# CCNA 200-301 - Video 36: Device Hardening and Security

## Deep Study Notes

---

## Learning Objectives

By the end of this video, you should understand:

- Network device security best practices
- Password management and encryption
- SSH configuration for secure management
- Management plane protection and Control Plane Policing (CoPP)
- Control plane security
- Syslog and NTP for security
- Security features (login banners, port security, etc.)

---

## Core Concepts

### 1. What is Device Hardening?

**Definition:** Device hardening is the process of securing network devices by reducing their attack surface: removing known weaknesses, disabling unnecessary services, restricting management access, and applying security best practices.

**Analogy:** Think of device hardening like securing a house. You lock the doors (passwords), seal unused entrances (unnecessary services), install security cameras (logging), and set rules for who may enter (ACLs).

```
DEVICE HARDENING LAYERS

  PHYSICAL SECURITY        (Locked rooms, secure access)
           |
           v
  MANAGEMENT ACCESS        (SSH, AAA, role-based access control)
           |
           v
  CONTROL PLANE            (CoPP, control plane filtering, BGP/OSPF security)
           |
           v
  DATA PLANE               (Port security, ACLs, DHCP snooping)
           |
           v
  MONITORING & LOGGING     (Syslog, SNMP, NetFlow, time synchronization)
```

---

### 2. Password Management

**Password Best Practices:**

```cisco
! Set minimum password length
Router(config)# security passwords min-length 12

! Obscure clear-text passwords in the configuration (type 7: reversible, only
! protects against casual shoulder-surfing of the config)
Router(config)# service password-encryption

! Configure password complexity requirements (Common Criteria policy; requires aaa new-model)
Router(config)# aaa new-model
Router(config)# aaa common-criteria policy STRONG-PW
Router(config-cc-policy)# min-length 12
Router(config-cc-policy)# upper-case 1
Router(config-cc-policy)# lower-case 1
Router(config-cc-policy)# numeric-count 1
Router(config-cc-policy)# special-case 1
Router(config-cc-policy)# exit

! Lock out logins for 15 minutes after 3 failed attempts within 60 seconds
Router(config)# login block-for 900 attempts 3 within 60

! Use a strong enable secret (hashed), never enable password (clear text)
Router(config)# enable secret StrongP@ssw0rd123

! Configure different privilege levels
Router(config)# enable secret level 15 StrongP@ssw0rd123
Router(config)# enable secret level 5 OperatorP@ss123
```

**Password Types:**

| Type | Command | Security |
|------|---------|----------|
| **Type 0** | `enable password` | Clear text (unencrypted) |
| **Type 5** | `enable secret` | Salted MD5 hash (legacy; prefer type 8 or 9 where available) |
| **Type 7** | `service password-encryption` | Weak, reversible obfuscation (Vigenère cipher) |
| **Type 8** | `enable algorithm-type sha256 secret` | PBKDF2-SHA256 (strong) - IOS 15.3+ |
| **Type 9** | `enable algorithm-type scrypt secret` | scrypt (strongest) - IOS 16.3+ |

```cisco
! Use stronger password hashing (IOS 15.3+): sha256 = type 8, scrypt = type 9
Router(config)# enable algorithm-type sha256 secret StrongP@ssw0rd123

! The digit after "secret" in the running-config is the stored hash type
Router# show running-config | include enable secret
enable secret 8 $8$3Nk5T8Z5a3NtY3...
```

---

### 3. Console and AUX Port Security

```cisco
! Console port security
Router(config)# line console 0
Router(config-line)# password ConsoleP@ss123
Router(config-line)# login
! Disconnect idle sessions after 5 minutes 0 seconds
Router(config-line)# exec-timeout 5 0
! Keep log output from interrupting what you are typing
Router(config-line)# logging synchronous
! Command history depth
Router(config-line)# history size 100
! Land directly in privileged EXEC (only where physical access to the console is tightly controlled)
Router(config-line)# privilege level 15
Router(config-line)# exit

! AUX port security (if present)
Router(config)# line aux 0
Router(config-line)# password AuxP@ss123
Router(config-line)# login
Router(config-line)# exec-timeout 5 0
! Disable inbound connections on the AUX port
Router(config-line)# transport input none
Router(config-line)# exit
```

---

### 4. VTY (Virtual Terminal) Lines Security

```cisco
! Configure VTY lines (0-4 for Telnet/SSH, 5-15 for additional sessions)
Router(config)# line vty 0 15
Router(config-line)# password VtyP@ss123
Router(config-line)# login
Router(config-line)# exec-timeout 5 0
Router(config-line)# logging synchronous
Router(config-line)# history size 100
! Only allow SSH (no Telnet)
Router(config-line)# transport input ssh
Router(config-line)# transport output ssh
! Restrict which source addresses may open a management session
Router(config-line)# access-class 10 in
Router(config-line)# exit

! ACL to restrict VTY access
Router(config)# access-list 10 permit 192.168.1.0 0.0.0.255
Router(config)# access-list 10 deny any
```

---

### 5. SSH Configuration

**SSH Configuration Steps:**

```cisco
! Step 1: Configure hostname and domain name (both are needed to name the RSA key pair)
Router(config)# hostname Router
Router(config)# ip domain-name example.com

! Step 2: Generate an RSA key pair
Router(config)# crypto key generate rsa modulus 2048
The name for the keys will be: Router.example.com
% Generating 2048 bit RSA keys ... [OK]

! Step 3: Force SSH version 2 only
Router(config)# ip ssh version 2

! Step 4: Set SSH authentication timeout and retries
Router(config)# ip ssh time-out 60
Router(config)# ip ssh authentication-retries 3

! Step 5: Create a local user for SSH
Router(config)# username admin privilege 15 secret StrongP@ss123

! Step 6: Configure VTY lines for SSH with local authentication
Router(config)# line vty 0 15
Router(config-line)# transport input ssh
Router(config-line)# login local
Router(config-line)# exec-timeout 5 0
Router(config-line)# exit

! Step 7: (Optional) Log SSH session events to syslog
Router(config)# ip ssh logging events

! Step 8: Verify SSH
Router# show ip ssh
Router# show ssh
```

**SSH Verification:**

```cisco
Router# show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 60 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024
IOS Keys in SECSH format(ssh-rsa, base64 encoded): YES

Router# show ssh
Connection Version Mode Encryption  Hmac          State
0          2.0     IN   aes256-ctr  hmac-sha2-256 Session started
0          2.0     OUT  aes256-ctr  hmac-sha2-256 Session started
%No SSHv1 server connections running.
```

---

### 6. Login Banner and MOTD

```cisco
! MOTD (Message of the Day) - legal warning, shown before login
Router(config)# banner motd ^C
Unauthorized access is prohibited!
All activities are monitored and recorded.
^C

! Login banner (shown after the MOTD, before the password prompt)
Router(config)# banner login ^C
Warning: This system is for authorized users only.
^C

! EXEC banner (shown after a successful login)
Router(config)# banner exec ^C
Welcome to the network device!
^C
```

---

### 7. Disable Unnecessary Services

```cisco
! Disable TCP and UDP small servers (echo, discard, chargen, daytime)
Router(config)# no service tcp-small-servers
Router(config)# no service udp-small-servers

! ICMP redirects, unreachables, mask replies and proxy ARP are per-interface settings
Router(config)# interface gigabitEthernet 0/0
Router(config-if)# no ip redirects
Router(config-if)# no ip unreachables
Router(config-if)# no ip mask-reply
Router(config-if)# no ip proxy-arp
! Disable CDP on this interface only
Router(config-if)# no cdp enable
Router(config-if)# exit

! Disable CDP (Cisco Discovery Protocol) globally if not needed
Router(config)# no cdp run

! Disable LLDP if not needed
Router(config)# no lldp run

! Disable the HTTP and HTTPS management servers
Router(config)# no ip http server
Router(config)# no ip http secure-server

! Disable SNMP if not used
Router(config)# no snmp-server

! Disable the BOOTP server
Router(config)# no ip bootp server

! Disable the finger service
Router(config)# no service finger

! Disable DNS lookups of mistyped commands (prevents command delays)
Router(config)# no ip domain-lookup
```

---

### 8. Control Plane Policing (CoPP)

**Control Plane Policing (CoPP):** Rate-limits traffic destined to the router's CPU so that a flood cannot starve routing protocols and management access. (Cisco's separate Management Plane Protection feature restricts which interfaces accept management traffic at all; CoPP polices what does reach the CPU.)

```
CONTROL PLANE POLICING (CoPP)

  Control Plane (CPU)
  +---------------------------------------------------------------+
  |  Traffic to CPU --> Classify --> Police --> Permit/Drop        |
  |                                                               |
  |  - Limits the rate of control plane traffic                   |
  |  - Prevents DoS attacks from overwhelming the CPU             |
  |  - Protects routing protocols and management access           |
  +---------------------------------------------------------------+
```

**CoPP Configuration:**

```cisco
! Step 1: ACL matching the traffic to police
! SSH
access-list 100 permit tcp any any eq 22
! HTTPS
access-list 100 permit tcp any any eq 443
! SNMP
access-list 100 permit udp any any eq 161
! NTP
access-list 100 permit udp any any eq 123
access-list 100 permit ospf any any
access-list 100 permit eigrp any any

! Step 2: Class map
class-map COPP-CRITICAL
 match access-group 100

! Step 3: Policy map (rate in bits per second, burst in bytes)
policy-map COPP-POLICY
 class COPP-CRITICAL
  police 512000 8000 conform-action transmit exceed-action drop
 class class-default
  police 128000 8000 conform-action transmit exceed-action drop

! Step 4: Apply the policy to the control plane
control-plane
 service-policy input COPP-POLICY
```

---

### 9. Logging and Monitoring

```cisco
! Local log buffer: size in bytes and severity ceiling
Router(config)# logging buffered 16384 informational

! Send logs to a syslog server
Router(config)# logging host 192.168.1.100
! Forward only severity 0-5 (notifications and more urgent) to the server
Router(config)# logging trap notifications

! Source log messages from a stable interface
Router(config)# logging source-interface loopback 0

! Timestamp log and debug messages
Router(config)# service timestamps log datetime msec localtime show-timezone
Router(config)# service timestamps debug datetime msec localtime show-timezone

! Send SNMP traps for authentication failures and configuration changes
Router(config)# snmp-server enable traps snmp authentication
Router(config)# snmp-server enable traps config

! Limit console logging to warnings and more urgent
Router(config)# logging console warnings

! Logging to terminal lines (VTY), shown after "terminal monitor"
Router(config)# logging monitor informational
```

**Logging Levels:**

| Level | Keyword | Description |
|-------|---------|-------------|
| **0** | emergencies | System unusable |
| **1** | alerts | Immediate action needed |
| **2** | critical | Critical conditions |
| **3** | errors | Error conditions |
| **4** | warnings | Warning conditions |
| **5** | notifications | Normal but significant |
| **6** | informational | Informational messages |
| **7** | debugging | Debug messages |

A level given to `logging trap`, `logging console` or `logging monitor` is a ceiling: messages at that severity and at every numerically lower (more urgent) level are sent, and higher-numbered levels are suppressed.

---

### 10. NTP (Network Time Protocol) for Security

```cisco
! Configure NTP for accurate time stamps
Router(config)# ntp server 0.pool.ntp.org
Router(config)# ntp server 1.pool.ntp.org prefer

! Configure timezone (EST is UTC-5; the summer-time rule handles EDT)
Router(config)# clock timezone EST -5
Router(config)# clock summer-time EDT recurring

! Authenticate NTP so a rogue time source is not accepted (prevents spoofing)
Router(config)# ntp authenticate
Router(config)# ntp authentication-key 1 md5 StrongNTPKey123
Router(config)# ntp trusted-key 1
Router(config)# ntp server 192.168.1.100 key 1

! Verify NTP
Router# show ntp status
Router# show ntp associations
```
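Sections 9 and 10 together decide what a collector actually sees: the severity ceiling set by `logging trap`, the timestamp format set by `service timestamps`, and whether the clock behind those timestamps was NTP-synchronised. As an added example (not code from the original notes), this Python script parses IOS syslog lines in that format, applies the `logging trap` ceiling the way the router does, and flags messages whose leading `*` marks an unsynchronised clock; the sample log lines are constructed.

```python
"""Parse Cisco IOS syslog lines and apply a 'logging trap' severity ceiling.
Added example, not from the notes; the log lines below are constructed and use
the 'service timestamps log datetime msec localtime show-timezone' format."""
import re

# Severity keywords exactly as accepted by 'logging trap <keyword>'.
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Example: '*Mar  1 00:12:34.567 EST: %SEC_LOGIN-4-LOGIN_FAILED: ...'
# A leading '*' means the clock was never NTP-synchronised, '.' that sync was
# lost; no prefix means the timestamp is authoritative.
LINE_RE = re.compile(
    r"^(?P<sync>[*.]?)(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>\w+): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$")


def parse_ios_syslog(line):
    """Return the message fields as a dict, or None if the line is not IOS syslog."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    rec["clock_synced"] = rec["sync"] == ""
    return rec


def forwarded_to_syslog(lines, trap_level="notifications"):
    """Keep the messages a router with 'logging trap <trap_level>' would forward.
    The configured level is a ceiling: severities numerically <= it are sent."""
    ceiling = SEVERITY[trap_level]
    records = (parse_ios_syslog(l) for l in lines)
    return [r for r in records if r is not None and r["severity"] <= ceiling]


# Constructed sample log lines.
SAMPLE_LOG = [
    "*Mar  1 00:12:34.567 EST: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.50)",
    "Mar  1 00:12:40.001 EST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.9.8.7] [localport: 22] [Reason: Login Authentication Failed]",
    "Mar  1 00:12:41.222 EST: %SSH-5-SSH2_USERAUTH: User 'admin' authentication for SSH2 Session from 192.168.1.50 (tty = 0) using crypto cipher 'aes256-ctr', hmac 'hmac-sha2-256' Succeeded",
    "Mar  1 00:13:00.100 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up",
    "Mar  1 00:13:05.500 EST: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.100 port 514 started - CLI initiated",
    "not a syslog line at all",
]

if __name__ == "__main__":
    for rec in forwarded_to_syslog(SAMPLE_LOG, "notifications"):
        flag = "" if rec["clock_synced"] else " (clock not NTP-synced)"
        print(rec["severity"], rec["facility"], rec["mnemonic"], rec["text"][:40] + flag)
```

With `notifications` as the ceiling the severity-6 `LOGGINGHOST_STARTSTOP` message never reaches the collector, while the severity-4 login failure does; the first line is also flagged because its `*` prefix shows the router's clock was not synchronised when it was logged.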
---

### 11. Port Security Review

```cisco
! Enable port security on access ports
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! Allow at most 2 MAC addresses on the port
 switchport port-security maximum 2
 ! Err-disable the port on a violation (other modes: protect, restrict)
 switchport port-security violation shutdown
 ! Learn MAC addresses dynamically and save them to the running-config
 switchport port-security mac-address sticky
 ! Age out secured addresses after 60 minutes of inactivity
 switchport port-security aging time 60
 switchport port-security aging type inactivity
!
! Verify port security
Switch# show port-security
Switch# show port-security interface fastEthernet 0/1
```

---

### 12. DHCP Snooping Review

```cisco
! Enable DHCP snooping globally
Switch(config)# ip dhcp snooping

! Enable DHCP snooping on the VLANs to protect
Switch(config)# ip dhcp snooping vlan 10,20,30

! Trust only the uplink toward the legitimate DHCP server
Switch(config)# interface gigabitEthernet 0/24
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# exit

! Rate-limit DHCP messages on untrusted access ports (an interface-level command)
Switch(config)# interface FastEthernet 0/1
Switch(config-if)# ip dhcp snooping limit rate 100
Switch(config-if)# exit

! Verify DHCP snooping
Switch# show ip dhcp snooping
Switch# show ip dhcp snooping binding
```

---

### 13. Device Security Checklist

```
DEVICE SECURITY CHECKLIST

PHYSICAL SECURITY:
  [ ] Devices in locked rooms/cages
  [ ] Console ports secured
  [ ] Emergency access procedures documented

ACCESS SECURITY:
  [ ] Strong passwords (min 12 chars)
  [ ] Enable secret with type 8 or 9
  [ ] service password-encryption enabled
  [ ] SSH enabled, Telnet disabled
  [ ] VTY ACL restricting management access
  [ ] Login banners with legal warnings
  [ ] AAA configured (TACACS+/RADIUS)

CONTROL PLANE SECURITY:
  [ ] CoPP configured
  [ ] Routing protocol authentication enabled
  [ ] Unnecessary services disabled

DATA PLANE SECURITY:
  [ ] ACLs on interfaces
  [ ] Port security on access ports
  [ ] DHCP snooping enabled
  [ ] ARP inspection enabled
  [ ] BPDU guard enabled on PortFast ports

MONITORING:
  [ ] Syslog server configured
  [ ] NTP configured
  [ ] SNMPv3 configured (if used)
  [ ] NetFlow/IPFIX configured for monitoring
  [ ] Regular configuration backups
```

---

### 14. Security Verification Commands

| Command | Purpose |
|---------|---------|
| `show running-config \| include password` | View password configuration |
| `show ip ssh` | Display SSH configuration |
| `show ssh` | Display active SSH sessions |
| `show policy-map control-plane` | Display CoPP policer statistics |
| `show logging` | Display syslog messages |
| `show ntp status` | Display NTP synchronization |
| `show port-security` | Display port security status |
| `show ip dhcp snooping` | Display DHCP snooping status |

---

## Complete Configuration Examples

### Lab 1: Basic Device Hardening

```cisco
hostname Router
!
! Password security
security passwords min-length 12
service password-encryption
enable algorithm-type sha256 secret StrongP@ssw0rd123
!
! Banner
banner motd ^C
UNAUTHORIZED ACCESS IS PROHIBITED!
^C
!
! Disable unnecessary services
no ip http server
no ip http secure-server
no cdp run
no ip domain-lookup
!
interface gigabitEthernet 0/0
 no ip redirects
 no ip unreachables
!
! SSH configuration
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Local user
username admin privilege 15 algorithm-type sha256 secret AdminP@ss123
!
! VTY lines
line vty 0 15
 transport input ssh
 login local
 exec-timeout 5 0
 logging synchronous
!
! Console line
line console 0
 password ConsoleP@ss123
 login
 exec-timeout 5 0
 logging synchronous
!
! NTP
! Note: "no ip domain-lookup" above disables DNS, so hostname-based NTP servers
! need a name server or static "ip host" entries; otherwise use IP addresses.
clock timezone EST -5
ntp server 0.pool.ntp.org
ntp server 1.pool.ntp.org prefer
!
! Logging
logging buffered 16384 informational
service timestamps log datetime msec localtime show-timezone
!
end
```
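The checklist items that live in the configuration text can be verified mechanically against a saved running-config such as Lab 1. As an added example (not part of the original notes), this Python script parses a stored IOS configuration into its blocks and reports which checklist items fail; the sample configuration is constructed and deliberately leaves several gaps (a type 7 password, Telnet still allowed on `vty 0 4`, no `access-class`, no CoPP).

```python
"""Audit an IOS running-config against the hardening checklist above.
Added example, not from the notes; the sample config below is constructed."""
import re


def parse_sections(config):
    """(header, [children]) pairs; IOS indents block members by one space."""
    sections, current = [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            sections.append(current)
    return sections


def audit_config(config):
    """Return {check_name: passed}; type 0/7 passwords count as findings."""
    sections = parse_sections(config)
    top = {hdr for hdr, _ in sections}
    vty_blocks = [kids for hdr, kids in sections if hdr.startswith("line vty")]

    def every_vty(pattern):  # pass only if every 'line vty' block matches
        return bool(vty_blocks) and all(
            any(re.match(pattern, l) for l in kids) for kids in vty_blocks)

    return {
        "no type 0/7 passwords": not re.search(r"\b(password|secret) [07] ", config),
        "enable secret type 8/9": bool(re.search(r"^enable secret [89] ", config, re.M)),
        "service password-encryption": "service password-encryption" in top,
        "ssh version 2": "ip ssh version 2" in top,
        "vty ssh only": every_vty(r"transport input ssh$"),
        "vty login local/aaa": every_vty(r"login (local|authentication)"),
        "vty access-class": every_vty(r"access-class \d+ in"),
        "vty exec-timeout set": not any("exec-timeout 0 0" in k for k in vty_blocks),
        "http server off": "no ip http server" in top,
        "syslog host": any(h.startswith("logging host ") for h in top),
        "ntp server": any(h.startswith("ntp server ") for h in top),
        "copp applied": any(h == "control-plane" and
                            any(k.startswith("service-policy input") for k in kids)
                            for h, kids in sections),
    }


def failed_checks(config):
    """Sorted names of the checklist items the configuration fails."""
    return sorted(n for n, ok in audit_config(config).items() if not ok)


# Constructed sample with several gaps left in on purpose.
WEAK_CONFIG = """\
enable secret 5 $1$CONSTRUCTED$placeholderhash
username admin privilege 15 password 7 CONSTRUCTED7HASH
ip http server
ip ssh version 2
logging host 192.168.1.100
ntp server 192.168.1.100
line vty 0 4
 transport input telnet ssh
 login local
 exec-timeout 0 0
line vty 5 15
 transport input ssh
 login local
 access-class 10 in
 exec-timeout 5 0
"""
```

`failed_checks(WEAK_CONFIG)` reports eight findings; the VTY checks are deliberately "every block" checks, because hardening `line vty 5 15` does nothing if `line vty 0 4` still accepts Telnet.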
---

### Lab 2: CoPP Configuration

```cisco
! ACL for critical management and control-plane protocols
ip access-list extended COPP-CRITICAL
 permit tcp any any eq 22
 permit tcp any any eq 443
 permit udp any any eq 161
 permit udp any any eq 123
 permit ospf any any
 permit eigrp any any
 permit icmp any any echo
!
! Class map for critical traffic
class-map match-any COPP-CRITICAL-CLASS
 match access-group name COPP-CRITICAL
!
! Class map for normal traffic
class-map match-any COPP-NORMAL-CLASS
 match protocol arp
 match protocol dhcp
!
! Policy map (rate in bits per second, burst in bytes)
policy-map COPP-POLICY
 class COPP-CRITICAL-CLASS
  police 512000 8000 conform-action transmit exceed-action drop
 class COPP-NORMAL-CLASS
  police 256000 8000 conform-action transmit exceed-action drop
 class class-default
  police 128000 8000 conform-action transmit exceed-action drop
!
! Apply to the control plane
control-plane
 service-policy input COPP-POLICY
!
! Verify (per-class conform/exceed counters)
Router# show policy-map control-plane
```

---

### Lab 3: Management Access ACL

```cisco
! Create the ACL for management access
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 10 deny any
!
! Apply the ACL to the VTY lines
line vty 0 15
 access-class 10 in
!
! Apply the same ACL to SNMP (if used; prefer SNMPv3 and replace the default community string)
snmp-server community public RO 10
!
! Verify
Router# show access-lists 10
Router# show line vty 0 15
```

---

## Exam Tips (For CCNA 200-301)

| Topic | What Cisco Tests |
|-------|------------------|
| **SSH Configuration** | Hostname, domain, RSA key, version 2 |
| **Password Types** | Type 5 (MD5), Type 8 (PBKDF2), Type 9 (SCRYPT) |
| **VTY Security** | `transport input ssh`, `login local`, `access-class` |
| **Banners** | MOTD (legal warning), login, exec |
| **CoPP** | Protects CPU from DoS attacks |
| **NTP** | Accurate timestamps for logs |
| **Port Security** | Sticky MAC, violation modes |

### Common Exam Scenarios:

**Scenario 1:** "A router needs to be configured for secure remote management. Which protocol should be used and what are the required configuration steps?"

- **Answer:** SSH; hostname, domain name, RSA key, SSH version 2, local user, VTY `transport input ssh`

**Scenario 2:** "What is the purpose of CoPP?"

- **Answer:** Protects the control plane (CPU) from excessive traffic, preventing DoS attacks

**Scenario 3:** "Why is NTP important for network security?"

- **Answer:** Ensures accurate timestamps on logs for incident correlation and forensic analysis

### Mnemonics:

**SSH Configuration Steps:** **"H-D-R-V-U" - Hostname, Domain, RSA key, Version, User**

- **H**ostname
- **D**omain name
- **R**SA key
- **V**ersion 2
- **U**ser authentication

**Security Layers:** **"P-M-C-D" - Physical, Management, Control, Data**

- **P**hysical security
- **M**anagement security
- **C**ontrol plane security
- **D**ata plane security

---

## Summary (1-Minute Revision)

```
DEVICE HARDENING:

PASSWORD MANAGEMENT:
├── enable algorithm-type sha256|scrypt secret (type 8/9, strong)
├── service password-encryption (type 7, weak)
├── security passwords min-length 12
└── login block-for / aaa common-criteria policy (lockout, complexity)

SSH CONFIGURATION:
├── hostname and ip domain-name
├── crypto key generate rsa modulus 2048
├── ip ssh version 2
├── username admin secret
├── line vty 0 15 + transport input ssh
└── login local

DISABLE UNNECESSARY SERVICES:
├── no ip http server / no ip http secure-server
├── no cdp run
├── no ip redirects (per interface)
├── no ip unreachables (per interface)
└── no ip domain-lookup

CONTROL PLANE SECURITY:
├── Control Plane Policing (CoPP)
├── Routing protocol authentication
└── Limit management access

MONITORING:
├── NTP for accurate timestamps
├── Syslog for logging
└── SNMPv3 for monitoring (if used)

DATA PLANE SECURITY:
├── ACLs on interfaces
├── Port security on access ports
├── DHCP snooping
└── BPDU guard / root guard

KEY COMMANDS:
├── show ip ssh
├── show policy-map control-plane
├── show port-security
├── show logging
└── show ntp status
```

---

## Practice Questions

**1. Which command enables SSH version 2 on a Cisco router?**

- A) `ip ssh version 2`
- B) `ssh version 2`
- C) `crypto ssh version 2`
- D) `ip ssh 2`

<details>
<summary>Answer</summary>
<b>A) `ip ssh version 2`</b> - This configures the router to use SSH version 2.
</details>

**2. What is the minimum recommended RSA key size for SSH?**

- A) 512 bits
- B) 1024 bits
- C) 2048 bits
- D) 4096 bits

<details>
<summary>Answer</summary>
<b>C) 2048 bits</b> - 2048-bit RSA keys are the current recommended minimum.
</details>

**3. Which command restricts VTY access to SSH only?**

- A) `transport input ssh`
- B) `transport output ssh`
- C) `login ssh`
- D) `access-class ssh`

<details>
<summary>Answer</summary>
<b>A) `transport input ssh`</b> - This allows only SSH connections to the VTY lines.
</details>

**4. What is the purpose of CoPP (Control Plane Policing)?**

- A) Encrypt management traffic
- B) Protect the router CPU from DoS attacks
- C) Secure routing protocols
- D) Monitor network traffic

<details>
<summary>Answer</summary>
<b>B) Protect the router CPU from DoS attacks</b> - CoPP limits the rate of traffic destined to the control plane.
</details>

**5. Which command sets the minimum password length to 12 characters?**

- A) `security password min-length 12`
- B) `security passwords min-length 12`
- C) `password min-length 12`
- D) `service password min-length 12`

<details>
<summary>Answer</summary>
<b>B) `security passwords min-length 12`</b> - This sets the minimum password length.
</details>

**6. Which banner should contain a legal warning about unauthorized access?**

- A) Login banner
- B) MOTD banner
- C) EXEC banner
- D) Incoming banner

<details>
<summary>Answer</summary>
<b>B) MOTD banner</b> - The Message of the Day banner is displayed before login.
</details>

**7. What is the purpose of `service password-encryption`?**

- A) Encrypts all passwords in running-config
- B) Enables SSH
- C) Sets password complexity requirements
- D) Configures AAA

<details>
<summary>Answer</summary>
<b>A) Encrypts all passwords in running-config</b> - Uses Type 7 encryption (weak).
</details>

**8. Which command displays active SSH sessions?**

- A) `show ip ssh`
- B) `show ssh`
- C) `show crypto ssh`
- D) `show sessions`

<details>
<summary>Answer</summary>
<b>B) `show ssh`</b> - Displays active SSH sessions.
</details>

**9. Which protocol should be used for secure remote management?**

- A) Telnet
- B) HTTP
- C) SSH
- D) SNMP

<details>
<summary>Answer</summary>
<b>C) SSH</b> - Secure Shell encrypts all traffic, unlike Telnet.
</details>

**10. What is the effect of `no ip http server`?**

- A) Disables HTTP server
- B) Disables HTTPS server
- C) Disables both HTTP and HTTPS
- D) Disables SSH

<details>
<summary>Answer</summary>
<b>A) Disables HTTP server</b> - Disables the insecure HTTP server.
</details>

**11. Which command enables logging to a syslog server?**

- A) `logging host 192.168.1.100`
- B) `syslog server 192.168.1.100`
- C) `log server 192.168.1.100`
- D) `logger host 192.168.1.100`

<details>
<summary>Answer</summary>
<b>A) `logging host 192.168.1.100`</b> - Configures the syslog server address.
</details>

**12. What is the purpose of the `exec-timeout` command on VTY lines?**

- A) Limit SSH session duration
- B) Set idle session timeout
- C) Configure password expiration
- D) Set command execution timeout

<details>
<summary>Answer</summary>
<b>B) Set idle session timeout</b> - Automatically disconnects idle sessions.
</details>

---

## Next Steps

After completing Video 36, you should be ready for:

- **Video 37:** AAA (Authentication, Authorization, Accounting)
- **Video 38:** 802.1X and Network Access Control (NAC)

**Lab Practice:**

1. Configure SSH on a router
2. Disable unnecessary services
3. Configure a VTY ACL for management access
4. Configure NTP and syslog
5. Set up logging to a server
6. Configure CoPP to protect the CPU
7. Verify all security configurations