Additional Resources on Network Security
Now that you know security should be a serious part of your network at all levels, and you know some of the Golden Rules of designing a secure network, you might want some additional information regarding the bane of cyber thieves: cyber cops. An article entitled "Cyber Cops" in the March 10, 1997 issue of Forbes Magazine discussed how a Bill Gates-like college student decided the best way to stop cyber thieves was to show companies where their security holes were. This completely logical move resulted in a new company, Internet Security Systems (ISS), whose premise is to stage a break-in with its software and then help plug the holes. If you are interested in finding out more and using its evaluation software, you can check out the company's home page at http://www.iss.net, or you can reach it at 1 (800) 776-2362.
Securing Your OSPF Network
There are many ways to secure your network. The sections that follow discuss the easiest and most basic ways to do this. Controlling access to network equipment is the simplest. There are many further levels of security, and you should also become familiar with how to encrypt data and how to use OSPF authentication within your network.
Controlling Access to Network Equipment
It is important to control access to all of your network equipment. Most equipment manufacturers now design their equipment with multiple levels of passwords, typically read and then read/write. This is probably the easiest and most basic step in securing your network.
This section discusses some of the techniques you can use, and the considerations to keep in mind, regarding Cisco router access and the operation of its passwords. You can control access to the router using the following methods:
You can secure the first three of these methods by employing features within the router software. For each method, you can permit nonprivileged access and privileged access for a user (or group of users). Nonprivileged access allows users to monitor the router but not to configure the router. Privileged access enables the user to fully configure the router.
For console port and Telnet access, you can set up two types of passwords. The first type of password, the login password, allows the user nonprivileged access to the router. After accessing the router, the user can enter privileged mode by entering the enable command and the proper password. Privileged mode provides the user with full configuration capabilities.
SNMP access allows you to set up different SNMP community strings for nonprivileged and privileged access. Nonprivileged access allows users on a host to send the router SNMP get-request and SNMP get-next-request messages. These messages are used for gathering statistics from the router. Privileged access allows users on a host to send the router SNMP set-request messages in order to make changes to the router's configuration and operational state.
Increasing SNMP Security
It is generally understood and agreed upon in the networking arena that SNMP is not as secure as it could be. In networks where security is extremely important, you can also apply an access list to SNMP to limit which hosts can reach the device via SNMP. This is accomplished as shown in the example that follows.
This example permits only the hosts 10.1.3.5 and 10.5.2.53 to access SNMP on the device. You do this by adding the access-list number to the end of the snmp-server community command:
access-list 1 permit 10.1.3.5
access-list 1 permit 10.5.2.53
snmp-server community cisco5 1
Console Port Access
A console is a terminal (PC) attached directly to the router via the console port. Security is applied to the console by asking users to authenticate themselves via passwords. By default, there are no passwords associated with console access.
Telnet: Nonprivileged Mode Password (VTY)
Each Telnet port on the router is known as a virtual terminal. There is a maximum of five virtual terminal (VTY) ports on the router, allowing five concurrent Telnet sessions. (The communication server provides more VTY ports.) On the router, the virtual terminal ports are numbered 0 through 4. You configure a nonprivileged password for Telnet access via the virtual terminal ports (also known as VTY mode) by entering the following commands in the router's configuration file. Remember that passwords are case sensitive. In the following example, the password is ospf4U:
! apply to virtual terminal ports 0 through 4; require login and set the nonprivileged password
line vty 0 4
 login
 password ospf4U
When you log in to the router, the router login prompt is provided:
User Access Verification
Password:
You must enter the password ospf4U to gain nonprivileged access to the router. The router then responds with its nonprivileged prompt, OSPF_Router>.
Nonprivileged mode is signified on the router by the > prompt. At this point, you can enter a variety of commands to view statistics on the router, but you cannot change the configuration of the router.
Telnet: Privileged Mode Password (enable or exec)
Configure a password for privileged mode (enable or exec) by entering the following commands in the router's configuration file. In the following example, the password is MCI-good:
To access privileged mode, enter the following command:
OSPF_Router> enable
Password:
Enter the password MCI-good to gain privileged access to the router. The router then responds with its privileged prompt, OSPF_Router#.
Privileged mode is signified by the # prompt. In privileged mode (also known as enable mode), you can enter all commands to view statistics and configure the router.
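As an added example (not part of the original text), the following Python script audits a constructed IOS configuration that combines this chapter's examples: the access-list-restricted snmp-server community from the SNMP section and the VTY and enable passwords from the Telnet sections, plus a deliberately weak second community line for contrast. The sample config text and the check wording are assumptions; enable secret (a hashed privileged password) and access-class (an access list applied to VTY lines) are standard IOS commands that this page does not show.

```python
# Constructed sample IOS configuration (not from the original text) combining the
# chapter's examples plus one deliberately weak SNMP community line for contrast.
SAMPLE_CONFIG = """\
enable password MCI-good
access-list 1 permit 10.1.3.5
access-list 1 permit 10.5.2.53
snmp-server community cisco5 1
snmp-server community public RW
line con 0
 login
 password ospf4U
line vty 0 4
 login
 password ospf4U
"""

def parse_sections(config):
    """Group an IOS config into (command, [indented sub-commands]) pairs."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                      # skip blank lines and IOS comments
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections

def audit(config):
    """Return findings about weak device-access controls in an IOS config."""
    findings = []
    for cmd, body in parse_sections(config):
        words = cmd.split()
        if words[:2] == ["enable", "password"]:
            findings.append("enable password is reversible; prefer 'enable secret'")
        elif words[:2] == ["snmp-server", "community"]:
            # Syntax: snmp-server community <string> [RO|RW] [access-list-number]
            community, opts = words[2], [w.upper() for w in words[3:]]
            if not [o for o in opts if o not in ("RO", "RW")]:
                findings.append(f"SNMP community '{community}' has no access-list")
            if "RW" in opts:
                findings.append(f"SNMP community '{community}' accepts set-request (RW)")
        elif words[:1] == ["line"]:
            if not any(b.split()[0] == "login" for b in body):
                findings.append(f"'{cmd}' does not require login")
            if not any(b.startswith("password") for b in body):
                findings.append(f"'{cmd}' has no password")
            if words[1] == "vty" and not any(b.startswith("access-class") for b in body):
                findings.append(f"'{cmd}' has no access-class limiting Telnet sources")
    return findings
```

Running audit(SAMPLE_CONFIG) reports four findings: the reversible enable password, the unrestricted and writable public community, and the VTY lines that accept Telnet from any source; the cisco5 community and the console line pass.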