ITCwiki - User contributions [en]

Digital Certificates in Asymmetrical Cryptography

2011-12-08T21:43:02Z

Petlast:

As part of protection and encryption of ever increasing network vulnerabilities and security needs, traditional symmetrical algorithms that encrypt information using private keys are not always sufficient. Asymmetric Cryptography, also known as Public Key Cryptography uses two keys instead of one, and contains many more permutations and defenses than an ordinary symmetrical algorithm. The use of these algorithms also allows checks of authenticity with digital signatures.

==Asymmetrical cryptography fundamentals==
The primary feature of public-key cryptography is that it removes the need to use the same key for encryption and decryption. Whereas traditional cryptography uses one key to decode and encrypt messages, asymmetric encryption utilizes two mathematically linked key pairs; a public key and a private key which must be used together to create a connection. The public key is known to everyone and can be freely [[Image: Wswpf_33.jpg|left]]distributed, while the private key is only known the the user who is sending the message. When someone wishes to send a message using any asymmetrical encryption standard, he must use the receiver's public key to send it, then the receiver uses his own private key to decrypt it. Additionally, the connection works both ways; as a message encrypted by a person's private key can be unencrypted by the corresponding public key.
A disadvantage of public-key crypography is that it is slower than symmetric encryption. It requires far more processing power to both encrypt and decrypt the contents of a message. Symmetrical algorithms are very easy to use and have the advantage of not consuming too much computing power, however there are dangers of the single secret key falling into wrong hands. Therefore, many computer companies use them in tandem.

==Digital certificates==
A Digital Certificate (also known as a public-key certificate)is a form of electronic credentials that associates a public key with an identity by a trusted third party. The third party verifies the owner and that the public key belongs to an owner. A digital Certificate is a pair of files on your computer and operates under the public key infrastructure; a framework of all entities involved in digital certificate management. Parts of a standard X.509 digital certificate include:
[[Image: CertificateError2.png|right]]

* The person's name
*An e-mail address
*A serial number
*A public key
*The hash used to encrypt the digital certificate
*An expiration date (certificates are valid for five years)
*The signature and has algorithms
*A digital signature

Besides standard e-email transactions, Digital Certificates can be used to encrypt HTTPS communications on the internet. A web browser can obtain a certificate from a website using SSL to determine the security of a web server and whether the server has been compromised. The browser requests a certificate using a certificate signing request that has the web site name, contact email address, and company information while the site asks for information to compare it to. The owner then signs it, making the certificate a public certificate.

===Digital Signatures===
Asymmetric cryptography cannot naturally provide authentication: as although a message that is sent with an asymmetric protocol can ensure the message has not been tampered with, it cannot verify whether the sender is who they say they are due to a public key's nature. To provide proof, a digital signature must be created (not to be confused with a digital certificate), which acts as a handwritten signature verifying the sender. It can also confirm that the message had not been altered since it was signed, or prevent the sender from disputing the origin of the message. The purpose of a digital signature is to only show the that the public key labeled as belonging to a person was used to encrypt the message, nothing more. Hashing, in its simplest form is an algorithm that you can run a piece of data through and get out a number that represents the original.

A digital signature consists of three algorithms: A key generation algorithm that selects a private key at random from a set of possible private keys, then uses it to create the private key and public key that corresponds to it; a signing algorithm that produces the signature when given a message and a private key, and a signature verifying algorithm that takes the message, public key and signature either accepts or rejects the message's claim of authenticity.

===Hashing===
Hashing is a form of cryptographic security which can be used to ensure the integrity of a file by guaranteeing no one has tampered with it. Where as encryption has a two step process used to first encrypt and then decrypt a message, hashing condenses a message into a irreversible fixed-length value, or hash. Two of the most common hashing algorithms seen in networking are MD5 and SHA-1; however, they are both found to have vulnerabilities and should be discouraged.

==Certificate Life Cycle==
Digital certificates are removed and added with changes in a companies's network, adding or subtracting users, or privilege changes. As such, certificates are given a lifetime consisting of four stages: Creation, Suspension, Revocation, and Expiration.
**Creation: A user is positively verified and a certificate is created and issued to the user by the Certificate Authority. The CA applies a signature to the certificate and can continually update the certificate.
**Suspension: In the case of a user's absence or vulnerability of the server connected to the certificate, a certificate can be suspended until a later date. On the user's return, the certificate can be reinstated or revoked.
**Revocation: This state may be brought on a vulnerability or a situation where the user's private key may be compromised. The certificate is no longer valid and it is placed into a public repository by either the CA or a user and forgoes expiration.
**Expiration: At this stage, a certificate can no longer be used. Every certificate issued by the CA must have an expiration date. An expired certificate cannot be renewed and a user must follow a process to be granted a new certificate.

==Certificate Authority==
The CA or Certificate authority is a third party agency which manages the distribution of Digital Certificates and is trusted by both the owner and receiver of a certificate. A certificate authority has the responsibilities of:

*Publishing the criteria for granting, revoking, and managing certificates.
*Distributing CA certificates
*Generating, issuing, and distributing public key certificates to applicants.
*Managing certificates (for example, enrolling, renewing, and revoking them).
*Verifying evidence submitted by applicants.
*Providing a means for applicants to request revocation
*Maintaining the security, availability, and continuity of the certificate issuance signing functions.
*Time stamping a digital signature.

==Types of Digital Certificates==
There are five categories of digital certificate. The common categories are personal digital certificates, server digital certificates, adn software publisher digital certificates.
===Class 1: Personal Digital Certificates===
Personal Digital Certificates are used by individuals when they exchange messages with other users or online services, such as Web Browsers and S/MIME applications.
===Class 2: Serer Digital certificates===
Server Certificates enable Web servers to operate in a secure mode. A Server Certificate unambiguously identifies and authenticates your server and encrypts any information passed between the server and a Web browser. A server digital certificate can perform two functions: ensure authenticity of a web server and enable clients connecting to a web server to examine the identity of a server's owner.
===Class 3: Software Publisher Digital Certificates===
Publisher Digital Certificates use validation to provide customers with the information and assurance they need when downloading software from the Internet. They are used by software publishers to ensure their software has not been tampered with
===Dual-Key and Dual-Sided Digital Certificates===
Dual-key certificates are intrinsically linked certificates that split the functionality of a single certificate between two. The signing certificate is used to sign a message and prove its identity is authentic, while the encryption certificate is used to encrypt the message. A copy of an encryption certificate should always be kep to enable email decryption, but a copy of the signign certificate is not required, although at the cost of reduced security.Dual keys enable a more secure system for backing up certificates.
Dual-Sided certificates allow a client to authenticate a verifiable certificate back to a server. Certain situations, such as in a corporate military/financial setting where in addition to a username and password a user must first authenticate a computer in the same way a website authenticates itself to you.
===X.509 Digital Certificates===
X.509 is the most widely used standard for digital certificates. The X.509 standard specifies formats for Public Key certificates. Layout of this digital certificate can be found above.
===Wildcard Certificates===
Wildcard certificates are a sub-type of digital certificates that encompass an entire domain of website addresses. This is useful in situations where a client cannot differentiate between two different hosts it has to query at the same time.

Digital Certificates in Asymmetrical Cryptography

2011-12-08T21:17:48Z

Petlast:

As part of protection and encryption of ever increasing network vulnerabilities and security needs, traditional symmetrical algorithms that encrypt information using private keys are not always sufficient. Asymmetric Cryptography, also known as Public Key Cryptography uses two keys instead of one, and contains many more permutations and defenses than an ordinary symmetrical algorithm. The use of these algorithms also allows checks of authenticity with digital signatures.

==Asymmetrical cryptography fundamentals==
The primary feature of public-key cryptography is that it removes the need to use the same key for encryption and decryption. Whereas traditional cryptography uses one key to decode and encrypt messages, asymmetric encryption utilizes two mathematically linked key pairs; a public key and a private key which must be used together to create a connection. The public key is known to everyone and can be freely [[Image: Wswpf_33.jpg|left]]distributed, while the private key is only known the the user who is sending the message. When someone wishes to send a message using any asymmetrical encryption standard, he must use the receiver's public key to send it, then the receiver uses his own private key to decrypt it. Additionally, the connection works both ways; as a message encrypted by a person's private key can be unencrypted by the corresponding public key.
A disadvantage of public-key crypography is that it is slower than symmetric encryption. It requires far more processing power to both encrypt and decrypt the contents of a message. Symmetrical algorithms are very easy to use and have the advantage of not consuming too much computing power, however there are dangers of the single secret key falling into wrong hands. Therefore, many computer companies use them in tandem.

==Digital certificates==
A Digital Certificate (also known as a public-key certificate)is a form of electronic credentials that associates a public key with an identity by a trusted third party. The third party verifies the owner and that the public key belongs to an owner. A digital Certificate is a pair of files on your computer and operates under the public key infrastructure; a framework of all entities involved in digital certificate management. Parts of a digital certificate include:
[[Image: CertificateError2.png|right]]

* The person's name
*An e-mail address
*A serial number
*A public key
*The hash used to encrypt the digital certificate
*An expiration date (certificates are valid for five years)
*The signature and has algorithms
*A digital signature

Besides standard e-email transactions, Digital Certificates can be used to encrypt HTTPS communications on the internet. A web browser can obtain a certificate from a website using SSL to determine the security of a web server and whether the server has been compromised. The browser requests a certificate using a certificate signing request that has the web site name, contact email address, and company information while the site asks for information to compare it to. The owner then signs it, making the certificate a public certificate.

===Digital Signatures===
Asymmetric cryptography cannot naturally provide authentication: as although a message that is sent with an asymmetric protocol can ensure the message has not been tampered with, it cannot verify whether the sender is who they say they are due to a public key's nature. To provide proof, a digital signature must be created (not to be confused with a digital certificate), which acts as a handwritten signature verifying the sender. It can also confirm that the message had not been altered since it was signed, or prevent the sender from disputing the origin of the message. The purpose of a digital signature is to only show the that the public key labeled as belonging to a person was used to encrypt the message, nothing more. Hashing, in its simplest form is an algorithm that you can run a piece of data through and get out a number that represents the original.

A digital signature consists of three algorithms: A key generation algorithm that selects a private key at random from a set of possible private keys, then uses it to create the private key and public key that corresponds to it; a signing algorithm that produces the signature when given a message and a private key, and a signature verifying algorithm that takes the message, public key and signature either accepts or rejects the message's claim of authenticity.

===Hashing===
Hashing is a form of cryptographic security which can be used to ensure the integrity of a file by guaranteeing no one has tampered with it. Where as encryption has a two step process used to first encrypt and then decrypt a message, hashing condenses a message into a irreversible fixed-length value, or hash. Two of the most common hashing algorithms seen in networking are MD5 and SHA-1; however, they are both found to have vulnerabilities and should be discouraged.

==Certificate Life Cycle==
Digital certificates are removed and added with changes in a companies's network, adding or subtracting users, or privilege changes. As such, certificates are given a lifetime consisting of four stages: Creation, Suspension, Revocation, and Expiration.
**Creation: A user is positively verified and a certificate is created and issued to the user by the Certificate Authority. The CA applies a signature to the certificate and can continually update the certificate.
**Suspension: In the case of a user's absence or vulnerability of the server connected to the certificate, a certificate can be suspended until a later date. On the user's return, the certificate can be reinstated or revoked.
**Revocation: This state may be brought on a vulnerability or a situation where the user's private key may be compromised. The certificate is no longer valid and it is placed into a public repository by either the CA or a user and forgoes expiration.
**Expiration: At this stage, a certificate can no longer be used. Every certificate issued by the CA must have an expiration date. An expired certificate cannot be renewed and a user must follow a process to be granted a new certificate.

==Certificate Authority==
The CA or Certificate authority is a third party agency which manages the distribution of Digital Certificates and is trusted by both the owner and receiver of a certificate. A certificate authority has the responsibilities of:

*Publishing the criteria for granting, revoking, and managing certificates.
*Distributing CA certificates
*Generating, issuing, and distributing public key certificates to applicants.
*Managing certificates (for example, enrolling, renewing, and revoking them).
*Verifying evidence submitted by applicants.
*Providing a means for applicants to request revocation
*Maintaining the security, availability, and continuity of the certificate issuance signing functions.
*Time stamping a digital signature.

==Types of Digital Certificates==
===Class 1: Personal Digital Certificates===
===Class 2: Serer Digital certificates===
===Class 3: Software Publisher Digital Certificates===
===Dual-Key and Dual-Sided Digital Certificates===
===X.509 Digital Certificates===

===Wildcard Certificates===
Wildcard certificates are a sub-type of digital certificates that encompass an entire domain of website addresses. This is useful in situations where a client cannot differentiate between two different hosts it has to query at the same time.
==Trust Models
A trust model is a type of trusting relationship that can exist between two individuals or entities.

Digital Certificates in Asymmetrical Cryptography

2011-12-08T21:17:01Z

Petlast:

As part of protection and encryption of ever increasing network vulnerabilities and security needs, traditional symmetrical algorithms that encrypt information using private keys are not always sufficient. Asymmetric Cryptography, also known as Public Key Cryptography uses two keys instead of one, and contains many more permutations and defenses than an ordinary symmetrical algorithm. The use of these algorithms also allows checks of authenticity with digital signatures.

==Asymmetrical cryptography fundamentals==
The primary feature of public-key cryptography is that it removes the need to use the same key for encryption and decryption. Whereas traditional cryptography uses one key to decode and encrypt messages, asymmetric encryption utilizes two mathematically linked key pairs; a public key and a private key which must be used together to create a connection. The public key is known to everyone and can be freely [[Image: Wswpf_33.jpg|left]]distributed, while the private key is only known the the user who is sending the message. When someone wishes to send a message using any asymmetrical encryption standard, he must use the receiver's public key to send it, then the receiver uses his own private key to decrypt it. Additionally, the connection works both ways; as a message encrypted by a person's private key can be unencrypted by the corresponding public key.
A disadvantage of public-key crypography is that it is slower than symmetric encryption. It requires far more processing power to both encrypt and decrypt the contents of a message. Symmetrical algorithms are very easy to use and have the advantage of not consuming too much computing power, however there are dangers of the single secret key falling into wrong hands. Therefore, many computer companies use them in tandem.

==Digital certificates==
A Digital Certificate (also known as a public-key certificate)is a form of electronic credentials that associates a public key with an identity by a trusted third party. The third party verifies the owner and that the public key belongs to an owner. A digital Certificate is a pair of files on your computer and operates under the public key infrastructure; a framework of all entities involved in digital certificate management. Parts of a digital certificate include:
[[Image: CertificateError2.png|right]]

* The person's name
*An e-mail address
*A serial number
*A public key
*The hash used to encrypt the digital certificate
*An expiration date (certificates are valid for five years)
*The signature and has algorithms
*A digital signature

Besides standard e-email transactions, Digital Certificates can be used to encrypt HTTPS communications on the internet. A web browser can obtain a certificate from a website using SSL to determine the security of a web server and whether the server has been compromised. The browser requests a certificate using a certificate signing request that has the web site name, contact email address, and company information while the site asks for information to compare it to. The owner then signs it, making the certificate a public certificate.

===Digital Signatures===
Asymmetric cryptography cannot naturally provide authentication: as although a message that is sent with an asymmetric protocol can ensure the message has not been tampered with, it cannot verify whether the sender is who they say they are due to a public key's nature. To provide proof, a digital signature must be created (not to be confused with a digital certificate), which acts as a handwritten signature verifying the sender. It can also confirm that the message had not been altered since it was signed, or prevent the sender from disputing the origin of the message. The purpose of a digital signature is to only show the that the public key labeled as belonging to a person was used to encrypt the message, nothing more. Hashing, in its simplest form is an algorithm that you can run a piece of data through and get out a number that represents the original.

A digital signature consists of three algorithms: A key generation algorithm that selects a private key at random from a set of possible private keys, then uses it to create the private key and public key that corresponds to it; a signing algorithm that produces the signature when given a message and a private key, and a signature verifying algorithm that takes the message, public key and signature either accepts or rejects the message's claim of authenticity.

