Presentation is loading. Please wait.

Presentation is loading. Please wait.

CCNA Security v2.0 Chapter 2: Securing Network Devices.

Published byMatias Cardenas Modified over 4 years ago

Similar presentations

Presentation on theme: "CCNA Security v2.0 Chapter 2: Securing Network Devices."— Presentation transcript:

1 CCNA Security v2.0 Chapter 2: Securing Network Devices

2 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 2 2.0 Introduction 2.1 Securing Device Access 2.2 Assigning Administrative Roles 2.3 Monitoring and Managing Devices 2.4 Using Automated Security Features 2.5 Securing the Control Plane 2.6 Summary

3 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 3 Upon completion of this section, you should be able to: Explain how to secure a network perimeter. Configure secure administrative access to Cisco routers. Configure enhanced security for virtual logins. Configure an SSH daemon for secure remote management.

4 Cisco Public © 2013 Cisco and/or its affiliates. All rights reserved. 4

5 Cisco Public 5

6 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 6 Single Router Approach Defense in Depth Approach DMZ Approach

7 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 7

8 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 8 Tasks: Restrict device accessibility Log and account for all access Authenticate access Authorize actions Present legal notification Ensure the confidentiality of data

9 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 9 Local AccessRemote Access Using Telnet Remote Access Using Modem and Aux Port

10 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 10 Dedicated Management Network

11 Cisco Public © 2013 Cisco and/or its affiliates. All rights reserved. 11

12 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 12 Guidelines: Use a password length of 10 or more characters. Include a mix of uppercase and lowercase letters, numbers, symbols, and spaces. Avoid passwords based on easily identifiable pieces of information. Deliberately misspell a password (Smith = Smyth = 5mYth). Change passwords often. Do not write passwords down and leave them in obvious places. Weak PasswordWhy it is WeakStrong PasswordWhy it is Strong secretSimple dictionary passwordb67n42d39cCombines alphanumeric characters smithMother’s maiden name12^h u4@1p7Combines alphanumeric characters, symbols, and includes a space toyotaMake of car bob1967Name and birthday of user Blueleaf23Simple words and numbers

13 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 13

14 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 14 Guidelines: Configure all secret passwords using type 8 or type 9 passwords Use the enable algorithm-type command syntax to enter an unencrypted password Use the username name algorithm-type command to specify type 9 encryption

15 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 15

16 Cisco Public © 2013 Cisco and/or its affiliates. All rights reserved. 16

17 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 17 Virtual login security enhancements: Implement delays between successive login attempts Enable login shutdown if DoS attacks are suspected Generate system-logging messages for login detection

18 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 18

19 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 19 Command Syntax: login block-for Example: login quiet-mode access-class Example: login delay

20 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 20 Generate Login Syslog Messages Example: show login failures

21 Cisco Public © 2013 Cisco and/or its affiliates. All rights reserved. 21

22 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 22 Example SSH Configuration Example Verification of SSH

23 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 23

24 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 24 Two ways to connect: Enable SSH and use a Cisco router as an SSH server or SSH client. As a server, the router can accept SSH client connections As a client, the router can connect via SSH to another SSH-enabled router Use an SSH client running on a host, such as PuTTY, OpenSSH, or TeraTerm.

25 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 25 Upon completion of this section, you should be able to: Configure administrative privilege levels to control command availability. Configure role-based CLI access to control command availability.

26 Cisco Public © 2013 Cisco and/or its affiliates. All rights reserved. 26

27 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 27 Levels of access commands: User EXEC mode (privilege level 1) Lowest EXEC mode user privileges Only user-level command available at the router> prompt Privileged EXEC mode (privilege level 15) All enable-level commands at the router# prompt Privilege levels: Level 0: Predefined for user-level access privileges. Level 1: Default level for login with the router prompt. Level 2-14: May be customized for user-level privileges. Level 15: Reserved for the enable mode privileges. Privilege Level Syntax

28 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 28

29 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 29 No access control to specific interfaces, ports, logical interfaces, and slots on a router Commands available at lower privilege levels are always executable at higher privilege levels Commands specifically set at higher privilege levels are not available for lower privilege users Assigning a command with multiple keywords allows access to all commands that use those

