7/31/2019 CCNA Security 02
1/86
7/31/2019 CCNA Security 02
2/86
7/31/2019 CCNA Security 02
3/86
333 2009 Cisco Learning Institute.
Major Concepts
Discuss the aspects of router hardening
Configure secure administrative access androuter resiliency
Configure network devices for monitoringadministrative access
Demonstrate network monitoring techniques
Secure IOS-based Routers using automatedfeatures
7/31/2019 CCNA Security 02
4/86
444 2009 Cisco Learning Institute.
Lesson Objectives
Upon completion of this lesson, the successful participantwill be able to:
1. Describe how to configure a secure network perimeter
2. Demonstrate the configuration of secure router administrationaccess
3. Describe how to enhance the security for virtual logins
4. Describe the steps to configure an SSH daemon for secureremote management
5. Describe the purpose and configuration of administrative privilegelevels
6. Configure the role-based CLI access feature to providehierarchical administrative access
7/31/2019 CCNA Security 02
5/86
555 2009 Cisco Learning Institute.
Lesson Objectives
7. Use the Cisco IOS resilient configuration feature to secure theCisco IOS image and configuration files
8. Describe the factors to consider when securing the data thattransmits over the network related to the network managementand reporting of device activity
9. Configure syslog for network security
10.Configure SNMP for network security
11.Configure NTP to enable accurate time stamping between alldevices
12.Describe the router services, interfaces, and managementservices that are vulnerable to network attacks and perform asecurity audit
13.Lock down a router using AutoSecure
14.Lock down a router using SDM
7/31/2019 CCNA Security 02
6/86
666 2009 Cisco Learning Institute.
Securing Device Access
Securing the Edge Router
Configuring Secure Administrative Access
Configuring Support for Virtual Logins
Configuring SSH
7/31/2019 CCNA Security 02
7/86777 2009 Cisco Learning Institute.
The Edge Router
What is the edge router?- The last router between the internal network and an untrusted
network such as the Internet
- Functions as the first and last line of defense
- Implements security actions based on the organizations security
policies How can the edge router be secured?
- Use various perimeter router implementations
- Consider physical security, operating system security, and routerhardening
- Secure administrative access
- Local versus remote router access
7/31/2019 CCNA Security 02
8/86888 2009 Cisco Learning Institute.
Perimeter Implementations
Single Router ApproachA single router connects theinternal LAN to the Internet. Allsecurity policies areconfigured on this device.
Defense-in-depth Approach
Passes everything through tothe firewall. A set of rulesdetermines what traffic therouter will allow or deny.
DMZ Approach
The DMZ is set up betweentwo routers. Most trafficfiltering left to the firewall
LAN 1192.168.2.0
Router 1 (R1)
Internet
LAN 1192.168.2.0
R1
Internet
Firewall
LAN 1192.168.2.0
R1Internet
R2Firewall
DMZ
7/31/2019 CCNA Security 02
9/86999 2009 Cisco Learning Institute.
Areas of Router Security
Physical Security
- Place router in a secured, locked room
- Install an uninterruptible power supply
Operating System Security
- Use the latest stable version that meets network requirements
- Keep a copy of the O/S and configuration file as a backup
Router Hardening
- Secure administrative control
- Disable unused ports and interfaces
- Disable unnecessary services
7/31/2019 CCNA Security 02
10/86101010 2009 Cisco Learning Institute.
Securing Administrative Access
Restrict Device Accessibility - Limit the accessible ports,restrict the permitted communicators and restrict thepermitted methods of access.
Log and Account for all Access - Record anyone whoaccesses a device.
-Authenticate Access: Ensure access is only granted toauthenticated users, groups, and services.
-Authorize Actions: Restrict the actions and views permitted by anyparticular user, group, or service.
Present Legal Notification - Display legal notice forinteractive sessions.
Ensure the Confidentiality of Data - Protect locally storedsensitive data from viewing and copying.
7/31/2019 CCNA Security 02
11/86111111 2009 Cisco Learning Institute.
Local Versus Remote Access
InternetLAN 1
R1
Local Access
Administrator
Console Port
LAN 2
R1
Internet
R2Firewall
LAN 3
Management
LAN
Administration
Host
Logging
Host
Remote Access
Uses Telnet, SSH HTTP or SNMPconnections to the router from a computer
Requires a direct connection to aconsole port using a computer
running terminal emulation software
7/31/2019 CCNA Security 02
12/86121212 2009 Cisco Learning Institute.
