Resumen Gym
Content
If the verification procedure indicates that your Frame Relay configuration is not working properly, you need to troubleshoot the configuration. Use the debug frame-relay lmi command to determine whether the router and the Frame Relay switch are sending and receiving LMI packets properly. Look at the figure and examine the output of an LMI exchange. "out" is an LMI status message sent by the router. "in" is a message received from the Frame Relay switch. A full LMI status message is a "type 0" (not shown in the figure). An LMI exchange is a "type 1". "dlci 100, status 0x2" means that the status of DLCI 100 is active (not shown in figure). When an Inverse ARP request is made, the router updates its map table with three possible LMI connection states. These states are active state, inactive state, and deleted state ACTIVE States indicates a successful end-to-end (DTE to DTE) circuit.
INACTIVE State indicates a successful connection to the switch (DTE to DCE) without a DTE detected
on the other end of the PVC. This can occur due to residual or incorrect configuration on the switch. DELETED State indicates that the DTE is configured for a DLCI the switch does not recognize as valid for that interface. The possible values of the status field are as follows: 0x0 - The switch has this DLCI programmed, but for some reason it is not usable. The reason could possibly be the other end of the PVC is down. 0x2 - The Frame Relay switch has the DLCI and everything is operational. 0x4 - The Frame Relay switch does not have this DLCI programmed for the router, but that it was programmed at some point in the past. This could also be caused by the DLCIs being reversed on the router, or by the PVC being deleted by the service provider in the Frame Relay cloud.
Routers are Targets Because routers provide gateways to other networks, they are obvious targets, and are subject to a variety of attacks. Here are some examples of various security problems: Compromising the access control can expose network configuration details, thereby facilitating attacks against other network components. Compromising the route tables can reduce performance, deny network communication services, and expose sensitive data. Misconfiguring a router traffic filter can expose internal network components to scans and attacks, making it easier for attackers to avoid detection. Attackers can compromise routers in different ways, so there is no single approach that network administrators can use to combat them. The ways that routers are compromised are similar to the types of attacks you learned about earlier in this chapter, including trust exploitation attacks, IP spoofing, session hijacking, and MITM attacks. Note: This section focuses on securing routers. Most of the best practices discussed can also be used to secure switches. However, this section does not cover Layer 2 threats, such as MAC address flooding attacks and STP attacks, because these are covered in CCNA Exploration: LAN Switching and Wireless.
Securing Your Network Securing routers at the network perimeter is an important first step in securing the network. Think about router security in terms in these categories: Physical security Update the router IOS whenever advisable Backup the router configuration and IOS Harden the router to eliminate the potential abuse of unused ports and services
To provide physical security, locate the router in a locked room that is accessible only to authorized personnel. It should also be free of any electrostatic or magnetic interference, and have controls for temperature and humidity. To reduce the possibility of DoS due to a power failure, install an uninterruptible power supply (UPS) and keep spare components available. Physical devices used to connect to the router should be stored in a locked facility, or they should remain in the possession of a trustworthy individual so that they are not compromised. A device that is left in the open could have Trojans or some other sort of executable file stored on it. Provision the router with the maximum amount of memory possible. Availability of memory can help protect against some DoS attacks, while supporting the widest range of security services.
The security features in an operating system evolve over time. However, the latest version of an operating system may not be the most stable version available. To get the best security performance from your operating system, use the latest stable release that meets the feature requirements of your network. Always have a backup copy of a configuration and IOS on hand in case a router fails. Keep a secure copy of the router operating system image and router configuration file on a TFTP server for backup purposes. Harden the router to make it as secure as possible. A router has many services enabled by default. Many of these services are unnecessary and may be used by an attacker for information gathering or exploitation. You should harden your router configuration by disabling unnecessary services.
