Professional Documents
Culture Documents
ISCW-Mod5_L1
ISCW-Mod5_L1
ISCW-Mod5_L1
This module will help you to understand how hackers operate and what attack strategies they can employ. Once you know the nature of the threat, you will be better able to implement the full set of security features contained in Cisco IOS software to provide security for your network.
ISCW-Mod5_L1 2007 Cisco Systems, Inc. All rights reserved.
Also discussed are the most ubiquitous authentication, authorisation, and accounting (AAA) protocols - RADIUS and TACACS+, and explanations of the differences between them.
ISCW-Mod5_L1
Objectives
At the completion of this first lesson, you will be able to:
Describe the steps taken by a potential network hacker to gain unauthorised access Explain the detailed information that a hacker is looking to learn, and how this may be used to compromise network security Describe the basic steps that need to be taken to mitigate network attacks
ISCW-Mod5_L1
ISCW-Mod5_L1
Hacking a Network
The goal of any hacker is to compromise the intended target or application Hackers begin with little or no information about the intended target, but by the end of their analysis, they will have accessed the network and will have begun to compromise their target Their approach is always careful and methodical never rushed and never reckless The seven-step process outlined in the previous slide is a good representation of the method that hackers use and a starting point for an analysis of how to defeat it
ISCW-Mod5_L1
ISCW-Mod5_L1
ISCW-Mod5_L1
10
ISCW-Mod5_L1
11
Software Tools
Hackers can use some of the tools listed here. All of these tools are readily available to download, and security staff should know how these tools work. Netcat: Netcat is a featured networking utility that reads and writes data across network connections using the TCP/IP protocol. Microsoft EPDump and Remote Procedure Call (RPC) Dump: These tools provide information about Microsoft RPC services on a server:
The Microsoft EPDump application shows what is running and waiting on dynamically assigned ports. The RPC Dump (rpcdump.exe) application is a command-line tool that queries RPC endpoints for status and other information on RPC..
GetMAC: This application provides a quick way to find the MAC (Ethernet) layer address and binding order for a computer running Microsoft Windows 2000 locally or across a network.. Software development kits (SDKs): SDKs provide hackers with the basic tools that they need to learn more about systems.
ISCW-Mod5_L1 2007 Cisco Systems, Inc. All rights reserved.
12
There is a great deal of anecdotal evidence that this is one of the most successful techniques
ISCW-Mod5_L1
13
Password Cracking
Hackers use many tools and techniques to crack passwords:
Word lists Brute force Hybrids The yellow Post-It stuck on the side of the monitor, or in top of desk drawer..
Password cracking attacks any application or service that accepts user authentication, including those listed here:
NetBIOS over TCP (TCP 139) Direct host (TCP 445) FTP (TCP 21) Telnet (TCP 23) SNMP (UDP 161) PPTP (TCP 1723) Terminal services (TCP 3389)
ISCW-Mod5_L1
14
Escalate Privileges
After securing a password for a user account and user-level privileges to a host, hackers attempt to escalate their privileges. The hacker will review all the information he or she can see on the host:
Files containing user names and passwords Registry keys containing application or user passwords Any available documentation (for example, e-mail)
If the host cannot be seen by the hacker, the hacker may launch a Trojan application such as W32/QAZ to provide it.
ISCW-Mod5_L1
15
Hackers can use legitimate tools including pwdump and lsadump applications. Hackers gain administrative access to all computers by cross-referencing user names and password combinations
ISCW-Mod5_L1
16
Port redirectors:
Port redirectors can help bypass port filters, routers, and firewalls and may even be encrypted over an SSL tunnel to evade intrusion detection devices.
ISCW-Mod5_L1
17
ISCW-Mod5_L1
18
ISCW-Mod5_L1
19
ISCW-Mod5_L1
20
Module Introduction
The open nature of the Internet makes it increasingly important for businesses to pay attention to the security of their networks. As organisations move more of their business functions to the public network, they need to take precautions to ensure that attackers do not compromise their data, or that the data does not end up being accessed by the wrong people. Unauthorised network access by an outside hacker or disgruntled employee can wreak havoc with proprietary data, negatively affect company productivity, and stunt the ability to compete. Unauthorised network access can also harm relationships with customers and business partners who may question the ability of companies to protect their confidential information, as well as lead to potentially damaging and expensive legal actions.
ISCW-Mod5_L1
21
Objectives
At the completion of this second lesson, you will be able to:
Describe some of the more common network attacks, and explain what effect they have on the network Explain how to mitigate the effects of these common attacks
ISCW-Mod5_L1
22
Reconnaissance
Reconnaissance is the unauthorised discovery and mapping of systems, services, or vulnerabilities. Reconnaissance is also known as information gathering, and in most cases, precedes an access or Denial of Service (DoS) attack. The malicious intruder typically conducts a ping sweep of the target network to determine which IP addresses are alive and then determines which services or ports are active on the live IP addresses. The intruder then queries the ports to determine the type and version of the application and operating system that is running on the target host. Reconnaissance attacks can consist of the following:
Packet sniffers Port scans Ping sweeps Internet information queries
ISCW-Mod5_L1 2007 Cisco Systems, Inc. All rights reserved.
23
24
ISCW-Mod5_L1
25
Packet Sniffing
A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all network packets that are sent across a LAN
Packet sniffers can only work in the same collision domain as the network being attacked
Promiscuous mode is a mode in which the network adapter card sends all packets that are received on the physical network wire to an application for processing Some network applications distribute network packets in plaintext. Because the network packets are not encrypted, the packets can be processed and understood by any application that can pick them off the network and process them Because the specifications for network protocols, such as TCP/IP, are widely published, a third party can easily interpret the network packets and develop a packet sniffer. Numerous freeware and shareware packet sniffers are available that do not require the user to understand anything about the underlying protocols
ISCW-Mod5_L1
26
Packet Sniffers
A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all network packets. Packet sniffers: Exploit information passed in plaintext. Protocols that pass information in plaintext are Telnet, FTP, SNMP, POP, and HTTP. Must be on the same collision domain. Can be used legitimately or can be designed specifically for attack.
ISCW-Mod5_L1 2007 Cisco Systems, Inc. All rights reserved.
27
28
29
ISCW-Mod5_L1
30
Ping sweeps can be stopped if ICMP echo and echo-reply are turned off on edge routers
When these services are turned off, network diagnostic data is lost
Network-based IPS and host-based IPS (HIPS) can usually notify when a reconnaissance attack is under way ISPs compare incoming traffic to the intrusion detection system (IDS) or the IPS signatures in the IPS database.
Signatures are characteristics of particular traffic patterns. A signature, such as several packets to different destination ports from the same source address within a short period of time, can be used to detect port scans
A stealth scan is more difficult to detect, and many intrusion detection and prevention systems will not notice this scan taking place. Discovering stealth scans requires kernel-level work
31
ISCW-Mod5_L1
ISCW-Mod5_L1
32
IP address queries can reveal information such as who owns a particular IP address or range of addresses and which domain is associated with the addresses
ISCW-Mod5_L1
33
34
ISCW-Mod5_L1
35
Password Attacks
Hackers implement password attacks using the following:
Brute-force attacks Trojan horse programs IP spoofing Packet sniffers
ISCW-Mod5_L1
36
Password Attacks
Password attacks can be implemented using several methods, including brute-force attacks, Trojan horse programs, IP spoofing, and packet sniffers. One security risk is the fact that passwords can be stored as plaintext. To overcome this risk, passwords should be encrypted. On most systems, passwords are run through an encryption algorithm to generate a one-way hash. In granting authorisation, the hashes are calculated and compared rather than using the plain password. To use this encryption method, you supply an account and password during the login process, and the algorithm generates a one-way hash. This hash is compared to the hash stored on the system. If they are the same, the system assumes that the proper password was supplied.
37
ISCW-Mod5_L1
ISCW-Mod5_L1
38
ISCW-Mod5_L1
39
Trust Exploitation
Trust exploitation refers to an individual taking advantage of a trust relationship within a network. An example of when trust exploitation takes place is when a perimeter network is connected to a corporate network.
These network segments often contain DNS, SMTP, and HTTP servers. Because these servers all reside on the same segment, a compromise of one system can lead to the compromise of other systems if those other systems also trust systems that are attached to the same network.
Another example of trust exploitation is a Demilitarised Zone (DMZ) host that has a trust relationship with an inside host that is connected to the inside firewall interface. The inside host trusts the DMZ host. When the DMZ host is compromised, the attacker can leverage that trust relationship to attack the inside host.
ISCW-Mod5_L1
40
Trust Exploitation
A hacker leverages existing trust relationships. Several trust models exist: Windows: Domains Active directory Linux and UNIX: NIS NIS+
ISCW-Mod5_L1
41
Trust Exploitation
Trust exploitation-based attacks can be mitigated through tight constraints on trust levels within a network
Systems that are inside a firewall should never absolutely trust systems that are outside a firewall. Absolute trust should be limited to specific protocols and, where possible, should be validated by something other than an IP address
In the DMZ example, the hacker connected to the Internet has already exploited some vulnerability of the DMZ host connected to the DMZ interface of the firewall The hackers next goal is to compromise the inside host that is connected to the inside (trusted) interface of the firewall
To attack the inside host from the DMZ host, the hacker needs to find the protocols that are permitted from the DMZ to the inside interface. Once the protocols are known, the attacker searches for vulnerabilities on the inside host. This attack can be stopped if the firewall allows only minimum or no connectivity from the DMZ to the inside interface
ISCW-Mod5_L1
42
ISCW-Mod5_L1
43
Port Redirection
A port redirection attack is a type of trust exploitation attack that uses a compromised host to pass traffic through a firewall that would otherwise have been dropped. Port redirection bypasses the firewall rule sets by changing the normal source port for a type of network traffic. You can mitigate port redirection by using proper trust models that are network-specific. Assuming a system is under attack, an IPS can help detect a hacker and prevent installation of such utilities on a host.
