Computer Network Security - Cheatsheet === [ToC] # Useful commands ``` Router(config)# no ip domain-lookup ``` # Secure Administrative Access ## Enable password ``` Router(config)# security passwords min-length 10 Router(config)# enable algorithm-type scrypt secret cisco12345 ``` ### Console password *Easy - most regular way* ``` Router(config)# line console 0 Router(config-line)# login local Router(config-line)# exec-timeout 5 0 Router(config-line)# logging synchronous ``` *Advanced - with a defined password* ``` Router(config)# line console 0 Router(config-line)# password ciscoconpass Router(config-line)# login Router(config-line)# exec-timeout 5 0 Router(config-line)# logging synchronous ``` ### AUX password *Easy - most regular way* ``` Router(config)# line aux 0 Router(config-line)# login local Router(config-line)# exec-timeout 5 0 ``` *Advanced - with a defined password* ``` Router(config)# line aux 0 Router(config-line)# password ciscoauxpass Router(config-line)# exec-timeout 5 0 Router(config-line)# login ``` ### VTY password *Easy - most regular way* ``` Router(config)# line vty 0 4 Router(config-line)# login local Router(config-line)# transport input ssh Router(config-line)# exec-timeout 5 0 ``` *Advanced - with a defined password* ``` Router(config)# line vty 0 4 Router(config-line)# password ciscovtypass Router(config-line)# transport input ssh Router(config-line)# exec-timeout 5 0 Router(config-line)# login ``` ### Encrypt clear text passwords *How to encrypt the console, aux, and vty passwords* ``` Router(config)# service password-encryption ``` ## Warning banner *The dollar sign ($) is used to start and end the message* ``` Router(config)# banner motd $Unauthorized access strictly prohibited!$ ``` ## Enable SSH **STEP 0 : Configure users** ``` Router(config)# username user01 algorithm-type scrypt secret user01pass Router(config)# username admin privilege 15 algorithm-type scrypt secret cisco12345 ``` **STEP 1 : Configure a domain name** ``` Router(config)# ip domain-name netsec.com ``` **STEP 1 : Generate the RSA encryption key pair** ``` Router(config)# crypto key zeroize rsa Router(config)# crypto key generate rsa general-keys modulus 2048 ``` **STEP 2 : Configure SSH timeouts and authentication parameters** ``` Router(config)# ip ssh version 2 Router(config)# ip ssh time-out 90 Router(config)# ip ssh authentication-retries 2 ``` **STEP 3 : Configure the incoming VTY lines** ``` Router(config)# line vty 0 4 Router(config-line)# privilege level 15 (user with the privilege level 15 will default to privileged EXEC mode) Router(config-line)# login local Router(config-line)# transport input ssh ``` **STEP 4 : Verify the SSH configuration** ``` Router# show ip ssh Router# show users ``` ## User/admin account creation ``` Router(config)# username user01 algorithm-type scrypt secret user01pass ``` ``` Router(config)# username admin privilege 15 algorithm-type sha256 secret cisco12345 ``` ## Server-based RADIUS authentication *How to setup* ``` Router(config)# aaa new-model Router(config)# aaa authentication login default group radius none Router(config)# radius server NetSec Router(config-radius-server)# address ipv4 RADIUS_SERVER_IP auth-port 1812 acct-port 1813 Router(config-radius-server)# key $trongPass Router(config-radius-server)# end ``` *How to verify* ``` Router# test aaa group radius RadUser RadUserpass legacy Router# show radius server-group radius ``` # OSPF Authentication **STEP 0 : Configure OSPF routing on all routers** ``` Router(config)# router ospf 1 Router(config-router)# network 192.168.1.0 