Monday, 29 June 2020

How to secure a Router/Switch internally


Router and Switch basic and internal security features

  • Username and password configuration
  • Console login security configuration
  • Password length and timeout configuration
  • Router remote access (Telnet & SSH) configuration
  • Access lists :-
    • Standard access list
    • Extended access list
    • Named access list

Router username & password

            
Router-Rcy(config)#enable secret cisco-------------md5 hash (more secure) or
Router-Rcy(config)#enable password cisco----------plain text password
Router-Rcy(config)#username swan password cisco----------plain text password or
Router-Rcy(config)#username swan secret cisco-------------md5 hash (more secure)
Router-Rcy(config)#username swan privilege 5 password cisco---password for privilege level 5
Router-Rcy(config)#service password-encryption-------------type 7 encryption of the plain text passwords in the config (more secure than plain text, but reversible; see the note below)

Note :- To recover a type 7 password (the key chain shows it in clear text)
  • Router(config)#key chain 1…………….1 is any number or name
  • Router(config-keychain)#key 1
  • Router(config-keychain-key)#key-string 7 <type 7 password>
  • Router#show key chain


Router console login


Router-Rcy(config)#line console 0
Router-Rcy(config-line)#password cisco
Router-Rcy(config-line)#login------------------------only checks for the password----------------or
Router-Rcy(config-line)#login local-------------------checks for the username as well as the password
Router-Rcy(config-line)#exec-timeout 3------------- session times out after 3 minutes of inactivity
Router-Rcy(config-line)#logging synchronous------- typed input is not interrupted by console output such as interface up/down notification messages
Router-Rcy(config-line)#exit

Password length and other security measures-------(commands in global configuration mode)

Router-Rcy(config)#security passwords min-length 10---------------sets the minimum password length to 10 characters
Router-Rcy(config)#login block-for 180 attempts 5 within 60---block for 180 sec if 5 failed attempts occur within 60 sec
Router-Rcy(config)#login quiet-mode access-class PERMIT-ACCESS
Router-Rcy(config)#login delay <sec>----------delay between login attempts in seconds; the default is 1 sec
Router-Rcy(config)#login on-failure log
Router-Rcy(config)#login on-success log
Router-Rcy(config)#ip access-list standard PERMIT-ACCESS
Router-Rcy(config-std-nacl)#permit <ip address>
Router-Rcy(config-std-nacl)#exit
Router-Rcy(config)#do show login

Note:- In quiet mode the router blocks all login attempts except those permitted by the access list named PERMIT-ACCESS, which protects the router against dictionary attacks.
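To see how the block-for, quiet-mode and on-failure/on-success commands above work together, here is an added Python model of that behaviour. It is an example written for this post, not IOS code, and it assumes that the failed-login counter is device wide (not per user) and that quiet mode only lets through sources permitted by the access-class list; the addresses and timings are constructed sample data.

```python
from collections import deque
from ipaddress import ip_address, ip_network


class LoginGuard:
    """Model of 'login block-for <block> attempts <n> within <window>' plus
    'login quiet-mode access-class <acl>'. Assumed semantics (example only):
    the failure counter is device-wide, and quiet mode refuses every login
    except from sources the exemption ACL permits."""

    def __init__(self, block_for, attempts, within, permit_networks=()):
        self.block_for = block_for          # seconds the router stays in quiet mode
        self.attempts = attempts            # failures that trigger quiet mode
        self.within = within                # watch window in seconds
        self.permit = [ip_network(n) for n in permit_networks]  # quiet-mode access-class
        self.failures = deque()             # timestamps of recent failed logins
        self.quiet_until = 0.0
        self.log = []                       # what 'login on-failure log' / 'on-success log' would emit

    def in_quiet_mode(self, now):
        return now < self.quiet_until

    def exempt(self, src):
        return any(ip_address(src) in net for net in self.permit)

    def attempt(self, src, password_ok, now):
        """Process one login attempt at time 'now' (seconds) from address 'src'."""
        if self.in_quiet_mode(now) and not self.exempt(src):
            self.log.append(f"{now:.0f}s DROP {src} (quiet mode)")
            return "dropped"
        # forget failures that fell out of the watch window
        while self.failures and now - self.failures[0] > self.within:
            self.failures.popleft()
        if password_ok:
            self.log.append(f"{now:.0f}s LOGIN_SUCCESS {src}")
            return "success"
        self.failures.append(now)
        self.log.append(f"{now:.0f}s LOGIN_FAILED {src}")
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures.clear()
            self.log.append(f"{now:.0f}s QUIET_MODE for {self.block_for}s")
            return "blocked"
        return "failed"


def simulate():
    """Constructed scenario: 5 bad passwords in 5 seconds from one host, then
    attempts during and after the 180-second quiet period."""
    guard = LoginGuard(block_for=180, attempts=5, within=60,
                       permit_networks=["192.0.2.0/24"])   # stands in for PERMIT-ACCESS
    results = []
    for t in range(5):                                        # 5 failures at t=0..4
        results.append(guard.attempt("203.0.113.9", False, t))
    results.append(guard.attempt("203.0.113.9", True, 10))    # right password, but quiet mode
    results.append(guard.attempt("192.0.2.10", True, 10))     # exempt admin network gets in
    results.append(guard.attempt("203.0.113.9", True, 200))   # quiet mode has expired
    for line in guard.log:
        print(line)
    return results


if __name__ == "__main__":
    print(simulate())
```

The log lines the model collects are the kind of record `login on-failure log` and `login on-success log` send to syslog; watching for the QUIET_MODE event is the simplest way to notice a password-guessing attempt against the router.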

Router Remote access (Telnet)


Router-Rcy(config)#line vty 0 4…………….vty stands for virtual teletype; this selects virtual terminal lines 0 through 4
Router-Rcy(config-line)#password cisco
Router-Rcy(config-line)#login--------------------only checks for the password
Router-Rcy(config-line)#login local----------checks for the username as well as the password from the local database
Router-Rcy(config-line)#exec-timeout 3------ times out after 3 minutes; the default is 10 min
Router-Rcy(config-line)#exit


Router Remote access  (ssh)


Nic(config)#enable secret cisco
Nic(config)#username cisco password cisco
Nic(config)#ip domain-name cisco.com
Nic(config)#crypto key generate rsa
How many bits in the modulus [512]: 1024 (recommended); 2048 is also possible but takes longer
Nic(config)#ip ssh version 2-----------------------stronger than version 1
Nic(config)#ip ssh authentication-retries <retries>
Nic(config)#ip ssh time-out 60
Nic(config)#line vty 0 15
Nic(config-line)#transport input ssh----------------now telnet no longer works, only ssh
Nic#show ip ssh
Nic#wr

SSH client options:
-l          Log in using this user name
-v          Specify the SSH protocol version
pc>ssh -l <username> <ip address of remote site>    or
pc>ssh -v 2 -l <username> <ip address of remote site>

Access-list


Type:-

  • standard access-list 1-99.................placed closest to the destination
  • extended access-list 100-199............placed closest to the source
  • named access list

Named ACL used as:-

Router-Rcy(config)#ip access-list <standard | extended> <name>
Router-Rcy(config-std-nacl)#<permit | deny> <source host or network> <wildcard>

Router-Rcy(config-ext-nacl)#<permit | deny> <protocol> <source host or network> <wildcard>
<destination host or network> <wildcard> <operator> <port>



Standard access list 1-99


examples:-
Deny or permit a class c network:
Router-Rcy(config)#access-list 1 deny 192.168.1.0 0.0.0.255
Router-Rcy(config)#access-list 1 permit 192.168.2.0 0.0.0.255
Deny or permit a host:
Router-Rcy(config)#access-list 1 deny 192.168.1.100 0.0.0.0
Router-Rcy(config)#access-list 1 deny host 192.168.1.2
Router-Rcy(config)#access-list 1 permit 192.168.1.3 0.0.0.0
Router-Rcy(config)#access-list 1 permit host 192.168.1.2

Deny or permit all hosts:
Router-Rcy(config)#access-list 1 deny any
Router-Rcy(config)#access-list 1 permit any

Apply the access list to a router interface outbound and inbound

Router-Rcy(config)#interface fastethernet 0/0
Router-Rcy(config-if)#ip access-group 1 out

Router-Rcy(config)#interface fastethernet 0/1
Router-Rcy(config-if)#ip access-group 1 in


Extended access list 100-199 :- syntax


  • access-list <100-199> <deny | permit> <protocol> <source ip address> <wildcard bits> <destination ip address> <wildcard bits> <operator> <port or service>
  • access-list <100-199> <deny | permit> <protocol> host <source ip address> host <destination ip address> <operator> <port or service>
  • access-list <100-199> <deny | permit> <protocol> <source ip address> <wildcard bits> <destination ip address> <wildcard bits>



Extended access list examples:



Deny and permit a source class c network to a destination class c network:

Router-Rcy(config)#access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
Router-Rcy(config)#access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255


Deny or permit a source host to a destination /24 network:



Router-Rcy(config)#access-list 100 deny ip 192.168.1.100 0.0.0.0 192.168.4.0 0.0.0.255
Router-Rcy(config)#access-list 100 deny ip host 192.168.1.100 192.168.4.0 0.0.0.255
Router-Rcy(config)#access-list 100 permit ip 192.168.1.101 0.0.0.0 192.168.4.0 0.0.0.255
Router-Rcy(config)#access-list 100 permit ip host 192.168.1.101 192.168.4.0 0.0.0.255


Deny or permit any host to any destination on port 80 (http):


Router-Rcy(config)#access-list 100 deny tcp any any eq 80
Router-Rcy(config)#access-list 100 permit tcp any any eq 80

Deny or permit all hosts:
Router-Rcy(config)#access-list 100 deny ip any any
Router-Rcy(config)#access-list 100 permit ip any any

Apply the access list to a router interface outbound and inbound

Router-Rcy(config)#interface fastethernet 0/0
Router-Rcy(config-if)#ip access-group 100 out

Router-Rcy(config)#interface fastethernet 0/1
Router-Rcy(config-if)#ip access-group 100 in
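Both the standard and the extended lists above are evaluated top down, the first matching entry wins, and anything that matches nothing hits the implicit deny at the end of every list. The following Python evaluator is an added example (not IOS code) that parses the access-list lines shown in this post, applies Cisco wildcard-mask matching, and returns the action for a constructed packet. It only understands numeric ports with the eq operator and strips the Router-Rcy(config)# prompt so the lines can be pasted as written; both are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # 'any' == network 0.0.0.0 with wildcard 255.255.255.255


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match the network, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


def prefix_to_wildcard(prefix_len: int) -> str:
    """/24 -> 0.0.0.255: the wildcard is the bitwise inverse of the subnet mask."""
    return str(ipaddress.IPv4Address((1 << (32 - prefix_len)) - 1))


@dataclass
class Ace:
    action: str                      # 'permit' or 'deny'
    protocol: str                    # 'ip' matches every protocol
    src: Tuple[str, str]             # (network, wildcard)
    dst: Tuple[str, str]
    dst_port: Optional[int] = None   # only the 'eq' operator is modelled here (assumption)


def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_ace(line: str):
    """Parse one 'access-list <n> ...' line; returns (list number, Ace)."""
    t = line.replace("Router-Rcy(config)#", "").split()
    number, action = int(t[1]), t[2]
    if 1 <= number <= 99:                        # standard: source only, any protocol
        src, _ = _parse_addr(t, 3)
        return number, Ace(action, "ip", src, ANY)
    protocol = t[3]                              # extended: protocol, source, destination
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return number, Ace(action, protocol, src, dst, port)


def build_acls(lines):
    """Group entries by list number, preserving the order they were entered."""
    acls = {}
    for line in lines:
        number, ace = parse_ace(line)
        acls.setdefault(number, []).append(ace)
    return acls


def evaluate(acl, proto, src, dst, dport=None) -> str:
    """Top down, first match wins; no match hits the implicit 'deny' at the end."""
    for ace in acl:
        if ace.protocol != "ip" and ace.protocol != proto:
            continue
        if not wildcard_match(src, *ace.src) or not wildcard_match(dst, *ace.dst):
            continue
        if ace.dst_port is not None and dport != ace.dst_port:
            continue
        return ace.action
    return "deny"


# constructed sample: the standard and extended lists from this post
SAMPLE_CONFIG = """
Router-Rcy(config)#access-list 1 deny 192.168.1.0 0.0.0.255
Router-Rcy(config)#access-list 1 permit 192.168.2.0 0.0.0.255
Router-Rcy(config)#access-list 100 deny tcp any any eq 80
Router-Rcy(config)#access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
""".strip().splitlines()

ACLS = build_acls(SAMPLE_CONFIG)

if __name__ == "__main__":
    print("wildcard for /24:", prefix_to_wildcard(24))
    print("ACL 1, 192.168.1.7 -> 10.0.0.1:", evaluate(ACLS[1], "ip", "192.168.1.7", "10.0.0.1"))
    print("ACL 100, tcp/80 192.168.2.5 -> 192.168.4.9:",
          evaluate(ACLS[100], "tcp", "192.168.2.5", "192.168.4.9", 80))
    print("ACL 100, tcp/443 192.168.2.5 -> 192.168.4.9:",
          evaluate(ACLS[100], "tcp", "192.168.2.5", "192.168.4.9", 443))
```

Running a planned list through an evaluator like this before applying it with ip access-group is a cheap way to catch the two classic mistakes: an entry placed after a broader one that shadows it, and forgetting that a list with only deny entries blocks everything because of the implicit deny.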