===Hashing===
Hashing is a form of cryptographic security which can be used to ensure the integrity of a file by guaranteeing no one has tampered with it. Where as encryption has a two step process used to first encrypt and then decrypt a message, hashing condenses a message into a irreversible fixed-length value, or hash. Two of the most common hashing algorithms seen in networking are MD5 and SHA-1; however, they are both found to have vulnerabilities and should be discouraged.

==Certificate Life Cycle==
Digital certificates are removed and added with changes in a companies's network, adding or subtracting users, or privilege changes. As such, certificates are given a lifetime consisting of four stages: Creation, Suspension, Revocation, and Expiration.
Creation: A user is positively verified and a certificate is created and issued to the user by the Certificate Authority. The CA applies a signature to the certificate and can continually update the certificate.
Suspension: In the case of a user's absence or vulnerability of the server connected to the certificate, a certificate can be suspended until a later date. On the user's return, the certificate can be reinstated or revoked.
Revocation: This state may be brought on a vulnerability or a situation where the user's private key may be compromised. The certificate is no longer valid and it is placed into a public repository by either the CA or a user and forgoes expiration.
Expiration: At this stage, a certificate can no longer be used. Every certificate issued by the CA must have an expiration date. An expired certificate cannot be renewed and a user must follow a process to be granted a new certificate.

==Certificate Authority==
The CA or Certificate authority is a third party agency which manages the distribution of Digital Certificates and is trusted by both the owner and receiver of a certificate. A certificate authority has the responsibilities of:

*Publishing the criteria for granting, revoking, and managing certificates.
*Distributing CA certificates
*Generating, issuing, and distributing public key certificates to applicants.
*Managing certificates (for example, enrolling, renewing, and revoking them).
*Verifying evidence submitted by applicants.
*Providing a means for applicants to request revocation
*Maintaining the security, availability, and continuity of the certificate issuance signing functions.
*Time stamping a digital signature.

==Types of Digital Certificates==
===Class 1: Personal Digital Certificates===
===Class 2: Serer Digital certificates===
===Class 3: Software Publisher Digital Certificates===
===Dual-Key and Dual-Sided Digital Certificates===
===X.509 Digital Certificates===

===Wildcard Certificates===
Wildcard certificates are a sub-type of digital certificates that encompass an entire domain of website addresses. This is useful in situations where a client cannot differentiate between two different hosts it has to query at the same time.
==Trust Models
A trust model is a type of trusting relationship that can exist between two individuals or entities.

Digital Certificates in Asymmetrical Cryptography

2011-12-08T19:46:18Z

Petlast:

Digital Certificates in Asymmetrical Cryptography

2011-12-08T19:45:29Z

Petlast:

Digital Certificates in Asymmetrical Cryptography

2011-12-08T03:23:58Z

Petlast:

Digital Certificates in Asymmetrical Cryptography

2011-12-08T03:23:10Z

Petlast:

Digital Certificates in Asymmetrical Cryptography

2011-12-08T03:22:39Z

Petlast:

Digital Certificates in Asymmetrical Cryptography

2011-12-08T03:21:39Z

Petlast:

Digital Certificates in Asymmetrical Cryptography

2011-12-08T03:20:18Z

Petlast:

File:Wswpf 33.jpg

2011-12-08T03:19:18Z

Petlast:

Digital Certificates in Asymmetrical Cryptography

2011-12-08T03:18:01Z

Petlast:

Digital Certificates in Asymmetrical Cryptography

2011-12-08T03:17:04Z

Petlast:

File:CertificateError2.png

2011-12-08T03:16:42Z

Petlast:

Digital Certificates in Asymmetrical Cryptography

2011-12-08T03:15:05Z

Petlast:

File:CertificateError.png

2011-12-08T03:14:32Z

Petlast: certificate error

certificate error

Digital Certificates in Asymmetrical Cryptography

2011-12-08T03:12:40Z

Petlast:

Digital Certificates in Asymmetrical Cryptography

2011-12-08T02:58:36Z

Petlast:

Digital Certificates in Asymmetrical Cryptography

2011-12-08T02:33:01Z

Petlast:

Digital Certificates in Asymmetrical Cryptography

2011-12-07T23:58:16Z

Petlast: /* Asymmetrical cryptography fundamentals */

Digital Certificates in Asymmetrical Cryptography

2011-12-07T23:57:16Z

Petlast:

Digital Certificates in Asymmetrical Cryptography

2011-12-07T03:29:21Z

Petlast: Created page with "As part of protection and encryption of ever increasing network vulnerabilities and security needs, traditional symmetrical algorithms that encrypt information using private keys..."

Basic and Advanced Router Security Configuration

2011-04-21T22:42:54Z

Petlast:

== Configuring a Cisco Router ==
• A Router defines a network. From its security, to making computers more scalable and easy to configure, to breaking apart broadcast domains and verifying information reaches its intended purpose, routers are essential to the security line of work and the process of securing our information. As an integral part, a router requires its own standard protection which can be configured via the console port. Router policies that are the simplest are the most often overlooked, and require careful implementation.

[[Image: cisco.jpg|right]]
==Basic Router Security Configuration==
*90% of all interactions users make with the router are through the virtual terminal server, or command line. Therefore, in order to prevent users from accessing data inside and outside the network, a network administrator needs to be proficient in using the command line to patch security flaws and implement countermeasures. There are several basic command line tools users can run that can secure the router, and by extension the entire network.

===Prevent access from inside the network===
*Although many attacks come from outside the network, there are some issues with internal threats; as simple as users acting without administrative privileges to an experienced hacker who attempts to retrieve data from a subnet. In this section, we will observe basic command line operations for password control, vty/tty access, and encrypting the saved configuration on the router to prevent back doors. Sometimes the most simple of features to run are the most integral, and it is very important to have an understanding of them.

====Password Control====
*The enable secret command is used in order to set the password that grants administrative access to the Cisco router. The enable secret increases the security of the enable password command. If no enable secret is set and a password is configured from the Telnet line, the console password can be used to receive privileged access, even from a remote tty/vty session; causing potential damage to the network.
*The service password-encryption global configuration command directs the Cisco IOS software to encrypt the passwords, Challenge Handshake Authentication Protocol (CHAP) secrets, and similar data that are saved in its configuration file. Such encryption is useful in order to prevent casual observers from reading passwords, such as when they shoulder-surf over an administrator.

*The login Password Retry Lockout commands allows an administrator to “lock out” a local user account after a configured number of unsuccessful login attempts. By using the aaa access control model (Authentication, Authorization, and accounting) the router can refuse non-administrative users and disrupting brute force attacks. Once a user is locked out, their account is locked until the administrator unlocks it. An authorized user who is configured with privilege level 15 must be kept to a minimum. Note that authorized user can lock themselves out of the router if the number of unsuccessful login attempts is reached.

===The Four Basics===
There are four steps everyone should know when configuring a router, and all configurations in the future will build on them some way or another.
*Set a console password
**The most basic form of security which prevents users from accessing the router when it is activated. They are operated by entering '''(config)# enable password''', followed by your chosen password.
[[Image: configure_console_password.png]]
*Encrypt passwords in your running configuration
**Console passwords are written in cleartext by default. They can be encrypted by inputting '''(config)# enable password-encryption'''.
[[Image: enable_password_encryption.png]]
*Limit user capabilities with privilege level commands
**Enable global configuration mode passwords to prevent users from editing more than their level of authorization. Configured by entering '''(config)#''', '''enable secret''', followed by your chosen password.
[[Image: enable_secret.png]]
*Set Telnet and Console passwords
**Encrypt the lines that allows users over a network to interface with the router. Performed by entering '''(config)# line console 0''' for console, '''line vty''' for Telnet; enter and inputting login, enter, password, followed by your desired password.
[[Image: vty_connection_password.png‎]]

[[Image: Configure_console_password.png]]
===Password Retry Logout===
Besides the basic commands for router security, even the least sophisticated hackers can permeate the network using techniques such as DOS and brute force. In order to prevent these new attacks, we need more complex techniques to build on top of the security we already have.
Configure Password Retry Logout: Causes a user to become “locked out” after a predefined number of failed login attempts. It is activated by enabling the aaa access control model on the router, specifying the number of failed login attempts, and setting the type of authentication method.
*'''(config)#''' [username] [privilege level] '''password encryption-type password'''
*'''(config)# aaa new-model'''
*'''(config)# aaa local authentication attempts max-fail''' [number of attempts allowed]
*'''(config)# aaa authentication login default''' [method, eg. '''Local''']

==Advanced Router Security Configuration==
Cisco offers many additional ways to secure our routers further by hardening passwords and creating methods to prevent brute force attacks. Here, we will look at additional commands that you may want to implement on your devices to secure them further.

===Prevent Access from the Internet===
A phenomenal amount of damage to routers and host computers alike comes from the internet. Firewalls, servers, and other methods of defense can prevent attacks and intrusion into the network, but the router itself has built-in abilities that allow it to protect itself from attacks fighting to get access. In this section, we will go over Advanced Security Commands, a plethora of configuration options that allow administrators to change password settings, block access from certain users, and deflect many different types of router manipulation. We will be able to secure ports and applications, disable unused services (router hardening), and block interfaces. Advanced security is advanced; a battle to stay one step ahead of anyone trying to permeate the router and the protection of your network.

'''===Advanced security commands==='''

*Block Denied Logins- Useful for delaying denied logins when someone is trying to brute force the router. (config)# login bock-for [seconds] attempts [attempts] within [seconds]

[[Image: login_block_small.png‎]]

*Login Delay – Adds a delay at the point of a login being unsuccessful
'''(config)# login delay [seconds]

[[Image: login_delay_small.png]]
*Login Logging – Generates a log after a certain amount of failed or successful attempts.
'''(config)# login on-failure log''' [#]

[[Image: success_login_small.png]]
[[Image: fail_login_small.png]]
*Min Password length – Ensures that any new password created on the router meets a minimum password length.
'''(config)# security password min-length [number of characters]

[[Image: fail_login_small.png]]
*Set Timeout – Sets a time out period for the connection line (con / vty).
'''(config-line)# exec-timeout''' [min/hour]

====Securing ports and applications====
*Some beneficial services are not enabled by default that can be turned on. These differ from enable and encryption commands as they are actions the router actively takes part in and incorporates in everyday activities.
**Service tcp-keepalives-in/out: Prevents VTY and Line messages from being sent indefinitely. This command orders the router sends and recieve TCP keepalive messages. When a set amount of time has passed, the TCP protocol sends and empty TCP segment with only the ACK flag turned on. If the initiator sends a reply ACK, the connection resumes; but if not the router assumes the connection has died.
***Service TCP-keepalives-in: generates keepalive packets on incoming network connections (initiated by remote hosts).

::*'''(config)# service tcp-keepalives-in'''
::*'''(config)# end'''
:*Service tcp-keepalives-out: Generates keepalive packets on outgoing network commands(initiated by user).
::*'''(config)# service tcp-keepalives-out'''
::*'''(config)# end'''

:*Service Timestamp Logging: An application on the router that records debugging or system log events forwarded through the router. [debug]indicates timestamp is applied to debugging, [log]indicates system loggingg messages, [uptime] indicates the time the system was rebooted (listed in HHHH:MM:SS), [datetime] indicates the current time. and [year] indicates the year of the date.
::*'''Service timestamps''' [debug | log] [ uptime | datetime [year]
:*Service Timestamp standard logging: A more simple version that only records events occuring on the system log.
'''Service timestamps''' [log] [datetime] [msec] [show-timezone] [localtime]

===Disabling unused services/Router Hardening===
There are many services that are enabled by default on Cisco Routers. Each can provide information an attacker can use. Routers are social butterflies by nature; they connect and exchange information with other routers that can be tampered with and modified by external sources, leaving the system vulnerable for attack. Occasional services can be removed in order to prevent potential breach, but it can interfere with these actions if they are needed later. Note: In order to make these changes permenant, run “copy running-config startup-config” at any time to save changes to the NVRAM.
*'''(config)# no service tcp-small-servers''' Disables unnecessary services such as echo, discard, and chargen. Disabled by default
*'''(config)# No service udp-small-servers''' Disables minor User Datagram Protocol services. Disabled by default.
*'''(config)# No service dhcp''' Disables DHCP servers, which are enabled by default. Almost never necessary. DHCP can also run Bootp requests.
*'''(config)# No ip finger''' Disables Finger Service, which can provide extensive user information. (eg, who is logged on to each system)
*'''(config)# No service config''' Disables Service config, which which is enabled by defult and attempts to access server configuration files from a network Trivial File Transfer Protocol (TFTP) server
*'''(config)# No snmp-server''' Disables Simple Network Management Protocol agent operation information upadates. Disabled by default.
*'''(config)# No ip bootp server''' Disables the Bootstrap service on the router. Obtains the network location of the boot image an IP address. Enabled by default.
*'''(config)# No ip http server''' Disables the Cisco Web browser interface, which allows configuration and monitoring of the router using any web server. Enabled by default
*'''(config)# No ip http secure-server''' Disables Hyper Transfer Protocol Secure. Enabled by default
*'''(config)# No ip gratuitous-arps''' Disables the transmission of gratuitous-arps command in global configuration mode. Enabled by default
*'''(config)# No ip source-route''' Instructs the router to discard IP datagrams containing a source-rout option. Enabled by default
*'''(config)# No ip directed-broadcast''' Disables IP broadcast to a specific subnet, which can leave the system vulnerable for smurf attacks. It is disabled by default.
*'''(config)# No ip unreachables''' Prevents the Cisco router from sending UDP packets searching for ‘port unreachable’ messages. Disabling causes traceroute to ‘break’, as it cannot comprehend routes ending in unreachable. Enabled by default
*'''(config)# No cdp run''' Disables Cisco Discovery Protocol capability, which sends out multicast updates to neighbors. Enabled by default
*'''(config)# ip options drop''' Drops or ignores IP option packets that are sent to the router. Enabled by default
====Commands for Individual Interfaces====
*'''No ip directed-broadcast'''
*'''No ip unreachables'''
*'''No ip redirects''' Disables ICMP, which sends redirected messages to clients. Prevents traffic redirection. Enabled by default.
*'''No ip mask-reply''' Disables router responses to Internet Control Message Protocol (ICMP) mask requests. Enabled by default.
*'''No ip proxy-arp''' Disables Proxy ARP, which helps machines reach remote subnets, but is vulnerable to intercepted packets or “Spoofing”. Enabled by default
===Disable interfaces===
Along with having services and abilities at its disposal that hackers can manipulate, physical hardware and the ports to the router themselves can also be attacked. Therefore, it is important to know how to be able to modify security on interfaces.
The first form of security on an interface is to disable it. There’s no door safer than a wall, so by completely blocking off a port, users from footprinting the network or using port-spying techniques to break into the router. To disable a port, enter the command prompt with global configuration mode, select the interface you want to close, and shut it down.
*'''Router> enable'''
*'''Router# config terminal'''
*'''Router(config)# int ''''''[interface name, eg.'''''' fa0/1''']
*'''Router(config-if)# shutdown'''

Basic and Advanced Router Security Configuration

2011-04-21T22:14:49Z

Petlast:

Basic and Advanced Router Security Configuration

2011-04-21T22:13:39Z

Petlast:

Basic and Advanced Router Security Configuration

2011-04-21T21:38:58Z

Petlast:

== Configuring a Cisco Router ==
• A Router defines a network. From its security, to making computers more scalable and easy to configure, to breaking apart broadcast domains and verifying information reaches its intended purpose, routers are essential to the security line of work and the process of securing our information. As an integral part, a router requires its own standard protection which can be configured via the console port. Router policies that are the simplest are the most often overlooked, and require careful implementation.

[[Image: cisco.jpg|right]]
==Basic Router Security Configuration==
*90% of all interactions users make with the router are through the virtual terminal server, or command line. Therefore, in order to prevent users from accessing data inside and outside the network, a network administrator needs to be proficient in using the command line to patch security flaws and implement countermeasures. There are several basic command line tools users can run that can secure the router, and by extension the entire network.

