The following lessons and case studies are dedicated to basic Cisco IOS Software security configuration methods and are grouped into several scenarios, variations of which you are likely to encounter in the CCIE Security lab exam or in real life.
Lesson 15-1: Configuring Passwords, Privileges, and Logins
In this lesson, R2 is the router that needs to have basic Cisco IOS Software security features configured. Once R2 is configured, a remote host attempts to log in and perform some tasks.
This lesson covers the following configuration steps:
Step 1Setting passwords Step 2 Limiting connection time Step 3 Configuring vtys and accessing the network remotely Step 4 Creating user accounts Step 5 Assigning privileges Step 6 Local authentication, authorization, and accounting Step 7 Remote administration with FTP Step 8 Hiding Telnet addresses Step 9 Verification
Step 1: Setting Passwords
First, you have to protect access to a router by setting various passwords. Prevent unauthorized login by configuring passwords on the console and virtual terminal lines. The syntax for both of them is identical, as follows:
After the line passwords are set, you need to take care of the privileged EXEC level. You should not use the enable password command because it is not secure and can give away a system password. Instead, opt for the following command:
R3(config)#enable secret string
The enable secret command, as well as the username passwords described in "Creating User Accounts," later in this lesson, can be up to 25 characters long, including spaces, and are case sensitive. Example 15-1 demonstrates the application of passwords on R3. Note that both the console and the vty passwords appear scrambled. This is because service password-encryption is enabled on the router to hide the real string from a passerby.
version 12.4 service timestamps debug uptime service timestamps log uptime service password-encryption ! hostname R2 ! boot-start-marker boot-end-marker ! enable secret 5 $1$36h1$rJTseJncrJCshy7ry3.zB1 ! line con 0
line aux 0 exec-timeout 0 0 privilege level 15 logging synchronous stopbits 1
Step 2: Limiting Connection Time
For security reasons, you do not want to leave the connection to any port, be it console or remote connection, logged in indefinitely. If the connections are configured to time out automatically, the administrator is logged out by a router after a specified period if he forgets to do it himself. The syntax is the same for any line and is as follows:
R3(config-line)#exec-timeout minutes seconds In Example 15-2, the console and auxiliary (aux) port are both configured to time out after a 5- minute interval.
line con 0 exec-timeout 5 0 privilege level 15 password 7 00171B0F084B0A logging synchronous stopbits 1
line aux 0 exec-timeout 5 0 privilege level 15 logging synchronous stopbits 1
line vty 0 4 login
When you are in a lab-testing environment, a constant timeout can turn into a nuisance. If security is not an immediate concern, you can choose to set the timeout interval to infinity by using the exec-timeout 0 0 command. However, you should never do so in real-world networking .
Step 3: Configuring vtys and Accessing the Network Remotely
As you know, vtys are used for remote network connections to the router. Generally, all the router's vtys have the same configuration. If there are extra vtys that are not used, it is a good practice to disable them with the no line vty command.
Applying an access list to vtys can effectively limit access to the router by specifying which connections are allowed. The command for assigning an access list to vtys is as follows:
R3(config-line)#access-class access-list in
Some of the protocols supported by the vtys (for example, rlogin and web) are not secure. To minimize the security risk, you can confine the acceptable type of connection to Telnet only with the following command:
R3(config-line)#transport input [telnet]
Example 15-3 shows IP access-list 5, which permits host 192.168.1.3. Applying access-list 5 to vty lines for inbound connections means that only one particular host can Telnet to R3 and 220.127.116.11 is not able telnet to R3. Same way R3 is able to telnet to the R2 but not R4 because access policy for telnet on R2 and R4 are configure that way so that R3 only allow to telnet to the R2 and not to the R4.
line aux 0 exec-timeout 5 0 privilege level 15 logging synchronous stopbits 1
line vty 0 3 login
line vty 4 access-class 5 in login transport input telnet
While configuring these commands, make sure that you are connected via an aux or console port. If you perform the commands while logged in to the router via Telnet, you might inadvertently disconnect yourself.
Step 4: Creating User Accounts
In this scenario, administrators log in according to the local router database. Each administrator receives his own username, password, and privilege level assigned, which indicates the level of control an administrator has over the router. The following command places a user in a local database:
R3(config)#username name privilege level password string
In Example 15-4, five administrators are assigned to the database. When they attempt to log in, they are authenticated by their username and corresponding password and are authorized to operate on the prescribed level.
! privilege exec level 5 telnet privilege exec level 9 enable privilege exec level 10 disable privilege exec level 7 show ip route privilege exec level 7 show ip privilege exec level 3 show startup-config privilege exec level 7 show
Now that you have specified privilege levels for your users, you can assign a set of commands to a privilege level. Every user at the same privilege level can execute the same set. By default, every command in the Cisco IOS Software is designated for either level 1 or level 15. Level 0 exists, but it is rarely used. It includes following five commands:
To change the default level and sign up certain commands to another level, use the following command:
Keep in mind that for security reasons, you should move some commands that allow too much freedom for a lower level to a higher level, not the other way around. If you move higher-level commands, such as the configure command, down, you might enable a user to make unauthorized changes by letting him modify his own level to a higher one. Example 15-5 shows how privilege level 3 is limited to three commands:
username sam privilege 15 password 7 14141B180F0B ! !
