This document explains the way of Securing Terminal Line.
Router running Security Feature set.
One biggest security risk on Cisco-based network is the VTY lines of routers and switches. These lines are used for remote access (via telnet, by default) and are suseptible to brute force password attacks. Below mentioned are few simple steps you can follow to ensure your security at VTV lines.
1.) Enabling username / password based authentication: There are many solutions for authentication ranging from the incredibly complicated to the exceptionally simple. Here you can see the easiest way to enable username / password authentication.
First, you will enable username / password authentication. For this example, we'll use the local user database and only create one user, tiger.
The first line turns on the new authentication model. The second line sets the default authentication mechanism to the "local" database — that's the list of users you are going to be entering by hand. The final line adds a user called 'tiger' with password '11ercghu!#nj045'. The password is hashed inside the configuration.
2.) Restricting VTY line access with an access-list: Once you've defined a list of management addresses, you should apply the list to your VTY lines in order to prevent requests from unwanted IP addresses for connection.
Brute force passwordattacks attempts happen on network devices all day every day. All it takes is one weak password for your device to be compromised. If we lock out all machines that should not be attempting to access the system, we've done a great deal to prevent maliciousness.
We'll use an access-list to define a block of IPs that should be allowed to access our Cisco router (or IOS-based Catalyst switch) and then apply it to our virtual terminal (VTY) lines.
We are using a standard access-list rather than an extended access-list because we are not concerned with matching sources and destinations. We have allowed the first 16 consecutive IPs from 172.16.9.0 through 172.16.9.15. By way of example, we'll assume these are the IP addresses of the hosts used by our network administrators. A single host at 172.16.9.99 is also permitted to access the system. A monitoring server, perhaps. Finally, we deny access by all other hosts.
3.) Use SSH-enabled version of IOS: telnet traffic is sent clear text or unencrypted and represents a major security risk on the network. Even if your devices are behind a firewall, you are still exposing your telnet and enable passwords to your internal network. Using telnet should be avoided.
Once we've installed an SSH-enabled version of IOS, the SSH server will start automatically once you generate the encryption keys with the command mentioned below:
crypto key generate rsa
You need to apply the access-list to the VTY lines and force users to use SSH as shown below:
Hello, When I recently became unable to print on my LAN, and I did some troubleshooting, I realized that 3 copies of the Anyconnect Socket Filter load automatically after each restart, without me having to run the Anyconnect app. It occurs...
Upon boot the LED indicator for WiFi on this ASA-5506W cycles through blinking green to blinking red. The documentation says it means "Ethernet link not operational". Since this is a hardware addon, I assume ethernet link is hard wired inside. To make sur...
I'm messing around in lab and trying to get the FTDv to do jumbo frames. According to the documentation its pretty simple but I've not had any luck. I set the MTU on the Interface to 9000 and FMC said it was enabling jumbo frames and to reboot...
Hi All, Can some advise on the design strategy for large scale deployment. We are trying to deploy a 28-30 node deployment with individual nodes in DC and DR and some dedicated local PSNs as VM in critical sites so that local user authenti...
Hello,I have a question regarding HA setup within a LAN, in a scenario where there are 2 main buildings. I'm curious as to how this would be best achieved through either configuration or from a design standpoint. I have attached an image showing the setup...