Network security session 9-2 Router Security. Network II

Similar documents
Note that you can also use the password command but the secret command gives you a better encryption algorithm.

Security Hardening Checklist for Cisco Routers/Switches in 10 Steps

Cisco Router Security: Principles and Practise. The foundation of network security is router security.

AutoSecure. Finding Feature Information. Last Updated: January 18, 2012

Chapter 2. Switch Concepts and Configuration. Part II

CCNA Security PT Practice SBA

Welcome! APNIC Security Tutorial. Securing edge network devices. Overview

Network Infrastructure Filtering at the border. PacNOG19 28th November - 2nd December 2016 Nadi, Fiji

Lab Configuring and Verifying Extended ACLs Topology

Lab 8.5.2: Troubleshooting Enterprise Networks 2

DoS Attacks Malicious Code Attacks Device Hardening Social Engineering The Network Security Wheel

!! Configuration of RFS4000 version R!! version 2.3!! ip access-list BROADCAST-MULTICAST-CONTROL permit tcp any any rule-precedence 10

Examples of Cisco APE Scenarios

Chapter 4. Network Security. Part II

TACACS Device Access Control with Cisco Active Network Abstraction

CCNA Security 1.0 Student Packet Tracer Manual

Lab 7 Configuring Basic Router Settings with IOS CLI

Chapter 10 Lab 10-2, Securing VLANs INSTRUCTOR VERSION

Interconnecting Cisco Networking Devices Part 1 (ICND1) Course Overview

Objectives. Classes of threats to networks. Network Security. Common types of network attack. Mitigation techniques to protect against threats

CCNA Semester 2 labs. Labs for chapters 2 10

Configuring Authentication Proxy

Teacher s Reference Manual

Configuring Authentication Proxy

Lab Configuring Switch Security Features Topology

PROTECTING NETWORK INFRASTRUCTURE - ROUTERS, SWITCHES, ETC.

co Configuring PIX to Router Dynamic to Static IPSec with

Cisco IOS Firewall Authentication Proxy

Support for policy-based routing applies to the Barracuda Web Security Gateway running version 6.x only.

Three interface Router without NAT Cisco IOS Firewall Configuration

Configuring Local Authentication

This document is a tutorial related to the Router Emulator which is available at:

Managing GSS User Accounts Through a TACACS+ Server

Configuring Secure Shell (SSH)

itexamdump 최고이자최신인 IT 인증시험덤프 일년무료업데이트서비스제공

Configuring Authentication Proxy

Network Infrastructure Filtering at the border. stole slides from Fakrul Alam

Network Monitoring and Management Cisco Configuration

PT Activity: Configure AAA Authentication on Cisco Routers

Configuring the Management Interface and Security

Cisco IOS Login Enhancements-Login Block

Packet Tracer - Configure Cisco Routers for Syslog, NTP, and SSH Operations (Instructor Version)

Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM

CISCO SWITCH BEST PRACTICES GUIDE

Cisco Configuration. Network Monitoring and Management

Configuring Secure Shell

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

Configuring Secure Shell (SSH)

Deployment of Cisco IP Mobility Solution on Enterprise Class Teleworker Network

UniNets CCNA Security LAB MANUAL UNiNets CCNA Cisco Certified Network Associate Security LAB MANUAL UniNets CCNA LAB MANUAL

Configuring Management Access

How to configure MB5000 Serial Port Bridge mode

Lab 5.6b Configuring AAA and RADIUS

Lab Securing Network Devices

Lab - Examining Telnet and SSH in Wireshark

Network Infrastructure Filtering at the border. Cyber Security & Network Security March, 2017 Dhaka, Bangladesh

Network Infra Security Filtering at the Border. Network Security Workshop April 2017 Bali Indonesia

CISCO EXAM QUESTIONS & ANSWERS

CyberPatriot Packet Tracer Tool Kit

Interconnecting Cisco Networking Devices Part 1 ( )

Numerics. Index 1. SSH See SSH. connection inactivity time 2-3 console, for configuring authorized IP managers 11-5 DES 6-3, 7-3

