CCNA Security Chapter 2
Securing Network Devices

Describe an edge router:
The edge router is the last router between the internal network and an untrusted network such as the Internet. All of an organization's Internet traffic goes through this edge router; therefore, it often functions as the first and last line of defense for a network.

Describe three different approaches to securing the internal (protected) network:
Single Router Approach - In the Single Router Approach, a single router connects the protected network, or internal LAN, to the Internet. All security policies are configured on this device.
Defense-in-Depth Approach - In the Defense-in-Depth approach the edge router acts as the first line of defense and is known as a screening router. It passes all connections that are intended for the internal LAN to the firewall, which picks up where the edge router leaves off and performs additional
DMZ Approach - The DMZ Approach is a variation of the defense-in-depth approach that offers an intermediate area which can be used for servers that must be accessible from the Internet or some other external network.

Describe three critical areas of router security:
Physical security: Place the router and physical devices that connect to it in a secure locked room that is accessible only to authorized personnel, is free of electrostatic or magnetic interference, and has controls for temperature and humidity. Install an uninterruptible power supply (UPS) and keep spare components available. This reduces the possibility of a DoS attack from power loss to the
Operating System Security: Configure the router with the maximum amount of memory possible. The availability of memory can help protect the network from some DoS attacks, while supporting the widest range of security services. Use the latest stable version that meets the feature requirements of the network. Security features in an operating system evolve over time. Keep in mind that the latest version of an operating system might not be the most stable version available. Keep a secure copy of the router operating system image and router configuration file as a backup.
Router Hardening: Secure administrative control. Ensure that only authorized personnel have access and that their level of access is controlled. Disable unused ports and interfaces. Reduce the number of ways a device can be accessed. Disable unnecessary services. Similar to many computers, a router has services that are enabled by default. Some of these services are unnecessary and can be used by an attacker to gather information or for exploitation.

Describe the important tasks involved in securing administrative access:
Restrict device accessibility - Limit the accessible ports, restrict the permitted communicators, and restrict the permitted methods of access.
Log and account for all access - For auditing purposes, record anyone who accesses a device, including what occurs and when.
Authenticate access - Ensure that access is granted only to authenticated users, groups, and services. Limit the number of failed login attempts and the time between logins.
Authorize actions - Restrict the actions and views permitted by any particular user, group, or service.
Present Legal Notification - Display a legal notice, developed in conjunction with company legal counsel, for interactive
Ensure the confidentiality of data - Protect locally stored sensitive data from viewing and copying. Consider the vulnerability of data in transit over a communication channel to sniffing, session hijacking, and man-in-the-middle (MITM) attacks.

When accessing the network remotely, what precautions should be taken?
Encrypt all traffic between the administrator computer and the router. For example, instead of using Telnet, use SSH. Or instead of using HTTP, use
Establish a dedicated management network. The management network should include only identified administration hosts and connections to a dedicated interface on the router.
Configure a packet filter to allow only the identified administration hosts and preferred protocols to access the router. For example, permit only SSH requests from the IP address of the administration host to initiate a connection to the routers in the network.

Visit: to see a list of password attack
Describe some common guidelines for choosing strong passwords:
1. Use a password length of 10 or more characters. The longer, the better.
2. Make passwords complex. Include a mix of uppercase and lowercase letters, numbers, symbols, and spaces.
3. Avoid passwords based on repetition, dictionary words, letter or number sequences, usernames, relative or pet names, biographical information, such as birthdates, ID numbers, ancestor names, or other easily identifiable pieces of
4. Deliberately misspell a password. For example, Smith = Smyth = 5mYth or Security = 5ecur1ty.
5. Change passwords often. If a password is unknowingly compromised, the window of opportunity for the attacker to use the password is limited.
6. Do not write passwords down and leave them in obvious places such as on the desk or monitor.

Describe the enable secret password global configuration command:
The enable secret password global configuration command restricts access to privileged EXEC mode. The enable secret password is always hashed inside the router configuration using a Message Digest 5 (MD5) hashing algorithm. If the enable secret password is lost or forgotten, it must be replaced using the Cisco router password recovery procedure.

How can you protect Console Port access?
By default, the console port does not require a password for console administrative access; however, it should always be configured with a console port line-level password. Use the line console 0 command followed by the login and password subcommands to require login and establish a login password on the console line.

How can you protect Virtual Terminal Line (vty) access?
Use the line vty 0 4 command followed by the login and password subcommands to require login and establish a login password on incoming Telnet sessions.

