Securing the Router
Chris Cunningham [email protected]
CCSI #33650
CCNA & CCNP Routing and Switching / CCNA Security
MCITP (Server Enter. Admin & Vista),
MCTS (Server 08 & Vista)
A+, Network+, Security+
Before Implementing Security Changes
• Consult change management documents and processes
• Lab it up to be sure it will do what you think it will do
• Consult the security documentation to verify the change fits the organization's security policy
• Above all else, when finished... document!
The Three Planes of a Device
• Management Plane: how technicians connect to and administer the device (console, SSH, SNMP, syslog)
• Control Plane: how the router decides where to forward traffic (routing protocols, ARP, FHRPs, and other packets addressed to the router itself)
• Data Plane: the traffic being forwarded through the device
Secure Login
• Use RADIUS or TACACS+ for authentication, keeping a local account only as a fallback when the servers are unreachable (RADIUS-1 is an arbitrary name for the server definition)
Router(config)# aaa new-model
Router(config)# radius server RADIUS-1
Router(config-radius-server)# address ipv4 10.0.0.1 auth-port 1812 acct-port 1813
Router(config-radius-server)# key apple
Router(config-radius-server)# exit
Router(config)# aaa authentication login default group radius local
Router(config)# username admin secret 0 apple
(the 0 means the password is typed in cleartext; it is stored as a hash, unlike the reversible type 7 encoding used by the password keyword)
• Login lockouts (local accounts)
Router(config)# aaa local authentication attempts max-fail 3
Router# clear aaa local user lockout {username name | all}
• Disable password recovery: this disables the BREAK sequence into ROMMON, so someone with console access cannot bypass the passwords. The only way back in after a lost password is a factory reset that erases the startup-config, so make sure the configuration is backed up first
Router(config)# no service password-recovery
• Access class: restrict which source addresses may open vty (SSH/Telnet) sessions
• Exec-timeout: close idle management sessions automatically
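The management-plane items above assembled into one working configuration, as an added example that is not from the deck. The hostname, domain, addresses, ACL and server names, and all passwords are assumptions; the `login block-for` lines add brute-force throttling that the slides do not mention.

```cisco
! Added example (not the deck's own config). Names, addresses and secrets are assumed.
hostname R1
ip domain-name example.net
! SSH only: 2048-bit host key, protocol version 2, short login window
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Only the management subnet may open vty sessions (used by access-class below)
ip access-list standard MGMT-HOSTS
 permit 10.1.0.0 0.0.0.255
 deny   any log
!
aaa new-model
! Local fallback account stored as a salted scrypt hash (type 9) instead of MD5 (type 5)
username admin privilege 15 algorithm-type scrypt secret Str0ngLocalPassw0rd
enable algorithm-type scrypt secret Str0ngEnablePassw0rd
! RADIUS first, local account only if no server answers
aaa authentication login default group radius local
aaa authorization exec default group radius local
radius server RADIUS-1
 address ipv4 10.1.0.50 auth-port 1812 acct-port 1813
 key SharedSecretWithRadius
!
! Lock a local account after three failed attempts
aaa local authentication attempts max-fail 3
! Quiet period of 120 s after 5 failures within 60 s; management hosts are exempt
login block-for 120 attempts 5 within 60
login quiet-mode access-class MGMT-HOSTS
login on-failure log
login on-success log
!
line vty 0 4
 access-class MGMT-HOSTS in
 exec-timeout 10 0
 transport input ssh
 logging synchronous
line con 0
 exec-timeout 5 0
 logging synchronous
!
! Last, once the config is archived: no more ROMMON break-in
no service password-recovery
!
! Verify:  R1# show ssh
!          R1# show login
!          R1# show aaa local user lockout
```

The order matters: generate the RSA key and confirm SSH works from a management host before `transport input ssh` removes Telnet, and keep a second session open while testing `access-class` so a typo in the ACL does not lock you out. TACACS+ is a drop-in alternative (`tacacs server` and `group tacacs+`) and additionally allows per-command authorization.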
Network Monitoring
• Use SNMP version 3 with an ACL to limit which SNMP servers can connect
Router(config)# ip access-list extended snmp-server
Router(config-ext-nacl)# permit ip host 10.1.0.100 any
Router(config-ext-nacl)# exit
Router(config)# snmp-server group group1 v3 auth access snmp-server
Router(config)# snmp-server engineID remote 10.1.0.100 udp-port 120 1a2833c0129a
Router(config)# snmp-server user user1 group1 v3 auth md5 password123
(the auth level only authenticates and integrity-protects each request; the priv level, with SHA and AES, also encrypts it and is the level to use when the server supports it)
Or, if SNMPv1/v2c cannot be avoided, tie the community strings to the same ACL and avoid RW wherever possible:
Router(config)# snmp-server community server1 RO snmp-server
Router(config)# snmp-server community server2 RW snmp-server
• Use syslog, sent over a separate management network (VLAN)
• Disable console logging to reduce the CPU load on the device
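An SNMPv3 authPriv and syslog configuration along the lines of the bullets above, as an added example that is not from the deck. The collector addresses, the management subinterface, the view, group, user and ACL names, and the passphrases are assumptions.

```cisco
! Added example (not the deck's own config). Addresses, names and passphrases are assumed.
!
! Only the monitoring server may talk SNMP to the router
ip access-list standard SNMP-SERVERS
 permit 10.1.0.100
 deny   any log
!
! Read-only view of MIB-2; nothing outside it is exposed
snmp-server view RO-VIEW mib-2 included
!
! v3 group at the priv level: every request authenticated AND encrypted, bound to the ACL
snmp-server group MONITOR-GRP v3 priv read RO-VIEW access SNMP-SERVERS
! SHA for authentication, AES-128 for privacy (not MD5 / DES)
snmp-server user monitor MONITOR-GRP v3 auth sha Auth-Passphr4se-1 priv aes 128 Priv-Passphr4se-1 access SNMP-SERVERS
!
! Send traps over the same authPriv user instead of a community string
snmp-server enable traps snmp authentication linkdown linkup coldstart
snmp-server host 10.1.0.100 version 3 priv monitor
!
! Legacy v2c poller that cannot be retired: read-only, ACL-bound, never RW
snmp-server community L3gacyR0-Only RO SNMP-SERVERS
!
! Syslog to the collector on the management VLAN, sourced from the management subinterface
! (GigabitEthernet0/1.100 is assumed to carry VLAN 100)
logging host 10.1.0.101
logging source-interface GigabitEthernet0/1.100
logging trap informational
logging buffered 64000 informational
service timestamps log datetime msec localtime show-timezone
! Correct timestamps need a time source; the NTP server address is assumed
ntp server 10.1.0.1
! Stop writing every message to the console; read them from the buffer or the collector instead
no logging console
!
! Verify:  R1# show snmp user
!          R1# show snmp group
!          R1# show logging
```

With `no logging console` you lose real-time messages on the console during maintenance; run `terminal monitor` on an SSH session or use `show logging` instead. The `show snmp user` output lists the auth and priv protocols actually negotiated, which is the quickest way to confirm the user is not silently running at noAuthNoPriv.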
Secure Configurations
• Use the archive feature to keep timestamped copies of the configuration and roll back quickly when a device is misconfigured
• Use secure boot-image to protect the IOS image so it cannot be deleted or overwritten from the CLI
Router(config)# secure boot-image
• Use secure boot-config to store a protected copy of the running configuration that cannot be removed from the CLI
Router(config)# secure boot-config
Verify:
Router# show secure bootset
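The archive feature and the resilient-configuration bootset together, as an added example that is not from the deck. The archive path, retention count and timer are assumptions.

```cisco
! Added example (not the deck's own config). Path and timers are assumed.
!
! Exec first: the archive directory must exist on flash
!   R1# mkdir flash:archive
!
! Keep up to 10 numbered copies, save one on every write memory and every 24 h
archive
 path flash:archive/R1-config
 maximum 10
 write-memory
 time-period 1440
!
! Resilient configuration: hide and lock the running image and a snapshot of the config.
! Secured files no longer appear in dir and cannot be deleted from the CLI.
secure boot-image
secure boot-config
!
! Verify and exercise (exec mode):
!   R1# show archive
!   R1# show secure bootset
!
!   Preview what a rollback to copy 3 would change, without applying it
!   R1# configure replace flash:archive/R1-config-3 list
!
!   Roll back, but revert automatically after 10 minutes unless confirmed
!   R1# configure replace flash:archive/R1-config-3 time 10
!   R1# configure confirm
!
!   Put the secured snapshot back where it can be inspected or copied to startup-config
!   R1(config)# secure boot-config restore flash:rescue-config
```

Two caveats a practitioner should know: `no secure boot-image` and `no secure boot-config` are only accepted from a console session, and the bootset protects against deletion through IOS, not against someone with physical access formatting flash from ROMMON, which is why it pairs with `no service password-recovery` and an off-box copy of the configuration.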
Secure Routing Protocols
• Use MD5 (hashed) authentication between routing protocol neighbors rather than cleartext passwords, and apply the same principle to local credentials: store them as hashes with secret, never as reversible type 7 passwords
Router(config)# enable secret apple
Router(config)# username chris secret 0 apple
• Passive interfaces: do not send routing protocol hellos on interfaces that have no legitimate neighbor (user-facing LANs), so nobody there can form an adjacency or inject routes
• Also secure FHRPs (HSRP, VRRP, GLBP) with authentication
Router(config)# key chain secure
Router(config-keychain)# key 1
Router(config-keychain-key)# key-string apple
Router(config-keychain-key)# interface FastEthernet0/0
Router(config-if)# standby 1 authentication md5 key-chain secure
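A complete control-plane authentication setup covering the three bullets above (key chain with rotation, EIGRP and OSPF neighbor authentication, passive interfaces, and HSRP), as an added example that is not from the deck. Process numbers, interfaces, addresses, key strings and the rotation dates are assumptions.

```cisco
! Added example (not the deck's own config). AS/process numbers, interfaces, keys and dates are assumed.
!
! One key chain with two overlapping keys so the key can be rotated without dropping adjacencies:
! both keys are accepted during May 2024, only key 1 is sent until June, then only key 2.
! Lifetimes depend on the router clock, so NTP must be in place.
key chain ROUTING-AUTH
 key 1
  key-string RoutingK3y-2024a
  accept-lifetime 00:00:00 Jan 1 2024 23:59:59 Jun 30 2024
  send-lifetime   00:00:00 Jan 1 2024 23:59:59 May 31 2024
 key 2
  key-string RoutingK3y-2024b
  accept-lifetime 00:00:00 May 1 2024 infinite
  send-lifetime   00:00:00 Jun 1 2024 infinite
!
! EIGRP: passive everywhere by default, active only on the transit link, MD5 via the key chain
router eigrp 100
 network 10.0.0.0 0.255.255.255
 passive-interface default
 no passive-interface GigabitEthernet0/0
interface GigabitEthernet0/0
 description Transit to core (EIGRP)
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 ROUTING-AUTH
!
! OSPF: message-digest authentication for the whole area, key set per transit interface
router ospf 1
 network 10.2.0.0 0.0.255.255 area 0
 area 0 authentication message-digest
 passive-interface default
 no passive-interface GigabitEthernet0/1
interface GigabitEthernet0/1
 description Transit to DC (OSPF area 0)
 ip ospf message-digest-key 1 md5 0spfK3y-1
!
! HSRP on the user LAN: authenticated with the same key chain; no hellos from routing protocols here
interface GigabitEthernet0/2
 description User LAN
 ip address 192.168.10.2 255.255.255.0
 standby version 2
 standby 1 ip 192.168.10.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 authentication md5 key-chain ROUTING-AUTH
!
! Verify:  R1# show key chain ROUTING-AUTH
!          R1# show ip eigrp neighbors
!          R1# show ip ospf neighbor
!          R1# show standby brief
```

A neighbor with a wrong or expired key simply never appears in `show ip ospf neighbor` / `show ip eigrp neighbors`; `debug ip ospf adj` and `debug eigrp packets` report the authentication mismatch explicitly. Where the platform supports it, the key chain's `cryptographic-algorithm hmac-sha-256` (EIGRP named mode) is preferable to MD5, but the procedure is the same.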
Control Plane Policing (CoPP)
• A QoS policy attached to the control-plane interface that classifies the traffic destined to the router itself (routing protocol packets, management sessions, ICMP, and everything else) and rate-limits or drops each class, so a flood of unwanted packets cannot starve the CPU that runs the routing protocols and management sessions
IP Traffic
• Fragmentation
Router(config)# ip access-list extended Secure
Router(config-ext-nacl)# deny tcp any any fragments
Router(config-ext-nacl)# deny udp any any fragments
Router(config-ext-nacl)# deny icmp any any fragments
Router(config-ext-nacl)# deny ip any any fragments
• IP options
Router(config-ext-nacl)# deny ip any any option any-options
• TTL too short to make it through the network
Router(config-ext-nacl)# deny ip any any ttl lt 6
* All of this traffic is process switched (punted to the CPU) instead of being forwarded by CEF, so a flood of it is a cheap way to load the router. Note that the fragments keyword matches non-initial fragments only, and dropping them on a transit interface breaks legitimate fragmented flows; aim these entries at traffic addressed to the router, or accept that cost knowingly.
Prevent Spoofed Packets
• Unicast Reverse Path Forwarding (Unicast RPF): drop packets whose source address would not be routed back out the interface they arrived on (strict mode, shown) or is not in the routing table at all (loose mode, reachable-via any). Requires CEF; strict mode must only be used where routing is symmetric
Router(config-if)# ip verify unicast source reachable-via rx
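The data-plane filters from the IP Traffic section and uRPF applied together on the edge interfaces, as an added example that is not from the deck. The interface names, the public prefixes 203.0.113.0/30 and 198.51.100.0/24, and the choice of strict versus loose mode per interface are assumptions.

```cisco
! Added example (not the deck's own config). Interfaces and prefixes are assumed.
!
! Global hardening that complements the ACL: drop any packet carrying IP options
! and never honor source-routed packets
ip cef
ip options drop
no ip source-route
!
! Infrastructure ACL for the upstream link. The deny lines are the deck's Secure ACL,
! extended with anti-spoofing for private space and for our own prefix (198.51.100.0/24),
! which can never legitimately arrive from the ISP side.
ip access-list extended Secure
 remark punted traffic: non-initial fragments, IP options, TTL that expires inside our network
 deny   tcp any any fragments
 deny   udp any any fragments
 deny   icmp any any fragments
 deny   ip any any fragments
 deny   ip any any option any-options
 deny   ip any any ttl lt 6
 remark spoofed sources: RFC1918, loopback, and our own public prefix
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 198.51.100.0 0.0.0.255 any log
 permit ip any any
!
interface GigabitEthernet0/0
 description Primary upstream (single path, symmetric routing)
 ip address 203.0.113.1 255.255.255.252
 ip access-group Secure in
 ! strict uRPF: the source must be reachable via this interface; allow-default is needed
 ! because the default route points here and uRPF ignores it otherwise
 ip verify unicast source reachable-via rx allow-default
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface GigabitEthernet0/1
 description Secondary upstream (return traffic may arrive here asymmetrically)
 ip address 203.0.113.5 255.255.255.252
 ip access-group Secure in
 ! loose uRPF: source only has to exist in the routing table, so asymmetry does not drop it
 ip verify unicast source reachable-via any
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
! Verify:  R1# show ip interface GigabitEthernet0/0 | include verify
!          R1# show ip traffic | include RPF
!          R1# show access-lists Secure
```

`show ip traffic` counts the packets uRPF dropped; if that number climbs on an interface where legitimate users complain, routing is asymmetric on that link and the interface should move to loose mode. The `log` keyword on the own-prefix deny is deliberate: a hit there is either a spoofing attempt or a routing leak, and both deserve a syslog line.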
Secure All Planes of a Device
• Management plane
• Control plane
• Data plane
• Document, document, document