
Securing Network Devices

Securing network devices is an important topic in the world of internetworking and will remain so as long as the threat of intrusion, espionage, theft, or hacking exists. Barely a day passes without a story breaking about a major company that has suffered an embarrassing hack, industrial espionage, or an internal security breach caused by a careless or disgruntled employee.

While the CCNA is not a security course, you will be tested on some areas of network security. You should be able to configure routers and switches to allow only certain people to access them and allow only certain traffic to pass through them from your network to the Internet, or vice versa. You should also be able to restrict access to certain applications and services within the network.

If you really enjoy learning about network security, then consider studying for the Cisco CCNA Cyber Ops exam after passing the CCNA exam.

Network Security Devices
Firewalls
Firewalls in Action
Stateful Inspection and Packet Filtering
Zone-based Policy Firewalls
Network Device Passwords
Enable Password
Enable Secret
Service Password Encryption
Auxiliary Password
Mini-lab – Adding a Telnet Password
Console Password
Configuring Local Usernames and User-Specific Passwords
Securing Network Devices
Privilege Levels
Login
Logging Router Access
Local Logging
Prevent Telnet Access
Enable SSH
Mini-lab – Enabling SSH Access
Disable HTTP
Disable CDP
Add a Banner Message
Shut Down Unused Ports
Network Device Clock and NTP
Update the IOS
Disable Unused Services
Using ACLs to Limit Telnet and SSH Access
Restrict VLAN Information
Change the Native VLAN
Change the Management VLAN
Simple Network Management Protocol
Securing VTP
External Authentication Methods
AAA
AAA Servers
Configuring AAA on Cisco Devices
End of Chapter Questions
Chapter 23 Labs
Lab 1: Basic Router Security
Lab Exercise
Purpose
Lab Objectives
Lab Walk-through
Lab 2: Switch Security
Lab Exercise
Purpose
Lab Objectives
Lab Walk-through

Network Security Devices

As well as the security measures mentioned here, you should have the following devices and services operational on your network:

  • Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) – IDS and IPS devices function by performing traffic inspection to detect unauthorized traffic that tries to enter the enterprise network. Their main role is to monitor networks for intrusions or other malicious activity. The actions taken by a device in a promiscuous mode include sending alerts, alarms, log messages, or SNMP traps. The major difference between IPS and IDS is that IPS devices operate in line with the traffic (meaning they are placed in the middle of the traffic flow and all the packets pass through the inspection device), while IDS devices only retrieve a copy of the traffic so they can analyze it.
  • Firewall – A firewall is a hardware- or software-based security device that filters traffic that is not allowed in the organization (while allowing legitimate traffic). Firewalls are positioned at the entry point in an organization or between critical network modules to create various security access policies. Most firewalls filter at layer 4 based on the source or destination address and TCP or UDP port number.
  • Antivirus – These programs were originally developed to remove malicious computer code, and today they can protect you from browser hijacking, worms, Trojans, adware, and spyware. Big players in this field include AVG and Symantec.
  • Antispyware – These programs are similar to antivirus programs inasmuch as they help to block and prevent spyware and other malware types on computers. Spyware captures sensitive data and transmits it to a remote device controlled by the attacker. Antispyware programs such as Ad-Aware and Spybot monitor incoming data from e-mail, websites, or file downloads and prevent spyware from taking root in your operating system.

Firewalls

Configuring firewalls is NOT a CCNA exam requirement. This subject is in the CCNA Cyber Ops and other security exams. However, the CCNA exam does require an understanding of the impact of a firewall in an enterprise network.

It would be prudent to understand the role of a firewall and some common associated terms both for the exam and to converse with customers and fellow network engineers. It is common for the network team to be on a call with the security team in order to jointly determine which part of the network is at fault.

Firewalls in Action

Firewalls filter traffic into and out of the network, and they are usually positioned at the network entry point or between critical modules. Most firewalls work at Layer 4, filtering on TCP or UDP port numbers (these are usually called traditional or legacy firewalls), although some can operate at Layer 7 (usually called next-generation firewalls). Firewalls often perform NAT, which will be covered later. Firewalls also commonly carry encrypted traffic in tunnels to other sites, where the tunnel terminates on the remote firewall.

First-generation firewalls provided basic filtering capabilities at Layer 3 and Layer 4 of the OSI Model. Second-generation firewalls monitored traffic at Layer 3, Layer 4, and Layer 5 of the OSI Model. Third-generation firewalls provided firewalling capabilities at Layer 3, Layer 4, Layer 5, and Layer 7 of the OSI Model. And, finally, fourth-generation firewalls operate at Layer 3, Layer 4, Layer 5, and Layer 7 of the OSI Model and use a concept referred to as stateful inspection.

Firewalls usually operate in either routed or transparent mode. Routed mode means that the firewall functions like a Layer 3 device, with IP addresses on its interfaces and running routing protocols or static routes. Transparent mode means that the firewall functions like a Layer 2 device, passing traffic transparently to the end-user. This is illustrated in Figure 23.1 below:

FIG 23.1 – Firewalls in action

Software firewalls are available from companies such as AVG and Microsoft, with AVG offering both free and paid versions. Software firewalls are installed on users’ PCs and smartphones and offer OS-level protection (see Figure 23.2 below). Their role is to block traffic from leaving or entering the system. Because they are designed for end-device-level protection, they are not suitable for protecting enterprise networks.

FIG 23.2 – Software firewall

A virtual firewall (VF) is a network firewall service or appliance that runs within a virtualized environment and that provides the packet filtering and monitoring services which would normally be provided via a hardware firewall (see Figure 23.3 below).

FIG 23.3 – Virtual firewall

The advantage of this is that multiple firewalls can be run without high costs. The VF is used to partition the physical firewall into multiple logical devices. Assigned interfaces are allocated separate security policies, NAT rules, and access control lists (which will be covered later). Virtual firewalls do not usually support IPSec VPNs, SSL VPNs, or dynamic routing.

Cisco has coined the term “security contexts”. These allow a single physical device to act as multiple independent firewalls. Each security context defines a single virtual firewall, which includes a unique configuration. Cisco has warned that, just as with physical devices, each security context must be carefully configured to ensure that overall network security is never compromised.

Instructor: Since Cisco has a real virtual firewall product (i.e., ASAv) that supports all these features, virtual firewalls should not be referred to as security contexts. Regarding security contexts, this applies to OS version 8.x and earlier. In OS 9.x, some of these features are supported (e.g., site-to-site VPNs) while some are (still) not (e.g., dynamic routing and remote access VPN).

Stateful Inspection and Packet Filtering

Firewalls operate in two modes, stateful or stateless. The legacy firewall operating mode is stateless, which is also known as packet filtering. In stateless mode, the network administrator will configure firewall rules to permit or deny certain data to certain ports or ranges of ports, and the incoming and outgoing data have no relationship with each other. Stateless firewalls are typically faster than stateful ones.

Instructor: Nowadays, the term “legacy” (although I prefer “old” or “back in the past”) is used for all firewalls that are working up to Layer 4.

Figure 23.4 below shows firewall rules configured on a device:

FIG 23.4 – Firewall rules example (Image © Bullguard.com)

Stateful inspection means that all data flows are recorded, and associated flows of data are then permitted or denied. A stateful firewall determines the state of a TCP connection (e.g., open, open sent, synchronized, etc.) and can tell whether changes have been made, such as the Maximum Transmission Unit (MTU) or whether the packets are fragmented.

FIG 23.5 – Stateful firewall

A single network firewall represents a single point of failure, so most will feature an active and failover firewall, with the failover acting as the backup (see Figure 23.6 below).

FIG 23.6 – Active and failover firewalls

Using the same vendor and operating system for each firewall is always recommended. Changes should be performed and tested on one firewall before doing the same on the second firewall.

Zone-based Policy Firewalls

Zone-based policy firewall (ZBW) functionality represents an evolution in firewall technology. The objective of ZBWs is to create security zones, with each device interface placed into a zone. Unidirectional zone pairs can be created to define zone relationships by applying a modular flexible policy to zone pairs.

Instructor: Two or more interfaces can be in the same zone, which is often the case (e.g., two LAN/DMZ/Internet interfaces).
This concept is illustrated in Figure 23.7 below:

FIG 23.7 – Zone-based policy firewall

Devices in the demilitarized zone (DMZ) need to be accessible from the Internet, so they should be in a zone separate from the internal devices. Zones created include Trusted, Untrusted, and the DMZ. Figure 23.7 shows the interfaces placed into each zone (i.e., Gi0/0 is trusted, Gi0/1 is untrusted, and Gi0/2 is in the DMZ).

The following are the unidirectional zone pairs that can be created:

  1. Trusted Zone to DMZ
  2. DMZ to Trusted Zone
  3. Trusted Zone to Untrusted Zone
  4. Untrusted Zone to Trusted Zone
  5. DMZ to Untrusted Zone
  6. Untrusted Zone to DMZ

Network Device Passwords

Do you want just anybody to access your network devices? Perhaps you want only a handful of people to be able to log on to the router and a few others to be able to remotely connect to the router and administer it. Network device access needs to be protected from internal staff and external intruders.

Passwords on Cisco devices must contain from 1 to 25 uppercase and lowercase alphanumeric characters. Passwords are case sensitive; spaces can be used but not as the first character. Cisco recommends that the best way to handle passwords is to maintain them on a TACACS+ or RADIUS authentication server. Most routers, however, have a locally stored (in the router’s configuration) privilege-level password.

Enable Password

Protecting privileged mode (or enable mode) on your router is very important and the process is very simple. When any person attempts to enter privileged mode from user exec mode, they will be prompted for a password.

Router>enable
Router#config t
Router(config)#enable password cisco – Passwords ARE case sensitive
Router(config)#disable
Router>enable
Password: – The password will not show as you type it
Router#

By default, the enable password command can be seen when any user looks at the running or startup configuration of the router. You probably do not want this to happen (see the service password-encryption command below).

Router#show run
Building configuration...
hostname Router
!
enable password cisco

You can disable the enable password command by entering no in front of the command.

Router(config)#no enable password

You do not need to enter the password again.

Enable Secret

The following output shows the enable secret command:

Router#conf t
Router(config)#enable secret cisco
Router(config)#exit
Router#disable
Router>enable
Password: – The password will not show as you type it
Router#

You can see that when a show running-config command is issued, the enable secret is stored as an MD5 hash rather than in clear text. Only the relevant part of the configuration is shown below:

Router#show running-config
Building configuration...
hostname Router
!
enable secret 5 $1$F3Dy$w0mwxVmJ79Ug9pK/snpRe/ – Hashed using the MD5 algorithm

The number 5 after enable secret means the password is stored as a level 5 value, an MD5-based hash, which is harder to crack than level 7, which uses a weaker, reversible algorithm. If you forget your password, you will have to do password recovery using the console port (search for “[router model] password recovery” because each router and switch model has a slightly different recovery process).

Instructor: Newer IOS releases also offer the SHA256 encryption algorithm (number 4).
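What the type 5 string actually is, and how the router checks it, is worth seeing once. The block below is an added example (not the book's code): type 5 is the md5crypt format $1$<salt>$<22 chars>, a salted and iterated MD5 hash that the router never decrypts; at the enable prompt it re-hashes what you type with the stored salt and compares. The passwords and salts used in the code are constructed.

```python
"""Cisco 'enable secret 5' storage and verification (md5crypt).
Added example, not code from the book. The router never reverses this value; it
hashes the typed password with the stored salt and compares the results."""
import hashlib
import hmac

ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
MAGIC = b'$1$'  # the "$1$" prefix identifies md5crypt, i.e. Cisco type 5


def _to64(value, count):
    """md5crypt's base-64 variant: `count` chars, least significant 6 bits first."""
    out = ''
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5crypt(password, salt):
    """Return the md5crypt string '$1$salt$hash' for `password` and `salt`."""
    pw, sl = password.encode(), salt.encode()[:8]   # salt is at most 8 bytes; IOS uses 4
    ctx = hashlib.md5(pw + MAGIC + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    pl = len(pw)
    while pl > 0:                                    # mix in len(pw) bytes of alt
        ctx.update(alt[:min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:                                         # one byte per bit of len(pw)
        ctx.update(b'\0' if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                            # 1000 rounds slow down guessing
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(sl)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    out = ''
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return (MAGIC + sl).decode() + '$' + out


def parse_type5(stored):
    """Split a type 5 string into (salt, hash); reject anything that is not one."""
    parts = stored.split('$')
    if len(parts) != 4 or parts[:2] != ['', '1'] or len(parts[3]) != 22:
        raise ValueError('not a Cisco type 5 (md5crypt) string')
    return parts[2], parts[3]


def verify_type5(candidate, stored):
    """True if `candidate` is the password behind `stored`, checked as the router does."""
    salt, _ = parse_type5(stored)
    return hmac.compare_digest(md5crypt(candidate, salt), stored)


if __name__ == '__main__':
    # Constructed values: the salt below is taken from the show run output in the text.
    stored = md5crypt('cisco', 'F3Dy')
    print(stored, verify_type5('cisco', stored), verify_type5('Cisco', stored))
```

Because the value is one-way, a forgotten secret cannot be read back out of the configuration, which is why the text points you to the console-port password recovery procedure instead.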

Service Password Encryption

You can actually encrypt all of the passwords on the router with the service password-encryption command. This command will encrypt all current and future passwords added to the router.

Router(config)#enable password cisco
Router(config)#service password-encryption
Router(config)#exit
Router#show run
!
service password-encryption
hostname Router
enable password 7 070724404206 – Weaker reversible algorithm

The service password-encryption command does not provide a high level of security. Use this command with additional security measures.

Auxiliary Password

In order to protect connections through the AUX port, you will need to assign a password to it. Note that when you configure the AUX port, the router drops into config-line mode, as shown below:

Router#config t
Router(config)#line aux ?
  <0-0>  First Line number
Router(config)#line aux 0
Router(config-line)#password cisco – Config-line mode
Router(config-line)#login
Router(config-line)#^Z
Router#

The login command is very important, as it tells the router to ask the user for a password, while the command login local tells the router to check a username and password you have configured on the router itself (the local database). You can instead put a server in the network, which does the job of authenticating all the users. These servers are known as TACACS or RADIUS servers.

The login and login local commands are covered comprehensively in the labs throughout this book.

Mini-lab – Adding a Telnet Password

In order to connect to your router over the Internet or remotely, you may want to telnet to it. To allow Telnet sessions, you need to have a password set on the VTY line. Terminal lines are logical (i.e., not physically attached to the router), so you will normally telnet via the Serial port or Ethernet port and a virtual terminal (known as VTY) will be opened. The number of available VTY ports depends on your router model; mine below has five. Please configure the IP addressing and hostnames as per Figure 23.8 below. Ping across the link to ensure that the network is working.

FIG 23.8 – Mini-lab: Adding a Telnet password

R1#config t
R1(config)#enable secret howtonetwork
R1(config)#line vty 0 4 – Use ? to see your available VTY port numbers
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#^Z

Now you can telnet to R1 from R2:

R2#telnet 192.168.1.1
Trying 192.168.1.1 ... Open
User Access Verification
Password:
R1>enable
Password:
R1# – You are now connected to R1 from R2
R1#exit – You can use Ctrl+Shift+6 and x to exit
[Connection to 192.168.1.1 closed by foreign host]
R2#

[END OF MINI-LAB]

Configuring the router for Telnet access alone is not sufficient. The enable or enable secret command must also be configured to allow for privileged access after Telnet access has been allowed. Try it for yourself with and without an enable command on the device you are telnetting to. Remember also that you can protect the VTY lines with an ACL, but you must apply it using the access-class command. We covered this in the ACL sections and hands-on labs earlier.

Your ACL may permit a certain IP address only, so in this case you can source the telnet from that interface.

R1#telnet 192.168.1.1 /source-interface loopback0

If there is no VTY password on the remote router, you will see:

R2#telnet 192.168.1.1
Trying 192.168.1.1 ... Open
Password required, but none set
[Connection to 192.168.1.1 closed by foreign host]
R2#

You can test this yourself by adding the command below to the R1 VTY lines:

R1(config-line)#no password

There must be either a line password (applied with the login command) or a username and password configured on the router with the login local command issued under the VTY lines. If a VTY password is set but there is no enable command, you will still be able to telnet across, but once you try to enter privileged mode you will see:

R2#telnet 192.168.1.1
Trying 192.168.1.1 ... Open
User Access Verification
Password:
R1>enable
% No password set
R1>

If you are connected to R1, you can see other connections to the router with the show line command:

R1#show line
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
*    0 CTY              -    -      -    -    -      0      0     0/0       -
     1 AUX   9600/9600  -    -      -    -    -      0      0     0/0       -
*    2 VTY              -    -      -    -    -      2      0     0/0       -
     3 VTY              -    -      -    -    -      0      0     0/0       -
     4 VTY              -    -      -    -    -      0      0     0/0       -
     5 VTY              -    -      -    -    -      0      0     0/0       -
     6 VTY              -    -      -    -    -      0      0     0/0       -

The * indicates that there is an active connection on that line. The CTY is the console port, and as you can see the console connection is active. The AUX is for connections to the auxiliary port. Finally, the VTY is for the virtual terminal lines that are used for inbound Telnet connections.

You may want to clear a Telnet session coming into your router either to throw the user off or to free up a VTY line that should have cleared but has not. To do this, you would use the clear line # command:

R1#clear line 2
[confirm]
 [OK]

In the output below, on my own network I have created the username paul and have allowed incoming Telnet sessions. When a user telnets to my router, I can check the connection that is in use with the show users command.

R2#show users
    Line       User       Host(s)              Idle       Location
*    0 con 0              idle                 00:00:00
    98 vty 0   paul       idle                 00:00:17   192.168.1.1

  Interface    User               Mode         Idle     Peer Address

I have VTY lines 0 to 933 available on this router because I’m using GNS3. You would think that the lines would be used in ascending order from 0 upward but that is not so. I’ve found that a random number is used from the range available. In the output above, it’s 98. You could technically protect your VTY lines by allowing only one incoming connection with the configuration below. Test it for yourself; however, I couldn’t find a way to control which line you actually telnetted on. Also, note that the incoming session below came in on VTY 194.

R2(config)#line vty 0
R2(config-line)#login local
R2(config-line)#end

Now I will telnet in from R1 (IP address 192.168.1.1):

R2#show users
    Line       User       Host(s)              Idle       Location
*    0 con 0              idle                 00:00:00
   194 vty 0   paul       idle                 00:00:14   192.168.1.1

  Interface    User               Mode         Idle     Peer Address

R2#show line
   Tty Line Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
*    0    0 CTY              -    -      -    -    -      0      0     0/0       -
     1    1 AUX   9600/9600  -    -      -    -    -      0      0     0/0       -
*  194  194 VTY              -    -      -    -    -      1      0     0/0       -
   195  195 VTY              -    -      -    -    -      0      0     0/0       -
   196  196 VTY              -    -      -    -    -      0      0     0/0       -
   197  197 VTY              -    -      -    -    -      0      0     0/0       -
   198  198 VTY              -    -      -    -    -      0      0     0/0       -

The show users command will display incoming connections to your router and the show sessions command will display outgoing connections from your router to another device. There is a fourth type of connection known as a TTY. These are asynchronous lines used for modem and terminal connections.

Console Password

It is very important to protect your console port on the router. If you do not, any person who can get physical access to the router will be able to reconfigure and reboot it.

Router#config t
Router(config)#line console ?
  <0-0>  First Line number
Router(config)#line console 0
Router(config-line)#password hello
Router(config-line)#login
Router(config-line)#exit
Router(config)#exit

For added security, you can specify a timeout value to lock the console connection if there is no activity for a specified number of minutes. This will also work on the VTY and AUX ports.

Router(config)#line console 0
Router(config-line)#exec-timeout 5 – Sets timeout for 5 minutes

Timeout values can be set on AUX, console, and VTY lines. The default timeout value is 10 minutes. If you want a line to never time out, the value must be 0. This does represent a security issue, though, as the lines will always remain open.
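The settings covered in the Enable Password, Enable Secret, Service Password Encryption, Auxiliary Password, Telnet and Console Password sections above can be checked mechanically against a saved running-config. The script below is an added example and not code from the book: both sample configs are constructed, and the wording of the findings is the script's own.

```python
"""Audit a Cisco IOS running-config for the weaknesses covered in this chapter.
Added example, not code from the book: both sample configs are constructed and
the finding texts are this script's own."""
import re

# Constructed: the defaults and mistakes the password and line sections warn about.
WEAK_CONFIG = """\
no service password-encryption
enable password cisco
username paul password cisco
line con 0
 password hello
 login
 exec-timeout 0 0
line aux 0
 login
line vty 0 4
 password cisco
 login
 transport input telnet
"""

# Constructed: the same device after the chapter's recommendations are applied.
HARDENED_CONFIG = """\
service password-encryption
enable secret 5 $1$F3Dy$w0mwxVmJ79Ug9pK/snpRe/
username paul secret 5 $1$F3Dy$w0mwxVmJ79Ug9pK/snpRe/
line con 0
 exec-timeout 5 0
 login local
line aux 0
 exec-timeout 5 0
 login local
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 login local
 transport input ssh
"""


def parse_config(text):
    """Split a config into (global commands, {'line ...': [sub-commands]}).
    Indented commands belong to the preceding unindented 'line' command."""
    global_cmds, line_blocks, current = [], {}, None
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd == '!':
            continue
        if raw[0] in ' \t' and current is not None:
            line_blocks[current].append(cmd)
            continue
        current = None
        if cmd.startswith('line '):
            current = cmd
            line_blocks[current] = []
        else:
            global_cmds.append(cmd)
    return global_cmds, line_blocks


def audit(text):
    """Return 'scope: finding' strings; an empty list means no issue was found."""
    global_cmds, line_blocks = parse_config(text)
    findings = []
    if not any(c.startswith('enable secret') for c in global_cmds):
        findings.append('global: no enable secret (privileged mode protected by '
                        'a weak enable password or not at all)')
    if 'no service password-encryption' in global_cmds:
        findings.append('global: service password-encryption is off, line and '
                        'username passwords are stored in clear text')
    for cmd in global_cmds:
        m = re.match(r'username (\S+)(?: privilege \d+)? password (?:(0|7) )?\S+$', cmd)
        if m:
            kind = 'type 7 (reversible)' if m.group(2) == '7' else 'clear-text'
            findings.append(f'global: username {m.group(1)} uses a {kind} password, '
                            f'use "username {m.group(1)} secret" instead')
    for line, cmds in line_blocks.items():
        has_password = any(c.split()[0] == 'password' for c in cmds)
        if 'login' in cmds and not has_password:
            findings.append(f'{line}: "login" without a password, sessions are '
                            'refused with "Password required, but none set"')
        if 'login' not in cmds and 'login local' not in cmds:
            findings.append(f'{line}: neither "login" nor "login local", no authentication')
        if 'exec-timeout 0 0' in cmds:
            findings.append(f'{line}: exec-timeout 0 0, idle sessions never time out')
        if line.startswith('line vty'):
            # Default "transport input" differs by platform; treat unspecified as permissive.
            transport = next((c for c in cmds if c.startswith('transport input')), None)
            if transport is None or 'telnet' in transport or transport.endswith(' all'):
                findings.append(f'{line}: Telnet accepted (clear text), use '
                                '"transport input ssh"')
            if not any(c.startswith('access-class') for c in cmds):
                findings.append(f'{line}: no access-class, VTY reachable from any source')
    return findings


if __name__ == '__main__':
    for name, cfg in (('weak', WEAK_CONFIG), ('hardened', HARDENED_CONFIG)):
        print(name, audit(cfg))
```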

Configuring Local Usernames and User-Specific Passwords

You may not want to have a generic password on your connections to the router. You can configure specific username and password combinations on a per-user basis.

RouterA#config term
RouterA(config)#username paul password cisco
RouterA(config)#username stuart password ccna
RouterA(config)#username davie password rugby
RouterA(config)#line vty 0 4
RouterA(config-line)#login local
RouterA(config-line)#exit
RouterA(config)#exit

I can now telnet from Router B to Router A, providing I know my username and password:

RouterB#telnet 192.168.1.1
Trying 192.168.1.1 ... Open
User Access Verification
Username: paul
Password:

Securing Network Devices

Privilege Levels

You can assign different levels of access to different users based on their local user accounts on the router. For example, you might restrict junior members of the network team to use only basic show commands. This is done using privilege levels. Cisco has 16 privilege levels ranging from 0 to 15, where 15 is full access.

You can assign a specific privilege level to a user and assign some commands to that level. This is shown in the output below:

RouterA#conf t
RouterA(config)#username juniortech privilege 4 password support
RouterA(config)#privilege exec level 4 ping
RouterA(config)#privilege exec level 4 traceroute
RouterA(config)#privilege exec level 4 show ip interface brief
RouterA(config)#line console 0
RouterA(config-line)#password basketball
RouterA(config-line)#login local – Password is needed
RouterA(config-line)#^z

If a junior technician logs in using the juniortech username and then tries to make a configuration change, access is denied because the command is not allowed at privilege level 4.

RouterA con0 is now available

Press RETURN to get started.

User Access Verification

Username: juniortech
Password:
RouterA#config t – Not allowed to use this command
               ^
% Invalid input detected at '^' marker.

Login

The login local command on the console, AUX, or VTY line overrides the line password set on that console, AUX, or VTY line, so that any person who telnets to Router A will be asked for his/her username and password from the local database.

You can use the enable secret [level] password command to define a password for a specific level of access and then give the password only to those who you want to have that level of access. You would then use the privilege exec level command to specify the commands available at the various access levels.

Logging Router Access

As a network administrator, it is very likely that you will want to be aware of who is attempting to log in to your network, as well as aware of any other network events.

Local Logging

There are several features included in the Cisco IOS to monitor events locally on the router:

  • logging console [level] – This command controls which messages are sent to the console port. Levels can be from 0 to 7 (see Table 23-1); messages at the chosen level or lower (more severe) are displayed. You can use the no logging console command to turn off console output if you do not want it to appear on your screen constantly.

Table 23-1: Logging levels

Level   Logging Message
0       Emergencies
1       Alerts
2       Critical
3       Errors
4       Warnings
5       Notifications
6       Informational
7       Debugging

  • terminal monitor – This command allows debug and system messages to appear on your terminal connection to a router. If you are connected to a remote router via Telnet or SSH, you will need to use this command if you want to see debug output. The console connection already receives these messages.
  • logging buffered [size in bytes | level] – This command will allow log messages to be kept in the router’s memory.
  • access-list [specify action] log – This command enables the logging of packets that match the ACL configuration line criteria (e.g., access-list 10 permit 192.168.1.1 log).
  • service timestamps – This command allows the router to timestamp logging or debug messages.
  • logging host address – This command will send logging messages to a syslog server (e.g., Router(config)#logging 172.16.1.5).

You can view the current logging levels with the show logging command:

RouterB#show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
    Console logging: level debugging, 20 messages logged
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: level debugging, 20 messages logged
    Trap logging: level informational, 24 message lines logged

Log Buffer (4096 bytes):

00:00:09: %LINK-3-UPDOWN: Interface Serial0, changed state to down
00:00:09: %LINK-3-UPDOWN: Interface Serial1, changed state to down
00:01:43: %LINK-5-CHANGED: Interface BRI0, changed state to administratively down

In summary, logging options include:

  • logging buffered – logs messages to the router buffer
  • logging host – logs messages to a syslog server
  • logging console – logs messages to the console (you need to enable the terminal monitor command to see the logs on non-console connections)

You can have logging and/or debug messages timestamped with the service timestamps debug datetime msec localtime and/or service timestamps log datetime msec localtime commands. If you want, you can clear the logging buffer with the clear logging command. If you have requested assistance from a Cisco TAC, they may ask you to enable timestamps on your debug messages to assist them with troubleshooting your issue. Below are two debug outputs, the first without and the second with a timestamp:

%LINK-3-UPDOWN: Interface Serial0, changed state to down

00:00:09: %LINK-3-UPDOWN: Interface Serial0, changed state to down

Please do type the commands above onto a router so that they stick in your mind. We will look at syslog again later in this guide.
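The severity table above and the trap level in the show logging output decide which messages a destination actually receives. The Python script below is an added example written for this edit, not code from the original book: it parses IOS system messages of the form %FACILITY-SEVERITY-MNEMONIC, maps the severity digit to the names in Table 23-1, and applies the same "this level and anything more severe" rule that logging trap, logging buffered and logging console use. The first three sample lines are the buffer contents shown above; the remaining sample lines and the function names are constructed for the example.

```python
import re

# Table 23-1: the index in this list is the IOS severity number.
LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]

# Every IOS system message carries %FACILITY-SEVERITY-MNEMONIC: text.
# Anything in front of it (sequence number, timestamp) is optional.
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)

# Constructed sample buffer: the first three lines are the show logging output
# from this chapter; the remaining lines are made up for the example.
SAMPLE_LOG = [
    "00:00:09: %LINK-3-UPDOWN: Interface Serial0, changed state to down",
    "00:00:09: %LINK-3-UPDOWN: Interface Serial1, changed state to down",
    "00:01:43: %LINK-5-CHANGED: Interface BRI0, changed state to administratively down",
    "000024: 00:02:10: %SEC-6-IPACCESSLOGS: list 10 permitted 192.168.1.1 1 packet",
    "00:02:11: %SYS-7-USERLOG_DEBUG: Message from tty0(user id: ): test",
    "Log Buffer (4096 bytes):",
]


def parse_ios_log(line):
    """Split one IOS log line into its fields; return None for non-message lines."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    severity = int(m.group("severity"))
    return {
        # whatever preceded the message: sequence number and/or timestamp
        "timestamp": line[:m.start()].strip().rstrip(":").strip(),
        "facility": m.group("facility"),
        "severity": severity,
        "level": LEVELS[severity],
        "mnemonic": m.group("mnemonic"),
        "text": m.group("text"),
    }


def passes_level(entry, level_name):
    """True if a message of this severity is emitted at the given logging level.
    IOS sends everything at the configured level or more severe (lower number)."""
    return entry["severity"] <= LEVELS.index(level_name)


def filter_by_level(lines, level_name):
    """Return the messages a destination configured at level_name would receive,
    e.g. 'logging trap informational' drops the debugging line but keeps the rest."""
    kept = []
    for line in lines:
        entry = parse_ios_log(line)
        if entry is not None and passes_level(entry, level_name):
            kept.append(entry)
    return kept


def count_by_level(lines):
    """Histogram of severities, handy for spotting a burst of errors in a buffer."""
    counts = {name: 0 for name in LEVELS}
    for line in lines:
        entry = parse_ios_log(line)
        if entry is not None:
            counts[entry["level"]] += 1
    return counts


if __name__ == "__main__":
    for e in filter_by_level(SAMPLE_LOG, "informational"):
        print(f'{e["timestamp"]:>18}  {e["level"]:<13} {e["facility"]}-{e["mnemonic"]}: {e["text"]}')
    print(count_by_level(SAMPLE_LOG))
```

Run it against a real buffer by replacing SAMPLE_LOG with the lines of show logging pasted from a device; setting the filter to "errors" is the quickest way to pull out only the LINK-3 and worse events from a long buffer.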

Prevent Telnet Access

All traffic sent using Telnet (including configuration commands and passwords) is sent in clear text, so anyone with a sniffer on the path can capture the contents of the session, including the login and enable passwords. This makes Telnet inherently insecure.

Figure 23.9 below is a packet capture of an incoming Telnet session. You can clearly see that the sent password is “cisco”.

Telnet password sent in clear text

FIG 23.9 – Telnet password sent in clear text

Remote login via Telnet does not work until a password (and optionally a username) has been set on the VTY lines, so it is effectively disabled on an unconfigured device. For secure remote management access to a router or switch, enable SSH (Secure Shell), which is described below. Later, we will cover how to use ACLs to restrict who can reach the VTY lines if you must leave Telnet enabled.

Enable SSH

It is highly recommended that you use SSH rather than Telnet to access your network devices whenever possible. Unlike Telnet, which sends traffic in clear text, SSH sets up an encrypted channel, so everything exchanged with the switch (in both directions) is encrypted. This protects the session from packet sniffing.

SSH requires Cisco IOS versions that support cryptography. These are the security versions of the IOS. An easy way to check whether your IOS supports cryptography is using the show version command. Security IOS versions usually have “K9” or “security” in their names.

Switch#sh version

Cisco IOS Software, C3560 Software (C3560-ADVIPSERVICESK9-M), Version 15.2(35)SE1, RELEASE SOFTWARE (fc1)

[output truncated]

System image file is flash:/c3560-advipservicesk9-mz.152-35.SE1.bin

If you do not have a security version of IOS, you must purchase a license for it.

An RSA public/private key pair is used as the device’s SSH host key. The client uses the public key to verify that it is talking to the real switch and to protect the key exchange; the private key never leaves the device. The session traffic itself is then encrypted with a symmetric key agreed during that exchange, and users are authenticated with a username/password combination. Before generating the keys, you must set the hostname and domain name of the switch, because the key pair is named after its Fully Qualified Domain Name (hostname.domainname).

The steps to enable SSH are as follows:

  • Set the hostname and domain name
  • Generate crypto keys for encryption; SSH is enabled at this point
  • Set other SSH parameters such as idle timeout and authentication-retries (optional)

Mini-lab – Enabling SSH Access

You already know how to add an IP address and default gateway on a switch. Take a router and add the IP address below to the Fast Ethernet interface and connect it to a switch via a straight-through cable. Add an IP address to the management VLAN and ping from the router to the switch.

Router(config)#interface f0/0

Router(config-if)#ip address 192.168.1.1 255.255.255.0

Switch(config)#ip default-gateway 192.168.1.1

Switch(config)#interface vlan 1

Switch(config-if)#ip address 192.168.1.2 255.255.255.0

Switch(config-if)#no shut

Mini-lab: Enabling SSH access

FIG 23.10 – Mini-lab: Enabling SSH access

An example is shown below:

Switch(config)#hostname SwitchOne

SwitchOne(config)#ip domain-name howtonetwork.com

SwitchOne(config)#crypto key generate rsa

The name for the keys will be: SwitchOne.howtonetwork.com

Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.

How many bits in the modulus [512]: 1024

% Generating 1024 bit RSA keys, keys will be non-exportable…[OK]

SwitchOne(config)#ip ssh time-out 60

SwitchOne(config)#ip ssh authentication-retries 2

SwitchOne(config)#line vty 0 15

SwitchOne(config-line)#transport input ssh

SwitchOne(config-line)#password cisco

You can specify the SSH version using the ip ssh version [1|2] command (version 2 is the default in modern IOS versions; always use it, since SSH version 1 has known weaknesses). SSH version 2 requires an RSA modulus of at least 768 bits. The 1024-bit key generated above is enough for the lab, but choose 2048 on production devices.

To verify that SSH is enabled, as well as the version of SSH that is enabled on a switch, use the show ip ssh command:

SwitchOne#show ip ssh

SSH Enabled – version 2.0

Authentication timeout: 60 secs; Authentication retries: 2

Now you can attempt to connect from the router to the switch. Cisco documentation on how to do this is somewhat light.

Router#ssh -l paul 192.168.1.2

Open

Password:

SwitchOne>

If you try to telnet from the router to the switch, the connection will be rejected.

Router#telnet 192.168.1.2

Trying 192.168.1.2 …

% Connection refused by remote host

Router#

[END OF MINI-LAB]

The output below shows how to permit both Telnet and SSH. Only do this where a legacy tool genuinely still needs Telnet, and remove telnet from the list as soon as it does not.

Router(config)#line vty 0 15

Router(config-line)#transport input ssh telnet

Disable HTTP

Routers and switches can be accessed, managed, and configured via a web page over HTTP, and the HTTP server is one more listening service that an attacker can probe. Unless you need it, disable it with the no ip http server command; if you do not use the HTTPS interface either, disable that as well with no ip http secure-server.

Switch(config)#no ip http server

To view the status of the HTTP server on the switch:

Switch#show ip http server status

HTTP server status: Disabled

HTTP server port: 80

[output truncated]

Disable CDP

Cisco Discovery Protocol is a Cisco proprietary data link layer protocol used to discover the Cisco devices attached to a particular device. Although CDP is a really useful troubleshooting tool, it is also an information leak: anyone who connects to a port that sends CDP receives the device’s hostname, platform, IOS version and IP addresses, which is exactly what an attacker needs to look up known vulnerabilities. Because it runs at Layer 2 of the OSI model, it needs no IP address to exchange information with connected devices.

You can disable CDP across your network or, at a minimum, on the interfaces that connect to devices you do not trust (user-facing ports and links to other organisations).

An example of a CDP output on a switch is shown below:

Router#show cdp neighbor detail

Device ID: Switch

Entry address(es):

Platform: Cisco 2960, Capabilities: Switch

Interface: FastEthernet0/0, Port ID (outgoing port): FastEthernet0/2

Holdtime: 176

Version:

Cisco Internetwork Operating System Software

IOS (tm) C2960 Software (C2960-I6Q4L2-M), Version 15.1(22)EA4, RELEASE SOFTWARE (fc1)

Copyright (c) 1986-2005 by Cisco Systems, Inc.

Compiled Wed 18-May-05 22:31 by jharirba

advertisement version: 2

Duplex: full

The output above demonstrates why CDP is a very useful troubleshooting tool. To turn off CDP on an entire device, use the no cdp run command:

Switch(config)#no cdp run

To turn off CDP on an interface, use the no cdp enable interface configuration command. You must know the difference between these two commands for the CCNA exam.

Switch(config)#int fast0/2

Switch(config-if)#no cdp enable

Add a Banner Message

Banner messages are displayed when a user connects to a device. Although these messages do not provide any actual security, they can be used to display warning messages and company policies, which can be very useful legally.

When configuring a banner, a delimiting character is selected to tell the router when the banner message is complete. In the example below, the delimiting character is Y:

Switch(config)#banner motd Y

Enter TEXT message.  End with the character “Y”.

KEEP OUT OR YOU WILL REGRET IT Y

Switch(config)#

Referring to the output below, when telnetting to the router and the MOTD banner appears, notice that the banner message is truncated. This is because Y was chosen as the delimiting character. To avoid this, always select a delimiting character that is not used in your banner message.

Router#telnet 192.168.1.3

Trying 192.168.1.3 …Open

KEEP OUT OR Y

The banner in the example above is a message of the day (MOTD) banner, which is the first thing shown when a user connects, before the login prompt. Other types of banner messages include:

  • Login – shown after the MOTD banner and before the login prompt
  • Exec – shown after a successful login; use it when you want to hide the message from unauthenticated users

There are banner inputs as part of the labs at the end of the chapter. I suggest that you learn to configure all three types and test them by logging in to the router. You will have different choices depending on your platform and IOS:

Router(config)#banner ?

LINE            c banner-text c, where “c” is a delimiting character

exec            Set EXEC process creation banner

incoming        Set incoming terminal line banner

login           Set login banner

motd            Set Message of the Day banner

prompt-timeout  Set Message for login authentication timeout

slip-ppp        Set Message for SLIP/PPP

Shut Down Unused Ports

Any switch ports that are not being used should be both shut down and placed into an unused VLAN (one with no SVI that is not the native VLAN of any trunk), so that even if a port is brought up by mistake it lands somewhere harmless.

Switch(config)#interface range f0/10-20

Switch(config-if-range)#switchport access vlan 500

% Access VLAN does not exist. Creating vlan 500

Switch(config-if-range)#shutdown

Network Device Clock and NTP

For incident management and logging, it is important for a network device to have accurate timestamps with its logging messages. You can view the time on a device using the show clock command:

Switch#show clock

*23:09:45.773 UTC Tue Mar 2 1993

Use the clock set command in privileged EXEC mode to set the time. The time zone and recurring summer time, by contrast, are global configuration commands. The lines below set the time zone and then show two ways to enable recurring summer time: the first uses the default US rules; the second spells out the start (second Sunday in March at 02:00) and end (first Sunday in November at 02:00) explicitly:

clock timezone CST -6

clock summer-time CDT recurring

clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00

The output below shows how you can set the clock on a Cisco device:

Switch#clock set 14:55:05 March 29 2016

1d23h: %SYS-6-CLOCKUPDATE: System clock updated from 17:26:01 CST

Switch#show clock

*14:55:07.953 UTC Tue Mar 29 2016

Another option for updating the time on a network device is using the Network Time Protocol (NTP), which was discussed earlier. You will need to be able to configure your router as an NTP client for the CCNA exam.

Routers sync with an NTP server over UDP port 123 (not TCP). NTP is now included in the CCNA syllabus, and it is quite useful in ensuring that all the network devices in the same environment have the same time. A router can be configured to sync with an NTP server using the ntp server command, and you can verify the result with show ntp status and show ntp associations. Bear in mind that a device fed false time produces log timestamps that are useless for incident correlation and may reject valid certificates, so on production devices point NTP at servers you control and enable NTP authentication (ntp authenticate, ntp authentication-key and ntp trusted-key).

Switch(config)#ntp server 134.84.84.84 prefer

Switch(config)#ntp server 209.184.112.199

Update the IOS

One of the easiest ways to keep your switch or router secure is to maintain its software. IOS updates not only fix bugs (including security vulnerabilities), they also provide feature enhancements. Most of Cisco’s stackable switches offer lifetime warranties (which include software updates), so there is no excuse. You can request that Cisco TAC do a bug sweep if you are concerned about possible issues before an upgrade.

Disable Unused Services

A recommended best practice for increasing security is to disable unused services. An easy way to see which services can be turned on or off on a router is to use the service command in global configuration mode. Just use a question mark (?) to list them, as shown below (output truncated):

Router(config)#service ?

compress-config         Compress the configuration file

config                  TFTP load config files

counters                Control aging of interface counters

dhcp                    Enable DHCP server and relay agent

tcp-keepalives-in       Generate keepalives on idle incoming network

tcp-small-servers       Enable small TCP servers (e.g., ECHO)

telnet-zeroidle         Set TCP window 0 when connection is idle

timestamps              Timestamp debug/log messages

udp-small-servers       Enable small UDP servers (e.g., ECHO)

Here is a list of common services that should be disabled (or enabled), along with a brief description of each:

  • no service pad – rarely used; disables the X.25 packet assembler/disassembler service
  • no service config – prevents the device from trying to fetch its configuration file from a TFTP server at boot
  • no service finger – rarely used; disables the finger protocol, which lists logged-in users
  • no ip icmp redirect – prevents the router from sending ICMP redirects, which can help attackers learn about the network topology
  • no ip finger – another way to disable the finger service
  • no ip gratuitous-arps – stops the router sending unsolicited gratuitous ARP messages, a technique that is otherwise abused for ARP spoofing and man-in-the-middle attacks
  • no ip source-route – discards packets carrying the IP source-route option, which would let the sender dictate the path and bypass your routing policy
  • service sequence-numbers – adds a sequentially increasing number to each log entry so that missing or reordered messages are obvious
  • service tcp-keepalives-in – sends keepalives on incoming TCP sessions so that hung management sessions are torn down rather than left open
  • service tcp-keepalives-out – does the same for TCP sessions the device itself opened
  • no service udp-small-servers – disables the UDP echo, chargen, and discard servers, which are rarely used and can be abused for traffic amplification
  • no service tcp-small-servers – disables the TCP echo, chargen, discard, and daytime servers, which are rarely used
  • service timestamps debug datetime localtime show-timezone – timestamps each debug message with the date and time, using local time, and shows the time zone
  • service password-encryption – obscures clear text passwords in the configuration file with the type 7 algorithm; this is reversible and protects only against a casual glance at show run, not against anyone who obtains the configuration, so use enable secret and username ... secret for credentials that must be stored as hashes
  • service timestamps log datetime localtime show-timezone – timestamps each log message (not debug output) with the date and time, using local time, and shows the time zone

Using ACLs to Limit Telnet and SSH Access

You can use an ACL to determine who can access the VTY lines. First, create the access list, and then assign it to the VTY lines. I’ve added some other security-related commands also.

Switch(config)#access-list 11 permit 10.10.9.23

Switch(config)#access-list 11 permit 10.10.10.7

Switch(config)#line vty 0 15

Switch(config-line)#access-class 11 in

Switch(config-line)#transport input ssh

Switch(config-line)#transport output telnet ssh

Switch(config-line)#exec-timeout 5 0

Being able to configure the output above is a key CCNA exam topic, so make sure that you have it down cold. Let’s do a show run and take a look at the configuration; I also set SSH-only access, which you’ve seen how to do already. I displayed only the relevant part of the output below:

line vty 0 15

access-class 11 in

exec-timeout 5 0

transport input ssh

transport output telnet ssh

With that configuration, only the hosts 10.10.9.23 and 10.10.10.7 are allowed to connect, and they must use SSH; combined with login local and a username entry on the switch (shown in the labs), they must also present a locally defined username and password. If any one of those conditions fails, the session is not established. It is very important to note that you apply the ACL to the VTY lines with access-class, NOT with ip access-group (which is for interfaces). The exec-timeout 5 0 line terminates the session after five minutes and zero seconds of inactivity.

Restrict VLAN Information

All VLANs are permitted across a trunk link by default. To further lock down security, you can specify the VLANs that are permitted across a trunk link, as shown in the output below:

Switch(config)#int fast0/4

Switch(config-if)#switchport mode trunk

Switch(config-if)#switchport trunk allowed vlan ?

WORD    VLAN IDs of the allowed VLANs when this port is in trunking mode

add     add VLANs to the current list

all     all VLANs

except  all VLANs except the following

none    no VLANs

remove  remove VLANs from the current list

Switch(config-if)#switchport trunk allowed vlan 7-12

Switch(config-if)#^Z

Switch#show interface trunk

Port        Mode         Encapsulation  Status        Native vlan

Fa0/4       on           802.1q         trunking      1

Port        Vlans allowed on trunk

Fa0/4       7-12

Change the Native VLAN

As discussed earlier, the native VLAN is used to carry untagged traffic on a trunk link. The default native VLAN on a trunk port is VLAN 1, which attackers can count on. You can improve the security of the network by changing the native VLAN to an otherwise unused VLAN (any valid VLAN number from 2 to 4094) and never assigning that VLAN to an access port, so that untagged frames from a user port can never land on the trunk’s native VLAN (the basis of VLAN hopping via double tagging).

The native VLAN can be verified using the show interfaces [int] switchport command, as shown below:

Switch#show interfaces FastEthernet0/1 switchport

Name: Fa0/1

Switchport: Enabled

Administrative Mode: trunk

Operational Mode: trunk

Administrative Trunking Encapsulation: dot1q

Operational Trunking Encapsulation: dot1q

Negotiation of Trunking: On

Access Mode VLAN: 1 (default)

Trunking Native Mode VLAN: 1 (default)

Voice VLAN: none

The native VLAN can be changed using the switchport trunk native vlan interface-level command. Remember that both sides of the connection must have the same native VLAN.

Switch(config-if)#switchport trunk native vlan 888

Switch#show interfaces FastEthernet0/1 switchport

Name: Fa0/1

Switchport: Enabled

Administrative Mode: trunk

Operational Mode: trunk

Administrative Trunking Encapsulation: dot1q

Operational Trunking Encapsulation: dot1q

Negotiation of Trunking: On

Access Mode VLAN: 1 (default)

Trunking Native Mode VLAN: 888

Voice VLAN: none

This is one of the key objectives in the CCNA syllabus, so bear it in mind and ensure that you can issue the show and configuration commands above. Native VLANs must match on either side of a trunk link and they must also be manually configured if you want them to be a number other than 1. There is no autodetect feature for native VLANs, so you can’t rely on the other side of your trunk link setting itself to match the configured side.

Change the Management VLAN

As you know, a Switched Virtual Interface (SVI) can be created on the switch so that you can access it via Telnet/SSH for management purposes. By default, this is VLAN 1, the VLAN every port belongs to out of the box. A good security practice is to move management to a dedicated VLAN by creating another VLAN and SVI, as shown below, and then removing the IP address from interface VLAN 1 and shutting it down so that it can no longer be used for management:

Switch(config)#vlan 3

Switch(config-vlan)#interface vlan 3

%LINK-5-CHANGED: Interface Vlan3, changed state to up

Switch(config-if)#ip address 192.168.1.1 255.255.255.0

Simple Network Management Protocol

SNMP allows for the management of your network via one or more network management stations. SNMP uses a system of trap messages to notify the SNMP management station about events in the network. The SNMP management station can also poll the network device to determine its state. Finally, SNMP can also be used to remotely manage your network devices. SNMP is disabled by default; you can confirm this with the following command:

Switch#show snmp

%SNMP agent not enabled

Let’s configure SNMP for read-only access (use write access only if it is absolutely necessary) and with an ACL:

Switch(config)#snmp-server community HoWtOnEtWoRk ro 15

Switch(config)#access-list 15 permit 10.10.10.15

Switch(config)#access-list 15 permit 10.10.10.16

In the first line, SNMP was configured using the community string HoWtOnEtWoRk; it has read-only access (that is the ro), and only the two addresses in access list 15 are permitted to use it. It is fairly easy to secure SNMP; you just need to map out what you want to do. Bear in mind that with SNMPv1 and v2c the community string travels in clear text, just like a Telnet password, so an ACL alone is not enough on an untrusted network. SNMPv3 adds authentication and encryption and should be preferred. We will discuss SNMP again later in this guide.
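Both the access-class 11 in on the VTY lines and the snmp-server community ... ro 15 above rely on the same standard-ACL matching: entries are tested top to bottom, the first match decides, and a source that matches nothing hits the implicit deny any at the end. The Python below is an added example for this edit, not code from the book or from Cisco; it parses standard numbered ACL lines into address/wildcard pairs and evaluates a source address against them. ACLs 11 and 15 are the ones from this chapter; ACL 13, the entries using the host and any keywords, and the function names are constructed for the example.

```python
import ipaddress

# Constructed configuration: ACLs 11 and 15 are the ones used in this chapter for
# access-class and snmp-server community; ACL 13 is made up to show first-match order.
ACL_CONFIG = """
access-list 11 permit 10.10.9.23
access-list 11 permit 10.10.10.7
access-list 15 permit 10.10.10.15
access-list 15 permit 10.10.10.16
access-list 13 deny 10.10.9.23
access-list 13 permit 10.10.9.0 0.0.0.255
"""

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def parse_acls(config):
    """Parse standard numbered ACL lines into {number: [(action, address, wildcard), ...]}.
    A bare address means 'host' (wildcard 0.0.0.0); 'any' is 0.0.0.0 255.255.255.255."""
    acls = {}
    for raw in config.splitlines():
        parts = raw.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        number, action, target = int(parts[1]), parts[2], parts[3:]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in: {raw}")
        if target[0] == "any":
            address, wildcard = 0, ALL_ONES
        elif target[0] == "host":
            address, wildcard = _to_int(target[1]), 0
        else:
            address = _to_int(target[0])
            wildcard = _to_int(target[1]) if len(target) > 1 else 0
        acls.setdefault(number, []).append((action, address, wildcard))
    return acls


def entry_matches(source, address, wildcard):
    """Wildcard bits set to 1 are 'don't care'; only the 0 bits must be equal."""
    return (source ^ address) & (ALL_ONES ^ wildcard) == 0


def evaluate(entries, source_ip):
    """First matching entry wins; every IOS ACL ends with an implicit deny any."""
    source = _to_int(source_ip)
    for action, address, wildcard in entries:
        if entry_matches(source, address, wildcard):
            return action
    return "deny"


def vty_allowed(acls, number, source_ip):
    """Decision 'access-class <number> in' would make for a connection from source_ip.
    IOS treats a referenced ACL that does not exist as permit-all, so a missing
    number is reported loudly here instead of silently opening the VTY lines."""
    if number not in acls:
        raise KeyError(f"access-list {number} is referenced but not defined")
    return evaluate(acls[number], source_ip) == "permit"


if __name__ == "__main__":
    acls = parse_acls(ACL_CONFIG)
    for ip in ("10.10.9.23", "10.10.10.7", "10.10.10.8"):
        print(f"access-class 11: {ip:<12} -> {'permit' if vty_allowed(acls, 11, ip) else 'deny'}")
    for ip in ("10.10.9.23", "10.10.9.24", "10.10.8.1"):
        print(f"access-list 13:  {ip:<12} -> {evaluate(acls[13], ip)}")
```

ACL 13 shows the ordering trap: the deny for 10.10.9.23 only works because it sits above the permit for the whole 10.10.9.0/24 subnet; swap the two lines and the host would be permitted.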

Securing VTP

If you use VTP in your network, you will certainly want to configure a password. This ensures that only switches that know the password can join your VTP domain and alter its VLAN database. Note that the password is not sent as such; it is mixed into the MD5 digest that accompanies each advertisement, so it authenticates the advertisements but does not encrypt them.

Switch#show vtp password

The VTP password is not configured.

Let’s configure the password:

Switch(config)#vtp password IwAnTmYcCnA

Setting device VLAN database password to IwAnTmYcCnA

Switch(config)#end

Switch#show vtp password

VTP Password: IwAnTmYcCnA

You will have to configure the password on each switch in your VTP domain. If a switch does not have the password, it will not participate in VTP.

External Authentication Methods

We have explored how to configure local usernames on the router. Although the method is easy, it is not scalable, because it becomes very difficult to manage many usernames across many routers and switches. A better alternative is to use external authentication methods. External authentication can be provided using either the TACACS+ or the RADIUS protocol, which we briefly discussed earlier.

  • TACACS+ (Terminal Access Controller Access Control System Plus) is a Cisco-developed protocol (later documented in RFC 8907) that operates on TCP port 49. It is used to control administrative access to network devices.
  • RADIUS (Remote Authentication Dial-In User Service) is an open standard protocol (RFC 2865) used to authenticate and account for users who access the network. It operates on UDP ports 1812 (authentication) and 1813 (accounting); older implementations used 1645 and 1646.

To set up a router or a switch to use RADIUS/TACACS+, you need to set up AAA on the device. If you are interested in finding out how to go about this, it’s covered later.

AAA

AAA has been featured in the CCNA syllabus for a few years now, and you can expect to see at least a question about what it does. Cisco has now expanded on this, specifically addressing managing devices with AAA through TACACS+ and RADIUS.

AAA stands for Authentication, Authorization, and Accounting and each serves a different purpose:

  • Authentication – verifies identity (e.g., username and password)
  • Authorization – what is a person allowed to do (after authentication)?
  • Accounting – what did the person do?

An example of AAA would be online banking, which requires customers to log in using their username, password, and possibly some sort of PIN verification. Once logged in, customers are authorized to view their account balance but are not authorized to change it (unfortunately). The accounting part of AAA logs customers’ activities.

On Cisco devices, AAA serves two purposes, network access (e.g., what VLAN to place a user in) and device management (e.g., username/password to configure the device or just view privileges).

AAA Servers

You can use the local database of a device to perform some functions, such as check incoming connections against a list of permitted users, but if you want to use AAA to full effect, then it is recommended that you use external AAA servers. This service will usually go hand in hand with either RADIUS (Remote Authentication Dial-in User Service) or TACACS+ (Terminal Access Controller Access-Control System Plus) protocols, which are used to connect to and communicate with external AAA servers. Some AAA servers support either or both of these protocols.

Cisco Secure ACS (Access Control Server) supports both, whereas Cisco ISE (Identity Service Engine) used to support only RADIUS but now supports both.

TACACS+ provides a centralized way to validate users who are trying to gain access to a router or network access server. The TACACS+ client runs on the router and sends the login information to the server inside an encrypted payload when a user attempts to authenticate. A login ID and password are required, and once they are verified, the server can return an authorization profile restricting what the user can and cannot do.

RADIUS (as the name suggests) is designed to authenticate dial-in access to a network. The RADIUS client software resides on the router or Network Access Server (NAS) and communicates with the RADIUS server. Unlike TACACS+, it cannot control which commands an authenticated user can execute.

Figure 23.11 below demonstrates a user being authenticated using RADIUS, with the credentials username iinsuser and the password s3cur!ty. The NAS triggers the RADIUS process when the remote user attempts to authenticate after dialing in. The steps are outlined in more detail if you study for the CCNA Cyber Ops exam.

User authentication

FIG 23.11 – User authentication

Although TACACS+ and RADIUS provide the same function, they operate in different ways. Table 23-2 below summarizes the main differences:

Table 23-2: TACACS+ versus RADIUS

TACACS+ | RADIUS
TCP port 49 | UDP (1645/1646 legacy, or 1812/1813)
Encrypts the entire packet body (only the header is in clear text) | Obscures only the User-Password attribute; the rest of the packet is in clear text
Separates the authentication, authorization and accounting functions | Combines authentication and authorization in one exchange
Most suitable for device management (per-command authorization) | Most suitable for network access (802.1X, VPN, wireless)
Cisco proprietary (now documented in RFC 8907) | Open standard (RFC 2865)
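The "password field" row in Table 23-2 refers to the User-Password hiding scheme in RFC 2865 section 5.2, which is MD5-based obfuscation keyed with the shared secret rather than real encryption. The Python below is an added example for this edit, not code from the book; it implements that scheme for the password s3cur!ty from Figure 23.11, using a constructed shared secret (cisco, matching the key used later in this chapter) and a fixed Request Authenticator so that the output is reproducible. A real client draws a fresh random 16-byte authenticator for every Access-Request; the last line of the demonstration shows why that matters.

```python
import hashlib
import os


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to a 16-byte multiple, then XOR each
    block with MD5(secret + previous block), seeded with the Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    previous = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + previous).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        previous = block  # chaining: the next keystream depends on this ciphertext block
    return bytes(hidden)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password; the server runs this with the same shared secret."""
    if len(hidden) == 0 or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    plain = bytearray()
    previous = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + previous).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        previous = block
    return bytes(plain).rstrip(b"\x00")  # remove the NUL padding added by the client


def user_password_attribute(hidden: bytes) -> bytes:
    """Wrap the hidden value as a RADIUS attribute: Type 2, Length (header included), Value."""
    return bytes([2, 2 + len(hidden)]) + hidden


# Constructed values for the demonstration, not taken from any real exchange. The
# shared secret matches the 'key cisco' used later in the chapter; a real client
# takes the Request Authenticator from os.urandom(16) for every Access-Request.
SECRET = b"cisco"
AUTHENTICATOR = bytes(range(16))

if __name__ == "__main__":
    hidden = hide_user_password(b"s3cur!ty", SECRET, AUTHENTICATOR)
    print("hidden    :", hidden.hex())
    print("attribute :", user_password_attribute(hidden).hex())
    print("server    :", reveal_user_password(hidden, SECRET, AUTHENTICATOR))
    print("wrong key :", reveal_user_password(hidden, b"guess", AUTHENTICATOR))
    print("fresh RA  :", hide_user_password(b"s3cur!ty", SECRET, os.urandom(16)).hex())
```

Two things to notice: the keystream is just MD5 of the shared secret and a value that travels in the clear, so a weak secret such as cisco can be brute-forced offline from one captured Access-Request; and with a repeated authenticator the same password produces the same bytes, which is why the RFC requires a fresh one per request.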

Configuring AAA on Cisco Devices

Cisco does not specify that you must know how to configure AAA; however, configuration commands have been asked about in previous exams. Here are the steps:

  1. Enable AAA
  2. Define individual or group AAA servers (if using external AAA servers)
  3. Define method lists for different AAA functions
  4. Apply method lists to necessary parts of the device (e.g., VTY lines)

AAA is enabled with the following command:

R1(config)#aaa new-model

The effects of this command are that authentication is removed from the console line and local database authentication is applied to all other lines. This is why you must carefully plan your configurations before enabling AAA. It is recommended that you have a fallback username and password (just in case).

You can define AAA servers with the following commands:

R1(config)#radius-server host 10.0.0.100 key cisco

R1(config)#tacacs-server host 10.0.0.100 key cisco

The commands above are deprecated in current IOS releases in favour of named server blocks: radius server <name> and tacacs server <name>, each of which takes address ipv4 <ip> and key <secret> subcommands. Check the configuration guide for your IOS version for the exact syntax. Whichever form you use, the key must match the one configured on the server, and it should be a long random string rather than a dictionary word such as cisco.

End of Chapter Questions

Please visit https://www.howtonetwork.com/ccnasimplified to take the free Chapter 23 exam.

Chapter 23 Labs

Lab 1: Basic Router Security

The physical topology is shown in Figure 23.12 below:

Basic router security

FIG 23.12 – Basic router security

Lab Exercise

Your task is to configure basic access and security features on a router.

Purpose

Learn some basic steps to take to lock down your router.

Lab Objectives

  1. Protect enable mode with a password.
  2. Enable service password encryption.
  3. Protect the Telnet and console lines.
  4. Add a banner.
  5. Turn off CDP.
  6. Configure router logging.

Lab Walk-through

  1. Protect enable mode with an enable secret password. Test this by logging out of privileged mode and then logging back in:

Router#conf t

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#enable secret cisco

Router(config)#exit

Router#

%SYS-5-CONFIG_I: Configured from console by console

Router#exi

Router con0 is now available

Press RETURN to get started.

Router>en

Password:

Router#

  2. Replace the enable secret with an enable password and then add service password-encryption. This is done here only so you can see what type 7 looks like in the configuration; it is rarely done on live routers because type 7 is reversible, whereas the enable secret hash is not.

Router(config)#no enable secret

Router(config)#enable password cisco

Router(config)#service password-encryption

Router(config)#exit

Router#

%SYS-5-CONFIG_I: Configured from console by console

Router#show run

Building configuration…

Current configuration: 480 bytes

!

version 15.1

no service timestamps log datetime msec

no service timestamps debug datetime msec

service password-encryption

!

hostname Router

!

enable password 7 0822455D0A16
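The enable password 7 0822455D0A16 line above is why the service password-encryption bullet earlier in the chapter and this step call type 7 "not secure": the algorithm is a fixed XOR key that has been public since the 1990s, with the two leading digits giving the starting offset into that key. The Python below is an added example for this edit, not code from the book or from Cisco; it decodes and encodes type 7 strings and scans a configuration for every password 7 line. The enable password line in the sample configuration is the one shown above; the username line and its value are constructed for the example.

```python
import re

# Fixed XOR key Cisco IOS uses for type 7 (service password-encryption).
# It has been public knowledge for decades, which is the whole problem.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Decode a type 7 string: two decimal digits of seed, then hex bytes, each
    XORed with successive characters of XLAT starting at the seed offset."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded.isalnum():
        raise ValueError(f"not a type 7 string: {encoded!r}")
    seed = int(encoded[:2])
    if seed > 15:
        raise ValueError(f"seed out of range: {seed}")
    chars = []
    for i, pos in enumerate(range(2, len(encoded), 2)):
        byte = int(encoded[pos:pos + 2], 16)
        chars.append(chr(byte ^ ord(XLAT[(seed + i) % len(XLAT)])))
    return "".join(chars)


def type7_encode(plain: str, seed: int = 8) -> str:
    """Produce what IOS would store for a given seed; IOS picks a seed from 0 to 15."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    body = "".join(
        f"{ord(ch) ^ ord(XLAT[(seed + i) % len(XLAT)]):02X}" for i, ch in enumerate(plain)
    )
    return f"{seed:02d}{body}"


# Matches 'enable password 7 ...', 'username X password 7 ...', line passwords, etc.
TYPE7_LINE = re.compile(r"^(?P<prefix>.*\bpassword) 7 (?P<value>[0-9A-Fa-f]+)\s*$")


def recover_type7_passwords(config: str):
    """Walk a running-config and return (line, plaintext) for every type 7 credential."""
    found = []
    for line in config.splitlines():
        m = TYPE7_LINE.match(line.strip())
        if m:
            found.append((line.strip(), type7_decode(m.group("value"))))
    return found


# Constructed running-config excerpt: the enable password line is the one shown in
# this lab; the username line (seed 3, same plaintext) is made up for the example.
SAMPLE_CONFIG = """
service password-encryption
!
enable password 7 0822455D0A16
!
username howtonetwork password 7 030752180500
!
line vty 0 15
 login local
"""

if __name__ == "__main__":
    for line, plaintext in recover_type7_passwords(SAMPLE_CONFIG):
        print(f"{line:<48} -> {plaintext}")
```

Anyone who can read the configuration (a backup on a TFTP server, a show run pasted into a ticket) recovers every type 7 password instantly, so treat type 7 as obfuscation only and use enable secret and username ... secret, which store hashes, for anything that matters.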

  3. Protect the Telnet lines. Set a local username and password and have users enter these when connecting to the router. You may have more or fewer VTY lines depending on your platform. (On a production device, use username ... secret rather than username ... password so that the credential is stored as a hash rather than a reversible type 7 string.)

Router(config)#line vty 0 ?

[1-15] Last Line number

[cr]

Router(config)#line vty 0 15

Router(config-line)#login local

Router(config-line)#exi

Router(config)#username howtonetwork password cisco

You have tested Telnet before, but feel free to add a PC and telnet to the router so that you are prompted for a username and password.

  4. Protect the console port with a password. Set one directly on the console port.

Router(config)#line console 0

Router(config-line)#password cisco

You can test this by unplugging and plugging your console lead back into the router. You can also protect the auxiliary port on your router if you have one:

Router(config)#line aux 0

Router(config-line)#password cisco

  5. Protect the VTY lines by permitting only SSH traffic in. You can also permit only SSH traffic outbound. You will need a security (K9) image for this command to work.

Router(config)#line vty 0 15

Router(config-line)#transport input ssh

Router(config-line)#transport output ssh

  6. Add a banner message of the day (MOTD). Set the character that tells the router you have finished with your message as X (the delimiting character).

Router(config)#banner motd X

Enter TEXT message. End with the character “X”.

Do not use this router without authorization. X

Router(config)#exit

Router#exit

Router con0 is now available

Press RETURN to get started.

Do not use this router without authorization.

Router>

  7. Turn off CDP on the entire router. You can disable it on a single interface instead with the no cdp enable interface command.

Router(config)#no cdp run

You can test whether this is working by connecting a switch or router to your router, issuing the show cdp neighbor [detail] command before you turn off CDP, and then issuing it again afterwards; the neighbour entry disappears once its holdtime expires.

  8. Set the router to send logging messages to a host in the network:

Router#conf t

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#logging ?

A.B.C.D   IP address of the logging host

buffered  Set buffered logging parameters

console   Set console logging parameters

host      Set syslog server IP address and parameters

on        Enable logging to all enabled destinations

trap      Set syslog server logging level

userinfo  Enable logging of user info on privileged mode enabling

Router(config)#logging 10.1.1.1

Lab 2: Switch Security

The physical topology is shown in Figure 23.13 below:

Switch security

FIG 23.13 – Switch security

Lab Exercise

Your task is to configure basic access and security features on a switch. Please note that your switch will need to have a security image that permits basic security settings.

Purpose

Learn how to apply basic security settings on a Cisco switch.

Lab Objectives

  1. Set up Telnet access.
  2. Assign a management IP address to the switch.
  3. Configure SSH.

Lab Walk-through

  1. Connect a PC or laptop to your switch. In addition, set up a console connection for your configuration. The port to which you connect your PC will be the one you configure security settings on in this lab. I have chosen Fast Ethernet 0/1 on my switch.

Log in to the VTY lines and set up Telnet access, referring to a local username and password.

Switch#conf t

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)#line vty 0 ?

[1-15] Last Line number

[cr]

Switch(config)#line vty 0 15

Switch(config-line)#login local

Switch(config-line)#exit

Switch(config)#username days password cisco

Switch(config)#

  2. Add an IP address to VLAN 1 on the switch (all ports are in VLAN 1 automatically). Additionally, add the IP address 192.168.1.1 to your PC’s Fast Ethernet interface.

Switch(config)#interface Vlan1

Switch(config-if)#ip address 192.168.1.2 255.255.255.0

Switch(config-if)#no shut

%LINK-5-CHANGED: Interface Vlan1, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up

Switch(config-if)#^Z

Switch#ping 192.168.1.1 – Tests connection from switch to PC

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 31/31/32 ms

  3. Test Telnet by telnetting from your PC to your switch.

  4. Your IT manager changes his mind and wants only SSH access, so change this on your VTY lines. Only certain models and IOS versions will support the SSH commands.

Switch(config)#line vty 0 15

Switch(config-line)#transport input ssh

  5. Now telnet from your PC to the switch. Because only SSH is permitted, the connection should fail.

 
