SlideShare a Scribd company logo
1© 2005 Cisco Systems, Inc. All rights reserved.
CCNA Security
Module 2 – Securing Network
Devices
2© 2009 Cisco Systems, Inc. All rights reserved.
Learning Objectives
2.1 - Securing Devices Access
2.2 - Assigning Administrative Roles
2.3 - Monitoring and Managing Devices
2.4 - Using Automated security features
3© 2005 Cisco Systems, Inc. All rights reserved.
Module 2 – SecuringModule 2 – Securing
Network DevicesNetwork Devices
2.1 – Securing Devices
Access
4© 2009 Cisco Systems, Inc. All rights reserved.
Securing the edge router
5© 2009 Cisco Systems, Inc. All rights reserved.
Secure the perimeter network
6© 2009 Cisco Systems, Inc. All rights reserved.
Areas of router security: Physical
• Place the router and physical devices that connect to it in a secure
locked room that is accessible only to authorized personnel, is free
of electrostatic or magnetic interference, and has controls for
temperature and humidity.
• Install an uninterruptible power supply (UPS) and keep spare
components available. This reduces the possibility of a DoS attack
from power loss to the building.
7© 2009 Cisco Systems, Inc. All rights reserved.
Operating System Security
• Configure the router with the maximum amount of
memory possible. The availability of memory can help
protect the network from some DoS attacks, while
supporting the widest range of security services.
• Use the latest stable version that meets the feature
requirements of the network. Security features in an
operating system evolve over time. Keep in mind that
the latest version of an operating system might not be
the most stable version available.
• Keep a secure copy of the router operating system
image and router configuration file as a backup.
8© 2009 Cisco Systems, Inc. All rights reserved.
Router Hardening
• Secure administrative control. Ensure that only
authorized personnel have access and that their level of
access is controlled.
• Disable unused ports and interfaces. Reduce the
number of ways a device can be accessed.
• Disable unnecessary services. Similar to many
computers, a router has services that are enabled by
default. Some of these services are unnecessary and
can be used by an attacker to gather information or for
exploitation.
9© 2009 Cisco Systems, Inc. All rights reserved.
Router Management
10© 2009 Cisco Systems, Inc. All rights reserved.
Router Access Methods
11© 2009 Cisco Systems, Inc. All rights reserved.
Router Access Methods
12© 2009 Cisco Systems, Inc. All rights reserved.
Configuring Secure Administrative Access
• Use a password length of 10 or more characters. The
longer, the better.
• Make passwords complex. Include a mix of uppercase
and lowercase letters, numbers, symbols, and spaces.
• Avoid passwords based on repetition, dictionary words,
letter or number sequences, usernames, relative or pet
names, biographical information, such as birthdates,
• Deliberately misspell a password. For example, Smith =
Smyth = 5mYth or Security = 5ecur1ty.
• Change passwords often. If a password is unknowingly
compromised, the window of opportunity for the
attacker to use the password is limited.
13© 2009 Cisco Systems, Inc. All rights reserved.
Router access passwords
14© 2009 Cisco Systems, Inc. All rights reserved.
Increase security passwords
• Enforce minimum password lengths.
• Disable unattended connections.
• Encrypt all passwords in the configuration file.
15© 2009 Cisco Systems, Inc. All rights reserved.
Minimum Character Length
• Beginning with the Cisco IOS Release 12.3(1) and later,
administrators can set the minimum character length
for all router passwords from 0 to 16 characters using
the global configuration command security
passwords min-length length.
• This command affects user passwords, enable secret
passwords, and line passwords that are created after
the command is executed. Existing router passwords
remain unaffected. Any attempt to create a new
password that is less than the specified length fails and
results in an error message similar to the following:
Password too short - must be at least 10 characters.
Password configuration failed.
16© 2009 Cisco Systems, Inc. All rights reserved.
Disable Unattended Connections
• By default, an administrative interface stays active and logged in for 10
minutes after the last session activity. After that, the interface times out
and logs out of the session.
• If an administrator is away from the terminal while the console
connection is active, an attacker has up to 10 minutes to gain privilege
level access. It is recommended that these timers be fine-tuned to limit
the amount of time to within a two or three minute maximum. These
timers can be adjusted using the exec-timeout command in line
configuration mode for each of the line types that are used.
• It is also possible to turn off the exec process for a specific line, such
as on the auxiliary port, using the no exec command within the line
configuration mode. This command allows only an outgoing connection
on the line. The no exec command allows you to disable the
EXEC process for connections which may attempt to send
unsolicited data to the router.
17© 2009 Cisco Systems, Inc. All rights reserved.
Disable Unattended Connections
18© 2009 Cisco Systems, Inc. All rights reserved.
Encrypt All Passwords
• By default, some passwords are shown in plaintext,
meaning not encrypted, in the Cisco IOS software
configuration.
• With the exception of the enable secret password, all
other plaintext passwords in the configuration file can
be encrypted in the configuration file using the service
password-encryption command.
• This command hashes current and future plaintext
passwords in the configuration file into an encrypted
ciphertext.
• The algorithm used by the service password-encryption
command is simple and can be easily reversed by
someone with access to the encrypted ciphertext and a
password-cracking application
19© 2009 Cisco Systems, Inc. All rights reserved.
Cisco Router Authentication
20© 2009 Cisco Systems, Inc. All rights reserved.
Example
21© 2009 Cisco Systems, Inc. All rights reserved.
Security for virtual logins
22© 2009 Cisco Systems, Inc. All rights reserved.
Cisco Enhanced login features
• Router(config)# login block-for seconds
attempts tries within seconds
• Router(config)# login quiet-mode access-
class {acl-name | acl-number}
• Router(config)# login delay seconds
• Router(config)# login on-failure log [every
login]
• Router(config)# login on-success log
[every login]
23© 2009 Cisco Systems, Inc. All rights reserved.
Example
24© 2009 Cisco Systems, Inc. All rights reserved.
Login block-for
• Normal mode (watch mode) - The router keeps count of the
number of failed login attempts within an identified amount
of time.
• Quiet mode (quiet period) - If the number of failed logins
exceeds the configured threshold, all login attempts using
Telnet, SSH, and HTTP are denied.
25© 2009 Cisco Systems, Inc. All rights reserved.
Login quiet-mode
• When quiet mode is enabled, all login attempts, including
valid administrative access, are not permitted. However, to
provide critical hosts access at all times, this behavior can
be overridden using an ACL. The ACL must be created and
identified using the login quiet-mode access-class
command.
26© 2009 Cisco Systems, Inc. All rights reserved.
Login delay
• The login block-for command invokes an automatic delay of
1 second between login attempts. Attackers have to wait 1
second before they can try a different password.
• This delay time can be changed using the login delay
command.
27© 2009 Cisco Systems, Inc. All rights reserved.
Login success & failure
• The command auto secure enables message logging for
failed login attempts. Logging successful login attempts is
not enabled by default.
• These commands can be used to keep track of the number
of successful and failed login attempts.
28© 2009 Cisco Systems, Inc. All rights reserved.
Show login (normal mode)
29© 2009 Cisco Systems, Inc. All rights reserved.
Sample attack
30© 2009 Cisco Systems, Inc. All rights reserved.
Show login (quiet mode)
31© 2009 Cisco Systems, Inc. All rights reserved.
Show login failures
32© 2009 Cisco Systems, Inc. All rights reserved.
Banner messages
• Use banner messages to present legal notification to would-
be intruders to inform them that they are not welcome on a
network.
• Intruders have won court cases because they did not
encounter appropriate warning messages when accessing
router networks. In addition to warning would-be intruders,
banners are also used to inform remote administrators of
use restrictions
33© 2009 Cisco Systems, Inc. All rights reserved.
Configure SSH
• Step 1. Ensure that the target routers are running a Cisco
IOS Release 12.1(1)T image or later to support SSH. Only
the Cisco IOS cryptographic images containing the IPsec
feature set support SSH. For example, c1841-
advipservicesk9-mz.124-10b.bin image support SSH.
• Step 2. Ensure that each of the target routers has a unique
host name.
• Step 3. Ensure that each of the target routers is using the
correct domain name of the network.
• Step 4. Ensure that the target routers are configured for
local authentication or AAA services for username and
password authentication. This is mandatory for a router-to-
router SSH connection.
34© 2009 Cisco Systems, Inc. All rights reserved.
Telnet vs SSH
35© 2009 Cisco Systems, Inc. All rights reserved.
Supporting SSH
• Step 1. If the router has a unique host name, configure the IP domain
name of the network using the ip domain-name domain-name
command in global configuration mode.
• Step 2. One-way secret keys must be generated for a router to
encrypt the SSH traffic. These keys are referred to as asymmetric
keys. Cisco IOS software uses the Rivest, Shamir, and Adleman
(RSA) algorithm to generate keys. To create the RSA key, use the
crypto key generate rsa general-keys modulus modulus-
size command in global configuration mode. The modulus
determines the size of the RSA key and can be configured from 360
bits to 2048 bits.
• To verify SSH and display the generated keys, use the show crypto
key mypubkey rsa command in privileged EXEC mode. If there
are existing key pairs, it is recommended that they are overwritten
using the crypto key zeroize rsa command.
36© 2009 Cisco Systems, Inc. All rights reserved.
Step 1 and 2: SSH
37© 2009 Cisco Systems, Inc. All rights reserved.
Transport input ssh
• Step 3. Ensure that there is a valid local database
username entry. If not, create one using the username
name secret secret command.
• Step 4. Enable vty inbound SSH sessions using the line
vty commands login local and transport input ssh.
• SSH is automatically enabled after the RSA keys are
generated. The router SSH service can be accessed
using SSH client software.
38© 2009 Cisco Systems, Inc. All rights reserved.
Optional SSH commands
39© 2009 Cisco Systems, Inc. All rights reserved.
Router to router SSH
40© 2009 Cisco Systems, Inc. All rights reserved.
Host to router SSH
41© 2009 Cisco Systems, Inc. All rights reserved.
SDM - SSH
42© 2005 Cisco Systems, Inc. All rights reserved.
Module 2 – SecuringModule 2 – Securing
Network DevicesNetwork Devices
2.2 – Assigning
administrative roles
43© 2009 Cisco Systems, Inc. All rights reserved.
Configuring privilege levels
44© 2009 Cisco Systems, Inc. All rights reserved.
Assigning Privilege Levels
45© 2009 Cisco Systems, Inc. All rights reserved.
Create privilege level example
46© 2009 Cisco Systems, Inc. All rights reserved.
Privilege levels - example
47© 2009 Cisco Systems, Inc. All rights reserved.
Assign level user
• To assign level 10 to the privileged EXEC mode reload
command, use the following command sequence.
privilege exec level 10 reload
username jr-admin privilege 10 secret cisco10
enable secret level 10 cisco10
48© 2009 Cisco Systems, Inc. All rights reserved.
Role-Based CLI Access
• To provide more flexibility than privilege levels, Cisco
introduced the Role-Based CLI Access feature in Cisco
IOS Release 12.3(11)T.
• This feature provides finer, more granular access by
controlling specifically which commands are available
to specific roles.
• Role-based CLI access enables the network
administrator to create different views of router
configurations for different users.
• Each view defines the CLI commands that each user
can access.
49© 2009 Cisco Systems, Inc. All rights reserved.
Security – Availability - Efficiency
• Role-based CLI access enhances the security of the device
by defining the set of CLI commands that is accessible by a
particular user. Additionally, administrators can control
user access to specific ports, logical interfaces, and slots
on a router.
• Role-based CLI access prevents unintentional execution of
CLI commands by unauthorized personnel, which could
result in undesirable results. This minimizes downtime.
• Users only see the CLI commands applicable to the ports
and CLI to which they have access; therefore, the router
appears to be less complex, and commands are easier to
identify when using the help feature on the device.
50© 2009 Cisco Systems, Inc. All rights reserved.
Role-based CLI: three types of views
• Root View
To configure any view for the system, the administrator
must be in root view. Root view has the same access
privileges as a user who has level 15 privileges. However,
a root view is not the same as a level 15 user. Only a root
view user can configure a new view and add or remove
commands from the existing views.
• CLI View
A specific set of commands can be bundled into a CLI
view. Unlike privilege levels, a CLI view has no command
hierarchy and, therefore, no higher or lower views. Each
view must be assigned all commands associated with
that view, and a view does not inherit commands from
any other views. Additionally, the same commands can
be used in multiple views.
51© 2009 Cisco Systems, Inc. All rights reserved.
• A superview consists of one or more CLI views.
Administrators can define which commands are accepted
and which configuration information is visible. Superviews
allow a network administrator to assign users and groups
of users multiple CLI views.
–A single CLI view can be shared within multiple
superviews.
–Commands cannot be configured for a superview. An
administrator must add commands to the CLI view and
add that CLI view to the superview.
–Users who are logged into a superview can access all
the commands that are configured for any of the CLI
views that are part of the superview.
Role-based CLI: Superview
52© 2009 Cisco Systems, Inc. All rights reserved.
Root – CLI - Superview
53© 2009 Cisco Systems, Inc. All rights reserved.
Create a view
• Step 1. Enable AAA with the aaa new-model global
configuration command. Exit and enter the root view with
the enable view command.
• Step 2. Create a view using the parser view view-name
command. This enables the view configuration mode. There
is a maximum limit of 15 views in total.
• Step 3. Assign a secret password to the view using the
secret encrypted-password command.
• Step 4. Assign commands to the selected view using the
commands parser-mode {include | include-exclusive |
exclude} [all] [interface interface-name | command]
command in view configuration mode.
54© 2009 Cisco Systems, Inc. All rights reserved.
Include commands
55© 2009 Cisco Systems, Inc. All rights reserved.
Example
56© 2009 Cisco Systems, Inc. All rights reserved.
Verifying Views
57© 2009 Cisco Systems, Inc. All rights reserved.
Create a Superview
• Step 1. Create a view using the parser view
view-name superview command and enter
superview configuration mode.
• Step 2. Assign a secret password to the view
using the secret encrypted-password
command.
• Step 3. Assign an existing view using the view
view-name command in view configuration
mode.
58© 2009 Cisco Systems, Inc. All rights reserved.
Superview Example
59© 2009 Cisco Systems, Inc. All rights reserved.
Verifying superview
60© 2009 Cisco Systems, Inc. All rights reserved.
Verify: Enable view
61© 2009 Cisco Systems, Inc. All rights reserved.
Root view: show parser view all
62© 2005 Cisco Systems, Inc. All rights reserved.
Module 2 – Security
Planning and Policy
2.3 - Monitoring and
Managing Devices
63© 2009 Cisco Systems, Inc. All rights reserved.
Securing the IOS and configuration files
64© 2009 Cisco Systems, Inc. All rights reserved.
Resilience IOS and config file
• The Cisco IOS resilient configuration feature
detects image version mismatches. If the router is
configured to boot with Cisco IOS resilience and
an image with a different version of the Cisco IOS
software is detected, a message, is displayed at
bootup
65© 2009 Cisco Systems, Inc. All rights reserved.
Password Recovery Process
66© 2009 Cisco Systems, Inc. All rights reserved.
Password Recovery
67© 2009 Cisco Systems, Inc. All rights reserved.
NO password recovery
68© 2009 Cisco Systems, Inc. All rights reserved.
Using SYSLOG for network security
• Cisco router log messages fall into one of eight levels. The
lower the level number, the higher the severity level. Cisco
router log messages contain three main parts:
•Timestamp
•Log message name and severity level
•Message text
69© 2009 Cisco Systems, Inc. All rights reserved.
Severity levels
70© 2009 Cisco Systems, Inc. All rights reserved.
Configure system logging
• Step 1. Set the destination logging host using the logging
host command.
• Step 2. (Optional) Set the log severity (trap) level using the
logging trap level command.
• Step 3. Set the source interface using the logging source-
interface command. This specifies that syslog packets
contain the IPv4 or IPv6 address of a particular interface.
• Step 4. Enable logging with the logging on command. You
can turn logging on and off for these destinations
individually using the logging buffered, logging monitor,
and logging global configuration commands.
71© 2009 Cisco Systems, Inc. All rights reserved.
Configure SYSLOG
72© 2009 Cisco Systems, Inc. All rights reserved.
SYSLOG with SDM
73© 2009 Cisco Systems, Inc. All rights reserved.
Monitor>> Logging
74© 2009 Cisco Systems, Inc. All rights reserved.
Usig SNMP for network security
• SNMP was developed to manage nodes, such as
servers, workstations, routers, switches, hubs, and
security appliances, on an IP network.
• SNMP is an Application Layer protocol that facilitates
the exchange of management information between
network devices.
• SNMP is part of the TCP/IP protocol suite.
• SNMP enables network administrators to manage
network performance, find and solve network problems,
and plan for network growth.
• There are different versions of SNMP.
75© 2009 Cisco Systems, Inc. All rights reserved.
SNMP components
76© 2009 Cisco Systems, Inc. All rights reserved.
Community strings
Read-only community strings - Provides
read-only access to all objects in the MIB,
except the community strings.
Read-write community strings - Provides
read-write access to all objects in the MIB,
except the community strings.
77© 2009 Cisco Systems, Inc. All rights reserved.
SNMPv3
• SNMPv3 is an interoperable standards-based
protocol for network management. SNMPv3 uses a
combination of authenticating and encrypting
packets over the network to provide secure access
–Message integrity - Ensures that a packet has
not been tampered with in transit.
–Authentication - Determines that the message is
from a valid source.
–Encryption - Scrambles the contents of a packet
to prevent it from being seen by an unauthorized
source.
78© 2009 Cisco Systems, Inc. All rights reserved.
Configure SNMP with SDM
79© 2009 Cisco Systems, Inc. All rights reserved.
Using NTP for timestamp
• NTP allows routers on the network to synchronize their
time settings with an NTP server. A group of NTP clients
that obtain time and date information from a single source
have more consistent time settings.
• When NTP is implemented in the network, it can be set up
to synchronize to a private master clock, or it can
synchronize to a publicly available NTP server on the
Internet.
80© 2009 Cisco Systems, Inc. All rights reserved.
NTP example
81© 2009 Cisco Systems, Inc. All rights reserved.
NTP version 3
82© 2009 Cisco Systems, Inc. All rights reserved.
Security Audit
83© 2009 Cisco Systems, Inc. All rights reserved.
Security audit wizard
84© 2009 Cisco Systems, Inc. All rights reserved.
Security audit report
85© 2009 Cisco Systems, Inc. All rights reserved.
Auto secure
86© 2009 Cisco Systems, Inc. All rights reserved.
Auto secure output

