Securing Network
Devices
CCNA-Security
Presentation_ID
Cisco Confidential
Chapter 2: Objectives
In this chapter you will:
Use the Cisco IOS resilient configuration feature to secure the Cisco IOS image and configuration files.
Presentation_ID
Cisco Confidential
Chapter 2
2.0 Introduction
2.1 Securing Device Access
2.2 Assigning Administrative Roles
2.3 Monitoring and Managing Devices
Presentation_ID
Cisco Confidential
Presentation_ID
Cisco Confidential
Presentation_ID
Cisco Confidential
Implementing Security
Single Router Approach
Defense-in-Depth Approach
DMZ Approach
Presentation_ID
Cisco Confidential
Securing Routers
Three areas of router security must be maintained:
Presentation_ID
Cisco Confidential
Log and account for all access - Records anyone who accesses
a device, including what occurs and when.
Authenticate access - Ensures that access is granted only to
authenticated users, groups, and services.
Presentation_ID
Cisco Confidential
Securing Passwords
Presentation_ID
Cisco Confidential
ITE PC v4.1
Chapter 1
Cisco Public
10
Presentation_ID
Cisco Confidential
11
Presentation_ID
Cisco Confidential
12
Presentation_ID
Cisco Confidential
13
ITE PC v4.1
Chapter 1
Cisco Public
14
ITE PC v4.1
Chapter 1
Cisco Public
15
ITE PC v4.1
Chapter 1
Cisco Public
16
ITE PC v4.1
Chapter 1
Cisco Public
17
Presentation_ID
Cisco Confidential
18
Presentation_ID
Cisco Confidential
19
Presentation_ID
Cisco Confidential
20
Configuring SSH
Presentation_ID
Cisco Confidential
21
Configuring SSH
Configuring SSH
Using the CLI, there are four steps to configure a Cisco router to
support SSH:
Step 1. Configure domain name using the ip domain-name
domain-name command in global configuration mode.
Step 2. Generate one-way secret keys must be generated for a
router to encrypt the SSH traffic. To create the RSA key, use
the crypto key generate rsa general-keys
modulus modulus-size command in global configuration
mode.
Step 3. Ensure that there is a valid local database username
entry. If not, create one using the
username name secret secret command.
Step 4. Enable vty inbound SSH sessions using the login
local and transport input ssh commands in line
vty configuration mode.
To verify SSH and display the generated keys, use the show crypto
key mypubkey rsa command.
Presentation_ID
Cisco Confidential
22
Configuring SSH
Presentation_ID
Cisco Confidential
23
Configuring SSH
Presentation_ID
Cisco Confidential
24
Configuring SSH
RSA key is not set on this router - If there is no key configured, enter a
modulus size and generate a key.
RSA key is set on this router - Means a cryptographic key has been
generated and SSH is enabled.
Presentation_ID
Cisco Confidential
25
2.2 Assigning
Administrative Roles
Presentation_ID
Cisco Confidential
26
privilege level
role-based CLI
Presentation_ID
Cisco Confidential
27
Privilege Levels
Level 0:
Predefined for user-level access privileges.
Seldom used, but includes five commands: disable, enable, exit,
help, and logout
Levels 2 14:
May be customized for user-level privileges.
Commands from lower levels may be moved up to a higher level, or
commands from higher levels may be moved down to a lower level.
Presentation_ID
Cisco Confidential
28
Presentation_ID
Cisco Confidential
29
Presentation_ID
Cisco Confidential
30
Presentation_ID
Cisco Confidential
31
Presentation_ID
Cisco Confidential
32
Role-Based Views
Root view:
Can configure any view for the system, the administrator must be in root
view.
Has the same access privileges as a user who has level 15 privileges.
However, a root view is not the same as a level 15 user.
Only a root view user can configure a new view and add or remove
commands from the existing views.
CLI view
A specific set of commands can be bundled into a CLI view
Superview
A superview consists of one or more CLI views. Administrators can
define which commands are accepted and which configuration
information is visible.
Presentation_ID
Cisco Confidential
33
Cisco Confidential
34
Step 1. Create a view using the parser view viewname superview command and enter superview
configuration mode.
Step 2. Assign a secret password to the view using
the secret encrypted-password command.
Step 3. Assign an existing view using the view viewname command in view configuration mode.
Step 4. Exit superview configuration mode by typing
the exit command.
To access existing views, enter the enable view viewname command in user mode and enter the password that was
assigned to the custom view.
