11 Replies. Latest reply: May 29, 2010 8:32 PM by Jared

    CCNA Security Discussion -- Secure Cisco Routers

    Paul Stewart  -  CCIE Security

      This is the second in a series of discussions regarding the CCNA Security (IINS) exam.  I expect this discussion to be quite a bit different since we are now talking about configuration as opposed to threats, vulnerabilities, and policies.  There are a lot of directions that each person can go to give examples of configuration options.  This topic is "Secure Cisco Routers".

       

      Secure Cisco Routers

      • Secure Cisco routers using the SDM Security Audit feature

      • Use the One-Step Lockdown feature in SDM to secure a Cisco router

      • Secure administrative access to Cisco routers by setting strong encrypted passwords, exec timeout, login failure rate and using IOS login enhancements

      • Secure administrative access to Cisco routers by configuring multiple privilege levels

      • Secure administrative access to Cisco routers by configuring role based CLI

       

      Community Challenges (open to all)

      • Make and embed a video that demonstrates SDM Security Audit or One-Step Lockdown
      • Provide sample configurations of the items that are pertaining to the CLI
      • Discuss how privilege levels work in IOS
      • Discuss the differences between type 5 and type 7 passwords
      • Discuss the use of "service password-encryption"

       

      IINS Blueprint

       

      640-553 IINS Exam Topics v1.0

       

      Print Resources

       

      Implementing Cisco IOS Network Security (IINS) by Catherine Paquet
      ISBN-10: 1587058154

      http://www.amazon.com/Implementing-Cisco-Network-Security-IINS/dp/1587058154/


      CCNA Security Official Exam Certification Guide (Exam 640-553) by Michael Watkins and Kevin Wallace
      ISBN-10: 1587202204

      http://www.amazon.com/Security-Official-Certification-Guide-640-553/dp/1587202204

       

       

      Study Aids

       

      Practice

      CCNA Security (IINS) Review Questions
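The third bullet of the blueprint above (strong encrypted passwords, exec timeout, login failure rate and the IOS login enhancements) is the kind of thing the SDM Security Audit checks for. The script below is an added example, not part of the original discussion or of SDM: it parses two constructed running-config fragments (a weak one and a hardened one, both written for this example) and reports the same class of findings a manual audit of that bullet would produce. The type 5 hash reused in the hardened sample is the one quoted from Cisco's documentation later in the thread; the 600-second idle limit is an assumed policy value, not an IOS default.

```python
import re

# Constructed sample: a router with the admin-access weaknesses the blueprint bullet
# targets (no 'enable secret', a plaintext 'enable password', idle timeout disabled on
# the console, no login-failure protection, a vty line password). Not from the page.
WEAK_CONFIG = """\
hostname R1
!
enable password cisco
!
line con 0
 exec-timeout 0 0
line vty 0 4
 password cisco
 login
"""

# Constructed sample of the same router after applying the commands the bullet names.
# The $1$ hash is the one quoted from Cisco's docs elsewhere in the thread.
HARDENED_CONFIG = """\
hostname R1
!
service password-encryption
enable secret 5 $1$tmIw$1aM7sadKhWMpkVTzxNw1J.
username admin privilege 15 secret 5 $1$tmIw$1aM7sadKhWMpkVTzxNw1J.
login block-for 120 attempts 3 within 60
login delay 2
login on-failure log
!
line con 0
 exec-timeout 5 0
line vty 0 4
 exec-timeout 5 0
 login local
"""

EXEC_TIMEOUT = re.compile(r"^exec-timeout (\d+)(?: (\d+))?$")


def parse_config(text):
    """Split a running-config into top-level commands and the sub-commands of each 'line' block."""
    global_cmds, line_blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):                 # indented: belongs to the current block
            if current is not None:
                line_blocks[current].append(raw.strip())
            continue
        cmd = raw.strip()
        current = cmd if cmd.startswith("line ") else None
        if current:
            line_blocks[current] = []
        else:
            global_cmds.append(cmd)
    return global_cmds, line_blocks


def audit(text, max_idle_seconds=600):
    """Return a list of findings for the admin-access checks; an empty list means all passed."""
    global_cmds, line_blocks = parse_config(text)
    findings = []

    def has(prefix):
        return any(c.startswith(prefix) for c in global_cmds)

    if not has("enable secret"):
        findings.append("no 'enable secret' (type 5) configured")
    if has("enable password"):
        findings.append("'enable password' present: type 0/7, recoverable from the config")
    if "service password-encryption" not in global_cmds:
        findings.append("'service password-encryption' missing: line/username passwords show in clear text")
    if not (has("login block-for") or has("security authentication failure rate")):
        findings.append("no login-failure protection ('login block-for' or 'security authentication failure rate')")

    for name, cmds in line_blocks.items():
        timeout = None
        for c in cmds:
            m = EXEC_TIMEOUT.match(c)
            if m:
                timeout = int(m.group(1)) * 60 + int(m.group(2) or 0)   # minutes [seconds]
        if timeout is None:
            findings.append(f"{name}: exec-timeout not set explicitly")
        elif timeout == 0:
            findings.append(f"{name}: 'exec-timeout 0 0' disables the idle timeout")
        elif timeout > max_idle_seconds:
            findings.append(f"{name}: exec-timeout of {timeout}s exceeds {max_idle_seconds}s")
        if any(c.startswith("password ") for c in cmds):
            findings.append(f"{name}: line password (type 0/7) instead of 'login local' with a type 5 username secret")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(cfg)
        print(f"{label}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

Run against the weak sample it reports seven findings; against the hardened one it reports none. Feed it `show running-config` output saved to a file to audit a real device, keeping in mind it only knows about the checks on the bullet list, not the rest of what SDM's One-Step Lockdown changes.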

        • 1. Re: CCNA Security Discussion -- Secure Cisco Routers
          rebarksdale

          Hello, All;

           

          I figured that I will kick off a discussion on how privilege levels work in IOS...

           

          There are 16 privilege levels, 0 to 15. Level 0 is reserved for user-level access privileges and level 15 is reserved for privileged mode commands.  Levels 2-14 allow you to tailor access to meet the needs of your particular organization.  This lets you give a certain group of users the ability to configure particular interfaces, while preventing them from making other configuration changes.  Privilege levels are "cascading."  Therefore, if a user has level 10 access, the user has access to the commands authorized in levels 1-9 as well.

           

          The following configuration steps are required:

           

          1. configure terminal
          2. privilege mode [all] level level command
          3. enable password level level [encryption-type] password-string
          4. do copy running-config startup-config

           

          Reference: http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftprienh.html#wp1027195

           

          I look forward to our continued discussions.

           

          Robert

          • 2. Re: CCNA Security Discussion -- Secure Cisco Routers
            CrimsonMR2

            PacketU wrote:


            Community Challenges (open to all)

            • Discuss the differences between type 5 and type 7 passwords
            • Discuss the use of "service password-encryption"

             

            Type 5 passwords refer to the MD5 hashing algorithm defined in RFC 1321.  It was designed by Ron Rivest in 1991 and is used in many applications including Cisco type 5 Authentication.  This is used for encrypting the enable secret password.  It is moderately difficult to reverse engineer this type of encryption.

             

            Type 7 passwords refer to Cisco's proprietary algorithm in encrypting passwords.  This is best used to prevent shoulder surfers from recording privilege level access to network resources (ports, http(s) services).  It can easily be broken quickly using online resources.

             

            In a configuration file, the command service password-encryption will encrypt all passwords with the exception of the more secure type 5 enable secret variety.  This prevents passwords from showing up in plain text in configuration files.  Best practice says that backup configuration files should be kept in secure areas because of how easy and vulnerable the type 7 password is.

            • 3. Re: CCNA Security Discussion -- Secure Cisco Routers
              CrimsonMR2

              PacketU wrote:

               

              Community Challenges (open to all)

              • Make and embed a video that demonstrates SDM Security Audit or One-Step Lockdown

              I am not sure how many of us have the resources available to us to complete this task.  It is well documented in both the TrainSignal and CBT Nuggets videos on the topic.

               

              Perhaps, Keith Barker (or other trainers) would be interested in practicing their skills and contributing to this area of discussion with a video example?

              • 4. Re: CCNA Security Discussion -- Secure Cisco Routers
                Paul Stewart  -  CCIE Security

                Privilege levels are definitely an interesting concept.  I think the concept of moving commands between levels is a bit confusing.  I was glad that the article you referenced showed how to use "enable x" where "x" is a privilege level.  This is handy for messing with privilege levels without getting into the second "A" (Authorization) of the AAA model.

                 

                I pulled the below config from the following Documentation Page--

                http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_cfg_sec_4cli_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1055480

                 

                This is a demonstration of using privilege levels to allow a user to only shut and no shut interfaces.

                 


                username admin privilege 7 secret 5 $1$tmIw$1aM7sadKhWMpkVTzxNw1J.
                !
                privilege interface all level 7 shutdown
                privilege interface all level 7 no shutdown
                privilege configure level 7 interface
                privilege exec level 7 configure terminal
                !
                ! the privilege exec level 7 configure command below is entered automatically
                ! when you enter the privilege exec level 7 configure terminal command above, do
                ! not enter it again
                !
                privilege exec level 7 configure

                • 5. Re: CCNA Security Discussion -- Secure Cisco Routers
                  CrimsonMR2

                  PacketU wrote:

                  Privilege levels are definitely an interesting concept.  I think the concept of moving commands between levels is a bit confusing.  I was glad that the article you referenced showed how to use "enable x" where "x" is a privilege level.  This is handy for messing with privilege levels without getting into the second "A" (Authorization) of the AAA model.

                  I think the discussion of privilege levels is a proper segue to custom views.  There are several commands used in configuring custom views.  Are there any secrets to memorizing them?  How useful are they in today's network deployments?  Are they commonplace or "featurific" features which often do not get put into play in production environments?

                  • 6. Re: CCNA Security Discussion -- Secure Cisco Routers
                    Paul Stewart  -  CCIE Security

                    CrimsonMR2,

                     

                    Regarding the video, I absolutely agree.  It would be nice to have something like that, but I certainly don't expect it.  Stuff like that is time consuming if you don't create them regularly.  This is an open forum and no one should feel obligated to do anything that they don't have the time and resources for.  Keith has been doing some excellent work with video and I am way envious of his skills.  I was just throwing that out there as a challenge if someone wanted to take the time, or already had one readily available.

                     

                     

                    Regarding the password encryption methods, that is a great explanation.  I have a piece of trivia that I'll add--

                     

                    If you encrypt your passwords with "service password-encryption" and subsequently remove it, what happens?  It would be easy to assume that the type 7 passwords would be decrypted and stored in plain text.  However, that is not the case.  The passwords are still stored as type 7 and displayed as type 7.  Doing a "show running-config" or "show startup-config" will display the type 7 format.  If you manually add them back into the configuration (overwriting the type 7 ones), they will then be in clear text.  The IOS understands these passwords to be type 7 because of the '7' indicator with them while stored in flash and in execution ram.  Therefore the type 7 passwords can continue to work even though the router may no longer be doing "password-encryption".

                     

                    Another interesting side effect of type 7 versus type 5 is that type 7 is reversible.  There is truly a mathematical process that can reverse it back into a clear text password.  This sounds pretty bad, and it is certainly something to be aware of.  However, consider using a non reversible (type 5) password with a challenge algorithm like CHAP.  Both endpoints must know the passwords, or have equivalent hashes.  With type 5 this is not the case and thus CHAP cannot work with type 5 passwords.  However, the IOS can understand the origination of a type 7 password and thus it can work with CHAP.  Probably not an IINS concept, but another piece of trivia.
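The two posts above (the type 5 versus type 7 comparison, and the note that type 7 is mathematically reversible) can be checked directly. The script below is an added example, not part of the original thread: it implements the type 7 transform in both directions (the fixed XOR key is public and identical on every IOS device, which is why the scheme is obfuscation rather than encryption), then classifies every password-bearing line of a constructed config fragment. The test strings `0822455D0A16` and `094F471A1A0A` are the well-known type 7 encodings of "cisco"; the `$1$` hash is the one quoted from Cisco's documentation earlier in the thread. The sample config and the helper names are this example's own.

```python
import re

# Cisco's fixed type 7 key. Every IOS device uses the same one, so there is no secret
# to protect: anyone holding the config can undo the transform.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Two decimal digits (key offset) followed by an even number of hex digits.
TYPE7_RE = re.compile(r"^\d\d(?:[0-9A-Fa-f]{2})+$")


def type7_decode(encoded):
    """Reverse a type 7 string: offset into the key, then XOR each byte with the next key byte."""
    if not TYPE7_RE.match(encoded):
        raise ValueError(f"not a well-formed type 7 string: {encoded!r}")
    seed = int(encoded[:2])
    if seed > 15:
        raise ValueError("IOS generates key offsets 0-15 only")
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode("latin-1")


def type7_encode(plaintext, seed=8):
    """Forward direction, as applied under 'service password-encryption' (IOS picks the seed)."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0-15")
    data = plaintext.encode("latin-1")
    return f"{seed:02d}" + "".join(
        f"{b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]:02X}" for i, b in enumerate(data)
    )


# Matches 'enable secret/password', 'username ... secret/password' and line 'password'
# commands, with an optional explicit type digit (0, 5 or 7) before the value.
PASSWORD_LINE = re.compile(
    r"^\s*(?P<cmd>enable secret|enable password|username \S+ (?:privilege \d+ )?(?:secret|password)|password)"
    r"\s+(?:(?P<type>[057])\s+)?(?P<value>\S+)\s*$"
)


def classify(config_text):
    """Label each password line as type 0 (clear), 7 (reversible) or 5 (salted MD5-crypt hash)."""
    rows = []
    for line in config_text.splitlines():
        m = PASSWORD_LINE.match(line)
        if not m:
            continue
        ptype, value = m.group("type") or "0", m.group("value")
        if ptype == "7":
            note = f"reversible, plaintext is {type7_decode(value)!r}"
        elif ptype == "5":
            note = "salted MD5-crypt hash ($1$salt$hash); not reversible, only guessable offline"
        else:
            note = f"clear text {value!r}"
        rows.append((m.group("cmd"), ptype, note))
    return rows


# Constructed sample config mixing all three storage types (not from the page).
CONFIG = """\
enable secret 5 $1$tmIw$1aM7sadKhWMpkVTzxNw1J.
enable password 7 0822455D0A16
username admin privilege 7 secret 5 $1$tmIw$1aM7sadKhWMpkVTzxNw1J.
username ops password 7 094F471A1A0A
line vty 0 4
 password cisco
 login
"""

if __name__ == "__main__":
    for cmd, ptype, note in classify(CONFIG):
        print(f"type {ptype:<2} {cmd:<40} {note}")
```

Run as-is it prints that both type 7 entries decode to "cisco" in a fraction of a millisecond, that the `enable secret` and username secret are salted MD5-crypt hashes that can only be attacked by guessing, and that the vty line still holds a clear-text password. The decoder is the reason the earlier post's advice about locking up backup configs matters: a type 7 value in a leaked config is the password.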

                    • 7. Re: CCNA Security Discussion -- Secure Cisco Routers
                      CrimsonMR2

                      CrimsonMR2 wrote:

                      PacketU wrote:

                      Community Challenges (open to all)

                      • Make and embed a video that demonstrates SDM Security Audit or One-Step Lockdown

                      Perhaps, Keith Barker (or other trainers) would be interested in practicing their skills and contributing to this area of discussion with a video example?

                       

                      Keith Rocks:

                       

                      Here we go:  https://learningnetwork.cisco.com/docs/DOC-7631#cf

                       

                      Thanks Keith!

                      • 8. Re: CCNA Security Discussion -- Secure Cisco Routers
                        Keith Barker - CCIE RS/Security, CISSP
                        SDM Security Audit Demo

                         

                        Best wishes,

                         

                        Keith

                         

                        • 9. Re: CCNA Security Discussion -- Secure Cisco Routers
                          Paul Stewart  -  CCIE Security

                          I think technologies such as parser-view and lawful intercept do provide a lot of granularity in access.  The organizations I support don't allow access to their network devices from their help desk, so I don't personally see this implemented.  I do have an opinion that a lot of places that need something like this already have TACACS+ in place.  In those cases, very fine granularity can be found using command authorization in TACACS+.  I'm sure there are some organizations that use parser-view extensively.   I too am curious about others' opinions on how extensively these are used, especially in the service provider space.  I found a nice presentation at the URL below:

                           

                          http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6525/ps7264/ps6642/prod_presentation0900aecd80313ff4.pdf

                          • 10. Re: CCNA Security Discussion -- Secure Cisco Routers
                            Jared

                            I don't work for a service provider, but I can tell you that setting up various views on every single device you have can get ugly, especially if you have a large amount of devices.  I work in a 500+ node network.  That includes routers, switches, bridges, APs, controllers and management software.  I would much rather use TACACS+ and set up Authorization permissions on one AAA server than various views on every node.

                             

                            Now, I do have some contacts at the ISP that provides Internet access to my organization and their take is the same.  I can see views coming in handy in a small environment, but not an enterprise!  A question I would pose is how big does the environment need to get before one would consider dumping views and going to AAA?

                            • 11. Re: CCNA Security Discussion -- Secure Cisco Routers
                              eehinesee

                              I'm not sure the organization would need to get very large at all.  The network guy in a small organization probably is struggling with the network, Microsoft/Mac OS, et al., as an additional duty, and his/her day job would take most of his time.  The network guy working in a larger organization probably is going to be fully employed maintaining the network; I don't see that person having a lot of time for individual views.  I think views are a holdover from the bad old days of early UNIX.

                               

                              Eric Hines