Chapter 1, Router Security, addresses the importance of router security and where routers fit into an overall information security plan.. Chapter 3, Basic Access Control, discusses the s
Trang 1Master one single topic, and everything becomes clearer
The field of network security is a huge subject To be a network security expert, you must be an expert on routers, switches, hubs, firewalls, intrusion detection systems (IDS), servers, desktops, email, HTTP, instant messages, sniffers, and a thousand other topics There are many books on network security, and the good ones tend to
be tomes of 1000+ pages that are intimidating even to their authors This book takes the opposite approach It takes a single, but vitally important, topic and expands on
it Routers are your first line of defense If they are compromised, everything else is compromised This book describes how to secure your routers Once you learn how
to secure them, routers can protect the rest of your network
To reemphasize, this is not a book on network security; there are hundreds of those already in print You will not find long discussions on firewalls, Virtual Private Net-works (VPNs), network IDS systems, or even access lists (ACLs) This book is more fundamental than that This book shows how to harden the foundation of your net-work—the router Once you have mastered the information in this book, you will find that your ability to build firewalls and configure IDS systems will increase You will be building on a secure foundation
Organization
This book consists of 11 chapters and 5 appendixes At the end of most chapters is a checklist summarizing the hardening techniques described in that chapter Appendix A provides a complete hardening checklist made up of the chapter check-lists The book is designed to be read either straight through for those new to router security, or a chapter at a time for those interested in specific topics I recommend, however, that before reading the book, you review the checklist provided in Appendix A This checklist will give you a good feel for the information covered in
Trang 2each chapter and familiarize you with the scope of the book Here is a brief descrip-tion of what each chapter and appendix covers
Chapter 1, Router Security, addresses the importance of router security and where
routers fit into an overall information security plan Additionally, this chapter dis-cusses which routers are the most important to secure and how secure routers are necessary (and often overlooked) parts of both firewall design and the overall infor-mation security strategy of a company
Chapter 2, IOS Version Security, discusses security issues involving the router IOS
software It outlines current IOS revisions, shows how to determine current IOS ver-sions, and details the importance of running a current IOS
Chapter 3, Basic Access Control, discusses the standard ways to access a Cisco router,
the security implications of each of these methods, and how to secure basic Cisco router access These methods include console, VTY, AUX, and HTTP access controls
Chapter 4, Passwords and Privilege Levels, discusses the three ways that Cisco
rout-ers store passwords and the security implications of each method This chapter con-tinues to discuss the router’s default security levels and shows how to modify these levels to increase the security and accountability on your routers
Chapter 5, AAA Access Control, discusses how to use the advanced AAA
authentica-tion and authorizaauthentica-tion configuraauthentica-tion for Cisco routers It also shows how to use a network access server running RADIUS or TACACS+ to control these services on the router
Chapter 6, Warning Banners, discusses the importance of having warning banners on
routers This chapter not only talks about the need to have banners, but also pre-sents legal dos and don’ts for security banners Finally, the chapter provides an example recommended banner to use on Cisco routers
Chapter 7, Unnecessary Protocols and Services, discusses the unnecessary services
that are commonly run on Cisco routers Many of these services are enabled by
default, and this chapter explains why services such as HTTP, finger, CDP, echo, and chargen are dangerous and details how to turn them off.
