Securing the Router, by Chris Cunningham (CCSI #33650, CCNA & CCNP Routing and Switching / CCNA Security)


1 Securing the Router Chris Cunningham

2 Chris Cunningham
CCSI #33650
CCNA & CCNP Routing and Switching / CCNA Security
MCITP (Server Enterprise Admin & Vista), MCTS (Server 08 & Vista)
A+, Network+, Security+

3 Before Implementing Security Changes
Consult change management documents and processes
Lab it up to be sure it will do what you think it will do
Consult security documentation to verify it fits in with the security policy of the organization
Above all else, when finished... Document!!

4 Planes of Security

5 The Three Planes
Management Plane: how techs connect to the device
Control Plane: how the router decides to forward traffic
Data Plane: the data being forwarded

6 Management Plane

7 Encrypted Communications
SSH Version 2
HTTPS for GUI configuration

8 Secure Login
Use RADIUS or TACACS+
  Router(config)# aaa new-model
  Router(config)# radius server
  Router(config-radius-server)# address ipv acct-port 1813 auth-port 1812 key apple
  Router(config)# aaa authentication login default group radius local
  Router(config)# username admin secret 0 apple
Login lockouts (local accounts)
  Router(config)# aaa local authentication attempts max-fail 3
  Router# clear aaa local user lockout [username | all]
Disable password recovery (disables access to ROMMON by disabling the BREAK sequence)
  Router(config)# no service password-recovery
Access class
Exec-timeout

9 Network Monitoring
Use SNMP Version 3 with an ACL to limit which SNMP servers can connect
  Router(config)# ip access-list extended snmp-server
  Router(config-ext-nacl)# permit ip any
  Router(config)# snmp-server group group1 v3 auth access snmp-server
  Router(config)# snmp-server engineID remote udp-port 120 1a2833c0129a
  Router(config)# snmp-server user user1 group1 v3 auth md5 password123
Or
  Router(config)# snmp-server community server1 RO snmp-server
  Router(config)# snmp-server community server2 RW snmp-server
Use syslog with a separate network (VLAN) for communication
Disable console logging to reduce the CPU load on the device

10 Secure Configurations
Use the Archive feature to allow for rapid recovery when the device is misconfigured
Use Secure Boot-Image to secure the IOS so it can't be deleted
  Router(config)# secure boot-image
Use Secure Boot-Config to secure the startup-config from being removed
  Router(config)# secure boot-config
Verify
  Router# show secure bootset

11 Control Plane

12 Secure Routing Protocols
Use MD5 password hashes
  Router(config)# enable secret apple
  Router(config)# username chris secret 0 apple
Passive interfaces
Also secure FHRP (HSRP, VRRP, GLBP) with authentication
  Router(config)# key chain secure
  Router(config-keychain)# key 1
  Router(config-keychain-key)# key-string apple
  Router(config-keychain-key)# interface fa 0/0
  Router(config-if)# standby 1 authentication md5 key-chain secure

13 Preserve CPU Resources
Access Control List logging

14 Control Plane Policing (CoPP)
Allows you more control over what protocols and data are allowed to enter the router, and thus the control plane

15 Data Plane

16 IP Traffic
Fragmentation
  Router(config)# ip access-list extended Secure
  Router(config-ext-nacl)# deny tcp any any fragments
  Router(config-ext-nacl)# deny udp any any fragments
  Router(config-ext-nacl)# deny icmp any any fragments
  Router(config-ext-nacl)# deny ip any any fragments
IP options
  Router(config-ext-nacl)# deny ip any any option any-options
TTL too short to make it through the network
  Router(config-ext-nacl)# deny ip any any ttl lt 6
* All of this traffic gets process-switched instead of using CEF

17 Prevent Spoofed Packets
Unicast Reverse Path Forwarding (Unicast RPF)
  Router(config-if)# ip verify unicast source reachable-via rx

18 Monitor with NetFlow

19 Wrap-Up

20 Secure All Planes of a Device
Management Plane
Control Plane
Data Plane
Document, Document, Document
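A way to check that the settings from the management, control and data plane slides actually landed on a device is to audit a saved running-config for them. The script below is an added example, not part of the presentation: the regexes encode the IOS CLI lines shown on the slides (plus `ip ssh version 2` and `no logging console`, which the slides describe in words), and the sample config and the ACL name MGMT-HOSTS are constructed for illustration.

```python
"""Audit a saved Cisco IOS running-config against the hardening items from
the talk. Example code; the config excerpt below is constructed."""
import re

# (plane, finding if absent, pattern). Anchored so "no ..." forms and the
# positive setting are told apart; leading \s* covers sub-mode indentation.
REQUIRED = [
    ("management", "AAA not enabled (aaa new-model)", r"^aaa new-model$"),
    ("management", "SSH not pinned to version 2", r"^ip ssh version 2$"),
    ("management", "no local login lockout", r"^aaa local authentication attempts max-fail \d+$"),
    ("management", "password recovery still enabled", r"^no service password-recovery$"),
    ("management", "no SNMPv3 auth/priv group", r"^snmp-server group \S+ v3 (auth|priv)\b"),
    ("management", "console logging still on", r"^no logging console$"),
    ("management", "IOS image not secured", r"^secure boot-image$"),
    ("management", "startup-config not secured", r"^secure boot-config$"),
    ("management", "vty has no access-class", r"^\s*access-class \S+ in$"),
    # "exec-timeout 0 0" disables the idle timeout, so it must not count.
    ("management", "vty has no non-zero exec-timeout", r"^\s*exec-timeout (?!0 0$)\d+ \d+$"),
    ("control", "FHRP group without MD5 key-chain auth", r"^\s*standby \d+ authentication md5 key-chain \S+$"),
    ("data", "no interface runs Unicast RPF", r"^\s*ip verify unicast source reachable-via (rx|any)$"),
]
# Lines that weaken the device even when everything above is present.
FORBIDDEN = [
    ("management", "'enable password' used instead of 'enable secret'", r"^enable password "),
    ("management", "read-write SNMP community configured", r"^snmp-server community \S+ RW\b"),
]

def audit_config(config_text):
    """Return {'missing': [...], 'forbidden': [...]}; both empty means pass."""
    lines = [ln.rstrip() for ln in config_text.splitlines()]
    present = lambda pat: any(re.match(pat, ln) for ln in lines)
    return {
        "missing": [f"[{p}] {f}" for p, f, pat in REQUIRED if not present(pat)],
        "forbidden": [f"[{p}] {f}" for p, f, pat in FORBIDDEN if present(pat)],
    }

# Constructed running-config excerpt: partly hardened, with two weak lines.
SAMPLE_CONFIG = """\
aaa new-model
enable password apple
ip ssh version 2
snmp-server community server2 RW MGMT-HOSTS
secure boot-image
interface FastEthernet0/0
 standby 1 authentication md5 key-chain secure
 ip verify unicast source reachable-via rx
line vty 0 4
 access-class MGMT-HOSTS in
 exec-timeout 0 0
"""

if __name__ == "__main__":
    for kind, findings in audit_config(SAMPLE_CONFIG).items():
        print(kind.upper(), *findings, sep="\n  ")
```

Run against `show running-config` output saved to a file; the sample reports six missing items (lockout, password recovery, SNMPv3, console logging, boot-config, exec-timeout) and two forbidden lines.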

21 Questions??

