CH2 Securing Network Devices
Authentication (local)
(config)# username name secret { [0] password | 5 encrypted-secret}
(config)# username name password { [0] password | 7 encrypted-password}
- Prefer "secret": type 5 is a one-way hash, while type 7 ("password") is a reversible obfuscation
ISR: Integrated Services Router
Passwords
Enforce minimum password lengths:
(config)# security passwords min-length length
Disable unattended connections:
- By default, an administrative interface stays active and logged in for 10 minutes after the last session activity.
- (config-line)# exec-timeout minutes [seconds]
Encrypt all passwords in the configuration file:
(config)# service password-encryption
Enhanced Security (not for console)
# Delays between successive login attempts:
# Login shutdown if DoS attacks are suspected:
(config)# login block-for seconds attempts tries within seconds
- This command enables the login enhancements
(config)# login quiet-mode access-class {acl-name | acl-number}
(config)# login delay seconds
- Delay between login attempts (default = 1 second)
# Generation of system logging messages for login detection:
(config)# login on-success log [every login]
(config)# login on-failure log [every login]
OR
(config)# security authentication failure rate threshold-rate log
# BANNERS:
(config)# banner {exec | incoming | login | motd | slip-ppp} d message d
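The commands above as one complete hardening configuration. This is an added example, not part of the original notes; the hostname, account names, addresses and secrets are constructed sample values, and the VTY line assumes SSH has been set up (hostname, domain name, RSA key pair).

```cisco
! Added example (not from the original notes): local-authentication hardening.
! Hostname, usernames, addresses and secrets are constructed sample values.
hostname R1
!
! Reject new passwords shorter than 10 characters (set this before creating accounts)
security passwords min-length 10
!
! Local accounts: use "secret" (one-way hash) rather than "password" (type 7, reversible)
username admin privilege 15 secret Adm1n-S3cret-Sampl3!
!
! Obscure any remaining plaintext passwords in the configuration file (type 7, weak)
service password-encryption
!
! Login attack protection: after 3 failed attempts within 60 s, block new logins for 120 s
login block-for 120 attempts 3 within 60
!
! During quiet mode, still admit the management station matched by this ACL
ip access-list standard ADMIN-HOSTS
 permit 192.168.1.100
login quiet-mode access-class ADMIN-HOSTS
!
! Two-second delay between successive attempts; log every success and failure
login delay 2
login on-success log
login on-failure log
!
! Legal notice shown before the login prompt (^ is the delimiter)
banner login ^
Authorized access only. All activity is monitored and logged.
^
!
! VTY lines: local authentication, 5-minute idle timeout, SSH only (requires SSH setup)
line vty 0 4
 login local
 exec-timeout 5 0
 transport input ssh
!
! Console: local authentication and a shorter idle timeout (login block-for does not apply here)
line console 0
 login local
 exec-timeout 3 0
```

After applying this, `show login` (privileged EXEC) reports the block-for parameters and whether the router is currently in quiet mode, and `show login failures` lists the failed attempts that were logged.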
Privilege Levels
# Predefined:
- Level 0: only five commands (disable, enable, exit, help and logout)
- Level 1: User EXEC mode
- Level 15: Privileged EXEC mode
- A user authorized for privilege level 10 is granted access to commands allowed at privilege levels 0 through 10
# Custom Levels (2-14):
(config)# privilege mode {level level command | reset} command
If we assign the command "show ip route" to a privilege level, all three commands (show, show ip, show ip route) and their subcommands are included at that level
# Example:
(config)# privilege exec level 5 ping
(config)# enable secret level 5 cisco
(config)# username SUPPORT privilege 5 secret cisco5
Cisco IOS Resilient Configuration
- Available for systems that support a PCMCIA Advanced Technology Attachment (ATA) flash
- The secured copy of the IOS image and the running configuration is called the bootset
- The feature can be disabled only through a console session
(config)# secure boot-image
(config)# secure boot-config
# show secure bootset
- Functions properly only when the system is configured to run an image from a flash drive with an ATA interface
# Steps to restore a primary bootset from a secure archive:
1. Reload and enter ROMmon mode
2. dir (to list contents and see the image name)
3. boot image-name
4. After bootup, enter global configuration mode
5. (config)# secure boot-config restore filename
Role-Based CLI (Views)
- Root View (the only view from which we can create or modify other views)
- CLI View
- Superview (one or more CLI views; no command can be directly configured here)
# Configs:
1. (config)# aaa new-model
2. # enable view (enters the root view; the root keyword can be added; an enable secret must be configured)
3. (config)# parser view view-name (add the superview keyword for superviews)
4. (config-view)# secret encrypted-password (must be configured immediately after creating a view)
5. (config-view)# commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]
# show parser view (to show the current view)
# show parser view all (to show all views)
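The five steps above carried through for a read-only monitoring view, an interface-configuration view, and a superview that bundles both. This is an added example, not from the original notes; view names, account names and secrets are constructed sample values.

```cisco
! Added example (not from the original notes): CLI views and a superview.
! View names, usernames and secrets are constructed sample values.
aaa new-model
enable secret En4ble-S3cret-Sampl3!
!
! Views are created from the root view (privileged EXEC):
!   R1# enable view
!   Password: <enable secret>
!   R1(config)# ...
!
! View 1: monitoring only - selected show commands, nothing else
parser view MONITOR
 secret M0nitor-Vi3w-Sampl3!
 commands exec include show version
 commands exec include show interfaces
 commands exec include all show ip
 commands exec include show logging
!
! View 2: interface configuration only
! include-exclusive makes "ip address" available in this view and hides it from other views
parser view IFCONFIG
 secret Ifc0nfig-Vi3w-Sampl3!
 commands exec include configure terminal
 commands configure include interface
 commands interface include-exclusive ip address
 commands interface include description
 commands interface include shutdown
!
! Superview bundling both CLI views; commands cannot be added here directly
parser view NETOPS superview
 secret Net0ps-Sup3r-Sampl3!
 view MONITOR
 view IFCONFIG
!
! Bind a local account to the superview so its logins land there automatically
username netops view NETOPS secret Net0ps-Us3r-Sampl3!
!
! Verification (privileged EXEC):
!   R1# enable view NETOPS        <- switch into the superview
!   R1# show parser view          <- current view
!   R1# show parser view all      <- all configured views (root view only)
```

A user in NETOPS can run the show commands from MONITOR and change interface addressing from IFCONFIG, but cannot see or run anything else, which is the separation that privilege levels alone (a cumulative 0..N range) cannot express.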
SSH
# Conditions:
1. The right IOS version (12.1(1)T or later with the IPsec feature set)
2. Unique hostname
3. Domain name
4. Local authentication or AAA services
# Steps:
1. (config)# hostname hostname
2. (config)# ip domain-name domain-name
3. (config)# crypto key generate rsa general-keys modulus modulus-size
4. (config)# username name secret secret
5. (config-line)# login local
6. (config-line)# transport input ssh
# Other Commands:
# show crypto key mypubkey rsa (to show the RSA key)
(config)# crypto key zeroize rsa (to remove the RSA key)
# Additional Commands:
(config)# ip ssh version 2
- Version 2 uses DH and the strong integrity-checking message authentication code (MAC)
(config)# ip ssh time-out 60 (default = 120 seconds)
- Time interval that the router waits for the SSH client to respond during the SSH negotiation
(config)# ip ssh authentication-retries 2 (default = 3)
# ssh -l username 192.168.1.101 (SSH client)
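The six SSH steps and the additional commands above as one complete configuration, with a source-address restriction on the VTY lines that the notes do not mention. This is an added example, not from the original notes; hostname, domain, addresses and secrets are constructed sample values.

```cisco
! Added example (not from the original notes): SSH-only management access.
! Hostname, domain name, addresses and secrets are constructed sample values.
!
! 1-2. Unique hostname and domain name (both are needed to name the RSA key pair)
hostname R1
ip domain-name example.com
!
! 3. Generate the RSA key pair; use 2048 bits or more
crypto key generate rsa general-keys modulus 2048
!
! 4. Local account for SSH users
username admin privilege 15 secret Adm1n-S3cret-Sampl3!
!
! Additional hardening: SSHv2 only, shorter negotiation timeout, fewer retries
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
!
! Only the management subnet may open a session on the VTY lines
ip access-list standard MGMT-HOSTS
 permit 192.168.1.0 0.0.0.255
!
! 5-6. VTY lines: local login, SSH only (Telnet disabled), filtered by the ACL
line vty 0 4
 access-class MGMT-HOSTS in
 login local
 transport input ssh
 exec-timeout 5 0
!
! Verification (privileged EXEC):
!   R1# show crypto key mypubkey rsa    <- key pair present
!   R1# show ip ssh                      <- "SSH Enabled - version 2.0"
!   R1# show ssh                         <- active sessions
!
! Key rotation: zeroize and regenerate (existing SSH sessions are dropped)
!   R1(config)# crypto key zeroize rsa
!   R1(config)# crypto key generate rsa general-keys modulus 2048
```

From the management station the connection is opened as in the notes, `ssh -l admin 192.168.1.1`; a client presenting a source outside 192.168.1.0/24 is refused by the access-class before any authentication happens.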
NTP
- UDP port 123
(config)# ntp master [stratum]
(config)# ntp server {ip-address | hostname} [version number] [key key-id] [source interface] [prefer]
(config-if)# ntp broadcast client
- For NTP version 3:
(config)# ntp authenticate
(config)# ntp authentication-key key-number md5 key-value
(config)# ntp trusted-key key-number
# show ntp associations detail
Management & Logging
Syslog
# Logs can be sent to:
- Console (on by default)
- Terminal lines
- Buffered logging (stored in router memory, cleared when rebooting)
- SNMP traps
- Syslog service
# Severity Levels: from 0 (most severe) to 7 (least severe)
# A message contains three main parts:
- Timestamp
- Log message name and severity level
- Message text
# Configs:
(config)# logging host [hostname | ip-address]
(config)# logging trap level
(config)# logging source-interface int-type int-number (specifies the source in the syslog packets regardless of the exit interface)
(config)# logging on
SNMP
# Components: Manager, Agent and MIBs
- Community String: to authenticate messages between the manager and agent (Read Only or Read Write)
- Versions: 1, 2 and 3
- SNMPv3 added security features:
 1. Message integrity
 2. Authentication
 3. Encryption
 4. Access control
- Security Levels:
 1. noAuth: using a string match of the username or community string
 2. auth: using a Hashed Message Authentication Code (HMAC) with MD5 or the Secure Hash Algorithm (SHA)
 3. priv: using either HMAC-MD5 or HMAC-SHA and encrypting the packet with DES, 3DES, or AES
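The NTP, Syslog and SNMP sections above combined into one management-plane configuration: the clock is authenticated first so that the timestamps in the three-part log messages can be trusted, logs are forwarded to a collector, and SNMP is limited to v3 at the priv level. This is an added example, not from the original notes; the snmp-server, logging buffered, service timestamps and interface commands are not on the page, and all addresses, key values, group/user names and secrets are constructed sample values.

```cisco
! Added example (not from the original notes): authenticated NTP, syslog and SNMPv3.
! Addresses, keys, group/user names and secrets are constructed sample values.
!
! --- NTP: authenticate the time source so log timestamps can be trusted ---
ntp authenticate
ntp authentication-key 1 md5 Ntp-K3y-Sampl3
ntp trusted-key 1
ntp server 192.168.1.10 key 1 prefer
!
! Stamp every log message with date and time to the millisecond (first part of the message)
service timestamps log datetime msec
!
! Stable source address for management traffic
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
! --- Syslog: keep a local buffer and forward level 4 (warnings) and more severe to the collector ---
logging buffered 16384 informational
logging host 192.168.1.50
logging trap warnings
logging source-interface Loopback0
logging on
!
! --- SNMPv3 only: authPriv group, read-only view, restricted by ACL, no community strings ---
ip access-list standard SNMP-MGR
 permit 192.168.1.60
snmp-server view MGMT-VIEW iso included
snmp-server group NETMON v3 priv read MGMT-VIEW access SNMP-MGR
snmp-server user monitor NETMON v3 auth sha Auth-Pa55-Sampl3 priv aes 128 Priv-Pa55-Sampl3
!
! Verification (privileged EXEC):
!   R1# show ntp associations detail   <- "authenticated" flag on the peer
!   R1# show logging                   <- trap level, host, and buffered messages
!   R1# show snmp user                 <- auth and priv protocols for user "monitor"
```

No `snmp-server community` line is configured, so SNMPv1/v2c requests (which carry the community string in cleartext) are not answered at all; the only access path is the v3 user with SHA authentication and AES encryption.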
Edge Router
Types
Single Router Approach
Defense-In-Depth Approach (screening router)
DMZ Approach
Security
Physical
Hardening
Secure administrative control:
- Restrict device accessibility
- Log and account for all access
- Authenticate access
- Authorize actions
- Present legal notification
- Ensure the confidentiality of data
Disable unused ports and interfaces
Disable unnecessary services
OS security
Configure the router with the maximum amount of memory possible
Use the latest stable version
Keep a secure copy of the router operating system image and router configuration file as a backup.