Securing-Cisco-Router-Installations-and-Administrative-Access.ppt

CiscoDeviceHardening,SecuringCiscoRouterInstallationsandAdministrativeAccess,ConfiguringRouterPasswords,ConfiguringRouterPasswords,Aconsoleisaterminalconnectedtoarouterconsoleport.Console是作为终端管理设备连接到路由器的管理接口.TheterminalcanbeadumbterminaloraPCwithterminalemulationsoftware.管理设备通常安装有终端管理软件的PC主机,比如安装有超级终端的PC主机,PasswordCreationRules,Passwordscanbe1to25charactersinlength.密码可以为1到25个字符的长度Passwordscaninclude:密码可以包含如下字符:Alphanumericcharacters阿拉伯字母Uppercaseandlowercasecharacters大小写敏感Symbolsandspaces符号字符和空格Password-leadingspacesareignored,butanyspacesafterthefirstcharacterarenotignored.密码的首位的空格不作为密码一部分，但是密码尾部的空格将认定为密码字符.Changepasswords.可以修改密码,InitialConfigurationDialog,Wouldyouliketoentertheinitialconfigurationdialog?yes/noyConfiguringglobalparameters:EnterhostnameRouter:BostonTheenablesecretisapasswordusedtoprotectaccesstoprivilegedEXECandconfigurationmodes.Thispassword,afterentered,becomesencryptedintheconfiguration.Enterenablesecret:CantGuessMeTheenablepasswordisusedwhenyoudonotspecifyanenablesecretpassword,withsomeoldersoftwareversions,andsomebootimages.Enterenablepassword:WontGuessMeThevirtualterminalpasswordisusedtoprotectaccesstotherouteroveranetworkinterface.Entervirtualterminalpassword:CantGuessMeVTY,ConfiguretheLine-LevelPassword,router(config)#,lineconsole0lineaux0linevty04,router(config-line)#,login,router(config-line)#,passwordpassword,Enterslineconfigurationmode(console,auxiliary,orvty)进入线路配置模式,Enablespasswordcheckingatlogin启用登录时密码检测,Setstheline-levelpassword配置线路级别密码,Boston(config)#linecon0Boston(config-line)#loginBoston(config-line)#passwordConUser1,PasswordMinimumLengthEnforcement,router(config)#,securitypasswordsmin-lengthlength,SetstheminimumlengthofallCiscoIOSpasswords指定用于CiscoIOS的最小密码长度,Boston(config)#securitypasswordsmin-length10,EncryptingPasswordsUsingtheservicepassword-encryptionCommand,servicepassword-encryption,Encryptsallpasswordsintherouterconfigurationfile加密所有路由器配置文件中的明文密码,router(config)#,Boston(config)#servicepassword-encryptionBoston(config)#exitBoston#showrunning-configenablepassword706020026144A061E!linecon0password70956F57A109A!linevty04password7034A18F366A0!lineaux0password77A4F5192306A,EnhancedUsernamePasswordSecurity,router(config)#,usernamenamesecret0password|5encrypted-secret,UsesMD5hashingforstrongpasswordprotection使用MD5散列算法提供强壮的密码保护Betterthanthetype7encryptionfoundinservicepassword-encryptioncommand相对于servicepassword-encryption命令的类型7的加密更为优异,Boston(config)#usernamertradminsecret0Curium96Boston(config)#usernamertradminsecret5$1$feb0$a104Qd9UZ./Ak007,router(config)#,usernamenamepassword0password|7hidden-password,Traditionaluserconfigurationwithplaintextpassword为用户配置密码,SecuringROMMONwiththenopassword-recoveryCommand,router(config)#,noservicepassword-recovery,Bydefault,Ciscoroutersarefactoryconfiguredwiththeservicepassword-recoveryset.默认情况下，Cisco路由器的配置是servicepassword-recovery，即可以进行密码恢复操作。Thenoservicepassword-recoverycommandpreventsconsolefromaccessingROMMON.此命令阻止了通过ROMMON模式进行密码恢复操作,Boston(config)#noservicepassword-recoveryWARNING:Executingthiscommandwilldisablepasswordrecoverymechanism.Donotexecutethiscommandwithoutanotherplanforpasswordrecovery.Areyousureyouwanttocontinue?yes/no:yesBoston(config)#,在任何设备上请慎用此命令！