Accessing the WAN Chapter 4 - PART II Modified by Tony Chen 07/20/2008


1 Network Security Accessing the WAN Chapter 4 - PART II Modified by Tony Chen 07/20/2008 ITE I Chapter Cisco Systems, Inc. All rights reserved. Cisco Public 1

2 Notes:
If you see any mistake on my PowerPoint slides or if you have any questions about the materials, please feel free to me at Thanks!
Tony Chen, College of DuPage, Cisco Networking Academy

3 What is Cisco SDM?
The Cisco Security Device Manager (SDM) is a web-based device-management tool designed for configuring LAN, WAN, and security features on Cisco IOS software-based routers. It provides easy-to-use smart wizards, automates router security management, and assists through comprehensive online help.
Cisco SDM ships preinstalled by default on all new Cisco integrated services routers. If it is not preinstalled, you will have to install it. If SDM is preinstalled, Cisco recommends using Cisco SDM to perform the initial configuration.
SDM files can be installed on the router, a PC, or both. An advantage of installing SDM on the PC is

4 Cisco SDM Features
Cisco SDM simplifies router and security configuration through the use of intelligent wizards to enable efficient configuration of key router VPN and Cisco IOS firewall parameters.
Cisco SDM smart wizards guide users step by step through the router and security configuration workflow by systematically configuring LAN and WAN interfaces, firewall, IPS, and VPNs. They intelligently detect incorrect configurations and propose fixes, such as allowing DHCP traffic through a firewall if the WAN interface is DHCP-addressed.
Online help embedded within Cisco SDM contains appropriate background information.

5 Configuring Router to Support SDM
Before you can install SDM on an operational router, you must ensure that a few configuration settings are present in the router configuration file.
Step 1. Access the router's Cisco CLI interface using Telnet or the console connection.
Step 2. Enable the HTTP and HTTPS servers on the router.
Step 3. Create a user account defined with privilege level 15 (enable privileges).
Step 4. Configure SSH and Telnet for local login and privilege level 15.
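The four prerequisites above open the router's management plane, so it is worth checking a saved running-config both for their presence and for the cleartext services they can bring with them. The following Python check is an added example, not part of the original slides; the sample configurations, user names, and the function names split_sections and audit_sdm_prereqs are constructed for illustration, and it assumes HTTPS alone satisfies the web-server prerequisite.

```python
import re

# Constructed sample: a running-config fragment with the SDM prerequisites
# enabled in their least restrictive form (HTTP, Telnet, cleartext password).
SAMPLE_CONFIG = """\
hostname R1
!
username admin privilege 15 secret 5 $1$xxxx$xxxxxxxxxxxxxxxxxxxxxx
username oper privilege 15 password 0 example-only
!
ip http server
ip http secure-server
!
line con 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
end
"""

# Constructed sample: the same prerequisites without the cleartext services.
HARDENED_CONFIG = """\
hostname R1
!
username admin privilege 15 secret 5 $1$xxxx$xxxxxxxxxxxxxxxxxxxxxx
!
no ip http server
ip http secure-server
!
line vty 0 4
 privilege level 15
 login local
 transport input ssh
!
end
"""

USER_RE = re.compile(r"username (\S+) privilege 15 (secret|password)\b")


def split_sections(config):
    """Split an IOS config into top-level lines and their indented sub-lines."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw[0] == " " and current is not None:
            sections[current].append(line)
        else:
            top.append(line)
            current = line
            sections[current] = []
    return top, sections


def audit_sdm_prereqs(config):
    """Report which SDM prerequisites are present and which are cleartext."""
    top, sections = split_sections(config)
    http = "ip http server" in top            # exact match, so "no ip http server" is ignored
    https = "ip http secure-server" in top
    admins = [m.groups() for m in (USER_RE.match(l) for l in top) if m]
    vty = {h: s for h, s in sections.items() if h.startswith("line vty")}
    vty_ready = bool(vty) and all(
        "login local" in s and "privilege level 15" in s for s in vty.values()
    )

    warnings = []
    if http:
        warnings.append("ip http server: SDM login can cross the network unencrypted")
    for name, kind in admins:
        if kind == "password":
            warnings.append(f"user {name}: level-15 account stored with 'password', not 'secret'")
    for header, sub in vty.items():
        protocols = set()
        for line in sub:
            if line.startswith("transport input"):
                protocols.update(line.split()[2:])
        if protocols & {"telnet", "all"}:
            warnings.append(f"{header}: Telnet permitted, credentials sent in cleartext")

    return {
        "prerequisites": {
            "web_server": http or https,
            "priv15_user": bool(admins),
            "vty_local_login_priv15": vty_ready,
        },
        "warnings": warnings,
    }


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_sdm_prereqs(cfg))
```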

6 Starting Cisco SDM
To launch Cisco SDM, use the HTTPS protocol and put the IP address of the router into the browser. The figure shows the browser with an address of and the launch page for Cisco SDM. The prefix can be used if SSL is not available.
When the username and password dialog box appears (not shown), enter a username and password for the privileged (privilege level 15) account on the router.
After the launch page appears, a signed Cisco SDM Java applet appears, which must remain open while Cisco SDM is running. Because it is a signed Cisco SDM Java applet, you may be prompted to accept a certificate.

7 Cisco SDM Home Page Overview
After you log in, the Overview page displays the router model, the total amount of memory, the versions of flash, IOS, and SDM, the hardware installed, and a summary of security features, such as firewall status and the number of active VPN connections. Specifically, it provides basic information about:
Menu bar - The top of the screen has a typical menu bar with File, Edit, View, Tools, and Help.
Tool bar - Below the menu bar are the SDM wizards and modes you can select.
Router information - The current mode is displayed on the left side under the tool bar.

8 About Your Router Area
This area of the SDM page shows:
Host Name - The configured hostname for the router, which is RouterX.
Hardware - The router model number, the available and total amounts of RAM, and the amount of Flash memory available.
Software - The Cisco IOS software and Cisco SDM versions running on the router.
The Feature Availability bar, found across the bottom of the About Your Router tab, shows the features available in the Cisco IOS image that the router is using. If the indicator beside a feature is green, the feature is available. If it is red, it is not available. Check marks show that the feature is configured. In the figure, it shows that IP, firewall, VPN,

9 Configuration Overview Area
Interfaces and Connections - Displays the number of connections that are up and down, the total number of LAN and WAN interfaces that are present in the router, and the number of LAN and WAN interfaces currently configured on the router. It also displays DHCP information.
Firewall Policies - If a firewall is in place, displays the number of trusted (inside) interfaces, untrusted (outside) interfaces, and DMZ interfaces. It also displays the name of the interface to which a firewall has been applied, and whether the NAT rule has been applied to this interface.

10 Configuration Overview Area
VPN - Displays the number of active VPN connections, the number of configured site-to-site VPN connections, and the number of active VPN clients.
Routing - Displays the number of static routes and which routing protocols are configured.
Intrusion Prevention
View Running Config

11 Cisco SDM Wizard
Cisco SDM provides a number of wizards to help you configure a Cisco ISR router. The figure shows various Cisco SDM GUI screens for the Basic NAT wizard. NAT is discussed later in the course, in the IP Addressing Services section.
Check for the latest information about the Cisco SDM wizards and the interfaces they support.

12 Locking Down a Router with Cisco SDM
The one-step lockdown wizard is accessed from the Configure GUI interface by clicking the Security Audit task. The Cisco SDM one-step lockdown wizard implements almost all of the security configurations that Cisco AutoSecure offers.
Do not assume that the network is secure simply because you executed a one-step lockdown. Not all the features of Cisco AutoSecure are implemented in Cisco SDM. AutoSecure features that are implemented differently in Cisco SDM include the following. SDM:
- Disables SNMP, and does not configure SNMP version 3.
- Enables and configures SSH on crypto Cisco IOS images.
- Does not enable Service Control Point or disable other access and file transfer services, such as FTP.
Check the accuracy of these statements

13 Locking Down a Router with Cisco SDM

14 Maintaining Cisco IOS Software Images
There are certain guidelines that you must follow when changing the Cisco IOS software on a router.
Updates: An update replaces one release with another without upgrading the feature set. The software might be updated to fix a bug. Updates are free.
Upgrades: An upgrade replaces a release with one that has an upgraded feature set. Software is upgraded to add new features or technologies. Upgrades are not free.
It is not always a good idea to upgrade to the latest version of IOS software. Many times that release is not stable.
Cisco recommends a four-phase migration process to simplify network operations and management.
Plan - Set goals, identify resources, profile network hardware and software, and create a schedule for migrating to new releases.
Design - Choose new Cisco IOS releases.
Implement - Schedule and execute the migration.
Operate - Monitor the migration progress and make backup copies of images that are running on your network.

15 Maintaining Cisco IOS Software Images
There are a number of tools available on Cisco.com to aid in migrating Cisco IOS software.
The following tools do not require a Cisco.com login:
Cisco IOS Reference Guide - Covers the basics of the Cisco IOS software family
Cisco IOS software technical documents - Documentation for each release of Cisco IOS software
Cisco Feature Navigator - Finds releases that support a set of software features and hardware, and compares releases
The following tools require valid Cisco.com login accounts:
Download Software - Cisco IOS software downloads
Bug Toolkit - Searches for known software fixes based on software version, feature set, and keywords
Software Advisor - Compares releases, matches Cisco IOS software and Cisco Catalyst OS features to releases, and finds out which software release supports a given hardware device
Cisco IOS Upgrade Planner - Finds releases by hardware, release, and feature set, and downloads images of Cisco IOS software
For a complete listing of tools available, go to

16 Cisco IOS File Systems and Devices
Cisco IOS devices provide a feature called the Cisco IOS Integrated File System (IFS).
Flash
The directories available depend on the platform. The show file systems command lists all file systems. It provides information such as the amount of available and free memory, the type of file system, and its permissions. Permissions include read only (ro), write only (wo), and read and write (rw).
An asterisk preceding the flash file system indicates that this is the current default file system. The pound symbol (#) appended to the flash listing indicates that this is a bootable disk. It contains the file of the current IOS running in RAM.
NVRAM
To change the current file system, use the cd command. The pwd command verifies that you are in NVRAM.

17 URL Prefixes for Cisco Devices
Administrators do not have visual cues when working at a router CLI. File locations are specified in Cisco IFS using the URL convention. The URLs used by Cisco IOS platforms look similar to the format you know from the web.
For instance, the TFTP example in the figure is: tftp:// /configs/backup-configs.
The expression "tftp:" is called the prefix.
Everything after the double-slash (//) defines the location is the location of the TFTP server.
"configs" is the master directory.
"backup-configs" is the filename.

18 Commands for Managing Configuration Files
The copy command is used to move files from one device to another, such as RAM, NVRAM, or a TFTP server. The examples list two methods to accomplish the same tasks.
Copy the running configuration from RAM to the startup configuration in NVRAM:
R2# copy running-config startup-config
R2# copy system:running-config nvram:startup-config
Copy the running configuration from RAM to a remote location:
R2# copy running-config tftp:
R2# copy system:running-config tftp:
Copy a configuration from a remote location to the running configuration:
R2# copy tftp: running-config
R2# copy tftp: system:running-config
Copy a configuration from a remote location to the startup configuration:
R2# copy tftp: startup-config
R2# copy tftp: nvram:startup-config

19 Cisco IOS File Naming Conventions
The IOS image file is based on a special naming convention. The name for the Cisco IOS image file contains multiple parts, each with a specific meaning.
The first part, c1841, identifies the platform on which the image runs. In this example, is a Cisco
The second part, ipbase, specifies the feature set. In this case, "ipbase" refers to the basic IP internetworking image. Other feature set possibilities:
i - Designates the IP feature set
j - Designates the enterprise feature set (all protocols)
s - Designates a PLUS feature set
56i - Designates 56-bit IPsec DES encryption
3 - Designates the firewall/IDS
k2 - Designates the 3DES IPsec encryption (168 bit)
The third part, mz, indicates where the image runs and if the file is compressed. For example, "mz" indicates that the file runs from RAM and is compressed.
The fourth part, T7, is the version number.
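The naming convention above can be checked mechanically before an image is copied to flash, which catches a wrong-platform image or one without the crypto feature set needed for SSH. This Python parser is an added example, not part of the original slides; it uses only the codes listed on the slide, the complete file names are constructed (the slide's full name did not survive transcription), and the function names are hypothetical.

```python
import re

# platform-featureset-format.version.bin, as described on the slide
IMAGE_RE = re.compile(
    r"^(?P<platform>[a-z0-9]+)-(?P<feature>[a-z0-9_]+)-(?P<fmt>[a-z]{1,2})"
    r"\.(?P<version>[A-Za-z0-9.\-]+)\.bin$"
)

# Named feature sets and single codes taken from the slide only.
NAMED_SETS = {"ipbase": "basic IP internetworking image"}
FEATURE_CODES = {
    "56i": "56-bit IPsec DES encryption",
    "k2": "3DES IPsec encryption (168 bit)",
    "i": "IP feature set",
    "j": "enterprise feature set (all protocols)",
    "s": "PLUS feature set",
    "3": "firewall/IDS",
}
CRYPTO_CODES = {"56i", "k2"}
FORMAT_CODES = {"m": "runs from RAM", "z": "compressed"}


def decode_feature(feature):
    """Return [(code, meaning), ...], or None if the string is not covered."""
    if feature in NAMED_SETS:
        return [(feature, NAMED_SETS[feature])]
    decoded, pos = [], 0
    codes = sorted(FEATURE_CODES, key=len, reverse=True)  # longest match first
    while pos < len(feature):
        for code in codes:
            if feature.startswith(code, pos):
                decoded.append((code, FEATURE_CODES[code]))
                pos += len(code)
                break
        else:
            return None  # a character the slide's table does not explain
    return decoded


def parse_image_name(filename):
    """Split an IOS image file name into its four parts."""
    m = IMAGE_RE.match(filename)
    if m is None:
        raise ValueError(f"not a platform-featureset-format.version.bin name: {filename}")
    features = decode_feature(m.group("feature"))
    return {
        "platform": m.group("platform"),
        "feature_set": m.group("feature"),
        "features": features,
        "crypto": bool(features) and any(c in CRYPTO_CODES for c, _ in features),
        "format": [FORMAT_CODES.get(ch, "not covered by the slide") for ch in m.group("fmt")],
        "version": m.group("version"),
    }


def pre_load_check(filename, router_platform):
    """List reasons not to load this image on a router of the given platform."""
    try:
        info = parse_image_name(filename)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if info["platform"] != router_platform:
        problems.append(
            f"image is for {info['platform']}, router is {router_platform}"
        )
    if info["features"] is None:
        problems.append(f"feature set '{info['feature_set']}' not recognised")
    return problems


if __name__ == "__main__":
    # Constructed file names built from the parts named on the slide.
    for name in ("c1841-ipbase-mz.123-14.T7.bin", "c1841-jk2s-mz.123-14.T7.bin"):
        print(parse_image_name(name))
    print(pre_load_check("c2800nm-ipbase-mz.123-14.T7.bin", "c1841"))
```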

20 Using TFTP Servers to Manage IOS Images
For any network, it is always prudent to retain a backup copy of the IOS image in case the image in the router becomes corrupted or accidentally erased. Using a network TFTP server allows image and configuration uploads and downloads over the network. The TFTP server can be another router or a workstation.
Before changing a Cisco IOS image on the router, you need to complete these tasks:
- Determine the memory required for the update.
- Set up and test the file transfer capability.
- Schedule the required downtime.
When you are ready to do the update, follow these steps:
- Shut down all interfaces not needed to perform the update.
- Back up the current operating system and the current configuration file to a TFTP server.
- Load the update for either the operating system or the configuration file.
- Test to confirm that the update works properly. If the tests are successful, you can then re-enable the interfaces you

21 Using TFTP Servers to Manage IOS Images
A new Cisco IOS software resilient configuration feature enables a router to secure and maintain a working copy of the running operating system image and configuration so that those files can withstand malicious attempts to erase the contents of persistent storage (NVRAM and flash).
This feature is available only on platforms that support a Personal Computer Memory Card International Association (PCMCIA) Advanced Technology Attachment (ATA) disk.
/12_3t8/feature/guide/gtrescfg.html

22 Backing up IOS Software Images
To copy an IOS software image from flash to the network TFTP server, follow these steps.
Step 1. Ping the TFTP server to make sure you have access to it.
Step 2. Verify that the TFTP server has sufficient disk space for the Cisco IOS image. Use the show flash: command to determine:
- Total amount of flash memory on the router
- Amount of flash memory available
- Name of all the files stored in the flash memory
Step 3. Copy the current file from the router to the TFTP server, using the copy flash: tftp: command. The command requires you to enter the IP address of the remote host and the name of the source and destination system image files.
During the copy process, exclamation points (!) indicate the progress. Each exclamation point signifies

23 Upgrade IOS Software Images
Upgrading a system to a newer version requires a different system image file to be loaded. Use the copy tftp: flash: command to download the new image from the network TFTP server.
The command prompts you for the IP address of the remote host and the name of the source and destination system image file. After these entries are confirmed, the Erase flash: prompt appears. Erase flash memory if there is not sufficient flash memory for more than one Cisco IOS image. If no free flash memory is available, the erase routine is required before new files can be copied.
Each exclamation point (!) means that one UDP segment has successfully transferred.
Note: Make sure that the Cisco IOS image loaded is appropriate for the router platform. If the wrong Cisco IOS image is loaded, the router could be made unbootable, requiring

24 Using tftpdnld to Restore an IOS Image
When an IOS on a router is accidentally deleted from flash, the router is still operational because the IOS is running in RAM. However, it is crucial that the router is not rebooted, since it would not be able to find a valid IOS in flash. If the router is rebooted, it can no longer load an IOS and loads the ROMmon prompt by default.
In the figure, the IOS on router R1 has accidentally been deleted from flash. Unfortunately, the router has been rebooted and can no longer load an IOS. Follow the 3 steps below to restore the IOS.
Step 1. Connect the devices. Connect the PC to the console port on the affected router. Connect the TFTP server to the first Ethernet port on the router. Configure it with a static IP address /24.

25 Using tftpdnld to Restore an IOS Image
Step 2. Set the ROMmon variables. Because the router does not have a valid Cisco IOS image, the router boots into ROMmon mode. You must enter all of the variables listed in the figure. Be aware of the following:
- Variable names are case sensitive.
- Do not include any spaces before or after the = symbol.
- Navigational keys are not operational.
The IP addresses, subnet mask, and image name in the figure are only examples. The actual variables will vary depending on your configuration.
Step 3. Enter the tftpdnld command at the prompt. The command displays the required variables and warns that all existing data in flash will be erased. Type y to proceed, and press Enter. When connected, the download begins, as indicated by the exclamation marks (!). You can use the reset command to reload the router with the new Cisco IOS image.

26 Using xmodem to Restore an IOS Image
Using the tftpdnld command is a very quick way of copying the image file. Another method for restoring a Cisco IOS image to a router is by using Xmodem. However, the file transfer is accomplished using the console cable and is therefore very slow when compared to the tftpdnld command.
Follow the 4 steps below to restore the IOS.
Step 1. Connect the PC of the system administrator to the console port on the affected router.

27 Using xmodem to Restore an IOS Image
Step 2. Boot the router and issue the xmodem command at the ROMmon command prompt. The command syntax is xmodem [-cyr] [filename]. The -cyr options vary depending on the configuration. For instance, -c specifies CRC-16, -y specifies the Ymodem protocol, and -r copies the image to RAM.
Step 3. The figure shows the process for sending a file using HyperTerminal. In this case, select Transfer > Send File.
Step 4. Browse to the location of the IOS image you want to transfer and choose the Xmodem protocol. Click Send. A dialog box appears displaying the status of the download. It takes several seconds before the host and the router begin transferring the information.
The download time could be dramatically improved if you change the connection speed of HyperTerminal and the router from 9600 b/s to b/s.

28 Troubleshooting Cisco IOS Configurations
Two commands are used in network administration for troubleshooting:
Show command - A show command lists the configured parameters and their values. Use the show command to verify configurations.
Debug command - The debug command allows you to trace the execution of a process. Use the debug command to identify traffic flows through interfaces and router processes.

29 Using the show Command
The show command displays static information. Use show commands when gathering facts for isolating problems in an internetwork, including problems with interfaces, nodes, media, servers, clients, or applications. You may also use it frequently to confirm that configuration changes have been implemented.
When you are at the command prompt, type show ? for a list of available show commands for the level and mode you are operating in.

30 Using the debug Command
The debug command displays dynamic events. Use debug to check the flow of protocol traffic for problems, protocol bugs, or misconfigurations.
By default, the router sends the output from debug commands to the console. You can redirect debug output to a syslog server.
Debugging output is assigned high priority in the CPU process queue and can therefore interfere with normal production processes on a network. Use debug commands during quiet hours and only to troubleshoot specific problems.
All debug commands are entered in privileged EXEC mode. To list a brief description of all the debugging command options, enter the debug ? command.
The best way to ensure there are no lingering

31 Considerations when using the debug Command
It is one thing to use debug commands to troubleshoot a lab network that lacks end-user application traffic. It is another thing to use debug commands on a production network that users depend on for data flow. Without proper precautions, the impact of a broadly focused debug command could make matters worse.
With proper, selective, and temporary use of debug commands, you can obtain potentially useful information without needing a protocol analyzer or other third-party tool.

32 Commands Related to the debug Command
To make efficient use of the debug command, these commands can help you:
The service timestamps command is used to add a time stamp to a debug message. This feature provides information about when debug elements occurred.
The show processes command displays the CPU use for each process. This data can influence decisions about using a debug command if it indicates that the system is too heavily used for adding a debug command.
The no debug all command disables all debug commands. This command can free up system resources after you finish debugging.
The terminal monitor command displays debug output and system error messages for the current terminal and session. When you Telnet to a device and issue a debug command, you will not see output unless this command is entered.

33 Recovering a Lost Router Password
You need physical access to the router. You connect your PC to the router through a console cable.
The enable password and the enable secret password protect access to privileged EXEC and configuration modes. The enable password can be recovered. The enable secret password is encrypted and must be replaced with a new password.
The configuration register is similar to your PC BIOS settings, which control the bootup process. In a router, a configuration register, represented by a single hexadecimal value, tells the router what specific steps to take when powered on. Configuration registers have many uses, and password recovery is probably the most used.

34 Recovering a Lost Router Password: Prepare the Device
Step 1. Connect to the console port.
Step 2. If you still have access to user EXEC mode, type show version at the prompt, and record the configuration register setting.
R1> show version
<show command output omitted>
Configuration register is 0x2102
R1>
The configuration register is usually set to 0x2102. If you can no longer access the router, you can assume it is set to 0x2102.
Step 3. Use the power switch to turn off the router, and then turn the router back on.
Step 4. Press Break on the terminal keyboard within 60 seconds of power up to put the router into ROMmon.

35 Recovering a Lost Router Password: Bypass Startup
Step 5. Type confreg 0x2142 at the rommon 1> prompt. This causes the router to bypass the startup configuration where the forgotten enable password is stored.
Step 6. Type reset at the rommon 2> prompt. The router reboots, but ignores the saved configuration.
Step 7. Type no after each setup question, or press Ctrl-C to skip the initial setup procedure.
Step 8. Type enable at the Router> prompt. This puts you into enable mode, and you should be able to see the Router# prompt.

36 Recovering a Lost Router Password: Access NVRAM
Step 9. Type copy startup-config running-config to copy the NVRAM into memory. Be careful! Do not type copy running-config startup-config or you will erase your startup configuration.
Step 10. Type show running-config to view passwords. In this configuration, the shutdown command appears under all interfaces because all the interfaces are currently shut down. Most importantly though, you can now see the passwords (enable password, enable secret, vty, console passwords) either in encrypted or unencrypted format. You can reuse unencrypted passwords. You must change encrypted passwords to a new password.

37 Recovering a Lost Router Password: Reset Passwords
Step 11. Type configure terminal.
Step 12. Type enable secret password to change the enable secret password.
R1(config)# enable secret cisco
Step 13. Issue the no shutdown command on every interface that you want to use. You can issue a show ip interface brief command to confirm that your interface configuration is correct.
Step 14. Type config-register configuration_register_setting.
R1(config)# config-register 0x2102
Step 15. Press Ctrl-Z or type end.
Step 16. Type copy running-config startup-config to commit the changes.
You have now completed password recovery.
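The recovery procedure depends on one bit of the configuration register: 0x2142 differs from 0x2102 only in bit 6 (0x0040), which tells the router to ignore the startup configuration. If Step 14 is skipped, the router comes up unconfigured at every reload, so the register value in collected show version output is worth auditing. This Python check is an added example, not part of the original slides; the sample output lines and the function names are constructed for illustration.

```python
import re

IGNORE_STARTUP_CONFIG = 0x0040  # bit 6: bypass the startup-config in NVRAM
BREAK_DISABLED = 0x0100         # bit 8: Break key ignored once IOS is running
BOOT_FIELD_MASK = 0x000F        # bits 0-3: where to boot from

# "Configuration register is 0x2142 (will be 0x2102 at next reload)"
REGISTER_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]{1,4})"
    r"(?: \(will be (0x[0-9A-Fa-f]{1,4}) at next reload\))?"
)

# Constructed samples of the last line of show version output.
NORMAL = "<show command output omitted>\nConfiguration register is 0x2102\n"
RECOVERY_LEFT_ON = "<show command output omitted>\nConfiguration register is 0x2142\n"
RESTORED = (
    "<show command output omitted>\n"
    "Configuration register is 0x2142 (will be 0x2102 at next reload)\n"
)


def decode_register(value):
    """Break a configuration register value into the fields used here."""
    boot = value & BOOT_FIELD_MASK
    return {
        "value": f"0x{value:04X}",
        "boot_field": boot,
        "boots_to_rommon": boot == 0,
        "ignore_startup_config": bool(value & IGNORE_STARTUP_CONFIG),
        "break_disabled": bool(value & BREAK_DISABLED),
    }


def audit_show_version(text):
    """Return the current and next-reload register values plus findings."""
    m = REGISTER_RE.search(text)
    if m is None:
        raise ValueError("no 'Configuration register is' line found")
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else current

    findings = []
    if pending & IGNORE_STARTUP_CONFIG:
        findings.append(
            "next reload ignores startup-config: the password-recovery "
            "setting was left in place, restore it with config-register 0x2102"
        )
    elif current & IGNORE_STARTUP_CONFIG:
        findings.append(
            "router was booted with startup-config bypassed; register is "
            "already restored for the next reload"
        )
    if (pending & BOOT_FIELD_MASK) == 0:
        findings.append("next reload stops at the ROM monitor instead of loading IOS")

    return {
        "current": decode_register(current),
        "next_reload": decode_register(pending),
        "findings": findings,
    }


if __name__ == "__main__":
    for label, sample in (
        ("normal", NORMAL),
        ("recovery left on", RECOVERY_LEFT_ON),
        ("restored", RESTORED),
    ):
        result = audit_show_version(sample)
        print(label, result["current"]["value"], result["findings"])
```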

38 Chapter Summary
In this chapter, you have learned to:
- Identify security threats to enterprise networks
- Describe methods to mitigate security threats to enterprise networks
- Configure basic router security
- Disable unused router services and interfaces
- Use the Cisco SDM one-step lockdown feature
- Manage files and software images with the Cisco IOS Integrated File System (IFS)


More information

RPR+ on Cisco 7500 Series Routers

RPR+ on Cisco 7500 Series Routers RPR+ on Cisco 7500 Series Routers Feature History 12.0(19)ST1 12.0(22)S 12.2(14)S This feature was introduced. This feature was integrated into Cisco IOS Release 12.0(22)S. This feature was integrated

More information

Controlling Switch Access with Passwords and Privilege Levels

Controlling Switch Access with Passwords and Privilege Levels Controlling Switch Access with Passwords and Privilege Levels Finding Feature Information, page 1 Restrictions for Controlling Switch Access with Passwords and Privileges, page 1 Information About Passwords

More information

Using Cisco IOS XE Software

Using Cisco IOS XE Software This chapter describes the basics of using the Cisco IOS XE software and includes the following section: Accessing the CLI Using a Router Console, on page 1 Accessing the CLI Using a Router Console Before

More information

Chapter 6: Network Layer

Chapter 6: Network Layer Chapter 6: Network Layer CCNA Routing and Switching Introduction to Networks v6.0 Chapter 6 - Sections & Objectives 6.1 Network Layer Protocols Explain how network layer protocols and services support

More information

Using Setup Mode to Configure a Cisco Networking Device

Using Setup Mode to Configure a Cisco Networking Device Using Setup Mode to Configure a Cisco Networking Device Setup mode provides an interactive menu to help you to create an initial configuration file for a new networking device, or a device that you have

More information

MiPDF.COM. 3. Which procedure is used to access a Cisco 2960 switch when performing an initial configuration in a secure environment?

MiPDF.COM. 3. Which procedure is used to access a Cisco 2960 switch when performing an initial configuration in a secure environment? CCNA1 v6.0 Chapter 2 Exam Answers 2017 (100%) MiPDF.COM 1. What is the function of the kernel of an operating software? It provides a user interface that allows users to request a specific task. The kernel

More information

Controlling Switch Access with Passwords and Privilege Levels

Controlling Switch Access with Passwords and Privilege Levels Controlling Switch Access with Passwords and Privilege Levels Finding Feature Information, page 1 Restrictions for Controlling Switch Access with Passwords and Privileges, page 1 Information About Passwords

More information

Upgrading the Software

Upgrading the Software APPENDIX B Upgrading the Software You can upgrade your software in the following ways: From the Cisco IOS command-line interface (CLI) From the ROM monitor Cisco recommends upgrading your software from

More information

Lab 3: Basic Device Configuration

Lab 3: Basic Device Configuration Lab 3: Basic Device Configuration University of Jordan Faculty of Engineering & Technology Computer Engineering Department Computer Networks Laboratory 907528 2 Lab 3: Basic Device Configuration **Given

More information

Initial Configuration

Initial Configuration 3 CHAPTER This chapter describes the initial configuration of the ML-Series card and contains the following major sections: Hardware Installation, page 3-1 Cisco IOS on the ML-Series Card, page 3-2 Startup

More information

Using Setup Mode to Configure a Cisco Networking Device

Using Setup Mode to Configure a Cisco Networking Device Using Setup Mode to Configure a Cisco Networking Device First Published: August 9, 2005 Last Updated: December 3, 2010 Setup mode provides an interactive menu to help you to create an initial configuration

More information

Chapter 5 Review Questions

Chapter 5 Review Questions Chapter 5 Review Questions The following questions are designed to test your understanding of this chapter s material. For more information on how to get additional questions, please see www.lammle.com/ccn

More information

Assigning the Switch IP Address and Default Gateway

Assigning the Switch IP Address and Default Gateway CHAPTER 4 Assigning the Switch IP Address and Default Gateway This chapter describes how to create the initial switch configuration (for example, assigning the switch IP address and default gateway information)

More information

Maintaining the MGX RPM-PR

Maintaining the MGX RPM-PR APPENDIX A This appendix describes maintenance procedures you might need to perform as your internetworking needs change. It contains the following sections: Reading Front Panel LEDs Recovering a Lost

More information

Password Recovery Procedure for the Cisco 1900 Series Integrated Services Routers

Password Recovery Procedure for the Cisco 1900 Series Integrated Services Routers Password Recovery Procedure for the Cisco 1900 Series Integrated Services Routers Document ID: 112058 Contents Introduction Prerequisites Requirements Components Used Related Products Conventions Step

More information

Configuring Passwords and Privileges

Configuring Passwords and Privileges Configuring Passwords and Privileges Using passwords and assigning privilege levels is a simple way of providing terminal access control in your network. This chapter describes the following topics and

More information

Working with the Cisco IOS File System, Configuration Files, and Software Images

Working with the Cisco IOS File System, Configuration Files, and Software Images CHAPTER B Working with the Cisco IOS File System, Configuration Files, and Software Images This appendix describes how to manipulate the Catalyst 3750 Metro switch flash file system, how to copy configuration

More information

System Management Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst 9400 Switches)

System Management Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst 9400 Switches) System Management Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst 9400 Switches) First Published: 2017-07-31 Last Modified: 2017-11-03 Americas Headquarters Cisco Systems, Inc. 170 West Tasman

More information

Working with the Cisco IOS File System, Configuration Files, and Software Images

Working with the Cisco IOS File System, Configuration Files, and Software Images APPENDIX B Working with the Cisco IOS File System, Configuration Files, and Software Images This appendix describes how to manipulate the switch flash file system, how to copy configuration files, and

More information

Password Recovery Procedure for the Cisco 801, 802, 803, 804, 805, 811, and 813 Series Routers

Password Recovery Procedure for the Cisco 801, 802, 803, 804, 805, 811, and 813 Series Routers Password Recovery Procedure for the Cisco 801, 802, 803, 804, 805, 811, and 813 Series Routers Document ID: 12732 Contents Introduction Prerequisites Requirements Components Used Related Products Conventions

More information

Troubleshooting the Security Appliance

Troubleshooting the Security Appliance CHAPTER 43 This chapter describes how to troubleshoot the security appliance, and includes the following sections: Testing Your Configuration, page 43-1 Reloading the Security Appliance, page 43-6 Performing

More information

Cisco IOS File System Commands

Cisco IOS File System Commands This chapter describes the basic set of commands used to manipulate files on your routing device using the Cisco IOS File System (IFS) in Cisco IOS Release 12.2. Commands in this chapter use URLs as part

More information

Troubleshooting. Testing Your Configuration CHAPTER

Troubleshooting. Testing Your Configuration CHAPTER 82 CHAPTER This chapter describes how to troubleshoot the ASA and includes the following sections: Testing Your Configuration, page 82-1 Reloading the ASA, page 82-8 Performing Password Recovery, page

More information

Managing Controller Software and Configurations

Managing Controller Software and Configurations CHAPTER 8 Managing Controller Software and Configurations This chapter describes how to manage configurations and software versions on the controllers. This chapter contains these sections: Transferring

More information

Lab 6.2.7a Managing Switch Operating System Files

Lab 6.2.7a Managing Switch Operating System Files Lab 6.2.7a Managing Switch Operating System Files Objective Create and verify a basic switch configuration. Backup the switch IOS to a TFTP server and then restore it. Background/Preparation Cable a network

More information

Fundamentals of Network Security v1.1 Scope and Sequence

Fundamentals of Network Security v1.1 Scope and Sequence Fundamentals of Network Security v1.1 Scope and Sequence Last Updated: September 9, 2003 This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document

More information

LAB 3 Basic Switch Configuration Commands

LAB 3 Basic Switch Configuration Commands LAB 3 Basic Switch Configuration Commands This lab explains basic switch configuration commands in detail with examples. Configuration and commands explained in this tutorial are essential commands to

More information

Lab 3.4.6a Configure the PIX Security Appliance using Setup Mode and ASDM Startup Wizard

Lab 3.4.6a Configure the PIX Security Appliance using Setup Mode and ASDM Startup Wizard Lab 3.4.6a Configure the PIX Security Appliance using Setup Mode and ASDM Startup Wizard Objective Scenario Topology In this lab exercise, the students will complete the following tasks: Verify that the

More information

Chapter 2. Switch Concepts and Configuration. Part I

Chapter 2. Switch Concepts and Configuration. Part I Chapter 2 Switch Concepts and Configuration Part I CCNA3-1 Chapter 2-1 Note for Instructors These presentations are the result of a collaboration among the instructors at St. Clair College in Windsor,

More information

Overview of the Cisco NCS Command-Line Interface

Overview of the Cisco NCS Command-Line Interface CHAPTER 1 Overview of the Cisco NCS -Line Interface This chapter provides an overview of how to access the Cisco Prime Network Control System (NCS) command-line interface (CLI), the different command modes,

More information

Lab Managing Router Configuration Files with Terminal Emulation Software

Lab Managing Router Configuration Files with Terminal Emulation Software Lab Managing Router Configuration Files with Terminal Emulation Software Topology Addressing Table Objectives Device Interface IP Address Subnet Mask Default Gateway R1 G0/1 192.168.1.1 255.255.255.0 N/A

More information

Enterprise Network Security. Accessing the WAN Chapter 4

Enterprise Network Security. Accessing the WAN Chapter 4 Enterprise Network Security Accessing the WAN Chapter 4 ITE I Chapter 6 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 1 Objectives Describe the general methods used to mitigate security threats

More information

Internetwork Expert s CCNA Security Bootcamp. Securing Cisco Routers. Router Security Challenges

Internetwork Expert s CCNA Security Bootcamp. Securing Cisco Routers. Router Security Challenges Internetwork Expert s CCNA Security Bootcamp Securing Cisco Routers http:// Router Security Challenges As the system gets more complex, as do the vulnerabilities Key part of security team s job is to be

More information

User Security Configuration Guide, Cisco IOS Release 15MT

User Security Configuration Guide, Cisco IOS Release 15MT Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 2014 Cisco Systems, Inc. All rights

More information

Upgrading the Cisco IOS XE Software

Upgrading the Cisco IOS XE Software Prerequisites for the Software Upgrade Process, page 1 Saving Backup Copies of Your Old System Image and Configuration, page 2 Using TFTP or Remote Copy Protocol to Copy the System Image into Boot Flash

More information

Initial Configuration for the Switch

Initial Configuration for the Switch Options for Initial Configuration, page 1 Configuring the Switch Using the Web User Interface, page 1 Configuring the Switch Using the CLI, page 4 Configuring the Switch in the ROMMON Mode, page 12 Options

More information

Chapter 10 Lab B: Configuring ASA Basic Settings and Firewall Using ASDM

Chapter 10 Lab B: Configuring ASA Basic Settings and Firewall Using ASDM Chapter 10 Lab B: Configuring ASA Basic Settings and Firewall Using ASDM Topology Note: ISR G2 devices have Gigabit Ethernet interfaces instead of Fast Ethernet interfaces. All contents are Copyright 1992

More information

Configure Initial Router Settings on Cisco 4000 Series ISRs

Configure Initial Router Settings on Cisco 4000 Series ISRs Configure Initial Router Settings on Cisco 4000 Series ISRs This chapter describes how to perform the initial configuration on Cisco 4000 Series Integrated Services Routers (ISRs). It contains the following

More information

CCNA 1 Final Exam Answers UPDATE 2012 eg.2

CCNA 1 Final Exam Answers UPDATE 2012 eg.2 CCNA 1 Final Exam Answers UPDATE 2012 eg.2 January 12th, 2012AdminLeave a commentgo to comments 1. When must a router serial interface be configured with the clock rate command? when the interface is functioning

More information

Lab Configuring and Verifying Extended ACLs Topology

Lab Configuring and Verifying Extended ACLs Topology Topology 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 8 Addressing Table Objectives Device Interface IP Address Subnet Mask Default Gateway R1 G0/1 192.168.10.1

More information

Lab Securing Network Devices

Lab Securing Network Devices Topology Addressing Table Objectives Device Interface IP Address Subnet Mask Default Gateway R1 G0/1 192.168.1.1 255.255.255.0 N/A S1 VLAN 1 192.168.1.11 255.255.255.0 192.168.1.1 PC-A NIC 192.168.1.3

More information

Chapter 5 Router and IOS Basics

Chapter 5 Router and IOS Basics Chapter 5 Router and IOS Basics Benefits of Routing Routers provide Packet filtering Connections between local networks Traffic control Wide area network (WAN) connections Routers operate at the Network

More information

Smart Install Concepts

Smart Install Concepts CHAPTER 1 Smart Install is a plug-and-play configuration and image-management feature that provides zero-touch deployment for new switches. This means that a customer can ship a switch to a location, place

More information

User and System Administration

User and System Administration CHAPTER 2 This chapter provides information about performing user and system administration tasks and generating diagnostic information for obtaining technical assistance. The top-level Admin window displays

More information

This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document for non-commercial distribution and

This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document for non-commercial distribution and This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document for non-commercial distribution and exclusive use by instructors in the CCNA Exploration:

More information

CS 386M Lab 1 Router Configuration and Routing

CS 386M Lab 1 Router Configuration and Routing CS 386M Lab 1 Router Configuration and Routing In this lab you will learn: PartA Cisco 2600 Router Configuration Static Routing PartB 30 min Dynamic Routing PartC 40 min Explore! Components used in this

More information

Route Processor Redundancy Plus (RPR+)

Route Processor Redundancy Plus (RPR+) Route Processor Redundancy (RPR) provides an alternative to the High System Availability (HSA) feature. HSA enables a system to reset and use a standby Route Switch Processor (RSP) if the active RSP fails.

More information

Maintaining the System Software

Maintaining the System Software CHAPTER 2 This chapter covers the tasks required for maintaining a Content Engine. Upgrading the System Software, page 2-1 Recovering the System Software, page 2-2 Maintaining the Hard Disk Storage, page

More information

Configuring the Switch with the CLI-Based Setup Program

Configuring the Switch with the CLI-Based Setup Program Configuring the Switch with the CLI-Based Setup Program Accessing the CLI Through Express Setup, page 1 Accessing the CLI Through the Console Port, page 1 Entering the Initial Configuration Information,

More information

Cisco Branch Routers Series Network Analysis Module (NME-NAM-120S) Installation and Configuration Note, 4.2

Cisco Branch Routers Series Network Analysis Module (NME-NAM-120S) Installation and Configuration Note, 4.2 Cisco Branch Routers Series Network Analysis Module (NME-NAM-120S) Installation and Configuration Note, 4.2 The Cisco Network Analysis Module (NAM) is an integrated module that enables network managers

More information

2.1. Device Connection

2.1. Device Connection 2.1. Device Connection Cisco routers and switches do not have monitors, and you cannot connect a keyboard or a mouse directly to the device. To manage the device, you connect to the router or switch through

More information

Installing the Operating System or Hypervisor

Installing the Operating System or Hypervisor If you purchased E-Series Server or NCE Option 1 (E-Series Server or NCE without a preinstalled operating system or hypervisor), you must install an operating system or hypervisor. This chapter includes

More information

Configuring the Switch with the CLI-Based Setup Program

Configuring the Switch with the CLI-Based Setup Program Configuring the Switch with the CLI-Based Setup Program This appendix contains these topics: Accessing the CLI Through Express Setup, page 1 Accessing the CLI Through the Console Port, page 1 Entering

More information

Configuring the Cisco NAM 2220 Appliance

Configuring the Cisco NAM 2220 Appliance CHAPTER 5 This section describes how to configure the Cisco NAM 2220 appliance to establish network connectivity, configure IP parameters, and how to perform other required administrative tasks using the

More information

CCNA 1 Chapter 11 V4.0 Answers

CCNA 1 Chapter 11 V4.0 Answers CCNA 1 Chapter 11 V4.0 Answers 1. Refer to the exhibit. What command will place the router into the correct mode to configure an appropriate interface to connect to a LAN? UBAMA# configure terminal UBAMA(config)#

More information

Managing Software. Upgrading the Controller Software. Considerations for Upgrading Controller Software

Managing Software. Upgrading the Controller Software. Considerations for Upgrading Controller Software Upgrading the Controller Software, on page 1 Considerations for Upgrading Controller Software, on page 1 Upgrading Controller Software (GUI), on page 2 Upgrading Controller Software (CLI), on page 5 Predownloading

More information

Skills Assessment Student Training Exam

Skills Assessment Student Training Exam Skills Assessment Student Training Exam Time: 20 minutes Given an IP address and mask of (address / mask), design an IP addressing scheme that satisfies the following requirements. Network address/mask

More information

Lab Establishing and Verifying a Telnet Connection Instructor Version 2500

Lab Establishing and Verifying a Telnet Connection Instructor Version 2500 Lab 4.2.2 Establishing and Verifying a Telnet Connection Instructor Version 2500 Objective Establish a Telnet connection to a remote router. Verify that the application layer between source and destination

More information

Configuration Guide. Upgrading AOS Firmware L1-29.1D July 2011

Configuration Guide. Upgrading AOS Firmware L1-29.1D July 2011 61200990L1-29.1D July 2011 Configuration Guide This configuration guide explains how to update your ADTRAN Operating System (AOS) firmware using the AOS Web-based graphical user interface (GUI) with Trivial

More information

Jaringan Komputer (CCNA-1)

Jaringan Komputer (CCNA-1) Jaringan Komputer (CCNA-1) #2 Configuring a Network Operating System Susmini I. Lestariningati, M.T Introduction (1) Home networks typically interconnect a wide variety of end devices including PCs, laptops,

More information

Assigning the Switch IP Address and Default Gateway

Assigning the Switch IP Address and Default Gateway CHAPTER 3 Assigning the Switch IP Address and Default Gateway This chapter describes how to create the initial switch configuration (for example, assigning the IP address and default gateway information)

More information

Working with the Cisco IOS File System, Configuration Files, and Software Images

Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System, page 1 Working with Configuration Files, page 11 Replacing and Rolling Back Configurations,

More information

Using Cisco Unity Express Software

Using Cisco Unity Express Software Using Cisco Unity Express Software Last Updated: May 1, 2006 This chapter provides helpful tips for understanding and configuring Cisco Unity Express software using the command-line interface (CLI). It

More information

CCNA Semester 2 labs. Labs for chapters 2 10

CCNA Semester 2 labs. Labs for chapters 2 10 CCNA Semester 2 labs Labs for chapters 2 10 2.2.2.5 Lab - Configuring IPv4 Static and Default Routes 2.3.2.4 Lab - Troubleshooting Static Routes 3.2.1.9 Lab - Configuring Basic RIPv2 5.2.2.9 Lab - Configuring

More information

Cisco ASA 5500 LAB Guide

Cisco ASA 5500 LAB Guide INGRAM MICRO Cisco ASA 5500 LAB Guide Ingram Micro 4/1/2009 The following LAB Guide will provide you with the basic steps involved in performing some fundamental configurations on a Cisco ASA 5500 series

More information

Configuring Switch-Based Authentication

Configuring Switch-Based Authentication CHAPTER 7 This chapter describes how to configure switch-based authentication on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. This chapter consists

More information

Lab Password Recovery Procedure on a Catalyst 2900 Series Switches

Lab Password Recovery Procedure on a Catalyst 2900 Series Switches Lab 6.2.8 Password Recovery Procedure on a Catalyst 2900 Series Switches Objective Create and verify a basic switch configuration verify it. Change passwords to the password recovery procedure be performed.

More information

co Password Recovery Procedure for the Cisco 1700 Series R

co Password Recovery Procedure for the Cisco 1700 Series R co Password Recovery Procedure for the Cisco 1700 Series R Table of Contents Password Recovery Procedure for the Cisco 1700 Series Routers...1 Introduction...1 Before You Begin...2 Conventions...2 Prerequisites...2

More information

Using the Cisco NX-OS Setup Utility

Using the Cisco NX-OS Setup Utility This chapter contains the following sections: Configuring the Switch, page 1 Configuring the Switch Image Files on the Switch The Cisco Nexus devices have the following images: BIOS and loader images combined

More information

Assigning the Switch IP Address and Default Gateway

Assigning the Switch IP Address and Default Gateway CHAPTER 3 Assigning the Switch IP Address and Default Gateway This chapter describes how to create the initial switch configuration (for example, assigning the IP address and default gateway information)

More information