Configure and verify network device security features
Exam: Cisco 600-502 - Developing with Cisco Network Programmability (NPDEV)
Under the main topic “Network device security” there is a crucial chapter that is called “Configure and verify network device security features”. There are many important topics under this chapter that are essential from the exam point of view. We will try to discuss all the aspects of this section so that the students are better prepared for the exam. The traditional security measures always focussed on ensuring that no unnecessary data is allowed into the router from outside. The switches are important to an organization. These switches make the connectivity easier. One must apply very limited security measures to achieve this. Using the basic security features that are mentioned below one can easily secure the network and the switches.
Device password security
The password should be such that it can easily access the console line. The user can get basic information using the EXEC mode. The VTY lines also must have a password so that the user can access the switch from any remote location. With the help of the enhanced password security feature one can set the MD5 encryption. This encryption will ensure that the password that has been set cannot be reversed. This also ensures that text passwords cannot be retrieved at all.
Enable secret vs. enable
The enable secret command is used to set the password. To get this done the password must be set to orbit. The enable password command is no longer recommended by Cisco. The enable password commands are now stored in a plain text file inside the networking device. Using the service password encryption command one can configure the files in a network device. The same command can be also decrypted with the help of tools that are available on the internet. The enable password command is the one that encrypts the passwords.
It will be better to use the enable secret password. This command is better compared to the enable password command. This will help to configure password for the privileged EXEC mode. These passwords are more secured as they use MD5 algorithm. One point that you must keep in mind is that you cannot use the same password for Enable password command and Enable secret command.
The transport command is a very important command that is used in networking. The TCP transport session option is used for a border gateway protocol (BGP). The transport command is used for family configuration mode. Similarly it can be used to disable the session too. MTU is a common term you will come across it stands for maximum transmission unit. Each session will enable a separate transport session. The TCP transport connection can be used for a single internal (ibgp) and external BGP (ebgp) neighbour. The transport command can be used to disable the TCP path too. Using the same transport command one can also enable separate TCP sessions for each address in the family. The bgp transport command is used to enable session parameters across the globe for all BGP neighbour sessions. These are the different transport commands that you will come across as you work in a network.
The telnet protocols that are designed by Cisco allow TCP/IP connections. It is a network protocol that is used mostly in local area networks. The information that controls telnet is usually contained in an 8 bit byte data. Using the telnet the user located at one particular site can login to a server that is located in another site. It can also allow the user to pass the keystrokes from one to the other system. The telnet has the special ability to accept an address or a domain name for the remote system. This server has a default switch that is of 5000 series.
To disable the telnet the command that is used is “transport input none”. This command can also disable the SSH access.
The SSH is a more reliable option compared to Telnet. The SSH is a reliable way as it provides encryption between a PC and a networking devices. SSH stands for secure shell. This is a protocol that helps to secure the Berkeley r tools. In this protocol the session can be secured using the standard cryptographic mechanism. There are two version of SSH available namely version 1 and version 2. Only SSH means version 1 only. It must be noted here that execution shell is the only application that is supported by SSH. The SSH version 2 alone supports the login banner.
Using the SSH server the client can ensure that they get a proper and secured connection to the Cisco router. When you look at the connectivity closely you will notice that it is similar to that of an inbound telnet connection. Only when the SSH server is enabled the SSH client function is available. To configure the SSH you will first need the enable password command that will allow you to set the password. This will make you enter the global configuration mode where in you can configure the SSH parameters. This will set the SSH on the router that you are using. You can also invoke the SSH for the client.
One point that must be mentioned here is that if the SSH command is rejected it means that the RSA (Rivest, Shamir, Adleman) has not been generated successfully for the router. For a SSH to function the following things are needed:
- An inband on an Ethernet interface
- In the mgmt 0 interface is needed in the out of band
- IP configuration should be at layer 3.
The aim of this chapter was to make the readers more aware of the concepts of “Configure and verify network device security features”. We hope that this will help you to understand the concept better and improve your knowledge on the subject. Do prepare these topics well from the exam point of view. A deep knowledge of this will help you to understand how to deal with problems that often come up in networks.
Related IT Guides
- Configure and verify DHCP (IOS Router)
- Configure and verify NAT for given network requirements
- Configure and verify switch port security
- Describe SNMP v2 and v3
- Describe the purpose and basic operation of the protocols in the OSI and TCP/IP models
- Identify enhanced switching technologies
- Troubleshoot and correct common problems associated with IP addressing and host configurations
- Troubleshoot and resolve Layer 1 problems
- Troubleshoot and resolve OSPF problems
- Troubleshoot and resolve VLAN problem