Security ch 2

  1. edge router
    the last router between the internal network and an untrusted network such as the Internet
    • Functions as the first and last line of defense
    • Implements security actions based on the organization's security policies
  2. Single Router Approach
    connects the protected network, or internal LAN, to the Internet.
  3. Defense-in-Depth Approach
    Passes everything through to the firewall. A set of rules determines what traffic the router will allow or deny.
  4. DMZ Approach
    The DMZ is set up between two routers. Most traffic filtering is left to the firewall.
  5. How can the edge router be secured?
    • Use various perimeter router implementations
    • Consider physical security, operating system security, and router hardening
    • Secure administrative access
    • Local versus remote router access
  6. Physical Security
    • Place router in a secured, locked room
    • Install an uninterruptible power supply
  7. Operating System Security
    • Use the latest stable version that meets network requirements
    • Keep a copy of the O/S and configuration file as a backup
  8. Router Hardening
    • Secure administrative control
    • Disable unused ports and interfaces
    • Disable unnecessary services
  9. Things to do to secure administrative access to routers:
    • Restrict device accessibility
    • Log and account for all access
    • Authenticate access
    • Authorize actions
    • Present legal notification
    • Ensure the confidentiality of data
  10. When accessing the network remotely,
    • Encrypt all traffic
    • Establish a dedicated management network
    • Configure a packet filter to allow only the identified administration hosts
  11. Password management in a large network should be maintained using a
    central TACACS+ or RADIUS authentication server such as the Cisco Secure Access Control Server (ACS)
  12. The enable secret password global configuration command restricts access
    to privileged EXEC mode; it uses MD5.
  13. Cisco routers support up to five simultaneous
    virtual terminal vty (Telnet or SSH) sessions.
  14. To increase the security of passwords, the following should be configured:
    • Enforce minimum password lengths.
    • Disable unattended connections.
    • Encrypt all passwords in the configuration file.
  15. minimum character length
    • 0 to 16 characters, minimum 10
    • security passwords min-length length
  16. Disable Unattended Connections
    By default, a session stays active and logged in for 10 minutes after the last session activity.
  17. Timers should be fine-tuned to
    • 2 to 3 minutes maximum
    • exec-timeout command
  18. Encrypt all passwords
    Use the service password-encryption command; it hashes them.
  19. Stronger password encryption
    • enable secret command
    • it uses MD5
  20. Two methods of configuring local username accounts:
    • username name password password
    • username name secret password (more secure, uses MD5)
  21. Virtual Login Security Enhancements
    • Implement delays between successive login attempts.
    • Enable login shutdown if DoS attacks are suspected.
    • Generate system logging messages for login detection.
  22. A dictionary attack,
    which is used to gain administrative access to a device, floods a device with thousands of username and password combinations.
  23. Use the login block-for command to enable
    login enhancements
  24. The login block-for feature monitors login device activity and operates in two modes:
    • This command must be issued before any other login command can be used.
    • This command can help provide DoS detection and prevention.
  25. Normal mode (watch mode)
    The router keeps count of the number of failed login attempts within an identified amount of time.
  26. Quiet mode (quiet period)
    If the number of failed logins exceeds the configured threshold, all login attempts using Telnet, SSH, and HTTP are denied.
  27. Quiet mode ACL
    Command specifies an ACL that is applied to the router when it switches to Quiet-Mode and identifies hosts that are exempt from the Quiet-Mode failure time. If not configured, all login requests are denied during the Quiet-Mode.
  28. login delay
    • Helps mitigate dictionary attacks
    • This is an optional command. If not set, a default delay of one second is enforced after the login block-for command is configured.
  29. The command auto secure enables
    message logging for failed login attempts.
  30. Use banner messages to present
    legal notification to potential intruders to inform them that they are not welcome on a network.
  31. SSH has replaced Telnet as the recommended practice for providing
    remote router administration with connections that support confidentiality and session integrity.
  32. ssh port
    port 22
  33. ssh config
    • Step 1: Configure the IP domain name
    • Step 2: Generate one-way secret keys
    • Step 3: Verify or create a local database entry
    • Step 4: Enable VTY inbound SSH sessions
  34. SSH version 1 (SSHv1)
    has been replaced by the more secure SSH version 2 (SSHv2).