Presentation_ID
Cisco Confidential
35
Presentation_ID
Cisco Confidential
36
Presentation_ID
Cisco Confidential
37
Presentation_ID
Cisco Confidential
38
To secure the IOS image and enable Cisco IOS image resilience,
use the secure boot-image command.
To take a snapshot of the router running configuration and
securely archive it in persistent storage, use the secure bootconfig global configuration mode command.
Presentation_ID
Cisco Confidential
39
Cisco Confidential
40
Presentation_ID
Cisco Confidential
41
Cisco Confidential
42
Presentation_ID
Cisco Confidential
43
Presentation_ID
Cisco Confidential
44
Introduction to Syslog
The syslog logging service provides three primary functions:
The ability to gather logging information for monitoring and
troubleshooting
The ability to select the type of logging information that is captured
The ability to specify the destinations of captured syslog messages
Presentation_ID
Cisco Confidential
45
Syslog Operation
Cisco routers can log information regarding configuration changes, ACL
violations, interface status, and many other types of events.
The router can be configured to send syslog messages to one or more
of the locations in diagram below.
Presentation_ID
Cisco Confidential
46
Presentation_ID
Cisco Confidential
47
Syslog Systems
Syslog implementations always contain two types of systems:
Syslog servers - Also known as log hosts, these systems accept and
process log messages from syslog clients.
Syslog clients - Routers or other types of equipment that generate
and forward log messages to syslog servers.
Presentation_ID
Cisco Confidential
48
Presentation_ID
Cisco Confidential
49
Step 6. Click OK to accept the changes and return to the Logging pane.
Presentation_ID
Cisco Confidential
50
Introduction to SNMP
The SNMP system
consists of three
elements:
SNMP manager
SNMP agents
(managed node)
Management
Information Base (MIB)
Presentation_ID
Cisco Confidential
51
SNMP Operation
SNMP agents that reside on managed devices collect and store
information about the device and its operation.
This information is stored by the agent locally in the MIB.
The SNMP manager then uses the SNMP agent to access information
within the MIB.
Presentation_ID
Cisco Confidential
52
Presentation_ID
Cisco Confidential
53
SNMP Vulnerabilities
The get and set actions create vulnerabilities that open SNMP to attack.
Presentation_ID
Cisco Confidential
54
Presentation_ID
Cisco Confidential
55
SNMPv3
SNMPv3 provides the following security features:
Message integrity and authentication - Ensures that a packet has not
been tampered with in transit and is from a valid source.
Encryption - Scrambles the contents of a packet to prevent it from
being seen by an unauthorized source.
Access Control - Restricts each principal to certain actions on specific
portions of data.
Presentation_ID
Cisco Confidential
56
Presentation_ID
Cisco Confidential
57
Step 5. To edit an existing trap receiver, choose a trap receiver from the trap
receiver list and click Edit. To delete an existing trap receiver, choose a
trap receiver from the trap receiver list and click Delete.
Step 6. When the trap receiver list is complete, click OK to return to the SNMP
pane.
Presentation_ID
Cisco Confidential
58
Using NTP
Presentation_ID
Cisco Confidential
59
Using NTP
Presentation_ID
Cisco Confidential
60
Using NTP
NTP Server
Sample NTP Configuration
Presentation_ID
Cisco Confidential
61
Using NTP
NTP Authentication
There are two security mechanisms available:
ACL-based restriction scheme
Encrypted authentication mechanism offered by NTP version 3 or later
Presentation_ID
Cisco Confidential
62
Using NTP
Cisco Confidential
63
Presentation_ID
Cisco Confidential
64
Presentation_ID
Cisco Confidential
65
Presentation_ID
Cisco Confidential
66
Presentation_ID
Cisco Confidential
67
Presentation_ID
Cisco Confidential
68
Cisco AutoSecure
The Cisco AutoSecure feature is initiated from the CLI and executes a
script. It first makes recommendations for fixing security vulnerabilities,
and then modifies the security configuration of the router.
Presentation_ID
Cisco Confidential
69
Presentation_ID
Cisco Confidential
70
Presentation_ID
Cisco Confidential
71
CCP disables SNMP. However, unlike Cisco AutoSecure, CCP does not
provide an option for configuring SNMPv3.
Presentation_ID
Cisco Confidential
72
Chapter 2
Summary
When securing a network device, hardening should be the first step, which
includes:
Using secure protocols like SSH, instead of Telnet, and HTTPS instead of HTTP.
Cisco Confidential
73
Presentation_ID
Cisco Confidential
74