There are several general configuration items that should be configured on all Cisco devices running standard IOS. Some Layer 2-only switches will ignore a few of the commands in this article that are Layer 3 specific.
The first place to start is with the service commands.
service password-encryption
Explanation:
The router administrator will ensure passwords are not viewable when displaying the router configuration. Type 5 encryption must be used for the enable mode password.
no service udp-small-servers
no service tcp-small-servers
Explanation:
All IOS versions above 12.0 have the small servers disabled by default. However, it is good to make sure these services didn’t get enabled somewhere along the way. The commands above won’t show up in the configuration, since the services are off by default. Cisco IOS provides these “small services”, which include echo, chargen, and discard. These services are completely unnecessary on Cisco devices.
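As an added example (not from the original post), here is a small Python audit that checks a saved copy of show running-config for the items covered above: service password-encryption, the small servers, and a type 5 enable secret. It also counts cleartext and type 7 password lines, which is what password encryption is meant to hide from someone viewing the configuration. Both sample configs are constructed.

```python
import re

# Constructed sample configs (not from the original post). The first keeps the
# weak settings the article warns about; the second applies the fixes.
WEAK_CONFIG = """\
service tcp-small-servers
no service password-encryption
enable password 7 094F471A1A0A
username admin password 0 plaintextpw
line vty 0 4
 password cisco
 login
"""
HARDENED_CONFIG = """\
service password-encryption
enable secret 5 $1$abcd$constructedhashvalue000000
username admin secret 5 $1$abcd$constructedhashvalue000000
line vty 0 4
 login local
"""
# 'password <value>' or 'password 0 <value>' is cleartext; type 7 is
# reversible and is flagged separately.
CLEARTEXT_RE = re.compile(r"\bpassword (0 \S+|(?![0-9] )\S+)$")
TYPE7_RE = re.compile(r"\bpassword 7 \S+$")


def audit_config(config_text):
    """Return hardening findings for the text of 'show running-config'."""
    lines = [l.strip() for l in config_text.splitlines()]
    findings = []
    # IOS writes 'no service password-encryption' when the service is off.
    if "service password-encryption" not in lines:
        findings.append("service password-encryption not enabled")
    # Small servers are off by default and then absent from the config,
    # so only an explicit enabling line is a finding.
    for proto in ("tcp", "udp"):
        if f"service {proto}-small-servers" in lines:
            findings.append(f"{proto} small-servers enabled")
    # The enable password must be a type 5 secret, not 'enable password'.
    if any(l.startswith("enable password") for l in lines):
        findings.append("enable password used instead of enable secret")
    if not any(l.startswith("enable secret 5 ") for l in lines):
        findings.append("no type 5 enable secret configured")
    cleartext = sum(1 for l in lines if CLEARTEXT_RE.search(l))
    if cleartext:
        findings.append(f"{cleartext} cleartext password line(s)")
    type7 = sum(1 for l in lines if TYPE7_RE.search(l))
    if type7:
        findings.append(f"{type7} type 7 (reversible) password line(s)")
    return findings
```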
In corporate environments, I.T. professionals are constantly trying to adhere to the latest guidelines that apply to their line of business. Most organizations are guided by one or more of the following: HIPAA (healthcare), PCI (credit card industry), and SOX, among others. These guidelines definitely overlap with each other in areas. If you’re privileged enough to have to satisfy more than one of these governing bodies, many times an issue addressed in one will also address the same issue in another. The overlap exists largely because all of these guidelines are based on ‘best practices’. When you have a list of these best practices available to audit against, it allows you to score yourself before the formal audits required by the various governing bodies happen. It is also wise to be aware of the best practices before implementing a new system, in order to avoid having to go back and revisit it after the implementation.
The good news is that there are resources available to anyone, provided by the Defense Information Systems Agency (DISA), a government agency that is part of the Department of Defense (DoD). These guides are separated into two types: one set is called Security Technical Implementation Guides (STIGs) and the other is called Security Checklists. They are developed to provide guidance for the people who build and manage DoD networks, and they are also used in audits performed within Department of Defense networks.
None of the DoD-offered materials have anything to do with HIPAA, PCI, SOX, etc. on the surface, but what they do have in common is a focus on security best practices. In my experience dealing with HIPAA, PCI, SOX, and DoD networks, using these guides as a reference to secure a network or platform will cover 90+% of anything that would come up in a HIPAA, PCI, or SOX audit.
Finally, an update (well, sort of) to the Cisco TACACS server for Windows that was provided here. The first version provided on this site was compiled from the original 4.0.4 Cisco version of tac_plus.
This version is actually based on 4.03, but has many added features that don’t exist in the 4.0.4 Cisco release. The version given to this particular code distribution is F4.0.3.alpha-9a.
It runs just like the other version (yes, with all the same quirks as well), with additional options available to you.
When designing a robust network, the requirement that should make the top of the list is redundancy. Most of the time, this is pretty easy. When linking switches together, connect multiple links. When connecting servers to the network, using multiple network adapters with teaming is the norm. Connecting more than one interface on a router for redundancy is usually a little different. Most of the time, you would take two interfaces on a router, assign an IP network to each, and use a routing protocol to interact with the other connected routers for link selection. However, there are some router-type devices that don’t perform routing functions.
IOS devices functioning as some type of gateway come to mind as devices that won’t route traffic, yet network redundancy to the device is still desired. In this example, a Cisco VG224 is used in a network to provide dial tone to analog devices over an IP network. The VG224 gateway has multiple interfaces and does have the ability to run a routing protocol for reachability, but that would be considered a bloated solution just to provide redundant network connections to the device.
In this example, we will accomplish network link redundancy by using a feature called Integrated Routing and Bridging, or IRB for short. In an IRB configuration, multiple physical interfaces are assigned to a common bridge group. The two interfaces then form a bridge that communicates with a bridge virtual interface (BVI). The device IP address then gets assigned to the virtual interface.
Cisco IOS Software Modularity is available for the two newest Supervisor modules, the Sup720 and Sup32, which go into the Cisco 6500 series platform. Basically, by using the modular IOS, the switch runs more efficiently. This is accomplished by splitting up major components inside the IOS into separate subsystems, which run in different processes. The modularity also allows patching portions of the IOS without having to install an entirely new IOS. Think about this: how many times have you installed a new IOS image to fix a specific bug, only for the new software to cause a problem in another area that was previously not broken? Now, fixing issues by only patching the part of the software with a problem helps ensure the rest of the device’s operation will continue as it did in the past.
A new feature that comes along with the modular image is the inclusion of Cisco Embedded Event Manager (EEM). This feature allows the EEM process to ‘catch’ a defined event and then spawn an action from that raised event. For example, the device can generate and send an email when the CPU goes over a certain percentage for a period that is longer than a defined threshold. The engine behind this functionality is controlled using the Python scripting language. Using Python to write these embedded event handlers provides some powerful capabilities at your fingertips.
In the previous article, Running commands on a Cisco device from the Windows command line, I wrote about how to run commands from the Windows command line against a Cisco device. The article was based on using the Unix utility rsh, aka Remote Shell. The biggest downfall of using rsh is the security issues around the protocol. How about another method of doing the same thing, but using a more secure process?
Anyone who has worked around any network device knows about PuTTY. It is one of the greatest gifts given to a network/system administrator. One of the biggest reasons behind the popularity of this program is the cost, which is *free*… Add tons and tons of functionality on top of that and you have yourself a winner for one of the greatest proggies of all time! PuTTY has a sister program called plink. Like PuTTY, plink is a standalone executable that is capable of accessing remote devices using telnet or ssh. Plink is basically used in place of PuTTY when you want the input/output of the program to use STDIN/STDOUT. So, for example, you can open a command prompt, invoke plink and connect to a device. The interaction with the session will look just as it would when using telnet.exe from the XP/Vista command line. One of the features of plink is that it can share the saved sessions created in PuTTY. By default, PuTTY will use the Windows registry to store saved connection information. However, the configuration can be changed to store the sessions in the local file system.
In this initial example, let’s configure a router to accept an incoming ssh connection with a locally defined username/password combination. The basic IOS configuration to accomplish this task will look like the following:
The addition of USB ports on the newer Cisco routers has made it much easier to load IOS upgrades in staging areas, where equipment is being configured prior to being installed. In the past, having a PC either directly connected to the staging equipment or plugged into the same network as the device was the way to upgrade the IOS using tftp. Sometimes that staging area is a cubicle, which causes a hassle if there isn’t a dedicated PC available for upgrades, because it means unhooking your primary PC from the network (which is the same PC needed to download all the software upgrades from cisco.com).
I have one USB thumb drive that is used strictly for Cisco gear. First I started with a 256Mb freebie that came from a vendor and inserted it into a 2811 router that was up and running. The flash was then formatted from the router to ensure there would be no issues with the filesystem when using it in future Cisco devices.
Router#format usbflash1:
Format operation may take a while. Continue? [confirm]
Format operation will destroy all data in "usbflash1:". Continue? [confirm]
Format: Drive communication & 1st Sector Write OK...
Format: All system sectors written. OK...
Format: Total data sectors in formatted partition: 511435
Format: Total data bytes in formatted partition: 261854720
Format: Operation completed successfully.
Format of usbflash1 complete
Router#
Network Drawing:

Router Platform(s): 7200, 3600
IOS Version: 12.4(11)T1, 12.4(18)
IOS Feature Set: Service Provider, Enterprise
IOS File Name: c7200-spservicesk9-mz.124-11.T1.bin, c3640-js-mz.124-18.uncompressed.bin
idlepc: 0x61280c1c, 0x60428c4c
IOS Image Uncompressed before use: Yes, Yes
IOS Memory Requirements: 256Mb, 128Mb
Average Dynamips.exe CPU Utilization: 30%
To increase bandwidth on a given Cisco network device, etherchannel technology is typically used. In most scenarios, etherchannel is used between two switches to provide additional bandwidth to the uplink connections. In less common instances, network cards in servers that have drivers supporting the proprietary technology will be configured for etherchannel. The requirement is usually to increase the bandwidth available on a link between two devices.
Etherchannel has not been used nearly as much for requirements such as redundancy, because of a limitation: every interface that belongs to an etherchannel group has to be plugged into the same switch. The stackable 3750 switches have allowed a little more redundancy, in the sense that you can have two switches stacked via the StackWise ports in the back of the switch, which basically extends the backplane. By doing this, you are allowed to have an etherchannel interface plugged into two different switches (as long as they are stacked). Let’s take a look at an example diagram for clarification:

Let’s take a look at the router configuration to accomplish the task of adding bandwidth.
There are scenarios where it would be desirable for a host or group of hosts to take a different route through the network than what is considered the normal path. Consider this as creating a detour of sorts, forcing an alternate route to the destination. This can be accomplished on a selective basis, by picking out certain hosts to apply the detour to without changing the course of other hosts on the same network.
The solution in this scenario is to use something called policy based routing:

