CCNA Security 2.0 Study Material – Chapter 2: Securing Network Devices

Chapter Outline:

2.0 Introduction
2.1 Securing Device Access
2.2 Assigning Administrative Roles
2.3 Monitoring and Managing Devices
2.4 Using Automated Security Features
2.5 Securing the Control Plane
2.6 Summary

Section 2.1: Securing Device Access

Upon completion of this section, you should be able to:

  • Explain how to secure a network perimeter.
  • Configure secure administrative access to Cisco routers.
  • Configure enhanced security for virtual logins.
  • Configure an SSH daemon for secure remote management.

Topic 2.1.1: Securing the Edge Router

Securing the Network Infrastructure

CCNA Security 2.0 Study Material – Chapter 2: Securing Network Devices 77

Edge Router Security Approaches

Single Router Approach

DMZ Approach

Three Areas of Router Security

Secure Administrative Access

Tasks:

  • Restrict device accessibility
  • Log and account for all access
  • Authenticate access
  • Authorize actions
  • Present legal notification
  • Ensure the confidentiality of data

Secure Local and Remote Access

Local Access

Remote Access Using Telnet

Remote Access Using Modem and Aux Port

Dedicated Management Network

Topic 2.1.2: Configuring Secure Administrative Access

Strong Passwords

Guidelines:

  • Use a password length of 10 or more characters.
  • Include a mix of uppercase and lowercase letters, numbers, symbols, and spaces.
  • Avoid passwords based on easily identifiable pieces of information.
  • Deliberately misspell a password (Smith = Smyth = 5mYth).
  • Change passwords often.
  • Do not write passwords down and leave them in obvious places.

Increasing Access Security

Secret Password Algorithms

Guidelines:

  • Configure all secret passwords as type 8 (PBKDF2-SHA-256) or type 9 (scrypt) hashes; type 7 is reversible and type 0 is plaintext, so neither protects a secret.
  • Use the enable algorithm-type {sha256 | scrypt} secret command to enter the password in plaintext; IOS stores only the resulting hash.

Use the username name algorithm-type scrypt secret command to store a local user's password as a type 9 hash (IOS calls this encryption, but it is a one-way hash, unlike the reversible type 7 produced by service password-encryption).

Securing Line Access

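The commands behind Topic 2.1.2, as an added example rather than a slide from the course: the weak forms the section tells you to remove are shown as comments, followed by the hardened equivalents. Hostname, user names, passwords, the management subnet and the timers are assumed values.

```cisco
! WEAK (remove): these leave credentials recoverable from the config or the wire
!   enable password Cisco123                 -> type 0, stored in plaintext
!   username ops password 7 0822455D0A16     -> type 7, reversible in seconds
!   line vty 0 4 / transport input telnet    -> logins cross the network in clear

! HARDENED
R1(config)# security passwords min-length 10
R1(config)# enable algorithm-type scrypt secret Str0ng-En@ble-Pass
R1(config)# username admin privilege 15 algorithm-type scrypt secret Adm1n-L0cal-Pass
! service password-encryption only type-7 obfuscates passwords that are still
! stored reversibly (line passwords, some protocol keys); it does not replace
! the secret/algorithm-type forms above.
R1(config)# service password-encryption

R1(config)# line console 0
R1(config-line)# login local
R1(config-line)# exec-timeout 5 0
R1(config-line)# logging synchronous
R1(config-line)# exit
! AUX port unused: no shell, no transport
R1(config)# line aux 0
R1(config-line)# no exec
R1(config-line)# transport input none
R1(config-line)# exit
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# exec-timeout 5 0
R1(config-line)# transport input ssh
R1(config-line)# end

! Verify: stored hashes must begin with $9$ (scrypt) or $8$ (PBKDF2-SHA-256),
! and no "password 7" or "enable password" lines should remain.
R1# show running-config | include secret|password
```

The sample type 7 string in the comment decodes to "cisco" with any public type 7 decoder, which is the whole reason the section insists on type 8 or 9 for anything that protects access.
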
Topic 2.1.3: Configuring Enhanced Security for Virtual Logins

Enhancing the Login Process

Virtual login security enhancements:

  • Implement delays between successive login attempts
  • Enable login shutdown if DoS attacks are suspected
  • Generate system-logging messages for login detection

Configuring Login Enhancement Features

Enable Login Enhancements

Command Syntax: login block-for

Example: login quiet-mode access-class

Example: login delay

Logging Failed Attempts

Generate Login Syslog Messages

Example: show login failures

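The full login-enhancement configuration for Topic 2.1.3, added here as an example (not the course's own slide). The admin subnet 10.10.10.0/24, the ACL name and the timer values are assumptions; the important ordering is that login block-for is configured first, because the quiet-mode and delay commands depend on it.

```cisco
! Management subnet that must never be locked out (assumed 10.10.10.0/24)
R1(config)# ip access-list standard PERMIT-ADMIN
R1(config-std-nacl)# permit 10.10.10.0 0.0.0.255
R1(config-std-nacl)# exit
! Quiet mode for 120 s after 3 failed logins within 60 s. Applies to vty
! lines using "login local" or AAA; it never covers the console.
R1(config)# login block-for 120 attempts 3 within 60
! During quiet mode, still accept connections that match the ACL
R1(config)# login quiet-mode access-class PERMIT-ADMIN
! Minimum 3 s between attempts (block-for alone sets a 1 s default)
R1(config)# login delay 3
! Syslog every failure and every success
R1(config)# login on-failure log
R1(config)# login on-success log
R1(config)# end

! Current mode (Normal/Quiet), thresholds and remaining quiet time
R1# show login
! Per-user / per-source table of failures since the last reset
R1# show login failures
```

Failures appear as %SEC_LOGIN-4-LOGIN_FAILED messages and entry into quiet mode as %SEC_LOGIN-1-QUIET_MODE_ON; ship both to the syslog collector configured in Section 2.3 so a brute-force attempt is visible off the box. Without the quiet-mode ACL, an attacker who can reach the vty lines can keep the router in quiet mode indefinitely and lock out the administrators along with themselves.
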
Topic 2.1.4: Configuring SSH

Steps for Configuring SSH

Example SSH Configuration

Example Verification of SSH

Modifying the SSH Configuration

Connecting to an SSH-Enabled Router

Two ways to connect:

  • Enable SSH and use a Cisco router as an SSH server or SSH client.
    • As a server, the router can accept SSH client connections
    • As a client, the router can connect via SSH to another SSH-enabled router
  • Use an SSH client running on a host, such as PuTTY, OpenSSH, or TeraTerm.
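A complete SSH server configuration and verification for Topic 2.1.4, with the router-as-client connection from the list above, added as an example that is not the course's slide. The hostname, domain name, account, and the address 10.1.1.2 of the second router are assumed.

```cisco
! The key pair is named from hostname + domain, so both must exist first
Router(config)# hostname R1
R1(config)# ip domain-name example.com
R1(config)# crypto key generate rsa general-keys modulus 2048
! Local account used for SSH logins
R1(config)# username admin privilege 15 algorithm-type scrypt secret Adm1n-L0cal-Pass
! SSHv1 is broken; force v2, shorten the negotiation window, limit retries
R1(config)# ip ssh version 2
R1(config)# ip ssh time-out 60
R1(config)# ip ssh authentication-retries 2
! Only SSH on the vty lines, authenticated against the local database
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# end

! Verification: "SSH Enabled - version 2.0" plus timeout and retry values
R1# show ip ssh
! Active sessions with protocol version, user and state
R1# show ssh

! Router as SSH client to a second router (R2 at 10.1.1.2, assumed)
R1# ssh -l admin 10.1.1.2
! Equivalent from a host: ssh admin@10.1.1.1
```

A 1024-bit modulus still satisfies the "version 2" check in show ip ssh, so verify the key size as well as the version; regenerating the key pair (after crypto key zeroize rsa) changes the host key that clients have cached, which is expected and should be communicated rather than ignored.
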

Section 2.2: Assigning Administrative Roles

Upon completion of this section, you should be able to:

  • Configure administrative privilege levels to control command availability.
  • Configure role-based CLI access to control command availability.

Topic 2.2.1: Configuring Privilege Levels

Limiting Command Availability

Privilege levels:

  • Level 0: Predefined for user-level access privileges.
  • Level 1: Default level for login with the router prompt.
  • Levels 2-14: May be customized for user-level privileges.
  • Level 15: Reserved for the enable mode privileges.

Levels of access commands:

  • User EXEC mode (privilege level 1)
    • Lowest EXEC mode user privileges
    • Only user-level commands are available at the router> prompt
  • Privileged EXEC mode (privilege level 15)
    • All enable-level commands at the router# prompt

Privilege Level Syntax

Configuring and Assigning Privilege Levels

Limitations of Privilege Levels

  • No access control to specific interfaces, ports, logical interfaces, and slots on a router
  • Commands available at lower privilege levels are always executable at higher privilege levels
  • Commands specifically set at higher privilege levels are not available for lower privilege users
  • Assigning a command with multiple keywords allows access to all commands that use those

Topic 2.2.2: Configuring Role-Based CLI

Role-Based CLI Access

For example:

  • Security operator privileges
    • Configure AAA
    • Issue show commands
    • Configure firewall
    • Configure IDS/IPS
    • Configure NetFlow
  • WAN engineer privileges
    • Configure routing
    • Configure interfaces
    • Issue show commands

Role-Based Views

Configuring Role-Based Views

Step 1

Step 2

Step 3

Step 4

Configuring Role-Based CLI Superviews

Step 1

Step 2

Step 3

Verify Role-Based CLI Views

Enable Root View and Verify All Views

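One configuration covering both Topic 2.2.1 (privilege levels, including the multi-keyword limitation) and Topic 2.2.2 (views and a superview), added here as an example and not taken from the course. The view names follow the security-operator / WAN-engineer roles described above; the account names and secrets are assumed.

```cisco
! --- Privilege levels: a helpdesk user that may only ping and look at routes
R1(config)# privilege exec level 5 ping
R1(config)# privilege exec level 5 show ip route
R1(config)# enable algorithm-type scrypt secret level 5 L5-En@ble-Pass
R1(config)# username helpdesk privilege 5 algorithm-type scrypt secret H3lpd3sk-Pass
! Limitation from the slide: granting "show ip route" at level 5 also moves the
! parent keywords "show" and "show ip" to level 5, and everything at level 5 is
! inherited by levels 6-15. Check from the user's side:
R1> enable 5
R1# show privilege

! --- Role-based CLI: views need AAA and are created from the root view
R1(config)# aaa new-model
R1(config)# end
R1# enable view
Password: <enable secret>
R1# configure terminal
R1(config)# parser view SECOPS
R1(config-view)# secret S3cOps-V1ew-Pass
R1(config-view)# commands exec include all show
R1(config-view)# commands exec include configure terminal
R1(config-view)# commands configure include all aaa
R1(config-view)# commands configure include all ip access-list
R1(config-view)# exit
R1(config)# parser view WANENG
R1(config-view)# secret W@nEng-V1ew-Pass
R1(config-view)# commands exec include all show
R1(config-view)# commands exec include configure terminal
R1(config-view)# commands configure include all router
R1(config-view)# commands configure include all interface
R1(config-view)# exit
! Superview = union of existing views; it has its own secret and no commands
R1(config)# parser view NETADMIN superview
R1(config-view)# secret N3tAdm1n-Pass
R1(config-view)# view SECOPS
R1(config-view)# view WANENG
R1(config-view)# end

! Verify: only the root view can list every view
R1# show parser view all
R1# enable view SECOPS
Password: S3cOps-V1ew-Pass
R1# show parser view
```

A user in SECOPS can reach configure terminal but only the aaa and ip access-list branches of configuration mode; the WAN engineer gets routing and interfaces instead, and NETADMIN gets both. Unlike privilege levels, nothing leaks upward: a view's command set is exactly what it includes, which is why the course presents views as the fix for the "multiple keywords" limitation.
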
Section 2.3: Monitoring and Managing Devices

Upon completion of this section, you should be able to:

  • Use the Cisco IOS resilient configuration feature to secure the Cisco IOS image and configuration files.
  • Compare in-band and out-of-band management access.
  • Configure syslog to log system events.
  • Configure secure SNMPv3 access using an ACL.
  • Configure NTP to enable accurate timestamping between all devices.

Topic 2.3.1: Securing Cisco IOS Image and Configuration Files

Cisco IOS Resilient Configuration Feature

Enabling the IOS Image Resilience Feature

The Primary Bootset Image

Configuring Secure Copy

Configure the router for server-side SCP with local AAA:

  1. Configure SSH
  2. Configure at least one user with privilege level 15
  3. Enable AAA
  4. Specify that the local database is to be used for authentication
  5. Configure command authorization
  6. Enable SCP server-side functionality
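The resilient-configuration commands from the start of Topic 2.3.1 and the six SCP steps just listed, carried through as one example that is not the course's own slide. The archive file name, the second router R2 and the address 10.1.1.1 are assumptions; the SSH prerequisites are those of Topic 2.1.4.

```cisco
! Resilient configuration: the running image and a snapshot of the running
! config are hidden from dir/delete/erase and can only be turned off again
! from the console.
R1(config)# secure boot-image
R1(config)# secure boot-config
R1(config)# end
! Shows the protected image and config archive names
R1# show secure bootset
! Re-run "secure boot-config" after configuration changes, otherwise the
! archive is stale. If the config is ever lost, stage the archive back:
R1(config)# secure boot-config restore flash:rescue.cfg
R1(config)# end
R1# configure replace flash:rescue.cfg

! SCP server side with local AAA (steps 1-6 above; SSH already configured)
R1(config)# username admin privilege 15 algorithm-type scrypt secret Adm1n-L0cal-Pass
R1(config)# aaa new-model
R1(config)# aaa authentication login default local
R1(config)# aaa authorization exec default local
R1(config)# ip scp server enable
R1(config)# end

! From a second router acting as the SCP client (interactive form)
R2# copy running-config scp:
Address or name of remote host []? 10.1.1.1
Destination username [R2]? admin
Destination filename [r2-confg]? r2-backup.cfg
Password:
```

Two caveats a practitioner wants: the bootset does not survive an image upgrade unless secure boot-image is reissued for the new image, and aaa new-model changes how every line authenticates, so keep the console session open and confirm a fresh SSH login works before saving.
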

Recovering a Router Password

  1. Connect to the console port.
  2. Record the configuration register setting.
  3. Power cycle the router.
  4. Issue the break sequence.
  5. Change the default configuration register with the confreg 0x2142 command.
  6. Reboot the router.
  7. Press Ctrl-C to skip the initial setup procedure.
  8. Put the router into privileged EXEC mode.
  9. Copy the startup configuration to the running configuration.
  10. Verify the configuration.
  11. Change the enable secret password.
  12. Enable all interfaces.
  13. Restore the configuration register to the value recorded in step 2 (normally 0x2102) with the config-register command.
  14. Save the configuration changes.

Password Recovery

Disable Password Recovery

No Service Password Recovery

Password Recovery Functionality is Disabled

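The fourteen recovery steps above, and the command that turns the procedure off, shown end to end as an added example (not a slide from the course). The interface name and the new secret are assumed; the register values are the standard ones the steps refer to.

```cisco
! ROMMON, reached over the console by sending the break sequence during boot
rommon 1 > confreg 0x2142
rommon 2 > reset
! The router boots without reading NVRAM. Answer Ctrl-C to the setup dialog.
Router> enable
! Bring the real config back without losing the open privileged session
Router# copy startup-config running-config
R1# configure terminal
R1(config)# enable algorithm-type scrypt secret New-En@ble-Pass
! Interfaces come back "shutdown" after a 0x2142 boot
R1(config)# interface GigabitEthernet0/0
R1(config-if)# no shutdown
R1(config-if)# exit
! Restore the register recorded in step 2 so NVRAM is read on the next boot
R1(config)# config-register 0x2102
R1(config)# end
R1# copy running-config startup-config
! "Configuration register is 0x2142 (will be 0x2102 at next reload)"
R1# show version | include register

! Disabling recovery: ROMMON will then refuse confreg changes and offer only a
! full NVRAM erase. Keep a verified off-box copy of the config first.
R1(config)# no service password-recovery
```

Note that the recovery procedure is itself the threat the last command addresses: anyone with console access and a power cycle owns the device. Physical security of the console port is therefore part of "securing device access", not a separate concern.
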
Topic 2.3.2: Secure Management and Reporting

Determining the Type of Management Access

In-Band Management:

  • Apply it only to devices that need to be managed or monitored.
  • Use IPsec, SSH, or SSL/TLS whenever possible.
  • Decide whether the management channel needs to be open at all times.

Out-of-Band (OOB) Management:

  • Provides the highest level of security.
  • Mitigates the risk of passing management protocols over the production network.

Topic 2.3.3: Using Syslog for Network Security

Introduction to Syslog

Syslog Operation

Syslog Message

Severity Levels

Example Severity Levels

Syslog Systems

Configuring System Logging

Step 1

Step 2 (optional)

Step 3

Step 4

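The four configuration steps of Topic 2.3.3 as one working example, added here and not part of the course's slides. The collector address 10.10.10.50, the loopback address and the buffer size are assumed.

```cisco
! Accurate, consistent timestamps are what let logs be correlated across devices
R1(config)# service timestamps log datetime msec localtime show-timezone
R1(config)# service sequence-numbers
! Step 1: syslog collector on the management network (assumed address)
R1(config)# logging host 10.10.10.50
! Step 2 (optional): forward severity 6 (informational) and more severe;
! use "warnings" on busy devices to keep the collector readable
R1(config)# logging trap informational
! Step 3: a stable source address so the collector can attribute messages to R1
R1(config)# interface Loopback0
R1(config-if)# ip address 10.0.0.1 255.255.255.255
R1(config-if)# exit
R1(config)# logging source-interface Loopback0
! Keep a local ring buffer too (size in bytes, then severity)
R1(config)# logging buffered 65536 informational
! Step 4: enable logging
R1(config)# logging on
R1(config)# end
! Shows the trap level, the collector, and the buffered messages
R1# show logging
```

Plain syslog is UDP/514 with no authentication or encryption, so a host on the path can read or forge messages; this is exactly the case the in-band/out-of-band discussion above is about. Keep the collector on the dedicated management network, and treat a sudden drop in message rate from a device as an event in itself.
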
Topic 2.3.4: Using SNMP for Network Security

Introduction to SNMP

Management Information Base

SNMP Versions

SNMP Vulnerabilities

SNMPv3

  • Transmissions from manager to agent may be authenticated to guarantee the identity of the sender and the integrity and timeliness of the message.
  • SNMPv3 messages may be encrypted to ensure privacy.
  • The agent may enforce access control to restrict each principal to certain actions on specific portions of the data.

Configuring SNMPv3 Security

Secure SNMPv3 Configuration Example

Verifying the SNMPv3 Configuration

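A secure SNMPv3 configuration with an ACL, in the view / group / user order the topic describes, added as an example that is not the course's own slide. The view, group and user names, the manager subnet and both passphrases are assumptions.

```cisco
! WEAK (remove): community strings travel in cleartext and "public" is the
! first thing any scanner tries
! no snmp-server community public RO
! no snmp-server community private RW

! Which MIB subtrees the group may read
R1(config)# snmp-server view SNMP-RO iso included
! Which managers may talk to the agent at all (assumed 10.10.10.0/24)
R1(config)# ip access-list standard PERMIT-SNMP
R1(config-std-nacl)# permit 10.10.10.0 0.0.0.255
R1(config-std-nacl)# exit
! Group: v3, "priv" = authentication AND encryption required, read-only
! view, restricted by the ACL
R1(config)# snmp-server group ADMIN v3 priv read SNMP-RO access PERMIT-SNMP
! User bound to the group: SHA for authentication, AES-128 for privacy
R1(config)# snmp-server user BOB ADMIN v3 auth sha Auth-Pass-12345 priv aes 128 Priv-Pass-54321
R1(config)# end

! Verification (the user line is not shown in the running config)
R1# show snmp group
R1# show snmp user
```

Two points worth checking in show snmp group: the security model must read "v3 priv", not "v3 auth" or "v3 noauth", and the access-list column must name PERMIT-SNMP. If a manager still polls with a v2c community after this change, that is a finding against the manager, not a reason to add the community back.
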
Topic 2.3.5: Using NTP

Network Time Protocol

NTP Server

Sample NTP Topology

Sample NTP Configuration on R1

Sample NTP Configuration on R2

NTP Authentication

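Both sides of the NTP topology in Topic 2.3.5, with authentication, as an added example rather than the course's own R1/R2 slides. R2 is the internal time source at 10.1.1.2, R1 its client; the stratum, key string and client subnet are assumed.

```cisco
! R2 = internal time source (stratum 3 master, assumed)
R2(config)# ntp master 3
R2(config)# ntp authenticate
R2(config)# ntp authentication-key 1 md5 NTP-Shared-K3y
R2(config)# ntp trusted-key 1
! Serve time to the client subnet only, and never accept time from clients
R2(config)# ip access-list standard NTP-CLIENTS
R2(config-std-nacl)# permit 10.1.1.0 0.0.0.255
R2(config-std-nacl)# exit
R2(config)# ntp access-group serve-only NTP-CLIENTS

! R1 = client; same key number and string, and the key must be trusted
R1(config)# ntp authenticate
R1(config)# ntp authentication-key 1 md5 NTP-Shared-K3y
R1(config)# ntp trusted-key 1
R1(config)# ntp server 10.1.1.2 key 1
! Copy synced time into the hardware clock so it survives reloads
R1(config)# ntp update-calendar
R1(config)# end

! Association flagged "*" = synchronized; "show ntp status" reports stratum
R1# show ntp associations
R1# show ntp status
```

NTP authentication lets the client reject a forged server, which is what protects the log timestamps configured in Topic 2.3.3; it does not encrypt anything, and it does not authenticate the client to the server, which is why the access-group on R2 is still needed. Because every device inherits R2's clock, protecting R2's own time source and its console is part of the same control.
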
Section 2.4: Using Automated Security Features

Topic 2.4.1: Performing a Security Audit

Discovery Protocols CDP and LLDP

Settings for Protocols and Services

There is a detailed list of security settings for protocols and services provided in Figure 2 of this page in the course.

Additional recommended practices to ensure a device is secure:

  • Disable unnecessary services and interfaces.
  • Disable and restrict commonly configured management services.
  • Disable probes and scans.
  • Ensure terminal access security.
  • Disable gratuitous and proxy ARP.
  • Disable IP directed broadcasts.

Topic 2.4.2: Locking Down a Router Using AutoSecure

Cisco AutoSecure

Using the Cisco AutoSecure Feature

Using the auto secure Command

  1. The auto secure command is entered
  2. Wizard gathers information about the outside interfaces
  3. AutoSecure secures the management plane by disabling unnecessary services
  4. AutoSecure prompts for a banner
  5. AutoSecure prompts for passwords and enables password and login features
  6. Interfaces are secured
  7. Forwarding plane is secured

Section 2.5: Securing the Control Plane

Topic 2.5.1: Routing Protocol Authentication

Routing Protocol Spoofing

Consequences of protocol spoofing:

  • Redirect traffic to create routing loops.
  • Redirect traffic so it can be monitored on an insecure link.
  • Redirect traffic to discard it.

OSPF MD5 Routing Protocol Authentication

OSPF SHA Routing Protocol Authentication

Topic 2.5.2: Control Plane Policing

Network Device Operations

Control and Management Plane Vulnerabilities

CoPP Operation

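One example for the whole of Section 2.5, added here and not taken from the course's slides: OSPF MD5 authentication, the key-chain form that gives SHA authentication, and a minimal CoPP policy. Process ID, area, interface names, key strings and the police rate are assumptions; the two OSPF methods are alternatives for an interface, not a combination.

```cisco
! --- OSPF MD5: enable per area, key per interface (both neighbors identical)
R1(config)# router ospf 10
R1(config-router)# area 0 authentication message-digest
R1(config-router)# exit
R1(config)# interface GigabitEthernet0/1
R1(config-if)# ip ospf message-digest-key 1 md5 OSPF-MD5-K3y
R1(config-if)# exit

! --- OSPF SHA via key chain (IOS 15.4(1)T and later); preferred over MD5
R1(config)# key chain OSPF-KEYS
R1(config-keychain)# key 1
R1(config-keychain-key)# key-string OSPF-SHA-K3y
R1(config-keychain-key)# cryptographic-algorithm hmac-sha-256
R1(config-keychain-key)# exit
R1(config-keychain)# exit
R1(config)# interface GigabitEthernet0/1
R1(config-if)# ip ospf authentication key-chain OSPF-KEYS
R1(config-if)# end
! Interface output names the authentication type; neighbors must stay FULL
R1# show ip ospf interface GigabitEthernet0/1
R1# show ip ospf neighbor

! --- CoPP: rate-limit traffic addressed to the router's own CPU
R1(config)# ip access-list extended COPP-ICMP
R1(config-ext-nacl)# permit icmp any any
R1(config-ext-nacl)# exit
R1(config)# class-map match-all COPP-ICMP
R1(config-cmap)# match access-group name COPP-ICMP
R1(config-cmap)# exit
R1(config)# policy-map COPP-POLICY
R1(config-pmap)# class COPP-ICMP
! 8000 bps with a 1500-byte burst: enough for troubleshooting, not for a flood
R1(config-pmap-c)# police 8000 1500 conform-action transmit exceed-action drop
R1(config-pmap-c)# exit
R1(config-pmap)# exit
R1(config)# control-plane
R1(config-cp)# service-policy input COPP-POLICY
R1(config-cp)# end
! Conformed/exceeded counters per class
R1# show policy-map control-plane
```

Routing authentication answers the spoofing list above (a neighbor without the key cannot inject routes), but a mismatched key simply drops the adjacency, so roll keys on both sides inside one maintenance window. CoPP answers a different problem, exhaustion of the CPU that runs OSPF and the management plane; in practice the ICMP class is the starting point and further classes for routing protocols, management traffic and a default catch-all follow the same class-map / policy-map pattern.
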
Section 2.6: Summary

Chapter Objectives:

  • Configure secure administrative access.
  • Configure command authorization using privilege levels and role-based CLI.
  • Implement the secure management and monitoring of network devices.
  • Use automated features to enable security on IOS-based routers.
  • Implement control plane security.
