
Securing the Router

Securing the Router. Chris Cunningham. Chris Cunningham chris.Cunningham@nhcomputerlearning.com CCSI #33650 CCNA & CCNP Routing and Switching / CCNA Security MCITP (Server Enter. Admin & Vista), MCTS (Server 08 & Vista) A +, Network+, Security+. Before Implementing Security Changes.


Presentation Transcript


  1. Securing the Router Chris Cunningham

  2. Chris Cunningham chris.Cunningham@nhcomputerlearning.com CCSI #33650 CCNA & CCNP Routing and Switching / CCNA Security MCITP (Server Enter. Admin & Vista), MCTS (Server 08 & Vista) A+, Network+, Security+

  3. Before Implementing Security Changes
     • Consult Change Management documents and processes
     • Lab it up to be sure it will do what you think it will do
     • Consult security documentation to verify it fits in with the security policy of the organization
     • Above all else, when finished. . . Document!!

  4. Planes of Security

  5. Management Plane: how techs connect to the device
     Control Plane: how the router decides to forward traffic
     Data Plane: the data being forwarded

  6. Management Plane

  7. Encrypted Communications
     • SSH Version 2
     • HTTPS for GUI configuration

  8. Secure Login
     • Use RADIUS or TACACS+
         Router(config)# aaa new-model
         Router(config)# radius server
         Router(config-radius-server)# address ipv4 10.0.0.1 acct-port 1813 auth-port 1812 key apple
         Router(config)# aaa authentication login default group radius local
         Router(config)# username admin secret 0 apple
     • Login lockouts (local accounts)
         Router(config)# aaa local authentication attempts max-fail 3
         Router# clear aaa local user lockout [username | all]
     • Disable password recovery (disables access to ROMMON by disabling the BREAK sequence)
         Router(config)# no service password-recovery
     • Access class
     • Exec-timeout

  9. Network Monitoring
     • Use SNMP Version 3 with an ACL to limit which SNMP servers can connect
         Router(config)# ip access-list extended snmp-server
         Router(config-ext-nacl)# permit ip 10.1.0.100 any
         Router(config)# snmp-server group group1 v3 auth access snmp-server
         Router(config)# snmp-server engineID remote 10.1.0.100 udp-port 120 1a2833c0129a
         Router(config)# snmp-server user user1 group1 v3 auth md5 password123
       Or
         Router(config)# snmp-server community server1 RO snmp-server
         Router(config)# snmp-server community server2 RW snmp-server
     • Use Syslog with a separate network (VLAN) for communication
     • Disable console logging to reduce the CPU load on the device

  10. Secure Configurations
     • Use the Archive feature to allow for rapid recovery when the device is misconfigured
     • Use Secure Boot-Image to secure the IOS so it can't be deleted
         Router(config)# secure boot-image
     • Use Secure Boot-Config to secure the startup-config from being removed
         Router(config)# secure boot-config
       Verify
         Router# show secure bootset

  11. Control Plane

  12. Secure Routing Protocols
     • Use MD5 password hashes
         Router(config)# enable secret apple
         Router(config)# username chris secret 0 apple
     • Passive interfaces
     • Also secure FHRP (HSRP, VRRP, GLBP) with authentication
         Router(config)# key chain secure
         Router(config-keychain)# key 1
         Router(config-keychain-key)# key-string apple
         Router(config-keychain-key)# interface fa 0/0
         Router(config-if)# standby 1 authentication md5 key-chain secure

  13. Preserve CPU Resources • Access Control List logging

  14. Control Plane Policing (CoPP) • Allows you more control over what protocols and data are allowed to enter the router and thus the Control Plane

  15. Data Plane

  16. IP Traffic
     • Fragmentation
         Router(config)# ip access-list extended Secure
         Router(config-ext-nacl)# deny tcp any any fragments
         Router(config-ext-nacl)# deny udp any any fragments
         Router(config-ext-nacl)# deny icmp any any fragments
         Router(config-ext-nacl)# deny ip any any fragments
     • IP options
         Router(config-ext-nacl)# deny ip any any option any-options
     • TTL too short to make it through the network
         Router(config-ext-nacl)# deny ip any any ttl lt 6
     * All this traffic gets process switched instead of using CEF

  17. Prevent Spoofed Packets
     • Unicast Reverse Path Forwarding (Unicast RPF)
         Router(config-if)# ip verify unicast source reachable-via rx

  18. Monitor with NetFlow

  19. Wrap-Up

  20. Secure All Planes of a Device
     • Management Plane
     • Control Plane
     • Data Plane
     • Document, Document, Document
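The controls from slides 7 through 17 can be checked against a saved running-config in one pass. The audit below is an added example, not part of the presentation; it assumes a constructed config excerpt (SAMPLE_CONFIG) and treats each control as a regex that must (or must not) appear, which is a simplification (interface-level items such as Unicast RPF and HSRP MD5 pass if they appear on at least one interface).

```python
import re

# Constructed sample running-config excerpt for the audit (not from a real device).
SAMPLE_CONFIG = """\
no service password-recovery
aaa new-model
aaa authentication login default group radius local
aaa local authentication attempts max-fail 3
ip ssh version 2
snmp-server community server2 RW snmp-server
secure boot-image
interface FastEthernet0/0
 ip verify unicast source reachable-via rx
 standby 1 authentication md5 key-chain secure
"""

# (plane, description, per-line regex, should_exist): when should_exist is False the
# pattern is a finding, so the check passes only if no line matches it.
CHECKS = [
    ("management", "SSH version 2 enforced", r"^ip ssh version 2$", True),
    ("management", "AAA enabled for RADIUS/TACACS+", r"^aaa new-model$", True),
    ("management", "Local login lockout configured", r"^aaa local authentication attempts max-fail \d+$", True),
    ("management", "Password recovery disabled", r"^no service password-recovery$", True),
    ("management", "No SNMPv1/v2c communities", r"^snmp-server community ", False),
    ("management", "Console logging disabled", r"^no logging console$", True),
    ("management", "IOS image protected (secure boot-image)", r"^secure boot-image$", True),
    ("management", "Startup-config protected (secure boot-config)", r"^secure boot-config$", True),
    ("control", "HSRP MD5 authentication", r"^\s*standby \d+ authentication md5 key-chain \S+$", True),
    ("data", "Unicast RPF on interfaces", r"^\s*ip verify unicast source reachable-via (rx|any)$", True),
]


def audit_config(config: str) -> dict:
    """Return {description: passed} for every check, evaluated line by line."""
    lines = config.splitlines()
    results = {}
    for _plane, desc, pattern, should_exist in CHECKS:
        matched = any(re.match(pattern, line) for line in lines)
        results[desc] = matched if should_exist else not matched
    return results


def failing(config: str) -> list:
    """Descriptions of the checks that did not pass, in CHECKS order."""
    return [desc for desc, ok in audit_config(config).items() if not ok]


if __name__ == "__main__":
    for (plane, desc, _p, _s), ok in zip(CHECKS, audit_config(SAMPLE_CONFIG).values()):
        print(f"{'PASS' if ok else 'FAIL'} [{plane}] {desc}")
```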

  21. Questions??
