Internetwork Expert s CCNA Security Bootcamp. Securing Cisco Routers. Router Security Challenges

Size: px

Start display at page:

Download "Internetwork Expert s CCNA Security Bootcamp. Securing Cisco Routers. Router Security Challenges"

Martin Melton
5 years ago
Views:

Internetwork Expert s CCNA Security Bootcamp Securing Cisco Routers http:// Router Security Challenges As

1 Internetwork Expert s CCNA Security Bootcamp Securing Cisco Routers Router Security Challenges As the system gets more complex, as do the vulnerabilities Key part of security team s job is to be aware of common security holes and new ones Subscribe to Cisco Product Security Incident Response Team (PSIRT) announcements What are the common problems? Copyright 2010 Internetwork Expert

2 Security Audit & One-Step Lockdown SDM s Security Audit is used to automatically identify potential common security problems SDM s One-Step Lockdown is used to automatically fix the issues found IOS Passwords IOS Command Line process (exec) uses passwords to authenticate Access attacks against IOS exec process are common Attacker runs ping sweep, scans port 23, launches brute force/dictionary attack against login Strong password policy is a must IOS passwords, such as enable, username, or line passwords, come in three types Type 0 Unencrypted clear-text Type 5 One-way MD5 hash i.e. enable secret, username secret Type 7 Low security reversible encryption E.g. service password encryption Copyright 2010 Internetwork Expert

3 Password Policies Weak passwords should never be used cisco, password, san-fran, etc. Allows vulnerability to dictionary attack Short passwords should never be used Allows vulnerability to brute force attack security passwords min-length length CLI Timeouts exec-timeout determines how long an idle line (console, aux, or vty) will stay logged into the CLI (exec) process Setting the exec-timeout to zero disables the idle timeout, but can be a security risk I.e. if the console has exec-timeout of zero, a user who forgets to logout will remain authenticated indefinitely Copyright 2010 Internetwork Expert

4 Disabling Password Recovery Normally a user with physical console access can perform password recovery via ROMMON to access saved config & CLI no service-password recovery command disables ability to recover config Technically still allows ROMMON access, but password recovery attempt deletes NVRAM as a security measure IOS Login Enhancements Even with strong password policy, brute force attack on login is still possible Login enhancements deter this, and add visibility through logging Accomplished through Delaying the login prompt after failure login delay seconds Blocking login prompt after failure login block-for seconds attempts tries within seconds Generating log message on success or failure login on-failure log [every login] login on-success log [every login] Still permitting authorized stations login quiet-mode access-class {acl-name aclnumber} Copyright 2010 Internetwork Expert

5 Exec Privilege Levels Once a user is authenticated, they must authorize in order to run commands Called local command authorization IOS uses privilege levels to control access to exec commands Default privilege levels 0 no access 1 user mode access 15 privilege (enable) mode access User defined privilege levels Levels 2 14 available for assignment Assigning Privilege Levels Privilege level can be assigned with globally, per user, or per line Globally enable password cisco Grants privilege level 15 enable password level 2 cisco2 Grants privilege level 2 Per user username bob privilege 2 password cisco Grants privilege level 2 Per line Router(config)#line vty 0 4 Router(config-line)#privilege level 15 Grants privilege level 15 to all telnet users Copyright 2010 Internetwork Expert

6 Issuing Privileged Commands Once authorized to a privilege level, user can run all commands at level zero through current privilege i.e. privilege 10 can run 0 10 commands Current privilege can be verified with show privilege command A command s privilege can be verified with the show parser dump command Modifying a Command s s Privilege A command s privilege is always 0, 1, or 15 by default Level can be modified down or up to grant or revoke user s access to a certain command privilege mode [all] {level level reset} command-string Mode determines where the command exists in the CLI hierarchy exec command router# configure command router(config)# interface command router(config-if)# Copyright 2010 Internetwork Expert

7 Role Based CLI Local command authorization has limited application due to complex hierarchy Role Based CLI simplifies local authorization by removing the command s privilege level from the picture How Role Based CLI Works User authenticates and is assigned to a view View controls what commands user can or cannot run Allows for explicit exclusion (deny) of commands Superviews can be defined that consist of multiple views at the same time Allows hierarchical grouping of commands Copyright 2010 Internetwork Expert

8 Cisco IOS Resilient Configuration Protects IOS image and configuration files from accidental or malicious deletion Moves IOS image to a hidden file on disk that can t be listed with dir command Copies running configuration to a hidden archive on disk Configured as secure boot-image secure boot-config Verified as show secure bootset Securing Cisco Routers Q&A Copyright 2010 Internetwork Expert

DoS Attacks Malicious Code Attacks Device Hardening Social Engineering The Network Security Wheel

DoS Attacks Malicious Code Attacks Device Hardening Social Engineering The Network Security Wheel CCNA4 Chapter 4 * DoS Attacks DoS attacks are the most publicized form of attack and also among the most difficult to eliminate. DoS attacks prevent authorized people from using a service by consuming