The generic security configuration for Cisco CatOS switches is described in the following steps:
Step 1 Shut down all unneeded services by issuing the following commands:
set ip http server disable
set cdp disable
CDP advertises the platform, software version, and IP addresses of the switch to any directly connected device, which is useful reconnaissance for an attacker; disable it at least on ports that face untrusted segments.
Step 2 Set passwords and access restrictions, and enable AAA. To set the login and enable passwords, use the following (CatOS prompts for the new password rather than accepting it on the command line, so it does not end up in the command history):
set password
set enablepass
Set access restrictions with the following commands. The first enables the IP permit list for Telnet; the second adds the management host to it. With the list enabled, only listed addresses can open a Telnet session to the switch. Because Telnet carries the passwords in clear text, prefer SSH where the CatOS image supports it:
set ip permit enable telnet
set ip permit management-host-address 255.255.255.255 telnet
Enable AAA with the following:
set tacacs server tacacs-server-address
set tacacs key key
set authentication login local enable
set authentication login tacacs enable
set authorization exec enable tacacs+ none both
set accounting exec enable start-stop tacacs+
Keeping local login authentication enabled lets an administrator reach the switch with the local password if every TACACS+ server is unreachable; the none fallback in the authorization line serves the same purpose. (The form aaa authorization exec default group tacacs+ local is Cisco IOS syntax and is not accepted by CatOS.)
Step 3 Turn on logging and SNMP capability.
To enable syslog, use the following commands (CatOS does not forward messages to the server until forwarding is enabled, so the second command is required):
set logging server syslog-server-address
set logging server enable
set logging timestamp enable
To enable SNMP, use the following commands. Configure only a read-only community, never leave the default strings public or private in place, and restrict SNMP to the management host with the IP permit list, because SNMPv1 and SNMPv2c send the community string in clear text:
set snmp community read-only community-string
set ip permit enable snmp
set ip permit management-host-address snmp
Step 4 Enable and secure NTP with these commands. The key number in the server line must refer to a key configured as trusted, and the same key string must be configured on the NTP server; otherwise the switch rejects that server's time:
set ntp authentication enable
set ntp key 1 trusted md5 ntp-key
set ntp trusted-key 1
set ntp server ntp-server-address key 1
set ntp client enable
Step 5 Enable the use of a banner message with the following (the # characters delimit the banner; choose a delimiter that does not occur in the message text):
set banner motd #
Banner Message Text
#
Refer to Example B-1 to see a typical banner text message.
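As a practical check on the five steps above, here is an added example (it is not part of the original appendix and not Cisco code) that audits a CatOS "show config" dump against the checklist: every required hardening command must be present, no read-write or well-known SNMP community may exist, an enabled IP permit list must actually list hosts, and every NTP key a server entry references must be defined as a trusted MD5 key. The sample dump is constructed for the example, not captured from a real switch, and the script assumes the command forms used above (for instance set logging server and set ntp key n trusted md5) and that section markers in the dump begin with #.

```python
"""Audit a CatOS 'show config' dump against the hardening checklist above.

Added example, not from the original appendix. Assumes the command forms
shown in the appendix and that section markers in the dump start with '#'.
"""
import re
import sys

# Constructed sample dump (not from a real switch). It deliberately leaves
# CDP on, keeps a read-write community, references an undefined NTP key and
# has no banner, so the audit has something to report.
SAMPLE_CONFIG = """\
#ip
set ip http server disable
set ip permit enable telnet
set ip permit enable snmp
set ip permit 10.1.1.5 255.255.255.255 telnet
set ip permit 10.1.1.5 snmp
#cdp
set cdp enable
#snmp
set snmp community read-only  NOCmonitor
set snmp community read-write  private
#tacacs+
set tacacs server 10.1.1.10
set authentication login local enable
set authentication login tacacs enable
set authorization exec enable tacacs+ none both
set accounting exec enable start-stop tacacs+
#syslog
set logging server 10.1.1.20
set logging server enable
set logging timestamp enable
#ntp
set ntp authentication enable
set ntp client enable
set ntp server 10.1.1.30 key 1
"""

IPV4 = r"\d+\.\d+\.\d+\.\d+"

# (finding id, description, pattern that must match at least one line)
REQUIRED = [
    ("http-disabled", "HTTP server is not disabled", r"^set ip http server disable$"),
    ("cdp-disabled", "CDP is not disabled", r"^set cdp disable$"),
    ("telnet-permit", "IP permit list not enabled for Telnet", r"^set ip permit enable telnet$"),
    ("snmp-permit", "IP permit list not enabled for SNMP", r"^set ip permit enable snmp$"),
    ("tacacs-server", "no TACACS+ server configured", r"^set tacacs server \S+"),
    ("tacacs-login", "TACACS+ login authentication not enabled", r"^set authentication login tacacs enable$"),
    ("accounting", "EXEC accounting not enabled", r"^set accounting exec enable start-stop tacacs\+$"),
    ("syslog-server", "no syslog server configured", rf"^set logging server {IPV4}$"),
    ("syslog-enable", "syslog forwarding not enabled", r"^set logging server enable$"),
    ("syslog-ts", "syslog timestamps not enabled", r"^set logging timestamp enable$"),
    ("ntp-auth", "NTP authentication not enabled", r"^set ntp authentication enable$"),
    ("banner", "no login banner configured", r"^set banner motd "),
]

# (finding id, description, pattern that must match no line at all)
FORBIDDEN = [
    ("snmp-rw", "read-write SNMP community configured", r"^set snmp community read-write\s+\S+"),
    ("snmp-default", "well-known SNMP community string in use",
     r"^set snmp community \S+\s+(public|private|secret)$"),
]


def parse_lines(config):
    """Return stripped 'set ...' lines, dropping blanks and '#section' markers."""
    return [ln.strip() for ln in config.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def audit(config):
    """Return a list of (finding id, detail) tuples; an empty list means clean."""
    lines = parse_lines(config)
    findings = []
    for fid, desc, pat in REQUIRED:
        if not any(re.match(pat, ln) for ln in lines):
            findings.append((fid, desc))
    for fid, desc, pat in FORBIDDEN:
        findings.extend((fid, f"{desc}: {ln}") for ln in lines if re.match(pat, ln))
    # An enabled permit list with no host entries is never what was intended.
    for proto in ("telnet", "snmp"):
        enabled = any(re.match(rf"^set ip permit enable {proto}$", ln) for ln in lines)
        hosts = [ln for ln in lines if re.match(rf"^set ip permit {IPV4}(?: \S+)? {proto}$", ln)]
        if enabled and not hosts:
            findings.append((f"{proto}-permit-empty", f"permit list enabled for {proto} but no hosts listed"))
    # Every key an NTP server entry references must exist as a trusted MD5 key.
    defined = set()
    for ln in lines:
        m = re.match(r"^set ntp key (\d+) trusted md5 \S+", ln)
        if m:
            defined.add(m.group(1))
    for ln in lines:
        m = re.match(r"^set ntp server \S+ key (\d+)$", ln)
        if m and m.group(1) not in defined:
            findings.append(("ntp-key", f"NTP server references undefined key {m.group(1)}: {ln}"))
    return findings


if __name__ == "__main__":
    # Usage: python catos_audit.py [show-config-dump.txt]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for fid, detail in audit(text):
        print(f"[{fid}] {detail}")
```

Run against the sample dump it reports five findings (CDP enabled, no banner, a read-write community, the default string private, and an NTP key that is referenced but never defined); feed it the output of show config from a switch hardened per the steps above and it should print nothing. The cross-checks are the useful part: a permit list that is enabled but empty, or an NTP server line pointing at a key that does not exist, passes a line-by-line eyeball review easily and still leaves the switch misconfigured.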
NOTE Remember that the commands and configurations shown in this appendix are only examples of generic security hardening for Cisco routers and switches and by no means define the limits to which these devices can be secured. Other best practices, such as RFC 1918 and RFC 2827 filtering and those detailed in the various SAFE white papers (search Cisco.com for "SAFE"), should also be adopted.
3DES Triple DES. See DES.
AAA Authentication, authorization, and accounting (pronounced "triple a").
ACK Acknowledgement bit in a TCP segment header.
ACL Access control list. On Cisco routers and switches, an ordered list of permit and deny rules applied to packets by address, protocol, and port. More generally, a set of data associated with a file, directory, or other resource that defines the access permissions for users, groups, processes, or devices.
ACS Access Control Server.
APNIC Asia Pacific Network Information Center. A nonprofit Internet registry organization for the Asia Pacific region.
application hardening Staying current on patches for applications and reducing information the applications provide through service banners.
ARIN American Registry for Internet Numbers. A nonprofit organization that dispenses IP addresses in North and South America, the Caribbean, and sub-Saharan Africa.
ATM Asynchronous Transfer Mode. A network technology for both LANs and WANs that supports real-time voice and video as well as data.
authentication Process by which a user or administrator demonstrates knowledge or possession of something (a password, a token, a key) that verifies their identity to a system.
authorization Process by which a user or administrator demonstrates that they have the authority to execute an action on a device.
BCP Best common practices.
BIND Berkeley Internet Name Domain. The most commonly used DNS software.
BPDU Bridge protocol data unit. A Spanning Tree Protocol (STP) message unit that describes the attributes of a switch port, such as its MAC address, priority, and cost to reach.
buffer overflow An application layer attack made possible by improper bounds checking of input data in a program. By sending crafted data longer than the buffer meant to hold it, the attacker overwrites adjacent memory (for example, a saved return address) and redirects the program to execute code of the attacker's choice.
Campus module One of the SAFE modules; provides end-user workstations, corporate intranet servers, management servers, and the associated Layer 2 functionality.
CCDA Cisco Certified Design Associate.
CCDP Cisco Certified Design Professional.
CCIE Cisco Certified Internetwork Expert.
CCIP Cisco Certified Internetwork Professional.
CCNA Cisco Certified Network Associate.
CCNP Cisco Certified Network Professional.
CDP Cisco Discovery Protocol. Media- and protocol-independent device-discovery protocol that runs on all Cisco-manufactured equipment, including routers, access servers, bridges, and switches.
CERT Computer Emergency Response Team. A group of people in a specific organization who coordinate their responses to breaches of security or other computer emergencies, such as breakdowns and disasters.
CHAP Challenge Handshake Authentication Protocol. An access control protocol in which the server sends a random challenge and the client answers with an MD5 hash of the challenge and the shared secret, so the password itself never crosses the link; the server can repeat the challenge at any time during the session.
CIA Confidentiality, integrity, and availability. In the field of information security, describes the desired characteristics of protected data.
cipher text Data that has been enciphered (encrypted) so that it cannot be read without the key. Encoding alone, which applies no key, does not produce cipher text.
Cisco AVVID Architecture for Voice, Video, and Integrated Data.
Cisco IOS Firewall A software option available for most Cisco routers that provides a stateful packet-filter firewall.
Cisco Secure ACS A complete access control server that supports the industry-standard RADIUS protocol and the Cisco-proprietary TACACS+ protocol.
Cisco VMS CiscoWorks VPN/Security Management Solution. An integrated security management solution that is part of the SAFE blueprint for network security. VMS enables customers to deploy security infrastructures from small networks to large, complex, and widely distributed environments.
Cisco VPN 3000 Series Concentrator A purpose-built, remote-access VPN device.
clear text Normal text that has not been encrypted and is readable by text editors and word processors.
client mode Mode in which all users behind the hardware client appear as a single user on the corporate intranet through the use of Network Address Translation (NAT) overload or what is also commonly called Port Address Translation (PAT).
Corporate Internet module One of the SAFE modules; provides connectivity to the Internet and terminates any VPN connectivity. Traffic for public services, such as e-mail, web, file transfer, and name lookups, is also terminated at the Corporate Internet module.
CSI Cisco SAFE Implementation.
CSPM Cisco Secure Policy Manager. A centralized, scalable, comprehensive security policy management application for the Cisco Secure security portfolio.
DDoS Distributed denial of service. Attacks directed against a host or network where the intent is to deny access to the host or network by consuming all of the bandwidth available to the host. This attack typically involves a large number of attacking hosts controlled by one or more attackers. See also DoS.
DES Data Encryption Standard. The U.S. National Bureau of Standards (now NIST) secret key block cipher that uses a 56-bit key and 64-bit blocks; its key length is now too short to resist brute-force search.
DHCP Dynamic Host Configuration Protocol. Software that automatically assigns IP addresses to client stations logging on to a TCP/IP network.
DMZ Demilitarized zone. A middle ground between an organization's trusted internal network and an untrusted, external network such as the Internet.
DNS Domain Name System. Name resolution software that lets users locate computers on a TCP/IP network by domain name.
DoS Denial of service. An assault on a network that floods it with so many additional requests that regular traffic is either slowed or completely interrupted. This attack typically has a single point of origin.
DSL Digital subscriber line. A technology that dramatically increases the digital capacity of ordinary telephone lines (the local loops) into the home or office.
egress Means "exit."
EXEC A phrase that is commonly used to refer to the interactive command processor of Cisco IOS.
Extranet A portion of an organization's network or web services opened to selected outside parties, such as customers or business partners, rather than to the general public.
firewall A device used for implementing security policies that are designed to keep a network secure from intruders.
FTP File Transfer Protocol. A protocol used to transfer files over a TCP/IP network.
FWSM Firewall Services Module.
HIDS Host-based intrusion detection system. See IDS.
HTTP Hypertext Transfer Protocol. The protocol used by web browsers and web servers to transfer files, such as text and graphic files.
HTTPS Hypertext Transfer Protocol Secure. HTTP carried over an SSL/TLS session. Using https in the URL instead of http directs the browser to the secure port (443 by default) rather than the default web port of 80, and the session is then encrypted and the server authenticated by SSL/TLS.
ICMP Internet Control Message Protocol. A TCP/IP protocol used to send error and control messages.
IDEA International Data Encryption Algorithm. A secret key cryptography method that uses a 128-bit key.
IDS Intrusion detection system. Software or a device that detects unauthorized access attempts and other attacks against a host or network and raises an alarm.
IDS sensor Monitors network traffic constantly in real time while looking for distinctive attack patterns in the traffic flow.
IEEE Institute of Electrical and Electronic Engineers.
IETF Internet Engineering Task Force. A nonmembership, open, voluntary standards organization dedicated to identifying problems and opportunities in IP data networks and proposing technical solutions to the Internet community.
IIS Internet Information Services. Microsoft's web server. Runs under the server versions of Windows NT and Windows 2000, adding full HTTP capability to the Windows operating system.
IKE Internet Key Exchange. A method for establishing a security association (SA) that authenticates users, negotiates the encryption method, and exchanges the secret key.
in-band network management Refers to the flow of management traffic that follows the same path as normal network data. See also out-of-band network management.
ingress Means "entrance."
Internet Network of computers in more than 100 countries that covers commercial, academic, and government endeavours.
intranet An in-house website that serves the employees of the enterprise.
IOS Cisco operating system software that is the primary control program used in its routers.
IP Internet Protocol. The network layer protocol in the TCP/IP communications protocol suite.
IP address spoofing An attacker inserts the IP address of an authorized user into the transmission of an unauthorized user to gain illegal access to a computer system.
IPSec IP Security. A security protocol from the IETF that provides authentication and encryption over the Internet.
IPT IP Telephony.
ISP Internet service provider.
L2 Layer 2.
L2TP Layer 2 Tunneling Protocol. A protocol from the IETF that allows a PPP session to run over the Internet or an ATM or Frame Relay network.
Layer 2 The communications layer that contains the physical address of a client or server station.
Layer 3 The communications layer that contains the logical address of a client or server station.
LDAP Lightweight Directory Access Protocol. A protocol used to access a directory listing.
MAC Media Access Control. The 48-bit hardware address burned into Ethernet and Token Ring adapters that is intended to distinguish that network card from all others (it can be changed in software, so it must not be relied on for authentication).
man-in-the-middle attack An attacker intercepts data packets crossing a network, modifies or falsifies the information in those packets, and reinjects the packets into the network without being detected.
MTA Mail transport agent.
NAS Network access server. Hardware or software that terminates remote-access connections (dial-in or VPN) at the boundary between an external and an internal network and queries an AAA server to decide whether to admit each user.
NAT Network Address Translation. An IETF standard that allows an organization to present itself to the Internet with far fewer IP addresses than there are nodes on its internal network.
NetBIOS The native networking protocol in DOS and Windows networks.
network extension mode A mode in which all devices access the corporate intranet as if they were directly connected, and hosts in the intranet may initiate connections to the hosts behind the hardware client once a tunnel is established.
network management A generic term used to describe the execution of the set of functions that help to maintain, monitor, and troubleshoot the resources of a network.
NIDS Network intrusion detection system. See IDS.
NTP Network Time Protocol. A protocol used to synchronize the real-time clock in a computer or network device; accurate, consistent time is what makes logs from different devices comparable.
OOB Out-of-band.
OSPF Open Shortest Path First. A routing protocol that determines the best path for routing IP traffic over a TCP/IP network based on distance between nodes and several quality parameters.
OTP One-time password. A password that is generated for use one time only. Once the password has been used, the system will not authenticate a user who presents that same password again, so a captured password is worthless to an attacker.
out-of-band network management Refers to the flow of management traffic that does not follow the same path as normal network data.
packet sniffer Software application that uses a network adapter card in promiscuous mode to receive all packets on the physical network wire and pass those packets up to an application.
password attack Attempt to determine the valid password to an account on a system and use it to gain access to that system.
PAT Port Address Translation. See NAT.
perimeter router The router that provides the first line of defense to an untrusted network.
perimeter security The security policy and devices used at the edge of a network to protect the internal network. The firewall is a typical example of a perimeter security device.
PIX Packet Internet Exchange.
POP Point of presence.
POP3 Post Office Protocol version 3. A standard protocol used by mail clients to retrieve messages from a mail server on the Internet; in its basic form it sends the user name and password in clear text.
port redirection An attack used to redirect traffic from a port on one host to another port, not necessarily on the same host.
PPTP Point-to-Point Tunnelling Protocol. A protocol from Microsoft that is used to create a VPN over the Internet.
proxy server An application that breaks the connection between sender and receiver; also called a "proxy" or "application level gateway."
PSTN Public Switched Telephone Network. The global voice telephone network.
public services segment A network segment, usually the DMZ, where the Internet services servers are located.
QoS Quality of service. The ability to define a level of performance in a data communications system.
RADIUS Remote Authentication Dial-In User Service. An IETF access control protocol, carried over UDP, in which a network access server forwards a user's credentials to a central server; the password is obfuscated with a shared secret, the rest of the packet is unencrypted, and the server can answer with a challenge for challenge/response authentication methods.
RCP Remote Copy Protocol. A protocol that allows users to copy files to and from a file system residing on a remote host or server.
reconnaissance attack The act of gathering information about a network in preparation for a possible attack.
RFC Request for Comments. A document that describes the specifications for a recommended technology. RFCs are used by the IETF and other standards bodies.
RFC 1918 Describes address allocation for private internetworks. Describes the use of certain IP address ranges for private networks.
RFC 2827 Describes network ingress filtering to mitigate denial of service attacks that employ IP address spoofing.
RIP Routing Information Protocol. A simple routing protocol that is part of the TCP/IP protocol suite.
RIPE Réseaux IP Européens. Group formed to coordinate and promote TCP/IP-based networks in Europe.
risk assessment A method used to quantify the level of risk inherent in a system.
rlogin Remote LOGIN. A UNIX command that allows users to remotely log on to a server in the network as if they were at a terminal directly connected to that computer.
router A device that forwards data packets from one LAN or WAN to another.
RSA Rivest-Shamir-Adleman. A public-key cryptography method, originally commercialized by RSA Data Security, Inc., that uses a two-part key. The private key is kept by the owner; the public key is published.
RSH Remote Shell. A UNIX command that enables a user to remotely log on to a server on the network and pass commands to it.
SAFE The Cisco best-practice design blueprints for securing networks. The CSI exam focuses on the SAFE SMR blueprint.
SAFE module A module within the SAFE design concept that describes a functional component of a network and its associated devices. The SAFE SMR blueprint includes the Corporate Internet module, the Campus module, and the WAN module.
script kiddie An amateur that tries to illegally intrude into a system but takes the path of least resistance.
security policy A framework definition that is used to protect the assets connected to a network.
security threat Any action or actions against a network that are not authorized or that are in defiance of the security policy.
Security Wheel A concept where network security is treated as a continuous process built around the corporate security policy.
SMB Small and medium business.
SMR Small, midsize, and remote-user.
SMTP Simple Mail Transfer Protocol. The standard e-mail protocol used on the Internet.
SNMP Simple Network Management Protocol. A widely used network monitoring and control protocol.
split-tunnel A VPN tunnel that allows only remote-site traffic that is specifically defined to traverse it; all other traffic follows the appropriate routes.
SQL Structured Query Language. Pronounced "S-Q-L" or "sequel," a language used to query and process data in a relational database.
SSH Secure Shell. Provides secure logon for Windows and UNIX clients and servers. SSH replaces Telnet, FTP, and other remote-logon utilities with an encrypted alternative.
SSL Secure Sockets Layer. The leading security protocol on the Internet. When an SSL session is started, the server sends its certificate, containing its public key, to the browser. The browser generates a random secret, encrypts it with that public key, and sends it back to the server, so that only the two of them share the session key derived from it.
string attack More precisely, a format string attack. An attack in which user-supplied input is passed as the format argument of a printf-family function, so format directives in the input let the attacker read the stack and write to arbitrary memory, permitting the execution of arbitrary code.
syslog System Log protocol. A transport mechanism for sending event messages across an IP network.
TACACS+ Terminal Access Controller Access Control System Plus. A Cisco-proprietary access control protocol, carried over TCP, that is used to authenticate a user who is logging on to a network device; it encrypts the entire packet body, not only the password, and separates authentication, authorization, and accounting.
TCP Transmission Control Protocol. The connection-oriented, reliable transport protocol of the TCP/IP suite.
TCP SYN The first packet in the three-way handshake that occurs when establishing a TCP connection between two hosts. Can also be used in a DoS attack by exhausting the resources on the target host.
TCP/IP Transmission Control Protocol/Internet Protocol. A communications protocol developed under contract from the U.S. Department of Defence to internetwork dissimilar systems.
Telnet A terminal-emulation protocol that is commonly used on the Internet and TCP/IP-based networks.
TFN Tribe Flood Network.
TFTP Trivial File Transfer Protocol. A simple UDP-based file transfer protocol that has no directory listing, authentication, or password capability, which is why it should be reachable only from the management network.
TLS Transport Layer Security. A security protocol from the IETF that standardizes and succeeds SSL.
traffic-rate limiting A filtering technique used to limit the rate of predefined traffic on a link.
Trojan horse A program that appears to be a normal application but, when executed, conducts covert actions on behalf of an attacker.
UDP User Datagram Protocol. A protocol within the TCP/IP protocol suite that is used in place of TCP when a reliable delivery is not required.
URL Uniform Resource Locator. The address that defines the route to a file on the web or any other Internet facility.
virus Small piece of mobile code that attaches to other programs or documents and can infect a user's computer when the program is executed or the document is opened.
VLAN Virtual LAN. A logical subgroup within a LAN that is created via software rather than manually moving cables in the wiring closet.
VMS VPN/Security Management Solution.
VPN Virtual Private Network. A private network that is configured within a public network to take advantage of the economies of scale and management facilities of large networks.
VPN Hardware Client Cisco VPN 3002 hardware client that is part of the Cisco VPN 3000 concentrator series of products and combines the ease of use and high-scalability features of the software client while providing the reliability and stability of a hardware platform.
VPN Software Client Cisco VPN software client that establishes secure, end-to-end encrypted (IPSec) tunnels to any Cisco VPN gateways or concentrators from a wide range of operating systems, including Microsoft Windows, Linux, and Solaris.
VPN-enabled router A Cisco VPN router that is running a version of Cisco IOS software that provides IPSec VPN capability.
VTP VLAN Trunking Protocol.
WAN module A SAFE module that provides WAN functionality.
WLAN Wireless LAN.
X.25 The first international standard packet-switching network developed in the early 1970s.