Allied Telesis Support Portal

Procedural security practices and why they are important

What are some common procedural security practices and why they are important?

Introduction

Below are some simple security practices that may seem trivial, but which can have a significant positive effect on the network environment and even avoid business interruptions.

Enforcing strong passwords

Passwords that are too simple or too common may be exploited by a brute-force attack, in which an attacker tries a large number of passwords in order to gain access to the system.

In AW+, the command security-password minimum-categories determines how complex a password must be.

This command specifies the minimum number of categories that the password must contain in order to be considered valid.
The password categories are:
• Uppercase letters: A to Z
• Lowercase letters: a to z
• Digits: 0 to 9
• Special symbols: all printable ASCII characters not included in the previous three categories. The question mark (?) cannot be used as it is reserved for help functionality.

Example:
awplus# configure terminal
awplus(config)# security-password minimum-categories 4
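The category rule above can be checked before a password is ever typed into the switch. The Python check below is an added example, not code from the Allied Telesis page; it counts the same four categories AW+ uses, rejects the reserved question mark, and, as an assumption of this example, treats only printable ASCII without whitespace as valid. The function names are this example's own.

```python
import string

# Special symbols: printable ASCII that is not a letter or digit. "?" is left
# out because AW+ reserves it for CLI help. Treating whitespace as invalid is
# an assumption of this example.
SPECIAL = set(string.punctuation) - {"?"}


def password_categories(password: str) -> set:
    """Return the set of AW+ password categories present in the password."""
    cats = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            cats.add("upper")
        elif ch in string.ascii_lowercase:
            cats.add("lower")
        elif ch in string.digits:
            cats.add("digit")
        elif ch in SPECIAL:
            cats.add("special")
    return cats


def check_password(password: str, minimum_categories: int = 4):
    """Return (ok, reason) for the given 'security-password minimum-categories' value."""
    if "?" in password:
        return False, "'?' is reserved for CLI help and cannot be used"
    if any(ch not in string.printable or ch.isspace() for ch in password):
        return False, "only printable ASCII characters without whitespace are allowed"
    cats = password_categories(password)
    if len(cats) < minimum_categories:
        return False, (f"only {len(cats)} of {minimum_categories} required "
                       f"categories present: {sorted(cats)}")
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample passwords for illustration.
    for candidate in ("Summer2024", "Summer-2024!", "abc?def"):
        print(candidate, "->", check_password(candidate, 4))
```

With minimum-categories 4, "Summer2024" fails because it has only three categories (upper, lower, digit), while "Summer-2024!" passes.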

Enforcing a maximum number of failed attempts and a retry timer

A brute-force attack can be stopped by a retry timer that limits the number of failed attempts within a time period. The attacker then cannot try a large number of random passwords in a short amount of time, rendering the attack infeasible.

In AW+, the command aaa local authentication attempts lockout-time determines how long the lockout lasts, and aaa local authentication attempts max-fail sets how many consecutive failures trigger it.

Example:
The example below configures a lockout period of 10 minutes (600 seconds) if login fails 4 times in a row.
awplus# configure terminal
awplus(config)# aaa local authentication attempts lockout-time 600
awplus(config)# aaa local authentication attempts max-fail 4
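To make the effect of max-fail and lockout-time concrete, the Python class below simulates the lockout logic: consecutive failures are counted per user, the account is locked for lockout-time seconds once max-fail is reached, and a successful login resets the counter. This is an added example and an assumption about how the switch behaves, not Allied Telesis code; the class and method names are this example's own, and the clock is injected so the demo runs instantly offline.

```python
import time


class LocalAuthLockout:
    """Per-user consecutive-failure counter with a timed lockout
    (models 'aaa local authentication attempts max-fail / lockout-time')."""

    def __init__(self, max_fail=4, lockout_time=600, clock=time.monotonic):
        self.max_fail = max_fail
        self.lockout_time = lockout_time
        self.clock = clock
        self.failures = {}       # user -> consecutive failed attempts
        self.locked_until = {}   # user -> clock value when the lockout ends

    def is_locked(self, user):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout has expired: clear it and start counting afresh.
            del self.locked_until[user]
            self.failures[user] = 0
            return False
        return True

    def attempt(self, user, password_ok):
        """Return 'locked', 'ok' or 'fail' for one login attempt."""
        if self.is_locked(user):
            return "locked"          # rejected even if the password is right
        if password_ok:
            self.failures[user] = 0  # success resets the failure count
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_fail:
            self.locked_until[user] = self.clock() + self.lockout_time
        return "fail"


def demo():
    """Replay the page's settings (max-fail 4, lockout-time 600) with a fake clock."""
    now = [0.0]
    auth = LocalAuthLockout(max_fail=4, lockout_time=600, clock=lambda: now[0])
    results = [auth.attempt("manager", False) for _ in range(4)]  # four failures
    results.append(auth.attempt("manager", True))  # correct password, but locked
    now[0] += 600                                   # lockout period elapses
    results.append(auth.attempt("manager", True))  # now accepted
    return results


if __name__ == "__main__":
    print(demo())
```

With these values an account sees at most four guesses per ten-minute lockout window, which is why the page describes the attack as infeasible rather than merely slower.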

Enforcing a logout timer

A logout timer automatically terminates a user's session when the user has been idle for a period of time. This prevents sessions from accumulating and eventually locking the administrator out of remote access, and avoids unintentionally leaving a session open to the system.

In AW+, the command exec-timeout determines the length of the idle timeout.

Example:
The example below sets VTY connections to time out after 2 minutes and 30 seconds with no input from the user.
awplus# configure terminal
awplus(config)# line vty 0 4
awplus(config-line)# exec-timeout 2 30


Enforcing a password lifetime

Passwords need to be changed periodically, since the longer a password remains unchanged, the higher the risk that it has been leaked. A password lifetime helps mitigate this risk.

In AW+, the command security-password lifetime determines how long until a password expires.

Example:
The example below sets the password lifetime to 10 days.
awplus# configure terminal
awplus(config)# security-password lifetime 10


Limiting user access level

A user should be given sufficient access to perform their duties, but nothing more. An over-privileged account can be the perfect starting point for a cyber attack.

In AW+, use the privilege option of the username command to set the privilege level of a user.

Example:
The example below creates a user "junior_admin" with the password "show_only" and a privilege level of 7, which gives intermediate CLI access to most show commands:
awplus# configure terminal
awplus(config)# username junior_admin privilege 7 password show_only


Implementing backups

Unforeseen events can happen outside anyone's control. What can be controlled is how to prepare for such events, so backing up important data is essential. In the event of hardware failure, a spare device and a backed-up configuration can minimise network downtime.

In AW+, backups can be made to USB, SD card, TFTP or AMF.
The copy command can be used to copy configuration and software files to the designated location.

Example:
The example below copies the file bob.key to the TFTP server at 10.0.0.1.
awplus# copy bob.key tftp://10.0.0.1/bob.key


Implementing a login banner

A login banner can serve as a warning to potential attackers that they are liable for their actions, and indicates that the system is off limits to unauthorised access. Attackers can sometimes avoid legal consequences by claiming they had no knowledge that what they did was prohibited.

In AW+, the command banner login allows the message to be configured.

Example:
The example below configures the message "Authorised users only" to be displayed before login.
awplus#configure terminal
awplus(config)#banner login
Type CNTL/D to finish.

Authorised users only

awplus(config)#exit
awplus#exit

Authorised users only

awplus login: manager
Password:

AlliedWare Plus (TM) 5.5.0 04/05/20 12:00:00

awplus>
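The settings in the sections above (password categories and lifetime, failed-attempt lockout, VTY idle timeout, privilege levels and the login banner) are easy to forget on one device out of many, so a practitioner usually audits the running configuration for them. The Python script below is an added example, not Allied Telesis code: it parses a constructed AW+-style running-config and lists which of these practices are missing. The config snippets, the "manager"-only allow-list for privilege 15, and the function names are assumptions of this example.

```python
import re

# Constructed sample running-config with several practices missing.
RUNNING_CONFIG = """\
!
hostname awplus
!
security-password minimum-categories 2
!
username manager privilege 15 password 8 HASH_PLACEHOLDER
username junior_admin privilege 7 password show_only
username helpdesk privilege 15 password Welcome1
!
aaa local authentication attempts max-fail 4
!
line con 0
line vty 0 4
!
"""

# Constructed config with every practice from the article applied.
HARDENED_CONFIG = """\
security-password minimum-categories 4
security-password lifetime 10
username manager privilege 15 password 8 HASH_PLACEHOLDER
username junior_admin privilege 7 password 8 HASH_PLACEHOLDER
aaa local authentication attempts lockout-time 600
aaa local authentication attempts max-fail 4
banner login
line vty 0 4
 exec-timeout 2 30
"""


def parse_config(text):
    """Split a running-config into top-level commands and the indented
    child commands of each 'line ...' section."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
            continue
        line = raw.strip()
        top.append(line)
        if line.startswith("line "):
            current = line
            sections.setdefault(current, [])
        else:
            current = None
    return top, sections


def find(commands, prefix):
    """First top-level command starting with prefix, or None."""
    return next((c for c in commands if c.startswith(prefix)), None)


def audit(text, allowed_priv15=("manager",), min_categories=4):
    """Return a list of findings; an empty list means all checks passed."""
    top, sections = parse_config(text)
    findings = []

    cmd = find(top, "security-password minimum-categories ")
    cats = int(cmd.split()[-1]) if cmd else 0   # absent: not enforced
    if cats < min_categories:
        findings.append(f"security-password minimum-categories is "
                        f"{cats or 'not set'}, expected {min_categories}")
    if not find(top, "security-password lifetime "):
        findings.append("no security-password lifetime: passwords never expire")
    if not find(top, "aaa local authentication attempts lockout-time "):
        findings.append("no lockout-time: failed logins are not throttled")
    if not find(top, "banner login"):
        findings.append("no banner login configured")
    for name, cmds in sections.items():
        if name.startswith("line vty") and not any(c.startswith("exec-timeout") for c in cmds):
            findings.append(f"{name}: no exec-timeout, idle sessions never close")
    for c in top:
        m = re.match(r"username (\S+) privilege (\d+)", c)
        if m and int(m.group(2)) == 15 and m.group(1) not in allowed_priv15:
            findings.append(f"user {m.group(1)} has privilege 15 but is not an approved administrator")
    return findings


if __name__ == "__main__":
    for f in audit(RUNNING_CONFIG):
        print("FINDING:", f)
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

Run against the first snippet the audit reports six findings (weak minimum-categories, no lifetime, no lockout-time, no banner, no exec-timeout on the VTY lines, and an unexpected privilege-15 user); the hardened snippet produces none.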

Job rotation

Job rotation is the process of a different individual taking over a role previously held by another employee. This serves as an opportunity for cross-training; more importantly, it can act as a deterrent to unethical or even illegal activities that require daily activity to cover up. It also eliminates the individual as a single point of failure.

Mandatory vacation

Mandatory vacation is similar to job rotation in that it temporarily relieves an individual from daily duties. It can still expose activities that require daily cover-up; the difference is that there is no cross-training, and the individual does not take on additional duties during this period.

Real-life example:
There was a network administrator for the City of San Francisco who was the only person who knew the password to maintain the system. When he was relieved from his position, he refused to give the password to his superiors, causing an outage in the system. The two procedural practices above would have avoided this incident if the City of San Francisco had implemented them at the time.