Router With Cisco Auto Secure


Cisco AutoSecure uses a single command to disable non-essential system processes and services, eliminating potential security threats. You can configure AutoSecure in privileged EXEC mode using the auto secure command in one of these two modes:

Interactive mode - This mode prompts you with options to enable and disable services and other security features. This is the default mode.
Non-interactive mode - This mode automatically executes the auto secure command with the recommended Cisco default settings. This mode is enabled with the no-interact keyword.

Perform AutoSecure on a Cisco Router
The screen output shows partial output from a Cisco AutoSecure configuration. To start the process of securing a router, issue the auto secure command. Cisco AutoSecure will prompt you for a number of items, including:
Interface specifics
Banners
Passwords
SSH
IOS firewall features
Note: The Cisco Router and Security Device Manager (SDM) provides a feature similar to the Cisco AutoSecure command. This feature is described in the "Using Cisco SDM" section.

Cisco SDM Overview:
What is Cisco SDM?
The Cisco Router and Security Device Manager (SDM) is an easy-to-use, web-based device-management tool designed for configuring LAN, WAN, and security features on Cisco IOS software-based routers.
The interface helps network administrators of small- to medium-sized businesses perform day-to-day operations. It provides easy-to-use smart wizards, automates router security management, and assists through comprehensive online help and tutorials.
Cisco SDM supports a wide range of Cisco IOS software releases. It ships preinstalled by default on all new Cisco integrated services routers. If it is not preinstalled, you will have to install it. The SDM files can be installed on the router, on a PC, or on both. An advantage of installing SDM on the PC is that it saves router memory and allows you to use SDM to manage other routers on the network. If Cisco SDM is preinstalled on the router, Cisco recommends using Cisco SDM to perform the initial configuration.

Cisco SDM Features:
Cisco SDM simplifies router and security configuration through the use of several intelligent wizards to enable efficient configuration of key router virtual private network (VPN) and Cisco IOS firewall parameters. This capability permits administrators to quickly and easily deploy, configure, and monitor Cisco access routers.
Cisco SDM smart wizards guide users step-by-step through router and security configuration workflow by systematically configuring LAN and WAN interfaces, firewall, IPS, and VPNs.
Cisco SDM smart wizards can intelligently detect incorrect configurations and propose fixes, such as allowing DHCP traffic through a firewall if the WAN interface is DHCP-addressed. Online help embedded within Cisco SDM contains appropriate background information, in addition to step-by-step procedures to help users enter correct data in Cisco SDM.

Starting Cisco SDM:
Cisco SDM is stored in the router flash memory. It can also be stored on a local PC. To launch Cisco SDM, use the HTTPS protocol and enter the IP address of the router in the browser. The http:// prefix can be used if SSL is not available. When the username and password dialog box appears (not shown), enter the username and password of a privileged (privilege level 15) account on the router. After the launch page appears, a signed Cisco SDM Java applet opens; it must remain open while Cisco SDM is running. Because the applet is signed, you may be prompted to accept a certificate. The certificate security alert appears in the bottom right of the figure.
Note: The sequence of login steps may vary depending on whether you run Cisco SDM from a personal computer or directly from a Cisco ISR router.

The Cisco SDM Interface:
Cisco SDM Home Page Overview
After Cisco SDM has started and you have logged in, the first page displayed is the Overview page.
This page displays the router model, total amount of memory, the versions of flash, IOS, and SDM, the hardware installed, and a summary of some security features, such as firewall status and the number of active VPN connections.

Specifically, it provides basic information about the router hardware, software, and configuration:
Menu bar - The top of the screen has a typical menu bar with File, Edit, View, Tools, and Help menu items.
Tool bar - Below the menu bar; it lists the SDM wizards and modes you can select.
Router information - The current mode is displayed on the left side under the tool bar.
Note: The menu bar, tool bar, and current mode are always displayed at the top of each screen. The other areas of the screen change based upon the mode and function you are performing.
Configuration overview - Summarizes the configuration settings. To view the running configuration, click the View Running Config button.

About Your Router Area
When you click the buttons in the figure, you will be able to see the details associated with each of the following GUI elements:
About Your Router - The area of the Cisco SDM home page that shows you basic information about the router hardware and software, and includes the following elements:
Host Name - This area shows the configured hostname for the router, which is RouterX.
Hardware - This area shows the router model number, the available and total amounts of RAM, and the amount of flash memory available.
Software - This area describes the Cisco IOS software and Cisco SDM versions running on the router.
The Feature Availability bar, found across the bottom of the About Your Router tab, shows the features available in the Cisco IOS image that the router is using. If the indicator beside a feature is green, the feature is available; if it is red, it is not available. Check marks show that the feature is configured on the router. In the figure, Cisco SDM shows that IP, firewall, VPN, IPS, and NAC are available, but only IP is configured.

Configuration Overview Area
The figure shows the configuration overview area of the Cisco SDM home page. When you click the buttons in the figure, you will be able to see the details associated with each of the following GUI elements:
Interfaces and Connections - This area displays interface- and connection-related information, including the number of connections that are up and down, the total number of LAN and WAN interfaces that are present in the router, and the number of LAN and WAN interfaces currently configured on the router. It also displays DHCP information.
Firewall Policies - This area displays firewall-related information, including if a firewall is in place, the number of trusted (inside) interfaces, untrusted (outside) interfaces, and DMZ interfaces. It also displays the name of the interface to which a firewall has been applied, whether the interface is designated as an inside or an outside interface, and if the NAT rule has been applied to this interface.
VPN - This area displays VPN-related information, including the number of active VPN connections, the number of configured site-to-site VPN connections, and the number of active VPN clients.
Routing - This area displays the number of static routes and which routing protocols are configured.

Cisco SDM Wizard:
Cisco SDM provides a number of wizards to help you configure a Cisco ISR router. Once a task is selected from the task area in the Cisco SDM GUI, the task pane allows you to select a wizard. The figure shows various Cisco SDM GUI screens for the Basic NAT wizard. NAT is discussed later, in the IP Addressing Services section of the course.
Check http://www.cisco.com/go/sdm for the latest information about the Cisco SDM wizards and the interfaces they support.

Locking Down a Router With Cisco SDM:
The Cisco SDM one-step lockdown wizard implements almost all of the security configurations that Cisco AutoSecure offers. The one-step lockdown wizard is accessed from the Configure GUI interface by clicking the Security Audit task. The one-step lockdown wizard tests your router configuration for potential security problems and automatically makes any necessary configuration changes to correct any problems found.
Do not assume that the network is secure simply because you executed a one-step lockdown. In addition, not all the features of Cisco AutoSecure are implemented in Cisco SDM. AutoSecure features that are implemented differently in Cisco SDM include the following:
Disables SNMP, and does not configure SNMP version 3.
Enables and configures SSH on crypto Cisco IOS images.
Does not enable Service Control Point or disable other access and file transfer services, such as FTP.
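Neither AutoSecure nor the one-step lockdown should be taken as proof that a router is hardened, so a practitioner typically verifies the resulting running-config. The following audit script is an added example (not Cisco's code and not part of the original post); it checks a constructed sample config for the items the AutoSecure and lockdown sections above name: encrypted passwords, SSH, a login banner, SNMP disabled, and the HTTPS plus privilege-15 account that SDM itself requires. The check names and the sample config lines are assumptions for illustration.

```python
# Audit a Cisco IOS running-config for the hardening items this page attributes
# to AutoSecure and the SDM one-step lockdown. Added example; constructed input.
import re

# Constructed sample running-config, not captured from any real router.
SAMPLE_CONFIG = """\
hostname RouterX
service password-encryption
no service finger
no ip bootp server
no cdp run
ip http secure-server
no ip http server
ip ssh version 2
username admin privilege 15 secret PLACEHOLDER-SECRET
snmp-server community public RO
banner motd ^CUnauthorized access prohibited^C
line vty 0 4
 transport input ssh
"""

# (check name, regex matched against each config line, must_be_present)
# must_be_present=False means the check passes only when no line matches.
CHECKS = [
    ("password encryption",   r"^service password-encryption$", True),
    ("SSH version 2",         r"^ip ssh version 2$", True),
    ("vty SSH-only",          r"^\s+transport input ssh$", True),
    ("login banner",          r"^banner (motd|login) ", True),
    ("priv-15 user for SDM",  r"^username \S+ privilege 15 secret ", True),
    ("HTTPS for SDM",         r"^ip http secure-server$", True),
    ("plain HTTP disabled",   r"^no ip http server$", True),
    ("SNMP disabled",         r"^snmp-server community ", False),
    ("CDP disabled",          r"^no cdp run$", True),
    ("finger disabled",       r"^no service finger$", True),
    ("bootp disabled",        r"^no ip bootp server$", True),
]

def audit(config_text):
    """Return {check name: True if the config satisfies that check}."""
    lines = config_text.splitlines()
    results = {}
    for name, pattern, must_be_present in CHECKS:
        found = any(re.match(pattern, line) for line in lines)
        results[name] = found if must_be_present else not found
    return results

def failing(config_text):
    """Names of the checks the config fails, in CHECKS order."""
    return [name for name, ok in audit(config_text).items() if not ok]
```

On the sample config every check passes except "SNMP disabled", because the read-only community string is still present, which is exactly the kind of leftover a lockdown run can miss.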
