© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Upon completion of this section, you should be able to:
• Explain how to secure a network perimeter.
Single Router Approach
DMZ Approach
Tasks:
• Restrict device accessibility
• Authenticate access
• Authorize actions
Local Access
Remote Access Using Telnet
Dedicated Management Network
Guidelines:
• Use a password length of 10 or more characters.
• Include a mix of uppercase and lowercase letters, numbers, symbols, and spaces.
Guidelines:
• Configure all secret passwords using type 8 or type 9 passwords.
Virtual login security enhancements:
• Implement delays between successive login attempts
• Enable login shutdown if DoS attacks are suspected
• Generate system-logging messages for login detection
Command Syntax: login block-for
Generate Login Syslog Messages
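The following IOS configuration is an added example that is not part of the original slides; it puts the three virtual-login enhancements listed above together with the login block-for syntax on one router. The timer values, attempt counts, the ACL name PERMIT-ADMIN and the address range in it are assumptions chosen for illustration.

```cisco
! Added example, not original slide content. All values below are assumptions.
!
! Named ACL listing the management hosts that may still log in while the
! router is in quiet mode after an attack is suspected.
ip access-list standard PERMIT-ADMIN
 permit 10.0.0.0 0.0.0.255
 deny   any
!
! After 3 failed attempts within 60 seconds, block all virtual logins
! (Telnet/SSH) for 120 seconds: the "login shutdown if DoS is suspected"
! enhancement.
login block-for 120 attempts 3 within 60
!
! Hosts matched by PERMIT-ADMIN are exempt from the quiet period, so an
! administrator is not locked out by the attacker's failed attempts.
login quiet-mode access-class PERMIT-ADMIN
!
! Delay (seconds) enforced between successive login attempts.
login delay 3
!
! Generate syslog messages for failed and successful logins so that a
! brute-force attempt is visible to the logging server.
login on-failure log
login on-success log
!
! Verification:
! show login            - current login-protection settings and mode
! show login failures   - failed attempts recorded while in normal mode
```

Note that login block-for only protects lines that authenticate with login local or AAA; a vty line configured with a plain line password and the login command is not covered, so the vty configuration should be checked together with these settings.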
Example SSH Configuration
Two ways to connect:
• Enable SSH and use a Cisco router as an SSH server or SSH client.
As a server, the router can accept SSH client connections
As a client, the router can connect via SSH to another SSH-enabled router
• Use an SSH client running on a host, such as PuTTY, OpenSSH, or TeraTerm.
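The slide titled "Example SSH Configuration" above carries no configuration text, so the following is an added example that is not part of the original slides. It shows a router acting as an SSH server, with the local credentials hashed as type 9 (scrypt) secrets per the "type 8 or type 9" guideline earlier in the chapter, and the command a router uses as an SSH client. The hostname, domain name, user name, passwords, key size and the peer address 192.0.2.2 are assumptions chosen for illustration.

```cisco
! Added example, not original slide content. Names, passwords, key size and
! addresses are assumptions.
hostname R1
ip domain-name example.com
!
! Local administrator account and enable secret, both stored as scrypt
! (type 9) hashes rather than the reversible type 7 encoding.
username admin privilege 15 algorithm-type scrypt secret Str0ng-Pa55w0rd!
enable algorithm-type scrypt secret An0ther-Str0ng-Pa55!
!
! RSA key pair used by the SSH server (2048-bit modulus assumed), then
! restrict the server to SSH protocol version 2 and bound its retries.
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
!
! Accept only SSH (no Telnet) on the vty lines and authenticate against
! the local user database; idle sessions are closed after 5 minutes.
line vty 0 4
 login local
 transport input ssh
 exec-timeout 5 0
!
! Router as SSH client connecting to another SSH-enabled router:
! R1# ssh -l admin 192.0.2.2
!
! Verification:
! show ip ssh   - SSH server status, version and timers
! show ssh      - active SSH sessions
```

Running show ip ssh after this configuration should report SSH enabled with version 2.0; if it reports SSH disabled, the RSA key pair was not generated, which usually means the hostname or ip domain-name was missing when crypto key generate rsa was entered.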
Upon completion of this section, you should be able to:
• Configure administrative privilege levels to control command availability.
Privilege levels:
• Level 0: Predefined for user-level access privileges.
• Level 1: Default level for login with the router prompt.
• Level 2-14: May be customized for user-level privileges.
• Level 15: Reserved for the enable mode privileges.
Levels of access commands:
• User EXEC mode (privilege level 1): lowest EXEC mode user privileges; only user-level commands are available at the router> prompt.
• Privileged EXEC mode (privilege level 15): all enable-level commands are available at the router# prompt.
• No access control to specific interfaces, ports, logical interfaces, and slots on a router
• Commands available at lower privilege levels are always executable at higher privilege levels
• Commands specifically set at higher privilege levels are not available for lower privilege users
• Assigning a command with multiple keywords allows access to all commands that use those
For example:
• Security operator privileges
Configure AAA
Issue show commands
Configure firewall
Configure IDS/IPS
Configure NetFlow
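The following IOS configuration is an added example that is not part of the original slides. It builds a custom privilege level for an operator who may change interface addressing and view the routing table but not the full configuration, and it makes visible the multi-keyword limitation listed above. The level number 5, the user name netops and the passwords are assumptions chosen for illustration.

```cisco
! Added example, not original slide content. Level number, user name and
! passwords are assumptions.
!
! Enable secret for level 5, stored as a scrypt (type 9) hash. Level 5
! inherits every level-1 command (commands at lower levels are always
! executable at higher levels) plus the commands moved to it below.
enable algorithm-type scrypt secret level 5 Lvl5-S3cret!
!
! Allow entering configuration mode and addressing interfaces at level 5.
privilege exec level 5 configure terminal
privilege configure level 5 interface
privilege interface level 5 ip address
privilege interface level 5 shutdown
!
! Limitation from the slide: moving a multi-keyword command to a level
! also moves its prefixes. "show ip route" at level 5 makes "show" and
! "show ip" available at level 5 as well; "show running-config" stays at
! level 15 because its syntax is not a subset of "show ip route".
privilege exec level 5 show ip route
!
! Local user that lands directly at level 5 when logging in.
username netops privilege 5 algorithm-type scrypt secret NetOps-P4ss!
!
! Operator session (the prompt is "#" at every level above 1):
! R1> enable 5
! R1# show privilege        - reports "Current privilege level is 5"
! R1# show ip route         - permitted
! R1# show running-config   - not available at level 5
```

The first limitation on the slide still applies: level 5 here can address any interface, because privilege levels cannot be scoped to particular interfaces or slots; role-based CLI views are the feature to reach for when that granularity is needed.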
Enable Root View and Verify All Views
Upon completion of this section, you should be able to:
• Use the Cisco IOS resilient configuration feature to secure the Cisco IOS
image and configuration files.
• Compare in-band and out-of band management access.
Configure the router for server-side SCP with local AAA:
1. Configure SSH
3. Enable AAA
1. Connect to the console port.
5. Change the default configuration register with the confreg 0x2142 command.
Disable Password Recovery
Password Recovery Functionality is Disabled
In-Band Management:
Security Levels
Cisco MIB Hierarchy
Message integrity & authentication
Encryption
Access control
• Agent may enforce access control to restrict each principal to certain actions on specific portions of data.
Sample NTP Topology
Sample NTP Configuration on R1
Sample NTP Configuration on R2
Upon completion of this section, you should be able to:
• Use security audit tools to determine IOS-based router vulnerabilities.
There is a detailed list of security settings for protocols and services provided in Figure 2 of this page in the course.
1. The auto secure command is entered
Upon completion of this section, you should be able to:
• Configure a routing protocol authentication.
Consequences of protocol spoofing:
• Redirect traffic to create routing loops.
Chapter Objectives:
• Configure secure administrative access.
Thank you.
• Remember, there are helpful tutorials and user guides available via your NetSpace home page (https://www.netacad.com).
• These resources cover a variety of topics including navigation, assessments, and assignments.
• A screenshot has been provided here highlighting the tutorials related to activating exams, managing assessments, and creating quizzes.