Platform Settings for Classic Devices

1. Which OSI layers offers reliable, connection-oriented data communication services?

Lab Using the CLI to Gather Network Device Information Topology

Overview of the Cisco NCS Command-Line Interface

User Security Configuration Guide, Cisco IOS Release 15MT

Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM

XML Transport and Event Notifications

Configuring TACACS+ Finding Feature Information. Prerequisites for TACACS+

Fundamentals of Network Security v1.1 Scope and Sequence

Firewall Authentication Proxy for FTP and Telnet Sessions

DGS-1510 Series Gigabit Ethernet SmartPro Switch Web UI Reference Guide. Figure 9-1 Port Security Global Settings window

Payload Types At Different OSI Layers: Layer 2 - Frame Layer 3 - Packet Layer 4 - Datagram

Cisco Networking Academy CCNP

Technology Scenarios. INE s CCIE Security Bootcamp - 1 -

Configuring Security for the ML-Series Card

Configuring Security with Passwords, Privileges, and Logins

Configuring a Terminal/Comm Server

Wireless Access Points (Part 2)

Platform Settings for Firepower Threat Defense

Setting Up the Sensor

CCNP TSHOOT. Quick Reference Sheet Exam

Configuring the Cisco NAM 2220 Appliance

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

CCNA Security Instructor Packet Tracer Manual

XML Transport and Event Notifications

Configuring Secure Shell (SSH)

This document is intended to give guidance on how to read log entries from a Cisco PIX / ASA. The specific model in this case was a PIX 501.

AAA and the Local Database

Connecting to the Management Network and Securing Access

exam. Number: Passing Score: 800 Time Limit: 120 min CISCO Interconnecting Cisco Networking Devices Part 1 (ICND)

CCENT Practice Certification Exam # 2 - CCNA Exploration: Accessing the WAN (Version 4.0)

Lab - Troubleshooting ACL Configuration and Placement Topology

Loading Internet Protocol Security (IPSec) (CDR-882/780/790/990 Cellular Router)

Lab - Troubleshooting Standard IPv4 ACL Configuration and Placement Topology

Table of Contents. Cisco Configuring IP Access Lists

Index. Numerics. Index 1

Numerics INDEX. 2.4-GHz WMIC, contrasted with 4.9-GHz WMIC g 3-6, x authentication 4-13

Configuring Secure Shell (SSH)

Chapter 3 Lab 3-1, Assembling Maintenance and Troubleshooting Tools

Transcription:

Network security session 9-2 Router Security Network II

Router security First line of defense of the network Compromise of a router can lead to many issues: Denial of network services Degrading of network performance Exposure of network configuration details Exposure of the network topology Exposure of the sensitive data

Security issue Pysical security lock and key Easiest access is via console port Password recovery possible Up to date Operating system most stable release of IOS Configuration hardening

Configuration hardening Local access restriction console line Remote access restriction Vty line Use line & Exec password to gain access to the router Service password encryption command encrypts the line passwords EXEC level password enable secret command

Configuration hardening (cont ) Two password protection schemes used in Cisco IOS: Type 7 uses a Cisco encryption algorithm, which is not as strong as Type 5 protection, which uses MD5 hash.

Configuration hardening (cont ) Create a user account for authorized personnel for keeping track and log each time a system is accessed Create a local user account on the router Username [name] privilege [level] password [password_string]

Configuration hardening (cont ) Cisco provides 16 levels (0-15) of privileges level 15 the highest equivalent to privileged EXEC mode Local user admin is created with level 10 Disadvantage of creating local user: The same user to be created on all routers in the network! Mmmmh where is scalability?

