Upload: ronald-mutenda

Post on 26-Nov-2015

30 views

Category:

Documents


0 download

DESCRIPTION

c

TRANSCRIPT

SC Labs | CCNA notes

CCNA Security Chapter 2 - Securing Network Devices

Securing outgoing network traffic and scrutinizing (analyzing) incoming traffic are critical aspects of network security. Securing the edge router, which connects to the outside network, is an important first step in securing the network.

Summary:
- Secure the physical installation of, and the administrative access to, Cisco routers based on different network requirements using the CLI and CCP. (Many router services are enabled by default.)
- Configure administrative roles using privilege levels and role-based CLI.
- Implement the management and reporting features of syslog, SNMP, SSH, and NTP.
- Examine router configurations with the Security Audit feature of CCP, and make the router and network more secure by using the auto secure command or the One-Step Lockdown feature of CCP.
- A hands-on lab for the chapter, Securing the Router for Administrative Access.
- A Packet Tracer activity, Configure Cisco Routers for Syslog, NTP, and SSH Operations.

1) Securing the Edge router

1.1) Securing edge devices

Edge devices are routers, routing switches and a variety of metropolitan area network (MAN) and wide area network (WAN) access devices that provide entry points into enterprise or service provider core networks. Edge devices also provide connections into carrier and service provider networks.

The edge router is the last router between the internal network and an untrusted network such as the Internet. All of an organization's Internet traffic goes through this edge router; therefore, it often functions as the first and last line of defense for a network.

Edge router implementations:
- Single Router Approach - all security policies are configured on this one device (typical for SOHO).
- Defense-in-Depth Approach - the edge router passes connections intended for the internal LAN on to a firewall, which applies its own policy.
- DMZ (demilitarized zone) Approach - a separate zone for servers that must be accessible from the Internet or some other external network.

Three areas of router security must be maintained:
- Physical Security (UPS, secure locked room that is accessible only to authorized personnel)
- Router Hardening (only authorized personnel have access; disable unused ports, services and interfaces)
- Operating System Security (maximum amount of memory, latest stable IOS version, keep a secure copy of the IOS image and the configuration)

Administrative access is required for router management purposes, and it must be controlled:
- Restrict device accessibility
- Log and account for all access
- Authenticate access (access is granted only to authenticated users, groups, and services)
- Authorize actions (restrict the actions and views permitted to any particular user, group, or service)
- Present legal notification
- Ensure the confidentiality of data

There are two ways to access a device for administrative purposes:
- Local (console)
- Remote (Telnet, SSH, HTTP, HTTPS, SNMP, AUX modem)

Of the remote methods, only SSH, HTTPS and SNMPv3 protect credentials in transit; Telnet, HTTP and SNMPv1/v2c send them in cleartext.

1.2) Secure Administrative Access

Make passwords less easily discovered by intelligent guessing and cracking tools:
- length of 10 or more characters; enforce it for all user and enable passwords set afterwards (passwords that already exist are not re-checked):

R1(config)# security passwords min-length ?
  Minimum length of all user/enable passwords
R1(config)# security passwords min-length 10

- complex passwords (a mix of uppercase and lowercase letters, numbers, symbols, and spaces),
- avoid passwords based on repetition, dictionary words, letter or number sequences, usernames, relative or pet names, or biographical information,
- deliberately misspell a password (Security = 5ecur1ty),
- change passwords often,
- do not write passwords down and leave them in obvious places such as on the desk or monitor,
- time out idle sessions on every line (console, aux and vty):

Router(config-line)# exec-timeout <minutes> [seconds]

- encrypt all passwords:

Router(config)# service password-encryption
Router(config)# username <name> password <password>

Without service password-encryption, passwords are displayed in cleartext by the show running-config command. Sniffers can also see these passwords if the TFTP server configuration files traverse an unsecured intranet or Internet connection. If an intruder gains access to the TFTP server where the router configuration files are stored, the intruder is able to obtain these passwords. Note that service password-encryption only obscures passwords with the reversible type 7 scheme; for user and enable passwords use username <name> secret <password> and enable secret, which store a hash instead.
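What service password-encryption actually does, as an added example (not code from the page or from Cisco): the type 7 scheme is a fixed-key XOR, so anything a config stores as `password 7` is recoverable by whoever can read the config, which is why `username ... secret` and `enable secret` (hashed, and on newer IOS the type 8/9 PBKDF2/scrypt variants) are the right choice. The key string is the publicly documented one; the running-config excerpt below is constructed.

```python
import re

# Fixed key that IOS uses for "type 7" values; the two leading decimal digits of a
# stored value select the starting offset into it.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded: str) -> str:
    """Recover the plaintext from a 'password 7 <value>' string."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 value is a 2-digit seed followed by hex byte pairs")
    seed = int(encoded[:2], 10)
    if seed > 15:
        raise ValueError("seed must be 00..15")
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return plain.decode("ascii")


def type7_encode(plaintext: str, seed: int = 0) -> str:
    """Produce the value IOS stores once service password-encryption is on."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    raw = plaintext.encode("ascii")
    body = bytes(c ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, c in enumerate(raw))
    return "%02d%s" % (seed, body.hex().upper())


# Constructed running-config excerpt (not from a real device); the secret-5 hash is a
# placeholder string, not a real MD5-crypt value.
SAMPLE_CONFIG = """\
username admin privilege 15 password 7 0822455D0A16
enable secret 5 $1$Ab12$constructedPlaceholderHash00
line vty 0 4
 password 7 02050D480809
 login
"""


def recover_type7(config: str) -> list:
    """(config line, plaintext) for every reversible 'password 7' entry in a config.
    'secret 5/8/9' entries are hashes and are deliberately not matched."""
    found = []
    for line in config.splitlines():
        m = re.search(r"\bpassword 7 ([0-9A-Fa-f]+)\b", line)
        if m:
            found.append((line.strip(), type7_decode(m.group(1))))
    return found
```

Run recover_type7 over any config you are handed in an assessment: every hit is a credential the TFTP server, the backup system and anyone with show running-config already has.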

1.3) Virtual Login Security Enhancements

- Implement delays between successive login attempts.
- Enable login shutdown if DoS attacks are suspected.
- Generate system-logging messages for login detection.

Router# configure terminal
Router(config)# login block-for <seconds> attempts <tries> within <seconds>
Router(config)# login quiet-mode access-class {acl-name | acl-number}
Router(config)# login delay <seconds>
Router(config)# login on-failure log [every <login>]
Router(config)# login on-success log [every <login>]

All login enhancement features are disabled by default. Commands to enable login enhancements:

1) login block-for

Router(config)# login block-for <a_seconds> attempts <nr> within <b_seconds>

Blocks logins for a_seconds when nr authentication attempts fail within b_seconds. It operates in two modes:
- Normal mode (watch mode) - the router keeps count of the number of failed login attempts within the identified amount of time.
- Quiet mode (quiet period) - if the number of failed logins exceeds the configured threshold, all login attempts using Telnet, SSH, and HTTP are denied for the block period. Console logins are not affected, so the console remains the fallback path.

2) login quiet-mode access-class

Router(config)# login quiet-mode access-class {acl-name | acl-number}

Specifies an ACL that is applied to the router when it switches to quiet mode and identifies hosts that are exempt from the quiet-mode failure time. If not configured, all login requests are denied during quiet mode, including those from the administrators' own hosts; permit the management hosts here before relying on login block-for, or an attacker can lock you out on purpose.

3) login delay

Router(config)# login delay <seconds>

Helps mitigate dictionary attacks by enforcing a uniform delay between successive login attempts. This is an optional command. If not set, a default delay of one second is enforced after the login block-for command is configured.

4) Logging

The auto secure command enables message logging for failed login attempts. Logging successful login attempts is not enabled by default.

Router(config)# login on-failure log [every <login>] - generates log messages for failed login requests.
Router(config)# login on-success log [every <login>] - generates log messages for successful login requests.

The number of login attempts before a log message is generated can be specified using the every <login> parameter. The default value is 1 attempt. The valid range is from 1 to 65,535.

As an alternative, the security authentication failure rate <threshold> log command generates a log message when the login failure rate is exceeded. The show login failures command displays more information regarding the failed attempts, such as the IP address from which the failed login attempts originated.
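The watch-mode / quiet-mode behaviour described above, modelled in Python as an added example (it is not IOS code; the log strings imitate the SEC_LOGIN message names but are constructed): a LoginGuard is built from the three values of `login block-for`, plus the hosts the quiet-mode ACL permits, and every Telnet/SSH/HTTP login is fed to it with a timestamp. The model opens the counting window at the first failure and resets it once the window expires, and lets ACL-exempt hosts through during the quiet period. All hosts and times are made up.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class LoginGuard:
    """login block-for <block_for> attempts <attempts> within <within>, plus the
    hosts permitted by the `login quiet-mode access-class` ACL (exempt_hosts)."""
    block_for: int
    attempts: int
    within: int
    exempt_hosts: Set[str] = field(default_factory=set)
    log: List[str] = field(default_factory=list)
    _window_start: Optional[float] = None   # opens on the first failure in watch mode
    _failures: int = 0
    _quiet_until: Optional[float] = None

    def in_quiet_mode(self, now: float) -> bool:
        return self._quiet_until is not None and now < self._quiet_until

    def attempt(self, host: str, ok: bool, now: float) -> str:
        """Outcome of one virtual (Telnet/SSH/HTTP) login: 'allowed', 'failed' or 'quiet'."""
        if self._quiet_until is not None and not self.in_quiet_mode(now):
            self._quiet_until = None            # quiet period elapsed: back to watch mode
            self.log.append(f"{now:.0f}s QUIET_MODE_OFF")
        if self.in_quiet_mode(now) and host not in self.exempt_hosts:
            self.log.append(f"{now:.0f}s refused {host}: quiet mode")
            return "quiet"                      # exempt hosts fall through and are processed normally
        if ok:
            self.log.append(f"{now:.0f}s LOGIN_SUCCESS {host}")
            return "allowed"
        if self._window_start is None or now - self._window_start > self.within:
            self._window_start, self._failures = now, 0   # stale window: start counting afresh
        self._failures += 1
        self.log.append(f"{now:.0f}s LOGIN_FAILED {host} ({self._failures}/{self.attempts})")
        if self._failures >= self.attempts:
            self._quiet_until = now + self.block_for
            self._window_start, self._failures = None, 0
            self.log.append(f"{now:.0f}s QUIET_MODE_ON for {self.block_for}s")
        return "failed"


def demo() -> List[str]:
    """login block-for 120 attempts 3 within 60; 10.0.0.5 is permitted by the quiet-mode ACL."""
    guard = LoginGuard(block_for=120, attempts=3, within=60, exempt_hosts={"10.0.0.5"})
    events = [                        # (seconds, source host, credentials valid?) - constructed
        (0, "203.0.113.9", False),
        (10, "203.0.113.9", False),
        (20, "203.0.113.9", False),   # third failure inside 60 s: quiet mode until t=140
        (30, "203.0.113.9", True),    # correct password, still refused
        (30, "10.0.0.5", True),       # admin host on the ACL gets in
        (150, "203.0.113.9", True),   # quiet period over
        (200, "203.0.113.9", False),
        (270, "203.0.113.9", False),  # 70 s after the first: window reset, counts as 1/3
    ]
    return [guard.attempt(host, ok, t) for t, host, ok in events]
```

The fourth event is the one to take from this: during the quiet period a valid password from a non-exempt host is refused too, which is the denial-of-service an attacker can trigger deliberately unless the quiet-mode ACL covers the administrators' hosts.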

Banners are disabled by default and must be explicitly enabled. Use the banner command from global configuration mode to specify appropriate messages:

Router(config)# banner {exec | incoming | login | motd | slip-ppp} d message d

d is a delimiting character that does not occur in the message (for example #). Tokens are optional and can be used within the message section of the banner command:
- $(hostname) - displays the host name of the router.
- $(domain) - displays the domain name of the router.
- $(line) - displays the vty or tty (asynchronous) line number.
- $(line-desc) - displays the description that is attached to the line.

The motd and login banners are shown before authentication, so keep them to the legal notice: no "welcome" wording and no device, owner or software details that would help an attacker (the tokens above are therefore better suited to the exec banner shown after login).

1.4) Configure SSH

Four steps must be completed prior to configuring routers for the SSH protocol:
1) Cisco IOS Release 12.1(1)T or later, with an IPsec feature set that supports SSH.
2) Ensure that each of the target routers has a unique host name.
3) Ensure that each of the target routers is using the correct domain name of the network.
4) Ensure that the target routers are configured for local authentication or AAA services for username and password authentication. This is mandatory for a router-to-router SSH connection.

Configure:

1) Configure the IP domain name

Router(config)# ip domain-name <domain-name>

2) Generate the RSA key pair (the host name and domain name together form the key name)

Router(config)# crypto key generate rsa general-keys modulus <bits>

CORP(config)# crypto key generate rsa
The name for the keys will be: CORP.theccnas.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.
How many bits in the modulus [512]: 1024

The 512-bit default and the 1024 bits chosen in the transcript are below current guidance; use a 2048-bit or larger modulus. SSH version 2 also requires a modulus of at least 768 bits.

Verify the RSA keys:

R1# show crypto key mypubkey rsa
% Key pair was generated at: 00:24:45 UTC Apr 15 2013
Key name: R1.CCNA-Sec.com
 Storage Device: not specified
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00BB8E0C 241DDAE3
  7994B461 B3D62D26 A6E7F980 B3C406A8 EAEEEBAF D6480CA7 8EC5A0BB E8675CFF
  22BEEB06 5016D1B6 3296B904 3007D48B 15582DA9 49F86F89 6B020301 0001
% Key pair was generated at: 00:24:47 UTC Apr 15 2013
Key name: R1.CCNA-Sec.com.server
Temporary key
 Usage: Encryption Key
 Key is not exportable.
 Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 008E52D8 5D3B60EE
  4A484C83 B8AEB54C CC392430 3D19024B 174EF16F AF06E359 E73B6EF2 E0570D11
  FB9672BA BEECBF6B BC976CFE 36D46D69 5AB471C6 DCFCEDE4 DD06B6A4 2110B69A
  91E0B00C 3D4AED06 90814CEA 05DD3DF7 A3D93131 0E291A17 05020301 0001

3) Verify or create a local database entry

Router(config)# username <name> secret <password>

4) Enable VTY inbound SSH sessions

Router(config)# line vty 0 4
Router(config-line)# login local
Router(config-line)# transport input ssh

Optionally, SSH commands can be used to configure the following:
- SSH version (v1 is obsolete; force v2): Router(config)# ip ssh version 2
- SSH timeout period (seconds allowed to complete authentication): Router(config)# ip ssh time-out 60
- Number of authentication retries: Router(config)# ip ssh auth-retries 3

2) Privilege levels

2.1) 16-level system (0-15)

- Level 0: Predefined for user-level access privileges. Seldom (rarely) used, but includes five commands: disable, enable, exit, help, and logout.
- Level 1: The default level for login with the router prompt Router>. A user cannot make any changes or view the running configuration file.
- Levels 2-14: May be customized for user-level privileges. Commands from lower levels may be moved up to a higher level, or commands from higher levels may be moved down to a lower level.
- Level 15: Reserved for the enable mode privileges (enable command). Users can change configurations and view configuration files.

Router(config)# privilege <mode> {level <level> <command> | reset <command>}

There are two methods for assigning passwords to the different levels:
- To the privilege level, using the global configuration command enable secret level <level> <password>.
- To a user that is granted a specific privilege level, using the global configuration command username <name> privilege <level> secret <password>.

A level automatically inherits all the commands from the lower levels. In the example below, level 10 gets reload plus everything available at levels 0-9:

Router(config)# privilege exec level 10 reload
Router(config)# username jr-admin privilege 10 secret cisco10
Router(config)# enable secret level 10 cisco10

Because of that inheritance, privilege levels cannot give a user one higher-level command without also giving everything below it; that is the gap role-based CLI addresses.

2.2) Role-Based CLI

Advantages: security, availability, operational efficiency.

Role-based CLI provides three types of views:
- Root view - has the same access privileges as a user who has level 15 privileges. However, a root view is not the same as a level 15 user: it is the view from which the other views are created and managed.
- CLI view - a specific set of commands can be bundled into a CLI view. Unlike privilege levels, a CLI view has no command hierarchy and, therefore, no higher or lower views.
- Superview - consists of one or more CLI views.

Config (AAA must be enabled before the root view can be entered):

R7> enable view                       ! enter the root view
% AAA must be configured.
R7# configure terminal
R7(config)# aaa new-model
R7(config)# enable password 123456    ! as typed in the transcript; enable secret is the better choice
R7(config)# exit
R7# disable
R7> enable view
Password:
R7#
Exec commands:
  configure  Enter configuration mode
  enable     Turn on privileged commands
  exit       Exit from the EXEC
  show       Show running system information
R7#

2.3) Monitoring and Managing devices

2.3.1) Securing IOS and configuration files

Cisco IOS Resilient Configuration (example config: http://packetlife.net/blog/2010/oct/18/ios-resilient-configuration/)

The Cisco IOS Resilient Configuration feature allows for faster recovery if someone reformats flash memory or erases the startup configuration file in NVRAM. This feature allows a router to withstand malicious attempts at erasing the files by securing the router image and maintaining a secure working copy of the running configuration.
- The configuration file in the primary bootset is a copy of the running configuration that was in the router when the feature was first enabled.
- The feature secures the smallest working set of files to preserve persistent storage space. No extra space is required to secure the primary Cisco IOS image file.
- The feature automatically detects an image or configuration version mismatch.
- Only local storage is used for securing files, eliminating the scalability maintenance challenges of storing multiple images and configurations on TFTP servers.
- The feature can be disabled only through a console session.

Two global configuration commands are available to configure the Cisco IOS resilient configuration feature:

Router(config)# secure boot-image                      - secure the running image
Router(config)# secure boot-config                     - archive the startup configuration
Router# show secure bootset                            - verify that the archive exists
Router(config)# secure boot-config restore flash:/test - restore the archived config to a file on flash
Router(config)# no secure boot-config                  - disable; must be connected to the console

The secure boot-image command enables Cisco IOS image resilience. When enabled for the first time, the running Cisco IOS image is secured, and a log entry is generated. This feature can be disabled only through a console session using the no form of the command.

The configuration archive is hidden and cannot be viewed or removed directly from the CLI prompt.

Secured files do not appear in the output of a dir command issued from the CLI, because the Cisco IOS file system prevents secure files from being listed. Since the running image and running configuration archives are not visible in the dir output, use the show secure bootset command to verify the existence of the archive. This step is important to verify that the Cisco IOS image and configuration files have been properly backed up and secured.

The archived configuration is a snapshot from the moment secure boot-config was run; re-enter the command after configuration changes you want to survive an erase, otherwise a restore brings back the old version.

Cisco router password recovery procedure:
1) Connect to the console port.
2) Use the show version command to view and record the configuration register (normally 0x2102). If there is no longer access to the router (because of a lost login or TACACS password), an administrator can safely assume that the configuration register is set to 0x2102.
3) Use the power switch to power cycle the router.
4) Issue the break sequence within 60 seconds of power up to put the router into ROMmon.
5) rommon 1> confreg 0x2142 (boot ignoring the startup configuration in NVRAM)
6) rommon 2> reset
7) Type no after each setup question, or press Ctrl-C to skip the initial setup procedure.
8) Router> enable
9) Router# copy startup-config running-config, then show running-config to see the old configuration. Interfaces come back administratively down after this step, so issue no shutdown on the ones in use.
10) Router(config)# enable secret cisco (set a new secret of your own here)
11) Router(config)# config-register 0x2102
12) Router# copy running-config startup-config

Anyone with physical console access can run this procedure, which is one reason physical security was listed first. An administrator can mitigate this potential security breach by using the no service password-recovery command. If a router is configured with no service password-recovery, the break sequence no longer gives access to ROMmon mode.

To recover a device after the no service password-recovery command is entered, initiate the break sequence within five seconds after the image decompresses during the boot. You are prompted to confirm the break key action. After the action is confirmed, the startup configuration is completely erased, the password recovery procedure is enabled, and the router boots with the factory default configuration. If you do not confirm the break action, the router boots normally with the no service password-recovery command enabled. Keep an offline copy of the configuration before enabling this command.

CAUTION: If the router flash memory does not contain a valid Cisco IOS image because of corruption or deletion, the ROMmon xmodem command cannot be used to load a new flash image. To repair the router, an administrator must obtain a new Cisco IOS image on a flash SIMM or on a PCMCIA card. Refer to Cisco.com for more information regarding backup flash images.

2.3.2) Secure management and reporting

Several factors should be considered when implementing secure management:
- configuration change management,
- automated logging and reporting of information from identified devices to management hosts.

Many applications and protocols are also available, such as SNMP, which is used in network management systems to monitor and make configuration changes to devices remotely.

When logging and managing information, the information flow between management hosts and the managed devices can take two paths:
- Out-of-band (OOB) - information flows on a dedicated management network,
- In-band - information flows across an enterprise production network, the Internet, or both, using regular data channels.

Requirements that must be met if an administrator wants to maintain device configurations via a secure in-band management connection to network devices through a production network or the Internet:
- network devices configured to accommodate SSH,
- encryption of all remote access management traffic.

Because the management network has administrative access to nearly every area of the network, it can be a very attractive target to hackers. To mitigate the threat of a compromised device, strong access control should be implemented at the firewall and at every other device. Additionally, management devices should be set up in a fashion that prevents direct communication with other hosts on the same management subnet, using separate LAN segments or VLANs.

2.3.3) Syslog

Implementing a router logging facility is an important part of any network security policy. The router can send log messages to one or more of the following destinations:
- Console - console logging is on by default.
- Terminal lines - enabled EXEC sessions can be configured to receive log messages on any terminal line (terminal monitor). Similar to console logging, this type of logging is not stored by the router and, therefore, is only valuable to the user on that line.
- Buffered logging - a little more useful as a security tool because log messages are stored in router memory for a time. However, events are cleared whenever the router is rebooted.
- SNMP traps - certain thresholds can be preconfigured on routers and other devices. Router events, such as exceeding a threshold, can be processed by the router and forwarded as SNMP traps to an external SNMP server. SNMP traps are a viable security logging facility but require the configuration and maintenance of an SNMP system.
- Syslog - Cisco routers can be configured to forward log messages to an external syslog service. This service can reside on any number of servers or workstations, including Microsoft Windows and UNIX-based systems. Syslog is the most popular message logging facility, because it provides long-term log storage capabilities and a central location for all router messages.

Cisco router log messages fall into one of eight levels. The lower the level number, the higher the severity.

Syslog levels:

  Level  Keyword         Description
  0      emergencies     System is unusable
  1      alerts          Immediate action needed
  2      critical        Critical conditions
  3      errors          Error conditions
  4      warnings        Warning conditions
  5      notifications   Normal but significant conditions
  6      informational   Informational messages
  7      debugging       Debugging messages

Cisco router log messages contain three main parts:

Timestamp | Log message name and severity level | Message text
*Apr 15 10:57:35.695: %SYS-5-CONFIG_I: Configured from console by console

Here SYS is the facility, 5 the severity and CONFIG_I the mnemonic. The leading * on the timestamp means the router's clock is not authoritative (not synchronized by NTP), which is one reason to configure NTP together with syslog.

Syslog is the standard for logging system events:
- Syslog servers - also known as log hosts, these systems accept and process log messages from syslog clients.
- Syslog clients - routers or other types of equipment that generate and forward log messages to syslog servers.

Syslog questions:
- What are the most important logs?
- How are important messages separated from routine notifications?
- How do you prevent tampering with logs?
- How do you ensure the time stamps match?
- What log data is needed in criminal investigations?
- How do you deal with the volume of messages?
- How do you manage all of the devices?
- How can you track when attacks or network failures occur?

Configure syslog on a Cisco device:

Router# configure terminal
Router(config)# service timestamps <type> datetime [msec] [localtime] [show-timezone]
R1(config)# service timestamps log datetime msec
R1(config)# service timestamps debug datetime msec
Router(config)# logging on
Router(config)# logging host <hostname | ip-address>
Router(config)# logging trap <level>
Router(config)# logging facility <facility-type>
Router(config)# logging source-interface <interface-type> <interface-number>
Router(config)# end
Router# show logging

logging trap sets the highest level number (lowest severity) forwarded to the syslog host: logging trap warnings sends levels 0-4. Syslog travels over UDP port 514 in cleartext, so keep it on the management network or OOB path described above.
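A parser for the message format above, as an added example (not code from the page): it splits each line into the three parts, maps the severity number to the keyword table, reads the leading clock flag, cross-checks the <PRI> octet that precedes a message received over UDP (PRI = facility*8 + severity; 23 is local7, the IOS default logging facility), and applies the logging trap filter. The sample lines are constructed; the first is the one quoted above, the other two follow the IOS SEC_LOGIN format.

```python
import re
from typing import Dict, List, Union

SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}
CLOCK_FLAGS = {None: "authoritative", "*": "not_authoritative", ".": "ntp_unsynced"}

# Layout produced by `service timestamps log datetime msec [show-timezone]`, optionally
# preceded by a <PRI> octet (when received over UDP) or a `service sequence-numbers` counter.
_MSG = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:(?P<seq>\d+): )?"
    r"(?P<flag>[*.])?"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{3})?)"
    r"(?: (?P<tz>[A-Z]{2,5}))?: "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$")


def parse_cisco_syslog(line: str) -> Dict[str, object]:
    """Split one IOS system message into timestamp, %FACILITY-SEVERITY-MNEMONIC and text."""
    m = _MSG.match(line.strip())
    if not m:
        raise ValueError("not a Cisco system message: %r" % line)
    d = m.groupdict()
    sev = int(d["severity"])
    msg = {"timestamp": d["ts"], "tz": d["tz"], "clock_status": CLOCK_FLAGS[d["flag"]],
           "facility": d["facility"], "severity": sev, "level": SEVERITY_NAMES[sev],
           "mnemonic": d["mnemonic"], "text": d["text"], "syslog_facility": None}
    if d["pri"] is not None:
        pri = int(d["pri"])
        if pri & 7 != sev:   # the PRI severity must agree with the %FAC-SEV-MNEMONIC field
            raise ValueError("PRI severity %d disagrees with message severity %d" % (pri & 7, sev))
        msg["syslog_facility"] = pri >> 3   # 23 = local7, the IOS default `logging facility`
    return msg


def level_number(level: Union[int, str]) -> int:
    """Accept either the number or the keyword used by `logging trap`."""
    if isinstance(level, int):
        return level
    return {v: k for k, v in SEVERITY_NAMES.items()}[level]


def forwarded(msg: Dict[str, object], trap_level: Union[int, str]) -> bool:
    """`logging trap <level>` sends every message whose severity is <= the trap level."""
    return msg["severity"] <= level_number(trap_level)


def filter_for_trap(lines: List[str], trap_level: Union[int, str]) -> List[Dict[str, object]]:
    return [m for m in map(parse_cisco_syslog, lines) if forwarded(m, trap_level)]


# Constructed sample: the first line is the one quoted in the text, the others imitate
# the SEC_LOGIN messages produced by the login enhancements.
SAMPLE_LOG = [
    "*Apr 15 10:57:35.695: %SYS-5-CONFIG_I: Configured from console by console",
    "<188>Apr 15 10:58:02.114: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] "
    "[Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 10:58:02 UTC Mon Apr 15 2013",
    "Apr 15 10:58:40.001 UTC: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, "
    "[user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] "
    "[ACL: sl_def_acl] at 10:58:40 UTC Mon Apr 15 2013",
]
```

Running filter_for_trap(SAMPLE_LOG, "warnings") keeps only the two SEC_LOGIN messages, which is exactly what a logging trap warnings router would send; the CONFIG_I notification stays in the local buffer only. The clock_status field is what the question "How do you ensure the time stamps match?" turns on in practice.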

2.3.4) SNMP - Simple Network Management Protocol

SNMP was developed to manage nodes, such as servers, workstations, routers, switches, hubs, and security appliances, on an IP network. SNMP is an Application Layer protocol that facilitates the exchange of management information between network devices. There are different versions of SNMP:
- SNMP version 1 (SNMPv1),
- SNMP version 2 (SNMPv2; in practice SNMPv2c),
- SNMP version 3 (SNMPv3).
All three versions use managers (network management systems [NMSs]), agents (managed nodes), and Management Information Bases (MIBs).

SNMP traps (and, from SNMPv2 on, informs/notifications) are asynchronous messages sent by devices. Community strings authenticate messages between a management station and an SNMPv1 or SNMPv2c engine. Read-write community strings can get and set information in an agent; set access is equivalent to having the enable password for a device. By default, most SNMP systems use "public" as a community string. It is extremely important that you create your own custom SNMP community strings. However, even if the community string is changed, the strings are sent in plaintext. This is a huge vulnerability of the SNMPv1 and SNMPv2 architecture. SNMPv3 authenticates and encrypts packets over the network to provide secure access to devices.

SNMPv3 provides the following security features:
- Message integrity: ensures that a packet has not been tampered with in transit.
- Authentication: determines that the message is from a valid source.
- Encryption: scrambles the contents of a packet to prevent it from being seen by an unauthorized source.
- Access control: restricts each principal to certain actions on specific portions of data.

When enabling SNMP, it is important to consider the security model and the security level.
1) The security model is an authentication strategy that is set up for a user and the group in which the user resides. Currently, Cisco IOS software supports three security models: SNMPv1, SNMPv2c, and SNMPv3.
2) A security level is the permitted level of security within a security model. The security level is a type of security algorithm that is performed on each SNMP packet. There are three security levels:
- noAuth (noAuthNoPriv) - authenticates a packet by a string match of the username or community string.
- auth (authNoPriv) - authenticates a packet by using either the Hashed Message Authentication Code (HMAC) with MD5 method or the Secure Hash Algorithm (SHA) method. The HMAC method is described in RFC 2104, HMAC: Keyed-Hashing for Message Authentication.
- priv (authPriv) - authenticates a packet by using either the HMAC-MD5 or HMAC-SHA algorithm and encrypts the packet using the Data Encryption Standard (DES), Triple DES (3DES), or Advanced Encryption Standard (AES) algorithm.

The combination of the model and level determines which security mechanism is employed when handling an SNMP packet. Only SNMPv3 supports the auth and priv security levels. However, CCP does not support configuration of SNMPv3. When you do configure SNMPv3, choose SHA and AES; MD5 and DES remain only for compatibility. Whatever the version, also restrict which managers may reach the agent with an ACL on the snmp-server community or snmp-server group line.

2.3.5) NTP - Network Time Protocol

Many things involved in the security of a network, such as security logs, depend on an accurate date and timestamp.

NTP allows routers on the network to synchronize their time settings with an NTP server. A group of NTP clients that obtain time and date information from a single source have more consistent time settings. When NTP is implemented in the network, it can be set up to synchronize to a private master clock, or it can synchronize to a publicly available NTP server on the Internet. NTP uses UDP port 123; NTPv3 is documented in RFC 1305 (NTPv4 in RFC 5905).

A Cisco router keeps two clocks, the software clock and the hardware clock (calendar), and they can show different times. The following two commands show the difference between them:

R1# show clock
01:51:31.532 Athens Sun Apr 19 2009

R1# show calendar
01:51:42 Athens Sun Apr 19 2009

While the difference is minor, we want to keep everything in the network synchronised as precisely as possible. Keep in mind that show clock refers to the software clock and show calendar to the hardware clock of the router.

R1# show clock detail
*15:14:22.258 UTC Mon Apr 15 2013
Time source is hardware calendar

The leading * marks the time as not authoritative (no NTP synchronization); a . means the clock was synchronized once but has since lost its NTP source; no symbol means authoritative.

NTP is designed to synchronize the time on a network of machines.

ntp update-calendar - to periodically update the hardware clock (calendar) from an NTP time source, use the ntp update-calendar command in global configuration mode. To disable the periodic updates, use the no form of this command.

Configure a Cisco device as an authoritative NTP server:

Router(config)# ntp master [stratum]

The stratum number is the number of hops away from an authoritative source such as an atomic clock (IOS uses stratum 8 if none is given).

Allow the software clock to be synchronized by an NTP time server:

Router(config)# ntp server <ip-address | hostname> [version <number>] [key <key-id>] [source <interface>] [prefer]

Configure the device to receive NTP broadcast messages on an interface:

Router(config-if)# ntp broadcast client

The time that a device keeps is critical; therefore, the security features of NTP should be used to avoid the accidental or malicious setting of incorrect times. There are two security mechanisms available:
- ACL-based restriction scheme (ntp access-group {peer | serve | serve-only | query-only} <acl>), limiting which peers the device will synchronize with or serve.
- Authentication mechanism offered by NTP version 3 or later: a keyed MD5 hash appended to each packet. It proves that the packet came from a holder of the shared key and was not altered in transit; it does not encrypt the time data.

Use the following commands on both the NTP master and the NTP client (the client additionally references the key on its ntp server line with key <key-number>):

ntp authenticate
ntp authentication-key <key-number> md5 <key-value>
ntp trusted-key <key-number>
show ntp associations detail

Sample output (the st column is the stratum; the * marks the peer the router is synchronized to):

RT1# sh ntp associations
Load for five secs: 30%/27%; one minute: 30%; five minutes: 29%
Time source is NTP, 16:02:42.875 EET Fri Aug 17 2012

  address         ref clock     st  when  poll reach  delay  offset    disp
 ~127.127.7.1     127.127.7.1    7    52    64   377    0.0    0.00     0.0
*~195.66.241.2    .PPS.          1   649  1024   377   57.0   -0.11     1.7
+~140.203.16.5    .GPS.          1   761  1024   377   81.8    0.83     1.2
-~129.69.1.153    .PPS.          1    23  1024   377   45.7   -2.10     1.1
+~131.188.3.220   .GPS.          1  1005  1024   377   92.2    3.56     0.9
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

RT1# sh ntp associations detail
195.66.241.2 configured, our_master, sane, valid, stratum 1
ref ID .PPS., time D3D8BCE2.72AC1DF2 (15:51:46.447 EET Fri Aug 17 2012)
our mode client, peer mode server, our poll intvl 1024, peer poll intvl 1024
root delay 0.00 msec, root disp 0.34, reach 377, sync dist 43.533
delay 57.02 msec, offset -0.1123 msec, dispersion 1.68
precision 2**19, version 3
...
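The authentication mechanism described above, as an added example in Python rather than IOS configuration (not code from the page): it builds an NTPv3 client packet, appends the key id plus MD5(key || packet) MAC that `ntp authentication-key <id> md5 <key>` produces, and verifies it the way a peer with `ntp authenticate` and `ntp trusted-key` does, rejecting an untrusted key id, a wrong key, a tampered packet and a packet with no MAC at all. The key id, key string and timestamp are constructed.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional, Tuple

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
HEADER_LEN = 48                 # fixed NTP header; an optional MAC (key id + digest) follows it


def ntp_timestamp(unix_time: float) -> bytes:
    """64-bit NTP timestamp: 32-bit seconds since 1900, 32-bit fraction of a second."""
    whole = int(unix_time)
    frac = int((unix_time - whole) * (1 << 32))
    return struct.pack(">II", (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF, frac & 0xFFFFFFFF)


def build_client_packet(unix_time: float, version: int = 3) -> bytes:
    """Minimal mode-3 (client) request such as `ntp server <addr>` sends."""
    li_vn_mode = (0 << 6) | (version << 3) | 3          # leap 0, version, mode 3 = client
    pkt = struct.pack(">BBBb", li_vn_mode, 0, 6, -20)   # stratum 0 (unspecified), poll 2^6, precision 2^-20
    pkt += struct.pack(">II", 0, 0)                     # root delay, root dispersion
    pkt += b"\x00" * 4                                  # reference id
    pkt += b"\x00" * 24                                 # reference, originate, receive timestamps
    pkt += ntp_timestamp(unix_time)                     # transmit timestamp
    return pkt


def parse_header(pkt: bytes) -> Tuple[int, int, int]:
    """(version, mode, stratum) from the first two octets."""
    first, stratum = pkt[0], pkt[1]
    return (first >> 3) & 7, first & 7, stratum


def append_mac(pkt: bytes, key_id: int, key: bytes) -> bytes:
    """NTPv3/v4 MD5 MAC: 4-byte key id, then MD5 over (key || packet). The key is the
    ASCII string given to `ntp authentication-key <id> md5 <key>`."""
    return pkt + struct.pack(">I", key_id) + hashlib.md5(key + pkt).digest()


def verify_mac(message: bytes, trusted_keys: Dict[int, bytes]) -> Tuple[bool, Optional[int], str]:
    """What a peer with `ntp authenticate` + `ntp trusted-key` does on receipt:
    only key ids in trusted_keys are accepted, and the digest must match exactly."""
    if len(message) != HEADER_LEN + 4 + 16:
        return False, None, "no MD5 MAC present"
    pkt = message[:HEADER_LEN]
    key_id = struct.unpack(">I", message[HEADER_LEN:HEADER_LEN + 4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False, key_id, "key id not trusted"
    expected = hashlib.md5(key + pkt).digest()
    if not hmac.compare_digest(expected, message[HEADER_LEN + 4:]):
        return False, key_id, "bad digest"
    return True, key_id, "ok"
```

Two things the code makes visible: an unauthenticated packet is simply 48 bytes, so without ntp authenticate any host that can spoof UDP 123 can move the clock; and the MAC is a plain keyed prefix hash (no encryption), which is why the page speaks of authentication rather than confidentiality. Newer IOS releases also offer SHA-based key types for ntp authentication-key, which are preferable to md5 where both ends support them.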

    2.4) Using automated auditing features

    2.4.1) Performing a security auditCisco routers are initially deployed with many services that are enabled by default. This is done for convenience and to simplify the configuration process required to get the deviceoperational. However, some of these services can make the device vulnerable to attack if security is not enabled.

    Many practices help ensure a device is secure: - Disable unnecessary services and interfaces. - Disable and restrict commonly configured management services, such as SNMP. - Disable probes and scans, such as ICMP. - Ensure terminal access security. - Disable gratuitous and proxy Address Resolution Protocol (ARP). - Disable IP-directed broadcasts.

Cisco protocols and services default settings:

1) CDP Cisco Discovery Protocol
Default: enabled
Description: CDP periodically advertises information between Cisco devices, such as the type of device and Cisco IOS version. Such information could be used to determine vulnerabilities and launch specific attacks. Unless needed inside the network, this service should be disabled globally or disabled on unnecessary interfaces.

(config) no cdp run
(config-if) no cdp enable

2) Configuration autoloading
Default: Enabled (globally and interfaces)
Description: This service permits a router to automatically load a configuration file from a network server upon boot. This service should remain disabled when not needed.

    (config) no service config

3) FTP server
Default: Disabled
Description: This service permits the router to act as an FTP server for specific files in flash memory. It should remain disabled when not needed.

    (config) no ftp-server enable

4) TFTP Server
Default: Disabled
Description: This service permits the router to act as a TFTP server for specific files in flash memory. It should remain disabled when not in use.

    (config) no tftp-server file-sys:image-name

5) NTP service
Default: Disabled
Description: This service both receives a time-of-day clock from an NTP server and allows the router to act as an NTP server to NTP clients. Correct time is necessary for accurate time stamps when logging messages. This service should be disabled if not needed, or restricted to only devices that require NTP services.

    (config) no ntp server ip-address

6) Packet assembler/disassembler (PAD) service
Default: enabled
Description: This service allows access to X.25 PAD commands in an X.25 network. Such a service is rarely needed in modern networks and should be disabled.

    (config) no service pad

7) TCP and User Datagram Protocol (UDP) minor services
Default: Enabled before 11.3, disabled after 11.3
Description: These services execute small servers (daemons) in the router, typically used for diagnostics. They are rarely used and should be disabled.

(config) no service tcp-small-servers
(config) no service udp-small-servers

8) Maintenance Operation Protocol (MOP) service
Default: Enabled (most Ethernet interfaces)
Description: This service is a Digital Equipment Corporation (DEC) maintenance protocol. Such a service is rarely needed in modern networks and should be disabled.

    (config-if) no mop enable

9) Simple Network Management Protocol (SNMP)
Default: Enabled
Description: This service permits the router to respond to queries and configuration requests. If not used, this service should be disabled. If needed, restrict access to the router via access control lists (ACLs) and use SNMPv3 for additional security features.

    (config) no snmp-server enable

10) HTTP or HTTPS configuration and monitoring
Default: Device dependent
Description: This service allows the router to be monitored and configured from a web browser. SDM uses secure HTTP (HTTPS). If not used, this service should be disabled. If needed, restrict access to the router via ACLs and use HTTPS for encrypted data transfer.

(config) no ip http server
(config) no ip http secure-server

11) Domain Name System (DNS)
Default: Enabled (client services)
Description: Cisco routers use 255.255.255.255 as the default address to reach a DNS server for name resolution. If not used, this service should be disabled. If needed, explicitly set the address of the DNS server.

    (config) no ip domain-lookup

12) ICMP Redirects
Default: Enabled
Description: This service causes the router to send an ICMP redirect message when a packet is forwarded out the interface it arrived on. An attacker can use such information to redirect packets to an untrusted device. This service should be disabled when not needed.

If a host tries to send data through a router (R1) and R1 sends the data on to another router (R2) and a direct path from the host to R2 is available (that is, the host and R2 are on the same Ethernet segment), then R1 will send a redirect message to inform the host that the best route for the destination is via R2. The host should then send packets for the destination directly to R2.

(config) no ip icmp redirect
(config-if) no ip redirects

13) IP Source Routing
Default: Enabled
Description: This service allows the sender to control the route that a packet travels through a network. Such a service can permit an attacker to bypass the normal forwarding path and security mechanisms in a network. Because most network devices should not attempt to dictate their preferred path through the network, this service should be disabled.

(config) no ip source-route

14) Finger service
Default: Enabled
Description: The finger protocol (port 79) retrieves a list of users from a network device, which includes the line number, connection name, idle time and terminal location. Such information is also seen in the show users Cisco IOS command and can be used for reconnaissance attacks. This service should be disabled when not needed.

    (config) no service finger

15) ICMP unreachable notification
Default: Enabled
Description: This service notifies a sender of invalid destination IP subnets or specific addresses. Such information can be used to map a network. This service should be disabled.

    (config-if) no ip unreachables

16) ICMP mask reply
Default: Disabled
Description: This service sends the IP subnet mask when it is requested. Such information can be used to map a network. This service should be disabled on interfaces to untrusted networks.

(config-if) no ip mask-reply

17) IP identification service
Default: Enabled
Description: The identification protocol (RFC 1413) reports the identity of the TCP connection initiator. Such information can be used in reconnaissance attacks. This service should be disabled.

    (config) no ip identd

18) IP directed broadcasts
Default: Enabled (enabled in Cisco IOS prior to 12.0, disabled in Cisco IOS later than 12.0)
Description: A directed broadcast can be used to probe or deny service to (via a DoS attack) an entire subnet. The directed broadcast packet is unicast until it reaches the router that is responsible for the segment. At that time, the packet becomes a broadcast for the specific segment. This service should be disabled.

    (config-if) no ip directed-broadcast

19) TCP keepalives
Default: Disabled
Description: TCP keepalives help clean up TCP connections when a remote host has stopped processing TCP packets (such as after a reboot). This service should be enabled to help prevent certain DoS attacks.

(config) service tcp-keepalives-in
(config) service tcp-keepalives-out

20) Gratuitous ARP
Default: Enabled
Description: This service is the primary means used in ARP poisoning attacks. Unless needed, this service should be disabled.

Gratuitous ARP could mean both gratuitous ARP request or gratuitous ARP reply. Gratuitous in this case means a request/reply that is not normally needed according to the ARP specification (RFC 826) but could be used in some cases. A gratuitous ARP request is an Address Resolution Protocol request packet where the source and destination IP are both set to the IP of the machine issuing the packet and the destination MAC is the broadcast address ff:ff:ff:ff:ff:ff. Ordinarily, no reply packet will occur. A gratuitous ARP reply is a reply to which no request has been made.

Gratuitous ARPs are useful for four reasons:
- They can help detect IP conflicts.
- They assist in the updating of other machines' ARP tables.
- They inform switches of the MAC address of the machine on a given switch port.
- Every time an IP interface or link goes up, the driver for that interface will typically send a gratuitous ARP to preload the ARP tables of all other local hosts.

    (config) no ip arp gratuitous

21) Proxy ARP
Default: Enabled
Description: This service permits the router to resolve layer 2 addresses. This feature is only useful if the router is acting as a layer 2 bridge. Because this is unlikely in modern networks, this service should be disabled.

    (config) no ip arp proxy
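Added example, not from the original notes: a small offline audit of a running-config against the default settings in the list above, which is what the Security Audit wizard and AutoSecure do before proposing changes. A setting counts as enabled if the config shows its command, disabled if it shows "no <command>", and takes the default stated in the notes otherwise; the finding names and the sample config are constructed.

```python
import re
# Audit a Cisco IOS running-config against the defaults listed above (constructed
# example). Global checks resolve against top-level lines, interface checks
# against each interface block; a check fails when the effective state is not
# the desired one. (finding, IOS command, enabled by default, desired state)
GLOBAL_CHECKS = [
    ("CDP", "cdp run", True, False),
    ("PAD service", "service pad", True, False),
    ("IP source routing", "ip source-route", True, False),
    ("TCP keepalives out", "service tcp-keepalives-out", False, True),
]
INTERFACE_CHECKS = [
    ("ICMP redirects", "ip redirects", True, False),
    ("Proxy ARP", "ip proxy-arp", True, False),
    ("ICMP mask reply", "ip mask-reply", False, False),
]

def effective(lines, cmd, default):
    """Last explicit 'cmd' / 'no cmd' line wins; otherwise the default applies."""
    explicit = [line == cmd for line in lines if line in (cmd, "no " + cmd)]
    return explicit[-1] if explicit else default

def split_config(text):
    """Return (global lines, {interface name: [its indented sub-lines]})."""
    glob, ifaces, cur = [], {}, None
    for raw in text.splitlines():
        m = re.match(r"interface (\S+)", raw)
        if m:
            cur = m.group(1)
            ifaces[cur] = []
        elif raw.startswith(" ") and cur:
            ifaces[cur].append(raw.strip())
        elif raw.strip() and not raw.startswith("!"):
            cur = None
            glob.append(raw.strip())
    return glob, ifaces

def audit(text):
    """One finding per setting whose effective state is not the desired one."""
    glob, ifaces = split_config(text)
    found = [f"global: {n} should be {'enabled' if w else 'disabled'} ({c})"
             for n, c, d, w in GLOBAL_CHECKS if effective(glob, c, d) != w]
    for name, lines in ifaces.items():
        found += [f"{name}: {n} should be disabled (no {c})"
                  for n, c, d, w in INTERFACE_CHECKS if effective(lines, c, d) != w]
    return found

SAMPLE_CONFIG = """no cdp run
!
interface GigabitEthernet0/0
 no ip redirects
 no ip proxy-arp
!
interface GigabitEthernet0/1
 ip mask-reply
"""
```

On the sample, GigabitEthernet0/0 is clean, while the global defaults (PAD, source routing, missing outbound keepalives) and GigabitEthernet0/1 each produce findings.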

Security audit tools
The three security audit tools that are available include:
- Cisco AutoSecure (IOS CLI), introduced with IOS 12.3
- Security Audit wizard (GUI CCP),
- One-Step Lockdown (GUI CCP).

    Both Security Audit wizard and One-Step Lockdown are based on the Cisco IOS AutoSecure feature.

1) Security Audit wizard - a security audit feature provided through CCP. The Security Audit wizard provides a list of vulnerabilities and then allows the administrator to choose which potential security-related configuration changes to implement on a router. The wizard compares a router configuration against recommended settings and performs the following:
- Shuts down unneeded servers.
- Disables unneeded services.
- Applies the firewall to the outside interfaces.
- Disables or hardens SNMP.
- Shuts down unused interfaces.
- Checks password strength.
- Enforces the use of ACLs.

A security audit feature is also available through the Cisco IOS CLI. The auto secure command initiates a security audit and then allows for configuration changes. Based on the mode selected, configuration changes can be automatic or require network administrator input.
* Interactive mode: prompts the user with options to enable and disable services and other security features.
* Non-interactive mode: automatically executes the Cisco AutoSecure command with the recommended Cisco default settings.

! auto secure INTERACTIVE
Router# auto secure full

! auto secure no-interact - recommended settings are set
Router# auto secure no-interact
!
*** AutoSecure configuration enhances the security of the router, but it will not make it absolutely resistant to all security attacks ***
AutoSecure will modify the configuration of your device.

2) One-Step Lockdown - a security audit feature provided through CCP. The One-Step Lockdown feature provides a list of vulnerabilities and then automatically makes all recommended security-related configuration changes.

Some options to know that can be configured by Cisco AutoSecure:
- CBAC (Context-Based Access Control) - provides advanced traffic filtering functionality and can be used as an integral part of your network's firewall (based on application-layer protocol session information: SMTP, TFTP, Java, FTP, h323),
- security banner (motd),
- enable secret password.

Three services that CCP One-Step Lockdown enables:
- password encryption,
- SSH access to the router,
- firewall on all outside interfaces.

Cisco One-Step Lockdown disables:
- Finger service
- PAD service
- TCP small servers service
- UDP small servers service
- IP BOOTP server service
- IP identification service
- Cisco Discovery Protocol
- IP source route
- IP GARPs
- SNMP
- IP redirects
- IP proxy ARP
- IP directed broadcast
- MOP service
- IP unreachables
- IP mask reply
- IP unreachables on null interface

Cisco One-Step Lockdown enables:
- Password encryption service
- TCP keepalives for inbound and outbound Telnet sessions
- Sequence numbers and timestamps on debugs
- Cisco Express Forwarding with integrated NetFlow switching
- Unicast Reverse Path Forwarding (RPF) on outside interfaces
- Firewall on all outside interfaces
- SSH for access to the router
- AAA

Cisco One-Step Lockdown configures:
- Minimum password length to six characters
- Authentication failure rate to less than three retries
- TCP synwait time
- Notification banner
- Logging parameters
- Enable secret password
- Scheduler interval
- Scheduler allocate
- Users
- Telnet settings
- Access class on HTTP server service
- Access class on vty lines

Security Audit recommended settings

Preparing commands for delivery...
Submitting 57 commands, please wait...
Configuration delivered to device.
Copying the Running config to Startup config of your router. Please wait...
Running config copied successfully to Startup Config of your router.

aaa new-model
aaa authorization exec local_author local
aaa authentication login local_authen local
access-list 1 remark HTTP Access-class list
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 10.10.10.10 0.0.0.255
access-list 1 deny any
line vty 0 4
 login authentication local_authen
 authorization exec local_author
 transport input telnet ssh
 exit
line con 0
 login authentication local_authen
 exec-timeout 10 0
 transport output telnet
 exit
line aux 0
 login authentication local_authen
 exec-timeout 10 0
 transport output telnet
 exit
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
no ip bootp server
no ip source-route
service sequence-numbers
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
scheduler allocate 4000 1000
ip http access-class 1
ip tcp synwait-time 10
no cdp run
security authentication failure rate 3 log
ip ssh time-out 60
ip ssh authentication-retries 2
banner login ~ -= Welcome To CCNA Security Test Router =-~
interface Null0
 exit
default interface Null0
interface Null0
 no ip unreachables
 exit
interface GigabitEthernet1/0
 description $FW_INSIDE$
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 ip route-cache flow
 exit
interface FastEthernet0/0
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 ip route-cache flow
 exit

Chapter 2 Lab: Configure NTP, Syslog, SSH on VTY

NTP
R3(config)#ntp server 192.168.1.5
R3(config)#ntp update-calendar
R3(config)#service timestamps log datetime msec

Syslog
R3(config)#logging host 192.168.1.6

SSH
R3(config)#ip domain-name ccnasecurity.com
R3(config)#username SSHadmin privilege 15 secret ciscosshpa55
R3(config)#line vty 0 4
R3(config-line)#login local
R3(config-line)#transport input ssh
R3(config)#crypto key zeroize rsa
R3(config)#crypto key generate rsa
The name for the keys will be: R3.ccnasecurity.com
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R3(config)#ip ssh time-out 90
R3(config)#ip ssh authentication-retries 2
R3(config)#ip ssh version 2
R3(config)#do sh ip ssh
SSH Enabled - version 2.0
Authentication timeout: 90 secs; Authentication retries: 2

CHECK on PC
PC>ssh -l SSHadmin 192.168.3.1
Open
Password:
R3#

    at Sunday, July 15, 2012

Bonus
Cisco IOS Hardening: http://ecks90.com/?p=176
Cisco CDP Monitor: http://www.tallsoft.com/cdpmonitor.htm
Hardening Cisco IOS Devices video presentation: http://www.cisco.com/web/learning/le31/le46/cln/qlm/Learning_Center/Security/Hardening_Cisco_IOS_Devices/player.html
Cisco IOS hardening template: http://thenetworkguy.blogspot.com/2006/08/cisco-ios-hardening.html
http://www.softperfect.com/products/networkscanner/
