CCNA Security: Module 2 (Part 2)

Instructor: Ernesto Vilarrasa

 

 

Privilege-level based configuration:

 

Firewall(config)#enable secret Enable1234

Firewall(config)#username nivel1 privilege 1 secret Cisco12345

Firewall(config)#username soporte privilege 5 secret Cisco12345

Firewall(config)#privilege exec level 5 show

Firewall(config)#username sistemas privilege 10 secret Cisco12345

Firewall(config)#privilege exec level 10 reload

Firewall(config)#privilege exec level 10 show runn

Firewall(config)#privilege exec level 10 copy ru st

Firewall(config)#username admin priv 15 secret Cisco12345

Firewall(config)#int fa 0/0

Firewall(config-if)#ip address 192.168.0.1 255.255.255.0

Firewall(config-if)#end

 

PC>ssh -l nivel1 192.168.0.1

 

Firewall>enable 15

Firewall#sh privilege

Current privilege level is 15

Firewall#disable

Firewall>sh privilege

Current privilege level is 1

 

PC>ssh -l soporte 192.168.0.1

 

Firewall#sh run

            ^

% Invalid input detected at '^' marker.

(Only the show keyword was lowered to level 5; show running-config keeps its default level 15, so a level-5 session does not even see the command and the parser reports it as invalid input.)

Firewall#sh ip int

 

PC>ssh -l sistemas 192.168.0.1

 

Firewall#sh privilege

Current privilege level is 10

Firewall#conf t

              ^

% Invalid input detected at '^' marker.

          

Firewall#copy ru st

Firewall#sh runn

 

PC>ssh -l admin 192.168.0.1

 

Firewall#sh privilege

Current privilege level is 15

Firewall#copy ru st

Firewall#sh runn

Firewall#conf t

 

 

Role-based configuration (CLI views; requires aaa new-model to be enabled first):

 

Firewall#enable view

Password: Enable1234

Firewall#%PARSER-6-VIEW_SWITCH: successfully set to view 'root'.

Firewall#conf t

Firewall(config)#parser view soporte

Firewall(config-view)#secret cisco12345

Firewall(config-view)#commands exec include copy ru st

Firewall(config-view)#commands exec include show ver

Firewall(config-view)#commands exec include show int

Firewall(config-view)#commands exec include show ip route

 

Firewall>ena view soporte

Firewall#show ip ?

  route         IP routing table

Firewall#exit

Firewall#enable view

Firewall#conf t

Firewall(config)#parser view sistemas

Firewall(config-view)#commands exec include copy ru st

% Password not set for the view sistemas

Firewall(config-view)#secret Cisco12345

Firewall(config-view)#commands exec include copy ru st

Firewall(config-view)# commands exec include all sh

Firewall(config-view)# commands exec include reload

Firewall(config-view)#^Z

 

Create a superview that includes the previous views (not supported in Packet Tracer):

 

Firewall(config)#parser view superview-name superview

Firewall(config-view)#secret Cisco12345

Firewall(config-view)#view soporte

Firewall(config-view)#view sistemas
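The two view sections above and the superview, put together as one complete configuration that also binds each local user to a view so the view is entered at login instead of through enable view. This is an added example, not part of the original lab; the superview name jefatura, the user jefe, the AAA method lists and the vty settings are assumptions.

```cisco
! Added example (not from the original lab). Assumed names: superview "jefatura",
! user "jefe", AAA default method lists, vty 0 4.
!
! Role-based CLI requires AAA. Keep a level-15 local user so the device stays reachable.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username admin privilege 15 secret Cisco12345
!
! Views are created from the root view (enable view, then the enable secret).
! The view secret must be set before any "commands" line, otherwise IOS answers
! "% Password not set for the view ...".
parser view soporte
 secret Cisco12345
 commands exec include copy running-config startup-config
 commands exec include show version
 commands exec include show interfaces
 commands exec include show ip route
!
parser view sistemas
 secret Cisco12345
 commands exec include copy running-config startup-config
 commands exec include all show
 commands exec include reload
!
! A superview carries no commands of its own; it only aggregates existing views.
parser view jefatura superview
 secret Cisco12345
 view soporte
 view sistemas
!
! Bind operators to their view at login (needs "aaa authorization exec default local").
username soporte view soporte secret Cisco12345
username sistemas view sistemas secret Cisco12345
username jefe view jefatura secret Cisco12345
!
line vty 0 4
 transport input ssh
!
! Verification from the root view:
!   show parser view all                       - every view and superview defined
!   show parser view                           - current view of the running session
!   show running-config | section parser view  - review what each view exposes
```

Users who log in through this AAA setup land directly in their view and cannot enable view into another one without that view's secret; keep the root view (enable view plus the enable secret) as the only path to full configuration access.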

 

Locking down the router:

 

Firewall#auto secure

 

                         --- AutoSecure Configuration ---

*** AutoSecure configuration enhances the security of

the router, but it will not make it absolutely resistant

to all security attacks ***

AutoSecure then walks through an interactive dialog (auto secure no-interact applies the defaults without prompting). Review the result with show auto secure config before saving it, since AutoSecure disables several services that management tools may still depend on.

                                                       

                                                          

 

 

(2010) Ernesto Vilarrasa

Rosario, Argentina