Configuration hardening (cont ) Cisco offers Authentication, Authorization and Accountability (AAA) service to centrally manage and control user access RADIUS (Remote Authentication Dial In User Service) and TACACS+ (Terminal Access Controller Access-Control System Plus), are supported with AAA Implies that cisco routers can communicate with RADIUS or TACACS+ servers for central authentication

Configuration hardening (cont ) AAA enables authentication based on the router s local user database, enable, line passwords, as well as other access protocols Configuration example define authentication method

Configuration hardening (cont ) Apply authentication to any access entry point. Line console Auxiliary port Virtual terminal vty lines Enforces authentication using the local user database and the timeout of 5 minutes if the user input is not detected Prevents the remote access to the console port via reverse-telnet -transport input none:

Configuration hardening (cont ) Demo configuration **Login authentication required

To enable SSH Need to generate an RSA key You require to pre-configure a hostname and a domain name on the router to generate an RSA key will be used as part of the key ip domain-name test? crypto key generate rsa Command After the RSA key is generated, the remote VTY access can be configured with SSH as the transport

To enable SSH The command transport input ssh enforces SSH as the only access method

Router Services Routers have many services enabled by default Disable unnecessary service & Tighten the necessary services Enabled TCP/IP services by default echo, discard, daytime, chargen, finger, identd, and Snmp bootps,

Router Services To disable them globally use the following commands: The following services: echo, discard, daytime, and chargen are considered TCP and UDP small services Disabled using no service tcp-smallservers and no service udp-small-servers

Router Services Tighten security for needed services like: Simple Network Management Protocol (SNMP) HTTP SNMP default community string must not be used Use a new community string which should be difficult to guess Avoid read-write access - use read only access

Router Services SNMP access should be restricted to certain known SNMP agents Use SNMP version 3 Example with a read-only configuration RouterA(config)#snmp-server community M@ke1tD1ff1cuLT ro 10 Web-based administration via HTTP can reveal passwords option, HTTPS

Router Services HTTPS that provides end-to-end SSL encryption, as shown: Normal HTTP service disabled HTTPS service enabled HTTP access is restricted with the accesslist 15 HTTP will use AAA authentication

Router Services Other services to disable includes CDP Remote configuration downloading & Source-routing Source-routing can be used in many kinds of attacks. disabling the feature - the router will disregard the IP packet with source routes information

Securing router Interface level Shutdown unused ports Disable Directed broadcasts can usedas a DoS attack fx smurf attact (new IOS disabled) Disable interface acting as intermediary for ARP or ARP-proxy

Securing router Router Logging and Access-List Administrator to analyze the events that occur and use the given information to correlate and find the issues To keep accurate logs, the correct time on a router has to be set up Cisco routers support the Network Time Protocol (NTP), which can be set up to synchronize the router s clock with the time server

There are 8 levels (0 7) of log severity: Emergencies (0) Alerts (1) Critical (2) Errors (3) Warnings (4) Notifications (5) Informational (6) Debugging (7)

Securing router To correlate the time with the log events, a timestamp service will need to be initiated To keep accurate logs, the correct time on a router has to be set up Cisco routers support the Network Time Protocol (NTP), which can be set up to synchronize the router s clock with the time server

Log example OR by using access list The following example shows an access-list 102 that contains an IP address spoofing protection for the internal network of access-list 101 permit ip 192.168.0.0 0.0.255.255 any access-list 101 permit tcp any any eq 80 access-list 101 deny ip any any log Applied to the outbound interface 12.12.12.0/24. access-list 102 deny ip 12.12.12.0 0.0.0.255 any log access-list 102 deny ip 10.0.0.0 0.255.255.255 any log access-list 102 deny ip 172.16.0.0 0.15.255.255 any log access-list 102 deny ip 192.168.0.0 0.0.255.255 any log access-list 102 permit ip any any

Switch Security Switch Port Security To configure the maximum number of MAC addresses on a switch port, use the command switchport port-security maximum [number] To configure a port to allow certain MAC addresses to pass traffic, use the command switchport port-security mac-address [mac_address] or switchport port-security

Switch Security Switch Port Security To configure a port to allow certain MAC addresses to pass traffic, use the command switchport port-security mac-address [mac_address] or switchport port-security mac-address sticky [mac_address]. Define a violation action as: protected, restrict, and shutdown

Switch Security Switch Port Security Define a violation action as: protected, restrict, and shutdown The violation action protected will drop packets from the violated MAC address(es) violation action restrict is the same as the protected mode, but it will also send SNMP trap messages to the SNMP server

Switch Security Switch Port Security Violation action shutdown is to shutdown the port and put the port in ERRDISABLE state.

example of a port security configuration

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback