Network Bulls
www.networkbulls.com
Cisco’s Security Device Manager (SDM) provides a way to configure a router graphically, either through the
router’s own web interface or through the SDM application installed on a workstation. SDM includes a number
of wizards that configure the router for particular functions without requiring deep IOS knowledge.
Before SDM can be used, the router itself has to be prepared for it. There are two ways to use SDM, but both
require the same commands to enable it on the router.
router(config)#ip http server
router(config)#ip http secure-server
router(config)#ip http authentication local
router(config)#username name privilege 15 secret password
The first two commands enable the HTTP server and its HTTPS counterpart (“secure-server”). The third tells the
router to authenticate web sessions against its local user database, and the fourth creates the privilege-15
local user that SDM will log in as. Because these commands open a management service on the router, restrict
who can reach it (for example with an access list applied through ip http access-class) and prefer the HTTPS
listener over plain HTTP once SDM is working.
After this there are two different ways to install SDM: either locally on the router flash, or through an
installer on the user’s computer. Many newer routers come with SDM preinstalled, and it can be added to older
routers that support it.
Security Audit
One of SDM’s main security features is Security Audit, which can be run in one of two modes: One-Step
Lockdown and the Security Audit Wizard. One-Step Lockdown applies a fixed set of hardening changes to the
router, based on a list of common security threats, without asking. The Security Audit Wizard instead compares
the running configuration against that list, reports each item it finds, and lets you choose which ones to
fix. Either way, review the resulting configuration afterwards: an automated lockdown can disable services
that the network actually relies on.
Figure 1 - One-Step Lockdown
Securing Passwords
One of the most basic steps in securing a Cisco router is setting passwords. There are a number of
different password types which are configurable on a router:
Enable Password
Enable Secret Password
Line Passwords
Console Password
Auxiliary Password
vty Password
Local User Passwords
Enable Password
“Enable Password” is checked when a user runs the enable command to enter privileged EXEC mode, the mode from
which the router is configured.
router(config)#enable password password
Enable Secret Password
“Enable Secret Password” is also checked when entering privileged EXEC mode, and when both are configured the
secret is the one the router uses. The difference between the two is how the password is stored in the router’s
configuration. “Enable Password” is stored in one of two ways: in clear text, or with the Cisco-proprietary
Type 7 scheme if service password-encryption is turned on. The problem with Type 7 is that it is trivially
reversible by anyone who can read the configuration, so it is not secure. “Enable Secret Password” is stored
as a salted MD5 hash (shown as Type 5 in the configuration), which cannot be reversed; it can still be guessed
offline by brute force, so the passphrase itself must be strong. Newer IOS releases also allow a stronger hash
to be selected with enable algorithm-type (sha256 or scrypt).
router(config)#enable secret password
Line Passwords
Line passwords secure specific entry points into the router. The three main types are the console, auxiliary,
and vty passwords. The console password protects the console port, the auxiliary password protects the
auxiliary port, and the vty password protects the virtual terminal lines used by Telnet and SSH sessions. The
two commands below are entered under the relevant line (line console 0, line aux 0, or line vty 0 4, for
example): login makes the router prompt for the line password, and password sets it. Note that SSH requires a
username, so the vty lines should use login local (or AAA) rather than a shared line password for SSH access.
router(config-line)#login
router(config-line)#password password
Local User Passwords
“Local User Password” is used when individual users are set up on the router. As with the enable password, a
user’s credential can be stored as a clear-text password, as a reversible Type 7 password (when service
password-encryption is on), or, with the secret keyword, as a salted MD5 hash. Use the secret form.
router(config)#username username password password
router(config)#username username secret password
Password Recovery
An important part of being familiar with passwords is knowing how to recover them. Password recovery is
possible on most Cisco equipment for anyone with physical access to the console, so the recovery procedure
should be treated as a known attack path. If a router is going to be deployed in a location that is not
physically secure, this ability can be disabled in the configuration. Note, however, that with password
recovery disabled, a lost password means the only way back into the router wipes its configuration: the
configuration cannot be recovered from the router, so a copy must be stored elsewhere.
router(config)#no service password-recovery
Configuring Cisco Password Encryption
As described above, the passwords in the configuration can be masked with the Cisco-proprietary Type 7
scheme. This is off by default (passwords are stored in clear text) and is turned on with the command below.
It only hides passwords from a casual look at the screen or a printout; the encoding is easily reversible, so
it is no substitute for enable secret and username ... secret.
router(config)#service password-encryption
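To make the reversibility that the Enable Secret and Password Encryption sections describe concrete, here is an added example (written for this page, not code from Cisco or from the original article) that implements the Type 7 scheme IOS uses for enable password, line passwords and username passwords under service password-encryption. The key is the fixed string every IOS device uses; the configuration excerpt is constructed for the example, and recover_type7_from_config is a helper name chosen here.

```python
"""Cisco IOS Type 7 password storage: a fixed-key XOR, so anyone who can read
the configuration can recover the plaintext.  Added example, not IOS code."""
import re

# The fixed key every IOS device uses for Type 7 storage.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Matches "password 7 <hex>", "secret 7 <hex>" and "key 7 <hex>" in a config.
_TYPE7_RE = re.compile(r"\b(?:password|secret|key)\s+7\s+([0-9A-Fa-f]{4,})")


def type7_encode(plaintext: str, seed: int = 0) -> str:
    """Produce the value IOS stores after 'password 7'.

    The first two characters are the decimal seed, an offset into the key;
    each following hex pair is one plaintext byte XORed with the next key
    byte.  IOS itself picks seeds in the range 0-15.
    """
    if not 0 <= seed < len(_TYPE7_KEY):
        raise ValueError("seed must index into the key")
    out = [f"{seed:02d}"]
    for i, byte in enumerate(plaintext.encode()):
        out.append(f"{byte ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]:02X}")
    return "".join(out)


def type7_decode(encoded: str) -> str:
    """Recover the plaintext from a 'password 7' value (the exact inverse)."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed Type 7 value")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]
                  for i, b in enumerate(body))
    return plain.decode()


def recover_type7_from_config(config: str) -> list:
    """Return (config line, recovered plaintext) for every Type 7 value found."""
    hits = []
    for line in config.splitlines():
        m = _TYPE7_RE.search(line)
        if m:
            hits.append((line.strip(), type7_decode(m.group(1))))
    return hits


# Constructed configuration excerpt (not from a real device) holding three
# Type 7 values of the kind 'service password-encryption' leaves behind.
SAMPLE_CONFIG = """\
service password-encryption
enable password 7 0822455D0A16
username admin privilege 15 password 7 020700560208
line vty 0 4
 password 7 141B171F01012325
 login
"""

if __name__ == "__main__":
    for line, plain in recover_type7_from_config(SAMPLE_CONFIG):
        print(f"{line!r} -> {plain!r}")
    # Round trip: encoding with the same seed reproduces the stored value.
    assert type7_encode("cisco", 8) == "0822455D0A16"
```

Running it prints the three recovered passwords (cisco, admin, letmein). Nothing secret is involved in the decoding, which is the whole point: a leaked show running-config or a configuration backup on a file share hands over every Type 7 password, while a Type 5 secret would still have to be cracked.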
Configuring Miscellaneous Password Parameters
There are a number of parameters that affect password behaviour. The first one shown below sets the minimum
length the router will accept for new passwords (note the plural keyword passwords in the command).
router(config)#security passwords min-length length
The second sets how many failed login attempts are allowed before the router imposes a 15-second delay; the
log keyword writes a syslog message when the threshold is reached. By default, the threshold is 10 attempts.
router(config)#security authentication failure rate rate log
The third sets the inactivity timer for a line. It is entered under the line (console, aux or vty) and logs
the user out when the timer expires. By default it is 10 minutes. Setting it to 0 0 disables the timer
altogether, which leaves abandoned sessions open indefinitely.
router(config-line)#exec-timeout minutes seconds
Privilege Levels
By default, a user who runs the enable command gets privilege level 15 and can use every command on the
router, while a user who has only logged in to a line sits at level 1. If finer granularity is required, it
is possible to set up intermediate privilege levels (2 to 14), so that certain commands are available and
others remain restricted. The following two commands move a command to a given level and set the secret that
enable level prompts for. Note that a command assigned to a level is also available to every higher level.
router(config)#privilege exec level level command
router(config)#enable secret level level password
Role-Based CLI
Another way to configure multiple levels of access is Role-Based CLI Access, which uses “views”. Setting it up
requires a few commands. The first two enable Authentication, Authorization and Accounting (AAA), which views
depend on, and enter the root view, which is the one senior administrators use and the only one from which
other views can be created (the router prompts for the enable secret).
router(config)#aaa new-model
router#enable view
The next commands create a custom view and give it its own password.
router(config)#parser view view-name
router(config-view)#secret password
At this point you can specify which commands the view may run, or is forbidden from running.
router(config-view)#commands parser-mode {include | include-exclusive | exclude} [all] command
Securing IOS Images and Configuration Files
Cisco calls the router’s IOS image and its configuration the bootset, and the Cisco IOS Resilient
Configuration feature keeps a secured copy of each that cannot be deleted or altered from the CLI, even by a
privileged user. The feature can only be disabled from a console session, not from a remote login. The
following commands enable it:
router(config)#secure boot-image
router(config)#secure boot-config
The secured image is hidden from the IOS dir listing; it can be restored by booting into ROMmon, locating it
with dir, and loading it with the boot command. show secure bootset reports what has been archived. The
secured configuration can be restored with the following command:
router(config)#secure boot-config restore restore-filename
Login Banner
Implementing a legally worded login banner is recommended for a secured device. It should be drafted with your
legal department and warn that unauthorized access is prohibited and that activity may be monitored. It should
not, however, contain anything that identifies the company, the device or its role, and it should avoid wording
such as “welcome” that could be read as an invitation. The banner is configured with the following command,
where the delimiter is any character that does not appear in the message:
router(config)#banner motd delimiter message delimiter