Cisco® CCNA Security Exam Notes : Security On Cisco Routers


Go to latest CCNA Exam Cram

4. Secure Routing and Switching

4.1 Security on Cisco routers

Multiple Privilege levels

When you connect to a Cisco router, you will be provided with user mode privilege level. It has lowest priority, 0. After entering the privilege mode (by providing appropriate credentials), you will be moved to privilege level 15 (the highest available privilege level). In between, you can configure privilege levels 1 through 14. In enterprise environment, having different privilege levels are useful, so that users may be provided with required command sets to perform their duties, nothing less or nothing more.

Cisco IOS role-based CLI access

Similar to making different commands available to different admins using privilege levels, role-based command-line interface (CLI) views can be used to provide different sets of configuration information to different administrators. However, unlike making commands available via privilege levels, using role-based CLI views you can control precisely the commands that an administrator has access to.

Cisco Security Agent (CSA): CSA is an application that provides IPS services on a host. Therefore, CSA is called a Host-based Intrusion Prevention System (HIPS) application.

Security Device Manager (SDM): Cisco SDM provides a graphical interface for configuring a variety of security features (for example, IPS, IPsec site-to-site VPN, and firewall features). It also provides features of configuring routers.

The Cisco Secure Access Control Server (ACS) application provides an authentication, authorization, and accounting (AAA) function.

Implement Cisco IOS re-silent configuration:

Given below are the recommended practices for choosing passwords:

1. Passwords are at least 10 characters long

2. Does not contain any dictionary words

3. Create a policy as to how and when a password be changed

4. A password should contain alphabets (caps and small letters), numerics, and special characters. In IOS, space is a valid special character. Leading spaces in password are ignored.

Strong Password: A strong password will typically have at least 8 characters long, and consists of numerals, characters, and special characters. The purpose is to make guessing more difficult for the attacker. It is bad idea to use dictionary terms, or just alpha numeric characters.

To configure the console password and secret password follow below instructions

Step 1 : Enter global configuration mode

R1#configure terminal

Step 2 : Set the enable password to "certexam"

R1(config)#enable password certexam

Step 3: Set the enable secret to "certtest"

R1(config)#enable secret certtest

Step 4 : Set the console password to "certtest" for line console 0

R1(config)#line console 0
R1(config-line)#password certtest

To set the vty password for lines 0 to 4 follow below instructions

Step 1 : Enter global configuration mode

R1#configure terminal

Step 2 : Set the telnet access password to "certexam" for line vty 0-4, this will enable remote users to telnet into vty ports 0-4

R1(config)#line vty 0 4
R1(config-line)#password certexam

The following are the IOS based security features:

  • Stateful inspection - Performs stateful inspection using Context Based Access Control (CBAC).
  • Virtual Private Networks (VPN) - Provides tunnels for virtual private communication.
  • Intruder Prevention System (IPS) - Cisco IOS may be configured to detect an attacker and prevent him from proceeding further, and report the same.
  • VPN Routing and Forwarding - aware Firewall - A VRF-aware firewall maintains a separate routing and forwarding table for each VPN,

Most of the Integrated Services Routers contain one or more USB drives, which may be used for digital signatures, IOS image updates, and backing up configuration files.

Integrated Services Modules support various modules to facilitate faster response times, and off-load work from the router's processor and memory. These include the following:

  • Cisco HWIC-AP: An IEEE 802.11 wireless module supporting a variety of wireless standards.
  • Cisco IDS Network Module: Includes a hard drive containing multiple signatures of well-known attacks. Used to detect and subsequently prevent malicious traffic.
  • Cisco Content Engine: Includes a hard drive for caching web content.
  • Cisco Network Analysis Module (NAM): Provides a detailed analysis of traffic flow.
  • AIM-VPN - Several models available, used for VPN processing and relieves router processor off VPN processing load.

There are several methods that Cisco recommends for securing management plane. These include the following:

  • Passwords - At the very least, network admins can secure the network devices using hard to guess passwords.
  • User Authentication using AAA - One disadvantage of using just passwords is that it is not possible to know who had accessed a network device. By using username and password combination, admins can keep track of who had logged in. The user authentication services may be provided by AAA (Authentication, Authorization, and Accounting) server.
  • Role Based Access Control (RBAC) - Role-based access control (RBAC) is a method of regulating access to computer or network devices based on the roles of individual users within an enterprise. In this context, access is the ability of an individual user to perform a specific task, such as view, create, or modify a file. you can control this through AAA and custom privilege levels/parser views.
  • Encrypted management protocols - You can use secure protocols, such as https (instead of http), and ssh for securely communicating to the network device.
  • Secure system files - By securing IOS images, and configuration files, you make it difficult to delete or modify those files by the attacker.
  • Logging - Logging ensures that events are recorded for future analysis. Different types of logging include a) commands logging, b) system events logging, c) error messages logging, etc.
  • Network Time Protocol (NTP) - NTP enables to maintain proper time stamps and keep all devices in time sync. It makes logging messages more trust worthy.

The following two commands are used to secure boot image, and boot configuration on an IOS router:

Router1(config)#secure boot-image

! Secure the startup-config

Router1(config)#secure boot-config


The following command may be used to verify the boots set:
! Verify the bootset

Router1(config)# do show secure bootset

Displays the status of configuration resilience and the primary bootset filename

Previous   Contents   Next