2 Securing Network Devices
Authentication (local)
(config)# username name password { [0] password | 7 encrypted-password}
# Predefined privilege levels:
Level 0: only five commands (disable, enable, exit, help and logout)
Level 1: User EXEC mode
Level 15: Privileged EXEC mode
# BANNERS:
(config)# banner {exec | incoming | login | motd | slip-ppp} d message d
bootset !
# Configs (role-based CLI views):
1. (config)# aaa new-model
2. # enable view
(to enter the root view, add the root keyword; an enable secret must already be configured)
3. (config)# parser view view-name (add superview keyword for superviews)
4. (config-view)# secret encrypted-password (must be set immediately after creating a view)
5. (config-view)# commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]
# Conditions (for SSH):
1. The right IOS version (12.1(1)T or later with IPSec feature set)
2. Unique hostname
3. Domain name
4. Local authentication or AAA services
# Steps (SSH):
1. (config)# hostname hostname
2. (config)# ip domain-name domain-name
3. (config)# crypto key generate rsa general-keys modulus modulus-size
4. (config)# username name secret secret
5. (config-line)# login local
6. (config-line)# transport input ssh
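An added audit script (not from these notes and not a Cisco tool) that checks a saved running-config text against steps 1, 2, 4, 5 and 6 above and the local-authentication note; the sample configs are constructed:

```python
import re

# Constructed sample running-config (not taken from any real device).
SAMPLE_CONFIG = """\
hostname R1
ip domain-name example.lab
username admin privilege 15 secret 5 $1$PLACEHOLDER
line con 0
 login local
line vty 0 4
 login local
 transport input ssh
"""

def audit_ssh_hardening(config: str) -> dict:
    """Map each check from the SSH steps and the local-authentication note to True/False.

    Step 3 (crypto key generate rsa) leaves no trace in the running-config; verify it
    on the device with 'show crypto key mypubkey rsa' instead.
    """
    lines = config.splitlines()
    top = [l for l in lines if l and not l.startswith(" ")]
    findings = {
        # Steps 1-2: key generation needs a non-default hostname and a domain name.
        "hostname_set": any(re.match(r"hostname (?!Router$)\S+$", l) for l in top),
        "domain_name_set": any(l.startswith("ip domain-name ") for l in top),
        # Step 4: at least one local account protected with a hashed 'secret'.
        "local_user_with_secret": any(
            re.match(r"username \S+ (privilege \d+ )?secret ", l) for l in top),
        # 'username ... password' (type 0 or reversible type 7) is the weak form from the notes.
        "no_reversible_user_passwords": not any(
            re.match(r"username \S+ (privilege \d+ )?password ", l) for l in top),
    }
    # Steps 5-6: every 'line vty' block must carry 'login local' and 'transport input ssh'.
    vty_blocks, in_vty = [], False
    for l in lines:
        if not l.startswith(" "):
            in_vty = l.startswith("line vty")
            if in_vty:
                vty_blocks.append({"login local": False, "transport input ssh": False})
        elif in_vty and l.strip() in vty_blocks[-1]:
            vty_blocks[-1][l.strip()] = True   # exact match: 'transport input telnet ssh' fails
    findings["vty_login_local"] = bool(vty_blocks) and all(b["login local"] for b in vty_blocks)
    findings["vty_ssh_only"] = bool(vty_blocks) and all(b["transport input ssh"] for b in vty_blocks)
    return findings

def passes(config: str) -> bool:
    """True only when every check above holds."""
    return all(audit_ssh_hardening(config).values())

if __name__ == "__main__":
    for check, ok in audit_ssh_hardening(SAMPLE_CONFIG).items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```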
Other Commands:
# show crypto key mypubkey rsa
(config)# crypto key zeroize rsa
NTP
# Additional Commands:
(config)# ntp server {ip-address | hostname} [version number] [key key-id] [source interface] [prefer]
(config-if)# ntp broadcast client
Syslog
Severity Levels (default = 3)
Types
Defense-In-Depth Approach
Screening Router
DMZ Approach
Physical
# Configs (syslog):
(config)# logging host [ hostname | ip-address ]
(config)# logging trap level
(config)# logging source-interface int-type int-number
(specifies the source in the syslog packets regardless of the exit interface)
(config)# logging on
Hardening
# Components:
Manager, Agent and MIBs