Quản trị mạng - Chapter 2: Securing network devices

Chapter 2 – Securing Network Devices CCNA Security Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Objectives • Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Securing Device Access Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Securing the Edge Router • Securing the network infrastructure is critical to overall network security: routers, switches, servers, endpoints, and other devices. • The edge router is the last router between the internal network and an untrusted network such as the Internet. • If an attacker gains access to a router, the security and management of the entire network can be compromised, leaving servers and endpoints at risk Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Securing the Edge Router • The edge router implementation varies depending on the size of the organization and the complexity of the required network design. • Single Router Approach – In the single router approach, a single router connects the protected network, or internal LAN, to the Internet. – This is more commonly deployed in smaller site implementations such as branch and SOHO sites. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Securing the Edge Router • Defense-in-Depth Approach – In this approach, the edge router acts as the first line of defense and is known as a screening router. – It passes all connections that are intended for the internal LAN to the firewall. – The second line of defense is the firewall, they typically picks up where the edge router leaves off and performs additional filtering. – It provides additional access control by tracking the state of the connections and acts as a checkpoint device. authentication proxy ? Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Securing the Edge Router • DMZ Approach – A variation of the defense-in-depth approach is to offer an intermediate area, often called the demilitarized zone (DMZ) – The DMZ can be used for servers that must be accessible from the Internet or some other external network. – The DMZ can be set up between two routers, with an internal router connecting to the protected network and an external router connecting to the unprotected network, or simply be an additional port off of a single router Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Securing the Edge Router • Three areas of router security must be maintained. – Physical Security – Operating System Security – Router Hardening Refer to 2.1.1.3 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Securing the Edge Router Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Securing the Edge Router • There are 2 ways to access a device for administrative purposes, locally and remotely. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Securing the Edge Router Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Secure Administrative Access • Attackers deploy various methods of discovering administrative passwords. – They can shoulder surf, attempt to guess passwords based on the user's personal information, or sniff TFTP packets containing plaintext configuration files. – Attackers can also use tools such as L0phtCrack and Cain & Abel to attempt brute force attacks and guess passwords. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Secure Administrative Access • These guidelines to make password: 1. Use a password length of 10 or more characters. The longer, the better. 2. Make passwords complex. Include a mix of uppercase and lowercase letters, numbers, symbols, and spaces. 3. Avoid passwords based on repetition, dictionary words, letter or number sequences, usernames, relative or pet names, biographical information, such as birthdates, ID numbers, ancestor names, or other easily identifiable pieces of information.. 4. Deliberately misspell a password. For example, Smith = Smyth = 5mYth or Security = 5ecur1ty. 5. Change passwords often. If a password is unknowingly compromised, the window of opportunity for the attacker to use the password is limited. 6. Do not write passwords down and leave them in obvious places such as on the desk or monitor. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Secure Administrative Access • Configure password: pass phrase ? Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Secure Administrative Access • To increase the security of passwords, the following should be configured: – Enforce minimum password lengths. – Disable unattended connections. – Encrypt all passwords in the configuration file. 1. Minimum password lengths Beginning with the Cisco IOS Release 12.3(1) and later, administrators can set the minimum character length for all router passwords from 0 to 16 characters using the global configuration command security passwords min-length length. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Secure Administrative Access 2. Disable Unattended Connections – By default, an administrative interface stays active and logged in for 10 minutes after the last session activity. – After that, the interface times out and logs out of the session. – These timers can be adjusted using the exec-timeout command in line configuration mode for each of the line types that are used. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Secure Administrative Access Example: line vty 0 exec-timeout 0 10 password cisco T1 T1+10” Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Secure Administrative Access 3. Encryption Passwords Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Secure Administrative Access • Another available security feature is authentication. • Cisco routers can maintain a list of usernames and passwords in a local database on the router for performing local login authentication. • There are two methods of configuring local username accounts. 