CCNA Security 1.1 Instructional Resource

Transcript of the 24-page instructor slide deck (source: faculty.olympic.edu/kblackwell/docs/cis274/PowerPoint/...)

© 2012 Cisco and/or its affiliates. All rights reserved.

Page 1

CCNA Security 1.1 Instructional Resource Chapter 2 – Securing Network Devices

Page 2

• Secure the physical installation of and the administrative access to Cisco routers based on different network requirements using the CLI and CCP.

• Configure administrative roles using privilege levels and role-based CLI.

• Implement the management and reporting features of syslog, SNMP, SSH, and NTP.

• Examine router configurations with the Security Audit feature of CCP, and make the router and network more secure by using the auto secure command or the One-Step Lockdown feature of CCP.

Page 3

2.0 Securing Cisco Routers

2.1 Implement Security on Cisco routers

2.1.1 CCP Security Audit feature

2.1.2 CCP One-Step Lockdown feature

2.1.3 Secure router access using strong encrypted passwords, IOS login enhancements, and IPv6 security

2.1.4 Multiple privilege levels

2.1.5 Role-Based CLI

2.1.6 Cisco IOS image and configuration files

Page 4

5.0 Implement Secure Network Management and Reporting

5.1 Describe Secure Network Management

5.1.1 In-band

5.1.2 Out-of-band

5.1.3 Management protocols

5.1.4 Management enclave

5.1.5 Management plane

5.2 Implement Secure Network Management

5.2.1 SSH

5.2.2 Syslog

5.2.3 SNMP

5.2.4 NTP

5.2.5 SCP

5.2.6 CLI

5.2.7 CCP

Page 5

• Device hardening is a critical task that involves physically securing the router and protecting the router's administrative access using the Cisco IOS command-line interface (CLI) as well as the Cisco Configuration Professional (CCP).

• Some of these methods involve maintaining passwords, configuring enhanced virtual login features, and implementing Secure Shell (SSH).

• Securing the management and reporting features, such as syslog and Simple Network Management Protocol (SNMP), and configuring Network Time Protocol (NTP) are also examined.

• Many router services are enabled by default and a number of these features are no longer required and must be disabled. These services are examined using the Security Audit feature of CCP.

• Finally, the CCP One-Step Lockdown and the auto secure command are used to automate device-hardening tasks.

Page 6

• Chapter 2 Lab: Securing the Router for Administrative Access

Part 1: Basic Network Device Configuration

Part 2: Control Administrative Access for Routers

Part 3: Configure Administrative Roles

Part 4: Configure Cisco IOS Resilience and Management Reporting

Part 5: Configure Automated Security Features

Page 7

SSH: Secure Shell

UPS: uninterruptible power supply

Cain & Abel: password recovery tool for Microsoft Windows

L0phtcrack: password recovery tool for Microsoft Windows

MD5: Message Digest 5

Normal-Mode: A login block-for mode (state) in which a router keeps track of failed login attempts within a specified amount of time.

Quiet-Mode: A login block-for mode (state) in which failed login attempts have reached a specified threshold and the router no longer permits logins.

AAA: authentication, authorization, accounting

Page 8

DES: Data Encryption Standard

3DES: Triple DES

RSA: Algorithm named for its developers Ron Rivest, Adi Shamir and Leonard Adleman.

CIO: Chief Information Officer

Role-Based CLI: Allows the network administrator to define "views," which restrict user access to the Cisco IOS CLI to exercise better control over access to Cisco networking devices.

Cisco IOS Resilient Configuration: Cisco feature that secures the router image and maintains a secure working copy of the running configuration.

Out-of-band (OOB): Information flows on a dedicated management network on which no production traffic resides.

In-band: Information flows across an enterprise production network, the Internet, or both, using regular data channels.

Page 9

Read-only community strings: Provide read-only access to all objects in the SNMP MIB, except the community strings.

Read-write community strings: Provide read-write access to all objects in the SNMP MIB, except the community strings.

NTP: Network Time Protocol

UTC: Coordinated Universal Time

Security Audit Wizard: A CCP wizard that provides a list of vulnerabilities and then allows the administrator to choose which potential security-related configuration changes to implement on a router.

Cisco AutoSecure: A CLI command that initiates a security audit and then allows for configuration changes. Based on the mode selected, configuration changes can be automatic or require network administrator input.

One-Step Lockdown: A CCP Security Audit Wizard feature that provides a list of vulnerabilities and then automatically makes all recommended security-related configuration changes.

Page 10

Finger service: Used to find out which users are logged in to a network device. Should be disabled using no service finger.

BOOTP: Bootstrap Protocol. Used by a router to dynamically discover DHCP information from another device. Should be disabled using no ip bootp server.

PAD: Packet assembler/disassembler. Used for connections to legacy PAD devices. Should be disabled using no service pad.

MOP: Maintenance Operations Protocol. Enabled on Ethernet interfaces and used to communicate with legacy DEC devices. Should be disabled using no mop enable.

IP source route: Enables a host to control how a packet is routed. Should be disabled using no ip source-route.

IP GARPs: IP gratuitous ARPs. A gratuitous ARP is an unsolicited ARP broadcast. Should be disabled using no ip gratuitous-arps.

Page 11

• Cisco Configuration Professional (CCP) has replaced SDM to do the following:

To configure syslog logging.

To configure SNMP.

To configure NTP.

To conduct a Security Audit.

To perform a One-Step Lockdown.

Page 12

• The chapter 2 lab sets the stage for securing a network infrastructure. Students use CLI and CCP tools to secure local and remote access to the routers, analyze potential vulnerabilities, and take steps to mitigate them. They will also enable management reporting to monitor router configuration changes.

• This lab is divided into five parts. Each part can be administered individually or in combination with others as time permits. The main goal is to configure various Cisco IOS and CCP security features on routers R1 and R3. R1 and R3 are on separate networks and communicate through R2, which simulates a connection to an ISP. Students can work in teams of two for router security configuration, one student configuring R1 and the other student configuring R3.

• Although switches are shown in the topology, students can omit the switches and use crossover cables between the PCs and routers R1 and R3.

Page 13

• When discussing the service password-encryption command, a good demonstration is to copy a level 7 encrypted password and paste it into one of the many online Cisco password crackers to reveal the original plaintext password.

http://www.hope.co.nz/projects/tools/ciscopw.php

http://www.kazmier.com/computer/cisco-cracker.html

• Emphasize that the service password-encryption command is simply there to stop shoulder surfing.

Ask the students: "Why does the IOS not encrypt all passwords using MD5?"

Explain that not every Cisco IOS password can be stored as an MD5 hash, because some protocols, such as CHAP authentication, require the router to recover the plaintext password, which an MD5 hash does not allow.

Page 14

• Make sure to explain that the enable secret command should always be used instead of the enable password command.

If both are configured, the enable secret supersedes the enable password command.
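To make the points on the two preceding slides concrete, here is an added example (not from the slide deck) that audits a constructed running-config for credentials stored in a recoverable form, type 0 or type 7, and for use of enable password where enable secret belongs; the regular expression, the function name and the placeholder config values are assumptions of this example:

```python
import re

# Constructed running-config excerpt (not from the slide deck); the type 7 and
# type 5 values are placeholders, not real credentials.
CREDENTIAL_CONFIG = """\
hostname R1
service password-encryption
enable password 7 0822455D0A16
enable secret 5 $1$PLAC$eholderhashvalue0000000
username admin password 0 cisco123
username ops secret 5 $1$PLAC$eholderhashvalue1111111
line vty 0 4
 password 7 094F471A1A0A
 login
line con 0
 password cisco
 login
"""

# How IOS stores each credential type: 0 (or no type keyword) is plaintext,
# 7 is the reversible obfuscation that service password-encryption applies,
# 5 is a salted MD5 hash (enable secret / username secret), and 8 and 9 are
# PBKDF2 and scrypt on newer releases. Only types 0 and 7 can be recovered.
WEAK_TYPES = {"0": "plaintext", "7": "reversible type 7 obfuscation"}

CRED_RE = re.compile(
    r"^\s*(?P<prefix>enable password|enable secret|username \S+ (?:password|secret)|password)"
    r"(?:\s+(?P<type>\d+))?\s+(?P<value>\S+)\s*$"
)

def audit_credentials(config):
    """Return (line number, finding) for every credential stored in a recoverable
    form, plus a finding wherever enable password is used instead of enable secret."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        m = CRED_RE.match(line)
        if not m:
            continue
        prefix, ptype = m.group("prefix"), m.group("type") or "0"
        if prefix == "enable password":
            findings.append((lineno, "enable password in use; enable secret should replace it"))
        if ptype in WEAK_TYPES:
            findings.append((lineno, f"{prefix}: stored as {WEAK_TYPES[ptype]}"))
    return findings
```

Note that service password-encryption is present in the sample and still leaves four recoverable credentials, which is the shoulder-surfing point made above.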

Page 15

• To illustrate why the enhanced login features of the login block-for command should be configured:

Interconnect a router -> switch -> hosts and ping to verify connectivity.

Change the Telnet password.

Ask students to attempt to log in.

Next, configure the login block-for command.

Ask students to attempt to log in again and observe the results.

Use the show login and show login failures commands to observe the results.
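To show what the students will observe in the demonstration above, here is an added model (not part of the slide deck) of the login block-for state machine, using the Normal-Mode and Quiet-Mode states defined in the glossary; the class name, the timings and the rule that a successful login clears the failure count are assumptions of this example:

```python
from collections import deque

class LoginBlockFor:
    """Model of `login block-for <block> attempts <tries> within <window>`.

    Normal-Mode: the router counts failed logins inside a sliding window.
    Quiet-Mode: once `tries` failures land inside `window` seconds, the router
    refuses further logins for `block` seconds (except sources permitted by
    `login quiet-mode access-class`, which this model omits).
    Assumption in this model: a successful login clears the failure count.
    """

    def __init__(self, block, tries, window):
        self.block, self.tries, self.window = block, tries, window
        self.failures = deque()   # timestamps (seconds) of recent failed attempts
        self.quiet_until = None   # end of quiet-mode, or None while in normal-mode

    def mode(self, now):
        if self.quiet_until is not None and now < self.quiet_until:
            return "quiet"
        return "normal"

    def attempt(self, now, success):
        """Process one login attempt at time `now`; return 'blocked', 'ok' or 'failed'."""
        if self.mode(now) == "quiet":
            return "blocked"          # refused before any credentials are checked
        self.quiet_until = None
        while self.failures and now - self.failures[0] > self.window:
            self.failures.popleft()   # failures older than the window no longer count
        if success:
            self.failures.clear()
            return "ok"
        self.failures.append(now)
        if len(self.failures) >= self.tries:
            self.quiet_until = now + self.block   # threshold reached: enter quiet-mode
            self.failures.clear()
        return "failed"

def demo():
    """Replay of the classroom exercise with `login block-for 120 attempts 3 within 60`:
    three bad passwords, then a correct one that is refused, then one after the block."""
    router = LoginBlockFor(block=120, tries=3, window=60)
    events = [(0, False), (10, False), (20, False), (30, True), (125, True), (140, True)]
    return [(t, router.attempt(t, ok), router.mode(t)) for t, ok in events]
```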

Page 16

• To illustrate why SSH is more secure than Telnet:

Interconnect and configure a router -> hub -> hosts.

Each host should be able to ping the router gateway address.

Each host starts Wireshark.

One host Telnets and authenticates into the router.

Observe the Wireshark transfer and locate the Telnet flow.

Highlight a flow and from the Menu Bar, choose Analyze > Follow TCP Stream.

The username and password can be identified this way.

Repeat the exercise, but this time SSH into the router.

The content is no longer divulged.

Page 17

• To explain the RSA key used by SSH:

Write down eight binary ones (1111 1111) and ask students what decimal number that is equal to. (255)

Add another 1 bit (1 1111 1111) and ask what it is equal to now. (1023)

Keep repeating the previous step a few times.

Contrast this with the number of possible IPv4 addresses (32 bits = 4 billion).

Contrast this with the number of possible IPv6 addresses (128 bits = 340 trillion trillion trillion, or 340 undecillion).

Now highlight that the RSA key has 1,024 bits and ask them to imagine how big of a key this creates.

What are the odds that something could calculate the exact same key in a reasonable amount of time?

• SSH uses RSA keys to authenticate users instead of (or in addition to) a username/password.

Page 18

• To highlight the difference between privilege levels and role-based CLI:

Interconnect a router -> switch -> hosts.

Configure privileged EXEC and Telnet access.

Verify connectivity using ping.

Ask one student to Telnet into the router and secretly configure something.

Ask another student to do the same.

Repeat with several students.

Now reveal the running-config and explain how there is no way to really tell who typed in which command.

• Once privilege levels are configured, explain that although there is some control, there are still some limitations.

• Once role-based CLI is configured, explain how logins can be easily customized.
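The accountability gap in the demonstration above is closed by per-user accounts plus configuration-change logging. As an added example (not from the slide deck), the following parses constructed syslog lines of the kind IOS produces when configuration logging is enabled and attributes each command to the user who entered it; the sample lines, their exact spacing and the sensitive-prefix list are assumptions of this example:

```python
import re
from collections import defaultdict

# Constructed syslog lines (not captured from a real router) in the shape IOS
# emits once `archive` > `log config` > `logging enable` and `hidekeys` are set;
# the message name %PARSER-5-CFGLOG_LOGGEDCMD is real, the spacing is an
# assumption, and hidekeys is why the secret is logged as *****.
SAMPLE_SYSLOG = """\
<189>45: *Mar  1 00:12:01.123: %PARSER-5-CFGLOG_LOGGEDCMD: User:alice  logged command:interface GigabitEthernet0/1
<189>46: *Mar  1 00:12:05.456: %PARSER-5-CFGLOG_LOGGEDCMD: User:alice  logged command:shutdown
<189>47: *Mar  1 00:13:10.789: %PARSER-5-CFGLOG_LOGGEDCMD: User:bob  logged command:no ip domain-lookup
<189>48: *Mar  1 00:14:00.000: %SYS-5-CONFIG_I: Configured from console by bob on vty0 (10.0.0.5)
<189>49: *Mar  1 00:15:30.321: %PARSER-5-CFGLOG_LOGGEDCMD: User:bob  logged command:enable secret 5 *****
"""

CFGLOG_RE = re.compile(
    r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$"
)

# Command prefixes that change who can reach or control the device, or take a
# link down; a change to any of these by an unexpected user is what to review first.
SENSITIVE_PREFIXES = (
    "enable secret", "enable password", "username", "aaa ",
    "transport input", "privilege ", "parser view", "shutdown",
)

def commands_by_user(syslog):
    """Group logged configuration commands by the authenticated user who typed them."""
    per_user = defaultdict(list)
    for line in syslog.splitlines():
        m = CFGLOG_RE.search(line)
        if m:
            per_user[m.group("user")].append(m.group("cmd").strip())
    return dict(per_user)

def flag_sensitive(syslog):
    """Return (user, command) pairs that touch access control or interface state."""
    return [(user, cmd)
            for user, cmds in commands_by_user(syslog).items()
            for cmd in cmds if cmd.startswith(SENSITIVE_PREFIXES)]
```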

Page 19

• Ask students what they think is the worst a hacker could do if he gained access to the privileged EXEC mode of an edge router?

Possible answers include (but are not limited to) alter the configuration, reload the router, erase the startup config, erase the IOS, format flash, …

• Explain that the Cisco IOS Resilient Configuration feature secures the IOS image and maintains a secure copy of the startup-configuration file.

Even if a hacker gains access, he will not be able to completely delete the two files and restoration would be very quick.

Page 20

• When discussing the disabling of unneeded services and protocols, make sure to identify each service and carefully explain its function and why it needs to be disabled.

• A good journal exercise is to assign the students to create a table consisting of three columns.

The first column identifies the service.

The second is a short description of the service.

The third is the CLI command to disable or enable the service.

• Students can use the CCP Security Audit to drive this section.

Specifically, use the Security Audit Wizard on a router and, when you get to the Security Audit Report screen, click on the different security problems identified and explain them. This also displays the equivalent CLI command to disable each service.
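The table exercise above, together with the earlier SSH-versus-Telnet demonstration, can be turned into a check against a saved running-config. This added example (not from the slide deck) encodes the chapter's list of unneeded services with their disabling commands, reports which are explicitly disabled, and flags vty lines that still accept Telnet; the constructed config and the function names are assumptions of this example:

```python
# Constructed running-config excerpt (not from the slide deck).
HARDENING_CONFIG = """\
no service pad
no ip source-route
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 no mop enable
interface GigabitEthernet0/1
 ip address 10.0.1.1 255.255.255.0
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
"""
# The chapter's unneeded services: disabling command and the scope it is set in.
UNNEEDED_SERVICES = [
    ("finger", "no service finger", "global"),
    ("bootp server", "no ip bootp server", "global"),
    ("pad", "no service pad", "global"),
    ("mop", "no mop enable", "interface"),
    ("ip source-route", "no ip source-route", "global"),
    ("gratuitous arps", "no ip gratuitous-arps", "global"),
]

def stanzas(config, prefix):
    """Return [(heading, [sub-commands])] for every stanza whose heading starts with prefix."""
    out, current = [], None
    for raw in config.splitlines():
        if raw.startswith(prefix):
            current = (raw, [])
            out.append(current)
        elif raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = None        # a different stanza started; stop collecting
    return out

def audit_services(config):
    """Map each service to 'disabled', 'default (verify)', or the interfaces missing it.
    show running-config omits defaults, so an absent 'no ...' line must be confirmed."""
    lines, status = config.splitlines(), {}
    for name, cmd, scope in UNNEEDED_SERVICES:
        if scope == "global":
            status[name] = "disabled" if cmd in lines else "default (verify)"
        else:   # per-interface command: every Ethernet interface needs its own line
            missing = [h for h, sub in stanzas(config, "interface") if cmd not in sub]
            status[name] = "disabled" if not missing else "missing on " + ", ".join(missing)
    return status

def audit_vty(config):
    """Flag vty lines that still accept cleartext Telnet, which exposes credentials on the wire."""
    return [f"{heading}: {t or 'no transport input'} permits Telnet"
            for heading, sub in stanzas(config, "line vty")
            for t in [next((c for c in sub if c.startswith("transport input")), None)]
            if t is None or "telnet" in t or t.endswith(" all")]
```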

Page 21

• There are many areas of classroom discussion in this chapter. Discussion topics can include, but are not limited to, the following:

Which social networks or services do you subscribe to that require password authentication? What’s the worst someone could do if they got your password? How do you create your password? Is it strong? How could you make it stronger?

We know that SSH is more secure than Telnet. Is there a reason why you would still use Telnet? How could you make Telnet more secure?

If CCP can be used to configure and secure a router, is CLI still valuable to know? When would knowing the CLI be better?

What types of IT infrastructure jobs are there in a Network Operation Center? Should all of these positions have the same level of access to the infrastructure devices? Have students research these various job titles and report back.

Page 22

• There are many examples of security breaches that have occurred in the news lately. Ask students to research some of these and report back on how they could have been deterred better.

http://en.wikipedia.org/wiki/Password#Incidents

Page 23

• http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml

• http://www.nytimes.com/2010/01/21/technology/21password.html

• http://www.differencebetween.net/technology/internet/difference-between-telnet-and-ssh/

• http://www.cisco.com/en/US/products/ps9422/index.html

• Download a trial version of Cisco CDP Monitor:

http://www.tallsoft.com/download.htm