Secure Administrative Access
Passwords
Access Port Passwords
Password Security
Creating Users
7/31/2019 CCNA Security 02
13/86131313 2009 Cisco Learning Institute.
Passwords
An acceptable password length is 10 or more characters
Complex passwords include a mixof upper and lowercase letters,numbers, symbols and spaces
Avoid any password based on repetition,dictionary words, letter or numbersequences, usernames, relative or petnames, or biographical information
Deliberately misspell a password
(Security = 5ecur1ty)
Change passwords often
Do not write passwords down andleave them in obvious places
7/31/2019 CCNA Security 02
14/86141414 2009 Cisco Learning Institute.
Access Port Passwords
R1
R1(config)# enable secret cisco
R1(config)# line con 0
R1(config-line)#passwordcisco
R1(config-line)# login
R1(config)# line aux 0
R1(config-line)#password cisco
R1(config-line)# login
R1(config)# line vty 0 4
R1(config-line)#password cisco
R1(config-line)# login
Command to restrict access toprivileged EXEC mode
Commands to establish alogin password on theconsole line
Commands to establish a loginpassword on incoming Telnet sessions
Commands to establish alogin password for dial-upmodem connections
7/31/2019 CCNA Security 02
15/86151515 2009 Cisco Learning Institute.
Password Security
To increase the security of passwords, use additionalconfiguration parameters:
- Minimum password lengths should be enforced
- Unattended connections should be disabled
-All passwords in the configuration file should be encrypted
R1(config)# service password-encryption
R1(config)# exit
R1# show running-configline con 0
exec-timeout 3 30password 7 094F471A1A0A
login
line aux 0
exec-timeout 3 30
password 7 094F471A1A0A
login
7/31/2019 CCNA Security 02
16/86161616 2009 Cisco Learning Institute.
Creating Users
Parameter Description
name This parameter specifies the username.0 (Optional) This option indicates that the plaintext
password is to be hashed by the router using MD5.
password This parameter is the plaintext password to behashed using MD5.
5 This parameter indicates that the encrypted-secretpassword was hashed using MD5.
encrypted-secret This parameter is the MD5 encrypted-secretpassword that is stored as the encrypted userpassword.
username name secret {[0]password|5encrypted-secret}
7/31/2019 CCNA Security 02
17/86171717 2009 Cisco Learning Institute.
Virtual Logins
Virtual Login Security
Enhanced Login Features
System Logging Messages Banner Messages
7/31/2019 CCNA Security 02
18/86181818 2009 Cisco Learning Institute.
Virtual Login Security
Welcome to SPAN
Engineering
User Access Verification
Password: cisco
Password: cisco1
Password: cisco12
Password: cisco123
Password: cisco1234
Password: cisco12345
Password: cisco123456
Implement delays between
successive login attempts
Enable login shutdown if DoSattacks are suspected
Generate system logging
messages for login detection
Tips:
7/31/2019 CCNA Security 02
19/86191919 2009 Cisco Learning Institute.
Enhanced Login Features
The following commands are available to configure a Cisco
IOS device to support the enhanced login features:
7/31/2019 CCNA Security 02
20/86
202020 2009 Cisco Learning Institute.
login block-for Command
All login enhancement features are disabled bydefault. The login block-for command enablesconfiguration of the login enhancement features.
- The login block-for feature monitors login deviceactivity and operates in two modes:
o Normal-Mode (Watch-Mode) The router keeps count of thenumber of failed login attempts within an identified amount oftime.
o Quiet-Mode (Quiet Period) If the number of failed loginsexceeds the configured threshold, all login attempts madeusing Telnet, SSH, and HTTP are denied.
7/31/2019 CCNA Security 02
21/86
212121 2009 Cisco Learning Institute.
System Logging Messages
To generate log messages for successful/failed logins:- login on-failure log
- login on-success log
To generate a message when failure rate is exceeded:
- security authentication failure rate threshold-rate log
To verify that the login block-for command is configuredand which mode the router is currently in:
- show login
To display more information regarding the failed attempts:
- show login failures
7/31/2019 CCNA Security 02
22/86
7/31/2019 CCNA Security 02
23/86
232323 2009 Cisco Learning Institute.
SSH version 1, 2
Configuring Router
SSH Commands
Connecting to Router Using SDM to configure the SSH Daemon
What's the difference between versions 1and 2 of the SSH protocol?
http://www.snailbook.com/faq/ssh-1-vs-2.auto.htmlhttp://www.snailbook.com/faq/ssh-1-vs-2.auto.htmlhttp://www.snailbook.com/faq/ssh-1-vs-2.auto.htmlhttp://www.snailbook.com/faq/ssh-1-vs-2.auto.html7/31/2019 CCNA Security 02
24/86
242424 2009 Cisco Learning Institute.
Preliminary Steps
Complete the following prior to configuring routers forthe SSH protocol:
1. Ensure that the target routers are running a Cisco IOS Release12.1(1)T image or later to support SSH.
2. Ensure that each of the target routers has a unique hostname.
3. Ensure that each of the target routers is using the correctdomain name of the network.
4. Ensure that the target routers are configured for localauthentication, or for authentication, authorization, and
accounting (AAA) services for username or passwordauthentication, or both. This is mandatory for a router-to-routerSSH connection.
7/31/2019 CCNA Security 02
25/86
252525 2009 Cisco Learning Institute.
Configuring the Router for SSH
R1# conf tR1(config)# ip domain-name span.com
R1(config)# crypto key generate rsa general-keys
modulus 1024
The name for the keys will be: R1.span.com
% The key modulus size is 1024 bits% Generating 1024 bit RSA keys, keys will be non-
exportable...[OK]
R1(config)#
*Dec 13 16:19:12.079: %SSH-5-ENABLED: SSH 1.99 has
been enabled
R1(config)# username Bob secret ciscoR1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# exit
1. Configure the IP domainname of the network
2. Generate one waysecret key
3. Verify or create a localdatabase entry
4.Enable VTY inboundSSH sessions
7/31/2019 CCNA Security 02
26/86
262626 2009 Cisco Learning Institute.
Optional SSH Commands
R1# show ip sshSSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication
retries: 3
R1#
R1# conf t
Enter configuration commands, one per line. Endwith CNTL/Z.
R1(config)# ip ssh version 2
R1(config)# ip ssh time-out 60
R1(config)# ip ssh authentication-retries 2
R1(config)# ^Z
R1#R1# show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 60 secs; Authentication
retries: 2
R1#
7/31/2019 CCNA Security 02
27/86
272727 2009 Cisco Learning Institute.
Connecting to the Router
There are two different ways toconnect to an SSH-enabled router:
- Connect using an SSH-enabled Ciscorouter
- Connect using an SSH client running
on a host.
R1# sho ssh
Connection Version Mode Encryption Hmac State Username
0 2.0 IN aes128-cbc hmac-sha1 Session started Bob
0 2.0 OUT aes128-cbc hmac-sha1 Session started Bob
%No SSHv1 server connections running.
R1#
R1# sho ssh
%No SSHv2 server connections running.
%No SSHv1 server connections running.
R1#
R2# ssh -l Bob 192.168.2.101
Password:
R1>
1
2
3
There are no current SSH sessions ongoing with R1.
R2 establishes an SSH connection with R1.
There is an incoming and outgoing SSHv2 session user Bob.
7/31/2019 CCNA Security 02
28/86
282828 2009 Cisco Learning Institute.
Using SDM
1. Choose Configure > Additional Tasks > Router Access > SSH
2. Possible status options:
- RSA key is not set on this router- RSA key is set on this router
3. Enter a modulus size andgenerate a key, if there isno key configured4. To configure SSH on the vty lines,
choose Configure > AdditionalTasks > Router Access > VTY
7/31/2019 CCNA Security 02
29/86
292929 2009 Cisco Learning Institute.
Assigning Administrative Roles
Configuring Privilege Levels
Configuring Role-Based CLI Access
7/31/2019 CCNA Security 02
30/86
303030 2009 Cisco Learning Institute.
Configuring Privilege Levels
Introduction
Privilege CLI Command
Privilege Level for Users Assigning Usernames
Disadvantages
7/31/2019 CCNA Security 02
31/86
313131 2009 Cisco Learning Institute.
Config AAA, Show,
Firewall, IDS/IPS,
NetFlow
Configuring for Privilege Levels
By default:- User EXEC mode (privilege level 1)
- Privileged EXEC mode (privilege level 15)
Sixteen privilege levels available
Methods of providing privileged level accessinfrastructure access:
- Privilege Levels
- Role-Based CLI Access
7/31/2019 CCNA Security 02
32/86
323232 2009 Cisco Learning Institute.
Privilege CLI Command
router(config)# privilege mode {level levelcommand| reset command}
Command Description
mode Specifies the configuration mode. Use the privilege ?
command to see a complete list of router configurationmodes available
level (Optional) Enables setting a privilege level with aspecified command
level command (Optional) The privilege level associated with a
command (specify up to 16 privilege levels, usingnumbers 0 to 15)
reset (Optional) Resets the privilege level of a command
Command (Optional) Resets the privilege level
7/31/2019 CCNA Security 02
33/86
333333 2009 Cisco Learning Institute.
Privilege Levels for Users
A USER account with normal, Level 1 access.
A SUPPORT account with Level 1 and ping command access.
A JR-ADMIN account with the same privileges as the SUPPORTaccount plus access to the reload command.
An ADMIN account which has all of the regular privileged EXECcommands.
R1# conf t
R1(config)# username USER privilege 1 secret ciscoR1(config)#
R1(config)#privilege exec level 5 ping
R1(config)# enable secret level 5 cisco5
R1(config)# username SUPPORT privilege 5 secret cisco5
R1(config)#
R1(config)#privilege exec level 10 reload
R1(config)# enable secret level 10 cisco10
R1(config)# username JR-ADMIN privilege 10 secret cisco10
R1(config)#
R1(config)# username ADMIN privilege 15 secret cisco123
R1(config)#
7/31/2019 CCNA Security 02
34/86
343434 2009 Cisco Learning Institute.
Privilege Levels
R1> enable 5
Password:
R1#
R1# show privilege
Current privilege level is 5R1#
R1# reload
Translating "reload"
Translating "reload"
% Unknown command or computer name, or unable to find computer
address
R1#
The enable level command is used to switchfrom Level 1 to Level 5
The show privilege command displaysThe current privilege level
The user cannot us the reload command
7/31/2019 CCNA Security 02
35/86
7/31/2019 CCNA Security 02
36/86
363636 2009 Cisco Learning Institute.
Configuring Role-Based CLI Access
Role-Based CLI
Types of Views
Creating and Managing a View View Commands
Verifying a View
7/31/2019 CCNA Security 02
37/86
373737 2009 Cisco Learning Institute.
Role-Based CLI
Controls which commands are available to specific roles
Different views of router configurations created fordifferent users providing:
- Security: Defines the set of CLI commands that is accessible bya particular user by controlling user access to configure specificports, logical interfaces, and slots on a router
-Availability: Prevents unintentional execution of CLI commandsby unauthorized personnel
- Operational Efficiency: Users only see the CLI commandsapplicable to the ports and CLI to which they have access
7/31/2019 CCNA Security 02
38/86
383838 2009 Cisco Learning Institute.
Role-Based Views
Root View
To configure any view for the system, the administrator must be inthe root view. Root view has all of the access privileges as a userwho has level 15 privileges.
ViewA specific set of commands can be bundled into a CLI view.Each view must be assigned all commands associated with thatview and there is no inheritance of commands from other views.Additionally, commands may be reused within several views.
Superview
Allow a network administrator to assign users and groups of usersmultiple CLI views at once instead of having to assign a singleCLI view per user with all commands associated to that one CLIview.
7/31/2019 CCNA Security 02
39/86
393939 2009 Cisco Learning Institute.
Creating and Managing a View
1. Enable aaa with the global configuration command aaa new-model. Exit, and enter the root view with the command enableview command.
2. Create a view using theparser view view-namecommand.
3. Assign a secret password to the view using the secretencrypted-passwordcommand.
4. Assign commands to the selected view using theparser-mode{include | include-exclusive | exclude} [all][interface interface-name | command] command in viewconfiguration mode.
5. Exit the view configuration mode by typing the command exit.
7/31/2019 CCNA Security 02
40/86
404040 2009 Cisco Learning Institute.
View Commands
router# enable [view [view-name]]
Command is used to enter the CLI view.
Parameter Description
view Enters view, which enables users to configure CLI views.This keyword is required if you want to configure a CLI view.
view-name (Optional) Enters or exits a specified CLI view.This keyword can be used to switch from one CLI view toanother CLI view.
router(config)#parser view view-name
Creates a view and enters view configuration mode.router(config-view)# secret encrypted-password Sets a password to protect access to the View.