  35. SSHv2 provides better security using the
    Diffie-Hellman key exchange and the strong integrity-checking message authentication code (MAC).
  36. The time interval that the router waits for the SSH client to respond during the SSH negotiation phase can be configured using the ip ssh time-out seconds command
    the default is 120 seconds
  37. To configure a different number of consecutive SSH retries, use the
    • ip ssh authentication-retries integer
    • default is 3 attempts
  38. There are two different ways to connect to an SSH-enabled router:
    • using the privileged EXEC mode ssh command.
    • using a publicly and commercially available SSH client running on a host.
  39. The SSH key settings have two status options.
    • RSA key is not set on this router
    • RSA key is set on this router
  40. Privilege levels determine who should be
    allowed to connect to the device and what that person should be able to do with it.
  41. CLI has two levels of access to commands.
    • User EXEC mode (privilege level 1) - Provides the lowest EXEC mode user privileges and allows only user-level commands available at the router> prompt.
    • Privileged EXEC mode (privilege level 15) - Includes all enable-level commands at the router# prompt.
  42. There are 16 privilege levels in total.
    • Level 0: Predefined for user-level access privileges
    • Level 1: The default level for login with the router prompt router>
    • Levels 2-14: May be customized for user-level privileges
    • Level 15: Reserved for the enable mode privileges (enable command). Users can change configurations and view configuration files.
  43. Two methods of configuring privileged-level infrastructure access
    • privilege levels
    • role-based CLI access
  44. two methods for assigning passwords to the different levels:
    • enable secret level level password.
    • username name privilege level secret password.
  45. Administrators might not find privilege levels suitable because of the following limitations:
    • No access control to specific interfaces, ports, logical interfaces, and slots on a router.
    • Commands available at lower privilege levels are always executable at higher levels.
    • Commands specifically set on a higher privilege level are not available for lower privileged users.
    • Assigning a command with multiple keywords to a specific privilege level also assigns all commands associated with the first keywords to the same privilege level. An example is the show ip route command.
  46. Role-Based CLI
    • Controls which commands are available to specific roles
  47. Each view defines the CLI commands that each user can access.
    • Security: Defines the set of CLI commands that is accessible by a particular user by controlling user access to configure specific ports, logical interfaces, and slots on a router
    • Availability: Prevents unintentional execution of CLI commands by unauthorized personnel
    • Operational Efficiency: Users only see the CLI commands applicable to the ports and CLI to which they have access
  48. Role-based CLI provides three types of views:
    • Root view
    • CLI view
    • Superview
  49. root view
    has all of the access privileges as a user who has level 15 privileges.
  50. CLI view
    Each view must be assigned all commands associated with that view; there is no inheritance of commands from other views.
  51. superview
    Allows a network administrator to assign users and groups of users multiple CLI views at once, instead of having to assign a single CLI view per user with all commands associated to that one CLI view.
  52. Cisco IOS Resilient Configuration facts
    • The configuration file in the primary bootset is a copy of the running configuration that was in the router when the feature was first enabled.
    • The feature secures the smallest working set of files to preserve persistent storage space. No extra space is required to secure the primary Cisco IOS image file.
    • The feature automatically detects image or configuration version mismatch.
    • Only local storage is used for securing files, eliminating scalability maintenance challenges from storing multiple images and configurations on TFTP servers.
    • The feature can be disabled only through a console session.
  53. secure boot-image
    Enables Cisco IOS image resilience. Prevents the IOS image from being deleted by a malicious user.
  54. secure boot-config
    Takes a snapshot of the router's running configuration and securely archives it in persistent storage.
  55. Out-of-band
    • Information flows on a dedicated management network on which no production traffic resides
    • Appropriate for large enterprise networks
    Provides the highest level of security and mitigates the risk of passing insecure management protocols over the production network.
  56. Implementing Secure Configuration Change Management
    • Know the state of critical network devices
    • Know when the last modifications occurred
    • Ensure the right people have access when new management methodologies are adopted
    • Know how to handle tools and devices no longer used
    • Automated logging and reporting of information from identified devices to management hosts
    • Available applications and protocols like SNMP
  57. In-band:
    Information flows across an enterprise production network, the Internet, or both using regular data channels.
