Please enable JavaScript.
Coggle requires JavaScript to display documents.
Device Monitoring and Management - Coggle Diagram
Device Monitoring and Management
Cisco IOS Resilient Configuration Feature
The Primary Bootset Image
Step 2. From ROMmon mode, enter the dir command to list the contents of the device that contains the secure bootset file.
Step 3. Boot the router with the secure bootset image using the boot command followed by the flash memory location
Step 1. Reload the router using the reload command.
Step 4. Enter global configuration mode and restore the secure configuration to a filename of your choice using the secure boot-config restore command followed by the flash memory location
Configure Secure Copy
The Cisco IOS Resilient feature provides a method for securing the IOS image and configuration files locally on the device.
Step 2. For local authentication, configure at least one local database user with privilege level 15.
Step 3. Enable AAA with the aaa new-model global configuration mode command.
Step 1. Configure SSH, if not already configured.
Step 4. Use the aaa authentication login default local command to specify that the local database be used for authentication.
Step 5. Use the aaa authorization exec default local command to configure command authorization.
Step 6. Enable SCP server-side functionality with the ip scp server enable command.
Enable the IOS Image Resilience Feature
To secure the IOS image and enable Cisco IOS image resilience, use the secure boot-image global configuration mode command.
To take a snapshot of the router running configuration and securely archive it in persistent storage, use the secure boot-config global configuration mode command, as shown in the figure
Recover a Router Password
Step 1. Connect to the console port.
Step 2. Use the show version command to display the configuration register setting and document the value (e.g., 0x2102).
Step 3. Power cycle the router.
Step 4. Issue the break sequence (e.g., CTRL-BREAK) to enter ROMMON mode.
Step 5. Change the default configuration register with the confreg 0x2142 command.
Step 6. Reboot the router by using the reset command in ROMMON mode.
Step 7. Press Ctrl-C to skip the initial setup procedure.
Step 8. Enter privileged EXEC mode.
Step 9. Copy the startup configuration to the running configuration using the copy startup-config running-config command.
Step 10. Verify the configuration.
Step 11. Change the enable secret password.
Step 12. Enable all interfaces using the no shutdown command.
Step 13. Return the configuration register setting to the original setting that was documented in Step 2 with the config-register global configuration command.
Step 14. Save the configuration changes.
Lock Down a Router Using AutoSecure
Discovery Protocols CDP and LLDP
Cisco routers are initially deployed with many services that are enabled by default. This is done for convenience and to simplify the configuration process required to get the device operational.
Settings for Protocols and Services
Attackers choose services and protocols that make the network more vulnerable to malicious exploitation.
Many of these features should be disabled or restricted in their capabilities based on the security needs of an organization.
Cisco AutoSecure
Cisco AutoSecure Command Syntax
Released in IOS version 12.3, Cisco AutoSecure is a feature that is initiated from the CLI and executes a script. AutoSecure first makes recommendations for fixing security vulnerabilities and then modifies the security configuration of the router, as shown in the figure.
Routing Protocol Authentication
OSPF SHA Routing Protocol Authentication
MD5 is now considered vulnerable to attacks and should only be used when stronger authentication is not available. Cisco IOS release 15.4(1)T added support for OSPF SHA authentication, as detailed in RFC 5709.
OSPF MD5 Routing Protocol Authentication
OSPF supports routing protocol authentication using MD5. MD5 authentication can be enabled globally for all interfaces or on a per interface basis.
Enable OSPF MD5 authentication globally:
ip ospf message-digest-key key md5 password interface configuration command.
area area-id authentication message-digest router configuration command.
This method forces authentication on all OSPF enabled interfaces. If an interface is not configured with the ip ospf message-digest-key command, it will not be able to form adjacencies with other OSPF neighbors.
Routing Protocol Spoofing
Routing systems can be attacked by disrupting peer network routers, or by falsifying or spoofing the information carried within the routing protocols. Spoofing routing information may generally be used to cause systems to misinform (lie to) each other, cause a DoS attack, or cause traffic to follow a path it would not normally follow. There are several consequences of routing information being spoofed:
Redirecting traffic to create routing loops
Redirecting traffic so it can be monitored on an insecure link
Redirecting traffic to discard it
Dynamic Routing Protocols
Dynamic routing protocols are used by routers to automatically share information about the reachability and status of remote networks. Dynamic routing protocols perform several activities, including network discovery and maintaining routing tables.
Network Security Using Syslog
Syslog Operation
On Cisco network devices, the syslog protocol starts by sending system messages and debug output to a local logging process that is internal to the device.
As shown in the figure, popular destinations for syslog messages include the:
Logging buffer (RAM inside a router or switch)
Console line
Terminal line
Syslog server
Syslog Message Format
Syslog Facilities
Some common syslog message facility codes reported on Cisco IOS routers include:
IF - Identifies that the syslog message was generated by an interface.
IP - Identifies that the syslog message was generated by IP.
OSPF - Identifies that the syslog message was generated by the OSPF routing protocol.
SYS - Identifies that the syslog message was generated by the device operating system.
IPSEC - Identifies that the syslog message was generated by the IP Security encryption protocol.
Configure Syslog Timestamps
Secure Management and Reporting
Types of Management Access
In a small network, managing and monitoring a small number of network devices is a straightforward operation. However, in a large enterprise with hundreds of devices, monitoring, managing, and processing log messages can be challenging.
Out-of-band (OOB) - Information flows on a dedicated management network on which no production traffic resides.
In-band - Information flows across an enterprise production network, the internet, or both, using regular data channels
NTP Configuration
Time and Calendar Services
Before you get really deep into network management, the one thing that will help keep you on track is ensuring that all of your components are set to the same time and date.
The software clock on a router or switch starts when the system boots. It is the primary source of time for the system. It is important to synchronize the time across all devices on the network because all aspects of managing, securing, troubleshooting, and planning networks require accurate timestamping. When the time is not synchronized between devices, it will be impossible to determine the order of the events and the cause of an event.
NTP Operation
Configure and Verify NTP
SNMP Configuration
Management Information Base (MIB)
SNMP Versions
SNMP Versions
SNMPv1 - This is the Simple Network Management Protocol, a Full Internet Standard, that is defined in RFC 1157.
SNMPv2c - This is defined in RFCs 1901 to 1908. It uses a community-string-based Administrative Framework.
SNMPv3 - This is an interoperable standards-based protocol originally defined in RFCs 2273 to 2275. It provides secure access to devices by authenticating and encrypting packets over the network. It includes these security features: message integrity to ensure that a packet was not tampered with in transit, authentication to determine that the message is from a valid source, and encryption to prevent the contents of a message from being read by an unauthorized source.
SNMPv3
SNMPv3 authenticates and encrypts packets over the network to provide secure access to devices. This addressed the vulnerabilities of earlier versions of SNMP.
SNMPv3 provides three security features:
Message integrity and authentication - Ensures that a packet has not been tampered with in transit, and is from a valid source.
Encryption - Scrambles the contents of a packet to prevent it from being seen by an unauthorized source.
Access control - Restricts each principal to certain actions on specific portions of data.
SNMP Operation
SNMP Vulnerabilities