Router Security Principles

Questions and Answers

Which of the following is NOT a security principle used to secure administrative access to a router?

Logging and accounting for all access

Restricting device accessibility

Using a strong firewall to block all inbound traffic (correct)

Authenticating access

What is the recommended minimum password length to secure a router?

12 characters

8 characters

10 characters (correct)

6 characters

Which of the following is considered a good practice for creating strong router passwords?

Reusing the same password for multiple devices

Using a dictionary word or common phrase

Using a password that is easy to remember and is frequently used

Including a mix of uppercase and lowercase letters, numbers, symbols, and spaces (correct)

Which of the following is NOT a method for securing remote access to a router?

SSL (D)

What are the three main areas of router security that need to be considered?

Physical security, administrative access security, and data security (B)

Which of the following privilege levels provides user access to a device?

0 (A), 1 (B)

What command enables privileged EXEC mode in a Cisco router?

enable (C)

Which privilege level is reserved for the enable mode?

15 (D)

What is the default privilege level for a user logging into the router?

1 (D)

Which mode is associated with privilege level 1?

User EXEC mode (C)

What is the purpose of configuring privilege levels?

To limit command availability based on user roles (A)

What privilege level is associated with the router> prompt?

1 (D)

In what range can privilege levels be customized for user-level privileges?

2-14 (D)

What is a primary disadvantage of using privilege levels to restrict access to a router?

Privilege levels do not provide granular control over access to specific router components. (B)

Which of the following is NOT a benefit of using role-based CLI access control on a router?

It eliminates the need for complex password management procedures. (A)

What is a key advantage of using the Cisco IOS resilient configuration feature?

It allows the router to automatically recover its configuration in case of a failure. (C)

How does Syslog contribute to network security?

Syslog logs system events and security violations, enabling administrators to analyze and respond to security threats. (A)

Which of the following is a characteristic of in-band management access to a router?

It uses the same network connection as the router's data traffic. (C)

Why might a network administrator configure secure SNMPv3 access on a router?

To enforce authentication and encryption for SNMP communication to protect sensitive data. (C)

Which of the following is NOT a common practice for securing Cisco IOS images and configuration files?

Configuring NTP to synchronize the clock on all devices. (D)

Which of the following is a strong password?

b67n42d39c (C)

Which of the following is an effective way to enhance virtual login security?

Implementing delays between successive login attempts (B)

What is the purpose of the command show login failures?

To view a list of failed login attempts (A)

What is the importance of using strong passwords?

Strong passwords are less likely to be guessed (D)

Which of the following is an example of a weak password?

Blueleaf23 (C)

Secure administrative access typically involves logging and accounting for all access to a device.

True (A)

The DMZ Approach to router security involves placing the router directly on the public internet.

False (B)

Configuring a router with a strong password and disabling unused ports are examples of securing the edge router.

True (A)

Using a combination of uppercase and lowercase letters, numbers, and special characters is an example of a weak password.

False (B)

Enabling SSH on a router allows secure remote management using encrypted connections.

True (A)

A good password for a router should be at least 8 characters long and include a combination of uppercase and lowercase letters, numbers, and special characters.

True (A)

The command login delay is used to implement delays between successive login attempts, thus mitigating DoS attacks.

True (A)

The username name algorithm-type command syntax is used to specify type 8 encryption for passwords.

False (B)

The show login failures command is used to generate system-logging messages for login detection and security analysis.

True (A)

The command login block-for is used to enable login shutdown if DoS attacks are suspected.

False (B)

Privilege level 0 is specifically designated for user-level access privileges.

True (A)

Privilege level 1 is the default level for logging in to the router, where only user-level commands are available at the router> prompt.

True (A)

Privilege levels 2 to 14 can be customized to provide different user-level privileges.

True (A)

Privilege level 15 is reserved for the enable mode privileges, granting access to all enable-level commands, including configuration changes.

True (A)

The user EXEC mode is associated with privilege level 15.

False (B)

The command ip access-list standard 10 permit 192.168.1.0 0.0.0.255 is used for configuring basic access control lists (ACLs).

True (A)

When configuring privilege levels, you can assign a particular privilege level number multiple times to different users.

False (B)

Privilege levels are a form of role-based CLI access control, allowing for granular control over command access.

False (B)

Commands available at a lower privilege level are never executable at a higher privilege level.

False (B)

The enable command is used to enter the privileged EXEC mode on a Cisco router.

True (A)

Role-based CLI access provides a way to restrict user access to specific commands and configurations, ensuring only authorized users have access to sensitive operations.

True (A)

The Cisco IOS Resilient Configuration feature allows for redundancy in the configuration files, ensuring that if one file becomes corrupted, the router can still boot using a backup configuration.

True (A)

The Syslog feature on a Cisco router provides a mechanism for logging system events, including security-related events, which can then be used to diagnose issues and identify potential security threats.

True (A)

In-band management access provides secure access to a network device through a separate network interface, ensuring that management traffic is not susceptible to attacks on the main network.

False (B)

Configuring secure SNMPv3 access can help protect sensitive device information by utilizing authentication and encryption for SNMP communications, adding a significant layer of security to network management.

