Module 6: Device Monitoring and Management
Networking Security v1.0 (NETSEC)
Module Objectives
Module Title: Device Monitoring and Management

Module Objective: Implement the secure management and monitoring of network devices.

Topic Title: Topic Objective
• Secure Cisco IOS Image and Configuration Files: Explain how the Cisco IOS resilient configuration feature and Secure Copy are used to secure the Cisco IOS image and configuration files.
• Lock Down a Router Using AutoSecure: Use the correct commands for AutoSecure to enable security on IOS-based routers.
• Routing Protocol Authentication: Use the correct command to configure routing protocol authentication.
• Secure Management and Reporting: Compare in-band and out-of-band management access.
• Network Security Using Syslog: Explain how to configure syslog to log system events.
• NTP Configuration: Configure NTP to enable accurate timestamping between all devices.
• SNMP Configuration: Configure SNMP to monitor system status.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
6.1 Secure Cisco IOS Image and Configuration Files
Secure Cisco IOS Image and Configuration Files
Cisco IOS Resilient Configuration Feature

The Cisco IOS resilient configuration feature allows for faster recovery if someone
maliciously or unintentionally reformats flash memory or erases the startup
configuration file in nonvolatile random-access memory (NVRAM).

• The configuration file in the primary bootset is a copy of the running configuration
that was in the router when the feature was first enabled.
• The feature secures the smallest working set of files to preserve persistent storage
space.
• No extra space is required to secure the primary Cisco IOS image file. The feature
automatically detects image or configuration version mismatch.
• Only local storage is used for securing files.
• The feature can be disabled only through a console session.

Secure Cisco IOS Image and Configuration Files
Enabling the IOS Image Resilience Feature

To secure the IOS image and enable Cisco IOS image resilience, use the secure
boot-image global configuration mode command. When enabled for the first time, the
running Cisco IOS image is secured, and a log entry is generated.

The Cisco IOS image resilience feature can only be disabled through a console
session using the no form of the command. Use the show secure bootset command
to verify the existence of the archive.

Secure Cisco IOS Image and Configuration Files
Enabling the IOS Image Resilience Feature (Cont.)

▪ The running image and running configuration archives are not visible in the dir command output.
▪ Use the show secure bootset command to verify the existence of the archive, as shown in the figure.
Secure Cisco IOS Image and Configuration Files
The Primary Bootset Image
Restore a primary bootset from a secure archive after the router has been tampered with, as follows:

Step 1. Reload the router using the reload command. If necessary, issue the break sequence to enter ROM
monitor (ROMmon) mode.

Step 2. From ROMmon mode, enter the dir command to list the contents of the device that contains the secure
bootset file.

Step 3. Boot the router with the secure bootset image using the boot command followed by the flash memory
location (e.g. flash0), a colon, and the filename found in Step 2.

Step 4. Enter global configuration mode and restore the secure configuration to a filename of your choice using
the secure boot-config restore command followed by the flash memory location (e.g. flash0), a colon, and a
filename of your choice. In the figure, the filename rescue-cfg is used.

Step 5. Exit global configuration mode and issue the copy command to copy the rescued configuration file to the
running configuration.
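The enable-and-restore workflow of the two slides above, as an added example that is not part of the original Cisco slides. The device name flash0:, the image filename c1900-universalk9-mz.SPA.155-3.M.bin and the rescue filename rescue-cfg are assumptions; the feature itself only uses local storage, so the archive is only as safe as the flash it lives on.

```cisco
! Added example, not from the original slides. Assumed: device flash0:,
! image c1900-universalk9-mz.SPA.155-3.M.bin, rescue filename rescue-cfg.

! --- Enable resilience (global config; a console session is recommended,
!     because the console is the only place the feature can be disabled) ---
R1# configure terminal
R1(config)# secure boot-image          ! archives the running IOS image, logs a message
R1(config)# secure boot-config         ! archives the current running-config
R1(config)# end

! --- Check: the archive exists but is hidden from dir ---
R1# show secure bootset                ! lists the secured image and the config archive
R1# dir flash0:                        ! the image copy and .ar archive are not listed here

! --- Keep the archive current: re-enter the command after saved config changes,
!     otherwise a restore brings back the configuration from the day it was enabled ---
R1# configure terminal
R1(config)# secure boot-config
R1(config)# end

! --- Recovery after flash/NVRAM tampering ---
R1# reload
! send the break sequence during boot to reach ROMmon
rommon 1 > dir flash0:                 ! ROMmon does list the secured image: note its name
rommon 2 > boot flash0:c1900-universalk9-mz.SPA.155-3.M.bin
! after the router boots with an empty or damaged configuration:
Router> enable
Router# configure terminal
Router(config)# secure boot-config restore flash0:rescue-cfg
Router(config)# end
Router# copy flash0:rescue-cfg running-config
R1# copy running-config startup-config

! --- Disabling (console session only): no secure boot-image, no secure boot-config
```

The middle step is the one most often forgotten: secure boot-image tracks the image that is running, but secure boot-config only snapshots the configuration at the moment it is entered, so it belongs in the change procedure alongside copy running-config startup-config.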
Secure Cisco IOS Image and Configuration Files
Configuring Secure Copy
The Secure Copy Protocol (SCP) feature is used to remotely copy IOS image and configuration files. SCP provides a secure and authenticated method for copying router configuration or router image files to a remote location. SCP relies on SSH to secure the communication and on AAA to provide authentication and authorization.

Configure the router for server-side SCP with local AAA:

Step 1. Configure SSH, if not already configured.
Step 2. For local authentication, configure at least one local database user with privilege level 15.
Step 3. Enable AAA with the aaa new-model global configuration mode command.
Step 4. Use the aaa authentication login default local command to specify that the local database be used for authentication.
Step 5. Use the aaa authorization exec default local command to configure EXEC authorization. In this example, all local users will have access to EXEC commands.
Step 6. Enable SCP server-side functionality with the ip scp server enable command.
Secure Cisco IOS Image and Configuration Files
Configuring Secure Copy (Cont.)
In the example, R1 is now an SCP server and will use SSH connections to accept secure copy transfers from authenticated and authorized users. Transfers can originate from any SCP client, whether that client is another router, a switch, or a workstation.

• Now assume that we want to securely copy the backup configuration of a router named R2 to the SCP server, which is R1.
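The six server-side steps and the R2-to-R1 transfer, as an added example that is not from the original slides. The hostnames, the domain example.com, the user admin, the password, the image filename and R1's address 192.168.1.1 are assumptions.

```cisco
! Added example, not from the original slides. Assumed: R1 at 192.168.1.1,
! domain example.com, local user "admin", an image file already on R1.

! --- R1, Step 1: SSH first (SCP rides on SSH) ---
R1(config)# hostname R1
R1(config)# ip domain-name example.com
R1(config)# crypto key generate rsa general-keys modulus 2048
R1(config)# ip ssh version 2
R1(config)# line vty 0 4
R1(config-line)# transport input ssh
R1(config-line)# exit

! --- R1, Steps 2-6: create the local user BEFORE aaa new-model, otherwise the
!     default login list has nobody to authenticate and the console locks you out ---
R1(config)# username admin privilege 15 secret StrongAdminPassw0rd!
R1(config)# aaa new-model
R1(config)# aaa authentication login default local
R1(config)# aaa authorization exec default local   ! SCP requires EXEC authorization
R1(config)# ip scp server enable

! --- R2: push its startup config to R1 (IOS prompts for the SSH password) ---
R2# copy startup-config scp://admin@192.168.1.1/R2-backup.cfg

! --- R2: an image can be pulled from R1 the same way ---
R2# copy scp://admin@192.168.1.1/c1900-universalk9-mz.SPA.155-3.M.bin flash0:

! --- Checks on R1 ---
R1# show ip ssh                                   ! SSH Enabled - version 2.0
R1# show running-config | include aaa|scp
R1# dir flash0: | include R2-backup               ! the uploaded file is present
```

Because aaa authorization exec default local grants EXEC to every local user, anyone in the local database who holds privilege 15 can also write files into R1's flash over SCP; keep that database short.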
Secure Cisco IOS Image and Configuration Files
Configuring Secure Copy (Cont.)

pscp.exe is the command-line SCP/SFTP client from the PuTTY suite. From a Windows workstation it can pull the running configuration of the router (here at 192.168.110.156, logging in as admin) into a local file:

C:\>pscp.exe -scp admin@192.168.110.156:running-config E:\R1-config-2022.txt

C:\>pscp.exe -scp admin@192.168.110.156:running-config "C:\Users\Mostafa\Desktop\R1-config-2222.txt"
Secure Cisco IOS Image and Configuration Files
Recover a Router Password
If a router is compromised or needs to be recovered from a misconfigured password, an administrator must use password recovery procedures, such as the steps listed here.

Step 1. Connect to the console port.
Step 2. Record the configuration register setting.
Step 3. Power cycle the router.
Step 4. Issue the break sequence.
Step 5. Change the default configuration register with the confreg 0x2142 command.
Step 6. Reboot the router.
Step 7. Press Ctrl-C to skip the initial setup procedure.
Step 8. Put the router into privileged EXEC mode.
Step 9. Copy the startup configuration to the running configuration.
Step 10. Verify the configuration.
Step 11. Change the enable secret password.
Step 12. Enable all interfaces.
Step 13. Return the configuration register to the original setting recorded in Step 2, using the config-register global configuration command.
Step 14. Save the configuration changes.

Secure Cisco IOS Image and Configuration Files
Password Recovery
If someone gains physical access to a router, they could potentially gain control of that device through the password recovery procedure.

An administrator can mitigate this by using the no service password-recovery global configuration mode command. This is a hidden Cisco IOS command with no arguments or keywords. When no service password-recovery is entered, a warning message is displayed and must be acknowledged before the feature is enabled, as shown in the figure.

Secure Cisco IOS Image and Configuration Files
Password Recovery (Cont.)
Once configured, the show running-config command displays a no service password-recovery statement, as shown here. The show running-config all command displays the complete running configuration, including settings that are still at their default values.
Secure Cisco IOS Image and Configuration Files
Password Recovery (Cont.)

• To recover a device after the no service password-recovery command has been entered, initiate the break sequence within five seconds after the image decompresses during boot.
• You are prompted to confirm the break key action. If the action is confirmed, the startup configuration is completely erased, the password recovery procedure is re-enabled, and the router boots with the factory default configuration.
• If you do not confirm the break action, the router boots normally with no service password-recovery still in effect.
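The 14-step recovery procedure and the no service password-recovery hardening from the slides above, as one added console-session example that is not from the original slides. The original register value 0x2102, the new enable secret and the interface name are assumptions.

```cisco
! Added example, not from the original slides. Assumed: original register 0x2102,
! interface GigabitEthernet0/0, new secret shown as a placeholder.

! Step 2: record the register before touching anything
R1# show version | include register
! Configuration register is 0x2102

! Steps 3-6: power cycle, send the break sequence early in boot, then in ROMmon:
rommon 1 > confreg 0x2142          ! boot ignoring the startup-config in NVRAM
rommon 2 > reset

! Steps 7-9: the router comes up with no config; press Ctrl-C at the setup dialog
Router> enable                     ! no enable secret yet: empty config
Router# copy startup-config running-config

! Steps 10-12: verify, set a new secret, bring interfaces back (they come up shutdown)
R1# show running-config
R1# configure terminal
R1(config)# enable secret NewStr0ngSecret!
R1(config)# interface GigabitEthernet0/0
R1(config-if)# no shutdown
R1(config-if)# exit

! Steps 13-14: put the register back to the recorded value and save
R1(config)# config-register 0x2102
R1(config)# end
R1# copy running-config startup-config
R1# show version | include register
! Configuration register is 0x2142 (will be 0x2102 at next reload)

! --- Hardening: disable the procedure. Have another recovery plan first:
!     the only way back is the 5-second break at boot, which wipes the config ---
R1# configure terminal
R1(config)# no service password-recovery
! a warning is printed; answer yes to confirm
R1(config)# end
R1# show running-config | include password-recovery
no service password-recovery
```

Forgetting Step 13 leaves the router booting with 0x2142, which silently ignores the saved configuration at every reload; the show version check at the end is the cheapest way to catch that before handing the device back.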
6.2 Lock Down a Router Using AutoSecure
Lock Down a Router Using AutoSecure
Discovery Protocols CDP and LLDP

Some of the default services can make the device vulnerable to attack if security is not enabled.

• The Cisco Discovery Protocol (CDP) is an example of a service that is enabled by default on
Cisco routers.

• The Link Layer Discovery Protocol (LLDP) is an open standard that can be enabled on Cisco
devices, as well as other vendor devices that support LLDP.

• The intent of CDP and LLDP is to make it easier for administrators to discover and
troubleshoot other devices on the network. However, because of the security implications,
these discovery protocols should be used with caution.

• Edge devices are an example of a device that should have this feature disabled.

Lock Down a Router Using AutoSecure
Discovery Protocols CDP and LLDP (Cont.)

▪ LLDP configuration and verification is similar to CDP.
▪ In the figure, R1 and S1 are both configured with LLDP, using the lldp run global configuration command.
▪ Both devices are running CDP by default. The output of show cdp neighbors detail and show lldp neighbors detail reveals a neighbor's address, platform, and operating system details.
Lock Down a Router Using AutoSecure
Settings for Protocols and Services
Attackers target services and protocols that make the network more vulnerable to malicious exploitation. Many of these features should be disabled, or restricted in their capabilities, based on the security needs of the organization. They range from network discovery protocols, such as CDP and LLDP, to globally available protocols such as ICMP that scanning tools rely on. The table summarizes the default settings for these protocols and services.

Feature: Default
• Cisco Discovery Protocol (CDP): Enabled
• Link Layer Discovery Protocol (LLDP): Disabled
• Configuration autoloading: Disabled
• FTP server: Disabled
• TFTP server: Disabled
• Network Time Protocol (NTP) service: Disabled
• Packet assembler/disassembler (PAD) service: Enabled
• TCP and User Datagram Protocol (UDP) minor services: Enabled in releases before Cisco IOS 11.3; disabled by default in 11.3 and later
• Maintenance Operation Protocol (MOP) service: Enabled on most Ethernet interfaces
• Simple Network Management Protocol (SNMP): Enabled
• HTTP or HTTPS configuration and monitoring: Setting is Cisco device dependent
• Domain Name System (DNS): Enabled
• Internet Control Message Protocol (ICMP) redirects: Enabled
• IP source routing: Enabled
• Finger service: Enabled
• ICMP unreachable notifications: Enabled
• ICMP mask reply: Disabled
• IP identification service: Enabled
• TCP keepalives: Disabled
• Gratuitous ARP (GARP): Enabled
• Proxy ARP: Enabled
Lock Down a Router Using AutoSecure
Settings for Protocols and Services (Cont.)
There are several important practices available to help ensure a device is secure:

▪ Disable unnecessary services and interfaces.
▪ Disable and restrict commonly configured management services, such as SNMP.
▪ Disable probes and scans, such as ICMP.
▪ Ensure terminal access security.
▪ Disable gratuitous and proxy Address Resolution Protocol (ARP).
▪ Disable IP-directed broadcasts.
Lock Down a Router Using AutoSecure
Settings for Protocols and Services (Cont.)
The table below shows recommended security settings for protocols and services.

Feature: Recommendation
• Link Layer Discovery Protocol (LLDP): Disable globally, or per interface, if it is not required.
• Configuration autoloading: Should remain disabled when not in use by the router.
• FTP server: Disable when not required.
• TFTP server: Disable when not required.
• Network Time Protocol (NTP) service: Should remain disabled when not required.
• Packet assembler/disassembler (PAD) service: Explicitly disable when not in use.
• TCP and User Datagram Protocol (UDP) minor services: Explicitly disable.
• Maintenance Operation Protocol (MOP) service: Explicitly disable when not in use.
• Simple Network Management Protocol (SNMP): Disable when not required.
• HTTP or HTTPS configuration and monitoring: Disable if not required. If the service is required, restrict access to the router HTTP or HTTPS service using access control lists (ACLs).
• Domain Name System (DNS): Disable when not required. If the DNS lookup service is required, set the DNS server address explicitly.
• Internet Control Message Protocol (ICMP) redirects: Disable when not required.
• IP source routing: Disable when not required.
• Finger service: Disable when not required.
• ICMP unreachable notifications: Disable on interfaces to untrusted networks.
• ICMP mask reply: Disable on interfaces to untrusted networks.
• IP identification service: Explicitly disable.
• TCP keepalives: Enable globally to clean up idle or half-open TCP connections and prevent certain denial of service (DoS) attacks. The service was enabled in Cisco IOS Software releases before Release 12.0 and is disabled by default in Release 12.0 and later, so it must be turned on explicitly.
• Gratuitous ARP (GARP): Disable on each router interface unless the service is needed.
• Proxy ARP: Disable on each interface unless the router is being used as a LAN bridge.
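The CDP/LLDP slides and the recommendation table above, applied by hand on one router as an added example that is not from the original slides (AutoSecure does much of this automatically; this is what to check for, or to apply, when it is not used). The interface GigabitEthernet0/0 facing the untrusted network is an assumption.

```cisco
! Added example, not from the original slides. Assumed: GigabitEthernet0/0 faces
! an untrusted network; apply the per-interface block to every such interface.

! --- Discovery protocols ---
R1(config)# no cdp run                            ! CDP off globally
R1(config)# no lldp run                           ! LLDP off globally (the default)
R1(config)# interface GigabitEthernet0/0
R1(config-if)# no cdp enable                      ! per-interface form, when CDP must stay on inside
R1(config-if)# no lldp transmit
R1(config-if)# no lldp receive

! --- Per-interface ICMP, ARP, broadcast and MOP settings on the untrusted side ---
R1(config-if)# no ip redirects
R1(config-if)# no ip unreachables
R1(config-if)# no ip mask-reply
R1(config-if)# no ip proxy-arp
R1(config-if)# no ip directed-broadcast
R1(config-if)# no mop enabled                     ! Ethernet interfaces only
R1(config-if)# exit

! --- Global services from the table ---
R1(config)# no service config                     ! configuration autoloading
R1(config)# no boot network
R1(config)# no service pad
R1(config)# no service tcp-small-servers
R1(config)# no service udp-small-servers
R1(config)# no ip finger
R1(config)# no ip bootp server
R1(config)# no ip source-route
R1(config)# no ip identd
R1(config)# no ip gratuitous-arps
R1(config)# no ip http server
R1(config)# no ip http secure-server              ! or restrict with ip http access-class if needed
R1(config)# no snmp-server                        ! removes the SNMP agent entirely
R1(config)# no ip domain-lookup                   ! or: ip name-server <address> when DNS is required
R1(config)# service tcp-keepalives-in
R1(config)# service tcp-keepalives-out
R1(config)# service password-encryption

! --- Checks ---
R1# show cdp                                      ! "% CDP is not enabled"
R1# show lldp
R1# show ip interface GigabitEthernet0/0 | include redirects|unreachables|mask|Proxy|broadcast
R1# show running-config | include small-servers|pad|finger|source-route|identd|keepalives|gratuitous
```

The show ip interface check is the one that matters on the untrusted interface: the lines "ICMP redirects are never sent", "ICMP unreachables are never sent", "ICMP mask replies are never sent", "Proxy ARP is disabled" and "Directed broadcast forwarding is disabled" confirm the per-interface settings took effect.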
Lock Down a Router Using AutoSecure
Cisco AutoSecure
AutoSecure can lock down the management plane functions and the forwarding plane services and functions of a router.
▪ Management plane services and functions that AutoSecure secures:
• Disables BOOTP, CDP, FTP, TFTP, UDP and TCP small servers, ICMP redirects and mask replies, IP source routing, Finger, gratuitous ARP, proxy ARP, and directed broadcasts; enables password encryption and TCP keepalives
• Legal notification using a banner
• Secure password and login functions
• Secure NTP
• Secure SSH access
• TCP intercept services
▪ Forwarding plane services and functions that AutoSecure enables:
• Cisco Express Forwarding (CEF)
• Traffic filtering with ACLs
• Cisco IOS firewall inspection for common protocols
▪ AutoSecure is often used in the field to provide a baseline security policy on a new router.
▪ Features can then be altered to support the security policy of the organization.
Lock Down a Router Using AutoSecure
Cisco AutoSecure Command Syntax

Use the auto secure privileged EXEC command to start the Cisco AutoSecure feature setup. The setup can be interactive or non-interactive. The command syntax is:

auto secure [management | forwarding] [no-interact | full] [ntp | login | ssh | firewall | tcp-intercept]

Optional Parameter: Description
• no-interact: The user is not prompted for any interactive configuration. No interactive dialogue parameters are configured, including usernames or passwords.
• full: The user is prompted for all interactive questions. This is the default.
• forwarding: Only the forwarding plane is secured.
• management: Only the management plane is secured.
• ntp: Specifies the configuration of the NTP feature in the AutoSecure CLI.
• login: Specifies the configuration of the login feature in the AutoSecure CLI.
• ssh: Specifies the configuration of the SSH feature in the AutoSecure CLI.
• firewall: Specifies the configuration of the firewall feature in the AutoSecure CLI.
• tcp-intercept: Specifies the configuration of the TCP intercept feature in the AutoSecure CLI.

▪ In interactive mode, the router prompts with options to enable and disable services and other security features. This is the default mode, but it can also be requested explicitly with the auto secure full command.
▪ The non-interactive mode is started with the auto secure no-interact command. This automatically executes the Cisco AutoSecure feature with the recommended Cisco default settings, and creates no usernames or passwords.
▪ The auto secure command can also be entered with keywords to configure specific components, such as the management plane (management keyword) and the forwarding plane (forwarding keyword).
Lock Down a Router Using AutoSecure
Using the auto secure Command
When the auto secure command is initiated, a CLI wizard steps the administrator through the configuration of the device. User input is required.

Step 1. The auto secure command is entered. The router displays the AutoSecure configuration wizard welcome message.
Step 2. The wizard gathers information about the outside interfaces.
Step 3. AutoSecure secures the management plane by disabling unnecessary services.
Step 4. AutoSecure prompts for a banner.
Step 5. AutoSecure prompts for passwords and enables password and login features.
Step 6. Interfaces are secured.
Step 7. The forwarding plane is secured.

AutoSecure should be used when a router is initially being configured. It is not recommended on production routers, because it changes many services at once and can interrupt traffic or management access that the existing configuration depends on.
Lock Down a Router Using AutoSecure
Cisco AutoSecure Configuration Example
In this example, AutoSecure is used to secure R1 with the following requirements:
▪ Configure Serial0/0/0 as the interface facing the internet. Note: the interface name is case-sensitive.
▪ Create a MOTD banner using #Unauthorized Access is Prohibited!#.
▪ Create a local username Admin01 with password Admin01pa55 to access the router.
▪ Configure a 60 second login shutdown if 2 failed login attempts are made within 30 seconds.
▪ Use example.com as the domain name for the SSH server.
▪ Do not configure the CBAC (Context-Based Access Control) firewall.
▪ Apply the configuration from AutoSecure to the running-config.
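The configuration example above carried through, as an added example that is not from the original slides. The wizard prompts are paraphrased in comments and their exact wording varies by IOS release; the answers are the stated requirements. The ADMIN-HOSTS ACL and its subnet 10.10.99.0/24 at the end are an added assumption, not part of the exercise.

```cisco
! Added example, not from the original slides. Prompts paraphrased; answers per the
! requirements. ADMIN-HOSTS / 10.10.99.0/24 are assumptions.

R1# auto secure
!  Is this router connected to internet? [no]:             yes
!  Enter the number of interfaces facing the internet [1]: 1
!  Enter the interface name that is facing the internet:   Serial0/0/0
!  Enter the security banner (between delimiter characters): #Unauthorized Access is Prohibited!#
!  Enter the new enable secret / enable password:          (per site policy)
!  Configuration of local user database - username / password: Admin01 / Admin01pa55
!  Blocking period when login attack detected:             60
!  Maximum login failures with the device:                 2
!  Maximum time period for crossing the failed login limit: 30
!  Configure SSH server? [yes]: yes   Enter the domain-name: example.com
!  Configure CBAC Firewall feature? [yes/no]:              no
!  Apply this configuration to running-config? [yes]:      yes

! Non-interactive or partial alternatives:
R1# auto secure no-interact         ! Cisco defaults, no prompts, no user or password created
R1# auto secure management          ! management plane only
R1# auto secure forwarding          ! forwarding plane only

! --- Check what AutoSecure wrote; these lines are expected to be present ---
R1# show running-config | include login block|domain-name|username|no cdp|no service|no ip
! login block-for 60 attempts 2 within 30
! ip domain-name example.com
! username Admin01 ...
! no cdp run
! no service pad
! no ip source-route
! no ip http server
R1# show running-config | section line vty       ! expect: transport input ssh
R1# show login                                   ! shows the block-for settings and quiet mode

! --- Caveat: login block-for also locks out the administrator during the quiet
!     period; exempt the management hosts and log the failures ---
R1# configure terminal
R1(config)# ip access-list standard ADMIN-HOSTS
R1(config-std-nacl)# permit 10.10.99.0 0.0.0.255
R1(config-std-nacl)# exit
R1(config)# login quiet-mode access-class ADMIN-HOSTS
R1(config)# login on-failure log
R1(config)# end
```

Run the show commands from the console rather than over SSH: if the answers to the SSH and login prompts were wrong, the first thing AutoSecure breaks is the remote session you are using to check it.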
Lock Down a Router Using AutoSecure
Lab - Configure Automated Security Features

In this lab, you will complete the following objectives:


• Part 1: Configure basic device settings.
• Part 2: Configure automated security features.

6.3 Routing Protocol Authentication
Routing Protocol Authentication
Dynamic Routing Protocols

• Dynamic routing protocols perform several activities, including network discovery and maintaining routing tables.
• Important advantages of dynamic routing protocols are the ability to select a best path, and the ability to automatically discover a new best path when there is a change in the topology.
• A dynamic routing protocol allows the routers to automatically learn about these networks from other routers.

The figure shows routers R1 and R2 using a common routing protocol to share network information.
Routing Protocol Authentication
Routing Protocol Spoofing

▪ Routing systems can be attacked by disrupting peer network routers, or by falsifying or spoofing the information carried within the routing protocols.
▪ Spoofing routing information may generally be used to cause systems to misinform (lie to) each other, cause a DoS attack, or cause traffic to follow a path it would not normally follow.
▪ There are several consequences of routing information being spoofed:
  ▪ Redirecting traffic to create routing loops
  ▪ Redirecting traffic so it can be monitored on an insecure link
  ▪ Redirecting traffic to discard it

6.3.2 Attackers Can Manipulate Unauthenticated Routing Updates
Routing Protocol Authentication
OSPF MD5 Routing Protocol Authentication
OSPF supports routing protocol authentication using MD5. MD5 authentication can be enabled globally for all interfaces or on a per-interface basis.

Enable MD5 authentication for all OSPF interfaces in an area:
• ip ospf message-digest-key key md5 password interface configuration command.
• area area-id authentication message-digest router configuration command.
• This method forces authentication on all OSPF-enabled interfaces in the area. If an interface is not configured with the ip ospf message-digest-key command, it will not be able to form adjacencies with other OSPF neighbors.

Enable MD5 authentication on a per-interface basis:
• ip ospf message-digest-key key md5 password interface configuration command.
• ip ospf authentication message-digest interface configuration command.

Routing Protocol Authentication
OSPF Configured Without Authentication

Routing Protocol Authentication
OSPF Configured With MD5 Authentication
Routing Protocol Authentication
OSPF SHA Routing Protocol Authentication

MD5 is now considered vulnerable to attacks and should only be used when stronger authentication is not available. Administrators should use SHA authentication (HMAC-SHA, Hash-based Message Authentication Code) as long as all of the router operating systems support OSPF SHA authentication.

Step 1. Specify an authentication key chain in global configuration mode:
• Configure a key chain name with the key chain command.
• Assign the key chain a number and a password with the key and key-string commands.
• Specify SHA authentication with the cryptographic-algorithm command.
• (Optional) Specify when this key will expire with the send-lifetime command.
Routing Protocol Authentication
OSPF SHA Routing Protocol Authentication (Cont.)

Step 2. Assign the authentication key chain to the desired interfaces with the ip ospf authentication key-chain command.

The next slide shows an SHA authentication example for R1 and R2.

Routing Protocol Authentication
OSPF SHA Routing Protocol Authentication (Cont.)
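The MD5 commands and the two-step SHA key-chain procedure above on R1, as an added example that is not the slides' own R1/R2 figure. Interface names, the OSPF process number, key strings and the lifetime dates are assumptions; R2 must carry the same key number, key string and algorithm on its matching interfaces.

```cisco
! Added example, not from the original slides. Assumed: OSPF process 10, area 0,
! Gi0/0 still on MD5 (legacy neighbor), Gi0/1 on HMAC-SHA-256; key strings are placeholders.

! --- MD5, per interface (for a neighbor that cannot do SHA yet) ---
R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip ospf message-digest-key 1 md5 Md5-k3y-r1r2
R1(config-if)# ip ospf authentication message-digest
R1(config-if)# exit
! Alternative, area-wide: forces MD5 on every OSPF interface in area 0
R1(config)# router ospf 10
R1(config-router)# area 0 authentication message-digest
R1(config-router)# exit

! --- SHA, Step 1: the key chain ---
R1(config)# key chain OSPF-SHA
R1(config-keychain)# key 1
R1(config-keychain-key)# key-string Sha256-k3y-r1r2
R1(config-keychain-key)# cryptographic-algorithm hmac-sha-256
R1(config-keychain-key)# send-lifetime 00:00:00 1 Jan 2024 infinite
R1(config-keychain-key)# accept-lifetime 00:00:00 1 Jan 2024 infinite
R1(config-keychain-key)# exit
R1(config-keychain)# exit

! --- SHA, Step 2: bind the chain to the interface ---
R1(config)# interface GigabitEthernet0/1
R1(config-if)# ip ospf authentication key-chain OSPF-SHA
R1(config-if)# end

! --- Checks ---
R1# show ip ospf interface GigabitEthernet0/1 | include authentication|Cryptographic|key
R1# show key chain OSPF-SHA                  ! active key, algorithm, lifetimes
R1# show ip ospf neighbor                    ! the Gi0/1 neighbor must reach FULL
R1# debug ip ospf adj                        ! a key or algorithm mismatch shows here as an authentication failure
```

Two operational caveats: the lifetimes only mean something if both routers agree on the time, which is why NTP belongs in the same change; and a key rollover is done by adding key 2 with an overlapping lifetime rather than editing key 1, so the adjacency never drops.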
Routing Protocol Authentication
Lab - Basic Device Configuration and OSPF Authentication

In this lab, you will complete the following objectives:


• Part 1: Configure basic device settings.
• Part 2: Secure the control plane.

Routing Protocol Authentication
Packet Tracer - Configure OSPF Authentication

In this Packet Tracer activity, you will configure OSPF MD5 authentication.

6.4 Secure Management and Reporting
Secure Management and Reporting
Types of Management Access

From a reporting standpoint, most networking devices can send log data that can be invaluable when troubleshooting network problems or security threats. This data can be viewed in real time, on demand, and in scheduled reports.

When logging and managing information, the information flow between management hosts and the managed devices can take two paths:

• In-band - Information flows across an enterprise production network, the Internet, or both, using regular data channels.
• Out-of-band (OOB) - Information flows on a dedicated management network on which no production traffic resides.
Secure Management and Reporting
Out-of-Band and In-Band Access
As a general rule, for security purposes, OOB management is appropriate for large enterprise networks. However, it is not always desirable. The decision to use OOB management depends on the type of management applications running and the protocols being monitored.

OOB management guidelines are:
• Provide the highest level of security.
• Mitigate the risk of passing insecure management protocols over the production network.

In-band management is recommended in smaller networks as a means of achieving a more cost-effective security deployment. In such architectures, management traffic flows in-band in all cases. It is made as secure as possible using secure management protocols, for example using SSH instead of Telnet.

In-band management guidelines are:
• Apply only to devices that need to be managed or monitored.
• Use IPsec, SSH, or SSL when possible.
• Decide whether the management channel needs to be open at all times.

Secure Management and Reporting
Out-of-Band and In-Band Access (Cont.)
▪ Implementation of an out-of-band management solution allows a network administrator to retain full control over all the elements in wide area networks when in-band and IP-based management strategies fail.
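The in-band guidelines above (only managed devices, SSH rather than Telnet, a management channel that is not open to everyone) turned into configuration on R1, as an added example that is not from the original slides. The management subnet 10.10.99.0/24, the idle timeout and the presence of a local user are assumptions.

```cisco
! Added example, not from the original slides. Assumed: management hosts live in
! 10.10.99.0/24 and a local username already exists on R1.

! Only management hosts may open a vty session; everything else is denied and logged
R1(config)# ip access-list standard MGMT-HOSTS
R1(config-std-nacl)# permit 10.10.99.0 0.0.0.255
R1(config-std-nacl)# deny any log
R1(config-std-nacl)# exit

R1(config)# line vty 0 4
R1(config-line)# access-class MGMT-HOSTS in      ! filter inbound management connections
R1(config-line)# transport input ssh             ! SSH only, no Telnet
R1(config-line)# exec-timeout 10 0               ! idle sessions closed after 10 minutes
R1(config-line)# login local                     ! omit if aaa new-model is in use
R1(config-line)# exit

! OOB lines: the console stays usable; the aux port is closed unless a modem is needed
R1(config)# line con 0
R1(config-line)# exec-timeout 10 0
R1(config-line)# login local                     ! omit if aaa new-model is in use
R1(config-line)# exit
R1(config)# line aux 0
R1(config-line)# no exec
R1(config-line)# transport input none
R1(config-line)# exit

! Checks
R1# show running-config | section line vty
R1# show users                                   ! who is connected and from where
R1# show access-lists MGMT-HOSTS                 ! the deny counter rises on blocked attempts
```

If the management subnet is a dedicated OOB network, the same ACL is the boundary between the two paths the slide describes: in-band hosts simply never match the permit line.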
6.5 Network Security Using Syslog
Network Security Using Syslog
Introduction to Syslog
The most common method of accessing system messages is to use a protocol called syslog.

Syslog is a term used to describe a standard. It is also used to describe the protocol developed for that standard. Many networking devices support syslog, including routers, switches, application servers, firewalls, and other network appliances. The syslog protocol allows networking devices to send their system messages across the network to syslog servers.

The syslog logging service provides three primary functions:
• The ability to gather logging information for monitoring and troubleshooting
• The ability to select the type of logging information that is captured
• The ability to specify the destinations of captured syslog messages
Network Security Using Syslog
Syslog Operation
On Cisco network devices, the syslog process starts by sending system messages and debug output to a local logging process internal to the device. How the logging process handles these messages and outputs depends on the device configuration.

As shown in the figure, popular destinations for syslog messages include the:
• Logging buffer (RAM inside a router or switch)
• Console line
• Terminal line
• Syslog server

It is possible to remotely monitor system messages by viewing the logs on a syslog server, or by accessing the device through Telnet, SSH, or the console port.
Network Security Using Syslog
Syslog Message Format
Cisco devices produce syslog messages as a result of network events. Every syslog message contains a severity level and a facility. The smaller the numerical level, the more critical the syslog alarm.

Severity Name (Severity Level): Description
• Emergency (level 0): System unusable
• Alert (level 1): Immediate action needed
• Critical (level 2): Critical condition
• Error (level 3): Error condition
• Warning (level 4): Warning condition
• Notification (level 5): Normal, but significant condition
• Informational (level 6): Informational message
• Debugging (level 7): Debugging message
Network Security Using Syslog
Syslog Facilities

Syslog facilities are service identifiers that identify and categorize system state data for error and event message reporting. The logging facility options that are available are specific to the networking device.

By default, the format of syslog messages on the Cisco IOS Software is as follows:

seq no: timestamp: %facility-severity-MNEMONIC: description

For example, sample output on a Cisco switch for an EtherChannel link changing state to up is:

00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up

Here the facility is LINK and the severity level is 3, with a MNEMONIC of UPDOWN.
Network Security Using Syslog
Configure Syslog Timestamps
By default, log messages are not timestamped. Log messages should be timestamped so that when they
are sent to another destination, such as a Syslog server, there is record of when the message was
generated.

Use the command service timestamps log datetime to force logged events to display the date and time.
As shown in the command output, when the R1 GigabitEthernet 0/0/0 interface is reactivated, the log
messages now contain the date and time.

Network Security Using Syslog
Syslog Systems
Syslog implementations always contain two types of systems:

• Syslog servers - Also known as log hosts, these systems accept and process log messages from
syslog clients.
• Syslog clients - Routers or other types of equipment that generate and forward log messages to
syslog servers.

The topology in the figure identifies the syslog server at IP address 10.2.2.6. The rest of the
servers and devices in the topology can be configured as syslog clients, which send syslog messages
to the syslog server.
Network Security Using Syslog
Syslog Configuration

Configure system logging with the following steps:

Step 1. Set the destination logging host using the logging host {hostname | ip-address} command.

Step 2. (Optional) Set the log severity (trap) level using the logging trap level command.

Step 3. (Optional) Set the source interface using the logging source-interface interface command.

Step 4. (Optional) Enable logging to all enabled destinations with the logging on command (this is
the default, so it is only needed if logging was previously disabled with no logging on).

The figure shows the syslog reference topology.
Network Security Using Syslog
Syslog Configuration (Cont.)
Before we start configuring logging, let's look at how logging is configured by default.

R1# show run all | include logging
logging queue-limit trap 1024
logging buffered 4096 debugging
logging reload message-limit 1000 notifications
no logging persistent
logging rate-limit console 40 except errors
no logging console guaranteed
logging console debugging
logging monitor debugging
logging cns-events informational
logging on

• Modify buffered logging. The logging buffer is set to hold 4096 bytes in a circular buffer and
keep log messages at the debugging level and below. Set the size of the buffer to 16384 bytes:

R1(config)# logging buffered 16384

• Modify the logging trap level:

R1(config)# logging trap informational

6.6 NTP Configuration

NTP Configuration
Time and Calendar Services

The software clock on a router or switch starts when the system boots. It is the
primary source of time for the system. It is important to synchronize the time across
all devices on the network because all aspects of managing, securing,
troubleshooting, and planning networks require accurate timestamping.

The date and time settings on a router or switch can be manually configured, using
the clock set command, as shown in the example.

NTP Configuration
NTP Operation

NTP networks use a hierarchical system of time sources. Each level in this hierarchical system is
called a stratum. The stratum level is defined as the number of hops from the authoritative source.

The sample network consists of four stratum levels, which acquire their time as follows:
• Stratum 0 is the authoritative time source itself (for example, an atomic or GPS clock).
• A stratum 1 server gets its time from the stratum 0 time source.
• A stratum 2 server gets its time from the stratum 1 server.
• A stratum 3 server gets its time from the stratum 2 server.

NTP Configuration
Configure and Verify NTP

The figure shows the topology used to demonstrate NTP configuration and verification

NTP Configuration
Configure and Verify NTP (Cont.)

Before NTP is configured on the network, the show clock detail command displays that the time source is
user configuration.

Use the ntp server ip-address command to configure an NTP server that the device should use as its
time source. If the source is another Cisco device that is to serve time from its own clock rather
than from an upstream server, that device must be configured as the authoritative source with the
ntp master [stratum] command.

NTP Configuration
Configure and Verify NTP (Cont.)

Use the show ntp associations and show ntp status commands to verify the device is synchronized
with the NTP server.

NTP Configuration
Configure and Verify NTP (Cont.)
Next, the clock on S1 is configured to synchronize to R1 with the ntp server command and then the
configuration is verified with the show ntp associations command, as displayed.

Output from the show ntp associations command verifies that the clock on S1 is now synchronized
with R1 at 192.168.1.1 via NTP. R1 is a stratum 2 device and the NTP server for S1. S1 is now a
stratum 3 device that can provide NTP service to other devices in the network, such as end devices.

NTP Configuration
Packet Tracer - Configure and Verify NTP

NTP synchronizes the time of day among a set of distributed time servers and clients.
While there are a number of applications that require synchronized time, this lab focuses
on the need to correlate events listed in the system logs and other time-specific events
from multiple network devices.

6.7 SNMP Configuration

SNMP Configuration
Introduction to SNMP
SNMP is an application layer protocol that provides a message format for communication between
managers and agents.

The SNMP system consists of three elements:
• SNMP manager
• SNMP agents (managed node)
• Management Information Base (MIB)

To configure SNMP on a networking device, it is first necessary to define the relationship between
the manager and the agent.

The SNMP manager is part of a network management system (NMS). The SNMP manager runs SNMP
management software.

As shown in the figure, the SNMP manager can collect information from an SNMP agent by using the
"get" action. It can change configurations on an agent by using the "set" action. In addition, SNMP
agents can forward information directly to a network manager by using "traps".
SNMP Configuration
SNMP Operation
There are two primary SNMP manager requests:

• get request - Used by the NMS to query the device for data.
• set request - Used by the NMS to change configuration variables in the agent device. A set request can also
initiate actions within a device. For example, a set request can cause a router to reboot, send a configuration
file, or receive a configuration file.

The SNMP manager uses the get and set actions to perform the operations described in the table.

Operation          Description
get-request        Retrieves a value from a specific variable.
get-next-request   Retrieves a value from a variable within a table; the SNMP manager does not need to know
                   the exact variable name. A sequential search is performed to find the needed variable
                   from within a table.
get-bulk-request   Retrieves large blocks of data, such as multiple rows in a table, that would otherwise
                   require the transmission of many small blocks of data. (Only works with SNMPv2 or later.)
get-response       Replies to a get-request, get-next-request, or set-request sent by an NMS.
set-request        Stores a value in a specific variable.


SNMP Configuration
Management Information Base (MIB)
The MIB organizes variables hierarchically. MIB variables enable the management software to monitor
and control the network device.

Formally, the MIB defines each variable as an object ID (OID). OIDs uniquely identify managed objects
in the MIB hierarchy. The MIB organizes the OIDs based on RFC (Request for Comments) standards into a
hierarchy of OIDs, usually shown as a tree.

The figure shows portions of the MIB structure defined by Cisco (in the figure, DOD stands for the
US Department of Defense).

Note how the OID can be described in words or numbers to help locate a particular variable in the
tree. OIDs belonging to Cisco are numbered as follows: .iso (1).org (3).dod (6).internet (1).private
(4).enterprises (1).cisco (9). Therefore, the OID is 1.3.6.1.4.1.9.
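The following Python, added here and not taken from the Cisco module, walks the named tree above to translate between named and numeric OIDs and applies the longest-matching-subtree rule that an snmp-server view uses to decide whether an OID is visible to a manager. The Cisco enterprise path is the one on the page; the MIB-2 nodes (system, sysDescr, interfaces, ip, ipAddrTable) are standard (RFC 1213) and are added for illustration, and the MIB2-NO-ADDR view is a constructed example, not one from the page.

```python
"""Name <-> number translation in the MIB tree and SNMP view (subtree) matching.

Added example, not from the Cisco module. The tree covers the path from iso to the
Cisco enterprise node given on the page plus a few standard MIB-2 nodes (RFC 1213).
"""
from typing import Dict, List, Tuple, Union

Oid = Tuple[int, ...]
# Tree node: name -> (arc number, children)
Node = Dict[str, Tuple[int, "Node"]]

MIB_TREE: Node = {
    "iso": (1, {
        "org": (3, {
            "dod": (6, {
                "internet": (1, {
                    "mgmt": (2, {
                        "mib-2": (1, {
                            "system": (1, {"sysDescr": (1, {})}),
                            "interfaces": (2, {}),
                            "ip": (4, {"ipAddrTable": (20, {})}),
                        }),
                    }),
                    "private": (4, {
                        "enterprises": (1, {
                            "cisco": (9, {}),
                        }),
                    }),
                }),
            }),
        }),
    }),
}


def to_oid(spec: Union[str, Oid]) -> Oid:
    """Accept 'iso.org.dod.internet.private.enterprises.cisco', '1.3.6.1.4.1.9',
    '.1.3.6.1.4.1.9', a mix of names and numbers, or an already numeric tuple."""
    if not isinstance(spec, str):
        return tuple(int(x) for x in spec)
    node: Node = MIB_TREE
    arcs: List[int] = []
    for part in spec.strip().strip(".").split("."):
        if part in node:
            num, node = node[part]
        elif part.isdigit():
            num = int(part)
            # descend if a child with that arc number is known, otherwise leave the tree
            node = next((kids for (n, kids) in node.values() if n == num), {})
        else:
            raise ValueError(f"unknown MIB node {part!r}")
        arcs.append(num)
    return tuple(arcs)


def to_names(oid: Oid) -> str:
    """Dotted names for the known prefix; unknown arcs stay numeric."""
    node: Node = MIB_TREE
    names: List[str] = []
    for num in oid:
        hit = next(((name, kids) for name, (n, kids) in node.items() if n == num), None)
        if hit is None:
            names.append(str(num))
            node = {}
        else:
            names.append(hit[0])
            node = hit[1]
    return ".".join(names)


class SnmpView:
    """A view is a list of (subtree, included) entries, like repeated
    'snmp-server view NAME oid-tree included|excluded' lines. For a given OID the
    longest matching subtree decides; an OID matching no entry is outside the view
    (RFC 3415 view-family semantics, without family masks)."""

    def __init__(self, name: str):
        self.name = name
        self.entries: List[Tuple[Oid, bool]] = []

    def included(self, subtree: Union[str, Oid]) -> "SnmpView":
        self.entries.append((to_oid(subtree), True))
        return self

    def excluded(self, subtree: Union[str, Oid]) -> "SnmpView":
        self.entries.append((to_oid(subtree), False))
        return self

    def permits(self, oid: Union[str, Oid]) -> bool:
        target = to_oid(oid)
        best_len, allowed = -1, False
        for subtree, inc in self.entries:
            if target[:len(subtree)] == subtree and len(subtree) > best_len:
                best_len, allowed = len(subtree), inc
        return allowed


# The page's example view: everything under iso is readable.
SNMP_RO = SnmpView("SNMP-RO").included("iso")

# A tighter, constructed view: MIB-2 only, with the IP address table excluded
# and nothing under the Cisco enterprise subtree.
MIB2_NO_ADDR = (SnmpView("MIB2-NO-ADDR")
                .included("iso.org.dod.internet.mgmt.mib-2")
                .excluded("iso.org.dod.internet.mgmt.mib-2.ip.ipAddrTable"))

if __name__ == "__main__":
    cisco = to_oid("iso.org.dod.internet.private.enterprises.cisco")
    print(".".join(map(str, cisco)), "=", to_names(cisco))
    for view in (SNMP_RO, MIB2_NO_ADDR):
        for probe in ("1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.4.20.1.1.192.168.1.1", "1.3.6.1.4.1.9.9.1"):
            print(f"{view.name:<13} {probe:<34} {'allowed' if view.permits(probe) else 'denied'}")
```

The excluded entry wins over the broader included one because it is the longer matching prefix; that is the mechanism to use when a manager needs most of MIB-2 but must not be able to enumerate, for example, the device's addressing table.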
Debugging
MIBs
OID means "Object Identifier". To define OID, it's an address used to uniquely identify managed
devices and their statuses. Want to know the temperature reading coming from a sensor at your
mountaintop remote facility? There's an OID for that.

How do you read an OID?
The format of an OID tree can be confusing at first. It's a long string of dotted numbers, such as
the Cisco enterprise OID 1.3.6.1.4.1.9 shown above.

SNMP OID example
Then we look at the first few numbers, which rarely change. The first part of the OID, 1.3.6.1
(.iso.org.dod.internet), will be the same for every piece of equipment you'll ever use.
SNMP Configuration
SNMP Versions
There are several versions of SNMP:
• SNMPv1 - This is the Simple Network Management Protocol, a Full Internet Standard, that is
defined in RFC 1157.
• SNMPv2c - This is defined in RFCs 1901 to 1908. It uses a community-string-based
Administrative Framework.
• SNMPv3 - This is an interoperable standards-based protocol originally defined in RFCs 2273 to
2275. It provides secure access to devices by authenticating and encrypting packets over the
network. It includes these security features: message integrity to ensure that a packet was not
tampered with in transit, authentication to determine that the message is from a valid source,
and encryption to prevent the contents of a message from being read by an unauthorized
source.
All versions use SNMP managers, agents, and MIBs. Cisco IOS software supports the above three
versions. Both SNMPv1 and SNMPv2c use a community-based form of security. The community
of managers that is able to access the MIB of the agent is defined by a community string. SNMPv3
provides for both security models and security levels.
SNMP Configuration
SNMP Versions
SNMPv1 and SNMPv2c
  Level: noAuthNoPriv
  Authentication: Community string
  Encryption: No
  Result: Uses a community string match for authentication.

SNMPv3 noAuthNoPriv
  Level: noAuthNoPriv
  Authentication: Username
  Encryption: No
  Result: Uses a username match for authentication (an improvement over SNMPv2c).

SNMPv3 authNoPriv
  Level: authNoPriv
  Authentication: Message Digest 5 (MD5) or Secure Hash Algorithm (SHA)
  Encryption: No
  Result: Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms.
SNMP Configuration
SNMP Versions
SNMPv3 authPriv
  Level: authPriv (requires the cryptographic software image)
  Authentication: MD5 or SHA
  Encryption: Data Encryption Standard (DES) or Advanced Encryption Standard (AES)
  Result: Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms. Allows specifying
  the User-based Security Model (USM) with these encryption algorithms:
    ▪ DES 56-bit encryption in addition to authentication based on the CBC-DES (DES-56) standard
    ▪ 3DES 168-bit encryption
    ▪ AES 128-bit, 192-bit, or 256-bit encryption

SNMP Configuration
SNMP Vulnerabilities

In any network topology, at least one manager node should run SNMP management software. Network
devices that can be managed, such as switches, routers, servers, and workstations, are equipped with
the SNMP agent software module.

SNMP is vulnerable to attack precisely because SNMP agents can be polled with get requests and
accept configuration changes with set requests, as shown in the figure. With SNMPv1 and SNMPv2c the
only credential is the community string, which is sent in cleartext, so anyone who can capture or
guess it can read the MIB and, with a read-write community, reconfigure the device.

SNMP Configuration
SNMPv3

SNMPv3 provides three security features:

• Message integrity and authentication - Ensures that a packet has not been tampered with in
transit and is from a valid source.

• Encryption - Scrambles the contents of a packet to prevent it from being seen by an
unauthorized source.

• Access control - Restricts each principal to certain actions on specific portions of data.

SNMP Configuration
SNMPv3 Security Configuration
SNMPv3 can be secured with only a few commands:
Step 1. Configure an ACL that will permit access to authorized SNMP managers.

Step 2. Configure an SNMP view with the snmp-server view command to identify the
MIB OIDs that the SNMP manager will be able to read. The view selects which OIDs are
visible; access becomes read-only when the view is attached to the group with the read
keyword only (no write view), as in Step 3.

Step 3. Configure SNMP group features with the snmp-server group command:
• Configure a name for the group.
• Set the SNMP version to 3 with the v3 keyword.
• Require authentication and encryption with the priv keyword.
• Associate a view to the group and give it read-only access with the read keyword.
• Specify the ACL configured in Step 1 with the access keyword.
SNMP Configuration
SNMPv3 Security Configuration (Cont.)
SNMPv3 can be secured with only a few commands:
Step 4. Configure SNMP group user features with the snmp-server user command:
▪ Configure a username and associate the user with the group name configured in Step
3.
▪ Set the SNMP version to 3 with the v3 keyword.
▪ Set the authentication type to either md5 or sha and configure an authentication
password. SHA is preferred and should be supported by the SNMP management
software.
▪ Require encryption with the priv keyword and configure an encryption password.

SNMP Configuration
SNMPv3 Security Configuration Example

The figure shows an example configuration for securing SNMPv3.

Step 1. A standard ACL is named PERMIT-ADMIN and is configured to permit only the 192.168.1.0/24
network.

Step 2. An SNMP view is named SNMP-RO and is configured to include the entire iso tree from the
MIB.

Step 3. An SNMP group is configured with the name ADMIN, SNMPv3, and access for those allowed
with the PERMIT-ADMIN ACL.

Step 4. An SNMP user, BOB, is configured as a member of the group ADMIN using SNMPv3, with
SHA authentication, AES 256 encryption, and the encryption password.
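As an added example (not the module's own lab material), the following Python audits the monitoring and management part of an IOS configuration against the guidance in this module: timestamped syslog sent to a log host, an NTP server, and SNMPv3 at the authPriv level restricted by an ACL. It also checks the weaker choices the module warns about (community strings, MD5 instead of SHA, 56-bit DES). Both configurations are constructed; the hardened one reconstructs the SNMPv3 example described above (ACL PERMIT-ADMIN for 192.168.1.0/24, view SNMP-RO, group ADMIN, user BOB with SHA and AES 256) with made-up passwords, and borrows the log host 10.2.2.6 and NTP server 192.168.1.1 from the syslog and NTP topologies. Because IOS hides snmp-server user lines from show running-config, run the user checks against the intended configuration or the output of show snmp user rather than a bare running-config dump.

```python
"""Audit the monitoring/management settings of an IOS configuration.

Added example, not from the Cisco module. Both configurations are constructed;
passwords are placeholders.
"""
import re
from typing import List

WEAK_CONFIG = """\
service timestamps log uptime
logging console debugging
snmp-server community public RO
snmp-server community private RW
snmp-server group ADMIN v3 auth read SNMP-RO
snmp-server user bob ADMIN v3 auth md5 cisco123 priv des cisco123
"""

HARDENED_CONFIG = """\
ip access-list standard PERMIT-ADMIN
 permit 192.168.1.0 0.0.0.255
service timestamps log datetime msec
logging buffered 16384
logging host 10.2.2.6
logging trap informational
logging source-interface GigabitEthernet0/0/0
logging on
ntp server 192.168.1.1
snmp-server view SNMP-RO iso included
snmp-server group ADMIN v3 priv read SNMP-RO access PERMIT-ADMIN
snmp-server user BOB ADMIN v3 auth sha Auth-Passw0rd priv aes 256 Priv-Passw0rd
"""

_GROUP_RE = re.compile(r"snmp-server group (\S+) v3 (noauth|auth|priv)\b(.*)")
_USER_RE = re.compile(
    r"snmp-server user (\S+) (\S+) v3"
    r"(?: auth (md5|sha) \S+)?"
    r"(?: priv (des|3des|aes (?:128|192|256)) \S+)?"
)


def _config_lines(config: str) -> List[str]:
    return [ln.strip() for ln in config.splitlines()
            if ln.strip() and not ln.strip().startswith("!")]


def _has(lines: List[str], pattern: str) -> bool:
    rx = re.compile(pattern)
    return any(rx.match(ln) for ln in lines)


def audit_config(config: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    lines = _config_lines(config)
    findings: List[str] = []

    # Syslog: timestamps and a remote log host ('logging on' is the default, so only its negation is flagged)
    if not _has(lines, r"service timestamps log datetime"):
        findings.append("syslog: 'service timestamps log datetime' missing; events cannot be correlated across devices")
    if not _has(lines, r"logging (?:host )?\d+\.\d+\.\d+\.\d+"):
        findings.append("syslog: no 'logging host' configured; messages stay in the local buffer")
    if _has(lines, r"no logging on"):
        findings.append("syslog: 'no logging on' disables sending to configured destinations")

    # NTP
    if not _has(lines, r"ntp server "):
        findings.append("ntp: no 'ntp server' configured; timestamps depend on the local clock")

    # SNMP: no community strings, v3 groups at priv with an ACL, users with SHA and AES
    for ln in lines:
        if ln.startswith("snmp-server community "):
            findings.append(f"snmp: community-based (v1/v2c) access configured: '{ln}'")
            continue
        g = _GROUP_RE.match(ln)
        if g:
            name, level, rest = g.groups()
            if level != "priv":
                findings.append(f"snmp: group {name} uses security level {level}; require authentication and encryption with priv")
            acl = re.search(r"\baccess (\S+)", rest)
            if acl is None:
                findings.append(f"snmp: group {name} has no access ACL; any host can reach the agent")
            elif not _has(lines, rf"(?:ip access-list (?:standard|extended) {re.escape(acl.group(1))}$|access-list {re.escape(acl.group(1))} )"):
                findings.append(f"snmp: group {name} references ACL {acl.group(1)} which is not defined")
            if re.search(r"\bwrite \S+", rest):
                findings.append(f"snmp: group {name} has a write view; set requests are allowed")
            continue
        u = _USER_RE.match(ln)
        if u:
            user, _group, auth, priv = u.groups()
            if auth is None:
                findings.append(f"snmp: user {user} has no authentication")
            elif auth == "md5":
                findings.append(f"snmp: user {user} authenticates with MD5; SHA is preferred")
            if priv is None:
                findings.append(f"snmp: user {user} has no encryption; payloads travel in cleartext")
            elif priv == "des":
                findings.append(f"snmp: user {user} encrypts with 56-bit DES; use AES")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_config(cfg)
        print(f"{label}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

The weak configuration produces nine findings and the hardened one none; the ACL check also catches a group that names an access list which was never defined, a gap that otherwise leaves the agent reachable from everywhere while the configuration looks restricted.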
SNMP Configuration
SNMPv3 Verification (Cont.)

Verify most of the SNMPv3 security configuration by viewing the running configuration, as
shown in the figure. Notice that the snmp-server user configuration is hidden from the running
configuration. Use the show snmp user command to view the user information.

SNMP Configuration
SNMPv3 Verification (Cont.)

▪ Verify that the SNMP manager can send get requests to R1 by using an SNMP management tool, such as
ManageEngine's free SNMP MIB Browser.
▪ Configure the tool with the user details. When a user is configured, use the SNMP management
tool's features to test that the configured user can access the SNMP agent.

SNMP Configuration
SNMPv3 Verification (Cont.)

In the figure below, the network administrator entered the OID for the IP addressing table. The get
request returned all the addressing information for R1. The network administrator authenticated with
the appropriate credentials.

SNMP Configuration
SNMPv3 Verification (Cont.)

Verify that the data was encrypted by running a protocol analyzer, such as Wireshark, and capturing
the SNMP packets. With the authPriv security level the scoped PDU is displayed as an encrypted blob
rather than as readable OIDs and values.

SNMP Configuration
Lab - Configure Cisco IOS Resilience Management and Reporting

In this lab, you will complete the following objectives:

• Part 1: Configure basic device settings.
• Part 2: Configure SNMPv3 security using an ACL.
• Part 3: Configure a router as a synchronized time source for other devices using NTP.
• Part 4: Configure syslog support on a router.

SNMP Configuration
Packet Tracer - Configure Cisco Devices for Syslog, NTP, and SSH
Operations
In this Packet Tracer activity, you will complete the following objectives:

• Part 1: Configure Syslog Service
• Part 2: Generate Logged Events
• Part 3: Manually Set Switch Clocks
• Part 4: Configure NTP Service
• Part 5: Verify Timestamped Log

6.8 Device Monitoring and
Management Summary

Device Monitoring and Management Summary
What Did I Learn in this Module?
• The Cisco IOS resilient configuration feature maintains a secure working copy of the router IOS image file
and a copy of the running configuration file, which cannot be removed by the user and is referred to as the
primary bootset.
• To secure the IOS image and enable Cisco IOS image resilience, use the secure boot-image global
configuration mode command.
• To take a snapshot of the router running configuration and securely archive it in persistent storage, use the
secure boot-config global configuration mode command.
• The SCP feature provides a secure and authenticated method for copying router configuration or router
image files to a remote location.
• Some default services, such as CDP and LLDP, can make the network vulnerable to attack.
• AutoSecure is often used in the field to provide a baseline security policy on a new router. However, it is not
recommended on production routers.
• Dynamic routing protocols are used by routers to automatically share information about the reachability and
status of remote networks.

Device Monitoring and Management Summary
What Did I Learn in this Module?
• Routing systems can be attacked by disrupting peer network routers, or by falsifying or spoofing the
information carried within the routing protocols.
• Routing protocol updates can be configured to use MD5 or SHA authentication. This helps ensure that
routing protocol updates are coming from trusted sources.
• In-band information paths use the production network, the internet or both. Management traffic is sent on the
same network as user traffic.
• Out-of-band (OOB) management paths use dedicated management networks which do not transmit user
traffic.
• The most common method of accessing system messages is to use a protocol called syslog.
• On Cisco network devices, the syslog protocol can send system messages and debug command output to a
local logging process that is internal to the device or can send messages to an internal buffer.
• Syslog messages contain a severity level that can range from Level 0 to Level 7. The lower the level
number, the higher the severity.
Device Monitoring and Management Summary
What Did I Learn in this Module?
• The service timestamps log datetime command configures the device to use system timestamps for all
messages.
• A Cisco device is configured to use syslog by specifying the logging host with the logging command and
activating the logging process with the logging on command.
• It is desirable to configure devices to use NTP to synchronize time between all network devices.
• NTP uses a hierarchical system of time sources that are arranged in strata. Stratum 0 is the most
authoritative time source, and it may use atomic or GPS clocks. The lower the stratum number, the closer the
source is to the stratum 0 authoritative source.
• NTP is configured on a device with the ntp server command.
• SNMP defines how management information is exchanged between network management applications and
management agents.
• The SNMP system requires three elements and consists of an SNMP manager, SNMP agent, and the MIB.
• SNMPv1 is obsolete. SNMPv2c should be used at a minimum. SNMPv3 is strongly recommended.
• SNMPv3 authenticates and encrypts packets over the network to provide secure access to devices.

Device Monitoring and Management Summary
New Terms and Commands
• nonvolatile random-access memory (NVRAM)
• primary bootset
• secure boot-image
• show secure bootset
• Secure Copy Protocol (SCP)
• aaa new-model
• aaa authentication login default local
• aaa authorization exec default local
• ip scp server enable
• confreg 0x2142
• config-register
• no service password-recovery
• Cisco Discovery Protocol (CDP)
• Link Layer Discovery Protocol (LLDP)
• Cisco AutoSecure
• Cisco Express Forwarding (CEF)
• auto secure
• dynamic routing protocols
• ip ospf message-digest-key key md5 password
• area area-id authentication message-digest
• ip ospf authentication message-digest
• key chain name
• key key-id
• key-string string
• cryptographic-algorithm {hmac-sha-1 | hmac-sha-256 | hmac-sha-384 | hmac-sha-512 | md5}
• send-lifetime start-time {infinite | end-time | duration seconds}
• ip ospf authentication key-chain name
• in-band and out-of-band (OOB) information flows
• syslog
• logging buffer
• service timestamps log datetime
• logging host [hostname | ip-address]
• logging trap level
• logging source-interface interface
• logging on
• clock set
• Network Time Protocol (NTP)
• stratum level
• show clock detail
• ntp server ip-address
• ntp master [stratum]
• show ntp associations
• show ntp status
• Simple Network Management Protocol (SNMP)
• SNMP manager
• SNMP agent
• Management Information Base (MIB)
• network management system (NMS)
• get, set, and traps
• get-request
• get-next-request
• get-bulk-request
• get-response
• set-request
• MIB object ID (OID)
• SNMPv1, SNMPv2c, and SNMPv3
• snmp-server view view-name oid-tree
• snmp-server group group-name v3 priv read view-name access [acl-number | acl-name]
• snmp-server user username group-name v3 auth {md5 | sha} auth-password priv {des | 3des | aes {128 | 192 | 256}} priv-password
• show snmp user
