Lecture 4 & 5

This presentation by Dr. Marwa Sharaf El-Din focuses on securing network devices, particularly routers, to enhance overall network security. It covers various aspects including router security, secure administrative access, and the configuration of secure logins and SSH. The conclusion summarizes the key points discussed, emphasizing the importance of a secure network infrastructure.

Uploaded by Ebraam Nabil

Lecture 5

Secure Access for Network Devices


Presented by Dr. Marwa Sharaf El-Din

NETWORK SECURITY 1
Attention!
THE CONTENTS OF THIS PRESENTATION ARE FOR EDUCATION PURPOSES ONLY

Outlines
Secure the Network Infrastructure
Router Security
Secure Administrative Access
Configure Secure Administrative Access
Configure Enhanced Security for Virtual Logins
Configure SSH
Conclusion

Secure the Network Infrastructure
✓ Securing the network infrastructure is critical to overall network security.
✓ The network infrastructure includes routers, switches, servers, endpoints, and
other devices.
✓ Routers are a primary target for attacks because these devices direct traffic into,
out of, and between networks.
✓ The edge router shown in the figure is the last router between the internal network
(Trusted network) and an untrusted network, such as the internet. All an
organization’s internet traffic goes through an edge router, which often functions as
the first and last line of defense for a network.

Edge Router Security Approaches
✓ Single Router: A single router connects the protected network, or internal
local area network (LAN), to the internet.
✓ All security policies are configured on this device.

Edge Router Security Approaches (Cont.)
✓ Defense-in-Depth: This uses multiple layers of security prior to traffic
entering the protected LAN.
✓ There are three primary layers of defense: the edge router, the
firewall, and an internal router that connects to the protected LAN.

Edge Router Security Approaches (Cont.)
✓ Demilitarized Zone (DMZ): The DMZ can be used for servers that must
be accessible from the internet or another external network.
✓ The DMZ can be set up between two routers, with an internal router
connecting to the protected network and an external router connecting
to the unprotected network.

Router Security
Three areas of router security must be maintained:
• Physical: Place the router and physical devices that connect to it in a secure locked
room that is accessible only to authorized personnel. Install an uninterruptible power
supply (UPS) or diesel backup power generator.
• Operating System: Configure the router with the maximum amount of memory
possible. The availability of memory can help mitigate DoS attacks. Use the latest,
stable version of the operating system that meets the feature specifications of the
router or network device. Keep a secure copy of router operating system images and
router configuration files as backups.
• Router Hardening: Ensure that only authorized personnel have access and that
their level of access is controlled. Disable unused ports and interfaces. Disable
unnecessary services. A router has services that are enabled by default. Some of
these services can be used by an attacker to gather information about the router and
the network.
Secure Administrative Access
✓ Securing administrative access is important. If an unauthorized
person gains administrative access to a router, that person could
alter routing parameters, disable routing functions, or discover and
gain access to other systems within the network.

✓ Several tasks are involved in securing administrative access to
an infrastructure device:
• Restrict device accessibility
• Log and account for all access
• Authenticate access
• Authorize actions
• Ensure the confidentiality of data
Secure Local Access
A router can be accessed for administrative purposes locally or remotely:
• Local access: The administrator must have physical access to the router and
use a console cable to connect to the console port.
• Local access is typically used for initial configuration of the device.

Secure Remote Access
• Remote access: Although the aux port option is available, the most common
remote access method involves allowing Telnet, SSH, HTTP, HTTPS, or SNMP
connections to the router from a computer.
• The computer can be on the local network or a remote network.

Configure Secure Administrative Access

Configure Passwords
✓ To secure user EXEC mode access, enter line console configuration mode using
the line console 0 global configuration command.
✓ Specify the user EXEC mode password using the password password
command.
✓ Enable user EXEC access using the login command.

Configure Passwords (Cont.)
✓ To have administrator access to all IOS commands including configuring a
device, you must gain privileged EXEC mode access.
✓ To secure privileged EXEC access, use the enable secret password global
config command.

Configure Passwords (Cont.)
✓ To secure vty lines, enter line vty mode using the line vty 0 15 global config
command.
✓ Specify the vty password using the password password command.
✓ Enable vty access using the login command.

Encrypt Passwords
✓ Strong passwords are only useful if they are secret.

✓ There are several steps that can be taken to help ensure that
passwords remain secret on a Cisco router and switch including
these:
▪ Encrypting all plaintext passwords
▪ Setting a minimum acceptable password length
▪ Deterring brute-force password guessing attacks
▪ Disabling inactive privileged EXEC mode access after a specified
amount of time.
Encrypt Passwords (Cont.)
✓ To encrypt all plaintext passwords, use the service password-encryption global
config command.

✓ Use the show running-config command to verify that passwords are now encrypted.

Configure Enhanced Security for Virtual Logins

Enhance the Login Process
✓ Login blocking enables a detection profile that lets you configure a network device to react to
repeated failed login attempts by refusing further connection requests.

✓ Access control lists (ACLs) can be used to permit legitimate connections from addresses of
known system administrators.

✓ Use the banner global configuration mode command to specify appropriate messages. Banners
protect the organization from a legal perspective.

Configure Login Enhancement Features
✓ The login block-for command can defend against DoS attacks by disabling
logins after a specified number of failed login attempts.
✓ The login quiet-mode command maps to an ACL that identifies the permitted
hosts.
✓ The login delay command specifies the number of seconds the user must wait
between unsuccessful login attempts.
✓ The login on-success and login on-failure commands log successful and
unsuccessful login attempts.

Enable Login Enhancements
✓ To help a Cisco IOS device provide DoS detection, use the login block-for
command, which must be issued before any other login command. The login block-for
command monitors login device activity and operates in two modes:
• Normal mode: Also called watch mode, the router keeps count of the number
of failed login attempts within an identified amount of time.
• Quiet mode: Also called the quiet period. If the number of failed logins
exceeds the configured threshold, all login attempts using Telnet, SSH, and
HTTP are denied for the time specified in the login block-for command.
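The watch-mode and quiet-mode behaviour just described, as an added example that is not part of the lecture and is not Cisco IOS code: a Python model of the login block-for profile together with the quiet-mode ACL exemption, assuming a sliding failure window and constructed source addresses.

```python
"""Model of the 'login block-for <block> attempts <n> within <window>' detection
profile and the 'login quiet-mode access-class' exemption described above.
Added example, not Cisco IOS code: the timing rules are a simplification."""
from dataclasses import dataclass, field

@dataclass
class LoginGuard:
    block_for: int                 # seconds of quiet mode once triggered
    attempts: int                  # failed logins that trigger quiet mode
    within: int                    # watch window (seconds) for counting failures
    permitted: frozenset = frozenset()          # hosts in the quiet-mode ACL
    failures: list = field(default_factory=list)  # recent failure timestamps
    quiet_until: float = 0.0       # end of the current quiet period
    log: list = field(default_factory=list)       # syslog-style messages

    def mode(self, now: float) -> str:
        """'normal' (watch mode) or 'quiet' (quiet period), as in the slides."""
        return "quiet" if now < self.quiet_until else "normal"

    def attempt(self, now: float, src: str, password_ok: bool) -> str:
        """Handle one login attempt; returns 'allowed', 'denied' or 'blocked'."""
        if self.mode(now) == "quiet" and src not in self.permitted:
            return "blocked"           # connection refused, no password prompt
        if password_ok:
            self.log.append(f"LOGIN_SUCCESS from {src}")   # login on-success log
            return "allowed"
        self.log.append(f"LOGIN_FAILED from {src}")        # login on-failure log
        # Assumption: failures older than the window no longer count (sliding window).
        self.failures = [t for t in self.failures if now - t < self.within]
        self.failures.append(now)
        if len(self.failures) >= self.attempts:            # threshold reached
            self.quiet_until = now + self.block_for
            self.failures.clear()
            self.log.append(f"QUIET_MODE for {self.block_for}s, triggered by {src}")
        return "denied"

def run(guard: LoginGuard, events):
    """Feed (time, source, password_ok) tuples; return the outcome of each."""
    return [guard.attempt(t, src, ok) for t, src, ok in events]

# Constructed scenario: one host fails three times inside 60 s, then it and an
# administrator host covered by the quiet-mode ACL both try to log in.
ATTACK = [(0, "192.0.2.10", False), (10, "192.0.2.10", False),
          (20, "192.0.2.10", False), (30, "192.0.2.10", True),
          (30, "10.0.0.5", True), (150, "192.0.2.10", True)]

if __name__ == "__main__":
    g = LoginGuard(120, 3, 60, permitted=frozenset({"10.0.0.5"}))
    print(run(g, ATTACK))  # ['denied', 'denied', 'denied', 'blocked', 'allowed', 'allowed']
```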

Log Failed Attempts
✓ There are three commands that can be configured to help an administrator
detect a password attack. Each lets a device generate syslog messages
for failed or successful login attempts.
✓ The first two commands, login on-success log and login on-failure log,
generate syslog messages for successful and unsuccessful login attempts.
✓ As an alternative to the login on-failure log command, the security
authentication failure rate command can be configured to generate a log
message when the login failure rate is exceeded.

Log Failed Attempts (Cont.)
✓ Use the show login command to verify the login block-for command settings and
current mode.

✓ The show login failures command displays additional information regarding the
failed attempts, such as the IP address from which the failed login attempts
originated.

Configure SSH

Enable SSH
Configure a Cisco device to support SSH using the following six steps:
Step 1. Configure a unique device hostname.
Step 2. Configure the IP domain name.
Step 3. Generate a key to encrypt SSH traffic.
Step 4. Verify or create a local database entry.
Step 5. Authenticate against the local database.
Step 6. Enable vty inbound SSH sessions.

Enhance SSH Login Security
✓ To verify the optional SSH command settings, use
the show ip ssh command.
✓ Use the ip ssh time-out seconds global
configuration mode command to modify the default
120-second timeout interval.
✓ This configures the number of seconds that SSH
can use to authenticate a user. By default, a user
logging in has three attempts to enter the correct
password before being disconnected.
✓ To configure a different number of consecutive SSH
retries, use the ip ssh authentication-retries integer
global configuration mode command.
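An added example, not code from the lecture or from Cisco: a Python audit of a constructed running-config against the password, login-blocking and SSH items from these slides (Configure Passwords, Encrypt Passwords, Enable SSH). It uses the vty command transport input ssh, the IOS command behind step 6 that is not quoted in the slides, and placeholder password hashes.

```python
"""Audit a Cisco IOS running-config against the hardening items in these
slides: added example, not Cisco or lecture code; the config is constructed."""

SAMPLE_CONFIG = """\
hostname R1
ip domain-name example.com
service password-encryption
enable secret 9 $9$PLACEHOLDER
username admin secret 9 $9$PLACEHOLDER
login block-for 120 attempts 3 within 60
line con 0
 password 7 PLACEHOLDER
 login
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input telnet ssh
"""

def parse_config(text):  # -> (global commands, {'line ...': [its commands]})
    global_cmds, sections, current = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and current:  # indented: inside a line section
            sections[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        elif raw.strip():  # any other non-blank line is a global command
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, sections

def audit(text):  # -> list of findings; an empty list means every check passed
    global_cmds, sections = parse_config(text)
    required = {  # global command -> finding reported when it is absent
        "enable secret": "privileged EXEC mode not protected by 'enable secret'",
        "service password-encryption": "plaintext passwords are not encrypted",
        "login block-for": "no 'login block-for' profile against repeated failed logins",
        "ip domain-name": "SSH key generation requires 'ip domain-name'",
    }
    findings = [m for c, m in required.items() if not any(g.startswith(c) for g in global_cmds)]
    # RSA keys never appear in running-config: confirm them with 'show ip ssh'.
    for name, cmds in sections.items():
        if "login" in cmds and not any(c.startswith("password") for c in cmds):
            findings.append(f"{name}: 'login' set but no password configured")
        if name.startswith("line vty") and "transport input ssh" not in cmds:
            findings.append(f"{name}: allow only SSH with 'transport input ssh'")
    return findings
```

Run as a script or import it: audit(SAMPLE_CONFIG) reports only the second vty range, which still accepts Telnet.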

Connect a Router to an SSH-Enabled Router
✓ There are two different ways to connect to an SSH-enabled router. By default, when SSH is
enabled, a Cisco router can act as an SSH server or SSH client. As a server, a router can accept
SSH client connections. As a client, a router can connect via SSH to another SSH-enabled router.
✓ To verify the status of the client connections, use the show ssh command.
[Figure panels: Check SSH Status; Connect from R2 to R1; View SSH Connections]

Connect a Host to an SSH-Enabled Router (Cont.)
✓ Connect using an SSH client (e.g., PuTTY, OpenSSH, TeraTerm) running on a host.
✓ Generally, the SSH client initiates an SSH connection to the router.
✓ The router SSH service prompts for the correct username and password
combination.
✓ After the login is verified, the router can be managed as if the administrator were
using a standard Telnet session.

Virtualization
➢ Today, virtualization technology changes the way organizations store, manage and deliver
digital content. Its benefits include reduced cost, high efficiency and better utilization of
hardware resources.
➢ Virtualization is a technique of abstracting the physical compute hardware and enabling multiple
operating systems (OSs) to run concurrently on a single or clustered physical machine(s).
[Figure: virtualization layer (hypervisor) on top of the x86 architecture: CPU, NIC card, memory, hard disk]

11/20/2024 36
Before and After Virtualization
[Figure: one x86 machine (CPU, NIC card, memory, hard disk) before virtualization, and the same hardware with a virtualization layer (hypervisor) after virtualization]

Before Virtualization
• Runs single operating system (OS) per machine at a time
• Couples s/w and h/w tightly
• May create conflicts when multiple applications run on the same machine
• Underutilizes resources
• Is inflexible and expensive

After Virtualization
• Runs multiple operating systems (OSs) per physical machine concurrently
• Makes OS and applications h/w independent
• Isolates VMs from each other, hence no conflict
• Improves resource utilization
• Offers flexible infrastructure at low cost

Types of Hypervisor
✓ There are two types of hypervisors:
1. Type 1: Bare-metal Hypervisor
➢ A bare-metal hypervisor runs directly on the physical hardware, for example VMware ESXi.
2. Type 2: Hosted Hypervisor
➢ A hosted hypervisor runs on top of an already installed standard operating system such as
Linux, macOS or Windows, for example VirtualBox or VMware Workstation.

Virtual Server Using VMware ESXi
[Figure: virtual server using VMware ESXi]

Virtual Data Center
[Figure: virtual data center, vSphere Client]

Cloud Networks and Virtualization
The terms “cloud computing” and “virtualization” are often used interchangeably; however, they mean different
things. Virtualization is the foundation of cloud computing. Without it, cloud computing, as it is most widely
implemented, would not be possible. Cloud computing separates the application from the hardware. Virtualization
separates the operating system from the hardware. The cloud network consists of physical and virtual servers usually
found in data centers. Data centers are increasingly using virtual machines (VMs) to provide server services to their
clients. This allows for multiple operating systems to exist on a single hardware platform. VMs are prone to specific
targeted attacks:
• Hyperjacking - An attacker could hijack a VM hypervisor (VM controlling software) and then use it as a launch
point to attack other devices on the data center network.
• Instant On Activation - When a VM that has not been used for a period of time is brought online, it may have
outdated security policies that deviate from the baseline security and can introduce security vulnerabilities.
• Antivirus Storms - This happens when all VMs attempt to download antivirus data files at the same time.

Practical Hacking Scenario
[Figure: attacker and victim connected through the internet]

Practical Hacking Scenario (cont.)
[Figure: after the hack, the attacker (10.10.9.101) has the victim (10.10.9.100) under control]

Hands On: Practical Hacking Scenario Demo

Conclusion
In this presentation we covered:
✓ Secure the Network Infrastructure
✓ Router Security
✓ Secure Administrative Access
✓ Configure Secure Administrative Access
✓ Configure Enhanced Security for Virtual Logins
✓ Configure SSH