0.0.0.255 area 0 Router(config-router)# network 10.1.1.0 0.0.0.3 area 0 Router(config-router)# passive-interface g0/0/X (int which is user-network side) ``` **STEP 1 : Configure a key chain on all routers** ``` Router(config)# key chain NetAcad Router(config-keychain)# key 1 Router(config-keychain-key)# key-string NetSeckeystring Router(config-keychain-key)# cryptographic-algorithm hmac-sha-256 ``` **STEP 2 : Configure the interfaces to use OSPF authentication** ``` Router(config)# interface g0/0/X (int which is router-network side) Router(config-if)# ip ospf authentication key-chain NetAcad ``` **STEP 3 : Verify OSPF Routing and Authentication is correct** ``` Router# show ip ospf interface g0/0/X >>Cryptographic authentication enabled<< >>Sending SA: Key 1, Algorithm HMAC-SHA-256 - key chain NetAcad<< ``` ``` Router# show ip ospf neighbor Router# show ip route ``` # Configure ZPF - Zone-based Policy Firewall [todo] # STP Security ## Secure Trunk Ports [todo] **STEP 1 : Set the router-connected switch as "root"** ``` Switch1(config)# spanning-tree vlan 1 priority 0 ``` *How to verify* ``` Switch1# show spanning-tree >>This bridge is the root<< ``` **STEP 2 : Configure trunk ports between switches** *Switch 1* ``` Switch1(config)# interface f0/X Switch1(config-if)# switchport mode trunk ``` *Switch 2* ``` Switch2(config)# interface f0/X Switch2(config-if)# switchport mode trunk ``` *How to verify* ``` Switch1# show interfaces trunk ``` **STEP 3 : Change the native VLAN for the trunk ports on switches** ## STP Attacks Protection ### Enable Portfast ``` Switch(config)# interface fa0/X Switch(config-if)# spanning-tree portfast ``` ### Enable BPDU Guard ``` Switch(config)# interface fa0/X Switch(config-if)# spanning-tree bpduguard enable ``` ### Enable Root Guard ``` Switch(config)# interface fa0/X Switch(config-if)# spanning-tree guard root ``` ### Enable Loop Guard ``` Switch(config)# interface fa0/X Switch(config-if)# spanning-tree loopguard default ``` ``` Switch# show spanning-tree summary ``` ## Port Security ``` Switch(config-if)# switchport mode access Switch(config-if)# switchport port-security Switch(config-if)# switchport port-security maximum 5 Switch(config-if)# switchport port-security violation {protect | restrict | shutdown | shutdown vlan} Switch(config-if)# switchport port-security mac-address sticky ``` ``` Switch# show port-security interface fa0/X ``` ## Disable Unused Ports ``` Switch(config)# interface range f0/X - Y, fa0/Z - [...] Switch(config-if-range)# shutdown ``` ## Change default VLAN ``` Switch(config)# vlan 20 Switch(config-vlan)# name Users Switch(config)# interface f0/X Switch(config-if-range)# switchport access vlan 20 ``` ## PVLAN Edge Feature ``` Switch(config)# interface f0/X Switch(config-if)# switchport protected Switch(config-if)# interface f0/Y Switch(config-if)# switchport protected ``` ``` Switch# show interfaces f0/X switchport >>Protected: true<< ``` # L2 Security Features (for switches) ## DHCP Snooping **STEP 1 : Enable DHCP Snooping globally** ``` Switch(config)# ip dhcp snooping ``` **STEP 1-bis : Enable DHCP Snooping on a specified VLAN** ``` Switch(config)# ip dhcp snooping vlan number [number] ``` **STEP 2 : Configure the trusted interface** ``` Switch(config)# interface fa0/X (the one connected to DHCP server) Switch(config-if)# ip dhcp snooping trust Switch(config-if)# ip dhcp snooping limit rate [rate] (optionnal) ``` **STEP 3 : Verify the configuration** ``` Switch# show ip dhcp snooping ``` **STEP 4 : Debug if needed** ``` Switch# debug ip dhcp snooping event Switch# debug