1 Securing the Router
Chris Cunningham

2 Chris Cunningham
CCSI #33650
CCNA & CCNP Routing and Switching / CCNA Security
MCITP (Server Enterprise Admin & Vista), MCTS (Server 08 & Vista)
A+, Network+, Security+

3 Before Implementing Security Changes
- Consult change management documents and processes
- Lab it up to be sure it will do what you think it will do
- Consult security documentation to verify the change fits the security policy of the organization
- Above all else, when finished... Document!!

5 Management Plane, Control Plane, Data Plane
- Management Plane: how technicians connect to and administer the device
- Control Plane: how the router decides where to forward traffic (routing protocols, FHRPs, ARP, and other traffic destined to the router itself)
- Data Plane: the transit traffic being forwarded through the device

6 Management Plane

7 Encrypted Communications
- SSH version 2 for CLI access (no Telnet)
- HTTPS for GUI configuration (no plain HTTP)

8 Secure Login
- Use RADIUS or TACACS+ for authentication, keeping a local account as a fallback for when the AAA server is unreachable
Router(config)# aaa new-model
Router(config)# radius server <name>
Router(config-radius-server)# address ipv4 <radius-server-ip> auth-port 1812 acct-port 1813
Router(config-radius-server)# key apple
Router(config)# aaa authentication login default group radius local
Router(config)# username admin secret 0 apple
- Login lockouts (local accounts)
Router(config)# aaa local authentication attempts max-fail 3
Router# clear aaa local user lockout {username <name> | all}
- Disable password recovery (blocks the BREAK sequence, so ROMMON cannot be used to bypass the startup-config; if the enable secret is lost, the only way back in is to erase the configuration)
Router(config)# no service password-recovery
- Apply an access-class to the vty lines so only management hosts can connect
- Set an exec-timeout so idle sessions are closed
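The management-plane items from the "Encrypted Communications" and "Secure Login" slides, combined into one working IOS configuration. This is an added example, not a configuration from the deck; the host name, domain name, the management subnet 10.0.100.0/24, the RADIUS server 10.0.100.10 and the keys are assumed values.

```cisco
! Added example (not from the deck). Names, addresses and keys are assumed.
hostname edge-rtr
ip domain-name example.net
! SSH needs an RSA key pair; 2048 bits so modern clients do not reject it
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
! GUI only over HTTPS; the cleartext HTTP server is turned off
no ip http server
ip http secure-server
ip http authentication aaa
!
! AAA: RADIUS first, local database second so an unreachable
! RADIUS server cannot lock administrators out
aaa new-model
radius server RAD1
 address ipv4 10.0.100.10 auth-port 1812 acct-port 1813
 key apple
aaa authentication login default group radius local
! Local fallback account; 'secret' stores a hash, not the cleartext
username admin secret 0 apple
! Lock a local account after three consecutive failures
aaa local authentication attempts max-fail 3
!
! Only the management subnet may open a vty session, and only over SSH
ip access-list standard MGMT-HOSTS
 permit 10.0.100.0 0.0.0.255
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
line con 0
 exec-timeout 10 0
!
! Applied last, once the AAA setup has been proven to work
no service password-recovery
```

Check the result with `show ip ssh`, `show aaa local user lockout` and, before closing the session you configured from, open a second SSH session from a management host and confirm RADIUS and the local fallback both let you in. A locked local user is released with `clear aaa local user lockout username admin`. Apply `no service password-recovery` only after that test: with it set, a forgotten enable secret can only be recovered by erasing the startup configuration.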

9 Network Monitoring
- Use SNMP version 3 with an ACL to limit which SNMP servers can connect
Router(config)# ip access-list extended snmp-server
Router(config-ext-nacl)# permit ip host <snmp-server-ip> any
Router(config)# snmp-server group group1 v3 auth access snmp-server
Router(config)# snmp-server engineID remote <remote-host-ip> udp-port 120 1a2833c0129a
Router(config)# snmp-server user user1 group1 v3 auth md5 password123
or, if SNMP v1/v2c community strings must be kept, restrict them with the same ACL:
Router(config)# snmp-server community server1 RO snmp-server
Router(config)# snmp-server community server2 RW snmp-server
- Use syslog, with a separate network (VLAN) for logging traffic
- Disable console logging to reduce the CPU load on the device
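The monitoring slide shown as a complete configuration, as an added example that is not from the deck. It goes one step further than the slide by using the v3 "priv" security level (authentication and encryption) with SHA and AES-128 instead of auth-only MD5, and it limits the group to a read-only view. The NMS address 10.0.100.20, the syslog collector 10.0.100.30, the management interface Vlan100, the names and the passwords are assumed values.

```cisco
! Added example (not from the deck). Addresses, names and passwords are assumed.
! Only the NMS may talk SNMP to the router; the community and group
! commands take a standard ACL
ip access-list standard SNMP-NMS
 permit host 10.0.100.20
! A view the NMS may read; narrow it to the subtrees actually polled
snmp-server view RO-VIEW iso included
! v3 group: 'priv' means both authentication and encryption are required
snmp-server group NMS-GROUP v3 priv read RO-VIEW access SNMP-NMS
! v3 user: SHA for authentication and AES-128 for privacy
snmp-server user nmsuser NMS-GROUP v3 auth sha AuthPass-2024 priv aes 128 PrivPass-2024
! Notifications go to the same host, as the v3 user, at the priv level
snmp-server enable traps snmp linkdown linkup coldstart
snmp-server host 10.0.100.20 version 3 priv nmsuser
! If a legacy v2c community is unavoidable: read-only, same ACL, no RW community
snmp-server community r34dOnly RO SNMP-NMS
!
! Syslog: no console logging (CPU), a local buffer for forensics,
! and export to the collector via the management VLAN interface
no logging console
logging buffered 64000 informational
logging host 10.0.100.30
logging source-interface Vlan100
logging trap informational
service timestamps log datetime msec localtime show-timezone
```

Verify with `show snmp user`, `show snmp group` and `show logging`, then poll from the NMS and from a host outside the ACL to confirm the second is refused. One caveat with v3: the user's keys are derived from the router's engine ID, so if you change the engine ID (including the local one) after creating users, the users must be removed and re-created.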

10 Secure Configurations
- Use the archive feature to allow rapid recovery when the device is misconfigured
- Use secure boot-image to protect the IOS image so it cannot be deleted
Router(config)# secure boot-image
- Use secure boot-config to protect the startup-config from being removed
Router(config)# secure boot-config
- Verify
Router# show secure bootset
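The archive feature and IOS Resilient Configuration from the slide, as an added example that is not from the deck. The flash path, the number of copies kept and the snapshot interval are assumed values.

```cisco
! Added example (not from the deck). Path and timers are assumed.
! The target directory must exist first: from EXEC, 'mkdir flash:archive'
archive
 ! Timestamped copies of the running-config, named edge-rtr-1, edge-rtr-2, ...
 path flash:archive/edge-rtr
 ! Keep the 14 most recent copies
 maximum 14
 ! Snapshot on every 'write memory' and, regardless, every 24 hours
 write-memory
 time-period 1440
 ! Record every configuration command with the user who entered it
 log config
  logging enable
  hidekeys
!
! Resilient configuration: the running image and a copy of the
! running-config are stored so they cannot be deleted from EXEC
secure boot-image
secure boot-config
```

Check that both took effect with `show secure bootset` (not every platform supports the feature, and the secured files do not appear in `dir` output). `show archive` lists the snapshots; a misconfiguration is undone with `configure replace flash:archive/edge-rtr-3 list` (it shows each command as it is reverted), and `show archive config differences` compares a snapshot with the running-config before you commit. Removing the protection with `no secure boot-image` or `no secure boot-config` is only accepted from a console session, which is the point of the feature.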

11 Control Plane

12 Secure Routing Protocols
- Use MD5 hashes rather than plaintext passwords
Router(config)# enable secret apple
Router(config)# username chris secret 0 apple
- Use passive interfaces so routing updates are not sent on segments where no neighbor is expected
- Also secure FHRPs (HSRP, VRRP, GLBP) with authentication
Router(config)# key chain secure
Router(config-keychain)# key 1
Router(config-keychain-key)# key-string apple
Router(config)# interface FastEthernet0/0
Router(config-if)# standby 1 authentication md5 key-chain secure
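The routing-protocol slide carried through as a working configuration, as an added example that is not from the deck: OSPF with MD5 neighbor authentication and passive interfaces, plus HSRP authenticated with a key chain as on the slide. The interfaces, router ID, prefixes and key strings are assumed values.

```cisco
! Added example (not from the deck). Interfaces, addresses and keys are assumed.
! Key chain used by HSRP; rotate by adding key 2 with overlapping
! accept-lifetime / send-lifetime windows instead of changing key 1 in place
key chain ROUTING-KEYS
 key 1
  key-string hsrp-k3y-2024
!
! OSPF: every interface is passive unless explicitly enabled, and the
! area requires MD5 on all adjacencies
router ospf 1
 router-id 10.255.0.1
 area 0 authentication message-digest
 passive-interface default
 no passive-interface GigabitEthernet0/1
 network 10.0.0.0 0.255.255.255 area 0
!
! The only link where a neighbor is expected carries the MD5 key
interface GigabitEthernet0/1
 description to-core
 ip address 10.0.0.1 255.255.255.252
 ip ospf message-digest-key 1 md5 0spf-k3y-2024
!
! User LAN: no OSPF hellos (passive), HSRP with MD5 authentication
interface GigabitEthernet0/0
 description user-lan
 ip address 10.1.1.2 255.255.255.0
 standby 1 ip 10.1.1.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 authentication md5 key-chain ROUTING-KEYS
```

Roll authentication out on both ends of a link in the same change window: the adjacency drops until the keys match on both sides, so `show ip ospf neighbor` and `show standby` are the checks to run immediately afterwards. `passive-interface default` silences every interface, so any link that genuinely has a neighbor needs its own `no passive-interface` line or the adjacency never forms.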

13 Preserve CPU Resources
- Limit Access Control List logging: packets matching an ACL entry with the log keyword are punted to the CPU to generate the message, so log sparingly and rate-limit the messages

14 Control Plane Policing (CoPP)
CoPP gives you finer control over which protocols, from which sources, and at what rate traffic is allowed to reach the route processor (the control plane), so floods and unexpected protocols cannot starve routing and management of CPU.

15 Data Plane

16 IP Traffic Fragmentation
Router(config)# ip access-list extended Secure
Router(config-ext-nacl)# deny tcp any any fragments
Router(config-ext-nacl)# deny udp any any fragments
Router(config-ext-nacl)# deny icmp any any fragments
Router(config-ext-nacl)# deny ip any any fragments
IP options
Router(config-ext-nacl)# deny ip any any option any-options
TTL too short to make it through the network
Router(config-ext-nacl)# deny ip any any ttl lt 6
Router(config-ext-nacl)# permit ip any any (remember the implicit deny at the end of every ACL)
* All of this traffic gets process switched instead of using CEF, so dropping it at the edge also protects the CPU

17 Prevent Spoofed Packets
- Unicast Reverse Path Forwarding (Unicast RPF) drops packets whose source address is not reachable back through the interface they arrived on; it requires CEF
Router(config-if)# ip verify unicast source reachable-via rx
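The two data-plane slides ("IP Traffic Fragmentation" and "Prevent Spoofed Packets") applied to an Internet-facing router, as an added example that is not from the deck. It extends the slide's ACL with a permit line and an entry that drops packets arriving from outside with our own prefix as source, and shows strict uRPF on a single-homed uplink beside loose uRPF on a second, possibly asymmetric, uplink. The interfaces, the prefixes 203.0.113.0/24 and 198.51.100.0/30 and /30 neighbors are assumed values.

```cisco
! Added example (not from the deck). Interfaces and addresses are assumed.
! uRPF needs CEF
ip cef
!
ip access-list extended EDGE-IN
 remark non-initial fragments: no L4 header to match, used to evade filters
 deny tcp any any fragments
 deny udp any any fragments
 deny icmp any any fragments
 deny ip any any fragments
 remark IP options are process switched and almost never legitimate
 deny ip any any option any-options
 remark TTL too low to reach anything behind us
 deny ip any any ttl lt 6
 remark our own prefix as a source from the outside is spoofed
 deny ip 203.0.113.0 0.0.0.255 any
 permit ip any any
!
interface GigabitEthernet0/2
 description ISP-A uplink (traffic symmetric)
 ip address 198.51.100.2 255.255.255.252
 ip access-group EDGE-IN in
 ! strict mode: the source must be reachable via this interface
 ip verify unicast source reachable-via rx
!
interface GigabitEthernet0/3
 description ISP-B uplink (return traffic may use ISP-A)
 ip address 198.51.100.6 255.255.255.252
 ip access-group EDGE-IN in
 ! loose mode: the source only has to exist in the routing table
 ip verify unicast source reachable-via any
```

`show ip access-lists EDGE-IN` shows per-entry hit counts, and the uRPF drop counter is in `show ip traffic` (the "unicast RPF" line). Two caveats: strict mode on a multihomed router drops legitimate return traffic whenever the paths are asymmetric, which is what loose mode is for (add `allow-default` to either mode if the only route back is a default route); and the blanket fragment drops also discard legitimate fragmented traffic such as large DNS responses or IKE with certificates, so watch those counters before calling the change done.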

18 Monitor with NetFlow
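The slide has no body, so here is an added example that is not from the deck: traditional NetFlow exported in version 9 format to a collector, so data-plane traffic through the edge interface can be baselined and scans, floods and unexpected talkers spotted. The collector 10.0.100.40, its UDP port 2055 and the interface are assumed values.

```cisco
! Added example (not from the deck). Collector, port and interface are assumed.
ip flow-export version 9
ip flow-export destination 10.0.100.40 2055
! Export from the loopback so the collector sees one stable source per router
ip flow-export source Loopback0
! Expire long-lived flows every minute so the collector sees them while active
ip flow-cache timeout active 1
!
interface GigabitEthernet0/2
 description Internet uplink
 ip flow ingress
 ip flow egress
```

`show ip cache flow` shows the live flow table (and is a quick way to see who is scanning you even without a collector); `show ip flow export` confirms the export destination and counts exported datagrams and errors. Accounting both ingress and egress on the same interface doubles the record volume, so on busy links pick one direction per interface.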

19 Wrap-Up

20 Secure All Planes of a Device
- Management Plane
- Control Plane
- Data Plane
- Document, Document, Document

21 Questions??

