- Basic Router Security -



Similar documents
8 steps to protect your Cisco router

The Cisco IOS Firewall feature set is supported on the following platforms: Cisco 2600 series Cisco 3600 series

Security Audit CHAPTER21. Perform Security Audit

Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials.

Configuring a Router

Cisco IOS Switch Security Configuration Guide

Table of Contents. Configuring IP Access Lists

How To Secure Network Threads, Network Security, And The Universal Security Model

Center for Internet Security Gold Standard Benchmark for Cisco IOS

Applicazioni Telematiche

LAB II: Securing The Data Path and Routing Infrastructure

LAB THREE STATIC ROUTING

Leased Line PPP Connections Between IOS and HP Routers

Lab Introductory Lab 1 Getting Started and Building Start.txt

3.1 Connecting to a Router and Basic Configuration

Configuring the MNLB Forwarding Agent

- The PIX OS Command-Line Interface -

Lab Introductory Lab 1 - Getting Started and Building Start.txt

Cisco Router Configuration Basics. Scalable Infrastructure Workshop

- Advanced IOS Functions -

PT Activity: Configure Cisco Routers for Syslog, NTP, and SSH Operations

The Trivial Cisco IP Phones Compromise

Teldat Router. ARP Proxy

Objectives. Router as a Computer. Router components and their functions. Router components and their functions

GLBP - Gateway Load Balancing Protocol

PT Activity 8.1.2: Network Discovery and Documentation Topology Diagram

Chapter 8 Lab B: Configuring a Remote Access VPN Server and Client

Connect the Host to attach to Fast Ethernet switch port Fa0/2. Configure the host as shown in the topology diagram above.

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding

FIREWALLS & CBAC. philip.heimer@hh.se

Firewall Firewall August, 2003

Virtual Fragmentation Reassembly

Basic Software Configuration Using the Cisco IOS Command-Line Interface

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Cisco Configuring Commonly Used IP ACLs

Innominate mguard Version 6

IP Routing Features. Contents

Internet Infrastructure Security Technology Details. Merike Kaeo

Configuring the Content Routing Software

Firewall Authentication Proxy for FTP and Telnet Sessions

Chapter 4 Managing Your Network

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Looking for Trouble: ICMP and IP Statistics to Watch

Output Interpreter. SHOW RUNNING-CONFIG SECURITY Analysis SHOW RUNNING-CONFIG - FW Analysis. Back to top

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

Basics of Internet Security

Procedure: You can find the problem sheet on Drive D: of the lab PCs. 1. IP address for this host computer 2. Subnet mask 3. Default gateway address

Cisco Secure PIX Firewall with Two Routers Configuration Example

General Network Security

IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT

Firewall VPN Router. Quick Installation Guide M73-APO09-380

ProCurve Networking. Hardening ProCurve Switches. Technical White Paper

A typical router setup between WebSAMS and ITEd network is shown below for reference. DSU. Router

ccna question and answers

Chapter 4: Lab A: Configuring CBAC and Zone-Based Firewalls

NetFlow Subinterface Support

Layer 3 Redundancy with HSRP By Sunset Learning Instructor Andrew Stibbards

Cisco Routers and Switches

How To Understand and Configure Your Network for IntraVUE

Network Security Checklist - Cisco Infrastructure Router. Version 7, Release November 2007

HOW TO CONFIGURE CISCO FIREWALL PART I

Multi-Homing Dual WAN Firewall Router

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet

Skills Assessment Student Training Exam

Objectives. Background. Required Resources. CCNA Security

Configuring a Leased Line

Transport and Network Layer

APNIC Members Training Course Security workshop. 2-4 July, Port Vila Vanuatu. In conjunction with PACNOG 4

How To Configure A Cisco Router With A Cio Router

Configuring Devices for Use with Cisco Configuration Professional (CCP) 2.5

CHAPTER 3 STATIC ROUTING

Savvius Insight Initial Configuration

LUCOM GmbH * Ansbacher Str. 2a * Zirndorf * Tel / * Fax / *

Using LiveAction with Cisco Secure ACS (TACACS+ Server)

CMPT 471 Networking II

Device Log Export ENGLISH

Enabling Remote Access to the ACE

Device Interface IP Address Subnet Mask Default Gateway

IP Filter/Firewall Setup

Configure a Microsoft Windows Workstation Internal IP Stateful Firewall

Basic Network Configuration

Lab Review of Basic Router Configuration with RIP. Objective. Background / Preparation. General Configuration Tips

Basic Configuration of the Cisco Series Internet Router

Introduction to Cisco router configuration

Securing Networks with PIX and ASA

Lab Configuring Access Policies and DMZ Settings

SY system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

Routing Protocols and Concepts Chapter 2 Conceitos de protocolos de Encaminhamento Cap 2

Linux Network Security

Network Security. Dr. Ihsan Ullah. Department of Computer Science & IT University of Balochistan, Quetta Pakistan. April 23, 2015

Lab Configure Basic AP Security through IOS CLI

Chapter 6 Configuring IP

Borderware Firewall Server Version 7.1. VPN Authentication Configuration Guide. Copyright 2005 CRYPTOCard Corporation All Rights Reserved

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

co Characterizing and Tracing Packet Floods Using Cisco R

Unix System Administration

Transcription:

1 Enable Passwords - Basic Router Security - The enable password protects a router s Privileged mode. This password can be set or changed from Global Configuration mode: Router(config)# enable password MYPASSWORD Router(config)# enable secret MYPASSWORD2 The enable password command sets an unencrypted password intended for legacy systems that do not support encryption. It is no longer widely used. The enable secret command sets an MD5-hashed password, and thus is far more secure. The enable password and enable secret passwords cannot be identical. The router will not accept identical passwords for these two commands. Line Passwords and Configuration Passwords can additionally be configured on router lines, such as telnet (vty), console, and auxiliary ports. To change the password for a console port and all telnet ports: Router(config)# line console 0 Router(config-line)# login Router(config-line)# password cisco1234 Router(config)# line vty 0 4 Router(config-line)# login Router(config-line)# password cisco1234 Router(config-line)# exec-timeout 0 0 Router(config-line)# logging synchronous Router(config-line)# exec-timeout 0 0 Router(config-line)# logging synchronous The exec-timeout 0 0 command is optional, and disables the automatic timeout of your connection. The two zeroes represent the timeout value in minutes and seconds, respectively. Thus, to set a timeout for 2 minutes and 30 seconds: Router(config-line)# exec-timeout 2 30 The logging synchronous command is also optional, and prevents system messages from interrupting your command prompt. By default, line passwords are stored in clear-text in configuration files. To ensure these passwords are encrypted in all configuration files: Router(config)# service password encryption

2 Disabling Unnecessary Services Cisco IOS devices support many services that may pose a risk to the network. These services, if unneeded, should be disabled. Additionally, any interfaces that are not being used should be disabled using the shutdown command: Router(config)# interface ethernet0 Router(config-if)# shutdown BOOTP can be used by Cisco devices to load copies of the IOS to other Cisco devices, and is enabled by default. To disable this service: Router(config)# no ip bootp server CDP (Cisco Discovery Protocol) allows Cisco devices to discover information about other directly connected Cisco devices, and is enabled by default. CDP can be disabled either globally or on a per-interface level: Router(config)# no cdp run Router(config)# interface ethernet0 Router(config-if)# no cdp enable Cisco devices can load their startup-configuration files from a remote FTP server, though this service is disabled by default. Either of the following commands will prevent the router from doing this: Router(config)# no boot network Router(config)# no service config If a device name or unrecognized command is typed into the IOS command line, the IOS will attempt to resolve the name using DNS. By default, the IOS will broadcast (255.255.255.255) this request. To specify a specific DNS server for name resolution: Router(config)# ip name-server 192.168.1.1 DNS name resolution can be disabled if necessary: Router(config)# no ip domain-lookup

3 Disabling Unnecessary Services (continued) Cisco routers, as of IOS 11.3, can function as an FTP server. This can be useful to copy configuration files back and forth from your router. However, this could also allow an unauthorized person to gain access to the router file system. This service is disabled by default as of IOS 12.3. To manually disable this service: Router(config)# no ftp-server write-enable Earlier version of the IOS may use the following syntax: Router(config)# no ftp-server enable To disable the TFTP equivalent: Router(config)# no tftp-server flash The Finger service allows someone to query what users are logged into a device, and is enabled by default. This is the same information displayed when the show users command is inputted. To disable the finger service: Router(config)# no ip finger Router(config)# no service finger The Cisco IOS now supports a basic HTTP management interface. However, access to this interface should be regulated. If the HTTP interface is unnecessary, disable it using the following command: Router(config)# no ip http server A Cisco device can respond to an ICMP Mask Request, providing the requestor with the subnet mask of an interface, though this is disabled by default. To manually disable: Router(config)# interface Ethernet 0 Router(config-if)# no ip mask-reply Source Routing allows a sending device to dictate the exact routing path to a destination, a function which can be exploited by a malicious user. Source Routing is enabled by default. To manually disable: Router(config)# no ip source-route

4 Disabling Unnecessary Services (continued) By default, Cisco devices will respond to ICMP Unreachable Messages, informing the requestor which IP addresses are reachable (or not). These messages should be disabled to deny a malicious user potentially compromising information: Router(config)# interface serial 0 Router(config-if)# no ip unreachable Network Time Protocol (NTP) can be used to synchronize the time on all Cisco devices to a central time source. A router can function as either an NTP client or server. Useful as this is, NTP has recognized security flaws and can be compromised. NTP authentication can (and should) be utilized (explained in a different section). To completely disable NTP on an interface: Router(config)# interface ethernet 0 Router(config-if)# ntp disable Proxy ARP allows for resolution of Layer 2 addresses across multiple interfaces of a router. Essentially, devices in separate IP subnets can act as if they are on the same physical segment. This should NOT be enabled on any interface connecting to an untrusted network, as it could allow someone to spoof the MAC of a trusted host. Proxy ARP is enabled by default on all interfaces (.bastards!). Router(config)# interface ethernet 0 Router(config-if)# no ip proxy-arp Cisco devices support various UDP and TCP Small Servers, including: Echo echoes what you type to screen Discard discards whatever is typed Chargen generates a stream of ASCII data Daytime displays system date and time These services were enabled by default up until IOS 11.3, and now are disabled by default. All of the Small Servers were susceptible to DOS attacks, and thus should be disabled: Router(config)# no service tcp-small-servers Router(config)# no service udp-small-servers

5 ICMP Redirects Cisco devices support ICMP Redirects, which are enabled by default. An ICMP redirect is sent from a router, to a particular host, telling that host about a better route to a particular destination. 192.168.3.0/24 Router A Router B Host A Consider the above example, and assume that the Host points to Router A as its default gateway. When the Host sends a packet destined to 192.168.3.0, it will forward it first to Router A, which then forwards it out the same interface again to Router B. If ICMP Redirects are enabled, Router A will inform the Host that Router B is the best next hop to the destination. The Host will add this to its local routing table, and send any subsequent packets destined for the 192.168.3.0 network directly to Router B. This service could potentially be exploited by a malicious hacker. To disable ICMP Redirects: Router(config)# interface serial 0 Router(config-if)# no ip redirect (Reference: http://www.cisco.com/en/us/tech/tk365/technologies_tech_note09186a0080094702.shtml)

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information