Suche senden
Hochladen
Ccnas v11 ch02_eb
•
Als PPTX, PDF herunterladen
•
2 gefällt mir
•
3,838 views
Edgar Benavente
Folgen
CCNA Security v1.1 Cap 02 Español
Weniger lesen
Mehr lesen
Technologie
Bildung
Melden
Teilen
Melden
Teilen
1 von 154
Jetzt herunterladen
Empfohlen
Scanners para detectar vulnerabilidades
Scanners para detectar vulnerabilidades
Carlos Arturo Fyuler
Why you should switch to Cypress for modern web testing?
Why you should switch to Cypress for modern web testing?
Shivam Bharadwaj
Architectural katas
Architectural katas
Muhammad Ali
スケジュール管理・ガントチャートやバックログ の作成について
スケジュール管理・ガントチャートやバックログ の作成について
agileware_jp
Red team and blue team in ethical hacking
Red team and blue team in ethical hacking
Vikram Khanna
Penetration testing reporting and methodology
Penetration testing reporting and methodology
Rashad Aliyev
Arquitectura Orientada a Servicios joseadugarte
Arquitectura Orientada a Servicios joseadugarte
thearcangelboss
Secure Software Development Life Cycle (SSDLC)
Secure Software Development Life Cycle (SSDLC)
Aymeric Lagier
Empfohlen
Scanners para detectar vulnerabilidades
Scanners para detectar vulnerabilidades
Carlos Arturo Fyuler
Why you should switch to Cypress for modern web testing?
Why you should switch to Cypress for modern web testing?
Shivam Bharadwaj
Architectural katas
Architectural katas
Muhammad Ali
スケジュール管理・ガントチャートやバックログ の作成について
スケジュール管理・ガントチャートやバックログ の作成について
agileware_jp
Red team and blue team in ethical hacking
Red team and blue team in ethical hacking
Vikram Khanna
Penetration testing reporting and methodology
Penetration testing reporting and methodology
Rashad Aliyev
Arquitectura Orientada a Servicios joseadugarte
Arquitectura Orientada a Servicios joseadugarte
thearcangelboss
Secure Software Development Life Cycle (SSDLC)
Secure Software Development Life Cycle (SSDLC)
Aymeric Lagier
e2e testing with cypress
e2e testing with cypress
Tomasz Bak
Xss attack
Xss attack
Manjushree Mashal
TRITON: The Next Generation of ICS Malware
TRITON: The Next Generation of ICS Malware
Thomas Roccia
Cypress
Cypress
Jonathan de Britto Sedrez
Scalable threat modelling with risk patterns
Scalable threat modelling with risk patterns
Stephen de Vries
Jenkins Tutorial.pdf
Jenkins Tutorial.pdf
devtestervicky
SwiftのDI方法につい て最近考えてた話
SwiftのDI方法につい て最近考えてた話
Yahoo!デベロッパーネットワーク
Cloudsim & greencloud
Cloudsim & greencloud
nedamaleki87
SAST - Desarrollo Seguro ¿Qué es? ¿Por que utilizarlo?
SAST - Desarrollo Seguro ¿Qué es? ¿Por que utilizarlo?
Carlos Garcia Sanchez
詳説WebAssembly
詳説WebAssembly
祐司 伊藤
Les principales failles de sécurité des applications Web actuelles
Les principales failles de sécurité des applications Web actuelles
Xavier Kress
Dev ops using Jenkins
Dev ops using Jenkins
Synergetics Learning and Cloud Consulting
SEC599 - Breaking The Kill Chain
SEC599 - Breaking The Kill Chain
Erik Van Buggenhout
Développement sécurisé
Développement sécurisé
facemeshfacemesh
DevOps Tools Training | DevOps Tools | What is GIT | What is Jenkins
DevOps Tools Training | DevOps Tools | What is GIT | What is Jenkins
Intellipaat
Redis勉強会資料(2015/06 update)
Redis勉強会資料(2015/06 update)
Yuji Otani
個人のタスク管理からチケット駆動開発の特徴を考える
個人のタスク管理からチケット駆動開発の特徴を考える
Makoto SAKAI
Selenium
Selenium
eduquer
How to Get Started with Cypress
How to Get Started with Cypress
Applitools
Node js 入門
Node js 入門
Satoshi Takami
DISCOS DUROS
DISCOS DUROS
Jorge Luis Carranza Lujan
VIRUS INFORMATICO
VIRUS INFORMATICO
Jorge Luis Carranza Lujan
Weitere ähnliche Inhalte
Was ist angesagt?
e2e testing with cypress
e2e testing with cypress
Tomasz Bak
Xss attack
Xss attack
Manjushree Mashal
TRITON: The Next Generation of ICS Malware
TRITON: The Next Generation of ICS Malware
Thomas Roccia
Cypress
Cypress
Jonathan de Britto Sedrez
Scalable threat modelling with risk patterns
Scalable threat modelling with risk patterns
Stephen de Vries
Jenkins Tutorial.pdf
Jenkins Tutorial.pdf
devtestervicky
SwiftのDI方法につい て最近考えてた話
SwiftのDI方法につい て最近考えてた話
Yahoo!デベロッパーネットワーク
Cloudsim & greencloud
Cloudsim & greencloud
nedamaleki87
SAST - Desarrollo Seguro ¿Qué es? ¿Por que utilizarlo?
SAST - Desarrollo Seguro ¿Qué es? ¿Por que utilizarlo?
Carlos Garcia Sanchez
詳説WebAssembly
詳説WebAssembly
祐司 伊藤
Les principales failles de sécurité des applications Web actuelles
Les principales failles de sécurité des applications Web actuelles
Xavier Kress
Dev ops using Jenkins
Dev ops using Jenkins
Synergetics Learning and Cloud Consulting
SEC599 - Breaking The Kill Chain
SEC599 - Breaking The Kill Chain
Erik Van Buggenhout
Développement sécurisé
Développement sécurisé
facemeshfacemesh
DevOps Tools Training | DevOps Tools | What is GIT | What is Jenkins
DevOps Tools Training | DevOps Tools | What is GIT | What is Jenkins
Intellipaat
Redis勉強会資料(2015/06 update)
Redis勉強会資料(2015/06 update)
Yuji Otani
個人のタスク管理からチケット駆動開発の特徴を考える
個人のタスク管理からチケット駆動開発の特徴を考える
Makoto SAKAI
Selenium
Selenium
eduquer
How to Get Started with Cypress
How to Get Started with Cypress
Applitools
Node js 入門
Node js 入門
Satoshi Takami
Was ist angesagt?
(20)
e2e testing with cypress
e2e testing with cypress
Xss attack
Xss attack
TRITON: The Next Generation of ICS Malware
TRITON: The Next Generation of ICS Malware
Cypress
Cypress
Scalable threat modelling with risk patterns
Scalable threat modelling with risk patterns
Jenkins Tutorial.pdf
Jenkins Tutorial.pdf
SwiftのDI方法につい て最近考えてた話
SwiftのDI方法につい て最近考えてた話
Cloudsim & greencloud
Cloudsim & greencloud
SAST - Desarrollo Seguro ¿Qué es? ¿Por que utilizarlo?
SAST - Desarrollo Seguro ¿Qué es? ¿Por que utilizarlo?
詳説WebAssembly
詳説WebAssembly
Les principales failles de sécurité des applications Web actuelles
Les principales failles de sécurité des applications Web actuelles
Dev ops using Jenkins
Dev ops using Jenkins
SEC599 - Breaking The Kill Chain
SEC599 - Breaking The Kill Chain
Développement sécurisé
Développement sécurisé
DevOps Tools Training | DevOps Tools | What is GIT | What is Jenkins
DevOps Tools Training | DevOps Tools | What is GIT | What is Jenkins
Redis勉強会資料(2015/06 update)
Redis勉強会資料(2015/06 update)
個人のタスク管理からチケット駆動開発の特徴を考える
個人のタスク管理からチケット駆動開発の特徴を考える
Selenium
Selenium
How to Get Started with Cypress
How to Get Started with Cypress
Node js 入門
Node js 入門
Andere mochten auch
DISCOS DUROS
DISCOS DUROS
Jorge Luis Carranza Lujan
VIRUS INFORMATICO
VIRUS INFORMATICO
Jorge Luis Carranza Lujan
Instalación Windows Server 2012
Instalación Windows Server 2012
cyberleon95
Nuevo Curso Empowerment - New Horizons Perú.
Nuevo Curso Empowerment - New Horizons Perú.
New Horizons Perú
Certificate - Windows Server 2012 R2 Storage Jump Start New Choices
Certificate - Windows Server 2012 R2 Storage Jump Start New Choices
Asef Liria
Curso diagnostico reparacion de motherboards de computadoras
Curso diagnostico reparacion de motherboards de computadoras
ReparacionPcLaptopsDesktop
Cableado estructurado-de-red-1204886726520124-4
Cableado estructurado-de-red-1204886726520124-4
Jorge Pariasca
Guía Partes Del Cmputador
Guía Partes Del Cmputador
Liliana Prada
Curso Siemon - Cableado Estructurado
Curso Siemon - Cableado Estructurado
Carlos Catturini
Mantenimiento pc
Mantenimiento pc
Andrés Enrique Rodríguez Ramírez
PELIGROS DE UNA COMPUTADORA
PELIGROS DE UNA COMPUTADORA
Jorge Luis Carranza Lujan
Herramientas de un cableado estructurado (1)
Herramientas de un cableado estructurado (1)
siledis
Taller de habilidades-Windows Server 2012
Taller de habilidades-Windows Server 2012
jcausil1
Windows 10
Windows 10
wilson2018
INSTALACION ELECTRICA CENTRO DE COMPUTO
INSTALACION ELECTRICA CENTRO DE COMPUTO
Jorge Luis Carranza Lujan
Normas sobre cableado estructurado
Normas sobre cableado estructurado
Monica Barragan Quinde
Instalación de sql server express edition 2012
Instalación de sql server express edition 2012
Osmar Zaragoza
Disco duro-presentación (2)
Disco duro-presentación (2)
Yury Torres
New Horizons Perú: Programa de Becas de Certificación Internacional Microsof...
