Secure Device Access
4.3 Configure Enhanced Security for Virtual Logins
4.3.1 Enhance the Login Process
Assigning passwords and local authentication does not prevent a device from being targeted for attack. The Cisco IOS login enhancements provide more security by slowing down attacks, such as dictionary attacks and DoS attacks.
4.3.2 Configure Login Enhancement Features
The Cisco IOS login enhancements commands, which are shown below, increase the security of virtual login connections.
Router(config)# login block-for seconds attempts tries within seconds
Router(config)# login quiet-mode access-class {acl-name | acl-number}
Router(config)# login delay seconds
Router(config)# login on-success log [every login]
Router(config)# login on-failure log [every login]
4.3.3 Enable Login Enhancements
To help a Cisco IOS device provide DoS detection, use the login block-for command. It operates in two modes:
Normal mode - This is also known as watch mode. The router keeps count of the number of failed login attempts within an identified amount of time.
Quiet mode - This is also known as the quiet period. If the number of failed logins exceeds the configured threshold, all login attempts using Telnet, SSH, and HTTP are denied for the time specified in the login block-for command.
4.3.4 Log Failed Attempts
The login on-success log and login on-failure log commands generate syslog messages for successful and unsuccessful login attempts. The number of login attempts before a logging message is generated can be specified using the [every login] syntax, where the default login value is 1 attempt. The valid range is from 1 to 65,535.
Router(config)# login on-success log [every login]
Router(config)# login on-failure log [every login]
4.3.5 Syntax Checker - Configure Enhanced Login Security on R2
Use the Syntax Checker to configure enhanced login security on R2.
On R2, create a named standard access list that permits the host at IP address 192.168.10.10. Use the name PERMIT-ADMIN.
After configuration, return to global configuration mode.
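A worked configuration of the login enhancements on R2, added here as an example and not part of the course text. It uses the PERMIT-ADMIN host 192.168.10.10 from the syntax checker and the lockout values from section 4.2.4 (three failures within 60 seconds, 120-second lockout); the 3-second delay and the "every 2" logging interval are assumed values.

```cisco
! Added example (not from the course text): login enhancements on R2.
! Assumes the admin workstation is 192.168.10.10 and the VTY lines
! already require a login (for example, login local with a configured user).
R2(config)# ip access-list standard PERMIT-ADMIN
R2(config-std-nacl)# permit host 192.168.10.10
R2(config-std-nacl)# exit
! Watch (normal) mode: 3 failed logins within 60 s starts a 120 s quiet period.
! login block-for must be configured before login quiet-mode is accepted.
R2(config)# login block-for 120 attempts 3 within 60
! During the quiet period only hosts permitted by the ACL may still log in,
! so an attacker cannot lock the administrator out of the router.
R2(config)# login quiet-mode access-class PERMIT-ADMIN
! Enforce a 3 s pause between successive attempts (slows dictionary attacks).
R2(config)# login delay 3
! Syslog every successful login, and every second failed attempt.
R2(config)# login on-success log
R2(config)# login on-failure log every 2
R2(config)# end
! Verify the current mode (watch or quiet) and the failure counters.
R2# show login
R2# show login failures
```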
4.2 Configure Secure Administrative Access
4.2.1 Passwords
Use a password length of at least eight characters, preferably 10 or more characters. A longer password is a more secure password.
Make passwords complex. Include a mix of uppercase and lowercase letters, numbers, symbols, and spaces, if allowed.
Avoid passwords based on repetition, common dictionary words, letter or number sequences, usernames, relative or pet names, biographical information, such as birthdates, ID numbers, ancestor names, or other easily identifiable pieces of information.
Deliberately misspell a password. For example, Smith = Smyth = 5mYth or Security = 5ecur1ty.
Password Managers
Use a password manager to secure passwords for your online internet activity.
Multi-Factor Authentication
Use multi-factor authentication when available. This means that authentication requires two or more independent means of verification.
4.2.2 Configure Passwords
When you initially connect to a device, you are in user EXEC mode. This mode is secured using the console.
To secure privileged EXEC access, use the enable secret password global config command.
Virtual terminal (VTY) lines enable remote access using Telnet or SSH to the device.
4.2.3 Encrypt Passwords
To encrypt all plaintext passwords, use the service password-encryption global config command.
Use the show running-config command to verify that passwords are now encrypted.
4.2.4 Additional Password Security
To ensure that all configured passwords are a minimum of a specified length, use the security passwords min-length length command in global configuration mode.
The following commands configure the router as follows:
All plaintext passwords are encrypted.
New configured passwords must be eight characters or more.
If there are more than three failed VTY login attempts within 60 seconds, then lock out the VTY lines for 120 seconds.
Set the router to automatically disconnect an inactive user on a VTY line if the line has been idle for 5 minutes and 30 seconds.
4.2.5 Secret Password Algorithms
MD5 hashes are no longer considered secure because attackers can reconstruct valid certificates. This can allow attackers to spoof any website. The enable secret password command shown in the figure uses an MD5 hash by default.
To use this form of the command, you must paste in the encrypted password, which can be copied from another router configuration.
To enter an unencrypted password, use the enable algorithm-type command syntax:
The configuration is shown in the figure. Notice that the running configuration now shows a type 9 enable secret password.
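A worked password-hardening configuration covering sections 4.2.2 through 4.2.5, added here as an example and not part of the course text. The router name R1, the user name ADMIN and all secrets are placeholders; the 8-character minimum and the 5-minute-30-second idle timeout are the values from section 4.2.4.

```cisco
! Added example (not from the course text): password hardening on R1.
! Assumes an admin account named ADMIN; every secret below is a placeholder.
R1(config)# security passwords min-length 8
! Obfuscates any remaining plaintext line passwords as type 7. Type 7 is
! reversible, so use a hashed secret wherever the command supports one.
R1(config)# service password-encryption
! Type 9 (scrypt) enable secret instead of the default MD5 (type 5) hash.
R1(config)# enable algorithm-type scrypt secret Adm1n-Sec-Pl4ceh0lder
! A secret shorter than 8 characters is now rejected by min-length
! (IOS answers with a "Password too short" error and keeps the old value).
R1(config)# username ADMIN privilege 15 algorithm-type scrypt secret Ab1!
R1(config)# username ADMIN privilege 15 algorithm-type scrypt secret Adm1n-Sec-Pl4ceh0lder
R1(config)# line console 0
R1(config-line)# password Cons0le-Pl4ceh0lder
R1(config-line)# login
! Disconnect an idle session after 5 minutes 30 seconds.
R1(config-line)# exec-timeout 5 30
R1(config-line)# exit
R1(config)# line vty 0 4
R1(config-line)# exec-timeout 5 30
R1(config-line)# login local
R1(config-line)# end
! Verify: the enable secret and username now show type 9 ("secret 9 $9$..."),
! and the console password shows as type 7 ("password 7 ...").
R1# show running-config | include secret|password
```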
4.1 Secure the Edge Router
4.1.1 Secure the Network Infrastructure
Securing the network infrastructure is essential. An attacker who gains access to a router can compromise the entire network. Routers, especially edge routers, are key targets as they manage traffic between internal and external networks. Implementing proper security controls is crucial to prevent unauthorized access.
4.1.2 Edge Router Security Approaches
The edge router implementation varies depending on the organization’s size and network complexity. There are three main approaches:
Single Router Approach: A single router connects the protected internal network to the internet and manages all security policies. It’s ideal for small offices and branch locations.
Defense-in-Depth Approach: Uses multiple security layers: an edge router, a firewall, and an internal router. The edge router filters traffic, and the firewall adds further controls and allows only connections initiated from the internal network to the external network.
DMZ Approach: Introduces a demilitarized zone (DMZ) between the protected and external networks. The DMZ hosts servers accessible from the internet, with a firewall securing connections between the internal network and DMZ devices.
4.1.3 Three Areas of Router Security
Physical Security: Place the router in a secure, locked room accessible only to authorized personnel, with fire suppression and temperature control. Use an uninterruptible power supply (UPS) or backup generator.
Operating System Security: Equip routers with maximum memory and use the latest stable operating system version. Keep secure backups of router configurations.
Router Hardening: Control administrative access, disable unused ports and services to minimize vulnerabilities.
4.1.4 Secure Administrative Access
Securing administrative access is crucial to prevent unauthorized control of the router, which could lead to altered settings, disabled functions, or access to other systems.
Key tasks for securing administrative access include:
Restrict access: Limit accessible ports, communicators, and methods.
Log all access: Record who accessed the device, what they did, and when.
Authenticate users: Only allow authenticated users, limit failed logins, and set time limits between attempts.
Authorize actions: Control what each user, group, or service can do.
Display legal notices: Show legal warnings for access, prepared with legal counsel.
Protect data confidentiality: Secure local data and guard against data interception or attacks like session hijacking and MITM.
4.1.5 Secure Local and Remote Access
A router can be managed locally or remotely:
Local access: Involves connecting a console cable to the router’s port and using terminal emulation software on a computer. This method is ideal for initial setup.
Remote access: Uses connections like Telnet, SSH, HTTP, or HTTPS. If the network fails, access can be made via telephone lines and the auxiliary port.
Precautions for remote access:
Encrypt all traffic (use SSH instead of Telnet, HTTPS instead of HTTP).
Set up a dedicated management network, restricting access to authorized hosts.
Configure filters to allow only secure access.
Establish a VPN before connecting to the router.
Additionally, secure passwords are crucial for strengthening security.
4.4 Configure SSH
4.4.2 Enable SSH
Telnet allows remote access but is insecure due to unencrypted data transmission. It's recommended to use SSH for secure remote access.
To configure SSH on a Cisco device, follow these six steps:
Set a unique hostname: Ensure the device has a unique hostname.
Configure IP domain name: Use the ip domain-name command to set the network’s domain name.
Generate an encryption key: Create an RSA key with the crypto key generate rsa command (1024 bits minimum recommended).
Create a local user: Add a username and encrypted password.
Authenticate using local database: Use the login local command to authenticate users.
Enable SSH on vty lines: Use transport input ssh to allow SSH sessions.
To verify SSH and view the generated keys, use the show crypto key mypubkey rsa command in privileged EXEC mode. If key pairs already exist, it’s recommended to remove them using the crypto key zeroize rsa command. This process ensures outdated keys are cleared before generating new ones.
4.4.3 Enhance SSH Login Security
To verify optional SSH command settings, use the show ip ssh command. You can modify the default SSH timeout interval and the number of authentication attempts. Use the ip ssh time-out seconds command to change the default 120-second timeout for user authentication. Once authenticated, a standard EXEC session begins, applying the configured exec-timeout for the vty.
By default, users have three attempts to enter the correct password before disconnection. To change the number of consecutive SSH retries, use the ip ssh authentication-retries integer command.
4.4.5 Connect a Router to an SSH-Enabled Router
To verify the status of the client connections, use the show ssh command. There are two different ways to connect to an SSH-enabled router.
By default, when SSH is enabled, a Cisco router can act as an SSH server or SSH client. As a server, a router can accept SSH client connections. As a client, a router can connect via SSH to another SSH-enabled router, as shown in the following three steps.
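A worked SSH configuration covering the six steps of section 4.4.2, the timeout and retry settings of section 4.4.3, and a router-to-router client connection from section 4.4.5, added here as an example and not part of the course text. It also applies the management-network filter from section 4.1.5. The domain example.com, the user ADMIN, the address 10.1.1.1 for R1, the 192.168.10.0/24 management network and the secret are assumptions; the 2048-bit modulus exceeds the 1024-bit minimum the text recommends.

```cisco
! Added example (not from the course text): SSH v2 on R1, client on R2.
! Assumes domain example.com, admin user ADMIN, R1 reachable at 10.1.1.1,
! and a management network 192.168.10.0/24 (all placeholders).
Router(config)# hostname R1
R1(config)# ip domain-name example.com
! Clear any stale key pair first, then generate a fresh RSA key.
R1(config)# crypto key zeroize rsa
R1(config)# crypto key generate rsa general-keys modulus 2048
R1(config)# ip ssh version 2
! Shorten the default 120 s authentication window and allow only 2 retries
! (default is 3) before the connection is dropped.
R1(config)# ip ssh time-out 60
R1(config)# ip ssh authentication-retries 2
R1(config)# username ADMIN privilege 15 algorithm-type scrypt secret Adm1n-Sec-Pl4ceh0lder
! Only the management network may reach the VTY lines, and only over SSH;
! transport input ssh disables Telnet on these lines.
R1(config)# ip access-list standard MGMT-HOSTS
R1(config-std-nacl)# permit 192.168.10.0 0.0.0.255
R1(config-std-nacl)# exit
R1(config)# line vty 0 4
R1(config-line)# access-class MGMT-HOSTS in
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# end
! Verify the SSH version, timeout and retry values, and the generated key.
R1# show ip ssh
R1# show crypto key mypubkey rsa
! R2 acting as SSH client: force version 2 and log in as ADMIN.
R2# ssh -v 2 -l ADMIN 10.1.1.1
! Back on R1, list the active client sessions.
R1# show ssh
```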