ISCW-Mod5_L1
44
Port Redirection
ISCW-Mod5_L1
45
Man-in-the-Middle Attacks
Man-in-the-middle attacks have these purposes:
Theft of information Hijacking of an ongoing session to gain access to your internal network resources Traffic analysis to obtain information about your network and network users DoS Corruption of transmitted data Introduction of new information into network sessions
An example of a man-in-the-middle attack is when someone working for your ISP gains access to all network packets that transfer between your network and any other network Man-in-the-middle attacks can be mitigated by encrypting traffic in a VPN tunnel. Encryption allows the hacker to see only cipher text
ISCW-Mod5_L1 2007 Cisco Systems, Inc. All rights reserved.
46
A man-in-the-middle attack requires that the hacker has access to network packets that come across a network A man-in-the-middle attack is implemented using the following: Network packet sniffers Routing and transport protocols Man-in-the-middle attacks can be effectively mitigated only through the use of cryptographic encryption
ISCW-Mod5_L1 2007 Cisco Systems, Inc. All rights reserved.
47
The hacker community regards DoS attacks as trivial and considers them unsophisticated because the attack requires so little effort to execute
ISCW-Mod5_L1 2007 Cisco Systems, Inc. All rights reserved.
48
ISCW-Mod5_L1
49
ISCW-Mod5_L1
50
ISCW-Mod5_L1
51
ISCW-Mod5_L1
52
53
Additional authentication requirement that does not use IP address-based authentication; examples are:
Cryptographic (recommended) Strong, two-factor, one-time passwords
ISCW-Mod5_L1
54
ISCW-Mod5_L1
55
Module Introduction
The open nature of the Internet makes it increasingly important for businesses to pay attention to the security of their networks. As organisations move more of their business functions to the public network, they need to take precautions to ensure that attackers do not compromise their data, or that the data does not end up being accessed by the wrong people. Unauthorised network access by an outside hacker or disgruntled employee can wreak havoc with proprietary data, negatively affect company productivity, and stunt the ability to compete. Unauthorised network access can also harm relationships with customers and business partners who may question the ability of companies to protect their confidential information, as well as lead to potentially damaging and expensive legal actions.
ISCW-Mod5_L1
56
Objectives
At the completion of this third lesson, you will be able to:
Describe the difference between virus, trojan and worm threats Show how these threats are propagated Explain techniques for dealing with these threats Describe system software that can aid in defending and mitigating against host machine attacks
ISCW-Mod5_L1
57
ISCW-Mod5_L1
58
Viruses
A computer virus is a malicious computer program (executable file) that can copy itself and infect a computer without permission or knowledge of the user. The original may modify the copies or the copies may modify themselves, as occurs in a metamorphic virus A virus can only spread from one computer to another when its host is taken to an uninfected computer, for instance by a user sending it over a network as a file or as an email payload or carrying it on a removable medium such as a floppy disk, USB disk (memory stick), or CD / DVD Some viruses are programmed to damage the computer by damaging programs, deleting files, or reformatting the hard disk. Others are not designed to do any damage, but simply replicate themselves and perhaps make their presence known by presenting text, video, or audio messages
Source: Wikepedia Computer virus
ISCW-Mod5_L1
59
Trojan Horse
A Trojan horse is a program that - unlike a virus - contains or installs a malicious program the payload or 'trojan Trojan horses may appear to be useful or interesting programs, or at the very least harmless to an unsuspecting user, but are actually harmful when executed There are two common types of Trojan horses
One is otherwise useful software that has been corrupted by a hacker inserting malicious code that executes while the program is used The other type is a standalone program that masquerades as something else, like a game or image file, in order to trick the user into some misdirected complicity that is needed to carry out the program's objectives
ISCW-Mod5_L1 2007 Cisco Systems, Inc. All rights reserved.
60
Worms
A computer worm is a self-replicating executable computer program. It uses a network to send copies of itself to other hosts (end-user machines on the network) and it may do so without any user intervention. Unlike a virus, it does not need to attach itself to an existing program. Worms always harm the network (if only by consuming bandwidth), whereas viruses always infect or corrupt files on a targeted computer.
ISCW-Mod5_L1
61
ISCW-Mod5_L1
62
ISCW-Mod5_L1
63
64
ISCW-Mod5_L1
65
ISCW-Mod5_L1
66
Netcat
Netcat is a tool that reads or writes data on any TCP/UDP connections, relays TCP connections, and can act as a TCP/UDP server.
#nc -h connect to somewhere: nc [-options] hostname port[s] [ports] ... listen for inbound: nc -l -p port [-options] [hostname] [port] options: -g gateway source-routing hop point[s], up to 8 -G num source-routing pointer: 4, 8, 12, ... -i secs delay interval for lines sent, ports scanned -l listen mode, for inbound connects -n numeric-only IP addresses, no DNS -o file hex dump of traffic -p port local port number -r randomize local and remote ports -s addr local source address -u UDP mode -v verbose [use twice to be more verbose] port numbers can be individual or ranges: lo-hi [inclusive]
67
ISCW-Mod5_L1
Netcat Example
ISCW-Mod5_L1
68
ISCW-Mod5_L1
69
ISCW-Mod5_L1
70
Management Protocols
These management protocols can be compromised:
SNMP: The community string information for simple authentication is sent in plaintext. syslog: Data is sent as plaintext between the managed device and the management host. TFTP: Data is sent as plaintext between the requesting host and the TFTP server. NTP: Many NTP servers on the Internet do not require any authentication of peers.
ISCW-Mod5_L1
71
ISCW-Mod5_L1
72
ISCW-Mod5_L1
73
ISCW-Mod5_L1
74
ISCW-Mod5_L1
75
Wireshark (Ethereal)
Wireshark is the world's foremost network protocol analyser, and is the standard in many industries. It is the continuation of a project that started in 1998. Hundreds of developers around the world have contributed to it, and it is still under active development. Wireshark
http://www.wireshark.org/about.html
ISCW-Mod5_L1
76
ISCW-Mod5_L1
77
Nmap
Nmap ("Network Mapper") is a free open source utility for network exploration or security auditing. It is designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers and both console and graphical versions are available. Nmap is free and open source
ISCW-Mod5_L1
78
ISCW-Mod5_L1
79
Module Introduction
The open nature of the Internet makes it increasingly important for businesses to pay attention to the security of their networks. As organisations move more of their business functions to the public network, they need to take precautions to ensure that attackers do not compromise their data, or that the data does not end up being accessed by the wrong people. Unauthorised network access by an outside hacker or disgruntled employee can wreak havoc with proprietary data, negatively affect company productivity, and stunt the ability to compete. Unauthorised network access can also harm relationships with customers and business partners who may question the ability of companies to protect their confidential information, as well as lead to potentially damaging and expensive legal actions.
ISCW-Mod5_L1
80
ISCW-Mod5_L1
81
Cisco IOS routers can be used as: Edge devices Firewalls Internal routers Routers have default services that create potential vulnerabilities (for example, BOOTP, CDP, FTP, TFTP, NTP, Finger, SNMP, TCP/UDP minor services, IP source routing, and proxy ARP Vulnerabilities can be exploited regardless of where the routers are placed.
ISCW-Mod5_L1 2007 Cisco Systems, Inc. All rights reserved.
82
ISCW-Mod5_L1
83
Best Practice
Disable Disable if not required Disable if not required Disable if not required. Otherwise encrypt traffic within an IPsec tunnel. Disable if not required. Otherwise encrypt traffic within an IPsec tunnel. Disable if not required. Otherwise configure NTPv3 and control access between permitted devices using ACLs. Disable if not required
TFTP server
Disabled
Network Time Protocol (NTP) service Packet assembler and disassembler (PAD) service TCP and UDP minor services Maintenance Operation Protocol (MOP) service
ISCW-Mod5_L1 2007 Cisco Systems, Inc. All rights reserved.
Disabled
Best Practice
Disable the service. Otherwise configure SNMPv3. Disable if not required.
Device dependent
Disable if not required. Otherwise explicitly configure the DNS server address.
ISCW-Mod5_L1
85
Best Practice
Disable the service
Enabled
ISCW-Mod5_L1
86
Best Practice
Disable if not required. Disable explicitly on untrusted interfaces. Disable explicitly on untrusted interfaces.
Enabled
Disabled
ISCW-Mod5_L1
87
Best Practice
Disable
Disabled
Enable
ISCW-Mod5_L1
88
ARP Service
ARP Service Gratuitous ARP Proxy ARP Enabled by Default
Enabled
Best Practice
Disable if not required.
Enabled
ISCW-Mod5_L1
89
ISCW-Mod5_L1
90
ISCW-Mod5_L1
91
AutoSecure Functions
AutoSecure can selectively lock down:
Management plane services and functions: Finger, PAD, UDP and TCP small servers, password encryption, TCP keepalives, CDP, BOOTP, HTTP, source routing, gratuitous ARP, proxy ARP, ICMP (redirects, mask-replies), directed broadcast, MOP, banner Also provides password security and SSH access Forwarding plane services and functions: CEF, traffic filtering with ACLs Firewall services and functions: Cisco IOS Firewall inspection for common protocols Login functions: Password security NTP protocol SSH access TCP Intercept services
ISCW-Mod5_L1
92
ISCW-Mod5_L1
93
auto secure [management | forwarding] [no-interact | full] [ntp | login | ssh | firewall | tcp-intercept]
Cisco AutoSecure Interactive Steps: Step 1 Identify outside interfaces. Step 2 Secure the management plane. Step 3 Step 4 Step 5 Step 6 Create security banner. Configure passwords, AAA, and SSH. Secure the interface settings. Secure the forwarding plane.
