Module 4. Secure Device Access

4.1 Secure the Edge Router

4.2 Configure Secure Administrative Access

4.3 Configure Enhanced Security for Virtual Logins

4.4 Configure SSH

4.1 Secure the Edge Router

Secure the Network Infrastructure

Securing the network infrastructure is critical to overall network security.

The network infrastructure includes:

Routers

Switches

Servers

Endpoints

And other devices

The Edge Router

Shown in the figure is the last router between the internal network and an untrusted network, such as the internet. All of an organization’s internet traffic goes through an edge router, which often functions as the first and last line of defense for a network. The edge router helps to secure the perimeter of a protected network and implements security actions that are based on the security policies of the organization. For these reasons, securing network routers is imperative.

Edge Router Security Approaches

The edge router implementation varies depending on the size of the organization and the complexity of the required network design. Router implementations can include a single router protecting an entire inside network or a router functioning as the first line of defense in a defense-in-depth approach.

Single Router Approach

A single router connects the protected network, or internal local area network (LAN), to the internet. All security policies are configured on this device. This is more commonly deployed in smaller site implementations, such as branch and small office, home office (SOHO) sites. In smaller networks, the required security features can be supported by Integrated Services Routers (ISRs) without impeding the router’s performance capabilities.

Defense-in-Depth Approach

A defense-in-depth approach is more secure than the single router approach. It uses multiple layers of security prior to traffic entering the protected LAN. The edge router acts as the first line of defense and is known as a screening router. After performing initial traffic filtering, the edge router passes all connections that are intended for the internal LAN to the second line of defense, which is the firewall.

Primary layers of defense:

The edge router

The firewall

Internal router that connects to the protected LAN

DMZ Approach

This approach includes an intermediate area, often called the demilitarized zone (DMZ). The DMZ can be used for servers that must be accessible from the internet or some other external network.

Three Areas of Router Security

Physical Security

Provide physical security for the routers:

Place the router and physical devices that connect to it in a secure locked room that is accessible only to authorized personnel, is free of electrostatic or magnetic interference, has fire suppression, and has temperature and humidity controls.

Install an uninterruptible power supply (UPS) or diesel backup power generator. Use redundant power supplies in network devices if possible. This reduces the possibility of a network outage from power loss or failed power equipment.

Operating System Security

There are a few procedures involved in securing the features and performance of router operating systems:

Use the latest, stable version of the operating system that meets the feature specifications of the router or network device. Security and encryption features in an operating system are improved and updated over time, which makes it critical to have the most up-to-date version.

Keep a secure copy of router operating system images and router configuration files as backups.

Equip routers with the maximum amount of memory possible. The availability of memory can help mitigate risks to the network from some denial of service (DoS) attacks while supporting the widest range of security services.

Router Hardening

Eliminate potential abuse of unused ports and services:

Disable unused ports and interfaces. Reduce the number of ways a device can be accessed.

Disable unnecessary services. Similar to many computers, a router has services that are enabled by default. Some of these services are unnecessary and can be used by an attacker to gather information about the router and the network. This information can then be used in an exploitation attack.

Secure administrative control. Ensure that only authorized personnel have access and that their level of access is controlled.

Secure Administrative Access

If an unauthorized person gains administrative access to a router, that person could alter routing parameters, disable routing functions, or discover and gain access to other systems within the network.

Several important tasks are involved in securing administrative access to an infrastructure device:

Restrict device accessibility

Log and account for all access

Authenticate access

Authorize actions

Present legal notification

Ensure the confidentiality of data

Banners protect the organization from a legal perspective. Choosing the appropriate wording to place in banner messages is important and should be reviewed by legal counsel before being placed on network routers.

Never use the word "welcome" or any other familiar greeting that may be misconstrued as an invitation to use the network.

Banners are disabled by default and must be explicitly enabled. Use the banner global configuration mode command to specify appropriate messages.

Router(config)# banner { motd | exec | login } delimiter message delimiter

Secure Local and Remote Access

Administrative Access Methods

A router can be accessed for administrative purposes locally or remotely:

Local access - Local access to a router usually requires a direct connection to a console port on the Cisco router, and using a computer that is running terminal emulation software.

Remote access - Administrators can also access infrastructure devices remotely. Although the aux port option is available, the most common remote access method involves allowing Telnet, SSH, HTTP, HTTPS, or SNMP connections to the router from a computer.

(Figure panels: Local Access; Remote Access Using SSH; Remote Access Using Modem and Aux Port)

4.4 Configure SSH

Enable SSH

Telnet simplifies remote device access, but it is not secure. Data contained within a Telnet packet is transmitted unencrypted. For this reason, it is highly recommended to enable Secure Shell (SSH) on devices for secure remote access.

It is possible to configure a Cisco device to support SSH using the following six steps:

Step 1. Configure a unique device hostname.

Step 2. Configure the IP domain name.

Step 3. Generate a key to encrypt SSH traffic.

Step 4. Verify or create a local database entry.

Step 5. Authenticate against the local database.

Step 6. Enable vty inbound SSH sessions.

To verify SSH and display the generated keys, use the show crypto key mypubkey rsa command in privileged EXEC mode. If there are existing key pairs, it is recommended that they are removed using the crypto key zeroize rsa command.

Syntax Checker - Enable SSH on R2

Use the Syntax Checker to enable SSH on R2.

Enhance SSH Login Security

To verify the optional SSH command settings, use the show ip ssh command.

You can also modify the default SSH timeout interval and the number of authentication tries. Use the ip ssh time-out seconds global configuration mode command to modify the default 120-second timeout interval. This configures the number of seconds that SSH can use to authenticate a user. After it is authenticated, an EXEC session starts and the standard exec-timeout configured for the vty applies.

By default, a user logging in has three attempts to enter the correct password before being disconnected. To configure a different number of consecutive SSH retries, use the ip ssh authentication-retries integer global configuration mode command.

Connect a Router to an SSH-Enabled Router

There are two different ways to connect to an SSH-enabled router. By default, when SSH is enabled, a Cisco router can act as an SSH server or SSH client. As a server, a router can accept SSH client connections. As a client, a router can connect via SSH to another SSH-enabled router, as shown in the following three steps. To verify the status of the client connections, use the show ssh command.

Router-to-Router SSH

The administrator on R1 uses the show ssh command to check for current SSH connections. Then another administrator logs into R1 from R2. The administrator on R1 checks again for current SSH connections.

Connect a Host to an SSH-Enabled Router

Connect using an SSH client running on a host. The procedure for connecting to a Cisco router varies depending on the SSH client application being used. Generally, the SSH client initiates an SSH connection to the router. The router SSH service prompts for the correct username and password combination. After the login is verified, the router can be managed as if the administrator was using a standard Telnet session.

Host-to-Router SSH

SSH clients include PuTTY, OpenSSH, and TeraTerm.

4.3 Configure Enhanced Security for Virtual Logins

Enhance the Login Process

Assigning passwords and local authentication does not prevent a device from being targeted for attack. The Cisco IOS login enhancements provide more security by slowing down attacks, such as dictionary attacks and DoS attacks.

Configure Login Enhancement Features

The Cisco IOS login enhancements commands, which are shown below, increase the security of virtual login connections.

Router(config)# login block-for seconds attempts tries within seconds

Example: R1(config)# login block-for 15 attempts 5 within 60

Router(config)# login quiet-mode access-class {acl-name | acl-number}

Example: R1(config)# login quiet-mode access-class PERMIT-ADMIN

Router(config)# login delay seconds

Example: R1(config)# login delay 10

Router(config)# login on-success log [every login]

Router(config)# login on-failure log [every login]

Enable Login Enhancements

To help a Cisco IOS device provide DoS detection, use the login block-for command. All other login enhancement features are disabled until the login block-for command is configured.

Specifically, the login block-for command monitors login device activity and operates in two modes:

Normal mode - This is also known as watch mode. The router keeps count of the number of failed login attempts within an identified amount of time.

Quiet mode - This is also known as the quiet period. If the number of failed logins exceeds the configured threshold, all login attempts using Telnet, SSH, and HTTP are denied for the time specified in the login block-for command.
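To make the watch and quiet modes concrete, here is an added Python model (example code, not part of the course or of Cisco IOS) of the login block-for, login quiet-mode access-class and on-success/on-failure logging behaviour described above. The watch period is modelled as a sliding window, which is an approximation, and the addresses and timestamps are constructed.

```python
from collections import deque


class LoginGuard:
    """Model of 'login block-for BLOCK attempts TRIES within WATCH' plus
    'login quiet-mode access-class' (hosts still permitted in quiet mode)."""

    def __init__(self, block_for, attempts, within, quiet_acl=()):
        self.block_for = block_for        # quiet period length in seconds
        self.attempts = attempts          # failures that trigger quiet mode
        self.within = within              # watch period in seconds
        self.quiet_acl = set(quiet_acl)   # sources exempt from quiet mode
        self.failures = deque()           # timestamps of recent failures
        self.quiet_until = 0.0
        self.log = []                     # what on-success/on-failure log records

    def mode(self, now):
        return "quiet" if now < self.quiet_until else "normal"

    def attempt(self, now, src_ip, password_ok):
        """Process one vty login attempt; return 'success', 'failure' or 'blocked'."""
        if self.mode(now) == "quiet" and src_ip not in self.quiet_acl:
            self.log.append(f"t={now}: quiet mode, connection from {src_ip} refused")
            return "blocked"                      # Telnet/SSH/HTTP logins denied
        if password_ok:
            self.log.append(f"t={now}: login success from {src_ip}")
            return "success"
        # Watch mode: keep only failures inside the watch period (sliding-window
        # approximation), then count this one.
        while self.failures and self.failures[0] <= now - self.within:
            self.failures.popleft()
        self.failures.append(now)
        self.log.append(f"t={now}: login failure from {src_ip}")
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures.clear()
            self.log.append(f"t={now}: quiet mode on for {self.block_for}s")
        return "failure"


def demo():
    """Equivalent of 'login block-for 15 attempts 5 within 60' with an ACL that
    permits the admin host 10.0.0.9 (constructed addresses)."""
    g = LoginGuard(block_for=15, attempts=5, within=60, quiet_acl={"10.0.0.9"})
    failures = [g.attempt(t, "198.51.100.7", False) for t in range(5)]  # 5th at t=4
    refused = g.attempt(6, "198.51.100.7", True)    # right password, but quiet mode
    admin = g.attempt(7, "10.0.0.9", True)          # exempt via quiet-mode access-class
    later = g.attempt(20, "198.51.100.7", True)     # quiet period ended at t=19
    return failures, refused, admin, later, g.mode(10)
```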

4.2 Configure Secure Administrative Access

Passwords

To protect network devices, it is important to use strong passwords.

Use a password length of at least eight characters, preferably 10 or more characters.

Make passwords complex. Include a mix of uppercase and lowercase letters, numbers, symbols, and spaces, if allowed.

Avoid passwords based on repetition or common words.

Deliberately misspell a password.

Change passwords often.

Do not write passwords down and leave them in obvious places such as on the desk or monitor.

One method to create a strong password is to use the space bar and create a phrase made of many words. This is called a passphrase. A passphrase is often easier to remember than a simple password. It is also longer and harder to guess.

Multi-Factor Authentication

Password Managers

Use them to secure passwords for your online internet activity.

Configure Passwords

To secure user EXEC mode access, enter line console configuration mode using the line console 0 global configuration command. Next, specify the user EXEC mode password using the password password command. Finally, enable user EXEC access using the login command. Console access will now require a password before allowing access to the user EXEC mode.

To secure privileged EXEC access, use the enable secret password global config command.

Virtual terminal (VTY) lines enable remote access using Telnet or SSH to the device. Many Cisco switches support up to 16 VTY lines that are numbered 0 to 15. To secure the VTY lines, enter line VTY mode using the line vty 0 15 global configuration command. Next, specify the VTY password using the password password command. Last, enable VTY access using the login command.

Encrypt Passwords

Strong passwords are only useful if they are secret. There are several steps that can be taken to help ensure that passwords remain secret on a Cisco router and switch:

Encrypting all plaintext passwords

Setting a minimum acceptable password length

Deterring brute-force password guessing attacks

Disabling an inactive privileged EXEC mode access after a specified amount of time

The startup-config and running-config files display most passwords in plaintext. This is a security threat because anyone can discover the passwords if they have access to these files.

To encrypt all plaintext passwords, use the service password-encryption global config command. The command applies weak encryption to all unencrypted passwords. This encryption applies only to passwords in the configuration file, not to passwords as they are sent over the network. The purpose of this command is to keep unauthorized individuals from viewing passwords in the configuration file.

Additional Password Security

As shown in the sample configuration, the service password-encryption global configuration command prevents unauthorized individuals from viewing plaintext passwords in the configuration file. This command encrypts all plaintext passwords. Notice in the example that the password "cisco" has been encrypted as "094F471A1A0A".

To ensure that all configured passwords are a minimum of a specified length, use the security passwords min-length length command in global configuration mode.

Network administrators can become distracted and accidentally leave a privileged EXEC mode session open on a terminal. This could enable an internal threat actor access to change or erase the device configuration. By default, Cisco routers will log out an EXEC session after 10 minutes of inactivity. However, you can reduce this setting using the exec-timeout minutes seconds line configuration command. This command can be applied on console, auxiliary, and vty lines.

For example, the following commands configure:

R1(config)# service password-encryption
R1(config)# security passwords min-length 8
R1(config)# login block-for 120 attempts 3 within 60
R1(config)# line vty 0 4
R1(config-line)# password cisco123
R1(config-line)# exec-timeout 5 30
R1(config-line)# transport input ssh
R1(config-line)# end
R1# show running-config | section line vty
line vty 0 4
 exec-timeout 5 30
 password 7 094F471A1A0A
 login
 transport input ssh
R1#

Secret Password Algorithms

MD5 hashes are no longer considered secure because attackers can reconstruct valid certificates. This can allow attackers to spoof any website. The enable secret password command shown in the figure uses an MD5 hash by default. Therefore, it is now recommended that you configure all secret passwords using either type 8 or type 9 passwords.

Type 8 and type 9 were introduced in Cisco IOS 15.3(3)M.

Type 8 and type 9 use SHA encryption. Because type 9 is slightly stronger than type 8, it will be used throughout this course whenever it is allowed by the Cisco IOS.

To enter an unencrypted password, use the enable algorithm-type command syntax:

Router(config)# enable algorithm-type { md5 | scrypt | sha256 } secret unencrypted-password

md5 - Type 5; selects the message digest algorithm.

sha256 - Type 8; selects Password-Based Key Derivation Function 2 (PBKDF2) with Secure Hash Algorithm, 256-bits (SHA-256) as the hashing algorithm.

scrypt - Type 9; selects scrypt as the hashing algorithm.