
About danger and security in Cisco networks


In today's world of practically unlimited technological power, more and more attention is paid to the confidentiality, integrity and availability of stored and transmitted data. This is understandable: nobody wants information they consider personal or secret to end up with third parties or (God forbid) competitors or even enemies.

So what is protected information in the field of data networks? An absolutely secure network does not and cannot exist; a network could probably be considered fully protected only if every device were disconnected from it (or, for reliability, even powered off). But who needs a network in which no data is transmitted? Nobody. So the question becomes how to make the network as protected as possible, while taking into account all the vulnerabilities that the manufacturers of software and hardware keep throwing up.

In this article I will show some of the nuances of configuring Cisco devices so that you can control who has access to these devices, as key network nodes, and what kind of access that will be.


Three main subtopics:

- Setting up access "by roles"

where the so-called views are discussed, which determine which commands are available to one or another authenticated user

- Means to increase the security of the authorization process

where the improvements that can be made to the user login process are described, such as how many attempts with incorrect credentials are allowed, logging of the login process, etc.

- Protecting IOS images and existing configuration files

where the protection and restoration of deleted IOS images and configuration files are described (yes, yes, that does happen).




1. Setting up access by roles.

So, in simple terms, role-based access lets you create profiles for secondary administrators of the configured devices, with limited access and a restricted set of commands.

The process of creating a view (profile template):

- Enable AAA (Authentication, Authorization, Accounting)

Router(config)# aaa new-model

- Enable the root view (a mode one step above privileged mode; other view templates can be created from it and only from it)

Router# enable view
note: after this command the device asks for the secret password when switching to the root view; it must be set in advance with: enable secret [password]. After the switch, a console message like this should appear:
*Oct 17 20:53:57.203: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.

- Create a new view.

(as an example we will create the view template ST_ONLY, with access only to commands starting with "show ..." and "telnet ...", and the view template SP_ONLY with access to "show ..." and "ping ..."), assign a password to the created view (note: to the view template, not to a user) and the set of available commands:
Router(config)# parser view ST_ONLY
*Oct 17 20:58:12.943: %PARSER-6-VIEW_CREATED: view 'ST_ONLY' successfully created.
Router(config-view)# secret pass2st
Router(config-view)# commands exec include all show
Router(config-view)# commands exec include all telnet
Router(config)# parser view SP_ONLY
*Oct 17 21:00:12.771: %PARSER-6-VIEW_CREATED: view 'SP_ONLY' successfully created.
Router(config-view)# secret pass2sp
Router(config-view)# commands exec include all show
Router(config-view)# commands exec include all ping

Now, when necessary, you can create a so-called superview, combining several simple view templates:
Router(config)# parser view SUP_VIEW superview
Router(config-view)# secret pass2sview
Router(config-view)# view ST_ONLY
Router(config-view)# view SP_ONLY

After that, you can create users in the local database of the device. Each created user is assigned a default view, whose commands will be available to that user:
Router(config)# username st_admin view ST_ONLY secret cisco1
Router(config)# username sp_admin view SP_ONLY secret cisco2
Router(config)# username sview_admin view SUP_VIEW secret cisco3

A complete example of a working configuration:

Router> enable
Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# aaa new-model
Router(config)# enable secret supersecretciscopassword
Router(config)# exit
*Oct 17 21:13:37.511: %SYS-5-CONFIG_I: Configured from console by console
Router# enable view
Password:
Router#
*Oct 17 21:13:56.035: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.
Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# parser view ST_ONLY
*Oct 17 21:14:41.699: %PARSER-6-VIEW_CREATED: view 'ST_ONLY' successfully created.
Router(config-view)# secret pass2st
Router(config-view)# commands exec include all show
Router(config-view)# commands exec include all telnet
Router(config-view)# exit
Router(config)#
Router(config)# parser view SP_ONLY
*Oct 17 21:15:32.279: %PARSER-6-VIEW_CREATED: view 'SP_ONLY' successfully created.
Router(config-view)# secret pass2sp
Router(config-view)# commands exec include all show
Router(config-view)# commands exec include all ping
Router(config-view)# exit
Router(config)#
Router(config)# parser view SUP_VIEW superview
*Oct 17 21:16:31.783: %PARSER-6-SUPER_VIEW_CREATED: super view 'SUP_VIEW' successfully created.
Router(config-view)# secret pass2sview
Router(config-view)# view ST_ONLY
*Oct 17 21:17:39.451: %PARSER-6-SUPER_VIEW_EDIT_ADD: view ST_ONLY added to superview SUP_VIEW.
Router(config-view)# view SP_ONLY
*Oct 17 21:17:44.083: %PARSER-6-SUPER_VIEW_EDIT_ADD: view SP_ONLY added to superview SUP_VIEW.
Router(config-view)# exit
Router(config)# username st_admin view ST_ONLY secret cisco1
Router(config)# username sp_admin view SP_ONLY secret cisco2
Router(config)# username sview_admin view SUP_VIEW secret cisco3
Router(config)# aaa authentication login default local
Router(config)# aaa authorization exec default local
Router(config)# aaa authorization console
Router(config)# exit
Router# wr
Building configuration...

*Oct 17 21:23:19.771: %SYS-5-CONFIG_I: Configured from console by console
[OK]
Router#

Now, after logging in, the users st_admin, sp_admin and sview_admin have a very limited set of commands:

User Access Verification

Username: st_admin
Password:

Router> ?
Exec commands:
  enable  turn on privileged commands
  exit    Exit from the EXEC
  show    Show running system information
  telnet  Open a telnet connection
Router>

User Access Verification

Username: sp_admin
Password:

Router> ?
Exec commands:
  enable  turn on privileged commands
  exit    Exit from the EXEC
  ping    send echo messages
  show    Show running system information
Router>

User Access Verification

Username: sview_admin
Password:

Router> ?
Exec commands:
  enable  turn on privileged commands
  exit    Exit from the EXEC
  ping    send echo messages
  show    Show running system information
  telnet  Open a telnet connection
Router>
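As an added illustration (not part of the original article), the following Python script parses a constructed running-config fragment of the kind the commands above produce and computes which exec commands each local user ends up with, treating a superview as the union of its member views, which is exactly what the three "?" listings show. The config text, the placeholder secret hashes and the function names are assumptions of this example, not IOS output.

```python
import re

# Constructed running-config fragment modelled on the section 1 commands (assumption:
# keywords and one-space indentation as IOS prints them; hashes replaced by a placeholder).
RUNNING_CONFIG = """\
username st_admin view ST_ONLY secret 5 $PLACEHOLDER$
username sp_admin view SP_ONLY secret 5 $PLACEHOLDER$
username sview_admin view SUP_VIEW secret 5 $PLACEHOLDER$
parser view ST_ONLY
 commands exec include all show
 commands exec include all telnet
parser view SP_ONLY
 commands exec include all show
 commands exec include all ping
parser view SUP_VIEW superview
 view ST_ONLY
 view SP_ONLY
"""
ALWAYS_AVAILABLE = {"enable", "exit"}  # present in every view's "?" output above

def parse_views(config):
    """Return (view -> top-level exec commands, superview -> member views)."""
    views, members, current = {}, {}, None
    for line in config.splitlines():
        m = re.match(r"parser view (\S+)( superview)?$", line)
        if m:
            current = m.group(1)
            (members if m.group(2) else views).setdefault(current, set())
            continue
        if not line.startswith(" "):
            current = None  # an unindented line ends the parser view block
            continue
        m = re.match(r" commands exec include (?:all )?(\S+)", line)
        if m and current in views:
            views[current].add(m.group(1))
        m = re.match(r" view (\S+)$", line)
        if m and current in members:
            members[current].add(m.group(1))
    return views, members

def effective_commands(view, views, members):
    """Commands a user of `view` may run; a superview is the union of its members."""
    if view in members:
        cmds = set().union(*(effective_commands(c, views, members) for c in members[view]))
        return cmds | ALWAYS_AVAILABLE
    return views.get(view, set()) | ALWAYS_AVAILABLE

def user_commands(config):
    views, members = parse_views(config)
    users = re.findall(r"^username (\S+) view (\S+)", config, re.M)
    return {u: effective_commands(v, views, members) for u, v in users}
```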



2. Means to increase the security of the authorization process


In this part, I will give a set of commands aimed at improving the security of the user authorization process on a Cisco device and briefly explain their purpose.

Completely blocks logins to the device for {sec1} seconds after {num} failed attempts within a window of {sec2} seconds.
Router(config)# login block-for {sec1} attempts {num} within {sec2}

Allows a group of hosts specified by the access list to reach the router even while logins are blocked by the preceding "login block-for ..." command. In other words, while an attacker is trying to brute-force the password, we ourselves can still log in.

Router(config)# access-list 10 permit 10.0.0.0
Router(config)# login quiet-mode access-class 10

Sets the delay between login attempts, in seconds {sec}.
Router(config)# login delay {sec}

Logs failed / successful login attempts to syslog (every {num}th attempt).
Router(config)# login on-failure log every {num}
Router(config)# login on-success log every {num}

The minimum password length enforced when a user sets a password.
Router(config)# security passwords min-length {num}

Idle timeout after which the user is "thrown out" of the session.
Router(config-line)# exec-timeout {min} {sec}

Encrypts the passwords stored in the configuration.
Router(config)# service password-encryption
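To check that a device actually carries these settings, here is an added example (not from the original article) that audits a constructed "show running-config" excerpt for every control in this section, verifies that the quiet-mode ACL really has a permit entry, and flags an "exec-timeout 0 0", which disables the idle timeout. The config text, the chosen values and the function name are assumptions of this example.

```python
import re

# Constructed "show running-config" excerpt after applying the section 2 commands,
# with a deliberately weak exec-timeout left on the console line (assumption:
# IOS keywords and one-space indentation under "line" blocks as IOS prints them).
RUNNING_CONFIG = """\
service password-encryption
login block-for 120 attempts 3 within 60
login quiet-mode access-class 10
login delay 2
login on-failure log every 1
login on-success log every 1
security passwords min-length 10
access-list 10 permit 10.0.0.0 0.255.255.255
line con 0
 exec-timeout 0 0
line vty 0 4
 exec-timeout 5 0
"""
# Each control from section 2, as a pattern it must match in the running-config.
REQUIRED = {
    "login block-for": r"^login block-for \d+ attempts \d+ within \d+$",
    "login quiet-mode access-class": r"^login quiet-mode access-class \S+$",
    "login delay": r"^login delay \d+$",
    "login on-failure log": r"^login on-failure log",
    "login on-success log": r"^login on-success log",
    "security passwords min-length": r"^security passwords min-length \d+$",
    "service password-encryption": r"^service password-encryption$",
}

def audit(config):
    """Return a list of findings; an empty list means every section 2 control is set."""
    findings = ["missing: " + name for name, pat in REQUIRED.items()
                if not re.search(pat, config, re.M)]
    # The quiet-mode ACL must exist and permit something, or nobody can log in during a block.
    m = re.search(r"^login quiet-mode access-class (\S+)$", config, re.M)
    if m and not re.search(r"^access-list %s permit " % re.escape(m.group(1)), config, re.M):
        findings.append("quiet-mode ACL %s has no permit entry" % m.group(1))
    # "exec-timeout 0 0" disables the idle timeout on that line entirely.
    current = None
    for line in config.splitlines():
        if line.startswith("line "):
            current = line[5:]
        elif current and line.strip() == "exec-timeout 0 0":
            findings.append("idle timeout disabled on line " + current)
        elif not line.startswith(" "):
            current = None
    return findings
```

Note that "service password-encryption" only applies Cisco's reversible type 7 encoding, so it protects against casual viewing of the config, not against anyone who obtains the file; prefer the hashed "secret" form wherever a command offers it, as the username and enable commands above do.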

3. Protecting an IOS image and existing configuration files

If someone does get into the device and erases the IOS image and the configuration file, it can lead to a rather long downtime (while the IOS image is downloaded, while a config backup is found, if one even exists), which in some environments is simply unacceptable.

Meet the two rescue commands:

This command enables IOS image protection (creates a protected copy of the image that cannot be deleted)
Router(config)# secure boot-image

This command enables protection of the configuration file (creates a protected copy of the startup-config that cannot be deleted)
Router(config)# secure boot-config
note: a router with a PCMCIA slot is required to be able to restore the IOS image

In ROMMON mode, tell the device to boot from the PCMCIA card, giving the image name:
rommon> boot slot:c3745-js2-mz.bin
Restore the device configuration to a temporary file:
Router(config)# secure boot-config restore flash:rescue-cfg
Copy the temporary file to the configuration file:
Router# copy flash:rescue-cfg startup-config
and reboot.

This article was written under the impression of the CCNA Security course from CBT Nuggets, to generalize and systematize knowledge and to prepare for the exams.

Source: https://habr.com/ru/post/130921/

