Securing Network Devices
2.0 Introduction
2.6 Summary
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Single Router Approach
Tasks:
• Restrict device accessibility
• Authenticate access
• Authorize actions
Local Access
Remote Access Using Telnet
Dedicated Management Network
Guidelines:
• Use a password length of 10 or more characters.
Virtual login security enhancements:
• Implement delays between successive login attempts
• Enable login shutdown if DoS attacks are suspected
• Generate system logging messages for login detection
Command Syntax: login block-for
Generate Login Syslog Messages
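The password guideline, the three virtual-login enhancements and the login block-for syntax above, applied together on one IOS router. This is an added example, not a configuration from the course; the hostnames, addresses, ACL name and passwords are placeholders, and the syslog lines in the comments show the typical message form, not output captured from a real device.

```cisco
! Added example (not from the course). Addresses, ACL name and secrets are placeholders.
!
! --- Password policy: enforce the "10 or more characters" guideline ---
security passwords min-length 10
! Type-7 obfuscation for any remaining plaintext passwords (reversible, not a substitute for secrets)
service password-encryption
enable secret StrongEnable#2024x
username netadmin secret StrongAdmin#2024x
! On IOS 15.3(3)M and later prefer the scrypt (type 9) hash instead:
!   enable algorithm-type scrypt secret StrongEnable#2024x
!   username netadmin algorithm-type scrypt secret StrongAdmin#2024x
!
! --- Virtual login enhancements ---
! Shut down logins for 120 s (quiet mode) after 3 failures within a 60 s window.
login block-for 120 attempts 3 within 60
! Hosts matching this ACL may still log in while the router is in quiet mode,
! so an attacker cannot lock administrators out with a flood of bad passwords.
ip access-list standard PERMIT-ADMIN
 permit 10.10.10.0 0.0.0.255
login quiet-mode access-class PERMIT-ADMIN
! Delay between successive attempts (once block-for is set the default is 1 s).
login delay 2
! Syslog on every failed attempt and on each successful login.
login on-failure log every 1
login on-success log
!
! Verification:
!   show login            -> quiet-mode state and the current failure counters
!   show login failures   -> recent failed attempts with user, source and time
!
! Typical messages generated by the settings above (form only, not captured output):
!   %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.7] [localport: 22] [Reason: Login Authentication Failed] at 09:15:31 UTC Mon Jan 10 2024
!   %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: admin] [Source: 192.0.2.7] [localport: 22] [Reason: Login Authentication Failed] [ACL: PERMIT-ADMIN] at 09:15:40 UTC Mon Jan 10 2024
!   %SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, because block period timed out at 09:17:40 UTC Mon Jan 10 2024
!   %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netadmin] [Source: 10.10.10.5] [localport: 22] at 09:18:02 UTC Mon Jan 10 2024
```

Without the quiet-mode ACL, `login block-for` is itself a denial-of-service lever: three bad passwords from anywhere lock every administrator out for the block period. Ship the `%SEC_LOGIN` messages to the syslog collector so a burst of LOGIN_FAILED followed by QUIET_MODE_ON can be alerted on.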
Example SSH Configuration
Two ways to connect:
Enable SSH and use a Cisco router as an SSH server or as an SSH client.
As a server, the router can accept connections from SSH clients.
As a client, the router can connect via SSH to another SSH-enabled router.
Use an SSH client running on a host, such as PuTTY, OpenSSH, or TeraTerm.
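A complete SSH server configuration for the router, plus the two client-side connections described above (router-to-router and host-to-router). This is an added example rather than the course's own "Example SSH Configuration"; the hostname, domain name, addresses, ACL name and credentials are placeholders.

```cisco
! Added example (not from the course). Names, addresses and secrets are placeholders.
!
! --- R1 as SSH server ---
hostname R1
ip domain-name example.com
! The RSA key pair must exist before SSH can start; use 2048 bits or more.
crypto key generate rsa general-keys modulus 2048
! Refuse SSHv1, which has known protocol weaknesses.
ip ssh version 2
! Drop half-open negotiations after 60 s, and allow only 2 authentication tries per session.
ip ssh time-out 60
ip ssh authentication-retries 2
username netadmin secret StrongAdmin#2024x
! Only hosts on the management network may open vty sessions.
ip access-list standard MGMT-HOSTS
 permit 10.10.10.0 0.0.0.255
line vty 0 4
 login local
 transport input ssh
 access-class MGMT-HOSTS in
 exec-timeout 5 0
!
! Verification on R1:
!   show ip ssh   -> "SSH Enabled - version 2.0" plus timeout and retry values
!   show ssh      -> currently connected sessions
!
! --- R2 as SSH client, connecting to R1 at 10.10.10.1 ---
!   R2# ssh -v 2 -l netadmin 10.10.10.1
!
! --- Host as SSH client (OpenSSH) ---
!   $ ssh netadmin@10.10.10.1
```

The `transport input ssh` line is what actually removes Telnet; generating keys and setting `ip ssh version 2` alone still leaves the vty lines accepting cleartext Telnet. The `access-class` on the vty lines is a second, independent control: even a valid password does not help an attacker whose source address is outside the management network.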
Upon completion of this section, you should be able to:
Configure administrative privilege levels to control command availability.
Configure role-based CLI access to control command availability.
Privilege levels:
• Level 0: Predefined for user-level access privileges. Lowest EXEC mode user privileges.
• Level 1: Default level for login with the router prompt. Only user-level commands available at the router> prompt.
• Levels 2-14: May be customized for user-level privileges.
• Level 15: Reserved for the enable mode privileges.

Levels of access commands:
• User EXEC mode (privilege level 1)
• Privileged EXEC mode (privilege level 15): all enable-level commands at the router# prompt
• No access control to specific interfaces, ports, logical interfaces, and slots on a router
• Commands available at lower privilege levels are always executable at higher privilege levels
• Commands specifically set at higher privilege levels are not available for lower privilege users
• Assigning a command with multiple keywords allows access to all commands that use those keywords
For example:
• Security operator privileges:
  – Configure AAA
  – Issue show commands
  – Configure firewall
  – Configure IDS/IPS
  – Configure NetFlow
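Custom privilege levels for two of the roles discussed in this section: a help-desk operator at level 5 and a security operator at level 10 who may configure NetFlow. The transcript at the end illustrates the keyword limitation listed earlier. This is an added example, not the course's configuration; level numbers, command choices and passwords are placeholders.

```cisco
! Added example (not from the course). Levels, commands and secrets are placeholders.
!
! --- Level 5: help-desk operator may ping and view interface state ---
privilege exec level 5 ping
privilege exec level 5 show ip interface brief
! Caveat from the limitations list: moving "show ip interface brief" to level 5 also
! exposes the parent keywords "show" and "show ip" at level 5, so other user-level
! show commands become reachable. Privilege levels also cannot scope a command to one
! interface or slot; use role-based CLI views for that kind of granularity.
enable secret level 5 HelpDesk#2024x
!
! --- Level 10: security operator may enter config mode and manage NetFlow ---
privilege exec level 10 configure terminal
privilege configure level 10 interface
privilege interface level 10 ip flow ingress
privilege interface level 10 ip flow egress
privilege configure level 10 ip flow-export
enable secret level 10 SecOps#2024x
!
! Bind users to their level so "login local" lands them there directly
username helpdesk privilege 5 secret HelpDesk#2024x
username secops privilege 10 secret SecOps#2024x
!
! Operator session (transcript, not configuration):
!   R1> enable 5
!   Password:
!   R1# show privilege
!   Current privilege level is 5
!   R1# show ip interface brief        <- permitted, assigned to level 5
!   R1# show running-config
!   % Invalid input detected           <- "running-config" stays at level 15
```

Because commands inherit upward, everything granted to level 5 is automatically usable at level 10 and 15. Use `show privilege` after `enable <level>` to confirm a test account really lands where intended before handing it to an operator.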
Enable Root View and Verify All Views
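The role-based CLI access procedure carried through end to end: enable AAA, enter the root view, define two views, bundle them in a superview, and verify. This is an added example rather than the course's own steps; the view names, commands and passwords are placeholders.

```cisco
! Added example (not from the course). View names and secrets are placeholders.
!
! Prerequisites: AAA enabled and an enable secret for the root view
aaa new-model
enable secret RootView#2024x
!
! Enter the root view from privileged EXEC before creating views (prompts for the enable secret):
!   R1# enable view
!
! View for a monitoring operator: every show command plus ping, nothing else
parser view MONITOR
 secret Monitor#2024x
 commands exec include all show
 commands exec include ping
!
! View for a security operator: show commands, config mode, AAA and NetFlow export
parser view SECOPS
 secret SecOps#2024x
 commands exec include all show
 commands exec include configure terminal
 commands configure include all aaa
 commands configure include ip flow-export
!
! Superview that bundles both views; a superview has no commands of its own
parser view ADMIN-SUPER superview
 secret Super#2024x
 view MONITOR
 view SECOPS
!
! Tie a user to a view so "login local" drops them straight into it
username monitor view MONITOR secret Monitor#2024x
!
! Verification (from the root view):
!   R1# enable view MONITOR
!   R1# show parser view        -> Current view is 'MONITOR'
!   R1# show parser view all    -> lists every configured view and superview
```

Unlike privilege levels, a view whitelists exactly the commands it names, so `commands exec include all show` does not leak anything outside `show`. Keep the root-view enable secret separate from the view secrets: whoever holds it can edit every view.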
Upon completion of this section, you should be able to:
• Use the Cisco IOS resilient configuration feature to secure the Cisco IOS image and configuration files.
• Compare in-band and out-of-band management access.
• Configure syslog to log system events.
• Configure secure SNMPv3 access using ACLs.
• Configure NTP to enable accurate timestamping between all devices.
Configure the router for server-side SCP with local AAA:
1. Configure SSH
3. Enable AAA
1. Connect to the console port.
5. Change the default configuration register with the confreg 0x2142 command.
Disable Password Recovery
no service password-recovery
Password recovery functionality is disabled
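The three image-and-configuration protections from this section in one place: the resilient configuration feature, server-side SCP with local AAA (the SSH and AAA steps above), and disabling password recovery so the confreg 0x2142 procedure no longer works. This is an added example, not the course's configuration; usernames, addresses and secrets are placeholders, and the SCP command from the host is an assumption about a typical OpenSSH invocation.

```cisco
! Added example (not from the course). Names, addresses and secrets are placeholders.
!
! --- Cisco IOS Resilient Configuration ---
! Archives the running IOS image and a copy of the running config in a hidden
! area of flash that "dir" does not list. The feature can only be turned off
! from a console session, so a remote attacker cannot remove the archive.
secure boot-image
secure boot-config
! Verify:  R1# show secure bootset
! Restore the archived config later with:  R1(config)# secure boot-config restore flash:archived.cfg
!
! --- Server-side SCP with local AAA ---
! Assumes SSH is already configured (hostname, ip domain-name, RSA key, ip ssh version 2).
username netadmin privilege 15 secret StrongAdmin#2024x
aaa new-model
aaa authentication login default local
aaa authorization exec default local
ip scp server enable
! Copy the config off-box from the router (router acts as SCP client here):
!   R1# copy running-config scp://netadmin@10.10.10.50/R1-running.cfg
! Or pull it from a management host (assumed OpenSSH form; the remote path
! syntax varies by IOS release):
!   $ scp netadmin@10.10.10.1:running-config ./R1-running.cfg
!
! --- Disable password recovery ---
! After this, a break during boot no longer gives ROMMON access to set
! confreg 0x2142; the only way back in without the password is to wipe the
! configuration. "show version" reports "Password recovery is disabled".
no service password-recovery
```

Disabling password recovery protects the configuration from someone with physical console access, but it also means a lost enable secret costs you the configuration. Keep the resilient-configuration archive and an off-box SCP copy current before enabling it.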
In-Band Management:
Security Levels
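A syslog configuration covering the severity levels and the four configuration steps of this section. This is an added example, not the course's own configuration; the collector address and interface names are placeholders.

```cisco
! Added example (not from the course). Collector address and interface are placeholders.
!
! Millisecond timestamps so events line up across devices (requires NTP, see later)
service timestamps log datetime msec localtime show-timezone
service sequence-numbers
!
! Keep a local ring buffer as well as forwarding to the collector
logging buffered 64000 informational
!
! Forward severity 6 (informational) and more severe to the syslog collector
logging host 10.10.10.50
logging trap informational
!
! Source from a stable interface so the collector sees a consistent sender address
logging source-interface Loopback0
!
! Keep the console quiet: only warnings (4) and more severe
logging console warnings
!
! Verify:  R1# show logging
```

Syslog over UDP port 514 is neither authenticated nor encrypted, so in-band logging should only traverse the management network; if the collector can be reached from user VLANs, a spoofed source can inject fake events into it.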
Cisco MIB Hierarchy
• Message integrity & authentication
• Encryption
• Access control: the agent may enforce access control to restrict each principal to certain actions on specific portions of data.
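SNMPv3 with all three protections above (authentication, encryption, access control) plus the ACL from the section objectives. This is an added example, not the course's configuration; the view, group, user, ACL names, addresses and passphrases are placeholders.

```cisco
! Added example (not from the course). Names, address and passphrases are placeholders.
!
! Access control, part 1: only the management station may poll this router
ip access-list standard PERMIT-SNMP
 permit 10.10.10.50
!
! Access control, part 2: a view limits which MIB subtrees the group can read
! (the whole tree here; narrow it to the subtrees the NMS actually needs)
snmp-server view SNMP-RO iso included
!
! Group: SNMPv3, security level "priv" (authentication and encryption), read-only
! through the view, and filtered by the ACL
snmp-server group SNMP-ADMINS v3 priv read SNMP-RO access PERMIT-SNMP
!
! User: SHA for message integrity/authentication, AES-128 for privacy
snmp-server user snmpadmin SNMP-ADMINS v3 auth sha AuthPass#2024x priv aes 128 PrivPass#2024x
!
! Verify (the user line is intentionally absent from the running config):
!   R1# show snmp group
!   R1# show snmp user
!
! Test from the management station with Net-SNMP:
!   $ snmpget -v3 -l authPriv -u snmpadmin -a SHA -A 'AuthPass#2024x' \
!       -x AES -X 'PrivPass#2024x' 10.10.10.1 sysName.0
```

Order matters: the view must exist before the group references it, and the group before the user. A `noauth` or `auth` group would drop encryption or both protections; `priv` is the only level that delivers all three features listed above.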
Sample NTP Topology
Sample NTP Configuration on R1
Sample NTP Configuration on R2
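Authenticated NTP between R1 (time source) and R2 (client), matching the sample topology above. This is an added example, not the course's R1/R2 configuration; addresses, key number, key string and ACL number are placeholders.

```cisco
! Added example (not from the course). Addresses, key and ACL are placeholders.
!
! --- R1: authoritative time source for the lab, serving only the management subnet ---
ntp authenticate
ntp authentication-key 1 md5 NTPkey#2024x
ntp trusted-key 1
ntp master 3
access-list 10 permit 10.10.10.0 0.0.0.255
ntp access-group serve-only 10
!
! --- R2: client of R1 at 10.10.10.1; packets must carry a MAC made with key 1 ---
ntp authenticate
ntp authentication-key 1 md5 NTPkey#2024x
ntp trusted-key 1
ntp server 10.10.10.1 key 1
!
! Verify on R2 (it takes a few polling intervals to synchronize):
!   R2# show ntp associations   -> "*~10.10.10.1" marks the selected, synchronized peer
!   R2# show ntp status         -> "Clock is synchronized, stratum 4, reference is 10.10.10.1"
```

`ntp authenticate` without `ntp trusted-key` accepts nothing, and `ntp server ... key 1` without a matching key on R1 never synchronizes; check `show ntp associations` for a peer that stays unsynchronized before suspecting connectivity. Accurate, authenticated time is what makes the syslog timestamps from the previous section trustworthy during an investigation.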
Upon completion of this section, you should be able to:
• Use security audit tools to determine IOS-based router vulnerabilities.
There is a detailed list of security settings for protocols and
services provided in Figure 2 of this page in the course.
1. The auto secure command is entered
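The kind of hardening that a security audit of an IOS router checks for, written out as explicit commands so the result can be reviewed line by line; the AutoSecure invocation at the end applies a comparable set non-interactively. This is an added example, not the course's Figure 2 list; the interface name is a placeholder, and which services you can disable depends on what the router is actually used for.

```cisco
! Added example (not from the course). Interface name is a placeholder.
!
! --- Management plane: services that are rarely needed and widely abused ---
no service tcp-small-servers
no service udp-small-servers
no service finger
no ip finger
no ip bootp server
no ip identd
no service pad
no service config
! Disable the HTTP/HTTPS servers unless a web management tool depends on them
no ip http server
no ip http secure-server
! CDP leaks platform and address details; disable globally or per untrusted interface
no cdp run
! Source-routed packets let an attacker choose the path through your network
no ip source-route
! Detect dead management sessions instead of leaving them half-open
service tcp-keepalives-in
service tcp-keepalives-out
!
! --- Forwarding plane: per-interface settings on an untrusted interface ---
interface GigabitEthernet0/0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip directed-broadcast
 no ip mask-reply
!
! AutoSecure applies an equivalent baseline in one step without prompting:
!   R1# auto secure no-interact
! Review what it changed before saving:
!   R1# show running-config | include ^no service|^no ip|^no cdp|^login|^security
```

Run the interactive `auto secure` rather than `no-interact` the first time on a given platform: it asks before disabling services, and some of its defaults (such as `no cdp run`) break tools that operations teams rely on.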
Upon completion of this section, you should be able to:
• Configure a routing protocol authentication.
Consequences of protocol spoofing:
• Redirect traffic to create routing loops.
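Routing protocol authentication for the two protocols most often covered at this level, OSPF and EIGRP, each on its own link. This is an added example, not the course's configuration; interface names, process and AS numbers, key IDs and key strings are placeholders and must match on both ends of each link.

```cisco
! Added example (not from the course). Interfaces, process/AS numbers and keys are placeholders.
!
! --- OSPF MD5 authentication on the R1-R2 link (Gi0/1) ---
interface GigabitEthernet0/1
 ip ospf message-digest-key 1 md5 OspfKey#2024x
 ip ospf authentication message-digest
router ospf 1
 ! Alternative to the per-interface line: require MD5 on every interface in area 0
 area 0 authentication message-digest
 ! Do not form adjacencies on user-facing interfaces at all
 passive-interface default
 no passive-interface GigabitEthernet0/1
!
! --- EIGRP MD5 authentication via a key chain on the R1-R3 link (Gi0/2) ---
key chain EIGRP-KEYS
 key 1
  key-string EigrpKey#2024x
interface GigabitEthernet0/2
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
router eigrp 100
 passive-interface default
 no passive-interface GigabitEthernet0/2
!
! Verify:
!   R1# show ip ospf interface GigabitEthernet0/1   -> "Message digest authentication enabled"
!   R1# show ip ospf neighbor
!   R1# show ip eigrp neighbors
! A key mismatch shows up in "debug ip ospf adj" as "Mismatch Authentication Key"
! and the neighbor never reaches FULL; disable the debug as soon as you have the answer.
```

Authentication stops a rogue device from injecting routes and the loops or redirection described above, but MD5 keys are shared secrets in the configuration: rotate them through additional `key` entries in the chain, and prefer the SHA-based key-chain authentication available on newer IOS releases where both neighbors support it.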
Thank you.