Network Device Security

Questions and Answers

Which of the following is NOT a primary area to consider when implementing router security?

  • Physical Security
  • User Account Security (correct)
  • Router Hardening
  • Router Operating System and Configuration File Security

Which action is a critical task when securing administrative access to a network device?

  • Disabling authentication to improve usability.
  • Allowing unrestricted access for all users.
  • Using default passwords to simplify access.
  • Logging and accounting for all access attempts. (correct)

Which of the following is generally considered a characteristic of a strong password?

  • Using a simple dictionary word.
  • A password that includes personal information such as a name or birthdate.
  • A password that contains a mix of uppercase and lowercase letters, numbers, and symbols. (correct)
  • A short password that is easy to remember.

What is the primary purpose of the service password-encryption command on a Cisco router?

To encrypt passwords stored in the router's configuration file. (C)

Which command is used to configure a username with a specific privilege level on a Cisco device?

username [name] privilege [level] [password] [secret] (C)

What is the range of privilege levels available on a Cisco IOS device?

0 to 15 (D)

What is a primary limitation of using privilege levels for command authorization?

Commands available at lower privilege levels are also executable at higher privilege levels. (C)

What is the purpose of Role-Based CLI Access (RBAC) in network device management?

To restrict the commands available to specific network administrators based on their roles. (B)

Which of the following is a key benefit of using the Cisco IOS Resilient Configuration feature?

It secures the Cisco IOS image and configuration files by detecting mismatches. (B)

What is the purpose of configuring syslog in a network environment?

To log system events and messages for monitoring and troubleshooting. (B)

Which syslog severity level indicates the most severe condition?

Emergencies (D)

What does SNMP primarily provide for network management?

A framework for monitoring and managing network devices. (B)

Which of the following is the primary purpose of NTP (Network Time Protocol) in network security?

Enabling accurate timestamping for log files and events. (D)

What is the function of the Cisco AutoSecure feature?

To provide automated security configuration on Cisco IOS-based routers. (C)

What security measure can mitigate the consequences of routing protocol spoofing?

Configuring routing protocol authentication. (D)

What type of attack does Control Plane Policing (CoPP) help to mitigate?

Denial-of-service (DoS) attacks (D)

An engineer wants to configure a Cisco router so that all passwords, including the enable password, are encrypted in the configuration file. Which command globally achieves this?

service password-encryption (D)

An administrator needs to configure a router to send syslog messages to a central server with the IP address 192.168.1.10. Additionally, they want to ensure that only informational messages and above are logged. Which set of commands will accomplish this?

logging host 192.168.1.10; logging trap 6 (D)

An engineer is tasked with increasing the security of OSPF routing protocol advertisements. They decide to implement SHA authentication. Which set of commands is necessary to achieve this configuration on the interface?

key chain ospf-auth; key 1; key-string cisco123; cryptographic-algorithm hmac-sha-256; ip ospf authentication key-chain ospf-auth (C)

A network administrator wants to harden a Cisco router against common security threats using the AutoSecure feature. However, they want to avoid being prompted for any interactive configuration options during the AutoSecure process. Which command should they use?

auto secure no-interact (B)

Flashcards

Edge Router Security Approaches?

Single Router, Defense in Depth, and DMZ.

Three Areas of Router Security?

Physical, Router Operating System and Configuration File Security and Router Hardening.

Secure Administrative Access Tasks?

Restrict device access, log all access, authenticate, authorize, present legal notification, ensure data confidentiality.

Strong Password Guidelines?

Use a password length of 10 or more characters. Include a mix of uppercase and lowercase letters, numbers, symbols, and spaces.

Secret password algorithms?

Use the enable algorithm-type command syntax to enter an unencrypted password.

Virtual login security enhancements?

Implement delays between login attempts, enable login shutdown if DoS attacks are suspected, log login attempts.

What does banner motd do?

Defines a banner message that users see before logging in.

Connecting to an SSH-Enabled Router?

