CCNA Security 1.1
Instructional Resource
Chapter 2 – Securing Network Devices
© 2012 Cisco and/or its affiliates. All rights reserved.
• Secure the physical installation of and the administrative access
to Cisco routers based on different network requirements using
the CLI and CCP.
• Configure administrative roles using privilege levels and role-
based CLI.
• Implement the management and reporting features of syslog,
SNMP, SSH, and NTP.
• Examine router configurations with the Security Audit feature of
CCP, and make the router and network more secure by using the
auto secure command or the One-Step Lockdown feature of
CCP.
2.0 Securing Cisco Routers
2.1 Implement Security on Cisco routers
2.1.1 CCP Security Audit feature
2.1.2 CCP One-Step Lockdown feature
2.1.3 Secure router access using strong encrypted passwords, IOS login
enhancements, and IPv6 security
2.1.4 Multiple privilege levels
2.1.5 Role-Based CLI
2.1.6 Cisco IOS image and configuration files
5.0 Implement Secure Network Management and Reporting
5.1 Describe Secure Network Management
5.1.1 In-band
5.1.2 Out-of-band
5.1.3 Management protocols
5.1.4 Management enclave
5.1.5 Management plane
5.2 Implement Secure Network Management
5.2.1 SSH
5.2.2 Syslog
5.2.3 SNMP
5.2.4 NTP
5.2.5 SCP
5.2.6 CLI
5.2.7 CCP
• Device hardening is a critical task that involves physically securing the
router and protecting the router's administrative access using the Cisco
IOS command-line interface (CLI) as well as the Cisco Configuration
Professional (CCP).
• Some of these methods involve maintaining passwords, configuring
enhanced virtual login features, and implementing Secure Shell (SSH).
• Securing the management and reporting features such as syslog,
Simple Network Management Protocol (SNMP), and configuring
Network Time Protocol (NTP) are also examined.
• Many router services are enabled by default and a number of these
features are no longer required and must be disabled. These services
are examined using the Security Audit feature of CCP.
• Finally, the CCP One-Step Lockdown and the auto secure command
are used to automate device-hardening tasks.
• Chapter 2 Lab: Securing the Router for Administrative Access
Part 1: Basic Network Device Configuration
Part 2: Control Administrative Access for Routers
Part 3: Configure Administrative Roles
Part 4: Configure Cisco IOS Resilience and Management Reporting
Part 5: Configure Automated Security Features
SSH
Secure Shell
UPS
uninterruptible power supply
Cain & Abel
password recovery tool for Microsoft Windows
L0phtcrack
password recovery tool for Microsoft Windows
MD5
Message Digest 5
Normal-Mode
A login block-for mode (state) in which a router keeps
track of failed login attempts within a specified amount of time.
Quiet-Mode
A login block-for mode (state) entered once failed login
attempts reach the configured threshold. For the block period the
router denies further login attempts, except from hosts permitted
by the quiet-mode access-class ACL.
AAA
authentication, authorization, accounting
DES
data encryption standard
3DES
triple DES
RSA
Public-key algorithm named for its inventors Ron Rivest, Adi Shamir
and Leonard Adleman.
CIO
Chief Information Officer
Role-Based CLI
Allows the network administrator to define "views," which
restrict user access to Cisco IOS CLI to exercise better control
over access to Cisco networking devices.
Cisco IOS Resilient
Configuration
Cisco feature that secures the router IOS image in flash and maintains
a secure working copy of the running configuration.
Out-of-band (OOB)
Information flows on a dedicated management network on
which no production traffic resides.
In-band
Information flows across an enterprise production network, the
Internet, or both using regular data channels.
Read-only community strings
Provides read-only access to all objects in the SNMP MIB,
except the community strings.
Read-write community strings
Provides read-write access to all objects in the SNMP MIB,
except the community strings.
NTP
Network Time Protocol
UTC
Coordinated Universal Time
Security Audit Wizard
A CCP wizard that provides a list of vulnerabilities and then
allows the administrator to choose which potential security-related
configuration changes to implement on a router.
Cisco AutoSecure
A CLI command that initiates a security audit and then allows
for configuration changes. Based on the mode selected,
configuration changes can be automatic or require network
administrator input.
One-Step Lockdown
A CCP Security Audit Wizard feature that provides a list of
vulnerabilities and then automatically makes all recommended
security-related configuration changes.
Finger service
Used to find out which users are logged into a network device.
Should be disabled using no service finger
BOOTP
Bootstrap Protocol, the predecessor of DHCP. The ip bootp server
service lets the router answer BOOTP requests from other devices
with addressing information.
Should be disabled using no ip bootp server unless the router is
intentionally serving addresses.
PAD
Packet assembler/disassembler. Used for connections to
legacy PAD devices.
Should be disabled using no service pad.
MOP
Maintenance Operation Protocol. Enabled on Ethernet
interfaces and used to communicate with legacy DEC devices.
Should be disabled on each interface using no mop enabled.
IP source route
Enables a host to control how a packet is routed.
Should be disabled using no ip source-route.
IP GARPs
IP gratuitous ARPs. It is an unsolicited ARP broadcast.
Should be disabled using no ip gratuitous-arps.
• Cisco Configuration Professional (CCP) has replaced the Security
Device Manager (SDM) and is used to do the following:
To configure syslog logging.
To configure SNMP.
To configure NTP.
To conduct a Security Audit.
To perform a One-Step Lockdown.
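The management and reporting features listed above, as an added CLI example of what the CCP screens generate. This is not configuration from the original deck: the addresses, interface, user and group names, and the passphrases and NTP key are placeholders to replace with your own. It uses SNMPv3 with authentication and privacy instead of community strings, and authenticated NTP so that the timestamps on syslog messages can be trusted.

```cisco
configure terminal
! Added example (not from the original deck). Addresses, names and keys are placeholders.
!
! --- Syslog: timestamped, buffered locally and sent to a collector from a fixed source ---
service timestamps log datetime msec localtime show-timezone
logging buffered 16384 informational
logging trap informational
logging source-interface Loopback0
logging host 10.0.0.50
!
! --- SNMP: version 3 with authentication and privacy; no community strings ---
! Read-only view over the whole MIB tree
snmp-server view RO-VIEW iso included
! Group that requires auth + priv and may only read RO-VIEW
snmp-server group NMS-GROUP v3 priv read RO-VIEW
! Passphrases must be at least 8 characters
snmp-server user nmsuser NMS-GROUP v3 auth sha AuthPassphrase1 priv aes 128 PrivPassphrase1
! Traps for config changes and for failed SNMP authentication (someone probing with wrong creds)
snmp-server enable traps config
snmp-server enable traps snmp authentication
snmp-server host 10.0.0.50 version 3 priv nmsuser
!
! --- NTP: authenticated time from an internal server ---
ntp authentication-key 1 md5 NtpKey1
ntp authenticate
ntp trusted-key 1
ntp server 10.0.0.10 key 1
clock timezone UTC 0
end
!
! Verification
show logging
show snmp user
show snmp group
show ntp associations
show ntp status
```

Check that show snmp user reports the user with an auth and priv protocol, and that show ntp associations marks the server with an asterisk (synchronised) and shows it as authenticated; until the NTP key on both sides matches, the router will not accept the server's time and logging timestamps will be wrong.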
• The chapter 2 lab sets the stage for securing a network
infrastructure. Students use CLI and CCP tools to secure local
and remote access to the routers, analyze potential
vulnerabilities, and take steps to mitigate them. They will also
enable management reporting to monitor router configuration
changes.
• This lab is divided into five parts. Each part can be administered
individually or in combination with others as time permits. The
main goal is to configure various Cisco IOS and CCP security
features on routers R1 and R3. R1 and R3 are on separate
networks and communicate through R2, which simulates a
connection to an ISP. Students can work in teams of two for
router security configuration, one student configuring R1 and the
other student configuring R3.
• Although switches are shown in the topology, students can omit
the switches and use crossover cables between the PCs and
routers R1 and R3.
• When discussing the service password-encryption
command, a good demonstration is to copy a type 7 (level 7) encrypted
password from the running configuration and paste it into one of the many
online Cisco password crackers to reveal the plaintext password.
http://www.hope.co.nz/projects/tools/ciscopw.php
http://www.kazmier.com/computer/cisco-cracker.html
• Emphasize that the service password-encryption
command is only meant to stop shoulder surfing: type 7 is a reversible
obfuscation, not encryption.
Ask the students "Why does the IOS not hash all passwords with MD5?"
Explain that some passwords must remain recoverable by the router itself. A
protocol such as PPP CHAP requires the router to know the plaintext password to
compute its response, so a one-way MD5 hash (type 5, as used by enable secret)
would not work there. Passwords the router only ever needs to verify, such as
enable secret and username ... secret, should always be stored as type 5 hashes.
• Make sure to explain that the enable secret command
should always be used instead of the enable password
command: enable secret stores a salted MD5 hash (type 5), whereas
enable password stores the password in clear text or, at best, as a
reversible type 7 string.
If both are configured, the enable secret supersedes the enable
password command.
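The two points above (type 7 is reversible; enable secret beats enable password), as an added example that is not from the original deck. The hostname and all passwords are placeholders. The only literal value that matters is the type 7 string 070C285F4D06, which is the well-known type 7 encoding of "cisco"; the key chain trick at the end is the on-box equivalent of the online crackers the slide links to, because show key chain displays a type 7 key-string in clear text.

```cisco
configure terminal
! Added example (not from the original deck). Hostname and passwords are placeholders.
hostname R1
!
! Type 5 (salted MD5 hash): cannot be reversed. Always use this for enable.
enable secret Str0ngEnablePass!
! If both exist, enable secret wins, so a leftover enable password is just a weak copy: remove it.
no enable password
!
! Local user with a hashed (type 5) secret instead of a type 7 password
username admin privilege 15 secret Adm1nPass!
!
! Obscures passwords that must stay recoverable (line passwords, PPP CHAP, NTP keys, ...).
! Type 7 is reversible: this defeats shoulder surfing, nothing more.
service password-encryption
!
line console 0
 password ConsolePass1
 login
line vty 0 4
 password VtyPass1
 login
end
!
! Check: "secret 5" entries are hashes, "password 7" entries are reversible.
show running-config | include password|secret
!
! Demonstration: recover a type 7 string on the router itself.
! 070C285F4D06 is the type 7 encoding of "cisco".
configure terminal
key chain TYPE7-DEMO
 key 1
  key-string 7 070C285F4D06
end
! show key chain prints the key-string decoded: cisco
show key chain
! Clean up
configure terminal
no key chain TYPE7-DEMO
end
```

The practical rule that follows: anything that can be a secret (enable secret, username ... secret) should be, and every remaining "password 7" line in show running-config should be treated as if it were plaintext when the configuration is stored, e-mailed or pasted into a ticket.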
• To illustrate why the enhanced login features of the login
block-for command should be configured:
Interconnect a router -> switch -> hosts and ping to verify connectivity.
Change the Telnet password.
Ask students to attempt to login.
Next, configure the login block-for command.
Ask students to attempt to login again and observe the results.
Use the show login and show login failures commands to observe the results.
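The demonstration above, as an added configuration example that is not from the original deck. The admin subnet, timers and thresholds are placeholders. The quiet-mode ACL is the caveat students should see: without it, an attacker who triggers quiet mode locks the administrators out as well.

```cisco
configure terminal
! Added example (not from the original deck). Addresses and timers are placeholders.
!
! Hosts that may still log in while the router is in quiet mode (the admin subnet)
ip access-list standard PERMIT-ADMIN
 permit 10.1.1.0 0.0.0.255
exit
!
! Enter quiet mode for 120 s after 3 failed logins within 60 s
login block-for 120 attempts 3 within 60
! Exempt the admin ACL from the lockout so a guessing attack cannot lock you out
login quiet-mode access-class PERMIT-ADMIN
! Wait 3 s between login attempts to slow automated guessing
login delay 3
! Syslog every failure and every success (who, from where, when)
login on-failure log every 1
login on-success log
end
!
! Verification: mode (Normal-Mode / Quiet-Mode), counters and the failure table
show login
show login failures
```

show login reports whether the router is presently in Normal-Mode or Quiet-Mode and how many failed attempts remain before the threshold; show login failures lists the usernames, source addresses and timestamps of the failed attempts that are still within the watch window.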
• To illustrate why SSH is more secure than Telnet:
Interconnect and configure a router -> hub -> hosts.
Each host should be able to ping the router gateway address.
Each host starts Wireshark.
One host Telnets and authenticates into the router.
Observe the Wireshark transfer and locate the Telnet flow.
Highlight a flow and from the Menu Bar, choose Analyze > Follow TCP
Stream.
The username and password can be identified this way.
Repeat exercise but this time SSH into the router.
The username, password and session content are no longer visible; only the
encrypted SSH stream is captured.
• To explain the RSA key used by SSH:
Write down eight binary ones (1111 1111) and ask students what decimal
number that is equal to. (255)
Add another 1 bit (1 1111 1111) and ask what it equals now. (511)
Keep repeating the previous step a few times; every added bit doubles the range.
Contrast this with the number of possible IPv4 addresses (32 bits = about 4.3 billion).
Contrast this with the number of possible IPv6 addresses (128 bits = about 340
undecillion, or 340 trillion trillion trillion).
Now highlight that the RSA key in the lab has a 1,024-bit modulus and ask them to
imagine how large that number is.
What are the odds that something could guess or compute the same key in a
reasonable amount of time? Point out that the real question is how long it takes
to factor the modulus, not to guess it: 1,024-bit RSA is no longer considered
adequate, and 2,048 bits should be used for new keys.
• On the router, the RSA key pair generated with crypto key generate rsa is the
SSH host key: it authenticates the router to the SSH client and protects the key
exchange. Users still authenticate with a username and password unless
public-key authentication is configured separately.
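The SSH-instead-of-Telnet demonstration and the RSA host key discussed above, as one added configuration example that is not from the original deck. Hostname, domain, key label, user and management subnet are placeholders. It generates a 2,048-bit host key rather than the 1,024-bit default, forces SSH version 2, and restricts the VTY lines to SSH from the management subnet only, which is the setting that makes the second Wireshark capture show nothing but ciphertext.

```cisco
configure terminal
! Added example (not from the original deck). Names and addresses are placeholders.
!
! The host key is derived from hostname + domain name, so set both first
hostname R1
ip domain-name example.net
!
! Router's SSH host key pair. 2048 bits: the 1024-bit lab default is deprecated.
crypto key generate rsa general-keys label SSH-HOSTKEY modulus 2048
!
! SSH v2 only, short negotiation timeout, few retries
ip ssh version 2
ip ssh rsa keypair-name SSH-HOSTKEY
ip ssh time-out 60
ip ssh authentication-retries 2
!
! Local account with a hashed secret for login local
username admin privilege 15 secret Adm1nPass!
!
! Only the management subnet may open a VTY session
ip access-list standard MGMT-HOSTS
 permit 10.1.1.0 0.0.0.255
exit
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 login local
 exec-timeout 5 0
end
!
! Verification
show ip ssh
show ssh
show crypto key mypubkey rsa
```

show ip ssh should report "SSH Enabled - version 2.0"; a Telnet attempt to the router after transport input ssh is refused outright, which is the cleanest way to prove to the class that the clear-text path is gone rather than merely unused. Re-running the Wireshark exercise now shows only the SSH key exchange and encrypted packets; Analyze > Follow TCP Stream yields no credentials.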
• To highlight the difference between privilege levels and role based
CLI:
Interconnect a router -> switch -> hosts.
Configure privileged EXEC and Telnet access.
Verify connectivity using ping.
Ask one student to Telnet into the router and secretly configure something.
Ask another student to do the same.
Repeat with several students.
Now reveal the running-config and explain how there is no way to really tell
who typed in which command.
• Once privilege levels are configured, explain that although there
is some control, there are still limitations: levels are strictly
cumulative (a user at level 10 also has every command assigned to levels
below 10), so there is no way to grant a set of commands without granting
everything beneath it.
• Once role-based CLI is configured, explain how views let each login be
given exactly the commands its role needs, independent of the level ladder.
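The three points of the exercise above (privilege levels, role-based CLI, and attributing commands to the user who entered them), as an added configuration example that is not from the original deck. User names, secrets and the view name are placeholders. The final part uses the configuration change logger (archive / log config), which records each configuration command together with the user and session that entered it and therefore answers the "who typed which command" question the exercise raises.

```cisco
configure terminal
! Added example (not from the original deck). User names, secrets and view names are placeholders.
!
! --- Privilege levels: one level between user EXEC (1) and privileged EXEC (15) ---
! A level-5 user gets everything at level 1 plus these two commands, nothing else.
privilege exec level 5 show running-config
privilege exec level 5 ping
enable secret level 5 Level5Pass!
username helpdesk privilege 5 secret HelpDesk1!
!
! --- Role-based CLI needs AAA. Create the admin and enable secret BEFORE aaa new-model
!     so you cannot lock yourself out of the router.
username admin privilege 15 secret Adm1nPass!
enable secret RootView1!
aaa new-model
aaa authentication login default local
aaa authorization exec default local
end
!
! Enter the root view (prompts for the enable secret), then define a view.
enable view
configure terminal
parser view NETOPS
 secret NetOps1!
 commands exec include all show
 commands exec include ping
 commands exec include-exclusive configure terminal
 commands configure include interface
 commands interface include description
 commands interface include shutdown
 exit
! Bind a login to the view: this user lands in NETOPS, not in privileged EXEC
username netops view NETOPS secret NetOpsUser1!
!
! --- Attribution: log every configuration command with the user who entered it ---
archive
 log config
  logging enable
  logging size 500
  hidekeys
  notify syslog
end
!
! Verification (from the root view)
show parser view all
show privilege
show archive log config all
```

Have one student log in as helpdesk and another as netops and repeat the "secretly configure something" exercise; show archive log config all then lists each command with the user and the session it came from, which is the evidence the running-config alone cannot provide. Note that include-exclusive reserves a command for that one view, so use it deliberately.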
• Ask students what they think is the worst a hacker could do if he
gained access to the privileged EXEC mode of an edge router?
Possible answers include (but are not limited to) alter the configuration, reload
the router, erase the startup config, erase the IOS image, format flash, …
• Explain that the Cisco IOS Resilient Configuration feature secures
the IOS image in flash and keeps a secure copy of the running configuration
in persistent storage.
Even if a hacker gains privileged access, the two secured files cannot be
deleted from the CLI (they are hidden from dir, and the feature can be turned
off only from the console), so restoration is very quick.
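The feature described above, as an added example that is not from the original deck. The restore filename is a placeholder. It enables both halves of the feature, shows how to verify them, and walks through the recovery of a tampered configuration from the secure archive.

```cisco
configure terminal
! Added example (not from the original deck). The restore filename is a placeholder.
!
! Mark the booted IOS image in flash as secure: hidden from dir, undeletable from the CLI
secure boot-image
! Take a secure snapshot of the current running configuration into persistent storage
secure boot-config
end
!
! Verification: both entries should be listed, and the image no longer appears in dir flash:
show secure bootset
dir flash:
!
! Recovery after a hacker has erased or altered startup-config:
! write the archived configuration to a new file, then make it the startup config.
configure terminal
secure boot-config restore flash:restored-config
end
copy flash:restored-config startup-config
!
! Turning the feature off only works from a console session, never over SSH or Telnet:
!   configure terminal
!   no secure boot-image
!   no secure boot-config
```

Re-enter secure boot-config after you save configuration changes so that the archive reflects the current configuration; a restore from a stale archive is better than nothing, but students should see that the snapshot is only as good as its last update.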
• When discussing disabling of unneeded services and protocols
make sure to identify each service and carefully explain its
function and why it needs to be disabled.
• A good journal exercise is to assign the students to create a table
consisting of three columns.
The first column identifies the service.
The second is a short description of the service.
The third is the CLI command to disable or enable the service.
• Students can use the CCP Security Audit to drive this section.
Specifically, use the Security Audit Wizard on a router and when you get to the
Security Audit Report screen, click on each security problem identified and
explain it. The report also displays the equivalent CLI command that disables
the service.
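The table exercise above and the glossary entries for finger, BOOTP, PAD, MOP, IP source routing and gratuitous ARP, consolidated into one added configuration example that is not from the original deck. The interface name and the CCP management subnet are placeholders, and the block also includes a few additional services that AutoSecure and One-Step Lockdown turn off. The one caveat a practitioner needs is in the HTTP section: CCP itself runs over HTTPS, so disabling the HTTP server without keeping the secure server breaks the tool the lab relies on.

```cisco
configure terminal
! Added example (not from the original deck). Interface and subnet are placeholders.
!
! --- Legacy services from the glossary (global) ---
no service finger
no ip finger
no ip bootp server
no service pad
no ip source-route
no ip gratuitous-arps
!
! --- Other defaults AutoSecure / One-Step Lockdown disable ---
no service tcp-small-servers
no service udp-small-servers
no ip identd
! CDP advertises platform and IOS version to neighbours; keep it only if IP phones need it
no cdp run
! Keep TCP sessions from lingering after a peer disappears
service tcp-keepalives-in
service tcp-keepalives-out
!
! --- HTTP: CCP needs HTTPS, so drop plain HTTP, keep HTTPS, and restrict it ---
no ip http server
ip http secure-server
access-list 10 permit 10.1.1.0 0.0.0.255
ip http access-class 10
!
! --- Per-interface items (repeat for each Ethernet interface) ---
interface GigabitEthernet0/0
 no mop enabled
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip directed-broadcast
 no ip mask-reply
exit
end
!
! Check: explicit "no ..." and "service ..." lines show up only where they differ from the default
show running-config | include ^no |^service
```

A good way to use this with the journal exercise is to run the Security Audit Wizard first, let the students fill the third column of their table from the wizard's report, and then compare it against this list: anything the wizard flags that they cannot explain is the service they have not understood yet.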
• There are many areas of classroom discussion in this chapter.
Discussion can include and are not limited to the following:
Which social networks or services do you subscribe to that require password
authentication? What is the worst someone could do if they got your password?
How do you create your passwords? Are they strong? How could you make them
stronger?
We know that SSH is more secure than Telnet. Is there a reason why you
would still use Telnet? How could you make Telnet more secure?
If CCP can be used to configure and secure a router, is CLI still valuable to
know? When would knowing the CLI be better?
What types of IT infrastructure jobs are there in a Network Operation Center?
Should all of these positions have the same level of access to the
infrastructure devices? Have students research these various job titles and
report back.
• There are many examples of security breaches that have
occurred in the news lately. Ask students to research some of
these and report back on how they could have been deterred
better.
http://en.wikipedia.org/wiki/Password#Incidents
• http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_
note09186a0080120f48.shtml
• http://www.nytimes.com/2010/01/21/technology/21password.html
• http://www.differencebetween.net/technology/internet/difference-
between-telnet-and-ssh/
• http://www.cisco.com/en/US/products/ps9422/index.html
• Download a trial version of Cisco CDP Monitor:
http://www.tallsoft.com/download.htm