

CH2 Securing Network Devices

Authentication (local)

(config)# username name secret { [0] password | 5 encrypted-secret}

(config)# username name password { [0] password | 7 encrypted-password}

ISR: Integrated Services Router

Passwords

Enforce minimum password lengths:

(config)# security passwords min-length length

Disable unattended connections:
- By default, an administrative interface stays active and logged in for 10 minutes after the last session activity.
- (config-line)# exec-timeout

Encrypt all passwords in the configuration file:

(config)# service password-encryption

Enhanced Security (Not for console)

# Delays between successive login attempts:
# Login shutdown if DoS attacks are suspected:

(config)# login block-for seconds attempts tries within seconds
- This command enables the login enhancements

(config)# login quiet-mode access-class {acl-name | acl-number}

(config)# login delay seconds
- Delay between login attempts (default = 1 second)

# Generation of system logging messages for login detection:

(config)# login on-success log [every login]

(config)# login on-failure log [every login]
OR
(config)# security authentication failure rate threshold-rate log

# BANNERS:

(config)# banner {exec | incoming | login | motd | slip-ppp} d message d

Privilege Levels

# Predefined:
Level 0: only five commands (disable, enable, exit, help and logout)
Level 1: User EXEC mode
Level 15: Privileged EXEC mode

- A user authorized for privilege level 10 is granted access to commands allowed at privilege levels 0 through 10

# Custom Levels (2-14):

(config)# privilege mode {level level command | reset} command

If we create a privilege level for the command "show ip route", then all three commands (show, show ip and show ip route) and their subcommands are included

# Example:

(config)# privilege exec level 5 ping
(config)# enable secret level 5 cisco
(config)# username SUPPORT privilege 5 secret cisco5

Cisco IOS Resilient Configuration

available for systems that support a PCMCIA Advanced Technology Attachment (ATA) flash

bootset

! The feature can be disabled only through a console session

(config)# secure boot-image
(config)# secure boot-config

# show secure bootset

functions properly only when the system is configured to run an image from a flash drive with an ATA interface

# Steps to restore a primary bootset from a secure archive:
1. Reload and enter ROMmon mode
2. dir (to list contents and see the image name)
3. boot image-name
4. After bootup, enter Global Config mode and:
5. secure boot-config restore filename

Role-Based CLI (Views)

- Root View (the only view from which we can create or modify other views)
- CLI View
- Superview (one or more CLI views; no command can be directly configured here)

# Configs:

1. (config)# aaa new-model
2. # enable view (to enter the root view; the root keyword can be added; enable secret must be configured)
3. (config)# parser view view-name (add the superview keyword for superviews)
4. (config-view)# secret encrypted-password (must be created immediately after creating a view)
5. (config-view)# commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]

# show parser view (to show the current view)
# show parser view all (to show all views)

SSH

# Conditions:
1. The right IOS version (12.1(1)T or later with IPSec feature set)
2. Unique hostname
3. Domain name
4. Local authentication or AAA services

# Steps:
1. (config)# hostname hostname
2. (config)# ip domain-name domain-name
3. (config)# crypto key generate rsa general-keys modulus modulus-size
4. (config)# username name secret secret
5. (config-line)# login local
6. (config-line)# transport input ssh

Other Commands:
# show crypto key mypubkey rsa (to show the RSA key)
(config)# crypto key zeroize rsa (to remove the RSA key)

# Additional Commands:

(config)# ip ssh version 2
- version 2 uses DH and the strong integrity-checking message authentication code (MAC)

(config)# ip ssh time-out 60 (default = 120 seconds)
- time interval that the router waits for the SSH client to respond during the SSH negotiation

(config)# ip ssh authentication-retries 2 (default = 3)

# ssh -l username 192.168.1.101
- SSH client
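As an added example (not part of these notes), a small Python checker that reads an IOS running-config and reports which of the settings from the Passwords, Enhanced Security and SSH sections above are missing. The sample config is constructed, and the regexes cover only the command forms listed in the notes.

```python
import re

# Constructed sample running-config (not from the page), missing several hardening settings.
SAMPLE_CONFIG = """\
hostname R1
ip domain-name example.test
username admin privilege 15 secret 5 $1$abcd$PLACEHOLDERHASH
service password-encryption
login on-failure log
ip ssh version 1
line con 0
 exec-timeout 5 0
line vty 0 4
 login local
 transport input telnet ssh
"""

# Global settings from the notes, as (description, regex matched per config line).
GLOBAL_CHECKS = [
    ("minimum password length set", r"^security passwords min-length \d+"),
    ("passwords encrypted in config", r"^service password-encryption$"),
    ("login block-for configured", r"^login block-for \d+ attempts \d+ within \d+"),
    ("failed logins logged", r"^login on-failure log"),
    ("SSH version 2 only", r"^ip ssh version 2$"),
]

def line_blocks(config):
    """Return {line name: [sub-commands]} for every 'line ...' section."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks

def audit(config):
    """Return one finding string per missing or weak setting."""
    findings = [f"missing: {desc}" for desc, pat in GLOBAL_CHECKS
                if not re.search(pat, config, re.MULTILINE)]
    for name, cmds in line_blocks(config).items():
        if not any(c.startswith("exec-timeout") for c in cmds):
            findings.append(f"line {name}: no exec-timeout (default is 10 minutes)")
        if name.startswith("vty") and "transport input ssh" not in cmds:
            findings.append(f"line {name}: transport input is not ssh-only")
    return findings
```

Run `audit(SAMPLE_CONFIG)` to list the findings; a config that contains every checked command returns an empty list.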

NTP

UDP port 123

(config)# ntp master [stratum]

(config)# ntp server {ip-address | hostname} [version number] [key key-id] [source interface] [prefer]

(config-if)# ntp broadcast client

- for NTP version 3
(config)# ntp authenticate
(config)# ntp authentication-key key-number md5 key-value
(config)# ntp trusted-key key-number

# show ntp associations detail

Management & Logging

Syslog

# Logs can be sent to:
- Console (on by default)
- Terminal lines
- Buffered logging (stored in router memory, cleared when rebooting)
- SNMP traps
- Syslog service

Severity Levels
From: 0 (most severe) To: 7 (lowest)

# Contains three main parts:
- Timestamp
- Log message name and severity level
- Message text

# Configs:
(config)# logging host [ hostname | ip-address ]
(config)# logging trap level
(config)# logging source-interface int-type int-number (specifies the source in the syslog packets regardless of the exit interface)
(config)# logging on
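Added example, not from the notes: a Python parser for the three-part IOS syslog message described above. It shows which messages a given logging trap level forwards and counts the login-failure messages that login on-failure log produces per source address. The sample lines are constructed to follow the %SEC_LOGIN message layout and are not real device logs.

```python
import re
from collections import Counter

# Severity 0 (most severe) to 7 (lowest), indexed by number.
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

# The three parts: timestamp, %FACILITY-SEVERITY-MNEMONIC, message text.
MSG_RE = re.compile(r"^(?P<ts>.+?): %(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mn>[A-Z0-9_]+): (?P<text>.*)$")
SRC_RE = re.compile(r"\[Source: (?P<src>[0-9a-fA-F.:]+)\]")

# Constructed sample lines in the IOS login-detection format (not real device logs).
SAMPLE_LOGS = """\
*Mar  1 00:10:01.100: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.0.2.10] [localport: 22] at 00:10:01 UTC Mon Mar 1 2021
*Mar  1 00:10:07.200: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 00:10:07 UTC Mon Mar 1 2021
*Mar  1 00:10:09.300: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 00:10:09 UTC Mon Mar 1 2021
*Mar  1 00:10:11.400: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 00:10:11 UTC Mon Mar 1 2021
*Mar  1 00:10:20.500: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)
"""

def parse(line):
    """Split one syslog line into its parts; return None if it is not an IOS message."""
    m = MSG_RE.match(line)
    if not m:
        return None
    sev = int(m["sev"])
    return {"timestamp": m["ts"], "facility": m["fac"], "severity": sev,
            "severity_name": SEVERITY_NAMES[sev], "mnemonic": m["mn"], "text": m["text"]}

def parse_all(logs):
    """Parse every line, skipping lines that are not IOS messages."""
    return [p for p in map(parse, logs.splitlines()) if p]

def forwarded(logs, trap_level):
    """Messages that 'logging trap <trap_level>' would send to the syslog host."""
    return [p for p in parse_all(logs) if p["severity"] <= trap_level]

def failed_logins_by_source(logs):
    """Count LOGIN_FAILED messages per source address, for alerting on repeated failures."""
    counts = Counter()
    for p in parse_all(logs):
        if p["mnemonic"] == "LOGIN_FAILED":
            m = SRC_RE.search(p["text"])
            counts[m["src"] if m else "unknown"] += 1
    return counts
```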

SNMP

# Components: Manager, Agent and MIBs

- Community String: to authenticate messages between the manager and agent. (Read only or Read Write)

- Versions: 1, 2 and 3
SNMPv3 added security features:
1. Message integrity
2. Authentication
3. Encryption
4. Access Control

- Security Levels:
1. noAuth: using a string match of the username or community string
2. auth: using Hashed Message Authentication Code (HMAC) with MD5 or Secure Hash Algorithms (SHA)
3. priv: using either the HMAC MD5 or HMAC SHA algorithms and encrypting the packet using the DES, 3DES or AES algorithms.

Edge Router

Types

Single Router Approach

Defense-In-Depth Approach
- Screening Router

DMZ Approach

Security

Physical

Hardening

Secure administrative control:
- Restrict device accessibility
- Log and account for all access
- Authenticate access
- Authorize actions
- Present legal notification
- Ensure the confidentiality of data

Disable unused ports and interfaces

Disable unnecessary services

OS security

Configure the router with the maximum amount of memory possible

Use the latest stable version

Keep a secure copy of the router operating system image and router configuration file as a backup.