Using an SSH client running on a host, enable SSH and use a Cisco router as an SSH server or SSH client.

Privilege command mode?

Specifies the configuration mode. Use the privilege ? command to see a complete list of router configuration modes available on your router.

Privilege Levels on a Cisco Router?

Level 0: User, Level 1: Default, Level 2-14: Customized, Level 15: Enable.

Security operator privileges?

A security operator can configure AAA, issue show commands, and configure the firewall, IDS/IPS, and NetFlow.

Cisco IOS Resilient Configuration Feature?

Secures the Cisco IOS image and configuration files.

Using Syslog for Network Security?

Syslog is for logging system events.

Syslog Security Levels?

0-Emergencies, 1-Alerts, 2-Critical, 3-Errors, 4-Warnings, 5-Notifications, 6-Informational, 7-Debugging.

Syslog Message?

A syslog message contains a sequence number, timestamp, facility, severity, mnemonic, and description.

Using SNMP for Network Security?

SNMP facilitates network device management.

Auto Secure Command Parameters?

auto secure [no-interact | full] [forwarding | management] [ntp | login | ssh | firewall | tcp-intercept]

What does the auto secure command wizard gather information about?

It is not the outside interfaces.

Consequences of routing protocol spoofing?

Redirect traffic to create routing loops, monitor on an insecure link, or discard traffic.

Control and Management Planes?

ACLs, AAA, SYSLOG, SNMP, and OSPF

Study Notes

Securing Network Devices

  • Focuses on securing network devices, covering device access, administrative roles, monitoring, automated security features, and control plane security.

Securing the Edge Router

  • Edge routers need physical security, OS and config file security, and router hardening.
  • Security approaches include the single-router approach, defense in depth with firewalls, and the DMZ (demilitarized zone) approach.

Secure Administrative Access

  • Restrict device accessibility.
  • Log and account for all access attempts.
  • Both authenticate and authorize access.
  • Present legal notification.
  • Ensure data confidentiality.

Local and Remote Access

  • Local access is from a PC via a serial connection to the router.
  • Remote access uses Telnet/SSH, or a modem attached to the aux port.

Strong Passwords

  • Guidelines for strong passwords include using a length of 10+ characters.
  • A mix of uppercase and lowercase letters, numbers, symbols, and spaces should be used.
  • Passwords that contain easily identifiable pieces of information should be avoided.
  • Misspell passwords deliberately (e.g., Smith = Smyth = 5mYth).
  • Change passwords often.
  • Do not write passwords down and leave them where they can be seen.

Increasing Access Security

  • Minimum password lengths should be configured using the security passwords min-length command.
  • The service password-encryption command encrypts passwords in the configuration.
  • The exec-timeout command sets the inactivity timeout for terminal lines.

Secret Password Algorithms

  • Configure all secret passwords using type 8 or type 9 passwords.
  • Use the enable algorithm-type command to enter an unencrypted password.
  • Use the username name algorithm-type command to specify type 9 encryption.

Securing Line Access

  • Secure console and aux lines by using the login local command and removing the password.
  • Enable SSH and use a local database for authentication on VTY lines.

Enhancing the Login Process

  • Implement delays between successive login attempts.
  • Enable login shutdown if DoS attacks are suspected.
  • Generate system-logging messages for login detection.

Enable Login Enhancements

  • The command syntax is login block-for seconds attempts tries within seconds.
  • login delay 3 sets a delay of 3 seconds between login attempts.

Logging Failed Attempts

  • Login syslog messages can be generated with commands such as login on-success log [every login] and login on-failure log [every login].
  • The rate of failed logins can be limited with the security authentication failure rate threshold-rate log command.
  • The show login failures command shows failed login attempts.

Configuring SSH

  • Assign a hostname and domain name.
  • Generate RSA keys with crypto key generate rsa general-keys modulus 1024.
  • Enable SSH version 2 with ip ssh version 2.
  • Create a local user account with secured password.
  • Configure VTY lines to use local login and SSH transport with commands such as login local and transport input ssh.

