Szerkesztő:LinguisticMystic/ru/безопасность/4

🔒 04.0. Module 04: Secure Device Access Introduction

Securing device access is critical for protecting network infrastructure from unauthorized users. This involves implementing strong authentication, encrypted communication, and access controls for both local and remote management.

🌟 1. Why Secure Device Access Matters

Prevent Unauthorized Access: Limits access to trusted users.
Protect Configuration: Prevents tampering with device settings.
Ensure Data Integrity: Secures management traffic against interception.
Facilitate Auditing: Tracks user activities for accountability.
Enhance Compliance: Meets regulatory standards for secure access.

🔑 2. Key Components of Secure Device Access

Local Access:
- Access via console or AUX ports.
- Requires password protection and role-based access.
Remote Access:
- SSH for encrypted remote connections (replace Telnet).
- Restrict access based on IP addresses and privilege levels.
Authentication, Authorization, and Accounting (AAA):
- Centralizes user access control and activity tracking.
Access Control Lists (ACLs):
- Limits access to management interfaces.
Logging and Monitoring:
- Tracks login attempts and configuration changes.

🛠️ 3. Best Practices for Secure Device Access

Use SSH Instead of Telnet: Encrypts communication between devices.
Enable Strong Passwords: Enforce complexity and password encryption.
Restrict VTY Access: Limit remote access to trusted IP addresses.
Set Privilege Levels: Control user permissions based on job roles.
Enable AAA: Implement centralized authentication and accounting.
Configure Session Timeouts: Log out inactive users automatically.
Monitor and Log Activities: Enable Syslog and login notifications.
Backup Configurations: Store secure backups for disaster recovery.

🔐 4. Key Secure Access Features

Feature	Description
SSH (Secure Shell)	Encrypts remote administrative sessions.
AAA	Centralizes user authentication and activity tracking.
Role-Based Access	Limits access based on user roles and privilege levels.
ACLs	Restricts management access to trusted IP addresses.
Syslog	Logs login attempts and configuration changes.
Password Encryption	Protects stored passwords from unauthorized access.

⚔️ 5. Common Threats to Device Access

Brute-Force Attacks: Repeated login attempts to guess passwords.
Man-in-the-Middle (MitM) Attacks: Intercepting unencrypted traffic.
Unauthorized Configuration Changes: Malicious or accidental alterations.
Session Hijacking: Exploiting active management sessions.

📚 6. Learning Outcomes for Module 04

After completing this module, you will be able to:
1. Configure secure access for local and remote management.
2. Implement SSH for encrypted remote access.
3. Set privilege levels and role-based access.
4. Enable AAA for centralized authentication and accounting.
5. Monitor and log device access activities.

✅ 7. Conclusion

Secure device access is the first line of defense for protecting network infrastructure. By implementing strong authentication, encrypted communication, and access controls, administrators can prevent unauthorized access and maintain the integrity of network configurations.

🔒 04.1. Secure the Edge Router

The edge router is a critical point of defense, as it connects the internal network to external environments. Properly securing the edge router prevents unauthorized access, mitigates threats, and ensures secure traffic flow.

🌟 1. Why Secure the Edge Router?

Prevent Unauthorized Access: Restricts access to trusted users and devices.
Mitigate Threats: Blocks malicious traffic from external sources.
Protect Configuration: Prevents unauthorized changes to router settings.
Ensure Network Availability: Guards against denial-of-service (DoS) attacks.
Facilitate Auditing: Tracks administrative activities and traffic patterns.

🔑 2. Key Security Features for the Edge Router

Control Plane: Manages router operations and protocols.
Management Plane: Controls administrative access.
Data Plane: Handles user traffic passing through the router.

🛠️ 3. Configuration Steps to Secure the Edge Router

3.1. Secure Administrative Access

Set Strong Enable Secret Password:

!
enable secret StrongPassword123
!

Create Local User Accounts:

!
username admin privilege 15 secret AdminPass123
username support privilege 5 secret SupportPass123
!

