Cisco Router Security

Questions and Answers

Which of the following is NOT a guideline for creating strong passwords?

  • Include a mix of uppercase and lowercase letters, numbers, symbols, and spaces.
  • Use a password length of 10 or more characters.
  • Avoid passwords based on easily identifiable pieces of information.
  • Always write down your password in an obvious place to make sure you don't forget it. (correct)

What is the primary benefit of using the Cisco IOS Resilient Configuration feature?

  • It disables all unused ports to prevent unauthorized access.
  • It secures the Cisco IOS image and configuration files, detecting mismatches. (correct)
  • It automatically backs up the entire IOS image and configuration to a remote TFTP server.
  • It optimizes network performance by prioritizing voice traffic.

Which command is used to configure a router to send syslog messages to a specific syslog server?

  • logging trap level
  • logging host [hostname | ip-address] (correct)
  • logging source-interface interface-type interface-number
  • logging on

What is the purpose of Control Plane Policing (CoPP)?

Answer: To mitigate attacks targeting the control plane. (C)

Which of the following is a task associated with securing administrative access to a device?

Answer: Restricting device accessibility. (A)

When configuring privilege levels, which level is reserved for enable mode privileges?

Answer: Level 15 (B)

Which security approach involves implementing multiple layers of security controls?

Answer: Defense in Depth Approach (C)

Which of the following is a potential consequence of routing protocol spoofing?

Answer: Redirect traffic so it can be monitored on an insecure link. (A)

What is the primary purpose of using NTP (Network Time Protocol) in network security?

Answer: To synchronize time across network devices. (D)

What type of algorithm does the command username Bob algorithm-type scrypt secret cisco54321 specify?

Answer: scrypt (A)

Which command is used to enable the secure boot-image feature on a Cisco router?

Answer: secure boot-image (B)

Which syslog severity level indicates that a system is unusable?

Answer: Emergency (D)

What is the purpose of configuring transport input ssh on a VTY line?

Answer: To allow only SSH connections. (B)

After enabling AutoSecure, what is the immediate next step?

Answer: The wizard gathers information about the outside interfaces (D)

Which of the following is a limitation of privilege levels when configuring command availability?

Answer: Commands available at lower privilege levels are always executable at higher privilege levels (C)

What type of attack is mitigated by implementing delays between successive login attempts?

Answer: Denial of Service (DoS) attack (A)

A network administrator wants to ensure that all network devices have synchronized time. Which protocol should be configured?

Answer: NTP (A)

Which command is utilized to configure OSPF with SHA authentication?

Answer: ip ospf authentication key-chain name (A)

Which of the following is the most secure method for remote access?

Answer: SSH (A)

What is the purpose of the crypto key zeroize rsa command?

Answer: To remove all RSA keys. (A)

A single router approach to network security includes a firewall and an intrusion prevention system.

Answer: False (B)

Physical security of a router does not influence overall network security.

Answer: False (B)

Restricting device accessibility is a key aspect of secure administrative access.

Answer: True (A)

Logging and accounting for all access on a network device is unnecessary.

Answer: False (B)

Using a password length of less than 8 characters is a good security practice.

Answer: False (B)

Password complexity, with a mix of character types, enhances password strength.

Answer: True (A)

Cisco devices store passwords in plain text by default.

Answer: False (B)

The enable algorithm-type command is used to enter an encrypted password.

Answer: False (B)

Applying transport input ssh on VTY lines restricts access to only SSH connections.

Answer: True (A)

Login delays can help mitigate brute-force password attacks.

Answer: True (A)

Using login delay 0 disables login delay.

Answer: True (A)

It is impossible to configure logging messages for successful login attempts.

Answer: False (B)

SSH provides an unencrypted channel for remote device management.

Answer: False (B)

The crypto key zeroize rsa command generates new RSA key pairs.

Answer: False (B)

Privilege levels cannot be used to restrict user access to specific show commands.

Answer: False (B)

Role-Based CLI Access allows for more granular control over command availability compared to privilege levels.

Answer: True (A)

Cisco IOS Resilient Configuration feature requires extra storage space to secure the primary Cisco IOS image files.

Answer: False (B)

Syslog messages with a severity level of 0 indicate debugging information.

Answer: False (B)

AutoSecure is a tool that guarantees complete security from all attacks.

Answer: False (B)

Control Plane Policing (CoPP) is used to protect the data plane from malicious traffic.

Answer: False (B)

Flashcards

Secure Administrative Access

Securing devices by restricting access, logging activity, authenticating users, authorizing actions, legal notifications, and data confidentiality.

Strong Password Guidelines

Guidelines include a length of 10 or more characters; a mix of upper- and lowercase letters, numbers, symbols and spaces; avoiding easily identifiable information; deliberately misspelling words; changing passwords regularly; and never writing them down.

