CCNA Security 1.1 Instructional Resource
Chapter 2 – Securing Network Devices
© 2012 Cisco and/or its affiliates. All rights reserved.

• Secure the physical installation of and the administrative access to Cisco routers based on different network requirements using the CLI and CCP.
• Configure administrative roles using privilege levels and role-based CLI.
• Implement the management and reporting features of syslog, SNMP, SSH, and NTP.
• Examine router configurations with the Security Audit feature of CCP, and make the router and network more secure by using the auto secure command or the One-Step Lockdown feature of CCP.

2.0 Securing Cisco Routers
    2.1 Implement Security on Cisco routers
        2.1.1 CCP Security Audit feature
        2.1.2 CCP One-Step Lockdown feature
        2.1.3 Secure router access using strong encrypted passwords, IOS login enhancements, and IPv6 security
        2.1.4 Multiple privilege levels
        2.1.5 Role-Based CLI
        2.1.6 Cisco IOS image and configuration files

5.0 Implement Secure Network Management and Reporting
    5.1 Describe Secure Network Management
        5.1.1 In-band
        5.1.2 Out-of-band
        5.1.3 Management protocols
        5.1.4 Management enclave
        5.1.5 Management plane
    5.2 Implement Secure Network Management
        5.2.1 SSH
        5.2.2 Syslog
        5.2.3 SNMP
        5.2.4 NTP
        5.2.5 SCP
        5.2.6 CLI
        5.2.7 CCP

• Device hardening is a critical task that involves physically securing the router and protecting the router's administrative access using the Cisco IOS command-line interface (CLI) as well as Cisco Configuration Professional (CCP).
• Some of these methods involve maintaining passwords, configuring enhanced virtual login features, and implementing Secure Shell (SSH).
• Securing management and reporting features such as syslog and Simple Network Management Protocol (SNMP), and configuring Network Time Protocol (NTP), are also examined.
• Many router services are enabled by default, and a number of these features are no longer required and must be disabled. These services are examined using the Security Audit feature of CCP.
• Finally, the CCP One-Step Lockdown and the auto secure command are used to automate device-hardening tasks.

• Chapter 2 Lab: Securing the Router for Administrative Access
    Part 1: Basic Network Device Configuration
    Part 2: Control Administrative Access for Routers
    Part 3: Configure Administrative Roles
    Part 4: Configure Cisco IOS Resilience and Management Reporting
    Part 5: Configure Automated Security Features

SSH – Secure Shell
UPS – uninterruptible power supply
Cain & Abel – password recovery tool for Microsoft Windows
L0phtcrack – password recovery tool for Microsoft Windows
MD5 – Message Digest 5
Normal-Mode – A login block-for mode (state) in which a router keeps track of failed login attempts within a specified amount of time.
Quiet-Mode – A login block-for mode (state) in which failed login attempts have reached a specified threshold and the router no longer permits logins.
AAA – authentication, authorization, accounting

DES – Data Encryption Standard
3DES – Triple DES
RSA – Algorithm developed by Ron Rivest, Adi Shamir and Leonard Adleman.
CIO – Chief Information Officer
Role-Based CLI – Allows the network administrator to define "views," which restrict user access to the Cisco IOS CLI, to exercise better control over access to Cisco networking devices.
Cisco IOS Resilient Configuration – Cisco feature that secures the router image and maintains a secure working copy of the running configuration.
Out-of-band (OOB) – Information flows on a dedicated management network on which no production traffic resides.
In-band – Information flows across an enterprise production network, the Internet, or both, using regular data channels.

Read-only community strings – Provide read-only access to all objects in the SNMP MIB, except the community strings.
Read-write community strings – Provide read-write access to all objects in the SNMP MIB, except the community strings.
NTP – Network Time Protocol
UTC – Coordinated Universal Time
Security Audit Wizard – A CCP wizard that provides a list of vulnerabilities and then allows the administrator to choose which potential security-related configuration changes to implement on a router.
Cisco AutoSecure – A CLI command that initiates a security audit and then allows for configuration changes. Based on the mode selected, configuration changes can be automatic or require network administrator input.
One-Step Lockdown – A CCP Security Audit Wizard feature that provides a list of vulnerabilities and then automatically makes all recommended security-related configuration changes.

Finger service – Used to find out which users are logged into a network device. Should be disabled using no service finger.
BOOTP – Bootstrap Protocol. Used by a router to dynamically discover DHCP information from another device. Should be disabled using no ip bootp server.
PAD – Packet assembler/disassembler. Used for connections to legacy PAD devices. Should be disabled using no service pad.
MOP – Maintenance Operations Protocol. Enabled on Ethernet interfaces and used to communicate with legacy DEC devices. Should be disabled using no mop enabled.
IP source route – Enables a host to control how a packet is routed. Should be disabled using no ip source-route.
IP GARPs – IP gratuitous ARPs. An unsolicited ARP broadcast. Should be disabled using no ip gratuitous-arps.

• Cisco Configuration Professional (CCP) has replaced SDM to do the following:
    To configure syslog logging.
    To configure SNMP.
    To configure NTP.
    To conduct a Security Audit.
    To perform a One-Step Lockdown.

• The chapter 2 lab sets the stage for securing a network infrastructure. Students use CLI and CCP tools to secure local and remote access to the routers, analyze potential vulnerabilities, and take steps to mitigate them. They will also enable management reporting to monitor router configuration changes.
• This lab is divided into five parts. Each part can be administered individually or in combination with others as time permits. The main goal is to configure various Cisco IOS and CCP security features on routers R1 and R3. R1 and R3 are on separate networks and communicate through R2, which simulates a connection to an ISP. Students can work in teams of two for router security configuration, one student configuring R1 and the other student configuring R3.
• Although switches are shown in the topology, students can omit the switches and use crossover cables between the PCs and routers R1 and R3.

• When discussing the service password-encryption command, a good demonstration is to copy a level 7 encrypted password and enter it into one of the many online Cisco password crackers to reveal the password it encodes.
    http://www.hope.co.nz/projects/tools/ciscopw.php
    http://www.kazmier.com/computer/cisco-cracker.html
• Emphasize that the service password-encryption command is simply there to stop shoulder surfing. Ask the students “Why does the IOS not encrypt all passwords using MD5?” Explain that Cisco IOS passwords are not properly encrypted because there are protocols, such as CHAP authentication, for which an MD5-hashed password would not work.

• Make sure to explain that the enable secret command should always be used instead of the enable password command. If both are configured, the enable secret supersedes the enable password command.

• To illustrate why the enhanced login features of the login block-for command should be configured:
    Interconnect a router -> switch -> hosts and ping to verify connectivity.
    Change the Telnet password. Ask students to attempt to log in.
    Next, configure the login block-for command. Ask students to attempt to log in again and observe the results.
    Use the show login and show login failures commands to observe the results.

• To illustrate why SSH is more secure than Telnet:
    Interconnect and configure a router -> hub -> hosts. Each host should be able to ping the router gateway address.
    Each host starts Wireshark.
    One host Telnets to the router and authenticates.
    Observe the Wireshark capture and locate the Telnet flow. Highlight a flow and, from the Menu Bar, choose Analyze > Follow TCP Stream. The username and password can be identified this way.
    Repeat the exercise, but this time SSH into the router. The content is no longer divulged.

• To explain the RSA key used by SSH:
    Write down eight binary ones (1111 1111) and ask students what decimal number that is equal to. (255)
    Add another 1 bit (1 1111 1111) and ask what it equals now. (1023)
    Keep repeating the previous step a few times.
    Contrast this with the number of possible IPv4 addresses (32 bits = 4 billion).
    Contrast this with the number of possible IPv6 addresses (128 bits = 340 trillion trillion trillion, or 340 undecillion).
    Now highlight that the RSA key has 1,024 bits and ask them to imagine how big a key this creates. What are the odds that something could calculate the exact same key in a reasonable amount of time?
• SSH uses RSA keys to authenticate users instead of (or in addition to) a username/password.

• To highlight the difference between privilege levels and role-based CLI:
    Interconnect a router -> switch -> hosts. Configure privileged EXEC and Telnet access. Verify connectivity using ping.
    Ask one student to Telnet into the router and secretly configure something. Ask another student to do the same. Repeat with several students.
    Now reveal the running-config and explain how there is no way to really tell who typed in which command.
• Once privilege levels are configured, explain that although there is some control, there are still some limitations.
• Once role-based CLI is configured, explain how logins can be easily customized.

• Ask students what they think is the worst a hacker could do if he gained access to the privileged EXEC mode of an edge router. Possible answers include (but are not limited to) altering the configuration, reloading the router, erasing the startup config, erasing the IOS, formatting flash, …
• Explain that the Cisco IOS Resilient Configuration feature secures the IOS image and maintains a secure copy of the startup configuration file. Even if a hacker gains access, he will not be able to completely delete the two files, and restoration would be very quick.

• When discussing the disabling of unneeded services and protocols, make sure to identify each service and carefully explain its function and why it needs to be disabled.
• A good journal exercise is to assign the students to create a table consisting of three columns. The first column identifies the service. The second is a short description of the service. The third is the CLI command to disable or enable the service.
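As an added example (not part of the Cisco material and not the logic of the CCP Security Audit or AutoSecure), the following Python script performs the journal-exercise check itself: it scans a constructed running-config for the services and password settings discussed in this chapter and prints the service, a short description, and the CLI command to remediate it. The regex patterns, descriptions and sample configuration below are assumptions made for the demonstration.

```python
import re

# Constructed sample running-config (not captured from any real device).
SAMPLE_CONFIG = """\
service password-encryption
service finger
service pad
ip bootp server
ip source-route
ip gratuitous-arps
enable password 7 0123456789ABCD
username admin password 7 0123456789ABCD
interface GigabitEthernet0/0
 mop enabled
line vty 0 4
 transport input telnet
"""

# Each check: (regex applied to one config line, description, command that removes it).
# Descriptions paraphrase the chapter's service list; patterns and wording are mine.
LINE_CHECKS = [
    (r"^service finger$", "Finger: reveals which users are logged in", "no service finger"),
    (r"^ip bootp server$", "BOOTP: legacy bootstrap protocol", "no ip bootp server"),
    (r"^service pad$", "PAD: legacy packet assembler/disassembler", "no service pad"),
    (r"^\s*mop enabled$", "MOP: legacy DEC maintenance protocol", "no mop enabled"),
    (r"^ip source-route$", "IP source routing: sender controls the path", "no ip source-route"),
    (r"^ip gratuitous-arps$", "Gratuitous ARPs: unsolicited ARP broadcasts", "no ip gratuitous-arps"),
    (r"^enable password ", "enable password: clear text or reversible type 7", "enable secret <strong-password>"),
    (r"^username \S+ password ", "username password: clear text or type 7", "username <name> secret <strong-password>"),
    (r"^\s*transport input .*\b(telnet|all)\b", "Telnet accepted on vty lines", "transport input ssh"),
]

# Settings the chapter expects to be present; flagged when absent from the whole config.
REQUIRED = [
    (r"^enable secret ", "No enable secret (hashed) configured", "enable secret <strong-password>"),
    (r"^login block-for ", "No login block-for (quiet-mode) protection", "login block-for 120 attempts 3 within 60"),
]

def audit(config: str) -> list:
    """Return (description, remediation command) pairs for a running-config text."""
    findings = [(desc, fix) for line in config.splitlines()
                for pattern, desc, fix in LINE_CHECKS if re.match(pattern, line)]
    findings += [(desc, fix) for pattern, desc, fix in REQUIRED
                 if not re.search(pattern, config, re.MULTILINE)]
    return findings

if __name__ == "__main__":
    # Prints the three-column table the journal exercise asks for (the finding doubles as the description).
    for desc, fix in audit(SAMPLE_CONFIG):
        print(f"{desc:50} {fix}")
```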
• Students can use the CCP Security Audit to drive this section. Specifically, run the Security Audit Wizard on a router and, when you reach the Security Audit Report screen, click on the different security problems identified and explain them. This also displays the equivalent CLI command to disable each service.

• There are many areas of classroom discussion in this chapter. Discussion can include, but is not limited to, the following:
    Which social networks / services do you subscribe to that require password authentication? What’s the worst someone could do if they got your password?
    How do you create your password? Is it strong? How could you make it stronger?
    We know that SSH is more secure than Telnet. Is there a reason why you would still use Telnet? How could you make Telnet more secure?
    If CCP can be used to configure and secure a router, is the CLI still valuable to know? When would knowing the CLI be better?
    What types of IT infrastructure jobs are there in a Network Operations Center? Should all of these positions have the same level of access to the infrastructure devices? Have students research these various job titles and report back.

• There are many examples of security breaches that have occurred in the news lately. Ask students to research some of these and report back on how they could have been deterred better.
    http://en.wikipedia.org/wiki/Password#Incidents

• http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
• http://www.nytimes.com/2010/01/21/technology/21password.html
• http://www.differencebetween.net/technology/internet/difference-between-telnet-and-ssh/
• http://www.cisco.com/en/US/products/ps9422/index.html
• Download a trial version of Cisco CDP Monitor: http://www.tallsoft.com/download.htm