Copyright © www.ine.com
Module Overview
Terminal Lines
Password security
Device hardening
Administrative Access Overview
Device Access methods
Local (Console)
Remote (Telnet, SSH, HTTP, HTTPS)
In-band (management traffic shares the production data path)
Out-of-band (OOB, dedicated management network or console server)
Line Security
Access to a line can be restricted to specific protocols
Inbound sessions: transport input {all | none | ssh | telnet ...}
Outbound sessions (hopping off the device to another host): transport output ...
Access can be disabled entirely with transport input none / transport output none
Protecting CLI Modes
User EXEC
Line passwords (password)
Not secure: one password shared by all users, no accountability
Cannot be used for SSH (SSH requires a username)
Identity-based protection (login local)
More secure & supports SSH
Requires at least one user account
username name {password | secret} string (secret stores a hash; password is stored in clear text)
Protecting CLI Modes
Privileged EXEC
Password-based
Applies to local & remote sessions
Configuration
Clear-text password (enable password)
Optionally add service password-encryption (weak: Type 7 obfuscation is reversible)
Recommended: hashed password via enable secret (MD5/Type 5 by default; SHA-256/Type 8 or scrypt/Type 9 via enable algorithm-type on newer IOS)
Protecting CLI Modes
Default Settings
User EXEC
Console
No password checking (no login): anyone with physical console access gets User EXEC
VTY
Password is required (login), but none is set, so remote sessions are refused
Privileged EXEC
If no enable password/secret is set, this mode can only be entered from the console
HTTP[S]
Authenticates with the enable password by default
Change with ip http authentication {enable | local | aaa}
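The slides above are steps of one procedure, so here is one complete configuration that applies them. This is an added example, not a configuration from the original INE slides; the hostname, domain, user name, secrets and the SSH key size are assumptions, and the scrypt line assumes an IOS release that supports enable algorithm-type.

```cisco
! Added example (not from the original slides): moving a router from the
! insecure defaults (no console login, clear-text enable password) to
! identity-based, SSH-only management. All names/secrets are made up.
hostname R1
ip domain-name example.net
!
! Local account with a hashed secret. "username ... password" would be
! stored in clear text (or reversible Type 7 form) and is avoided.
username admin privilege 15 secret S3cure-Adm1n-Pw!
!
! Privileged EXEC: hashed secret instead of "enable password".
! Default hash is MD5 (Type 5); newer IOS can use scrypt (Type 9):
!   enable algorithm-type scrypt secret S3cure-En4ble-Pw!
enable secret S3cure-En4ble-Pw!
!
! SSH needs an RSA key pair; 2048 bits is an assumed minimum here.
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Console: default is "no login"; require a local user instead.
line console 0
 login local
 exec-timeout 10 0
 logging synchronous
!
! Auxiliary port: not used, so disable it completely.
line aux 0
 no exec
 transport input none
 transport output none
!
! VTY lines: local users, inbound SSH only, no outbound hop-off.
line vty 0 4
 login local
 transport input ssh
 transport output none
 exec-timeout 10 0
!
! Web management: HTTPS only, authenticated against local users rather
! than the default enable password.
no ip http server
ip http secure-server
ip http authentication local
```

After applying this, `show running-config | include secret` shows only the hashed forms (a `$9$` prefix for scrypt, `$1$` for MD5), and a Telnet attempt to the VTY lines is refused because only SSH is accepted on transport input.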
Password Security
Password Security Guidelines
Use at least 8-10 characters (resists brute-force attacks)
Enforce with security passwords min-length length
Avoid dictionary words (resists dictionary attacks)
Use characters from at least three different character groups
Lower/upper case letters
Special characters
Digits
Device Access Best Practices
Limit management sessions to known IPs (VTY access control)
Permit ACL entries define trusted addresses; everything else is implicitly denied
On VTY lines apply with access-class / ipv6 access-class ... in
For HTTP[S] use ip http access-class
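The password-length policy and the VTY/HTTP access restrictions from the last two slides, combined into one configuration. This is an added example, not from the original slides; the management prefixes 10.0.100.0/24 and 2001:db8:100::/64 and the ACL numbers/names are assumptions.

```cisco
! Added example (not from the original slides): enforce a minimum
! password length and allow management sessions only from an assumed
! management subnet. Everything not permitted is dropped by the
! implicit deny; the explicit "deny any log" makes refused attempts
! visible in syslog.
security passwords min-length 10
!
! Trusted IPv4 management hosts (numbered standard ACL so the same
! list can be reused for ip http access-class)
access-list 10 permit 10.0.100.0 0.0.0.255
access-list 10 deny   any log
!
! Trusted IPv6 management hosts
ipv6 access-list MGMT-HOSTS-V6
 permit ipv6 2001:db8:100::/64 any
 deny ipv6 any any log
!
! Apply to all VTY lines (use the full range, e.g. 0 15, on platforms
! that have more than five VTYs, or the extra lines stay unprotected)
line vty 0 4
 access-class 10 in
 ipv6 access-class MGMT-HOSTS-V6 in
!
! Same source restriction for the HTTP(S) server
ip http access-class 10
```

Check the result with `show line vty 0 4` (the Acc I column shows the inbound access-class) and `show access-lists 10`, whose hit counters on the deny entry reveal management attempts from outside the trusted subnet.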
Device Hardening
Many management/control plane services will never be used
E.g. BOOTP, UDP/TCP small servers, Finger, Proxy ARP & more
Disabling unnecessary services is also referred to as "hardening"
Preserves resources
Removes the attack surface of services that are not needed
Unnecessary services can be disabled manually or with AutoSecure (auto secure)
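A manual hardening pass covering the services named on the slide plus a few other commonly disabled ones. This is an added example, not from the original slides; the interface name is an assumption, and the global defaults differ between IOS releases (several of these are already off on recent code), so verify each with `show running-config all` before and after.

```cisco
! Added example (not from the original slides): disable services that
! are rarely needed on a router's management/control plane. Confirm
! each one against your own deployment first.
!
! Services named on the slide
no ip bootp server
no service tcp-small-servers
no service udp-small-servers
no ip finger
!
! Other common candidates
no service pad
no ip http server
no service config
no boot network
no ip source-route
! CDP leaks platform/IOS version to neighbours; keep it only where
! IP phones or monitoring depend on it
no cdp run
!
! Per-interface items (repeat on every user-facing interface;
! GigabitEthernet0/0 is an assumed name)
interface GigabitEthernet0/0
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
```

The AutoSecure alternative is the privileged EXEC command `auto secure` (interactive) or `auto secure no-interact`; it applies a broad set of changes including firewall and logging settings, so review the generated configuration before committing it on a production device.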
Role-Based CLI Access
Module Overview
Role-Based CLI overview
Configuration
Role-Based CLI Access Overview
Role-Based CLI Access (RBCA) selectively controls which CLI commands a user may run
Uses the concept of Views
A View lists the commands it includes (or excludes unwanted ones)
Resembles privilege levels, but with per-command granularity
Must be assigned to the user to take effect
Locally (username ... view)
Via a AAA server shell attribute (cli-view-name)
RBCA Configuration
Prerequisites
AAA (aaa new-model) and an enable secret
Root view mode (enable view, authenticated with the enable secret)
View Configuration
parser view name [superview]
secret (password to enter the view)
commands parser-mode {include | exclude | include-exclusive} [all] command
view name (inside a superview, to add member views)
Verification
enable view name, show parser view
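The prerequisites, view definition, user binding and verification from the slide above as one worked configuration. This is an added example, not from the original slides; the view names, user name and secrets are assumptions.

```cisco
! Added example (not from the original slides): a "NETOPS" view that may
! inspect interfaces and routing and change only interface descriptions,
! plus a superview that aggregates it. All names/secrets are made up.
aaa new-model
enable secret S3cure-En4ble-Pw!
!
! Views can only be created from the root view. In privileged EXEC:
!   R1# enable view
!   Password: <enable secret>
!
parser view NETOPS
 secret N3tops-V1ew-Pw!
 ! EXEC-mode commands the role may run
 commands exec include show interfaces
 commands exec include show ip route
 ! "configure terminal" must be included before any config-mode
 ! command can be used; include-exclusive reserves it for this view
 commands exec include-exclusive configure terminal
 ! Config-mode and interface-mode commands
 commands configure include interface
 commands interface include description
!
! Bind the view to a local account; the user lands in NETOPS at login
username netops view NETOPS secret N3tops-Us3r-Pw!
!
! Superview: a container of views, entered with its own secret
parser view ALL-OPS superview
 secret Sup3r-V1ew-Pw!
 view NETOPS
```

To check the result, log in as netops (or run `enable view NETOPS` as another user) and compare `show parser view` with `?` at the prompt: only the included commands are listed, and `configure terminal` followed by `interface ...` and `description ...` works while any other config command is rejected.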
Logging
Module Overview
Logging Overview
Configuration syntax
Logging Overview
Logging records & stores system messages (console, monitor, local buffer, syslog host)
The severity threshold configured per destination determines which messages are delivered there
The "debugging" level (7) delivers all messages, including debug output on IOS
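A logging configuration that sets a different severity threshold per destination, which is what the slide describes. This is an added example, not from the original slides; the collector address 10.0.100.50 and the Loopback0 source interface are assumptions.

```cisco
! Added example (not from the original slides): per-destination
! severity thresholds with a remote syslog collector.
!
! Timestamps and sequence numbers make messages usable as evidence
service timestamps log datetime msec localtime show-timezone
service sequence-numbers
!
! Local buffer: informational (6) and more severe, 64 KB
logging buffered 65536 informational
!
! Console: only critical (2) and worse, so a flood of messages cannot
! make the console unusable during an incident
logging console critical
!
! Terminal sessions (after "terminal monitor"): informational
logging monitor informational
!
! Remote syslog: informational. "debugging" (7) would also forward all
! debug output and is avoided on production devices.
logging trap informational
logging source-interface Loopback0
logging host 10.0.100.50
```

`show logging` displays the threshold and counter for every destination and the contents of the buffer; a quick functional check is `logging host` followed by a configuration change, which produces a level-5 `%SYS-5-CONFIG_I` message that must appear on the collector.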
Securing SNMP
Module Overview
SNMP overview
SNMP versions
SNMPv3
Configuration
SNMP Overview
Simple Network Management Protocol (SNMP) is an application-layer protocol used for network monitoring & administration
SNMP Framework
Network Management Station (NMS)
SNMP Agent
Management Information Base (MIB)
SNMP Operations
Polling & configuration (GET, GETNEXT, GETBULK, SET)
Notifications (TRAPs, which are unacknowledged, and INFORMs, which are acknowledged)
SNMP Versions
Version 1
Full Internet standard, community-based authentication (community string sent in clear text)
Version 2c
Adds GETBULK & INFORM (and views on IOS), still uses clear-text communities for authentication
Version 3
Message integrity (HMAC-MD5/SHA)
Encryption (originally DES, later 3DES/AES)
User-based authentication (USM)
SNMPv3
SNMPv3 Security Levels
noAuthNoPriv
No encryption, no integrity check; the username alone identifies the sender
authNoPriv
No encryption, HMAC-MD5/SHA authentication & integrity
authPriv
Encryption (DES/3DES/AES) & HMAC-MD5/SHA authentication & integrity
SNMP Configuration
Polling
Version 1/2c
snmp-server community string [ro | rw] [acl]
Version 3
snmp-server group name v3 {noauth | auth | priv} [read view] [access acl] & snmp-server user name group v3 auth {md5 | sha} ... priv {des | 3des | aes} ...
Notifications
snmp-server enable traps & snmp-server host address [version ...] {community | user}
Verification
show snmp, show snmp user, show snmp group
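The weak community-based setting beside the SNMPv3 authPriv configuration the slides recommend, as one worked example. This is an added example, not from the original slides; the NMS address 10.0.100.50, the ACL number, the view, group and user names and the passphrases are assumptions.

```cisco
! Added example (not from the original slides). Only the NMS may talk
! SNMP to this device; the same ACL guards both versions.
access-list 20 permit host 10.0.100.50
!
! --- Weak: v1/v2c. The community string is the whole credential and
! crosses the network in clear text; the ACL is the only real control.
! A read-write community ("rw") would let a sniffer reconfigure the box.
snmp-server community M0nit0r-0nly ro 20
!
! --- Recommended: v3 authPriv (integrity + encryption)
snmp-server view SYSVIEW iso included
snmp-server group NMS-GRP v3 priv read SYSVIEW access 20
snmp-server user nms-poller NMS-GRP v3 auth sha Auth-Pass-N3twork! priv aes 128 Priv-Pass-N3twork!
!
! --- Notifications, sent as v3 authPriv to the same NMS
snmp-server enable traps snmp linkdown linkup coldstart
snmp-server enable traps config
snmp-server host 10.0.100.50 version 3 priv nms-poller
```

Two practitioner caveats: `snmp-server user` lines are not shown in `show running-config` (the USM table is stored separately), so verify users with `show snmp user` and groups with `show snmp group`; and once v3 is working, remove the v2c community line, otherwise the clear-text path stays open next to the encrypted one.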
Securing NTP
Module Overview
NTP overview
NTP security
Configuration
NTP Overview
Network Time Protocol (NTP) is used to synchronize time in a network
Time information is sent from time server(s) to the clients
No DST or time zone information is transmitted in NTP updates (UTC is sent; the local zone is set with clock timezone / clock summer-time)
A hierarchy of strata defines the accuracy of time information
A stratum defines how "close" you are to the real time source
Stratum 1 is the most precise time server (directly connected to a reference clock, e.g. an atomic clock or GPS receiver)
NTP Configuration
Server
ntp master [stratum]
Client
ntp server address [key id] [source interface]
Peer
ntp peer address [key id]
Verification
show ntp status, show ntp associations [detail]
NTP Security
IPsec
Access-Lists
Control which addresses may act as servers/clients or query the device
ntp access-group {peer | serve | serve-only | query-only} acl
MD5 Authentication
Used to authenticate a time source (the client verifies the server; nothing is encrypted)
ntp authenticate
ntp authentication-key id md5 key
ntp trusted-key id
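The configuration and security slides above as one worked exchange between a server and an authenticated client. This is an added example, not from the original slides; the device roles, addresses (10.0.100.1 as server, 10.0.100.0/24 as the client subnet), key number, key string, stratum and ACL numbers are assumptions.

```cisco
! Added example (not from the original slides). R1 is the authoritative
! server (assumed to have no upstream reference), R2 an authenticated
! client. The shared MD5 key must match on both sides.
!
! ===== R1 (server) =====
ntp authenticate
ntp authentication-key 1 md5 Ntp-Sh4red-K3y
ntp trusted-key 1
! Stratum 3 is assumed; the IOS default for ntp master is 8
ntp master 3
! Only the management subnet may request time from R1, and nobody may
! send NTP control queries to it
access-list 30 permit 10.0.100.0 0.0.0.255
ntp access-group serve-only 30
!
! ===== R2 (client) =====
ntp authenticate
ntp authentication-key 1 md5 Ntp-Sh4red-K3y
ntp trusted-key 1
! Synchronise only from R1, signing requests with key 1 so that R1's
! replies are authenticated; source from a stable loopback
ntp server 10.0.100.1 key 1 source Loopback0
! "peer" is the level that allows synchronising to the listed address;
! any other NTP source is ignored
access-list 31 permit host 10.0.100.1
ntp access-group peer 31
```

On R2, `show ntp associations detail` should show the R1 association as `authenticated` and `sys.peer`; a server that replies without a valid key 1 digest is marked unauthenticated and never selected, which is the protection MD5 authentication provides against a rogue time source. `show ntp status` then reports `Clock is synchronized, stratum 4`, one level below the assumed stratum of R1.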