuring and Assigning Privilege Levels
  20. 2.2.1.3 Limitations of Privilege Levels Syntax Checker: Configure Privilege Levels on R2
  21. 2.2.2.1 Role-Based CLI Access
  22. 2.2.2.2 Role-Based Views
  23. 2.2.2.3 Configuring Role-Based Views Syntax Checker: Configure Views on R2
  24. 2.2.2.4 Configuring Role-Based CLI Superviews Syntax Checker: Configure Superviews on R2
  25. 2.2.2.5 Verify Role-Based CLI Views
  26. 2.3.1.1 Cisco IOS Resilient Configuration Feature
  27. 2.3.1.2 Enabling the IOS Image Resilience Feature
  28. 2.3.1.3 The Primary Bootset Image
  29. 2.3.1.4 Configuring Secure Copy
  30. 2.3.1.5 Recovering a Router Password
  31. 2.3.1.6 Password Recovery
  32. 2.3.2.1 Determining the Type of Management Access 2.3.2.2 Out-of-Band and In-Band Access
  33. 2.3.3.1 Introduction to Syslog
  34. 2.3.3.2 Syslog Operation
  35. 2.3.3.3 Syslog Message
  36. 2.3.3.3 Syslog Message 2.3.3.4 Activity - Parts 1-3 : Interpret Syslog Output
  37. 2.3.3.5 Syslog Systems
  38. 2.3.3.6 Configuring System Logging
  39. 2.3.4.1 Introduction to SNMP
  40. 2.3.4.2 Management Information Base
  41. 2.3.4.3 SNMP Versions
  42. 2.3.4.4 SNMP Vulnerabilities
  43. 2.3.4.5 SNMPv3
  44. 2.3.4.6 Configuring SNMPv3 Security
  45. 2.3.4.7 Secure SNMPv3 Configuration Example Syntax Checker: Configure SNMPv3 Authentication Using an ACL
  46. 2.3.4.8 Verifying the SNMPv3 Configuration
  47. 2.3.5.1 Network Time Protocol
  48. 2.3.5.2 NTP Server
  49. 2.3.5.3 NTP Authentication Syntax Checker: Configure NTP Authentication on R1
  50. 2.4.1.1 Discovery Protocols CDP and LLDP
  51. 2.4.1.2 Settings for Protocols and Services
  52. 2.4.2.1 Cisco AutoSecure
  53. 2.4.2.2 Using the Cisco AutoSecure Feature
  54. 2.4.2.3 Using the auto secure Command Syntax Checker: Use AutoSecure to Secure R1
  55. 2.5.1.1 Routing Protocol Spoofing
  56. 2.5.1.2 OSPF MD5 Routing Protocol Authentication
  57. 2.5.1.3 OSPF SHA Routing Protocol Authentication Syntax Checker: Configure OSPF Authentication Using SHA 256
  58. 2.5.2.1 Network Device Operations
  59. 2.5.2.2 Control and Management Plane Vulnerabilities
  60. 2.5.2.3 CoPP Operation 2.5.2.4 Activity - Identify the Features of CoPP 2.5.2.5 Activity - Identify the Network Device Security Features
  61. 2.6.1.1 Packet Tracer - Configure Cisco Routers for Syslog, NTP, and SSH Operations
  62. https://www.netacad.com