Presentation is loading. Please wait.

Presentation is loading. Please wait.

User Access to Router Securing Access.

Published byCory Banks Modified over 8 years ago

Similar presentations

Presentation on theme: "User Access to Router Securing Access."— Presentation transcript:

1 User Access to Router Securing Access

2 Example Scenario Set up authentication for the console, auxiliary, and VTY lines to use the local authentication database (login local) Two administrative machines: and For the VTY lines, restrict Telnet (and SSH) access to only the two administrative PCs. Disable specific services: HTTP, HTTPS, and SNMP For both the auxiliary and VTY lines, limit their idle timeout to 5 minutes Allow SSH access, which gives the two administrators encrypted access to the Skunk router Set up an ACL that allows SSH (TCP 22) but denies Telnet (TCP 23) to the router

3 Privilege levels in Cisco routers
Cisco IOS offers 16 privilege levels User Exec mode: Level 1 Privilege EXEC mode: Level 15 additional levels of access to commands, called privilege levels can be configured to protect the system from unauthorized access Configures the specified privilege level to allow access to the specified command or, if the all keyword is used, to all commands that start with the specified string Router(config)#privilege exec all level 5 show ip Sets the password for the specified privilege level. This is the password users will enter after entering the enable level command to access the specified level. Router(config)#enable secret password level 6 0 letmein 0 indicates an unencrypted password string follows, 5 indicates an encrypted password string follows do copy running-config startup-config Router> enable 15 Password:

4 Local Access: Console and Auxiliary
To assign a static password to the console line, use the following configuration: Router(config)# line console 0  Router(config-line)# password password Solution encrypting the clear-text password, and use a secure form of copying of your configuration to an external server without having to use TFTP, which lacks any authentication and encryption method Problem: The password that you enter in the password command is a clear-text password Access to clear text password if someone is looking over your shoulder or if you back up your configuration to a TFTP server with the copy running-config tftp command

5 To allow access through the auxiliary or VTY lines
Cisco uses VTY lines to handle incoming and outgoing Telnet connections. VTYs are basically logical lines: The Cisco IOS treats them as a physical line from a configuration and operation perspective, but they are not something that you physically can touch with your hands Example: Router(config)# line vty 0 4  Router(config-line)# password cisco  Router(config-line)# login Router(config)# line vty 0 4  Router(config-line)# [no] login [local] Login The login command, by itself, specifies the use of authentication it checks for a password configured with the password line-configuration command no login To disable authentication checking (never is recommended for any type of connection, whether local or remote access) login local you can override the use of the password configured on the line and use other methods, such as a local username and password database, by specifying

6 Login Connection Timeouts
By default, console, auxiliary, and Telnet (VTY) sessions time out after 10 minutes of idling. You can override this with the exec-timeout command Router(config)# line type #  Router(config-line)# exec-timeout minutes seconds  This simple example sets the timeout to 5 minutes for Telnet sessions Router(config)# line vty 0 4 Router(config-line)# exec-timeout 5 0

7 Secure Shell Two components are required for SSH to function:
The SSH server provides a secure connection, which is encrypted, to the Cisco IOS CLI. This connection is similar to an encrypted Telnet connection. The SSH client runs the SSH protocol to connect to an SSH server, and it must support the Data Encryption Standard (DES) or 3DES as well as password authentication. Authentication is performed in a normal fashion: Users can be authenticated using local mechanisms or by using an external security server. Cisco routers support both server and client connections Two components are required for SSH to function: Server Client Before setting up SSH, you must install a Cisco IOS image that supports DES or 3DES (this requires the image to support IPSec). For both router client and server functions to work, you need at least Cisco IOS 12.1(3)T.

8 Configuring secure shell
Step 1. Assign a name to the router (required). Router(config)# hostname router_name  Step 2. Assign a domain name to the router (required). Router(config)# ip domain-name DNS_domain_name  Step 3. Generate your encryption keys (required). Router(config)# crypto key generate rsa Step 4. Set up your VTY access for SSH (optional, but recommended):  Router(config)# username name secret password  Router(config)# line vty 0 4 Router(config-line)# transport input ssh Router(config-line)# transport output ssh  Router(config-line) login local Step 5. Tune the SSH server (optional). Router(config)# ip ssh {[timeout seconds] | [authentication-retries integer]} Step 6. Verify SSH server operation (optional). Router# show ssh Router# show ip ssh

