
Chapter 7

Security of Network Devices


Computer Network II (NET461)
Security of Network Devices
• With the advent of personal computers, LANs, and the wide-open Internet, today's networks are far more open than before. As e-business and Internet applications continue to grow, network security becomes more crucial than most other information-processing concerns. Security is a mix of physical security, communication security, emissions security, computer security and network security.

• Good physical security is necessary to protect physical assets such as paper records and hardware devices. Communication security (COMSEC) protects information in transit. Emission security (EMSEC) is needed when the adversary has enough resources to read the electromagnetic emissions of our computer systems. Computer security (COMPUSEC) controls access to our computer systems, and network security (NETSEC) controls the security of our local area networks. Together, these concepts provide information security (INFOSEC).
Internal Components of Network Devices
• A PC has four basic components: a CPU, memory, interfaces, and a bus. A router has the same components, so it can be called a computer; it is, however, a special-purpose computer. Instead of components dedicated to video and audio output, keyboard and mouse input, and the easy-to-use GUI software of a modern multimedia computer, the router is dedicated to routing.
Internal Components of Network Devices
The router selects the best paths and switches packets between different networks. The internal configuration components of a router are as follows:

 RAM/DRAM - stores routing tables, the ARP cache, the fast-switching cache, packet buffers (shared RAM) and packet hold queues. RAM also holds the running configuration while the router is powered on. RAM content is lost on power-down or restart.
 NVRAM - nonvolatile RAM; stores the startup (backup) configuration file; content survives power-down or restart.
 Flash - erasable, reprogrammable ROM; holds the operating system image and microcode; lets you update software without removing and replacing chips; content survives power-down or restart; multiple IOS images can be stored in flash.
 ROM - contains the power-on diagnostics, the bootstrap program, and a minimal recovery operating system (the ROM monitor); upgrading software in ROM requires replacing pluggable chips on the board.
 Interface - a network connection through which packets enter and leave the router; it can be on the motherboard or on a separate interface module.
Internal Components of Network Devices
Cisco's IOS (Operating system)
• Cisco's Internetwork Operating System (IOS) software platform is implemented
on the varied hardware used in this course. It is the embedded software
architecture in all of the Cisco routers and is also the operating system of the
Catalyst 1900 series switches.

Cisco IOS Features

• Cisco IOS software enables network services in these products, including:
• Features to carry the chosen network protocols and functions
• Connectivity for high-speed traffic between devices
• Security to control access and discourage unauthorized network use
• Scalability to add interfaces and capability as needed for network growth
• Reliability to assure dependable access to networked resources
Internal Components of Network Devices
Command Line Interface (CLI)

• The Cisco IOS command line interface can be reached through a console connection, a modem connection on the AUX port, or a remote Telnet or SSH session.

• Whichever connection method is used, a session with the IOS command line interface is referred to as an EXEC session.
IOS Basic Configuration Commands and their Usage.
Command - Purpose
enable - Enter privileged EXEC mode
disable - Leave privileged EXEC mode and return to user EXEC mode
exit - Log out of the router and end the console session (same as logout)
logout - Log out of the router and end the console session (same as exit)
setup - Build a basic configuration by answering prompts
show running-config - Show the current configuration held in RAM
show startup-config - Show the startup configuration stored in NVRAM
show version - Display the IOS version (the configuration register value is also shown)
show flash - Show the IOS images stored in flash and the free space
copy running-config startup-config - Save the running configuration into NVRAM
copy startup-config running-config - Merge the startup configuration from NVRAM into the running configuration
copy tftp running-config - Load a saved configuration from a TFTP server into the running configuration in RAM (use copy tftp startup-config to write it to NVRAM instead)
copy tftp flash - Upgrade the IOS in flash from an image stored on a TFTP server
copy flash tftp - Back up the router's IOS image to a file on a TFTP server
boot system flash [filename] - Boot from a specific IOS image stored in flash
boot system tftp [filename] - Boot from a specific IOS image stored on a TFTP server
configure terminal - Enter global configuration mode
banner motd # message # - Set a message-of-the-day banner displayed before the user logs in
banner login # message # - Set a login banner displayed before the password prompt
hostname [name] - Give the router a hostname (default is Router)
no ip domain-lookup - Disable DNS lookups of mistyped commands (enabled by default)
terminal history size 20 - Change the size of the command history buffer for this session (default is 10 commands)
IOS Basic Configuration Commands and their Usage.
Passwords
enable password [password] - Set a privileged EXEC password; stored in clear text (or as reversible type 7 if service password-encryption is on)
enable secret [password] - Set a privileged EXEC password stored as a one-way hash; takes precedence over enable password
security passwords min-length [0-16] - Set a minimum length for all passwords configured afterwards
line vty 0 4 / login / password [password] - Set a shared password for Telnet/SSH (VTY) access
line console 0 / login / password [password] - Set a password for console port access
Interface configuration
interface e 0 - Configure the interface Ethernet 0
interface s 0 - Configure the first serial interface
interface t 1 - Configure the second Token Ring interface
no shutdown - Enable an interface
shutdown - Disable an interface
clock rate 56000 - Set the clock rate on a DCE interface (makes the router the DCE)
bandwidth 64 - Set the bandwidth value (in kbit/s) that routing protocols use for the interface
show interface serial 1 - Display the status of an interface
show controller serial 1 - Display the DTE/DCE state of a serial interface
IOS Basic Configuration Commands and their Usage.
IP
ip route 25.25.25.0 255.255.255.0 [next-hop-address | exit-interface] - Add a static route to the routing table
no ip routing - Disable IP routing (enabled by default on routers)
show ip route - Display the IP routing table
ip address 192.168.1.12 255.255.255.0 - Configure an interface with an IP address (in interface configuration mode)
Enable RIP:
router rip
network [network-address1]
network [network-address2 ...]
Enable IGRP:
router igrp [as-number]
network [network-address1]
network [network-address2 ...]
Enable EIGRP:
router(config)# router eigrp [as-number]
router(config-router)# network X.X.X.X
Enable OSPF:
router ospf 1
network 0.0.0.0 255.255.255.255 area 0
(This network statement enables OSPF on every interface; in production restrict it to the intended networks, or use passive-interface default and un-passive only the links that need adjacencies.)
Security and Access Levels of Devices -IOS
• As a security feature, Cisco IOS separates EXEC sessions into two access levels: user EXEC level and privileged EXEC level.

• User EXEC level allows a person to access only a limited number of basic monitoring commands.

• Privileged EXEC level allows a person to access all router commands (for example, configuration and management) and can be password protected so that only authorized individuals can access the router.
Security and Access Levels of Devices -IOS
The EXEC interprets the commands you enter and carries out the corresponding
operations. You must log in before you can enter an EXEC command.
As mentioned earlier, for security purposes, the EXEC has two levels of access to
commands,
1- User EXEC mode:
• User EXEC: Allows a person to access only a limited number of basic monitoring
commands. User EXEC mode is the default mode you enter after logging in to a
Cisco router from the CLI. User EXEC mode is identified by the > prompt
• When an EXEC session is started, the router or switch will display a hostname>
prompt. The right arrow (>) in the prompt indicates that the router or switch is at
the user EXEC level.
• The user EXEC level does not contain any commands that might control (for
example, reloading or configuring) the operation of the router or switch.
Security and Access Levels of Devices -IOS
2- Privileged Mode
• Privileged EXEC: Allows a person to access all device commands, such as those
used for configuration and management, and can be password-protected to
allow only authorized users to access the device. Privileged EXEC mode is
identified by the # prompt.
• Critical commands (for example, configuration and management) require that
the user be at the privileged EXEC level.
• The Privileged Mode is the most commonly used and allows a person to access
all router commands for management and configuration. Its characteristics
include:
– Detailed examination of switch or router
– Enables configuration and debugging
– Prerequisite for other configuration modes
Security and Access Levels of Devices -IOS
The following image depicts an example login on a router.

Security and Access Levels of Devices -IOS
Router Identification Syntax
Syntax for the router identification commands is as follows:

Command - Description
hostname (hostname) - Assigns the router name. Configured in global configuration mode.
banner motd (message) - Creates a message displayed at router login. Configured in global configuration mode.
description (interface description) - Sets a description for an interface. Configured in interface configuration mode.

The description appears in the output when you display the configuration held in router memory and in the output of the show interfaces command.
Network Device Security
• Enable password
• Enable Secret password
• Remote Access (Telnet access and SSH access)
• Encrypt Clear Text Password
• Username/Password Creation
• Access Control List (ACL)

Enable Password &
Enable Secret Password
Configure a minimum length for all router passwords
R1(config)# security passwords min-length 5

Configure the enable password
R1(config)# ! In the running-config this password appears in clear text.
R1(config)# enable password cisco

Configure the enable secret password
R1(config)# ! In the running-config this password appears as a one-way hash, so it cannot be read back.
R1(config)# enable secret cisco
Console, Auxiliary, and Virtual Lines
• The CTY line type is the console port. On any router it appears in the configuration as line con 0 and in the output of the show line command as cty. The console port is used mainly for local system access from a console terminal.
• The AUX line is the auxiliary port, seen in the configuration as line aux 0.
• The VTY lines are the virtual terminal lines of the router, used for inbound Telnet and SSH connections. They are virtual in the sense that they are a function of software; no hardware is associated with them. They appear in the configuration as line vty 0 4.
Console, Auxiliary, and Virtual Lines (cont.)
• Each of these types of lines can be configured with password
protection. Lines can be configured to use one password for all
users, or for user-specific passwords. User-specific passwords
can be configured locally on the router, or you can use an
authentication server to provide authentication.

Console line
• Every Cisco router or switch has a console port (also called the management port) on its back. Because a router or switch has no display device, the console port is used to connect a computer directly to the device and manage it.
Console line (cont.)
• The following configuration is applied below:
 – A console password is configured and login is enabled.
 – For additional security, exec-timeout logs the line out after 5 minutes of inactivity.
 – logging synchronous prevents console messages from interrupting command entry.
• To avoid repeated logins, exec-timeout can be set to 0 0, which disables the timeout. This is not good security practice: an unattended console then stays logged in indefinitely.

R1(config)# line console 0
R1(config-line)# password cisco
R1(config-line)# exec-timeout 5 0
R1(config-line)# login
R1(config-line)# logging synchronous
Auxiliary Line
• The router's auxiliary (AUX) port is a backup asynchronous port. It is most commonly used as a backup console port, but it can also serve as a dial-up port for remote router management and other functions. Because a modem can make it reachable from outside, it should be secured like the console, or disabled with no exec when it is not in use.

R1(config)# line aux 0
R1(config-line)# password cisco
R1(config-line)# exec-timeout 5 0      ! 5 minutes, 0 seconds
R1(config-line)# login
Virtual Line
• VTY lines are virtual ports used to log in to the router remotely.
• The remote login methods are Telnet and SSH.
• Telnet sends the password in plain text; SSH encrypts the whole session.
• Every router has at least five VTY lines, numbered 0 to 4; many platforms have more (for example 0 to 15). Check with show line and configure all of them consistently (line vty 0 15 where they exist), so that no line is left with different settings.
Virtual line
R1(config)# line vty 0 4
R1(config-line)# password cisco
R1(config-line)# exec-timeout 5 0
R1(config-line)# transport input telnet
R1(config-line)# login

Telnet is accepted here only for the lab; the Secure Shell slides replace transport input telnet with transport input ssh.
Virtual line
• Login through Telnet
PC-A> telnet 192.168.1.1

• Login through SSH: see the following slides.
Secure Shell - SSH
• Configure a domain name (required before the RSA key pair can be generated)
R1(config)# ip domain-name ccna.com

• Configure a local user for the SSH client computer to log in with
R1(config)# username admin privilege 15 secret cisco
SSH
• Configure the incoming lines to authenticate against the local user database and to accept SSH only
R1(config)# line vty 0 4
R1(config-line)# privilege level 15
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# exit

(privilege level 15 on the line drops every user who logs in on it straight into privileged EXEC; leave it out if some users should land in user EXEC.)
SSH
• Erase any existing RSA key pair on the router
R1(config)# crypto key zeroize rsa

• Generate the RSA key pair used by the SSH server (when prompted for the modulus size, choose at least 2048 bits; 1024-bit keys are no longer considered adequate)
R1(config)# crypto key generate rsa
SSH
• Force SSH version 2 (version 1 has known weaknesses)
R1(config)# ip ssh version 2

• Verify the SSH configuration
R1# show ip ssh
SSH
• Configure the SSH timeout (seconds allowed to complete authentication) and the number of authentication attempts
R1(config)# ip ssh time-out 90
R1(config)# ip ssh authentication-retries 2

• Log in from the SSH client computer (the password is not echoed)
PC-A> ssh -l admin 192.168.1.1
Password:
Encrypt Clear Text Password
This command obfuscates the console, AUX, VTY and other clear-text passwords in the configuration using the IOS type 7 scheme. Type 7 is a fixed-key XOR, not real encryption: anyone who can read the configuration can recover the original password with freely available tools, so it only protects against someone glancing at the screen. Use enable secret and username ... secret (one-way hashes) wherever the platform allows.
R1(config)# service password-encryption
R1# show running-config
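The following Python script is added here as an example; it is not code from the slides or from Cisco. It shows why service password-encryption is only obfuscation (the type 7 key and layout are long public) and turns the checks from the password, line and SSH slides into an audit of a running-config. The two configurations it inspects are constructed for the demonstration (the hardened one elides its hash values), and the names type7_decode, type7_encode, parse_sections and audit are chosen here.

```python
"""Audit a Cisco IOS running-config for the weak settings discussed in this chapter:
reversible passwords, no enable secret, Telnet on the VTY lines, idle sessions that
never time out, and a shared line password instead of local users."""
import re

# IOS "type 7" (service password-encryption) is a fixed-key XOR, not encryption.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUB"
TYPE7_RE = re.compile(r"\bpassword 7 ([0-9A-Fa-f]{4,})$")


def type7_decode(encoded: str) -> str:
    """Reverse type-7 obfuscation: two-digit seed, then hex bytes XOR-ed with the key."""
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]) for i, b in enumerate(data))


def type7_encode(plain: str, seed: int = 6) -> str:
    """Produce a type-7 string the way IOS does; decode(encode(x)) == x for any seed."""
    body = "".join(f"{ord(c) ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]:02X}" for i, c in enumerate(plain))
    return f"{seed:02d}{body}"


def parse_sections(config: str) -> dict[str, list[str]]:
    """Map each top-level config line to its indented children (IOS indents with one space)."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections[current] = []
    return sections


def audit(config: str) -> list[tuple[str, str]]:
    """Return (code, detail) findings; an empty list means none of the checks fired."""
    sections = parse_sections(config)
    findings: list[tuple[str, str]] = []
    if not any(s.startswith("enable secret") for s in sections):
        findings.append(("NO_ENABLE_SECRET", "privileged EXEC is not protected by a hashed enable secret"))
    if "ip ssh version 2" not in sections:
        findings.append(("NO_SSHV2", "SSH version 2 is not enforced"))
    for header, children in sections.items():
        if header.startswith("enable password"):
            findings.append(("ENABLE_PASSWORD", "enable password is reversible; use enable secret instead"))
        for line in [header, *children]:
            m = TYPE7_RE.search(line)
            if m:
                findings.append(("TYPE7", f"{line!r} decodes to {type7_decode(m.group(1))!r}"))
        if not header.startswith("line "):
            continue
        transport = next((c for c in children if c.startswith("transport input")), None)
        # Assumption: with no 'transport input' line the platform default (usually all) applies.
        telnet_open = transport is None or "telnet" in transport or transport.endswith(" all")
        if header.startswith("line vty") and telnet_open:
            findings.append(("TELNET", f"{header}: Telnet accepted, credentials cross the network in clear text"))
        timeout = next((c for c in children if c.startswith("exec-timeout")), None)
        if timeout is None or all(p == "0" for p in timeout.split()[1:]):
            findings.append(("NO_TIMEOUT", f"{header}: idle sessions never expire"))
        if "login" in children:
            findings.append(("SHARED_PASSWORD", f"{header}: one shared line password; prefer 'login local' or AAA"))
    return findings


# Constructed sample (not from a real device): the lab configuration after
# 'service password-encryption'; 060506324F41 is the type-7 form of "cisco".
WEAK_CONFIG = """\
hostname R1
service password-encryption
enable password 7 060506324F41
!
line con 0
 password 7 060506324F41
 login
!
line vty 0 4
 password 7 060506324F41
 exec-timeout 0 0
 transport input telnet
 login
!
end
"""

# Constructed hardened counterpart (hash values elided).
HARDENED_CONFIG = """\
hostname R1
enable secret 5 <md5-hash-elided>
username admin privilege 15 secret 5 <md5-hash-elided>
ip domain-name ccna.com
ip ssh version 2
!
line con 0
 exec-timeout 5 0
 login local
!
line vty 0 4
 exec-timeout 5 0
 transport input ssh
 login local
!
end
"""

if __name__ == "__main__":
    for code, detail in audit(WEAK_CONFIG):
        print(f"{code:17} {detail}")
    print("hardened findings:", audit(HARDENED_CONFIG))
```

Run it directly to list the findings for the weak configuration and confirm that the hardened one is clean. Feeding it the text of show running-config from a lab router works as well, since the parser only relies on the one-space indentation IOS uses for line sub-commands.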
Practical Configurations
Step 1: Log in to the router in privileged EXEC mode
Enter enable at the user EXEC prompt.
Router>enable

Step 2: Enter global configuration mode
Enter configure terminal at the privileged EXEC prompt.
Router# configure terminal

Step 3: Give the router the hostname ROUTER-LAB1
A hostname is a single word and cannot contain a space, so a hyphen is used.
Router(config)#hostname ROUTER-LAB1

Step 4: Configure the console line and exit
Configure the console password on the router and exit from line configuration mode:

ROUTER-LAB1(config)#line console 0
ROUTER-LAB1(config-line)#password cisco
ROUTER-LAB1(config-line)#login
ROUTER-LAB1(config-line)#exit
ROUTER-LAB1(config)#

Step 5: Configure the VTY (virtual) lines and exit
Configure the password on the virtual terminal lines and exit line configuration mode:

ROUTER-LAB1(config)#line vty 0 4
ROUTER-LAB1(config-line)#password cisco
ROUTER-LAB1(config-line)#login
ROUTER-LAB1(config-line)#exit
ROUTER-LAB1(config)#

Step 6: Configure the enable password
Configure the enable password on the router and exit from global configuration mode:

ROUTER-LAB1(config)#enable password cisco
ROUTER-LAB1(config)#exit

Step 7: Return to user EXEC mode
Return to user EXEC mode by entering the disable command:

ROUTER-LAB1#disable

Step 8: Enter privileged EXEC mode again
This time a password prompt appears. Enter cisco; the characters are not echoed on the line.

ROUTER-LAB1>enable
Password:cisco

Step 9: Return to configuration mode
Return to global configuration mode by entering configure terminal:

ROUTER-LAB1#configure terminal

Step 10: Configure the enable secret password
Configure the enable secret password and exit from global configuration mode:

ROUTER-LAB1(config)#enable secret class
ROUTER-LAB1(config)#exit

Step 11: Return to user EXEC mode
Return to user EXEC mode by entering the disable command:

ROUTER-LAB1#disable

Step 12: Enter privileged EXEC mode again
A password prompt appears. Enter cisco; the characters are not echoed. It fails, because the enable secret now takes precedence. Keep trying until the bad secrets message is displayed:

ROUTER-LAB1>enable
Password:cisco
Password:cisco
Password:cisco
% Bad secrets

Step 13: Enter privileged EXEC mode again
A password prompt appears. Enter class; the characters are not echoed:

ROUTER-LAB1>enable
Password: class
ROUTER-LAB1#

Note: The enable secret password takes precedence over the enable password. Once an enable secret is configured, the enable password is no longer accepted, and it stays in the configuration only as a reversible string. Remove it with no enable password.

Step 14: Show the router's running configuration
ROUTER-LAB1#show running-config

Note: to enforce a minimum password length use the security passwords min-length command; the allowed length is between 0 and 16 characters. It applies to passwords configured after the command, not to existing ones.

ROUTER-LAB1(config)# security passwords min-length 8

** What happens if you try to set a shorter password? **

ROUTER-LAB1(config)# enable password 123
% Password too short - must be at least 8 characters. Password not
configured.
Access Control List (ACL)
ACL Types
• Standard ACL (numbered 1 - 99, expanded range 1300 - 1999): filters on source address only
• Extended ACL: filters on protocol, source, destination and port
 – Extended numbered (100 - 199, expanded range 2000 - 2699)
 – Extended named

ACL Rules
• Only one ACL per interface, per protocol, per direction
• Write the most specific rules at the top of the list and the generic rules last; entries are checked top-down and the first match wins
• Routers do not filter traffic they generate themselves
• An implicit deny all is added automatically at the end of every list; to override it, end the list with an explicit permit any (permit ip any any in an extended ACL)

Where to apply an ACL?
• Standard ACL: close to the destination (it cannot match on destination, so placing it near the source would block more than intended)
• Extended ACL: close to the source (unwanted traffic is dropped before it crosses the network)
ACL Syntax
Standard ACL
Commands
ip access-list standard number
permit/deny [source network/IP]

Example
ip access-list standard 12
deny 40.0.0.3 0.0.0.0
permit any

ACL Syntax - Standard

ACL Syntax - Extended

ACL Syntax- Extended
Extended ACL
Creation
ip access-list extended number
permit/deny [service/protocol] [source network/IP wildcard] [destination network/IP wildcard] [eq port#]
 1 2 3 4 5
Router1(config)#ip access-list extended 120
Router1(config-ext-nacl)#deny tcp 30.30.30.0 0.0.0.255 40.40.40.3 0.0.0.0 eq www
Router1(config-ext-nacl)#permit ip any any

Every extended entry names a protocol, so the catch-all at the end is permit ip any any; permit any any without a protocol is not valid syntax.

Configuration on an Interface
Router1(config)#int fa0/0
Router1(config-if)#ip access-group 120 in

Note: inbound (in) filters packets as they arrive on the interface, before the router makes its routing decision; outbound (out) filters packets as they leave the interface, after routing.
eq: match a single port, such as eq www (or eq 80) for HTTP
ACL Syntax- Extended- Example 1

ACL Extended
Example 2
(Figure: OSPF Area 0 topology; the ACL is applied on the port close to the source.)

Step 1: Create the access list
Router1(config)#ip access-list extended 120
Router1(config-ext-nacl)#deny ip 30.30.30.0 0.0.0.255 40.40.40.3 0.0.0.0
Router1(config-ext-nacl)#permit ip any any

Step 2: Apply the access list to the interface
Router1(config)#int fa0/0
Router1(config-if)#ip access-group 120 in
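The ACL rules (first match wins, implicit deny at the end, most specific entries first) and the extended ACL from the syntax slide can be checked offline with the following Python simulation. It is an added example, not code from the slides or from Cisco: the ACL text, addresses and test packets are constructed for the demonstration, the function names parse_acl, evaluate, wildcard_match and prefix_to_wildcard are chosen here, and prefix_to_wildcard reproduces the wildcard-mask table at the end of the chapter.

```python
"""Simulate Cisco IOS ACL evaluation: wildcard-mask matching, top-down first match,
and the implicit 'deny any' at the end of every list."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port keywords IOS accepts after 'eq' (a subset); numeric ports are also allowed.
PORT_NAMES = {"www": 80, "telnet": 23, "ssh": 22, "ftp": 21, "smtp": 25, "domain": 53}
ANY = ("0.0.0.0", "255.255.255.255")


def prefix_to_wildcard(prefix_len: int) -> str:
    """/24 -> 0.0.0.255: the wildcard mask is the bitwise complement of the netmask."""
    netmask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(netmask ^ 0xFFFFFFFF))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match the base address; a 1 bit is ignored."""
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp", "icmp"; standard ACLs match any protocol
    src: tuple[str, str]        # (address, wildcard)
    dst: tuple[str, str]
    port: Optional[int] = None  # destination port from 'eq', else None


def _addr_spec(tokens: list[str]) -> tuple[str, str]:
    """Consume 'any', 'host A' or 'A W' from the front of the token list."""
    first = tokens.pop(0)
    if first == "any":
        return ANY
    if first == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (first, tokens.pop(0))


def parse_acl(text: str) -> list[Entry]:
    """Parse the 'ip access-list standard|extended N' block form used on the slides."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    kind = lines[0].split()[2]
    entries = []
    for line in lines[1:]:
        t = line.split()
        action = t.pop(0)
        if kind == "standard":
            entries.append(Entry(action, "ip", _addr_spec(t), ANY))
            continue
        proto = t.pop(0)
        src, dst = _addr_spec(t), _addr_spec(t)
        port = None
        if t and t[0] == "eq":
            port = PORT_NAMES[t[1]] if t[1] in PORT_NAMES else int(t[1])
        entries.append(Entry(action, proto, src, dst, port))
    return entries


def evaluate(entries, proto, src, dst, dport=None):
    """Return (action, line_number) of the first matching entry, or ('deny', None)
    when nothing matched and the implicit deny at the end of the list applies."""
    for n, e in enumerate(entries, start=1):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (wildcard_match(src, *e.src) and wildcard_match(dst, *e.dst)):
            continue
        if e.port is not None and e.port != dport:
            continue
        return e.action, n
    return "deny", None


# Constructed ACLs: the slides' standard ACL 12 and extended ACL 120, plus ACL 120
# with its two lines swapped to show why the generic rule must come last.
ACL_12 = "ip access-list standard 12\n deny 40.0.0.3 0.0.0.0\n permit any"
ACL_120 = ("ip access-list extended 120\n"
           " deny tcp 30.30.30.0 0.0.0.255 40.40.40.3 0.0.0.0 eq www\n"
           " permit ip any any")
ACL_120_WRONG_ORDER = ("ip access-list extended 120\n"
                       " permit ip any any\n"
                       " deny tcp 30.30.30.0 0.0.0.255 40.40.40.3 0.0.0.0 eq www")

if __name__ == "__main__":
    acl = parse_acl(ACL_120)
    print("HTTP 30.30.30.5 -> 40.40.40.3:", evaluate(acl, "tcp", "30.30.30.5", "40.40.40.3", 80))
    print("ICMP 30.30.30.5 -> 40.40.40.3:", evaluate(acl, "icmp", "30.30.30.5", "40.40.40.3"))
    print("same HTTP packet, wrong order:", evaluate(parse_acl(ACL_120_WRONG_ORDER), "tcp", "30.30.30.5", "40.40.40.3", 80))
    print("/21 wildcard:", prefix_to_wildcard(21))
```

The swapped list is the mistake the rules slide warns about: permit ip any any on line 1 matches everything, so the deny below it is never reached. A list that contains only deny or narrow permit entries, with no trailing permit, silently drops everything else through the implicit deny, which evaluate reports with line number None.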
ACL Extended
Example 3

To remove an access list:
R1(config)# no access-list 100

Note: PCs in network 192.168.2.0 can reach the web page on the web server only and cannot ping any PC in network 192.168.1.0; they can, however, still ping PCs in network 192.168.4.0.
ACL Extended
Example 4

Wildcard Mask- Inverse of Subnet Mask
Slash Netmask Wildcard mask
/32 255.255.255.255 0.0.0.0
/31 255.255.255.254 0.0.0.1
/30 255.255.255.252 0.0.0.3
/29 255.255.255.248 0.0.0.7
/28 255.255.255.240 0.0.0.15
/27 255.255.255.224 0.0.0.31
/26 255.255.255.192 0.0.0.63
/25 255.255.255.128 0.0.0.127
/24 255.255.255.0 0.0.0.255
/23 255.255.254.0 0.0.1.255
/22 255.255.252.0 0.0.3.255
/21 255.255.248.0 0.0.7.255
/20 255.255.240.0 0.0.15.255
/19 255.255.224.0 0.0.31.255
/18 255.255.192.0 0.0.63.255
/17 255.255.128.0 0.0.127.255
/16 255.255.0.0 0.0.255.255
/15 255.254.0.0 0.1.255.255
/14 255.252.0.0 0.3.255.255
/13 255.248.0.0 0.7.255.255
/12 255.240.0.0 0.15.255.255
/11 255.224.0.0 0.31.255.255
/10 255.192.0.0 0.63.255.255
/9 255.128.0.0 0.127.255.255
/8 255.0.0.0 0.255.255.255
/7 254.0.0.0 1.255.255.255
/6 252.0.0.0 3.255.255.255
/5 248.0.0.0 7.255.255.255
/4 240.0.0.0 15.255.255.255
/3 224.0.0.0 31.255.255.255
/2 192.0.0.0 63.255.255.255
/1 128.0.0.0 127.255.255.255
/0 0.0.0.0 255.255.255.255
End of Chapter 7