More Related Content

What's hot

Mastering checkpoint-1-basic-installation
Mastering checkpoint-1-basic-installationMastering checkpoint-1-basic-installation
Mastering checkpoint-1-basic-installation
networkershome
 
CCNA Security - Chapter 2
CCNA Security - Chapter 2CCNA Security - Chapter 2
CCNA Security - Chapter 2
Irsandi Hasan
 
Chapter 5 overview
Chapter 5 overviewChapter 5 overview
Chapter 5 overview
ali raza
 
CCNA Security - Chapter 6
CCNA Security - Chapter 6CCNA Security - Chapter 6
CCNA Security - Chapter 6
Irsandi Hasan
 
Serie dei nuovi processori Xeon Scalabili - Yashi Italia
Serie dei nuovi processori Xeon Scalabili - Yashi ItaliaSerie dei nuovi processori Xeon Scalabili - Yashi Italia
Serie dei nuovi processori Xeon Scalabili - Yashi Italia
Yashi Italia
 
Security features of fedora
Security features of fedoraSecurity features of fedora
Security features of fedora
Badrul Alam
 
CCNAv5 - S1: Chapter11 It's A Network
CCNAv5 - S1: Chapter11 It's A NetworkCCNAv5 - S1: Chapter11 It's A Network
CCNAv5 - S1: Chapter11 It's A Network
Vuz Dở Hơi
 
CCNA RS_NB - Chapter 2
CCNA RS_NB - Chapter 2CCNA RS_NB - Chapter 2
CCNA RS_NB - Chapter 2
Irsandi Hasan
 
Chapter 1 overview
Chapter 1 overviewChapter 1 overview
Chapter 1 overview
ali raza
 
Zsq03116usen 02
Zsq03116usen 02Zsq03116usen 02
Zsq03116usen 02
Manikandan Suresh
 
CCNAv5 - S2: Chapter 9 Access Control Lists
CCNAv5 - S2: Chapter 9 Access Control ListsCCNAv5 - S2: Chapter 9 Access Control Lists
CCNAv5 - S2: Chapter 9 Access Control Lists
Vuz Dở Hơi
 
CCNA 2 Routing and Switching v5.0 Chapter 2
CCNA 2 Routing and Switching v5.0 Chapter 2CCNA 2 Routing and Switching v5.0 Chapter 2
CCNA 2 Routing and Switching v5.0 Chapter 2
Nil Menon
 
Unix nim-presentation
Unix nim-presentationUnix nim-presentation
Unix nim-presentation
Rajeev Ghosh
 
CCNA Exploration 2 - Chapter 1
CCNA Exploration 2 - Chapter 1CCNA Exploration 2 - Chapter 1
CCNA Exploration 2 - Chapter 1
Irsandi Hasan
 
CCNA RS_ITN - Chapter 2
CCNA RS_ITN - Chapter 2CCNA RS_ITN - Chapter 2
CCNA RS_ITN - Chapter 2
Irsandi Hasan
 
HKG18-223 - Trusted FirmwareM: Trusted boot
HKG18-223 - Trusted FirmwareM: Trusted bootHKG18-223 - Trusted FirmwareM: Trusted boot
HKG18-223 - Trusted FirmwareM: Trusted boot
Linaro
 
EnGenius ERA150
EnGenius ERA150EnGenius ERA150
EnGenius ERA150
OneTel
 
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017) TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
FFRI, Inc.
 
