It is important to ensure the security of management traffic between a network device and the remote host used to manage it.

SSH

Telnet is commonly used to remotely manage Cisco devices, but it is inherently insecure: every Telnet message is sent in plain text, including configuration commands and even the usernames and passwords contained in those commands. All an attacker has to do is sniff this communication and he owns your network. Once your network devices are compromised, they can be used as a launching pad for attacking more interesting systems such as servers.

One effective alternative to this inherent lack of security in Telnet is the Secure Shell (SSH) protocol. SSH uses secure tunnels established over an insecure network to exchange information. SSH is a client-server application, and a Cisco device can be configured to act as both an SSH server and an SSH client. A Cisco device is usually configured as an SSH server, however, to accept incoming SSH connections from a remote management station. SSH has two major versions, referred to as SSH-1 and SSH-2. The standard TCP port 22 has been assigned to SSH, and SSH servers listen on this port for incoming connections.

Just like Telnet, you can use SSH to remotely connect to a Cisco device and enter IOS commands or copy files over the network, but because SSH encrypts its messages the communication is secure. PuTTY is a popular free Telnet/SSH client available for both Windows and Linux.

A Cisco router has to be configured with a hostname and a domain name before the initial SSH configuration. The configuration goes something like this:

Router>enable
Router#configure terminal
Router(config)#hostname R1
R1(config)#ip domain-name certificationkits.com
R1(config)#crypto key generate rsa modulus 512

SSH also has to be enabled on the vty lines before the router starts accepting SSH connections for remote management:

R1(config)#line vty 0 4
R1(config-line)#transport input ssh
R1(config-line)#end
R1#
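Hardening the SSH service beyond the page's minimum, as an added example in running-config style (not the page's own configuration; the MGMT-HOSTS ACL, the netadmin account and the 10.1.1.0/24 management network are placeholders). It forces SSH version 2, which IOS only permits with an RSA modulus of at least 768 bits, so the key is regenerated at 2048 bits here.

```cisco
! Regenerate the key pair at a size IOS accepts for SSH version 2
crypto key generate rsa modulus 2048
!
! Refuse SSH-1 clients and limit how long an unauthenticated session may hang around
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Local account used by "login local" on the vty lines (placeholder password)
username netadmin privilege 15 secret <strong-password>
!
! Only the management subnet may open a vty session; other attempts are logged
ip access-list standard MGMT-HOSTS
 permit 10.1.1.0 0.0.0.255
 deny   any log
!
line vty 0 4
 login local
 transport input ssh
 access-class MGMT-HOSTS in
 exec-timeout 10 0
!
! Verification: version 2.0 and the key size should appear in the output
show ip ssh
```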

SNMP

Simple Network Management Protocol (SNMP) is used by enterprises to manage and monitor large numbers of network devices. Its uses range from monitoring and generating alerts to device configuration.

There are three main versions of SNMP:

  • Version 1: This version is defined in RFC 1157 and uses simple security based on SNMP communities.
  • Version 2c: This version is defined in RFCs 1901, 1905, and 1906 and also uses community-based security.
  • Version 3: This version is defined in RFCs 3413 through 3415 and introduces a new security model supporting message integrity, authentication, and encryption.

The community-based security model used by SNMP versions 1 and 2c is a known security weakness because it provides neither encryption nor real authentication: a simple community name is all that protects the device. Configuring SNMP version 3 is more complex, but it should be preferred for its stronger security, especially when management traffic has to cross untrusted networks.
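The weak community-based setting beside its SNMPv3 replacement, as an added example (not the page's own configuration; the NETMON group, the monitor user, the MGMT-HOSTS ACL and the 10.1.1.x addresses are placeholders, and the passwords must be replaced).

```cisco
! Weak: SNMPv2c with a guessable community; any host that can reach the
! device can read its entire MIB with no authentication and no encryption
snmp-server community public RO
!
! Hardened replacement: remove the community and use SNMPv3 authPriv
no snmp-server community public
!
! Restrict which hosts may poll at all
ip access-list standard MGMT-HOSTS
 permit 10.1.1.0 0.0.0.255
!
! Read-only view, a group that requires authentication AND encryption (priv),
! and a user with SHA authentication and AES-128 privacy
snmp-server view MGMT-VIEW iso included
snmp-server group NETMON v3 priv read MGMT-VIEW access MGMT-HOSTS
snmp-server user monitor NETMON v3 auth sha <auth-password> priv aes 128 <priv-password>
!
! Traps to the management station are sent as SNMPv3 authPriv as well
snmp-server host 10.1.1.20 version 3 priv monitor
snmp-server enable traps
!
! Verification
show snmp user
show snmp group
```

Note that snmp-server user entries are not displayed by show running-config; show snmp user is the way to confirm the user exists and which group and security level it has.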

Syslog

Syslog is a method of collecting system messages from Cisco devices on a system running a syslog server. Sending all system messages to a central syslog server helps in aggregating logs and alerts. Cisco devices can send their logging messages to a Unix-like syslog service, which simply accepts log messages and stores them in files or prints them according to a configuration file. Syslog uses UDP as its transport protocol and listens on port 512. This form of logging is the best available for Cisco devices because it provides external long-term storage of logs, and that external storage is valuable in incident handling when a device is compromised or crashes.

These logs are also useful in routine maintenance, and the timestamp on each log message provides an accurate chronological record of important events on your Cisco device. For these timestamps to be meaningful, however, the clocks on your network devices must be accurate and synchronized to the same source. Network Time Protocol (NTP) is typically used to ensure that the timing information in syslog messages is accurate: network devices use NTP to synchronize their clocks to a central, accurate source of time.

Network Time Protocol (NTP)

Network Time Protocol (NTP) is used to synchronize the clock on a Cisco device. NTP usually gets its time from an accurate and trusted time source, such as a radio clock or an atomic clock attached to a time server. NTP is a client-server protocol and uses UDP port 123 as both the source and destination port. NTP communications can be secured with an authentication mechanism based on the MD5 algorithm.

NTP is absolutely essential for syslog because it keeps the timing information accurate: the timestamps on syslog messages must be correct for the logs to be useful in troubleshooting or incident handling. The Cisco IOS ntp command is used in global configuration mode for all NTP-related configuration.
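Syslog and NTP configured together, as an added example covering both the Syslog and the NTP sections above (not the page's own configuration; the Loopback0 source interface, the 10.1.1.30 time server, the 10.1.1.40 collector and the key value are placeholders). Until the clock is synchronized, IOS prefixes every log timestamp with an asterisk, so show ntp status is the check that the timestamps can be trusted.

```cisco
! Put a full, millisecond-resolution timestamp with time zone on every message
service timestamps log datetime msec localtime show-timezone year
clock timezone UTC 0 0
!
! Authenticated NTP (MD5 key) so an unauthenticated source cannot skew the clock
ntp authenticate
ntp authentication-key 1 md5 <ntp-key>
ntp trusted-key 1
ntp server 10.1.1.30 key 1 prefer
ntp source Loopback0
!
! Keep a local buffer and forward level 6 (informational) and above to the collector
logging buffered 32768 informational
logging trap informational
logging source-interface Loopback0
logging origin-id hostname
logging host 10.1.1.40
!
! Verification: "synchronized" in the NTP status, and no "*" before timestamps
show ntp status
show logging
```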