9 Securing Web Browser access
Cisco supports the use of a web browser to access and manage a Cisco router By default, the HTTP server function on the router is disabled. To configure HTTP access, use the following steps: Step 1. Enable the HTTP server (required). Router(config)# ip http server Step 2. Define an authentication method (highly recommended). Router(config)# ip http authentication {aaa | enable | local} Step 3. Restrict access through HTTP (highly recommended). Router(config)# ip http access-class standard_ACL_# This command enables you to restrict, based on the source IP address of the client, which devices are allowed HTTP or HTTPS access to the route. Step 4. Change the HTTP port number (optional). Router(config)# ip http port port_# By default, the Cisco IOS uses port 80 for HTTP connections; however, you can change this port to a different number with the ip http port command. By changing the port number to a nonstandard one, you make it more difficult for a hacker to determine that you are running a web server on the router. Step 5. Change the location of HTML files (optional). Router(config)# ip http path URL_location Step 6. Restrict the number of HTTP connections (recommended). Router(config)# ip http max-connections #_of_connections

10 Example Router(config)# access-list 1 permit   Router(config)# access-list 1 permit   Router(config)# username richard privilege 15 secret bigXdogYlover  Router(config)# username natalie privilege 15 secret BIGxDOGyLOVER  Router(config)# ip http server  Router(config)# ip http authentication local  Router(config)# ip http access-class 1 Allow only two devices are allowed HTTP access to the router: and Both administrators have accounts set up, and the router uses the local authentication database (username commands) to perform the authentication. One interesting thing to point out about the username commands is the privilege 15

11 Example Scenario Set up authentication for the console, auxiliary, and VTY lines to use the local authentication database (login local) Two administrative machines: and For the VTY lines, restrict Telnet (and SSH) access to only the two administrative PCs. Disable specific services: HTTP, HTTPS, and SNMP For both the auxiliary and VTY lines, limit their idle timeout to 5 minutes Allow SSH access, which gives the two administrators encrypted access to the Skunk router Set up an ACL that allows SSH (TCP 22) but denies Telnet (TCP 23) to the router

Download ppt "User Access to Router Securing Access."

Similar presentations

© 2003, Cisco Systems, Inc. All rights reserved..

© 2003, Cisco Systems, Inc. All rights reserved..
Cisco Device Hardening Disabling Unused Cisco Router Network Services and Interfaces.

Cisco Device Hardening Disabling Unused Cisco Router Network Services and Interfaces.
DMZ (De-Militarized Zone)

DMZ (De-Militarized Zone)
DMZ (De-Militarized Zone)

DMZ (De-Militarized Zone)
Securing the Router Chris Cunningham.

Securing the Router Chris Cunningham.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.
1 © 2004, Cisco Systems, Inc. All rights reserved. CCNA 3 v3.1 Module 6 Switch Configuration.

1 © 2004, Cisco Systems, Inc. All rights reserved. CCNA 3 v3.1 Module 6 Switch Configuration.
Cisco Router. Overview Understanding and configuring the Cisco Internetwork Operating System (IOS) Connecting to a router Bringing up a router Logging.

Cisco Router. Overview Understanding and configuring the Cisco Internetwork Operating System (IOS) Connecting to a router Bringing up a router Logging.
1 CCNA 2 v3.1 Module 3. 2 CCNA 2 Module 3 Configuring a Router.

1 CCNA 2 v3.1 Module 3. 2 CCNA 2 Module 3 Configuring a Router.
Introduction to the Cisco IOS

Introduction to the Cisco IOS
CCNA 2 v3.1 Module 2.

CCNA 2 v3.1 Module 2.
Chapter 9 Managing a Cisco Internetwork Cisco Router Components Bootstrap - Brings up the router during initialization POST - Checks basic functionality;

Chapter 9 Managing a Cisco Internetwork Cisco Router Components Bootstrap - Brings up the router during initialization POST - Checks basic functionality;
CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control 172.16.3.0172.16.4.0 Non-172.16.0.0 e0e1 s0 172.16.4.13 server.

CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control Non e0e1 s server.
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Securing Network Services.

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Securing Network Services.
CCENT Review. Put the following descriptions in order from Layer 7 to Layer 1 and give the name of each layer.

CCENT Review. Put the following descriptions in order from Layer 7 to Layer 1 and give the name of each layer.
Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.

Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.
Summer Classes Router - Initial Configuration By Roshan Chaudhary Lecturer Islington College.

Summer Classes Router - Initial Configuration By Roshan Chaudhary Lecturer Islington College.
Privilege Levels Cisco IOS provides for 16 different privilege levels ranging from 0 to 15. Cisco IOS comes with 2 predefined user levels. User mode.

Privilege Levels Cisco IOS provides for 16 different privilege levels ranging from 0 to 15. Cisco IOS comes with 2 predefined user levels. User mode.
Sybex CCNA 640-802 Chapter 7: Managing a Cisco Internetwork Instructor & Todd Lammle.

Sybex CCNA Chapter 7: Managing a Cisco Internetwork Instructor & Todd Lammle.
Router Hardening Nancy Grover, CISSP ISC2/ISSA Security Conference November 2004.

Router Hardening Nancy Grover, CISSP ISC2/ISSA Security Conference November 2004.

Similar presentations

Ads by Google