Edge router: the last router between the internal network and an untrusted network such as the Internet.
-Functions as the first and last line of defense
-Implements security actions based on the organization's security policies
Single router approach: connects the protected network, or internal LAN, to the Internet.
Router in front of the firewall: passes everything through to the firewall; a set of rules determines what traffic the router will allow or deny.
DMZ approach: the DMZ is set up between two routers; most traffic filtering is left to the firewall.
How can the edge router be secured?
-Use various perimeter router implementations
-Consider physical security, operating system security, and router hardening
-Secure administrative access
-Local versus remote router access
Physical Security
-Place the router in a secured, locked room
-Install an uninterruptible power supply
Operating System Security
-Use the latest stable version that meets network requirements
-Keep a copy of the O/S and configuration file as a backup
-Secure administrative control
-Disable unused ports and interfaces
-Disable unnecessary services
Things to do to secure administrative access to routers:
-Restrict device accessibility
-Log and account for all access
-Present legal notification
-Ensure the confidentiality of data
When accessing the network remotely:
-Encrypt all traffic
-Establish a dedicated management network
-Configure a packet filter to allow only the identified administration hosts
Password management in a large network should be maintained using a central TACACS+ or RADIUS authentication server such as the Cisco Secure Access Control Server (ACS).
The enable secret password global configuration command restricts access to privileged EXEC mode; the secret is stored as an MD5 hash.
Cisco routers support up to five simultaneous virtual terminal (vty) Telnet or SSH sessions.
To increase the security of passwords, the following should be configured:
-Enforce minimum password lengths.
-Disable unattended connections.
-Encrypt all passwords in the configuration file.
Minimum character length: security passwords min-length length (range 0 to 16 characters; use a minimum of 10).
Disable unattended connections: by default, a session stays active and logged in for 10 minutes after the last session activity; the timers should be fine-tuned to 2 to 3 minutes maximum.
Encrypt all passwords: use the service password-encryption command, which encrypts the plaintext passwords stored in the configuration file.
Stronger password encryption: the enable secret command, which uses MD5.
Two methods of configuring local username accounts:
-username name password password
-username name secret password (more secure; uses MD5)
Virtual Login Security Enhancements
-Implement delays between successive login attempts.
-Enable login shutdown if DoS attacks are suspected.
-Generate system logging messages for login detection.
A dictionary attack, which is used to gain administrative access to a device, floods a device with thousands of username and password combinations.
Use the login block-for command to enable these enhancements. This command must be issued before any other login command can be used, and it can help provide DoS detection and prevention.
The login block-for feature monitors login device activity and operates in two modes:
-Normal mode (watch mode): the router keeps count of the number of failed login attempts within an identified amount of time.
-Quiet mode (quiet period): if the number of failed logins exceeds the configured threshold, all login attempts using Telnet, SSH, and HTTP are denied.
Quiet-mode ACL: this command specifies an ACL that is applied to the router when it switches to quiet mode and identifies hosts that are exempt from the quiet-mode failure time. If not configured, all login requests will be denied during quiet mode.
Login delay: helps mitigate dictionary attacks. This is an optional command; if not set, a default delay of one second is enforced after the login block-for command is configured.
The auto secure command enables message logging for failed login attempts.
Use banner messages to present legal notification to potential intruders to inform them that they are not welcome on the network.
SSH has replaced Telnet as the recommended practice for providing remote router administration with connections that support confidentiality and session integrity.
Steps to configure SSH on a router:
Step 1: Configure the IP domain name
Step 2: Generate one-way secret keys
Step 3: Verify or create a local database entry
Step 4: Enable VTY inbound SSH sessions
There are two SSH versions: SSH version 1 (SSHv1) and the more secure SSH version 2 (SSHv2). SSHv2 provides better security using the Diffie-Hellman key exchange and the strong integrity-checking message authentication code (MAC).
The time interval that the router waits for the SSH client to respond during the SSH negotiation phase can be configured using the ip ssh time-out seconds command (default is 120 seconds).
To configure a different number of consecutive SSH retries, use the ip ssh authentication-retries integer command (default is 3 attempts).
There are two different ways to connect to an SSH-enabled router:
-Using the privileged EXEC mode ssh command.
-Using a publicly and commercially available SSH client running on a host.
The SSH key settings have two status options:
-RSA key is not set on this router
-RSA key is set on this router
Privilege levels determine who should be allowed to connect to the device and what that person should be able to do with it.
The CLI has two levels of access to commands:
-User EXEC mode (privilege level 1): provides the lowest EXEC mode user privileges and allows only user-level commands available at the router> prompt.
-Privileged EXEC mode (privilege level 15): includes all enable-level commands at the router# prompt.
There are 16 privilege levels in total:
-Level 0: predefined for user-level access privileges
-Level 1: the default level for login with the router prompt router>
-Levels 2-14: may be customized for user-level privileges
-Level 15: reserved for the enable mode privileges (enable command). Users can change configurations and view configuration files.
Privilege level access and role-based CLI access are two ways to control infrastructure access.
Two methods for assigning passwords to the different levels:
-enable secret level level password
-username name privilege level secret password
Administrators might not find privilege levels suitable because of the following limitations:
-No access control to specific interfaces, ports, logical interfaces, and slots on a router.
-Commands available at lower privilege levels are always executable at higher levels.
-Commands specifically set on a higher privilege level are not available for lower privileged users.
-Assigning a command with multiple keywords to a specific privilege level also assigns all commands associated with the first keywords to the same privilege level. An example is the show ip route command.
•Controls which commands are available to specific roles. Each view defines the CLI commands that each user can access.
