Securing the Management Plane of a Cisco Network Device

Date: Jul 11, 2011



When people think about the security of networking devices, they tend to think about the different types of attack that can occur through these devices, or what types of attack could be used to take down a networking device. A simpler approach for an attacker, however, is just to take control of the device by guessing an easy password or exploiting a lax management access policy. This article takes a look at a couple of the different features that can be used to secure the management plane of a Cisco network device and reviews the basic configuration of these features.

Device Password and Command Security

Some of the easiest ways to protect a network device involve configuring passwords and restricting which commands each login is allowed to run.

Device Passwords

One of the simplest methods of securing a device is to configure a strong password (or passwords) for each of the ways the device can be accessed. Several different passwords can be configured on a Cisco device: the enable secret that protects privileged EXEC mode, and the line passwords that protect the console, the VTY (Telnet/SSH) lines, and the AUX port; each is configured in Table 1 below.

Note, however, that Cisco devices, by default, store many passwords in the configuration in plaintext, which provides absolutely no protection should the configuration file be accessed (in a backup, on a TFTP server, or in a show running-config output pasted into a ticket). The service password-encryption command, shown in the next section, obfuscates these passwords as type 7 strings. Keep in mind that type 7 is a reversible encoding, not a hash: anyone holding the string can recover the password in seconds with freely available tools, so it only defends against a casual glance at the configuration. The enable secret command, by contrast, stores a one-way hash (type 5, MD5, on the IOS releases current when this article was written; newer releases add the stronger type 8 and type 9 algorithms), which is why the tables below use enable secret rather than enable password, and why local usernames should be created with the secret keyword rather than password.

Device Password Configuration

The configuration of device passwords is rather simple; the steps are covered in Table 1 below. One caveat: a line password is only checked when the line also has the login command configured. The VTY lines have login by default, but the console and AUX lines do not, so add login (or, better, login local with a username, as shown in Table 2) under those lines as well.

Table 1

Step 1

Enter privileged mode.

router>enable

Step 2

Enter global configuration mode.

router#configure terminal

Step 3

Enable service password encryption.

router(config)#service password-encryption

Step 4

Configure a secure privileged mode access password.

router(config)#enable secret password

Step 5

Enter console configuration mode.

router(config)#line con 0

Step 6

Configure a console password.

router(config-line)#password password

Step 7

Enter VTY configuration mode (on most devices the first line is 0 and the last is 4, but some platforms provide more VTY lines, and all of them must be covered, since a remote login can land on any of them).

router(config-line)#line vty beginning-line ending-line

Step 8

Configure a VTY password.

router(config-line)#password password

Step 9

Enter AUX configuration mode (if available).

router(config-line)#line aux 0

Step 10

Configure an AUX password.

router(config-line)#password password

Step 11

Exit configuration mode.

router(config-line)#end
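As an added example (not code from the original article), the following Python script audits a saved IOS configuration for the weaknesses this section describes and shows why service password-encryption is only obfuscation: decode_type7 reverses a type 7 string offline using the fixed key that IOS uses. The two sample configurations, the hostname, the usernames and the type 5 hash values are constructed for the example; the hashes are placeholders, not real hashes. The audit checks for a missing enable secret, passwords stored as type 0 or type 7, lines without login, and VTY lines that still accept Telnet or have no access-class.

```python
"""Audit a Cisco IOS configuration for management-plane password weaknesses.
Added example, not part of the original article; the sample configurations are
constructed and the type 5 hashes in them are placeholders, not real hashes."""
import re

# Fixed XOR key IOS uses for type 7 obfuscation; it is public and the same on every device.
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Recover a type 7 string: two decimal digits give the key offset (seed), the
    rest is hex of each plaintext byte XORed with _XLAT[(seed + i) % len(_XLAT)]."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type 7 string")
    seed, body = int(encoded[:2]), bytes.fromhex(encoded[2:])
    return bytes(b ^ _XLAT[(seed + i) % len(_XLAT)] for i, b in enumerate(body)).decode("ascii")

def _classify(keyword, ptype, value):
    """Return (how the credential is stored, recovered plaintext or None)."""
    if keyword == "secret":      # type 5/8/9 one-way hash: nothing to recover
        return "hashed", None
    if ptype == "7":             # reversible obfuscation from service password-encryption
        return "type7", decode_type7(value)
    return "cleartext", value    # type 0, or no type keyword at all

def _parse(config):
    """Split a config into top-level lines and the indented bodies of 'line ...' sections."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(line)
        elif line.startswith("line "):
            current = line
            sections[current] = []
        else:
            current = None
            top.append(line)
    return top, sections

_ENABLE_PW = re.compile(r"^enable password(?: (\d+))? (\S+)$")
_USER = re.compile(r"^username (\S+)(?: privilege \d+)? (password|secret)(?: (\d+))? (\S+)$")
_LINE_PW = re.compile(r"^password(?: (\d+))? (\S+)$")

def audit_config(config: str) -> list:
    """Return (code, detail) findings; an empty list means none of the checks fired."""
    out = []
    top, sections = _parse(config)
    if "service password-encryption" not in top:
        out.append(("NO_PASSWORD_ENCRYPTION", "line and user passwords are stored in clear text"))
    if not any(t.startswith("enable secret") for t in top):
        out.append(("NO_ENABLE_SECRET", "privileged EXEC is not protected by a hashed secret"))
    for t in top:
        if m := _ENABLE_PW.match(t):
            kind, plain = _classify("password", *m.groups())
            out.append(("ENABLE_PASSWORD", f"enable password is {kind}, recovers to {plain!r}"))
        elif m := _USER.match(t):
            kind, plain = _classify(*m.groups()[1:])
            if kind != "hashed":
                out.append(("USER_RECOVERABLE", f"user {m.group(1)}: {kind}, recovers to {plain!r}"))
    for header, body in sections.items():
        for m in filter(None, map(_LINE_PW.match, body)):
            kind, plain = _classify("password", *m.groups())
            out.append(("LINE_RECOVERABLE", f"{header}: {kind}, recovers to {plain!r}"))
        # A line password is only enforced when 'login' (or 'login local' / AAA) is configured.
        if not any(b == "login" or b.startswith("login ") for b in body):
            out.append(("LINE_NO_LOGIN", f"{header}: no 'login', so no password is ever asked for"))
        if header.startswith("line vty"):
            transport = next((b for b in body if b.startswith("transport input")), "")
            if not transport or "telnet" in transport or transport.endswith(" all"):
                out.append(("VTY_TELNET", f"{header}: not restricted to SSH, logins can cross the network in clear text"))
            if not any(b.startswith("access-class") for b in body):
                out.append(("VTY_NO_ACCESS_CLASS", f"{header}: management reachable from any source address"))
    return out

# Constructed "before" config showing the weaknesses the article warns about.
WEAK_CONFIG = """\
hostname edge-rtr
enable password 7 0822455D0A16
username admin password 0 Sup3rS3cret
username ops privilege 15 secret 5 $1$Xk2p$placeholderhashnotreal00
line con 0
 password cisco
line vty 0 4
 password 7 0822455D0A16
 login
 transport input telnet ssh
"""

# Constructed "after" config following Tables 1 and 2 plus SSH-only, access-listed VTYs.
HARDENED_CONFIG = """\
hostname edge-rtr
service password-encryption
enable secret 5 $1$Xk2p$placeholderhashnotreal00
username ops privilege 15 secret 5 $1$Xk2p$placeholderhashnotreal00
line con 0
 login local
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
"""

if __name__ == "__main__":
    for code, detail in audit_config(WEAK_CONFIG):
        print(f"{code:22} {detail}")
    print("hardened:", audit_config(HARDENED_CONFIG))
```

Run it against the text of a show running-config. Every ENABLE_PASSWORD, USER_RECOVERABLE and LINE_RECOVERABLE finding carries the recovered password, which is the point: a type 7 string in a backup is as good as the plaintext to whoever obtains it, and only enable secret and username ... secret keep the credential out of the file.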

Privilege Levels

By default, users that log in to a Cisco device land at one of two privilege levels: 1 (user EXEC mode) and 15 (privileged EXEC mode). Levels 2 through 14 are available for custom use: each can be given a subset of commands, and a command assigned to a level is also available at every higher level. The passwords and/or usernames for each configured privilege level can be defined on the device itself or via a Remote Authentication Dial In User Service (RADIUS) or Terminal Access Controller Access-Control System Plus (TACACS+) server.

Privilege Levels Configuration

There are two different methods of configuring the use of privilege levels locally on a Cisco device (that is, without RADIUS or TACACS+): a separate enable password per privilege level, which a user reaches with the enable command followed by the level number, or usernames that are assigned a specific privilege level at login. Both can be configured independently or together, and both use the same privilege command to set up the specific commands permitted within each configured level; Table 2 below shows the configuration commands required.

Table 2

Step 1

Enter privileged mode.

router>enable

Step 2

Enter global configuration mode.

router#configure terminal

Step 3

Configure the privilege levels and the commands that are permitted at each (enter this command once per command; the all keyword applies the level to the command's sub-commands as well, and reset returns a command to its default level).

The mode argument is the configuration mode the command belongs to, for example exec, configure or interface; the full list of modes is in the Cisco IOS command reference for the privilege command.

router(config)#privilege mode [all] {level level | reset} command-string

Step 4

Configure a separate enable secret for a privilege level; a user who knows it moves to that level with the enable command followed by the level number.

router(config)#enable secret level level password

Step 5

Configure a username with a privilege level and a hashed (secret) password, AND enable the use of the local user database for login on the line (this can be enabled on multiple line types; login local replaces the line password from Table 1 for that line).

router(config)#username username privilege level secret password

AND

router(config)#line line-type begin-line end-line

AND

router(config-line)#login local

Step 6

Exit configuration mode.

router(config-line)#end

AutoSecure

Another method to secure a Cisco networking device is to take advantage of the AutoSecure feature, which automates the process of locking down the device's configuration. AutoSecure covers the security of the management plane and the forwarding plane, and allows them to be configured separately. Keep in mind that AutoSecure works from the existing configuration and from the answers given during its dialog (the SSH keys it generates, for example, are tied to the device hostname and domain name); if those configuration items are changed after AutoSecure has run, or a service it disabled is turned back on, the device can become insecure again, so the result should be reviewed and kept under configuration management rather than treated as a one-time fix.

AutoSecure Management Plane Security

The management plane security provided by the AutoSecure feature will automatically disable any unneeded or insecure services on the device, while at the same time enabling certain features to increase the security of the device. The affected features are further classified into a number of sub-groups.

AutoSecure Forwarding Plane Security

The forwarding plane security provided by the AutoSecure feature will configure features that defend against attacks aimed at the forwarding (data) plane, as opposed to attacks on the device's own management access.

AutoSecure Configuration

The steps required to configure the AutoSecure feature are shown in Table 3.

Table 3

Step 1

Enter privileged mode.

router>enable

Step 2

Enter the AutoSecure command. With no arguments it runs interactively for both planes and asks a series of questions; management or forwarding limits it to one plane, no-interact accepts the defaults without prompting, full asks every question, and a trailing keyword (ntp, login, ssh or firewall) runs only that one component.

router#auto secure [management | forwarding] [no-interact | full] [ntp | login | ssh | firewall]

Summary

There are certainly a number of different methods of exploiting network devices; the best advice to any network engineer is to try to protect against everything and to keep an eye on all attack attempts. Hopefully the information in this article will give a head start to those looking to secure their network devices against management plane attacks.

800 East 96th Street, Indianapolis, Indiana 46240