New Horizons Perú: Programa de Becas de Certificación Internacional Microsof...
New Horizons Perú
HERRAMIENTAS
HERRAMIENTAS
Jorge Luis Carranza Lujan
Andere mochten auch
(20)
DISCOS DUROS
DISCOS DUROS
VIRUS INFORMATICO
VIRUS INFORMATICO
Instalación Windows Server 2012
Instalación Windows Server 2012
Nuevo Curso Empowerment - New Horizons Perú.
Nuevo Curso Empowerment - New Horizons Perú.
Certificate - Windows Server 2012 R2 Storage Jump Start New Choices
Certificate - Windows Server 2012 R2 Storage Jump Start New Choices
Curso diagnostico reparacion de motherboards de computadoras
Curso diagnostico reparacion de motherboards de computadoras
Cableado estructurado-de-red-1204886726520124-4
Cableado estructurado-de-red-1204886726520124-4
Guía Partes Del Cmputador
Guía Partes Del Cmputador
Curso Siemon - Cableado Estructurado
Curso Siemon - Cableado Estructurado
Mantenimiento pc
Mantenimiento pc
PELIGROS DE UNA COMPUTADORA
PELIGROS DE UNA COMPUTADORA
Herramientas de un cableado estructurado (1)
Herramientas de un cableado estructurado (1)
Taller de habilidades-Windows Server 2012
Taller de habilidades-Windows Server 2012
Windows 10
Windows 10
INSTALACION ELECTRICA CENTRO DE COMPUTO
INSTALACION ELECTRICA CENTRO DE COMPUTO
Normas sobre cableado estructurado
Normas sobre cableado estructurado
Instalación de sql server express edition 2012
Instalación de sql server express edition 2012
Disco duro-presentación (2)
Disco duro-presentación (2)
New Horizons Perú: Programa de Becas de Certificación Internacional Microsof...
New Horizons Perú: Programa de Becas de Certificación Internacional Microsof...
HERRAMIENTAS
HERRAMIENTAS
Ähnlich wie Ccnas v11 ch02_eb
Chapter 2 overview
Chapter 2 overview
ali raza
CCNA Security - Chapter 2
CCNA Security - Chapter 2
Irsandi Hasan
Day 5.2 startingarouter
Day 5.2 startingarouter
CYBERINTELLIGENTS
network security
network security
Dayanna Moyano
CCNA_Security_02.ppt
CCNA_Security_02.ppt
veracru1
All contents are Copyright © 1992–2012 Cisco Systems, Inc. A.docx
All contents are Copyright © 1992–2012 Cisco Systems, Inc. A.docx
galerussel59292
R1
R1
Tuan Nguyen
CCNA Security 06- AAA
CCNA Security 06- AAA
Ahmed Habib
Samplab19
Samplab19
Noman Ashraf (CCNA, MCTS)
CCNA (R & S) Module 04 - Scaling Networks - Chapter 1
CCNA (R & S) Module 04 - Scaling Networks - Chapter 1
Waqas Ahmed Nawaz
Itn6 instructor materials_chapter2
Itn6 instructor materials_chapter2
limenih muluneh
Configuring Ip Sec Between A Router And A Pix
Configuring Ip Sec Between A Router And A Pix
angelitoh11
Detailed explanation of Basic router configuration
Detailed explanation of Basic router configuration
samreenghauri786
8 steps to protect your cisco router
8 steps to protect your cisco router
IT Tech
Cisco Router and Switch Security Hardening Guide
Cisco Router and Switch Security Hardening Guide
Harris Andrea
CCNA ppt Day 4
CCNA ppt Day 4
VISHNU N
Cis81 ccna1v5-2-configuring networkoperatingsystem
Cis81 ccna1v5-2-configuring networkoperatingsystem
Betselove
CCNA3 Verson6 Chapter1
CCNA3 Verson6 Chapter1
Chaing Ravuth
Basic Cisco ASA 5506-x Configuration (Firepower)
Basic Cisco ASA 5506-x Configuration (Firepower)
NetProtocol Xpert
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)
Michael Smith
Ähnlich wie Ccnas v11 ch02_eb
(20)
Chapter 2 overview
Chapter 2 overview
CCNA Security - Chapter 2
CCNA Security - Chapter 2
Day 5.2 startingarouter
Day 5.2 startingarouter
network security
network security
CCNA_Security_02.ppt
CCNA_Security_02.ppt
All contents are Copyright © 1992–2012 Cisco Systems, Inc. A.docx
All contents are Copyright © 1992–2012 Cisco Systems, Inc. A.docx
R1
R1
CCNA Security 06- AAA
CCNA Security 06- AAA
Samplab19
Samplab19
CCNA (R & S) Module 04 - Scaling Networks - Chapter 1
CCNA (R & S) Module 04 - Scaling Networks - Chapter 1
Itn6 instructor materials_chapter2
Itn6 instructor materials_chapter2
Configuring Ip Sec Between A Router And A Pix
Configuring Ip Sec Between A Router And A Pix
Detailed explanation of Basic router configuration
Detailed explanation of Basic router configuration
8 steps to protect your cisco router
8 steps to protect your cisco router
Cisco Router and Switch Security Hardening Guide
Cisco Router and Switch Security Hardening Guide
CCNA ppt Day 4
CCNA ppt Day 4
Cis81 ccna1v5-2-configuring networkoperatingsystem
Cis81 ccna1v5-2-configuring networkoperatingsystem
CCNA3 Verson6 Chapter1
CCNA3 Verson6 Chapter1
Basic Cisco ASA 5506-x Configuration (Firepower)
Basic Cisco ASA 5506-x Configuration (Firepower)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)
Mehr von Edgar Benavente
CCNA_SEC_v11 Cap_04_part_I_EB
CCNA_SEC_v11 Cap_04_part_I_EB
Edgar Benavente
Exploration routing chapter_11
Exploration routing chapter_11
Edgar Benavente
Exploration routing chapter_10
Exploration routing chapter_10
Edgar Benavente
Exploration routing chapter_9
Exploration routing chapter_9
Edgar Benavente
Exploration routing chapter_7
Exploration routing chapter_7
Edgar Benavente
Exploration routing chapter_5
Exploration routing chapter_5
Edgar Benavente
Exploration routing chapter_4
Exploration routing chapter_4
Edgar Benavente
Exploration routing chapter_3
Exploration routing chapter_3
Edgar Benavente
Exploration routing chapter_2
Exploration routing chapter_2
Edgar Benavente
Exploration routing chapter_1
Exploration routing chapter_1
Edgar Benavente
Exploration network chapter9
Exploration network chapter9
Edgar Benavente
Exploration network chapter8
Exploration network chapter8
Edgar Benavente
Exploration network chapter7
Exploration network chapter7
Edgar Benavente
Exploration network chapter6
Exploration network chapter6
Edgar Benavente
Exploration network chapter5
Exploration network chapter5
Edgar Benavente
Exploration network chapter4
Exploration network chapter4
Edgar Benavente
Exploration network chapter3
Exploration network chapter3
Edgar Benavente
Exploration routing chapter_6
Exploration routing chapter_6
Edgar Benavente
Exploration network chapter2
Exploration network chapter2
Edgar Benavente
Exploration network chapter1
Exploration network chapter1
Edgar Benavente
Mehr von Edgar Benavente
(20)
CCNA_SEC_v11 Cap_04_part_I_EB
CCNA_SEC_v11 Cap_04_part_I_EB
Exploration routing chapter_11
Exploration routing chapter_11
Exploration routing chapter_10
Exploration routing chapter_10
Exploration routing chapter_9
Exploration routing chapter_9
Exploration routing chapter_7
Exploration routing chapter_7
Exploration routing chapter_5
Exploration routing chapter_5
Exploration routing chapter_4
Exploration routing chapter_4
Exploration routing chapter_3
Exploration routing chapter_3
Exploration routing chapter_2
Exploration routing chapter_2
Exploration routing chapter_1
Exploration routing chapter_1
Exploration network chapter9
Exploration network chapter9
Exploration network chapter8
Exploration network chapter8
Exploration network chapter7
Exploration network chapter7
Exploration network chapter6
Exploration network chapter6
Exploration network chapter5
Exploration network chapter5
Exploration network chapter4
Exploration network chapter4
Exploration network chapter3
Exploration network chapter3
Exploration routing chapter_6
Exploration routing chapter_6
Exploration network chapter2
Exploration network chapter2
Exploration network chapter1
Exploration network chapter1
Kürzlich hochgeladen
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
rafiqahmad00786416
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Juan lago vázquez
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
MadyBayot
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
wesley chun
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
sudhanshuwaghmare1
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
The Digital Insurer
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Zilliz
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
Dropbox
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
wesley chun
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
lior mazor
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
DianaGray10
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
Zilliz
Kürzlich hochgeladen
(20)
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
Ccnas v11 ch02_eb
1.
Asegurando los Dispositivos de
Red. © 2012 Cisco and/or its affiliates. All rights reserved. 1
2.