Is this guide for you cisco firepower threat defense for the asa 5506-x series
Is this guide for you cisco firepower threat defense for the asa 5506-x seriesIs this guide for you cisco firepower threat defense for the asa 5506-x series
Is this guide for you cisco firepower threat defense for the asa 5506-x series
Sarah Tao
 
Day 6 - Manage CISCO IOS
Day 6 - Manage CISCO IOSDay 6 - Manage CISCO IOS
Day 6 - Manage CISCO IOS
anilinvns
 

What's hot (20)

Mastering checkpoint-1-basic-installation
Mastering checkpoint-1-basic-installationMastering checkpoint-1-basic-installation
Mastering checkpoint-1-basic-installation
 
CCNA Security - Chapter 2
CCNA Security - Chapter 2CCNA Security - Chapter 2
CCNA Security - Chapter 2
 
Chapter 5 overview
Chapter 5 overviewChapter 5 overview
Chapter 5 overview
 
CCNA Security - Chapter 6
CCNA Security - Chapter 6CCNA Security - Chapter 6
CCNA Security - Chapter 6
 
Serie dei nuovi processori Xeon Scalabili - Yashi Italia
Serie dei nuovi processori Xeon Scalabili - Yashi ItaliaSerie dei nuovi processori Xeon Scalabili - Yashi Italia
Serie dei nuovi processori Xeon Scalabili - Yashi Italia
 
Security features of fedora
Security features of fedoraSecurity features of fedora
Security features of fedora
 
CCNAv5 - S1: Chapter11 It's A Network
CCNAv5 - S1: Chapter11 It's A NetworkCCNAv5 - S1: Chapter11 It's A Network
CCNAv5 - S1: Chapter11 It's A Network
 
CCNA RS_NB - Chapter 2
CCNA RS_NB - Chapter 2CCNA RS_NB - Chapter 2
CCNA RS_NB - Chapter 2
 
Chapter 1 overview
Chapter 1 overviewChapter 1 overview
Chapter 1 overview
 
Zsq03116usen 02
Zsq03116usen 02Zsq03116usen 02
Zsq03116usen 02
 
CCNAv5 - S2: Chapter 9 Access Control Lists
CCNAv5 - S2: Chapter 9 Access Control ListsCCNAv5 - S2: Chapter 9 Access Control Lists
CCNAv5 - S2: Chapter 9 Access Control Lists
 
CCNA 2 Routing and Switching v5.0 Chapter 2
CCNA 2 Routing and Switching v5.0 Chapter 2CCNA 2 Routing and Switching v5.0 Chapter 2
CCNA 2 Routing and Switching v5.0 Chapter 2
 
Unix nim-presentation
Unix nim-presentationUnix nim-presentation
Unix nim-presentation
 
CCNA Exploration 2 - Chapter 1
CCNA Exploration 2 - Chapter 1CCNA Exploration 2 - Chapter 1
CCNA Exploration 2 - Chapter 1
 
CCNA RS_ITN - Chapter 2
CCNA RS_ITN - Chapter 2CCNA RS_ITN - Chapter 2
CCNA RS_ITN - Chapter 2
 
HKG18-223 - Trusted FirmwareM: Trusted boot
HKG18-223 - Trusted FirmwareM: Trusted bootHKG18-223 - Trusted FirmwareM: Trusted boot
HKG18-223 - Trusted FirmwareM: Trusted boot
 
EnGenius ERA150
EnGenius ERA150EnGenius ERA150
EnGenius ERA150
 
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017) TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
 
Is this guide for you cisco firepower threat defense for the asa 5506-x series
Is this guide for you cisco firepower threat defense for the asa 5506-x seriesIs this guide for you cisco firepower threat defense for the asa 5506-x series
Is this guide for you cisco firepower threat defense for the asa 5506-x series
 
Day 6 - Manage CISCO IOS
Day 6 - Manage CISCO IOSDay 6 - Manage CISCO IOS
Day 6 - Manage CISCO IOS
 

Viewers also liked

Practice exam #2
Practice exam #2Practice exam #2
Practice exam #2
Kris Mofu
 
CCA security answers chapter 2 test
CCA security answers chapter 2 testCCA security answers chapter 2 test
CCA security answers chapter 2 test
Soporte Yottatec
 
Intrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouniIntrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouni
Loay Elbasyouni
 
Authentication techniques
Authentication techniquesAuthentication techniques
Authentication techniques
IGZ Software house
 
Introduction To Intrusion Detection Systems
Introduction To Intrusion Detection SystemsIntroduction To Intrusion Detection Systems
Introduction To Intrusion Detection Systems
Paul Green
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detection
Umesh Dhital
 
Intrusion Detection System(IDS)
Intrusion Detection System(IDS)Intrusion Detection System(IDS)
Intrusion Detection System(IDS)
shraddha_b
 
Intrusion detection and prevention system
Intrusion detection and prevention systemIntrusion detection and prevention system
Intrusion detection and prevention system
Nikhil Raj
 
NetworkSecurity.ppt
NetworkSecurity.pptNetworkSecurity.ppt
NetworkSecurity.ppt
DreamMalar
 
Intrusion detection system ppt
Intrusion detection system pptIntrusion detection system ppt
Intrusion detection system ppt
Sheetal Verma
 
Network Security
Network SecurityNetwork Security
Network Security
MAJU
 
Intrusion detection system
Intrusion detection system Intrusion detection system
Intrusion detection system
gaurav koriya
 

Viewers also liked (12)

Practice exam #2
Practice exam #2Practice exam #2
Practice exam #2
 
CCA security answers chapter 2 test
CCA security answers chapter 2 testCCA security answers chapter 2 test
CCA security answers chapter 2 test
 
Intrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouniIntrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouni
 
Authentication techniques
Authentication techniquesAuthentication techniques
Authentication techniques
 
Introduction To Intrusion Detection Systems
Introduction To Intrusion Detection SystemsIntroduction To Intrusion Detection Systems
Introduction To Intrusion Detection Systems
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detection
 
Intrusion Detection System(IDS)
Intrusion Detection System(IDS)Intrusion Detection System(IDS)
Intrusion Detection System(IDS)
 
Intrusion detection and prevention system
Intrusion detection and prevention systemIntrusion detection and prevention system
Intrusion detection and prevention system
 
NetworkSecurity.ppt
NetworkSecurity.pptNetworkSecurity.ppt
NetworkSecurity.ppt
 
Intrusion detection system ppt
Intrusion detection system pptIntrusion detection system ppt
Intrusion detection system ppt
 
Network Security
Network SecurityNetwork Security
Network Security
 
Intrusion detection system
Intrusion detection system Intrusion detection system
Intrusion detection system
 

Similar to network security

CCNA_Security_02.ppt
CCNA_Security_02.pptCCNA_Security_02.ppt
CCNA_Security_02.ppt
veracru1
 
Curso de Seguridad de Redes Inalambricas CCNA
Curso de Seguridad de Redes Inalambricas CCNACurso de Seguridad de Redes Inalambricas CCNA
Curso de Seguridad de Redes Inalambricas CCNA
VictorTonio
 
Ex 1 chapter11-configure-network-tony_chen
Ex 1 chapter11-configure-network-tony_chenEx 1 chapter11-configure-network-tony_chen
Ex 1 chapter11-configure-network-tony_chen
Đô GiẢn
 
CCNP ROUTE V7 CH8
CCNP ROUTE V7 CH8CCNP ROUTE V7 CH8
CCNP ROUTE V7 CH8
Chaing Ravuth
 
CCNA Security 05- securing the management plane
CCNA Security 05- securing the management planeCCNA Security 05- securing the management plane
CCNA Security 05- securing the management plane
Ahmed Habib
 
CCNASv2_InstructorPPT_CH2.pptx
CCNASv2_InstructorPPT_CH2.pptxCCNASv2_InstructorPPT_CH2.pptx
CCNASv2_InstructorPPT_CH2.pptx
mohamedabdelwahed68
 
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 2
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 2CCNA (R & S) Module 01 - Introduction to Networks - Chapter 2
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 2
Waqas Ahmed Nawaz
 
Cisco Router and Switch Security Hardening Guide
Cisco Router and Switch Security Hardening GuideCisco Router and Switch Security Hardening Guide
Cisco Router and Switch Security Hardening Guide
Harris Andrea
 
CCNP Switching Chapter 10
CCNP Switching Chapter 10CCNP Switching Chapter 10
CCNP Switching Chapter 10
Chaing Ravuth
 
Chapter 2 Configure a Network Operating System
Chapter 2 Configure a Network Operating SystemChapter 2 Configure a Network Operating System
Chapter 2 Configure a Network Operating System
newbie2019
 
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 11
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 11CCNA (R & S) Module 01 - Introduction to Networks - Chapter 11
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 11
Waqas Ahmed Nawaz
 
ITN6_Instructor_Materials_Chapter11.pdf
ITN6_Instructor_Materials_Chapter11.pdfITN6_Instructor_Materials_Chapter11.pdf
ITN6_Instructor_Materials_Chapter11.pdf
ThangDang53
 
CCNA_ITN_Chp2_.pptx
CCNA_ITN_Chp2_.pptxCCNA_ITN_Chp2_.pptx
CCNA_ITN_Chp2_.pptx
NguyenLe340487
 
CCNA v6.0 ITN - Chapter 02
CCNA v6.0 ITN - Chapter 02CCNA v6.0 ITN - Chapter 02
CCNA v6.0 ITN - Chapter 02
Irsandi Hasan
 
lab2_2.pptx
lab2_2.pptxlab2_2.pptx
lab2_2.pptx
RobelTsada
 
PC LEESOON 6.pptx
PC LEESOON 6.pptxPC LEESOON 6.pptx
PC LEESOON 6.pptx
MLG College of Learning, Inc
 
