Cisco Router Security

Questions and Answers

Which security approach involves multiple layers of security devices, such as routers and firewalls, to protect the network?

  • Single Router Approach
  • DMZ Approach
  • Perimeter Security Approach
  • Defense in Depth Approach (correct)

What is the recommended minimum length for strong passwords?

  • 12 characters
  • 8 characters
  • 6 characters
  • 10 characters (correct)

Which of the following commands is used to enable password encryption on a Cisco router?

  • `password encryption enable`
  • `service password-encryption` (correct)
  • `enable secret password`
  • `encrypt all passwords`

Which algorithm type is NOT an option for the `enable algorithm-type` command when configuring secret passwords?

  • aes (D)

When configuring line access security, which command is used to specify that only SSH connections are allowed?

  • `transport input ssh` (C)

What is the purpose of implementing delays between successive login attempts?

  • To prevent denial-of-service (DoS) attacks (C)

Which command is used to configure the number of failed login attempts before a user is blocked?

  • `login block-for` (C)

What action does the `crypto key zeroize rsa` command perform?

  • It removes all RSA keys. (D)

Which CLI mode is required to configure privilege levels?

  • Global Configuration mode (B)

What is the range of privilege levels that can be customized for user-level privileges?

  • 2-14 (C)

What is a key limitation of privilege levels regarding command execution?

  • Commands at lower levels are executable at higher levels. (C)

What does role-based CLI access primarily control?

  • Command availability (A)

What is the primary function of the Cisco IOS Resilient Configuration feature?

  • To detect and correct image or configuration version mismatch (A)

What type of storage does the Cisco IOS Resilient Configuration feature use for securing files?

  • Local storage (B)

What is the default severity level for informational syslog messages?

  • 6 (D)

What does the `logging trap level` command configure?

  • The severity level of messages sent to the syslog server (B)

What security practice should be applied during security audits to discovery protocols such as CDP and LLDP?

  • Disable probes and scans that provide detailed network information (B)

Which automated security tool can be used on Cisco IOS-based routers to enhance security settings?

  • AutoSecure (D)

What is the primary consequence of routing protocol spoofing?

  • Creation of routing loops and traffic redirection (C)

When configuring OSPF authentication, which command is used to specify the SHA authentication key?

  • `ip ospf authentication key-chain name` (C)

A single router approach to network security involves multiple firewalls and routers to protect the internal network.

  • False (B)

Physical security, router operating system security, and router hardening are key areas of router security.

  • True (A)

Restricting device accessibility is not an important step in securing administrative access.

  • False (B)

It is recommended to use passwords shorter than 8 characters for better memorization.

  • False (B)

The command `service password-encryption` encrypts all passwords in the router's configuration file.

  • True (A)

Secret passwords of type 8 or 9 are less secure compared to type 7 passwords.

  • False (B)

Using the `login local` command on a line requires a locally defined username and password.

  • True (A)

Implementing delays between successive login attempts can help mitigate brute-force attacks.

  • True (A)

The command `login block-for 60 attempts 3 within 10` blocks login attempts for 60 seconds after 3 failed attempts within 10 seconds.

  • True (A)

Configuring SSH involves generating RSA keys and enabling SSH on VTY lines.

  • True (A)

Administrative privilege levels are configured to restrict command availability.

  • True (A)

Privilege level 15 is the user EXEC mode, with limited privileges.

  • False (B)

Role-Based CLI Access allows administrators to create custom views with specific command sets.

  • True (A)

Commands set at higher privilege levels are executable by users at lower privilege levels.

  • False (B)

Cisco IOS resilient configuration feature secures the Cisco IOS image and nothing else.

  • False (B)

Syslog messages include a severity level, with 0 indicating emergencies and 7 indicating debugging messages.

  • True (A)

In syslog, a facility code denotes the destination or the source of the message.

  • False (B)

SNMPv4 uses secure authentication and encryption, making it the preferred version for network management.

  • False (B)

NTP can be configured with authentication to prevent malicious time synchronization attacks.

  • True (A)

AutoSecure configures only the management plane and guarantees absolute security from all attacks.

  • False (B)

Flashcards

Physical Security

Securing the physical location of the router and its components.

Router OS Security

Protecting the software and configurations on the router.

Router Hardening

Enhancing the router's security posture through various configuration tweaks.

Secure Administrative Access

Limiting physical access, logging access attempts, and protecting data confidentiality.

Password Misspelling

Deliberately misspelling a password to increase its complexity.

IOS Resilient Configuration

A Cisco IOS feature that automatically backs up and restores the IOS image and configuration files.

Syslog

A protocol to log system events for network security.

