Secure Management - Paiet/Tech-Journal-for-Everything GitHub Wiki

  • Secure Management

    • 2.1.a Compare in-band and out-of-band

| In-Band | Out-of-Band (OOB) |
|---------|-------------------|
| Management and data traffic are on the same network | Management traffic is on a separate network from user data |
| Less secure | More secure |
| When Layer 4 checks are required | Preferred |
| More economical | Can be more expensive |
    • 2.1.b Configure secure network management
      • Use Strong Passwords
        • Configure Strong Passwords (See Below)
  • Configure Strong Passwords (Works on Routers and Switches)

```
R1# configure terminal
! configure a local user with an encrypted (type 5) secret
R1(config)# username admin privilege 15 secret ciscosec
! protect the console port
R1(config)# line console 0
R1(config-line)# password ciscosec
R1(config-line)# login
R1(config-line)# exit
! protect the vty access lines
R1(config)# line vty 0 4
R1(config-line)# password ciscosec
R1(config-line)# login
R1(config-line)# exit
! protect the aux port
R1(config)# line aux 0
R1(config-line)# no exec
R1(config-line)# password ciscosec
R1(config-line)# login
R1(config-line)# exit
R1(config)# do show run | i username
R1(config)# do show run | i password
! Encrypt all plaintext passwords (basic; type 7 is reversible, so prefer 'secret' where available)
R1(config)# service password-encryption
R1(config)# do show run | b line
! Require a minimum password length
R1(config)# security password min-length 10
```

  • Secure Management

    • 2.1.b Configure secure network management
      • Require Authentication and use AAA
        • Authentication, Authorization and Accounting
        • Local, or Remote Server
        • RADIUS or TACACS+
      • Login Retry lockout
        • Cisco IOS must support AAA
      • Role Based Access Control (RBAC)
        • Similar to privileged and user mode, but with finer control. By default the only views are "all" (the root view) or nothing.
        • Views allow you to create intermediate levels of access in between.
        • The "root view" has all the privileges of level 15 and can configure new views and add or remove commands from a view.
      • Use encrypted protocols (e.g. SSH or HTTPS)
        • Setup SSH Access
        • Setup HTTPS
        • See Configuration Example (Below)
  • Encrypt all plaintext passwords (basic)

```
R1(config)# service password-encryption
R1(config)# do show run | b line
! Require a minimum password length
R1(config)# security password min-length 8
```

  • Enable AAA Services

```
R1# configure terminal
R1(config)# aaa new-model
R1(config)# aaa authentication login default local enable
! command authorization needs a method list; 'local' uses the local user database
R1(config)# aaa authorization commands 15 default local
R1(config)# username Ronald privilege 15 secret ciscosec
R1(config)# line vty 0 4
R1(config-line)# login authentication default
R1(config-line)# authorization commands 15 default
! Test the login through telnet (press Ctrl+Z to return to privileged EXEC)
R1# debug aaa authentication
! from 192.168.1.200, telnet to 192.168.1.1 and watch the console output to verify AAA is working
```

  • Limit the number of login attempts and clear unsuccessful login attempts

```
R1# configure terminal
R1(config)# aaa local authentication attempts max-fail 3
! press Ctrl+Z to return to privileged EXEC
R1# clear aaa local user lockout username Daniel
R1# clear aaa local user fail-attempts username Daniel
```

  • Role Based Access Control (RBAC)

```
! views require 'aaa new-model' and an enable secret; 'enable view' prompts for the enable secret
R1> enable view
R1# configure terminal
R1(config)# parser view MyFirstView
! the view's own password (plain text here; 'secret 5' expects an already-hashed value)
R1(config-view)# secret viewpassword
R1(config-view)# commands exec include show version
R1(config-view)# commands configure include interface FastEthernet0/1
R1(config-view)# exit
R1(config)# exit
! switch into the new view (prompts for viewpassword) and confirm which view is active
R1# enable view MyFirstView
R1# show parser view
! return to the root view, which has all privileges, before creating the user
R1# enable view
R1# config t
R1(config)# username Dan view MyFirstView secret ciscosec
```

  • Configure SSH access

```
! a hostname and a domain name must be set before the RSA key can be generated
R1(config)# ip domain-name itprotvdemo.com
R1(config)# crypto key generate rsa
! choose key length 1024 at the prompt
R1(config)# ip ssh version 2
R1(config)# line vty 0 935
R1(config-line)# transport input ssh
! run a Wireshark capture
! attempt to telnet from R2 (rejected, since only SSH is accepted now)
! SSH from R2
```
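To check that a device actually ends up with the settings configured in the password, AAA and SSH sections above, here is an added example (not part of the original wiki) that audits a `show running-config` dump; the sample config is constructed and the finding texts are my own wording.

```python
# Constructed sample running-config (not from a real device); it mixes hardened
# and weak settings so the audit has something to report.
SAMPLE_CONFIG = """\
no service password-encryption
username admin privilege 15 secret 5 $1$abcd$PLACEHOLDERHASH
username ops privilege 15 password 0 plaintextpw
ip ssh version 2
line vty 0 4
 password ciscosec
 login
 transport input telnet ssh
"""

def parse_config(config):
    """Split IOS config into global commands and per-'line' blocks (members are indented)."""
    global_cmds, blocks, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, blocks

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    g, blocks = parse_config(config)
    findings = []
    if "aaa new-model" not in g:
        findings.append("aaa new-model missing: no AAA, so no login-attempt lockout")
    if "service password-encryption" not in g:
        findings.append("service password-encryption missing: line passwords stored in clear")
    if not any(c.startswith("security password min-length") for c in g):
        findings.append("security password min-length not set")
    if "ip ssh version 2" not in g:
        findings.append("ip ssh version 2 missing")
    for c in g:  # 'username ... password' is type 0/7 (reversible); 'secret' is hashed
        if c.startswith("username ") and " secret " not in c:
            findings.append(f"username {c.split()[1]} uses 'password' instead of 'secret'")
    for name, body in blocks.items():  # only vty lines accept remote logins
        if not name.startswith("line vty"):
            continue
        transport = [b for b in body if b.startswith("transport input")]
        if not transport or "telnet" in transport[0] or "all" in transport[0]:
            findings.append(f"{name}: telnet not excluded; set 'transport input ssh'")
    return findings
```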