30 Cisco Public © 2013 Cisco and/or its affiliates. All rights reserved. 30

31 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 31 For example: Security operator privileges Configure AAA Issue show commands Configure firewall Configure IDS/IPS Configure NetFlow WAN engineer privileges Configure routing Configure interfaces Issue show commands

32 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 32

33 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 33 Step 1 Step 2 Step 3 Step 4

34 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 34 Step 1 Step 2 Step 3

35 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 35 Enable Root View and Verify All Views

36 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 36 Upon completion of this section, you should be able to: Use the Cisco IOS resilient configuration feature to secure the Cisco IOS image and configuration files. Compare in-band and out-of band management access. Configure syslog to log system events. Configure secure SNMPv3 access using ACL Configure NTP to enable accurate timestamping between all devices.

37 Cisco Public © 2013 Cisco and/or its affiliates. All rights reserved. 37

38 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 38

39 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 39

40 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 40

41 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 41 Configure the router for server-side SCP with local AAA: 1. Configure SSH 2. Configure at least one user with privilege level 15 3. Enable AAA 4. Specify that the local database is to be used for authentication 5. Configure command authorization 6. Enable SCP server-side functionality

42 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 42 1. Connect to the console port. 2. Record the configuration register setting. 3. Power cycle the router. 4. Issue the break sequence. 5. Change the default configuration register with the confreg 0x2142 command. 6. Reboot the router. 7. Press Ctrl-C to skip the initial setup procedure. 8. Put the router into privileged EXEC mode. 9. Copy the startup configuration to the running configuration. 10. Verify the configuration. 11. Change the enable secret password. 12. Enable all interfaces. 13. Change the config-register with the config-register configuration_register_setting. 14. Save the configuration changes.

43 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 43 Password Recovery Functionality is Disabled No Service Password Recovery Disable Password Recovery

44 Cisco Public © 2013 Cisco and/or its affiliates. All rights reserved. 44

45 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 45 In-Band Management: Apply only to devices that need to be managed or monitored Use IPsec, SSH, or SSL when possible Decide whether the management channel need to be open at all time Out-of-Band (OOB) Management: Provide highest level of security Mitigate the risk of passing management protocols over the production network

46 Cisco Public © 2013 Cisco and/or its affiliates. All rights reserved. 46

47 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 47

48 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 48

49 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 49 Security Levels Example Severity Levels

50 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 50

51 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 51

52 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 52 Step 1 Step 2 (optional) Step 3 Step 4

53 Cisco Public © 2013 Cisco and/or its affiliates. All rights reserved. 53

54 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 54

55 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 55 Cisco MIB Hierarchy

56 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 56

57 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 57

58 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 58 Message integrity & authentication Encryption Access control Transmissions from manager to agent may be authenticated to guarantee the identity of the sender and the integrity and timeliness of a message. SNMPv3 messages may be encrypted to ensure privacy. Agent may enforce access control to restrict each principal to certain actions on specific portions of data.

59 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 59

60 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 60

61 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 61

62 Cisco Public © 2013 Cisco and/or its affiliates. All rights reserved. 62

63 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 63

64 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 64 Sample NTP Topology Sample NTP Configuration on R1 Sample NTP Configuration on R2

65 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 65

66 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 66 Upon completion of this section, you should be able to: Use security audit tools to determine IOS-based router vulnerabilities. Use AutoSecure to enable security on IOS-based routers.

67 Cisco Public © 2013 Cisco and/or its affiliates. All rights reserved. 67

68 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 68

69 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 69 There is a detailed list of security settings for protocols and services provided in Figure 2 of this page in the course. Additional recommended practices to ensure a device is secure: Disable unnecessary services and interfaces. Disable and restrict commonly configured management services. Disable probes and scans. Ensure terminal access security. Disable gratuitous and proxy ARPs Disable IP-directed broadcasts.