ISCW-Mod5_L1
94
ISCW-Mod5_L1
95
ISCW-Mod5_L1
96
ISCW-Mod5_L1
97
ISCW-Mod5_L1
98
ISCW-Mod5_L1
99
Configuring interface specific AutoSecure services Disabling the following ip services on all interfaces: no ip redirects no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-reply Disabling mop on Ethernet interfaces
ISCW-Mod5_L1
100
ISCW-Mod5_L1
101
Create banner.
banner #This system is the property of Cisco Systems, Inc. Set minimum UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.#
password length.
security passwords min-length 6 security authentication failure rate 10 log
ISCW-Mod5_L1
102
Configure local authentication on console, auxiliary and VTY lines for telnet.
ISCW-Mod5_L1
103
timestamps debug datetime msec localtime show-timezone timestamps log datetime msec localtime show-timezone facility local2 trap debugging sequence-numbers Configure logging console critical parameters. buffered
ISCW-Mod5_L1
104
105
audit-trail dns-timeout 7 tcp idle-time 14400 udp idle-time 1800 name autosec_inspect name autosec_inspect name autosec_inspect name autosec_inspect name autosec_inspect name autosec_inspect name autosec_inspect name autosec_inspect name autosec_inspect
cuseeme timeout 3600 ftp timeout 3600 http timeout 3600 rcmd timeout 3600 realaudio timeout 3600 smtp timeout 3600 tftp timeout 30 udp timeout 15 tcp timeout 3600
106
ip access-list extended autosec_firewall_acl permit udp any any eq bootpc deny ip any any Apply CBAC inspect list to outside interface Serial0/0 ip inspect autosec_inspect interface. out ip access-group autosec_firewall_acl in
ISCW-Mod5_L1
107
ISCW-Mod5_L1
108
ISCW-Mod5_L1
109
ISCW-Mod5_L1
110
2. 3.
ISCW-Mod5_L1
111
ISCW-Mod5_L1
112
ISCW-Mod5_L1
113
ISCW-Mod5_L1
114
ISCW-Mod5_L1
115
ISCW-Mod5_L1
116
2.
3.
ISCW-Mod5_L1
117
ISCW-Mod5_L1
118
ISCW-Mod5_L1
119
Module Introduction
The open nature of the Internet makes it increasingly important for businesses to pay attention to the security of their networks. As organisations move more of their business functions to the public network, they need to take precautions to ensure that attackers do not compromise their data, or that the data does not end up being accessed by the wrong people. Unauthorised network access by an outside hacker or disgruntled employee can wreak havoc with proprietary data, negatively affect company productivity, and stunt the ability to compete. Unauthorised network access can also harm relationships with customers and business partners who may question the ability of companies to protect their confidential information, as well as lead to potentially damaging and expensive legal actions.
ISCW-Mod5_L1
120
Objectives
At the completion of this fifth lesson, you will be able to:
Correctly and securely set passwords on a Cisco router Protect line access from insecure users Protect a router against a password reset Correctly set timeouts on router access Describe and demonstrate how to correctly set banner messages
ISCW-Mod5_L1
121
When creating passwords for routers etc, always keep these rules in mind: Make passwords lengthy.
The best practice is to have a minimum of ten characters. You can enforce the minimum length using a feature that is available in IOS routers
ISCW-Mod5_L1
122
Password-leading spaces are ignored, but all spaces after the first character are NOT ignored Change passwords as often as possible
There should be a policy defining when and how often the passwords must be changed. Changing passwords frequently provides two advantages. This practice limits the window of opportunity in which a hacker can crack a password and limits the window of exposure after a password has been compromised
ISCW-Mod5_L1
123
Use a sentence, quote from a book, or song lyric that you can easily remember as the basis of the strong password or pass phrase. For example:
My favorite spy is James Bond 007. would translate into MfsiJB007. It was the best of time, it was the worst of times. would translate into Iwtbotiwtwot. Fly me to the moon. And let me play among the stars. would translate into FmttmAlmpats. Tis better to be brief than tedious (Richard III, I:4) TbtbbttR3I4
ISCW-Mod5_L1
124
Consoles are only one of the ways to obtain administrative access to configure and manage routers Other ways to gain administrative access include:
Telnet SSH SNMP Cisco SDM access using HTTP or HTTPS
ISCW-Mod5_L1
125
The hard BREAK sequence may be disabled using the no service password-recovery command
If a router is configured with the no service password-recovery command, all access to the ROM Monitor (ROMMON) is disabled.
By default, the console port does not require a password for console administrative access. However, a console port line-level password should always be configured There are two ways to configure a console line password:
Enter the password during the initial configuration dialog, or Use the password command in the console line configuration mode.
ISCW-Mod5_L1 2007 Cisco Systems, Inc. All rights reserved.
126
127
The following are more things to consider when securing Telnet connections to a Cisco router: If an enable mode password is NOT set for the router, privilegedEXEC mode can NOT be accessed using Telnet. Use either the enable password or enable secret password command to set the enable password
ISCW-Mod5_L1
128
This example shows ACL 30 restricting Telnet access only from host 10.0.1.1 and implicitly denying access from all other hosts for vty 0 to 4:
Perth(config)#access-list 30 permit 10.0.1.1 0.0.0.0 Perth(config)#line vty 0 4 Perth(config-line)#access-class 30 in
Passwords must be configured for all of the vty lines on the router Remember that more vty lines can be added to the router
The default vty lines 0 to 4 and any additional lines MUST be protected
ISCW-Mod5_L1 2007 Cisco Systems, Inc. All rights reserved.
129
ISCW-Mod5_L1
130
ISCW-Mod5_L1
131
ISCW-Mod5_L1
132
service password-encryption
ISCW-Mod5_L1
133
router(config)#
Uses MD5 hashing for strong password protection Better than the type 7 encryption found in service passwordencryption command
Perth(config)#username rtradmin secret 0 Curium96 Perth(config)#username rtradmin secret 5 $1$feb0$a104Qd9UZ./Ak007
ISCW-Mod5_L1
134
Description The username (Optional) Indicates that the following clear text password will be hashed using MD5 The plaintext password to be hashed using MD5 Indicates that the following encrypted secret password was hashed using MD5 The MD5 encrypted secret password that is stored as the encrypted user password
ISCW-Mod5_L1
135
ISCW-Mod5_L1
136
ISCW-Mod5_L1
137
Configures the number of allowable unsuccessful login attempts By default, router allows 10 login failures before initiating a 15-second delay Generates a syslog message when login failure rate is exceeded
Perth(config)#security authentication failure rate 10 log
Description This is the number of allowable unsuccessful login attempts. The default is 10 (the range is 2 to 1024). The log keyword is required. This keyword results in a generated syslog event.
138
ISCW-Mod5_L1
Blocks access for a quiet period after a configurable number of failed login attempts within a specified period Must be entered before any other login command Mitigates DoS and break-in attacks
ISCW-Mod5_L1
139
ISCW-Mod5_L1
140
Specifies an ACL that is applied to the router when it switches to the quiet mode If not configured, all login requests will be denied during the quiet mode Excludes IP addresses from failure counting for login block-for command
Perth(config)#login quiet-mode access-class myacl
ISCW-Mod5_L1
141
Configures a delay between successive login attempts Helps mitigate dictionary attacks If not set, a default delay of one second is enforced after the login block-for command is configured
Perth(config)#login delay 30
ISCW-Mod5_L1
142
Verifying Login
router#
ISCW-Mod5_L1
143
ISCW-Mod5_L1
144
Setting Timeouts
By default, an administrative interface stays active (and logged on) for ten minutes after the last session activity. After that time, the interface times out and logs out of the session. Fine-tune these timers to limit the amount of time from two or three minutes maximum. Setting the exec-timeout value to 0 means that there will be no timeout and the session will stay active for an unlimited time. Do not set the value to 0! These timers can be adjusted by using the exectimeout command in line configuration mode for each of the line types used.
ISCW-Mod5_L1 2007 Cisco Systems, Inc. All rights reserved.
145
ISCW-Mod5_L1
146
privilege Parameters
Parameter Mode Level Level Description This command specifies the configuration mode. This command enables setting a privilege level with a specified command. This is the privilege level that is associated with a command. You can specify up to 16 privilege levels, using numbers 0 to 15. This sets the command that the privilege level is associated with. This command resets the privilege level of a command. This is the command that you want to reset the privilege level for.
ISCW-Mod5_L1
147
Description
Virtual private dialup network (VPDN) group accept dialin configuration mode VPDN group accept dialout configuration mode Address family configuration mode ATM bundle member configuration mode ATM bundle configuration mode ATM virtual circuit configuration mode ATMSIG E164 table Channel associated signaling (CAS) custom configuration mode Global configuration mode Controller configuration mode Crypto map configuration mode DHCP pool configuration mode Digital signal processor (DSP) farm configuration mode EXEC mode
148
ISCW-Mod5_L1
Description
Flow aggregation cache configuration mode Interface configuration mode Frame Relay data-link connection identifier (DLCI) configuration mode Configure IP VPN routing and forwarding (VRF) parameters Line configuration mode Map class configuration mode Map list configuration mode Null interface configuration mode AAA preauth definitions VPDN group request dialin configuration mode VPDN group request dialout configuration mode Route map configuration mode Router configuration mode VPDN group configuration mode Dial peer configuration mode
ISCW-Mod5_L1
149
ISCW-Mod5_L1
150
Perth(config)#banner motd % WARNING: You are connected to $(hostname) on the Cisco Systems, Incorporated network. Unauthorized access and use of this network will be vigorously prosecuted. %
ISCW-Mod5_L1
151
ISCW-Mod5_L1
152
Module Introduction
The open nature of the Internet makes it increasingly important for businesses to pay attention to the security of their networks. As organisations move more of their business functions to the public network, they need to take precautions to ensure that attackers do not compromise their data, or that the data does not end up being accessed by the wrong people. Unauthorised network access by an outside hacker or disgruntled employee can wreak havoc with proprietary data, negatively affect company productivity, and stunt the ability to compete. Unauthorised network access can also harm relationships with customers and business partners who may question the ability of companies to protect their confidential information, as well as lead to potentially damaging and expensive legal actions.
ISCW-Mod5_L1
153
Objectives
At the completion of this sixth lesson, you will be able to:
Describe and configure role based CLI on IOS routers Configure CLI views and Superviews Describe the use of secure configuration files
ISCW-Mod5_L1
154
ISCW-Mod5_L1
155
ISCW-Mod5_L1
156
ISCW-Mod5_L1
157
ISCW-Mod5_L1
158
Enter a privilege level or a CLI view. Use enable command with the view parameter to enter the root view. Root view requires privilege Level 15 authentication. The aaa-new model must be enabled.
Perth(config)#aaa new-model Perth(config)#exit Perth#enable view Password: Perth# %PARSER-6-VIEW_SWITCH: successfully set to view 'root'
ISCW-Mod5_L1
159
enable Parameters
Parameter privilege-level view Description (Optional) Sets the privilege level at which to log in. (Optional) Enters root view, which enables users to configure CLI views. This keyword is required if you want to configure a CLI view. (Optional) Enters or exits a specified CLI view. This keyword can be used to switch from one CLI view to another CLI view.
view-name
ISCW-Mod5_L1
160
parser view view-name Creates a view and enters view configuration mode
router(config-view)#
password 5 encrypted-password commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]
Sets a password to protect access to the view Adds commands or interfaces to a view
Perth(config)#parser view monitor_view Perth(config-view)#password 5 hErMeNe%GiLdE! Perth(config-view)#commands exec include show version
ISCW-Mod5_L1
161
commands Parameters
Parameter parser-mode include include-exclusive Description Specifies the mode that the specified command exists in Adds a command or an interface to the view and allows the same command or interface to be added to an additional view Adds a command or an interface to the view and excludes the same command or interface from being added to all other views Excludes a command or an interface from the view; that is, customers cannot access a command or an interface (Optional) Specifies a wildcard that allows every command in a specified configuration mode that begins with the same keyword or every subinterface for a specified interface to be part of the view (Optional) Specifies an interface that is added to the view (Optional) Specifies a command that is added to the view
exclude all
ISCW-Mod5_L1
162
Configuring Superviews
router(config)#
Sets a password to protect access to the superview Adds a CLI view to a superview
Perth(config)#parser view monitor_audit Perth(config-view)#password 5 AnA6TaSiA$ Perth(config-view)#view monitor_view Perth(config-view)#view audit_view
ISCW-Mod5_L1
163
Configuring Superviews
Superviews have these characteristics:
A CLI view can be shared among multiple superviews Commands cannot be configured for a superview; that is, you must add commands to the CLI view and add that CLI view to the superview Users who are logged in to a superview can access all of the commands that are configured for any of the CLI views that are part of the superview Each superview has a password that is used to switch between superviews or from a CLI view to a superview If a superview is deleted, all CLI views associated with that superview are not also deleted
ISCW-Mod5_L1
164
ISCW-Mod5_L1
165
Displays the current view name The option all: Displays all CLI views configured on the router Is by default available only to root users Can be added to other CLI views
router#
ISCW-Mod5_L1
166
ISCW-Mod5_L1
167
ISCW-Mod5_L1
168
ISCW-Mod5_L1
169
ISCW-Mod5_L1
170
Need to secure the primary bootset (configuration file and the running image) Also known as the Cisco IOS Resilient Configuration feature Speeds up the recovery process Files must be stored locally Feature can be disabled through a console session
ISCW-Mod5_L1
171
secure boot-image
secure boot-config
Displays the status of configuration resilience and the primary bootset filename
Perth(config)#secure boot-image Perth(config)#secure boot-config
ISCW-Mod5_L1
172
ISCW-Mod5_L1
173
Lists the contents of the device with secure bootset Boots up the router using the secure bootset image
router(config)#
ISCW-Mod5_L1
174
ISCW-Mod5_L1
175
Module Introduction
The open nature of the Internet makes it increasingly important for businesses to pay attention to the security of their networks. As organisations move more of their business functions to the public network, they need to take precautions to ensure that attackers do not compromise their data, or that the data does not end up being accessed by the wrong people. Unauthorised network access by an outside hacker or disgruntled employee can wreak havoc with proprietary data, negatively affect company productivity, and stunt the ability to compete. Unauthorised network access can also harm relationships with customers and business partners who may question the ability of companies to protect their confidential information, as well as lead to potentially damaging and expensive legal actions.
ISCW-Mod5_L1
176
Objectives
At the completion of this seventh lesson, you will be able to:
Describe various network attack techniques that use distributed clients Design and write access lists that mitigate well known network attacks Apply these ACLs to routers within the network
ISCW-Mod5_L1
177
ISCW-Mod5_L1
178
Standard IP ACLs: A standard ACL only allows permission or denial of traffic from specific IP addresses. The destination of the packet and the ports that are involved do not matter. Extended IP ACLs: An IP extended ACL is a list of statements that can filter IP packets based on several attributes (protocol type, source and IP address, destination IP address, source TCP or User Datagram Protocol [UDP] ports, destination TCP or UDP ports, or optional protocol type information for finer granularity of control).
ISCW-Mod5_L1
179
Identifying ACLs
Either a number or a name can identify Cisco ACLs and the protocols that they filter Using numbered ACLs is effective on smaller networks that do not have as wide a range of traffic types as do larger networks.
There can be up to 99 standard IP ACLs in the numbered range from 1 to 99 The extended IP ACL number range is assigned from 100 to 199 and from 2000 to 2699
ACLs can also be identified with an alphanumeric string (a name) rather than a number. Named ACLs allow configuration of more ACLs in a router than if using numbered ACLs alone
If the ACL is identified with a name rather than a number, the mode and command syntax for the ACL are slightly different. Currently, only packet and route filters can use a named ACL
ISCW-Mod5_L1
180
181
Test:
If possible, test the ACLs in a secure environment before placing them into production. Testing is a common-sense approach to any router configuration changes. While testing may appear to be an unnecessary cost, testing can save a great amount of time, money and heartache!
ISCW-Mod5_L1
182
ISCW-Mod5_L1
183
Inbound (in): Data flows toward router interface Outbound (out): Data flows away from router interface
ISCW-Mod5_L1
184
ISCW-Mod5_L1
Use ACLs to filter ingress and egress from routers and firewall appliances. Use ACLs to disable and limit services, ports, and protocols.
ISCW-Mod5_L1
186
ISCW-Mod5_L1
187
R2(config)#access-list 150 deny ip 10.2.1.0 0.0.0.255 any log R2(config)#access-list 150 deny ip 127.0.0.0 0.255.255.255 any log R2(config)#access-list 150 deny ip 0.0.0.0 0.255.255.255 any log R2(config)#access-list 150 deny ip 172.16.0.0 0.15.255.255 any log R2(config)#access-list 150 deny ip 192.168.0.0 0.0.255.255 any log R2(config)#access-list 150 deny ip 224.0.0.0 15.255.255.255 any log R2(config)#access-list 150 deny ip host 255.255.255.255 any log R2(config)#access-list 150 permit ip any 10.2.1.0 0.0.0.255 R2(config)#interface e0/0 R2(config-if)#ip access-group 150 in R2(config-if)#exit
ISCW-Mod5_L1
188
R2(config)#access-list 105 permit ip 10.2.1.0 0.0.0.255 any R2(config)#access-list 105 deny ip any any log R2(config)#interface e0/1 R2(config-if)#ip access-group 105 in R2(config-if)#end
ISCW-Mod5_L1
189
R2(config)#access-list 109 permit tcp any 10.2.1.0 0.0.0.255 established R2(config)#access-list 109 deny ip any any log R2(config)#interface e0/0 R2(config-if)#ip access-group 109 in R2(config-if)#end
ISCW-Mod5_L1
190
R2(config)#ip tcp intercept list 110 R2(config)#access-list 110 permit tcp any 10.2.1.0 0.0.0.255 R2(config)#access-list 110 deny ip any any R2(config)#interface e0/0 R2(config-if)#ip access-group 110 in R2(config-if)#end
ISCW-Mod5_L1
191
R2(config)#access-list 111 deny ip any host 10.2.1.255 log R2(config)#access-list 111 permit ip any 10.2.1.0 0.0.0.255 log R2(config)#access-list 112 deny ip any host 10.1.1.255 log R2(config)#access-list 112 permit ip any 10.1.1.0 0.0.0.255 log R2(config)#interface e0/0 R2(config-if)#ip access-group 111 in R2(config-if)#end R2(config)#interface e0/1 R2(config-if)#ip access-group 112 in R2(config-if)#end
ISCW-Mod5_L1
192
R2(config)#access-list 112 deny icmp any any echo log R2(config)#access-list 112 deny icmp any any redirect log R2(config)#access-list 112 deny icmp any any mask-request log R2(config)#access-list 112 permit icmp any 10.2.1.0 0.0.0.255 R2(config)#interface e0/0 R2(config-if)#ip access-group 112 in R2(config-if)#end
ISCW-Mod5_L1
193
R2(config)#access-list 114 permit icmp 10.2.1.0 0.0.0.255 R2(config)#access-list 114 permit icmp 10.2.1.0 0.0.0.255 problem R2(config)#access-list 114 permit icmp 10.2.1.0 0.0.0.255 too-big R2(config)#access-list 114 permit icmp 10.2.1.0 0.0.0.255 quench R2(config)#access-list 114 deny icmp any any log R2(config)#interface e0/1 R2(config-if)#ip access-group 114 in R2(config-if)#end
ISCW-Mod5_L1
194
R2(config)#access-list 120 deny udp any any range 33400 34400 log R2(config)#access-list 120 permit ip any 10.1.1.0 0.0.0.255 log R2(config)#interface e0/1 R2(config-if)#ip access-group 120 in R2(config-if)#end
ISCW-Mod5_L1
195
Generally, routers cannot prevent all DDoS attacks, but they can help reduce the number of occurrences of attacks by building ACLs that filter known attack ports. Methods used to block DDoS by blocking selected ports aim at stopping TRIN00, Stacheldraht, Trinity v3, and SubSeven ACL rules are generally applied to inbound and outbound traffic between the protected network and the Internet
ISCW-Mod5_L1 2007 Cisco Systems, Inc. All rights reserved.
