SC Labs | CCNA notes



CCNA Security Chapter 2 - Securing Network Devices


Securing outgoing network traffic and scrutinizing (analyzing) incoming traffic are critical aspects of network security. Securing the edge router, which connects to the outside network, is an important first step in securing the network.

Summary:
- Secure the physical installation of and the administrative access to Cisco routers based on different network requirements using the CLI and CCP. (Many router services are enabled by default.)
- Configure administrative roles using privilege levels and role-based CLI.
- Implement the management and reporting features of syslog, SNMP, SSH, and NTP.
- Examine router configurations with the Security Audit feature of CCP, and make the router and network more secure by using the auto secure command or the One-Step Lockdown feature of CCP.
- A hands-on lab for the chapter, Securing the Router for Administrative Access.
- A Packet Tracer activity, Configure Cisco Routers for Syslog, NTP, and SSH Operations.

1) Securing the Edge router


1.1) Securing edge devices

Edge devices are routers, routing switches and a variety of metropolitan area network (MAN) and wide area network (WAN) access devices that provide entry points into enterprise or service provider core networks. Edge devices also provide connections into carrier and service provider networks. The edge router is the last router between the internal network and an untrusted network such as the Internet. All of an organization's Internet traffic goes through this edge router; therefore, it often functions as the first and last line of defense for a network.

The edge router implementation:
- Single Router Approach (all security policies are configured on this device; typical for SOHO)
- Defense-in-Depth Approach (the edge router passes all connections that are intended for the internal LAN to the firewall)
- DMZ (demilitarized zone) Approach (can be used for servers that must be accessible from the Internet or some other external network)

Three areas of router security must be maintained:
- Physical Security (UPS, secure locked room that is accessible only to authorized personnel)
- Router Hardening (only authorized personnel have access; disable unused ports, services, interfaces)
- Operating System Security (maximum amount of memory, latest stable version, keep a secure copy of IOS and config)

Administrative access is required for router management purposes:
- Restrict device accessibility
- Log and account for all access
- Authenticate access (access is granted only to authenticated users, groups, and services)
- Authorize actions (restrict the actions and views permitted by any particular user, group, or service)


- Present legal notification
- Ensure the confidentiality of data

There are two ways to access a device for administrative purposes:
- Local (console)
- Remote (telnet, ssh, http, https, snmp, aux-modem)

1.2) Secure Administrative Access

Make passwords less easily discovered by intelligent guessing and cracking tools:
- length of 10 or more characters,
    R1(config)#security passwords min-length ?
      <0-16>  Minimum length of all user/enable passwords
- complex password (a mix of uppercase and lowercase letters, numbers, symbols, and spaces),
- avoid passwords based on repetition, dictionary words, letter or number sequences, usernames, relative or pet names, biographical information,
- deliberately misspell a password (Security = 5ecur1ty),
- change passwords often,
- do not write passwords down and leave them in obvious places such as on the desk or monitor,
- time out sessions
    # exec-timeout <minutes> <seconds>
- encrypt all passwords
    # service password-encryption
    # username name password password    <- weak encryption (type 7)
    # username name secret password      <- strong encryption (MD5)
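As an added illustration of the password rules above (example code written for these notes, not Cisco's own checker), the following Python function applies them to a candidate string: minimum length of 10, a mix of character classes, no repeated or sequential runs, no username or dictionary word, and the IOS rule that leading spaces are dropped while interior spaces count, so a multi-word pass phrase is accepted. The tiny word list and the pass-phrase threshold (at least three words and 20 characters) are assumptions.

```python
import re

# Constructed mini word list standing in for a real dictionary file (assumption:
# a production checker would load a full word list instead of these few entries).
COMMON_WORDS = {"password", "cisco", "security", "admin", "router", "welcome"}

MIN_LENGTH = 10  # the notes recommend 10 or more characters


def char_classes(pw):
    """Return the set of character classes present in pw."""
    classes = set()
    for ch in pw:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch == " ":
            classes.add("space")
        else:
            classes.add("symbol")
    return classes


def has_sequence(pw, run=4):
    """True if pw holds `run` consecutive ascending or descending characters (abcd, 4321)."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        steps = [ord(low[i + j + 1]) - ord(low[i + j]) for j in range(run - 1)]
        if all(s == 1 for s in steps) or all(s == -1 for s in steps):
            return True
    return False


def has_repetition(pw, run=3):
    """True if the same character appears `run` or more times in a row (aaa)."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def check_password(candidate, username=""):
    """Return the list of policy violations for candidate (empty list == acceptable).

    Mimics the IOS behaviour described in the notes: leading spaces are dropped,
    spaces after the first character count, so a multi-word pass phrase is allowed.
    """
    pw = candidate.lstrip(" ")
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # A pass phrase (several words, long) is accepted without the class-mix rule (assumed threshold).
    passphrase = pw.count(" ") >= 2 and len(pw) >= 20
    if not passphrase and len(char_classes(pw) - {"space"}) < 3:
        problems.append("needs at least three of: upper, lower, digit, symbol")
    if has_repetition(pw):
        problems.append("repeated character run")
    if has_sequence(pw):
        problems.append("sequential characters")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    if not passphrase:
        # Plain dictionary words are rejected; a deliberate misspelling such as
        # 5ecur1ty does not match and therefore passes this check.
        for word in sorted(COMMON_WORDS):
            if word in pw.lower():
                problems.append(f"contains dictionary word '{word}'")
    return problems
```

A wrapper around this check is the natural place to enforce the same minimum that security passwords min-length sets on the router, so that passwords are rejected before they reach the device rather than after.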

On Cisco routers and many other systems, password-leading spaces are ignored, but spaces after the first character are not ignored. Therefore, one method to create a strong password is to use the space bar in the password and create a phrase made of many words. This is called a pass phrase.

Many access ports require passwords on a Cisco router, including the console port, auxiliary port, and virtual terminal connections. Password management in a large network should be maintained using a central TACACS+ or RADIUS authentication server such as the Cisco Secure Access Control Server (ACS). A local username database is also recommended as backup if access to an authentication, authorization, and accounting (AAA) server is compromised.

- Enable Secret Password: the enable secret global configuration command restricts access to privileged EXEC mode. The enable secret password is always hashed inside the router configuration using a Message Digest 5 (MD5) hashing algorithm. If the enable secret password is lost or forgotten, it must be replaced using the Cisco router password recovery procedure.
- Console Line: by default, the console port does not require a password. Use the line console 0 command followed by the login and password subcommands to require login and establish a login password on the console line.
- Virtual Terminal Lines (VTY): by default, Cisco routers support up to five simultaneous vty (Telnet or SSH) sessions, numbered from 0 through 4. Use the line vty 0 4 command followed by the login and password subcommands to require login and establish a login password on incoming Telnet sessions.
- Auxiliary Line (AUX): by default, Cisco router auxiliary ports do not require a password for remote administrative access. Administrators sometimes use this port to remotely configure and monitor the router using a dialup modem connection. To access the auxiliary line use the line aux 0 command. Use the login and password subcommands to require login and establish a login password on incoming connections.

By default, with the exception of the enable secret password, all Cisco router passwords are stored in plaintext within the router configuration. These passwords can be viewed with the show running-config command. Sniffers can also see these passwords if the TFTP server configuration files traverse an unsecured intranet or Internet connection. If an intruder gains access to the TFTP server where the router configuration files are stored, the intruder is able to obtain these passwords.

1.3) Virtual Login Security Enhancements

- Implement delays between successive login attempts.
- Enable login shutdown if DoS attacks are suspected.
- Generate system-logging messages for login detection.

Router# configure terminal
Router(config)# login block-for <1-65535> attempts <1-65535> within <1-65535>
Router(config)# login quiet-mode access-class {acl-name | acl-number}
Router(config)# login delay seconds
Router(config)# login on-failure log [every login]
Router(config)# login on-success log [every login]

All login enhancement features are disabled by default. Commands to enable login enhancements:

1) login block-for
# login block-for <a_seconds> attempts <nr> within <b_seconds>
Block for a_seconds when nr authentication attempts fail within b_seconds. Operates in two modes:
- Normal mode (watch mode) - The router keeps count of the number of failed login attempts within an identified amount of time.
- Quiet mode (quiet period) - If the number of failed logins exceeds the configured threshold, all login attempts using Telnet, SSH, and HTTP are denied.

2) login quiet-mode access-class
# login quiet-mode access-class <ACL_name>
Specifies an ACL that is applied to the router when it switches to quiet mode and identifies hosts that are exempt from the quiet-mode failure time. If not configured, all login requests are denied during quiet mode.

3) login delay
# login delay <seconds>
Helps mitigate dictionary attacks. This is an optional command. If not set, a default delay of one second is enforced after the login block-for command is configured.

The auto secure command enables message logging for failed login attempts. Logging successful login attempts is not enabled by default.
login on-failure log [every login] generates logs for failed login requests.
login on-success log [every login] generates log messages for successful login requests.
The number of login attempts before a logging message is generated can be specified using the [every login] parameter. The default value is 1 attempt. The valid range is from 1 to 65,535.


As an alternative, the security authentication failure rate <threshold-rate> log command generates a log message when the login failure rate is exceeded. The show login failures command displays more information regarding the failed attempts, such as the IP address from which the failed login attempts originated.
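The login block-for behaviour above, as an added example not taken from the notes or from Cisco: a small Python model of watch mode and quiet mode, with the quiet-mode ACL exemption and the login delay. The scenario timings and the log lines are constructed, and the simplified message names are not literal IOS syslog output.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class LoginGuard:
    """Model of `login block-for <block_for> attempts <attempts> within <within>`,
    `login quiet-mode access-class` (exempt networks) and `login delay`.
    Log lines are simplified (constructed), not literal IOS syslog output."""
    block_for: int                      # seconds to stay in quiet mode
    attempts: int                       # failed attempts that trigger quiet mode
    within: int                         # sliding window (seconds) for counting failures
    delay: int = 1                      # login delay; IOS default is 1 s once block-for is set
    quiet_mode_acl: list = field(default_factory=list)   # exempt source networks
    failures: list = field(default_factory=list)         # timestamps of recent failures
    quiet_until: float = 0.0
    last_attempt: float = float("-inf")
    log: list = field(default_factory=list)

    def mode(self, now):
        return "quiet" if now < self.quiet_until else "normal"

    def exempt(self, src):
        return any(ip_address(src) in ip_network(net) for net in self.quiet_mode_acl)

    def attempt(self, now, src, success):
        """Process one login attempt at time `now` from `src`.
        Returns 'allowed', 'failed', 'denied' (quiet mode) or 'delayed'."""
        if now - self.last_attempt < self.delay:
            return "delayed"            # login delay: attempts closer than `delay` are held off
        self.last_attempt = now
        if self.mode(now) == "quiet" and not self.exempt(src):
            self.log.append(f"{now}: QUIET_MODE: login from {src} denied")
            return "denied"
        if success:
            self.log.append(f"{now}: LOGIN_SUCCESS from {src}")   # `login on-success log`
            return "allowed"
        self.log.append(f"{now}: LOGIN_FAILED from {src}")        # `login on-failure log`
        # Watch mode: keep only failures inside the sliding window, then compare to threshold.
        self.failures = [t for t in self.failures if t > now - self.within]
        self.failures.append(now)
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures.clear()
            self.log.append(f"{now}: QUIET_MODE_ON for {self.block_for}s")
        return "failed"


def run_scenario():
    """Constructed scenario: 3 failures within 60 s trigger a 120 s quiet period;
    10.0.0.0/8 is exempt via the quiet-mode ACL."""
    guard = LoginGuard(block_for=120, attempts=3, within=60, quiet_mode_acl=["10.0.0.0/8"])
    events = [
        (0,   "203.0.113.5", False),
        (0.5, "203.0.113.5", False),   # inside the 1 s login delay
        (10,  "203.0.113.5", False),
        (20,  "203.0.113.5", False),   # third failure -> quiet mode until t=140
        (30,  "203.0.113.5", True),    # correct password, but quiet mode is active
        (31,  "10.1.1.1",    True),    # exempt management host still gets in
        (141, "203.0.113.5", True),    # quiet period has expired
    ]
    return [guard.attempt(t, src, ok) for t, src, ok in events], guard
```

The point the scenario makes is the one the notes make about the quiet-mode ACL: without an exemption, the quiet period also locks out the administrator, which is exactly the outcome an attacker flooding the VTY lines would want.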

Banners are disabled by default and must be explicitly enabled. Use the banner command from global configuration mode to specify appropriate messages:
banner {exec | incoming | login | motd | slip-ppp} d message d
Tokens are optional and can be used within the message section of the banner command:
$(hostname) - Displays the host name for the router.
$(domain) - Displays the domain name for the router.
$(line) - Displays the vty or tty (asynchronous) line number.
$(line-desc) - Displays the description that is attached to the line.

1.4) Configure SSH

Four steps must be completed prior to configuring routers for the SSH protocol:
1) Cisco IOS Release 12.1(1)T or later (the IPsec feature set supports SSH).
2) Ensure that each of the target routers has a unique host name.
3) Ensure that each of the target routers is using the correct domain name of the network.
4) Ensure that the target routers are configured for local authentication or AAA services for username and password authentication. This is mandatory for a router-to-router SSH connection.

Configure:
1) Configure the IP domain name
# ip domain-name <domain-name>
2) Generate one-way secret keys
# crypto key generate rsa general-keys modulus <modulus-size (368-2048)>
CORP(config)#crypto key generate rsa
The name for the keys will be: CORP.theccnas.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.
How many bits in the modulus [512]: 1024
# show crypto key mypubkey rsa   (verify RSA keys)
% Key pair was generated at: 00:24:45 UTC Apr 15 2013
Key name: R1.CCNA-Sec.com
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable.
Key Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00BB8E0C 241DDAE3
  7994B461 B3D62D26 A6E7F980 B3C406A8 EAEEEBAF D6480CA7 8EC5A0BB E8675CFF
  22BEEB06 5016D1B6 3296B904 3007D48B 15582DA9 49F86F89 6B020301 0001
% Key pair was generated at: 00:24:47 UTC Apr 15 2013
Key name: R1.CCNA-Sec.com.server
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 008E52D8 5D3B60EE
  4A484C83 B8AEB54C CC392430 3D19024B 174EF16F AF06E359 E73B6EF2 E0570D11
  FB9672BA BEECBF6B BC976CFE 36D46D69 5AB471C6 DCFCEDE4 DD06B6A4 2110B69A
  91E0B00C 3D4AED06 90814CEA 05DD3DF7 A3D93131 0E291A17 05020301 0001
3) Verify or create a local database entry
# username <name> secret <secret>
4) Enable VTY inbound SSH sessions
(config)# line vty 0 4
(config-line)# login local
(config-line)# transport input ssh

Optionally, SSH commands can be used to configure the following:
- SSH version
  # ip ssh version 2
- SSH timeout period
  # ip ssh time-out 60
- Number of authentication retries
  # ip ssh auth-retries 3

2) Privilege levels

2.1) 16-level system (0-15)
Level 0: Predefined for user-level access privileges. Seldom (rarely) used, but includes five commands: disable, enable, exit, help, and logout.
Level 1: The default level for login with the router prompt Router>. A user cannot make any changes or view the running configuration file.
Levels 2-14: May be customized for user-level privileges. Commands from lower levels may be moved up to another higher level, or commands from higher levels may be moved down to a lower level.
Level 15: Reserved for the enable mode privileges (enable command). Users can change configurations and view configuration files.

Router(config)# privilege <mode> {level level command | reset} command

There are two methods for assigning passwords to the different levels:
- To the privilege level, using the global configuration command enable secret level level password.
- To a user that is granted a specific privilege level, using the global configuration command username name privilege level secret password.


Level 10 automatically inherits all the commands from the lower levels.
privilege exec level 10 reload
username jr-admin privilege 10 secret cisco10
enable secret level 10 cisco10

2.2) Role-Based CLI

Advantages: Security, Availability, Operational Efficiency. Role-based CLI provides three types of views:
- Root view - Root view has the same access privileges as a user who has level 15 privileges. However, a root view is not the same as a level 15 user.
- CLI view - A specific set of commands can be bundled into a CLI view. Unlike privilege levels, a CLI view has no command hierarchy and, therefore, no higher or lower views.
- Superview - A superview consists of one or more CLI views. Commands cannot be configured for a specific superview. Users logged in to a superview can access all commands specified within the associated CLI views.

Config:
R7>en view                         ! Enable the root view
% AAA must be configured.
R7#conf t
R7(config)#aaa new-model
R7(config)#enable password 123456
R7(config)#exi
R7#disable
R7>en view
Password:                          <- 123456
R7#conf t
R7(config)#parser view MONITOR
R7(config-view)#
*Sep 2 17:50:14.227: %PARSER-6-VIEW_CREATED: view 'MONITOR' successfully created.
R7(config-view)#command exec include show version
% Password not set for the view MONITOR
R7(config-view)#secret 0 1234567
R7(config-view)#command exec include show version
R7(config-view)#command exec include configure terminal
R7(config-view)#command exec include all show ip
R7(config-view)#exi
R7(config)#exi
R7#enable view MONITOR
Password:                          <- 1234567
R7#?
Exec commands:
  configure  Enter configuration mode
  enable     Turn on privileged commands
  exit       Exit from the EXEC
  show       Show running system information
R7#

2.3) Monitoring and Managing devices


2.3.1) Securing IOS and configuration files

Cisco IOS Resilient Configuration. Example config: http://packetlife.net/blog/2010/oct/18/ios-resilient-configuration/

The Cisco IOS Resilient Configuration feature allows for faster recovery if someone reformats flash memory or erases the startup configuration file in NVRAM. This feature allows a router to withstand malicious attempts at erasing the files by securing the router image and maintaining a secure working copy of the running configuration. The configuration file in the primary bootset is a copy of the running configuration that was in the router when the feature was first enabled. The feature secures the smallest working set of files to preserve persistent storage space. No extra space is required to secure the primary Cisco IOS image file. The feature automatically detects image or configuration version mismatch. Only local storage is used for securing files, eliminating scalability maintenance challenges from storing multiple images and configurations on TFTP servers. The feature can be disabled only through a console session.

Two global configuration commands are available to configure the Cisco IOS resilient configuration features:
(config)# secure boot-image                        (Secure the running image)
(config)# secure boot-config                       (Archive the startup configuration)
# show secure bootset                              (Verify the existence of the archive)
(config)# secure boot-config restore <filename>
(config)# secure boot-config restore flash:/test   - Restore the config to a file on flash.
(config)# no secure boot-config                    - Disable boot config. Must be connected to the console.

The secure boot-image command enables Cisco IOS image resilience. When enabled for the first time, the running Cisco IOS image is secured, and a log entry is generated. This feature can be disabled only through a console session using the no form of the command. The configuration archive is hidden and cannot be viewed or removed directly from the CLI prompt. Secured files do not appear in the output of a dir command that is issued from the CLI. This is because the Cisco IOS file system prevents secure files from being listed. Because the running image and running configuration archives are not visible in the dir command output, use the show secure bootset command to verify the existence of the archive. This step is important to verify that the Cisco IOS image and configuration files have been properly backed up and secured.

Cisco router password recovery procedure:
1) Connect to the console port.
2) Use the show version command to view and record the configuration register (the configuration register is normally 0x2102). If there is no longer access to the router (because of a lost login or TACACS password), an administrator can safely assume that the configuration register is set to 0x2102.
3) Use the power switch to power cycle the router.
4) Issue the break sequence within 60 seconds of power up to put the router into ROMmon.
5) rommon 1> confreg 0x2142
6) rommon 2> reset
7) Type no after each setup question, or press Ctrl-C to skip the initial setup procedure.
8) Router> enable
9) Router# copy startup-config running-config, show running-config
10) Router(config)# enable secret cisco
11) Router(config)# config-register 0x2102
12) Router# copy running-config startup-config

An administrator can mitigate this potential security breach by using the no service password-recovery command. If a router is configured with the no service password-recovery command, all access to ROMmon mode is disabled. To recover a device after the no service password-recovery command is entered, initiate the break sequence within five seconds after the image decompresses during the boot. You are prompted to confirm the break key action. After the action is confirmed, the startup configuration is completely erased, the password recovery procedure is enabled, and the router boots with the factory default configuration. If you do not confirm the break action, the router boots normally with the no service password-recovery command enabled.

CAUTION: If the router flash memory does not contain a valid Cisco IOS image because of corruption or deletion, the ROMmon xmodem command cannot be used to load a new flash image. To repair the router, an administrator must obtain a new Cisco IOS image on a flash SIMM or on a PCMCIA card. Refer to Cisco.com for more information regarding backup flash images.

2.3.2) Secure management and reporting

Several factors should be considered when implementing secure management:
- configuration change management,
- automated logging and reporting of information from identified devices to management hosts.
Many applications and protocols are also available, such as SNMP, which is used in network management systems to monitor and make configuration changes to devices remotely.

When logging and managing information, the information flow between management hosts and the managed devices can take two paths:
- Out-of-band (OOB) - Information flows on a dedicated management network.
- In-band - Information flows across an enterprise production network, the Internet, or both using regular data channels.

Requirements that must be met if an administrator wants to maintain device configurations via secure in-band management:
- network devices configured to accommodate SSH,
- encryption of all remote access management traffic,
- connection to network devices through a production network or the Internet.

Because the management network has administrative access to nearly every area of the network, it can be a very attractive target to hackers. To mitigate the threat of a compromised device, strong access control should be implemented at the firewall and at every other device. Additionally, management devices should be set up in a fashion that prevents direct communication with other hosts on the same management subnet, using separate LAN segments or VLANs.

2.3.3) Syslog

Implementing a router logging facility is an important part of any network security policy. The router can send log messages to one or more of the following items:
- Console - Console logging is on by default.
- Terminal lines - Enabled EXEC sessions can be configured to receive log messages on any terminal lines. Similar to console logging, this type of logging is not stored by the router and, therefore, is only valuable to the user on that line.
- Buffered logging - Buffered logging is a little more useful as a security tool because log messages are stored in router memory for a time. However, events are cleared whenever the router is rebooted.
- SNMP traps - Certain thresholds can be preconfigured on routers and other devices. Router events, such as exceeding a threshold, can be processed by the router and forwarded as SNMP traps to an external SNMP server. SNMP traps are a viable security logging facility but require the configuration and maintenance of an SNMP system.
- Syslog - Cisco routers can be configured to forward log messages to an external syslog service. This service can reside on any number of servers or workstations, including Microsoft Windows and UNIX-based systems. Syslog is the most popular message logging facility, because it provides long-term log storage capabilities and a central location for all router messages.

Cisco router log messages fall into one of eight levels. The lower the level number, the higher the severity level.

Syslog levels <0-7>:
  0  emergencies    System is unusable                 (severity=0)
  1  alerts         Immediate action needed            (severity=1)
  2  critical       Critical conditions                (severity=2)
  3  errors         Error conditions                   (severity=3)
  4  warnings       Warning conditions                 (severity=4)
  5  notifications  Normal but significant conditions  (severity=5)
  6  informational  Informational messages             (severity=6)
  7  debugging      Debugging messages                 (severity=7)

Cisco router log messages contain three main parts:
Timestamp | Log message name and severity level | Message text
*Apr 15 10:57:35.695: %SYS-5-CONFIG_I: Configured from console by console


Syslog is the standard for logging system events:
- Syslog servers - Also known as log hosts, these systems accept and process log messages from syslog clients.
- Syslog clients - Routers or other types of equipment that generate and forward log messages to syslog servers.

Syslog questions:
- What are the most important logs?
- How are important messages separated from routine notifications?
- How do you prevent tampering with logs?
- How do you ensure the time stamps match?
- What log data is needed in criminal investigations?
- How do you deal with the volume of messages?
- How do you manage all of the devices?
- How can you track when attacks or network failures occur?

Configure syslog on a Cisco device:
Router# configure terminal
Router(config)# service timestamps type datetime [msec] [localtime] [show-timezone]
R1(config)#service timestamps log datetime msec
R1(config)#service timestamps debug datetime msec
Router(config)# logging on
Router(config)# logging host <IP | hostname>
Router(config)# logging trap <level>
Router(config)# logging facility <facility-type>
Router(config)# logging source-interface <interface-type> <interface-number>
Router(config)# end
Router# show logging
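An added example (not part of the original notes) that parses the three-part message format shown above and applies a logging trap threshold the way the router does when deciding what to forward. The sample log lines are constructed; the leading '*' or '.' on a timestamp is the IOS marker for a clock that is not (or no longer) synchronized, which is why a log host should not trust such timestamps for correlation.

```python
import re

# Constructed sample of router log lines in the three-part format shown above.
SAMPLE_LOG = """\
*Apr 15 10:57:35.695: %SYS-5-CONFIG_I: Configured from console by console
*Apr 15 10:58:02.104: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
000042: Apr 15 10:58:40.887 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.5] [localport: 22] [Reason: Login Authentication Failed]
Apr 15 10:59:01.000 UTC: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed, alignment 0
this line is not a router log message
"""

SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

LOG_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?"                                # optional sequence number
    r"(?P<clock>[*.])?"                                    # '*' clock never set, '.' lost sync (IOS convention)
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{3})?)"
    r"(?: (?P<tz>[A-Z]{2,5}))?: "                          # optional time zone (show-timezone)
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)


def parse_log_line(line):
    """Split one IOS log line into its parts; return None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    sev = int(m.group("severity"))
    return {
        "seq": m.group("seq"),
        "timestamp": m.group("ts"),
        "timezone": m.group("tz"),
        "clock_authoritative": m.group("clock") is None,   # '*' or '.' means don't trust the time
        "facility": m.group("facility"),
        "severity": sev,
        "severity_name": SEVERITY_NAMES[sev],
        "mnemonic": m.group("mnemonic"),
        "text": m.group("text"),
    }


def select_for_trap(log_text, trap_level):
    """Return the parsed messages a `logging trap <trap_level>` setting would forward:
    everything at that level or more severe (numerically lower or equal)."""
    parsed = (parse_log_line(l) for l in log_text.splitlines())
    return [p for p in parsed if p is not None and p["severity"] <= trap_level]
```

Run against the sample with trap level 4 (warnings), the CONFIG_I notification is dropped and the link, login-failure and memory messages are forwarded, which is the same filtering the router applies before sending to the syslog host.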

2.3.4) SNMP - Simple Network Management Protocol

SNMP was developed to manage nodes, such as servers, workstations, routers, switches, hubs, and security appliances, on an IP network. SNMP is an Application Layer protocol that facilitates the exchange of management information between network devices. There are different versions of SNMP:
- SNMP version 1 (SNMPv1),
- SNMP version 2 (SNMPv2),
- SNMP version 3 (SNMPv3).
All three versions use managers (network management systems [NMSs]), agents (managed nodes), and Management Information Bases (MIBs).

SNMP traps (SNMPv1; called notifications in v2) are asynchronous messages from devices. Community strings authenticate messages between a management station and an SNMPv1 or SNMPv2 engine. Read-write community strings can get and set information in an agent. Set access is equivalent to having the enable password for a device. By default, most SNMP systems use "public" as a community string. It is extremely important that you create your own custom SNMP community strings. However, even if the community string is changed, the strings are sent in plaintext. This is a huge vulnerability of the SNMPv1 and SNMPv2 architecture. SNMPv3 authenticates and encrypts packets over the network to provide secure access to devices. SNMPv3 provides the following security features:
- Message integrity: Ensures that a packet has not been tampered with in transit.
- Authentication: Determines that the message is from a valid source.
- Encryption: Scrambles the contents of a packet to prevent it from being seen by an unauthorized source.
- Access Control: Restricts each principal to certain actions on specific portions of data.

When enabling SNMP, it is important to consider the security model and the security level.
1) The security model is an authentication strategy that is set up for a user and the group in which the user resides. Currently, Cisco IOS software supports three security models: SNMPv1, SNMPv2c, and SNMPv3.
2) A security level is the permitted level of security within a security model. The security level is a type of security algorithm that is performed on each SNMP packet. There are three security levels:
- noAuth - Authenticates a packet by a string match of the username or community string.
- auth - Authenticates a packet by using either the Hashed Message Authentication Code (HMAC) with MD5 method or Secure Hash Algorithm (SHA) method. The HMAC method is described in RFC 2104, HMAC: Keyed-Hashing for Message Authentication.
- priv - Authenticates a packet by using either the HMAC MD5 or HMAC SHA algorithms and encrypts the packet using the Data Encryption Standard (DES), Triple DES (3DES), or Advanced Encryption Standard (AES) algorithms.
The combination of the model and level determines which security mechanism is employed when handling an SNMP packet. Only SNMPv3 supports the auth and priv security levels. However, CCP does not support configuration of SNMPv3.

2.3.5) NTP - Network Time Protocol

Many things involved in the security of a network, such as security logs, depend on an accurate date and timestamp. NTP is designed to synchronize the time on a network of machines. NTP allows routers on the network to synchronize their time settings with an NTP server. A group of NTP clients that obtain time and date information from a single source have more consistent time settings. When NTP is implemented in the network, it can be set up to synchronize to a private master clock, or it can synchronize to a publicly available NTP server on the Internet. NTP uses UDP port 123 and is documented in RFC 1305.

The software and hardware clocks on a Cisco router can have different times; here is how to synchronise them with each other. The following two commands show the difference in time between the two clocks on our Cisco router:
R1# show clock
01:51:31.532 Athens Sun Apr 19 2009
R1# show calendar
01:51:42 Athens Sun Apr 19 2009
While the difference is minor, we want to keep everything in our network synchronised as precisely as possible. Keep in mind that show clock refers to the software clock and show calendar refers to the hardware clock of your router.

ntp update-calendar - To periodically update the hardware clock (calendar) from a Network Time Protocol (NTP) time source, use the ntp update-calendar command in global configuration mode. To disable the periodic updates, use the no form of this command.

R1#show clock detail
*15:14:22.258 UTC Mon Apr 15 2013
Time source is hardware calendar

Configure a Cisco device as an authoritative NTP server (the stratum number is the number of hops away from an authoritative source such as an atomic clock):
Router(config)# ntp master <stratum>
Allow the software clock to be synchronized by an NTP time server:
Router(config)# ntp server <IP | hostname> [version <number>] [key <keyid>] [source <interface>] [prefer]
Configure the device to receive NTP broadcast messages on the interface:
Router(config-if)# ntp broadcast client

The time that a device keeps is critical; therefore, the security features of NTP should be used to avoid the accidental or malicious setting of incorrect times. There are two security mechanisms available:
- ACL-based restriction scheme
- Encrypted authentication mechanism offered by NTP version 3 or later.
Use the following commands on both the NTP master and the NTP client:
ntp authenticate
ntp authentication-key key-number md5 key-value
ntp trusted-key key-number
show ntp associations detail

RT1#sh ntp associations
Load for five secs: 30%/27%; one minute: 30%; five minutes: 29%
Time source is NTP, 16:02:42.875 EET Fri Aug 17 2012

      address         ref clock     st  when  poll reach  delay  offset    disp
 ~127.127.7.1      127.127.7.1       7    52    64   377    0.0    0.00     0.0
*~195.66.241.2     .PPS.             1   649  1024   377   57.0   -0.11     1.7
+~140.203.16.5     .GPS.             1   761  1024   377   81.8    0.83     1.2
-~129.69.1.153     .PPS.             1    23  1024   377   45.7   -2.10     1.1
+~131.188.3.220    .GPS.             1  1005  1024   377   92.2    3.56     0.9
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

RT1#sh ntp associations detail
195.66.241.2 configured, our_master, sane, valid, stratum 1
ref ID .PPS., time D3D8BCE2.72AC1DF2 (15:51:46.447 EET Fri Aug 17 2012)
our mode client, peer mode server, our poll intvl 1024, peer poll intvl 1024
root delay 0.00 msec, root disp 0.34, reach 377, sync dist 43.533
delay 57.02 msec, offset -0.1123 msec, dispersion 1.68
precision 2**19, version 3
...
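As an added example (not from the notes or from Cisco), a parser for the show ntp associations layout shown above that turns the octal reach field into a count of answered polls and reports which peer the router is synchronized to, so a monitoring job can alert when the time source degrades. The sample output is constructed from the peers listed above, and the 100 ms offset threshold is an assumption.

```python
import re

# Constructed output in the layout of `show ntp associations`, using the peers listed above.
SAMPLE_ASSOCIATIONS = """\
      address         ref clock     st  when  poll reach  delay  offset    disp
 ~127.127.7.1      127.127.7.1       7    52    64   377    0.0    0.00     0.0
*~195.66.241.2     .PPS.             1   649  1024   377   57.0   -0.11     1.7
+~140.203.16.5     .GPS.             1   761  1024   377   81.8    0.83     1.2
-~129.69.1.153     .PPS.             1    23  1024   377   45.7   -2.10     1.1
+~131.188.3.220    .GPS.             1  1005  1024   377   92.2    3.56     0.9
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
"""

PEER_RE = re.compile(
    r"^(?P<flags>[*#+\- ~]*?)(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<ref>\S+)\s+"
    r"(?P<st>\d+)\s+(?P<when>\d+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]{1,3})\s+"
    r"(?P<delay>-?[\d.]+)\s+(?P<offset>-?[\d.]+)\s+(?P<disp>-?[\d.]+)\s*$"
)

# Meaning of the leading flag, from the legend line of the command output.
FLAG_MEANING = {"*": "master (synced)", "#": "master (unsynced)",
                "+": "selected", "-": "candidate"}


def parse_associations(output):
    """Parse each peer row into a dict; header and legend lines are skipped."""
    peers = []
    for line in output.splitlines():
        m = PEER_RE.match(line)
        if not m:
            continue
        flags = m.group("flags")
        reach = int(m.group("reach"), 8)      # reach is an octal shift register of the last 8 polls
        peers.append({
            "address": m.group("addr"),
            "ref_clock": m.group("ref"),
            "stratum": int(m.group("st")),
            "role": FLAG_MEANING.get(flags.strip(" ~")[:1], "configured"),
            "configured": "~" in flags,
            "polls_answered": bin(reach).count("1"),   # 377 octal -> all 8 recent polls answered
            "offset_ms": float(m.group("offset")),
            "delay_ms": float(m.group("delay")),
        })
    return peers


def ntp_health(output, max_offset_ms=100.0):
    """Summarize sync state: the peer we follow and the peers a monitor should flag
    (missed polls or an offset above max_offset_ms; the threshold is an assumption)."""
    peers = parse_associations(output)
    master = next((p for p in peers if p["role"] == "master (synced)"), None)
    flagged = [p["address"] for p in peers
               if p["polls_answered"] < 8 or abs(p["offset_ms"]) > max_offset_ms]
    return {
        "synced": master is not None,
        "master": master["address"] if master else None,
        "master_stratum": master["stratum"] if master else None,
        "peer_count": len(peers),
        "flagged": flagged,
    }
```

Reach below 377 means recent polls went unanswered, and a '#' instead of '*' means the router is still pointing at a master it no longer trusts; both are worth an alert because every timestamp in the syslog section depends on this clock.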

2.4) Using automated auditing features


2.4.1) Performing a security audit Cisco routers are initially deployed with many services that are enabled by default. This is done for convenience and to simplify the configuration process required to get the device operational. However, some of these services can make the device vulnerable to attack if security is not enabled. Many practices help ensure a device is secure: - Disable unnecessary services and interfaces. - Disable and restrict commonly configured management services, such as SNMP. - Disable probes and scans, such as ICMP. - Ensure terminal access security. - Disable gratuitous and proxy Address Resolution Protocol (ARP). - Disable IP-directed broadcasts. Cisco Protocols and services default settings: 1) CDP Cisco Discovery Protocol Default: enabled Description: CDP periodically advertises information between Cisco devices, such as the type of device and Cisco IOS version. Such information could be used to determine vulnerabilites and launch specific attachsl. Unless needed inside the network, this service should be disabled globally or disabled on unneccessary interfaces. (config) no cdp run (config-if) no cdp enable 2) Configuration autoloading Default: Enabled (globally and interfaces) Description: This service permits a router to automatically load a configuration file from a network server upon boot. This service should remain disabled when not needed (config) no service config 3) FTP server Default: Disabled Description: This service permits the router to act as an FTP server for specific files in flash memory. It should remain disabled when not needed. (config) no ftp-server enable 4) TFTP Server Default: Disabled Description: This service permits the router to act as a TFTP server for specific files in flash memory. It should remain disabled when not in use.

(config)# no tftp-server file-sys:image-name

5) NTP service
Default: Disabled
Description: This service both receives a time-of-day clock from an NTP server and allows the router to act as an NTP server to NTP clients. Correct time is necessary for accurate time stamps when logging messages. This service should be disabled if not needed, or restricted to only the devices that require NTP services (ntp access-group and ntp authenticate).
(config)# no ntp server ip-address

6) Packet assembler/disassembler (PAD) service
Default: Enabled
Description: This service allows access to X.25 PAD commands in an X.25 network. Such a service is rarely needed in modern networks and should be disabled.
(config)# no service pad

7) TCP and UDP minor (small) services
Default: Enabled before IOS 11.3, disabled from 11.3 onwards
Description: These services run small servers (daemons) in the router, such as echo, chargen, discard and daytime, typically used for diagnostics. They are rarely used and should be disabled.
(config)# no service tcp-small-servers
(config)# no service udp-small-servers

8) Maintenance Operation Protocol (MOP) service
Default: Enabled (most Ethernet interfaces)
Description: This service is a Digital Equipment Corporation (DEC) maintenance protocol. Such a service is rarely needed in modern networks and should be disabled. Note the command keyword is "enabled", not "enable":
(config-if)# no mop enabled

9) Simple Network Management Protocol (SNMP)
Default: Enabled in the course table; in practice the SNMP agent only starts answering once an snmp-server command (for example a community string) has been configured.
Description: This service permits the router to respond to queries and configuration requests. If not used, this service should be disabled. If needed, restrict access to the router with access control lists (ACL) and use SNMPv3, which adds authentication and encryption. The command that disables the agent entirely is:
(config)# no snmp-server

10) HTTP or HTTPS configuration and monitoring
Default: Device dependent
Description: This service allows the router to be monitored and configured from a web browser. SDM and CCP use secure HTTP (HTTPS). If not used, this service should be disabled. If needed, restrict access to the router with an ACL (ip http access-class) and use HTTPS only, so that credentials and configuration are encrypted in transit.
(config)# no ip http server
(config)# no ip http secure-server

11) Domain Name System (DNS)

Default: Enabled (client services)
Description: Cisco routers use 255.255.255.255 (the local broadcast address) as the default address to reach a DNS server for name resolution, so a mistyped command at the EXEC prompt turns into a broadcast DNS lookup. If name resolution is not used, disable it. If needed, explicitly set the address of the DNS server with ip name-server.
(config)# no ip domain-lookup

12) ICMP redirects
Default: Enabled
Description: This service causes the router to send an ICMP redirect message when a packet is forwarded out of the same interface on which it arrived. If a host sends data through router R1, R1 forwards it to router R2, and a direct path from the host to R2 is available (the host and R2 are on the same Ethernet segment), then R1 sends a redirect to inform the host that the best route for that destination is via R2, and the host should then send packets for that destination directly to R2. Redirects reveal topology, and an attacker can forge them to steer a host's traffic to an untrusted device. This service should be disabled when not needed.
(config-if)# no ip redirects
(The global ip icmp redirect {host | subnet} command only selects which type of redirect the router sends; the per-interface command is what actually disables them.)

13) IP source routing
Default: Enabled
Description: This service honours the IP source-route options, which allow the sender to control the route that a packet travels through a network. Such a service can permit an attacker to bypass the normal forwarding path and the security mechanisms in a network. Because hosts should not dictate their preferred path through the network, this service should be disabled.
(config)# no ip source-route

14) Finger service
Default: Enabled
Description: The finger protocol (TCP port 79) retrieves a list of users logged on to a network device, including the line number, connection name, idle time and terminal location. The same information is shown by the show users Cisco IOS command and can be used for reconnaissance. This service should be disabled when not needed.
(config)# no service finger   (newer IOS releases use no ip finger)

15) ICMP unreachable notification
Default: Enabled
Description: This service notifies a sender of invalid destination IP subnets or specific addresses. Such information can be used to map a network. It should be disabled on interfaces facing untrusted networks, and on Null0 if routes are pointed there.
(config-if)# no ip unreachables

16) ICMP mask reply
Default: Disabled
Description: This service sends the IP subnet mask of the interface when it is requested. Such information can be used to map a network. It should be disabled on interfaces to untrusted networks.
(config-if)# no ip mask-reply

17) IP identification service
Default: Enabled
Description: The identification protocol (identd, RFC 1413) reports the identity of the TCP connection initiator. Such information can be used in reconnaissance attacks. This service should be disabled.
(config)# no ip identd

18) IP directed broadcasts
Default: Enabled in Cisco IOS releases before 12.0, disabled in 12.0 and later
Description: A directed broadcast can be used to probe, or to deny service to (via an amplified DoS attack), an entire subnet. The directed broadcast packet is unicast until it reaches the router responsible for the segment; there it becomes a broadcast on that segment. This service should be disabled.
(config-if)# no ip directed-broadcast

19) TCP keepalives
Default: Disabled
Description: TCP keepalives clean up TCP connections (for example idle vty sessions) when the remote host has stopped processing TCP packets, such as after a reboot. This service should be enabled to help prevent DoS conditions in which dead sessions hold the lines open.
(config)# service tcp-keepalives-in
(config)# service tcp-keepalives-out

20) Gratuitous ARP
Default: Enabled
Description: Gratuitous ARP is the primary means used in ARP poisoning attacks. Unless needed, this service should be disabled.
Gratuitous ARP can mean either a gratuitous ARP request or a gratuitous ARP reply. Gratuitous means a request/reply that is not normally needed according to the ARP specification (RFC 826) but can be used in some cases. A gratuitous ARP request is an ARP request packet in which the source and target IP are both set to the IP of the machine issuing the packet and the destination MAC is the broadcast address ff:ff:ff:ff:ff:ff. Ordinarily no reply occurs. A gratuitous ARP reply is a reply for which no request has been made.
Gratuitous ARPs are useful for four reasons:
- They can help detect IP address conflicts.
- They assist in updating other machines' ARP tables.
- They inform switches of the MAC address of the machine on a given switch port.
- Every time an IP interface or link comes up, the driver for that interface typically sends a gratuitous ARP to preload the ARP tables of all other local hosts.
(config)# no ip arp gratuitous
Note that this command only stops the router itself from sending gratuitous ARPs; it does not prevent other hosts on the segment from sending them.

21) Proxy ARP
Default: Enabled
Description: With proxy ARP the router answers ARP requests on behalf of hosts that are not on the local segment but are reachable through it, so that hosts with a missing or wrong default gateway still get connectivity. It is only needed in legacy designs (for example, when the router bridges two segments or the hosts have no default gateway). Because this is unlikely in modern networks, the service should be disabled.
(config-if)# no ip proxy-arp
(config)# ip arp proxy disable   (disables it globally on all interfaces)
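The checklist above is only useful if it is actually applied to every router, so here is a small auditor for it. This is an added example written for these notes, not code from the original page or from Cisco; it reads the text of "show running-config", relies on the IOS convention that default settings are omitted from the running configuration (so a default-on service counts as enabled unless its "no ..." line is present), and runs against a constructed sample configuration. The item names and the assumption that MOP only matters on Ethernet interfaces are the example's own choices.

```python
"""Audit the text of 'show running-config' against the hardening checklist above.

Added example for these notes (not the page's or Cisco's code). IOS omits
settings that are at their default from the running configuration, so a
service that is enabled by default is still on unless its explicit 'no ...'
form appears. The sample configuration at the bottom is constructed.
"""

# Global services IOS enables by default: hardened only if the "no" form is present.
GLOBAL_DEFAULT_ON = {
    "cdp run": "no cdp run",
    "service pad": "no service pad",
    "ip source-route": "no ip source-route",
    "service finger": "no service finger",   # newer releases show "no ip finger"
    "ip bootp server": "no ip bootp server",
}
# Global services that are off by default: exposed only if the enabling line is present.
GLOBAL_DEFAULT_OFF = [
    "service tcp-small-servers",
    "service udp-small-servers",
    "ip http server",          # CCP/SDM need the HTTPS server at most, not plain HTTP
]
# Lines that should be present.
GLOBAL_REQUIRED = ["service tcp-keepalives-in", "service tcp-keepalives-out"]
# Per-interface services enabled by default (MOP is checked on Ethernet interfaces only).
INTERFACE_DEFAULT_ON = ["ip redirects", "ip proxy-arp", "ip unreachables", "mop enabled"]


def parse_config(text):
    """Split running-config text into global lines and {interface: [lines]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None           # any other top-level stanza ends the interface block
            global_lines.append(line.strip())
    return global_lines, interfaces


def audit(text):
    """Return a sorted list of findings; an empty list means every item is hardened."""
    global_lines, interfaces = parse_config(text)
    present = set(global_lines)
    findings = []
    for name, off_form in GLOBAL_DEFAULT_ON.items():
        if off_form not in present:
            findings.append(f"global: {name} still enabled (default); add '{off_form}'")
    for on_form in GLOBAL_DEFAULT_OFF:
        if any(l == on_form or l.startswith(on_form + " ") for l in global_lines):
            findings.append(f"global: '{on_form}' configured; remove unless required")
    for required in GLOBAL_REQUIRED:
        if required not in present:
            findings.append(f"global: '{required}' missing")
    for name, lines in interfaces.items():
        if "shutdown" in lines:
            continue                  # administratively down: nothing reachable there
        for item in INTERFACE_DEFAULT_ON:
            if item == "mop enabled" and "Ethernet" not in name:
                continue
            if "no " + item not in lines:
                findings.append(f"{name}: {item} still enabled; add 'no {item}'")
    return sorted(findings)


# Constructed sample: a partially hardened router, as an auditor would receive it.
SAMPLE_CONFIG = """\
!
hostname R1
!
no service pad
service tcp-keepalives-in
ip http server
no ip source-route
!
interface GigabitEthernet0/0
 description $FW_OUTSIDE$
 ip address 203.0.113.2 255.255.255.252
 no ip redirects
 no ip proxy-arp
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 shutdown
!
line vty 0 4
 transport input ssh
!
end
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of "show running-config" saved to a file; the sample yields seven findings (CDP, finger, BOOTP, plain HTTP, the missing outbound keepalive, and unreachables plus MOP on the live outside interface), and the shut-down interface is correctly ignored. Anything the checklist describes as "device dependent" still needs a manual look.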

Security audit tools


The three security audit tools available are:
- Cisco AutoSecure (IOS CLI), introduced with IOS 12.3
- Security Audit wizard (CCP GUI)
- One-Step Lockdown (CCP GUI)
Both the Security Audit wizard and One-Step Lockdown are based on the Cisco IOS AutoSecure feature.

1) Security Audit wizard - a security audit feature provided through CCP. The wizard compares the router configuration against recommended settings, presents a list of the vulnerabilities it finds, and then lets the administrator choose which security-related configuration changes to apply to the router. It performs the following:
- Shuts down unneeded servers.
- Disables unneeded services.
- Applies the firewall to the outside interfaces.
- Disables or hardens SNMP.
- Shuts down unused interfaces.
- Checks password strength.
- Enforces the use of ACLs.

The same audit is available through the Cisco IOS CLI. The auto secure command initiates a security audit and then applies configuration changes. Depending on the mode selected, the changes are either automatic or require network administrator input:
* Interactive mode: prompts the user with options to enable and disable services and other security features.
* Non-interactive mode: runs Cisco AutoSecure with the recommended Cisco default settings without asking.

! auto secure INTERACTIVE (full prompts)
Router# auto secure full
! auto secure no-interact - recommended settings are applied without prompting
Router# auto secure no-interact
! *** AutoSecure configuration enhances the security of the router, but it will not make it absolutely resistant to all security attacks ***
! AutoSecure will modify the configuration of your device.

Because AutoSecure changes the running configuration immediately (it can disable CDP, lock down the lines and add login failure handling), keep console access while running it and review what it generated before copying it to the startup configuration.
Some options to know that can be configured by Cisco AutoSecure:
- CBAC (Context-Based Access Control) - provides stateful, application-aware traffic filtering and can be used as an integral part of the network firewall (inspection is based on application-layer protocol session information: SMTP, TFTP, Java, FTP, H.323),
- security banner (motd),
- enable secret password.

2) One-Step Lockdown - a security audit feature provided through CCP. One-Step Lockdown provides a list of vulnerabilities and then automatically makes all the recommended security-related configuration changes, without asking about each one.

Three services that CCP One-Step Lockdown enables:
- password encryption,
- SSH access to the router,
- firewall on all outside interfaces.

Cisco One-Step Lockdown disables:
- Finger service
- PAD service
- TCP small servers service
- UDP small servers service
- IP BOOTP server service
- IP identification service
- Cisco Discovery Protocol
- IP source route

- IP GARPs
- SNMP
- IP redirects
- IP proxy ARP
- IP directed broadcast
- MOP service
- IP unreachables
- IP mask reply
- IP unreachables on null interface

Cisco One-Step Lockdown enables:
- Password encryption service
- TCP keepalives for inbound and outbound Telnet sessions
- Sequence numbers and timestamps on debugs
- Cisco Express Forwarding with integrated NetFlow switching
- Unicast Reverse Path Forwarding (RPF) on outside interfaces
- Firewall on all outside interfaces
- SSH for access to the router
- AAA

Cisco One-Step Lockdown configures:
- Minimum password length to six characters
- Authentication failure rate to less than three retries
- TCP synwait time
- Notification banner
- Logging parameters
- Enable secret password
- Scheduler interval
- Scheduler allocate
- Users
- Telnet settings
- Access class on HTTP server service
- Access class on vty lines

Security Audit recommended settings, as delivered by CCP:
Preparing commands for delivery...
Submitting 57 commands, please wait...
Configuration delivered to device.
Copying the Running config to Startup config of your router. Please wait...
Running config copied successfully to Startup Config of your router.

The delivered configuration:

aaa new-model

aaa authorization exec local_author local
aaa authentication login local_authen local
! access-class list used for the HTTP server (and meant for the vty lines)
access-list 1 remark HTTP Access-class list
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 10.10.10.10 0.0.0.255
access-list 1 deny any
! note: with wildcard 0.0.0.255 the permit entry admits the whole 10.10.10.0/24 subnet,
! not just the host 10.10.10.10; use "permit host 10.10.10.10" (wildcard 0.0.0.0) for a single station
line vty 0 4
 login authentication local_authen
 authorization exec local_author
 transport input telnet ssh
 exit
! note: the delivered vty configuration still accepts Telnet and has no access-class applied;
! tighten it with "transport input ssh" and "access-class 1 in"
line con 0
 login authentication local_authen
 exec-timeout 10 0
 transport output telnet
 exit
line aux 0
 login authentication local_authen
 exec-timeout 10 0
 transport output telnet
 exit
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
no ip bootp server
no ip source-route
service sequence-numbers
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
scheduler allocate 4000 1000
ip http access-class 1
ip tcp synwait-time 10
no cdp run
security authentication failure rate 3 log
ip ssh time-out 60
ip ssh authentication-retries 2
banner login ~ -= Welcome To CCNA Security Test Router =-~
interface Null0
 exit
default interface Null0
interface Null0
 no ip unreachables
 exit
interface GigabitEthernet1/0
 description $FW_INSIDE$
 no ip proxy-arp

 no ip redirects
 no ip unreachables
 ip route-cache flow
 exit
interface FastEthernet0/0
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 ip route-cache flow
 exit
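The access-list that CCP delivered above is worth checking by hand, because a standard ACL entry with a wildcard mask does not necessarily mean what the address in it suggests. The following is an added example for these notes, not code from the page or from CCP: it evaluates a standard numbered ACL the way IOS does (wildcard bit set to 1 means "don't care", entries are tested in order, first match wins, and whatever is left falls through to the implicit deny), and applies that to the list from the delivered configuration and to a constructed corrected version of it.

```python
"""Evaluate a Cisco IOS standard numbered ACL the way the router does.

Added example for these notes (not the page's or CCP's code). Wildcard bits
set to 1 are "don't care" bits, entries are tested in order, the first match
decides, and an address that matches nothing hits the implicit deny that ends
every ACL. CCP_ACL is copied from the delivered configuration above; FIXED_ACL
is a constructed replacement that admits only the management station.
"""
import ipaddress


def wildcard_match(entry, wildcard, candidate):
    """True if candidate matches entry under IOS wildcard-mask semantics."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))   # 1 = bit must match
    entry_bits = int(ipaddress.IPv4Address(entry)) & care
    candidate_bits = int(ipaddress.IPv4Address(candidate)) & care
    return entry_bits == candidate_bits


def effective_network(entry, wildcard):
    """The CIDR block an entry covers, or None if the wildcard is non-contiguous."""
    try:
        # ipaddress accepts a host mask (0.0.0.255) in place of a prefix length.
        return ipaddress.IPv4Network(f"{entry}/{wildcard}", strict=False)
    except ValueError:
        return None


def parse_standard_acl(config_text, number):
    """Collect (action, address, wildcard) for 'access-list <number> ...' lines, in order."""
    entries = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[1] != str(number):
            continue
        action = parts[2]
        if action == "remark":
            continue
        if parts[3] == "any":
            entries.append((action, "0.0.0.0", "255.255.255.255"))
        elif parts[3] == "host":
            entries.append((action, parts[4], "0.0.0.0"))
        else:                          # "address [wildcard]"; a bare address means host
            wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"
            entries.append((action, parts[3], wildcard))
    return entries


def acl_permits(entries, source):
    """First matching entry decides; no match falls through to the implicit deny."""
    for action, address, wildcard in entries:
        if wildcard_match(address, wildcard, source):
            return action == "permit"
    return False


# The list CCP generated (copied from the delivered configuration above).
CCP_ACL = """\
access-list 1 remark HTTP Access-class list
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 10.10.10.10 0.0.0.255
access-list 1 deny any
"""

# Constructed corrected list: admit the single management station only.
FIXED_ACL = """\
access-list 1 permit host 10.10.10.10
access-list 1 deny any
"""

if __name__ == "__main__":
    for label, text in (("CCP", CCP_ACL), ("fixed", FIXED_ACL)):
        entries = parse_standard_acl(text, 1)
        for src in ("10.10.10.10", "10.10.10.77", "10.10.11.10"):
            print(label, src, "permit" if acl_permits(entries, src) else "deny")
    print("CCP entry covers", effective_network("10.10.10.10", "0.0.0.255"))   # 10.10.10.0/24
```

The delivered entry permits every address in 10.10.10.0/24, so any host on the management subnet can reach the HTTP server; the corrected list permits 10.10.10.10 alone. The same evaluation applies when the list is bound to the vty lines with "access-class 1 in".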

Chapter 2 Lab
Configure NTP, Syslog and SSH on the VTY lines

NTP
R3(config)# ntp server 192.168.1.5
R3(config)# ntp update-calendar
R3(config)# service timestamps log datetime msec

Syslog
R3(config)# logging host 192.168.1.6

SSH
R3(config)# ip domain-name ccnasecurity.com
R3(config)# username SSHadmin privilege 15 secret ciscosshpa55
R3(config)# line vty 0 4
R3(config-line)# login local
R3(config-line)# transport input ssh
R3(config-line)# exit
R3(config)# crypto key zeroize rsa
R3(config)# crypto key generate rsa
The name for the keys will be: R3.ccnasecurity.com
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R3(config)# ip ssh time-out 90
R3(config)# ip ssh authentication-retries 2
R3(config)# ip ssh version 2
R3(config)# do show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 90 secs; Authentication retries: 2

Check from the PC:
PC> ssh -l SSHadmin 192.168.3.1
Open
Password:
R3#

Notes: crypto key zeroize rsa deletes any existing RSA key pair (and with it SSH access) until a new pair is generated, so do it from the console. SSH version 2 requires a modulus of at least 768 bits; the lab uses 1024, but on a production router generate 2048-bit keys (crypto key generate rsa modulus 2048). NTP and syslog as configured here are neither authenticated nor encrypted, so keep 192.168.1.5 and 192.168.1.6 on the management network.

Bonus
- Cisco IOS Hardening: http://ecks90.com/?p=176
- Cisco CDP Monitor: http://www.tallsoft.com/cdpmonitor.htm
- Hardening Cisco IOS Devices, video presentation: http://www.cisco.com/web/learning/le31/le46/cln/qlm/Learning_Center/Security/Hardening_Cisco_IOS_Devices/player.html
- Cisco IOS hardening template: http://thenetworkguy.blogspot.com/2006/08/cisco-ios-hardening.html
- SoftPerfect network scanner: http://www.softperfect.com/products/networkscanner/
at Sunday, July 15, 2012