    • Recommended in smaller networks, providing a more cost-effective security deployment
    • Apply only to devices that need to be managed or monitored.
    • Use IPsec, SSH, or SSL when possible.
    • Decide whether the management channel needs to be open at all times.
  58. security vulnerabilities
    of using remote management tools with
  59. Cisco router log messages contain three main parts:
    • Timestamp
    • Log message name and severity level
    • Message text
  60. Syslog implementations contain two types of systems.
    • Syslog servers - Also known as log hosts, these systems accept and process log messages from syslog clients.
    • Syslog clients - Routers or other types of equipment that generate and forward log messages to syslog servers.
  61. There are two types of community strings.
    • Read-only community strings - Provides read-only access to all objects in the MIB, except the community strings.
    • Read-write community strings - Provides read-write access to all objects in the MIB, except the community strings.
  62. Community Strings Facts:
    • Used to authenticate messages between a management station and an SNMPv1 or SNMPv2 engine
    • Read-write community strings can get and set information in an agent.
    • Set access is equivalent to having the enable password for a device.
  63. SNMPv3 provides three security features.
    • Message integrity - Ensures that a packet has not been tampered with in transit.
    • Authentication - Determines that the message is from a valid source.
    • Encryption - Scrambles the contents of a packet to prevent it from being seen by an unauthorized source.
  64. Using NTP
    Clocks on hosts and network devices must be maintained and synchronized to ensure that log messages are synchronized with one another.
  65. The date and time settings of the router can be set using one of two methods
    • Manually edit the date and time
    • Configure Network Time Protocol
  66. NTP allows routers on the network to synchronize their time settings with an NTP server
  67. ntp trusted-key key-number
    Authenticates the identity of a system to which NTP will synchronize
  68. The intent of CDP is to make it easier for administrators to discover and troubleshoot other Cisco devices on the network. However,
    it should not be enabled everywhere in the network. Edge devices are an example of where it should not run.
  69. Security Practices
    To ensure a device is secure:
    • Disable unnecessary services and interfaces
    • Disable and restrict commonly configured management services, such as SNMP
    • Disable probes and scans, such as ICMP
    • Ensure terminal access security
    • Disable gratuitous and proxy Address Resolution Protocol (ARP)
    • Disable IP-directed broadcast
  70. Three security audit tools available include:
    • Security Audit Wizard - a security audit feature provided through Cisco SDM. The Security Audit Wizard provides a list of vulnerabilities and then allows the administrator to choose which potential security-related configuration changes to implement on a router.
    • Cisco AutoSecure - a security audit feature available through the Cisco IOS CLI. The autosecure command initiates a security audit and then allows for configuration changes. Based on the mode selected, configuration changes can be automatic or require network administrator input.
    • One-Step Lockdown - a security audit feature provided through Cisco SDM. The One-Step Lockdown feature provides a list of vulnerabilities and then automatically makes all recommended security-related configuration changes.
  71. audit wizard
    Compares router configuration against recommended settings:
    • Shut down unneeded servers
    • Disable unneeded services
    • Apply the firewall to the outside interfaces
    • Disable or harden SNMP
    • Shut down unused interfaces
    • Check password strength
    • Enforce the use of ACLs
  72. Cisco One-Step Lockdown
    Tests router configuration for any potential security problems and automatically makes the necessary configuration changes to correct any problems found.
  73. Command to enable the Cisco AutoSecure feature setup
    auto secure [no-interact]
  74. Cisco AutoSecure
    • Initiated from the CLI and executes a script. The AutoSecure feature first makes recommendations for fixing security vulnerabilities, and then modifies the security configuration of the router.
    • Can lock down the management plane functions and the forwarding plane services and functions of a router
    • Used to provide a baseline security policy on a new router
  75. AutoSecure Versus SDM Security Audit One-Step Lockdown
    Cisco AutoSecure also:
    • Disables NTP
    • Configures AAA
    • Sets SPD values
    • Enables TCP intercepts
    • Configures anti-spoofing ACLs on outside-facing interfaces
    SDM implements some of the following features differently:
    • SNMP is disabled, but SDM will not configure SNMPv3
    • SSH is enabled and configured with images that support this feature.
    • Secure Copy Protocol (SCP) is not enabled; unsecure FTP is