• El gran
cambio es que ahora se tienen interfaces GigabitEthernet http://www.cisco.com/en/US/products/ps10906/Products_Sub_Category_Home.html# © 2012 Cisco and/or its affiliates. All rights reserved. 2
3.
Router 1 (R1) •
Escenario 1: LAN 1 Internet – El router protege la LAN. 192.168.2.0 Scenario 1 • Escenario 2: – El router recibe el trafico antes de R1 Firewall LAN 1 un firewall (PIX/ASA). Internet 192.168.2.0 Scenario 2 • Escenario 3: R1 Firewall R2 – La zona conectada al firewall es LAN 1 Internet 192.168.2.0 llamada DMZ. – Los equipos que se acceden desde DMZ Internet son localizados en esta Scenario 3 DMZ. © 2012 Cisco and/or its affiliates. All rights reserved. 3
4.
• La seguridad
física – Instalar los equipos de infraestructura en una habitación cerrada con llave – Instalar un sistema de alimentación ininterrumpida (UPS) y mantener los componentes de repuesto disponibles para reducir la posibilidad de un ataque DoS. • Sistema Operativo – Configure el router con la mayor cantidad de memoria posible. – Utilizar la “última versión estable” del sistema operativo que cumpla con los requisitos de características de la red. – Guardar una copia de seguridad de la imagen del router sistema operativo y el archivo de configuración del router como una copia de seguridad. © 2012 Cisco and/or its affiliates. All rights reserved. 4
5.
• Robustez del
Router – Control administrativo seguro para garantizar que sólo el personal autorizado tenga acceso y que su nivel de acceso esté controlado. – Deshabilitar los puertos e interfaces no utilizados a fin de reducir el número de maneras que se puede acceder al dispositivo. – Desactivar los servicios innecesarios que pueden ser utilizados por un atacante para obtener información o para la explotación. R1 © 2012 Cisco and/or its affiliates. All rights reserved. 5
6.
• Restringir el
acceso a dispositivo • Iniciar y dar cuenta de todos los accesos • Autenticar el acceso • Autorizar las acciones • Aviso Legal Actual • Garantizar la confidencialidad de los datos © 2012 Cisco and/or its affiliates. All rights reserved. 6
7.
Asegurar el acceso
administrativo © 2012 Cisco and/or its affiliates. All rights reserved. 7
8.
• Todos los
routers necesitan una contraseña local para el acceso al nivel privilegiado y a otros accesos. R1(config)# enable secret cisco R1(config)# line vty 0 4 R1(config)# line aux 0 R1(config-line)# password cisco R1(config-line)# password cisco R1(config-line)# login R1(config-line)# login R1 R1(config)# line con 0 R1(config-line)# password cisco R1(config-line)# login © 2012 Cisco and/or its affiliates. All rights reserved. 8
9.
• Modificar las
contraseñas frecuentemente. • Las reglas locales pueden hacer que las contraseñas sean más segura. © 2012 Cisco and/or its affiliates. All rights reserved. 9
10.
– Básicamente una
oración / frase que sirve como contraseña más segura. • Por ejemplo: – “My favorite spy is James Bond 007.” = MfsiJB007. – “Fly me to the moon. And let me play among the stars.” = FmttmAlmpats. © 2012 Cisco and/or its affiliates. All rights reserved. 10
11.
• Utilice una
longitud de contraseña de 10 caracteres o más. • Haga contraseñas complejas mediante la inclusión de una combinación de letras mayúsculas y minúsculas, números, símbolos y espacios. • Evite contraseñas basadas en secuencias de repetición, palabras del diccionario, letras o números, nombres de usuario, nombres de mascotas o relativos, información biográfica, como fechas de nacimiento, números de identificación, nombres de los antepasados, u otras piezas fácilmente identificables de la información. • Intencionadamente cree una mala contraseña. – Por ejemplo, Smith = Smyth = 5mYth o Security = 5ecur1ty . • Cambie las contraseñas con frecuencia por lo que si una contraseña se ve comprometida, sin saberlo, la ventana de oportunidad para que el atacante utilice la contraseña es limitado. • No escriba contraseñas y dejarlas en lugares obvios, como en el escritorio o un monitor. © 2012 Cisco and/or its affiliates. All rights reserved. 11
12.
• Para aumentar
la seguridad de las contraseñas, se debe utilizar los siguientes comandos del Cisco IOS: – Longitud mínima de caracteres : security passwords min-length. – Desactivar las conexiones sin actividad: exec-timeout. – Encriptar las contraseñas del archivo de configuración: service password-encryption. Nota: – El comando exec-timeout 0 0 que no habrá tiempo de espera y la sesión permanecerá activa durante un tiempo ilimitado. © 2012 Cisco and/or its affiliates. All rights reserved. 12
13.
• Por defecto
son 10 minutos. • Finaliza una conexión desatendida (consola o vty). • Ofrece un nivel adicional de seguridad si el administrador se aleja de una sesión de consola activa. Router(config-line)# exec-timeout minutes [seconds] – Para finalizar una conexión de consola desatendida después de 3 minutos y 30 segundos: Sudbury(config)# line console 0 Sudbury(config-line)# exec-timeout 3 30 – Para deshabilitar conexiones una linea particular: Sudbury(config)# line aux 0 Sudbury(config-line)# no exec-timeout © 2012 Cisco and/or its affiliates. All rights reserved. 13
14.
Router(config)#
service password-encryption R1(config)# service password-encryption R1(config)# exit R1# show running-config enable password 7 06020026144A061E ! line con 0 password 7 094F471A1A0A login ! line aux 0 password 7 01100F175804575D72 login line vty 0 4 password 7 03095A0F034F38435B49150A1819 login © 2012 Cisco and/or its affiliates. All rights reserved. 14
15.
– Configuración de
usuario tradicional con contraseña en texto plano. username name password {[0] password | 7 hidden-password} – El uso de hash MD5 para la protección de contraseña segura. – Más seguro que el cifrado de tipo 7. username name secret {[0] password | encrypted-secret} © 2012 Cisco and/or its affiliates. All rights reserved. 15
16.
R1# conf t
R1(config)# username JR-ADMIN password letmein % Password too short - must be at least 10 characters. Password configuration failed R1(config)# username JR-ADMIN password cisco12345 R1(config)# username ADMIN secret cisco54321 R1(config)# line con 0 R1(config-line)# login local R1# show run | include username username JR-ADMIN password 7 060506324F41584B564347 username ADMIN secret 5 $1$G3oQ$hEvsd5iz76WJuSJvtzs8I0 R1# R1 con0 is now available Press RETURN to get started. User Access Verification Username: ADMIN Password: R1> © 2012 Cisco and/or its affiliates. All rights reserved. 16
17.
R1# configure terminal
R1(config)# username ADMIN secret cisco54321 R1(config)# line vty 0 4 R1(config-line)# login local R1(config)# exit R1(config)# login block-for 120 attempts 5 within 60 R1(config)# ip access-list standard PERMIT-ADMIN R1(config-std-nacl)# remark Permit only Administrative hosts R1(config-std-nacl)# permit 192.168.10.10 R1(config-std-nacl)# permit 192.168.11.10 R1(config-std-nacl)# exit R1(config)# login quiet-mode access-class PERMIT-ADMIN R1(config)# login delay 10 R1(config)# login on-success log R1(config)# login on-failure log R1(config)# exit © 2012 Cisco and/or its affiliates. All rights reserved. 17
18.
R1# show login
A login delay of 10 seconds is applied. Quiet-Mode access list PERMIT-ADMIN is applied. Router enabled to watch for login Attacks. If more than 5 login failures occur in 60 seconds or less, logins will be disabled for 120 seconds. Router presently in Normal-Mode. Current Watch Window Time remaining: 5 seconds. Login failures for current window: 4. Total login failures: 4. © 2012 Cisco and/or its affiliates. All rights reserved. 18
19.
R1#
*Dec 10 15:38:54.455: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 12 secs, [user: admin] [Source: 10.10.10.10] [localport: 23] [Reason: Login Authentication Failed - BadUser] [ACL: PERMIT-ADMIN] at 15:38:54 UTC Wed Dec 10 2008 R1# show login A login delay of 10 seconds is applied. Quiet-Mode access list PERMIT-ADMIN is applied. Router enabled to watch for login Attacks. If more than 5 login failures occur in 60 seconds or less, logins will be disabled for 120 seconds. Router presently in Quiet-Mode. Will remain in Quiet-Mode for 105 seconds. Restricted logins filtered by applied ACL PERMIT-ADMIN. R1# © 2012 Cisco and/or its affiliates. All rights reserved. 19
20.
R1# show login
failures Total failed logins: 22 Detailed information about last 50 failures Username SourceIPAddr lPort Count TimeStamp admin 1.1.2.1 23 5 15:38:54 UTC Wed Dec 10 2011 Admin 10.10.10.10 23 13 15:58:43 UTC Wed Dec 10 2011 admin 10.10.10.10 23 3 15:57:14 UTC Wed Dec 10 2011 cisco 10.10.10.10 23 1 15:57:21 UTC Wed Dec 10 2011 R1# • In this example, the command identifies the number of failures, usernames tried, and offending IP addresses with a timestamp added to each unsuccessful attempt. © 2012 Cisco and/or its affiliates. All rights reserved. 20
21.
• Los mensajes
de Banner deben implementarse para advierten a los posibles intrusos que no son bienvenidos en la red. © 2012 Cisco and/or its affiliates. All rights reserved. 21
22.