70 Cisco Public © 2013 Cisco and/or its affiliates. All rights reserved. 70

71 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 71

72 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 72

73 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 73 1. The auto secure command is entered 2. Wizard gathers information about the outside interfaces 3. AutoSecure secures the management plane by disabling unnecessary services 4. AutoSecure prompts for a banner 5. AutoSecure prompts for passwords and enables password and login features 6. Interfaces are secured 7. Forwarding plane is secured

74 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 74 Upon completion of this section, you should be able to: Configure a routing protocol authentication. Explain the function of Control Plane Policing.

75 Cisco Public © 2013 Cisco and/or its affiliates. All rights reserved. 75

76 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 76 Consequences of protocol spoofing: Redirect traffic to create routing loops. Redirect traffic so it can be monitored on an insecure link. Redirect traffic to discard it.

77 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 77

78 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 78

79 Cisco Public © 2013 Cisco and/or its affiliates. All rights reserved. 79

80 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 80

81 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 81

82 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 82

83 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 83 Chapter Objectives: Configure secure administrative access. Configure command authorization using privilege levels and role-based CLI. Implement the secure management and monitoring of network devices. Use automated features to enable security on IOS-based routers. Implement control plane security.

84 Thank you.

85 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 85 Remember, there are helpful tutorials and user guides available via your NetSpace home page. (https://www.netacad.com) These resources cover a variety of topics including navigation, assessments, and assignments. A screenshot has been provided here highlighting the tutorials related to activating exams, managing assessments, and creating quizzes. 1 2

Download ppt "CCNA Security v2.0 Chapter 2: Securing Network Devices."

Similar presentations

Cisco Device Hardening Disabling Unused Cisco Router Network Services and Interfaces.

Cisco Device Hardening Disabling Unused Cisco Router Network Services and Interfaces.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.
Securing the Router Chris Cunningham.

Securing the Router Chris Cunningham.
1 Passwords and Banners Cisco Devices Packet Tracer.

1 Passwords and Banners Cisco Devices Packet Tracer.
CCNA2-1 Chapter 1 Introduction to Routing and Packet Forwarding CLI Configuration and Addressing.

CCNA2-1 Chapter 1 Introduction to Routing and Packet Forwarding CLI Configuration and Addressing.
CCNA Guide to Cisco Networking Fundamentals Fourth Edition

CCNA Guide to Cisco Networking Fundamentals Fourth Edition
CCNA 2 v3.1 Module 2.

CCNA 2 v3.1 Module 2.
Cisco Confidential 1 © 2011 Cisco and/or its affiliates. All rights reserved.

Cisco Confidential 1 © 2011 Cisco and/or its affiliates. All rights reserved.
Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.

Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.
© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 2 – Securing Network Devices.

© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 2 – Securing Network Devices.
Privilege Levels Cisco IOS provides for 16 different privilege levels ranging from 0 to 15. Cisco IOS comes with 2 predefined user levels. User mode.

Privilege Levels Cisco IOS provides for 16 different privilege levels ranging from 0 to 15. Cisco IOS comes with 2 predefined user levels. User mode.
© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 10 – Implementing the Cisco Adaptive Security.

© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 10 – Implementing the Cisco Adaptive Security.
1 Semester 2 Module 3 Configuring a Router Yuda college of business James Chen

1 Semester 2 Module 3 Configuring a Router Yuda college of business James Chen
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
Chapter 6 Router Configuration Sem 2V2. Configuration files can come from the console NVRAM TFTP server. The router has several modes:  privileged mode.

Chapter 6 Router Configuration Sem 2V2. Configuration files can come from the console NVRAM TFTP server. The router has several modes:  privileged mode.
Configuring a network os

Configuring a network os
© Wiley Inc. 2006. All Rights Reserved. CHAPTER 4: Introduction to the Cisco IOS CCNA: Cisco Certified Network Associate Study Guide.

© Wiley Inc All Rights Reserved. CHAPTER 4: Introduction to the Cisco IOS CCNA: Cisco Certified Network Associate Study Guide.
Chapter 2: Securing Network Devices

Chapter 2: Securing Network Devices
Instructor & Todd Lammle

Instructor & Todd Lammle
Chapter 11: Managing a Secure Network

Chapter 11: Managing a Secure Network

Similar presentations

Ads by Google