Cisco CCNA 200-301 – Cisco Device Security

  • March 3, 2023

1. Introduction

In this section you’ll learn about Cisco device security. When you first receive a router or switch from the factory, you take it out of the box. One of the first things that you’ll do is enable management of that device. So you’ll set it up for command line access for your administrators, and you want to make sure that it’s only authorized administrators that are able to get onto the command line on that device. You don’t want just anybody being able to get on there and then seeing or even changing your configuration.

So you want to enable access to the device for your administrators, and you want to secure it down as well. That’s going to be the focus of this section. We’ll cover the different ways that you can do that: using line level security, using local usernames and passwords, or, what you’ll most often see in a real world environment, using an external AAA server, that is authentication, authorization, and accounting. We’ll cover that, and then we’ll finish up the section with a look at some of the global security best practices. Okay, let’s get started.

2. Line Level Security

In this lecture you’ll learn about configuring basic security on your Cisco routers and switches by configuring passwords at the line level. When you first get a router or switch from the factory, you take it out of the box, you can connect to it with a console cable, and you can immediately start configuring it. There’s no password required. When you deploy that router or switch into your production environment, you want to make sure that it’s only authorized administrators that can get on there. You don’t want anybody else trying to make any changes. So we’re going to configure security to ensure that. First up, a quick reminder of the IOS command hierarchy. By default, when you first connect to a router or switch, you’ll be at user exec mode, and this is a very limited level. There are very few commands that you can run here. You can tell you’re in user exec mode because the command prompt will show the host name of the router or switch and then a greater than symbol (>).

So to really be able to do much on a router or switch, you need to escalate your privilege level. You do that with the enable command, and that will get you into privileged exec mode. That’s where you can run all of the show commands and all of the debug commands. When you enter the enable command, you’ll see the command prompt change to show the host name and then a hash (#), so you can view information about the router there. To make any changes, you need to get into global configuration mode. The command for that is configure terminal, or config t. You’ll see that the prompt changes to include (config) in brackets. Then, when you configure a particular thing on the router or switch, like a routing protocol or an interface, you go to that level and the prompt will change again: for example, the host name and then (config-if), for configure interface, if you’re at the interface configuration level.

Okay, so basic line level security. Minimal password security can be configured through the use of static, locally defined passwords at three different levels, and we’ll get to the more advanced ways that we can do security later on in this section. So for just the basic, minimal level of security you can use local passwords, meaning they’re configured on the router or switch itself, and static passwords, meaning they don’t generally change. There are three levels that you can do this at. The first one is the console line. This affects you if you’re accessing user exec mode when connecting via a console cable. The next one is the virtual terminal (VTY) line. This affects you if you’re accessing the device when you’re connecting remotely via telnet or SSH (Secure Shell). And finally, we can set a password at privileged exec mode. We do this by setting a password for when you go to enter the enable command.

Those three levels can be used independently or in combination with each other, and they can use the same or different passwords. So, for example, I could just put a password on the VTY lines if I wanted to, or I could put passwords on there and on the console line and on privileged exec mode as well. If you just put a password on your virtual terminal (VTY) lines, you would be required to enter a password if you were using Telnet or SSH to access the device. But if you were connected up with a console cable, you wouldn’t require a password. And also, if you just did it there, then when you went to enable mode, you wouldn’t be required to enter an additional password for enable mode. If we did enter passwords at all three levels, I could use password one on the console, password two on VTY, and password three for the enable prompt, or I could use password one on all three of them.

So you can use the same or you can use different passwords. The first one was configuring a password on the console line. If you do this, then whenever you connect with a console cable, you’re going to need to enter that password to actually get access to the command line. When you’re connected over the console port, only one person can be connected over the console at a time. So when you configure this, the line number is always going to be zero, because there’s only one line number available. So our config, from global configuration mode, would be line console 0, then password followed by whatever password you want to be required, and then you put in the login command. You have to put in that login command as well. It’s mandatory. When you say login, that means that whenever somebody connects up over the console and they want to get access to the command line, they have to enter the password that is configured under the console line. So we enter that config, then we hook up to the device with a console cable.

Then, when we look at that on our administrator workstation, when we make the connection, we’ll see a prompt. In the example we’re on R1, and we see: R1 con0 is now available. Press RETURN to get started. We hit return and it will then prompt us for a password. It says User Access Verification, then Password:, and we enter the password that we configured under the line. If we enter the wrong password, it will prompt us for the password again. If we enter the correct password, then we will get into the device at user exec mode. You can see that down at the bottom there, with R1 and the greater than symbol (R1>) of user exec mode. So that was configuring a password on the console line. If you just configure a password on the console line, but you don’t configure a password anywhere else, in the other methods people won’t be prompted for a password.

So we want to enable a password for sure when people are connecting remotely over telnet or SSH. We’ll talk about telnet first in this lecture. I’ll show you how to enable SSH in a later lecture. An administrator can use telnet to connect to the command line of a router or switch remotely over an IP connection. But your router or switch does not accept incoming telnet sessions by default. You need to set this up. What you need to do is configure an IP address and enable telnet access under the VTY lines. A VTY line is a virtual terminal, and that is used for incoming telnet and SSH connections. So the first thing that we need to do there is configure an IP address. You already know how to configure an IP address on your router. We covered it on the switch before as well. But I’ll just give you a quick reminder here.

A layer 2 switch is not IP routing aware. It’s a layer 2 device. It does, however, support a single IP address for management, so that you’ll be able to telnet or SSH into it. A default gateway will also need to be configured if you want it to have connectivity to other IP subnets. Our configuration for this is done under the SVI, the switched virtual interface. That’s interface vlan 1, or you could use a different VLAN number if you want. Give it an IP address, then say no shutdown and exit. Then, to configure the default gateway router it’s going to use, the command is ip default-gateway and the IP address of the router. That gets an IP address on your switch so that you’re going to be able to telnet to it if it’s a layer 2 switch. If you try to add a second IP address, it’s going to overwrite the first one. You’re only ever allowed to have one IP address on there.

Okay, so basic telnet security. With our console line, as you saw earlier, only one person can connect over that at a time. But for Telnet and SSH, you can have multiple administrators working on the device at the same time. There’s a limited number of lines available, though, depending on the device. Usually it’s 16. Those lines are allocated on a first come, first served basis. So if all 16 lines are already in use and another administrator tries to telnet onto the box, they’re going to be rejected. Our configuration here is line vty 0 15, which configures all of our terminal lines. Then we say password (we’re using flatbox two here) and then login. Login again means use the password that is configured under the line. You will sometimes see a configuration here saying line vty 0 4. If you do that, you’ve only got five lines available, so it’s better to enable all of the different lines. Once we have configured that, I can go to my administrator workstation and telnet to the router.

The way I would do that would be telnet 10.0.0.1, the IP address. It will then prompt me for a password, and I have to enter the correct password there. When I do that, I’ll get into user exec mode, as you see here. Okay, so that was console and telnet passwords. Another thing to talk about here is the exec timeout. By default, you will be logged out if you don’t enter any commands on the router or switch for ten minutes. The reason for this is that maybe you’re working on the device at your desk, and then you go away to make a cup of coffee, and then you get talking to somebody. When that happens, you don’t want to leave yourself logged in at your desk, in case somebody walking past jumps on and sees the configuration on that router.

So it’s a security feature that you’ll be automatically logged out after ten minutes of inactivity by default. But you can change that to a different value if you want. You could set it to log you out quicker, or you could set it to log you out after a longer period. If you say no exec-timeout or exec-timeout 0, that disables the exec timeout, which means you can stay logged in indefinitely. The commands to configure this are, again, configured at the line level, so you can do it separately for console and for telnet. For the console, we’ve got line console 0, exec-timeout 15, which means we’ll be logged out after 15 minutes of inactivity. Then we say line vty 0 15 for our telnet lines, and exec-timeout 5 30. If you put in two numbers here, the first one is a value in minutes and the second one is a value in seconds. So there we would be logged out after five minutes and 30 seconds of inactivity. Another reason that it’s good to have the exec timeout, if we go back a couple of slides, is what we were talking about earlier: if all the lines are in use, then nobody else is going to be able to get in. So let’s say that you had configured your 15 lines, but the administrators have not been clearing their sessions properly.

Then if all 15 are in use and you’ve disabled the exec timeout, nobody’s going to be able to telnet into that router. You would have to go and connect with a console connection to clear those sessions. So it’s a really good idea to have that exec timeout configured on there. Don’t disable it, both for security reasons and to make sure that administrators will be timed out if they did not clear their sessions cleanly. Okay, moving on. Next, we can secure our virtual terminal lines with access lists to get an additional level of security. These can be used to limit telnet and SSH access so that only your administrator workstations are going to be able to log in.

To do this, we configure a standard ACL. I’ve got access-list 1 permit host 10.0.0.10, which is my administrator workstation in this example. It doesn’t have to be an individual host. We could specify an entire subnet here if you’ve got multiple administrators, all with source IP addresses in the same subnet. Then, to apply it to the terminal lines, we say line vty 0 15, we’ve got our password command and our login command as usual, and then we say access-class 1 in to apply that access list.

Now what happens is that, for an administrator to be able to log in, they need to enter the password that we configured on the line, and they need to be coming in from an approved IP address as well. So if I try to telnet into this device now and I’m not using IP address 10.0.0.10, because I’m coming from a different location, the error message I’ll see is connection refused by remote host. While we’re talking about that, I said earlier that for telnet access you need to configure an IP address and you need to configure telnet access under the line as well. If you do not specify a login under your VTY lines, then nobody is going to be able to telnet to that device.
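As an added example, not part of the original lecture, the following Python sketch audits a saved configuration for the line-level controls covered above: a line password with login, an exec timeout that has not been disabled, and an inbound access-class on the VTY lines. The sample configuration, its passwords and the function names are constructed for illustration, and the check covers line-level passwords only, not local usernames or AAA.

```python
import re

# Constructed sample config; passwords are placeholders, not real values.
SAMPLE = """\
access-list 1 permit host 10.0.0.10
line console 0
 password ExamplePass1
 login
 exec-timeout 15 0
line vty 0 4
 password ExamplePass2
 login
 exec-timeout 5 30
 access-class 1 in
line vty 5 15
 password ExamplePass2
 login
 exec-timeout 0 0
"""

def parse_lines(config):
    """Map each 'line ...' header to the list of commands indented under it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other global command ends the line block
    return blocks

def audit(config):
    """Return (line header, problem) pairs for the line-level controls above."""
    acls = set(re.findall(r"^access-list (\S+) ", config, re.M))
    findings = []
    for header, cmds in parse_lines(config).items():
        has_password = any(c.startswith("password ") for c in cmds)
        if not (has_password and "login" in cmds):
            findings.append((header, "line password with login not set"))
        if any(re.fullmatch(r"no exec-timeout|exec-timeout 0( 0)?", c) for c in cmds):
            findings.append((header, "exec-timeout disabled"))
        if header.startswith("line vty"):
            applied = [c.split()[1] for c in cmds if re.fullmatch(r"access-class \S+ in", c)]
            if not applied or applied[0] not in acls:
                findings.append((header, "no inbound access-class with a defined ACL"))
    return findings
```

Calling audit(SAMPLE) flags only line vty 5 15, the case where lines 0 to 4 were secured and the remaining lines were left with the timeout disabled and no access list.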