1. username name password password 2. username name secret password Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Secure Administrative Access Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Secure Administrative Access Configuring Secure Administrative Access Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Enhanced Security for Virtual Logins Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Enhanced Security for Virtual Logins • The following commands are available to configure a Cisco IOS device to support the enhanced login features. • Router# configure terminal • Router(config)# login block-for seconds attempts tries within seconds • Router(config)# login quiet-mode access-class {acl- name | acl-number} • Router(config)# login delay seconds • Router(config)# login on-failure log [every login] • Router(config)# login on-success log [every login] Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Enhanced Security for Virtual Logins (Virtual TeletYpe) Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Enhanced Security for Virtual Logins • All login enhancement features are disabled by default. • Use the login block-for command to enable login enhancements. • The login block-for feature monitors login device activity and operates in two modes: 1. Normal mode (watch mode) - The router keeps count of the number of failed login attempts within an identified amount of time. 2. Quiet mode (quiet period) - If the number of failed logins exceeds the configured threshold, all login attempts using Telnet, SSH, and HTTP are denied. • When quiet mode is enabled, all login attempts, including valid administrative access, are not permitted. • However, to provide critical hosts access at all times, this behavior can be overridden using an ACL. • The ACL must be created and identified using the login quiet-mode access-class command. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Enhanced Security for Virtual Logins For example Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Enhanced Security for Virtual Logins • By default, Cisco IOS devices can accept connections, such as Telnet, SSH, and HTTP, as quickly as they can be processed. • This makes devices susceptible to dictionary attack tools, such as Cain or L0phtCrack, which are capable of thousands of password attempts per second. • The login block-for command invokes an automatic delay of 1 second between login attempts. • Attackers have to wait 1 second before they can try a different password. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Enhanced Security for Virtual Logins • This delay time can be changed using the login delay command. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Enhanced Security for Virtual Logins Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Enhanced Security for Virtual Logins • login on-failure log [every login] generates logs for failed login requests. • login on-success log [every login] generates log messages for successful login requests. • The number of login attempts before a message is generated can be specified using the [every login] parameter. • The default value is 1 attempt. The valid range is from 1 to 65,535. • As an alternative, the security authentication failure rate threshold-rate log command generates a log message when the login failure rate is exceeded. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Enhanced Security for Virtual Logins Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Enhanced Security for Virtual Logins Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Enhanced Security for Virtual Logins Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Enhanced Security for Virtual Logins Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Enhanced Security for Virtual Logins Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Enhanced Security for Virtual Logins • Use banner messages to present legal notification to potential intruders to inform them that they are not welcome on a network. • Banners are disabled by default and must be explicitly enabled. • Tokens are optional and can be used within the message section of the banner command: – $(hostname) - Displays the host name for the router. – $(domain) - Displays the domain name for the router. – $(line) - Displays the vty or tty (asynchronous) line number. – $(line-desc) - Displays the description that is attached to the line. Refer to 2.1.3.5 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Enhanced Security for Virtual Logins • darkstar(config)# banner login % • Enter TEXT message. End with the character '%'. • You have entered $(hostname).$(domain) on line $(line) ($(line-desc)) % • When the login banner is executed, the user will see the following banner. Notice that the $(token) syntax is replaced by the corresponding configuration variable. • You have entered darkstar.ourdomain.com on line 5 (Dialin Modem) Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configure SSH • SSH has replaced Telnet as the recommended practice for providing remote router administration with connections that support confidentiality and session integrity. • It provides functionality that is similar to an outbound Telnet connection, except that the connection is encrypted and operates on port 22. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configure SSH • Step 1. Ensure that the target routers are running a Cisco IOS Release 12.1(1)T image or later to support SSH. • Step 2. Ensure that each of the target routers has a unique host name. • Step 3. Ensure that each of the target routers is using the correct domain name of the network. • Step 4. Ensure that the target routers are configured for local authentication or AAA services for username and password authentication.This is mandatory for a router-to-router SSH connection. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configure SSH Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configure SSH Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configure SSH Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configure SSH • Optionally, SSH commands can be used to configure the following: – SSH version – SSH timeout period – Number of authentication retries • The time interval that the router waits for the SSH client to respond during the SSH negotiation phase can be configured using the ip ssh time-out seconds command in global configuration mode. The default is 120 seconds. • By default, a user logging in has 3 attempts before being disconnected. • To configure a different number of consecutive SSH retries, use the ip ssh authentication-retries integer command in global configuration mode. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configure SSH • There are two different ways to connect to an SSH-enabled router: 1. Connect using an SSH-enabled Cisco router using the privileged EXEC mode ssh command. 2. Connect using a publicly and commercially available SSH client running on a host. Examples of these clients are PuTTY, OpenSSH, and TeraTerm. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configure SSH Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configure SSH Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configure SSH • CCP can be used to configure an SSH daemon on a router. • To see the current SSH key settings, choose Configure > Router > Router Access > SSH. • The SSH key settings have two status options 1. RSA key is not set on this router - This notice appears if there is no cryptographic key configured for the device. If there is no key configured, enter a modulus size and generate a key. 2. RSA key is set on this router - This notice appears if a cryptographic key has been generated, in which case SSH is enabled on this router. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configure SSH Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configure SSH Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Assigning Administrative Roles Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Privilege levels • Configuring privilege levels is the next step for the system administrator who wants to secure the network. • Privilege levels determine who should be allowed to connect to the device and what that person should be able to do with it. • The Cisco IOS software CLI has 2 levels of access to commands. 1. User EXEC mode (privilege level 1) - Provides the lowest EXEC mode user privileges and allows only user-level commands available at the router> prompt. 2. Privileged EXEC mode (privilege level 15) - Includes all enable-level commands at the router# prompt. • Cisco IOS software has two methods of providing infrastructure access: privilege level and role-based CLI. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Privilege levels Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Privilege levels Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Privilege levels Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Privilege levels • It is important to note that assigning a command with multiple keywords, such as show ip route, to a specific privilege level automatically assigns all commands associated with the first few keywords to the specified privilege level. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Privilege levels • For example, • Subcommands coming under show ip route are also automatically assigned to the same privilege level. Assigning the show ip route allows the user to issue all show commands, such as show version. • Both the show command and the show ip command are automatically set to the privilege level where show ip route is set. This is necessary because the show ip route command cannot be executed without access to the show and show ip commands. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Privilege levels Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Privilege levels Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Privilege levels Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Privilege levels • To assign level 10 to the privileged EXEC mode reload command, use the following command sequence. – privilege exec level 10 reload – username jr-admin privilege 10 secret cisco10 – enable secret level 10 cisco10 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Privilege levels Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Privilege levels • Limitations: 1. No access control to specific interfaces, ports, logical interfaces, and slots on a router. 2. Commands available at lower privilege levels are always executable at higher levels. 3. Commands specifically set on a higher privilege level are not available for lower privileged users. 4. Assigning a command with multiple keywords to a specific privilege level also assigns all commands associated with the first keywords to the same privilege level. An example is the show ip route command. Configuring Privilege levels Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Học viện mạng Bách khoa - www.bkacad.com Configuring Privilege levels For Example, username student14 privilege 14 secret cisco14 privilege router level 14 default-information originate privilege router level 14 redistribute privilege router level 14 network privilege configure level 14 router privilege interface level 14 ip address privilege interface level 14 no shutdown privilege configure level 14 interface privilege exec level 14 configure terminal privilege exec level 14 show running-config line vty 0 4 login local Học viện mạng Bách khoa - www.bkacad.com Configuring Privilege levels Router(config)# enable secret level 15 class15 Or Router(config)# enable secret class15 default level: 15 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Role-Based CLI Access • To provide more flexibility than privilege levels, Cisco introduced the Role-Based CLI Access feature in Cisco IOS Release 12.3(11)T. • Role-based CLI access enhances the security of the device by defining the set of CLI commands that is accessible by a particular user. • Role-based CLI access prevents unintentional execution of CLI commands by unauthorized personnel, which could result in undesirable results. • Users only see the CLI commands applicable to the ports and CLI to which they have access; therefore, the router appears to be less complex, and commands are easier to identify when using the help feature on the device. • Role-based CLI provides 3 types of views: 1. Root view 2. CLI view 3. Superview Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Role-Based CLI Access Refer: 2.2.2.2 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Role-Based CLI Access • Root View – To configure any view for the system, the administrator must be in root view. – Root view has the same access privileges as a user who has level 15 privileges. – However, a root view is not the same as a level 15 user. – Only a root view user can configure a new view and add or remove commands from the existing views. