Module 6:
Device monitoring and management
6.1 Secure Cisco IOS Image and Configuration Files
6.1.1 Cisco IOS Resilient Configuration Feature
Protected Files:
Stores a secure copy of the IOS image and the running configuration.
Primary Bootset:
Protected files cannot be deleted or listed using normal CLI commands.
Requirements:
Available only on older routers with PCMCIA ATA flash interfaces. It is not compatible with modern routers (e.g., ISR 4000).
Function:
Enables quick recovery if the flash memory is formatted or the configuration in NVRAM (non-volatile memory) is deleted.
6.1.3 The Primary Bootset Image
Primary Bootset Restoration:
Used to recover a router after an attack or critical failure.
Steps:
Restart the Router:
Use the reload command.
Enter ROMmon:
Interrupt the boot sequence using a break signal.
Load Secure Image:
Use the boot command to load the image from internal flash memory.
Restore Configuration:
Use secure boot-config restore to retrieve the saved configuration.
Apply Configuration:
Use copy commands to apply the recovered configuration to the running setup.
6.2 Lock Down a Router Using AutoSecure
6.2.1 Discovery Protocols CDP and LLDP
Definition:
CDP is a Cisco proprietary protocol enabled by default on Cisco devices to discover other connected Cisco devices.
Risk:
It provides sensitive information (IP addresses, OS version, platform details) that attackers can leverage.
Mitigation:
Disable it on interfaces where it’s not needed, especially on public-facing or untrusted interfaces.
Definition:
LLDP is an open standard protocol used to discover devices from various vendors at the data link layer.
Usage:
Functions similarly to CDP but must be manually enabled on Cisco devices.
Risk:
Exposed information can be intercepted using tools such as UNCLE and used in network attacks.
6.2.2 Settings for Protocols and Services
Vulnerable Services and Protocols
CDP
(Cisco Discovery Protocol)
LLDP
(Link Layer Discovery Protocol)
ICMP
(Internet Control Message Protocol)
6.2.3 Cisco AutoSecure
Management Plane Services and Functions
BOOTP, CDP, FTP, TFTP, PAD, MOP, ICMP (redirects, mask-replies)
UDP/TCP small servers
IP Source Routing
Finger service
Password encryption and login security
Secure NTP (Network Time Protocol)
SSH access
TCP intercept services
Forwarding Plane Services and Functions
Cisco Express Forwarding (CEF)
Traffic filtering with Access Control Lists (ACLs)
Cisco IOS Firewall inspection for common protocols
Benefits of AutoSecure
Baseline security:
Provides a quick security setup for new routers.
Customizable:
Security settings can be modified to align with the organization’s policies.
6.2.4 Cisco AutoSecure Command Syntax
Command Parameters
Interactive Mode (default):
Prompts user to enable/disable services.
Command: auto secure full
Non-Interactive Mode:
Uses recommended Cisco default settings.
Command: auto secure no-interact
Components
Management Plane Security: auto secure management
Forwarding Plane Security: auto secure forwarding
Additional Options
NTP Security: auto secure ntp
Login Security: auto secure login
SSH Access: auto secure ssh
Firewall Inspection: auto secure firewall
TCP Intercept Services: auto secure tcp-intercept
6.3 Routing Protocol Authentication
6.3.1 Dynamic Routing Protocols
Dynamic Routing
Routers automatically share and learn routes without manual configuration.
Network Discovery
Routers exchange information about known networks.
Routing Protocols
Algorithms for automatic route learning. Examples: RIP, OSPF, EIGRP, BGP.
Routing Table
Stores known networks and the best path to each.
Best Path Selection
Protocol selects the most efficient route based on metrics.
Automatic Route Updates
Routes change automatically when the network topology changes.
6.3.2 Routing Protocol Spoofing
Routing Attack
Disrupting or falsifying routing information.
Spoofing
Injecting false routing data to mislead routers.
Routing Loop
Traffic endlessly loops between routers due to misinformation.
Packet Redirection
Traffic sent through unintended or insecure paths.
DoS Attack
Routing misconfigurations cause service disruption.
6.3.3 OSPF MD5 Routing Protocol Authentication
Enable OSPF MD5 authentication globally:
ip ospf message-digest-key key md5 password interface configuration command.
area area-id authentication message-digest router configuration command.
This method forces authentication on all OSPF enabled interfaces. If an interface is not configured with the ip ospf message-digest-key command, it will not be able to form adjacencies with other OSPF neighbors.
Enable MD5 authentication on a per interface basis:
ip ospf message-digest-key key md5 password interface configuration command.
ip ospf authentication message-digest interface configuration command.
OSPF Configured Without Authentication
OSPF Configured With MD5 Authentication
6.3.4 OSPF SHA Routing Protocol Authentication
OSPF SHA authentication includes two major steps. The syntax for the commands is shown in the figure:
Step 1. Specify an authentication key chain in global configuration mode:
Configure a key chain name with the key chain command.
Assign the key chain a number and a password with the key and key-string commands.
Specify SHA authentication with the cryptographic-algorithm command.
(Optional) Specify when this key will expire with the send-lifetime command.
Step 2. Use the following syntax to assign the authentication key to the desired interfaces with the ip ospf authentication key-chain command.
Router(config)# interface type number
Router(config-if)# ip ospf authentication key-chain name
OSPF Configured with SHA Authentication
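The two SHA steps above carried through on one router, as an added example (not from the page or the course): the key chain name OSPF-SHA, the key strings, the dates and interface GigabitEthernet0/0 are assumptions. It also shows a second key staged for rollover with overlapping lifetimes, which the step list mentions only as the optional send-lifetime.

```cisco
! Added example: OSPF HMAC-SHA-256 authentication via a key chain on R1.
! Key chain name, key strings, dates and interface are assumptions.
! Lifetimes are wall-clock based, so R1 and its neighbors need NTP (section 6.6).
R1(config)# key chain OSPF-SHA
R1(config-keychain)# key 1
R1(config-keychain-key)# key-string Ospf-K3y-curr3nt
R1(config-keychain-key)# cryptographic-algorithm hmac-sha-256
! Key 1 is sent until 1 Jul 2025 and still accepted for a 5-minute grace period
R1(config-keychain-key)# send-lifetime 00:00:00 Jan 1 2025 00:00:00 Jul 1 2025
R1(config-keychain-key)# accept-lifetime 00:00:00 Jan 1 2025 00:05:00 Jul 1 2025
R1(config-keychain-key)# exit
R1(config-keychain)# key 2
R1(config-keychain-key)# key-string Ospf-K3y-n3xt
R1(config-keychain-key)# cryptographic-algorithm hmac-sha-256
! Key 2 is accepted slightly before it is sent, so neighbors can switch first
R1(config-keychain-key)# send-lifetime 00:00:00 Jul 1 2025 infinite
R1(config-keychain-key)# accept-lifetime 23:55:00 Jun 30 2025 infinite
R1(config-keychain-key)# exit
R1(config-keychain)# exit
! Step 2: bind the key chain to the OSPF interface (same on every neighbor)
R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip ospf authentication key-chain OSPF-SHA
R1(config-if)# end
! Verify: the interface should report cryptographic authentication, and the
! neighbor must reach FULL state; a mismatch shows up as adjacencies not forming
R1# show ip ospf interface GigabitEthernet0/0
R1# show ip ospf neighbor
```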
6.4 Secure Management and Reporting
6.4.1 Types of Management Access
When logging and managing information, the information flow between management hosts and the managed devices can take two paths:
In-band - Information flows across an enterprise production network, the internet, or both, using regular data channels.
Out-of-band (OOB) - Information flows on a dedicated management network on which no production traffic resides.
In-Band Management
OOB Management:
Out-of-band access to manage devices outside the production network.
Access Control:
Restricts access to the management network to prevent unauthorized access.
6.4.2 Out-of-Band and In-Band Access
OOB management guidelines are:
Provide the highest level of security.
Mitigate the risk of passing insecure management protocols over the production network.
In-band management guidelines are:
Apply only to devices that need to be managed or monitored.
Use IPsec, SSH, or SSL when possible.
Decide whether the management channel needs to be open at all times.
6.5 Network Security Using Syslog
6.5.1 Introduction to Syslog
Syslog Protocol
A standard protocol for transmitting system messages from network devices to a central syslog server.
Developed for UNIX systems in the 1980s and later documented in RFC 3164 (2001) by the IETF.
Commonly used by devices such as routers, switches, firewalls, and application servers.
Message Transmission
Uses UDP port 514 to send event notifications across IP networks.
Messages can indicate non-critical events or significant issues requiring immediate attention.
Devices send these messages to syslog servers for storage, analysis, and alerts.
Syslog Server and Event Collection
Centralizes system messages from multiple devices for easy management.
Network administrators monitor, store, and interpret these messages to ensure network health.
Can issue alerts for messages with a high impact on network infrastructure.
6.5.2 Syslog Operation
As shown in the figure, popular destinations for syslog messages include the:
Logging buffer (RAM inside a router or switch)
Console line
Terminal line
Syslog server
6.5.3 Syslog Message Format
Each syslog level has its own meaning:
Emergency Level 0 - Warning Level 4: These messages are error messages about software or hardware malfunctions; these types of messages mean that the functionality of the device is affected. The severity of the issue determines the actual syslog level applied.
Notification Level 5: This notification level is for normal but significant events. For example, interface up or down transitions and system restart messages are displayed at the notification level.
Informational Level 6: This is a normal information message that does not affect device functionality. For example, when a Cisco device is booting, you might see the following informational message: %LICENSE-6-EULA_ACCEPT_ALL: The Right to Use End User License Agreement is accepted.
Debugging Level 7: This level indicates that the messages are output generated from issuing various debug commands.
6.5.4 Syslog Facilities
Some common syslog message facility codes reported on Cisco IOS routers include:
IF - Identifies that the syslog message was generated by an interface.
IP - Identifies that the syslog message was generated by IP.
OSPF - Identifies that the syslog message was generated by the OSPF routing protocol.
SYS - Identifies that the syslog message was generated by the device operating system.
IPSEC - Identifies that the syslog message was generated by the IP Security encryption protocol.
6.5.5 Configure Syslog Timestamps
Timestamped Log Messages
Log messages include date and time information, allowing for better tracking of events and facilitating analysis when sent to destinations like Syslog servers.
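Sections 6.5.2 to 6.5.5 put together as an added configuration example (not from the page): timestamped, sequence-numbered messages kept in the buffer and forwarded to a syslog server. The server address 10.0.0.50, the Loopback0 source interface and the timezone are assumptions.

```cisco
! Added example: syslog destinations, severity thresholds and timestamps on R1.
! Server 10.0.0.50, Loopback0 and the UTC timezone are assumptions.
R1(config)# clock timezone UTC 0
! Timestamp every log line with date, time, milliseconds and timezone
R1(config)# service timestamps log datetime msec localtime show-timezone year
! Prefix a sequence number so gaps (dropped messages) are visible on the server
R1(config)# service sequence-numbers
! Destination 1: RAM buffer, levels 0-6 (informational and above)
R1(config)# logging buffered 64000 informational
! Destination 2: syslog server over UDP/514, levels 0-5 (notifications and above)
R1(config)# logging host 10.0.0.50
R1(config)# logging trap notifications
! Send from a stable address and tag messages with the hostname
R1(config)# logging source-interface Loopback0
R1(config)# logging origin-id hostname
! Destination 3: console, only levels 0-4 so warnings do not flood the session
R1(config)# logging console warnings
R1(config)# end
! Each line now reads: seq: timestamp: %FACILITY-SEVERITY-MNEMONIC: text
R1# show logging
```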
6.6 NTP Configuration
6.6.1 Time and Calendar Services
Importance of Time Synchronization
Accurate Timestamping: Ensures all network components (routers, switches) have the same date and time, critical for managing, securing, troubleshooting, and planning networks.
Event Order and Cause Determination: Synchronized time allows administrators to determine the sequence of events and diagnose issues effectively.
6.6.2 NTP Operation
Stratum 0
This identifies a device providing the most authoritative time source. Stratum 0 devices, such as atomic and GPS clocks, are the most accurate authoritative time sources.
Stratum 1
NTP stratum 1 devices are network devices that are directly connected to the authoritative time sources. They function as the primary network time standard to stratum 2 devices.
Stratum 2 and Lower
NTP stratum 2 servers are connected on a network to a stratum 1 device. Stratum 2 devices are NTP clients and synchronize their time by using the NTP packets from a stratum 1 server such as a router. They in turn can be NTP servers for stratum 3 devices.
6.6.3 Configure and Verify NTP
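The stratum model above applied as an added example (not from the page): R1 synchronizes as an authenticated client of a stratum 1 server and then serves time to its own LAN, becoming a stratum 2 source. The server address 10.0.0.50, key number 1, the key string and the 10.0.1.0/24 LAN are assumptions; the same key must be configured on the server.

```cisco
! Added example: authenticated NTP client on R1 plus a restricted NTP server role.
! Server 10.0.0.50, key 1 and the 10.0.1.0/24 LAN are assumptions.
R1(config)# ntp authenticate
R1(config)# ntp authentication-key 1 md5 <ntp-key-string>
R1(config)# ntp trusted-key 1
! Only a server that signs with trusted key 1 can update R1's clock
R1(config)# ntp server 10.0.0.50 key 1 prefer
! Copy NTP time into the hardware calendar so it survives a reload
R1(config)# ntp update-calendar
R1(config)# ntp source Loopback0
! Allow LAN hosts to sync from R1 (stratum 2) but not to control or query it
R1(config)# access-list 10 permit 10.0.1.0 0.0.0.255
R1(config)# ntp access-group serve-only 10
R1(config)# end
! Verify: status should say "synchronized" with the expected stratum, and the
! association for 10.0.0.50 should be marked as authenticated
R1# show ntp status
R1# show ntp associations detail
```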
6.1.2 Enable the IOS Image Resilience Feature
Backup Activation:
secure boot-image:
Protects the IOS image.
secure boot-config:
Archives the current running configuration.
Persistent Storage:
Works only if the IOS image and configuration are loaded from internal flash memory.
Verification:
Use the show secure bootset command to check protected files since they are not listed with dir.
Deactivation:
Can only be done via a physical console session using the no commands (e.g., no secure boot-image).
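The activation commands of 6.1.2 followed by the ROMmon restoration steps of 6.1.3, as one added example (not from the page). The image filename, the rescue-cfg filename and the ROMmon prompt format are assumptions.

```cisco
! Added example: enable IOS image resilience on R1, then restore the primary
! bootset after the flash was wiped. Filenames are placeholders.
! --- Activation (needs image and config loaded from internal flash) ---
R1(config)# secure boot-image
R1(config)# secure boot-config
R1(config)# end
! The secured files are hidden from dir; this is the only way to list them
R1# show secure bootset
! --- Recovery: reload, send a break during boot, and the router is in ROMmon ---
! ROMmon does list the secured image, so it can be booted directly
rommon 1 > dir flash:
rommon 2 > boot flash:<secured-ios-image>.bin
! With no startup-config the setup dialog appears; answer "no" to it
Router> enable
Router# configure terminal
! Write the archived configuration out to a normal file in flash
Router(config)# secure boot-config restore flash:rescue-cfg
Router(config)# end
! Apply it to the running configuration and save it back to NVRAM
Router# copy flash:rescue-cfg running-config
R1# copy running-config startup-config
```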
6.1.4 Configure Secure Copy
SCP:
Secure protocol for transferring files between devices (e.g., IOS images or configuration files).
Requirements:
SSH:
Provides secure communication between devices.
AAA:
Manages user authentication and authorization.
Configuration Steps:
SSH Setup:
Generate RSA keys and define a domain name.
Enable AAA:
Use aaa new-model and create local users with privilege level 15.
Enable SCP:
Use ip scp server enable to allow the router to act as an SCP server.
Usage:
Example Transfer:
Use the copy command to send files to or from the router via SCP.
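The SSH, AAA and SCP steps above in one added configuration example (not from the page): hostname, domain name, the admin username, the password placeholder and the 10.0.0.0/24 addresses are assumptions.

```cisco
! Added example: R1 as an SCP server, then a configuration backup over SCP.
! Names, addresses and the password placeholder are assumptions.
! --- SSH: hostname and domain name are required before generating RSA keys ---
R1(config)# hostname R1
R1(config)# ip domain-name example.com
R1(config)# crypto key generate rsa general-keys modulus 2048
R1(config)# ip ssh version 2
! --- AAA: SCP needs a privilege-15 user and exec authorization to succeed ---
R1(config)# aaa new-model
R1(config)# aaa authentication login default local
R1(config)# aaa authorization exec default local
R1(config)# username admin privilege 15 algorithm-type scrypt secret <strong-password>
! --- SCP server ---
R1(config)# ip scp server enable
R1(config)# end
! Usage: push the startup configuration to a management host running SCP
! (IOS prompts for any address, username or password omitted from the URL)
R1# copy startup-config scp://admin@10.0.0.50/R1-backup.cfg
! Verify that sessions really arrive over SSH, not Telnet
R1# show ip ssh
R1# show users
```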
6.1.5 Recover a Router Password
Password Recovery:
Procedure used to regain access to a router when the password is forgotten or misconfigured.
Steps:
Physical Access:
Connect via console cable.
Check Current Settings:
Use show version to view the configuration register (e.g., 0x2102).
Restart the Router:
Power off and back on.
Enter ROMmon:
Use a break signal to interrupt the boot process and enter ROMmon mode.
Change Configuration Register:
Use confreg 0x2142 to ignore the startup configuration on reboot.
Reset Password:
Modify the configuration once inside, and save it back to NVRAM.
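The recovery steps above as an added console-session example (not from the page). The original register value 0x2102 comes from the page; the new enable secret is a placeholder. The last steps restore the register, which the step list leaves implicit but which the fix needs to persist.

```cisco
! Added example: password recovery from ROMmon on a console session.
! The new secret is a placeholder; 0x2102 is the register value from the page.
rommon 1 > confreg 0x2142
rommon 2 > reset
! The router boots ignoring NVRAM; answer "no" to the setup dialog
Router> enable
! Load the saved configuration so nothing but the password changes
Router# copy startup-config running-config
! The hostname returns with the config; interfaces come back shut down
R1# configure terminal
R1(config)# enable secret <new-strong-secret>
R1(config)# interface GigabitEthernet0/0
R1(config-if)# no shutdown
R1(config-if)# exit
! Put the register back, or the router keeps ignoring NVRAM on every boot
R1(config)# config-register 0x2102
R1(config)# end
R1# copy running-config startup-config
! show version reports the register that takes effect at the next reload
R1# show version
```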