• Especifique lo
que es “uso apropiado" del sistema. • Especificar que el sistema se está supervisando. • Especifica que la privacidad no debe esperarse cuando se utiliza este sistema. • No use la palabra "bienvenido“. • El departamento legal ha revisado el contenido del mensaje. Router(config)# banner {exec | incoming | login | motd | slip-ppp} d message d © 2012 Cisco and/or its affiliates. All rights reserved. 22
23.
• Paso 1:
Configure el nombre de dominio IP. • Paso 2: Genere llaves RSA de una via • Paso 3: Crear un username en la base de datos local. • Paso 4: Habilitar sesiones entrantes via SSH. R1# conf t R1(config)# ip domain-name span.com R1(config)# crypto key generate rsa general-keys modulus 1024 The name for the keys will be: R1.span.com % The key modulus size is 1024 bits % Generating 1024 bit RSA keys, keys will be non-exportable...[OK] R1(config)# *Dec 13 16:19:12.079: %SSH-5-ENABLED: SSH 1.99 has been enabled R1(config)# username Bob secret cisco R1(config)# line vty 0 4 R1(config-line)# login local R1(config-line)# transport input ssh R1(config-line)# exit © 2012 Cisco and/or its affiliates. All rights reserved. 23
24.
– Versión de
SSH • ip ssh version {1 | 2} – Numero de reintentos de autenticación • ip ssh authentication-retries integer – Periodo de timeout SSH. • ip ssh time-out seconds © 2012 Cisco and/or its affiliates. All rights reserved. 24
25.
R1# show ip
ssh SSH Enabled - version 1.99 Authentication timeout: 120 secs; Authentication retries: 3 R1# R1# conf t Enter configuration commands, one per line. End with CNTL/Z. R1(config)# ip ssh version 2 R1(config)# ip ssh authentication-retries 2 R1(config)# ip ssh time-out 60 R1(config)# ^Z R1# R1# show ip ssh SSH Enabled - version 2.0 Authentication timeout: 60 secs; Authentication retries: 2 R1# © 2012 Cisco and/or its affiliates. All rights reserved. 25
26.
2
R2 establishes an SSH connection with R1. R2# ssh -l Bob 192.168.2.101 Password: R1> 1 There are no current SSH sessions ongoing with R1. R1# sho ssh %No SSHv2 server connections running. %No SSHv1 server connections running. R1# 3 There is an incoming and outgoing SSHv2 session with user Bob. R1# sho ssh Connection Version Mode Encryption Hmac State Username 0 2.0 IN aes128-cbc hmac-sha1 Session started Bob 0 2.0 OUT aes128-cbc hmac-sha1 Session started Bob %No SSHv1 server connections running. R1# © 2012 Cisco and/or its affiliates. All rights reserved. 26
27.
© 2012 Cisco
and/or its affiliates. All rights reserved. 27
28.
© 2012 Cisco
and/or its affiliates. All rights reserved. 28
29.
© 2012 Cisco
and/or its affiliates. All rights reserved. 29
30.
© 2012 Cisco
and/or its affiliates. All rights reserved. 30
31.
© 2012 Cisco
and/or its affiliates. All rights reserved. 31
32.
© 2012 Cisco
and/or its affiliates. All rights reserved. 32
33.
© 2012 Cisco
and/or its affiliates. All rights reserved. 33
34.
Niveles de Privilegios ©
2012 Cisco and/or its affiliates. All rights reserved. 34
35.
© 2012 Cisco
and/or its affiliates. All rights reserved. 35
36.
• Las necesidades
de un operador de seguridad de la red puede no ser la misma que la del ingeniero WAN. • Los Routers Cisco permiten la configuración en varios niveles de privilegios para los administradores. – Diferentes contraseñas se pueden configurar para controlar quién tiene acceso a los diferentes niveles de privilegio. • Existen 16 niveles de privilegios. – Los niveles del 2 al 14 pueden ser configurados haciendo uso del comando privilege en modo de configuracion global. © 2012 Cisco and/or its affiliates. All rights reserved. 36
37.
• Nivel 0:
– Predefinidas para los privilegios de acceso Nivel de usuario. – Rara vez usado, sino que hacen uso los siguientes comandos: disable, enable, exit, help y logout. • Nivel 1(Modo EXEC): – El nivel predeterminado de inicio de sesión Router>. – Un usuario no puede realizar ningún cambio o ver el archivo de configuración en ejecución. • Niveles 2 –14: – Puede ser personalizado por los privilegios a nivel de usuario. – Los comandos de los niveles inferiores pueden ser movidos a un nivel más alto, comandos desde niveles más altos puede ser movidos a un nivel inferior. • Nivel 15 (Modo EXEC Privilegiado): – Reservado para los niveles privilegiados ( comando enable). – Los usuarios pueden ver y cambiar todos los aspectos de la configuración. © 2012 Cisco and/or its affiliates. All rights reserved. 37
38.
Router(config)#
privilege mode {level level command | reset command} Comando Descripcion Este comando especifica el modo de configuración. mode Utilice el símbolo “?” para ver una lista de los modos del router. (Opcional) Este comando permite establecer un nivel de privilegio con un comando level especificado. (Opcional) Este parámetro es el nivel de privilegios que está asociado con un level command comando. Se puede especificar hasta 16 niveles de privilegios, utilizando números del 0 al 15. reset (Opcional) Este comando resetea el nivel de privilegio de un comando. (Opcional) Este es el argumento de comando para utilizar cuando se quiere command restablecer el nivel de privilegio. © 2012 Cisco and/or its affiliates. All rights reserved. 38
39.
R1# conf t
R1(config)# username USER privilege 1 secret cisco R1(config)# R1(config)# privilege exec level 5 ping R1(config)# enable secret level 5 cisco5 R1(config)# username SUPPORT privilege 5 secret cisco5 R1(config)# R1(config)# privilege exec level 10 reload R1(config)# enable secret level 10 cisco10 R1(config)# username JR-ADMIN privilege 10 secret cisco10 R1(config)# R1(config)# username ADMIN privilege 15 secret cisco123 R1(config)# © 2012 Cisco and/or its affiliates. All rights reserved. 39
40.
User Access Verification
Username: user Password: <cisco> R1> show privilege Current privilege level is 1 R1# ping 10.10.10.1 ^ % Invalid input detected at '^' marker. R1> © 2012 Cisco and/or its affiliates. All rights reserved. 40
41.
R1> enable 5
Password:<cisco5> R1# R1# show privilege Current privilege level is 5 R1# R1# ping 10.10.10.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms R1# R1# reload Translating "reload" Translating "reload" % Unknown command or computer name, or unable to find computer address R1# © 2012 Cisco and/or its affiliates. All rights reserved. 41
42.
R1# enable 10
Password:<cisco10> R1# show privilege Current privilege level is 10 R1# ping 10.10.10.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms R1# reload System configuration has been modified. Save? [yes/no]: ^C R1# show running-config ^ % Invalid input detected at '^' marker. R1# © 2012 Cisco and/or its affiliates. All rights reserved. 42
43.
R1# enable 15
Password: <cisco123> R1# show privilege Current privilege level is 15 R1# show running-config Building configuration... Current configuration : 1145 bytes ! version 12.4 <output omitted> © 2012 Cisco and/or its affiliates. All rights reserved. 43
44.
• No hay
control de acceso a las interfaces, puertos, interfaces lógicas y slots en un router. • Los comandos disponibles en niveles de privilegios inferiores siempre son ejecutables en los niveles superiores. • Los comandos establecidos en un nivel de privilegio superior no están disponibles para los usuarios con privilegios bajos. • La asignación de un comando con varias palabras clave a un nivel de privilegio específico también asigna todos los comandos asociados a las primeras palabras clave en el mismo nivel de privilegio. – Un ejemplo es el comando show ip route. © 2012 Cisco and/or its affiliates. All rights reserved. 44
45.
• Los niveles
de privilegio y las contraseñas del modo enableno proveen el nivel necesario de detalle cuando se trabaja en routers y switches Cisco. • El acceso a la CLI basado en roles le permite al administrador definir “vistas”. – Las vistas son un conjunto de comandos operativos y capacidades de configuración que proporcionan acceso selectivo o parcial del modo privilegiado y comandos de modos de configuración. – Las vistas restringen el acceso a la informacion de configuracion del Cisco IOS, es decir, una vista puede definir qué comandos son aceptados y qué información de configuración es visible.. © 2012 Cisco and/or its affiliates. All rights reserved. 45
46.
• La vista
Root es requerida para definir Vistas y Supervistas. • Una vista contiene comandos • Un comando puede aparecer en mas de una vista. Root View View #1 View #2 View #3 View #4 View #5 View #6 show show ip route show run int fa0/0 interfaces © 2012 Cisco and/or its affiliates. All rights reserved. 46
47.
• La vista
raíz es la vista de mas alto nivel administrativo. – La creación y modificación de una vista o 'supervista' sólo es posible desde ésta. – La diferencia entre la vista raíz y nivel de privilegio 15 es que sólo el usuario root el cual puede crear vistas o modificar puntos de vista y supervistas. • Las vistas de CLI basadas en roles requieren del AAA new- modelo: – Esto es necesario incluso con la autenticación de vista local. • Pueden existir además de la vista raíz, un máximo de 15 puntos de vista de la CLI. © 2012 Cisco and/or its affiliates. All rights reserved. 47
48.
