A message-of-the-day banner like this in your network equipment is effective. It covers essentially all the possible consequences and goes so far as to state that there will be consequences based upon users' actions.

Privilege Level Security

This feature was introduced by Cisco in release 10.3 and allows for the establishment of 16 levels of access within the router. The default privilege levels are 1 (user) and 15 (privileged). Privilege levels can be used in a variety of ways within a router:
Privilege Level Command Modes

There are a variety of different command modes that you can implement using privilege levels. All of them are global configuration commands except exec.
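The following is an added, complete IOS configuration that puts the privilege-level pieces together in one place; it is example configuration written for this page, not taken from the book or from Cisco documentation. The hostname comes from the page's prompt, every password is an obviously labelled placeholder, and the banner text is constructed. It uses `enable secret level`, which stores a hash, where the book shows `enable password level`, which stores a reversible value; both forms are accepted by IOS.

```cisco
! Added example configuration (not from the book). Hostname taken from the
! page's prompt; every password below is a constructed placeholder.
hostname OSPF_Router
!
! Store line passwords obscured rather than in cleartext in the running-config.
service password-encryption
!
! Login banner shown before authentication (text is a constructed placeholder).
banner motd $
*** AUTHORIZED USE ONLY. All activity on this device is monitored and ***
*** logged. Unauthorized access or use will be prosecuted.           ***
$
!
! Move ping and the clear command tree from level 15 down to level 6.
! Note: "privilege exec level 6 clear" moves every clear subcommand
! (clear counters, clear interface, clear ip route, ...) to level 6.
privilege exec level 6 ping
privilege exec level 6 clear
!
! Per-level enable passwords. "enable secret" stores a hash; the book's
! "enable password level ..." form also works but stores a reversible value.
enable secret level 6 LEVEL6-SECRET-PLACEHOLDER
enable secret LEVEL15-SECRET-PLACEHOLDER
!
! Operators logging in on the VTYs start at level 6 instead of level 1.
line vty 0 4
 privilege level 6
 password VTY-PASSWORD-PLACEHOLDER
 login
 exec-timeout 10 0
!
! Verification after logging in on a VTY:
!   OSPF_Router# show privilege
!   Current privilege level is 6
```

Two points worth checking after applying this: `show privilege` on a VTY session should report level 6 rather than 1, and `privilege exec level 6 clear` lowers the whole `clear` command tree, so review `show running-config | include privilege` to confirm that nothing more sensitive than intended has been moved down a level.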
Privilege Level Configuration Example

To associate a privilege level with a specific command, you need to configure the router as shown here:

    OSPF_Router(config)#privilege exec level 6 ping
    OSPF_Router(config)#privilege exec level 6 clear

The preceding two commands, if applied to a router's VTY port (the ones you Telnet to), allow anyone accessing the router using just the vty command to perform extended pings and a variety of clear commands (that is, counters, interface, router, and so forth).

To establish a specific enable password for a privilege level, you enter the following:

    OSPF_Router(config)# enable password level <level #> <password>

To associate a privilege level with a terminal line, you enter the following:

    OSPF_Router(config)# line vty 0 4
    OSPF_Router(config-line)# privilege level <level #>

Network Data Encryption

To safeguard your network data, Cisco provides network data encryption and router authentication services. This section briefly discusses how this is done and how it can benefit your network. Further discussion of the proper techniques and process involved in deploying this feature in your network is beyond the scope of this book. At the end of this section, additional resources are provided in case you need further reading on this subject.

Network data encryption is provided at the IP packet level. IP packet encryption prevents eavesdroppers from reading the data that is being transmitted. When IP packet encryption is used, IP packets can be seen during transmission, but the IP packet contents (payload) cannot be read. Specifically, the IP header and upper-layer protocol (TCP or UDP) headers are not encrypted, but all payload data within the TCP or UDP packet is encrypted and therefore not readable during transmission. The actual encryption and decryption of IP packets occurs only at routers that you configure for network data encryption with router authentication.
Such routers are considered to be peer encrypting routers (or simply peer routers). Intermediate hops do not participate in encryption/decryption. Typically, when an IP packet is initially generated at a host, it is unencrypted (cleartext). This occurs on a secured (internal) portion of your network. Then when the transmitted IP packet passes through an encrypting router, the router determines if the packet should be encrypted. If the packet is encrypted, the encrypted packet will travel through the unsecured network portion (usually an external network such as the Internet) until it reaches the remote peer encrypting router. At this point, the encrypted IP packet is decrypted and forwarded to the destination host as cleartext.
Router authentication enables peer encrypting routers to positively identify the source of incoming encrypted data. This means that attackers cannot forge transmitted data or tamper with transmitted data without detection. Router authentication occurs between peer routers each time a new encrypted session is established. An encrypted session is established each time an encrypting router receives an IP packet that should be encrypted (unless an encrypted session is already occurring at that time).
To provide IP packet encryption with router authentication, Cisco implements the following standards: the Digital Signature Standard (DSS), the Diffie-Hellman (DH) public key algorithm, and the Data Encryption Standard (DES). DSS is used in router authentication. The DH algorithm and the DES standard are used to initiate and conduct encrypted communication sessions between participating routers.

Additional Resources on Network Data Encryption

This section was provided to make you aware that it is possible to encrypt all the data flowing within your network. This is not to say that you should immediately deploy data encryption or that this is the best way to protect your data, only that it is possible. The next section discusses how OSPF can encrypt routing updates, which does not encrypt the network's data. If you require further information on this subject, you should consult Cisco IOS Security, by Cisco Systems, Inc.