By default, Cisco IOS software leaves passwords in plain text when they are entered on a router. This is not secure since anyone walking behind you when you are looking at a router configuration could snoop over your shoulder and see the password. Using the enable password command or the username username password password command would result in these passwords being displayed when looking at the running configuration. For example: R1(config)# username Student password cisco123 R1(config)# do show run | include username username Student password 0 cisco123 R1(config)# The 0 displayed in the running configuration, indicates that password is not hidden. For this reason, all passwords should be encrypted in a configuration file. Cisco IOS provides two password protection schemes: Simple encryption called a type 7 scheme. It uses the Cisco-defined encryption algorithm and will hide the password using a simple encryption algorithm. Complex encryption called a type 5 scheme. It uses a more secure MD5 hash. The type 7 encryption can be used by the enable password, username, and line password commands including vty, line console, and aux port. It does not offer very much protection as it only hides the password using a simple encryption algorithm. Although not as secure as the type 5 encryption, it is still better than no encryption. To encrypt passwords using type 7 encryption, use the service password-encryption global configuration command as displayed in the figure. This command prevents passwords that are displayed on the screen from being readable. For example: R1(config)# service password-encryption R1(config)# do show run | include username username Student password 7 03075218050061 R1(config)# The 7 displayed in the running configuration indicates that password is hidden. In the figure, you can see the line console password is now hidden.
Click the Configure Password button in the figure. Cisco recommends that Type 5 encryption be used instead of Type 7 whenever possible. MD5 encryption is a strong encryption method. It should be used whenever possible. It is configured by replacing the keyword password with secret. Therefore, to protect the privileged EXEC level as much as possible, always configure the enable secret command as shown in the figure. Also make sure that the secret password is unique and does not match any other user password. A router will always use the secret password over the enable password. For this reason, the enable password command should never be configured as it may give away a system password. Note: If you forget the privileged EXEC password, then you will have to perform the password recovery procedure. This procedure is covered later in this chapter. The local database usernames should be also configured using the username username secret password global configuration command. For example: R1(config)# username Student secret cisco R1(config)# do show run | include username username Student secret 5 $1$z245$lVSTJzuYgdQDJiacwP2Tv/ R1(config)# Note: Some processes may not be able to use type 5 encrypt ed passwords. For example PAP uses clear text passwords and cannot use MD5 encrypted passwords.
Click the Password Length button in the figure. Cisco IOS Software Release 12.3(1) and later allow administrators to set the minimum character length for all router passwords using the security passwords min-length global configuration command, as shown in the figure. This command provides enhanced security access to the router by allowing you to specify a minimum password length, eliminating common passwords that are prevalent on most networks, such as "lab" and "cisco." This command affects any new user passwords, enable passwords and secrets, and line passwords created after the command was executed. The command does not affect existing router passwords. ecuring Administrative Access to Routers Network administrators can connect to a router or switch locally or remotely. Local access through the console port is the preferred way for an administrator to connect to a device to manage it because it is secure. As companies get bigger and the number of routers and switches in the network grows, the administrator workload to connect to all the devices locally can become overwhelming.
