4 Network Security

4.0 Chapter Introduction

4.0.1 Chapter Introduction

Page 1:
Security has moved to the forefront of network management and implementation. The overall security challenge is to find a balance between two important requirements: the need to open networks to support evolving business opportunities, and the need to protect private, personal, and strategic business information.

The application of an effective security policy is the most important step that an organization can take to protect its network. It provides guidelines about the activities to be carried out and the resources to be used to secure an organization's network.

Layer 2 security is not discussed in this chapter. For information about Layer 2 LAN security measures, refer to the CCNA Exploration: LAN Switching and Wireless course.


4.0.1 - Chapter Introduction
The diagram depicts the chapter objectives:
- Identify security threats to enterprise networks.
- Describe methods to mitigate security threats to enterprise networks.
- Configure basic router security.
- Disable unused router services and interfaces.
- Use the Cisco SDM one-step lockdown feature.
- Manage files and software images with the Cisco IOS Integrated File System (IFS).


4.1 Introduction to Network Security

4.1.1 Why is Network Security Important?

Page 1:
Why is Network Security Important?

Computer networks have grown in both size and importance in a very short time. If the security of the network is compromised, there could be serious consequences, such as loss of privacy, theft of information, and even legal liability. To make the situation even more challenging, the types of potential threats to network security are always evolving.

As e-business and Internet applications continue to grow, finding the balance between being isolated and open is critical. In addition, the rise of mobile commerce and wireless networks demands that security solutions become seamlessly integrated, more transparent, and more flexible.

In this chapter you are going to be taken on a whirlwind tour of the world of network security. You will learn about different types of threats, the development of organizational security policies, mitigation techniques, and Cisco IOS software tools to help secure networks. The chapter ends with a look at managing Cisco IOS software images. Although this may not seem like a security issue, Cisco IOS software images and configurations can be deleted. Devices compromised in this way pose security risks.


4.1.1 - Why Is Network Security Important?
The diagram depicts a network with multiple home and business sites using broadband, wireless, and Frame Relay. Hacker characters are positioned at various network points attempting to gain access.

Today's networks must balance accessibility to network resources with the protection of sensitive data from theft.


Page 2:
The Increasing Threat to Security

Over the years, network attack tools and methods have evolved. As shown in the figure, in 1985 an attacker had to have sophisticated computer, programming, and networking knowledge to make use of rudimentary tools and basic attacks. As time went on, and attackers' methods and tools improved, attackers no longer required the same level of sophisticated knowledge. This has effectively lowered the entry-level requirements for attackers. People who previously would not have participated in computer crime are now able to do so.

As the types of threats, attacks, and exploits have evolved, various terms have been coined to describe the individuals involved. Some of the most common terms are as follows:

  • White hat-An individual who looks for vulnerabilities in systems or networks and then reports these vulnerabilities to the owners of the system so that they can be fixed. They are ethically opposed to the abuse of computer systems. A white hat generally focuses on securing IT systems, whereas a black hat (the opposite) would like to break into them.
  • Hacker-A general term that has historically been used to describe a computer programming expert. More recently, this term is often used in a negative way to describe an individual that attempts to gain unauthorized access to network resources with malicious intent.
  • Black hat-Another term for individuals who use their knowledge of computer systems to break into systems or networks that they are not authorized to use, usually for personal or financial gain. A cracker is an example of a black hat.
  • Cracker-A more accurate term to describe someone who tries to gain unauthorized access to network resources with malicious intent.
  • Phreaker-An individual who manipulates the phone network to cause it to perform a function that is not allowed. A common goal of phreaking is breaking into the phone network, usually through a payphone, to make free long distance calls.
  • Spammer-An individual who sends large quantities of unsolicited e-mail messages. Spammers often use viruses to take control of home computers and use them to send out their bulk messages.
  • Phisher-Uses e-mail or other means to trick others into providing sensitive information, such as credit card numbers or passwords. A phisher masquerades as a trusted party that would have a legitimate need for the sensitive information.

Think Like an Attacker

The attacker's goal is to compromise a network target or an application running within a network. Many attackers use this seven-step process to gain information and stage an attack.

Step 1. Perform footprint analysis (reconnaissance). A company webpage can lead to information, such as the IP addresses of servers. From there, an attacker can build a picture of the security profile or "footprint" of the company.

Step 2. Enumerate information. An attacker can expand on the footprint by monitoring network traffic with a packet sniffer such as Wireshark, finding information such as version numbers of FTP servers and mail servers. A cross-reference with vulnerability databases exposes the applications of the company to potential exploits.

Step 3. Manipulate users to gain access. Sometimes employees choose passwords that are easily crackable. In other instances, employees can be duped by talented attackers into giving up sensitive access-related information.

Step 4. Escalate privileges. After attackers gain basic access, they use their skills to increase their network privileges.

Step 5. Gather additional passwords and secrets. With improved access privileges, attackers use their talents to gain access to well-guarded, sensitive information.

Step 6. Install backdoors. Backdoors provide the attacker with a way to enter the system without being detected. The most common backdoor is an open listening TCP or UDP port.

Step 7. Leverage the compromised system. After a system is compromised, an attacker uses it to stage attacks on other hosts in the network.


4.1.1 - Why Is Network Security Important?
The diagram depicts a timeline comparing the sophistication of attacker tools and the technical knowledge needed. In the mid-1980s, sophistication of attacker tools was very low, and the technical knowledge needed was very high. Today the reverse is true.

Threats continue to become more sophisticated as the technical knowledge required to implement attacks diminishes.


Page 3:
Types of Computer Crime

As security measures have improved over the years, some of the most common types of attacks have diminished in frequency, while new ones have emerged. Conceiving of network security solutions begins with an appreciation of the complete scope of computer crime. These are the most commonly reported acts of computer crime that have network security implications:

  • Insider abuse of network access
  • Virus
  • Mobile device theft
  • Phishing where an organization is fraudulently represented as the sender
  • Instant messaging misuse
  • Denial of service
  • Unauthorized access to information
  • Bots within the organization
  • Theft of customer or employee data
  • Abuse of wireless network
  • System penetration
  • Financial fraud
  • Password sniffing
  • Key logging
  • Website defacement
  • Misuse of a public web application
  • Theft of proprietary information
  • Exploiting the DNS server of an organization
  • Telecom fraud
  • Sabotage

Note: In certain countries, some of these activities may not be a crime, but are still a problem.


4.1.1 - Why Is Network Security Important?
The diagram depicts a list of the types of computer crimes that can be mitigated by effective and vigilant network management:
- Insider abuse of network access.
- Denial of service.
- System penetration.
- Password sniffing.


Page 4:
Open versus Closed Networks

The overall security challenge facing network administrators is balancing two important needs: keeping networks open to support evolving business requirements and protecting private, personal, and strategic business information.

Network security models follow a progressive scale from open, where any service is permitted unless it is expressly denied, to restrictive, where services are denied by default unless deemed necessary. In the case of the open network, the security risks are self-evident. In the case of the closed network, the rules for what is permitted are defined in the form of a policy by an individual or group in the organization.

A change in access policy may be as simple as asking a network administrator to enable a service. Depending on the company, a change could require an amendment to the enterprise security policy before the administrator is allowed to enable the service. For example, a security policy could disallow the use of instant messaging (IM) services, but demand from employees may cause the company to change the policy.

An extreme alternative for managing security is to completely close a network from the outside world. A closed network provides connectivity only to trusted known parties and sites. A closed network does not allow a connection to public networks. Because there is no outside connectivity, networks designed in this way are considered safe from outside attacks. However, internal threats still exist. A closed network does little to prevent attacks from within the enterprise.


4.1.1 - Why Is Network Security Important?
The diagram depicts a scale with access on one side and security on the other to illustrate open versus closed networks and different levels of security. Network administrators seek to find a balance between access and security.

Open Access:
Permit everything that is not explicitly denied:
- Easy to configure and administer.
- Easy for end users to access network resources.
- Security cost: least expensive.

Restrictive:
Combination of specific permissions and restrictions:
- More difficult to configure and administer.
- More difficult for end users to access resources.
- Security cost: more expensive.

Closed:
Anything not explicitly permitted is denied:
- Most difficult to configure and administer.
- Most difficult for end users to access resources.
- Security cost: most expensive.


Page 5:
Developing a Security Policy

The first step any organization should take to protect its data and itself from a liability challenge is to develop a security policy. A policy is a set of principles that guide decision-making processes and enable leaders in an organization to distribute authority confidently. RFC2196 states that a "security policy is a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide." A security policy can be as simple as a brief Acceptable Use Policy for network resources, or it can be several hundred pages long and detail every element of connectivity and associated policies.

A security policy meets these goals:

  • Informs users, staff, and managers of their obligatory requirements for protecting technology and information assets
  • Specifies the mechanisms through which these requirements can be met
  • Provides a baseline from which to acquire, configure, and audit computer systems and networks for compliance with the policy

Assembling a security policy can be daunting if it is undertaken without guidance. For this reason, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have published a security standard document called ISO/IEC 27002. This document refers specifically to information technology and outlines a code of practice for information security management.

ISO/IEC 27002 is intended to be a common basis and practical guideline for developing organizational security standards and effective security management practices. The document consists of 12 sections:

  • Risk assessment
  • Security policy
  • Organization of information security
  • Asset management
  • Human resources security
  • Physical and environmental security
  • Communications and operations management
  • Access control
  • Information systems acquisition, development, and maintenance
  • Information security incident management
  • Business continuity management
  • Compliance

This chapter focuses on the security policy section. To read about all the sections, visit http://en.wikipedia.org/wiki/ISO/IEC_27002. The development of the network security policy document is discussed in topic 4.1.5 "The Network Security Wheel" and topic 4.1.6 "The Enterprise Security Policy."


4.1.1 - Why Is Network Security Important?
The diagram depicts a security policy document for the Span Engineering Company, which says that it is for internal use only.


4.1.2 Common Security Threats

Page 1:
Vulnerabilities

When discussing network security, three common factors are vulnerability, threat, and attack.

Vulnerability is the degree of weakness which is inherent in every network and device. This includes routers, switches, desktops, servers, and even security devices.

Threats are the people interested and qualified in taking advantage of each security weakness. Such individuals can be expected to continually search for new exploits and weaknesses.

The threats use a variety of tools, scripts, and programs to launch attacks against networks and network devices. Typically, the network devices under attack are the endpoints, such as servers and desktop computers.

There are three primary vulnerabilities or weaknesses:

  • Technological weaknesses
  • Configuration weaknesses
  • Security policy weaknesses

Click the Technology button in the figure.

Computer and network technologies have intrinsic security weaknesses. These include TCP/IP protocol, operating system, and network equipment weaknesses.

Click the Configuration button in the figure.

Network administrators or network engineers need to learn what the configuration weaknesses are and correctly configure their computing and network devices to compensate.

Click the Policy button in the figure.

Security risks to the network exist if users do not follow the security policy. Some common security policy weaknesses and how those weaknesses are exploited are listed in the figure.


4.1.2 - Common Security Threats
The diagram depicts a list of network security vulnerabilities or weaknesses broken down by technology, configuration, and policy.

Technology:

TCP/IP protocol weakness
- Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), and Internet Control Message Protocol (ICMP) are inherently insecure.
- Simple Network Management Protocol (SNMP), Simple Mail Transfer Protocol (SMTP), and SYN floods are related to the inherently insecure structure upon which TCP was designed.

Operating system weakness
- Each operating system has security problems that must be addressed.
- UNIX, Linux, Mac OS, Mac OS X, Windows NT, 9x, 2K, XP, and Vista.
- They are documented in the Computer Emergency Response Team (CERT) archives at http://www.cert.org.

Network equipment weakness
- Various types of network equipment, such as routers, firewalls, and switches, have security weaknesses that must be recognized and protected against. Their weaknesses include password protection, lack of authentication, routing protocols, and firewall holes.

Configuration:
Weakness: Unsecured user accounts.
How the weakness is exploited: User account information may be transmitted insecurely across the network, exposing usernames and passwords to snoopers.

Weakness: System accounts with easily guessed passwords.
How the weakness is exploited: This common problem is the result of poorly selected and easily guessed user passwords.

Weakness: Misconfigured Internet services.
How the weakness is exploited: A common problem is to turn on JavaScript in Web browsers, enabling attacks by way of hostile JavaScript when accessing untrusted sites. IIS, FTP, and Terminal Services also pose problems.

Weakness: Unsecured default settings within products.
How the weakness is exploited: Many products have default settings that enable security holes.

Weakness: Misconfigured network equipment.
How the weakness is exploited: Misconfigured access lists, routing protocols, or SNMP community strings can open up large security holes.

Policy:
Weakness: Lack of written security policy.
How the weakness is exploited: An unwritten policy cannot be consistently applied or enforced.

Weakness: Politics.
How the weakness is exploited: Political battles and turf wars can make it difficult to implement a consistent security policy.

Weakness: Lack of authentication continuity.
How the weakness is exploited: Poorly chosen, easily cracked, or default passwords can allow unauthorized access to the network.

Weakness: Logical access controls not applied.
How the weakness is exploited: Inadequate monitoring and auditing allow attacks and unauthorized use to continue, wasting company resources. This could result in legal action against or termination of IT technicians, IT management, or even company leadership who allow these unsafe conditions to persist.

Weakness: Software and hardware installation and changes do not follow policy.
How the weakness is exploited: Unauthorized changes to the network topology or installation of unapproved applications create security holes.

Weakness: Disaster recovery plan is nonexistent.
How the weakness is exploited: Lack of a disaster recovery plan allows chaos, panic, and confusion to occur when someone attacks the enterprise.


Page 2:
Threats to Physical Infrastructure

When you think of network security, or even computer security, you may imagine attackers exploiting software vulnerabilities. A less glamorous, but no less important, class of threat is the physical security of devices. An attacker can deny the use of network resources if those resources can be physically compromised.

The four classes of physical threats are:

  • Hardware threats-Physical damage to servers, routers, switches, cabling plant, and workstations
  • Environmental threats-Temperature extremes (too hot or too cold) or humidity extremes (too wet or too dry)
  • Electrical threats-Voltage spikes, insufficient supply voltage (brownouts), unconditioned power (noise), and total power loss
  • Maintenance threats-Poor handling of key electrical components (electrostatic discharge), lack of critical spare parts, poor cabling, and poor labeling

Some of these issues must be dealt with in an organizational policy. Some of them are subject to good leadership and management in the organization. The consequences of bad luck can wreak havoc in a network if the physical security is not sufficiently prepared.

Here are some ways to mitigate physical threats:

  • Hardware threat mitigation
  • Environmental threat mitigation
  • Electrical threat mitigation
  • Maintenance threat mitigation

Click the Hardware button in the figure.

Hardware threat mitigation

Lock the wiring closet and only allow access to authorized personnel. Block access through any dropped ceiling, raised floor, window, ductwork, or point of entry other than the secured access point. Use electronic access control, and log all entry attempts. Monitor facilities with security cameras.

Click the Environmental button in the figure.

Environmental threat mitigation

Create a proper operating environment through temperature control, humidity control, positive air flow, remote environmental alarming, and recording and monitoring.

Click the Electrical button in the figure.

Electrical threat mitigation

Limit electrical supply problems by installing UPS systems and generator sets, following a preventative maintenance plan, installing redundant power supplies, and performing remote alarming and monitoring.

Click the Maintenance button in the figure.

Maintenance threat mitigation

Use neat cable runs, label critical cables and components, use electrostatic discharge procedures, stock critical spares, and control access to console ports.


4.1.2 - Common Security Threats
The diagram depicts threats to physical infrastructure and physical security measures, divided into four categories: Hardware threats, environmental threats, electrical threats, and maintenance threats.

Hardware threats:
A secure computer room floor plan is shown with the following areas defined: AC, UPS bay, servers, LAN, WAN, and a help desk separated from the other equipment by a door with a card reader.

Plan physical security to limit damage to the equipment:
- Lock up equipment and prevent unauthorized access from the doors, ceiling, raised floor, windows, ducts, and vents.
- Monitor and control closet entry with electronic logs.
- Use security cameras.

Environmental threats:
A modular high-end switch chassis is shown.
Limit damage by creating a proper operating environment:
- Temperature control.
- Humidity control.
- Positive air flow.
- Remote environmental alarming, recording, and monitoring.

Electrical threats:
Rack-mounted servers and networking equipment are shown.
Limit electrical supply problems:
- Install UPS systems.
- Install generator sets.
- Follow a preventative maintenance plan.
- Install redundant power supplies.
- Perform remote alarming and monitoring.

Maintenance threats:
Raised flooring and large quantities of cabling are shown.
Limit maintenance threats:
- Use neat cable runs.
- Label critical cables and components.
- Use electrostatic discharge procedures.
- Stock critical spares.
- Control access to console ports.


Page 3:
Threats to Networks

Earlier in this chapter the common computer crimes that have implications for network security were listed. These crimes can be grouped into four primary classes of threats to networks:

Unstructured Threats

Unstructured threats consist of mostly inexperienced individuals using easily available hacking tools, such as shell scripts and password crackers. Even unstructured threats that are only executed with the intent of testing an attacker's skills can do serious damage to a network. For example, if a company website is hacked, the reputation of the company may be damaged. Even if the website is separated from the private information that sits behind a protective firewall, the public does not know that. What the public perceives is that the site might not be a safe environment to conduct business.

Structured Threats

Structured threats come from individuals or groups that are more highly motivated and technically competent. These people know system vulnerabilities and use sophisticated hacking techniques to penetrate unsuspecting businesses. They break into business and government computers to commit fraud, destroy or alter records, or simply to create havoc. These groups are often involved with the major fraud and theft cases reported to law enforcement agencies. Their hacking is so complex and sophisticated that only specially trained investigators understand what is happening.

In 1995, Kevin Mitnick was convicted of accessing interstate computers in the United States for criminal purposes. He broke into the California Department of Motor Vehicles database, routinely took control of New York and California telephone switching hubs, and stole credit card numbers. He inspired the 1983 movie "War Games."

External Threats

External threats can arise from individuals or organizations working outside of a company who do not have authorized access to the computer systems or network. They work their way into a network mainly from the Internet or dialup access servers. External threats can vary in severity depending on the expertise of the attacker-either amateurish (unstructured) or expert (structured).

Internal Threats

Internal threats occur when someone has authorized access to the network with either an account or physical access. Just as for external threats, the severity of an internal threat depends on the expertise of the attacker.


4.1.2 - Common Security Threats
The diagram depicts threats to networks, which include unstructured, structured, external, and internal threats. All are attacking a compromised host.


Page 4:
Social Engineering

The easiest hack involves no computer skill at all. If an intruder can trick a member of an organization into giving over valuable information, such as the location of files or passwords, the process of hacking is made much easier. This type of attack is called social engineering, and it preys on personal vulnerabilities that can be discovered by talented attackers. It can include appeals to the ego of an employee, or it can be a disguised person or faked document that causes someone to provide sensitive information.

Phishing is a type of social engineering attack that involves using e-mail or other types of messages in an attempt to trick others into providing sensitive information, such as credit card numbers or passwords. The phisher masquerades as a trusted party that has a seemingly legitimate need for the sensitive information.

Frequently, phishing scams involve sending out spam e-mails that appear to be from known online banking or auction sites. The figure shows a replica of such an e-mail. The actual company used as the lure in this example has been changed. These e-mails contain hyperlinks that appear to be legitimate, but actually take users to a fake website set up by the phisher to capture their information. The site appears to belong to the party that was faked in the e-mail. When the user enters the information, it is recorded for the phisher to use.

Phishing attacks can be prevented by educating users and implementing reporting guidelines when they receive suspicious e-mail. Administrators can also block access to certain web sites and configure filters that block suspicious e-mail.


4.1.2 - Common Security Threats
The diagram depicts social engineering with a bogus account suspension email screen instructing the user to re-enter account information.


4.1.3 Types of Network Attacks

Page 1:
Types of Network Attacks

There are four primary classes of attacks.

Reconnaissance

Reconnaissance is the unauthorized discovery and mapping of systems, services, or vulnerabilities. It is also known as information gathering and, in most cases, it precedes another type of attack. Reconnaissance is similar to a thief casing a neighborhood for vulnerable homes to break into, such as an unoccupied residence, easy-to-open doors, or open windows.

Access

System access is the ability for an intruder to gain access to a device for which the intruder does not have an account or a password. Entering or accessing systems usually involves running a hack, script, or tool that exploits a known vulnerability of the system or application being attacked.

Denial of Service

Denial of service (DoS) is when an attacker disables or corrupts networks, systems, or services with the intent to deny services to intended users. DoS attacks involve either crashing the system or slowing it down to the point that it is unusable. But DoS can also be as simple as deleting or corrupting information. In most cases, performing the attack involves simply running a hack or script. For these reasons, DoS attacks are the most feared.

Worms, Viruses, and Trojan Horses

Malicious software can be inserted onto a host to damage or corrupt a system, replicate itself, or deny access to networks, systems, or services. Common names for this type of software are worms, viruses, and Trojan horses.


4.1.3 - Types of Network Attacks
The diagram depicts types of network attacks. Icons represent four types of attacks: reconnaissance, access, denial of service (DoS), and worms, viruses, and Trojan horses.

The diagram also shows an attacker and computer on the same local network as two PCs and two servers. Clicking each attack type starts an animation of how the attack works.

Reconnaissance:
The attacker computer retrieves address information from the four hosts and starts the Nmap application to probe for vulnerabilities.

Access:
The attacker computer accesses one of the four compromised hosts and gains root level access via FTP.

Denial of Service (DoS):
The attacker computer pings one of the servers with the command ping 10.10.10.2 -l 5000, which sends echo requests of 5,000 bytes to the server in an attempt to occupy its resources and prevent other legitimate users from accessing it.

Worms, Viruses, and Trojan Horses:
The attacker computer sends an email with a worm attached to the four hosts, so the users will open it and compromise their computers.


Page 2:
Reconnaissance Attacks
Reconnaissance attacks can consist of the following:

  • Internet information queries
  • Ping sweeps
  • Port scans
  • Packet sniffers

External attackers can use Internet tools, such as the nslookup and whois utilities, to easily determine the IP address space assigned to a given corporation or entity. After the IP address space is determined, an attacker can then ping the publicly available IP addresses to identify the addresses that are active. To help automate this step, an attacker may use a ping sweep tool, such as fping or gping, which systematically pings all network addresses in a given range or subnet. This is similar to going through a section of a telephone book and calling each number to see who answers.

When the active IP addresses are identified, the intruder uses a port scanner to determine which network services or ports are active on the live IP addresses. A port scanner is software, such as Nmap or Superscan, that is designed to search a network host for open ports. The port scanner queries the ports to determine the application type and version, as well as the type and version of operating system (OS) running on the target host. Based on this information, the intruder can determine if a possible vulnerability that can be exploited exists. As shown in the figure, a network exploration tool such as Nmap can be used to conduct host discovery, port scanning, version detection, and OS detection. Many of these tools are available and easy to use.
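As an added example (not part of the course text), the following Python detection logic looks for the two reconnaissance patterns just described, a ping sweep across many hosts and a port scan against one host, in constructed firewall log lines; the log format, addresses and thresholds are assumptions made for the demonstration.

```python
import re
from collections import defaultdict

# Log format assumed for this demonstration (not a real vendor format):
#   <timestamp> <permit|deny> <proto> <src> -> <dst>[:<dport>] [extra fields]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>permit|deny) (?P<proto>icmp|tcp|udp) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+)"
    r"(?::(?P<dport>\d+))?(?: (?P<extra>.*))?$"
)

# Constructed sample log: one outside host sends ICMP echo requests to every
# address in a small range, then tries a dozen ports on a single server;
# the remaining lines are ordinary traffic and one malformed line.
SAMPLE_LOG = (
    [f"2024-01-01T10:00:{i:02d} deny icmp 203.0.113.5 -> 192.0.2.{i} type=8"
     for i in range(1, 13)]
    + [f"2024-01-01T10:01:{i:02d} deny tcp 203.0.113.5 -> 192.0.2.10:{p} flags=S"
       for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389, 8080])]
    + [
        "2024-01-01T10:02:00 permit tcp 192.0.2.20 -> 198.51.100.7:443 flags=S",
        "2024-01-01T10:02:01 permit tcp 192.0.2.21 -> 198.51.100.7:443 flags=S",
        "2024-01-01T10:02:02 permit icmp 192.0.2.20 -> 192.0.2.1 type=8",
        "2024-01-01T10:02:03 permit icmp 192.0.2.1 -> 192.0.2.20 type=0",
        "2024-01-01T10:02:04 malformed line that the parser must skip",
    ]
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    rec["extra"] = rec["extra"] or ""
    return rec


def detect_recon(lines, sweep_hosts=8, scan_ports=10):
    """Flag sources that ping many hosts (sweep) or try many ports on one host (scan).

    Thresholds are illustrative; a production detector also bounds them by a time window.
    """
    icmp_targets = defaultdict(set)   # src -> hosts that received an echo request
    tcp_ports = defaultdict(set)      # (src, dst) -> destination ports tried
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                  # unparseable lines are skipped, not fatal
        if rec["proto"] == "icmp" and "type=8" in rec["extra"]:
            icmp_targets[rec["src"]].add(rec["dst"])
        elif rec["proto"] == "tcp" and "flags=S" in rec["extra"] and rec["dport"] is not None:
            tcp_ports[(rec["src"], rec["dst"])].add(rec["dport"])

    findings = []
    for src, hosts in icmp_targets.items():
        if len(hosts) >= sweep_hosts:
            findings.append({"type": "ping_sweep", "src": src, "hosts": len(hosts)})
    for (src, dst), ports in tcp_ports.items():
        if len(ports) >= scan_ports:
            findings.append({"type": "port_scan", "src": src, "dst": dst,
                             "ports": sorted(ports)})
    return findings


if __name__ == "__main__":
    for finding in detect_recon(SAMPLE_LOG):
        print(finding)
```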

Internal attackers may attempt to "eavesdrop" on network traffic.

Network snooping and packet sniffing are common terms for eavesdropping. The information gathered by eavesdropping can be used to mount other attacks on the network.

Two common uses of eavesdropping are as follows:

  • Information gathering-Network intruders can identify usernames, passwords, or information carried in a packet.
  • Information theft-The theft can occur as data is transmitted over the internal or external network. The network intruder can also steal data from networked computers by gaining unauthorized access. Examples include breaking into or eavesdropping on financial institutions and obtaining credit card numbers.

An example of data susceptible to eavesdropping is SNMP version 1 community strings, which are sent in clear text. SNMP is a management protocol that provides a means for network devices to collect information about their status and to send it to an administrator. An intruder could eavesdrop on SNMP queries and gather valuable data on network equipment configuration. Another example is the capture of usernames and passwords as they cross a network.

A common method for eavesdropping on communications is to capture TCP/IP or other protocol packets and decode the contents using a protocol analyzer or similar utility. An example of such a program is Wireshark, which you have been using extensively throughout the Exploration courses. After packets are captured, they can be examined for vulnerable information.
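What the sniffer actually sees in the SNMP case above, as an added example that is not part of the course: a decoder for the SNMP message header (the BER-encoded SEQUENCE of version, community string and PDU that every SNMPv1 and v2c packet begins with), run over constructed UDP/161 payloads. The two sample packets are built by the small encoder in the same script, not taken from a real capture; the SNMPv3 packet is abbreviated to its header, which is enough to show why the same parser finds no community string there.

```python
# Added example (not from the course): pull the community string out of an SNMP
# message the way a sniffer on the management VLAN would.  The sample packets
# are constructed with the encoder below, not captured from real devices.


def ber_len(n):
    """BER length: one byte if < 128, otherwise 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(value):
    """INTEGER for small non-negative values (adds a leading 0x00 when the high bit is set)."""
    return tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))


SYS_DESCR_OID = bytes([0x2B, 6, 1, 2, 1, 1, 1, 0])  # 1.3.6.1.2.1.1.1.0 (sysDescr.0)


def snmpv1_get_request(community, oid=SYS_DESCR_OID, request_id=1):
    """SNMPv1 message: SEQUENCE { INTEGER version=0, OCTET STRING community, GetRequest-PDU }."""
    varbind = tlv(0x30, tlv(0x06, oid) + tlv(0x05, b""))  # OID, NULL value
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0)  # req-id, error-status, error-index
              + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)


def snmpv3_header_only(msg_id=1):
    """Abbreviated SNMPv3 message: after the version comes msgGlobalData (a SEQUENCE),
    not a community string.  The security parameters and scoped PDU are omitted
    because only the header matters to the parser."""
    global_data = tlv(0x30, ber_int(msg_id) + ber_int(65507) + tlv(0x04, b"\x03") + ber_int(3))
    return tlv(0x30, ber_int(3) + global_data)


def read_tlv(buf, pos=0):
    """Return (tag, value, next_position) for the TLV at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


VERSIONS = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}


def extract_community(payload):
    """Return version, community (None for v3) and PDU type of one SNMP message."""
    tag, msg, _ = read_tlv(payload)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer tag %#x)" % tag)
    tag, ver, pos = read_tlv(msg)
    if tag != 0x02:
        raise ValueError("missing version INTEGER")
    version = int.from_bytes(ver, "big")
    info = {"version": VERSIONS.get(version, "unknown(%d)" % version),
            "community": None, "pdu": None}
    if version == 3:
        return info  # v3 authenticates a user and can encrypt; there is no community string
    tag, community, pos = read_tlv(msg, pos)
    if tag != 0x04:
        raise ValueError("missing community OCTET STRING")
    info["community"] = community.decode("ascii", "replace")
    tag, _, _ = read_tlv(msg, pos)
    info["pdu"] = PDU_TYPES.get(tag, "unknown(%#x)" % tag)
    return info


def harvest_communities(payloads):
    """What a sniffer collects from a batch of UDP/161 payloads: {(version, community)}."""
    found = set()
    for p in payloads:
        info = extract_community(p)
        if info["community"] is not None:
            found.add((info["version"], info["community"]))
    return found


if __name__ == "__main__":
    print(extract_community(snmpv1_get_request("public")))
    print(extract_community(snmpv3_header_only()))
```

The community string sits six bytes into the message, unobfuscated, which is the whole point: anyone who can read the frame has read-only (or, with the write community, read-write) access to the device. The v3 branch returns no community because v3 carries an authenticated user name and, with the privacy option, an encrypted scoped PDU instead.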

Three of the most effective methods for counteracting eavesdropping are as follows:

  • Using switched networks instead of hubs so that traffic is not forwarded to all endpoints or network hosts.
  • Using encryption that meets the data security needs of the organization without imposing an excessive burden on system resources or users.
  • Implementing and enforcing a policy directive that forbids the use of protocols with known susceptibilities to eavesdropping. For example, SNMP version 1 and version 2c send the community string in clear text, whereas SNMP version 3 replaces community strings with authenticated users and can encrypt the messages, so a company could forbid SNMP version 1 and 2c but permit SNMP version 3.

Encryption provides protection for data susceptible to eavesdropping attacks, password crackers, or manipulation. Almost every company has transactions that could have negative consequences if viewed by an eavesdropper. Encryption ensures that when sensitive data passes over a medium susceptible to eavesdropping, it cannot be read; combined with an integrity check, such as the authentication built into IPsec, it also cannot be altered without detection. Decryption is necessary when the data reaches the destination host.

One method of encryption is called payload-only encryption. This method encrypts the payload section (data section) after a User Datagram Protocol (UDP) or TCP header. This enables Cisco IOS routers and switches to read the Network layer information and forward the traffic as any other IP packet. Payload-only encryption allows flow switching and all access-list features to work with the encrypted traffic just as they would with plain text traffic, thereby preserving desired quality of service (QoS) for all data.


4.1.3 - Types of Network Attacks
The diagram depicts icons representing four types of reconnaissance attacks: Internet information queries, ping sweeps, port scans, and packet sniffers.

The diagram also shows an attacker and computer on the same local network as two PCs and two servers. Clicking each attack type starts an animation of how the attack works.

Internet information queries:
The attacker issues a whois request (to whois.net) from a computer to obtain host domain name information.

Ping sweeps:
The attacker computer retrieves address information from the four hosts and starts the Nmap application to probe for vulnerabilities.

Port scans:
The attacker computer retrieves application and open port status information from the four hosts using the Nmap application.

Packet sniffers:
The attacker computer monitors traffic to and from the four hosts using the Wireshark application.


Page 3:
Access Attacks

Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information.

Password Attacks

Password attacks can be implemented using a packet sniffer to yield user accounts and passwords that are transmitted as clear text. Password attacks usually refer to repeated attempts to log in to a shared resource, such as a server or router, to identify a user account, password, or both. These repeated attempts are called dictionary attacks or brute-force attacks.

To conduct a dictionary attack, attackers can use tools such as L0phtCrack or Cain. These programs repeatedly attempt to log in as a user using words derived from a dictionary. Dictionary attacks often succeed because users have a tendency to choose simple passwords that are short, single words or are simple variations that are easy to predict, such as adding the number 1 to a word.

Another password attack method uses rainbow tables. A rainbow table is a precomputed table of hash chains. Each chain starts from a chosen plaintext password, hashes it, applies a reduction function that maps the hash back to another candidate password, and repeats these two steps many times; only the first and last passwords of each chain are stored, which is what makes the table far smaller than a list of every password and its hash. To attack a captured hash, the software applies the same reduction and hash steps to the hash until it reaches a stored chain endpoint, then regenerates that chain from its start to find the password that produced the hash. Rainbow tables work against unsalted hashes, where the same password always yields the same hash; adding a random salt to each stored password defeats them. To conduct a rainbow table attack, attackers can use a tool such as L0phtCrack.

A brute-force attack tool is more sophisticated because it searches exhaustively, using combinations of character sets to compute every possible password made up of those characters. The downside is that more time is required to complete this type of attack. Brute-force attack tools have been known to recover simple passwords in less than a minute. Longer, more complex passwords may take days or weeks to recover.

Password attacks can be mitigated by educating users to use complex passwords and by specifying minimum password lengths. Online brute-force attacks can be mitigated by restricting the number of failed login attempts. However, a brute-force attack can also be performed offline. For example, if an attacker obtains a password hash or a reversibly encrypted password, either by eavesdropping or by accessing a configuration file, the attacker can then attempt to recover the password without being connected to the host, and no login lockout policy applies.
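The rainbow table mechanics described above, and the offline nature of the attack, in working form. This is an added example rather than course code or anything from L0phtCrack: a toy table against unsalted MD5 over a three-letter lowercase keyspace, with chain length and keyspace chosen small enough to build in milliseconds. The structure (chains, step-dependent reduction, endpoint-only storage, regeneration on a hit, false alarms from merged chains) is the same one a real table uses over a far larger space. The final lookup shows why a per-password salt defeats the table: the salted input is simply not in the precomputed space.

```python
import hashlib
from itertools import product

# Added example (not from the course): a toy rainbow table.  Parameters are
# tiny on purpose; real tables target 7-8+ character spaces with chains
# thousands of steps long, but the algorithm is identical.

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
PW_LEN = 3
CHAIN_LEN = 50
KEYSPACE = len(ALPHABET) ** PW_LEN  # 17,576 candidate passwords


def h(pw):
    """The hash under attack: unsalted MD5 of the password."""
    return hashlib.md5(pw.encode()).hexdigest()


def reduce_(digest, step):
    """Map a digest back into the password space.  Mixing in the column index is
    what makes the table 'rainbow': every column uses a different reduction, so
    two chains that collide in one column merge only if they collide at the same
    column, which is rare."""
    n = (int(digest, 16) + step) % KEYSPACE
    chars = []
    for _ in range(PW_LEN):
        chars.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(chars)


def walk(start, steps):
    """Follow a chain: p0 = start, p(i+1) = reduce(h(p(i)), i).  Returns p(steps)."""
    pw = start
    for step in range(steps):
        pw = reduce_(h(pw), step)
    return pw


def build_table(starts):
    """Store only {endpoint: [start, ...]}: the time/memory trade-off.  A list is
    kept per endpoint because distinct chains can merge into the same endpoint."""
    table = {}
    for start in starts:
        table.setdefault(walk(start, CHAIN_LEN), []).append(start)
    return table


def lookup(table, target_hash):
    """Recover the password for target_hash if any stored chain passes through it."""
    # Guess the column the password sat in, latest column first (fewest hashes).
    for col in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_(target_hash, col)  # if the guess is right, this is p(col+1)
        for step in range(col + 1, CHAIN_LEN):
            pw = reduce_(h(pw), step)  # ... so walking on lands on the endpoint
        for start in table.get(pw, ()):
            # Endpoint matched: regenerate that chain and look for the hash.
            cand = start
            for step in range(CHAIN_LEN):
                if h(cand) == target_hash:
                    return cand
                cand = reduce_(h(cand), step)
            # No match: a false alarm caused by a chain merge; keep trying.
    return None


def demo_table():
    """Every 97th password as a chain start: ~180 chains x 50 steps covers up to
    ~9,100 of the 17,576 passwords while storing only ~180 endpoints."""
    starts = ["".join(t) for t in product(ALPHABET, repeat=PW_LEN)][::97]
    return build_table(starts)


if __name__ == "__main__":
    table = demo_table()
    secret = walk("aaa", 7)  # a password we know lies on a stored chain
    print(secret, "->", lookup(table, h(secret)))
    # Salting defeats the table: the salted input lies outside the precomputed space.
    print("salted:", lookup(table, h("x9" + secret)))
```

Note that nothing here talks to the target system: the attacker needs only the hash, which is why a captured configuration file or password database turns every lockout policy into a non-factor, and why the stored form must be a slow, salted hash.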

Trust Exploitation

The goal of a trust exploitation attack is to compromise a trusted host, using it to stage attacks on other hosts in a network. If a host in a network of a company is protected by a firewall (inside host), but is accessible to a trusted host outside the firewall (outside host), the inside host can be attacked through the trusted outside host.

The means used by attackers to gain access to the trusted outside host, as well as the details of trust exploitation, are not discussed in this chapter. For information about trust exploitation, refer to the Networking Academy Network Security course.

Trust exploitation-based attacks can be mitigated through tight constraints on trust levels within a network. For example, private VLANs can be deployed in public-service segments where multiple public servers are available, so that a compromised server cannot reach its neighbors on the same segment. Systems on the outside of a firewall should never be absolutely trusted by systems on the inside of a firewall. Such trust should be limited to specific protocols and should be authenticated by something other than an IP address, where possible.

Port Redirection

A port redirection attack is a type of trust exploitation attack that uses a compromised host to pass traffic through a firewall that would otherwise be blocked.

Consider a firewall with three interfaces and a host on each interface. The host on the outside can reach the host on the public services segment, but not the host on the inside. This publicly accessible segment is commonly referred to as a demilitarized zone (DMZ). The host on the public services segment can reach the host on both the outside and the inside. If attackers were able to compromise the public services segment host, they could install software to redirect traffic from the outside host directly to the inside host. Although neither communication violates the rules implemented in the firewall, the outside host has now achieved connectivity to the inside host through the port redirection process on the public services host. An example of a utility that can provide this type of access is netcat.

Port redirection can be mitigated primarily through the use of proper trust models, which are network specific (as mentioned earlier). When a system is under attack, a host-based intrusion detection system (IDS) can help detect an attacker and prevent installation of such utilities on a host.

Man-in-the-Middle Attack

A man-in-the-middle (MITM) attack is carried out by attackers that manage to position themselves between two legitimate hosts. The attacker may allow the normal transactions between hosts to occur, and only periodically manipulate the conversation between the two.

There are many ways that an attacker can get into position between two hosts. The details of these methods are beyond the scope of this course, but a brief description of one popular method, the transparent proxy, helps illustrate the nature of MITM attacks.

In a transparent proxy attack, an attacker may catch a victim with a phishing e-mail or by defacing a website. Then the URL of a legitimate website has the attacker's URL prepended to it. For instance, http://www.legitimate.com becomes http://www.attacker.com/http://www.legitimate.com.

1. When a victim requests a webpage, the victim's host makes the request to the attacker's host.

2. The attacker's host receives the request and fetches the real page from the legitimate website.

3. The attacker can alter the legitimate webpage and apply any transformations to the data they want to make.

4. The attacker forwards the requested page to the victim.

Other sorts of MITM attacks are potentially even more harmful. If attackers manage to get into a strategic position, they can steal information, hijack an ongoing session to gain access to private network resources, conduct DoS attacks, corrupt transmitted data, or introduce new information into network sessions.

WAN MITM attacks are mitigated by using VPN tunnels, which allow the attacker to see only encrypted, undecipherable text. LAN MITM attacks use tools such as ettercap and techniques such as ARP poisoning. Most LAN MITM attacks can be mitigated by configuring Layer 2 protections on the LAN switches, such as port security and, against ARP poisoning specifically, Dynamic ARP Inspection.


4.1.3 - Types of Network Attacks
The diagram depicts four types of access attacks: password attacks, trust exploitation, port redirection, and man-in-the-middle.

Password Attack:
An authorization screenshot is shown for entering a username and password. Attackers can implement password attacks using several different methods:
- Brute-force attacks.
- Trojan horse programs.
- Packet sniffers.

Trust Exploitation:
The diagram shows an attacker and PCs labeled System A and System B connected to a firewall. Network OSs and trust models are shown as follows:
Windows: domains, Active Directory (AD)
Linux and UNIX: Network File System (NFS), Network Information Service Plus (NIS+).

In this animation, the attacker's goal is to gain access to System A. When the animation is run, the attacker cannot get access to System A directly, but notices that he can gain access to System B. Because System B trusts everyone, the attacker gets onto System B, and because System A trusts System B, the attacker now has access to System A through the access gained on System B.

Port Redirection:
The diagram shows an attacker accessing and compromising Host A on port 22 (SSH). Host A then accesses Host B on behalf of the attacker on Port 23 (Telnet).

Port redirection is a type of trust-exploitation attack that uses a compromised host to pass traffic through a firewall that would otherwise be dropped. It is mitigated primarily through using proper trust models. Antivirus software and host-based IDS can help detect and prevent an attacker installing port-redirecting utilities on the host.

Man-in-the-Middle:
The diagram shows an attacker with a PC acting as a man-in-the-middle by intercepting a web page request and altering it to take advantage of the victim. In the example, the victim unknowingly clicks a link in a phishing e-mail. The following process is described:

One. When a victim requests a web page, the victim's host makes the request to the attacker's host.

Two. The attacker's host receives the request and fetches the real page from the legitimate website.

Three. The attacker can alter the legitimate webpage and apply any transformations to the data desired.

Four. The attacker forwards the requested page to the victim.


Page 4:
DoS Attacks

DoS attacks are the most publicized form of attack and also among the most difficult to eliminate. Even within the attacker community, DoS attacks are regarded as trivial and considered bad form, because they require so little effort to execute. But because of their ease of implementation and potentially significant damage, DoS attacks deserve special attention from security administrators.

DoS attacks take many forms. Ultimately, they prevent authorized people from using a service by consuming system resources. The following are some examples of common DoS threats:

Click the Ping of Death button in the figure.

A ping of death attack gained popularity in the late 1990s. It took advantage of vulnerabilities in the IP reassembly code of older operating systems. The attacker sent an ICMP echo request as a series of IP fragments whose offsets and lengths, when reassembled, added up to more than the 65,535-byte maximum size of an IP packet, overflowing the reassembly buffer. A ping is normally 64 or 84 bytes, while a ping of death reassembled to more than 65,535 bytes. Receiving a ping of this size could crash an older target computer. Most systems are no longer susceptible to this type of attack.

Click the SYN Flood button in the figure.

A SYN flood attack exploits the TCP three-way handshake. It involves sending a large number of SYN requests (1,000+) to a targeted server, usually with spoofed source addresses. The server replies to each with the usual SYN-ACK and holds a half-open connection entry while it waits for the final ACK, which the malicious host never sends. The half-open connections fill the server's connection backlog until it can no longer respond to SYN requests from valid hosts.
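The server-side symptom of the attack just described, as an added example that is not part of the course: a listing of the server's TCP connection table (netstat-style columns) is summarized per listening port, and a port is flagged when half-open (SYN_RECV) entries pile up from many distinct sources while completed connections stay flat. The input is constructed for the demo, with spoofed sources drawn from the 203.0.113.0/24 documentation range; it is not real netstat output.

```python
from collections import defaultdict

# Added example (not from the course): detect a SYN flood from the server's own
# connection table.  SAMPLE_NETSTAT is constructed netstat-style output, not a
# real capture; the many one-off sources on port 80 are the spoofing signature.

SAMPLE_NETSTAT = (
    "tcp        0      0 192.0.2.10:80          198.51.100.7:51522     ESTABLISHED\n"
    "tcp        0      0 192.0.2.10:80          198.51.100.9:51530     ESTABLISHED\n"
    "tcp        0      0 192.0.2.10:22          198.51.100.3:60120     ESTABLISHED\n"
    "tcp        0      0 192.0.2.10:22          198.51.100.4:60121     SYN_RECV\n"
    "tcp        0      0 192.0.2.10:80          198.51.100.8:51540     TIME_WAIT\n"
) + "".join(
    # twelve half-open connections to port 80, each from a different (spoofed) source
    f"tcp        0      0 192.0.2.10:80          203.0.113.{i}:4{i:04d}      SYN_RECV\n"
    for i in range(1, 13)
)


def parse_connections(text):
    """Yield (local_port, remote_ip, state) for each netstat-style TCP line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp6"):
            continue  # headers, UDP sockets, blank lines
        local, remote, state = fields[3], fields[4], fields[5]
        port = int(local.rsplit(":", 1)[1])
        yield port, remote.rsplit(":", 1)[0], state


def summarize_half_open(text):
    """Per local port: half-open count, number of distinct half-open sources, established count."""
    report = defaultdict(lambda: {"syn_recv": 0, "sources": set(), "established": 0})
    for port, remote_ip, state in parse_connections(text):
        if state == "SYN_RECV":
            report[port]["syn_recv"] += 1
            report[port]["sources"].add(remote_ip)
        elif state == "ESTABLISHED":
            report[port]["established"] += 1
    return {port: {"syn_recv": r["syn_recv"],
                   "distinct_sources": len(r["sources"]),
                   "established": r["established"]}
            for port, r in report.items()}


def detect_syn_flood(text, threshold=10):
    """Flag ports whose half-open entries reach the threshold and outnumber completed
    connections.  A legitimate burst completes its handshakes; a flood never does."""
    flagged = []
    for port, r in summarize_half_open(text).items():
        if r["syn_recv"] >= threshold and r["syn_recv"] > r["established"]:
            flagged.append(port)
    return sorted(flagged)


if __name__ == "__main__":
    for port, r in sorted(summarize_half_open(SAMPLE_NETSTAT).items()):
        print(port, r)
    print("SYN flood suspected on ports:", detect_syn_flood(SAMPLE_NETSTAT))
```

The threshold of 10 fits the constructed sample only; in practice it is set relative to the host's normal half-open count and its listen backlog (on Linux, `net.ipv4.tcp_max_syn_backlog`). The one SYN_RECV on port 22 is what a slow but genuine client looks like and is correctly left alone. Enabling SYN cookies, which let the server answer a SYN without storing state until the ACK arrives, removes the resource the flood is trying to exhaust.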

Other types of DoS attacks include:

  • E-mail bombs - Programs send bulk e-mails to individuals, lists, or domains, monopolizing e-mail services.
  • Malicious applets - These attacks are Java, JavaScript, or ActiveX programs that cause destruction or tie up computer resources.

DDoS Attacks

Distributed DoS (DDoS) attacks are designed to saturate network links with illegitimate data. This data can overwhelm an Internet link, causing legitimate traffic to be dropped. DDoS uses attack methods similar to standard DoS attacks, but operates on a much larger scale. Typically, hundreds or thousands of attack points attempt to overwhelm a target.

Click the DDoS button in the figure.

Typically, there are three components to a DDoS attack.

  • A Client is typically a person who launches the attack.
  • A Handler is a compromised host that is running the attacker program; each Handler is capable of controlling multiple Agents.
  • An Agent is a compromised host that is running the attacker program and is responsible for generating a stream of packets that is directed toward the intended victim.

Examples of DDoS attacks include the following:

  • Smurf attack
  • Tribe flood network (TFN)
  • Stacheldraht
  • MyDoom

Click the Smurf Attack button in the figure.

The Smurf attack uses spoofed broadcast ping messages to flood a target system. It starts with an attacker sending a large number of ICMP echo requests to the network broadcast address of an intermediary network, with the source IP address spoofed to be the victim's address. If the router forwards the directed broadcast, translating the Layer 3 broadcast into a Layer 2 broadcast, most hosts on the segment respond with an ICMP echo reply to the victim, multiplying the traffic by the number of hosts responding. On a multi-access broadcast network, there could potentially be hundreds of machines replying to each echo packet.

For example, assume that the network has 100 hosts and that the attacker has a high performance T1 link. The attacker sends a 768 kb/s stream of ICMP echo requests packets with a spoofed source address of the victim to the broadcast address of a targeted network (referred to as a bounce site). These ping packets hit the bounce site on the broadcast network of 100 hosts, and each of them takes the packet and responds to it, creating 100 outbound ping replies. A total of 76.8 megabits per second (Mb/s) of bandwidth is used outbound from the bounce site after the traffic is multiplied. This is then sent to the victim or the spoofed source of the originating packets.

Turning off directed broadcast capability in the network infrastructure prevents the network from being used as a bounce site. Directed broadcast capability is now turned off by default in Cisco IOS software since version 12.0.

DoS and DDoS attacks can be mitigated by implementing anti-spoof and anti-DoS access control lists. ISPs can also implement traffic rate limiting, restricting the amount of nonessential traffic that crosses network segments. A common example is to rate-limit the ICMP traffic that is allowed into a network, because most of this traffic is used only for diagnostic purposes. Rate limiting is preferable to blocking ICMP outright, because some ICMP messages, such as the "fragmentation needed" message used by path MTU discovery, are required for normal operation.

Details of the operation of these attacks are beyond the scope of this course. For more information, refer to the Networking Academy Network Security course.


4.1.3 - Types of Network Attacks
The diagram depicts five types of DoS-related attacks. These include the DoS Attack, Ping of Death, SYN Flood, DDoS, and Smurf Attack.

DoS Attack:
The diagram shows an attacker with a PC sending excessive amounts of traffic to a server and using up system resources, thus preventing authorized people from using a service. Types of resource overloads and malformed data are listed:

Resource overloads:
Disk space, bandwidth, buffers.
Ping floods such as smurf.
Packet storms such as UDP bombs and fraggle.

Malformed data:
Oversized packets such as ping of death.
Overlapping packets such as winuke.
Unhandled data such as teardrop.

Ping of Death:
The animation shows an attacker with a PC sending the ping of death and disabling a computer.

SYN Flood:
The diagram shows an attacker with a PC sending multiple SYN requests to a web server. The web server sends multiple SYN-Ack replies and waits to complete the three-way handshake. A valid user sends a SYN request, but the server is unable to respond.

DDoS:
The diagram shows a client PC that launches an attack through several handler PCs. A handler is a compromised host that is running the attacker program. Each handler controls multiple agents or zombies.
The agents are compromised hosts running the attacker program. They are responsible for generating streams of packets directed toward the intended victim.

Smurf Attack:
The diagram shows an attacker creating an echo request and using a smurf amplifier to send to many zombie computers. The zombies send echo replies to the victim in an attempt to overwhelm the WAN link to the destination.


Page 5:
Malicious Code Attacks

The primary vulnerabilities for end-user workstations are worm, virus, and Trojan horse attacks.

A worm executes code and installs copies of itself in the memory of the infected computer, which can, in turn, infect other hosts.

A virus is malicious software that is attached to another program for the purpose of executing a particular unwanted function on a workstation.

A Trojan horse is different from a worm or virus only in that the entire application was written to look like something else, when in fact it is an attack tool.

Worms

The anatomy of a worm attack is as follows:

  • The enabling vulnerability-A worm installs itself by exploiting a known vulnerability in a system or, in some cases, by tricking naive end users into opening unverified executable attachments in e-mails.
  • Propagation mechanism-After gaining access to a host, a worm copies itself to that host and then selects new targets.
  • Payload-Once a host is infected with a worm, the attacker has access to the host, often as a privileged user. Attackers could use a local exploit to escalate their privilege level to administrator.

Typically, worms are self-contained programs that attack a system and try to exploit a specific vulnerability in the target. Upon successful exploitation of the vulnerability, the worm copies its program from the attacking host to the newly exploited system to begin the cycle again. In January 2007, a worm infected the popular MySpace community. Unsuspecting users enabled propagation of the worm, which began to replicate itself on user sites with the defacement "w0rm.EricAndrew".

Worm attack mitigation requires diligence on the part of system and network administration staff. Coordination between system administration, network engineering, and security operations personnel is critical in responding effectively to a worm incident. The following are the recommended steps for worm attack mitigation:

  • Containment-Contain the spread of the worm into and within the network. Compartmentalize uninfected parts of the network.
  • Inoculation-Start patching all systems and, if possible, scanning for vulnerable systems.
  • Quarantine-Track down each infected machine inside the network. Disconnect, remove, or block infected machines from the network.
  • Treatment-Clean and patch each infected system. Some worms may require complete core system reinstallations to clean the system.

Viruses and Trojan Horses

A virus is malicious software that is attached to another program to execute a particular unwanted function on a workstation. An example is a program that is attached to command.com (the command interpreter on MS-DOS and early Windows systems) and deletes certain files and infects any other copies of command.com that it can find.

A Trojan horse is different only in that the entire application was written to look like something else, when in fact it is an attack tool. An example of a Trojan horse is a software application that runs a simple game on a workstation. While the user is occupied with the game, the Trojan horse mails a copy of itself to every address in the user's address book. The other users receive the game and play it, thereby spreading the Trojan horse to the addresses in each address book.

A virus normally requires a delivery mechanism-a vector-such as a zip file or some other executable file attached to an e-mail, to carry the virus code from one system to another. The key element that distinguishes a computer worm from a computer virus is that human interaction is required to facilitate the spread of a virus.

These kinds of applications can be contained through the effective use of antivirus software at the user level, and potentially at the network level. Antivirus software can detect most viruses and many Trojan horse applications and prevent them from spreading in the network. Keeping up to date with the latest developments in these sorts of attacks can also lead to a more effective posture toward these attacks. As new virus or Trojan applications are released, enterprises need to keep current with the latest versions of antivirus software.

Sub7, or SubSeven, is a common Trojan horse that installs a backdoor program on user systems. It is popular for both unstructured and structured attacks. As an unstructured threat, inexperienced attackers can use the program to cause mouse cursors to disappear. As a structured threat, crackers can use it to install keystroke loggers (programs that record all user keystrokes) to capture sensitive information.


4.1.3 - Types of Network Attacks
The animation depicts malicious code attacks. The primary vulnerabilities for end-user workstations are worm, virus, and Trojan horse attacks.

Worm:
A worm executes arbitrary code and installs copies of itself in the infected computer's memory, which infects other hosts.

Virus:
A virus is malicious software that is attached to another program to execute a particular unwanted function on a user's workstation.

Trojan horse:
A Trojan horse is different only in that the entire application was written to look like something else, when, in fact, it is an attack tool.


4.1.4 General Mitigation Techniques

Page 1:
Host and Server Based Security

Device Hardening

When a new operating system is installed on a computer, the security settings are set to the default values. In most cases, this level of security is inadequate. There are some simple steps that should be taken that apply to most operating systems:

  • Default usernames and passwords should be changed immediately.
  • Access to system resources should be restricted to only the individuals that are authorized to use those resources.
  • Any unnecessary services and applications should be turned off and uninstalled, when possible.

Section 4.2 "Securing Cisco Routers" describes device hardening in more detail.

It is critical to protect network hosts, such as workstation PCs and servers. These hosts need to be secured as they are added to the network, and should be updated with security patches as these updates become available. Additional steps can be taken to secure these hosts. Antivirus, firewall, and intrusion detection are valuable tools that can be used to secure network hosts. Because many business resources may be contained on a single file server, it is especially important that servers be protected and remain available.

Antivirus Software

Install host antivirus software to protect against known viruses. Antivirus software can detect most viruses and many Trojan horse applications, and prevent them from spreading in the network.

Antivirus software does this in two ways:

  • It scans files, comparing their contents to known viruses in a virus dictionary. Matches are flagged in a manner defined by the end user.
  • It monitors suspicious processes running on a host that might indicate infection. This monitoring may include data captures, port monitoring, and other methods.

Most commercial antivirus software uses both of these approaches.

Click the Antivirus button in the figure.

Update antivirus software vigilantly.

Personal Firewall

Personal computers connected to the Internet through a dialup connection, DSL, or cable modem are as vulnerable as corporate networks. Personal firewalls reside on the user's PC and attempt to prevent attacks. Personal firewalls are not a substitute for the appliance-based or server-based firewalls used to protect a LAN, and they may block network access if installed alongside other networking clients, services, protocols, or adapters.

Click the Personal Firewalls button in the figure.

Some personal firewall software vendors include McAfee, Norton, Symantec, and Zone Labs.

Operating System Patches

The most effective way to mitigate a worm and its variants is to download security updates from the operating system vendor and patch all vulnerable systems. This is difficult with uncontrolled user systems in the local network, and even more troublesome if these systems are remotely connected to the network via a virtual private network (VPN) or remote access server (RAS). Administering numerous systems involves the creation of a standard software image (operating system and accredited applications that are authorized for use on deployed client systems) that is deployed on new or upgraded systems. These images may not contain the latest patches, and the process of continually remaking the image to integrate the latest patch may quickly become administratively time-consuming. Pushing patches out to all systems requires that those systems be connected in some way to the network, which may not be possible.

One solution to the management of critical security patches is to create a central patch server that all systems must communicate with after a set period of time. Any patches that are not applied to a host are automatically downloaded from the patch server and installed without user intervention.

In addition to performing security updates from the OS vendor, determining which devices are exploitable can be simplified by the use of security auditing tools that look for vulnerabilities.

Click the OS Patches button in the figure.


4.1.4 - General Mitigation Techniques
The diagram depicts host- and server-based security measures. These include antivirus software, personal firewall, and operating system (OS) patches.

Antivirus:
The diagram shows a screenshot of McAfee AutoUpdate in progress.

Personal Firewall:
The diagram shows a screenshot of Norton Personal Firewall.

OS Patches:
The diagram shows a screenshot of the Microsoft Update Web Site.


Page 2:
Intrusion Detection and Prevention

Intrusion detection systems (IDS) detect attacks against a network and send logs to a management console. Intrusion prevention systems (IPS) prevent attacks against the network and should provide the following active defense mechanisms in addition to detection:

  • Prevention-Stops the detected attack from executing.
  • Reaction-Immunizes the system from future attacks from a malicious source.

Either technology can be implemented at a network level or host level, or both for maximum protection.

Host-based Intrusion Detection Systems

Host-based intrusion detection and prevention is typically implemented as inline or passive technology, depending on the vendor.

Passive technology, which was the first generation technology, is called a host-based intrusion detection system (HIDS). HIDS sends logs to a management console after the attack has occurred and the damage is done.

Inline technology, called a host-based intrusion prevention system (HIPS), actually stops the attack, prevents damage, and blocks the propagation of worms and viruses.

Active detection can be set to shut down the network connection or to stop impacted services automatically. Corrective action can be taken immediately. Cisco provides HIPS using the Cisco Security Agent software.

HIPS software must be installed on each host, either the server or desktop, to monitor activity performed on and against the host. This software is referred to as agent software. The agent software performs the intrusion detection analysis and prevention. Agent software also sends logs and alerts to a centralized management/policy server.

The advantage of HIPS is that it can monitor operating system processes and protect critical system resources, including files that may exist only on that specific host. This means it can notify network managers when some external process tries to modify a system file in a way that may include a hidden back door program.

The figure illustrates a typical HIPS deployment. Agents are installed on publicly accessible servers and corporate mail and application servers. The agent reports events to a central console server located inside the corporate firewall. As an alternative, agents on the host can send logs as e-mail to an administrator.


4.1.4 - General Mitigation Techniques
The diagram depicts intrusion detection and prevention tools. A screenshot of Cisco Security Agent is shown.


Page 3:
Common Security Appliances and Applications

Security is a top consideration whenever planning a network. In the past, the one device that would come to mind for network security was the firewall. A firewall by itself is no longer adequate for securing a network. An integrated approach involving firewall, intrusion prevention, and VPN is necessary.

An integrated approach to security, and the necessary devices to make it happen, follows these building blocks:

Threat control-Regulates network access, isolates infected systems, prevents intrusions, and protects assets by counteracting malicious traffic, such as worms and viruses. Devices that provide threat control solutions are:

  • Cisco ASA 5500 Series Adaptive Security Appliances
  • Integrated Services Routers (ISR)
  • Network Admission Control
  • Cisco Security Agent for Desktops
  • Cisco Intrusion Prevention Systems

Secure communications-Secures network endpoints with VPN. The devices that allow an organization to deploy VPN are Cisco ISR routers with the Cisco IOS VPN solution, the Cisco ASA 5500, and Cisco Catalyst 6500 switches.

Network admission control (NAC)-Provides a roles-based method of preventing unauthorized access to a network. Cisco offers a NAC appliance.

Cisco IOS Software on Cisco Integrated Services Routers (ISRs)

Cisco provides many of the required security measures for customers within the Cisco IOS software. Cisco IOS software provides built-in Cisco IOS Firewall, IPsec, SSL VPN, and IPS services.

Cisco ASA 5500 Series Adaptive Security Appliance

At one time, the PIX firewall was the one device that a secure network would deploy. The PIX has evolved into a platform that integrates many different security features, called the Cisco Adaptive Security Appliance (ASA). The Cisco ASA integrates firewall, voice security, SSL and IPsec VPN, IPS, and content security services in one device.

Cisco IPS 4200 Series Sensors

For larger networks, an inline intrusion prevention system is provided by the Cisco IPS 4200 series sensors. This sensor identifies, classifies, and stops malicious traffic on the network.

Cisco NAC Appliance

The Cisco NAC appliance uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources.

Cisco Security Agent (CSA)

Cisco Security Agent software provides threat protection capabilities for server, desktop, and point-of-service (POS) computing systems. CSA defends these systems against targeted attacks, spyware, rootkits, and zero-day attacks.

In-depth coverage of these appliances is beyond the scope of this course. Refer to the CCNP: Implementing Secure Converged Wide-area Networks and the Network Security 1 and 2 courses for more information.


4.1.4 - General Mitigation Techniques
The diagram depicts common security appliances and applications. Photographs of these include Cisco ASA 5500 Series Adaptive Security Appliance, network admission control (NAC)-appliance, and Cisco I P S 4200 Series Sensors.


4.1.5 The Network Security Wheel

Page 1:
Most security incidents occur because system administrators do not implement available countermeasures, and attackers or disgruntled employees exploit the oversight. Therefore, the issue is not just one of confirming that a technical vulnerability exists and finding a countermeasure that works, it is also critical to verify that the countermeasure is in place and working properly.

To assist with the compliance of a security policy, the Security Wheel, a continuous process, has proven to be an effective approach. The Security Wheel promotes retesting and reapplying updated security measures on a continuous basis.

To begin the Security Wheel process, first develop a security policy that enables the application of security measures. A security policy includes the following:

  • Identifies the security objectives of the organization.
  • Documents the resources to be protected.
  • Identifies the network infrastructure with current maps and inventories.
  • Identifies the critical resources that need to be protected, such as research and development, finance, and human resources. This is called a risk analysis.

The security policy is the hub upon which the four steps of the Security Wheel are based. The steps are secure, monitor, test, and improve.

Step 1. Secure

Secure the network by applying the security policy and implementing the following security solutions:

  • Threat defense
  • Stateful inspection and packet filtering-Filter network traffic to allow only valid traffic and services.

Note: Stateful inspection refers to a firewall keeping information on the state of a connection in a state table so that it can recognize changes in the connection that could mean an attacker is attempting to hijack a session or otherwise manipulate a connection.

  • Intrusion prevention systems-Deploy at the network and host level to actively stop malicious traffic.
  • Vulnerability patching-Apply fixes or measures to stop the exploitation of known vulnerabilities.
  • Disable unnecessary services-The fewer services that are enabled, the harder it is for attackers to gain access.

Secure connectivity

  • VPNs-Encrypt network traffic to prevent unwanted disclosure to unauthorized or malicious individuals.
  • Trust and identity-Implement tight constraints on trust levels within a network. For example, systems on the outside of a firewall should never be absolutely trusted by systems on the inside of a firewall.
  • Authentication-Give access to authorized users only. One example of this is using one-time passwords.
  • Policy enforcement-Ensure that users and end devices are in compliance with the corporate policy.

Step 2. Monitor

Monitoring security involves both active and passive methods of detecting security violations. The most commonly used active method is to audit host-level log files. Most operating systems include auditing functionality. System administrators must enable the audit system for every host on the network and take the time to check and interpret the log file entries.

Passive methods include using IDS devices to automatically detect intrusion. This method requires less attention from network security administrators than active methods. These systems can detect security violations in real time and can be configured to automatically respond before an intruder does any damage.

An added benefit of network monitoring is the verification that the security measures implemented in step 1 of the Security Wheel have been configured and are working properly.

Step 3. Test

In the testing phase of the Security Wheel, the security measures are proactively tested. Specifically, the functionality of the security solutions implemented in step 1 and the system auditing and intrusion detection methods implemented in step 2 are verified. Vulnerability assessment tools such as SATAN, Nessus, or Nmap are useful for periodically testing the network security measures at the network and host level.

Step 4. Improve

The improvement phase of the Security Wheel involves analyzing the data collected during the monitoring and testing phases. This analysis contributes to developing and implementing improvement mechanisms that augment the security policy and results in adding items to step 1. To keep a network as secure as possible, the cycle of the Security Wheel must be continually repeated, because new network vulnerabilities and risks are emerging every day.

With the information collected from the monitoring and testing phases, IDSs can be used to implement improvements to the security. The security policy should be adjusted as new security vulnerabilities and risks are discovered.


4.1.5 - General Mitigation Techniques
The diagram depicts the network security wheel. The security policy is at the center surrounded by the four steps:
Step One. Secure.
Step Two. Monitor.
Step Three. Test.
Step Four. Improve.


4.1.6 The Enterprise Security Policy

Page 1:
What is a Security Policy?

A security policy is a set of guidelines established to safeguard the network from attacks, both from inside and outside a company. Forming a policy starts with asking questions. How does the network help the organization achieve its vision, mission, and strategic plan? What implications do business requirements have on network security, and how do those requirements get translated into the purchase of specialized equipment and the configurations loaded onto devices?

A security policy benefits an organization in the following ways:

  • Provides a means to audit existing network security and compare the requirements to what is in place.
  • Provides a plan for security improvements, including equipment, software, and procedures.
  • Defines the roles and responsibilities of the company executives, administrators, and users.
  • Defines which behavior is and is not allowed.
  • Defines a process for handling network security incidents.
  • Enables global security implementation and enforcement by acting as a standard between sites.
  • Creates a basis for legal action if necessary.

A security policy is a living document, meaning that the document is never finished and is continuously updated as technology and employee requirements change. It acts as a bridge between management objectives and specific security requirements.


4.1.6 - The Enterprise Security Policy
The diagram depicts a definition of a security policy:

A security policy is a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide.

(RFC 2196, Site Security Handbook)


Page 2:
Functions of a Security Policy

A comprehensive security policy fulfills these essential functions:

  • Protects people and information
  • Sets the rules for expected behavior by users, system administrators, management, and security personnel
  • Authorizes security personnel to monitor, probe, and investigate
  • Defines and authorizes the consequences of violations

The security policy is for everyone, including employees, contractors, suppliers, and customers who have access to the network. However, the security policy should treat each of these groups differently. Each group should only be shown the portion of the policy appropriate to their work and level of access to the network.

For example, an explanation for why something is being done is not always necessary. You can assume that the technical staff already know why a particular requirement is included. Managers are not likely to be interested in the technical aspects of a particular requirement; they may want just a high-level overview or the principle supporting the requirement. However, when end users know why a particular security control has been included, they are more likely to comply with the policy. Therefore, one document is not likely to meet the needs of the entire audience in a large organization.


4.1.6 - The Enterprise Security Policy
The diagram depicts the functions of a security policy.
- Protects people and information.
- Sets the rules for expected behavior by users, system administrators, management, and security personnel.
- Authorizes security personnel to monitor, probe, and investigate.
- Defines and authorizes the consequences of violations.


Page 3:
Components of a Security Policy

The SANS Institute (http://www.sans.org) provides guidelines developed in cooperation with a number of industry leaders, including Cisco, for developing comprehensive security policies for organizations large and small. Not all organizations need all of these policies.

The following are general security policies that an organization may invoke:

  • Statement of authority and scope-Defines who in the organization sponsors the security policy, who is responsible for implementing it, and what areas are covered by the policy.
  • Acceptable use policy (AUP)-Defines the acceptable use of equipment and computing services, and the appropriate employee security measures to protect the organization's corporate resources and proprietary information.
  • Identification and authentication policy-Defines which technologies the company uses to ensure that only authorized personnel have access to its data.
  • Internet access policy-Defines what the company will and will not tolerate with respect to the use of its Internet connectivity by employees and guests.
  • Campus access policy-Defines acceptable use of campus technology resources by employees and guests.
  • Remote access policy-Defines how remote users can use the remote access infrastructure of the company.
  • Incident handling procedure-Specifies who will respond to security incidents, and how they are to be handled.

In addition to these key security policy sections, some others that may be necessary in certain organizations include:

  • Account access request policy-Formalizes the account and access request process within the organization. Bypassing the standard process for account and access requests, whether by users or by system administrators, can expose the organization to legal action.
  • Acquisition assessment policy-Defines the responsibilities regarding corporate acquisitions and defines the minimum requirements of an acquisition assessment that the information security group must complete.
  • Audit policy-Defines audit policies to ensure the integrity of information and resources. This includes a process to investigate incidents, ensure conformance to security policies, and monitor user and system activity where appropriate.
  • Information sensitivity policy-Defines the requirements for classifying and securing information in a manner appropriate to its sensitivity level.
  • Password policy-Defines the standards for creating, protecting, and changing strong passwords.
  • Risk assessment policy-Defines the requirements and provides the authority for the information security team to identify, assess, and remediate risks to the information infrastructure associated with conducting business.
  • Global web server policy-Defines the standards required by all web hosts.

With the extensive use of e-mail, an organization may also want to have policies specifically related to e-mail, such as:

  • Automatically forwarded e-mail policy-Documents the policy restricting automatic e-mail forwarding to an external destination without prior approval from the appropriate manager or director.
  • E-mail policy-Defines content standards to prevent tarnishing the public image of the organization.
  • Spam policy-Defines how spam should be reported and treated.

Remote access policies might include:

  • Dial-in access policy-Defines the appropriate dial-in access and its use by authorized personnel.
  • Remote access policy-Defines the standards for connecting to the organization network from any host or network external to the organization.
  • VPN security policy-Defines the requirements for VPN connections to the network of the organization.

It should be noted that users who defy or violate the rules in a security policy may be subject to disciplinary action, up to and including termination of employment.


4.1.6 - The Enterprise Security Policy
The diagram depicts components of a security policy.

Procedure: Statement of authority and scope.
Description: This section specifies who sponsors the security policy and what areas the policy covers.

Procedure: Acceptable use policy.
Description: This section specifies what the company will and will not allow regarding its information infrastructure.

Procedure: Identification and authentication policy.
Description: This section specifies what technologies, equipment, or combination of the two the company will use to ensure that only authorized individuals have access to its data.

Procedure: Internet access policy.
Description: This section specifies what the company considers ethical and proper use of its Internet access capabilities.

Procedure: Campus access policy.
Description: This section specifies how on-campus users will use the company data infrastructure.

Procedure: Remote access policy.
Description: This section specifies how remote users will access the company's data infrastructure.

Procedure: Incident handling procedure.
Description: This section specifies how the company will create an incident response team, and the procedures it will use during and after an incident occurs.


Page 4:


4.1.6 - The Enterprise Security Policy
The diagram depicts multiple activities.

Activity One:
In this activity, you select the appropriate word or phrase to fill in the BLANK or BLANKS and complete the sentence. Not all answers are used, and some answers may be used more than once.

Sentences:
One. BLANK is a general term that has historically been used to describe a computer programming expert.

Two. BLANK is generally regarded as the more accurate term to describe someone who tries to gain unauthorized access to network resources with malicious intent.

Three. BLANK is a term used to describe an individual that manipulates the phone network to cause it to perform a function that is normally not allowed.

Four. BLANK is a term used to describe an individual that sends large quantities of unsolicited email messages.

Five. BLANK is a term used to describe an individual that uses email or other means in an attempt to trick others into providing sensitive information, such as credit card numbers or passwords.

Six. BLANK is a term used to describe individuals that use their abilities to find vulnerabilities in systems or networks, and then report these vulnerabilities to the owners of the system so that they can be fixed.

Seven. BLANK is another term for individuals that use their knowledge of computer systems to break into systems or networks that they are not authorized to use.

Words:
A: White hat.
B: Hacker.
C: Phreaker.
D: Spammer.
E: Cracker.
F: Phisher.
G: Black hat.

Activity Two:
In this activity, you identify the type of attack represented by the example given.
Attack Examples:
One. Email bombs.
Two. Internet information queries.
Three. Man-in-the-middle attack.
Four. Packet sniffers.
Five. Password attacks.
Six. Ping of death.
Seven. Ping sweeps.
Eight. Port scans.

Attack Type:
Reconnaissance attacks.
Access attacks.
D o S and D D o S attacks.


4.2 Securing Cisco Routers

4.2.1 Router Security Issues

Page 1:
The Role of Routers in Network Security

You know that you can build a LAN by connecting devices with basic Layer 2 LAN switches. You can then use a router to route traffic between different networks based on Layer 3 IP addresses.

Router security is a critical element in any security deployment. Routers are definite targets for network attackers. If an attacker can compromise and access a router, it can be a potential aid to them. Knowing the roles that routers fulfill in the network helps you understand their vulnerabilities.

Routers fulfill the following roles:

  • Advertise networks and filter who can use them.
  • Provide access to network segments and subnetworks.


4.2.1 - Router Security Issues
The diagram depicts the role of routers in network security.

Network Topology:
Two inside networks are connected through routers. The inside network 192.168.10.0/24 consists of PC1 connected to switch S1, which is connected to router R1. The inside network 192.168.30.0/24 consists of PC3 connected to switch S3, which is connected to router R3. Routers R1 and R3 connect to router R2. Router R2 routes between the two inside local networks and is the gateway to the Internet and an external TFTP server. Router R1 provides access for hosts in the 192.168.10.0/24 network to the other networks.


Page 2:
Routers are Targets

Because routers provide gateways to other networks, they are obvious targets, and are subject to a variety of attacks. Here are some examples of various security problems:

  • Compromising the access control can expose network configuration details, thereby facilitating attacks against other network components.
  • Compromising the route tables can reduce performance, deny network communication services, and expose sensitive data.
  • Misconfiguring a router traffic filter can expose internal network components to scans and attacks, making it easier for attackers to avoid detection.

Attackers can compromise routers in different ways, so there is no single approach that network administrators can use to combat them. The ways that routers are compromised are similar to the types of attacks you learned about earlier in this chapter, including trust exploitation attacks, IP spoofing, session hijacking, and MITM attacks.

Note: This section focuses on securing routers. Most of the best practices discussed can also be used to secure switches. However, this section does not cover Layer 2 threats, such as MAC address flooding attacks and STP attacks, because these are covered in CCNA Exploration: LAN Switching and Wireless.


4.2.1 - Router Security Issues
The diagram depicts the fact that routers are targets.

Network Topology:
The network topology is the same as 4.2.1 Diagram 1 with the addition of text referencing the role of router R2. R2 connects to the Internet. As a gateway, it is a target for outside attackers.


Page 3:
Securing Your Network

Securing routers at the network perimeter is an important first step in securing the network.

Think about router security in terms in these categories:

  • Physical security
  • Update the router IOS whenever advisable
  • Back up the router configuration and IOS
  • Harden the router to eliminate the potential abuse of unused ports and services

To provide physical security, locate the router in a locked room that is accessible only to authorized personnel. It should also be free of any electrostatic or magnetic interference, and have controls for temperature and humidity. To reduce the possibility of DoS due to a power failure, install an uninterruptible power supply (UPS) and keep spare components available.

Physical devices used to connect to the router should be stored in a locked facility, or they should remain in the possession of a trustworthy individual so that they are not compromised. A device that is left in the open could have Trojans or some other sort of executable file stored on it.

Provision the router with the maximum amount of memory possible. Availability of memory can help protect against some DoS attacks, while supporting the widest range of security services.

The security features in an operating system evolve over time. However, the latest version of an operating system may not be the most stable version available. To get the best security performance from your operating system, use the latest stable release that meets the feature requirements of your network.

Always have a backup copy of a configuration and IOS on hand in case a router fails. Keep a secure copy of the router operating system image and router configuration file on a TFTP server for backup purposes.

Harden the router to make it as secure as possible. A router has many services enabled by default. Many of these services are unnecessary and may be used by an attacker for information gathering or exploitation. You should harden your router configuration by disabling unnecessary services.


4.2.1 - Router Security Issues
The network topology is a simplified version of 4.2.1 Diagram 1. Routers R1, R2, and R3 are labeled Inside Routers. R2 connects to the Internet and is vulnerable to attacks. Apply router security features to R2.


4.2.2 Applying Cisco IOS Security Features to Routers

Page 1:
Before you configure security features on a router, you need a plan for all the Cisco IOS security configuration steps.

The figure shows the steps to safeguard a router. The first five steps are discussed in this chapter. Though access control lists (ACLs) are discussed in the next chapter, they are a critical technology and must be configured to control and filter network traffic.


4.2.2 - Applying Cisco I O S Security Features to Routers
The diagram lists the steps to safeguard a router:
Step 1. Manage router security.
Step 2. Secure remote administrative access to routers.
Step 3. Log router activity.
Step 4. Secure vulnerable router services and interfaces.
Step 5. Secure routing protocols.
Step 6. Control and filter network traffic.


4.2.3 Manage Router Security

Page 1:
Basic router security consists of configuring passwords. A strong password is the most fundamental element in controlling secure access to a router. For this reason, strong passwords should always be configured.

Good password practices include the following:

  • Do not write passwords down and leave them in obvious places such as your desk or on your monitor.
  • Avoid dictionary words, names, phone numbers, and dates. Using dictionary words makes the passwords vulnerable to dictionary attacks.
  • Combine letters, numbers, and symbols. Include at least one lowercase letter, uppercase letter, digit, and special character.
  • Deliberately misspell a password. For example, Smith can be spelled as Smyth or can also include numbers such as 5mYth. Another example could be Security spelled as 5ecur1ty.
  • Make passwords lengthy. The best practice is to have a minimum of eight characters. You can enforce the minimum length using a feature that is available on Cisco IOS routers, discussed later in this topic.
  • Change passwords as often as possible. You should have a policy defining when and how often the passwords must be changed. Changing passwords frequently provides two advantages. This practice limits the window of opportunity in which a hacker can crack a password and limits the window of exposure after a password has been compromised.

Note: Leading spaces in a password are ignored, but any space after the first character is part of the password.

Passphrases

A recommended method for creating strong complex passwords is to use passphrases. A passphrase is basically a sentence or phrase that serves as a more secure password. Make sure that the phrase is long enough to be hard to guess but easy to remember and type accurately.

Use a sentence, quote from a book, or song lyric that you can easily remember as the basis of your strong password or passphrase. The figure provides examples of passphrases.


4.2.3 - Manage Router Security
The diagram lists pass-phrase examples:
- All people seem to need data processing translates to Apstndp.
- My favorite spy is James Bond 007 translates to MfsiJB007.
- It was the best of times, it was the worst of times translates to Iwtbotiwtwot.
- Fly me to the moon. And let me play among the stars translates to Fmttm.Almpats.


Page 2:
By default, Cisco IOS software leaves passwords in plain text when they are entered on a router. This is not secure since anyone walking behind you when you are looking at a router configuration could snoop over your shoulder and see the password.

Using the enable password command or the username username password password command would result in these passwords being displayed when looking at the running configuration.

For example:

R1(config)# username Student password cisco123
R1(config)# do show run | include username
username Student password 0 cisco123
R1(config)#


The 0 in the running configuration indicates that the password is stored in clear text and is not hidden.

For this reason, all passwords should be encrypted in a configuration file. Cisco IOS provides two password protection schemes:

  • Type 7, a simple reversible scheme. The password is XORed with a fixed, Cisco-defined key and written out as hex. Because the key is the same on every router and has been public for decades, a type 7 string can be turned back into the clear-text password instantly.
  • Type 5, a salted MD5 hash. It is one-way: the router verifies a login by hashing the candidate with the stored salt and comparing the result, so the clear-text password is never stored.

The type 7 scheme is used by the enable password, username ... password, and line password commands, including the vty, console, and aux lines. It only prevents a password from being read at a glance; treat a type 7 string as equivalent to clear text once the configuration leaves the router in a backup, a TFTP copy, or a pasted show run. Although far weaker than type 5, it is still better than no encoding at all.

To encrypt passwords using type 7 encryption, use the service password-encryption global configuration command as displayed in the figure. This command prevents passwords that are displayed on the screen from being readable.

For example:

R1(config)# service password-encryption
R1(config)# do show run | include username
username Student password 7 03075218050061
R1(config)#


The 7 displayed in the running configuration indicates that password is hidden. In the figure, you can see the line console password is now hidden.

Click the Configure Password button in the figure.

Cisco recommends type 5 over type 7 wherever a command supports it. A salted MD5 hash cannot be reversed to recover the password; an attacker who obtains the configuration can only guess candidates offline and compare hashes, which is why the secret itself must still be long and hard to guess. It is configured by replacing the keyword password with secret. Cisco IOS releases newer than those covered here also offer type 8 (PBKDF2 with SHA-256) and type 9 (scrypt) secrets through the algorithm-type keyword; where available, prefer those to type 5.

Therefore, to protect the privileged EXEC level as much as possible, always configure the enable secret command as shown in the figure. Also make sure that the secret password is unique and does not match any other user password.
When both are configured, the router uses the enable secret and ignores the enable password. For this reason, the enable password command should never be configured: it adds no access control, but it leaves a type 7 (or clear-text) password in the configuration that an attacker can recover and try elsewhere.

Note: If you forget the privileged EXEC password, then you will have to perform the password recovery procedure. This procedure is covered later in this chapter.

The local database usernames should be also configured using the username username secret password global configuration command. For example:

R1(config)# username Student secret cisco
R1(config)# do show run | include username
username Student secret 5 $1$z245$lVSTJzuYgdQDJiacwP2Tv/
R1(config)#


Note: Some processes cannot use type 5 secrets because they need the clear-text password itself. For example, PAP exchanges clear-text passwords and cannot work with MD5-hashed entries.
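To make the difference between the two schemes concrete, here is an added example in Python (not code from the course or from Cisco). It implements the public type 7 algorithm in both directions and the md5crypt ("$1$") construction behind type 5, then runs a small offline guessing attack against a type 5 hash. The type 7 key is the well-known fixed key built into IOS, the md5crypt routine follows the published FreeBSD scheme, and the word list and the offset value are constructed for the example. Decoding the page's own string 03075218050061 yields the word cisco followed by a space, which shows both that the course's sample strings are illustrative rather than literal router output and that the string leaks the password regardless.

```python
"""Type 7 versus type 5 on Cisco IOS: added example, not course or Cisco code.

Type 7 is a reversible XOR against a fixed key, so it can be decoded.
Type 5 is md5crypt ("$1$salt$hash"): one-way, so it can only be guessed.
"""
import hashlib

# Fixed key built into every IOS image for type 7 (public since the 1990s).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# md5crypt's own base-64 alphabet.
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def type7_decode(encoded):
    """Recover the clear text from a 'password 7' string.

    The first two digits are the starting offset into TYPE7_KEY; each later
    hex pair is one password byte XORed with the next key byte.
    """
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    clear = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                  for i, b in enumerate(data))
    return clear.decode("latin-1")


def type7_encode(clear, offset=3):
    """Build a 'password 7' string (a router picks the offset itself)."""
    data = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(clear.encode("latin-1")))
    return "%02d%s" % (offset, data.hex().upper())


def _to64(value, n):
    """md5crypt base-64: n characters, least significant 6 bits first."""
    out = bytearray()
    for _ in range(n):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password, salt):
    """Type 5 hash: the FreeBSD md5crypt scheme (salted, 1000 stretching rounds)."""
    pw, sl = password.encode(), salt.encode()[:8]
    alt = hashlib.md5(pw + sl + pw).digest()
    ctx = hashlib.md5(pw + b"$1$" + sl)
    for remaining in range(len(pw), 0, -16):    # mix in len(pw) bytes of alt
        ctx.update(alt[:min(remaining, 16)])
    bit = len(pw)
    while bit:                                  # the scheme's length-dependent step
        ctx.update(b"\0" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    for r in range(1000):                       # stretching rounds
        h = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            h.update(sl)
        if r % 7:
            h.update(pw)
        h.update(final if r & 1 else pw)
        final = h.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = b"".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                   for a, b, c in groups) + _to64(final[11], 2)
    return "$1$%s$%s" % (sl.decode(), enc.decode())


def verify_type5(candidate, stored):
    """What the router does at login: re-hash with the stored salt and compare."""
    salt = stored.split("$")[2]
    return md5crypt(candidate, salt) == stored


def guess_type5(stored, wordlist):
    """Offline dictionary attack: the only way to recover a type 5 password."""
    for word in wordlist:
        if verify_type5(word, stored):
            return word
    return None


if __name__ == "__main__":
    print("type 7 from this page :", type7_decode("03075218050061"))
    print("cisco123 as type 7    :", type7_encode("cisco123"))
    stored = md5crypt("cisco", "z245")          # salt taken from the page's example
    print("type 5 for 'cisco'    :", stored)
    # Constructed word list: the weak secret falls, the strong one does not.
    print("guessed:", guess_type5(stored, ["admin", "password", "cisco"]))
    print("guessed:", guess_type5(md5crypt("2-mAny-rOUtEs", "z245"), ["admin", "cisco"]))
```

The point of guess_type5 is the caveat: a type 5 hash stops an attacker from reading the password out of the configuration, not from testing candidates against the copy of the configuration they hold. Tools do this at scale, so once the file is exposed the strength of the secret is the only remaining defence.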

Click the Password Length button in the figure.

Cisco IOS Software Release 12.3(1) and later allow administrators to set the minimum character length for all router passwords using the security passwords min-length global configuration command, as shown in the figure. This command provides enhanced security access to the router by allowing you to specify a minimum password length, eliminating common passwords that are prevalent on most networks, such as "lab" and "cisco."

This command affects any new user passwords, enable passwords and secrets, and line passwords created after the command was executed. The command does not affect existing router passwords.


4.2.3 - Manage Router Security
The diagram depicts configuring router passwords. This includes information on encrypting passwords, configuring passwords, and password length.

Encrypting Passwords:
R1(config)#service password-encryption
R1(config)#end

R1#show run

line con 0
 password 7 0956F57A109A

Administrator encrypts all passwords in the configuration file.

Configuring Passwords:
R1(config)#enable secret 2-mAny-rOUtEs
R1(config)#no enable password
R1(config)#end

Administrator configures a type 5 (MD5 hash) password and disables the type 7 password.

Password Length Enforcement:
R1(config)#security passwords min-length 10
R1(config)#end

Administrator sets the router configuration file to require 10 characters in all passwords.


4.2.4 Securing Remote Administrative Access to Routers

Page 1:
Securing Administrative Access to Routers

Network administrators can connect to a router or switch locally or remotely. Local access through the console port is the preferred way for an administrator to connect to a device to manage it, because no credentials or configuration data cross the network. As companies get bigger and the number of routers and switches in the network grows, the administrator workload to connect to all the devices locally can become overwhelming.

Remote administrative access is more convenient than local access for administrators that have many devices to manage. However, if it is not implemented securely, an attacker could collect valuable confidential information. For example, implementing remote administrative access using Telnet can be very insecure because Telnet forwards all network traffic in clear text. An attacker could capture network traffic while an administrator is logged in remotely to a router and sniff the administrator passwords or router configuration information. Therefore, remote administrative access must be configured with additional security precautions.

To secure administrative access to routers and switches, first you will secure the administrative lines (VTY, AUX), then you will configure the network device to encrypt traffic in an SSH tunnel.


4.2.4 - Securing Remote Administrative Access to Routers
The diagram depicts restricting administrative access to routers.

Network Topology:
PC1 and an administration host are connected to switch S1 on the Management LAN, which is connected to router R1. Router R1 is connected to router R2 via a WAN link. R2 is connected to the ISP router via a WAN link. A laptop PC is connected directly to R2, which provides local access to R2. The administration host laptop PC connected to switch S1 provides remote access to R2 through R1.


Page 2:
Remote Administrative Access with Telnet and SSH

Having remote access to network devices is critical for effectively managing a network. Remote access typically involves allowing Telnet, Secure Shell (SSH), HTTP, HTTP Secure (HTTPS), or SNMP connections to the router from a computer on the same internetwork as the router.

If remote access is required, your options are as follows:

  • Establish a dedicated management network. The management network should include only identified administration hosts and connections to infrastructure devices. This could be accomplished using a management VLAN or by using an additional physical network to connect the devices to.
  • Encrypt all traffic between the administrator computer and the router. In either case, a packet filter can be configured to only allow the identified administration hosts and protocol to access the router. For example, only permit the administration host IP address to initiate an SSH connection to the routers in the network.

Remote access not only applies to the VTY line of the router, it also applies to the TTY lines and the auxiliary (AUX) port. TTY lines provide asynchronous access to a router using a modem. Although less common than they once were, they still exist in some installations. Securing these ports is even more important than securing local terminal ports.

The best way to protect a system is to ensure that appropriate controls are applied on all lines, including VTY, TTY, and AUX lines.

Administrators should make sure that logins on all lines are controlled using an authentication mechanism, even on machines that are supposed to be inaccessible from untrusted networks. This is especially important for VTY lines and for lines connected to modems or other remote access devices.

Logins may be completely prevented on any line by configuring the router with the login and no password commands. This is the default configuration for VTYs, but not for TTYs and the AUX port. Therefore, if these lines are not required, ensure that they are configured with the login and no password command combination.

Click the Prevent Logins button in the figure to view an example.

Controlling VTYs

By default, all VTY lines are configured to accept any type of remote connection. For security reasons, VTY lines should be configured to accept connections only with the protocols actually needed. This is done with the transport input command. For example, a VTY that was expected to receive only Telnet sessions would be configured with transport input telnet, and a VTY permitting both Telnet and SSH sessions would have transport input telnet ssh configured.

Click the VTY Access button in the figure.

The first configuration example displays how to configure the VTY to only accept Telnet and SSH connections, while the second example displays how to configure the VTY to only accept SSH connections. If the Cisco IOS image on a router supports SSH, it is strongly advisable to enable only that protocol.

A Cisco IOS device has a limited number of VTY lines, usually five. When all of the VTYs are in use, no more additional remote connections can be established. This creates the opportunity for a DoS attack. If an attacker can open remote sessions to all the VTYs on the system, the legitimate administrator may not be able to log in. The attacker does not have to log in to do this. The sessions can simply be left at the login prompt.

One way of reducing this exposure is to configure the last VTY line to accept connections only from a single, specific administrative workstation, whereas the other VTYs can accept connections from any address in a corporate network. This ensures that at least one VTY line is available to the administrator. To implement this, ACLs, along with the ip access-class command on the last VTY line, must be configured. This implementation is discussed in Chapter 5.

Another useful tactic is to configure VTY timeouts using the exec-timeout command. This prevents an idle session from consuming the VTY indefinitely. Although its effectiveness against deliberate attacks is relatively limited, it provides some protection against sessions accidentally left idle. Similarly, enabling TCP keepalives on incoming connections by using the service tcp-keepalives-in command can help guard against both malicious attacks and orphaned sessions caused by remote system crashes.

Click the Secure VTY button in the figure.

The configuration shows how to set the EXEC timeout to 3 minutes and enable TCP keepalives.


4.2.4 - Securing Remote Administrative Access to Routers
The diagram depicts controlling remote administrative access with Telnet and SSH. This includes information on preventing logins on unused lines, VTY access, and securing VTY.

The topology is the same as 4.2.4 Diagram One. A conversation bubble pointing to R1 says, Administrator secures AUX and VTY lines.

Preventing Logins:
R1(config)#line aux 0
R1(config-line)#no password
R1(config-line)#login
% Login disabled on line 65, until password is set
R1(config-line)#exit


VTY Access:
R1(config)#line vty 0 4
R1(config-line)#no transport input
R1(config-line)#transport input telnet ssh
R1(config-line)#exit

Supports incoming Telnet and SSH sessions.

R1(config)#line vty 0 4
R1(config-line)#no transport input
R1(config-line)#transport input ssh
R1(config-line)#exit

Supports only incoming SSH sessions.

Securing VTY:
R1(config)#line vty 0 4
R1(config-line)#exec-timeout 3
R1(config-line)#exit
R1(config)#service tcp-keepalives-in


Page 3:
Implementing SSH to Secure Remote Administrative Access

Traditionally, remote administrative access on routers was configured using Telnet on TCP port 23. However, Telnet was developed in the days when security was not an issue. For this reason, all Telnet traffic is forwarded in plain text.

SSH has replaced Telnet as the best practice for providing remote router administration with connections that support strong privacy and session integrity. SSH uses port TCP 22. It provides functionality that is similar to that of an outbound Telnet connection, except that the connection is encrypted. With authentication and encryption, SSH allows for secure communications over an insecure network.

Not all Cisco IOS images support SSH. Only cryptographic images can. Typically, these images have image IDs of k8 or k9 in their image names. Image names are discussed in Section 5.

The SSH terminal-line access feature enables administrators to configure routers with secure access and perform the following tasks:

  • Connect to a router that has multiple terminal lines connected to consoles or serial ports of other routers, switches, and devices.
  • Simplify connectivity to a router from anywhere by securely connecting to the terminal server on a specific line.
  • Allow modems attached to routers to be used for dial-out securely.
  • Require authentication to each of the lines through a locally defined username and password, or a security server such as a TACACS+ or RADIUS server.

Cisco routers are capable of acting as the SSH client and server. By default, both of these functions are enabled on the router when SSH is enabled. As a client, a router can SSH to another router. As a server, a router can accept SSH client connections.


4.2.4 - Securing Remote Administrative Access to Routers
The diagram depicts controlling remote administrative access with SSH. The topology is the same as 4.2.4 Diagram One, except that a pipe labeled Secure Tunnel passes from the Administrative Host on the LAN through switch S1 and router R1 to router R2. The Administrative Host text is: Host is an SSH client. The router R2 text is: SSH Server and client.


Page 4:
Configuring SSH Security

To enable SSH on the router, the following parameters must be configured:

  • Hostname
  • Domain name
  • Asymmetrical keys
  • Local authentication

Optional configuration parameters include:

  • Timeouts
  • Retries

The following steps configure SSH on a router.

Step 1: Set router parameters

Configure the router hostname with the hostname hostname command from configuration mode.

Step 2: Set the domain name

A domain name must exist to enable SSH. In this example, enter the ip domain-name command from global configuration mode.

Step 3: Generate asymmetric keys

You need to create a key that the router uses to encrypt its SSH management traffic with the crypto key generate rsa command from configuration mode. The router responds with a message showing the naming convention for the keys. Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes. As a best practice, Cisco recommends using a minimum modulus length of 1024. You should be aware that a longer modulus takes longer to generate and to use, but it offers stronger security.

You can learn more about the crypto key command in the Network Security course.

Step 4: Configure local authentication and vty

You must define a local user and assign SSH communication to the vty lines as shown in the figure.

Step 5: Configure SSH timeouts (optional)

Timeouts provide additional security for the connection by terminating lingering, inactive connections. Use the ip ssh time-out seconds and ip ssh authentication-retries integer commands to set the timeout and the number of authentication retries. In this example, set the SSH timeout to 15 seconds and the number of retries to 2.

To connect to a router configured with SSH, you have to use an SSH client application such as PuTTY or TeraTerm. You must be sure to choose the SSH option and that it uses TCP port 22.

Click the Use SSH button in the figure.

Using TeraTerm to connect securely to router R2 with SSH: once the connection is initiated, R2 displays a username prompt, followed by a password prompt. Assuming that the correct credentials are provided, TeraTerm displays the router R2 user EXEC prompt.


4.2.4 - Securing Remote Administrative Access to Routers
The diagram depicts five steps for configuring SSH security. The topology is the same as 4.2.4 Diagram One.

Step 1. Set router parameters.
R2(config)#hostname R2

Step 2. Set the domain name.
R2(config)#ip domain-name cisco.com

Step 3. Generate asymmetric keys.
R2(config)#crypto key generate rsa
Choose the size of the key modulus in the range of 360 to 2048 for your general purpose keys.
Choosing a key modulus greater than 512 may take a few minutes.

How many bits in the modulus [512]: 1024

Generating 1024 bit RSA keys, keys will be non-exportable.

Step 4. Configure local authentication and vty.
R2(config)#username student secret cisco
R2(config)#line vty 0 4
R2(config-line)#transport input ssh
R2(config-line)#login local
R2(config-line)#exit

Step 5. Configure SSH timeouts (optional).
R2(config)#ip ssh time-out 15
R2(config)#ip ssh authentication-retries 2

Use SSH:
Screenshots are shown of a PC using Tera Term to initiate an SSH connection to router R2 using the SSH client. The client selects the SSH service and enters the R2 host IP address. The router presents an authentication challenge, and the client provides a login of student and a password. After authentication, the SSH window opens, and the terminal window shows the R2 router prompt R2>.


Page 5:


4.2.4 - Securing Remote Administrative Access to Routers
The diagram depicts an activity in which you sequence the commands in the proper order to configure SSH security on R1 based on the step numbers and prompts provided. Replace the BLANK with the proper command.

Steps and Prompts:

Step 1. Set router parameters.
Router (config)# BLANK
R1(config)# BLANK
R1(config)# BLANK

Step 2. Generate asymmetric keys.
Choose the size of the key modulus in the range of 360 to 2048 for your general purpose keys. Choosing a key modulus greater than 512 may take a few minutes.

How many bits in the modulus [512]: Enter
Generating 512 bit RSA keys, keys will be non-exportable. OK.
Sep 21 15:41:51.015: SSH-5-ENABLED: SSH 1.5 has been enabled.

Step 3. Configure SSH timeouts and username.
R1(config)# BLANK
R1(config)# BLANK
R1(config)# BLANK

Step 4. Configure local authentication and vty.
R1(config)#line vty 0 4
R1(config-line)# BLANK
R1(config-line)# BLANK
R1(config-line)#end

Commands:
A: ip ssh authentication-retries 2
B: username student secret cisco
C: crypto key generate rsa
D: ip ssh time-out 15
E: hostname R1
F: ip domain-name cisco.com
G: transport input ssh
H: login local


4.2.5 Logging Router Activity

Page 1:
Logs allow you to verify that a router is working properly or to determine whether the router has been compromised. In some cases, a log can show what types of probes or attacks are being attempted against the router or the protected network.

Configuring logging (syslog) on the router should be done carefully. Send the router logs to a designated log host. The log host should be connected to a trusted or protected network or an isolated and dedicated router interface. Harden the log host by removing all unnecessary services and accounts. Routers support different levels of logging. The eight levels range from 0, emergencies indicating that the system is unstable, to 7 for debugging messages that include all router information.

Logs can be forwarded to a variety of locations, including router memory or a dedicated syslog server. A syslog server provides a better solution because all network devices can forward their logs to one central station where an administrator can review them. An example of a syslog server application is Kiwi Syslog Daemon.

Also consider sending the logs to a second storage device, for example, to write-once media or a dedicated printer, to deal with worst-case scenarios (for example, a compromise of the log host).

The most important thing to remember about logging is that logs must be reviewed regularly. By checking over the logs regularly, you can gain a feeling for the normal behavior of your network. A sound understanding of normal operation and its reflection in the logs helps you identify abnormal or attack conditions.

Accurate time stamps are important to logging. Time stamps allow you to trace network attacks more credibly. All routers are capable of maintaining their own time of day, but this is usually not sufficient. Instead, direct the router to at least two different reliable time servers to ensure the accuracy and availability of time information. A Network Time Protocol (NTP) server may have to be configured to provide a synchronized time source for all devices. Configuring this option is beyond the scope of this course.

For example:

R2(config)#service timestamps ?
debug Timestamp debug messages
log Timestamp log messages

R2(config)#service timestamps


Later in this chapter you will learn about the debug command. Output from the debug command can also be sent to logs.
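The regular log review this section asks for is easier when messages are sorted by the 0 to 7 severity scale and when entries without a timestamp are flagged, since those cannot be correlated with other devices. The following Python parser is an added example, not Cisco code or part of the course; the log lines in SAMPLE_LOG are constructed in the IOS message format (the mnemonics and addresses are sample values), and the timestamp form assumed is the one produced by service timestamps log datetime.

```python
"""Parse IOS-format syslog messages by severity and timestamp so that log
review can start from the most urgent entries.  Added example, not Cisco
code; the lines in SAMPLE_LOG are CONSTRUCTED in the IOS message format."""
import re

# Severity names for levels 0..7, as described in this section.
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

# Optional sequence number, optional timestamp (present when 'service
# timestamps log datetime' is configured, '*' when the clock is unsynchronized),
# optional time zone, then %FACILITY-SEVERITY-MNEMONIC: text
LINE_RE = re.compile(
    r"^(?:\d+: )?"
    r"(?:\*?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?:\.\d{3})?)(?: [A-Z]{3,4})?: )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)

SAMPLE_LOG = [  # constructed sample lines
    "Sep 21 15:41:51.015: %SSH-5-ENABLED: SSH 1.5 has been enabled",
    "Sep 21 15:42:10.203: %SYS-5-CONFIG_I: Configured from console by student on vty0 (192.168.10.10)",
    "Sep 21 15:43:02.990: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] "
    "[Source: 10.1.1.2] [localport: 22] [Reason: Login Authentication Failed]",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to down",
    "Sep 21 15:44:30.101: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed",
]


def parse_line(line):
    """Return a dict for one IOS syslog message, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    sev = int(m.group("severity"))
    return {"timestamp": m.group("ts"), "facility": m.group("facility"),
            "severity": sev, "level": SEVERITY_NAMES[sev],
            "mnemonic": m.group("mnemonic"), "text": m.group("text")}


def triage(lines, max_severity=4):
    """Return (urgent, untimed): messages at level max_severity or more severe
    (a lower number is more severe) and messages that carry no timestamp."""
    urgent, untimed = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not an IOS message line (for example, a banner or debug dump)
        if rec["timestamp"] is None:
            untimed.append(rec)
        if rec["severity"] <= max_severity:
            urgent.append(rec)
    return urgent, untimed


if __name__ == "__main__":
    urgent, untimed = triage(SAMPLE_LOG)
    for rec in urgent:
        print(rec["severity"], rec["level"], rec["mnemonic"], rec["text"])
    print("messages without timestamps:", [r["mnemonic"] for r in untimed])
```

With the default threshold of 4 (warnings), the failed SSH login and the memory failure are reported first; the LINEPROTO message is reported separately because it carries no timestamp, which is exactly the condition the service timestamps command corrects.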


4.2.5 - Logging Router Activity
The diagram depicts a host used for logging.

Network Topology:
The logging host PC1 and an administration host are connected to switch S1 on the Management LAN, which is connected to router R1. Router R1 is connected to router R2 via a WAN link. R2 is connected to the ISP router via a WAN link.

The logging host is:
- Dedicated to storing logs.
- Connected on a protected network or a dedicated router interface.


4.3 Secure Router Network Services

4.3.1 Vulnerable Router Services and Interfaces

Page 1:
Vulnerable Router Services and Interfaces

Cisco routers support a large number of network services at Layers 2, 3, 4, and 7, as described in the figure. Some of these services are Application layer protocols that allow users and host processes to connect to the router. Others are automatic processes and settings intended to support legacy or specialized configurations that pose security risks. Some of these services can be restricted or disabled to improve security without degrading the operational use of the router. General security practice for routers is to support only the traffic and protocols a network needs.

Most of the services listed in this section are usually not required. The table in the figure describes general vulnerable router services and lists best practices associated with those services.

Turning off a network service on the router itself does not prevent it from supporting a network where that protocol is employed. For example, a network may require TFTP services to back up configuration files and IOS images. This service is typically provided by a dedicated TFTP server. In certain instances, a router could also be configured as a TFTP server. However, this is very unusual. Therefore, in most cases the TFTP service on the router should be disabled.

In many cases, Cisco IOS software supports turning a service off entirely, or restricting access to particular network segments or sets of hosts. If a particular portion of a network needs a service but the rest does not, the restriction features should be employed to limit the scope of the service.

Turning off an automatic network feature usually prevents a certain kind of network traffic from being processed by the router, or prevents it from traversing the router. For example, IP source routing is a little-used feature of IP that can be utilized in network attacks. Unless it is required for the network to operate, IP source routing should be disabled.

Note: CDP is leveraged in some IP Phone implementations. This needs to be considered before broadly disabling the service.


4.3.1 - Vulnerable Router Services and Interfaces
The diagram depicts a tabular listing of vulnerable router services. The columns in the table are Feature, Description, Default, and Recommendation.

Feature: Cisco Discovery Protocol (CDP)
Description: Proprietary Layer 2 protocol between Cisco devices.
Default: Enabled.
Recommendation: CDP is almost never needed; disable it.

Feature: TCP small servers.
Description: Standard TCP network services: echo, chargen, and so on.
Default: >=11.3: disabled, 11.2: enabled.
Recommendation: This is a legacy feature; disable it explicitly.

Feature: UDP small servers
Description: Standard UDP network services: echo, discard, and so on.
Default: >=11.3: disabled, 11.2: enabled
Recommendation: This is a legacy feature; disable it explicitly.

Feature: Finger.
Description: UNIX user lookup service, allows remote listing of users.
Default: Enabled.
Recommendation: Unauthorized persons do not need to know this; disable it.

Feature: HTTP server.
Description: Some Cisco I O S devices offer a web-based configuration.
Default: Varies by device.
Recommendation: If not in use, explicitly disable; otherwise, restrict access.

Feature: BOOT P server.
Description: Service to allow other routers to boot from this one.
Default: Enabled.
Recommendation: This is rarely needed and may open a security hole; disable it.

Feature: Configuration auto-loading.
Description: Router attempts to load its configuration via TFTP.
Default: Disabled.
Recommendation: This is rarely used; disable it if it is not in use.

Feature: IP source routing.
Description: IP feature that allows packets to specify their own routes.
Default: Enabled.
Recommendation: This rarely used feature can be helpful in attacks; disable it.

Feature: Proxy ARP.
Description: Router acts as a proxy for Layer 2 address resolution.
Default: Enabled.
Recommendation: Disable this service unless the router is serving as a LAN bridge.

Feature: IP directed broadcast.
Description: Packets can identify a target LAN for broadcasts.
Default: >=11.3: enabled.
Recommendation: Directed broadcast can be used for attacks; disable it.

Feature: Classless routing behavior.
Description: Router forwards packets with no concrete route.
Default: Enabled.
Recommendation: Certain attacks can benefit from this; disable it, unless your network requires it.

Feature: IP unreachable notifications.
Description: Router explicitly notifies senders of incorrect IP addresses.
Default: Enabled.
Recommendation: Can aid network mapping; disable on interfaces to untrusted networks.

Feature: IP mask reply.
Description: Router sends an IP address mask of the interface in response to an ICMP mask request.
Default: Disabled.
Recommendation: Can aid IP address mapping; explicitly disable on interfaces to untrusted networks.

Feature: IP redirects.
Description: Router sends an ICMP redirect message in response to certain routed IP packets.
Default: Enabled.
Recommendation: Can aid network mapping; disable on interfaces to untrusted networks.

Feature: NTP service.
Description: Router can act as a time server for other devices and hosts.
Default: Enabled (if NTP is configured).
Recommendation: If not in use, explicitly disable; otherwise, restrict access.

Feature: Simple Network Management Protocol.
Description: Routers can support SNMP remote query and configuration.
Default: Enabled.
Recommendation: If not in use, explicitly disable; otherwise, restrict access.

Feature: Domain Name Service
Description: Routers can perform DNS name resolution.
Default: Enabled
Recommendation: Set the DNS server address explicitly, or disable DNS.


Page 2:
A variety of commands are required to disable services. The show running-config output in the figure provides a sample configuration in which various services have been disabled. Services that should typically be disabled include:

  • Small services such as echo, discard, and chargen - Use the no service tcp-small-servers or no service udp-small-servers command.
  • BOOTP - Use the no ip bootp server command.
  • Finger - Use the no service finger command.
  • HTTP - Use the no ip http server command.
  • SNMP - Use the no snmp-server command.

It is also important to disable services that allow certain packets to pass through the router, send special packets, or are used for remote router configuration. The corresponding commands to disable these services are:

  • Cisco Discovery Protocol (CDP) - Use the no cdp run command.
  • Remote configuration - Use the no service config command.
  • Source routing - Use the no ip source-route command.
  • Classless routing - Use the no ip classless command.

The interfaces on the router can be made more secure by using certain commands in interface configuration mode:

  • Unused interfaces - Use the shutdown command.
  • No SMURF attacks - Use the no ip directed-broadcast command.
  • Ad hoc routing - Use the no ip proxy-arp command.


4.3.1 - Vulnerable Router Services and Interfaces
The diagram depicts a terminal window with commands for disabling vulnerable router services and interfaces.
! IP and network services section
no cdp run
no ip source-route
no ip classless
no service tcp-small-servers
no service udp-small-servers
no ip finger
no ip bootp server
no ip http server
no ip name-server
! Boot control section
no boot network
no service config
! SNMP section (for totally disabling SNMP)
! set up totally restrictive access list
no access-list 70
access-list 70 deny any
! make SNMP read-only and subject to access list
snmp-server community aqiytji726540942 ro 70
! disable SNMP trap and system-shutdown features
no snmp-server enable traps
no snmp-server system-shutdown
no snmp-server trap-auth
! turn off SNMP altogether
no snmp-server
! Per-interface services section
interface ethernet 0/0
 description Outside interface to 14.1.0.0 /16 net
 no ip proxy-arp
 no ip directed-broadcast
 no ip unreachables
 no ip redirects
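The recommendations of this section and of 4.2.4 (SSH-only VTY lines with an EXEC timeout and TCP keepalives, local authentication in place, unneeded services disabled globally and per interface, unused interfaces shut down) can be checked mechanically against a saved running-config. The following Python checker is an added example, not Cisco tooling or code from the course; the configuration text it audits is constructed for the example (hostname, interface names and addresses are assumed), and the command list it checks is the one given on this page.

```python
"""Audit an IOS-style running-config against the hardening this chapter
describes: SSH-only VTY lines with timeouts and keepalives (4.2.4) and
unneeded services disabled globally and per interface (4.3.1).
Added example, not Cisco tooling; SAMPLE_CONFIG below is CONSTRUCTED."""
import re

SAMPLE_CONFIG = """\
hostname R2
ip domain-name example.com
service tcp-keepalives-in
no cdp run
no ip source-route
no service tcp-small-servers
no service udp-small-servers
no ip bootp server
ip http server
username student secret cisco
interface Serial0/0/1
 ip address 10.1.1.2 255.255.255.252
 no ip proxy-arp
 no ip directed-broadcast
interface FastEthernet0/0
 ip address 192.168.20.1 255.255.255.0
line vty 0 4
 exec-timeout 3 0
 transport input telnet ssh
 login local
"""

# Global commands the chapter says to apply explicitly (4.3.1, Page 2).
# 'no cdp run' is included; keep CDP where IP phones depend on it.
REQUIRED_GLOBAL = (
    "service tcp-keepalives-in",
    "no cdp run",
    "no ip source-route",
    "no service tcp-small-servers",
    "no service udp-small-servers",
    "no ip bootp server",
    "no service finger",
    "no ip http server",
    "no service config",
)
# Interface-mode commands from the same page.
REQUIRED_INTERFACE = ("no ip proxy-arp", "no ip directed-broadcast")


def parse_config(text):
    """Map every unindented line to its indented child lines, in file order."""
    sections, current = {}, ""
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and IOS comments
        if raw.startswith(" "):
            sections.setdefault(current, []).append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    sections = parse_config(text)
    findings = []

    for cmd in REQUIRED_GLOBAL:
        if cmd not in sections:
            findings.append(f"global: missing '{cmd}'")

    # SSH prerequisites visible in the config (RSA keys are not shown in a
    # running-config, so 'crypto key generate rsa' cannot be checked here).
    if not any(h.startswith("hostname ") for h in sections):
        findings.append("ssh: hostname not set")
    if not any(h.startswith("ip domain-name ") for h in sections):
        findings.append("ssh: ip domain-name not set")
    if not any(re.match(r"username \S+ secret ", h) for h in sections):
        findings.append("ssh: no local username with a secret for 'login local'")

    for header, children in sections.items():
        if header.startswith("line vty"):
            transports = [c for c in children if c.startswith("transport input")]
            if transports != ["transport input ssh"]:
                findings.append(f"{header}: transport input should be 'ssh' only, found {transports}")
            timeout = next((c.split()[1:] for c in children if c.startswith("exec-timeout")), None)
            if timeout is None or all(v == "0" for v in timeout):
                findings.append(f"{header}: exec-timeout missing or disabled")
            if not any(c.startswith("login") for c in children):
                findings.append(f"{header}: no login authentication configured")
        elif header.startswith("interface "):
            if "shutdown" in children:
                continue  # a shut-down unused interface needs nothing further
            if not any(c.startswith("ip address") for c in children):
                findings.append(f"{header}: unused interface is not shut down")
            for cmd in REQUIRED_INTERFACE:
                if cmd not in children:
                    findings.append(f"{header}: missing '{cmd}'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the sample configuration the checker reports the HTTP server left enabled, finger and configuration auto-loading not explicitly disabled, the LAN interface lacking the proxy-ARP and directed-broadcast commands, and the VTY lines still accepting Telnet. One caveat when using this against real output: show running-config omits settings that are at their default, so on an image where the small servers are off by default an absent no service tcp-small-servers line is not an exposure; treat the global findings as prompts to confirm with the relevant show commands rather than as certain faults.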


Page 3:
SNMP, NTP, and DNS Vulnerabilities

The figure describes three management services which should also be secured. The methods for disabling or tuning the configurations for these services are beyond the scope of this course. These services are covered in the CCNP: Implementing Secure Converged Wide-area Network course.
The descriptions and guidelines to secure these services are listed below.

SNMP

SNMP is the standard Internet protocol for automated remote monitoring and administration. There are several different versions of SNMP with different security properties. Versions of SNMP prior to version 3 shuttle information in clear text. Normally, SNMP version 3 should be used.

NTP

Cisco routers and other hosts use NTP to keep their time-of-day clocks accurate. If possible, network administrators should configure all routers as part of an NTP hierarchy, which makes one router the master timer and provides its time to other routers on the network. If an NTP hierarchy is not available on the network, you should disable NTP.

Disabling NTP on an interface does not prevent NTP messages from traversing the router. To reject all NTP messages at a particular interface, use an access list.

DNS

Cisco IOS software supports looking up hostnames with the Domain Name System (DNS). DNS provides the mapping between names, such as central.mydomain.com, and IP addresses, such as 14.2.9.250.

Unfortunately, the basic DNS protocol offers no authentication or integrity assurance. By default, name queries are sent to the broadcast address 255.255.255.255.

If one or more name servers are available on the network, and it is desirable to use names in Cisco IOS commands, explicitly set the name server addresses using the global configuration command ip name-server addresses. Otherwise, turn off DNS name resolution with the command no ip domain-lookup. It is also a good idea to give the router a name, using the command hostname. The name given to the router appears in the prompt.


4.3.1 - Vulnerable Router Services and Interfaces
The diagram depicts SNMP, NTP, and DNS vulnerabilities.

SNMP: Versions 1 and 2 pass management information and community strings (passwords) in clear text.

NTP: NTP leaves listening ports open and vulnerable.

DNS: Can help attackers connect IP addresses to domain names.


4.3.2 Securing Routing Protocols

Page 1:
Routing Protocol Authentication Overview

As a network administrator, you have to be aware that your routers are at risk from attack just as much as your end-user systems. Anyone with a packet sniffer such as Wireshark can read information propagating between routers. In general, routing systems can be attacked in two ways:

  • Disruption of peers
  • Falsification of routing information

Disruption of peers is the less critical of the two attacks because routing protocols heal themselves, making the disruption last only slightly longer than the attack itself.

A more subtle class of attack targets the information carried within the routing protocol. Falsified routing information may generally be used to cause systems to misinform (lie to) each other, cause a DoS, or cause traffic to follow a path it would not normally follow. The consequences of falsifying routing information are as follows:

1. Redirect traffic to create routing loops as shown in the figure

2. Redirect traffic so it can be monitored on an insecure link

3. Redirect traffic to discard it

A straightforward way to attack the routing system is to attack the routers running the routing protocols, gain access to the routers and inject false information. Be aware that anyone "listening" can capture routing updates.

Click the Play button in the figure to view an animation of a routing loop attack.

The animation shows an example of an attack that creates a routing loop. An attacker has been able to connect directly to the link between routers R2 and R3. The attacker injects false routing information destined to router R1 only, indicating that R3 is the preferred destination to the 192.168.10.10/32 host route. Although R1 has a routing table entry to the directly connected 192.168.10.0/24 network, it will add the injected route to its routing table because of the longer subnet mask. A route with a longer matching subnet mask is considered to be superior to a route with a shorter subnet mask. Consequently, when a router receives a packet, it selects the route with the longer subnet mask because it is a more precise route to the destination.

When PC3 sends a packet to PC1 (192.168.10.10/24), R1 will not forward the packet to the PC1 host. Instead it will route the packet to router R3, because, as far as it is concerned, the best path to 192.168.10.10/32 is through R3. When R3 gets the packet, it will look in its routing table and forward the packet back to R1, which creates the loop.
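The longest-prefix rule that makes R1 prefer the injected /32 over its own connected /24, and the loop that results, can be reproduced with a few lines of routing-table logic. The following Python model is an added example, not part of the course; the tables are constructed to match the figure (R3 returns 192.168.10.0/24 traffic to R1, as the animation shows), and the next-hop names are assumptions.

```python
"""Why the injected 192.168.10.10/32 route wins over the connected /24, and
how the resulting forwarding loop looks.  Added example (Python, not Cisco
code); the tables model the figure's R1/R3 loop and are CONSTRUCTED."""
import ipaddress


def make_table(entries):
    """Routing table as a list of (network, next_hop)."""
    return [(ipaddress.ip_network(net), hop) for net, hop in entries]


def best_route(table, destination):
    """Longest-prefix match: the most specific entry containing the address."""
    dst = ipaddress.ip_address(destination)
    matches = [entry for entry in table if dst in entry[0]]
    return max(matches, key=lambda e: e[0].prefixlen, default=None)


def trace(tables, start, destination, max_hops=8):
    """Follow next hops router by router.  Returns (path, looped)."""
    path, current = [start], start
    for _ in range(max_hops):
        route = best_route(tables[current], destination)
        if route is None:
            return path, False             # no route: the packet is dropped
        nxt = route[1]
        if nxt == "connected":
            return path + ["host"], False  # delivered on the local LAN
        path.append(nxt)
        if nxt in path[:-1]:
            return path, True              # revisited a router: routing loop
        current = nxt
    return path, True


# Legitimate tables: R1 owns 192.168.10.0/24; R3 reaches it via R1
# (the figure shows R3 sending the packet straight back to R1).
TABLES = {
    "R1": make_table([("192.168.10.0/24", "connected"), ("192.168.30.0/24", "R2")]),
    "R2": make_table([("192.168.10.0/24", "R1"), ("192.168.30.0/24", "R3")]),
    "R3": make_table([("192.168.30.0/24", "connected"), ("192.168.10.0/24", "R1")]),
}


def inject(tables, router, network, next_hop):
    """Model an unauthenticated update being accepted into `router`'s table."""
    tables[router].append((ipaddress.ip_network(network), next_hop))


if __name__ == "__main__":
    print(trace(TABLES, "R1", "192.168.10.10"))   # (['R1', 'host'], False)
    inject(TABLES, "R1", "192.168.10.10/32", "R3")
    print(trace(TABLES, "R1", "192.168.10.10"))   # (['R1', 'R3', 'R1'], True)
```

Before the injection the /24 is the only match and the packet is delivered locally; after it, the /32 wins the comparison on prefix length alone, R1 hands the packet to R3, and R3's own table sends it straight back. Nothing in the lookup itself can tell a legitimate host route from a forged one, which is why the next page authenticates the updates rather than trying to filter them by content.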

The best way to protect routing information on the network is to authenticate routing protocol packets using message digest algorithm 5 (MD5). An algorithm like MD5 allows the routers to compare signatures that should all be the same.

Click the Protect Update button in the figure.

The figure shows how each router in the update chain creates a signature. The three components of such a system include:

1. Encryption algorithm, which is generally public knowledge

2. Key used in the encryption algorithm, which is a secret shared by the routers authenticating their packets

3. Contents of the packet itself

Click the Operation button in the figure.

Click Play to view an animation.

In the animation we see how each router authenticates the routing information. Generally, the originator of the routing information produces a signature using the key and the routing data it is about to send as inputs to the encryption algorithm. The routers receiving this routing data then repeat the process using the same algorithm, the same key, and the data they have received. If the signature the receiver computes is the same as the signature the sender computed, the data and key must be the same as the sender transmitted, and the update is authenticated.

RIPv2, EIGRP, OSPF, IS-IS, and BGP all support various forms of MD5 authentication.


4.3.2 - Securing Routing Protocols
The diagram depicts an overview of routing protocol authentication. Information is provided on attacks, protecting updates, and operation.

Attack:
Network Topology:
PC1 is connected to switch S1, which is connected to router R1. Router R1 is connected to router R2 with a WAN link. Router R2 is connected to a cloud and then to R3, which is connected to switch S3 and finally PC3.

PC1 IP Address: 192.168.10.10/24
PC3 IP Address: 192.168.30.10/24

Attack:
As the animation progresses:
A. An attacker sends an update that says: Tell R1 that 192.168.10.10/32 is reachable through R3. As a result, R1 updates its routing table.
B. PC3 sends a packet to R3 destined for PC1 at 192.168.10.10.
C. R1 receives the packet and should forward it to PC1.
D. The attacker manipulated R1's routing information, so R1 forwards the packet to R3.
E. Router R3 knows better and sends the packet back to R1, thereby creating a loop.

Protecting Updates:
The diagram shows using the MD5 encryption algorithm to authenticate packets. A key (for example, cisco) and routing data are fed into the MD5 encryption algorithm to create a signature.

Operation:
The network topology is the same as the one for the attack animation, except that routers R2 and R3 are connected via a WAN link.
As the animation progresses:
A. R3 sends an update and computed signature to R2.
B. Router R2 receives the update and computes the signature.
C. Router R1 then receives the update and also computes the signature.
D. The routers compare signatures, and the routing updates are authenticated.


Page 2:
Configuring RIPv2 with Routing Protocol Authentication

The topology in the figure displays a network configured with the RIPv2 routing protocol. RIPv2 supports routing protocol authentication. To secure routing updates, each router must be configured to support authentication. The steps to secure RIPv2 updates are as follows:

Step 1. Prevent RIP routing update propagation

Step 2. Prevent unauthorized reception of RIP updates

Step 3. Verify the operation of RIP routing

Prevent RIP Routing Update Propagation

You need to prevent an intruder listening on the network from receiving updates to which they are not entitled. You do this by forcing all interfaces on the router into passive mode, and then bringing up only those interfaces that are required for sending and receiving RIP updates. An interface in passive mode receives updates but does not send updates. You must configure passive mode interfaces on all the routers in the network.

Click the Config button then Step 1.

The figure shows the configuration commands to control which interfaces will participate in the routing updates. Routing updates should never be advertised on interfaces which are not connected to other routers. For example, the LAN interfaces on router R1 do not connect to other routers and therefore should not advertise routing updates. Only the S0/0/0 interface on router R1 should advertise routing updates.

In the screen output, the passive-interface default command disables routing advertisements on all interfaces. This also includes the S0/0/0 interface. The no passive-interface s0/0/0 command enables the S0/0/0 interface to send and receive RIP updates.

Click the Topology button then Step 2.

Prevent Unauthorized Reception of RIP Updates

In the figure, the intruder is prevented from intercepting RIP updates because MD5 authentication has been enabled on routers R1, R2, and R3, the routers that are participating in the RIP updates.

Click the Config button then Step 2.

The output shows the commands to configure routing protocol authentication on router R1. Routers R2 and R3 also need to be configured with these commands on the appropriate interfaces.

The example shows the commands to create a key chain named RIP_KEY. Although multiple keys can be configured, our example shows only one key. Key 1 is configured to contain a key string called cisco. The key string is similar to a password, and routers exchanging authentication keys must be configured with the same key string. Interface S0/0/0 is configured to support MD5 authentication. The RIP_KEY chain and the routing update are processed using the MD5 algorithm to produce a unique signature.

Once R1 is configured, the other routers will receive routing updates carrying a unique signature and consequently will no longer be able to validate the updates from R1. This condition will remain until each router in the network is configured with routing protocol authentication.

Click the Topology button then Step 3.

Verify the Operation of RIP Routing

After you have configured all the routers in the network you need to verify the operation of RIP routing in the network.

Click the Config button then Step 3.

Using the show ip route command the output confirms that router R1 has authenticated with the other routers and has been able to acquire the routes from the routers R2 and R3.


4.3.2 - Securing Routing Protocols
The diagram depicts configuring RIPv2 with routing protocol authentication using three steps. The network topology is the same as the one for the attack animation, except that the R1 S0/0/0 interface has an IP address of 10.1.1.1/30, and the R2 S0/0/0 interface has an IP address of 10.1.1.2/30. LAN 192.168.20.1/24 is also attached to R2.

Step One - Prevent RIP routing update propagation. A text bubble is pointing to routers R1 and R3 stating: Prevent RIP routing update propagation to those without entitlement.

R1 configuration commands:
R1(config)#router rip
R1(config-router)#passive-interface default
R1(config-router)#no passive-interface s0/0/0

Step Two - Prevent unauthorized reception of RIP updates. A text bubble is pointing to routers R1, R2, and R3 stating: Configure RIP authentication.

R1 configuration commands:
R1(config)#key chain RIP_KEY
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string cisco

R1(config)#int s0/0/0
R1(config-if)#ip rip authentication mode md5
R1(config-if)#ip rip authentication key-chain RIP_KEY

Step Three - Verify RIP routing. A text bubble is pointing to router R1 stating: Verify RIP routing.

R1 verification commands:
R1#show ip route
Codes: C - connected, S - static, R - RIP,
Output omitted.

R    192.168.30.0/24 [120/2] via 10.1.1.2, 00:00:16, Serial0/0/0
C    192.168.10.0/24 is directly connected, FastEthernet0/0
R    192.168.20.0/24 [120/1] via 10.1.1.2, 00:00:13, Serial0/0/0
     10.0.0.0/8 is variably subnetted, 2 subnets, 1 masks
Output omitted.
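The signing and comparison that Steps 1 and 2 describe, as an added Python example (not code from the course or from Cisco): it models R1 and R2 with a simplified keyed MD5 signature, MD5 over the update bytes followed by the key string, which stands in for the RFC 2082 authentication trailer (the real RIPv2 packet layout is different), and it models the passive-interface behaviour of Step 1. The Router class, its fields and the sample route 192.168.10.0/24 are constructed for the example; the key chain name RIP_KEY and the key string cisco come from the page. Note that the signature is a keyed hash, not encryption: a router without the key can still read an update, it just cannot produce or check the signature, and an update altered in transit fails the comparison.

```python
import hashlib
from dataclasses import dataclass, field


def rip_signature(update: bytes, key_string: str) -> str:
    """Keyed MD5 over the update followed by the key string (simplified RFC 2082).

    The key string itself is never sent; both ends compute this value and compare.
    """
    return hashlib.md5(update + key_string.encode()).hexdigest()


@dataclass
class Router:
    """Minimal model of the RIP-related configuration on one router (constructed)."""
    name: str
    interfaces: list
    passive_default: bool = True                     # 'passive-interface default'
    active: set = field(default_factory=set)         # 'no passive-interface <if>'
    key_chain: dict = field(default_factory=dict)    # key chain name -> key-string
    auth_ifaces: dict = field(default_factory=dict)  # interface -> key chain name
    received: list = field(default_factory=list)     # accepted update payloads

    def sends_on(self, iface: str) -> bool:
        """Step 1: a passive interface receives updates but never sends them."""
        return (iface in self.active) if self.passive_default else True

    def build_update(self, iface: str, routes: list):
        """Return (update bytes, signature or None) as sent out of iface."""
        update = "|".join(routes).encode()
        chain = self.auth_ifaces.get(iface)
        sig = rip_signature(update, self.key_chain[chain]) if chain else None
        return update, sig

    def accept_update(self, iface: str, update: bytes, sig) -> bool:
        """Step 2: recompute the signature with the local key and compare."""
        chain = self.auth_ifaces.get(iface)
        if chain is None:
            ok = sig is None  # no authentication configured: unsigned updates only
        else:
            ok = sig is not None and sig == rip_signature(update, self.key_chain[chain])
        if ok:
            self.received.append(update.decode())
        return ok


def step1_update_propagation() -> dict:
    """R1 with 'passive-interface default' and 'no passive-interface s0/0/0'."""
    r1 = Router("R1", ["fa0/0", "s0/0/0"], passive_default=True, active={"s0/0/0"})
    return {iface: r1.sends_on(iface) for iface in r1.interfaces}


def step2_authentication() -> dict:
    """R1 and R2 share key chain RIP_KEY (key-string cisco) on their s0/0/0 link."""
    r1 = Router("R1", ["fa0/0", "s0/0/0"], active={"s0/0/0"},
                key_chain={"RIP_KEY": "cisco"}, auth_ifaces={"s0/0/0": "RIP_KEY"})
    r2 = Router("R2", ["s0/0/0", "s0/0/1"], active={"s0/0/0", "s0/0/1"},
                key_chain={"RIP_KEY": "cisco"}, auth_ifaces={"s0/0/0": "RIP_KEY"})
    r3 = Router("R3", ["s0/0/1"], active={"s0/0/1"})  # not yet configured for auth
    update, sig = r1.build_update("s0/0/0", ["192.168.10.0/24"])  # constructed route
    results = {}
    # Same key string on both ends: R2's recomputed signature matches.
    results["r2_accepts_genuine"] = r2.accept_update("s0/0/0", update, sig)
    # An update altered in transit no longer matches the signature R2 recomputes.
    tampered = update.replace(b"192.168.10.0", b"192.168.99.0")
    results["r2_rejects_tampered"] = r2.accept_update("s0/0/0", tampered, sig)
    # A signature made with a different key string is rejected.
    results["r2_rejects_wrong_key"] = r2.accept_update(
        "s0/0/0", update, rip_signature(update, "not-the-key"))
    # A router without authentication configured cannot validate signed updates,
    # the condition the page describes until every router is configured.
    results["r3_unconfigured_accepts"] = r3.accept_update("s0/0/1", update, sig)
    results["r2_route_table"] = list(r2.received)
    return results


if __name__ == "__main__":
    print(step1_update_propagation())
    print(step2_authentication())
```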


Page 3:
Overview of Routing Protocol Authentication for EIGRP and OSPF

Routing protocol authentication should also be configured for other routing protocols such as EIGRP and OSPF. For details on routing protocol authentication for EIGRP and OSPF, refer to CCNP2: Implementing Secure Converged Wide-area Networks.

Click the EIGRP button in the figure.

EIGRP

The figure shows the commands used to configure routing protocol authentication for EIGRP on router R1. These commands are very similar to the ones you used for RIPv2 MD5 authentication. The steps to configure EIGRP routing protocol authentication on router R1 are as follows:

Step 1. The top highlighted area shows how to create a key chain to be used by all routers in your network. These commands create a key chain named EIGRP_KEY, place your terminal in key chain configuration mode, and define key number 1 with a key string value of cisco.

Step 2. The bottom highlighted area shows how to enable MD5 authentication in EIGRP packets traversing an interface.

Click the OSPF button in the figure.

OSPF

The figure shows the commands used to configure routing protocol authentication for OSPF on router R1 on interface S0/0/0. The first command specifies the key that will be used for MD5 authentication. The next command enables MD5 authentication.


4.3.2 - Securing Routing Protocols
The diagram depicts the configuration of EIGRP and OSPF routing protocol authentication.

Network Topology:
There are three routers, R1, R2, and R3. Router R1 is connected to router R2 with a WAN link. Router R2 is connected to R3 with a WAN link. Diagram text states: MD5 authentication can be configured for EIGRP and OSPF.

The figure shows the commands used to configure routing protocol authentication for OSPF.

Router R1 S0/0/0 interface IP address: 10.1.1.1/30
Router R2 S0/0/0 interface IP address: 10.1.1.2/30
Router R2 S0/0/1 interface IP address: 10.2.2.1/30
Router R3 S0/0/1 interface IP address: 10.2.2.2/30

EIGRP MD5 authentication configuration:
R1(config)#key chain EIGRP_KEY
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string cisco
R1(config-keychain-key)#exit
R1(config-keychain)#exit

R1(config)#interface s0/0/0
R1(config-if)#ip authentication mode eigrp 1 md5
R1(config-if)#ip authentication key-chain eigrp 1 EIGRP_KEY

OSPF authentication configuration:
R1(config)#interface s0/0/0
R1(config-if)#ip ospf message-digest-key 1 md5 cisco
R1(config-if)#ip ospf authentication message-digest
R1(config-i f)#exit

R1(config)#router ospf 10
R1(config-router)#area 0 authentication message-digest


Page 4:
This activity covers both OSPF simple authentication and OSPF MD5 (message digest 5) authentication. You can enable authentication in OSPF to exchange routing update information in a secure manner. With simple authentication, the password is sent in clear-text over the network. Simple authentication is used when devices within an area cannot support the more secure MD5 authentication. With MD5 authentication, the password is not sent over the network. MD5 is considered the most secure OSPF authentication mode. When you configure authentication, you must configure an entire area with the same type of authentication. In this activity, you will configure simple authentication between R1 and R2, and MD5 authentication between R2 and R3.

Detailed instructions are provided within the activity as well as in the PDF link below.

Activity Instructions (PDF)

Click the Packet Tracer icon for more details.


4.3.2 - Securing Routing Protocols
Link to Packet Tracer Exploration: Configuring OSPF Authentication


4.3.3 Locking Down Your Router with Cisco Auto Secure

Page 1:
Cisco AutoSecure uses a single command to disable non-essential system processes and services, eliminating potential security threats. You can configure AutoSecure in privileged EXEC mode using the auto secure command in one of these two modes:

  • Interactive mode - This mode prompts you with options to enable and disable services and other security features. This is the default mode.
  • Non-interactive mode - This mode automatically executes the auto secure command with the recommended Cisco default settings. This mode is enabled with the no-interact command option.

Click the Router Output button in the figure.

Perform AutoSecure on a Cisco Router

The screen output shows partial output from a Cisco AutoSecure configuration. To start the process of securing a router, issue the auto secure command. Cisco AutoSecure will ask you for a number of items, including:

  • Interface specifics
  • Banners
  • Passwords
  • SSH
  • IOS firewall features

Note: The Cisco Router and Security Device Manager (SDM) provides a feature similar to the Cisco AutoSecure command. This feature is described in the "Using Cisco SDM" section.


4.3.3 - Locking Down Your Router with Cisco Auto Secure
The diagram depicts locking down your router with Cisco AutoSecure.

Network Topology:
P1 is connected to switch S1, which is connected to router R1. Router R1 is connected to router R2 with a WAN link. Router R2 is connected to ISP with a WAN link. A system administrator laptop is connected to R2. A text bubble states: System administrator locks down R2 using Cisco AutoSecure.

Router R1 AutoSecure configuration:
R1#auto secure
Is this router connected to internet? [no]:y
Enter the number of interface facing internet [1]:1
Enter the interface name that is facing internet: Serial0/1/0
Securing Management plane services..

Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol
(output omitted)


4.4 Using Cisco SDM

4.4.1 Cisco SDM Overview

Page 1:
What is Cisco SDM?

The Cisco Router and Security Device Manager (SDM) is an easy-to-use, web-based device-management tool designed for configuring LAN, WAN, and security features on Cisco IOS software-based routers.

The figure shows the main screen of SDM. The interface helps network administrators of small- to medium-sized businesses perform day-to-day operations. It provides easy-to-use smart wizards, automates router security management, and assists through comprehensive online help and tutorials.

Cisco SDM supports a wide range of Cisco IOS software releases. It ships preinstalled by default on all new Cisco integrated services routers. If it is not preinstalled, you will have to install it. The SDM files can be installed on the router, a PC, or on both. An advantage of installing SDM on the PC is that it saves router memory, and allows you to use SDM to manage other routers on the network. If Cisco SDM is pre-installed on the router, Cisco recommends using Cisco SDM to perform the initial configuration.


4.4.1 - Cisco SDM Overview
The diagram depicts a screenshot of the Cisco router and Security Device Manager (SDM) main screen. SDM is a web-based, device-management tool designed for configuring LAN, WAN, and security features on Cisco I O S software-based routers.


Page 2:
Cisco SDM Features

Cisco SDM simplifies router and security configuration through the use of several intelligent wizards to enable efficient configuration of key router virtual private network (VPN) and Cisco IOS firewall parameters. This capability permits administrators to quickly and easily deploy, configure, and monitor Cisco access routers.

Cisco SDM smart wizards guide users step-by-step through router and security configuration workflow by systematically configuring LAN and WAN interfaces, firewall, IPS, and VPNs.

Cisco SDM smart wizards can intelligently detect incorrect configurations and propose fixes, such as allowing DHCP traffic through a firewall if the WAN interface is DHCP-addressed. Online help embedded within Cisco SDM contains appropriate background information, in addition to step-by-step procedures to help users enter correct data in Cisco SDM.


4.4.1 - Cisco SDM Overview
The diagram depicts a listing of Cisco SDM features. These include:
- Embedded web-based management tool
- Intelligent wizards
- Tools for more advanced users
- ACL
- VPN crypto map editor
- Cisco I O S C L I preview


4.4.2 Configuring Your Router to Support Cisco SDM

Page 1:
Cisco SDM should be installed on all new Cisco routers. If you have a router that is already in use but that does not have Cisco SDM, you can install and run it without disrupting network traffic. Before you can install it on an operational router, you must ensure that a few configuration settings are present in the router configuration file. The figure shows a topology in which the system administrator will install Cisco SDM on router R1.

To configure Cisco SDM on a router already in use, without disrupting network traffic, follow these steps:

Step 1. Access the router's Cisco CLI interface using Telnet or the console connection

Step 2. Enable the HTTP and HTTPS servers on the router

Step 3. Create a user account defined with privilege level 15 (enable privileges).

Step 4. Configure SSH and Telnet for local login and privilege level 15.

Click the Router Output button in the figure.

The screen output shows an example of the configuration needed to ensure you can install and run Cisco SDM on a production router without disrupting network traffic.


4.4.2 - Configuring Your Router to Support Cisco SDM
The diagram depicts the configuration of a router to support SDM.

Network Topology:
PC1 is connected to switch S1, which is connected to router R1. Router R1 is connected to router R2 with a WAN link. A TFTP server with IP address 192.168.20.254/24 is connected to R2. A system administrator laptop is connected to switch S1. A text bubble states: Administrator configures router R1 so Cisco SDM can be installed and run without disrupting network traffic.

Router R1 SDM configuration:
R1#configure terminal
Enter configuration commands, one per line. End with CTRL/Z.
R1(config)#ip http server
R1(config)#ip http secure-server
R1(config)#ip http authentication local
R1(config)#username Student privilege 15 secret cisco
R1(config)#line vty 0 4
R1(config-line)#privilege level 15
R1(config-line)#login local
R1(config-line)#transport input telnet ssh
R1(config-line)# exit


4.4.3 Starting Cisco SDM

Page 1:
Cisco SDM is stored in the router flash memory. It can also be stored on a local PC. To launch Cisco SDM, use the HTTPS protocol and enter the IP address of the router in the browser. The figure shows the browser with an address of https://198.162.20.1 and the launch page for Cisco SDM. The http:// prefix can be used if SSL is not available. When the username and password dialog box appears (not shown), enter the username and password for the privileged (privilege level 15) account on the router. After the launch page appears, a signed Cisco SDM Java applet starts; it must remain open while Cisco SDM is running. Because the Java applet is signed, you may be prompted to accept a certificate. The certificate security alert appears in the bottom right of the figure.

Note: The sequence of login steps may vary depending on whether you run Cisco SDM from a personal computer or directly from a Cisco ISR router.


4.4.3 - Starting Cisco SDM
The diagram depicts three overlapping screenshots of initial screens displayed when starting SDM using a browser.


4.4.4 The Cisco SDM Interface

Page 1:
Cisco SDM Home Page Overview

After Cisco SDM has started and you have logged in, the first page displayed is the Overview page.

This page displays the router model, total amount of memory, the versions of flash, IOS, and SDM, the hardware installed, and a summary of some security features, such as firewall status and the number of active VPN connections.

Specifically, it provides basic information about the router hardware, software, and configuration:

  • Menu bar - The top of the screen has a typical menu bar with File, Edit, View, Tools, and Help menu items.
  • Tool bar - Below the menu bar, it has the SDM wizards and modes you can select.
  • Router information - The current mode is displayed on the left side under the tool bar.

Note: The menu bar, tool bar, and current mode are always displayed at the top of each screen. The other areas of the screen change based upon the mode and function you are performing.

  • Configuration overview - Summarizes the configuration settings. To view the running configuration, click the View Running Config button.


4.4.4 - The Cisco SDM Interface
The diagram depicts a screenshot of the Cisco SDM Home Page. Four areas on the screen are identified:

Menu Bar - The top of the screen has a typical menu bar with File, Edit, View, Tools, and Help menu items.
Tool bar - Below the menu bar, the tool bar has the SDM wizards and modes that you can select.
About Your Router - The current mode is displayed on the left side under the tool bar.
Configuration overview - Summarizes the configuration settings.


Page 2:
About Your Router Area

When you click the buttons in the figure, you will be able to see the details associated with each of the following GUI elements:

About Your Router - The area of the Cisco SDM home page that shows you basic information about the router hardware and software, and includes the following elements:

  • Host Name - This area shows the configured hostname for the router, which is RouterX
  • Hardware - This area shows the router model number, the available and total amount of RAM, and the amount of Flash memory available.
  • Software - This area describes the Cisco IOS software and Cisco SDM versions running on the router.
  • The Feature Availability bar, found across the bottom of the About Your Router tab, shows the features available in the Cisco IOS image that the router is using. If the indicator beside a feature is green, the feature is available; if it is red, it is not available. Check marks show that the feature is configured on the router. In the figure, Cisco SDM shows that IP, firewall, VPN, IPS, and NAC are available, but only IP is configured.


4.4.4 - The Cisco SDM Interface
The diagram depicts a screenshot highlighting the About Your Router area. Three areas on the screen are identified:

Host Name - This area shows the configured hostname for the router, which is Router X.
Hardware - This area shows the router model number, the available and total amounts of RAM, and the amount of Flash memory available.
Software - This area describes the Cisco I O S software and Cisco SDM versions running on the router.


Page 3:
Configuration Overview Area

The figure shows the configuration overview area of the Cisco SDM home page. When you click the buttons in the figure, you will be able to see the details associated with each of the following GUI elements:

  • Interfaces and Connections - This area displays interface-related and connection-related information, including the number of connections that are up and down, the total number of LAN and WAN interfaces that are present in the router, and the number of LAN and WAN interfaces currently configured on the router. It also displays DHCP information.
  • Firewall Policies - This area displays firewall-related information, including if a firewall is in place, the number of trusted (inside) interfaces, untrusted (outside) interfaces, and DMZ interfaces. It also displays the name of the interface to which a firewall has been applied, whether the interface is designated as an inside or an outside interface, and if the NAT rule has been applied to this interface.
  • VPN - This area displays VPN-related information, including the number of active VPN connections, the number of configured site-to-site VPN connections, and the number of active VPN clients.
  • Routing - This area displays the number of static routes and which routing protocols are configured.


4.4.4 - The Cisco SDM Interface
The diagram depicts a screenshot highlighting the Configuration Overview area. Six areas on the screen are identified:

Interfaces and Connections - This area displays interface-related and connection-related information, including the number of connections that are up and down, the total number of LAN and WAN interfaces that are present in the router, and the number of LAN and WAN interfaces currently configured on the router. It also displays DHCP information.
Firewall Policies - This area displays firewall-related information, including if a firewall is in place, the number of trusted (inside) interfaces, untrusted (outside) interfaces, and DMZ interfaces. It also displays the name of the interface to which a firewall has been applied, whether the interface is designated as an inside or an outside interface, and if the NAT rule has been applied to this interface.
VPN - This area displays VPN-related information, including the number of active VPN connections, the number of configured site-to-site VPN connections, and the number of active VPN clients.
Routing - This area displays the number of static routes and which routing protocols are configured.
Intrusion Prevention - Shows the number of active signatures and the number of I P S-enabled interfaces.
View Running Config - Displays the current router running config.


4.4.5 Cisco SDM Wizards

Page 1:
Cisco SDM provides a number of wizards to help you configure a Cisco ISR router. Once a task is selected from the task area in the Cisco SDM GUI, the task pane allows you to select a wizard. The figure shows various Cisco SDM GUI screens for the Basic NAT wizard. NAT is discussed later in this course, in the IP Addressing Services section.

Check http://www.cisco.com/go/sdm for the latest information about the Cisco SDM wizards and the interfaces they support.


4.4.5 - Cisco SDM Wizards
The diagram depicts overlapping screenshots of the Network Address Translation (NAT) wizard. The Basic NAT Wizard is selected from the Tasks Option. As the wizard progresses, the NAT screens are as follows:

Screenshot 1. Initial NAT configuration screen.
Screenshot 2. Welcome to the Basic NAT Wizard.
Screenshot 3. Sharing the Internet Connection.
Screenshot 4. Summary of the Configuration.


4.4.6 Locking Down a Router with Cisco SDM

Page 1:
The Cisco SDM one-step lockdown wizard implements almost all of the security configurations that Cisco AutoSecure offers. The one-step lockdown wizard is accessed from the Configure GUI interface by clicking the Security Audit task. The one-step lockdown wizard tests your router configuration for potential security problems and automatically makes any necessary configuration changes to correct any problems found.

Do not assume that the network is secure simply because you executed a one-step lockdown. In addition, not all the features of Cisco AutoSecure are implemented in Cisco SDM. AutoSecure features that are implemented differently in Cisco SDM include the following:

  • Disables SNMP, and does not configure SNMP version 3.
  • Enables and configures SSH on crypto Cisco IOS images
  • Does not enable Service Control Point or disable other access and file transfer services, such as FTP.

Click the buttons in the figure to explore the steps of the Cisco one-step lockdown wizard.


4.4.6 - Locking Down a Router with Cisco SDM
The diagram depicts locking down a router with Cisco SDM. Multiple steps are required as follows:

Step 1. Select Configure.
Step 2. Select Security Audit.
Step 3. Click One-step lockdown.
Step 4. In the SDM Warning dialog box, select yes.
Step 5. SDM reviews the current configuration and compares against best-known security practices.
Step 6. SDM displays a list of recommended settings.
Step 7. The commands are prepared for delivery to the router.
Step 8. The commands are delivered to the router.
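A configuration check for the management-plane services that the AutoSecure output in section 4.3.3 disables or enables, and that the SDM one-step lockdown reviews the configuration for, as an added Python example (not Cisco AutoSecure or SDM code): audit() scans a constructed running-config fragment and reports each risky service that is enabled or hardening line that is missing, and harden() rewrites the fragment so the audit comes back clean. The sample configuration, the finding names, the regular expressions and the telnet check are this example's own assumptions; the service names follow the AutoSecure output on the page. Whether a default setting is printed in a running-config depends on the IOS release, so a real audit has to account for lines that are absent because they are defaults.

```python
import re

# Constructed sample running-config fragment (not output from a real router).
SAMPLE_CONFIG = """\
hostname R2
!
service finger
service pad
service udp-small-servers
service tcp-small-servers
no service password-encryption
!
cdp run
!
line vty 0 4
 transport input telnet ssh
"""

# (finding, kind, pattern, remediation command)
# "insecure_if_present": the matching line shows a risky service that is enabled.
# "insecure_if_absent":  the hardening line is missing from the configuration.
# The telnet check is this example's own addition: telnet sends credentials in
# clear text, so only ssh should be accepted on the vty lines.
CHECKS = [
    ("finger service enabled", "insecure_if_present",
     r"^service finger$", "no service finger"),
    ("pad service enabled", "insecure_if_present",
     r"^service pad$", "no service pad"),
    ("udp small servers enabled", "insecure_if_present",
     r"^service udp-small-servers$", "no service udp-small-servers"),
    ("tcp small servers enabled", "insecure_if_present",
     r"^service tcp-small-servers$", "no service tcp-small-servers"),
    ("cdp enabled globally", "insecure_if_present",
     r"^cdp run$", "no cdp run"),
    ("telnet accepted on vty lines", "insecure_if_present",
     r"^\s*transport input .*\btelnet\b", "transport input ssh"),
    ("password encryption not enabled", "insecure_if_absent",
     r"^service password-encryption$", "service password-encryption"),
    ("tcp keepalives-in not enabled", "insecure_if_absent",
     r"^service tcp-keepalives-in$", "service tcp-keepalives-in"),
    ("tcp keepalives-out not enabled", "insecure_if_absent",
     r"^service tcp-keepalives-out$", "service tcp-keepalives-out"),
]


def audit(config: str) -> list:
    """Return [(finding, remediation)] for every check the configuration fails."""
    lines = config.splitlines()
    findings = []
    for finding, kind, pattern, fix in CHECKS:
        hit = any(re.search(pattern, line) for line in lines)
        if kind == "insecure_if_present" and hit:
            findings.append((finding, fix))
        elif kind == "insecure_if_absent" and not hit:
            findings.append((finding, fix))
    return findings


def harden(config: str) -> str:
    """Rewrite the configuration so that audit() reports nothing.

    This is the example's own logic (what an administrator would type by hand),
    not what AutoSecure or the SDM lockdown actually generate.
    """
    explicit_off = {"no " + fix for _, kind, _, fix in CHECKS
                    if kind == "insecure_if_absent"}
    out = []
    for line in config.splitlines():
        if line.strip() in explicit_off:   # e.g. 'no service password-encryption'
            continue
        for _, kind, pattern, fix in CHECKS:
            if kind == "insecure_if_present" and re.search(pattern, line):
                indent = line[: len(line) - len(line.lstrip())]  # keep line-mode indent
                line = indent + fix
                break
        out.append(line)
    for _, kind, pattern, fix in CHECKS:
        if kind == "insecure_if_absent" and not any(re.search(pattern, l) for l in out):
            out.append(fix)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding, fix in audit(SAMPLE_CONFIG):
        print(f"{finding:35} -> {fix}")
    print(harden(SAMPLE_CONFIG))
```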


4.5 Secure Router Management

4.5.1 Maintaining Cisco IOS Software Images

Page 1:
Periodically, the router requires updates to be loaded to either the operating system or the configuration file. These updates are necessary to fix known security vulnerabilities, support new features that allow more advanced security policies, or improve performance.

Note: It is not always a good idea to upgrade to the very latest version of Cisco IOS software. Many times that release is not stable.

There are certain guidelines that you must follow when changing the Cisco IOS software on a router. Changes are classified as either updates or upgrades. An update replaces one release with another without upgrading the feature set. The software might be updated to fix a bug or to replace a release that is no longer supported. Updates are free.

An upgrade replaces a release with one that has an upgraded feature set. The software might be upgraded to add new features or technologies, or replace a release that is no longer supported. Upgrades are not free. Cisco.com offers guidelines to assist in determining which method applies.

Cisco recommends following a four-phase migration process to simplify network operations and management. When you follow a repeatable process, you can also benefit from reduced costs in operations, management, and training. The four phases are:

  • Plan - Set goals, identify resources, profile network hardware and software, and create a preliminary schedule for migrating to new releases.
  • Design - Choose new Cisco IOS releases and create a strategy for migrating to the releases.
  • Implement - Schedule and execute the migration.
  • Operate - Monitor the migration progress and make backup copies of images that are running on your network.

There are a number of tools available on Cisco.com to aid in migrating Cisco IOS software. You can use the tools to get information about releases, feature sets, platforms, and images. The following tools do not require a Cisco.com login:

  • Cisco IOS Reference Guide - Covers the basics of the Cisco IOS software family
  • Cisco IOS software technical documents - Documentation for each release of Cisco IOS software
  • Cisco Feature Navigator - Finds releases that support a set of software features and hardware, and compares releases

The following tools require valid Cisco.com login accounts:

  • Download Software - Cisco IOS software downloads
  • Bug Toolkit - Searches for known software fixes based on software version, feature set, and keywords
  • Software Advisor - Compares releases, matches Cisco IOS software and Cisco Catalyst OS features to releases, and finds out which software release supports a given hardware device
  • Cisco IOS Upgrade Planner - Finds releases by hardware, release, and feature set, and downloads images of Cisco IOS software

For a complete listing of tools available on Cisco.com, go to http://www.cisco.com/en/US/support/tsd_most_requested_tools.html.


4.5.1 - Maintaining Cisco I O S Software Images
The diagram depicts a system administrator maintaining the most recent versions of Cisco I O S software. The following recommendations are provided.

First, do this:
- Confirm size of update.
- Test terminal to router communication.
- Plan update for quiet time.

Next, do this:
- Shut down unused interfaces.
- Back up running configuration and Cisco I O S image to TFTP.
- Execute file transfers.
- Test update function and bring up shutdown interfaces.


4.5.2 Managing Cisco IOS Images

Page 1:
Cisco IOS File Systems and Devices

The availability of the network can be at risk if a router configuration or operating system is compromised. Attackers who gain access to infrastructure devices can alter or delete configuration files. They can also upload incompatible IOS images or delete the IOS image. The changes take effect either immediately or once the device is rebooted.

To mitigate against these problems, you have to be able to save, back up, and restore configuration and IOS images. To do so, you learn how to carry out a few file management operations in Cisco IOS software.

Cisco IOS devices provide a feature called the Cisco IOS Integrated File System (IFS). This system allows you to create, navigate, and manipulate directories on a Cisco device. The directories available depend on the platform.

For instance, the figure displays the output of the show file systems command which lists all of the available file systems on a Cisco 1841 router. This command provides insightful information such as the amount of available and free memory, the type of file system and its permissions. Permissions include read only (ro), write only (wo), and read and write (rw).

Although there are several file systems listed, of interest to us will be the tftp, flash and nvram file systems. The remainder of the file systems listed are beyond the scope of this course.

Network file systems are accessed using FTP, Trivial FTP (TFTP), or Remote Copy Protocol (RCP). This course focuses on TFTP.

Notice that the flash file system also has an asterisk preceding it, which indicates that this is the current default file system. Recall that the bootable IOS is located in flash; therefore, the pound symbol (#) appended to the flash listing indicates that this is a bootable disk.

Click the Flash button in the figure.

This figure lists the content of the current default file system, which in this case is flash, as indicated by the asterisk preceding the listing in the previous figure. There are several files located in flash, but of specific interest is the last listing: that is the file name of the IOS image currently running in RAM.

Click the NVRAM button in the figure.

To view the contents of NVRAM, you must change the current default file system using the cd (change directory) command. The pwd (present working directory) command verifies that we are located in the NVRAM directory. Finally, the dir command lists the contents of NVRAM. Although there are several configuration files listed, of specific interest to us is the startup-configuration file.


4.5.2 - Managing Cisco I O S Images
The diagram depicts commands used to display router file systems, Flash memory, and NV RAM.

File Systems:
The show file systems command lists all file systems in the router, including nvram and flash. Information shown includes the amount of available and free memory, the type of file system, and its permissions.

Flash:
The dir command lists the content of the current default file system, which in this case is flash. Several files are located in flash, but of specific interest is the file image name of the current Cisco I O S running in RAM.

NV RAM:
To view the contents of NV RAM, you must change the current default file system using the cd (change directory) command. The pwd (present working directory) command verifies that you are located in the NV RAM directory. Finally, the dir command lists the contents of NV RAM. Several configuration files are listed. Of specific interest is the startup-configuration file.


Page 2:
URL Prefixes for Cisco Devices

When a network administrator wants to move files around on a computer, the operating system offers a visible file structure to specify sources and destinations. Administrators do not have visual cues when working at a router CLI. The show file systems command in the previous topic displayed the various file systems available on the Cisco 1841 platform.

File locations are specified in Cisco IFS using the URL convention. The URLs used by Cisco IOS platforms look similar to the format you know from the web.

For instance, the TFTP example in the figure is: tftp://192.168.20.254/configs/backup-config.

  • The expression "tftp:" is called the prefix.
  • Everything after the double-slash (//) defines the location.
  • 192.168.20.254 is the location of the TFTP server.
  • "configs" is the master directory.
  • "backup-config" is the filename.

The URL prefix specifies the file system. Scroll over the various buttons in the figure to view the common prefixes and the syntax associated with each.


4.5.2 - Managing Cisco I O S Images
The diagram depicts URL prefixes for Cisco devices. Router R2 is connected to a TFTP server with IP address 192.168.20.254/24. Flash memory, RAM, and NV RAM are associated with the router. The prefix, URL path, and an example is given for each file location.

TFTP:
Prefix - tftp:
URL Path: [[[//location]/directory]/filename]
Example: tftp://192.168.20.254/configs/backup-config

Flash memory:
Prefix - flash:
URL Path: [[/directory]/filename]
Example: flash:configs/backup-config

RAM:
Prefix - system:
URL Path: filename
Example: system:running-config

NV RAM:
Prefix - nvram:
URL Path: filename]
Example: nvram:startup-config
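The URL forms in the figure can be split mechanically, which is useful when scripting backups. The following Python is an added example (not part of the course material) that parses the four locations shown above into prefix, location, directory and filename, rebuilds the explicit form the copy command accepts, and flags which destinations survive a reload. The ftp:, rcp: and scp: prefixes in NETWORK_PREFIXES are assumed by analogy with tftp:; the page itself names only tftp:, flash:, system: and nvram:.

```python
"""Parse and rebuild Cisco IFS file locations: prefix:[//location][/directory]/filename."""
import re
from typing import NamedTuple, Optional


class IfsUrl(NamedTuple):
    prefix: str               # file system: tftp, flash, system, nvram, ...
    location: Optional[str]   # server address for network file systems, else None
    directory: str            # "" when the file sits at the file-system root
    filename: str             # "" when the copy command will prompt for it


# Network file systems take //location. tftp: is from the page; ftp:/rcp:/scp:
# are added by analogy (assumption, not listed on the page).
NETWORK_PREFIXES = {"tftp", "ftp", "rcp", "scp"}
# Local file systems from the page. system: is RAM and does not survive a reload.
LOCAL_PREFIXES = {"flash", "nvram", "system"}

_URL_RE = re.compile(r"^([a-z0-9]+):(?://([^/]+))?(.*)$")


def parse_ifs_url(url: str) -> IfsUrl:
    """Split a Cisco IFS URL into its prefix, location, directory and filename."""
    m = _URL_RE.match(url.strip())
    if not m:
        raise ValueError(f"not a Cisco IFS URL: {url!r}")
    prefix, location, path = m.group(1), m.group(2), m.group(3)
    if prefix in LOCAL_PREFIXES and location is not None:
        raise ValueError(f"{prefix}: is a local file system and takes no //location")
    # Everything after the location is directory/filename; a leading slash is optional.
    directory, _, filename = path.strip("/").rpartition("/")
    return IfsUrl(prefix, location, directory, filename)


def build_ifs_url(u: IfsUrl) -> str:
    """Inverse of parse_ifs_url: the explicit form accepted by the copy command."""
    out = f"{u.prefix}:"
    if u.location is not None:
        out += f"//{u.location}"
    path = "/".join(part for part in (u.directory, u.filename) if part)
    if path:
        out += ("/" if u.location is not None else "") + path
    return out


def survives_reload(u: IfsUrl) -> bool:
    """True for nvram:, flash: and remote servers; False for system: (RAM only).

    A configuration copied into system:running-config merges with the running
    configuration and is lost at reload unless saved to nvram:startup-config.
    """
    return u.prefix != "system"


if __name__ == "__main__":
    for example in ("tftp://192.168.20.254/configs/backup-config",
                    "flash:configs/backup-config",
                    "system:running-config",
                    "nvram:startup-config"):
        u = parse_ifs_url(example)
        print(f"{example:45} -> {u}  persistent={survives_reload(u)}")
```

A bare prefix such as tftp: parses to an empty location and filename, matching the interactive behaviour of copy running-config tftp:, which prompts for the host and filename.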


Page 3:
Commands for Managing Configuration Files

Good practice for maintaining system availability is to ensure you always have backup copies of the startup configuration files and IOS image files. The Cisco IOS software copy command is used to move configuration files from one component or device to another, such as RAM, NVRAM, or a TFTP server. The figure highlights the command syntax.

The following provides examples of common copy command use. Each task is shown two ways: first with the short keyword form, then with the explicit form that names the file system prefixes.

Copy the running configuration from RAM to the startup configuration in NVRAM:

R2# copy running-config startup-config

R2# copy system:running-config nvram:startup-config

Copy the running configuration from RAM to a remote location:

R2# copy running-config tftp:

R2# copy system:running-config tftp:

Copy a configuration from a remote source to the running configuration:

R2# copy tftp: running-config

R2# copy tftp: system:running-config

Copy a configuration from a remote source to the startup configuration:

R2# copy tftp: startup-config

R2# copy tftp: nvram:startup-config


4.5.2 - Managing Cisco I O S Images
The diagram depicts commands for managing configuration files. The structure is as follows.

Command syntax: command source-url: destination-url:
Command example: copy
Source-url example: system:, nvram:, or tftp:
Destination-url example: system:, nvram:, or tftp:


Page 4:
Cisco IOS File Naming Conventions

The Cisco IOS image file is based on a special naming convention. The name for the Cisco IOS image file contains multiple parts, each with a specific meaning. It is important that you understand this naming convention when upgrading and selecting an IOS.

For example, the filename in the figure is explained as follows:

The first part, c1841, identifies the platform on which the image runs. In this example, the platform is a Cisco 1841.

The second part, ipbase, specifies the feature set. In this case, "ipbase" refers to the basic IP internetworking image. Other feature set possibilities include:

i - Designates the IP feature set

j - Designates the enterprise feature set (all protocols)

s - Designates a PLUS feature set (extra queuing, manipulation, or translations)

56i - Designates 56-bit IPsec DES encryption

3 - Designates the firewall/IDS

k2 - Designates the 3DES IPsec encryption (168 bit)

The third part, mz, indicates where the image runs and if the file is compressed. In this example, "mz" indicates that the file runs from RAM and is compressed.

The fourth part, 123-14.T7, is the version number. It is read as 12.3(14)T7: release 12.3, maintenance level 14, T train, rebuild 7.

The final part, bin, is the file extension. The .bin extension indicates that this is a binary executable file.


4.5.2 - Managing Cisco I O S Images
The diagram depicts Cisco I O S file naming conventions:

An example Cisco I O S filename is given and the parts are explained.

Example: c1841-ipbase-mz.123-14.T7.bin

Parts of the filename:

c1841: Platform - Cisco 1841 ISR
ipbase: Feature set - IP Base
mz: File format - m (runs in RAM), z (compressed, zipped)
123-14.T7: Version number - 12.3(14)T7
.bin: File extension - binary executable
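As an added example (not from the course), the following Python decodes a filename of this form into its parts, turns the 123-14.T7 field into the 12.3(14)T7 release notation, and offers two checks a practitioner wants before an upgrade: whether the feature set carries a crypto code, and whether two images are the same release (the page advises keeping all platforms on one version). The run-location and compression letters beyond m and z, and the k9 code, follow Cisco's documented convention but are not listed on the page.

```python
"""Decode a Cisco IOS image filename such as c1841-ipbase-mz.123-14.T7.bin."""
import re
from typing import NamedTuple


class IosImage(NamedTuple):
    platform: str      # c1841
    feature_set: str   # ipbase
    runs_from: str     # RAM, flash, ROM or relocatable
    compressed: bool
    version: str       # 12.3(14)T7
    extension: str     # bin


# Third field: first letter = where the image runs, later letters = compression.
RUN_LOCATION = {"m": "RAM", "f": "flash", "r": "ROM", "l": "relocatable"}
COMPRESSION = {"z": "zip", "x": "mzip", "w": "STAC"}

# Feature-set codes named on the page, plus k9 (strong crypto: 3DES/AES), which
# is the code a practitioner checks for before expecting SSH or IPsec to work.
FEATURE_CODES = {
    "i": "IP feature set", "j": "enterprise feature set (all protocols)",
    "s": "PLUS feature set", "56i": "56-bit IPsec DES", "3": "firewall/IDS",
    "k2": "3DES IPsec (168-bit)", "k9": "strong crypto (3DES/AES)",
}
CRYPTO_CODES = ("k9", "k2", "56i")

# 123-14.T7 -> major 12, minor 3, maintenance 14, train T, rebuild 7
_VERSION_RE = re.compile(r"^(\d{2})(\d+)-(\d+[a-z]?)(?:\.([A-Z]+)(\d*))?$")


def decode_version(raw: str) -> str:
    """'123-14.T7' -> '12.3(14)T7'; '124-10b' -> '12.4(10b)'; '150-1.M' -> '15.0(1)M'."""
    m = _VERSION_RE.match(raw)
    if not m:
        raise ValueError(f"unrecognised version field {raw!r}")
    major, minor, maint, train, rebuild = m.groups()
    return f"{major}.{minor}({maint}){train or ''}{rebuild or ''}"


def parse_ios_filename(name: str) -> IosImage:
    """Split platform-featureset-fmt.version.ext into an IosImage."""
    stem, _, ext = name.rpartition(".")
    parts = stem.split("-", 2)
    if len(parts) != 3 or not ext:
        raise ValueError(f"expected platform-featureset-fmt.version.ext, got {name!r}")
    platform, feature_set, rest = parts
    fmt, _, raw_version = rest.partition(".")
    if not fmt or fmt[0] not in RUN_LOCATION:
        raise ValueError(f"unknown run-location code in {fmt!r}")
    compressed = any(c in COMPRESSION for c in fmt[1:])
    return IosImage(platform, feature_set, RUN_LOCATION[fmt[0]],
                    compressed, decode_version(raw_version), ext)


def has_crypto(img: IosImage) -> bool:
    """Does the feature set carry a crypto code (needed for SSH/IPsec on 12.x images)?"""
    return any(code in img.feature_set for code in CRYPTO_CODES)


def same_release(a: IosImage, b: IosImage) -> bool:
    """Same version string, so two platforms can be kept on one release as the page advises."""
    return a.version == b.version
```

Note that the platform code comes from the filename only; it is still your job to compare it with the model reported by show version before loading the image, since a mismatch leaves the router in ROMmon.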


4.5.3 TFTP Managed Cisco IOS Images

Page 1:
Using TFTP Servers to Manage IOS Images

Production internetworks usually span wide areas and contain multiple routers. It is an important task of an administrator to routinely upgrade Cisco IOS images whenever exploits and vulnerabilities are discovered. It is also a sound practice to ensure that all of your platforms are running the same version of Cisco IOS software whenever possible. Finally, for any network, it is always prudent to retain a backup copy of the Cisco IOS software image in case the system image in the router becomes corrupted or accidentally erased.

Widely distributed routers need a source or backup location for Cisco IOS software images. Using a network TFTP server allows image and configuration uploads and downloads over the network. The network TFTP server can be another router, a workstation, or a host system.

As any network grows, storage of Cisco IOS software images and configuration files on the central TFTP server enables control of the number and revision level of Cisco IOS images and configuration files that must be maintained.

Before changing a Cisco IOS image on the router, you need to complete these tasks:

  • Determine the memory required for the update and, if necessary, install additional memory.
  • Set up and test the file transfer capability between the administrator host and the router.
  • Schedule the required downtime, normally outside of business hours, for the router to perform the update.

When you are ready to do the update, carry out these steps:

  • Shut down all interfaces on the router not needed to perform the update.
  • Back up the current operating system and the current configuration file to a TFTP server.
  • Load the update for either the operating system or the configuration file.
  • Test to confirm that the update works properly. If the tests are successful, you can then re-enable the interfaces you disabled. If the tests are not successful, back out the update, determine what went wrong, and start again.

A great challenge for network operators is to minimize the downtime after a router has been compromised and the operating software and configuration data have been erased from persistent storage. The operator must retrieve an archived copy (if one exists) of the configuration and restore a working image to the router. Recovery must then be performed for each affected router, which adds to the total network downtime.

Bear in mind that the Cisco IOS software resilient configuration feature enables a router to secure and maintain a working copy of the running operating system image and configuration so that those files can withstand malicious attempts to erase the contents of persistent storage (NVRAM and flash).


4.5.3 - Managing Cisco I O S Images
The diagram depicts using TFTP servers to manage Cisco I O S images.

Network Topology:
There are three routers, R1, R2, and R3. Router R1 is connected to router R2 with a WAN link. Router R2 is connected to R3 with a WAN link. A TFTP server with IP address 192.168.20.254/24 is connected to R2.

Text for the arrow pointing from R2 to the TFTP server says: Backup image to TFTP.
Text for arrows pointing to each of the three routers says: Upgrade all to Cisco I O S c1841-ipbase-mz.123-14.T7.bin.


4.5.4 Backing up and Upgrading Software Image

Page 1:
Backing Up IOS Software Image

Basic management tasks include saving backups of your configuration files and IOS image files, and downloading and installing upgraded images when directed. A software backup image file is created by copying the image file from a router to a network TFTP server.

To copy a Cisco IOS image software from flash memory to the network TFTP server, you should follow these suggested steps.


Step 1. Ping the TFTP server to make sure you have access to it.

Step 2. Verify that the TFTP server has sufficient disk space to accommodate the Cisco IOS software image. Use the show flash: command on the router to determine the size of the Cisco IOS image file.

The show flash: command is an important tool to gather information about the router memory and image file. It can determine the following:

  • Total amount of flash memory on the router
  • Amount of flash memory available
  • Name of all the files stored in the flash memory

With steps 1 and 2 completed, now back up the software image.

Step 3. Copy the current system image file from the router to the network TFTP server, using the copy flash: tftp: command in privileged EXEC mode. The command prompts you for the IP address of the remote host and the names of the source and destination system image files.

During the copy process, exclamation points (!) indicate progress. Each exclamation point signifies that one TFTP data block (carried in a UDP datagram) has successfully transferred.


4.5.4 - Backing Up and Upgrading Cisco I O S Software Image
The diagram depicts a three-step process to save a Cisco I O S software image.

Network Topology:
PC1 and a system administrator laptop are connected to switch S1, which is connected to router R1. Router R1 is connected to router R2 via WAN links. A TFTP server with IP address 192.168.20.254 is connected to R2.

The process of saving the Cisco I O S software image of R1 on the TFTP server is described in three steps.

Step 1. Ping the TFTP server to make sure that you have access to it. The output shows successful ping results.

Step 2. Use the show flash colon command on the router to determine the size of the Cisco I O S image file and verify that the TFTP server has sufficient disk space to accommodate the file. The output shows the Cisco I O S image filename and its size in bytes.

Step 3. Use the copy flash colon tftp colon command to copy the current system image file from the router to the network TFTP server. The output shows prompts for the source filename, address of remote host, and destination filename. Exclamation points and a message indicating the number of bytes copied verify a successful file transfer.


Page 2:
Upgrading IOS Software Images

Upgrading a system to a newer software version requires a different system image file to be loaded on the router. Use the copy tftp: flash: command to download the new image from the network TFTP server.


The command prompts you for the IP address of the remote host and the name of the source and destination system image file. Enter the appropriate filename of the update image just as it appears on the server.

After these entries are confirmed, the Erase flash: prompt appears. Erasing flash memory makes room for the new image. Erase flash memory only if there is not sufficient free space for more than one Cisco IOS image; if no free flash memory is available, the erase routine is required before new files can be copied. The system informs you of these conditions and prompts for a response. Bear in mind that erasing flash removes the only on-box copy of the current image, so complete the backup described in the previous topic before answering yes: if the transfer then fails, or the new image turns out to be wrong for the platform, the router has nothing to boot and must be recovered as described in the next topic.

Each exclamation point (!) means that one TFTP data block (a UDP datagram) has successfully transferred.

Note: Make sure that the Cisco IOS image loaded is appropriate for the router platform. If the wrong Cisco IOS image is loaded, the router could be made unbootable, requiring ROM monitor (ROMmon) intervention.
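Step 2 of the backup procedure and the Erase flash: decision above both come down to one arithmetic check against show flash: output. The following Python is an added example (not course material) that parses two layouts of that output and reports whether a new image fits now, fits only after erasing, or cannot fit at all (the case that calls for more flash memory, as in the preparation list of the previous topic). The sample outputs and the 19,922,944-byte image size are constructed for the example, not captured from a router.

```python
"""Decide from show flash: output whether a new IOS image fits, needs an erase, or needs more flash."""
import re
from typing import Dict, List, NamedTuple


class FlashInfo(NamedTuple):
    files: Dict[str, int]   # filename -> size in bytes
    available: int          # free bytes
    used: int
    total: int


class UpgradePlan(NamedTuple):
    fits_now: bool          # answer "no" at the Erase flash: prompt
    erase_required: bool    # fits only once the existing files are erased
    fits_after_erase: bool  # False: the whole flash is too small, install more memory
    shortfall: int          # bytes short of the free space (0 when it fits now)
    warnings: List[str]


# One file entry per line: index, length, optional date/time, filename last.
_FILE_LINE = re.compile(r"^\s*\d+\s+(\d+)\s+.*?(\S+)\s*$")
# 1841-style trailer.
_NEW_TRAILER = re.compile(r"(\d+) bytes available \((\d+) bytes used\)")
# Older platform trailer.
_OLD_TRAILER = re.compile(r"\[(\d+) bytes used, (\d+) available, (\d+) total\]")

# Constructed sample output in the 1841 layout (not captured from a real router).
SAMPLE_1841 = """\
-#- --length-- -----date/time------ path
1     13937472 Feb 18 2008 15:22:44 +00:00 c1841-ipbase-mz.123-14.T7.bin
2         1038 Feb 18 2008 15:30:01 +00:00 backup-config

17837056 bytes available (13938688 bytes used)
"""

# Constructed sample output in the older layout.
SAMPLE_2600 = """\
System flash directory:
File  Length   Name/status
  1   7892160  c2600-i-mz.122-1.bin
[7892224 bytes used, 8885024 available, 16777216 total]
16384K bytes of processor board System flash (Read/Write)
"""


def parse_show_flash(text: str) -> FlashInfo:
    """Extract the file list and the free/used/total summary from either layout."""
    files: Dict[str, int] = {}
    for line in text.splitlines():
        m = _FILE_LINE.match(line)
        if m:
            files[m.group(2)] = int(m.group(1))
    m = _NEW_TRAILER.search(text)
    if m:
        available, used = int(m.group(1)), int(m.group(2))
        return FlashInfo(files, available, used, available + used)
    m = _OLD_TRAILER.search(text)
    if not m:
        raise ValueError("no free-space summary line found in show flash output")
    used, available, total = (int(g) for g in m.groups())
    return FlashInfo(files, available, used, total)


def upgrade_plan(flash: FlashInfo, new_image: str, new_size: int) -> UpgradePlan:
    """Compare the new image size with free space and total flash."""
    warnings: List[str] = []
    if new_image in flash.files:
        warnings.append(f"{new_image} is already in flash; copy tftp: flash: will ask to overwrite it")
    fits_now = new_size <= flash.available
    fits_after_erase = new_size <= flash.total
    erase_required = not fits_now and fits_after_erase
    if erase_required:
        warnings.append("erase removes the current image: make sure the TFTP backup exists first")
    if not fits_after_erase:
        warnings.append(f"image exceeds total flash by {new_size - flash.total} bytes; more memory is needed")
    shortfall = 0 if fits_now else new_size - flash.available
    return UpgradePlan(fits_now, erase_required, fits_after_erase, shortfall, warnings)
```

Paste the real show flash: output in place of the samples and take the new image size from the TFTP server's file listing; the plan tells you before you start the copy whether you will be asked to erase.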


4.5.4 - Backing Up and Upgrading Cisco I O S Software Image
The diagram depicts the process of upgrading Cisco I O S software images using the copy tftp colon flash colon command to download the new image from the network TFTP server.

The network topology is the same as 4.5.4 Diagram 1.

Procedure: Use the copy tftp colon flash colon command to copy the new system image file from the TFTP server to the router. The output shows prompts for the address of the remote host, source filename, and destination filename. The Erase flash colon prompt appears. Erasing Flash makes room for the new image. A series of E's indicates that the existing Cisco I O S image is being erased, and exclamation points verify a successful file transfer.


Page 3:
In this activity, you will configure access to a TFTP server and upload a newer, more advanced Cisco IOS image. Although Packet Tracer simulates upgrading the Cisco IOS image on a router, it does not simulate backing up a Cisco IOS image to the TFTP server. In addition, although the image you are upgrading to is more advanced, this Packet Tracer simulation will not reflect the upgrade by enabling more advanced commands. The same Packet Tracer command set will still be in effect.

Detailed instructions are provided within the activity as well as in the PDF link below.

Activity Instructions (PDF)

Click the Packet Tracer icon for more details.


4.5.4 - Backing Up and Upgrading Cisco I O S Software Image
Link to Packet Tracer Exploration: Using a TFTP Server to Upgrade a Cisco I O S Image


4.5.5 Recovering Software Images

Page 1:
Restoring IOS Software Images

A router cannot function without its Cisco IOS software. Should the IOS be deleted or become corrupt, an administrator must copy an image to the router for it to become operational again.

One method to accomplish this would be to use the Cisco IOS image that was previously saved to the TFTP server. In the example in the figure, the IOS image on R1 was backed up to a TFTP server connected to R2. R1 is not able to reach that TFTP server in its current state.

When an IOS on a router is accidentally deleted from flash, the router is still operational because the IOS is running in RAM. However, it is crucial that the router is not rebooted at this time since it would not be able to find a valid IOS in flash.

In the figure, the IOS on router R1 has accidentally been deleted from flash. Unfortunately, the router has been rebooted and can no longer load an IOS, so it boots to the ROMmon prompt. While in this state, router R1 needs to retrieve the IOS which was previously copied to the TFTP server connected to R2. In this scenario, the TFTP server is moved so that it is directly connected to router R1. Having made preparations with the TFTP server, carry out the following procedure.

Step 1. Connect the devices.

  • Connect the PC of the system administrator to the console port on the affected router.
  • Connect the TFTP server to the first Ethernet port on the router. In the figure, R1 is a Cisco 1841, therefore the port is Fa0/0. Enable the TFTP server and configure it with a static IP address 192.168.1.1/24.

Step 2. Boot the router and set the ROMmon variables.

Because the router does not have a valid Cisco IOS image, the router boots automatically into ROMmon mode. There are very few commands available in ROMmon mode. You can view these commands by typing ? at the rommon> command prompt.

You must enter all of the variables listed in the figure. When you enter the ROMmon variables, be aware of the following:

  • Variable names are case sensitive.
  • Do not include any spaces before or after the = symbol.
  • Where possible, use a text editor to cut and paste the variables into the terminal window. The full line must be typed accurately.
  • Navigational keys are not operational.

Router R1 must now be configured with the values it needs to reach the TFTP server. The exact syntax of the ROMmon variables matters. Although the IP addresses, subnet mask, and image name in the figure are only examples, the syntax displayed must be followed precisely; the actual values will depend on your configuration.

When you have entered the variables, proceed to the next step.

Step 3. Enter the tftpdnld command at the ROMmon prompt.

The command displays the required environment variables and warns that all existing data in flash will be erased. Type y to proceed, and press Enter. The router attempts to connect to the TFTP server to initiate the download. When connected, the download begins, as indicated by exclamation marks (!). Each ! indicates that one TFTP data block has been received by the router.

You can use the reset command to reload the router with the new Cisco IOS image.


4.5.5 - Recovering Software Images
The diagram depicts the loss of the Cisco I O S image and the use of tftpdnld and a three-step process to restore the Cisco I O S software images.

Network Topology:
PC1 and a system administrator laptop are connected to switch S1, which is connected to router R1. Router R1 is connected to router R2 via WAN links. A TFTP server with IP address 192.168.20.254 is connected to R2. Router R1 loses its Cisco I O S image.

Step 1. Connect the devices. Connect the PC of the system administrator to the console port on the affected router. Connect the TFTP server to the first Ethernet port on the router. In this case, R1 interface Fa0/0. Enable the TFTP server and configure it with a static IP address 192.168.1.1/24.

Step 2. Boot the router and set the ROM mon variables.
rommon 1 > IP_ADDRESS=192.168.1.2
rommon 2 > IP_SUBNET_MASK=255.255.255.0
rommon 3 > DEFAULT_GATEWAY=192.168.1.1
rommon 4 > TFTP_SERVER=192.168.1.1
rommon 5 > TFTP_FILE=c1841-ipbase-mz.123-14.T7.bin

Step 3. Enter the tftpdnld command at the ROM mon prompt. The command displays the required environment variables and warns that all existing data in flash will be erased. The router connects to the TFTP server to initiate the download. When connected, the download begins as indicated by the exclamation marks.
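The rules given above (exact case, no spaces around =, complete lines) are easy to get wrong when typing blind at the rommon prompt, and a mistyped value only shows up as a failed download. The following Python is an added example (not course material) that checks a set of variable lines before you paste them, including that the gateway address is consistent with IP_ADDRESS and IP_SUBNET_MASK. The good sample lines are the ones in the figure; the .bin extension check is an assumption that the file is an IOS image.

```python
"""Check ROMmon tftpdnld variables for the syntax and addressing mistakes the page warns about."""
import ipaddress
from typing import Dict, List

# Variable names the figure shows; ROMmon treats them case-sensitively.
REQUIRED = ("IP_ADDRESS", "IP_SUBNET_MASK", "DEFAULT_GATEWAY", "TFTP_SERVER", "TFTP_FILE")

# Constructed from the figure: the lines that should pass unchanged.
FIGURE_LINES = [
    "IP_ADDRESS=192.168.1.2",
    "IP_SUBNET_MASK=255.255.255.0",
    "DEFAULT_GATEWAY=192.168.1.1",
    "TFTP_SERVER=192.168.1.1",
    "TFTP_FILE=c1841-ipbase-mz.123-14.T7.bin",
]


def check_rommon_vars(lines: List[str]) -> List[str]:
    """Return the problems found; an empty list means the lines are safe to paste."""
    problems: List[str] = []
    values: Dict[str, str] = {}
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        if "=" not in line:
            problems.append(f"no '=' in {line!r}")
            continue
        name, _, value = line.partition("=")
        if name != name.strip() or value != value.strip():
            problems.append(f"whitespace around '=' in {line!r}")
        name, value = name.strip(), value.strip()
        if name.upper() in REQUIRED and name != name.upper():
            problems.append(f"variable names are case sensitive: {name!r} should be {name.upper()!r}")
            name = name.upper()
        if any(ch.isspace() for ch in value):
            problems.append(f"embedded whitespace in the value of {name}: {value!r}")
        values[name] = value
    for req in REQUIRED:
        if req not in values:
            problems.append(f"missing {req}")
    if problems:
        return problems  # fix the typing errors before judging the addressing

    # Addressing checks: the router must be able to reach the gateway directly.
    try:
        ip = ipaddress.IPv4Address(values["IP_ADDRESS"])
        gw = ipaddress.IPv4Address(values["DEFAULT_GATEWAY"])
        srv = ipaddress.IPv4Address(values["TFTP_SERVER"])
        net = ipaddress.IPv4Network(f"{ip}/{values['IP_SUBNET_MASK']}", strict=False)
    except ValueError as exc:
        return [f"bad address or mask: {exc}"]
    if gw not in net:
        problems.append(f"DEFAULT_GATEWAY {gw} is not inside {net}; the router cannot reach it")
    if ip == srv:
        problems.append("IP_ADDRESS and TFTP_SERVER must differ")
    if not values["TFTP_FILE"].endswith(".bin"):
        problems.append("TFTP_FILE does not end in .bin (assumption: the file should be an IOS image)")
    return problems


if __name__ == "__main__":
    print(check_rommon_vars(FIGURE_LINES) or "ok: paste these lines at the rommon prompt")
```

Run the check against the lines in your text editor, then paste them one by one; because navigation keys do not work in ROMmon, a rejected line is cheaper to fix here than after tftpdnld has already erased flash.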


Page 2:
Using xmodem to Restore an IOS Image

Using the tftpdnld command is a very quick way of copying the image file. Another method for restoring a Cisco IOS image to a router is by using Xmodem. However, the file transfer is accomplished using the console cable and is therefore very slow when compared to the tftpdnld command.

If the Cisco IOS image is lost, the router goes into ROMmon mode when it boots up. ROMmon supports Xmodem. With that capability, the router can communicate with a terminal emulation application, such as HyperTerminal, on the PC of a system administrator. A system administrator who has a copy of the Cisco IOS image on a PC can restore it to the router by making a console connection between the PC and the router and running Xmodem from HyperTerminal.

The steps the administrator follows are shown in the figure.

Step 1. Connect the PC of the system administrator to the console port on the affected router. Open a terminal emulation session between the router R1 and the PC of the system administrator.

Step 2. Boot the router and issue the xmodem command at the ROMmon command prompt.

The command syntax is xmodem [-cyr] [filename]. The options depend on the situation: -c requests CRC-16 error checking instead of a simple checksum, -y selects the Ymodem protocol, and -r copies the image to RAM and launches it there rather than writing it to flash. The filename is the name of the file to be transferred.

Accept all prompts when asked, as shown in the figure.

Step 3. The figure shows the process for sending a file using HyperTerminal. In this case, Select Transfer > Send File.

Step 4. Browse to the location of the Cisco IOS image you want to transfer and choose the Xmodem protocol. Click Send. A dialog box appears displaying the status of the download. It takes several seconds before the host and the router begin transferring the information.

As the download begins, the Packet and Elapsed fields increment. Take note of the estimated time remaining indicator. The download time can be improved dramatically by raising the connection speed of both HyperTerminal and the router console from 9600 b/s to 115200 b/s.

When the transfer is complete, the router automatically reloads with the new Cisco IOS.


4.5.5 - Recovering Software Images
The diagram depicts the loss of the Cisco I O S image and the use of X modem and a four-step process to restore a Cisco I O S image. The network topology is the same as 4.5.4 Diagram 1. Router R1 loses its Cisco I O S image.

Step 1. Connect the PC of the system administrator to the console port on the affected router.

Step 2. Boot the router and issue the xmodem command. The following command is shown in the terminal window:
rommon 1 > xmodem -c c1841-ipbase-mz.123-14.T7.bin
The command warns that all existing data in flash will be erased. The router is now ready to receive the file.

Step 3. The screenshot shows the process for sending a file using HyperTerminal. In this case, select the Send File under the Transfer menu.

Step 4. The screenshot shows browsing to the location of the Cisco I O S image to be transferred, selecting the X modem protocol, and clicking Send.


4.5.6 Troubleshooting Cisco IOS Configurations

Page 1:
Cisco IOS Troubleshooting Commands

When you have a valid Cisco IOS image running on all the routers in the network, and all the configurations are backed up, you can manually tune configurations for individual devices to improve their performance in the network.

Two commands that are extensively used in day-to-day network administration are show and debug. The difference between the two is significant. A show command lists the configured parameters and their values. The debug command allows you to trace the execution of a process. Use the show command to verify configurations. Use the debug command to identify traffic flows through interfaces and router processes.

The figure summarizes the characteristics of the show and debug commands. The best time to learn about the output generated by these commands is when a network is fully operational. This way you will be able to recognize what is missing or incorrect when using the commands to troubleshoot a problem network.


4.5.6 - Troubleshooting Cisco I O S Configurations
The diagram depicts a comparison between the Cisco I O S show and debug troubleshooting commands.

Comparison Criterion: Processing characteristic
Show: Static
Debug: Dynamic

Comparison Criterion: Processing load
Show: Low overhead
Debug: High overhead

Comparison Criterion: Primary use
Show: Gather facts
Debug: Observe processes


Page 2:
Using the show Command

The show command displays static information. Use show commands when gathering facts for isolating problems in an internetwork, including problems with interfaces, nodes, media, servers, clients, or applications. You may also use it frequently to confirm that configuration changes have been implemented.

The example in the figure provides a sample output of the show protocols command. The Cisco IOS command guide lists 1,463 show commands. When you are at the command prompt, type show ? for a list of available show commands for the level and mode you are operating.


4.5.6 - Troubleshooting Cisco I O S Configurations
The diagram depicts using the Cisco I O S show command.

Network Topology:
PC1 and a system administrator laptop are connected to switch S1, which is connected to router R1. Router R1 is connected to router R2 via WAN links. A TFTP server with IP address 192.168.20.254 is connected to R2. The text bubble for the system administrator laptop states: System Administrator can get help with show commands.

The show protocols command output is displayed in a terminal window as an example.


Page 3:
Using the debug Command

When you configure a router, the commands you enter initiate many more processes than you see in the simple line of code. Therefore, tracing your written configurations line-by-line does not reveal all the possibilities for error. Instead, you need some way of capturing data from the device as each step in a running process is initiated.

By default, the router sends the output from debug commands and system error messages to the console. Remember that you can redirect debug output to a syslog server.

Note: Debugging output is assigned high priority in the CPU process queue and can therefore interfere with normal production processes on a network. For this reason, use debug commands during quiet hours and only to troubleshoot specific problems.

The debug command displays dynamic data and events. Use debug to check the flow of protocol traffic for problems, protocol bugs, or misconfigurations. The debug command provides a flow of information about the traffic being seen (or not seen) on an interface, error messages generated by nodes on the network, protocol-specific diagnostic packets, and other useful troubleshooting data. Use debug commands when operations on the router or network must be viewed to determine if events or packets are working properly.

All debug commands are entered in privileged EXEC mode. Many accept optional arguments that narrow what is traced (for example, a specific interface or access list), and using them is the simplest way to limit the load a debug places on the router. To list and see a brief description of all the debugging command options, enter the debug ? command in privileged EXEC mode.

Caution: It is important to turn off debugging when you have finished your troubleshooting. The best way to ensure there are no lingering debugging operations running is to use the no debug all command.


4.5.6 - Troubleshooting Cisco I O S Configurations
The diagram depicts using the Cisco I O S debug command.

Network Topology:
Two inside LANs are connected by routers running RIP. LAN 1 consists of PC1 connected to switch S1, which is connected to router R1. LAN 2, network 192.168.30.0/24, consists of PC3 connected to switch S3, which is connected to router R3. Routers R1 and R3 connect to router R2. Router R2 routes between the two LANs and is the gateway to the Internet and an external Web/TFTP server.

A system administrator laptop is connected to router R1. A text bubble for the system administrator laptop shows the command: R1# debug ip rip.

The debug ip rip command output is displayed in a terminal window as an example, and the no debug all command is used to turn debugging off.


Page 4:
Considerations when using the debug Command

It is one thing to use debug commands to troubleshoot a lab network that lacks end-user application traffic. It is another thing to use debug commands on a production network that users depend on for data flow. Without proper precautions, the impact of a broadly focused debug command could make matters worse.

With proper, selective, and temporary use of debug commands, you can obtain potentially useful information without needing a protocol analyzer or other third-party tool.

Other considerations for using debug commands are as follows:

  • When the information you need from the debug command is interpreted and the debug (and any other related configuration setting, if any) is finished, the router can resume its faster switching. Problem-solving can be resumed, a better-targeted action plan created, and the network problem resolved.
  • Be aware that the debug commands may generate too much data that is of little use for a specific problem. Normally, knowledge of the protocol or protocols being debugged is required to properly interpret the debug outputs.
  • When using debug troubleshooting tools, be aware that output formats vary with each protocol. Some generate a single line of output per packet, others generate multiple lines of output per packet. Some debug commands generate large amounts of output; others generate only occasional output. Some generate lines of text, and others generate information in field format.


4.5.6 - Troubleshooting Cisco I O S Configurations
The diagram depicts considerations when using the debug command.

- debug gets CPU priority. Plan debug use carefully.
- debug can help resolve persistent issues, outweighing its effect on network performance.
- debug can generate too much output. Know what you are looking for before you start.
- Different debugs generate different output formats. Do not be caught by surprise.
- Plan the use of the debug command. Use it with great care.


Page 5:
Commands Related to the debug Command

To effectively use debugging tools, you must consider the following:

  • Impact that a troubleshooting tool has on router performance
  • Most selective and focused use of the diagnostic tool
  • How to minimize the impact of troubleshooting on other processes that compete for resources on the network device
  • How to stop the troubleshooting tool when diagnosing is complete so that the router can resume its most efficient switching

To optimize your efficient use of the debug command, these commands can help you:

  • The service timestamps command is used to add a time stamp to a debug or log message. This feature can provide valuable information about when debug elements occurred and the duration of time between events.
  • The show processes command displays the CPU use for each process. This data can influence decisions about using a debug command if it indicates that the production system is already too heavily used for adding a debug command.
  • The no debug all command disables all debug commands. This command can free up system resources after you finish debugging.
  • The terminal monitor command displays debug output and system error messages for the current terminal session. By default only the console receives them, so when you connect to a device over Telnet or SSH (a vty session) and issue a debug command, you will not see any output unless this command is entered.


4.5.6 - Troubleshooting Cisco I O S Configurations
The diagram depicts commands related to the debug command. These include the following:

R1(config)# service timestamps debug datetime msec
Adds a timestamp to a debug or log message.

R1# show processes
Displays the CPU use for each process.

R1# no debug all
Disables all debug commands.

R1# terminal monitor
Displays debug output and system error messages for the current vty session.


4.5.7 Recovering a Lost Router Password

Page 1:
About Password Recovery

Have you ever forgotten the password to a router? Maybe not, but sometime in your career, you can expect someone to forget, and you will need to recover it.

The first thing that you have to know about password recovery is that for security reasons, you need physical access to the router. You connect your PC to the router through a console cable.

The enable password and the enable secret password protect access to privileged EXEC and configuration modes. The enable password is stored in a form that can be read back from the configuration, so it can be recovered. The enable secret is stored as a one-way hash, so it cannot be read back and must be replaced with a new password.

The configuration register is a concept that you will learn more about later in your studies. The configuration register is similar to your PC BIOS settings, which control the bootup process. Among other things, the BIOS tells the PC from which hard disk to boot. In a router, a configuration register, represented by a single hexadecimal value, tells the router what specific steps to take when powered on. Configuration registers have many uses, and password recovery is probably the most used.


4.5.7 - Recovering a Lost Router Password
The diagram depicts information about router password recovery.

Network Topology:
PC1 is connected to switch S1, which is connected to router R1. Routers R1 and R3 are connected to router R2 via WAN links. A TFTP server with IP address 192.168.20.254 is connected to R2. R2 also provides a gateway to the Internet. The text bubble for the R1 states: Administrator has to recover the enable passwords on R1.


Page 2:
Router Password Recovery Procedure

To recover a router password, do the following:

Prepare the Device

Step 1. Connect to the console port.

Step 2. If you have lost only the enable password, you still have access to user EXEC mode. Type show version at the prompt, and record the configuration register setting.

R1> show version
<output omitted>
Configuration register is 0x2102
R1>


The configuration register is usually set to 0x2102 or 0x102. If you can no longer access the router (because of a lost login or TACACS password), you can safely assume that your configuration register is set to 0x2102.

Step 3. Use the power switch to turn off the router, and then turn the router back on.

Step 4. Issue a Break signal from the terminal within 60 seconds of power up to put the router into ROMmon. A Break signal is sent using a break key sequence appropriate for the terminal program and the operating system.

Bypass Startup

Step 5. Type confreg 0x2142 at the rommon 1> prompt. This causes the router to bypass the startup configuration where the forgotten enable password is stored.

Step 6. Type reset at the rommon 2> prompt. The router reboots, but ignores the saved configuration.

Step 7. Type no after each setup question, or press Ctrl-C to skip the initial setup procedure.

Step 8. Type enable at the Router> prompt. This puts you into privileged EXEC mode, and you should see the Router# prompt.

Access NVRAM

Step 9. Type copy startup-config running-config to copy the saved configuration from NVRAM into the running configuration in RAM. Be careful! Do not type copy running-config startup-config, or you will overwrite your startup configuration with the almost empty running configuration.

Step 10. Type show running-config. In this configuration, the shutdown command appears under all interfaces because all the interfaces are currently shut down. Most importantly, you can now see the passwords (enable password, enable secret, vty, console passwords) in either encrypted or unencrypted form. You can reuse unencrypted passwords. Hashed passwords such as the enable secret cannot be read back and must be replaced with new ones.

Click Reset Passwords in the figure.

Step 11. Type configure terminal. The R1(config)# prompt appears.

Step 12. Type enable secret password to change the enable secret password. For example:

R1(config)# enable secret cisco

Step 13. Issue the no shutdown command on every interface that you want to use. You can issue a show ip interface brief command to confirm that your interface configuration is correct. Every interface that you want to use should show a status of up and a protocol of up.

Step 14. Type config-register configuration_register_setting. The configuration_register_setting is either the value you recorded in Step 2 or 0x2102. For example:

R1(config)#config-register 0x2102

Step 15. Press Ctrl-Z or type end to leave configuration mode. The R1# prompt appears.

Step 16. Type copy running-config startup-config to commit the changes.

You have now completed password recovery. Entering the show version command will confirm that the router will use the configured config register setting on the next reboot.
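As an added example (not part of the course text), the following Python check parses the register value that Step 2 records and that show version reports again after Step 16, decodes the bits the procedure depends on, and flags a router that was left at 0x2142 so that its next reload would again boot without the startup configuration. The bit meanings are the standard Cisco ones; the show version sample is constructed.

```python
import re

# Register bits this procedure relies on (standard Cisco IOS meanings).
BOOT_FIELD = 0x000F      # 0x0 = stay in ROMmon, 0x1 = boot helper, 0x2-0xF = boot IOS
IGNORE_NVRAM = 0x0040    # bit 6: boot without reading startup-config (Step 5 sets it)
BREAK_DISABLED = 0x0100  # bit 8: Break is ignored once IOS has booted

# Constructed sample of the relevant show version line. IOS prints the
# "(will be ...)" suffix between Step 14 and the reload that applies it.
SAMPLE_SHOW_VERSION = """\
R1>show version
Cisco IOS Software ...
Configuration register is 0x2142 (will be 0x2102 at next reload)
"""

_REG_RE = re.compile(r"Configuration register is (0x[0-9A-Fa-f]{1,4})"
                     r"(?: \(will be (0x[0-9A-Fa-f]{1,4}) at next reload\))?")


def parse_config_register(show_version: str) -> tuple[int, int]:
    """Return (current, at_next_reload); both are equal when no change is pending."""
    m = _REG_RE.search(show_version)
    if not m:
        raise ValueError("no 'Configuration register' line in show version output")
    current = int(m.group(1), 16)
    return current, (int(m.group(2), 16) if m.group(2) else current)


def decode_register(value: int) -> dict:
    """Split a register value into the fields named above."""
    boot = value & BOOT_FIELD
    return {
        "boot_field": boot,
        "boots_ios": boot >= 0x2,
        "ignores_nvram": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
    }


def recovery_findings(show_version: str) -> list[str]:
    """Flag a router left in, or headed back into, the password-recovery state.
    With IGNORE_NVRAM set the router boots with every interface shut down and
    no passwords or ACLs, so Step 14 must be completed before the final reload."""
    current, nxt = parse_config_register(show_version)
    now, later = decode_register(current), decode_register(nxt)
    findings = []
    if later["ignores_nvram"]:
        findings.append(f"next reload uses {nxt:#06x}: startup-config will be ignored "
                        "(Step 14, config-register 0x2102, not completed)")
    elif now["ignores_nvram"]:
        findings.append(f"running with {current:#06x}; reload pending to restore {nxt:#06x}")
    if not later["boots_ios"]:
        findings.append(f"boot field {later['boot_field']:#x}: router will stop in ROMmon")
    return findings
```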


4.5.7 - Recovering a Lost Router Password
The diagram depicts the router password recovery procedure.

Network Topology:
PC1 is connected to switch S1, which is connected to router R1. A system administrator laptop is connected to R1 using a console connection.

The router password recovery procedure is as follows:

Prepare the Device:
Prepare R1 for password recovery by booting it up in ROMmon mode.

Step 1. Administrator sets the console connection parameters.

Step 2. Record the configuration register value.
R1> show version
show command output omitted
Configuration register is 0x2102
R1>

Step 3. Power the router off and then on.

Step 4. Press Break on the terminal keyboard within 60 seconds of power up to put the router in ROMmon.

Bypass Startup:
Enable router configuration, but bypass the existing startup configuration.

Step 5. Change the config register setting.
rommon 1> confreg 0x2142

Step 6. Reboot. Ignore saved configuration.
rommon 2> reset

Step 7. Skip the initial setup procedure.

Step 8. Type enable to get to the Router# prompt.

Access NV RAM:
Make the startup configuration available for viewing.

Step 9. Copy the startup-configuration from NV RAM to the running-config in RAM.
Router#copy startup-config running-config

Step 10. View passwords by running the show running-config command.
Router#show running-config

Reset Passwords:

Step 11. Enter global configuration mode using the configure terminal command.

Step 12. Set a new secret password.
Router(config)#enable secret cisco

Step 13. Issue the no shutdown command on every operational interface on the router.

Step 14. Set the configuration register back to its normal value.
R1(config)#config-register 0x2102

Step 15. Exit configuration mode by pressing Ctrl-Z or typing end.

Step 16. Commit the changes.
Router#copy running-config startup-config


4.6 Chapter Labs

4.6.1 Basic Security Configuration

Page 1:
In this lab, you will learn how to configure basic network security using the network shown in the topology diagram. You will learn how to configure router security three different ways: using the CLI, the auto-secure feature, and Cisco SDM. You will also learn how to manage Cisco IOS software.


4.6.1 - Basic Security Configuration
Link to Hands-on Lab: Basic Security Configuration


4.6.2 Challenge Security Configuration

Page 1:
In this lab, you will configure security using the network shown in the topology diagram. If you need assistance, refer to the Basic Security lab. However, try to do as much on your own as possible. For this lab, do not use password protection or login on any console lines because they might cause accidental lockout. However, you should still secure the console line using other means. Use ciscoccna for all passwords in this lab.


4.6.2 - Challenge Security Configuration
Link to Hands-on Lab: Challenge Security Configuration


4.6.3 Troubleshooting Security Configuration

Page 1:
Your company just hired a new network engineer who has created some security issues in the network with misconfigurations and oversights. Your boss has asked you to correct the errors the new engineer has made configuring the routers. While correcting the problems, make sure that all the devices are secure but are still accessible by administrators, and that all networks are reachable. All routers must be accessible with SDM from PC1. Verify that a device is secure by using tools such as Telnet and ping. Unauthorized use of these tools should be blocked, but also ensure that authorized use is permitted. For this lab, do not use login or password protection on any console lines to prevent accidental lockout. Use ciscoccna for all passwords in this scenario.


4.6.3 - Troubleshooting Security Configuration
Link to Hands-on Lab: Troubleshooting Security Configuration


4.7 Chapter Summary

4.7.1 Chapter Summary

Page 1:
The importance of network security cannot be underestimated. This chapter stressed the importance of developing an effective security policy and then adhering to what it requires you to do. You know the threats to your network, both from within and from without, and you know the basic steps you need to take to protect yourself from these threats. Moreover, you now understand the requirement to balance security against access.

Network attacks come from all directions and in many forms. Password attacks are easy to launch, but easily defended against. The tactics of social engineering require users to develop a degree of suspicion and care. Once an attacker gains network access, they can literally open all the locks. But attackers need not always gain access to wreak havoc. Denial of service attacks can be launched that overload network resources to the point that they can no longer function. Worms, viruses, and Trojan horses can penetrate networks and continue spreading and infecting devices.

A key task in securing a network is to secure the routers. Routers are the gateway into the network and are obvious targets. Basic administrative tasks, including good physical security, maintaining an updated IOS, and backing up configuration files, are a start. Cisco IOS software provides a wealth of security features to harden routers and close the doors opened by unused ports and services, most of which can be completed using the one-step lockdown feature of Cisco SDM.


4.7.1 - Chapter Summary
In this chapter, you have learned to:
- Identify security threats to enterprise networks.
- Describe methods to mitigate security threats to enterprise networks.
- Configure basic router security.
- Disable unused router services and interfaces.
- Use the Cisco SDM one-step lockdown feature.
- Manage files and software images with the Cisco I O S Integrated File System (I F S).


Page 2:


4.7.1 - Chapter Summary
This is a review and is not a quiz. Questions and answers are provided.
Question One. List the four types of reconnaissance attacks and provide an example of a tool that can be used for each type of attack.
Answer:
Internet information queries:
- nslookup or whois
Ping sweeps:
- fping or gping
Port scans:
- Nmap or SuperScan
Packet sniffers:
- Wireshark


Question Two. List the four types of access attacks.
Answer:
- Password Attack.
- Trust Exploitation Attack.
- Port Redirection Attack.
- Man-in-the-Middle Attack.

Question Three. List three types of D o S attacks and three types of D D o S attacks.
Answer:
D o S Attacks
- Ping of death attack
- SYN flood attack
- Packet fragmentation and reassembly attack
- E-mail bomb attack
- CPU hogging attack
- Malicious applet attack
D D o S Attacks
- SMURF attack
- Tribe Flood Network (T F N)
- Stacheldraht
- My Doom

Question Four. List and explain the anatomy of a worm attack and the four steps to mitigate the worm attack.
Answer:
The anatomy of a worm attack is as follows:
- The enabling vulnerability - A worm installs itself by exploiting known vulnerabilities in systems, such as naive end users who open unverified executable attachments on e-mails.
- Propagation mechanism - After gaining access to a host, a worm copies itself to that host and then selects new targets.
- Payload - After a host is infected with a worm, the attacker has access to the host, often as a privileged user. Attackers could use a local exploit to escalate their privilege level to administrator.

The following are the recommended steps for worm attack mitigation:
- Step 1 Containment - Contain the spread of the worm into your network and within your network. Compartmentalize uninfected parts of your network.
- Step 2 Inoculation - Start patching all systems and, if possible, scanning for vulnerable systems.
- Step 3 Quarantine - Track down each infected machine inside your network. Disconnect, remove, or block infected machines from the network.
- Step 4 Treatment - Clean and patch each infected system. Some worms may require complete core system reinstallations to clean the system.

Question Five
Refer to the Tera Term connection screenshot and the R1 configuration described below to answer the question.

Tera Term screenshot:
Host IP address: 192.168.10.1
Service selected: SSH
TCP port number: 23

R1 configuration:
hostname R1
username student secret cisco123
line vty 0 4
no transport input
transport input telnet

Question:
To increase administrative access security, you have applied the above configuration to R1. However, you are unable to establish an SSH connection to router R1. Assume that you were able to telnet to the router before, and that the hostname, ip domain-name, and crypto key have been correctly configured. Which changes would correct this problem?

Answer:
On router R1:
- The transport input command should have been transport input ssh.
- The login local command is missing from the line vty 0 4 configuration mode.
- The SSH port number in the Tera Term window should be referencing TCP port 22.

Question Six. List five vulnerable Cisco I O S network services and provide the best practices associated to them. For example, unused interfaces should be disabled.
Answer:
- Small services such as echo, discard, and chargen should be disabled.
- BOOT P should be disabled.
- Finger should be disabled.
- Hypertext Transfer Protocol (HTTP) should be disabled and secure HTTP S configured (if required).
- Simple Network Management Protocol (SNMP) v1 and v2 should be disabled and SNMP v3 configured.
- Cisco Discovery Protocol (CDP) should be disabled unless required.
- Remote configuration should be disabled.
- Source routing should be disabled.
- Classless routing should be disabled.
- no ip directed-broadcast should be configured to stop SMURF attacks.
- no ip proxy-arp should be configured to stop ad hoc routing attacks.
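As an added example, not part of the course review, this Python audit applies the Question Five and Question Six checks to a saved running-config: it parses each vty block (the last transport input command wins, and login local must be present) and looks for the services that should be disabled or explicitly turned off. The sample configuration is constructed to reproduce the Question Five mistakes; which commands are on or off by default are the usual IOS defaults, stated as assumptions.

```python
SAMPLE_CONFIG = """\
hostname R1
username student secret cisco123
ip http server
service tcp-small-servers
interface FastEthernet0/0
 ip directed-broadcast
line vty 0 4
 no transport input
 transport input telnet
"""  # constructed sample that reproduces the Question Five configuration
# Off by default on IOS: the enabling command itself is the finding.
FORBIDDEN_GLOBAL = ["service tcp-small-servers", "service udp-small-servers",
                    "ip finger", "ip http server"]
# On by default: the absence of the disabling "no" form is the finding.
REQUIRED_GLOBAL = ["no ip bootp server", "no cdp run", "no ip source-route"]
FORBIDDEN_IFACE = ["ip directed-broadcast"]  # SMURF amplification
REQUIRED_IFACE = ["no ip proxy-arp"]

def parse_sections(config: str) -> dict[str, list[str]]:
    """Indented commands go under their 'interface'/'line' header, globals under ''."""
    sections: dict[str, list[str]] = {"": []}
    header = ""
    for raw in (ln for ln in config.splitlines() if ln.strip() and ln[0] != "!"):
        if raw.startswith(" "):
            sections[header].append(raw.strip())
        elif raw.startswith(("interface ", "line ")):
            header = raw.strip()
            sections[header] = []
        else:
            header = ""
            sections[""].append(raw.strip())
    return sections

def check(scope: str, cmds: list[str], forbidden: list[str], required: list[str]) -> list[str]:
    out = [f"{scope}: '{c}' enabled" for c in forbidden if c in cmds]
    return out + [f"{scope}: '{c}' missing" for c in required if c not in cmds]

def audit_vty(header: str, cmds: list[str]) -> list[str]:
    """Question Five: the last transport input wins; login local is needed too."""
    out, last = [], None
    for c in cmds:
        if c == "no transport input" or c.startswith("transport input"):
            last = c  # IOS keeps only the most recent transport input command
    if last != "transport input ssh":
        out.append(f"{header}: transport input is '{last or 'unrestricted'}'; use 'transport input ssh'")
    if "login local" not in cmds:
        out.append(f"{header}: 'login local' missing, username database is not consulted")
    return out

def audit_config(config: str) -> list[str]:
    findings = []
    for header, cmds in parse_sections(config).items():
        if header == "":
            findings += check("global", cmds, FORBIDDEN_GLOBAL, REQUIRED_GLOBAL)
        elif header.startswith("interface "):
            findings += check(header, cmds, FORBIDDEN_IFACE, REQUIRED_IFACE)
        elif header.startswith("line vty"):
            findings += audit_vty(header, cmds)
    return findings
```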

Question Seven. List the five required steps to enable the lockdown feature of SDM.
Answer:
Step 1. Select Configure.
Step 2. Select Security Audit.
Step 3. Click One-step lockdown.
Step 4. In the Cisco SDM warning dialog box, select Yes.
Step 5. Deliver commands to the router.

Question Eight. List the three steps required to update a router with a new Cisco I O S image file located on a TFTP server.
Answer:
Step 1. Ping the TFTP server to make sure that you have access to it.
Step 2. Use the show flash: command to verify that the router has enough room in flash to accommodate the size of the Cisco I O S image file.
Step 3. Copy the new Cisco I O S image from the TFTP server using the copy tftp flash: command in privileged EXEC mode.


Page 3:
This activity is a cumulative review of the chapter covering OSPF routing, authentication, and upgrading the Cisco IOS image.

Detailed instructions are provided within the activity as well as in the PDF link below.

Activity Instructions (PDF)

Click the Packet Tracer icon for more details.


4.7.1 - Chapter Summary
Link to Packet Tracer Exploration: Packet Tracer Skills Integration Challenge


4.8 Chapter Quiz

4.8.1 Chapter Quiz

Page 1:


4.8.1 - Chapter Quiz
1. Match the term to the associated description.
Terms:
A: Operating system weakness.
B: Unsecured user accounts.
C: Network equipment weaknesses.
D: Unsecured default settings.
E: Lack of consistency and continuity.
F: TCP/IP and ICMP weaknesses.
G: Lack of disaster recovery plan.

Descriptions:
One. Technological Weakness.
Two. Configuration Weakness.
Three. Security Policy Weakness.

2. Which two pieces of information can be determined from opening the Cisco SDM homepage of a router? (Choose two.)
A. Routing table.
B. CDP neighbors.
C. Snapshot of the router configuration.
D. Interface status.
E. Features supported by the Cisco I O S software.

3. A technician has been asked to perform a Cisco SDM one-step lockdown test. Which location should be used to initiate the test?
A. Diagnostic mode on the Firewall page.
B. Configure mode on the Security Audit page.
C. Test mode on the Security Audit page.
D. Test mode on the Firewall page.

4. Match the term to the associated description.
Terms:
A: Reconnaissance attack.
B: Password attack.
C: Port redirection.
D: Worm, virus, Trojan horse.
E: D o S attack.

Descriptions:
One. Dictionary cracking and brute force attack.
Two. Using a compromised host to pass traffic through a firewall that would otherwise be dropped.
Three. Using ping sweeps, port scans, and packet sniffers to gain information about a network.
Four. Flooding a network device with traffic in an attempt to render it unusable for legitimate traffic.
Five. Malicious software designed to damage a system, replicate itself, or deny services or access to networks, systems, or services.

5. What is a major advantage of H I P S over H I D S?
A. H I P S does not require host-based client software.
B. H I P S consumes fewer system resources.
C. H I P S can prevent intrusions.
D. H I P S prevents the need to update signature files as often.

6. What is the core or hub component of the Security Wheel?
A. secure.
B. monitor.
C. improve.
D. test.
E. security policy.

7. As part of a network security plan, where does Cisco recommend that administrators send events captured by syslog?
A. flash.
B. NV RAM.
C. designated log hosts.
D. designated TFTP clients.
E. designated SNMP clients.

8. Which protocol should be used when strong privacy and session integrity are needed for remote router administration?
A. HTTP.
B. SNMP.
C. SSH.
D. Telnet.
E. TFTP.

9. Match the policy to its description. Not all options are used.
Policies:
A: Account access request policy.
B: Remote access policy.
C: Risk assessment policy.
D: Audit policy.
E: Acceptable use policy.

Descriptions:
One. Defines the standards for connecting to the internal network from outside the organization.
Two. Specifies procedures to investigate incidents, ensure conformance to security policies, and monitor user and system activity.
Three. Defines how network resources may and may not be employed.
Four. Formalizes the process of how users request access to systems.

10. Match the three items required to configure SDM to the steps in the proper sequence. Not all options are used.
Items:
A: Use the auto secure command to configure router security.
B: Enable the HTTP and HTTP S servers on the router.
C: Create a user account defined with privilege level 15.
D: Create a user account defined with privilege level 0.
E: Create an ACL to allow HTTP traffic into the router and apply it to the v t y's.
F: Configure SSH and Telnet for local login and privilege level 15.
G: Configure SSH and Telnet for local login and privilege level 0.

Step required to configure SDM:
One.
Two.
Three.

11. Which three services should be disabled on a router to prevent security vulnerabilities? (Choose three.)
A. Network Time Protocol (NTP).
B. Domain Name System (DNS).
C. Secure Socket Layer (SSL).
D. Cisco Express Forwarding (C E F).
E. Simple Network Management Protocol (SNMP).
F. Secure Shell (SSH).

12. Which feature provides a straightforward one-touch device lockdown for configuring the security posture of routers?
A. SSH.
B. SDM.
C. AutoSecure.
D. SNMP.

13. Match the description to the correct network management service.
Descriptions:
A: Application Layer protocol that provides a facility for retrieving and posting data for monitoring and management of devices in a network using TCP port 161.
B: Protocol designed to synchronize the time on a network of machines and runs over UDP using port 123.
C: Distributed database that maps hostnames to IP addresses using services on a designated server.

Services:
Network Time Protocol (NTP).
Domain Name System (DNS).
Simple Network Management Protocol (SNMP).

14. Which feature is a web-based-management tool for Cisco I O S software-based routers?
A. SSH.
B. SDM.
C. AutoSecure.
D. SNMP.

15. Which three SDM wizards are available to configure a router? (Choose three.)
A. security audit.
B. firewall.
C. DHCP.
D. Q o S.
E. routing.
F. access list.