196
DDoS attacks exploit specific ports. ACLs can control access on a port-by-port basis.
ISCW-Mod5_L1
197
ISCW-Mod5_L1
198
199
TRIN00 attack
TRIN00 is a distributed SYN DoS attack The attack method is a UDP flood The TRIN00 attack sets up communications between clients, handlers, and agents using these ports:
1524 tcp 27665 tcp 27444 udp 31335 udp
The mitigation tactic for the TRIN00 attack, as well as for the other DoS attacks, is to block both interfaces in the in direction. The goal is to prevent infected outside systems from sending messages to an internal network and to prevent any infected internal systems from sending messages out of an internal network to the vulnerable ports
200
ISCW-Mod5_L1
R2(config)#access-list 190 deny tcp any R2(config)#access-list 190 deny tcp any R2(config)#access-list 190 deny udp any R2(config)#access-list 190 deny udp any R2(config)#interface e0/0 R2(config-if)#ip access-group 190 in R2(config-if)#end R2(config)#interface e0/1 R2(config-if)#ip access-group 190 in R2(config-if)#end
eq eq eq eq
ISCW-Mod5_L1
201
Stacheldraht attack
Stacheldraht is a DDoS tool that first appeared in 1999 and combines features of TRIN00 and Tribe Flood Network (TFN) Stacheldraht also contains some advanced features such as encrypted attacker-master communication and automated agent updates Possible Stacheldraht attacks are similar to the attacks of TFN; namely, ICMP flood, SYN flood, UDP flood, and smurf attacks
A Stacheldraht attack sets up communication between clients, handlers, and agents using these ports: 16660 tcp 65000 tcp
ISCW-Mod5_L1
202
R2(config)#access-list 190 deny tcp any any eq 16660 log R2(config)#access-list 190 deny tcp any any eq 65000 log R2(config)#interface e0/0 R2(config-if)#ip access-group 190 in R2(config-if)#end R2(config)#interface e0/1 R2(config-if)#ip access-group 190 in R2(config-if)#end
ISCW-Mod5_L1
203
Trinity
Trinity is capable of launching several types of flooding attacks on a victim site including UDP, fragment, SYN, restore (RST), acknowledgement (ACK), and other floods Communication from the handler or intruder to the agent is accomplished via Internet Relay Chat (IRC) or ICQ from AOL Trinity appears to use primarily TCP port 6667 and also has a backdoor program that listens on TCP port 33270
ISCW-Mod5_L1
204
R2(config)#access-list 190 deny tcp any any eq 39168 log R2(config)#interface e0/0 R2(config-if)#ip access-group 190 in R2(config-if)#end R2(config)#interface e0/1 R2(config-if)#ip access-group 190 in R2(config-if)#end
ISCW-Mod5_L1
205
SubSeven
SubSeven is a backdoor Trojan that targets Windows machines Once a machine is infected, the attacker can take complete control over the system and has full access as if they were a local user The attacker can then use the victims machine to launch DDoS attacks Depending on the version, an attacker will try to exploit the following TCP ports:
1243, 2773, 6711, 6712, 6713, 6776, 7000, 7215, 16959, 27374, 27573, and 54283
ISCW-Mod5_L1
206
R2(config)#access-list 190 deny tcp any R2(config)#access-list 190 deny tcp any R2(config)#access-list 190 deny tcp any R2(config)#access-list 190 deny tcp any R2(config)#access-list 190 deny tcp any R2(config)#access-list 190 deny tcp any R2(config)#access-list 190 deny tcp any R2(config)#access-list 190 deny tcp any R2(config)#access-list 190 deny tcp any R2(config)#interface e0/0 R2(config-if)#ip access-group 190 in R2(config-if)#end R2(config)#interface e0/1 R2(config-if)#ip access-group 190 in R2(config-if)#end
ISCW-Mod5_L1 2007 Cisco Systems, Inc. All rights reserved.
eq 1243 log eq 2773 log range 6711 6713 log eq 6776 log eq 7000 log eq 7215 log eq 27374 log eq 27573 log eq 54283 log
207
Delete ACL 126 to make sure that you create a new ACL.
ISCW-Mod5_L1
208
access-list 126 deny ip 10.2.1.0 0.0.0.255 any log ! access-list 126 deny ip 127.0.0.0 0.255.255.255 any log access-list 126 deny ip 0.0.0.0 0.255.255.255 any log access-list 126 deny ip 172.16.0.0 0.15.255.255 any log access-list 126 deny ip 192.168.0.0 0.0.255.255 any log access-list 126 deny ip 224.0.0.0 15.255.255.255 any log ! access-list 126 deny ip any host 10.2.1.255 log access-list 126 deny ip any host 10.2.1.0 log !
ISCW-Mod5_L1
210
Deny all remaining traffic and provide detailed logging information of denied traffic.
ISCW-Mod5_L1
211
212
access-list 128 permit tcp 10.2.1.0 0.0.0.255 gt 1023 any lt 1024 access-list 128 permit udp 10.2.1.0 0.0.0.255 gt 1023 any eq 53 access-list 128 permit udp 10.2.1.0 0.0.0.255 any range 33400 34400 log ! access-list 128 deny tcp any range 0 65535 any range 0 65535 log access-list 128 deny udp any range 0 65535 any range 0 65535 log access-list 128 deny ip any any log
Deny all remaining access and provide detailed logging of denied access.
ISCW-Mod5_L1
213
ACL Caveats
Statement (Implicit) Deny All Caveat You may not see this statement, but the statement does exist.
Standard ACL limitation You may need to create extended ACLs to implement security policies. Statement evaluation order Order of ACL statements Directional filtering ACL statements are evaluated from top down, so always consider the order of the statements. Place more specific ACL statements higher in the ACL. Ensure that statements at the top of the ACL do not negate any statements found lower in the list. Always double-check the direction (inbound or outbound) of data that your ACL is filtering.
ISCW-Mod5_L1
214
ISCW-Mod5_L1
215
ISCW-Mod5_L1
216
Module Introduction
The open nature of the Internet makes it increasingly important for businesses to pay attention to the security of their networks. As organisations move more of their business functions to the public network, they need to take precautions to ensure that attackers do not compromise their data, or that the data does not end up being accessed by the wrong people. Unauthorised network access by an outside hacker or disgruntled employee can wreak havoc with proprietary data, negatively affect company productivity, and stunt the ability to compete. Unauthorised network access can also harm relationships with customers and business partners who may question the ability of companies to protect their confidential information, as well as lead to potentially damaging and expensive legal actions.
ISCW-Mod5_L1
217
Objectives
At the completion of this eighth lesson, you will be able to:
Describe and demonstrate how to set up syslog reporting for a large network Demonstrate the importance of secure channels for syslog information Describe the difference between inband and out-of-band reporting Read and analyse syslog reports
ISCW-Mod5_L1
218
219
ISCW-Mod5_L1
220
Information Paths
Information flow between management hosts and the managed devices can take two paths:
In-band: Information flows across the enterprise production network or the Internet (or both) Out of Band (OOB): Information flows within a network on which no production traffic resides
ISCW-Mod5_L1
221
Information Paths
ISCW-Mod5_L1
222
ISCW-Mod5_L1
223
224
1. Configure the IP domain name. 2. Generate the RSA keys. 3. (Optional) Display generated keys. 4. Configure the SSH timeout interval. 5. Configure the SSH retries. 6. Disable vty inbound Telnet sessions. 7. Enable vty inbound SSH sessions.
ISCW-Mod5_L1 2007 Cisco Systems, Inc. All rights reserved.
225
ISCW-Mod5_L1
226
Syslog Systems
Syslog server: A host that accepts and processes log messages from one or more syslog clients Syslog client: A host that generates log messages and forwards them to a syslog server
ISCW-Mod5_L1 2007 Cisco Systems, Inc. All rights reserved.
227
Unable to allocate memory Invalid memory size Crypto operation failed Interface changed state, up or down Packet denied by ACL Packet type invalid
6 LOG_INFO 7 LOG_DEBUG
ISCW-Mod5_L1
228
Note: The log message name is not the same as a severity level name.
