Ccnasv2 instructorppt ch2

Chapter 2:
Securing Network Devices
CCNA Security v2.0


Chapter Outline
2.0 Introduction
2.1 Securing Device Access
2.2 Assigning Administrative Roles
2.3 Monitoring and Managing Devices
2.4 Using Automated Security Features
2.5 Securing the Control Plane
2.6 Summary

© 2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

2


Section 2.1:
Securing Device Access
Upon completion of this section, you should be able to:
• Explain how to secure a network perimeter.
• Configure secure administrative access to Cisco routers.
• Configure enhanced security for virtual logins.
• Configure an SSH daemon for secure remote management.




Topic 2.1.1:
Securing the Edge Router



Securing the Network Infrastructure



Edge Router Security Approaches
• Single Router Approach
A single router connects the internal LAN to the Internet. All security policies are configured on this device.
Figure: Internet, Router 1 (R1), LAN 1 192.168.2.0

• Defense-in-depth Approach
Passes everything through to the firewall. A set of rules determines what traffic the router will allow or deny.
Figure: Internet, R1, Firewall, LAN 1 192.168.2.0

• DMZ Approach
The DMZ is set up between two routers. Most traffic filtering is left to the firewall.
Figure: Internet, R1, Firewall, R2, LAN 1 192.168.2.0, with the DMZ between R1 and R2


Three Areas of Router Security
• Physical Security
Place router in a secured, locked room
Install an uninterruptible power supply

• Operating System Security
Use the latest stable version that meets network requirements
Keep a copy of the O/S and configuration file as a backup

• Router Hardening
Secure administrative control
Disable unused ports and interfaces
Disable unnecessary services



Secure Administrative Access
Tasks:
• Restrict device accessibility
• Log and account for all access
• Authenticate access
• Authorize actions
• Present legal notification
• Ensure the confidentiality of data



Secure Local and Remote Access

Local Access

Remote Access Using Telnet

Remote Access Using Modem and Aux Port



Secure Local and Remote Access (Cont.)
Dedicated Management Network



Topic 2.1.2:
Configuring Secure Administrative Access



Strong Passwords
Guidelines:
• Use a password length of 10 or more characters.
• Include a mix of uppercase and lowercase letters, numbers, symbols, and spaces.
• Avoid passwords based on easily identifiable pieces of information.
• Deliberately misspell a password (Smith = Smyth = 5mYth).
• Change passwords often.
• Do not write passwords down and leave them in obvious places.
Weak Password    Why it is Weak                 Strong Password    Why it is Strong
secret           Simple dictionary password     b67n42d39c         Combines alphanumeric characters
smith            Mother's maiden name           12^h u4@1p7        Combines alphanumeric characters, symbols, and includes a space
toyota           Make of car
bob1967          Name and birthday of user
Blueleaf23       Simple words and numbers

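A checker that applies the guidelines above to the table's own examples, added here as an illustration and not part of the Cisco slides; the WORDLIST, password_problems and classify names are this example's own, and the wordlist is a constructed stand-in for real dictionaries and personal data:

```python
import string

# Constructed mini wordlist of dictionary words and personal details,
# standing in for the dictionaries and HR data a real checker would use.
WORDLIST = {"secret", "smith", "toyota", "bob", "blue", "leaf", "password"}

def password_problems(pw, wordlist=WORDLIST, min_length=10):
    # Return the guideline violations for pw; an empty list means it passes.
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = [
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
        " " in pw,
    ]
    if sum(classes) < 2:
        problems.append("single character class")
    # Easily identifiable information: dictionary words, names, car makes.
    hits = sorted(w for w in wordlist if w in pw.lower())
    if hits:
        problems.append("contains dictionary or personal words: " + ", ".join(hits))
    return problems

def classify(pw):
    return "strong" if not password_problems(pw) else "weak"

if __name__ == "__main__":
    for pw in ["secret", "smith", "toyota", "bob1967", "Blueleaf23",
               "b67n42d39c", "12^h u4@1p7"]:
        print(f"{pw!r}: {classify(pw)} {password_problems(pw)}")
```

The table's two strong passwords pass all three rules; Blueleaf23 fails only the wordlist rule, which is why character-class mixing alone is not enough.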


Increasing Access Security
To increase the security of passwords, use additional configuration parameters:
• Minimum password lengths should be enforced
• Unattended connections should be disabled
• All passwords in the configuration file should be encrypted

R1(config)# service password-encryption
R1(config)# exit
R1# show running-config
line con 0
 exec-timeout 3 30
 password 7 094F471A1A0A
 login
line aux 0
 exec-timeout 3 30
 password 7 094F471A1A0A
 login




Secret Password Algorithms
Guidelines:
• Configure all secret passwords using type 8 or type 9 passwords
• Use the enable algorithm-type command syntax to enter an unencrypted password
• Use the username name algorithm-type command to specify type 9 encryption



Securing Line Access
Command to restrict access to privileged EXEC mode:
R1(config)# enable secret cisco

Commands to establish a login password on incoming Telnet sessions:
R1(config)# line vty 0 4
R1(config-line)# password cisco
R1(config-line)# login

Commands to establish a login password for dial-up modem connections:
R1(config)# line aux 0
R1(config-line)# password cisco
R1(config-line)# login

Commands to establish a login password on the console line:
R1(config)# line con 0
R1(config-line)# password cisco
R1(config-line)# login
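An audit check for the settings the Increasing Access Security and Securing Line Access slides cover (idle timeout, type 7 or plaintext line passwords, line-password-only login, vty transport), added here as an example and not code from the Cisco course; parse_config, audit and the SAMPLE_CONFIG excerpt are constructed for the demonstration:

```python
import re

# Constructed running-config excerpt modelled on the slides (not a device capture).
SAMPLE_CONFIG = """\
service password-encryption
line con 0
 exec-timeout 3 30
 password 7 094F471A1A0A
 login
line vty 0 4
 exec-timeout 0 0
 password 7 094F471A1A0A
 login
 transport input telnet
"""

def parse_config(config):
    # Group sub-commands under their 'line ...' block; the rest is global.
    blocks, current = {"global": []}, "global"
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" "):
            blocks[current].append(raw.strip())
        elif raw.strip():
            current = "global"
            blocks["global"].append(raw.strip())
    return blocks

def audit(config):
    # Findings against the slides' guidance: idle timeouts, recoverable
    # line passwords, line-password-only login, and non-SSH vty access.
    findings = []
    for name, cmds in parse_config(config).items():
        if not name.startswith("line "):
            continue
        timeout = next((c for c in cmds if c.startswith("exec-timeout")), None)
        if timeout is None:
            findings.append(f"{name}: no exec-timeout, idle sessions stay open")
        elif timeout.split()[1:] == ["0", "0"]:
            findings.append(f"{name}: exec-timeout 0 0 disables the idle timeout")
        for c in cmds:
            m = re.match(r"password (?:(\d) )?\S+", c)
            if m and (m.group(1) or "0") in ("0", "7"):
                findings.append(f"{name}: type {m.group(1) or '0'} password is recoverable")
        if "login" in cmds:
            findings.append(f"{name}: line password only, prefer login local or AAA")
        if name.startswith("line vty") and "transport input ssh" not in cmds:
            findings.append(f"{name}: transport input not restricted to ssh")
    return findings
```

Type 7 strings produced by service password-encryption are obfuscation, not hashing, which is why the check treats them like plaintext and the slides steer toward type 8 or 9 secrets.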


Topic 2.1.3:
Configuring Enhanced Security for Virtual Logins



Enhancing the Login Process
Virtual login security enhancements:
• Implement delays between successive login attempts
• Enable login shutdown if DoS attacks are suspected
• Generate system-logging messages for login detection



Configuring Login Enhancement Features




Enable Login Enhancements
Command Syntax: login block-for

Example: login quiet-mode access-class

Example: login delay
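A model of how the three enhancements from the Enhancing the Login Process slide (login block-for, login quiet-mode access-class, login delay) interact, added here as a teaching illustration rather than Cisco's implementation; LoginGuard, quiet_mode_scenario, the threshold values and the 203.0.113.9 / 10.0.0.5 addresses are all constructed:

```python
from collections import deque

class LoginGuard:
    """Model of 'login block-for <secs> attempts <n> within <secs>' plus quiet-mode
    access-class and login delay. Times are integer seconds; not IOS code."""

    def __init__(self, block_for, attempts, within, delay=1, exempt=()):
        self.block_for, self.attempts, self.within = block_for, attempts, within
        self.delay = delay            # minimum gap between successive attempts
        self.exempt = set(exempt)     # hosts the quiet-mode access-class permits
        self.failures = deque()       # timestamps of recent failed attempts
        self.quiet_until = 0          # quiet mode is active before this time
        self.last_attempt = None
        self.log = []                 # stands in for the login syslog messages

    def attempt(self, now, src, credentials_ok):
        # Returns one of: quiet-mode, delayed, success, failed
        if now < self.quiet_until and src not in self.exempt:
            self.log.append(f"{now}: {src} denied, quiet mode until {self.quiet_until}")
            return "quiet-mode"
        if self.last_attempt is not None and now - self.last_attempt < self.delay:
            return "delayed"          # login delay: attempt arrived too soon
        self.last_attempt = now
        if credentials_ok:
            self.log.append(f"{now}: LOGIN_SUCCESS from {src}")
            return "success"
        self.log.append(f"{now}: LOGIN_FAILED from {src}")
        self.failures.append(now)
        while now - self.failures[0] > self.within:   # drop failures outside the window
            self.failures.popleft()
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures.clear()
            self.log.append(f"{now}: QUIET_MODE for {self.block_for}s")
        return "failed"

def quiet_mode_scenario():
    # Constructed scenario: one source fails three times inside 60 s, the
    # router goes quiet for 120 s, and only the exempt management host gets in.
    g = LoginGuard(block_for=120, attempts=3, within=60, exempt={"10.0.0.5"})
    return [g.attempt(0, "203.0.113.9", False),
            g.attempt(0, "203.0.113.9", False),    # inside the login delay
            g.attempt(2, "203.0.113.9", False),
            g.attempt(4, "203.0.113.9", False),    # third failure: quiet mode
            g.attempt(10, "203.0.113.9", True),    # valid credentials, still denied
            g.attempt(10, "10.0.0.5", True),       # exempt host is let through
            g.attempt(130, "203.0.113.9", True)]   # quiet mode has expired
```

The log list is what show login failures and the on-failure syslog messages would let an operator see; failures older than the within window are discarded, so three slow failures spread over minutes never trigger quiet mode.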



Logging Failed Attempts
Generate Login Syslog Messages

Example: show login failures



