Securing Device Access
Bach Khoa Information Technology Academy - Website: www.bkacad.com
Securing the Edge Router
• Securing the network infrastructure is critical to overall network
security: routers, switches, servers, endpoints, and other devices.
• The edge router is the last router between the internal network and
an untrusted network such as the Internet.
• If an attacker gains access to a router, the security and
management of the entire network can
Lecture notes: CCNA Security - Chapter 2: Securing Network Devices (175 pages)
1. Syslog servers - Accept and process log messages from syslog clients.
2. Syslog clients - Routers or other types of equipment that generate
and forward log messages to syslog servers.
Using Syslog for Network Security
• Use the following steps to configure system logging.
• Step 1. Set the destination logging host using the logging host
command.
• Step 2. (Optional) Set the log severity (trap) level using the logging
trap level command.
• Step 3. Set the source interface using the logging source-interface
command.
• This specifies that syslog packets contain the IPv4 or IPv6 address
of a particular interface, regardless of which interface the packet
uses to exit the router.
• Step 4. Enable logging with the logging on command.
• Logging to the buffer, to monitor (terminal) sessions, and to syslog
hosts is turned on and off individually with the logging buffered,
logging monitor, and logging host global configuration commands.
• If logging on is disabled (no logging on), no messages are sent to any
of these destinations; only the console still receives messages.
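As an added example (not part of the course slides), the Python below parses IOS-format log lines and applies the rule that the logging trap command enforces: a message reaches the syslog host only if its severity level is numerically less than or equal to the trap level. Running it over the constructed sample lines shows why a trap level of errors (3) silently discards login failures (level 4), configuration changes (5) and ACL log entries (6). The sample lines and the set of mnemonics treated as security-relevant are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS severity levels: 0 is most severe. "logging trap N" forwards levels 0..N.
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

# IOS message body: %FACILITY-SEVERITY-MNEMONIC: text. On the wire a syslog PRI
# (<189>) may precede it, and the router may prepend a sequence number
# (service sequence-numbers) and a timestamp (service timestamps log datetime).
_MSG_RE = re.compile(
    r"^(?:<\d{1,3}>)?"                                   # optional syslog PRI
    r"(?:(?P<seq>\d+):\s*)?"                             # optional sequence number
    r"(?:(?P<ts>\*?[A-Z][a-z]{2}\s+\d{1,2}\s+[\d:.]+(?:\s+[A-Z]{3,4})?):\s*)?"  # optional timestamp
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)


@dataclass
class IosSyslogMessage:
    facility: str
    severity: int
    mnemonic: str
    text: str
    seq: Optional[int] = None
    timestamp: Optional[str] = None


def parse_ios_syslog(line: str) -> Optional[IosSyslogMessage]:
    """Parse one IOS log line; return None for lines that are not IOS messages."""
    m = _MSG_RE.match(line.strip())
    if not m:
        return None
    return IosSyslogMessage(
        facility=m["facility"],
        severity=int(m["severity"]),
        mnemonic=m["mnemonic"],
        text=m["text"],
        seq=int(m["seq"]) if m["seq"] else None,
        timestamp=m["ts"],
    )


def forwarded_by_trap_level(msg: IosSyslogMessage, trap_level: int) -> bool:
    """A router with 'logging trap <trap_level>' sends this message to the syslog
    host only if its severity is numerically <= trap_level."""
    return msg.severity <= trap_level


# Facility/mnemonic pairs a defender wants at the collector however noisy the
# router is. This set is an assumption chosen for the example, not from the slides.
SECURITY_MNEMONICS = {
    ("SEC_LOGIN", "LOGIN_FAILED"),   # %SEC_LOGIN-4-LOGIN_FAILED
    ("SEC_LOGIN", "QUIET_MODE_ON"),  # %SEC_LOGIN-1-QUIET_MODE_ON
    ("SYS", "CONFIG_I"),             # %SYS-5-CONFIG_I (configuration changed)
    ("SYS", "RELOAD"),               # %SYS-5-RELOAD
    ("SEC", "IPACCESSLOGP"),         # %SEC-6-IPACCESSLOGP (ACL log entry)
}


def triage(log_text: str, trap_level: int
           ) -> Tuple[List[IosSyslogMessage], List[IosSyslogMessage], List[str]]:
    """Return (messages the router would forward, security-relevant messages that
    the configured trap level would silently drop, unparseable lines)."""
    forwarded, dropped_security, unparsed = [], [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        msg = parse_ios_syslog(line)
        if msg is None:
            unparsed.append(line)
            continue
        if forwarded_by_trap_level(msg, trap_level):
            forwarded.append(msg)
        elif (msg.facility, msg.mnemonic) in SECURITY_MNEMONICS:
            dropped_security.append(msg)
    return forwarded, dropped_security, unparsed


# Constructed sample lines in IOS format (not captured from a real device).
SAMPLE_LOG = """\
<189>000045: *Mar  1 00:02:15.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
<188>000046: *Mar  1 00:02:40.001: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed]
<190>000047: *Mar  1 00:03:01.555: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(4455) -> 10.0.0.1(23), 1 packet
<189>000048: *Mar  1 00:03:05.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
<191>000049: *Mar  1 00:03:09.000: %SYS-7-USERLOG_DEBUG: Message from tty0(user id: admin): test
"""

if __name__ == "__main__":
    for level in (3, 5, 6):
        fwd, dropped, _ = triage(SAMPLE_LOG, level)
        print(f"logging trap {SEVERITY_NAMES[level]}: forwarded {len(fwd)}, "
              f"security events lost: {[m.mnemonic for m in dropped]}")
```

With logging trap errors nothing in the sample reaches the collector; logging trap notifications still loses the ACL log entries, which is why a collector that is expected to hold ACL hits needs informational or higher on the router.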
Using Syslog for Network Security
• To enable syslog logging on your router using Cisco Router and Security
Device Manager (SDM), follow these steps.
• Step 1. Choose Configure > Router > Logging.
• Step 2. From the Logging pane, click Edit.
• Step 3. In the Logging window, select Enable Logging Level and choose
the logging level from the Logging Level list box. Messages are logged
for the selected level and all more severe levels.
• Step 4. Click Add, and enter the IP address of a logging host in the IP
Address/Hostname field.
• Step 5. Click OK to return to the Logging dialog box.
• Step 6. Click OK to accept the changes and return to the Logging pane.
• Cisco SDM can be used to monitor logging by choosing Monitor >
Logging.
Using SNMP for Network Security
• SNMP was developed to manage nodes, such as
servers, workstations, routers, switches, hubs, and
security appliances, on an IP network. SNMP is an
Application Layer protocol that facilitates the exchange
of management information between network devices.
• SNMP version 1 (SNMPv1) and SNMP version 2 (SNMPv2) are based on
managers (network management systems [NMSs]), agents (managed
nodes), and Management Information Bases (MIBs).
• The SNMP manager can get information from the agent,
and change, or set, information in the agent.
• There are two types of community strings.
– Read-only community strings - Provide read-only access to all
objects in the MIB, except the community strings themselves.
– Read-write community strings - Provide read-write access to all
objects in the MIB, except the community strings themselves.
• In SNMPv1 and SNMPv2c the community string is the only credential and
is sent in cleartext with every request, so anyone who can sniff
management traffic, or guess a default such as public or private, gets
the same access as the legitimate manager.
• SNMPv3, the current version, addresses the vulnerabilities of earlier
versions by including three important services: authentication,
privacy, and access control.
• SNMPv3 is an interoperable, standards-based protocol for network
management.
• SNMPv3 provides three security features.
– Message integrity - Ensures that a packet has not been
tampered with in transit.
– Authentication - Determines that the message is from a valid
source.
– Encryption - Scrambles the contents of a packet to prevent it
from being seen by an unauthorized source.
• There are three security levels.
– noAuth (noAuthNoPriv) - Authenticates a packet by a string match of
the username (or, for SNMPv1/v2c, the community string). Nothing is
encrypted.
– auth (authNoPriv) - Authenticates a packet by using either the Hashed
Message Authentication Code (HMAC) with MD5 method or the Secure Hash
Algorithm (SHA) method. The HMAC method is described in RFC 2104,
HMAC: Keyed-Hashing for Message Authentication. The payload is still
sent in the clear.
– priv (authPriv) - Authenticates a packet by using either the HMAC-MD5
or HMAC-SHA algorithm and encrypts the packet using the Data
Encryption Standard (DES), Triple DES (3DES), or Advanced Encryption
Standard (AES) algorithm.
• Prefer SHA with AES; MD5 and DES remain only for interoperability with
older agents.
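What auth and priv mean in practice is easiest to see in the key handling of the User-based Security Model (RFC 3414), which is also why SNMPv3 improves on the community strings described above: the password never crosses the wire, and the key an agent stores is localized with the agent's snmpEngineID, so recovering the key from one agent does not expose the others. The Python below is an added example, not code from the course or from Cisco; it implements the RFC 3414 password-to-key and key-localization algorithms (checked against the MD5 and SHA known-answer values in the RFC's appendix) and uses the localized key for HMAC-96 message authentication over a simplified message layout. The second engine ID and the message bytes are assumptions for the example.

```python
import hashlib
import hmac


# RFC 3414 A.2: the password is expanded to exactly 1,048,576 octets by
# repeating it, and that buffer is hashed once to give the user key Ku.
def password_to_key(password: bytes, hash_name: str) -> bytes:
    if not password:
        raise ValueError("empty password")
    total = 1_048_576
    expanded = (password * (total // len(password) + 1))[:total]
    return hashlib.new(hash_name, expanded).digest()


# RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku). The agent stores only Kul,
# so the same password gives a different key on every engine.
def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def derive_localized_key(password: bytes, engine_id: bytes, hash_name: str) -> bytes:
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


# Security level "auth": HMAC-MD5-96 / HMAC-SHA-96 over the whole message with the
# 12-octet msgAuthenticationParameters field zeroed while the MAC is computed.
# The message is modelled here as header + 12-byte MAC slot + body (simplified,
# not the full BER encoding).
AUTH_PARAM_LEN = 12


def usm_sign(kul: bytes, header: bytes, body: bytes, hash_name: str) -> bytes:
    to_mac = header + bytes(AUTH_PARAM_LEN) + body
    mac = hmac.new(kul, to_mac, hash_name).digest()[:AUTH_PARAM_LEN]
    return header + mac + body


def usm_verify(kul: bytes, msg: bytes, header_len: int, hash_name: str) -> bool:
    header = msg[:header_len]
    received = msg[header_len:header_len + AUTH_PARAM_LEN]
    body = msg[header_len + AUTH_PARAM_LEN:]
    expected = hmac.new(kul, header + bytes(AUTH_PARAM_LEN) + body,
                        hash_name).digest()[:AUTH_PARAM_LEN]
    return hmac.compare_digest(received, expected)


# Known-answer inputs from RFC 3414 Appendix A.3: password "maplesyrup" and
# engine ID 00..02.
RFC3414_PASSWORD = b"maplesyrup"
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")

if __name__ == "__main__":
    for name in ("md5", "sha1"):
        print(name, "Ku :", password_to_key(RFC3414_PASSWORD, name).hex())
        print(name, "Kul:", derive_localized_key(RFC3414_PASSWORD, RFC3414_ENGINE_ID, name).hex())
    # Constructed engine ID and message for the signing demo (example values).
    kul = derive_localized_key(b"correct horse battery", bytes.fromhex("80001f8880a1b2c3"), "sha1")
    msg = usm_sign(kul, b"\x30\x10\x02\x01\x03", b"get-request", "sha1")
    print("verify:", usm_verify(kul, msg, 5, "sha1"))
```

Two consequences follow from the derivation: the manager must learn the agent's snmpEngineID (discovery) before it can authenticate, and the password-to-key step is deliberately slow (1 MiB hashed per guess), which helps against offline guessing but does not rescue a short password.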
• To enable SNMPv1 and SNMPv2 using CCP follow these steps:
• Step 1. Choose Configure > Router > SNMP. Click the Edit button.
• Step 2. From the SNMP Properties window, select Enable SNMP to
enable SNMP support.
• Set community strings and enter trap manager information from the
same SNMP Properties window used to enable support.
• Step 3. In the SNMP Properties window, click Add to create new
community strings, click Edit to edit an existing community string, or
click Delete to delete a community string.
• An example CLI command that SDM would generate
based on a read only community string of cisco123 is
snmp-server community cisco123 ro.
– ro - Assigns a read-only community string.
– rw - Assigns a read-write community string.
• CCP can be used to add, edit, or delete a trap receiver:
• Step 1. From the SNMP pane in CCP, click Edit. The SNMP Properties window
displays.
• Step 2. To add a new trap receiver, click Add in the Trap Receiver section of the
SNMP Properties window. The Add a Trap Receiver window displays.
• Step 3. Enter the IP address or host name of the trap receiver and the password (the
community string) used when sending traps to it. Typically, this is the IP address of
the SNMP management station that monitors the domain. Check with the site
administrator to determine the address if unsure.
• Step 4. Click OK to finish adding the trap receiver.
• Step 5. To edit an existing trap receiver, choose a trap receiver from the trap
receiver list and click Edit. To delete an existing trap receiver, choose a trap receiver
from the trap receiver list and click Delete.
• Step 6. When the trap receiver list is complete, click OK to return to the SNMP pane.
Using NTP
• Typically, the date and time settings of the router can be set using
one of two methods:
– Manually editing the date and time
– Configuring the Network Time Protocol (NTP)
Stratum
• In NTP, stratum levels define the distance from the reference clock. A reference
clock is a stratum-0 device that is assumed to be accurate and has little or no delay
associated with it. The reference clock typically synchronizes to the correct time
(UTC) using GPS transmissions, CDMA technology, or other time signals such as IRIG-B,
WWV, and DCF77. Stratum-0 devices cannot be used on the network directly; instead,
they are connected to computers, which then operate as stratum-1 servers.
• A server that is directly connected to a stratum-0 device is called a stratum-1
server. This includes all time servers with built-in stratum-0 devices, such as the
EndRun time servers, and also those with direct links to stratum-0 devices, such as
over an RS-232 connection or via an IRIG-B time code. The basic definition of a
stratum-1 time server is that it is directly linked (not over a network path) to a
reliable source of UTC time such as GPS, WWV, or CDMA transmissions. A stratum-1 time
server acts as a primary network time standard.
• A stratum-2 server is connected to a stratum-1 server over a network path. Thus, a
stratum-2 server gets its time via NTP packet requests from a stratum-1 server; a
stratum-3 server gets its time from a stratum-2 server, and so on.
• A low stratum number says how far a server is from a reference clock, not that the
server is trustworthy. Because consistent timestamps are what make syslog records
from different devices comparable during an investigation, take time only from
sources you control or that are authenticated with an NTP key.
Using NTP
• CCP allows a network administrator to view the configured NTP server
information, add new information, and edit or delete existing
information.
• There are seven steps to add an NTP server using CCP:
• Step 1. Choose Configure > Router > Time > NTP and SNTP
• Step 2. To add a new NTP server, click Add.
• Step 3. Add an NTP server by name (if the router is configured to use a
Domain Name System server) or by IP address.
• Step 4. (Optional) From the NTP Source Interface drop-down list,
choose the interface that the router uses to communicate with the NTP
server.
• Step 5. Select Prefer if this NTP server has been designated as a
preferred NTP server.
• Step 6. If the NTP server uses authentication, select Authentication
Key and enter the key number and key value.
• Step 7. Click OK to finish adding the server.
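To connect the stratum discussion with the authentication key in Step 6 above, the Python below is an added example (not from the course or from Cisco IOS): it decodes the 48-byte NTP header to read the stratum and reference identifier, states what stratum 0, 1 to 15 and 16 mean in a received packet, and implements the symmetric-key MD5 authenticator that ntp authentication-key and ntp trusted-key rely on (a key identifier followed by MD5 over the key and the header), accepting a reply only when the key identifier is trusted and the digest matches. The server reply, key values and timestamp are constructed for the example.

```python
import hashlib
import hmac
import struct
from typing import Dict, Set

NTP_HEADER_LEN = 48
NTP_UNIX_OFFSET = 2_208_988_800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01


def stratum_description(stratum: int) -> str:
    """Meaning of the stratum field of a received packet (RFC 5905)."""
    if stratum == 0:
        return "unspecified / kiss-o'-death (refid carries an ASCII code); never sync to it"
    if stratum == 1:
        return "primary server (directly attached reference clock such as GPS)"
    if stratum <= 15:
        return f"secondary server, {stratum - 1} network hop(s) below a stratum-1 server"
    return "unsynchronized (IOS shows stratum 16 for a server with no time source)"


def parse_ntp_header(pkt: bytes) -> dict:
    """Decode the fixed 48-byte NTP header (RFC 5905 section 7.3)."""
    if len(pkt) < NTP_HEADER_LEN:
        raise ValueError("short NTP packet")
    first, stratum, poll, precision = struct.unpack("!BBbb", pkt[:4])
    root_delay, root_disp = struct.unpack("!II", pkt[4:12])
    ref_id = pkt[12:16]
    ref_ts, orig_ts, recv_ts, xmit_ts = struct.unpack("!QQQQ", pkt[16:48])
    # refid is a 4-char ASCII code for stratum 0-1 and the upstream IPv4 address
    # for stratum 2-15 (IPv6 upstreams use a hash, not handled here).
    if stratum <= 1:
        ref = ref_id.rstrip(b"\x00").decode("ascii", "replace")
    else:
        ref = ".".join(str(b) for b in ref_id)
    return {
        "leap": first >> 6, "version": (first >> 3) & 7, "mode": first & 7,
        "stratum": stratum, "stratum_text": stratum_description(stratum),
        "poll": poll, "precision": precision,
        "root_delay_s": root_delay / 2**16, "root_dispersion_s": root_disp / 2**16,
        "ref_id": ref,
        "transmit_unix": (xmit_ts >> 32) - NTP_UNIX_OFFSET + (xmit_ts & 0xFFFFFFFF) / 2**32,
    }


# Symmetric-key authentication (RFC 5905 Appendix A, the scheme behind IOS
# "ntp authentication-key N md5 ..."): keyid (4 bytes) + MD5(key || 48-byte header).
def ntp_append_mac(header: bytes, key_id: int, key: bytes) -> bytes:
    digest = hashlib.md5(key + header[:NTP_HEADER_LEN]).digest()
    return header[:NTP_HEADER_LEN] + struct.pack("!I", key_id) + digest


def ntp_verify_mac(pkt: bytes, keys: Dict[int, bytes], trusted: Set[int]) -> bool:
    """Accept only if a MAC is present, its key id is trusted ('ntp trusted-key')
    and configured, and the digest matches. Unauthenticated packets are rejected."""
    if len(pkt) != NTP_HEADER_LEN + 4 + 16:
        return False
    key_id = struct.unpack("!I", pkt[48:52])[0]
    if key_id not in trusted or key_id not in keys:
        return False
    expected = hashlib.md5(keys[key_id] + pkt[:NTP_HEADER_LEN]).digest()
    return hmac.compare_digest(pkt[52:], expected)


def build_server_reply(stratum: int, ref_id: bytes, xmit_ts: int, version: int = 4) -> bytes:
    """Construct a mode-4 (server) reply for the example; not a captured packet."""
    first = (0 << 6) | (version << 3) | 4
    return struct.pack("!BBbbII4sQQQQ", first, stratum, 6, -20, 0, 0x1000,
                       ref_id, 0, 0, 0, xmit_ts)


# Constructed key material (example only): key id 1 is configured and trusted,
# key id 2 is configured but no longer trusted.
KEYS = {1: b"NtpK3y-example", 2: b"old-key"}
TRUSTED = {1}

if __name__ == "__main__":
    reply = build_server_reply(2, bytes([192, 0, 2, 10]),
                               (1_700_000_000 + NTP_UNIX_OFFSET) << 32)
    signed = ntp_append_mac(reply, 1, KEYS[1])
    info = parse_ntp_header(signed)
    print(info["stratum"], info["stratum_text"], info["ref_id"])
    print("authentic:", ntp_verify_mac(signed, KEYS, TRUSTED))
```

The MD5-keyed scheme is what IOS offers on the routers this chapter covers; it stops an on-path attacker from altering the stratum or the timestamps, but the shared key must be as well protected as the enable secret, since anyone holding it can forge time for every device that trusts that key id.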
Performing a Security Audit
• Cisco Discovery Protocol (CDP) is an example of a service that is
enabled by default on Cisco routers. It advertises the platform, IOS
version and addresses of the device to directly connected neighbors, so
it should be disabled (no cdp run, or no cdp enable per interface)
wherever that information must not leak, in particular on interfaces
facing untrusted networks.
• Many practices help ensure a device is secure.
• Three security audit tools available include:
– Security Audit Wizard
– Cisco AutoSecure
– One-Step Lockdown
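The Security Audit Wizard, AutoSecure and One-Step Lockdown all compare the running configuration against a set of recommended settings. The Python below is an added example of that idea, not code from the course or from any Cisco tool: it scans running-config text for the items this chapter covers (CDP left at its default, weak or unrestricted SNMP community strings, no remote syslog host, NTP without authentication) and reports findings for a weak and a hardened configuration. Both configurations, the check list and the list of well-known community strings are constructed for the example.

```python
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (check id, detail)

# Community strings found in vendor defaults and every wordlist (example list).
WELL_KNOWN_COMMUNITIES = {"public", "private", "cisco", "admin"}

# snmp-server community STRING [view VIEW] [RO|RW] [ACL]; RO is the default.
_COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?:\s+view\s+\S+)?(?:\s+(RO|RW))?(?:\s+(\S+))?$", re.I)
# Modern "logging host A.B.C.D" or legacy "logging A.B.C.D".
_LOG_HOST_RE = re.compile(r"^logging (?:host \S+|\d{1,3}(?:\.\d{1,3}){3})")


def audit_ios_config(running_config: str) -> List[Finding]:
    """Report hardening gaps for the items discussed in this chapter."""
    lines = [ln.strip() for ln in running_config.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("!")]
    findings: List[Finding] = []

    # CDP is on by default and its default state is not shown in the config,
    # so the only evidence that it is off is the explicit disable.
    if "no cdp run" not in lines:
        findings.append(("cdp-enabled",
                         "CDP is running globally; use 'no cdp run' or disable it on untrusted interfaces"))

    for ln in lines:
        m = _COMMUNITY_RE.match(ln)
        if not m:
            continue
        name, mode, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)
        if name.lower() in WELL_KNOWN_COMMUNITIES:
            findings.append(("snmp-default-community", f"community '{name}' is a well-known string"))
        if mode == "RW":
            findings.append(("snmp-rw-community", f"community '{name}' grants write access to the MIB"))
        if acl is None:
            findings.append(("snmp-no-acl", f"community '{name}' is accepted from any source; append an ACL"))

    if not any(_LOG_HOST_RE.match(ln) for ln in lines):
        findings.append(("syslog-no-host", "no 'logging host'; events survive only in the local buffer"))

    if any(ln.startswith("ntp server ") for ln in lines) and "ntp authenticate" not in lines:
        findings.append(("ntp-no-auth", "NTP servers configured without 'ntp authenticate'"))

    return findings


# Constructed sample configurations (not taken from a real device).
WEAK_CONFIG = """\
hostname R1
!
snmp-server community public RO
snmp-server community secret123 RW
snmp-server host 10.0.0.50 version 2c public
logging buffered 64000
logging console
ntp server 10.0.0.20
!
end
"""

HARDENED_CONFIG = """\
hostname R1
!
no cdp run
access-list 10 permit 10.0.0.50
snmp-server community Xq7-nms-ro RO 10
logging host 10.0.0.50
logging trap informational
logging source-interface Loopback0
ntp authentication-key 1 md5 NtpK3y-example
ntp authenticate
ntp trusted-key 1
ntp server 10.0.0.20 key 1
!
end
"""

if __name__ == "__main__":
    for check, detail in audit_ios_config(WEAK_CONFIG):
        print(f"[{check}] {detail}")
    print("hardened findings:", audit_ios_config(HARDENED_CONFIG))
```

Run against a real device, feed it the output of show running-config; the absence-based checks (CDP, ntp authenticate) are the ones a manual review most often misses, because nothing in the configuration text points at the default.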
Locking Down a Router using AutoSecure
• Released in IOS version 12.3, Cisco AutoSecure is a feature that is
initiated from the CLI and executes a script.
• AutoSecure first makes recommendations for fixing security
vulnerabilities and then modifies the security configuration of the
router.
• There are three forwarding plane services and functions:
1. Enables Cisco Express Forwarding (CEF)
2. Enables traffic filtering with ACLs
3. Implements Cisco IOS firewall inspection for common
protocols
• AutoSecure is often used in the field to provide a baseline security
policy on a new router.
• When the auto secure command is initiated, a wizard is displayed
to step the administrator through the configuration of the device.
Locking Down a Router Using CCP
• Steps 1 to 5 (the wizard screenshots are not reproduced in this text)
Summary
Files attached to this document:
- bai_giang_ccna_security_chapter_2_securing_network_devices.pdf