Cisco Network Academy. All rights reserved.
CCNP ISCW v1.0
Cisco Device Hardening
Securing Cisco Router Installations and Administrative Access

Configuring Router Passwords
- A console is a terminal connected to the router console port; it is the management interface of the device.
- The terminal can be a dumb terminal or a PC running terminal emulation software (for example, a PC with HyperTerminal).

Password Creation Rules
- Passwords can be 1 to 25 characters in length.
- Passwords can include alphanumeric characters, uppercase and lowercase characters (passwords are case sensitive), symbols and spaces.
- Leading spaces are ignored, but any space after the first character is part of the password.
- Change passwords regularly.

Initial Configuration Dialog
  Would you like to enter the initial configuration dialog? [yes/no]: y
  Configuring global parameters:
    Enter host name [Router]: Boston
  The enable secret is a password used to protect access to privileged EXEC and configuration modes. This password, after entered, becomes encrypted in the configuration.
    Enter enable secret: CantGuessMe
  The enable password is used when you do not specify an enable secret password, with some older software versions, and some boot images.
    Enter enable password: WontGuessMe
  The virtual terminal password is used to protect access to the router over a network interface.
    Enter virtual terminal password: CantGuessMeVTY

Configure the Line-Level Password
  router(config)# line console 0 | line aux 0 | line vty 0 4
    Enters line configuration mode (console, auxiliary, or vty)
  router(config-line)# login
    Enables password checking at login
  router(config-line)# password password
    Sets the line-level password

  Boston(config)# line con 0
  Boston(config-line)# login
  Boston(config-line)# password ConUser1

Password Minimum Length Enforcement
  router(config)# security passwords min-length length
    Sets the minimum length of all Cisco IOS passwords (user, enable, secret and line passwords)
  Boston(config)# security passwords min-length 10

Encrypting Passwords Using the service password-encryption Command
  router(config)# service password-encryption
    Encrypts all cleartext (type 0) passwords in the router configuration file as type 7
  Boston(config)# service password-encryption
  Boston(config)# exit
  Boston# show running-config
  ...
  enable password 7 06020026144A061E
  !
  line con 0
   password 7 0956F57A109A
  !
  line vty 0 4
   password 7 034A18F366A0
  !
  line aux 0
   password 7 7A4F5192306A
  Type 7 is a reversible obfuscation, not a hash: it stops shoulder surfing, but anyone who can read the configuration file can recover the cleartext.

Enhanced Username Password Security
  router(config)# username name secret {0 password | 5 encrypted-secret}
    Uses MD5 hashing (type 5) for strong password protection
    Better than the type 7 encryption produced by the service password-encryption command
  Boston(config)# username rtradmin secret 0 Curium96
  Boston(config)# username rtradmin secret 5 $1$feb0$a104Qd9UZ./Ak00,7
  router(config)# username name password {0 password | 7 hidden-password}
    Traditional user configuration with a cleartext (or type 7) password
  Type 5 is salted MD5-crypt: unlike type 7 it cannot be reversed, but it is cheap to brute-force, so password length still matters. Releases that support them offer type 8 (PBKDF2-SHA-256) and type 9 (scrypt) secrets, which are preferable.

Securing ROMMON with the no service password-recovery Command
  router(config)# no service password-recovery
    By default, Cisco routers ship with service password-recovery set, so the ROMMON password recovery procedure is available.
    no service password-recovery prevents the console from accessing ROMMON for password recovery.
  Boston(config)# no service password-recovery
  WARNING:
  Executing this command will disable password recovery mechanism.
  Do not execute this command without another plan for password recovery.
  Are you sure you want to continue? [yes/no]: yes
  Boston(config)#
  Use this command with great care on any device!

Setting a Login Failure Rate
  router(config)# security authentication failure rate threshold-rate log
    Configures the number of allowable unsuccessful login attempts
    By default, the router allows 10 login failures before initiating a 15-second delay
    Generates a syslog message when the rate is exceeded
  Boston(config)# security authentication failure rate 10 log

Setting a Login Failure Blocking Period
  router(config)# login block-for seconds attempts tries within seconds
    Blocks access for a quiet period after a configurable number of failed login attempts within a specified period
    Must be entered before any other login command
    Mitigates DoS and break-in (password guessing) attacks
  Boston(config)# login block-for 100 attempts 2 within 100

Excluding Addresses from Login Blocking
  router(config)# login quiet-mode access-class {acl-name | acl-number}
    Specifies an ACL that is applied to the router when it switches to quiet mode; the ACL says which sources may still log in
    If not configured, all login requests are denied during the quiet mode, including those of legitimate administrators
    Hosts permitted by the ACL are exempt from the block imposed by the login block-for command
  Boston(config)# login quiet-mode access-class myacl

Setting a Login Delay
  router(config)# login delay seconds
    Configures a delay between successive login attempts
    Helps mitigate dictionary attacks
    If not set, a default delay of one second is enforced once the login block-for command is configured
  Boston(config)# login delay 30

Verifying Login
  router# show login [failures]
    Displays login parameters and failures
  Boston# show login
  A default login delay of 1 seconds is applied.
  No Quiet-Mode access list has been configured.
  All successful login is logged and generate SNMP traps.
  All failed login is logged and generate SNMP traps.
  Router enabled to watch for login Attacks.
  If more than 15 login failures occur in 100 seconds or less, logins will be disabled for 100 seconds.
  Router presently in Watch-Mode, will remain in Watch-Mode for 95 seconds.
  Present login failure count 5.
  (This output reflects login block-for 100 attempts 15 within 100, not the attempts 2 example above.)

Setting Timeouts for Router Lines
  router(config-line)# exec-timeout minutes seconds
    Default is 10 minutes
    Terminates an unattended connection
    Provides an extra safety factor when an administrator walks away from an active console session
  Terminates an unattended console and auxiliary connection after 3 minutes and 30 seconds:
  Boston(config)# line console 0
  Boston(config-line)# exec-timeout 3 30
  Boston(config)# line aux 0
  Boston(config-line)# exec-timeout 3 30

Setting Multiple Privilege Levels
  router(config)# privilege mode {level level command | reset command}
    Level 0 is predefined and contains only the disable, enable, exit, help, and logout commands.
    Level 1 is the default user EXEC level; levels 1 to 14 may be customized for user-level privileges.
    Level 15 is predefined for privileged EXEC (enable) mode.
  Boston(config)# privilege exec level 2 ping
  Boston(config)# enable secret level 2 Patriot

Configuring Banner Messages
  router(config)# banner {exec | incoming | login | motd | slip-ppp} d message d
    States what is "proper use" of the system
    States that the system is being monitored
    States that privacy should not be expected when using this system
  Boston(config)# banner motd %
  WARNING: You are connected to $(hostname) on the Cisco Systems, Incorporated network. Unauthorized access and use of this network will be vigorously prosecuted.
  %

Configuring Role-Based CLI

Role-Based CLI Overview
- The traditional approach of limiting CLI access based on privilege levels and enable passwords provided too little control:
  - No access control to specific interfaces
  - Commands placed on a higher privilege level could not be reused for lower-privileged users
- CLI views provide more granular control.
- CLI views include accessible commands and interfaces.
- Access to a view is protected with a secret.
- Views can be grouped into superviews to create large sets of accessible commands and interfaces.

Role-Based CLI Details
- Root view is the highest administrative view.
- Creating and modifying a view or superview is possible only from root view.
- The difference between root view and privilege 15 is that only a root-view user can create or modify views and superviews.
- CLI views require aaa new-model:
  - Necessary even with local view authentication
  - View authentication can be offloaded to an AAA server using the attribute cli-view-name
- A maximum of 15 CLI views can exist in addition to the root view.

Getting Started with Role-Based CLI
  router# enable [privilege-level] [view [view-name]]
    Enters a privilege level or a CLI view
    Use the enable command with the view parameter to enter the root view
    Root view requires privilege 15 authentication (the enable secret)
    The aaa new-model command must be enabled
  Boston(config)# aaa new-model
  Boston(config)# exit
  Boston# enable view
  Password:
  Boston#
  %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.

Configuring CLI Views
  router(config)# parser view view-name
    Creates a view and enters view configuration mode
  router(config-view)# secret {0 password | 5 encrypted-secret}
    Sets a secret to protect access to the view
  router(config-view)# commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]
    Adds commands or interfaces to a view
  Boston(config)# parser view monitor_view
  Boston(config-view)# secret 0 hErMeNe%GiLdE!
  Boston(config-view)# commands exec include show version

Configuring Superviews
  router(config)# parser view view-name superview
    Creates a superview and enters its configuration mode
  router(config-view)# secret {0 password | 5 encrypted-secret}
    Sets a secret to protect access to the superview
  router(config-view)# view view-name
    Adds a CLI view to the superview
  Boston(config)# parser view monitor_audit superview
  Boston(config-view)# secret 0 AnA6TaSiA$
  Boston(config-view)# view monitor_view
  Boston(config-view)# view audit_view

Role-Based CLI Monitoring
  router# show parser view [all]
    Displays the current view name
    The all option displays all CLI views configured on the router; it is by default available only to root users and can be added to other CLI views
  router# debug parser view
    Displays debug messages for all views

Role-Based CLI Configuration Example
  Boston(config)# aaa new-model
  Boston(config)# exit
  Boston# enable view
  %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.
  Boston# configure terminal
  Boston(config)# parser view first
  %PARSER-6-VIEW_CREATED: view 'first' successfully created.
  Boston(config-view)# secret 0 firstpass
  Boston(config-view)# commands exec include show version
  Boston(config-view)# commands exec include configure terminal
  Boston(config-view)# commands exec include all show ip
  Boston(config-view)# exit

Role-Based CLI Verification
  Boston# enable view first
  Password:
  %PARSER-6-VIEW_SWITCH: successfully set to view 'first'.
  Boston# ?
  Exec commands:
    configure  Enter configuration mode
    enable     Turn on privileged commands
    exit       Exit from the EXEC
    show       Show running system information
  Boston# show ?
    ip       IP information
    parser   Display parser information
    version  System hardware and software status

Role-Based CLI Verification (Cont.)
  Boston# show ip ?
    access-lists         List IP access lists
    accounting           The active IP accounting database
    aliases              IP alias table
    arp                  IP ARP table
    as-path-access-list  List AS path access lists
    bgp                  BGP information
    cache                IP fast-switching route cache
    casa                 Display casa information
    cef                  Cisco Express Forwarding
    community-list       List community-list
    dfp                  DFP information
    dhcp                 Show items in the DHCP database
    drp
   --More--

Secure Configuration Files

Secure Configuration Files Introduction
- Traditional risk: the configuration and the image are erased after a router compromise, an availability threat (downtime).
- Need to secure the primary bootset (configuration file and the running image).
- Also known as the Cisco IOS Resilient Configuration feature.
- Speeds up the recovery process.
- Files must be stored locally.
- The feature can be disabled only through a console session.

Securing Configuration Files
  router(config)# secure boot-image
    Enables Cisco IOS image resilience
  router(config)# secure boot-config
    Stores a secure copy of the primary bootset in persistent storage
  router# show secure bootset
    Displays the status of configuration resilience and the primary bootset filename
  Boston(config)# secure boot-image
  Boston(config)# secure boot-config

Cisco IOS Resilient Configuration Feature Verification
  Boston# show secure bootset
  IOS resilience router id JMX0704L5GH
  IOS image resilience version 12.3 activated at 08:16:51 UTC Sun Jun 16 2002
  Secure archive slot0:c3745-js2-mz type is image (elf)
    file size is 25469248 bytes, run size is 25634900 bytes
    Runnable image, entry point 0x80008000, run from ram
  IOS configuration resilience version 12.3 activated at 08:17:02 UTC Sun Jun 16 2002
  Secure archive slot0:.runcfg-20020616-081702.ar type is config
  configuration archive size 1059 bytes

Secure Configuration Files Recovery
  rommon 1 > dir filesystem:
    Lists the contents of the device holding the secure bootset
  rommon 2 > boot [partition-number:][filename]
    Boots the router using the secure bootset image
  router(config)# secure boot-config restore filename
    Restores the secure configuration to a filename
  rommon 1 > dir slot0:
  rommon 2 > boot slot0:c3745-js2-mz
  ...
  Router(config)# secure boot-config restore slot0:rescue
  Router# copy slot0:rescue running-config

Summary
- Strong passwords and protection of all access methods are essential for router security.
- Enable secrets should be used in addition to, or instead of, enable passwords for increased password protection.
- The password-encryption service encrypts all system passwords with a Vigenere cipher (type 7) to protect against shoulder surfing; it is reversible and is no substitute for secrets.
- Enhanced username password security provides strong MD5 (type 5) password hashing.
- A login failure rate and a blocking period after login failures mitigate password attacks.

Summary (Cont.)
- Banner messages should warn against unauthorized access.
- Privilege levels facilitate management by multiple administrators.
- Role-based CLI provides more manageability than privilege levels.
- The Cisco IOS Resilient Configuration feature enables a router to secure and maintain a working copy of the running image and configuration so that those files can withstand malicious attempts to erase the contents of persistent storage (NVRAM and flash).
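The slides on service password-encryption and enhanced username security contrast type 7 with type 5 storage. The following Python script, an added example that is not part of the original deck, makes the difference concrete: it reverses type 7 strings with the fixed key IOS uses and classifies every enable, username and line credential in a running-config. The sample configuration is constructed; its enable password string is the one printed on the slide, the line password string is the slide's (which turns out not to decode, exercising the malformed-input path), and the type 5 values are placeholders rather than real MD5-crypt hashes.

```python
"""Audit credential storage types in a Cisco IOS running-config.

Added example, not part of the original slides. It reverses type 7 strings
(the output of `service password-encryption`) to show that they only defeat
shoulder surfing, and it classifies every enable, username and line
credential it finds. SAMPLE_RUNNING_CONFIG is constructed; the two type 7
strings in it are the ones printed on the slides, and the type 5 hashes are
placeholders, not real MD5-crypt output.
"""
import re
from dataclasses import dataclass

# Fixed XOR key of the IOS type 7 scheme; it has been public for decades.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

# "[enable | username NAME [privilege N]] password|secret [level N] [TYPE] VALUE"
CRED_RE = re.compile(
    r"^\s*(?P<ctx>enable|username\s+(?P<user>\S+)(?:\s+privilege\s+\d+)?)?\s*"
    r"(?P<kw>password|secret)\s+(?:level\s+\d+\s+)?(?:(?P<type>\d)\s+)?(?P<value>\S+)\s*$"
)


def type7_decode(encoded: str) -> str:
    """Reverse type 7: two-digit key offset, then hex of (byte XOR key byte)."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("malformed type 7 string")
    offset = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])  # ValueError on non-hex input
    clear = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(body))
    return clear.decode("ascii")       # UnicodeDecodeError if the string was not type 7


def type7_encode(clear: str, offset: int = 0) -> str:
    """Produce a type 7 string; used here to round-trip the decoder."""
    raw = clear.encode("ascii")
    body = bytes(c ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, c in enumerate(raw))
    return f"{offset:02d}{body.hex().upper()}"


@dataclass
class Finding:
    line_no: int
    where: str      # "enable", "username NAME", or the line section, e.g. "line vty 0 4"
    storage: str    # cleartext | type7 | type5 | strong | unknown
    detail: str


def audit_config(config: str) -> list:
    """Classify every credential in the config, recovering type 7 cleartext."""
    findings, section = [], "global"
    for n, raw in enumerate(config.splitlines(), 1):
        if raw and not raw[0].isspace():
            section = raw.strip()      # IOS indents children of line/interface blocks
        m = CRED_RE.match(raw)
        if not m:
            continue
        if m["ctx"] is None:
            where = section
        elif m["user"]:
            where = f"username {m['user']}"
        else:
            where = "enable"
        ptype, value = m["type"] or "0", m["value"]
        if ptype == "0":
            findings.append(Finding(n, where, "cleartext", f"stored in the clear: {value}"))
        elif ptype == "7":
            try:
                detail = f"reversible, cleartext recovered: {type7_decode(value)}"
            except (ValueError, UnicodeDecodeError):
                detail = "reversible scheme, but the string is malformed"
            findings.append(Finding(n, where, "type7", detail))
        elif ptype == "5":
            findings.append(Finding(n, where, "type5", "salted MD5-crypt: not reversible, but fast to brute-force"))
        elif ptype in ("8", "9"):
            findings.append(Finding(n, where, "strong", "PBKDF2-SHA-256 (8) or scrypt (9)"))
        else:
            findings.append(Finding(n, where, "unknown", f"unrecognised type {ptype}"))
    return findings


# Constructed running-config; the hashes are placeholders.
SAMPLE_RUNNING_CONFIG = """\
hostname Boston
!
enable secret 5 $1$feb0$placeholderNotARealHash
enable password 7 06020026144A061E
!
username rtradmin secret 5 $1$feb0$placeholderNotARealHash
username ops privilege 15 password 0 Curium96
!
line con 0
 password 7 0956F57A109A
 login
line aux 0
 exec-timeout 3 30
line vty 0 4
 password ConUser1
 login
!
end
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_RUNNING_CONFIG):
        print(f"line {f.line_no:>2} {f.where:<18} {f.storage:<9} {f.detail}")
```

Running it shows the slide's enable password 7 06020026144A061E decoding to dog8dog, which is the whole argument for enable secret and username secret over type 7: anyone with read access to the configuration (backups, TFTP servers, ticket attachments) has the cleartext.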
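The login block-for and quiet-mode slides say the block applies to all login requests unless a quiet-mode ACL exempts some sources. This Python model, an added example that is not from the original deck, replays a constructed sequence of login attempts against the slide's policy (login block-for 100 attempts 2 within 100) with and without an exempting ACL, to show that the feature locks out the administrator as readily as the attacker when no ACL is configured. The trigger semantics (reaching the configured number of failures inside the window starts the quiet period) and the global, source-independent failure counter are assumptions of this model; the router's own show login wording says "more than".

```python
"""Model of the IOS `login block-for` quiet period.

Added example, not from the original slides. Failures are counted globally
(not per source), as the feature does; once the quiet period starts every
source is refused unless the quiet-mode ACL permits it. Trigger semantics
are an assumption: reaching `attempts` failures within `within` seconds
starts the quiet period of `block_for` seconds.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class LoginBlockPolicy:
    block_for: int                  # quiet period, seconds
    attempts: int                   # failures that trigger it
    within: int                     # sliding window, seconds
    quiet_mode_acl: list = field(default_factory=list)   # permitted CIDRs
    _failures: list = field(default_factory=list, init=False)  # global timestamps
    _quiet_until: float = field(default=0.0, init=False)

    def in_quiet_mode(self, now):
        return now < self._quiet_until

    def _acl_permits(self, src):
        addr = ip_address(src)
        return any(addr in ip_network(net) for net in self.quiet_mode_acl)

    def attempt(self, now, src, credentials_ok):
        """Process one login attempt and return the router's decision."""
        if self.in_quiet_mode(now) and not self._acl_permits(src):
            return "blocked"        # refused outright; not counted as a failure
        if credentials_ok:
            return "success"
        self._failures = [t for t in self._failures if now - t < self.within]
        self._failures.append(now)
        if len(self._failures) >= self.attempts:
            self._quiet_until = now + self.block_for
            self._failures.clear()
            return "quiet-mode-on"  # the router also raises a syslog message here
        return "failure"


def run_scenario(policy, events):
    """events: (time, source_ip, credentials_ok) tuples -> list of decisions."""
    return [policy.attempt(t, src, ok) for t, src, ok in events]


# Constructed scenario: a guesser at 203.0.113.9 fails twice, then the
# administrator at 192.0.2.10 logs in with the right password.
EVENTS = [
    (0, "203.0.113.9", False),
    (5, "203.0.113.9", False),
    (10, "192.0.2.10", True),
    (120, "192.0.2.10", True),
]


def without_acl():
    """login block-for 100 attempts 2 within 100, no quiet-mode ACL."""
    return run_scenario(LoginBlockPolicy(100, 2, 100), EVENTS)


def with_acl():
    """Same policy plus login quiet-mode access-class permitting 192.0.2.0/24."""
    return run_scenario(LoginBlockPolicy(100, 2, 100, ["192.0.2.0/24"]), EVENTS)


if __name__ == "__main__":
    print("no quiet-mode ACL :", without_acl())
    print("ACL permits mgmt  :", with_acl())
```

Without the ACL the administrator's correct login at t=10 is refused for the rest of the 100-second quiet period; with the ACL it succeeds while the attacker stays blocked. Two failures 150 seconds apart never trigger the quiet period because the window has expired, which is why the within value has to match the attack rate you actually want to stop.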
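The summary lists the controls a hardened router should carry. The following Python checker, an added example that is not from the original deck, parses a Cisco IOS running-config into its header/child hierarchy and reports which of the slide's controls are missing or weakened: password encryption, the minimum password length, login block-for together with a quiet-mode ACL, a warning banner, the resilient bootset, and exec-timeout plus login on every line (including the exec-timeout 0 0 setting, which disables the idle timeout entirely). The thresholds are the slide's values adopted here as a baseline, and both sample configurations are constructed.

```python
"""Baseline check of a Cisco IOS running-config against the hardening
controls on these slides. Added example, not from the original deck: it
parses the IOS hierarchy (unindented headers, one-space-indented children,
delimited banner bodies) and reports gaps. Thresholds are the slide values,
adopted here as the baseline; both sample configs are constructed.
"""
import re

MIN_PASSWORD_LENGTH = 10   # security passwords min-length 10 (slide example)
MAX_IDLE_SECONDS = 600     # exec-timeout 10 0, the IOS default


def parse_sections(config):
    # Returns [(header, [child, ...]), ...]; multi-line banner bodies are skipped.
    sections, banner_delim = [], None
    for raw in config.splitlines():
        if banner_delim is not None:             # inside "banner motd ^C ... ^C"
            if banner_delim in raw:
                banner_delim = None
            continue
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            if sections:
                sections[-1][1].append(raw.strip())
            continue
        header = raw.strip()
        sections.append((header, []))
        parts = header.split(maxsplit=2)
        if parts[0] == "banner" and len(parts) == 3 and " " not in parts[2]:
            banner_delim = parts[2]
    return sections


def check_baseline(config):
    # Returns (severity, subject, message) tuples; FAIL items need fixing.
    sections = parse_sections(config)
    headers = [h for h, _ in sections]

    def has(prefix):
        return any(h == prefix or h.startswith(prefix + " ") for h in headers)

    out = []
    if not has("service password-encryption"):
        out.append(("FAIL", "global", "service password-encryption is off"))
    min_len = None
    for h in headers:
        m = re.fullmatch(r"security passwords min-length (\d+)", h)
        if m:
            min_len = int(m.group(1))
    if min_len is None or min_len < MIN_PASSWORD_LENGTH:
        out.append(("FAIL", "global", f"min-length is {min_len}, baseline {MIN_PASSWORD_LENGTH}"))
    if not has("login block-for"):
        out.append(("FAIL", "global", "no login block-for: unlimited password guessing"))
    elif not has("login quiet-mode access-class"):
        out.append(("FAIL", "global", "login block-for without quiet-mode ACL: guessers can lock admins out"))
    if has("no service password-recovery"):
        out.append(("INFO", "global", "password recovery disabled: keep an out-of-band recovery plan"))
    if not (has("banner motd") or has("banner login")):
        out.append(("FAIL", "global", "no motd/login warning banner"))
    for cmd in ("secure boot-image", "secure boot-config"):
        if not has(cmd):
            out.append(("FAIL", "global", f"{cmd} not enabled: bootset can be erased"))
    for header, children in sections:
        if not header.startswith("line "):
            continue
        timeout = next((c for c in children if c.startswith("exec-timeout ")), None)
        if timeout is None:
            out.append(("INFO", header, "no exec-timeout: 10-minute default applies"))
        else:
            mins, secs = (timeout.split() + ["0"])[1:3]
            idle = int(mins) * 60 + int(secs)
            if idle == 0:                        # exec-timeout 0 0 means never time out
                out.append(("FAIL", header, "exec-timeout 0 0 disables the idle timeout"))
            elif idle > MAX_IDLE_SECONDS:
                out.append(("FAIL", header, f"exec-timeout {idle}s exceeds {MAX_IDLE_SECONDS}s"))
        if not any(c == "login" or c.startswith("login ") for c in children):
            out.append(("FAIL", header, "no login/login local/login authentication"))
    return out


WEAK_CONFIG = """\
security passwords min-length 6
service password-encryption
no service password-recovery
login block-for 100 attempts 2 within 100
line con 0
 password 7 0956F57A109A
 login
line vty 0 4
 exec-timeout 0 0
 login
"""

HARDENED_CONFIG = """\
aaa new-model
security passwords min-length 10
service password-encryption
login block-for 100 attempts 2 within 100
login quiet-mode access-class mgmt-hosts
banner motd ^C
Unauthorized access will be prosecuted.
^C
secure boot-image
secure boot-config
line con 0
 exec-timeout 3 30
 login authentication default
line vty 0 4
 exec-timeout 3 30
 login authentication default
"""
```

Run check_baseline(WEAK_CONFIG) and it reports the short minimum length, the missing quiet-mode ACL, the missing banner and bootset, and the vty line whose exec-timeout 0 0 never expires; the same call on HARDENED_CONFIG returns nothing. The checker looks only at settings, not at credential strength, so it complements rather than replaces a review of the password types themselves.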