• Antes de
que una vista pueda ser creada, debe ser habilitado AAA mediante el comando aaa new-model. • A continuacion, use el comando enable con el parametro view para ingresar a la vista root. – Adicionalmente se puede usa el comando enable view root. • Use la contraseña de privilegio 15 (enable secret), si es necesario para la autenticacion. Router# enable [privilege-level] [view [view-name]] R1(config)# aaa new-model R1(config)# exit R1# enable view Password: R1# %PARSER-6-VIEW_SWITCH: successfully set to view 'root' © 2012 Cisco and/or its affiliates. All rights reserved. 48
49.
• Cree una
vista e ingresa en el modo de configuracion. Router(config)# parser view view-name • Fije un password para proteger el acceso a la vista. • Agregue comandos o interfaces a una vista. Router(config-view)# secret encrypted-password commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command] • Ejemplo R1(config)# parser view MONITOR-VIEW R1(config-view)# secret cisco R1(config-view)# commands exec include show version © 2012 Cisco and/or its affiliates. All rights reserved. 49
50.
Router(config-view)#
commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command] Parametro Descripcion parser-mode Especifica el modo en el cual existe el comando especificado. include Agrega un comando o una interface a la vista y permite que el mismo comando o interface sea agregado a una vista adicional. include-exclusive Agrega un comando o una interface a la vista y excluye el mismo comando o interface sea agregado a todas las vistas. exclude Excluye un comando o una interface desde la vista. all (Opcional) Especifica un “comodín” que permite a cada comando en un modo de configuración especificado que comience con la misma palabra clave o cada subinterfaz para una interfaz especificada para ser parte de la vista. interface interface-name (Opcional) Especifica una interfaz que se añade a la vista.. command (Opcional) Especifica un comando que se añade a la vista. © 2012 Cisco and/or its affiliates. All rights reserved. 50
51.
R1(config)# aaa new-model
R1(config)# exit R1# enable view %PARSER-6-VIEW_SWITCH: successfully set to view ‘root’. R1# configure terminal R1(config)# parser view FIRST %PARSER-6-VIEW_CREATED:view ‘FIRST’ successfully created. R1(config-view)# secret firstpass R1(config-view)# command exec include show version R1(config-view)# command exec include configure terminal R1(config-view)# command exec include all show ip R1(config-view)# exit © 2012 Cisco and/or its affiliates. All rights reserved. 51
52.
R1> enable view
FIRST Password: %PARSER-6-VIEW_SWITCH:successfully set to view „FIRST'. R1# ? Exec commands: configure Enter configuration mode enable Turn on privileged commands exit Exit from the EXEC show Show running system information R1# show ? ip IP information parser Display parser information version System hardware and software status © 2012 Cisco and/or its affiliates. All rights reserved. 52
53.
R1# show ip
? access-lists List IP access lists accounting The active IP accounting database aliases IP alias table arp IP ARP table as-path-access-list List AS path access lists bgp BGP information cache IP fast-switching route cache casa Display casa information cef Cisco Express Forwarding community-list List community-list dfp DFP information dhcp Show items in the DHCP database drp --More-- • Por ultimo se asigna la vista a un usuario R1# config t R1(config)# username Bob view FIRST password cisco123 © 2012 Cisco and/or its affiliates. All rights reserved. 53
54.
R1(config)# parser view
SHOWVIEW *Mar 1 09:54:54.873: %PARSER-6-VIEW_CREATED: view „SHOWVIEW' successfully created. R1(config-view)# secret cisco R1(config-view)# commands exec include show version R1(config-view)# exit R1(config)# parser view VERIFYVIEW *Mar 1 09:55:24.813: %PARSER-6-VIEW_CREATED: view „VERIFYVIEW' successfully created. R1(config-view)# commands exec include ping % Password not set for the view VERIFYVIEW R1(config-view)# secret cisco5 R1(config-view)# commands exec include ping R1(config-view)# exit R1(config)# parser view REBOOTVIEW R1(config-view)# *Mar 1 09:55:52.297: %PARSER-6-VIEW_CREATED: view „REBOOTVIEW' successfully created. R1(config-view)# secret cisco10 R1(config-view)# commands exec include reload R1(config-view)# exit © 2012 Cisco and/or its affiliates. All rights reserved. 54
55.
R1# show running-config
<Output omitted> parser view SHOWVIEW secret 5 $1$GL2J$8njLecwTaLAc0UuWo1/Fv0 commands exec include show version commands exec include show ! parser view VERIFYVIEW secret 5 $1$d08J$1zOYSI4WainGxkn0Hu7lP1 commands exec include ping ! parser view REBOOTVIEW secret 5 $1$L7lZ$1Jtn5IhP43fVE7SVoF1pt. commands exec include reload ! © 2012 Cisco and/or its affiliates. All rights reserved. 55
56.
• Supervistas contienen
Vistas por no comandos. • Dos Supervistas pueden usar la misma Vista. • Por ejemplo, tanto la Supervista 1 y Supervista 2 pueden incluir la Vista de CLI 4 Root View CLI Views View #1 View #2 View #3 View #4 View #5 View #6 command exec … command exec … command exec … command exec … command exec … command exec … Superview #1 Superview #2 View #1 View #2 View #3 View #5 command exec … command exec … command exec … command exec … View #4 command exec … View #4 View #6 command exec … command exec … © 2012 Cisco and/or its affiliates. All rights reserved. 56
57.
• Una vista
puede ser compartido entre múltiples supervistas. • Los comandos no se pueden configurar para un supervista. – Los comandos se añaden a las opciones de la CLI. – Los usuarios que estén conectados a un supervista pueden acceder a todos los comandos que están configurados para cualquiera de los puntos de vista de la CLI que forman parte de la supervista. • Cada supervista tiene una contraseña que se utiliza para cambiar entre supervistas o desde una vista de CLI a un supervista. © 2012 Cisco and/or its affiliates. All rights reserved. 57
58.
• Si se
agrega palabra clave superview a la sentencia parser view de se crea una supervista y se ingresa al modo de configuración de vista Router(config)# parser view view-name superview • Establece una contraseña para proteger el acceso a la supervista. • La contraseña debe ser creada inmediatamente después de crear una vista de otra manera un mensaje de error. Router(config-view)# secret encrypted-password • Añade una vista CLI a un supervista. • Las vistas múltiples pueden ser añadidas. • Las vistas pueden ser compartidos entre supervistas Router(config-view)# view view-name © 2012 Cisco and/or its affiliates. All rights reserved. 58
59.
R1(config)# parser view
USER superview * Mar 1 09:56:26.465 : %PARSER-6-SUPER_VIEW_CREATED: super view 'USER' successfully created. R1(config-view)# secret cisco R1(config-view)# view SHOWVIEW *Mar 1 09:56:33.469: %PARSER-6-SUPER_VIEW_EDIT_ADD: view SHOWVIEW added to superview USER. R1(config-view)# exit R1(config)# parser view SUPPORT superview *Mar 1 09:57:33.825 : %PARSER-6-SUPER_VIEW_CREATED: super view 'SUPPORT' successfully created. R1(config-view)# secret cisco1 R1(config-view)# view SHOWVIEW *Mar 1 09:57:45.469: %PARSER-6-SUPER_VIEW_EDIT_ADD: view SHOWVIEW added to superview SUPPORT. R1(config-view)# view VERIFYVIEW *Mar 1 09:57:57.077: %PARSER-6-SUPER_VIEW_EDIT_ADD: view VERIFYVIEW added to superview SUPPORT. R1(config-view)# exit R1(config)# parser view JR-ADMIN superview *Mar 1 09:58:09.993: %PARSER-6-SUPER_VIEW_CREATED: super view 'JR-ADMIN' successfully created. R1(config-view)# secret cisco2 R1(config-view)# view SHOWVIEW *Mar 1 09:58:26.973: %PARSER-6-SUPER_VIEW_EDIT_ADD: view SHOWVIEW added to superview JR- ADMIN. R1(config-view)# view VERIFYVIEW *Mar 1 09:58:31.817: %PARSER-6-SUPER_VIEW_EDIT_ADD: view VERIFYVIEW added to superview JR- ADMIN. R1(config-view)# view REBOOTVIEW *Mar 1 09:58:39.669: %PARSER-6-SUPER_VIEW_EDIT_ADD: view REBOOTVIEW added to superview JR- ADMIN. R1(config-view)# exit © 2012 Cisco and/or its affiliates. All rights reserved. 59
60.
R1# show running-config
<output omitted> ! parser view SUPPORT superview secret 5 $1$Vp1O$BBB1N68Z2ekr/aLHledts. view SHOWVIEW view VERIFYVIEW ! parser view USER superview secret 5 $1$E4k5$ukHyfYP7dHOC48N8pxm4s/ view SHOWVIEW ! parser view JR-ADMIN superview secret 5 $1$8kx2$rbAe/ji220OmQ1yw.568g0 view SHOWVIEW view VERIFYVIEW view REBOOTVIEW ! © 2012 Cisco and/or its affiliates. All rights reserved. 60
61.
R1# enable view
USER Password: *Mar 1 09:59:46.197: %PARSER-6-VIEW_SWITCH: successfully set to view 'USER'. R1# ? Exec commands: enable Turn on privileged commands exit Exit from the EXEC show Show running system information R1# R1# show ? flash: display information about flash: file system version System hardware and software status R1# © 2012 Cisco and/or its affiliates. All rights reserved. 61
62.
R1# enable view
SUPPORT Password: *Mar 1 10:00:11.353: %PARSER-6-VIEW_SWITCH: successfully set to view 'SUPPORT'. R1# ? Exec commands: enable Turn on privileged commands exit Exit from the EXEC ping Send echo messages show Show running system information R1# © 2012 Cisco and/or its affiliates. All rights reserved. 62
63.
