A syslog client is a host that generates log messages and forwards them to a syslog server

Syslog is the standard for logging system events. As shown in the figure, syslog implementations contain two types of systems:
- Syslog servers: also known as log hosts, these systems accept and process log messages from syslog clients.
- Syslog clients: routers or other types of Cisco equipment that generate and forward log messages to syslog servers.
Note: Performing forensics on router logs can become very difficult if your router clocks are not running the...

AAA Example: Authentication via PPP Link

Password Authentication Protocol (PAP)
- Clear text, repeated password
- Subject to eavesdropping and replay attacks
Challenge Handshake Authentication Protocol (CHAP)
- Secret password, per remote user
- Challenge (a random number) sent on the link
- Challenge can be repeated periodically to prevent session hijacking
- The CHAP response is a Message Digest 5 (MD5) hash over the challenge identifier, the shared secret, and the challenge; the secret itself never crosses the link
- Robust against sniffing and replay attacks, because each response is bound to a fresh challenge; a captured challenge/response pair can still be guessed offline against a wordlist, so the per-user secret must be strong
MS-CHAP version 1 (supported in Cisco IOS Release 11.3 and later) and version 1 or version 2...
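The CHAP exchange described above, as an added example in Python (not code from the SND course or from Cisco IOS): both sides are simulated, the peer computes its response exactly as RFC 1994 specifies, the authenticator rejects a replayed response because the challenge it answered has already been consumed, and the last step shows the caveat that a sniffed challenge/response pair can still be guessed offline. The user name rtradmin, the secret Curium2006, the challenge size and the wordlist are assumptions.

```python
"""Added example, not code from the SND course: a CHAP exchange per RFC 1994
with both sides simulated. The authenticator (router/NAS) sends a random
challenge; the peer answers with MD5(identifier || secret || challenge); the
authenticator recomputes the hash from its own copy of the per-user secret.
User name, secret and wordlist below are constructed assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Challenge:
    identifier: int   # one-byte sequence number, echoed back in the Response packet
    value: bytes      # random challenge value; it travels in the clear, which is fine


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side (RFC 1994 section 4.1): MD5 over Identifier, secret, challenge, in that order."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """Router/NAS side: one secret per remote user, one outstanding challenge per identifier."""

    def __init__(self, secrets: dict):
        self._secrets = secrets
        self._next_id = 0
        self._outstanding = {}

    def challenge(self, size: int = 16) -> Challenge:
        """Issue a fresh challenge. Calling this again mid-session is the periodic re-challenge."""
        ident = self._next_id
        self._next_id = (self._next_id + 1) & 0xFF
        self._outstanding[ident] = os.urandom(size)
        return Challenge(ident, self._outstanding[ident])

    def verify(self, name: str, identifier: int, response: bytes) -> bool:
        """Accept only a response to a challenge we issued and have not consumed yet."""
        challenge = self._outstanding.pop(identifier, None)
        secret = self._secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)   # constant-time compare


def offline_guess(identifier: int, challenge: bytes, response: bytes, wordlist):
    """What a sniffer can still do: replay fails, but a captured pair can be brute-forced offline."""
    for word in wordlist:
        if chap_response(identifier, word, challenge) == response:
            return word
    return None


def demo() -> dict:
    secret = b"Curium2006"                          # assumed per-user secret
    auth = Authenticator({"rtradmin": secret})

    c1 = auth.challenge()
    r1 = chap_response(c1.identifier, secret, c1.value)
    good = auth.verify("rtradmin", c1.identifier, r1)
    replayed = auth.verify("rtradmin", c1.identifier, r1)   # eavesdropper resends the same response

    c2 = auth.challenge()
    wrong = auth.verify("rtradmin", c2.identifier, chap_response(c2.identifier, b"guess", c2.value))

    c3 = auth.challenge()
    r3 = chap_response(c3.identifier, secret, c3.value)
    cracked = offline_guess(c3.identifier, c3.value, r3, [b"cisco", b"Curium2006", b"password"])
    return {"good": good, "replayed": replayed, "wrong": wrong, "cracked": cracked}


if __name__ == "__main__":
    print(demo())
```

The identifier byte is what lets the authenticator tie a response to one specific challenge; popping the challenge on first use is what makes the replay fail even though the bytes on the wire are identical.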

Adaptive Threat Defense

ATD is the ultimate goal of the Cisco Self-Defending Network. This topic describes the components of the ATD phase of the Cisco Self-Defending Network strategy.
Figure, ATD Products, Services, and Architecture Example: Firewall Services (Access Control, Packet Inspection); IPS and Antivirus Services (Application Intelligence, Content Inspection, Virus Mitigation); Network Intelligence (Identity, Virtualization, QoS, Segmentation, Traffic Visibility); Application Inspection, Use Enforcement, Web Control; Application...

Application Layer Attacks and Mitigation

This topic describes the mitigation of application layer attacks. Application layer attacks have these characteristics:
- Exploit well-known weaknesses, such as those in protocols, that are intrinsic
- Often use ports that are allowed through a firewall (for example, TCP...)
- Can never be completely eliminated
There are several methods of executing an application layer attack:
- Exploiting well-known weaknesses: One of the most...

Application Security and Anti-X Defense

Over the past several years, a number of new application layer network products have emerged to address classes of threats that classic firewall and NIDS products did not adequately cover: viruses and worms, e-mail-based spam and phishing, spyware, web services abuse, IP telephony abuse, and unauthorized peer-to-peer activity. Cisco has developed the next generation of packet- and content-inspection security services to deal with these types of threats and misuse....

As a step in a larger attack

The prime goal of an IP spoofing attack is to establish a connection that allows the attacker to gain root access to the host and to create a backdoor entry path into the target system. IP spoofing is a technique used to gain unauthorized access to computers whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host. The attacker learns the IP address of a trusted host and modifies the packet headers so that it appears that the...

Authenticating Remote Access

This topic describes the methods of authentication used to provide remote access to a LAN.
1. The client establishes a connection with the router.
2. The router prompts the user for a username and password.
3. The router authenticates the username and password in the local database. The user is authorized to access the network based on information in the local database.
If you have one or two NASs or routers providing access to your network for a limited number of users, you may store username...

Authenticating Router Access

It is important that you secure the interfaces of all your routers, particularly your network access servers and perimeter routers connecting to the Internet. You must configure the router to secure administrative access and remote LAN network access using aaa commands. The router access modes, port types, and AAA command elements are compared in the Router Access table. Here are the general steps required to configure a Cisco router for local...

Authentication Methods

This topic describes the various authentication methods in use in terms of the degree of security that they provide and their ease of use. The most common method of user authentication is the use of usernames and passwords. These methods range from weak to strong in authentication security. Simple authentication methods use a database of usernames and passwords, while methods that are more complex use one-time passwords (OTPs). Consider each of the methods listed in the figure from the bottom...

Better than the type 7 encryption found in the service password-encryption command

Boston(config)# username rtradmin secret 0 Curium2006
Boston(config)# username rtradmin secret 5 $1$feb0$a104Qd9UZ.Ak00KTggPD0
The first line is what the administrator types; the second is how the router stores it. Cisco routers can maintain a list of usernames and passwords for performing local login authentication. Starting with Cisco IOS Release 12.0(18)S, system administrators can choose to store a user password as a salted, one-way MD5-based hash (the username secret command, shown as type 5 in the configuration) instead of a reversible type 7 string. Hashing the password is a much better protection scheme than the standard type 7 encryption found in the service...

Change passwords often

When creating passwords for Cisco routers, always keep these rules in mind:
- Use a minimum of 10 characters.
- Passwords may include the following: a mix of uppercase and lowercase characters
- Passwords should not use dictionary words.
- Leading spaces are ignored, but any space after the first character is part of the password.
- Decide when and how often the passwords will be changed.
You may want to add your own rules to this list to make your passwords even...

Cisco SDM Overview

Cisco SDM is a web-based device management tool for Cisco IOS software-based routers. Cisco SDM is an intuitive, web-based device manager for easy and reliable deployment and management of services on Cisco IOS routers. It offers these benefits:
- Knowledge base of Cisco TAC-approved Cisco IOS configurations
- Integrated services management
Smart wizards in Cisco SDM have built-in intelligence about Cisco Technical Assistance Center (TAC)-recommended...

Cisco SDM Wizards in Configuration Mode

Carry out these tasks with smart wizards in configuration mode:
- Configure the LAN interfaces and serial interfaces with the Interfaces and Connections wizards
- Configure basic or advanced firewalls with the Firewall and ACL wizards
- Configure a secure site-to-site VPN, Cisco Easy VPN Server, Cisco Easy VPN Remote, and DMVPN with the VPN wizards
- Perform a router security audit and lock down any insecure features it finds with the Security Audit wizards
- Configure both basic and advanced NAT with the NAT wizards....

Cisco Secure ACS is an AAA system with these features

- Key component used with firewalls, dial-up access servers, and routers
- Implemented at network access points to authenticate remote or dial-in users
- Implemented at WAN extranet connections to audit activities and control authentication and authorization for business partner connections
You can leverage the Cisco Secure ACS framework to control administrator access and configuration for all network devices in your network that are enabled for RADIUS and TACACS+. Here are some of the advanced...

Closed Networks

Attacks from inside the network remain a threat. The easiest way to protect a network from an outside attack is to close it off completely from the outside world. A closed network provides connectivity only to trusted, known parties and sites; it does not allow a connection to public networks. Because there is no outside connectivity, networks designed in this way can be considered safe from outside attacks. However, internal threats still exist. The CSI in San Francisco,...

Common Threats to Physical Installations

Hardware threats, environmental threats, electrical threats, maintenance threats. There are four classes of insecure installations or physical access threats:
- Hardware threats: the threat of physical damage to the router or switch hardware
- Environmental threats: temperature extremes (too hot or too cold) or humidity extremes (too wet or too dry)
- Electrical threats: voltage spikes, insufficient supply voltage (brownouts), unconditioned power (noise), and total power loss...

Components of Network Security Design

This topic describes the factors that you need to consider when designing a network security system. Business goals and risk analysis drive the need for network security. Regardless of the security implications, business needs must come first. If your business cannot function because of security concerns, you have a problem. The security system design must accommodate the goals of the business, not hinder them. Risk analysis includes these two key elements:
- What does the cost-benefit analysis of...

Configuring AAA with Cisco SDM

AAA can also be configured and edited using Cisco SDM. After the aaa new-model command has been configured on the router using the CLI, choose Additional Tasks > AAA. The figure shows the AAA Authentication Login configuration screen. It shows the two login authentication method lists configured on the router. One is the default method list, and the other is the sdm_vpn_xauth_ml_1 method list. Both method lists use the local database to perform login authentication. This screen can be used to...

Configuring an SSH Server for Secure Management and Reporting

This topic describes the steps used to configure an SSH server for secure management and reporting. Whenever possible, you should use SSH instead of Telnet to manage your Cisco routers, because Telnet carries the login credentials and the entire session in clear text. SSH version 1 (SSHv1) is supported in Cisco IOS Release 12.1(1)T and later, while SSH version 2 (SSHv2) is supported in Cisco IOS Release 12.3(4)T and later; prefer SSHv2, since SSHv1 has known protocol weaknesses. Cisco routers configured for SSH act as SSH servers. You must provide an SSH client, such as PuTTY, OpenSSH, or Tera Term, for the administrator...

Control access to console ports

Maintenance-related threats compose a broad category that includes many items. Follow these general rules to prevent them:
- Clearly label all equipment cabling and secure the cabling to equipment racks to prevent accidental damage, disconnection, or incorrect termination.
- Use cable runs, raceways, or both to traverse rack-to-ceiling or rack-to-rack connections.
- Always follow electrostatic discharge procedures when replacing or working with internal router...

Course Goal

The goal of the SND course is for learners to be able to perform basic tasks to secure network devices at Layers 2 and 3 using both the CLI and web-based GUIs. Devices include Cisco integrated services routers and Cisco Catalyst switches. Upon completing this course, you will be able to meet these objectives:
- Develop a comprehensive network security policy to counter threats against information security
- Configure routers on the network perimeter with Cisco IOS software security features...

DoS Example

Issues commands to handlers that control agents in a mass attack.
2. The cracker installs software to scan, compromise, and infect agents with zombies.
3. Agents are loaded with remote control attack software.
This figure shows the process of a DDoS attack. In the figure, the hacker uses a terminal to scan for systems to hack. After the hacker accesses...

Defense-in-Depth Strategy

Figure labels: policies and procedures; training and awareness; system security administration; physical security; personnel security; facilities countermeasures. Hire good people. Train and reward them well. Penalize unauthorized behavior. This figure shows some of the disciplines associated with people in the defense-in-depth strategy. Achieving information assurance begins with a senior-level management commitment (typically at the chief information officer level) based on a clear understanding of the perceived...

Defense-in-Depth Strategy Focus Areas

Defend the network and infrastructure. Defend the perimeter. Defend the computing environment. Provide support. Securing information and systems against all threats requires multiple, overlapping protection approaches that address the people, technology, and operational aspects of information technology. With multiple, overlapping protection approaches, the failure or circumvention of any individual approach does not leave the system unprotected. The defense-in-depth strategy...

Developing a Security Policy Using the PDIOO Model

Developing a security policy is a major undertaking, and you should approach it in the same way as you would any major project. This topic describes the process of developing a security policy within a typical corporate environment. Figure label: Assess the Effectiveness of the Security Policy. There are many references describing the way to build an effective security policy. A good approach is to use the planning, designing, implementing, operating, and...

Developing a Security Policy Implement Phase

This topic describes the activities included in the implement phase of a security policy life cycle.
- Enforce, implement, and account for exceptions (the policy must last a long time and be understood)
- Use the chain of command to disseminate any new or changed policies
- Use e-mail and the security awareness program
- Design training to be relevant to the work responsibilities of every person using the system
- Audit internally to ensure enforceability
The...

Developing a Security Policy Operate Phase

This topic describes the activities included in the operate phase of the security policy life cycle.
- Security operations and administration: includes day-to-day operations, responses to changes, and responses to attack
- Scheduled activity to evaluate effectiveness using established procedures and follow-up
- Ongoing activity focusing on the security system and its users
During the operate phase, the system performs its work. However, during this stage,...

Developing a Security Policy Optimize Phase

This topic describes the activities included in the optimize phase of the security policy life cycle. Organizations deal with changes in features and services, new threats and vulnerabilities, an increasing need for interconnections, new user groups, and upgrades to software, hardware, and services. You should analyze changes from a security standpoint and use the PDIOO process. Complete the necessary analysis and modify as necessary. You...

Developing a Security Policy Plan Phase

This topic describes the activities included in the plan phase of a security policy life cycle. Figure labels: information security team; technical staffs. The goal of the plan phase is to assemble a team and assign tasks. An appropriate and effective security policy needs the acceptance and support of all employees in the organization. At the top, corporate management must give full support to the policy process, or the policy will have little chance of being effective. Companies should follow a formal policy...

Disable and restrict commonly configured management services

- Simple Network Management Protocol (SNMP): This service is enabled by default. The SNMP service allows the router to respond to remote SNMP queries and configuration requests. If required, restrict which SNMP systems have access to the router SNMP agent and use SNMP version 3 (SNMPv3) whenever possible, because this version offers authenticated and encrypted communication not available in earlier versions of SNMP. Disable this service when it is not required.
- HTTP or HTTP Secure (HTTPS) configuration and monitoring...

DoS Attacks

A DoS attack damages or corrupts your computer system or denies you and others access to your networks, systems, or services. DoS attack techniques commonly use IP spoofing. Yahoo was offline for several hours. E*TRADE suffered problems from a similar flood attack. Buy.com was offline for several hours. Amazon.com was offline for more than an hour. CNN was mostly unreachable for 2 hours. DoS attacks are the most publicized form of attack. They are also among the most difficult to...

Each of these commands has its own syntax and options

The figure contains a complete listing of aaa authentication commands for Cisco IOS Release 12.2 and later. The AAA Authentication Commands table describes each of these commands. To enable an AAA authentication method for AppleTalk Remote Access Protocol (ARAP) users using RADIUS or TACACS+, use the aaa authentication arap global configuration command. Use the no form of this command to disable this authentication. This command creates a...

Enables password checking at login for auxiliary line connections

Boston(config-line)# password NeverGessMeAux
Boston(config-line)# login
By default, Cisco router auxiliary ports do not require a password for remote administrative access. Administrators sometimes use this port to remotely configure and monitor the router using a dial-up modem connection. Unlike console and vty passwords, the auxiliary password is not configured during the initial configuration dialog and should be configured, as shown in the figure, using the password command in auxiliary line...

Enables password checking at login for vty Telnet sessions

Boston(config)# line vty 0 4
Boston(config-line)# login
Boston(config-line)# password ...
Cisco routers support multiple Telnet sessions (up to five simultaneous sessions by default, and more can be added), each serviced by a logical vty line. By default, Cisco routers do not have any line-level passwords configured for these vty lines. If you enable password checking, you must also configure a vty password before attempting to access the router using Telnet. If you fail to configure a vty password...

Enables secure calls from Cisco IP phones to Cisco Call Manager

The High Density Voice Network Module (NM-HDV) contains five 72-pin single inline memory module (SIMM) sockets or banks for packet PVDMs numbered 0 through 4. Each socket can be filled with a single 72-pin PVDM. The PVDMs must be installed starting from slot 0. Note: PVDM and PVDM2 modules are not interchangeable. Use PVDM modules with the NM-HDV network module only, and use PVDM2 modules with the NM-HDV2 network module only. The PVDM2 modules are used with onboard voice interface cards on the...

Encrypting Passwords Using the service password-encryption Command

Boston(config)# service password-encryption
Encrypts all clear text passwords in the router configuration file. Just like console and vty passwords, auxiliary passwords are not encrypted in the router configuration. This is why it is important to use the service password-encryption command. Note that the resulting type 7 strings are reversible: the command protects against shoulder surfing, not against anyone who obtains a copy of the configuration file. With the exception of the enable secret password, all Cisco router passwords are, by default,...

Generation of system logging messages for login detection

The Cisco IOS Login Enhancements feature allows users to better secure their Cisco IOS devices when creating a virtual connection, such as Telnet, SSH, or HTTP. Thus, users can slow down dictionary attacks and help protect their router from a possible denial of service (DoS) attack. To better configure security when opening a virtual login connection, these capabilities have been added to the login process:
- Delays between successive login attempts
- Login shutdown if DoS attacks are suspected...

Hashes the password in the router configuration file using a strong hashing algorithm based on MD5

Boston(config)# enable secret Curium2006
enable secret 5 $1$ptCj$vRErS tehv53JjaqFMzBT
If you did not use the initial configuration dialog to configure your enable secret password, you must use the enable secret command in global configuration mode as shown in the figure. The enable secret command stores a salted, one-way hash based on MD5 (designated by the number 5 in the sample configuration), which is considered irreversible by most cryptographers; the hash cannot be turned back into the password, but a weak password can still be guessed offline, and on current IOS releases the PBKDF2 (type 8) or scrypt (type 9) secret types are preferable where available. However, even this type of protection is still...
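Added example in Python, not code from the SND course or from Cisco IOS, covering the three password-storage passages on this page (the username secret example, the service password-encryption section, and the enable secret section): it reverses a type 7 string with the long-published IOS key, implements the md5crypt hash that a type 5 secret is, and audits a constructed configuration so the difference between "hidden" and "protected" is visible. The sample secrets, the salt ptCj and the wordlist are assumptions; the hashes in the sample are generated by the code, not copied from a device.

```python
"""Added example, not code from the SND course: what each Cisco IOS password
'type' really protects, run against a constructed configuration.
  type 0  clear text
  type 7  service password-encryption: XOR against a fixed, long-published
          key, so it is reversible by anyone who can read the config
  type 5  enable secret / username secret: md5crypt, $1$<salt>$<22 chars>,
          a salted one-way hash that can only be attacked by guessing
Sample secrets and the wordlist are assumptions."""
import hashlib
import re

_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(enc: str) -> str:
    """Two-digit key offset, then hex bytes; each byte XORed with the rolling key."""
    offset, data = int(enc[:2]), bytes.fromhex(enc[2:])
    return bytes(b ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)] for i, b in enumerate(data)).decode()


def type7_encode(clear: str, offset: int = 9) -> str:
    enc = bytes(ord(c) ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)] for i, c in enumerate(clear))
    return f"{offset:02d}{enc.hex().upper()}"


_ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, n: int) -> str:
    return "".join(chr(_ITOA64[(value >> (6 * k)) & 0x3F]) for k in range(n))


def md5crypt(password: str, salt: str) -> str:
    """md5crypt (the $1$ scheme), which is what an IOS type 5 secret is."""
    pw, sl = password.encode(), salt.encode()
    ctx = hashlib.md5(pw + b"$1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for i in range(len(pw)):
        ctx.update(alt[i % 16:i % 16 + 1])
    i = len(pw)
    while i:
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                                # fixed stretching loop
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order)
    return f"$1${salt}${out}{_to64(final[11], 2)}"


def type5_verify(candidate: str, stored: str) -> bool:
    return md5crypt(candidate, stored.split("$")[2]) == stored


_PW_LINE = re.compile(r"^(?:enable |username (?P<user>\S+) )?(?P<kind>secret|password)"
                      r"(?: (?P<type>[057]))? (?P<value>\S+)$")


def audit_config(config: str, wordlist=()) -> list:
    """One finding per password line: whether the clear text can be recovered, and how."""
    findings = []
    for raw in config.splitlines():
        m = _PW_LINE.match(raw.strip())
        if not m:
            continue
        ptype, value = m.group("type") or "0", m.group("value")
        if ptype == "0":
            clear, how = value, "stored in clear text"
        elif ptype == "7":
            clear, how = type7_decode(value), "type 7 reversed instantly"
        else:
            clear = next((w for w in wordlist if type5_verify(w, value)), None)
            how = "type 5 guessed from wordlist" if clear else "type 5 not recovered"
        findings.append({"line": raw.strip(), "type": int(ptype), "clear": clear, "how": how})
    return findings


# Constructed sample configuration (hashes generated here, not copied from a real device).
SAMPLE_CONFIG = "\n".join([
    "enable secret 5 " + md5crypt("Curium2006", "ptCj"),
    "enable password 7 094F471A1A0A",
    "username rtradmin secret 0 Curium2006",
    "line aux 0",
    " password 7 " + type7_encode("NeverGessMeAux"),
])


def audit_sample() -> list:
    return audit_config(SAMPLE_CONFIG, wordlist=["cisco", "lab", "Curium2006"])


if __name__ == "__main__":
    for f in audit_sample():
        print(f"type {f['type']}: {f['how']}: {f['clear']!r}  <- {f['line']}")
```

The type 5 line is only recovered because the secret was on the wordlist; the type 7 and type 0 lines are recovered unconditionally, which is the whole reason the course prefers secret over password.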

Identify vulnerabilities on the network

As legitimate tools, port scan and ping sweep applications run a series of tests against hosts and devices to identify vulnerable services needing attention. IP addressing and port or banner data from both TCP and UDP ports are examined to gather information. In an illegitimate situation, a port scan can be a series of messages sent by someone attempting to break into a computer to learn which computer network services (each service is associated with a well-known port number) the computer...

If the host cannot be seen by the hacker the hacker may launch a Trojan application such as W32QAZ to determine the

The first step is to review all the information on the host that the hacker has collected for example, files containing usernames and passwords and registry keys containing application or user passwords. (Any available documentation, including e-mails and other documents, may also be of assistance.) If this step does not succeed, the hacker may launch a Trojan horse attack. This type of attack usually means copying malicious code to the user system and giving it the same name as a frequently...

Implement integrated security into the network infrastructure

- Review network staging, implementation, ...
When your security solution design is complete, you must define the implementation and deployment activities. During the implement phase, the team uses sound security design principles and assistance provided during the plan and design phases to strengthen their ability to meet aggressive deployment schedules and to help minimize costly disruptions to the existing network infrastructure. Network security...

Information Assurance Typical Network Architecture

This figure shows a conceptual diagram of a network for a branch location within a large enterprise. The network topology aligns with the Availability and Protection of Information Triangle. Information at the bottom is available to the public and corresponds to the base of the Availability and Protection of Information Triangle. There is a demilitarized zone (DMZ) that acts as the single point of entry into the site and defends the network perimeter and external connections. The network...

Introducing the Cisco Integrated Services Router Family

This topic describes the security features of the Cisco Integrated Services Router Family. Figure, Integrated Services Router Product Portfolio: Home Office; Small Office; Small Branch; Branch; SMB or Enterprise; Large Headquarters and beyond. The Cisco 850 Series Access Routers support broadband cable and Asymmetric Digital Subscriber Line (ADSL) over analog telephone lines. Designed for very small offices, the routers provide secure WAN connectivity with optional...

Launching Cisco SDM

If you installed Cisco SDM on an administrator PC, launch it from the Microsoft Windows program menu (choose Start > Programs (All Programs) > Cisco Systems > Cisco SDM). Then provide the IP address of the LAN interface on the router, as configured previously with the Cisco SDM Express wizard, in the Cisco SDM Launcher window. If Cisco SDM is on the router flash memory, open a web browser and enter the new IP address of the LAN interface there. Follow the...

Launching Cisco SDM Express

- For a new router, in a web browser go to http://10.10.10.1
- For existing routers, go to https://<router IP address>
The first time that you access the router by web browser, you will get the Cisco SDM Express wizard. On a new router, you can access Cisco SDM Express from your PC web browser by going to http://10.10.10.1. The factory default router configuration file that comes with Cisco SDM configures the router Ethernet IP address to 10.10.10.1. If the proper files are loaded on the router flash...

Locking Down a Router with Cisco AutoSecure

Cisco AutoSecure will modify the configuration of your device. Cisco AutoSecure configuration enhances the security of the router, but it will not make it absolutely resistant to all security attacks.
Is this router connected to internet? [no]: y
Enter the number of interfaces facing internet [1]: 1
Enter the interface name that is facing internet: FastEthernet0/0
Securing Management plane services...
Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service...

Management Protocol Best Practices

- Configure SNMP with only read-only community strings
- Set up access control on the device that you wish to manage
- Encrypt syslog traffic within an IPsec tunnel
- Set up access control on the firewall
- Encrypt TFTP traffic within an IPsec tunnel
- Implement your own master clock
- Use ACLs that specify which network devices are allowed to synchronize with other network devices
Here are three recommendations for the correct use of SNMP tools: configure SNMP with only read-only community...

Microsoft Windows dial-up networking connection: Username and Password fields

An example of dial-up authentication using username and password authentication is shown in the figure. On the client end, a Microsoft Windows dial-up networking connection prompts users for their username and password. This information is sent for authentication over communication lines using TCP/IP and PPP to a remote NAS or a security server. As a matter of policy, do not allow users to check the Save Password check box. Another OTP...

Mitigating Worm Attacks

Worm attack mitigation requires diligence on the part of system and network administration staff. Coordination between system administration, network engineering, and security operations personnel is critical in responding effectively to a worm incident. There are four recommended steps for worm attack mitigation:
- Containment: Contain the spread of the worm inside your network. Compartmentalize uninfected parts of your network.
- Inoculation: Start patching all systems and,...

Navigating the Cisco SDM Interface (Cont.)

From the task panel that appears, launch wizards. Configure mode provides wizards for the novice. More experienced users are able to perform tasks in any order and outside of the wizards. Monitor mode is where the user can view the current status of the router. The Refresh button is used to resynchronize the router running configuration with Cisco SDM, because Cisco SDM does not synchronize with the router configuration automatically. The Save button is...

NTP: Many NTP servers on the Internet do not require any authentication of peers

Use Simple Network Management Protocol (SNMP) to remotely retrieve information from a network device (commonly referred to as read-only access) or to configure parameters on the device (commonly referred to as read-write access). SNMP uses passwords (called community strings) within each message as a very simple form of security. Unfortunately, most implementations of SNMP on networking devices today send the community string in clear text along with the message. Just like Telnet, anyone with a...
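To make the clear-text point concrete, an added example in Python (not code from the SND course or from any SNMP library): it builds an SNMPv1/v2c GetRequest with a minimal BER encoder and then reads the same bytes back the way a passive sniffer on UDP/161 would, pulling out the version, the community string and the requested OID. The community strings and the OIDs are assumptions; the packet is constructed in the code, not captured.

```python
"""Added example, not code from the SND course: why an SNMPv1/v2c community string
is no secret on the wire. A GetRequest is built with a minimal BER encoder (the
packet is constructed here, not captured), then the same bytes are read back the way
a sniffer would: version and community sit in the clear in the outer SEQUENCE, and
only SNMPv3 replaces that field with the msgGlobalData structure.
OID and community values are assumptions."""

SEQUENCE, INTEGER, OCTET_STRING, NULL, OID, GET_REQUEST = 0x30, 0x02, 0x04, 0x05, 0x06, 0xA0


def _tlv(tag: int, body: bytes) -> bytes:
    """BER tag-length-value for bodies up to 65535 bytes (short form below 128)."""
    if len(body) < 0x80:
        length = bytes([len(body)])
    else:
        length = b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + length + body


def _read_tlv(buf: bytes, pos: int):
    """Returns (tag, body, position after this element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long form: low bits say how many length bytes follow
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:               # base-128, high bit set on all but the last byte
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)
        out.extend(chunk)
    return bytes(out)


def decode_oid(data: bytes) -> str:
    arcs, value = [data[0] // 40, data[0] % 40], 0
    for b in data[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def snmp_get_request(community: bytes, oid: str, version: int = 0, request_id: int = 1) -> bytes:
    """version 0 = SNMPv1, 1 = SNMPv2c. The community travels as a plain OCTET STRING."""
    varbinds = _tlv(SEQUENCE, _tlv(SEQUENCE, _tlv(OID, encode_oid(oid)) + _tlv(NULL, b"")))
    pdu = _tlv(GET_REQUEST, _tlv(INTEGER, bytes([request_id])) + _tlv(INTEGER, b"\x00")
               + _tlv(INTEGER, b"\x00") + varbinds)
    return _tlv(SEQUENCE, _tlv(INTEGER, bytes([version])) + _tlv(OCTET_STRING, community) + pdu)


def sniff_community(udp_payload: bytes) -> dict:
    """What a passive observer of one UDP/161 message learns without any key."""
    tag, msg, _ = _read_tlv(udp_payload, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(msg, 0)
    version = int.from_bytes(ver, "big")
    tag2, second, pos = _read_tlv(msg, pos)
    if version == 3 or tag2 != OCTET_STRING:
        return {"version": "v3", "community": None, "pdu": None, "oid": None}
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    p = 0
    for _ in range(3):                  # skip request-id, error-status, error-index
        _, _, p = _read_tlv(pdu, p)
    _, varbind_list, _ = _read_tlv(pdu, p)
    _, varbind, _ = _read_tlv(varbind_list, 0)
    _, oid_bytes, _ = _read_tlv(varbind, 0)
    return {"version": {0: "v1", 1: "v2c"}[version], "community": second.decode(),
            "pdu": "GetRequest" if pdu_tag == GET_REQUEST else hex(pdu_tag),
            "oid": decode_oid(oid_bytes)}


if __name__ == "__main__":
    print(sniff_community(snmp_get_request(b"public", "1.3.6.1.2.1.1.5.0")))
```

Nothing in the parse step is specific to the sender: the same few lines of BER walking recover a read-write community from a SetRequest just as easily, which is why SNMPv1/v2c community strings must be treated as passwords that the network can read.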

Overview

Securing Cisco Network Devices (SND) v2.0 provides an opportunity to learn about a broad range of the components embedded in the Cisco Self-Defending Network. You learn to recognize threats and vulnerabilities to networks and learn how to implement basic mitigation measures. This subtopic lists the skills and knowledge that learners must possess to benefit fully from the course. The subtopic also includes recommended Cisco learning offerings that learners should first complete to benefit fully...

Password Attack Example

L0phtCrack can take the hashes of passwords and generate clear text passwords from them. Passwords are computed using two methods: dictionary cracking and brute-force computation. Just as with packet sniffer and IP spoofing attacks, a brute-force password attack can provide access to accounts that attackers then use to modify critical network files and services. For example, an attacker compromises your network integrity by modifying your network routing tables. This trick reroutes all network packets to the attacker before transmitting them...

Port redirectors can help bypass port filters routers and firewalls and may even be encrypted over a Secure Sockets

Back doors provide hackers with a way into the system if they are detected trying to enter through the front door, or if they want to enter the system without being detected. The most common backdoor point is a listening port that provides remote access to the system for users (hackers) who do not have, or do not want to use, access or administrative privileges. Firewalls or router filtering may prevent the hacker from later accessing these ports. However, common router filtering may not block...

Reconnaissance Attacks

Reconnaissance refers to the overall act of learning information about a target network by using readily available information and applications. Reconnaissance attacks include these attacks:
- Internet information queries
Reconnaissance is the unauthorized discovery and mapping of systems, services, or vulnerabilities. Reconnaissance is also known as information gathering, and in most cases, precedes an actual access or denial of service (DoS) attack. First, the malicious intruder typically...

Recovery and reconstitution

Respond quickly to intrusions. Restore critical services. This figure lists some of the operational focus areas associated with the defense-in-depth strategy. The operational element focuses on all of the activities required to sustain the organization's security posture on a daily basis. The operational element performs these functions:
- Maintaining a visible and up-to-date system security policy
- Certifying and accrediting changes to the information technology baseline....

Remote environmental alarming recording and monitoring

Take these actions to limit environmental damage to Cisco network devices:
- Supply the room with dependable temperature and humidity control systems. Always verify the recommended environmental parameters of the Cisco network equipment with the supplied product documentation.
- Remove any sources of electrostatic and magnetic interference in the room.
- If possible, remotely monitor and alarm the environmental parameters of the room.

RFC 3704 filtering at the perimeter router should be used to mitigate the chance of an outside attacker spoofing the

The first recommendation is to use IPsec, SSH, or SSL to encrypt management traffic to protect sensitive information such as the device configuration, passwords, and other sensitive data. Regardless of whether you use SSH, SSL, or Telnet for remote access to the managed device, you should also configure ACLs to allow only management servers to connect to the device. Deny, and log, all attempts from other IP addresses. Implement RFC 3704 filtering at the ingress router to reduce the chance...
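The two ACL decisions recommended above, as an added example in Python (not code from the SND course and not Cisco ACL syntax), modelled so they can be exercised against constructed packets: RFC 3704 ingress filtering on the Internet-facing interface, extended to the inside interface so that internal hosts cannot spoof outwards either, and a management-plane rule that admits SSH/HTTPS to the router only from the management hosts and logs every other attempt. The site prefixes, router and management addresses, interface names and port set are assumptions; the public ranges are documentation addresses.

```python
"""Added example, not code from the SND course: the two perimeter ACL decisions
the passage recommends, as checkable logic over constructed packets.
  (1) RFC 3704 ingress filtering: on the outside interface drop any packet whose
      source claims one of our own prefixes or a non-routable range; on the inside
      interface drop anything whose source is not ours (no outbound spoofing).
  (2) management-plane ACL: SSH/HTTPS to the router's own addresses only from the
      management hosts; everything else to the router is denied and logged.
Addresses, interface names and the port set are assumptions."""
import ipaddress as ip

INSIDE_PREFIXES = [ip.ip_network("10.0.0.0/8"), ip.ip_network("192.168.10.0/24")]
# Sources that should never arrive from the Internet (RFC 1918, loopback, link-local, multicast, class E).
BOGONS = [ip.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
ROUTER_ADDRS = {ip.ip_address("203.0.113.1"), ip.ip_address("10.0.0.1")}
MGMT_HOSTS = {ip.ip_address("10.0.0.50"), ip.ip_address("10.0.0.51")}
MGMT_PORTS = {22, 443}          # SSH and HTTPS; Telnet and HTTP deliberately absent


def _in_any(addr, nets) -> bool:
    return any(addr in n for n in nets)


def rfc3704_check(iface: str, src):
    """Returns None when the source is plausible for this interface, else a deny reason."""
    if iface == "outside":
        if _in_any(src, INSIDE_PREFIXES):
            return "spoofed-internal-source"
        if _in_any(src, BOGONS):
            return "bogon-source"
    elif iface == "inside" and not _in_any(src, INSIDE_PREFIXES):
        return "egress-source-not-ours"
    return None


def mgmt_plane_check(src, dst, proto: str, dport: int):
    """Only management hosts may open SSH/HTTPS to the router itself."""
    if dst not in ROUTER_ADDRS or proto != "tcp":
        return None                          # not traffic to the router's management plane
    if dport in MGMT_PORTS and src in MGMT_HOSTS:
        return None
    return "mgmt-plane-denied"


def evaluate(pkt: dict) -> dict:
    """pkt: iface, src, dst, proto, dport. Every deny produces a log line ('deny ... log')."""
    src, dst = ip.ip_address(pkt["src"]), ip.ip_address(pkt["dst"])
    reason = rfc3704_check(pkt["iface"], src) or mgmt_plane_check(src, dst, pkt["proto"], pkt["dport"])
    verdict = {"permit": reason is None, "reason": reason or "permit", "pkt": pkt}
    if reason:
        verdict["log"] = (f"deny {pkt['proto']} {pkt['src']} -> {pkt['dst']}:{pkt['dport']} "
                          f"on {pkt['iface']} ({reason})")
    return verdict


# Constructed sample traffic.
SAMPLE_PACKETS = [
    {"iface": "outside", "src": "10.0.0.50", "dst": "203.0.113.1", "proto": "tcp", "dport": 22},     # spoofed mgmt host
    {"iface": "outside", "src": "198.51.100.7", "dst": "203.0.113.1", "proto": "tcp", "dport": 22},  # Internet host to SSH
    {"iface": "outside", "src": "127.0.0.1", "dst": "203.0.113.1", "proto": "udp", "dport": 53},     # loopback source
    {"iface": "outside", "src": "198.51.100.7", "dst": "203.0.113.1", "proto": "udp", "dport": 500}, # IKE, not mgmt plane
    {"iface": "inside", "src": "10.0.0.50", "dst": "10.0.0.1", "proto": "tcp", "dport": 22},         # real mgmt host
    {"iface": "inside", "src": "10.0.0.77", "dst": "10.0.0.1", "proto": "tcp", "dport": 23},         # Telnet from a user host
    {"iface": "inside", "src": "198.51.100.9", "dst": "203.0.113.9", "proto": "tcp", "dport": 80},   # inside host spoofing out
]


def run_sample() -> list:
    return [evaluate(p)["reason"] for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        v = evaluate(p)
        print(v.get("log", f"permit {p['proto']} {p['src']} -> {p['dst']}:{p['dport']} on {p['iface']}"))
```

The order matters: the RFC 3704 check runs first so that a packet spoofing a management host's address is dropped as spoofed rather than being evaluated, and possibly permitted, by the management-plane rule.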

Secure Management and Reporting: Architectural Perspective (Cont.)

Figure labels: Protected Management Network (Behind Firewall); Stateful Packet Filtering and IPsec Termination for Management; Configuration and Content Management (SSH if Possible). Network administrators need to securely manage all devices and hosts in the network. Management includes logging and reporting information flow, including content,...

Secure Management and Reporting Architectural Perspective

Protected Management Network (Behind Firewall). In-band management. Out-of-band (OOB) management. The figure shows a management module with two network segments separated by a Cisco IOS router that acts as a firewall and a virtual private network (VPN) termination device. The segment outside the firewall connects to all the devices that require management. The segment inside the firewall contains the management hosts themselves and the Cisco IOS routers that act as terminal servers. Information...

Sets the minimum length of all Cisco IOS passwords

Boston(config)# security passwords min-length 10

Cisco IOS Release 12.3(1) and later allows administrators to set the minimum character length for all router passwords using the security passwords global configuration command. This command provides enhanced security access to the router by allowing you to specify a minimum password length (0 to 16 characters); this eliminates common passwords that are short and prevalent on most networks, such as lab and cisco. This command affects user...

Setting a Login Failure Rate

This topic describes how to secure administrative access to Cisco routers by setting a login failure rate. Authentication Failure Rate with Logging: security authentication failure rate threshold-rate log. This command configures the number of allowable unsuccessful login attempts. By default, the router allows 10 login failures before initiating a 15-second delay. This command generates a syslog message when the rate is exceeded.

Boston(config)# security authentication failure rate 10 log...
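The behaviour this command gives the router (count failed logins per source, impose the 15-second delay once the threshold is reached, and emit a log message at that moment) can be modelled in a few lines. The following is an added example, not Cisco code and not from the course; the page supplies the defaults (10 failures, 15-second delay, a syslog message), while the per-minute sliding window, the per-source bookkeeping and the message text are my assumptions.

```python
"""Model of 'security authentication failure rate <n> log' (added example, not Cisco code)."""
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Optional, Tuple


class LoginFailureRateGuard:
    """Counts failed logins per source and enforces the delay the page describes."""

    def __init__(self, threshold_rate: int = 10, window_s: float = 60.0,
                 delay_s: float = 15.0, log: bool = True) -> None:
        self.threshold_rate = threshold_rate   # page default: 10 failures
        self.window_s = window_s               # assumption: failures counted per minute
        self.delay_s = delay_s                 # page default: 15-second delay
        self.log = log                         # the trailing 'log' keyword
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._blocked_until: Dict[str, float] = {}
        self.syslog: List[str] = []            # messages the router would emit

    def _prune(self, src: str, now: float) -> None:
        """Drop failures that fell out of the sliding window."""
        q = self._failures[src]
        while q and now - q[0] > self.window_s:
            q.popleft()

    def may_attempt(self, src: str, now: float) -> bool:
        """False while the source is still inside the delay period."""
        return now >= self._blocked_until.get(src, 0.0)

    def record_failure(self, src: str, now: float) -> Optional[float]:
        """Count one failed login; return when the delay ends if the rate was exceeded."""
        self._prune(src, now)
        q = self._failures[src]
        q.append(now)
        if len(q) < self.threshold_rate:
            return None
        until = now + self.delay_s
        self._blocked_until[src] = until
        q.clear()
        if self.log:
            # Constructed message text; the real IOS mnemonic is not on the page.
            self.syslog.append(
                f"LOGIN_FAILURE_RATE_EXCEEDED: {self.threshold_rate} failures from "
                f"{src}, delaying logins for {self.delay_s:.0f}s")
        return until

    def record_success(self, src: str) -> None:
        """A successful login resets the failure count for that source."""
        self._failures.pop(src, None)


def simulate(guard: LoginFailureRateGuard,
             attempts: Iterable[Tuple[float, str, bool]]) -> int:
    """Replay (time, source, succeeded) tuples; return how many attempts were refused."""
    refused = 0
    for t, src, ok in attempts:
        if not guard.may_attempt(src, t):
            refused += 1
            continue
        if ok:
            guard.record_success(src)
        else:
            guard.record_failure(src, t)
    return refused


if __name__ == "__main__":
    g = LoginFailureRateGuard()
    # Constructed sample: ten failures in ten seconds from one source.
    for t in range(10):
        g.record_failure("192.0.2.10", float(t))
    print(g.syslog)
    print("blocked at t=20:", not g.may_attempt("192.0.2.10", 20.0))
```

The guard is keyed by source so that one noisy address does not delay everybody; the real IOS feature applies the delay to the line, which is the simpler but coarser choice.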

SNMP Security Is Not My Problem

SNMP was developed to manage nodes (servers, workstations, routers, switches, hubs, and security appliances) on an IP network. All versions of SNMP are application layer protocols that facilitate the exchange of management information between network devices. SNMP is part of the TCP/IP protocol suite. SNMP enables network administrators to manage network performance, find and solve network problems, and plan for network growth. SNMP version 1 (SNMPv1) and SNMP version 2 (SNMPv2) are based on...

Specifies that privacy should not be expected when using this system

Boston(config)# banner motd WARNING: You are connected to (hostname) on the Cisco Systems, Incorporated network. Unauthorized access and use of this network will be vigorously prosecuted.

Banner messages should be used to warn would-be intruders that they are not welcome on your network. Banners are very important, especially from a legal perspective. Intruders have been known to win court cases because they did not encounter appropriate warning messages when accessing router networks. Choosing...

Step 3 Manipulate Users to Gain Access

Social engineering techniques by telephone. Reverse social engineering techniques. Password cracking tools and techniques, aimed at Network Basic Input/Output System (NetBIOS) over TCP (TCP 139) and terminal services (TCP 3389). When the hacker knows some basic information about their target, they attempt to masquerade as authorized users. The first thing that hackers need is a password. There are two common ways to get that password: through social engineering or a brute-force attack. Our natural human...

Stores a secure copy of the primary bootset in persistent storage

IOS resilience router id FHK085031MD
IOS image resilience version 12.3 activated at 05:00:59 UTC Fri Feb 10 2006
Secure archive type is image (elf), file size is 17533860 bytes, run size is 17699528 bytes
Runnable image, entry point 0x8000F000, run from ram
IOS configuration resilience version 12.3 activated at 05:01:02 UTC Fri Feb 10 2006
Secure archive flash:.runcfg-20060210-050102.ar type is config
configuration archive size 4014 bytes

The figure shows an example of the show secure bootset...

Syslog logging is a key security policy component

Implementing a router logging facility is an important part of any network security policy. Cisco routers can log information regarding configuration changes, ACL violations, interface status, and many other types of events. Cisco routers can direct log messages to several different facilities. You should configure the router to send log messages to one or more of these items: Console. Console logging is used when modifying or testing the router while it is connected to the console. Messages sent...
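Whichever destination receives the messages, a monitoring script on the log host has to pick the Cisco message format apart (the %FACILITY-SEVERITY-MNEMONIC: text body after the timestamp) and filter on the severity the trap level allows. The parser below is an added example, not Cisco or course code; the sample lines are constructed, and the numeric severity names (0 emergencies through 7 debugging) are the standard syslog levels.

```python
"""Parse Cisco IOS syslog lines and filter them by severity (added example, not Cisco code)."""
import re
from typing import Dict, Iterable, List, Optional

# Standard syslog severity levels, as used by 'logging trap <level>'.
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# IOS message body: %FACILITY-SEVERITY-MNEMONIC: free text. Anything before the
# percent sign (sequence number, timestamp, hostname) is kept as the prefix.
_MSG_RE = re.compile(r"^(?P<prefix>.*?)%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-"
                     r"(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$")

# Constructed sample lines in the format a Cisco router emits (not real captures).
SAMPLE_LINES = [
    "*Feb 10 05:01:02.115: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.50)",
    "*Feb 10 05:03:17.440: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(4455) "
    "-> 10.1.1.5(23), 1 packet",
    "*Feb 10 05:04:00.001: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
    "*Feb 10 05:04:02.512: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, "
    "changed state to down",
    "this line has no Cisco message body and must be rejected",
]


def parse_syslog_line(line: str) -> Optional[Dict[str, object]]:
    """Return the parsed fields of one IOS message, or None if the line is not one."""
    m = _MSG_RE.match(line.strip())
    if not m:
        return None
    sev = int(m.group("severity"))
    return {
        "prefix": m.group("prefix").strip(),
        "facility": m.group("facility"),
        "severity": sev,
        "severity_name": SEVERITY_NAMES[sev],
        "mnemonic": m.group("mnemonic"),
        "text": m.group("text"),
    }


def filter_by_trap_level(lines: Iterable[str], level: int) -> List[Dict[str, object]]:
    """Keep messages at the given severity or more severe (lower number), as logging trap does."""
    kept = []
    for line in lines:
        parsed = parse_syslog_line(line)
        if parsed is not None and int(parsed["severity"]) <= level:
            kept.append(parsed)
    return kept


def count_by_severity(lines: Iterable[str]) -> Dict[str, int]:
    """Histogram of severity names; unparseable lines are counted under 'unparsed'."""
    counts: Dict[str, int] = {}
    for line in lines:
        parsed = parse_syslog_line(line)
        key = str(parsed["severity_name"]) if parsed else "unparsed"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for entry in filter_by_trap_level(SAMPLE_LINES, 4):
        print(entry["severity_name"], entry["facility"], entry["mnemonic"], entry["text"])
    print(count_by_severity(SAMPLE_LINES))
```

Note that the ACL violation in the sample (SEC-6-IPACCESSLOGP) is informational, so a host that only keeps warnings and above would never see it; the trap level on the router and the filter on the log host have to agree with what the security policy wants recorded.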

Test the updates

Periodically, the router will require updates to be loaded for either the operating system or the configuration file. These updates are necessary for one or more of these reasons: to fix known security vulnerabilities, to support new features that allow more advanced security policies, or to improve performance. Before updating, the administrator should complete these tasks: Determine the memory required for the update and, if necessary, install additional memory. Set up and test the file transfer...

The command sequence to configure views is as follows

- Step 3: parser view view-name
- Step 4: secret 5 encrypted-password
- Step 5: commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]
- Step 9: show parser view all

The role-based CLI access feature allows the network administrator to create different views of router configurations for different users. Views define what commands are accepted from different users and what configuration information is visible to them. With role-based CLI access, network...

The no version prevents console from accessing ROMMON

Boston(config)# no service password-recovery
WARNING: Executing this command will disable password recovery mechanism. Do not execute this command without another plan for password recovery.
Are you sure you want to continue? [yes/no]: yes

By default, Cisco IOS routers allow a break sequence during startup that forces the router into ROM monitor (ROMMON) mode. Once the router is in ROMMON mode, anyone can choose to enter a new secret password using the well-known Cisco password recovery procedure....

The terminal can be a dumb terminal or a PC with terminal emulation software

Configuring secure administrative access is an extremely important security task. If an unauthorized person were to gain administrative access to a router, the person could alter routing parameters, disable routing functions, or discover and gain access to other systems in the network. Strong passwords and similar secrets, such as Simple Network Management Protocol (SNMP) community strings, are the primary defense against unauthorized access to your router. The best way to handle most passwords...

The threat of IP spoofing can be reduced but not eliminated using these measures

Strong access control at the router. Additional authentication requirements. The measures listed here can reduce the threat of IP spoofing: Access control at the router. Properly configured access controls reduce the effectiveness of IP spoofing. Inbound interface: If your internal addresses are the only trusted addresses, access control lists (ACLs) should deny any traffic from the external network using an internal source address. If some external addresses are trusted, the ACL needs to block...

The whole seven-step process is repeated as the hacker continues to penetrate the network

After installing back doors and port redirectors, hackers try to attack other systems after fully hacking the local system. Recall that reverse trafficking enables hackers to bypass security mechanisms. Trojan horses help hackers execute commands undetected. If the target host enables failed login auditing or runs a third-party intrusion detection system (IDS), it will record the IP address or computer name of the host running the port redirector and not the system used by the hacker. This...

Threat Capabilities More Dangerous and Easier to

The figure illustrates how the increasing sophistication of hacking tools and the decreasing skill needed to use these tools have combined to pose increasing threats to open networks. With the development of large open networks, security threats in the past 20 years have increased significantly. Hackers have discovered more network vulnerabilities, and hacking tools have become easier to use. You can now download applications that require little or no hacking knowledge to implement....

Trust Exploitation

A hacker leverages existing trust relationships. User psmith (Pat Smith). Although it is not an attack in itself, trust exploitation refers to an individual taking advantage of a trust relationship within a network. An example of trust exploitation occurs when a perimeter network is connected to a corporate network. These two network segments often house DNS, Simple Mail Transfer Protocol (SMTP), and HTTP servers. Because these servers all reside on...

Types of access related to router security layers as follows

- Access to networks that the router serves
- Dynamic configuration and router status

Source: National Security Agency, December 2005, Router Security Configuration Guide. Typically, the network that a router serves will have a security policy, defining roles, permissions, rules of conduct, and responsibilities. The policy for a router must fit into this overall framework. For example, the network security policy might forbid administration of the router from...

Typically routers are not able to filter on the content of services such as the FTP file name

When acting as the gateway between trusted and untrusted networks, packet filters configured on a router can enforce a security policy restricting IP addresses, protocol, and ports according to the security policies of the trusted network. A filter consists of one or more rules. When the router analyzes a packet against a filter, the packet is compared to each filter rule in the order that the filter was created. If a match is found, the packet is either permitted or denied, and the rest of the...
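The two points made above, that an inbound filter should drop packets arriving on the external interface with an internal source address, and that rules are evaluated in the order written with the first match deciding, are easy to get wrong by ordering alone. The evaluator below is an added example, not Cisco or course code: it models first-match semantics with the implicit deny that a Cisco IOS ACL applies when nothing matches, builds an anti-spoofing filter in front of the permitted services, and shows what happens when the permits are placed ahead of the spoof denies. Interface names, networks and ports are constructed sample values.

```python
"""First-match packet filter with anti-spoofing rules (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str                  # interface the packet arrived on
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    iface: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None
    log: bool = False           # like the 'log' keyword on an IOS ACL entry
    note: str = ""

    def matches(self, p: Packet) -> bool:
        if self.iface != "any" and self.iface != p.iface:
            return False
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        return ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, Optional[int], List[str]]:
    """Test rules in order; the first match wins. No match means implicit deny."""
    desc = f"{p.proto} {p.src}->{p.dst}:{p.dport} on {p.iface}"
    for i, r in enumerate(rules):
        if r.matches(p):
            log = [f"rule {i} {r.action} {desc} ({r.note})"] if r.log else []
            return r.action, i, log
    return "deny", None, [f"implicit deny {desc}"]


def ingress_filter(outside: str, inside: str, internal_nets: List[str],
                   web_server: str) -> List[Rule]:
    """Anti-spoofing denies first, then the services the policy permits."""
    # Sources that must never arrive from the outside: our own networks,
    # loopback and the unspecified network.
    bogus = internal_nets + ["127.0.0.0/8", "0.0.0.0/8"]
    rules = [Rule("deny", iface=outside, src=n, log=True, note="spoofed internal source")
             for n in bogus]
    for port in (80, 443):
        rules.append(Rule("permit", iface=outside, dst=web_server, proto="tcp",
                          dport=port, note="public web server"))
    # Trusted hosts on the inside interface may originate traffic.
    rules.extend(Rule("permit", iface=inside, src=n, note="internal host") for n in internal_nets)
    return rules


def permits_first(rules: List[Rule]) -> List[Rule]:
    """Misordered variant: permits moved ahead of the denies (to show why order matters)."""
    return [r for r in rules if r.action == "permit"] + [r for r in rules if r.action == "deny"]


if __name__ == "__main__":
    acl = ingress_filter("outside", "inside", ["10.1.0.0/16"], "10.1.50.10")
    spoofed = Packet("outside", "10.1.2.3", "10.1.50.10", "tcp", 80)
    print(evaluate(acl, spoofed))               # denied by rule 0, with a log line
    print(evaluate(permits_first(acl), spoofed))  # permitted: the deny is never reached
```

The misordered variant is the failure mode to look for in a review: the broad permit to the web server matches the spoofed packet before the anti-spoofing deny is consulted, so the log entry that would have revealed the spoofing attempt is never generated either.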

Update the security policy regularly

Here are several important tips to remember when creating the security policy for a router Specify security objectives, not particular commands or mechanisms When the policy specifies the security results to be achieved, rather than a particular command or mechanism, the policy is more portable across router software versions and between different kinds of routers. In some cases, it may not be practical to identify and list all the services and protocols that the router will explicitly permit....

Use strong passwords, for example mY8Rthd8y rather than mybirthday

Password attack mitigation techniques are as follows: Do not allow users to have the same password on multiple systems. Most users use the same password for each system they access, and often personal system passwords are also the same. Disable accounts after a specific number of unsuccessful logins. This practice helps to prevent continuous password attempts. Do not use plain text passwords. Use either an OTP or encrypted password. Use strong passwords. Strong passwords are at least eight...

User student accessed host serverXYZ using Telnet for 15 minutes

AAA services provide a higher degree of scalability than the line-level and privileged EXEC authentication that you have learned so far. Unauthorized access in campus, dial-up, and Internet environments creates the potential for network intruders to gain access to sensitive network equipment and services. The Cisco AAA architecture enables systematic and scalable access security. Network and administrative access security in the Cisco environment, whether it involves campus, dial-up, or...

Using Logs to Monitor Network Security

2. Choose a level from the Select a Logging Level to View drop-down menu. 3. Monitor network security using the log entries shown in this window. (Figure: Select a Logging Level to View set to warnings; each row represents one log entry.) Cisco Router and Security Device Manager (SDM) can be used to monitor logging. The figure shows the logging screen in the Monitor > Logging window of the Cisco SDM utility. From this screen you can perform these functions: Show the logging hosts where the router logs messages...

Vulnerable Router Services and Interfaces

Disable these unnecessary services and interfaces: Disable commonly configured management services. Disable ICMP unreachable notifications. Ensure terminal access security. Disable gratuitous and proxy ARP. Disable IP-directed broadcast. Cisco routers support many network services that may not be required in certain enterprise networks. The services listed in the figure have been chosen for their vulnerability to malicious exploitation. These are the router services most likely to be used in network...

What Does a Security Policy Do and Who Uses It

This topic describes the essential functions of a security policy. A comprehensive security policy fulfills these essential functions: Protects people and information. Sets the rules for expected behavior by users, system administrators, management, and security personnel. Authorizes security personnel to monitor, probe, and investigate. Defines and authorizes the consequences of violations....

What Makes a Good Security Policy

After you put your security policy in place, its effectiveness and efficiency will soon become obvious. This topic describes the general characteristics of an effective security policy. The characteristics of an effective and efficient policy: Defines roles and responsibilities. Documented, distributed, and communicated. An Effective Security Policy for SPAN Engineering. A good security policy must be effective and efficient. An effective policy does what it is intended to do. An efficient policy...

Why Do You Need a Security Policy

This topic explains the goals of a security policy. Safeguards protect the confidentiality, integrity, and availability of your network. Critical processes, data, or information systems. Anything that will bring your business to a halt. Every organization has something that someone else wants. Someone may want that something for themselves, or they may want the...

You do not have to know how these services can be used by attackers but you do need to know how and when to disable them

Leaving unused network services enabled increases the possibility of malicious exploitation of those services. Turning off or restricting access to unused services greatly improves network security. While it is not required that you explain why many of these services pose the vulnerabilities they do, you do need to know how and when they need to be disabled. 2-116 Securing Cisco Network Devices (SND) v2.0 2006 Cisco Systems, Inc. This topic explains the vulnerabilities posed by commonly...

These Cisco Auto Secure features are implemented differently in Cisco SDM

Cisco SDM will disable SNMP but will not configure SNMPv3. Cisco SDM will enable and configure SSH on crypto Cisco IOS images, but will not enable Service Control Point or disable other access and file transfer services, such as FTP. Not all the features of Cisco AutoSecure are implemented in Cisco SDM. As of Cisco SDM Version 2.2a, these Cisco AutoSecure features are not part of the Cisco SDM One-Step Lockdown: Disabling NTP. Based on input, Cisco AutoSecure will disable NTP if it is not necessary....

Is there a change management policy or plan in place

When in-band management of a device is required, you should consider these questions: What management protocols does the device support? Devices with IPsec should be managed by simply creating a tunnel from the management network to the device. This setup allows many insecure management protocols to flow over a single encrypted tunnel. When IPsec is not possible because it is not supported on a device, other, less secure options must be chosen. For configuration of the device, SSH or Secure...

Anatomy of a Worm Attack

The anatomy of a worm attack is as follows: The enabling vulnerability. A worm installs itself on a vulnerable system. Propagation mechanism. After gaining access to devices, a worm replicates and selects new targets. Payload. After the worm infects the device, the attacker has access to the host, often as a privileged user. Attackers use a local exploit to escalate their privilege level to the administrator level.

Troubleshooting AAA for Cisco Routers

This topic explains how to troubleshoot AAA on a Cisco peripheral router using debug aaa commands. Use these debug commands on your routers to trace AAA packets and monitor authentication, authorization, or accounting activities The debug aaa authentication command displays debugging messages on authentication functions. The debug aaa authorization command displays debugging messages on authorization functions. The debug aaa accounting command displays debugging messages on accounting...

Cisco Integrated Security Portfolio

This topic describes the positioning of the Cisco integrated security portfolio. Cisco SOHO 90, Cisco 800, Cisco 1700, Cisco 2600, Cisco 3600, Cisco 3700, and Cisco 7xxx Series Routers. Intrusion Detection and Prevention Systems. Cisco PIX 500 Series Security Appliances. Cisco ASA 5500 Series Adaptive Security Appliances. Cisco...

Setting Multiple Privilege Levels

This topic describes how to secure administrative access to Cisco routers by setting multiple privilege levels. privilege mode {level level command | reset command}. Level 0 is predefined for user-level access privileges. Levels 1 to 14 may be customized for user-level privileges. Level 15 is predefined for enable mode (enable command).

Boston(config)# privilege exec level 2 ping
Boston(config)# enable secret level 2 Patriot2006

Cisco routers enable you to configure various privilege levels for your...

Cisco Career Certifications Cisco Certified Security Professional

Expand Your Professional Options and Advance Your Career. Professional-level recognition in network security. Recommended Training Through Cisco Learning Partners: Securing Networks with PIX and ASA (SNPA); Implementing Cisco Intrusion Prevention Systems (IPS). You are encouraged to join the Cisco Certification Community, a discussion forum open to anyone holding a valid Cisco Career Certification (such as Cisco CCIE, CCNA, CCDA, CCNP, CCDP, CCIP, CCVP, or CCSP). It provides a gathering...

Developing a Security Policy Design Phase

This topic describes the activities included in the design phase of a security policy life cycle. What level of risk does each threat present to each asset? What policies are needed to protect our assets? Design activities include these steps: Identify the assets that you are trying to protect. Identify the threats to those assets. Assess the level of risk to each asset. Determine who needs to use each asset. Draft appropriate security policies....

Security posture assessment analysis and documentation

By assessing all aspects of the networked business environment, it is possible to determine the ability of the organization to detect, defend against, and respond to network attacks. These are the key activities Security posture assessment The first step in planning network security requires an evaluation of the network security posture of the organization. The security posture assessment provides a snapshot of the security state of the network by conducting a thorough assessment of the network...

Building a Cisco Self Defending Network

This topic describes how to build a Cisco Self-Defending Network in three evolving phases. Cisco Self-Defending Network Strategy The Cisco defense-in-depth strategy improves the ability of the network to identify, prevent, and adapt to threats. VPN solutions including VPN concentrators, VPN-enabled routers, and firewall VPNs Appliance and Cisco IOS-based firewalls Cisco intrusion detection and prevention systems NAC, Cisco Secure ACS, and 802.1x technology Cisco integrated network security...

Keep keys for encrypted information secure and available

Every system eventually reaches its end of life, and components within the system break down or simply wear out. The disposal phase of the system life cycle involves the state of information, hardware, and software no longer required or of use. Activities include moving, archiving, discarding or destroying information, and sanitizing the media. Disposal activities must meet all applicable regulations and directives. The disposal phase of the network life cycle involves the state of information,...

How Routers Enforce Perimeter Security Policy

Routers are used to secure the perimeter of networks. Three typical methods are as follows In scenario 1, the router protects the LAN. In scenario 2, the router provides defense in depth by screening traffic before a firewall. In scenario 3, the zone between R1 and R2 is called a DMZ. Servers that must be accessible from the Internet can be put here. A router provides a capability to help secure the perimeter of a protected network. It is a device where security action, based on the security...

Module Self Check

Use the questions here to review what you learned in this module. The correct answers and solutions are in the Module Self-Check Answer Key. Q1) What is the main threat to a closed network? (Source: Understanding the Requirement for a Network Security Policy) A) a deliberate attack from outside B) a deliberate or accidental attack from inside Q2) Which two factors have recently influenced the increase in threats from hackers? (Choose two.) (Source: Understanding the Requirement for a Network...

Enabling Syslog Logging With Cisco SDM

Configure > Additional Tasks > Router Properties > Logging > Edit. The procedure to enable syslog logging on your router using Cisco SDM is shown in the figure. Enter an IP address of a logging host. Enter a value in the Community String field. The procedure to enable SNMP, set SNMP community strings, and enter SNMP trap manager information...