CCNP ISCW Notes

1 Apr 2008

Chapter 19: Securing Administrative Access

Security Measures

Login Limitations

Example base Authentication, Authorization and Accounting (AAA) configuration:

Router(config)# aaa new-model
Router(config)# aaa authentication attempts login 5
Router(config)# aaa authentication login default local

Authentication failure logging generates a syslog message after a number of failed attempts within one minute, and prevents future logins for 15 seconds:

Router(config)# security authentication failure rate <attempts> log

Login blocking:

Router(config)# login block-for <seconds> attempts <number> within <seconds>

Failed login delay:

Router(config)# login delay <seconds>

Success and failure logging:

Router(config)# login on-success log
Router(config)# login on-failure log

Quiet mode (entered when login block-for triggers) can reference an access class matching sources that remain exempt from the login block:

Router(config)# login quiet-mode access-class <ACL>

Login restrictions can be viewed with show login.

Line Protections

An access-class can be applied to restrict logins to permitted sources:

Router(config)# line vty 0 15
Router(config-line)# access-class 10 in

An idle timeout can be enforced:

Router(config-line)# exec-timeout <minutes> [<seconds>]

Setting the exec-timeout to 0 disables the idle timer.

Minimum Password Lengths

Router(config)# security passwords min-length <characters>

Password Encryption

Router(config)# service password-encryption

Banners

A message of the day (MOTD) banner can be defined to advertise policy:

Router(config)# banner motd #
*** Unauthorized users will be shot. ***
#

Custom Privilege Levels

There are 16 privilege levels (0 through 15).

Level 0 is user mode, level 15 is privileged mode, and levels 1 through 14 are customizable.

Router(config)# privilege <mode> level <level> <command>
Router(config)# enable secret level <level> <password>

Role-based CLI

Role-based CLI assigns users to views (sets of permitted commands) rather than a privilege level, and a user can belong to multiple views.

Router(config)# parser view <name>
Router(config-view)# secret <password>
Router(config-view)# commands <type> {include | exclude | include-exclusive} {<line> | all}

Router# enable view <name>

Superviews link individual views:

Router(config)# parser view <name> superview
Router(config-view)# secret <password>
Router(config-view)# view <name>

Mitigating Physical Access

Password recovery can be disabled to prevent someone with physical access to a device from rebooting into ROMMON:

Router(config)# no service password-recovery
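The settings covered under Login Limitations, Line Protections, Password Encryption and Mitigating Physical Access above can be checked for in an exported running-config rather than by eye. The script below is an added example, not part of the original notes or of Cisco IOS; the sample configuration it audits is constructed for illustration, and the check names and messages are my own.

```python
"""Audit a Cisco IOS running-config for the administrative-access controls
described in these notes (aaa new-model, login block-for, failure logging,
service password-encryption, minimum password length, password recovery
disabled, vty access-class, and exec-timeout 0)."""
import re

# Constructed sample running-config (not captured from a real device).
# It deliberately omits "security passwords min-length" and leaves one
# vty range without an access-class and with the idle timer disabled.
SAMPLE_CONFIG = """\
!
service password-encryption
no service password-recovery
aaa new-model
aaa authentication attempts login 5
aaa authentication login default local
login block-for 120 attempts 3 within 60
login delay 2
login on-failure log
login quiet-mode access-class 99
!
line con 0
 exec-timeout 0 0
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
line vty 5 15
 exec-timeout 0 0
!
"""

# Top-level commands that should be present, keyed by command prefix.
GLOBAL_CHECKS = {
    "aaa new-model": "AAA is not enabled",
    "login block-for": "no login block-for (brute-force lockout) configured",
    "login on-failure log": "failed logins are not logged",
    "service password-encryption": "line passwords are stored in clear text",
    "security passwords min-length": "no minimum password length enforced",
    "no service password-recovery": "password recovery (ROMMON) is still enabled",
}


def parse_lines(config):
    """Return {"line vty 0 4": [sub-commands], ...} for each 'line' block.

    Sub-commands are the indented lines following a 'line ...' command;
    any non-indented command ends the current block."""
    blocks = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        else:
            current = None
    return blocks


def audit(config):
    """Return a list of finding strings; an empty list means every check passed."""
    findings = []
    top_level = {l.strip() for l in config.splitlines() if not l.startswith(" ")}
    for prefix, message in GLOBAL_CHECKS.items():
        if not any(cmd.startswith(prefix) for cmd in top_level):
            findings.append(f"global: {message}")

    for name, cmds in parse_lines(config).items():
        if not name.startswith("line vty"):
            continue  # console lines are covered by physical-access controls
        if not any(c.startswith("access-class") for c in cmds):
            findings.append(f"{name}: no access-class restricting login sources")
        for c in cmds:
            m = re.match(r"exec-timeout (\d+)(?: (\d+))?$", c)
            # "exec-timeout 0" or "exec-timeout 0 0" disables the idle timer
            if m and int(m.group(1)) == 0 and int(m.group(2) or 0) == 0:
                findings.append(f"{name}: exec-timeout 0 disables the idle timer")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against a saved `show running-config`, the script lists each missing global control once and each offending vty range separately, so the fix maps directly onto the commands in the sections above. Any per-line command it does not know about is ignored rather than flagged.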

Gerard Metoho-Eke commented on 11 Sep 2008 at 7:24 a.m.

One of the best summaries I have seen. It makes life easier and is time well spent. Good job. Gerard

sam commented on 15 Sep 2008 at 3:18 a.m.

nice work
