Cisco Device Security Flashcards
IOS Security
When a Cisco router/switch is received from the factory, no security is configured
You can access the command line via console cable with no password required
One of the first tasks is to configure security to ensure that only authorized admins can access the device
Basic Line Level Security
Minimal password security can be configured via use of static, locally defined passwords at three different levels:
Console line
–Accessing user exec mode when connecting via console cable
Virtual terminal VTY line
–Accessing user exec mode when connecting remotely via telnet/ssh
Privileged exec mode
–Entering the “enable” command
The levels can be used independently or in combination with each other
They can use the same or different passwords
Basic Console Security
Only one admin can connect over console cable at a time so the line number is always 0
“Login” with no following keywords requires the admin to enter the password configured at the line level to log in
Command: Set “Flackbox1” as the password in the console line
line console 0
password Flackbox1
login
Basic Telnet Security
An admin can use telnet to connect to the CLI of a router/switch over an IP connection
IOS devices do NOT accept incoming telnet sessions by default
An IP address and virtual terminal VTY line access must be configured
Multiple admins can connect at the same time
–Lines are allocated on a first come first serve basis
–Total of 16 lines supported typically (0-15)
If all configured lines are in use then additional admins will not be able to log in
Command: Telnet Switch Configuration
IP: 192.168.0.10/24
Gateway: 192.168.0.1
interface vlan 1
ip address 192.168.0.10 255.255.255.0
no shutdown
exit
ip default-gateway 192.168.0.1
Command: Configure VTY password of “Flackbox2” on all lines
line vty 0 15 –> configures lines 0 through 15
password Flackbox2
login
Console & VTY Lines: Exec Timeout
(And command to set or remove)
An admin will be logged out after 10 minutes of inactivity by default
–Applies to both console & VTY lines
You can edit this value with the exec-timeout command
–No exec-timeout OR exec-timeout 0
—-Allows admin to stay logged in indefinitely
Command: Change line console exec timeout to 15 minutes
line console 0
exec-timeout 15
Command: Change VTY exec timeout to [5 minutes, 30 seconds] on all lines
line vty 0 15
exec-timeout 5 30
Command: Configure ACL permissions for host 10.0.0.10 to access all VTY lines
VTY password: Flackbox3
access-list 1 permit host 10.0.0.10
line vty 0 15
login
password Flackbox3
access-class 1 in
Command: Configure a login message on VTY
banner login “
Command: Create an enable password of Flackbox3
enable password Flackbox3
(not encrypted)
Command: Create an enable secret of Flackbox3
enable secret Flackbox3
(Shows as encrypted in running config)
Command: Encrypt all passwords in the running config
service password-encryption
Command: Create two users (Admin1 & Admin2) with encrypted passwords (Flackbox1 & Flackbox2)
And then add them to VTY and Console Lines
(From global config)
username admin1 secret Flackbox1
username admin2 secret Flackbox2
line console 0
login local
line vty 0 15
login local
Privilege Levels
There are 16 privilege levels of admin access (0-15) available on Cisco routers/switches
Usernames can be assigned a privilege level (default is 1)
You can also configure different passwords for direct access to the different privilege levels
Each available command in IOS can be assigned a privilege level
–An admin must be logged in at a high enough privilege level to run the command
Privilege Levels: 3 Default Levels
All commands are at one of these 3 by default:
Zero-level access allows 5 commands
—Logout, enable, disable, help, exit
User level (1) provides very limited read-only access
—When you enter user exec you’re at privilege 1 by default
Privileged level (15) provides complete control over the router
—When you enter privileged exec, you’re at 15 by default
Command: Display current privilege level
show privilege
Command: Configure new users
Admin1 (Password Flackbox1) - Privilege 1
Admin2 (Password Flackbox2) - Privilege 15
username admin1 secret Flackbox1
username admin2 privilege 15 secret Flackbox2
Command: Change “show run” command to privilege level 5
privilege exec level 5 show running-config
Command: Set an enable secret of “Secret2” for level 5 privilege
enable secret level 5 Secret2
Command: Enable SSH and create a domain name of flackbox.com
ip domain-name flackbox.com
crypto key generate rsa
768 —> Minimum key size requirement
Command: Disable telnet on all VTY lines
Create SSH username Flackbox with password Flackbox1
Set SSH version to 2
username Flackbox password Flackbox1
line vty 0 15
transport input ssh
login local
exit
ip ssh version 2
Windows CLI SSH Syntax
ssh -l Flackbox 10.0.0.1
(Where Flackbox is the username)
AAA Overview
Authentication, Authorization, Accounting:
Configuring line level security or local usernames on each device has a serious scalability limitation
If a password has to be added/changed/removed, it needs to be done on all devices
An external AAA server can be used to centralize this instead
Multiple AAA servers can be implemented for redundancy
Authentication
Verifies someone is who they say they are (commonly via username/password)
Mandatory if authorization/accounting are used
Authorization
Specifies what a particular user is allowed to do
Optional
Accounting
Keeps track of actions a user has carried out
Optional
RADIUS Use
Commonly used for end user level services (ex: VPN access)
TACACS+ Use
Commonly used for admin access on Cisco devices
Has more granular authorization capabilities
Cisco AAA Servers
ISE (Identity Services Engine) —> Cisco’s AAA Server
Cisco also offered the ACS (Access Control Server); now deprecated
Command: Set a login message to display after an admin logs in
banner exec “
Disable Unused Services
It’s best practice to disable unused services
This reduces attack surface (and load on device)
HTTPS is sometimes used by GUI admin tools
—but HTTP should be disabled
CDP should also be disabled in highly secure environments
Examples:
no ip http server
no cdp run
Time Synchronization
All servers & infrastructure devices should be synced to the same time
This aids in troubleshooting as logs will report the correct time that events occurred
It is also required by several security features such as Kerberos authentication & digital certificates
NTP
Network Time Protocol:
Servers & infrastructure devices can use their own internal clock or sync with an external NTP server
An NTP server should be used to ensure all devices have the same time
A Cisco router can function as an NTP server and/or client
Command: Verify NTP Info
show ntp status
Command: Verify Clock Settings
show clock
Command: Configure a router to be an NTP client for the server 10.0.1.100
ntp server 10.0.1.100
Command: Set the time zone to PST
clock timezone PST -8 –> 8 hours behind UTC
Command: Configure a router to be an NTP server
ntp master