Password must be created immediately after creating a view
7/31/2019 CCNA Security 02
41/86
414141 2009 Cisco Learning Institute.
Creating and Managing a Superview
1. Create a view using theparser view view-name superviewcommand and entersuperview configuration mode.
2. Assign a secret password to the view using thesecret encrypted-password command.
3. Assign an existing view using the view view-namecommand in view configuration mode.
4. Exit the superview configuration mode by typingthe command exit.
7/31/2019 CCNA Security 02
42/86
424242 2009 Cisco Learning Institute.
Verifying a View
R1# show parser view
No view is active ! Currently in Privilege Level Context
R1#
R1# enable view
Password:
*Mar 1 10:38:56.233: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.R1#
R1# show parser view
Current view is 'root'
R1#
R1# show parser view all
Views/SuperViews Present in System:
SHOWVIEW
VERIFYVIEW
7/31/2019 CCNA Security 02
43/86
434343 2009 Cisco Learning Institute.
Monitoring and Managing Devices
Securing the IOS Image and Configuration Files
Secure Management and Reporting
Using syslog Using SNMP
Using NTP
7/31/2019 CCNA Security 02
44/86
7/31/2019 CCNA Security 02
45/86
454545 2009 Cisco Learning Institute.
Resilient Configuration Facts
The configuration file in the primarybootset is a copy of the runningconfiguration that was in the router whenthe feature was first enabled.
The feature secures the smallest workingset of files to preserve persistent storagespace. No extra space is required tosecure the primary IOS image file.
The feature automatically detects imageor configuration version mismatch.
Only local storage is used for securing
files. The feature can be disabled only through
a console session.
R1# erasestartup-config
Erasing the
nvram filesystemwill remove all
configuration
files! Continue?
[confirm]
7/31/2019 CCNA Security 02
46/86
464646 2009 Cisco Learning Institute.
CLI Commands
router(config)#
secure boot-image
Enables Cisco IOS image resilience
secure boot-config
router(config)#
Takes a snapshot of the router running configuration and securely
archives it in persistent storage
7/31/2019 CCNA Security 02
47/86
474747 2009 Cisco Learning Institute.
Restoring Primary bootset
To restore a primary bootset from a secure archive:
1. Reload the router using the reloadcommand.
2. From ROMMON mode, enter the dircommand to list the contentsof the device that contains the secure bootset file. The device namecan be found in the output of the show secure bootset
command.3. Boot up the router using the secure bootset image using theboot
command with the filename found in step 2. Once the compromisedrouter boots, proceed to privileged EXEC mode and restore theconfiguration.
4. Enter global configuration mode using conf t.
5. Restore the secure configuration to the supplied filename using thesecure boot-config restore filename.
7/31/2019 CCNA Security 02
48/86
484848 2009 Cisco Learning Institute.
Password Recovery Procedures
1. Connect to the console port.
2. Use the show version command to view and record theconfiguration register
3. Use the power switch to turn off the router, and then turn the routerback on.
4. Press Break on the terminal keyboard within 60 seconds of powerup to put the router into ROMmon.
5. At the rommon 1> prompt Type config 0x2142.
6. Type reset at the rommon 2> prompt. The router reboots, butignores the saved configuration.
7. Type no after each setup question, or press Ctrl-C to skip the initialsetup procedure.
8. Type enable at the Router> prompt.
7/31/2019 CCNA Security 02
49/86
494949 2009 Cisco Learning Institute.
Password Recovery Procedures, 2
9. Typecopy startup-config running-config to copy theNVRAM into memory.
10. Type show running-config.
11. Enter global configuration and type the enable secret command
to change the enable secret password.12. Issue the no shutdown command on every interface to be used.
Once enabled, issue a show ip interface brief command.Every interface to be used should display up up.
13. Type config-registerconfiguration_register_setting.
The configuration_register_settingis either the value recorded inStep 2 or 0x2102 .
14. Save configuration changes using the copy running-configstartup-config command.
7/31/2019 CCNA Security 02
50/86
505050 2009 Cisco Learning Institute.
Preventing Password Recovery
R1(config)# no service password-recoveryWARNING:
Executing this command will disable password recovery mechanism.
Do not execute this command without another plan for password recovery.
Are you sure you want to continue? [yes/no]: yesR1(config)
R1# sho run
Building configuration...