Enable SSH and Disable Telnet:

!
hostname EdgeRouter
ip domain-name example.com
crypto key generate rsa
ip ssh version 2
!
line vty 0 4
transport input ssh
login local
exec-timeout 10 0
!

Explanation:
- SSH: Encrypts remote management traffic.
- VTY Lines: Restrict remote access to SSH only.
- Timeout: Logs out inactive sessions after 10 minutes.

3.2. Restrict Management Access with ACLs

Limit access to trusted IP addresses.

Create an ACL for Management Access:

!
ip access-list standard MGMT_ACCESS
permit 192.168.1.0 0.0.0.255
deny any
!

Apply ACL to VTY Lines:

!
line vty 0 4
access-class MGMT_ACCESS in
!

Explanation:
- Only devices from the 192.168.1.0/24 subnet can access the router.

3.3. Secure the Control Plane

Enable Control Plane Policing (CoPP):

!
class-map match-any ICMP-TRAFFIC
 match protocol icmp
!
policy-map CONTROL-PLANE-POLICY
 class ICMP-TRAFFIC
  police 8000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input CONTROL-PLANE-POLICY
!

Explanation:
- CoPP: Limits excessive traffic to the control plane.

3.4. Filter Traffic with ACLs (Data Plane)

Block malicious traffic at the edge.

Create an Extended ACL:

!
ip access-list extended OUTBOUND-TRAFFIC
permit tcp any any established
deny ip any any log
!

Apply ACL to the Outside Interface:

!
interface GigabitEthernet0/0
ip access-group OUTBOUND-TRAFFIC out
!

Explanation:
- Established: Allows only return traffic for initiated connections.

3.5. Disable Unused Services

Turn off unnecessary services to reduce the attack surface.

!
no ip http server
no ip http secure-server
no service finger
no ip bootp server
!

Explanation:
- These services are often targeted by attackers.

3.6. Enable Logging and Monitoring

Configure Syslog:

!
logging host 192.168.1.100
logging trap warnings
!

Enable Login and Configuration Logs:

!
login on-success log
login on-failure log
archive
 log config
 notify syslog
!

Explanation:
- Logs successful and failed login attempts.

3.7. Enable SNMP for Monitoring (Optional)

Configure SNMPv3:

!
snmp-server group SNMPv3GROUP v3 auth
snmp-server user SNMPv3User SNMPv3GROUP v3 auth sha StrongSNMPKey123 priv aes 128 StrongEncryptKey123
!

Explanation:
- SNMPv3: Provides secure device monitoring with encryption.

3.8. Backup Router Configuration

Schedule regular configuration backups.

!
archive
 path flash:backup
 maximum 5
!

Explanation:
- This allows quick recovery after configuration errors or device failures.

🔍 4. Verification and Monitoring

Check SSH and VTY Configuration:

show running-config | include ssh
show running-config | section line vty

Verify ACLs:

show access-lists

Monitor Logs:

show logging

Check SNMP Status:

show snmp user

✅ 5. Summary of Key Commands

Task	Command Example
Enable SSH	`ip ssh version 2`
Create Local User Accounts	`username admin privilege 15 secret Admin123`
Restrict VTY Access	`access-class MGMT_ACCESS in`
Enable CoPP	`service-policy input CONTROL-PLANE-POLICY`
Block Unwanted Traffic	`ip access-group OUTBOUND-TRAFFIC out`
Disable Unused Services	`no ip http server`
Enable Syslog	`logging host 192.168.1.100`
Configure SNMPv3	`snmp-server user SNMPv3User ...`
Backup Configuration	`archive path flash:backup`

🔐 6. Best Practices for Edge Router Security

Use Strong Authentication: Enable SSH and enforce password complexity.
Restrict Access: Apply ACLs to management interfaces.
Limit Services: Disable unused protocols (HTTP, Finger, BootP).
Monitor Logs: Enable Syslog and login notifications.
Implement CoPP: Protect the control plane from excessive traffic.
Update Firmware: Apply security patches regularly.
Backup Configurations: Store backups in a secure location.

