icnd110s04l09路由器的安全特征.pptxVIP

理解CISCO路由器的安全特征 局域网互联 物理安装中常见的威胁硬件威胁环境威胁电气威胁维护威胁Configuring a Router PasswordConfiguring the Login BannerRouterX# banner login Access for authorized users only. Please enter your username and password. Defines and enables a customized banner to be displayed before the username and password login promptsTelnet vs. SSH AccessTelnetMost common access methodInsecureSSH EncryptedIP domain must be defined key must be generated!--- The username command create the username and password for the SSH sessionusername cisco password 0 ciscoip domain-namecrypto key generate rsa ip ssh version 2 line vty 0 4 login local transport input sshSummaryThe first level of security is physical.Passwords can be used to restrict access.The login banner can be used to display a message before the user is prompted for a username.Telnet sends the session traffic in cleartext; SSH encrypts the traffic. Layer 2 of 2Emphasize: The router has one enable password. Remember that this is your only protection. Whoever owns this password can do anything with the router, so be careful about communicating this password to others. To provide an additional layer of security, particularly for passwords that cross the network or are stored on a TFTP server, you can use either the enable password or enable secret commands. Both commands accomplish the same thing; that is, they allow you to establish an encrypted password that users must enter to access enable mode (the default), or any privilege level you specify. Cisco recommends that you use the enable secret command because it uses an improved encryption algorithm. Use the enable password command only if you boot an older image of the Cisco IOS software, or if you boot older boot ROMs that do not recognize the enable secret command. If you configure the enable secret password, it is used instead of the enable password, not in addition to it. Cisco supports password encryption. Turn on password encryption using the service password-encryption command. Then