===Prevent access from inside the network===
*Although many attacks come from outside the network, there are some issues with internal threats; as simple as users acting without administrative privileges to an experienced hacker who attempts to retrieve data from a subnet. In this section, we will observe basic command line operations for password control, vty/tty access, and encrypting the saved configuration on the router to prevent back doors. Sometimes the most simple of features to run are the most integral, and it is very important to have an understanding of them.

====Password Control====
*The enable secret command is used in order to set the password that grants administrative access to the Cisco router. The enable secret increases the security of the enable password command. If no enable secret is set and a password is configured from the Telnet line, the console password can be used to receive privileged access, even from a remote tty/vty session; causing potential damage to the network.
*The service password-encryption global configuration command directs the Cisco IOS software to encrypt the passwords, Challenge Handshake Authentication Protocol (CHAP) secrets, and similar data that are saved in its configuration file. Such encryption is useful in order to prevent casual observers from reading passwords, such as when they shoulder-surf over an administrator.

*The login Password Retry Lockout commands allows an administrator to “lock out” a local user account after a configured number of unsuccessful login attempts. By using the aaa access control model (Authentication, Authorization, and accounting) the router can refuse non-administrative users and disrupting brute force attacks. Once a user is locked out, their account is locked until the administrator unlocks it. An authorized user who is configured with privilege level 15 must be kept to a minimum. Note that authorized user can lock themselves out of the router if the number of unsuccessful login attempts is reached.

===The Four Basics===
There are four steps everyone should know when configuring a router, and all configurations in the future will build on them some way or another.
*Set a console password
**The most basic form of security which prevents users from accessing the router when it is activated. They are operated by entering '''(config)# enable password''', followed by your chosen password.
[[Image: configure_console_password.png]]
*Encrypt passwords in your running configuration
**Console passwords are written in cleartext by default. They can be encrypted by inputting '''(config)# enable password-encryption'''.
[[Image: enable_password_encryption.png]]
*Limit user capabilities with privilege level commands
**Enable global configuration mode passwords to prevent users from editing more than their level of authorization. Configured by entering '''(config)#''', '''enable secret''', followed by your chosen password.
[[Image: enable_secret.png]]
*Set Telnet and Console passwords
**Encrypt the lines that allows users over a network to interface with the router. Performed by entering '''(config)# line console 0''' for console, '''line vty''' for Telnet; enter and inputting login, enter, password, followed by your desired password.
[[Image: vty_connection_password.png‎]]

[[Image: Configure_console_password.png]]
===Password Retry Logout===
Besides the basic commands for router security, even the least sophisticated hackers can permeate the network using techniques such as DOS and brute force. In order to prevent these new attacks, we need more complex techniques to build on top of the security we already have.
Configure Password Retry Logout: Causes a user to become “locked out” after a predefined number of failed login attempts. It is activated by enabling the aaa access control model on the router, specifying the number of failed login attempts, and setting the type of authentication method.
*'''(config)#''' [username] [privilege level] '''password encryption-type password'''
*'''(config)# aaa new-model'''
*'''(config)# aaa local authentication attempts max-fail''' [number of attempts allowed]
*'''(config)# aaa authentication login default''' [method, eg. '''Local''']

==Advanced Router Security Configuration==
Cisco offers many additional ways to secure our routers further by hardening passwords and creating methods to prevent brute force attacks. Here, we will look at additional commands that you may want to implement on your devices to secure them further.

===Prevent Access from the Internet===
A phenomenal amount of damage to routers and host computers alike comes from the internet. Firewalls, servers, and other methods of defense can prevent attacks and intrusion into the network, but the router itself has built-in abilities that allow it to protect itself from attacks fighting to get access. In this section, we will go over Advanced Security Commands, a plethora of configuration options that allow administrators to change password settings, block access from certain users, and deflect many different types of router manipulation. We will be able to secure ports and applications, disable unused services (router hardening), and block interfaces. Advanced security is advanced; a battle to stay one step ahead of anyone trying to permeate the router and the protection of your network.

'''====Advanced security commands===='''
*Block Denied Logins- Useful for delaying denied logins when someone is trying to brute force the router. (config)# login bock-for [seconds] attempts [attempts] within [seconds]

[[Image: login_block_small.png‎]]
*Quiet Login – Allows a user to still login once the router has blocked login attempts because of above.
'''(config)# login quiet-mode access-class''' [acl]
*Login Delay – Adds a delay at the point of a login being unsuccessful
'''(config)# login delay [seconds]

[[Image: login_delay_small.png]]
*Login Logging – Generates a log after a certain amount of failed or successful attempts.
'''(config)# login on-failure log''' [#]
*Min Password length – Ensures that any new password created on the router meets a minimum password length.
'''(config)# security password min-length [number of characters]

[[Image: success_login_small.png]]
*Set Timeout – Sets a time out period for the connection line (con / vty).
'''(config-line)# exec-timeout''' [min/hour]

====Securing ports and applications====
*Some beneficial services are not enabled by default that can be turned on. These differ from enable and encryption commands as they are actions the router actively takes part in and incorporates in everyday activities.
**Service tcp-keepalives-in/out: Prevents VTY and Line messages from being sent indefinitely. This command orders the router sends and recieve TCP keepalive messages. When a set amount of time has passed, the TCP protocol sends and empty TCP segment with only the ACK flag turned on. If the initiator sends a reply ACK, the connection resumes; but if not the router assumes the connection has died.
***Service TCP-keepalives-in: generates keepalive packets on incoming network connections (initiated by remote hosts).

::*'''(config)# service tcp-keepalives-in'''
::*'''(config)# end'''
:*Service tcp-keepalives-out: Generates keepalive packets on outgoing network commands(initiated by user).
::*'''(config)# service tcp-keepalives-out'''
::*'''(config)# end'''

:*Service Timestamp Logging: An application on the router that records debugging or system log events forwarded through the router. [debug]indicates timestamp is applied to debugging, [log]indicates system loggingg messages, [uptime] indicates the time the system was rebooted (listed in HHHH:MM:SS), [datetime] indicates the current time. and [year] indicates the year of the date.
::*'''Service timestamps''' [debug | log] [ uptime | datetime [year]
:*Service Timestamp standard logging: A more simple version that only records events occuring on the system log.
'''Service timestamps''' [log] [datetime] [msec] [show-timezone] [localtime]

===Disabling unused services/Router Hardening===
There are many services that are enabled by default on Cisco Routers. Each can provide information an attacker can use. Routers are social butterflies by nature; they connect and exchange information with other routers that can be tampered with and modified by external sources, leaving the system vulnerable for attack. Occasional services can be removed in order to prevent potential breach, but it can interfere with these actions if they are needed later. Note: In order to make these changes permenant, run “copy running-config startup-config” at any time to save changes to the NVRAM.
*'''(config)# no service tcp-small-servers''' Disables unnecessary services such as echo, discard, and chargen. Disabled by default
*'''(config)# No service udp-small-servers''' Disables minor User Datagram Protocol services. Disabled by default.
*'''(config)# No service dhcp''' Disables DHCP servers, which are enabled by default. Almost never necessary. DHCP can also run Bootp requests.
*'''(config)# No ip finger''' Disables Finger Service, which can provide extensive user information. (eg, who is logged on to each system)
*'''(config)# No service config''' Disables Service config, which which is enabled by defult and attempts to access server configuration files from a network Trivial File Transfer Protocol (TFTP) server
*'''(config)# No snmp-server''' Disables Simple Network Management Protocol agent operation information upadates. Disabled by default.
*'''(config)# No ip bootp server''' Disables the Bootstrap service on the router. Obtains the network location of the boot image an IP address. Enabled by default.
*'''(config)# No ip http server''' Disables the Cisco Web browser interface, which allows configuration and monitoring of the router using any web server. Enabled by default
*'''(config)# No ip http secure-server''' Disables Hyper Transfer Protocol Secure. Enabled by default
*'''(config)# No ip gratuitous-arps''' Disables the transmission of gratuitous-arps command in global configuration mode. Enabled by default
*'''(config)# No ip source-route''' Instructs the router to discard IP datagrams containing a source-rout option. Enabled by default
*'''(config)# No ip directed-broadcast''' Disables IP broadcast to a specific subnet, which can leave the system vulnerable for smurf attacks. It is disabled by default.
*'''(config)# No ip unreachables''' Prevents the Cisco router from sending UDP packets searching for ‘port unreachable’ messages. Disabling causes traceroute to ‘break’, as it cannot comprehend routes ending in unreachable. Enabled by default
*'''(config)# No cdp run''' Disables Cisco Discovery Protocol capability, which sends out multicast updates to neighbors. Enabled by default
*'''(config)# ip options drop''' Drops or ignores IP option packets that are sent to the router. Enabled by default
====Commands for Individual Interfaces====
*'''No ip directed-broadcast'''
*'''No ip unreachables'''
*'''No ip redirects''' Disables ICMP, which sends redirected messages to clients. Prevents traffic redirection. Enabled by default.
*'''No ip mask-reply''' Disables router responses to Internet Control Message Protocol (ICMP) mask requests. Enabled by default.
*'''No ip proxy-arp''' Disables Proxy ARP, which helps machines reach remote subnets, but is vulnerable to intercepted packets or “Spoofing”. Enabled by default
===Disable interfaces===
Along with having services and abilities at its disposal that hackers can manipulate, physical hardware and the ports to the router themselves can also be attacked. Therefore, it is important to know how to be able to modify security on interfaces.
The first form of security on an interface is to disable it. There’s no door safer than a wall, so by completely blocking off a port, users from footprinting the network or using port-spying techniques to break into the router. To disable a port, enter the command prompt with global configuration mode, select the interface you want to close, and shut it down.
*'''Router> enable'''
*'''Router# config terminal'''
*'''Router(config)# int ''''''[interface name, eg.'''''' fa0/1''']
*'''Router(config-if)# shutdown'''

Basic and Advanced Router Security Configuration

2011-04-21T21:37:35Z

Petlast:

== Configuring a Cisco Router ==
• A Router defines a network. From its security, to making computers more scalable and easy to configure, to breaking apart broadcast domains and verifying information reaches its intended purpose, routers are essential to the security line of work and the process of securing our information. As an integral part, a router requires its own standard protection which can be configured via the console port. Router policies that are the simplest are the most often overlooked, and require careful implementation.

[[Image: cisco.jpg|right]]
==Basic Router Security Configuration==
*90% of all interactions users make with the router are through the virtual terminal server, or command line. Therefore, in order to prevent users from accessing data inside and outside the network, a network administrator needs to be proficient in using the command line to patch security flaws and implement countermeasures. There are several basic command line tools users can run that can secure the router, and by extension the entire network.

===Prevent access from inside the network===
*Although many attacks come from outside the network, there are some issues with internal threats; as simple as users acting without administrative privileges to an experienced hacker who attempts to retrieve data from a subnet. In this section, we will observe basic command line operations for password control, vty/tty access, and encrypting the saved configuration on the router to prevent back doors. Sometimes the most simple of features to run are the most integral, and it is very important to have an understanding of them.

====Password Control====
*The enable secret command is used in order to set the password that grants administrative access to the Cisco router. The enable secret increases the security of the enable password command. If no enable secret is set and a password is configured from the Telnet line, the console password can be used to receive privileged access, even from a remote tty/vty session; causing potential damage to the network.
*The service password-encryption global configuration command directs the Cisco IOS software to encrypt the passwords, Challenge Handshake Authentication Protocol (CHAP) secrets, and similar data that are saved in its configuration file. Such encryption is useful in order to prevent casual observers from reading passwords, such as when they shoulder-surf over an administrator.

*The login Password Retry Lockout commands allows an administrator to “lock out” a local user account after a configured number of unsuccessful login attempts. By using the aaa access control model (Authentication, Authorization, and accounting) the router can refuse non-administrative users and disrupting brute force attacks. Once a user is locked out, their account is locked until the administrator unlocks it. An authorized user who is configured with privilege level 15 must be kept to a minimum. Note that authorized user can lock themselves out of the router if the number of unsuccessful login attempts is reached.

===The Four Basics===
There are four steps everyone should know when configuring a router, and all configurations in the future will build on them some way or another.
*Set a console password
**The most basic form of security which prevents users from accessing the router when it is activated. They are operated by entering '''(config)# enable password''', followed by your chosen password.
[[Image: configure_console_password.png]]
*Encrypt passwords in your running configuration
**Console passwords are written in cleartext by default. They can be encrypted by inputting '''(config)# enable password-encryption'''.
[[Image: enable_password_encryption.png]]
*Limit user capabilities with privilege level commands
**Enable global configuration mode passwords to prevent users from editing more than their level of authorization. Configured by entering '''(config)#''', '''enable secret''', followed by your chosen password.
[[Image: enable_secret.png]]
*Set Telnet and Console passwords
**Encrypt the lines that allows users over a network to interface with the router. Performed by entering '''(config)# line console 0''' for console, '''line vty''' for Telnet; enter and inputting login, enter, password, followed by your desired password.
[[Image: vty_connection_password.png‎]]

[[Image: Configure_console_password.png]]
===Password Retry Logout===
Besides the basic commands for router security, even the least sophisticated hackers can permeate the network using techniques such as DOS and brute force. In order to prevent these new attacks, we need more complex techniques to build on top of the security we already have.
Configure Password Retry Logout: Causes a user to become “locked out” after a predefined number of failed login attempts. It is activated by enabling the aaa access control model on the router, specifying the number of failed login attempts, and setting the type of authentication method.
*'''(config)#''' [username] [privilege level] '''password encryption-type password'''
*'''(config)# aaa new-model'''
*'''(config)# aaa local authentication attempts max-fail''' [number of attempts allowed]
*'''(config)# aaa authentication login default''' [method, eg. '''Local''']

==Advanced Router Security Configuration==
Cisco offers many additional ways to secure our routers further by hardening passwords and creating methods to prevent brute force attacks. Here, we will look at additional commands that you may want to implement on your devices to secure them further.

===Prevent Access from the Internet===
A phenomenal amount of damage to routers and host computers alike comes from the internet. Firewalls, servers, and other methods of defense can prevent attacks and intrusion into the network, but the router itself has built-in abilities that allow it to protect itself from attacks fighting to get access. In this section, we will go over Advanced Security Commands, a plethora of configuration options that allow administrators to change password settings, block access from certain users, and deflect many different types of router manipulation. We will be able to secure ports and applications, disable unused services (router hardening), and block interfaces. Advanced security is advanced; a battle to stay one step ahead of anyone trying to permeate the router and the protection of your network.

'''====Advanced security commands===='''
*Block Denied Logins- Useful for delaying denied logins when someone is trying to brute force the router. (config)# login bock-for [seconds] attempts [attempts] within [seconds]

[[Image: login_block_small.png‎]]
*Quiet Login – Allows a user to still login once the router has blocked login attempts because of above.
'''(config)# login quiet-mode access-class''' [acl]
*Login Delay – Adds a delay at the point of a login being unsuccessful
'''(config)# login delay [seconds]

[[Image: login_delay_small.png]]
*Login Logging – Generates a log after a certain amount of failed or successful attempts.
'''(config)# login on-failure log''' [#]
*Min Password length – Ensures that any new password created on the router meets a minimum password length.
'''(config)# security password min-length [number of characters]

[[Image: success_login_small.png]]
*Set Timeout – Sets a time out period for the connection line (con / vty).
'''(config-line)# exec-timeout''' [min/hour]

====Securing ports and applications====
*Some beneficial services are not enabled by default that can be turned on. These differ from enable and encryption commands as they are actions the router actively takes part in and incorporates in everyday activities.
**Service tcp-keepalives-in/out: Prevents VTY and Line messages from being sent indefinitely. This command orders the router sends and recieve TCP keepalive messages. When a set amount of time has passed, the TCP protocol sends and empty TCP segment with only the ACK flag turned on. If the initiator sends a reply ACK, the connection resumes; but if not the router assumes the connection has died.
***Service TCP-keepalives-in: generates keepalive packets on incoming network connections (initiated by remote hosts).