-Security: defines the set of CLI commands that is accessible by a particular user by controlling user access to configure specific ports, logical interfaces, and slots on a router
-Prevents unintentional execution of CLI commands by unauthorized personnel
-Operational Efficiency: users only see the CLI commands applicable to the ports and CLI to which they have access
Role-based CLI provides three types of views:
-A view that has all of the access privileges of a user who has level 15 privileges.
-A view that must be assigned all commands associated with that view; there is no inheritance of commands from other views.
-A view that allows a network administrator to assign users and groups of users multiple CLI views at once, instead of having to assign a single CLI view per user with all commands associated to that one CLI view.
Cisco IOS Resilient Configuration facts:
-The configuration file in the primary bootset is a copy of the running configuration that was in the router when the feature was first enabled.
-The feature secures the smallest working set of files to preserve persistent storage space. No extra space is required to secure the primary Cisco IOS image file.
-The feature automatically detects image or configuration version mismatch.
-Only local storage is used for securing files, eliminating scalability maintenance challenges from storing multiple images and configurations on TFTP servers.
-The feature can be disabled only through a console session.
Image resilience: enables Cisco IOS image resilience and prevents the IOS image from being deleted by a malicious user.
Configuration resilience: takes a snapshot of the router's running configuration and securely archives it in persistent storage.
Management on a dedicated network: information flows on a dedicated management network on which no production traffic resides. Appropriate for large networks. Provides the highest level of security and mitigates the risk of passing insecure management protocols over the production network.
-Know the state of critical network devices
-Know when the last modifications were made
-Ensure the right people have access when new management methodologies are adopted
-Know how to handle tools and devices no longer used
•Automated logging and reporting of information from identified devices to management hosts
•Available applications and protocols like SNMP
Management over the production network: information flows across an enterprise production network, the Internet, or both using regular data channels. Recommended in smaller networks, providing a more cost-effective security deployment.
-Apply only to devices that need to be managed or monitored.
-Use IPsec, SSH, or SSL when possible.
-Decide whether the management channel needs to be open at all times.
of using remote management tools with
Cisco router log messages contain three main parts:
-Log message name and severity level
Syslog implementations contain two types of systems:
-Syslog servers: also known as log hosts, these systems accept and process log messages from syslog clients.
-Syslog clients: routers or other types of equipment that generate and forward log messages to syslog servers.
There are two types of community strings:
-Read-only community strings: provide read-only access to all objects in the MIB, except the community strings.
-Read-write community strings: provide read-write access to all objects in the MIB, except the community strings.
Community Strings Facts:
-Used to authenticate messages between a management station and an SNMPv1 or SNMPv2 engine.
-Read-write community strings can get and set information in an agent.
-Set access is equivalent to having the enable password for a device.
SNMPv3 provides three security features:
-Message integrity: ensures that a packet has not been tampered with in transit.
-Authentication: determines that the message is from a valid source.
-Encryption: scrambles the contents of a packet to prevent it from being seen by an unauthorized source.
•Clocks on hosts and network devices must be maintained and synchronized to ensure that log messages are synchronized with one another.
The date and time settings of the router can be set using one of two methods:
-Manually edit the date and time
-Configure Network Time Protocol (NTP)
NTP allows routers on the network to synchronize their time settings with an NTP server.
ntp trusted-key key-number: authenticates the identity of a system to which NTP will synchronize.
The intent of CDP is to make it easier for administrators to discover and troubleshoot other Cisco devices on the network. However, it should not be enabled everywhere in the network; edge devices are an example of where it should be disabled.
•To ensure a device is secure:
-Disable unnecessary services and interfaces
-Disable and restrict commonly configured management services, such as SNMP
-Disable probes and scans, such as
-Ensure terminal access security
-Disable gratuitous and proxy Address Resolution Protocol (ARP)
-Disable IP-directed broadcast
Three security audit tools available include:
-Security Audit Wizard: a security audit feature provided through Cisco SDM. The Security Audit Wizard provides a list of vulnerabilities and then allows the administrator to choose which potential security-related configuration changes to implement on a router.
-Cisco AutoSecure: a security audit feature available through the Cisco IOS CLI. The auto secure command initiates a security audit and then allows for configuration changes. Based on the mode selected, configuration changes can be automatic or require network administrator input.
-One-Step Lockdown: a security audit feature provided through Cisco SDM. The One-Step Lockdown feature provides a list of vulnerabilities and then automatically makes all recommended security-related configuration changes.
Security Audit Wizard: compares the router configuration against recommended settings and can:
•Shut down unneeded servers
•Disable unneeded services
•Apply the firewall to the
•Disable or harden SNMP
•Shut down unused interfaces
•Check password strength
•Enforce the use of ACLs
Cisco One-Step Lockdown: tests the router configuration for any potential security problems and automatically makes the necessary configuration changes to correct any problems found.
Command to enable the AutoSecure feature: auto secure [no-interact]
•Initiated from the CLI and executes a script. The AutoSecure feature first makes recommendations for fixing security vulnerabilities, and then modifies the security configuration of the router.
•Can lock down the management plane functions and the forwarding plane services and functions of a router.
•Used to provide a baseline security policy on a new router.
AutoSecure Versus SDM Security Audit One-Step Lockdown
AutoSecure:
•Sets SPD values
•Enables TCP intercepts
•Configures anti-spoofing ACLs on
SDM One-Step Lockdown implements some of the following features differently:
•SNMP is disabled but will not
•SSH is enabled and configured with images that support this feature.
•Secure Copy Protocol (SCP) is not enabled; insecure FTP is.