
Monday, 29 June 2020

How to secure Router/Switch Internally


Router and Switch Basic and internal Security Feature

  • Username and password configuration
  • console login security configuration
  • password length and timeout configuration
  • Router Remote Access (Telnet & SSH) configuration
  • Access list :-
    • Standard Access List
    • Extended Access list
    • Named Access List

Router username & password

Router-Rcy(config)#enable secret cisco-------------MD5-hashed (more secure) or
Router-Rcy(config)#enable password cisco----------plain-text password
Router-Rcy(config)#username swan password cisco----------plain-text password or
Router-Rcy(config)#username swan secret cisco-------------MD5-hashed (more secure)
Router-Rcy(config)#username swan privilege 5 password cisco---password for privilege level 5
Router-Rcy(config)#service password-encryption-------------type 7 encryption of the plain-text passwords in the config (reversible, see the note below)

Note :- To recover a type 7 password (this is why type 7 only obscures a password rather than protecting it):
  • Router(config)#key chain 1…………….1 is any number
  • Router(config-keychain)#key 1
  • Router(config-keychain-key)#key-string 7 <type 7 password>
  • Router#show key chain…………….the key is shown in plain text


Router console login

Router-Rcy(config)#line console 0
Router-Rcy(config-line)#password cisco
Router-Rcy(config-line)#login------------------------checks only the line password----------------or
Router-Rcy(config-line)#login local-------------------checks the username as well as the password (local database)
Router-Rcy(config-line)#exec-timeout 3------------- session times out after 3 minutes of inactivity
Router-Rcy(config-line)#logging synchronous------- console output such as interface up/down notifications won't interrupt what you are typing
Router-Rcy(config-line)#exit

Password length and other security measures-------(commands in global configuration mode)

Router-Rcy(config)#security passwords min-length 10 ---------------sets the minimum password length to 10 characters
Router-Rcy(config)#login block-for 180 attempts 5 within 60---block for 180 sec if 5 failed attempts occur within 60 sec
Router-Rcy(config)#login quiet-mode access-class PERMIT-ACCESS
Router-Rcy(config)#login delay <sec>----------delay between login attempts in seconds (default is 1 sec)
Router-Rcy(config)#login on-failure log
Router-Rcy(config)#login on-success log
Router-Rcy(config)#ip access-list standard PERMIT-ACCESS
Router-Rcy(config-std-nacl)#permit <ip address>
Router-Rcy(config-std-nacl)#exit
Router-Rcy(config)#do show login

Note:- Login quiet mode blocks all users except those matched by the access list named PERMIT-ACCESS, which protects the router against dictionary attacks.

Router Remote access (Telnet)

Router-Rcy(config)#line vty 0 4…………….vty stands for virtual teletype (Router-Rcy uses vty lines 0 to 4)
Router-Rcy(config-line)#password cisco
Router-Rcy(config-line)#login--------------------checks only the line password
Router-Rcy(config-line)#login local----------checks the username as well as the password from the local database
Router-Rcy(config-line)#exec-timeout 3------ times out after 3 minutes (default is 10 min)
Router-Rcy(config-line)#exit


Router Remote access (SSH)

Nic(config)#enable secret cisco
Nic(config)#username cisco password cisco
Nic(config)#ip domain-name cisco.com
Nic(config)#crypto key generate rsa
How many bits in the modulus [512]: 1024 (recommended); 2048 also works but takes longer to generate
Nic(config)#ip ssh version 2-----------------------stronger than version 1
Nic(config)#ip ssh authentication-retries <1-5>
Nic(config)#ip ssh time-out 60
Nic(config)#line vty 0 15
Nic(config-line)#transport input ssh----------------Telnet no longer works on these lines, only SSH
Nic#show ip ssh
Nic#wr

IOS SSH client options:
-l          Log in using this user name
-v          Specify SSH protocol version

pc>ssh -l <username> <ip address of remote site>    or
pc>ssh -v 2 -l <username> <ip address of remote site>

Access-list


Type:-

·         standard access-list 1-99.................apply closest to the destination (filters on source address only)
·         extended access-list 100-199..............apply closest to the source
·         Named Access list

Named ACL syntax:-

Router-Rcy(config)#ip access-list <standard | extended> <name>
Router-Rcy(config-std-nacl)#<permit | deny> <source host or network> <wildcard>

Router-Rcy(config-ext-nacl)#<permit | deny> <protocol> <source host or network> <wildcard> <destination host or network> <wildcard> <operator> <port>



Standard access list 1-99


examples:-
Deny or permit a class c network:
Router-Rcy(config)#access-list 1 deny 192.168.1.0 0.0.0.255
Router-Rcy(config)#access-list 1 permit 192.168.2.0 0.0.0.255
Deny or permit a host:
Router-Rcy(config)#access-list 1 deny 192.168.1.100 0.0.0.0
Router-Rcy(config)#access-list 1 deny host 192.168.1.2
Router-Rcy(config)#access-list 1 permit 192.168.1.3 0.0.0.0
Router-Rcy(config)#access-list 1 permit host 192.168.1.2

Deny or permit all hosts:
Router-Rcy(config)#access-list 1 deny any
Router-Rcy(config)#access-list 1 permit any

Apply the access list to a router interface outbound and inbound

Router-Rcy(config)#interface fastethernet 0/0
Router-Rcy(config-if)#ip access-group 1 out

Router-Rcy(config)#interface fastethernet 0/1
Router-Rcy(config-if)#ip access-group 1 in


EXTENDED ACCESS-LIST :- What it can do,


  • access-list <100-199> <deny | permit> <protocol> <source ip address> <wildcard bits> <destination ip address> <wildcard bits> <operator> <port or service>

  • access-list <100-199> <deny | permit> <protocol> host <source ip address> host <destination ip address> <operator> <port or service>
  • access-list <100-199> <deny | permit> <protocol> <source ip address> <wildcard bits> <destination ip address> <wildcard bits>



Extended access list examples:



Deny and permit a source class c network to a destination class c network:

Router-Rcy(config)#access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
Router-Rcy(config)#access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255


Deny or permit a source host to a destination /24 network:



Router-Rcy(config)#access-list 100 deny ip 192.168.1.100 0.0.0.0 192.168.4.0 0.0.0.255
Router-Rcy(config)#access-list 100 deny ip host 192.168.1.100 192.168.4.0 0.0.0.255
Router-Rcy(config)#access-list 100 permit ip 192.168.1.101 0.0.0.0 192.168.4.0 0.0.0.255
Router-Rcy(config)#access-list 100 permit ip host 192.168.1.101 192.168.4.0 0.0.0.255


Deny or permit any host to any destination on port 80 (http):


Router-Rcy(config)#access-list 100 deny tcp any any eq 80
Router-Rcy(config)#access-list 100 permit tcp any any eq 80

Deny or permit all hosts (an extended entry always needs a protocol, ip here):
Router-Rcy(config)#access-list 100 deny ip any any
Router-Rcy(config)#access-list 100 permit ip any any

Apply the access list to a router interface outbound and inbound

Router-Rcy(config)#interface fastethernet 0/0
Router-Rcy(config-if)#ip access-group 100 out

Router-Rcy(config)#interface fastethernet 0/1
Router-Rcy(config-if)#ip access-group 100 in
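To see how the standard and extended entries above are actually evaluated (wildcard masks, first match wins, implicit deny at the end), here is an added example that is not part of the original post: a small Python evaluator for numbered access-list lines. It assumes `eq <port>` refers to the destination port, and the sample lists are constructed from this page's examples.

```python
import ipaddress
def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 0 bit must match exactly, a 1 bit is 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a | w) == (n | w)

def _take_addr(tok, i):
    """Read 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tok[i]."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2

def parse_ace(line):
    """Parse one numbered 'access-list <n> permit|deny ...' line (standard 1-99 or extended 100-199)."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError("not an access-list entry: " + line)
    number = int(tok[1])
    ace = {"action": tok[2], "proto": "ip", "dst": ("0.0.0.0", "255.255.255.255"), "port": None}
    if 1 <= number <= 99:           # standard ACL: filters on the source address only
        ace["src"], _ = _take_addr(tok, 3)
    elif 100 <= number <= 199:      # extended ACL: protocol, source, destination, optional 'eq <port>'
        ace["proto"] = tok[3]
        ace["src"], i = _take_addr(tok, 4)
        ace["dst"], i = _take_addr(tok, i)
        if i + 1 < len(tok) and tok[i] == "eq":   # assumption: 'eq' here is the destination port
            ace["port"] = int(tok[i + 1])
    else:
        raise ValueError("unsupported ACL number: %d" % number)
    return ace

def evaluate(acl_lines, src, dst, proto="ip", dport=None):
    """'permit' or 'deny' for one packet: the first matching entry wins, implicit deny at the end."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if not (wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])):
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        return ace["action"]
    return "deny"    # every Cisco ACL ends with an implicit 'deny any'
# Constructed sample lists built from the examples on this page.
STANDARD_1 = ["access-list 1 deny 192.168.1.0 0.0.0.255",
              "access-list 1 permit 192.168.2.0 0.0.0.255"]
EXTENDED_100 = ["access-list 100 deny ip host 192.168.1.100 192.168.4.0 0.0.0.255",
                "access-list 100 deny tcp any any eq 80",
                "access-list 100 permit ip any any"]
```

A source in 192.168.3.0/24 is dropped by STANDARD_1 even though no line mentions it, which is the implicit deny every ACL ends with; in EXTENDED_100 a UDP packet to port 80 is permitted because the second line only matches TCP.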
