Network Security: Accessing the WAN – Chapter 4 - Part II. Modified by Tony Chen, 07/20/2008
Notes:
• If you see any mistake on my PowerPoint slides or if you have any questions about the materials, please feel free to email me at chento@cod.edu. Thanks! Tony Chen, College of DuPage, Cisco Networking Academy
What is Cisco SDM?
• The Cisco Security Device Manager (SDM) is a web-based device-management tool for configuring LAN, WAN, and security features on Cisco IOS software-based routers.
• It provides easy-to-use smart wizards,
• automates router security management, and
• assists through comprehensive online help.
• Cisco SDM ships preinstalled by default on all new Cisco integrated services routers. If it is not preinstalled, you will have to install it.
• If SDM is preinstalled, Cisco recommends using Cisco SDM to perform the initial configuration.
• SDM files can be installed on the router, on a PC, or on both.
• An advantage of installing SDM on the PC is that it saves router memory and allows you to use SDM to manage other routers on the network.
Cisco SDM Features
• Cisco SDM simplifies router and security configuration through intelligent wizards that enable efficient configuration of key router VPN and Cisco IOS firewall parameters.
• Cisco SDM smart wizards:
  • guide users step-by-step through the router and security configuration workflow by systematically configuring LAN and WAN interfaces, firewall, IPS, and VPNs;
  • intelligently detect incorrect configurations and propose fixes, such as allowing DHCP traffic through a firewall if the WAN interface is DHCP-addressed.
• Online help embedded within Cisco SDM contains appropriate background information.
Configuring a Router to Support SDM
• Before you can install SDM on an operational router, you must ensure that a few configuration settings are present in the router configuration file.
• Step 1. Access the router's Cisco IOS CLI using Telnet or the console connection.
• Step 2. Enable the HTTP and HTTPS servers on the router.
• Step 3. Create a user account with privilege level 15 (enable privileges).
• Step 4. Configure SSH and Telnet for local login and privilege level 15.
Starting Cisco SDM
• To launch Cisco SDM, use the HTTPS protocol and enter the IP address of the router in the browser.
• The figure shows the browser with an address of https://198.162.20.1 and the launch page for Cisco SDM.
• The http:// prefix can be used if SSL is not available.
• When the username and password dialog box appears (not shown), enter the username and password of the privileged (privilege level 15) account on the router.
• After the launch page appears, a signed Cisco SDM Java applet loads; it must remain open while Cisco SDM is running.
• Because the Cisco SDM Java applet is signed, you may be prompted to accept a certificate.
Cisco SDM Home Page Overview
• After you log in, the Overview page displays:
  • the router model,
  • the total amount of memory,
  • the versions of flash, IOS, and SDM,
  • the hardware installed, and
  • a summary of security features, such as firewall status and the number of active VPN connections.
• Specifically, it provides basic information about:
  • Menu bar - The top of the screen has a typical menu bar with File, Edit, View, Tools, and Help.
  • Tool bar - Below the menu bar are the SDM wizards and modes you can select.
  • Router information - The current mode is displayed on the left side under the tool bar.
  • Configuration overview - Summarizes the configuration settings.
About Your Router Area
• This area of the SDM page shows:
  • Host Name - The configured hostname of the router, which is RouterX.
  • Hardware - The router model number, the available and total amounts of RAM, and the amount of Flash memory available.
  • Software - The Cisco IOS software and Cisco SDM versions running on the router.
• The Feature Availability bar, found across the bottom of the About Your Router tab, shows the features available in the Cisco IOS image that the router is using.
  • If the indicator beside a feature is green, the feature is available.
  • If it is red, the feature is not available.
  • Check marks show that the feature is configured.
• In the figure, IP, firewall, VPN, IPS, and NAC are available, but only IP is configured.
Configuration Overview Area
• Interfaces and Connections –
  • the number of connections that are up and down,
  • the total number of LAN and WAN interfaces present in the router, and the number of LAN and WAN interfaces currently configured on the router.
  • It also displays DHCP information.
• Firewall Policies –
  • if a firewall is in place, it displays the number of trusted (inside) interfaces, untrusted (outside) interfaces, and DMZ interfaces.
  • It also displays the name of the interface to which a firewall has been applied, and whether a NAT rule has been applied to that interface.
Configuration Overview Area
• VPN – displays:
  • the number of active VPN connections,
  • the number of configured site-to-site VPN connections, and
  • the number of active VPN clients.
• Routing – displays the number of static routes and which routing protocols are configured.
• Intrusion Prevention
• View Running Config
Cisco SDM Wizard
• Cisco SDM provides a number of wizards to help you configure a Cisco ISR router.
• The figure shows various Cisco SDM GUI screens for the Basic NAT wizard.
• NAT is discussed later in the course, in the IP Addressing Services sections.
• Check http://www.cisco.com/go/sdm for the latest information about the Cisco SDM wizards and the interfaces they support.
Locking Down a Router with Cisco SDM
• The one-step lockdown wizard is accessed from the Configure GUI by clicking the Security Audit task.
• The Cisco SDM one-step lockdown wizard implements almost all of the security configurations that Cisco AutoSecure offers.
• Do not assume that the network is secure simply because you executed a one-step lockdown.
• Not all the features of Cisco AutoSecure are implemented in Cisco SDM.
• AutoSecure features that are implemented differently in Cisco SDM include the following:
  • SDM disables SNMP and does not configure SNMP version 3.
  • SDM enables and configures SSH on crypto Cisco IOS images.
  • SDM does not enable Service Control Point or disable other access and file transfer services, such as FTP.
• Check the accuracy of these statements.
Maintaining Cisco IOS Software Images
• There are certain guidelines that you must follow when changing the Cisco IOS software on a router.
• Updates: An update replaces one release with another without upgrading the feature set.
  • The software might be updated to fix a bug.
  • Updates are free.
• Upgrades: An upgrade replaces a release with one that has an upgraded feature set.
  • Software is upgraded to add new features or technologies.
  • Upgrades are not free.
• It is not always a good idea to upgrade to the latest version of IOS software. Many times that release is not stable.
• Cisco recommends a four-phase migration process to simplify network operations and management:
  • Plan - Set goals, identify resources, profile network hardware and software, and create a schedule for migrating to new releases.
  • Design - Choose new Cisco IOS releases.
  • Implement - Schedule and execute the migration.
  • Operate - Monitor the migration progress and make backup copies of images that are running on your network.
Maintaining Cisco IOS Software Images
• There are a number of tools available on Cisco.com to aid in migrating Cisco IOS software.
• The following tools do not require a Cisco.com login:
  • Cisco IOS Reference Guide - Covers the basics of the Cisco IOS software family.
  • Cisco IOS software technical documents - Documentation for each release of Cisco IOS software.
  • Cisco Feature Navigator - Finds releases that support a set of software features and hardware, and compares releases.
• The following tools require valid Cisco.com login accounts:
  • Download Software - Cisco IOS software downloads.
  • Bug Toolkit - Searches for known software fixes based on software version, feature set, and keywords.
  • Software Advisor - Compares releases, matches Cisco IOS software and Cisco Catalyst OS features to releases, and finds out which software release supports a given hardware device.
  • Cisco IOS Upgrade Planner - Finds releases by hardware, release, and feature set, and downloads images of Cisco IOS software.
• For a complete listing of tools available, go to http://www.cisco.com/en/US/support/tsd_most_requested_tools.html.
Cisco IOS File Systems and Devices
• Cisco IOS devices provide a feature called the Cisco IOS Integrated File System (IFS).
• The directories available depend on the platform.
• The show file systems command lists all file systems.
  • It provides information such as the amount of total and free memory, the type of each file system, and its permissions.
  • Permissions include read only (ro), write only (wo), and read and write (rw).
• Flash
  • An asterisk (*) preceding the flash file system indicates that it is the current default file system.
  • The pound symbol (#) appended to the flash listing indicates that this is a bootable disk.
  • It contains the file of the IOS currently running in RAM.
• NVRAM
  • Use the cd command to change to the NVRAM file system.
  • The pwd command verifies that you are in NVRAM.
  • The dir command lists the contents of NVRAM.
  • It contains the startup configuration file.
URL Prefixes for Cisco Devices
• Administrators do not have visual cues when working at a router CLI.
• File locations are specified in Cisco IFS using the URL convention.
• The URLs used by Cisco IOS platforms look similar to the format you know from the web.
• For instance, the TFTP example in the figure is: tftp://192.168.20.254/configs/backup-configs
  • The expression "tftp:" is called the prefix.
  • Everything after the double slash (//) defines the location.
  • 192.168.20.254 is the location of the TFTP server.
  • "configs" is the master directory.
  • "backup-configs" is the filename.
Commands for Managing Configuration Files
• The copy command is used to move files from one location to another, such as RAM, NVRAM, or a TFTP server.
• The examples list two methods to accomplish the same tasks.
• Copy the running configuration from RAM to the startup configuration in NVRAM:
  R2# copy running-config startup-config
  R2# copy system:running-config nvram:startup-config
• Copy the running configuration from RAM to a remote location:
  R2# copy running-config tftp:
  R2# copy system:running-config tftp:
• Copy a configuration from a remote location to the running configuration:
  R2# copy tftp: running-config
  R2# copy tftp: system:running-config
• Copy a configuration from a remote location to the startup configuration:
  R2# copy tftp: startup-config
  R2# copy tftp: nvram:startup-config
Cisco IOS File Naming Conventions
• The IOS image file is based on a special naming convention. The name of the Cisco IOS image file contains multiple parts, each with a specific meaning.
• The first part, c1841, identifies the platform on which the image runs. In this example, the platform is a Cisco 1841.
• The second part, ipbase, specifies the feature set. In this case, "ipbase" refers to the basic IP internetworking image. Other feature set possibilities:
  • i - Designates the IP feature set
  • j - Designates the enterprise feature set (all protocols)
  • s - Designates a PLUS feature set
  • 56i - Designates 56-bit IPsec DES encryption
  • 3 - Designates the firewall/IDS
  • k2 - Designates the 3DES IPsec encryption (168 bit)
• The third part, mz, indicates where the image runs and whether the file is compressed. For example, "mz" indicates that the file runs from RAM and is compressed.
• The fourth part, 12.3-14.T7, is the version number.
• The final part, bin, is the file extension. The .bin extension indicates that this is a binary executable file.
Using TFTP Servers to Manage IOS Images
• For any network, it is always prudent to retain a backup copy of the IOS image in case the image in the router becomes corrupted or is accidentally erased.
• Using a network TFTP server allows image and configuration uploads and downloads over the network.
• The TFTP server can be another router or a workstation.
• Before changing a Cisco IOS image on the router, you need to complete these tasks:
  • Determine the memory required for the update.
  • Set up and test the file transfer capability.
  • Schedule the required downtime.
• When you are ready to do the update, follow these steps:
  • Shut down all interfaces not needed to perform the update.
  • Back up the current operating system and the current configuration file to a TFTP server.
  • Load the update for either the operating system or the configuration file.
  • Test to confirm that the update works properly. If the tests are successful, you can then re-enable the interfaces you disabled.
Using TFTP Servers to Manage IOS Images
• A newer Cisco IOS software resilient configuration feature enables a router to secure and maintain a working copy of the running operating system image and configuration, so that those files can withstand malicious attempts to erase the contents of persistent storage (NVRAM and flash).
• This feature is available only on platforms that support a Personal Computer Memory Card International Association (PCMCIA) Advanced Technology Attachment (ATA) disk.
• http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/gtrescfg.html
Backing up IOS Software Images
• To copy an IOS software image from flash to the network TFTP server, follow these steps.
• Step 1. Ping the TFTP server to make sure you have access to it.
• Step 2. Verify that the TFTP server has sufficient disk space for the Cisco IOS image.
  • Use the show flash: command to determine:
    • the total amount of flash memory on the router,
    • the amount of flash memory available, and
    • the names of all the files stored in flash memory.
• Step 3. Copy the current file from the router to the TFTP server, using the copy flash: tftp: command.
  • The command requires you to enter the IP address of the remote host and the names of the source and destination system image files.
  • During the copy process, exclamation points (!) indicate the progress. Each exclamation point signifies that one UDP segment has successfully transferred.
Upgrade IOS Software Images
• Upgrading a system to a newer version requires a different system image file to be loaded.
• Use the copy tftp: flash: command to download the new image from the network TFTP server.
• The command prompts you for the IP address of the remote host and the names of the source and destination system image files.
• After these entries are confirmed, the Erase flash: prompt appears.
• Erase flash memory if there is not sufficient flash memory for more than one Cisco IOS image. If no free flash memory is available, the erase routine is required before new files can be copied.
• Each exclamation point (!) means that one UDP segment has successfully transferred.
• Note: Make sure that the Cisco IOS image loaded is appropriate for the router platform. If the wrong Cisco IOS image is loaded, the router could be made unbootable, requiring ROM monitor (ROMmon) intervention.
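The three slides above (IFS URLs, the image naming convention, and the backup/upgrade steps) describe checks an administrator performs by eye before typing copy tftp: flash:. The following Python script is an added example, not code from the slides or from Cisco: it parses an IFS URL and an IOS image file name into their parts, reads the free space from show flash: output, and refuses an image whose platform field does not match the router, that does not fit in flash, or whose MD5 does not match a value obtained out of band (the on-box equivalent is the verify /md5 command). The show flash: text and the image bytes are constructed samples; the release-notation expansion (123-14.T7 to 12.3(14)T7) is the standard Cisco mapping.

```python
"""Pre-flight checks before copying a new IOS image into flash.

Added example, not code from the slides or from Cisco. All sample data
(show flash: output, image bytes) is constructed for the example.
"""
import hashlib
import re
from dataclasses import dataclass

# c1841-ipbase-mz.123-14.T7.bin -> platform, feature set, runtime flags,
# version, extension: the five parts described on the naming-convention slide.
IMAGE_NAME_RE = re.compile(
    r"^(?P<platform>[a-z0-9]+)-(?P<feature>[a-z0-9]+)-(?P<runtime>[a-z]+)"
    r"\.(?P<version>[0-9]+-[0-9a-zA-Z]+(?:\.[0-9A-Za-z]+)?)\.(?P<ext>bin)$"
)


@dataclass
class ImageName:
    platform: str   # e.g. c1841
    feature: str    # e.g. ipbase
    runtime: str    # e.g. mz: runs from RAM, compressed
    version: str    # e.g. 123-14.T7
    ext: str        # bin


def parse_image_name(name: str) -> ImageName:
    m = IMAGE_NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a Cisco IOS image file name: {name!r}")
    return ImageName(**m.groupdict())


def ios_version(version_field: str) -> str:
    """Expand the file-name version field to release notation: 123-14.T7 -> 12.3(14)T7."""
    m = re.match(r"^(\d+)(\d)-([0-9a-z]+)(?:\.(\w+))?$", version_field)
    if not m:
        raise ValueError(f"unrecognised version field: {version_field!r}")
    major, minor, maint, train = m.groups()
    return f"{major}.{minor}({maint}){train or ''}"


def parse_ifs_url(url: str) -> dict:
    """Split a Cisco IFS URL such as tftp://192.168.20.254/configs/backup-configs."""
    m = re.match(r"^(?P<prefix>[a-z]+):(?://(?P<host>[^/]*))?/?(?P<path>.*)$", url)
    if not m:
        raise ValueError(f"not an IFS URL: {url!r}")
    parts = m["path"].split("/")
    return {"prefix": m["prefix"], "host": m["host"] or "",
            "directory": "/".join(parts[:-1]), "filename": parts[-1]}


# Constructed sample of show flash: output in the 1841 style (not real device output).
SHOW_FLASH = """\
-#- --length-- -----date/time------ path
1     13937472 May 05 2007 21:30:52 +00:00 c1841-ipbase-mz.124-1c.bin
2         1821 May 05 2007 21:35:12 +00:00 sdmconfig-18xx.cfg

18092032 bytes available (13939712 bytes used)
"""


def flash_free_bytes(show_flash: str) -> int:
    m = re.search(r"(\d+) bytes available", show_flash)
    if not m:
        raise ValueError("no 'bytes available' line in show flash: output")
    return int(m.group(1))


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def preflight(image_name: str, router_platform: str, show_flash: str,
              image: bytes, expected_md5: str) -> list:
    """Return the list of problems found; an empty list means the copy can proceed."""
    problems = []
    try:
        img = parse_image_name(image_name)
    except ValueError as e:
        return [str(e)]
    if img.platform != router_platform:
        problems.append(f"image built for {img.platform}, router platform is {router_platform}")
    free = flash_free_bytes(show_flash)
    if len(image) > free:
        problems.append(f"image needs {len(image)} bytes, flash has {free} free: erase or delete first")
    if md5_hex(image) != expected_md5.lower():
        problems.append("MD5 of the image does not match the published value: do not install it")
    return problems


# Constructed stand-in for an image file (a real one is several megabytes).
SAMPLE_IMAGE = b"CISCO IOS SAMPLE IMAGE " * 64
SAMPLE_MD5 = md5_hex(SAMPLE_IMAGE)

if __name__ == "__main__":
    print(parse_image_name("c1841-ipbase-mz.123-14.T7.bin"), ios_version("123-14.T7"))
    print(parse_ifs_url("tftp://192.168.20.254/configs/backup-configs"))
    print(preflight("c1841-ipbase-mz.123-14.T7.bin", "c1841", SHOW_FLASH, SAMPLE_IMAGE, SAMPLE_MD5))
```

The platform check is what prevents the unbootable-router situation in the note above; the MD5 check guards against a corrupted or tampered copy on the TFTP server, which TFTP itself does nothing to detect.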
Using tftpdnld to Restore an IOS Image
• When the IOS on a router is accidentally deleted from flash, the router remains operational because the IOS is running in RAM.
• However, it is crucial that the router is not rebooted, since it would not be able to find a valid IOS in flash.
• If the router is rebooted and can no longer load an IOS, it drops to the ROMmon prompt by default.
• In the figure, the IOS on router R1 has accidentally been deleted from flash. Unfortunately, the router has been rebooted and can no longer load an IOS. Follow the 3 steps below to restore the IOS.
• Step 1. Connect the devices.
  • Connect the PC to the console port on the affected router.
  • Connect the TFTP server to the first Ethernet port on the router.
  • Configure it with the static IP address 192.168.1.1/24.
Using tftpdnld to Restore an IOS Image
• Step 2. Set the ROMmon variables.
  • Because the router does not have a valid Cisco IOS image, the router boots into ROMmon mode.
  • You must enter all of the variables listed in the figure. Be aware of the following:
    • Variable names are case sensitive.
    • Do not include any spaces before or after the = symbol.
    • Navigational keys are not operational.
  • The IP addresses, subnet mask, and image name in the figure are only examples; the actual variables will vary depending on your configuration.
• Step 3. Enter the tftpdnld command at the prompt.
  • The command displays the required variables and warns that all existing data in flash will be erased.
  • Type y to proceed, and press Enter.
  • When connected, the download begins, as indicated by exclamation marks (!).
  • You can use the reset command to reload the router with the new Cisco IOS image.
Using xmodem to Restore an IOS Image
• Using the tftpdnld command is a very quick way of copying the image file.
• Another method for restoring a Cisco IOS image to a router is by using Xmodem.
• However, the file transfer is accomplished over the console cable and is therefore very slow compared to the tftpdnld command.
• Follow the 4 steps below to restore the IOS.
• Step 1. Connect the system administrator's PC to the console port on the affected router.
Using xmodem to Restore an IOS Image
• Step 2. Boot the router and issue the xmodem command at the ROMmon command prompt.
  • The command syntax is xmodem [-cyr] [filename].
  • The cyr options vary depending on the configuration: -c specifies CRC-16, -y specifies the Ymodem protocol, and -r copies the image to RAM.
• Step 3. The figure shows the process for sending a file using HyperTerminal. In this case, select Transfer > Send File.
• Step 4. Browse to the location of the IOS image you want to transfer and choose the Xmodem protocol. Click Send.
  • A dialog box appears displaying the status of the download. It takes several seconds before the host and the router begin transferring the information.
  • The download time can be dramatically improved if you change the connection speed of HyperTerminal and the router from 9600 b/s to 115000 b/s.
  • When the transfer is complete, the router automatically reloads with the new Cisco IOS.
Troubleshooting Cisco IOS Configurations
• Two commands that are used in network administration:
• show command
  • A show command lists the configured parameters and their values.
  • Use show commands to verify configurations.
• debug command
  • The debug command allows you to trace the execution of a process.
  • Use debug commands to identify traffic flows through interfaces and router processes.
Using the show Command
• The show command displays static information.
• Use show commands when gathering facts for isolating problems in an internetwork, including problems with interfaces, nodes, media, servers, clients, or applications.
• You may also use it frequently to confirm that configuration changes have been implemented.
• When you are at the command prompt, type show ? for a list of the show commands available for the level and mode you are operating in.
Using the debug Command
• The debug command displays dynamic events.
• Use debug to check the flow of protocol traffic for problems, protocol bugs, or misconfigurations.
• By default, the router sends the output from debug commands to the console.
• You can redirect debug output to a syslog server.
• Debugging output is assigned high priority in the CPU process queue and can therefore interfere with normal production processes on a network.
• Use debug commands during quiet hours and only to troubleshoot specific problems.
• All debug commands are entered in privileged EXEC mode.
• To list a brief description of all the debugging command options, enter the debug ? command.
• The best way to ensure there are no lingering debugging operations running is to use the no debug all command.
Considerations when using the debug Command
• It is one thing to use debug commands to troubleshoot a lab network that lacks end-user application traffic. It is another thing to use debug commands on a production network that users depend on for data flow. Without proper precautions, the impact of a broadly focused debug command could make matters worse.
• With proper, selective, and temporary use of debug commands, you can obtain potentially useful information without needing a protocol analyzer or other third-party tool.
Commands Related to the debug Command
• To make efficient use of the debug command, these commands can help you:
• The service timestamps command
  • adds a time stamp to each debug message.
  • This feature provides information about when debug events occurred.
• The show processes command
  • displays the CPU use for each process.
  • This data can influence decisions about using a debug command if it indicates that the system is already too heavily loaded to add one.
• The no debug all command
  • disables all debug commands.
  • This command can free up system resources after you finish debugging.
• The terminal monitor command
  • displays debug output and system error messages for the current terminal and session.
  • When you Telnet to a device and issue a debug command, you will not see output unless this command is entered.
Recovering a Lost Router Password
• You need physical access to the router.
• You connect your PC to the router through a console cable.
• The enable password and the enable secret password protect access to privileged EXEC and configuration modes.
  • The enable password can be recovered.
  • The enable secret password is encrypted and must be replaced with a new password.
• The configuration register is similar to your PC BIOS settings, which control the bootup process.
• In a router, the configuration register, represented by a single hexadecimal value, tells the router what specific steps to take when powered on.
• Configuration registers have many uses, and password recovery is probably the most common.
Recovering a Lost Router Password
• Prepare the Device
• Step 1. Connect to the console port.
• Step 2. If you still have access to user EXEC mode, type show version at the prompt and record the configuration register setting.
  R1>show version
  <show command output omitted>
  Configuration register is 0x2102
  R1>
  • The configuration register is usually set to 0x2102.
  • If you can no longer access the router, you can assume it is set to 0x2102.
• Step 3. Use the power switch to turn off the router, and then turn the router back on.
• Step 4. Press Break on the terminal keyboard within 60 seconds of power-up to put the router into ROMmon.
Recovering a Lost Router Password
• Bypass Startup
• Step 5. Type confreg 0x2142 at the rommon 1> prompt. This causes the router to bypass the startup configuration, where the forgotten enable password is stored.
• Step 6. Type reset at the rommon 2> prompt. The router reboots but ignores the saved configuration.
• Step 7. Type no after each setup question, or press Ctrl-C to skip the initial setup procedure.
• Step 8. Type enable at the Router> prompt. This puts you into enable mode, and you should see the Router# prompt.
Recovering a Lost Router Password
• Access NVRAM
• Step 9. Type copy startup-config running-config to copy the NVRAM contents into memory.
  • Be careful! Do not type copy running-config startup-config or you will erase your startup configuration.
• Step 10. Type show running-config to view passwords.
  • In this configuration, the shutdown command appears under all interfaces because all the interfaces are currently shut down.
  • Most importantly, you can now see the passwords (enable password, enable secret, vty, and console passwords) in either encrypted or unencrypted form.
  • You can reuse unencrypted passwords. You must change encrypted passwords to a new password.
Recovering a Lost Router Password
• Reset Passwords
• Step 11. Type configure terminal.
• Step 12. Type enable secret password to change the enable secret password.
  R1(config)# enable secret cisco
• Step 13. Issue the no shutdown command on every interface that you want to use. You can issue the show ip interface brief command to confirm that your interface configuration is correct.
• Step 14. Type config-register configuration_register_setting.
  R1(config)# config-register 0x2102
• Step 15. Press Ctrl-Z or type end.
• Step 16. Type copy running-config startup-config to commit the changes.
• You have now completed password recovery.
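The procedure above turns on a single configuration-register bit in step 5 (0x2102 to 0x2142) and turns it off again in step 14. The following Python script is an added example, not code from the slides or from Cisco: it decodes the register fields that matter here (boot field, the ignore-startup-config bit 0x0040, the break-disabled bit 0x0100, and bit 0x2000) and audits the "Configuration register is ..." line of show version, flagging a router that was left at 0x2142 after a recovery, since such a router will come up with an empty configuration and no passwords at its next reload. The bit assignments are the standard ones for Cisco IOS routers; the show version lines are constructed samples, and the "(will be 0x... at next reload)" suffix is the form IOS prints when config-register has been changed but the router has not yet reloaded.

```python
"""Decode a Cisco configuration register and audit the value left after
password recovery.

Added example, not code from the slides or from Cisco. The show version
text below is a constructed sample.
"""
import re

BOOT_FIELD_MASK = 0x000F        # bits 0-3: where to boot from
IGNORE_NVRAM = 0x0040           # bit 6: ignore startup-config (set by confreg 0x2142 in step 5)
BREAK_DISABLED = 0x0100         # bit 8: ignore Break after boot (Break still works in the first 60 s)
ROM_IF_NETBOOT_FAILS = 0x2000   # bit 13: fall back to ROM software if a network boot fails


def boot_field_meaning(boot_field: int) -> str:
    if boot_field == 0x0:
        return "stay in ROM monitor"
    if boot_field == 0x1:
        return "boot the first image found in flash"
    return "use boot system commands in startup-config, else the first image in flash"


def decode_confreg(value: int) -> dict:
    """Explain the fields of a register value such as 0x2102 or 0x2142."""
    return {
        "boot": boot_field_meaning(value & BOOT_FIELD_MASK),
        "ignore_startup_config": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "rom_if_netboot_fails": bool(value & ROM_IF_NETBOOT_FAILS),
    }


CONFREG_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)


def parse_confreg(show_version: str):
    """Return (current, pending) from show version output; pending is None if no change is queued."""
    m = CONFREG_RE.search(show_version)
    if not m:
        raise ValueError("no configuration register line found in show version output")
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else None
    return current, pending


def audit_confreg(show_version: str, expected: int = 0x2102) -> list:
    """Findings about the register value that will be in effect at the next reload."""
    current, pending = parse_confreg(show_version)
    effective = current if pending is None else pending
    if effective & IGNORE_NVRAM:
        return [f"{effective:#06x}: startup-config will be ignored at next reload "
                "(password-recovery setting not reverted; set config-register 0x2102)"]
    if effective != expected:
        return [f"{effective:#06x} differs from the expected {expected:#06x}"]
    return []


# Constructed samples of the relevant show version line (not real device output).
SHOW_VERSION_OK = "...\nConfiguration register is 0x2102\n"
SHOW_VERSION_NOT_REVERTED = "...\nConfiguration register is 0x2142\n"
SHOW_VERSION_FIX_PENDING = "...\nConfiguration register is 0x2142 (will be 0x2102 at next reload)\n"

if __name__ == "__main__":
    for value in (0x2102, 0x2142):
        print(f"{value:#06x}", decode_confreg(value))
    for sample in (SHOW_VERSION_OK, SHOW_VERSION_NOT_REVERTED, SHOW_VERSION_FIX_PENDING):
        print(audit_confreg(sample))
```

Running the audit over the show version output collected from each router after maintenance is a cheap way to catch a recovery that stopped before step 14.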
Chapter Summary
• In this chapter, you have learned to:
  • Identify security threats to enterprise networks
  • Describe methods to mitigate security threats to enterprise networks
  • Configure basic router security
  • Disable unused router services and interfaces
  • Use the Cisco SDM one-step lockdown feature
  • Manage files and software images with the Cisco IOS Integrated File System (IFS)