CCNA Security Chapter 2

Securing Network Devices

Preview Professor Deb Keller Network Authentication and Security

Major Concepts
Discuss the aspects of router hardening Configure secure administrative access and router resiliency Configure network devices for monitoring administrative access Demonstrate network monitoring techniques Secure IOS-based Routers using automated features

Lesson Objectives
Upon completion, the successful student will be able to:
1. 2.

3.
4. 5. 6. 7.

Describe how to configure a secure network perimeter Configure secure router administration access Describe and configure enhanced security for virtual logins Describe and configure an SSH daemon for secure remote management (use Putty client) Describe the purpose of and configure administrative privilege levels Configure the role-based CLI access feature to provide hierarchical administrative access Describe the factors to consider when securing the data that transmits over the network related to the network management and reporting of device activity

Lesson Objectives
7. 8. 9. 10.

11.
12.

Describe and configure syslog for network security (use Solarwinds syslog server on PC) Describe and configure SNMP for network security Describe and configure NTP to enable accurate time stamping between all devices Describe the router services, interfaces, and management services that are vulnerable to network attacks and perform a security audit Lock down a router using AutoSecure and know its purposes and limitations Lock down a router using CCP and know its purposes and limitations

Perimeter Implementations

Single Router Approach

Router 1 (R1) Internet LAN 1

192.168.2.0

Defense-in-depth Approach

R1 Internet

Firewall

LAN 1
192.168.2.0

DMZ Approach

R1 Firewall R2 Internet DMZ

LAN 1
192.168.2.0

The Edge Router

What is the edge router?

The

How can the edge router be secured?

Use

last router between the internal network and an untrusted network such as the Internet Functions as the first and last line of defense Implements security actions based on the organizations security policies various perimeter router implementations Consider physical security, operating system security, and router hardening Secure administrative access Local versus remote router access

Router Configuration

CLI Configuration CCP Configuration Privilege levels

16 levels Root View CLI View Superview

Role-based view configuration

Router Configuration

Banners

Generally do not publish any information about the device or corporation

SSH Secure the IOS and configuration Password recovery Disabling password recovery

Secure Management

Change management Logging Out-of-band vs. in-band management Syslog SNMP NTP

Configuration

Logging to the console and terminal lines Setting up a syslog server Logging to a syslog server NTP server NTP client Disable unnecessary services CCP security audit

Security Audit Wizard vs. One-step Lockdown

Cisco AutoSecure

Lab Tasks

Basic CCNA-level network configuration and cabling Encrypt all passwords Warning banner Enhanced username security Enhanced virtual login security SSH router as server and PC as client Role Views

Lab Tasks (continued)

Secure IOS and configuration files Router as NTP client and as NTP server Router as syslog client and PC as syslog server Router as SNMP client with trap reporting Cisco AutoSecure CCP Security Audit

Properly Setting the Date and Time

Tasks

Set the timezone

Set the dates for which the time changes in the timezone

We are in the Eastern timezone, which is 5 hours behind UTC # clock timezone ET -5
Daylight Saving Time in the United States begins at 2:00 a.m. on the second Sunday of March and ends at 2:00 a.m. on the first Sunday of November # clock summer-time ET recurring 2 Sunday March 2:00 1 Sunday November 2:00 # clock set 14:05:00 Jan 10 2011

Set the date and time

Some devices have a hardware clock (called the calendar) and a

software clock (called clock).

For these devices, must copy the date and time to hardware clock, or else the device reverts to default time when it is rebooted #clock update-calendar There are other commands that operate between the hardware and software clock, but they are not necessary for this purpose.

Lab Day

Plan (continued)

Cable lab (assigned cable technician) Complete lab Parts and Tasks with these exceptions

Skip Part 4, Task 2, Step 3 (Configure NTP clients using CCP) Skip Part 4, Task 3, Step 5 (Configure syslog using CCP) When instructed to set the time, configure the timezone as instructed in class and in these slides.

Files and Information into springboard dropbox as instructed on the dropbox. One per team, submitted by the team leader. While only one is required, every student is expected to keep a copy of these files. Every student will submit the team evaluation survey on springboard.

Because you do not have a lot of time on lab day, many lab questions will need to be answered outside of class time.