Documentos de Académico
Documentos de Profesional
Documentos de Cultura
Securing Network
Devices
CCNA-Security
Presentation_ID
Cisco Confidential
Chapter 2: Objectives
In this chapter you will:
Use the Cisco IOS resilient configuration feature to secure the Cisco IOS image and configuration files.
Presentation_ID
Cisco Confidential
Presentation_ID
Cisco Confidential
Presentation_ID
Cisco Confidential
Implementing Security
Single Router Approach
Defense-in-Depth Approach
DMZ Approach
Presentation_ID
Cisco Confidential
Securing Routers
Three areas of router security must be maintained:
Presentation_ID
Cisco Confidential
Presentation_ID
Cisco Confidential
Securing Passwords
Cisco Confidential
ITE PC v4.1
Chapter 1
Cisco Public
Presentation_ID
Cisco Confidential
10
Note: IOS 15. An administrator can specify that SHA256 encryption be used for the secret text string.
The console, vty, and aux ports must be configured to require a username and password
combination from the local database. To do this, the login command must be changed to login
local on each line configuration.
Presentation_ID
Cisco Confidential
11
Presentation_ID
Cisco Confidential
12
Cisco Public
13
ITE PC v4.1
Chapter 1
Cisco Public
14
ITE PC v4.1
Chapter 1
Cisco Public
15
ITE PC v4.1
Chapter 1
Cisco Public
16
ITE PC v4.1
Chapter 1
Cisco Public
17
Presentation_ID
Cisco Confidential
18
Presentation_ID
Cisco Confidential
19
MOTD banners are shown prior to a login banner and before user authentication.
Login banners are displayed upon an attempting exec session establishment,
EXEC banners are shown once an individual has started an EXEC session with the
device.
Presentation_ID
Cisco Confidential
20
Configuring SSH
Presentation_ID
Cisco Confidential
21
Configuring SSH
Configuring SSH
Using the CLI, there are four steps to configure a Cisco router to
support SSH:
Step 1. Configure domain name using the ip domain-name
domain-namecommand in global configuration mode.
Step 2. Generate one-way secret keys for a router to encrypt the SSH
traffic. To create the RSA key, use the crypto key generate
rsa
general-keys modulus modulus-sizecommand in
global
configuration mode.
Step 3. Ensure that there is a valid local database username
entry. If not, create one using the
username name secret secret command.
Step 4. Enable vty inbound SSH sessions using the login
local and transport input ssh commands in line
configuration mode.
vty
To verify SSH and display the generated keys, use the show crypto
key mypubkey rsa command.
Presentation_ID
Cisco Confidential
22
Configuring SSH
Presentation_ID
Cisco Confidential
23
Configuring SSH
Presentation_ID
Cisco Confidential
24
2.2 Assigning
Administrative Roles
Presentation_ID
Cisco Confidential
25
privilege level
role-based CLI
Presentation_ID
Cisco Confidential
26
Privilege Levels
Level 0:
Predefined for user-level access privileges.
Seldom used, but includes five commands: disable, enable, exit,
help, and logout
Levels 2 14:
May be customized for user-level privileges.
Commands from lower levels may be moved up to a higher level, or
commands from higher levels may be moved down to a lower level.
Cisco Confidential
27
Presentation_ID
Cisco Confidential
28
Presentation_ID
Cisco Confidential
29
Presentation_ID
Cisco Confidential
30
Presentation_ID
Cisco Confidential
31
Role-Based Views
Root view:
Can configure any view for the system, the administrator must be in root
view.
Has the same access privileges as a user who has level 15 privileges.
However, a root view is not the same as a level 15 user.
Only a root view user can configure a new view and add or remove
commands from the existing views.
CLI view
A specific set of commands can be bundled into a CLI view
Superview
A superview consists of one or more CLI views. Administrators can
define which commands are accepted and which configuration
information is visible.
Presentation_ID
Cisco Confidential
32
Root View
Presentation_ID
View #1
View #2
View #3
show ip route
show run
show
interfaces
View #4
View #5
View #6
int fa0/0
Cisco Confidential
33
CLI Views
View #1
command exec
View #2
View #3
View #4
View #5
View #6
command exec
command exec
command exec
command exec
command exec
Superview #1
View #1
View #2
View #4
command exec
Presentation_ID
Superview #2
View #3
View #5
command exec
command exec
View #4
View #6
command exec
command exec
Cisco Confidential
34
Presentation_ID
Cisco Confidential
35
Presentation_ID
Cisco Confidential
36
Sample Config
R1(config)# parser view SHOWVIEW
*Mar 1 09:54:54.873: %PARSER-6-VIEW_CREATED: view SHOWVIEW' successfully created.
R1(config-view)# secret cisco
R1(config-view)# commands exec include show version
R1(config-view)# exit
R1(config)# parser view VERIFYVIEW
*Mar 1 09:55:24.813: %PARSER-6-VIEW_CREATED: view VERIFYVIEW' successfully
created.
R1(config-view)# commands exec include ping
% Password not set for the view VERIFYVIEW
R1(config-view)# secret cisco5
R1(config-view)# commands exec include ping
R1(config-view)# exit
R1(config)# parser view REBOOTVIEW
R1(config-view)#
*Mar 1 09:55:52.297: %PARSER-6-VIEW_CREATED: view REBOOTVIEW' successfully
created.
