Network Security
Network Security Fundamentals
Defense-in-Depth
If you want to be proactive (and you should) by adopting a defensive posture for your network, you must first secure devices including routers, switches, servers, and hosts. This can be done by employing a defense-in-depth approach (also known as a layered approach) to security, which requires a combination of networking devices and services.
In the figure below, several security devices and services have been implemented to protect the network's users and assets against TCP/IP threats. All network devices, including the router and switches, are also hardened, as indicated by the combination locks on their respective icons.
Security devices and services implemented to protect a network may include:
VPN - In this network, a router provides a secure VPN connection to the network for remote users.
ASA Firewall - The Adaptive Security Appliance (ASA) firewall is a dedicated stateful firewall. It allows traffic initiated from inside the network to go out and the matching return traffic to come back in, while traffic initiated from outside the network cannot reach inside hosts.
IPS - An Intrusion Prevention System monitors all traffic in the network, actively looking for malware, network attack signatures, and more. If it recognizes a threat, it can immediately stop it.
ESA/WSA - The email security appliance (ESA) filters spam and suspicious emails. The web security appliance (WSA) filters known and suspicious internet malware sites.
AAA Server - This server contains a secure database of who is authorized to access and manage network devices. Network devices authenticate administrative users using this database.
Device Password Security
Passwords
To protect network devices, it is important to use strong passwords. Here are standard guidelines to follow:
Use a password length of at least eight characters, preferably 10 or more characters. A longer password is a more secure password.
Make passwords complex. Include a mix of uppercase and lowercase letters, numbers, symbols, and spaces, if allowed.
Avoid passwords based on repetition, common dictionary words, letter or number sequences, usernames, relative or pet names, biographical information, such as birthdates, ID numbers, ancestor names, or other easily identifiable pieces of information.
Deliberately misspell a password. For example, Smith = Smyth = 5mYth or Security = 5ecur1ty.
Change passwords often. If a password is unknowingly compromised, the window of opportunity for the threat actor to use the password is limited.
Do not write passwords down and leave them in obvious places such as on the desk or monitor.
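The guidelines above can be checked mechanically. The following Python checker is an added example, not part of the original course material: it tests a candidate password against each guideline (minimum and preferred length, character-class mix, common dictionary words, personal terms supplied by the caller such as a username or birth year, ascending or descending sequences and keyboard walks, and repeated characters or patterns). COMMON_WORDS is a constructed stand-in for a real dictionary file, and the sample candidates are constructed too.

```python
"""Check a candidate password against the password guidelines listed above.
Added example, not part of the course material; COMMON_WORDS is a constructed
stand-in for a real dictionary file."""
import string

COMMON_WORDS = {"password", "security", "welcome", "cisco", "admin", "letmein", "summer"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def character_classes(pw):
    """Count the classes used: uppercase, lowercase, digit, symbol or space (max 4)."""
    return sum([any(c.isupper() for c in pw), any(c.islower() for c in pw),
                any(c.isdigit() for c in pw),
                any(c in string.punctuation or c == " " for c in pw)])


def has_sequence(pw, run=4):
    """True if `run` consecutive letters/digits ascend or descend (abcd, 4321)."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        if chunk.isalnum() and {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])} in ({1}, {-1}):
            return True
    return False


def has_keyboard_walk(pw, run=4):
    """True if `run` adjacent keys from one keyboard row appear in order (qwer, lkjh)."""
    s = pw.lower()
    return any(cand[i:i + run] in s
               for row in KEYBOARD_ROWS for cand in (row, row[::-1])
               for i in range(len(cand) - run + 1))


def has_repetition(pw, run=3):
    """True for one character repeated `run`+ times (sss) or a 2-4 character
    block repeated back to back (abab, 123123, ab12ab12)."""
    s = pw.lower()
    if any(len(set(s[i:i + run])) == 1 for i in range(len(s) - run + 1)):
        return True
    return any(s[i:i + size] == s[i + size:i + 2 * size]
               for size in (2, 3, 4) for i in range(len(s) - 2 * size + 1))


def evaluate(pw, personal_terms=()):
    """Return the list of guideline violations; an empty list means the password passes."""
    problems, low = [], pw.lower()
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    elif len(pw) < 10:
        problems.append("shorter than the preferred 10 characters")
    if character_classes(pw) < 3:
        problems.append("uses fewer than three character classes")
    words = sorted(w for w in COMMON_WORDS if w in low)
    if words:
        problems.append("contains common word(s): " + ", ".join(words))
    hits = [t for t in personal_terms if t and t.lower() in low]   # username, pet, birth year...
    if hits:
        problems.append("contains personal information: " + ", ".join(hits))
    if has_sequence(pw) or has_keyboard_walk(pw):
        problems.append("contains a letter/number sequence or keyboard walk")
    if has_repetition(pw):
        problems.append("contains repeated characters or patterns")
    return problems


if __name__ == "__main__":
    # Constructed candidates: a default-style password, a name plus birth year,
    # and the misspelled "5ecur1ty" from the text extended with a symbol and capital.
    for candidate in ("cisco123", "Smith1985", "5ecur1ty!Ab"):
        print(candidate, "->", evaluate(candidate, personal_terms=["Smith", "1985"]) or "OK")
```

evaluate() returns an empty list when a password clears every guideline, which is the result for the extended misspelling example; the two other constructed candidates each fail on length, character mix, common words or personal information.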
Additional Password Security
Strong passwords are only useful if they are secret. There are several steps that can be taken to help ensure that passwords remain secret on Cisco routers and switches, including these:
Encrypting all plaintext passwords
Setting a minimum acceptable password length
Deterring brute-force password guessing attacks
Disabling inactive privileged EXEC mode access after a specified amount of time.
As shown in the sample configuration in the figure below, the service password-encryption global configuration command prevents unauthorized individuals from viewing plaintext passwords in the configuration file. This command encrypts all plaintext passwords. Notice in the example that the password "cisco123" has been encrypted as "0822455D0A16544541".
To ensure that all configured passwords are a minimum of a specified length, use the security passwords min-length length# command in global configuration mode. In the figure, any new password configured would have to have a minimum length of eight characters.
Threat actors may use password cracking software to conduct a brute-force attack on a network device. This attack continuously attempts to guess the valid passwords until one works. Use the login block-for # attempts # within # global configuration command to deter this type of attack. In the figure for example, the login block-for 120 attempts 3 within 60 command will block vty login attempts for 120 seconds if there are three failed login attempts within 60 seconds.
Network administrators can become distracted and accidentally leave a privileged EXEC mode session open on a terminal. This could give an internal threat actor the opportunity to change or erase the device configuration.
By default, Cisco routers will log out an EXEC session after 10 minutes of inactivity. However, you can reduce this setting using the exec-timeout minutes seconds line configuration command. This command can be applied on console, auxiliary, and vty lines. In the figure, we are telling the Cisco device to automatically disconnect an inactive user on a vty line after the user has been idle for 5 minutes and 30 seconds.
Improved Passwords Using Enable Secret Command
Unfortunately, the service password-encryption command does not protect the passwords very well. Armed with the encrypted value, anyone can search the Internet and find sites with tools to decrypt these passwords. In fact, if you look at the output of do show running-config | section enable, take the encrypted password from the enable password command in this example, "08740D1B0A49440426035F5C797E73", and plug it into one of those sites, it decrypts to "5!5c0!sTh38357", the clear text. So, the service password-encryption command will slow down the curious, but it will not stop a knowledgeable attacker. On the other hand, take the result of the Cisco enable secret command ($1$mERr$302UhrGcbxQffs.llxp3G0) and try to decrypt it: it cannot be reversed, because the enable secret command protects the password value by never storing the clear-text password in the configuration; only a hash of it is stored.
Enable SSH
To configure a Cisco device to support SSH, use the following six steps:
Step 1. Configure a unique device hostname. A device must have a unique hostname other than the default.
Step 2. Configure the IP domain name. Configure the IP domain name of the network by using the global configuration mode command ip domain-name name.
Step 3. Generate a key to encrypt SSH traffic. SSH encrypts traffic between source and destination. However, to do so, a unique authentication key must be generated by using the global configuration command crypto key generate rsa general-keys modulus bits#. The modulus value determines the size of the key and can be configured from 360 bits to 2048 bits. The larger the bit value, the more secure the key. However, larger bit values also take longer to encrypt and decrypt information. The minimum recommended modulus length is 1024 bits.
Step 4. Verify or create a local database entry. Create a local database username entry using the username global configuration command. In the example, the parameter secret is used so that the password is hashed using MD5 rather than stored in clear text.
Step 5. Authenticate against the local database. Use the login local line configuration command to authenticate the vty line against the local database.
Step 6. Enable vty inbound SSH sessions. By default, no input session is allowed on vty lines. You can specify multiple input protocols including Telnet and SSH using the transport input {ssh | telnet} command.
As shown in the example, router R1 is configured with the bitsinthewire.com domain. This information is used along with the bit value specified in the crypto key generate rsa general-keys modulus command to create an encryption key. Next, a local database entry for a user named Hector is created. Finally, the vty lines are configured to authenticate against the local database and to only accept incoming SSH sessions.
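Putting the password-hardening commands from the previous section and the six SSH steps together, the Python script below audits a saved running-config for them: a non-default hostname, ip domain-name, a username with a hashed secret, login local, transport input ssh, service password-encryption, security passwords min-length, login block-for, a shortened exec-timeout, and enable secret in place of a plaintext (type 0) or reversible (type 7) password. It is an added example, not Cisco code and not the figure the text refers to. Both configurations it runs against are constructed here (the type 7 and type 5 enable strings are the ones quoted above; the username hash is a placeholder). The RSA key pair from step 3 does not appear in the running configuration, so the script does not check it.

```python
"""Audit a Cisco IOS running-config for the hardening items discussed above. Added
example, not Cisco code; both configs are constructed (the type 7 and type 5 enable
strings are those quoted in the text, the username hash is a placeholder)."""
import re

DEFAULT_EXEC_TIMEOUT_SEC = 10 * 60   # IOS default: 10 minutes of inactivity
# enable / username / line passwords, with an optional encryption-type digit
PASSWORD_RE = re.compile(r"^(?:enable |username \S+ )?password(?: (?P<type>\d+))? \S+$")
REQUIRED_GLOBALS = [   # (command prefix, finding reported when it is absent)
    ("ip domain-name ", "no ip domain-name configured (SSH step 2)"),
    ("service password-encryption", "service password-encryption is not enabled"),
    ("login block-for ", "no login block-for: brute-force guessing is not deterred"),
    ("enable secret ", "no enable secret: privileged EXEC relies on a reversible password"),
]

EXAMPLE_CONFIG = """\
hostname R1
service password-encryption
security passwords min-length 8
login block-for 120 attempts 3 within 60
ip domain-name bitsinthewire.com
enable password 7 08740D1B0A49440426035F5C797E73
enable secret 5 $1$mERr$302UhrGcbxQffs.llxp3G0
username Hector secret 5 $1$PLACEHOLDER$notarealhash
line con 0
 password 7 0822455D0A16544541
 exec-timeout 5 30
line vty 0 4
 login local
 transport input ssh
 exec-timeout 5 30
"""
WEAK_CONFIG = """\
hostname Router
enable password cisco123
line vty 0 4
 password cisco
 login
 transport input telnet ssh
"""


def parse_config(text):
    """Return (global_cmds, sections); sections maps each 'line ...' header to its children."""
    global_cmds, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):                      # indented: child of the current section
            if current is not None:
                sections[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, sections


def exec_timeout_seconds(cmd):
    """'exec-timeout M [S]' in seconds; '0 0' disables the timeout (treated as infinite)."""
    parts = cmd.split()[1:]
    total = int(parts[0]) * 60 + (int(parts[1]) if len(parts) > 1 else 0)
    return float("inf") if total == 0 else total


def password_storage_finding(cmd, where):
    """Flag type 0 (plaintext) and type 7 (reversible) passwords; hashed types (5, 8, 9) pass."""
    m = PASSWORD_RE.match(cmd)
    if not m:
        return None
    ptype = m.group("type") or "0"               # no type digit means plaintext
    kind = "plaintext (type 0)" if ptype == "0" else "reversible type 7" if ptype == "7" else None
    return f"{where}: {kind} password in '{cmd}'; store a hashed secret instead" if kind else None


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    g, sections = parse_config(text)
    findings = []
    host = next((c.split(None, 1)[1] for c in g if c.startswith("hostname ")), None)
    if host is None or host in {"Router", "Switch"}:
        findings.append("hostname is missing or still a default name (SSH step 1)")
    findings += [msg for prefix, msg in REQUIRED_GLOBALS if not any(c.startswith(prefix) for c in g)]
    if not any(re.match(r"username \S+ secret ", c) for c in g):
        findings.append("no local username with a hashed secret (SSH step 4)")
    minlen = [int(c.split()[-1]) for c in g if c.startswith("security passwords min-length ")]
    if not minlen or minlen[0] < 8:
        findings.append("security passwords min-length is unset or below 8")
    findings += [f for f in (password_storage_finding(c, "global") for c in g) if f]
    for name, cmds in sections.items():
        findings += [f for f in (password_storage_finding(c, name) for c in cmds) if f]
        timeout = next((c for c in cmds if c.startswith("exec-timeout ")), None)
        if timeout is None or exec_timeout_seconds(timeout) >= DEFAULT_EXEC_TIMEOUT_SEC:
            findings.append(f"{name}: exec-timeout not shortened below the 10-minute default")
        if name.startswith("line vty"):
            if "login local" not in cmds:
                findings.append(f"{name}: not authenticating against the local database (SSH step 5)")
            if [c for c in cmds if c.startswith("transport input")] != ["transport input ssh"]:
                findings.append(f"{name}: transport input is not restricted to ssh (SSH step 6)")
    return findings
```

audit() returns one string per finding. On the first configuration it reports only the two leftover type 7 passwords (the enable password and the console line password), which is exactly the weakness the enable secret discussion above describes; the second configuration fails nearly every check, including the vty line still accepting Telnet.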