::*'''(config)# service tcp-keepalives-in'''
::*'''(config)# end'''
:*Service tcp-keepalives-out: Generates keepalive packets on outgoing network commands(initiated by user).
::*'''(config)# service tcp-keepalives-out'''
::*'''(config)# end'''

:*Service Timestamp Logging: An application on the router that records debugging or system log events forwarded through the router. [debug]indicates timestamp is applied to debugging, [log]indicates system loggingg messages, [uptime] indicates the time the system was rebooted (listed in HHHH:MM:SS), [datetime] indicates the current time. and [year] indicates the year of the date.
::*'''Service timestamps''' [debug | log] [ uptime | datetime [year]
:*Service Timestamp standard logging: A more simple version that only records events occuring on the system log.
'''Service timestamps''' [log] [datetime] [msec] [show-timezone] [localtime]

===Disabling unused services/Router Hardening===
There are many services that are enabled by default on Cisco Routers. Each can provide information an attacker can use. Routers are social butterflies by nature; they connect and exchange information with other routers that can be tampered with and modified by external sources, leaving the system vulnerable for attack. Occasional services can be removed in order to prevent potential breach, but it can interfere with these actions if they are needed later. Note: In order to make these changes permenant, run “copy running-config startup-config” at any time to save changes to the NVRAM.
*'''(config)# no service tcp-small-servers''' Disables unnecessary services such as echo, discard, and chargen. Disabled by default
*'''(config)# No service udp-small-servers''' Disables minor User Datagram Protocol services. Disabled by default.
*'''(config)# No service dhcp''' Disables DHCP servers, which are enabled by default. Almost never necessary. DHCP can also run Bootp requests.
*'''(config)# No ip finger''' Disables Finger Service, which can provide extensive user information. (eg, who is logged on to each system)
*'''(config)# No service config''' Disables Service config, which which is enabled by defult and attempts to access server configuration files from a network Trivial File Transfer Protocol (TFTP) server
*'''(config)# No snmp-server''' Disables Simple Network Management Protocol agent operation information upadates. Disabled by default.
*'''(config)# No ip bootp server''' Disables the Bootstrap service on the router. Obtains the network location of the boot image an IP address. Enabled by default.
*'''(config)# No ip http server''' Disables the Cisco Web browser interface, which allows configuration and monitoring of the router using any web server. Enabled by default
*'''(config)# No ip http secure-server''' Disables Hyper Transfer Protocol Secure. Enabled by default
*'''(config)# No ip gratuitous-arps''' Disables the transmission of gratuitous-arps command in global configuration mode. Enabled by default
*'''(config)# No ip source-route''' Instructs the router to discard IP datagrams containing a source-rout option. Enabled by default
*'''(config)# No ip directed-broadcast''' Disables IP broadcast to a specific subnet, which can leave the system vulnerable for smurf attacks. It is disabled by default.
*'''(config)# No ip unreachables''' Prevents the Cisco router from sending UDP packets searching for ‘port unreachable’ messages. Disabling causes traceroute to ‘break’, as it cannot comprehend routes ending in unreachable. Enabled by default
*'''(config)# No cdp run''' Disables Cisco Discovery Protocol capability, which sends out multicast updates to neighbors. Enabled by default
*'''(config)# ip options drop''' Drops or ignores IP option packets that are sent to the router. Enabled by default
====Commands for Individual Interfaces====
*'''No ip directed-broadcast'''
*'''No ip unreachables'''
*'''No ip redirects''' Disables ICMP, which sends redirected messages to clients. Prevents traffic redirection. Enabled by default.
*'''No ip mask-reply''' Disables router responses to Internet Control Message Protocol (ICMP) mask requests. Enabled by default.
*'''No ip proxy-arp''' Disables Proxy ARP, which helps machines reach remote subnets, but is vulnerable to intercepted packets or “Spoofing”. Enabled by default
===Disable interfaces===
Along with having services and abilities at its disposal that hackers can manipulate, physical hardware and the ports to the router themselves can also be attacked. Therefore, it is important to know how to be able to modify security on interfaces.
The first form of security on an interface is to disable it. There’s no door safer than a wall, so by completely blocking off a port, users from footprinting the network or using port-spying techniques to break into the router. To disable a port, enter the command prompt with global configuration mode, select the interface you want to close, and shut it down.
*'''Router> enable'''
*'''Router# config terminal'''
*'''Router(config)# int ''''''[interface name, eg.'''''' fa0/1''']
*'''Router(config-if)# shutdown'''

Basic and Advanced Router Security Configuration

2011-04-21T21:20:06Z

Petlast:

== Configuring a Cisco Router ==
• A Router defines a network. From its security, to making computers more scalable and easy to configure, to breaking apart broadcast domains and verifying information reaches its intended purpose, routers are essential to the security line of work and the process of securing our information. As an integral part, a router requires its own standard protection which can be configured via the console port. Router policies that are the simplest are the most often overlooked, and require careful implementation.

[[Image: cisco.jpg|right]]
==Basic Router Security Configuration==
*90% of all interactions users make with the router are through the virtual terminal server, or command line. Therefore, in order to prevent users from accessing data inside and outside the network, a network administrator needs to be proficient in using the command line to patch security flaws and implement countermeasures. There are several basic command line tools users can run that can secure the router, and by extension the entire network.

===Prevent access from inside the network===
*Although many attacks come from outside the network, there are some issues with internal threats; as simple as users acting without administrative privileges to an experienced hacker who attempts to retrieve data from a subnet. In this section, we will observe basic command line operations for password control, vty/tty access, and encrypting the saved configuration on the router to prevent back doors. Sometimes the most simple of features to run are the most integral, and it is very important to have an understanding of them.

====Password Control====
*The enable secret command is used in order to set the password that grants administrative access to the Cisco router. The enable secret increases the security of the enable password command. If no enable secret is set and a password is configured from the Telnet line, the console password can be used to receive privileged access, even from a remote tty/vty session; causing potential damage to the network.
*The service password-encryption global configuration command directs the Cisco IOS software to encrypt the passwords, Challenge Handshake Authentication Protocol (CHAP) secrets, and similar data that are saved in its configuration file. Such encryption is useful in order to prevent casual observers from reading passwords, such as when they shoulder-surf over an administrator.

*The login Password Retry Lockout commands allows an administrator to “lock out” a local user account after a configured number of unsuccessful login attempts. By using the aaa access control model (Authentication, Authorization, and accounting) the router can refuse non-administrative users and disrupting brute force attacks. Once a user is locked out, their account is locked until the administrator unlocks it. An authorized user who is configured with privilege level 15 must be kept to a minimum. Note that authorized user can lock themselves out of the router if the number of unsuccessful login attempts is reached.

===The Four Basics===
There are four steps everyone should know when configuring a router, and all configurations in the future will build on them some way or another.
*Set a console password
**The most basic form of security which prevents users from accessing the router when it is activated. They are operated by entering '''(config)# enable password''', followed by your chosen password.
[[Image: configure_console_password.png]]
*Encrypt passwords in your running configuration
**Console passwords are written in cleartext by default. They can be encrypted by inputting '''(config)# enable password-encryption'''.
[[Image: enable_password_encryption.png]]
*Limit user capabilities with privilege level commands
**Enable global configuration mode passwords to prevent users from editing more than their level of authorization. Configured by entering '''(config)#''', '''enable secret''', followed by your chosen password.
[[Image: enable_secret.png]]
*Set Telnet and Console passwords
**Encrypt the lines that allows users over a network to interface with the router. Performed by entering '''(config)# line console 0''' for console, '''line vty''' for Telnet; enter and inputting login, enter, password, followed by your desired password.
[[Image: vty_connection_password.png‎]]

[[Image: Configure_console_password.png]]
===Password Retry Logout===
Besides the basic commands for router security, even the least sophisticated hackers can permeate the network using techniques such as DOS and brute force. In order to prevent these new attacks, we need more complex techniques to build on top of the security we already have.
Configure Password Retry Logout: Causes a user to become “locked out” after a predefined number of failed login attempts. It is activated by enabling the aaa access control model on the router, specifying the number of failed login attempts, and setting the type of authentication method.
*'''(config)#''' [username] [privilege level] '''password encryption-type password'''
*'''(config)# aaa new-model'''
*'''(config)# aaa local authentication attempts max-fail''' [number of attempts allowed]
*'''(config)# aaa authentication login default''' [method, eg. '''Local''']

==Advanced Router Security Configuration==
Cisco offers many additional ways to secure our routers further by hardening passwords and creating methods to prevent brute force attacks. Here, we will look at additional commands that you may want to implement on your devices to secure them further.

===Prevent Access from the Internet===
A phenomenal amount of damage to routers and host computers alike comes from the internet. Firewalls, servers, and other methods of defense can prevent attacks and intrusion into the network, but the router itself has built-in abilities that allow it to protect itself from attacks fighting to get access. In this section, we will go over Advanced Security Commands, a plethora of configuration options that allow administrators to change password settings, block access from certain users, and deflect many different types of router manipulation. We will be able to secure ports and applications, disable unused services (router hardening), and block interfaces. Advanced security is advanced; a battle to stay one step ahead of anyone trying to permeate the router and the protection of your network.
Advanced security commands
Block Denied Logins- Useful for delaying denied logins when someone is trying to brute force the router. (config)# login bock-for [seconds] attempts [attempts] within [seconds]
Quiet Login – Allows a user to still login once the router has blocked login attempts because of above.
(config)# login quiet-mode access-class [acl]
Login Delay – Adds a delay at the point of a login being unsuccessful
(config)# login delay [seconds]
Login Logging – Generates a log after a certain amount of failed or successful attempts.
(config)# login on-failure log [#]
Min Password length – Ensures that any new password created on the router meets a minimum password length.
(config)# security password min-length [number of characters]
Set Timeout – Sets a time out period for the connection line (con / vty).
(config-line)# exec-timeout [min/hour]

====Securing ports and applications====
*Some beneficial services are not enabled by default that can be turned on. These differ from enable and encryption commands as they are actions the router actively takes part in and incorporates in everyday activities.
**Service tcp-keepalives-in/out: Prevents VTY and Line messages from being sent indefinitely. This command orders the router sends and recieve TCP keepalive messages. When a set amount of time has passed, the TCP protocol sends and empty TCP segment with only the ACK flag turned on. If the initiator sends a reply ACK, the connection resumes; but if not the router assumes the connection has died.
***Service TCP-keepalives-in: generates keepalive packets on incoming network connections (initiated by remote hosts).

::*'''(config)# service tcp-keepalives-in'''
::*'''(config)# end'''
:*Service tcp-keepalives-out: Generates keepalive packets on outgoing network commands(initiated by user).
::*'''(config)# service tcp-keepalives-out'''
::*'''(config)# end'''

:*Service Timestamp Logging: An application on the router that records debugging or system log events forwarded through the router. [debug]indicates timestamp is applied to debugging, [log]indicates system loggingg messages, [uptime] indicates the time the system was rebooted (listed in HHHH:MM:SS), [datetime] indicates the current time. and [year] indicates the year of the date.
::*'''Service timestamps''' [debug | log] [ uptime | datetime [year]
:*Service Timestamp standard logging: A more simple version that only records events occuring on the system log.
'''Service timestamps''' [log] [datetime] [msec] [show-timezone] [localtime]

===Disabling unused services/Router Hardening===
There are many services that are enabled by default on Cisco Routers. Each can provide information an attacker can use. Routers are social butterflies by nature; they connect and exchange information with other routers that can be tampered with and modified by external sources, leaving the system vulnerable for attack. Occasional services can be removed in order to prevent potential breach, but it can interfere with these actions if they are needed later. Note: In order to make these changes permenant, run “copy running-config startup-config” at any time to save changes to the NVRAM.
*'''(config)# no service tcp-small-servers''' Disables unnecessary services such as echo, discard, and chargen. Disabled by default
*'''(config)# No service udp-small-servers''' Disables minor User Datagram Protocol services. Disabled by default.
*'''(config)# No service dhcp''' Disables DHCP servers, which are enabled by default. Almost never necessary. DHCP can also run Bootp requests.
*'''(config)# No ip finger''' Disables Finger Service, which can provide extensive user information. (eg, who is logged on to each system)
*'''(config)# No service config''' Disables Service config, which which is enabled by defult and attempts to access server configuration files from a network Trivial File Transfer Protocol (TFTP) server
*'''(config)# No snmp-server''' Disables Simple Network Management Protocol agent operation information upadates. Disabled by default.
*'''(config)# No ip bootp server''' Disables the Bootstrap service on the router. Obtains the network location of the boot image an IP address. Enabled by default.
*'''(config)# No ip http server''' Disables the Cisco Web browser interface, which allows configuration and monitoring of the router using any web server. Enabled by default
*'''(config)# No ip http secure-server''' Disables Hyper Transfer Protocol Secure. Enabled by default
*'''(config)# No ip gratuitous-arps''' Disables the transmission of gratuitous-arps command in global configuration mode. Enabled by default
*'''(config)# No ip source-route''' Instructs the router to discard IP datagrams containing a source-rout option. Enabled by default
*'''(config)# No ip directed-broadcast''' Disables IP broadcast to a specific subnet, which can leave the system vulnerable for smurf attacks. It is disabled by default.
*'''(config)# No ip unreachables''' Prevents the Cisco router from sending UDP packets searching for ‘port unreachable’ messages. Disabling causes traceroute to ‘break’, as it cannot comprehend routes ending in unreachable. Enabled by default
*'''(config)# No cdp run''' Disables Cisco Discovery Protocol capability, which sends out multicast updates to neighbors. Enabled by default
*'''(config)# ip options drop''' Drops or ignores IP option packets that are sent to the router. Enabled by default
====Commands for Individual Interfaces====
*'''No ip directed-broadcast'''
*'''No ip unreachables'''
*'''No ip redirects''' Disables ICMP, which sends redirected messages to clients. Prevents traffic redirection. Enabled by default.
*'''No ip mask-reply''' Disables router responses to Internet Control Message Protocol (ICMP) mask requests. Enabled by default.
*'''No ip proxy-arp''' Disables Proxy ARP, which helps machines reach remote subnets, but is vulnerable to intercepted packets or “Spoofing”. Enabled by default
===Disable interfaces===
Along with having services and abilities at its disposal that hackers can manipulate, physical hardware and the ports to the router themselves can also be attacked. Therefore, it is important to know how to be able to modify security on interfaces.
The first form of security on an interface is to disable it. There’s no door safer than a wall, so by completely blocking off a port, users from footprinting the network or using port-spying techniques to break into the router. To disable a port, enter the command prompt with global configuration mode, select the interface you want to close, and shut it down.
*'''Router> enable'''
*'''Router# config terminal'''
*'''Router(config)# int ''''''[interface name, eg.'''''' fa0/1''']
*'''Router(config-if)# shutdown'''

Basic and Advanced Router Security Configuration

2011-04-21T20:31:48Z

Petlast:

== Configuring a Cisco Router ==
• A Router defines a network. From its security, to making computers more scalable and easy to configure, to breaking apart broadcast domains and verifying information reaches its intended purpose, routers are essential to the security line of work and the process of securing our information. As an integral part, a router requires its own standard protection which can be configured via the console port. Router policies that are the simplest are the most often overlooked, and require careful implementation.

[[Image: cisco.jpg|right]]
==Basic Router Security Configuration==
*90% of all interactions users make with the router are through the virtual terminal server, or command line. Therefore, in order to prevent users from accessing data inside and outside the network, a network administrator needs to be proficient in using the command line to patch security flaws and implement countermeasures. There are several basic command line tools users can run that can secure the router, and by extension the entire network.

===Prevent access from inside the network===
*Although many attacks come from outside the network, there are some issues with internal threats; as simple as users acting without administrative privileges to an experienced hacker who attempts to retrieve data from a subnet. In this section, we will observe basic command line operations for password control, vty/tty access, and encrypting the saved configuration on the router to prevent back doors. Sometimes the most simple of features to run are the most integral, and it is very important to have an understanding of them.