Current configuration : 836 bytes!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service password-recovery
System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupportCopyright (c) 2006 by cisco Systems, Inc.
PLD version 0x10
GIO ASIC version 0x127
c1841 platform with 131072 Kbytes of main memory
Main memory is configured to 64 bit mode with parity disabled
PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
program load complete, entry point: 0x8000f000, size: 0xcb80
7/31/2019 CCNA Security 02
51/86
515151 2009 Cisco Learning Institute.
Secure Management and Reporting
Implementing Secure Management
Planning
Factors to Consider
7/31/2019 CCNA Security 02
52/86
7/31/2019 CCNA Security 02
53/86
535353 2009 Cisco Learning Institute.
Planning
When logging and managing information, theinformation flow between management hosts andthe managed devices can take two paths:
- Out-of-band (OOB): Information flows on adedicated management network on which noproduction traffic resides.
- In-band: Information flows across an enterprise
production network, the Internet, or both using regulardata channels.
7/31/2019 CCNA Security 02
54/86
545454 2009 Cisco Learning Institute.
Factors to Consider
OOB management appropriate for largeenterprise networks
In-band management recommended in smaller
networks providing a more cost-effective securitydeployment
Be aware of security vulnerabilities of using
remote management tools with in-bandmanagement
7/31/2019 CCNA Security 02
55/86
555555 2009 Cisco Learning Institute.
Using Syslog
Implementing Router Logging
Syslog
Configuring System Logging Enabling Syslog using SDM/CCP
7/31/2019 CCNA Security 02
56/86
565656 2009 Cisco Learning Institute.
Implementing Router Logging
Configure the router to send log messages to:
Console: Console logging is used when modifying ortesting the router while it is connected to the console.Messages sent to the console are not stored by the
router and, therefore, are not very valuable as securityevents.
Terminal lines: Configure enabled EXEC sessions toreceive log messages on any terminal lines. Similar to
console logging, this type of logging is not stored by therouter and, therefore, is only valuable to the user on thatline.
7/31/2019 CCNA Security 02
57/86
575757 2009 Cisco Learning Institute.
Implementing Router Logging
Buffered logging: Store log messages in router memory.Log messages are stored for a time, but events arecleared whenever the router is rebooted.
SNMP traps: Certain thresholds can be preconfigured.
Events can be processed by the router and forwarded asSNMP traps to an external SNMP server. Requires theconfiguration and maintenance of an SNMP system.
Syslog: Configure routers to forward log messages to anexternal syslog service. This service can reside on anynumber of servers, including Microsoft Windows andUNIX-based systems, or the Cisco Security MARSappliance.
7/31/2019 CCNA Security 02
58/86
585858 2009 Cisco Learning Institute.
Syslog
Syslog servers: Known as log hosts, these systemsaccept and process log messages from syslog clients.
Syslog clients: Routers or other types of equipment thatgenerate and forward log messages to syslog servers.
e0/0
10.2.1.1 e0/1
10.2.2.1e0/210.2.3.1
User 10.2.3.3
Public WebServer10.2.2.3
MailServer10.2.2.4
AdministratorServer
10.2.2.5
SyslogServer 10.2.3.2
Protected LAN10.2.3.0/24
DMZ LAN 10.2.2.0/24
Syslog Client
R3
f
7/31/2019 CCNA Security 02
59/86
595959 2009 Cisco Learning Institute.
Configuring System Logging
R3(config)# logging 10.2.2.6
R3(config)# logging trap informational
R3(config)# logging source-interface loopback 0
R3(config)# logging on
1. Set the destination logging host
2. Set the log severity (trap) level
3. Set the source interface4. Enable logging
Turn logging on and off using thelogging buffered, loggingmonitor, and logging commands
E bli S l U i SDM/CCP
7/31/2019 CCNA Security 02
60/86
606060 2009 Cisco Learning Institute.
Enabling Syslog Using SDM/CCP
1. Choose Configure > Additional Tasks > Router Properties > Logging
2. Click Edit
3. Check Enable LoggingLevel and choose thedesired logging level
4. Click Add, and enteran IP address of alogging host
5. Click OK
M it L i ith SDM
7/31/2019 CCNA Security 02
61/86
616161 2009 Cisco Learning Institute.
