• Router Hardening
Secure administrative control
Disable unused ports and interfaces
Disable unnecessary services
2.1.1.5
When accessing the network remotely, what precautions should be taken?
• Logs can easily be viewed through the SDM or, for easier use, through a syslog viewer on any remote system.
• There are numerous free remote syslog viewers; Kiwi is relatively basic and free.
• Configure the router/switch/etc. to send its logs to the IP address of the PC that has Kiwi installed.
• Kiwi automatically listens for syslog messages and displays them.
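The router side of that setup, as an added example that is not part of the original page: the commands below point an IOS router at a remote syslog collector such as Kiwi. The collector address 192.168.1.10, the buffer size and the source interface name are assumptions for illustration.

```cisco
! Added example (not from the original page): send IOS syslog messages to
! a remote collector. 192.168.1.10 and GigabitEthernet0/0 are assumptions.
configure terminal
 ! Timestamps make remote logs usable for incident reconstruction.
 service timestamps log datetime msec localtime show-timezone
 ! Keep a local copy as well, in case the collector is unreachable.
 logging buffered 16384 informational
 ! The collector: Kiwi listens on UDP 514 by default.
 logging host 192.168.1.10
 ! Severity 6 (informational) and more severe messages go to the collector;
 ! logging trap debugging would flood it, logging trap errors would hide
 ! login failures, which are logged at warning level.
 logging trap informational
 ! Fix the source address so the collector and any ACLs see one stable IP.
 logging source-interface GigabitEthernet0/0
end
! Verify the collector address, trap level and message counters.
show logging
```

Plain syslog over UDP is cleartext and unauthenticated, so the collector should sit on a management network that only the devices can reach, and the PC's host firewall must allow inbound UDP 514 or Kiwi will silently see nothing.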
2.1.2.1
Visit http://sectools.org/crackers.html to see a list of password attack tools.
1. Cain and Abel
2. John the Ripper
3. THC Hydra
4. Aircrack
5. L0phtcrack
6. Airsnort
7. SolarWinds
8. Pwdump
9. RainbowCrack
10. Brutus
2.1.2.1
Describe some common guidelines for choosing strong passwords:
• Use at least eight characters; more is better, but most people find anything over about 15 characters difficult to remember.
• Use a random mixture of characters: upper and lower case, numbers, punctuation, spaces and symbols.
• Don't use a word found in a dictionary, English or foreign.
• Never reuse a password.
• Choose a password that you can remember, so that you don't need to keep looking it up; this reduces the chance of somebody discovering where you have written it down.
• Choose a password that you can type quickly; this reduces the chance of somebody discovering your password by looking over your shoulder.
2.1.2.2
Describe the enable secret password global configuration command:
Router>enable
Router#configure terminal
Router(config)#enable secret cisco
Router(config)#
Unlike enable password, which is stored in reversible form, enable secret stores a one-way hash of the password, and it takes precedence if both are configured. The value cisco is only a placeholder here.
2.1.2.2
How can you protect console port access?
Router#config t
Router(config)#line console 0
Router(config-line)#password cisco
Router(config-line)#login
2.1.2.2
How can you protect virtual terminal line (vty) access?
Router#config t
Router(config)#line vty 0 4
Router(config-line)#password class
Router(config-line)#login
2.1.2.2
It is equally important to configure a password on it. Router# config
How can you protect Auxiliary Port
t
(aux) access?
Router(config)# line aux 0
Router(config-line)#password SecR3t!pass
Router(config-line)# login
2.1.2.3
What can be done to increase the security of passwords?
• Change passwords regularly.
• Use complex passwords for user logins.
2.1.2.4
What command creates a secure list of usernames and passwords in a database on the router for local login authentication?
The username name secret password global configuration command. The vty lines are then set to login local so that SSH logins are checked against that database:
R1# conf t
R1(config)# ip domain-name span.com
R1(config)# crypto key generate rsa general-keys modulus 1024
The name for the keys will be: R1.span.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R1(config)#
*Dec 13 16:19:12.079: %SSH-5-ENABLED: SSH 1.99 has been enabled
R1(config)# username Bob secret cisco
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# exit
2.1.3.1
What should be done to better configure security for virtual login connections?
To better secure virtual login connections, the login process should be configured with specific parameters, such as login block-for.
2.1.3.4
What commands can be used to keep track of the number of successful and failed login attempts?
login on-failure log [every login] generates log messages for failed login requests.
login on-success log [every login] generates log messages for successful login requests.
2.1.3.4
How can you verify that the login block-for command is configured and which mode the router is currently in?
Router# show login
2.1.3.5
Why are banners important and how can they be configured?
Banners are useful because they warn users, for example that they must not proceed unless they are authorized.
Router# config t
Router(config)#banner motd %Authorized Access Only!%
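The enable secret, line, SSH, login block-for, login logging and banner commands from sections 2.1.2.2 through 2.1.3.5 combined into one hardened baseline, as an added example that is not the page's own configuration. The hostname R1, domain span.com and user Bob come from the page; the management-host address, timeouts, retry counts and password values are assumptions for illustration.

```cisco
! Added example (not from the original page): access hardening baseline.
! Assumptions: management host 192.168.1.10, all timeout/retry values,
! and every password value shown.
hostname R1
ip domain-name span.com
!
! Password storage and policy. min-length is enforced only on passwords
! configured after it; enable secret is hashed, enable password is not,
! so only enable secret is configured.
security passwords min-length 10
service password-encryption
enable secret StrongEnable!2024
username Bob privilege 15 secret StrongUser!2024
!
! SSH: a 2048-bit key instead of 1024, and version 2 only. The page's
! "SSH 1.99" output means the router still accepts SSHv1 clients.
! (Keys are generated, not stored in the running-config.)
crypto key generate rsa general-keys modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
!
! Brute-force protection: three failures within 60 s block logins for
! 120 s, except from management hosts, and every attempt is logged.
ip access-list standard MGMT-HOSTS
 permit 192.168.1.10
login block-for 120 attempts 3 within 60
login quiet-mode access-class MGMT-HOSTS
login delay 2
login on-failure log
login on-success log
!
banner motd %Authorized Access Only!%
!
line console 0
 login local
 exec-timeout 5 0
 logging synchronous
line aux 0
 login local
 exec-timeout 5 0
 ! Assumption: the AUX port is unused, so no shell is started on it.
 no exec
line vty 0 4
 login local
 transport input ssh
 access-class MGMT-HOSTS in
 exec-timeout 5 0
```

Verify with show login (block-for settings and whether the router is in quiet mode), show login failures, show ip ssh, and show running-config | include login|ssh|secret. Keep the ACL in sync with the real management stations: with access-class on the vty lines and the quiet-mode ACL, a typo there locks out everyone but the console.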
2.1.4.5
Using Cisco SDM, how are the vty lines configured to support SSH?
To configure SSH on the vty lines, choose Configure > Additional Tasks > Router Access > VTY.
…assigning passwords to different levels for authentication?
• Auth: Authenticates a packet by using the Hashed Message Authentication Code (HMAC) with Message Digest 5 (MD5) method or Secure Hash Algorithms (SHA) method.
• Priv: Authenticates a packet by using either the HMAC MD5 or HMAC SHA algorithms and encrypts the packet using the Data Encryption Standard (DES), Triple DES (3DES), or Advanced Encryption Standard (AES) algorithms.
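The Auth and Priv levels described above are the SNMPv3 security levels. As an added example that is not part of the original page, the following configures a read-only SNMPv3 user at the priv level with the strongest options listed (SHA and AES). The group, user and view names, the passphrases, the ACL number and the management-host address are all assumptions.

```cisco
! Added example (not from the original page): SNMPv3 at the priv level.
! Assumptions: names, passphrases, ACL 10 and the host 192.168.1.10.
!
! Restrict which station may poll this group at all.
access-list 10 permit 192.168.1.10
! A read-only view over the whole MIB tree.
snmp-server view RO-VIEW iso included
! The group sets the minimum security level: priv = authenticated and
! encrypted; auth would accept unencrypted (but authenticated) requests.
snmp-server group NMS-RO v3 priv read RO-VIEW access 10
! The user carries the actual keys: HMAC-SHA for authentication and
! AES-128 for privacy. Passphrases must be at least eight characters.
snmp-server user nmsuser NMS-RO v3 auth sha AuthPassphrase!1 priv aes 128 PrivPassphrase!1
! Traps/informs to the manager, also at the priv level.
snmp-server host 192.168.1.10 version 3 priv nmsuser
!
! Verify. The user is kept out of the running-config on purpose, so
! show running-config will not list it; use the show commands instead.
show snmp user
show snmp group
```

Of the options the page lists, MD5 and DES are the weakest and should only be chosen when the management station supports nothing else; the level the page does not mention, noAuthNoPriv, offers neither authentication nor encryption and is equivalent to SNMPv1/v2c community strings.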
2.2.2.1
How can the limitations of assigning privilege levels be overcome?
• Privilege levels provide no access control to specific interfaces, ports, logical interfaces, and slots on a router; role-based CLI views (below) address this limitation.
2.2.2.2
Describe the characteristics of superviews:
Superviews allow a network administrator to assign users and groups of users multiple CLI views at once, instead of having to assign a single CLI view per user with all commands associated to that one CLI view.
2.2.2.3
Describe the steps to create and manage a specific view:
1. Enable AAA with the global configuration command aaa new-model. Exit, and enter the root view with the enable view command.
2. Create a view using the parser view view-name command.
3. Assign a secret password to the view using the secret encrypted-password command.
4. Assign commands to the selected view using the commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command] command in view configuration mode.
5. Exit view configuration mode by typing the command exit.
Describe the steps to create and manage a superview:
1. Create a superview using the parser view view-name superview command.
2. Assign a secret password to the superview using the secret encrypted-password command.
3. Assign an existing view using the view view-name command in view configuration mode.
4. Exit superview configuration mode by typing the command exit.
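The view and superview procedures carried through end to end, as an added example that is not from the original page: a read-only view, an interface-administration view, and a superview that bundles both, bound to a local user. The view and user names, the secrets and the inclusion of specific show commands are assumptions for illustration.

```cisco
! Added example (not from the original page): role-based CLI views.
! Assumptions: all view names, user names and secret values.
configure terminal
 aaa new-model
 ! With aaa new-model on, logins use the default method list; set it to
 ! local before leaving, or the next console login may be locked out.
 aaa authentication login default local
 enable secret RootSecret!1
end
! Enter the root view (prompts for the enable secret); views can only be
! created from it.
enable view
configure terminal
 ! Step 2-5 for a read-only view.
 parser view SHOWVIEW
  secret ShowSecret!1
  commands exec include show version
  commands exec include show ip interface brief
  commands exec include show ip route
  exit
 ! A second view that may only describe or shut down interfaces.
 parser view IFVIEW
  secret IfSecret!1
  commands exec include configure terminal
  commands configure include all interface
  commands interface include description
  commands interface include shutdown
  exit
 ! Superview steps 1-4: bundle the two views.
 parser view OPS superview
  secret OpsSecret!1
  view SHOWVIEW
  view IFVIEW
  exit
 ! Bind a local user to the superview so login local lands in it.
 username opsuser view OPS secret OpsUser!1
end
! Verify from the root view; a user in OPS can run the show and
! interface commands above and nothing else.
show parser view all
```

A user who logs in as opsuser can enter configure terminal and any interface, but only description and shutdown inside it; commands such as no shutdown or ip address are rejected because the view never included them, which is the per-interface granularity that plain privilege levels cannot express.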
Forwarding plane:
A router is designed to minimize the state information it keeps on individual packets. The main purpose of a router is to connect multiple networks and forward packets destined either for its own networks or for other networks. A router is considered a Layer 3 device because its primary forwarding decision is based on the information in the Layer 3 IP packet, specifically the destination IP address. This process is known as routing. When a router receives a packet, it searches its routing table for the best match between the destination IP address of the packet and one of the network addresses in the routing table. Once a match is found, the packet is encapsulated in the Layer 2 data link frame for the outgoing interface. A router does not look into the data the packet carries, but only at the Layer 3 addresses to make a forwarding decision, plus optionally other header information used as a hint, for example for QoS. Once a packet is forwarded, the router retains no historical information about it, although the forwarding action can be counted in statistical data if so configured.