Time flies when you are having fun… and sometimes when you are not.

It has been 9 days since I have been able to study, as house prep for the sale of our house is taking longer than we had expected and the search for a new position continues on. Now I just have to make sure that I don’t get distracted by all the goings-on and try to meet my target date of August 30th for this test.

Section 33: Cisco Device Security

  • Line Level Security
    • No security on the device when received from the factory
    • Access through a console cable, no password required
    • The first task should be to set security for only authorized admins
    • IOS Command Hierarchy
      • hostname> – User Exec mode
      • hostname# – privileged Exec mode (Enable mode)
      • hostname(config)# – Global Config mode (Configure Terminal)
      • hostname(config-if)# – Interface Config mode 
    • Basic Line Level Security
      • Console line – console cable access to User Exec mode
        • Access to only one person at a time
        • Command
          • (config)#line console 0
          • (config-line)#password [password]
          • (config-line)#login
      • Virtual terminal (VTY) line – Telnet or SSH (Secure Shell) access to User Exec mode
        • Not accepted by default
        • IP address and VTY line access must be configured
        • Used to connect to the device over an IP connection
        • Command
          • Setup 
            • (config)#line vty 0 15
            • (config-line)#password [password]
            • (config-line)#login
        • Notes:
          • Multiple connections allowed at once
          • First come, first served
    • Privileged Exec Mode – Accessed through the User Exec mode
      • Notes:
        • Passwords can be different for each level
    • Exec Timeout
      • The default time is 10 minutes
      • Command
        • Turn off
          • (config-line)#no exec-timeout
          • (config-line)#exec-timeout 0
        • Set time-out
          • (config)#line con 0
          • (config-line)#exec-timeout 15
          • (config)#line vty 0 15
          • (config-line)#exec-timeout 5 30
            • the first number is minutes, the second number is seconds
        • Restrict access based on an access-list
          • (config)#line vty 0 15
          • (config-line)#login
          • (config-line)#password [password]
          • (config-line)#access-class 1 in
  • Privileged Exec and Password Encryption
    • Enter ‘enable’ at User Exec mode to enter privileged Exec mode
    • Password is stored in plain text by default
      • Use the ‘enable secret’ command and not ‘enable password’
      • If both ‘enable password’ and ‘enable secret’ are configured, only ‘enable secret’ is used
      • You can use the same password for both, but the system will ask for the password to be entered twice
      • Use the service password-encryption command to encrypt all passwords in the config, including the VTY passwords
    • Command
      • Set enable password
        • (config)#enable password [password]
      • Set encrypted password
        • (config)#enable secret [password] 
      • Set all passwords in the config to be encrypted
        • (config)#service password-encryption
  • Usernames and Privilege Levels
    • With line level security all admins log in with the same password
    • Username Level Security
      • Command
        • (config)#username admin1 secret [password]
        • (config)#username admin2 secret [password]
        • (config)#line console 0
        • (config-line)#login local
        • (config)#line vty 0 15
        • (config-line)#login local
    • Privilege Levels
      • There are 16 privilege levels (0-15), the default level is level 1.
      • Usernames can be assigned privilege level but will default to level 1 if not specified.
      • Each command in IOS can be assigned a privilege level
      • Three levels of privilege are used by default
        • zero (level 0)
          • Allows logout, enable, disable, help and exit
        • user (level 1)
          • Limited read-only access
        • privileged (level 15)
          • Complete control over the device
          • When entering enable mode you are at level 15 by default
      • Configure command to have a privilege level
        • (config)#privilege exec level [level #] [command]
    • Set an enable password that opens a specified privilege level
      • If no level is specified it defaults to level 15
      • Command
        • (config)#enable secret level [level # to be set] [password]
  • SSH Secure Shell
    • Telnet crosses the network in plain text, SSH is encrypted
    • Best practice is to disable Telnet
    • SSH uses an RSA key of at least 768 bits, which must be generated (with the crypto key command below) before SSH can be enabled
    • Command
      • Domain name needs to be set first before generating an encryption key
        • (config)#ip domain-name [domain]
      • Generate key
        • (config)#crypto key generate rsa
      • The key name will be the device hostname, a dot, and the domain name
      • Choose the length of the key
        • How many bits in the modulus [512]: [key length]
    • SSH only uses usernames and will not accept line-level passwords.
    • Command
      • (config)#line vty 0 15
      • (config-line)#transport input ssh
      • (config-line)#login local
      • (config-line)#exit
      • (config)#ip ssh version 2
        • This command is optional but it is recommended as it will only allow version 2
      • KNOW this command as it could be on the test
        • >ssh -l [username] [IP Address]
  • AAA – Authentication, Authorization and Accounting
    • Limitations of Local Security Configuration
      • Setting line level security and/or local usernames on each device has serious scalability limitations
        • Adding, removing or changing a password has to be done on each box
    • AAA servers allow
      • centralized passwords
      • Multiple servers can be used for redundancy
    • Authorization and Accounting are optional. Authentication is mandatory when Authorization and/or Accounting are used.
    • AAA Protocols
      • RADIUS and TACACS+
      • Both are open standards, but vendors may have proprietary extensions
      • RADIUS is also commonly used for other services (for example VPN)
      • TACACS+ is commonly used for admin access as it provides more granular authorization abilities
    • Cisco AAA
      • Current version is ISE (Identity Services Engine)
      • End of Life version is ACS (Access Control Server)
    • Commands
      • Old RADIUS Config
        • (config)#username [username] secret [password]
          • Backup username and password to be used in an emergency if the AAA server is unreachable
          • This username/password will not work while the AAA server is reachable by the device; it is only usable when the AAA server cannot be reached.
        • (config)#aaa new-model
          • This just enables AAA on the device
        • (config)#radius-server host [primary AAA server ip address] key [password]
        • (config)#radius-server host [secondary AAA server ip address] key [password]
          • Sets the address of the RADIUS server; adding more than one gives redundancy
        • (config)#aaa group server radius FB-RG
        • (config-sg-radius)#server 10.10.10.10
        • (config-sg-radius)#server 10.10.10.11
          • Sets an AAA group; this is optional and is used to authenticate only against the specified AAA servers
        • (config)#aaa authentication login default group radius local
          • Use all RADIUS servers, or
        • (config)#aaa authentication login default group FB-RG local
          • Use the servers in the specified group; details of the other aaa commands are not covered in CCNA
      • New RADIUS Config – the new-style config gives each AAA server a name, with sub-commands under that server
        • (config)#aaa new-model
        • (config)#radius server Server1
        • (config-radius-server)#address ipv4 10.10.10.10
        • (config-radius-server)#key [password]
        • (config)#radius server Server2
        • (config-radius-server)#address ipv4 10.10.10.11
        • (config-radius-server)#key [password]
        • (config)#aaa group server radius [groupname]
        • (config-sg-radius)#server name Server1
        • (config-sg-radius)#server name Server2
        • (config)#aaa authentication login default group [groupname] local
      • Old & New TACACS+ commands
        • Same as RADIUS, but you use ‘tacacs+’ instead of ‘radius’
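The fall-through rule for the backup username above is easy to get wrong, so here is a small Python model of how a method list such as ‘aaa authentication login default group FB-RG local’ is evaluated. This is an added illustration written for these notes, not Cisco code: the server addresses (10.10.10.10 and 10.10.10.11 from the notes), the group name FB-RG, the usernames and the passwords are constructed sample data. It shows that ‘local’ is only consulted when every server in the group times out, never when a reachable server says no.

```python
# Added illustration for these notes, not Cisco code: a model of how an IOS
# login method list such as 'group FB-RG local' is walked. Addresses, the
# group name and all credentials are constructed sample data.


class RadiusServer:
    """One AAA server; 'users' is that server's own account database."""

    def __init__(self, address, users, reachable=True):
        self.address = address
        self.users = users
        self.reachable = reachable

    def authenticate(self, user, password):
        # A timeout is reported as 'unreachable'; a reachable server always
        # gives a definite accept or reject.
        if not self.reachable:
            return "unreachable"
        return "accept" if self.users.get(user) == password else "reject"


class ServerGroup:
    """Equivalent of 'aaa group server radius <name>' with its server list."""

    def __init__(self, servers):
        self.servers = servers

    def authenticate(self, user, password):
        for server in self.servers:
            result = server.authenticate(user, password)
            if result != "unreachable":
                return result  # the first server that answers decides
        return "unreachable"   # every server timed out


class LocalDatabase:
    """Accounts configured with 'username <name> secret <password>'."""

    def __init__(self, users):
        self.users = users

    def authenticate(self, user, password):
        return "accept" if self.users.get(user) == password else "reject"


def aaa_login(method_list, user, password):
    """Walk the method list in order and return (decision, deciding method).

    Only an 'unreachable' answer moves on to the next method. An explicit
    reject stops the evaluation, which is why the local backup account cannot
    be used while a RADIUS server is still answering.
    """
    for name, method in method_list:
        result = method.authenticate(user, password)
        if result != "unreachable":
            return result, name
    return "reject", "no method reachable"


def build_method_list(servers_reachable):
    # Two RADIUS servers in group FB-RG, then the local backup account, i.e.
    # 'aaa authentication login default group FB-RG local'.
    group = ServerGroup([
        RadiusServer("10.10.10.10", {"admin1": "Radius-Pw-1"}, servers_reachable),
        RadiusServer("10.10.10.11", {"admin1": "Radius-Pw-1"}, servers_reachable),
    ])
    local = LocalDatabase({"backup-admin": "Local-Pw-1"})
    return [("FB-RG", group), ("local", local)]


def scenarios():
    up = build_method_list(servers_reachable=True)
    down = build_method_list(servers_reachable=False)
    return {
        # Normal operation: the RADIUS group answers and accepts.
        "radius_user_servers_up": aaa_login(up, "admin1", "Radius-Pw-1"),
        # RADIUS rejects the backup account, and 'local' is never consulted.
        "backup_user_servers_up": aaa_login(up, "backup-admin", "Local-Pw-1"),
        # Both servers time out, so the method list falls through to 'local'.
        "backup_user_servers_down": aaa_login(down, "backup-admin", "Local-Pw-1"),
        # A wrong password is rejected by whichever method answered.
        "bad_password_servers_down": aaa_login(down, "backup-admin", "wrong"),
    }


if __name__ == "__main__":
    for name, (decision, via) in scenarios().items():
        print(f"{name:27s} -> {decision} (decided by {via})")
```

Running it prints one line per scenario; the second scenario is the one the note about the backup account describes, where the group is up, rejects the login, and ‘local’ never gets a turn.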
  • Global Security Best Practices
    • Login Banner – this message will be seen before the user logs in
      • Command
        • (config)#banner login " [hit enter]
          Enter TEXT message. End with the character '"'.
          Authorized users only"
    • Exec banner – this message will be seen after the user logs in to the device
      • Command
        • (config)#banner exec "
          Enter TEXT message. End with the character '"'.
          Please log out immediately if you are not an authorized administrator"
    • Disable unused services
      • Reduces attack surface
      • Always disable HTTP; disable CDP too in highly secure environments
      • Command
        • (config)#no ip http server
        • (config)#no cdp run
    • All network devices should have time synchronized
      • Aids troubleshooting
      • Required for features such as Kerberos and digital certificates
      • Use NTP, as a device's clock drifts over time
      • Command
        • (config)#clock timezone [timezone]
        • (config)#ntp server [server IP]
        • (config)#ntp master
          • Configures the router to be an NTP server
      • Verification Commands
        • #show clock
          • It can take up to 5 minutes for the device to sync its time.
        • #show ntp status
  • Network Device Management
    • Syslog
      • Messages are generated when something happens on the device
      • Format
        • seq no
        • Timestamp
        • %facility
        • severity
          • Levels – 8 levels
            • 0 – Emergency – System is unusable
            • 1 – Alert – A condition that should be corrected immediately
            • 2 – Critical – Critical conditions
            • 3 – Error – Error conditions
            • 4 – Warning – Warning Condition
            • 5 – Notice – normal but significant conditions
            • 6 – Information – Informational messages
            • 7 – Debug – messages that contain information normally of use only when debugging a program.
        • mnemonic
          • Short desc
        • description
      • Logging locations
        • Console line
          • All events logged by default
        • VTY Terminal lines
          • Not enabled by default
        • Logging buffer
          • Events saved in RAM; can be viewed with the show logging command
          • All events logged by default
        • External Syslog servers
      • You can specify different logging levels to each location
      • When a severity level is set for a location, all events at that level or more severe (a lower level number) are logged there.
      • Command
        • Disable console logging
          • (config)#no logging console
        • VTY lines logging
          • (config)#logging monitor [severity level]
        • Log everything, level 7 (debugging) and more severe, to the buffer
          • (config)#logging buffered debugging
        • Set external syslog server
          • (config)#logging [syslog ip address]
          • (config)#logging trap debugging
      • Systems used to collect logs
        • Syslog server
        • SIEM (Security Information and Event Management), which will typically also provide analysis and correlation of events
      • Verification Command
        • #show logging
      • To stop log messages from appearing in the middle of what you are typing, use the ‘(config-line)#logging synchronous’ command, which displays the message and then reprints what you have typed on a new line.
      • Notes about logging
        • Debug output goes to the console line; for it to be displayed on a VTY line the ‘#terminal monitor’ command needs to be used.
        • Debug commands can produce large amounts of output and can overwhelm a device, so use them very carefully in a production environment.
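To make the severity rule concrete, here is an added Python example (not from the notes or from Cisco) that parses messages in the seq/timestamp/%FACILITY-SEVERITY-MNEMONIC format above and applies the same "at this level or more severe" filter that ‘logging trap’, ‘logging monitor’ and ‘logging buffered’ use. The log lines, the facility and mnemonic names in them and the addresses are constructed samples. It also shows the kind of correlation a syslog server or SIEM does on the pushed messages, by picking failed-login events out of the stream.

```python
import re

# Added illustration for these notes (not Cisco code). The log lines below are
# constructed samples in the IOS format described above:
#   seq no: timestamp: %FACILITY-SEVERITY-MNEMONIC: description
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}
LEVEL_BY_NAME = {name: level for level, name in SEVERITY_NAMES.items()}

SYSLOG_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s+)?"                    # optional sequence number
    r"(?P<timestamp>[^%]+?):\s+"                 # timestamp, ends before the %
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<description>.*)$")

SAMPLE_LOG = [  # constructed sample messages
    "000041: *Mar  1 00:12:34.567: %SYS-5-CONFIG_I: Configured from console by admin1 on vty0 (10.1.1.5)",
    "000042: *Mar  1 00:12:40.001: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "000043: *Mar  1 00:12:41.002: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "000044: *Mar  1 00:13:02.110: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin1] [Source: 192.0.2.77] [localport: 22] [Reason: Login Authentication Failed] at 00:13:02 UTC Mon Mar 1 2021",
    "000045: *Mar  1 00:13:05.300: %SYS-7-USERLOG_DEBUG: Message from tty0(user id: admin1): test",
    "garbage line that is not a syslog message",
]


def parse(line):
    """Return the message fields as a dict, or None if the line is not IOS syslog."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    rec["severity_name"] = SEVERITY_NAMES[rec["severity"]]
    return rec


def level_number(level):
    """Accept a number 0-7 or an IOS keyword such as 'debugging' or 'warnings'."""
    return level if isinstance(level, int) else LEVEL_BY_NAME[level]


def deliver(lines, level):
    """Mimic 'logging trap|monitor|buffered <level>'.

    A destination set to level N receives every message whose severity number
    is N or lower, i.e. at that level or more severe: 'debugging' (7) means
    everything, 'warnings' (4) drops notices, informational and debug output.
    """
    threshold = level_number(level)
    return [rec for rec in map(parse, lines) if rec and rec["severity"] <= threshold]


FAILED_LOGIN_RE = re.compile(r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<source>[^\]]+)\]")


def failed_logins(lines):
    """Pull (user, source address) out of SEC_LOGIN-4-LOGIN_FAILED messages.

    This is the kind of correlation a syslog server or SIEM would do on the
    messages a device pushed to it with 'logging trap'.
    """
    hits = []
    for rec in deliver(lines, "warnings"):
        if rec["facility"] == "SEC_LOGIN" and rec["mnemonic"] == "LOGIN_FAILED":
            m = FAILED_LOGIN_RE.search(rec["description"])
            if m:
                hits.append((m.group("user"), m.group("source")))
    return hits


if __name__ == "__main__":
    for level in ("errors", "warnings", "informational", "debugging"):
        kept = deliver(SAMPLE_LOG, level)
        print(f"logging trap {level:13s} -> {len(kept)} of {len(SAMPLE_LOG)} lines delivered")
    print("failed logins:", failed_logins(SAMPLE_LOG))
```

Raising the configured keyword from ‘errors’ to ‘debugging’ steadily delivers more of the sample lines, which is the direction of the severity scale that trips people up: a bigger number means more messages, not more important ones.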
  • SNMP – Simple Network Management Protocol
    • An open standard used on most network devices
    • SNMP Terms
      • SNMP Manager
        • Collects and organizes information from SNMP Agents
        • AKA SNMP Server or NMS (Network Management System)
        • Can pull information from SNMP devices (‘get’), or the device can push information to the SNMP server (‘trap’)
        • Devices can also support changes being made over SNMP by an SNMP server
        • MIB (Management Information Base) – organizes the data being delivered to or retrieved from the device
        • The SNMP server and SNMP device use the same MIB, so they both know what the data is and what can be passed.
    • SNMP Versions
      • SNMPv1 – plain text between server and agent, using matching community strings
      • SNMPv2c – same as v1 but supports bulk retrieval of data
      • SNMPv3 – supports strong authentication and encryption; recommended, but not supported on all devices
    • Commands
      • Set SNMP information
        • (config)#snmp-server contact [email]
        • (config)#snmp-server location [text description]
      • Set Community Strings
        • (config)#snmp-server community [string] ro
        • (config)#snmp-server community [string] rw
      • Set SNMP server and traps
        • (config)#snmp-server host [IP address] [communitystring]
        • (config)#snmp-server enable traps [traptype]
    • Best Practice
      • SNMP should be disabled if not being used.
      • Should change the default SNMP community strings if SNMP is going to be used
      • Use SNMPv3 with secure passwords
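The line-security, enable secret, SSH, global best practice and SNMP points in these notes can be checked mechanically against a saved running-config. The following is an added Python example written for this page (not a Cisco or CCNA tool): it parses a constructed weak config and a constructed hardened config (placeholder hashes, addresses and group names, none taken from the notes) and reports which of the recommendations each one fails.

```python
import re

# Added illustration for these notes, not a Cisco tool. Both configs are
# constructed sample text; the hashes, addresses and names are placeholders.
DEFAULT_COMMUNITIES = {"public", "private"}

WEAK_CONFIG = """\
enable password Cisco123
no service password-encryption
username admin1 password 0 Admin123
ip http server
snmp-server community public RO
snmp-server community private RW
line con 0
 password cisco
 login
 no exec-timeout
line vty 0 15
 password cisco
 login
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
service password-encryption
enable secret 5 $1$PLACEHOLDER$notarealhash
username admin1 secret 5 $1$PLACEHOLDER$notarealhash
ip ssh version 2
no ip http server
no cdp run
ntp server 192.0.2.10
banner login ^CAuthorized users only^C
snmp-server group NMS-ADMINS v3 priv
line con 0
 exec-timeout 15 0
 login local
line vty 0 15
 exec-timeout 5 30
 login local
 transport input ssh
"""


def parse_config(text):
    """Split the config into top-level lines and the indented bodies under them."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif raw.strip() and not raw.startswith("!"):
            current = raw.strip()
            top.append(current)
            sections[current] = []
    return top, sections


def audit(text):
    """Return (check, detail) findings; an empty list means every check passed."""
    top, sections = parse_config(text)
    findings = []

    def has(prefix):
        return any(line.startswith(prefix) for line in top)

    # Privileged exec password handling: enable secret plus encrypted line passwords.
    if not has("enable secret"):
        findings.append(("enable-secret", "no 'enable secret' configured"))
    if has("enable password"):
        findings.append(("enable-password", "plain-text 'enable password' in use; use 'enable secret'"))
    if not has("service password-encryption"):
        findings.append(("password-encryption", "'service password-encryption' is not enabled"))
    for line in top:
        if re.match(r"username \S+ password ", line):
            findings.append(("username-password", f"{line.split()[1]}: 'password' used instead of 'secret'"))
    # Global best practices: unused services, SSH version 2, NTP, login banner.
    if has("ip http server"):  # 'no ip http server' does not match this prefix
        findings.append(("http-server", "HTTP server enabled; add 'no ip http server'"))
    if not has("ip ssh version 2"):
        findings.append(("ssh-version", "'ip ssh version 2' not set"))
    if not has("ntp server"):
        findings.append(("ntp", "no NTP server configured"))
    if not has("banner login"):
        findings.append(("banner", "no login banner configured"))
    # SNMP: default community strings and read-write access.
    for line in top:
        m = re.match(r"snmp-server community (\S+)(?:\s+(ro|rw))?", line, re.IGNORECASE)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append(("snmp-default-community", f"default community '{m.group(1)}' in use"))
        if m and (m.group(2) or "").lower() == "rw":
            findings.append(("snmp-rw", f"community '{m.group(1)}' allows config changes over SNMP"))
    # Line level security: per-user login, idle timeout, SSH-only VTY access.
    for header, body in sections.items():
        if not header.startswith("line "):
            continue
        if "login local" not in body:
            findings.append(("line-login-local", f"{header}: shared line password instead of 'login local'"))
        timeouts = [b.split()[1:] for b in body if b.startswith("exec-timeout")]
        if "no exec-timeout" in body or any(t in (["0"], ["0", "0"]) for t in timeouts):
            findings.append(("exec-timeout", f"{header}: idle timeout disabled"))
        if header.startswith("line vty"):
            transports = [b for b in body if b.startswith("transport input")]
            if not transports or transports[-1] != "transport input ssh":
                findings.append(("vty-transport", f"{header}: Telnet still allowed; use 'transport input ssh'"))
    return findings


def failed_checks(text):
    """The set of check names that failed, for a quick pass/fail summary."""
    return {check for check, _ in audit(text)}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit(cfg))} finding(s)")
        for check, detail in audit(cfg):
            print(f"  [{check}] {detail}")
```

The checks are deliberately prefix matches on the saved text, so ‘no ip http server’ and ‘no service password-encryption’ are distinguished from their enabled forms by the leading ‘no’; a real audit would also parse the separate ‘show snmp user’ output, since SNMPv3 users are not shown in the running-config.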
  • SNMPv3 Configuration
    • Supports authentication and encryption
    • Works with users and groups
    • Matching user account is set up on the NMS server and network device
    • A user's settings come from the group the user is a member of
    • Security Levels
      • noAuthnoPriv
        • No Auth password is exchanged
        • Communications between the agent and server are not encrypted
        • username replaces the community string
      • AuthNoPriv
        • Uses Auth password
        • No encryption is used for communication
      • AuthPriv
        • Uses Auth password
        • Communication is encrypted
    • Configuration Action
      • access – specify an access-list associated with this group
        • limits the device to communicating only with the NMS servers permitted by the access list
      • context – specify a context to associate these views for the group
        • specify which VLANs are accessible via SNMP
      • match – context name match criteria
      • notify – specify a notify view for the group
      • read – specify a read view for the group
      • write – specify a write view for the group
        • Views
          • limit what information is accessible to the NMS server
          • If read view is not specified all MIB objects are accessible
          • If write view is not specified no MIB objects are accessible
          • NMS gets read-only access to all MIBs by default
          • Notify is disabled by default if not specified, it is used to send a notification to group members
    • Command
      • Group config 
        • (config)#snmp-server group [groupName] v3 [Security Level] [action]
      • User config
        • (config)#snmp-server user [user] [groupname] v3 auth [auth algorithm] [password] priv [encryption] [bit size] [priv password]
          • Auth algorithm
            • md5
            • sha – most secure but slower
          • Encryption type
            • des
            • 3des
            • aes – most secure but slower
              • 128 – Use 128 bits
              • 192 – Use 192 bits
              • 256 – Use 256 bits
    • Syslog vs SNMP
      • Both provide logging functionality
      • Syslog often provides more detailed information
      • SNMP supports pushing data (traps)
      • NMS servers typically support both syslog and SNMP
    • NMS vs SIEM
      • Both pull reports to help with early warning and troubleshooting, but they focus on different information:
        • NMS focuses on network information
        • SIEM focuses on security information