Edge Router Security

Questions and Answers

Which security approach involves creating a non-secure zone between the internet and the internal network?

  • Defense in Depth Approach
  • Routing Hardening
  • DMZ Approach (correct)
  • Single Router Approach

What does ensuring the 'confidentiality of data' achieve within secure administrative access tasks?

  • Authenticating user access
  • Restricting device accessibility
  • Preventing unauthorized disclosure of information (correct)
  • Authorizing administrative actions

Which of the following is NOT a guideline for creating strong passwords?

  • Using a password length of 10 or more characters
  • Using a mix of uppercase and lowercase letters
  • Using passwords based on easily identifiable information (correct)
  • Changing passwords often

Which command is used to enter an unencrypted password with a specified algorithm type?

enable algorithm-type (D)

What is privilege level 15 typically reserved for?

Enable mode privileges (B)

In the context of privilege levels, what does the reset command option do?

Resets the privilege level of a command (B)

Which mode grants access to all enable-level commands on a router?

Privileged EXEC mode (privilege level 15) (C)

Which of the following is NOT a limitation of privilege levels?

There's access control to specific interfaces, ports and logical interfaces on a router. (C)

What does a syslog server provide?

A centralized system logging (C)

In a syslog message, which field denotes the source or cause of the system message?

facility (D)

What does the acronym SNMP stand for?

Simple Network Management Protocol (C)

What is the purpose of setting 'traps rules' in SNMP?

To determine what message will be sent to the manager under certain conditions. (A)

Which SNMP version provides secure access to devices by authenticating and encrypting packets?

SNMPv3 (B)

Which of the following BEST describes the advantage of 'message integrity & authentication' in SNMPv3?

Guaranteeing the identity of the sender and the integrity of the message. (A)

When configuring SNMPv3 security, what is the initial step?

Configure an ACL to permit the protected management network (A)

In syslog, if a message has a severity level of 0, what does this indicate?

System Unusable (D)

What does 'routing hardening' refer to in the context of router security?

Securing the router's operating system and configuration. (A)

Which of the following encryption algorithms is NOT an option when configuring a user as a member of the SNMP group in SNMPv3?

rsa (B)

What is the potential risk associated with the SNMP actions 'get' and 'set'?

They are vulnerabilities that can open SNMP to an attack. (C)

You are tasked with configuring a router to forward syslog messages to a central server. However, you need to ensure only critical events are sent. Which syslog severity level should the router be configured to send, at a minimum, to meet this requirement and why?

Level 2 (Critical), because it represents conditions which need immediate attention. (A)

Defense in Depth involves utilizing a single firewall for network protection.

False (B)

A DMZ is a highly secure zone for sensitive data storage.

False (B)

Physical security, router OS security, and routing hardening are key areas of router security.

True (A)

Restricting device accessibility is not a task of secure administrative access.

False (B)

A strong password should be easy to guess.

False (B)

Using a password length of less than 8 characters is a strong password practice.

False (B)

It is recommended to write passwords down and leave them in an obvious place.

False (B)

Configuring type 7 passwords provides stronger encryption than type 8 or type 9.

False (B)

Privilege level 15 is reserved for enable mode.

True (A)

User EXEC mode (privilege level 1) allows all enable-level commands.

False (B)

Commands available at higher privilege levels are also available at lower privilege levels.

False (B)

A syslog server consolidates system logs in one location.

True (A)

In a Syslog message, the facility field denotes the destination IP address of the log.

False (B)

SNMP is primarily designed to reconfigure physical hardware components within a network device.

False (B)

An SNMP environment can have multiple managers for redundancy.

False (B)

SNMPv1 offers enhanced security features, including encryption.

False (B)

In SNMP, the manager uses 'traps' to request information from agents.

False (B)

The primary advantage of SNMPv3 is reduced network overhead compared to previous versions.

False (B)

Configuring an ACL is an optional step when implementing SNMPv3 security.

False (B)

In SNMPv3 configuration, choosing des, 3des, or aes determines the hashing algorithm used for authentication.

False (B)

Flashcards

Edge Router Security Approaches

Securing edge routers through single router, defense in depth, or DMZ approaches.

Three Areas of Router Security

Physical security, router OS/config file security, and routing hardening.

Secure Admin Access Tasks

Restrict access, log all activity, authenticate users, authorize actions, provide legal notices, and protect data.

Strong Password Guidelines

Use >=10 characters, mix case/numbers/symbols, avoid personal info, misspell, change often, and don't write down.

Secret Password Configuration

Type 8 or 9 passwords should be configured.

Router Privilege Levels

Level 0 (user), Level 1 (default), Levels 2-14 (customizable), Level 15 (enable mode).

Levels of Access Commands

User EXEC mode (level 1) and Privileged EXEC mode (level 15).

Limitations of Privilege Levels

No granular access, lower levels accessible at higher levels, higher levels not available at lower levels, keywords affect access.

Syslog Server Operation

Centralized logging, collects errors/logs, decodes events, aids intrusion detection.

Syslog Severity Levels

System Unusable is level 0, Debugging Message is level 7.

Syslog Message Format Fields

seq no, timestamp, facility, severity, MNEMONIC, description.

SNMP Definition

Collecting/organizing info about devices on IP networks and changing their behavior; monitors device status.

SNMP Devices

SNMP Agent and SNMP Manager (one only).

SNMP Versions

SNMPv1 (no security), SNMPv2c (no security), SNMPv3 (more secure).

SNMP Setup Steps

Set up management console, install agent software, set traps rules.

