Released in IOS version 12.3, Cisco AutoSecure is a feature that is
initiated from the CLI and executes a script.
• AutoSecure first makes recommendations for fixing security
vulnerabilities and then modifies the security configuration of the
router.
• There are three forwarding plane services and functions:
1. Enables Cisco Express Forwarding (CEF)
2. Enables traffic filtering with ACLs
3. Implements Cisco IOS firewall inspection for common
protocols
• AutoSecure is often used in the field to provide a baseline security policy on a new router.
Chapter 2 – Securing Network Devices
CCNA Security
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Securing Device Access
Securing the Edge Router
• Securing the network infrastructure is critical to overall network
security: routers, switches, servers, endpoints, and other devices.
• The edge router is the last router between the internal network and
an untrusted network such as the Internet.
• If an attacker gains access to a router, the security and management of the entire network can be compromised, leaving servers and endpoints at risk.
• The edge router implementation varies depending on the size
of the organization and the complexity of the required
network design.
• Single Router Approach
– In the single router approach, a single router connects the
protected network, or internal LAN, to the Internet.
– This is more commonly deployed in smaller site
implementations such as branch and SOHO sites.
• Defense-in-Depth Approach
– In this approach, the edge router acts as the first line of defense and is
known as a screening router.
– It passes all connections that are intended for the internal LAN to the
firewall.
– The second line of defense is the firewall, which typically picks up where
the edge router leaves off and performs additional filtering.
– It provides additional access control by tracking the state of the
connections and acts as a checkpoint device.
• DMZ Approach
– A variation of the defense-in-depth approach is to offer an intermediate
area, often called the demilitarized zone (DMZ).
– The DMZ can be used for servers that must be accessible from the
Internet or some other external network.
– The DMZ can be set up between two routers, with an internal router
connecting to the protected network and an external router connecting
to the unprotected network, or it can simply be an additional port off of a
single router.
• Three areas of router security must be maintained.
– Physical Security
– Operating System Security
– Router Hardening
Refer to 2.1.1.3
• There are two ways to access a device for administrative purposes: locally and remotely.
Configuring Secure Administrative Access
• Attackers deploy various methods of discovering administrative passwords.
– They can shoulder surf, attempt to guess passwords based on the
user's personal information, or sniff TFTP packets containing plaintext
configuration files.
– Attackers can also use tools such as L0phtCrack and Cain & Abel to
attempt brute force attacks and guess passwords.
• Guidelines for creating strong passwords:
1. Use a password length of 10 or more characters. The longer, the
better.
2. Make passwords complex. Include a mix of uppercase and
lowercase letters, numbers, symbols, and spaces.
3. Avoid passwords based on repetition, dictionary words, letter or
number sequences, usernames, relative or pet names, or
biographical information such as birthdates, ID numbers,
ancestor names, or other easily identifiable pieces of
information.
4. Deliberately misspell a password. For example, Smith = Smyth =
5mYth or Security = 5ecur1ty.
5. Change passwords often. If a password is unknowingly
compromised, the window of opportunity for the attacker to use
the password is limited.
6. Do not write passwords down and leave them in obvious places
such as on the desk or monitor.
• To increase the security of passwords, the following
should be configured:
– Enforce minimum password lengths.
– Disable unattended connections.
– Encrypt all passwords in the configuration file.
1. Minimum password lengths
Beginning with the Cisco IOS Release 12.3(1) and
later, administrators can set the minimum character
length for all router passwords from 0 to 16 characters
using the global configuration command security
passwords min-length length.
2. Disable Unattended Connections
– By default, an administrative interface stays active and logged in
for 10 minutes after the last session activity.
– After that, the interface times out and logs out of the session.
– These timers can be adjusted using the exec-timeout
command in line configuration mode for each of the line types
that are used.
Example:
line vty 0
 exec-timeout 0 10
 password cisco
With exec-timeout 0 10 (0 minutes, 10 seconds), a session whose last activity is at time T1 is logged out at T1 + 10 seconds.
3. Encrypt Passwords
• Another available security feature is
authentication.
• Cisco routers can maintain a list of usernames
and passwords in a local database on the router
for performing local login authentication.
• There are two methods of configuring local
username accounts.
1. username name password password
2. username name secret password
Configuring Enhanced Security for Virtual Logins
• The following commands are available to configure a Cisco IOS
device to support the enhanced login features.
Router# configure terminal
Router(config)# login block-for seconds attempts tries within seconds
Router(config)# login quiet-mode access-class {acl-name | acl-number}
Router(config)# login delay seconds
Router(config)# login on-failure log [every login]
Router(config)# login on-success log [every login]
(VTY stands for Virtual TeletYpe.)
• All login enhancement features are disabled by default.
• Use the login block-for command to enable login enhancements.
• The login block-for feature monitors login device activity and operates
in two modes:
1. Normal mode (watch mode) - The router keeps count of the
number of failed login attempts within an identified amount of
time.
2. Quiet mode (quiet period) - If the number of failed logins exceeds
the configured threshold, all login attempts using Telnet, SSH,
and HTTP are denied.
• When quiet mode is enabled, all login attempts, including valid
administrative access, are not permitted.
• However, to provide critical hosts access at all times, this behavior can
be overridden using an ACL.
• The ACL must be created and identified using the login quiet-mode
access-class command.
• By default, Cisco IOS devices can accept connections,
such as Telnet, SSH, and HTTP, as quickly as they can
be processed.
• This makes devices susceptible to dictionary attack
tools, such as Cain or L0phtCrack, which are capable
of thousands of password attempts per second.
• The login block-for command invokes an
automatic delay of 1 second between login
attempts.
• Attackers have to wait 1 second before they
can try a different password.
• This delay time can be changed using the login delay command.
• login on-failure log [every login] generates logs for failed login requests.
• login on-success log [every login] generates log messages for
successful login requests.
• The number of login attempts before a message is generated can be
specified using the [every login] parameter.
• The default value is 1 attempt. The valid range is from 1 to 65,535.
• As an alternative, the security authentication failure rate threshold-rate
log command generates a log message when the login failure rate is
exceeded.
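The watch-mode/quiet-mode behaviour, the quiet-mode ACL exemption, the login delay and the on-failure/on-success messages described above, modelled as an added example written for this page (not Cisco code); the scenario, the 10.0.0.0/8 management network and the exact log wording are constructed assumptions.

```python
"""Behavioural model of the Cisco IOS 'login block-for' feature described on
this page: watch mode, quiet mode, the quiet-mode ACL exemption, the login
delay, and the on-failure / on-success log messages.  Added teaching example,
not Cisco code; the log wording is modelled on IOS's %SEC_LOGIN messages and
is an assumption, not a verbatim copy."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class LoginBlockFor:
    block_for: int                  # login block-for <seconds> ...
    attempts: int                   # ... attempts <tries> ...
    within: int                     # ... within <seconds>
    quiet_acl: List[str] = field(default_factory=list)  # login quiet-mode access-class
    delay: int = 1                  # login delay <seconds>; the IOS default is 1
    failures: List[float] = field(default_factory=list)  # timestamps of recent failures
    quiet_until: Optional[float] = None                  # end of the current quiet period
    last_attempt: Optional[float] = None
    log: List[str] = field(default_factory=list)

    def _acl_permits(self, src: str) -> bool:
        """Hosts matched by the quiet-mode ACL may still log in during quiet mode."""
        return any(ip_address(src) in ip_network(net) for net in self.quiet_acl)

    def attempt(self, now: float, src: str, user: str, password_ok: bool) -> str:
        """Process one login attempt; returns ACCEPT, REJECT or QUIET."""
        # Login delay: an attempt is not processed sooner than `delay` seconds
        # after the previous one, which throttles dictionary tools.
        if self.last_attempt is not None:
            now = max(now, self.last_attempt + self.delay)
        self.last_attempt = now

        # Leave quiet mode once the block-for period has elapsed.
        if self.quiet_until is not None and now >= self.quiet_until:
            self.quiet_until = None
            self.log.append(f"%SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF at {now:.0f}")

        # Quiet mode: every login is denied unless the ACL permits the source.
        if self.quiet_until is not None and not self._acl_permits(src):
            self.log.append(f"%SEC_LOGIN-4-LOGIN_FAILED: Login denied in quiet mode "
                            f"[user: {user}] [Source: {src}] at {now:.0f}")
            return "QUIET"

        if password_ok:
            self.log.append(f"%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success "
                            f"[user: {user}] [Source: {src}] at {now:.0f}")
            return "ACCEPT"

        # Watch mode: count failures inside the sliding `within` window.
        self.failures = [t for t in self.failures if now - t < self.within]
        self.failures.append(now)
        self.log.append(f"%SEC_LOGIN-4-LOGIN_FAILED: Login failed "
                        f"[user: {user}] [Source: {src}] at {now:.0f}")
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures.clear()
            self.log.append(f"%SEC_LOGIN-1-QUIET_MODE_ON: Quiet Mode is ON "
                            f"for {self.block_for} secs at {now:.0f}")
        return "REJECT"


def demo() -> List[str]:
    """Constructed scenario: 'login block-for 120 attempts 3 within 60' with
    10.0.0.0/8 (an assumed management network) in the quiet-mode ACL."""
    guard = LoginBlockFor(block_for=120, attempts=3, within=60, quiet_acl=["10.0.0.0/8"])
    scenario = [
        (0.0,   "203.0.113.7", "admin", False),  # first guess from an outside host
        (0.2,   "203.0.113.7", "admin", False),  # too fast: held until t=1 by the login delay
        (2.0,   "203.0.113.7", "admin", False),  # third failure within 60 s -> quiet mode
        (3.0,   "203.0.113.7", "admin", True),   # correct password, but quiet mode denies it
        (4.0,   "10.1.1.5",    "admin", True),   # management host: the ACL exempts it
        (130.0, "203.0.113.7", "admin", True),   # quiet period over, logins work again
    ]
    return [guard.attempt(*step) for step in scenario]


if __name__ == "__main__":
    print(demo())
```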
• Use banner messages to present legal notification to potential
intruders to inform them that they are not welcome on a network.
• Banners are disabled by default and must be explicitly enabled.
• Tokens are optional and can be used within the message section of
the banner command:
– $(hostname) - Displays the host name for the router.
– $(domain) - Displays the domain name for the router.
– $(line) - Displays the vty or tty (asynchronous) line number.
– $(line-desc) - Displays the description that is attached to the
line.
Refer to 2.1.3.5
darkstar(config)# banner login %
Enter TEXT message. End with the character '%'.
You have entered $(hostname).$(domain) on line $(line) ($(line-desc)) %
When the login banner is executed, the user will see the following banner. Notice that the $(token) syntax is replaced by the corresponding configuration variable.
You have entered darkstar.ourdomain.com on line 5 (Dialin Modem)
Configure SSH
• SSH has replaced Telnet as the
recommended practice for providing
remote router administration with
connections that support confidentiality
and session integrity.
• It provides functionality that is similar to an
outbound Telnet connection, except that
the connection is encrypted and operates
on port 22.
• Step 1. Ensure that the target routers are running a
Cisco IOS Release 12.1(1)T image or later to support
SSH.
• Step 2. Ensure that each of the target routers has a
unique host name.
• Step 3. Ensure that each of the target routers is
using the correct domain name of the network.
• Step 4. Ensure that the target routers are configured
for local authentication or AAA services for
username and password authentication. This is
mandatory for a router-to-router SSH connection.
• Optionally, SSH commands can be used to configure the following:
– SSH version
– SSH timeout period
– Number of authentication retries
• The time interval that the router waits for the SSH client to respond during the SSH
negotiation phase can be configured using the ip ssh time-out seconds command
in global configuration mode. The default is 120 seconds.
• By default, a user logging in has 3 attempts before being disconnected.
• To configure a different number of consecutive SSH retries, use the ip ssh
authentication-retries integer command in global configuration mode.
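An audit of the password, exec-timeout, login-enhancement and SSH settings covered under Configuring Secure Administrative Access and in this SSH section, as an added example that is not the page's or Cisco's code; the two running-configs, the check names and the placeholder hash strings are constructed.

```python
"""Audit a Cisco IOS running-config for the administrative-access hardening
settings this page covers: minimum password length, exec-timeout on every
line, password encryption, enable/username secrets, login block-for and
login logging, a login banner, and the SSH version and retry limit.
Added example for this page, not Cisco tooling; both configs are constructed
samples and the hash strings in them are placeholders."""
import re
from typing import Dict, List, Tuple

WEAK_CONFIG = """\
enable password cisco
username admin password admin123
ip ssh authentication-retries 5
line con 0
 password cisco
 login
line vty 0 4
 exec-timeout 0 0
 password cisco
 login
"""

HARDENED_CONFIG = """\
security passwords min-length 10
service password-encryption
enable secret 5 $1$PLACEHOLDER$hash
username admin secret 5 $1$PLACEHOLDER$hash
login block-for 120 attempts 3 within 60
login on-failure log
login on-success log
banner login %Authorized access only%
ip ssh version 2
ip ssh authentication-retries 3
line con 0
 exec-timeout 5 0
 login local
line vty 0 4
 exec-timeout 5 0
 login local
"""

Finding = Tuple[str, bool, str]  # (check name, passed, detail)


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global commands and the indented commands
    under each 'line ...' header (con, aux, vty)."""
    global_cmds: List[str] = []
    line_blocks: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            line_blocks[current].append(raw.strip())
            continue
        current = None
        if raw.startswith("line "):
            current = raw.strip()
            line_blocks[current] = []
        else:
            global_cmds.append(raw.strip())
    return global_cmds, line_blocks


def _value(cmds: List[str], prefix: str, default: int) -> int:
    # Integer argument following `prefix`, or `default` when not configured.
    for c in cmds:
        if c.startswith(prefix):
            return int(c[len(prefix):].split()[0])
    return default


def audit(text: str) -> List[Finding]:
    g, lines = parse_config(text)

    def has(prefix: str) -> bool:
        return any(c.startswith(prefix) for c in g)

    min_len = _value(g, "security passwords min-length ", 0)
    retries = _value(g, "ip ssh authentication-retries ", 3)  # IOS default is 3
    plain_users = [c.split()[1] for c in g if re.match(r"username \S+ password ", c)]
    findings: List[Finding] = [
        ("security passwords min-length >= 10", min_len >= 10, f"configured {min_len}"),
        ("service password-encryption", has("service password-encryption"), ""),
        ("enable secret instead of enable password", has("enable secret") and not has("enable password"), ""),
        ("username ... secret instead of password", not plain_users, ", ".join(plain_users)),
        ("login block-for configured", has("login block-for"), ""),
        ("login on-failure log", has("login on-failure log"), ""),
        ("banner login present", has("banner login"), ""),
        ("ip ssh version 2", has("ip ssh version 2"), ""),
        ("ip ssh authentication-retries <= 3", retries <= 3, f"configured {retries}"),
    ]
    for name, cmds in lines.items():
        timeout = next((c for c in cmds if c.startswith("exec-timeout")), None)
        # 'exec-timeout 0 0' disables the idle timeout; a missing command keeps
        # the 10-minute default silently, so both cases are reported.
        explicit = timeout is not None and timeout.split()[1:3] != ["0", "0"]
        findings.append((f"{name}: exec-timeout set", explicit, timeout or "missing"))
        findings.append((f"{name}: login local", "login local" in cmds, ""))
    return findings


def failed_checks(text: str) -> List[str]:
    # Names of the checks a config fails; empty for a hardened config.
    return [name for name, ok, _ in audit(text) if not ok]
```

Running `failed_checks(WEAK_CONFIG)` lists every hardening item the weak sample lacks, while the hardened sample returns an empty list.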
• There are two different ways to connect to
an SSH-enabled router:
1. Connect using an SSH-enabled Cisco router
using the privileged EXEC mode ssh
command.
2. Connect using a publicly and commercially
available SSH client running on a host.
Examples of these clients are PuTTY,
OpenSSH, and TeraTerm.
• CCP can be used to configure an SSH daemon on a
router.
• To see the current SSH key settings, choose Configure
> Router > Router Access > SSH.
• The SSH key settings have two status options
1. RSA key is not set on this router - This notice
appears if there is no cryptographic key configured
for the device. If there is no key configured, enter a
modulus size and generate a key.
2. RSA key is set on this router - This notice
appears if a cryptographic key has been generated,
in which case SSH is enabled on this router.
Assigning Administrative Roles
Configuring Privilege levels
• Configuring privilege levels is the next step for the system
administrator who wants to secure the network.
• Privilege levels determine who should be allowed to connect to the
device and what that person should be able to do with it.
• The Cisco IOS software CLI has 2 levels of access to commands.
1. User EXEC mode (privilege level 1) - Provides the
lowest EXEC mode user privileges and allows only
user-level commands available at the router>
prompt.
2. Privileged EXEC mode (privilege level 15) -
Includes all enable-level commands at the router#
prompt.
• Cisco IOS software has two methods of providing infrastructure
access: privilege level and role-based CLI.
• It is important to note that assigning a
command with multiple keywords,
such as show ip route, to a specific
privilege level automatically assigns
all commands associated with the
first few keywords to the specified
privilege level.
For example:
• Subcommands coming under show ip route are
also automatically assigned to the same
privilege level. Assigning the show ip route
allows the user to issue all show commands,
such as show version.
• Both the show command and the show ip
command are automatically set to the privilege
level where show ip route is set. This is
necessary because the show ip route command
cannot be executed without access to the show
and show ip commands.
• To assign level 10 to the privileged EXEC mode reload command,
use the following command sequence.
– privilege exec level 10 reload
– username jr-admin privilege 10 secret cisco10
– enable secret level 10 cisco10
• Limitations:
1. No access control to specific interfaces, ports,
logical interfaces, and slots on a router.
2. Commands available at lower privilege levels
are always executable at higher levels.
3. Commands specifically set on a higher privilege
level are not available for lower privileged users.
4. Assigning a command with multiple keywords to
a specific privilege level also assigns all
commands associated with the first keywords to
the same privilege level. An example is the show
ip route command.
For example:
username student14 privilege 14 secret cisco14
privilege router level 14 default-information originate
privilege router level 14 redistribute
privilege router level 14 network
privilege configure level 14 router
privilege interface level 14 ip address
privilege interface level 14 no shutdown
privilege configure level 14 interface
privilege exec level 14 configure terminal
privilege exec level 14 show running-config
line vty 0 4
login local
Router(config)# enable secret level 15 class15
or, since the default level is 15:
Router(config)# enable secret class15
Configuring Role-Based CLI Access
• To provide more flexibility than privilege levels, Cisco
introduced the Role-Based CLI Access feature in Cisco
IOS Release 12.3(11)T.
• Role-based CLI access enhances the security of the
device by defining the set of CLI commands that is
accessible by a particular user.
• Role-based CLI access prevents unintentional execution of
CLI commands by unauthorized personnel, which could
result in undesirable results.
• Users only see the CLI commands applicable to the ports
and CLI to which they have access; therefore, the router
appears to be less complex, and commands are easier to
identify when using the help feature on the device.
• Role-based CLI provides 3 types of views:
1. Root view
2. CLI view
3. Superview
Refer to 2.2.2.2
• Root View
– To configure any view for the system, the administrator
must be in root view.
– Root view has the same access privileges as a user who
has level 15 privileges.
– However, a root view is not the same as a level 15 user.
– Only a root view user can configure a new view and add
or remove commands from the existing views.
• CLI View
– Unlike privilege levels, a CLI view has no command
hierarchy and, therefore, no higher or lower views.
– Each view must be assigned all commands associated
with that view, and a view does not inherit commands
from any other views.
– Additionally, the same commands can be used in multiple
views.
• Superview
– A superview consists of one or more CLI views.
– Superviews allow a network administrator to assign users and
groups of users multiple CLI views at once, instead of having to
assign a single CLI view per user with all commands associated
to that one CLI view.
• Superviews have the following characteristics:
– A single CLI view can be shared within multiple superviews.
– Commands cannot be configured for a superview.
– An administrator must add commands to the CLI view and add
that CLI view to the superview.
– Users who are logged into a superview can access all the
commands that are configured for any of the CLI views that are
part of the superview.
– Each superview has a password that is used to switch between
superviews or from a CLI view to a superview.
• To configure and alter views, an administrator must log in as the
root view, using the enable view privileged EXEC command.
For example:
View "admin1"
R1(config)# enable secret cisco
R1(config)# aaa new-model
R1# enable view
Password:
R1(config)# parser view admin1
  secret admin1
  commands exec include show running-config
Testing:
R1# enable view admin1
Password:

View "admin2"
R1# enable view
Password:
R1(config)# parser view admin2
  secret admin2
  commands exec include configure terminal
  commands configure include interface
  commands configure include interface Loopback0
Testing:
R1# enable view admin2
Password:
Configure Superview
The steps to configure a superview are essentially the same as
configuring a CLI view, except that instead of using the
commands command to assign commands, use the view view-name command to assign views.
For example:
Superview "admin"
R1# enable view
Password:
R1(config)# parser view admin superview
  secret admin
  view admin1
  view admin1
Testing:
R1# enable view admin
Password:
Monitoring and Managing Devices
Securing the Cisco IOS Image and Configuration Files
• If attackers gain access to a router there are many things that they
could do.
• For example, they could alter traffic flows, alter configurations, and
even erase the startup configuration file and Cisco IOS image.
• If the configuration or IOS image is erased, the operator might need
to retrieve an archived copy to restore the router.
• The Cisco IOS Resilient Configuration feature allows for faster
recovery if someone reformats flash memory or erases the startup
configuration file in NVRAM.
• When a Cisco IOS image is secured, the resilient configuration
feature denies all requests to copy, modify, or delete it. The secure
copy of the startup configuration is stored in flash along with the
secure IOS image. This set of Cisco IOS image and router running
configuration files is referred to as the bootset.
• The Cisco IOS resilient configuration feature is only
available for systems that support a PCMCIA Advanced
Technology Attachment (ATA) flash interface.
• Two global configuration commands are available to configure the
Cisco IOS resilient configuration feature:
– secure boot-image
– secure boot-config
• The secure boot-image command
– This feature can be disabled only through a console session using the no form
of the command.
– This command functions properly only when the system is configured to run an
image from a flash drive with an ATA interface.
– Images that are booted from the network, such as a TFTP server, cannot be
secured.
– If the router is configured to boot with Cisco IOS resilience and an image with a
different version of the Cisco IOS software is detected, a message like the following is displayed at bootup:
ios resilience: Archived image and configuration version 12.2 differs from
running version 12.3
• The secure boot-config command
– A log message is displayed on the console notifying the user that configuration
resilience is activated.
– The configuration archive is hidden and cannot be viewed or removed directly
from the CLI prompt.
– This feature detects a different version of Cisco IOS configurations and notifies
the user of a version mismatch.
– The secure boot-config command can be run to upgrade the configuration
archive to a newer version after new configuration commands have been
issued.
• Secured files do not appear in the output of a dir command that is
issued from the CLI because the Cisco IOS file system prevents
secure files from being listed.
• Use the show secure bootset command to verify the existence of
the archive.
• There are five steps to restore a primary bootset from a secure
archive after the router has been tampered with (by an NVRAM
erase or a disk format):
Step 1. Reload the router using the reload command.
Step 2. From ROMmon mode, enter the dir command to list the contents of the device that contains the secure bootset file. From the CLI, the device name can be found in the output of the show secure bootset command.
Step 3. Boot the router with the secure bootset image using the boot command with the filename found in Step 2. When the compromised router boots, change to privileged EXEC mode and restore the configuration.
Step 4. Enter global configuration mode using conf t.
Step 5. Restore the secure configuration to the supplied filename using the command.
Recover password
• An administrator can mitigate this potential security breach by using the no
service password-recovery global configuration command.
• If a router is configured with the no service password-recovery
command, all access to ROMmon mode is disabled.
• To recover a device after the no service password-recovery command is
entered, issue the break sequence within 5 seconds after the image
decompresses during the boot.
– You are prompted to confirm the break action.
– After the action is confirmed, the startup configuration is completely
erased, the password recovery procedure is enabled, and the router
boots with the factory default configuration.
• One note of caution: if the router flash memory does not contain a valid
Cisco IOS image because of corruption or deletion, the ROMmon xmodem
command cannot be used to load a new flash image.
• To repair the router, an administrator must obtain a new Cisco IOS
image on a flash SIMM or on a PCMCIA card.
Secure Management and Report
• When logging and managing information, the information flow
between management hosts and the managed devices can take
two paths:
– Out-of-band (OOB) - Information flows on a dedicated
management network on which no production traffic resides.
– In-band - Information flows across an enterprise production
network, the Internet, or both using regular data channels.
• The primary threat is a hacker attempting to gain access to the
management network itself.
• To mitigate the threat of a compromised device, strong access
control should be implemented at the firewall and at every other
device.
• Additionally, management devices should be set up in a fashion
that prevents direct communication with other hosts on the same
management subnet, using separate LAN segments or VLANs.
Using Syslog for Network Security
• You should configure the router to send log messages to one or
more of the following items.
– Console - Console logging is on by default.
• Messages log to the console and can be viewed when
modifying or testing the router using terminal emulation
software while connected to the console port of the router.
– Terminal lines - Enabled EXEC sessions can be configured to
receive log messages on any terminal lines.
– Buffered logging - Buffered logging is a little more useful as a
security tool because log messages are stored in router memory
for a time.
– SNMP traps - Certain thresholds can be preconfigured on
routers and other devices.
– Syslog - Cisco routers can be configured to forward log
messages to an external syslog service.
• Cisco router log messages fall into one of 8 levels.
• Syslog is the standard for logging system events.
• Syslog implementations contain 2 types of systems.
1. Syslog servers - Also known as log hosts, these systems accept and
process log messages from syslog clients.
2. Syslog clients - Routers or other types of equipment that generate
and forward log messages to syslog servers.
• Use the following steps to configure system logging.
• Step 1. Set the destination logging host using the logging host
command.
• Step 2. (Optional) Set the log severity (trap) level using the logging
trap level command.
• Step 3. Set the source interface using the logging source-interface
command.
• This specifies that syslog packets contain the IPv4 or IPv6 address
of a particular interface, regardless of which interface the packet
uses to exit the router.
• Step 4. Enable logging with the logging on command.
• You can turn logging on and off for these destinations individually
using the logging buffered, logging monitor, and logging global
configuration commands.
• However, if the logging on command is disabled, no messages are
sent to these destinations.
• Only the console receives messages.
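The syslog client/server split, the 8 severity levels and the meaning of the logging trap level are easier to see from the receiving side. The following Python example is added here and is not part of the original slides or of any Cisco tool: it parses IOS-format syslog lines as a log host receives them, keeps only the messages a given `logging trap <level>` would forward (severity numerically at or below the level), and counts failed-login events per source address. The sample lines are constructed for this example; the message mnemonics (CONFIG_I, UPDOWN, LOGIN_FAILED) follow the IOS format, and the PRI values assume the IOS default syslog facility local7.

```python
import re
from collections import Counter

# IOS severity levels 0-7 and the keyword `logging trap <level>` accepts for each.
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# Shape of an IOS message as a syslog server receives it:
#   <PRI>seq: timestamp: %FACILITY-SEVERITY-MNEMONIC: description
# PRI = syslog_facility * 8 + severity; IOS uses facility local7 (23) by default.
_MSG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<seq>\d+): )?"
    r"(?:(?P<ts>[^%]*?): )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)

def parse_ios_syslog(line):
    """Return a dict describing one IOS syslog line, or None if it does not match."""
    m = _MSG_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    sev = int(m.group("sev"))
    return {
        "syslog_facility": pri // 8,       # 23 = local7
        "severity": sev,
        "severity_name": SEVERITY_NAMES[sev],
        "pri_matches": pri % 8 == sev,     # sanity check: PRI and mnemonic agree
        "facility": m.group("facility"),
        "mnemonic": m.group("mnemonic"),
        "text": m.group("text"),
    }

def forwarded_to_host(lines, trap_level=6):
    """Messages `logging trap <level>` would send: severity <= level (lower = more severe).
    The IOS default trap level is 6 (informational)."""
    out = []
    for line in lines:
        msg = parse_ios_syslog(line)
        if msg and msg["severity"] <= trap_level:
            out.append(msg)
    return out

_SOURCE_RE = re.compile(r"\[Source: ([^\]]+)\]")

def failed_logins_by_source(msgs):
    """Count %SEC_LOGIN-4-LOGIN_FAILED events per source address (a simple detection)."""
    counts = Counter()
    for msg in msgs:
        if msg["facility"] == "SEC_LOGIN" and msg["mnemonic"] == "LOGIN_FAILED":
            m = _SOURCE_RE.search(msg["text"])
            counts[m.group(1) if m else "unknown"] += 1
    return counts

# Constructed sample lines, shaped like what a log host receives from an IOS router.
SAMPLE_LINES = [
    "<189>45: *Mar  1 00:12:31.123: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.5)",
    "<187>46: *Mar  1 00:13:02.002: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<188>47: *Mar  1 00:13:05.514: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 00:13:05 UTC Mon Mar 1 1993",
    "<188>48: *Mar  1 00:13:09.771: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 00:13:09 UTC Mon Mar 1 1993",
]

if __name__ == "__main__":
    for msg in forwarded_to_host(SAMPLE_LINES, trap_level=4):   # logging trap warnings
        print(msg["severity_name"], msg["facility"], msg["mnemonic"])
    print(failed_logins_by_source(forwarded_to_host(SAMPLE_LINES)))
```

With `trap_level=4` (warnings) the CONFIG_I notification is not forwarded, which is exactly the trade-off a trap level makes: a lower level means fewer messages on the log host, but configuration-change notices (level 5) are among the ones a security team usually wants, so informational (6) is the more common choice.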
• To enable syslog logging on your router using Cisco Router and Security
Device Manager (SDM), follow these steps.
• Step 1. Choose Configure > Router > Logging.
• Step 2. From the Logging pane, click Edit.
• Step 3. In the Logging window, select Enable Logging Level and
choose the logging level from the Logging Level list box. Messages will
be logged for the level selected and below.
• Step 4. Click Add, and enter an IP address of a logging host in the IP
Address/Hostname field.
• Step 5. Click OK to return to the Logging dialog box.
• Step 6. Click OK to accept the changes and return to the Logging pane.
• Cisco SDM can be used to monitor logging by choosing Monitor >
Logging.
Using SNMP for Network Security
• SNMP was developed to manage nodes, such as
servers, workstations, routers, switches, hubs, and
security appliances, on an IP network. SNMP is an
Application Layer protocol that facilitates the exchange
of management information between network devices.
• SNMP version 1 (SNMPv1) and SNMP version 2
(SNMPv2) are based on managers (network
management systems [NMSs]), agents (managed
nodes), and Management Information Bases (MIBs).
• The SNMP manager can get information from the agent,
and change, or set, information in the agent.
• There are two types of community strings.
– Read-only community strings - Provide read-only access to
all objects in the MIB, except the community strings.
– Read-write community strings - Provide read-write access to
all objects in the MIB, except the community strings.
• The current version of SNMPv3 addresses the vulnerabilities of
earlier versions by including three important services:
authentication, privacy, and access control.
• SNMPv3 is an interoperable standards-based protocol for network
management.
• SNMPv3 provides three security features.
– Message integrity - Ensures that a packet has not been
tampered with in transit.
– Authentication - Determines that the message is from a valid
source.
– Encryption - Scrambles the contents of a packet to prevent it
from being seen by an unauthorized source.
• There are three security levels.
– noAuth - Authenticates a packet by a string match of the
username or community string.
– auth - Authenticates a packet by using either the Hashed
Message Authentication Code (HMAC) with MD5 method or
Secure Hash Algorithms (SHA) method. The HMAC method is
described in RFC 2104, HMAC: Keyed-Hashing for Message
Authentication.
– priv - Authenticates a packet by using either the HMAC MD5 or
HMAC SHA algorithms and encrypts the packet using the Data
Encryption Standard (DES), Triple DES (3DES), or Advanced
Encryption Standard (AES) algorithms.
• To enable SNMPv1 and SNMPv2 using CCP, follow these steps:
• Step 1. Choose Configure > Router > SNMP. Click the Edit button.
• Step 2. From the SNMP Properties window, select Enable SNMP to
enable SNMP support.
• Set community strings and enter trap manager information from the
same SNMP Properties window used to enable support.
• Step 3. In the SNMP Properties window, click Add to create new
community strings, click Edit to edit an existing community string, or
click Delete to delete a community string.
• An example CLI command that SDM would generate
based on a read only community string of cisco123 is
snmp-server community cisco123 ro.
– ro - Assigns a read-only community string.
– rw - Assigns a read-write community string.
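The community-string and SNMPv3 security-level material above maps directly onto a configuration review. The Python example below is added here; it is not from the slides, from CCP or from Cisco. It parses `snmp-server community` and `snmp-server group ... v3` lines as IOS accepts them (string, optional view, ro/rw, optional trailing access list; group name and noauth/auth/priv level) and reports read-write strings, well-known strings, strings with no access list, and v3 groups below the priv level. The configuration lines are constructed for this example, and the list of well-known strings is an assumption for illustration.

```python
# Community strings that ship as defaults or appear in every wordlist (assumed list).
WELL_KNOWN = {"public", "private", "cisco", "admin"}

def parse_community(line):
    """Parse `snmp-server community <string> [view <name>] [ro|rw] [ipv6 <nacl>] [<acl>]`.
    Returns (string, mode, acl); mode is 'ro' when omitted, which is the IOS default."""
    tokens = line.split()
    if tokens[:2] != ["snmp-server", "community"] or len(tokens) < 3:
        return None
    string, mode, acl = tokens[2], "ro", None
    rest, i = tokens[3:], 0
    while i < len(rest):
        tok = rest[i].lower()
        if tok in ("view", "ipv6"):
            i += 2                  # keyword plus its argument
            continue
        if tok in ("ro", "rw"):
            mode = tok
        else:
            acl = rest[i]           # trailing standard ACL number or name
        i += 1
    return string, mode, acl

def parse_v3_group(line):
    """Parse `snmp-server group <name> v3 {noauth|auth|priv} ...`; returns (name, level)."""
    t = line.split()
    if len(t) >= 5 and t[:2] == ["snmp-server", "group"] and t[3] == "v3":
        return t[2], t[4].lower()
    return None

def audit_snmp(config_lines):
    """Return (severity, line, explanation) findings for SNMP-related config lines."""
    findings = []
    for raw in config_lines:
        line = raw.strip()
        comm = parse_community(line)
        if comm:
            string, mode, acl = comm
            if mode == "rw":
                findings.append(("HIGH", line,
                    "read-write community string: configuration can be changed over SNMPv1/v2c"))
            if string.lower() in WELL_KNOWN:
                findings.append(("HIGH", line, f"well-known community string '{string}'"))
            if acl is None:
                findings.append(("MEDIUM", line,
                    "no access list restricts which managers may use this community"))
            continue
        grp = parse_v3_group(line)
        if grp:
            name, level = grp
            if level == "noauth":
                findings.append(("MEDIUM", line,
                    f"v3 group {name} uses noauth: username match only, no integrity or privacy"))
            elif level == "auth":
                findings.append(("LOW", line,
                    f"v3 group {name} uses auth: HMAC integrity, but the payload is not encrypted"))
    return findings

# Constructed configuration commands for this example (not from a real device).
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community cisco123 ro 10
snmp-server community private rw
snmp-server group ADMIN v3 priv
snmp-server group OPS v3 auth
snmp-server group LEGACY v3 noauth
snmp-server host 10.0.0.50 version 3 priv netmon
""".splitlines()

if __name__ == "__main__":
    for severity, line, why in audit_snmp(SAMPLE_CONFIG):
        print(f"{severity:6} {line:45} {why}")
```

Only the `cisco123 ro 10` line and the `ADMIN v3 priv` group pass: the first because it is read-only and bound to access list 10, the second because priv gives both HMAC authentication and encryption, which is the combination the three SNMPv3 security features above describe.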
• CCP can be used to add, edit, or delete a trap receiver:
• Step 1. From the SNMP pane in CCP, click Edit. The SNMP Properties window
displays.
• Step 2. To add a new trap receiver, click Add in the Trap Receiver section of the
SNMP Properties window. The Add a Trap Receiver window displays.
• Step 3. Enter the IP address or host name of the trap receiver and the password that
is used to connect to the trap receiver. Typically, this is the IP address of the SNMP
management station that monitors the domain. Check with the site administrator to
determine the address if unsure.
• Step 4. Click OK to finish adding the trap receiver.
• Step 5. To edit an existing trap receiver, choose a trap receiver from the trap
receiver list and click Edit. To delete an existing trap receiver, choose a trap receiver
from the trap receiver list and click Delete.
• Step 6. When the trap receiver list is complete, click OK to return to the SNMP pane.
Using NTP
• Typically, the date and time settings of the router can be set using
one of two methods:
– Manually editing the date and time
– Configuring the Network Time Protocol (NTP)
Stratum
• In the world of NTP, stratum levels define the distance from the reference clock. A
reference clock is a stratum-0 device that is assumed to be accurate and has little or no
delay associated with it. The reference clock typically synchronizes to the correct time
(UTC) using GPS transmissions, CDMA technology, or other time signals such as IRIG-B,
WWV, DCF77, etc. Stratum-0 devices cannot be used on the network; instead, they are
directly connected to computers, which then operate as stratum-1 servers.
• A server that is directly connected to a stratum-0 device is called a stratum-1
server. This includes all time servers with built-in stratum-0 devices, such as the
EndRun Time Servers, and also those with direct links to stratum-0 devices, such as over
an RS-232 connection or via an IRIG-B time code. The basic definition of a stratum-1
time server is that it be directly linked (not over a network path) to a reliable
source of UTC time such as GPS, WWV, or CDMA transmissions. A stratum-1 time
server acts as a primary network time standard.
• A stratum-2 server is connected to the stratum-1 server over a network path.
Thus, a stratum-2 server gets its time via NTP packet requests from a stratum-1
server. A stratum-3 server gets its time via NTP packet requests from a stratum-2
server, and so on.
Using NTP
• CCP allows a network administrator to view the configured NTP server
information, add new information, and edit or delete existing
information.
• There are seven steps to add an NTP server using CCP:
• Step 1. Choose Configure > Router > Time > NTP and SNTP
• Step 2. To add a new NTP server, click Add.
• Step 3. Add an NTP server by name (if the router is configured to use a
Domain Name System server) or by IP address.
• Step 4. (Optional) From the NTP Source Interface drop-down list,
choose the interface that the router uses to communicate with the NTP
server.
• Step 5. Select Prefer if this NTP server has been designated as a
preferred NTP server.
• Step 6. If the NTP server uses authentication, select Authentication
Key and enter the key number and key value.
• Step 7. Click OK to finish adding the server.
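The stratum discussion above and the authentication key entered in Step 6 both show up on the wire in an NTP reply: the stratum is a one-byte field in the 48-byte header, and the key number and key value become a trailing MAC. The Python example below is added here and is not from the slides or from Cisco; it builds an NTPv4 server reply, optionally appends the RFC 5905 symmetric-key MAC (32-bit key id followed by MD5 over the key and the header, the scheme `ntp authentication-key <n> md5` uses), then parses a reply the way a client should: read the stratum, reject stratum 0 and stratum 16 (unsynchronized), and refuse unauthenticated replies when a trusted key is configured. The key, key id, addresses and timestamps are constructed for this example.

```python
import hashlib
import hmac
import struct

NTP_UNIX_OFFSET = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)

def describe_stratum(stratum):
    """Map the 8-bit stratum field to its meaning (RFC 5905 and the stratum text above)."""
    if stratum == 0:
        return "unspecified/invalid on the wire (a reference clock is never queried over NTP)"
    if stratum == 1:
        return "primary server: directly attached to a stratum-0 reference clock"
    if 2 <= stratum <= 15:
        return f"secondary server: {stratum - 1} NTP hop(s) away from a stratum-1 server"
    return "unsynchronized"

def build_server_packet(stratum, ref_id, tx_unix_seconds, key_id=None, key=None):
    """Construct an NTPv4 mode-4 (server) reply; optionally append a symmetric-key MD5 MAC."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4                       # LI=0, version 4, mode 4
    hdr = struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)    # poll 2^6 s, precision 2^-20 s
    hdr += struct.pack("!II", 0, 0)                            # root delay, root dispersion
    hdr += ref_id                                              # 4-byte reference identifier
    hdr += struct.pack("!II", 0, 0) * 3                        # reference, origin, receive ts
    hdr += struct.pack("!II", tx_unix_seconds + NTP_UNIX_OFFSET, 0)  # transmit timestamp
    if key_id is not None:
        # RFC 5905 symmetric-key MAC: key id, then MD5(key || 48-byte header)
        hdr += struct.pack("!I", key_id) + hashlib.md5(key + hdr).digest()
    return hdr

def parse_server_packet(pkt, trusted_keys=None):
    """Decode stratum and transmit time; verify the MAC against a trusted-key table."""
    if len(pkt) < 48:
        raise ValueError("short NTP packet")
    li_vn_mode, stratum = struct.unpack("!BB", pkt[:2])
    info = {
        "leap": li_vn_mode >> 6, "version": (li_vn_mode >> 3) & 7, "mode": li_vn_mode & 7,
        "stratum": stratum, "stratum_text": describe_stratum(stratum),
        "ref_id": pkt[12:16],
        "tx_unix_seconds": struct.unpack("!I", pkt[40:44])[0] - NTP_UNIX_OFFSET,
        "key_id": None, "authenticated": False,
    }
    if len(pkt) >= 68:                        # 48-byte header + 4-byte key id + 16-byte MD5
        key_id = struct.unpack("!I", pkt[48:52])[0]
        info["key_id"] = key_id
        if trusted_keys and key_id in trusted_keys:
            expected = hashlib.md5(trusted_keys[key_id] + pkt[:48]).digest()
            info["authenticated"] = hmac.compare_digest(expected, pkt[52:68])
    return info

def acceptable_source(info, require_auth=True):
    """Decide whether a client should take time from this reply; returns (ok, reason)."""
    if info["mode"] != 4:
        return False, "not a server reply"
    if info["stratum"] == 0 or info["stratum"] >= 16:
        return False, "source is not synchronized: " + info["stratum_text"]
    if require_auth and not info["authenticated"]:
        return False, "reply is not authenticated with a trusted key"
    return True, info["stratum_text"]

# Constructed example: key 1 is the value shared with the router (key id 1, hypothetical).
TRUSTED_KEYS = {1: b"example-ntp-key"}
GOOD_REPLY = build_server_packet(2, b"\x0a\x00\x00\x01", 1_700_000_000, 1, TRUSTED_KEYS[1])
UNSYNCED_REPLY = build_server_packet(16, b"INIT", 1_700_000_000, 1, TRUSTED_KEYS[1])
FORGED_REPLY = build_server_packet(1, b"GPS\x00", 1_700_000_000, 1, b"wrong-key")
_tampered = bytearray(GOOD_REPLY); _tampered[1] = 1     # stratum changed after the MAC was made
TAMPERED_REPLY = bytes(_tampered)

if __name__ == "__main__":
    for name, pkt in [("good", GOOD_REPLY), ("unsynced", UNSYNCED_REPLY),
                      ("forged", FORGED_REPLY), ("tampered", TAMPERED_REPLY)]:
        print(name, acceptable_source(parse_server_packet(pkt, TRUSTED_KEYS)))
```

The forged and tampered replies fail for the same reason: the client recomputes MD5 over its copy of the key and the header it received, so a reply made with another key, or altered in transit, no longer matches its MAC. Without `require_auth` the forged stratum-1 reply would be accepted, which is why the CCP step that sets the key number and value matters more than the Prefer flag.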
Performing a Security Audit
• Cisco Discovery Protocol (CDP) is an example of a service that is
enabled by default in Cisco routers.
• Many practices help ensure a device is secure.
• Three security audit tools available include:
– Security Audit Wizard
– Cisco AutoSecure
– One-Step Lockdown
• Security Audit Wizard
Locking Down a Router using AutoSecure
• Released in IOS version 12.3, Cisco AutoSecure is a feature that is
initiated from the CLI and executes a script.
• AutoSecure first makes recommendations for fixing security
vulnerabilities and then modifies the security configuration of the
router.
• There are three forwarding plane services and functions:
1. Enables Cisco Express Forwarding (CEF)
2. Enables traffic filtering with ACLs
3. Implements Cisco IOS firewall inspection for common
protocols
• AutoSecure is often used in the field to provide a baseline security
policy on a new router.
• When the auto secure command is initiated, a wizard is displayed
to step the administrator through the configuration of the device.
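AutoSecure and the Security Audit Wizard both work by comparing the running configuration with a baseline and recommending fixes. The Python example below is added here and is not part of the slides, of AutoSecure or of CCP; it performs a small version of that comparison for the controls this chapter covers (no service password-recovery, CDP disabled, a syslog host and buffered logging present, NTP authentication when an NTP server is configured, and no debugging-level trap forwarding), and prints a remediation command for each finding. The two configurations are constructed for this example and the NTP key value is a placeholder.

```python
import re

# Controls that must be present in the running configuration:
# (id, pattern a config line must match, why its absence matters, remediation command)
REQUIRED = [
    ("password-recovery", r"^no service password-recovery$",
     "password recovery via ROMmon is possible for anyone with console access",
     "no service password-recovery"),
    ("cdp", r"^no cdp run$",
     "CDP is on by default and advertises platform and address details to neighbours",
     "no cdp run"),
    ("logging-host", r"^logging host \S+",
     "no external syslog server: log history is lost when the router reloads",
     "logging host <syslog-server-address>"),
    ("logging-buffered", r"^logging buffered",
     "no buffered logging: recent messages cannot be reviewed on the device",
     "logging buffered <size>"),
]
# Checked only when the router is an NTP client (an `ntp server` line exists).
NTP_REQUIRED = ("ntp-auth", r"^ntp authenticate$",
                "NTP replies are not authenticated: a rogue server could set the clock",
                "ntp authenticate, with ntp authentication-key and ntp trusted-key")
# Settings that are findings when present.
FORBIDDEN = [
    ("trap-debug", r"^logging trap debugging$",
     "level-7 (debugging) messages are forwarded to the syslog host and will flood it",
     "logging trap informational"),
]

def _present(lines, pattern):
    return any(re.match(pattern, line) for line in lines)

def audit_baseline(config_text):
    """Return a list of findings for an IOS running-config given as text."""
    lines = [line.strip() for line in config_text.splitlines()]
    findings = []
    checks = list(REQUIRED)
    if _present(lines, r"^ntp server \S+"):
        checks.append(NTP_REQUIRED)
    for cid, pattern, why, fix in checks:
        if not _present(lines, pattern):
            findings.append({"id": cid, "finding": why, "remediation": fix})
    for cid, pattern, why, fix in FORBIDDEN:
        if _present(lines, pattern):
            findings.append({"id": cid, "finding": why, "remediation": fix})
    return findings

# Constructed configs (not from any real device): a partially hardened router,
# and the same router after the remediations are applied.
SAMPLE_RUNNING_CONFIG = """\
hostname R1
no cdp run
logging buffered 16384
logging host 10.0.0.50
logging trap debugging
ntp server 10.0.0.1
"""
HARDENED_CONFIG = """\
hostname R1
no service password-recovery
no cdp run
logging buffered 16384
logging host 10.0.0.50
logging trap informational
ntp authentication-key 1 md5 EXAMPLE-KEY-PLACEHOLDER
ntp authenticate
ntp trusted-key 1
ntp server 10.0.0.1 key 1
"""

if __name__ == "__main__":
    for f in audit_baseline(SAMPLE_RUNNING_CONFIG):
        print(f"[{f['id']}] {f['finding']}\n    fix: {f['remediation']}")
```

Like AutoSecure, the script only recommends; applying `no service password-recovery` in particular should follow the caution given earlier in this chapter, since it also removes the normal ROMmon recovery path.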
Locking Down a Router Using CCP
• Step 1:
• Step 2:
• Step 3:
• Step 4:
• Step 5:
Summary