Module 6 Flashcards
The Cisco IOS resilient configuration feature allows for faster recovery if someone maliciously or unintentionally reformats flash memory or erases the startup configuration file in ____. The feature maintains a secure working copy of the router IOS image file and a copy of the running configuration file. These secure files cannot be removed by the user and are referred to as the primary bootset.
nonvolatile random-access memory (NVRAM).
Here are a few facts about the Cisco IOS resilient configuration:
The configuration file in the primary bootset is a copy of the running configuration that was in the router when the feature was first enabled.
The feature secures the smallest working set of files to preserve persistent storage space.
No extra space is required to secure the primary Cisco IOS image file. The feature automatically detects image or configuration version mismatch.
Only local storage is used for securing files, eliminating scalability maintenance challenges from storing multiple images and configurations on TFTP servers.
The feature can be disabled only through a console session.
To secure the IOS image and enable Cisco IOS image resilience, use the ____ global configuration mode command.
secure boot-image
To take a snapshot of the router running configuration and securely archive it in persistent storage, use the ___ global configuration mode command.
secure boot-config
Use the ____ command repeatedly to upgrade the configuration archive to a newer version after new configuration commands have been issued.
secure boot-config
Secured files do not appear in the output of a ___ command that is issued from the CLI. This is because the Cisco IOS file system prevents secure files from being listed. The running image and running configuration archives are not visible in the ___ command output.
dir
Use the _____ command to verify the existence of the archive.
show secure bootset
The Primary Bootset Image
Step 1. Reload the router using the reload command. If necessary, issue the break sequence to enter ROM monitor (ROMmon) mode.
Step 2. From ROMmon mode, enter the dir command to list the contents of the device that contains the secure bootset file.
Step 3. Boot the router with the secure bootset image using the boot command followed by the flash memory location (e.g. flash0), a colon, and the filename found in Step 2.
Step 4. Enter global configuration mode and restore the secure configuration to a filename of your choice using the secure boot-config restore command followed by the flash memory location (e.g. flash0), a colon, and a filename of your choice. In the figure, the filename rescue-cfg is used.
Step 5. Exit global configuration mode and issue the copy command to copy the rescued configuration file to the running configuration.
The Cisco IOS Resilient feature provides a method for securing the IOS image and configuration files locally on the device.
The _____ feature is used to remotely copy these files.
____ provides a secure and authenticated method for copying router configuration or router image files to a remote location.
Secure Copy Protocol (SCP)
Secure Copy Protocol (SCP) relies on:
SSH to secure communication
AAA to provide authentication and authorization
Use the following steps to configure a router for server-side SCP with local AAA:
Configure Secure Copy
Step 1. Configure SSH, if not already configured.
Step 2. For local authentication, configure at least one local database user with privilege level 15.
Step 3. Enable AAA with the aaa new-model global configuration mode command.
Step 4. Use the aaa authentication login default local command to specify that the local database be used for authentication.
Step 5. Use the aaa authorization exec default local command to configure command authorization. In this example, all local users will have access to EXEC commands.
Step 6. Enable SCP server-side functionality with the ip scp server enable command.
Recover a Router Password
Step 1. Connect to the console port.
Step 2. Use the show version command to display the configuration register setting and document the value (e.g., 0x2102).
Step 3. Power cycle the router.
Step 4. Issue the break sequence (e.g., CTRL-BREAK) to enter ROMmon mode.
Step 5. Change the default configuration register with the confreg 0x2142 command.
Step 6. Reboot the router by using the reset command in ROMmon mode.
Step 7. Press Ctrl-C to skip the initial setup procedure.
Step 8. Enter privileged EXEC mode.
Step 9. Copy the startup configuration to the running configuration using the copy startup-config running-config command.
Step 10. Verify the configuration.
Step 11. Change the enable secret password.
Step 12. Enable all interfaces using the no shutdown command.
Step 13. Return the configuration register setting to the original setting that was documented in Step 2 with the config-register global configuration command. On the next reboot, the router will use these settings and load the new startup configuration file that contains the changed password.
Step 14. Save the configuration changes.
This command is a hidden Cisco IOS command and has no arguments or keywords. If a router is configured with the ____ command, all access to ROMmon mode is disabled.
no service password-recovery
Released in IOS version 12.3, ____ is a feature that is initiated from the CLI and executes a script. ____ first makes recommendations for fixing security vulnerabilities and then modifies the security configuration of the router.
