network security

1© 2005 Cisco Systems, Inc. All rights reserved.
CCNA Security
Module 2 – Securing Network
Devices

Learning Objectives
2.1 - Securing Devices Access
2.2 - Assigning Administrative Roles
2.3 - Monitoring and Managing Devices
2.4 - Using Automated security features

Module 2 – SecuringModule 2 – Securing
Network DevicesNetwork Devices
2.1 – Securing Devices
Access

Securing the edge router

Secure the perimeter network

Areas of router security: Physical
• Place the router and physical devices that connect to it in a secure
locked room that is accessible only to authorized personnel, is free
of electrostatic or magnetic interference, and has controls for
temperature and humidity.
• Install an uninterruptible power supply (UPS) and keep spare
components available. This reduces the possibility of a DoS attack
from power loss to the building.

Operating System Security
• Configure the router with the maximum amount of
memory possible. The availability of memory can help
protect the network from some DoS attacks, while
supporting the widest range of security services.
• Use the latest stable version that meets the feature
requirements of the network. Security features in an
operating system evolve over time. Keep in mind that
the latest version of an operating system might not be
the most stable version available.
• Keep a secure copy of the router operating system
image and router configuration file as a backup.

Router Hardening
• Secure administrative control. Ensure that only
authorized personnel have access and that their level of
access is controlled.
• Disable unused ports and interfaces. Reduce the
number of ways a device can be accessed.
• Disable unnecessary services. Similar to many
computers, a router has services that are enabled by
default. Some of these services are unnecessary and
can be used by an attacker to gather information or for
exploitation.

Router Management

Router Access Methods

Configuring Secure Administrative Access
• Use a password length of 10 or more characters. The
longer, the better.
• Make passwords complex. Include a mix of uppercase
and lowercase letters, numbers, symbols, and spaces.
• Avoid passwords based on repetition, dictionary words,
letter or number sequences, usernames, relative or pet
names, biographical information, such as birthdates,
• Deliberately misspell a password. For example, Smith =
Smyth = 5mYth or Security = 5ecur1ty.
• Change passwords often. If a password is unknowingly
compromised, the window of opportunity for the
attacker to use the password is limited.

Router access passwords

Increase security passwords
• Enforce minimum password lengths.
• Disable unattended connections.
• Encrypt all passwords in the configuration file.

Minimum Character Length
• Beginning with the Cisco IOS Release 12.3(1) and later,
administrators can set the minimum character length
for all router passwords from 0 to 16 characters using
the global configuration command security
passwords min-length length.
• This command affects user passwords, enable secret
passwords, and line passwords that are created after
the command is executed. Existing router passwords
remain unaffected. Any attempt to create a new
password that is less than the specified length fails and
results in an error message similar to the following:
Password too short - must be at least 10 characters.
Password configuration failed.

Disable Unattended Connections
• By default, an administrative interface stays active and logged in for 10
minutes after the last session activity. After that, the interface times out
and logs out of the session.
• If an administrator is away from the terminal while the console
connection is active, an attacker has up to 10 minutes to gain privilege
level access. It is recommended that these timers be fine-tuned to limit
the amount of time to within a two or three minute maximum. These
timers can be adjusted using the exec-timeout command in line
configuration mode for each of the line types that are used.
• It is also possible to turn off the exec process for a specific line, such
as on the auxiliary port, using the no exec command within the line
configuration mode. This command allows only an outgoing connection
on the line. The no exec command allows you to disable the
EXEC process for connections which may attempt to send
unsolicited data to the router.

Disable Unattended Connections

Encrypt All Passwords
• By default, some passwords are shown in plaintext,
meaning not encrypted, in the Cisco IOS software
configuration.
• With the exception of the enable secret password, all
other plaintext passwords in the configuration file can
be encrypted in the configuration file using the service
password-encryption command.
• This command hashes current and future plaintext
passwords in the configuration file into an encrypted
ciphertext.
• The algorithm used by the service password-encryption
command is simple and can be easily reversed by
someone with access to the encrypted ciphertext and a
password-cracking application

Cisco Router Authentication

Example

Security for virtual logins

Cisco Enhanced login features
• Router(config)# login block-for seconds
attempts tries within seconds
• Router(config)# login quiet-mode access-
class {acl-name | acl-number}
• Router(config)# login delay seconds
• Router(config)# login on-failure log [every
login]
• Router(config)# login on-success log
[every login]

Example

Login block-for
• Normal mode (watch mode) - The router keeps count of the
number of failed login attempts within an identified amount
of time.
• Quiet mode (quiet period) - If the number of failed logins
exceeds the configured threshold, all login attempts using
Telnet, SSH, and HTTP are denied.

