A malicious user can run a sniffer on the administrator's host, or on any interface that sees the administrator's traffic, and capture the password used to log on to the Cisco router. So how can SSH be used to harden remote management of Cisco routers?
1. Security Testing
I installed a sniffer locally, logged on to the Cisco router with Telnet, then stopped the capture and decoded it. Figure 1 shows the user logging on to the router and moving from user mode to global configuration mode; the passwords entered along the way appear in plain text. Although each password is split across several packets (Telnet in character mode sends every keystroke in its own segment), an experienced attacker reassembles them without difficulty and obtains the router's logon password. Worse, every command the administrator types on the router is captured as well, so even if the administrator changes the router password and stores it encrypted in the configuration, the new password is captured the moment it is typed.
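The following Python script is an added example, not code from the original article: it replays a constructed, simplified Telnet capture (a list of client and router payloads in wire order, with Telnet option negotiation bytes included) and reassembles the keystrokes that follow each "Password:" prompt, which is exactly what a sniffer's decoder does with a real capture. The packets, the prompts and the passwords in them are made up for the demonstration.

```python
"""Reassemble a Telnet login from a packet capture, showing what a sniffer sees.

Added example, not code from the original article.  SAMPLE_PACKETS is a
constructed, simplified capture: (direction, payload) pairs in wire order,
where "C" is client -> router and "S" is router -> client.  Telnet option
negotiation (IAC sequences) is included so the decoder has to strip it.
"""

IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254


def keystrokes(text):
    """Telnet in character mode sends one keystroke per segment."""
    return [("C", ch.encode("ascii")) for ch in text] + [("C", b"\r\n")]


# Constructed capture: user EXEC password, then 'enable' and the enable password.
SAMPLE_PACKETS = (
    [("S", bytes([IAC, WILL, 1]) + b"\r\nUser Access Verification\r\n\r\nPassword: "),
     ("C", bytes([IAC, DO, 1]))]
    + keystrokes("cisco123")
    + [("S", b"\r\nRa>")]
    + keystrokes("enable")
    + [("S", b"enable\r\nPassword: ")]
    + keystrokes("secret")
    + [("S", b"\r\nRa#"),
       ("C", b"show running-config\r\n")]
)


def strip_telnet_options(data):
    """Remove IAC command/option sequences, keeping only application bytes."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= len(data):
            break
        cmd = data[i + 1]
        if cmd == IAC:                      # escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd in (DO, DONT, WILL, WONT):  # IAC <cmd> <option>
            i += 3
        elif cmd == SB:                     # subnegotiation: skip to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:                               # other two-byte commands
            i += 2
    return bytes(out)


def reassemble_session(packets):
    """Replay the capture in order; return [(kind, text)] where kind is
    'password' (line typed after a Password: prompt) or 'command'."""
    recovered = []
    server_text = ""            # router output since the client's last full line
    client_line = bytearray()   # keystrokes not yet terminated by CR LF
    for direction, payload in packets:
        data = strip_telnet_options(payload)
        if direction == "S":
            server_text += data.decode("ascii", "replace")
            continue
        client_line += data
        while b"\r\n" in client_line:       # one segment may hold several lines
            line, _, rest = bytes(client_line).partition(b"\r\n")
            client_line = bytearray(rest)
            kind = "password" if server_text.rstrip().endswith("Password:") else "command"
            recovered.append((kind, line.decode("ascii", "replace")))
            server_text = ""
    return recovered


def recovered_passwords(packets):
    """Just the passwords an attacker pulls out of the capture."""
    return [text for kind, text in reassemble_session(packets) if kind == "password"]


if __name__ == "__main__":
    for kind, text in reassemble_session(SAMPLE_PACKETS):
        print(f"{kind:8s} {text}")
```

The reassembly needs nothing more than packet order and the prompt text: changing the password, or encrypting it in the router's configuration, does not help, because the new value crosses the wire in the clear the next time it is typed.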
2. SSH Security
SSH (Secure Shell) listens on TCP port 22 by default. With SSH all transmitted data is encrypted, so the passive sniffing attack above yields nothing useful. Because the client verifies the server's host key, SSH can also detect DNS and IP spoofing: an impostor that intercepts the connection cannot present the genuine router's key, provided the client checks it rather than blindly accepting any key. An additional advantage is that session data can be compressed, which speeds up transmission over slow links.
3. SSH deployment
Based on the test above and the security properties of SSH, SSH rather than Telnet should be used for secure management of Cisco routers. Of course, managing a Cisco router over SSH also requires some configuration on the router itself. The following describes how to deploy and connect to SSH in a lab environment.
(1). Cisco Configuration
The following commands configure SSH on the router; the comment after each one (//) explains what it does:
Ra# configure terminal
Ra(config)# ip domain-name ctocio.com.cn
// Configure a domain name; together with the hostname it names the RSA key pair
Ra(config)# crypto key generate rsa general-keys modulus 1024
// Generate an RSA key pair with a 1024-bit modulus
(Note: on the IOS release used here the modulus can be 360 to 2048 bits; use at least 2048 bits wherever the platform allows it, since 1024-bit RSA is no longer considered strong. This key pair is the router's SSH host key. The router presents the public key to each client, and the client uses it to verify the router's signature during the key exchange that sets up the session keys. It therefore authenticates the router to the client (a client that has cached the key can recognise an impostor), not the client to the router; the client is authenticated separately, by the username and password configured below.)
Ra(config)# ip ssh version 2
// Accept only SSH protocol version 2; version 1 has known weaknesses (this line is not in the original list but should always be set)
Ra(config)# ip ssh time-out 120
// Negotiation timeout: the client has 120 seconds to complete authentication
Ra(config)# ip ssh authentication-retries 4
// Allow 4 authentication attempts per connection (the range is 0 to 5)
Ra(config)# aaa new-model
// Enable the AAA command set; the aaa authentication command below is not accepted without it
Ra(config)# aaa authentication login default local
// Authenticate logins against the local user database
Ra(config)# username ctocio secret ctocio
// Create user ctocio for SSH client login. secret stores a hash, whereas the password keyword stores a reversible (type 7) or plaintext value; the weak value ctocio is only for this lab
Ra(config)# line vty 0 4
// Enter vty line configuration
Ra(config-line)# transport input ssh
// Accept only SSH on the vty lines; by default all protocols, including Telnet, are accepted
Ra(config-line)# login authentication default
// Use the default AAA login list (local users) on these lines
Ra(config-line)# exit
With this, the Cisco configuration for SSH is complete. Check the result with show ip ssh (it should report version 2 and the timeout and retry values) before closing the Telnet session, so that a mistake cannot lock you out.
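As an added example (my code, not from the original article or from Cisco), here is a small Python audit that flags the weaknesses a router configuration of this kind commonly retains after a partial hardening: vty lines without transport input ssh, no ip ssh version 2, users stored with password instead of secret, and aaa authentication configured without aaa new-model. The two configuration texts are constructed for the example (the hash in the hardened one is a placeholder, not a real secret), and the audit is deliberately a plain text scan of show running-config output.

```python
"""Audit a Cisco IOS running-config for Telnet/SSH hardening gaps.

Added example, not code from the original article or from Cisco.  Both
configurations below are constructed for the demonstration; the 'secret 5'
value in the hardened one is a placeholder, not a real password hash.
"""
import re

# Constructed: the kind of config this article's original command list produces.
WEAK_CONFIG = """\
hostname Ra
ip domain-name ctocio.com.cn
username ctocio password 0 ctocio
aaa authentication login default local
line vty 0 4
 login
line vty 5 15
 transport input all
 login
"""

# Constructed: the same router after the corrections in the text above.
HARDENED_CONFIG = """\
hostname Ra
ip domain-name ctocio.com.cn
aaa new-model
aaa authentication login default local
username ctocio secret 5 $1$EXAMPLE$placeholderhashonly
ip ssh version 2
ip ssh time-out 120
ip ssh authentication-retries 4
line vty 0 4
 transport input ssh
 login authentication default
line vty 5 15
 transport input ssh
 login authentication default
"""


def vty_blocks(lines):
    """Return [(header, [sub-commands])] for every 'line vty' section.
    IOS indents a line's sub-commands by one space in running-config."""
    blocks, current = [], None
    for line in lines:
        if line.startswith("line vty"):
            current = (line, [])
            blocks.append(current)
        elif current is not None and line.startswith(" "):
            current[1].append(line.strip())
        else:
            current = None          # any other top-level command ends the section
    return blocks


def audit_config(text):
    """Return a list of human-readable findings; an empty list means clean."""
    lines = [l.rstrip() for l in text.splitlines() if l.strip()]
    findings = []

    for header, cmds in vty_blocks(lines):
        transport = [c for c in cmds if c.startswith("transport input")]
        if not transport:
            findings.append(f"{header}: no 'transport input' (defaults to all, so Telnet is allowed)")
        elif any(re.search(r"\b(telnet|all)\b", t) for t in transport):
            findings.append(f"{header}: '{transport[0]}' still permits Telnet")

    if "ip ssh version 2" not in lines:
        findings.append("'ip ssh version 2' not set: the router may negotiate SSHv1")

    for l in lines:
        if re.match(r"username \S+ password ", l):
            user = l.split(" ")[1]
            findings.append(f"user '{user}': stored with 'password' (reversible or plaintext); use 'secret'")

    if any(l.startswith("aaa authentication") for l in lines) and "aaa new-model" not in lines:
        findings.append("'aaa authentication' present without 'aaa new-model'; AAA is not in effect")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for f in audit_config(cfg) or ["no findings"]:
            print(" -", f)
```

Run it against a saved copy of show running-config from each router; a vty block reported as having no transport input is the finding that matters most, because that is the one that keeps Telnet reachable after everything else has been hardened.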
(2). SSH Login
After these settings are applied, Telnet to the router is refused; a dedicated SSH client is needed for remote logon. To verify that SSH protects the login, packet capture software was left running during the session.
The SSH client used here is PuTTY. Start it and enter the router's IP address, 192.168.2.1. PuTTY then shows a security alert asking whether to trust the router's host key, which is the RSA key generated above; confirm out of band that the fingerprint it displays belongs to this router before clicking "Yes", since blindly accepting an unknown key is exactly what a man-in-the-middle relies on. The login prompt then appears; enter the user ctocio and the password set on the router, and the logon succeeds.
The sniffer's capture now shows only encrypted data: no usernames, passwords or commands can be read. SSH therefore protects remote login to the Cisco router.
Conclusion: SSH is not only for router management. The same SSH-based remote management applies to remote system administration and server maintenance, and SSH clients are available both as command-line tools and as GUI tools. Network management puts security first: SSH defeats passive sniffing and, provided host keys are checked, "man-in-the-middle" attacks as well. I hope this article helps you improve the security of your network management.