IT Security-Ch2-Securing Network Devices

This document discusses securing network devices. It covers securing device access, assigning administrative roles, monitoring and managing devices, using automated security features, and securing the control plane. Some key points include configuring secure administrative access to routers, configuring enhanced security for virtual logins such as SSH, and securing the network infrastructure through appropriate security policies and controls on devices.

Uploaded by Abdellah Lotfi

Chapter 2: Securing Network Devices

Net Security
C. Leghris

2.0 Introduction;
2.1 Securing Device Access;
2.2 Assigning Administrative Roles;
2.3 Monitoring and Managing Devices;
2.4 Using Automated Security Features;
2.5 Securing the Control Plane;
2.6 Summary.
Upon completion of this section, you should be able to:
• Explain how to secure a network perimeter;
• Configure secure administrative access to Cisco routers;
• Configure enhanced security for virtual logins;
• Configure an SSH daemon for secure remote management.
• Securing the network infrastructure is critical to overall network security;
o The network infrastructure includes routers, switches, servers, endpoints, and other devices;
• To prevent unauthorized access to all infrastructure devices, appropriate security policies and controls must be implemented.
Single Router Approach: all security policies are configured on this single device.

Defense in Depth Approach: there are three primary layers of defense: the edge router, the firewall, and an internal router.

DMZ Approach: the DMZ can be used for servers that must be accessible from the Internet or some other external network.
• Securing administrative access is an extremely important security task;
o If an unauthorized person gains administrative access to a router, that person could alter routing parameters, disable routing functions, or discover and gain access to other systems within the network.
• Several important tasks are involved in securing administrative access to an infrastructure device:
o Restrict device accessibility;
o Log and account for all access;
o Authenticate access;
o Authorize actions;
o Present legal notification;
o Ensure the confidentiality of data.
Figures: Local Access; Remote Access Using Telnet; Remote Access Using Modem and Aux Port; Dedicated Management Network.
Guidelines:
• Use a password length of 10 or more characters;
• Include a mix of uppercase and lowercase letters, numbers, symbols, and spaces;
• Avoid passwords based on easily identifiable pieces of information;
• Deliberately misspell a password (Smith = Smyth = 5mYth);
• Change passwords often;
• Do not write passwords down and leave them in obvious places.

Weak Password | Why it is Weak             | Strong Password | Why it is Strong
secret        | Simple dictionary password | b67n42d39c      | Combines alphanumeric characters
smith         | Mother's maiden name       | 12^h u4@1p7     | Combines alphanumeric characters, symbols, and includes a space
toyota        | Make of car                |                 |
bob1967       | Name and birthday of user  |                 |
Blueleaf23    | Simple words and numbers   |                 |
• There are multiple router configuration commands that can be used to increase password security.
Guidelines:
• Configure all secret passwords using type 8 or type 9 passwords;
• Use the "enable algorithm-type" command syntax to enter an unencrypted password (the router stores only the resulting hash);
• Use the "username name algorithm-type" command to specify type 9 encryption.
By default:
• The console and auxiliary ports do not require a password for administrative access;
• The password command configured on the console, vty, and auxiliary lines can only use type 7.
Virtual login security enhancements:
• Implement delays between successive login attempts;
• Enable login shutdown if DoS attacks are suspected;
• Generate system-logging messages for login detection.

• Banners protect the organization from a legal perspective.
• Disable logins after a specified number of failed login attempts;
• Only authorized hosts can attempt to log in to the router;
• Specify the number of seconds the user must wait between unsuccessful login attempts;
• Log successful login attempts;
• Log unsuccessful login attempts.
Command Syntax: login block-for

Example: login quiet-mode access-class

Example: login delay

Generate Login Syslog Messages

Example: show login failures
Example SSH Configuration

Example Verification of SSH

• To connect from a PC:
PC> ssh -l SSHadmin 192.168.3.1
• To connect from a router:
R2# ssh -v 2 -l SSHadmin 10.2.2.1
• We can modify the default SSH timeout interval and the number of authentication tries;
• Use the "ip ssh time-out seconds" global configuration mode command to modify the default 120-second timeout interval.
Two ways to connect:
• Enable SSH and use a Cisco router as an SSH server or SSH client:
o As a server, the router can accept SSH client connections;
o As a client, the router can connect via SSH to another SSH-enabled router;
• Use an SSH client running on a host, such as:
o PuTTY;
o OpenSSH;
o TeraTerm.
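The password guidelines, the virtual login enhancements and the SSH server described across this section fit together into one administrative-access configuration. The block below is an added example written for this edit, not a configuration taken from the slides or from Cisco documentation; the hostname R1, the domain example.com, the ACL name ADMIN-HOSTS, the 192.168.10.0/24 administration subnet and every secret are placeholders chosen here.

```cisco
! Added example, not from the slides. Names, addresses and secrets are placeholders.
! --- Passwords: type 9 (scrypt) hashes, a minimum length, no plaintext on the lines ---
R1(config)# security passwords min-length 10
R1(config)# enable algorithm-type scrypt secret En@ble-S3cret-Placeholder
R1(config)# username SSHadmin privilege 15 algorithm-type scrypt secret Adm1n-S3cret-Placeholder
! Console and aux have no password by default; authenticate against the local user
! database instead of a line "password" (which can only be stored as type 7).
R1(config)# line console 0
R1(config-line)# login local
R1(config-line)# exec-timeout 5 0
R1(config-line)# exit
R1(config)# line aux 0
R1(config-line)# login local
R1(config-line)# exec-timeout 5 0
R1(config-line)# exit
! --- Virtual login enhancements ---
! Hosts that may still log in while the router is in quiet mode
R1(config)# ip access-list standard ADMIN-HOSTS
R1(config-std-nacl)# permit 192.168.10.0 0.0.0.255
R1(config-std-nacl)# exit
! Three failures within 60 s shut logins down for 120 s (quiet mode)
R1(config)# login block-for 120 attempts 3 within 60
R1(config)# login quiet-mode access-class ADMIN-HOSTS
! Force a 3 s pause between successive attempts and log every outcome
R1(config)# login delay 3
R1(config)# login on-success log
R1(config)# login on-failure log
! Legal notification shown before the login prompt
R1(config)# banner motd ^ Authorized access only. Activity is monitored and logged. ^
! --- SSH server: RSA key pair, version 2 only, shorter negotiation timeout, fewer retries ---
R1(config)# ip domain-name example.com
R1(config)# crypto key generate rsa general-keys modulus 2048
R1(config)# ip ssh version 2
R1(config)# ip ssh time-out 60
R1(config)# ip ssh authentication-retries 2
! vty lines: SSH only, local users, reachable only from the administration subnet
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# access-class ADMIN-HOSTS in
R1(config-line)# exec-timeout 10 0
R1(config-line)# end
! --- Verification ---
R1# show ip ssh
R1# show login
R1# show login failures
```

The order matters in two places: the RSA key pair can only be generated once a hostname and a domain name are set, and login quiet-mode access-class is accepted only after login block-for has been configured. The access-class on the vty lines and the quiet-mode ACL reuse the same list so that the administration subnet is the only source able to reach the router during a lockout.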
Upon completion of this section, you should be able to:
• Configure administrative privilege levels to control command availability;
• Configure role-based CLI access to control command availability.
Privilege levels:
• Level 0: Predefined for user-level access privileges.
• Level 1: Default level for login with the router prompt.
• Level 2-14: May be customized for user-level privileges.
• Level 15: Reserved for the enable mode privileges.

Levels of access commands:
• User EXEC mode (privilege level 1): lowest EXEC mode user privileges; only user-level commands are available at the router> prompt.
• Privileged EXEC mode (privilege level 15): all enable-level commands are available at the router# prompt.

Privilege Level Syntax
Two methods for assigning passwords to the different privilege levels:
• To a user that is granted a specific privilege level:
username name privilege level secret password
• To the privilege level itself:
enable secret level level password

The different configured privilege levels:
The use of privilege levels has its limitations:
• No access control to specific interfaces, ports, logical interfaces, and slots on a router;
• Commands available at lower privilege levels are always executable at higher privilege levels;
• Commands specifically set at higher privilege levels are not available to lower privilege users;
• Assigning a command with multiple keywords allows access to all commands that use those keywords;
o Example: allowing access to show ip route allows the user access to all show and show ip commands.
For example:
• Security operator privileges:
o Configure AAA;
o Issue show commands;
o Configure Firewall;
o Configure IDS/IPS;
o Configure NetFlow.
• WAN engineer privileges:
o Configure routing;
o Configure interfaces;
o Issue show commands.
• Role-based CLI provides three types of views:
o Root View;
o View;
o Superview.
Step 1:
• Enable AAA with the aaa new-model command, then enter the root view (the root view has no name and is protected by the enable password);

Step 2:
• Create the view; this creates the view and enters view configuration mode;

Step 3:
• Assign a secret password to the view using the secret encrypted-password command;

Step 4:
• Assign commands to the selected view using the commands parser-mode command.
Example of a three-view configuration:
• Configuring a superview is the same as configuring a CLI view,
o except that the view view-name command is used to assign commands to the superview (by adding the CLI views that contain them);
• The administrator must be in root view to configure a superview;
o Use either the "enable view" or the "enable view root" command.

Step 1:

Step 2:

Step 3:
• Enable Root View and Verify All Views

• Assign a view to a user:
R1(config)# username A view A password ciscoa
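The following added example puts the two mechanisms of this section side by side: a custom privilege level for a support user, including the multi-keyword limitation noted on the earlier slide, and then the same role expressed as CLI views and a superview, which expose only the commands explicitly included. It was written for this edit and is not a configuration from the slides; the usernames support and netops, the view names SHOWVIEW, INTVIEW and NETOPS and all secrets are placeholders.

```cisco
! Added example, not from the slides. Names and secrets are placeholders.
! --- Privilege levels ---
! Level 5 user: may ping and view interface state in addition to the level-1 commands
R1(config)# privilege exec level 5 ping
R1(config)# privilege exec level 5 show ip interface brief
R1(config)# enable secret level 5 L3vel5-S3cret-Placeholder
R1(config)# username support privilege 5 algorithm-type scrypt secret Supp0rt-Placeholder
! Limitation: moving "show ip route" to level 5 also moves "show" and "show ip",
! so the user gains every show command, not just the one intended.
R1(config)# privilege exec level 5 show ip route
R1(config)# end
! --- Role-based CLI views: only the listed commands are visible to the user ---
R1(config)# aaa new-model
R1(config)# end
R1# enable view
Password: <enable secret>
R1# configure terminal
R1(config)# parser view SHOWVIEW
R1(config-view)# secret Sh0wview-Placeholder
R1(config-view)# commands exec include show version
R1(config-view)# commands exec include show ip interface brief
R1(config-view)# commands exec include show ip route
R1(config-view)# exit
R1(config)# parser view INTVIEW
R1(config-view)# secret Intview-Placeholder
R1(config-view)# commands exec include configure terminal
R1(config-view)# commands configure include interface
R1(config-view)# commands interface include ip address
R1(config-view)# commands interface include shutdown
R1(config-view)# exit
! Superview grouping both views into a network-operator role
R1(config)# parser view NETOPS superview
R1(config-view)# secret Net0ps-Placeholder
R1(config-view)# view SHOWVIEW
R1(config-view)# view INTVIEW
R1(config-view)# exit
! Bind the superview to a user so that logging in lands directly in it
R1(config)# username netops view NETOPS secret Net0ps-User-Placeholder
R1(config)# end
R1# show parser view all
! Testing the role from an EXEC session
R1# enable view NETOPS
Password: <view secret>
R1# show parser view
```

With the privilege-level approach, "show ip route" at level 5 drags the whole show tree with it; in SHOWVIEW the three show commands listed are the only ones the user can run, and INTVIEW restricts configuration to ip address and shutdown under interface mode, which is the per-interface control the privilege-level model cannot express.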
Upon completion of this section, you should be able to:
• Use the Cisco IOS resilient configuration feature to secure the Cisco IOS image and configuration files;
• Compare in-band and out-of-band management access;
• Configure syslog to log system events;
• Configure secure SNMPv3 access using ACLs;
• Configure NTP to enable accurate timestamping between all devices.
• Allows for faster recovery if someone maliciously or unintentionally reformats flash memory or erases the startup configuration file in NVRAM;
• Maintains a secure working copy of the router IOS image file and a copy of the running configuration file. These secure files cannot be removed by the user and are referred to as the primary bootset.
• To secure the IOS image and enable Cisco IOS image resilience:
Router(config)# secure boot-image
• To take a snapshot of the router running configuration and securely archive it:
Router(config)# secure boot-config
• To verify the existence of the archive (the dir command does not list the secured files):
Router# show secure bootset
• The Cisco IOS Resilient Configuration feature provides a method for securing the IOS image and configuration files locally on the device.
• The SCP (Secure Copy Protocol) feature is used to remotely copy these files;
• Configure the router for server-side SCP with local AAA:
1. Configure SSH;
2. Configure at least one user with privilege level 15;
3. Enable AAA;
4. Specify that the local database is to be used for authentication;
5. Configure command authorization;
6. Enable SCP server-side functionality.
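The resilient-configuration commands above and the six SCP steps, as one added example written for this edit (not a configuration from the slides). It assumes SSH is already configured as in the earlier section; the user ADMIN, the addresses 192.168.10.1 (router) and 192.168.10.100 (management host), the file names and the secret are placeholders, and the host-side scp path form is an assumption about the IOS release, noted in the comment.

```cisco
! Added example, not from the slides. Hostname, user, addresses and secrets are placeholders.
! --- Cisco IOS Resilient Configuration: primary bootset ---
R1(config)# secure boot-image
R1(config)# secure boot-config
R1(config)# end
! "dir" does not list the secured files; verify the primary bootset this way:
R1# show secure bootset
! --- Server-side SCP with local AAA (steps 1-6; SSH from step 1 assumed present) ---
! Step 2: a privilege-15 user
R1(config)# username ADMIN privilege 15 algorithm-type scrypt secret Adm1n-S3cret-Placeholder
! Step 3: enable AAA
R1(config)# aaa new-model
! Step 4: authenticate against the local user database
R1(config)# aaa authentication login default local
! Step 5: command (EXEC) authorization from the local database; SCP refuses without it
R1(config)# aaa authorization exec default local
! Step 6: SCP server
R1(config)# ip scp server enable
R1(config)# end
! --- Pulling a copy from a management host with an OpenSSH client ---
! Assumed path syntax: IOS exposes the file as "running-config" on recent releases.
host$ scp ADMIN@192.168.10.1:running-config ./r1-running.cfg
! --- Alternatively, push a copy from the router to an SCP server on the host ---
R1# copy running-config scp://ADMIN@192.168.10.100/r1-running.cfg
```

Both transfers ride on the SSH session configured earlier, so the vty access-class and SSH version settings also govern who can fetch the configuration; with Telnet or TFTP the same copy would cross the network in clear text.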
1. Connect to the console port;
2. Record the configuration register setting;
3. Power cycle the router;
4. Issue the break sequence;
5. Change the default configuration register with the confreg 0x2142 command;
6. Reboot the router;
7. Press Ctrl-C to skip the initial setup procedure;
8. Put the router into privileged EXEC mode;
9. Copy the startup configuration to the running configuration;
10. Verify the configuration;
11. Change the enable secret password;
12. Enable all interfaces;
13. Change the config-register with the config-register configuration_register_setting command;
14. Save the configuration changes.

Disable Password Recovery

No Service Password Recovery

Password Recovery Functionality is Disabled
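The fourteen recovery steps as they look on the console, followed by the command that disables the procedure. This is an added example written for this edit, not from the slides; the interface name, the new secret and the restored register value 0x2102 (the value recorded in step 2 is what should actually be used) are placeholders.

```cisco
! Added example, not from the slides: the recovery steps as typed at the console.
! Interface name, register value and the new secret are placeholders.
! Steps 1-4: console cable, note the current register, power cycle, send the break sequence.
rommon 1 > confreg 0x2142
rommon 2 > reset
! Step 7: decline the setup dialog with Ctrl-C. Steps 8-9: NVRAM was skipped at boot,
! so the router comes up with a blank config and the default hostname.
Router> enable
Router# copy startup-config running-config
! Steps 10-12: check the config, set a new enable secret, bring interfaces back up
! (they are administratively down after a 0x2142 boot).
R1# configure terminal
R1(config)# enable algorithm-type scrypt secret New-En@ble-Placeholder
R1(config)# interface GigabitEthernet0/0
R1(config-if)# no shutdown
R1(config-if)# exit
! Step 13: restore the register recorded in step 2 (0x2102 is the common default). Step 14: save.
R1(config)# config-register 0x2102
R1(config)# end
R1# copy running-config startup-config
! Disabling recovery: ROMMON then refuses confreg changes, and the only way back in
! without the enable secret is to erase the startup configuration. Apply deliberately.
R1(config)# no service password-recovery
```

The procedure depends entirely on console access, which is why the earlier slides treat physical security of the console and aux ports as part of administrative-access security; no service password-recovery closes the procedure at the cost of making a lost enable secret unrecoverable without losing the configuration.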
• The most common method of accessing system messages from networking devices is to use a protocol called syslog (RFC 5424);
• Syslog uses UDP port 514 to send event notification messages across IP networks to event message collectors.
• The syslog logging service provides three primary functions:
o The ability to gather logging information for monitoring and troubleshooting;
o The ability to select the type of logging information that is captured;
o The ability to specify the destinations of captured syslog messages.
• Syslog implementations always contain two types of systems:
o Syslog servers - Also known as log hosts, these systems accept and process log messages from syslog clients;
o Syslog clients - Routers or other types of equipment that generate and forward log messages to syslog servers.
Step 1: Set the destination logging host

Step 2 (optional): Set the log severity (trap) level

Step 3: Set the source interface

Step 4: Enable logging to all enabled destinations
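The four steps as a complete configuration, as an added example written for this edit and not taken from the slides. The collector address 10.1.1.100 and the source interface Loopback0 are placeholders; the login-detection messages enabled in the earlier section are among the events this delivers to the collector.

```cisco
! Added example, not from the slides. Collector address and source interface are placeholders.
! Step 1: destination logging host (a syslog collector listening on UDP 514)
R1(config)# logging host 10.1.1.100
! Step 2 (optional): forward severities 0-4 (emergencies through warnings) and keep
! notifications/informational/debug local, so login failures (warnings) still reach the collector
R1(config)# logging trap warnings
! Step 3: send every syslog packet from a stable management address, so the collector
! can attribute messages to the router even when a physical interface flaps
R1(config)# logging source-interface Loopback0
! Step 4: enable logging to all configured destinations
R1(config)# logging on
! Timestamps with millisecond precision and time zone, so collector and router agree (see NTP)
R1(config)# service timestamps log datetime msec localtime show-timezone
R1(config)# end
R1# show logging
```

Because syslog runs over UDP without acknowledgement or authentication, the collector should sit on the dedicated management network shown earlier and accept messages only from the routers' logging source addresses; a trap level below warnings quickly floods a collector with interface and routing chatter.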
• Simple Network Management Protocol (SNMP) was developed to allow administrators to manage devices on an IP network;
• It enables network administrators to monitor network performance, manage network devices, troubleshoot network problems, and plan for network growth;
• SNMP consists of 3 elements:
o SNMP manager;
o SNMP agents (managed nodes);
o Management Information Base (MIB).
• At least one manager node should run SNMP management software;
• Network devices that can be managed are equipped with the SNMP agent software module.

Cisco MIB Hierarchy
• Several versions of SNMP are available:
o SNMPv1 - Defined in RFC 1157; provided no authentication or encryption mechanism;
o SNMPv2c - Defined in RFCs 1901 to 1908; improved upon SNMPv1 but provided no authentication or encryption mechanism;
o SNMPv3 - Defined in RFCs 2273 to 2275; provides secure access to devices by authenticating and encrypting packets over the network.
• SNMP is vulnerable to attack precisely because SNMP agents can be polled with get requests and accept configuration changes with set requests;
• Examples:
o A set request can cause a router to reboot;
o An agent can also be configured to send out traps or notifications.
• SNMPv3 provides three security features:
o Transmissions from manager to agent may be authenticated to guarantee the identity of the sender and the integrity and timeliness of a message (message integrity and authentication);
o SNMPv3 messages may be encrypted to ensure privacy (encryption);
o The agent may enforce access control to restrict each principal to certain actions on specific portions of data (access control).

• SNMPv3 can be secured with only a few commands.
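The "few commands" referred to above, arranged so that each of the three SNMPv3 security features is visible, as an added example written for this edit (not from the slides). The manager address 10.1.1.100, the ACL name SNMP-MGRS, the view SNMP-RO, the group ADMIN-GRP, the user NETMON and the passphrases are placeholders.

```cisco
! Added example, not from the slides. Names, the manager address and the passphrases are placeholders.
! Access control (1): only the management station may reach the agent at all
R1(config)# ip access-list standard SNMP-MGRS
R1(config-std-nacl)# permit 10.1.1.100
R1(config-std-nacl)# exit
! Access control (2): the MIB subtree the group may see (whole iso tree here)
R1(config)# snmp-server view SNMP-RO iso included
! Group: v3 with authentication and encryption ("priv"), a read view but no write view,
! so set requests (the reboot example on the previous slide) are refused; ACL applied
R1(config)# snmp-server group ADMIN-GRP v3 priv read SNMP-RO access SNMP-MGRS
! User: SHA for message integrity/authentication, AES-128 for encryption
R1(config)# snmp-server user NETMON ADMIN-GRP v3 auth sha Auth-Passphrase-Placeholder priv aes 128 Priv-Passphrase-Placeholder
! Notifications travel under the same v3 user, authenticated and encrypted
R1(config)# snmp-server host 10.1.1.100 version 3 priv NETMON
R1(config)# snmp-server enable traps
R1(config)# end
! Verification (the user is not shown in the running configuration; use show snmp user)
R1# show snmp group
R1# show snmp user
```

The security level is set twice on purpose: "priv" on the group is the minimum the agent accepts for that group, and the auth/priv keys on the user are what the manager must present. Omitting the write view is what turns the slide's warning about set requests into a non-issue for this group.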
• The date and time settings on the router can be set using one of two methods:
o Manually edit the date and time;
o Configure the Network Time Protocol (NTP);
• A better solution is to configure NTP on the network;
• NTP allows routers on the network to synchronize their time settings with an NTP server;
• When NTP is implemented in the network, it can be set up to synchronize to a private master clock or to a publicly available NTP server on the Internet.
Sample NTP Topology

Sample NTP Configuration on R1

Sample NTP Configuration on R2
• NTP version 3 (NTPv3) and later support a cryptographic authentication mechanism between NTP peers;
• Three commands are used on the NTP master and the NTP client:
o ntp authenticate;
o ntp authentication-key key-number md5 key-value;
o ntp trusted-key key-number;
• To confirm that the server is an authenticated source, use the command:
o show ntp associations detail
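The three authentication commands applied on both ends of a private master clock setup, as an added example written for this edit (not the slides' sample configuration). R1 acts as the master at stratum 3, R2 is a client; the address 10.1.1.1, key number 1 and the key string are placeholders, and the key string must be identical on both routers.

```cisco
! Added example, not from the slides. Addresses and the key string are placeholders.
! --- R1: private master clock for the internal network ---
R1(config)# ntp master 3
R1(config)# ntp authenticate
R1(config)# ntp authentication-key 1 md5 NTP-K3y-Placeholder
R1(config)# ntp trusted-key 1
! --- R2: client that accepts time only when it is signed with trusted key 1 ---
R2(config)# ntp authenticate
R2(config)# ntp authentication-key 1 md5 NTP-K3y-Placeholder
R2(config)# ntp trusted-key 1
! "key 1" tells R2 which key to use for this server; without ntp authenticate
! and ntp trusted-key the key would be stored but never enforced
R2(config)# ntp server 10.1.1.1 key 1
R2(config)# end
! Verification: the association for 10.1.1.1 should read "authenticated"
R2# show ntp associations detail
R2# show ntp status
```

Authentication here protects the routers from accepting time from a rogue source, which matters because the syslog timestamps and SNMPv3 timeliness checks described earlier both rely on the router's clock; it does not hide the time data, so the shared key should still be treated as a secret and rotated like any other.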
Upon completion of this section, you should be able to:
• Use security audit tools to determine IOS-based router vulnerabilities;
• Use AutoSecure to enable security on IOS-based routers.
• Some services can make the device vulnerable to attack if security is not enabled;
• The Link Layer Discovery Protocol (LLDP) is an open standard that can be enabled on devices;
o LLDP configuration and verification is similar to CDP (Cisco Discovery Protocol);
• The output of show lldp neighbors detail will reveal a device's address, platform, and operating system details;
o Available software, such as CDP Monitor, can also be used to gain this information.
• Attackers choose services and protocols that make the network more vulnerable to malicious exploitation;
• Additional recommended practices to ensure a device is secure:
o Disable unnecessary services and interfaces;
o Disable and restrict commonly configured management services;
o Disable probes and scans; ensure terminal access security;
o Disable gratuitous and proxy ARP;
o Disable IP-directed broadcasts.
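The recommended practices in the two slides above, expressed as the IOS commands that implement them, as an added example written for this edit and not a list from the slides or from AutoSecure's own output. Interface names are placeholders, and each line is a default to start from rather than a rule: a service the network genuinely uses (for example LLDP towards IP phones) stays enabled.

```cisco
! Added example, not from the slides: the recommended practices as IOS commands.
! Interface names are placeholders; review every line against what the network actually needs.
! Discovery protocols advertise address, platform and OS details to any neighbour
R1(config)# no cdp run
R1(config)# no lldp run
! Commonly configured management and legacy services not needed on a router
R1(config)# no ip http server
R1(config)# no ip http secure-server
R1(config)# no service tcp-small-servers
R1(config)# no service udp-small-servers
R1(config)# no service finger
R1(config)# no service pad
R1(config)# no ip bootp server
! Source-routed packets and gratuitous ARP announcements
R1(config)# no ip source-route
R1(config)# no ip gratuitous-arps
! Per interface: proxy ARP, directed broadcasts, and the ICMP replies that make
! probing and scanning of the network behind the router easier
R1(config)# interface GigabitEthernet0/0
R1(config-if)# no ip proxy-arp
R1(config-if)# no ip directed-broadcast
R1(config-if)# no ip redirects
R1(config-if)# no ip unreachables
R1(config-if)# exit
! Unused interfaces: shut down and labelled
R1(config)# interface GigabitEthernet0/1
R1(config-if)# description UNUSED
R1(config-if)# shutdown
R1(config-if)# exit
! Terminal access security: idle timeout and SSH only on the vty lines
R1(config)# line vty 0 4
R1(config-line)# exec-timeout 10 0
R1(config-line)# transport input ssh
R1(config-line)# end
! Verification: both discovery protocols should report as not enabled
R1# show cdp
R1# show lldp
```

On current IOS releases several of these (the small servers, finger, bootp, source routing, directed broadcast) are already off by default, but stating them explicitly in the configuration documents the intent and survives a later image change that alters the default.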
• Cisco AutoSecure is a feature that executes a script from the CLI;
• It first makes recommendations for fixing security vulnerabilities and then modifies the security configuration of the router;
• It can lock down the management plane functions and the forwarding plane services and functions of a router.

• To start the AutoSecure setup: Router# auto secure
When the auto secure command is initiated, a CLI wizard steps the administrator through the configuration of the device. User input is required:
1. The auto secure command is entered;
2. The wizard gathers information about the outside interfaces;
3. AutoSecure secures the management plane by disabling unnecessary services;
4. AutoSecure prompts for a banner;
5. AutoSecure prompts for passwords and enables password and login features;
6. Interfaces are secured;
7. The forwarding plane is secured.
Upon completion of this section, you should be able to:
• Configure routing protocol authentication;
• Explain the function of Control Plane Policing.
• Spoofing routing information may generally be used to cause systems to misinform (lie to) each other, cause a DoS attack, or cause traffic to follow a path it would not normally follow.
• Consequences of protocol spoofing:
o Redirect traffic to create routing loops;
o Redirect traffic so it can be monitored on an insecure link;
o Redirect traffic to discard it.
• OSPF supports routing protocol authentication using MD5. MD5 authentication can be enabled globally for all interfaces or on a per-interface basis.
• Enable MD5 authentication on a per-interface basis:
o ip ospf message-digest-key key md5 password
o ip ospf authentication message-digest
• MD5 is now considered vulnerable to attacks and should only be used when stronger authentication is not available;
• Cisco IOS release 15.4(1)T added support for OSPF SHA authentication (RFC 5709);
• OSPF SHA authentication includes two major steps:
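The slides give the two MD5 commands but do not spell out the two SHA steps. The added example below shows the legacy MD5 configuration from the previous slide and then replaces it with SHA authentication; the two steps shown (defining a key chain with an HMAC-SHA algorithm, then binding it to the OSPF interface) are this edit's reading of the IOS 15.4(1)T key-chain method, not text from the slides. Interface GigabitEthernet0/1, the key chain name OSPF-KEYS, key number 1 and the key strings are placeholders, and the neighbour router needs the matching configuration.

```cisco
! Added example, not from the slides. Interface, key chain name and key strings are placeholders.
! --- Legacy: MD5 per interface, only where a peer cannot do SHA ---
R1(config)# interface GigabitEthernet0/1
R1(config-if)# ip ospf message-digest-key 1 md5 Md5-K3y-Placeholder
R1(config-if)# ip ospf authentication message-digest
R1(config-if)# exit
! --- Preferred: SHA authentication (IOS 15.4(1)T and later, RFC 5709) via a key chain ---
! Step 1 (assumed): a key chain whose key uses an HMAC-SHA algorithm
R1(config)# key chain OSPF-KEYS
R1(config-keychain)# key 1
R1(config-keychain-key)# key-string Sha-K3y-Placeholder
R1(config-keychain-key)# cryptographic-algorithm hmac-sha-256
R1(config-keychain-key)# exit
R1(config-keychain)# exit
! Step 2 (assumed): bind the key chain to the OSPF interface, removing the MD5 lines first
R1(config)# interface GigabitEthernet0/1
R1(config-if)# no ip ospf authentication message-digest
R1(config-if)# no ip ospf message-digest-key 1
R1(config-if)# ip ospf authentication key-chain OSPF-KEYS
R1(config-if)# end
! Verification: the interface reports its authentication type and key chain;
! a neighbour with a mismatched key never reaches FULL state
R1# show ip ospf interface GigabitEthernet0/1
R1# show ip ospf neighbor
```

A key chain also allows several keys with accept and send lifetimes, so a key can be rotated without tearing down adjacencies, which the single per-interface MD5 key does not offer; during a migration, expect the adjacency on the link to drop until both routers carry the same method and key.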
Chapter Objectives:
• Configure secure administrative access;
• Configure command authorization using privilege levels and role-based CLI;
• Implement the secure management and monitoring of network devices;
• Use automated features to enable security on IOS-based routers;
• Implement control plane security.

Thank you.