ISCW-Mod5_L1
229
Description The name of the host you want to use as a syslog server The IP address of the host you want to use as a syslog server
ISCW-Mod5_L1
230
ISCW-Mod5_L1
231
ISCW-Mod5_L1
232
Router(config)#
logging on
5. Enables logging
ISCW-Mod5_L1
233
ISCW-Mod5_L1
Configuring SNMP
ISCW-Mod5_L1
235
Module Introduction
The open nature of the Internet makes it increasingly important for businesses to pay attention to the security of their networks. As organisations move more of their business functions to the public network, they need to take precautions to ensure that attackers do not compromise their data, or that the data does not end up being accessed by the wrong people. Unauthorised network access by an outside hacker or disgruntled employee can wreak havoc with proprietary data, negatively affect company productivity, and stunt the ability to compete. Unauthorised network access can also harm relationships with customers and business partners who may question the ability of companies to protect their confidential information, as well as lead to potentially damaging and expensive legal actions.
ISCW-Mod5_L1
236
Objectives
At the completion of this ninth lesson, you will be able to:
Describe the concepts behind the use of SNMP Explain the various SNMP actions Explain why the use of SNMP v1 and 2 is not recommended Demonstrate how to configure Cisco routers to use SNMPv3
ISCW-Mod5_L1
237
SNMP
SNMP the Simple Network Management Protocol forms part of the internet protocol suite as defined by the IETF SNMP is used by network management systems to monitor network-attached devices for conditions that warrant administrative attention It consists of a set of standards for network management, including an Application Layer protocol, a database schema, and a set of data objects The current version is SNMPv3
SNPv1 and v2 are considered obsolete, and are extremely insecure. It is recommended they NOT be used on a publicly attached network
ISCW-Mod5_L1 2007 Cisco Systems, Inc. All rights reserved.
238
SNMP Components
An SNMP-managed network consists of three key components:
1. Managed devices 2. Agents 3. Network-management systems (NMSs)
1. A managed device is a network node that contains an SNMP agent and that resides on a managed network. Managed devices collect and store management information and make this information available to NMSs using SNMP. Managed devices can be routers and access servers, switches and bridges, hubs, computer hosts, or printers. 2. An agent is a network-management software module that resides in a managed device. An agent has local knowledge of management information and translates that information into a form compatible with SNMP. 3. An NMS executes applications that monitor (and possibly control) managed devices. NMSs provide the bulk of the processing and memory resources required for network management. One or more NMSs must exist on any managed network.
Ref: Wikepedia - SNMP
ISCW-Mod5_L1
239
ISCW-Mod5_L1
240
ISCW-Mod5_L1
241
SNMP Actions
The SNMP protocol specifies (in version 1) five core PDUs:
1. GET REQUEST - used to retrieve a piece of management information. 2. GETNEXT REQUEST - used iteratively to retrieve sequences of management information. 3. GET RESPONSE - used agent responds with data to get and set requests from the manager. 4. SET REQUEST - used to initialise and make a change to a value of the network element. 5. TRAP - used to report an alert or other asynchronous event about a managed subsystem. In SNMPv1, asynchronous event reports are called traps while they are called notifications in later versions of SNMP.
ISCW-Mod5_L1 2007 Cisco Systems, Inc. All rights reserved.
242
SNMP Actions
Other PDUs were added in later versions, including:
GETBULK REQUEST - a faster iterator used to retrieve sequences of management information. INFORM - an acknowledged trap.
Typically, SNMP uses UDP ports 161 for the agent and 162 for the manager. The Manager may send Requests from any available ports (source port) to port 161 in the agent (destination port). The agent response will be given back to the source port. The Manager will receive traps on port 162. The agent may generate traps from any available port.
ISCW-Mod5_L1
243
Community Strings
SNMPv1 and SNMPv2 use a community string to access router SNMP agents SNMP community strings act like passwords An SNMP community string is a text string used to authenticate messages between a management station and an SNMP engine If the manager sends one of the correct read-only community strings, the manager can get information but NOT set information in an agent If the manager uses one of the correct read-write community strings, the manager can get or set information in the agent
ISCW-Mod5_L1
244
Community Strings
In effect, having read-write access is equivalent to having the enable password! SNMP agents accept commands and requests only from SNMP systems that use the correct community string. By default, most SNMP systems use a community string of public If the router SNMP agent is configured to use this commonly known community string, anyone with an SNMP system is able to read the router MIB Router MIB variables can point to entities like routing tables and other security-critical components of a router configuration, so it is very important that custom SNMP community strings are created
ISCW-Mod5_L1
245
ISCW-Mod5_L1
246
ISCW-Mod5_L1
247
ISCW-Mod5_L1
248
Features
Message integrity: Ensures that a packet has not been tampered with in transit Authentication: Determines that the message is from a valid source Encryption: Scrambles the contents of a packet to prevent the packet from being seen by an unauthorised source Data can be collected securely from SNMP devices without fear of the data being tampered with or corrupted Confidential information, such as SNMP Set command packets that change a router configuration, can be encrypted to prevent the contents from being exposed on the network
Benefits
ISCW-Mod5_L1
249
ISCW-Mod5_L1
250
If an individualised ID is required do not specify the entire 24character engine ID if the ID contains trailing zeros.
Specify only the portion of the engine ID up to the point at which only zeros remain in the value. This portion must be 10 hexadecimal characters or more. For example, to configure an engine ID of 123400000000000000000000, specify snmp-server engineID local 1234000000.
ISCW-Mod5_L1 2007 Cisco Systems, Inc. All rights reserved.
251
ISCW-Mod5_L1
252
An SNMP view is a mapping between SNMP objects and the access rights that are available for those objects
An object can have different access rights in each view Access rights indicate whether the object is accessible by either a community string or a user
ISCW-Mod5_L1
253
snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] [access access-list] Configures a new SNMP group or a table that maps SNMP users to SNMP views
PR1(config)#snmp-server group johngroup v3 auth PR1(config)#snmp-server group billgroup v3 auth priv
The top example shows how to define a group johngroup for SNMP v3 using authentication but not privacy (encryption) The bottom example shows how to define a group billgroup for SNMP v3 using both authentication and privacy
ISCW-Mod5_L1
254
ISCW-Mod5_L1
255
snmp-server user username groupname [remote ipaddress [udp-port port]] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password [priv des56 priv-password]]} [access access-list]
The first example (below) shows how to define a user John belonging to the group johngroup. Authentication uses the password john2passwd and no privacy (no encryption) is applied. The second example shows how user Bill, belonging to the group billgroup, is defined using the password bill3passwd and privacy (encryption) is applied
user John johngroup v3 auth md5 john2passwd user Bill billgroup v3 auth md5 bill3passwd des56 group johngroup v3 auth group billgroup v3 auth priv
256
An SNMP entity that receives an inform request acknowledges the message with an SNMP response PDU.
Informs consume more computing resources in the agent and in the network.
If an snmp-server host command is NOT entered, no notifications are sent. To configure the router to send SNMP notifications, at least one snmp-server host command must be entered
If the command is entered with no keywords, all trap types are enabled for the host.
ISCW-Mod5_L1 2007 Cisco Systems, Inc. All rights reserved.
257
ISCW-Mod5_L1
258
snmp-server host host-address [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] community-string [udp-port port] [notification-type]
The example (below) shows how to send configuration informs to the 10.1.1.1 remote host
PR1(config)#snmp-server PR1(config)#snmp-server PR1(config)#snmp-server PR1(config)#snmp-server PR1(config)#snmp-server PR1(config)#snmp-server engineID remote 10.1.1.1 1234 user bill billgroup remote 10.1.1.1 v3 group billgroup v3 noauth enable traps host 10.1.1.1 inform version 3 noauth bill manager
259
ISCW-Mod5_L1
ISCW-Mod5_L1
260
SNMPv3 Configuration
The next slide shows how to configure Cisco IOS routers for SNMPv3. The router Trap_sender is configured to send traps to the NMS host with the IP address 172.16.1.1. The traps are encrypted using the credentials that are configured for the local user snmpuser who belongs to the group snmpgroup. The Trap_sender router sends traps that are related to CPU, configuration, and SNMP. The trap packets are sourced from the router loopback 0 interface The router Walked_device is configured so that the NMS host can read the MIBs on the local device. The NMS server needs to use the username credentials that are configured on the Walked_device (snmpuser with respective authentication and encryption passwords) to gain access to the SNMP information of the router
ISCW-Mod5_L1
261
Trap_sender(config)#snmp-server Trap_sender(config)#snmp-server Trap_sender(config)#snmp-server des56 encryptpassword Trap_sender(config)#snmp-server Trap_sender(config)#snmp-server Trap_sender(config)#snmp-server Trap_sender(config)#snmp-server Trap_sender(config)#snmp-server
group snmpgroup v3 auth group snmpgroup v3 priv user snmpuser snmpgroup v3 auth md5 authpassword priv enable traps cpu enable traps config enable traps snmp host 172.16.1.1 traps version 3 priv snmpuser source-interface traps loopback 0
Walked_device(config)#snmp-server group snmpgroup v3 auth Walked_device(config)#snmp-server group snmpgroup v3 priv Walked_device(config)#snmp-server user snmpuser snmpgroup v3 auth md5 authpassword priv des56 encrypt password
ISCW-Mod5_L1
262
ISCW-Mod5_L1
263
Module Introduction
The open nature of the Internet makes it increasingly important for businesses to pay attention to the security of their networks. As organisations move more of their business functions to the public network, they need to take precautions to ensure that attackers do not compromise their data, or that the data does not end up being accessed by the wrong people. Unauthorised network access by an outside hacker or disgruntled employee can wreak havoc with proprietary data, negatively affect company productivity, and stunt the ability to compete. Unauthorised network access can also harm relationships with customers and business partners who may question the ability of companies to protect their confidential information, as well as lead to potentially damaging and expensive legal actions.