True (A)

Study Notes

Chapter 2: Securing Network Devices

• This chapter covers securing network devices, specifically Cisco routers.
• The CCNA Security v2.0 curriculum is the focus.
• Dr. Nadhir Ben Halima is the instructor.

Chapter Outline

• The outline details the topics within the chapter: introduction, securing device access, assigning administrative roles, monitoring and managing devices, using automated security features, securing the control plane, and the summary.

Section 2.1: Securing Device Access

• Upon completion, students will be able to explain securing a network perimeter.
• Configure secure administrative access to Cisco routers.
• Configure enhanced security for virtual logins.
• Configure SSH daemon for secure remote management.

Topic 2.1.1: Securing the Edge Router

• This section discusses different approaches to securing edge routers, including single router, defense in depth, and DMZ approaches.
• Diagrams illustrate these approaches.

Edge Router Security Approaches

• Single Router Approach: Basic security using only one router to filter traffic.
• Defense in Depth Approach: Multiple layers of security such as firewalls to protect the network.
• DMZ Approach: Creates a separate zone between the internet and the internal network.

Three Areas of Router Security

• Physical Security: Protecting the physical device from theft or damage.
• Router Operating System and Configuration File Security: Protecting code from modification.
• Router Hardening: General security measures.

Secure Administrative Access

• Tasks: Restricting device access, logging all access, authenticating access, authorizing actions, providing legal notifications, and ensuring data confidentiality.

Secure Local and Remote Access

• Describes methods for local and remote access to routers.
• Includes diagrams illustrating Telnet/SSH, modem, and auxiliary port remote access.

Topic 2.1.2: Configuring Secure Administrative Access

• This section focuses on secure administrative access, especially strong passwords.

Strong Passwords

• Passwords should be at least 10 characters long.
• Employ a mix of uppercase and lowercase letters, numbers, symbols, and spaces.
• Avoid using easily identifiable information.
• Deliberately misspell passwords.
• Frequently change passwords.
• Do not write passwords down or leave them in obvious places.

Increasing Access Security

• This is a section related to increasing access security.
• Detailed commands are provided including configurations to improve password security.

Secret Password Algorithms

• This outlines how to configure secret passwords using specific types.
• This section describes commands and methods for enabling unencrypted passwords.

Securing Line Access

• Specific configuration instructions for securing router lines.

Topic 2.1.3: Configuring Enhanced Security for Virtual Logins

• The presentation provides information on enhancing security for virtual logins.

Enhancing the Login Process

• This part covers implementing delays between successive login attempts.
• Enabling login shutdown if DoS attacks are suspected.
• Generating system-logging messages for login detection.

Enable Login Enhancements

• Detailed commands show how to enable login enhancements.
• This section discusses login delay and blocking attempts.

Logging Failed Attempts

• Generating syslog messages for failed login attempts.
• Using show login failures command to view failed attempts. Examples of failed login attempts are provided.

Topic 2.1.4: Configuring SSH

• This section covers SSH configuration for secure remote access.
• It includes detailed steps for configuring SSH.
• It explains generating secure RSA certificates for authentication. Steps are provided to generate and manage SSH keys.

Steps for Configuring SSH

• This section provides specific commands and steps for configuring SSH.

Connecting to an SSH-Enabled Router

• This section describes two-way connections: configuring the router as an SSH server or client.
• Using clients such as PuTTY.

Section 2.2: Assigning Administrative Roles

• Explains configuring administrative privilege levels.
• Describes configuring role-based CLI access to control command availability.

Topic 2.2.1: Configuring Privilege Levels

• The presentation provides details on privilege levels for access control on Cisco routers.

Limiting Command Availability

• Explains default privilege levels, user EXEC mode, and privileged EXEC mode commands.
• Discusses privilege level syntax and descriptions with examples. Also details the different levels.

Configuring and Assigning Privilege Levels

• Shows commands and configurations for assigning privilege levels with specific examples.

Limitations of Privilege Levels

• Explains limitations of privilege levels regarding specific interfaces, ports, and slots.
• Discusses command availability at different privilege levels.
• Describes assigning a command with multiple keywords.

Topic 2.2.2: Configuring Role-Based CLI

• Describes how to configure the CLI using role-based security.

Role-Based CLI Access

• Covers examples of security privileges, such as for security operators, and WAN engineers.
• Includes details on configuring and issuing command. Specific examples of commands and privileges are provided.

Role-Based Views

• Diagrams show how role-based views work.
• Shows examples of views available to different users. Illustrative diagrams are included.

Section 2.3: Monitoring and Managing Devices

• Covers using the Cisco IOS resilient configuration feature to secure the Cisco IOS image and configuration files, including the details.
• Explains comparing in-band and out-of-band management access.
• Includes configuring syslog to log system events (using logging host, and logging trap). Specific examples of commands are provided.
• Explains using secure SNMPv3 access, with details of the configuration.
• Configuring NTP server for time synchronization, including examples of commands.

Topic 2.3.1: Securing Cisco IOS Image and Configuration Files

• Explains how the IOS resilient configuration feature secures files, with explanation details.
• Describes automatic detection of image and configuration version mismatches.
• Explains the challenges of using TFTP servers for security reasons.

