04- Securing the Management Plane 
Ahmed Sultan 
CCNA | CCNA Security | CCNP Security | JNCIA-Junos | CEH 
© 2009 Cisco Learning Institute. 1
Perimeter Implementations 
• Single Router Approach 
A single router connects the internal LAN to the Internet. All security policies are configured on this one device, so it is the only enforcement point and must be hardened accordingly. 
• Defense-in-depth Approach 
The router sits in front of a dedicated firewall and passes everything through to it. A set of rules on the router determines what traffic the router will allow or deny before the firewall applies its own policy, so traffic has to pass two independently configured devices. 
• DMZ Approach 
The DMZ is set up between two routers (an external R1 and an internal R2) with the firewall between them. Most traffic filtering is left to the firewall; the routers screen and route. 
(Slide diagrams, reduced to text: LAN 1 192.168.2.0 behind Router 1 (R1) to the Internet; LAN 1 192.168.2.0 behind R1 and a Firewall to the Internet; LAN 1 192.168.2.0 behind R1, a Firewall and R2, with the DMZ between the routers.) 
Areas of Router Security 
• Physical Security 
- Place router in a secured, locked room 
- Install an uninterruptible power supply 
• Operating System Security 
- Use the latest stable version that meets network requirements 
- Keep a copy of the O/S and configuration file as a backup 
• Router Hardening 
- Secure administrative control 
- Disable unused ports and interfaces 
- Disable unnecessary services 
SSH (versions 1 and 2) 
• Configuring the router for SSH 
• SSH commands 
• Connecting to the router 
Configuring the Router for SSH 
1. Configure the IP domain name of the network (the RSA key name is built from the hostname and the domain name): 
R1# conf t 
R1(config)# ip domain-name span.com 
2. Generate the RSA key pair that the SSH server will use. The slide calls this a "one way secret key"; it is an asymmetric host key. The modulus must be at least 768 bits for SSHv2, and the 1024 bits shown here is below current practice, so use 2048 or larger on production devices: 
R1(config)# crypto key generate rsa general-keys modulus 1024 
The name for the keys will be: R1.span.com 
% The key modulus size is 1024 bits 
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK] 
R1(config)# 
*Dec 13 16:19:12.079: %SSH-5-ENABLED: SSH 1.99 has been enabled 
"SSH 1.99" means the server accepts both SSHv1 and SSHv2 clients until version 2 is forced (next slide). 
3. Verify or create a local database entry. Use secret, which stores a hash, rather than password; "cisco" is a placeholder, not a password to deploy: 
R1(config)# username Bob secret cisco 
4. Enable inbound SSH sessions, and only SSH, on the VTY lines. login local authenticates against the local database; transport input ssh refuses Telnet: 
R1(config)# line vty 0 4 
R1(config-line)# login local 
R1(config-line)# transport input ssh 
R1(config-line)# exit 
Optional SSH Commands 
Confirm that SSH is running, then restrict it to version 2 and tighten the authentication timeout and retry count. SSHv1 has known protocol weaknesses, so a server reporting version 1.99 should be forced to 2.0: 
R1# show ip ssh 
SSH Enabled - version 1.99 
Authentication timeout: 120 secs; Authentication retries: 3 
R1# 
R1# conf t 
Enter configuration commands, one per line. End with CNTL/Z. 
R1(config)# ip ssh version 2 
R1(config)# ip ssh time-out 60 
R1(config)# ip ssh authentication-retries 2 
R1(config)# ^Z 
R1# 
R1# show ip ssh 
SSH Enabled - version 2.0 
Authentication timeout: 60 secs; Authentication retries: 2 
R1# 
Connecting to the Router 
There are two ways to connect to an SSH-enabled router: 
- Connect using an SSH-enabled Cisco router (the IOS ssh client) 
- Connect using an SSH client running on a host 
1. There are no current SSH sessions on R1: 
R1# sho ssh 
%No SSHv2 server connections running. 
%No SSHv1 server connections running. 
R1# 
2. R2 establishes an SSH connection with R1 as user Bob: 
R2# ssh -l Bob 192.168.2.101 
Password: 
R1> 
3. R1 now shows one SSHv2 server session for user Bob: connection 0, listed as its inbound (IN) and outbound (OUT) halves, negotiated with aes128-cbc and hmac-sha1. No SSHv1 sessions are running: 
R1# sho ssh 
Connection Version Mode Encryption Hmac State Username 
0 2.0 IN aes128-cbc hmac-sha1 Session started Bob 
0 2.0 OUT aes128-cbc hmac-sha1 Session started Bob 
%No SSHv1 server connections running. 
R1# 
Configuring for Privilege Levels 
• By default: 
- User EXEC mode (privilege level 1) 
- Privileged EXEC mode (privilege level 15) 
• Sixteen privilege levels (0 to 15) are available 
• Two methods of providing privileged-level access to the infrastructure: 
- Privilege Levels 
- Role-Based CLI Access 
Privilege CLI Command 
router(config)# privilege mode {level level command | reset command} 
• mode: The configuration mode the command belongs to (exec, configure, interface, ...). Use privilege ? to see the complete list of modes available. 
• level (keyword): Sets a privilege level for the specified command. 
• level (number): The privilege level to associate with the command; 16 levels are available, numbered 0 to 15. 
• reset: Resets the privilege level of the command to its default. 
• command: The command whose privilege level is being set or reset. 
Either level or reset must be given; they are alternatives, not independent options. 
Privilege Levels for Users 
R1# conf t 
R1(config)# 
R1(config)# privilege exec level 5 ping 
R1(config)# enable secret level 5 cisco5 
R1(config)# username SUPPORT privilege 5 secret cisco5 
R1(config)# 
R1(config)# privilege exec level 10 reload 
R1(config)# enable secret level 10 cisco10 
R1(config)# username JR-ADMIN privilege 10 secret cisco10 
R1(config)# 
R1(config)# username ADMIN privilege 15 secret cisco123 
R1(config)# 
• A SUPPORT account with level 5 and access to the ping command (ping has been moved from its default level 1 up to level 5, so level-1 users can no longer run it). 
• A JR-ADMIN account with level 10, which inherits everything at levels 1 to 9 (including ping) plus the reload command. 
• An ADMIN account at level 15, which has all of the privileged EXEC commands. 
The enable secret level N commands set the password a user must give to escalate to level N with enable N; this is independent of the level assigned in the username line. 
Privilege Levels 
The enable level command is used to switch from level 1 to level 5. The password requested is the enable secret for level 5 (cisco5 in the configuration above): 
R1> enable 5 
Password: 
R1# 
The show privilege command displays the current privilege level: 
R1# show privilege 
Current privilege level is 5 
R1# 
The level-5 user cannot use the reload command, which was set at level 10. Because the command is invisible at this level, IOS does not report a permissions error; it treats "reload" as an unknown word and tries to resolve it as a hostname: 
R1# reload 
Translating "reload" 
Translating "reload" 
% Unknown command or computer name, or unable to find computer address 
R1# 
Privilege Level Limitations 
• There is no access control to specific interfaces, ports, 
logical interfaces, and slots on a router 
• Commands available at lower privilege levels are always 
executable at higher levels. 
• Commands specifically set on a higher privilege level are 
not available for lower-privileged users. 
Role-Based CLI 
• Controls which commands are available to specific roles 
• Different views of router configurations created for 
different users providing: 
- Security: Defines the set of CLI commands that is accessible by 
a particular user by controlling user access to configure specific 
ports, logical interfaces, and slots on a router 
- Availability: Prevents unintentional execution of CLI commands 
by unauthorized personnel 
- Operational Efficiency: Users only see the CLI commands 
applicable to the ports and CLI to which they have access 
Role-Based Views 
• Root View 
To configure any view for the system, the administrator must be in the root view. The root view has the same access privileges as a level-15 user. 
• CLI View 
A specific set of commands can be bundled into a "CLI view". Each view must be assigned all of the commands associated with that view; there is no inheritance of commands from other views. Commands may, however, be reused within several views. 
• Superview 
Allows a network administrator to assign a user multiple CLI views at once, instead of having to define one CLI view per user that repeats every command that user needs. A superview contains views, not commands, and can only reference views that already exist. 
Role-Based Views (slide diagram of the root view, CLI views and a superview; not reproduced) 
Creating and Managing a View 
1. Enable AAA with the global configuration command aaa new-model. Exit to privileged EXEC and enter the root view with the enable view command (the enable secret is requested). 
2. Create a view using the parser view view-name command. 
3. Assign a secret password to the view using the secret encrypted-password command. This must be done before any commands are added to the view. 
4. Assign commands to the selected view using the commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command] command in view configuration mode (the slide omits the leading commands keyword). 
5. Exit the view configuration mode by typing exit. 
Verify the result with show parser view, and bind a user to the view with username name view view-name secret password (or through AAA). 
View Commands 
router# enable [view [view-name]] 
Enters a CLI view. 
• view: Enters the root view, from which CLI views are configured. This keyword is required to configure a CLI view. 
• view-name: (Optional) Enters the specified CLI view. This can be used to switch from one CLI view to another. 
router(config)# parser view view-name 
Creates a view and enters view configuration mode. 
router(config-view)# secret encrypted-password 
• Sets a password to protect access to the view. 
• The password must be created immediately after creating the view, before commands can be added to it. 
Creating and Managing a Superview 
1. Create the superview with the parser view view-name superview command, which enters superview configuration mode. 
2. Assign a secret password to the superview using the secret encrypted-password command. 
3. Add existing CLI views using the view view-name command in superview configuration mode. A superview holds views only; commands cannot be added to it directly. 
4. Exit superview configuration mode by typing exit. 
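The difference between the two access-control models above (privilege levels are cumulative, views are not, and a superview is the union of its member views) is easy to get wrong when reading a running-config. The following model is an added example written for this page, not Cisco code: it parses the subset of configuration syntax used on slides 10 and 16 to 18 (privilege exec level, username ... privilege, parser view, commands exec include [all], commands exec include-exclusive and superview view lines) and answers "can this user run this command?" under each model. It treats every word of a typed command as a keyword (arguments are not modelled), assumes an EXEC command with no privilege line defaults to level 1, and assumes include-exclusive causes later includes of the same command in other views to be refused. The sample configuration is constructed; the view names, the HELPDESK and OPSLEAD accounts and their secrets are placeholders.

```python
"""Model of IOS privilege levels versus role-based CLI views (added example, not Cisco code).

Parses the subset of running-config syntax used on the slides: 'privilege exec level',
'username ... privilege', 'parser view', 'commands exec include [all]',
'commands exec include-exclusive' and superview 'view' lines. Every word of a typed
command is treated as a keyword (arguments are not modelled); an EXEC command with no
'privilege' line defaults to level 1.
"""
import re


def parse_policy(config):
    """Build the authorization tables from running-config text."""
    cmd_levels, user_levels, user_views, views, superviews, exclusive = {}, {}, {}, {}, {}, {}
    current = None  # (kind, name) while inside a 'parser view' block
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"privilege exec level (\d+) (.+)", line):
            cmd_levels[m.group(2)] = int(m.group(1))
        elif m := re.match(r"username (\S+) privilege (\d+)", line):
            user_levels[m.group(1)] = int(m.group(2))
        elif m := re.match(r"username (\S+) view (\S+)", line):
            user_views[m.group(1)] = m.group(2)
        elif m := re.match(r"parser view (\S+)( superview)?$", line):
            current = ("superview" if m.group(2) else "view", m.group(1))
            (superviews if m.group(2) else views).setdefault(m.group(1), set())
        elif current and current[0] == "view" and (
                m := re.match(r"commands exec (include|include-exclusive) (all )?(.+)", line)):
            entry = (m.group(3), bool(m.group(2)))  # (command, wildcard 'all')
            if m.group(1) == "include-exclusive":
                exclusive[entry] = current[1]  # no other view may include this command
            if exclusive.get(entry, current[1]) == current[1]:
                views[current[1]].add(entry)  # assumed: IOS refuses the include otherwise
        elif current and current[0] == "superview" and (m := re.match(r"view (\S+)", line)):
            superviews[current[1]].add(m.group(1))
    return {"cmd_levels": cmd_levels, "user_levels": user_levels,
            "user_views": user_views, "views": views, "superviews": superviews}


def allowed_by_level(policy, user, command):
    """Privilege levels are cumulative: a level-N user may run every command at level <= N."""
    words = command.split()
    best = max((e for e in policy["cmd_levels"] if words[:len(e.split())] == e.split()),
               key=lambda e: len(e.split()), default=None)
    required = policy["cmd_levels"][best] if best else 1
    return policy["user_levels"].get(user, 1) >= required


def view_commands(policy, view):
    """A superview is the union of its member views; a plain view inherits nothing."""
    if view in policy["superviews"]:
        return set().union(*(view_commands(policy, v) for v in policy["superviews"][view]))
    return policy["views"].get(view, set())


def allowed_by_view(policy, user, command):
    """A view permits exactly its included commands, or any command under an 'all' prefix."""
    words = command.split()
    for cmd, wildcard in view_commands(policy, policy["user_views"].get(user, "")):
        cw = cmd.split()
        if words == cw or (wildcard and words[:len(cw)] == cw):
            return True
    return False


# Constructed sample: the accounts from slide 10 plus views in the style of slides 16-18.
SAMPLE_CONFIG = """
privilege exec level 5 ping
privilege exec level 10 reload
username SUPPORT privilege 5 secret 0 cisco5
username JR-ADMIN privilege 10 secret 0 cisco10
username ADMIN privilege 15 secret 0 cisco123
parser view RESTART
 secret 0 example-restart
 commands exec include-exclusive reload
 commands exec include show version
parser view MONITOR
 secret 0 example-monitor
 commands exec include all show
 commands exec include ping
 commands exec include reload
parser view OPS superview
 secret 0 example-ops
 view MONITOR
 view RESTART
username HELPDESK view MONITOR secret 0 example-helpdesk
username OPSLEAD view OPS secret 0 example-lead
"""
POLICY = parse_policy(SAMPLE_CONFIG)
```

Two things worth noticing when running it: MONITOR's include of reload is dropped because RESTART owns it exclusively, so HELPDESK cannot reload while OPSLEAD (whose superview unions both) can; and include all show hands HELPDESK show running-config along with every other show command, which is the kind of over-grant a wildcard include silently creates.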
Running Config "Views" (slide screenshot of show running-config output for the views above; not reproduced) 
Running Config "SUPERVIEWS" (slide screenshot of show running-config output for a superview; not reproduced) 
Resilient Configuration Facts 
• The configuration file in the primary bootset is a copy of the running configuration that was in the router when the feature was first enabled. Re-enter secure boot-config after configuration changes to refresh the archive. 
• The feature secures the smallest working set of files to preserve persistent storage space. No extra space is required to secure the primary IOS image file. 
• The feature automatically detects image or configuration version mismatch. 
• Only local storage is used for securing files; the secured files are hidden from dir listings. 
• The feature can be disabled only through a console session (no secure boot-image, no secure boot-config), so an attacker who has stolen a remote login cannot remove the archive. 
Erasing NVRAM removes the startup configuration but not the secured archive in flash: 
R1# erase startup-config 
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm] 
After such an erase, the archived configuration can be brought back with secure boot-config restore filename. 
CLI Commands 
router(config)# secure boot-image 
- Enables Cisco IOS image resilience. Prevents the IOS image from being deleted by a malicious user. 
router(config)# secure boot-config 
- Takes a snapshot of the router running configuration and securely archives it in persistent storage. 
Verify both with show secure bootset, which reports the secured image and configuration file names. 
Preventing Password Recovery 
R1(config)# no service password-recovery 
WARNING: 
Executing this command will disable password recovery mechanism. 
Do not execute this command without another plan for password recovery. 
Are you sure you want to continue? [yes/no]: yes 
R1(config)# 
The setting appears in the running configuration: 
R1# sho run 
Building configuration... 
Current configuration : 836 bytes 
! 
version 12.4 
service timestamps debug datetime msec 
service timestamps log datetime msec 
service password-encryption 
no service password-recovery 
On the next boot the ROM monitor confirms that the Break-key recovery procedure is disabled: 
System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1) 
Technical Support: http://www.cisco.com/techsupport 
Copyright (c) 2006 by cisco Systems, Inc. 
PLD version 0x10 
GIO ASIC version 0x127 
c1841 platform with 131072 Kbytes of main memory 
Main memory is configured to 64 bit mode with parity disabled 
PASSWORD RECOVERY FUNCTIONALITY IS DISABLED 
program load complete, entry point: 0x8000f000, size: 0xcb80 
Two caveats. With recovery disabled, a lost enable secret means the only way back in is a reset that erases the startup configuration, so keep an offline backup of the configuration and of the secret. And service password-encryption only applies reversible type 7 obfuscation to password lines; use secret (a hash) for the enable password and for local user accounts. 
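Every hardening item on the SSH slides (ip ssh version 2, transport input ssh, login local, the timeout and retry limits), the resilient-configuration commands and no service password-recovery is visible in a running-config, so the whole set can be checked mechanically before a device goes into service. The audit script below is an added example written for this page, not Cisco tooling. It assumes classic IOS configuration syntax as shown on the slides (top-level commands in column 0, sub-mode commands indented one space), and the weak and hardened sample configurations embedded in it are constructed, with placeholder secrets.

```python
"""Audit an IOS running-config for the management-plane hardening items in this deck.

Added example, not Cisco tooling. Assumes classic IOS syntax as on the slides:
top-level commands start in column 0, sub-mode commands are indented one space.
"""
import re


def _sections(lines):
    """Yield (header, [indented body lines]) for every top-level line, e.g. 'line vty 0 4'."""
    header, body = None, []
    for line in lines:
        if line and not line[0].isspace():
            if header is not None:
                yield header, body
            header, body = line, []
        elif line.strip():
            body.append(line.strip())
    if header is not None:
        yield header, body


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    lines = [l.rstrip() for l in config.splitlines()]
    top = [l for l in lines if l and not l[0].isspace() and not l.startswith("!")]
    findings = []

    def has(pattern):
        return any(re.fullmatch(pattern, l) for l in top)

    # Slide 6: 'SSH 1.99' keeps accepting SSHv1 clients until version 2 is forced.
    if not has(r"ip ssh version 2"):
        findings.append("SSH: 'ip ssh version 2' missing; server negotiates 1.99 (SSHv1 accepted)")
    if not (has(r"ip ssh time-out \d+") and has(r"ip ssh authentication-retries \d+")):
        findings.append("SSH: time-out/authentication-retries left at defaults (120 s, 3 retries)")

    # Slide 5: VTY lines must accept SSH only and authenticate against a user database.
    for header, body in _sections(lines):
        if not header.startswith("line vty"):
            continue
        transport = next((b for b in body if b.startswith("transport input")), None)
        if transport != "transport input ssh":
            findings.append(f"{header}: transport input is {transport!r}; expected 'transport input ssh'")
        if "login local" not in body and not any(b.startswith("login authentication") for b in body):
            findings.append(f"{header}: no 'login local' or AAA login method")

    # Local accounts: 'password' is stored reversibly (type 0/7); 'secret' is hashed.
    for l in top:
        if m := re.match(r"username (\S+) .*\bpassword\b", l):
            findings.append(f"username {m.group(1)}: uses 'password' instead of 'secret'")
    if not has(r"service password-encryption"):
        findings.append("'service password-encryption' missing; password lines stay cleartext")

    # Slides 22-23: resilient configuration and password recovery.
    if not has(r"no service password-recovery"):
        findings.append("password recovery enabled: Break-key ROMMON access can bypass the enable secret")
    if not has(r"secure boot-image"):
        findings.append("'secure boot-image' missing: IOS image not protected from deletion")
    if not has(r"secure boot-config"):
        findings.append("'secure boot-config' missing: no archived configuration in the primary bootset")

    # Slide 26: at least one syslog host.
    if not has(r"logging (host )?\d+\.\d+\.\d+\.\d+"):
        findings.append("no syslog host configured ('logging <address>')")
    return findings


# Constructed sample configurations (placeholders, not real device output).
WEAK_CONFIG = """\
ip domain-name span.com
username Bob password 0 cisco
line vty 0 4
 login local
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
service password-encryption
no service password-recovery
secure boot-image
secure boot-config
ip domain-name span.com
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
username Bob secret 0 example-only-secret
logging 10.2.3.2
logging trap informational
line vty 0 4
 login local
 transport input ssh
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg))
```

Run it against the output of show running-config saved to a file; the weak sample produces nine findings and the hardened one none. The RSA modulus size is deliberately not checked here because it does not appear in the configuration; read it from show crypto key mypubkey rsa.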
Using Syslog 
• Implementing Router Logging 
• Syslog 
• Configuring System Logging 
Syslog 
• Syslog servers: Known as log hosts, these systems accept and process log messages from syslog clients. 
• Syslog clients: Routers or other types of equipment that generate and forward log messages to syslog servers. 
Topology used in the example (slide diagram, reduced to text): router R3 is the syslog client. Its interfaces e0/0, e0/1 and e0/2 carry the addresses 10.2.1.1, 10.2.2.1 (DMZ side) and 10.2.3.1 (protected side). The DMZ LAN 10.2.2.0/24 holds the Public Web Server 10.2.2.3, the Mail Server 10.2.2.4 and the Administrator Server 10.2.2.5. The Protected LAN 10.2.3.0/24 holds the Syslog Server 10.2.3.2 and a User at 10.2.3.3. 
Configuring System Logging 
1. Set the destination logging host. The address must be that of the syslog server (10.2.3.2 in the topology above; the slide's example uses 10.2.2.6): 
R3(config)# logging 10.2.2.6 
2. Set the log severity (trap) level. Messages at the configured severity and at every more severe (numerically lower) level are forwarded; informational is level 6, so everything except debugging (7) is sent: 
R3(config)# logging trap informational 
Forwarding also requires logging on (enabled by default). Syslog travels as cleartext UDP, so the server belongs on the protected LAN, as in the topology, not in the DMZ. 
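What the trap level actually passes is easiest to see by running the filter over real-looking messages. The parser below is an added example written for this page, not Cisco code. It recognises the %FACILITY-SEVERITY-MNEMONIC: text shape that IOS messages use (the %SSH-5-ENABLED line on slide 5 is one), applies the same "severity at or below the trap level" rule as logging trap, and then does the first thing a syslog server is usually asked to do with router logs: count repeated SEC_LOGIN-4-LOGIN_FAILED messages per source address. All sample lines are constructed; the addresses come from the topology above, and the %TEST-7-EXAMPLE line is a placeholder standing in for any debugging-level message.

```python
"""Parse IOS syslog lines and apply the 'logging trap' severity filter (added example).

Not Cisco code. Message shape follows the slides: %FACILITY-SEVERITY-MNEMONIC: text,
optionally preceded by a timestamp. The sample lines below are constructed.
"""
import re
from collections import Counter

# IOS severity keywords, indexed by their numeric level (0 = most severe).
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

IOS_MSG = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)")
LOGIN_FIELDS = re.compile(r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\]")


def parse_ios_message(line):
    """Return {'facility', 'severity', 'mnemonic', 'text'}, or None if the line is not an IOS message."""
    m = IOS_MSG.search(line)
    if not m:
        return None
    msg = m.groupdict()
    msg["severity"] = int(msg["severity"])
    return msg


def forwarded(lines, trap_level):
    """Messages a router configured with 'logging trap <trap_level>' sends to the syslog host.

    A trap level admits its own severity and everything more severe (numerically lower),
    so 'informational' (6) forwards 0-6 and drops only debugging (7).
    """
    level = SEVERITIES.index(trap_level) if isinstance(trap_level, str) else trap_level
    return [m for m in map(parse_ios_message, lines) if m and m["severity"] <= level]


def failed_login_sources(messages, threshold=3):
    """Source addresses with at least `threshold` SEC_LOGIN-4-LOGIN_FAILED messages."""
    counts = Counter()
    for m in messages:
        if (m["facility"], m["mnemonic"]) == ("SEC_LOGIN", "LOGIN_FAILED"):
            if f := LOGIN_FIELDS.search(m["text"]):
                counts[f.group("src")] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def _fail(ts, user, src):
    """Constructed login-failure line in the IOS SEC_LOGIN format."""
    return (f"*Dec 13 {ts}: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: {user}] "
            f"[Source: {src}] [localport: 22] [Reason: Login Authentication Failed]")


# Constructed sample; addresses taken from the syslog topology above.
SAMPLE_LINES = [
    "*Dec 13 16:19:12.079: %SSH-5-ENABLED: SSH 1.99 has been enabled",
    _fail("16:20:01.500", "admin", "10.2.3.3"),
    _fail("16:20:04.120", "admin", "10.2.3.3"),
    _fail("16:20:07.900", "cisco", "10.2.3.3"),
    _fail("16:20:30.000", "Bob", "10.2.3.2"),
    "*Dec 13 16:21:00.000: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: Bob] [Source: 10.2.3.2] [localport: 22]",
    "*Dec 13 16:21:05.000: %SYS-5-CONFIG_I: Configured from console by Bob on vty0 (10.2.3.2)",
    "*Dec 13 16:21:10.000: %TEST-7-EXAMPLE: constructed debugging-level line (placeholder facility)",
]

if __name__ == "__main__":
    sent = forwarded(SAMPLE_LINES, "informational")
    print(f"{len(sent)} of {len(SAMPLE_LINES)} lines pass 'logging trap informational'")
    print("repeated login failures:", failed_login_sources(sent))
```

With the trap level at informational, seven of the eight lines reach the server and 10.2.3.3 is flagged for three failed logins; at warnings only the four LOGIN_FAILED messages are sent, and at errors the login failures themselves are dropped, which is why a trap level set too low makes the login-failure detection impossible.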
Monitor Logging Remotely 
• Logs can be viewed through the SDM, or more conveniently through a syslog viewer on any remote system. 
• There are numerous free remote syslog viewers; Kiwi is relatively basic and free. 
• Configure the router, switch or other device to send logs to the IP address of the PC that has Kiwi installed. 
• Kiwi automatically listens for syslog messages and displays them. 
Cisco AutoSecure 
• Initiated from the CLI and executes a script. The AutoSecure feature first makes recommendations for fixing security vulnerabilities, and then modifies the security configuration of the router. 
• Can lock down the management plane functions and the forwarding plane services and functions of a router. 
• Used to provide a baseline security policy on a new router. 
Auto Secure Command 
• Command to start the Cisco AutoSecure feature: 
auto secure [no-interact] 
• In interactive mode, the router prompts with options to enable and disable services and other security features. This is the default mode and can also be requested explicitly with auto secure full. 
• In non-interactive mode (no-interact) the recommended defaults are applied without prompting. Review the resulting running configuration either way: AutoSecure disables services such as CDP that parts of the network may still depend on. 
Auto Secure Command 
router# auto secure [no-interact | full] [forwarding | management] [ntp | login | ssh | firewall | tcp-intercept] 
R1# auto secure ? 
firewall AutoSecure Firewall 
forwarding Secure Forwarding Plane 
full Interactive full session of AutoSecure 
login AutoSecure Login 
management Secure Management Plane 
no-interact Non-interactive session of AutoSecure 
ntp AutoSecure NTP 
ssh AutoSecure SSH 
tcp-intercept AutoSecure TCP Intercept 
<cr> 
R1# 
CCNA Security 05- securing the management plane

Editor's Notes

  • #18: Remember, the aaa new-model command must be configured prior to entering a view.
  • #27: However, if the logging on command is disabled, no messages will be sent to these destinations. Only the console will receive messages.