network security


Page 1: network security

1© 2005 Cisco Systems, Inc. All rights reserved.

CCNA Security

Module 2 – Securing Network Devices

Page 2: network security

Learning Objectives

2.1 - Securing Devices Access

2.2 - Assigning Administrative Roles

2.3 - Monitoring and Managing Devices

2.4 - Using Automated security features

Page 3: network security

Module 2 – Securing Network Devices

2.1 – Securing Devices Access

Page 4: network security

Securing the edge router

Page 5: network security

Secure the perimeter network

Page 6: network security

Areas of router security: Physical

• Place the router and physical devices that connect to it in a secure locked room that is accessible only to authorized personnel, is free of electrostatic or magnetic interference, and has controls for temperature and humidity.

• Install an uninterruptible power supply (UPS) and keep spare components available. This reduces the possibility of a DoS attack from power loss to the building.

Page 7: network security

Operating System Security

• Configure the router with the maximum amount of memory possible. The availability of memory can help protect the network from some DoS attacks, while supporting the widest range of security services.

• Use the latest stable version that meets the feature requirements of the network. Security features in an operating system evolve over time. Keep in mind that the latest version of an operating system might not be the most stable version available.

• Keep a secure copy of the router operating system image and router configuration file as a backup.

Page 8: network security

Router Hardening

• Secure administrative control. Ensure that only authorized personnel have access and that their level of access is controlled.

• Disable unused ports and interfaces. Reduce the number of ways a device can be accessed.

• Disable unnecessary services. Similar to many computers, a router has services that are enabled by default. Some of these services are unnecessary and can be used by an attacker to gather information or for exploitation.

Page 9: network security

Router Management

Page 10: network security

Router Access Methods

Page 11: network security

Router Access Methods

Page 12: network security

Configuring Secure Administrative Access

• Use a password length of 10 or more characters. The longer, the better.

• Make passwords complex. Include a mix of uppercase and lowercase letters, numbers, symbols, and spaces.

• Avoid passwords based on repetition, dictionary words, letter or number sequences, usernames, relative or pet names, or biographical information such as birthdates.

• Deliberately misspell a password. For example, Smith = Smyth = 5mYth or Security = 5ecur1ty.

• Change passwords often. If a password is unknowingly compromised, the window of opportunity for the attacker to use the password is limited.

Page 13: network security

Router access passwords

Page 14: network security

Increase security passwords

• Enforce minimum password lengths.

• Disable unattended connections.

• Encrypt all passwords in the configuration file.

Page 15: network security

Minimum Character Length

• Beginning with Cisco IOS Release 12.3(1), administrators can set the minimum character length for all router passwords from 0 to 16 characters using the global configuration command security passwords min-length length.

• This command affects user passwords, enable secret passwords, and line passwords that are created after the command is executed. Existing router passwords remain unaffected. Any attempt to create a new password that is less than the specified length fails and results in an error message similar to the following:

Password too short - must be at least 10 characters. Password configuration failed.

Page 16: network security

Disable Unattended Connections

• By default, an administrative interface stays active and logged in for 10 minutes after the last session activity. After that, the interface times out and logs out of the session.

• If an administrator is away from the terminal while the console connection is active, an attacker has up to 10 minutes to gain privileged access. It is recommended that these timers be fine-tuned to limit the idle time to a two or three minute maximum. These timers can be adjusted using the exec-timeout command in line configuration mode for each of the line types that are used.

• It is also possible to turn off the EXEC process for a specific line, such as the auxiliary port, using the no exec command in line configuration mode. This command allows only an outgoing connection on the line. The no exec command lets you disable the EXEC process for connections that may attempt to send unsolicited data to the router.

Page 17: network security

Disable Unattended Connections

Page 18: network security

Encrypt All Passwords

• By default, some passwords are shown in plaintext, meaning not encrypted, in the Cisco IOS software configuration.

• With the exception of the enable secret password, all other plaintext passwords in the configuration file can be encrypted using the service password-encryption command.

• This command encrypts current and future plaintext passwords in the configuration file into ciphertext.

• The algorithm used by the service password-encryption command is simple and can be easily reversed by someone with access to the ciphertext and a password-cracking application.
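The three measures above (minimum password length, timing out unattended connections, and encrypting passwords in the configuration file) combined into one configuration, as an added example that is not from the original slides. The hostname R1, the timeout values, the account name and the password strings are assumptions chosen for illustration.

```cisco
! Added example (not from the original slides). Hostname, account name,
! passwords and timeout values are assumptions chosen for illustration.
hostname R1
!
! Reject any new password shorter than 10 characters (IOS 12.3(1) and later).
! Existing passwords are not re-checked; re-enter them to apply the rule.
security passwords min-length 10
!
! Privileged EXEC password stored as a hash rather than as reversible type 7.
enable secret Str0ng-Enable-Pw!
!
! Local administrator account, also stored as a secret hash.
username admin secret Str0ng-Admin-Pw!
!
! Console: log out after 3 minutes 0 seconds of inactivity instead of 10.
line console 0
 exec-timeout 3 0
 login local
!
! Auxiliary port: no EXEC process at all, only outgoing use of the line.
line aux 0
 no exec
!
! vty lines: same 3 minute idle timeout.
line vty 0 4
 exec-timeout 3 0
 login local
!
! Obscure any remaining plaintext passwords (line passwords and similar)
! in the configuration file. The type 7 encoding is reversible, so this
! only protects against someone reading the file over a shoulder; keep
! using 'secret' hashes wherever a command supports them.
service password-encryption
```

After applying it, show running-config | include secret shows the hashed values, and show running-config | include exec-timeout confirms the shorter idle timers on every line.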

Page 19: network security

Cisco Router Authentication

Page 20: network security

Example

Page 21: network security

Security for virtual logins

Page 22: network security

Cisco Enhanced login features

• Router(config)# login block-for seconds attempts tries within seconds

• Router(config)# login quiet-mode access-class {acl-name | acl-number}

• Router(config)# login delay seconds

• Router(config)# login on-failure log [every login]

• Router(config)# login on-success log [every login]

Page 23: network security

Example

Page 24: network security

Login block-for

• Normal mode (watch mode) - The router keeps count of the number of failed login attempts within an identified amount of time.

• Quiet mode (quiet period) - If the number of failed logins exceeds the configured threshold, all login attempts using Telnet, SSH, and HTTP are denied.

Page 25: network security

Login quiet-mode

• When quiet mode is enabled, all login attempts, including valid administrative access, are not permitted. However, to provide critical hosts access at all times, this behavior can be overridden using an ACL. The ACL must be created and identified using the login quiet-mode access-class command.

Page 26: network security

Login delay

• The login block-for command invokes an automatic delay of 1 second between login attempts. Attackers have to wait 1 second before they can try a different password.

• This delay time can be changed using the login delay command.

Page 27: network security

Login success & failure

• The auto secure command enables message logging for failed login attempts. Logging successful login attempts is not enabled by default.

• These commands can be used to keep track of the number of successful and failed login attempts.
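The enhanced login features listed above (login block-for, the quiet-mode ACL exception, login delay, and success and failure logging) applied together, as an added example that is not from the original slides. The address range, the ACL name and the thresholds are assumptions chosen for illustration.

```cisco
! Added example (not from the original slides). The address range, ACL
! name and thresholds are assumptions chosen for illustration.
!
! Hosts that must keep administrative access even during a quiet period.
ip access-list standard ADMIN-HOSTS
 permit 10.1.1.0 0.0.0.255
 deny   any
!
! Watch mode: count failed logins. If 3 fail within 60 seconds, enter
! quiet mode for 120 seconds, during which Telnet, SSH and HTTP logins
! are refused.
login block-for 120 attempts 3 within 60
!
! Exception to quiet mode: sources permitted by ADMIN-HOSTS may still log in.
login quiet-mode access-class ADMIN-HOSTS
!
! Enforce 3 seconds between attempts instead of the 1 second that
! login block-for applies by default.
login delay 3
!
! Generate a log message for every failed login and every successful one.
login on-failure log
login on-success log
```

The current mode and counters are displayed with show login, and show login failures lists the recent failed attempts with their source addresses, which is the record a defender checks after the router reports a quiet period.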

Page 28: network security

Show login (normal mode)

Page 29: network security

Sample attack

Page 30: network security

Show login (quiet mode)

Page 31: network security

Show login failures

Page 32: network security

Banner messages

• Use banner messages to present legal notification to would-be intruders to inform them that they are not welcome on a network.

• Intruders have won court cases because they did not encounter appropriate warning messages when accessing router networks. In addition to warning would-be intruders, banners are also used to inform remote administrators of use restrictions.

Page 33: network security

Configure SSH

• Step 1. Ensure that the target routers are running a Cisco IOS Release 12.1(1)T image or later to support SSH. Only the Cisco IOS cryptographic images containing the IPsec feature set support SSH. For example, the c1841-advipservicesk9-mz.124-10b.bin image supports SSH.

• Step 2. Ensure that each of the target routers has a unique host name.

• Step 3. Ensure that each of the target routers is using the correct domain name of the network.

• Step 4. Ensure that the target routers are configured for local authentication or AAA services for username and password authentication. This is mandatory for a router-to-router SSH connection.

Page 34: network security

Telnet vs SSH

Page 35: network security

Supporting SSH

• Step 1. If the router has a unique host name, configure the IP domain name of the network using the ip domain-name domain-name command in global configuration mode.

• Step 2. One-way secret keys must be generated for a router to encrypt the SSH traffic. These keys are referred to as asymmetric keys. Cisco IOS software uses the Rivest, Shamir, and Adleman (RSA) algorithm to generate keys. To create the RSA key, use the crypto key generate rsa general-keys modulus modulus-size command in global configuration mode. The modulus determines the size of the RSA key and can be configured from 360 bits to 2048 bits.

• To verify SSH and display the generated keys, use the show crypto key mypubkey rsa command in privileged EXEC mode. If there are existing key pairs, it is recommended that they are overwritten using the crypto key zeroize rsa command.

Page 36: network security

Step 1 and 2: SSH

Page 37: network security

Transport input ssh

• Step 3. Ensure that there is a valid local database username entry. If not, create one using the username name secret secret command.

• Step 4. Enable vty inbound SSH sessions using the line vty commands login local and transport input ssh.

• SSH is automatically enabled after the RSA keys are generated. The router SSH service can be accessed using SSH client software.
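The four SSH steps above carried through end to end, together with the legal-notice banner from the earlier slide, as an added example that is not from the original slides. The hostname, domain name, account, password, key size and timer values are assumptions chosen for illustration.

```cisco
! Added example (not from the original slides). Hostname, domain name,
! credentials, key size and timers are assumptions chosen for illustration.
!
! Step 1: unique hostname and the network's domain name; both are used to
! name the RSA key pair.
hostname R1
ip domain-name example.net
!
! Step 2: generate the RSA key pair with a 2048-bit modulus. This is typed
! interactively in global configuration mode and is not stored in the
! configuration file. Remove any old pair first with 'crypto key zeroize rsa'.
crypto key generate rsa general-keys modulus 2048
!
! Step 3: local database entry used for SSH authentication.
username admin secret Str0ng-Admin-Pw!
!
! Step 4: vty lines accept only SSH (Telnet is refused) and authenticate
! against the local database.
line vty 0 4
 login local
 transport input ssh
 exec-timeout 3 0
!
! Optional SSH settings: require protocol version 2, give up a negotiation
! after 60 seconds, and allow at most 2 authentication retries per connection.
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
!
! Legal notice presented before the login prompt.
banner motd #
Unauthorized access to this device is prohibited. All activity is logged.
#
```

show crypto key mypubkey rsa confirms the generated pair, show ip ssh shows the version and timers in force, and show ssh lists the sessions currently connected.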

Page 38: network security

Optional SSH commands

Page 39: network security

Router to router SSH

Page 40: network security

Host to router SSH

Page 41: network security

SDM - SSH

Page 42: network security

Module 2 – Securing Network Devices

2.2 – Assigning administrative roles

Page 43: network security

Configuring privilege levels

Page 44: network security

Assigning Privilege Levels

Page 45: network security

Create privilege level example

Page 46: network security

Privilege levels - example

Page 47: network security

Assign level user

• To assign level 10 to the privileged EXEC mode reload command, use the following command sequence.

privilege exec level 10 reload

username jr-admin privilege 10 secret cisco10

enable secret level 10 cisco10

Page 48: network security

Role-Based CLI Access

• To provide more flexibility than privilege levels, Cisco introduced the Role-Based CLI Access feature in Cisco IOS Release 12.3(11)T.

• This feature provides finer, more granular access by controlling specifically which commands are available to specific roles.

• Role-based CLI access enables the network administrator to create different views of router configurations for different users.

• Each view defines the CLI commands that each user can access.

Page 49: network security

Security – Availability - Efficiency

• Role-based CLI access enhances the security of the device by defining the set of CLI commands that is accessible by a particular user. Additionally, administrators can control user access to specific ports, logical interfaces, and slots on a router.

• Role-based CLI access prevents unintentional execution of CLI commands by unauthorized personnel, which could result in undesirable results. This minimizes downtime.

• Users only see the CLI commands applicable to the ports and CLI to which they have access; therefore, the router appears to be less complex, and commands are easier to identify when using the help feature on the device.

Page 50: network security

Role-based CLI: three types of views

• Root View

To configure any view for the system, the administrator must be in root view. Root view has the same access privileges as a user who has level 15 privileges. However, a root view is not the same as a level 15 user. Only a root view user can configure a new view and add or remove commands from the existing views.

• CLI View

A specific set of commands can be bundled into a CLI view. Unlike privilege levels, a CLI view has no command hierarchy and, therefore, no higher or lower views. Each view must be assigned all commands associated with that view, and a view does not inherit commands from any other views. Additionally, the same commands can be used in multiple views.

Page 51: network security

Role-based CLI: Superview

• A superview consists of one or more CLI views. Administrators can define which commands are accepted and which configuration information is visible. Superviews allow a network administrator to assign users and groups of users multiple CLI views.

–A single CLI view can be shared within multiple superviews.

–Commands cannot be configured for a superview. An administrator must add commands to the CLI view and add that CLI view to the superview.

–Users who are logged into a superview can access all the commands that are configured for any of the CLI views that are part of the superview.

Page 52: network security

Root – CLI - Superview

Page 53: network security

Create a view

• Step 1. Enable AAA with the aaa new-model global configuration command. Exit and enter the root view with the enable view command.

• Step 2. Create a view using the parser view view-name command. This enables the view configuration mode. There is a maximum limit of 15 views in total.

• Step 3. Assign a secret password to the view using the secret encrypted-password command.

• Step 4. Assign commands to the selected view using the commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command] command in view configuration mode.

Page 54: network security

Include commands

Page 55: network security

Example

Page 56: network security

Verifying Views

Page 57: network security

Create a Superview

• Step 1. Create a view using the parser view view-name superview command and enter superview configuration mode.

• Step 2. Assign a secret password to the view using the secret encrypted-password command.

• Step 3. Assign an existing view using the view view-name command in view configuration mode.
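The view and superview procedures above carried through as one configuration, as an added example that is not from the original slides: two CLI views with different command sets, a superview that bundles them, and a user bound to the superview. The view names, the secrets, the command sets and the user name are assumptions chosen for illustration; an enable secret must already exist for enable view to work.

```cisco
! Added example (not from the original slides). View names, secrets,
! command sets and the user name are assumptions chosen for illustration.
!
! Prerequisite: AAA must be enabled before any view can be configured.
aaa new-model
!
! Entered in privileged EXEC, not in the configuration: switch from
! level 15 to the root view, which is the only place views can be defined.
!   R1# enable view
!   Password: <enable secret>
!
! CLI view 1: monitoring only - every 'show ip ...' command plus 'show version'.
parser view MONITOR
 secret M0nitor-View-Pw
 commands exec include all show ip
 commands exec include show version
!
! CLI view 2: interface operator - may enter interface configuration and
! bring interfaces up or down, but nothing else in global configuration.
parser view IFACE-OPS
 secret Iface-View-Pw
 commands exec include configure terminal
 commands configure include all interface
 commands interface include shutdown
 commands interface include no shutdown
!
! Superview: a user in it gets the union of both CLI views. Commands
! cannot be added to the superview itself, only views.
parser view JR-ADMIN superview
 secret Jr-Admin-View-Pw
 view MONITOR
 view IFACE-OPS
!
! Bind a local user to the superview so it is entered at login.
username jradmin view JR-ADMIN secret Jr-Admin-User-Pw
```

From the root view, show parser view all lists every view with its commands; a user logged into JR-ADMIN sees only the commands of MONITOR and IFACE-OPS in context-sensitive help, and show parser view reports which view is active.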

Page 58: network security

Superview Example

Page 59: network security

Verifying superview

Page 60: network security

Verify: Enable view

Page 61: network security

Root view: show parser view all

Page 62: network security

Module 2 – Security Planning and Policy

2.3 - Monitoring and Managing Devices

Page 63: network security

Securing the IOS and configuration files

Page 64: network security

Resilience IOS and config file

• The Cisco IOS resilient configuration feature detects image version mismatches. If the router is configured to boot with Cisco IOS resilience and an image with a different version of the Cisco IOS software is detected, a message is displayed at bootup.
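Enabling the resilient configuration feature the bullet above refers to, as an added example that is not from the original slides; it assumes no values beyond the two commands themselves.

```cisco
! Added example (not from the original slides); no site-specific values
! are assumed.
!
! Protect the running IOS image: it is hidden from 'dir' listings and can
! no longer be deleted, renamed or overwritten from the CLI. The feature
! can only be turned off again ('no secure boot-image') from the console.
secure boot-image
!
! Keep a secure copy of the running configuration in persistent storage.
! It is brought back later with 'secure boot-config restore <filename>'.
secure boot-config
```

show secure bootset reports the protected image and configuration archive; because the commands cannot be undone over a remote session, an attacker who gains only network access to the device cannot erase the bootset.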

Page 65: network security

Password Recovery Process

Page 66: network security

Password Recovery

Page 67: network security

NO password recovery

Page 68: network security

Using SYSLOG for network security

• Cisco router log messages fall into one of eight levels. The lower the level number, the higher the severity. Cisco router log messages contain three main parts:

–Timestamp

–Log message name and severity level

–Message text

Page 69: network security

Severity levels

Page 70: network security

Configure system logging

• Step 1. Set the destination logging host using the logging host command.

• Step 2. (Optional) Set the log severity (trap) level using the logging trap level command.

• Step 3. Set the source interface using the logging source-interface command. This specifies that syslog packets contain the IPv4 or IPv6 address of a particular interface.

• Step 4. Enable logging with the logging on command. You can turn logging on and off for these destinations individually using the logging buffered, logging monitor, and logging global configuration commands.
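The four syslog steps above as one configuration, followed by a constructed sample message broken into the three parts described earlier, as an added example that is not from the original slides. The server address, the source interface, the severity choices, the buffer size and the sample message are assumptions chosen for illustration.

```cisco
! Added example (not from the original slides). Server address, source
! interface, severity levels and buffer size are assumptions chosen for
! illustration.
!
! Timestamp every message; only meaningful once the clock is NTP-synchronised.
service timestamps log datetime msec localtime show-timezone
!
! Step 1: destination syslog server.
logging host 10.1.1.50
!
! Step 2: send severity 0-4 (emergencies through warnings) to the server.
logging trap warnings
!
! Step 3: source all syslog packets from a fixed loopback address so the
! collector attributes them to this router whatever the egress interface.
logging source-interface Loopback0
!
! Step 4: enable logging; buffered and terminal destinations individually.
logging on
logging buffered 16384 informational
logging monitor warnings
!
! A constructed sample of a resulting message and its three parts:
!   *Jun 12 10:15:02.123 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.7] [localport: 22] [Reason: Login Authentication Failed]
!   timestamp            -> *Jun 12 10:15:02.123 UTC:
!   name and severity    -> %SEC_LOGIN-4-LOGIN_FAILED  (facility SEC_LOGIN, level 4 = warning)
!   message text         -> Login failed [user: admin] [Source: 192.0.2.7] ...
```

show logging displays the configured destinations, their severity levels and the buffered messages, which is the quickest check that the trap level and server address took effect.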

Page 71: network security

Configure SYSLOG

Page 72: network security

SYSLOG with SDM

Page 73: network security

Monitor>> Logging

Page 74: network security

Using SNMP for network security

• SNMP was developed to manage nodes, such as servers, workstations, routers, switches, hubs, and security appliances, on an IP network.

• SNMP is an Application Layer protocol that facilitates the exchange of management information between network devices.

• SNMP is part of the TCP/IP protocol suite.

• SNMP enables network administrators to manage network performance, find and solve network problems, and plan for network growth.

• There are different versions of SNMP.

Page 75: network security

SNMP components

Page 76: network security

Community strings

• Read-only community strings - Provides read-only access to all objects in the MIB, except the community strings.

• Read-write community strings - Provides read-write access to all objects in the MIB, except the community strings.

Page 77: network security

SNMPv3

• SNMPv3 is an interoperable standards-based protocol for network management. SNMPv3 uses a combination of authenticating and encrypting packets over the network to provide secure access.

–Message integrity - Ensures that a packet has not been tampered with in transit.

–Authentication - Determines that the message is from a valid source.

–Encryption - Scrambles the contents of a packet to prevent it from being seen by an unauthorized source.
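An SNMPv3 configuration that uses all three protections above (integrity and authentication through the auth setting, encryption through priv), restricted to one management station and one MIB subtree, as an added example that is not from the original slides. The manager address, the ACL, view, group and user names and the two passwords are assumptions chosen for illustration.

```cisco
! Added example (not from the original slides). Manager address, ACL,
! view, group and user names and passwords are assumptions chosen for
! illustration.
!
! Only the management station may talk SNMP to this router.
ip access-list standard SNMP-MGR
 permit host 10.1.1.60
!
! Limit what the group can read to the system subtree of the MIB.
snmp-server view SYS-ONLY system included
!
! SNMPv3 group at the 'priv' security level: every message must be both
! authenticated (integrity and source) and encrypted.
snmp-server group NET-ADMINS v3 priv read SYS-ONLY access SNMP-MGR
!
! User in that group: SHA for authentication, AES-128 for encryption.
snmp-server user netmon NET-ADMINS v3 auth sha Auth-Pw-Example priv aes 128 Priv-Pw-Example
```

SNMPv3 user definitions are deliberately not shown in the running configuration; show snmp user confirms the user, its group and the auth and priv protocols in force, and show snmp group shows the views and ACL bound to the group.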

Page 78: network security

Configure SNMP with SDM

Page 79: network security

Using NTP for timestamp

• NTP allows routers on the network to synchronize their time settings with an NTP server. A group of NTP clients that obtain time and date information from a single source have more consistent time settings.

• When NTP is implemented in the network, it can be set up to synchronize to a private master clock, or it can synchronize to a publicly available NTP server on the Internet.
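Synchronising to a private master clock with authentication, so that the router accepts time only from a source holding the shared key, as an added example that is not from the original slides. The server address, key number and key string are assumptions chosen for illustration.

```cisco
! Added example (not from the original slides). Server address, key number
! and key string are assumptions chosen for illustration.
!
! Require authenticated time: without this, any host answering on UDP 123
! could shift the router's clock and, with it, every syslog timestamp.
ntp authenticate
ntp authentication-key 1 md5 Ntp-Key-Example
ntp trusted-key 1
!
! The private master clock, referenced with the trusted key and preferred
! over any other configured source.
ntp server 10.1.1.5 key 1 prefer
```

show ntp status reports whether the clock is synchronised and to which stratum, and show ntp associations lists each configured source with its reachability and whether it is the selected peer.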

Page 80: network security

NTP example

Page 81: network security

NTP version 3

Page 82: network security

Security Audit

Page 83: network security

Security audit wizard

Page 84: network security

Security audit report

Page 85: network security

Auto secure

Page 86: network security

Auto secure output