CCNA Security 02

Upload: syed-ubaid-ali-jafri

Post on 04-Apr-2018


  • 7/31/2019 CCNA Security 02


© 2009 Cisco Learning Institute.

Major Concepts

- Discuss the aspects of router hardening
- Configure secure administrative access and router resiliency
- Configure network devices for monitoring administrative access
- Demonstrate network monitoring techniques
- Secure IOS-based routers using automated features


Lesson Objectives

Upon completion of this lesson, the successful participant will be able to:

1. Describe how to configure a secure network perimeter
2. Demonstrate the configuration of secure router administration access
3. Describe how to enhance the security for virtual logins
4. Describe the steps to configure an SSH daemon for secure remote management
5. Describe the purpose and configuration of administrative privilege levels
6. Configure the role-based CLI access feature to provide hierarchical administrative access


Lesson Objectives (continued)

7. Use the Cisco IOS resilient configuration feature to secure the Cisco IOS image and configuration files
8. Describe the factors to consider when securing the data that transmits over the network related to network management and reporting of device activity
9. Configure syslog for network security
10. Configure SNMP for network security
11. Configure NTP to enable accurate time stamping between all devices
12. Describe the router services, interfaces, and management services that are vulnerable to network attacks and perform a security audit
13. Lock down a router using AutoSecure
14. Lock down a router using SDM

Securing Device Access

Securing the Edge Router
Configuring Secure Administrative Access
Configuring Support for Virtual Logins
Configuring SSH


The Edge Router

What is the edge router?
- The last router between the internal network and an untrusted network such as the Internet
- Functions as the first and last line of defense
- Implements security actions based on the organization's security policies

How can the edge router be secured?
- Use various perimeter router implementations
- Consider physical security, operating system security, and router hardening
- Secure administrative access
- Local versus remote router access


Perimeter Implementations

Single Router Approach: A single router connects the internal LAN to the Internet. All security policies are configured on this device.

Defense-in-depth Approach: The router passes everything through to the firewall. A set of rules determines what traffic the router will allow or deny.

DMZ Approach: The DMZ is set up between two routers. Most traffic filtering is left to the firewall.

[Figure: three topologies for LAN 1 (192.168.2.0). Single router: LAN 1, R1, Internet. Defense-in-depth: LAN 1, firewall, R1, Internet. DMZ: LAN 1, R2 with firewall, DMZ, R1, Internet.]

Areas of Router Security

Physical Security
- Place the router in a secured, locked room
- Install an uninterruptible power supply

Operating System Security
- Use the latest stable version that meets network requirements
- Keep a copy of the O/S and configuration file as a backup

Router Hardening
- Secure administrative control
- Disable unused ports and interfaces
- Disable unnecessary services


Securing Administrative Access

Restrict Device Accessibility: Limit the accessible ports, restrict the permitted communicators, and restrict the permitted methods of access.

Log and Account for All Access: Record anyone who accesses a device.

Authenticate Access: Ensure access is only granted to authenticated users, groups, and services.

Authorize Actions: Restrict the actions and views permitted by any particular user, group, or service.

Present Legal Notification: Display a legal notice for interactive sessions.

Ensure the Confidentiality of Data: Protect locally stored sensitive data from viewing and copying.


Local Versus Remote Access

Local Access: Requires a direct connection to a console port using a computer running terminal emulation software.

Remote Access: Uses Telnet, SSH, HTTP, or SNMP connections to the router from a computer. Of these, only SSH protects credentials and session contents in transit; Telnet, HTTP, and SNMPv1/v2c send them in the clear.

[Figure: local access, an administrator connected to the console port of R1 on LAN 1; remote access, an administration host and a logging host on a management LAN (LAN 3) reaching R1 and R2/firewall across LAN 2 and the Internet.]

Secure Administrative Access

Passwords
Access Port Passwords
Password Security
Creating Users


Passwords

- An acceptable password length is 10 or more characters
- Complex passwords include a mix of upper and lowercase letters, numbers, symbols, and spaces
- Avoid any password based on repetition, dictionary words, letter or number sequences, usernames, relative or pet names, or biographical information
- Deliberately misspell a password (Security = 5ecur1ty). Note that simple substitutions like this are part of standard password-cracking rule sets, so on their own they add little
- Change passwords often
- Do not write passwords down and leave them in obvious places


Access Port Passwords

    R1(config)# enable secret cisco
    R1(config)# line con 0
    R1(config-line)# password cisco
    R1(config-line)# login
    R1(config)# line aux 0
    R1(config-line)# password cisco
    R1(config-line)# login
    R1(config)# line vty 0 4
    R1(config-line)# password cisco
    R1(config-line)# login

- enable secret restricts access to privileged EXEC mode.
- line con 0 / password / login establish a login password on the console line.
- line aux 0 / password / login establish a login password for dial-up modem connections.
- line vty 0 4 / password / login establish a login password on incoming Telnet sessions.

(The password cisco is the slide's placeholder, not a value to use.)


Password Security

To increase the security of passwords, use additional configuration parameters:
- Minimum password lengths should be enforced (security passwords min-length)
- Unattended connections should be disabled (exec-timeout on each line)
- All passwords in the configuration file should be encrypted (service password-encryption)

    R1(config)# service password-encryption
    R1(config)# exit
    R1# show running-config
    line con 0
     exec-timeout 3 30
     password 7 094F471A1A0A
     login
    line aux 0
     exec-timeout 3 30
     password 7 094F471A1A0A
     login

Note that service password-encryption only obfuscates line and enable passwords with the reversible "type 7" scheme. It protects against shoulder-surfing of a displayed configuration, not against anyone who obtains the configuration file. Use enable secret and username ... secret, which store hashes instead.
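The reversibility just mentioned is easy to demonstrate. The following Python is an added example, not part of the Cisco slides: it decodes the type-7 string shown above (094F471A1A0A) using the fixed key that IOS uses for this scheme, and scans a configuration for every such password. The sample configuration text inside it is constructed for the example from the two line stanzas on this slide.

```python
# Added example: decode Cisco IOS "type 7" passwords (service password-encryption).
# Type 7 is a fixed-key XOR obfuscation, not encryption: the two leading decimal
# digits give an offset into a constant key, and every following byte is XORed
# with the next key byte.  The key below is the well-known IOS constant.
XLAT_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Return the plaintext for a type-7 string such as '094F471A1A0A'."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("expected a 2-digit seed followed by hex byte pairs")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ XLAT_KEY[(seed + i) % len(XLAT_KEY)] for i, b in enumerate(body))
    return plain.decode("ascii")


def encode_type7(plain: str, seed: int = 9) -> str:
    """Inverse transform; IOS picks a seed between 0 and 15 when it writes the config."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    body = bytes(ord(c) ^ XLAT_KEY[(seed + i) % len(XLAT_KEY)] for i, c in enumerate(plain))
    return f"{seed:02d}{body.hex().upper()}"


def type7_passwords(config_text: str) -> dict:
    """Map every 'password 7 <hex>' value found in a config to its plaintext."""
    found = {}
    for line in config_text.splitlines():
        parts = line.split()
        # matches ' password 7 <hex>' under a line, 'enable password 7 <hex>',
        # and 'username <name> password 7 <hex>'
        if len(parts) >= 3 and parts[-2] == "7" and parts[-3] == "password":
            found[parts[-1]] = decode_type7(parts[-1])
    return found


# Constructed sample: the two line stanzas shown on the slide above.
SAMPLE_CONFIG = """\
line con 0
 exec-timeout 3 30
 password 7 094F471A1A0A
 login
line aux 0
 exec-timeout 3 30
 password 7 094F471A1A0A
 login
"""

if __name__ == "__main__":
    for enc, plain in type7_passwords(SAMPLE_CONFIG).items():
        print(f"{enc} -> {plain}")
```

Running it prints 094F471A1A0A -> cisco, the password typed on the previous slide. This is why the slides move on to secret (hashed) passwords for users and the enable password in the next sections.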


Creating Users

    username name secret {[0] password | 5 encrypted-secret}

Parameter         Description
name              Specifies the username.
0                 (Optional) Indicates that the plaintext password is to be hashed by the router using MD5.
password          The plaintext password to be hashed using MD5.
5                 Indicates that the encrypted-secret password was already hashed using MD5.
encrypted-secret  The MD5 hash that is stored as the user's secret.

Newer IOS releases (15.3(3)M and later) also accept type 8 (PBKDF2-SHA-256) and type 9 (scrypt) secrets, which are far slower to brute-force than the MD5-based type 5 and should be preferred where available.


Virtual Logins

Virtual Login Security
Enhanced Login Features
System Logging Messages
Banner Messages


Virtual Login Security

[Figure: a password-guessing attack against a Telnet login]
    Welcome to SPAN Engineering
    User Access Verification
    Password: cisco
    Password: cisco1
    Password: cisco12
    Password: cisco123
    Password: cisco1234
    Password: cisco12345
    Password: cisco123456

Tips:
- Implement delays between successive login attempts
- Enable login shutdown if DoS attacks are suspected
- Generate system logging messages for login detection


Enhanced Login Features

The commands used to configure a Cisco IOS device for the enhanced login features are covered on the following slides: login block-for, which enables the feature and sets the thresholds, and login on-failure log and login on-success log, which generate the system logging messages.


login block-for Command

All login enhancement features are disabled by default. The login block-for command (syntax: login block-for seconds attempts tries within seconds) enables configuration of the login enhancement features.

The login block-for feature monitors login device activity and operates in two modes:
- Normal mode (watch mode): The router keeps count of the number of failed login attempts within the configured amount of time.
- Quiet mode (quiet period): If the number of failed logins exceeds the configured threshold, all login attempts made using Telnet, SSH, and HTTP are denied for the configured block period. Hosts matched by an ACL referenced with login quiet-mode access-class are exempt, so that administrators are not locked out of the device during an attack.


System Logging Messages

To generate log messages for successful and failed logins:
- login on-failure log
- login on-success log

To generate a message when the failure rate is exceeded:
- security authentication failure rate threshold-rate log

To verify that the login block-for command is configured and which mode the router is currently in:
- show login

To display more information regarding the failed attempts:
- show login failures
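The watch-mode/quiet-mode behaviour described on the last two slides can be modelled directly. The following Python is an added example, not Cisco code: a LoginGuard takes the three parameters of login block-for, keeps a sliding window of failed attempts, enters quiet mode when the threshold is reached, honours an exempt address set the way login quiet-mode access-class does, and records messages in the style of the on-failure/on-success log lines. The message wording and the addresses in the demo are constructed; real IOS text differs.

```python
# Added example: a model of `login block-for <block> attempts <tries> within <window>`.
# Not IOS code; the log strings only imitate the SEC_LOGIN facility wording.
from collections import deque


class LoginGuard:
    def __init__(self, block_for, attempts, within, quiet_acl=()):
        self.block_for = block_for        # seconds to stay in quiet mode
        self.attempts = attempts          # failures that trigger quiet mode
        self.within = within              # watch window in seconds
        self.quiet_acl = set(quiet_acl)   # hosts exempt during quiet mode
        self.failures = deque()           # timestamps of failures inside the window
        self.quiet_until = None           # end of the current quiet period
        self.log = []                     # messages in the style of `login on-failure log`

    def mode(self, now):
        """'watch' or 'quiet'; also logs the quiet-mode-off transition when it expires."""
        if self.quiet_until is not None:
            if now < self.quiet_until:
                return "quiet"
            self.quiet_until = None
            self.log.append("%SEC_LOGIN-5-QUIET_MODE_OFF: quiet period expired, watching logins")
        return "watch"

    def permitted(self, now, src):
        """Whether a connection from src is even offered a login prompt."""
        return self.mode(now) == "watch" or src in self.quiet_acl

    def record(self, now, src, user, success):
        """Feed one login outcome.  Returns False when the attempt was refused outright."""
        if not self.permitted(now, src):
            return False                  # quiet mode: Telnet/SSH/HTTP logins are dropped
        if success:
            self.log.append(f"%SEC_LOGIN-5-LOGIN_SUCCESS: user {user} from {src}")
            return True
        self.log.append(f"%SEC_LOGIN-4-LOGIN_FAILED: user {user} from {src}")
        self.failures.append(now)
        while self.failures and self.failures[0] <= now - self.within:
            self.failures.popleft()       # forget failures that fell out of the window
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures.clear()         # the counter restarts after the quiet period
            self.log.append(
                f"%SEC_LOGIN-1-QUIET_MODE_ON: {self.attempts} failures within "
                f"{self.within}s, blocking logins for {self.block_for}s")
        return True


def demo():
    """login block-for 120 attempts 3 within 60, with 10.0.0.5 exempt (constructed addresses)."""
    g = LoginGuard(block_for=120, attempts=3, within=60, quiet_acl={"10.0.0.5"})
    for t in (0, 10, 20):
        g.record(t, "198.51.100.7", "admin", success=False)
    blocked = g.record(100, "198.51.100.7", "admin", success=True)   # refused: quiet mode
    exempt = g.record(100, "10.0.0.5", "admin", success=True)        # allowed: on the ACL
    after = g.record(141, "198.51.100.7", "admin", success=True)     # allowed: quiet expired
    return g, blocked, exempt, after


if __name__ == "__main__":
    guard, *_ = demo()
    print("\n".join(guard.log))
```

The demo shows the two points that matter operationally: a correct password is still refused from a non-exempt host while the quiet period runs, and failures spread wider than the watch window never add up to the threshold, so the window must be sized for the guess rate you actually expect.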


SSH Versions 1 and 2
Configuring the Router
SSH Commands
Connecting to the Router
Using SDM to Configure the SSH Daemon

What's the difference between versions 1 and 2 of the SSH protocol?
http://www.snailbook.com/faq/ssh-1-vs-2.auto.html

Preliminary Steps

Complete the following prior to configuring routers for the SSH protocol:

1. Ensure that the target routers are running a Cisco IOS Release 12.1(1)T image or later to support SSH (a crypto-capable image; SSH is not included in every feature set).
2. Ensure that each of the target routers has a unique hostname.
3. Ensure that each of the target routers is using the correct domain name of the network.
4. Ensure that the target routers are configured for local authentication, or for authentication, authorization, and accounting (AAA) services for username or password authentication, or both. This is mandatory for a router-to-router SSH connection.


Configuring the Router for SSH

    R1# conf t
    R1(config)# ip domain-name span.com
    R1(config)# crypto key generate rsa general-keys modulus 1024
    The name for the keys will be: R1.span.com
    % The key modulus size is 1024 bits
    % Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
    R1(config)#
    *Dec 13 16:19:12.079: %SSH-5-ENABLED: SSH 1.99 has been enabled
    R1(config)# username Bob secret cisco
    R1(config)# line vty 0 4
    R1(config-line)# login local
    R1(config-line)# transport input ssh
    R1(config-line)# exit

1. Configure the IP domain name of the network (the key name is derived from hostname.domain).
2. Generate the RSA key pair. The slide uses a 1024-bit modulus; current guidance is 2048 bits or more.
3. Verify or create a local database entry.
4. Enable VTY inbound SSH sessions only (transport input ssh removes Telnet from the vty lines).

"SSH 1.99" in the log message means the server is offering both SSHv1 and SSHv2 to clients; the next slide pins it to version 2.


Optional SSH Commands

    R1# show ip ssh
    SSH Enabled - version 1.99
    Authentication timeout: 120 secs; Authentication retries: 3
    R1#
    R1# conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    R1(config)# ip ssh version 2
    R1(config)# ip ssh time-out 60
    R1(config)# ip ssh authentication-retries 2
    R1(config)# ^Z
    R1# show ip ssh
    SSH Enabled - version 2.0
    Authentication timeout: 60 secs; Authentication retries: 2
    R1#
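A practitioner usually wants to verify these settings across many devices rather than read each configuration by hand. The following Python is an added example, not from the slides or from Cisco: it audits a saved running-config for the administrative-access settings covered so far (enable secret, service password-encryption, exec-timeout, login block-for, per-line passwords, and SSH-only vty access pinned to version 2). The configuration text inside it is constructed for the example and the hash values in it are placeholders.

```python
# Added example: audit an IOS running-config for the device-access hardening
# covered in this chapter.  Checks are string matches on the CLI shown on the
# slides; SAMPLE_CONFIG is constructed and its hashes are placeholders.
SAMPLE_CONFIG = """\
version 12.4
service password-encryption
hostname R1
enable secret 5 $1$placeholder$notarealhash
username Bob secret 5 $1$placeholder$notarealhash
ip domain-name span.com
ip ssh version 2
login block-for 120 attempts 3 within 60
line con 0
 exec-timeout 3 30
 password 7 094F471A1A0A
 login
line aux 0
 password 7 094F471A1A0A
 login
line vty 0 4
 login local
 transport input telnet ssh
"""


def line_stanzas(config):
    """Map each 'line <name>' stanza to its indented child commands."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None
    return stanzas


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    top = [l for l in config.splitlines() if l and not l.startswith(" ")]

    if "service password-encryption" not in top:
        findings.append("global: service password-encryption is off; line passwords stored in clear")
    if not any(l.startswith("enable secret") for l in top):
        findings.append("global: no enable secret; privileged EXEC relies on a reversible or absent password")
    if "ip ssh version 2" not in top:
        findings.append("global: SSH not pinned to version 2 (1.99 still accepts SSHv1 clients)")
    if not any(l.startswith("login block-for") for l in top):
        findings.append("global: login block-for not configured; no throttling of password guessing")

    for name, cmds in line_stanzas(config).items():
        if not any(c.startswith("exec-timeout") for c in cmds):
            findings.append(f"line {name}: no exec-timeout (default 10 min leaves unattended sessions open)")
        if any(c.startswith("password 7") for c in cmds):
            findings.append(f"line {name}: type-7 line password is reversible; prefer login local with secrets")
        if name.startswith("vty"):
            transport = next((c for c in cmds if c.startswith("transport input")), None)
            if transport is None or "telnet" in transport or transport.endswith(" all"):
                findings.append(f"line {name}: {transport or 'no transport input'} permits Telnet; use transport input ssh")
            if "login local" not in cmds and not any(c.startswith("login authentication") for c in cmds):
                findings.append(f"line {name}: no per-user authentication (login local or AAA) on vty")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FAIL", finding)
```

On the constructed configuration the auditor flags the aux line (no exec-timeout, type-7 password), the console's type-7 password, and the vty lines for still accepting Telnet and lacking a timeout; the global settings pass. Replace the vty stanza with exec-timeout and transport input ssh and the vty findings disappear.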


Connecting to the Router

There are two different ways to connect to an SSH-enabled router:
- Connect using an SSH-enabled Cisco router
- Connect using an SSH client running on a host

1. There are no current SSH sessions ongoing with R1:

    R1# show ssh
    %No SSHv2 server connections running.
    %No SSHv1 server connections running.
    R1#

2. R2 establishes an SSH connection with R1:

    R2# ssh -l Bob 192.168.2.101
    Password:
    R1>

3. R1 now shows session 0, an SSHv2 session for user Bob, with both its incoming and outgoing directions:

    R1# show ssh
    Connection Version Mode Encryption Hmac      State           Username
    0          2.0     IN   aes128-cbc hmac-sha1 Session started Bob
    0          2.0     OUT  aes128-cbc hmac-sha1 Session started Bob
    %No SSHv1 server connections running.
    R1#


Using SDM

1. Choose Configure > Additional Tasks > Router Access > SSH
2. Possible status options:
   - RSA key is not set on this router
   - RSA key is set on this router
3. Enter a modulus size and generate a key, if there is no key configured
4. To configure SSH on the vty lines, choose Configure > Additional Tasks > Router Access > VTY

Assigning Administrative Roles

Configuring Privilege Levels
Configuring Role-Based CLI Access


Configuring Privilege Levels

Introduction
Privilege CLI Command
Privilege Level for Users
Assigning Usernames
Disadvantages


Configuring for Privilege Levels

By default:
- User EXEC mode (privilege level 1)
- Privileged EXEC mode (privilege level 15)

Sixteen privilege levels (0 through 15) are available. Each level has access to its own commands plus those of every lower level, so a level-5 user also gets every level-1 command.

Methods of providing privileged-level infrastructure access:
- Privilege Levels
- Role-Based CLI Access

[Figure: command groups (Config, AAA, Show, Firewall, IDS/IPS, NetFlow) stacked across the privilege levels.]


Privilege CLI Command

    router(config)# privilege mode {level level command | reset command}

Parameter   Description
mode        Specifies the configuration mode. Use the privilege ? command to see a complete list of router configuration modes available.
level       (Optional) Enables setting a privilege level for a specified command.
level       The privilege level associated with the command (specify up to 16 privilege levels, using numbers 0 to 15).
command     The command whose privilege level is being set or reset.
reset       (Optional) Resets the privilege level of a command to its default.


Privilege Levels for Users

- A USER account with normal, level 1 access.
- A SUPPORT account with level 1 and ping command access.
- A JR-ADMIN account with the same privileges as the SUPPORT account plus access to the reload command.
- An ADMIN account which has all of the regular privileged EXEC commands.

    R1# conf t
    R1(config)# username USER privilege 1 secret cisco
    R1(config)#
    R1(config)# privilege exec level 5 ping
    R1(config)# enable secret level 5 cisco5
    R1(config)# username SUPPORT privilege 5 secret cisco5
    R1(config)#
    R1(config)# privilege exec level 10 reload
    R1(config)# enable secret level 10 cisco10
    R1(config)# username JR-ADMIN privilege 10 secret cisco10
    R1(config)#
    R1(config)# username ADMIN privilege 15 secret cisco123
    R1(config)#

(The passwords are the slide's placeholders.)


Privilege Levels

    R1> enable 5
    Password:
    R1#
    R1# show privilege
    Current privilege level is 5
    R1#
    R1# reload
    Translating "reload"
    Translating "reload"
    % Unknown command or computer name, or unable to find computer address
    R1#

- The enable level command is used to switch from level 1 to level 5.
- The show privilege command displays the current privilege level.
- The user cannot use the reload command, which was assigned to level 10. Because the parser does not recognize it at level 5, IOS tries to resolve "reload" as a hostname, hence the Translating messages.


Configuring Role-Based CLI Access

Role-Based CLI
Types of Views
Creating and Managing a View
View Commands
Verifying a View


Role-Based CLI

Controls which commands are available to specific roles.

Different views of router configurations are created for different users, providing:
- Security: Defines the set of CLI commands that is accessible by a particular user by controlling user access to configure specific ports, logical interfaces, and slots on a router.
- Availability: Prevents unintentional execution of CLI commands by unauthorized personnel.
- Operational Efficiency: Users only see the CLI commands applicable to the ports and CLI to which they have access.


Role-Based Views

Root View: To configure any view for the system, the administrator must be in the root view. The root view has all of the access privileges of a user who has level 15 privileges.

View: A specific set of commands can be bundled into a CLI view. Each view must be assigned all commands associated with that view; there is no inheritance of commands from other views. Commands may, however, be reused within several views.

Superview: Allows a network administrator to assign users and groups of users multiple CLI views at once, instead of having to assign a single CLI view per user with all commands associated to that one CLI view.


Creating and Managing a View

1. Enable AAA with the global configuration command aaa new-model. Exit, and enter the root view with the enable view command.
2. Create a view using the parser view view-name command.
3. Assign a secret password to the view using the secret encrypted-password command.
4. Assign commands to the selected view using the commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command] command in view configuration mode.
5. Exit view configuration mode by typing the command exit.


View Commands

    router# enable [view [view-name]]

Used to enter a CLI view.

Parameter   Description
view        Enters the root view, which enables users to configure CLI views. This keyword is required if you want to configure a CLI view.
view-name   (Optional) Enters or exits a specified CLI view. This keyword can be used to switch from one CLI view to another CLI view.

    router(config)# parser view view-name

Creates a view and enters view configuration mode.

    router(config-view)# secret encrypted-password

Sets a password to protect access to the view. The password must be created immediately after creating a view.


Creating and Managing a Superview

1. Create a superview using the parser view view-name superview command, which enters superview configuration mode.
2. Assign a secret password to the superview using the secret encrypted-password command.
3. Add an existing view using the view view-name command in superview configuration mode (repeat for each view the superview should contain).
4. Exit superview configuration mode by typing the command exit.


Verifying a View

    R1# show parser view
    No view is active ! Currently in Privilege Level Context
    R1#
    R1# enable view
    Password:
    *Mar 1 10:38:56.233: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.
    R1#
    R1# show parser view
    Current view is 'root'
    R1#
    R1# show parser view all
    Views/SuperViews Present in System:
    SHOWVIEW
    VERIFYVIEW


Monitoring and Managing Devices

Securing the IOS Image and Configuration Files
Secure Management and Reporting
Using syslog
Using SNMP
Using NTP


Resilient Configuration Facts

- The configuration file in the primary bootset is a copy of the running configuration that was in the router when the feature was first enabled.
- The feature secures the smallest working set of files to preserve persistent storage space. No extra space is required to secure the primary IOS image file.
- The feature automatically detects image or configuration version mismatch.
- Only local storage is used for securing files.
- The feature can be disabled only through a console session.
- The secured files are hidden from dir and cannot be removed with erase or delete. The prompt below, from erase startup-config, removes the normal NVRAM configuration but leaves the secure bootset intact.

    R1# erase startup-config
    Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]


CLI Commands

    router(config)# secure boot-image

Enables Cisco IOS image resilience.

    router(config)# secure boot-config

Takes a snapshot of the router running configuration and securely archives it in persistent storage.


Restoring the Primary Bootset

To restore a primary bootset from a secure archive:

1. Reload the router using the reload command.
2. From ROMmon mode, enter the dir command to list the contents of the device that contains the secure bootset file. The device name can be found in the output of the show secure bootset command.
3. Boot the router using the secure bootset image with the boot command and the filename found in step 2. Once the compromised router boots, proceed to privileged EXEC mode and restore the configuration.
4. Enter global configuration mode using conf t.
5. Restore the secure configuration to the supplied filename using secure boot-config restore filename.


Password Recovery Procedures

1. Connect to the console port.
2. Use the show version command to view and record the configuration register.
3. Use the power switch to turn off the router, and then turn the router back on.
4. Press Break on the terminal keyboard within 60 seconds of power-up to put the router into ROMmon.
5. At the rommon 1> prompt, type confreg 0x2142.
6. Type reset at the rommon 2> prompt. The router reboots but ignores the saved configuration.
7. Type no after each setup question, or press Ctrl-C to skip the initial setup procedure.
8. Type enable at the Router> prompt.


Password Recovery Procedures (continued)

9. Type copy startup-config running-config to copy the NVRAM configuration into memory.
10. Type show running-config.
11. Enter global configuration mode and type the enable secret command to change the enable secret password.
12. Issue the no shutdown command on every interface to be used. Once enabled, issue a show ip interface brief command. Every interface to be used should display up up.
13. Type config-register configuration_register_setting. The configuration_register_setting is either the value recorded in step 2 or 0x2102.
14. Save configuration changes using the copy running-config startup-config command.

This procedure requires only physical console access, which is why physical security of the router matters: anyone with the console and the power switch can take over the device unless password recovery is disabled (next slide).


Preventing Password Recovery

    R1(config)# no service password-recovery
    WARNING:
    Executing this command will disable password recovery mechanism.
    Do not execute this command without another plan for password recovery.
    Are you sure you want to continue? [yes/no]: yes
    R1(config)#

    R1# sho run
    Building configuration...
    Current configuration : 836 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    no service password-recovery

Boot output after the change:

    System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 2006 by cisco Systems, Inc.
    PLD version 0x10
    GIO ASIC version 0x127
    c1841 platform with 131072 Kbytes of main memory
    Main memory is configured to 64 bit mode with parity disabled
    PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
    program load complete, entry point: 0x8000f000, size: 0xcb80

With password recovery disabled, a lost enable secret can only be dealt with by returning the router to factory defaults, which erases the configuration, so keep an offline copy of the configuration before enabling this.

Secure Management and Reporting

Implementing Secure Management
Planning
Factors to Consider


Planning

When logging and managing information, the information flow between management hosts and the managed devices can take two paths:
- Out-of-band (OOB): Information flows on a dedicated management network on which no production traffic resides.
- In-band: Information flows across the enterprise production network, the Internet, or both, using regular data channels.


Factors to Consider

- OOB management is appropriate for large enterprise networks.
- In-band management is recommended in smaller networks, providing a more cost-effective security deployment.
- Be aware of the security vulnerabilities of using remote management tools with in-band management: management traffic shares the path with user and attacker traffic, so use encrypted protocols (SSH, SNMPv3, HTTPS) and restrict management access to known source addresses.


Using Syslog

Implementing Router Logging
Syslog
Configuring System Logging
Enabling Syslog using SDM/CCP


Implementing Router Logging

Configure the router to send log messages to:

Console: Console logging is used when modifying or testing the router while it is connected to the console. Messages sent to the console are not stored by the router and, therefore, are not very valuable as security events.

Terminal lines: Configure enabled EXEC sessions to receive log messages on any terminal lines. Similar to console logging, this type of logging is not stored by the router and, therefore, is only valuable to the user on that line.


Implementing Router Logging (continued)

Buffered logging: Store log messages in router memory. Log messages are stored for a time, but events are cleared whenever the router is rebooted.

SNMP traps: Certain thresholds can be preconfigured. Events can be processed by the router and forwarded as SNMP traps to an external SNMP server. Requires the configuration and maintenance of an SNMP system.

Syslog: Configure routers to forward log messages to an external syslog service. This service can reside on any number of servers, including Microsoft Windows and UNIX-based systems, or the Cisco Security MARS appliance. Syslog over UDP is unauthenticated and unencrypted, so an attacker on the path can drop or forge messages; keep the syslog server on the management network and treat it as the authoritative copy, since an attacker who controls the router can clear its local buffer.


Syslog

Syslog servers: Known as log hosts, these systems accept and process log messages from syslog clients.

Syslog clients: Routers or other types of equipment that generate and forward log messages to syslog servers.

[Figure: R3 as the syslog client, with e0/0 10.2.1.1, e0/1 10.2.2.1 on the DMZ LAN 10.2.2.0/24 (public web server 10.2.2.3, mail server 10.2.2.4, administrator server 10.2.2.5), and e0/2 10.2.3.1 on the protected LAN 10.2.3.0/24 (syslog server 10.2.3.2, user 10.2.3.3).]


Configuring System Logging

    R3(config)# logging 10.2.2.6
    R3(config)# logging trap informational
    R3(config)# logging source-interface loopback 0
    R3(config)# logging on

1. Set the destination logging host
2. Set the log severity (trap) level: messages at this severity and more severe (lower numbers) are forwarded
3. Set the source interface (a loopback gives the log host a stable source address to filter on)
4. Enable logging

Turn logging on and off using the logging buffered, logging monitor, and logging commands.
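To see what the trap level actually filters, here is an added Python example (not from the slides): it parses IOS-format syslog lines into facility, severity and mnemonic, and applies the same rule as logging trap level, forwarding only messages at that severity or more severe. Two of the sample lines are taken from earlier slides (the SSH enable message and the view-switch message); the third line and the host addresses in it are constructed.

```python
# Added example: parse IOS syslog messages and apply the `logging trap` filter.
import re

# Severity names as IOS uses them in `logging trap <level>`; lower = more severe.
SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}
LEVEL_OF = {name: num for num, name in SEVERITY.items()}

# <seq>: <timestamp>: %FACILITY-SEVERITY-MNEMONIC: text   (sequence and timestamp optional)
MSG_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?"
    r"(?:\*?(?P<ts>[A-Z][a-z]{2} +\d+ [\d:.]+): )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$")


def parse(line):
    """Return a dict for an IOS syslog line, or None if it is not one."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    return {"facility": m["facility"], "severity": int(m["sev"]),
            "mnemonic": m["mnemonic"], "text": m["text"], "timestamp": m["ts"]}


def forwarded(lines, trap_level="informational"):
    """Messages a router configured with `logging trap <trap_level>` would send to the log host."""
    limit = LEVEL_OF[trap_level]
    return [msg for msg in map(parse, lines) if msg and msg["severity"] <= limit]


SAMPLE_LINES = [
    "*Dec 13 16:19:12.079: %SSH-5-ENABLED: SSH 1.99 has been enabled",                 # from the SSH slide
    "*Mar  1 10:38:56.233: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.",   # from the view slide
    "000042: *Mar  1 10:40:01.000: %SYS-5-CONFIG_I: Configured from console by Bob on vty0 (10.2.2.5)",  # constructed
    "not a syslog line at all",
]

if __name__ == "__main__":
    for level in ("informational", "notifications", "warnings"):
        sent = forwarded(SAMPLE_LINES, level)
        print(f"logging trap {level}: {[m['mnemonic'] for m in sent]}")
```

With logging trap informational all three messages reach the log host; with notifications the level-6 view switch is dropped, and with warnings nothing is sent. Configuration changes (SYS-5-CONFIG_I) and login events are level 5 or more severe, which is why informational or notifications is the usual choice for a security log host.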


Enabling Syslog Using SDM/CCP

1. Choose Configure > Additional Tasks > Router Properties > Logging
2. Click Edit
3. Check Enable Logging Level and choose the desired logging level
4. Click Add, and enter an IP address of a logging host
5. Click OK


Monitor Logging with SDM

1. Choose Monitor > Logging
2. See the logging hosts to which the router logs messages
3. Choose the minimum severity level
4. Monitor the messages, update the screen to show the most current log entries, and clear all syslog messages from the router log buffer


Using SNMP for Network Security

SNMP
Community Strings
SNMPv3 Security Levels
Trap Receivers


SNMP

- Developed to manage nodes, such as servers, workstations, routers, switches, hubs, and security appliances on an IP network
- All versions are application layer protocols that facilitate the exchange of management information between network devices
- Part of the TCP/IP protocol suite
- Enables network administrators to manage network performance, find and solve network problems, and plan for network growth
- Three separate versions of SNMP: v1, v2c, and v3. Only SNMPv3 provides authentication and encryption; v1 and v2c rely on community strings sent in cleartext


Community Strings

A community string is a text string that can authenticate messages between a management station and an SNMP agent and allow access to the information in MIBs.

- Read-only (RO) community: Provides read-only access to all objects in the MIB except the community strings.
- Read-write (RW) community: Provides read-write access to all objects in the MIB except the community strings.

A read-write community is effectively an administrative credential: with it, an attacker can change the configuration (for example, by triggering a TFTP copy of the running-config through CISCO-CONFIG-COPY-MIB). Never use the defaults public and private, restrict SNMP with an access list, and prefer SNMPv3.


    SNMPv3

    [Figure: NMS to Managed Node over an encrypted tunnel]

    Transmissions from manager to agent may be authenticated to guarantee the identity of the sender and the integrity and timeliness of a message.

    Messages may be encrypted to ensure privacy.

    Agent may enforce access control to restrict each principal to certain actions on certain portions of its data.
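The two slides above (community strings, then SNMPv3) describe the difference in words; the following Python is an added example, written for this page and not taken from the course or from any Cisco code, that shows it in bytes. snmpv2c_get() builds a BER-encoded SNMPv2c GetRequest so the community string can be seen sitting in the clear. password_to_key() is the RFC 3414 A.2 algorithm an SNMPv3 agent uses to turn a user's passphrase into a key localized to that agent's snmpEngineID, and auth_tag()/verify() are the HMAC-96 authentication of RFC 3414 section 6. The community name, the message bytes and the second engine ID are constructed; the passphrase "maplesyrup" with engine ID 00..02 is the RFC 3414 A.3 test vector.

```python
"""Added example (not from the course, not Cisco code): SNMPv2c community
string in the clear versus SNMPv3 USM key localization and HMAC-96
authentication (RFC 3414). Sample values are constructed."""
import hashlib
import hmac

# --- SNMPv1/v2c: the community string is an OCTET STRING in the packet ---

def _tlv(tag, body):
    # Short-form BER length; enough for the small packets built here.
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def _int(value):
    # Small non-negative INTEGER (0..127) is a single content octet.
    assert 0 <= value < 128
    return _tlv(0x02, bytes([value]))

SYSNAME_OID = bytes.fromhex("2b06010201010500")  # 1.3.6.1.2.1.1.5.0 (sysName.0), BER form

def snmpv2c_get(community, oid=SYSNAME_OID, request_id=1):
    """SNMPv2c GetRequest: SEQUENCE { version 1, community, GetRequest-PDU }."""
    varbind = _tlv(0x30, _tlv(0x06, oid) + _tlv(0x05, b""))          # { oid, NULL }
    pdu = _tlv(0xA0, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(1) + _tlv(0x04, community.encode()) + pdu)

# --- SNMPv3 USM: key localization and HMAC-96 authentication ---

EXPANSION = 1_048_576  # RFC 3414 A.2: the passphrase is repeated out to 2**20 octets

def password_to_key(password, engine_id, algo="md5"):
    """Ku = H(password repeated to 1 MiB); Kul = H(Ku || snmpEngineID || Ku).
    The localized key differs per agent, so a key extracted from one device
    does not authenticate the same user to another device."""
    pw = password.encode()
    stream = (pw * (EXPANSION // len(pw) + 1))[:EXPANSION]
    ku = hashlib.new(algo, stream).digest()
    return hashlib.new(algo, ku + engine_id + ku).digest()

def auth_tag(localized_key, message, algo="md5"):
    """msgAuthenticationParameters: first 12 octets of the HMAC over the whole message."""
    return hmac.new(localized_key, message, algo).digest()[:12]

def verify(localized_key, message, tag, algo="md5"):
    return hmac.compare_digest(auth_tag(localized_key, message, algo), tag)

# Constructed values; RFC 3414 A.3 uses this engine ID and passphrase as its test vector.
ENGINE_ID = bytes.fromhex("000000000000000000000002")
MESSAGE = b"constructed SNMPv3 message bytes, not a real BER PDU"

def demo():
    """Returns (genuine accepted, tampered rejected, other-agent key rejected)."""
    key = password_to_key("maplesyrup", ENGINE_ID)
    tag = auth_tag(key, MESSAGE)
    other = password_to_key("maplesyrup", ENGINE_ID[:-1] + b"\x03")  # same user, other engine
    return (verify(key, MESSAGE, tag),
            verify(key, MESSAGE + b"\x00", tag),
            verify(other, MESSAGE, tag))

if __name__ == "__main__":
    pkt = snmpv2c_get("public")
    print("v2c community visible in packet:", b"public" in pkt, pkt.hex())
    print("localized MD5 key:", password_to_key("maplesyrup", ENGINE_ID).hex())
    print("v3 auth results:", demo())
```

The v2c packet contains the literal bytes of "public"; the v3 path never puts the passphrase or the key on the wire, and because the key is localized with the engine ID, the same passphrase yields a different key on every agent.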


    Trap Receivers

    1. Click Edit

    2. Click Add

    3. Enter the IP address or the hostname of the trap receiver and the password (the SNMP community string the router sends with its traps)

    4. Click OK

    5. To edit or delete an existing trap receiver, choose a trap receiver from the trap receiver list and click Edit or Delete

    6. When the trap receiver list is complete, click OK


    Uses

    Clocks on hosts and network devices must be maintained and synchronized to ensure that log messages are synchronized with one another

    The date and time settings of the router can be set using one of two methods:

    - Manually edit the date and time

    - Configure Network Time Protocol


    Timekeeping

    Pulling the clock time from the Internet means that unsecured packets are allowed through the firewall

    Many NTP servers on the Internet do not require any authentication of peers

    Devices are given the IP address of NTP masters. In an NTP-configured network, one or more routers are designated as the master clock keeper (known as an NTP master) using the ntp master global configuration command.

    NTP clients either contact the master or listen for messages from the master to synchronize their clocks. To contact the server, use the ntp server ntp-server-address command. In a LAN environment, NTP can be configured to use IP broadcast messages instead, by using the ntp broadcast client command.


    Features/Functions

    There are two security mechanisms available:

    - An ACL-based restriction scheme (ntp access-group)

    - A keyed-hash (MD5) authentication mechanism, as offered by NTP version 3 or higher. It authenticates the peer and protects message integrity; it does not encrypt the time packets.

    Implement NTP version 3 or higher. Use the following commands on both the NTP master and the NTP client:

    - ntp authenticate

    - ntp authentication-key key-number md5 key-value

    - ntp trusted-key key-number
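What those three commands switch on is the symmetric-key message authentication of NTP versions 3 and 4 (RFC 1305 / RFC 5905): the 48-octet NTP header is followed by a 4-octet key identifier and the 16-octet MD5 digest of the key concatenated with the header. The Python below is an added example written for this page, not course material and not Cisco's implementation; key number 7 and its value are hypothetical, and the packets are constructed rather than captured. verify() does what an "ntp authenticate" peer does, and accept() shows the difference a missing "ntp authenticate" makes.

```python
"""Added example (not from the course, not Cisco code): NTP v3/v4 symmetric-key
authentication as enabled by 'ntp authenticate', 'ntp authentication-key 7 md5 ...'
and 'ntp trusted-key 7'. Key id 7 and its value are hypothetical."""
import hashlib
import hmac
import struct

HEADER_LEN = 48
MAC_LEN = 4 + 16                     # key identifier + MD5 digest

KEYS = {7: b"S3cr3tNtpK3y"}          # ntp authentication-key 7 md5 S3cr3tNtpK3y (hypothetical)
TRUSTED_KEYS = frozenset({7})        # ntp trusted-key 7

def ntp_client_header(version=3, tx_seconds=0, tx_fraction=0):
    """48-octet header with LI=0, VN=version, Mode=3 (client); other fields zero."""
    first = (0 << 6) | (version << 3) | 3
    fixed = struct.pack("!BBBb", first, 0, 0, 0)      # LI/VN/Mode, stratum, poll, precision
    return fixed + b"\x00" * 36 + struct.pack("!II", tx_seconds, tx_fraction)

def sign(header, key_id, keys=KEYS):
    """Append keyID || MD5(key || header). This is a keyed digest, not encryption:
    the header stays readable, it just cannot be altered without the key."""
    if len(header) != HEADER_LEN:
        raise ValueError("expected a 48-octet NTP header")
    digest = hashlib.md5(keys[key_id] + header).digest()
    return header + struct.pack("!I", key_id) + digest

def verify(packet, keys=KEYS, trusted=TRUSTED_KEYS):
    """What an 'ntp authenticate' peer checks before accepting time from a packet."""
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False                                   # no MAC, or a truncated one
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in keys or key_id not in trusted:
        return False                                   # unknown key, or not in ntp trusted-key
    expected = hashlib.md5(keys[key_id] + header).digest()
    return hmac.compare_digest(expected, mac[4:])

def accept(packet, authenticate_enabled, **kw):
    """Without 'ntp authenticate', a bare unauthenticated packet is accepted as-is."""
    if not authenticate_enabled:
        return len(packet) >= HEADER_LEN
    return verify(packet, **kw)

def demo():
    """(genuine, tampered, key not trusted, unauth with authenticate off, unauth with it on)"""
    pkt = sign(ntp_client_header(tx_seconds=0xE1000000), 7)
    tampered = pkt[:1] + bytes([2]) + pkt[2:]         # stratum field changed after signing
    return (verify(pkt),
            verify(tampered),
            verify(pkt, trusted=frozenset()),           # key configured but not trusted
            accept(ntp_client_header(), False),
            accept(ntp_client_header(), True))

if __name__ == "__main__":
    print(demo())
```

The third result is why "ntp trusted-key" is required in addition to "ntp authentication-key": a key that is configured but not trusted does not authenticate a peer. The last two show that without "ntp authenticate" a forged, unauthenticated packet is accepted as readily as a genuine one.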


    Enabling NTP

    1. Choose Configure > Additional Tasks > Router Properties > NTP/SNTP

    2. Click Add

    3. Add an NTP server by name or by IP address

    4. Choose the interface that the router will use to communicate with the NTP server

    5. Check Prefer if this NTP server is a preferred server (more than one is allowed)

    6. If authentication is used, check Authentication Key and enter the key number, the key value, and confirm the key value

    7. Click OK


    Automated Security Features

    Performing Security Audits

    Using Automated Tools

    Locking Down a Router Using SDM


    Performing a Security Audit

    Security Practices

    Security Audit

    Security Audit Wizard


    Security Practices

    Determine what devices should use CDP

    To ensure a device is secure:

    - Disable unnecessary services and interfaces

    - Disable and restrict commonly configured management services, such as SNMP

    - Disable probes and scans, such as ICMP

    - Ensure terminal access security

    - Disable gratuitous and proxy Address Resolution Protocol (ARP)

    - Disable IP-directed broadcast


    SDM Security Audit

    Perform Security Audit: lets the administrator choose which configuration changes to implement

    One-Step Lockdown: automatically makes all recommended security-related configuration changes


    Security Audit Wizard

    Compares router configuration against recommended settings:

    Shut down unneeded servers

    Disable unneeded services

    Apply the firewall to the outside interfaces

    Disable or harden SNMP

    Shut down unused interfaces

    Check password strength

    Enforce the use of ACLs
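The Security Practices list and the Security Audit Wizard checklist above describe the same job: compare a running configuration with a set of hardening rules and report what differs. The Python below is an added example written for this page; it is not SDM's rule set and not Cisco code. It parses IOS running-config text into its blocks and checks it for the items on the two lists (HTTP server, default or RW SNMP communities, small servers and finger, CDP, source routing, password encryption, directed broadcast and proxy ARP on live interfaces, Telnet on the vty lines). SAMPLE_CONFIG is constructed, and the finding names are this example's own.

```python
"""Added example (not from the course, not SDM's rule set): audit IOS
running-config text against the Security Audit checklist. SAMPLE_CONFIG is
constructed for illustration."""
import re

SAMPLE_CONFIG = """\
version 12.4
service password-encryption
hostname R1
ip http server
snmp-server community public RO
snmp-server community private RW
ip finger
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip directed-broadcast
 ip proxy-arp
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no ip proxy-arp
 shutdown
!
line vty 0 4
 transport input telnet ssh
 login local
!
"""

DEFAULT_COMMUNITIES = {"public", "private"}
UNNEEDED_SERVICES = ("ip finger", "ip bootp server",
                     "service tcp-small-servers", "service udp-small-servers")

def parse_blocks(config):
    """Map each non-indented line to the indented lines beneath it (its block)."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip():
            continue
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = line.rstrip()
            blocks.setdefault(current, [])
    return blocks

def audit(config):
    """Return (finding, where, fix) tuples for settings that fail the checklist."""
    blocks = parse_blocks(config)
    top = set(blocks)                       # global (non-indented) lines
    findings = []
    flag = lambda code, where, fix: findings.append((code, where, fix))

    if "ip http server" in top:
        flag("http-server", "global", "no ip http server (use ip http secure-server if SDM is needed)")
    for line in top:
        m = re.match(r"snmp-server community (\S+)(?:\s+(ro|rw))?", line, re.I)
        if m:
            name, mode = m.group(1), (m.group(2) or "RO").upper()
            if name.lower() in DEFAULT_COMMUNITIES:
                flag("snmp-default-community", line, "replace the well-known community string or disable SNMP")
            if mode == "RW":
                flag("snmp-rw", line, "remove RW access; prefer SNMPv3 authPriv")
    for svc in UNNEEDED_SERVICES:
        if svc in top:
            flag("unneeded-service", svc, "no " + svc)
    # CDP and IP source routing are on by default and absent from show run;
    # only their explicit 'no' forms prove they were turned off.
    if "no cdp run" not in top:
        flag("cdp-global", "global", "no cdp run, or no cdp enable on untrusted interfaces")
    if "no ip source-route" not in top:
        flag("source-route", "global", "no ip source-route")
    if "service password-encryption" not in top:
        flag("password-encryption", "global", "service password-encryption")

    for name, lines in blocks.items():
        if name.startswith("interface "):
            if "shutdown" in lines:
                continue                    # a shut, unused interface is the desired state
            if "ip directed-broadcast" in lines:
                flag("directed-broadcast", name, "no ip directed-broadcast")
            if "no ip proxy-arp" not in lines:
                flag("proxy-arp", name, "no ip proxy-arp (proxy ARP is on by default)")
        elif name.startswith("line vty"):
            for l in lines:
                if l.startswith("transport input") and "telnet" in l.split():
                    flag("telnet", name, "transport input ssh")
    return findings

if __name__ == "__main__":
    for code, where, fix in audit(SAMPLE_CONFIG):
        print(f"{code:24} {where:36} -> {fix}")
```

Two details matter for this kind of check: defaults that are on but invisible in show run (CDP, source routing, proxy ARP) have to be tested for the absence of their "no" form, not the presence of a line; and a shut interface is deliberately skipped, because shutting unused interfaces is itself the recommended fix.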


    Using Automated Tools

    Cisco AutoSecure

    AutoSecure Command


    Cisco AutoSecure

    Initiated from the CLI and executes a script. The AutoSecure feature first makes recommendations for fixing security vulnerabilities, and then modifies the security configuration of the router.

    Can lock down the management plane functions and the forwarding plane services and functions of a router

    Used to provide a baseline security policy on a new router


    Auto Secure Command

    Command to enable the Cisco AutoSecure feature setup:

    auto secure [no-interact]

    In interactive mode, the router prompts with options to enable and disable services and other security features. This is the default mode, but it can also be selected explicitly with the auto secure full command. With the no-interact keyword, AutoSecure applies its recommended settings without prompting, so review the resulting configuration afterwards.


    Auto Secure Command

    R1# auto secure ?
      firewall       AutoSecure Firewall
      forwarding     Secure Forwarding Plane
      full           Interactive full session of AutoSecure
      login          AutoSecure Login
      management     Secure Management Plane
      no-interact    Non-interactive session of AutoSecure
      ntp            AutoSecure NTP
      ssh            AutoSecure SSH
      tcp-intercept  AutoSecure TCP Intercept
    R1#

    Full syntax:

    router# auto secure [no-interact | full] [forwarding | management] [ntp | login | ssh | firewall | tcp-intercept]


    Cisco One-Step Lockdown

    Tests router configuration for any potential security problems and automatically makes the necessary configuration changes to correct any problems found


    AutoSecure Versus SDM Security Audit One-Step Lockdown

    R1# auto secure
    --- AutoSecure Configuration ---

    *** AutoSecure configuration enhances the security of
    the router, but it will not make it absolutely
    resistant to all security attacks ***

    AutoSecure will modify the configuration of your device.
    All configuration changes will be shown. For a detailed
    explanation of how the configuration changes enhance
    security and any possible side effects, please refer to
    Cisco.com for Autosecure documentation.

    Compared with the SDM One-Step Lockdown, Cisco AutoSecure also:

    - Disables NTP

    - Configures AAA

    - Sets SPD values

    - Enables TCP intercept

    - Configures anti-spoofing ACLs on outside-facing interfaces

    SDM implements some of the following features differently:

    - SNMP is disabled, but SDM will not configure SNMPv3

    - SSH is enabled and configured on images that support this feature

    - Secure Copy Protocol (SCP) is not enabled; unsecure FTP is