Ccnas v11 ch02_eb
Ccnas v11 ch02_ebCcnas v11 ch02_eb
Ccnas v11 ch02_eb
Edgar Benavente
 
ITN_Module_2.pptx
ITN_Module_2.pptxITN_Module_2.pptx
ITN_Module_2.pptx
AshiruMUmar
 
Managing Network Device Security
Managing Network Device SecurityManaging Network Device Security
Managing Network Device Security
Arnold Derrick Kinney
 
Chapter 3 overview
Chapter 3 overviewChapter 3 overview
Chapter 3 overview
ali raza
 

Similar to network security (20)

CCNA_Security_02.ppt
CCNA_Security_02.pptCCNA_Security_02.ppt
CCNA_Security_02.ppt
 
Curso de Seguridad de Redes Inalambricas CCNA
Curso de Seguridad de Redes Inalambricas CCNACurso de Seguridad de Redes Inalambricas CCNA
Curso de Seguridad de Redes Inalambricas CCNA
 
Ex 1 chapter11-configure-network-tony_chen
Ex 1 chapter11-configure-network-tony_chenEx 1 chapter11-configure-network-tony_chen
Ex 1 chapter11-configure-network-tony_chen
 
CCNP ROUTE V7 CH8
CCNP ROUTE V7 CH8CCNP ROUTE V7 CH8
CCNP ROUTE V7 CH8
 
CCNA Security 05- securing the management plane
CCNA Security 05- securing the management planeCCNA Security 05- securing the management plane
CCNA Security 05- securing the management plane
 
CCNASv2_InstructorPPT_CH2.pptx
CCNASv2_InstructorPPT_CH2.pptxCCNASv2_InstructorPPT_CH2.pptx
CCNASv2_InstructorPPT_CH2.pptx
 
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 2
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 2CCNA (R & S) Module 01 - Introduction to Networks - Chapter 2
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 2
 
Cisco Router and Switch Security Hardening Guide
Cisco Router and Switch Security Hardening GuideCisco Router and Switch Security Hardening Guide
Cisco Router and Switch Security Hardening Guide
 
CCNP Switching Chapter 10
CCNP Switching Chapter 10CCNP Switching Chapter 10
CCNP Switching Chapter 10
 
Chapter 2 Configure a Network Operating System
Chapter 2 Configure a Network Operating SystemChapter 2 Configure a Network Operating System
Chapter 2 Configure a Network Operating System
 
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 11
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 11CCNA (R & S) Module 01 - Introduction to Networks - Chapter 11
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 11
 
ITN6_Instructor_Materials_Chapter11.pdf
ITN6_Instructor_Materials_Chapter11.pdfITN6_Instructor_Materials_Chapter11.pdf
ITN6_Instructor_Materials_Chapter11.pdf
 
CCNA_ITN_Chp2_.pptx
CCNA_ITN_Chp2_.pptxCCNA_ITN_Chp2_.pptx
CCNA_ITN_Chp2_.pptx
 
CCNA v6.0 ITN - Chapter 02
CCNA v6.0 ITN - Chapter 02CCNA v6.0 ITN - Chapter 02
CCNA v6.0 ITN - Chapter 02
 
lab2_2.pptx
lab2_2.pptxlab2_2.pptx
lab2_2.pptx
 
PC LEESOON 6.pptx
PC LEESOON 6.pptxPC LEESOON 6.pptx
PC LEESOON 6.pptx
 
Ccnas v11 ch02_eb
Ccnas v11 ch02_ebCcnas v11 ch02_eb
Ccnas v11 ch02_eb
 
ITN_Module_2.pptx
ITN_Module_2.pptxITN_Module_2.pptx
ITN_Module_2.pptx
 
Managing Network Device Security
Managing Network Device SecurityManaging Network Device Security
Managing Network Device Security
 
