CCNA Security Chapter 2 PowerPoint (transcript)
CCNA Security, Chapter 2: Securing Network Devices (Preview)
Professor Deb Keller, Network Authentication and Security
Major Concepts
- Discuss the aspects of router hardening
- Configure secure administrative access and router resiliency
- Configure network devices for monitoring administrative access
- Demonstrate network monitoring techniques
- Secure IOS-based routers using automated features
Lesson Objectives
Upon completion, the successful student will be able to:
1. Describe how to configure a secure network perimeter
2. Configure secure router administration access
3. Describe and configure enhanced security for virtual logins
4. Describe and configure an SSH daemon for secure remote management (use the PuTTY client)
5. Describe the purpose of and configure administrative privilege levels
6. Configure the role-based CLI access feature to provide hierarchical administrative access
7. Describe the factors to consider when securing the data that transmits over the network related to the network management and reporting of device activity
8. Describe and configure syslog for network security (use the SolarWinds syslog server on a PC)
9. Describe and configure SNMP for network security
10. Describe and configure NTP to enable accurate time stamping between all devices
11. Describe the router services, interfaces, and management services that are vulnerable to network attacks and perform a security audit
12. Lock down a router using AutoSecure and know its purposes and limitations
13. Lock down a router using CCP and know its purposes and limitations
Perimeter Implementations (figure: three topologies, each with LAN 1 = 192.168.2.0)
- Single Router Approach: Internet, Router 1 (R1), LAN 1. One router does all perimeter filtering.
- Defense-in-depth Approach: Internet, R1, Firewall, LAN 1. The edge router screens traffic before a dedicated firewall.
- DMZ Approach: Internet, R1, Firewall, R2, LAN 1, with the DMZ attached to the firewall so public-facing hosts sit outside the internal network.
The Edge Router
What is the edge router?
- The last router between the internal network and an untrusted network such as the Internet
- Functions as the first and last line of defense
- Implements security actions based on the organization's security policies
How can the edge router be secured?
- Use various perimeter router implementations
- Consider physical security, operating system security, and router hardening
- Secure administrative access (local versus remote router access)
Router Configuration
- CLI configuration
- CCP configuration
- Privilege levels: 16 levels (0 through 15)
- Role-based "view" configuration: root view, CLI view, superview
Router Configuration (continued)
- Banners: generally do not publish any information about the device or corporation
- SSH
- Secure the IOS image and the configuration
- Password recovery; disabling password recovery
Secure Management
- Change management
- Logging
- Out-of-band vs. in-band management
- Syslog, SNMP, NTP
Configuration
- Logging to the console and terminal lines
- Setting up a syslog server; logging to a syslog server
- NTP server; NTP client
- Disable unnecessary services
- CCP security audit: Security Audit Wizard vs. One-step Lockdown
- Cisco AutoSecure
Lab Tasks
- Basic CCNA-level network configuration and cabling
- Encrypt all passwords
- Warning banner
- Enhanced username security
- Enhanced virtual login security
- SSH: router as server and PC as client
- Role views …
- Secure IOS and configuration files
- Router as NTP client and as NTP server
- Router as syslog client and PC as syslog server
- Router as SNMP client with trap reporting
- Cisco AutoSecure
- CCP Security Audit
Properly Setting the Date and Time
Accurate, consistently zoned time is what lets syslog entries from several devices be correlated, so set it before configuring logging.
Tasks
1. Set the timezone. We are in the Eastern timezone, which is 5 hours behind UTC. This is a global configuration command:
   (config)# clock timezone ET -5
2. Set the dates on which the time changes in the timezone. Daylight Saving Time in the United States begins at 2:00 a.m. on the second Sunday of March and ends at 2:00 a.m. on the first Sunday of November. This is also a global configuration command:
   (config)# clock summer-time ET recurring 2 Sunday March 2:00 1 Sunday November 2:00
   The zone names are free-form strings that IOS prints in show clock and in timestamps; using distinct names such as EST and EDT makes it obvious which offset is in effect.
3. Set the date and time. This is a privileged EXEC command, not a configuration command:
   # clock set 14:05:00 Jan 10 2011
4. Some devices have a hardware clock (called the calendar) as well as the software clock (called the clock). On these devices you must copy the date and time to the hardware clock, or the device reverts to the default time when it is rebooted:
   # clock update-calendar
   There are other commands that operate between the hardware and software clock, but they are not necessary for this purpose.
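The tasks above carried through as one IOS configuration, as an added example that is not part of the original slides. It joins the time-zone and DST settings with the NTP and syslog-timestamp settings the lab also covers, because an authenticated time source and zone-stamped log messages are what make logs from several devices line up. The NTP server address 192.168.2.10, the key number 1 and the key string are assumptions chosen for the example, and the zone names EST/EDT are used in place of the slides' ET.

```ios
configure terminal
! Time zone and US daylight-saving rules (second Sunday of March to first Sunday of November).
! EST/EDT are example zone names; the slides use ET for both.
clock timezone EST -5
clock summer-time EDT recurring 2 Sunday March 2:00 1 Sunday November 2:00
!
! Stamp syslog and debug messages with milliseconds, local time and the zone name,
! so entries from different devices can be placed on one timeline during an investigation.
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone
!
! Authenticated NTP client: a server that does not authenticate with key 1 is ignored,
! so a spoofed NTP source cannot move the clock (and with it the log timeline).
! 192.168.2.10 and the key string are assumed values for this example.
ntp authenticate
ntp authentication-key 1 md5 EXAMPLE-NTP-KEY
ntp trusted-key 1
ntp server 192.168.2.10 key 1 prefer
!
! Keep the hardware calendar in step with NTP so a reload does not revert the time.
ntp update-calendar
end
!
! Privileged EXEC: seed the clock by hand before NTP is reachable,
! then copy it to the hardware calendar.
clock set 14:05:00 Jan 10 2011
clock update-calendar
!
! Verification. show clock detail reports the time source (NTP once synchronized);
! show ntp status should report that the clock is synchronized;
! show ntp associations lists the configured server.
show clock detail
show ntp status
show ntp associations
```

The order matters: set the zone and DST rules first, then NTP, so that the timestamps written from the moment logging is enabled already carry the right offset and zone name.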
Plan (continued): Lab Day
- Cable the lab (assigned cable technician)
- Complete the lab Parts and Tasks with these exceptions:
  - Skip Part 4, Task 2, Step 3 (Configure NTP clients using CCP)
  - Skip Part 4, Task 3, Step 5 (Configure syslog using CCP)
  - When instructed to set the time, configure the timezone as instructed in class and in these slides
- Submit files and information to the Springboard dropbox as instructed on the dropbox. One submission per team, made by the team leader. While only one is required, every student is expected to keep a copy of these files.
- Every student will submit the team evaluation survey on Springboard.
- Because you do not have a lot of time on lab day, many lab questions will need to be answered outside of class time.