CCNASv2 InstructorPPT CH2

The document discusses securing network device access through configuration of administrative roles, passwords, login authentication, and secure remote access protocols. It provides guidance on: 1) Configuring strong passwords, encrypting secret passwords, restricting virtual terminal and console line access, and implementing login delay and failure logging to enhance authentication security. 2) Configuring SSH to encrypt management sessions for secure remote access, including generating key pairs, specifying protocol versions, and modifying configuration parameters. 3) Securing the edge router through approaches like using a single router, defense-in-depth with a firewall, or a DMZ architecture and hardening the router through physical security, operating system security, and disabling unused services.

Uploaded by

duy ha

Chapter 2:

Securing Network Devices

CCNA Security v2.0


Chapter Outline
2.0 Introduction
2.1 Securing Device Access
2.2 Assigning Administrative Roles
2.3 Monitoring and Managing Devices
2.4 Using Automated Security Features
2.5 Securing the Control Plane
2.6 Summary

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Section 2.1:
Securing Device Access
Upon completion of this section, you should be able to:
• Explain how to secure a network perimeter.

• Configure secure administrative access to Cisco routers.

• Configure enhanced security for virtual logins.

• Configure an SSH daemon for secure remote management.

Topic 2.1.1:
Securing the Edge Router

Securing the Network Infrastructure

Edge Router Security Approaches
• Single Router Approach
  A single router connects the internal LAN to the Internet. All security policies are configured on this device.
  [Figure: Internet - Router 1 (R1) - LAN 1 192.168.2.0]
• Defense-in-depth Approach
  Passes everything through to the firewall. A set of rules determines what traffic the router will allow or deny.
  [Figure: Internet - R1 - Firewall - LAN 1 192.168.2.0]
• DMZ Approach
  The DMZ is set up between two routers. Most traffic filtering is left to the firewall.
  [Figure: Internet - R1 - Firewall - R2 - LAN 1 192.168.2.0, with the DMZ between R1 and R2]

Three Areas of Router Security
• Physical Security
  Place router in a secured, locked room
  Install an uninterruptible power supply
• Operating System Security
  Use the latest stable version that meets network requirements
  Keep a copy of the O/S and configuration file as a backup
• Router Hardening
  Secure administrative control
  Disable unused ports and interfaces
  Disable unnecessary services

Secure Administrative Access
Tasks:
• Restrict device accessibility

• Log and account for all access

• Authenticate access

• Authorize actions

• Present legal notification

• Ensure the confidentiality of data

Secure Local and Remote Access

Local Access
Remote Access Using Telnet
Remote Access Using Modem and Aux Port

Secure Local and Remote Access (Cont.)
Dedicated Management Network

Topic 2.1.2:
Configuring Secure Administrative Access

Strong Passwords
Guidelines:
• Use a password length of 10 or more characters.

• Include a mix of uppercase and lowercase letters, numbers, symbols, and spaces.

• Avoid passwords based on easily identifiable pieces of information.

• Deliberately misspell a password (Smith = Smyth = 5mYth).

• Change passwords often.

• Do not write passwords down and leave them in obvious places.

Weak Password   Why it is Weak
secret          Simple dictionary password
smith           Mother's maiden name
toyota          Make of car
bob1967         Name and birthday of user
Blueleaf23      Simple words and numbers

Strong Password   Why it is Strong
b67n42d39c        Combines alphanumeric characters
12^h u4@1p7       Combines alphanumeric characters, symbols, and includes a space

Increasing Access Security
To increase the security of passwords, use additional configuration parameters:
• Minimum password lengths should be enforced
• Unattended connections should be disabled
• All passwords in the configuration file should be encrypted

R1(config)# service password-encryption
R1(config)# exit
R1# show running-config
line con 0
 exec-timeout 3 30
 password 7 094F471A1A0A
 login
line aux 0
 exec-timeout 3 30
 password 7 094F471A1A0A
 login

Secret Password Algorithms
Guidelines:
• Configure all secret passwords using type 8 or type 9 passwords
• Use the enable algorithm-type command syntax to enter an unencrypted password
• Use the username name algorithm-type command to specify type 9 encryption
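The following configuration is added here as a worked example; it is not taken from the course slides. It combines the three access-security parameters from the previous slide (using the security passwords min-length command for the first bullet) with type 9 secrets from this one. The hostname R1, the timeout values, the account name and the passwords are assumed for illustration, and the hash output is a placeholder.

```cisco
! Added example (not from the course slides); hostname, timeouts, account and passwords are assumed
! 1. Enforce a minimum length for every password configured from now on (existing ones are not re-checked)
R1(config)# security passwords min-length 10
! 2. Disconnect unattended sessions after 3 minutes 30 seconds of inactivity
R1(config)# line con 0
R1(config-line)# exec-timeout 3 30
R1(config-line)# exit
R1(config)# line vty 0 4
R1(config-line)# exec-timeout 3 30
R1(config-line)# exit
! 3. Obscure any remaining plaintext line passwords; type 7 is reversible, so this only stops casual reading
R1(config)# service password-encryption
! Store the enable secret and the local user with type 9 (scrypt) instead of type 5 (MD5)
R1(config)# enable algorithm-type scrypt secret Enab1e-S3cret-Ex@mple
R1(config)# username admin privilege 15 algorithm-type scrypt secret Adm1n-Loc@l-Example
R1(config)# end
! Verify: secrets should appear as "secret 9", never "secret 5" or a plaintext "password"
R1# show running-config | include secret|password
enable secret 9 $9$<hash-placeholder>
username admin privilege 15 secret 9 $9$<hash-placeholder>
```

The check at the end is the one to repeat after any password change: a "secret 5" line means the algorithm-type keyword was omitted, and a "password 7" line means a line password is still only obfuscated rather than hashed.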

Securing Line Access
Command to restrict access to privileged EXEC mode:
R1(config)# enable secret cisco

Commands to establish a login password on incoming Telnet sessions:
R1(config)# line vty 0 4
R1(config-line)# password cisco
R1(config-line)# login

Commands to establish a login password for dial-up modem connections:
R1(config)# line aux 0
R1(config-line)# password cisco
R1(config-line)# login

Commands to establish a login password on the console line:
R1(config)# line con 0
R1(config-line)# password cisco
R1(config-line)# login
Topic 2.1.3:
Configuring Enhanced Security for Virtual Logins

Enhancing the Login Process

Virtual login security enhancements:
• Implement delays between successive login attempts
• Enable login shutdown if DoS attacks are suspected
• Generate system-logging messages for login detection

Configuring Login Enhancement Features

Enable Login Enhancements
Command Syntax: login block-for

Example: login quiet-mode access-class

Example: login delay

Logging Failed Attempts
Generate Login Syslog Messages

Example: show login failures
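The following configuration is added here as a worked example of the login enhancements named on the last three slides; it is not taken from the course slides. The ACL name PERMIT-ADMIN, the admin subnet 10.10.10.0/24, the timer values and the account are assumed. The enhancements apply to vty logins that use login local or AAA, not to lines that use only a line password.

```cisco
! Added example (not from the course slides); ACL name, subnet, timers and account are assumed
! Local account and login local on the vty lines (the enhancements do not act on plain "password"/"login" lines)
R1(config)# username admin algorithm-type scrypt secret Adm1n-Loc@l-Example
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# exit
! Hosts that may still log in while the router is in quiet mode
R1(config)# ip access-list standard PERMIT-ADMIN
R1(config-std-nacl)# permit 10.10.10.0 0.0.0.255
R1(config-std-nacl)# exit
! login block-for must be configured first; it enables the quiet-mode and delay settings
! Block vty logins for 120 seconds after 3 failed attempts within 60 seconds
R1(config)# login block-for 120 attempts 3 within 60
! During the block, still accept logins from sources matching PERMIT-ADMIN
R1(config)# login quiet-mode access-class PERMIT-ADMIN
! Wait 3 seconds between successive attempts (1 second is the default once block-for is set)
R1(config)# login delay 3
! Syslog message for every failed and every successful login
R1(config)# login on-failure log
R1(config)# login on-success log
R1(config)# end
! Verify the settings and the current state (normal mode or quiet mode)
R1# show login
! List the recorded failed attempts: source address, username, count and time
R1# show login failures
```

The on-failure and on-success messages are what a syslog collector keys on for detection; the quiet-mode ACL is what keeps administrators from being locked out by someone else's failed attempts.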

Topic 2.1.4:
Configuring SSH

Steps for Configuring SSH
Example SSH Configuration

Example Verification of SSH

Modifying the SSH Configuration

Connecting to an SSH-Enabled Router

Two ways to connect:


• Enable SSH and use a Cisco router as an SSH server or SSH client.
As a server, the router can accept SSH client connections
As a client, the router can connect via SSH to another SSH-enabled router
• Use an SSH client running on a host, such as PuTTY, OpenSSH, or TeraTerm.
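The following configuration is added here as a worked example of the SSH steps, configuration changes and client connection described on the last four slides; it is not taken from the course slides. The domain name example.com, the address 192.168.2.1, the account and the password are assumed; R2 plays the router-as-client role.

```cisco
! Added example (not from the course slides); domain, address, account and password are assumed
! The RSA key name is built from hostname and domain name, so set both before generating the pair
R1(config)# hostname R1
R1(config)# ip domain-name example.com
! Generate the key pair; SSH version 2 needs at least 768 bits, 2048 is the sensible choice
R1(config)# crypto key generate rsa general-keys modulus 2048
! Accept only SSH version 2
R1(config)# ip ssh version 2
! Negotiation timeout in seconds and the number of authentication retries allowed
R1(config)# ip ssh time-out 60
R1(config)# ip ssh authentication-retries 2
! Local account used for SSH logins
R1(config)# username admin privilege 15 algorithm-type scrypt secret Adm1n-Loc@l-Example
! Authenticate against the local database and accept only SSH on the vty lines (Telnet is no longer accepted)
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# end
! Verification: version, timeout and retries, then the active sessions
R1# show ip ssh
R1# show ssh
! A second router acting as SSH client, forcing version 2 and the local account name
R2# ssh -v 2 -l admin 192.168.2.1
```

The transport input ssh line is the one that actually removes Telnet from the management path; generating keys and enabling version 2 alone still leaves Telnet accepted on the vty lines.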

Section 2.2:
Assigning Administrative Roles
Upon completion of this section, you should be able to:
• Configure administrative privilege levels to control command availability.

• Configure role-based CLI access to control command availability.

Topic 2.2.1:
Configuring Privilege Levels

Limiting Command Availability
Privilege levels:
• Level 0: Predefined for user-level access privileges.
• Level 1: Default level for login with the router prompt.
• Level 2-14: May be customized for user-level privileges.
• Level 15: Reserved for the enable mode privileges.

Levels of access commands:
• User EXEC mode (privilege level 1)
  Lowest EXEC mode user privileges
  Only user-level commands available at the router> prompt
• Privileged EXEC mode (privilege level 15)
  All enable-level commands at the router# prompt

Privilege Level Syntax

Configuring and Assigning Privilege Levels

• A USER account with normal, Level 1 access.
• A SUPPORT account with Level 1 and ping command access.
• A JR-ADMIN account with the same privileges as the SUPPORT account plus access to the reload command.
• An ADMIN account which has all of the regular privileged EXEC commands.
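The following configuration is added here as a worked example of the four accounts listed above; it is not taken from the course slides. Level 5 for SUPPORT and level 10 for JR-ADMIN are assumed choices (any value from 2 to 14 would do), as are the hostname and the passwords.

```cisco
! Added example (not from the course slides); levels 5 and 10, hostname and passwords are assumed
! ping is available at level 1 by default; raising it to 5 means a plain level-1 USER can no longer run it
R1(config)# privilege exec level 5 ping
! reload is a level-15 command by default; lowering it to 10 makes it available from level 10 upwards
R1(config)# privilege exec level 10 reload
! An enable secret for each custom level, so "enable 5" and "enable 10" can be used
R1(config)# enable algorithm-type scrypt secret level 5 Supp0rt-Lvl5-Example
R1(config)# enable algorithm-type scrypt secret level 10 JrAdm1n-Lvl10-Example
R1(config)# enable algorithm-type scrypt secret Adm1n-Lvl15-Example
! The accounts from the slide; each lands at its privilege level on login
R1(config)# username USER privilege 1 algorithm-type scrypt secret User-Lvl1-Example
R1(config)# username SUPPORT privilege 5 algorithm-type scrypt secret Supp0rt-Lvl5-Example
R1(config)# username JR-ADMIN privilege 10 algorithm-type scrypt secret JrAdm1n-Lvl10-Example
R1(config)# username ADMIN privilege 15 algorithm-type scrypt secret Adm1n-Lvl15-Example
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# end
! Verification after logging in as SUPPORT: ping works, reload is not even parsed
R1# show privilege
Current privilege level is 5
R1# reload
        ^
% Invalid input detected at '^' marker.
```

Because JR-ADMIN sits at level 10, it inherits ping from level 5 without any further configuration; this is the "lower-level commands are always executable at higher levels" property listed on the next slide.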

Limitations of Privilege Levels
• No access control to specific interfaces, ports, logical interfaces, and
slots on a router
• Commands available at lower privilege levels are always executable at
higher privilege levels
• Commands specifically set at higher privilege levels are not available
for lower privilege users
• Assigning a command with multiple keywords allows access to all
commands that use those

Topic 2.2.2:
Configuring Role-Based CLI

Role-Based CLI Access
For example:
• Security operator privileges
Configure AAA
Issue show commands
Configure firewall
Configure IDS/IPS
Configure NetFlow

• WAN engineer privileges


Configure routing
Configure interfaces
Issue show commands

Role-Based Views

Configuring Role-Based Views
Step 1

Step 2

Step 3

Step 4

Configuring Role-Based CLI Superviews

Step 1

Step 2

Step 3

Verify Role-Based CLI Views

Enable Root View and Verify All Views
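The following configuration is added here as a worked example of the view and superview steps on the last three slides, built around the security operator and WAN engineer roles from the Role-Based CLI Access slide; it is not taken from the course slides. The view names SECOPS, WANENG and NETADMIN, the secrets and the exact command sets are assumed. Commands entered in a sub-mode belong to that parser mode, so a view that should configure interface details needs the relevant commands added for that mode as well.

```cisco
! Added example (not from the course slides); view names, secrets and command sets are assumed
! Step 1: AAA must be enabled before any view can be created
R1(config)# aaa new-model
R1(config)# end
! Step 2: enter the root view (prompted for the enable secret)
R1# enable view
Password:
! Step 3: create the security operator view and give it a secret
R1# configure terminal
R1(config)# parser view SECOPS
R1(config-view)# secret SecOps-View-Example
! Step 4: assign commands; "all" also includes every command that starts with the same keyword
R1(config-view)# commands exec include all show
R1(config-view)# commands exec include configure terminal
R1(config-view)# commands configure include all aaa
R1(config-view)# commands configure include all ip access-list
R1(config-view)# exit
! Same steps for the WAN engineer view
R1(config)# parser view WANENG
R1(config-view)# secret WanEng-View-Example
R1(config-view)# commands exec include all show
R1(config-view)# commands exec include configure terminal
R1(config-view)# commands configure include all router
R1(config-view)# commands configure include all interface
R1(config-view)# exit
! Superview: its own secret, and it holds only references to the views it groups
R1(config)# parser view NETADMIN superview
R1(config-view)# secret NetAdmin-Super-Example
R1(config-view)# view SECOPS
R1(config-view)# view WANENG
R1(config-view)# end
! Verify: switch into a view and list what it allows, then list all views from the root view
R1# enable view SECOPS
Password:
R1# show parser view
R1# enable view
Password:
R1# show parser view all
```

Unlike privilege levels, the two views do not nest: a WANENG user gets no aaa commands even though both views contain show, which is the property the previous section listed as a limitation of privilege levels.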

Section 2.3:
Monitoring and Managing Devices
Upon completion of this section, you should be able to:
• Use the Cisco IOS resilient configuration feature to secure the Cisco IOS image
and configuration files.
• Compare in-band and out-of band management access.

• Configure syslog to log system events.

• Configure secure SNMPv3 access using ACL

• Configure NTP to enable accurate timestamping between all devices.

Topic 2.3.1:
Securing Cisco IOS Image and Configuration Files

Cisco IOS Resilient Configuration Feature

Enabling the IOS Image Resilience Feature

The Primary Bootset Image

Configuring Secure Copy
Configure the router for server-side SCP with local AAA:
1. Configure SSH

2. Configure at least one user with privilege level 15

3. Enable AAA

4. Specify that the local database is to be used for authentication

5. Configure command authorization

6. Enable SCP server-side functionality
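The six steps above, carried through as one configuration; this is an added example, not taken from the course slides. The domain name, the account, the password, the address 192.168.2.1 and the host-side scp command are assumed.

```cisco
! Added example (not from the course slides); domain, account, password and addresses are assumed
! 1. SSH, which SCP runs over
R1(config)# ip domain-name example.com
R1(config)# crypto key generate rsa general-keys modulus 2048
R1(config)# ip ssh version 2
! 2. At least one privilege 15 user
R1(config)# username admin privilege 15 algorithm-type scrypt secret Adm1n-Loc@l-Example
! 3. Enable AAA
R1(config)# aaa new-model
! 4. Use the local database for authentication
R1(config)# aaa authentication login default local
! 5. Command (EXEC) authorization; the SCP server requires AAA authorization to be in place
R1(config)# aaa authorization exec default local
! 6. Server-side SCP
R1(config)# ip scp server enable
R1(config)# line vty 0 4
R1(config-line)# transport input ssh
R1(config-line)# end
R1# copy running-config startup-config
! Pulling a copy of the running configuration from an admin host with an OpenSSH client
$ scp admin@192.168.2.1:running-config ./r1-running.cfg
```

With the SCP server enabled, configuration and image transfers no longer need TFTP or FTP, both of which move the files in the clear; the transfer is authenticated by the same local account that SSH logins use.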

Recovering a Router Password
1. Connect to the console port.

2. Record the configuration register setting.

3. Power cycle the router.

4. Issue the break sequence.

5. Change the default configuration register with the confreg 0x2142 command.

6. Reboot the router.

7. Press Ctrl-C to skip the initial setup procedure.

8. Put the router into privileged EXEC mode.

9. Copy the startup configuration to the running configuration.

10. Verify the configuration.

11. Change the enable secret password.

12. Enable all interfaces.

13. Change the config-register with the config-register configuration_register_setting.

14. Save the configuration changes.

Password Recovery

Disable Password Recovery

No Service Password Recovery

Password Recovery
Functionality is Disabled
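The 14 recovery steps above as console commands, followed by the command that disables the procedure; this is an added example, not taken from the course slides. The interface name, the new password and the sample register value are assumed.

```cisco
! Added example (not from the course slides); interface, new password and sample output are assumed
! Step 2: record the current register before changing anything (0x2102 is the usual value)
R1# show version | include register
Configuration register is 0x2102
! Steps 3 and 4: power cycle and send the break sequence from the console during boot. Step 5, in ROMMON:
rommon 1 > confreg 0x2142
rommon 2 > reset
! 0x2142 boots without loading startup-config. Step 7: Ctrl-C at the setup dialog
! Step 8: privileged EXEC (no enable secret is in effect yet)
Router> enable
! Step 9: load the saved configuration; step 10: verify it
Router# copy startup-config running-config
R1# show running-config
! Step 11: replace the enable secret (type 9)
R1# configure terminal
R1(config)# enable algorithm-type scrypt secret New-Enab1e-Example
! Step 12: interfaces stay administratively down after the copy, so enable them
R1(config)# interface GigabitEthernet0/0
R1(config-if)# no shutdown
R1(config-if)# exit
! Step 13: restore the register recorded in step 2
R1(config)# config-register 0x2102
R1(config)# end
! Step 14
R1# copy running-config startup-config

! Hardening: refuse the ROMMON break. Once this is set, a lost enable secret can only be dealt
! with by a factory reset that erases the startup configuration, so keep an offline backup first
R1(config)# no service password-recovery
```

The recovery works because anyone with console access and a power cycle can bypass the saved configuration; that is why physical security is the first of the three areas of router security, and why no service password-recovery is worth the operational cost on devices that are not physically protected.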

Topic 2.3.2:
Secure Management and Reporting

Determining the Type of Management Access
In-Band Management:
• Apply only to devices that need to be managed or monitored
• Use IPsec, SSH, or SSL when possible
• Decide whether the management channel needs to be open at all times

Out-of-Band (OOB) Management:
• Provides the highest level of security
• Mitigates the risk of passing management protocols over the production network

Topic 2.3.3:
Using Syslog for Network Security

Introduction to Syslog

Syslog Operation

Syslog Message
Security Levels

Example Severity Levels

Syslog Message (Cont.)

Syslog Systems

Configuring System Logging

Turn logging on and off using the logging buffered, logging monitor, and logging commands.

1. Set the destination logging host
   R3(config)# logging 10.2.2.6
2. Set the log severity (trap) level
   R3(config)# logging trap informational
3. Set the source interface
   R3(config)# logging source-interface loopback 0
4. Enable logging
   R3(config)# logging on
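The following configuration extends the four steps above with the local destinations (buffer and monitor) and the timestamp settings that make the messages usable for correlation; it is an added example, not taken from the course slides. The buffer size and the monitor severity level are assumed; the syslog host 10.2.2.6 and loopback 0 are the ones from the slide.

```cisco
! Added example (not from the course slides); buffer size and monitor level are assumed
! Millisecond timestamps with time zone, plus sequence numbers, so messages can be correlated across devices
R3(config)# service timestamps log datetime msec localtime show-timezone
R3(config)# service sequence-numbers
! Local buffer: 16 KB, informational (level 6) and above
R3(config)# logging buffered 16384 informational
! Messages shown on terminal sessions: warnings (level 4) and above
R3(config)# logging monitor warnings
! Remote syslog server from the slide, same severity, sourced from loopback 0 so the source address is stable
R3(config)# logging host 10.2.2.6
R3(config)# logging trap informational
R3(config)# logging source-interface loopback 0
R3(config)# logging on
R3(config)# end
! Verification: destinations, severity levels, counters and the buffered messages
R3# show logging
! Display messages on the current vty session (the console receives them by default)
R3# terminal monitor
```

The timestamps only mean something once the clock is correct, which is why the NTP topic that follows belongs with syslog rather than being a separate concern.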

Topic 2.3.4:
Using SNMP for Network Security

Introduction to SNMP

Management Information Base
Cisco MIB
Hierarchy

SNMP Versions

SNMP Vulnerabilities

SNMPv3
Message integrity & authentication

Encryption

Access control

• Transmissions from manager to agent may be authenticated to guarantee the identity of the sender and the integrity and timeliness of a message.
• SNMPv3 messages may be encrypted to ensure privacy.
• Agent may enforce access control to restrict each principal to certain actions on specific portions of data.

Configuring SNMPv3 Security

Secure SNMPv3 Configuration Example

Verifying the SNMPv3 Configuration
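The following configuration is added here as a worked example of the three SNMPv3 services (authentication, encryption, access control) described under the SNMPv3 slide, with the weak SNMPv2c setting shown beside it; it is not taken from the course slides. The ACL, view, group and user names, the subnet 192.168.1.0/24 and the passwords are assumed.

```cisco
! Added example (not from the course slides); names, subnet and passwords are assumed
! Weak: a v1/v2c community string travels in clear text, has no user identity and no encryption
R1(config)# snmp-server community public RO
! Remove it before moving to v3
R1(config)# no snmp-server community public
! Access control: only the management station's subnet may query
R1(config)# ip access-list standard PERMIT-SNMP
R1(config-std-nacl)# permit 192.168.1.0 0.0.0.255
R1(config-std-nacl)# exit
! A read-only view over the whole MIB tree
R1(config)# snmp-server view SNMP-RO iso included
! Group: version 3, security level priv (authentication plus encryption), read-only, restricted by the ACL
R1(config)# snmp-server group ADMIN-GRP v3 priv read SNMP-RO access PERMIT-SNMP
! User in that group: SHA for authentication and integrity, AES-128 for privacy
R1(config)# snmp-server user ADMIN-USR ADMIN-GRP v3 auth sha AuthPa55-Example priv aes 128 PrivPa55-Example
R1(config)# end
! Verify the group's security model and level, then the user's auth and priv protocols
R1# show snmp group
R1# show snmp user
```

The security level on the group is what enforces the protections: a group created with noauth or auth instead of priv accepts requests without encryption even if the user has a privacy password configured.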

Topic 2.3.5:
Using NTP

Network Time Protocol

Clocks on hosts and network devices must be maintained and synchronized to ensure that log messages are synchronized with one another.
The date and time settings of the router can be set using one of two methods:
• Manually edit the date and time
• Configure Network Time Protocol

NTP Server

Sample NTP Topology

Sample NTP
Configuration on R1

Sample NTP
Configuration on R2

NTP Authentication
• There are two security mechanisms available:
  An ACL-based restriction scheme
  An encrypted authentication mechanism such as offered by NTP version 3 or higher
• Implement NTP version 3 or higher. Use the following commands on both the NTP master and the NTP client:
  ntp authenticate
  ntp authentication-key key-number md5 key-value
  ntp trusted-key key-number
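The following configuration is added here as a worked example of both NTP security mechanisms on the R1/R2 topology named on the previous slide; it is not taken from the course slides. R1 as master at stratum 3, the addresses 10.1.1.1 and 10.1.1.2, the ACL number and the key string are assumed.

```cisco
! Added example (not from the course slides); stratum, addresses, ACL number and key string are assumed
! R1 is the NTP master (authoritative source); key number and key string must match on both sides
R1(config)# ntp master 3
R1(config)# ntp authenticate
R1(config)# ntp authentication-key 1 md5 NTP-Key-Example
R1(config)# ntp trusted-key 1
! ACL-based restriction: R1 serves time only to R2 and answers no control queries
R1(config)# access-list 10 permit 10.1.1.2
R1(config)# ntp access-group serve-only 10
R1(config)# end

! R2 is the client: same key, then point it at R1 and tell it which key to use
R2(config)# ntp authenticate
R2(config)# ntp authentication-key 1 md5 NTP-Key-Example
R2(config)# ntp trusted-key 1
R2(config)# ntp server 10.1.1.1 key 1
R2(config)# end
! Verification: "*" marks the peer R2 synchronized to; status shows the stratum and whether the clock is synchronized
R2# show ntp associations
R2# show ntp status
```

If the key strings differ, the association still appears in show ntp associations but never becomes the selected peer, so show ntp status reporting "unsynchronized" after a few minutes is the symptom to check for.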

Section 2.4:
Using Automated Security Features
Upon completion of this section, you should be able to:
• Use security audit tools to determine IOS-based router vulnerabilities.

• Use AutoSecure to enable security on IOS-based routers.

Topic 2.4.1:
Performing a Security Audit

Discovery Protocols CDP and LLDP

Settings for Protocols and Services
There is a detailed list of security settings for protocols and services
provided in Figure 2 of this page in the course.

Additional recommended practices to ensure a device is secure:


• Disable unnecessary services and interfaces.

• Disable and restrict commonly configured management services.

• Disable probes and scans. Ensure terminal access security.

• Disable gratuitous and proxy ARPs

• Disable IP-directed broadcasts.

Topic 2.4.2:
Locking Down a Router Using AutoSecure

Cisco AutoSecure

Using the Cisco AutoSecure Feature

Using the auto secure Command
1. The auto secure command is entered
2. Wizard gathers information about the outside interfaces
3. AutoSecure secures the management plane by disabling unnecessary services
4. AutoSecure prompts for a banner
5. AutoSecure prompts for passwords and enables password and login features
6. Interfaces are secured
7. Forwarding plane is secured
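The following configuration is added here as a worked example that serves two slides: the manual lockdown of the protocols and services listed under Settings for Protocols and Services, and the AutoSecure run from this slide that performs the management-plane part of the same work in one step. It is not taken from the course slides; the interface name is assumed.

```cisco
! Added example (not from the course slides); the interface name is assumed
! Global services that are rarely needed and that leak information or provide amplification
R1(config)# no cdp run
R1(config)# no lldp run
R1(config)# no ip http server
R1(config)# no ip http secure-server
R1(config)# no ip finger
R1(config)# no ip bootp server
R1(config)# no service tcp-small-servers
R1(config)# no service udp-small-servers
R1(config)# no ip source-route
R1(config)# no ip gratuitous-arps
! Terminal access security: detect and drop dead inbound sessions
R1(config)# service tcp-keepalives-in
! Per-interface settings on the outside interface
R1(config)# interface GigabitEthernet0/0
R1(config-if)# no ip proxy-arp
R1(config-if)# no ip directed-broadcast
R1(config-if)# no ip redirects
! Note: suppressing unreachables also suppresses the "fragmentation needed" message that path MTU discovery relies on
R1(config-if)# no ip unreachables
R1(config-if)# no ip mask-reply
R1(config-if)# end

! AutoSecure covers the management-plane part of the above in one step; "no-interact" takes the
! defaults without the prompts in steps 2 to 5, so review the generated configuration before saving it
R1# auto secure management no-interact
R1# show auto secure config
```

Running the manual list first and AutoSecure afterwards is a useful check in either direction: whatever show auto secure config adds that the manual list did not is a gap in the list, and anything the manual list contains that AutoSecure left alone still has to be maintained by hand.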

Section 2.5:
Securing the Control Plane
Upon completion of this section, you should be able to:
• Configure a routing protocol authentication.

• Explain the function of Control Plane Policing.

Topic 2.5.1:
Routing Protocol Authentication

Routing Protocol Spoofing
Consequences of protocol spoofing:
• Redirect traffic to create routing loops.

• Redirect traffic so it can be monitored on an insecure link.

• Redirect traffic to discard it.

OSPF MD5 Routing Protocol Authentication

OSPF SHA Routing Protocol Authentication
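The following configuration is added here as a worked example of the MD5 and SHA authentication named on the last two slides, which mitigate the routing protocol spoofing described before them; it is not taken from the course slides. The OSPF process ID, the interface names and the key strings are assumed, and the key-chain form of OSPF authentication requires a newer IOS release than the MD5 form.

```cisco
! Added example (not from the course slides); process ID, interfaces and key strings are assumed
! MD5 on one interface: the key, then enabling message-digest mode
R1(config)# interface GigabitEthernet0/1
R1(config-if)# ip ospf message-digest-key 1 md5 OSPF-MD5-Example
R1(config-if)# ip ospf authentication message-digest
R1(config-if)# exit
! Alternatively enable MD5 for every interface in the area (each interface still needs its own key line)
R1(config)# router ospf 10
R1(config-router)# area 0 authentication message-digest
R1(config-router)# exit

! SHA on another interface: a key chain carrying an HMAC-SHA algorithm, applied to the interface
R1(config)# key chain OSPF-SHA
R1(config-keychain)# key 1
R1(config-keychain-key)# key-string OSPF-SHA-Example
R1(config-keychain-key)# cryptographic-algorithm hmac-sha-256
R1(config-keychain-key)# exit
R1(config-keychain)# exit
R1(config)# interface GigabitEthernet0/2
R1(config-if)# ip ospf authentication key-chain OSPF-SHA
R1(config-if)# end
! Both neighbors must use the same mode and key; a mismatch shows up as the adjacency never reaching FULL
R1# show ip ospf interface GigabitEthernet0/1
R1# show ip ospf neighbor
```

Authentication stops a spoofed router from injecting routes, but only on the interfaces where it is enabled; an interface left at the default null authentication is still open to the three consequences listed on the Routing Protocol Spoofing slide.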

Topic 2.5.2:
Control Plane Policing

Network Device Operations

Control and Management Plane Vulnerabilities

CoPP Operation

Section 2.6:
Summary
Chapter Objectives:
• Configure secure administrative access.

• Configure command authorization using privilege levels and role-based CLI.

• Implement the secure management and monitoring of network devices.

• Use automated features to enable security on IOS-based routers.

• Implement control plane security.

Thank you.
Instructor Resources

• Remember, there are helpful tutorials and user guides available via your NetSpace home page (https://www.netacad.com).
• These resources cover a variety of topics including navigation, assessments, and assignments.
• A screenshot has been provided here highlighting the tutorials related to activating exams, managing assessments, and creating quizzes.