Chapter 3 overview
Chapter 3 overviewChapter 3 overview
Chapter 3 overview
 

network security

  • 1. 1© 2005 Cisco Systems, Inc. All rights reserved. CCNA Security Module 2 – Securing Network Devices
  • 2. 2© 2009 Cisco Systems, Inc. All rights reserved. Learning Objectives 2.1 - Securing Devices Access 2.2 - Assigning Administrative Roles 2.3 - Monitoring and Managing Devices 2.4 - Using Automated security features
  • 3. 3© 2005 Cisco Systems, Inc. All rights reserved. Module 2 – SecuringModule 2 – Securing Network DevicesNetwork Devices 2.1 – Securing Devices Access
  • 4. 4© 2009 Cisco Systems, Inc. All rights reserved. Securing the edge router
  • 5. 5© 2009 Cisco Systems, Inc. All rights reserved. Secure the perimeter network
  • 6. 6© 2009 Cisco Systems, Inc. All rights reserved. Areas of router security: Physical • Place the router and physical devices that connect to it in a secure locked room that is accessible only to authorized personnel, is free of electrostatic or magnetic interference, and has controls for temperature and humidity. • Install an uninterruptible power supply (UPS) and keep spare components available. This reduces the possibility of a DoS attack from power loss to the building.
  • 7. 7© 2009 Cisco Systems, Inc. All rights reserved. Operating System Security • Configure the router with the maximum amount of memory possible. The availability of memory can help protect the network from some DoS attacks, while supporting the widest range of security services. • Use the latest stable version that meets the feature requirements of the network. Security features in an operating system evolve over time. Keep in mind that the latest version of an operating system might not be the most stable version available. • Keep a secure copy of the router operating system image and router configuration file as a backup.
  • 8. 8© 2009 Cisco Systems, Inc. All rights reserved. Router Hardening • Secure administrative control. Ensure that only authorized personnel have access and that their level of access is controlled. • Disable unused ports and interfaces. Reduce the number of ways a device can be accessed. • Disable unnecessary services. Similar to many computers, a router has services that are enabled by default. Some of these services are unnecessary and can be used by an attacker to gather information or for exploitation.
  • 9. 9© 2009 Cisco Systems, Inc. All rights reserved. Router Management
  • 10. 10© 2009 Cisco Systems, Inc. All rights reserved. Router Access Methods
  • 11. 11© 2009 Cisco Systems, Inc. All rights reserved. Router Access Methods
  • 12. 12© 2009 Cisco Systems, Inc. All rights reserved. Configuring Secure Administrative Access • Use a password length of 10 or more characters. The longer, the better. • Make passwords complex. Include a mix of uppercase and lowercase letters, numbers, symbols, and spaces. • Avoid passwords based on repetition, dictionary words, letter or number sequences, usernames, relative or pet names, biographical information, such as birthdates, • Deliberately misspell a password. For example, Smith = Smyth = 5mYth or Security = 5ecur1ty. • Change passwords often. If a password is unknowingly compromised, the window of opportunity for the attacker to use the password is limited.
  • 13. 13© 2009 Cisco Systems, Inc. All rights reserved. Router access passwords
  • 14. 14© 2009 Cisco Systems, Inc. All rights reserved. Increase security passwords • Enforce minimum password lengths. • Disable unattended connections. • Encrypt all passwords in the configuration file.
  • 15. 15© 2009 Cisco Systems, Inc. All rights reserved. Minimum Character Length • Beginning with the Cisco IOS Release 12.3(1) and later, administrators can set the minimum character length for all router passwords from 0 to 16 characters using the global configuration command security passwords min-length length. • This command affects user passwords, enable secret passwords, and line passwords that are created after the command is executed. Existing router passwords remain unaffected. Any attempt to create a new password that is less than the specified length fails and results in an error message similar to the following: Password too short - must be at least 10 characters. Password configuration failed.
  • 16. 16© 2009 Cisco Systems, Inc. All rights reserved. Disable Unattended Connections • By default, an administrative interface stays active and logged in for 10 minutes after the last session activity. After that, the interface times out and logs out of the session. • If an administrator is away from the terminal while the console connection is active, an attacker has up to 10 minutes to gain privilege level access. It is recommended that these timers be fine-tuned to limit the amount of time to within a two or three minute maximum. These timers can be adjusted using the exec-timeout command in line configuration mode for each of the line types that are used. • It is also possible to turn off the exec process for a specific line, such as on the auxiliary port, using the no exec command within the line configuration mode. This command allows only an outgoing connection on the line. The no exec command allows you to disable the EXEC process for connections which may attempt to send unsolicited data to the router.
  • 17. 17© 2009 Cisco Systems, Inc. All rights reserved. Disable Unattended Connections
  • 18. 18© 2009 Cisco Systems, Inc. All rights reserved. Encrypt All Passwords • By default, some passwords are shown in plaintext, meaning not encrypted, in the Cisco IOS software configuration. • With the exception of the enable secret password, all other plaintext passwords in the configuration file can be encrypted in the configuration file using the service password-encryption command. • This command hashes current and future plaintext passwords in the configuration file into an encrypted ciphertext. • The algorithm used by the service password-encryption command is simple and can be easily reversed by someone with access to the encrypted ciphertext and a password-cracking application
  • 19. 19© 2009 Cisco Systems, Inc. All rights reserved. Cisco Router Authentication
  • 20. 20© 2009 Cisco Systems, Inc. All rights reserved. Example
  • 21. 21© 2009 Cisco Systems, Inc. All rights reserved. Security for virtual logins
  • 22. 22© 2009 Cisco Systems, Inc. All rights reserved. Cisco Enhanced login features • Router(config)# login block-for seconds attempts tries within seconds • Router(config)# login quiet-mode access- class {acl-name | acl-number} • Router(config)# login delay seconds • Router(config)# login on-failure log [every login] • Router(config)# login on-success log [every login]
  • 23. 23© 2009 Cisco Systems, Inc. All rights reserved. Example
  • 24. 24© 2009 Cisco Systems, Inc. All rights reserved. Login block-for • Normal mode (watch mode) - The router keeps count of the number of failed login attempts within an identified amount of time. • Quiet mode (quiet period) - If the number of failed logins exceeds the configured threshold, all login attempts using Telnet, SSH, and HTTP are denied.
  • 25. 25© 2009 Cisco Systems, Inc. All rights reserved. Login quiet-mode • When quiet mode is enabled, all login attempts, including valid administrative access, are not permitted. However, to provide critical hosts access at all times, this behavior can be overridden using an ACL. The ACL must be created and identified using the login quiet-mode access-class command.
  • 26. 26© 2009 Cisco Systems, Inc. All rights reserved. Login delay • The login block-for command invokes an automatic delay of 1 second between login attempts. Attackers have to wait 1 second before they can try a different password. • This delay time can be changed using the login delay command.
  • 27. 27© 2009 Cisco Systems, Inc. All rights reserved. Login success & failure • The command auto secure enables message logging for failed login attempts. Logging successful login attempts is not enabled by default. • These commands can be used to keep track of the number of successful and failed login attempts.
  • 28. 28© 2009 Cisco Systems, Inc. All rights reserved. Show login (normal mode)
  • 29. 29© 2009 Cisco Systems, Inc. All rights reserved. Sample attack
  • 30. 30© 2009 Cisco Systems, Inc. All rights reserved. Show login (quiet mode)
  • 31. 31© 2009 Cisco Systems, Inc. All rights reserved. Show login failures
  • 32. 32© 2009 Cisco Systems, Inc. All rights reserved. Banner messages • Use banner messages to present legal notification to would- be intruders to inform them that they are not welcome on a network. • Intruders have won court cases because they did not encounter appropriate warning messages when accessing router networks. In addition to warning would-be intruders, banners are also used to inform remote administrators of use restrictions
  • 33. 33© 2009 Cisco Systems, Inc. All rights reserved. Configure SSH • Step 1. Ensure that the target routers are running a Cisco IOS Release 12.1(1)T image or later to support SSH. Only the Cisco IOS cryptographic images containing the IPsec feature set support SSH. For example, c1841- advipservicesk9-mz.124-10b.bin image support SSH. • Step 2. Ensure that each of the target routers has a unique host name. • Step 3. Ensure that each of the target routers is using the correct domain name of the network. • Step 4. Ensure that the target routers are configured for local authentication or AAA services for username and password authentication. This is mandatory for a router-to- router SSH connection.
  • 34. 34© 2009 Cisco Systems, Inc. All rights reserved. Telnet vs SSH
  • 35. 35© 2009 Cisco Systems, Inc. All rights reserved. Supporting SSH • Step 1. If the router has a unique host name, configure the IP domain name of the network using the ip domain-name domain-name command in global configuration mode. • Step 2. One-way secret keys must be generated for a router to encrypt the SSH traffic. These keys are referred to as asymmetric keys. Cisco IOS software uses the Rivest, Shamir, and Adleman (RSA) algorithm to generate keys. To create the RSA key, use the crypto key generate rsa general-keys modulus modulus- size command in global configuration mode. The modulus determines the size of the RSA key and can be configured from 360 bits to 2048 bits. • To verify SSH and display the generated keys, use the show crypto key mypubkey rsa command in privileged EXEC mode. If there are existing key pairs, it is recommended that they are overwritten using the crypto key zeroize rsa command.
  • 36. 36© 2009 Cisco Systems, Inc. All rights reserved. Step 1 and 2: SSH
  • 37. 37© 2009 Cisco Systems, Inc. All rights reserved. Transport input ssh • Step 3. Ensure that there is a valid local database username entry. If not, create one using the username name secret secret command. • Step 4. Enable vty inbound SSH sessions using the line vty commands login local and transport input ssh. • SSH is automatically enabled after the RSA keys are generated. The router SSH service can be accessed using SSH client software.
  • 38. 38© 2009 Cisco Systems, Inc. All rights reserved. Optional SSH commands
  • 39. 39© 2009 Cisco Systems, Inc. All rights reserved. Router to router SSH
  • 40. 40© 2009 Cisco Systems, Inc. All rights reserved. Host to router SSH
  • 41. 41© 2009 Cisco Systems, Inc. All rights reserved. SDM - SSH
  • 42. 42© 2005 Cisco Systems, Inc. All rights reserved. Module 2 – SecuringModule 2 – Securing Network DevicesNetwork Devices 2.2 – Assigning administrative roles
  • 43. 43© 2009 Cisco Systems, Inc. All rights reserved. Configuring privilege levels
  • 44. 44© 2009 Cisco Systems, Inc. All rights reserved. Assigning Privilege Levels
  • 45. 45© 2009 Cisco Systems, Inc. All rights reserved. Create privilege level example
  • 46. 46© 2009 Cisco Systems, Inc. All rights reserved. Privilege levels - example
  • 47. 47© 2009 Cisco Systems, Inc. All rights reserved. Assign level user • To assign level 10 to the privileged EXEC mode reload command, use the following command sequence. privilege exec level 10 reload username jr-admin privilege 10 secret cisco10 enable secret level 10 cisco10
  • 48. 48© 2009 Cisco Systems, Inc. All rights reserved. Role-Based CLI Access • To provide more flexibility than privilege levels, Cisco introduced the Role-Based CLI Access feature in Cisco IOS Release 12.3(11)T. • This feature provides finer, more granular access by controlling specifically which commands are available to specific roles. • Role-based CLI access enables the network administrator to create different views of router configurations for different users. • Each view defines the CLI commands that each user can access.
  • 49. 49© 2009 Cisco Systems, Inc. All rights reserved. Security – Availability - Efficiency • Role-based CLI access enhances the security of the device by defining the set of CLI commands that is accessible by a particular user. Additionally, administrators can control user access to specific ports, logical interfaces, and slots on a router. • Role-based CLI access prevents unintentional execution of CLI commands by unauthorized personnel, which could result in undesirable results. This minimizes downtime. • Users only see the CLI commands applicable to the ports and CLI to which they have access; therefore, the router appears to be less complex, and commands are easier to identify when using the help feature on the device.
  • 50. 50© 2009 Cisco Systems, Inc. All rights reserved. Role-based CLI: three types of views • Root View To configure any view for the system, the administrator must be in root view. Root view has the same access privileges as a user who has level 15 privileges. However, a root view is not the same as a level 15 user. Only a root view user can configure a new view and add or remove commands from the existing views. • CLI View A specific set of commands can be bundled into a CLI view. Unlike privilege levels, a CLI view has no command hierarchy and, therefore, no higher or lower views. Each view must be assigned all commands associated with that view, and a view does not inherit commands from any other views. Additionally, the same commands can be used in multiple views.
  • 51. 51© 2009 Cisco Systems, Inc. All rights reserved. • A superview consists of one or more CLI views. Administrators can define which commands are accepted and which configuration information is visible. Superviews allow a network administrator to assign users and groups of users multiple CLI views. –A single CLI view can be shared within multiple superviews. –Commands cannot be configured for a superview. An administrator must add commands to the CLI view and add that CLI view to the superview. –Users who are logged into a superview can access all the commands that are configured for any of the CLI views that are part of the superview. Role-based CLI: Superview
  • 52. 52© 2009 Cisco Systems, Inc. All rights reserved. Root – CLI - Superview
  • 53. 53© 2009 Cisco Systems, Inc. All rights reserved. Create a view • Step 1. Enable AAA with the aaa new-model global configuration command. Exit and enter the root view with the enable view command. • Step 2. Create a view using the parser view view-name command. This enables the view configuration mode. There is a maximum limit of 15 views in total. • Step 3. Assign a secret password to the view using the secret encrypted-password command. • Step 4. Assign commands to the selected view using the commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command] command in view configuration mode.
  • 54. 54© 2009 Cisco Systems, Inc. All rights reserved. Include commands
  • 55. 55© 2009 Cisco Systems, Inc. All rights reserved. Example
  • 56. 56© 2009 Cisco Systems, Inc. All rights reserved. Verifying Views
  • 57. 57© 2009 Cisco Systems, Inc. All rights reserved. Create a Superview • Step 1. Create a view using the parser view view-name superview command and enter superview configuration mode. • Step 2. Assign a secret password to the view using the secret encrypted-password command. • Step 3. Assign an existing view using the view view-name command in view configuration mode.
  • 58. 58© 2009 Cisco Systems, Inc. All rights reserved. Superview Example
  • 59. 59© 2009 Cisco Systems, Inc. All rights reserved. Verifying superview
  • 60. 60© 2009 Cisco Systems, Inc. All rights reserved. Verify: Enable view
  • 61. 61© 2009 Cisco Systems, Inc. All rights reserved. Root view: show parser view all
  • 62. 62© 2005 Cisco Systems, Inc. All rights reserved. Module 2 – Security Planning and Policy 2.3 - Monitoring and Managing Devices
  • 63. 63© 2009 Cisco Systems, Inc. All rights reserved. Securing the IOS and configuration files
  • 64. 64© 2009 Cisco Systems, Inc. All rights reserved. Resilience IOS and config file • The Cisco IOS resilient configuration feature detects image version mismatches. If the router is configured to boot with Cisco IOS resilience and an image with a different version of the Cisco IOS software is detected, a message, is displayed at bootup
  • 65. 65© 2009 Cisco Systems, Inc. All rights reserved. Password Recovery Process
  • 66. 66© 2009 Cisco Systems, Inc. All rights reserved. Password Recovery
  • 67. 67© 2009 Cisco Systems, Inc. All rights reserved. NO password recovery
  • 68. 68© 2009 Cisco Systems, Inc. All rights reserved. Using SYSLOG for network security • Cisco router log messages fall into one of eight levels. The lower the level number, the higher the severity level. Cisco router log messages contain three main parts: •Timestamp •Log message name and severity level •Message text
  • 69. 69© 2009 Cisco Systems, Inc. All rights reserved. Severity levels
  • 70. 70© 2009 Cisco Systems, Inc. All rights reserved. Configure system logging • Step 1. Set the destination logging host using the logging host command. • Step 2. (Optional) Set the log severity (trap) level using the logging trap level command. • Step 3. Set the source interface using the logging source- interface command. This specifies that syslog packets contain the IPv4 or IPv6 address of a particular interface. • Step 4. Enable logging with the logging on command. You can turn logging on and off for these destinations individually using the logging buffered, logging monitor, and logging global configuration commands.
  • 71. 71© 2009 Cisco Systems, Inc. All rights reserved. Configure SYSLOG
  • 72. 72© 2009 Cisco Systems, Inc. All rights reserved. SYSLOG with SDM
  • 73. 73© 2009 Cisco Systems, Inc. All rights reserved. Monitor>> Logging
  • 74. 74© 2009 Cisco Systems, Inc. All rights reserved. Usig SNMP for network security • SNMP was developed to manage nodes, such as servers, workstations, routers, switches, hubs, and security appliances, on an IP network. • SNMP is an Application Layer protocol that facilitates the exchange of management information between network devices. • SNMP is part of the TCP/IP protocol suite. • SNMP enables network administrators to manage network performance, find and solve network problems, and plan for network growth. • There are different versions of SNMP.
  • 75. 75© 2009 Cisco Systems, Inc. All rights reserved. SNMP components
  • 76. 76© 2009 Cisco Systems, Inc. All rights reserved. Community strings Read-only community strings - Provides read-only access to all objects in the MIB, except the community strings. Read-write community strings - Provides read-write access to all objects in the MIB, except the community strings.
  • 77. 77© 2009 Cisco Systems, Inc. All rights reserved. SNMPv3 • SNMPv3 is an interoperable standards-based protocol for network management. SNMPv3 uses a combination of authenticating and encrypting packets over the network to provide secure access –Message integrity - Ensures that a packet has not been tampered with in transit. –Authentication - Determines that the message is from a valid source. –Encryption - Scrambles the contents of a packet to prevent it from being seen by an unauthorized source.
  • 78. 78© 2009 Cisco Systems, Inc. All rights reserved. Configure SNMP with SDM
  • 79. 79© 2009 Cisco Systems, Inc. All rights reserved. Using NTP for timestamp • NTP allows routers on the network to synchronize their time settings with an NTP server. A group of NTP clients that obtain time and date information from a single source have more consistent time settings. • When NTP is implemented in the network, it can be set up to synchronize to a private master clock, or it can synchronize to a publicly available NTP server on the Internet.
  • 80. 80© 2009 Cisco Systems, Inc. All rights reserved. NTP example
  • 81. 81© 2009 Cisco Systems, Inc. All rights reserved. NTP version 3
  • 82. 82© 2009 Cisco Systems, Inc. All rights reserved. Security Audit
  • 83. 83© 2009 Cisco Systems, Inc. All rights reserved. Security audit wizard
  • 84. 84© 2009 Cisco Systems, Inc. All rights reserved. Security audit report
  • 85. 85© 2009 Cisco Systems, Inc. All rights reserved. Auto secure
  • 86. 86© 2009 Cisco Systems, Inc. All rights reserved. Auto secure output