Routing Protocol Authentication

A method of ensuring that routing updates are from trusted sources.

Routing Protocol Spoofing

Redirecting traffic to create routing loops, monitor insecure links, or discard traffic.

Control Plane Policing

A feature to protect the control plane by filtering traffic.

Privilege Levels

The level defines access to router commands, ranging from 0 (lowest) to 15 (highest, enable mode).

Role-Based CLI Access

A model where access rights are granted based on the roles of individual users.

Security Audit Tools

A tool to identify vulnerabilities and security weaknesses in Cisco IOS-based routers.

AutoSecure

A Cisco IOS feature that automates the process of securing a router.

Network Time Protocol (NTP)

A protocol used to synchronize the clocks of computer systems over a network.

Single Router Approach

An edge router security approach using one router to connect to a LAN network.

Defense in Depth Approach

A defense strategy using multiple layers of security. This includes routers and firewalls.

DMZ Approach

An edge router setup that uses firewalls to create isolated zones with different security levels. DMZ stands for demilitarized zone.

Password Length

Minimum password length recommended for strong security.

Password Encryption

Encrypts passwords, increasing security. It can be enabled using the command `service password-encryption`.

Enable Algorithm-Type Secret

A command used on Cisco devices to enter an unencrypted password that is then stored in encrypted form using the chosen algorithm type.

Login Delay

Enhances security for virtual logins. It implements delays between successive login attempts.

Login Failure Messages

Shows login failures as a security enhancement for virtual logins.

SSH

A secure protocol for remote management, replacing Telnet.

Privilege Command

Display available router configuration modes to set privilege levels.

SNMPv3 Access

Monitor network using SNMP, configure secure SNMPv3 access with ACLs for security.

Disable Unnecessary Services

A core task for device security by disabling unnecessary services and interfaces.

Study Notes

Securing Device Access

  • Securing a network perimeter is important
  • Configure secure administrative access to Cisco routers
  • Enhance security for virtual logins
  • Configure an SSH daemon for secure remote management

Edge Router Security

  • Security approaches for edge routers include single router, defense in depth, and DMZ
    • Single Router: A simple approach using one router to connect the network to the Internet.
    • Defense in Depth: Multiple layers of security including firewalls.
    • DMZ: Uses a firewall to protect the internal network, while providing controlled external access to specific resources.
  • Areas of focus for router security
    • Physical Security
    • Router Operating System and Configuration File Security
    • Router Hardening

Secure Administrative Access

  • Restricting device accessibility is crucial
  • All access attempts should be logged
  • Access authentication is needed
  • Authorize user actions
  • Present a legal notification
  • Ensure the confidentiality of data by encrypting when possible

Local and Remote Access

  • Local access involves direct connection to the router
  • Remote access can be achieved using Telnet/SSH or Modem and Aux Port

Strong Passwords

  • Use a password length of 10 or more characters
  • Include a mix of uppercase and lowercase letters, numbers, symbols, and spaces in passwords
  • Avoid using easily obtainable personal information for passwords
  • Intentionally misspell words in your passwords
  • Change passwords frequently
  • Never leave passwords in plain view
  • Weak passwords, such as dictionary words, are easily cracked

Increasing Access Security

  • Increase password security by setting a minimum password length and enabling password encryption

Secret Password Algorithms

  • Best practice is to configure all secret passwords as type 8 or type 9
  • Use the `enable algorithm-type` command to enter an unencrypted password
  • Use the `username name algorithm-type` command to specify type 9 encryption for usernames

Securing Line Access

  • Secure line access prevents unauthorized entry into the network devices

Login Enhancements

  • Implementing delays between successive login attempts adds a layer of security
  • Enable login shutdown if DoS attacks are suspected
  • Generate system-logging messages for login detection
  • Delays and shutdowns can be implemented from the "line" configuration page
    • `login block-for seconds attempts tries within seconds`
    • `login delay 3`

Logging Failed Attempts

  • Generate login syslog messages to monitor failed access attempts
  • Use commands like `login on-success log`, `login on-failure log`, and `security authentication failure rate threshold-rate log`

Configuring SSH

  • SSH can be enabled and used with a Cisco router as either an SSH server or client for secure remote management.
  • As a client, a router can use SSH to connect to another SSH-enabled router; as a server, it can accept SSH client connections
  • Clients such as PuTTY, OpenSSH, or TeraTerm can connect via SSH

Administrative Roles

  • Configure administrative privilege levels to control command availability
  • Configure role-based CLI access to control command availability