,SettingaLoginFailureRate,AuthenticationFailureRatewithLogin,router(config)#,securityauthenticationfailureratethreshold-ratelog,Configuresthenumberofallowableunsuccessfulloginattempts配置允许客户有多少次失败的登录操作Bydefault,routerallows10loginfailuresbeforeinitiatinga15-seconddelay默认的路由器在10次失败登录后将产生15秒的延迟Generatesasyslogmessagewhenrateisexceeded如果超出失败次数将产生syslog消息,Boston(config)#securityauthenticationfailurerate10log,SettingaLoginFailureBlockingPeriod,router(config)#,loginblock-forsecondsattemptstrieswithinseconds,Blocksaccessforaquietperiodafteraconfigurablenumberoffailedloginattemptswithinaspecifiedperiod当用户对路由器超过失败登录的次数后，即阻止多长时间周期内不允许再次访问，此过程被为“QuietPeriod”Mustbeenteredbeforeanyotherlogincommand必须在任何login命令之前配置MitigatesDoSandbreak-inattacks减轻DoS的攻击,Boston(config)#loginblock-for100attempts2within100,ExcludingAddressesfromLoginBlocking,router(config)#,loginquiet-modeaccess-classacl-name|acl-number,SpecifiesanACLthatisappliedtotherouterwhenitswitchestothequietmode.当交换机切换到quietmode时，配置ACL指出哪些源是否受限制的Ifnotconfigured,allloginrequestswillbedeniedduringthequietmode.如果没有配置，哪么在quietmode周期内所有的登录请求将拒绝ExcludesIPaddressesfromfailurecountingforloginblock-forcommand.排除Loginblock-for命令对某些IP的计数,Boston(config)#loginquiet-modeaccess-classmyacl,SettingaLoginDelay,router(config)#,logindelayseconds,Configuresadelaybetweensuccessiveloginattempts.配置连接登录企图行为时间的延迟Helpsmitigatedictionaryattacks.能够有效的减轻字典攻击Ifnotset,adefaultdelayofonesecondisenforcedaftertheloginblock-forcommandisconfigured.如果没有配置，当loginblock-for命令配置后默认的延迟为1秒,Boston(config)#logindelay30,VerifyingLogin,router#,showloginfailures,Displaysloginparametersandfailures显示登录参数和失败信息,Boston(config)#showloginAdefaultlogindelayof1secondsisapplied.NoQuiet-Modeaccesslisthasbeenconfigured.AllsuccessfulloginisloggedandgenerateSNMPtraps.AllfailedloginisloggedandgenerateSNMPtraps.RouterenabledtowatchforloginAttacks.Ifmorethan15loginfailuresoccurin100secondsorless,loginswillbedisabledfor100seconds.RouterpresentlyinWatch-Mode,willremaininWatch-Modefor95seconds.Presentloginfailurecount5.,SettingTimeouts,SettingTimeoutsforRouterLines,router(config-line)#,exec-timeoutminutesseconds,Defaultis10minutesTerminatesanunattendedconnectionProvidesanextrasafetyfactorwhenanadministratorwalksawayfromanactiveconsolesession,Terminatesanunattendedconsoleandauxiliaryconnectionafter3minutesand30seconds,Boston(config)#lineconsole0Boston(config-line)#exec-timeout330Boston(config)#lineaux0Boston(config-line)#exec-timeout330,SettingMultiplePrivilegeLevels,SettingMultiplePrivilegeLevels,router(config)#,privilegemodelevellevelcommand|resetcommand,Level0ispredefinedforuser-levelaccessprivileges.Levels1to14maybecustomizedforuser-levelprivileges.Level15ispredefinedforenablemode(enablecommand).,Boston(config)#privilegeexeclevel2pingBoston(config)#enablesecretlevel2Patriot,ConfiguringBannerMessages,ConfiguringBannerMessages,router(config)#,bannerexec|incoming|login|motd|slip-pppdmessaged,Specifieswhatis“properuse”ofthesystemSpecifiesthatthesystemisbeingmonitoredSpecifiesthatprivacyshouldnotbeexpectedwhenusingthissystem,Boston(config)#bannermotd%WARNING:Youareconnectedto$(hostname)ontheCiscoSystems,Incorporatednetwork.Unauthorizedaccessanduseofthisnetworkwillbevigorouslyprosecuted.%,ConfiguringRole-BasedCLI,Role-BasedCLIOverview,TraditionalapproachoflimitingCLIaccessbasedonprivilegelevelsandenablepasswordsprovidedtoolittlecontrol:NoaccesscontroltospecificinterfacesCommandsplacedonahigherprivilegelevelcouldnotbereusedforlower-privilegedusersCLIviewsprovidemoregranularcontrol.CLIviewsincludeaccessiblecommandsandinterfaces.Accesstoaviewisprotectedwithasecret.Viewscanbegroupedtosuperviewstocreatelargesetsofaccessiblecommandsandinterfaces.,Role-BasedCLIDetails,Rootviewisthehighestadministrativeview.Creatingandmodifyingavieworsuperviewispossibleonlyfromrootview.Thedifferencebetweenrootviewandprivilege15isthatonlyarootviewusercancreateormodifyviewsandsuperviews.CLIviewsrequireAAAnew-model:NecessaryevenwithlocalviewauthenticationViewauthenticationcanbeoffloadedtoanAAAserverusingthenewattributecli-view-nameAmaximumof15CLIviewscanexistinadditiontotherootview.,GettingStartedwithRole-BasedCLI,router#,enableprivilege-levelviewview-name,EnteraprivilegeleveloraCLIview.Useenablecommandwiththeviewparametertoentertherootview.Rootviewrequiresprivilege15authentication.Theaaa-newmodelmustbeenabled.,Boston(config)#aaanew-modelBoston(config)#exitBoston#enableviewPassword:Boston#%PARSER-6-VIEW_SWITCH:successfullysettoviewroot,ConfiguringCLIViews,router(config)#,Createsaviewandentersviewconfigurationmode,Boston(config)#parserviewmonitor_viewBoston(config-view)#password5hErMeNe%GiLdE!Boston(config-view)#commandsexecincludeshowversion,parserviewview-name,router(config-view)#,password5encrypted-passwordcommandsparser-modeinclude|include-exclusive|excludeallinterfaceinterface-name|command,SetsapasswordtoprotectaccesstotheviewAddscommandsorinterfacestoaview,ConfiguringSuperviews,router(config)#,Createsa(super)viewandentersitsconfiguration,Boston(config)#parserviewmonitor_auditBoston(config-view)#password5AnA6TaSiA$Boston(config-view)#viewmonitor_viewBoston(config-view)#viewaudit_view,parserviewview-name,router(config-view)#,password5encrypted-passwordviewview-name,SetsapasswordtoprotectaccesstothesuperviewAddsaCLIviewtoasuperview,Role-BasedCLIMonitoring,router#,DisplaysthecurrentviewnameTheoptionall:DisplaysallCLIviewsconfiguredontherouterIsbydefaultavailableonlytorootusersCanbeaddedtootherCLIviews,showparserviewall,router#,debugparserview,Displaysdebugmessagesforallviews,Role-BasedCLIConfigurationExample,Boston(config)#aaanew-modelBoston(config)#exitBoston#enableview%PARSER-6-VIEW_SWITCH:successfullysettoviewroot.Boston#configureterminalBoston(config)#parserviewfirst%PARSER-6-VIEW_CREATED:viewfirstsuccessfullycreated.Boston(config-view)#secret5firstpassBoston(config-view)#commandexecincludeshowversionBoston(config-view)#commandexecincludeconfigureterminalBoston(config-view)#commandexecincludeallshowipBoston(config-view)#exit,Role-BasedCLIVerification,BostonenableviewfirstPassword:%PARSER-6-VIEW_SWITCH:successfullysettoviewfirst.Boston#?Execcommands:configureEnterconfigurationmodeenableTurnonprivilegedcommandsexitExitfromtheEXECshowShowrunningsysteminformationBoston#show?ipIPinformationparserDisplayparserinformationversionSystemhardwareandsoftwarestatus,Role-BasedCLIVerification(Cont.),Boston#showip?access-listsListIPaccesslistsaccountingTheactiveIPaccountingdatabasealiasesIPaliastablearpIPARPtableas-path-access-listListASpathaccesslistsbgpBGPinformationcacheIPfast-switchingroutecachecasaDisplaycasainformationcefCiscoExpressForwardingcommunity-listListcommunity-listdfpDFPinformationdhcpShowitemsintheDHCPdatabasedrp-More-,SecureConfigurationFiles,SecureConfigurationFilesIntroduction,Traditionalriskthattheconfigurationandtheimageareerasedafteraroutercompromise:Availabilitythreat(downtime)Needtosecuretheprimarybootset(configurationfileandtherunningimage)AlsoknownastheCiscoIOSResilientConfigurationfeatureSpeedsuptherecoveryprocessFilesmustbestoredlocallyFeaturecanbedisabledthroughaconsolesession,SecuringConfigurationFiles,router(config)#,EnablesCiscoIOSimageresilience,Boston(config)#secureboot-imageBoston(config)#secureboot-config,secureboot-image,router(config)#,secureboot-config,Storesasecurecopyoftheprimarybootsetinpersistentstorage,router#,Displaysthestatusofconfigurationresilienceandtheprimarybootsetfilename,showsecurebootset,CiscoIOSResilientConfigurationFeatureVerification,Boston#showsecurebootsetIOSresiliencerouteridJMX0704L5GHIOSimageresilienceversion12.3activatedat08:16:51UTCSunJun162005Securearchiveslot0:c3745-js2-mztypeisimage(elf)filesizeis25469248bytes,runsizeis25634900bytesRunnableimage,entrypoint0 x80008000,runfromramIOSconfigurationresilienceversion12.3activatedat08:17:02UTCSunJun162002Securearchiveslot0:.runcfg-20020616-081702.artypeisconfigconfigurationarchivesize10