Term Paper: Security of Cisco Routers

This document provides an overview of securing Cisco IOS systems by discussing security features for the management, control, and data planes. It describes setting passwords, banners, and encryption to authenticate and authorize access. Centralized logging and use of secure protocols like SSH are also recommended for monitoring events and transferring sensitive data.

Uploaded by

Karan Gaba
Copyright
© Attribution Non-Commercial (BY-NC)

Term Paper on
Security of Cisco Routers

(Submitted in the 5th semester of Master of Computer Applications)

Submitted to:
Mr. Parvesh Mor

Submitted By: Amit Kumar Pandey, Roll No.: RD1E26B18, Section: D1E43

Introduction
Cisco IOS (originally Internetwork Operating System) is software used on most Cisco Systems routers and current Cisco network switches. (Earlier switches ran CatOS.) IOS is a package of routing, switching, internetworking and telecommunications functions integrated into a multitasking operating system.

The IOS command-line interface (CLI) provides a fixed set of multiple-word commands. The set available is determined by the "mode" and the privilege level of the current user. "Global configuration mode" provides commands to change the system's configuration, and "interface configuration mode" provides commands to change the configuration of a specific interface. All commands are assigned a privilege level, from 0 to 15, and can only be accessed by users with the necessary privilege. Through the CLI, the commands available to each privilege level can be defined.

This document contains information to help you secure your Cisco IOS system devices, which increases the overall security of your network. It is structured around the three planes into which the functions of a network device can be categorized, and gives an overview of the security features of each. The three functional planes of a network, the management plane, control plane, and data plane, each provide different functionality that needs to be protected.

- Management Plane: The management plane handles traffic that is sent to the Cisco IOS device itself and is made up of applications and protocols such as SSH and SNMP.
- Control Plane: The control plane of a network device processes the traffic that is paramount to maintaining the functionality of the network infrastructure. The control plane consists of applications and protocols between network devices, which includes the Border Gateway Protocol (BGP), as well as the Interior Gateway Protocols (IGPs) such as the Enhanced Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First (OSPF).
- Data Plane: The data plane forwards data through a network device. The data plane does not include traffic that is sent to the local Cisco IOS device.

Versioning
Cisco IOS is versioned using three numbers and some letters, in the general form a.b(c.d)e, where:

1) a is the major version number.
2) b is the minor version number.
3) c is the release number, which begins at one and increments as new releases in the same a.b train are released. "Train" is Cisco-speak for "...a vehicle for delivering Cisco software to a specific set of platforms and features...".
4) d (omitted from general releases) is the interim build number.
5) e (zero, one or two letters) is the software release train identifier, such as none (which designates the mainline), T (for Technology), E (for Enterprise), S (for Service provider), XA as a special functionality train, XB as a different special functionality train, etc.

Because PSIRT advisories name affected releases by exactly this string, the running version (show version) is the first thing to record for every device when checking exposure to a published vulnerability.

Bringing Up a Router

- power-on self-test (POST)
- load the Cisco IOS from flash memory
- IOS loads and looks for a valid configuration (stored by default in nonvolatile RAM, or NVRAM)

Logging into the Router

After the interface status messages appear and you press Enter, the Router> prompt will appear. This is called user exec mode (user mode) and it's mostly used to view statistics, but it's also a stepping-stone to logging into privileged mode. You can only view and change the configuration of a Cisco router in privileged exec mode (privileged mode), which you get into with the enable command.

Router>
Router>enable
Router#

Security: Router and Switch Administrative Functions

- Hostnames
- Banners
- Passwords
- Interface descriptions

Hostnames

Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname Todd
Todd(config)#hostname Atlanta
Atlanta(config)#

Banners
A banner is more than just a little cool: one very good reason for having a banner is to give any and all who dare attempt to telnet or dial into your internetwork a security notice. Keep that notice to a statement that access is restricted and monitored; a banner should not contain the word "welcome", the device model, or the IOS version, since it is shown before authentication to anyone who connects.

)our a$ailable banner types = e&ec process creation banner = incoming terminal line banner = login banner = message of the day banner = Message of the day (MOTE) is the most e&tensi%ely used banner" It gi%es a message to e%ery person dialing into or connecting to the router %ia Telnet or au&iliary port$ or e%en through a console port Setting Pass"ords = There are fi%e pass ords used to secure your Cisco routers7
*

F console F Au&iliary F telnet (>TA) F enable pass ord F enable secret" +nable Pass"ords = Console and Au&iliary used to set your enable pass ord that@s used to secure pri%ileged mode" This ill prompt a user for a pass ord hen the enable command is used"

e,ample o) setting t e enable pass"ords: = 5outer(config)Benable secret todd = 5outer(config)Benable pass ord todd = The enable pass ord you ha%e chosen is the same as your enable secret" This is not recommended" 5e'enter the enable pass ord"

User-mode passwords

Router(config)#line ?
  <0-70>   First Line number
  aux      Auxiliary line
  console  Primary terminal line
  tty      Terminal controller
  vty      Virtual terminal
  x/y      Slot/Port for Modems

- aux: Sets the user-mode password for the auxiliary port.
- console: Sets a console user-mode password.
- vty: Sets a Telnet password on the router.

Telnet Password

Router(config-line)#line vty 0 ?
  <1-4>  Last Line Number
  <cr>
Router(config-line)#line vty 0 4
Router(config-line)#password todd2
Router(config-line)#login

Encrypting Your Passwords

Because only the enable secret password is encrypted by default, you'll need to manually configure the user-mode and enable passwords for encryption. To manually encrypt your passwords, use the service password-encryption command.

Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#service password-encryption

Be clear about what this buys you. service password-encryption applies the type 7 scheme, which is a fixed-keystream obfuscation, not encryption: anyone who obtains the configuration (a backup, a TFTP copy, a show running-config pasted into a ticket) can recover every type 7 password in seconds. It protects against someone reading over your shoulder and nothing more. Where a hashed form is available, use it instead: enable secret for privileged mode, and username <name> secret <password> with login local on the lines rather than a shared line password.
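The point above, that type 7 strings are reversible, is easy to demonstrate. The script below is an added example and is not code from the term paper or from Cisco: it implements the publicly known type 7 algorithm (a fixed 53-byte keystream, a two-digit starting offset, then plaintext XOR keystream written as hex), decodes the strings back out of a constructed running-config excerpt, and encodes one so the round trip can be checked. The hostname and the password strings in the sample config are made up for the example.

```python
"""Type 7 password obfuscation as applied by 'service password-encryption'."""
from __future__ import annotations

import re

# The fixed keystream every IOS image uses for type 7 (publicly known; there is no secret key).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Matches 'password 7 <hex>' and 'key 7 <hex>' lines in a running-config.
TYPE7_LINE = re.compile(r"\b(?:password|key)\s+7\s+([0-9A-Fa-f]{4,})\b")


def type7_decode(obfuscated: str) -> str:
    """Recover plaintext from a type 7 string: two decimal digits (keystream offset) + hex bytes."""
    if len(obfuscated) < 4 or len(obfuscated) % 2 or not obfuscated[:2].isdigit():
        raise ValueError(f"malformed type 7 string: {obfuscated!r}")
    seed = int(obfuscated[:2])
    body = bytes.fromhex(obfuscated[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode("latin-1")


def type7_encode(plaintext: str, seed: int = 8) -> str:
    """Produce a type 7 string the way IOS does; IOS picks the offset (seed) from 0-15."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be in 0..15")
    raw = plaintext.encode("latin-1")
    body = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(raw))
    return f"{seed:02d}{body.hex().upper()}"


def recover_type7_passwords(config_text: str) -> dict[str, str]:
    """Map every type 7 string found in a config to its plaintext."""
    return {hexstr: type7_decode(hexstr) for hexstr in TYPE7_LINE.findall(config_text)}


# Constructed running-config excerpt (hostname and password strings are made up for this example).
SAMPLE_CONFIG = """\
hostname rtr-edge-1
service password-encryption
enable password 7 02120B5F0F
line vty 0 4
 password 7 0822455D0A16
 login
"""

if __name__ == "__main__":
    # Every 'password 7' line in the config is recovered without touching the router.
    for hexstr, plain in recover_type7_passwords(SAMPLE_CONFIG).items():
        print(f"{hexstr} -> {plain}")
    # Encoding with the same keystream reproduces what IOS would have written.
    print(type7_encode("todd", seed=2))
```

Running it prints the two plaintexts straight out of the config text, which is exactly why the enable password and line passwords should be replaced by enable secret and hashed username entries rather than relied on in type 7 form.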

Secure Operations

Secure network operations is a substantial topic. Although most of this document is devoted to the secure configuration of a Cisco IOS device, configuration alone does not completely secure a network. The operational procedures in use on the network contribute as much to security as the configuration of the underlying devices.

1) Monitor Cisco Security Advisories and Responses

The Cisco Product Security Incident Response Team (PSIRT) creates and maintains publications, commonly referred to as PSIRT Advisories, for security-related issues in Cisco products. The method used for communication of less severe issues is the Cisco Security Response.

2) Use Authentication, Authorization, and Accounting

The Authentication, Authorization, and Accounting (AAA) framework is vital to securing network devices. The AAA framework provides authentication of management sessions and can also limit users to specific, administrator-defined commands and log all commands entered by all users. This is what replaces the shared line passwords described earlier: each administrator authenticates as an individual against a central server (TACACS+ or RADIUS), and the accounting records give you an audit trail of who ran which command.

3) Centralize Log Collection and Monitoring

In order to gain an understanding of existing, emerging, and historic events related to security incidents, your organization needs to have a unified strategy for event logging and correlation. This strategy must leverage logging from all network devices and use pre-packaged and customizable correlation capabilities. On IOS this means pointing each device at the collector (logging host <collector>), choosing the lowest severity to export (logging trap informational), and timestamping messages against a clock synchronized with NTP (service timestamps log datetime msec), since events from different devices can only be correlated if their clocks agree. After centralized logging is implemented, you must develop a structured approach to log analysis and incident tracking. Based on the needs of your organization, this approach can range from a simple diligent review of log data to advanced rule-based analysis.
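As an illustration of the "rule-based analysis" end of that range, the following is an added example, not part of the term paper or of any Cisco tool: it walks a batch of syslog lines of the kind a central collector receives from IOS devices and correlates them into alerts. The rules are the ones an operator most wants for the management plane: a burst of failed logins from one source against one device, a successful login from that same source afterwards, and a configuration change made from that source. The log lines are constructed for the example in the %FACILITY-SEVERITY-MNEMONIC style IOS uses; the hostnames, usernames and addresses are made up, and the five-failure threshold is an arbitrary choice.

```python
"""Correlate centrally collected Cisco IOS syslog lines into security alerts."""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed syslog lines in the style IOS emits; hostnames and addresses are made up.
SAMPLE_LOGS = """\
Mar  2 10:15:30 rtr-edge-1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 10:15:30 UTC Mon Mar 2 2020
Mar  2 10:15:33 rtr-edge-1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 10:15:33 UTC Mon Mar 2 2020
Mar  2 10:15:36 rtr-edge-1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 10:15:36 UTC Mon Mar 2 2020
Mar  2 10:15:39 rtr-edge-1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 10:15:39 UTC Mon Mar 2 2020
Mar  2 10:15:42 rtr-edge-1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 10:15:42 UTC Mon Mar 2 2020
Mar  2 10:16:01 rtr-edge-1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 198.51.100.7] [localport: 22] at 10:16:01 UTC Mon Mar 2 2020
Mar  2 10:16:40 rtr-edge-1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (198.51.100.7)
Mar  2 10:20:05 rtr-core-1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.0.5] [localport: 22] at 10:20:05 UTC Mon Mar 2 2020
Mar  2 10:21:10 rtr-core-1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: netops] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed] at 10:21:10 UTC Mon Mar 2 2020
"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
LOGIN_RE = re.compile(
    TS + r" (?P<host>\S+) %SEC_LOGIN-\d-(?P<event>LOGIN_FAILED|LOGIN_SUCCESS): "
    r"Login \w+ \[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]"
)
CONFIG_RE = re.compile(
    TS + r" (?P<host>\S+) %SYS-5-CONFIG_I: Configured from \S+ by (?P<user>\S+) on (?P<line>\S+) \((?P<src>[^)]+)\)"
)


def correlate(lines, threshold: int = 5) -> list[dict]:
    """Walk log lines in order; emit alerts for login brute forcing and what follows it."""
    failures: dict[tuple[str, str], int] = defaultdict(int)  # (device, source) -> failures since last success
    flagged: set[str] = set()                                 # sources that reached the threshold
    alerts: list[dict] = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if m:
            key = (m["host"], m["src"])
            if m["event"] == "LOGIN_FAILED":
                failures[key] += 1
                if failures[key] == threshold:
                    flagged.add(m["src"])
                    alerts.append({"kind": "brute_force", "host": m["host"], "src": m["src"], "ts": m["ts"]})
            else:
                # A success right after a run of failures is the interesting case, not the failures alone.
                if failures[key] >= threshold:
                    alerts.append({"kind": "login_after_brute_force", "host": m["host"], "src": m["src"],
                                   "user": m["user"], "ts": m["ts"]})
                failures[key] = 0
            continue
        m = CONFIG_RE.search(line)
        if m and m["src"] in flagged:
            alerts.append({"kind": "config_change_from_flagged_source", "host": m["host"], "src": m["src"],
                           "user": m["user"], "ts": m["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS.splitlines()):
        print(alert)
```

The single failure against rtr-core-1 produces nothing, which is the intended behaviour: a rule that fires on every failed login is noise, while the sequence of threshold failures, a success and then a CONFIG_I from the same address is the thing worth paging someone for. Note that this only works because the lines carry the source address, which is why login logging (login on-failure log and login on-success log on IOS) belongs in the baseline configuration.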

4) Use Secure Protocols When Possible

Many protocols are used in order to carry sensitive network management data. You must use secure protocols whenever possible. A secure protocol choice includes the use of SSH instead of Telnet so that both authentication data and management information are encrypted. On the device this means restricting the vty lines with transport input ssh and running ip ssh version 2, since SSH version 1 has known weaknesses; the same reasoning applies to SNMP, where versions 1 and 2c send the community string in cleartext and SNMPv3 with authentication and privacy should be used, and to the HTTP server, which should be disabled or replaced by ip http secure-server. In addition, you must use secure file transfer protocols when you copy configuration data. An example is the use of the Secure Copy Protocol (SCP) in place of FTP or TFTP, both of which carry the configuration, and every password in it, in the clear.
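The checks in this section and in the password section earlier can be applied mechanically to a saved configuration. The script below is an added example, not code from the term paper or from Cisco: it parses a running-config into top-level commands and their indented children, then flags the cleartext management services (Telnet on the vty lines, SSH version 1, HTTP, SNMPv1/v2c communities) and the reversible credentials (enable password, username ... password, shared line passwords). Two config excerpts are constructed for the example, one weak and one hardened; the hostname, users and strings are made up. The choice of file transfer protocol is an operational habit rather than a config line, so the audit cannot check it.

```python
"""Audit a Cisco IOS running-config for cleartext management protocols and weak credentials."""
from __future__ import annotations

import re

# Constructed running-config excerpts; hostnames, users and strings are made up for the example.
WEAK_CONFIG = """\
hostname rtr-edge-1
!
enable password letmein
username ops password 0 ops123
!
ip http server
snmp-server community public RO
snmp-server community private RW
ip ssh version 1
!
line con 0
 password consolepw
 login
line vty 0 4
 password 7 0822455D0A16
 login
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
"""

# Same device with the findings below remediated (enable secret shown as typed; IOS stores the hash).
HARDENED_CONFIG = """\
hostname rtr-edge-1
enable secret ChangeMeNow1!
username ops secret ops123
no ip http server
snmp-server group NOC v3 priv
ip ssh version 2
line con 0
 login local
line vty 0 15
 login local
 transport input ssh
"""


def parse_sections(config: str) -> list[tuple[str, list[str]]]:
    """Split a config into (top-level command, indented child lines); comments and blanks are dropped."""
    sections: list[tuple[str, list[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit(config: str) -> list[tuple[str, str]]:
    """Return (offending command, remediation) pairs for the config."""
    findings: list[tuple[str, str]] = []
    for header, children in parse_sections(config):
        if header.startswith("enable password"):
            findings.append((header, "stored cleartext or as reversible type 7; remove it and use 'enable secret'"))
        elif re.match(r"username \S+ password\b", header):
            findings.append((header, "use 'username <name> secret <pw>' so the credential is hashed, not type 7"))
        elif header == "ip http server":
            findings.append((header, "cleartext HTTP management; 'no ip http server' (ip http secure-server only if HTTPS is required)"))
        elif header.startswith("snmp-server community"):
            findings.append((header, "SNMPv1/v2c community string travels in cleartext; migrate to SNMPv3 authPriv"))
        elif header == "ip ssh version 1":
            findings.append((header, "SSHv1 is insecure; set 'ip ssh version 2'"))
        elif header.startswith("line vty"):
            transport = next((c for c in children if c.startswith("transport input")), None)
            if transport is None:
                findings.append((header, "no 'transport input' on vty; older IOS defaults allow Telnet; set 'transport input ssh'"))
            elif re.search(r"\b(telnet|all)\b", transport):
                findings.append((header, f"'{transport}' permits Telnet (cleartext); set 'transport input ssh'"))
        if header.startswith("line "):
            for child in children:
                if child.startswith("password "):
                    findings.append((header, f"'{child}' is a shared line password (cleartext or type 7); use 'login local' with hashed usernames or AAA"))
    return findings


if __name__ == "__main__":
    for command, fix in audit(WEAK_CONFIG):
        print(f"{command:40} {fix}")
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

The weak excerpt yields nine findings; the hardened one yields none. The parser is deliberately simple (one level of indentation), which is enough for line and interface blocks; the value is in running it over every backed-up configuration rather than over the one router you happen to be logged into.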
