Network Device Management Flashcards
Syslog Message Format
Full format
Seq no:time stamp: %facility-severity-MNEMONIC:description
Seq no
Optional sequence number
Time stamp
Time of event
%facility
The hardware, protocol or software component that generated the event, e.g. SYS, LINK, LINEPROTO
Severity
Severity level 0-7. Lower numbers are more severe
MNEMONIC
Short uppercase code that identifies the type of event, e.g. CONFIG_I, UPDOWN
Description
A more detailed description of what happened
Syslog Severity Levels
0 = Emergency
System is unusable. A panic condition
1 = Alert
A condition that should be corrected immediately
Ex: corrupted system database
2 = Critical
Critical conditions, such as hard device errors
3 = Error
Error conditions
4 = Warning
Warning conditions
5 = Notice
Normal but significant conditions. Not errors, but may require special handling
6 = Informational
Informational messages
7 = Debug
Messages that contain info normally of use only when debugging a program
Logging Locations
Console Line
—Events will be shown in the CLI when you are logged in over a console connection
—All events logged by default
VTY Terminal Lines
—Events will be shown in the CLI when you are logged in via Telnet/SSH
—Not enabled by default
The logging buffer
—Events saved in RAM, you can review them with the “show logging” command
—All events logged by default
External Syslog servers
—Not configured by default. Messages are sent over the network to the server set with the logging command
Specifying Severity Levels to Log
You can specify the same or different severity levels to log for each location
All messages of that severity level & more severe (a lower severity number) will be logged. Less severe, higher-numbered messages are dropped for that destination
Example:
If you set a logging level of 3 for the console
It will log 0, 1, 2, & 3 events
If you set a logging level of 7 for an external Syslog server
Events from all severity levels 0-7 will be logged there
Command: Disable logging on the console line
no logging console
Command: Events with severity level informational (6) & more severe will be logged to VTY lines
logging monitor 6
Command: Events with severity level 7 (debugging) & more severe, i.e. every message, will be logged to the buffer
logging buffered debugging
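The message format card and the severity-level cards above are easiest to check with code. The block below is an added example, not part of the original flashcards: it parses Cisco-format syslog lines (seq no, timestamp, %facility-severity-MNEMONIC, description) and then applies the per-destination levels from the commands on the cards (no logging console, logging monitor 6, logging buffered debugging, logging trap debugging) to decide where each event is logged. Assumed rather than stated on the cards: sequence numbers are the zero-padded counters produced by service sequence-numbers, and a line received by a syslog server carries an RFC 3164 <PRI> header in front of the Cisco format. The sample lines are constructed, not captured from a device.

```python
"""Parse Cisco IOS syslog lines and decide which logging destinations get each
one. Added example, not from the original flashcards. Assumed, not stated on
the cards: sequence numbers are the zero-padded counters from 'service
sequence-numbers', and lines received over the network carry an RFC 3164
<PRI> header in front of the Cisco format. Sample lines are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set, Union

SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]
# Keywords accepted by 'logging console|monitor|buffered|trap <level>'
LEVEL_KEYWORDS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
                  "warnings": 4, "notifications": 5, "informational": 6,
                  "debugging": 7}
Level = Union[int, str, None]   # number, IOS keyword, or None for "disabled"

# <PRI>seq no: timestamp: %facility-severity-MNEMONIC: description
LINE_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"        # optional RFC 3164 PRI
    r"(?:(?P<seq>\d{6,}):\s+)?"         # optional sequence number
    r"(?:(?P<ts>[^%]*?):\s+)?"          # optional timestamp
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+):\s*(?P<desc>.*)$")


@dataclass
class SyslogEvent:
    seq: Optional[int]
    timestamp: Optional[str]
    facility: str
    severity: int
    mnemonic: str
    description: str
    pri_severity: Optional[int]      # severity decoded from <PRI>, if present

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_line(line: str) -> SyslogEvent:
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a Cisco syslog message: {line!r}")
    pri = m.group("pri")
    # RFC 3164: PRI = facility * 8 + severity. IOS defaults to facility local7
    # (23), so a severity-3 message arrives as <187>; the low 3 bits are severity.
    return SyslogEvent(
        seq=int(m.group("seq")) if m.group("seq") else None,
        timestamp=m.group("ts"),
        facility=m.group("fac"),
        severity=int(m.group("sev")),
        mnemonic=m.group("mnem"),
        description=m.group("desc"),
        pri_severity=int(pri) % 8 if pri is not None else None)


def level_number(level: Level) -> Optional[int]:
    """Accept a numeric level or an IOS keyword such as 'debugging'."""
    return LEVEL_KEYWORDS[level] if isinstance(level, str) else level


def destinations_for(event: SyslogEvent, config: Dict[str, Level]) -> Set[str]:
    """A destination logs the event when the event's severity number is <= the
    configured level: 'level 3' means 0, 1, 2 and 3 only. None models a
    disabled destination ('no logging console')."""
    out = set()
    for dest, level in config.items():
        limit = level_number(level)
        if limit is not None and event.severity <= limit:
            out.add(dest)
    return out


# Per-destination levels matching the commands on the cards
LOGGING_CONFIG: Dict[str, Level] = {
    "console": None,            # no logging console
    "monitor": 6,               # logging monitor 6
    "buffered": "debugging",    # logging buffered debugging
    "trap": "debugging",        # logging trap debugging
}

# Constructed sample lines (not captured from a real device)
SAMPLE_LINES = [
    "000125: *Mar  1 00:02:11.302: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.5)",
    "<187>000126: *Mar  1 00:02:40.117: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "%SYS-7-USERLOG_DEBUG: Message from tty0(user id: admin): test",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_line(line)
        print(f"{ev.mnemonic:<14} sev {ev.severity} ({ev.severity_name}) -> "
              f"{sorted(destinations_for(ev, LOGGING_CONFIG))}")
```

Running it shows the severity-5 and severity-3 events going to monitor, buffer and trap but not the (disabled) console, and the severity-7 debug line reaching only the two destinations set to debugging. The pri_severity field is a useful sanity check on a collector: if it disagrees with the severity in the %FAC-SEV-MNEMONIC header, something between the device and you is rewriting messages.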
Logging to an External Syslog Server (With configuration)
You can log to an external Syslog server to centralize event reporting
You will typically set verbose logging to provide detailed troubleshooting info. Level 7 (debugging) forwards every message, including debug output, so on a busy device expect a lot of syslog traffic
Configuration
logging 10.0.0.100
logging trap debugging
—logging host 10.0.0.100 is the equivalent newer syntax. Messages are sent to UDP port 514 by default
SIEM
Security Information & Events Management:
A basic Syslog server provides a centralized location for Syslog messages from network devices
SIEMs provide a centralized location for logs from all sources (network devices, servers, applications, security tools)
—And typically provide advanced analysis & correlation of events across those sources, with alerting on suspicious patterns
Command: View logging buffer
show logging
Logging Synchronous
When working in a CLI session, by default any syslog message is printed straight into the middle of whatever command you are currently typing
—Super annoying
To Override (configured per line, e.g. under line con 0 or line vty 0 4):
logging synchronous
The message is still printed, but the partially typed command is then reprinted on a fresh line so you can carry on where you left off
Debug & Terminal Monitor
Commands:
—Enable debug output to VTY lines
—Turn off debug
Show & Debug commands can be used to view specific info over & above the standard syslog messages
Show output shows a static point in time state
Debug output dynamically updates in real time
Be careful with debug commands in production environments
—A large amount of output can overwhelm a device
Debug output is logged to the console line & buffer by default
Enable debug output to VTY lines:
terminal monitor
—An exec-mode command that applies to your current session only. terminal no monitor turns it off again
Turn off debug:
undebug all
Or you can abbreviate to “u all”
SNMP
Simple Network Management Protocol:
SNMP is an open (IETF) standard for monitoring & managing network devices. The agent listens on UDP port 161; traps are sent to the manager on UDP port 162
SNMP Manager/Server/NMS
SNMP Manager | SNMP Server | NMS (Network Management System):
Can collect & organize info from an SNMP Agent
Can pull info from the device (Get)
—Ex: Manager could query traffic statistics from device
Or the device can push it to the server (Trap)
—Ex: Device reports HSRP state change
—A trap is unacknowledged. An Inform (SNMPv2c/v3) is the acknowledged equivalent
SNMP Agent
Software which runs on managed devices (routers, switches)
MIB
Management Information Base:
The database of things you can gather info on from devices
Data variables on SNMP managed systems are organized in a MIB
The SNMP manager & agent need to share the MIB so they know which variables can be reported on
SNMP Versions
Version 1:
Uses plaintext community strings between manager/agent. Nothing is encrypted, so anyone who can sniff the packet sees the string
Version 2c:
Also uses plaintext community strings. Adds bulk retrieval (GetBulk) & 64-bit counters
Version 3:
Supports strong authentication (HMAC-MD5/SHA) & encryption (DES/AES) through the User-based Security Model
Preferred version; not supported on all devices
SNMPv2c Community Strings
SNMPv2c uses community strings rather than username/password to authenticate the SNMP manager & agent to each other
Matching community strings need to be set on both sides for them to communicate
RO Community (Read Only):
Used by the manager to read info
RW Community (Read/Write):
Used by the manager to set info
SNMP Security Best Practice
Most devices use a default ro Community string of “public” and a default rw Community string of “private”
—Attackers can use this to read or set info on your devices
Disable SNMP on devices where it is not used
Use version 3
—If v3 is not supported, use non-default community strings & restrict the agent to the NMS address with an access-list
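To see what the community-string cards and the best-practice card above actually mean on the wire, here is an added example (not from the original flashcards and not any vendor's code): it hand-encodes an SNMPv2c GetRequest for sysDescr.0 with the default community string, shows that the string sits in the packet as cleartext, and then does the reverse, pulling the version and community out of a captured v1/v2c packet and flagging the factory defaults. The OID, request-id and community strings are chosen for illustration; the packet is built offline and never sent.

```python
"""Build an SNMPv2c GetRequest by hand and inspect the community string on
the wire. Added example, not from the original flashcards. The OID, community
strings and request-id are illustrative; nothing is sent on the network."""
from typing import Optional, Tuple

DEFAULT_COMMUNITIES = {"public", "private"}
SNMP_VERSIONS = {0: "1", 1: "2c", 3: "3"}


# --- minimal BER encoder: SNMP v1/v2c messages only need these types ---
def ber_len(n: int) -> bytes:
    if n < 0x80:                                  # short form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body       # long form


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    # INTEGER (tag 0x02): two's complement, minimal length
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))


def ber_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])    # first two arcs share a byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                                # base-128, high bit = more to come
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))


def build_get_request(community: str, oid: str, request_id: int = 1,
                      version: int = 1) -> bytes:
    """Message ::= SEQUENCE { version INTEGER, community OCTET STRING,
    GetRequest-PDU [0] { request-id, error-status, error-index, varbinds } }"""
    varbind = tlv(0x30, ber_oid(oid) + b"\x05\x00")          # { OID, NULL }
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(version) + tlv(0x04, community.encode()) + pdu)


# --- minimal decoder, enough to read the community string out of a capture ---
def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def community_of(packet: bytes) -> Tuple[str, Optional[str]]:
    """Return (version, community). A v3 message carries no community string;
    the USM user name is inside the security parameters instead."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = read_tlv(msg, 0)
    version = SNMP_VERSIONS.get(int.from_bytes(ver, "big", signed=True), "?")
    if version == "3":
        return version, None
    _, comm, _ = read_tlv(msg, pos)
    return version, comm.decode("ascii", "replace")


def audit_packet(packet: bytes) -> dict:
    """Flag v1/v2c packets that still use the factory-default community strings."""
    version, community = community_of(packet)
    return {"version": version, "community": community,
            "default_community": community in DEFAULT_COMMUNITIES}


# Constructed packet: a v2c Get for sysDescr.0 with the default 'public' string
GET_SYSDESCR = build_get_request("public", "1.3.6.1.2.1.1.1.0")

if __name__ == "__main__":
    print(GET_SYSDESCR.hex())
    print(b"public" in GET_SYSDESCR)     # True: the community string is cleartext on the wire
    print(audit_packet(GET_SYSDESCR))
```

The `b"public" in GET_SYSDESCR` check is the whole point of the v1/v2c cards: the "authentication" is six ASCII bytes readable by anyone on the path. audit_packet is the kind of check you would run over a capture of UDP/161 and UDP/162 traffic to find devices that were never moved off public/private or onto v3.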
SNMPv3
The SNMPv3 security model works with users & groups
A matching user account is set up on the NMS server & network device
Settings are derived from the group the user is a member of
SNMPv3 Security Levels
noAuthnoPriv (noAuth in configuration):
—No authentication password exchange
—Communication between agent/server not encrypted
—Username serves as replacement for community string
AuthNoPriv (Auth in configuration):
—Password authentication used
—No encryption used for communication between devices
AuthPriv (Priv in configuration):
—Password authentication used
—Encrypted communication between devices
Command: SNMP Group Configuration
Group Name: Flackbox-group
Version: 3
AuthPriv
snmp-server group Flackbox-group v3 priv ?
The last part of the command will be explained on another card
SNMP Group Configuration Final Part of Syntax
Access:
Can be used to reference an access-list which limits the device to communicating with the IP address of the NMS server only
Context:
Used on switches to specify which VLANs are accessible via SNMP
Match:
Context name match criteria
Views (Notify/Read/Write):
Can be used to limit what info is accessible to NMS server
If you don’t specify read view
—All MIB objects are accessible to read
If you don’t specify write view
—No MIB objects are accessible to write
NMS server gets read-only access to all MIB objects by default
The notify view is used to send notifications to members of the group
—If you don’t specify any then it will be disabled by default
SNMP User Configuration
snmp-server user Flackbox-user Flackbox-group v3 auth sha AUTHPASS priv aes 128 PRIVPASS
Flackbox-user is the username
Flackbox-group is the group to assign the user to
sha is the hashing algorithm used in authentication
—Can also choose md5, but sha is the stronger choice
AUTHPASS is the authentication password
aes is the encryption algorithm used for priv
—128 is the key size (128, 192, or 256)
PRIVPASS is the priv password
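What the device does with AUTHPASS and PRIVPASS from the user command above is worth seeing once, because it explains why the NMS needs more than the passwords to talk to the agent. The block below is an added example, not from the original flashcards and not Cisco's code: it implements the RFC 3414 password-to-key step (hash the password repeated out to 1 MiB) and key localization (hash Ku with the agent's snmpEngineID), which is how the passwords on the card become the per-device HMAC and AES keys. The card's command does not mention the engine ID, so the values used here are the RFC 3414 Appendix A test vector (password maplesyrup, engine ID 000000000000000000000002), chosen because the result is checkable. AES-128 key truncation follows RFC 3826; the 192/256 key extension Cisco uses is vendor-specific and deliberately not implemented.

```python
"""Derive the SNMPv3 USM keys behind 'auth sha AUTHPASS priv aes 128 PRIVPASS'
(RFC 3414 password-to-key, then localization with the agent's snmpEngineID).
Added example, not part of the original cards and not vendor code. The engine
ID and 'maplesyrup' password are the RFC 3414 Appendix A test vector."""
import hashlib

ONE_MEBIBYTE = 1_048_576


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """Ku = H(password repeated and truncated to exactly 1,048,576 bytes).
    The 1 MiB of hashing is the RFC's deliberate slow-down against guessing."""
    stream = (password * (ONE_MEBIBYTE // len(password) + 1))[:ONE_MEBIBYTE]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku). Ties the key to one agent, so a key
    recovered from one device does not authenticate to another device that
    happens to be configured with the same password."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_keys(auth_pass: str, priv_pass: str, engine_id: bytes,
             auth_hash: str = "sha1") -> dict:
    """Keys for an AuthPriv user: the HMAC key for auth and the AES-128 key for
    priv. USM derives the priv key with the auth protocol's hash; RFC 3826
    takes the first 16 bytes of the localized key for AES-128. The 192/256-bit
    key extension is vendor-specific and not done here."""
    auth_kul = localize_key(password_to_key(auth_pass.encode(), auth_hash),
                            engine_id, auth_hash)
    priv_kul = localize_key(password_to_key(priv_pass.encode(), auth_hash),
                            engine_id, auth_hash)
    return {"auth_key": auth_kul, "aes128_key": priv_kul[:16]}


# RFC 3414 Appendix A.3 test engine ID (a constructed value, as in the RFC)
TEST_ENGINE_ID = bytes.fromhex("000000000000000000000002")

if __name__ == "__main__":
    ku = password_to_key(b"maplesyrup", "sha1")
    print("Ku  (SHA):", ku.hex())
    print("Kul (SHA):", localize_key(ku, TEST_ENGINE_ID, "sha1").hex())
    # The card's placeholders, localized to the test engine ID
    for name, key in usm_keys("AUTHPASS", "PRIVPASS", TEST_ENGINE_ID).items():
        print(f"{name}: {key.hex()}")
```

Two practical consequences follow from the code. First, the NMS must learn the agent's snmpEngineID (it discovers it with an unauthenticated probe) before it can compute the same Kul, which is why a v3 user "matching" on both sides means matching passwords plus that discovery step. Second, the 1 MiB hashing only slows offline guessing down, it does not stop it: a short or dictionary AUTHPASS is still recoverable from a captured authenticated packet, so the passwords on this card need the same length and randomness you would give any other secret.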
Syslog vs. SNMP
Both Syslog & SNMP provide logging functionality
Syslog can often provide more granular detail than SNMP but it has support for the device pushing info only (not pulling or setting from the server)
NMS servers will typically support both Syslog & SNMP
NMS vs. SIEM
There is some overlap between NMS/SIEM products
Both can gather logging info from network infrastructure devices (routers/switches/firewalls) using protocols like Syslog, SNMP, NetFlow
NMS
—Will focus on collating network info & provide reports
—Early warnings for network events
—Easier troubleshooting of network events
SIEM
—Will focus on collating security info & provide reports
—Early warnings for security events
—Easier troubleshooting of security events