How can you protect Auxiliary Port (aux) access?
To access the auxiliary line, use the line aux 0 command. Use the login and password subcommands to require login and establish a login password on incoming auxiliary port connections.

What can be done to increase the security of passwords?
Enforce minimum password lengths (security passwords min-length).
Disable unattended connections (exec-timeout minutes [seconds]).
Encrypt all passwords in the configuration (service password-encryption).

What command creates a secure list of usernames and passwords in a database on the router for local login authentication?
username name secret password

What should be done to better configure security for virtual login connections?
Delays between successive login attempts
Login shutdown if DoS attacks are
Generation of system logging messages for login detection

What commands are available to configure a Cisco IOS device to support enhanced login features?
Router# configure terminal
Router(config)# login block-for seconds attempts tries within seconds
Router(config)# login quiet-mode access-class {acl-name | acl-number}
Router(config)# login delay seconds
Router(config)# login on-failure log [every login]
Router(config)# login on-success log [every login]

Describe the two login block-for feature modes of operation:
Normal mode (watch mode) - The router keeps count of the number of failed login attempts within an identified amount of
Quiet mode (quiet period) - If the number of failed logins exceeds the configured threshold, all login attempts using Telnet, SSH, and HTTP are denied.

What commands can be used to keep track of the number of successful and failed login attempts?
login on-failure log generates logs for failed login requests.
login on-success log generates log messages for successful login requests.

What command generates a log message when the login failure rate is exceeded?
security authentication failure rate threshold-rate log

How can you verify that the login block-for command is configured and which mode the router is currently in?
Use the show login command.

What command displays more information regarding failed login attempts?
The show login failures command

Why are banners important and how can they be configured?
Banner messages should be used to present legal notification to would-be intruders to inform them that they are not welcome on a network. Banners are activated with the banner command: banner {exec | incoming | login | motd | slip-ppp} # message #

How can a secure remote access connection be established to manage Cisco IOS devices?
SSH has replaced Telnet as the recommended practice for providing remote router administration with connections that support confidentiality and session integrity. An SSH connection is encrypted and operates on port 22.

Describe the four steps to configure routers for the SSH protocol:
1. Target routers must have an IOS that supports SSH
2. Target routers have a unique host name
3. Target routers have the correct domain name
4. Target routers are configured for authentication

Describe the four steps to configure SSH on a Cisco router and the commands to accomplish each step:
1. Configure the IP domain name
R1(config)# ip domain-name span.com
2. Generate one-way secret keys
R1(config)# crypto key generate rsa general-keys modulus modulus-size
3. Verify or create a local database entry
R1(config)# username Mark secret
4. Enable VTY inbound SSH sessions
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input ssh

Describe how to configure and confirm the SSH version, the SSH timeout period, and the number of authentication retries:
R1(config)# ip ssh version {1 | 2}
R1(config)# ip ssh time-out seconds
R1(config)# ip ssh authentication-retries integer
R1# show ip ssh

Describe the two ways to connect to an SSH-enabled router:
Connect using an SSH-enabled Cisco router using the privileged EXEC mode ssh command.
Connect using a publicly and commercially available SSH client running on a host. Examples of these clients are PuTTY, OpenSSH, and TeraTerm.

How can connection status be verified?
R1# show ssh

How can Cisco SDM be used to configure an SSH daemon on a router?
To see the current SSH key settings, choose Configure > Additional Tasks > Router Access > SSH.

Using Cisco SDM, how are the vty lines configured to support SSH?
Choose Configure > Additional Tasks > Router Access > VTY and click the Edit button to configure

What two levels of access to commands does Cisco IOS software CLI have?
User EXEC mode (privilege level 1) - Provides the lowest EXEC mode user privileges and allows only user-level commands available at the router> prompt.
Privileged EXEC mode (privilege level 15) - Includes all enable-level commands at the router# prompt.

Describe the privilege levels available in the Cisco IOS CLI.
Level 0: Predefined for user-level access privileges. Seldom used, but includes five commands: disable, enable, exit, help, and logout
Level 1: The default level for login with the router prompt router>. A user cannot make any changes or view the running configuration file.
Levels 2-14: May be customized for user-level privileges. Commands from lower levels may be moved up to another higher level, or commands from higher levels may be moved down to a lower
Level 15: Reserved for the enable mode privileges (enable command). Users can change configurations and view configuration files.