⚔️ 7. Troubleshooting Tips

Issue	Possible Cause	Solution
SSH Connection Fails	RSA key not generated or ACL blocking	Verify `crypto key generate rsa` and ACLs.
Access Denied	Incorrect ACL or login failure	Check `show access-lists` and user credentials.
High CPU Usage	Excessive traffic to control plane	Implement Control Plane Policing (CoPP).
Syslog Not Logging	Incorrect server IP or log level	Verify `logging host` and `logging trap` settings.
SNMP Not Responding	Wrong community string or blocked port	Ensure UDP port 161 is open and SNMPv3 is configured.

🌟 8. Benefits of Edge Router Security

Improved Network Protection: Blocks unauthorized access.
Enhanced Performance: Prevents traffic overload.
Regulatory Compliance: Supports security audits and reporting.
Quick Recovery: Ensures configuration backups are available.
Efficient Management: Provides secure remote administration.

🔒 04.2. Configure Secure Administrative Access

Securing administrative access is essential for protecting network devices from unauthorized changes and potential breaches. This involves implementing strong authentication, encrypted communication, and access controls.

🔑 1. Best Practices for Secure Administrative Access

Use Encrypted Access:
- Replace Telnet with Secure Shell (SSH) for remote access.
- Use HTTPS instead of HTTP for web-based management.
Strong Authentication:
- Enforce strong passwords with complexity requirements.
- Implement multi-factor authentication (MFA).
Access Control:
- Restrict administrative access based on IP addresses.
- Use Access Control Lists (ACLs) to limit access to management interfaces.
Role-Based Access Control (RBAC):
- Assign different privilege levels based on user roles.
- Use privilege levels and command authorization.
Session Management:
- Set timeout values for inactive sessions.
- Enable logging for all administrative activities.
Backup and Recovery:
- Regularly back up device configurations and system images.

🛠️ 2. Configuring Secure Administrative Access on Cisco Devices

Here’s how to configure secure administrative access step by step:

2.1. Configure Strong Passwords

Set password complexity and enable password encryption.

!
enable secret strong_password123
service password-encryption
!

Explanation:
- enable secret secures privileged EXEC mode with a hashed password.
- service password-encryption prevents clear-text password display.

2.2. Create User Accounts

Create individual user accounts with varying privilege levels.

!
username admin privilege 15 secret AdminPass123
username support privilege 5 secret SupportPass123
!

Explanation:
- privilege 15 provides full administrative access.
- privilege 5 limits access to specific commands.

2.3. Enable SSH Access

Disable Telnet and enable SSH for secure remote management.

Configure a hostname and domain name:

!
hostname Router1
ip domain-name example.com
!

Generate RSA keys:

!
crypto key generate rsa
!

Enable SSH version 2:

!
ip ssh version 2
!

Restrict virtual terminal (VTY) access to SSH only:

!
line vty 0 4
transport input ssh
login local
!

Explanation:
- RSA keys secure SSH communication.
- login local requires local user authentication.
- transport input ssh disables Telnet access.

2.4. Set Session Timeout

Automatically log out inactive sessions.

!
line vty 0 4
exec-timeout 10 0
!

Explanation:
- exec-timeout 10 0 logs out users after 10 minutes of inactivity.

2.5. Restrict Access with ACLs

Limit administrative access to specific IP addresses.

Create an ACL:

!
ip access-list standard ADMIN_ACCESS
permit 192.168.1.0 0.0.0.255
deny any
!

Apply the ACL to VTY lines:

!
line vty 0 4
access-class ADMIN_ACCESS in
!

Explanation:
- This allows only IP addresses from the 192.168.1.0/24 subnet to access the device.

2.6. Enable Logging

Log all administrative activities for auditing purposes.

!
logging buffered 10000
logging console
!

Explanation:
- logging buffered stores logs in memory for review.
- logging console displays logs in the terminal session.

📚 3. Verification and Monitoring

Verify SSH Configuration:

show ip ssh

Check VTY Line Configuration:

show running-config | section line vty

Monitor Logins and Activity:

show logging

⚔️ 4. Troubleshooting Tips

Connection Refused: Ensure SSH is enabled and Telnet is disabled.
Authentication Failure: Verify user credentials and privilege levels.
Access Denied: Check ACLs applied to VTY lines.
Key Generation Failure: Ensure the device has a hostname and domain name.