Monitor Logging with SDM
1. Choose Monitor > Logging
4. Monitor the messages, update thescreen to show the most current logentries, and clear all syslogmessages from the router log buffer
2. See the logging hosts to which
the router logs messages
3. Choose the minimum severity level
7/31/2019 CCNA Security 02
62/86
U i SNMP f N t k S it
7/31/2019 CCNA Security 02
63/86
636363 2009 Cisco Learning Institute.
Using SNMP for Network Security
SNMP
Community Strings
SNMPv3 Security Levels
Trap Receivers
SNMP
7/31/2019 CCNA Security 02
64/86
646464 2009 Cisco Learning Institute.
SNMP
Developed to manage nodes, such as servers,workstations, routers, switches, hubs, and securityappliances on an IP network
All versions are Application Layer protocols that facilitate
the exchange of management information betweennetwork devices
Part of the TCP/IP protocol suite
Enables network administrators to manage network
performance, find and solve network problems, and planfor network growth
Three separate versions of SNMP
C it St i
7/31/2019 CCNA Security 02
65/86
656565 2009 Cisco Learning Institute.
Community Strings
Provides read-only access to allobjects in the MIB except thecommunity strings.
Provides read-write access toall objects in the MIB except thecommunity strings.
A text string that can authenticate messagesbetween a management station and an SNMPagent and allow access to the information in MIBs
SNMP 3
7/31/2019 CCNA Security 02
66/86
666666 2009 Cisco Learning Institute.
SNMPv3
Agent may enforce accesscontrol to restrict each principalto certain actions on certainportions of its data.
ManagedNode
ManagedNode
ManagedNode
ManagedNode
Messages may beencrypted to ensureprivacy
NMS
NMS
Transmissions from manager toagent may be authenticated toguarantee the identity of the senderand the integrity and timeliness of amessage.
Encrypted Tunnel
7/31/2019 CCNA Security 02
67/86
T ap Recei e s
7/31/2019 CCNA Security 02
68/86
686868 2009 Cisco Learning Institute.
Trap Receivers
1. Click Edit
2. Click Add
3. Enter the IP address or
the hostname of thetrap receiver and thepassword
4. Click OK6. When the trap receiver listis complete, click OK
5. To edit or delete an existing trap receiver,choose a trap receiver from the trapreceiver list and click Edit orDelete
7/31/2019 CCNA Security 02
69/86
Uses
7/31/2019 CCNA Security 02
70/86
707070 2009 Cisco Learning Institute.
Uses
Clocks on hosts and network devices must bemaintained and synchronized to ensure that logmessages are synchronized with one another
The date and time settings of the router can beset using one of two methods:
- Manually edit the date and time
- Configure Network Time Protocol
Timekeeping
7/31/2019 CCNA Security 02
71/86
717171 2009 Cisco Learning Institute.
Timekeeping
Pulling the clock time from the Internet means that unsecuredpackets are allowed through the firewall
Many NTP servers on the Internet do not require any authenticationof peers
Devices are given the IP address of NTP masters. In an NTPconfigured network, one or more routers are designated as themaster clock keeper (known as an NTP Master) using the ntp
masterglobal configuration command.
NTP clients either contact the master or listen for messages from themaster to synchronize their clocks. To contact the server, use the
ntp server ntp-server-addresscommand. In a LAN environment, NTP can be configured to use IP broadcast
messages instead, by using the ntp broadcast client command.
Features/Functions
7/31/2019 CCNA Security 02
72/86
727272 2009 Cisco Learning Institute.
Features/Functions
There are two security mechanisms available:
-An ACL-based restriction scheme
-An encrypted authentication mechanism such as offered by NTPversion 3 or higher
Implement NTP version 3 or higher. Use the followingcommands on both NTP Master and the NTP client.
- ntp authenticate
- ntp authenticationkeymd5value- ntp trusted-key key-value
Enabling NTP
7/31/2019 CCNA Security 02
73/86
737373 2009 Cisco Learning Institute.
Enabling NTP
1. Choose Configure > Additional Tasks > Router Properties > NTP/SNTP
2. Click Add
3. Add an NTP server by
name or by IP address
4. Choose the interfacethat the router will useto communicate withthe NTP server
5. Check Prefer if thisNTP server is apreferred server (morethan one is allowed)
6. If authentication is used,check AuthenticationKey and enter the keynumber, the key value,and confirm the key value.
7. Click OK
Automated Security Features
7/31/2019 CCNA Security 02
74/86
747474 2009 Cisco Learning Institute.