ISCW-Mod5_L1
264
Objectives
At the completion of this tenth lesson, you will be able to:
Explain how a router maintains an accurate time Describe NTP and how it is configured Configure NTP on a router as a server and a client Associate with NTP servers
ISCW-Mod5_L1
265
Understanding NTP
Time has been invented in the universe so that everything would not happen at once
The NTP FAQ and HOWTO - http://www.ntp.org/ntpfaq/
Many features in a computer network depend on time synchronisation, such as accurate time information in syslog messages, certificate-based authentication in VPNs, ACLs with time range configuration, and key rollover in routing protocol authentication (EIGRP and RIP) Most Cisco routers have two clocks: a battery-powered system calendar in the hardware and a software-based system clock These two clocks are managed separately
ISCW-Mod5_L1
266
System Clock
The heart of the router time service is the software-based system clock This clock starts to keep track of time from the moment the system starts The system clock can be set from a number of sources and can be used to distribute the current time through various mechanisms to other systems When a router with a system calendar is initialised or rebooted, the system clock is set based on the time in the internal batterypowered system calendar The system clock can then be set manually or by using the Network Time Protocol (NTP) - an Internet protocol used to synchronise the clocks of network connected devices to some time reference
NTP is an Internet standard protocol currently at v3 and specified in RFC 1305
ISCW-Mod5_L1
267
UTC - GMT
UTC (Temps Universel Coordonn or, in English, Coordinated Universal Time) is an official standard for the current time. UTC evolved from the former GMT (Greenwich Mean Time) that was previously used to accurately set the clocks on sailing ships before they left London for a long journey (very important to determine longitude and avoid navigational embarrassment..) Later GMT was adopted as the world's standard time. It has now been replaced by UTC.
One of the reasons that GMT has been replaced as official standard time was the fact that it was based on the mean solar time. Newer methods of time measurement showed that the mean solar time varied appreciably.
ISCW-Mod5_L1
268
Authoritative Time
In a router, the system clock keeps track of time internally based on UTC (which, despite the comment in the curriculum is not technically the same as GMT.) Information can be configured about the local time zone and daylight savings time so that the time appears correctly relative to the local time zone The system clock keeps track of whether the time is authoritative or not (that is, whether the time has been set by a time source that is considered to be authoritative) If the time is NOT considered authoritative, the time is available only for display purposes and is not redistributed within the network
ISCW-Mod5_L1
269
NTP
NTP is a protocol designed to time-synchronize a network of machines. NTP runs over UDP, which in turn runs over IP An NTP network usually obtains the time from an authoritative time source, such as a radio clock or an atomic clock attached to a time server. NTP then distributes this time across the network. NTP is extremely efficient; no more than one packet per minute is necessary to synchronise two machines to within 1mS of one another
As of early 2007, NTP v4 has not completed IETF standardisation. RFC 1305 documents NTP v3 Cisco devices support only RFC specifications of NTPv3
NTP uses the concept of a stratum to describe how many NTP hops away a machine is from an authoritative time source A stratum 1 time server typically has a radio or atomic clock directly attached to the server; a stratum 2 time server receives the time via NTP from a stratum 1 time server, etc, etc.
A machine that runs NTP automatically chooses the machine with the lowest stratum number to communicate with via NTP as the machines time source This strategy effectively builds a self-organising tree of NTP speakers
ISCW-Mod5_L1 2007 Cisco Systems, Inc. All rights reserved.
270
NTP
NTP is careful to avoid synchronising to a machine whose time may not be accurate. NTP avoids doing so in two ways:
1. NTP never synchronises to a machine that is not synchronised itself 2. NTP compares the time that is reported by several machines and does not synchronise to a machine whose time is significantly different than the others, even if the machines stratum number is lower
The communications (known as associations) between machines that run NTP are usually statically configured; each machine is given the IP address of all machines with which the machine should form associations Accurate timekeeping is possible by exchanging NTP messages between each pair of machines with an association In a LAN environment, NTP can be configured to use IP broadcast messages instead
This alternative reduces configuration complexity because each machine can be configured to send or receive broadcast messages. However, the accuracy of timekeeping is marginally reduced because the information flow is one-way only
ISCW-Mod5_L1
271
NTP Security
The time that a machine keeps is a critical resource, so the security features of NTP should be used to avoid the accidental or malicious setting of incorrect time Two mechanisms are available:
1. an ACL-based restriction scheme 2. an encrypted authentication mechanism.
Time service for a network should be derived from the public NTP servers that are available on the Internet
If the network is isolated from the Internet, the Cisco implementation of NTP allows a machine to be configured so that the machine acts as though the machine is synchronised via NTP when in fact the machine has determined the time using other means. Other machines then synchronise to that machine via NTP
ISCW-Mod5_L1
272
NTP Association
When multiple sources of time (eg, manual configuration) are available, NTP is always considered to be more authoritative NTP time overrides the time set by any other method An NTP association can be a peer association (this system is willing to either synchronise to the other system or to allow the other system to synchronise to it), or the association can be a server association (only this system will synchronise to the other system, and not vice versa)
ISCW-Mod5_L1
273
274
To authenticate the associations with other systems for security purposes, use the commands in the NTP Authentication Commands table (see next slide)
ISCW-Mod5_L1
275
ntp Defines an authentication key. Message authentication authentication-key support is provided using the MD5 algorithm. The key number md5 value type md5 is currently the only key type that this command supports. The key value can be any arbitrary string of up to eight characters. ntp trusted-key key-number Defines trusted authentication keys.
The first command enables the NTP authentication feature. The second command defines each of the authentication keys. Each key has a key number, a type, and a value. Currently the only key type supported is md5. Finally, a list of trusted authentication keys is defined. If a key is trusted, this system is ready to synchronise to a system that uses this key in the systems NTP packets
ISCW-Mod5_L1 2007 Cisco Systems, Inc. All rights reserved.
276
ntp authenticate
Defines the authentication keys Used for both peer and server associations
Router(config)#
Defines the trusted authentication keys Required to synchronise to a system (server association)
R1(config)#ntp authentication R1(config)#ntp authentication-key 1 md5 NeVeRgUeSs R1(config)#ntp trusted-key 1
ISCW-Mod5_L1 2007 Cisco Systems, Inc. All rights reserved.
277
ntp broadcast client: In addition to or instead of creating unicast NTP associations, the system can be configured to listen to broadcast packets on an interface-by-interface basis
To do this, use the ntp broadcast client command in interface configuration mode
ISCW-Mod5_L1
278
ntp server {ip-address | hostname} [version number] [key keyid] [source interface] [prefer]
ISCW-Mod5_L1
279
280
ISCW-Mod5_L1
281
You can make a router an authoritative NTP server, even if the system is not synchronised to an outside time source. Two options to establish a peer association:
1. Unicast 2. Broadcast
ISCW-Mod5_L1
282
ntp peer ip-address [normal-sync][version number] [key keyid] [source interface] [prefer]
ISCW-Mod5_L1
283
Intermediate(config)#ntp authentication-key 1 md5 secretsource Intermediate(config)#ntp authentication-key 2 md5 secretclient Intermediate(config)#ntp trusted-key 1 Intermediate(config)#ntp server 172.16.0.1 Intermediate(config)#ntp source loopback 0 Intermediate(config)#interface Fastethernet0/0 Intermediate(config-int)#ntp broadcast Client(config)#ntp authentication-key 1 md5 secretclient Client(config)#ntp trusted-key 1 Client(config)#interface Fastethernet0/1 Client(config-int)#ntp broadcast client
ISCW-Mod5_L1
284
ISCW-Mod5_L1
285
Module Introduction
The open nature of the Internet makes it increasingly important for businesses to pay attention to the security of their networks. As organisations move more of their business functions to the public network, they need to take precautions to ensure that attackers do not compromise their data, or that the data does not end up being accessed by the wrong people. Unauthorised network access by an outside hacker or disgruntled employee can wreak havoc with proprietary data, negatively affect company productivity, and stunt the ability to compete. Unauthorised network access can also harm relationships with customers and business partners who may question the ability of companies to protect their confidential information, as well as lead to potentially damaging and expensive legal actions.
ISCW-Mod5_L1
286
Objectives
At the completion of this eleventh lesson, you will be able to:
Describe what is meant by the term triple A Explain how and why AAA should be used to secure router and switch access Configure AAA using the IOS CLI and SDM Describe the use of external AAA servers, including a brief overview of CSACS
ISCW-Mod5_L1
287
also known as AAA These AAA services provide a higher degree of scalability than line-level and privileged-EXEC authentication to networking components Unauthorised access in campus, dialup, and Internet environments creates the potential for network intruders to gain access to sensitive network equipment, services and data Using a Cisco AAA architecture enables consistent, systematic and scalable access security
ISCW-Mod5_L1
288
Authorisation
Provides the method for remote access control, including one-time authorisation or authorisation for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet
Accounting
Provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes
ISCW-Mod5_L1
289
Authentication
Authentication is the way a user is identified prior to being allowed access to the network and network services AAA authentication is configured by defining a named list of authentication methods, and then applying that list to various interfaces The method list defines the types of authentication to be performed and the sequence in which they will be performed; it MUST be applied to a specific interface before any of the defined authentication methods will be performed
The only exception is the default method list (default). The default method list is automatically applied to all interfaces if no other method list is defined. A defined method list overrides the default method list.
All authentication methods, except for local, line password, and enable authentication, MUST be defined through AAA
ISCW-Mod5_L1 2007 Cisco Systems, Inc. All rights reserved.