====Password Control====
*The enable secret command is used in order to set the password that grants administrative access to the Cisco router. The enable secret increases the security of the enable password command. If no enable secret is set and a password is configured from the Telnet line, the console password can be used to receive privileged access, even from a remote tty/vty session; causing potential damage to the network.
*The service password-encryption global configuration command directs the Cisco IOS software to encrypt the passwords, Challenge Handshake Authentication Protocol (CHAP) secrets, and similar data that are saved in its configuration file. Such encryption is useful in order to prevent casual observers from reading passwords, such as when they shoulder-surf over an administrator.

*The login Password Retry Lockout commands allows an administrator to “lock out” a local user account after a configured number of unsuccessful login attempts. By using the aaa access control model (Authentication, Authorization, and accounting) the router can refuse non-administrative users and disrupting brute force attacks. Once a user is locked out, their account is locked until the administrator unlocks it. An authorized user who is configured with privilege level 15 must be kept to a minimum. Note that authorized user can lock themselves out of the router if the number of unsuccessful login attempts is reached.

===The Four Basics===
There are four steps everyone should know when configuring a router, and all configurations in the future will build on them some way or another.
*Set a console password
**The most basic form of security which prevents users from accessing the router when it is activated. They are operated by entering '''(config)# enable password''', followed by your chosen password.
[[Image: configure_console_password.png]]
*Encrypt passwords in your running configuration
**Console passwords are written in cleartext by default. They can be encrypted by inputting '''(config)# enable password-encryption'''.
[[Image: enable_password_encryption.png]]
*Limit user capabilities with privilege level commands
**Enable global configuration mode passwords to prevent users from editing more than their level of authorization. Configured by entering '''(config)#''', '''enable secret''', followed by your chosen password.
[[Image: enable_secret.png]]
*Set Telnet and Console passwords
**Encrypt the lines that allows users over a network to interface with the router. Performed by entering '''(config)# line console 0''' for console, '''line vty''' for Telnet; enter and inputting login, enter, password, followed by your desired password.
[[Image: vty_connection_password.png‎]]

[[Image: Configure_console_password.png]]
===Password Retry Logout===
Besides the basic commands for router security, even the least sophisticated hackers can permeate the network using techniques such as DOS and brute force. In order to prevent these new attacks, we need more complex techniques to build on top of the security we already have.
Configure Password Retry Logout: Causes a user to become “locked out” after a predefined number of failed login attempts. It is activated by enabling the aaa access control model on the router, specifying the number of failed login attempts, and setting the type of authentication method.
*'''(config)#''' [username] [privilege level] '''password encryption-type password'''
*'''(config)# aaa new-model'''
*'''(config)# aaa local authentication attempts max-fail''' [number of attempts allowed]
*'''(config)# aaa authentication login default''' [method, eg. '''Local''']

==Advanced Router Security Configuration==
Cisco offers many additional ways to secure our routers further by hardening passwords and creating methods to prevent brute force attacks. Here, we will look at additional commands that you may want to implement on your devices to secure them further.

===Prevent Access from the Internet===
A phenomenal amount of damage to routers and host computers alike comes from the internet. Firewalls, servers, and other methods of defense can prevent attacks and intrusion into the network, but the router itself has built-in abilities that allow it to protect itself from attacks fighting to get access. In this section, we will go over Advanced Security Commands, a plethora of configuration options that allow administrators to change password settings, block access from certain users, and deflect many different types of router manipulation. We will be able to secure ports and applications, disable unused services (router hardening), and block interfaces. Advanced security is advanced; a battle to stay one step ahead of anyone trying to permeate the router and the protection of your network.
Advanced security commands
Block Denied Logins- Useful for delaying denied logins when someone is trying to brute force the router. (config)# login bock-for [seconds] attempts [attempts] within [seconds]
Quiet Login – Allows a user to still login once the router has blocked login attempts because of above.
(config)# login quiet-mode access-class [acl]
Login Delay – Adds a delay at the point of a login being unsuccessful
(config)# login delay [seconds]
Login Logging – Generates a log after a certain amount of failed or successful attempts.
(config)# login on-failure log [#]
Min Password length – Ensures that any new password created on the router meets a minimum password length.
(config)# security password min-length [number of characters]
Set Timeout – Sets a time out period for the connection line (con / vty).
(config-line)# exec-timeout [min/hour]

====Securing ports and applications====
*Some beneficial services are not enabled by default that can be turned on.
**Service tcp-keepalives-in
**Service tcp-keepalives-out
**Service timestamps debug datetime msec show-timezone localtime
**Service timestamps log datetime msec show-timezone localtime

===Disabling unused services/Router Hardening===
There are many services that are enabled by default on Cisco Routers. Each can provide information an attacker can use. Routers are social butterflies by nature; they connect and exchange information with other routers that can be tampered with and modified by external sources, leaving the system vulnerable for attack. Occasional services can be removed in order to prevent potential breach, but it can interfere with these actions if they are needed later. Note: In order to make these changes permenant, run “copy running-config startup-config” at any time to save changes to the NVRAM.
*'''(config)# no service tcp-small-servers''' Disables unnecessary services such as echo, discard, and chargen. Disabled by default
*'''(config)# No service udp-small-servers''' Disables minor User Datagram Protocol services. Disabled by default.
*'''(config)# No service dhcp''' Disables DHCP servers, which are enabled by default. Almost never necessary. DHCP can also run Bootp requests.
*'''(config)# No ip finger''' Disables Finger Service, which can provide extensive user information. (eg, who is logged on to each system)
*'''(config)# No service config''' Disables Service config, which which is enabled by defult and attempts to access server configuration files from a network Trivial File Transfer Protocol (TFTP) server
*'''(config)# No snmp-server''' Disables Simple Network Management Protocol agent operation information upadates. Disabled by default.
*'''(config)# No ip bootp server''' Disables the Bootstrap service on the router. Obtains the network location of the boot image an IP address. Enabled by default.
*'''(config)# No ip http server''' Disables the Cisco Web browser interface, which allows configuration and monitoring of the router using any web server. Enabled by default
*'''(config)# No ip http secure-server''' Disables Hyper Transfer Protocol Secure. Enabled by default
*'''(config)# No ip gratuitous-arps''' Disables the transmission of gratuitous-arps command in global configuration mode. Enabled by default
*'''(config)# No ip source-route''' Instructs the router to discard IP datagrams containing a source-rout option. Enabled by default
*'''(config)# No ip directed-broadcast''' Disables IP broadcast to a specific subnet, which can leave the system vulnerable for smurf attacks. It is disabled by default.
*'''(config)# No ip unreachables''' Prevents the Cisco router from sending UDP packets searching for ‘port unreachable’ messages. Disabling causes traceroute to ‘break’, as it cannot comprehend routes ending in unreachable. Enabled by default
*'''(config)# No cdp run''' Disables Cisco Discovery Protocol capability, which sends out multicast updates to neighbors. Enabled by default
*'''(config)# ip options drop''' Drops or ignores IP option packets that are sent to the router. Enabled by default
====Commands for Individual Interfaces====
*'''No ip directed-broadcast'''
*'''No ip unreachables'''
*'''No ip redirects''' Disables ICMP, which sends redirected messages to clients. Prevents traffic redirection. Enabled by default.
*'''No ip mask-reply''' Disables router responses to Internet Control Message Protocol (ICMP) mask requests. Enabled by default.
*'''No ip proxy-arp''' Disables Proxy ARP, which helps machines reach remote subnets, but is vulnerable to intercepted packets or “Spoofing”. Enabled by default
===Disable interfaces===
Along with having services and abilities at its disposal that hackers can manipulate, physical hardware and the ports to the router themselves can also be attacked. Therefore, it is important to know how to be able to modify security on interfaces.
The first form of security on an interface is to disable it. There’s no door safer than a wall, so by completely blocking off a port, users from footprinting the network or using port-spying techniques to break into the router. To disable a port, enter the command prompt with global configuration mode, select the interface you want to close, and shut it down.
*'''Router> enable'''
*'''Router# config terminal'''
*'''Router(config)# int ''''''[interface name, eg.'''''' fa0/1''']
*'''Router(config-if)# shutdown'''

File:Enable password encryption.png

2011-04-21T20:28:46Z

Petlast:

File:Enable password.png

2011-04-21T20:15:13Z

Petlast:

Basic and Advanced Router Security Configuration

2011-04-21T20:03:20Z

Petlast:

== Configuring a Cisco Router ==
• A Router defines a network. From its security, to making computers more scalable and easy to configure, to breaking apart broadcast domains and verifying information reaches its intended purpose, routers are essential to the security line of work and the process of securing our information. As an integral part, a router requires its own standard protection which can be configured via the console port. Router policies that are the simplest are the most often overlooked, and require careful implementation.

[[Image: cisco.jpg|right]]
==Basic Router Security Configuration==
*90% of all interactions users make with the router are through the virtual terminal server, or command line. Therefore, in order to prevent users from accessing data inside and outside the network, a network administrator needs to be proficient in using the command line to patch security flaws and implement countermeasures. There are several basic command line tools users can run that can secure the router, and by extension the entire network.

===Prevent access from inside the network===
*Although many attacks come from outside the network, there are some issues with internal threats; as simple as users acting without administrative privileges to an experienced hacker who attempts to retrieve data from a subnet. In this section, we will observe basic command line operations for password control, vty/tty access, and encrypting the saved configuration on the router to prevent back doors. Sometimes the most simple of features to run are the most integral, and it is very important to have an understanding of them.

====Password Control====
*The enable secret command is used in order to set the password that grants administrative access to the Cisco router. The enable secret increases the security of the enable password command. If no enable secret is set and a password is configured from the Telnet line, the console password can be used to receive privileged access, even from a remote tty/vty session; causing potential damage to the network.
*The service password-encryption global configuration command directs the Cisco IOS software to encrypt the passwords, Challenge Handshake Authentication Protocol (CHAP) secrets, and similar data that are saved in its configuration file. Such encryption is useful in order to prevent casual observers from reading passwords, such as when they shoulder-surf over an administrator.

*The login Password Retry Lockout commands allows an administrator to “lock out” a local user account after a configured number of unsuccessful login attempts. By using the aaa access control model (Authentication, Authorization, and accounting) the router can refuse non-administrative users and disrupting brute force attacks. Once a user is locked out, their account is locked until the administrator unlocks it. An authorized user who is configured with privilege level 15 must be kept to a minimum. Note that authorized user can lock themselves out of the router if the number of unsuccessful login attempts is reached.

===The Four Basics===
There are four steps everyone should know when configuring a router, and all configurations in the future will build on them some way or another.
*Set a console password
**The most basic form of security which prevents users from accessing the router when it is activated. They are operated by entering '''(config)# enable password''', followed by your chosen password.
[[Image: configure_console_password.png]]
*Encrypt passwords in your running configuration
**Console passwords are written in cleartext by default. They can be encrypted by inputting '''(config)# enable password-encryption'''.
*Limit user capabilities with privilege level commands
**Enable global configuration mode passwords to prevent users from editing more than their level of authorization. Configured by entering '''(config)#''', '''enable secret''', followed by your chosen password.
[[Image: enable_secret.png]]
*Set Telnet and Console passwords
**Encrypt the lines that allows users over a network to interface with the router. Performed by entering '''(config)# line console 0''' for console, '''line vty''' for Telnet; enter and inputting login, enter, password, followed by your desired password.
[[Image: vty_connection_password.png‎]]

[[Image: Configure_console_password.png]]
===Password Retry Logout===
Besides the basic commands for router security, even the least sophisticated hackers can permeate the network using techniques such as DOS and brute force. In order to prevent these new attacks, we need more complex techniques to build on top of the security we already have.
Configure Password Retry Logout: Causes a user to become “locked out” after a predefined number of failed login attempts. It is activated by enabling the aaa access control model on the router, specifying the number of failed login attempts, and setting the type of authentication method.
*'''(config)#''' [username] [privilege level] '''password encryption-type password'''
*'''(config)# aaa new-model'''
*'''(config)# aaa local authentication attempts max-fail''' [number of attempts allowed]
*'''(config)# aaa authentication login default''' [method, eg. '''Local''']

==Advanced Router Security Configuration==
Cisco offers many additional ways to secure our routers further by hardening passwords and creating methods to prevent brute force attacks. Here, we will look at additional commands that you may want to implement on your devices to secure them further.

===Prevent Access from the Internet===
A phenomenal amount of damage to routers and host computers alike comes from the internet. Firewalls, servers, and other methods of defense can prevent attacks and intrusion into the network, but the router itself has built-in abilities that allow it to protect itself from attacks fighting to get access. In this section, we will go over Advanced Security Commands, a plethora of configuration options that allow administrators to change password settings, block access from certain users, and deflect many different types of router manipulation. We will be able to secure ports and applications, disable unused services (router hardening), and block interfaces. Advanced security is advanced; a battle to stay one step ahead of anyone trying to permeate the router and the protection of your network.
Advanced security commands
Block Denied Logins- Useful for delaying denied logins when someone is trying to brute force the router. (config)# login bock-for [seconds] attempts [attempts] within [seconds]
Quiet Login – Allows a user to still login once the router has blocked login attempts because of above.
(config)# login quiet-mode access-class [acl]
Login Delay – Adds a delay at the point of a login being unsuccessful
(config)# login delay [seconds]
Login Logging – Generates a log after a certain amount of failed or successful attempts.
(config)# login on-failure log [#]
Min Password length – Ensures that any new password created on the router meets a minimum password length.
(config)# security password min-length [number of characters]
Set Timeout – Sets a time out period for the connection line (con / vty).
(config-line)# exec-timeout [min/hour]

====Securing ports and applications====
*Some beneficial services are not enabled by default that can be turned on.
**Service tcp-keepalives-in
**Service tcp-keepalives-out
**Service timestamps debug datetime msec show-timezone localtime
**Service timestamps log datetime msec show-timezone localtime

===Disabling unused services/Router Hardening===
There are many services that are enabled by default on Cisco Routers. Each can provide information an attacker can use. Routers are social butterflies by nature; they connect and exchange information with other routers that can be tampered with and modified by external sources, leaving the system vulnerable for attack. Occasional services can be removed in order to prevent potential breach, but it can interfere with these actions if they are needed later. Note: In order to make these changes permenant, run “copy running-config startup-config” at any time to save changes to the NVRAM.
*'''(config)# no service tcp-small-servers''' Disables unnecessary services such as echo, discard, and chargen. Disabled by default
*'''(config)# No service udp-small-servers''' Disables minor User Datagram Protocol services. Disabled by default.
*'''(config)# No service dhcp''' Disables DHCP servers, which are enabled by default. Almost never necessary. DHCP can also run Bootp requests.
*'''(config)# No ip finger''' Disables Finger Service, which can provide extensive user information. (eg, who is logged on to each system)
*'''(config)# No service config''' Disables Service config, which which is enabled by defult and attempts to access server configuration files from a network Trivial File Transfer Protocol (TFTP) server
*'''(config)# No snmp-server''' Disables Simple Network Management Protocol agent operation information upadates. Disabled by default.
*'''(config)# No ip bootp server''' Disables the Bootstrap service on the router. Obtains the network location of the boot image an IP address. Enabled by default.
*'''(config)# No ip http server''' Disables the Cisco Web browser interface, which allows configuration and monitoring of the router using any web server. Enabled by default
*'''(config)# No ip http secure-server''' Disables Hyper Transfer Protocol Secure. Enabled by default
*'''(config)# No ip gratuitous-arps''' Disables the transmission of gratuitous-arps command in global configuration mode. Enabled by default
*'''(config)# No ip source-route''' Instructs the router to discard IP datagrams containing a source-rout option. Enabled by default
*'''(config)# No ip directed-broadcast''' Disables IP broadcast to a specific subnet, which can leave the system vulnerable for smurf attacks. It is disabled by default.
*'''(config)# No ip unreachables''' Prevents the Cisco router from sending UDP packets searching for ‘port unreachable’ messages. Disabling causes traceroute to ‘break’, as it cannot comprehend routes ending in unreachable. Enabled by default
*'''(config)# No cdp run''' Disables Cisco Discovery Protocol capability, which sends out multicast updates to neighbors. Enabled by default
*'''(config)# ip options drop''' Drops or ignores IP option packets that are sent to the router. Enabled by default
====Commands for Individual Interfaces====
*'''No ip directed-broadcast'''
*'''No ip unreachables'''
*'''No ip redirects''' Disables ICMP, which sends redirected messages to clients. Prevents traffic redirection. Enabled by default.
*'''No ip mask-reply''' Disables router responses to Internet Control Message Protocol (ICMP) mask requests. Enabled by default.
*'''No ip proxy-arp''' Disables Proxy ARP, which helps machines reach remote subnets, but is vulnerable to intercepted packets or “Spoofing”. Enabled by default
===Disable interfaces===
Along with having services and abilities at its disposal that hackers can manipulate, physical hardware and the ports to the router themselves can also be attacked. Therefore, it is important to know how to be able to modify security on interfaces.
The first form of security on an interface is to disable it. There’s no door safer than a wall, so by completely blocking off a port, users from footprinting the network or using port-spying techniques to break into the router. To disable a port, enter the command prompt with global configuration mode, select the interface you want to close, and shut it down.
*'''Router> enable'''
*'''Router# config terminal'''
*'''Router(config)# int ''''''[interface name, eg.'''''' fa0/1''']
*'''Router(config-if)# shutdown'''

File:Enable secret.png

2011-04-21T20:01:28Z

Petlast:

Basic and Advanced Router Security Configuration

2011-04-21T19:59:02Z

Petlast:

== Configuring a Cisco Router ==
• A Router defines a network. From its security, to making computers more scalable and easy to configure, to breaking apart broadcast domains and verifying information reaches its intended purpose, routers are essential to the security line of work and the process of securing our information. As an integral part, a router requires its own standard protection which can be configured via the console port. Router policies that are the simplest are the most often overlooked, and require careful implementation.

