Please enable JavaScript.

Coggle requires JavaScript to display documents.

Mudule 4. Secure Device Access, image, Host-to-Router SSH, these clients…

- - - - Router(config)# banner { motd | exec | login } delimiter message delimiter
      - Banners protect the organization from a legal perspective. Choosing the appropriate wording to place in banner messages is important and should be reviewed by legal counsel before being placed on network routers.
      - Never use the word welcome or any other familiar greeting that may be misconstrued as an invitation to use the network.
  - - - Router(config)# login block-for seconds attempts tries within seconds
        
        Example
        
        R1(config)# login block-for 15 attempts 5 within 60
      - Router(config)# login quiet-mode access-class {acl-name | acl-number}
        
        Example
        
        R1(config)# login quiet-mode access-class PERMIT-ADMIN
      - Router(config)# login delay seconds
        
        Example
        
        R1(config)# login delay 10
      - Router(config)# login on-success log [every login]
      - Router(config)# login on-failure log [every login]
  - - - Specifically, the login block-for command monitors login device activity and operates in two modes:
        
        Quiet mode - This is also known as the quiet period. If the number of failed logins exceeds the configured threshold, all login attempts using Telnet, SSH, and HTTP are denied for the time specified in the login block-for command.
        
        Normal mode - This is also known as watch mode. The router keeps count of the number of failed login attempts within an identified amount of time.
- - - - It is possible to configure a Cisco device to support SSH using the following six steps:
        
        Step 1. Configure a unique device hostname
        
        Step 2. Configure the IP domain name
        
        Step 3. Generate a key to encrypt SSH traffic
        
        Step 4. Verify or create a local database entry.
        
        Step 5. Authenticate against the local database.
        
        1 more item...
        
        To verify SSH and display the generated keys, use the show crypto key mypubkey rsa command in privileged EXEC mode. If there are existing key pairs, it is recommended that they are overwritten using the crypto key zeroize rsa command. If there are existing key pairs, it is recommended that they are removed using the crypto key zeroize rsa command.
  - - - You can also modify the default SSH timeout interval and the number of authentication tries.
        
        You can also modify the default SSH timeout interval and the number of authentication tries. Use the ip ssh time-out seconds global configuration mode command to modify the default 120-second timeout interval.
        
        This configures the number of seconds that SSH can use to authenticate a user.
        
        After it is authenticated, an EXEC session starts and the standard exec-timeout configured for the vty applies.
        
        By default, a user logging in has three attempts to enter the correct password before being disconnected. To configure a different number of consecutive SSH retries, use the ip ssh authentication-retries integer global configuration mode command.
  - - - By default, when SSH is enabled, a Cisco router can act as an SSH server or SSH client. As a server, a router can accept SSH client connections. As a client, a router can connect via SSH to another SSH-enabled router shown in the following three steps.
        
        Router-to-Router SSH
        
        the administrator on R1 uses the show ssh command to check for current SSH connections. Then another administrator logs into R1 from R2. The administrator on R1 checks again for current SSH connection
  - - - The procedure for connecting to a Cisco router varies depending on the SSH client application being used. Generally, the SSH client initiates an SSH connection to the router. The router SSH service prompts for the correct username and password combination. After the login is verified, the router can be managed as if the administrator was using a standard Telnet sessio
- - - - The network infrastructure includes
        
        Servers
        
        Endpoints
        
        Switches
        
        And other devices
        
        Routers
    - - Shown in the figure is the last router between the internal network and an untrusted network, such as the internet. All of an organization’s internet traffic goes through an edge router, which often functions as the first and last line of defense for a network. The edge router helps to secure the perimeter of a protected network and implements security actions that are based on the security policies of the organization. For these reasons, securing network routers is imperative.
  - - - DMZ Approach
        
        is
        
        This approach includes an intermediate area, often called the demilitarized zone (DMZ). The DMZ can be used for servers that must be accessible from the internet or some other external network.
      - Single Router Approach
        
        is
        
        a single router connects the protected network or internal local area network (LAN), to the internet. All security policies are configured on this device. This is more commonly deployed in smaller site implementations, such as branch and small office, home office (SOHO) sites. In smaller networks, the required security features can be supported by Integrated Services Routers (ISRs) without impeding the router’s performance capabilities.
      - Defense-in-Depth Approach
        
        is
        
        A defense-in-depth approach is more secure than the single router approach. It uses multiple layers of security prior to traffic entering the protected LAN. The edge router acts as the first line of defense and is known as a screening router. After performing initial traffic filtering, the edge router passes all connections that are intended for the internal LAN to the second line of defense, which is the firewall.
        
        Primary layers of defense:
        
        The firewall
        
        Internal router that connects to the protected LAN
        
        The edge router
  - - - Eliminate potential abuse of unused ports and services:
        
        Disable unused ports and interfaces. Reduce the number of ways a device can be accessed.
        
        Disable unnecessary services. Similar to many computers, a router has services that are enabled by default. Some of these services are unnecessary and can be used by an attacker to gather information about the router and the network. This information can then be used in an exploitation attack.
        
        Secure administrative control. Ensure that only authorized personnel have access and that their level of access is controlled.
    - - There are a few procedures involved in securing the features and performance of router operating systems:
        
        Use the latest, stable version of the operating system that meets the feature specifications of the router or network device. Security and encryption features in an operating system are improved and updated over time, which makes it critical to have the most up-to-date version.
        
