CCNA Security Chapter 2: Securing Network Devices (Preview)
Professor Deb Keller, Network Authentication and Security

Uploaded by eric-napholz, posted 16-Apr-2015

TRANSCRIPT

Page 1: CCNA Security Chapter 2 Powerpoint

CCNA Security, Chapter 2
Securing Network Devices (Preview)
Professor Deb Keller, Network Authentication and Security

Page 2

Major Concepts
- Discuss the aspects of router hardening
- Configure secure administrative access and router resiliency
- Configure network devices for monitoring administrative access
- Demonstrate network monitoring techniques
- Secure IOS-based routers using automated features

Page 3

Lesson Objectives
Upon completion, the successful student will be able to:
1. Describe how to configure a secure network perimeter
2. Configure secure router administration access
3. Describe and configure enhanced security for virtual logins
4. Describe and configure an SSH daemon for secure remote management (use the PuTTY client)
5. Describe the purpose of and configure administrative privilege levels
6. Configure the role-based CLI access feature to provide hierarchical administrative access
7. Describe the factors to consider when securing the data that transits the network for network management and reporting of device activity

Page 4

Lesson Objectives (continued)
8. Describe and configure syslog for network security (use the SolarWinds syslog server on the PC)
9. Describe and configure SNMP for network security
10. Describe and configure NTP to enable accurate time stamping across all devices
11. Describe the router services, interfaces, and management services that are vulnerable to network attacks, and perform a security audit
12. Lock down a router using AutoSecure and know its purposes and limitations
13. Lock down a router using CCP and know its purposes and limitations

Page 5

Perimeter Implementations (diagram; topologies as labelled on the slide)
- Single Router Approach: LAN 1 (192.168.2.0) connects through Router 1 (R1) directly to the Internet, so R1 is the only enforcement point.
- Defense-in-depth Approach: LAN 1 (192.168.2.0) sits behind a dedicated Firewall, which in turn sits behind R1 facing the Internet.
- DMZ Approach: LAN 1 (192.168.2.0) sits behind R2, a Firewall separates R2 from R1, R1 faces the Internet, and a DMZ segment hangs off the Firewall for the hosts that must be reachable from outside.

Page 6

The Edge Router
What is the edge router?
- The last router between the internal network and an untrusted network such as the Internet
- Functions as the first and last line of defense
- Implements security actions based on the organization's security policies
How can the edge router be secured?
- Use one of the perimeter router implementations (single router, defense-in-depth, DMZ)
- Consider physical security, operating system security, and router hardening
- Secure administrative access, both local and remote

Page 7

Router Configuration
- CLI configuration
- CCP (Cisco Configuration Professional) configuration
- Privilege levels: 16 levels (0 through 15)
- Role-based CLI "view" configuration: root view, CLI views, superviews
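The following IOS configuration is an added example, not taken from the slides or the lab, that shows the two mechanisms on this slide side by side: a custom privilege level, and role-based CLI views combined into a superview. The level number, the view and user names, the command sets and every secret are assumed values chosen for illustration.

```cisco
! Added example (not from the slides). Names, level numbers and secrets are assumed.
!
! --- Privilege levels: 0 < 1 (user EXEC) < 2-14 (custom) < 15 (privileged EXEC) ---
! Move two privileged commands down to level 5 so an operator account can run them
! without full enable access. Levels are cumulative: level 5 also gets everything in 1-4.
privilege exec level 5 ping
privilege exec level 5 show running-config
enable secret level 5 Level5Secret!
username operator privilege 5 secret OperatorSecret!
! Caveat: "show running-config" at level 5 displays only the commands that level 5 is
! itself allowed to configure, so the operator does not see the whole configuration.
!
! --- Role-based CLI views: non-cumulative command sets ---
! Views require AAA. Enabling aaa new-model changes line authentication, so name the
! default login method (local user database) before logging out of the console.
aaa new-model
aaa authentication login default local
enable secret RootViewSecret!
! Views are created from the root view: in privileged EXEC run "enable view", answer
! with the enable secret above, then enter configuration mode.
parser view MONITOR
 secret MonitorSecret!
 commands exec include show version
 commands exec include all show ip
 commands exec include show logging
!
parser view SSH-ADMIN
 secret SshAdminSecret!
 commands exec include all show ssh
 commands exec include show users
 commands exec include clear line
!
! A superview groups views; a user assigned to it gets the union of their commands,
! but commands cannot be added to the superview directly.
parser view NOC superview
 secret NocSecret!
 view MONITOR
 view SSH-ADMIN
!
! Bind a local user to the superview: on login the user lands in the view, not in
! privileged EXEC, and "show parser view" (run inside the view) lists what is permitted.
username noc view NOC secret NocUserSecret!
! Verify from the root view with "show parser view all".
```

The practical difference: a level-5 operator inherits levels 1 through 4 whether you want that or not, whereas the MONITOR view user can run exactly the listed show commands and nothing else.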

Page 8

Router Configuration (continued)
- Banners: generally do not publish any information about the device or the corporation
- SSH for remote administration
- Secure the IOS image and configuration file (IOS resilient configuration)
- Password recovery, and disabling password recovery
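As an added example that is not part of the slides or the lab handout, the configuration below pulls the items on this slide together on one router: hashed and encrypted passwords, enhanced virtual login security, a banner with no device details, an SSHv2-only server, IOS resilient configuration, and the password-recovery switch with its caveat. The hostname R1, the domain example.com, the management host 192.168.1.3 and all secrets are assumed values.

```cisco
! Added example (not from the slides). Hostname, domain, management host and secrets are assumed.
hostname R1
ip domain-name example.com
!
! --- Passwords: a minimum length, a hashed enable secret, no plaintext type-0 passwords left ---
security passwords min-length 10
enable secret Str0ngEnable!
service password-encryption
! "secret" stores a hash; "username ... password" would only store reversible type 7
username admin privilege 15 secret Str0ngAdmin!
!
! --- Enhanced virtual login security: slow down and log password guessing on the VTYs ---
! After 3 failures within 30 s, refuse logins for 60 s (quiet mode) except from the
! management host, and log every failure and success so the syslog server sees them.
ip access-list standard PERMIT-ADMIN
 permit host 192.168.1.3
login block-for 60 attempts 3 within 30
login quiet-mode access-class PERMIT-ADMIN
login delay 2
login on-failure log
login on-success log
!
! --- Warning banner: a legal notice only, no device or company details ---
banner motd ^Unauthorized access is prohibited. Activity is monitored and logged.^
!
! --- SSH server: the hostname and domain name above must exist before the key pair is generated ---
crypto key generate rsa general-keys modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
!
! --- Lines: SSH only on the VTYs (no Telnet), local accounts, idle timeout, admin host only ---
line vty 0 4
 transport input ssh
 login local
 exec-timeout 5 0
 access-class PERMIT-ADMIN in
line console 0
 login local
 exec-timeout 5 0
!
! --- IOS resilient configuration: protect the image and a snapshot of the config from deletion ---
! The secured files no longer appear in "dir", the feature can only be turned off from the console,
! "show secure bootset" confirms the archive, and "secure boot-config restore <file>" recovers it.
secure boot-image
secure boot-config
!
! --- Password recovery ---
! Only disable it when physical access to the console is a real threat and the secrets are
! escrowed: with this set, a lost enable secret can only be recovered by erasing the configuration.
no service password-recovery
```

Check the result from the PC with an SSH client such as PuTTY: a Telnet attempt to R1 should be refused outright (transport input ssh), a fourth bad password inside 30 seconds should trigger quiet mode for 60 seconds, and "show login" on the router reports whether quiet mode is active.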

Page 9

Secure Management
- Change management
- Logging
- Out-of-band vs. in-band management
- Syslog
- SNMP
- NTP

Page 10

Configuration
- Logging to the console and terminal lines
- Setting up a syslog server
- Logging to a syslog server
- NTP server
- NTP client
- Disable unnecessary services
- CCP Security Audit: Security Audit Wizard vs. One-step Lockdown
- Cisco AutoSecure
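The configuration below is an added example, not from the slides or the lab, covering the monitoring and lockdown items on this slide: timestamped logging to a syslog server, the router as an authenticated NTP client and as an NTP server for the LAN, SNMPv3 trap reporting, and the unnecessary services that AutoSecure and the CCP Security Audit would otherwise turn off for you. The syslog and SNMP manager 192.168.1.3, the upstream NTP server 192.168.1.5, the interface name, the key and all credentials are assumed values.

```cisco
! Added example (not from the slides). Host addresses, key values, interface name and names are assumed.
!
! --- Timestamps first: a log line or trap without accurate local time cannot be correlated ---
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone
service sequence-numbers
!
! --- NTP client: authenticated, so a rogue NTP server cannot skew the clock and the logs ---
ntp authenticate
ntp authentication-key 1 md5 NtpKeySecret
ntp trusted-key 1
ntp server 192.168.1.5 key 1
! --- NTP server for the LAN: fall back to stratum 3 if the upstream is lost, and keep the
!     hardware clock (calendar) in step so a reboot does not reset the time ---
ntp master 3
ntp update-calendar
! Verify: "show ntp status" (synchronized?) and "show ntp associations" (which peer, which stratum)
!
! --- Syslog: local buffer for forensics, level 6 (informational) and below to the server, console throttled ---
logging buffered 16384 informational
logging console warnings
logging trap informational
logging host 192.168.1.3
! Verify: "show logging" shows the trap level, the host, and the buffered messages
!
! --- SNMP: version 3 with authentication and encryption only; no v1/v2c community strings at all ---
ip access-list standard SNMP-MGR
 permit host 192.168.1.3
snmp-server view OPS-VIEW iso included
snmp-server group OPS-GROUP v3 priv read OPS-VIEW access SNMP-MGR
snmp-server user opsmon OPS-GROUP v3 auth sha SnmpAuthPass priv aes 128 SnmpPrivPass
snmp-server host 192.168.1.3 version 3 priv opsmon
snmp-server enable traps snmp authentication linkdown linkup coldstart
snmp-server enable traps config
! Verify: "show snmp user" (SNMPv3 users are not shown in the running config) and "show snmp host"
!
! --- Disable unnecessary services on an edge router ---
! Note: CCP itself needs "ip http secure-server"; if CCP stays in use, keep HTTPS only and
! restrict it with "ip http access-class" instead of disabling it.
no ip http server
no ip http secure-server
no ip finger
no ip bootp server
no service pad
no service tcp-small-servers
no service udp-small-servers
no ip source-route
no cdp run
! On the interface facing the untrusted network (interface name assumed):
interface GigabitEthernet0/1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip directed-broadcast
!
! AutoSecure applies most of the above from one privileged EXEC command ("auto secure",
! interactive, or "auto secure no-interact"). Its limitation is that it applies its own
! defaults and can also add firewall inspection and ACLs, so review "show running-config"
! before "copy running-config startup-config".
```

After applying this, a failed SNMP authentication against R1 produces an authentication trap at the manager, and a login failure from the previous slide's login logging arrives at the syslog server with the router's local timestamp, which is exactly what the NTP section is there to make trustworthy.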

Page 11

Lab Tasks
- Basic CCNA-level network configuration and cabling
- Encrypt all passwords
- Warning banner
- Enhanced username security
- Enhanced virtual login security
- SSH: router as server and PC as client
- Role views
- ...

Page 12

Lab Tasks (continued)
- Secure IOS and configuration files
- Router as NTP client and as NTP server
- Router as syslog client and PC as syslog server
- Router as SNMP client (agent) with trap reporting
- Cisco AutoSecure
- CCP Security Audit

Page 13

Properly Setting the Date and Time

Tasks

Set the timezone. We are in the Eastern timezone, which is 5 hours behind UTC, so the offset is -5. This is a global configuration command:
R1(config)# clock timezone ET -5

Set the dates on which the time changes in the timezone. Daylight Saving Time in the United States begins at 2:00 a.m. on the second Sunday of March and ends at 2:00 a.m. on the first Sunday of November (also global configuration):
R1(config)# clock summer-time ET recurring 2 Sunday March 2:00 1 Sunday November 2:00
(Giving the summer-time zone a distinct name, for example EST for the standard zone and EDT for summer time, makes "show clock" tell you which rule is currently in effect; the slide uses ET for both.)

Set the date and time. This is a privileged EXEC command, not a configuration command, and the time is entered in the local timezone configured above:
R1# clock set 14:05:00 Jan 10 2011

Some devices have a hardware clock (called the calendar) and a software clock (called the clock). On these devices the date and time must be copied to the hardware clock, or the device reverts to the default time when it is rebooted:
R1# clock update-calendar

Verify with "show clock detail", which also reports the time source (user configuration, NTP, or the hardware calendar). There are other commands that operate between the hardware and software clock, but they are not necessary for this purpose.

Page 14

Plan (continued): Lab Day
- Cable the lab (assigned cable technician)
- Complete the lab Parts and Tasks with these exceptions:
  - Skip Part 4, Task 2, Step 3 (Configure NTP clients using CCP)
  - Skip Part 4, Task 3, Step 5 (Configure syslog using CCP)
  - When instructed to set the time, configure the timezone as instructed in class and in these slides
- Submit files and information to the Springboard dropbox as instructed on the dropbox: one submission per team, submitted by the team leader. While only one is required, every student is expected to keep a copy of these files.
- Every student will submit the team evaluation survey on Springboard.
- Because you do not have a lot of time on lab day, many lab questions will need to be answered outside of class time.