✅ 5. Summary of Key Commands

Task	Command Example
Set Privileged Password	`enable secret strong_password123`
Create User Accounts	`username admin privilege 15 secret AdminPass123`
Enable SSH	`ip ssh version 2`
Generate RSA Keys	`crypto key generate rsa`
Set Session Timeout	`exec-timeout 10 0`
Restrict Access with ACLs	`access-class ADMIN_ACCESS in`
Enable Logging	`logging buffered 10000`

🔒 04.3. Configure Enhanced Security for Virtual Logins

Virtual login security involves protecting remote access to network devices through Secure Shell (SSH) or Telnet (although Telnet should be avoided due to its lack of encryption). This section focuses on strengthening virtual terminal (VTY) line security.

🔑 1. Best Practices for VTY Security

Use SSH Instead of Telnet: Ensure encrypted communication for remote access.
Strong Authentication: Enforce username/password combinations and multi-factor authentication (MFA).
Access Control: Restrict remote access to trusted IP addresses.
Session Timeout: Automatically log out inactive sessions.
Logging and Monitoring: Enable logging of login attempts and session activity.

🛠️ 2. Configuration Steps for Enhanced VTY Security

2.1. Enable SSH for Secure Access

Disable Telnet and enable SSH for encrypted remote management.

Set hostname and domain name:

!
hostname Router1
ip domain-name example.com
!

Generate RSA key pair:

!
crypto key generate rsa
!

Enable SSH version 2:

!
ip ssh version 2
!

Restrict VTY access to SSH:

!
line vty 0 4
transport input ssh
login local
!

Explanation:
- RSA key generation enables secure key exchange for SSH.
- ip ssh version 2 ensures stronger encryption.
- transport input ssh blocks Telnet access.

2.2. Configure Local User Authentication

Create user accounts with strong passwords.

!
username admin privilege 15 secret AdminPass123
username support privilege 5 secret SupportPass123
!

Explanation:
- privilege 15 grants full administrative access.
- privilege 5 limits access to specific commands.

2.3. Restrict Access with ACLs

Limit remote access to trusted IP addresses.

Create an access list:

!
ip access-list standard VTY_ACCESS
permit 192.168.1.0 0.0.0.255
deny any
!

Apply ACL to VTY lines:

!
line vty 0 4
access-class VTY_ACCESS in
!

Explanation:
- Only users from the 192.168.1.0/24 subnet can access the VTY lines.

2.4. Set Session Timeout

Automatically log out idle sessions.

!
line vty 0 4
exec-timeout 10 0
!

Explanation:
- exec-timeout 10 0 logs out users after 10 minutes of inactivity.

2.5. Enable Login Attack Prevention

Prevent brute-force attacks by limiting login attempts.

!
login block-for 120 attempts 3 within 60
!

Explanation:
- Blocks login for 2 minutes if 3 failed attempts occur within 1 minute.

2.6. Enable Logging and Notifications

Monitor login attempts and session activity.

!
logging buffered 10000
login on-success log
login on-failure log
!

Explanation:
- login on-success log records successful logins.
- login on-failure log tracks failed login attempts.

📚 3. Verification and Monitoring

Verify SSH Configuration:

show ip ssh

Check VTY Line Configuration:

show running-config | section line vty

Monitor Login Attempts:

show login failures

Review Logs:

show logging

⚔️ 4. Troubleshooting Tips

SSH Connection Refused:
- Ensure SSH is enabled (ip ssh version 2).
- Verify RSA key generation.
Authentication Failure:
- Check user credentials and privilege levels.
- Verify login local is applied to VTY lines.
Access Denied:
- Confirm ACL configuration for VTY access.
- Verify IP address matches the permitted range.