Cisco AutoSecure
AutoSecure can lock down the management plane functions and the forwarding plane services and functions of a router. There are several management plane services and functions:
Secure BOOTP, CDP, FTP, TFTP, PAD, UDP, and TCP small servers, MOP, ICMP (redirects, mask-replies), IP source routing, Finger, password encryption, TCP keepalives, gratuitous ARP, proxy ARP, and directed broadcast
Legal notification using a banner
Secure password and login functions
Secure NTP
Secure SSH access
TCP intercept services
There are three forwarding plane services and functions that AutoSecure enables:
Cisco Express Forwarding (CEF)
Traffic filtering with ACLs
Cisco IOS firewall inspection for common protocols
autosecure
Router# auto secure {no-interact | full} [forwarding | management] [ntp | login | ssh | firewall | tcp-intercept]
OSPF supports routing protocol authentication using ____. ___ authentication can be enabled globally for all interfaces or on a per interface basis.
MD5
Enable OSPF MD5 authentication globally:
ip ospf message-digest-key key md5 password interface configuration command.
area area-id authentication message-digest router configuration command.
This method forces authentication on all OSPF enabled interfaces. If an interface is not configured with the ip ospf message-digest-key command, it will not be able to form adjacencies with other OSPF neighbors.
Enable MD5 authentication on a per interface basis:
ip ospf message-digest-key key md5 password interface configuration command.
ip ospf authentication message-digest interface configuration command.
MD5 is now considered vulnerable to attacks and should only be used when stronger authentication is not available. Cisco IOS release 15.4(1)T added support for ____ authentication, as detailed in RFC 5709. Therefore, the administrator should use SHA authentication as long as all of the router operating systems support ____ authentication.
OSPF SHA
OSPF SHA authentication includes two major steps. The syntax for the commands is shown in the figure:
Step 1. Specify an authentication key chain in global configuration mode:
Configure a key chain name with the key chain command.
Router(config)# key chain name
Assign the key chain a number and a password with the key and key-string commands.
Router(config-keychain)# key key-id
Router(config-keychain-key)# key-string string
Specify SHA authentication with the cryptographic-algorithm command.
Router(config-keychain-key)# cryptographic-algorithm {hmac-sha-1 | hmac-sha-256 | hmac-sha-384 | hmac-sha-512 | md5}
(Optional) Specify when this key will expire with the send-lifetime command.
Router(config-keychain-key)# send-lifetime start-time {infinite | end-time | duration seconds}
Step 2. Use the following syntax to assign the authentication key to the desired interfaces with the ip ospf authentication key-chain command.
Router(config)# interface type number
Router(config-if)# ip ospf authentication key-chain name
Types of Management Access
When logging and managing information, the information flow between management hosts and the managed devices can take two paths:
In-band - Information flows across an enterprise production network, the internet, or both, using regular data channels.
Out-of-band (OOB) - Information flows on a dedicated management network on which no production traffic resides.
OOB management guidelines are:
Provide the highest level of security.
Mitigate the risk of passing insecure management protocols over the production network.
In-band management guidelines are:
Apply only to devices that need to be managed or monitored.
Use IPsec, SSH, or SSL when possible.
Decide whether the management channel needs to be open at all times.
___ is a term used to describe a standard. It is also used to describe the protocol developed for that standard. The ____ protocol was developed for UNIX systems in the 1980s but was first documented as RFC 3164 by IETF in 2001.
Syslog
Syslog uses ____ to send event notification messages across IP networks to event message collectors.
UDP port 514
The syslog logging service provides three primary functions, as follows:
The ability to gather logging information for monitoring and troubleshooting
The ability to select the type of logging information that is captured
The ability to specify the destinations of captured syslog messages
Popular destinations for syslog messages include the:
Logging buffer (RAM inside a router or switch)
Console line
Terminal line
Syslog server
These messages are error messages about software or hardware malfunctions; these types of messages mean that the functionality of the device is affected. The severity of the issue determines the actual syslog level applied.
Emergency Level 0 - Warning Level 4:
This notification level is for normal but significant events. For example, interface up or down transitions and system restart messages are displayed at the notifications level.
Notification Level 5:
This is a normal information message that does not affect device functionality. For example, when a Cisco device is booting, you might see the following informational message: %LICENSE-6-EULA_ACCEPT_ALL: The Right to Use End User License Agreement is accepted.
Informational Level 6:
Messages at this level are output generated by issuing various debug commands.
Debugging Level 7:
System Unusable
Level 0 - Emergency
Immediate Action Needed
Level 1 - Alert
Critical Condition
Level 2 - Critical
Error Condition
Level 3 - Error