Secure network management requires securing each and every device. At the very least, use password protection and some basic configuration options such as NTP, SNMP, SCP, and SSH.
- [Narrator] Organizational security is a holistic approach, which requires monitoring all attack vectors and staying abreast of current threats. The security analyst oversees the entire organization, which includes the network, administrative policies, applications, services, along with the human factor. The network administrator monitors the network domain, which in itself is very complex.
For a proactive approach, a comprehensive view of the network is necessary. Gather and monitor access control lists, protocols, services, routing tables, vulnerabilities, and patches. Assess what you might be missing, such as logins, banners, passwords, and access control list entries. Baseline each subnetwork on an annual basis to get a clear picture of what is happening, and use network maps with hard copy printouts for easy reference.
With a macro view of the network in hand, the network administrator is better prepared to face the daily challenges and keep the network up and operational. At the heart of network administration is secure network management. Although we view the network as a whole, we must secure each and every individual device, either via console or virtual terminal access. Let's look at some common security features and best practices.
Most modern devices have a number of built-in security features. The network administrator should familiarize themselves with all available features, along with how to activate and monitor the features. One of the most basic configuration options is to use a complex password along with a secured enabled password. I'm in Packet Tracer and let's do a couple of password enabled.
I'm going to use Cisco for my password, just to keep it simple, although of course on a production system, you're going to use something more complex. (typing) Now that's simply entering a password, Cisco, but keep in mind, protocol analyzers can sniff network traffic and read passwords that are in plain text. So we want to increase security by encrypting passwords, so I'll type the following in global config mode.
Now let's use a password on the VTY lines. (typing) Finally, it's a good idea to set timeout values on your VTY lines so that idle sessions won't remain up indefinitely.
Now let's check our work by showing run config. (typing) Alright, there we can see the encrypted password, and the password for our VTY lines. The network administrator should configure several standard services, such as Network Time Protocol, Simple Network Management Protocol, Secure Copy Protocol, and Secure Shell.
Whatever protocols or services the network administrator selects, it's important to use the most secure version that the device supports. Simple Network Management Protocol gathers and reports information on the status of the network. Configure for remote management along with remote alerts such as traps or informs. In the early days of networking, the network administrator used Telnet, or Terminal Network, to access a command line interface on a device.
Telnet is not secure as it sends data in plain text. To securely access and manage a device, we use Secure Shell, which uses encryption to protect data in transit. Time values skew throughout the course of the day. Even a few seconds will make a difference. So it's best to use a method to update the time value. Configure network time protocols, so all devices have synchronized and accurate time values.
Because time is so important, it's best to use Network Time Protocol authentication so devices do not get rogue time values. For many years, network administrators would use Trivial File Transfer Protocol, an unauthenticated, unsecured plain text file transfer method. The method of choice is Secure Copy Protocol, which uses Secure Shell for data transport, and it's just as easy to use. We can also configure advanced security methods, such as authentication, authorization, and accounting, using either RADIUS or TACACS+, but at the very least, start with basic security configurations, and use password protection.
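As an added example (not shown in the video), the baseline items the narration names can be checked offline against saved `show running-config` output. The sample configuration and the finding IDs are constructed for illustration, and only settings that appear explicitly in the configuration are evaluated.

```python
import re

# Constructed sample running-config (not taken from the video).
SAMPLE_CONFIG = """\
enable password cisco
!
ntp server 192.0.2.10
!
line vty 0 4
 exec-timeout 0 0
 password cisco
 login
 transport input telnet
!
end
"""

def vty_blocks(config):
    """Return the indented sub-commands of each 'line vty' section."""
    blocks, current = [], None
    for line in config.splitlines():
        if line.startswith("line vty"):
            current = []
            blocks.append(current)
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None
    return blocks

def audit(config):
    """Return sorted finding IDs for the baseline described in the narration."""
    lines = [l.strip() for l in config.splitlines()]
    findings = set()
    if not any(l.startswith("enable secret ") for l in lines):
        findings.add("no-enable-secret")
    if "service password-encryption" not in lines:
        findings.add("passwords-not-encrypted")
    if any(l.startswith("ntp server ") for l in lines) and "ntp authenticate" not in lines:
        findings.add("ntp-unauthenticated")
    for block in vty_blocks(config):
        for cmd in block:
            # "exec-timeout 0 0" (or "exec-timeout 0") disables the idle timeout.
            m = re.fullmatch(r"exec-timeout (\d+)(?: (\d+))?", cmd)
            if m and int(m.group(1)) == 0 and int(m.group(2) or 0) == 0:
                findings.add("vty-idle-timeout-disabled")
            if cmd.startswith("transport input ") and {"telnet", "all"} & set(cmd.split()[2:]):
                findings.add("vty-telnet-allowed")
    return sorted(findings)
```

Calling `audit(SAMPLE_CONFIG)` returns all five findings; a configuration with `enable secret`, `service password-encryption`, `ntp authenticate`, a non-zero `exec-timeout` and `transport input ssh` returns an empty list.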