CCNA Security: module 2 (part 2)
Instructor: Ernesto Vilarrasa
Privilege-based configuration:
Firewall(config)#enable secret Enable1234
Firewall(config)#username nivel1 privilege 1 secret Cisco12345
Firewall(config)#username soporte privilege 5 secret Cisco12345
Firewall(config)#privilege exec level 5 show
Firewall(config)#username sistemas privilege 10 secret Cisco12345
Firewall(config)#privilege exec level 10 reload
Firewall(config)#privilege exec level 10 show runn
Firewall(config)#privilege exec level 10 copy ru st
Firewall(config)#username admin priv 15 secret Cisco12345
Firewall(config)#int fa 0/0
Firewall(config-if)#ip address 192.168.0.1 255.255.255.0
Firewall(config-if)#end
(Levels 2 to 14 grant nothing by themselves: each one only gets the commands assigned to it with "privilege exec level". "show running-config", "copy" and "reload" default to level 15, which is why they are explicitly lowered to level 10 here; "configure terminal" is left at 15.)
PC>ssh -l nivel1 192.168.0.1
Firewall>enable 15
Firewall#sh privilege
Current privilege level is 15
Firewall#disable
Firewall>sh privilege
Current privilege level is 1
(nivel1 logs in at level 1 but still reaches level 15 with "enable 15", because the only check is the enable secret. Privilege levels limit what a level can do, not who can climb to a higher one: anyone who knows the enable secret gets level 15, so that secret must not be given to level-1 or level-5 operators.)
PC>ssh -l soporte 192.168.0.1
Firewall#sh run
            ^
% Invalid input detected at '^' marker.
(show running-config was moved to level 10; soporte is level 5.)
Firewall#sh ip int
PC>ssh -l sistemas 192.168.0.1
Firewall#sh privilege
Current privilege level is 10
Firewall#conf t
          ^
% Invalid input detected at '^' marker.
(configure terminal stays at the default level 15.)
Firewall#copy ru st
Firewall#sh runn
PC>ssh -l admin 192.168.0.1
Firewall#sh privilege
Current privilege level is 15
Firewall#copy ru st
Firewall#sh runn
Firewall#conf t
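The sessions above are easier to reason about if the level rules are written down. The following Python script is an added example, not part of the course material: it parses a constructed running-config excerpt that mirrors the settings above, answers "can this user run this command?" with a simplified model (an explicit "privilege exec level" entry wins, otherwise the command's default level), reproduces the "enable 15" escalation seen in the nivel1 session, and lists the findings a reviewer would raise. The default-level table and the "enable secret level" check are assumptions made for the example.

```python
import re

# Constructed running-config excerpt reproducing the page's privilege-level
# settings, with the abbreviations expanded the way IOS stores them.
CONFIG = """\
enable secret Enable1234
username nivel1 privilege 1 secret Cisco12345
username soporte privilege 5 secret Cisco12345
username sistemas privilege 10 secret Cisco12345
username admin privilege 15 secret Cisco12345
privilege exec level 5 show
privilege exec level 10 reload
privilege exec level 10 show running-config
privilege exec level 10 copy running-config startup-config
"""

# Simplified default table (assumption): IOS places most EXEC commands at
# level 1 and these, among others, at level 15 until reassigned.
DEFAULT_LEVEL_15 = {
    "configure terminal",
    "show running-config",
    "copy running-config startup-config",
    "reload",
}


def parse_config(text):
    """Return ({user: privilege}, {command: level}, {levels with own secret})."""
    users, levels, level_secrets = {}, {}, set()
    for line in text.splitlines():
        m = re.match(r"^username (\S+) privilege (\d+) ", line)
        if m:
            users[m.group(1)] = int(m.group(2))
            continue
        m = re.match(r"^privilege exec level (\d+) (.+)$", line)
        if m:
            levels[m.group(2).strip()] = int(m.group(1))
            continue
        m = re.match(r"^enable secret level (\d+) ", line)
        if m:
            level_secrets.add(int(m.group(1)))
    return users, levels, level_secrets


def required_level(command, levels):
    """Level needed for an exact command string: an explicit 'privilege exec
    level' entry wins, otherwise the default (simplified model)."""
    if command in levels:
        return levels[command]
    return 15 if command in DEFAULT_LEVEL_15 else 1


def can_run(user, command, users, levels):
    """A user may run any command whose level is at or below their own."""
    return users[user] >= required_level(command, levels)


def can_escalate_to_15(user, users, knows_enable_secret):
    """Privilege levels do not stop 'enable 15' for anyone who knows the
    enable secret, which is what the nivel1 session on the page shows."""
    return users[user] == 15 or knows_enable_secret


def audit(users, levels, level_secrets):
    """Findings a reviewer would raise about this configuration."""
    findings = []
    for cmd in ("show running-config", "copy running-config startup-config",
                "configure terminal"):
        allowed = sorted(u for u in users if can_run(u, cmd, users, levels))
        findings.append(f"{cmd}: {', '.join(allowed)}")
    unprotected = sorted({p for p in users.values() if p != 15} - level_secrets)
    if unprotected:
        findings.append("levels without their own enable secret: "
                        + ", ".join(map(str, unprotected)))
    return findings


if __name__ == "__main__":
    u, lv, s = parse_config(CONFIG)
    for line in audit(u, lv, s):
        print(line)
```

Run it against a real "show running-config" dump after expanding any abbreviations; the model deliberately ignores how IOS moves parent keywords (the "show" entry at level 5), so treat its answers as a first pass and confirm on the device with "show privilege" as the sessions above do.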
Role-based configuration (CLI views):
("enable view" only works once "aaa new-model" is configured; the root view is unlocked with the enable secret.)
Firewall#enable view
Password: Enable1234
Firewall#
%PARSER-6-VIEW_SWITCH: successfully set to view 'root'.
Firewall#conf t
Firewall(config)#parser view soporte
Firewall(config-view)#secret cisco12345
Firewall(config-view)#commands exec include copy ru st
Firewall(config-view)#commands exec include show ver
Firewall(config-view)#commands exec include show int
Firewall(config-view)#commands exec include show ip route
Firewall>ena view soporte
Firewall#show ip ?
  route  IP routing table
(Inside the view only the included commands exist; "show ip ?" offers nothing but "route".)
Firewall#exit
Firewall#enable view
Firewall#conf t
Firewall(config)#parser view sistemas
Firewall(config-view)#commands exec include copy ru st
% Password not set for the view sistemas
(A view must have its secret set before any command can be added to it.)
Firewall(config-view)#secret Cisco12345
Firewall(config-view)#commands exec include copy ru st
Firewall(config-view)#commands exec include all sh
Firewall(config-view)#commands exec include reload
Firewall(config-view)#^Z
("include all sh" admits every show command, including "show running-config"; a plain "include" admits only the exact command named.)
Creating a superview that includes the previous views (not supported in Packet Tracer):
Firewall(config)#parser view superview-name superview
Firewall(config-view)#secret Cisco12345
Firewall(config-view)#view soporte
Firewall(config-view)#view sistemas
(A superview has no commands of its own; it grants the union of its member views.)
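The view and superview sections above describe a small access-control model: a view is a set of exactly included commands plus "include all" prefixes, it refuses commands until it has a secret, and a superview is the union of its members. The following Python script is an added example, not part of the course material: it parses a constructed config excerpt mirroring the soporte, sistemas and superview-name views (abbreviations expanded) and answers whether a given view permits a given command. Exact-string matching of commands is a simplifying assumption of the example, not a statement about how the IOS parser tokenizes input.

```python
import re

# Constructed config excerpt mirroring the page's views, abbreviations expanded.
VIEW_CONFIG = """\
parser view soporte
 secret cisco12345
 commands exec include copy running-config startup-config
 commands exec include show version
 commands exec include show interfaces
 commands exec include show ip route
!
parser view sistemas
 secret Cisco12345
 commands exec include copy running-config startup-config
 commands exec include all show
 commands exec include reload
!
parser view superview-name superview
 secret Cisco12345
 view soporte
 view sistemas
!
"""


class View:
    def __init__(self, name, is_superview=False):
        self.name = name
        self.is_superview = is_superview
        self.secret = None
        self.exact = set()      # commands from "commands exec include <cmd>"
        self.prefixes = set()   # prefixes from "commands exec include all <cmd>"
        self.members = []       # member views of a superview

    def include(self, command, all_sub=False):
        # IOS refuses to add commands until the view has a secret, which is
        # the "% Password not set for the view ..." error seen on the page.
        if self.secret is None:
            raise ValueError(f"% Password not set for the view {self.name}")
        (self.prefixes if all_sub else self.exact).add(command)


def parse_views(text):
    """Build {name: View} from 'parser view' blocks in a config excerpt."""
    views, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^parser view (\S+)( superview)?$", line)
        if m:
            cur = views[m.group(1)] = View(m.group(1), bool(m.group(2)))
        elif cur is None or line == "!":
            continue
        elif line.startswith("secret "):
            cur.secret = line.split(" ", 1)[1]
        elif line.startswith("commands exec include all "):
            cur.include(line[len("commands exec include all "):], all_sub=True)
        elif line.startswith("commands exec include "):
            cur.include(line[len("commands exec include "):])
        elif line.startswith("view "):
            cur.members.append(line.split(" ", 1)[1])
    return views


def allows(views, name, command):
    """True if the view (or, for a superview, any member view) permits command."""
    v = views[name]
    if v.is_superview:
        return any(allows(views, m, command) for m in v.members)
    if command in v.exact:
        return True
    return any(command == p or command.startswith(p + " ") for p in v.prefixes)


if __name__ == "__main__":
    views = parse_views(VIEW_CONFIG)
    for view in ("soporte", "sistemas", "superview-name"):
        for cmd in ("show ip route", "show running-config", "reload"):
            print(f"{view:15} {cmd:22} {allows(views, view, cmd)}")
```

The useful check is the second column: "include all show" in the sistemas view quietly admits "show running-config", so a view that was meant to be read-only on interfaces and routes leaks the whole configuration (including the username lines) as soon as a wildcard include is added.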
Locking down the router:
Firewall#auto secure
                --- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of the router, but it will not make it absolutely resistant to all security attacks ***
(2010) Ernesto Vilarrasa
Rosario, Argentina