Editor's Notes

  1. Securing outgoing network traffic and scrutinizing incoming traffic are critical aspects of network security. Securing the edge router, which connects to the outside network, is an important first step in securing the network. Device hardening is an essential task that must never be overlooked. It involves implementing proven methods for physically securing the router and protecting the router's administrative access using the Cisco IOS command-line interface (CLI) as well as the Cisco Router and Security Device Manager (SDM). Some of these methods involve securing administrative access, including maintaining passwords, configuring enhanced virtual login features, and implementing Secure Shell (SSH). Because not all information technology personnel should have the same level of access to the infrastructure devices, defining administrative roles in terms of access is another important aspect of securing infrastructure devices. Securing the management and reporting features of Cisco IOS devices is also important. Recommended practices for securing syslog, using Simple Network Management Protocol (SNMP), and configuring Network Time Protocol (NTP) are examined. Many router services are enabled by default. A number of these features are enabled for historical reasons but are no longer required today. This chapter discusses some of these services and examines router configurations with the Security Audit feature of Cisco SDM. This chapter also examines the one-step lockdown Cisco SDM feature and the auto secure command, which can be used to automate device hardening tasks.
  2. Secure the physical installation of and the administrative access to Cisco routers based on different network requirements using the CLI and SDM. Configure administrative roles using privilege levels and role-based CLI. Implement the management and reporting features of syslog, SNMP, SSH, and NTP. Examine router configurations with the Security Audit feature of Cisco SDM, and make the router and network more secure by using the auto secure command or the One-Step Lockdown feature of Cisco SDM.
  3. Securing the network infrastructure is critical to overall network security. The network infrastructure includes routers, switches, servers, endpoints, and other devices. Consider a disgruntled employee casually looking over the shoulder of a network administrator while the administrator is logging in to an edge router. This is known as shoulder surfing, and it is a surprisingly easy way for an attacker to gain unauthorized access. If an attacker gains access to a router, the security and management of the entire network can be compromised, leaving servers and endpoints at risk. It is critical that the appropriate security policies and controls be implemented to prevent unauthorized access to all infrastructure devices. Although all infrastructure devices are at risk, routers are a primary target for network attackers. This is because routers act as traffic police, directing traffic into, out of and between networks. The edge router is the last router between the internal network and an untrusted network such as the Internet. All of an organization's Internet traffic goes through this edge router; therefore, it often functions as the first and last line of defense for a network. Through initial and final filtering, the edge router helps to secure the perimeter of a protected network. It is also responsible for implementing security actions that are based on the security policies of the organization. For these reasons, securing network routers is imperative.
  4. The edge router implementation varies depending on the size of the organization and the complexity of the required network design. Router implementations can include a single router protecting an entire inside network or a router as the first line of defense in a defense-in-depth approach. Single Router Approach In the single router approach, a single router connects the protected network, or internal LAN, to the Internet. All security policies are configured on this device. This is more commonly deployed in smaller site implementations such as branch and SOHO sites. In smaller networks, the required security features can be supported by ISRs without impeding the router's performance capabilities. Defense-in-Depth Approach A defense-in-depth approach is more secure than the single router approach. In this approach, the edge router acts as the first line of defense and is known as a screening router. It passes all connections that are intended for the internal LAN to the firewall. The second line of defense is the firewall. The firewall typically picks up where the edge router leaves off and performs additional filtering. It provides additional access control by tracking the state of the connections and acts as a chokepoint device. The edge router has a set of rules specifying which traffic it allows and denies. By default, the firewall denies the initiation of connections from the outside (untrusted) networks to the inside (trusted) network. However, it allows the internal users to establish connections to the untrusted networks and permits the responses to come back through the firewall. It can also perform user authentication (authentication proxy) where users must be authenticated to gain access to network resources. DMZ Approach A variation of the defense-in-depth approach is to offer an intermediate area, often called the demilitarized zone (DMZ). The DMZ can be used for servers that must be accessible from the Internet or some other external network. The DMZ can be set up between two routers, with an internal router connecting to the protected network and an external router connecting to the unprotected network, or simply be an additional port off of a single router. The firewall, located between the protected and unprotected networks, is set up to permit the required connections (for example, HTTP) from the outside (untrusted) networks to the public servers in the DMZ. The firewall serves as the primary protection for all devices on the DMZ. In the DMZ approach, the router provides some protection by filtering some traffic, but leaves the bulk of the protection to the firewall. (The focus of this course is on ISR security features, including explanations of how to configure these features. With respect to the Cisco Adaptive Security Appliance (ASA), the discussion is limited to design implementation in this course. For ASA device configuration, see www.cisco.com.)
  5. There are two ways to access a device for administrative purposes, locally and remotely. All network infrastructure devices can be accessed locally. Local access to a router usually requires a direct connection to a console port on the Cisco router using a computer that is running terminal emulation software. Some network devices can be accessed remotely. Remote access typically involves allowing Telnet, Secure Shell (SSH), HTTP, HTTPS, or Simple Network Management Protocol (SNMP) connections to the router from a computer. The computer can be on the same subnet or a different subnet. Some remote access protocols send the data, including usernames and passwords, to the router in plaintext. If an attacker can collect network traffic while an administrator is remotely logged in to a router, the attacker can capture passwords or router configuration information. For this reason, it is preferable to allow only local access to the router. However, remote access might still be necessary. When accessing the network remotely, a few precautions should be taken: Encrypt all traffic between the administrator computer and the router. For example, instead of using Telnet, use SSH. Or instead of using HTTP, use HTTPS. Establish a dedicated management network. The management network should include only identified administration hosts and connections to a dedicated interface on the router. Configure a packet filter to allow only the identified administration hosts and preferred protocols to access the router. For example, permit only SSH requests from the IP address of the administration host to initiate a connection to the routers in the network. These precautions are valuable, but they do not protect the network completely. Other lines of defense must also be implemented. One of the most basic and important is the use of a secure password.
  6. Attackers deploy various methods of discovering administrative passwords. They can shoulder surf, attempt to guess passwords based on the user's personal information, or sniff TFTP packets containing plaintext configuration files. Attackers can also use tools such as L0phtCrack and Cain & Abel to attempt brute force attacks and guess passwords. To protect assets such as routers and switches, follow these common guidelines for choosing strong passwords. These guidelines are designed to make passwords less easily discovered by intelligent guessing and cracking tools: Use a password length of 10 or more characters. The longer, the better. Make passwords complex. Include a mix of uppercase and lowercase letters, numbers, symbols, and spaces. Avoid passwords based on repetition, dictionary words, letter or number sequences, usernames, relative or pet names, biographical information, such as birthdates, ID numbers, ancestor names, or other easily identifiable pieces of information.. Deliberately misspell a password. For example, Smith = Smyth = 5mYth or Security = 5ecur1ty. Change passwords often. If a password is unknowingly compromised, the window of opportunity for the attacker to use the password is limited. Do not write passwords down and leave them in obvious places such as on the desk or monitor. On Cisco routers and many other systems, password-leading spaces are ignored, but spaces after the first character are not ignored. Therefore, one method to create a strong password is to use the space bar in the password and create a phrase made of many words. This is called a pass phrase. A pass phrase is often easier to remember than a simple password. It is also longer and harder to guess. Administrators should ensure that strong passwords are used across the network. One way to accomplish this is to use the same cracking and brute force attack tools that attackers use as a way to verify password strength.
  7. Many access ports require passwords on a Cisco router, including the console port, auxiliary port, and virtual terminal connections. Password management in a large network should be maintained using a central TACACS+ or RADIUS authentication server such as the Cisco Secure Access Control Server (ACS). All routers must be configured with the user and privileged EXEC passwords. A local username database is also recommended as backup if access to an authentication, authorization, and accounting (AAA) server is compromised. Using a password and assigning privilege levels is a simple way to provide terminal access control in a network. Passwords must be established for privileged EXEC mode access and individual lines such as the console and auxiliary lines. Enable Secret Password The enable secret password global configuration command restricts access to privileged EXEC mode. The enable secret password is always hashed inside the router configuration using a Message Digest 5 (MD5) hashing algorithm. If the enable secret password is lost or forgotten, it must be replaced using the Cisco router password recovery procedure. Console Line By default, the console port does not require a password for console administrative access; however, it should always be configured as a console port line-level password. Use the line console 0 command followed by the login and password subcommands to require login and establish a login password on the console line. Virtual Terminal Lines By default, Cisco routers support up to five simultaneous virtual terminal vty (Telnet or SSH) sessions. On the router, the vty ports are numbered from 0 through 4. Use the line vty 0 4 command followed by the login and password subcommands to require login and establish a login password on incoming Telnet sessions. Auxiliary Line By default, Cisco router auxiliary ports do not require a password for remote administrative access. Administrators sometimes use this port to remotely configure and monitor the router using a dialup modem connection. To access the auxiliary line use the line aux 0 command. Use the login and password subcommands to require login and establish a login password on incoming connections. By default, with the exception of the enable secret password, all Cisco router passwords are stored in plain text within the router configuration. These passwords can be viewed with the show running-config command. Sniffers can also see these passwords if the TFTP server configuration files traverse an unsecured intranet or Internet connection. If an intruder gains access to the TFTP server where the router configuration files are stored, the intruder is able to obtain these passwords.