Cisco IOS Resilient Configuration Feature

• Explains the details on the Cisco IOS resilient configuration feature, with details.

Enabling the IOS Image Resilience Feature

• Explains the process of enabling IOS image resilience in routers using specific commands, examples included.

Topic 2.3.3: Using Syslog for Network Security

• Introduces and explains syslog functionality, including its purpose and use.
• Demonstrates use cases for logging messages.
• Explains syslog message details with columns for sequence numbers, timestamps, facilities, severity, and descriptions with details.

Introduction to Syslog

• Diagram illustrates a network setup with routers and a syslog server.
• The diagram shows system messages being transmitted to the server with explanation details.

Syslog Operation

• Illustrates the process of syslog operation in a network with multiple devices with details of the process and configurations.

Syslog Message

• Shows details on severity levels and keywords for syslog.
• Provides explanations for each level and examples.

Syslog Message (Cont.)

• Explains columns in a syslog message, details, and functions of each column.

Configuring System Logging

• Step-by-step instructions for configuring system logging with examples of different logging settings.
• Explains parameters for logging host, logging trap level, logging from sources, and enabling logging.

Topic 2.3.4: Using SNMP for Network Security

• Explains the use of SNMP for device management, with specifics on its use.

Introduction to SNMP

• Network diagram shows how SNMP works.
• Illustrates managed nodes, SNMP agents, and SNMP managers, with details.

Topic 2.3.5: Using NTP

• Explains the use of NTP for time synchronization. Includes the use of NTP server details and their configuration.

Network Time Protocol

• Explains the process of setting the time on a network device, with explanations and specific examples.

Sample NTP Configuration on R1

• Covers configuring NTP on router R1. Includes detailed examples of commands and configurations for configuring the master NTP daemon on the device.
• Shows commands for configuring the NTP master.

Sample NTP Topology

• Network diagram shows the connection of devices for NTP.
• The diagram shows the connection for the NTP server to send time synchronization to other devices on the network. Includes illustrative diagrams.

Sample NTP Configuration on R2

• Covers configuring the NTP server on router R2 Includes detailed examples of commands and configurations for configuring the client NTP daemon on the device.
• Shows commands for configuring the NTP client, as well as for synchronization and status display.

NTP Authentication

• This part shows how to configure NTP security. Illustrative commands for secure NTP authentication.

Section 2.4: Using Automated Security Features

• This section covers using security audit tools and AutoSecure for IOS-based routers to identify vulnerabilities and enable security, including details.

Topic 2.4.1: Performing a Security Audit

• Introduces using security audit tools to identify issues in IOS-based routers. Includes details and explanations for the process.

Discovery Protocols CDP and LLDP

• Discusses using CDP and LLDP for device discovery on networks.
• Shows commands for enabling CDP and LLDP and displaying neighbors. Specific steps and example commands are included.

Settings for Protocols and Services

• Lists recommended security settings for protocols and services, including recommended best practices to ensure a device is secure.

Topic 2.4.2: Locking Down a Router Using AutoSecure

• This part describes Cisco AutoSecure for secure management, including the process and steps.

Cisco AutoSecure

• Explains Cisco AutoSecure, including its configuration details and prompts. Detailed explanations of the feature.
• This section describes how to enable security on devices using the AutoSecure feature with specific examples of the prompts. With detailed explanations.

Using the Cisco AutoSecure Feature

• Details on using AutoSecure to configure different protocols and services. Specific steps and illustrations are included. with detailed explanations.

Section 2.5: Securing the Control Plane

• Discusses securing the control plane using authentication.

Topic 2.5.1: Routing Protocol Authentication

• Explains the importance of routing protocol authentication in preventing spoofing. Includes details of protocol authentication methods, explaining why security of these protocols are critical.

Routing Protocol Spoofing

• Discusses the consequences of protocol spoofing.

OSPF MD5 Routing Protocol Authentication

• Details steps for configuring OSPF MD5 authentication. Includes complete commands and explanations.

OSPF SHA Routing Protocol Authentication

• Introduces configuring OSPF SHA authentication, with illustrative configuration examples.

Topic 2.5.2: Control Plane Policing

• Explains the function of Control Plane Policing. Includes a description of the mechanism that is used to secure the control plane.

Network Device Operations

• Diagram explains how the control and management planes interact in a router. Illustrative diagrams showing the connections including details on the layers and components.

Control and Management Plane Vulnerabilities

• Diagram illustrates control and management plane vulnerabilities and potential implications.

CoPP Operation

• Diagram shows how COPP works in a network device. Illustrated diagrams to explain the workings of COPP.

Section 2.6: Summary

• Summarizes the chapter objectives, with details on each objective including specific security controls.
• Briefly describes how to configure secure administrative access and command authorization, with examples showing configurations.
• Briefly describes other important security features included.
• Briefly describes implementing control plane security. With relevant instructions.

Description

Test your knowledge on the security principles necessary for securing administrative access to a router. This quiz covers topics such as password policies, privilege levels, and methods for securing remote access. Assess your understanding of how to effectively manage router security.