Module 4: Secure Device Access
4.0.1 Why Should I Take This Module?
Securing device access is a critical task for a network security professional. You can think of a router as the locked gate to your fenced-in yard.
4.1 Secure the Edge Router
4.1.1 Secure the Network Infrastructure
Securing the network infrastructure is critical to overall network security. The network infrastructure includes routers, switches, servers, endpoints, and other devices.
4.1.2 Edge Router Security Approaches
The edge router implementation varies depending on the size of the organization and the complexity of the required network design.
4.1.3 Three Areas of Router Security
Securing the edge router is a critical first step in securing the network. If there are other internal routers, they also must be securely configured.
Physical Security
Place the router and physical devices that connect to it in a secure locked room that is accessible only to authorized personnel.
Operating System Security
Equip routers with the maximum amount of memory possible.
Router Hardening
Secure administrative control. Ensure that only authorized personnel have access and that their level of access is controlled.
4.1.4 Secure Administrative Access
Securing administrative access is an extremely important security task.
4.1.5 Secure Local and Remote Access
Some remote access protocols send data, including usernames and passwords, to the router in plaintext.
4.2 Configure Secure Administrative Access
4.2.1 Passwords
To protect network devices, it is important to use strong passwords.
4.2.2 Configure Passwords
To secure user EXEC mode access, enter line console configuration mode using the line console 0 global configuration command.
4.2.3 Encrypt Passwords
Strong passwords are only useful if they are secret. There are several steps that can be taken to help ensure that passwords remain secret on a Cisco router and switch.
4.2.4 Additional Password Security
As shown in the sample configuration, the service password-encryption global configuration command prevents unauthorized individuals from viewing plaintext passwords in the configuration file.
4.2.5 Secret Password Algorithms
MD5 hashes are no longer considered secure because attackers can reconstruct valid certificates. This can allow attackers to spoof any website.
4.2.6 Syntax Checker - Secure Administrative Access on R2
In this Syntax Checker activity, you will configure secure administrative access on R2.
4.3 Configure Enhanced Security for Virtual Logins
4.3.1 Enhance the Login Process
Assigning passwords and local authentication does not prevent a device from being targeted for attack.
4.3.2 Configure Login Enhancement Features
The Cisco IOS login enhancement commands, which are shown below, increase the security of virtual login connections.
The login on-success and login on-failure commands log successful and unsuccessful login attempts.
4.3.3 Enable Login Enhancements
All other login enhancement features are disabled until the login block-for command is configured.
4.3.4 Log Failed Attempts
The first two commands, login on-success log and login on-failure log, generate syslog messages for successful and unsuccessful login attempts.
4.4 Configure SSH
4.4.2 Enable SSH
Telnet simplifies remote device access, but it is not secure. Data contained within a Telnet packet is transmitted unencrypted.
4.4.3 Enhance SSH Login Security
You can also modify the default SSH timeout interval and the number of authentication tries.
4.4.5 Connect a Router to an SSH-Enabled Router
By default, when SSH is enabled, a Cisco router can act as an SSH server or SSH client.
4.4.6 Connect a Host to an SSH-Enabled Router
The procedure for connecting to a Cisco router varies depending on the SSH client application being used. Generally, the SSH client initiates an SSH connection to the router.
4.5 Secure Device Access Summary
4.5.1 What Did I Learn in this Module?
Routers are a primary target for attacks because these devices act as traffic police, which direct traffic into, out of, and between networks.
The edge router is the last router between the internal network and an untrusted network, such as the internet. Securing the router is imperative.