R1# enable view
JR-ADMIN Password: *Mar 1 10:00:28.365: %PARSER-6-VIEW_SWITCH: successfully set to view 'JR-ADMIN'. R1# ? Exec commands: enable Turn on privileged commands exit Exit from the EXEC ping Send echo messages reload Halt and perform a cold restart show Show running system information R1# © 2012 Cisco and/or its affiliates. All rights reserved. 63
64.
• Para monitorear
CLI basada en roles, use el comando show parser view para visualizar la información referente a la vista donde está el usuario actualmente. – Con el comando all se muestra la informacion para todas las vistas configuradas. Este comando esta disponible solo para los usuarios root. • Para visualizar mensajes debug para todas las vistas, use el comando debug parser view en modo privilegiado. © 2012 Cisco and/or its affiliates. All rights reserved. 64
65.
R1# show parser
view No view is active ! Currently in Privilege Level Context R1# R1# enable view Password: *Mar 1 10:38:56.233: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'. R1# R1# show parser view Current view is 'root' R1# R1# show parser view all Views/SuperViews Present in System: SHOWVIEW VERIFYVIEW REBOOTVIEW SUPPORT * USER * JR-ADMIN * ADMIN * -------(*) represent superview------- R1# © 2012 Cisco and/or its affiliates. All rights reserved. 65
66.
• Si un
router esta comprometido, es un riesgo que la configuracion y el IOS puedan ser borrados. • Necesidad de garantizar la bootset primario. – Archivo de configuracion y el IOS que está corriendo • Nota de SCP: – Además de la característica de configuración resistente, los archivos de configuración e imagen se puede copiar de forma segura a otro dispositivo mediante Secure Copy (SCP). – Proporciona un método seguro y autenticado para copiar los archivos de configuración del router entre dispositivos. – Se basa en SSH. © 2012 Cisco and/or its affiliates. All rights reserved. 66
67.
• La función
de Resistencia del Cisco IOS le permite al equipo asegurar y mantener una copia funcional de la imagen en ejecución y los archivos de configuración. – Acelera el proceso de recuperación. – Los archivos son almacenados localmente. – Esta función puede ser desactivada a través de una sesión de consola. © 2012 Cisco and/or its affiliates. All rights reserved. 67
68.
• Para habilitar
la función, se ejecuta el comando: Router(config)# secure boot-image • Para almacenar una copia del bootset primaria en un lugar persistente, use el comando: Router(config)# secure boot-config R1(config)# secure boot-image R1(config)# secure boot-config © 2012 Cisco and/or its affiliates. All rights reserved. 68
69.
R1# show secure
bootset IOS resilience router id JMX0704L5GH IOS image resilience version 12.3 activated at 08:16:51 UTC Sun Jun 16 2005 Secure archive slot0:c3745-js2-mz type is image (elf) [] file size is 25469248 bytes, run size is 25634900 bytes Runnable image, entry point 0x80008000, run from ram IOS configuration resilience version 12.3 activated at 08:17:02 UTC Sun Jun 16 2002 Secure archive slot0:.runcfg-20020616-081702.ar type is config configuration archive size 1059 bytes © 2012 Cisco and/or its affiliates. All rights reserved. 69
70.
• Si el
router está en peligro, hay que volver a cargar para iniciar el proceso de recuperación. – Recarga no es siempre necesario, y puede depender de las circunstancias. Debe entrar en el modo ROMMON. • Utilice los comandos dir y boot para listar el contenido del dispositivo con bootset seguro y arrancar el router utilizando la imagen bootset seguro. rommon 1 > dir [filesystem:] boot [partition-number:][filename] • Luego use el comando secure boot-config restore para recuperar la startup-config asegurada Router(config)# secure boot-config [restore filename] © 2012 Cisco and/or its affiliates. All rights reserved. 70
71.
R1# erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm] [OK] Erase of nvram: complete R1# show startup-config startup-config is not present R1# reload System configuration has been modified. Save? [yes/no]: n Proceed with reload? [confirm] ... Router> enable Router# show secure bootset %IOS image and configuration resilience is not active © 2012 Cisco and/or its affiliates. All rights reserved. 71
72.
Router# config t
Router(config)# secure boot-config restore flash:archived-config ios resilience:configuration successfully restored as flash:archived-config Router(config)# ^C Router# configure replace flash:archived-config This will apply all necessary additions and deletions to replace the current running configuration with the contents of the specified configuration file, which is assumed to be a complete configuration, not a partial configuration. Enter Y if you are sure you want to proceed. ? [no]: y Total number of passes: 1 Rollback Done R1# copy run start © 2012 Cisco and/or its affiliates. All rights reserved. 72
73.
R1# format flash:
Format operation may take a while. Continue? [confirm] Format operation will destroy all data in "flash:". Continue? [confirm] Writing Monlib sectors... Monlib write complete Format: All system sectors written. OK... Format: Total sectors in formatted partition: 250848 Format: Total bytes in formatted partition: 128434176 Format: Operation completed successfully. Format of flash: complete R1# © 2012 Cisco and/or its affiliates. All rights reserved. 73
74.
• En el
caso de que el router esté en peligro o necesita ser recuperado de un mala contraseña, el administrador debe comprender los procedimientos de recuperación de contraseña. • Por razones de seguridad, la recuperación de contraseñas requiere que el administrador tiene acceso físico al router mediante un cable de consola © 2012 Cisco and/or its affiliates. All rights reserved. 76
75.
© 2012 Cisco
and/or its affiliates. All rights reserved. 77
76.
© 2012 Cisco
and/or its affiliates. All rights reserved. 78
77.
© 2012 Cisco
and/or its affiliates. All rights reserved. 79
78.
© 2012 Cisco
and/or its affiliates. All rights reserved. 80
79.
R1(config)# no service
password-recovery WARNING: Executing this command will disable password recovery mechanism. Do not execute this command without another plan for password recovery. Are you sure you want to continue? [yes/no]: yes R1(config) R1# sho run Building configuration... Current configuration : 836 bytes ! version 12.4 service timestamps debug datetime msec service timestamps log datetime msec service password-encryption no service password-recovery System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 2006 by cisco Systems, Inc. PLD version 0x10 GIO ASIC version 0x127 c1841 platform with 131072 Kbytes of main memory Main memory is configured to 64 bit mode with parity disabled PASSWORD RECOVERY FUNCTIONALITY IS DISABLED program load complete, entry point: 0x8000f000, size: 0xcb80 © 2012 Cisco and/or its affiliates. All rights reserved. 81
80.
Securing Management and Reporting Features © 2012
Cisco and/or its affiliates. All rights reserved. 82
81.
• Configuring logging
for a few devices is a fairly simple and straightforward operation. • Configuring logging for hundreds of devices can be very challenging. © 2012 Cisco and/or its affiliates. All rights reserved. 83
82.
• Information flow
between management hosts and the managed devices can take two paths. Out of Band (OOB): In-Band: • Information flows within a • Information flows across the network on which no enterprise production production traffic resides. network or the Internet (or both). © 2012 Cisco and/or its affiliates. All rights reserved. 84
83.
• Some questions
that must be considered when designing an in- band management solution: – Which management protocols does each device support? – Does the management channel need to be active at all times? – Is SNMP necessary? – Which are the most important logs? – How are important messages separated from routine notifications? – How do you prevent tampering with logs? – How do you make sure time stamps match? – What log data is needed in criminal investigations? – How do you deal with the volume of log messages? – How do you manage all the devices? – How can you track changes when attacks or network failures occur? © 2012 Cisco and/or its affiliates. All rights reserved. 85
84.
• Apply only
to devices needing to be managed or monitored. • Use IPsec when possible. • Use SSH or SSL instead of Telnet. • Decide whether the management channel needs to be open at all times. • Keep clocks on hosts and network devices synchronized. • Record changes and archive configurations. © 2012 Cisco and/or its affiliates. All rights reserved. 86
85.
• Provide highest
level of security and mitigate the risk of passing insecure management protocols over the production network. • Keep clocks on hosts and network devices synchronized. • Record changes and archive configurations. © 2012 Cisco and/or its affiliates. All rights reserved. 87
86.
• Routers should
be configured to send log messages to one or more of these: – Console – Terminal lines – Memory buffer – SNMP Server – Syslog Server © 2012 Cisco and/or its affiliates. All rights reserved. 88
87.
• Be aware
that the logging destination used affects system overhead. Most overhead – Logging to the console. – Logging to VTY. – Logging to a Syslog Server. – Logging to an internal buffer. Least overhead © 2012 Cisco and/or its affiliates. All rights reserved. 89
88.
• Syslog server:
– A host that accepts and processes log messages from one or more syslog clients. • Syslog client: – A host that generates log messages and forwards them to a syslog server. – Routers, switches, PIXs, ASAs, APs, servers, … © 2012 Cisco and/or its affiliates. All rights reserved. 90
89.
Highest Level
Lowest Level • By default, Severity level 7 (debugging) messages are sent to the router's console port (line con0). • Note: Level varies by platform and IOS release. © 2012 Cisco and/or its affiliates. All rights reserved. 91
90.
Level and Name
Definition Example Cisco IOS software could 0 LOG_EMERG A panic condition normally broadcast to all users not load A condition that should be corrected immediately, such as a 1 LOG_ALERT Temperature too high corrupted system database Unable to allocate 2 LOG_CRIT Critical conditions; for example, hard device errors memory 3 LOG_ERR Errors Invalid memory size 4 LOG_WARNING Warning messages Crypto operation failed Conditions that are not error conditions but should possibly be Interface changed state, 5 LOG_NOTICE addressed up or down 6 LOG_INFO Informational messages Packet denied by ACL Messages that contain information that is normally used only 7 LOG_DEBUG Packet type invalid when debugging © 2012 Cisco and/or its affiliates. All rights reserved. 92
91.