290
Authorisation
Authorisation provides the method for remote access control, including one-time authorisation or authorisation for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet AAA authorisation works by assembling a set of attributes that describe what the user is authorised to perform These attributes are compared to the information contained in a database for a given user and the result is returned to AAA to determine the user's actual capabilities and restrictions
The database can be located locally on the access server or router, or it can be hosted remotely on a RADIUS or TACACS+ security server
As with authentication, AAA authorisation is configured by defining a named list of authorisation methods, and then applying that list to various interfaces
ISCW-Mod5_L1 2007 Cisco Systems, Inc. All rights reserved.
291
Accounting
Accounting provides the method for collecting and sending security server information used for billing, auditing, and reporting - user identities, start and stop times, executed commands, number of packets, and number of bytes Accounting enables tracking of the services users are accessing as well as the amount of network resources they are consuming With AAA accounting activated, the NAS reports user activity to the RADIUS or TACACS+ security server in the form of accounting records Each accounting record is comprised of accounting AV pairs and is stored on the access control server. This data can then be analysed for network management, client billing, and/or auditing All accounting methods must be defined through AAA. Accounting is configured by defining a named list of accounting methods, and then applying that list to various interfaces
ISCW-Mod5_L1
292
Access Control
In many circumstances, AAA uses protocols such as RADIUS, TACACS+, or Kerberos to administer security functions If your router or access server is acting as a network access server, AAA is the means through which you establish communication between your network access server and your RADIUS, TACACS+, or Kerberos security server Although AAA is the primary (and recommended) method for access control, Cisco IOS software provides additional features for simple access control that are outside the scope of AAA, such as local username authentication, line password authentication, and enable password authentication. However, these features do not provide the same degree of access control that is possible by using AAA
ISCW-Mod5_L1
293
Implementing AAA
Cisco provides three ways of implementing AAA services for Cisco routers, network access servers (NAS), and switch equipment:
1. Self-contained AAA: AAA services can be self-contained in the router or NAS itself (also known as local authentication) 2. Cisco Secure ACS for Windows Server: AAA services on the router or NAS contact an external Cisco Secure Access Control Server (ACS) for Windows system for user and administrator authentication 3. Cisco Secure ACS Solution Engine: AAA services on the router or NAS contact an external Cisco Secure ACS Solution Engine for user and administrator authentication
There are also open source AAA servers available that work in conjunction with Cisco IOS devices
ISCW-Mod5_L1
294
Implementing AAA
Administrative access: Console, Telnet, and AUX access Remote user network access: Dialup or VPN access
ISCW-Mod5_L1 2007 Cisco Systems, Inc. All rights reserved.
295
Character mode allows a network administrator with a large number of routers in a network to authenticate one time as the user, and then access all routers that are configured in this method Primary applications for the Cisco Secure ACS include securing dialup access to a network and securing the management of routers within a network. Both applications have unique AAA requirements. With CSACS, a variety of authentication methods can be chosen, each providing a set of authorisation privileges. Router ports must be secured using the Cisco IOS software and a CSACS server
296
ISCW-Mod5_L1
ISCW-Mod5_L1
297
ISCW-Mod5_L1
298
TACACS+ provides many benefits for configuring Cisco devices to use AAA for management and terminal services. TACACS+ can control the authorisation level of users; RADIUS cannot
Because TACACS+ separates authentication and authorisation, it is possible to use TACACS+ for authorisation and accounting, while using a different method for authentication, such as Kerberos
ISCW-Mod5_L1
299
RADIUS Features
Radius is an IETF standard protocol - RFC 2865 Standard attributes can be augmented by proprietary attributes:
Vendor-specific attribute 26 allows any TACACS+ attribute to be used over RADIUS
Uses UDP on standard port numbers (1812 and 1813; CSACS uses 1645 and 1646 by default) It includes only two security features:
1.Encryption of passwords (MD5 encryption) 2.Authentication of packets (MD5 fingerprinting)
ISCW-Mod5_L1
300
The example shows how RADIUS exchange starts once the NAS is in possession of the username and password The ACS can reply with Access-Accept message, or AccessReject if authentication is not successful
ISCW-Mod5_L1
301
RADIUS Messages
There are four types of messages involved in a RADIUS authentication exchange:
1. Access-Request: Contains AV pairs for the username, password (this is the only information that is encrypted by RADIUS), and additional information such as the NAS port 2. Access-Challenge: Necessary for challenge-based authentication methods such as Challenge Handshake Authentication Protocol (CHAP), Microsoft CHAP (MSCHAP), and Extensible Authentication Protocol-Message Digest 5 (EAP-MD5) 3. Access-Accept: The positive answer if the user information is valid 4. Access-Reject: Sent as a negative reply if the user information is invalid
ISCW-Mod5_L1 2007 Cisco Systems, Inc. All rights reserved.
302
RADIUS AV Pairs
RADIUS messages contain zero or more AV-pairs, for example:
1. 2. 3. 4. 5. User-Name User-Password (this is the only encrypted entity in RADIUS) CHAP-Password Service-Type Framed-IP-Address
There are approximately 50 standard-based attributes (RFC 2865) RADIUS allows proprietary attributes Basic attributes are used for authentication purposes Most other attributes are used in the authorisation process Cisco has added several vendor-specific attributes on the server side. Cisco IOS devices will, by default, always use Cisco AV pairs, but Cisco devices can be configured to use only IETF attributes for standard compatibility Accounting information is sent within special RADIUS accounting messages
303
ISCW-Mod5_L1
TACACS+ uses TCP on well-known port number 49 TACACS+ establishes a dedicated TCP session for every AAA action Cisco Secure ACS can use one persistent TCP session for all actions Protocol security includes authentication and encryption of all TACACS+ datagrams
ISCW-Mod5_L1 2007 Cisco Systems, Inc. All rights reserved.
304
TACACS+ Authentication
The example shows how TACACS+ exchange starts before the user is prompted for username and password. The prompt text can be supplied by the TACACS+ server.
ISCW-Mod5_L1
305
The example shows the process of network authorisation that starts after successful authentication.
ISCW-Mod5_L1
306
The example illustrates the command authorisation process that repeatedly starts for every command that requires authorisation (based on command privilege level).
ISCW-Mod5_L1
307
ISCW-Mod5_L1
308
RADIUS
ISCW-Mod5_L1
309
ISCW-Mod5_L1
310
aaa authentication login {default | list_name} group {group_name | tacacs+ | radius} [method2 [method3 [method4]]]
ISCW-Mod5_L1
311
default
This command creates a default that is automatically applied to all lines and interfaces, specifying the method or sequence of methods for authentication. This command creates a list, with a name of your choosing, that is applied explicitly to a line or interface using the method or methods specified. This defined list overrides the default when you apply the defined list to a specific line or interface. These methods specify the use of an AAA server. The group radius and group tacacs+ methods refer to previously defined RADIUS or TACACS+ servers. The group-name string allows the use of a predefined group of RADIUS or TACACS+ servers for authentication (created with the aaa group server radius or aaa group server tacacs+ command).
list-name
ISCW-Mod5_L1
312
Uses the enable password for authentication sUses server-group sUses Kerberos Version 5 for authentication sUses the line password for authentication Uses the local username and password database for authentication sUses case-sensitive local username authentication sUses no authentication
ISCW-Mod5_L1
313
ISCW-Mod5_L1
314
Because the authentication has not been specified for line con 0 and aux 0, the default option is used
ISCW-Mod5_L1
315
ISCW-Mod5_L1
316
ISCW-Mod5_L1
317
ISCW-Mod5_L1
318
ISCW-Mod5_L1
319
ISCW-Mod5_L1
320
ISCW-Mod5_L1
321
ISCW-Mod5_L1
322
ISCW-Mod5_L1
323
ISCW-Mod5_L1
324
ISCW-Mod5_L1
325
ISCW-Mod5_L1
326
ISCW-Mod5_L1
327
ISCW-Mod5_L1
328
Troubleshoot AAA Login Authentication on Cisco Routers Use the debug aaa authentication command on routers to trace AAA packets and monitor authentication The command displays debugging messages on authentication functions
router#
ISCW-Mod5_L1
329
ISCW-Mod5_L1
330
router(config)# aaa authorization {network | exec | commands level | config-commands | reverse-access} {default|list-name} method1 [method2...]
Example:
router(config)#aaa authorization exec default group radius local none
ISCW-Mod5_L1
331
Each session that is established through the Cisco Secure ACS can be fully accounted for and stored on the server. This stored information can be very helpful for management, security audits, capacity planning, and network usage billing.
ISCW-Mod5_L1
332
router(config)# aaa accounting {command level | connection | exec | network | system} {default | list-name} {start-stop | stop-only | wait-start} group {tacacs+ | radius}
Example:
R2(config)#aaa accounting exec default start-stop group tacacs+
ISCW-Mod5_L1
333
The Cisco Secure ACS serves as a central repository for accounting information by completing the access control functionality. Accounting tracks events that occur on the network. The next slide shows a TACACS+ report from Windows ACS
ISCW-Mod5_L1
334
ISCW-Mod5_L1
335
Troubleshooting Accounting
Use this command to help troubleshoot AAA accounting problems.
router#
R2#debug aaa accounting 16:49:21: AAA/ACCT: EXEC acct start, line 10 16:49:32: AAA/ACCT: Connect start, line 10, glare 16:49:47: AAA/ACCT: Connection acct stop: task_id=70 service=exec port=10 protocol=telnet address=172.31.3.78 cmd=glare bytes_in=308 bytes_out=76 paks_in=45 paks_out=54 elapsed_time=14
ISCW-Mod5_L1
336
ISCW-Mod5_L1
337