Connecting to an SSH-Enabled Router

  • SSH can be enabled, and a Cisco router can be used either as an SSH server or an SSH client.
  • As a client, the router can connect via SSH to another SSH-enabled router.
  • An SSH client running on a host, such as PuTTY, OpenSSH, or TeraTerm, can also be used.

Configuring Privilege Levels

  • Privilege levels can be configured to control command availability.
  • Levels range from 0 (user) to 15 (enable).
  • The privilege mode {level level | reset} command is used to set privilege levels for specific commands.

Limitations of Privilege Levels

  • No access control to specific interfaces, ports, logical interfaces, and slots on a router.
  • Commands available at lower privilege levels are always executable at higher privilege levels.
  • Commands specifically set at higher privilege levels are not available to lower privilege users.
  • Assigning a command with multiple keywords allows access to all commands that use those keywords.

Role-Based CLI Access

  • Helps configure AAA, issue show commands, configure the firewall, and so on.
  • Helps configure routing and interfaces.

Role-Based Views

  • Views help configure interfaces.
  • Superviews contain views but not commands; two superviews can use the same view.

Securing Cisco IOS Image and Configuration Files

  • The Cisco IOS resilient configuration feature can be used.
  • The feature is only available on systems that support a PCMCIA Advanced Technology Attachment (ATA) flash interface.

Cisco IOS Resilient Configuration Feature

  • Configuration is copied to the bootset.
  • Secures files in a way that preserves storage; it does not require extra space.
  • Automatically detects image or configuration version mismatch.
  • Disabling the feature can only be performed through a console session.

Enabling the IOS Image Resilience Feature

  • Use the secure boot-image command to secure the running image.
  • Use the secure boot-config command to secure the configuration archive.
  • Use the show secure bootset command to verify the secure bootset on the router.

Using Syslog for Network Security

  • Syslog is capable of logging system events.

Introduction to Syslog

  • A syslog server is required; routers and switches send their system messages to it.

Syslog Message

  • Various security levels exist from “emergencies” to “debugging”.
  • Syslog messages contain a sequence number, timestamp, facility code, severity level, mnemonic, and description.

Configuring System Logging

  • logging host [hostname | ip-address] configures the syslog server.
  • logging trap level sets the severity level to log.
  • logging source-interface interface-type interface-number specifies the source interface for Syslog messages.
  • logging on enables logging.

Introduction to SNMP

  • Network nodes are managed through SNMP.

Using NTP

  • Network Time Protocol (NTP) should be used for accurate timestamping between devices.

NTP Server

  • Requires configuration with an NTP master.

NTP Authentication

  • Requires NTP authentication to be configured.

Performing a Security Audit

  • Security settings need to be verified for protocols and services.
  • Unnecessary services/interfaces should be disabled.
  • Management services must be disabled and restricted.
  • Disable probes and scans and enable terminal access security.
  • Disable Gratuitous and Proxy ARPs.
  • Disable IP-directed broadcasts.

Locking Down a Router Using AutoSecure

  • AutoSecure is used to enhance the security of the router.

Using the Cisco AutoSecure Feature

Important command parameters include: no-interact, full, forwarding, management, ntp, login, ssh, firewall and tcp-intercept.

Using the auto secure Command

  • The auto secure command is entered.
  • A wizard gathers information about the outside interfaces.
  • Management and forwarding planes are secured.
  • A banner is prompted for.
  • Password and login features are prompted for.
  • Interfaces are secured.

Routing Protocol Spoofing

  • Spoofing will redirect traffic to create routing loops.
  • Traffic redirects could allow monitoring on an insecure link.
  • Traffic redirects could allow traffic to be discarded.

OSPF MD5 Routing Protocol Authentication

  • Requires MD5 authentication to be set up and configured.

OSPF SHA Routing Protocol Authentication

  • Requires configuration on the interface, with the interface type and number specified.

Control Plane Policing

  • The goal of policing is to protect the control plane.