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Role-Based CLI Access • CLI View – Unlike privilege levels, a CLI view has no command hierarchy and, therefore, no higher or lower views. – Each view must be assigned all commands associated with that view, and a view does not inherit commands from any other views. – Additionally, the same commands can be used in multiple views. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Role-Based CLI Access • Superview – A superview consists of one or more CLI views. – Superviews allow a network administrator to assign users and groups of users multiple CLI views at once, instead of having to assign a single CLI view per user with all commands associated to that one CLI view. • Superviews have the following characteristics: – A single CLI view can be shared within multiple superviews. – Commands cannot be configured for a superview. – An administrator must add commands to the CLI view and add that CLI view to the superview. – Users who are logged into a superview can access all the commands that are configured for any of the CLI views that are part of the superview. – Each superview has a password that is used to switch between superviews or from a CLI view to a superview. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Role-Based CLI Access • To configure and alter views, an administrator must log in as the root view, using the enable view privileged EXEC command. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Role-Based CLI Access Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Role-Based CLI Access Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Role-Based CLI Access For example Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Role-Based CLI Access View “admin1” • R1(config)# enable secret cisco • R1(config)# aaa new-model • R1#enable view • Password: • R1(config)#parser view admin1 – Secret admin1 – Commands exec include show running-config • Testing: • R1#enable view admin1 • Password: Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com View “admin2” • R1#enable view • Password: • R1(config)#parser view admin2 – Secret admin2 – Commands exec include configure terminal – Commands configure include interface – Commands configure include interface Loopback0 • Testing: • R1#enable view admin2 • Password: Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Role-Based CLI Access Configure Superview Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Role-Based CLI Access The steps to configure a superview are essentially the same as configuring a CLI view, except that instead of using the commands command to assign commands, use the view view- name command to assign views. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Role-Based CLI Access For example Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Role-Based CLI Access Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Role-Based CLI Access To verify Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Role-Based CLI Access Superview “admin” • R1#enable view • Password: • R1(config)# parser view admin superview – Secret admin – View admin1 – View admin1 • Testing • R1#enable view admin • Password: Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Example: view Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Example: superview Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Example: superview Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Monitoring and Managing Devices Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Securing the Cisco IOS Image and Configuration Files • If attackers gain access to a router there are many things that they could do. • For example, they could alter traffic flows, alter configurations, and even erase the startup configuration file and Cisco IOS image. • If the configuration or IOS image is erased, the operator might need to retrieve an archived copy to restore the router. • The Cisco IOS Resilient Configuration feature allows for faster recovery if someone reformats flash memory or erases the startup configuration file in NVRAM. • When a Cisco IOS image is secured, the resilient configuration feature denies all requests to copy, modify, or delete it. The secure copy of the startup configuration is stored in flash along with the secure IOS image. This set of Cisco IOS image and router running configuration files is referred to as the bootset. Securing the Cisco IOS Image and Configuration Files • The Cisco IOS resilient configuration feature is only available for systems that support a PCMCIA Advanced Technology Attachment (ATA) flash interface. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Securing the Cisco IOS Image and Configuration Files • Two global configurations commands are available to configure the Cisco IOS resilient configuration features: – secure boot-image – secure boot-config Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Securing the Cisco IOS Image and Configuration Files Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Securing the Cisco IOS Image and Configuration Files • The secure boot-image command – This feature can be disabled only through a console session using the no form of the command. – This command functions properly only when the system is configured to run an image from a flash drive with an ATA interface. – Images that are booted from the network, such as a TFTP server, cannot be secured. – If the router is configured to boot with Cisco IOS resilience and an image with a different version of the Cisco IOS software is detected, is displayed at bootup: ios resilience: Archived image and configuration version 12.2 differs from running version 12.3 Securing the Cisco IOS Image and Configuration Files Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Securing the Cisco IOS Image and Configuration Files • The secure boot-config command – A log message is displayed on the console notifying the user that configuration resilience is activated. – The configuration archive is hidden and cannot be viewed or removed directly from the CLI prompt. – This feature detects a different version of Cisco IOS configurations and notifies the