Privilege Levels

Limiting command availability for customized user-level privileges

SNMP

A network management protocol used for collecting and organizing information about managed devices on IP networks.

NTP

A protocol that enables accurate timestamping by synchronizing device clocks.

Cisco AutoSecure

Automated tool to assess and improve router security.

Routing Protocol Authentication

Using authentication methods to prevent spoofing and unauthorized route updates.

Routing Protocol Spoofing

Traffic is redirected to create routing loops, redirected so it can be monitored on an insecure link, or redirected so it is discarded.

Cisco IOS Resilient Configuration

It secures the Cisco IOS image and configuration files.

Syslog

A standard protocol for network logging, used on Cisco devices to support network security monitoring.

Single Router Approach

An edge router setup using a single router to administer network security policies.

Defense in Depth

An edge router setup strategy involving multiple layers of security using routers and a firewall.

DMZ Approach

An edge router setup that includes a firewall and a DMZ to isolate traffic.

Router Security Areas

Physical security, router OS and config file security, and router hardening.

Local Access

Connecting via console or AUX ports directly to a network device.

Remote Access

Connecting over the network using Telnet/SSH, or through a modem attached to the AUX port.

Password Encryption

A method that obscures the enable password from casual view, but one that is easily cracked.

Secret Passwords

Type 8 or 9 passwords using MD5, SHA256 or Scrypt encryption.

Legal banner

A banner displayed before login that warns unauthorized users they may face legal prosecution.

Login Delay

Command that adds a delay between successive login attempts.

Login Block-For

A security feature that freezes login attempts to slow down attackers.

Login Success

Command syntax is: login on-success log [every login]

Login Failures

Command syntax is: login on-failure log [every login]

SSH

A protocol providing secure, encrypted remote access. Replaces Telnet.

Role-Based CLI

Specifies admin roles and access rather than a privilege level.

Command Availability

A router configuration using privilege levels to control command availability.

Secure Bootset

A command that secures both images and configurations.

Security Audit

Tool that analyzes device configurations and identifies potential vulnerabilities.

Routing Protocol SHA Authentication

Use a key chain to specify an SHA authentication key.

Study Notes

Securing Device Access

  • Securing the network perimeter is a key component
  • Configuring secure administrative access to Cisco routers is crucial
  • Enhanced security for virtual logins improves overall security
  • Configuring an SSH daemon enables secure remote management

Edge Router Security

  • Single Router Approach: A basic setup using one router to connect the LAN to the Internet
  • Defense in Depth Approach: Employs multiple layers of security, including firewalls and multiple routers
  • DMZ Approach: Uses a demilitarized zone to isolate public-facing servers from the internal network
  • Router security involves physical security, securing the router operating system and config files, and router hardening

Secure Administrative Access

  • Tasks include restricting device accessibility, logging all access, authentication, and authorization
  • Present legal notification and ensure data confidentiality

Local and Remote Access

  • Local Access: Direct connection to the router, typically using a console cable
  • Remote Access via Telnet/SSH: Enables access over a network connection
  • Remote Access via Modem: Allows connections through an auxiliary port

Strong Passwords

  • Passwords should be 10 or more characters and use a mix of upper/lowercase letters, numbers, symbols and spaces
  • They should not be based on easily identifiable information and should be changed often
  • Never write passwords down in plain sight
  • secret: weak (a simple dictionary word)
  • b67n42d39c: strong (combines alphanumeric characters)
  • smith: weak (a mother's maiden name)
  • 12^h u4@1p7: strong (combines alphanumeric characters and symbols, and includes a space)
  • toyota: weak (a make of car)
  • bob1967: weak (the name and birthday of the user)
  • Blueleaf23: weak (simple words and numbers)

Increasing Access Security

  • It is possible to enforce a minimum password length of 10 characters
  • Enable password encryption
  • Configure login timeouts

Secret Password Algorithms

  • Use either type 8 or type 9 password encryption
  • The enable algorithm-type and username algorithm-type commands specify which password encryption type is used

Securing Line Access

  • Commands can be configured on a router, specifically for console, AUX, and VTY lines
  • Use a local username database in conjunction with SSH on the virtual terminal lines

Enhancing Login Security

  • Delays between login attempts can slow down brute-force attacks
  • Login shutdown can be enabled if DoS attacks are suspected
  • System-logging messages can be configured for login detection

Login Enhancements

  • The lockout is set with the syntax "login block-for seconds attempts tries within seconds"
  • The syntax "login delay seconds" sets a delay between login attempts

Logging Failed Attempts

  • Login Syslog Messages can be generated

SSH Configuration

  • Configure a domain name, generate the RSA keys, set the SSH version, create a username, and configure the related VTY line settings
  • SSH can be enabled on a Cisco router to function as an SSH server or client
  • A client can connect through programs like PuTTY, OpenSSH, or TeraTerm