  8. To increase the security of passwords, the following should be configured: Enforce minimum password lengths. Disable unattended connections. Encrypt all passwords in the configuration file. Minimum Character Length Beginning with the Cisco IOS Release 12.3(1) and later, administrators can set the minimum character length for all router passwords from 0 to 16 characters using the global configuration command security passwords min-length length. It is strongly recommended that the minimum password length be set to at least 10 characters to eliminate common passwords that are short and prevalent on most networks, such "lab" and "cisco". This command affects user passwords, enable secret passwords, and line passwords that are created after the command is executed. Existing router passwords remain unaffected. Any attempt to create a new password that is less than the specified length fails and results in an error message similar to the following: Password too short - must be at least 10 characters. Password configuration failed. Disable Unattended Connections By default, an administrative interface stays active and logged in for 10 minutes after the last session activity. After that, the interface times out and logs out of the session. If an administrator is away from the terminal while the console connection is active, an attacker has up to 10 minutes to gain privilege level access. It is recommended that these timers be fine-tuned to limit the amount of time to within a two or three minute maximum. These timers can be adjusted using the exec-timeout command in line configuration mode for each of the line types that are used. It is also possible to turn off the exec process for a specific line, such as on the auxiliary port, using the no exec command within the line configuration mode. This command allows only an outgoing connection on the line. The no exec command allows you to disable the EXEC process for connections which may attempt to send unsolicited data to the router. Encrypt All Passwords By default, some passwords are shown in plaintext, meaning not encrypted, in the Cisco IOS software configuration. With the exception of the enable secret password, all other plaintext passwords in the configuration file can be encrypted in the configuration file using the service password-encryption command. This command hashes current and future plaintext passwords in the configuration file into an encrypted ciphertext. To stop encrypting passwords, use the no form of the command. Only passwords created after the no command is issued will be unencrypted. Existing passwords that have been previously encrypted will remain so. The service password-encryption command is primarily useful for keeping unauthorized individuals from viewing passwords in the configuration file. The algorithm used by the service password-encryption command is simple and can be easily reversed by someone with access to the encrypted ciphertext and a password-cracking application. For that reason, this command should not be used with the intention to protect configuration files against serious attacks. The enable secret command is far more secure because it encrypts the password using MD5, which is a stronger algorithm.
  9. Assigning passwords and local authentication does not prevent a device from being targeted for attack. DoS attacks flood a device with so many connection requests that the device might not provide normal login service to legitimate system administrators. A dictionary attack, which is used to gain administrative access to a device, floods a device with thousands of username and password combinations. The end result is much the same as a DoS attack, in that the device cannot process legitimate user requests. The network needs to have systems in place to detect and help prevent these attacks. By enabling a detection profile, a network device can be configured to react to repeated failed login attempts by refusing further connection requests (login blocking). This block can be configured for a period of time, which is called a quiet period. Legitimate connection attempts can still be permitted during a quiet period by configuring an access control list (ACL) with the addresses that are known to be associated with system administrators. The Cisco IOS login enhancements feature allows Cisco IOS devices to be better secured when creating a virtual connection, such as Telnet, SSH, or HTTP, by slowing down dictionary attacks and stopping DoS attacks. To better configure security for virtual login connections, the login process should be configured with specific parameters: Delays between successive login attempts Login shutdown if DoS attacks are suspected Generation of system logging messages for login detection These enhancements do not apply to console connections. It is assumed that only authorized personnel have physical access to the devices.
  10. All login enhancement features are disabled by default. Use the login block-for command to enable login enhancements. The login block-for feature monitors login device activity and operates in two modes: Normal mode (watch mode) - The router keeps count of the number of failed login attempts within an identified amount of time. Quiet mode (quiet period) - If the number of failed logins exceeds the configured threshold, all login attempts using Telnet, SSH, and HTTP are denied. When quiet mode is enabled, all login attempts, including valid administrative access, are not permitted. However, to provide critical hosts access at all times, this behavior can be overridden using an ACL. The ACL must be created and identified using the login quiet-mode access-class command. By default, Cisco IOS devices can accept connections, such as Telnet, SSH, and HTTP, as quickly as they can be processed. This makes devices susceptible to dictionary attack tools, such as Cain or L0phtCrack, which are capable of thousands of password attempts per second. The login block-for command invokes an automatic delay of 1 second between login attempts. Attackers have to wait 1 second before they can try a different password. This delay time can be changed using the login delay command. The login delay command introduces a uniform delay between successive login attempts. The delay occurs for all login attempts, including failed or successful attempts. The login block-for, login quiet-mode access-class, and login delay commands help block failed login attempts for a limited period of time but cannot prevent an attacker from trying again. How can an administrator know when someone tries to gain access to the network by guessing the password?
  11. The command auto secure enables message logging for failed login attempts. Logging successful login attempts is not enabled by default. These commands can be used to keep track of the number of successful and failed login attempts. login on-failure log generates logs for failed login requests. login on-success log generates log messages for successful login requests. As an alternative, the security authentication failure rate threshold-rate log command generates a log message when the login failure rate is exceeded. To verify that the login block-for command is configured and which mode the router is currently in, use the show login command. The router is in either normal or quite mode, depending on whether login thresholds were exceeded. The show login failures command displays more information regarding the failed attempts, such as the IP address from which the failed login attempts originated.
  12. Use banner messages to present legal notification to would-be intruders to inform them that they are not welcome on a network. Banners are very important to the network from a legal perspective. Intruders have won court cases because they did not encounter appropriate warning messages when accessing router networks. In addition to warning would-be intruders, banners are also used to inform remote administrators of use restrictions. Choosing what to place in banner messages is important and should be reviewed by legal counsel before putting them on network routers. Never use the word welcome or any other familiar greeting that may be misconstrued as an invitation to use the network. Banners are disabled by default and must be explicitly enabled. Use the banner command from global configuration mode to specify appropriate messages. banner {exec | incoming | login | motd | slip-ppp} d message d Tokens are optional and can be used within the message section of the banner command: $(hostname) - Displays the host name for the router. $(domain) - Displays the domain name for the router. $(line) - Displays the vty or tty (asynchronous) line number. $(line-desc) - Displays the description that is attached to the line. Be careful in placing this information in the banner because it provides more information to a possible intruder. Cisco SDM can also be used to configure banner messages.
  13. When enabling remote administrative access, it is also important to consider the security implications of sending information across the network. Traditionally, remote access on routers was configured using Telnet on TCP port 23. However, Telnet was developed in the days when security was not an issue, therefore, all Telnet traffic is forwarded in plaintext. Using this protocol, critical data, such as router configurations, is easily accessible to attackers. Hackers can capture packets forwarded by an administrator's computer using a protocol analyzer such as Wireshark. If the initial Telnet stream is discovered and followed, attackers can learn the administrator's username and password. However, having remote access capability can save an organization time and money when making necessary configuration changes. So how can a secure remote access connection be established to manage Cisco IOS devices? SSH has replaced Telnet as the recommended practice for providing remote router administration with connections that support confidentiality and session integrity. It provides functionality that is similar to an outbound Telnet connection, except that the connection is encrypted and operates on port 22. With authentication and encryption, SSH allows for secure communication over a non-secure network. Four steps must be completed prior to configuring routers for the SSH protocol: Step 1. Ensure that the target routers are running a Cisco IOS Release 12.1(1)T image or later to support SSH. Only the Cisco IOS cryptographic images containing the IPsec feature set support SSH. Specifically, Cisco IOS 12.1 or later IPsec DES or Triple Data Encryption Standard (3DES) cryptographic images support SSH. Typically, these images have image IDs of k8 or k9 in their image names. For example, c1841-advipservicesk9-mz.124-10b.bin is an image that can support SSH. Step 2. Ensure that each of the target routers has a unique host name. Step 3. Ensure that each of the target routers is using the correct domain name of the network. Step 4. Ensure that the target routers are configured for local authentication or AAA services for username and password authentication. This is mandatory for a router-to-router SSH connection.
  14. Using the CLI, there are four steps to configure a Cisco router to support SSH: Step 1. If the router has a unique host name, configure the IP domain name of the network using the ip domain-name domain-name command in global configuration mode. Step 2. One-way secret keys must be generated for a router to encrypt the SSH traffic. These keys are referred to as asymmetric keys. Cisco IOS software uses the Rivest, Shamir, and Adleman (RSA) algorithm to generate keys. To create the RSA key, use the crypto key generate rsa general-keys modulus modulus-size command in global configuration mode. The modulus determines the size of the RSA key and can be configured from 360 bits to 2048 bits. The larger the modulus, the more secure the RSA key. However, keys with large modulus values take slightly longer to generate and longer to encrypt and decrypt as well. The minimum recommended modulus key length is 1024 bits. To verify SSH and display the generated keys, use the show crypto key mypubkey rsa command in privileged EXEC mode. If there are existing key pairs, it is recommended that they are overwritten using the crypto key zeroize rsa command. Step 3. Ensure that there is a valid local database username entry. If not, create one using the username name secret secret command. Step 4. Enable vty inbound SSH sessions using the line vty commands login local and transport input ssh. SSH is automatically enabled after the RSA keys are generated. The router SSH service can be accessed using SSH client software.
  15. Optional SSH Commands Optionally, SSH commands can be used to configure the following: SSH version SSH timeout period Number of authentication retries Cisco routers support two versions of SSH: SSH version 1 (SSHv1) and the newer, more secure SSH version 2 (SSHv2). SSHv2 provides better security using the Diffie-Hellman key exchange and the strong integrity-checking message authentication code (MAC). Cisco IOS Release 12.1(1)T and later supports SSHv1. Cisco IOS Release 12.3(4)T and later operates in compatibility mode and supports both SSHv1 and SSHv2. To change from compatibility mode to a specific version, use the ip ssh version {1 | 2} global configuration command. The time interval that the router waits for the SSH client to respond during the SSH negotiation phase can be configured using the ip ssh time-out seconds command in global configuration mode. The default is 120 seconds. When the EXEC session starts, the standard exec timeout configured for the vty applies. By default, a user logging in has three attempts before being disconnected. To configure a different number of consecutive SSH retries, use the ip ssh authentication-retries integer command in global configuration mode. To verify the optional SSH command settings, use the show ip ssh command. After SSH is configured, an SSH client is required to connect to an SSH-enabled router.
