CCNA Security Commands

Uploaded by: mohammed-mostafa

Posted on 07-Mar-2015

Page 1: CCNA Security Commands

Configure secure administrative access:

username name password password

username name secret password

The password form stores the credential in clear text (or, once service password-encryption is set, as a reversible type 7 string); the secret form stores a one-way hash (MD5, type 5, on classic IOS). Use secret; the password form exists only for compatibility with images that do not support secret.

Page 2

Configure enhanced security for virtual logins

The following commands are available to configure a Cisco IOS device to support the enhanced login features.

Router# configure terminal

Router(config)# login block-for seconds attempts tries within seconds

Router(config)# login quiet-mode access-class {acl-name | acl-number}

Router(config)# login delay seconds

Router(config)# login on-failure log [every login]

Router(config)# login on-success log [every login]
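The commands above assembled into one working configuration, as an added example that is not from the original deck: a local admin account with a hashed secret, the login-hardening commands with a quiet-mode exception for a management host, and the vty lines restricted to SSHv2 (the SSH configuration section that follows covers the same lines). The hostname R1, the domain example.com, the management host 10.1.1.100 and the ACL name ADMIN-HOSTS are assumptions.

```cisco
! Added example, not from the original deck. Hostname, domain name,
! the 10.1.1.100 management host and the name ADMIN-HOSTS are assumptions.
hostname R1
ip domain-name example.com
!
! Local admin account: 'secret' stores a one-way hash, 'password' would not.
username admin privilege 15 secret S3cure-Admin-Pass
!
! Brute-force protection: after 5 failed attempts within 60 s, refuse all
! logins for 120 s (quiet mode), except from the management host.
ip access-list standard ADMIN-HOSTS
 permit host 10.1.1.100
login block-for 120 attempts 5 within 60
login quiet-mode access-class ADMIN-HOSTS
login delay 2
login on-failure log
login on-success log
!
! Management over SSHv2 only, no Telnet; authenticate against the local
! database. The RSA key needs hostname and domain-name set first.
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
 login local
 transport input ssh
 exec-timeout 5 0
!
! Verify: 'show login' reports the block-for settings and whether the
! router is currently in quiet mode; 'show login failures' lists the
! source addresses and user names of recent failed attempts.
```

A practitioner's check: after applying this, deliberately fail five logins from a non-management address and confirm with show login that quiet mode is active, then confirm that the management host can still connect during the block.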

Page 5

SSH configuration

Page 6

Configure privilege level

Page 9

Configure Role based CLI Access

Page 15

Securing the Cisco IOS image & configuration files

Page 17

Using syslog for Network security

Use the following steps to configure system logging.

Step 1. Set the destination logging host using the logging host command.

Step 2. (Optional) Set the log severity (trap) level using the logging trap level command. Messages at that severity and more severe are sent to the host; the default is informational (level 6).

Step 3. Set the source interface using the logging source-interface command. This specifies that syslog packets contain the IPv4 or IPv6 address of a particular interface, regardless of which interface the packet uses to exit the router.

Step 4. Enable logging with the logging on command (it is enabled by default). You can turn logging on and off for the individual destinations using the logging buffered, logging monitor, and logging host global configuration commands. However, if logging on is disabled, no messages are sent to any of these destinations; only the console receives messages.
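The four steps as one configuration, as an added example that is not from the original deck. It also keeps a local buffer for when the collector is unreachable and synchronizes the clock, since a syslog record is only useful as evidence if its timestamp is trustworthy (this is what the NTP section that follows is about). The syslog server 10.1.1.50, the NTP server 10.1.1.10 and Loopback0 are assumptions.

```cisco
! Added example, not from the original deck. The addresses 10.1.1.50 and
! 10.1.1.10 and the Loopback0 interface are assumptions.
!
! Step 1: destination syslog host (UDP/514 unless told otherwise).
logging host 10.1.1.50
! Step 2: send informational (6) and more severe messages to the host.
logging trap informational
! Step 3: stamp every syslog packet with one stable management address,
! whichever interface it leaves by; the collector can then filter on it.
logging source-interface Loopback0
! Step 4: on by default, but state it so a previous 'no logging on' is undone.
logging on
!
! Local copy for incident review if the collector is down or being flooded.
logging buffered 64000 informational
!
! Timestamps with millisecond resolution and an explicit time zone; only
! meaningful when the clock is synchronized, hence NTP.
service timestamps log datetime msec localtime show-timezone
clock timezone UTC 0
ntp server 10.1.1.10
!
! Verify: 'show logging' shows the trap level, the host, and the buffered
! messages; 'show ntp status' must report 'Clock is synchronized'.
```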

Page 18

Using NTP

Page 21

Performing security audit

Locking down the router using auto secure

Page 27

AAA

AAA accounting functions

Page 34

A standard ACL filters on source address only, so it is applied as close to the destination as possible. In this case, traffic from 172.16.4.0/24 is blocked by a standard ACL applied outbound on interface Fa0/0:

R1(config)# access-list 1 deny 172.16.4.0 0.0.0.255

R1(config)# access-list 1 permit any

R1(config)# interface FastEthernet 0/0

R1(config-if)# ip access-group 1 out

Compared to standard ACLs, extended ACLs can permit or deny specific types of traffic. Imagine a scenario in which FTP traffic from one subnet must be denied on another subnet. An extended ACL is required because a specific traffic type is filtered:

R1(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21

R1(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20

R1(config)# access-list 101 permit ip any any

R1(config)# interface FastEthernet 0/1

R1(config-if)# ip access-group 101 in

Extended ACLs match on source and destination, so they are applied close to the source, here inbound on the interface nearest 172.16.4.0/24. Note that the port 20 entry rarely matches anything: in active-mode FTP the data connection is opened by the server with source port 20, and in passive mode the data port is negotiated, so it is the port 21 entry (the control channel) that actually stops FTP sessions from being set up.

Page 38

A network administrator has a situation that requires time-based ACLs. Users are not allowed to access the Internet during business hours, except during lunch and after hours until 7 p.m. when the office closes. This is a time-based ACL that supports the requirement:

R1(config)# time-range employee-time

R1(config-time-range)# periodic weekdays 12:00 to 13:00

R1(config-time-range)# periodic weekdays 17:00 to 19:00

R1(config-time-range)# exit

R1(config)# access-list 100 permit ip 192.168.1.0 0.0.0.255 any time-range employee-time

R1(config)# access-list 100 deny ip any any

R1(config)# interface FastEthernet 0/1

R1(config-if)# ip access-group 100 in

R1(config-if)# exit

Two things to check before deploying this. First, because the only other entry is deny ip any any, outside the time range all traffic entering Fa0/1 from 192.168.1.0/24 is dropped, not just Internet-bound traffic; permit internal destinations ahead of the time-range entry if users must still reach internal servers. Second, the time range is evaluated against the router's own clock, so a wrong clock silently opens or closes access; synchronize it with NTP.
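The time-based ACL above rebuilt as a named extended ACL, as an added example that is not from the original deck: a permit for internal destinations is placed ahead of the time-range entry so that only Internet access is time-limited, the final deny logs what it drops, and the clock is synchronized because the time range depends on it. The internal range 10.0.0.0/8, the NTP server 10.1.1.10 and the names EMPLOYEE-TIME and LAN-IN are assumptions.

```cisco
! Added example, not from the original deck. The 10.0.0.0/8 internal range,
! the NTP server 10.1.1.10 and the names EMPLOYEE-TIME / LAN-IN are assumptions.
time-range EMPLOYEE-TIME
 periodic weekdays 12:00 to 13:00
 periodic weekdays 17:00 to 19:00
!
ip access-list extended LAN-IN
 remark Internal servers are reachable at all times
 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
 remark Everything else (the Internet) only during lunch and after hours
 permit ip 192.168.1.0 0.0.0.255 any time-range EMPLOYEE-TIME
 remark Make the implicit deny explicit and log what it drops
 deny ip any any log
!
interface FastEthernet0/1
 ip access-group LAN-IN in
!
! The time-range entry is evaluated against the router clock: keep it synced.
ntp server 10.1.1.10
!
! Verify: 'show time-range' reports EMPLOYEE-TIME as active or inactive,
! 'show access-lists LAN-IN' shows per-entry match counters, and
! 'show ip interface FastEthernet0/1' confirms the ACL is applied inbound.
```

With the named form, individual entries can later be inserted by sequence number instead of deleting and retyping the whole list, which on a live router is the difference between a one-line change and an outage window.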

Page 42

CBAC provides four main functions: traffic filtering, traffic inspection, intrusion detection, and generation of audits and alerts.

The first CBAC commands were introduced to Cisco IOS software in 1997. CBAC is a dramatic improvement over the TCP established and reflexive ACL firewall options in several fundamental ways:

- Monitors TCP connection setup

- Tracks TCP sequence numbers

- Inspects DNS queries and replies

- Inspects common ICMP message types

- Supports applications that rely on multiple connections

- Inspects embedded addresses

- Inspects Application Layer information

Page 45

Router(config)# ip inspect alert-off

Router(config)# ip inspect audit-trail

Router# show ip inspect [parameter]

Router# debug ip inspect protocol parameter
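A minimal CBAC firewall as an added example that is not from the original deck: outbound sessions are inspected so that only their return traffic is let back in past an ACL that otherwise denies everything from the untrusted side, and the audit trail is switched on so every inspected session's open and close is logged. Serial0/0/0 as the untrusted interface and the names FW-INSPECT and OUTSIDE-IN are assumptions.

```cisco
! Added example, not from the original deck. Serial0/0/0 as the untrusted
! side and the names FW-INSPECT / OUTSIDE-IN are assumptions.
!
! Inspection rule: track outbound TCP, UDP and ICMP sessions, plus FTP so
! the negotiated data channel is opened too (one of CBAC's advantages
! over reflexive ACLs).
ip inspect name FW-INSPECT tcp
ip inspect name FW-INSPECT udp
ip inspect name FW-INSPECT icmp
ip inspect name FW-INSPECT ftp
!
! Log session open/close for every inspected connection; alerts stay on
! (the default), so 'ip inspect alert-off' is deliberately not used.
ip inspect audit-trail
!
! Deny all unsolicited inbound traffic. CBAC adds temporary entries ahead
! of this ACL for the return traffic of sessions it is tracking.
ip access-list extended OUTSIDE-IN
 deny ip any any log
!
interface Serial0/0/0
 description Untrusted side
 ip access-group OUTSIDE-IN in
 ip inspect FW-INSPECT out
!
! Verify: 'show ip inspect sessions' lists the sessions currently tracked;
! 'show ip inspect config' lists the rules and their idle/wait timeouts.
```

Because the ACL denies everything, anything the outside must initiate (for example a VPN peer or a routing-protocol neighbour on that link) needs an explicit permit entry above the deny; the inspection rule only ever opens holes for sessions started from the inside.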

Page 47

Router# show policy-map type inspect zone-pair session

Page 48

Step 1. Download the IOS IPS files.

Step 2. Create an IOS IPS configuration directory in flash.

Step 3. Configure an IOS IPS crypto key.

Step 4. Enable IOS IPS.


Step 5. Load the IOS IPS signature package to the router.
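Steps 2 to 5 as one configuration, as an added example that is not from the original deck. It creates the flash directory, installs the public key used to verify the signature package, creates a rule that retires every signature except the basic category before applying it to an interface (so the router does not try to compile the full set), and then loads the package. The rule name IOSIPS, the interface, the FTP server and the package file name are assumptions, and the text of Cisco's public key is not reproduced here.

```cisco
! Added example, not from the original deck. The rule name IOSIPS, the
! interface, the FTP server and the file name IOS-Sxxx-CLI.pkg are
! assumptions; the Cisco public key lines are not reproduced.
!
! Step 2: directory that holds the compiled signatures.
mkdir flash:ips
!
! Step 3: the public key that signs Cisco's signature packages, pasted
! verbatim from realm-cisco.pub.key (one typo and step 5 fails to verify).
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
  ! ...hex lines copied from realm-cisco.pub.key go here...
  quit
!
! Step 4: create the rule, point it at the directory, log events, retire
! all signatures and un-retire the basic category, then apply inbound.
ip ips name IOSIPS
ip ips config location flash:ips
ip ips notify log
ip ips signature-category
 category all
  retired true
  exit
 category ios_ips basic
  retired false
  exit
 exit
interface GigabitEthernet0/1
 ip ips IOSIPS in
!
! Step 5: load and compile the signature package.
copy ftp://ftp.example.com/IOS-Sxxx-CLI.pkg idconf
!
! Verify: 'show ip ips configuration' shows the rule, location and
! categories; 'show ip ips signatures count' shows how many compiled.
```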

Page 53

These are the steps for configuring port security on an access port:

Step 1. Configure an interface as an access interface.

Switch(config-if)# switchport mode access

If an interface is in the default mode (dynamic auto), it cannot be configured as a secure port.

Step 2. Enable port security on the interface using the switchport port-security command.

The complete syntax includes a number of optional parameters.


Switch(config-if)# switchport port-security [mac-address mac-address [vlan {vlan-id | {access | voice}}]] | [mac-address sticky [mac-address| vlan {vlan-id | {access | voice}}]] [maximum value [vlan {vlan-list | {access | voice}}]]

Step 3. (Optional) Set the maximum number of secure MAC addresses for the interface.

Switch(config-if)# switchport port-security maximum value

The range given in the course text is 1 to 132; the upper limit is platform-dependent. The default is 1.
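The three steps applied to one access port, as an added example that is not from the original deck. It goes slightly beyond the steps above by choosing how learned addresses are kept (sticky) and what happens on a violation, since those are the optional parameters the syntax line lists. FastEthernet0/5, VLAN 10 and the recovery interval are assumptions.

```cisco
! Added example, not from the original deck. FastEthernet0/5, VLAN 10 and
! the 300 s recovery interval are assumptions.
interface FastEthernet0/5
 description User access port
 ! Step 1: must be a static access port; dynamic auto is not accepted.
 switchport mode access
 switchport access vlan 10
 ! Step 2: enable port security (defaults: maximum 1, violation shutdown).
 switchport port-security
 ! Step 3: two addresses, enough for an IP phone with a PC behind it.
 switchport port-security maximum 2
 ! Learn the first two addresses dynamically and write them into the
 ! running-config as static entries; save the config to keep them.
 switchport port-security mac-address sticky
 ! 'restrict' drops frames from unknown addresses and raises a syslog
 ! message and SNMP trap; the default 'shutdown' err-disables the port.
 switchport port-security violation restrict
!
! For ports left in 'shutdown' mode, recover automatically after 5 minutes
! instead of requiring a manual shutdown / no shutdown.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verify: 'show port-security interface FastEthernet0/5' shows the mode,
! the maximum, the current count and the last violating source address;
! 'show port-security address' lists the secure addresses on every port.
```

The violation counter in show port-security interface is the thing to watch: a port that keeps incrementing in restrict mode is either a hub, an unauthorized switch, or someone trying addresses, and each is worth a look.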
