
hosts in a particular environment. After such a list is generated, port scanning tools can cycle through all well-known ports to provide a complete list of all services that are running on the hosts that the ping sweep discovered. Hackers can then examine the characteristics of active applications, such as service banners and version strings, which can lead to specific information that is useful to a hacker whose intent is to compromise that service.
Keep in mind that reconnaissance attacks are typically the precursor to further attacks with the intention of gaining unauthorized access to a network or disrupting network functionality. A network security professional can detect when a reconnaissance attack is underway by configuring alarms that are triggered when certain parameters are exceeded, such as ICMP echo requests per second from a single source. A Cisco ISR supports the security technologies that enable these types of alarms to be triggered. This is made available by the network-based intrusion prevention functionality supported by Cisco IOS security images running on ISRs.
Host-based intrusion prevention systems and standalone network-based intrusion detection systems can also be used to notify when a reconnaissance attack is occurring.


1.3.2 Access Attacks
Hackers use access attacks on networks or systems for three reasons: to retrieve data, to gain access, and to escalate access privileges.
Access attacks often employ password attacks to guess system passwords. Password attacks can be implemented using several methods, including brute-force attacks, Trojan horse programs, IP spoofing, and packet sniffers. However, most password attacks are brute-force or dictionary attacks: repeated login attempts that work through a wordlist, or the whole keyspace, to identify a valid user account and password.
A brute-force attack is often performed using a program that runs across the network and attempts to log in to a shared resource, such as a server. After an attacker gains access to a resource, the attacker has the same access rights as the user whose account was compromised. If this account has sufficient privileges, the attacker can create a back door for future access that survives any status and password changes to the compromised user account.
As an example, an attacker can run the L0phtCrack, or LC5, application to perform a brute-force attack to obtain a Windows server password. When the password is obtained, the attacker can install a keylogger, which sends a copy of all keystrokes to a desired destination. Or, a Trojan horse can be installed to send a copy of all packets sent and received by the target to a particular destination, thus enabling the monitoring of all the traffic to and from that server.
There are five types of access attacks:

• Password attack - An attacker attempts to guess system passwords. A common example is a dictionary attack.
• Trust exploitation - An attacker uses privileges granted to a system in an unauthorized way, possibly leading to compromising the target.
• Port redirection - A compromised system is used as a jump-off point for attacks against other targets. An intrusion tool is installed on the compromised system for session redirection.
• Man-in-the-middle attack - An attacker is positioned in the middle of communications between two legitimate entities in order to read or modify the data that passes between the two parties. A popular man-in-the-middle attack involves a laptop acting as a rogue access point to capture and copy all network traffic from a targeted user. Often the user is in a public location on a wireless hotspot.
• Buffer overflow - A program writes data beyond the allocated buffer memory. Buffer overflows usually arise as a consequence of a bug in a C or C++ program. A result of the overflow is that valid data is overwritten or exploited to enable the execution of malicious code.

20 CCNA Security Course Booklet, Version 1.0
Access attacks in general can be detected by reviewing logs, bandwidth utilization, and process loads. The network security policy should specify that logs are formally maintained for all network devices and servers. By reviewing logs, security personnel can determine if an unusual number of failed login attempts have occurred. Software packages such as ManageEngine EventLog Analyzer or Cisco Secure Access Control Server (CSACS) maintain information regarding failed login attempts to network devices. UNIX and Windows servers also keep a log of failed login attempts. Cisco routers and firewall devices can be configured to block login attempts from a particular source for a given time after a prescribed number of failures within a specified interval.
Man-in-the-middle attacks often involve replicating data. An indication of such an attack is an unusual amount of network activity and bandwidth utilization, as indicated by network monitoring software.
Similarly, an access attack that has compromised a system is often revealed by sluggish performance or unexpected process loads, for example from a buffer overflow exploit being retried repeatedly, which can be seen in the process list on a Windows or UNIX system.
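One way to do the log review described above, as an added example that is not part of the course booklet: a small Python script that picks failed-login records out of both OpenSSH host logs and Cisco IOS login-failure messages, then reports the sources that exceed a threshold inside a sliding time window. The log lines are constructed for the example, and the policy of five failures within five minutes is an assumed value to be tuned per site.

```python
"""Flag sources with an unusual number of failed logins (added example).

The log lines, the threshold and the window are constructed/assumed; tune
them to the site's own policy.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog records: six rapid failures plus one router
# failure from 198.51.100.7, and two widely spaced failures from a legitimate
# user at 192.0.2.44.  Not real captures.
SAMPLE_LOG = """\
Mar  3 10:01:02 srv1 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Mar  3 10:01:04 srv1 sshd[2203]: Failed password for root from 198.51.100.7 port 40130 ssh2
Mar  3 10:01:05 srv1 sshd[2205]: Failed password for root from 198.51.100.7 port 40131 ssh2
Mar  3 10:01:07 srv1 sshd[2207]: Failed password for root from 198.51.100.7 port 40133 ssh2
Mar  3 10:01:09 srv1 sshd[2209]: Failed password for oracle from 198.51.100.7 port 40135 ssh2
Mar  3 10:01:11 srv1 sshd[2211]: Failed password for root from 198.51.100.7 port 40136 ssh2
Mar  3 10:02:00 R1 47: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed]
Mar  3 10:05:00 srv1 sshd[2250]: Accepted password for jdoe from 192.0.2.44 port 51000 ssh2
Mar  3 10:20:00 srv1 sshd[2300]: Failed password for jdoe from 192.0.2.44 port 51010 ssh2
Mar  3 10:45:00 srv1 sshd[2350]: Failed password for jdoe from 192.0.2.44 port 51020 ssh2
"""

TIMESTAMP_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})")
FAILURE_PATTERNS = [
    # OpenSSH: "Failed password for [invalid user] NAME from ADDR port N ssh2"
    re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[0-9.]+)"),
    # Cisco IOS login enhancements: "%SEC_LOGIN-4-LOGIN_FAILED: ... [user: NAME] [Source: ADDR]"
    re.compile(r"%SEC_LOGIN-4-LOGIN_FAILED: .*\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[0-9.]+)\]"),
]


def parse_failures(log_text):
    """Return (timestamp, source, user) for every failed-login record."""
    events = []
    for line in log_text.splitlines():
        ts_match = TIMESTAMP_RE.match(line)
        if not ts_match:
            continue
        # syslog timestamps carry no year; relative ordering is all we need here
        ts = datetime.strptime(ts_match.group("ts"), "%b %d %H:%M:%S")
        for pattern in FAILURE_PATTERNS:
            m = pattern.search(line)
            if m:
                events.append((ts, m.group("src"), m.group("user")))
                break
    return events


def flag_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Map source -> peak number of failures seen inside any window of the given length.

    Only sources whose peak reaches the threshold are returned.  Two indices
    sliding over the sorted timestamps keep this linear per source.
    """
    times_by_src = defaultdict(list)
    for ts, src, _user in sorted(events):
        times_by_src[src].append(ts)
    flagged = {}
    for src, times in times_by_src.items():
        start = 0
        peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, count in flag_sources(parse_failures(SAMPLE_LOG)).items():
        print(f"{src}: {count} failed logins within 5 minutes")
```

The legitimate user's two mistyped passwords, 25 minutes apart, never reach the threshold, while the guessing source is reported with seven failures in the window. On the router itself the enhanced login features (login block-for) implement the lockout described above; this script covers the log-review side.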


1.3.3 Denial of Service Attacks
A DoS attack is a network attack that results in some sort of interruption of service to users, devices, or applications. Several mechanisms can generate a DoS attack. The simplest method is to generate large amounts of what appears to be valid network traffic. This type of network DoS attack saturates the network so that valid user traffic cannot get through.
A DoS attack takes advantage of the fact that target systems such as servers must maintain state information. Applications may rely on expected buffer sizes and specific content of network packets. A DoS attack can exploit this by sending packet sizes or data values that are not expected by the receiving application.
There are two major reasons a DoS attack occurs:

• A host or application fails to handle an unexpected condition, such as maliciously formatted input data, an unexpected interaction of system components, or simple resource exhaustion.
• A network, host, or application is unable to handle an enormous quantity of data, causing the system to crash or become extremely slow.
DoS attacks attempt to compromise the availability of a network, host, or application. They are considered a major risk because they can easily interrupt a business process and cause significant loss. These attacks are relatively simple to conduct, even by an unskilled attacker.
One example of a DoS attack is sending a poisonous packet. A poisonous packet is an improperly formatted packet designed to cause the receiving device to process the packet in an improper fashion. The poisonous packet causes the receiving device to crash or run very slowly. This attack can cause all communications to and from the device to be disrupted.

Chapter 1: Modern Network Security Threats 21
In another example, an attacker sends a continuous stream of packets, which overwhelms the available bandwidth of network links. In most cases, it is impossible to differentiate between the attacker and legitimate traffic and to trace an attack quickly back to its source. If many systems in the Internet core are compromised, the attacker may be able to take advantage of virtually unlimited bandwidth to unleash packet storms toward desired targets.
A Distributed Denial of Service Attack (DDoS) is similar in intent to a DoS attack, except that a DDoS attack originates from multiple coordinated sources. In addition to increasing the amount of network traffic from multiple distributed attackers, a DDoS attack also presents the challenge of requiring the network defense to identify and stop each distributed attacker.
As an example, a DDoS attack could proceed as follows. A hacker scans for systems that are accessible. After the hacker accesses several "handler" systems, the hacker installs zombie software on them. Zombies then scan and infect agent systems. When the hacker accesses the agent systems, the hacker loads remote-control attack software to carry out the DDoS attack.
It is useful to detail three common DoS attacks to get a better understanding of how DoS attacks work.
Ping of Death
In a ping of death attack, a hacker sends an echo request in an IP packet larger than the maximum packet size of 65,535 bytes. Because no single packet can be that large, the oversized datagram is sent as fragments; reassembling them overruns the target's buffer and can crash the target computer. A variant of this attack is to crash a system by sending ICMP fragments, which fill the reassembly buffers of the target.
Smurf Attack
In a smurf attack, a perpetrator sends a large number of ICMP echo requests to directed broadcast addresses, all with the source address spoofed to that of the victim. If the routing device delivering traffic to those broadcast addresses forwards the directed broadcasts, all hosts on the destination networks send ICMP echo replies to the spoofed source, multiplying the traffic by the number of hosts on the networks. On a multi-access broadcast network, hundreds of machines might reply to each packet.
TCP SYN Flood
In a TCP SYN flood attack, a flood of TCP SYN packets is sent, often with a forged sender address. Each packet is handled like a connection request, causing the server to spawn a half-open connection by sending back a TCP SYN-ACK packet and waiting for a packet in response from the sender address. However, because the sender address is forged, the response never comes. These half-open connections saturate the number of available connections the server is able to make, keeping it from responding to legitimate requests until after the attack ends.
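The three patterns just described, expressed as detection logic over packet records, as an added example that is not from the course booklet. Each record is a dictionary carrying the few header fields a capture tool exposes; the records, the local prefixes, and the thresholds (20 SYNs with at least 90 percent left half-open) are constructed for the example.

```python
"""Spot the three DoS patterns above in a list of packet records (added example).

Each record is a dict with the handful of header fields a capture tool would
expose; the records and thresholds are constructed for the example.
"""
import ipaddress
from collections import defaultdict

# Assumed local prefixes whose directed-broadcast addresses a smurf attack would target.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("198.51.100.0/24")]
MAX_IP_DATAGRAM = 65535  # largest total length an IPv4 datagram can declare


def icmp(src, dst, icmp_type=8, ip_id=0, frag_off=0, payload_len=64):
    return {"proto": "icmp", "src": src, "dst": dst, "icmp_type": icmp_type,
            "ip_id": ip_id, "frag_off": frag_off, "payload_len": payload_len}


def tcp(src, dst, sport, flags):
    return {"proto": "tcp", "src": src, "dst": dst, "sport": sport, "flags": flags}


def ping_of_death(records):
    """Fragment streams whose reassembled size would exceed 65,535 bytes."""
    reassembled = defaultdict(int)
    for r in records:
        if r["proto"] != "icmp":
            continue
        key = (r["src"], r["dst"], r["ip_id"])
        end = r["frag_off"] * 8 + r["payload_len"]  # fragment offset is in 8-byte units
        reassembled[key] = max(reassembled[key], end)
    return {k: v for k, v in reassembled.items() if v > MAX_IP_DATAGRAM}


def smurf_requests(records):
    """ICMP echo requests aimed at a directed-broadcast address, keyed by
    (claimed source, broadcast address, source-is-on-that-network)."""
    broadcasts = {str(n.broadcast_address): n for n in LOCAL_NETS}
    hits = defaultdict(int)
    for r in records:
        if r["proto"] == "icmp" and r["icmp_type"] == 8 and r["dst"] in broadcasts:
            on_net = ipaddress.ip_address(r["src"]) in broadcasts[r["dst"]]
            hits[(r["src"], r["dst"], on_net)] += 1
    return dict(hits)


def syn_flood(records, min_syns=20, half_open_ratio=0.9):
    """Destinations where most SYNs never got the handshake-completing ACK."""
    syns, acks = defaultdict(set), defaultdict(set)
    for r in records:
        if r["proto"] != "tcp":
            continue
        flow = (r["src"], r["sport"])
        if r["flags"] == "S":
            syns[r["dst"]].add(flow)
        elif r["flags"] == "A":
            acks[r["dst"]].add(flow)
    result = {}
    for dst, flows in syns.items():
        half_open = flows - acks[dst]
        if len(flows) >= min_syns and len(half_open) / len(flows) >= half_open_ratio:
            result[dst] = (len(half_open), len(flows))
    return result


# Constructed traffic: one oversized fragmented ping, a normal ping, 30 echo
# requests to the 192.0.2.0/24 broadcast claiming to be from 192.0.2.10,
# 50 SYNs from different addresses to 192.0.2.80 with no ACKs, and one
# legitimate handshake to the same server.
SAMPLE = [
    icmp("203.0.113.5", "192.0.2.10", ip_id=99, frag_off=0, payload_len=1480),
    icmp("203.0.113.5", "192.0.2.10", ip_id=99, frag_off=8180, payload_len=1500),
    icmp("192.0.2.20", "192.0.2.10"),
]
SAMPLE += [icmp("192.0.2.10", "192.0.2.255") for _ in range(30)]
SAMPLE += [tcp(f"203.0.113.{i}", "192.0.2.80", 1000 + i, "S") for i in range(1, 51)]
SAMPLE += [tcp("192.0.2.20", "192.0.2.80", 50000, "S"), tcp("192.0.2.20", "192.0.2.80", 50000, "A")]

if __name__ == "__main__":
    print("ping of death:", ping_of_death(SAMPLE))
    print("smurf:", smurf_requests(SAMPLE))
    print("syn flood:", syn_flood(SAMPLE))
```

The smurf check keys on the broadcast destination rather than the source, because the source is exactly the field the attacker controls; the flag in the key records whether the claimed source sits on the amplifier network. The SYN check counts flows, not packets, so a legitimate client that retransmits its SYN is not mistaken for an attacker.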
The TCP SYN flood, ping of death, and smurf attacks demonstrate how devastating a DoS attack can be. To date, hundreds of DoS attacks have been documented. There are five basic ways that DoS attacks can do harm:

• Consumption of resources, such as bandwidth, disk space, or processor time
• Disruption of configuration information, such as routing information
• Disruption of state information, such as unsolicited resetting of TCP sessions
• Disruption of physical network components
• Obstruction of communication between the victim and others
It is usually not difficult to determine if a DoS attack is occurring. A large number of complaints about not being able to access resources is a first sign of a DoS attack. To detect attacks early and limit their impact, a network utilization monitoring package should be running at all times. This should also be required by the network security policy. A network utilization graph showing unusual activity could indicate a DoS attack.
Keep in mind that DoS attacks could be a component of a larger offensive. DoS attacks can lead to problems in the network segments of the computers being attacked. For example, the packet-per-second capacity of a router between the Internet and a LAN might be exceeded by an attack, compromising not only the target system but also the entire network. If the attack is conducted on a sufficiently large scale, entire geographical regions of Internet connectivity could be compromised.
Not all service outages, even those that result from malicious activity, are necessarily DoS attacks. In any case, DoS attacks are among the most dangerous types of attacks, and it is critical that a network security professional act quickly to mitigate the effects of such attacks.


1.3.4 Mitigating Network Attacks
There are a variety of network attacks, network attack methodologies, and categorizations of network attacks. The important question is, "How do I mitigate these network attacks?"
The type of attack, as specified by the categorization of reconnaissance, access, or DoS attack, determines the means of mitigating a network threat.
Reconnaissance attacks can be mitigated in several ways.
Using strong authentication is a first option for defense against packet sniffers. Strong authentication is a method of authenticating users that cannot easily be circumvented. A One-Time Password (OTP) is a form of strong authentication: a sniffed OTP is worthless to the attacker because it is rejected if presented a second time. OTP systems are typically deployed as part of two-factor authentication. Two-factor authentication combines something one has, such as a token card, with something one knows, such as a PIN. Automated teller machines (ATMs) use two-factor authentication.
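To make the sniffing argument concrete, an added example that is not from the course booklet: the event-based one-time password algorithm of RFC 4226 (HOTP), paired with a server-side verifier that demands the PIN as the second factor, tolerates a small counter look-ahead, and refuses any code that has already been consumed, which is what defeats a replayed capture. The token secret is the RFC's published test key; the user name and PIN are made up for the example.

```python
"""HOTP (RFC 4226) with a two-factor, replay-resistant verifier (added example)."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA-1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


class HotpVerifier:
    """Server side: something you have (token secret) plus something you know (PIN).

    The stored counter only moves forward, so a code that was sniffed and
    presented again is rejected even though it was valid once.
    """

    def __init__(self, users, look_ahead=3):
        # users: name -> (token secret, PIN); counters start at 0 on enrolment
        self._users = {u: {"secret": s, "pin": p, "next": 0} for u, (s, p) in users.items()}
        self._look_ahead = look_ahead

    def verify(self, user, pin, code):
        rec = self._users.get(user)
        if rec is None:
            return False
        pin_ok = hmac.compare_digest(pin.encode(), rec["pin"].encode())
        matched = None
        # tolerate a few skipped codes (token button pressed without logging in)
        for counter in range(rec["next"], rec["next"] + self._look_ahead):
            if hmac.compare_digest(hotp(rec["secret"], counter), code):
                matched = counter
        if not pin_ok or matched is None:
            return False  # no hint about which factor failed
        rec["next"] = matched + 1  # burn this code and every earlier one
        return True


# RFC 4226 Appendix D test key; the user name and PIN are constructed values.
RFC_SECRET = b"12345678901234567890"
DEMO_USERS = {"alice": (RFC_SECRET, "1234")}

if __name__ == "__main__":
    v = HotpVerifier(DEMO_USERS)
    first = hotp(RFC_SECRET, 0)
    print(first, v.verify("alice", "1234", first))  # 755224 True
    print(first, v.verify("alice", "1234", first))  # 755224 False (replayed)
```

A wrong PIN does not advance the counter, so a guess at the PIN cannot be used to burn the user's next codes; both factors are compared with constant-time comparisons. The look-ahead window is the usual trade-off between tolerating a desynchronised token and limiting how many codes an attacker can try from a captured one.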
Encryption is also effective for mitigating packet sniffer attacks. If traffic is encrypted, it is practically irrelevant if a packet sniffer is being used because the captured data is not readable.
Antisniffer software and hardware tools detect changes in the response time of hosts to determine whether the hosts are processing more traffic than their own traffic loads would indicate. While this does not completely eliminate the threat, as part of an overall mitigation system, it can reduce the number of instances of threat.
A switched infrastructure is the norm today, which makes it difficult to capture any data except that on your immediate collision domain, which probably contains only one host. A switched infrastructure does not eliminate the threat of packet sniffers, but can greatly reduce the sniffer's effectiveness. An attacker who can poison ARP tables or flood the switch's MAC address table can still redirect traffic to a sniffer, which is why the switch features listed later in this section (Dynamic ARP Inspection and port security) matter.
Port scanning cannot be prevented outright, but using an IPS and firewall can limit the information that can be discovered with a port scanner. Ping sweeps can be stopped if ICMP echo and echo-reply are turned off on edge routers. However, when these services are turned off, network diagnostic data is lost. Additionally, port scans can be run without full ping sweeps. The scans simply take longer because inactive IP addresses are also scanned.
Network-based IPS and host-based IPS can usually notify an administrator when a reconnaissance attack is under way. This warning enables the administrator to better prepare for the coming attack or to notify the ISP from which the reconnaissance probe is being launched.
Several techniques are also available for mitigating access attacks.
A surprising number of access attacks are carried out through simple password guessing or brute-force dictionary attacks against passwords. The use of encrypted or hashed authentication protocols, along with a strong password policy, greatly reduces the probability of successful access attacks. There are specific practices that help to ensure a strong password policy:

• Disabling accounts after a specific number of unsuccessful logins. This practice helps to prevent continuous password attempts.
• Not using plaintext passwords. Use either a one-time password (OTP) or encrypted password.
• Using strong passwords. Strong passwords are at least eight characters and contain uppercase letters, lowercase letters, numbers, and special characters.
The principle of minimum trust should also be designed into the network structure. This means that systems should not trust one another unnecessarily. For example, if an organization has a server that is used by less trusted devices, such as web servers, the trusted device (the server) should not trust the less trusted devices (the web servers) unconditionally.
Cryptography is a critical component of any modern secure network. Using encryption for remote access to a network is recommended. Routing protocol traffic should also be protected: at a minimum, routing updates should be authenticated so that a forged update is rejected, and encrypted where the protocol supports it. The more that traffic is encrypted, the less opportunity hackers have for intercepting data with man-in-the-middle attacks.
Companies with a high-profile Internet presence should plan in advance how to respond to potential DoS attacks. Historically, many DoS attacks were sourced from spoofed source addresses. These types of attacks can be thwarted using antispoofing technologies on perimeter routers and firewalls. Many DoS attacks today are distributed DoS attacks carried out by compromised hosts on several networks. Mitigating DDoS attacks requires careful diagnostics, planning, and cooperation from ISPs.
The most important elements for mitigating DoS attacks are firewalls and IPSs. Both host-based and network-based IPSs are strongly recommended.
Cisco routers and switches support a number of antispoofing technologies, such as port security, DHCP snooping, IP Source Guard, Dynamic ARP Inspection, and ACLs.
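The ACL half of that antispoofing list, as an added example that is not from the course booklet: Python that applies the same two decisions an edge router's interface ACLs would encode, dropping packets that arrive from the Internet claiming an inside or unroutable (RFC 1918, loopback, link-local, multicast) source, and dropping packets leaving the inside that do not carry one of the organization's own prefixes so that a compromised inside host cannot take part in a spoofed-source DoS. The inside prefix and the sample packets are assumed values.

```python
"""Edge-router antispoofing decisions in Python (added example).

INSIDE_NETS and the bogon list are assumed values; the checks are what a
pair of ACLs on the outside and inside interfaces of an edge router encode.
"""
import ipaddress

INSIDE_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed: the organization's own prefix
# Sources that should never arrive from the Internet: unspecified, private,
# loopback, link-local, multicast and reserved space.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def ingress_decision(src):
    """Outside interface, inbound: (permit?, reason)."""
    addr = ipaddress.ip_address(src)
    if _in_any(addr, INSIDE_NETS):
        return False, "spoofed: inside address arriving from outside"
    if _in_any(addr, BOGON_NETS):
        return False, "bogon: unroutable source"
    return True, "permit"


def egress_decision(src):
    """Inside interface, inbound towards the Internet: only our own prefixes may leave."""
    addr = ipaddress.ip_address(src)
    if _in_any(addr, INSIDE_NETS):
        return True, "permit"
    return False, "spoofed: source is not one of our prefixes"


def filter_packets(packets):
    """packets: iterable of (interface, src).  Returns a list of (src, permitted, reason)."""
    out = []
    for iface, src in packets:
        decide = ingress_decision if iface == "outside" else egress_decision
        permitted, reason = decide(src)
        out.append((src, permitted, reason))
    return out


# Constructed sample packets: (arriving interface, source address)
SAMPLE_PACKETS = [
    ("outside", "203.0.113.9"),   # ordinary Internet source
    ("outside", "192.0.2.50"),    # claims to be inside: spoofed
    ("outside", "10.4.4.4"),      # RFC 1918 source: bogon
    ("inside", "192.0.2.50"),     # our own host going out
    ("inside", "198.51.100.7"),   # inside host spoofing someone else's address
]

if __name__ == "__main__":
    for src, ok, why in filter_packets(SAMPLE_PACKETS):
        print(f"{src:15} {'permit' if ok else 'deny  '} {why}")
```

On Cisco IOS the ingress half can also be done without maintaining a prefix list by enabling unicast reverse path forwarding on the outside interface (ip verify unicast source reachable-via rx), which drops a packet whose source would not be routed back out the interface it arrived on; the bogon list still has to be kept current by hand.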
Lastly, although Quality of Service (QoS) is not designed as a security technology, one of its applications, traffic policing, can be used to limit ingress traffic from any given customer on an edge router. This limits the impact a single source can have on ingress bandwidth utilization.
Defending your network against attack requires constant vigilance and education. There are 10 best practices that represent the best insurance for your network.

Step 1. Keep patches up to date by installing them weekly or daily, if possible, to prevent buffer overflow and privilege escalation attacks.
Step 2. Shut down unnecessary services and ports.
Step 3. Use strong passwords and change them often.
Step 4. Control physical access to systems.
Step 5. Avoid unnecessary web page inputs. Some websites allow users to enter usernames and passwords. A hacker can enter more than just a username. For example, if the server hands the field to a shell, entering "jdoe; rm -rf /" might allow an attacker to delete the entire file system of a UNIX server. Programmers should validate input against an allowlist of permitted characters and reject metacharacters such as | ; < > rather than passing them on to a command interpreter.
Step 6. Perform backups and test the backed up files on a regular basis.
Step 7. Educate employees about the risks of social engineering, and develop strategies to validate identities over the phone, via email, or in person.
Step 8. Encrypt and password-protect sensitive data.
Step 9. Implement security hardware and software such as firewalls, IPSs, virtual private network (VPN) devices, anti-virus software, and content filtering.
Step 10. Develop a written security policy for the company.
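The input problem from Step 5, as an added example that is not from the course booklet: a finger lookup stands in for any server-side command built from a web form field. The vulnerable form splices the field into a command string; the hardened form validates the value against an allowlist and passes it as a single argv element with no shell involved. The username pattern is an assumed site policy, and the dangerous string is only tokenised here, never executed.

```python
"""Why "jdoe; rm -rf /" matters, and how to refuse it (added example).

The finger lookup stands in for any server-side command built from a web form
field; nothing here executes the hostile string, it is only tokenised.
"""
import re
import shlex
import subprocess

# Allowlist for login names; an assumed site policy, not a universal rule.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def shell_command_unsafe(username):
    """The vulnerable pattern: user input spliced into a string a shell will parse.
    Returned rather than executed so the example is safe to run."""
    return "finger " + username


def shell_tokens(command):
    """Tokenise the way /bin/sh would, so operators such as ';' and '|' become separate words."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def validate_username(username):
    """Reject anything outside the allowlist instead of trying to strip bad characters."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError(f"invalid username: {username!r}")
    return username


def argv_safe(username):
    """Hardened form: the validated value is a single argv element and no shell is involved."""
    return ["finger", validate_username(username)]


def run_safe(username):
    # shell=False means the operating system sees exactly this argv, never a command line
    return subprocess.run(argv_safe(username), shell=False,
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    hostile = "jdoe; rm -rf /"
    print(shell_tokens(shell_command_unsafe(hostile)))  # ['finger', 'jdoe', ';', 'rm', '-rf', '/']
    try:
        argv_safe(hostile)
    except ValueError as err:
        print("rejected:", err)
```

Tokenising shows what the shell would actually run: two commands, the second of them rm. The allowlist is deliberately stricter than "no semicolons", because a denylist always misses the next metacharacter (backticks, $( ), newlines) and because the argv form makes the shell's parsing irrelevant in the first place.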

These methods are only a starting point for sound security management. Organizations must remain vigilant at all times to defend against continually evolving threats.
Using these proven methods of securing a network and applying the knowledge gained in this chapter, you are now prepared to begin deploying network security solutions. One of the first deployment considerations involves securing access to network devices.




Chapter Summary
Refer to Packet Tracer Activity for this chapter
Refer to Lab Activity for this chapter

Your Chapter Notes
CHAPTER 2

Securing Network Devices




Chapter Introduction
Securing outgoing network traffic and scrutinizing incoming traffic are critical aspects of network security. Securing the edge router, which connects to the outside network, is an important first step in securing the network.
Device hardening is an essential task that must never be overlooked. It involves implementing proven methods for physically securing the router and protecting the router's administrative access using the Cisco IOS command-line interface (CLI) as well as the Cisco Router and Security Device Manager (SDM). Some of these methods involve securing administrative access, including maintaining passwords, configuring enhanced virtual login features, and implementing Secure Shell (SSH). Because not all information technology personnel should have the same level of access to the infrastructure devices, defining administrative roles in terms of access is another important aspect of securing infrastructure devices.
Securing the management and reporting features of Cisco IOS devices is also important. Recommended practices for securing syslog, using Simple Network Management Protocol (SNMP), and configuring Network Time Protocol (NTP) are examined.
Many router services are enabled by default. A number of these features are enabled for historical reasons but are no longer required today. This chapter discusses some of these services and examines router configurations with the Security Audit feature of Cisco SDM. This chapter also examines the one-step lockdown Cisco SDM feature and the auto secure command, which can be used to automate device hardening tasks.
A hands-on lab for the chapter, Securing the Router for Administrative Access, is a very comprehensive lab that provides an opportunity to practice the wide-ranging security features introduced in this chapter. The lab introduces the various means of securing administrative access to a router, including password best practices, appropriate banner configuration, enhanced login features, and SSH. The role-based CLI access feature relies on creating views as a means of providing different levels of access to routers. The Cisco IOS Resilient Configuration feature permits securing router images and configuration files. Syslog and SNMP are used for management reporting. Cisco AutoSecure is an automated tool for securing Cisco routers using the CLI. The SDM Security Audit feature provides similar functionality to AutoSecure. The lab is found in the lab manual on Academy Connection at cisco.netacad.net.
A Packet Tracer activity, Configure Cisco Routers for Syslog, NTP, and SSH Operations, provides learners additional practice implementing the technologies introduced in this chapter. In particular, learners configure routers with NTP, syslog, timestamp logging of messages, local user accounts, exclusive SSH connectivity, and RSA key pairs for SSH servers. Using SSH client access from a Windows PC and from a Cisco router is also explored. Packet Tracer activities for CCNA Security are found on Academy Connection at cisco.netacad.net.




2.1 Securing Device Access
2.1.1 Securing the Edge Router
Securing the network infrastructure is critical to overall network security. The network infrastructure includes routers, switches, servers, endpoints, and other devices.
Consider a disgruntled employee casually looking over the shoulder of a network administrator while the administrator is logging in to an edge router. This is known as shoulder surfing, and it is a surprisingly easy way for an attacker to gain unauthorized access.
If an attacker gains access to a router, the security and management of the entire network can be compromised, leaving servers and endpoints at risk. It is critical that the appropriate security policies and controls be implemented to prevent unauthorized access to all infrastructure devices. Although all infrastructure devices are at risk, routers are a primary target for network attackers. This is because routers act as traffic police, directing traffic into, out of, and between networks.
The edge router is the last router between the internal network and an untrusted network such as the Internet. All of an organization's Internet traffic goes through this edge router; therefore, it often functions as the first and last line of defense for a network. Through initial and final filtering, the edge router helps to secure the perimeter of a protected network. It is also responsible for implementing security actions that are based on the security policies of the organization. For these reasons, securing network routers is imperative.
The edge router implementation varies depending on the size of the organization and the complexity of the required network design. Router implementations can include a single router protecting an entire inside network or a router as the first line of defense in a defense-in-depth approach.
Single Router Approach
In the single router approach, a single router connects the protected network, or internal LAN, to the Internet. All security policies are configured on this device. This is more commonly deployed in smaller site implementations such as branch and SOHO sites. In smaller networks, the required security features can be supported by ISRs without impeding the router's performance capabilities.
Defense-in-Depth Approach
A defense-in-depth approach is more secure than the single router approach. In this approach, the edge router acts as the first line of defense and is known as a screening router. It passes all connections that are intended for the internal LAN to the firewall.
The second line of defense is the firewall. The firewall typically picks up where the edge router leaves off and performs additional filtering. It provides additional access control by tracking the state of the connections and acts as a checkpoint device.
The edge router has a set of rules specifying which traffic it allows and denies. By default, the firewall denies the initiation of connections from the outside (untrusted) networks to the inside (trusted) network. However, it allows the internal users to establish connections to the untrusted networks and permits the responses to come back through the firewall. It can also perform user authentication (authentication proxy) where users must be authenticated to gain access to network resources.
DMZ Approach
A variation of the defense-in-depth approach is to offer an intermediate area, often called the de-
militarized zone (DMZ). The DMZ can be used for servers that must be accessible from the Inter-
net or some other external network. The DMZ can be set up between two routers, with an internal
router connecting to the protected network and an external router connecting to the unprotected
network, or simply be an additional port off of a single router. The firewall, located between the
protected and unprotected networks, is set up to permit the required connections (for example,
HTTP) from the outside (untrusted) networks to the public servers in the DMZ. The firewall serves
Chapter 2: Securing Network Devices 29




as the primary protection for all devices on the DMZ. In the DMZ approach, the router provides
some protection by filtering some traffic, but leaves the bulk of the protection to the firewall.
(The focus of this course is on ISR security features, including explanations of how to configure these features. With respect to the Cisco Adaptive Security Appliance (ASA), the discussion is limited to design implementation in this course. For ASA device configuration, see www.cisco.com.)
Securing the edge router is a critical first step in securing the network. If there are other internal routers, they must be securely configured as well. Three areas of router security must be maintained.
Physical Security
Provide physical security for the routers:

• Place the router and physical devices that connect to it in a secure locked room that is accessible only to authorized personnel, is free of electrostatic or magnetic interference, has fire suppression, and has controls for temperature and humidity.
• Install an uninterruptible power supply (UPS) and keep spare components available. This reduces the possibility of a DoS attack from power loss to the building.

Operating System Security
Secure the features and performance of the router operating systems:

• Configure the router with the maximum amount of memory possible. The availability of memory can help protect the network from some DoS attacks, while supporting the widest range of security services.
• Use the latest stable version of the operating system that meets the feature requirements of the network. Security features in an operating system evolve over time. Keep in mind that the latest version of an operating system might not be the most stable version available.
• Keep a secure copy of the router operating system image and router configuration file as a backup.

Router Hardening
Eliminate potential abuse of unused ports and services:

• Secure administrative control. Ensure that only authorized personnel have access and that their level of access is controlled.
• Disable unused ports and interfaces. Reduce the number of ways a device can be accessed.
• Disable unnecessary services. Similar to many computers, a router has services that are enabled by default. Some of these services are unnecessary and can be used by an attacker to gather information or for exploitation.
Administrative access is required for router management purposes; therefore, securing administrative access is an extremely important security task. If an unauthorized person were to gain administrative access to a router, that person could alter routing parameters, disable routing functions, or discover and gain access to other systems in the network.
Several important tasks are involved in securing administrative access to an infrastructure device:

• Restrict device accessibility - Limit the accessible ports, restrict the permitted communicators, and restrict the permitted methods of access.
• Log and account for all access - For auditing purposes, record anyone who accesses a device, including what occurs and when.
• Authenticate access - Ensure that access is granted only to authenticated users, groups, and services. Limit the number of failed login attempts and the time between logins.
• Authorize actions - Restrict the actions and views permitted by any particular user, group, or service.
• Present legal notification - Display a legal notice, developed in conjunction with company legal counsel, for interactive sessions.
• Ensure the confidentiality of data - Protect locally stored sensitive data from viewing and copying. Consider the vulnerability of data in transit over a communication channel to sniffing, session hijacking, and man-in-the-middle (MITM) attacks.
There are two ways to access a device for administrative purposes, locally and remotely.
All network infrastructure devices can be accessed locally. Local access to a router usually requires a direct connection to a console port on the Cisco router using a computer that is running terminal emulation software.
Some network devices can be accessed remotely. Remote access typically involves allowing Telnet, Secure Shell (SSH), HTTP, HTTPS, or Simple Network Management Protocol (SNMP) connections to the router from a computer. The computer can be on the same subnet or a different subnet. Some remote access protocols (Telnet, HTTP, and SNMP versions 1 and 2c among them) send the data, including usernames and passwords, to the router in plaintext. If an attacker can collect network traffic while an administrator is remotely logged in to a router, the attacker can capture passwords or router configuration information.
For this reason, it is preferable to allow only local access to the router. However, remote access might still be necessary. When accessing the network remotely, a few precautions should be taken:

• Encrypt all traffic between the administrator computer and the router. For example, instead of using Telnet, use SSH. Or instead of using HTTP, use HTTPS.
• Establish a dedicated management network. The management network should include only identified administration hosts and connections to a dedicated interface on the router.
• Configure a packet filter to allow only the identified administration hosts and preferred protocols to access the router. For example, permit only SSH requests from the IP address of the administration host to initiate a connection to the routers in the network.

These precautions are valuable, but they do not protect the network completely. Other lines of defense must also be implemented. One of the most basic and important is the use of a secure password.


2.1.2 Configuring Secure Administrative Access
Attackers deploy various methods of discovering administrative passwords. They can shoulder
surf, attempt to guess passwords based on the user™s personal information, or sniff TFTP packets
containing plaintext configuration files. Attackers can also use tools such as L0phtCrack and Cain
& Abel to attempt brute force attacks and guess passwords.
To protect assets such as routers and switches, follow these common guidelines for choosing
strong passwords. These guidelines are designed to make passwords less easily discovered by in-
telligent guessing and cracking tools:

- Use a password length of 10 or more characters. The longer, the better.
Chapter 2: Securing Network Devices 31

- Make passwords complex. Include a mix of uppercase and lowercase letters, numbers,
  symbols, and spaces.
- Avoid passwords based on repetition, dictionary words, letter or number sequences,
  usernames, relative or pet names, biographical information, such as birthdates, ID numbers,
  ancestor names, or other easily identifiable pieces of information.
- Deliberately misspell a password. For example, Smith = Smyth = 5mYth or Security =
  5ecur1ty.
- Change passwords often. If a password is unknowingly compromised, the window of
  opportunity for the attacker to use the password is limited.
- Do not write passwords down and leave them in obvious places such as on the desk or
  monitor.

On Cisco routers and many other systems, password-leading spaces are ignored, but spaces after
the first character are not ignored. Therefore, one method to create a strong password is to use the
space bar in the password and create a phrase made of many words. This is called a pass phrase. A
pass phrase is often easier to remember than a simple password. It is also longer and harder to
guess.
Administrators should ensure that strong passwords are used across the network. One way to ac-
complish this is to use the same cracking and brute force attack tools that attackers use as a way to
verify password strength.
Many access ports require passwords on a Cisco router, including the console port, auxiliary port,
and virtual terminal connections. Password management in a large network should be maintained
using a central TACACS+ or RADIUS authentication server such as the Cisco Secure Access Con-
trol Server (ACS). All routers must be configured with the user and privileged EXEC passwords. A
local username database is also recommended as backup if access to an authentication, authoriza-
tion, and accounting (AAA) server is compromised. Using a password and assigning privilege lev-
els is a simple way to provide terminal access control in a network. Passwords must be established
for privileged EXEC mode access and individual lines such as the console and auxiliary lines.
Enable Secret Password
The enable secret password global configuration command restricts access to privileged EXEC
mode. The enable secret password is always hashed inside the router configuration using a Mes-
sage Digest 5 (MD5) hashing algorithm. If the enable secret password is lost or forgotten, it must
be replaced using the Cisco router password recovery procedure.
Console Line
By default, the console port does not require a password for console administrative access; how-
ever, a console port line-level password should always be configured. Use the line console
0 command followed by the login and password subcommands to require login and establish a
login password on the console line.
Virtual Terminal Lines
By default, Cisco routers support up to five simultaneous virtual terminal vty (Telnet or SSH) ses-
sions. On the router, the vty ports are numbered from 0 through 4. Use the line vty 0 4 com-
mand followed by the login and password subcommands to require login and establish a login
password on incoming Telnet sessions.
32 CCNA Security Course Booklet, Version 1.0

Auxiliary Line
By default, Cisco router auxiliary ports do not require a password for remote administrative ac-
cess. Administrators sometimes use this port to remotely configure and monitor the router using a
dialup modem connection.
To access the auxiliary line use the line aux 0 command. Use the login and password subcom-
mands to require login and establish a login password on incoming connections.
By default, with the exception of the enable secret password, all Cisco router passwords are stored
in plain text within the router configuration. These passwords can be viewed with the show run-
ning-config command. Sniffers can also see these passwords if the TFTP server configuration
files traverse an unsecured intranet or Internet connection. If an intruder gains access to the TFTP
server where the router configuration files are stored, the intruder is able to obtain these pass-
words.
To increase the security of passwords, the following should be configured:

- Enforce minimum password lengths.
- Disable unattended connections.
- Encrypt all passwords in the configuration file.

Minimum Character Length
Beginning with the Cisco IOS Release 12.3(1) and later, administrators can set the minimum char-
acter length for all router passwords from 0 to 16 characters using the global configuration com-
mand security passwords min-length length. It is strongly recommended that the minimum
password length be set to at least 10 characters to eliminate common passwords that are short and
prevalent on most networks, such as “lab” and “cisco”.
This command affects user passwords, enable secret passwords, and line passwords that are cre-
ated after the command is executed. Existing router passwords remain unaffected. Any attempt to
create a new password that is less than the specified length fails and results in an error message
similar to the following:
Password too short - must be at least 10 characters. Password configuration failed.
Disable Unattended Connections
By default, an administrative interface stays active and logged in for 10 minutes after the last ses-
sion activity. After that, the interface times out and logs out of the session.
If an administrator is away from the terminal while the console connection is active, an attacker
has up to 10 minutes to gain privilege level access. It is recommended that these timers be fine-
tuned to limit the amount of time to within a two or three minute maximum. These timers can be
adjusted using the exec-timeout command in line configuration mode for each of the line types
that are used.
It is also possible to turn off the exec process for a specific line, such as on the auxiliary port,
using the no exec command within the line configuration mode. This command allows only an
outgoing connection on the line. The no exec command allows you to disable the EXEC process
for connections which may attempt to send unsolicited data to the router.
Encrypt All Passwords
By default, some passwords are shown in plaintext, meaning not encrypted, in the Cisco IOS soft-
ware configuration. With the exception of the enable secret password, all other plaintext passwords
in the configuration file can be encrypted in the configuration file using the service password-
encryption command. This command encrypts current and future plaintext passwords in the config-
uration file into ciphertext. To stop encrypting passwords, use the no form of the
command. Only passwords created after the no command is issued will be unencrypted. Existing
passwords that have been previously encrypted will remain so.
The service password-encryption command is primarily useful for keeping unauthorized indi-
viduals from viewing passwords in the configuration file. The algorithm used by the service
password-encryption command is simple and can be easily reversed by someone with access to
the encrypted ciphertext and a password-cracking application. For that reason, this command
should not be used with the intention to protect configuration files against serious attacks.
The enable secret command is far more secure because it encrypts the password using MD5,
which is a stronger algorithm.
Another available security feature is authentication. Cisco routers can maintain a list of usernames
and passwords in a local database on the router for performing local login authentication. There
are two methods of configuring local username accounts.
username name password password
username name secret password
The username secret command is more secure because it uses the stronger algorithm, MD5 hash-
ing, for concealing passwords. MD5 is a much better algorithm than the standard type 7 used by
the service password-encryption command. The added layer of MD5 protection is useful in en-
vironments in which the password crosses the network or is stored on a TFTP server. Keep in mind
that when configuring a username and password combination, password length restrictions must
be followed. Use the login local command on the line configuration to enable the local database
for authentication.
All of the remaining examples in this chapter are using the username secret configuration instead
of username password.


2.1.3 Configuring Enhanced Security for Virtual Logins
Assigning passwords and local authentication does not prevent a device from being targeted for at-
tack. DoS attacks flood a device with so many connection requests that the device might not pro-
vide normal login service to legitimate system administrators. A dictionary attack, which is used to
gain administrative access to a device, floods a device with thousands of username and password
combinations. The end result is much the same as a DoS attack, in that the device cannot process
legitimate user requests. The network needs to have systems in place to detect and help prevent
these attacks.
By enabling a detection profile, a network device can be configured to react to repeated failed
login attempts by refusing further connection requests (login blocking). This block can be config-
ured for a period of time, which is called a quiet period. Legitimate connection attempts can still
be permitted during a quiet period by configuring an access control list (ACL) with the addresses
that are known to be associated with system administrators.
The Cisco IOS login enhancements feature provides more security for Cisco IOS devices when
creating a virtual connection, such as Telnet, SSH, or HTTP, by slowing down dictionary attacks
and stopping DoS attacks. To better configure security for virtual login connections, the login
process should be configured with specific parameters:

- Delays between successive login attempts
- Login shutdown if DoS attacks are suspected
- Generation of system logging messages for login detection

These enhancements do not apply to console connections. It is assumed that only authorized per-
sonnel have physical access to the devices.
The following commands are available to configure a Cisco IOS device to support the enhanced
login features.
Router# configure terminal
Router(config)# login block-for seconds attempts tries within seconds
Router(config)# login quiet-mode access-class {acl-name | acl-number}
Router(config)# login delay seconds
Router(config)# login on-failure log [every login]
Router(config)# login on-success log [every login]

Authentication on vty lines must be configured to use a username and password combination. If
the vty lines are configured to use only a password, the enhanced login features are not enabled.
What does each command accomplish?
All login enhancement features are disabled by default. Use the login block-for command to en-
able login enhancements.
The login block-for feature monitors login device activity and operates in two modes:

- Normal mode (watch mode) - The router keeps count of the number of failed login attempts
  within an identified amount of time.
- Quiet mode (quiet period) - If the number of failed logins exceeds the configured threshold,
  all login attempts using Telnet, SSH, and HTTP are denied.

When quiet mode is enabled, all login attempts, including valid administrative access, are not per-
mitted. However, to provide critical hosts access at all times, this behavior can be overridden using
an ACL. The ACL must be created and identified using the login quiet-mode access-class
command.
By default, Cisco IOS devices can accept connections, such as Telnet, SSH, and HTTP, as quickly
as they can be processed. This makes devices susceptible to dictionary attack tools, such as Cain or
L0phtCrack, which are capable of thousands of password attempts per second. The login block-
for command invokes an automatic delay of 1 second between login attempts. Attackers have to
wait 1 second before they can try a different password.
This delay time can be changed using the login delay command. The login delay command in-
troduces a uniform delay between successive login attempts. The delay occurs for all login at-
tempts, including failed or successful attempts.
The login block-for, login quiet-mode access-class, and login delay commands help
block failed login attempts for a limited period of time but cannot prevent an attacker from trying
again. How can an administrator know when someone tries to gain access to the network by guess-
ing the password?
The command auto secure enables message logging for failed login attempts. Logging success-
ful login attempts is not enabled by default.
These commands can be used to keep track of the number of successful and failed login attempts.
login on-failure log [every login] generates logs for failed login requests.
login on-success log [every login] generates log messages for successful login requests.
The number of login attempts before a message is generated can be specified using the [every
login] parameter. The default value is 1 attempt. The valid range is from 1 to 65,535.
As an alternative, the security authentication failure rate threshold-rate log command
generates a log message when the login failure rate is exceeded.
To verify that the login block-for command is configured and which mode the router is cur-
rently in, use the show login command. The router is in either normal or quiet mode, depending
on whether login thresholds were exceeded.
The show login failures command displays more information regarding the failed attempts,
such as the IP address from which the failed login attempts originated.
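The watch-mode counter, quiet period, quiet-mode ACL and login delay described above, simulated as an added example (not from the course booklet and not Cisco code; the hosts, timings and log text are constructed, and the parameter values are assumed):

```python
"""Simulation of the login block-for / quiet-mode behaviour described above.

Added example, not from the course booklet and not IOS code.  It models the
watch-mode failure counter, the quiet period, the quiet-mode ACL exception and
the login delay for this configuration (the parameter values are assumed):

    login block-for 120 attempts 3 within 60
    login quiet-mode access-class PERMIT-ADMIN
    login delay 2
    login on-failure log
    login on-success log

Log entries borrow the SEC_LOGIN message names, but their text is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class LoginGuard:
    block_for: int = 120        # quiet period length in seconds
    attempts: int = 3           # failures that trigger quiet mode ...
    within: int = 60            # ... when they fall inside this window (seconds)
    delay: int = 1              # login delay: minimum spacing between attempts
    quiet_mode_acl: Set[str] = field(default_factory=set)  # hosts admitted during quiet mode
    failures: List[float] = field(default_factory=list)    # timestamps of recent failures
    quiet_until: Optional[float] = None
    last_attempt: Optional[float] = None
    log: List[str] = field(default_factory=list)

    def mode(self, now: float) -> str:
        """'quiet' while the quiet period runs, otherwise 'normal' (watch mode)."""
        if self.quiet_until is not None:
            if now < self.quiet_until:
                return "quiet"
            # quiet period expired: back to watch mode with a fresh counter
            self.quiet_until = None
            self.failures.clear()
            self.log.append(f"{now:.0f} SEC_LOGIN-5-QUIET_MODE_OFF")
        return "normal"

    def attempt(self, now: float, src: str, user: str, password_ok: bool) -> str:
        """Process one login attempt; returns 'denied', 'failed' or 'success'."""
        if self.mode(now) == "quiet" and src not in self.quiet_mode_acl:
            return "denied"            # refused outright; no password is checked
        # login delay: an attempt arriving early is held until the delay has elapsed
        if self.last_attempt is not None:
            now = max(now, self.last_attempt + self.delay)
        self.last_attempt = now
        if password_ok:
            self.log.append(f"{now:.0f} SEC_LOGIN-5-LOGIN_SUCCESS user {user} from {src}")
            return "success"
        self.log.append(f"{now:.0f} SEC_LOGIN-4-LOGIN_FAILED user {user} from {src}")
        # keep only failures inside the 'within' window, then count this one
        self.failures = [t for t in self.failures if now - t <= self.within] + [now]
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.log.append(f"{now:.0f} SEC_LOGIN-1-QUIET_MODE_ON for {self.block_for}s")
        return "failed"


def run_scenario() -> Dict[str, object]:
    """Constructed event stream: 10.0.0.66 guesses passwords; 10.0.0.5 is the admin host in the ACL."""
    g = LoginGuard(block_for=120, attempts=3, within=60, delay=2, quiet_mode_acl={"10.0.0.5"})
    r: Dict[str, object] = {}
    r["fail1"] = g.attempt(0, "10.0.0.66", "admin", False)
    r["fail2"] = g.attempt(5, "10.0.0.66", "admin", False)
    r["fail3"] = g.attempt(6, "10.0.0.66", "admin", False)   # held to t=7 by login delay; 3rd failure
    r["mode_after"] = g.mode(11)                               # quiet mode until t=127
    r["attacker_in_quiet"] = g.attempt(20, "10.0.0.66", "admin", True)   # even a correct password
    r["admin_in_quiet"] = g.attempt(30, "10.0.0.5", "admin", True)       # ACL host still gets in
    r["mode_later"] = g.mode(128)                              # quiet period has expired
    r["attacker_after"] = g.attempt(140, "10.0.0.66", "admin", False)    # counted afresh
    r["log"] = list(g.log)
    return r


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```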
Use banner messages to present legal notification to potential intruders to inform them that they
are not welcome on a network. Banners are very important to the network from a legal perspective.
Intruders have won court cases because they did not encounter appropriate warning messages
when accessing router networks. In addition to warning would-be intruders, banners are also used
to inform remote administrators of use restrictions.
Choosing what to place in banner messages is important and should be reviewed by legal counsel
before putting them on network routers. Never use the word welcome or any other familiar greet-
ing that may be misconstrued as an invitation to use the network.
Banners are disabled by default and must be explicitly enabled. Use the banner command from
global configuration mode to specify appropriate messages.
banner {exec | incoming | login | motd | slip-ppp} d message d
Tokens are optional and can be used within the message section of the banner command:
$(hostname) - Displays the host name for the router.
$(domain) - Displays the domain name for the router.
$(line) - Displays the vty or tty (asynchronous) line number.
$(line-desc) - Displays the description that is attached to the line.
Be careful in placing this information in the banner because it provides more information to a pos-
sible intruder.
Cisco SDM can also be used to configure banner messages.


2.1.4 Configure SSH
When enabling remote administrative access, it is also important to consider the security implica-
tions of sending information across the network. Traditionally, remote access on routers was con-
figured using Telnet on TCP port 23. However, Telnet was developed in the days when security
was not a concern; therefore, all Telnet traffic is forwarded in plaintext. Using this protocol, critical
data, such as router configurations, is easily accessible to attackers. Hackers can capture packets
forwarded by an administrator's computer using a protocol analyzer such as Wireshark. If the ini-
tial Telnet stream is discovered and followed, attackers can learn the administrator's username and
password.
However, having remote access capability can save an organization time and money when making
necessary configuration changes. So how can a secure remote access connection be established to
manage Cisco IOS devices?
SSH has replaced Telnet as the recommended practice for providing remote router administration with
connections that support confidentiality and session integrity. It provides functionality that is similar to
an outbound Telnet connection, except that the connection is encrypted and operates on port 22. With
authentication and encryption, SSH allows for secure communication over a non-secure network.
Four steps must be completed prior to configuring routers for the SSH protocol:
Step 1. Ensure that the target routers are running a Cisco IOS Release 12.1(1)T image or later to sup-
port SSH. Only the Cisco IOS cryptographic images containing the IPsec feature set support SSH.
Specifically, Cisco IOS 12.1 or later IPsec DES or Triple Data Encryption Standard (3DES) crypto-
graphic images support SSH. Typically, these images have image IDs of k8 or k9 in their image
names. For example, c1841-advipservicesk9-mz.124-10b.bin is an image that can support SSH.
Step 2. Ensure that each of the target routers has a unique host name.
Step 3. Ensure that each of the target routers is using the correct domain name of the network.
Step 4. Ensure that the target routers are configured for local authentication or AAA services for
username and password authentication. This is mandatory for a router-to-router SSH connection.
Using the CLI, there are four steps to configure a Cisco router to support SSH:
Step 1. If the router has a unique host name, configure the IP domain name of the network using
the ip domain-name domain-name command in global configuration mode.
Step 2. One-way secret keys must be generated for a router to encrypt the SSH traffic. These keys
are referred to as asymmetric keys. Cisco IOS software uses the Rivest, Shamir, and Adleman
(RSA) algorithm to generate keys. To create the RSA key, use the crypto key generate rsa
general-keys modulus modulus-size command in global configuration mode. The modulus de-
termines the size of the RSA key and can be configured from 360 bits to 2048 bits. The larger the
modulus, the more secure the RSA key. However, keys with large modulus values take slightly
longer to generate and longer to encrypt and decrypt as well. The minimum recommended modu-
lus key length is 1024 bits.
To verify SSH and display the generated keys, use the show crypto key mypubkey rsa command
in privileged EXEC mode. If there are existing key pairs, it is recommended that they be overwrit-
ten using the crypto key zeroize rsa command.
Step 3. Ensure that there is a valid local database username entry. If not, create one using the
username name secret secret command.

Step 4. Enable vty inbound SSH sessions using the line vty commands login local and
transport input ssh.

SSH is automatically enabled after the RSA keys are generated. The router SSH service can be ac-
cessed using SSH client software.
Optional SSH Commands
Optionally, SSH commands can be used to configure the following:

- SSH version
- SSH timeout period
- Number of authentication retries

Cisco routers support two versions of SSH: SSH version 1 (SSHv1) and the newer, more secure
SSH version 2 (SSHv2). SSHv2 provides better security using the Diffie-Hellman key exchange
and the strong integrity-checking message authentication code (MAC).
Cisco IOS Release 12.1(1)T and later supports SSHv1. Cisco IOS Release 12.3(4)T and later oper-
ates in compatibility mode and supports both SSHv1 and SSHv2. To change from compatibility
mode to a specific version, use the ip ssh version {1 | 2} global configuration command.
The time interval that the router waits for the SSH client to respond during the SSH negotiation
phase can be configured using the ip ssh time-out seconds command in global configuration
mode. The default is 120 seconds. When the EXEC session starts, the standard exec timeout con-
figured for the vty applies.
By default, a user logging in has three attempts before being disconnected. To configure a different
number of consecutive SSH retries, use the ip ssh authentication-retries integer command
in global configuration mode.
To verify the optional SSH command settings, use the show ip ssh command.
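An audit of a running-config for the settings this section and the password-storage section above call for (service password-encryption, enable secret, security passwords min-length, username secret, exec-timeout, no exec, hostname and ip domain-name, login local, transport input ssh, ip ssh version 2), as an added example that is not from the course booklet; both sample configurations are constructed and the hash values are placeholders:

```python
"""Audit a Cisco IOS running-config for the hardening settings described above (added example,
not from the course booklet).  Checks: service password-encryption, enable secret, min-length,
username secret, exec-timeout / no exec, and the SSH prerequisites (hostname, ip domain-name,
login local, transport input ssh, ip ssh version 2).  Both configs are constructed samples."""
import re
from typing import Dict, List

WEAK_CONFIG = """\
hostname R1
no service password-encryption
enable password cisco
username admin password 0 cisco123
ip domain-name example.lab
ip ssh version 1
line aux 0
line vty 0 4
 exec-timeout 10 0
 login local
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
hostname R1
service password-encryption
security passwords min-length 10
enable secret 5 $1$PLACEHOLDER$constructed
username admin privilege 15 secret 5 $1$PLACEHOLDER$constructed
ip domain-name example.lab
ip ssh version 2
login block-for 120 attempts 3 within 60
line aux 0
 exec-timeout 3 0
 no exec
line vty 0 4
 exec-timeout 3 0
 login local
 transport input ssh
"""


def parse_config(text: str) -> Dict[str, List[str]]:
    """Global lines under key ''; each 'line ...' section under its own key (other blocks
    such as interfaces are folded into the global list, a simplification)."""
    sections: Dict[str, List[str]] = {"": []}
    current = ""
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            sections[current].append(raw.strip())
            continue
        current = raw.strip() if raw.startswith("line ") else ""
        sections.setdefault(current, [])
        if current == "":
            sections[""].append(raw.strip())
    return sections


def first_match(pattern: str, lines: List[str]):
    """First re.match of pattern over lines, or None."""
    return next((m for m in (re.match(pattern, l) for l in lines) if m), None)


def audit_config(text: str, max_timeout_min: int = 3) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_config(text)
    g = cfg[""]
    findings: List[str] = []
    for prefix, msg in [("service password-encryption", "service password-encryption is not enabled"),
                        ("enable secret", "no enable secret configured"),
                        ("login block-for", "login block-for is not configured"),
                        ("ip domain-name", "ip domain-name missing (needed to generate RSA keys)"),
                        ("hostname ", "hostname missing (needed to generate RSA keys)"),
                        ("ip ssh version 2", "ip ssh version 2 is not set")]:
        if not any(line.startswith(prefix) for line in g):
            findings.append(msg)
    m = first_match(r"security passwords min-length (\d+)", g)
    if m is None or int(m.group(1)) < 10:
        findings.append("security passwords min-length is missing or below 10")
    for line in g:
        um = re.match(r"username (\S+)(?: privilege \d+)? password\b", line)
        if um:
            findings.append(f"username {um.group(1)} uses 'password' instead of 'secret'")
    for name, lines in cfg.items():
        if not name.startswith("line "):
            continue
        tm = first_match(r"exec-timeout (\d+)", lines)
        if tm is None or int(tm.group(1)) > max_timeout_min:
            findings.append(f"{name}: exec-timeout missing or longer than {max_timeout_min} minutes")
        if name.startswith("line vty"):
            if "transport input ssh" not in lines:
                findings.append(f"{name}: transport input is not restricted to ssh")
            if "login local" not in lines:
                findings.append(f"{name}: login local not set")
        if name.startswith("line aux") and "no exec" not in lines \
                and not any(line.startswith("login") for line in lines):
            findings.append(f"{name}: no login configured and EXEC not disabled")
    return findings
```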

After SSH is configured, an SSH client is required to connect to an SSH-enabled router.
There are two different ways to connect to an SSH-enabled router:

- Connect using an SSH-enabled Cisco router using the privileged EXEC mode ssh command.
- Connect using a publicly and commercially available SSH client running on a host. Examples
  of these clients are PuTTY, OpenSSH, and TeraTerm.
Cisco routers are capable of acting as the SSH server and as an SSH client connecting to another
SSH-enabled device. By default, both of these functions are enabled on the router when SSH is en-
abled. As a server, a router can accept SSH client connections. As a client, a router can SSH to an-
other SSH-enabled router.
The procedure for connecting to a Cisco router varies depending on the SSH client application that
is being used. Generally, the SSH client initiates an SSH connection to the router. The router SSH
service prompts for the correct username and password combination. After the login is verified,
the router can be managed as if the administrator was using a standard Telnet session.
Use the show ssh command to verify the status of the client connections.

Cisco SDM can be used to configure an SSH daemon on a router. To see the current SSH key set-
tings, choose Configure > Additional Tasks > Router Access > SSH. The SSH key settings have
two status options.

- RSA key is not set on this router - This notice appears if there is no cryptographic key
  configured for the device. If there is no key configured, enter a modulus size and generate a
  key.
- RSA key is set on this router - This notice appears if a cryptographic key has been generated,
  in which case SSH is enabled on this router.
The default configuration file that ships with a Cisco SDM-enabled router automatically enables
Telnet and SSH access from the LAN interface and generates an RSA key.
The Generate RSA Key button configures a cryptographic key if one is not set. The Key Modulus
Size dialog box appears. If the modulus value needs to be between 512 and 1024, enter an integer
value that is a multiple of 64. If the modulus value needs to be higher than 1024, enter 1536 or
2048. If a value greater than 512 is entered, key generation can take a minute or longer.
After SSH is enabled on the router, the vty lines to support SSH need to be configured. Choose
Configure > Additional Tasks > Router Access > VTY. The VTY Lines window displays the vty
settings on the router. Click the Edit button to configure vty parameters.
2.2 Assigning Administrative Roles
2.2.1 Configuring Privilege Levels
While it is important that a system administrator can securely connect to and manage a device, still
more configurations are needed to keep the network secure. For example, should complete access
be provided for all employees in a company? The answer to that question is usually no. Most com-
pany employees require only specific areas of access to the network. What about complete access
for all employees in the IT department? Keep in mind that large organizations have many various
job functions within an IT department. For example, job titles include Chief Information Officer
(CIO), Security Operator, Network Administrator, WAN Engineer, LAN Administrator, Software
Administrator, PC Tech support, Help Desk support, and others. Not all job functions should have
the same level of access to the infrastructure devices.
As an example, a senior network administrator leaves for vacation and, as a precaution, provides a
junior administrator with the privileged EXEC mode passwords to all infrastructure devices. A few
days later, the curious junior administrator accidentally disables the company network. This is not
an uncommon scenario, because all too often a router is secured with only one privileged EXEC
password. Anyone with knowledge of this password has open access to the entire router.
Configuring privilege levels is the next step for the system administrator who wants to secure the net-
work. Privilege levels determine who should be allowed to connect to the device and what that per-
son should be able to do with it. The Cisco IOS software CLI has two levels of access to commands.

- User EXEC mode (privilege level 1) - Provides the lowest EXEC mode user privileges and
  allows only user-level commands available at the router> prompt.
- Privileged EXEC mode (privilege level 15) - Includes all enable-level commands at the
  router# prompt.

Although these two levels do provide control, sometimes a more precise level of control is re-
quired.
Cisco IOS software has two methods of providing infrastructure access: privilege level and role-
based CLI.
Assigning Privilege Levels
Since Cisco IOS Release 10.3, Cisco routers enable an administrator to configure multiple privi-
lege levels. Configuring privilege levels is especially useful in a help desk environment where cer-
tain administrators must be able to configure and monitor every part of the router (level 15), and
other administrators need only to monitor, not configure, the router (customized levels 2 to 14).
There are 16 privilege levels in total. Levels 0, 1, and 15 have predefined settings.
An administrator can define multiple customized privilege levels and assign different commands to
each level. The higher the privilege level, the more router access a user has. Commands that are
available at lower privilege levels are also executable at higher levels, because a privilege level in-
cludes the privileges of all lower levels. For example, a user authorized for privilege level 10 is
granted access to commands allowed at privilege levels 0 through 10 (if also defined). A privilege-
level-10 user cannot access commands granted to privilege level 11 (or higher). A user authorized
for privilege level 15 can execute all Cisco IOS commands.
To assign commands to a custom privilege level, use the privilege command from global config-
uration mode.
Router(config)# privilege mode {level level command | reset} command
It is important to note that assigning a command with multiple keywords, such as show ip route,
to a specific privilege level automatically assigns all commands associated with the first few
keywords to the specified privilege level. For example, both the show command and the show ip
command are automatically set to the privilege level where show ip route is set. This is necessary
because the show ip route command cannot be executed without access to the show and show ip
commands. Subcommands coming under show ip route are also automatically assigned to the
same privilege level. Assigning the show ip route allows the user to issue all show commands,
such as show version.
Privilege levels should also be configured for authentication. There are two methods for assigning
passwords to the different levels:

- To the privilege level, using the global configuration command enable secret level level
  password.
- To a user that is granted a specific privilege level, using the global configuration command
  username name privilege level secret password.

For example, an administrator could assign four levels of device access within an organization:

- A USER account (requiring level 1, not including ping)
- A SUPPORT account (requiring all level 1 access, plus the ping command)
- A JR-ADMIN account (requiring all level 1 and 5 access, plus the reload command)
- An ADMIN account (requiring complete access)

Implementing privilege levels varies depending on the organization's structure and the different
job functions that require access to the infrastructure devices.
In the case of the USER, which requires default level 1 (Router>) access, no custom privilege
level is defined. This is because the default user mode is equivalent to level 1.
The SUPPORT account could be assigned a higher level access such as level 5. Level 5 automati-
cally inherits the commands from levels 1 through 4, plus additional commands can be assigned.
Keep in mind that when a command is assigned at a specific level, access to that command is taken
away from any lower level. For example, to assign level 5 the ping command, use the following
command sequence.
privilege exec level 5 ping

The USER account (level 1) no longer has access to the ping command, because a user must have
access to level 5 or higher to perform the ping function.
To assign a password to level 5, enter the following command.
enable secret level 5 cisco5

To access level 5, the password cisco5 must be used.
To assign a specific username to privilege level 5, enter the following command.
username support privilege 5 secret cisco5

A user that logs in under the username support is only able to access privilege level 5, which also
inherits privilege level 1.
The JR-ADMIN account needs access to all level 1 and level 5 commands as well as the reload
command. This account must be assigned a higher level access, such as level 10. Level 10 auto-
matically inherits all the commands from the lower levels.
To assign level 10 to the privileged EXEC mode reload command, use the following command
sequence.
privilege exec level 10 reload
username jr-admin privilege 10 secret cisco10
enable secret level 10 cisco10

By performing these commands, the reload command is only available to users with level 10 ac-
cess or higher. The username jr-admin is given access to privilege level 10 and all associated com-
mands, including those commands assigned to any lower privilege levels. To access level 10 mode,
the password cisco10 is required.
An ADMIN account could be assigned the default level 15 access for privileged EXEC mode. In
this instance, no custom commands need to be defined. A custom password could be assigned
using the enable secret level 15 cisco123 command, however, that does not override the en-
able secret password, which could also be used to access level 15. Use the username admin priv-
ilege 15 secret cisco15 command to assign level 15 access to the user ADMIN with a
password of cisco15.
Keep in mind that when assigning usernames to privilege levels, the privilege and secret key-
words are not interchangeable. For example, the username USER secret cisco privilege 1
command does not assign the USER account level 1 access. Instead, it creates an account requiring
the password “cisco privilege 1”.
To access established privilege levels, enter the enable level command from user mode, and enter
the password that was assigned to the custom privilege level. Use the same command to switch
from a lower level to a higher level.

- To switch from level 1 to level 5, use the enable 5 command at the EXEC prompt.
- To switch to level 10, use enable 10 with the correct password.
- To switch from level 10 to level 15, use the enable command. If no privilege level is
  specified, level 15 is assumed.

It is sometimes easy to forget which level of access a user currently has. Use the show privilege
command to display and confirm the current privilege level. Remember that the higher privilege
levels automatically inherit the command access of the lower levels.
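The USER, SUPPORT, JR-ADMIN and ADMIN walkthrough above, modelled in code as an added example (not IOS code and not from the course booklet; the data structures and the most-specific-prefix rule are my simplifications of the real command tree):

```python
"""Model of the Cisco IOS privilege levels described above.

Added example, not IOS code and not from the course booklet.  It reproduces the rules
the text states: 16 levels, higher levels inherit lower ones, `privilege exec level N cmd`
moves cmd and its leading keywords to level N so lower levels lose it, `enable secret
level N` and `username ... privilege N secret` grant a level, and `enable [N]` switches
levels.  The accounts and passwords are those of the walkthrough; the "most specific
configured prefix decides" rule is my simplification of the real command tree.
"""
from typing import Dict, Optional, Tuple

USER_EXEC_LEVEL, PRIV_EXEC_LEVEL = 1, 15


class PrivilegeModel:
    def __init__(self) -> None:
        # a few commands user EXEC (level 1) may run by default; anything else needs level 15
        self.levels: Dict[str, int] = {"show": 1, "show version": 1, "ping": 1, "enable": 1}
        self.enable_secrets: Dict[int, str] = {}               # level -> enable secret
        self.users: Dict[str, Tuple[int, str]] = {}            # name -> (privilege, secret)

    # ---- configuration commands ------------------------------------------
    def privilege_exec_level(self, level: int, command: str) -> None:
        """privilege exec level <level> <command>: the command, every leading-keyword prefix
        (e.g. 'show' and 'show ip' for 'show ip route') and its subcommands get the level."""
        words = command.split()
        for n in range(1, len(words) + 1):
            self.levels[" ".join(words[:n])] = level
        for cmd in list(self.levels):
            if cmd.startswith(command + " "):
                self.levels[cmd] = level

    def enable_secret_level(self, level: int, secret: str) -> None:
        """enable secret level <level> <secret> (stored in clear here; IOS stores an MD5 hash)."""
        self.enable_secrets[level] = secret

    def username(self, name: str, privilege: int, secret: str) -> None:
        """username <name> privilege <level> secret <secret>"""
        self.users[name] = (privilege, secret)

    # ---- run-time behaviour ---------------------------------------------
    def command_level(self, command: str) -> int:
        """Level a command requires: the most specific configured prefix decides."""
        words = command.split()
        for n in range(len(words), 0, -1):
            prefix = " ".join(words[:n])
            if prefix in self.levels:
                return self.levels[prefix]
        return PRIV_EXEC_LEVEL

    def can_run(self, current_level: int, command: str) -> bool:
        """Higher levels inherit everything assigned to lower levels."""
        return current_level >= self.command_level(command)

    def login(self, name: str, secret: str) -> Optional[int]:
        """login local: the user's privilege level, or None if authentication fails."""
        entry = self.users.get(name)
        return entry[0] if entry and entry[1] == secret else None

    def enable(self, current_level: int, secret: str, level: int = PRIV_EXEC_LEVEL) -> int:
        """enable [level]: move to `level` only if its enable secret matches; level 15 is the
        default when none is given."""
        return level if self.enable_secrets.get(level) == secret else current_level


def build_walkthrough() -> PrivilegeModel:
    """The four accounts from the text: USER (1), SUPPORT (5), JR-ADMIN (10), ADMIN (15)."""
    m = PrivilegeModel()
    m.privilege_exec_level(5, "ping")            # ping now needs level 5; level 1 loses it
    m.enable_secret_level(5, "cisco5")
    m.username("support", 5, "cisco5")
    m.privilege_exec_level(10, "reload")
    m.username("jr-admin", 10, "cisco10")
    m.enable_secret_level(10, "cisco10")
    m.enable_secret_level(15, "cisco123")
    m.username("admin", 15, "cisco15")
    return m


if __name__ == "__main__":
    model = build_walkthrough()
    for level in (1, 5, 10, 15):
        print(level, {c: model.can_run(level, c) for c in ("ping", "reload", "show version")})
```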
Although assigning privilege levels does provide some flexibility, some organizations might not
find them suitable because of the following limitations:

- No access control to specific interfaces, ports, logical interfaces, and slots on a router.
- Commands available at lower privilege levels are always executable at higher levels.
- Commands specifically set on a higher privilege level are not available for lower privileged
  users.
- Assigning a command with multiple keywords to a specific privilege level also assigns all
  commands associated with the first keywords to the same privilege level. An example is the
  show ip route command.

The biggest limitation, however, is that if an administrator needs to create a user account that has
access to most but not all commands, privilege exec statements must be configured for every
command that must be executed at a privilege level lower than 15. This can be a tedious process.
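The rules above (the default level, the secret/privilege keyword ordering, inheritance of lower levels, and first-keyword assignment) are easy to get wrong when reading a long running-config. The following Python script is an added example, not code from the booklet or from Cisco: it parses username and privilege exec level lines from a constructed sample configuration, reports each account's effective level, flags an account whose privilege keyword was swallowed into the password, and lists which custom commands a given account can run. The sample configuration, account names and passwords are constructed for illustration.

```python
"""Audit privilege-level settings in a Cisco IOS running-config (added example)."""
import re

# Constructed sample running-config fragment; not taken from a real device.
SAMPLE_CONFIG = """\
privilege exec level 5 ping
privilege exec level 10 reload
privilege exec level 10 show ip route
username SUPPORT privilege 5 secret cisco5
username JR-ADMIN privilege 10 secret cisco10
username ADMIN privilege 15 secret cisco15
username USER secret cisco privilege 1
username GUEST secret guestpw
"""

USERNAME_RE = re.compile(r"^username\s+(\S+)\s+(.*)$")
PRIV_EXEC_RE = re.compile(r"^privilege\s+exec\s+level\s+(\d+)\s+(.+)$")


def parse_users(config):
    """Return {name: {"level": int, "secret": str, "warning": str | None}}.

    The privilege keyword only counts when it precedes secret/password; anything
    after the secret keyword is the password itself, which is why
    ``username USER secret cisco privilege 1`` stays at the default level.
    """
    users = {}
    for line in config.splitlines():
        m = USERNAME_RE.match(line.strip())
        if not m:
            continue
        name, tokens = m.group(1), m.group(2).split()
        level = 1          # IOS default when no privilege keyword precedes the secret
        secret = None
        warning = None
        i = 0
        while i < len(tokens):
            if tokens[i] == "privilege" and i + 1 < len(tokens):
                level = int(tokens[i + 1])
                i += 2
            elif tokens[i] in ("secret", "password"):
                pw_tokens = tokens[i + 1:]
                # "secret 0 <clear>" / "secret 5 <hash>": skip the encoding-type digit
                if pw_tokens and pw_tokens[0].isdigit() and len(pw_tokens) > 1:
                    pw_tokens = pw_tokens[1:]
                secret = " ".join(pw_tokens)
                if "privilege" in pw_tokens:
                    warning = ("'privilege' follows the secret keyword, so it became part "
                               "of the password and the account keeps the default level")
                break
            else:
                i += 1
        users[name] = {"level": level, "secret": secret, "warning": warning}
    return users


def parse_exec_levels(config):
    """Return {command: level}; a multi-keyword command also assigns its leading
    prefixes (``show`` and ``show ip`` for ``show ip route``) to the same level."""
    levels = {}
    for line in config.splitlines():
        m = PRIV_EXEC_RE.match(line.strip())
        if not m:
            continue
        level, words = int(m.group(1)), m.group(2).split()
        for n in range(1, len(words) + 1):
            levels[" ".join(words[:n])] = level
    return levels


def commands_available(config, user):
    """Custom commands the user can run: every level at or below theirs (inheritance)."""
    level = parse_users(config)[user]["level"]
    return sorted(cmd for cmd, lvl in parse_exec_levels(config).items() if lvl <= level)


def audit(config):
    """Findings an operator would want to see when reviewing the config."""
    findings = []
    for name, info in parse_users(config).items():
        if info["warning"]:
            findings.append(f"{name}: {info['warning']}")
        if info["level"] == 15:
            findings.append(f"{name}: level 15, full privileged EXEC access")
    return findings


if __name__ == "__main__":
    for name, info in parse_users(SAMPLE_CONFIG).items():
        print(f"{name:10} level {info['level']:2}  secret={info['secret']!r}")
    print("JR-ADMIN can run:", commands_available(SAMPLE_CONFIG, "JR-ADMIN"))
    for finding in audit(SAMPLE_CONFIG):
        print("WARNING:", finding)
```

Run against a saved running-config, the audit lists the USER account as stuck at level 1 with the password "cisco privilege 1", and shows that JR-ADMIN (level 10) can run the level 5 ping command as well as reload and every prefix of show ip route, exactly the inheritance and first-keyword behaviour described above.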
How can the limitations of assigning privilege levels be overcome?
Chapter 2: Securing Network Devices 41




2.2.2 Configuring Role-Based CLI Access
Role-Based CLI
To provide more flexibility than privilege levels, Cisco introduced the Role-Based CLI Access fea-
ture in Cisco IOS Release 12.3(11)T. This feature provides finer, more granular access by control-
ling specifically which commands are available to specific roles. Role-based CLI access enables
the network administrator to create different views of router configurations for different users.
Each view defines the CLI commands that each user can access.
Security
Role-based CLI access enhances the security of the device by defining the set of CLI commands
that is accessible by a particular user. Additionally, administrators can control user access to spe-
cific ports, logical interfaces, and slots on a router. This prevents a user from accidentally or pur-
posely changing a configuration or collecting information to which they should not have access.
Availability
Role-based CLI access prevents unintentional execution of CLI commands by unauthorized per-
sonnel, which could have undesirable consequences. This minimizes downtime.
Operational Efficiency
Users only see the CLI commands applicable to the ports and CLI to which they have access;
therefore, the router appears to be less complex, and commands are easier to identify when using
the help feature on the device.
Role-based CLI provides three types of views:

Root view

CLI view

Superview

Each view dictates which commands are available.
Root View
To configure any view for the system, the administrator must be in root view. Root view has the
same access privileges as a user who has level 15 privileges. However, a root view is not the same
as a level 15 user. Only a root view user can configure a new view and add or remove commands
from the existing views.
CLI View
A specific set of commands can be bundled into a CLI view. Unlike privilege levels, a CLI view
has no command hierarchy and, therefore, no higher or lower views. Each view must be assigned
all commands associated with that view, and a view does not inherit commands from any other
views. Additionally, the same commands can be used in multiple views.
Superview
A superview consists of one or more CLI views. Administrators can define which commands are
accepted and which configuration information is visible. Superviews allow a network administra-
tor to assign users and groups of users multiple CLI views at once, instead of having to assign a
single CLI view per user with all commands associated to that one CLI view.
Superviews have the following characteristics:

A single CLI view can be shared within multiple superviews.

Commands cannot be configured for a superview. An administrator must add commands to
the CLI view and add that CLI view to the superview.

Users who are logged into a superview can access all the commands that are configured for
any of the CLI views that are part of the superview.

Each superview has a password that is used to switch between superviews or from a CLI view
to a superview.

42 CCNA Security Course Booklet, Version 1.0

Deleting a superview does not delete the associated CLI views. The CLI views remain available to
be assigned to another superview.
Before an administrator can create a view, AAA must be enabled using the aaa new-model com-
mand or Cisco SDM.
To configure and alter views, an administrator must log in as the root view, using the enable view
privileged EXEC command. The enable view root command can also be used. When prompted,
enter the enable secret password.
There are five steps to create and manage a specific view.
Step 1. Enable AAA with the aaa new-model global configuration command. Exit and enter the
root view with the enable view command.
Step 2. Create a view using the parser view view-name command. This enables the view configu-
ration mode. Excluding the root view, there is a maximum limit of 15 views in total.
Step 3. Assign a secret password to the view using the secret encrypted-password command.
Step 4. Assign commands to the selected view using the commands parser-mode {include |
include-exclusive | exclude} [all] [interface interface-name | command] command in
view configuration mode.
Step 5. Exit view configuration mode by typing the exit command.
The steps to configure a superview are essentially the same as configuring a CLI view, except that
instead of using the commands command to assign commands, use the view view-name command
to assign views. The administrator must be in root view to configure a superview. To confirm that
root view is being used, use either the enable view or enable view root command. When
prompted, enter the enable secret password.
There are four steps to create and manage a superview.
Step 1. Create a view using the parser view view-name superview command and enter super-
view configuration mode.
Step 2. Assign a secret password to the view using the secret encrypted-password command.
Step 3. Assign an existing view using the view view-name command in view configuration mode.
Step 4. Exit superview configuration mode by typing the exit command.
More than one view can be assigned to a superview, and views can be shared between superviews.
To access existing views, enter the enable view viewname command in user mode and enter the
password that was assigned to the custom view. Use the same command to switch from one view
to another.
To verify a view, use the enable view command. Enter the name of the view to verify, and provide
the password to log in to the view. Use the question mark (?) command to verify that the com-
mands available in the view are correct.
From the root view, use the show parser view all command to see a summary of all views.
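Putting the five CLI-view steps and the four superview steps together, the following Python script is an added example, not from the booklet or from Cisco. It builds the IOS command sequence for a set of CLI views and a superview from a short declarative description, and before emitting anything it checks the constraints stated above: AAA is enabled first, at most 15 views exist besides root, the commands keyword is one of include, include-exclusive or exclude, and a superview only references CLI views that already exist (commands are never configured on the superview itself). The view names, passwords and command lists are constructed sample values.

```python
"""Generate Cisco IOS CLI-view and superview configuration (added example)."""

MAX_VIEWS = 15                                   # limit stated above, root view excluded
COMMAND_KEYWORDS = ("include", "include-exclusive", "exclude")


class ViewBuilder:
    """Collects CLI views and superviews, then renders the IOS command sequence."""

    def __init__(self):
        self.cli_views = {}    # name -> (secret, [(parser_mode, keyword, command), ...])
        self.superviews = {}   # name -> (secret, [cli view names])

    def _check_new_name(self, name):
        if name in self.cli_views or name in self.superviews:
            raise ValueError(f"view {name!r} already defined")
        if len(self.cli_views) + len(self.superviews) >= MAX_VIEWS:
            raise ValueError(f"at most {MAX_VIEWS} views are allowed (root view excluded)")

    def cli_view(self, name, secret, commands):
        """commands: list of (parser_mode, keyword, command), e.g. ("exec", "include", "show version")."""
        self._check_new_name(name)
        for _parser_mode, keyword, _command in commands:
            if keyword not in COMMAND_KEYWORDS:
                raise ValueError(f"unknown keyword {keyword!r}; expected one of {COMMAND_KEYWORDS}")
        self.cli_views[name] = (secret, list(commands))

    def superview(self, name, secret, views):
        """A superview only references existing CLI views; it carries no commands of its own."""
        self._check_new_name(name)
        missing = [v for v in views if v not in self.cli_views]
        if missing:
            raise ValueError(f"superview {name!r} references undefined CLI views: {missing}")
        self.superviews[name] = (secret, list(views))

    def render(self):
        """IOS command lines in the order the steps above prescribe."""
        lines = [
            "configure terminal",
            "aaa new-model",        # Step 1: AAA must be on before any view exists
            "exit",
            "enable view",          # enter root view; IOS prompts for the enable secret
            "configure terminal",
        ]
        for name, (secret, commands) in self.cli_views.items():
            lines.append(f"parser view {name}")                       # Step 2
            lines.append(f" secret {secret}")                          # Step 3
            for parser_mode, keyword, command in commands:             # Step 4
                lines.append(f" commands {parser_mode} {keyword} {command}")
            lines.append(" exit")                                      # Step 5
        for name, (secret, views) in self.superviews.items():
            lines.append(f"parser view {name} superview")              # superview Step 1
            lines.append(f" secret {secret}")                          # superview Step 2
            lines.extend(f" view {v}" for v in views)                  # superview Step 3
            lines.append(" exit")                                      # superview Step 4
        return lines


def rejected(fn, *args):
    """True if the builder refused the definition (used to show the constraint checks)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


def build_sample():
    """Constructed sample: two limited CLI views combined into one superview."""
    b = ViewBuilder()
    b.cli_view("SHOWVIEW", "showpass", [
        ("exec", "include", "show version"),
        ("exec", "include", "show ip interface brief"),
    ])
    b.cli_view("INTVIEW", "intpass", [
        ("exec", "include", "configure terminal"),
        ("configure", "include", "interface"),
    ])
    b.superview("OPSVIEW", "opspass", ["SHOWVIEW", "INTVIEW"])
    return b


if __name__ == "__main__":
    print("\n".join(build_sample().render()))
```

The rendered lines are meant to be reviewed and then pasted into a console session, since enable view and each parser view secret will prompt interactively; the point of the checks is that a typo in a view name or keyword is caught before anything reaches the router.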
2.3 Monitoring and Managing Devices
2.3.1 Securing the Cisco IOS Image and Configuration Files
If attackers gain access to a router, there are many things that they could do. For example, they
could alter traffic flows, alter configurations, and even erase the startup configuration file and
Cisco IOS image. If the configuration or IOS image is erased, the operator might need to retrieve
an archived copy to restore the router. The recovery process must then be performed on each af-
fected router, adding to the total network downtime.
The Cisco IOS Resilient Configuration feature allows for faster recovery if someone reformats
flash memory or erases the startup configuration file in NVRAM. This feature allows a router to
withstand malicious attempts at erasing the files by securing the router image and maintaining a
secure working copy of the running configuration.
When a Cisco IOS image is secured, the resilient configuration feature denies all requests to copy,
modify, or delete it. The secure copy of the startup configuration is stored in flash along with the
secure IOS image. This set of Cisco IOS image and router running configuration files is referred to
as the bootset.
The Cisco IOS resilient configuration feature is only available for systems that support a PCMCIA
Advanced Technology Attachment (ATA) flash interface. The Cisco IOS image and backup run-
ning configuration on the Flash drive are hidden from view, so the files are not included in any di-
rectory listing on the drive.
Two global configuration commands are available to configure the Cisco IOS resilient configura-
tion features: secure boot-image and secure boot-config.
The secure boot-image command

The secure boot-image command enables Cisco IOS image resilience. When enabled for the first
time, the running Cisco IOS image is secured, and a log entry is generated. This feature can be dis-
abled only through a console session using the no form of the command.
This command functions properly only when the system is configured to run an image from a flash
drive with an ATA interface. Additionally, the running image must be loaded from persistent stor-
age to be secured as primary. Images that are booted from the network, such as a TFTP server,
cannot be secured.
The Cisco IOS resilient configuration feature detects image version mismatches. If the router is
configured to boot with Cisco IOS resilience and an image with a different version of the Cisco
IOS software is detected, a message, similar to the one shown below, is displayed at bootup:
ios resilience: Archived image and configuration version 12.2 differs from running version 12.3

To upgrade the image archive to the new running image, reenter the secure boot-image com-
mand from the console. A message about the upgraded image is displayed. The old image is re-
leased and is visible in the dir command output.
The secure boot-config command

To take a snapshot of the router running configuration and securely archive it in persistent storage,
use the secure boot-config command in global configuration mode. A log message is displayed
on the console notifying the user that configuration resilience is activated. The configuration
archive is hidden and cannot be viewed or removed directly from the CLI prompt.
The configuration upgrade scenario is similar to an image upgrade. This feature detects a different
version of Cisco IOS configurations and notifies the user of a version mismatch. The secure
boot-config command can be run to upgrade the configuration archive to a newer version after
new configuration commands have been issued.
Secured files do not appear in the output of a dir command that is issued from the CLI. This is be-
cause the Cisco IOS file system prevents secure files from being listed. Because the running image
and running configuration archives are not visible in the dir command output, use the show se-
cure bootset command to verify the existence of the archive. This step is important to verify that
the Cisco IOS image and configuration files have been properly backed up and secured.
While the Cisco IOS file system prevents these files from being viewed, ROM monitor (ROM-
mon) mode does not have any such restrictions and can list and boot from secured files.
There are five steps to restore a primary bootset from a secure archive after the router has been
tampered with (by an NVRAM erase or a disk format):
Step 1. Reload the router using the reload command.
Step 2. From ROMmon mode, enter the dir command to list the contents of the device that con-
tains the secure bootset file. From the CLI, the device name can be found in the output of the show
secure bootset command.

Step 3. Boot the router with the secure bootset image using the boot command with the filename
found in Step 2. When the compromised router boots, change to privileged EXEC mode and re-
store the configuration.
Step 4. Enter global configuration mode using conf t.

Step 5. Restore the secure configuration to the supplied filename using the secure boot-config
restore filename command.

In the event that a router is compromised or needs to be recovered from a misconfigured password,
an administrator must understand password recovery procedures. For security reasons, password
recovery requires the administrator to have physical access to the router through a console cable.
Recovering a router password involves several steps.
Step 1. Connect to the console port.
Step 2. Use the show version command to view and record the configuration register.

The configuration register is similar to the BIOS setting of a computer, which controls the bootup
process. A configuration register, represented by a single hexadecimal value, tells a router what
specific steps to take when powered on. Configuration registers have many uses, and password re-
covery is probably the most used. To view and record the configuration register, use the show ver-
sion command.

R1> show version
<Output omitted>
Configuration register is 0x2102

The configuration register is usually set to 0x2102 or 0x102. If there is no longer access to the
router (because of a lost login or TACACS password), an administrator can safely assume that the
configuration register is set to 0x2102.
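Because the recovery procedure works by changing this register, it is worth decoding the value rather than only recording it. The following Python script is an added example, not from the booklet or from Cisco: it parses the "Configuration register is 0x..." line from constructed show version output and reports the bits that matter here. Bit 6 (0x0040) makes the router ignore the startup configuration in NVRAM, which is what confreg 0x2142 sets; bit 8 (0x0100) disables the console break sequence; bits 0-3 form the boot field (0x0 halts in ROMmon). A router that still reports 0x2142 after a recovery will keep booting without its startup configuration, so the findings function flags that case. The sample output and function names are constructed.

```python
"""Decode the configuration register from show version output (added example)."""
import re

# Constructed sample output; the real command prints many more lines first.
SAMPLE_SHOW_VERSION = """\
R1> show version
<Output omitted>
Configuration register is 0x2102
"""

IGNORE_NVRAM = 0x0040     # bit 6: boot without loading startup-config (confreg 0x2142)
BREAK_DISABLED = 0x0100   # bit 8: ignore the console break sequence after boot
BOOT_FIELD = 0x000F       # bits 0-3: 0x0 = stay in ROMmon, 0x1 = first image in flash,
                          #           0x2-0xF = normal boot using boot system commands
USUAL_VALUES = (0x2102, 0x0102)   # values the text above says to expect

REGISTER_RE = re.compile(r"Configuration register is 0x([0-9A-Fa-f]+)")


def parse_register(show_version_output):
    """Extract the register value (as an int) from show version text."""
    m = REGISTER_RE.search(show_version_output)
    if not m:
        raise ValueError("no 'Configuration register is' line found")
    return int(m.group(1), 16)


def decode_register(value):
    """Break the register into the fields relevant to boot and recovery."""
    boot = value & BOOT_FIELD
    return {
        "value": f"0x{value:04x}",
        "boot_field": boot,
        "boots_to_rommon": boot == 0x0,
        "ignores_startup_config": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
    }


def register_findings(value):
    """Findings for an operator checking a router after a recovery or handover."""
    d = decode_register(value)
    findings = []
    if d["ignores_startup_config"]:
        findings.append(f"{d['value']}: NVRAM ignored at boot; the startup configuration, "
                        "including its passwords, will not be loaded")
    if d["boots_to_rommon"]:
        findings.append(f"{d['value']}: boot field 0x0; the router halts in ROMmon")
    if value not in USUAL_VALUES:
        findings.append(f"{d['value']}: differs from the usual 0x2102/0x102")
    return findings


if __name__ == "__main__":
    current = parse_register(SAMPLE_SHOW_VERSION)
    print(decode_register(current))
    for v in (current, 0x2142):
        for finding in register_findings(v) or [f"0x{v:04x}: no findings"]:
            print(finding)
```

Feeding the script the captured output of show version from several routers is a quick way to spot one that was left in the recovery state (0x2142) or that will not honour break during boot.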
Step 3. Use the power switch to power cycle the router.
Step 4. Issue the break sequence within 60 seconds of power up to put the router into ROMmon.
Step 5. Type confreg 0x2142 at the rommon 1> prompt.

This changes the default configuration register and causes the router to bypass the startup configu-
ration where the forgotten enable password is stored.
Step 6. Type reset at the rommon 2> prompt. The router reboots, but ignores the saved configura-
tion.
Step 7. Type no after each setup question, or press Ctrl-C to skip the initial setup procedure.
Step 8. Type enable at the Router> prompt. This puts the router into enable mode and allows you
to see the Router# prompt.
Step 9. Type copy startup-config running-config to copy the NVRAM into memory. Be care-
ful not to type copy running-config startup-config or the startup configuration will be erased.
Step 10. Type show running-config. In this configuration, the shutdown command appears under
all interfaces because all interfaces are currently shut down. An administrator can now see the
passwords (enable password, enable secret, vty, and console passwords) either in encrypted or un-
encrypted format. Unencrypted passwords can be reused, but encrypted passwords need a new