Login quiet-mode
• When quiet mode is enabled, all login attempts, including
valid administrative access, are not permitted. However, to
provide critical hosts access at all times, this behavior can
be overridden using an ACL. The ACL must be created and
identified using the login quiet-mode access-class
command.

Login delay
• The login block-for command invokes an automatic delay of
1 second between login attempts. Attackers have to wait 1
second before they can try a different password.
• This delay time can be changed using the login delay
command.

Login success & failure
• The command auto secure enables message logging for
failed login attempts. Logging successful login attempts is
not enabled by default.
• These commands can be used to keep track of the number
of successful and failed login attempts.

Show login (normal mode)

Sample attack

Show login (quiet mode)

Show login failures

Banner messages
• Use banner messages to present legal notification to would-
be intruders to inform them that they are not welcome on a
network.
• Intruders have won court cases because they did not
encounter appropriate warning messages when accessing
router networks. In addition to warning would-be intruders,
banners are also used to inform remote administrators of
use restrictions

Configure SSH
• Step 1. Ensure that the target routers are running a Cisco
IOS Release 12.1(1)T image or later to support SSH. Only
the Cisco IOS cryptographic images containing the IPsec
feature set support SSH. For example, c1841-
advipservicesk9-mz.124-10b.bin image support SSH.
• Step 2. Ensure that each of the target routers has a unique
host name.
• Step 3. Ensure that each of the target routers is using the
correct domain name of the network.
• Step 4. Ensure that the target routers are configured for
local authentication or AAA services for username and
password authentication. This is mandatory for a router-to-
router SSH connection.

Telnet vs SSH

Supporting SSH
• Step 1. If the router has a unique host name, configure the IP domain
name of the network using the ip domain-name domain-name
command in global configuration mode.
• Step 2. One-way secret keys must be generated for a router to
encrypt the SSH traffic. These keys are referred to as asymmetric
keys. Cisco IOS software uses the Rivest, Shamir, and Adleman
(RSA) algorithm to generate keys. To create the RSA key, use the
crypto key generate rsa general-keys modulus modulus-
size command in global configuration mode. The modulus
determines the size of the RSA key and can be configured from 360
bits to 2048 bits.
• To verify SSH and display the generated keys, use the show crypto
key mypubkey rsa command in privileged EXEC mode. If there
are existing key pairs, it is recommended that they are overwritten
using the crypto key zeroize rsa command.

Step 1 and 2: SSH

Transport input ssh
• Step 3. Ensure that there is a valid local database
username entry. If not, create one using the username
name secret secret command.
• Step 4. Enable vty inbound SSH sessions using the line
vty commands login local and transport input ssh.
• SSH is automatically enabled after the RSA keys are
generated. The router SSH service can be accessed
using SSH client software.

Optional SSH commands

Router to router SSH

Host to router SSH

SDM - SSH

Module 2 – SecuringModule 2 – Securing
Network DevicesNetwork Devices
2.2 – Assigning
administrative roles

Configuring privilege levels

Assigning Privilege Levels

Create privilege level example

Privilege levels - example

Assign level user
• To assign level 10 to the privileged EXEC mode reload
command, use the following command sequence.
privilege exec level 10 reload
username jr-admin privilege 10 secret cisco10
enable secret level 10 cisco10

Role-Based CLI Access
• To provide more flexibility than privilege levels, Cisco
introduced the Role-Based CLI Access feature in Cisco
IOS Release 12.3(11)T.
• This feature provides finer, more granular access by
controlling specifically which commands are available
to specific roles.
• Role-based CLI access enables the network
administrator to create different views of router
configurations for different users.
• Each view defines the CLI commands that each user
can access.

Security – Availability - Efficiency
• Role-based CLI access enhances the security of the device
by defining the set of CLI commands that is accessible by a
particular user. Additionally, administrators can control
user access to specific ports, logical interfaces, and slots
on a router.
• Role-based CLI access prevents unintentional execution of
CLI commands by unauthorized personnel, which could
result in undesirable results. This minimizes downtime.
• Users only see the CLI commands applicable to the ports
and CLI to which they have access; therefore, the router
appears to be less complex, and commands are easier to
identify when using the help feature on the device.

