CH2
Securing Network Devices

Edge Router (ISR: Integrated Services Router)
# Approaches:
- Single Router Approach
- Defense-In-Depth Approach (the edge router acts as a Screening Router)
- DMZ Approach
# Areas of router security:
Physical
OS security
- Use the latest stable version
- Configure the router with the maximum amount of memory possible
- Keep a secure copy of the router operating system image and router
  configuration file as a backup.
Hardening
- Secure administrative control:
  - Restrict device accessibility
  - Log and account for all access
  - Authenticate access
  - Authorize actions
  - Present legal notification
  - Ensure the confidentiality of data
- Disable unused ports and interfaces
- Disable unnecessary services

Passwords
Enforce minimum password lengths:
(config)# security passwords min-length length
Encrypt all passwords in the configuration file:
(config)# service password-encryption
Authentication (local):
(config)# username name password { [0] password | 7 encrypted-password}
(config)# username name secret { [0] password | 5 encrypted-secret}
Disable unattended connections:
- By default, an administrative interface stays active and logged in for
  10 minutes after the last session activity.
(config-line)# exec-timeout minutes [seconds]

Enhanced Security (login enhancements; not for console)
(config)# login block-for seconds attempts tries within seconds
- This command enables the login enhancements
# Delays between successive login attempts:
(config)# login delay seconds
- Delay between login attempts (default = 1 second)
# Login shutdown if DoS attacks are suspected:
(config)# login quiet-mode access-class {acl-name | acl-number}
# Generation of system logging messages for login detection:
(config)# login on-success log [every login]
(config)# login on-failure log [every login]
OR
(config)# security authentication failure rate threshold-rate log

# BANNERS:
(config)# banner {exec | incoming | login | motd | slip-ppp} d message d

Privilege Levels
# Predefined:
Level 0: only five commands (disable, enable, exit, help and logout)
Level 1: User EXEC mode
Level 15: Privileged EXEC mode
# Custom Levels (2-14):
(config)# privilege mode {level level command | reset command}
- A user authorized for privilege level 10 is granted access to commands
  allowed at privilege levels 0 through 10
- If we create a privilege level for the command "show ip route", then all
  three commands (show, show ip, show ip route) and their subcommands will
  be included
# Example:
(config)# privilege exec level 5 ping
(config)# enable secret level 5 cisco
(config)# username SUPPORT privilege 5 secret cisco5

Role-Based CLI (Views)
# Types:
- Root View (the only view from which we can create or modify other views)
- CLI View
- Superview (one or more CLI views; no command can be directly configured
  here)
# Configs:
1. (config)# aaa new-model
2. # enable view
   (to enter the root view; the root keyword can be added; an enable secret
   must be configured)
3. (config)# parser view view-name (add the superview keyword for superviews)
4. (config-view)# secret encrypted-password (must be created immediately
   after creating a view)
5. (config-view)# commands parser-mode {include | include-exclusive |
   exclude} [all] [interface interface-name | command]
# show parser view (to show the current view)
# show parser view all (to show all views)

Cisco IOS Resilient Configuration
- Secures the bootset (the IOS image and the configuration file)
- Available for systems that support a PCMCIA Advanced Technology
  Attachment (ATA) flash; functions properly only when the system is
  configured to run an image from a flash drive with an ATA interface
- The feature can be disabled only through a console session
(config)# secure boot-image
(config)# secure boot-config
# show secure bootset
# Steps to restore a primary bootset from a secure archive:
1. Reload and enter ROMmon mode
2. dir (to list contents and see the image name)
3. boot image-name
4. After bootup, enter Global Config mode and:
5. (config)# secure boot-config restore filename

SSH
# Conditions:
1. The right IOS version (12.1(1)T or later with the IPSec feature set)
2. Unique hostname
3. Domain name
4. Local authentication or AAA services
# Steps:
1. (config)# hostname hostname
2. (config)# ip domain-name domain-name
3. (config)# crypto key generate rsa general-keys modulus modulus-size
4. (config)# username name secret secret
5. (config-line)# login local
6. (config-line)# transport input ssh
# Other Commands:
# show crypto key mypubkey rsa (to show the RSA key)
(config)# crypto key zeroize rsa (to remove the RSA key)
(config)# ip ssh time-out 60
- time interval that the router waits for the SSH client to respond during
  the SSH negotiation (default = 120 seconds)
(config)# ip ssh version 2
- version 2 uses DH and the strong integrity-checking message
  authentication code (MAC)
(config)# ip ssh authentication-retries 2
- (default = 3)
# ssh -l username 192.168.1.101
- SSH client

Management & Logging

Syslog
# Logs can be sent to:
- Console (on by default)
- Terminal lines
- Buffered logging (stored in router memory, cleared when rebooting)
- SNMP traps
- Syslog service
# Severity Levels:
From: 0 (most severe) To: 7 (lowest)
# A syslog message contains three main parts:
- Timestamp
- Log message name and severity level
- Message text
# Configs:
(config)# logging host [hostname | ip-address]
(config)# logging trap level
(config)# logging source-interface int-type int-number
(specifies the source in the syslog packets regardless of the exit interface)
(config)# logging on

NTP
UDP port 123
(config)# ntp master [stratum]
(config)# ntp server {ip-address | hostname} [version number] [key key-id] [source interface] [prefer]
(config-if)# ntp broadcast client
# NTP authentication (for NTP version 3):
(config)# ntp authenticate
(config)# ntp authentication-key key-number md5 key-value
(config)# ntp trusted-key key-number
# Additional Commands:
# show ntp associations detail

SNMP
# Components:
Manager, Agent and MIBs
# Security:
- Community String: to authenticate messages between the manager and agent
  (Read Only or Read Write)
- Versions: 1, 2 and 3
- SNMPv3 added security features:
  1. Message integrity
  2. Authentication
  3. Encryption
  4. Access Control
- Security Levels:
  1. noAuth: using a string match of the username or community string
  2. auth: using Hashed Message Authentication Code (HMAC) with MD5 or
     Secure Hash Algorithms (SHA)
  3. priv: using either the HMAC MD5 or HMAC SHA algorithms and encrypting
     the packet using DES, 3DES, or AES
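Added example (not part of these notes and not Cisco code): a small audit script that reads an IOS running-config and reports which of the hardening items from the Passwords, Enhanced Security, SSH and Syslog sections are missing (service password-encryption, minimum password length, secret instead of password, login block-for, login on-failure log, exec-timeout, transport input ssh, login local, ip ssh version 2, logging host). The two configurations are constructed samples, the secret hashes are placeholders, MIN_PASSWORD_LENGTH is an assumed policy value, and the parser only understands "line" and "interface" sub-modes.

```python
import re

# Assumed policy value: the notes only say to enforce a minimum length.
MIN_PASSWORD_LENGTH = 10

# Constructed sample configurations (not taken from any real device).
WEAK_CONFIG = """\
hostname R1
username admin password 0 cisco123
enable password cisco
ip ssh version 1
line con 0
 exec-timeout 0 0
line vty 0 4
 password cisco
 login
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
hostname R1
service password-encryption
security passwords min-length 10
login block-for 120 attempts 3 within 60
login on-failure log
login on-success log
username admin privilege 15 secret 5 $1$xxxx$PLACEHOLDER.HASH.VALUE
enable secret 5 $1$yyyy$PLACEHOLDER.HASH.VALUE
ip ssh version 2
logging host 10.0.0.50
logging trap warnings
line con 0
 exec-timeout 5 0
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
"""


def parse_sections(config):
    """Split a running-config into global commands and the indented
    sub-mode sections ("line ..." / "interface ..."), keyed by header."""
    global_lines, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith(("line ", "interface ")):
            current = line
            sections.setdefault(current, [])
        else:
            current = None
            global_lines.append(line)
    return global_lines, sections


def audit_config(config):
    """Return the list of hardening gaps found, in the order checked."""
    findings = []
    global_lines, sections = parse_sections(config)

    def present(prefix):
        return any(line.startswith(prefix) for line in global_lines)

    if not present("service password-encryption"):
        findings.append("service password-encryption not enabled")

    lengths = [int(m.group(1)) for line in global_lines
               if (m := re.match(r"security passwords min-length (\d+)$", line))]
    if not lengths or lengths[0] < MIN_PASSWORD_LENGTH:
        findings.append(f"password min-length below {MIN_PASSWORD_LENGTH} or not set")

    for line in global_lines:
        # "username ... password" is reversible (type 0/7); "secret" is hashed (type 5)
        m = re.match(r"username (\S+) .*\bpassword\b", line)
        if m:
            findings.append(f"username {m.group(1)}: reversible 'password' used instead of 'secret'")
        if line.startswith("enable password"):
            findings.append("enable password used instead of enable secret")

    for cmd, msg in (("login block-for", "login block-for not configured"),
                     ("login on-failure log", "login on-failure log not configured"),
                     ("ip ssh version 2", "ip ssh version 2 not enforced"),
                     ("logging host", "logging host not configured")):
        if not present(cmd):
            findings.append(msg)

    for header, sub in sections.items():
        if not header.startswith("line "):
            continue
        timeout = next((s for s in sub if s.startswith("exec-timeout")), None)
        if timeout is None:
            findings.append(f"{header}: exec-timeout not configured")
        elif timeout.split()[1:] in (["0"], ["0", "0"]):   # "exec-timeout 0" never expires
            findings.append(f"{header}: exec-timeout disabled")
        if header.startswith("line vty"):
            transport = next((s for s in sub if s.startswith("transport input")), None)
            if transport != "transport input ssh":
                findings.append(f"{header}: transport input should be 'ssh' only")
            if "login local" not in sub:
                findings.append(f"{header}: login local not configured")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit_config(cfg))} finding(s)")
        for finding in audit_config(cfg):
            print("  -", finding)
```

Run against the weak sample it lists twelve gaps and against the hardened sample none; feeding it a real "show running-config" capture is the intended use.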
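Added example for the Privilege Levels section (a model written for these notes, not Cisco's implementation): it encodes the two rules stated there, that a user at level N may run everything at levels 0 through N, and that assigning "show ip route" to a level also exposes the parent keywords "show" and "show ip" and covers the command's subcommands. The level 0 command list is the one in the notes; the level 1 (User EXEC) defaults are a constructed subset, and any command not in the table is assumed to require level 15.

```python
# Level 0 has exactly these five commands (from the notes).
LEVEL_0 = ("disable", "enable", "exit", "help", "logout")
# Constructed subset of User EXEC (level 1) commands used as defaults in this model.
LEVEL_1_DEFAULTS = ("show version", "show clock", "ping", "traceroute")


class PrivilegeTable:
    """Simplified model of IOS privilege-level assignment and checking."""

    def __init__(self):
        self.commands = {c: 0 for c in LEVEL_0}          # full command -> level
        self.commands.update({c: 1 for c in LEVEL_1_DEFAULTS})
        self.keywords = {}                               # keyword path -> lowest level that sees it
        for cmd, level in self.commands.items():
            self._register_prefixes(cmd, level)

    def _register_prefixes(self, command, level):
        # "show ip route" at level 5 makes the paths "show" and "show ip"
        # visible at level 5 unless they were already visible lower.
        words = command.split()
        for i in range(1, len(words)):
            path = " ".join(words[:i])
            self.keywords[path] = min(self.keywords.get(path, 15), level)

    def assign(self, level, command):
        """(config)# privilege exec level <level> <command>"""
        if not 0 <= level <= 15:
            raise ValueError("privilege levels are 0-15")
        self.commands[command] = level
        self._register_prefixes(command, level)

    def level_of(self, command_line):
        """Level required for a typed line: the longest assigned command that
        prefixes it (so subcommands inherit); unknown commands default to 15."""
        words = command_line.split()
        for i in range(len(words), 0, -1):
            prefix = " ".join(words[:i])
            if prefix in self.commands:
                return self.commands[prefix]
        return 15

    def allowed(self, user_level, command_line):
        """A user at level N is granted commands allowed at levels 0 through N."""
        return self.level_of(command_line) <= user_level

    def commands_for_level(self, user_level):
        return sorted(c for c, level in self.commands.items() if level <= user_level)


if __name__ == "__main__":
    table = PrivilegeTable()
    table.assign(5, "ping")            # the example from the notes
    table.assign(5, "show ip route")
    for level in (0, 1, 5, 15):
        print(f"level {level}: {table.commands_for_level(level)}")
    print("level 5, show ip route 10.0.0.0:", table.allowed(5, "show ip route 10.0.0.0 255.0.0.0"))
    print("level 5, show ip interface brief:", table.allowed(5, "show ip interface brief"))
```

Note that moving "ping" to level 5, as in the notes' example, removes it from level 1: a User EXEC session can no longer run it, which is the usual surprise when custom levels are introduced.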
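Added example for the Syslog and login-logging sections (written for these notes, not Cisco code): a parser for the IOS log message format (timestamp, %FACILITY-SEVERITY-MNEMONIC name, message text), a filter that applies the same rule as "logging trap level" (forward messages at that severity number or lower, i.e. more severe), and a count of LOGIN_FAILED messages per source address, which is what "login on-failure log" produces. The log lines are constructed in the IOS format, not captured from a device; the facility and mnemonic names follow IOS conventions but the specific events are made up.

```python
import re

# IOS severity keywords; the list index is the numeric level (0 = most severe, 7 = lowest).
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

# [sequence:] timestamp: %FACILITY-SEVERITY-MNEMONIC: text
SYSLOG_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?"
    r"(?P<timestamp>\*?[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?:\.\d{3})?(?: [A-Z]{3,4})?): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$")

# Constructed sample lines (IOS format, invented events and addresses).
LOG_LINES = [
    "*Mar  1 00:12:34.567: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "*Mar  1 00:15:10.001: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.99] [localport: 22] [Reason: Login Authentication Failed] at 00:15:10 UTC Mon Mar 1 1993",
    "*Mar  1 00:15:11.203: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.99] [localport: 22] [Reason: Login Authentication Failed] at 00:15:11 UTC Mon Mar 1 1993",
    "*Mar  1 00:15:12.410: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.0.0.99] [localport: 22] [Reason: Login Authentication Failed] at 00:15:12 UTC Mon Mar 1 1993",
    "*Mar  1 00:15:13.500: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 55 secs, [user: root] [Source: 10.0.0.99] [localport: 22] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 00:15:13 UTC Mon Mar 1 1993",
    "*Mar  1 00:20:00.000: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.0.5] [localport: 22] at 00:20:00 UTC Mon Mar 1 1993",
    "*Mar  1 00:21:00.000: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "garbage line that is not syslog",
]


def parse_ios_syslog(line):
    """Return a dict with timestamp, facility, severity, mnemonic and text,
    or None when the line does not follow the IOS message format."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    rec["severity_name"] = SEVERITY_NAMES[rec["severity"]]
    return rec


def parse_all(lines):
    return [r for r in map(parse_ios_syslog, lines) if r is not None]


def filter_by_trap_level(records, level):
    """Mimic 'logging trap <level>': keep messages at that level or more
    severe (a smaller number). Accepts the numeric level or its IOS keyword."""
    if isinstance(level, str):
        level = SEVERITY_NAMES.index(level)
    return [r for r in records if r["severity"] <= level]


def failed_logins_by_source(records):
    """Count LOGIN_FAILED messages per [Source: ...] address."""
    counts = {}
    for r in records:
        if r["mnemonic"] != "LOGIN_FAILED":
            continue
        m = re.search(r"\[Source: ([^\]]+)\]", r["text"])
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


if __name__ == "__main__":
    records = parse_all(LOG_LINES)
    print(f"parsed {len(records)} of {len(LOG_LINES)} lines")
    for r in filter_by_trap_level(records, "warnings"):
        print(f"{r['severity']} {r['severity_name']:<13} %{r['facility']}-{r['severity']}-{r['mnemonic']}")
    print("failed logins by source:", failed_logins_by_source(records))
```

With "logging trap warnings" (level 4) the CONFIG_I and LOGIN_SUCCESS messages (levels 5) never reach the syslog server, so a collector that wants successful logins for accounting has to raise the trap level to notifications or informational.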