© 2007 Cisco Systems, Inc. All rights reserved. Cisco Public
Electronic Access Controls
• Remote access typically involves allowing Telnet or SSH connections to the router.
• Remote access requires that the device have enough network services enabled to be reachable across the network; every such service is also attack surface, so enable only what management actually needs.
• More to follow.
Cisco IOS
• Cisco issues new IOS versions and upgrades fairly frequently.
• If the IOS is not kept current, the device may be susceptible to information gathering and network attacks.
• The Cisco Product Security Incident Response Team (PSIRT) creates and maintains publications, commonly referred to as PSIRT Advisories, for security-related issues in Cisco products.
• Security advisories and responses are available at http://www.cisco.com/go/psirt
Cisco – PSIRT
Static Configuration Controls
• Loopback Address
• Banner
• Accounts
• Command Privilege Levels
• Passwords
• Management Ports
• AAA
• Network Services
• NTP
• SNMP
Loopback Address
• Network devices exchange control-plane and management traffic using protocols such as OSPF, EIGRP, STP, VTP, SNMP and TACACS+.
• An internal virtual interface called a loopback interface should be defined and designated as the source interface for most traffic generated by the router itself (logging, NTP, SNMP, TACACS+/RADIUS), so that the device always speaks from one stable address that servers and access lists can filter on, regardless of which physical interface is up.
Banner
• A login banner should be set up on each operational network device.
• The banner must not disclose the hostname, platform, IOS version or owning organization; such details only aid reconnaissance.
• The first character after banner motd is the delimiter that terminates the message, so it must not occur inside the text. The asterisks on the original slide cannot serve as the delimiter because the message itself contains them; a delimiter such as ^C is used instead:
banner motd ^C
******************Warning! Warning! Warning!***********************
This system is restricted to authorized users for business purposes only.
Unauthorized access is a violation of the law.
This service may be monitored for administrative and security reasons.
By proceeding you consent to this monitoring.
*******************Warning! Warning! Warning!***********************
^C
Accounts
• By default, no user accounts are established.
• Accounts can be established:
 • On the device (local user database, selected on the lines with login local)
 • On an AAA server.
• Cisco IOS supports the RADIUS and TACACS+ protocols for AAA.
• Using AAA with a security server, access to network devices and network services can be controlled from a centralized location; keep a local account as a fallback for when the server is unreachable.
Accounts – Audit Steps
• Each administrator should have their own unique login user name for the router.
• The user name is included in log messages, so a shared account destroys accountability.
• Only allow accounts that are required on the router.
• Review the running-config and verify that unique user IDs have been created for administrators and any other users.
• Verify that the privilege level of each account is assigned on a need-to-know, least-privilege basis.
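As an added example, not part of the Cisco slides, the following Python script automates the account audit steps above and also checks the loopback-source, banner, AAA and vty controls from the earlier slides against a running-config. The SAMPLE_CONFIG text is constructed for illustration, and the ADMINS allow-list and GENERIC_NAMES set stand in for a site policy; the check that flags password in favour of secret is an added control the deck does not state explicitly.

```python
"""Audit a Cisco IOS running-config for the static controls on these slides."""
import re

# Constructed running-config used as sample input (not taken from the slides).
SAMPLE_CONFIG = """\
hostname edge-rtr
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 10.1.1.10
username alice privilege 15 secret 5 $1$x1$zzzzzzzzzzzzzzzzzzzzzz
username bob privilege 1 secret 5 $1$x2$zzzzzzzzzzzzzzzzzzzzzz
username backup-svc privilege 15 secret 5 $1$x3$zzzzzzzzzzzzzzzzzzzzzz
username admin password 7 0822455D0A16
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
ip tacacs source-interface Loopback0
logging source-interface Loopback0
ntp source Loopback0
snmp-server trap-source Loopback0
banner motd ^C
*** Warning! Authorized users only. Activity may be monitored. ***
^C
line vty 0 4
 login authentication default
 transport input ssh
"""

# Hypothetical site policy: named administrators allowed to hold privilege 15,
# and account names that indicate a shared or default login.
ADMINS = {"alice"}
GENERIC_NAMES = {"admin", "cisco", "router", "user"}

# Router-sourced services that should leave from the loopback (slide "Loopback Address").
SOURCE_LINES = {
    "tacacs": r"^ip tacacs source-interface (\S+)",
    "logging": r"^logging source-interface (\S+)",
    "ntp": r"^ntp source (\S+)",
    "snmp-trap": r"^snmp-server trap-source (\S+)",
}

USERNAME_RE = re.compile(
    r"^username (?P<name>\S+)(?: privilege (?P<priv>\d+))? (?P<kind>secret|password)\b"
)


def parse_usernames(config):
    """Return {username: (privilege, 'secret'|'password')}; privilege defaults to 1."""
    users = {}
    for line in config.splitlines():
        m = USERNAME_RE.match(line)
        if m:
            priv = int(m.group("priv")) if m.group("priv") else 1
            users[m.group("name")] = (priv, m.group("kind"))
    return users


def loopback_sources(config):
    """Return {service: configured source interface or None}."""
    return {
        service: (m.group(1) if (m := re.search(pat, config, re.MULTILINE)) else None)
        for service, pat in SOURCE_LINES.items()
    }


def has_banner(config):
    return re.search(r"^banner (motd|login|exec) ", config, re.MULTILINE) is not None


def audit(config, admins=ADMINS, loopback="Loopback0"):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not re.search(r"^interface " + re.escape(loopback) + r"$", config, re.MULTILINE):
        findings.append(f"no {loopback} interface defined")
    for service, src in loopback_sources(config).items():
        if src != loopback:
            findings.append(f"{service} not sourced from {loopback} (got {src})")
    if not has_banner(config):
        findings.append("no login banner configured")
    if "aaa new-model" not in config.splitlines():
        findings.append("AAA not enabled (aaa new-model missing)")
    users = parse_usernames(config)
    if not users:
        findings.append("no local accounts defined")
    for name, (priv, kind) in users.items():
        if name in GENERIC_NAMES:
            findings.append(f"generic/shared account name: {name}")
        if priv == 15 and name not in admins:
            findings.append(f"{name} holds privilege 15 but is not an approved administrator")
        if kind == "password":
            findings.append(f"{name} uses 'password' (reversible type 7) instead of 'secret'")
    # vty lines must demand a named login and accept only SSH (no Telnet).
    m = re.search(r"^line vty.*\n((?: .*\n?)*)", config, re.MULTILINE)
    vty_block = m.group(1) if m else ""
    if not re.search(r"^ login (local|authentication)", vty_block, re.MULTILINE):
        findings.append("vty lines do not require a named login")
    if " transport input ssh" not in vty_block:
        findings.append("vty lines accept protocols other than SSH")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the sample, the script reports three findings: the backup-svc account holds level 15 without being an approved administrator, admin is a generic shared name, and admin is stored with a reversible type 7 password. Feed it the output of show running-config from a real device, and extend SOURCE_LINES with any other service the router originates (for example RADIUS or SNMP polling sources).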