SNMP Communication Types

Traps (agent to manager) and Get/Set (manager to agent).

Advantages of SNMPv3

Message integrity/authentication, encryption, and access control.

Config Steps for SNMP v3

Configure ACL, SNMP view, SNMP group, and an SNMP account.

DMZ Approach

A security approach where a network is divided into different security zones, with the DMZ acting as a buffer between the internal network and the external, untrusted network.

Defense in Depth

Protecting a system by implementing security measures at multiple layers.

Enable algorithm command use

Use the 'enable algorithm-type' command and specify the encryption type (md5, scrypt, or sha256) and the unencrypted password.

Username Algorithm-type Command

Use the 'username name algorithm-type' command and specify the encryption type (md5, scrypt, or sha256) and the unencrypted password.

Study Notes

Edge Router Security Approaches

  • Single Router Approach: Uses a single router for network security.
  • Defense in Depth Approach: Employs multiple security layers, including firewalls.
  • DMZ Approach: Creates a demilitarized zone separating servers from the internal network; it is neither a military zone nor a secure zone.

Three Areas of Router Security

  • Physical security: Protection of the physical router device.
  • Router operating system and security configuration file: Secure the router's software and settings.
  • Routing hardening: Enhance the router's security through configurations.

Secure Administrative Access Tasks

  • Restrict device accessibility: Limit access to the router.
  • Log and account for all access: Track and monitor access.
  • Authenticate access: Verify user identity.
  • Authorize actions: Control user actions.
  • Present legal notification: Display legal notices during login.
  • Ensure data confidentiality: Protect sensitive information.

Strong Passwords Guidelines

  • Password length should be at least 10 characters.
  • Include uppercase, lowercase letters, numbers, symbols, and spaces.
  • Passwords should not be based on easily identifiable information.
  • Deliberate misspelling enhances password complexity (e.g., Smith = Smyth = 5mYth).
  • Change passwords regularly.
  • Avoid recording passwords in easily discoverable places.
  • Examples of weak passwords include simple dictionary words, mother's maiden names, car make or model, names and birthdays, or simple numbers.
  • Strong passwords combine alphanumeric characters, symbols, and spaces.

Secret Password Algorithms Guidelines

  • Type 8 or type 9 passwords should be used for all secret passwords.
  • Use the enable algorithm-type command syntax to enter an unencrypted password.
  • Specify type 9 encryption with the username name algorithm-type command.

Privilege Levels

  • Level 0: Predefined for user-level access privileges.
  • Level 1: Default level for login with the router prompt.
  • Levels 2-14: Customizable for user-level privileges.
  • Level 15: Reserved for enable mode privileges.
  • User EXEC mode (privilege level 1) grants access to the lowest EXEC mode user privileges, enabling only user-level commands at the router prompt.
  • Privileged EXEC mode (privilege level 15) grants access to all enable-level commands at the router# prompt.

Limitations of Privilege Levels

  • No access control to specific interfaces, ports, logical interfaces, and slots on a router.
  • Commands available at lower privilege levels remain executable at higher privilege levels.
  • Commands specifically set at higher privilege levels are not available for lower privilege users.
  • Multiple keywords assigned to a command grant access to all commands that use those keywords.

Syslog Server

  • Syslog servers offer centralized system logging.
  • Collects errors and system logs in one location.
  • Coordinates and decodes system events across multiple systems.
  • Forwards event logs to an IDS/IPS for intrusion detection.
  • Monitors and keeps records of network events.

Syslog Severity Levels

  • Emergency (Level 0): System Unusable.
  • Alert (Level 1): Immediate Action Needed.
  • Critical (Level 2): Critical Condition.
  • Error (Level 3): Error Condition.
  • Warning (Level 4): Warning Condition.
  • Notification (Level 5): Normal, but Significant Condition.
  • Informational (Level 6): Informational Message.
  • Debugging (Level 7): Debugging Message.

Syslog Message Format

  • Seq no: Stamps log messages with a sequence number if the service sequence-numbers command is configured.
  • Timestamp: Date and time of the message, appearing only if the service timestamps command is configured.
  • Facility: Refers to where the message originated.
  • Severity: Severity is indicated as a single-digit code from 0 to 7.
  • MNEMONIC: A unique text string describing the message.
  • Description: Provides detailed information about the event being reported through a text string.

Simple Network Management Protocol (SNMP)

  • SNMP collects, organizes, and modifies managed device information on IP networks.
  • Monitors status of devices in a network.
  • Consists of one SNMP Manager and multiple agents.

Steps for SNMP

  • Set up the management console on the management server.
  • Install agent software on all network devices.
  • Set trap rules to send messages to the manager, i.e., a notification any time the memory utilization is >30, and when a memory is infected on the agents.
  • SNMP versions include SNMPv1 (no security), SNMPv2c (no security), and SNMPv3 (more secure).
  • SNMPv3 uses authentication and packet encryption for secure device access.

Advantages of SNMPv3

  • Message integrity and authentication: Sender identity and message integrity are guaranteed through authenticated transmissions.
  • Encryption: Preserves privacy of SNMPv3 messages through encryption.
  • Access control: Allows agents to enforce access control to restrict each principal to certain actions on specific portions of data.

Configuring SNMPv3 Security

  • Step 1: Configure an ACL to permit the protected management network.
  • Step 2: Configure an SNMP view.
  • Step 3: Configure an SNMP group.
  • Step 4: Configure a user as a member of the SNMP group.
