The flashcards below were created by user on FreezingBlue Flashcards.
Edge router: the last router between the internal network and an untrusted network such as the Internet.
- Functions as the first and last line of defense
- Implements security actions based on the organization's security policies
Single router approach
- A single router connects the protected network (internal LAN) to the Internet; all filtering is done on that router.
Defense-in-depth approach
- The edge router passes everything through to the firewall. A set of rules determines what traffic the router will allow or deny.
DMZ approach
- The DMZ is set up between two routers. Most traffic filtering is left to the firewall.
How can the edge router be secured?
- Use various perimeter router implementations
- Consider physical security, operating system security, and router hardening
- Secure administrative access (local versus remote router access)
Physical security
- Place the router in a secured, locked room
- Install an uninterruptible power supply (UPS)
Operating System Security
- Use the latest stable version that meets network requirements
- Keep a copy of the O/S image and configuration file as a backup
Router hardening
- Secure administrative control
- Disable unused ports and interfaces
- Disable unnecessary services
Things to do to secure administrative access to routers:
- Restrict device accessibility
- Log and account for all access
- Authenticate access
- Authorize actions
- Present legal notification
- Ensure the confidentiality of data
When accessing the router remotely:
- Encrypt all traffic
- Establish a dedicated management network
- Configure a packet filter to allow only the identified administration hosts
Password management in a large network should be maintained using a central TACACS+ or RADIUS authentication server such as the Cisco Secure Access Control Server (ACS).
The enable secret password global configuration command restricts access to privileged EXEC mode; the secret is stored as an MD5 hash (type 5). Newer IOS releases (15.3(3)M and later) can store it as a type 8 (PBKDF2-SHA256) or type 9 (scrypt) hash with enable algorithm-type {sha256 | scrypt} secret, which should be preferred where available.
By default Cisco routers provide five vty lines (line vty 0 4), so five simultaneous virtual terminal (Telnet or SSH) sessions.
To increase the security of passwords, the following should be configured:
- Enforce minimum password lengths
- Disable unattended connections
- Encrypt all passwords in the configuration file
Minimum character length
- security passwords min-length length (0 to 16 characters); a minimum of 10 is recommended
- Enforced on enable secret, enable password, username and line passwords configured after the command is entered
Disable unattended connections
- By default a console or vty session stays active and logged in for 10 minutes after the last session activity (exec-timeout 10 0)
- The timer should be fine-tuned to 2 to 3 minutes at most (exec-timeout minutes seconds under the line)
Encrypt all passwords
- The service password-encryption command obscures passwords in the configuration file. It does not hash them: it applies reversible type 7 encoding, which any type 7 decoder reverses, so it only protects against casual viewing of the configuration.
Stronger password protection
- The enable secret command stores a one-way MD5 hash (type 5) instead of a reversible type 7 string
Two methods of configuring local username accounts
- username name password password (stored in clear text, or type 7 with service password-encryption)
- username name secret password (more secure: stored as an MD5 hash, type 5)
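The password measures above, applied together on one router. This is an added example and not configuration from the original flashcards; the hostname, passwords and username are placeholders.

```cisco
! Added example (not from the original flashcards). Hostname, passwords
! and the username are assumed placeholders; substitute your own.
hostname R1
!
! Reject any new enable/username/line password shorter than 10 characters.
security passwords min-length 10
!
! Privileged EXEC secret: stored as a one-way hash, never "enable password".
enable secret Str0ngEn4ble!!
!
! Local account: "secret" stores a hash, "password" would store type 7 at best.
username admin privilege 15 secret Adm1nS3cret!!
!
! Obscure any remaining "password" lines (reversible type 7). This only
! defeats shoulder-surfing of the config; it is not a substitute for secret.
service password-encryption
!
! Log out unattended sessions after 2 minutes on console and vty.
line console 0
 exec-timeout 2 0
 login local
line vty 0 4
 exec-timeout 2 0
 login local
!
! On IOS 15.3(3)M and later, prefer scrypt (type 9) over MD5 (type 5):
!   enable algorithm-type scrypt secret Str0ngEn4ble!!
!   username admin privilege 15 algorithm-type scrypt secret Adm1nS3cret!!
```

Check the result with show running-config | include secret: an MD5 hash appears as `secret 5 $1$...`, a scrypt hash as `secret 9 $9$...`; a `password 7` line means the value is still reversible.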
Virtual Login Security Enhancements
- Implement delays between successive login attempts.
- Enable login shutdown if DoS attacks are suspected.
- Generate system logging messages for login detection.
A dictionary attack, which is used to gain administrative access to a device, floods the device with thousands of username and password combinations.
Use the login block-for command to enable the login enhancements:
- This command must be issued before any other login command can be used.
- This command can help provide DoS detection and prevention.
The login block-for feature monitors login device activity and operates in two modes:
Normal mode (watch mode)
- The router keeps count of the number of failed login attempts within an identified amount of time.
Quiet mode (quiet period)
- If the number of failed logins exceeds the configured threshold, all login attempts using Telnet, SSH, and HTTP are denied for the quiet period.
login quiet-mode access-class
- Specifies an ACL that is applied to the router when it switches to quiet mode and identifies hosts that are exempt from the quiet-mode failure time. If not configured, all login requests are denied during quiet mode.
login delay
- Helps mitigate dictionary attacks by enforcing a delay between successive login attempts.
- This is an optional command. If not set, a default delay of one second is enforced after the login block-for command is configured.
The auto secure command enables message logging for failed login attempts. Logging of successful login attempts is not enabled by default; use login on-success log (and login on-failure log to set failed-attempt logging explicitly).
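The login enhancements above as one configuration. This is an added example, not from the original flashcards; the ACL name, management addresses and thresholds are assumed and should be tuned to the environment.

```cisco
! Added example (not from the original flashcards). ACL name, addresses
! and thresholds are assumed.
!
! Management stations that may still log in while the router is in quiet mode.
ip access-list standard PERMIT-ADMIN
 permit 10.10.10.100
 permit 10.10.10.101
!
! Watch mode: count failures. After 5 failed logins within 60 seconds,
! enter quiet mode for 120 seconds. This line must come before any other
! "login" command or they are rejected.
login block-for 120 attempts 5 within 60
!
! Quiet mode: deny Telnet/SSH/HTTP logins from everyone except PERMIT-ADMIN.
! Without this, the administrator is locked out too during the quiet period.
login quiet-mode access-class PERMIT-ADMIN
!
! 3 seconds between successive attempts (default 1 s once block-for is set),
! which slows a dictionary attack from thousands to a few hundred tries per hour.
login delay 3
!
! Syslog on both failed and successful logins so the attack and any eventual
! success are visible to the log host.
login on-failure log
login on-success log
```

Verify with show login (current mode, quiet-period ACL, remaining quiet time) and show login failures (source addresses and usernames of recent failed attempts).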
Use banner messages to present legal notification to potential intruders to inform them that they are not welcome on the network.
SSH has replaced Telnet as the recommended practice for providing remote router administration with connections that support confidentiality and session integrity.
- Step 1: Configure the IP domain name (the router also needs a hostname other than the default)
- Step 2: Generate the RSA key pair (crypto key generate rsa)
- Step 3: Verify or create a local database entry (username ... secret)
- Step 4: Enable VTY inbound SSH sessions (transport input ssh, login local)
SSH version 1 (SSHv1) has known weaknesses; use the more secure SSH version 2 (SSHv2).
SSHv2 provides better security using the Diffie-Hellman key exchange and the strong integrity-checking message authentication code (MAC).
The time interval that the router waits for the SSH client to respond during the SSH negotiation phase can be configured using ip ssh time-out seconds
- default is 120 seconds
To configure a different number of consecutive SSH authentication retries, use
- ip ssh authentication-retries integer
- default 3 attempts
There are two different ways to connect to an SSH-enabled router:
- using the privileged EXEC mode ssh command on another Cisco device.
- using a publicly and commercially available SSH client running on a host.
The SSH key settings have two status options (check with show crypto key mypubkey rsa at the CLI):
- RSA key is not set on this router
- RSA key is set on this router
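The four SSH steps, the legal banner and the "only identified administration hosts" packet filter from the remote-access section, combined on one router. This is an added example rather than configuration from the original flashcards; the hostname, domain, addresses, ACL name and credentials are placeholders.

```cisco
! Added example (not from the original flashcards). Hostname, domain name,
! addresses, ACL name and credentials are assumed placeholders.
!
! Step 1: a real hostname and domain name (the key is named from them).
hostname R1
ip domain-name example.net
!
! Step 2: generate the RSA key pair the SSH server uses (2048-bit).
crypto key generate rsa general-keys modulus 2048
!
! Step 3: local account to authenticate against.
username admin privilege 15 secret Adm1nS3cret!!
!
! SSHv2 only; abort negotiation after 60 s; two password tries per session
! (defaults are 120 s and 3 tries).
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
!
! Legal notification shown before the login prompt.
banner login ^
Unauthorized access to this device is prohibited.
All activity is monitored and logged.
^
!
! Step 4: vty lines accept SSH only, and only from the management subnet.
ip access-list standard MGMT-HOSTS
 permit 10.10.10.0 0.0.0.255
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 login local
 exec-timeout 2 0
```

Verify with show ip ssh (version, timeout, retries) and show crypto key mypubkey rsa (key present and its size). From another IOS device, connect with ssh -l admin 10.10.10.1 in privileged EXEC mode; a Telnet attempt to the same address must now be refused.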
Privilege levels determine who should be allowed to connect to the device and what that person should be able to do with it.
CLI has two levels of access to commands.
- User EXEC mode (privilege level 1) - Provides the lowest EXEC mode user privileges and allows only user-level commands available at the router> prompt.
- Privileged EXEC mode (privilege level 15) - Includes all enable-level commands at the router# prompt.
There are 16 privilege levels in total.
- Level 0: Predefined for user-level access privileges
- Level 1: The default level for login with the router prompt router>
- Levels 2 –14: May be customized for user-level privileges
- Level 15: Reserved for the enable mode privileges (enable command). Users can change configurations and view configuration files.
Two methods of limiting administrative (infrastructure) access on Cisco IOS:
- Privilege levels
- Role-based CLI access
Two methods for assigning passwords to the different privilege levels:
- enable secret level level password
- username name privilege level secret password
Administrators might not find privilege levels suitable because of the following limitations:
- No access control to specific interfaces, ports, logical interfaces, and slots on a router.
- Commands available at lower privilege levels are always executable at higher levels.
- Commands specifically set on a higher privilege level are not available for lower privileged users.
- Assigning a command with multiple keywords to a specific privilege level also assigns all commands associated with the first keywords to the same privilege level. For example, moving show ip route to level 5 also makes show and show ip available at level 5.
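A custom privilege level that illustrates both password methods and the multi-keyword limitation. This is an added example, not from the original flashcards; the level number, usernames and secrets are assumed.

```cisco
! Added example (not from the original flashcards). Level, usernames and
! secrets are assumed.
!
! Level 5: an operator who may inspect routing and clear interface counters
! but cannot enter configuration mode.
privilege exec level 5 show ip route
privilege exec level 5 clear counters
! Side effect of the multi-keyword rule: "show" and "show ip" now sit at
! level 5 as well, so the operator also gets every "show ip ..." command
! that is at level 1 or lower. Review with "show privilege" from that user.
!
! Method 1: a per-level enable secret, reached with "enable 5".
enable secret level 5 L3v3l5S3cret!!
!
! Method 2: bind the level to the account so login lands at level 5 directly.
username operator privilege 5 secret 0p3r4torS3cret!!
!
! Full administrator.
username admin privilege 15 secret Adm1nS3cret!!
!
line vty 0 4
 login local
 transport input ssh
```

Logged in as operator, show privilege reports level 5, show ip route and clear counters succeed, and configure terminal is rejected because it remains at level 15.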
Role-based CLI access controls which commands are available to specific roles. Each view defines the CLI commands that each user can access.
- Security: Defines the set of CLI commands that is accessible by a particular user by controlling user access to configure specific ports, logical interfaces, and slots on a router
- Availability: Prevents unintentional execution of CLI commands by unauthorized personnel
- Operational efficiency: Users only see the CLI commands applicable to the ports and CLI to which they have access
Role-based CLI provides three types of views:
- Root view
- CLI view
- Superview
Root view
- Has all of the access privileges of a user who has level 15 privileges; it is required to create or modify views (enable view).
CLI view
- Each view must be assigned all commands associated with that view; there is no inheritance of commands from other views.
Superview
- Allows a network administrator to assign users and groups of users multiple CLI views at once, instead of having to assign a single CLI view per user with all commands associated to that one CLI view.
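Two CLI views and a superview that bundles them, showing the per-view command assignment and the lack of inheritance. This is an added example, not from the original flashcards; view names, secrets and the chosen command sets are assumed.

```cisco
! Added example (not from the original flashcards). View names, secrets and
! command sets are assumed.
!
! Views require AAA and are created from the root view, entered with the
! enable secret:   R1# enable view
aaa new-model
!
! Read-only monitoring view. Every command must be listed explicitly;
! "include all show ip" grants the whole "show ip ..." subtree.
parser view SHOWVIEW
 secret Sh0wV1ewS3cret!
 commands exec include show version
 commands exec include all show ip
 commands exec include show interfaces
!
! Interface-operations view: may enter config mode, but inside it only
! "interface ...", and there only shutdown/no shutdown and description.
parser view INTVIEW
 secret 1ntV1ewS3cret!!
 commands exec include configure terminal
 commands configure include interface
 commands interface include all shutdown
 commands interface include description
!
! Superview: owns no commands itself, only the union of its member views.
! An operator assigned NOC-SUPER gets SHOWVIEW plus INTVIEW at once.
parser view NOC-SUPER superview
 secret N0cSup3rS3cret!
 view SHOWVIEW
 view INTVIEW
```

Switch with enable view NOC-SUPER (prompted for the view secret) and confirm with show parser view; from the root view, show parser view all lists every configured view. A user inside SHOWVIEW sees only the listed commands in ? help, because nothing is inherited from other views.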
Cisco IOS Resilient Configuration facts
- The configuration file in the primary bootset is a copy of the running configuration that was in the router when the feature was first enabled.
- The feature secures the smallest working set of files to preserve persistent storage space. No extra space is required to secure the primary Cisco IOS image file.
- The feature automatically detects image or configuration version mismatch.
- Only local storage is used for securing files, eliminating scalability maintenance challenges from storing multiple images and configurations on TFTP servers.
- The feature can be disabled only through a console session.
secure boot-image
- Enables Cisco IOS image resilience. Prevents the IOS image from being deleted or renamed by a malicious user; the secured image is hidden from directory listings.
secure boot-config
- Takes a snapshot of the router's running configuration and securely archives it in persistent storage.
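Enabling, verifying and recovering with the resilient configuration feature, as an added example that is not from the original flashcards. The restore filename is an assumed placeholder; the image and archive names reported by show secure bootset depend on the platform.

```cisco
! Added example (not from the original flashcards). The restore filename
! is assumed; actual bootset filenames vary by platform and image.
!
! Protect the running IOS image: it can no longer be deleted or renamed
! from the CLI and disappears from "dir" output.
R1(config)# secure boot-image
! Archive the current running configuration to persistent storage.
R1(config)# secure boot-config
R1(config)# end
!
! Confirm both halves of the bootset (image name, archive name, timestamp).
R1# show secure bootset
!
! Recovery after a config wipe: write the archived copy back to flash,
! then load it. The image itself is still on flash for the boot loader.
R1(config)# secure boot-config restore flash:rescue-cfg
R1(config)# end
R1# copy flash:rescue-cfg running-config
!
! Turning the feature off is accepted only on the console line; the same
! commands over SSH or Telnet are refused.
R1(config)# no secure boot-image
R1(config)# no secure boot-config
```

Re-run secure boot-config after every intended configuration change; otherwise the archive keeps the snapshot taken when the feature was first enabled, as the facts above note.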
Out-of-band (OOB) management
- Information flows on a dedicated management network on which no production traffic resides
- Appropriate for large enterprise networks
- Provides the highest level of security and mitigates the risk of passing insecure management protocols over the production network
Management considerations
- Configuration change management: know the state of critical network devices; know when the last modifications were made; ensure the right people have access when new management methodologies are adopted; know how to handle tools and devices no longer used
- Automated logging and reporting of information from identified devices to management hosts
- Available applications and protocols, like SNMP
In-band management
- Information flows across an enterprise production network, the Internet, or both using regular data channels
- Recommended in smaller networks, providing a more cost-effective security deployment
- Apply only to devices that need to be managed or monitored. Use IPsec, SSH, or SSL when possible. Decide whether the management channel needs to be open at all times.
of using remote management tools with
Cisco router log messages contain three main parts:
- Timestamp
- Log message name and severity level
- Message text
Syslog implementations contain two types of systems.
- Syslog servers - Also known as log hosts, these systems accept and process log messages from syslog clients.
- Syslog clients - Routers or other types of equipment that generate and forward log messages to syslog servers.
There are two types of community strings.
- Read-only community strings - Provides read-only access to all objects in the MIB, except the community strings.
- Read-write community strings - Provides read-write access to all objects in the MIB, except the community strings.
Community Strings Facts:
- Used to authenticate messages between a management station and an SNMPv1 or SNMPv2 engine; they are sent in clear text, so anyone who can sniff the traffic learns them.
- Read-write community strings can get and set information in an agent.
- Set access is equivalent to having the enable password for a device.
SNMPv3 provides three security features.
- Message integrity - Ensures that a packet has not been tampered with in transit.
- Authentication - Determines that the message is from a valid source.
- Encryption - Scrambles the contents of a packet to prevent it from being seen by an unauthorized source.
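Replacing community strings with an SNMPv3 authPriv user that has all three security features above, restricted to a read-only view and to one management station. This is an added example, not from the original flashcards; the group, user, view and ACL names, the NMS address and the passphrases are assumed.

```cisco
! Added example (not from the original flashcards). Group, user, view and
! ACL names, the NMS address and both passphrases are assumed.
!
! Remove any SNMPv1/v2c community strings left from earlier configurations
! (a read-write string is equivalent to the enable password).
no snmp-server community public
no snmp-server community private
!
! Only the network management station may talk SNMP to this router.
ip access-list standard SNMP-NMS
 permit 10.10.10.60
!
! Expose only the system and interface tables, not the whole MIB.
snmp-server view NMS-VIEW system included
snmp-server view NMS-VIEW interfaces included
!
! SNMPv3 group: "priv" = authentication + encryption required, read-only,
! source-restricted by the ACL.
snmp-server group NMS-RO v3 priv read NMS-VIEW access SNMP-NMS
!
! User in that group. SHA gives message integrity and authentication,
! AES-128 gives encryption of the PDU contents.
snmp-server user nmspoll NMS-RO v3 auth sha AuthP4ssphr4se! priv aes 128 Pr1vP4ssphr4se!
```

The snmp-server user line is deliberately not shown in show running-config; confirm it with show snmp user, and the group binding with show snmp group. A poll from any address other than 10.10.10.60, or an SNMPv2c poll with any community, is dropped.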
- Clocks on hosts and network devices must be maintained and synchronized to ensure that log messages are synchronized with one another
The date and time settings of the router can be set using one of two methods:
- Manually edit the date and time (clock set)
- Configure Network Time Protocol (NTP)
NTP allows routers on the network to synchronize their time settings with an NTP server.
ntp trusted-key key-number
- Authenticates the identity of a system to which NTP will synchronize (used together with ntp authenticate and ntp authentication-key)
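Authenticated NTP and syslog forwarding together, since the timestamps on forwarded log messages are only meaningful once the clock is trustworthy. This single added example serves both the syslog section (the router acting as syslog client) and the NTP section above; it is not from the original flashcards, and the server addresses, key value and interface names are assumed.

```cisco
! Added example (not from the original flashcards). Server addresses, the
! NTP key and the source interface are assumed.
!
! Stamp log and debug output with date, time, milliseconds and zone.
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone
clock timezone UTC 0
!
! Authenticated NTP: accept time only from a server that proves it holds
! key 1. The same key ID and value must be configured on the NTP server;
! an unauthenticated or wrongly keyed server is ignored.
ntp authenticate
ntp authentication-key 1 md5 NtpSh4redK3y
ntp trusted-key 1
ntp server 10.10.10.5 key 1
!
! Syslog client: keep a local buffer and forward severity 0-6 to the log
! host, sourced from the loopback so the host sees one stable address.
logging buffered 32768 informational
logging trap informational
logging source-interface Loopback0
logging host 10.10.10.50
```

Verify with show ntp status (synchronized, stratum) and show ntp associations (the server marked with * and its key shown as authenticated), then show logging for the trap level, destination host and the most recent buffered messages. Only the log host and the buffer receive messages; the router never stores more than the buffer size locally.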
The intent of CDP is to make it easier for administrators to discover and troubleshoot other Cisco devices on the network. However, it should not be enabled everywhere in the network: edge devices, for example, should not advertise CDP on interfaces facing an untrusted network.
To ensure a device is secure:
- Disable unnecessary services and interfaces
- Disable and restrict commonly configured management services, such as SNMP
- Disable probes and scans, such as ICMP
- Ensure terminal access security
- Disable gratuitous and proxy Address Resolution Protocol (ARP)
- Disable IP-directed broadcast
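The hardening list above as explicit configuration, which is also what AutoSecure (later on this page) does for you. This is an added example rather than configuration from the original flashcards; interface names and descriptions are assumed.

```cisco
! Added example (not from the original flashcards). Interface names and
! descriptions are assumed.
!
! CDP: off globally (or at least off on the outside interface below).
no cdp run
!
! Legacy and information-leaking services.
no service tcp-small-servers
no service udp-small-servers
no service finger
no service pad
no ip bootp server
no ip http server
no ip http secure-server
no ip source-route
no ip identd
no ip gratuitous-arps
!
! Outside interface: no proxy ARP, no directed broadcast (smurf
! amplification), no ICMP redirects/mask replies that aid mapping.
! Note: "no ip unreachables" also suppresses "fragmentation needed",
! which breaks path MTU discovery through this hop; keep it only where
! that is acceptable.
interface GigabitEthernet0/0
 description Outside - ISP
 no cdp enable
 no ip proxy-arp
 no ip directed-broadcast
 no ip redirects
 no ip unreachables
 no ip mask-reply
!
! Unused interfaces: label and shut down.
interface GigabitEthernet0/2
 description UNUSED - shutdown
 shutdown
```

Confirm with show cdp neighbors (empty), show ip interface GigabitEthernet0/0 (proxy ARP, directed broadcast and redirects reported as disabled) and show control-plane host open-ports or show ip sockets to see which listeners remain.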
Three security audit tools available include:
- Security Audit Wizard - a security audit feature provided through Cisco SDM. The Security Audit Wizard provides a list of vulnerabilities and then allows the administrator to choose which potential security-related configuration changes to implement on a router.
- Cisco AutoSecure - a security audit feature available through the Cisco IOS CLI. The autosecure command initiates a security audit and then allows for configuration changes. Based on the mode selected, configuration changes can be automatic or require network administrator input.
- One-Step Lockdown - a security audit feature provided through Cisco SDM. The One-Step Lockdown feature provides a list of vulnerabilities and then automatically makes all recommended security-related configuration changes.
Security Audit Wizard
- Compares router configuration against recommended settings:
- Shut down unneeded servers
- Disable unneeded services
- Apply the firewall to the outside interfaces
- Disable or harden SNMP
- Shut down unused interfaces
- Check password strength
- Enforce the use of ACLs
Cisco One-Step Lockdown
- Tests router configuration for any potential security problems and automatically makes the necessary configuration changes to correct any problems found
Command to enable the AutoSecure feature:
auto secure [no-interact]
- Initiated from the CLI and executes a script. The AutoSecure feature first makes recommendations for fixing security vulnerabilities, and then modifies the security configuration of the router.
- Can lock down the management plane functions and the forwarding plane services and functions of a router (auto secure management, auto secure forwarding).
- Used to provide a baseline security policy on a new router.
AutoSecure versus SDM Security Audit / One-Step Lockdown
AutoSecure additionally:
- Sets SPD (Selective Packet Discard) values
- Enables TCP Intercept
- Configures anti-spoofing ACLs on outside interfaces
AutoSecure implements some of the following features differently:
- SNMP is disabled, but SNMPv3 is not configured
- SSH is enabled and configured with images that support this feature
- Secure Copy Protocol (SCP) is not enabled, whereas unsecure FTP is