
DRAFT May 2003. All rights reserved.

For review only. Please do not distribute


© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0
Module 2

Basic Router and Switch Security



Learning Objectives

• Describe the need for securing routers and switches.
• Disable unneeded services.
• Secure the perimeter.
• Manage routers securely.
• Secure switches and LAN access.



Overview

This chapter focuses on some of the tools that
are available to network administrators to
protect network traffic. Administrators can
control access to the router, switch, and the
network by managing access at the console
ports and terminal lines, as well as setting up
passwords, accounts and privilege levels.



Key terms

• Perimeter
• DMZ
• SSL
• SSH
• NAT
• PAT
• Mitigation
• NTP
• 802.1X
• IBNS
General Router and Switch Security



Router Topologies—Standalone Perimeter Router

–Small Business
–Minimal Protection



Router Topologies—Perimeter Router and Firewall

–Medium/Large Business
–Greater Protection
–Greater flexibility
Router Topologies—Perimeter Router with Integrated Firewall

–Small/Medium Business
–Greater Protection than just router
–Better Interoperability
Router Topologies—Perimeter Router, Internal Router, and Firewall

–Medium/Large Business
–Greater Protection & Performance
–Greater Routing options
Installation Risk Assessment

• Low-risk
– Mobile worker
– PC
• High-risk
– NAS
– Firewall
– Router
– Switch
– Servers



Common Threats to Router and Switch Physical Installations

• Hardware threats
• Environmental threats
• Electrical threats
• Maintenance threats



Hardware Threat Mitigation

[Figure: secure computer room with card-reader entry and electronic log, AC, UPS, server bays, LAN and WAN links, and a help desk]

How do you plan to limit physical damage to the equipment?
• No unauthorized access (lock it up)
• No access via ceiling
• No access via raised flooring
• No access via ductwork
• No window access
• Log all entry attempts (electronic log/monitor)
• Security cameras (recorded log)



Environmental Threat Mitigation

How do you plan to limit environmental damage to the equipment?
• Temperature control
• Humidity control
• Positive air flow
• Remote environmental alarming, recording, and monitoring



Electrical Threat Mitigation

How do you plan to limit electrical supply problems?
• Install UPS systems
• Install generator sets
• Follow a preventative maintenance plan
• Install redundant power supplies
• Perform remote alarming and monitoring



Maintenance-Related Threat Mitigation

How do you plan to limit maintenance-related threats?
• Use neat cable runs
• Label critical cables and components
• Use ESD procedures
• Stock critical spares
• Control access to console ports



Access Control

• Console port
• TTY (asynchronous lines, such as modem ports)
• VTY (virtual terminal lines used by Telnet and SSH sessions)

• A console is a terminal connected to the router console port. The terminal can be a dumb terminal or a PC with terminal-emulation software.



Passwords
Passwords are the most critical tools in controlling access to a router. There are two password protection schemes in Cisco IOS:

• Type 7 uses a Cisco-defined, reversible obfuscation algorithm. It hides a password from someone glancing at the screen, but anyone who obtains the configuration file can recover the clear text.
• Type 5 uses a salted MD5 hash, which is much stronger: the clear text cannot be recovered from the configuration, only guessed.
• Cisco recommends that Type 5 (enable secret) be used instead of Type 7 where possible. Type 7 is what the enable password, username ... password, and line password commands store once service password-encryption is enabled.
• service password-encryption should still be used so that no password sits in the configuration in clear text.
• Use good password practices when creating passwords.
• Configure username and password combinations (per-user accounts) rather than relying on a single shared line password.
Good Password Practices

• Avoid dictionary words, names, phone numbers, and dates.
• Include at least one lowercase letter, uppercase letter, digit, and special character.
• Make all passwords at least eight characters long.
• Avoid more than four digits or same-case letters in a row.
• Change passwords often.



Initial Configuration Dialog
--- System Configuration Dialog ---
Would you like to enter the initial configuration dialog? [yes/no] y

Configuring global parameters:
Enter host name [Router]: Boston
The enable secret is a password used to protect access to
privileged EXEC and configuration modes. This password, after
entered, becomes encrypted in the configuration.
Enter enable secret: CantGessMe
The enable password is used when you do not specify an enable
secret password, with some older software versions, and some boot
images.
Enter enable password: WontGessMe
The virtual terminal password is used to protect access to the
router over a network interface.
Enter virtual terminal password: CantGessMeVTY
.
.



Configure the Enable Password
Using enable secret
router(config)#
enable secret password

• Stores the password in the configuration file as a salted MD5 hash (type 5) rather than in clear text
• The hash cannot be reversed to the clear text, but it can still be attacked by offline guessing, so choose a strong password

Boston(config)# enable secret Curium96

Boston# show running-config


!
hostname Boston
!
no logging console
enable secret 5 $1$ptCj$vRErS/tehv53JjaqFMzBT/
!



Configure the Console Port
User-Level Password
router(config)#
line console line-number
• Enters console line configuration mode

router(config-line)#
login
• Enables password checking at login
router(config-line)#
password password
• Sets the user-level password to password

Boston(config)# line console 0


Boston(config-line)# login
Boston(config-line)# password ConUser1
• Creates the user-level password “ConUser1”
• The password is stored in clear text unless service password-encryption is configured
Configure a VTY User-Level Password
router(config)#
line vty start-line-number end-line-number
• Enters VTY line configuration mode

• Specifies the range of VTY lines to configure

router(config-line)#
login
• Enables password checking at login for VTY (Telnet)
sessions
router(config-line)#
password password
• Sets the user-level password to password

Boston(config)# line vty 0 4


Boston(config-line)# login
Boston(config-line)# password CantGessMeVTY
Configure an Auxiliary User-Level Password
router(config)#
line aux line-number

• Enters auxiliary line configuration mode

router(config-line)#
login
• Enables password checking at login for Aux connections

router(config-line)#
password password
• Sets the user-level password to password

Boston(config)# line aux 0


Boston(config-line)# login
Boston(config-line)# password NeverGessMeAux
Encrypting Passwords Using
service password-encryption
router(config)#
service password-encryption

• Obfuscates (type 7) every clear-text line, username, and enable password in the configuration file

Boston(config)# service password-encryption


Boston# show running-config
!
line con 0
password 7 0956F57A109A
!
line vty 0 4
password 7 034A18F366A0
!
line aux 0
password 7 7A4F5192306A
• Type 7 is a reversible obfuscation with a fixed, publicly known key, so anyone who has the configuration file recovers the clear text immediately; it protects only against shoulder surfing, not against disclosure of the file
• Keep the enable secret (type 5) for privileged access and treat any type 7 string in a leaked configuration as a compromised password
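The weakness of type 7 can be shown directly. The following Python script is an added example, not part of the Cisco course: it implements the published type 7 algorithm (a fixed translation key, a two-digit decimal seed, and one XORed byte per character) in both directions and pulls every `password 7` value out of a configuration dump. The configuration fragment and the encoded values in it are constructed for the example.

```python
"""Cisco IOS type 7 password obfuscation (what `service password-encryption` writes).
Added example; not part of the Cisco course. The translation key and the encoding
(two-digit decimal seed, then one hex byte per character XORed with successive key
bytes) are the well-known published algorithm, not an assumption.
"""

XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decrypt(encoded: str) -> str:
    """Recover the clear text from a `password 7 <encoded>` string."""
    if len(encoded) < 2 or len(encoded) % 2:
        raise ValueError("type 7 value must be an even-length string of >= 2 chars")
    seed = int(encoded[:2], 10)               # first two digits: offset into XLAT
    clear = bytearray()
    for i, pos in enumerate(range(2, len(encoded), 2)):
        byte = int(encoded[pos:pos + 2], 16)  # one hex byte per password character
        clear.append(byte ^ XLAT[(seed + i) % len(XLAT)])
    return clear.decode("ascii")


def type7_encrypt(plain: str, seed: int = 9) -> str:
    """Produce the string IOS would store; the seed is the only variation."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 0-15")
    body = "".join(
        f"{b ^ XLAT[(seed + i) % len(XLAT)]:02X}"
        for i, b in enumerate(plain.encode("ascii"))
    )
    return f"{seed:02d}{body}"


def recover_from_config(config_text: str) -> dict:
    """Map every `... 7 <value>` line in a config dump to its clear text.
    `enable secret 5 ...` lines are skipped: that is a salted MD5 hash, not reversible."""
    found = {}
    for line in config_text.splitlines():
        tokens = line.split()
        # shape: "<keyword ...> 7 <hex>", e.g. "password 7 0822455D0A16"
        if len(tokens) >= 3 and tokens[-2] == "7":
            try:
                found[line.strip()] = type7_decrypt(tokens[-1])
            except (ValueError, UnicodeDecodeError):
                continue  # not a type 7 value after all
    return found


# Constructed sample in the style of the `show running-config` output on the slide.
SAMPLE_CONFIG = """\
enable secret 5 $1$ptCj$vRErS/tehv53JjaqFMzBT/
!
line con 0
 password 7 096F41072C1612005A
line vty 0 4
 password 7 0822455D0A16
"""

if __name__ == "__main__":
    for line, clear in recover_from_config(SAMPLE_CONFIG).items():
        print(f"{line:40s} -> {clear}")
```

Running the script prints the console and VTY passwords in clear text (ConUser1 and cisco) while the enable secret line is left alone; the whole recovery is a table lookup and an XOR per character, which is why the type 7 scheme counts as obfuscation rather than encryption.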
Setting Timeouts for Router Lines

router(config-line)#
exec-timeout minutes [seconds]

• Default is 10 minutes
• Terminates an unattended console, auxiliary, or VTY session after the specified idle time
• Provides an extra safety factor when an administrator walks away from an active console session
• exec-timeout 0 0 disables the timeout altogether and should be avoided on any line that others can reach

Boston(config)# line console 0


Boston(config-line)#exec-timeout 3 30

Boston(config)# line aux 0


Boston(config-line)#exec-timeout 3 30
• Terminates an unattended console/auxiliary
connection after 3 minutes and 30 seconds
Setting Multiple Privilege Levels

router(config)#

privilege mode {level level command | reset
command}
• Level 1 is predefined for user-level access privileges
• Levels 2–14 may be customized for user-level privileges
• Level 15 is predefined for enable mode (enable command)

Boston(config)# privilege exec level 2 ping

Boston(config)# enable secret level 2 Patriot
• Moves the ping command to privilege level 2 and sets a separate secret for that level; a user who enters enable 2 gets ping plus the level-1 commands, but not the rest of privileged EXEC



Banners

• Banners should be used on all network devices.
• A banner should include
– A notice that the system is to be logged into or accessed only by authorized personnel, and information about who may authorize use.
– A notice that any unauthorized use of the system is unlawful, and may be subject to civil and criminal penalties, or both.
– A notice that any use of the system may be logged or monitored without further notice, and that the resulting logs may be used as evidence in court.
– Specific notices required by specific local laws.
• A login banner usually should not contain any specific information about the router, its name, its model, what software it is running, or its ownership.
Configuring Banner Messages
router(config)#
banner {exec | incoming | login | motd | slip-ppp} d message d
• Specify what is “proper use” of the system
• Specify that the system is being monitored
• Specify that privacy should not be expected when using
this system
• Do not use the word “welcome”
• Have legal department review the content of the message

Boston(config)# banner motd #
WARNING: You are connected to $(hostname) on
the Cisco Systems, Incorporated network.
Unauthorized access and use of this network
will be vigorously prosecuted. #

• Note that this example expands the $(hostname) token and names the owning organization; by the guidance on the previous slide, a banner shown before login should do neither
Disable or Secure Services



Security-Related Router Services

• Bootp server
• Cisco Discovery Protocol (CDP)
• Classless routing behavior
• Configuration auto-loading
• DNS
• Finger
• HTTP server
• IP directed broadcast
• IP mask reply
• IP redirects
• IP source routing
• IP unreachable notifications
• NTP service
• Proxy ARP
• SNMP
• TCP small servers
• UDP small servers



Disable Bootp Server

Router(config)#
no ip bootp server
• Globally disables the Bootp service for this router.

Austin1(config)# no ip bootp server



Disable CDP Server

Router(config)#
no cdp run
• Globally disables the CDP service for this router.
• CDP announces the platform, IOS version and addresses of the router to every neighbor on the segment. If it is needed internally, leave it on globally and disable it per interface with no cdp enable on untrusted (Internet-facing) interfaces.

Austin4(config)# no cdp run



Disable IP Classless Routing Service

Router(config)#
no ip classless
• Globally disables the IP classless routing service for this router.
• Caveat: ip classless has been on by default since IOS 11.3. With it off, the router drops packets for unknown subnets of a directly known classful network instead of forwarding them via a default or summary route, so verify the routing design before disabling it.

Austin4(config)# no ip classless



Disable Configuration Auto-Loading Service

Router(config)#
no boot network remote-url
Austin4(config)# no boot network tftp://AustinTFTP/TFTP/Austin4.confg
Router(config)#
no service config
Austin4(config)# no service config
• no boot network removes the network configuration file the router would fetch at boot; no service config stops the router from trying to load a configuration over the network at all.
• Loading a configuration over an unauthenticated protocol such as TFTP lets anyone who can answer the request supply the router's configuration.
Restricting DNS Service

Router(config)#
ip name-server server-address1 [server-address2…server-address6]
Austin4(config)# ip name-server 16.1.1.20
Router(config)#
no ip domain-lookup
Austin3(config)# no ip domain-lookup
• Point name lookups only at trusted internal servers, or disable lookups entirely. With lookups enabled, a mistyped command at the EXEC prompt is treated as a host name: the router sends a DNS query for it and then attempts a Telnet connection to whatever address comes back.
Disable Finger Service

Router(config)#
no ip finger
Austin4(config)# no ip finger
Austin4(config)# no service finger
Austin4(config)# exit
Austin4# connect 16.1.1.15 finger
Trying 16.1.1.15, 79 ...
% Connection refused by remote host
• no service finger is the older form of the same command; the connect test shows TCP port 79 now refusing connections.
Disable HTTP Service

Router(config)#
no ip http server
Austin4(config)# no ip http server
• If web management is required, prefer the HTTPS server (ip http secure-server, on images that support it) and restrict it with ip http access-class to the management hosts only.



Disable IP Directed Broadcast

Router(config-if)#
no ip directed-broadcast
Austin2(config)# interface e0/1
Austin2(config-if)# no ip directed-broadcast



Disable IP Mask Replies

Router(config-if)#
no ip mask-reply
Austin2(config)# interface e0/0
Austin2(config-if)# no ip mask-reply



Disable IP Redirects

Router(config-if)#
no ip redirects
Austin2(config)# interface e0/0
Austin2(config-if)# no ip redirects



Disable IP Source Routing

Router(config)#
no ip source-route
Austin2(config)# no ip source-route



Disable IP Unreachable Messages

Router(config-if)#
no ip unreachables
Austin2(config)# interface e0/0
Austin2(config-if)# no ip unreachables



Disable NTP Service

Router(config-if)#
ntp disable
Austin4(config)# interface e0/0
Austin4(config-if)# ntp disable



Disable Proxy ARP

Router(config-if)#
no ip proxy-arp
Austin1(config)# interface e0/0
Austin1(config-if)# no ip proxy-arp



Disable SNMP

Austin1(config)# no snmp-server community public ro
Austin1(config)# no snmp-server community config rw
Austin1(config)# no access-list 60
Austin1(config)# access-list 60 deny any
Austin1(config)# snmp-server community dj1973 ro 60
Austin1(config)# no snmp-server enable traps
Austin1(config)# no snmp-server system-shutdown
Austin1(config)# no snmp-server
• The first two lines remove the well-known default communities; binding the remaining read-only community to access list 60 (deny any) blocks every source, and no snmp-server finally shuts the agent down.
• If SNMP must stay enabled, keep a non-default community, bind it to an access list that permits only the management hosts, and prefer read-only access.
Disable Small Servers

Router(config)#
no service tcp-small-servers
Router(config)#
no service udp-small-servers

Austin2(config)# no service tcp-small-servers


Austin2(config)# no service udp-small-servers



Disable Unused Router Interfaces

[Figure: Austin1 with interfaces e0/0 and e0/1 in use (Internet and inside) and an unused e0/2 to which an attack host could attach]

Router(config-if)#
shutdown
Austin1(config)# interface e0/2
Austin1(config-if)# shutdown
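A way to check that the items in this section are actually in place is to audit a saved `show running-config`. The script below is an added example, not Cisco's code: it parses the global section and each interface block, reports each service as FAIL (the weak setting is present), PASS (the disabling command is present) or UNKNOWN (nothing in the file, so the value is at its platform default and has to be verified on the device, since `show running-config` omits default settings), flags live interfaces that have no address, and flags default or read-write SNMP communities. The sample configuration is constructed.

```python
"""Offline audit of a saved `show running-config` for the services this section disables.
Added example; not Cisco's code. Assumption about IOS behaviour: `show running-config`
omits settings that are at their default, so a check can only be PASS or FAIL when the
relevant line is present; otherwise it is UNKNOWN and must be verified on the device.
"""
import re

# (finding, pattern proving the weak setting, pattern proving it is disabled) for global config
GLOBAL_CHECKS = [
    ("bootp server",        r"^ip bootp server$",                 r"^no ip bootp server$"),
    ("CDP",                 r"^cdp run$",                         r"^no cdp run$"),
    ("finger",              r"^(ip finger|service finger)$",      r"^no (ip finger|service finger)$"),
    ("HTTP server",         r"^ip http server$",                  r"^no ip http server$"),
    ("IP source routing",   r"^ip source-route$",                 r"^no ip source-route$"),
    ("TCP small servers",   r"^service tcp-small-servers",        r"^no service tcp-small-servers$"),
    ("UDP small servers",   r"^service udp-small-servers",        r"^no service udp-small-servers$"),
    ("config auto-load",    r"^(service config|boot network )",   r"^no service config$"),
    ("password encryption", r"^no service password-encryption$",  r"^service password-encryption$"),
]
# same shape, evaluated inside every interface block
INTERFACE_CHECKS = [
    ("directed broadcast", r"^ip directed-broadcast$", r"^no ip directed-broadcast$"),
    ("proxy ARP",          r"^ip proxy-arp$",          r"^no ip proxy-arp$"),
    ("ICMP redirects",     r"^ip redirects$",          r"^no ip redirects$"),
    ("ICMP unreachables",  r"^ip unreachables$",       r"^no ip unreachables$"),
    ("ICMP mask reply",    r"^ip mask-reply$",         r"^no ip mask-reply$"),
    ("NTP listener",       r"^ntp enable$",            r"^ntp disable$"),
]


def parse_config(text):
    """Split a config dump into global lines and {interface: [indented lines]} blocks."""
    glob, ifaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):      # a bang ends the current block
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line.startswith(" ") and current is not None:
            ifaces[current].append(line.strip())
        else:
            current = None
            glob.append(line.strip())
    return glob, ifaces


def _verdict(lines, bad, good):
    if any(re.match(bad, l) for l in lines):
        return "FAIL"
    if any(re.match(good, l) for l in lines):
        return "PASS"
    return "UNKNOWN"


def audit(text):
    """Return {finding: 'PASS' | 'FAIL' | 'UNKNOWN'} for the whole configuration."""
    glob, ifaces = parse_config(text)
    results = {name: _verdict(glob, bad, good) for name, bad, good in GLOBAL_CHECKS}
    for ifname, lines in ifaces.items():
        for name, bad, good in INTERFACE_CHECKS:
            results[f"{ifname}: {name}"] = _verdict(lines, bad, good)
        # an interface with no address that is not shut down is a live, unused port
        if not any(l.startswith("ip address ") for l in lines) and "shutdown" not in lines:
            results[f"{ifname}: unused but not shut down"] = "FAIL"
    for l in glob:  # well-known community strings, or any read-write community, are findings
        m = re.match(r"^snmp-server community (\S+) (ro|rw)\b", l, re.IGNORECASE)
        if m and (m.group(1).lower() in ("public", "private") or m.group(2).lower() == "rw"):
            results[f"SNMP community {m.group(1)}"] = "FAIL"
    return results


def failures(text):
    """Sorted list of the findings that need action."""
    return sorted(name for name, verdict in audit(text).items() if verdict == "FAIL")


# Constructed sample in the style of the slides' `show running-config` output.
SAMPLE_RUNNING_CONFIG = """\
!
hostname Austin1
!
no service password-encryption
ip http server
no cdp run
no ip source-route
!
interface Ethernet0/0
 ip address 16.1.1.1 255.255.0.0
 no ip redirects
 no ip proxy-arp
!
interface Ethernet0/2
 no ip address
!
snmp-server community public RO
snmp-server community dj1973 RO 60
!
"""

if __name__ == "__main__":
    for name in failures(SAMPLE_RUNNING_CONFIG):
        print("FAIL", name)
```

On the sample the script reports four failures (the HTTP server, password encryption off, the default public community, and Ethernet0/2 up with no address) and marks CDP, source routing, redirects and proxy ARP as PASS. Everything else comes back UNKNOWN on purpose: where the platform offers `show running-config all`, feed that output instead so defaults are visible and the UNKNOWN results disappear.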



Securing the Perimeter Router



Network Address Translation (NAT)

•Static Translation
•Dynamic Translation
•Overloading or Port Address Translation (PAT)



NAT Terminology Review

• Inside local address – The IP address assigned to a host on the inside network. The address is usually not an IP address assigned by the Network Information Center (NIC) or service provider; it is likely to be an RFC 1918 private address.
• Inside global address – A legitimate IP address assigned by the NIC or service provider that represents one or more inside local IP addresses to the outside world.
• Outside local address – The IP address of an outside host as it is known to the hosts on the inside network.
• Outside global address – The IP address assigned to a host on the outside network. The owner of the host assigns this address.



Ingress and Egress Filtering
Access List Directional Filtering
Theoretical Network

OSPF Service Filtering
[Figure: Corporate LAN 16.1.0.0/16 with a DNS server at 16.1.1.4; R1 (e0/0 16.2.0.1, e0/1 16.1.1.1) connects toward the Internet; R3 (e0/0 and e0/1, addresses 16.1.10.1 and 16.2.2.1) fronts the DMZ LAN 16.2.2.0/24 holding the public Web server 16.2.2.3, mail server 16.2.2.4, admin server 16.2.2.5 and a user host 16.2.2.6]

R1(config)# access-list 12 deny 16.2.2.0 0.0.0.255
R1(config)# access-list 12 permit any
R1(config)# router ospf 1
R1(config-router)# distribute-list 12 out
R1(config-router)# end
• Standard access list 12 matches the DMZ prefix (a standard list takes only a source address and wildcard). distribute-list 12 out removes that prefix from the routes R1 redistributes into OSPF; because OSPF floods LSAs unchanged, an outbound distribute-list does not filter routes learned from other OSPF routers.



IP Address Spoof Mitigation—Inbound

R2(config)# access-list 150 deny ip 16.2.1.0 0.0.0.255 any log
R2(config)# access-list 150 deny ip 127.0.0.0 0.255.255.255 any log
R2(config)# access-list 150 deny ip 10.0.0.0 0.255.255.255 any log
R2(config)# access-list 150 deny ip 0.0.0.0 0.255.255.255 any log
R2(config)# access-list 150 deny ip 172.16.0.0 0.15.255.255 any log
R2(config)# access-list 150 deny ip 192.168.0.0 0.0.255.255 any log
R2(config)# access-list 150 deny ip 192.0.2.0 0.0.0.255 any log
R2(config)# access-list 150 deny ip 169.254.0.0 0.0.255.255 any log
R2(config)# access-list 150 deny ip 224.0.0.0 15.255.255.255 any log
R2(config)# access-list 150 deny ip host 255.255.255.255 any log
R2(config)# access-list 150 permit ip any 16.2.1.0 0.0.0.255
R2(config)# interface e0/0
R2(config-if)# ip address 16.1.1.2 255.255.0.0
R2(config-if)# ip access-group 150 in
R2(config-if)# exit
• The first entry drops packets arriving from the Internet that claim an inside source address; the following entries drop private (RFC 1918), loopback, "this network", link-local, TEST-NET, multicast and broadcast sources, none of which can legitimately arrive on an external interface.
• Every extended entry needs the protocol keyword (ip), and the 192.0.2.0 entry takes the wildcard 0.0.0.255: that block is a /24, and a /16 wildcard would also discard legitimate traffic from the rest of 192.0.0.0/16.



IP Address Spoof Mitigation—Outbound

R2(config)# no access-list 105
R2(config)# access-list 105 permit ip 16.2.1.0 0.0.0.255 any
R2(config)# access-list 105 deny ip any any log
R2(config)# interface e0/1
R2(config-if)# ip address 16.2.1.1 255.255.255.0
R2(config-if)#ip access-group 105 in
R2(config-if)# end
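The inbound and outbound lists above can be generated and checked offline. The Python below is an added example, not from the Cisco course: `wildcard` derives the IOS wildcard mask from a CIDR prefix (the step most easily got wrong by hand), `ingress_acl` and `egress_acl` build the RFC 2827 lists for an inside prefix, and `evaluate` walks a list the way IOS does, first match wins with the implicit deny at the end. The bogon list, the inside prefix 16.2.1.0/24 and the test addresses are taken from the slides or constructed for the example.

```python
"""Generate and evaluate RFC 2827 / RFC 1918 anti-spoofing access lists.
Added example; not part of the Cisco course. Builds the inbound and outbound lists
shown on the two slides with correct wildcard masks, then evaluates packets against
them as IOS does: first matching entry wins, implicit deny at the end.
"""
import ipaddress

# source prefixes that must never arrive from the Internet: "this network", RFC 1918,
# loopback, link-local, TEST-NET and multicast
BOGON_SOURCES = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
                 "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "224.0.0.0/4"]


def wildcard(cidr):
    """CIDR prefix -> (network, IOS wildcard mask); e.g. 172.16.0.0/12 -> 0.15.255.255."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(ipaddress.IPv4Address(int(net.hostmask)))


def ingress_acl(number, inside_cidr):
    """List applied inbound on the Internet-facing interface: deny packets claiming to
    come from inside or from a bogon prefix, permit the rest only toward inside."""
    net, wc = wildcard(inside_cidr)
    acl = [f"access-list {number} deny ip {net} {wc} any log"]
    acl += [f"access-list {number} deny ip {n} {w} any log"
            for n, w in (wildcard(c) for c in BOGON_SOURCES)]
    acl.append(f"access-list {number} deny ip host 255.255.255.255 any log")
    acl.append(f"access-list {number} permit ip any {net} {wc}")
    return acl


def egress_acl(number, inside_cidr):
    """List applied inbound on the inside interface: only our own prefix may leave."""
    net, wc = wildcard(inside_cidr)
    return [f"access-list {number} permit ip {net} {wc} any",
            f"access-list {number} deny ip any any log"]


def in_wildcard(ip, net, wc):
    """IOS wildcard semantics: a 1 bit in the mask means 'do not care'."""
    ip, net, wc = (int(ipaddress.IPv4Address(x)) for x in (ip, net, wc))
    care = ~wc & 0xFFFFFFFF
    return ip & care == net & care


def _addr(tokens):
    """Consume one address specification (any | host A | A WILDCARD) from the token list."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    return t, tokens.pop(0)


def evaluate(acl, src, dst):
    """Walk an extended 'ip' access list as IOS does and return 'permit' or 'deny'."""
    for entry in acl:
        tok = entry.split()
        if tok[0] != "access-list" or tok[3] != "ip":
            raise ValueError(f"unsupported entry: {entry}")
        action, rest = tok[2], tok[4:]
        s, d = _addr(rest), _addr(rest)        # trailing 'log' is ignored
        if in_wildcard(src, *s) and in_wildcard(dst, *d):
            return action
    return "deny"                              # implicit deny at the end of every list


if __name__ == "__main__":
    for line in ingress_acl(150, "16.2.1.0/24") + egress_acl(105, "16.2.1.0/24"):
        print(line)
    print(evaluate(ingress_acl(150, "16.2.1.0/24"), "10.1.2.3", "16.2.1.10"))   # deny
```

`evaluate(ingress_acl(150, "16.2.1.0/24"), "10.1.2.3", "16.2.1.10")` returns deny (RFC 1918 source from the outside), a packet from 16.2.1.7 arriving on the outside interface is denied as spoofed, and a public source reaching a host outside 16.2.1.0/24 hits the implicit deny because the only permit is toward the inside prefix. `in_wildcard("192.0.77.5", "192.0.2.0", "0.0.255.255")` is true, which is exactly the over-match a /16 wildcard on the TEST-NET entry would cause.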



DoS TCP SYN Attack Mitigation—Blocking External Access

R2(config)# access-list 109 permit tcp any 16.2.1.0 0.0.0.255 established
R2(config)# access-list 109 deny ip any any log
R2(config)# interface e0/0
R2(config-if)#ip access-group 109 in
R2(config-if)# end
• established matches only TCP segments with the ACK or RST bit set, so inbound SYNs (new connections from the Internet) are dropped while replies to connections opened from inside are allowed.
• The check is on flag bits, not on state: it blocks every inbound connection, including to public servers, and an attacker can still send ACK-flagged packets through it. Use it only where no inbound service is offered.



DoS TCP SYN Attack Mitigation—Using TCP Intercept

R2(config)# ip tcp intercept list 110
R2(config)# access-list 110 permit tcp any 16.2.1.0 0.0.0.255
R2(config)# access-list 110 deny ip any any log
R2(config)# interface e0/0
R2(config-if)#ip access-group 110 in
R2(config-if)# end
• ip tcp intercept list 110 makes the router complete the three-way handshake on behalf of the inside servers matched by the list and only then open the connection to the real server, so the half-open connections of a SYN flood accumulate on the router, not on the servers.



DoS Land Attack Mitigation

R2(config)# access-list 160 deny ip host 16.1.1.2 host 16.1.1.2 log
R2(config)# access-list 160 permit ip any any
R2(config)# interface e0/0
R2(config-if)# ip address 16.1.1.2 255.255.255.0
R2(config-if)# ip access-group 160 in
R2(config-if)# end
• A land attack sends a packet whose source and destination are both the router's own interface address (16.1.1.2 here); the first entry drops and logs it, and the second lets everything else through.



DoS Smurf Attack Mitigation

R2(config)# access-list 111 deny ip any host 16.2.1.255 log
R2(config)# access-list 111 deny ip any host 16.2.1.0 log
R2(config)# access-list 111 permit ip any 16.2.1.0 0.0.0.255
R2(config)# interface e0/0
R2(config-if)# ip access-group 111 in
R2(config-if)# end
• The permit entry is required: an access list ends with an implicit deny, so the two deny entries alone would drop all inbound traffic.
• Dropping packets addressed to the subnet broadcast (and all-zeros) address stops the inside network being used as a smurf amplifier; no ip directed-broadcast on the inside interface achieves the same on the router itself.



Filtering ICMP Messages—Inbound

R2(config)# access-list 112 deny icmp any any echo log
R2(config)# access-list 112 deny icmp any any redirect log
R2(config)# access-list 112 deny icmp any any mask-request log
R2(config)# access-list 112 permit icmp any 16.2.1.0 0.0.0.255
R2(config)# interface e0/0
R2(config-if)# ip access-group 112 in
R2(config-if)# end



Filtering ICMP Messages—Outbound

R2(config)# access-list 114 permit icmp 16.2.1.0 0.0.0.255 any echo
R2(config)# access-list 114 permit icmp 16.2.1.0 0.0.0.255 any parameter-problem
R2(config)# access-list 114 permit icmp 16.2.1.0 0.0.0.255 any packet-too-big
R2(config)# access-list 114 permit icmp 16.2.1.0 0.0.0.255 any source-quench
R2(config)# access-list 114 deny icmp any any log
R2(config)# interface e0/1
R2(config-if)# ip access-group 114 in
R2(config-if)# end



Filtering ICMP Traceroute Messages

R2(config)# access-list 120 deny udp any any range 33400 34400 log
R2(config)# access-list 120 permit ip any 16.2.1.0 0.0.0.255
R2(config)# interface e0/0
R2(config-if)# ip access-group 120 in
R2(config-if)# end
R2(config)# access-list 121 permit udp 16.2.1.0 0.0.0.255 any range 33400 34400 log
R2(config)# access-list 121 permit ip 16.2.1.0 0.0.0.255 any
R2(config)# interface e0/1
R2(config-if)# ip access-group 121 in
R2(config-if)# end
• UNIX-style traceroute sends UDP probes to high ports starting at 33434, which the ranges above cover; inbound probes are dropped and logged, outbound probes are permitted and logged. A permit entry follows in each list because of the implicit deny.



DDoS Attack Mitigation—TRIN00

R2(config)# access-list 190 deny tcp any any eq 27665 log
R2(config)# access-list 190 deny udp any any eq 31335 log
R2(config)# access-list 190 deny udp any any eq 27444 log



DDoS Attack Mitigation—Stacheldraht

R2(config)# access-list 190 deny tcp any any eq 16660 log
R2(config)# access-list 190 deny tcp any any eq 65000 log



DDoS Attack Mitigation—TrinityV3

R2(config)# access-list 190 deny tcp any any eq 33270 log
R2(config)# access-list 190 deny tcp any any eq 39168 log



DDoS Attack Mitigation—Subseven

R2(config)# access-list 190 deny tcp any any range 6711 6712 log
R2(config)# access-list 190 deny tcp any any eq 6776 log
R2(config)# access-list 190 deny tcp any any eq 6669 log
R2(config)# access-list 190 deny tcp any any eq 2222 log
R2(config)# access-list 190 deny tcp any any eq 7000 log
• Access list 190 is built up across the four DDoS slides; it still needs a final permit entry and must be applied with ip access-group 190 in on the Internet-facing interface before it takes effect.
• Port-based entries catch only the default control ports of these tools, and the agents are easily reconfigured to other ports. Treat the entries as detection (through the log keyword) rather than as protection.



IOS Firewall Router

Cisco IOS features plus:
• CBAC (Stateful traffic inspection)
• Authentication Proxy
• Intrusion Detection
CBAC

• CBAC inspects packets entering the firewall if they are not specifically denied by an ACL.
• CBAC permits or denies specified TCP and UDP traffic through a firewall.
• A state table is maintained with session information.
• Temporary ACL entries are dynamically created and deleted to admit the return traffic of inspected sessions.
• CBAC can mitigate some DoS attacks by limiting and aging half-open TCP sessions.

[Figure: TCP and UDP sessions from the inside being inspected on their way to the Internet]


Authentication Proxy

• HTTP-based authentication.

• Provides dynamic, per-user authentication and
authorization via TACACS+ and RADIUS
protocols.



Intrusion Detection
• Acts as an in-line intrusion detection sensor.
• When a packet or packets match a signature, it can perform any of the following configurable actions:
– Alarm—Send an alarm to a CIDS Director or Syslog server.
– Drop—Drop the packet.
– Reset—Send TCP resets to terminate the session.
• Identifies up to 100 common attacks, depending on release.

[Figure: router inspecting TCP and UDP traffic arriving from the Internet]


Router Management



Management Tasks

• Logging
• Time
• Software Maintenance (IOS)
• Configuration Maintenance



Logging

Logging methods:
• Console
• Buffered
• Terminal Line
• Syslog
• SNMP



Log Severity Levels

Level  Name           Description
0      Emergencies    Router unusable
1      Alerts         Immediate action required
2      Critical       Condition is critical
3      Errors         Error condition
4      Warnings       Warning condition
5      Notifications  Normal but important event
6      Informational  Informational message
7      Debugging      Debug message



Log Message Format

Oct 29 10:00:01 EST: %SYS-5-CONFIG_I: Configured from console by vty0 (16.2.2.6)

• Timestamp – the time the message was generated
• %SYS-5-CONFIG_I – log message name and severity level (facility, severity, mnemonic)
• Message text – the remainder of the line



Syslog

[Figure: Syslog client sending log messages to a Syslog server (destination host)]

• Syslog server—A host that accepts and processes log messages from one or more Syslog clients.
• Syslog client—A host that generates log messages and forwards them to a Syslog server.
Syslog Router Commands

Router(config)#
logging [host-name | ip-address]

Router(config)#
logging trap level
Router(config)#
logging facility facility-type
Router(config)#
logging source-interface interface-type
interface-number
Router(config)#
logging on



Implementing Syslog

R3(config)# logging 16.2.2.6
R3(config)# logging trap informational
R3(config)# logging facility local6
R3(config)# logging source-interface ethernet 0/1
R3(config)# logging on
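To work with what the configuration above produces, the following Python parses IOS log lines and applies the `logging trap` threshold offline. It is an added example, not Cisco code: `parse_ios_syslog` splits a line into timestamp, facility, severity, mnemonic and text, `forwarded_at` keeps the messages a given `logging trap` level would send (that level and anything more severe), and `acl_denies` pulls the addresses out of %SEC-6-IPACCESSLOGP messages, which is what the `log` keyword on the access-list entries earlier in this module generates. The sample log lines are constructed, not captured.

```python
"""Parse Cisco IOS log lines and apply `logging trap <level>` filtering offline.
Added example, not from the Cisco course. The message layout (optional sequence
number, optional timestamp, then %FACILITY-SEVERITY-MNEMONIC: text) is the documented
IOS format; the sample lines below are constructed, not captured from a router.
"""
import re

SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}
LEVEL = {name: num for num, name in SEVERITY.items()}

_MSG = re.compile(
    r"^(?:(?P<seq>\d+): )?"                   # optional `service sequence-numbers`
    r"(?:(?P<ts>.+?): )?"                     # optional `service timestamps log datetime`
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)
# body of %SEC-6-IPACCESSLOGP, written when an ACL entry carries the `log` keyword
_ACL_LOG = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<n>\d+) packets?"
)


def parse_ios_syslog(line):
    """Return the message fields as a dict, or None if the line is not an IOS log message."""
    m = _MSG.match(line.strip())
    if not m:
        return None
    sev = int(m.group("sev"))
    return {"seq": m.group("seq"), "timestamp": m.group("ts"),
            "facility": m.group("facility"), "severity": sev,
            "severity_name": SEVERITY[sev], "mnemonic": m.group("mnemonic"),
            "text": m.group("text")}


def forwarded_at(lines, trap_level):
    """Messages a router configured with `logging trap <trap_level>` sends to the syslog
    server: everything at that severity or more severe (numerically lower)."""
    limit = LEVEL[trap_level] if isinstance(trap_level, str) else int(trap_level)
    msgs = (parse_ios_syslog(l) for l in lines)
    return [m for m in msgs if m is not None and m["severity"] <= limit]


def acl_denies(lines):
    """Extract (acl, proto, src, sport, dst, dport, count) from logged ACL denies."""
    out = []
    for m in (parse_ios_syslog(l) for l in lines):
        if m and m["mnemonic"] == "IPACCESSLOGP":
            a = _ACL_LOG.match(m["text"])
            if a and a.group("action") == "denied":
                out.append((a.group("acl"), a.group("proto"),
                            a.group("src"), int(a.group("sport")),
                            a.group("dst"), int(a.group("dport")), int(a.group("n"))))
    return out


# Constructed sample lines in IOS format (the first one is the slide's own example).
SAMPLE_LOG = [
    "Oct 29 10:00:01 EST: %SYS-5-CONFIG_I: Configured from console by vty0 (16.2.2.6)",
    "Oct 29 10:00:05 EST: %SEC-6-IPACCESSLOGP: list 150 denied tcp 10.1.2.3(4444) -> 16.2.1.10(80), 1 packet",
    "Oct 29 10:00:09 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/2, changed state to up",
    "000042: Oct 29 10:00:12 EST: %SYS-7-USERLOG_DEBUG: Message from tty0(user id: admin): test",
    "this line is not a log message and is ignored",
]

if __name__ == "__main__":
    for m in forwarded_at(SAMPLE_LOG, "informational"):
        print(m["severity_name"], m["facility"], m["mnemonic"], m["text"])
    print(acl_denies(SAMPLE_LOG))
```

With `logging trap informational` (the setting on the slide) three of the sample messages reach the server and the level-7 debug message does not; with `logging trap notifications` the ACL deny at level 6 is lost as well, which is worth knowing before lowering the trap level on a perimeter router. `acl_denies` turns the spoof-filter hit into a tuple that can be fed straight into a block list or a ticket.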



Logging Recommendations

When possible, the following practices are advised:
• Encrypt Syslog traffic within an IPSec tunnel.
• When allowing Syslog access from devices on the
outside of a firewall, you should implement RFC 2827
filtering at the perimeter router.
• ACLs should also be implemented on the firewall in order
to allow Syslog data from only the managed devices
themselves to reach the management hosts.



Configuration Management

• Configuration management protocols include SSH, SSL,
and Telnet.
• Telnet issues include the following:
– The data within a Telnet session is sent as clear text,
and may be intercepted by anyone with a packet sniffer
located along the data path between the device and the
management server.
– The data may include sensitive information, such as
the configuration of the device itself, passwords, and
so on.



Configuration Management Recommendations

When possible, the following practices are advised:
• Use IPSec, SSH, SSL, or any other encrypted and
authenticated transport.
• ACLs should be configured to allow only
management servers to connect to the device. All
attempts from other IP addresses should be denied
and logged.
• RFC 2827 filtering at the perimeter router should be
used to mitigate the chance of an outside attacker
spoofing the addresses of the management hosts.
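The Logging Recommendations and the Configuration Management Recommendations both rely on the same two filters: RFC 2827 ingress filtering at the perimeter router, and an ACL that admits only the management servers and managed devices on the management ports while logging every other attempt. The following added example (not Cisco code) models both filters in Python over a handful of constructed packets so the decisions can be traced; the prefixes, management hosts and managed-device addresses are assumptions chosen to match the addresses used on these slides.

```python
"""Model of RFC 2827 ingress filtering plus a management-plane ACL.

Added example, not Cisco code.  Addresses and prefixes are constructed:
16.2.0.0/16 and 172.30.0.0/16 play the role of the site's own address space.
"""
from ipaddress import ip_address, ip_network

INTERNAL_PREFIXES = [ip_network("16.2.0.0/16"), ip_network("172.30.0.0/16")]
MGMT_HOSTS = {ip_address("16.2.2.6"), ip_address("16.2.2.7")}        # syslog collector, mgmt server
MANAGED_DEVICES = {ip_address("16.2.2.1"), ip_address("172.30.1.2")}  # routers / switches
MGMT_PORTS = {22, 23, 514}                                            # ssh, telnet, syslog

# Explicit permits, evaluated first-match like an IOS access list:
# (name, protocol, allowed sources, allowed destinations, destination port)
PERMITS = [
    ("syslog-from-managed-devices", "udp", MANAGED_DEVICES, MGMT_HOSTS, 514),
    ("ssh-from-management-servers", "tcp", MGMT_HOSTS, MANAGED_DEVICES, 22),
]


def rfc2827_spoofed(pkt):
    """Perimeter rule: a packet entering on the outside interface must not
    carry one of our own source addresses."""
    return pkt["iface"] == "outside" and any(pkt["src"] in p for p in INTERNAL_PREFIXES)


def evaluate(pkt, log):
    """Return 'permit' or 'deny'; denied management attempts are appended to log."""
    if rfc2827_spoofed(pkt):
        log.append("deny rfc2827 %s -> %s on %s" % (pkt["src"], pkt["dst"], pkt["iface"]))
        return "deny"
    for _name, proto, srcs, dsts, dport in PERMITS:
        if (pkt["proto"] == proto and pkt["src"] in srcs
                and pkt["dst"] in dsts and pkt["dport"] == dport):
            return "permit"
    # Anything else aimed at a management host, or at a management port of a
    # managed device, falls through to the implicit deny and is logged.
    if pkt["dst"] in MGMT_HOSTS or (pkt["dst"] in MANAGED_DEVICES and pkt["dport"] in MGMT_PORTS):
        log.append("deny mgmt-acl %s -> %s:%d/%s" % (pkt["src"], pkt["dst"], pkt["dport"], pkt["proto"]))
        return "deny"
    return "permit"  # ordinary transit traffic is outside this example's scope


def pkt(src, dst, proto, dport, iface):
    return {"src": ip_address(src), "dst": ip_address(dst),
            "proto": proto, "dport": dport, "iface": iface}


# Constructed packets covering each branch above.
SAMPLES = [
    pkt("172.30.1.2", "16.2.2.6", "udp", 514, "inside"),    # managed device -> collector: permit
    pkt("16.2.2.6", "172.30.1.2", "tcp", 22, "inside"),     # mgmt server -> device over SSH: permit
    pkt("16.2.2.6", "172.30.1.2", "tcp", 22, "outside"),    # our address arriving from outside: RFC 2827 deny
    pkt("203.0.113.9", "16.2.2.6", "udp", 514, "outside"),  # syslog from an unmanaged host: deny, logged
    pkt("10.7.7.7", "172.30.1.2", "tcp", 23, "inside"),     # telnet from a non-management host: deny, logged
    pkt("203.0.113.9", "16.2.5.5", "tcp", 80, "outside"),   # unrelated transit traffic: permit
]


def run(samples):
    log = []
    decisions = [evaluate(p, log) for p in samples]
    return decisions, log


if __name__ == "__main__":
    decisions, log = run(SAMPLES)
    print(decisions)
    print("\n".join(log))
```

The order matters: the anti-spoofing check runs before any permit, so a packet that forges a management server's address from the outside never reaches the rule that would otherwise allow SSH.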

TFTP
• Many network devices use TFTP for transferring
configuration or system files across the network. TFTP
uses port 69 for both TCP and UDP.
• The following are TFTP issues:
– TFTP uses UDP for the data stream between the device
and the TFTP server.
– TFTP sends data in clear text. The network
administrator should recognize that the data within a
TFTP session may be intercepted by anyone with a
packet sniffer located along the data path between the
requesting host and the TFTP server.
• When possible, TFTP traffic should be encrypted within
an IPSec tunnel in order to mitigate the chance of its
being intercepted.
• Other options include using FTP or Secure Copy (SCP).

Time Sources
[Figure: an NTP server synchronized from a GPS satellite receiver or a modem dial-up time source]
Accurate time is needed for:
• Troubleshooting
• Fault analysis
• Security incident tracking

NTP
• NTP is used to synchronize the clocks of various devices across a
network. It is critical for digital certificates, and for correct interpretation of
events within Syslog data. NTP uses port 123 for both UDP and TCP
connections.
• The following are NTP issues:
– An attacker could attempt a DoS attack on a network by sending bogus
NTP data across the Internet in an attempt to change the clocks on
network devices in such a manner that digital certificates are
considered invalid.
– An attacker could attempt to confuse a network administrator during an
attack by disrupting the clocks on network devices.
– Many NTP servers on the Internet do not require any authentication of
peers.
• The following are NTP recommendations:
– Implement your own master clock for the private network
synchronization.
– Use NTP Version 3 or above as these versions support a cryptographic
authentication mechanism between peers.
– Use ACLs that specify which network devices are allowed to
synchronize with other network devices.
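The recommendations above (NTP version 3 or later for its peer authentication, and ACLs limiting which peers may synchronize) can be seen working together in the following added example, which is not Cisco code. It builds an NTPv3 server reply, appends the symmetric-key authenticator that version 3 introduced (a 4-byte key id followed by an MD5 digest over the shared key and the packet, as RFC 1305 specifies), and then runs the client-side checks that correspond to an NTP access list, a trusted-key list and authentication. The key, the peer addresses and the timestamps are constructed.

```python
"""NTPv3 symmetric-key authentication and peer ACL check.

Added example, not Cisco code.  Shows why a client running NTP version 3 or
later with authentication rejects bogus time: the sender appends a key id and
MD5(key || packet), and a peer without the key cannot produce that digest.
"""
import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2_208_988_800   # seconds from 1900-01-01 to 1970-01-01
HEADER_LEN = 48


def build_packet(transmit_unix, version=3, mode=4, stratum=1):
    """Build a minimal server reply (mode 4); only the transmit timestamp is set."""
    li_vn_mode = (version << 3) | mode                  # leap indicator 0
    secs = int(transmit_unix) + NTP_EPOCH_OFFSET
    frac = int((transmit_unix % 1) * (1 << 32))
    header = struct.pack("!BBBb", li_vn_mode, stratum, 6, -20)  # LI/VN/mode, stratum, poll, precision
    header += struct.pack("!II", 0, 0) + b"GPS "                 # root delay, root dispersion, reference id
    header += b"\x00" * 24                                        # reference, originate, receive timestamps
    header += struct.pack("!II", secs, frac)                      # transmit timestamp
    return header


def authenticate(packet, key_id, key):
    """Append the NTPv3 authenticator: 4-byte key id + MD5(key || packet)."""
    return packet + struct.pack("!I", key_id) + hashlib.md5(key + packet).digest()


def verify(message, trusted_keys, allowed_peers, peer):
    """Client-side checks (peer ACL, version, trusted key, digest).
    Returns (accepted, reason)."""
    if peer not in allowed_peers:
        return False, "peer not permitted by access list"
    if len(message) != HEADER_LEN + 20:
        return False, "missing authenticator"
    packet, mac = message[:HEADER_LEN], message[HEADER_LEN:]
    if ((packet[0] >> 3) & 0x7) < 3:
        return False, "NTP version below 3"
    key_id = struct.unpack("!I", mac[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False, "key id not trusted"
    expected = hashlib.md5(key + packet).digest()
    if not hmac.compare_digest(expected, mac[4:]):
        return False, "digest mismatch (packet forged or altered)"
    return True, "authenticated"


def transmit_time(message):
    """Decode the transmit timestamp back to Unix time."""
    secs, frac = struct.unpack("!II", message[40:48])
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)


# Constructed scenario: one trusted key, one permitted peer.
KEYS = {1: b"ntp-shared-secret-1"}
PEERS = {"16.2.2.10"}
GOOD = authenticate(build_packet(1_052_000_000.5), 1, KEYS[1])
# A reply built without the shared key carries a digest the client cannot reproduce.
FORGED = authenticate(build_packet(1_900_000_000.0), 1, b"wrong-key")
# Altering an authenticated packet in flight (zeroing the transmit time) also fails.
TAMPERED = GOOD[:40] + struct.pack("!II", 0, 0) + GOOD[48:]

if __name__ == "__main__":
    for name, msg in (("good", GOOD), ("forged", FORGED), ("tampered", TAMPERED)):
        print(name, verify(msg, KEYS, PEERS, "16.2.2.10"))
```

The same message from an address outside the allowed peer set is refused before any cryptography runs, which is what an NTP access list buys you; the digest check is what catches a peer that passed the ACL but does not hold the key.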
Software and Configuration Maintenance
• Keep secure backups
– Configurations
– IOS Images
• Check PSIRT for vulnerabilities
– http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/p
• Upgrade image as needed
• Keep track of utilization patterns

SSH
[Figure: SSH client connecting to an SSH server over TCP port 22]


SSH Server Configuration

Router(config)#
hostname host-name
Router(config)#
ip domain-name domain-name.com
Router(config)#
crypto key generate rsa
Router(config)#
line vty 0 4
Router(config-line)#
transport input ssh
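The configuration steps above can be checked after the fact by reading the running-config. The following added example (not Cisco code) audits a saved configuration for the prerequisites these commands establish: a hostname that is no longer the default, a domain name (both are needed before `crypto key generate rsa` will run), and vty lines restricted to SSH. The two configurations are constructed; note that the generated RSA key does not appear as a line in running-config, so its presence has to be confirmed on the device itself.

```python
"""Audit an IOS running-config for the SSH server prerequisites.

Added example, not Cisco code.  The sample configs are constructed and the
rules cover only what the slide lists: hostname, ip domain-name and
'transport input ssh' on every vty line.  The RSA key itself leaves no line in
running-config, so it is out of scope here.
"""


def parse_config(text):
    """Split an IOS config into top-level commands and their indented sub-commands."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = line.strip()
            top.append(current)
            blocks.setdefault(current, [])
    return top, blocks


def audit_ssh(text):
    """Return a list of findings; an empty list means the prerequisites are met."""
    top, blocks = parse_config(text)
    findings = []
    hostname = next((c.split(None, 1)[1] for c in top if c.startswith("hostname ")), None)
    if hostname in (None, "Router"):
        findings.append("hostname left at default; the RSA key name is derived from it")
    if not any(c.startswith("ip domain-name ") for c in top):
        findings.append("ip domain-name missing; 'crypto key generate rsa' requires it")
    vty_lines = [c for c in top if c.startswith("line vty")]
    if not vty_lines:
        findings.append("no vty lines configured")
    for header in vty_lines:
        transports = [s for s in blocks[header] if s.startswith("transport input")]
        if not transports:
            findings.append("%s: no 'transport input' statement, SSH not enforced" % header)
            continue
        allowed = transports[-1].split()[2:]   # last statement wins, as on the device
        if allowed != ["ssh"]:
            findings.append("%s: 'transport input %s' permits non-SSH access"
                            % (header, " ".join(allowed)))
    return findings


# Constructed configurations: one following the slide, one that does not.
GOOD_CONFIG = """\
hostname R3
!
ip domain-name example.com
!
line vty 0 4
 login local
 transport input ssh
"""

BAD_CONFIG = """\
hostname Router
!
line vty 0 4
 login local
 transport input telnet ssh
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, audit_ssh(cfg) or ["ok"])
```

Run against the second configuration the audit reports three findings: the default hostname, the missing domain name, and a vty line that still accepts Telnet alongside SSH.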

SSH Client

Router#
ssh -l username -c encryption destination-address
Router# ssh ?
-c Select encryption algorithm
-l Log in using this user name
-o Specify options
-p Connect to this port
Router# ssh -l cisco -c 3des 172.30.1.2 -p 2222

Securing Switches and LAN
Access

Overview

Secure Access Devices
• Switches
• Access points
Port security
• Limit the Media Access Control (MAC) addresses allowed on a port
• Port-based authentication using 802.1X
VLANs
• Management VLAN
• Private VLANs (PVLANs)
Monitoring
• SNMPv3
• Switch Port Analyzer (SPAN)
Access-lists
• Port ACLs (PACLs)
• Router ACLs (RACLs)
• VLAN ACLs (VACLs)

Identity Based Network Services (IBNS)
VLANs
• Improve network performance
• Increase security
Summary

Summary
• Access to the router, switch, and the network should be controlled
• Passwords, accounts and privilege levels should be configured
• Network devices should be configured to only support the traffic and
protocols the network needs.
• Disable unneeded services and secure all required services
• Filter packets using Access Control Lists (ACLs) on inbound and
outbound traffic.
• Network Address Translation (NAT) can also be used to separate a
LAN from an untrusted network.
• Careful management and thorough audits of router and switch
operations are also necessary to reduce network downtime, improve
security, and aid in the analysis of suspected security breaches.
• Event logging should be used
• Authoritative time sources should be defined
• Software and configuration maintenance should be performed
• Use SSH when managing routers, switches and other key network
devices
• Configure port security, VLANs, monitoring, and switch specific
access-lists