[[Image: cisco.jpg|right]]
==Basic Router Security Configuration==
*90% of all interactions users make with the router are through the virtual terminal server, or command line. Therefore, in order to prevent users from accessing data inside and outside the network, a network administrator needs to be proficient in using the command line to patch security flaws and implement countermeasures. There are several basic command line tools users can run that can secure the router, and by extension the entire network.

===Prevent access from inside the network===
*Although many attacks come from outside the network, there are some issues with internal threats; as simple as users acting without administrative privileges to an experienced hacker who attempts to retrieve data from a subnet. In this section, we will observe basic command line operations for password control, vty/tty access, and encrypting the saved configuration on the router to prevent back doors. Sometimes the most simple of features to run are the most integral, and it is very important to have an understanding of them.

====Password Control====
*The enable secret command is used in order to set the password that grants administrative access to the Cisco router. The enable secret increases the security of the enable password command. If no enable secret is set and a password is configured from the Telnet line, the console password can be used to receive privileged access, even from a remote tty/vty session; causing potential damage to the network.
*The service password-encryption global configuration command directs the Cisco IOS software to encrypt the passwords, Challenge Handshake Authentication Protocol (CHAP) secrets, and similar data that are saved in its configuration file. Such encryption is useful in order to prevent casual observers from reading passwords, such as when they shoulder-surf over an administrator.

*The login Password Retry Lockout commands allows an administrator to “lock out” a local user account after a configured number of unsuccessful login attempts. By using the aaa access control model (Authentication, Authorization, and accounting) the router can refuse non-administrative users and disrupting brute force attacks. Once a user is locked out, their account is locked until the administrator unlocks it. An authorized user who is configured with privilege level 15 must be kept to a minimum. Note that authorized user can lock themselves out of the router if the number of unsuccessful login attempts is reached.

===The Four Basics===
There are four steps everyone should know when configuring a router, and all configurations in the future will build on them some way or another.
*Set a console password
**The most basic form of security which prevents users from accessing the router when it is activated. They are operated by entering '''(config)# enable password''', followed by your chosen password.
[[Image: configure_console_password.png]]
*Encrypt passwords in your running configuration
**Console passwords are written in cleartext by default. They can be encrypted by inputting '''(config)# enable password-encryption'''.
*Limit user capabilities with privilege level commands
**Enable global configuration mode passwords to prevent users from editing more than their level of authorization. Configured by entering '''(config)#''', '''enable secret''', followed by your chosen password.
*Set Telnet and Console passwords
**Encrypt the lines that allows users over a network to interface with the router. Performed by entering '''(config)# line console 0''' for console, '''line vty''' for Telnet; enter and inputting login, enter, password, followed by your desired password.
[[Image: vty_connection_password.png‎]]

[[Image: Configure_console_password.png]]
===Password Retry Logout===
Besides the basic commands for router security, even the least sophisticated hackers can permeate the network using techniques such as DOS and brute force. In order to prevent these new attacks, we need more complex techniques to build on top of the security we already have.
Configure Password Retry Logout: Causes a user to become “locked out” after a predefined number of failed login attempts. It is activated by enabling the aaa access control model on the router, specifying the number of failed login attempts, and setting the type of authentication method.
*'''(config)#''' [username] [privilege level] '''password encryption-type password'''
*'''(config)# aaa new-model'''
*'''(config)# aaa local authentication attempts max-fail''' [number of attempts allowed]
*'''(config)# aaa authentication login default''' [method, eg. '''Local''']

==Advanced Router Security Configuration==
Cisco offers many additional ways to secure our routers further by hardening passwords and creating methods to prevent brute force attacks. Here, we will look at additional commands that you may want to implement on your devices to secure them further.

===Prevent Access from the Internet===
A phenomenal amount of damage to routers and host computers alike comes from the internet. Firewalls, servers, and other methods of defense can prevent attacks and intrusion into the network, but the router itself has built-in abilities that allow it to protect itself from attacks fighting to get access. In this section, we will go over Advanced Security Commands, a plethora of configuration options that allow administrators to change password settings, block access from certain users, and deflect many different types of router manipulation. We will be able to secure ports and applications, disable unused services (router hardening), and block interfaces. Advanced security is advanced; a battle to stay one step ahead of anyone trying to permeate the router and the protection of your network.
Advanced security commands
Block Denied Logins- Useful for delaying denied logins when someone is trying to brute force the router. (config)# login bock-for [seconds] attempts [attempts] within [seconds]
Quiet Login – Allows a user to still login once the router has blocked login attempts because of above.
(config)# login quiet-mode access-class [acl]
Login Delay – Adds a delay at the point of a login being unsuccessful
(config)# login delay [seconds]
Login Logging – Generates a log after a certain amount of failed or successful attempts.
(config)# login on-failure log [#]
Min Password length – Ensures that any new password created on the router meets a minimum password length.
(config)# security password min-length [number of characters]
Set Timeout – Sets a time out period for the connection line (con / vty).
(config-line)# exec-timeout [min/hour]

====Securing ports and applications====
*Some beneficial services are not enabled by default that can be turned on.
**Service tcp-keepalives-in
**Service tcp-keepalives-out
**Service timestamps debug datetime msec show-timezone localtime
**Service timestamps log datetime msec show-timezone localtime

===Disabling unused services/Router Hardening===
There are many services that are enabled by default on Cisco Routers. Each can provide information an attacker can use. Routers are social butterflies by nature; they connect and exchange information with other routers that can be tampered with and modified by external sources, leaving the system vulnerable for attack. Occasional services can be removed in order to prevent potential breach, but it can interfere with these actions if they are needed later. Note: In order to make these changes permenant, run “copy running-config startup-config” at any time to save changes to the NVRAM.
*'''(config)# no service tcp-small-servers''' Disables unnecessary services such as echo, discard, and chargen. Disabled by default
*'''(config)# No service udp-small-servers''' Disables minor User Datagram Protocol services. Disabled by default.
*'''(config)# No service dhcp''' Disables DHCP servers, which are enabled by default. Almost never necessary. DHCP can also run Bootp requests.
*'''(config)# No ip finger''' Disables Finger Service, which can provide extensive user information. (eg, who is logged on to each system)
*'''(config)# No service config''' Disables Service config, which which is enabled by defult and attempts to access server configuration files from a network Trivial File Transfer Protocol (TFTP) server
*'''(config)# No snmp-server''' Disables Simple Network Management Protocol agent operation information upadates. Disabled by default.
*'''(config)# No ip bootp server''' Disables the Bootstrap service on the router. Obtains the network location of the boot image an IP address. Enabled by default.
*'''(config)# No ip http server''' Disables the Cisco Web browser interface, which allows configuration and monitoring of the router using any web server. Enabled by default
*'''(config)# No ip http secure-server''' Disables Hyper Transfer Protocol Secure. Enabled by default
*'''(config)# No ip gratuitous-arps''' Disables the transmission of gratuitous-arps command in global configuration mode. Enabled by default
*'''(config)# No ip source-route''' Instructs the router to discard IP datagrams containing a source-rout option. Enabled by default
*'''(config)# No ip directed-broadcast''' Disables IP broadcast to a specific subnet, which can leave the system vulnerable for smurf attacks. It is disabled by default.
*'''(config)# No ip unreachables''' Prevents the Cisco router from sending UDP packets searching for ‘port unreachable’ messages. Disabling causes traceroute to ‘break’, as it cannot comprehend routes ending in unreachable. Enabled by default
*'''(config)# No cdp run''' Disables Cisco Discovery Protocol capability, which sends out multicast updates to neighbors. Enabled by default
*'''(config)# ip options drop''' Drops or ignores IP option packets that are sent to the router. Enabled by default
====Commands for Individual Interfaces====
*'''No ip directed-broadcast'''
*'''No ip unreachables'''
*'''No ip redirects''' Disables ICMP, which sends redirected messages to clients. Prevents traffic redirection. Enabled by default.
*'''No ip mask-reply''' Disables router responses to Internet Control Message Protocol (ICMP) mask requests. Enabled by default.
*'''No ip proxy-arp''' Disables Proxy ARP, which helps machines reach remote subnets, but is vulnerable to intercepted packets or “Spoofing”. Enabled by default
===Disable interfaces===
Along with having services and abilities at its disposal that hackers can manipulate, physical hardware and the ports to the router themselves can also be attacked. Therefore, it is important to know how to be able to modify security on interfaces.
The first form of security on an interface is to disable it. There’s no door safer than a wall, so by completely blocking off a port, users from footprinting the network or using port-spying techniques to break into the router. To disable a port, enter the command prompt with global configuration mode, select the interface you want to close, and shut it down.
*'''Router> enable'''
*'''Router# config terminal'''
*'''Router(config)# int ''''''[interface name, eg.'''''' fa0/1''']
*'''Router(config-if)# shutdown'''

Basic and Advanced Router Security Configuration

2011-04-21T19:53:16Z

Petlast:

== Configuring a Cisco Router ==
• A Router defines a network. From its security, to making computers more scalable and easy to configure, to breaking apart broadcast domains and verifying information reaches its intended purpose, routers are essential to the security line of work and the process of securing our information. As an integral part, a router requires its own standard protection which can be configured via the console port. Router policies that are the simplest are the most often overlooked, and require careful implementation.

[[Image: cisco.jpg|right]]
==Basic Router Security Configuration==
*90% of all interactions users make with the router are through the virtual terminal server, or command line. Therefore, in order to prevent users from accessing data inside and outside the network, a network administrator needs to be proficient in using the command line to patch security flaws and implement countermeasures. There are several basic command line tools users can run that can secure the router, and by extension the entire network.

===Prevent access from inside the network===
*Although many attacks come from outside the network, there are some issues with internal threats; as simple as users acting without administrative privileges to an experienced hacker who attempts to retrieve data from a subnet. In this section, we will observe basic command line operations for password control, vty/tty access, and encrypting the saved configuration on the router to prevent back doors. Sometimes the most simple of features to run are the most integral, and it is very important to have an understanding of them.

====Password Control====
*The enable secret command is used in order to set the password that grants administrative access to the Cisco router. The enable secret increases the security of the enable password command. If no enable secret is set and a password is configured from the Telnet line, the console password can be used to receive privileged access, even from a remote tty/vty session; causing potential damage to the network.
*The service password-encryption global configuration command directs the Cisco IOS software to encrypt the passwords, Challenge Handshake Authentication Protocol (CHAP) secrets, and similar data that are saved in its configuration file. Such encryption is useful in order to prevent casual observers from reading passwords, such as when they shoulder-surf over an administrator.

*The login Password Retry Lockout commands allows an administrator to “lock out” a local user account after a configured number of unsuccessful login attempts. By using the aaa access control model (Authentication, Authorization, and accounting) the router can refuse non-administrative users and disrupting brute force attacks. Once a user is locked out, their account is locked until the administrator unlocks it. An authorized user who is configured with privilege level 15 must be kept to a minimum. Note that authorized user can lock themselves out of the router if the number of unsuccessful login attempts is reached.

===The Four Basics===
There are four steps everyone should know when configuring a router, and all configurations in the future will build on them some way or another.
*Set a console password
**The most basic form of security which prevents users from accessing the router when it is activated. They are operated by entering '''(config)# enable password''', followed by your chosen password.
[[Image: configure_console_password.png]]
*Encrypt passwords in your running configuration
**Console passwords are written in cleartext by default. They can be encrypted by inputting '''(config)# enable password-encryption'''.
*Limit user capabilities with privilege level commands
**Enable global configuration mode passwords to prevent users from editing more than their level of authorization. Configured by entering '''(config)#''', '''enable secret''', followed by your chosen password.
*Set Telnet and Console passwords
**Encrypt the lines that allows users over a network to interface with the router. Performed by entering '''(config)# line console 0''' for console, '''line vty''' for Telnet; enter and inputting login, enter, password, followed by your desired password.
[[Image: vty_connection_password.png‎]]

===Password Retry Logout===
Besides the basic commands for router security, even the least sophisticated hackers can permeate the network using techniques such as DOS and brute force. In order to prevent these new attacks, we need more complex techniques to build on top of the security we already have.
Configure Password Retry Logout: Causes a user to become “locked out” after a predefined number of failed login attempts. It is activated by enabling the aaa access control model on the router, specifying the number of failed login attempts, and setting the type of authentication method.
*'''(config)#''' [username] [privilege level] '''password encryption-type password'''
*'''(config)# aaa new-model'''
*'''(config)# aaa local authentication attempts max-fail''' [number of attempts allowed]
*'''(config)# aaa authentication login default''' [method, eg. '''Local''']

==Advanced Router Security Configuration==
Cisco offers many additional ways to secure our routers further by hardening passwords and creating methods to prevent brute force attacks. Here, we will look at additional commands that you may want to implement on your devices to secure them further.