Remote administrative access is more convenient than local access for administrators that have many devices to manage. However, if it is not implemented securely, an attacker could collect valuable confidential information. For example, implementing remote administrative access using Telnet can be very insecure because Telnet forwards all network traffic in clear text. An attacker could capture network traffic while an administrator is logged in remotely to a router and sniff the administrator passwords or router configuration information. Therefore, remote administrative access must be configured with additional security precautions. To secure administrative access to routers and switches, first you will secure the administrative lines (VTY, AUX), then you will configure the network device to encrypt traffic in an SSH tunnel. Remote Administrative Access with Telnet and SSH Having remote access to network devices is critical for effectively managing a network. Remote access typically involves allowing Telnet, Secure Shell (SSH), HTTP, HTTP Secure (HTTPS), or SNMP connections to the router from a computer on the same internetwork as the router. If remote access is required, your options are as follows: Establish a dedicated management network. The management network should include only identified administration hosts and connections to infrastructure devices. This could be
accomplished using a management VLAN or by using an additional physical network to connect the devices to. Encrypt all traffic between the administrator computer and the router. In either case, a packet filter can be configured to only allow the identified administration hosts and protocol to access the router. For example, only permit the administration host IP address to initiate an SSH connection to the routers in the network. Remote access not only applies to the VTY line of the router, it also applies to the TTY lines and the auxiliary (AUX) port. TTY lines provide asynchronous access to a router using a modem. Although less common than they once were, they still exist in some installations. Securing these ports is even more important than securing local terminal ports. The best way to protect a system is to ensure that appropriate controls are applied on all lines, including VTY, TTY, and AUX lines. Administrators should make sure that logins on all lines are controlled using an authentication mechanism, even on machines that are supposed to be inaccessible from untrusted networks. This is especially important for VTY lines and for lines connected to modems or other remote access devices. Logins may be completely prevented on any line by configuring the router with the login and no password commands. This is the default configuration for VTYs, but not for TTYs and the AUX port. Therefore, if these lines are not required, ensure that they are configured with the login and no password command combination. Click Config in the Prevent Logins button to view an example. Controlling VTYs By default, all VTY lines are configured to accept any type of remote connection. For security reasons, VTY lines should be configured to accept connections only with the protocols actually needed. This is done with the transport input command. For example, a VTY that was expected to receive only Telnet sessions would be configured with transport input telnet, and a VTY permitting both Telnet and SSH sessions would have transport input telnet ssh configured. Click the VTY Access button in the figure. The first configuration example displays how to configure the VTY to only accept Telnet and SSH connections, while the second example displays how to configure the VTY to only accept SSH connections. If the Cisco IOS image on a router supports SSH, it is strongly advisable to enable only that protocol. A Cisco IOS device has a limited number of VTY lines, usually five. When all of the VTYs are in use, no more additional remote connections can be established. This creates the opportunity for a DoS attack. If an attacker can open remote sessions to all the VTYs on the system, the legitimate administrator may not be able to log in. The attacker does not have to log in to do this. The sessions can simply be left at the login prompt.
One way of reducing this exposure is to configure the last VTY line to accept connections only from a single, specific administrative workstation, whereas the other VTYs can accept connections from any address in a corporate network. This ensures that at least one VTY line is available to the administrator. To implement this, ACLs, along with the ip access-class command on the last VTY line, must be configured. This implementation is discussed in Chapter 5. Another useful tactic is to configure VTY timeouts using the exec-timeout command. This prevents an idle session from consuming the VTY indefinitely. Although its effectiveness against deliberate attacks is relatively limited, it provides some protection against sessions accidentally left idle. Similarly, enabling TCP keepalives on incoming connections by using the service tcp-keepalives-in command can help guard against both malicious attacks and orphaned sessions caused by remote system crashes. Click the Secure VTY button in the figure. The configuration displays how to set the executive timeout to 3 minutes and enable TCP keepalives. Implementing SSH to Secure Remote Administrative Access Traditionally, remote administrative access on routers was configured using Telnet on TCP port 23. However, Telnet was developed in the days when security was not an issue. For this reason, all Telnet traffic is forwarded in plain text. SSH has replaced Telnet as the best practice for providing remote router administration with connections that support strong privacy and session integrity. SSH uses port TCP 22. It provides functionality that is similar to that of an outbound Telnet connection, except that the connection is encrypted. With authentication and encryption, SSH allows for secure communications over an insecure network. Not all Cisco IOS images support SSH. Only cryptographic images can. Typically, these images have image IDs of k8 or k9 in their image names. Image names are discussed in Section 5. The SSH terminal-line access feature enables administrators to configure routers with secure access and perform the following tasks: Connect to a router that has multiple terminal lines connected to consoles or serial ports of other routers, switches, and devices. Simplify connectivity to a router from anywhere by securely connecting to the terminal server on a specific line. Allow modems attached to routers to be used for dial-out securely. Require authentication to each of the lines through a locally defined username and password, or a security server such as a TACACS+ or RADIUS server. Cisco routers are capable of acting as the SSH client and server. By default, both of these functions are enabled on the router when SSH is enabled. As a client, a router can SSH to another router. As a server, a router can accept SSH client connections.
INACTIVE State indicates a successful connection to the switch (DTE to DCE) without a DTE detected
on the other end of the PVC. This can occur due to residual or incorrect configuration on the switch. DELETED State indicates that the DTE is configured for a DLCI the switch does not recognize as valid for that interface. The possible values of the status field are as follows: 0x0 - The switch has this DLCI programmed, but for some reason it is not usable. The reason could possibly be the other end of the PVC is down. 0x2 - The Frame Relay switch has the DLCI and everything is operational. 0x4 - The Frame Relay switch does not have this DLCI programmed for the router, but that it was programmed at some point in the past. This could also be caused by the DLCIs being reversed on the router, or by the PVC being deleted by the service provider in the Frame Relay cloud.
Routers are Targets Because routers provide gateways to other networks, they are obvious targets, and are subject to a variety of attacks. Here are some examples of various security problems: Compromising the access control can expose network configuration details, thereby facilitating attacks against other network components. Compromising the route tables can reduce performance, deny network communication services, and expose sensitive data. Misconfiguring a router traffic filter can expose internal network components to scans and attacks, making it easier for attackers to avoid detection. Attackers can compromise routers in different ways, so there is no single approach that network administrators can use to combat them. The ways that routers are compromised are similar to the types of attacks you learned about earlier in this chapter, including trust exploitation attacks, IP spoofing, session hijacking, and MITM attacks. Note: This section focuses on securing routers. Most of the best practices discussed can also be used to secure switches. However, this section does not cover Layer 2 threats, such as MAC address flooding attacks and STP attacks, because these are covered in CCNA Exploration: LAN Switching and Wireless.
Securing Your Network Securing routers at the network perimeter is an important first step in securing the network. Think about router security in terms in these categories: Physical security Update the router IOS whenever advisable Backup the router configuration and IOS Harden the router to eliminate the potential abuse of unused ports and services
To provide physical security, locate the router in a locked room that is accessible only to authorized personnel. It should also be free of any electrostatic or magnetic interference, and have controls for temperature and humidity. To reduce the possibility of DoS due to a power failure, install an uninterruptible power supply (UPS) and keep spare components available. Physical devices used to connect to the router should be stored in a locked facility, or they should remain in the possession of a trustworthy individual so that they are not compromised. A device that is left in the open could have Trojans or some other sort of executable file stored on it. Provision the router with the maximum amount of memory possible. Availability of memory can help protect against some DoS attacks, while supporting the widest range of security services.
The security features in an operating system evolve over time. However, the latest version of an operating system may not be the most stable version available. To get the best security performance from your operating system, use the latest stable release that meets the feature requirements of your network. Always have a backup copy of a configuration and IOS on hand in case a router fails. Keep a secure copy of the router operating system image and router configuration file on a TFTP server for backup purposes. Harden the router to make it as secure as possible. A router has many services enabled by default. Many of these services are unnecessary and may be used by an attacker for information gathering or exploitation. You should harden your router configuration by disabling unnecessary services.
