
07 - How To Secure Your Networks

The document discusses steps to secure an IT infrastructure including changing default passwords, restricting access, turning off unnecessary services, using antivirus software, firewalls, intrusion detection tools, and ensuring operating systems and software are patched. It also discusses network security appliances like firewalls, intrusion prevention systems, and network admission control.

NEXUS IT TRAINING CENTER

How to Secure your IT Infrastructure

ITE I Chapter 6 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 1

Host and Server Based Security: Device Hardening
 When a new operating system is installed on a computer, the level of security is inadequate. There are some simple steps that should be taken:
–Default usernames and passwords should be changed.
–Access to system resources should be restricted to only the individuals that are authorized.
–Any unnecessary services should be turned off.
 Additional steps can be taken to secure hosts: antivirus, firewall, and intrusion detection tools.
 Antivirus Software
–Antivirus software protects against known viruses. It does this in two ways:
•It scans files, comparing their contents to known viruses in a virus dictionary. Matches are flagged in a manner defined by the end user.
•It monitors suspicious processes running on a host that might indicate infection.

Host and Server Based Security: Device Hardening
 Personal Firewall
–Personal computers connected to the Internet through a dialup, DSL, or cable modem are vulnerable.
•Personal firewalls on the PC can prevent attacks.
•Some personal firewall software vendors include McAfee, Norton, Symantec, and Zone Labs.
 Operating System Patches
–The most effective way to mitigate a worm and its variants is to download security updates and patch all vulnerable systems.
–This is difficult with uncontrolled systems in the local network, and even more troublesome if these systems are remotely connected via a VPN.
–One solution to the management of security patches is to create a central patch server that all systems must communicate with.
•Any patches that are not applied to a host are automatically downloaded from the patch server and installed without user intervention.

Host and Server Based Security: Device Hardening
 Intrusion Detection and Prevention
–Intrusion detection systems (IDS) detect attacks and send logs to a management console.
–Intrusion prevention systems (IPS) prevent attacks. An IPS provides the following active defense:
•Prevention - Stops the detected attack from executing.
•Reaction - Immunizes the system from future attacks.
–Either technology can be implemented at a network or host level, or both for maximum protection.
 Host-based Intrusion Detection Systems (HIDS)
–Host-based intrusion detection is a passive technology.
•HIDS sends logs to a management console after the attack has occurred and the damage is done.
 Host-based Intrusion Prevention Systems (HIPS)
–HIPS stops the attack and prevents damage.
–Cisco provides HIPS using the Security Agent software.
–Agents are installed on publicly accessible servers and corporate mail and application servers.

Common Security Appliances and Applications
Network-based Intrusion Prevention System (NIPS)
 A firewall by itself is no longer adequate.
–An integrated approach involving firewall, intrusion prevention, and VPN is necessary.
 An integrated approach follows these building blocks:
–Threat control - Regulates network access and prevents intrusions by counteracting malicious traffic.
•Cisco ASA 5500 Series Adaptive Security Appliances
•Integrated Services Routers (ISR)
•Network Admission Control
•Cisco Security Agent for Desktops
•Cisco Intrusion Prevention Systems
–Secure communications - Secures network endpoints with VPN.
•Cisco ISR routers with the Cisco IOS VPN solution
•Cisco 5500 ASA
•Cisco Catalyst 6500 switches
–Network admission control (NAC) - Provides a roles-based method of preventing unauthorized access.

Common Security Appliances and Applications
 Cisco IOS Software on Cisco Integrated Services Routers (ISRs)
–Cisco provides many of the required security measures for customers within the Cisco IOS software. Cisco IOS software provides built-in Cisco IOS Firewall, IPsec, SSL VPN, and IPS services.
 Cisco ASA 5500 Series Adaptive Security Appliance
–At one time, the PIX firewall was the one device that a secure network would deploy. The PIX has evolved into a platform that integrates many different security features, called the Cisco Adaptive Security Appliance (ASA). The Cisco ASA integrates firewall, voice security, SSL and IPsec VPN, and IPS in one device.
 Cisco IPS 4200 Series Sensors
–For larger networks, an inline intrusion prevention system is provided by the Cisco IPS 4200 series sensors. This sensor identifies, classifies, and stops malicious traffic on the network.
 Cisco NAC Appliance
–The Cisco NAC appliance uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources.
 Cisco Security Agent (CSA)
–Cisco Security Agent software provides threat protection capabilities for server, desktop, and point-of-service (POS) computing systems.

The Network Security Wheel
 The security policy is the basis for the four steps of the Security Wheel.
 Step 1: Secure
–Secure the network by applying the security policy and implementing the following security solutions:
•Threat defense
•Stateful inspection and packet filtering
 Step 2: Monitor
–Monitoring security involves both active and passive methods of detecting security violations.
•The active method is to audit host-level log files.
•Passive methods include using IDS devices to detect intrusion.
 Step 3: Test
–The functionality of the security solutions implemented in step 1 and the system auditing and intrusion detection methods implemented in step 2 are verified.
 Step 4: Improve
–With the information collected from the monitoring and testing phases, IDSs can be used to implement improvements.

Routers are Targets
 Because routers provide gateways to other networks, they are obvious targets. Here are some examples of various security problems:
–Compromising the access control can expose network configuration details, thereby facilitating attacks against other network components.
–Compromising the route tables can reduce performance, deny network communication services, and expose sensitive data.
–Misconfiguring a router traffic filter can expose internal network components to scans and attacks, making it easier for attackers to avoid detection.
 Attackers can compromise routers in different ways.
–The types of attacks include trust exploitation attacks, IP spoofing, session hijacking, and MITM attacks.
 Note: This section focuses on securing routers. Most of the best practices discussed can also be used to secure switches.

Router Security Issues
 Physical security
–Locate the router in a locked room that is accessible only to authorized personnel.
–To reduce the possibility of DoS due to a power failure, install an uninterruptible power supply (UPS).
 Update the router IOS whenever advisable
–However, the latest version of an operating system may not be the most stable version available.
–To get the best security performance from your operating system, use the latest stable release that meets the feature requirements of your network.
 Back up the router configuration and IOS
–Keep a secure copy of the router image and router configuration file on a TFTP server for backup purposes.
 Harden the router to eliminate the potential abuse of unused ports and services
–A router has many services enabled by default.
–You should harden your router configuration by disabling unnecessary services.

Applying Cisco IOS Security Features to Routers
 Before you configure security features on a router, you need a plan for all the Cisco IOS security configuration steps.
–The first 5 steps are discussed in this chapter.
–Though access control lists (ACLs) are discussed in the next chapter, they are a critical technology and must be configured to control and filter network traffic.

Step 1: Manage Router Security
 Basic router security consists of configuring passwords.
 Good password practices include the following:
–Do not write passwords down and leave them in places such as your desk or on your monitor.
–Avoid dictionary words, names, phone numbers, and dates.
–Combine letters, numbers, and symbols. Include at least one lowercase letter, uppercase letter, digit, and special character.
–Deliberately misspell a password. For example, Smith can be spelled as 5mYth. Another example could be Security spelled as 5ecur1ty.
–Make passwords lengthy. The best practice is to have a minimum of eight characters.
–Change passwords as often as possible. This practice limits the window of opportunity in which a hacker can crack a password and limits the window of exposure after a password has been compromised.
 Passphrases
–A recommended method for creating strong complex passwords is to use passphrases. A passphrase is basically a sentence or phrase that serves as a more secure password.

Step 1: Manage Router Security
 By default, Cisco IOS software leaves passwords in plain text when they are entered on a router. This is not secure, since anyone walking behind you when you are looking at a router configuration could snoop over your shoulder and see the password.
 Using the enable password command or the username username password password command would result in these passwords being displayed when looking at the running configuration.
–For example:
R1(config)# username Student password cisco123
R1(config)# do show run | include username
username Student password 0 cisco123
R1(config)#
•The 0 displayed in the running configuration indicates that the password is not hidden.

Step 1: Manage Router Security
 Cisco IOS provides 2 password protection schemes:
–Simple encryption, called a type 7 scheme.
•It hides the password using a simple encryption algorithm.
•Use the service password-encryption global command.
•Type 7 encryption can be used by enable password and by line passwords, including the vty, console, and aux lines.
R1(config)# service password-encryption
R1(config)# do show run | include username
username Student password 7 03075218050061
R1(config)#
–Complex encryption, called a type 5 scheme.
•It uses a more secure MD5 hash.
•To protect the privileged EXEC level, use the enable secret command.
–The router will use the secret password over the enable password.
•The local database usernames should also be configured using the username username secret password command.
R1(config)# username Student secret cisco
R1(config)# do show run | include username
username Student secret 5 $1$z245$lVSTJzuYgdQDJiacwP2Tv/
R1(config)#

Step 1: Manage Router Security
 Password Length
–Cisco IOS Software Release 12.3(1) and later allow administrators to set the minimum character length for all router passwords using the security passwords min-length global configuration command.
•This eliminates common passwords that are prevalent on most networks, such as "lab" and "cisco".
•This command affects any new user passwords, enable passwords and secrets, and line passwords created after the command was executed.
•The command does not affect existing router passwords.

Step 2: Securing Remote Administrative Access To Routers
 Local access through the console port is the preferred way for an administrator to connect to a device to manage it because it is secure.
–As companies get bigger and the number of routers and switches in the network grows, connecting to all the devices locally can become overwhelming.
 Remote administrative access is more convenient than local access.
–However, remote administrative access using Telnet can be very insecure because Telnet forwards all network traffic in clear text.
–An attacker could capture network traffic and sniff the administrator passwords or router configuration.
 To secure administrative access to routers and switches:
–first secure the administrative lines (VTY, AUX),
–then configure the network device to encrypt traffic in an SSH tunnel.

Step 2: Securing Remote Administrative Access To Routers
 Remote access typically involves allowing Telnet, Secure Shell (SSH), HTTP, HTTP Secure (HTTPS), or SNMP connections to the router from a computer.
 If remote access is required, your options are:
–Establish a dedicated management network.
•This could be accomplished using a management VLAN or by using an additional physical network.
–Encrypt all traffic between the administrator computer and the router.
•In either case, a packet filter can be configured to only allow the identified hosts and protocols to access the router.
•For example, only permit the administration host IP address to initiate an SSH connection to the routers in the network.

Step 2: Securing Remote Administrative Access To Routers
 Traditionally, remote administrative access on routers was configured using Telnet on TCP port 23.
–All Telnet traffic is forwarded in plain text.
 SSH has replaced Telnet for providing remote access with connections that support privacy and integrity.
–SSH uses TCP port 22.
–Not all Cisco IOS images support SSH; only cryptographic images can.
 Cisco routers are capable of acting as the SSH client and server.
–By default, both of these functions are enabled on the router when SSH is enabled.
•As a client, a router can SSH to another router.
•As a server, a router can accept SSH client connections.

Configuring SSH Security
 To enable SSH, the following parameters must be configured:
1. Hostname
2. Domain name
3. Asymmetrical keys
4. Local authentication
 Optional configuration parameters include:
–Timeouts
–Retries
 Step 1: Set router parameters
–Configure the router hostname with the hostname command.
 Step 2: Set the domain name
–Enter the ip domain-name cisco.com command.
 Step 3: Generate asymmetric keys
–You need to create a key that the router uses to encrypt its SSH management traffic with the crypto key generate rsa command.
–Cisco recommends using a minimum modulus length of 1024.
 Step 4: Configure local authentication and vty
–You must define a local user and assign SSH to the vty lines.
 Step 5: Configure SSH timeouts (optional)
–Use the ip ssh time-out seconds and ip ssh authentication-retries integer commands to enable timeouts and authentication retries.
–Set the SSH timeout to 15 seconds and the number of retries to 2.

Test SSH Security
 To connect to a router configured with SSH, you have to use an SSH client application such as PuTTY or TeraTerm.
 You must be sure to choose the SSH option and that it uses TCP port 22.
–Using TeraTerm to connect securely to the R2 router with SSH, once the connection is initiated, R2 displays a username prompt, followed by a password prompt.
–Assuming that the correct credentials are provided, TeraTerm displays the router R2 user EXEC prompt.

Step 4: Vulnerable Router Services and Interfaces
 Services which should typically be disabled are:
–Cisco Discovery Protocol (CDP) - Use the no cdp run command.
–Source routing - Use the no ip source-route command.
–Classless routing - Use the no ip classless command.
–Small services such as echo, discard, and chargen - Use the no service tcp-small-servers or no service udp-small-servers command.
–Finger - Use the no service finger command.
–BOOTP - Use the no ip bootp server command.
–HTTP - Use the no ip http server command.
–Remote configuration - Use the no service config command.
–SNMP - Use the no snmp-server command.
 The interfaces on the router can be made more secure by using certain commands in interface configuration mode:
–Unused interfaces - Use the shutdown command.
–Ad hoc routing - Use the no ip proxy-arp command.
–No SMURF attacks - Use the no ip directed-broadcast command.
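As an added example (not from the slides or from Cisco), the following Python script audits a saved running-config against the checklist from the password slides of Step 1 (type 0 passwords shown in clear text, reversible type 7 passwords, the eight-character minimum), the SSH setup from Step 2 (local login, SSH-only vty lines, domain name, timeout and retries) and the service list of Step 4. Both configs are constructed samples, the enable secret hash is a placeholder, and the presence checks assume each hardening line appears exactly as the slides show it.

```python
import re
# Constructed "before" config with the weaknesses the slides describe.
WEAK_CONFIG = """\
username Student password 0 cisco123
enable password cisco
line vty 0 4
 password 7 03075218050061
 transport input telnet
"""

# Constructed "after" config with Steps 1, 2, 4 and 5 applied (enable hash is a placeholder).
HARDENED_CONFIG = """\
ip domain-name cisco.com
enable secret 5 $1$SALT$PLACEHOLDER.NOT.A.REAL.HASH
username Student secret 5 $1$z245$lVSTJzuYgdQDJiacwP2Tv/
ip ssh time-out 15
ip ssh authentication-retries 2
no cdp run
no ip source-route
no service tcp-small-servers
no service udp-small-servers
no service finger
no ip bootp server
no ip http server
line vty 0 4
 login local
 transport input ssh
"""
# Step 4 no-forms (default-on services show nothing in 'show run') plus the SSH prerequisites.
REQUIRED = ("ip domain-name", "ip ssh time-out", "ip ssh authentication-retries",
            "no cdp run", "no ip source-route", "no service tcp-small-servers",
            "no service udp-small-servers", "no service finger", "no ip bootp server", "no ip http server")
# Matches 'username X password [N] V', 'enable password [N] V' and a line-mode 'password [N] V'.
PASSWORD_LINE = re.compile(r"^\s*(?:username \S+ |enable )?password (?:(\d) )?(\S+)$")
MIN_LENGTH = 8  # the slides' best-practice minimum

def audit(config):
    """Return one finding per deviation from the checklist; an empty list means clean."""
    lines = [ln.rstrip() for ln in config.splitlines() if ln.strip()]
    findings = []
    for line in lines:
        if m := PASSWORD_LINE.match(line):
            kind, value = m.group(1) or "0", m.group(2)
            if kind == "7":  # type 7 is reversible obfuscation, not a one-way hash
                findings.append(f"type 7 reversible password: {line.strip()}")
            elif kind == "0":  # type 0 is displayed in clear text by 'show run'
                findings.append(f"plaintext password: {line.strip()}")
                if len(value) < MIN_LENGTH:
                    findings.append(f"shorter than {MIN_LENGTH} characters: {line.strip()}")
    # Step 2: indented vty commands keep their leading space, so match them verbatim.
    for cmd in (" login local", " transport input ssh"):
        if cmd not in lines:
            findings.append(f"vty lines missing '{cmd.strip()}' (Telnet sends everything in clear text)")
    findings += [f"required line missing: '{c}'" for c in REQUIRED if not any(ln.startswith(c) for ln in lines)]
    return findings
```

Run it against a real 'show running-config' capture by reading the file into a string and calling audit(); a clean device returns an empty list.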
