CH2
Securing Network Devices

Edge Router
- ISR: Integrated Services Router
# Types:
- Single Router Approach
- Defense-In-Depth Approach (the edge router acts as a Screening Router)
- DMZ Approach

Hardening
# Physical
# OS security:
- Use the latest stable version
- Configure the router with the maximum amount of memory possible
- Keep a secure copy of the router operating system image and router configuration file as a backup.
# Secure administrative control:
- Restrict device accessibility
- Log and account for all access
- Authenticate access
- Authorize actions
- Present legal notification
- Ensure the confidentiality of data
# Disable unused ports and interfaces
# Disable unnecessary services

Passwords
# Authentication (local):
(config)# username name password { [0] password | 7 encrypted-password}
(config)# username name secret { [0] password | 5 encrypted-secret}
# Enforce minimum password lengths:
(config)# security passwords min-length length
# Encrypt all passwords in the configuration file:
(config)# service password-encryption
# Disable unattended connections:
- By default, an administrative interface stays active and logged in for 10 minutes after the last session activity.
- (config-line)# exec-timeout minutes [seconds]
# Enhanced Security (Not for console):
(config)# login block-for seconds attempts tries within seconds
- This command enables the login enhancements
- Login shutdown if DoS attacks are suspected
(config)# login quiet-mode access-class {acl-name | acl-number}
(config)# login delay seconds
- Delay between successive login attempts (default = 1 second)
# Generation of system logging messages for login detection:
(config)# login on-success log [every login]
(config)# login on-failure log [every login]
OR
(config)# security authentication failure rate threshold-rate log
# BANNERS:
(config)# banner {exec | incoming | login | motd | slip-ppp} d message d

Privilege Levels
# Predefined:
Level 0: only five commands (disable, enable, exit, help and logout)
Level 1: User EXEC mode
Level 15: Privileged EXEC mode
# Custom Levels (2-14):
(config)# privilege mode {level level command | reset} command
- A user authorized for privilege level 10 is granted access to commands allowed at privilege levels 0 through 10
- If we create a privilege level for the command "show ip route" then all three commands (show, show ip and show ip route) and their subcommands will be included
# Example:
(config)# privilege exec level 5 ping
(config)# enable secret level 5 cisco
(config)# username SUPPORT privilege 5 secret cisco5

Role-Based CLI (Views)
- Root View (the only view from which we can create or modify other views)
- CLI View
- Superview (one or more CLI views, no command can be directly configured here)
# Configs:
1. (config)# aaa new-model
2. # enable view (to enter the root view, the root keyword can be added; enable secret must be configured)
3. (config)# parser view view-name (add superview keyword for superviews)
4. (config-view)# secret encrypted-password (must be created immediately after creating a view)
5. (config-view)# commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]
# show parser view (to show the current view)
# show parser view all (to show all views)

Cisco IOS Resilient Configuration
(config)# secure boot-image
(config)# secure boot-config
# show secure bootset
- The secured image and configuration together are the bootset!
- Functions properly only when the system is configured to run an image from a flash drive with an ATA interface
- Available for systems that support a PCMCIA Advanced Technology Attachment (ATA) flash
- The feature can be disabled only through a console session
# Steps to restore a primary bootset from a secure archive:
1. Reload and enter ROMmon mode
2. dir (to list contents and see image name)
3. boot image-name
4. After bootup enter Global Config mode and:
5. (config)# secure boot-config restore filename

SSH
# Conditions:
1. The right IOS version (12.1(1)T or later with IPSec feature set)
2. Unique hostname
3. Domain name
4. Local authentication or AAA services
# Steps:
1. (config)# hostname hostname
2. (config)# ip domain-name domain-name
3. (config)# crypto key generate rsa general-keys modulus modulus-size
4. (config)# username name secret secret
5. (config-line)# login local
6. (config-line)# transport input ssh
# Other Commands:
# show crypto key mypubkey rsa (to show RSA key)
(config)# crypto key zeroize rsa (to remove RSA key)
# Additional Commands:
(config)# ip ssh time-out 60 (default = 120 seconds)
- time interval that the router waits for the SSH client to respond during the SSH negotiation
(config)# ip ssh version 2
- version 2 uses DH and the strong integrity-checking message authentication code (MAC)
(config)# ip ssh authentication-retries 2 (default = 3)
# ssh -l username 192.168.1.101
- SSH client

Management & Logging

Syslog
# Logs can be sent to:
- Console (on by default)
- Terminal lines
- Buffered logging (stored in router memory, cleared when rebooting)
- SNMP traps
- Syslog service
# Severity Levels:
From: 0 (most severe) To: 7 (lowest)
# Contains three main parts:
- Timestamp
- Log message name and severity level
- Message text
# Configs:
(config)# logging host [hostname | ip-address]
(config)# logging trap level
(config)# logging source-interface int-type int-number (specifies the source in the syslog packets regardless of the exit interface)
(config)# logging on

NTP
- UDP port 123
(config)# ntp master [stratum]
(config)# ntp server {ip-address | hostname} [version number] [key key-id] [source interface] [prefer]
(config-if)# ntp broadcast client
# Authentication (for NTP version 3):
(config)# ntp authenticate
(config)# ntp authentication-key key-number md5 key-value
(config)# ntp trusted-key key-number
# show ntp associations detail

SNMP
# Components:
Manager, Agent and MIBs
# Security:
- Community String: to authenticate messages between the manager and agent (Read only or Read Write)
- Versions: 1, 2 and 3
- SNMPv3 added security features:
1. Message integrity
2. Authentication
3. Encryption
4. Access Control
- Security Levels:
1. noAuth: using string match of the username or community string
2. auth: using Hashed Message Authentication Code (HMAC) with MD5 or Secure Hash Algorithms (SHA)
3. priv: using either the HMAC MD5 or HMAC SHA algorithms and encrypts the packet using (DES), (3DES), or (AES) algorithms.