R5#192.168.2.1 Trying 192.168.2.1 ... Open User Access Verification Password: R4>en Translating "en"
Translating "en" % Unknown command or computer name, or unable to find computer address
Step 7: Remote Administration with FTP
You can use File Transfer Protocol (FTP) to transfer configuration files to and from the router for remote administration. FTP is preferred because Trivial File Transfer Protocol (TFTP) does not support authentication and is, therefore, less secure and should not be used to transfer configuration files. The following commands are used to make the router FTP ready:
R3(config)#ip ftp source-interface interface-type number
R3(config)#ip ftp username name
R3(config)#ip ftp password string
The first command specifies the local interface that is set up for the FTP connection. The two subsequent commands create the username and password for authentication on the FTP server. Example 15-7 shows the FTP configuration on R3.
ip ftp source-interface FastEthernet0/0
ip ftp username user
ip ftp password 7 111A0A08
no ip domain lookup
Step 8: Hiding Telnet Addresses
Normally, when you try to Telnet to a device, the router displays the address to which the connection is attempted along with other connection messages. This allows an unauthorized passerby to see it. To suppress the Telnet address, issue the following command:
Step 6: Local Authentication, Authorization, and Accounting (AAA)
AAA has the following three separate functions:
Authentication— Authentication identifies users before admitting them into a network.
Authorization— Once a user is authenticated, authorization dictates what a user can
accomplish on the network.
Accounting— Accounting tracks the user's actions and logs them to monitor resource
Example 15-6 illustrates the AAA commands configured on R3. To start an AAA process, the aaa new-model command is defined. The next command, aaa authentication login default local, names a local database as the one that is used for authentication on R3. The aaa authorization config-commands command enables AAA authorization of configuration commands specified by the aaa authorization commands statement that follows. The aaa authorization exec default local command specifies the local database as the source of authorization information, and the aaa authorization commands 3 default local if- authenticated command means that provided the user has been authenticated successfully, he is authorized by the router, after looking up the local database, to use the specified privilege level 3 commands. The latter command is helpful in the debugging process. Its practical usage is discussed in "Verification," later in this lesson.
User admin is authorized to operate at privilege level 3 only if the user accesses the router via vty. If the same user
! aaa new-model ! aaa authentication login default local aaa authorization config-commands aaa authorization exec default local aaa authorization commands 3 default local if-authenticated ! aaa session-id common !
User admin is authorized to operate at privilege level 3 only if the user accesses the router via vty. If the same user attempted to access R8 via console, the user would receive privilege level 15.
Step 9: Verification
Example 15-8 demonstrates the output of the debug aaa authentication command followed by the debug aaa authorization command. The combination of these two commands shows the process a router goes through while authenticating and authorizing a user admin logging in from the remote host 192.168.1.6, permitted by access-list 5.
Example 15-8 Debugging AAA
R4#debug aaa authentication AAA Authentication debugging is on R4#debug aaa autho R4#debug aaa authorization AAA Authorization debugging is on R4# *Oct 1 16:20:35.271: AAA/BIND(0000000D): Bind i/f *Oct 1 16:20:35.275: AAA/AUTHEN/LOGIN (0000000D): Pick method list 'default' R4# *Oct 1 16:20:51.123: AAA/AUTHOR (0xD): Pick method list 'default' *Oct 1 16:20:51.131: AAA/AUTHOR/EXEC(0000000D): processing AV cmd= *Oct 1 16:20:51.131: AAA/AUTHOR/EXEC(0000000D): processing AV priv-lvl=3 *Oct 1 16:20:51.131: AAA/AUTHOR/EXEC(0000000D): Authorization successful R4# *Oct 1 16:21:10.931: AAA/BIND(0000000E): Bind i/f *Oct 1 16:21:10.939: AAA/AUTHEN/LOGIN (0000000E): Pick method list 'default' R4# *Oct 1 16:21:17.395: AAA/AUTHOR (0xE): Pick method list 'default' *Oct 1 16:21:17.399: AAA/AUTHOR/EXEC(0000000E): processing AV cmd= *Oct 1 16:21:17.403: AAA/AUTHOR/EXEC(0000000E): processing AV priv-lvl=7 *Oct 1 16:21:17.403: AAA/AUTHOR/EXEC(0000000E): Authorization successful R4#
Note that the aaa authorization config-commands commands and aaa authorization commands 3 default local if-authenticated commands of this scenario's AAA configuration were not yet set at the time the debug commands from Example 15-8 were issued. This resulted in the debug output not displaying the user's activity after the user has been authorized.
Example 15-9 shows the debug command output after aaa authorization config-commands commands and aaa authorization commands 3 default local if-authenticated commands have been applied. You can see that the user has issued the show startup-config command authorized for their privilege level.
Example 15-9 Debugging AAA after the authorization config-commands Commands