===Prevent Access from the Internet===
A phenomenal amount of damage to routers and host computers alike comes from the internet. Firewalls, servers, and other methods of defense can prevent attacks and intrusion into the network, but the router itself has built-in abilities that allow it to protect itself from attacks fighting to get access. In this section, we will go over Advanced Security Commands, a plethora of configuration options that allow administrators to change password settings, block access from certain users, and deflect many different types of router manipulation. We will be able to secure ports and applications, disable unused services (router hardening), and block interfaces. Advanced security is advanced; a battle to stay one step ahead of anyone trying to permeate the router and the protection of your network.
Advanced security commands
Block Denied Logins- Useful for delaying denied logins when someone is trying to brute force the router. (config)# login bock-for [seconds] attempts [attempts] within [seconds]
Quiet Login – Allows a user to still login once the router has blocked login attempts because of above.
(config)# login quiet-mode access-class [acl]
Login Delay – Adds a delay at the point of a login being unsuccessful
(config)# login delay [seconds]
Login Logging – Generates a log after a certain amount of failed or successful attempts.
(config)# login on-failure log [#]
Min Password length – Ensures that any new password created on the router meets a minimum password length.
(config)# security password min-length [number of characters]
Set Timeout – Sets a time out period for the connection line (con / vty).
(config-line)# exec-timeout [min/hour]

====Securing ports and applications====
*Some beneficial services are not enabled by default that can be turned on.
**Service tcp-keepalives-in
**Service tcp-keepalives-out
**Service timestamps debug datetime msec show-timezone localtime
**Service timestamps log datetime msec show-timezone localtime

===Disabling unused services/Router Hardening===
There are many services that are enabled by default on Cisco Routers. Each can provide information an attacker can use. Routers are social butterflies by nature; they connect and exchange information with other routers that can be tampered with and modified by external sources, leaving the system vulnerable for attack. Occasional services can be removed in order to prevent potential breach, but it can interfere with these actions if they are needed later. Note: In order to make these changes permenant, run “copy running-config startup-config” at any time to save changes to the NVRAM.
*'''(config)# no service tcp-small-servers''' Disables unnecessary services such as echo, discard, and chargen. Disabled by default
*'''(config)# No service udp-small-servers''' Disables minor User Datagram Protocol services. Disabled by default.
*'''(config)# No service dhcp''' Disables DHCP servers, which are enabled by default. Almost never necessary. DHCP can also run Bootp requests.
*'''(config)# No ip finger''' Disables Finger Service, which can provide extensive user information. (eg, who is logged on to each system)
*'''(config)# No service config''' Disables Service config, which which is enabled by defult and attempts to access server configuration files from a network Trivial File Transfer Protocol (TFTP) server
*'''(config)# No snmp-server''' Disables Simple Network Management Protocol agent operation information upadates. Disabled by default.
*'''(config)# No ip bootp server''' Disables the Bootstrap service on the router. Obtains the network location of the boot image an IP address. Enabled by default.
*'''(config)# No ip http server''' Disables the Cisco Web browser interface, which allows configuration and monitoring of the router using any web server. Enabled by default
*'''(config)# No ip http secure-server''' Disables Hyper Transfer Protocol Secure. Enabled by default
*'''(config)# No ip gratuitous-arps''' Disables the transmission of gratuitous-arps command in global configuration mode. Enabled by default
*'''(config)# No ip source-route''' Instructs the router to discard IP datagrams containing a source-rout option. Enabled by default
*'''(config)# No ip directed-broadcast''' Disables IP broadcast to a specific subnet, which can leave the system vulnerable for smurf attacks. It is disabled by default.
*'''(config)# No ip unreachables''' Prevents the Cisco router from sending UDP packets searching for ‘port unreachable’ messages. Disabling causes traceroute to ‘break’, as it cannot comprehend routes ending in unreachable. Enabled by default
*'''(config)# No cdp run''' Disables Cisco Discovery Protocol capability, which sends out multicast updates to neighbors. Enabled by default
*'''(config)# ip options drop''' Drops or ignores IP option packets that are sent to the router. Enabled by default
====Commands for Individual Interfaces====
*'''No ip directed-broadcast'''
*'''No ip unreachables'''
*'''No ip redirects''' Disables ICMP, which sends redirected messages to clients. Prevents traffic redirection. Enabled by default.
*'''No ip mask-reply''' Disables router responses to Internet Control Message Protocol (ICMP) mask requests. Enabled by default.
*'''No ip proxy-arp''' Disables Proxy ARP, which helps machines reach remote subnets, but is vulnerable to intercepted packets or “Spoofing”. Enabled by default
===Disable interfaces===
Along with having services and abilities at its disposal that hackers can manipulate, physical hardware and the ports to the router themselves can also be attacked. Therefore, it is important to know how to be able to modify security on interfaces.
The first form of security on an interface is to disable it. There’s no door safer than a wall, so by completely blocking off a port, users from footprinting the network or using port-spying techniques to break into the router. To disable a port, enter the command prompt with global configuration mode, select the interface you want to close, and shut it down.
*'''Router> enable'''
*'''Router# config terminal'''
*'''Router(config)# int ''''''[interface name, eg.'''''' fa0/1''']
*'''Router(config-if)# shutdown'''

Basic and Advanced Router Security Configuration

2011-04-21T19:50:09Z

Petlast:

== Configuring a Cisco Router ==
• A Router defines a network. From its security, to making computers more scalable and easy to configure, to breaking apart broadcast domains and verifying information reaches its intended purpose, routers are essential to the security line of work and the process of securing our information. As an integral part, a router requires its own standard protection which can be configured via the console port. Router policies that are the simplest are the most often overlooked, and require careful implementation.

==Basic Router Security Configuration==
*90% of all interactions users make with the router are through the virtual terminal server, or command line. Therefore, in order to prevent users from accessing data inside and outside the network, a network administrator needs to be proficient in using the command line to patch security flaws and implement countermeasures. There are several basic command line tools users can run that can secure the router, and by extension the entire network.

===Prevent access from inside the network===
*Although many attacks come from outside the network, there are some issues with internal threats; as simple as users acting without administrative privileges to an experienced hacker who attempts to retrieve data from a subnet. In this section, we will observe basic command line operations for password control, vty/tty access, and encrypting the saved configuration on the router to prevent back doors. Sometimes the most simple of features to run are the most integral, and it is very important to have an understanding of them.

====Password Control====
*The enable secret command is used in order to set the password that grants administrative access to the Cisco router. The enable secret increases the security of the enable password command. If no enable secret is set and a password is configured from the Telnet line, the console password can be used to receive privileged access, even from a remote tty/vty session; causing potential damage to the network.
*The service password-encryption global configuration command directs the Cisco IOS software to encrypt the passwords, Challenge Handshake Authentication Protocol (CHAP) secrets, and similar data that are saved in its configuration file. Such encryption is useful in order to prevent casual observers from reading passwords, such as when they shoulder-surf over an administrator.

*The login Password Retry Lockout commands allows an administrator to “lock out” a local user account after a configured number of unsuccessful login attempts. By using the aaa access control model (Authentication, Authorization, and accounting) the router can refuse non-administrative users and disrupting brute force attacks. Once a user is locked out, their account is locked until the administrator unlocks it. An authorized user who is configured with privilege level 15 must be kept to a minimum. Note that authorized user can lock themselves out of the router if the number of unsuccessful login attempts is reached.

===The Four Basics===
There are four steps everyone should know when configuring a router, and all configurations in the future will build on them some way or another.
*Set a console password
**The most basic form of security which prevents users from accessing the router when it is activated. They are operated by entering '''(config)# enable password''', followed by your chosen password.
[[Image: configure_console_password.png]]
*Encrypt passwords in your running configuration
**Console passwords are written in cleartext by default. They can be encrypted by inputting '''(config)# enable password-encryption'''.
*Limit user capabilities with privilege level commands
**Enable global configuration mode passwords to prevent users from editing more than their level of authorization. Configured by entering '''(config)#''', '''enable secret''', followed by your chosen password.
*Set Telnet and Console passwords
**Encrypt the lines that allows users over a network to interface with the router. Performed by entering '''(config)# line console 0''' for console, '''line vty''' for Telnet; enter and inputting login, enter, password, followed by your desired password.
[[Image: vty_connection_password.png‎]]

===Password Retry Logout===
Besides the basic commands for router security, even the least sophisticated hackers can permeate the network using techniques such as DOS and brute force. In order to prevent these new attacks, we need more complex techniques to build on top of the security we already have.
Configure Password Retry Logout: Causes a user to become “locked out” after a predefined number of failed login attempts. It is activated by enabling the aaa access control model on the router, specifying the number of failed login attempts, and setting the type of authentication method.
*'''(config)#''' [username] [privilege level] '''password encryption-type password'''
*'''(config)# aaa new-model'''
*'''(config)# aaa local authentication attempts max-fail''' [number of attempts allowed]
*'''(config)# aaa authentication login default''' [method, eg. '''Local''']

==Advanced Router Security Configuration==
Cisco offers many additional ways to secure our routers further by hardening passwords and creating methods to prevent brute force attacks. Here, we will look at additional commands that you may want to implement on your devices to secure them further.

===Prevent Access from the Internet===
A phenomenal amount of damage to routers and host computers alike comes from the internet. Firewalls, servers, and other methods of defense can prevent attacks and intrusion into the network, but the router itself has built-in abilities that allow it to protect itself from attacks fighting to get access. In this section, we will go over Advanced Security Commands, a plethora of configuration options that allow administrators to change password settings, block access from certain users, and deflect many different types of router manipulation. We will be able to secure ports and applications, disable unused services (router hardening), and block interfaces. Advanced security is advanced; a battle to stay one step ahead of anyone trying to permeate the router and the protection of your network.
Advanced security commands
Block Denied Logins- Useful for delaying denied logins when someone is trying to brute force the router. (config)# login bock-for [seconds] attempts [attempts] within [seconds]
Quiet Login – Allows a user to still login once the router has blocked login attempts because of above.
(config)# login quiet-mode access-class [acl]
Login Delay – Adds a delay at the point of a login being unsuccessful
(config)# login delay [seconds]
Login Logging – Generates a log after a certain amount of failed or successful attempts.
(config)# login on-failure log [#]
Min Password length – Ensures that any new password created on the router meets a minimum password length.
(config)# security password min-length [number of characters]
Set Timeout – Sets a time out period for the connection line (con / vty).
(config-line)# exec-timeout [min/hour]

====Securing ports and applications====
*Some beneficial services are not enabled by default that can be turned on.
**Service tcp-keepalives-in
**Service tcp-keepalives-out
**Service timestamps debug datetime msec show-timezone localtime
**Service timestamps log datetime msec show-timezone localtime

===Disabling unused services/Router Hardening===
There are many services that are enabled by default on Cisco Routers. Each can provide information an attacker can use. Routers are social butterflies by nature; they connect and exchange information with other routers that can be tampered with and modified by external sources, leaving the system vulnerable for attack. Occasional services can be removed in order to prevent potential breach, but it can interfere with these actions if they are needed later. Note: In order to make these changes permenant, run “copy running-config startup-config” at any time to save changes to the NVRAM.
*'''(config)# no service tcp-small-servers''' Disables unnecessary services such as echo, discard, and chargen. Disabled by default
*'''(config)# No service udp-small-servers''' Disables minor User Datagram Protocol services. Disabled by default.
*'''(config)# No service dhcp''' Disables DHCP servers, which are enabled by default. Almost never necessary. DHCP can also run Bootp requests.
*'''(config)# No ip finger''' Disables Finger Service, which can provide extensive user information. (eg, who is logged on to each system)
*'''(config)# No service config''' Disables Service config, which which is enabled by defult and attempts to access server configuration files from a network Trivial File Transfer Protocol (TFTP) server
*'''(config)# No snmp-server''' Disables Simple Network Management Protocol agent operation information upadates. Disabled by default.
*'''(config)# No ip bootp server''' Disables the Bootstrap service on the router. Obtains the network location of the boot image an IP address. Enabled by default.
*'''(config)# No ip http server''' Disables the Cisco Web browser interface, which allows configuration and monitoring of the router using any web server. Enabled by default
*'''(config)# No ip http secure-server''' Disables Hyper Transfer Protocol Secure. Enabled by default
*'''(config)# No ip gratuitous-arps''' Disables the transmission of gratuitous-arps command in global configuration mode. Enabled by default
*'''(config)# No ip source-route''' Instructs the router to discard IP datagrams containing a source-rout option. Enabled by default
*'''(config)# No ip directed-broadcast''' Disables IP broadcast to a specific subnet, which can leave the system vulnerable for smurf attacks. It is disabled by default.
*'''(config)# No ip unreachables''' Prevents the Cisco router from sending UDP packets searching for ‘port unreachable’ messages. Disabling causes traceroute to ‘break’, as it cannot comprehend routes ending in unreachable. Enabled by default
*'''(config)# No cdp run''' Disables Cisco Discovery Protocol capability, which sends out multicast updates to neighbors. Enabled by default
*'''(config)# ip options drop''' Drops or ignores IP option packets that are sent to the router. Enabled by default
====Commands for Individual Interfaces====
*'''No ip directed-broadcast'''
*'''No ip unreachables'''
*'''No ip redirects''' Disables ICMP, which sends redirected messages to clients. Prevents traffic redirection. Enabled by default.
*'''No ip mask-reply''' Disables router responses to Internet Control Message Protocol (ICMP) mask requests. Enabled by default.
*'''No ip proxy-arp''' Disables Proxy ARP, which helps machines reach remote subnets, but is vulnerable to intercepted packets or “Spoofing”. Enabled by default
===Disable interfaces===
Along with having services and abilities at its disposal that hackers can manipulate, physical hardware and the ports to the router themselves can also be attacked. Therefore, it is important to know how to be able to modify security on interfaces.
The first form of security on an interface is to disable it. There’s no door safer than a wall, so by completely blocking off a port, users from footprinting the network or using port-spying techniques to break into the router. To disable a port, enter the command prompt with global configuration mode, select the interface you want to close, and shut it down.
*'''Router> enable'''
*'''Router# config terminal'''
*'''Router(config)# int ''''''[interface name, eg.'''''' fa0/1''']
*'''Router(config-if)# shutdown'''

User:Petlast

2011-04-21T19:45:22Z

Petlast: moved User:Petlast to Basic and Advanced Router Security Configuration

#REDIRECT [[Basic and Advanced Router Security Configuration]]

Basic and Advanced Router Security Configuration

2011-04-21T19:45:22Z

Petlast: moved User:Petlast to Basic and Advanced Router Security Configuration

== Configuring a Cisco Router ==
• A Router defines a network. From its security, to making computers more scalable and easy to configure, to breaking apart broadcast domains and verifying information reaches its intended purpose, routers are essential to the security line of work and the process of securing our information. As an integral part, a router requires its own standard protection which can be configured via the console port. Router policies that are the simplest are the most often overlooked, and require careful implementation.

==Basic Router Security Configuration==
*90% of all interactions users make with the router are through the virtual terminal server, or command line. Therefore, in order to prevent users from accessing data inside and outside the network, a network administrator needs to be proficient in using the command line to patch security flaws and implement countermeasures. There are several basic command line tools users can run that can secure the router, and by extension the entire network.

===Prevent access from inside the network===
*Although many attacks come from outside the network, there are some issues with internal threats; as simple as users acting without administrative privileges to an experienced hacker who attempts to retrieve data from a subnet. In this section, we will observe basic command line operations for password control, vty/tty access, and encrypting the saved configuration on the router to prevent back doors. Sometimes the most simple of features to run are the most integral, and it is very important to have an understanding of them.

====Password Control====
*The enable secret command is used in order to set the password that grants administrative access to the Cisco router. The enable secret increases the security of the enable password command. If no enable secret is set and a password is configured from the Telnet line, the console password can be used to receive privileged access, even from a remote tty/vty session; causing potential damage to the network.
*The service password-encryption global configuration command directs the Cisco IOS software to encrypt the passwords, Challenge Handshake Authentication Protocol (CHAP) secrets, and similar data that are saved in its configuration file. Such encryption is useful in order to prevent casual observers from reading passwords, such as when they shoulder-surf over an administrator.

*The login Password Retry Lockout commands allows an administrator to “lock out” a local user account after a configured number of unsuccessful login attempts. By using the aaa access control model (Authentication, Authorization, and accounting) the router can refuse non-administrative users and disrupting brute force attacks. Once a user is locked out, their account is locked until the administrator unlocks it. An authorized user who is configured with privilege level 15 must be kept to a minimum. Note that authorized user can lock themselves out of the router if the number of unsuccessful login attempts is reached.

===The Four Basics===
There are four steps everyone should know when configuring a router, and all configurations in the future will build on them some way or another.
*Set a console password
**The most basic form of security which prevents users from accessing the router when it is activated. They are operated by entering '''(config)# enable password''', followed by your chosen password.[[Image: configure_console_password.png]]
*Encrypt passwords in your running configuration
**Console passwords are written in cleartext by default. They can be encrypted by inputting '''(config)# enable password-encryption'''. [[Image: basic_router_security.png]]
*Limit user capabilities with privilege level commands
**Enable global configuration mode passwords to prevent users from editing more than their level of authorization. Configured by entering '''(config)#''', '''enable secret''', followed by your chosen password.
*Set Telnet and Console passwords
**Encrypt the lines that allows users over a network to interface with the router. Performed by entering '''(config)# line console 0''' for console, '''line vty''' for Telnet; enter and inputting login, enter, password, followed by your desired password.

