Secure Device Access - Coggle Diagram
Secure Device Access
Secure the Edge Router
Secure the Network Infrastructure
To prevent unauthorized access to infrastructure devices, appropriate security policies and controls must be implemented.
The edge router is the last router between the internal network and an untrusted network, such as the internet.
The edge router helps to secure the perimeter of a protected network and implements security actions that are based on the security policies of the organization.
Edge Router Security Approaches
Single Router Approach
A single router connects the protected network, or internal local area network (LAN), to the internet. All security policies are configured on this device.
More commonly deployed in smaller sites, such as SOHO sites.
The required security features can be supported by Integrated Services Routers (ISRs) without impeding the router's performance.
Defense-in-Depth Approach
Uses multiple layers of security before traffic enters the protected LAN. There are three primary layers of defense:
The edge router
Acts as the first line of defense and is known as a screening router.
The firewall
Typically picks up where the edge router leaves off and performs additional filtering. It provides additional access control by tracking the state of the connections and acts as a checkpoint device.
Internal router
DMZ Approach
Includes an intermediate area, often called the demilitarized zone (DMZ), which can be used for servers that must be accessible from the internet or another external network.
Can be set up between two routers, with an internal router connecting to the protected network and an external router connecting to the unprotected network.
The edge router implementation varies depending on the size of the organization and the complexity of the required network design.
Router implementations can include a single router protecting an entire inside network or a router functioning as the first line of defense in a defense-in-depth approach.
Three Areas of Router Security
Physical Security
Place the router and physical devices that connect to it in a secure locked room that is accessible only to authorized personnel
Install a UPS. Use redundant power supplies to reduce the possibility of a network outage from power loss or failed power equipment.
Operating System Security
Equip the router with the maximum amount of memory possible to help it withstand DoS attacks.
Use the latest stable version of the OS. Security and encryption features in an OS are improved and updated over time, which makes it critical to run an up-to-date, patched version.
Keep a secure copy of the router OS images and router configuration files as backups
Router Hardening
Secure administrative control. Ensure that only authorized personnel have access and that their level of access is controlled
Disable unused ports and interfaces. Reduce the number of ways a device can be accessed.
Disable unnecessary services. Some of these can be used by an attacker to gather information about the router and the network
Secure Administrative Access
Restrict device accessibility
Log and account for all access
Authenticate access
Authorize actions
Present legal notification
Ensure the confidentiality of data
Secure local and remote access
Local access
Usually requires a direct connection to the console port from a computer running terminal emulation software.
The administrator must have physical access to the router and use a console cable to connect to the console port.
Remote access
The most common methods involve allowing Telnet, SSH, HTTP, HTTPS, or SNMP connections to the router from a computer.
The computer can be on the local network or on a remote network. If network connectivity to the device is down, the only way to access it might be out-of-band, for example over a telephone line to the auxiliary port.
Precautions when accessing the device remotely
Encrypt all traffic between the administrator computer and the router
Establish a dedicated management network that should include only identified administration hosts and connections to a dedicated interface on the router
Configure a packet filter to allow only the identified administration hosts and preferred protocols to access the router
Configure and establish a VPN connection to the local network before connecting to a router management interface
Configure Secure Administrative Access
Passwords
Use a password length of at least eight characters.
Make passwords complex with uppercase and lowercase letters, numbers, symbols, and spaces.
Avoid repetition, common words, letter or number sequences, usernames, relatives' or pets' names, or other identifiable information.
Deliberately misspell a password
Change passwords often
Do not write passwords down and leave them in obvious places
Use a password manager to store passwords securely.
Use a multi-factor authentication when available
Configure passwords
Secure user EXEC mode access
Secure privileged EXEC access
Secure VTY lines
Encrypt passwords
Encrypt all plaintext passwords. Note that service password-encryption only applies reversible Type 7 obfuscation to line passwords; wherever a command supports it, use a hashed secret (scrypt or SHA-256) instead of a password.
Additional password security
To ensure all passwords are at least a specified length (applies to passwords set after the command; existing ones are not rechecked):
security passwords min-length length
To deter brute-force attacks:
login block-for seconds attempts number within seconds
To log out an EXEC session after a period of inactivity:
exec-timeout minutes [seconds]
Secure password algorithms
md5
Type 5; selects Message Digest 5 (MD5) as the hashing algorithm. MD5 is a legacy choice; prefer scrypt or sha256 where the IOS version supports them.
scrypt
Type 9; selects scrypt as the hashing algorithm
sha256
Type 8; selects Password-Based Key Derivation Function 2 (PBKDF2) with Secure Hash Algorithm, 256-bits (SHA-256) as the hashing algorithm
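The password steps above (secure user EXEC, privileged EXEC and VTY access, encrypt passwords, minimum length, idle timeout, secure hashing algorithms) brought together in one Cisco IOS configuration. This is an added example, not configuration from the page; it assumes IOS 15.3(3)M or later for algorithm-type, and the username and passwords are placeholders. It uses login local with hashed secrets on the lines rather than per-line plaintext passwords.

```cisco
! Added example (not from the page): password hardening on a Cisco IOS router.
! Placeholder values: user admin and the two secrets.
configure terminal
! Enforce a minimum length for every password or secret configured from now on
security passwords min-length 10
! Privileged EXEC secret hashed with scrypt (Type 9) instead of the
! reversible "enable password" or the MD5 (Type 5) "enable secret"
enable algorithm-type scrypt secret Str0ng-Enable-P@ss
! Local user for console and VTY login, also hashed with scrypt (Type 9)
username admin privilege 15 algorithm-type scrypt secret Str0ng-Adm1n-P@ss
! User EXEC access on the console: authenticate against the local database
! and drop idle sessions after 5 minutes 30 seconds
line console 0
 login local
 exec-timeout 5 30
 exit
! VTY lines: same local authentication and idle timeout
line vty 0 4
 login local
 exec-timeout 5 30
 exit
! Obfuscate any plaintext passwords that remain (Type 7). This is reversible,
! so it is a fallback for commands that cannot take a secret, not a substitute.
service password-encryption
end
! Verify: secrets should be listed with type 9, and nothing should appear in clear
show running-config | include secret|password
```

In the verification output, hashed secrets appear as `secret 9 ...`; any line still showing `password 7 ...` is only obfuscated and should be reviewed.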
Configure Enhanced Security for Virtual Logins
Enhance the Login Process
Enabling a detection profile allows a network device to be configured to react to repeated failed login attempts.
Banners are disabled by default and must be explicitly enabled. Use the banner command to specify appropriate messages.
Banners protect the organization from a legal perspective.
Configure Login Enhancement Features
The login block-for command defends against DoS and brute-force attacks by disabling logins for a set period after a specified number of failed login attempts within a time window.
The login quiet-mode access-class command maps to an ACL that identifies the hosts still permitted to log in while the device is in quiet mode.
The login delay command specifies a uniform number of seconds the user must wait between successive login attempts.
login on-success and login on-failure commands log successful and unsuccessful login attempts
Enable Login Enhancements
login block-for
Normal mode
The router counts the failed login attempts that occur within the configured time window.
Quiet mode
If the number of failed logins exceeds the configured threshold, all login attempts using Telnet, SSH, and HTTP are denied for the configured time. Console logins are not affected.
No logins are permitted in quiet mode unless an ACL applied with login quiet-mode access-class explicitly permits the source host.
login quiet-mode access-class
login delay
Adds a uniform delay between successive login attempts, which slows automated password guessing without blocking legitimate users.
Log Failed Attempts
There are three commands that can be configured to help an admin detect a password attack
login on-success log
Generates a syslog message for each successful login attempt.
login on-failure log
Generates a syslog message for each failed login attempt.
security authentication failure rate threshold-rate log
Generates a log message when the number of failed logins per minute exceeds the configured rate.
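The login enhancement features in this section (login block-for with its quiet mode, the quiet-mode ACL exception, login delay, login on-success and on-failure logging, the authentication failure rate, and a legal banner) as one added Cisco IOS example. It is not configuration from the page; the ACL name, the management host address, the timers and the banner text are placeholders.

```cisco
! Added example (not from the page): login enhancements for virtual (Telnet/SSH/HTTP) logins.
! Placeholder values: ACL PERMIT-ADMIN, management host 192.168.10.10, all timers.
configure terminal
! Hosts that may still log in while the router is in quiet mode
ip access-list standard PERMIT-ADMIN
 permit host 192.168.10.10
 exit
! Must be configured first: 3 failed attempts within 60 s puts the
! router in quiet mode for 120 s (Telnet, SSH and HTTP logins refused)
login block-for 120 attempts 3 within 60
! Exception so the management host is never locked out by the quiet period
login quiet-mode access-class PERMIT-ADMIN
! Uniform 3-second delay between successive login attempts
login delay 3
! Syslog every successful login and every second failed attempt
login on-success log
login on-failure log every 2
! Log when more than 10 authentication failures occur within one minute
security authentication failure rate 10 log
! Legal notice shown before the login prompt
banner login #
Authorized access only. All activity is monitored and logged.
#
end
! Verify the login profile and whether the router is currently in quiet mode
show login
show login failures
```

These settings apply only to virtual logins; the console is never placed in quiet mode, so an administrator with physical access keeps a way in while an attack is being blocked.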
Configure SSH
Enable SSH
Step 1. Configure a unique device hostname
Step 2. Configure the IP domain name
Step 3. Generate an RSA key pair that the router uses to identify itself and establish the SSH session (at least 2048 bits)
Step 4. Verify or create a local database entry
Step 5. Authenticate against the local database
Step 6. Enable vty inbound SSH sessions
Enhance SSH login security
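The six SSH steps above carried through as one added Cisco IOS configuration, followed by the ip ssh settings commonly used to harden the SSH login. This is an added example, not configuration from the page; the hostname, domain name, username and password are placeholders, and the ip ssh hardening commands go beyond the steps the page lists.

```cisco
! Added example (not from the page): enabling and hardening SSH on a Cisco IOS router.
! Placeholder values: hostname R1, domain example.com, user admin and its secret.
configure terminal
! Step 1: unique hostname (it and the domain name form the RSA key pair's label)
hostname R1
! Step 2: IP domain name
ip domain-name example.com
! Step 3: RSA key pair used to identify the router in the SSH key exchange;
! giving the modulus on the command line avoids the interactive prompt
crypto key generate rsa general-keys modulus 2048
! Step 4: local database entry with a scrypt (Type 9) hashed secret
username admin privilege 15 algorithm-type scrypt secret Str0ng-Adm1n-P@ss
! Steps 5 and 6: authenticate VTY sessions against the local database and
! accept only inbound SSH (Telnet is refused)
line vty 0 4
 login local
 transport input ssh
 exec-timeout 5 0
 exit
! SSH login hardening beyond the six steps: require SSHv2, limit the time
! allowed to negotiate a session and the number of authentication attempts
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
end
! Verify the SSH version and timers, then list active SSH sessions
show ip ssh
show ssh
```

After `show ip ssh` reports version 2.0, test from a management host and confirm that a Telnet attempt to the same VTY lines is refused.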