Automated Security Features
Performing Security Audits
Using Automated Tools
Locking Down a Router Using SDM
Performing a Security Audit
7/31/2019 CCNA Security 02
75/86
757575 2009 Cisco Learning Institute.
Performing a Security Audit
Security Practices
Security Audit
Security Audit Wizard
Security Practices
7/31/2019 CCNA Security 02
76/86
767676 2009 Cisco Learning Institute.
Security Practices
Determine what devices should use CDP
To ensure a device is secure:
- Disable unnecessary services and interfaces
- Disable and restrict commonly configured managementservices, such as SNMP
- Disable probes and scans, such as ICMP
- Ensure terminal access security
- Disable gratuitous and proxy Address Resolution Protocol (ARP)
- Disable IP-directed broadcast
SDM Security Audit
7/31/2019 CCNA Security 02
77/86
777777 2009 Cisco Learning Institute.
SDM Security Audit
Perform Security Auditletting theadministrator choose
configuration changesto implement
One-Step Lockdownautomatically makes
all recommendedsecurity-relatedconfiguration changes
Security Audit Wizard
7/31/2019 CCNA Security 02
78/86
787878 2009 Cisco Learning Institute.
Security Audit Wizard
Compares router configurationagainst recommended settings:
Shut down unneeded servers
Disable unneeded services
Apply the firewall to the outsideinterfaces
Disable or harden SNMP
Shut down unused interfaces
Check password strength Enforce the use of ACLs
Using Automated Tools
7/31/2019 CCNA Security 02
79/86
797979 2009 Cisco Learning Institute.
Using Automated Tools
Cisco AutoSecure
AutoSecure Command
Cisco AutoSecure
7/31/2019 CCNA Security 02
80/86
808080 2009 Cisco Learning Institute.
Cisco AutoSecure
Initiated from CLI and executes a script. TheAutoSecure feature first makesrecommendations for fixing securityvulnerabilities, and then modifies the security
configuration of the router. Can lockdown the management plane functions
and the forwarding plane services and functionsof a router
Used to provide a baseline security policy on anew router
Auto Secure Command
7/31/2019 CCNA Security 02
81/86
818181 2009 Cisco Learning Institute.
Auto Secure Command
Command to enable the Cisco AutoSecurefeature setup:
auto secure [no-interact]
In Interactive mode, the router prompts withoptions to enable and disable services and othersecurity features. This is the default mode butcan also be configured using the auto securefull command.
Auto Secure Command
7/31/2019 CCNA Security 02
82/86
828282 2009 Cisco Learning Institute.
Auto Secure Command
R1# auto secure ?
firewall AutoSecure Firewall
forwarding Secure Forwarding Plane
full Interactive full session of AutoSecure
login AutoSecure Login
management Secure Management Plane
no-interact Non-interactive session of AutoSecure
ntp AutoSecure NTP
ssh AutoSecure SSH
tcp-intercept AutoSecure TCP Intercept
R1#
auto secure [no-interact | full] [forwarding | management ][ntp | login | ssh | firewall | tcp-intercept]
router#
7/31/2019 CCNA Security 02
83/86
Cisco One-step Lockdown
7/31/2019 CCNA Security 02
84/86
848484 2009 Cisco Learning Institute.
Cisco One step Lockdown
Tests router configurationfor any potential securityproblems andautomatically makes thenecessary configurationchanges to correct anyproblems found
AutoSecure Versus SDM SecurityAudit One-Step Lockdown
7/31/2019 CCNA Security 02
85/86
858585 2009 Cisco Learning Institute.
Audit One Step Lockdown
R1# auto secure
--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the
security of the router, but it will not make
it absolutely resistant to all security
attacks ***
AutoSecure will modify the configuration of
your device.
All configuration changes will be shown. For adetailed explanation of how the configuration
changes enhance security and any possible side
effects, please refer to Cisco.com for
Autosecure documentation.
Cisco AutoSecure also: Disables NTP
Configures AAA
Sets SPD values
Enables TCP intercepts
Configures anti-spoofing ACLs on
outside-facing interfaces
SDM implements some thefollowing features differently:
SNMP is disabled but will notconfigure SNMPv3
SSH is enabled and configured with
images that support this feature.
Secure Copy Protocol (SCP) is not
enabled--unsecure FTP is.
7/31/2019 CCNA Security 02
86/86