Module 6: Device Monitoring and Management
6.0 Introduction
6.0.1 Why Should I Take this Module?
Cybercriminals try to exploit every vulnerability they can find. On a network device, for example, an attacker may try to:
Gain access to your core edge router and erase the IOS image and startup configuration files (known collectively as the bootset files).
Access an unused service that is still running on the device.
Inject false routing information into a converged OSPF network.
6.1 Secure Cisco IOS Image and Configuration Files
The Cisco IOS resilient configuration feature allows for faster recovery if someone maliciously or unintentionally reformats flash memory or erases the startup configuration file in nonvolatile random-access memory (NVRAM).
6.1.2 Enable the IOS Image Resilience Feature
To secure the IOS image and enable Cisco IOS image resilience, use the secure boot-image global configuration mode command.
6.1.3 The Primary Bootset Image
Restore a primary bootset from a secure archive after the router has been tampered with, as shown in the following steps and example:
Step 1. Reload the router using the reload command. If necessary, issue the break sequence to enter ROM monitor (ROMmon) mode.
Step 2. From ROMmon mode, enter the dir command to list the contents of the device that contains the secure bootset file.
Step 3. Boot the router with the secure bootset image using the boot command followed by the flash memory location (e.g. flash0), a colon, and the filename found in Step 2.
Step 4. Enter global configuration mode and restore the secure configuration to a filename of your choice using the secure boot-config restore command followed by the flash memory location (e.g. flash0), a colon, and a filename of your choice. In the figure, the filename rescue-cfg is used.
Step 5. Exit global configuration mode and issue the copy command to copy the rescued configuration file to the running configuration.
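The following console transcript is an added example, not from the course page: it first enables both resilience features (6.1.2), verifies them, and then walks through the five recovery steps above (6.1.3). The hostname, image filename, serial number, timestamps and the archive name are assumed for illustration; your device will show its own. The image and configuration archives are hidden from a normal dir listing in IOS, which is why show secure bootset is the way to confirm they exist, and why the ROMmon dir in step 2 is the place you will see them after a wipe.

```cisco
! --- Added example (not the course page's own transcript); names and values are assumed.
! (1) Enable image and configuration resilience. Do this from the console:
!     the feature can only be disabled again (no secure boot-image) from a console session.
R1# configure terminal
R1(config)# secure boot-image
R1(config)# secure boot-config
R1(config)# end

! (2) Verify. Output shape is illustrative; the archive name is generated by IOS.
R1# show secure bootset
IOS resilience router id FTX1234567AB
IOS image resilience version 15.4 activated at 10:02:11 UTC Mon Jan 5 2015
Secure archive flash0:c1900-universalk9-mz.SPA.154-3.M2.bin type is image (elf) []
IOS configuration resilience version 15.4 activated at 10:02:18 UTC Mon Jan 5 2015
Secure archive flash0:.runcfg-20150105-100218.ar type is config

! (3) Recovery after someone has erased NVRAM or reformatted flash (steps 1-5 above).
R1# reload
!   ... send the break sequence while the router boots to drop into ROMmon ...
rommon 1 > dir flash0:
!   (the secured image and the hidden .runcfg-*.ar config archive are listed here)
rommon 2 > boot flash0:c1900-universalk9-mz.SPA.154-3.M2.bin
!   ... the router boots the secured image with an empty configuration,
!       so the prompt comes up as the default hostname "Router" ...
Router# configure terminal
Router(config)# secure boot-config restore flash0:rescue-cfg
Router(config)# end
Router# copy flash0:rescue-cfg running-config
R1# copy running-config startup-config
```

After the copy, the hostname and everything else from the archive are back in the running configuration; save it to NVRAM and then reissue secure boot-config so the archive reflects any changes you make afterwards. The feature protects the files on the router's own flash only; it is not a substitute for off-box backups, and it does nothing if the attacker already has privileged EXEC and a console session.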
6.1.4 Configure Secure Copy
Step 1. Configure SSH, if not already configured.
Step 2. For local authentication, configure at least one local database user with privilege level 15.
Step 3. Enable AAA with the aaa new-model global configuration mode command.
Step 4. Use the aaa authentication login default local command to specify that the local database be used for authentication.
Step 5. Use the aaa authorization exec default local command to configure EXEC authorization, so that the local database decides whether a user is granted an EXEC shell and at which privilege level. In this example, all local users will be authorized for EXEC access. SCP depends on this step: the SCP server will reject transfers unless AAA authorization confirms the user's privilege level.
Step 6. Enable SCP server-side functionality with the ip scp server enable command.
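The six steps above as one complete configuration, followed by a transfer that uses it. This is an added example, not from the course page; the hostname, domain name, username, password and the 10.1.1.2 address of the peer router are placeholders, and the scrypt hash type is assumed to be available (it needs IOS 15.3(3)M or later; drop algorithm-type scrypt on older releases and secret still stores an MD5 hash).

```cisco
! --- Added example (not the course page's own configuration); names and addresses are assumed.
! Step 1: SSH. Host keys need a hostname and domain name; restrict vty to SSHv2.
R1(config)# hostname R1
R1(config)# ip domain-name example.com
R1(config)# crypto key generate rsa general-keys modulus 2048
R1(config)# ip ssh version 2
R1(config)# ip ssh time-out 60
R1(config)# ip ssh authentication-retries 2
R1(config)# line vty 0 4
R1(config-line)# transport input ssh
R1(config-line)# exit

! Step 2: a privilege-15 local user. "secret" stores a hash, "password" would not.
R1(config)# username admin privilege 15 algorithm-type scrypt secret Str0ngP@ssw0rd

! Steps 3-5: AAA with local login authentication and local EXEC authorization.
! Without the exec authorization line SCP logins succeed but every transfer is refused.
R1(config)# aaa new-model
R1(config)# aaa authentication login default local
R1(config)# aaa authorization exec default local

! Step 6: the SCP server itself.
R1(config)# ip scp server enable
R1(config)# end

! Verify SSH is up, then use SCP both ways from privileged EXEC.
R1# show ip ssh
! Push this router's running config to R2 (configured the same way):
R1# copy running-config scp://admin@10.1.1.2/R1-backup.cfg
! Pull a file back; IOS prompts for the password for each transfer.
R1# copy scp://admin@10.1.1.2/R1-backup.cfg flash0:R1-backup.cfg
! If a transfer fails, watch the server side while retrying:
R1# debug ip scp
```

From a management host the same server answers ordinary scp clients (for example scp admin@10.1.1.1:running-config ./R1.cfg). Keep the vty lines behind an access-class so that SCP, like SSH, is reachable only from the management network.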
6.4 Secure Management and Reporting
6.4.1 Types of Management Access
In-band - Information flows across an enterprise production network, the internet, or both, using regular data channels.
Out-of-band (OOB) - Information flows on a dedicated management network on which no production traffic resides.
6.4.2 Out-of-Band and In-Band Access
As a general rule, for security purposes, OOB management is appropriate for large enterprise networks. However, it is not always desirable.
In-band management is recommended in smaller networks as a means of achieving a more cost-effective security deployment.
6.5 Network Security Using Syslog
6.5.1 Introduction to Syslog
Syslog is a term used to describe both a standard and the protocol developed for that standard. The syslog protocol originated on UNIX systems in the 1980s but was first documented by the IETF as RFC 3164 in 2001; RFC 5424 (2009) later replaced it with a more structured message format.
6.5.2 Syslog Operation
On Cisco network devices, the syslog process begins with system messages and debug output being sent to a local logging process that is internal to the device.
That process can then deliver the messages to the console, to terminal lines (monitor), to an internal buffer, or over the network to a syslog server.
6.5.3 Syslog Message Format
Every syslog message contains a severity level and a facility.
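An added example, not from the course page, that ties the destinations in 6.5.2 to the severity and facility fields described here: it configures the local buffer, the console and a remote collector with a different severity threshold each, and then annotates a constructed message to show where the facility, severity and mnemonic sit. The collector address, NTP server, source interface and the sample message are all constructed.

```cisco
! --- Added example (not the course page's own configuration); addresses and the message are constructed.
R1(config)# service timestamps log datetime msec show-timezone
R1(config)# ntp server 10.1.1.10                ! timestamps are useless if the clock is wrong
R1(config)# logging buffered 32768 informational ! local ring buffer, severity 0-6
R1(config)# logging console critical             ! console gets only 0-2 so it is not flooded
R1(config)# logging host 10.1.1.50               ! remote collector, UDP/514 by default
R1(config)# logging trap warnings                ! forward severity 0-4 to the collector
R1(config)# logging source-interface Loopback0   ! stable source address for collector ACLs
R1(config)# end
R1# show logging                                 ! shows the thresholds and the buffer contents

! A constructed message as it would appear in the buffer, and how to read it:
!   *Jan  5 10:07:42.115 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.9)
!    ^ timestamp               ^fac ^sev ^mnemonic ^ message text
!   SYS      = facility, the IOS component that produced the message
!   5        = severity: 0 emergencies, 1 alerts, 2 critical, 3 errors,
!              4 warnings, 5 notifications, 6 informational, 7 debugging
!   CONFIG_I = mnemonic, a fixed name for this event type (here: a configuration change)
!   With "logging trap warnings" this level-5 message stays in the local buffer and is
!   NOT forwarded; use "logging trap notifications" if configuration changes must reach
!   the collector, which they should for audit purposes.
```

Each destination filters independently, so a level is never "on" or "off" for the whole device; pick the threshold per destination. Plain syslog over UDP is neither encrypted nor authenticated, so carry it on the out-of-band management network described in 6.4 rather than across production segments.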
6.2 Lock Down a Router Using AutoSecure
6.2.1 Discovery Protocols CDP and LLDP
The Cisco Discovery Protocol (CDP) is an example of a service that is enabled by default on Cisco routers. The Link Layer Discovery Protocol (LLDP) is an open standard that can be enabled on Cisco devices, as well as other vendor devices that support LLDP.
6.2.2 Settings for Protocols and Services
Attackers target services and protocols that are enabled but not needed, because each one left running widens the network's exposure to malicious exploitation.
6.2.3 Cisco AutoSecure
Released in IOS version 12.3, Cisco AutoSecure is a feature that is initiated from the CLI and executes a script.
6.2.4 Cisco AutoSecure Command Syntax
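The following is an added example, not from the course page: first the manual version of what 6.2.1 and 6.2.2 describe (discovery protocols and unneeded services turned off where they are not required), then the AutoSecure command syntax for 6.2.4 with the automated equivalent. Interface roles (GigabitEthernet0/0 facing the internet, GigabitEthernet0/1 facing the LAN) are assumed.

```cisco
! --- Added example (not the course page's own configuration); interface roles are assumed.
! Discovery protocols. If nothing on the LAN needs CDP (IP phones do), turn it off
! globally; otherwise keep it inside and disable it on the internet-facing interface.
R1(config)# interface GigabitEthernet0/0           ! internet-facing
R1(config-if)# no cdp enable
R1(config-if)# no lldp transmit
R1(config-if)# no lldp receive
! Also drop the ICMP and ARP helpers an outsider can abuse on this interface.
R1(config-if)# no ip proxy-arp
R1(config-if)# no ip redirects
R1(config-if)# no ip unreachables
R1(config-if)# no ip directed-broadcast
R1(config-if)# no ip mask-reply
R1(config-if)# exit
R1(config)# no lldp run                             ! LLDP is off by default on routers; say so explicitly
! R1(config)# no cdp run                            ! use this instead of per-interface if CDP is unneeded everywhere

! Services that are on by default (or commonly left on) but rarely needed on a router.
R1(config)# no ip http server
R1(config)# no ip http secure-server
R1(config)# no ip bootp server
R1(config)# no ip finger
R1(config)# no ip source-route
R1(config)# no service pad
R1(config)# no service tcp-small-servers
R1(config)# no service udp-small-servers
R1(config)# end

! The automated version. Syntax:
!   auto secure [management | forwarding] [no-interact | full]
!               [ntp | login | ssh | firewall | tcp-intercept]
!   management / forwarding  limit the script to one plane (default: both)
!   no-interact              apply Cisco's defaults without prompting
!   full                     prompt for every choice (hostname, banner, secrets, SSH,
!                            which interface faces the internet)
R1# auto secure management full
R1# show auto secure config            ! review every generated line before saving
R1# copy running-config startup-config
```

Run AutoSecure from the console, not over an in-band session: in addition to disabling CDP and the services above it turns on login blocking and a minimum password length, and the no-interact defaults can close the path you are connected through. Treat show auto secure config as a checklist rather than as the finished state; the generated configuration still has to match what the network actually needs.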
6.3 Routing Protocol Authentication
Dynamic routing protocols are used by routers to automatically share information about the reachability and status of remote networks.
6.3.2 Routing Protocol Spoofing
Routing systems can be attacked by disrupting peer network routers, or by falsifying or spoofing the information carried within the routing protocols.
6.3.3 OSPF MD5 Routing Protocol Authentication
OSPF supports routing protocol authentication using MD5. MD5 authentication can be enabled for all interfaces in an area (under the OSPF process) or on a per-interface basis.
6.3.4 OSPF SHA Routing Protocol Authentication
MD5 is now considered vulnerable to attacks and should only be used when stronger authentication is not available. Cisco IOS release 15.4
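An added example, not from the course page, showing both forms of OSPF authentication from 6.3.3 and 6.3.4 side by side: MD5 configured per interface and per area, and HMAC-SHA-256 through a key chain. Process ID 10, area 0, the interface names and the key strings are assumed, and the key-chain form is assumed to be available on the release in use (it arrived in IOS 15.4(1)T). Every neighbour on a link must carry the same key ID, algorithm and key string or the adjacency will not form.

```cisco
! --- Added example (not the course page's own configuration); process ID, interfaces and keys are assumed.
! (a) MD5 per interface: define the key, then turn on digest authentication on that link.
R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip ospf message-digest-key 1 md5 0sPf-Md5-K3y
R1(config-if)# ip ospf authentication message-digest
R1(config-if)# exit

! (a') MD5 for every interface in the area instead of per interface.
!      The key itself is still defined on each interface as above.
R1(config)# router ospf 10
R1(config-router)# area 0 authentication message-digest
R1(config-router)# exit

! (b) HMAC-SHA-256 via a key chain (replaces the interface MD5 key on that interface;
!     the two modes cannot be combined on one link). Lifetimes allow a staged key
!     rollover, which only works if the clock is right (NTP).
R1(config)# key chain OSPF-KEYS
R1(config-keychain)# key 1
R1(config-keychain-key)# key-string 0sPf-Sh4-K3y
R1(config-keychain-key)# cryptographic-algorithm hmac-sha-256
R1(config-keychain-key)# send-lifetime 00:00:00 Jan 1 2024 infinite
R1(config-keychain-key)# accept-lifetime 00:00:00 Jan 1 2024 infinite
R1(config-keychain-key)# exit
R1(config-keychain)# exit
R1(config)# interface GigabitEthernet0/1
R1(config-if)# ip ospf authentication key-chain OSPF-KEYS
R1(config-if)# end

! Verify: the interface shows the authentication type and key in use, and the
! neighbour shows FULL only when both sides agree.
R1# show ip ospf interface GigabitEthernet0/1 | include authentication|key
R1# show ip ospf neighbor
R1# debug ip ospf adj        ! a key or type mismatch shows up here as an authentication error
```

Both forms authenticate the OSPF packet only; the LSAs are still sent in the clear, so this stops route injection by an unauthenticated peer (the third attack in the module introduction) but not eavesdropping. The key strings are stored in plaintext in the running configuration unless service password-encryption is on, and even then only as reversible type 7, so protect configuration backups accordingly and rotate keys with the lifetimes rather than leaving one key in place indefinitely.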