By default, Cisco IOS software leaves passwords in plain text when they are entered on a router. This is not secure since anyone walking behind you when you are looking at a router configuration could snoop over your shoulder and see the password. Using the enable password command or the username username password password command would result in these passwords being displayed when looking at the running configuration. For example: R1(config)# username Student password cisco123 R1(config)# do show run | include username username Student password 0 cisco123 R1(config)# The 0 displayed in the running configuration, indicates that password is not hidden. For this reason, all passwords should be encrypted in a configuration file. Cisco IOS provides two password protection schemes: Simple encryption called a type 7 scheme. It uses the Cisco-defined encryption algorithm and will hide the password using a simple encryption algorithm. Complex encryption called a type 5 scheme. It uses a more secure MD5 hash. The type 7 encryption can be used by the enable password, username, and line password commands including vty, line console, and aux port. It does not offer very much protection as it only hides the password using a simple encryption algorithm. Although not as secure as the type 5 encryption, it is still better than no encryption. To encrypt passwords using type 7 encryption, use the service password-encryption global configuration command as displayed in the figure. This command prevents passwords that are displayed on the screen from being readable. For example: R1(config)# service password-encryption R1(config)# do show run | include username username Student password 7 03075218050061 R1(config)# The 7 displayed in the running configuration indicates that password is hidden. In the figure, you can see the line console password is now hidden.
Click the Configure Password button in the figure. Cisco recommends that Type 5 encryption be used instead of Type 7 whenever possible. MD5 encryption is a strong encryption method. It should be used whenever possible. It is configured by replacing the keyword password with secret. Therefore, to protect the privileged EXEC level as much as possible, always configure the enable secret command as shown in the figure. Also make sure that the secret password is unique and does not match any other user password. A router will always use the secret password over the enable password. For this reason, the enable password command should never be configured as it may give away a system password. Note: If you forget the privileged EXEC password, then you will have to perform the password recovery procedure. This procedure is covered later in this chapter. The local database usernames should be also configured using the username username secret password global configuration command. For example: R1(config)# username Student secret cisco R1(config)# do show run | include username username Student secret 5 $1$z245$lVSTJzuYgdQDJiacwP2Tv/ R1(config)# Note: Some processes may not be able to use type 5 encrypt ed passwords. For example PAP uses clear text passwords and cannot use MD5 encrypted passwords.
Click the Password Length button in the figure. Cisco IOS Software Release 12.3(1) and later allow administrators to set the minimum character length for all router passwords using the security passwords min-length global configuration command, as shown in the figure. This command provides enhanced security access to the router by allowing you to specify a minimum password length, eliminating common passwords that are prevalent on most networks, such as "lab" and "cisco." This command affects any new user passwords, enable passwords and secrets, and line passwords created after the command was executed. The command does not affect existing router passwords. ecuring Administrative Access to Routers Network administrators can connect to a router or switch locally or remotely. Local access through the console port is the preferred way for an administrator to connect to a device to manage it because it is secure. As companies get bigger and the number of routers and switches in the network grows, the administrator workload to connect to all the devices locally can become overwhelming.
Remote administrative access is more convenient than local access for administrators that have many devices to manage. However, if it is not implemented securely, an attacker could collect valuable confidential information. For example, implementing remote administrative access using Telnet can be very insecure because Telnet forwards all network traffic in clear text. An attacker could capture network traffic while an administrator is logged in remotely to a router and sniff the administrator passwords or router configuration information. Therefore, remote administrative access must be configured with additional security precautions. To secure administrative access to routers and switches, first you will secure the administrative lines (VTY, AUX), then you will configure the network device to encrypt traffic in an SSH tunnel. Remote Administrative Access with Telnet and SSH Having remote access to network devices is critical for effectively managing a network. Remote access typically involves allowing Telnet, Secure Shell (SSH), HTTP, HTTP Secure (HTTPS), or SNMP connections to the router from a computer on the same internetwork as the router. If remote access is required, your options are as follows: Establish a dedicated management network. The management network should include only identified administration hosts and connections to infrastructure devices. This could be
