security Question

joseph.steve
Level 1

Hi

Got some security questions, looking for some kind input.

  1. how to disable cdp on specific interface on a router
  2. how to tighten the SNMP security for RW access (not only with password)
  3. how to check if SNMP is a dictionary-based string
  4. how to encrypt the SNMP password - normally it's clear text
  5. how to encrypt the ISAKMP key - normally it's clear text
  6. correct steps to configure SSH on router and switch

thanks all

SJ

1 Accepted Solution

Accepted Solutions

John Blakley
VIP Alumni

A lot of your snmp questions can be addressed with configuring snmp v3:

http://www.cisco.com/en/US/docs/ios/12_0t/12_0t3/feature/guide/Snmp3.html

1. You would go under the interface and enter "no cdp enable". You'd do this for every interface that you'd want to disable it on.

5. For encryption of your isakmp key, depending on the IOS version I believe, you could do the following:

password encryption aes

key config-key password-encrypt testing123

6. SSH is configured by creating a domain-name, setting the hostname of the router, and creating an RSA key:

ip domain-name

hostname R1

crypto key generate rsa modulus 768 (768 minimum is required for SSH v2)

Enable aaa:

aaa new-model

aaa authentication login SSH local

username cisco password cisco

enable secret cisco

line vty 0 4

login authentication SSH

transport input ssh

transport output ssh

When enabling aaa, be careful not to get locked out of the router. I always test my aaa configuration first by opening another ssh session to make sure that the configuration works before I exit out of my first session. Otherwise, you'll need to do a password reset on the router and that's never fun.

HTH,

John

HTH, John *** Please rate all useful posts ***


3 Replies

Vivek Ganapathi
Level 4

Hello Joseph,

1) how to disable cdp on specific interface on a router

Get onto the interface & issue the command no cdp enable

2) how to tighten the SNMP security for RW access (not only with password)

http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094489.shtml <-- this section will explain the SNMP security

3) how to check if SNMP is a dictionary based string
Requires clarification: do you mean if the SNMP string is a dictionary word? Is your question more aligned towards dictionary attacks?

4) how to encrypt the SNMP password - normally it's clear text

Using SNMP v3 would provide you an option to encrypt your pwd using AES or 3DES

5) how to encrypt the ISAKMP key - normally it's clear text

You need to set up an AES master key:

R1(config)#key config-key password-encrypt 1LoVenCrypti0N    <--- This is the master key
R1(config)#password encryption aes
R1(config)#crypto isakmp key 0 c1sc0 address 192.168.1.100 0.0.0.0

By doing the above, when you do a show run, you would see your crypto isakmp key in encrypted format. Most importantly, remember that if you delete your master key, you need to recreate your ISAKMP keys as well.

6) correct steps to configure SSH on router and switch

Firstly, you must have an image which supports SSH. Below is a link you can visit to get details:

https://supportforums.cisco.com/docs/DOC-4662

Thanks

Vivek
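As an added example (not from this thread or from Cisco), here is a small Python audit that reads a saved running-config and checks for the items discussed above: CDP left enabled on an interface, v1/v2c RW community strings and community strings that appear in a wordlist (question 3), an ISAKMP pre-shared key still stored as type 0 clear text, and vty lines that still accept telnet. The sample config, the type 6 placeholder and the wordlist are constructed for the example.

```python
import re

# Constructed sample running-config containing the weaknesses the thread asks about.
SAMPLE_CONFIG = """\
hostname R1
snmp-server community public RO
snmp-server community private RW
crypto isakmp key 0 c1sc0 address 192.168.1.100 0.0.0.0
crypto isakmp key 6 PLACEHOLDER_TYPE6_BLOB address 192.168.1.101 0.0.0.0
interface GigabitEthernet0/0
 no cdp enable
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
line vty 0 4
 transport input telnet ssh
"""

# Constructed stand-in for a real wordlist (question 3: is the community string a dictionary word?).
WORDLIST = {"public", "private", "cisco", "admin", "password"}

def audit_config(config, wordlist=WORDLIST):
    """Return a list of findings for the hardening items discussed in the thread."""
    findings, interfaces, cdp_off, current = [], [], set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            interfaces.append(current)
        elif raw.startswith("line "):
            current = None                      # left the interface sections
        elif current and line == "no cdp enable":
            cdp_off.add(current)
        m = re.match(r"snmp-server community (\S+)(?: (RO|RW))?", line)
        if m:
            name, mode = m.group(1), m.group(2) or "RO"   # IOS defaults to RO
            if mode == "RW":
                findings.append(f"SNMP v1/v2c RW community '{name}': move to SNMPv3 authPriv")
            if name.lower() in wordlist:
                findings.append(f"SNMP community '{name}' is a dictionary word")
        if line.startswith("crypto isakmp key 0 "):     # type 0 = clear text in show run
            findings.append("ISAKMP pre-shared key stored in clear text: enable 'password encryption aes'")
        if line.startswith("transport input") and "telnet" in line:
            findings.append("vty lines accept telnet: use 'transport input ssh'")
    if "no cdp run" not in config:                       # global off would cover every interface
        for name in interfaces:
            if name not in cdp_off:
                findings.append(f"CDP still enabled on {name}")
    return findings

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```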