Time Stamp
Message Text Oct 29 10:00:01 EST: %SYS-5-CONFIG_I: Configured from console by vty0 (10.2.2.6) Log Message Name and Severity Level Note: The log message name is not the same as a severity level name. © 2012 Cisco and/or its affiliates. All rights reserved. 93
92.
1. Set the
destination logging host. – You can specify the IP address or the DNS name. Router(config)# logging host [host-name | ip-address] Parameter Description host-name The name of the host you want to use as a syslog server ip-address The IP address of the host you want to use as a syslog server © 2012 Cisco and/or its affiliates. All rights reserved. 94
93.
2. (Optional) Set
the log severity (trap) level. Router(config)# logging trap level Parameter Description Limits the logging of messages to the syslog servers to a specified level. level You can enter the level number (0 to 7) or level name. © 2012 Cisco and/or its affiliates. All rights reserved. 95
94.
3. (Optional) Set
the source interface. – Specifies that syslog packets contain the IP or IPv6 address of a particular interface, regardless of which interface the packet uses to exit the router. Router(config)# logging source-interface interface-type interface-number Parameter Description interface-type The interface type (for example, FastEthernet) interface-number The interface number (for example, 0/1) © 2012 Cisco and/or its affiliates. All rights reserved. 96
95.
4. Enable logging
– You can enable or disable logging individually: • [no] logging buffered • [no] logging monitor – However, if the no logging on command is configured, no messages will be sent to these destinations. Router(config)# logging on © 2012 Cisco and/or its affiliates. All rights reserved. 97
96.
Lo
0 R3 R3(config)# logging 10.2.2.6 R3(config)# logging trap informational R3(config)# logging source-interface loopback 0 R3(config)# logging on © 2012 Cisco and/or its affiliates. All rights reserved. 98
97.
• The VTY
monitoring option is the most practical method for viewing logging events in real time. • To view system messages over a VTY session (line vty 0 - 4), logging monitor must be configured. • To enable monitor logging, use the configuration command logging monitor [severity]. © 2012 Cisco and/or its affiliates. All rights reserved. 99
98.
• Hmmm …
I‟m Telnetted into a router and entered debug ip packet but don‟t see any output. Why? • You have to enter the enable exec command terminal monitor to activate logging and see console message output to the vty. © 2012 Cisco and/or its affiliates. All rights reserved. 100
99.
• Telnet from
another host and use the EXEC command terminal monitor to view the output. R3(config)# logging monitor R3(config)# logging monitor error © 2012 Cisco and/or its affiliates. All rights reserved. 101
100.
• It is
recommended to establish two VTY sessions: – One for displaying event reporting data. – The other for command execution. • Why? – Once terminal monitoring is enabled, it cannot be disabled on that VTY session. – A large amount of logging data can be generated, obscuring the VTY with logging output and making command entry quite difficult at times. © 2012 Cisco and/or its affiliates. All rights reserved. 102
101.
• The logging
synchronous line configuration command also affects the display of messages to the console. • When enabled, messages will appear only after the user types a carriage return. • Without the this command, console messages displayed can interfere with command line entry. © 2012 Cisco and/or its affiliates. All rights reserved. 103
102.
© 2012 Cisco
and/or its affiliates. All rights reserved. 104
103.
© 2012 Cisco
and/or its affiliates. All rights reserved. 105
104.
Configuring NTP © 2012
Cisco and/or its affiliates. All rights reserved. 106
105.
• “Time has
been invented in the universe so that everything would not happen at once.” – The NTP FAQ and HOWTO - http://www.ntp.org/ntpfaq/ • Many features in a computer network depend on time synchronization: – For accurate time information in syslog messages. – Certificate-based authentication in VPNs. – ACLs with time range configuration. © 2012 Cisco and/or its affiliates. All rights reserved. 107
106.
• The heart
of the router time service is the software-based system clock. – This clock keeps track of time from the moment the system starts. • The system clock can be set from a number of sources and can be used to distribute the current time through various mechanisms to other systems. – When a router with a system calendar is initialized or rebooted, the system clock is set based on the time in the internal battery-powered system calendar. • The system clock can then be set: – Manually using the set clock privileged EXEC command. – Automatically using the Network Time Protocol (NTP). • NTP is an Internet protocol used to synchronize the clocks of network connected devices to some time reference. – NTP is an Internet standard protocol currently at v3 and specified in RFC 1305. © 2012 Cisco and/or its affiliates. All rights reserved. 108
107.
• NTP is
designed to time-synchronize a network. – NTP runs over UDP. • An NTP network usually obtains the time from an authoritative time source, such as a radio clock or an atomic clock. – NTP then distributes this time across the network. – NTP is extremely efficient; no more than one packet per minute is necessary to synchronize two machines to within 1 mSec of one another. • Cisco devices support specifications for NTP v3 (RFC 1305). – NTP v4 is under development but NTP v3 is the Internet standard. • NTP services are enabled on all interfaces by default. – To disable NTP on a specific interface, use the ntp disable command in the interface configuration mode. © 2012 Cisco and/or its affiliates. All rights reserved. 109
108.
• To configure
a router as the authoritative time source, use the ntp master command in global configuration mode. • To configure a router as an NTP client, either: – Create an association to a server using the ntp server command. – Configure the router to listen to NTP broadcast packets using the ntp broadcast client command. © 2012 Cisco and/or its affiliates. All rights reserved. 110
109.
• Although the
router can be configured with either a peer or a server association, NTP clients are typically configured with a server association (meaning that only this system will synchronize to the other system, and not vice versa). • To allow the software clock to be synchronized by an NTP time server, use the ntp server command in global configuration mode. Router(config)# ntp server {ip-address | hostname} [version number] [key keyid] [source interface] [prefer] © 2012 Cisco and/or its affiliates. All rights reserved. 111
110.
• NTP broadcast
client: – In addition to or instead of creating unicast NTP associations, the system can be configured to listen to broadcast packets on an interface-by-interface basis. • To do this, use the ntp broadcast client command in interface configuration mode. Router(config-if)# ntp broadcast client © 2012 Cisco and/or its affiliates. All rights reserved. 112
111.
• The time
that a machine keeps is a critical resource, so the security features of NTP should be used to avoid the accidental or malicious setting of incorrect time. • Two mechanisms are available: – ACL-based restriction scheme – Encrypted authentication © 2012 Cisco and/or its affiliates. All rights reserved. 113
112.
Command
Description Enables the NTP authentication feature. If this command is specified, the system will not ntp authenticate synchronize to another system unless the other system‟s NTP messages carry one of the specified authentication keys. Defines an authentication key supported by using MD5. ntp authentication-key number The key type md5 is currently the only key type that md5 value this command supports. The key value can be any arbitrary string of up to eight characters. ntp trusted-key key-number Defines trusted authentication keys. © 2012 Cisco and/or its affiliates. All rights reserved. 114
113.
• Enable the
authentication feature. Router(config)# ntp authentication • Define the authentication key to be used for both peer and server associations. Router(config)# ntp authentication-key key-number md5 value • Define which key is to be trusted. Router(config)# ntp trusted-key key-number © 2012 Cisco and/or its affiliates. All rights reserved. 115
114.
209.165.201.1
209.165.200.225 Fa0/0 Fa0/1 R1 Internet R2 R3 R1(config)# ntp master 5 R1(config)# ntp authentication-key 1 md5 R1-SECRET R1(config)# ntp peer 209.165.200.225 key 1 R2(config)# ntp authentication-key 1 md5 R1-SECRET R2(config)# ntp authentication-key 2 md5 R2-SECRET R2(config)# ntp trusted-key 1 R2(config)# ntp server 209.165.201.1 R2(config)# interface Fastethernet0/0 R2(config-if)# ntp broadcast R3(config)# ntp authentication-key 1 md5 R2-SECRET R3(config)# ntp trusted-key 1 R3(config)# interface Fastethernet0/1 R3(config-if)# ntp broadcast client © 2012 Cisco and/or its affiliates. All rights reserved. 116
115.
Disabling Unused Cisco Router Network Services
and Interfaces © 2012 Cisco and/or its affiliates. All rights reserved. 117
116.
• Medium size
and large networks typically use a firewall appliance (PIX / ASA) behind the perimeter router, which adds security features and performs user authentication and more advanced packet filtering. • Firewall installations also facilitate the creation of Demilitarized Zones (DMZs), where the firewall „places‟ hosts that are commonly accessed from the Internet. © 2012 Cisco and/or its affiliates. All rights reserved. 118
117.
• As an
alternative, Cisco IOS software can incorporate many firewall features in the perimeter router. – Option is valid only for small-to-medium business perimeter security requirements. • However, Cisco IOS routers run many services that create potential vulnerabilities. – To secure an enterprise network, all unneeded router services and interfaces must be disabled. © 2012 Cisco and/or its affiliates. All rights reserved. 119
118.