user of a version mismatch. – The secure boot-config command can be run to upgrade the configuration archive to a newer version after new configuration commands have been issued. Securing the Cisco IOS Image and Configuration Files Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Securing the Cisco IOS Image and Configuration Files • Secured files do not appear in the output of a dir command that is issued from the CLI because the Cisco IOS file system prevents secure files from being listed. • use the show secure bootset command to verify the existence of the archive. Securing the Cisco IOS Image and Configuration Files Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Securing the Cisco IOS Image and Configuration Files • There are five steps to restore a primary bootset from a secure archive after the router has been tampered with (by an NVRAM erase or a disk format): 1. Step 1. Reload the router using the reload command. 2. Step 2. From ROMmon mode, enter the dir command to list the contents of the device that contains the secure bootset file. From the CLI, the device name can be found in the output of the show secure bootset command. 3. Step 3. Boot the router with the secure bootset image using the boot command with the filename found in Step 2. When the compromised router boots, change to privileged EXEC mode and restore the configuration. 4. Step 4. Enter global configuration mode using conf t 5. Step 5. Restore the secure configuration to the supplied filename using the command. Securing the Cisco IOS Image and Configuration Files Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Securing the Cisco IOS Image and Configuration Files Recover password Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Securing the Cisco IOS Image and Configuration Files • An administrator can mitigate this potential security breach by using the no service password-recovery global configuration command. • If a router is configured with the no service password-recovery command, all access to ROMmon mode is disabled. • To recover a device after the no service password-recovery command is entered, issue the break sequence within 5 seconds after the image decompresses during the boot. – You are prompted to confirm the break action. – After the action is confirmed, the startup configuration is completely erased, the password recovery procedure is enabled, and the router boots with the factory default configuration. • One note of caution, if the router flash memory does not contain a valid Cisco IOS image because of corruption or deletion, the ROMmon xmodem command cannot be used to load a new flash image. • To repair the router, an administrator must obtain a new Cisco IOS image on a flash SIMM or on a PCMCIA card. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Securing the Cisco IOS Image and Configuration Files Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Secure Management and Report Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Secure Management and Report • When logging and managing information, the information flow between management hosts and the managed devices can take two paths: – Out-of-band (OOB) - Information flows on a dedicated management network on which no production traffic resides. – In-band - Information flows across an enterprise production network, the Internet, or both using regular data channels. • The primary threat is a hacker attempting to gain access to the management network itself. • To mitigate the threat of a compromised device, strong access control should be implemented at the firewall and at every other device. • Additionally, management devices should be set up in a fashion that prevents direct communication with other hosts on the same management subnet, using separate LAN segments or VLANs. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Secure Management and Report Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Secure Management and Report Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Using Syslog for Network Security • You should configure the router to send log messages to one or more of the following items. – Console - Console logging is on by default. • Messages log to the console and can be viewed when modifying or testing the router using terminal emulation software while connected to the console port of the router. – Terminal lines - Enabled EXEC sessions can be configured to receive log messages on any terminal lines. – Buffered logging - Buffered logging is a little more useful as a security tool because log messages are stored in router memory for a time. – SNMP traps - Certain thresholds can be preconfigured on routers and other devices – Syslog - Cisco routers can be configured to forward log messages to an external syslog service. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Using Syslog for Network Security • Cisco router log messages fall into one of 8 levels. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Using Syslog for Network Security • Examples: Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Using Syslog for Network Security • Log message: Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Using Syslog for Network Security • Syslog is the standard for logging system events. • Syslog implementations contain 2 types of systems. 1. Syslog servers - Also known as log hosts, these systems accept and process log messages from syslog clients. 2. Syslog clients - Routers or other types of equipment that generate and forward log messages to syslog servers. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Using Syslog for Network Security • Use the following steps to configure system logging. • Step 1. Set the destination logging host using the logging host command. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Using Syslog for Network Security • Step 2. (Optional) Set the log severity (trap) level using the logging trap level command. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Using Syslog for Network Security • Step 3. Set the source interface using the logging source-interface command. • This specifies that syslog packets contain the IPv4 or IPv6 address of a particular interface, regardless of which interface the packet uses to exit the router. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Using Syslog for Network Security • Step 4. Enable logging with the logging on command. • You can turn logging on and off for these destinations individually using the logging buffered, logging monitor, and logging global configuration commands • However, if the logging on command is disabled, no messages are sent to these destinations. • Only the console receives messages. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Using Syslog for Network Security • For Example: Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Using Syslog for Network Security • To enable syslog logging on your router using Cisco Router and Security Device Manager (SDM), follow these steps. 1. Step 1. Choose Configure > Router > Logging. 2. Step 2. From the Logging pane, click Edit. 3. Step 3. In the Logging window, select Enable Logging Level and choose the logging level from the Logging Level list box. Messages will be logged for the level selected and below. 4. Step 4. Click Add, and enter an IP address of a logging host in the IP Address/Hostname field. 5. Step 5. Click OK to return to the Logging dialog box. 6. Step 6. Click OK to accept the changes and return to the Logging pane. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Using Syslog for Network Security Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Using Syslog for Network Security • Cisco SDM can be used to monitor logging by choosing Monitor > Logging. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Using SNMP for Network Security • SNMP was developed to manage nodes, such as servers, workstations, routers, switches, hubs, and security appliances, on an IP network. SNMP is an Application Layer protocol that facilitates the exchange of management information between network devices. • SNMP version 1 (SNMPv1) and SNMP version 2 (SNMPv2) are based on managers (network management systems [NMSs]), agents (managed nodes), and Management Information Bases (MIBs) • The SNMP manager can get information from the agent, and change, or set, information in the agent. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Using SNMP for Network Security Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Using SNMP for Network Security • There are two types of community strings. – Read-only community strings - Provides read-only access to all objects in the MIB, except the community strings. – Read-write community strings - Provides read-write access to all objects in the MIB, except the community strings Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Using SNMP for Network Security • The current version of SNMPv3 addresses the vulnerabilities of earlier versions by including three important services: authentication, privacy, and access control. • SNMPv3 is an interoperable standards-based protocol for network management. • SNMPv3 provides three security features. – Message integrity - Ensures that a packet has not been tampered with in transit. – Authentication - Determines that the message is from a valid source. – Encryption - Scrambles the contents of a packet to prevent it from being seen by an unauthorized source. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Using SNMP for Network Security Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Using SNMP for Network Security • There are three security levels. – noAuth - Authenticates a packet by a string match of the username or community string. – auth - Authenticates a packet by using either the Hashed Message Authentication Code (HMAC) with MD5 method or Secure Hash Algorithms (SHA) method. The HMAC method is described in RFC 2104, HMAC: Keyed-Hashing for Message Authentication. – priv - Authenticates a packet by using either the HMAC MD5 or HMAC SHA algorithms and encrypts the packet using the Data Encryption Standard (DES), Triple DES (3DES), or Advanced Encryption Standard (AES) algorithms. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Using SNMP for Network Security • To enable SNMPv1 and SNMPv2 using CCP follow these steps: • Step 1. Choose Configure > Router > SNMP. Click the Edit button. • Step 2. From the SNMP Properties window, select Enable SNMP to enable SNMP support. • Set community strings and enter trap manager information from the same SNMP Properties window used to enable support. • Step 3. In the SNMP Properties window, click Add to create new community strings, click Edit to edit an existing community string, or click Delete to delete a community string. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Using SNMP for Network Security • An example CLI command that SDM would generate based on a read only community string of cisco123 is snmp-server community cisco123 ro. – ro - Assigns a read-only community string. – rw - Assigns a read-write community string. Using SNMP for Network Security Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Using SNMP for Network Security • CCP can be used to add, edit, or delete a trap receiver: • Step 1. From the SNMP pane in CCP, click Edit. The SNMP Properties window displays. • Step 2. To add a new trap receiver, click Add in the Trap Receiver section of the SNMP Properties window. The Add a Trap Receiver window displays. • Step 3. Enter the IP address or host name of the trap receiver and the password that is used to connect to the trap receiver. Typically, this is the IP address of the SNMP management station that monitors the domain. Check with the site administrator to determine the address if unsure. • Step 4. Click OK to finish adding the trap receiver. • Step 5. To edit an existing trap receiver, choose a trap receiver from the trap receiver list and click Edit. To delete an existing trap receiver, choose a trap receiver from the trap receiver list and click Delete. • Step 6. When the trap receiver list is complete, click OK to return to the SNMP pane. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Using SNMP for Network Security Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Using NTP • Typically, the date and time settings of the router can be set using one of two methods: – Manually editing the date and time – Configuring the Network Time Protocol (NTP) Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Using NTP Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Using NTP Stratum Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Stratum • In the world of NTP, stratum levels define the distance from the reference clock. A reference clock is a stratum-0 device that is assumed to be accurate and has lttle or no delay associated with it. The reference clock typically synchronizes to the correct time (UTC) using GPS transmissions, CDMA technology or other time signals such as Irig-B, WWV, DCF77, etc. Stratum-0 servers cannot be used on the network, instead, they are directly connected to computers which then operate as stratum-1 servers. A server that is directly connected to a stratum-0 device is called a stratum-1 server. This includes all time servers with built-in stratum-0 devices, such as the EndRun Time Servers, and also those with direct links to stratum-0 devices such as over an RS-232 connection or via an IRIG-B time code. The basic definition of a stratum-1 time server is that it be directly linked (not over a network path) to a reliable source of UTC time such as GPS, WWV, or CDMA transmissions. A stratum-1 time server acts as a primary network time standard. A stratum-2 server is connected to the stratum-1 server OVER A NETWORK PATH. Thus, a stratum-2 server gets its time via NTP packet requests from a stratum-1 server. A stratum-3 server gets its time via NTP packet requests from a stratum-2 server, and so on. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Using NTP Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Using NTP Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Using NTP Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Using NTP Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Using NTP • CCP allows a network administrator to view the configured NTP server information, add new information, and edit or delete existing information. • There are seven steps to add an NTP server using CCP: • Step 1. Choose Configure > Router > Time > NTP and SNTP • Step 2. To add a new NTP server, click Add. • Step 3. Add an NTP server by name (if the router is configured to use a Domain Name System server) or by IP address. • Step 4. (Optional) From the NTP Source Interface drop-down list, choose the interface that the router uses to communicate with the NTP server. • Step 5. Select Prefer if this NTP server has been designated as a preferred NTP server. • Step 6. If the NTP server uses authentication, select Authentication Key and enter the key number and key value. • Step 7. Click OK to finish adding the server. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Using NTP Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Performing a Security Audit • Cisco Discovery Protocol (CDP) is an example of a service that is enabled by default in Cisco routers. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Performing a Security Audit • Many practices help ensure a device is secure. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Performing a Security Audit • Many practices help ensure a device is secure. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Performing a Security Audit • Three security audit tools available include: – Security Audit Wizard – Cisco AutoSecure – One-Step Lockdown Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Performing a Security Audit • Security Audit Wizard Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Performing a Security Audit • Security Audit Wizard Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Performing a Security Audit • Security Audit Wizard Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Performing a Security Audit • Security Audit Wizard Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Performing a Security Audit • Security Audit Wizard Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Locking Down a Router using AutoSecure • Released in IOS version 12.3, Cisco AutoSecure is a feature that is initiated from the CLI and executes a script. • AutoSecure first makes recommendations for fixing security vulnerabilities and then modifies the security configuration of the router. • There are three forwarding plane services and functions: 1. Enables Cisco Express Forwarding (CEF) 2. Enables traffic filtering with ACLs 3. Implements Cisco IOS firewall inspection for common protocols • AutoSecure is often used in the field to provide a baseline security policy on a new router. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Locking Down a Router using AutoSecure Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Locking Down a Router using AutoSecure • Config: Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Locking Down a Router using AutoSecure Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Locking Down a Router using AutoSecure • When the auto secure command is initiated, a wizard is displayed to step the administrator through the configuration of the device. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Locking Down a Router using AutoSecure Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Locking Down a Router using AutoSecure Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Locking Down a Router using AutoSecure Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Locking Down a Router using AutoSecure Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Locking Down a Router using AutoSecure Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Locking Down a Router using AutoSecure Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Locking Down a Router Using CCP • Step 1: Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Locking Down a Router Using CCP • Step 2: Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Locking Down a Router Using CCP • Step 3: Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Locking Down a Router Using CCP • Step 4: Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Locking Down a Router Using CCP • Step 5: Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Locking Down a Router Using CCP Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Summary Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com