CCNAS V1.2 Chapter 02 Securing Network Devices

Securing outgoing network traffic and scrutinizing incoming traffic are critical aspects of network security. Securing the edge router, which connects to the outside network, is an important first step in securing the network.

Device hardening is a critical task when securing the network. It involves implementing proven methods for physically securing the router and protecting the router’s administrative access using the Cisco IOS command-line interface (CLI) and the Cisco Configuration Professional (CCP). Some of these methods involve securing administrative access, including maintaining passwords, configuring enhanced virtual login features, and implementing Secure Shell (SSH). Because not all information technology personnel should have the same level of access to the infrastructure devices, defining administrative roles in terms of access is another important aspect of securing infrastructure devices.

Securing the management and reporting features of Cisco IOS devices is also important. Recommended practices for securing syslog, using Simple Network Management Protocol (SNMP), and configuring Network Time Protocol (NTP) are examined.

Many router services are enabled by default. A number of these features are enabled for historical reasons, but are no longer required today. This chapter discusses some of these services and examines router configurations with the Security Audit feature of CCP. This chapter also examines the One-Step Lockdown mode of the CCP Security Audit and the auto secure command, which can be used to automate device-hardening tasks.