Cisco Device Monitoring and Hardening: step by step guide with examples

This article provides information about the following topics:


Network administrators need to be able to perform more than just the configuration of network devices. They need to be able to monitor network devices to ensure that the network is operating as efficiently as possible and to identify potential bottlenecks or trouble spots. The following sections deal with protocols that can help monitor a network.

It is important to keep a copy of a router’s configuration in a location other than NVRAM. Automated jobs can be set up to copy configurations from the router at regular intervals to local or remote file systems.

Tip

To create an archive copy manually, use the archive config command from EXEC mode:

Edmonton# archive config

Tip

When the write-memory command is enabled, the copy running-config startup-config command triggers an archive to occur.

Network administrators should implement logging to get insight into what is occurring in their network. When a router reloads, all local logs are lost, so it is important to implement logging to an external destination. These next sections deal with the different mechanisms that you can use to configure logging to a remote location.

The general format of syslog messages generated on Cisco IOS Software is as follows:

seq no:timestamp: %facility-severity-MNEMONIC:description

Table 22-1 shows the eight levels of severity in logging messages.

Setting a level means you will get that level and everything numerically below it. Level 6 means you will receive messages for levels 0 through 6.

The easiest syslog message to use as an example is the one that shows up every time you exit from global configuration mode back to privileged EXEC mode. You have just finished entering a command, and you want to save your work, but after you type exit you see something like this:

Edmonton(config)# exit
Edmonton#
*Jun 23:22:45:20.878: %SYS-5-CONFIG_I: Configured from console by
  console
Edmonton#

(Your output will differ depending on whether you have sequence numbers or time/date stamps configured.)

So what does this all mean?

  • No sequence number is part of this message (sequence numbers appear only when service sequence-numbers is configured).

  • The message was logged on June 23 at 22:45:20.878 (10:45 PM and 20.878 seconds).

  • The facility is SYS (the system), and the severity is level 5 (a notification).

  • The mnemonic CONFIG_I identifies a configuration change; the description states that the configuration was made from the console.
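The format described above can be parsed mechanically. The following Python snippet is an added example, not code from the page or from Cisco: it splits a message into sequence number, timestamp, facility, severity, mnemonic and description (the first two being optional, as the page notes), re-joins console-wrapped continuation lines, and applies the rule that a logging level N delivers severities 0 through N. The SAMPLE_LOG lines are constructed for the example and are not from a real device.

```python
import re

# Keyword names of the eight Cisco IOS logging levels (0 is the most severe).
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# seq no:timestamp: %FACILITY-SEVERITY-MNEMONIC: description
# Sequence number and timestamp are optional (they depend on 'service sequence-numbers'
# and 'service timestamps'); a leading '*' or '.' marks a clock that is not synchronised.
MSG_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s*)?"
    r"(?:(?P<ts>[*.]?[A-Z][a-z]{2}\s+\d+(?:\s+\d{4})?[\s:]+\d\d:\d\d:\d\d(?:\.\d+)?):\s*)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<description>.*)$")

def parse_syslog(line):
    """Split one IOS syslog line into its fields; return None for prompts and other non-messages."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    msg = m.groupdict()
    msg["seq"] = int(msg["seq"]) if msg["seq"] else None
    msg["severity"] = int(msg["severity"])
    msg["severity_name"] = SEVERITY_NAMES[msg["severity"]]
    return msg

def join_wrapped(lines):
    """Re-attach indented continuation lines (console wrapping) to the message before them."""
    out = []
    for raw in lines:
        if out and raw.startswith(" ") and "%" not in raw:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.rstrip())
    return out

def messages_at_or_below(lines, level):
    """Apply the page's rule: level N yields severities 0 through N (lower number = more severe)."""
    parsed = (parse_syslog(l) for l in join_wrapped(lines))
    return [p for p in parsed if p and p["severity"] <= level]

# Constructed console capture (not from the page); timestamps use the IOS 'Mon DD HH:MM:SS.mmm' form.
SAMPLE_LOG = [
    "*Jun 23 22:45:20.878: %SYS-5-CONFIG_I: Configured from console by",
    "  console",
    "000123: Jun 23 22:46:01.002: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "000124: Jun 23 22:46:05.117: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 22]",
    "000125: Jun 23 22:47:11.440: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.0.2.50 port 514 started",
    "Edmonton#",
]
```

Calling messages_at_or_below(SAMPLE_LOG, 4) keeps only the failed-login warning, which is the kind of filtering a remote syslog collector applies when the device is set to a given logging level.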

Device security is critical to network security. A compromised device can cause the network to be compromised on a larger scale. The following sections deal with different ways to secure your Cisco IOS devices.

These commands work on both routers and switches.

Caution

The enable password is not encrypted; it is stored as clear text. For this reason, recommended practice is that you never use the enable password command. Use only the enable secret password command in a router or switch configuration.

Tip

You can set both enable secret password and enable password to the same password. However, doing so defeats the use of encryption.

Caution

Line passwords are stored as clear text. At a bare minimum, they should be encrypted using the service password-encryption command. However, this encryption method is weak and easily reversible. It is therefore recommended to enable authentication with the username command and its secret option, because the password option of the username command still stores the password in clear text.

Tip

The best place to store passwords is on an external authentication, authorization, and accounting (AAA) server.

Caution

If you have turned on service password-encryption, used it, and then turned it off, any passwords that were encrypted while it was on stay encrypted. Passwords configured afterwards are stored unencrypted.

Tip

The service password-encryption command works on the following passwords:

  • Username

  • Authentication key

  • Privileged command

  • Console

  • Virtual terminal line access

  • BGP neighbors

Passwords using this encryption are shown as type 7 passwords in the router configuration:


Edmonton# show running-config
<output omitted>
enable secret 4 Rv4kArhts7yA2xd8BD2YTVbts (4 signifies SHA-256 hash)
<output omitted>
line con 0
  password 7 00271A5307542A02D22842 (7 signifies Vigenere cipher)
line vty 0 4
  password 7 00271A5307542A02D22842 (7 signifies Vigenere cipher)
<output omitted>
Edmonton#

There are different algorithm types available to hash a password in Cisco IOS:

  • Type 4: Specifies an SHA-256 encrypted secret string

    • Deprecated due to a software bug that allowed this password to be viewed in plaintext under certain conditions

  • Type 5: Specifies a message digest algorithm 5 (MD5) encrypted secret

  • Type 8: Specifies a Password-Based Key Derivation Function 2 with SHA-256 hashed secret (PBKDF2 with SHA-256)

  • Type 9: Specifies a scrypt hashed secret (SCRYPT)

Tip

Configure all secret passwords using type 8 or type 9.

Note

Type 5, 8, and 9 passwords are not reversible.

Caution

If you configure type 8 or type 9 passwords and then downgrade to an IOS release that does not support type 8 and type 9 passwords, you must configure the type 5 passwords before downgrading. If not, you are locked out of the device and a password recovery is required.

Although Telnet is the default way of accessing a router, it is the least secure way because everything, including the login credentials, crosses the network in clear text. Secure Shell (SSH) provides an encrypted alternative for accessing a router.

Caution

SSH Version 1 implementations have known security issues. It is recommended to use SSH Version 2 whenever possible.

Note

The device name cannot be the default Switch (on a switch) or Router (on a router). Use the hostname command to configure a new host name for the device before generating the RSA keys.

Note

The Cisco implementation of SSH requires Cisco IOS Software to support Rivest, Shamir, Adleman (RSA) authentication and minimum Data Encryption Standard (DES) encryption (a cryptographic software image).

Tip

When restricting access on vty lines, use the access-class command rather than the access-group command, which is used when applying an ACL to a physical interface.

Caution

Do not apply an ACL that is intended to restrict vty traffic on a physical interface. If you apply it to a physical interface, every packet is compared to the ACL before it can continue on its path to its destination. This can lead to a large reduction in router performance. In addition, an ACL on a physical interface has to specify the SSH or Telnet port number that you are trying to deny and has to identify all the router’s addresses that you could potentially SSH/Telnet to, whereas access-class on the vty lines covers every address and transport in one place.
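The password-storage advice above (avoid enable password and username ... password, prefer type 8 or 9 secrets over type 4, 5 and 7) and the vty advice (restrict with access-class, allow SSH rather than Telnet) can be checked against a saved show running-config. The following Python audit is an added example, not the page's or Cisco's code; SAMPLE_CONFIG is a constructed configuration, the rule lists and the audit_config/parse_sections function names are the example's own, and the stored hash values are placeholders. It only pattern-matches configuration lines and never decodes a stored password.

```python
import re

# Constructed sample running-config (not from the page); mixes weak and recommended settings.
SAMPLE_CONFIG = """\
enable password cisco123
enable secret 5 $1$EXAMPLE$placeholder-md5-hash
username ops password 7 00271A5307542A02D22842
username admin secret 9 $9$EXAMPLE$placeholder-scrypt-hash
line vty 0 4
 password 7 00271A5307542A02D22842
 transport input telnet ssh
line vty 5 15
 access-class 10 in
 transport input ssh
"""
TOP_RULES = [  # (pattern, severity, finding) for top-level commands; secret types 8 and 9 pass
    (r"^(enable|username \S+) password ", "HIGH", "'password' keyword: clear text or reversible type 7; use 'secret'"),
    (r"^(enable|username \S+) secret [45] ", "MEDIUM", "secret is type 4/5; re-hash as type 8 (PBKDF2-SHA256) or 9 (scrypt)"),
]
LINE_RULES = [  # (pattern, severity, finding) for sub-commands under 'line con' / 'line vty'
    (r"^password ", "HIGH", "line password: clear text or type 7; use username secret with login local"),
    (r"^transport input .*\b(telnet|all)\b", "HIGH", "Telnet permitted; use 'transport input ssh'"),
]

def parse_sections(text):
    """Pair each top-level command with its indented sub-commands."""
    sections, current = [], None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        elif raw.strip():
            current = (raw.strip(), [])
            sections.append(current)
    return sections

def audit_config(text):
    """Return (severity, config line, finding) tuples; stored values are matched, never decoded."""
    findings = []
    for header, body in parse_sections(text):
        for pat, sev, why in TOP_RULES:
            if re.match(pat, header):
                findings.append((sev, header, why))
        if header.startswith("line "):
            for cmd in body:
                for pat, sev, why in LINE_RULES:
                    if re.match(pat, cmd):
                        findings.append((sev, f"{header} / {cmd}", why))
            if header.startswith("line vty") and not any(c.startswith("access-class ") for c in body):
                findings.append(("MEDIUM", header, "no access-class on vty line; restrict management sources"))
    return findings
```

A vty section with no transport input command at all is not flagged, because the default transport depends on the IOS release, which is exactly why the page says to check the configuration guide for your release and to disable services explicitly.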

Services that are not being used on a router can represent a potential security risk. If you do not need a specific service, you should disable it.

Tip

If a service is off by default, disabling it does not appear in the running configuration.

Tip

Do not assume that a service is disabled by default; you should explicitly disable all unneeded services, even if you think they are already disabled.

Tip

Depending on the IOS Software release, some services are on by default; some are off. Be sure to check the IOS configuration guide for your specific software release to determine the default state of the service.

Table 22-2 lists the services that you should disable if you are not using them.
