CCNA Security Chapter 2
Securing the Edge Router
Single Router Approach
A single router connects the protected network, or internal LAN, to the Internet, and all security policies are configured on this one device. This approach is more commonly deployed in smaller site implementations, where the required security features can be supported by ISRs without impeding the router's performance capabilities.
Defense-in-Depth Approach
This approach is more secure than the single router approach. The router acts as the first line of defense and is known as a screening router. It passes all connections intended for the internal LAN on to the firewall.
The second line of defense is the firewall. The firewall typically picks up where the router leaves off and performs additional filtering.
DMZ Approach
A variation of the defense-in-depth approach is to offer an intermediate area, often called a demilitarized zone (DMZ). The DMZ can be used for servers that must be accessible from the Internet or some other external network. In the DMZ approach, the router provides some protection by filtering some traffic, but leaves the bulk of the protection to the firewall.
Three areas of router security must be maintained:
Physical Security:
- Place the router, and the physical devices that connect to it, in a secure locked room that is accessible only to authorized personnel.
- Install an uninterruptible power supply (UPS) and keep spare components available. This reduces the possibility of a DoS condition caused by a loss of power to the building.
Router Hardening: Eliminate potential abuse of unused ports and services
- Secure administrative control. Ensure that only authorized personnel have access and that their level of access is controlled.
- Disable unused ports and interfaces. Reduce the number of ways a device can be accessed.
- Disable unnecessary services.
Operating System Security: Secure the features and performance of the router operating system
- Configure the router with the maximum amount of memory possible. The availability of memory can help protect the network from some DoS attacks, while supporting the widest range of security services.
- Use the latest stable version of the operating system that meets the feature requirements of the network.
- Keep a secure copy of the router operating system image and router configuration files as a backup.
Tasks involved in securing administrative access to an infrastructure device
- Restrict device accessibility : Limit the accessible ports, restrict the permitted communications, and restrict the permitted methods of access.
- Log and account for all access : Record anyone who accesses a device, including what occurs and when.
- Authenticate access : Ensure that access is granted only to authenticated users, groups, and services. Limit the number of failed login attempts and the time between logins.
- Authorize actions : Restrict the actions and views permitted to any particular user, group, or service.
- Present legal notifications : Display a legal notice, developed in conjunction with company legal counsel, for interactive sessions.
- Ensure the confidentiality of data : Protect locally stored sensitive data from being viewed or copied.
Two ways to access a device for administrative purposes
Local Access : Local access to a router usually requires a direct connection to a console port on the Cisco router, using a computer that is running terminal emulation software.
Remote Access : Some network devices can be accessed remotely. Remote access typically involves allowing Telnet, Secure Shell (SSH), HTTP, HTTPS, or Simple Network Management Protocol (SNMP) connections to the router from a computer. For security reasons, it is preferable to allow only local access to the router. However, remote access might still be necessary. When accessing the network remotely, a few precautions should be taken:
- Encrypt all traffic between the administrator's computer and the router.
- Establish a dedicated management network.
- Configure a packet filter that allows only identified administration hosts and preferred protocols to access the router.
Configure Secure Administrative Access
Attackers deploy various methods of discovering administrative passwords, such as using L0phtCrack and Cain & Abel to attempt brute-force attacks and guess passwords.
Guidelines designed to make passwords less easily discovered:
- Use a password length of 10 or more characters.
- Make passwords complex. Include a mix of upper- and lower-case letters, numbers, symbols, and spaces.
- Avoid passwords based on repetition or other easily identifiable information.
- Deliberately misspell passwords.
- Change passwords often.
- Do not write passwords down and leave them in obvious places.
Configure Router Password
Enable Secret Password
The enable secret global configuration command restricts access to privileged EXEC mode. The password is hashed with MD5. If the password is lost or forgotten, use the Cisco password recovery procedure.
Console Line
By default, the console port does not require a password. However, a console port line-level password should always be configured. Use the line console 0 command followed by the login and password commands on the console line.
Virtual Terminal Lines
By default, Cisco routers support five simultaneous virtual terminal (vty) sessions for Telnet or SSH. On the router, the vty ports are numbered from 0 through 4. Use the line vty 0 4 command followed by the login and password commands.
Auxiliary Line
By default, Cisco router auxiliary ports do not require a password for remote administrative access. Administrators sometimes use this port to remotely configure and monitor the router over a dialup modem connection.
Enhance Security for Virtual Logins
The Cisco IOS login enhancements feature provides more security for Cisco IOS devices when creating a virtual connection, such as Telnet, SSH, or HTTP, by slowing down dictionary attacks and stopping DoS attacks. To better configure security for virtual login connections, the login process should be configured with specific parameters:
- Implement delays between successive login attempts.
- Enable login shutdown if DoS attacks are suspected.
- Generate system-logging messages for login detection.
Command: login block-for seconds attempts tries within seconds
All login enhancement features are disabled by default. Use the login block-for command to enable them. The login block-for feature monitors login activity on the device and operates in two modes:
- Normal mode (watch mode) - The router keeps count of the number of failed login attempts within an identified amount of time.
- Quiet mode (quiet period) - If the number of failed logins exceeds the configured threshold, all login attempts using Telnet, SSH, and HTTP are denied.
For example, login is disabled for 120 seconds if more than 5 failed login attempts occur within 60 seconds.
- This command must be issued before any other login command can be used.
- This command can help provide DoS detection and prevention.
Command : login quiet-mode access-class {acl-name | acl-number}
When quiet mode is enabled, all login attempts, including valid administrative access, are denied. However, to give critical hosts access at all times, this behavior can be overridden with an ACL.
The example shows a configuration that invokes an ACL named PERMIT-ADMIN. Hosts that match PERMIT-ADMIN are exempt from quiet mode.
- The command specifies an ACL that is applied to the router when it switches to quiet mode, and identifies hosts that are exempt from the quiet-mode failure time.
- If not configured, all login requests are denied during quiet mode.
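The watch-mode / quiet-mode behaviour of login block-for and the PERMIT-ADMIN exemption, modelled as an added Python example (not code from these notes or from Cisco). It follows the notes' description that quiet mode begins once failures exceed the configured count; the 10.1.1.0/24 "ACL", the source addresses and the attempt timeline are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class LoginGuard:
    """Model of 'login block-for <block_for> attempts <attempts> within <within>'
    plus 'login quiet-mode access-class': hosts in the exempt networks (the
    PERMIT-ADMIN ACL in the notes) may still log in during the quiet period."""
    block_for: int = 120                 # length of quiet mode, seconds
    attempts: int = 5                    # failures tolerated inside the watch window
    within: int = 60                     # watch window, seconds
    exempt: list = field(default_factory=list)    # constructed ACL, e.g. ["10.1.1.0/24"]
    failures: list = field(default_factory=list)  # timestamps of recent failed logins
    quiet_until: float = 0.0

    def is_exempt(self, src):
        return any(ip_address(src) in ip_network(net) for net in self.exempt)

    def state(self, now):
        return "quiet" if now < self.quiet_until else "watch"

    def attempt(self, now, src, credentials_ok):
        """Return 'blocked' (quiet mode), 'allowed' or 'denied' (bad credentials)."""
        if self.state(now) == "quiet" and not self.is_exempt(src):
            return "blocked"             # all Telnet/SSH/HTTP logins refused
        if credentials_ok:
            return "allowed"
        # watch mode: drop failures older than the window, then record this one
        self.failures = [t for t in self.failures if now - t < self.within]
        self.failures.append(now)
        if len(self.failures) > self.attempts:   # threshold exceeded -> quiet mode
            self.quiet_until = now + self.block_for
            self.failures.clear()
        return "denied"


def run_demo():
    """Constructed attempt stream: (second, source address, credentials correct?)."""
    guard = LoginGuard(exempt=["10.1.1.0/24"])
    stream = [(t, "203.0.113.9", False) for t in (0, 5, 10, 15, 20, 25)]  # 6 failures
    stream += [(30, "203.0.113.9", True),    # right password, but quiet mode is on
               (30, "10.1.1.5", True),       # admin host exempted by the ACL
               (150, "203.0.113.9", True)]   # quiet period (120 s) has expired
    return [guard.attempt(t, src, ok) for t, src, ok in stream]


if __name__ == "__main__":
    print(run_demo())
```

The sixth failure trips quiet mode, so even a correct password from the non-exempt host is refused until the 120-second period ends, while the exempt admin host logs in throughout.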
Command : login delay seconds
The delay between login attempts can be changed using the login delay command. It introduces a uniform delay between successive login attempts, and the delay applies to all attempts, whether they fail or succeed.
- Helps mitigate dictionary attacks.
- This is an optional command. If it is not set, a default delay of one second is enforced once the login block-for command is configured.
Commands : login logging
- login on-failure log [every login]
- login on-success log [every login]
Configuring SSH
- Configure the IP domain name : If the router has a unique host name, configure the IP domain name of the network using the ip domain-name domain-name command in global configuration mode.
- Generate one-way secret keys : To create the RSA key pair, use the crypto key generate rsa general-keys modulus modulus-size command in global configuration mode.
- Verify or create a local database entry : Ensure that there is a valid local database username entry. If not, create one using the username name secret secret command.
- Enable vty inbound SSH sessions : Enable inbound SSH sessions on the vty lines using the line vty commands login local and transport input ssh.
SSH timeouts and authentication retries
Router(config)#ip ssh time-out seconds
Router(config)#ip ssh authentication-retries tries
Version
Router(config)#ip ssh version version
version: 1 or 2
Configuring Privilege Levels
16 Privilege Levels
- Level 0 : Predefined for user-level access privileges. Seldom used, but includes five commands: disable, enable, exit, help, and logout.
- Level 1 : The default level for login, with the router prompt Router>. A user cannot make any changes or view the running configuration file.
- Levels 2-14 : May be customized for user-level privileges.
- Level 15 : Users can change configurations and view configuration files.
Configuring Role-Based CLI Access
Role-based CLI provides three types of views:
Root View : To configure any view for the system, the administrator must be in root view. Root view has the same access privileges as a user who has level 15 privileges. However, a root view is not the same as a level 15 user. Only a root view user can configure a new view and add or remove commands from the existing views.
CLI View : A specific set of commands can be bundled into a CLI view. Unlike privilege levels, a CLI view has no command hierarchy and, therefore, no higher or lower views. Each view must be assigned all commands associated with that view, and a view does not inherit commands from any other views. Additionally, the same commands can be used in multiple views.
Superview : A superview consists of one or more CLI views. Administrators can define which commands are accepted and which configuration information is visible. Superviews allow a network administrator to assign users and groups of users multiple CLI views at once, instead of having to assign a single CLI view per user with all commands associated to that one CLI view.
Superview characteristics :
- A single CLI view can be shared among multiple superviews.
- Commands cannot be configured for a superview. An administrator must add commands to a CLI view and then add that CLI view to the superview.
- A user who logs into a superview can access all the commands configured in its CLI views.
- Each superview has a password that is used to switch between superviews or from a CLI view to a superview.
Create and manage a specific view :
- Exit and enter the root view with the enable view command.
- Create a view using the parser view command.
- Assign a secret password to the view using the secret command.
- Assign commands to the view using the commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command] command in view configuration mode.
Create and manage a superview :
- Create a view using the parser view view-name superview command and enter superview configuration mode.
- Assign a secret password to the view.
- Assign an existing view using the view view_name command.
- Exit the superview.
Restore a secured configuration (bootset) :
- Reload the router using the reload command.
- The device name can be found in the output from show secure bootset.
- Use the boot command with the file name found in Step 2.
- Go to global configuration mode with conf t.
- Restore the secure configuration file using the secure boot-config restore filename command.
Using Syslog for Network Security
The router can be configured to send log messages to several destinations:
- Console : Console logging is the default. Messages logged to the console can be viewed while modifying or testing the router through terminal emulation.
- Terminal lines : Privileged EXEC sessions can be configured to receive log messages on any terminal line.
- Buffered logging : A little more useful as a security tool, because log messages are stored in router memory for a time. However, the events are cleared when the router reboots.
- SNMP traps : Can be preconfigured on routers. SNMP traps are a viable security logging facility, but they require the configuration and maintenance of an SNMP system.
- Syslog : Cisco routers can be configured to forward log messages to an external syslog service. Syslog is the most popular message logging facility, because it provides long-term log storage and a central location for all router messages.
Cisco router log messages contain three main parts:
- Timestamp
- Log message name and severity level
- Message text
Severity Levels
Syslog implementations contain two types of systems:
- Syslog servers : Known as log hosts, these systems accept and process log messages from syslog clients.
- Syslog clients : Routers or other types of devices that generate and forward log messages to syslog servers.
Configure system logging :
- Set the destination host using the logging host command.
- (Optional) Set the log severity level using the logging trap level command.
- Set the source interface using the logging source-interface command.
- Enable logging.
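An added Python example (not from these notes or from Cisco) that splits router log lines into the three parts named above and applies the logging trap level filter, so the reader can see which messages a syslog host would actually receive. The sample lines are constructed in the style of IOS messages, and the parser assumes msec datetime timestamps with an optional sequence number.

```python
import re
from collections import Counter

# Standard Cisco IOS severity levels: 0 is most severe, 7 least.
SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# The three parts named in the notes: timestamp, %FACILITY-SEVERITY-MNEMONIC, text.
# Assumes 'service timestamps log datetime msec' style stamps, optional sequence number.
MSG_RE = re.compile(
    r"^(?:\d+: )?\*?(?P<timestamp>\w{3}\s+\d+ [\d:.]+): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$")
SRC_RE = re.compile(r"\[Source: ([\d.]+)\]")

# Constructed sample lines written in the style of IOS messages (not a real capture).
SAMPLE = """\
000021: *Mar  1 00:12:34.567: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.5)
000022: *Mar  1 00:13:02.110: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed]
000023: *Mar  1 00:13:40.001: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] [ACL: PERMIT-ADMIN]
000024: *Mar  1 00:14:10.250: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.1.1.5] [localport: 22]
000025: *Mar  1 00:15:00.000: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
this line is not a router message
""".splitlines()


def parse(line):
    """Split one log line into its parts; None for lines that are not IOS messages."""
    m = MSG_RE.match(line)
    if not m:
        return None
    msg = m.groupdict()
    msg["severity"] = int(msg["severity"])
    msg["severity_name"] = SEVERITY[msg["severity"]]
    return msg


def forwarded(lines, trap_level):
    """Mimic 'logging trap <level>': the syslog host receives every message whose
    severity number is at or below the configured level (lower = more severe)."""
    return [m for m in map(parse, lines) if m and m["severity"] <= trap_level]


def failed_login_sources(lines):
    """Count source addresses behind SEC_LOGIN failure / quiet-mode messages."""
    hits = Counter()
    for m in filter(None, map(parse, lines)):
        if m["facility"] == "SEC_LOGIN" and m["mnemonic"] != "LOGIN_SUCCESS":
            hits.update(SRC_RE.findall(m["text"]))
    return hits
```

With logging trap 4 (warnings) the syslog host gets the failed-login, quiet-mode and link-down messages but not the two level-5 notifications, which is why the trap level chosen on the router decides what the central log can later show.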
Reference :
1) CCNA Security Cisco Network Academy