NOTE
The secure boot-config command functions properly only when the system is configured to run an image from a disk with an Advanced Technology Attachment (ATA) interface.
The commands captured above were from a Cisco 871 ISR that does not support ATA;
thus, we observe the notification “…No ATA disk found for storing archives.”
Now, we’ll execute the command that verifies the bootset:
CiscoISR#show secure bootset
%IOS image and configuration resilience is not active
EXAM ALERT
Remember that the only way you can view the secured copies of the configuration and IOS image is to execute the show secure bootset command.
Protecting Virtual Logins from Attack
Recall from Chapter 1, “Network Insecurity,” that there are two broad categories of attacks: access attacks and DoS attacks. We will examine three methods to mitigate the success of these attacks against SSH, Telnet, and HTTP logins to the IOS router:
. Shutting down or “blocking” the login system if DoS attacks are suspected.
. Enforcing a delay between successive login attempts.
. Generating syslog messages for login detection.
Blocking the Login System
When a DoS attack on the login system is detected, subsequent login attempts can be blocked for a specified time [in seconds]. You must set the threshold as a number of tries within a specified period [in seconds]. Here is the format of the command:
login block-for seconds attempts tries within seconds
For example, if your security policy stipulates that five login attempts within 60 seconds constitutes a possible DoS attack, you might want to block subsequent logins for 120 seconds:
CiscoISR(config)#login block-for 120 attempts 5 within 60
This enforced blocking period (120 seconds in the preceding example) is known as a quiet period. During that quiet period, no login attempts will be accepted by the router. If you want to specify a policy as to who would be allowed to attempt a login during this quiet period, you can use an ACL to describe the IP addresses that can.
Perhaps this is a management VLAN or IPsec VPN user. Recall from your CCNA studies that the way to limit access to the virtual terminal lines is to use the access-class command to apply an ACL to the vtys. In this example, packets that match the named IP ACL “RA-VPN-Users” will be allowed to log in during the quiet period. Note the use of the access-class parameter in the command syntax:
CiscoISR(config)#ip access-list standard RA-VPN-Users
CiscoISR(config-std-nacl)#permit 10.1.1.0 0.0.0.255
CiscoISR(config-std-nacl)#exit
CiscoISR(config)#login quiet-mode access-class RA-VPN-Users
Enforcing a Delay Between Logins
To protect the IOS router against possible dictionary attacks, you can enforce a delay between successive login attempts. This will help frustrate an attacker and will also protect the login system so that legitimate users get an opportunity to log in to the device. For example, if you want to enforce a login delay of one second between attempts, issue this command:
CiscoISR(config)#login delay ?
<1-10> Time period in seconds
CiscoISR(config)#login delay 1
NOTE
If you use the auto secure command, a login delay of one second is automatically configured. The auto secure command is discussed in Chapter 4.
Generating Syslog Messages for Login Detection
The following two commands generate logging messages for successful and failed login attempts respectively:
CiscoISR(config)#login on-success log
CiscoISR(config)#login on-failure log
Verifying the Login Configuration
The show login command verifies that the modifications that we have made to the login subsystem of the router will be enforced. The shaded parts of the following output indicate these changes:
CiscoISR#show login
A login delay of 1 seconds is applied.
Quiet-Mode access list RA-VPN-Users is applied.
All successful login is logged.
All failed login is logged.
Router enabled to watch for login Attacks.
If more than 5 login failures occur in 60 seconds or less, logins will be disabled for 120 seconds.
Router presently in Normal-Mode.
Current Watch Window
Time remaining: 57 seconds.
Login failures for current window: 0.
Total login failures: 0.
CiscoISR(config)#
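As an added example that is not part of the original chapter, the following Python script parses a constructed copy of the show login output above and audits it against the thresholds this section configured; the POLICY values, the finding strings, and the function names are assumptions made here for illustration.

```python
import re

# Constructed sample of "show login" output, modelled on the output on this page.
SHOW_LOGIN_SAMPLE = """\
A login delay of 1 seconds is applied.
Quiet-Mode access list RA-VPN-Users is applied.
All successful login is logged.
All failed login is logged.
Router enabled to watch for login Attacks.
If more than 5 login failures occur in 60 seconds or less, logins will be disabled for 120 seconds.
Router presently in Normal-Mode.
"""

# Minimum policy (assumed here, mirroring the chapter's example values).
POLICY = {"delay": 1, "attempts": 5, "within": 60, "block_for": 120}

BLOCK_RE = re.compile(r"If more than (\d+) login failures occur in (\d+) seconds"
                      r" or less, logins will be disabled for (\d+) seconds")

def parse_show_login(text):
    """Extract the login-subsystem settings reported by 'show login'."""
    s = {"delay": 0, "quiet_acl": None, "log_success": False, "log_failure": False,
         "attempts": None, "within": None, "block_for": None, "mode": None}
    for line in text.splitlines():
        if m := re.match(r"A login delay of (\d+) seconds", line):
            s["delay"] = int(m.group(1))
        elif m := re.match(r"Quiet-Mode access list (\S+) is applied", line):
            s["quiet_acl"] = m.group(1)
        elif line.startswith("All successful login is logged"):
            s["log_success"] = True
        elif line.startswith("All failed login is logged"):
            s["log_failure"] = True
        elif m := BLOCK_RE.match(line):
            s["attempts"], s["within"], s["block_for"] = map(int, m.groups())
        elif m := re.match(r"Router presently in (\S+?)\.?$", line):
            s["mode"] = m.group(1)
    return s

def audit(settings, policy=POLICY):
    """Return a list of findings; an empty list means the policy is met."""
    findings = []
    if settings["attempts"] is None:
        findings.append("login block-for not configured")
    else:
        # A higher failure threshold, a shorter watch window or a shorter quiet
        # period are all more permissive than the policy requires.
        if settings["attempts"] > policy["attempts"]:
            findings.append("block-for failure threshold above policy")
        if settings["within"] < policy["within"]:
            findings.append("block-for watch window shorter than policy")
        if settings["block_for"] < policy["block_for"]:
            findings.append("block-for quiet period shorter than policy")
        if settings["quiet_acl"] is None:
            findings.append("no quiet-mode access-class: admins locked out during quiet period")
    if settings["delay"] < policy["delay"]:
        findings.append("login delay below policy")
    if not (settings["log_success"] and settings["log_failure"]):
        findings.append("login success/failure logging not enabled")
    return findings
```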
Configuring Banner Messages
Five different banners can be configured on the IOS router:
. Exec. This banner is displayed when an exec mode (user or enable) is entered on the router.
. Incoming. This banner is displayed when there is an incoming connection to a terminal line from a network host.
. Login. This banner is displayed before the username/password prompt.
. MOTD. The message-of-the-day banner.
. SLIP-PPP. This banner is displayed for dial-in users on a Serial Line Internet Protocol (SLIP) or Point-to-Point Protocol (PPP) connection.
Remember that the router, in its role as a perimeter device, is often the first device an attacker is likely to see as he probes the network. The banners are the first thing that users see when they log in to the routers. This would be an appropriate place to put warning messages and legal statements, such as the repercussions of unauthorized access to the system. Don’t give away any information in your banner message that might be useful to an attacker. Above all, don’t tell anyone that they’re “Welcome.” If they’re an attacker, they certainly aren’t, and the router’s login banners should not be the equivalent of a welcome mat in any case. Here’s a partial configuration showing an example of a MOTD banner:
banner motd ^C
WARNING: You are connected to $(hostname) $(domain)
This system is the property of ABC LLC.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this device. All activities performed on this device
are logged. Any violations of access policy will result in disciplinary action.
^C
NOTE
You can use replaceable parameters in the banner message. For example, the parameters
$(hostname) and $(domain) will be replaced with the system’s hostname and domain name suffix respectively when the banner is displayed upon login.
Introducing Cisco SDM
Cisco Security Device Manager (SDM) is a web-based tool that can be used to manage Cisco IOS routers. It can be used as an alternative to the CLI because the majority of tasks that can be performed with the CLI can also be completed with the SDM. As the Security Device Manager evolves, Cisco is putting heavier emphasis on its use in their courses. Time spent mastering the SDM here will be time well spent.
NOTE
In Q2 of 2008, Cisco announced a new web-based GUI tool called the Cisco Configuration Professional (CCP). It is expected that CCP will eventually replace SDM. Not all ISRs are supported by CCP yet, though this support is coming. For more information on CCP, navigate to http://www.cisco.com/go/ccp.
There are five basic services that SDM manages:
. Routing
. Switching
. Security (including VPN, firewall, and IOS)
. Wireless
. QoS
It also contains a knowledge base of Cisco IOS configurations. Its built-in tutorials, context-sensitive help, and smart wizards supplement its ease of use.
Figure 3.3 is a screenshot of the opening Cisco SDM screen on a Cisco 871 ISR.
Not all ISRs have enough flash to run the full SDM out of flash. If this is the case, you can either:
. Install Cisco SDM locally on a Windows PC.
. Run the Cisco SDM Express.
FIGURE 3.3 Cisco router and Security Device Manager (SDM).
Files Required to Run Cisco SDM from the Router
There are certain files that are required to run the Cisco SDM from the router’s flash file system. If these files don’t exist, they will need to be downloaded from Cisco. They come as part of a comprehensive download that also includes the files required to run the SDM applet from a PC workstation. Factory fresh routers from Cisco will have these files in flash. If they are not there, it means that someone has deleted them, perhaps because the organization’s security policy specifies that only the CLI can be used to configure the router.
NOTE
For more information about Cisco SDM and to download a package that contains the files necessary to run SDM from flash as well as the standalone SDM applet for use on a PC, navigate to http://www.cisco.com/go/sdm.
These files are needed to run Cisco SDM 2.2a and later from the router:
. sdmconfig-modelxxx.cfg: The default configuration for the model of ISR (for example: sdmconfig-2811.cfg)
. sdm.tar
. es.tar (for SDM Express; can be deleted if only the SDM is being used)
. common.tar
. home.shtml
. home.tar
. wlanui.tar (if ISR has wireless interfaces)
This router does not have all the files necessary to run SDM:
cisco871#show flash
28672K bytes of processor board System flash (Intel Strataflash)
Directory of flash:/
1 -rwx 18924888 Mar 15 2008 16:51:09 -05:00 c870-advipservicesk9-mz.124-15.T4.bin
2 -rwx 3179 Feb 14 2008 19:21:31 -05:00 sdmconfig-8xx.cfg
3 -rwx 1038 Feb 14 2008 19:21:10 -05:00 home.shtml
4 -rwx 112640 Feb 14 2008 19:21:46 -05:00 home.tar
5 -rwx 931840 Feb 14 2008 19:23:48 -05:00 es.tar
6 -rwx 1505280 Feb 14 2008 19:28:44 -05:00 common.tar
… output omitted …
27611136 bytes total (4065280 bytes free)
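As an added example (not from the book), this Python code parses a constructed copy of the show flash listing above and reports which of the files listed for SDM 2.2a and later are missing, so you can confirm either that the full SDM will launch or that a CLI-only policy has actually had the files removed; the function names and the placeholder config-file name are assumptions.

```python
import re

# Constructed "show flash" listing, modelled on the Cisco 871 output on this page.
SHOW_FLASH_SAMPLE = """\
28672K bytes of processor board System flash (Intel Strataflash)
Directory of flash:/
    1  -rwx    18924888  Mar 15 2008 16:51:09 -05:00  c870-advipservicesk9-mz.124-15.T4.bin
    2  -rwx        3179  Feb 14 2008 19:21:31 -05:00  sdmconfig-8xx.cfg
    3  -rwx        1038  Feb 14 2008 19:21:10 -05:00  home.shtml
    4  -rwx      112640  Feb 14 2008 19:21:46 -05:00  home.tar
    5  -rwx      931840  Feb 14 2008 19:23:48 -05:00  es.tar
    6  -rwx     1505280  Feb 14 2008 19:28:44 -05:00  common.tar
27611136 bytes total (4065280 bytes free)
"""

# Files the chapter lists for SDM 2.2a and later. es.tar is only needed for
# SDM Express and wlanui.tar only on routers with wireless interfaces.
REQUIRED_FULL_SDM = ["sdm.tar", "common.tar", "home.shtml", "home.tar"]
CONFIG_RE = re.compile(r"^sdmconfig-.+\.cfg$")
# A directory entry: index, permissions, size, date/time fields, file name last.
ENTRY_RE = re.compile(r"^\s*\d+\s+[-rwx]+\s+\d+\s+.*\s(\S+)$")

def list_flash_files(text):
    """Return the file names found in a 'show flash' directory listing."""
    return [m.group(1) for m in map(ENTRY_RE.match, text.splitlines()) if m]

def sdm_readiness(text, wireless=False):
    """Return (can_run_full_sdm, missing_files) for a 'show flash' listing."""
    present = set(list_flash_files(text))
    required = REQUIRED_FULL_SDM + (["wlanui.tar"] if wireless else [])
    missing = [f for f in required if f not in present]
    # The default config file is model-specific, so match it by pattern.
    if not any(CONFIG_RE.match(f) for f in present):
        missing.append("sdmconfig-<model>.cfg")
    return (not missing, missing)
```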
Using Cisco SDM Express
Because the router in the previous example doesn’t have enough flash memory, not all the files necessary to run the Cisco SDM are present. If you browse to https://router-ip-address, the Cisco SDM Express will launch instead.
On a new router, you browse to http://10.10.10.1, which is the default IP address of a new router. The initial configuration is completed by using the Cisco SDM Express Wizard. After the initial configuration of the router is complete, the Cisco SDM Express is no longer offered. Subsequent changes to the configuration use the full Cisco SDM.
Figure 3.4 illustrates the Cisco SDM Express.
FIGURE 3.4 Cisco SDM Express.
Launching Cisco SDM
After you have completed the router’s initial configuration with the SDM Express, you can now launch the SDM for more advanced configuration chores.
There are two ways to launch the SDM, as follows:
. Cisco SDM on a PC. Use the Cisco SDM Launcher. The default location is Start->Programs->All Programs->Cisco Systems->Cisco SDM->Cisco SDM.
. Cisco SDM in Router Flash Memory. Open up a web browser and browse using either HTTP or HTTPS to the IP address that has been configured on the router.
Figure 3.5 shows both the SDM Launcher and using a web browser to access the Cisco SDM.
If you choose to use a web browser to launch SDM, it must meet the requirements in Table 3.1.
FIGURE 3.5 Two methods to launch the SDM.
TABLE 3.1 Browser Software Requirements
Software        Requirements
Browser         Microsoft Internet Explorer 5.5 or later.
                Netscape Navigator 7.1 or 7.2.
                Mozilla Firefox 1.0.5.
Java Software   Java Virtual Machine–enabled browsers are required.
                Java plug-in: Java 2 Standard Edition (J2SE); Java Runtime Environment (JRE) Version 1.4.2_05 or later.
(Figure 3.5 callouts: Web browser; SDM Launcher; “Check this box to use HTTPS.”)
NOTE
Other Java-enabled web browsers are likely to work, but Cisco TAC will support those listed in Table 3.1.
Accomplishing tasks on the Cisco SDM is done through buttons along the top of the SDM home page corresponding to different modes. Figure 3.6 illustrates these buttons.
FIGURE 3.6 SDM modes.
In summary, these modes are as follows:
. Configure Mode. Provides its own task panel with buttons that represent the different configuration tasks and wizards for the novice.
. Monitor Mode. Provides its own task panel with views to the current status of the router.
. Refresh. Updates the current running configuration on the router with the Cisco SDM.
. Save. Saves the running configuration to the startup configuration on the router (CLI: copy running-config startup-config).
Cisco SDM Smart Wizards
When you press the Configure mode button, a task panel appears. Pressing some of the buttons in this task panel will launch a smart wizard. Figure 3.7 shows some of the tasks that come up when you press the Configure mode button.
The following smart wizards are available from the tasks shown in Figure 3.7.
Note that there is more than one wizard for each task. For example, in the Virtual Private Network (VPN) Wizards, you can configure site-to-site IPsec VPNs, remote-access IPsec and Secure Sockets Layer (SSL) VPNs, Dynamic Multipoint VPNs (DMVPNs), and others. VPNs are discussed in Chapter 7, “Virtual Private Networks with IPsec.”
. Interfaces and Connections Wizards. Configure serial and LAN interfaces.
. Firewall and ACL Wizards. Configure basic or advanced firewall.
. VPN Wizards. Configure different types of VPNs.
. Security Audit Wizards. Perform a router security audit.
. Routing Wizards. Configure static routes and dynamic routing protocols.
. NAT Wizards. Configure basic and advanced NAT.
. Intrusion Prevention Wizards. Configure the IOS IPS.
. Quality of Service Wizards. Configure QoS to prioritize traffic as it flows through the router.
. NAC Wizards. Configure Network Admission Control policies.
Advanced Configuration with SDM
If you scroll down one more button in the Configuration Task Panel (shown in Figure 3.7), you see a button marked Additional Tasks. Figure 3.8 shows the advanced configuration tasks that come up when you click the Additional Tasks button.
FIGURE 3.7 Configuration task panel.
Here are the tasks that can be completed in the Additional Tasks menu illustrated in Figure 3.8:
. Router Properties. Some of the tasks that you can complete include configuring the router hostname, domain, password, date, and time.
. Router Access. Some of the tasks that you can complete include role-based user access, management, and SSH.
. DNS and DDNS. Some of the tasks that you can complete include configuring Domain Name Service (DNS) and Dynamic DNS.
. ACLs. You can create and edit standard, extended, and named ACLs here.
. AAA. The major tasks that you can accomplish include configuring local and external authentication and authorization.
. Router Provisioning. The USB port can be configured here for secure device provisioning.
. 802.1X. Port-based authentication through IEEE standard Extensible Authentication Protocol (EAP) using IEEE 802.1X can be configured here.
FIGURE 3.8 Additional configuration tasks.
Cisco SDM Monitor Mode
In monitor mode, you can view important information about your router, including the firewall status, interface status, and active VPN connections. You can also view the router event log. This is illustrated in Figure 3.9.
FIGURE 3.9 Cisco SDM monitor mode.
Here is a summary of the information that can be viewed in monitor mode:
. Monitor Overview Window. Shows router status (CPU usage, flash memory usage, and flash usage) and a list of the error log entries.
. Interface Status. Shows whether interfaces are up or down, bandwidth utilization, and so on.
. Firewall Status. Shows a log with the number of access attempts that the router’s firewall has denied.
. VPN Status. Statistics about active VPN connections.
. QoS Status. Shows policy information on the interfaces.
. NAC Status. Shows the number of NAC sessions on the router.
. Logging. Contains the router event log grouped by severity level.
Configuring Local Database AAA on a Cisco Router
There are many instances where simple password-based authentication will not be adequate. Certainly many security policies will dictate that both username and password will be required if for no other reason than that the person who logs in to the router needs to be identified (authenticated) and his activities need to be tracked (accounted). What users are allowed to do (authorization) is something else we can control if we know who they are in the first place. You can’t do all these things if the system simply uses passwords. Let’s first define AAA, and then quickly itemize Cisco’s four solutions. Then we’ll get back to configuring local database AAA on a Cisco router.
The next section contains a more formal definition of authentication, authorization, and accounting (AAA)—the functions that AAA servers perform.
Authentication, Authorization, and Accounting (AAA)
The following list represents a simple definition of the three A’s in AAA.
. Authentication. Establishes who you are.
. Authorization. Now that we know who you are, we can establish what you can do and what you can access.
. Accounting. Also, now that we know who you are, we can establish what you did, how long you did it, and how often you did it.
Note the heavy emphasis on you. (This isn’t a comment on society, by the way!) Clearly it all starts with authentication, because authorization and accounting would not be possible without establishing an individual’s identity first.
EXAM ALERT
Memorize the meaning of the three A’s in AAA.
Two Reasons for Implementing AAA on Cisco Routers
Cisco specifies two main reasons for implementing AAA on Cisco routers.
These are outlined in the following list:
. Remote User Network Access. AAA is performed in support of IPsec and SSL VPN users and dial-up users before they are permitted access to an organization’s network.
. Administrative Access. AAA is performed before a user is permitted administrative access to a router (console, Telnet/SSH/HTTP, auxiliary).
Cisco’s Implementation of AAA for Cisco Routers
Let’s now look at how Cisco implements AAA for Cisco routers. There are two main categories of AAA implementations: local AAA (or “self-contained” AAA) and external AAA. These are outlined next:
. Self-Contained AAA. Local authentication on the router or other network access server (NAS) using a local username/password database. Essentially, the device is acting both as AAA client and server.
EXAM ALERT
The terms “Network Access Server (NAS)” and “AAA client” mean the same thing.
Cisco favors the term “AAA client” mostly, but you will still see the term NAS here and there in Cisco literature.
. External Authentication. Authentication using an external Cisco Secure Access Control Server (ACS). There are three separate Cisco Secure ACS external AAA solutions:
. Cisco Secure Access Control Server for Microsoft Windows Server.
. Cisco Secure ACS Express: An entry-level RADIUS and TACACS+ AAA 1U server appliance. Supports up to 50 AAA clients, as well as 350 unique user logons in a 24-hour period.
. Cisco Secure ACS Solution Engine: An appliance that supports many more AAA clients and unique user logons than Cisco Secure ACS Express.
NOTE
Readers who are familiar with AAA will note the heavy emphasis on Cisco solutions for external AAA. In reality, Cisco is one of many vendors of external AAA solutions. The market abounds with choices, including Microsoft IAS (Internet Authentication Service), FreeRADIUS (Open Source), and Livingston’s Steel-Belted Radius.
Recall from the “Two Reasons for Implementing AAA on Cisco Routers” section in this chapter that there are two types of access. Access to the router is called “remote administrative access.” Access through the router to networks beyond the router is called “remote network access.” Figure 3.10 illustrates this difference, as does Table 3.2, which defines how Cisco further categorizes these two main types of access.
FIGURE 3.10 Types of access and AAA placement. (Figure labels: Remote Network Access; Remote Administrative Access; IT Resource; External AAA Server; Choices: External AAA and/or Self-Contained AAA.)
TABLE 3.2 Types of Router Access
Type of Access                 Modes                                NAS (AAA Client) Ports              Common AAA Command Elements
Remote Administrative Access   Character mode (line or EXEC mode)   tty, vty, auxiliary, and console    login, exec, and enable
Remote Network Access          Packet mode (interface mode)         async, group-async, BRI, and PRI    ppp and network
Tasks to Configure Local Database AAA on a Cisco Router
There are four basic tasks to configuring local AAA (whether character or packet mode) on a router:
Task 1: Configure user accounts by creating a username/password database on the router.