ip dhcp snooping packet ``` ## VTP / DTP / CDP ### Disable VTP - VLAN Trunk Protocol ``` Switch(config)# vtp mode off ``` ### Disable DTP - Dynamic Trunking Protocol *Solution 1* ``` Switch(config-if)# switchport mode access ``` *Solution 2* ``` Switch(config-if)# switchport mode trunk Switch(config-if)# switchport nonegotiate ``` *How to verify* ``` Switch# show interfaces fa0/X switchport >> Negotiation of Trunking: Off << ``` ### Disable CDP - Cisco Discovery Protocol ``` Switch(config)# no cdp run ``` ## IP Source Guard ``` Switch(config-if)# ip verify source port-security ``` ## ARP inspection ``` Switch(config-if)# ip arp inspection trust ``` # DHCP *How to setup* ``` ip dhcp excluded-address 192.168.3.1 ip dhcp pool RouterDHCP network 192.168.3.0 255.255.255.0 default-router 192.168.3.1 ``` # Syslog *How to setup* ``` Router(config)# logging SERVER_IP_FOR_LOGGING Router(config)# logging on Router(config)# logging trap 5 ``` *How to verify* > Open Wireshark on server logging host > Filter on "udp.port==514" > Filter on "syslog" might work aswell > You should see incoming syslog messages (if not, trigger a syslog event, or increase the "trap" level) # NTP - Network Time Protocol ## NTP Server *How to setup server side* ``` Router(config)# ntp master 1 Router(config)# ntp authentication-key 1 md5 password Router(config)# ntp authenticate Router(config)# ntp max-associations 3 ``` *How to verify* ``` Router# show ntp associations Router# show ntp status ``` ## NTP Client *How to setup client side* ``` Router(config)# ntp authentication-key 1 md5 password Router(config)# ntp trusted-key 1 Router(config)# ntp server SERVER_IP key 1 Router(config)# ntp authenticate ``` *How to verify* ``` Router# show ntp associations Router# show ntp status ``` # SNMPv3 *How to setup "view", "group" and "user"* ``` Router(config)# snmp-server view WRITE system included Router(config)# snmp-server view WRITE interfaces excluded Router(config)# snmp-server view READ system included Router(config)# snmp-server group group1 v3 priv read READ write WRITE Router(config)# snmp-server user user1 group1 v3 auth md5 authpass priv aes 128 aespass ``` *How to verify* ``` Router# show snmp group Router# show snmp user user1 ``` # ASA Configuration ``` CiscoASA(config)# configure factory-default CiscoASA# write erase (erase startup-config) CiscoASA# reload --- ASA-Init(config)# hostname NETSEC-ASA NETSEC-ASA(config)# domain-name netsec.com NETSEC-ASA(config)# passwd cisco NETSEC-ASA(config)# enable password class --- NETSEC-ASA(config)# http server enable NETSEC-ASA(config)# http 192.168.1.0 255.255.255.0 INSIDE NETSEC-ASA(config)# username cisco password cisco privilege 15 NETSEC-ASA(config)# aaa authentication http console LOCAL ``` ## Configure DHCP ``` NETSEC-ASA(config)# dhcpd address 192.168.1.5-192.168.1.100 INSIDE NETSEC-ASA(config)# dhcpd dns 209.165.201.2 (optional) NETSEC-ASA(config)# dhcpd enable INSIDE NETSEC-ASA(config)# show run dhcpd ``` ## Configure AAA ``` NETSEC-ASA(config)# username admin password cisco12345 NETSEC-ASA(config)# aaa authentication ssh console LOCAL ``` ## Configure SSH ``` NETSEC-ASA(config)# crypto key generate rsa modulus 2048 NETSEC-ASA(config)# username admin password cisco12345 NETSEC-ASA(config)# ssh 192.168.1.0 255.255.255.0 INSIDE NETSEC-ASA(config)# ssh 172.16.3.3 255.255.255.255 OUTSIDE NETSEC-ASA(config)# ssh timeout 10 ``` ## Configure DMZ ``` ``` ## Configure Static NAT ## Configure "Routing" ``` ASA(config)# same-security-traffic permit inter-interface ``` # Site-To-Site IPSec VPN - What - How - Where ---