Chapter 8, SNMP Security, demonstrates how to disable SNMP or configure it
securely It presents the differences between SNMP Versions 1, 2, and 3; talks about read-only versus read-write access; and shows how to use access lists to limit SNMP access to only a few specific machines
Chapter 9, Secure Routing and Antispoofing, discusses routing protocol security
Spe-cifically, it discusses how to add security to RIP, OSPF, EIGRP, and BGP These routing protocols allow authentication to prevent fake routing updates The chapter also presents the importance of antispoofing filters and how to perform ingress and egress filtering using CLs on older routers and Cisco’s RPF and CEF antispoofing mechanisms on newer ones
Trang 3Chapter 10, NTP, discusses NTP and how to use it to make sure all routers have the
exact same time This chapter discusses the importance of having the time on all your routers and logging servers synchronized and provides examples of how to con-figure a Cisco router to use NTP time services
Chapter 11, Logging, discusses how Cisco routers perform logging and why logging is
important The chapter then demonstrates why and how to manipulate logging
buff-ers, how to configure routers to use syslog, and when to do ACL violation logging Appendix A, Checklist Quick Reference, allows you to secure your Cisco routers and
verify that important security issues have been addressed The checklist is presented
in a manner that makes it easy to quickly refer back to the chapter addressing the items outlined in the checklist reference Finally, this appendix briefly talks about using the checklist to harden and audit Cisco routers
Appendix B, Physical Security, talks about the importance of physically securing your
routers It presents common physical vulnerabilities and discusses how to overcome them
Appendix C, Incident Response, gets you thinking about how to react when a
break-in is discovered The goal of this chapter is not to provide an exhaustive explanation
of incident response, but to provide emergency guidelines that you can follow when
an incident occurs
Appendix D, Configuration Examples, provides common Cisco router configuration
examples that combine the examples throughout the book
Appendix E, Resources, provides a list of resources that you might find useful if you
need to brush up on ACLs, network access protocols such as TACACS or RADIUS,
and services such as SNMP or syslog.
Audience
This book assumes you are already familiar with configuring, administering, and troubleshooting Cisco routers A CCNA should be comfortable with the contents of each chapter A CCNP or above will probably want to first turn to the checklist pro-vided in Appendix A To get the most out of this book, you should be familiar with:
• Accessing your router through the console and VTYs
• Using TCP/IP and subnet masks
• Configuring your router from the command line
• Upgrading your IOS
• Configuring standard and extended ACLs
• Routing protocols such as RIP, IGRP, and OSPF
Trang 4Conventions Used in This Book
The following formatting conventions are used throughout this book:
• Italic is used for commands, passwords, error messages, filenames, emphasis,
and the first use of technical terms
• Constant width is used for IP addresses and router configuration examples
• Constant width italic is used for replaceable text
• Constant width bold is used for user input
This icon indicates a note or tip.
This icon indicates a warning.
How to Contact Us
Please address comments and questions concerning this book to the publisher: O’Reilly & Associates, Inc
1005 Gravenstein Highway North
Sebastopol, CA 95472
(800) 998-9938 (in the United States or Canada)
(707) 829-0515 (international/local)
(707) 829-0104 (fax)
There is a web site for this book, which lists errata, examples, or any additional information You can access this page at:
http://www.oreilly.com/catalog/hardcisco
To comment or ask technical questions about this book, send email to:
bookquestions@oreilly.com
For more information about books, conferences, resource centers, and the O’Reilly Network, see the O’Reilly web site at:
http://www.oreilly.com
Trang 5First, always, is my wife Abigail Akin Neither of us knew how hard this would be, but it was her encouragement (and occasional kick in the pants) that gave me the courage and discipline to write and finish this book Honey, this first book is for you Second, for his near infinite patience, is Jim Sumser, my editor It was Jim who took
a chance on an unknown author He pushed me when I needed it and always had a word of praise to keep me on track just when I was about to throw my computer out the window
My technical reviewers gave invaluable input: Ian J Brown, CCIE #3372, Mark Jackson, CCIE #4736, and Elsa Lankford Ian and Mark kept me towing the line technically, while Elsa kept me from getting bogged down in details, missing the for-est for the trees Ian and Mark, the configuration examples in Appendix Dare for you, and, Elsa, the resources in Appendix E are yours
Also, my friends in law enforcement: thanks to Steve Edwards from the Georgia Bureau of Investigation and Cassandra Schansman, Georgia’s Assistant Attorney General, for both their support and review of Appendix C Thanks to Patrick Gray from the FBI’s Atlanta Computer Crimes Squad for providing the warning banner in Chapter 6
Next, Jeff Crabtree, my former boss and long-time friend He gave me my start in information technology and has supported me, many times at his own expense, for almost a decade I owe you and Lisa some serious margaritas
Finally, the two people who have taught me that integrity and love are the most important parts of being successful—my father Morgan Akin and my mother Cathy Coulmas