Assigning Administrative Roles

  • Administrative privilege levels can control command availability
  • Role-based CLI access can also control command availability

Privilege Levels

  • Level 0 is for user-level access, Level 1 is the default for router login, levels 2-14 are customizable, and Level 15 is for enable mode
  • User EXEC mode (level 1): User-level commands at the router> prompt
  • Privileged EXEC mode (level 15): Enable-level commands at the router# prompt

Privilege Level Syntax

  • privilege mode {level level | reset} command

Limitations of Privilege Levels

  • No access control is possible to specific interfaces, ports, logical interfaces, and slots on a router
  • Commands available at lower privilege levels are always executable at higher privilege levels
  • Setting commands at higher privilege levels does not make them available to lower-privilege users

Role-Based CLI Access

  • Security operator privileges: includes configuring AAA, firewall, IDS/IPS, and NetFlow
  • WAN engineer privileges: includes configuring routing and interfaces

Role Based Views

  • Superviews are a combination of CLI views

Monitoring and Managing Devices

  • Use the Cisco IOS resilient configuration feature
  • Compare in-band and out-of-band management access
  • Configure syslog to log system events
  • Configure secure SNMPv3 access using an ACL
  • Configure NTP to enable accurate timestamping

Cisco IOS Resilient Configuration Feature

  • Ensures the configuration file in the primary bootset mirrors the router's running configuration when the feature was enabled
  • Secures the smallest set of files to save storage space and automatically detects any image or configuration version mismatch
  • Local storage is used for securing files, which avoids scalability issues associated with TFTP servers
  • Can only be disabled through a console session

Enabling IOS Image Resilience Feature

  • Enabled with the secure boot-image command

Syslog

  • Syslog is a service that sends log messages to a syslog server
  • Used to support network security monitoring

Syslog Message

  • Level 0 (emergencies): System is unusable
  • Level 1 (alerts): Immediate action is needed
  • Level 2 (critical): Critical conditions exist
  • Level 3 (errors): Error conditions exist
  • Level 4 (warnings): Warning conditions exist
  • Level 5 (notifications): Normal but significant condition
  • Level 6 (informational): Informational messages only
  • Level 7 (debugging): Debugging messages

Message Breakdown

  • The sequence number is the first item
  • The timestamp displays if service timestamps log is configured
  • The remaining items identify the source (facility), the severity level, the mnemonic, and the message text

Configuring System Logging

  • Step 1: logging host [hostname | ip-address]
  • Step 2 (optional): logging trap level
  • Step 3: logging source-interface interface-type interface-number
  • Step 4: logging on

NTP

  • Accurate, synchronized time across the network keeps device operations and log timestamps consistent

NTP Server Config

  • Configured with the ntp master 1 command

NTP Authentication Config

  • Configured using the ntp authenticate, ntp authentication-key, and ntp trusted-key commands

Using Automated Security Features

  • Use security audit tools to identify vulnerabilities on IOS-based routers, and use AutoSecure to enable security features on them

Discovery protocols

  • Protocols like CDP and LLDP help uncover potential vulnerabilities

Settings For Protocols and Services

  • Additional recommendations to ensure a device is secure: disable unnecessary services and interfaces, and restrict commonly configured management services
  • Disable probes and scans, gratuitous ARPs, and IP directed broadcasts

Cisco Auto Secure Parameters

  • no-interact: Prevents interactive configuration prompts
  • full: Prompts for all interactive questions
  • forwarding: Secures only the forwarding plane
  • management: Secures only the management plane
  • ntp, login, ssh, firewall, tcp-intercept: Specifies configuration of each specific feature

Operation of Auto Secure

  • The AutoSecure command is entered and the wizard gathers information about the outside interfaces
  • AutoSecure secures the management plane by disabling unnecessary services
  • AutoSecure prompts for a banner and for passwords, then enables the password and login security features

Securing the Control Plane

  • Securing the control plane involves configuring routing protocol authentication in conjunction with Control Plane Policing to prevent spoofing

Routing Protocol Spoofing

  • Traffic can be redirected to create routing loops
  • Traffic can be redirected so it is monitored on an insecure link
  • Traffic can be redirected so it is discarded

Authentication

  • OSPF authentication can be implemented using either MD5 or SHA algorithms

OSPF MD5 Routing Protocol Authentication

  • Must be configured on the interfaces of both neighboring routers

OSPF SHA Routing Protocol Authentication

  • Step 1: Specify an SHA authentication key chain.
  • Step 2: Assign the authentication key chain to the desired interfaces.

CoPP

  • Control Plane Policing protects the control plane and allows various levels of monitoring on interfaces
