Chapter 2: Securing Network Devices

Summary

This document is the slide deck for Chapter 2, Securing Network Devices, of the Cisco CCNA Security v2.0 course. It covers securing administrative access (strong passwords, type 8/9 secrets, login hardening, SSH), privilege levels and role-based CLI views, the IOS resilient configuration feature, syslog, SNMPv3 and NTP, the security audit and AutoSecure features, routing protocol authentication and Control Plane Policing. Many slides consist only of a figure, so for those only the slide title survives in the transcript below.

Full Transcript


Chapter 2: Securing Network Devices
CCNA Security v2.0
Dr. Nadhir Ben Halima
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public

Chapter Outline
- 2.0 Introduction
- 2.1 Securing Device Access
- 2.2 Assigning Administrative Roles
- 2.3 Monitoring and Managing Devices
- 2.4 Using Automated Security Features
- 2.5 Securing the Control Plane
- 2.6 Summary

Section 2.1: Securing Device Access
Upon completion of this section, you should be able to:
- Explain how to secure a network perimeter.
- Configure secure administrative access to Cisco routers.
- Configure enhanced security for virtual logins.
- Configure an SSH daemon for secure remote management.

Topic 2.1.1: Securing the Edge Router

Edge Router Security Approaches
- Single Router Approach
- Defense in Depth Approach
- DMZ Approach

Three Areas of Router Security

Secure Administrative Access
Tasks:
- Restrict device accessibility
- Log and account for all access
- Authenticate access
- Authorize actions
- Present legal notification
- Ensure the confidentiality of data

Secure Local and Remote Access
- Local Access
- Remote Access Using Telnet/SSH
- Remote Access Using Modem and Aux Port

Topic 2.1.2: Configuring Secure Administrative Access

Strong Passwords
Guidelines:
- Use a password length of 10 or more characters.
- Include a mix of uppercase and lowercase letters, numbers, symbols, and spaces.
- Avoid passwords based on easily identifiable pieces of information.
- Deliberately misspell a password (Smith = Smyth = 5mYth).
- Change passwords often.
- Do not write passwords down and leave them in obvious places.

Weak passwords and why they are weak:
- secret: simple dictionary password
- smith: mother's maiden name
- toyota: make of car
- bob1967: name and birthday of user
- Blueleaf23: simple words and numbers

Strong passwords and why they are strong:
- b67n42d39c: combines alphanumeric characters
- 12^h u4@1p7: combines alphanumeric characters, symbols, and includes a space

Increasing Access Security

Secret Password Algorithms
Guidelines:
- Configure all secret passwords using type 8 or type 9 passwords (type 8 is PBKDF2 with SHA-256, type 9 is scrypt; both replace the MD5-based type 5 secret and the reversible type 7 password).
- Use the enable algorithm-type command syntax to enter an unencrypted password; IOS hashes it before storing it in the configuration.
- Use the username name algorithm-type command to specify type 9 hashing for local user accounts.

Securing Line Access

Topic 2.1.3: Configuring Enhanced Security for Virtual Logins

Enhancing the Login Process
Virtual login security enhancements:
- Implement delays between successive login attempts
- Enable login shutdown if DoS attacks are suspected
- Generate system-logging messages for login detection

Enable Login Enhancements
- Command syntax: login block-for
- Example: login delay

Logging Failed Attempts
- Generate login syslog messages
- Example: show login failures

Topic 2.1.4: Configuring SSH

Steps for Configuring SSH
- Example SSH configuration
- Example verification of SSH
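The commands behind Topics 2.1.2 through 2.1.4 (secret hashing, line security, login enhancements and SSH), assembled into one working configuration. This is an added example, not a configuration from the course slides; the hostname, domain name, the management subnet 192.168.10.0/24, ACL number 10, the passwords and the timer values are assumptions chosen for the example.

```cisco
! Added example: hardening administrative access on an IOS router.
! Hostname, domain name, ACL 10, subnet, passwords and timers are assumptions.
hostname R1
ip domain-name example.com
!
! Enforce a minimum length for new secrets and obscure any remaining type-0 passwords
security passwords min-length 10
service password-encryption
!
! Type 9 (scrypt) for the enable secret and the local account instead of type 5 or type 7
enable algorithm-type scrypt secret Cisco12345!Ex
username admin privilege 15 algorithm-type scrypt secret Adm1n-Secr3t!Pw
!
! Login hardening. "login block-for" must exist before quiet-mode and delay are accepted.
! After 3 failures within 60 s, logins are blocked for 120 s, except from the management
! subnet in ACL 10, so an attacker cannot lock the administrators out of the router.
access-list 10 permit 192.168.10.0 0.0.0.255
login block-for 120 attempts 3 within 60
login quiet-mode access-class 10
login delay 3
login on-failure log
login on-success log
!
! Legal notification shown before authentication
banner motd ^
Unauthorized access to this device is prohibited. All activity is monitored and logged.
^
!
! SSH: the RSA key pair needs the hostname and domain name above; SSHv2 only
crypto key generate rsa general-keys modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
!
! Lines: local authentication, idle timeout, SSH only, management subnet only
line console 0
 login local
 exec-timeout 5 0
 logging synchronous
line vty 0 4
 login local
 exec-timeout 5 0
 transport input ssh
 access-class 10 in
end
!
! Verification (EXEC mode):
!   show ip ssh                              -> "SSH Enabled - version 2.0"
!   show login                               -> block-for, quiet-mode and delay settings
!   show login failures                      -> source addresses of failed attempts
!   show running-config | include secret     -> every secret should start with "secret 9"
```

Some platforms have vty lines 0 to 15 rather than 0 to 4; apply the same settings to all of them, or an attacker can simply use a line you did not harden.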
Connecting to an SSH-Enabled Router
Two ways to connect:
- Enable SSH and use a Cisco router as an SSH server or SSH client. As a server, the router can accept SSH client connections; as a client, the router can connect via SSH to another SSH-enabled router.
- Use an SSH client running on a host, such as PuTTY, OpenSSH, or TeraTerm.

Section 2.2: Assigning Administrative Roles
Upon completion of this section, you should be able to:
- Configure administrative privilege levels to control command availability.
- Configure role-based CLI access to control command availability.

Topic 2.2.1: Configuring Privilege Levels

Limiting Command Availability
Privilege levels:
- Level 0: Predefined for user-level access privileges.
- Level 1: Default level for login with the router prompt.
- Levels 2-14: May be customized for user-level privileges.
- Level 15: Reserved for the enable mode privileges.

Levels of access commands:
- User EXEC mode (privilege level 1): lowest EXEC mode user privileges; only user-level commands are available at the router> prompt.
- Privileged EXEC mode (privilege level 15): all enable-level commands are available at the router# prompt.

Privilege Level Syntax

Configuring and Assigning Privilege Levels
Limitations of Privilege Levels
- No access control to specific interfaces, ports, logical interfaces, and slots on a router
- Commands available at lower privilege levels are always executable at higher privilege levels
- Commands specifically set at higher privilege levels are not available for lower privilege users
- Assigning a command with multiple keywords allows access to all commands that use those

Topic 2.2.2: Configuring Role-Based CLI

Role-Based CLI Access
For example:
- Security operator privileges: configure AAA, issue show commands, configure firewall, configure IDS/IPS, configure NetFlow
- WAN engineer privileges: configure routing, configure interfaces, issue show commands

Role-Based Views

Section 2.3: Monitoring and Managing Devices
Upon completion of this section, you should be able to:
- Use the Cisco IOS resilient configuration feature to secure the Cisco IOS image and configuration files.
- Compare in-band and out-of-band management access.
- Configure syslog to log system events.
- Configure secure SNMPv3 access using an ACL.
- Configure NTP to enable accurate timestamping between all devices.

Topic 2.3.1: Securing Cisco IOS Image and Configuration Files

Cisco IOS Resilient Configuration Feature

Enabling the IOS Image Resilience Feature

Topic 2.3.3: Using Syslog for Network Security
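Privilege levels and role-based CLI views side by side, as an added example covering Topics 2.2.1 and 2.2.2; this is not a configuration from the course slides. The user names, view names, secrets and the command sets granted to the security operator and WAN engineer roles are assumptions. The example also shows the keyword limitation from the slide: granting one multi-keyword command exposes its parent keywords.

```cisco
! Added example: privilege levels versus role-based CLI views.
! User names, view names, secrets and command sets are assumptions.
!
! --- Privilege levels (Topic 2.2.1) ---
! Level 5 may ping and view the routing table. Note the limitation from the slide:
! granting "show ip route" also makes the parent keywords "show" and "show ip" usable.
privilege exec level 5 ping
privilege exec level 5 show ip route
enable algorithm-type scrypt secret level 5 Level5-Secr3t!
username helpdesk privilege 5 algorithm-type scrypt secret Helpd3sk-Pw!
!
! --- Role-based CLI views (Topic 2.2.2) ---
! Views require AAA. Set a local default method first, from the console, or enabling
! AAA changes vty authentication and can lock remote administrators out.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
! Views are created from the root view:  R1# enable view   (answer with the level-15 secret)
!
! Security operator: AAA, access lists, show commands
parser view SECOPS
 secret Sec0ps-V1ew!
 commands exec include all show
 commands exec include configure terminal
 commands configure include all aaa
 commands configure include all ip access-list
!
! WAN engineer: routing, interfaces, show commands
parser view WANENG
 secret WanEng-V1ew!
 commands exec include all show ip route
 commands exec include all show interfaces
 commands exec include configure terminal
 commands configure include all router
 commands configure include all interface
!
! A superview aggregates views; it carries no commands of its own
parser view NETADMIN superview
 secret NetAdm-V1ew!
 view SECOPS
 view WANENG
!
! Bind local accounts to views so the view is applied at login
username secops view SECOPS secret S3cops-Pw!
username waneng view WANENG secret W4neng-Pw!
!
! Verification (EXEC mode):
!   show privilege              -> current privilege level
!   show parser view all        -> the views and their command sets (root view only)
!   enable view SECOPS          -> enter the view, then "?" lists only the included commands
```

Unlike privilege levels, a view can be scoped to a configuration sub-mode (for example `commands interface include ip address`), which is what makes per-role access to interfaces possible.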
Introduction to Syslog

Syslog Operation

Syslog Message Severity Levels
- Example severity levels

Syslog Message (Cont.)

Configuring System Logging
- Step 1
- Step 2 (optional)
- Step 3
- Step 4

Topic 2.3.4: Using SNMP for Network Security

Introduction to SNMP

Topic 2.3.5: Using NTP

Network Time Protocol

NTP Server
- Sample NTP topology
- Sample NTP configuration on R1
- Sample NTP configuration on R2

NTP Authentication

Section 2.4: Using Automated Security Features
Upon completion of this section, you should be able to:
- Use security audit tools to determine IOS-based router vulnerabilities.
- Use AutoSecure to enable security on IOS-based routers.

Topic 2.4.1: Performing a Security Audit

Discovery Protocols CDP and LLDP

Settings for Protocols and Services
There is a detailed list of security settings for protocols and services provided in Figure 2 of this page in the course.
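The management-plane features of Section 2.3 in one place: the resilient configuration feature of Topic 2.3.1, syslog (2.3.3), SNMPv3 restricted by an ACL (2.3.4) and authenticated NTP (2.3.5). This is an added example, not the R1/R2 configuration from the slides; the addresses, the collector, the NMS subnet in ACL 99, the view, group and user names, and the keys are assumptions.

```cisco
! Added example: resilient configuration, syslog, SNMPv3 with an ACL, authenticated NTP.
! Addresses, names, ACL 99 and keys are assumptions.
!
! --- 2.3.1 Resilient configuration: secure the image and archive the running config ---
! Both commands need the image in local flash. They cannot be undone from a remote
! session; "no secure boot-image" is only accepted on the console.
secure boot-image
secure boot-config
! R1# show secure bootset        -> secured image and the archived configuration name
! The archive is hidden from "dir". To recover after tampering:
! R1(config)# secure boot-config restore flash:rescue-cfg
! R1# copy flash:rescue-cfg running-config
!
! --- 2.3.3 Syslog: timestamps, local buffer, central collector ---
service timestamps log datetime msec localtime show-timezone
logging buffered 64000 informational
logging host 10.0.100.50
! Severities 0-6 are forwarded; level 7 (debugging) stays local to avoid flooding the collector
logging trap informational
logging source-interface Loopback0
!
! --- 2.3.4 SNMPv3: authPriv only, read-only view, polling only from the NMS subnet ---
access-list 99 permit 10.0.100.0 0.0.0.255
snmp-server view MGMT-RO iso included
snmp-server group MGMT-GRP v3 priv read MGMT-RO access 99
snmp-server user nms-poller MGMT-GRP v3 auth sha Auth-Pass-12! priv aes 128 Priv-Pass-34!
! Make sure no v1/v2c community string is left behind:
no snmp-server community public
!
! --- 2.3.5 NTP with authentication: R1 is a client of 10.0.0.1 ---
ntp authenticate
ntp authentication-key 1 md5 NTP-K3y!
ntp trusted-key 1
ntp server 10.0.0.1 key 1
! On the server side (R2, 10.0.0.1) the same key is configured and R2 serves time:
! ntp master 3
! ntp authenticate
! ntp authentication-key 1 md5 NTP-K3y!
! ntp trusted-key 1
!
! Verification (EXEC mode):
!   show logging                    -> buffer, trap level and collector
!   show snmp user                  -> the v3 user is not shown in running-config; check it here
!   show snmp group                 -> group, security model and the ACL
!   show ntp associations detail    -> "authenticated" for the server association
!   show ntp status                 -> "Clock is synchronized"
```

Accurate, authenticated time matters beyond convenience: every syslog and login-failure message carries the router's timestamp, and an attacker who can feed the router false NTP can make those records useless in an investigation.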
Additional recommended practices to ensure a device is secure:
- Disable unnecessary services and interfaces.
- Disable and restrict commonly configured management services.
- Disable probes and scans.
- Ensure terminal access security.
- Disable gratuitous and proxy ARPs.
- Disable IP-directed broadcasts.

Topic 2.4.2: Locking Down a Router Using AutoSecure

Cisco AutoSecure

Using the Cisco AutoSecure Feature

Using the auto secure Command
1. The auto secure command is entered
2. Wizard gathers information about the outside interfaces
3. AutoSecure secures the management plane by disabling unnecessary services
4. AutoSecure prompts for a banner
5. AutoSecure prompts for passwords and enables password and login features
6. Interfaces are secured
7. Forwarding plane is secured

Section 2.5: Securing the Control Plane
Upon completion of this section, you should be able to:
- Configure routing protocol authentication.
- Explain the function of Control Plane Policing.

Topic 2.5.1: Routing Protocol Authentication

Routing Protocol Spoofing
Consequences of protocol spoofing:
- Redirect traffic to create routing loops.
- Redirect traffic so it can be monitored on an insecure link.
- Redirect traffic to discard it.

OSPF MD5 Routing Protocol Authentication

OSPF SHA Routing Protocol Authentication
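The manual equivalent of the "Settings for Protocols and Services" practices and of the management-plane and interface steps that AutoSecure performs, as an added example that is not from the course slides. The interface name and the assumption that CDP is wanted on inside interfaces but not on the outside are choices made for the example.

```cisco
! Added example: disabling unnecessary services by hand (what the audit looks for
! and what AutoSecure steps 3 and 6 turn off). Interface name is an assumption.
!
! Global services that are rarely needed on an edge router
no service tcp-small-servers
no service udp-small-servers
no ip finger
no ip identd
no ip bootp server
no service pad
no ip source-route
no ip http server
no ip gratuitous-arps
! Discovery protocols: turn off globally, or keep CDP inside and disable it per interface
no cdp run
no lldp run
! Detect and clear half-open or dead management sessions
service tcp-keepalives-in
service tcp-keepalives-out
!
! Per-interface settings on the outside interface
interface GigabitEthernet0/0
 description Outside
 no ip proxy-arp
 no ip directed-broadcast
 no ip redirects
 no ip unreachables
 no mop enabled
 no cdp enable
!
! Alternatively let AutoSecure do it. The interactive wizard asks about each outside
! interface; no-interact applies the defaults without questions.
! R1# auto secure
! R1# auto secure no-interact
!
! Review what was changed before saving; AutoSecure rewrites a lot of the config.
! R1# show auto secure config
! R1# show running-config
```

AutoSecure applies a generic template, so always read its result: it can, for example, enable logging or blocking settings that do not fit the site, and it will not know which interface is genuinely outside unless you tell it.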
Topic 2.5.2: Control Plane Policing

Network Device Operations

Control and Management Plane Vulnerabilities

CoPP Operation

Section 2.6: Summary
Chapter Objectives:
- Configure secure administrative access.
- Configure command authorization using privilege levels and role-based CLI.
- Implement the secure management and monitoring of network devices.
- Use automated features to enable security on IOS-based routers.
- Implement control plane security.

Thank you.
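Section 2.5 in working form: OSPF MD5 and SHA authentication from Topic 2.5.1 and a Control Plane Policing policy from Topic 2.5.2. This is an added example, not a configuration from the course slides; the interface, OSPF process and area, the key chain name and keys, the management subnet 10.0.100.0/24, the NTP server 10.0.0.1 and the police rates are assumptions.

```cisco
! Added example: OSPF authentication and Control Plane Policing.
! Interface, process and area numbers, keys, subnets and rates are assumptions.
!
! --- 2.5.1 OSPF MD5 authentication (per interface; every neighbor on the link needs
!     the same key id and key, or the adjacency drops) ---
interface GigabitEthernet0/1
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 OSPF-MD5-K3y!
! Or enable it for the whole area under the process:
router ospf 10
 area 0 authentication message-digest
!
! --- 2.5.1 OSPF SHA authentication (key chain, IOS 15.4(1)T and later) ---
key chain OSPF-SHA
 key 1
  key-string OSPF-SHA-K3y!
  cryptographic-algorithm hmac-sha-256
interface GigabitEthernet0/1
 ip ospf authentication key-chain OSPF-SHA
!
! --- 2.5.2 CoPP: classify traffic punted to the route processor and rate-limit it ---
ip access-list extended COPP-ROUTING
 permit ospf any any
ip access-list extended COPP-MGMT
 permit tcp 10.0.100.0 0.0.0.255 any eq 22
 permit udp 10.0.100.0 0.0.0.255 any eq snmp
 permit udp host 10.0.0.1 eq ntp any eq ntp
!
class-map match-any COPP-ROUTING
 match access-group name COPP-ROUTING
class-map match-any COPP-MGMT
 match access-group name COPP-MGMT
!
policy-map COPP
 ! Routing protocol traffic: measure, never drop, so a wrong rate cannot break adjacencies
 class COPP-ROUTING
  police 256000 conform-action transmit exceed-action transmit
 ! Management from the trusted subnet: generous rate, drop the excess
 class COPP-MGMT
  police 128000 conform-action transmit exceed-action drop
 ! Everything else aimed at the router itself (scans, Telnet from anywhere, floods)
 class class-default
  police 32000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
!
! Verification (EXEC mode):
!   show ip ospf interface GigabitEthernet0/1   -> authentication type in use
!   show ip ospf neighbor                       -> adjacencies still FULL after the change
!   show policy-map control-plane               -> conformed/exceeded counters per class
```

Deploy CoPP with the exceed action set to transmit first, watch the counters under real load, and only then switch the management and default classes to drop; the counters also double as a detection signal, since a rising exceeded count in class-default is a router being scanned or flooded.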
