Cisco NFP (Network Foundation Protection) is a framework that provides infrastructure protection using IOS features designed specifically to protect three planes of the device: the control plane (services and routing protocols), the data plane (forwarding of user traffic, including malicious traffic) and the management plane (administrative access).
This document briefly describes a simple way to protect THE DEVICE MANAGEMENT PLANE.
HOSTNAME
- Router>enable
- Router#configure terminal
- Router(config)#hostname ccna_sec
USERS
- ccna_sec(config)#service password-encryption
- ccna_sec(config)#enable secret "PASSWORD"
- ccna_sec(config)#username "USER" privilege 15 secret "PASSWORD"
SSH
- ccna_sec(config)#ip domain-name "DOMAIN.NAME"
- ccna_sec(config)#crypto key generate rsa modulus 1024
- ccna_sec(config)#ip ssh version 2
- ccna_sec(config)#ip ssh authentication-retries 3
- ccna_sec(config)#ip ssh time-out 120
HTTPS
- ccna_sec(config)#ip http authentication local
- ccna_sec(config)#no ip http server
- ccna_sec(config)#ip http secure-server
LINE VTY
- ccna_sec(config)#line vty 0 4
- ccna_sec(config-line)#login local
- ccna_sec(config-line)#transport input ssh
- ccna_sec(config-line)#exec-timeout 3
- ccna_sec(config-line)#exit
LINE CONSOLE
- ccna_sec(config)#line console 0
- ccna_sec(config-line)#login local
- ccna_sec(config-line)#exec-timeout 3
BANNERS
- ccna_sec(config)#banner login " MESSAGE "
- ccna_sec(config)#banner exec " MESSAGE "
ACCESS LOG
- ccna_sec(config)#login block-for 10 attempts 3 within 20
- ccna_sec(config)#login delay 10
- ccna_sec(config)#login on-failure log
- ccna_sec(config)#login on-success log
ACL + ACCESS LOG
- ccna_sec(config)#ip access-list standard SSH-ADMIN
- ccna_sec(config-std-nacl)#remark Admin Management ACL
- ccna_sec(config-std-nacl)#permit X.X.X.X log
- ccna_sec(config-std-nacl)#exit
- ccna_sec(config)#login quiet-mode access-class SSH-ADMIN
- ccna_sec(config)#line vty 0 4
- ccna_sec(config-line)#access-class SSH-ADMIN in
- ccna_sec(config-line)#exit
DEBUG
- ccna_sec#show running-config
- ccna_sec#show login
- ccna_sec#show login failures
- ccna_sec#show access-lists
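The commands above are easy to apply once, but they drift: someone re-enables the plain HTTP server, or a new VTY line is added without `transport input ssh`. The script below is an added example (Python, not part of the original post) that audits the text of `show running-config` for the management-plane settings listed in this post. The sample config embedded in it is constructed for illustration and deliberately leaves `ip http server` enabled so one check fails; the check names are my own labels.

```python
"""Audit Cisco IOS running-config text for the management-plane hardening
settings described in the post (SSHv2, VTY restrictions, login throttling, ...).
Added example; the sample config below is constructed, not taken from a real device."""
import re
from typing import Dict, List, Tuple

# Constructed "show running-config" excerpt. IOS shows "line console 0" as
# "line con 0" and "exec-timeout 3" as "exec-timeout 3 0"; that is reflected here.
SAMPLE_CONFIG = """\
hostname ccna_sec
service password-encryption
enable secret 5 $1$PLACEHOLDER
username admin privilege 15 secret 5 $1$PLACEHOLDER
ip domain-name example.test
ip ssh version 2
ip ssh authentication-retries 3
ip ssh time-out 120
ip http server
ip http secure-server
ip http authentication local
login block-for 10 attempts 3 within 20
login on-failure log
login on-success log
ip access-list standard SSH-ADMIN
 remark Admin Management ACL
 permit 192.0.2.10 log
line con 0
 exec-timeout 3 0
 login local
line vty 0 4
 access-class SSH-ADMIN in
 exec-timeout 3 0
 login local
 transport input ssh
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split IOS config into global commands and their indented sub-mode lines.

    IOS indents sub-mode commands (line, interface, named-ACL entries) by one
    space under the parent command, so a leading space marks a child line.
    """
    global_cmds: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
            continue
        current = raw.strip()
        global_cmds.append(current)
        sections.setdefault(current, [])
    return global_cmds, sections


def has_prefix(cmds: List[str], prefix: str) -> bool:
    """True if any command is exactly `prefix` or starts with `prefix` + a space."""
    return any(c == prefix or c.startswith(prefix + " ") for c in cmds)


def timeout_is_set(cmds: List[str]) -> bool:
    """exec-timeout is stored as '<minutes> <seconds>'; '0 0' disables it.
    An absent line means the IOS default (10 minutes); we require an explicit value."""
    for c in cmds:
        m = re.match(r"exec-timeout (\d+)(?: (\d+))?$", c)
        if m:
            return int(m.group(1)) + int(m.group(2) or 0) > 0
    return False


def acl_defined(sections: Dict[str, List[str]], name: str) -> bool:
    """The ACL referenced by access-class must exist and contain a permit entry."""
    entries = sections.get(f"ip access-list standard {name}") or sections.get(
        f"ip access-list extended {name}", [])
    return any(e.startswith("permit ") for e in entries)


def audit(config_text: str) -> Dict[str, bool]:
    g, sections = parse_config(config_text)
    results: Dict[str, bool] = {
        "service password-encryption": "service password-encryption" in g,
        "enable secret set": has_prefix(g, "enable secret"),
        "ssh version 2": "ip ssh version 2" in g,
        "ssh retries limited": has_prefix(g, "ip ssh authentication-retries"),
        "plain http disabled": "ip http server" not in g,
        "https enabled": "ip http secure-server" in g,
        "http local auth": "ip http authentication local" in g,
        "login block-for": has_prefix(g, "login block-for"),
        "login failure logging": "login on-failure log" in g,
        "login success logging": "login on-success log" in g,
    }
    vty = [v for k, v in sections.items() if k.startswith("line vty")]
    results["vty ssh only"] = bool(vty) and all("transport input ssh" in v for v in vty)
    results["vty login local"] = bool(vty) and all("login local" in v for v in vty)
    results["vty exec-timeout"] = bool(vty) and all(timeout_is_set(v) for v in vty)
    acl_names = [c.split()[1] for v in vty for c in v
                 if c.startswith("access-class ") and len(c.split()) >= 2]
    results["vty access-class with defined ACL"] = bool(acl_names) and all(
        acl_defined(sections, n) for n in acl_names)
    con = sections.get("line con 0") or sections.get("line console 0") or []
    results["console login local"] = "login local" in con
    results["console exec-timeout"] = timeout_is_set(con)
    return results


def failed_checks(config_text: str) -> List[str]:
    """Names of the checks that did not pass, in audit order."""
    return [name for name, ok in audit(config_text).items() if not ok]


if __name__ == "__main__":
    for name in failed_checks(SAMPLE_CONFIG):
        print("FAIL:", name)
```

Feed it the saved output of `show running-config` (for example from a backup job) and a non-empty list of failures is a drift signal; on the constructed sample the only failure is the still-enabled plain HTTP server, which is exactly the `no ip http server` step above.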
Regards.
https://twitter.com/julioask
about.me/juliomtz