
Configure secure administrative access:

Router(config)# username name password password
Router(config)# username name secret password

Prefer the secret form: it stores a hash of the password, whereas the password form stores it in clear text (or only type 7 obfuscated when service password-encryption is enabled), which is trivially recoverable from a leaked configuration.

Configure enhanced security for virtual logins

The following commands are available to configure a Cisco IOS device to support the enhanced login features:

Router# configure terminal
Router(config)# login block-for seconds attempts tries within seconds
Router(config)# login quiet-mode access-class {acl-name | acl-number}
Router(config)# login delay seconds
Router(config)# login on-failure log [every login]
Router(config)# login on-success log [every login]

With login block-for, once tries failed attempts occur within the second seconds value, the router enters quiet mode for the first seconds value and refuses all login attempts except from hosts permitted by the quiet-mode ACL; that ACL should therefore permit the management hosts, or an attacker can lock administrators out by generating failures.

SSH configuration

Configure privilege level

Configure Role based CLI Access

Securing the Cisco IOS image & configuration files

Using syslog for Network security


Use the following steps to configure system logging.

Step 1. Set the destination logging host using the logging host command.
Step 2. (Optional) Set the log severity (trap) level using the logging trap level command.
Step 3. Set the source interface using the logging source-interface command. This specifies that syslog packets contain the IPv4 or IPv6 address of a particular interface, regardless of which interface the packet uses to exit the router.
Step 4. Enable logging with the logging on command.

You can turn logging on and off for these destinations individually using the logging buffered, logging monitor, and logging global configuration commands. However, if the logging on command is disabled, no messages are sent to these destinations. Only the console receives messages.
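The enhanced login commands (login block-for ... attempts ... within ..., login on-failure log, login on-success log) and the syslog steps above only pay off if something reads the resulting messages. The following Python is an added example, not part of the original page and not Cisco code: it parses constructed %SEC_LOGIN-4-LOGIN_FAILED and %SEC_LOGIN-5-LOGIN_SUCCESS lines (the message shape IOS uses; the hosts, users and times are made up), counts failures per source, and replays the failures against the block-for logic to show when the router would have entered quiet mode. The function names and the sample log are this example's own.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta

# Constructed sample in the shape of the %SEC_LOGIN messages IOS emits when
# "login on-failure log" and "login on-success log" are configured. The
# addresses, user names and times are made up for this example.
SAMPLE_LOG = """\
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.5] [localport: 22] [Reason: Login Authentication Failed] at 00:00:05 UTC Mon Mar 1 2021
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.5] [localport: 22] [Reason: Login Authentication Failed] at 00:00:10 UTC Mon Mar 1 2021
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 203.0.113.5] [localport: 22] [Reason: Login Authentication Failed] at 00:00:15 UTC Mon Mar 1 2021
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.9] [localport: 22] [Reason: Login Authentication Failed] at 00:03:00 UTC Mon Mar 1 2021
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.9] [localport: 22] [Reason: Login Authentication Failed] at 00:03:20 UTC Mon Mar 1 2021
%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.0.2] [localport: 22] at 00:03:30 UTC Mon Mar 1 2021
"""

LOGIN_RE = re.compile(
    r"%SEC_LOGIN-\d-LOGIN_(?P<result>FAILED|SUCCESS):.*?"
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\] \[localport: (?P<port>\d+)\]"
    r".*? at (?P<ts>\d\d:\d\d:\d\d UTC [A-Za-z]{3} [A-Za-z]{3} \d{1,2} \d{4})"
)


def parse_login_events(lines):
    """Return the SEC_LOGIN events found in syslog lines, oldest first."""
    events = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue                       # not a login message, ignore
        events.append({
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
            "port": int(m["port"]),
            "time": datetime.strptime(m["ts"], "%H:%M:%S UTC %a %b %d %Y"),
        })
    events.sort(key=lambda e: e["time"])
    return events


def failures_by_source(events):
    """How many failed logins each source address produced."""
    return Counter(e["src"] for e in events if e["result"] == "FAILED")


def quiet_mode_windows(events, block_for=120, attempts=3, within=60):
    """Replay the failures against 'login block-for <block_for> attempts
    <attempts> within <within>' and return the (start, end) intervals in
    which the router would have been in quiet mode. Failures are counted
    globally, not per source, which is how the IOS watch window works."""
    windows, recent, quiet_until = [], deque(), None
    for ev in events:
        if ev["result"] != "FAILED":
            continue
        t = ev["time"]
        if quiet_until is not None and t < quiet_until:
            continue                       # quiet mode refuses connections; nothing to count
        recent.append(t)
        while (t - recent[0]).total_seconds() > within:
            recent.popleft()               # drop failures older than the watch window
        if len(recent) >= attempts:
            quiet_until = t + timedelta(seconds=block_for)
            windows.append((t, quiet_until))
            recent.clear()                 # the watch window restarts after quiet mode
    return windows


if __name__ == "__main__":
    evs = parse_login_events(SAMPLE_LOG.splitlines())
    print("failures per source:", dict(failures_by_source(evs)))
    for start, end in quiet_mode_windows(evs):
        print(f"quiet mode from {start:%H:%M:%S} to {end:%H:%M:%S}")
```

On the constructed sample, three failures from 203.0.113.5 inside 60 seconds trip the default thresholds at 00:00:15, so the router would have been in quiet mode until 00:02:15; the two later failures from 198.51.100.9 do not. Feeding the real syslog stream from the logging host through the same functions gives a quick check that the block-for values actually chosen match what the logs show.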

Using NTP

Performing security audit

Locking down the router using auto secure

AAA

AAA accounting functions

In this case, a standard ACL can be applied outbound on interface Fa0/0:

R1(config)# access-list 1 deny 172.16.4.0 0.0.0.255
R1(config)# access-list 1 permit any
R1(config)# interface FastEthernet 0/0
R1(config-if)# ip access-group 1 out

The permit any entry is required: every ACL ends with an implicit deny any, so a list containing only the deny statement would block all traffic leaving Fa0/0.

As compared to standard ACLs, extended ACLs allow for specific types of traffic to be denied or permitted. Imagine a scenario in which FTP traffic from one subnet must be denied on another subnet. In this case, an extended ACL is required because a specific traffic type is filtered.

R1(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
R1(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
R1(config)# access-list 101 permit ip any any
R1(config)# interface fastethernet 0/1
R1(config-if)# ip access-group 101 in

A network administrator has a situation that requires time-based ACLs. Users are not allowed to access the Internet during business hours, except during lunch and after hours until 7 p.m. when the office closes. This is a time-based ACL that supports the requirement:

R1(config)# time-range employee-time
R1(config-time-range)# periodic weekdays 12:00 to 13:00
R1(config-time-range)# periodic weekdays 17:00 to 19:00
R1(config-time-range)# exit
R1(config)# access-list 100 permit ip 192.168.1.0 0.0.0.255 any time-range employee-time
R1(config)# access-list 100 deny ip any any
R1(config)# interface FastEthernet 0/1
R1(config-if)# ip access-group 100 in
R1(config-if)# exit

Outside the time range the permit entry is treated as not matching, so traffic falls through to the deny. Because the entry is evaluated against the router's own clock, a time-based ACL is only as reliable as that clock; synchronize the router with NTP.
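To see how the three ACLs above behave on actual packets without a router, here is an added example (not from the original page and not Cisco code) that models IOS ACL evaluation in Python: wildcard-mask matching, standard versus extended entries, first-match order, the implicit deny at the end of every list, and a time-range that switches an entry on and off. It goes slightly beyond the page in that it also accepts host entries; only the keywords used here (eq on the destination port, time-range, log) are parsed, and a standard entry written as a bare address without a wildcard is not modelled. The function names, the packet dictionary shape and the test packets are this example's own.

```python
import ipaddress
from datetime import datetime, time

# "periodic" day keywords as IOS spells them; Python's weekday() has Monday = 0
DAY_KEYWORDS = {"weekdays": {0, 1, 2, 3, 4}, "weekend": {5, 6}, "daily": set(range(7))}
ANY = ("0.0.0.0", "255.255.255.255")          # 'any' as network + wildcard

def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)

def _take_addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD' from the front of a token list."""
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return (tok[1], "0.0.0.0"), tok[2:]
    return (tok[0], tok[1]), tok[2:]

def parse_ace(line):
    """Parse one numbered ACE. Only the keywords used on this page are modelled:
    a destination 'eq <port>', 'time-range <name>' and 'log' (accepted, ignored)."""
    tok = line.split()
    number, action, rest = int(tok[1]), tok[2], tok[3:]
    ace = {"action": action, "proto": "ip", "dst_port": None, "time_range": None}
    if number <= 99 or 1300 <= number <= 1999:   # standard ACL: source address only
        ace["src"], rest = _take_addr(rest)
        ace["dst"] = ANY
    else:                                        # extended ACL: protocol, source, destination
        ace["proto"], rest = rest[0], rest[1:]
        ace["src"], rest = _take_addr(rest)
        ace["dst"], rest = _take_addr(rest)
    while rest:
        if rest[0] == "eq":
            ace["dst_port"], rest = int(rest[1]), rest[2:]
        elif rest[0] == "time-range":
            ace["time_range"], rest = rest[1], rest[2:]
        elif rest[0] == "log":
            rest = rest[1:]
        else:
            raise ValueError(f"unsupported keyword {rest[0]!r} in: {line}")
    return ace

def parse_acl(text):
    """Build an ACL from config lines; a leading 'R1(config)# ' prompt is ignored."""
    return [parse_ace(line[line.index("access-list"):])
            for line in text.splitlines() if "access-list" in line]

def parse_time_range(text):
    """Parse the 'periodic <days> HH:MM to HH:MM' lines of one time-range."""
    periods = []
    for line in text.splitlines():
        if "periodic" in line:
            tok = line[line.index("periodic"):].split()
            periods.append((DAY_KEYWORDS[tok[1]], time.fromisoformat(tok[2]), time.fromisoformat(tok[4])))
    return periods

def time_range_active(periods, now):
    return any(now.weekday() in days and start <= now.time() < end for days, start, end in periods)

def evaluate(acl, packet, time_ranges=None, now=None):
    """First-match evaluation with the implicit deny IOS appends to every ACL.
    packet: {'src', 'dst', 'proto', optional 'dst_port'}; now: datetime or ISO string."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    for ace in acl:
        if ace["proto"] != "ip" and ace["proto"] != packet["proto"]:
            continue
        if not (wildcard_match(packet["src"], *ace["src"]) and wildcard_match(packet["dst"], *ace["dst"])):
            continue
        if ace["dst_port"] is not None and packet.get("dst_port") != ace["dst_port"]:
            continue
        if ace["time_range"] and not time_range_active(time_ranges[ace["time_range"]], now):
            continue                              # an ACE outside its time range does not match
        return ace["action"]
    return "deny"                                 # implicit deny any at the end of the list

# The ACLs and time-range from the text above, pasted as written
ACL_1 = parse_acl("""
R1(config)# access-list 1 deny 172.16.4.0 0.0.0.255
R1(config)# access-list 1 permit any
""")
ACL_101 = parse_acl("""
R1(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
R1(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
R1(config)# access-list 101 permit ip any any
""")
TIME_RANGES = {"employee-time": parse_time_range("""
R1(config-time-range)# periodic weekdays 12:00 to 13:00
R1(config-time-range)# periodic weekdays 17:00 to 19:00
""")}
ACL_100 = parse_acl("""
R1(config)# access-list 100 permit ip 192.168.1.0 0.0.0.255 any time-range employee-time
R1(config)# access-list 100 deny ip any any
""")
```

Calling evaluate(ACL_101, {"src": "172.16.4.10", "dst": "172.16.3.5", "proto": "tcp", "dst_port": 21}) returns "deny", while the same packet on port 22 or over UDP falls through to the permit ip any any entry. For ACL 100, evaluate(ACL_100, packet, TIME_RANGES, "2021-03-01T12:30") (a Monday lunch hour) returns "permit" and the same call at 10:00 or on Saturday returns "deny". The model makes the two points a practitioner most often gets wrong visible: an entry is skipped, not ignored, when its time range is inactive, and a list with no explicit permit denies everything.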

CBAC provides four main functions: traffic filtering, traffic inspection, intrusion detection, and generation of audits and alerts. The first CBAC commands were introduced to Cisco IOS software in 1997. CBAC is a dramatic improvement over the TCP established and reflexive ACL firewall options in several fundamental ways:

- Monitors TCP connection setup
- Tracks TCP sequence numbers
- Inspects DNS queries and replies
- Inspects common ICMP message types
- Supports applications that rely on multiple connections
- Inspects embedded addresses
- Inspects Application Layer information

Configure CBAC alerts and audit trails:

Router(config)# ip inspect alert-off
Router(config)# ip inspect audit-trail

Verify and troubleshoot CBAC:

Router# show ip inspect [parameter]
Router# debug ip inspect protocol parameter

Verify the sessions of a zone-based policy firewall:

Router# show policy-map type inspect zone-pair session

These are the steps for configuring Cisco IOS IPS:

Step 1. Download the IOS IPS files.
Step 2. Create an IOS IPS configuration directory in flash.
Step 3. Configure an IOS IPS crypto key.
Step 4. Enable IOS IPS.
Step 5. Load the IOS IPS signature package to the router.

The crypto key in Step 3 is Cisco's public key; the router uses it to verify the digital signature of the signature package loaded in Step 5, so a package that fails verification is rejected.

These are the steps for configuring port security on an access port:

Step 1. Configure an interface as an access interface.
Switch(config-if)# switchport mode access
If an interface is in the default mode (dynamic auto), it cannot be configured as a secure port.

Step 2. Enable port security on the interface using the switchport port-security command. The complete syntax includes a number of optional parameters.
Switch(config-if)# switchport port-security [mac-address mac-address [vlan {vlan-id | {access | voice}}]] | [mac-address sticky [mac-address | vlan {vlan-id | {access | voice}}]] [maximum value [vlan {vlan-list | {access | voice}}]]

Step 3. (Optional) Set the maximum number of secure MAC addresses for the interface.
Switch(config-if)# switchport port-security maximum value
The range is 1 to 132 (the upper limit varies by switch platform). The default is 1.
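As an added example (not part of the original page and not IOS code), the following Python models the behaviour these steps configure: a secure-address table capped by maximum, static versus sticky versus dynamic addresses, and what happens to a frame whose source MAC would exceed the limit. It also models the three violation modes (protect, restrict and the default, shutdown), which the steps above do not cover. The class and method names and the MAC addresses are this example's own; the 132 upper limit is the one quoted above and varies by platform.

```python
import re

def normalize_mac(mac):
    """Accept 00:11:22:33:44:55 or 0011.2233.4455 and return the IOS dotted form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

class SecurePort:
    """Model of 'switchport port-security' on one access port.

    Secure addresses come from static configuration, from sticky learning
    (written to the running config) or from dynamic learning (lost on reload).
    A frame from an address that would exceed 'maximum' is a violation,
    handled according to the configured violation mode."""

    MAX_LIMIT = 132   # upper bound quoted in the text above; platform dependent

    def __init__(self, maximum=1, sticky=False, violation="shutdown"):
        if not 1 <= maximum <= self.MAX_LIMIT:
            raise ValueError("maximum out of range")
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("unknown violation mode")
        self.maximum, self.sticky, self.violation = maximum, sticky, violation
        self.secure = {}          # mac -> "static" | "sticky" | "dynamic"
        self.violations = 0
        self.err_disabled = False

    def add_static(self, mac):
        """switchport port-security mac-address <mac>"""
        mac = normalize_mac(mac)
        if mac not in self.secure and len(self.secure) >= self.maximum:
            raise ValueError("secure address table is full")
        self.secure[mac] = "static"

    def frame(self, src_mac):
        """Process one ingress frame; returns 'forward', 'drop' or 'err-disabled'."""
        if self.err_disabled:
            return "drop"                    # a shut-down port passes nothing
        mac = normalize_mac(src_mac)
        if mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure[mac] = "sticky" if self.sticky else "dynamic"
            return "forward"                 # learned as a new secure address
        # violation: unknown source address and the table is already full
        if self.violation == "protect":
            return "drop"                    # silently dropped, no counter, no syslog
        self.violations += 1                 # restrict and shutdown both count the event
        if self.violation == "restrict":
            return "drop"
        self.err_disabled = True             # shutdown: the port goes err-disabled
        return "err-disabled"

    def running_config(self):
        """The interface lines port security would write into the running config."""
        lines = ["switchport port-security"]
        if self.maximum != 1:
            lines.append(f"switchport port-security maximum {self.maximum}")
        if self.violation != "shutdown":
            lines.append(f"switchport port-security violation {self.violation}")
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
        for mac, kind in self.secure.items():
            if kind == "static":
                lines.append(f"switchport port-security mac-address {mac}")
            elif kind == "sticky":
                lines.append(f"switchport port-security mac-address sticky {mac}")
        return lines

    def reload(self):
        """Dynamic addresses are lost on reload; static and sticky ones survive."""
        self.secure = {m: k for m, k in self.secure.items() if k != "dynamic"}
```

With the defaults (maximum 1, violation shutdown) the first MAC seen is learned and a second one err-disables the port, which is why a hub or an unmanaged switch behind a secure port takes the port down. The running_config output shows the practical difference between dynamic and sticky learning: only sticky addresses appear in the configuration and survive a reload.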
