network security
TRANSCRIPT
© 2005 Cisco Systems, Inc. All rights reserved.
CCNA Security
Module 2 – Securing Network Devices
Learning Objectives
2.1 - Securing Devices Access
2.2 - Assigning Administrative Roles
2.3 - Monitoring and Managing Devices
2.4 - Using Automated security features
Module 2 – Securing Network Devices
2.1 – Securing Devices Access
Securing the edge router
Secure the perimeter network
Areas of router security: Physical
• Place the router and physical devices that connect to it in a secure locked room that is accessible only to authorized personnel, is free of electrostatic or magnetic interference, and has controls for temperature and humidity.
• Install an uninterruptible power supply (UPS) and keep spare components available. This reduces the possibility of a DoS attack from power loss to the building.
Operating System Security
• Configure the router with the maximum amount of memory possible. The availability of memory can help protect the network from some DoS attacks, while supporting the widest range of security services.
• Use the latest stable version that meets the feature requirements of the network. Security features in an operating system evolve over time. Keep in mind that the latest version of an operating system might not be the most stable version available.
• Keep a secure copy of the router operating system image and router configuration file as a backup.
Router Hardening
• Secure administrative control. Ensure that only authorized personnel have access and that their level of access is controlled.
• Disable unused ports and interfaces. Reduce the number of ways a device can be accessed.
• Disable unnecessary services. Similar to many computers, a router has services that are enabled by default. Some of these services are unnecessary and can be used by an attacker to gather information or for exploitation.
Router Management
Router Access Methods
Router Access Methods
Configuring Secure Administrative Access
• Use a password length of 10 or more characters. The longer, the better.
• Make passwords complex. Include a mix of uppercase and lowercase letters, numbers, symbols, and spaces.
• Avoid passwords based on repetition, dictionary words, letter or number sequences, usernames, relative or pet names, or biographical information such as birthdates.
• Deliberately misspell a password. For example, Smith = Smyth = 5mYth or Security = 5ecur1ty.
• Change passwords often. If a password is unknowingly compromised, the window of opportunity for the attacker to use the password is limited.
Router access passwords
Increase security passwords
• Enforce minimum password lengths.
• Disable unattended connections.
• Encrypt all passwords in the configuration file.
Minimum Character Length
• Beginning with Cisco IOS Release 12.3(1), administrators can set the minimum character length for all router passwords, from 0 to 16 characters, using the global configuration command security passwords min-length length.
• This command affects user passwords, enable secret passwords, and line passwords that are created after the command is executed. Existing router passwords remain unaffected. Any attempt to create a new password that is less than the specified length fails and results in an error message similar to the following:
Password too short - must be at least 10 characters. Password configuration failed.
Disable Unattended Connections
• By default, an administrative interface stays active and logged in for 10 minutes after the last session activity. After that, the interface times out and logs out of the session.
• If an administrator is away from the terminal while the console connection is active, an attacker has up to 10 minutes to gain privilege level access. It is recommended that these timers be fine-tuned to limit the amount of time to within a two or three minute maximum. These timers can be adjusted using the exec-timeout command in line configuration mode for each of the line types that are used.
• It is also possible to turn off the exec process for a specific line, such as on the auxiliary port, using the no exec command within the line configuration mode. This command allows only an outgoing connection on the line. The no exec command allows you to disable the EXEC process for connections which may attempt to send unsolicited data to the router.
Disable Unattended Connections
Encrypt All Passwords
• By default, some passwords are shown in plaintext, meaning not encrypted, in the Cisco IOS software configuration.
• With the exception of the enable secret password, all other plaintext passwords in the configuration file can be encrypted in the configuration file using the service password-encryption command.
• This command encrypts current and future plaintext passwords in the configuration file into ciphertext.
• The algorithm used by the service password-encryption command is simple and can be easily reversed by someone with access to the encrypted ciphertext and a password-cracking application.
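The following configuration is an added example, not taken from the slides, that applies the three measures above (minimum length, idle timeouts and no exec on the auxiliary port, and encryption of remaining plaintext passwords) on one router. The hostname R1 and the passwords are placeholders chosen for the example.

```cisco
! Added example (not from the slides). Hostname and passwords are placeholders.
! Reject any new password shorter than 10 characters
R1(config)# security passwords min-length 10
! Privileged EXEC password stored as a hash (enable secret), never as plaintext
R1(config)# enable secret Ex4mpl3-3n@ble
! Local administrator account, password also stored as a hash
R1(config)# username admin secret Ex4mpl3-Adm1n
! Drop idle console and vty sessions after 3 minutes 0 seconds
R1(config)# line console 0
R1(config-line)# exec-timeout 3 0
R1(config-line)# exit
R1(config)# line vty 0 4
R1(config-line)# exec-timeout 3 0
R1(config-line)# exit
! The auxiliary port is unused: disable its EXEC process entirely
R1(config)# line aux 0
R1(config-line)# no exec
R1(config-line)# exit
! Obscure any remaining plaintext passwords (for example line passwords) in the config
R1(config)# service password-encryption
R1(config)# end
! Verify: secrets show as hashes, other passwords as reversible ciphertext
R1# show running-config | include secret|password
```

Because service password-encryption is reversible, it only protects the configuration file against casual viewing; accounts should use secret (hashed) passwords wherever the command supports them.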
Cisco Router Authentication
Example
Security for virtual logins
Cisco Enhanced login features
• Router(config)# login block-for seconds attempts tries within seconds
• Router(config)# login quiet-mode access-class {acl-name | acl-number}
• Router(config)# login delay seconds
• Router(config)# login on-failure log [every login]
• Router(config)# login on-success log [every login]
Example
Login block-for
• Normal mode (watch mode) - The router keeps count of the number of failed login attempts within an identified amount of time.
• Quiet mode (quiet period) - If the number of failed logins exceeds the configured threshold, all login attempts using Telnet, SSH, and HTTP are denied.
Login quiet-mode
• When quiet mode is enabled, all login attempts, including valid administrative access, are not permitted. However, to provide critical hosts access at all times, this behavior can be overridden using an ACL. The ACL must be created and identified using the login quiet-mode access-class command.
Login delay
• The login block-for command invokes an automatic delay of 1 second between login attempts. Attackers have to wait 1 second before they can try a different password.
• This delay time can be changed using the login delay command.
Login success & failure
• The command auto secure enables message logging for failed login attempts. Logging successful login attempts is not enabled by default.
• These commands can be used to keep track of the number of successful and failed login attempts.
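The following is an added example, not from the slides, that ties the login block-for, quiet-mode, delay and on-failure/on-success commands together on one router. The threshold values, the management host address 10.0.0.10 and the ACL name PERMIT-ADMIN are constructed for the example.

```cisco
! Added example (not from the slides). Addresses, ACL name and thresholds are constructed.
! ACL naming the management host that must keep access during the quiet period
R1(config)# ip access-list standard PERMIT-ADMIN
R1(config-std-nacl)# permit host 10.0.0.10
R1(config-std-nacl)# exit
! Watch mode: 3 failed logins within 60 seconds triggers a 120-second quiet period
R1(config)# login block-for 120 attempts 3 within 60
! During the quiet period, only sources matched by PERMIT-ADMIN may still log in
R1(config)# login quiet-mode access-class PERMIT-ADMIN
! Raise the pause between successive login attempts from the default 1 second to 3
R1(config)# login delay 3
! Generate a log message for every failed and every successful login
R1(config)# login on-failure log
R1(config)# login on-success log
R1(config)# end
! Verify the current mode (normal or quiet) and the configured thresholds
R1# show login
! Review the recent failed attempts (source address, user name, time)
R1# show login failures
```

The quiet-mode ACL matters operationally: without it, a burst of failed attempts locks out legitimate administrators on Telnet, SSH and HTTP as well, so the ACL should list the management stations that must never be denied.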
Show login (normal mode)
Sample attack
Show login (quiet mode)
Show login failures
Banner messages
• Use banner messages to present legal notification to would-be intruders, informing them that they are not welcome on the network.
• Intruders have won court cases because they did not encounter appropriate warning messages when accessing router networks. In addition to warning would-be intruders, banners are also used to inform remote administrators of use restrictions.
Configure SSH
• Step 1. Ensure that the target routers are running a Cisco IOS Release 12.1(1)T image or later to support SSH. Only the Cisco IOS cryptographic images containing the IPsec feature set support SSH. For example, the c1841-advipservicesk9-mz.124-10b.bin image supports SSH.
• Step 2. Ensure that each of the target routers has a unique host name.
• Step 3. Ensure that each of the target routers is using the correct domain name of the network.
• Step 4. Ensure that the target routers are configured for local authentication or AAA services for username and password authentication. This is mandatory for a router-to-router SSH connection.
Telnet vs SSH
Supporting SSH
• Step 1. If the router has a unique host name, configure the IP domain name of the network using the ip domain-name domain-name command in global configuration mode.
• Step 2. A key pair must be generated for a router to encrypt the SSH traffic. These keys are referred to as asymmetric keys. Cisco IOS software uses the Rivest, Shamir, and Adleman (RSA) algorithm to generate keys. To create the RSA key, use the crypto key generate rsa general-keys modulus modulus-size command in global configuration mode. The modulus determines the size of the RSA key and can be configured from 360 bits to 2048 bits.
• To verify SSH and display the generated keys, use the show crypto key mypubkey rsa command in privileged EXEC mode. If there are existing key pairs, it is recommended that they be overwritten using the crypto key zeroize rsa command.
Step 1 and 2: SSH
Transport input ssh
• Step 3. Ensure that there is a valid local database username entry. If not, create one using the username name secret secret command.
• Step 4. Enable vty inbound SSH sessions using the line vty commands login local and transport input ssh.
• SSH is automatically enabled after the RSA keys are generated. The router SSH service can be accessed using SSH client software.
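The following is an added example, not from the slides, that carries the four SSH steps through on one router, starting from the default hostname. The hostname R1, domain example.com and the password are placeholders; the three ip ssh commands at the end are standard IOS SSH hardening commands that the slides do not list.

```cisco
! Added example (not from the slides). Hostname, domain and password are placeholders.
! Step 1: unique hostname and the network's domain name (both feed the key name)
Router(config)# hostname R1
R1(config)# ip domain-name example.com
! Step 2: generate a 2048-bit RSA key pair; SSH is enabled as soon as the keys exist
R1(config)# crypto key generate rsa general-keys modulus 2048
! Step 3: local user that SSH logins will authenticate against
R1(config)# username admin secret Ex4mpl3-Adm1n
! Optional hardening (not on the slides): SSHv2 only, 60 s to authenticate, 2 tries
R1(config)# ip ssh version 2
R1(config)# ip ssh time-out 60
R1(config)# ip ssh authentication-retries 2
! Step 4: vty lines authenticate against the local database and accept only SSH
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# exit
R1(config)# end
! Verify the key pair and the SSH server settings
R1# show crypto key mypubkey rsa
R1# show ip ssh
```

With transport input ssh on the vty lines, Telnet is refused at the line level, so a plaintext session is not possible even if a client tries it.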
Optional SSH commands
Router to router SSH
Host to router SSH
SDM - SSH
Module 2 – Securing Network Devices
2.2 – Assigning administrative roles
Configuring privilege levels
Assigning Privilege Levels
Create privilege level example
Privilege levels - example
Assign level user
• To assign level 10 to the privileged EXEC mode reload command, use the following command sequence.
privilege exec level 10 reload
username jr-admin privilege 10 secret cisco10
enable secret level 10 cisco10
Role-Based CLI Access
• To provide more flexibility than privilege levels, Cisco introduced the Role-Based CLI Access feature in Cisco IOS Release 12.3(11)T.
• This feature provides finer, more granular access by controlling specifically which commands are available to specific roles.
• Role-based CLI access enables the network administrator to create different views of router configurations for different users.
• Each view defines the CLI commands that each user can access.
Security – Availability - Efficiency
• Role-based CLI access enhances the security of the device by defining the set of CLI commands that is accessible by a particular user. Additionally, administrators can control user access to specific ports, logical interfaces, and slots on a router.
• Role-based CLI access prevents unintentional execution of CLI commands by unauthorized personnel, which could result in undesirable results. This minimizes downtime.
• Users only see the CLI commands applicable to the ports and CLI to which they have access; therefore, the router appears to be less complex, and commands are easier to identify when using the help feature on the device.
Role-based CLI: three types of views
• Root View
To configure any view for the system, the administrator must be in root view. Root view has the same access privileges as a user who has level 15 privileges. However, a root view is not the same as a level 15 user. Only a root view user can configure a new view and add or remove commands from the existing views.
• CLI View
A specific set of commands can be bundled into a CLI view. Unlike privilege levels, a CLI view has no command hierarchy and, therefore, no higher or lower views. Each view must be assigned all commands associated with that view, and a view does not inherit commands from any other views. Additionally, the same commands can be used in multiple views.
Role-based CLI: Superview
• A superview consists of one or more CLI views. Administrators can define which commands are accepted and which configuration information is visible. Superviews allow a network administrator to assign users and groups of users multiple CLI views.
–A single CLI view can be shared within multiple superviews.
–Commands cannot be configured for a superview. An administrator must add commands to the CLI view and add that CLI view to the superview.
–Users who are logged into a superview can access all the commands that are configured for any of the CLI views that are part of the superview.
Root – CLI - Superview
Create a view
• Step 1. Enable AAA with the aaa new-model global configuration command. Exit and enter the root view with the enable view command.
• Step 2. Create a view using the parser view view-name command. This enables the view configuration mode. There is a maximum limit of 15 views in total.
• Step 3. Assign a secret password to the view using the secret encrypted-password command.
• Step 4. Assign commands to the selected view using the commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command] command in view configuration mode.
Include commands
Example
Verifying Views
Create a Superview
• Step 1. Create a view using the parser view view-name superview command and enter superview configuration mode.
• Step 2. Assign a secret password to the view using the secret encrypted-password command.
• Step 3. Assign an existing view using the view view-name command in view configuration mode.
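The following is an added example, not from the slides, that walks through both procedures: the four steps for creating CLI views and the three steps for combining them into a superview. The view names SHOW-VIEW, INT-VIEW and OPS-SUPER, the user name ops and all passwords are placeholders; the final username ... view command binds a local user to the superview and is not one of the commands listed on the slides.

```cisco
! Added example (not from the slides). View names, user names and passwords are placeholders.
! Step 1: AAA must be on, and views can only be configured from the root view
R1(config)# aaa new-model
R1(config)# end
R1# enable view
Password: <enable secret>
R1# configure terminal
! Steps 2-4: a read-only view limited to a few show commands and ping
R1(config)# parser view SHOW-VIEW
R1(config-view)# secret Ex4mpl3-Sh0w
R1(config-view)# commands exec include show version
R1(config-view)# commands exec include show ip interface brief
R1(config-view)# commands exec include ping
R1(config-view)# exit
! A second view that may enter configuration mode, but only for interface commands
R1(config)# parser view INT-VIEW
R1(config-view)# secret Ex4mpl3-Int
R1(config-view)# commands exec include configure terminal
R1(config-view)# commands configure include all interface
R1(config-view)# exit
! Superview steps 1-3: bundle the two CLI views; no commands are added here directly
R1(config)# parser view OPS-SUPER superview
R1(config-view)# secret Ex4mpl3-Sup
R1(config-view)# view SHOW-VIEW
R1(config-view)# view INT-VIEW
R1(config-view)# exit
! Bind a local user to the superview so login drops them straight into it (not on the slides)
R1(config)# username ops view OPS-SUPER secret Ex4mpl3-0ps
R1(config)# end
! Verify: from the root view list every view and its commands, then test one
R1# show parser view all
R1# enable view SHOW-VIEW
Password: <SHOW-VIEW secret>
R1# show parser view
```

A user inside SHOW-VIEW sees only the included commands in the ? help output and receives an "Invalid input" error for anything else, which is the behaviour the Security – Availability – Efficiency slide describes.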
Superview Example
Verifying superview
Verify: Enable view
Root view: show parser view all
Module 2 – Security Planning and Policy
2.3 - Monitoring and Managing Devices
Securing the IOS and configuration files
Resilience IOS and config file
• The Cisco IOS resilient configuration feature detects image version mismatches. If the router is configured to boot with Cisco IOS resilience and an image with a different version of the Cisco IOS software is detected, a message is displayed at bootup.
Password Recovery Process
Password Recovery
NO password recovery
Using SYSLOG for network security
• Cisco router log messages fall into one of eight levels. The lower the level number, the higher the severity level. Cisco router log messages contain three main parts:
–Timestamp
–Log message name and severity level
–Message text
Severity levels
Configure system logging
• Step 1. Set the destination logging host using the logging host command.
• Step 2. (Optional) Set the log severity (trap) level using the logging trap level command.
• Step 3. Set the source interface using the logging source-interface command. This specifies that syslog packets contain the IPv4 or IPv6 address of a particular interface.
• Step 4. Enable logging with the logging on command. You can turn logging on and off for these destinations individually using the logging buffered, logging monitor, and logging global configuration commands.
Configure SYSLOG
SYSLOG with SDM
Monitor>> Logging
Using SNMP for network security
• SNMP was developed to manage nodes, such as servers, workstations, routers, switches, hubs, and security appliances, on an IP network.
• SNMP is an Application Layer protocol that facilitates the exchange of management information between network devices.
• SNMP is part of the TCP/IP protocol suite.
• SNMP enables network administrators to manage network performance, find and solve network problems, and plan for network growth.
• There are different versions of SNMP.
SNMP components
Community strings
• Read-only community strings - Provides read-only access to all objects in the MIB, except the community strings.
• Read-write community strings - Provides read-write access to all objects in the MIB, except the community strings.
SNMPv3
• SNMPv3 is an interoperable standards-based protocol for network management. SNMPv3 uses a combination of authenticating and encrypting packets over the network to provide secure access.
–Message integrity - Ensures that a packet has not been tampered with in transit.
–Authentication - Determines that the message is from a valid source.
–Encryption - Scrambles the contents of a packet to prevent it from being seen by an unauthorized source.
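The following is an added example, not from the slides, showing an SNMPv3 configuration that provides all three properties above (integrity and authentication via SHA, encryption via AES) instead of plaintext community strings. The view, group, user and ACL names, the management station address 10.0.0.20 and the passphrases are constructed for the example.

```cisco
! Added example (not from the slides). Names, address and passphrases are constructed.
! Limit which MIB subtree the management station may read
R1(config)# snmp-server view MGMT-VIEW iso included
! Only the network management station is allowed to poll
R1(config)# ip access-list standard SNMP-MGR
R1(config-std-nacl)# permit host 10.0.0.20
R1(config-std-nacl)# exit
! Group at security level priv (authentication AND encryption), read-only, ACL-restricted
R1(config)# snmp-server group MGMT-GROUP v3 priv read MGMT-VIEW access SNMP-MGR
! User: SHA for message integrity/authentication, AES-128 for privacy
R1(config)# snmp-server user nms-user MGMT-GROUP v3 auth sha Ex4mpl3-Auth priv aes 128 Ex4mpl3-Priv
R1(config)# end
! Verify the group security level and the user's auth/priv protocols
R1# show snmp group
R1# show snmp user
```

No snmp-server community command appears, so the SNMPv1/v2c community strings described on the previous slide are never created; a manager that does not speak authenticated, encrypted SNMPv3 gets no access at all.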
Configure SNMP with SDM
Using NTP for timestamp
• NTP allows routers on the network to synchronize their time settings with an NTP server. A group of NTP clients that obtain time and date information from a single source have more consistent time settings.
• When NTP is implemented in the network, it can be set up to synchronize to a private master clock, or it can synchronize to a publicly available NTP server on the Internet.
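The following is an added example, not from the slides, that covers both the four syslog steps from the "Configure system logging" slide and the NTP setup described above, since log timestamps are only useful for correlating events across devices when all clocks agree. The NTP server 10.0.0.5, syslog host 10.0.0.50, key and the Loopback0 source interface are constructed for the example; the ntp authentication and service timestamps commands are standard IOS commands not listed on the slides.

```cisco
! Added example (not from the slides). Addresses, key and interface names are constructed.
! NTP: authenticate the private master clock so a rogue server cannot skew the log timeline
R1(config)# ntp authentication-key 1 md5 Ex4mpl3-Ntp
R1(config)# ntp authenticate
R1(config)# ntp trusted-key 1
R1(config)# ntp server 10.0.0.5 key 1
! Stamp every log message with date, time and milliseconds (not on the slides)
R1(config)# service timestamps log datetime msec
! Syslog step 1: destination logging host
R1(config)# logging host 10.0.0.50
! Step 2: forward severity 6 (informational) and more severe messages to the host
R1(config)# logging trap informational
! Step 3: source syslog packets from a stable loopback address
R1(config)# logging source-interface Loopback0
! Step 4: enable logging
R1(config)# logging on
R1(config)# end
! Verify clock synchronisation and the logging configuration
R1# show ntp status
R1# show logging
```

With login on-failure log and login on-success log (see the enhanced login slides) also enabled, the failed and successful login messages now arrive at the syslog host with synchronised timestamps, which is what makes a brute-force pattern across several routers visible from one place.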
NTP example
NTP version 3
Security Audit
Security audit wizard
Security audit report
Auto secure
Auto secure output