Module 4: Secure device access, COMMANDS
Module 4: Secure device access
Configure Secure Administrative Access
To protect network devices, it is important to use strong passwords.
Here are standard guidelines to follow:
Use a password length of at least eight characters, preferably 10 or more characters. A longer password is a more secure password.
Make passwords complex. Include a mix of uppercase and lowercase letters, numbers, symbols, and spaces, if allowed.
Avoid passwords based on repetition, common dictionary words, letter or number sequences, usernames, relative or pet names, biographical information, such as birthdates, ID numbers, ancestor names, or other easily identifiable pieces of information.
Deliberately misspell a password. For example, Smith = Smyth = 5mYth or Security = 5ecur1ty.
Change passwords often. If a password is unknowingly compromised, the window of opportunity for the threat actor to use the password is limited.
Do not write passwords down and leave them in obvious places such as on the desk or monitor.
Password Managers
Use a password manager to secure passwords for your online internet activity. Considered to be the best practice to secure passwords, the password manager automatically generates complex passwords for you and will automatically enter them when you access those sites. You only have to enter a primary password to enable this feature.
Multi-Factor Authentication
Use multi-factor authentication when available. This means that authentication requires two or more independent means of verification. For example, when you enter a password, you would also have to enter a code that is sent to you through email or text message.
Configure Passwords on Cisco Devices
To secure user EXEC mode access:
Sw-Floor-1# configure terminal
Sw-Floor-1(config)# line console 0
Sw-Floor-1(config-line)# password cisco
Sw-Floor-1(config-line)# login
Sw-Floor-1(config-line)# end
To secure privileged EXEC mode access:
Sw-Floor-1# configure terminal
Sw-Floor-1(config)# enable secret class
Sw-Floor-1(config)# exit
An example of securing the VTY lines on a switch is shown.
Sw-Floor-1# configure terminal
Sw-Floor-1(config)# line vty 0 15
Sw-Floor-1(config-line)# password cisco
Sw-Floor-1(config-line)# login
Sw-Floor-1(config-line)# end
Encrypt Passwords
Encrypting all plaintext passwords
To encrypt all plaintext passwords, use the service password-encryption global config command as shown in the example.
Sw-Floor-1# configure terminal
Sw-Floor-1(config)# service password-encryption
Further measures to keep passwords secret, covered under Additional Password Security:
Setting a minimum acceptable password length
Deterring brute-force password guessing attacks
Disabling inactive privileged EXEC mode access after a specified amount of time
Additional Password Security
As shown in the sample configuration, the service password-encryption global configuration command prevents unauthorized individuals from viewing plaintext passwords in the configuration file. This command encrypts all plaintext passwords.
For example, a configuration can be built so that:
All plaintext passwords are encrypted.
Newly configured passwords must be eight characters or more.
If there are more than three failed VTY login attempts within 60 seconds, the VTY lines are locked out for 120 seconds.
The router automatically disconnects an inactive user on a VTY line if the line has been idle for 5 minutes and 30 seconds.
Secret Password Algorithms
MD5 hashes are no longer considered secure because attackers can reconstruct valid certificates. This can allow attackers to spoof any website. The enable secret password command shown in the figure uses an MD5 hash by default. Therefore, it is now recommended that you configure all secret passwords using either type 8 or type 9 passwords. Type 8 and type 9 were introduced in Cisco IOS 15.3(3)M. Type 8 and type 9 use SHA-based hashing. Because type 9 is slightly stronger than type 8, it will be used throughout this course whenever it is allowed by the Cisco IOS.
Router(config)# enable algorithm-type { md5 | scrypt | sha256 } secret unencrypted-password
Configure Enhanced Security for Virtual Logins
Enhance the Login Process
Assigning passwords and local authentication does not prevent a device from being targeted for attack. Access control lists (ACLs) can be used to permit legitimate connections from addresses of known system administrators.
Banners are disabled by default and must be explicitly enabled. Use the banner global configuration mode command to specify appropriate messages.
Router(config)# banner { motd | exec | login } delimiter message delimiter
Configure Login Enhancement Features
The Cisco IOS login enhancements commands, which are shown below, increase the security of virtual login connections.
Router(config)# login block-for seconds attempts tries within seconds
Router(config)# login quiet-mode access-class {acl-name | acl-number}
Router(config)# login delay seconds
Router(config)# login on-success log [every login]
Router(config)# login on-failure log [every login]
These login enhancements do not apply to console connections. When dealing with console connections, it is assumed that only authorized personnel have physical access to the devices.
The following example configures these features together, permitting only the administrative hosts during quiet mode:
R1(config)# ip access-list standard PERMIT-ADMIN
R1(config-std-nacl)# remark Permit only Administrative hosts
R1(config-std-nacl)# permit 192.168.10.10
R1(config-std-nacl)# permit 192.168.11.10
R1(config-std-nacl)# exit
R1(config)# login block-for 15 attempts 5 within 60
R1(config)# login quiet-mode access-class PERMIT-ADMIN
R1(config)# login delay 10
R1(config)# login on-success log
R1(config)# login on-failure log
R1(config)#
Enable Login Enhancements
To help a Cisco IOS device provide DoS detection, use the login block-for command. All other login enhancement features are disabled until the login block-for command is configured.
R1(config)# ip access-list standard PERMIT-ADMIN
R1(config-std-nacl)# remark Permit only Administrative hosts
R1(config-std-nacl)# permit 192.168.10.10
R1(config-std-nacl)# permit 192.168.11.10
R1(config-std-nacl)# exit
R1(config)# login quiet-mode access-class PERMIT-ADMIN
R1(config)# login delay 3
Log Failed Attempts
There are three commands that can be configured to help an administrator detect a password attack, as shown in the figure. Each command enables a device to generate syslog messages for failed or successful login attempts.
Router(config)# login on-success log [every login]
Router(config)# login on-failure log [every login]
Router(config)# security authentication failure rate threshold-rate log
Configure SSH
Telnet simplifies remote device access, but it is not secure. Data contained within a Telnet packet is transmitted unencrypted. For this reason, it is highly recommended to enable Secure Shell (SSH) on devices for secure remote access.
It is possible to configure a Cisco device to support SSH using the following six steps:
Step 1. Configure a unique device hostname.
Router(config)# hostname R1
Step 2. Configure the IP domain name.
R1(config)# ip domain name span.com
Step 3. Generate a key to encrypt SSH traffic.
R1(config)# crypto key generate rsa general-keys modulus 1024
Step 4. Verify or create a local database entry.
R1(config)# username Bob secret cisco
Step 5. Authenticate against the local database.
R1(config)# line vty 0 4
R1(config-line)# login local
Step 6. Enable VTY inbound SSH sessions.
R1(config-line)# transport input ssh
To verify SSH and display the generated keys, use:
R1# show crypto key mypubkey rsa
Enhance SSH Login Security
To verify the optional SSH command settings, use:
R1# show ip ssh
To configure a different number of consecutive SSH retries, use:
R1(config)# ip ssh authentication-retries 2
To modify the default 120-second timeout interval, use:
R1(config)# ip ssh time-out 60
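As an added example (not part of the module), this Python script audits a saved running-config for the controls described in the password-security, login-enhancement and SSH sections above: encrypted plaintext passwords, a minimum password length, a type 8/9 enable secret, login block-for, failure logging, a non-zero VTY exec-timeout, SSH-only transport and local login. The sample config is constructed and its secret hash is a placeholder.

```python
import re

# Constructed sample running-config (not from the page) that applies the module's
# password, login-enhancement and SSH settings; the secret hash is a placeholder.
SAMPLE_CONFIG = """\
hostname R1
service password-encryption
security passwords min-length 8
enable secret 9 $9$PLACEHOLDER-CONSTRUCTED-HASH
login block-for 120 attempts 3 within 60
login on-failure log
line vty 0 4
 exec-timeout 5 30
 transport input ssh
 login local
"""

def vty_block(config):
    """Return the indented sub-commands of the first 'line vty' section."""
    cmds, inside = [], False
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            inside = True
        elif inside and raw.startswith(" "):
            cmds.append(raw.strip())
        elif inside:
            break  # next top-level command ends the section
    return cmds

def audit(config):
    """Map each hardening control from the module to True (met) or False (missing/weak)."""
    top = [line.strip() for line in config.splitlines()]
    vty = vty_block(config)
    r = {"plaintext passwords encrypted": "service password-encryption" in top,
         "failed logins logged": "login on-failure log" in top,
         "vty ssh only": "transport input ssh" in vty,  # exact match: no telnet fallback
         "vty login local": "login local" in vty}
    m = re.search(r"^security passwords min-length (\d+)$", config, re.M)
    r["min-length >= 8"] = bool(m) and int(m.group(1)) >= 8
    m = re.search(r"^enable secret (\d) ", config, re.M)  # type 5 = MD5, 8/9 = SHA-256 based
    r["enable secret type 8/9"] = bool(m) and m.group(1) in ("8", "9")
    m = re.search(r"^login block-for (\d+) attempts (\d+) within (\d+)$", config, re.M)
    r["login block-for configured"] = bool(m) and int(m.group(1)) > 0
    secs = None
    for cmd in vty:
        if cmd.startswith("exec-timeout"):
            parts = cmd.split()[1:] + ["0"]  # seconds field is optional
            secs = int(parts[0]) * 60 + int(parts[1])
    r["vty idle timeout non-zero"] = secs is not None and secs > 0  # 'exec-timeout 0 0' disables it
    return r
```

Paste the output of show running-config into SAMPLE_CONFIG (or read it from a file) and any False entry in audit() is a control from this module that is missing or weakened.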
Connect Devices with SSH
There are two different ways to connect to an SSH-enabled router.
Router
Connect from another Cisco router using the ssh command, then verify the status of the client connections with the show ssh command:
R2# ssh -l Bob 192.168.2.101
R1# show ssh
Host
Connect using an SSH client running on a host, as shown in the following four figures. Examples of these clients include PuTTY, OpenSSH, and TeraTerm.
Secure the Edge Router
Secure the Network Infrastructure
Securing the network infrastructure is critical to overall network security. The network infrastructure includes routers, switches, servers, endpoints, and other devices.
If an attacker gains access to a router, the security and management of the entire network can be compromised. For example, an attacker can erase the startup configuration and make the router reload in five minutes. When the router reboots, it will not have a startup configuration.
To prevent unauthorized access to all infrastructure devices, appropriate security policies and controls must be implemented. Routers are a primary target for attacks because these devices act as traffic police, which direct traffic into, out of, and between networks.
Edge Router Security Approaches
The edge router implementation varies depending on the size of the organization and the complexity of the required network design. Router implementations can include a single router protecting an entire inside network or a router functioning as the first line of defense in a defense-in-depth approach.
Three Areas of Router Security
Securing the edge router is a critical first step in securing the network. If there are other internal routers, they also must be securely configured. Three areas of router security must be maintained.
Provide physical security
Provide physical security for the routers:
Place the router and physical devices that connect to it in a secure locked room that is accessible only to authorized personnel, is free of electrostatic or magnetic interference, has fire suppression, and has temperature and humidity controls.
Install an uninterruptible power supply (UPS) or diesel backup power generator. Use redundant power supplies in network devices if possible. This reduces the possibility of a network outage from power loss or failed power equipment.
Operating System Security
There are a few procedures involved in securing the features and performance of router operating systems:
Equip routers with the maximum amount of memory possible. The availability of memory can help mitigate risks to the network from some denial of service (DoS) attacks while supporting the widest range of security services.
Use the latest, stable version of the operating system that meets the feature specifications of the router or network device. Security and encryption features in an operating system are improved and updated over time, which makes it critical to have the most up-to-date version.
Keep a secure copy of router operating system images and router configuration files as backups.
Router Hardening
Eliminate potential abuse of unused ports and services:
Secure administrative control. Ensure that only authorized personnel have access and that their level of access is controlled.
Disable unused ports and interfaces. Reduce the number of ways a device can be accessed.
Disable unnecessary services. Similar to many computers, a router has services that are enabled by default. Some of these services are unnecessary and can be used by an attacker to gather information about the router and the network. This information can then be used in an exploitation attack.
Secure Administrative Access
Securing administrative access is an extremely important security task. If an unauthorized person gains administrative access to a router, that person could alter routing parameters, disable routing functions, or discover and gain access to other systems within the network.
Several important tasks are involved in securing administrative access to an infrastructure device:
Restrict device accessibility - Limit the accessible ports, restrict the permitted communicators, and restrict the permitted methods of access.
Log and account for all access - Record anyone who accesses a device, what happened during the access, and when the access occurred for auditing purposes.
Authenticate access - Ensure that access is granted only to authenticated users, groups, and services. Limit the number of failed login attempts and the time allowed between logins.
Authorize actions - Restrict the actions and views permitted by any particular user, group, or service.
Present legal notification - Display a legal notice for interactive sessions, such as a login banner.
Ensure the confidentiality of data - Protect locally stored and sensitive data from being viewed and copied. Consider the vulnerability of data in transit over a communication channel to sniffing, session hijacking, and man-in-the-middle (MITM) attacks.
Secure Local and Remote Access
A router can be accessed for administrative purposes locally or remotely:
Local access - All network infrastructure devices can be accessed locally. Local access to a router usually requires a direct connection to a console port on the Cisco router, using a computer that is running terminal emulation software, as shown in the figure. The administrator must have physical access to the router and use a console cable to connect to the console port. Local access is typically used for initial configuration of the device.
Remote access - Administrators can also access infrastructure devices remotely, as shown in the figure. Although the aux port option is available, the most common remote access method involves allowing Telnet, SSH, HTTP, HTTPS, or SNMP connections to the router from a computer. The computer can be on the local network or a remote network. However, if network connectivity to the device is down, the only way to access it might be over telephone lines.