book

Hardening Cisco Routers

by Thomas Akin

February 2002

Intermediate to advanced

190 pages

4h 56m

English

O'Reilly Media, Inc.

Read now

Unlock full access

OrganizationAudienceConventions Used in This BookHow to Contact UsAcknowledgments
1.1. Router Security?1.2. Routers: The Foundation of the Internet1.3. What Can Go Wrong1.3.1. Consequences of Compromised Routers1.4. What Routers Are at Risk?1.5. Moving Forward
2.1. The Need for a Current IOS2.2. Determining the IOS Version2.3. IOS Versions and Vulnerabilities2.3.1. IOS Versions2.3.2. IOS Naming Scheme2.3.3. Vulnerabilities2.4. IOS Security Checklist
3.1. Authentication Versus Authorization3.2. Points of Access3.3. Basic Access Control3.3.1. Authentication and Authorization3.3.1.1. Console password3.3.1.2. AUX and VTY passwords3.3.1.3. Privileged-level access control3.3.1.4. Local username access control3.3.1.5. TACACS access control3.3.1.6. Disabling console, auxiliary, and VTY logins3.3.2. TFTP Access3.4. Remote Administration3.4.1. Danger of Remote Administration3.4.2. Dial-up Access3.4.2.1. Reverse Telnet3.4.3. VTY Access3.4.3.1. Disabling VTY access3.4.3.2. SSH3.4.3.3. Limiting VTY access by IP3.4.3.4. Additional VTY settings3.4.4. HTTP/Web Access3.4.4.1. Limiting HTTP access by IP3.4.4.2. HTTP authentication3.5. Protection with IPSec3.5.1. Setting up ISAKMP3.5.2. Creating the IPSec Extended ACL3.5.3. Creating IPSec Transforms3.5.4. Creating the Crypto Map3.5.5. Applying the Crypto Map to an Interface3.6. Basic Access Control Security Checklist
4.1. Password Encryption4.1.1. Vigenere Versus MD54.2. Clear-Text Passwords4.3. service password-encryption4.4. Enable Security4.5. Strong Passwords4.6. Keeping Configuration Files Secure4.7. Privilege Levels4.7.1. Changing Privilege Levels4.7.2. Default Privilege Levels4.7.3. Privilege-Level Passwords4.7.4. Line Privilege Levels4.7.5. Username Privilege Levels4.7.6. Changing Command Privilege Levels4.7.7. Privilege Mode Example4.7.8. Recommended Privilege-Level Changes4.8. Password Checklist
5.1. Enabling AAA5.2. Local Authentication5.3. TACACS+ Authentication5.3.1. TACACS+ Enable Password5.3.2. HTTP Authentication with TACACS+5.3.3. TACACS+ Authorization5.3.3.1. EXEC authorization5.3.3.2. Command authorization5.4. RADIUS Authentication5.4.1. RADIUS Enable Password5.4.2. HTTP Authentication with RADIUS5.4.3. RADIUS Authorization5.5. Kerberos Authentication5.6. Token-Based Access Control5.7. AAA Security Checklist
6.1. Legal Issues6.2. Example Banner6.3. Adding Login Banners6.3.1. MOTD Banner6.3.2. Login Banner6.3.3. AAA Authentication Banner6.3.4. EXEC Banner6.4. Warning Banner Checklist
7.1. ICMP7.1.1. ICMP MTU Discovery7.1.2. ICMP Redirects7.1.2.1. ICMP redirects—sending7.1.2.2. ICMP redirects—receiving7.1.3. ICMP-Directed Broadcasts7.1.4. ICMP Mask Reply7.1.5. ICMP Unreachables7.1.6. ICMP Timestamp and Information Requests7.2. Source Routing7.3. Small Services7.4. Finger7.5. HTTP7.6. CDP7.7. Proxy ARP7.8. Miscellaneous7.9. SNMP7.10. Unnecessary Protocols and Services Checklist
8.1. SNMP Versions8.1.1. SNMP Version 18.1.2. SNMP Version 2c8.1.3. SNMP Version 38.2. Securing SNMP v1 and v2c8.2.1. Enabling SNMP v1 and v2c8.2.1.1. Community strings8.2.1.2. Read-only access8.2.1.3. Read/write access8.2.2. Disabling SNMP v1 and v2c8.2.2.1. Disabling read-only access8.2.2.2. Disabling read/write access8.2.3. Limiting SNMP v1 and v2c Access by IP8.2.3.1. Read-only access8.2.3.2. Read/write access8.2.4. SNMP Read/Write and TFTP8.2.5. Limiting SNMP v1 and v2c Access with Views8.3. Securing SNMP v38.3.1. No Authentication/No Encryption8.3.2. Authentication/No Encryption8.3.3. Authentication/Encryption8.3.4. Limiting SNMP v3 Access by IP8.3.5. Limiting SNMP v3 Output with Views8.4. SNMP Management Servers8.5. SNMP Security Checklist
9.1. Antispoofing9.1.1. Ingress and Egress Filtering9.1.1.1. Ingress9.1.1.2. Reserved and private networks9.1.1.3. Egress9.1.2. Unicast Reverse Packet Forwarding9.2. Routing Protocol Security9.2.1. Static Routing9.2.2. Authentication9.2.2.1. RIP v29.2.2.2. EIGRP9.2.2.3. OSPF9.2.2.4. BGP9.2.3. Passive Interfaces9.2.3.1. Passive interfaces9.2.3.2. OSPF and EIGRP passive interfaces9.2.4. Route Filtering9.2.4.1. Global filtering9.2.4.2. Per-interface filtering9.2.4.3. Filtering at network borders9.3. Routing Protocol and Antispoofing Checklist