Role-based CLI: three types of views
• Root View
To configure any view for the system, the administrator
must be in root view. Root view has the same access
privileges as a user who has level 15 privileges. However,
a root view is not the same as a level 15 user. Only a root
view user can configure a new view and add or remove
commands from the existing views.
• CLI View
A specific set of commands can be bundled into a CLI
view. Unlike privilege levels, a CLI view has no command
hierarchy and, therefore, no higher or lower views. Each
view must be assigned all commands associated with
that view, and a view does not inherit commands from
any other views. Additionally, the same commands can
be used in multiple views.

• A superview consists of one or more CLI views.
Administrators can define which commands are accepted
and which configuration information is visible. Superviews
allow a network administrator to assign users and groups
of users multiple CLI views.
–A single CLI view can be shared within multiple
superviews.
–Commands cannot be configured for a superview. An
administrator must add commands to the CLI view and
add that CLI view to the superview.
–Users who are logged into a superview can access all
the commands that are configured for any of the CLI
views that are part of the superview.
Role-based CLI: Superview

Root – CLI - Superview

Create a view
• Step 1. Enable AAA with the aaa new-model global
configuration command. Exit and enter the root view with
the enable view command.
• Step 2. Create a view using the parser view view-name
command. This enables the view configuration mode. There
is a maximum limit of 15 views in total.
• Step 3. Assign a secret password to the view using the
secret encrypted-password command.
• Step 4. Assign commands to the selected view using the
commands parser-mode {include | include-exclusive |
exclude} [all] [interface interface-name | command]
command in view configuration mode.

Include commands

Example

Verifying Views

Create a Superview
• Step 1. Create a view using the parser view
view-name superview command and enter
superview configuration mode.
• Step 2. Assign a secret password to the view
using the secret encrypted-password
command.
• Step 3. Assign an existing view using the view
view-name command in view configuration
mode.

Superview Example

Verifying superview

Verify: Enable view

Root view: show parser view all

Module 2 – Security
Planning and Policy
2.3 - Monitoring and
Managing Devices

Securing the IOS and configuration files

Resilience IOS and config file
• The Cisco IOS resilient configuration feature
detects image version mismatches. If the router is
configured to boot with Cisco IOS resilience and
an image with a different version of the Cisco IOS
software is detected, a message, is displayed at
bootup

Password Recovery Process

Password Recovery

NO password recovery

Using SYSLOG for network security
• Cisco router log messages fall into one of eight levels. The
lower the level number, the higher the severity level. Cisco
router log messages contain three main parts:
•Timestamp
•Log message name and severity level
•Message text

Severity levels

Configure system logging
• Step 1. Set the destination logging host using the logging
host command.
• Step 2. (Optional) Set the log severity (trap) level using the
logging trap level command.
• Step 3. Set the source interface using the logging source-
interface command. This specifies that syslog packets
contain the IPv4 or IPv6 address of a particular interface.
• Step 4. Enable logging with the logging on command. You
can turn logging on and off for these destinations
individually using the logging buffered, logging monitor,
and logging global configuration commands.

Configure SYSLOG

SYSLOG with SDM

Monitor>> Logging

Usig SNMP for network security
• SNMP was developed to manage nodes, such as
servers, workstations, routers, switches, hubs, and
security appliances, on an IP network.
• SNMP is an Application Layer protocol that facilitates
the exchange of management information between
network devices.
• SNMP is part of the TCP/IP protocol suite.
• SNMP enables network administrators to manage
network performance, find and solve network problems,
and plan for network growth.
• There are different versions of SNMP.

SNMP components

Community strings
Read-only community strings - Provides
read-only access to all objects in the MIB,
except the community strings.
Read-write community strings - Provides
read-write access to all objects in the MIB,
except the community strings.

SNMPv3
• SNMPv3 is an interoperable standards-based
protocol for network management. SNMPv3 uses a
combination of authenticating and encrypting
packets over the network to provide secure access
–Message integrity - Ensures that a packet has
not been tampered with in transit.
–Authentication - Determines that the message is
from a valid source.
–Encryption - Scrambles the contents of a packet
to prevent it from being seen by an unauthorized
source.

Configure SNMP with SDM

Using NTP for timestamp
• NTP allows routers on the network to synchronize their
time settings with an NTP server. A group of NTP clients
that obtain time and date information from a single source
have more consistent time settings.
• When NTP is implemented in the network, it can be set up
to synchronize to a private master clock, or it can
synchronize to a publicly available NTP server on the
Internet.

NTP example

NTP version 3

Security Audit

Security audit wizard

Security audit report

Auto secure

Auto secure output

network security

More Related Content

What's hot

Viewers also liked

Similar to network security

network security

Editor's Notes