2) Two Perimeters - A firewall establishes a second perimeter behind the router.
3) Screened Subnet - A DMZ is established on a firewall that, in turn, is deployed inside the Cisco IOS router.
Cisco ISRs features include:
1) USB Port - USB eToken, USB Flash
2) Unified Network Services - PVDM modules, Media Authentication and Encryption with SRST
3) Integrated Security - 3DES and AES, NAC
4) Mobility - 3G WAN, Wireless LAN
5) Application Intelligence - Performance routing, Cisco WAAS
Cisco router passwords can be a minimum of 0 characters by default, but best practices require 10 characters or more. You can apply a weak encryption to the passwords (Type 7) through:
service password-encryptionHowever, the encryption is so weak that we can decrypt them simply by putting them on certain Internet decryption service sites. However, this helps with shoulder surfing.
You can create views much analogously similar to the ones we have in Database Design. Views are created from the global configuration mode:
conf t
parser view ISP
secret 0 secretlongpassword
commands exec include ping
commands exec include all show
commands exec include all configure
commands configure include access-l
commands configure include all interface
commands configure include all ipTo log into the view, use:
enable view ISP>The five basic services that SDM manages are:
1) Wireless
2) Routing
3) Security
4) Switching
5) QoS
AAA stands for Authentication, Authorization and Accounting.
Cisco Secure ACS Solution Engine is an appliance-based solution. Cisco Secure ACS provides RADIUS and TACACS+ services. It also works with many external databases including Active Directory, LDAP, Novell Directory Services and ODBC. It is configured through a Web-based GUI.
RADIUS has rich accounting, and TACACS+ is capable of customizable user-level policies such as command authorization. RADIUS uses UDP:1812/1813/(Cisco's Default are 1645/1646) for transport and TACACS+ uses TCP:49. RADIUS is open source while TACACS+ is proprietary.
When designing an AAA solution, remote administrative access is also known as character mode. Another name for remote network access is packet mode. Exec policies are those that define access rules to the router. Network policies are those that define access through the router.
To display a list of all local AAA users who have been locked out, use:
show aaa local user lockoutTo display detailed statistics of all logged in users:
show aaa user allTo display current sessions of users have been AAA'ed by the AAA module:
show aaa sessionsThe three main tasks in setting up external AAA is:
1) Configuring the AAA Network (Client and Server)
2) Setting up users in Cisco Secure ACS (Or other servers)
3) Identify Traffic to which AAA will be applied (Client)
No comments :
Post a Comment