✅ 5. Summary of Key Commands

Task	Command Example
Enable SSH	`ip ssh version 2`
Create User Accounts	`username admin privilege 15 secret AdminPass123`
Restrict VTY to SSH	`transport input ssh`
Set Session Timeout	`exec-timeout 10 0`
Limit Login Attempts	`login block-for 120 attempts 3 within 60`
Apply ACL to VTY	`access-class VTY_ACCESS in`
Enable Logging	`login on-success log`

🔒 04.4. Configure SSH

SSH (Secure Shell) provides encrypted communication between devices, ensuring secure remote management of network equipment. It replaces insecure protocols like Telnet, which transmit data in plain text.

🔑 1. Benefits of SSH

Encryption: Protects data during transmission.
Authentication: Verifies user identity.
Integrity: Ensures data is not altered in transit.
Access Control: Limits access to authorized users only.

🛠️ 2. Steps to Configure SSH on Cisco Devices

2.1. Set Device Hostname and Domain Name

SSH requires a unique hostname and domain name for RSA key generation.

!
hostname Router1
ip domain-name example.com
!

Explanation:
- hostname assigns a device name.
- ip domain-name sets the domain for RSA key generation.

2.2. Generate RSA Key Pair

Generate RSA keys for SSH encryption.

!
crypto key generate rsa
!

Explanation:
- The device prompts for key length. Choose 2048 bits for strong encryption.
- RSA keys are used for secure key exchange.

2.3. Enable SSH Version 2

SSH version 2 provides stronger encryption and security features.

!
ip ssh version 2
!

Explanation:
- Version 2 improves security compared to version 1.

2.4. Create Local User Accounts

Define user accounts for SSH authentication.

!
username admin privilege 15 secret AdminPass123
username support privilege 5 secret SupportPass123
!

Explanation:
- privilege 15 grants full administrative rights.
- privilege 5 limits access to specific commands.
- secret ensures password hashing.

2.5. Configure VTY Lines for SSH Access

Restrict virtual terminal (VTY) lines to SSH only.

!
line vty 0 4
transport input ssh
login local
exec-timeout 10 0
!

Explanation:
- transport input ssh disables Telnet access.
- login local uses local user accounts for authentication.
- exec-timeout 10 0 logs out users after 10 minutes of inactivity.

2.6. Restrict Access with ACL

Limit SSH access to trusted IP addresses.

Create an ACL:

!
ip access-list standard SSH_ACCESS
permit 192.168.1.0 0.0.0.255
deny any
!

Apply ACL to VTY lines:

!
line vty 0 4
access-class SSH_ACCESS in
!

Explanation:
- Only users from the 192.168.1.0/24 subnet can access the device via SSH.

2.7. Set SSH Timeout and Retry Limits

Improve session security by limiting retries and session duration.

!
ip ssh time-out 60
ip ssh authentication-retries 3
!

Explanation:
- time-out 60 closes idle SSH sessions after 60 seconds.
- authentication-retries 3 limits failed login attempts to three.

2.8. Enable Logging of SSH Sessions

Log SSH login attempts for auditing purposes.

!
logging buffered 10000
login on-success log
login on-failure log
!

Explanation:
- login on-success log records successful logins.
- login on-failure log tracks failed login attempts.

📚 3. Verification and Testing

Verify SSH Configuration:

show ip ssh

Example Output:

SSH Enabled - version 2.0
Authentication timeout: 60 secs; Authentication retries: 3

Check RSA Key Pair:

show crypto key mypubkey rsa

Verify VTY Line Configuration:

show running-config | section line vty

Test SSH Access from a Remote Device:

ssh -l admin 192.168.1.1

Explanation:
- -l admin specifies the username.
- 192.168.1.1 is the IP address of the Cisco device.

⚔️ 4. Troubleshooting Tips

Connection Refused: Ensure SSH is enabled (ip ssh version 2).
Key Generation Failure: Verify hostname and domain name are set.
Authentication Failure: Check user credentials and privilege levels.
Access Denied: Verify ACL configuration for VTY lines.