  16. While it is important that a system administrator can securely connect to and manage a device, still more configurations are needed to keep the network secure. For example, should complete access be provided for all employees in a company? The answer to that question is usually no. Most company employees require only specific areas of access to the network. What about complete access for all employees in the IT department? Keep in mind that large organizations have many various job functions within an IT department. For example, job titles include Chief Information Officer (CIO), Security Operator, Network Administrator, WAN Engineer, LAN Administrator, Software Administrator, PC Tech support, Help Desk support, and others. Not all job functions should have the same level of access to the infrastructure devices. As an example, a senior network administrator leaves for vacation and, as a precaution, provides a junior administrator with the privileged EXEC mode passwords to all infrastructure devices. A few days later, the curious junior administrator accidentally disables the company network. This is not an uncommon scenario, because all too often a router is secured with only one privileged EXEC password. Anyone with knowledge of this password has open access to the entire router. Configuring privilege levels is the next step for the system administrator who wants to secure the network. Privilege levels determine who should be allowed to connect to the device and what that person should be able to do with it. The Cisco IOS software CLI has two levels of access to commands. User EXEC mode (privilege level 1) - Provides the lowest EXEC mode user privileges and allows only user-level commands available at the router> prompt. Privileged EXEC mode (privilege level 15) - Includes all enable-level commands at the router# prompt. Although these two levels do provide control, sometimes a more precise level of control is required. Cisco IOS software has two methods of providing infrastructure access: privilege level and role-based CLI.
  17. If attackers gain access to a router there are many things that they could do. For example, they could alter traffic flows, alter configurations, and even erase the startup configuration file and Cisco IOS image. If the configuration or IOS image is erased, the operator might need to retrieve an archived copy to restore the router. The recovery process must then be performed on each affected router, adding to the total network downtime. The Cisco IOS Resilient Configuration feature allows for faster recovery if someone reformats flash memory or erases the startup configuration file in NVRAM. This feature allows a router to withstand malicious attempts at erasing the files by securing the router image and maintaining a secure working copy of the running configuration. When a Cisco IOS image is secured, the resilient configuration feature denies all requests to copy, modify, or delete it. The secure copy of the startup configuration is stored in flash along with the secure IOS image. This set of Cisco IOS image and router running configuration files is referred to as the bootset. The Cisco IOS resilient configuration feature is only available for systems that support a PCMCIA Advanced Technology Attachment (ATA) flash interface. The Cisco IOS image and backup running configuration on the Flash drive are hidden from view, so the files are not included in any directory listing on the drive. Two global configurations commands are available to configure the Cisco IOS resilient configuration features: secure boot-image and secure boot-config.
  18. In the event that a router is compromised or needs to be recovered from a misconfigured password, an administrator must understand password recovery procedures. For security reasons, password recovery requires the administrator to have physical access to the router through a console cable. Recovering a router password involves several steps. Step 1. Connect to the console port. Step 2. Use the show version command to view and record the configuration register. The configuration register is similar to the BIOS setting of a computer, which controls the bootup process. A configuration register, represented by a single hexadecimal value, tells a router what specific steps to take when powered on. Configuration registers have many uses, and password recovery is probably the most used. To view and record the configuration register, use the show version command. R1>show version <Output omitted> Configuration register is 0x2102 The configuration register is usually set to 0x2102 or 0x102. If there is no longer access to the router (because of a lost login or TACACS password), an administrator can safely assume that the configuration register is set to 0x2102. Step 3. Use the power switch to power cycle the router. Step 4. Issue the break sequence within 60 seconds of power up to put the router into ROMmon. Step 5. Type confreg 0x2142 at the rommon 1> prompt. This changes the default configuration register and causes the router to bypass the startup configuration where the forgotten enable password is stored. Step 6. Type reset at the rommon 2> prompt. The router reboots, but ignores the saved configuration. Step 7. Type no after each setup question, or press Ctrl-C to skip the initial setup procedure. Step 8. Type enable at the Router> prompt. This puts the router into enable mode and allows you to see the Router# prompt. Step 9. Type copy startup-config running-config to copy the NVRAM into memory. Be careful not to type copy running-config startup-config or the startup configuration will be erased. Step 10. Type show running-config. In this configuration, the shutdown command appears under all interfaces because all interfaces are currently shut down. An administrator can now see the passwords (enable password, enable secret, vty, and console passwords) either in encrypted or unencrypted format. Unencrypted passwords can be reused, but encrypted passwords need a new password to be created. Step 11. Enter global configuration and type the enable secret command to change the enable secret password. For example: R1(config)# enable secret cisco Step 12. Issue the no shutdown command on every interface to be used. Then issue the show ip interface brief command in privileged EXEC mode to confirm that the interface configuration is correct. Every interface to be used should display "up up." Step 13. From global configuration mode type config-register configuration_register_setting. The configuration register setting is either the value recorded in step 2 or 0x2102 . For example: R1(config)# config-register 0x2102 Step 14. Save the configuration changes using the copy running-config startup-config command. Password recovery is now complete. Enter the show version command to confirm that the router is using the configured configuration register setting on the next reboot.
  19. Implementing a router logging facility is an important part of any network security policy. Cisco routers can log information regarding configuration changes, ACL violations, interface status, and many other types of events. Cisco routers can send log messages to several different facilities. You should configure the router to send log messages to one or more of the following items. Console - Console logging is on by default. Messages log to the console and can be viewed when modifying or testing the router using terminal emulation software while connected to the console port of the router. Terminal lines - Enabled EXEC sessions can be configured to receive log messages on any terminal lines. Similar to console logging, this type of logging is not stored by the router and, therefore, is only valuable to the user on that line. Buffered logging - Buffered logging is a little more useful as a security tool because log messages are stored in router memory for a time. However, events are cleared whenever the router is rebooted. SNMP traps - Certain thresholds can be preconfigured on routers and other devices. Router events, such as exceeding a threshold, can be processed by the router and forwarded as SNMP traps to an external SNMP server. SNMP traps are a viable security logging facility but require the configuration and maintenance of an SNMP system. Syslog - Cisco routers can be configured to forward log messages to an external syslog service. This service can reside on any number of servers or workstations, including Microsoft Windows and UNIX-based systems, or the Cisco Security MARS appliance. Syslog is the most popular message logging facility, because it provides long-term log storage capabilities and a central location for all router messages. Cisco router log messages fall into one of eight levels. The lower the level number, the higher the severity level. Cisco router log messages contain three main parts: Timestamp Log message name and severity level Message text
  20. Another common monitoring tool is SNMP. SNMP was developed to manage nodes, such as servers, workstations, routers, switches, hubs, and security appliances, on an IP network. SNMP is an Application Layer protocol that facilitates the exchange of management information between network devices. SNMP is part of the TCP/IP protocol suite. SNMP enables network administrators to manage network performance, find and solve network problems, and plan for network growth. There are different versions of SNMP. SNMP version 1 (SNMPv1) and SNMP version 2 (SNMPv2) are based on managers (network management systems [NMSs]), agents (managed nodes), and Management Information Bases (MIBs). In any configuration, at least one manager node runs SNMP management software. Network devices that need to be managed, such as switches, routers, servers, and workstations, are equipped with an SMNP agent software module. The agent is responsible for providing access to a local MIB of objects that reflects the resources and activity at its node. MIBs store data about the device operation and are meant to be available to authenticated remote users. The SNMP manager can get information from the agent, and change, or set, information in the agent. Sets can change configuration variables in the agent device. Sets can also initiate actions in devices. A reply to a set indicates the new setting in the device. For example, a set can cause a router to reboot, send a configuration file, or receive a configuration file. SNMP traps enable an agent to notify the management station of significant events by sending an unsolicited SNMP message. The action of gets and sets are the vulnerabilities that open SNMP to attack.
  21. NTP uses UDP port 123 and is documented in RFC 1305. When determining whether to use a private clock synchronization versus a public clock, it is necessary to weigh the risks and benefits of both. If a private master clock is implemented, it could be synchronized to Coordinated Universal Time (UTC) via satellite or radio. The administrator does need to ensure that the time source is valid and from a secure site; otherwise, it can introduce vulnerabilities. For example, an attacker can launch a DoS attack by sending bogus NTP data across the Internet to the network in an attempt to change the clocks on network devices, possibly causing digital certificates to become invalid. An attacker could attempt to confuse a network administrator during an attack by disrupting the clocks on network devices. This scenario would make it difficult for the network administrator to determine the order of syslog events on multiple devices. Pulling the clock time from the Internet means that unsecured packets are allowed through the firewall. Many NTP servers on the Internet do not require any authentication of peers; therefore, the network administrator must trust that the clock itself is reliable, valid, and secure. The communications (known as associations) between machines that run NTP are usually statically configured. Each device is given the IP address of NTP masters. Accurate timekeeping is possible by exchanging NTP messages between each pair of machines with an association. In an NTP configured network, one or more routers are designated as the master clock keeper (known as an NTP master) using the ntp master global configuration command. NTP clients either contact the master or listen for messages from the master to synchronize their clocks. To contact the master, use the ntp server ntp-server-address command. In a LAN environment, NTP can be configured to use IP broadcast messages instead by using the ntp broadcast client command. This alternative reduces configuration complexity because each machine can be configured to send or receive broadcast messages. The accuracy of timekeeping is marginally reduced because the information flow is one-way only.
  22. Cisco routers are initially deployed with many services that are enabled by default. This is done for convenience and to simplify the configuration process required to get the device operational. However, some of these services can make the device vulnerable to attack if security is not enabled. Administrators can also enable services on Cisco routers that can expose the device to significant risk. Both of these scenarios must be taken into account when securing the network. For example, Cisco Discovery Protocol (CDP) is an example of a service that is enabled by default in Cisco routers. It is used primarily to obtain protocol addresses of neighboring Cisco devices and to discover the platforms of those devices. Unfortunately, an attacker on the network can use CDP to discover devices on the local network. In addition, attackers do not need to have CDP-enabled devices. Readily available software, such as Cisco CDP Monitor, can be downloaded to gain the information. The intent of CDP is to make it easier for administrators to discover and troubleshoot other Cisco devices on the network. However, because of the security implications, the use of CDP should be deterministic. While it is an extremely helpful tool, it should not be everywhere in the network. Edge devices are an example of a device that should have this feature disabled.