        Keep a secure copy of router operating system images and router configuration files as backups.
        
        Equip routers with the maximum amount of memory possible. The availability of memory can help mitigate risks to the network from some denial of service (DoS) attacks while supporting the widest range of security services.
    - - Provide physical security for the routers:
        
        Place the router and physical devices that connect to it in a secure locked room that is accessible only to authorized personnel, is free of electrostatic or magnetic interference, has fire suppression, and has temperature and humidity controls.
        
        Install an uninterruptible power supply (UPS) or diesel backup power generator. Use redundant power supplies in network devices if possible. This reduces the possibility of a network outage from power loss or failed power equipment.
  - - - Authorize actions
      - Authenticate access
      - Present legal notification
      - Log and account for all access
      - Ensure the confidentiality of data
      - Restrict device accessibility
  - - - Remote access
        
        Administrators can also access infrastructure devices remotely. Although the aux port option is available, the most common remote access method involves allowing Telnet, SSH, HTTP, HTTPS, or SNMP connections to the router from a computer.
      - Local access
        
        Local access to a router usually requires a direct connection to a console port on the Cisco router, and using a computer that is running terminal emulation software
      - Administrative Access Methods
        
        Remote Access Using Modem and Aux Port
        
        Remote Access Using SSH
        
        Local Access
- - - - Use a password length of at least eight characters, preferably 10 or more characters.
      - Make passwords complex. Include a mix of uppercase and lowercase letters, numbers, symbols, and spaces, if allowed.
      - Avoid passwords based on repetition, common words.
      - Deliberately misspell a password.
      - Change passwords often.
      - Do not write passwords down and leave them in obvious places such as on the desk or monitor.
    - - As shown in the sample configuration
        
        the service password-encryption global configuration command prevents unauthorized individuals from viewing plaintext passwords in the configuration file. This command encrypts all plaintext passwords. Notice in the example, that the password "cisco" has been encrypted as "094F471A1A0A".
        To ensure that all configured passwords are a minimum of a specified length, use the security passwords min-length length command in global configuration mode.
        
        Network administrators can become distracted and accidently leave a privileged EXEC mode session open on a terminal
        
        This could enable an internal threat actor access to change or erase the device configuration. By default, Cisco routers will logout an EXEC session after 10 minutes of inactivity. However, you can reduce this setting using the exec-timeout minutes seconds line configuration command. This command can be applied online console, auxiliary, and vty lines.
        
        For example, the following commands configure:
        
        R1(config-line)# end
        
        R1#
        
        R1(config-line)# transport input ssh
        
        R1# show running-config | section line vty
        
        R1(config-line)# exec-timeout 5 30
        
        line vty 0 4
        
        R1(config-line)# password cisco123
        
        password 7 094F471A1A0A
        
        R1(config)# line vty 0 4
        
        login
        
        R1(config)# service password-encryption
        
        exec-timeout 5 30
        
        R1(config)# security passwords min-length 8
        
        R1(config)# login block-for 120 attempts 3 within 60
        
        R1#
        
        transport input ssh
    - - This is called a passphrase. A passphrase is often easier to remember than a simple password. It is also longer and harder to guess.
        
        Multi-Factor Authentication
        
        Password Managers
    - - To secure user EXEC mode access, enter line console configuration mode using the line console 0 global configuration
        
        Console access will now require a password before allowing access to the user EXEC mode.
        
        Virtual terminal (VTY) lines enable remote access using Telnet or SSH to the device. Many Cisco switches support up to 16 VTY lines that are numbered 0 to 15.
        
        Para proteger las líneas VTY, ingrese al modo VTY de línea usando el comando de configuración global line vty 0 15.
        
        1 more item...
    - - MD5 hashes are no longer considered secure because attackers can reconstruct valid certificates. This can allow attackers to spoof any website. The enable secret password command shown in the figure uses an MD5 hash by default. Therefore, it is now recommended that you configure all secret passwords using either type 8 or type 9 passwords
      - Type 8 and type 9 were introduced in Cisco IOS 15.3(3)M.
      - Type 8 and type 9 use SHA encryption. Because type 9 is slightly stronger than type 8, it will be used throughout this course whenever it is allowed by the Cisco IOS.
      - To enter an unencrypted password, use the enable algorithm-type command syntax:
        
        Router(config)# enable algorithm-type { md5 | scrypt | sha256 | secret } unencrypted password
        
        scrypt
        
        Type 9; selects scrypt as the hashing algorithm
        
        sha256
        
        Type 8; selects Password-Based Key Derivation Function 2 (PBKDF2) whit Secure Hash Algorithm, 256-bits (SHA-256) as the hashing algorithm.
        
        md5
        
        Type 5; selects the message digest alogrithm
    - - Strong passwords are only useful if they are secret. There are several steps that can be taken to help ensure that passwords remain secret on a Cisco router and switch
        
        Encrypting all plaintext passwords
        
        Setting a minimum acceptable password length
        
        Deterring brute-force password guessing attacks
        
        Disabling an inactive privileged EXEC mode access after a specified amount of time.
        
        The startup-config and running-config files display most passwords in plaintext. This is a security threat because anyone can discover the passwords if they have access to these files.
      - The command applies weak encryption to all unencrypted passwords. This encryption applies only to passwords in the configuration file, not to passwords as they are sent over the network. The purpose of this command is to keep unauthorized individuals from viewing passwords in the configuration file.