David’s Cisco Networking Blog:

Security

Jun 30 2008   8:50AM GMT

How to properly secure your Cisco router with passwords



Posted by: David Davis
Cisco, Password

Just published, my most recent article covers, step by step, how to secure your Cisco router using passwords. I start off with the different levels of the Cisco IOS and the different passwords that are available. Then, I move on to show you exactly how to configure passwords in the Cisco IOS to secure your router. This is already a very popular article and it has only been released in the last few days.

To read the full article, please visit: How to properly secure your Cisco router with passwords

May 29 2008   7:27PM GMT

Learn how Train Signal’s FREE Training website can help you



Posted by: David Davis
Microsoft Windows, Windows Server 2008, CCNA, Certifications, Cisco, Windows Security, VMware, Videos

Train Signal makes some excellent video training products (covering Windows 2008, Cisco, and much more) but I want to take a second to talk about their sister site - Train Signal Training.com (called TST).

At Train Signal Training, they have a lot of experts who make daily blog posts covering all sorts of Windows, Microsoft Office, and Cisco networking topics. For example, there are tips on how to get a networking job, tips on how to do an address label merge in Word 2007, and many more. What is most impressive is how their writers deliver these real-world and very useful tips.

Please take a second to check out Train Signal Training and sign up for their free newsletter or RSS feed.


May 29 2008   7:20PM GMT

Introduction to the Petri IT Knowledgebase - www.petri.co.il



Posted by: David Davis
Windows Server 2008, CCNA, CCNP, Certifications, Cisco, Windows Security

Have you used the Petri IT Knowledgebase? This website is an excellent source for all sorts of Windows, Cisco, Virtualization, CompTIA, and Wireless HOW-TO information. On this site, you will find over 1000 articles covering Windows Vista, Server 2008, Server 2003, Cisco networking, VMware Virtualization, and so much more. Additionally, there are forums filled with thousands of messages and many experts are available to answer technical questions. To check it out, use the link above and if you are looking for Cisco-specific articles, check out the Petri Cisco index.


May 29 2008   7:07PM GMT

How to configure a Cisco IOS Router to use Windows AD Authentication



Posted by: David Davis
Cisco, Network Management, Security, Password

Why have a separate username/password database on every router? What a pain it is to keep separate accounts to log in to all the routers and switches. And what if you want to change the “root” password? Do you have to go to EVERY router and switch to make the change?

Not anymore… Why not use Windows Active Directory (AD) as the username/password database for all your routers & switches? This is very easy to configure. In fact, in my article How to configure the Cisco IOS to use Windows AD Authentication, you will find out how to do it, step by step. Check it out!


May 28 2008   8:39PM GMT

Cisco - the Security Company of the year?



Posted by: David Davis
Cisco, Security

I know, I know, could it be true? Could Cisco be chosen as the computer security company of the year? Or has the ISSA just been watching too many Cisco commercials?

Well, it is hard to say. Don’t get me wrong, I love Cisco hardware. It is rock solid. However, there are a lot of security companies out there and, comparatively, Cisco’s solutions aren’t the strongest, at least in my opinion.

Nevertheless, they didn’t ask me, and ISSA has chosen Cisco Systems as the “2007 Security Organization of the Year”. For more information, read on…


Feb 5 2008   12:02PM GMT

Sadly, the PIX Firewall is Discontinued…



Posted by: David Davis
ASA, PIX, Networking, Cisco

What is the name that everyone thinks of when they think of firewalls? The “PIX” firewall, right?

Sadly, the PIX will be discontinued by Cisco, as of January 27, 2009. This was announced on January 28, 2008 in this Cisco Press Release. If you are a PIX owner, the good news is that Cisco will support it until the year 2013 so, no rush huh?

Of course, we all know that the PIX will be replaced by the ASA 5500 line. When the ASA was announced we all saw this coming, even though Cisco said that they had no plans to discontinue the PIX and that there was a place in the marketplace for both. Still, it just made sense to discontinue the PIX.

So can the ASA become as well known as the PIX? Instead of asking for a firewall will admins just say “we need to install an ASA”? And is it pronounced “A.S.A.” or “Aay-Sah-Uh”? Only time will tell…

But seriously, the ASA is a very strong firewall and it can do a lot of things that the PIX could not do because the ASA is a real “UTM” or “Anti-X Appliance”. That means that, when combined with the CSC-SSM card (the card that really provides the Anti-X / UTM), the ASA is a much more complete firewall. The ASA is what businesses need today because, today, it isn’t enough to just maintain TCP states and drop traffic. You need intrusion prevention. You need filtering of traffic for viruses, worms, and malicious attack signatures in real time. You want content filtering of web traffic. The ASA can do all that and more.

Do you have a Cisco ASA? What do you think of it? I’d like to hear from you! 

For more information on the Cisco ASA, check out the ASA homepage over at Cisco.com

-David
Personal Website: HappyRouter.com
Checkout David’s Video Training:
VMware ESX Server Video Training
Cisco CCNA & CCNP Video Training


Dec 10 2007   3:27PM GMT

What is Cisco TrustSec?



Posted by: David Davis
Cisco, Security

I recently read a NetworkWorld article where I learned about a new Cisco security framework called “TrustSec”. TrustSec is a new Cisco Security Framework (I know, you are saying “another one???”). The new TrustSec framework is an add-on to the Cisco Self-Defending Network.

TrustSec is “intended to determine, through policies, the role of users and devices in the network before granting access to resources.”

Bob Gleichauf, CTO of Cisco’s Security Technology Group, says “We’re getting this threat defense thing down pretty good; now let’s start worrying about where we can go in the network.” And that is exactly what TrustSec does.

So what that means is that, not only are the devices connecting to the network authorized by NAC, that “authorization” stays with them as they conduct their business on the network. Once their “business” is done, they must be reauthorized to perform another “transaction” on the network. And, as they use this authorization, every switch and router is aware of who they are and their credentials.

Although I know they aren’t the same, this reminds me of Kerberos security because of the concepts of the “ticket” and the “ticket granting server”, etc.

TrustSec is set to be available for Cisco Catalyst 6500 switches in early 2008 and, over the next 18 months, it is supposed to be available for the entire switch lineup.

What do you think of this concept? Please post your comments here!
-David
Personal Website: HappyRouter.com - home of Cisco how-to articles & videos
David Recommends:
HappyRouter Cisco VMware Workstation & Server Video Training Series
HappyRouter Cisco CCNA & CCNP Video Training Series


Dec 6 2007   5:00AM GMT

Tracking Configuration Changes with the Cisco IOS - Built in! - using the Archive command



Posted by: David Davis
Networking, Cisco, Security

If you are a semi-paranoid admin like me, perhaps you have used (or have wanted to use) applications like Tripwire and Kiwi CatTools to log all Cisco IOS configuration changes.

However, maybe we don’t need external tools. Have you seen the Configuration Change Notification and Logging feature?

It has been available since IOS 12.3(4)T/12.2(25)S (it has really gone mainstream in 12.4).

For each configuration command that is executed, the following information will be logged:

• The command that was executed
• The configuration mode in which the command was executed
• The name of the user that executed the command
• The time at which the command was executed
• A configuration change sequence number
• Parser return codes for the command

Here is a sample of how you configure it:

Router(config)# archive
Router(config-archive)# log config (enters config logging mode)
Router(config-archive-log-config)# logging enable (turns on running config change logging)
Router(config-archive-log-config)# logging size 500 (remembers the last 500 commands entered - 100 are default)
Router(config-archive-log-config)# hidekeys (hides passwords from being shown / logged)
Router(config-archive-log-config)# notify syslog (optional - exports changes to syslog server)

Here is an example of what the logging looks like in action:
CH_NAME_RTR# show archive log config all
idx sess user@line Logged command
1 1 david@vty0 | logging enable
2 1 david@vty0 | logging size 200
3 2 david@vty0 |hostname CH_NAME_RTR
4 2 david@vty0 |enable secret ***** (this is hidden because of hidekeys command)
5 2 david@vty0 |interface FastEthernet0/0
6 2 david@vty0 | bandwidth 100000
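The value of this log is in reviewing it. As an added example (my own code, not part of the IOS feature or the original post), here is a small Python script that parses the text of “show archive log config all” into records and flags the entries a reviewer would want to look at first: credential changes, and anyone turning the change logging itself off. The sample output is constructed to match the format shown above, with one extra hypothetical session (user “contractor” on vty1) added to show a flagged entry.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the 'show archive log config all' output above.
# The last line (session 3, user 'contractor') is a hypothetical addition.
SAMPLE_OUTPUT = """\
CH_NAME_RTR# show archive log config all
idx sess user@line Logged command
1 1 david@vty0 | logging enable
2 1 david@vty0 | logging size 200
3 2 david@vty0 |hostname CH_NAME_RTR
4 2 david@vty0 |enable secret *****
5 2 david@vty0 |interface FastEthernet0/0
6 2 david@vty0 | bandwidth 100000
7 3 contractor@vty1 |no logging enable
"""


@dataclass
class ConfigChange:
    idx: int        # change sequence number
    session: int    # configuration session id
    user: str       # who typed the command
    line: str       # which line (vty0, con0, ...) they were on
    command: str    # the logged command, with hidekeys masking already applied


# idx, session, user@line, then '|' followed by the command (IOS indents nested commands)
LINE_RE = re.compile(r'^(\d+)\s+(\d+)\s+(\S+)@(\S+)\s*\|\s*(.*)$')


def parse_archive_log(text):
    """Turn the raw show output into ConfigChange records, skipping prompt and header lines."""
    changes = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        idx, sess, user, line, cmd = m.groups()
        changes.append(ConfigChange(int(idx), int(sess), user, line, cmd.strip()))
    return changes


# Commands a reviewer would want highlighted; the list is an assumption for this example.
SENSITIVE = [
    (re.compile(r'^(enable (secret|password)|username )', re.I), "credential change"),
    (re.compile(r'^no (logging enable|hidekeys|notify syslog)$', re.I), "change logging weakened"),
    (re.compile(r'^(no )?aaa ', re.I), "AAA change"),
    (re.compile(r'^(no )?(ip )?access-list', re.I), "ACL change"),
]


def flag_sensitive(changes):
    """Return (idx, user, reason, command) for every change matching a sensitive pattern."""
    findings = []
    for c in changes:
        for pat, reason in SENSITIVE:
            if pat.search(c.command):
                findings.append((c.idx, c.user, reason, c.command))
                break
    return findings


def sessions_by_user(changes):
    """Map each user to the set of config sessions they opened, to spot unexpected operators."""
    out = {}
    for c in changes:
        out.setdefault(c.user, set()).add(c.session)
    return out


if __name__ == "__main__":
    parsed = parse_archive_log(SAMPLE_OUTPUT)
    for finding in flag_sensitive(parsed):
        print(finding)
    print(sessions_by_user(parsed))
```

Feed it the output of the show command captured over SSH (or the syslog messages produced by “notify syslog”, after trimming the syslog prefix) and the same parser applies; the patterns in SENSITIVE are a starting point you would tune to your own environment.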

-David
Personal Website: HappyRouter.com - home of Cisco how-to articles & videos
David Recommends:
HappyRouter Cisco VMware Workstation & Server Video Training Series
HappyRouter Cisco CCNA & CCNP Video Training Series


Nov 21 2007   9:37PM GMT

Time for a Security Review!



Posted by: David Davis
Cisco, Security

This week, it was announced that the Monster.com website was attacked by Hackers (for more info see “Hackers jack Monster.com, infect job hunters“).

This, once again, reminds me that every one of us who is responsible for a network should take some time and review our network security. Hey - why not make it a New Year’s Resolution?

If you aren’t familiar with the Cisco IOS but want to review your security, here are some links to consider (all articles or videos that I have written):

VIDEO: Harden your Cisco Router with IOS ACLs
How to Configure Passwords to Secure your Cisco Router
Configure SSH on your Cisco router
How to be notified when your Cisco router configuration has changed
Cisco - Improving Security on Cisco Routers

And, finally, one more (not by me):
NSA Router Security Configuration Guide

All the Best to You,

David


Nov 9 2007   6:40PM GMT

How do you reset your lost Router or Switch password?



Posted by: David Davis
Cisco, Password, CCNA

Just as with the Windows OS, one of the most frequent questions from new Cisco router or switch users is “how do I reset my lost IOS password”? Perhaps you inherited an old router from another network admin. Perhaps you bought your router on eBay. Or perhaps you just plain forgot what the password was for the router.

Now, you cannot get into the IOS. What do you do?

This involves changing the configuration register to 0x2142, rebooting, recovering or changing the password, and changing the configuration register back to 0x2102.

Instead of telling you HOW to do it, better yet, I would like to SHOW you how to do it.

I created a 10 minute video on my website where I SHOW you how to reset your lost router or switch password. I have gotten a ton of positive reviews on this video with many people saying it “saved their day”. I hope it helps you out too!

-David
Personal Website: HappyRouter.com - home of Cisco how-to articles & videos
David Recommends:
HappyRouter Cisco VMware Workstation & Server Video Training Series
HappyRouter Cisco CCNA & CCNP Video Training Series