Router Service
Description Default Best Practice • This service allows a router to act as a BOOTP Disable. BOOTP server server for other routers. Enabled no ip bootp server • If not required, disable this service. • CDP obtains information of neighboring Cisco Cisco Discovery devices. Disable if not required. Enabled Protocol (CDP) • If not required, disable this service globally or on a no cdp run per-interface basis. • Auto-loading of configuration files from a network Configuration auto- Disable if not required. server should remain disabled when not in use by Disabled loading no service config the router. • The FTP server enables you to use your router as an FTP server for FTP client requests. Disable if not required. FTP server • Because this server allows access to certain files in Disabled Otherwise encrypt traffic the router Flash memory, this service should be within an IPsec tunnel. disabled when not required. Disable if not required. TFTP server • Same as FTP. Disabled Otherwise encrypt traffic within an IPsec tunnel. • When enabled, the router acts as a time server for other network devices. Disable if not required. • If configured insecurely, NTP can be used to Network Time Protocol Otherwise configure NTPv3 corrupt the router clock and potentially the clock of Disabled (NTP) service and control access between other devices that learn time from the router. permitted devices using ACLs. • If this service is used, restrict which devices have access to NTP. © 2012 Cisco and/or its affiliates. All rights reserved. 120
119.
Router Service
Description Default Best Practice Packet assembler • The PAD service allows access to X.25 PAD and disassembler Enabled Disable if not required. commands when forwarding X.25 packets. (PAD) service Disable if not required. • The minor services are provided by small Enabled no service tcp- TCP and UDP minor servers (daemons) that run in the router. The (pre 11.3) small-servers services services are potentially useful for diagnostics, Disabled no service udp- but are rarely used. (11.3+) small-servers Maintenance • MOP is a Digital Equipment Corporation (DEC) Disable explicitly if not Operation Protocol maintenance protocol that should be explicitly Enabled required. (MOP) service disabled when not in use. © 2012 Cisco and/or its affiliates. All rights reserved. 121
120.
Service
Description Default Best Practice • The SNMP service allows the router to respond to remote SNMP queries and configuration requests. Simple Network Disable the service. • If required, restrict which SNMP systems have Management Enabled Otherwise configure access to the router SNMP agent and use Protocol (SNMP) SNMPv3. SNMPv3 whenever possible because version 3 offers secure communication that is not available in earlier versions of SNMP. • This service allows the router to be monitored or have the router configuration modified from a web browser via an application such as the Disable if not required. HTTP configuration Cisco Security Device Manager (SDM). You Device Otherwise restrict access and monitoring should disable this service if the service is not dependent using ACLs. required. If this service is required, restrict no ip http server access to the router HTTP service by using access control lists (ACLs). • By default, Cisco routers broadcast name Disable if not required. requests to 255.255.255.255. Otherwise explicitly • Restrict this service by disabling DNS when the Client Domain Name configure the DNS server service is not required. Service – System (DNS) address. • If the DNS lookup service is required, make Enabled no ip domain-lookup sure that you set the DNS server address no ip name-server explicitly. © 2012 Cisco and/or its affiliates. All rights reserved. 122
121.
Path Integrity
Description Default Best Practice Mechanisms • ICMP redirects cause the router to send ICMP redirect messages whenever the router is forced to resend a packet through the same ICMP redirects Enabled Disable the service. interface on which the packet was received. • This information can be used by attackers to redirect packets to an untrusted device. • The IP protocol supports source routing options that allow the sender of an IP datagram to control the route that a datagram will take toward the datagram‟s ultimate destination, and generally the route that any reply will take. • These options can be exploited by an attacker Disable if not required. IP source routing to bypass the intended routing path and Enabled no ip source-route security of the network. • Also, some older IP implementations do not process source-routed packets properly, and hackers may be able to crash machines that run these implementations by sending datagrams with source routing options. © 2012 Cisco and/or its affiliates. All rights reserved. 123
122.
Probes and Scan
Description Default Best Practice Features • The finger protocol (port 79) can obtain a list of the users who are currently logged into a Disable if not required. Finger service device. Enabled no ip finger • Unauthorized persons can use this information no service finger for reconnaissance attacks. • ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Cisco routers automatically send ICMP messages. • Attackers commonly use three ICMP ICMP unreachable messages: Disable explicitly on • Host unreachable Enabled notifications untrusted interfaces. • Redirect • Mask Reply • Automatic generation of these messages should be disabled on all interfaces, especially interfaces that are connected to untrusted networks. • When enabled, this service tells the router to respond to ICMP mask requests by sending ICMP mask reply messages that contain the Disable explicitly on ICMP mask reply Disabled interface IP address mask. untrusted interfaces. • This information can be used to map the network © 2012 Cisco and/or its affiliates. All rights reserved. 124
123.
Terminal Access
Description Default Best Practice Security • The identification protocol (specified in RFC 1413) reports the identity of a TCP connection IP identification initiator to the receiving host. Enabled Disable. service • This data can be used by an attacker to gather information about your network • TCP keepalives help “clean up” TCP connections where a remote host has rebooted or otherwise stopped processing TCP traffic. TCP Keepalives Disabled Enable. • Keepalives should be enabled globally to manage TCP connections and prevent certain DoS attacks. © 2012 Cisco and/or its affiliates. All rights reserved. 125
124.
Terminal Access
Description Default Best Practice Security • Gratuitous ARP is the main mechanism that Gratuitous ARP Enabled Disable if not required. hackers use in ARP poisoning attacks. • Proxy ARP enables a Cisco router to act as an intermediary for ARP, responding to ARP queries on selected interfaces and thus enabling transparent access between multiple Proxy ARP LAN segments. Enabled Disable if not required. • Proxy ARP should be used only between two LAN segments at the same trust level, and only when absolutely necessary to support legacy network architectures. © 2012 Cisco and/or its affiliates. All rights reserved. 126
125.
IP Directed
Description Default Best Practice Broadcasts • IP directed broadcasts are used in the common and popular smurf DoS attack and other related attacks. Enabled • Directed broadcasts permit a host on one LAN IP Directed (pre 12.0) segment to initiate a physical broadcast on a Disable if not required. Broadcasts Disabled different LAN segment. (12.0+) • This technique was used in some old DoS attacks, and the default Cisco IOS configuration is to reject directed broadcasts. © 2012 Cisco and/or its affiliates. All rights reserved. 127
126.
•Router(config)#
no ip bootp server •Router(config)# no cdp run •Router(config)# no ip source-route •Router(config)# no ip classless •Router(config)# no service tcp-small-servers •Router(config)# no service udp-small-servers •Router(config)# no ip finger •Router(config)# no service finger •Router(config)# no ip http server •Router(config)# no ip name-server •Router(config)# no boot network •Router(config)# no service config © 2012 Cisco and/or its affiliates. All rights reserved. 128
127.
• By default,
a Cisco router will make an attempt to route almost any IP packet. – If a packet arrives addressed to a subnet of a network with no default network route, then IOS will use IP classless routing to forward the packet along the best available route. • This feature is often not needed therefore on routers where IP classless routing is not needed. Disable it using the no ip classless command. © 2012 Cisco and/or its affiliates. All rights reserved. 129
128.
• Use only
static routes: – Works well in small networks. – Unsuitable for large networks. • Authenticate route table updates: – Configure routing authentication. – Authenticated router updates ensure that the update messages come from legitimate sources. © 2012 Cisco and/or its affiliates. All rights reserved. 130
129.
• Configure the
passive-interface command to prevent hackers from learning about the existence of certain routes or routing protocols used. © 2012 Cisco and/or its affiliates. All rights reserved. 131
130.
• Attackers can
exploit unused router services and interfaces. • Administrators do not need to know how to exploit the services, but they should know how to disable them. • It is tedious to disable the services individually. • An automated method is needed to speed up the hardening process. © 2012 Cisco and/or its affiliates. All rights reserved. 132
131.
• The AutoSecure
feature was released in Cisco IOS Release 12.3. • AutoSecure is a single privileged EXEC program that allows elimination of many potential security threats quickly and easily. – AutoSecure helps to make you more efficient at securing Cisco routers. • AutoSecure allows two modes of operation: – Interactive mode: Prompts to choose the way you want to configure router services and other security-related features. – Noninteractive mode: Configures security-related features on your router based on a set of Cisco defaults. © 2012 Cisco and/or its affiliates. All rights reserved. 133
132.
• Management plane
services and functions: – Finger, PAD, UDP and TCP small servers, password encryption, TCP keepalives, CDP, BOOTP, HTTP, source routing, gratuitous ARP, proxy ARP, ICMP (redirects, mask-replies), directed broadcast, MOP, banner – password security and SSH access • Forwarding plane services and functions: – CEF, traffic filtering with ACLs • Firewall services and functions: – Cisco IOS Firewall inspection for common protocols • Login functions: – Password security • NTP protocol • SSH access • TCP Intercept services © 2012 Cisco and/or its affiliates. All rights reserved. 134
133.
• If AutoSecure
fails to complete its operation, the running configuration may be corrupt: – In Cisco IOS Release 12.3(8)T and later releases a pre-AutoSecure configuration snapshot is stored in the flash under filename pre_autosec.cfg. – Rollback reverts the router to the router‟s pre-autosecure configuration using the configure replace flash:pre_autosec.cfg command. – If the router is using software prior to Cisco IOS Release 12.3(8)T, the running configuration should be saved before running AutoSecure. © 2012 Cisco and/or its affiliates. All rights reserved. 135
134.
• Cisco AutoSecure
Interactive Steps: – Step 1 – Identify outside interfaces. – Step 2 – Secure the management plane. – Step 3 – Create the security banner. – Step 4 – Configure passwords, AAA, and SSH. – Step 5 – Secure the forwarding plane. Router# auto secure [management | forwarding] [no-interact | full] [ntp | login | ssh | firewall | tcp-intercept] © 2012 Cisco and/or its affiliates. All rights reserved. 136
Jetzt herunterladen