accomplished using a management VLAN or by using an additional physical network to connect the devices to. Encrypt all traffic between the administrator computer and the router. In either case, a packet filter can be configured to only allow the identified administration hosts and protocol to access the router. For example, only permit the administration host IP address to initiate an SSH connection to the routers in the network. Remote access not only applies to the VTY line of the router, it also applies to the TTY lines and the auxiliary (AUX) port. TTY lines provide asynchronous access to a router using a modem. Although less common than they once were, they still exist in some installations. Securing these ports is even more important than securing local terminal ports. The best way to protect a system is to ensure that appropriate controls are applied on all lines, including VTY, TTY, and AUX lines. Administrators should make sure that logins on all lines are controlled using an authentication mechanism, even on machines that are supposed to be inaccessible from untrusted networks. This is especially important for VTY lines and for lines connected to modems or other remote access devices. Logins may be completely prevented on any line by configuring the router with the login and no password commands. This is the default configuration for VTYs, but not for TTYs and the AUX port. Therefore, if these lines are not required, ensure that they are configured with the login and no password command combination. Click Config in the Prevent Logins button to view an example. Controlling VTYs By default, all VTY lines are configured to accept any type of remote connection. For security reasons, VTY lines should be configured to accept connections only with the protocols actually needed. This is done with the transport input command. For example, a VTY that was expected to receive only Telnet sessions would be configured with transport input telnet, and a VTY permitting both Telnet and SSH sessions would have transport input telnet ssh configured. Click the VTY Access button in the figure. The first configuration example displays how to configure the VTY to only accept Telnet and SSH connections, while the second example displays how to configure the VTY to only accept SSH connections. If the Cisco IOS image on a router supports SSH, it is strongly advisable to enable only that protocol. A Cisco IOS device has a limited number of VTY lines, usually five. When all of the VTYs are in use, no more additional remote connections can be established. This creates the opportunity for a DoS attack. If an attacker can open remote sessions to all the VTYs on the system, the legitimate administrator may not be able to log in. The attacker does not have to log in to do this. The sessions can simply be left at the login prompt.
One way of reducing this exposure is to configure the last VTY line to accept connections only from a single, specific administrative workstation, whereas the other VTYs can accept connections from any address in a corporate network. This ensures that at least one VTY line is available to the administrator. To implement this, ACLs, along with the ip access-class command on the last VTY line, must be configured. This implementation is discussed in Chapter 5. Another useful tactic is to configure VTY timeouts using the exec-timeout command. This prevents an idle session from consuming the VTY indefinitely. Although its effectiveness against deliberate attacks is relatively limited, it provides some protection against sessions accidentally left idle. Similarly, enabling TCP keepalives on incoming connections by using the service tcp-keepalives-in command can help guard against both malicious attacks and orphaned sessions caused by remote system crashes. Click the Secure VTY button in the figure. The configuration displays how to set the executive timeout to 3 minutes and enable TCP keepalives. Implementing SSH to Secure Remote Administrative Access Traditionally, remote administrative access on routers was configured using Telnet on TCP port 23. However, Telnet was developed in the days when security was not an issue. For this reason, all Telnet traffic is forwarded in plain text. SSH has replaced Telnet as the best practice for providing remote router administration with connections that support strong privacy and session integrity. SSH uses port TCP 22. It provides functionality that is similar to that of an outbound Telnet connection, except that the connection is encrypted. With authentication and encryption, SSH allows for secure communications over an insecure network. Not all Cisco IOS images support SSH. Only cryptographic images can. Typically, these images have image IDs of k8 or k9 in their image names. Image names are discussed in Section 5. The SSH terminal-line access feature enables administrators to configure routers with secure access and perform the following tasks: Connect to a router that has multiple terminal lines connected to consoles or serial ports of other routers, switches, and devices. Simplify connectivity to a router from anywhere by securely connecting to the terminal server on a specific line. Allow modems attached to routers to be used for dial-out securely. Require authentication to each of the lines through a locally defined username and password, or a security server such as a TACACS+ or RADIUS server. Cisco routers are capable of acting as the SSH client and server. By default, both of these functions are enabled on the router when SSH is enabled. As a client, a router can SSH to another router. As a server, a router can accept SSH client connections.