What is the command to set privilege levels?
Router(config)# privilege mode {level level command | reset} command

What are the two methods for assigning passwords to different levels for authentication?
To the privilege level, using the global configuration command enable secret level level password.
To a user that is granted a specific privilege level, using the global configuration command username name privilege level secret password.

How can the limitations of assigning privilege levels be overcome?
By utilizing Role-Based CLI Access

Role-based CLI provides which three types of views?
Root view: has the same access privileges as a user who has level 15 privileges. However, only a root view user can configure a new view and add or remove commands from the existing
CLI view: must be assigned all commands associated with that view, and a view does not inherit commands from any other views
Superview: allows a network administrator to assign users and groups of users multiple CLI views at once

Describe the characteristics of Superviews:
A single CLI view can be shared within multiple superviews.
Commands cannot be configured for a superview. An administrator must add commands to the CLI view and add that CLI view to the superview.
Users who are logged into a superview can access all the commands that are configured for any of the CLI views that are part of the superview.
Each superview has a password that is used to switch between superviews or from a CLI view to a superview.

Describe the steps to create and manage a specific view:
Step 1. Enable AAA with the aaa new-model global configuration command. Exit and enter the root view with the enable view command.
Step 2. Create a view using the parser view view-name command. This enables the view configuration mode. Excluding the root view, there is a maximum limit of 15 views in total.
Step 3. Assign a secret password to the view using the secret encrypted-password command.
Step 4. Assign commands to the selected view using the commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command] command in view configuration mode.
Step 5. Exit view configuration mode by typing the exit command.

Describe the steps to create and manage a superview:
Step 1. Create a view using the parser view view-name superview command and enter superview configuration mode.
Step 2. Assign a secret password to the view using the secret encrypted-password command.
Step 3. Assign an existing view using the view view-name command in view configuration mode.
Step 4. Exit superview configuration mode by typing the exit command.

1. What command enables Cisco IOS image resilience?
2. What command takes a snapshot of the router running configuration and securely archives it in persistent storage?
1. secure boot-image
2. secure boot-config

What command is used to verify the existence of the secured files in the archive?
show secure bootset

Describe the steps to restore a primary bootset from a secure archive after the router has been tampered with:
Step 1. Reload the router using the reload command.
Step 2. From ROMmon mode, enter the dir command to list the contents of the device that contains the secure bootset file. From the CLI, the device name can be found in the output of the show secure bootset command.
Step 3. Boot the router with the secure bootset image using the boot command with the filename found in Step 2. When the compromised router boots, change to privileged EXEC mode and restore the
Step 4. Enter global configuration mode using conf t.
Step 5. Restore the secure configuration to the supplied filename using the secure boot-config restore filename command.

Describe the steps necessary to recover a lost router password:
Step 1. Connect to the console port.
Step 2. Use the show version command to view and record the configuration
Step 3. Use the power switch to power cycle the router.
Step 4. Press "CTRL break" within 60 seconds of power up to put the router into ROMmon mode.
Step 5. Type confreg 0x2142 at the rommon 1> prompt.
Step 6. Type reset at the rommon 2> prompt.
Step 7. Type no after each setup question, or press Ctrl-C to skip the initial setup procedure.
Step 8. Type enable at the Router> prompt. This puts the router into enable mode and allows you to see the Router# prompt.
Step 9. Type copy startup-config running-config to copy the NVRAM into
Step 10. Type show running-config. An administrator can now see the passwords (enable password, enable secret, vty, and console passwords) either in encrypted or unencrypted format. Unencrypted passwords can be reused, but encrypted passwords need a new password to be
Step 11. Enter global configuration and type the enable secret password command to change the enable secret
Step 12. Issue the no shutdown command on every interface to be used.
Step 13. From global configuration mode, type config-register 0x2102 (typically)
Step 14. Save the configuration changes using the copy running-config startup-config command.

What command secures the router from the normal password recovery process?
no service password-recovery

Describe the two paths that the flow can take when logging and managing information flow between management hosts and the managed devices:
Out-of-band (OOB) - Information flows on a dedicated management network on which no production traffic resides.
In-band - Information flows across an enterprise production network, the Internet, or both using regular data channels.

