This document provides instructions for securing network devices, including securing administrative access, implementing device hardening, and implementing traffic filtering. It discusses securing access to the device through the console port, VTY lines, and auxiliary port by configuring login passwords. It also recommends encrypting all passwords, configuring session timeouts, implementing access levels for administrators, and configuring warning banners. For the management plane, it suggests securing protocols like SNMP, SSH, and disabling unneeded services. Device hardening includes securing the management, control, and data planes through password policies and encryption. Traffic filtering can be implemented through access control lists.
5.3.1.2 Packet Tracer skills integration challenge instructions, by Jose Luis Heredia
The document provides requirements for configuring a new switch including initial settings, SSH, and port security. It lists requirements such as configuring the hostname, banner, console login, encrypted passwords, management interface addressing, SSH settings for remote access including domain name, key-pair, version, user, and VTY lines. It also lists requirements for port security such as disabling unused ports, setting the interface mode to access, enabling port security to allow two hosts per port, recording MAC addresses, and ensuring port violations disable ports.
The document discusses several ways to secure network devices like routers. It recommends:
1) Physically securing devices in a locked room and having backup power and components;
2) Using the latest stable operating system version and keeping backups; and
3) Restricting access to devices through secure passwords, login timeouts, and disabling unused ports and services.
This document provides information about router configuration. It discusses router components, operating systems, startup sequences, configuration modes and commands. Key points include:
- Routers have internal components like the CPU, RAM and flash memory and external components like Ethernet ports and console ports.
- The IOS operating system controls router functions. Routers boot by running POST checks, loading the IOS, and then loading the configuration file from NVRAM.
- Router configuration modes include setup, user exec, privilege exec, global configuration and interface configuration. Commands configure settings like interfaces, passwords and DHCP services.
Cisco Configuration Professional allows for the configuration of site-to-site IPsec VPN tunnels between two Cisco IOS routers. The document provides an example configuration using static routes that establishes an IPsec tunnel between Router A and Router B. The configuration is performed using Cisco Configuration Professional on each router and specifies the IKE and IPsec proposals, transform sets, and traffic to be protected between the 10.10.10.0 and 10.20.10.0 networks. Show commands are included to verify the tunnel is successfully established and traffic is being encrypted and decrypted.
This document discusses IP addressing and subnetting. It begins by explaining what an IP address is and how subnet masks are used to divide the address into a network and host portion. Various IP address classes and subnet mask lengths are presented. The document then demonstrates how to perform subnetting calculations to divide a network into multiple subnets and allocate host addresses within each subnet. Decimal to binary conversions and subnet mask bit calculations are also covered.
This document provides instructions for using the ESP8266 microcontroller development board. It begins with an overview of the ESP8266 module and its capabilities. It then provides step-by-step instructions for installing the Arduino IDE and ESP8266 package to program the board using the Arduino environment. Example code is given to blink an LED and connect to WiFi. The document also provides instructions for flashing the NodeMCU firmware using a Windows machine and programming the board using the ESPlorer IDE.
SlingSecure is proud to offer our one-of-a-kind device for data protection and for sending encrypted e-mail for the following reasons:
The encryption for the protection is done entirely via hardware and not via the usual software you are running on your computer (in an unprotected environment).
The coding system is attack-proof and saves the data on a removable MicroSD memory card.
The device comes in the form of a normal USB stick which can be inserted into any computer / OS (e.g. Windows XP, Vista, 7, GNU Linux, Apple Mac OS X) without requiring drivers, thus leaving no trace of use or footprints.
SLINGSECURE USB can protect as many MicroSD cards as the user desires and has two levels of authentication; the first is the password to use SLINGSECURE USB and the second to access each MicroSD.
The document provides instructions for configuring DHCP on a Nano Station by connecting it to a laptop or PC, setting the IP address to 192.168.1.20, and logging in with username "ubnt" and password "ubnt". It then describes configuring the wireless network with SSID "CentralCraft" and password "central-craft123", and the LAN interface with IP 192.168.1.26. It also enables the DHCP server to assign IPs from 192.168.1.27 to 192.168.1.30 to connected clients.
This document provides instructions for compiling and installing the VT6655 and VT6656 Linux driver and configuring it for various wireless security modes. Key steps include:
1. Unpacking the driver source code and dependencies.
2. Compiling the driver, wpa_supplicant, and OpenSSL.
3. Configuring the driver for open, WEP, WPA-PSK, and WPA2-PSK networks through iwconfig commands and editing the wpa_supplicant.conf file.
The document details the configuration of network devices including a router and switch. It instructs to:
1. Configure the global settings on the router including setting the hostname to "router1" and configuring login banners.
2. Secure access to the router by setting passwords for privileged EXEC mode, console, and VTY lines.
3. Configure the router interfaces including the host IP settings and verifying network connectivity.
4. Save the router configuration to NVRAM.
5. Connect a host to the switch, set the hostname to "switch1", and save the switch configuration to NVRAM.
This document discusses various types of firewall technologies, including hardware firewalls, software firewalls for different operating systems, and specific firewall products. It provides information on hardware firewalls such as Cisco PIX firewalls and Check Point firewalls. It also covers software firewalls for Windows like Norton Personal Firewall and McAfee Personal Firewall.
Troubleshooting Firewalls (2012 San Diego), by Cisco Security
This presentation focuses on preemptive measures and reactive techniques that can be used to troubleshoot, secure, and maintain the Cisco Adaptive Security Appliance Products and the Cisco Firewall Services Module (FWSM). Providing an in-depth understanding of the packet flow through the firewall device, as well as how to effectively utilize the available commands and on-board tools to troubleshoot connectivity problems are the main goals of this presentation. Knowledge is assumed of security fundamentals and firewall technology at the level presented in the Cisco Networkers Online Introduction to Firewalls and Deploying Firewalls.
Cisco Live 365: https://www.ciscolive365.com/connect/sessionDetail.ww?SESSION_ID=4377
The document discusses configuring and operating Cisco IOS. It describes starting a switch and router, observing the boot process, and entering different command modes. It also covers basic Cisco IOS commands, viewing device information, and configuring parameters like hostname, interfaces, and protocols. The document provides an example of initializing a router through an interactive setup process.
Secure Shell (SSH) is a protocol that provides secure remote access to devices. This document provides instructions for configuring SSH on Cisco switches including generating SSH keys, configuring the SSH server, and monitoring the SSH configuration. Key steps include generating an RSA key pair, configuring the SSH version, setting timeout values, and limiting network access to SSH-only connections.
The document provides an overview of connecting and communicating with an ESP8266 WiFi module via serial. It discusses the hardware connections needed, including using an FTDI or Arduino board. It then demonstrates some basic AT commands to check the module status, list available networks, connect to a network, and act as both a TCP client and server.
The motherboard supports Intel Celeron and Pentium III processors with front side bus speeds of 66MHz, 100MHz, and 133MHz. It has three DIMM slots supporting up to 1GB of SDRAM memory. Expansion slots include one 32-bit AGP slot and three 32-bit PCI slots. Additional features include onboard audio, LAN, USB, serial, parallel, and floppy disk connectors.
Cohesive Networks Support Docs: VNS3 Configuration for IBM Softlayer, by Cohesive Networks
The document provides instructions for setting up a VNS3 controller instance on Softlayer. It includes requirements, launching a VNS3 template on Softlayer, configuring public IP access, sizing considerations, and optional configuration of the VNS3 controller as an internet gateway. The steps covered include selecting the VNS3 template, assigning public IP access, launching the instance with appropriate resources, and basic gateway configuration on the VNS3 and Softlayer hosts. Links are also provided to additional VNS3 documentation.
- A router is a networking device that connects different computer networks. It can be configured through commands accessed via a direct connection or remotely.
- Common router configuration modes include user mode, privileged mode, configuration mode, and interface configuration mode.
- Key configuration commands include enable (to switch between user and privileged mode), configure terminal (to enter configuration mode), hostname (to name the router), banner motd (to set a message of the day), and copy running-config startup-config (to save configurations).
Licensing on Cisco 2960, 3560X and 3750X..., by IT Tech
This document discusses licensing for Cisco 2900/3500/3700 series switches. It describes the available feature sets (LAN Base, IP Base, IP Services), how to install and remove software licenses using the CLI, and license considerations for specific switch models including 2960/2960-S, 3560/3750, 3560E/3750E, and 3560X/3750X. It provides commands for checking licenses and guidelines for license installation on switch stacks.
This document provides frequently asked questions about MikroTik RouterOS. It addresses questions about what RouterOS is, how to install and license it, how to configure features like networking, bandwidth management, wireless connectivity, and BGP routing. The document provides concise answers and instructions for tasks like upgrading RouterOS, recovering lost passwords, and troubleshooting common issues.
ifconfig is a command used to configure network interfaces in Linux, BSD, Solaris, and Mac OS X. It displays the status of interfaces, including the IP address, subnet mask, hardware address, and packet transmission/reception statistics. It is used at boot to configure interfaces and can also be used to view interface information or manually configure addresses, change interfaces between up/down states, and set other parameters.
Troubleshooting the Cisco UCS computing system, by Cisco Russia
The document discusses troubleshooting of failures in a Cisco UCS computing system. It describes monitoring the status of various components in the UCS infrastructure like chassis, I/O modules, servers, ports, and hard drives using LED indicators. It also provides instructions on connecting to the fabric interconnects via SSH and using the show tech-support command for detailed information when involving Cisco TAC for issue resolution.
This document provides a tutorial on how to connect and configure a 3G module on various operating systems, including Linux, Windows XP, Windows 7, and Mac OS X using a virtual machine. It describes steps such as installing drivers, identifying the correct USB port, using terminal programs to send AT commands to the module, and configuring the module for modem functionality using Wvdial on Linux.
This document provides an overview of the SRX JUMP STATION, which is a collection of quick start guides for configuring Juniper SRX firewalls. The purpose is to help users with ScreenOS experience transition to using JUNOS-based SRX firewalls. It assumes some basic JUNOS knowledge and provides examples of commands for common tasks. Navigation links and chapter buttons guide users through topics like login, interfaces, routing, security policies, VPNs, clustering, and more. Additional documentation sources are also referenced for more in-depth information or training.
This document discusses different types of audio cables and connectors. It describes single core and balanced audio cables, and common connectors like XLR, 1/4" jacks, and RCA. It provides wiring diagrams for making cables to connect different connectors, such as XLR to 1/4" jack, XLR to RCA, stereo jack to dual RCA, and XLR to stereo jack or dual RCA.
The document discusses various components of a motherboard including the CPU, expansion slots, expansion cards, RAM slots, ports, and connectors. The CPU controls the computer's operations and interprets basic instructions. Expansion slots allow additional capabilities to be added via cards. RAM slots hold the computer's memory. Ports and connectors allow peripherals to connect to the computer and send/receive data using various interfaces like serial, parallel, USB, FireWire, MIDI, SCSI, IrDA, and Bluetooth. The sound port transmits audio signals.
This document summarizes various computer input/output ports and connectors. It describes ports for video such as VGA, DVI, S-Video and TV out. It also covers audio ports like audio out, microphone in and line in. Additional ports covered include modem, Ethernet, infrared, USB, serial RS-232, PS/2, parallel IEEE 1284, FireWire 400, ISA bus, PCI bus, EIDE, SATA, and SCSI. For each port, it provides information on data width, transfer rate, typical uses and connector types.
Ports and connectors allow external devices to connect to a computer system. Ports are points of connection on the computer case where peripherals attach via cables and connectors. Common ports include USB, FireWire, Bluetooth, serial and parallel ports. Connectors join cables to ports and come in male and female varieties. Devices like hubs allow multiple peripherals to connect to a single port.
This document discusses asynchronous and synchronous communication. Asynchronous communication transmits data intermittently without an external clock, with timing encoded in the symbols. It is used for variable bit rate applications like file transfers and email. Synchronous communication transmits data in a steady stream at a constant rate, requiring synchronized clocks, but allows more data transfer. It is used for real-time applications like telephone calls. Both methods have advantages and disadvantages related to overhead, speed and clock synchronization.
The document discusses different types of touch screen technologies used in various applications. It describes resistive and capacitive touch screens used in point-of-sale systems, industrial controls, and public information displays. It also mentions infrared touch screens used in large plasma displays. Touch screens allow for intuitive navigation and are well-suited for applications where ease of use is important, such as kiosks, retail systems, and customer self-service.
The document discusses different types of touch screen technologies. It provides a brief history of touch screens, describing the first touch sensor developed in 1971 and first transparent touch screen in 1974. It then explains the basic components and functioning of touch screens, including touch sensors, controllers, and software drivers. The document goes on to describe various touch screen technologies like resistive, capacitive, surface wave, and infrared technologies; and their advantages and disadvantages. It concludes by discussing applications of touch screens in public displays, customer self-service, and other areas.
Touchscreens differ from other input devices in that they require no special commands to learn, allow users to interact directly on the screen without looking away, and only offer valid selectable options. The basic components of a touchscreen are a touch sensor layered over the display, a controller that translates signals from the sensor, and a software driver that allows the computer's operating system to interpret touch events. The main types of touch technologies are resistive, capacitive, surface acoustic wave, infrared, and others. Resistive screens work via pressure while capacitive screens rely on finger capacitance, with capacitive providing better accuracy, multi-touch capability, and durability.
The document discusses touch screen technology. It provides an overview of the group members working on the project, objectives of the document, introduction to touch screens including their history and applications. The key technologies used in touch screens are described along with advantages like intuitive interfaces and disadvantages like fingerprints. Examples of popular touch screen devices are given and the large and growing touch screen market is highlighted. The document concludes by noting how touch screens are becoming more widely used and replacing other input devices.
Touchless Technology Seminar Presentation, by Aparna Nk
This document discusses touchless technology that allows users to interact with screens without physically touching them. It describes a touchless monitor developed by TouchKo, White Electronics Designs, and Groupe 3D that uses sensors around the screen to detect 3D motions and interpret them as on-screen interactions. The document also mentions several other touchless technologies like the Touchless SDK, Touch Wall, eye tracking devices, gesture recognition tools, and motion sensors that enable touchless control of devices.
Storage provides capacity for files and information through devices like hard disks, while memory provides working space through RAM. Primary storage includes RAM and cache for running the computer, while secondary storage is long-term storage like hard disks. RAM is volatile memory used for running programs, coming in static RAM and dynamic RAM forms. ROM is read-only memory storing basic instructions. Cache memory improves performance by storing frequently used data and instructions. Optical storage includes CDs, DVDs, and Blu-rays, while magnetic storage encompasses floppy disks and hard disks. Flash memory offers portable options like USB drives and solid-state drives.
A touch screen consists of a clear glass panel with a touch-sensitive surface connected to a controller. The controller determines the type of interface needed and connects the touch screen to a PC. A driver software allows the touch screen and computer to communicate. There are different types of touch screen technologies including resistive, capacitive, surface acoustic wave, and infrared screens. Touch screens are used in public displays, customer self-service kiosks, and other applications where direct input is needed without keyboards or mice.
Straight through cables are normally used for serial to serial connections between computers. Toslink and optical cables transmit audio using fiber optic cables and are mainly used in Dolby surround sound systems and newer laptops. USB cables are primarily used for printing but also connect cameras, phones, and game consoles, and support transfer speeds of 12MBps for USB1 and 480MBps for USB2. Internal PC cables such as IDE and SATA cables connect hard drives to the motherboard and support different connection speeds. Network cables include Cat5e and Cat6e which are available as straight through or crossed cables. ADSL and modem cables connect telephone sockets to routers or modems using RJ11 cables, which is the American
The document discusses securing the management plane of Cisco routers. It describes 9 steps to secure the management plane: 1) follow a router security policy, 2) secure physical access, 3) use strong encrypted passwords, 4) control access to the router, 5) secure management access using AAA, 6) use secure management protocols like SSH, 7) implement system logging, 8) backup configurations periodically, and 9) disable unneeded services. It also discusses authenticating users locally and with RADIUS/TACACS+ servers.
This document discusses configuring security on Ethernet switches. It covers securing the command line interface (CLI) with passwords, usernames and encryption. It describes how to configure secure shell (SSH) for encrypted access. Methods for securing access include using simple passwords, local usernames/passwords, and external authentication servers. The document also covers encrypting passwords, configuring banners, and other security-related commands.
This document provides instructions for configuring passwords on a Cisco router to restrict access to the console, virtual terminals (VTY), and privileged EXEC mode. It explains that passwords should be set on the console and VTY lines to prevent unauthorized access. The steps shown allow setting passwords on the console line using the "line console 0" and "password" commands. VTY line passwords are configured on lines 0 to 4 using similar commands. Privileged EXEC mode passwords can be set with the "enable password" command, while "enable secret" encrypts the password. Finally, the "service password-encryption" command encrypts all router passwords.
This document provides an overview of a lesson on securing network devices. The lesson objectives include describing how to configure secure router administration access, SSH, privilege levels, and role-based CLI access. It discusses concepts like router hardening, administrative access configuration, and network monitoring techniques. Specific configuration examples are provided for setting passwords, virtual login security, and SSH. The document also summarizes using SDM to configure the SSH daemon and assigning administrative roles through privilege levels and role-based CLI access.
This document discusses basic switch configuration steps for remote management, including configuring an IP address, subnet mask, and default gateway on a switch virtual interface; configuring switch ports at the physical layer; enabling MDIX auto-detection on ports; verifying port configuration; configuring secure SSH access; and connecting the switch to the internet. It provides detailed instructions for connecting to the switch, setting the hostname and passwords, restricting Telnet access by IP, assigning the management IP address and default gateway, and saving the configuration.
Security Plus Training Event for ITProcamp Jacksonville 2016. Helping those new to the IT Security get prepared. Understand how to complete your DOD 8570.m requirements.. Discussion about Exam Objectives
This document discusses securing Cisco routers. It covers topics like securing physical and remote access to routers, configuring administrative roles and views, and monitoring router activity. Some key points include assigning privilege levels to restrict commands, creating CLI views to control command access for different user roles, and using login features like quiet mode, block lists, and banners to restrict failed login attempts. The document provides examples of securing routers by configuring services like SSH and encrypting passwords.
The document discusses router configurations, including accessing the router through the command line interface, different command modes like user EXEC and privileged EXEC, and basic router configurations like setting the hostname, enabling IP on interfaces, and verifying interface settings. It provides instructions on securing device access with passwords, saving configuration files, and documenting network addressing.
Cisco Internetworking Operating System (ios)Netwax Lab
Cisco IOS (originally Internetwork Operating
System) is software used on most Cisco Systems
routers and current Cisco network switches.
(Earlier switches ran CatOS.) IOS is a package of
routing, switching, internetworking and
telecommunications functions integrated into a
multitasking operating system.
This document discusses setting up an Internet access server using MikroTik RouterOS and the ISP billing system NetUP UTM5. It provides instructions for configuring MikroTik RouterOS on the access server, including setting IP addresses, default gateway, DNS, and SNAT. It also describes configuring the utm5_rfw daemon to allow the billing system to control Internet access by adding and removing firewall rules via scripts. The billing system is then configured to define firewall rules and tariffs to automate enabling and limiting bandwidth for user accounts.
FIWARE Wednesday Webinars - How to Secure IoT DevicesFIWARE
FIWARE Wednesday Webinar - How to Secure IoT Devices (22nd April 2020)
Corresponding webinar recording: https://youtu.be/_87IZhrYo3U
Live coding session and commentary, demonstrating various techniques and methods for securing the interactions between Devices, IoT Agents and the Context Broker
Chapter: Security
Difficulty: 3
Audience: Any Technical
Presenter: Jason Fox (Senior Technical Evangelist, FIWARE Foundation)
This chapter discusses the Cisco IOS operating system and how to perform basic configurations on Cisco networking devices. It covers accessing and navigating the Cisco IOS command-line interface, setting hostnames, securing device access with passwords, saving configurations, and configuring IP addresses and testing connectivity. The key topics are accessing the Cisco IOS through its command-line interface, learning IOS navigation modes, and making initial device configurations including hostnames, passwords, and IP addresses.
This chapter discusses configuring a network operating system using Cisco IOS. It covers accessing and navigating the Cisco IOS using the command line interface, setting hostnames and IP addresses, securing device access, and verifying basic network connectivity. Key topics include how to configure a switch hostname, set passwords to limit access, assign IP addresses to devices and interfaces, and use ping and show commands to test connectivity.
The BRST (Border Router Security Tool) is a web-based utility that asks questions and generates a secure configuration for border routers. It disables unneeded services, enables helpful ones like SSH, controls access, and configures anti-spoofing and logging. An example shows using the BRST to harden a Cisco router, closing ports revealed in an initial Nmap scan. The resulting configuration locks down services, access, and logging while enabling features like SSH and TCP keepalives.
Network topology is the topological structure of a system and might be portrayed physically or sensibly. It is an utilization of chart hypothesis wherein conveying gadgets are demonstrated as hubs and the associations between the gadgets are displayed as connections or lines between the hubs.
This document provides instructions for a lesson on securing network devices. It discusses concepts like router hardening, secure administrative access, and network monitoring techniques. It also outlines objectives like configuring a secure network perimeter and demonstrating secure router administration access. Finally, it provides details on implementing security features like banners, SSH, privilege levels, role-based CLI access, resilient configuration, and password recovery procedures.
The document provides instructions for configuring Windows 7. It discusses upgrade paths, hardware requirements, disk management including creating and attaching virtual hard disks, file system formatting and conversion, and using the disk management utility. Specific topics covered include Windows 7 editions, minimum requirements, configuring virtual hard disks, managing basic and dynamic storage, and using the Microsoft Management Console.
This document discusses network device management and configuration. It covers initial configuration of Cisco routers and switches, including connecting interfaces, setting IP addresses and default routes. It also discusses securing devices by configuring passwords, ACLs and port security. Common security threats to enterprises like malware and DDoS attacks are discussed along with mitigation techniques such as firewalls, IDS/IPS and security policies. The importance of securing routers and applying features like ACLs is emphasized.
The document discusses implementing an OSPF routing protocol. It provides an overview of OSPF including how it establishes neighbor relationships, propagates link state advertisements, and uses the shortest path first algorithm to calculate routes. It then covers topics like configuring single-area and multi-area OSPF, setting the router ID, verifying the OSPF configuration, and different OSPF network types including broadcast and point-to-point.
The document discusses implementing an EIGRP-based solution for computer networking. It covers topics such as EIGRP configuration, metrics, neighbor discovery, route summarization, and troubleshooting. Specific configuration commands are provided for enabling EIGRP routing, verifying neighbor relationships, and modifying interface metrics. The routing protocol's use of DUAL, finite state machines, and automatic summarization are also explained.
The document provides instructions on troubleshooting basic connectivity issues using tools like ping and traceroute. It describes how ping is used to test reachability between devices and can return round-trip time statistics. Traceroute is used to identify where packets are being dropped by showing each hop to the destination. The document also provides details on using Cisco's debug ip packet command to examine packets passing through a router for troubleshooting.
The document discusses a computer networking course on wide-area networks (WANs) and virtual private networks (VPNs). It covers several topics:
- WAN technologies including physical and data link layer protocols for transmitting data to remote locations.
- Configuring serial interfaces and encapsulation methods like HDLC and PPP.
- Connectivity options for WANs like leased lines, PSTN, and packet switching.
- VPN solutions that provide secure connectivity over shared infrastructures at lower costs than private networks. VPNs offer flexibility, scalability, and cost savings.
This document provides an overview of building a medium-sized computer network, including introducing different wide area network (WAN) technologies, dynamic routing protocols, and implementing the Open Shortest Path First (OSPF) routing protocol. Specifically, it discusses point-to-point links, circuit switching, packet switching, virtual circuits, dialup services, WAN devices, the role of dynamic routing protocols, how they operate, classifying routing protocols, metrics, and load balancing. The overall purpose is to teach readers how to construct a medium-sized computer network using various WAN technologies and routing protocols.
This document provides instructions on implementing VLANs and trunks in a medium-sized computer network. It discusses how VLANs can segment a network into logical broadcast domains while trunks allow multiple VLANs to be transported over a single link between switches. Static and dynamic VLAN configuration methods are described. The document also covers VLAN trunking protocols, configuring trunk links on switches, and managing VLAN traffic passing over trunks.
This document provides an overview of the basics of UNIX operating systems. It covers UNIX lessons objectives which include knowing UNIX, commands, compiling software packages, and variables. It defines UNIX as a stable, multi-user operating system and describes its graphical user interface. It also outlines the different types of UNIX and explains the core components of the UNIX operating system including the kernel, shell, and programs. The document provides examples of files and processes in UNIX and describes the directory structure and pathnames. It demonstrates various commands for listing files, making directories, copying/moving files, removing files and directories, and searching files. The document also covers redirection of input/output in UNIX.
The document discusses IPv6, the next generation internet protocol. It introduces IPv6, describing its benefits over IPv4 including vastly larger address space. It then covers key aspects of IPv6 such as address types, auto-configuration, routing protocols, and technology scope. IPv6 aims to meet growing internet demands through expanded addressing and more efficient headers.
This document provides instruction on converting between binary and decimal number formats. It includes:
1. Lessons on binary math concepts like converting binary to decimal and vice versa using a bit value chart.
2. Examples of converting specific IP addresses between dotted decimal and binary formats by placing the binary digits in the chart and adding or subtracting column values.
3. Practice questions for readers to convert sample IP addresses between the two number formats on their own.
The Cisco Unified Computing System (UCS) consolidates many separate data center elements like networking, storage, and servers into a single unified system using converged network adapters and fabric interconnects. The UCS Manager allows for unified management of physical and virtual infrastructure. Service profiles define hardware configurations that can be rapidly applied to server blades. Role-based access controls in the UCS Manager separate administrator access for networking, servers, storage and other roles.
IGRP is a Cisco proprietary distance-vector routing protocol that is more scalable than RIP. IGRP uses bandwidth and delay as its metric to calculate the distance to destinations. IGRP has limitations when networks are not contiguous and have inconsistent subnet masks, as it may summarize routes incorrectly.
This document provides an overview of establishing internet connectivity through exploring packet delivery processes, enabling static routing, managing traffic using access control lists (ACLs), and enabling internet connectivity. It discusses topics such as packet and frame formats, routing metrics, path determination, switching functions of routers, static route configuration and verification, ACL purposes and functions, and wildcard masking. The document is made up of multiple sections providing details on these various networking topics.
The document discusses establishing internet connectivity through TCP/IP networking. It covers TCP/IP protocols, IP addressing, subnetting networks, routing, and configuring routers. Specifically, it explains how TCP/IP uses the client/server model for communication and defines common application layer protocols. It also provides examples for subnetting a Class C network address into a specific number of subnets and networks.
The document discusses configuring and troubleshooting VLANs on Cisco switches. It describes creating VLANs on a switch, assigning switch ports to VLANs in access mode, and configuring trunk ports. Key steps include using the global config vlan command to create VLANs, the show vlan command to verify configurations, and the switchport mode access and switchport access commands to assign access ports to VLANs. The document also covers VTP modes, extended VLAN ranges, and trunk port configuration options.
This document provides instructions on building a simple computer network. It describes how networking works from host-to-host communication using the OSI model. It defines the components of a network including hardware, software, end devices, and intermediary devices. It also discusses network structures such as local area networks (LANs) and wide area networks (WANs), Ethernet standards, and the roles of hubs and switches. The document concludes with an overview of the Cisco Internetwork Operating System used to configure and manage Cisco networking devices.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
Programming Foundation Models with DSPy - Meetup SlidesZilliz
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Speck&Tech
ABSTRACT: A prima vista, un mattoncino Lego e la backdoor XZ potrebbero avere in comune il fatto di essere entrambi blocchi di costruzione, o dipendenze di progetti creativi e software. La realtà è che un mattoncino Lego e il caso della backdoor XZ hanno molto di più di tutto ciò in comune.
Partecipate alla presentazione per immergervi in una storia di interoperabilità, standard e formati aperti, per poi discutere del ruolo importante che i contributori hanno in una comunità open source sostenibile.
BIO: Sostenitrice del software libero e dei formati standard e aperti. È stata un membro attivo dei progetti Fedora e openSUSE e ha co-fondato l'Associazione LibreItalia dove è stata coinvolta in diversi eventi, migrazioni e formazione relativi a LibreOffice. In precedenza ha lavorato a migrazioni e corsi di formazione su LibreOffice per diverse amministrazioni pubbliche e privati. Da gennaio 2020 lavora in SUSE come Software Release Engineer per Uyuni e SUSE Manager e quando non segue la sua passione per i computer e per Geeko coltiva la sua curiosità per l'astronomia (da cui deriva il suo nickname deneb_alpha).
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfMalak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
UiPath Test Automation using UiPath Test Suite series, part 5DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD with in UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
How to Get CNIC Information System with Paksim Ga.pptxdanishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/building-and-scaling-ai-applications-with-the-nx-ai-manager-a-presentation-from-network-optix/
Robin van Emden, Senior Director of Data Science at Network Optix, presents the “Building and Scaling AI Applications with the Nx AI Manager,” tutorial at the May 2024 Embedded Vision Summit.
In this presentation, van Emden covers the basics of scaling edge AI solutions using the Nx tool kit. He emphasizes the process of developing AI models and deploying them globally. He also showcases the conversion of AI models and the creation of effective edge AI pipelines, with a focus on pre-processing, model conversion, selecting the appropriate inference engine for the target hardware and post-processing.
van Emden shows how Nx can simplify the developer’s life and facilitate a rapid transition from concept to production-ready applications.He provides valuable insights into developing scalable and efficient edge AI solutions, with a strong focus on practical implementation.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slackshyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
Full-RAG: A modern architecture for hyper-personalizationZilliz
Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceIndexBug
Imagine a world where machines not only perform tasks but also learn, adapt, and make decisions. This is the promise of Artificial Intelligence (AI), a technology that's not just enhancing our lives but revolutionizing entire industries.
4. Securing Administrative Access to a Cisco Router
Configuring administrative access on a Cisco router is an important step toward network security. A Cisco router can be reached through several paths, and every one of them must be secured or disabled:
Console
VTY
Aux
SNMP
HTTP
08/08/13
Instructional Design-Computer Networking -
Bridges Educational Group
Managing Network Device Security
5. Connection Through the Console Port
To protect administrative access to the router, you must protect the console port with a password policy. Credentials can be stored locally on the router, or administrative logins can be handled by a remote authentication, authorization, and accounting (AAA) server such as Cisco Secure Access Control Server (CSACS), which the router reaches over Remote Authentication Dial-In User Service (RADIUS) or Terminal Access Controller Access Control System Plus (TACACS+). Keep at least one local account as a fallback so that administrators are not locked out when the AAA server is unreachable.
6. Password Policy
You should keep the following rules in mind when
formulating a password policy:
Acceptable password length must be between 1 and 25
characters. Blank passwords are not a part of a good
security policy. The passwords should contain
alphanumeric, uppercase, and lowercase characters.
On Cisco equipment, the first character in the password
cannot be a number.
Leading spaces in the password are ignored; however,
spaces after the first character are not ignored.
Passwords must be changed often, and using the same
passwords over again should be avoided.
7. Securing Privilege EXEC Mode Using the enable secret Command
When you first power on the router, assuming that
there is no prior configuration stored in the
nonvolatile RAM (NVRAM), the router enters the
Initial Configuration dialog box. The Initial
Configuration dialog box is a menu system that assists
you in applying basic configuration on the router. You
can use Ctrl+Z to break out of the Initial
Configuration dialog box.
8. To make changes to the router configuration, you have to
first enter privilege EXEC mode. By default, you do not
need a password to access privilege EXEC mode. You can
use the enable command to access the privilege EXEC
mode of a router:
Router> enable
Router#
Once you are in privilege EXEC mode, you can then secure privilege EXEC mode on the
routers using the enable secret command in global
configuration mode. The enable secret command encrypts
the password to the privilege EXEC mode using the
Message Digest 5 (MD5) hashing algorithm. It is a one-way
hash. In other words, once you have a password using
MD5, you cannot unhash it:
10. If you do a show running-config on the router, you will
note that the enable secret is encrypted and
the 5 after enable secret identifies that it is an MD5 hash.
Here is an example to illustrate this concept:
Router# show running-config
! Last configuration change at 14:34:43 MST Wed Jul 16 2003
! NVRAM config last updated at 14:34:44 MST Wed Jul 16 2003
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
enable secret 5 $1$oeJp$08vrQkQWGgsz5S5h.VqQe/
!
11. Securing Console Access Using a Console Password
A Cisco router's console port is the most important port
on the device. Password recovery on the router can only be
done using the console port. This port can be used to
access the ROMMON mode on the router as well. The
console port allows a hard break signal that interrupts the
boot sequence of the router. You can issue the break
sequence on a router within 60 seconds of the reboot, and
it gives complete access to the user issuing this command.
Cisco routers are vulnerable if you have physical access to
the devices. However, if someone is trying to access the
console port of the router remotely, you can apply an
additional layer of security by prompting the user for a
password.
12. Here is how you protect the console port on the router:
Router> enable
Router# configure terminal
Router(config)# line console 0
Router(config-line)# password Ciscorocks123
Router(config-line)# login
Router(config-line)# end
Router#
13. Securing VTY Access Using a Telnet Password
By default, all Cisco routers support up to five
simultaneous Telnet sessions, and by default, no passwords
are assigned to these Telnet or VTY lines. There is built-in
security on the VTY lines that mandates the use of
passwords to access the router via a Telnet session. If a
Telnet session is initiated to a router that does not have a
password assigned to the VTY lines, the following message
appears on the screen:
telnet 172.31.100.11
Trying...
Connected to 172.31.100.11
Escape character is '^]'.
Password required, but not set
Connection closed by remote host
14. Here is how you protect the Telnet lines on the router:
Router> enable
Router# configure terminal
Router(config)# line vty 0 4
Router(config-line)# password VtyLines123
Router(config-line)# login
Router(config-line)# end
Router#
15. You should consider a few guidelines when configuring VTY access
to the router:
If there is no password set on the router to access the
privilege EXEC mode, you will not be able to access the
privilege EXEC mode of the router via the Telnet session.
Telnet transmits and receives all data in clear text, even
the passwords. To provide additional security in this
aspect, you can use Secured Shell (SSH) or administer the
router via an IPSec tunnel. You can provide additional
security by using access lists to manage administrative
access to the routers from specific IP addresses.
Remember, Cisco routers work with SSH1 only.
Make sure you have a password assigned to the VTY lines
of the router; otherwise, no one will be able to access the
router via Telnet.
16. The aux port on the router is another way you can gain access to the router. You
can protect the aux port on the router by assigning a password to it. Here is
how you accomplish the task:
Router> enable
Router# configure terminal
Router(config)# line aux 0
Router(config-line)# password ProtectAux0
Router(config-line)# login
Router(config-line)# end
Router#
In this example, every time a user accesses the router via the aux port, he or she will
be prompted for a password.
If you are not using the aux port on the router, you can disable it by issuing the following
command:
Router(config)# line aux 0
Router(config-line)# no exec
17. Encrypting All Passwords on the Router
By default, only the enable secret password is encrypted.
To encrypt all other passwords configured on the router,
issue the following command in global configuration
mode:
Router(config)# service password-encryption
The service password-encryption command uses a Cisco proprietary Vigenere
cipher to encrypt all other passwords on the router except the enable secret
password (which uses MD5). The Vigenere cipher is easy to break, and if you
do a show running-config on the router, it appears as follows:
line con 0
password 7 110A1016141D
logging synchronous
login
transport input none
18. The number 7 after the keyword password indicates that the password has
been encrypted using the Vigenere cipher. This command does not change the
fact that the Vigenere cipher can be cracked. In fact, you can download the
GETPASS utility, which will decrypt the Vigenere cipher for you.
Configuring Session Activity Timeouts
You can also control access to the router by configuring activity
timeouts. You can use the exec-timeout command to accomplish this
task. Here is an example of the configuration:
line console 0
 exec-timeout 5 0
end
19. Configuring Access Levels on the Router
You can configure access levels on the routers so the junior administrators do not have
complete access to the router. Cisco routers have 16 different privilege levels that you
can configure. The 16 levels range from 0 to 15, where 15 is equal to full access. You can
customize levels 2 to 15 to provide monitoring abilities to the secondary administrators.
Here is a sample configuration for privilege levels on the router:
Central(config)#username junioradmin privilege 3 password 0 s3cUr!tY
Central(config)#privilege exec level 3 ping
Central(config)#privilege exec level 3 traceroute
Central(config)#privilege exec level 3 show ip route
Central(config)#line vty 0 4
Central(config-line)#password CisC0r0cK5
Central(config-line)#login local
20. Notice that in addition to the login local command a
password is configured on the VTY lines. However,
users will need to use the local router database to log
in to the VTY lines because the login local command
takes precedence over the password command.
Looking at this config, whenever junioradmin logs
into the router, he or she is allowed only three
commands: ping, traceroute, and show ip route. Using
the privilege command, you can provide another layer
of security to your network backbone.
21. Configuring Routers with a Statutory Warning
It is imperative that you configure a statutory warning on all your networking devices that
clearly states the repercussions of attempting to log on to an unauthorized system. You
can achieve this by using various banner messages:
banner exec—You can use this command to specify a message that appears when an
EXEC process is initiated.
banner motd—You can use this command to enable a message of the day for your
admins and team.
banner login—You can use this command to enable messages that appear before
username and password prompts.
You can configure a few more banner messages on routers to ensure that you get the
word out that unauthorized users will be prosecuted.
Just an FYI: Do not use such phrases as "Welcome to the ABC Network" because they can
create a loophole that a hacker can use to avoid legal action. We highly recommend that
you consult your legal department to come up with the correct verbiage.
22. Securing SNMP
SNMP is one of the most exploited protocols and can be
used to gain administrative access to Cisco routers by
establishing communication between a router's internal
SNMP agent and management information base (MIB).
SNMP uses community strings that act as the passwords to
access the routers. Whenever you are setting up SNMP
community strings, make sure you know which strings will
have read-only access; which ones will have read-write
access; and, most of all, which systems will be allowed
SNMP access via ACLs.
23. Implementing Device Hardening
Securing your Cisco IOS® system devices increases the overall security of your
network. Structured around the three planes into which the functions of a network device
can be categorized, this document provides an overview of each included feature and
references to related documentation.
The three functional planes of a network, the management plane, control plane, and data
plane, each provide different functionality that needs to be protected.
Management Plane—The management plane manages traffic that is sent to the Cisco
IOS device and is made up of applications and protocols such as SSH and SNMP.
Control Plane—The control plane of a network device processes the traffic that is
paramount to maintaining the functionality of the network infrastructure. The control
plane consists of applications and protocols between network devices, which includes
the Border Gateway Protocol (BGP), as well as the Interior Gateway Protocols (IGPs)
such as the Enhanced Interior Gateway Routing Protocol (EIGRP) and Open Shortest
Path First (OSPF).
Data Plane—The data plane forwards data through a network device. The data plane
does not include traffic that is sent to the local Cisco IOS device.
24. Management Plane
The management plane consists of functions that achieve the management goals of the
network. This includes interactive management sessions using SSH, as well as
statistics-gathering with SNMP or NetFlow. When you consider the security of a network device,
it is critical that the management plane be protected. If a security incident is able to
undermine the functions of the management plane, it can be impossible for you to
recover or stabilize the network.
General Management Plane Hardening
The management plane is used in order to access, configure, and manage a device, as well as
monitor its operations and the network on which it is deployed. The management plane
is the plane that receives and sends traffic for operations of these functions. You must
secure both the management plane and control plane of a device, as operations of the
control plane directly affect operations of the management plane. This list of protocols is
used by the management plane:
Simple Network Management Protocol
Telnet
Secure Shell Protocol
File Transfer Protocol
Trivial File Transfer Protocol
Secure Copy Protocol
TACACS+
RADIUS
NetFlow
Network Time Protocol
Syslog
25. Password Management
The enable secret command is used in order to set the password that grants privileged
administrative access to the Cisco IOS system. The enable secret command must be
used, rather than the older enable password command. The enable password command
uses a weak encryption algorithm.
The service password-encryption global configuration command directs the Cisco IOS
software to encrypt the passwords, Challenge Handshake Authentication Protocol
(CHAP) secrets, and similar data that are saved in its configuration file. Such encryption
is useful in order to prevent casual observers from reading passwords, such as when they
look at the screen over the shoulder of an administrator.
While this weak encryption algorithm is not used by the enable secret command, it is used
by the enable password global configuration command, as well as the password line
configuration command. Passwords of this type must be eliminated and the enable
secret command or the Enhanced Password Security feature needs to be used.
The enable secret command and the Enhanced Password Security feature use Message
Digest 5 (MD5) for password hashing. This algorithm has had considerable public review
and is not known to be reversible.
26. Enhanced Password Security
The feature Enhanced Password Security, introduced in Cisco IOS Software Release
12.2(8)T, allows an administrator to configure MD5 hashing of passwords for
the username command. Prior to this feature, there were two types of passwords: Type 0,
which is a cleartext password, and Type 7, which uses the algorithm from the Vigenère
cipher. The Enhanced Password Security feature cannot be used with protocols that
require the cleartext password to be retrievable, such as CHAP.
In order to encrypt a user password with MD5 hashing, issue the username secret global
configuration command.
!
username <name> secret <password>
!
Refer to Enhanced Password Security for more information about this feature.
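The following audit script is an added example, not part of the original slides or of Cisco's documentation. It scans a running-config for the constructs the Password Management and Enhanced Password Security slides (and the earlier service password-encryption slides) warn about, and checks cleartext passwords against the password-policy rules from the Password Policy slide. The sample configuration embedded in it is constructed; the netops hash is a placeholder, not a real digest.

```python
"""Audit a Cisco IOS running-config for weak password storage.

Added example, not code from the original slides. It flags 'enable password'
(use 'enable secret'), 'username ... password' (use 'username ... secret'),
type 7 strings (the reversible encoding left by 'service password-encryption'),
cleartext type 0 passwords, and a missing 'service password-encryption', and
applies the slides' password-policy rules to any cleartext password found.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample configuration mixing good and bad practice. The type 7
# string and the enable secret hash are the ones shown on the slides; the
# netops hash is a placeholder, not a real MD5 digest.
SAMPLE_CONFIG = """\
version 12.3
service password-encryption
hostname Router
enable password 7 110A1016141D
enable secret 5 $1$oeJp$08vrQkQWGgsz5S5h.VqQe/
username junioradmin privilege 3 password 0 s3cUr!tY
username netops secret 5 $1$PLACEHOLDER$notarealhash
line con 0
 password 7 110A1016141D
 login
line vty 0 4
 password 0 1Cisco
 login local
"""


@dataclass(frozen=True)
class Finding:
    line_no: int       # 0 means the finding applies to the whole config
    severity: str      # "high" or "medium"
    message: str


def password_policy_issues(password: str) -> list[str]:
    """Check a cleartext password against the rules from the slides."""
    password = password.lstrip(" ")   # IOS ignores leading spaces
    issues = []
    if not 1 <= len(password) <= 25:
        issues.append("length must be between 1 and 25 characters")
    if password[:1].isdigit():
        issues.append("first character cannot be a number")
    if not any(c.isupper() for c in password):
        issues.append("must contain an uppercase letter")
    if not any(c.islower() for c in password):
        issues.append("must contain a lowercase letter")
    if not any(c.isdigit() for c in password):
        issues.append("must contain a digit")
    return issues


def _split_password(tokens: list[str]) -> tuple[str, str]:
    """Return (type, value) for the text after the 'password' keyword.

    IOS writes 'password 0 <clear>' or 'password 7 <encoded>'; when the
    type number is omitted the value is cleartext.
    """
    rest = tokens[tokens.index("password") + 1:]
    if len(rest) >= 2 and rest[0] in ("0", "7"):
        return rest[0], " ".join(rest[1:])
    return "0", " ".join(rest)


def audit_config(config_text: str) -> list[Finding]:
    findings: list[Finding] = []
    has_encryption = False
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        tokens = raw.split()
        if tokens[:2] == ["service", "password-encryption"]:
            has_encryption = True
            continue
        # Only statements that define a password are of interest; this skips
        # banners or descriptions that merely contain the word.
        if not tokens or tokens[0] not in ("enable", "password", "username"):
            continue
        if "password" not in tokens:
            continue   # e.g. 'enable secret' or 'username ... secret': fine
        if tokens[0] == "enable":
            where = "enable password"
            findings.append(Finding(line_no, "high",
                "'enable password' uses weak storage; use 'enable secret' (MD5)"))
        elif tokens[0] == "username":
            where = f"username {tokens[1]}"
            findings.append(Finding(line_no, "medium",
                f"{where}: use 'username {tokens[1]} secret' instead of 'password'"))
        else:
            where = "line password"
        ptype, value = _split_password(tokens)
        if ptype == "7":
            findings.append(Finding(line_no, "medium",
                f"{where}: type 7 string is reversible, not a hash"))
        else:
            findings.append(Finding(line_no, "high",
                f"{where}: cleartext (type 0) password stored in configuration"))
            for issue in password_policy_issues(value):
                findings.append(Finding(line_no, "medium",
                    f"{where}: policy violation, {issue}"))
    if not has_encryption:
        findings.append(Finding(0, "medium",
            "'service password-encryption' is not set; line and username "
            "passwords are stored in cleartext"))
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f.line_no:>2} [{f.severity}] {f.message}")
```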
27. Login Password Retry Lockout
The Login Password Retry Lockout feature, added in Cisco IOS Software Release 12.3(14)T,
allows you to lock out a local user account after a configured number of unsuccessful
login attempts. Once a user is locked out, their account is locked until you unlock it. An
authorized user who is configured with privilege level 15 cannot be locked out with this
feature. The number of users with privilege level 15 must be kept to a minimum.
Note that authorized users can lock themselves out of a device if the number of
unsuccessful login attempts is reached. Additionally, a malicious user can create a denial
of service (DoS) condition with repeated attempts to authenticate with a valid username.
This example shows how to enable the Login Password Retry Lockout feature:
!
aaa new-model
aaa local authentication attempts max-fail <max-attempts>
aaa authentication login default local
!
username <name> secret <password>
!
This feature also applies to authentication methods such as CHAP and Password
Authentication Protocol (PAP).
28. No Service Password-Recovery
In Cisco IOS Software Release 12.3(14)T and later, the No Service Password-Recovery feature
does not allow anyone with console access to insecurely access the device configuration
and clear the password. It also does not allow malicious users to change the
configuration register value and access NVRAM.
!
no service password-recovery
!
Cisco IOS software provides a password recovery procedure that relies upon access to
ROMMON mode using the Break key during system startup. In ROMMON mode, the
device software can be reloaded to prompt a new system configuration that includes a
new password.
The current password recovery procedure enables anyone with console access to access the
device and its network. The No Service Password-Recovery feature prevents the
completion of the Break key sequence and the entering of ROMMON mode during
system startup.
If no service password-recovery is enabled on a device, it is recommended that an offline
copy of the device configuration be saved and that a configuration archiving solution be
implemented. If it is necessary to recover the password of a Cisco IOS device once this
feature is enabled, the entire configuration is deleted.
29. Disable Unused Services
As a security best practice, any unnecessary service must be disabled. These unneeded
services, especially those that use UDP (User Datagram Protocol), are infrequently used
for legitimate purposes, but can be used in order to launch DoS and other attacks that
are otherwise prevented by packet filtering.
The TCP and UDP small services must be disabled. These services include:
echo (port number 7)
discard (port number 9)
daytime (port number 13)
chargen (port number 19)
Although abuse of the small services can be avoided or made less dangerous by
anti-spoofing access lists, the services must be disabled on any device accessible within the
network. The small services are disabled by default in Cisco IOS Software Releases 12.0
and later. In earlier software, the no service tcp-small-servers and
no service udp-small-servers global configuration commands can be issued in order to disable them.
30. This is a list of additional services that must be disabled if not in use:
Issue the no ip finger global configuration command in order to disable Finger service.
Cisco IOS software releases later than 12.1(5) and 12.1(5)T disable this service by default.
Issue the no ip bootp server global configuration command in order to disable
Bootstrap Protocol (BOOTP).
In Cisco IOS Software Release 12.2(8)T and later, issue the ip dhcp bootp
ignore command in global configuration mode in order to disable BOOTP. This leaves
Dynamic Host Configuration Protocol (DHCP) services enabled.
DHCP services can be disabled if DHCP relay services are not required. Issue the no
service dhcp command in global configuration mode.
Issue the no mop enabled command in interface configuration mode in order to
disable the Maintenance Operation Protocol (MOP) service.
Issue the no ip domain-lookup global configuration command in order to disable
Domain Name System (DNS) resolution services.
Issue the no service pad command in global configuration mode in order to disable
Packet Assembler/Disassembler (PAD) service, which is used for X.25 networks.
HTTP server can be disabled with the no ip http server command in global configuration
mode, and Secure HTTP (HTTPS) server can be disabled with the
no ip http secure-server global configuration command.
31. Unless Cisco IOS devices retrieve configurations from the network during startup,
the no service config global configuration command must be used. This prevents the
Cisco IOS device from attempting to locate a configuration file on the network using
TFTP.
Cisco Discovery Protocol (CDP) is a network protocol that is used in order to discover
other CDP enabled devices for neighbor adjacency and network topology. CDP can be
used by Network Management Systems (NMS) or during troubleshooting. CDP must be
disabled on all interfaces that are connected to untrusted networks. This is
accomplished with the no cdp enable interface command. Alternatively, CDP can be
disabled globally with the no cdp run global configuration command. Note that CDP
can be used by a malicious user for reconnaissance and network mapping.
Link Layer Discovery Protocol (LLDP) is an IEEE protocol that is defined in 802.1AB.
LLDP is similar to CDP. However, this protocol allows interoperability between other
devices that do not support CDP. LLDP must be treated in the same manner as CDP and
disabled on all interfaces that connect to untrusted networks. In order to accomplish
this, issue the no lldp transmit and no lldp receive interface configuration
commands. Issue the no lldp run global configuration command in order to disable
LLDP globally. LLDP can also be used by a malicious user for reconnaissance and
network mapping.
32. EXEC Timeout
In order to set the interval that the EXEC command interpreter waits for user input before
it terminates a session, issue the exec-timeout line configuration command. The
exec-timeout command must be used in order to log out sessions on vty or tty lines that are
left idle. By default, sessions are disconnected after 10 minutes of inactivity.
!
line con 0
exec-timeout <minutes> [seconds]
line vty 0 4
exec-timeout <minutes> [seconds]
!
Keepalives for TCP Sessions
The service tcp-keepalive-in and service tcp-keepalive-out global configuration
commands enable a device to send TCP keepalives for TCP sessions. This configuration
must be used in order to enable TCP keepalives on inbound connections to the device
and outbound connections from the device. This ensures that the device on the remote
end of the connection is still accessible and that half-open or orphaned connections are
removed from the local Cisco IOS device.
!
service tcp-keepalive-in
service tcp-keepalive-out
!
33. Using Management Interfaces
The management plane of a device is accessed in-band or out-of-band on a
physical or logical management interface. Ideally, both in-band and
out-of-band management access exists for each network device so that the
management plane can be accessed during network outages.
One of the most common interfaces that is used for in-band access to a device is
the logical loopback interface. Loopback interfaces are always up, whereas
physical interfaces can change state, and the interface can potentially not be
accessible. It is recommended to add a loopback interface to each device as a
management interface and that it be used exclusively for the management
plane. This allows the administrator to apply policies throughout the network
for the management plane. Once the loopback interface is configured on a
device, it can be used by management plane protocols, such as SSH, SNMP,
and syslog, in order to send and receive traffic.
34. Memory Threshold Notifications
The feature Memory Threshold Notification, added in Cisco IOS Software Release 12.3(4)T,
allows you to mitigate low-memory conditions on a device. This feature uses two
methods to accomplish this: Memory Threshold Notification and Memory Reservation.
Memory Threshold Notification generates a log message in order to indicate that free
memory on a device has fallen lower than the configured threshold. This configuration
example shows how to enable this feature with the memory free low-watermark
global configuration command. This enables a device to generate a notification when
available free memory falls lower than the specified threshold, and again when available
free memory rises to five percent higher than the specified threshold.
!
memory free low-watermark processor <threshold>
memory free low-watermark io <threshold>
!
Memory Reservation is used so that sufficient memory is available for critical notifications.
This configuration example demonstrates how to enable this feature. This ensures that
management processes continue to function when the memory of the device is
exhausted.
!
memory reserve critical <value>
!
35. Reserve Memory for Console Access
In Cisco IOS Software Release 12.4(15)T and later, the Reserve Memory for Console Access
feature can be used in order to reserve enough memory to ensure console access to a
Cisco IOS device for administrative and troubleshooting purposes. This feature is
especially beneficial when the device runs low on memory. You can issue the memory
reserve console global configuration command in order to enable this feature. This
example configures a Cisco IOS device to reserve 4096 kilobytes for this purpose.
!
memory reserve console 4096
!
Network Time Protocol
The Network Time Protocol (NTP) is not an especially dangerous service, but any unneeded
service can represent an attack vector. If NTP is used, it is important to explicitly
configure a trusted time source and to use proper authentication. Accurate and reliable
time is required for syslog purposes, such as during forensic investigations of potential
attacks, as well as for successful VPN connectivity when depending on certificates for
Phase 1 authentication.
36. NTP Time Zone—When configuring NTP, the time zone needs to be configured so that
timestamps can be accurately correlated. There are usually two approaches to
configuring the time zone for devices in a network with a global presence. One method
is to configure all network devices with the Coordinated Universal Time (UTC)
(previously Greenwich Mean Time (GMT)). The other approach is to configure network
devices with the local time zone. More information on this feature can be found in
“clock timezone” in the Cisco product documentation.
NTP Authentication—Configuring NTP authentication provides assurance that NTP
messages are exchanged between trusted NTP peers. Refer to ntp authenticate and ntp
authentication-key for more information on how to configure NTP authentication.
Limiting Access to the Network with Infrastructure ACLs
Devised to prevent unauthorized direct communication to network devices,
infrastructure access control lists (iACLs) are one of the most critical security controls
that can be implemented in networks. Infrastructure ACLs leverage the idea that nearly
all network traffic traverses the network and is not destined to the network itself.
An iACL is constructed and applied to specify connections from hosts or networks that
need to be allowed to network devices. Common examples of these types of connections
are eBGP, SSH, and SNMP. After the required connections have been permitted, all other
traffic to the infrastructure is explicitly denied. All transit traffic that crosses the network
and is not destined to infrastructure devices is then explicitly permitted.
37. The protections provided by iACLs are relevant to both the management and control
planes. The implementation of iACLs can be made easier through the use of distinct
addressing for network infrastructure devices. Refer to A Security Oriented Approach to
IP Addressing for more information on the security implications of IP addressing.
This example iACL configuration illustrates the structure that must be used as a starting
point when you begin the iACL implementation process:
38. Once created, the iACL must be applied to all interfaces that face non-infrastructure
devices. This includes interfaces that connect to other organizations, remote access
segments, user segments, and segments in data centers.
ICMP Packet Filtering
The Internet Control Message Protocol (ICMP) is designed as an IP control protocol. As
such, the messages it conveys can have far-reaching ramifications to the TCP and IP
protocols in general. While the network troubleshooting tools ping and traceroute use
ICMP, external ICMP connectivity is rarely needed for the proper operation of a network.
Cisco IOS software provides functionality to specifically filter ICMP messages by name or
type and code. This example ACL, which must be used with the access control entries
(ACEs) from previous examples, allows pings from trusted management stations and
NMS servers and blocks all other ICMP packets:
39. Filtering IP Fragments
The filtering of fragmented IP packets can pose a challenge to security devices. This is
because the Layer 4 information that is used in order to filter TCP and UDP packets is
only present in the initial fragment. Cisco IOS software uses a specific method to check
non-initial fragments against configured access lists. Cisco IOS software evaluates these
non-initial fragments against the ACL and ignores any Layer 4 filtering information. This
causes non-initial fragments to be evaluated solely on the Layer 3 portion of any
configured ACE.
In this example configuration, if a TCP packet destined to 192.168.1.1 on port 22 is
fragmented in transit, the initial fragment is dropped as expected by the second ACE
based on the Layer 4 information within the packet. However, all remaining (non-initial)
fragments are allowed by the first ACE based completely on the Layer 3 information in
the packet and ACE. This scenario is shown in this configuration:
!
ip access-list extended ACL-FRAGMENT-EXAMPLE
permit tcp any host 192.168.1.1 eq 80
deny tcp any host 192.168.1.1 eq 22
!
40. Due to the non-intuitive nature of fragment handling, IP fragments are often
inadvertently permitted by ACLs. Fragmentation is also often used in attempts to evade
detection by intrusion detection systems. It is for these reasons that IP fragments are
often used in attacks, and why they must be explicitly filtered at the top of any
configured iACLs. This example ACL includes comprehensive filtering of IP fragments.
The functionality from this example must be used in conjunction with the functionality
of the previous examples.
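The following Python model is an added example, not part of the original slides. It replays the ACL-FRAGMENT-EXAMPLE scenario from slide 39 and the explicit fragment filtering recommended on slide 40: non-initial fragments carry no Layer 4 header, so an ACE's port qualifier cannot be compared and only the Layer 3 fields decide. The class and function names are hypothetical; the handling of a deny ACE that carries Layer 4 information follows Cisco's documented behaviour (the deny is skipped and the next ACE is evaluated), which goes one step beyond the slide's summary.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Packet:
    proto: str                    # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None   # None when no Layer 4 header is present
    non_initial_fragment: bool = False

@dataclass
class ACE:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: str                      # "any" or a CIDR prefix
    dst: str
    dport: Optional[int] = None   # the "eq <port>" qualifier
    fragments: bool = False       # the IOS "fragments" keyword

    def _l3_matches(self, p: Packet) -> bool:
        def in_prefix(spec: str, addr: str) -> bool:
            return spec == "any" or ip_address(addr) in ip_network(spec)
        return (self.proto in ("ip", p.proto)
                and in_prefix(self.src, p.src) and in_prefix(self.dst, p.dst))

    def matches(self, p: Packet) -> bool:
        if not self._l3_matches(p):
            return False
        if self.fragments:
            # "fragments" ACEs apply to non-initial fragments only
            return p.non_initial_fragment
        if not p.non_initial_fragment:
            # whole packet or initial fragment: the Layer 4 qualifier is compared
            return self.dport is None or self.dport == p.dport
        if self.dport is None:
            return True               # pure Layer 3 ACE applies as written
        # Non-initial fragment against an ACE that has Layer 4 info (Cisco's
        # documented handling): a permit matches on Layer 3 alone, a deny is
        # skipped and the next ACE is evaluated.
        return self.action == "permit"

def evaluate(acl: List[ACE], p: Packet) -> str:
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"                     # implicit deny at the end of every ACL

HOST = "192.168.1.1/32"
# The slide's ACL-FRAGMENT-EXAMPLE, and the same ACL with an explicit
# fragment deny placed at the top (constructed for this example).
SLIDE_ACL = [ACE("permit", "tcp", "any", HOST, dport=80),
             ACE("deny", "tcp", "any", HOST, dport=22)]
HARDENED_ACL = [ACE("deny", "ip", "any", "any", fragments=True)] + SLIDE_ACL

def fragment_outcomes(acl: List[ACE]) -> dict:
    """Fate of an SSH packet to 192.168.1.1 that was fragmented in transit."""
    initial = Packet("tcp", "10.0.0.5", "192.168.1.1", dport=22)
    rest = Packet("tcp", "10.0.0.5", "192.168.1.1", non_initial_fragment=True)
    return {"initial": evaluate(acl, initial), "non_initial": evaluate(acl, rest)}

if __name__ == "__main__":
    print("slide ACL:   ", fragment_outcomes(SLIDE_ACL))
    print("hardened ACL:", fragment_outcomes(HARDENED_ACL))
```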
41. ACL Support for Filtering IP Options
Cisco IOS Software Release 12.3(4)T added support for the use of ACLs to filter IP packets based on the
IP options that are contained in the packet. IP options present a security challenge for network
devices because these options must be processed as exception packets. This requires a level of CPU
effort that is not required for typical packets that traverse the network. The presence of IP options
within a packet can also indicate an attempt to subvert security controls in the network or otherwise
alter the transit characteristics of a packet. It is for these reasons that packets with IP options must
be filtered at the edge of the network.
This example must be used with the ACEs from previous examples in order to include complete filtering
of IP packets that contain IP options:
42. Securing Interactive Management Sessions
Management sessions to devices allow you the ability to view and collect information about
a device and its operations. If this information is disclosed to a malicious user, the device
can become the target of an attack, compromised, and used in order to perform
additional attacks. Anyone with privileged access to a device has the capability for full
administrative control of that device. Securing management sessions is imperative to
prevent information disclosure and unauthorized access.
Management Plane Protection
Beginning with Cisco IOS Software Release 12.4(6)T, the feature Management Plane Protection (MPP)
allows an administrator to restrict on which interfaces management traffic can be received by a
device. This allows the administrator additional control over a device and how the device is accessed.
This example shows how to enable the MPP to only allow SSH and HTTPS on the GigabitEthernet0/1
interface:
!
control-plane host
management-interface GigabitEthernet 0/1 allow ssh https
!
43. Control Plane Protection
Control Plane Protection (CPPr) builds on the functionality of Control Plane Policing in
order to restrict and police control plane traffic that is destined to the route processor of
the IOS device. CPPr, added in Cisco IOS Software Release 12.4(4)T, divides the control
plane into separate control plane categories that are known as subinterfaces. Three
control plane subinterfaces exist: Host, Transit and CEF-Exception. In addition, CPPr
includes these additional control plane protection features:
Port-filtering feature—This feature provides for the policing or dropping of packets
going to closed or non-listening TCP and UDP ports.
Queue-threshold policy feature—This feature limits the number of packets for a
specified protocol that are allowed in the control plane IP input queue.
CPPr allows an administrator to classify, police, and restrict traffic that is sent to a device
for management purposes using the host subinterface. Examples of packets that are
classified for the host subinterface category include management traffic such as SSH or
Telnet and routing protocols.
Note that CPPr does not support IPv6 and is restricted to the IPv4 input path.
44. Encrypting Management Sessions
Because information can be disclosed during an interactive management session, this traffic
must be encrypted so that a malicious user cannot gain access to the data being
transmitted. Encrypting the traffic allows a secure remote access connection to the
device. If the traffic for a management session is sent over the network in cleartext, an
attacker can obtain sensitive information about the device and the network.
An administrator is able to establish an encrypted and secure remote access management
connection to a device by using the SSH or HTTPS (Secure Hypertext Transfer Protocol)
features. Cisco IOS software supports SSH version 1.0 (SSHv1), SSH version 2.0 (SSHv2),
and HTTPS that uses Secure Sockets Layer (SSL) and Transport Layer Security (TLS) for
authentication and data encryption. Note that SSHv1 and SSHv2 are not compatible.
45. Cisco IOS software also supports the Secure Copy Protocol (SCP), which allows an
encrypted and secure connection for copying device configurations or software images.
SCP relies on SSH. This example configuration enables SSH on a Cisco IOS device:
!
ip domain-name example.com
!
crypto key generate rsa modulus 2048
!
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh source-interface GigabitEthernet 0/1
!
line vty 0 4
transport input ssh
!
46. This configuration example enables SCP services:
!
ip scp server enable
!
This is a configuration example for HTTPS services:
!
crypto key generate rsa modulus 2048
!
ip http secure-server
!
SSHv2
The SSHv2 support feature introduced in Cisco IOS Software Release 12.3(4)T allows a user
to configure SSHv2. (SSHv1 support was implemented in an earlier release of Cisco IOS
Software.) SSH runs on top of a reliable transport layer and provides strong
authentication and encryption capabilities. The only reliable transport that is defined for
SSH is TCP. SSH provides a means to securely access and securely execute commands on
another computer or device over a network. The Secure Copy Protocol (SCP) feature that
is tunneled over SSH allows for the secure transfer of files.
47. The following example configuration enables SSHv2 (with SSHv1 disabled) on a Cisco IOS
device:
!
hostname router
!
ip domain-name example.com
!
crypto key generate rsa modulus 2048
!
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh source-interface GigabitEthernet 0/1
!
ip ssh version 2
!
line vty 0 4
transport input ssh
!
48. Console and AUX Ports
If password recovery is not required, then an administrator can remove the ability to
perform the password recovery procedure using the no service password-recovery global
configuration command; however, once the no service password-recovery command has
been enabled, an administrator can no longer perform password recovery on a device.
In most situations, the AUX port of a device must be disabled to prevent unauthorized
access. An AUX port can be disabled using these commands:
!
line aux 0
transport input none
transport output none
no exec
exec-timeout 0 1
no password
!
Warning Banners
In some legal jurisdictions it can be impossible to prosecute and illegal to monitor
malicious users unless they have been notified that they are not permitted to use the
system. One method to provide this notification is to place this information into a
banner message that is configured with the Cisco IOS software banner login command.
49. Legal notification requirements are complex, vary by jurisdiction and situation, and should
be discussed with legal counsel. Even within jurisdictions, legal opinions can differ. In
cooperation with counsel, a banner can provide some or all of this information:
Notice that the system is to be logged into or used only by specifically authorized
personnel and perhaps information about who can authorize use.
Notice that any unauthorized use of the system is unlawful and can be subject to civil
and criminal penalties.
Notice that any use of the system can be logged or monitored without further notice and
that the resulting logs can be used as evidence in court.
Specific notices required by local laws.
Logging Best Practices
Event logging provides you visibility into the operation of a Cisco IOS device and the
network into which it is deployed. Cisco IOS software provides several flexible logging
options that can help achieve the network management and visibility goals of an
organization.
50. Send Logs to a Central Location
You are advised to send logging information to a remote syslog server. By doing so, it
becomes possible to correlate and audit network and security events across network
devices more effectively. Note that syslog messages are transmitted unreliably by UDP
and in cleartext. For this reason, any protections that a network affords to management
traffic (for example, encryption or out-of-band access) should be extended to include
syslog traffic.
This configuration example configures a Cisco IOS device to send logging information to a
remote syslog server:
!
logging host <ip-address>
!
51. Control Plane
Control plane functions consist of the protocols and processes that communicate between
network devices to move data from source to destination. This includes routing
protocols such as the Border Gateway Protocol, as well as protocols like ICMP and the
Resource Reservation Protocol (RSVP).
IP ICMP Redirects
There are two types of ICMP redirect messages: redirect for a host address and redirect for
an entire subnet. A malicious user can exploit the ability of the router to send ICMP
redirects by continually sending packets to the router, forcing the router to respond with
ICMP redirect messages, resulting in an adverse impact on the CPU and performance of
the router. In order to prevent the router from sending ICMP redirects, use the no ip
redirects interface configuration command.
ICMP Unreachable
In Cisco IOS software, ICMP unreachable generation is limited to one packet every 500
milliseconds by default. ICMP unreachable message generation can be disabled using
the interface configuration command no ip unreachables. ICMP unreachable rate
limiting can be changed from the default using the global configuration command ip
icmp rate-limit unreachable interval-in-ms.
52. Proxy ARP
Proxy ARP, in which the router answers ARP requests on behalf of other hosts, can be abused
in man-in-the-middle attacks: a host on the network spoofs the MAC address of the router,
resulting in unsuspecting hosts sending traffic to the attacker. Proxy ARP can be
disabled using the interface configuration command no ip proxy-arp.
Control Plane Protection
Control Plane Protection (CPPr), introduced in Cisco IOS Software Release 12.4(4)T, can be
used in order to restrict or police control plane traffic that is destined to the CPU of the
Cisco IOS device. While similar to CoPP, CPPr has the ability to restrict traffic with finer
granularity. CPPr divides the aggregate control plane into three separate control plane
categories known as subinterfaces. Subinterfaces exist for Host, Transit, and CEF-
Exception traffic categories. In addition, CPPr includes these control plane protection
features:
Port-filtering feature—This feature provides for policing and dropping of packets that are
sent to closed or non-listening TCP or UDP ports.
Queue-thresholding feature—This feature limits the number of packets for a specified
protocol that are allowed in the control-plane IP input queue.
53. Securing BGP
The Border Gateway Protocol (BGP) is the routing foundation of the Internet. As such, any
organization with more than modest connectivity requirements often finds itself
utilizing BGP. BGP is often targeted by attackers because of its ubiquity and the “set and
forget” nature of BGP configurations in smaller organizations.
TTL-based Security Protections
GTSM for BGP is enabled using the ttl-security option for the neighbor BGP router
configuration command. This example illustrates the configuration of this feature:
!
router bgp <asn>
neighbor <ip-address> remote-as <remote-asn>
neighbor <ip-address> ttl-security hops <hop-count>
!
BGP Peer Authentication with MD5
Peer authentication using MD5 creates an MD5 digest of each packet sent as part of a BGP
session. Specifically, portions of the IP and TCP headers, TCP payload, and a secret key
are used in order to generate the digest.
54.
!
router bgp <asn>
neighbor <ip-address> remote-as <remote-asn>
neighbor <ip-address> password <secret>
!
Data Plane
Although the data plane is responsible for moving data from source to destination, within
the context of security, the data plane is the least important of the three planes. It is for
this reason that when securing a network device it is important to protect the
management and control planes in preference over the data plane.
IP Options Selective Drop
In the first form of the ip options global configuration command, ip options drop, all IP
packets containing IP options that are received by the Cisco IOS device are dropped. This
prevents both the elevated CPU load and possible subversion of security controls that IP
options can enable.
The second form of this command, ip options ignore, configures the Cisco IOS device to
ignore IP options that are contained in received packets. While this does mitigate the
threats related to IP options for the local device, it is possible that downstream devices
could be affected by the presence of IP options. It is for this reason that the drop form of
this command is highly recommended. This is demonstrated in the configuration
example:
55. Disable IP Source Routing
If IP options have not been completely disabled via the IP Options Selective Drop
feature, it is important that IP source routing is disabled. IP source routing,
which is enabled by default in all Cisco IOS Software Releases, is disabled via
the no ip source-route global configuration command. This configuration
example illustrates the use of this command:
!
no ip source-route
!
Disable ICMP Redirects
In some situations, it may be possible for an attacker to cause the Cisco IOS
device to send many ICMP redirect messages, resulting in an elevated CPU
load. For this reason, it is recommended that the transmission of ICMP
redirects be disabled. ICMP redirects are disabled using the interface
configuration command no ip redirects, as shown in the example
configuration:
!
interface FastEthernet 0
no ip redirects
!
56. Disable or Limit IP Directed Broadcasts
Current versions of Cisco IOS software have this functionality disabled by
default; however, it can be enabled via the ip directed-broadcast interface
configuration command. Releases of Cisco IOS software prior to 12.0 have this
functionality enabled by default.
If a network absolutely requires directed broadcast functionality, its use should
be controlled. This is possible using an access control list as an option to the ip
directed-broadcast command. This configuration example limits directed
broadcasts to those UDP packets originating at a trusted network,
192.168.1.0/24:
!
access-list 100 permit udp 192.168.1.0 0.0.0.255 any
!
interface FastEthernet 0
ip directed-broadcast 100
!
57. Anti-Spoofing Protections
Many attacks utilize source IP address spoofing to be effective or to conceal the
true source of an attack and hinder accurate traceback. Cisco IOS software
provides Unicast RPF and IP Source Guard (IPSG) to deter attacks that rely on
source IP address spoofing. In addition, ACLs and null routing are often
deployed as a manual means of spoofing prevention.
Unicast RPF
RPF can be configured in one of two modes: loose or strict. In cases where there
is asymmetric routing, loose mode is preferred because strict mode is known
to drop packets in these situations. During configuration of the ip
verify interface configuration command, the keyword any configures loose
mode while the keyword rx configures strict mode.
This example illustrates configuration of this feature:
!
ip cef
!
interface <interface>
ip verify unicast source reachable-via <mode>
!
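An added Python model (not from the original slides) of the check that ip verify unicast source reachable-via enables, showing why strict mode (rx) drops legitimate traffic under asymmetric routing while loose mode (any) only requires that some route to the source exists. The FIB, interface names and function names are constructed for this example.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, Optional

# Constructed FIB: prefix -> interface the router would use to reach that prefix.
# No default route is listed: IOS does not consult the default route for uRPF
# unless the allow-default keyword is given, so unrouted sources fail either mode.
FIB: Dict[str, str] = {
    "192.168.1.0/24": "GigabitEthernet0/1",
    "10.0.0.0/8":     "GigabitEthernet0/2",
    "10.1.0.0/16":    "GigabitEthernet0/3",   # more specific, different path
}

def lookup(fib: Dict[str, str], addr: str) -> Optional[str]:
    """Longest-prefix match; returns the egress interface or None if unrouted."""
    best_net, best_ifc = None, None
    for prefix, ifc in fib.items():
        net = ip_network(prefix)
        if ip_address(addr) in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_ifc = net, ifc
    return best_ifc

def urpf_passes(fib: Dict[str, str], src: str, rx_ifc: str, mode: str) -> bool:
    """mode "rx" = strict: the route to src must point back out rx_ifc.
    mode "any" = loose: any route to src suffices."""
    egress = lookup(fib, src)
    if egress is None:
        return False              # no route to the source: both modes drop
    if mode == "any":
        return True
    if mode == "rx":
        return egress == rx_ifc
    raise ValueError("mode must be 'rx' or 'any'")

if __name__ == "__main__":
    # Asymmetric case: traffic from 10.1.2.3 arrives on Gi0/2, but the FIB's
    # best path back to 10.1.0.0/16 is Gi0/3.
    for mode in ("rx", "any"):
        print(mode, urpf_passes(FIB, "10.1.2.3", "GigabitEthernet0/2", mode))
    print("unrouted source:", urpf_passes(FIB, "203.0.113.9", "GigabitEthernet0/2", "any"))
```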
58. IP Source Guard
IP Source Guard can be applied to Layer 2 interfaces belonging to DHCP
snooping-enabled VLANs. These commands enable DHCP snooping:
!
ip dhcp snooping
ip dhcp snooping vlan <vlan-range>
!
After DHCP snooping is enabled, these commands enable IPSG:
!
interface <interface-id>
ip verify source
!
Port security can be enabled with the ip verify source port security interface
configuration command. This requires the global configuration command ip
dhcp snooping information option; additionally, the DHCP server must
support DHCP option 82.
59. Port Security
Port Security is used in order to mitigate MAC address spoofing at the access
interface. Port Security can use dynamically learned (sticky) MAC addresses to
ease in the initial configuration. Once port security has determined a MAC
violation.
These modes are protect, restrict, shutdown, and shutdown VLAN. In instances
when a port only provides access for a single workstation utilizing standard
protocols, a maximum number of one may be sufficient. Protocols that
leverage virtual MAC addresses such as HSRP do not function when the
maximum number is set to one.
!
interface <interface>
switchport
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security maximum <number>
switchport port-security violation <violation-mode>
!
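An added Python simulation (not from the original slides) of the port security behaviour configured above: sticky learning up to the configured maximum, then the protect, restrict and shutdown violation modes, including the HSRP case the slide mentions where a maximum of one is too small. Class, function and MAC values are constructed for this example; the HSRPv1 virtual MAC prefix 0000.0c07.ac is the real one.

```python
from dataclasses import dataclass, field
from typing import List, Set

@dataclass
class SecurePort:
    maximum: int = 1                  # switchport port-security maximum <number>
    violation: str = "shutdown"       # protect | restrict | shutdown
    sticky: bool = True               # switchport port-security mac-address sticky
    secure_macs: Set[str] = field(default_factory=set)
    violation_count: int = 0
    err_disabled: bool = False

    def ingress(self, src_mac: str) -> str:
        """Handle one frame; returns 'forward', 'drop' or 'err-disabled'."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "err-disabled"     # shut down port: nothing passes until recovered
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            if self.sticky:
                self.secure_macs.add(src_mac)  # learned dynamically, then retained
            return "forward"
        # An unknown source MAC beyond the maximum is a security violation.
        if self.violation == "protect":
            return "drop"                    # silently dropped, nothing counted or logged
        self.violation_count += 1            # restrict and shutdown both count it
        if self.violation == "restrict":
            return "drop"                    # dropped, with syslog/SNMP notification
        self.err_disabled = True             # shutdown: port goes err-disabled
        return "err-disabled"

def run_frames(port: SecurePort, macs: List[str]) -> List[str]:
    """Feed a sequence of source MACs through the port and collect each verdict."""
    return [port.ingress(m) for m in macs]

# Constructed sample: a port facing a router running HSRP. The router sends from
# its burned-in MAC and from the HSRP virtual MAC, so two addresses appear.
ROUTER_BIA = "0011.2233.4455"
HSRP_VMAC = "0000.0c07.ac01"
FRAMES = [ROUTER_BIA, HSRP_VMAC, ROUTER_BIA]

if __name__ == "__main__":
    for maximum in (1, 2):
        port = SecurePort(maximum=maximum, violation="shutdown")
        print(f"maximum {maximum}:", run_frames(port, FRAMES))
```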