This chapter covers the following topics: ISR overview and providing secure administrative access: This section describes methods of securely accessing a router prompt for purposes of administration. Additionally, this section provides an overview of the Cisco Integrated Services Router (ISR) line of routers. Cisco Security Device Manager overview: This section examines the Cisco Security Device Manager (SDM) interface.
CHAPTER 3 Defending the Perimeter
In addition to Cisco firewall, virtual private network (VPN), and intrusion prevention system (IPS) appliances that can sit at the perimeter of a network, Cisco IOS routers offer perimeter-based security. For example, the Cisco Integrated Services Routers (ISR) can be equipped to provide high-performance security features, including firewall, VPN termination, and IPS features, in addition to other services such as voice and quality-of-service (QoS) services.
1. Which of the following are considered IOS security features? (Choose four.)
   a. Stateful firewall
   b. MARS
   c. IPS
   d. VRF-aware firewall
   e. VPN
   f. ACS
2. Some ISRs include a USB port, into which a flash drive can connect. What are three common uses for the flash drive? (Choose three.)
   a. Storing configuration files
   b. Storing a digital certificate
   c. Storing a copy of the IOS image
   d.
“Do I Know This Already?” Quiz
5. What line configuration mode command would you enter to prevent a line (such as a console, aux, or vty line) connection from timing out because of inactivity?
   a. no service timeout
   b. timeout-line none
   c. exec-timeout 0 0
   d. service timeout default
6. An IOS router’s privileged mode, which you can access by entering the enable command followed by the appropriate password, has which privilege level?
   a. 0
   b. 1
   c. 15
   d.
9. When you configure Cisco IOS login enhancements for virtual connections, what is the “quiet period”?
   a. The period of time between successive login attempts
   b. A period of time when no one is attempting to log in
   c. The period of time in which virtual login attempts are blocked, following repeated failed login attempts
   d.
Foundation Topics
ISR Overview and Providing Secure Administrative Access
This section begins by introducing the security features offered in the Cisco line of ISR routers. Additional hardware options for these routers are also discussed. Then, with a foundational understanding of the underlying hardware, you will learn a series of best practices for securing administrative access to a router.
the router architecture. Although Cisco offers a wide range of router platforms, ISR models are easy to identify, because the last three digits of their model number begin with 8. As shown in Figure 3-1, the ISR family of routers includes the 800 series, 1800 series, 2800 series, and 3800 series.
Table 3-3 Cisco 800 Series of ISRs (Continued)
Feature | Cisco 850 Series | Cisco 870 Series
Maximum number of VPN tunnels | 10 | 20
Stateful firewall support | Yes | Yes
Intrusion Prevention System (IPS) support | No | Yes
Cisco 1800 Series
The Cisco 1800 series of ISRs is designed for small businesses and smaller enterprise branch offices. These routers are designed for connectivity via cable modem/DSL, Metro Ethernet, and wireless technologies.
Cisco 2800 Series
The Cisco 2800 series of ISRs is designed for small-to-medium businesses and enterprise branch offices. These routers can securely provide voice, data, and video services. Table 3-5 contrasts some of the features available in the Cisco 2801, 2811, 2821, and 2851 series of ISRs.
Table 3-5 Cisco 2800 Series of ISRs
Feature | Cisco 2801 Series | Cisco 2811 Series
WAN technology support | ADSL and optional G.SHDSL | ADSL and optional G.
Table 3-6 Cisco 3800 Series of ISRs
Feature | Cisco 3825 Series | Cisco 3845 Series
WAN technology support | ADSL and optional G.SHDSL WICs | ADSL and optional G.
■ Advanced Integration Modules: Cisco offers a variety of Advanced Integration Modules (AIM), which can offload processor-intensive tasks from a router’s processor. For example, AIMs can be used for VPN processing, including a variety of standards for encryption, authentication, and data integrity.
Figure 3-2 Administrative Access to a Router (a PC with terminal emulation software connected by serial connection to the console port, a second PC reaching the aux port over the PSTN via modem and serial connection, and a Telnet connection to a vty line)
Telnet sends data in clear text. Therefore, if an attacker intercepted a series of Telnet packets, he could view their contents, such as usernames and passwords.
■ Use a mixture of alphabetic (both uppercase and lowercase), numeric, and special characters.
■ The password should not be a common word found in a dictionary.
■ Create a policy that dictates how and when passwords are to be changed.
NOTE A space is a valid special character that can be used in a password. However, any leading space (that is, one or more spaces at the beginning of the password) is ignored.
Example 3-1 Setting the Enable Secret Password
R1(config)# enable secret Cisc0Pr3$$
R1(config)# end
R1# show running-config
!
hostname R1
!
enable secret 5 $1$kmOB$rL419kUxmQphzVVTgO4sP1
!
To configure a password for a router’s console, the administrator enters line configuration mode for con 0 and specifies a password with the password command.
The enable secret password appears in the running configuration as an MD5 hash value. However, the console, auxiliary, and vty line passwords appear in the running configuration as plain text, as shown in Example 3-5.
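A small configuration audit, added here as an example rather than anything from the book, that checks a saved running-config for the conditions just described (enable secret stored as a type-5 hash, line passwords stored in clear text) and for the exec-timeout 0 0 setting from the quiz. The sample config, the line name "vty 0 4", and the password "cisco" are constructed; only the hash value is taken from Example 3-1.

```python
import re

# Constructed sample running-config (not from the book): a hashed enable
# secret (hash copied from Example 3-1) beside clear-text line passwords
# and a console line whose inactivity timer has been disabled.
SAMPLE_CONFIG = """\
hostname R1
enable secret 5 $1$kmOB$rL419kUxmQphzVVTgO4sP1
line con 0
 password cisco
 login
 exec-timeout 0 0
line aux 0
 password cisco
 login
line vty 0 4
 password cisco
 login
"""

def parse_lines(config):
    """Return {line name: [child commands]} for every 'line ...' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks

def audit_config(config):
    """Return (scope, finding) tuples for the weaknesses discussed here.
    Scope is 'global' or the name of the offending line (e.g. 'vty 0 4')."""
    findings = []
    # a configured enable secret shows up as 'enable secret 5 $1$...' (MD5 hash)
    if not re.search(r"^enable secret 5 \$1\$", config, re.M):
        findings.append(("global", "enable secret (type 5 hash) not configured"))
    if re.search(r"^enable password ", config, re.M):
        findings.append(("global", "enable password present in clear text"))
    for name, cmds in parse_lines(config).items():
        # a bare 'password <text>' under a line is stored in clear text;
        # 'password 7 ...' (type-7 obfuscated) is deliberately not flagged here
        if any(c.startswith("password ") and not c.startswith("password 7 ")
               for c in cmds):
            findings.append((name, "line password stored in clear text"))
        if "exec-timeout 0 0" in cmds:
            findings.append((name, "inactivity timer disabled (exec-timeout 0 0)"))
    return findings
```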
Aside from having a single password for all administrators, individual user accounts can be used to give different login credentials (that is, username/password combinations) to different administrators. Although an external user database (such as a Cisco Secure Access Control Server [ACS]) could be used, a simple way to configure a user database is to add the username/password combinations to a router’s configuration.
Limiting the Number of Failed Login Attempts
If an attacker uses a brute-force attack or a dictionary attack when attempting to log in to a device, such as a router, multiple login attempts typically fail before the correct credentials are found. To mitigate these types of attacks, a Cisco IOS router can suspend the login process for 15 seconds, following a specified number of failed login attempts.
NOTE Although it isn’t recommended, you can disable the inactivity timer by entering a 0 for both the minutes and seconds arguments in the exec-timeout command (that is, exec-timeout 0 0).
Configuring Privilege Levels
Larger enterprise environments might need to support multiple administrative privilege levels for router configuration.
exactly what commands an administrator has access to. Following are the steps required to configure these views:
Step 1 Enable AAA: Authentication, authorization, and accounting (AAA) is discussed in detail in Chapter 4, “Configuring AAA.” For now, just realize that AAA must be enabled to support views. Example 3-11 shows how to enable AAA on an IOS router.
Step 5 Add available commands to the view: The commands parser_mode {include | include-exclusive | exclude} [all] [interface interface_identifier | command] command, issued in view configuration mode, allows an administrator to specify a command (or interface) available to a particular view.
Table 3-8 Cisco IOS Resilient Configuration Steps
Step | Description
Step 1: Enable image resilience | The secure boot-image command, issued in global configuration mode, secures the Cisco IOS image. The secured image is hidden so that it does not appear in a directory listing of files.
Step 2: Secure the boot configuration | The secure boot-config command, issued in global configuration mode, archives the running configuration of a router to persistent storage.
Table 3-9 Commands for Enhancing Virtual Login Support
Command | Description
Router(config)# login block-for seconds attempts attempts within seconds | Specifies the number of failed login attempts (within a specified time period) that trigger a quiet period, during which login attempts would be blocked.
Example 3-17 Configuring Enhanced Support for Virtual Logins
R1# conf term
R1(config)# login block-for 30 attempts 5 within 10
R1(config)# login quiet-mode access-class 101
R1(config)# login delay 3
R1(config)# login on-failure log
R1(config)# login on-success log
R1(config)# end
R1# show login
A login delay of 3 seconds is applied.
Quiet-Mode access list 101 is applied.
All successful login is logged.
All failed login is logged.
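To make the quiet-period behaviour of login block-for concrete, here is an added model (example code, not IOS and not from the book) of the rule configured in Example 3-17: five failures inside a sliding 10-second window start a 30-second quiet period that refuses every login except from hosts matched by the quiet-mode access-class. The source addresses 192.0.2.10 and 10.0.0.5 are constructed, and the allowed-host set stands in for access list 101.

```python
from collections import deque

class LoginBlocker:
    """Model of 'login block-for <block> attempts <attempts> within <within>':
    once `attempts` failed logins fall inside a sliding `within`-second window,
    all logins are refused for `block` seconds, except from hosts permitted by
    the quiet-mode access-class (modelled here as a set of allowed source IPs)."""

    def __init__(self, block, attempts, within, quiet_mode_allow=()):
        self.block, self.attempts, self.within = block, attempts, within
        self.allow = set(quiet_mode_allow)
        self.failures = deque()   # timestamps of recent failed attempts
        self.quiet_until = None   # end of the current quiet period, if any

    def in_quiet_mode(self, now):
        return self.quiet_until is not None and now < self.quiet_until

    def attempt(self, now, src_ip, success):
        """Process one login attempt at time `now` (seconds since start).
        Returns 'blocked' (quiet period), 'ok' or 'failed'."""
        if self.in_quiet_mode(now) and src_ip not in self.allow:
            return "blocked"
        if success:
            return "ok"
        self.failures.append(now)
        # discard failures that have slid out of the 'within' window
        while self.failures and now - self.failures[0] > self.within:
            self.failures.popleft()
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block   # enter quiet mode
            self.failures.clear()
        return "failed"

def simulate_example_3_17():
    """Replay a constructed burst of bad logins against the Example 3-17
    settings (block 30, 5 attempts within 10); 10.0.0.5 stands in for a host
    permitted by access list 101. Returns the per-attempt results."""
    guard = LoginBlocker(30, 5, 10, quiet_mode_allow={"10.0.0.5"})
    results = [guard.attempt(t, "192.0.2.10", False) for t in range(5)]
    results.append(guard.attempt(6, "192.0.2.10", True))   # right password, but quiet
    results.append(guard.attempt(6, "10.0.0.5", True))     # exempt admin host
    results.append(guard.attempt(35, "192.0.2.10", True))  # quiet period has ended
    return results
```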
Cisco Security Device Manager Overview
Example 3-18 Creating a Message-of-the-Day Banner
R1# conf term
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# banner motd $
Enter TEXT message. End with the character '$'.
WARNING: This router is the private property of Cisco Press.
Disconnect now if you are not an authorized user.
Violators will be prosecuted.
Figure 3-3 SDM Home Screen
Some newer Cisco routers come with SDM preinstalled, but SDM needs to be installed on other supported platforms. Go to http://www.cisco.com/pcgi-bin/tablebuild.pl/sdm to download the current version of SDM and its release notes. Cisco SDM offers the following benefits:
■ SDM’s smart wizards use Cisco TAC best-practice recommendations for a variety of configuration scenarios.
Preparing to Launch Cisco SDM
If you plan to run SDM on a router that does not already have SDM installed, you need to install SDM either from a CD accompanying the router or from a download from the Cisco IOS Software Center. The installation is wizard-based. You are prompted to install SDM either on an administrator’s PC, in the router’s flash, or both. SDM can connect to the managed router using secure HTTP (that is, HTTPS).
If you run SDM from a router’s flash, as opposed to running SDM from a PC, the first time you connect to the router via a browser, you are taken to the Cisco SDM Express interface. Specifically, on a new router that has SDM installed, you point your browser to http://10.10.10.1. Alternatively, on an existing router, you point your browser to an active IP address on the router. Cisco SDM Express guides you through the initial SDM configuration on a router.
After clicking the Configure button, you see a screen similar to the one shown in Figure 3-5. Notice the wizards available in the Tasks bar. Available configuration wizards are described in Table 3-11.
Table 3-11 Cisco SDM Wizards (Continued)
Cisco SDM Wizard | Description
Routing | Allows an administrator to modify and view routing configurations for the RIP, OSPF, or EIGRP routing protocols
NAT | Helps you configure Network Address Translation (NAT)
Intrusion Prevention | Walks an administrator through the process of configuring an IOS-based IPS
Quality of Service | Provides wizards for configuring Network Admission Control (NAC) features such as Extensible Authentic
Advanced administrators can use graphical interfaces to configure these additional tasks. Examples of these tasks are DHCP configuration, DNS configuration, and AAA configuration. After clicking the Monitor button, you see a screen similar to the one shown in Figure 3-7. Clicking the various buttons in the Tasks bar allows you to monitor the status of various router features. Examples are firewall status, VPN status, and IPS status.
Exam Preparation Tasks
Review All the Key Topics
Review the most important topics from this chapter, denoted with the Key Topic icon. Table 3-12 lists these key topics and the page where each is found.
Command Reference to Check Your Memory
This section includes the most important configuration and EXEC commands covered in this chapter. To see how well you have memorized the commands as a side effect of your other studies, cover the left side of the table with a piece of paper, read the descriptions on the right side, and see whether you remember the commands.
Table 3-13 Chapter 3 Configuration Command Reference (Continued)
Command | Description
secure boot-image | A global configuration mode command used to enable image resilience
secure boot-config | A global configuration mode command that archives the running configuration of a router to persistent storage
login block-for seconds attempts attempts within seconds | A global configuration mode command that specifies the number of failed login attempts (within a specified time pe
Table 3-14 Chapter 3 EXEC Command Reference
Command | Description
enable view | Enables the root view, which is represented by the set of commands available to an administrator logged in with a privilege level of 15
enable view view_name | Switches to the specific view (after the required credentials are provided)
show secure bootset | Used to verify that Cisco IOS Resilient Configuration is enabled and that the files in the bootset have been secured
show login | Can be