Saturday 16 July 2011

Network Security

As the types of threats, attacks, and exploits have evolved, various terms have been coined to describe the individuals involved. Some of the most common terms are as follows:


  • White hat - An individual who looks for vulnerabilities in systems or networks and then reports these vulnerabilities to the owners of the system so that they can be fixed
  • Hacker
  • Black hat - Another term for individuals who use their knowledge of computer systems to break into systems or networks that they are not authorized to use, usually for personal or financial gain
  • Cracker
  • Phreaker - An individual who manipulates the phone network to cause it to perform a function that is not allowed
  • Spammer
  • Phisher - Uses e-mail or other means to trick others into providing sensitive information, such as credit card numbers or passwords

Many attackers use this seven-step process to gain information and stage an attack.

  1. Perform footprint analysis (reconnaissance). A company webpage can lead to information such as the IP addresses of servers.
  2. Enumerate information. An attacker can expand on the footprint by monitoring network traffic with a packet sniffer such as Wireshark, finding information such as version numbers of FTP servers and mail servers.
  3. Manipulate users to gain access.
  4. Escalate privileges.
  5. Gather additional passwords and secrets.
  6. Install backdoors.
  7. Leverage the compromised system.

Developing a Security Policy

The first step any organization should take to protect its data and itself from a liability challenge is to develop a security policy. A policy is a set of principles that guide decision-making processes and enable leaders in an organization to distribute authority confidently. RFC2196 states that a "security policy is a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide."

A security policy meets these goals:

  • Informs users, staff, and managers of their obligatory requirements for protecting technology and information assets
  • Specifies the mechanisms through which these requirements can be met
  • Provides a baseline from which to acquire, configure, and audit computer systems and networks for compliance with the policy 

Vulnerabilities

Vulnerability is the degree of weakness inherent in every network and device. This includes routers, switches, desktops, servers, and even security devices.

Threats are the people who are interested in, and capable of, taking advantage of each security weakness. There are three primary classes of vulnerability or weakness:

  • Technological weaknesses 
  • Configuration weaknesses 
  • Security policy weaknesses

The four classes of physical threats are:

  • Hardware threats - Physical damage to servers, routers, switches, cabling plant, and workstations
  • Environmental threats - Temperature extremes (too hot or too cold) or humidity extremes (too wet or too dry)
  • Electrical threats - Voltage spikes, insufficient supply voltage (brownouts), unconditioned power (noise), and total power loss
  • Maintenance threats - Poor handling of key electrical components (electrostatic discharge), lack of critical spare parts, poor cabling, and poor labeling

Types of Network Attacks

There are four primary classes of attacks.

1.  Reconnaissance

Reconnaissance is the unauthorized discovery and mapping of systems, services, or vulnerabilities. It is also known as information gathering and, in most cases, it precedes another type of attack. Reconnaissance attacks can consist of the following:


  • Internet information queries
  • Ping sweeps
  • Port scans
  • Packet sniffers

External attackers can use Internet tools, such as the nslookup and whois utilities, to easily determine the IP address space assigned to a given corporation or entity. 


2.  Access

System access is the ability for an intruder to gain access to a device for which the intruder does not have an account or a password. Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information.

3.  Denial of Service

Denial of service (DoS) is when an attacker disables or corrupts networks, systems, or services with the intent to deny services to intended users.

4.  Worms, Viruses, and Trojan Horses

Malicious software can be inserted onto a host to damage or corrupt a system, replicate itself, or deny access to networks, systems, or services.

The Network Security Wheel

To help an organization comply with its security policy, the Security Wheel, a continuous process, has proven to be an effective approach. The Security Wheel promotes retesting and reapplying updated security measures on a continuous basis.

To begin the Security Wheel process, first develop a security policy that enables the application of security measures. A security policy does the following:

  • Identifies the security objectives of the organization.
  • Documents the resources to be protected.
  • Identifies the network infrastructure with current maps and inventories.
  • Identifies the critical resources that need to be protected.

Step 1. Secure 

Secure the network by applying the security policy and implementing the following security solutions:


  • Threat defense
  • Stateful inspection and packet filtering-Filter network traffic to allow only valid traffic and services.
  • Intrusion prevention systems
  • Vulnerability patching
  • Disable unnecessary services
  • VPNs-Encrypt network traffic to prevent unwanted disclosure to unauthorized or malicious individuals. 
  • Trust and identity-Implement tight constraints on trust levels within a network.
  • Authentication
  • Policy enforcement


Step 2. Monitor 

Monitoring security involves both active and passive methods of detecting security violations. The most commonly used active method is to audit host-level log files. Passive methods include using IDS devices to automatically detect intrusion. This method requires less attention from network security administrators than active methods. These systems can detect security violations in real time and can be configured to automatically respond before an intruder does any damage.

Step 3. Test 

In the testing phase of the Security Wheel, the security measures are proactively tested. Specifically, the functionality of the security solutions implemented in step 1 and the system auditing and intrusion detection methods implemented in step 2 are verified.

Step 4. Improve 

The improvement phase of the Security Wheel involves analyzing the data collected during the monitoring and testing phases. This analysis contributes to developing and implementing improvement mechanisms that augment the security policy and result in adding items to step 1. To keep a network as secure as possible, the cycle of the Security Wheel must be continually repeated, because new network vulnerabilities and risks are emerging every day.


Routers are Targets

Because routers provide gateways to other networks, they are obvious targets, and are subject to a variety of attacks.

Note: This section focuses on securing routers. Most of the best practices discussed can also be used to secure switches.


Securing routers at the network perimeter is an important first step in securing the network.

Think about router security in terms of these categories:

  • Physical security
  • Update the router IOS whenever advisable
  • Back up the router configuration and IOS
  • Harden the router to eliminate the potential abuse of unused ports and services

Basic router security consists of configuring passwords. A strong password is the most fundamental element in controlling secure access to a router. For this reason, strong passwords should always be configured.

By default, Cisco IOS software leaves passwords in plain text when they are entered on a router. This is not secure since anyone walking behind you when you are looking at a router configuration could snoop over your shoulder and see the password. 

Using the enable password command or the username username password password command would result in these passwords being displayed when looking at the running configuration. 

For example:

R1(config)# username Student password cisco123
R1(config)# do show run | include username
username Student password 0 cisco123
R1(config)#

The 0 displayed in the running configuration indicates that the password is not hidden. Cisco IOS provides two password protection schemes:

  • Simple encryption called a type 7 scheme
  • Complex encryption called a type 5 scheme (MD5)

The type 7 scheme can be used by the enable password, username, and line password commands, including the vty, console, and aux lines. It offers little protection, because it only obscures the password with a simple algorithm that is easily reversed. To encrypt passwords using type 7 encryption, use the service password-encryption global configuration command.

For example:

R1(config)# service password-encryption
R1(config)# do show run | include username
username Student password 7 03075218050061
R1(config)#

The 7 displayed in the running configuration indicates that the password is hidden. The type 5 (MD5) scheme is much stronger and should be used whenever possible. It is configured by replacing the keyword password with secret. Therefore, to protect privileged EXEC mode as much as possible, always configure the enable secret command. Local database usernames should also be configured with the username username secret password global configuration command. For example:

R1(config)# username Student secret cisco
R1(config)# do show run | include username
username Student secret 5 $1$z245$lVSTJzuYgdQDJiacwP2Tv/
R1(config)#

Cisco IOS Software Release 12.3(1) and later allow administrators to set the minimum character length for all router passwords using the security passwords min-length global configuration command.

Configuring SSH Security

To enable SSH on the router, the following parameters must be configured:


  • Hostname
  • Domain name
  • Asymmetrical keys
  • Local authentication


Optional configuration parameters include:


  • Timeouts
  • Retries


The following steps configure SSH on a router.

Step 1: Set router parameters

Configure the router hostname with the hostname hostname command from configuration mode.

Step 2: Set the domain name

A domain name must exist to enable SSH. In this example, enter the ip domain-name command from global configuration mode.

Step 3: Generate asymmetric keys

You need to create a key that the router uses to encrypt its SSH management traffic with the crypto key generate rsa command from configuration mode. The router responds with a message showing the naming convention for the keys. Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Cisco recommends using a minimum modulus length of 1024.

Step 4: Configure local authentication and vty

You must define a local user and assign SSH communication to the vty lines as shown in the figure.

Step 5: Configure SSH timeouts (optional)

Timeouts provide additional security for the connection by terminating lingering, inactive connections. Use the ip ssh time-out seconds command to set the timeout and the ip ssh authentication-retries integer command to limit the number of authentication retries.

Vulnerable Router Services and Interfaces

Services that should typically be disabled include:


  • Small services such as echo, discard, and chargen - Use the no service tcp-small-servers or no service udp-small-servers command.
  • BOOTP - Use the no ip bootp server command.
  • Finger - Use the no service finger command.
  • HTTP - Use the no ip http server command.
  • SNMP - Use the no snmp-server command. 


It is also important to disable services that allow certain packets to pass through the router, send special packets, or are used for remote router configuration. The corresponding commands to disable these services are:


  • Cisco Discovery Protocol (CDP) - Use the no cdp run command. 
  • Remote configuration - Use the no service config command. 
  • Source routing - Use the no ip source-route command. 
  • Classless routing - Use the no ip classless command. 

The interfaces on the router can be made more secure by using certain commands in interface configuration mode:

  • Unused interfaces - Use the shutdown command. 
  • No SMURF attacks - Use the no ip directed-broadcast command. 
  • Ad hoc routing - Use the no ip proxy-arp command.
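To make the password-scheme discussion and the service-hardening lists above concrete, here is an added example (not part of the original page and not a Cisco tool) that audits a saved running-config as text: it classifies each stored credential by its type number (0 plaintext, 7 reversible, 5 salted MD5), reads the security passwords min-length setting, and reports which of the global and interface-mode no ... commands listed above the configuration does not carry. The sample configuration, the SAMPLE_CONFIG name and the function names are constructed for this example; it goes slightly beyond the text by also recognizing the newer type 8 and 9 secrets.

```python
import re
from typing import Dict, List, Optional

# Constructed sample running-config (not from the text); only the type 5 hash
# and the two type 7 strings are taken from the snippets above.
SAMPLE_CONFIG = """\
hostname R1
security passwords min-length 10
username Student password 0 cisco123
username Admin privilege 15 secret 5 $1$z245$lVSTJzuYgdQDJiacwP2Tv/
enable password 7 03075218050061
ip http server
no cdp run
no ip source-route
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 no ip directed-broadcast
 no ip proxy-arp
!
interface FastEthernet0/1
 no ip address
!
line vty 0 4
 password 7 060506324F41
!
"""

# How each IOS password type stores the credential. Types 0, 5 and 7 are the
# ones the text discusses; 8 and 9 exist in newer IOS releases.
PASSWORD_TYPES = {
    "0": ("plaintext", "high"),
    "7": ("type 7 obfuscation, reversible", "high"),
    "5": ("salted MD5 hash", "ok"),
    "8": ("PBKDF2-SHA256 hash", "ok"), "9": ("scrypt hash", "ok"),
}

# Global and interface-mode commands the text lists for a hardened router.
REQUIRED_GLOBAL = [
    "no service tcp-small-servers", "no service udp-small-servers",
    "no ip bootp server", "no service finger", "no ip http server",
    "no snmp-server", "no cdp run", "no service config",
    "no ip source-route", "no ip classless",
]
REQUIRED_INTERFACE = ["no ip directed-broadcast", "no ip proxy-arp"]

# "username X [privilege N] password|secret [type] value", "enable password|secret
# [type] value", and an indented line-mode " password [type] value" (con/aux/vty).
CRED_RE = re.compile(
    r"^(?P<scope>username\s+\S+|enable|\s+password)"
    r"(?:\s+privilege\s+\d+)?"
    r"(?:\s+(?P<kw>password|secret))?"
    r"(?:\s+(?P<type>\d))?"
    r"\s+(?P<value>\S+)\s*$"
)


def audit_credentials(config: str) -> List[Dict[str, str]]:
    """Classify every stored credential by the scheme protecting it."""
    findings = []
    for line in config.splitlines():
        m = CRED_RE.match(line)
        if not m:
            continue
        ptype = m.group("type") or "0"  # no type number: stored as typed
        storage, severity = PASSWORD_TYPES.get(ptype, ("unknown type", "medium"))
        scope = "line password" if m.group("scope").startswith(" ") else m.group("scope")
        findings.append({"scope": scope, "type": ptype, "storage": storage, "severity": severity})
    return findings


def min_password_length(config: str) -> Optional[int]:
    """Return the 'security passwords min-length' value, if configured."""
    m = re.search(r"^security passwords min-length (\d+)", config, re.M)
    return int(m.group(1)) if m else None


def audit_global_services(config: str) -> List[str]:
    """Hardening commands from the text that the config does not carry.
    Caveat: IOS omits default settings from the running-config, so a missing
    'no ...' line means 'not confirmed', not necessarily 'enabled'."""
    present = {ln.strip() for ln in config.splitlines()}
    return [cmd for cmd in REQUIRED_GLOBAL if cmd not in present]


def audit_interfaces(config: str) -> Dict[str, List[str]]:
    """Per interface: unused-but-up interfaces and missing hardening commands."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # "!" or another top-level command ends the block
    report = {}
    for name, lines in blocks.items():
        issues = []
        if "no ip address" in lines and "shutdown" not in lines:
            issues.append("no IP address but not shut down (unused interface?)")
        issues += [f"missing: {cmd}" for cmd in REQUIRED_INTERFACE if cmd not in lines]
        report[name] = issues
    return report


if __name__ == "__main__":
    print(audit_credentials(SAMPLE_CONFIG), min_password_length(SAMPLE_CONFIG))
    print(audit_global_services(SAMPLE_CONFIG), audit_interfaces(SAMPLE_CONFIG))
```

Run it over a captured show running-config. Because IOS leaves default settings out of the running-config, an absent no ... line is reported as unconfirmed rather than as proof that the service is enabled; confirm the state on the device itself before acting on the report.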

Securing Routing Protocols - RIP

Routing updates should never be advertised on interfaces which are not connected to other routers. For example, the LAN interfaces on router R1 do not connect to other routers and therefore should not advertise routing updates. Only the S0/0/0 interface on router R1 should advertise routing updates.

In the screen output, the passive-interface default command disables routing advertisements on all interfaces. This also includes the S0/0/0 interface. The no passive-interface s0/0/0 command enables the S0/0/0 interface to send and receive RIP updates.

The example shows the commands to create a key chain named RIP_KEY. Although multiple keys can be configured, our example shows only one. Key 1 is configured with a key string called cisco. The key string is similar to a password, and routers exchanging authentication keys must be configured with the same key string. Interface S0/0/0 is configured to support MD5 authentication. The RIP_KEY chain and the routing update are processed using the MD5 algorithm to produce a unique signature.


After you have configured all the routers in the network, verify the operation of RIP routing. The output of the show ip route command confirms that router R1 has authenticated with the other routers and has acquired the routes from routers R2 and R3.

Once R1 is configured, the other routers will receive routing updates carrying a signature they cannot validate and will consequently no longer accept the updates from R1. This condition will remain until each router in the network is configured with routing protocol authentication.
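To show why routers that do not share R1's key string can no longer accept its updates, here is an added example (not from the page and not Cisco's code) that models RIPv2 MD5 authentication in Python: a key chain maps key numbers to key strings, each update is signed with keyed MD5 over the update, the key id, a sequence number and the zero-padded key, and the receiver recomputes the signature from its own chain. The Router class, the demo update text and the exact digest layout are constructed for this example and simplify the RFC 2082 wire format; the principle is the same.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed key chains in the sense of the text: key number -> key string.
# R1 and R2 share RIP_KEY; R3 has not been configured with it yet.
RIP_KEY = {1: "cisco"}
WRONG_KEY = {1: "not-cisco"}

Signed = Tuple[bytes, int, int, bytes]  # (update, key id, sequence, signature)


def rip_md5_signature(update: bytes, key_id: int, seq: int, key_string: str) -> bytes:
    """Keyed-MD5 signature of one routing update.

    Simplified model of RFC 2082: the digest covers the update, the key id,
    a sequence number (anti-replay) and the key string zero-padded to 16
    bytes. The real RIPv2 packet layout differs, the principle does not."""
    key = key_string.encode().ljust(16, b"\0")[:16]
    data = update + bytes([key_id]) + seq.to_bytes(4, "big") + key
    return hashlib.md5(data).digest()


class Router:
    """A RIP speaker that signs what it sends and checks what it receives."""

    def __init__(self, name: str, chain: Dict[int, str]) -> None:
        self.name = name
        self.chain = chain
        self.last_seq: Dict[str, int] = {}  # highest sequence accepted per neighbour
        self.seq = 0

    def send(self, update: bytes, key_id: int = 1) -> Signed:
        self.seq += 1
        sig = rip_md5_signature(update, key_id, self.seq, self.chain[key_id])
        return update, key_id, self.seq, sig

    def receive(self, neighbour: str, msg: Signed) -> bool:
        """Accept only if the key id is known, the signature matches and the
        sequence number advances; otherwise the update is silently dropped."""
        update, key_id, seq, sig = msg
        key = self.chain.get(key_id)
        if key is None:                              # key id not in our chain
            return False
        if seq <= self.last_seq.get(neighbour, 0):   # replayed or stale update
            return False
        expected = rip_md5_signature(update, key_id, seq, key)
        if not hmac.compare_digest(expected, sig):   # wrong key string or tampering
            return False
        self.last_seq[neighbour] = seq
        return True


def demo() -> Dict[str, bool]:
    """Exchange constructed updates between R1, R2 and R3; True means 'as expected'."""
    r1, r2, r3 = Router("R1", RIP_KEY), Router("R2", RIP_KEY), Router("R3", WRONG_KEY)
    msg = r1.send(b"RIPv2 route 192.168.2.0/24 metric 1")  # constructed update
    results = {
        "same_key_accepts": r2.receive("R1", msg),
        "different_key_rejects": not r3.receive("R1", msg),
        "replay_rejected": not r2.receive("R1", msg),
    }
    update, key_id, seq, sig = r1.send(b"RIPv2 route 192.168.2.0/24 metric 1")
    tampered = (update.replace(b"metric 1", b"metric 16"), key_id, seq, sig)
    results["tampered_update_rejected"] = not r2.receive("R1", tampered)
    results["genuine_followup_accepted"] = r2.receive("R1", (update, key_id, seq, sig))
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The rejecting router never learns why the update failed: the signature simply does not match, which is exactly the state the text describes between R1 and its not-yet-configured neighbours, and why authentication is rolled out to every router before the routes are expected to reappear.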

Securing Routing Protocols - EIGRP and OSPF

Routing protocol authentication should also be configured for other routing protocols such as EIGRP and OSPF. The figure shows the commands used to configure routing protocol authentication for EIGRP on router R1. These commands are very similar to the ones you used for RIPv2 MD5 authentication. The steps to configure EIGRP routing protocol authentication on router R1 are as follows:

Step 1. The top highlighted area shows how to create a key chain to be used by all routers in your network. These commands create a key chain named EIGRP_KEY, place your terminal in key chain configuration mode, and define key number 1 with a key string value of cisco.

Step 2. The bottom highlighted area shows how to enable MD5 authentication in EIGRP packets traversing an interface.

Cisco AutoSecure


Cisco AutoSecure uses a single command to disable non-essential system processes and services, eliminating potential security threats. You can configure AutoSecure in privileged EXEC mode using the auto secure command in one of these two modes:


  • Interactive mode - This mode prompts you with options to enable and disable services and other security features. This is the default mode.
  • Non-interactive mode - This mode automatically executes the auto secure command with the recommended Cisco default settings. This mode is enabled with the no-interact command option.

To start the process of securing a router, issue the auto secure command. Cisco AutoSecure will ask you for a number of items including:

  • Interface specifics
  • Banners
  • Passwords
  • SSH
  • IOS firewall features

Cisco SDM

The Cisco Router and Security Device Manager (SDM) is an easy-to-use, web-based device-management tool designed for configuring LAN, WAN, and security features on Cisco IOS software-based routers. 

Cisco SDM supports a wide range of Cisco IOS software releases. It ships preinstalled by default on all new Cisco integrated services routers. If it is not preinstalled, you will have to install it. The SDM files can be installed on the router, a PC, or on both. An advantage of installing SDM on the PC is that it saves router memory, and allows you to use SDM to manage other routers on the network. If Cisco SDM is pre-installed on the router, Cisco recommends using Cisco SDM to perform the initial configuration.


Before you can install SDM on an operational router, you must ensure that a few configuration settings are present in the router configuration file:

To configure Cisco SDM on a router already in use, without disrupting network traffic, follow these steps:

Step 1. Access the router's Cisco CLI interface using Telnet or the console connection.

Step 2. Enable the HTTP and HTTPS servers on the router.

Step 3. Create a user account defined with privilege level 15 (enable privileges).

Step 4. Configure SSH and Telnet for local login and privilege level 15.


Cisco SDM is stored in the router flash memory. It can also be stored on a local PC. To launch Cisco SDM, use the HTTPS protocol and put the IP address of the router into the browser. When the username and password dialog box appears (not shown), enter the username and password of the privileged (privilege level 15) account on the router.

Managing Cisco IOS Images

Good practice for maintaining system availability is to ensure you always have backup copies of the startup configuration files and IOS image files. The Cisco IOS software copy command is used to move configuration files from one component or device to another, such as RAM, NVRAM, or a TFTP server. The figure highlights the command syntax.

The following provides examples of common copy command use. Copy the running configuration from RAM to the startup configuration in NVRAM:

R2# copy running-config startup-config


R2# copy system:running-config nvram:startup-config

Copy the running configuration from RAM to a remote location:

R2# copy running-config tftp:


R2# copy system:running-config tftp:


Copy a configuration from a remote source to the running configuration:

R2# copy tftp: running-config


R2# copy tftp: system:running-config

Copy a configuration from a remote source to the startup configuration:

R2# copy tftp: startup-config


R2# copy tftp: nvram:startup-config

The Cisco IOS image file is based on a special naming convention. The name for the Cisco IOS image file contains multiple parts, each with a specific meaning. It is important that you understand this naming convention when upgrading and selecting an IOS.

Recovering Software Images

In the figure, the IOS on router R1 has accidentally been deleted from flash. Unfortunately, the router has been rebooted and can no longer load an IOS. It is now loading the ROMmon prompt by default. While in this state, router R1 needs to retrieve the IOS which was previously copied to the TFTP server connected to R2. In this scenario, the TFTP server will be directly connected to router R1. Having made preparations with the TFTP server, carry out the following procedure.

Step 1. Connect the devices.


  • Connect the PC of the system administrator to the console port on the affected router.
  • Connect the TFTP server to the first Ethernet port on the router. In the figure, R1 is a Cisco 1841, therefore the port is Fa0/0. Enable the TFTP server and configure it with the static IP address 192.168.1.1/24.


Step 2. Boot the router and set the ROMmon variables.

Because the router does not have a valid Cisco IOS image, the router boots automatically into ROMmon mode. There are very few commands available in ROMmon mode. You can view these commands by typing ? at the rommon> command prompt. 

You must enter all of the variables listed in the figure. When you enter the ROMmon variables, be aware of the following:

  • Variable names are case sensitive.
  • Do not include any spaces before or after the = symbol.
  • Where possible, use a text editor to cut and paste the variables into the terminal window. The full line must be typed accurately.
  • Navigational keys are not operational.

Router R1 must now be configured with the appropriate values to connect to the TFTP server. The syntax of the ROMmon commands is very crucial. Although the IP addresses, subnet mask, and image name in the figure are only examples, it is vital that the syntax displayed be followed when configuring the router. Keep in mind that the actual variables will vary depending on your configuration.

Step 3. Enter the tftpdnld command at the ROMmon prompt.

The command displays the required environment variables and warns that all existing data in flash will be erased. Type y to proceed, and press Enter. The router attempts to connect to the TFTP server to initiate the download.

You can use the reset command to reload the router with the new Cisco IOS image.

Using xmodem to Restore an IOS Image

If the Cisco IOS image is lost, the router goes into ROMmon mode when it boots up. ROMmon supports Xmodem. With that capability, the router can communicate with a terminal emulation application, such as HyperTerminal, on the PC of a system administrator.


The steps the administrator follows are shown in the figure.

Step 1. Connect the PC of the system administrator to the console port on the affected router. Open a terminal emulation session between the router R1 and the PC of the system administrator.

Step 2. Boot the router and issue the xmodem command at the ROMmon command prompt.

Step 3. The figure shows the process for sending a file using HyperTerminal. In this case, Select Transfer > Send File.

Step 4. Browse to the location of the Cisco IOS image you want to transfer and choose the Xmodem protocol. Click Send.

About Password Recovery

The first thing that you have to know about password recovery is that for security reasons, you need physical access to the router. You connect your PC to the router through a console cable. The enable password can be recovered, but the enable secret password is encrypted and must be replaced with a new password.

The configuration register is a concept that you will learn more about later in your studies. The configuration register is similar to your PC BIOS settings, which control the bootup process.


Step 1. Connect to the console port.

Step 2. If you have lost the enable password, you would still have access to user EXEC mode. Type show version at the prompt, and record the configuration register setting.

R1>show version
<show command output omitted>
Configuration register is 0x2102
R1>

The configuration register is usually set to 0x2102 or 0x102. If you can no longer access the router (because of a lost login or TACACS password), you can safely assume that your configuration register is set to 0x2102.


Step 3. Use the power switch to turn off the router, and then turn the router back on.

Step 4. Issue a Break signal from the terminal within 60 seconds of power up to put the router into ROMmon. A Break signal is sent using a break key sequence appropriate for the terminal program and the operating system.

Step 5. Type confreg 0x2142 at the rommon 1> prompt. This causes the router to bypass the startup configuration where the forgotten enable password is stored.

Step 6. Type reset at the rommon 2> prompt. The router reboots, but ignores the saved configuration.

Step 7. Type no after each setup question, or press Ctrl-C to skip the initial setup procedure.

Step 8. Type enable at the Router> prompt. This puts you into enable mode, and you should be able to see the Router# prompt.

Step 9. Type copy startup-config running-config to copy the NVRAM into memory. Be careful! Do not type copy running-config startup-config or you will erase your startup configuration.

Step 10. Type show running-config. In this configuration, the shutdown command appears under all interfaces because all the interfaces are currently shut down.

Step 11. Type configure terminal. The R1(config)# prompt appears.

Step 12. Type enable secret password to change the enable secret password. For example:

R1(config)# enable secret cisco

Step 13. Issue the no shutdown command on every interface that you want to use. You can issue a show ip interface brief command to confirm that your interface configuration is correct. Every interface that you want to use should display up up.

Step 14. Type config-register configuration_register_setting. The configuration_register_setting is either the value you recorded in Step 2 or 0x2102. For example:

R1(config)# config-register 0x2102

Step 15. Press Ctrl-Z or type end to leave configuration mode. The R1# prompt appears.

Step 16. Type copy running-config startup-config to commit the changes.
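The procedure above rests on one bit of the configuration register: bit 6 (0x0040) tells the router to ignore the startup configuration in NVRAM, and it is the only difference between 0x2102 and 0x2142. The following added example (not from the page and not a Cisco tool) parses the show version line recorded in Step 2, decodes the register bits that matter here, and derives the Step 5 and Step 14 values from whatever register was recorded, so that restoring the register in Step 14 does not silently change other bits (a router recorded at 0x102, for instance, should go back to 0x102, not 0x2102). The constant names and the sample show version text are constructed for this example.

```python
import re
from typing import Dict, Optional

# Bits of the 16-bit configuration register relevant to this procedure.
IGNORE_NVRAM = 0x0040              # bit 6: boot without reading startup-config
BREAK_DISABLED = 0x0100            # bit 8: Break key ignored once IOS is running
BOOT_ROM_ON_NETBOOT_FAIL = 0x2000  # bit 13: fall back to ROM image if netboot fails
BOOT_FIELD = 0x000F                # bits 0-3: where to boot from

# Constructed sample of the show version output quoted in Step 2 above.
SAMPLE_SHOW_VERSION = """\
<constructed: other show version lines omitted>
Configuration register is 0x2102
"""


def parse_config_register(show_version: str) -> Optional[int]:
    """Pull the register value out of a captured 'show version' (Step 2)."""
    m = re.search(r"Configuration register is (0x[0-9A-Fa-f]+)", show_version)
    return int(m.group(1), 16) if m else None


def decode_config_register(value: int) -> Dict[str, object]:
    """Explain the bits of a register value that this procedure touches."""
    boot = value & BOOT_FIELD
    if boot == 0:
        boot_desc = "stay in ROM monitor"
    elif boot == 1:
        boot_desc = "boot the ROM/helper image"
    else:
        boot_desc = "boot per 'boot system' commands, else the first image in flash"
    return {
        "boot_field": boot,
        "boot": boot_desc,
        "ignore_startup_config": bool(value & IGNORE_NVRAM),
        "break_disabled_after_boot": bool(value & BREAK_DISABLED),
        "boot_rom_if_netboot_fails": bool(value & BOOT_ROM_ON_NETBOOT_FAIL),
    }


def recovery_register(recorded: int) -> int:
    """Step 5: the value to give confreg, with bit 6 set and everything else kept."""
    return recorded | IGNORE_NVRAM


def restored_register(recovery: int) -> int:
    """Step 14: clear bit 6 again so the next reload reads startup-config."""
    return recovery & ~IGNORE_NVRAM & 0xFFFF


def confreg_hex(value: int) -> str:
    """Format a register value the way IOS prints it, e.g. 0x2142."""
    return f"0x{value:X}"


if __name__ == "__main__":
    recorded = parse_config_register(SAMPLE_SHOW_VERSION)
    print("recorded:", confreg_hex(recorded), decode_config_register(recorded))
    print("Step 5 value:", confreg_hex(recovery_register(recorded)))
    print("Step 14 value:", confreg_hex(restored_register(recovery_register(recorded))))
```

Note that break_disabled_after_boot is set in 0x2102, which is why Step 4 insists on sending the Break signal within the first seconds of power-up: once IOS is running, bit 8 makes the router ignore it.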

1 comment:

  1. Thank you for briefing up all the main points about network security. I am familiar with the types of network security and am curious to learn about the tools and software designed to protect and secure networks.