RETIRED! Exam
Multiple Privilege levels
When you connect to a Cisco router, you are placed in user mode, which has the lowest privilege level, 0. After entering privileged mode (by providing the appropriate credentials), you are moved to privilege level 15, the highest available privilege level. In between, you can configure privilege levels 1 through 14. In an enterprise environment, different privilege levels are useful so that each user can be given exactly the command set required to perform their duties, nothing less and nothing more.
Cisco IOS role-based CLI access
Like privilege levels, which make different commands available to different administrators, role-based command-line interface (CLI) views can be used to give different administrators different sets of configuration information. Unlike privilege levels, however, role-based CLI views let you control precisely which commands an administrator has access to.
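As an added example (not part of the original notes), the following IOS session configures both mechanisms side by side: a custom privilege level 5 for a help-desk operator who may only view the configuration and bounce an interface, and a role-based CLI view named MONITOR that exposes exactly two show commands. The hostname R1, the usernames, the view name and all passwords are assumed values.

```cisco
! Part 1: privilege level 5 - operator may see the config and shut/no shut an interface
R1#configure terminal
R1(config)#enable secret level 5 L5-0perator-Pa55
R1(config)#privilege exec level 5 show running-config
R1(config)#privilege exec level 5 configure terminal
R1(config)#privilege configure level 5 interface
R1(config)#privilege interface level 5 shutdown
R1(config)#privilege interface level 5 no shutdown
! Local user that lands directly at level 5 (no "enable 5" needed)
R1(config)#username helpdesk privilege 5 secret He1pdesk-Pa55
!
! Part 2: role-based CLI view - requires AAA and is created from the root view
R1(config)#aaa new-model
R1(config)#aaa authentication login default local
R1(config)#enable secret R00t-Enable-Pa55
R1(config)#end
R1#enable view
Password: <the enable secret, not echoed>
R1#configure terminal
R1(config)#parser view MONITOR
R1(config-view)#secret 0 M0nitor-View-Pa55
R1(config-view)#commands exec include show interfaces
R1(config-view)#commands exec include show ip route
R1(config-view)#exit
! Bind a local user to the view so the login lands in MONITOR directly
R1(config)#username monitor view MONITOR secret M0nitor-User-Pa55
R1(config)#line vty 0 4
R1(config-line)#login authentication default
R1(config-line)#end
!
! Checks, run from the operator's own session after logging in:
R1#show privilege
Current privilege level is 5
R1#show parser view
Current view is 'MONITOR'
```

Two points worth verifying after applying this: at level 5, `show running-config` displays only the lines whose privilege level is 5 or lower, so the operator never sees level-15 secrets; and a user in the MONITOR view receives "% Invalid input" for every command outside the two included ones, including `configure terminal`, which is the precision the privilege-level approach cannot give.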
Cisco Security Agent (CSA): CSA is an application that provides IPS services on a host; it is therefore called a Host-based Intrusion Prevention System (HIPS) application.
Security Device Manager (SDM): Cisco SDM provides a graphical interface for configuring a variety of security features (for example, IPS, IPsec site-to-site VPN, and firewall features) as well as general router configuration.
The Cisco Secure Access Control Server (ACS) application provides an authentication, authorization, and accounting (AAA) function.
Implement Cisco IOS resilient configuration:
The recommended practices for choosing passwords are:
1. Passwords are at least 10 characters long.
2. Passwords do not contain any dictionary words.
3. A policy defines how and when a password must be changed.
4. A password should contain letters (upper and lower case), numerals, and special characters. In IOS, a space is a valid special character, but leading spaces in a password are ignored.
Strong Password: A strong password is typically at least 8 characters long and consists of numerals, letters, and special characters. The purpose is to make guessing harder for an attacker. It is a bad idea to use dictionary terms or only alphanumeric characters.
To configure the enable password, enable secret and console password, follow the steps below:
Step 1: Enter global configuration mode
R1>enable
R1#configure terminal
Step 2: Set the enable password to "certexam"
R1(config)#enable password certexam
Step 3: Set the enable secret to "certtest"
R1(config)#enable secret certtest
Step 4: Set the console password to "certtest" for line console 0
R1(config)#line console 0
R1(config-line)#login
R1(config-line)#password certtest
To set the vty password for lines 0 to 4, follow the steps below:
Step 1: Enter global configuration mode
R1>enable
R1#configure terminal
Step 2: Set the Telnet access password to "certexam" for lines vty 0 through 4; this allows remote users to telnet into vty lines 0-4
R1(config)#line vty 0 4
R1(config-line)#login
R1(config-line)#password certexam
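The password practices listed above and the console/vty procedures can be enforced by the router itself rather than left to discipline. The following IOS configuration is an added example, not part of the original notes: it sets a minimum password length, stores secrets with scrypt instead of the reversible type 7 encryption, throttles password guessing on the lines, and moves console and vty access to local user accounts over SSH. The hostname R1, the user name, the domain name and the passwords are assumed values, and the `algorithm-type scrypt` keyword assumes an IOS release that supports type 9 secrets (15.3(3)M or later).

```cisco
! Enforce the policy: every later password, secret or line password shorter than 10 characters is rejected
R1(config)#security passwords min-length 10
! Type 7 obfuscation for any remaining plain-text line passwords (weak, but better than clear text)
R1(config)#service password-encryption
! Type 9 (scrypt) secrets for enable and for the local user database
R1(config)#enable algorithm-type scrypt secret Adm1n-En@ble-2024
R1(config)#username netadmin privilege 15 algorithm-type scrypt secret Net@dm1n-2024
! After 3 failed logins within 60 s, refuse further logins for 120 s, and log both outcomes
R1(config)#login block-for 120 attempts 3 within 60
R1(config)#login on-failure log
R1(config)#login on-success log
!
! Console: authenticate against the local user database, 5-minute idle timeout
R1(config)#line console 0
R1(config-line)#login local
R1(config-line)#exec-timeout 5 0
R1(config-line)#logging synchronous
R1(config-line)#exit
!
! vty: local users, SSH only (Telnet carries the password in clear text), 5-minute idle timeout
R1(config)#ip domain-name example.test
R1(config)#crypto key generate rsa modulus 2048
R1(config)#ip ssh version 2
R1(config)#line vty 0 4
R1(config-line)#login local
R1(config-line)#transport input ssh
R1(config-line)#exec-timeout 5 0
R1(config-line)#end
!
! Check: with min-length 10 in force, the 8-character "certexam" from the notes above is refused
R1#configure terminal
R1(config)#enable password certexam
```

Two caveats a practitioner would want: when both `enable password` and `enable secret` are configured, the secret is the one that is used, so the weaker `enable password` is dead weight and is best removed; and `security passwords min-length` only checks passwords entered after it is configured, so existing short passwords must be reset by hand.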
The following are the IOS-based security features:
Most Integrated Services Routers contain one or more USB drives, which may be used for digital signatures, IOS image updates, and backing up configuration files.
Integrated Services Routers support various modules that speed up response times and off-load work from the router's processor and memory. These include the following:
Cisco recommends several methods for securing the management plane. These include the following:
The following two commands secure the boot image and the boot configuration on an IOS router:
! Secure the IOS image
Router1(config)#secure boot-image
! Secure the startup-config
Router1(config)#secure boot-config
[flash:.runcfg-20111234-230123.ar]
The following command verifies the bootset:
! Verify the bootset
Router1(config)# do show secure bootset
It displays the status of configuration resilience and the primary bootset filename.
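The commands above enable the feature; what the notes do not show is the recovery half, which is the reason for enabling it. The following session is an added example, not part of the original notes: it secures the bootset, verifies it, and then restores the archived configuration after the startup-config has been wiped or tampered with. The hostname R1 and the file name flash:rescue-cfg are assumed values.

```cisco
! Enable resilience: the image and a snapshot of the running config are hidden from "dir" and cannot be deleted
R1#configure terminal
R1(config)#secure boot-image
R1(config)#secure boot-config
R1(config)#do show secure bootset
! Re-run "secure boot-config" after configuration changes so the archive reflects the current config
!
! Recovery: write the hidden archive back to an ordinary file, then load it
R1(config)#secure boot-config restore flash:rescue-cfg
R1(config)#end
R1#copy flash:rescue-cfg running-config
R1#copy running-config startup-config
!
! Disabling resilience is accepted only from the physical console, never over a vty session
R1#configure terminal
R1(config)#no secure boot-image
R1(config)#no secure boot-config
```

The console-only restriction on the `no` forms is the property that makes the feature worth enabling: an attacker who has obtained remote privileged access can erase the visible startup-config but cannot remove the secured archive or image, so the device can be recovered from the archive instead of rebuilt.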