Professional Documents
Culture Documents
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Section 2.1:
Securing Device Access
Upon completion of this section, you should be able to:
• Explain how to secure a network perimeter.
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Topic 2.1.1:
Securing the Edge Router
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
Securing the Network Infrastructure
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
Edge Router Security Approaches
Single Router Approach
DMZ Approach
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 6
Three Areas of Router Security
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 7
Secure Administrative Access
Tasks:
• Restrict device accessibility
• Authenticate access
• Authorize actions
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 8
Secure Local and Remote Access
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 9
Secure Local and Remote Access (Cont.)
Dedicated Management Network
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 10
Topic 2.1.2:
Configuring Secure Administrative Access
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 11
Strong Passwords
Guidelines:
• Use a password length of 10 or more characters.
• Include a mix of uppercase and lowercase letters, numbers, symbols, and spaces.
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 12
Increasing Access Security
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 13
Secret Password Algorithms
Guidelines:
• Configure all secret passwords using type 8 or type 9 passwords
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 14
Securing Line Access
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 15
Topic 2.1.3:
Configuring Enhanced Security for Virtual Logins
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 16
Enhancing the Login Process
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 17
Configuring Login Enhancement Features
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 18
Enable Login Enhancements
Command Syntax: login block-for
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 19
Logging Failed Attempts
Generate Login Syslog Messages
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 20
Topic 2.1.4:
Configuring SSH
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 21
Steps for Configuring SSH
Example SSH Configuration
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 22
Modifying the SSH Configuration
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 23
Connecting to an SSH-Enabled Router
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 24
Section 2.2:
Assigning Administrative Roles
Upon completion of this section, you should be able to:
• Configure administrative privilege levels to control command availability.
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 25
Topic 2.2.1:
Configuring Privilege Levels
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 26
Limiting Command Availability
Privilege levels: Levels of access commands:
• Level 0: Predefined for user-level access privileges. • User EXEC mode (privilege level 1)
Lowest EXEC mode user privileges
• Level 1: Default level for login with the router prompt.
Only user-level command available at the router>
• Level 2-14: May be customized for user-level privileges. prompt
• Level 15: Reserved for the enable mode privileges. • Privileged EXEC mode (privilege level 15)
All enable-level commands at the router# prompt
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 27
Configuring and Assigning Privilege Levels
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 28
Limitations of Privilege Levels
• No access control to specific interfaces, ports, logical interfaces, and
slots on a router
• Commands available at lower privilege levels are always executable at
higher privilege levels
• Commands specifically set at higher privilege levels are not available
for lower privilege users
• Assigning a command with multiple keywords allows access to all
commands that use those
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 29
Topic 2.2.2:
Configuring Role-Based CLI
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 30
Role-Based CLI Access
For example:
• Security operator privileges
Configure AAA
Issue show commands
Configure firewall
Configure IDS/IPS
Configure NetFlow
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 31
Role-Based Views
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 32
Configuring Role-Based Views
Step 1
Step 2
Step 3
Step 4
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 33
Configuring Role-Based CLI Superviews
Step 1
Step 2
Step 3
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 34
Verify Role-Based CLI Views
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 35
Section 2.3:
Monitoring and Managing Devices
Upon completion of this section, you should be able to:
• Use the Cisco IOS resilient configuration feature to secure the Cisco IOS image
and configuration files.
• Compare in-band and out-of band management access.
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 36
Topic 2.3.1:
Securing Cisco IOS Image and Configuration Files
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 37
Cisco IOS Resilient Configuration Feature
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 38
Enabling the IOS Image Resilience Feature
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 39
The Primary Bootset Image
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 40
Configuring Secure Copy
Configure the router for server-side SCP with local AAA:
1. Configure SSH
3. Enable AAA
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 41
Recovering a Router Password
1. Connect to the console port.
5. Change the default configuration register with the confreg 0x2142 command.
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 42
Password Recovery
Password Recovery
Functionality is Disabled
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 43
Topic 2.3.2:
Secure Management and Reporting
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 44
Determining the Type of Management Access
In-Band Management:
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 45
Topic 2.3.3:
Using Syslog for Network Security
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 46
Introduction to Syslog
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 47
Syslog Operation
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 48
Syslog Message
Security Levels
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 49
Syslog Message (Cont.)
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 50
Syslog Systems
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 51
Configuring System Logging
Step 1
Step 2 (optional)
Step 3
Step 4
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 52
Topic 2.3.4:
Using SNMP for Network Security
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 53
Introduction to SNMP
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 54
Management Information Base
Cisco MIB
Hierarchy
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 55
SNMP Versions
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 56
SNMP Vulnerabilities
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 57
SNMPv3
Message integrity & authentication
Encryption
Access control
• Agent may enforce access control to restrict each principal to certain actions on specific
portions of data.
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 58
Configuring SNMPv3 Security
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 59
Secure SNMPv3 Configuration Example
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 60
Verifying the SNMPv3 Configuration
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 61
Topic 2.3.5:
Using NTP
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 62
Network Time Protocol
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 63
NTP Server
Sample NTP
Configuration on R1
Sample NTP
Configuration on R2
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 64
NTP Authentication
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 65
Section 2.4:
Using Automated Security Features
Upon completion of this section, you should be able to:
• Use security audit tools to determine IOS-based router vulnerabilities.
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 66
Topic 2.4.1:
Performing a Security Audit
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 67
Discovery Protocols CDP and LLDP
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 68
Settings for Protocols and Services
There is a detailed list of security settings for protocols and services
provided in Figure 2 of this page in the course.
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 69
Topic 2.4.2:
Locking Down a Router Using AutoSecure
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 70
Cisco AutoSecure
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 71
Using the Cisco AutoSecure Feature
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 72
Using the auto secure Command
1. The auto secure command is entered
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 73
Section 2.5:
Securing the Control Plane
Upon completion of this section, you should be able to:
• Configure a routing protocol authentication.
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 74
Topic 2.5.1:
Routing Protocol Authentication
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 75
Routing Protocol Spoofing
Consequences of protocol spoofing:
• Redirect traffic to create routing loops.
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 76
OSPF MD5 Routing Protocol Authentication
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 77
OSPF SHA Routing Protocol Authentication
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 78
Topic 2.5.2:
Control Plane Policing
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 79
Network Device Operations
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 80
Control and Management Plane Vulnerabilities
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 81
CoPP Operation
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 82
Section 2.6:
Summary
Chapter Objectives:
• Configure secure administrative access.
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 83
Thank you.
Instructor Resources
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 85