CCNA Security Summary

  1. Defending your network against attack requires constant vigilance and education. There
    are 10 best practices that represent the best insurance for your network.

  2. Physical Security

  3. Operating System Security

  4. Router Hardening

  5. Several important tasks are involved in securing administrative access to an infrastructure device:

  6. Enable Secret Password

  7. Minimum Character Length

  8. Encrypt All Passwords

  9. Configuring Local Username Account

  10. Login Feature

  11. Banner

  12. Configure SSH

  13. Configuring Privilege Levels

  14. Configure Role-Based CLI Access

  15. Securing the Cisco IOS Image and Configuration Files

  16. Restore a primary bootset from a secure archive

  17. Recovering a router password

  18. ******* DISABLE ROMmon *********

  19. Configure system logging

  20. Using SNMP for Network Security

  21. Network Time Protocol (NTP)

  22. Local AAA authentication

    Firewall Technology


  1. Access Control List (ACLs)

  2. Configure Time-Based ACLs

  3. Troubleshooting Complex ACL Implementations

  4. Configuring CBAC

  5. Design zone-based firewall

  6. Configure ZPF

  7. Troubleshooting





CCNA Security

1.    Defending your network against attack requires constant vigilance and education. There are 10 best practices
that represent the best insurance for your network.

1. Keep patches up to date by installing them weekly or daily, if possible, to prevent buffer overflow and privilege
escalation attacks.
2. Shut down unnecessary services and ports.
3. Use strong passwords and change them often.
4. Control physical access to systems.
5. Avoid unnecessary web page inputs. Some websites allow users to enter usernames and passwords. A hacker can enter
more than just a username. For example, entering "jdoe; rm -rf /" might allow an attacker to remove the root file
system from a UNIX server. Programmers should limit input characters and not accept invalid characters such as
| ; < > as input.
6. Perform backups and test the backed up files on a regular basis.
7. Educate employees about the risks of social engineering, and develop strategies to validate identities over the
phone, via email, or in person.
8. Encrypt and password-protect sensitive data.
9. Implement security hardware and software such as firewalls, IPSs, virtual private network (VPN) devices, anti-virus
software, and content filtering.
10. Develop a written security policy for the company.



2.    Physical Security

Provide physical security for the routers:
Place the router and physical devices that connect to it in a secure locked room that is accessible only to authorized
personnel, is free of electrostatic or magnetic interference, has fire suppression, and has controls for temperature
and humidity.
Install an uninterruptible power supply (UPS) and keep spare components available. This reduces the possibility of a
DoS attack from power loss to the building.

3.    Operating System Security

Secure the features and performance of the router operating systems:
Configure the router with the maximum amount of memory possible. The availability of memory can help protect the
network from some DoS attacks, while supporting the widest range of security services.
Use the latest stable version of the operating system that meets the feature requirements of the network. Security
features in an operating system evolve over time. Keep in mind that the latest version of an operating system might
not be the most stable version available.
Keep a secure copy of the router operating system image and router configuration file as a backup.

4.    Router Hardening

Eliminate potential abuse of unused ports and services:
Secure administrative control. Ensure that only authorized personnel have access and that their level of access is
controlled.
Disable unused ports and interfaces. Reduce the number of ways a device can be accessed.
Disable unnecessary services. Similar to many computers, a router has services that are enabled by default. Some of
these services are unnecessary and can be used by an attacker to gather information or for exploitation.

5.    Several important tasks are involved in securing administrative access to an infrastructure device:

Restrict device accessibility - Limit the accessible ports, restrict the permitted communicators, and restrict
the permitted methods of access.
Log and account for all access - For auditing purposes, record anyone who accesses a device, including what
occurs and when.
Authenticate access - Ensure that access is granted only to authenticated users, groups, and services. Limit
the number of failed login attempts and the time between logins.
Authorize actions - Restrict the actions and views permitted by any particular user, group, or service.
Present Legal Notification - Display a legal notice, developed in conjunction with company legal counsel, for
interactive sessions.
Ensure the confidentiality of data - Protect locally stored sensitive data from viewing and copying. Consider
the vulnerability of data in transit over a communication channel to sniffing, session hijacking, and man-in-the-
middle (MITM) attacks.

6.    Enable Secret Password

      (config)# enable secret csc5io
      (config)# line console 0   /   line vty 0 4   /   line aux 0
      (config-line)# password csc5io
      (config-line)# login
      (config-line)# exec-timeout minutes seconds      //disable unattended connections

7.    Minimum Character Length

      (config)# security passwords min-length length
      (config)# security authentication failure rate <2-1024> log

8.    Encrypt All Passwords

      (config)# service password-encryption

9.    Configuring Local Username Account

      (config)# username name password password
      (config)# username name secret password         //more secure
      (config)# line con 0
      (config-line)# login local                      //use the local database for authentication

10.  Login Feature

      Router(config)# login block-for seconds attempts tries within seconds
      Router(config)# login quiet-mode access-class {acl-name | acl-number}
      Router(config)# login delay seconds            //wait [seconds] before another password can be tried
      Router(config)# login on-failure log [every login]
      Router(config)# login on-success log [every login]

Ex:
      (config)# username ADMIN secret cisco54321
      (config)# line vty 0 4
      (config-line)# login local
      (config-line)# exit
      (config)# login block-for 120 attempts 5 within 60
      (config)# ip access-list standard PERMIT-ADMIN
      (config-std-nacl)# remark Permit only Administrative hosts
      (config-std-nacl)# permit 192.168.10.10
      (config-std-nacl)# exit
      (config)# login quiet-mode access-class PERMIT-ADMIN
      (config)# login on-success log
      (config)# login on-failure log
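The login-block behaviour configured in the example above, as an added Python model (not IOS code and not part of the original notes): failures are counted globally, the fifth failure inside the 60 s window starts a 120 s quiet period, and only the hosts named in the quiet-mode ACL (here 192.168.10.10) may still log in during it. The attempt timestamps and source addresses are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class LoginBlock:
    """Models 'login block-for 120 attempts 5 within 60' together with
    'login quiet-mode access-class PERMIT-ADMIN' (permit 192.168.10.10)."""
    block_for: int = 120                      # seconds spent in quiet mode
    attempts: int = 5                         # failures that trigger quiet mode ...
    within: int = 60                          # ... when they fall inside this window
    quiet_mode_acl: frozenset = frozenset({"192.168.10.10"})   # hosts exempt from quiet mode
    failures: list = field(default_factory=list)   # timestamps of recent failed logins, all sources
    quiet_until: float = 0.0                  # end of the current quiet period
    log: list = field(default_factory=list)   # what 'login on-failure/on-success log' would emit

    def attempt(self, now: float, src: str, password_ok: bool) -> str:
        """Return 'dropped', 'success' or 'failed' for one login attempt made at time 'now'."""
        if now < self.quiet_until and src not in self.quiet_mode_acl:
            self.log.append(f"t={now}: quiet mode, attempt from {src} dropped")
            return "dropped"
        if password_ok:
            self.log.append(f"t={now}: LOGIN_SUCCESS from {src}")
            return "success"
        self.log.append(f"t={now}: LOGIN_FAILED from {src}")
        # IOS counts failures globally, not per source: keep only those still inside the window
        self.failures = [t for t in self.failures if now - t < self.within] + [now]
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures.clear()
            self.log.append(f"t={now}: QUIET_MODE_ON for {self.block_for}s")
        return "failed"


def brute_force_then_admin() -> list:
    """Constructed scenario: 5 failures from 203.0.113.9 in 5 s, then logins during quiet mode."""
    lb = LoginBlock()
    results = [lb.attempt(t, "203.0.113.9", False) for t in range(5)]   # 5th failure starts quiet mode
    results.append(lb.attempt(10, "203.0.113.9", True))     # right password, but quiet mode: dropped
    results.append(lb.attempt(10, "192.168.10.10", True))   # admin host permitted by the ACL: success
    results.append(lb.attempt(124, "203.0.113.9", True))    # quiet mode expired (4 + 120 s): success
    return results


if __name__ == "__main__":
    print(brute_force_then_admin())
```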

11.  Banner

(config)# banner {exec | incoming | login | motd | slip-ppp} d message d

12.  Configure SSH

      (config)# ip domain-name domain-name                //the router must also have a unique hostname
      (config)# crypto key generate rsa general-keys modulus modulus-size   //generate the RSA key pair
      -    Verify
      o   # show crypto key mypubkey rsa
      o   (config)# crypto key zeroize rsa                //if there are existing key pairs
      (config)# username name secret secret
      (config)# line vty 0 4                              //enable VTY login line
      (config-line)# login local
      (config-line)# transport input ssh
      -    Optional SSH commands
      #    (config)# ip ssh version {1 | 2}
      #    (config)# ip ssh time-out seconds
      #    (config)# ip ssh authentication-retries integer
      -    Connect by SSH from router to router
      #    ssh -l Bob 192.168.2.101                       //Bob is the username

13.  Configuring Privilege Levels


      (config)# privilege mode {level level command | reset} command
1.  Assign commands to a level
      (config)# privilege exec level 5 ping
2.  Assign a password to the level
      (config)# enable secret level 5 cisco5
3.  Assign a specific user to the level
      (config)# username ADMIN privilege 5 secret cisco5

14.  Configure Role-Based CLI Access

      Create and manage a specific view

1.  Enable AAA & enter the root view
      (config)# aaa new-model
      # enable [view [view-name]]
2.  Create the view & enter its configuration mode
      (config)# parser view view-name
3.  Assign a pwd to the view              **Must be set immediately after creating the view
      (config-view)# secret encrypted-pwd
4.  Assign cmds to the view
      (config-view)# commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]
Ex:
      (config)# parser view SHOWVIEW
      (config-view)# secret cisco
      (config-view)# commands exec include show
      (config-view)# exit
      (config)# parser view VERIFYVIEW
      (config-view)# commands exec include ping
      % Password not set for the view VERIFYVIEW
      (config-view)# secret cisco5
      (config-view)# commands exec include ping

      Create and manage a superview

1.  Create the superview
      # enable view                          //enter the root view
      (config)# parser view view-name superview
2.  Assign a pwd
      (config-view)# secret encrypt-pwd
3.  Assign an existing view
      (config-view)# view view-name
Ex:
      (config)# parser view USER superview
      (config-view)# secret cisco
      (config-view)# view SHOWVIEW
      (config-view)# view VERIFYVIEW
      Verify
      # enable view view-name
      # show parser view all

15.  Securing the Cisco IOS Image and Configuration Files

1.  Enable IOS image resilience
      (config)# secure boot-image
2.  Snapshot the running-config
      (config)# secure boot-config
3.  Verify
      # show secure bootset

16.  Restore a primary bootset from a secure archive

1.  Reload
2.  rommon> dir                               //list the contents
3.  rommon> boot filename
4.  # conf t
5.  (config)# secure boot-config restore filename

17.  Recovering a router password

1.  Connect to the console
2.  View and record the configuration register
      # show version
      <Output omitted>
      Configuration register is 0x2102   or 0x102
3.  Switch the power off and on
4.  Press "Break" within 60 s to enter ROMmon
5.  Change the register so the startup-config is bypassed
      rommon 1> confreg 0x2142
6.  Reboot
      rommon 2> reset
7.  Skip the initial setup
      Type No or Ctrl+C
8.  Router> enable
9.  # copy startup-config running-config
10. # show running-config           //** all interfaces are shutdown
11. (config)# enable secret pwd
12. (config-if)# no shutdown       //on all interfaces
13. (config)# config-register 0x2102
14. # copy running-config startup-config

18.  ******* DISABLE ROMmon *********

      (config)# no service password-recovery
****** recovery ******* During boot, press BREAK within 5 s and confirm; the startup-config is erased and password
recovery is enabled again.

19.  Configure system logging

      (config)# logging host [host-name | ip-add]                          //set the destination
      (config)# logging trap level                                         //optional
      (config)# logging source-interface interface-type interface-number   //send from a particular int
      (config)# logging on                                                 //enable logging

Ex:
      (config)# logging host 10.2.2.6
      (config)# logging trap informational
      (config)# logging source-interface loopback 0
      (config)# logging on



Configure system logging (SDM):

Step 1. Choose Configure > Additional Tasks > Router Properties > Logging.
Step 2. From the Logging pane, click Edit.
Step 3. In the Logging window, select Enable Logging Level and choose the logging level from the Logging
Level list box. Messages will be logged for the level selected and below.
Step 4. Click Add, and enter an IP address of a logging host in the IP Address/Hostname
field.
Step 5. Click OK to return to the Logging dialog box.
Step 6. Click OK to accept the changes and return to the Logging pane.

20.  Using SNMP for Network Security

To enable SNMPv1 and SNMPv2 using Cisco SDM:

Step 1. Choose Configure > Additional Tasks > Router Properties > SNMP. Click the Edit button.
Step 2. From the SNMP Properties window, select Enable SNMP to enable SNMP support. Set community strings and enter
trap manager information from the same SNMP Properties window used to enable support.
Step 3. In the SNMP Properties window, click Add to create new community strings, click Edit to edit an existing
community string, or click Delete to delete a community string.

An example CLI command that SDM would generate based on a read-only community string of cisco123 is
      (config)# snmp-server community cisco123 ro
ro - Assigns a read-only community string.
rw - Assigns a read-write community string.

Cisco SDM can be used to add, edit, or delete a trap receiver.

Step 1. From the SNMP pane in Cisco SDM, click Edit. The SNMP Properties window displays.
Step 2. To add a new trap receiver, click Add in the Trap Receiver section of the SNMP Properties window. The Add a
Trap Receiver window displays.
Step 3. Enter the IP address or host name of the trap receiver and the password that is used to connect to the trap
receiver. Typically, this is the IP address of the SNMP management station that monitors your domain. Check with the
site administrator to determine the address if unsure.
Step 4. Click OK to finish adding the trap receiver.
Step 5. To edit an existing trap receiver, choose a trap receiver from the trap receiver list and click Edit. To delete
an existing trap receiver, choose a trap receiver from the trap receiver list and click Delete.
Step 6. When the trap receiver list is complete, click OK to return to the SNMP pane.

21.  Network Time Protocol (NTP)

NTP uses UDP port 123 and is documented in RFC 1305.
      # clock set 10:28:00 DEC 16 2010          //set the clock manually (privileged EXEC command)

Configure NTP Master

      (config)# ntp master [stratum]                                  //make this router the NTP server
      (config)# ntp server {ip-add | hostname} [version number] [key keyid] [source interface] [prefer]
                                                                      //synchronize to an NTP server
      (config-if)# ntp broadcast client                               //receive NTP broadcasts on the int



NTP security

      (config)# ntp authenticate                                    //enable the authentication feature
      (config)# ntp authentication-key key-number md5 key-value     //define the key
      (config)# ntp trusted-key key-number                          //only sources authenticated with this key are used for sync
      # show ntp associations detail                                //verify
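The MD5 authentication that the three NTP security commands above enable, as an added Python model (not IOS code and not part of the original notes): the sender appends its key number and MD5(key || header) to the 48-byte header, and the receiver accepts the packet only if that key number is both defined (ntp authentication-key) and trusted (ntp trusted-key) and the digest matches. The key values and the packet header are constructed, and the header is assumed to carry no extension fields.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48          # NTP header without extension fields (assumed: none used)
MAC_LEN = 4 + 16         # key identifier + MD5 digest


def ntp_mac(key: bytes, header: bytes) -> bytes:
    """RFC 5905 symmetric-key MAC: MD5 over the key followed by the packet it protects."""
    return hashlib.md5(key + header).digest()


def sign_packet(header: bytes, key_id: int, key: bytes) -> bytes:
    """What a server configured with 'ntp authentication-key <key_id> md5 <key>' appends."""
    return header + struct.pack("!I", key_id) + ntp_mac(key, header)


def verify_packet(packet: bytes, keys: dict, trusted: set) -> tuple:
    """Receiver side with 'ntp authenticate': keys maps key-number -> key-value
    (ntp authentication-key), trusted is the set of trusted key numbers (ntp trusted-key)."""
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False, "no MAC present"
    header = packet[:HEADER_LEN]
    key_id = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])[0]
    digest = packet[HEADER_LEN + 4:]
    if key_id not in keys:
        return False, "unknown key id"
    if key_id not in trusted:
        return False, "key id not trusted"
    if not hmac.compare_digest(ntp_mac(keys[key_id], header), digest):
        return False, "digest mismatch"
    return True, "authenticated"


def sample_header(stratum: int = 2) -> bytes:
    """Constructed server reply header: LI=0, VN=4, Mode=4 (0x24), given stratum, other fields zero."""
    return bytes([0x24, stratum]) + bytes(HEADER_LEN - 2)


# Constructed router configuration: two keys defined, only key 1 trusted
KEYS = {1: b"ntpk3y-constructed", 2: b"old-key-constructed"}
TRUSTED = {1}

if __name__ == "__main__":
    print(verify_packet(sign_packet(sample_header(), 1, KEYS[1]), KEYS, TRUSTED))
    print(verify_packet(sign_packet(sample_header(), 2, KEYS[2]), KEYS, TRUSTED))
```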


Locking down a router using AutoSecure
      # auto secure []

22.  Local AAA authentication

1.  (config)# username XXXX secret xxxxxxxx                        //add username & password
2.  (config)# aaa new-model                                         //enable AAA globally
3.  (config)# aaa authentication login default local-case           //configure AAA parameters
4.  (config)# aaa local authentication attempts max-fail number     //lock the user after this many failed attempts
5.  Confirm and troubleshoot
      # show aaa local user lockout
      # clear aaa local user lockout {username username | all}
      # show aaa sessions
      # debug aaa []
Ex:
      (config)# username ADMIN secret cisco12345
      (config)# aaa new-model
      (config)# aaa authentication login default local-case
      (config)# aaa authentication login TELNET-LOGIN local-case
      (config)# line vty 0 4
      (config-line)# login authentication TELNET-LOGIN
      (config-line)# exit
      (config)# aaa local authentication attempts max-fail 10

Firewall Technology


Access Control List (ACLs)

Standard ACLs:

Based on source address; placed as close to the destination as possible.
      (config)# access-list {1-99} {permit | deny} source-add [source-wildcard]

Extended ACLs:

Based on destination address, placed on routers as close as possible to the source that is being filtered.
      (config)# access-list {100-199} {permit | deny} protocol source-add [source-wildcard] [operator operand]
                destination-add [destination-wildcard] [operator operand] [established]

Apply ACL to an interface:

      (config-if)# ip access-group access-list-number {in | out}

Apply ACL to VTY line:

      (config-line)# access-class access-list-number {in | out}
Ex: Standard ACLs

Ex: Extended ACLs
      R1(config)# ip access-list extended ACL-1
      R1(config-ext-nacl)# remark LAN ACL
      R1(config-ext-nacl)# deny ip host 192.168.1.6 any
      R1(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any established
      R1(config-ext-nacl)# deny ip any any
      R1(config-ext-nacl)# exit
      R1(config)# interface Fa0/0
      R1(config-if)# ip access-group ACL-1 in
      R1(config-if)# exit
      R1(config)# ip access-list extended ACL-2
      R1(config-ext-nacl)# remark DMZ ACL
      R1(config-ext-nacl)# permit tcp any host 192.168.2.5 eq 25
      R1(config-ext-nacl)# permit tcp any host 192.168.2.6 eq 80
      R1(config-ext-nacl)# deny ip any any
      R1(config-ext-nacl)# exit
      R1(config)# interface Fa0/1
      R1(config-if)# ip access-group ACL-2 out
At the end of an ACL statement, the administrator has the option to configure the log parameter. It should be enabled
only during an attack.
      R1(config)# access-list 101 permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 22 log

Configure Time-Based ACLs

1. Define the time range
      (config)# time-range time_range_name
2. Set when the range is active (absolute, periodic, or both)
      (config-time-range)# absolute [start-time start-date] [end-time end-date]
      (config-time-range)# periodic day-of-the-week hh:mm to [day-of-the-week] hh:mm
3. Reference the time range in the ACL and apply the ACL to an interface
Ex: Users can't access ANYTHING except during the time range
      R1(config)# time-range employee-time
      R1(config-time-range)# periodic weekdays 12:00 to 13:00
      R1(config-time-range)# periodic weekdays 17:00 to 19:00
      R1(config-time-range)# exit
      R1(config)# access-list 100 permit ip 192.168.1.0 0.0.0.255 any time-range employee-time
      R1(config)# access-list 100 deny ip any any
      R1(config)# interface FastEthernet 0/1
      R1(config-if)# ip access-group 100 in
      R1(config-if)# exit
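The extended ACL-1 from the ACL section and the time-based ACL 100 just above, as an added Python model (not IOS code and not part of the original notes): first-match evaluation with wildcard masks, the established keyword (TCP segments with ACK or RST set), a periodic time range that makes its entry inactive outside the configured hours, and the implicit deny at the end. The packet dictionaries and clock values are constructed.

```python
import ipaddress
from datetime import datetime

ANY = ("0.0.0.0", "255.255.255.255")
WEEKDAYS = frozenset(range(5))           # Mon..Fri, what IOS 'periodic weekdays' means


def host(ip: str) -> tuple:
    """IOS 'host a.b.c.d' is the address with wildcard 0.0.0.0."""
    return (ip, "0.0.0.0")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask semantics: a 0 bit must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w) & 0xFFFFFFFF == 0


def time_range_active(periodic: list, when: datetime) -> bool:
    """periodic: list of (weekday set, 'HH:MM', 'HH:MM'), e.g. 'periodic weekdays 12:00 to 13:00'."""
    hm = when.strftime("%H:%M")
    return any(when.weekday() in days and start <= hm <= end for days, start, end in periodic)


def evaluate(acl: list, pkt: dict, when: datetime = None) -> tuple:
    """First-match evaluation. Returns (action, entry index); ('deny', None) is the implicit deny."""
    for i, ace in enumerate(acl):
        if ace.get("proto", "ip") not in ("ip", pkt["proto"]):
            continue
        if not wildcard_match(pkt["src"], *ace.get("src", ANY)):
            continue
        if not wildcard_match(pkt["dst"], *ace.get("dst", ANY)):
            continue
        if "dport" in ace and pkt.get("dport") != ace["dport"]:
            continue
        # 'established' matches only TCP segments with ACK or RST set (replies, not new SYNs)
        if ace.get("established") and not (pkt["proto"] == "tcp" and pkt.get("flags", set()) & {"ACK", "RST"}):
            continue
        # an entry whose time-range is inactive is skipped; no clock given counts as inactive
        if "time_range" in ace and (when is None or not time_range_active(ace["time_range"], when)):
            continue
        return ace["action"], i
    return "deny", None


# ACL-1 from the page (applied inbound on Fa0/0)
ACL_1 = [
    {"action": "deny", "proto": "ip", "src": host("192.168.1.6")},
    {"action": "permit", "proto": "tcp", "src": ("192.168.1.0", "0.0.0.255"), "established": True},
    {"action": "deny", "proto": "ip"},
]

# ACL 100 with time-range employee-time (periodic weekdays 12:00-13:00 and 17:00-19:00)
EMPLOYEE_TIME = [(WEEKDAYS, "12:00", "13:00"), (WEEKDAYS, "17:00", "19:00")]
ACL_100 = [
    {"action": "permit", "proto": "ip", "src": ("192.168.1.0", "0.0.0.255"), "time_range": EMPLOYEE_TIME},
    {"action": "deny", "proto": "ip"},
]

if __name__ == "__main__":
    reply = {"proto": "tcp", "src": "192.168.1.20", "dst": "203.0.113.5", "dport": 40000, "flags": {"ACK"}}
    print(evaluate(ACL_1, reply))                                    # ('permit', 1)
    print(evaluate(ACL_100, reply, datetime(2024, 6, 12, 12, 30)))   # Wednesday lunch: ('permit', 0)
```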

Troubleshooting Complex ACL Implementations

      # show access-lists [access-list-number | access-list-name]
      # debug ip packet [access-list-number] [detail]

Configuring CBAC

Context-based access control (CBAC) provides four main functions: traffic filtering, traffic inspection, intrusion
detection, and generation of audits and alerts.
There are four steps to configure CBAC:
Step 1. Pick an interface - internal or external.
Step 2. Configure IP ACLs at the interface.
Step 3. Define inspection rules.
      (config)# ip inspect name inspection_name protocol [alert {on | off}] [audit-trail {on | off}] [timeout seconds]
      Ex:   ip inspect name FWRULE smtp alert on audit-trail on timeout 300
            ip inspect name FWRULE ftp alert on audit-trail on timeout 300
Step 4. Apply an inspection rule to an interface.
      (config-if)# ip inspect inspection_name {in | out}
Ex:
      R1(config)# access-list 101 permit tcp 10.10.10.0 0.0.0.255 any
      R1(config)# access-list 101 permit udp 10.10.10.0 0.0.0.255 any
      R1(config)# access-list 101 permit icmp 10.10.10.0 0.0.0.255 any
      R1(config)# access-list 101 deny ip any any
This ACL is applied to the internal interface in the inbound direction. The ACL processes traffic initiating from the
internal network prior to leaving the network.
      R1(config)# interface Fa0/0
      R1(config-if)# ip access-group 101 in
Next, create an extended ACL in which SMTP and HTTP traffic is permitted from the external network to the DMZ network
only, and all other traffic is denied.
      R1(config)# access-list 102 permit tcp any 209.165.201.1 0.0.0.0 eq 80
      R1(config)# access-list 102 permit tcp any 209.165.201.2 0.0.0.0 eq smtp
      R1(config)# access-list 102 permit icmp any any echo-reply
      R1(config)# access-list 102 permit icmp any any unreachable
      R1(config)# access-list 102 permit icmp any any administratively-prohibited
      R1(config)# access-list 102 permit icmp any any packet-too-big
      R1(config)# access-list 102 permit icmp any any echo
      R1(config)# access-list 102 permit icmp any any time-exceeded
      R1(config)# access-list 102 deny ip any any
This ACL is applied to the interface connecting to the external network in the inbound direction.
      R1(config)# interface S0/0/0
      R1(config-if)# ip access-group 102 in
If the configuration stopped here, all returning traffic, with the exception of ICMP messages, would be denied by the
external ACL. Next, create inspection rules for TCP inspection and UDP inspection.
      R1(config)# ip inspect name MYSITE tcp
      R1(config)# ip inspect name MYSITE udp
These inspection rules are applied to the internal interface in the inbound direction.
      R1(config)# interface Fa0/0
      R1(config-if)# ip inspect MYSITE in
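The point of the walkthrough above is that ACL 102 alone would block every reply coming back from the Internet, and the MYSITE inspection rule fixes that by remembering sessions the inside started. Here is that mechanism as an added Python model (not IOS code and not part of the original notes): ACL 101 and ACL 102 are reduced to the entries the page lists, session timeouts are omitted, and all addresses and packets are constructed.

```python
import ipaddress
from collections import namedtuple

Pkt = namedtuple("Pkt", "proto src sport dst dport icmp_type", defaults=(None,))

INSIDE_NET = ipaddress.ip_network("10.10.10.0/24")                              # ACL 101 source
DMZ_SERVICES = {("tcp", "209.165.201.1", 80), ("tcp", "209.165.201.2", 25)}    # ACL 102 permits
ICMP_ALLOWED = {"echo-reply", "unreachable", "administratively-prohibited",
                "packet-too-big", "echo", "time-exceeded"}                      # ACL 102 permits


def acl_101(p: Pkt) -> str:
    """Inbound on Fa0/0: inside hosts may start tcp/udp/icmp, everything else is denied."""
    ok = p.proto in ("tcp", "udp", "icmp") and ipaddress.ip_address(p.src) in INSIDE_NET
    return "permit" if ok else "deny"


def acl_102(p: Pkt) -> str:
    """Inbound on S0/0/0: only the DMZ services and the listed ICMP types, then deny ip any any."""
    if p.proto == "tcp" and (p.proto, p.dst, p.dport) in DMZ_SERVICES:
        return "permit"
    if p.proto == "icmp" and p.icmp_type in ICMP_ALLOWED:
        return "permit"
    return "deny"


class Cbac:
    """'ip inspect name MYSITE tcp' / 'udp' applied 'in' on Fa0/0 (session timeouts omitted)."""

    def __init__(self, inspected=("tcp", "udp")):
        self.inspected = set(inspected)
        self.sessions = set()      # (proto, inside ip, inside port, outside ip, outside port)

    def inside_in(self, p: Pkt) -> str:
        """Packet from the internal network: ACL 101 first, then inspection records the session."""
        verdict = acl_101(p)
        if verdict == "permit" and p.proto in self.inspected:
            self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))   # opens the return path
        return verdict

    def outside_in(self, p: Pkt) -> str:
        """Packet from the Internet: a reply to a recorded session passes even though ACL 102 denies it."""
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.sessions:
            return "permit (inspection)"
        return acl_102(p)


if __name__ == "__main__":
    fw = Cbac()
    fw.inside_in(Pkt("tcp", "10.10.10.5", 40000, "198.51.100.7", 443))
    print(fw.outside_in(Pkt("tcp", "198.51.100.7", 443, "10.10.10.5", 40000)))   # permit (inspection)
    print(fw.outside_in(Pkt("tcp", "198.51.100.7", 443, "10.10.10.6", 40000)))   # deny
```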

CBAC inspection supports two types of logging functions: alerts and audits.

Alert:

      (config)# ip inspect alert-off              //disable alerts
      (config)# no ip inspect alert-off           //enable alerts

Audit:

      (config)# ip inspect audit-trail
By default, audit messages are displayed on the console line, but they can be logged to another location:
      (config)# logging on
      (config)# logging host 10.10.0.3
      (config)# ip inspect audit-trail
      (config)# no ip inspect alert-off

Troubleshooting:

      Router# show ip inspect [parameter]
      Router# show ip inspect name inspect_outbound
      Router# show ip inspect sessions
      Router# show ip access-list
      Router# debug ip inspect protocol            //protocol is the parameter, e.g. tcp or udp
      Router# debug policy-firewall

Zone-Based Policy Firewall


Design zone-based firewall

1.  Determine the zones
2.  Establish policies between zones
3.  Design the physical infrastructure
4.  Identify subsets within zones and merge traffic requirements

Configure ZPF:

1.  Create the zones
      (config)# zone security zone-name
      (config-sec-zone)# description line-of-description
2.  Define traffic classes
      (config)# class-map type inspect [match-any | match-all] class-map-name                   //Layer 3 & 4
      (config)# class-map type inspect protocol-name [match-any | match-all] class-map-name     //Layer 7
      Match ACLs
      (config-cmap)# match access-group {access-group | name access-group-name}
      Match protocols
      (config-cmap)# match protocol protocol-name
      Nested class
      (config-cmap)# match class-map class-map-name
3.  Define firewall policies
      Create policy maps
      (config)# policy-map type inspect policy-map-name
      Traffic classes
      (config-pmap)# class type inspect class-name
      Default class (matching all remaining traffic)
      (config-pmap)# class class-default
      Action to take on the traffic
      (config-pmap-c)# pass | inspect | drop [log] | police
      Layer 7
      (config-pmap-c)# service-policy {h323 | http | im | imap | p2p | pop3 | sip | smtp | sunrpc | urlfilter} policy-map
4.  Assign policy maps to zone pairs (apply the FW policy)
      (config)# zone-pair security zone-pair-name [source source-zone-name | self] destination [self | destination-zone-name]
      (config-sec-zone-pair)# service-policy type inspect policy-map-name
5.  Assign router interfaces to zones
      (config-if)# zone-member security zone-name

Ex:
      FW(config)# zone security INSIDE
      FW(config-sec-zone)# description Inside Network      //the OUTSIDE zone is created the same way
      FW(config-sec-zone)# exit

      FW(config)# class-map type inspect FOREXAMPLE
      FW(config-cmap)# match access-group 101
      FW(config-cmap)# exit
      FW(config)# access-list 101 permit ip 10.0.0.0 0.0.0.255 any

      FW(config)# policy-map type inspect InsideToOutside
      FW(config-pmap)# class type inspect FOREXAMPLE
      FW(config-pmap-c)# inspect
      FW(config-pmap-c)# exit
      FW(config-pmap)# exit

      FW(config)# zone-pair security InsideToOutside source INSIDE destination OUTSIDE
      FW(config-sec-zone-pair)# description Internet Access
      FW(config-sec-zone-pair)# service-policy type inspect InsideToOutside
      FW(config-sec-zone-pair)# exit
      FW(config)# interface F0/0
      FW(config-if)# zone-member security INSIDE
      FW(config-if)# interface S0/0/0.100 point-to-point
      FW(config-subif)# zone-member security OUTSIDE

Troubleshooting:

      Router# show policy-map type inspect zone-pair session

Implementing Intrusion Prevention




1.    Configure IPS

2.    Download the IOS IPS files
      IOS-SXXX-CLI.pkg                //signature package
      realm-cisco.pub.key.txt         //public crypto key used by IOS IPS

3.    Create an IOS IPS configuration directory in flash
      # mkdir directory-name
      # rename current-name new-name
      # dir flash:                    //verify

4.    Configure an IOS IPS crypto key
      (config)# crypto key pubkey-chain rsa
      (config-pubkey-chain)# named-key realm-cisco.pub signature
      (config-pubkey-key)# key-string
      (config-pubkey)# quit
      (config-pubkey-key)# exit
      (config-pubkey-chain)# exit
      # show run                      //verify

5.    Enable IOS IPS
      a.  Identify the IPS rule name and specify the location
          (config)# ip ips name rule-name [list acl]
          (config)# ip ips name iosips                   //IPS rule iosips is created
          (config)# ip ips name ips list ?
          (config)# ip ips config location flash:directory-name
          (config)# ip ips config location flash:ips    //IPS location in flash:ips
      b.  Enable SDEE and logging event notification
          (config)# ip http server          //if the HTTP server is not enabled, the router cannot respond to SDEE
          (config)# ip ips notify sdee      //enable IPS SDEE
          (config)# ip ips notify log       //enable logging
      c.  Configure the signature category
          (config)# ip ips signature-category
          (config-ips-category)# category all
          (config-ips-category-action)# retired true
          (config-ips-category-action)# exit
          (config-ips-category)# category ios_ips basic
          (config-ips-category-action)# retired false
          (config-ips-category-action)# exit
          (config-ips-category)# exit
          [confirm] y
      d.  Apply the IPS rule to an interface
          (config)# interface GigabitEthernet 0/0      //IPS rule is applied in the incoming direction
          (config-if)# ip ips iosips in
          (config-if)# exit
          (config)# interface GigabitEthernet 0/1      //IPS rule is applied in the incoming & outgoing directions
          (config-if)# ip ips iosips in
          (config-if)# ip ips iosips out
          (config-if)# exit
          (config)# exit

6.    Load the IOS IPS signature package to the router
      # copy ftp://ftp_user:pwd@Server_IP_Add/signature_package idconf
      # copy ftp://cisco:cisco@10.1.1.1/IOS-S376-CLI.pkg idconf
      # show ip ips signature count         //verify the signatures


2.    Modify Cisco IOS IPS Signatures

How to retire an individual signature, here signature 6130 with subsig ID 10:
      (config)# ip ips signature-definition
      (config-sigdef)# signature 6130 10
      (config-sigdef-sig)# status
      (config-sigdef-sig-status)# retired true
      (config-sigdef-sig-status)# exit          //3 times
      [confirm] y

How to unretire all signatures that belong to the IOS IPS Basic category:
      (config)# ip ips signature-category
      (config-ips-category)# category ios_ips basic
      (config-ips-category-action)# retired false
      (config-ips-category-action)# exit        //2 times
      [confirm] y

How to change the signature actions to alert, drop and reset for signature 6130 with subsig ID 10:
      (config)# ip ips signature-definition
      (config-sigdef)# signature 6130 10
      (config-sigdef-sig)# engine
      (config-sigdef-sig-engine)# event-action produce-alert
      (config-sigdef-sig-engine)# event-action deny-packet-inline
      (config-sigdef-sig-engine)# event-action reset-tcp-connection
      (config-sigdef-sig-engine)# exit          //3 times
      [confirm] y

How to change the event action for all signatures that belong to the IOS IPS Basic category:
      (config)# ip ips signature-category
      (config-ips-category)# category ios_ips basic
      (config-ips-category-action)# event-action produce-alert
      (config-ips-category-action)# event-action deny-packet-inline
      (config-ips-category-action)# event-action reset-tcp-connection
      (config-ips-category-action)# exit
      [confirm] y


3.    Verifying Cisco IOS IPS
      # show ip ips all

Monitor Cisco IOS IPS
      (config)# logging 192.168.10.100
      (config)# ip ips notify log
      (config)# logging on

Monitor IPS by SDEE
      (config)# ip http server
      (config)# ip http secure-server
      (config)# ip ips notify sdee
      (config)# ip sdee events 500