Cisco Device Hardening Disabling Unused Cisco Router Network Services and Interfaces.


Cisco Device Hardening Disabling Unused Cisco Router Network Services and Interfaces

Vulnerable Router Services and Interfaces

Cisco IOS routers can be used as:
– Edge devices
– Firewalls
– Internal routers

Services that may be running on the router and exposed to attack include CDP, FTP, TFTP, NTP, SNMP, TCP/UDP.

Router Hardening Considerations.

Locking Down Routers with AutoSecure

What is AutoSecure?

AutoSecure is a Cisco IOS feature that hardens a router in one step:
– Disables non-essential global services
– Enables security-related global services
– Disables unneeded services on the router interfaces
– Enables security logging

AutoSecure Operation Modes

AutoSecure can be run in two modes:
– Interactive mode: the router prompts the administrator for a decision on each service and option.
– Noninteractive mode: AutoSecure applies the recommended default settings without prompting.

AutoSecure Functions

AutoSecure can selectively lock down:

Management services and functions:
– Finger, PAD, UDP and TCP small servers, password encryption, TCP keepalives, CDP, BOOTP, HTTP, source routing, gratuitous ARP, proxy ARP, ICMP (redirects, mask replies), directed broadcast, MOP, banner
– Also provides password security and SSH access

Forwarding services and functions:
– CEF, traffic filtering with ACLs

Firewall services and functions:
– Cisco IOS Firewall inspection for common protocols

Login functions:
– Password security

NTP protocol

SSH access

TCP Intercept services

AutoSecure Process Overview

Start and Interface Selection

Router#auto secure
--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of the router but it will not make router absolutely secure from all security attacks ***
All the configuration done as part of AutoSecure will be shown here. For more details of why and how this configuration is useful, and any possible side effects, please refer to Cisco documentation of AutoSecure.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.
Gathering information about the router for AutoSecure
Is this router connected to internet? [no]: y
Enter the number of interfaces facing internet [1]: 1
Interface IP-Address OK? Method Status Protocol
Ethernet0/ YES NVRAM up up
Ethernet0/ YES NVRAM up up
Enter the interface name that is facing internet: Ethernet0/1

Securing Management Plane Services

Securing Management plane services..
Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol
Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp

Creating Security Banner

Here is a sample Security Banner to be shown at every access to device. Modify it to suit your enterprise requirements.
Authorised Access only
This system is the property of So-&-So-Enterprise.
UNAUTHORISED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this device. All activities performed on this device are logged and violations of this policy result in disciplinary action.
Enter the security banner {Put the banner between k and k, where k is any character}:
%This system is the property of Cisco Systems, Inc. UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.%

Passwords and AAA

Enable secret is either not configured or is same as enable password
Enter the new enable secret: Curium96
Configuration of local user database
Enter the username: student1
Enter the password: student1
Configuring aaa local authentication
Configuring console, Aux and vty lines for local authentication, exec-timeout, transport
Securing device against Login Attacks
Configure the following parameters
Blocking Period when Login Attack detected: 300
Maximum Login failures with the device: 3
Maximum time period for crossing the failed login attempts: 60

SSH and Interface-Specific Services

Configure SSH server? [yes]: y
Enter the hostname: R2
Enter the domain-name: cisco.com
Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
Disabling mop on Ethernet interfaces

Forwarding Plane, Verification and Deployment

Securing Forwarding plane services..
Enabling CEF (This might impact the memory requirements for your platform)
Enabling unicast rpf on all interfaces connected to internet
Configure CBAC Firewall feature? [yes/no]: yes
This is the configuration generated:
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
.
Apply this configuration to running-config? [yes]: y

Locking Down Routers with the SDM

Security Device Manager

SDM automated hardening features:
– Security Audit
– One-Step Lockdown

SDM Security Audit Overview

The SDM Security Audit examines the router configuration against recommended settings and can:
– Shut down unneeded servers.
– Disable unneeded services.
– Apply the firewall to the outside interfaces.
– Disable or harden SNMP.
– Shut down unused interfaces.
– Check password strength.
– Enforce the use of ACLs.
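Both AutoSecure (the management-plane and interface-specific services above) and the SDM Security Audit boil down to checking a running-config for a fixed list of "no service ..." and "no ip ..." lines. The script below is an added example, not code from the presentation, from Cisco AutoSecure or from SDM: it audits a saved `show running-config` text for the global and per-interface commands the slides name, plus the `login block-for` line that AutoSecure generates from the login-attack parameters. The sample configuration is constructed for illustration; the hostname R2 is taken from the slides, the addresses are documentation ranges.

```python
"""Hardening check for a Cisco IOS running-config, modelled on the service list
that AutoSecure and the SDM Security Audit work through. Added example, not
code from the presentation or from Cisco; the sample configuration is
constructed and the check tables are limited to commands named on the slides."""
import re

# Global commands whose presence shows the service is disabled (or the
# protective service enabled). IOS hides many defaults in `show running-config`,
# so only the explicit line is taken as evidence of hardening.
GLOBAL_EXPECTED = {
    "no service finger": "finger service enabled",
    "no service pad": "PAD service enabled",
    "no service udp-small-servers": "UDP small servers enabled",
    "no service tcp-small-servers": "TCP small servers enabled",
    "service password-encryption": "password encryption not enabled",
    "service tcp-keepalives-in": "inbound TCP keepalives not enabled",
    "service tcp-keepalives-out": "outbound TCP keepalives not enabled",
    "no cdp run": "CDP running",
    "no ip bootp server": "BOOTP server enabled",
    "no ip http server": "HTTP server enabled",
    "no ip source-route": "IP source routing allowed",
    "no ip gratuitous-arps": "gratuitous ARP enabled",
}

# Per-interface commands AutoSecure applies to every active interface.
INTERFACE_EXPECTED = {
    "no ip redirects": "ICMP redirects enabled",
    "no ip proxy-arp": "proxy ARP enabled",
    "no ip unreachables": "ICMP unreachables enabled",
    "no ip directed-broadcast": "directed broadcasts forwarded",
    "no ip mask-reply": "ICMP mask replies enabled",
}
ETHERNET_PREFIXES = ("Ethernet", "FastEthernet", "GigabitEthernet")

# Login-attack protection: block period, failure count, time window.
LOGIN_BLOCK_RE = re.compile(r"^login block-for (\d+) attempts (\d+) within (\d+)$")


def global_lines(config_text):
    """Top-level (unindented) config lines, minus separators and interface headers."""
    return {
        line.strip()
        for line in config_text.splitlines()
        if line and not line.startswith((" ", "interface ")) and line != "!"
    }


def parse_interfaces(config_text):
    """Map each 'interface X' stanza to its list of indented sub-commands."""
    interfaces, current = {}, None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or another top-level command ends the stanza
    return interfaces


def audit(config_text):
    """Return a list of findings; an empty list means every checked item is hardened."""
    findings = []
    present = global_lines(config_text)
    for cmd, problem in GLOBAL_EXPECTED.items():
        if cmd not in present:
            findings.append(f"global: {problem} (expected '{cmd}')")
    if not any(LOGIN_BLOCK_RE.match(line) for line in present):
        findings.append("global: no 'login block-for' protection against login attacks")
    for name, cmds in parse_interfaces(config_text).items():
        cmdset = set(cmds)
        if "shutdown" in cmdset:
            continue  # an unused interface that is shut down is already the desired state
        for cmd, problem in INTERFACE_EXPECTED.items():
            if cmd not in cmdset:
                findings.append(f"{name}: {problem} (expected '{cmd}')")
        if name.startswith(ETHERNET_PREFIXES) and "no mop enabled" not in cmdset:
            findings.append(f"{name}: MOP enabled (expected 'no mop enabled')")
    return findings


# Constructed sample: globals hardened except CDP; Ethernet0/0 fully hardened;
# Ethernet0/1 only partly hardened; Serial0/0 unused and shut down.
SAMPLE_CONFIG = """\
hostname R2
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no ip bootp server
no ip http server
no ip source-route
no ip gratuitous-arps
login block-for 300 attempts 3 within 60
!
interface Ethernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
!
interface Ethernet0/1
 ip address 198.51.100.1 255.255.255.0
 no ip redirects
!
interface Serial0/0
 shutdown
!
end
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the script reports the missing `no cdp run` and the five interface services still enabled on Ethernet0/1, and stays silent on Serial0/0 because a shut-down unused interface is exactly what the SDM audit asks for. Because IOS omits default settings from the running-config, the script treats the absence of an explicit hardening line as a finding rather than trying to infer the default for a given IOS release.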

SDM Security Audit: Main Window

SDM Security Audit Wizard

SDM Security Audit Interface Configuration

SDM Security Audit

SDM Security Audit: Fix the Security Problems

SDM Security Audit: Summary

SDM One-Step Lockdown: Main Window

SDM One-Step Lockdown Wizard