Privilege Levels

  • Level 0 is predefined for user-level access privileges
  • Level 1 is default for login with the router prompt
  • Levels 2-14 can be customized for user-level privileges
  • Level 15 is reserved for enable mode privileges
  • The two default modes are user EXEC mode (privilege level 1) and privileged EXEC mode (privilege level 15)
  • Command syntax: `privilege mode {level level | reset} command`

Configuring and Assigning Privilege Levels

  • Different commands can be configured for different levels of users

Limitations of Privilege Levels

  • There is no access control for specific interfaces, ports, logical interfaces, and slots on a router
  • Commands available at lower privilege levels are always executable at higher privilege levels
  • Commands specifically set at higher privilege levels are not available for lower privilege users
  • Assigning a command with multiple keywords allows access to all commands that use those

Role-Based CLI Access

  • Security operator privileges can include configurations such as AAA, show commands, firewall, IDS/IPS, and NetFlow
  • WAN engineer privileges would configure routing, configure interfaces and issue show commands
  • Superviews contain views but not commands. Two superviews can use the same view. For example, both Superview 1 and Superview 2 can have CLI View 4 placed inside.

Monitoring and Management

  • Use the Cisco IOS resilient configuration feature to secure the Cisco IOS image and configuration files.
  • Secure SNMPv3 access using an ACL, and use NTP to enable accurate timestamping between all devices.
  • Compare in-band and out-of-band management access.

Cisco IOS Resilient Configuration Feature

  • Copy of running configuration that was in the router when the feature was first enabled
  • Secures working set of files to preserve persistent storage space
  • Automatically detects image or configuration version mismatch
  • It can be disabled only through a console session and is only available for systems that support a PCMCIA Advanced Technology Attachment (ATA) flash interface.

Enabling the IOS Image Resilience Feature

  • This is for systems that need to ensure they can go back to a stable config

Syslog

  • Standard logging
  • Security logs

Syslog Operation

  • Syslog data is routed to
    • Console Line
    • Logging Buffer
    • Terminal Line
    • Syslog Server

Syslog Message

  • Messages carry a severity level from 0 to 7, where 0 is the highest severity:
    • 0 Emergencies: System unusable
    • 1 Alerts: Immediate action needed
    • 2 Critical: Critical conditions exist
    • 3 Errors: Error conditions exist
    • 4 Warnings: Warning conditions exist
    • 5 Notifications: Normal but significant condition
    • 6 Informational: Informational messages only
    • 7 Debugging: Debugging messages

Configuring System Logging

  • Set logging host
  • Select trap level if needed
  • Set the source interface if needed
  • Enable logging

Introduction to SNMP

  • SNMP is used to send alerts
  • SNMP agents on managed devices communicate with the SNMP Manager

Configuring SNMP Access

  • SNMP is used to send alerts

NTP

  • NTP is used to keep the systems in sync

NTP Authentication

  • NTP can be authenticated
  • Add authentication keys as needed

Using Automated Security Features

  • Utilize security audit tools to determine IOS-based router vulnerabilities and AutoSecure for security on IOS-based routers

Discovery Protocols CDP and LLDP

  • Use discovery protocols to identify any vulnerabilities

Settings for Protocols and Services

  • Additional device security measures
    • Disable unnecessary services and interfaces
    • Disable and restrict commonly configured management services
    • Disable probes and scans; ensure terminal access security
    • Disable gratuitous and proxy ARPs
    • Disable IP-directed broadcasts

Cisco AutoSecure

  • AutoSecure helps to greatly reduce the attack vector on Cisco routers

Using the auto secure Command

  • AutoSecure helps to greatly reduce the attack vector on Cisco routers
  • During operation
    • The `auto secure` command is entered.
    • Wizard gathers information about the outside interfaces
    • AutoSecure secures the management plane by disabling unnecessary services
    • AutoSecure prompts for a banner
    • AutoSecure prompts for passwords and enables password and login features
    • Interfaces and Forwarding plane are secured

Securing the Control Plane

  • Configure routing protocol authentication
  • Explain the function of Control Plane Policing

Routing Protocol Spoofing

  • Consequences of protocol spoofing:
    • Redirect traffic to create routing loops
    • Redirect traffic so it can be monitored on an insecure link
    • Redirect traffic to discard it

OSPF MD5 Routing Protocol Authentication

  • Enhanced security with authentication keys

OSPF SHA Routing Protocol Authentication

  • Enhanced security with authentication keys

Network Device Operations

  • Management, Control, Data connections all need security considerations

Control and Management Plane Vulnerabilities

  • Data plane and devices can potentially target AAA, Syslog, SNMP, OSPF

CoPP Operation

  • Control Plane Policing restricts traffic to different planes of the network device
