ISCW10S05L03路由器安全与访问管理.ppt

Cisco Device Hardening Securing Cisco Router Installations and Administrative Access Configuring Router Passwords A console is a terminal connected to a router console port. The terminal can be a dumb terminal or a PC with terminal emulation software. Password Creation Rules Passwords can be 1 to 25 characters in length. Passwords can include: Alphanumeric characters Uppercase and lowercase characters Symbols and spaces Passwords cannot have a number as the first character. Password-leading spaces are ignored, but any spaces after the first character are not ignored. Change passwords. Initial Configuration Dialog Configure the Line-Level Password Password Minimum Length Enforcement Encrypting Passwords Using theservice password-encryption Command Enhanced Username Password Security Securing ROMMON with theno password-recovery Command Authentication Failure Rate with Login Setting a Login Failure Blocking Period Excluding Addresses from Login Blocking Setting a Login Delay Verifying Login Setting Timeouts for Router Lines Setting Multiple Privilege Levels Configuring Banner Messages Role-Based CLI Overview Traditional approach of limiting CLI access based on privilege levels and enable passwords provided too little control: No access control to specific interfaces Commands placed on a higher privilege level could not be reused for lower-privileged users CLI views provide more granular control. CLI views include accessible commands and interfaces. Access to a view is protected with a secret. Views can be grouped to superviews to create large sets of accessible commands and interfaces. Role-Based CLI Details Root view is the highest administrative view. Creating and modifying a view or superview is possible only from root view. The difference between root view and privilege 15 is that only a rootview user can create or modify views and superviews. CLI views require AAA new-model: Necessary even with local view authentication View authentication can be offloaded t