Describe 5 different facilities to which Cisco routers can send log messages:
Console - Console logging is on by default. Messages log to the console and can be viewed when modifying or testing the router using terminal emulation software while connected to the console port of the router.
Terminal lines - Enabled EXEC sessions can be configured to receive log messages on any terminal lines. Similar to console logging, this type of logging is not stored by the router and, therefore, is only valuable to the user on that line.
Buffered logging - Buffered logging is a little more useful as a security tool because log messages are stored in router memory for a time. However, events are cleared whenever the router is
SNMP traps - Certain thresholds can be preconfigured on routers and other devices. Router events, such as exceeding a threshold, can be processed by the router and forwarded as SNMP traps to an external SNMP server. SNMP traps are a viable security logging facility but require the configuration and maintenance of an SNMP system.
Syslog - Cisco routers can be configured to forward log messages to an external syslog service. This service can reside on any number of servers or workstations, including Microsoft Windows and UNIX-based systems, or the Cisco Security MARS appliance. Syslog is the most popular message logging facility, because it provides long-term log storage capabilities and a central location for all router messages.

What are the three main parts of Cisco router log messages?
Timestamp
Log message name and severity level
Message text

Describe the eight levels that Cisco router log messages fall into in order of severity from highest to lowest:
0 - emergencies - System is unusable. LOG_EMERG
1 - alerts - Immediate action is needed. LOG_ALERT
2 - critical - Critical conditions exist.
3 - errors - Error conditions exist.
4 - warnings - Warning conditions exist.
5 - notifications - Normal but significant condition. LOG_NOTICE
6 - informational - Informational messages only. LOG_INFO
7 - debugging - Debugging messages. LOG_DEBUG

Describe the two types of systems contained in Syslog implementations:
Syslog servers - Also known as log hosts, these systems accept and process log messages from syslog clients.
Syslog clients - Routers or other types of equipment that generate and forward log messages to syslog servers.

Describe Cisco Security MARS and explain how it uses logging information:
The Cisco Security Monitoring, Analysis, and Response System (MARS) is a Cisco security appliance that can receive and analyze syslog messages from various networking devices and hosts from Cisco and other vendors. Cisco Security MARS combines all of this log data into a series of sessions, which it then compares to a database of rules. If the rules indicate that there might be a problem, an incident is triggered.

Describe the steps to activate and configure system logging:
Step 1. Set the destination logging host using the logging host [hostname | ip-address] command.
Step 2. (Optional) Set the log severity (trap) level using the logging trap level command.
Step 3. Set the source interface using the logging source-interface interface-type interface-number command. This specifies that syslog packets contain the IPv4 or IPv6 address of a particular interface, regardless of which interface the packet uses to exit the router.
Step 4. Enable logging with the logging on command. You can turn logging on
and off for these destinations individually using the logging buffered, logging monitor, and logging global configuration commands.

Describe the steps to enable syslog logging using Cisco Security Device Manager:
1. Choose Configure > Additional Tasks > Router Properties > Logging.
2. From the Logging pane, click Edit.
3. In the Logging window, select Enable Logging Level and choose the logging level from the Logging Level list box. Messages will be logged for the level selected and below.
4. Click Add, and enter an IP address of a logging host in the IP Address/Hostname field.
5. Click OK to return to the Logging dialog
6. Click OK to accept the changes and return to the Logging pane.

Describe SNMP:
SNMP was developed to manage nodes, such as servers, workstations, routers, switches, hubs, and security appliances, on an IP network. SNMP is an Application Layer protocol that facilitates the exchange of management information between network devices. SNMP enables network administrators to manage network performance, find and solve network problems, and plan for network growth.

Describe the components of SNMP:
Network Management Systems - at least one manager node runs SNMP management software
Agents - network devices that need to be managed, such as switches, routers, servers, and workstations
Management Information Bases - a database that reflects the resources and activity of a managed device

What are the three actions that a manager node can use to view or alter information in a managed device?
Get - view information about a managed device
Set - change configuration variables in the agent device
Trap (Notification) - enable an agent to notify the management station of significant events

Describe the two types of community strings as they relate to SNMP versions 1 and 2:
Read-only community strings - Provides read-only access to all objects in the MIB, except the community strings. Allows only GET requests.
Read-write community strings - Provides read-write access to all objects in the MIB, except the community strings. Allows GET and SET requests but should be used only on an OOB network.

How does SNMP version 3 address the vulnerabilities of versions 1 and 2?
SNMPv3 provides three security features.
Message integrity - Ensures that a packet has not been tampered with in
Authentication - Determines that the message is from a valid source.
Encryption - Scrambles the contents of a packet to prevent it from being seen by an unauthorized source.