✅ 5. Summary of Key Commands

Task	Command Example
Set Hostname and Domain	`hostname Router1` and `ip domain-name example.com`
Generate RSA Keys	`crypto key generate rsa`
Enable SSH Version 2	`ip ssh version 2`
Create User Accounts	`username admin privilege 15 secret AdminPass123`
Restrict VTY to SSH	`transport input ssh`
Set Timeout and Retries	`ip ssh time-out 60` and `ip ssh authentication-retries 3`
Apply ACL to VTY	`access-class SSH_ACCESS in`
Enable Logging	`login on-success log`

🌟 6. Benefits of SSH Configuration

Secure Communication: Encrypts remote management sessions.
Authentication: Ensures only authorized users can access the device.
Access Control: Restricts SSH access to trusted IP addresses.
Monitoring: Logs login attempts for auditing and troubleshooting.

🔒 04.5. Secure Device Access Summary

Securing device access involves protecting network infrastructure from unauthorized access by implementing encryption, strong authentication, and access controls. This ensures that only authorized users can manage and configure devices.

🛡️ 1. Key Components of Secure Device Access

Authentication: Verifies user identity before granting access.
Authorization: Limits user privileges based on roles.
Accounting: Tracks user activities for auditing.
Encryption: Protects communication during remote management.
Access Control: Restricts access to trusted devices and users.

🔑 2. Best Practices for Securing Device Access

Use Encrypted Access:
- Replace Telnet with SSH for remote management.
- Enable HTTPS for web-based management.
Implement Strong Authentication:
- Enforce complex passwords and multi-factor authentication (MFA).
- Use local user accounts or centralized AAA servers.
Restrict Administrative Access:
- Limit access to specific IP addresses using ACLs.
- Apply role-based access control (RBAC).
Enforce Session Management:
- Set idle session timeouts.
- Limit login attempts and block after failures.
Enable Logging and Monitoring:
- Log successful and failed login attempts.
- Monitor administrative activities using Syslog and SNMP.

🛠️ 3. Key Configuration Steps for Cisco Devices

3.1. Configure Secure Passwords

Ensure all passwords are encrypted and meet complexity requirements.

!
enable secret strongpassword123
service password-encryption
!

3.2. Enable SSH for Remote Access

Set hostname and domain name:

hostname Router1
ip domain-name example.com

Generate RSA key pair:

crypto key generate rsa

Enable SSH version 2:

ip ssh version 2

Restrict VTY lines to SSH only:

line vty 0 4
transport input ssh
login local
exec-timeout 10 0

3.3. Create Local User Accounts

Create individual user accounts with privilege levels.

!
username admin privilege 15 secret AdminPass123
username support privilege 5 secret SupportPass123
!

3.4. Restrict Access with ACLs

Limit remote access to trusted IP addresses.

Create an ACL:

ip access-list standard SSH_ACCESS
permit 192.168.1.0 0.0.0.255
deny any

Apply ACL to VTY lines:

line vty 0 4
access-class SSH_ACCESS in

3.5. Enable Login Attack Prevention

Block brute-force login attempts.

!
login block-for 120 attempts 3 within 60
!

3.6. Set Session Timeout

Automatically log out idle sessions.

!
line vty 0 4
exec-timeout 10 0
!

3.7. Enable Logging

Log login attempts and administrative activities.

!
logging buffered 10000
login on-success log
login on-failure log
!

📊 4. Verification and Monitoring

Verify SSH Configuration:

show ip ssh

Check User Accounts:

show running-config | section username

Monitor Login Attempts:

show login failures

View Log Messages:

show logging

✅ 5. Summary of Key Commands

Task	Command Example
Enable Strong Passwords	`enable secret strongpassword123`
Enable SSH	`ip ssh version 2`
Create User Accounts	`username admin privilege 15 secret pass`
Restrict Access with ACLs	`access-class SSH_ACCESS in`
Set Session Timeout	`exec-timeout 10 0`
Limit Login Attempts	`login block-for 120 attempts 3 within 60`
Enable Logging	`login on-success log`

🔐 6. Benefits of Secure Device Access

Enhanced Security: Protects devices from unauthorized access.
Data Integrity: Encrypts remote management traffic.
Access Control: Limits administrative privileges.
Auditing: Tracks user activities for accountability.
Business Continuity: Reduces risk of device compromise.