R1(config-view)# secret cisco10
R1(config-view)# commands exec include reload
R1(config-view)# exit
Presentation_ID
Cisco Confidential
37
Configure Views
R1(config)# parser view USER superview
* Mar 1 09:56:26.465 : %PARSER-6-SUPER_VIEW_CREATED: super view 'USER' successfully created.
R1(config-view)# secret cisco
R1(config-view)# view SHOWVIEW
*Mar 1 09:56:33.469: %PARSER-6-SUPER_VIEW_EDIT_ADD: view SHOWVIEW added to superview USER.
R1(config-view)# exit
R1(config)# parser view SUPPORT superview
*Mar 1 09:57:33.825 : %PARSER-6-SUPER_VIEW_CREATED: super view 'SUPPORT' successfully created.
R1(config-view)# secret cisco1
R1(config-view)# view SHOWVIEW
*Mar 1 09:57:45.469: %PARSER-6-SUPER_VIEW_EDIT_ADD: view SHOWVIEW added to superview SUPPORT.
R1(config-view)# view VERIFYVIEW
*Mar 1 09:57:57.077: %PARSER-6-SUPER_VIEW_EDIT_ADD: view VERIFYVIEW added to superview
SUPPORT.
R1(config-view)# exit
R1(config)# parser view JR-ADMIN superview
*Mar 1 09:58:09.993: %PARSER-6-SUPER_VIEW_CREATED: super view 'JR-ADMIN' successfully created.
R1(config-view)# secret cisco2
R1(config-view)# view SHOWVIEW
*Mar 1 09:58:26.973: %PARSER-6-SUPER_VIEW_EDIT_ADD: view SHOWVIEW added to superview JR-ADMIN.
R1(config-view)# view VERIFYVIEW
*Mar 1 09:58:31.817: %PARSER-6-SUPER_VIEW_EDIT_ADD: view VERIFYVIEW added to superview JRADMIN.
R1(config-view)# view REBOOTVIEW
*Mar 1 09:58:39.669: %PARSER-6-SUPER_VIEW_EDIT_ADD: view REBOOTVIEW added to superview JRADMIN.
R1(config-view)# exit
Presentation_ID
Cisco Confidential
38
Presentation_ID
Cisco Confidential
39
Presentation_ID
Cisco Confidential
40
Presentation_ID
Cisco Confidential
41
Presentation_ID
Cisco Confidential
42
restore the
Cisco Confidential
43
Presentation_ID
Cisco Confidential
44
Cisco Confidential
45
Presentation_ID
Cisco Confidential
46
Presentation_ID
Cisco Confidential
47
Introduction to Syslog
The syslog logging service provides three primary functions:
The ability to gather logging information for monitoring and
troubleshooting
The ability to select the type of logging information that is captured
The ability to specify the destinations of captured syslog messages
Presentation_ID
Cisco Confidential
48
Syslog Operation
Presentation_ID
Cisco Confidential
49
Presentation_ID
Cisco Confidential
50
Syslog Systems
Presentation_ID
Cisco Confidential
51
Presentation_ID
Cisco Confidential
52
Introduction to SNMP
The SNMP system
consists of three
elements:
SNMP manager
SNMP agents
(managed node)
Management
Information Base (MIB)
Uses UDP port 162
Presentation_ID
Cisco Confidential
53
SNMP Operation
Presentation_ID
Cisco Confidential
54
SNMP agents can generate and send traps to inform the NMS
immediately of certain events.
Traps are unsolicited messages alerting the SNMP manager to a
condition or event on the network.
Presentation_ID
Cisco Confidential
55
SNMP Vulnerabilities
The get and set actions create vulnerabilities that open SNMP to attack.
Presentation_ID
Cisco Confidential
56
Presentation_ID
Cisco Confidential
57
SNMPv3
Presentation_ID
Cisco Confidential
58
Using NTP
Cisco Confidential
59
Using NTP
Presentation_ID
Cisco Confidential
60
Using NTP
NTP Server
Sample NTP Configuration
Presentation_ID
Cisco Confidential
61
Using NTP
NTP Authentication
There are two security mechanisms available:
ACL-based restriction scheme
Encrypted authentication mechanism offered by NTP version 3 or later
Presentation_ID
Cisco Confidential
62
Presentation_ID
Cisco Confidential
63
Presentation_ID
Cisco Confidential
64
Presentation_ID
Cisco Confidential
65
Presentation_ID
Cisco Confidential
66
Presentation_ID
Cisco Confidential
67
Cisco AutoSecure
The Cisco AutoSecure feature is initiated from the CLI and executes a
script. It first makes recommendations for fixing security vulnerabilities,
and then modifies the security configuration of the router.
Presentation_ID
Cisco Confidential
68
Presentation_ID
Cisco Confidential
69
Presentation_ID
Cisco Confidential
70
Cisco Confidential
71
Chapter 2
Summary
When securing a network device, hardening should be the first step, which
includes:
Cisco Confidential
72
Presentation_ID
Cisco Confidential
73
Presentation_ID
Cisco Confidential
74