8378 Views 11 Replies Latest reply: May 29, 2010 8:32 PM by Jared RSS

CCNA Security Discussion -- Secure Cisco Routers

May 22, 2010 2:41 PM

Paul Stewart  -  CCIE Security, CCSI 6,952 posts since
Jul 18, 2008

This is the second in a series of discussions regarding the CCNA Security (IINS) exam.  I expect this discussion to be quite a bit different since we are now talking about configuration as opposed to threats, vulnerabilities, policies.  There are a lot of directions that each person can go to give examples of configuration options.  This topic is "Secure Cisco Routers".

Secure Cisco Routers

  • Secure Cisco routers using the SDM Security Audit feature

  • Use the One-Step Lockdown feature in SDM to secure a Cisco router

  • Secure administrative access to Cisco routers by setting strong encrypted passwords, exec timeout, login failure rate and using IOS login enhancements

  • Secure administrative access to Cisco routers by configuring multiple privilege levels

  • Secure administrative access to Cisco routers by configuring role based CLI

Community Challenges (open to all)

  • Make and embed a video that demonstrates SDM Security Audit or One-Step Lockdown
  • Provide sample configurations of the items that are pertaining to the CLI
  • Discuss how privilege levels work in IOS
  • Discuss the differences between type 5 and type 7 passwords
  • Discuss the use of "service password-encryption"

IINS Blueprint

640-553 IINS Exam Topics v1.0

Print Resources

Implementing Cisco IOS Network Security (IINS) by Catherine Paquet
ISBN-10: 1587058154

http://www.amazon.com/Implementing-Cisco-Network-Security-IINS/dp/1587058154/

CCNA Security Official Exam Certification Guide (Exam 640-553) by Michael Watkins and Kevin Wallace
ISBN-10: 1587202204

http://www.amazon.com/Security-Official-Certification-Guide-640-553/dp/1587202204

Study Aids

Practice

CCNA Security (IINS) Review Questions

  • rebarksdale 33 posts since
    Aug 12, 2008

    Hello, All;

    I figured that I will kick off a discussion on how privilege levels work in IOS...

    There are 16 privilege levels, 0 to 15. Level 0 is reserved for user-level access privileges and level 15 is reserved for privileged mode commands.  Levels 2-14 allow you to tailor access to meet the needs of your particular organization.  This lets you allow a certain group of users the ability to configure particular interfaces, while preventing them from making other configuration changes.  Privilege levels are "cascading."  Therefore, if a user has level 10 access, the user has access to the commands authorized in levels 1-9 as well.

    The following configuration steps are required:

    1. configure terminal
    2. privilege mode [all] level level command
    3. enable password level level [encryption-type] password-string
    4. do copy running-config startup-config

    Reference: http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftprienh.html#wp1027195

    I look forward to our continued discussions.

    Robert

  • CrimsonMR2 187 posts since
    Nov 20, 2009

    PacketU wrote:


    Community Challenges (open to all)

    • Discuss the differences between type 5 and type 7 passwords
    • Discuss the use of "service password-encryption"

    Type 5 passwords refer to the MD5 hashing algorithm defined in RFC 1321.  It was designed by Ron Rivest in 1991 and is used in many applications including Cisco type 5 Authentication.  This is used for encrypting the enable secret password.  It is moderately difficult to reverse engineer this type of encryption.

    Type 7 passwords refer to Cisco's proprietary algorithm for encrypting passwords.  This is best used to prevent shoulder surfers from recording privilege level access to network resources (ports, http(s) services).  It can easily be broken quickly using online resources.

    In a configuration file, the command service password-encryption will encrypt all passwords with the exception of the more secure type 5 enable secret variety.  This prevents passwords from showing up in plain text in configuration files.  Best practice says that backup configuration files should be kept in secure areas because of how easy and vulnerable the type 7 password is.
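As an added example for this thread (written for the discussion, not Cisco's code and not from any post above), here is a small Python audit that makes the type 5 / type 7 distinction and the effect of service password-encryption concrete. It decodes type 7 strings with the publicly known key stream IOS uses, classifies each credential line of a configuration by storage type, and reports what service password-encryption would and would not change. The sample configuration inside it is constructed; the $1$ hash is the one quoted later in the thread and is never verified. Types 4, 8 and 9 belong to IOS releases newer than the 640-553 material and are included only so the classifier is complete.

```python
"""Added example for this thread (not Cisco code): audit how an IOS configuration
stores credentials. Decodes type 7 with the public key stream, classifies each
credential line by type, and notes what service password-encryption protects.
"""
import re
from dataclasses import dataclass

# Fixed XOR key stream used by IOS type 7. The first two characters of a type 7
# string are the decimal offset into this stream for the first password byte.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Recover the plaintext of a type 7 string, e.g. 0822455D0A16 -> 'cisco'."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError(f"malformed type 7 string: {encoded!r}")
    offset, body = int(encoded[:2]), bytes.fromhex(encoded[2:])
    return bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(body)).decode("ascii")


def encode_type7(plain: str, offset: int = 8) -> str:
    """Inverse of decode_type7; IOS itself picks an offset in 0..15."""
    if not 0 <= offset <= 15:
        raise ValueError("offset must be 0..15")
    body = bytes(ord(c) ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                 for i, c in enumerate(plain))
    return f"{offset:02d}{body.hex().upper()}"


# enable password/secret [level N], username ... password/secret, line-mode password
CRED_RE = re.compile(
    r"^\s*(?P<what>enable (?:password|secret)(?: level \d+)?"
    r"|username \S+(?: privilege \d+)? (?:password|secret)"
    r"|password)"
    r"(?: (?P<type>\d{1,2}))? (?P<value>\S+)\s*$"
)


@dataclass
class Finding:
    line_no: int      # 0 means the finding applies to the whole configuration
    severity: str     # "high", "medium" or "info"
    message: str


def audit_config(config: str) -> list:
    """Classify every credential line of an IOS configuration text."""
    lines = config.splitlines()
    spe_on = any(l.strip() == "service password-encryption" for l in lines)
    findings = []
    for no, line in enumerate(lines, 1):
        m = CRED_RE.match(line)
        if not m:
            continue
        what, value = m["what"], m["value"]
        ptype = int(m["type"]) if m["type"] else 0   # no type keyword means type 0
        if ptype == 7:
            try:
                findings.append(Finding(no, "high",
                    f"{what}: type 7 reverses to {decode_type7(value)!r}"))
            except ValueError:
                findings.append(Finding(no, "medium", f"{what}: malformed type 7 string"))
        elif ptype == 0 and "secret" in what:
            findings.append(Finding(no, "high",
                f"{what}: entered in the clear; IOS hashes it, but this file still leaks it"))
        elif ptype == 0:
            findings.append(Finding(no, "high",
                f"{what}: plaintext; service password-encryption would only make it type 7"))
        elif ptype == 4:
            findings.append(Finding(no, "high",
                f"{what}: type 4 is one unsalted SHA-256 round, weaker than type 5"))
        elif ptype == 5:
            findings.append(Finding(no, "medium",
                f"{what}: type 5 salted MD5; not reversible but crackable offline"))
        elif ptype in (8, 9):
            findings.append(Finding(no, "info",
                f"{what}: type {ptype} ({'PBKDF2-SHA-256' if ptype == 8 else 'scrypt'})"))
        else:
            findings.append(Finding(no, "medium", f"{what}: unknown storage type {ptype}"))
    if not spe_on:
        findings.append(Finding(0, "medium",
            "service password-encryption is off; line and username passwords stay plaintext"))
    return findings


# Constructed sample, not a real device. The $1$ hash is the one quoted in the thread.
SAMPLE_CONFIG = """\
hostname edge-rtr
enable secret 5 $1$tmIw$1aM7sadKhWMpkVTzxNw1J.
enable password cisco
username admin privilege 7 secret 5 $1$tmIw$1aM7sadKhWMpkVTzxNw1J.
username ops password 7 094F471A1A0A
line vty 0 4
 password 7 0822455D0A16
 login
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f.line_no:>2} [{f.severity:6}] {f.message}")
```

Run against the sample it reports the two type 7 strings as recovered plaintext and the enable password as plaintext, which is the point of the post: the only line service password-encryption leaves alone is the type 5 secret, and everything it does touch is one table lookup away from clear text.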

  • CrimsonMR2 187 posts since
    Nov 20, 2009

    PacketU wrote:

    Community Challenges (open to all)

    • Make and embed a video that demonstrates SDM Security Audit or One-Step Lockdown

    I am not sure how many of us have the resources available to us to complete this task.  It is well documented in both the TrainSignal and CBT Nuggets videos on the topic.

    Perhaps, Keith Barker (or other trainers) would be interested in practicing their skills and contributing to this area of discussion with a video example?

  • CrimsonMR2 187 posts since
    Nov 20, 2009

    PacketU wrote:

    Privilege levels are definitely an interesting concept.  I think the concept of moving commands between levels is a bit confusing.  I was glad that the article you referenced showed how to use "enable x" where "x" is a privilege level.  This is handy for messing with privilege levels without getting into the second "A" (Authorization) of the AAA model.

    I pulled the below config from the following Documentation Page--

    http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_cfg_sec_4cli_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1055480

    This is a demonstration of using privilege levels to allow a user to only shut and no shut interfaces.

    username admin privilege 7 secret 5 $1$tmIw$1aM7sadKhWMpkVTzxNw1J.
    !
    privilege interface all level 7 shutdown
    privilege interface all level 7 no shutdown
    privilege configure level 7 interface
    privilege exec level 7 configure terminal
    !
    ! the privilege exec level 7 configure command below is entered automatically
    ! when you enter the privilege exec level 7 configure terminal command above, do
    ! not enter it again
    !
    privilege exec level 7 configure

    I think the discussion of privilege levels is a proper segue to custom views.  There are several commands used in configuring custom views.  Are there any secrets in memorizing them?  How useful are they in today's network deployments?  Are they commonplace or "featurific," which often do not get put into play in production environments?
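To make the cascading rule in Robert's post and the auto-added "configure" line in the configuration above concrete, here is an added Python model of the privilege-level authorisation logic (example code written for this discussion, not IOS code). Its default table is a constructed handful of commands rather than the real IOS tables, anything it has not seen defaults to level 15, and it applies the four privilege lines from the post above to answer "can a level-N user run this command?".

```python
"""Added example for this thread (not IOS code): a model of how IOS privilege
levels authorise commands, built from the rules the Cisco references describe.
The default table is a constructed handful of commands, not the real IOS tables;
anything it has not seen defaults to level 15.
"""

# (mode, command) -> default level. Constructed for the example.
DEFAULT_LEVELS = {
    ("exec", "show version"): 1,
    ("exec", "show running-config"): 15,
    ("exec", "configure"): 15,
    ("exec", "configure terminal"): 15,
    ("configure", "interface"): 15,
    ("interface", "shutdown"): 15,
    ("interface", "no shutdown"): 15,
    ("interface", "ip address"): 15,
}


class PrivilegeTable:
    def __init__(self):
        self.exact = dict(DEFAULT_LEVELS)   # per-command levels
        self.subtree = {}                   # (mode, prefix) -> level, from "all"

    def apply(self, line: str) -> None:
        """Apply one 'privilege MODE [all] level N COMMAND' line."""
        words = line.split()
        if len(words) < 5 or words[0] != "privilege":
            raise ValueError(f"not a privilege command: {line!r}")
        mode, rest = words[1], words[2:]
        use_all = rest[0] == "all"
        if use_all:
            rest = rest[1:]
        if len(rest) < 3 or rest[0] != "level" or not rest[1].isdigit():
            raise ValueError(f"malformed privilege command: {line!r}")
        level, cmd_words = int(rest[1]), rest[2:]
        if not 0 <= level <= 15:
            raise ValueError("privilege levels are 0..15")
        # IOS lowers every leading prefix of a multi-word command to N as well
        # (the auto-added "privilege exec level 7 configure" in the thread),
        # so the path to the command is reachable; an already lower prefix stays.
        for n in range(1, len(cmd_words)):
            key = (mode, " ".join(cmd_words[:n]))
            if self.level_of(*key) > level:
                self.exact[key] = level
        command = " ".join(cmd_words)
        self.exact[(mode, command)] = level
        if use_all:                       # "all": every subcommand under it too
            self.subtree[(mode, command)] = level

    def level_of(self, mode: str, command: str) -> int:
        """Level required for COMMAND in MODE: explicit, then 'all' subtree, then 15."""
        if (mode, command) in self.exact:
            return self.exact[(mode, command)]
        for (m, prefix), lvl in self.subtree.items():
            if m == mode and command.startswith(prefix + " "):
                return lvl
        return 15

    def allowed(self, user_level: int, mode: str, command: str) -> bool:
        """Cascading rule: a user sees every command at or below their own level."""
        return self.level_of(mode, command) <= user_level

    def visible_commands(self, user_level: int) -> list:
        """Roughly what a user at this level would find in the CLI."""
        return sorted(f"{m}: {c}" for (m, c), lvl in self.exact.items()
                      if lvl <= user_level)


# The four reassignment lines from the configuration quoted in the thread.
THREAD_CONFIG = [
    "privilege interface all level 7 shutdown",
    "privilege interface all level 7 no shutdown",
    "privilege configure level 7 interface",
    "privilege exec level 7 configure terminal",
]


def build_table(lines=THREAD_CONFIG) -> PrivilegeTable:
    table = PrivilegeTable()
    for line in lines:
        table.apply(line)
    return table


if __name__ == "__main__":
    table = build_table()
    for lvl in (1, 7, 15):
        print(f"level {lvl:>2}:", ", ".join(table.visible_commands(lvl)))
```

The model shows why the level-7 user in the post can reach interface shutdown but not ip address or show running-config, and why a level-10 user inherits all of it: the check is nothing more than "command level <= user level", which is also why moving a sensitive command down to a low level quietly exposes it to every level above.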

  • CrimsonMR2 187 posts since
    Nov 20, 2009
    7. May 24, 2010 6:28 PM (in response to CrimsonMR2)
    Re: CCNA Security Discussion -- Secure Cisco Routers

    CrimsonMR2 wrote:

    PacketU wrote:

    Community Challenges (open to all)

    • Make and embed a video that demonstrates SDM Security Audit or One-Step Lockdown

    I am not sure how many of us have the resources available to us to complete this task.  It is well documented in both the TrainSignal and CBT Nuggets videos on the topic.

    Perhaps, Keith Barker (or other trainers) would be interested in practicing their skills and contributing to this area of discussion with a video example?

    Keith Rocks:

    Here we go:  https://learningnetwork.cisco.com/docs/DOC-7631#cf

    Thanks Keith!

  • Keith Barker - CCIE RS/Security, CISSP 5,351 posts since
    Jul 3, 2009
    8. May 24, 2010 6:39 PM (in response to CrimsonMR2)
    Re: CCNA Security Discussion -- Secure Cisco Routers
    SDM Security Audit Demo

    Best wishes,

    Keith

  • Jared 5,498 posts since
    Jul 27, 2008

    I don't work for a service provider, but I can tell you that setting up various views on every single device you have can get ugly, especially if you have a large amount of devices.  I work in a 500+ node network.  That includes routers, switches, bridges, APs, controllers and management software.  I would much rather use TACACS+ and set up Authorization permissions on one AAA server than various views on every node.

    Now, I do have some contacts at the ISP that provides Internet access to my organization and their take is the same.  I can see views coming in handy in a small environment, but not an enterprise!  A question I would pose is how big does the environment need to get before one would consider dumping views and going to AAA?

  • eehinesee 484 posts since
    Nov 12, 2008
    11. May 29, 2010 8:45 PM (in response to Jared)
    Re: CCNA Security Discussion -- Secure Cisco Routers

    I'm not sure the organization would need to get very large at all.  The network guy in a small organization probably is struggling with the network, Microsoft/Mac OS, et al., as an additional duty, and his/her day job would take most of his time.  The network guy working in a larger organization probably is going to be fully employed maintaining the network; I don't see that person having a lot of time for individual views.  I think views are a holdover from the bad old days of early UNIX.

    Eric Hines
