Posts Tagged ‘Security’

CCSA Home Lab

March 20, 2012

As most of you may already know by now, I recently relocated to the beautiful Island of Bermuda and started a new gig. Part of my job role will be to deploy and support Checkpoint firewalls. This means that I would need to get up to speed on how these firewalls work pretty quickly. Given this, I figured it would be a good idea to blog about my experiences with these devices as a way to both understand and store my thoughts for future references.

Building a home lab for my studies turned out to be a whole lot easier than I had first anticipated. Everything I needed to study for the exams and to practice deploying the devices could be virtualized. Below you can find my home lab blueprint.

  • Lenovo ThinkPad with 8GB of RAM and lots of disk space.
  • VMware Workstation 7
  • Two Windows Server 2003 VMs
  • One Windows 7 (host install on my laptop)
  • Two Security Gateways
  • One Security Management Server
  • Checkpoint SecurePlatform R75.20

One of the 2K3 VMs was configured with the RRAS role to act as a router, while the other was used just as a general client sitting behind the firewall. Any client OS such as Windows XP/Vista/7 would work, but I was too lazy to install another OS, so I copied the Server 2K3 VM 🙂 . I also used my Windows 7 host OS as a client sitting behind one of the gateways; this way I was able to do ping tests to the remote site when testing my VPN configurations.

As you can see, it’s a very basic setup, but should allow me to test most of the stuff relevant to the exams.

Why and how to configure Secure Shell (SSH) on a Cisco router

January 17, 2010

This was taken from one of the posts I did for TrainSignal. From time to time you’ll see me post articles here that I wrote for TrainSignal.

Security continues to dominate the IT industry and is one of the most important factors to consider when designing and deploying networks. It is, therefore, imperative that we are able to identify and prevent most, if not all, vulnerabilities that may exist. One such weakness is Telnet, to which SSH is the alternative. We will be taking a deeper look at how you would enable and configure your Cisco router to use SSH, and why we should always use SSH where possible as opposed to Telnet.

We all know that when it comes to security within the networking universe, Cisco is one of the biggest players. However, just having a Cisco device doesn’t mean that you are secured. The onus is on you to ensure that you’ve configured that device properly to prevent most, if not all, loopholes.

Secure Shell (SSH)

Secure Shell (SSH) improves network security by providing a means of establishing secure connections to networking devices for management, thereby preventing hackers from gaining access. Using Digital Certificates, in Public/Private Key Cryptography, SSH is able to authenticate clients or servers, thereby ensuring that the device or server you are about to connect to is exactly who it claims to be.

Ok, so now that we have a very brief idea of how SSH secures network traffic, the next step is figuring out where to get this thing we call a digital certificate. Do we have to go into a store to purchase it? Digital Certificates can generally be acquired in three different ways. The most secure (and expensive) is requesting it from a trusted company called a CA – Certificate Authority. An example of one such company is VeriSign, which is highly popular within the CA industry for its role in providing worldwide trusted certificates; these certificates can cost quite a bit. There are two other ways of requesting a certificate: using an internally trusted CA (trusted within a company), also called an enterprise CA, or generating a self-signed certificate on the device itself. The last one is the least secure form but provides more than enough security to lock down your average network device. This self-signed certificate can be generated using the built-in commands on your Cisco router.

Like SSH, Telnet can also be used to connect to your router, but the main disadvantage of using Telnet is that it does not encrypt its connections. This means that if a hacker is able to capture packets from a Telnet session, he or she would be able to view the information contained within those packets, such as a client’s username and password, and could, therefore, gain access to your router. The diagram below will give you an idea of how this works.

Router Configuration

Now that we’ve gotten an understanding of how SSH works and why we should use SSH as opposed to using Telnet, the next step is actually getting down to configuring the device, which is always my favorite part.

For this exercise I will be using a Cisco 871 series SOHO router with IOS ver. 12.4 software. Depending on whether your router is brand new or currently in a production environment, you’re going to have to connect either via a Console session or through a Telnet session. Have a look at my article on “Configuring a Cisco router to use RADIUS for authentication – INSERT LINK″ for the steps needed to connect via a Console session, or you can check this article on Cisco’s website “INSERT LINK”

  1. Configure a hostname for the router using these commands.


    yourname#configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.

    yourname(config)#hostname LabRouter



  2. Configure a domain name with the ip domain-name command followed by whatever you would like your domain name to be. I used


    LabRouter(config)#ip domain-name


  3. We generate a certificate that will be used to encrypt the SSH packets using the crypto key generate rsa command. Take note of the message that is displayed right after we enter this command: “The name for the keys will be:”. It combines the hostname of the router with the domain name we configured to get the name of the encryption key generated; this is why it was important for us to configure a hostname and then a domain name before we generated the keys. Notice also that it asks us to choose a modulus size for the key we’re about to generate. The larger the modulus, the stronger the key. For our example, we’ll use a modulus of 1024.



  4. Now that we’ve generated the key, our next step is to configure our vty lines for SSH access and specify which database we are going to use to authenticate to the device. The local database on the router will do just fine for this example.


    LabRouter(config)#line vty 0 4

    LabRouter(config-line)#login local

    LabRouter(config-line)#transport input ssh

  5. You will need to create an account in the router’s local database to be used for authenticating to the device. This can be accomplished with this command.


    LabRouter(config)#username XXXX privilege 15 secret XXXX


Fine Tuning your Configuration.

We’ve pretty much completed all the steps needed to configure and use SSH on your router; however, there are some other configurations that can be made to further secure your device. For one, I would highly recommend enabling an exec timeout on your router to prevent anyone from gaining access to the device in cases where you forgot to log out or got distracted because of an emergency. This way, the router will automatically log you out after the session has been idle for a set time. You must configure this command on the line interface as depicted below.

    LabRouter(config)#line vty 0 4

    LabRouter(config-line)#exec-timeout 5


This means that if the session has been idle for 5 minutes, the router will automatically disconnect the session.


Use Access Control Lists (ACLs) as an added layer of security; this will ensure that only devices with certain IP addresses are able to connect to the router. Let’s say the IP subnet for your LAN is, you would create an ACL to permit only traffic from that subnet and apply this ACL to the vty lines.

    LabRouter(config)#access-list 1 permit

    LabRouter(config)#line vty 0 4

    LabRouter(config-line)#access-class 1 in


Another crucial point to note is the use of SSH2 as opposed to SSH1. SSH2 fixes a lot of the weaknesses that existed within SSH1, and for this reason I recommend always using SSH2 where possible. Enable SSH version 2 with this global configuration command:

    LabRouter(config)#ip ssh version 2
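To tie the whole procedure together from the defender’s side, here is an added example (my own illustration, not code from the original article or from Cisco) that audits a saved IOS running-config for the settings covered above: hostname and ip domain-name (without which crypto key generate rsa cannot name the key), ip ssh version 2, a local user account, and, on every vty line, transport input restricted to ssh, login local, a non-zero exec-timeout and an access-class whose ACL actually exists. The two configurations embedded in the script are constructed samples; the domain name, the 192.168.1.0/24 subnet and the username are placeholder values, and the script assumes the standard show running-config layout where commands under a line section are indented by one space.

```python
"""Audit a Cisco IOS running-config for the SSH hardening steps in the article.

Added example, not from the original post. Assumes 'show running-config' layout:
global commands start in column 0, commands under a 'line ...' section are
indented by one space. Sample configs below are constructed for illustration.
"""
import re

# Constructed sample: the configuration the article builds, assembled in one place.
HARDENED_CONFIG = """\
hostname LabRouter
ip domain-name lab.example.com
username admin privilege 15 secret 5 $1$PLACEHOLDER$placeholderhashvalue00
ip ssh version 2
access-list 1 permit 192.168.1.0 0.0.0.255
line vty 0 4
 access-class 1 in
 exec-timeout 5 0
 login local
 transport input ssh
"""

# Constructed sample: a router that still accepts Telnet and never times out.
WEAK_CONFIG = """\
hostname LabRouter
username admin privilege 15 secret 5 $1$PLACEHOLDER$placeholderhashvalue01
line vty 0 4
 exec-timeout 0 0
 login local
 transport input telnet ssh
"""


def parse_config(text):
    """Split config text into global commands and per-'line' sections."""
    global_cmds = []
    sections = {}          # e.g. {"line vty 0 4": ["access-class 1 in", ...]}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                      # skip blanks and comment/separator lines
        if raw.startswith(" "):
            if current is not None:       # indented command belongs to open section
                sections[current].append(raw.strip())
            continue
        cmd = raw.strip()
        current = None
        if cmd.startswith("line "):
            current = cmd
            sections[cmd] = []
        else:
            global_cmds.append(cmd)
    return global_cmds, sections


def audit_ssh_config(text):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    global_cmds, sections = parse_config(text)
    findings = []

    def has_global(prefix):
        return any(c.startswith(prefix) for c in global_cmds)

    # Steps 1-3: hostname and domain name are what names the RSA key.
    if not has_global("hostname "):
        findings.append("hostname not set (needed to name the RSA key)")
    if not has_global("ip domain-name "):
        findings.append("ip domain-name not set (needed to name the RSA key)")
    if not has_global("ip ssh version 2"):
        findings.append("ip ssh version 2 not set (SSHv1 may still be accepted)")
    # Step 5: 'login local' with no local users would lock everyone out.
    if not has_global("username "):
        findings.append("no local user accounts (login local would lock out access)")

    vty_sections = {n: c for n, c in sections.items() if n.startswith("line vty")}
    if not vty_sections:
        findings.append("no vty lines configured")

    for name, cmds in vty_sections.items():
        # Step 4: only SSH on the vty lines.
        transport = next((c for c in cmds if c.startswith("transport input")), None)
        if transport is None:
            findings.append(f"{name}: transport input not set (default may allow telnet)")
        elif transport.split()[2:] != ["ssh"]:
            findings.append(f"{name}: '{transport}' is not restricted to SSH")
        if "login local" not in cmds:
            findings.append(f"{name}: login local not set")
        # Fine tuning: exec-timeout 0 0 means the session never idles out.
        timeout = next((c for c in cmds if c.startswith("exec-timeout")), None)
        if timeout is not None:
            parts = timeout.split()
            minutes = int(parts[1])
            seconds = int(parts[2]) if len(parts) > 2 else 0
            if minutes == 0 and seconds == 0:
                findings.append(f"{name}: exec-timeout 0 0 disables idle logout")
        # Fine tuning: an access-class must be applied and its ACL must exist.
        access = next((re.match(r"access-class (\S+) in", c) for c in cmds
                       if c.startswith("access-class")), None)
        if access is None:
            findings.append(f"{name}: no access-class applied (any source IP may connect)")
        else:
            acl = access.group(1)
            if not (has_global(f"access-list {acl} ")
                    or has_global(f"ip access-list standard {acl}")):
                findings.append(f"{name}: access-class references missing ACL {acl}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(f"{label}: {audit_ssh_config(cfg) or ['OK']}")
```

Run it against the output of show running-config saved to a file and the weak sample reports five findings (missing domain name, no ip ssh version 2, Telnet still permitted, idle timeout disabled, no access-class), while the hardened sample passes clean. One caveat worth checking by hand rather than in this script: ip ssh version 2 is rejected by IOS if the RSA key modulus is smaller than 768 bits, so the 1024-bit modulus chosen in step 3 is the minimum I would use.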


Detailed reading on SSH can be found in RFC 4251 “INSERT LINK

Categories: Cisco