
Securing Network Devices

Securing Device Access

1. Configure Router Passwords


Enable Secret Password
R1(config)#enable secret csc5io
Console Line
R1(config)#line con 0
R1(config-line)#password csc5io
R1(config-line)#login
Virtual Terminal Lines
R1(config)#line vty 0 4
R1(config-line)#password csc5io
R1(config-line)#login
Auxiliary Lines
R1(config)#line aux 0
R1(config-line)#password csc5io
R1(config-line)#login
2. Increase Password Security
Minimum Character Length
R1(config)#security passwords min-length length
Disable Unattended Connections
R1(config-line)#exec-timeout minutes
Encrypt All Passwords
R1(config)#service password-encryption
3. Authentication
R1(config)#username admin password cisco123  Weak: stored in cleartext (type 0), or as reversible type 7 obfuscation once service password-encryption is on
R1(config)#username admin secret cisco123  Stronger: stored as a salted one-way MD5 hash (type 5); newer IOS releases can store a scrypt hash (type 9) with username admin algorithm-type scrypt secret cisco123

R1(config)#line con 0
R1(config-line)#login local
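To make the difference between password and secret concrete, the following added example (it is not part of the original notes and not Cisco code) implements the type 7 algorithm that service password-encryption and username ... password produce. Type 7 is a fixed-key XOR shared by every IOS device, so anyone who can read the configuration can recover the cleartext; the sample configuration and the encoded values are constructed for this example, and 094F471A1A0A is the commonly cited encoding of "cisco".

```python
"""Cisco IOS type 7 'encryption' is reversible obfuscation: a fixed-key XOR.

Added example; not from the original notes. The configuration below is
constructed for the demonstration.
"""
import re
from typing import List, Tuple

# The fixed key every IOS device uses for type 7. The first two digits of a
# type 7 string are a decimal offset into this key (IOS uses 0-15).
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Matches the trailing hex of "password 7 <hex>" on any config line
# (enable password, username ... password, line password).
_T7_LINE = re.compile(r"\bpassword 7 (?P<hex>[0-9A-Fa-f]+)\s*$")


def type7_decode(encoded: str) -> str:
    """Recover the cleartext from a type 7 string such as '094F471A1A0A'.

    Layout: two decimal digits (key offset), then one hex pair per
    character; cleartext[i] = cipher[i] XOR key[(offset + i) % len(key)].
    """
    if len(encoded) < 4 or len(encoded) % 2 != 0:
        raise ValueError("type 7 string is 2 offset digits plus hex pairs")
    offset = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    clear = bytes(b ^ _XLAT[(offset + i) % len(_XLAT)] for i, b in enumerate(body))
    return clear.decode("ascii")


def type7_encode(cleartext: str, offset: int = 0) -> str:
    """Produce the type 7 form IOS would store for `cleartext` (offset 0-15)."""
    if not 0 <= offset <= 15:
        raise ValueError("IOS uses offsets 0-15")
    data = cleartext.encode("ascii")
    enc = bytes(c ^ _XLAT[(offset + i) % len(_XLAT)] for i, c in enumerate(data))
    return f"{offset:02d}" + enc.hex().upper()


def decode_config(config_text: str) -> List[Tuple[str, str]]:
    """Return (config line, recovered cleartext) for every 'password 7' line."""
    found = []
    for line in config_text.splitlines():
        m = _T7_LINE.search(line)
        if m:
            found.append((line.strip(), type7_decode(m.group("hex"))))
    return found


# Constructed running-config excerpt: what the notes' example passwords look
# like after service password-encryption.
SAMPLE_CONFIG = """\
service password-encryption
enable password 7 094F471A1A0A
username admin password 7 02050D4808095E731F
line vty 0 4
 password 7 0508150C744541
 login
"""

if __name__ == "__main__":
    for line, clear in decode_config(SAMPLE_CONFIG):
        print(f"{line!r:55} -> {clear}")
```

The point for the page: service password-encryption only protects against someone reading the screen over your shoulder. Anything that must survive a leaked configuration (enable, local users) has to be a secret, which is a one-way hash.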
4. Enable Login Enhancements
Normal mode (watch mode)  The router keeps count of the number of failed login attempts within an identified amount of time.
Router(config)#login block-for seconds attempts tries within seconds
Router(config)#login block-for 120 attempts 5 within 60  Login is disabled for 120 seconds if 5 failed login attempts occur within 60 seconds.
Quiet mode (quiet period)  If the number of failed logins exceeds the configured threshold, the router enters quiet mode: all login attempts,
including valid administrative access, using Telnet, SSH, and HTTP are denied for the block-for period. To give critical hosts access at all times, this
behavior can be overridden with an ACL.
Router(config)#login quiet-mode access-class {acl-name | acl-number}
Router(config)#ip access-list standard PERMIT-ADMIN
Router(config-std-nacl)#remark Permit only Administrative Hosts
Router(config-std-nacl)#permit 192.168.10.10
Router(config-std-nacl)#permit 192.168.11.10
Router(config-std-nacl)#exit
Router(config)# login quiet-mode access-class PERMIT-ADMIN  applies the ACL named PERMIT-ADMIN. Hosts that match the PERMIT-ADMIN
statements are exempt from quiet mode; keep this list to dedicated management hosts, since anything in it can still be brute-forced during the quiet period.
Login Delay  introduces a uniform delay between successive login attempts. This is an optional command. If not set, a default delay of one second is
enforced after the login block-for command is configured.
Router(config)#login delay seconds
Router(config)#login delay 3  configures a delay of 3 seconds between successive login attempts.
Login Log  used to keep track of the number of successful and failed login attempts.
Router(config)# login on-failure log [every login]  generates logs for failed login requests.
Router(config)# login on-success log [every login]  generates log messages for successful login requests.
The number of login attempts before a logging message is generated can be specified using the [every login] parameter. The default value is 1
attempt. The valid range is from 1 to 65,535.

As an alternative, the security authentication failure rate threshold-rate log command generates a log message when the
login failure rate is exceeded.

To verify that the login block-for command is configured and which mode the router is currently in, use the show login command. The
router is in either normal or quiet mode, depending on whether login thresholds were exceeded.
The show login failures command displays more information regarding the failed attempts, such as the IP address from which the failed login
attempts originated.
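Quiet mode stops the attack at the router, but the log messages from login on-failure log and login on-success log are what let a SOC see it. The following added example (not part of the original notes) replays the same threshold rule as login block-for 120 attempts 5 within 60 over syslog lines, per source address rather than globally, and additionally flags a success that follows failures from the same source. The log lines are constructed to resemble IOS %SEC_LOGIN messages with service timestamps log datetime msec; the exact wording on a given IOS release may differ, so adjust the regular expression to your own logs.

```python
"""Replay the login block-for rule over router syslog to spot password guessing.

Added example; not from the original notes. Sample log lines are constructed.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import List, Optional

# Timestamp, then the %SEC_LOGIN event, then the [user: ...] [Source: ...] fields.
LOG_RE = re.compile(
    r"(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.\d+: "
    r"%SEC_LOGIN-\d-(?P<event>LOGIN_FAILED|LOGIN_SUCCESS): "
    r".*?\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\]"
)


@dataclass(frozen=True)
class Alert:
    kind: str                 # "brute-force" or "success-after-failures"
    source: str
    at: int                   # seconds since midnight, from the syslog timestamp
    quiet_until: Optional[int]  # when the router's quiet mode would end


def _seconds(m: "re.Match") -> int:
    return int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])


def detect(lines, block_for: int = 120, attempts: int = 5, within: int = 60) -> List[Alert]:
    """Sliding-window failure counter with the router's own parameters."""
    window = defaultdict(deque)   # source -> timestamps of recent failures
    last_failure = {}             # source -> time of its most recent failure
    alerts: List[Alert] = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, t = m["src"], _seconds(m)
        if m["event"] == "LOGIN_SUCCESS":
            # A success right after a burst of failures is the interesting case:
            # the guessing may have worked.
            if src in last_failure and t - last_failure[src] <= within:
                alerts.append(Alert("success-after-failures", src, t, None))
            continue
        last_failure[src] = t
        q = window[src]
        q.append(t)
        while t - q[0] > within:          # drop failures outside the window
            q.popleft()
        if len(q) >= attempts:
            alerts.append(Alert("brute-force", src, t, t + block_for))
            q.clear()                     # the router would now be in quiet mode
    return alerts


# Constructed sample lines (format approximates IOS; not captured output).
def _fail(ts: str, user: str, src: str) -> str:
    return (f"*Mar  3 {ts}: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: {user}] "
            f"[Source: {src}] [localport: 22] [Reason: Login Authentication Failed]")


def _ok(ts: str, user: str, src: str) -> str:
    return (f"*Mar  3 {ts}: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: {user}] "
            f"[Source: {src}] [localport: 22]")


SAMPLE_LOG = (
    [_fail(f"14:02:{s:02d}.000", "admin", "203.0.113.7") for s in (1, 5, 9, 14, 20)]
    + [_fail("14:02:30.015", "bob", "192.168.10.10"),
       _ok("14:02:45.900", "admin", "203.0.113.7")]
)

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

The single failure from 192.168.10.10 never reaches the threshold and is ignored; the fifth failure from 203.0.113.7 inside 60 seconds raises the brute-force alert, and the later success from the same address is flagged separately because that is the event worth paging on.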

Banner  Use banner messages to present legal notification to potential intruders to inform them that they are not welcome on a network. Banners
are disabled by default and must be explicitly enabled.
Router(config)#banner {exec | incoming | login | motd | slip-ppp} d message d

5. Configure SSH
Step 1: Configure the IP domain name.
R1(config)#ip domain-name domain-name
R1(config)#ip domain-name span.com
Step 2: Generate the RSA key pair.
R1(config)#crypto key generate rsa general-keys modulus modulus-size
R1(config)#crypto key generate rsa general-keys modulus 1024
The modulus determines the size of the RSA key and can be configured from 360 bits to 2048 bits on the releases these notes cover; newer IOS releases
accept larger moduli. The minimum recommended modulus key length here is 1024 bits; in current practice use 2048 bits or more, since 1024-bit RSA is
no longer considered adequate.
To verify SSH and display the generated keys, use the show crypto key mypubkey rsa command in privileged EXEC mode. If there are
existing key pairs, delete them first with the crypto key zeroize rsa command and then generate new ones; zeroize removes the keys, it does not
replace them.

Step 3: Verify or create a local database entry.


R1(config)#username name secret secret
R1(config)#username Bob secret cisco123
Step 4: Enable VTY inbound SSH sessions.
R1(config)#line vty 0 4
R1(config-line)#login local
R1(config-line)#transport input ssh
Additional SSH Commands
SSH Version  ip ssh version {1 | 2}  Always set 2; SSH version 1 has known protocol weaknesses, and without this command the router may still accept v1 sessions.
SSH Timeout Period  ip ssh time-out seconds
Number of Authentication Retries  ip ssh authentication-retries integer  By default, a user logging in has three attempts before
being disconnected.
Verify SSH Connections  show ssh
Connect to SSH-enabled Router from other router  ssh -l Bob 192.168.1.1
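The settings from sections 1, 2 and 5 are easy to get wrong one line at a time, so here is an added example (not part of the original notes, not a Cisco tool) that audits a running-config text for the hardening items these notes describe: enable secret rather than enable password, secret rather than password on local users, service password-encryption, a minimum password length, login block-for, ip ssh version 2, and on every vty line an exec-timeout, login local, an access-class, and transport input ssh only. Both configurations are constructed samples written in the typed (not hashed) form; the check names and the expectation that a missing exec-timeout means the default of 10 minutes are the author's assumptions about IOS behaviour.

```python
"""Audit an IOS running-config for the device-access hardening in these notes.

Added example; not from the original notes. Sample configs are constructed.
"""
import re
from typing import List, Tuple

Section = Tuple[str, List[str]]

# Any "password <x>" / "password 0 <x>" / "password 7 <x>" is reversible.
_REVERSIBLE = re.compile(r"\bpassword( [07])? \S+")


def parse_sections(config_text: str) -> List[Section]:
    """Split a config into (top-level command, [indented child lines])."""
    sections: List[Section] = []
    current = None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        elif not raw.startswith(" "):
            current = (raw.strip(), [])
            sections.append(current)
    return sections


def audit(config_text: str) -> List[str]:
    sections = parse_sections(config_text)
    headers = [h for h, _ in sections]
    findings: List[str] = []

    def has(prefix: str) -> bool:
        return any(h.startswith(prefix) for h in headers)

    # Global settings from sections 1, 2, 4 and 5 of the notes.
    if not has("service password-encryption"):
        findings.append("service password-encryption is off: line passwords are stored in cleartext")
    if not has("enable secret"):
        findings.append("no enable secret configured")
    if not has("security passwords min-length"):
        findings.append("no security passwords min-length")
    if not has("login block-for"):
        findings.append("no login block-for: unlimited login attempts")
    if not has("ip ssh version 2"):
        findings.append("ip ssh version 2 not set")

    # Reversible passwords anywhere (enable password, username ... password, line password).
    for hdr, children in sections:
        for line in [hdr] + children:
            if _REVERSIBLE.search(line):
                findings.append(f"'{line}': reversible password; use secret / login local instead")

    # Per-line checks.
    for hdr, children in sections:
        if not hdr.startswith("line "):
            continue
        if hdr.startswith("line vty"):
            transport = next((c for c in children if c.startswith("transport input")), None)
            if transport != "transport input ssh":
                findings.append(f"{hdr}: transport input is '{transport or 'default'}', should be 'transport input ssh'")
            if not any(c.startswith("access-class") for c in children):
                findings.append(f"{hdr}: no access-class restricting management sources")
        if "login" in children:
            findings.append(f"{hdr}: 'login' uses the shared line password; use login local or aaa")
        timeout = next((c for c in children if c.startswith("exec-timeout")), None)
        if timeout is None:
            findings.append(f"{hdr}: no exec-timeout (assumed IOS default of 10 minutes applies)")
        elif timeout.split()[1:] == ["0", "0"]:
            findings.append(f"{hdr}: exec-timeout 0 0 disables the idle timeout")
    return findings


WEAK_CONFIG = """\
enable password cisco
username admin password 7 02050D4808095E731F
line con 0
 password 0 csc5io
 login
line vty 0 4
 password 7 0508150C744541
 login
 exec-timeout 0 0
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
service password-encryption
security passwords min-length 10
login block-for 120 attempts 5 within 60
ip domain-name span.com
ip ssh version 2
ip access-list standard MGMT
 permit 192.168.10.10
 permit 192.168.11.10
username Bob secret Str0ng-Local-Secret
enable secret Str0ng-Enable-Secret
line con 0
 exec-timeout 5 0
 login local
line vty 0 4
 access-class MGMT in
 exec-timeout 5 0
 login local
 transport input ssh
"""

if __name__ == "__main__":
    for f in audit(WEAK_CONFIG):
        print("WEAK:", f)
    print("hardened findings:", audit(HARDENED_CONFIG))
```

Run it against show running-config output saved to a file; the RSA modulus is not visible in the running-config, so check that separately with show crypto key mypubkey rsa.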
Assigning Administrative Roles
1. Configuring Privilege Levels
Introduction
Privilege levels determine who should be allowed to connect to the device and what that person should be able to do with it. The Cisco IOS software
CLI has two levels of access to commands.
• User EXEC mode (privilege level 1) - Provides the lowest EXEC mode user privileges and allows only user-level commands available at the
router> prompt.
• Privileged EXEC mode (privilege level 15) - Includes all enable-level commands at the router# prompt.
Although these two levels do provide control, sometimes a more precise level of control is required. Cisco IOS software has two methods of providing
infrastructure access: privilege level and role-based CLI.

Assigning Privilege Levels


There are 16 privilege levels in total. Levels 0, 1, and 15 have predefined settings.
• Level 0: Predefined for user-level access privileges. Seldom used, but includes five commands: disable, enable, exit, help, and logout.
• Level 1: The default level for login with the router prompt Router>. A user cannot make any changes or view the running configuration file.
• Levels 2 –14: May be customized for user-level privileges. Commands from lower levels may be moved up to another higher level, or
commands from higher levels may be moved down to a lower level.
• Level 15: Reserved for the enable mode privileges (enable command). Users can change configurations and view configuration files.
To assign commands to a custom privilege level, use the privilege command from global configuration mode.
Router(config)# privilege mode {level level command | reset command}
Privilege Level Limitations
• The higher the privilege level, the more router access a user has. Commands that are available at lower privilege levels are also executable at
higher levels, because a privilege level includes the privileges of all lower levels.
• Assigning a command with multiple keywords, such as show ip route, to a specific privilege level automatically assigns all commands
associated with the first few keywords to the specified privilege level. For example, both the show command and the show ip command
are automatically set to the privilege level where show ip route is set.
Privilege Level Authentication
Privilege levels should be configured for authentication. There are two methods for assigning passwords to the different levels:
• To the privilege level using the global configuration command enable secret level level password.
• To a user that is granted a specific privilege level, using the global configuration command username name privilege level
secret password.
Examples
• A USER account with normal, Level 1 access.
Router(config)#username USER privilege 1 secret cisco
• A SUPPORT account with Level 5 and ping command access.
Router(config)#privilege exec level 5 ping
Router(config)#enable secret level 5 cisco5
Router(config)#username SUPPORT privilege 5 secret cisco5
• A JR-ADMIN account with the same privileges as the SUPPORT account plus access to the reload command.
Router(config)#privilege exec level 10 reload
Router(config)#enable secret level 10 cisco10
Router(config)#username JR-ADMIN privilege 10 secret cisco10
• An ADMIN account which has all of the regular privileged EXEC commands.
Router(config)#username ADMIN privilege 15 secret cisco123
• To access established privilege levels, enter the enable level command from user mode, and enter the password that was assigned to
the custom privilege level.
Router#enable 10
• Use the show privilege command to display and confirm the current privilege level.
Router#show privilege

2. Role-Based CLI
Introduction
Role-Based CLI provides more flexibility than privilege levels. It provides finer, more granular access by controlling specifically which commands are
available to specific roles. Role-based CLI access enables the network administrator to create different views of router configurations for different
users. Each view defines the CLI commands that each user can access.
Role-Based Views
Role-based CLI provides three types of views:
• Root view  To configure any view for the system, the administrator must be in the root view. Root view has all of the access privileges as a
user who has level 15 privileges.
• CLI view  A specific set of commands can be bundled into a “CLI view”. Each view must be assigned all commands associated with that view
and there is no inheritance of commands from other views. Additionally, commands may be reused within several views.
• Superview  Allow a network administrator to assign users and groups of users multiple CLI views at once instead of having to assign a
single CLI view per user with all commands associated to that one CLI view.
Creating and Managing a View
Step 1: Enable AAA with the global configuration command aaa new-model. Exit, and enter the root view with the enable view command, supplying
the enable secret when prompted.
Step 2: Create a view using the parser view view-name command.
Step 3: Assign a secret password to the view using the secret encrypted-password command.
Step 4: Assign commands to the selected view using the commands parser-mode {include | include-exclusive |
exclude} [all] [interface interface-name | command] command in view configuration mode.
Step 5: Exit the view configuration mode by typing the command exit.
Creating and Managing a Superview
Step 1: Create a view using the parser view view-name superview command and enter superview configuration mode.
Step 2: Assign a secret password to the view using the secret encrypted-password command.
Step 3: Assign an existing view using the view view-name command in view configuration mode.
Step 4: Exit the superview configuration mode by typing the command exit.

Example
R1(config)#parser view SHOWVIEW
R1(config-view)#secret cisco
R1(config-view)#commands exec include show
R1(config-view)#exit

R1(config)#parser view VERIFYVIEW


R1(config-view)#secret cisco5
R1(config-view)#commands exec include ping
R1(config-view)#exit

R1(config)#parser view REBOOTVIEW


R1(config-view)#secret cisco10
R1(config-view)#commands exec include reload
R1(config-view)#exit

R1(config)#parser view USER superview


R1(config-view)#secret cisco
R1(config-view)#view SHOWVIEW
R1(config-view)#exit

R1(config)#parser view SUPPORT superview


R1(config-view)#secret cisco1
R1(config-view)#view SHOWVIEW
R1(config-view)#view VERIFYVIEW
R1(config-view)#exit
Verify Views
o To verify a view, use the enable view command. Enter the name of the view, and provide the password to log in to the view.
R1#enable view USER
o From the root view, use the show parser view all command to see a summary of all views.
R1#enable view
R1#show parser view
R1#show parser view all

Securing the Cisco IOS Image and Configuration Files


You can secure copies of the IOS image and your configuration file in persistent storage so that they cannot be maliciously or accidentally erased. The
secure boot-image command protects the IOS image, and the command secure boot-config takes a snapshot of the running configuration and stores it
securely; the saved copy can be brought back with secure boot-config restore. These protected files will not even appear in a dir listing of flash. To see
them, use the show secure bootset command. Both features can only be disabled from a console session, which is what keeps a remote attacker from
turning them off.
