Network Device Management Flashcards

1
Q

Syslog Message Format

A

Full format
Seq no:time stamp: %facility-severity-MNEMONIC:description

Seq no
Optional sequence number

Time stamp
Time of event

%facility
The component or process that generated the event

Severity
The severity level

MNEMONIC
Short description of what happened

Description
A more detailed description of what happened

2
Q

Syslog Severity Levels

A

0 = Emergency
System is unusable. A panic condition

1 = Alert
A condition that should be corrected immediately
Ex: corrupted system database

2 = Critical
Critical conditions, such as hard device errors

3 = Error
Error conditions

4 = Warning
Warning conditions

5 = Notice
Normal but significant conditions. Not errors, but may require special handling

6 = Informational
Informational messages

7 = Debug
Messages that contain info normally of use only when debugging a program

3
Q

Logging Locations

A

Console Line
—Events will be shown in the CLI when you are logged in over a console connection
—All events logged by default

VTY Terminal Lines
—Events will be shown in the CLI when you are logged in via Telnet/SSH
—Not enabled by default

The logging buffer
—Events saved in RAM, you can review them with the “show logging” command
—All events logged by default

External Syslog servers

4
Q

Specifying Severity Levels to Log

A

You can specify the same or different severity levels to log for each location
All messages of that severity level & more severe (lower numbers) will be logged

Example:
If you set a logging level of 3 for the console
It will log 0, 1, 2, & 3 events

If you set a logging level of 7 for an external Syslog server
Events from all severity levels 0-7 will be logged there

5
Q

Command: Disable logging on the console line

A

no logging console

6
Q

Command: Events with severity level informational & higher will be logged to VTY lines

A

logging monitor 6

7
Q

Command: Events with severity level 7 & higher will be logged to the buffer

A

logging buffered debugging

8
Q

Logging to an External Syslog Server (With configuration)

A

You can log to an external Syslog server to centralize event reporting

You will typically set verbose logging to provide detailed troubleshooting info

Configuration
logging 10.0.0.100
logging trap debugging

9
Q

SIEM

A

Security Information & Event Management:

A basic Syslog server provides a centralized location for Syslog logging messages

SIEMs provide a centralized location for all logging messages
—And typically provide advanced analysis & correlation of events

10
Q

Command: View logging buffer

A

show logging

11
Q

Logging Synchronous

A

When working in a CLI session, by default any syslog messages will be printed into the middle of any commands you are currently typing
—Super annoying

To Override:
logging synchronous

This causes the syslog message to be printed on its own line, and the command you were typing is redisplayed on a new line so you can continue where you left off

12
Q

Debug & Terminal Monitor

Commands:
-Enable debug output to VTY lines
-Turn off debug

A

Show & Debug commands can be used to view specific info over & above the standard syslog messages

Show output shows a static point in time state

Debug output dynamically updates in real time

Be careful with debug commands in production environments
—A large amount of output can overwhelm a device

Debug output is logged to the console line & buffer by default

Enable debug output to VTY lines:
terminal monitor

Turn off debug:
undebug all
Or you can abbreviate to “u all”

13
Q

SNMP

A

Simple Network Management Protocol:

SNMP is an open standard for network monitoring

14
Q

SNMP Manager/Server/NMS

A

SNMP Manager | SNMP Server | NMS (Network Management System):

Can collect & organize info from an SNMP Agent

Can pull info from the device (Get)
—Ex: Manager could query traffic statistics from the device

Or the device can push it to the server (Trap)
—Ex: Device reports HSRP state change

15
Q

SNMP Agent

A

Software which runs on managed devices (routers, switches)

16
Q

MIB

A

Management Information Base:

The database of things you can gather info on from devices

Data variables on SNMP managed systems are organized in a MIB

The SNMP manager & agent need to share the MIB so they know which variables can be reported on

17
Q

SNMP Versions

A

Version 1:
Uses plaintext authentication between manager/agent using matching community strings

Version 2:
Uses plaintext community strings. Supports bulk retrieval

Version 3:
Supports strong authentication & encryption
Preferred version; not supported on all devices

18
Q

SNMPv2c Community Strings

A

SNMPv2c uses community strings rather than username/password to authenticate the SNMP manager & agent to each other

Matching community strings need to be set on both sides for them to communicate

RO Community (Read Only):
Used by the manager to read info

RW Community (Read/Write):
Used by the manager to set info

19
Q

SNMP Security Best Practice

A

Most devices use a default RO community string of “public” and a default RW community string of “private”
—Attackers can use this to read or set info on your devices

Disable SNMP on devices where it is not used

Use version 3
—If v3 is not supported, use non-default community strings

20
Q

SNMPv3

A

The SNMPv3 security model works with users & groups

A matching user account is set up on the NMS server & network device

Settings are derived from the group the user is a member of

21
Q

SNMPv3 Security Levels

A

noAuthNoPriv (noauth in configuration):
—No authentication password exchange
—Communication between agent/server not encrypted
—Username serves as replacement for community string

authNoPriv (auth in configuration):
—Password authentication used
—No encryption used for communication between devices

authPriv (priv in configuration):
—Password authentication used
—Encrypted communication between devices

22
Q

Command: SNMP Group Configuration

Group Name: Flackbox-group
Version: 3
AuthPriv

A

snmp-server group Flackbox-group v3 priv ?

The last part of the command will be explained on another card

23
Q

SNMP Group Configuration Final Part of Syntax

A

Access:
Can be used to reference an access-list which limits the device to communicating with the IP address of the NMS server only

Context:
Used on switches to specify which VLANs are accessible via SNMP

Match:
Context name match criteria

Views (Notify/Read/Write):
Can be used to limit what info is accessible to NMS server

If you don’t specify read view
—All MIB objects are accessible to read

If you don’t specify write view
—No MIB objects are accessible to write

NMS server gets read only access to all MIBs by default

The notify view is used to send notifications to members of the group
—If you don’t specify any then it will be disabled by default

24
Q

SNMP User Configuration

A

snmp-server user Flackbox-user Flackbox-group v3 auth sha AUTHPASS priv aes 128 PRIVPASS

Flackbox-user is the username

Flackbox-group is the group to assign the user

SHA is the hashing algorithm used in authentication
—Can also choose md5

AUTHPASS is the authentication password

AES is the encryption algorithm used for priv
—128 is the key size (128, 192, or 256)

PRIVPASS is the priv password

25
Q

Syslog vs. SNMP

A

Both Syslog & SNMP provide logging functionality

Syslog can often provide more granular detail than SNMP, but it only supports the device pushing info to the server (the server cannot pull or set anything)

NMS servers will typically support both Syslog & SNMP

26
Q

NMS vs. SIEM

A

There is some overlap between NMS/SIEM products

Both can gather logging info from network infrastructure devices (routers/switches/firewalls) using protocols like Syslog, SNMP, and NetFlow

NMS
—Will focus on collating network info & providing reports
—Early warnings for network events
—Easier troubleshooting of network events

SIEM
—Will focus on collating security info & providing reports
—Early warnings for security events
—Easier troubleshooting of security events