10.1. NTP Overview10.2. Configuring NTP10.2.1. Central Server10.2.1.1. Existing timeserver10.2.1.2. Synchronized router as a timeserver10.2.1.3. Unsynchronized router as a timeserver10.2.2. Flat10.2.3. Hierarchical10.2.4. NTP Options10.2.4.1. Preferred server10.2.4.2. ntp max-associations10.2.4.3. ntp disable10.2.5. Time Zones10.2.6. Viewing Status10.2.7. Access Lists10.2.8. NTP Source Address10.2.9. Authentication10.3. NTP Checklist
11.1. Logging in General11.2. Router Logging11.2.1. Timestamps11.2.2. Console Logging11.2.2.1. Changing the console logging level11.2.2.2. Disabling console logging11.2.3. Buffered Logging11.2.4. Terminal Monitor11.2.5. syslog11.2.5.1. syslog facilities11.2.5.2. Configuring syslog logging11.2.5.3. syslog sequence numbers11.2.5.4. Throttling syslog messages11.2.6. SNMP Traps11.3. ACL Violation Logging11.3.1. Antispoofing Violations11.3.2. VTY Access Logging11.3.3. Other Services11.4. AAA Accounting11.4.1. AAA Accounting Methods11.4.2. AAA Accounting Types11.4.3. AAA Accounting Configurations11.4.3.1. Accounting with TACACS+11.4.3.2. Accounting with RADIUS11.4.3.3. AAA authentication failure logging11.5. Logging Checklist
A.1. Hardening Your RoutersA.2. Auditing Your RoutersA.3. Cisco Router Security ChecklistA.3.1. IOS Security (Chapter 2)A.3.2. Basic Access Control (Chapter 3)A.3.3. Password Security (Chapter 4)A.3.4. AAA Security (Chapter 5)A.3.5. Warning Banners (Chapter 6)A.3.6. Unnecessary Protocols and Services (Chapter 7)A.3.7. SNMP Security (Chapter 8)A.3.8. Routing Protocol and Antispoofing (Chapter 9)A.3.9. NTP Security (Chapter 10)A.3.10. Logging (Chapter 11)A.3.11. Physical Security (Appendix B)A.3.12. Incident Reponse (Appendix C)
B.1. Protection Against PeopleB.1.1. LocationB.1.2. DoorsB.1.3. LocksB.1.3.1. Keyed locksB.1.3.2. Mechanical locksB.1.3.3. Electronic locksB.1.3.4. Card-access locksB.1.3.5. Biometric locksB.1.3.6. Dual-factor locksB.1.4. PersonnelB.1.5. BackupsB.2. Protection Against Murphy and Mother NatureB.2.1. FireB.2.2. WaterB.2.3. HeatB.2.4. HumidityB.2.5. ElectricityB.2.6. Dirt and DustB.3. Physical Security Checklist
C.1. Warning!C.2. Keys to InvestigatingC.2.1. Change NothingC.2.2. Record EverythingC.3. Attack Versus AccidentC.4. Discover What Happened and the Scope of the IncidentC.5. Evidence PreservationC.6. Recovering from the IncidentC.7. Preventing Future IncidentsC.8. Incident Response Checklist
D.1. Basic Example ConfigurationD.2. AAA Example ConfigurationD.3. SNMP Example ConfigurationD.3.1. SNMP Version 2cD.3.2. SNMP Version 3D.4. HTTP Configuration
E.1. Web SitesE.2. Books

Content preview from Hardening Cisco Routers

Chapter 4. Passwords and Privilege Levels

Passwords are the core of Cisco routers’ access control methods. Chapter 3 addressed basic access control and using passwords locally and from access control servers. This chapter talks about how Cisco routers store passwords, how important it is that the passwords chosen are strong passwords, and how to make sure that your routers use the most secure methods for storing and handling passwords. It then discusses privilege levels and how to implement them.

Password Encryption

Cisco routers have three methods of representing passwords in the configuration file. From weakest to strongest, they include clear text, Vigenere encryption, and MD5 hash algorithm. Clear-text passwords are represented in human-readable format. Both the Vigenere and MD5 encryption methods obscure passwords, but each has its own strengths and weaknesses.

Vigenere Versus MD5

The main difference between Vigenere and MD5 is that Vigenere is reversible, while MD5 is not. Being reversible makes it easier for an attacker to break the encryption and obtain the passwords. Being unreversible means that an attacker must use much slower brute force guessing attacks in an attempt to obtain the passwords.

Ideally, all router passwords would use strong MD5 encryption, but the way certain protocols, such as CHAP and PAP, work, routers must be able to decode the original password to perform authentication. This need to decode specific passwords means that Cisco routers will continue ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

CCNA Cyber Ops SECFND 210-250

Omar Santos

Learning SD-WAN with Cisco: Transform Your Existing WAN Into a Cost-effective Network

Stuart Fordham

Integrated Security Technologies and Solutions - Volume II: Cisco Security Solutions for Network Access Control, Segmentation, Context Sharing, Secure Connectivity and Virtualization

Chad Mitchell, Jamie Sanbower, Aaron Woland, Vivek Santuka

Transforming Campus Networks to Intent-Based Networking

Pieter-Jan Nefkens

Publisher Resources

ISBN: 0596001665Errata Page