Describe the security levels available for the three SNMP security models:
noAuth - Authenticates a packet by a string match of the username or community string. Available with SNMPv1, 2, and 3.
auth - Authenticates a packet by using either the Hashed Message Authentication Code (HMAC) with MD5 method or Secure Hash Algorithms (SHA) method. The HMAC method is described in RFC 2104, HMAC: Keyed-Hashing for Message Authentication. Available with SNMPv3 only.
priv - Authenticates a packet by using either the HMAC MD5 or HMAC SHA algorithms and encrypts the packet using the Data Encryption Standard (DES), Triple DES (3DES), or Advanced Encryption Standard (AES) algorithms. Available with SNMPv3 only.

This page shows the steps to activate an SNMP trap receiver.

Describe two ways to set date and time on a Cisco router.
Manually editing the date and time
Configuring the Network Time Protocol (NTP)

Describe the process of setting date and time on Cisco routers using NTP:
NTP clients either contact the master or listen for messages from the master to synchronize their clocks. To contact the master, use the ntp server ntp-server-address command. In a LAN environment, NTP can be configured to use IP broadcast messages instead by using the ntp broadcast client command.

Describe the security features of NTP:
1. ACL-based restriction scheme
2. Encrypted authentication mechanism offered by NTP version 3 or later

This page shows the configuration steps for CLI based NTP authentication:

This page shows the configuration steps for SDM based NTP authentication:

Describe some of the practices that help ensure that a network device is secure:
Disable unnecessary services and interfaces.
Disable and restrict commonly configured management services, such as SNMP.
Disable probes and scans, such as ICMP.
Ensure terminal access security.
Disable gratuitous and proxy Address Resolution Protocol.
Disable IP-directed broadcasts.

What is the best way to determine and fix the vulnerabilities that exist with a current configuration?
Use security audit tools such as:
Security Audit Wizard in Cisco SDM
One-Step Lockdown in Cisco SDM
Cisco auto secure command in the Cisco IOS CLI

What actions does the Security Audit wizard in Cisco Security Device Manager (SDM) perform?
Shuts down unneeded servers.
Disables unneeded services.
Applies the firewall to the outside interfaces.
Disables or hardens SNMP.
Shuts down unused interfaces.
Checks password strength.
Enforces the use of ACLs.

Differentiate between the management plane and the forwarding plane of a Cisco router:
The management plane is the logical path of all traffic related to the management of a routing platform.
The forwarding plane is responsible for packet forwarding (or packet switching), which is the act of receiving packets on the router interfaces and sending them out on other interfaces.

List management plane and forwarding plane services and functions which can be secured with auto secure:
Management plane:
Secure BOOTP, CDP, FTP, TFTP, PAD, UDP, and TCP small servers, MOP, ICMP (redirects, mask-replies), IP source routing, Finger, password encryption, TCP keepalives, gratuitous ARP, proxy ARP, and directed broadcast
Legal notification using a banner
Secure password and login functions
Secure NTP
Secure SSH access
TCP intercept services

Forwarding plane:
Enables CEF
Enables traffic filtering with ACLs
Implements Cisco IOS firewall inspection for common protocols

Describe the features of Cisco AutoSecure that are not implemented or are implemented differently in Cisco SDM one-step lockdown:
Disabling NTP - Based on input, Cisco AutoSecure disables NTP if it is not necessary. Otherwise, NTP is configured with MD5 authentication. Cisco SDM does not support disabling NTP.
Configuring AAA - If the AAA service is not configured, Cisco AutoSecure configures local AAA and prompts for the configuration of a local username and password database on the router. Cisco SDM does not support AAA configuration.
Setting Selective Packet Discard (SPD) values - Cisco SDM does not set SPD
Enabling TCP intercepts - Cisco SDM does not enable TCP intercepts.
Configuring antispoofing ACLs on outside interfaces - Cisco AutoSecure creates three named access lists to prevent antispoofing source addresses. Cisco SDM does not configure these
Enable SSH for access to the router - Cisco SDM enables and configures SSH on Cisco IOS images that have the IPsec feature set; however, unlike Cisco AutoSecure, Cisco SDM does not enable Secure Copy Protocol (SCP) or disable other access and file transfer services, such as FTP.
Disable SNMP - Cisco SDM disables SNMP; however, unlike Cisco AutoSecure, Cisco SDM does not provide an option for configuring SNMPv3. The SNMPv3 option is not available on all