:star:
Device Monitoring and Management
:star:
:star:
Secure Cisco IOS Image and Configuration Files
:lock:
The Primary Bootset Image
Step 1. Reload the router using the reload command. If necessary, issue the break sequence to enter ROM monitor (ROMmon) mode.
Step 2. From ROMmon mode, enter the dir command to list the contents of the device that contains the secure bootset file.
Step 3. Boot the router with the secure bootset image using the boot command followed by the flash memory location (e.g. flash0), a colon, and the filename found in Step 2.
Step 4. Enter global configuration mode and restore the secure configuration to a filename of your choice using the secure boot-config restore command followed by the flash memory location (e.g. flash0), a colon, and a filename of your choice. In the figure, the filename rescue-cfg is used.
Step 5. Exit global configuration mode and issue the copy command to copy the rescued configuration file to the running configuration.
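The five steps above as one ROMmon session, as an added example that is not part of the original page or of Cisco's own material. The flash device name (flash0), the image filename, the hostname and the rescue filename are assumed for illustration; use whatever the dir output on your own router lists.

```cisco
! Added example (not from the page). Image filename, flash device and prompts are assumed.
R1# reload
Proceed with reload? [confirm]
! Send the break sequence (Ctrl-Break in most terminal emulators) during the first
! seconds of boot to stop in ROMmon.
rommon 1 > dir flash0:
! The secured image is listed here even though the IOS CLI hides it from "dir";
! copy the exact filename shown (the one below is assumed):
!   c1900-universalk9-mz.SPA.154-3.M2.bin
rommon 2 > boot flash0:c1900-universalk9-mz.SPA.154-3.M2.bin
! The router boots the secured image. If NVRAM was erased it comes up with no
! configuration, so the hostname is the default until the archive is restored.
Router> enable
Router# configure terminal
Router(config)# secure boot-config restore flash0:rescue-cfg
Router(config)# end
Router# copy flash0:rescue-cfg running-config
! The restored configuration is only in RAM at this point; save it.
R1# copy running-config startup-config
R1# show secure bootset
```

The restored file is the configuration that was running when secure boot-config was last issued, not necessarily the configuration in use just before the loss, so review it (and re-run secure boot-config afterwards) rather than assuming it is current.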
:lock:
Configure Secure Copy
:check: The Cisco IOS resilient configuration feature secures the IOS image and configuration files locally on the device. The Secure Copy Protocol (SCP) feature is used to copy these files to and from a remote host. SCP provides a secure and authenticated method for copying router configuration or router image files to a remote location, unlike TFTP and FTP, which send both credentials and file contents in cleartext.
SCP relies on:
SSH to secure communication
AAA to provide authentication and authorization
Step 1. Configure SSH, if not already configured.
Step 2. For local authentication, configure at least one local database user with privilege level 15.
Step 3. Enable AAA with the aaa new-model global configuration mode command.
Step 4. Use the aaa authentication login default local command to specify that the local database be used for authentication.
Step 5. Use the aaa authorization exec default local command to configure EXEC authorization against the local database. In this example, all local users are authorized to start an EXEC session; the privilege level 15 user from Step 2 is what SCP actually needs, because the copy command requires privilege level 15.
Step 6. Enable SCP server-side functionality with the ip scp server enable command.
:lock:
Enable the IOS Image Resilience Feature
:fountain_pen: The commands to secure the IOS image and running configuration file are shown in the example. To secure the IOS image and enable Cisco IOS image resilience, use the secure boot-image global configuration mode command. When enabled for the first time, the running Cisco IOS image is secured and a log entry is generated. To take a snapshot of the running configuration and archive it securely in persistent storage, use the secure boot-config global configuration mode command; show secure bootset displays what has been secured. The Cisco IOS image resilience feature can only be disabled through a console session using the no form of the command. This command functions properly only when the system is configured to run an image from a flash drive with an ATA interface. Additionally, the running image must be loaded from persistent storage to be secured as primary.
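The enable and verify commands the paragraph refers to, as an added example (not from the page or from Cisco). The hostname, the flash device name and the archive filename are assumed.

```cisco
! Added example (not from the page). Hostname, flash device and archive name are assumed.
R1(config)# secure boot-image
! A log entry of the form %IOS_RESILIENCE-5-IMAGE_RESIL_ACTIVE is generated the
! first time the running image is secured.
R1(config)# secure boot-config
! Same for the running configuration (%IOS_RESILIENCE-5-CONFIG_RESIL_ACTIVE);
! the archive is written to flash as a hidden .runcfg-<timestamp>.ar file.
R1(config)# end
! Verify: "show secure bootset" lists the secured image and configuration archive.
R1# show secure bootset
! "dir" issued from the IOS CLI does not list the secured files; only ROMmon shows them,
! which is why the recovery procedure starts from ROMmon.
R1# dir flash0:
! After configuration changes, re-run secure boot-config so the archive stays current.
R1# configure terminal
R1(config)# secure boot-config
! Disabling is accepted only from the console; a vty session is refused.
R1(config)# no secure boot-image
R1(config)# no secure boot-config
```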
:lock:
Recover a Router Password
If a router is compromised or needs to be recovered from a lost or misconfigured password, an administrator must use password recovery procedures, such as those shown in the steps below. For security reasons, password recovery requires the administrator to have physical access to the router through a console cable. Depending on the device, the detailed procedure for password recovery varies.
:lock:
Cisco IOS Resilient Configuration Feature
:pencil2: The Cisco IOS resilient configuration feature allows for faster recovery if someone maliciously or unintentionally reformats flash memory or erases the startup configuration file in nonvolatile random-access memory (NVRAM). The feature maintains a secure working copy of the router IOS image file and a copy of the running configuration file. These secure files cannot be removed by the user and are referred to as the primary bootset. They do not appear in dir output from the IOS CLI (use show secure bootset); the dir command in ROMmon does list them, which is what the recovery procedure relies on.
Here are a few facts about the Cisco IOS resilient configuration:
-The configuration file in the primary bootset is a copy of the running configuration that was in the router when the feature was first enabled. It is not updated automatically; re-issue secure boot-config after configuration changes to refresh the archive.
-The feature secures the smallest working set of files to preserve persistent storage space.
-No extra space is required to secure the primary Cisco IOS image file.
-The feature automatically detects image or configuration version mismatch.
-Only local storage is used for securing files, eliminating scalability maintenance challenges from storing multiple images and configurations on TFTP servers.
-The feature can be disabled only through a console session.
:lock:
Password Recovery
:pen: If someone gained physical access to a router, they could potentially gain control of that device through the password recovery procedure. This procedure, if performed correctly, leaves the router configuration intact. If the attacker makes no major changes, this type of attack is difficult to detect. An attacker can use this attack method to discover the router configuration and other pertinent information about the network, such as traffic flows and access control restrictions.
An administrator can mitigate this potential security breach by using the no service password-recovery global configuration mode command. This command is a hidden Cisco IOS command and has no arguments or keywords. If a router is configured with the no service password-recovery command, the break sequence no longer drops the router into ROMmon, so the configuration cannot be read or bypassed from there. The only remaining way back into a device whose password is lost is to confirm a reset to the factory default configuration during boot, which erases the startup configuration. Before enabling this command, make sure an offline copy of the configuration exists and that there is another plan for password recovery; IOS asks for confirmation when the command is entered.
When it is configured, the show running-config command displays a no service password-recovery statement, as shown in the figure.
As the figure also shows, when the router is booted, the initial boot sequence displays a message stating PASSWORD RECOVERY FUNCTIONALITY IS DISABLED.
6.5 Network Security Using Syslog
6.5.2 Syslog Operation
On Cisco network devices, the syslog protocol begins by sending system messages and debug output to a local logging process that is internal to the device. How the logging process handles these messages and output is based on the device configuration. Messages can be sent to the console, to terminal lines, to an internal buffer, or to an external syslog server. Messages sent to the internal buffer can only be viewed through the device CLI. Finally, the network administrator can specify that only certain types of system messages be sent to each destination.
The smaller numerical levels are the most critical syslog alarms. The severity level of the messages can be set to control which messages reach each destination (i.e. the console or the other destinations); a destination configured for a given level receives that level and every lower-numbered (more severe) level. The complete list of syslog levels is shown in the table: 0 emergencies (system unusable), 1 alerts (immediate action needed), 2 critical, 3 errors, 4 warnings, 5 notifications (normal but significant), 6 informational, 7 debugging.
6.5.4 Syslog Facilities
In addition to specifying the severity, syslog messages also contain information on the facility. Syslog facilities are service identifiers that identify and categorize system state data for error and event message reporting. The logging facility options that are available are specific to the networking device. For example, Cisco 2960 Series switches running Cisco IOS Release 15.0(2) and Cisco 1941 routers running Cisco IOS Release 15.2(4) support 24 facility options that are categorized into 12 facility types.
6.5.5 Configure Syslog Timestamps
By default, log messages are not timestamped. In the example, the R1 GigabitEthernet 0/0/0 interface is shut down. The message logged to the console does not identify when the interface state was changed. Log messages should be timestamped so that when they are sent to another destination, such as a syslog server, there is a record of when the message was generated. Timestamps are only as good as the device clock, so pair this with NTP.
Use the command service timestamps log datetime to force logged events to display the date and time. As shown in the command output, when the R1 GigabitEthernet 0/0/0 interface is reactivated, the log messages now contain the date and time.
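A syslog configuration covering timestamps, the per-destination severity levels described above and an external log host, as an added example (not from the page or from Cisco). The syslog server address, the source interface, the timezone and the sample console message are assumed.

```cisco
! Added example (not from the page). Server address, source interface and timezone are assumed.
! Timestamps with millisecond resolution and an explicit zone, so entries from
! different devices can be correlated on the log host.
R1(config)# clock timezone UTC 0
R1(config)# service timestamps log datetime msec localtime show-timezone
R1(config)# service timestamps debug datetime msec localtime show-timezone
! Sequence numbers make it possible to spot dropped messages between device and server.
R1(config)# service sequence-numbers
! Per-destination severity: keep the console quiet, buffer informational and above.
R1(config)# logging console warnings
R1(config)# logging monitor informational
R1(config)# logging buffered 64000 informational
! External log host (UDP 514), level 6 and more severe, sourced from a stable address.
R1(config)# logging host 10.1.1.50
R1(config)# logging trap informational
R1(config)# logging source-interface Loopback0
R1(config)# logging origin-id hostname
! Trigger a level-5 event to see the new format.
R1(config)# interface GigabitEthernet0/0/0
R1(config-if)# shutdown
! With timestamps enabled the console now shows something like (assumed line):
! 000042: *Mar  1 10:15:42.511 UTC: %LINK-5-CHANGED: Interface GigabitEthernet0/0/0, changed state to administratively down
R1(config-if)# end
! Review the local buffer and the logging configuration:
R1# show logging
```

The level keyword on each logging command is inclusive: logging trap informational sends levels 0 through 6 to the server and drops level 7 debugging output, which is usually what you want on a production log host.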
6.5.7 Syslog Systems
Syslog implementations always contain two types of systems:
Syslog servers - Also known as log hosts, these systems accept and process log messages from syslog clients.
Syslog clients - Routers or other types of equipment that generate and forward log messages to syslog servers.
:star:
Lock Down a Router Using AutoSecure
:check:
Cisco AutoSecure
Released in IOS version 12.3, Cisco AutoSecure is a feature that is initiated from the CLI and executes a script. AutoSecure first makes recommendations for fixing security vulnerabilities and then modifies the security configuration of the router, as shown in the figure.
AutoSecure can lock down the management plane functions and the forwarding plane services and functions of a router. There are several management plane services and functions:
Secure BOOTP, CDP, FTP, TFTP, PAD, UDP, and TCP small servers, MOP, ICMP (redirects, mask-replies), IP source routing, Finger, password encryption, TCP keepalives, gratuitous ARP, proxy ARP, and directed broadcast
Legal notification using a banner
Secure password and login functions
Secure NTP
Secure SSH access
AutoSecure also enables the following forwarding plane services and functions:
Cisco Express Forwarding (CEF)
Traffic filtering with ACLs
Cisco IOS firewall inspection for common protocols
TCP intercept services
:check:
Cisco AutoSecure Command Syntax
:pen: Use the auto secure command to enable the Cisco AutoSecure feature setup. This setup can be interactive or non-interactive. The figure shows the command syntax for the auto secure command.
Here are the command parameters.
Options may vary by platform.
In interactive mode, the router prompts with options to enable and disable services and other security features. This is the default mode, but it can also be configured using the auto secure full command.
The non-interactive mode is configured with the auto secure no-interact command. This will automatically execute the Cisco AutoSecure feature with the recommended Cisco default settings. The auto secure command can also be entered with keywords to configure specific components, such as the management plane (management keyword) and forwarding plane (forwarding keyword).
:check:
Settings for Protocols and Services
Attackers target the services and protocols that make the network more vulnerable to malicious exploitation.
Many of these features should be disabled or restricted in their capabilities based on the security needs of an organization. These features range from network discovery protocols, such as CDP and LLDP, to globally available protocols such as ICMP and other scanning tools.
Some of the default settings in Cisco IOS software are there for historical reasons. They were logical default settings at the time the software was originally written. Other default settings make sense for most systems, but can create security exposures if they are used in devices that form part of a network perimeter defense. Still other defaults are required by standards but are not always desirable from a security point of view.
The table below shows recommended security settings for protocols and services.
There are several important practices available to help ensure a device is secure:
-Disable unnecessary services and interfaces.
-Disable and restrict commonly configured management services, such as SNMP.
-Disable probes and scans, such as ICMP.
-Ensure terminal access security.
-Disable gratuitous and proxy Address Resolution Protocols (ARPs).
-Disable IP-directed broadcasts.
:check:
Cisco AutoSecure Configuration Example
:pen: When the auto secure command is initiated, a CLI wizard steps the administrator through the configuration of the device. User input is required.
:check:
Discovery Protocols CDP and LLDP
:pen: Cisco routers are initially deployed with many services that are enabled by default. This is done for convenience and to simplify the configuration process required to get the device operational. However, some of these services can make the device vulnerable to attack if security is not enabled. Administrators can also enable services on Cisco routers that can expose the device to significant risk. Both of these scenarios must be considered when securing the network.
The Cisco Discovery Protocol (CDP) is an example of a service that is enabled by default on Cisco routers. The Link Layer Discovery Protocol (LLDP) is an open standard that can be enabled on Cisco devices, as well as other vendor devices that support LLDP.
LLDP configuration and verification is similar to CDP. In the figure, R1 and S1 are both configured with LLDP, using the lldp run global configuration command. Both devices are running CDP by default. The output for show cdp neighbors detail and show lldp neighbors detail will reveal a device’s address, platform, and operating system details.
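A manual lockdown matching the recommended settings list above (AutoSecure's management plane items) together with the CDP/LLDP handling just described, as an added example that is not from the page or from Cisco. Interface names, which interface faces the outside, and the choice to keep LLDP on the inside link are assumed; the last lines show the AutoSecure and verification commands.

```cisco
! Added example (not from the page). Interface roles are assumed: G0/0/0 faces outside, G0/0/1 faces S1.
! Global services with no business on a perimeter router.
R1(config)# no service tcp-small-servers
R1(config)# no service udp-small-servers
R1(config)# no service finger
R1(config)# no service pad
R1(config)# no ip bootp server
R1(config)# no ip source-route
R1(config)# no ip http server
R1(config)# no ip http secure-server
R1(config)# no ip gratuitous-arps
R1(config)# no ip identd
R1(config)# no boot network
R1(config)# no service config
! Management hygiene from the same list.
R1(config)# service password-encryption
R1(config)# service tcp-keepalives-in
R1(config)# service tcp-keepalives-out
! Discovery: CDP off everywhere, LLDP on but only towards the inside switch.
R1(config)# no cdp run
R1(config)# lldp run
! Outside-facing interface: no ICMP helpers, no ARP tricks, no discovery.
R1(config)# interface GigabitEthernet0/0/0
R1(config-if)# no ip redirects
R1(config-if)# no ip unreachables
R1(config-if)# no ip mask-reply
R1(config-if)# no ip proxy-arp
R1(config-if)# no ip directed-broadcast
R1(config-if)# no mop enabled
R1(config-if)# no lldp transmit
R1(config-if)# no lldp receive
R1(config-if)# exit
! If CDP must stay on for phones on an inside interface, keep "cdp run" global
! and disable it per interface instead: "no cdp enable" under the outside interface.
R1(config)# end
! The automated equivalent for the management plane, without prompts:
R1# auto secure management no-interact
! Verify what discovery protocols still reveal:
R1# show cdp neighbors detail
R1# show lldp neighbors detail
R1# show running-config | include ^no service|^no ip|^no cdp|^lldp
```

Apply the interface-level commands to every externally reachable interface, not just one; a single interface left with proxy ARP or directed broadcasts enabled undoes the point of the exercise.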
:star: SNMP Configuration
:lock: Introduction to SNMP
Once the network is mapped, it can be managed using the Simple Network Management Protocol (SNMP). SNMP was developed to allow administrators to manage nodes such as servers, workstations, routers, switches, and security appliances on an IP network. It allows network administrators to monitor network performance, find and solve network problems, and plan for network growth.
SNMP defines how management information is exchanged between network management applications and management agents. It is an application layer protocol that provides a message format for communication between managers and agents. It consists of three elements:
SNMP manager
SNMP agent (managed node)
Management Information Base (MIB)
Management depends on the relationship between the SNMP manager and the SNMP agent on the managed device.
:lock: SNMP Operation
SNMP agents that reside on managed devices collect and store information about the device and its operation. This information is stored locally by the agent in the MIB. The SNMP manager then uses the SNMP agent to access information within the MIB.
The SNMP manager issues two kinds of request:
Get request: used by the NMS to query the device for data.
Set request: used by the NMS to change configuration variables in the agent device.
:lock: Management Information Base (MIB)
MIB variables enable the management software to monitor and control the network device. Formally, the MIB defines each variable as an object ID (OID). OIDs uniquely identify managed objects in the MIB hierarchy.
The MIB organizes the OIDs based on RFC standards into a hierarchy of OIDs, usually shown as a tree.
The MIB tree for any given device includes some branches with variables common to many networking devices and some branches with variables specific to that device or vendor. RFCs define some common public variables. In addition, networking equipment vendors, like Cisco, can define their own private branches of the tree to accommodate new variables specific to their devices.
:lock: SNMP Versions
There are several versions of SNMP:
SNMPv1 - This is the Simple Network Management Protocol, a Full Internet Standard, that is defined in RFC 1157.
SNMPv2c - This is defined in RFCs 1901 to 1908. It uses a community-string-based administrative framework.
SNMPv3 - This is an interoperable standards-based protocol originally defined in RFCs 2273 to 2275 (since superseded by RFCs 3410 to 3415).
All versions use SNMP managers, agents, and MIBs. Both SNMPv1 and SNMPv2c use a community-based form of security.
The community of managers that is able to access the MIB of the agent is defined by a community string, which travels in cleartext with every request.
Unlike SNMPv1, SNMPv2c includes a bulk retrieval mechanism (GetBulk) and more detailed error message reporting to management stations.
The SNMPv2c improved error handling includes expanded error codes that distinguish different kinds of error conditions. These conditions are all reported through a single error code in SNMPv1.
:lock: SNMP Vulnerabilities
Network devices that can be managed, such as switches, routers, servers, and workstations, are equipped with the SNMP agent software module. With SNMPv1 and SNMPv2c, anyone who can sniff or guess the community string gets the same access as the legitimate manager: a read-only community exposes the device configuration and topology, and a read-write community allows set requests.
For example, a set request can cause a router to reboot, send a configuration file, or receive a configuration file.
An SNMP agent can also be configured to send out traps or notifications, which with these versions are likewise unauthenticated.
:lock: SNMPv3
SNMPv3 authenticates and encrypts packets over the network to provide secure access to devices. This addressed the vulnerabilities of earlier versions of SNMP. SNMPv3 provides three security features:
Message integrity and authentication - Ensures that a packet has not been tampered with in transit, and is from a valid source.
Encryption - Scrambles the contents of a packet to prevent it from being seen by an unauthorized source.
Access control - Restricts each principal to certain actions on specific portions of data.
:lock: SNMPv3 Security Configuration
SNMPv3 can be secured with just a few commands:
Step 1
Router(config)# ip access-list standard acl-name
Router(config-std-nacl)# permit source_net [wildcard]
Step 2
Router(config)# snmp-server view view-name oid-tree {included | excluded}
Step 3
Router(config)# snmp-server group group-name v3 priv read view-name access [acl-number | acl-name]
Step 4
Router(config)# snmp-server user username group-name v3 auth {md5 | sha} auth-password priv {des | 3des | aes {128 | 192 | 256}} priv-password
:lock: SNMPv3 Security Configuration Example
Step 1
All hosts attached to this network will be allowed to access the SNMP agent running on R1.
Step 2
An SNMP view is named SNMP-RO and is configured to include the entire iso tree from the MIB. On a production network, the network administrator would configure this view to include only the MIB OIDs that are necessary for monitoring and managing the network.
Step 3
An SNMP group is configured with the name ADMIN.
SNMP is set to version 3 with authentication and encryption required. The group is allowed read-only access to the view (SNMP-RO). Access for the group is limited by the PERMIT-ADMIN ACL
Step 4
An SNMP user, BOB, is configured as a member of the group ADMIN. SNMP is set to version 3 with SHA authentication and AES encryption.
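Steps 1 to 4 as a complete configuration using the names from the example (ACL PERMIT-ADMIN, view SNMP-RO, group ADMIN, user BOB), followed by verification, as an added example that is not from the page or from Cisco. The management subnet, the two passwords and the alternative restricted view are assumed.

```cisco
! Added example (not from the page). Subnet and passwords are assumed.
! Step 1: only the management subnet may reach the agent.
R1(config)# ip access-list standard PERMIT-ADMIN
R1(config-std-nacl)# permit 192.168.1.0 0.0.0.255
R1(config-std-nacl)# exit
! Step 2: the view. "iso included" exposes the whole tree, as in the page's example.
R1(config)# snmp-server view SNMP-RO iso included
! Production alternative: expose only the system and interfaces groups.
!R1(config)# snmp-server view SNMP-RO 1.3.6.1.2.1.1 included
!R1(config)# snmp-server view SNMP-RO 1.3.6.1.2.1.2 included
! Step 3: v3 group at the authPriv level, read-only against the view, filtered by the ACL.
R1(config)# snmp-server group ADMIN v3 priv read SNMP-RO access PERMIT-ADMIN
! Step 4: user BOB with SHA authentication and AES-128 privacy (passwords of 8+ characters).
R1(config)# snmp-server user BOB ADMIN v3 auth sha Auth-Passw0rd-1 priv aes 128 Priv-Passw0rd-1
R1(config)# end
! Verification. The snmp-server user line does not appear in show running-config
! because it is stored keyed to the local engine ID, so use the show commands.
R1# show snmp user
R1# show snmp group
R1# show snmp view
```

Because the user entry is bound to the engine ID, it must be re-created if the engine ID changes (for example after snmp-server engineID local is altered), and it is not carried across by a plain configuration copy.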
:lock: SNMPv3 Verification
Verify most of the SNMPv3 security configuration by viewing the running configuration, as shown in the figure. Notice that the snmp-server user configuration is hidden. Use the show snmp user command to view the user information.
:star: Device Monitoring and Management Summary
:lock:What Did I Learn in this Module?
Secure Cisco IOS Image and Configuration Files
The Cisco IOS resilient configuration feature allows for faster recovery if someone maliciously or unintentionally reformats flash memory or erases the startup configuration file in nonvolatile random-access memory (NVRAM). The feature maintains a secure working copy of the router IOS image file and a copy of the running configuration file. To secure the IOS image and enable Cisco IOS image resilience, use the secure boot-image global configuration mode command. To take a snapshot of the router running configuration and securely archive it in persistent storage, use the secure boot-config global configuration mode command.
Routing Protocol Authentication
Dynamic routing protocols are used by routers to automatically share information about the reachability and status of remote networks. Network discovery is the ability of a routing protocol to dynamically share information about the networks that it knows about with other routers that are using the same routing protocol. Routing systems can be attacked by disrupting peer network routers, or by falsifying or spoofing the information carried within the routing protocols. Routing protocol updates can be configured to use MD5 or SHA authentication.
Lock Down a Router Using AutoSecure
Cisco routers are initially deployed with many services that are enabled by default. Guidelines are provided for how each service on the router should be configured for maximum security. The Cisco AutoSecure feature executes a script that makes recommendations for fixing security vulnerabilities and then modifies the security configuration of the router. AutoSecure is often used in the field to provide a baseline security policy on a new router. AutoSecure will then gather information about the current device configuration and enter a configuration dialog.
Secure Management and Reporting
Most network devices can gather and transmit log information that can be very valuable for diagnosing network problems and detecting security incidents. However, in a large enterprise with hundreds of devices, monitoring, managing, and processing log messages can be challenging. Information flow between log file collecting hosts and managed network devices can take two paths. In-band information paths use the production network, the internet or both. Out-of-band (OOB) management paths use dedicated management networks which do not transmit user traffic. As a general rule, for security purposes, OOB management is appropriate for large enterprise networks.
Network Security Using Syslog
The most common method of accessing system messages is to use a protocol called syslog. The syslog protocol allows networking devices to send their system messages across the network to syslog servers. The syslog logging service provides the ability to gather logging information, select the type of information that is logged, and specify the destination devices that will receive and store syslog messages. On Cisco network devices, the syslog protocol can send system messages and debug command output to a local logging process that is internal to the device or can send messages to an internal buffer. A device can be configured to send syslog messages to a logging buffer, the console line, a terminal line, or an external syslog server. Level 5 messages indicate normal operation but are significant.
NTP Configuration
Although the system time can be set manually, it is much more desirable to configure devices to use the Network Time Protocol (NTP) to synchronize time between all network devices. NTP enables network devices (i.e., NTP clients) to synchronize their time settings with an authoritative time source. The time source can be a device on the network (e.g., a router) that is selected as the private primary clock, or it can be a publicly available NTP server on the internet. NTP uses a hierarchical system of time sources that are arranged in strata. Stratum 0 is the most authoritative time source and consists of atomic or GPS clocks. Stratum 1 devices are connected directly to the stratum 0 time sources and are also accessible to enterprise networks. Stratum 2 and higher-numbered strata (lower in the hierarchy) are network servers that provide time to network devices; they synchronize to stratum 1 devices or to other network devices that are acting as NTP servers.
SNMP Configuration
Simple Network Management Protocol (SNMP) was developed to allow administrators to manage nodes such as servers, workstations, routers, switches, and security appliances, on an IP network. SNMP defines how management information is exchanged between network management applications and management agents. It is an application layer protocol that provides a message format for communication between managers and agents. SNMP agents reside on network devices and enable network data collection and sharing.
The MIB stores standardized variables that contain network data. The network manager can send a get request to retrieve information from an agent's local MIB, or it can send a set request to change the value of a variable in the MIB. MIB variables enable the management software to monitor and control the network device. SNMPv1 and SNMPv2c can neither authenticate the source of a management message nor provide encryption. SNMPv3 adds methods to ensure the secure transmission of critical data between managed devices. SNMPv3 provides for both security models and security levels.
:star:Dynamic Routing Protocols:star:
OSPF MD5 Routing Protocol Authentication
OSPF supports routing protocol authentication using MD5. MD5 authentication can be enabled for all interfaces in an area or on a per-interface basis.
Enable OSPF MD5 for an area:
ip ospf message-digest-key key-id md5 key interface configuration command.
area area-id authentication message-digest router configuration command.
This method forces authentication on all OSPF-enabled interfaces in the area. If an interface is not configured with the ip ospf message-digest-key command, it will not be able to form adjacencies with other OSPF neighbors. To enable it on a single interface instead, use the ip ospf authentication message-digest interface configuration command together with the key. The key-id and key string must match on both ends of each link, and MD5 should be treated as the legacy choice where key-chain based SHA authentication is available.
OSPF SHA Routing Protocol Authentication
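The MD5 configuration described above together with the SHA key-chain alternative, as an added example that is not from the page or from Cisco. The process ID, area, interface, key IDs and key strings are assumed, and the key-chain commands assume a platform that supports OSPFv2 cryptographic authentication (IOS 15.4(1)T or later).

```cisco
! Added example (not from the page). Process ID, area, interface and key strings are assumed.
! Option A: MD5, enabled area-wide, key supplied per interface.
R1(config)# router ospf 10
R1(config-router)# area 0 authentication message-digest
R1(config-router)# exit
R1(config)# interface GigabitEthernet0/0/1
R1(config-if)# ip ospf message-digest-key 1 md5 0spfMd5K3y-2024
! Per-interface alternative to the area command (use one or the other):
!R1(config-if)# ip ospf authentication message-digest
R1(config-if)# exit
! Option B: HMAC-SHA-256 via a key chain (replaces Option A on this interface).
R1(config)# key chain OSPF-SHA
R1(config-keychain)# key 1
R1(config-keychain-key)# key-string 0spfSh4K3y-2024
R1(config-keychain-key)# cryptographic-algorithm hmac-sha-256
R1(config-keychain-key)# exit
R1(config-keychain)# exit
R1(config)# interface GigabitEthernet0/0/1
R1(config-if)# ip ospf authentication key-chain OSPF-SHA
R1(config-if)# end
! Verify the algorithm in use and that the adjacency comes back up on both ends.
R1# show ip ospf interface GigabitEthernet0/0/1
R1# show ip ospf neighbor
```

Change both ends of a link within the dead interval, or stage the new key under a second key ID first; an interface whose neighbor still uses a different key or algorithm drops to the INIT/DOWN state and the route disappears until the configurations agree.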
6.6. NTP Configuration
6.6.1 Time and Calendar Services
Before going deep into network management, make sure that all of your components are set to the same time and date.
The software clock on a router or switch starts when the system boots and is the primary source of time for the system. It is important to synchronize the time across all devices on the network because all aspects of managing, securing, troubleshooting, and planning networks require accurate timestamps. When the time is not synchronized between devices, it becomes very hard to determine the order of events, correlate logs from different devices, or establish the cause of an event.
6.6.2 NTP Operation
NTP networks use a hierarchical system of time sources. Each level in this hierarchical system is called a stratum. The stratum level is defined as the number of hop counts from the authoritative source.
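A small NTP hierarchy with authentication, as an added example that is not from the page or from Cisco: R1 acts as the private primary clock, and S1 is a client that only accepts time it can authenticate. Addresses, the stratum number, the key and the ACL names are assumed.

```cisco
! Added example (not from the page). Addresses, stratum, key and ACL names are assumed.
! --- R1: private primary clock for the site ---
R1(config)# ntp authentication-key 1 md5 NtpSh4redK3y
R1(config)# ntp authenticate
R1(config)# ntp trusted-key 1
! Serve time as stratum 3 from the local clock (no upstream source in this example).
R1(config)# ntp master 3
! Answer only the inside networks, and only with time (no control queries).
R1(config)# ip access-list standard NTP-CLIENTS
R1(config-std-nacl)# permit 10.1.0.0 0.0.255.255
R1(config-std-nacl)# exit
R1(config)# ntp access-group serve-only NTP-CLIENTS
R1(config)# ntp update-calendar
R1(config)# end
! --- S1: client that must authenticate its server ---
S1(config)# ntp authentication-key 1 md5 NtpSh4redK3y
S1(config)# ntp authenticate
S1(config)# ntp trusted-key 1
S1(config)# ntp server 10.1.1.1 key 1
! Accept synchronization only from the listed server(s).
S1(config)# ip access-list standard NTP-SERVERS
S1(config-std-nacl)# permit host 10.1.1.1
S1(config-std-nacl)# exit
S1(config)# ntp access-group peer NTP-SERVERS
S1(config)# end
! Verify: status shows "synchronized, stratum 4" on S1; associations marks the
! server with * and, once the key is verified, with an authenticated flag.
S1# show ntp status
S1# show ntp associations detail
```

NTP authentication in IOS is a client-side check: the client with ntp authenticate and a trusted key rejects packets that are not signed with that key, but the server still answers unauthenticated requests, which is why the access-group on R1 is what limits who can use it.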
Types of management access
In-band management
Out-of-band management