===Password Retry Logout===
Besides the basic commands for router security, even the least sophisticated hackers can permeate the network using techniques such as DOS and brute force. In order to prevent these new attacks, we need more complex techniques to build on top of the security we already have.
Configure Password Retry Logout: Causes a user to become “locked out” after a predefined number of failed login attempts. It is activated by enabling the aaa access control model on the router, specifying the number of failed login attempts, and setting the type of authentication method.
*'''(config)#''' [username] [privilege level] '''password encryption-type password'''
*'''(config)# aaa new-model'''
*'''(config)# aaa local authentication attempts max-fail''' [number of attempts allowed]
*'''(config)# aaa authentication login default''' [method, eg. '''Local''']

==Advanced Router Security Configuration==
Cisco offers many additional ways to secure our routers further by hardening passwords and creating methods to prevent brute force attacks. Here, we will look at additional commands that you may want to implement on your devices to secure them further.

===Prevent Access from the Internet===
A phenomenal amount of damage to routers and host computers alike comes from the internet. Firewalls, servers, and other methods of defense can prevent attacks and intrusion into the network, but the router itself has built-in abilities that allow it to protect itself from attacks fighting to get access. In this section, we will go over Advanced Security Commands, a plethora of configuration options that allow administrators to change password settings, block access from certain users, and deflect many different types of router manipulation. We will be able to secure ports and applications, disable unused services (router hardening), and block interfaces. Advanced security is advanced; a battle to stay one step ahead of anyone trying to permeate the router and the protection of your network.
Advanced security commands
Block Denied Logins- Useful for delaying denied logins when someone is trying to brute force the router. (config)# login bock-for [seconds] attempts [attempts] within [seconds]
Quiet Login – Allows a user to still login once the router has blocked login attempts because of above.
(config)# login quiet-mode access-class [acl]
Login Delay – Adds a delay at the point of a login being unsuccessful
(config)# login delay [seconds]
Login Logging – Generates a log after a certain amount of failed or successful attempts.
(config)# login on-failure log [#]
Min Password length – Ensures that any new password created on the router meets a minimum password length.
(config)# security password min-length [number of characters]
Set Timeout – Sets a time out period for the connection line (con / vty).
(config-line)# exec-timeout [min/hour]

====Securing ports and applications====
*Some beneficial services are not enabled by default that can be turned on.
**Service tcp-keepalives-in
**Service tcp-keepalives-out
**Service timestamps debug datetime msec show-timezone localtime
**Service timestamps log datetime msec show-timezone localtime

===Disabling unused services/Router Hardening===
There are many services that are enabled by default on Cisco Routers. Each can provide information an attacker can use. Routers are social butterflies by nature; they connect and exchange information with other routers that can be tampered with and modified by external sources, leaving the system vulnerable for attack. Occasional services can be removed in order to prevent potential breach, but it can interfere with these actions if they are needed later. Note: In order to make these changes permenant, run “copy running-config startup-config” at any time to save changes to the NVRAM.
*'''(config)# no service tcp-small-servers''' Disables unnecessary services such as echo, discard, and chargen. Disabled by default
*'''(config)# No service udp-small-servers''' Disables minor User Datagram Protocol services. Disabled by default.
*'''(config)# No service dhcp''' Disables DHCP servers, which are enabled by default. Almost never necessary. DHCP can also run Bootp requests.
*'''(config)# No ip finger''' Disables Finger Service, which can provide extensive user information. (eg, who is logged on to each system)
*'''(config)# No service config''' Disables Service config, which which is enabled by defult and attempts to access server configuration files from a network Trivial File Transfer Protocol (TFTP) server
*'''(config)# No snmp-server''' Disables Simple Network Management Protocol agent operation information upadates. Disabled by default.
*'''(config)# No ip bootp server''' Disables the Bootstrap service on the router. Obtains the network location of the boot image an IP address. Enabled by default.
*'''(config)# No ip http server''' Disables the Cisco Web browser interface, which allows configuration and monitoring of the router using any web server. Enabled by default
*'''(config)# No ip http secure-server''' Disables Hyper Transfer Protocol Secure. Enabled by default
*'''(config)# No ip gratuitous-arps''' Disables the transmission of gratuitous-arps command in global configuration mode. Enabled by default
*'''(config)# No ip source-route''' Instructs the router to discard IP datagrams containing a source-rout option. Enabled by default
*'''(config)# No ip directed-broadcast''' Disables IP broadcast to a specific subnet, which can leave the system vulnerable for smurf attacks. It is disabled by default.
*'''(config)# No ip unreachables''' Prevents the Cisco router from sending UDP packets searching for ‘port unreachable’ messages. Disabling causes traceroute to ‘break’, as it cannot comprehend routes ending in unreachable. Enabled by default
*'''(config)# No cdp run''' Disables Cisco Discovery Protocol capability, which sends out multicast updates to neighbors. Enabled by default
*'''(config)# ip options drop''' Drops or ignores IP option packets that are sent to the router. Enabled by default
====Commands for Individual Interfaces====
*'''No ip directed-broadcast'''
*'''No ip unreachables'''
*'''No ip redirects''' Disables ICMP, which sends redirected messages to clients. Prevents traffic redirection. Enabled by default.
*'''No ip mask-reply''' Disables router responses to Internet Control Message Protocol (ICMP) mask requests. Enabled by default.
*'''No ip proxy-arp''' Disables Proxy ARP, which helps machines reach remote subnets, but is vulnerable to intercepted packets or “Spoofing”. Enabled by default
===Disable interfaces===
Along with having services and abilities at its disposal that hackers can manipulate, physical hardware and the ports to the router themselves can also be attacked. Therefore, it is important to know how to be able to modify security on interfaces.
The first form of security on an interface is to disable it. There’s no door safer than a wall, so by completely blocking off a port, users from footprinting the network or using port-spying techniques to break into the router. To disable a port, enter the command prompt with global configuration mode, select the interface you want to close, and shut it down.
*'''Router> enable'''
*'''Router# config terminal'''
*'''Router(config)# int ''''''[interface name, eg.'''''' fa0/1''']
*'''Router(config-if)# shutdown'''

Basic and Advanced Router Security Configuration

2011-04-21T19:42:48Z

Petlast:

== Configuring a Cisco Router ==
• A Router defines a network. From its security, to making computers more scalable and easy to configure, to breaking apart broadcast domains and verifying information reaches its intended purpose, routers are essential to the security line of work and the process of securing our information. As an integral part, a router requires its own standard protection which can be configured via the console port. Router policies that are the simplest are the most often overlooked, and require careful implementation.

==Basic Router Security Configuration==
*90% of all interactions users make with the router are through the virtual terminal server, or command line. Therefore, in order to prevent users from accessing data inside and outside the network, a network administrator needs to be proficient in using the command line to patch security flaws and implement countermeasures. There are several basic command line tools users can run that can secure the router, and by extension the entire network.

===Prevent access from inside the network===
*Although many attacks come from outside the network, there are some issues with internal threats; as simple as users acting without administrative privileges to an experienced hacker who attempts to retrieve data from a subnet. In this section, we will observe basic command line operations for password control, vty/tty access, and encrypting the saved configuration on the router to prevent back doors. Sometimes the most simple of features to run are the most integral, and it is very important to have an understanding of them.

====Password Control====
*The enable secret command is used in order to set the password that grants administrative access to the Cisco router. The enable secret increases the security of the enable password command. If no enable secret is set and a password is configured from the Telnet line, the console password can be used to receive privileged access, even from a remote tty/vty session; causing potential damage to the network.
*The service password-encryption global configuration command directs the Cisco IOS software to encrypt the passwords, Challenge Handshake Authentication Protocol (CHAP) secrets, and similar data that are saved in its configuration file. Such encryption is useful in order to prevent casual observers from reading passwords, such as when they shoulder-surf over an administrator.

*The login Password Retry Lockout commands allows an administrator to “lock out” a local user account after a configured number of unsuccessful login attempts. By using the aaa access control model (Authentication, Authorization, and accounting) the router can refuse non-administrative users and disrupting brute force attacks. Once a user is locked out, their account is locked until the administrator unlocks it. An authorized user who is configured with privilege level 15 must be kept to a minimum. Note that authorized user can lock themselves out of the router if the number of unsuccessful login attempts is reached.

===The Four Basics===
There are four steps everyone should know when configuring a router, and all configurations in the future will build on them some way or another.
*Set a console password
**The most basic form of security which prevents users from accessing the router when it is activated. They are operated by entering '''(config)# enable password''', followed by your chosen password.[[Image: configure_console_password.png]]
*Encrypt passwords in your running configuration
**Console passwords are written in cleartext by default. They can be encrypted by inputting '''(config)# enable password-encryption'''. [[Image: basic_router_security.png]]
*Limit user capabilities with privilege level commands
**Enable global configuration mode passwords to prevent users from editing more than their level of authorization. Configured by entering '''(config)#''', '''enable secret''', followed by your chosen password.
*Set Telnet and Console passwords
**Encrypt the lines that allows users over a network to interface with the router. Performed by entering '''(config)# line console 0''' for console, '''line vty''' for Telnet; enter and inputting login, enter, password, followed by your desired password.

===Password Retry Logout===
Besides the basic commands for router security, even the least sophisticated hackers can permeate the network using techniques such as DOS and brute force. In order to prevent these new attacks, we need more complex techniques to build on top of the security we already have.
Configure Password Retry Logout: Causes a user to become “locked out” after a predefined number of failed login attempts. It is activated by enabling the aaa access control model on the router, specifying the number of failed login attempts, and setting the type of authentication method.
*'''(config)#''' [username] [privilege level] '''password encryption-type password'''
*'''(config)# aaa new-model'''
*'''(config)# aaa local authentication attempts max-fail''' [number of attempts allowed]
*'''(config)# aaa authentication login default''' [method, eg. '''Local''']

==Advanced Router Security Configuration==
Cisco offers many additional ways to secure our routers further by hardening passwords and creating methods to prevent brute force attacks. Here, we will look at additional commands that you may want to implement on your devices to secure them further.

===Prevent Access from the Internet===
A phenomenal amount of damage to routers and host computers alike comes from the internet. Firewalls, servers, and other methods of defense can prevent attacks and intrusion into the network, but the router itself has built-in abilities that allow it to protect itself from attacks fighting to get access. In this section, we will go over Advanced Security Commands, a plethora of configuration options that allow administrators to change password settings, block access from certain users, and deflect many different types of router manipulation. We will be able to secure ports and applications, disable unused services (router hardening), and block interfaces. Advanced security is advanced; a battle to stay one step ahead of anyone trying to permeate the router and the protection of your network.
Advanced security commands
Block Denied Logins- Useful for delaying denied logins when someone is trying to brute force the router. (config)# login bock-for [seconds] attempts [attempts] within [seconds]
Quiet Login – Allows a user to still login once the router has blocked login attempts because of above.
(config)# login quiet-mode access-class [acl]
Login Delay – Adds a delay at the point of a login being unsuccessful
(config)# login delay [seconds]
Login Logging – Generates a log after a certain amount of failed or successful attempts.
(config)# login on-failure log [#]
Min Password length – Ensures that any new password created on the router meets a minimum password length.
(config)# security password min-length [number of characters]
Set Timeout – Sets a time out period for the connection line (con / vty).
(config-line)# exec-timeout [min/hour]

====Securing ports and applications====
*Some beneficial services are not enabled by default that can be turned on.
**Service tcp-keepalives-in
**Service tcp-keepalives-out
**Service timestamps debug datetime msec show-timezone localtime
**Service timestamps log datetime msec show-timezone localtime

===Disabling unused services/Router Hardening===
There are many services that are enabled by default on Cisco Routers. Each can provide information an attacker can use. Routers are social butterflies by nature; they connect and exchange information with other routers that can be tampered with and modified by external sources, leaving the system vulnerable for attack. Occasional services can be removed in order to prevent potential breach, but it can interfere with these actions if they are needed later. Note: In order to make these changes permenant, run “copy running-config startup-config” at any time to save changes to the NVRAM.
*'''(config)# no service tcp-small-servers''' Disables unnecessary services such as echo, discard, and chargen. Disabled by default
*'''(config)# No service udp-small-servers''' Disables minor User Datagram Protocol services. Disabled by default.
*'''(config)# No service dhcp''' Disables DHCP servers, which are enabled by default. Almost never necessary. DHCP can also run Bootp requests.
*'''(config)# No ip finger''' Disables Finger Service, which can provide extensive user information. (eg, who is logged on to each system)
*'''(config)# No service config''' Disables Service config, which which is enabled by defult and attempts to access server configuration files from a network Trivial File Transfer Protocol (TFTP) server
*'''(config)# No snmp-server''' Disables Simple Network Management Protocol agent operation information upadates. Disabled by default.
*'''(config)# No ip bootp server''' Disables the Bootstrap service on the router. Obtains the network location of the boot image an IP address. Enabled by default.
*'''(config)# No ip http server''' Disables the Cisco Web browser interface, which allows configuration and monitoring of the router using any web server. Enabled by default
*'''(config)# No ip http secure-server''' Disables Hyper Transfer Protocol Secure. Enabled by default
*'''(config)# No ip gratuitous-arps''' Disables the transmission of gratuitous-arps command in global configuration mode. Enabled by default
*'''(config)# No ip source-route''' Instructs the router to discard IP datagrams containing a source-rout option. Enabled by default
*'''(config)# No ip directed-broadcast''' Disables IP broadcast to a specific subnet, which can leave the system vulnerable for smurf attacks. It is disabled by default.
*'''(config)# No ip unreachables''' Prevents the Cisco router from sending UDP packets searching for ‘port unreachable’ messages. Disabling causes traceroute to ‘break’, as it cannot comprehend routes ending in unreachable. Enabled by default
*'''(config)# No cdp run''' Disables Cisco Discovery Protocol capability, which sends out multicast updates to neighbors. Enabled by default
*'''(config)# ip options drop''' Drops or ignores IP option packets that are sent to the router. Enabled by default
====Commands for Individual Interfaces====
*'''No ip directed-broadcast'''
*'''No ip unreachables'''
*'''No ip redirects''' Disables ICMP, which sends redirected messages to clients. Prevents traffic redirection. Enabled by default.
*'''No ip mask-reply''' Disables router responses to Internet Control Message Protocol (ICMP) mask requests. Enabled by default.
*'''No ip proxy-arp''' Disables Proxy ARP, which helps machines reach remote subnets, but is vulnerable to intercepted packets or “Spoofing”. Enabled by default
===Disable interfaces===
Along with having services and abilities at its disposal that hackers can manipulate, physical hardware and the ports to the router themselves can also be attacked. Therefore, it is important to know how to be able to modify security on interfaces.
The first form of security on an interface is to disable it. There’s no door safer than a wall, so by completely blocking off a port, users from footprinting the network or using port-spying techniques to break into the router. To disable a port, enter the command prompt with global configuration mode, select the interface you want to close, and shut it down.
*'''Router> enable'''
*'''Router# config terminal'''
*'''Router(config)# int ''''''[interface name, eg.'''''' fa0/1''']
*'''Router(config-if)# shutdown'''

File:Cisco.jpg

2011-04-21T19:35:08Z

Petlast:

File:Vty connection password.png

2011-04-21T19:31:03Z

Petlast:

File:Success login small.png

2011-04-21T19:30:24Z

Petlast:

File:Min length.png

2011-04-21T19:13:31Z

Petlast:

File:Login delay small.png

2011-04-21T19:12:59Z

Petlast:

File:Login block small.png

2011-04-21T19:12:16Z

Petlast:

File:Login block attempts small.png

2011-04-21T19:11:44Z

Petlast:

File:Fail login small.png

2011-04-21T19:10:49Z

Petlast:

File:Enable password min length example.png

2011-04-21T19:10:13Z

Petlast:

File:Configure console password.png

2011-04-21T19:09:39Z

Petlast:

File:Basic router security.png

2011-04-21T19:09:15Z

Petlast: