Cisco Press: Router Security Strategies, Part 6 (ppt)


Chapter 6: IP Management Plane Security

new port number. If web-based administration is not required, be sure to disable the standard HTTP server using the no ip http server command in IOS global configuration mode if it has previously been enabled. IOS also supports HTTPS, as described in the earlier “Remote Terminal Access Security” section.

• Maintenance Operation Protocol (MOP): MOP is enabled on Ethernet interfaces and disabled on all other interface types by default within IOS. To disable MOP, use the no mop enabled IOS command within interface configuration mode. The no mop enabled command is widely available within IOS.

• Network Time Protocol (NTP): To disable the NTP server, use the no ntp command in IOS global configuration mode. NTP is enabled by default within Cisco IOS. The ntp disable IOS command may be used to disable NTP processing on specific interfaces, such as external interfaces. NTP is very effective and widely deployed for correlating network events, including security incidents. NTP is discussed further in the “Network Telemetry and Security” section below and should be disabled only if it is not specifically used.

• Packet assembler/disassembler (PAD): All PAD commands associated with the assembly and disassembly of data packets between an X.25 packet switching network and a group of terminal connections are enabled by default within IOS. To disable PAD services, use the no service pad IOS command in global configuration mode. The no service pad command is widely available within IOS.

• Small TCP servers: Within IOS Software Releases prior to 11.3, the TCP servers for the Echo, Discard, Chargen, and Daytime services were enabled by default. To disable these services, use the no service tcp-small-servers command in IOS global configuration mode. When the minor TCP servers are disabled, access to the Echo, Discard, Chargen, and Daytime ports causes the IOS router to discard the initial incoming packet (the TCP SYN request) and send a TCP RST packet to the source. Within IOS Software Releases 11.3 and later, these TCP servers are disabled by default.

• Small UDP servers: Within IOS Software Releases prior to 11.3, the UDP servers for the Echo, Discard, and Chargen services were enabled by default. To disable these services, use the no service udp-small-servers command in IOS global configuration mode. When the minor UDP servers are disabled, access to the Echo, Discard, and Chargen ports causes the IOS router to discard the initial incoming packet and send an ICMP Port Unreachable message (Type 3, Code 3) to the source. Within IOS Software Releases 11.3 and later, these UDP servers are disabled by default.

Most other management plane services and protocols are disabled by default within Cisco IOS. Nevertheless, you should verify against your specific IOS Software Releases and platforms that all unnecessary services and protocols are disabled, either by default or explicitly through the router configuration. You may also display detailed information about open IP sockets within your IOS device by using the show ip sockets detail command, as well as display the status of TCP connections by using the show tcp brief all command, both from EXEC mode. IOS 12.4(11)T also introduced support for the show udp command to display IP socket information about UDP processes. To minimize the risk of a configuration error that could leave a router vulnerable, certain versions of IOS provide a one-touch security lockdown configuration process known as AutoSecure, which is described later in the chapter in the section “AutoSecure.”

Disabling Idle User Sessions

Idle logged-in user sessions might be susceptible to unauthorized access and hijacking attacks. The following techniques are available to mitigate the risk associated with idle user sessions:

• exec-timeout: To disconnect incoming user sessions after a specific period of idle time, set the idle timeout interval that the EXEC command interpreter will wait by using the exec-timeout {minutes} [seconds] command in line configuration mode. Once the configured idle timeout interval is reached, IOS terminates the session, which requires the user to log in again to gain access. By default, IOS disconnects idle user sessions after 10 minutes. The configuration illustrated in Example 6-5 sets a time interval of 5 minutes. This capability is widely available within IOS.

• ip http timeout-policy idle: To disconnect idle HTTP (or HTTPS) client connections after a specific period of idle time, set the idle timeout interval that the IOS HTTP server will wait by using the ip http timeout-policy idle command in global configuration mode. Once the configured idle timeout interval is reached, IOS terminates the HTTP connection, which requires the web user to log in again to gain access. When using the ip http timeout-policy idle command, you must also specify the total lifetime of a connection since it was first established, irrespective of whether it is active or idle, using the life {seconds} argument.

Example 6-5 Configuring the EXEC Mode Idle Timeout Interval

    Router(config)# line console
    Router(config-line)# exec-timeout 5 0

By default, Cisco routers do not continually test whether the remote host associated with a previously connected TCP session is still active and reachable. If one side of the TCP session terminates abnormally, the host at the opposite end of the session may still believe the session is active. Orphaned TCP sessions consume router resources. Attackers have been known to take advantage of this weakness to attack TCP hosts, including IOS routers, as described in Chapter 2. To mitigate the risk of orphaned TCP sessions, IOS routers can be configured to send periodic keepalive messages to verify whether the TCP peer is still available. If the TCP peer fails to respond to (that is, ACK) the keepalive message, the local router disconnects the session and releases the associated router resources. The following techniques are available to verify whether a remote host associated with a previously connected TCP session is still active and reachable:

• service tcp-keepalives-in: To generate keepalive packets on inactive incoming network connections (initiated by the remote host), use the service tcp-keepalives-in command in global configuration mode. This capability is widely available within IOS and is disabled by default.

• service tcp-keepalives-out: To generate keepalive packets on inactive outgoing network connections (initiated by a local user), use the service tcp-keepalives-out command in global configuration mode. This capability is widely available within IOS and is disabled by default.

System Banners

IOS enables you to define a variety of display banners that you may customize. A banner serves as a legal notice, such as a “no trespassing” or “warning” statement. A proper legal notice protects you by enabling you to pursue legal action against unauthorized users. Consult your legal staff for suitable language to use in your banner. The types of display banners available within IOS include but are not limited to the following:

• EXEC banner: To specify a message (or EXEC banner) to be displayed when an EXEC process is created, use the banner exec command in global configuration mode. If password checking is enabled, an EXEC process is created after password authentication. By default, no EXEC banner is defined or displayed when an EXEC process is created. The banner exec command is used simply to specify the EXEC banner message itself.
To enable the display of the EXEC banner message specified by the banner exec command, use the exec-banner command in line configuration mode. Lines configured with the exec-banner command then display the message specified by the banner exec command when an EXEC session associated with the line is created. By default, exec-banner is enabled on all lines. However, because banner exec is disabled by default, no EXEC banner is displayed. Conversely, because exec-banner is enabled by default, specifying an EXEC banner using the banner exec command automatically results in EXEC banner messages being displayed when an EXEC process is created. This applies to all EXEC processes except for those associated with reverse Telnet sessions. Use the banner incoming command described later in the list to enable a display banner for reverse Telnet sessions. To disable the display of EXEC banner messages, you may use either the no banner exec or the no exec-banner command.

• MOTD (message-of-the-day) banner: To specify a MOTD to be displayed immediately to all user sessions and when new users first connect to the router, use the banner motd command in global configuration mode. If password checking is enabled, the MOTD banner is displayed before the login prompt for new user sessions. By default, no MOTD banner is defined or displayed. The banner motd command is used simply to specify the MOTD banner message itself. To enable the display of the MOTD banner message specified by the banner motd command, use the exec-banner command in line configuration mode. Lines configured with the exec-banner command then display the message specified by the banner motd command immediately to all user sessions and when new users first connect to the router. By default, exec-banner is enabled on all lines. However, because banner motd is disabled, no MOTD banner is displayed by default. Conversely, because exec-banner is enabled by default, specifying a MOTD banner using the banner motd command automatically results in MOTD banner messages being displayed immediately to all user sessions and when new users first connect to the router. To disable the display of MOTD banner messages, you may use the no banner motd, no motd-banner, or no exec-banner command.

• Incoming banner: To specify an incoming banner to be displayed for incoming reverse Telnet sessions, use the banner incoming command in global configuration mode. If password checking is enabled, the incoming banner is displayed after password authentication of the reverse Telnet session. By default, no incoming banner is displayed for reverse Telnet sessions because no banner incoming is the IOS default configuration. Unlike the banner exec and banner motd commands described above, the banner incoming command alone determines whether an incoming banner is displayed for reverse Telnet sessions. If an incoming banner is defined using the banner incoming command, an incoming banner message is displayed for all reverse Telnet sessions. If an incoming banner is not defined (in other words, no banner incoming), an incoming banner is not displayed for reverse Telnet sessions. Consequently, to disable the display of incoming banner messages, use the no banner incoming command.

• Login banner: To specify a login banner to be displayed before the username and password prompts, use the banner login command in global configuration mode. When a user connects to the router, the MOTD banner (if configured) appears first, followed by the login banner and prompts. After the user successfully logs in to the router, the EXEC banner or incoming banner is displayed, depending on the type of connection. (SSHv1 connections are the only exception to these rules; in that case the user is prompted for a username and password prior to any banner displays. SSHv2 works according to the normal banner processes described previously.) For a reverse Telnet login, the incoming banner is displayed. For all other connections, the router displays the EXEC banner. By default, no login banner is displayed because no banner login is the IOS default configuration. Similar to the banner incoming command described above, the banner login command alone determines whether a login banner is displayed. If a login banner is defined using the banner login command, a login banner message is displayed before the username and password prompts. If a login banner is not defined (in other words, no banner login), a login banner is not displayed in any way. Consequently, to disable the display of login banner messages, use the no banner login command.

A banner may also be displayed when a Serial Line IP (SLIP) or PPP connection is made, using the banner slip-ppp command. Example 6-6 illustrates the sequence of banner messages displayed based on the configuration shown in Example 6-7.

Example 6-6 Sample Banner Output of a Console Session

    Router con0 is now available

    Press RETURN to get started.

    Message of the Day banner displayed here.

    Login banner displayed here.

    User Access Verification

    Password: {password}

    EXEC banner displayed here.

    Router>

Example 6-7 Sample Console and Banner Configuration

    banner exec ^C
    EXEC banner displayed here.
    ^C
    banner login ^C
    Login banner displayed here.
    ^C
    banner motd ^C
    Message of the Day banner displayed here
    ^C
    !
    line con 0
     password {password}
     login

Secure IOS File Systems

Certain versions of IOS support features to mitigate the risk of malicious attempts to erase the contents of persistent storage (NVRAM and flash) and features to prevent corrupted IOS images from being loaded. These features are known as Cisco IOS Resilient Configuration and Cisco IOS Image Verification, respectively.
The IOS Resilient Configuration feature enables a router to securely archive copies of the running IOS image and configuration files. In this way, if the running files are tampered with or erased, you can restore them quickly using the secure copies and, as a result, minimize downtime. The IOS Image Verification feature allows you to automatically verify the integrity of IOS images. This was traditionally an optional user process. IOS Image Verification is now automated such that the integrity of any IOS image file downloaded is automatically verified. The following IOS commands are associated with these two features:

• secure boot-config (IOS Resilient Configuration): To take a snapshot of the router running configuration and securely archive it in persistent storage, use the secure boot-config command in global configuration mode. This command is supported only on routers configured with a PCMCIA Advanced Technology Attachment (ATA) disk. The archived configuration is hidden and cannot be viewed, copied, modified, or removed using EXEC mode commands (although it may be viewed in ROMMON mode). The archived configuration will even survive a disk format operation. Only the show secure bootset command can be used to display the archived filename. To restore the archived configuration, use the secure boot-config restore {filename} command in global configuration mode. The filename argument represents the restored copy of the archived configuration, which can then be loaded into the running or startup system configuration. If changes are made to the running configuration, you should disable and then reenter this command to archive a snapshot of the new configuration. This command can be disabled only through the console port of the router. Conversely, with the exception of the configuration upgrade scenario, enabling this command does not require console access.

• secure boot-image (IOS Resilient Configuration): To enable IOS image resilience, use the secure boot-image command in global configuration mode. When first enabled, the running IOS image (as displayed in the show version command output) is securely archived in persistent storage. This command is supported only on routers configured with a PCMCIA ATA disk. Images booted from a TFTP server cannot be secured using this command. The archived image is hidden and cannot be viewed, copied, modified, or removed using EXEC mode commands. The archived image will even survive a disk format operation. Only the show secure bootset command can be used to display the archived filename. The no form of this command releases the archived image so that it can be viewed or removed using EXEC mode commands. If secure boot-image is enabled at bootup by the startup system configuration and a different running IOS image is detected, a message similar to the one shown in Example 6-8 is generated. To upgrade the IOS image archive to the new running IOS image, reenter this command from EXEC mode. The former archived IOS image is then released and can be viewed or removed using EXEC mode commands.

Example 6-8 IOS Resilient Configuration File Mismatch Message

    ios resilience :Archived image and configuration version 12.2 differs from running version 12.3.
    Run secure boot-config and image commands to upgrade archives to running version.

• file verify auto (IOS Image Verification): To enable automatic image verification, use the file verify auto command in IOS global configuration mode. Image verification is disabled by default within IOS. With this command enabled, each IOS image that is copied or reloaded is automatically verified. This includes computing a local MD5 hash of the image and comparing it to the MD5 hash embedded within the image. (Note that when this verification process is run, the Cisco.com MD5 hash is also displayed, which you can manually compare against the MD5 digest posted on Cisco.com.) If the MD5 hashes do not match, image verification fails and the image will not be loaded or copied. This helps to reduce the risk of images that are accidentally or maliciously corrupted being loaded into a router. Image verification is supported only for IOS image files and is available in IOS Software Releases 12.2(18)S, 12.0(26)S, 12.3(4)T, and later releases. You may also use the /verify keyword and optional arguments within the copy and reload commands to perform image verification on individual IOS images.

• ip scp server enable: The IOS Secure Copy (SCP) feature provides a secure and authenticated method for copying router configuration and IOS image files to and from an IOS router. SCP relies on SSH, which, as described in the “Remote Terminal Access Security” section above, provides encrypted remote terminal access to a network device. Hence, prior to enabling SCP using the ip scp server enable command in global configuration mode, you must correctly configure SSH, including its RSA key pair, in addition to AAA authentication and authorization services. AAA, as described later in the chapter, is required by SCP to verify whether the user has the proper EXEC privilege level. Authorized users can then copy any file that exists in the IOS File System (IFS) by using the copy command.

For more information on IOS Resilient Configuration and IOS Image Verification, refer to the Cisco IOS Configuration Guides and Command References available on Cisco.com. For more information on AAA, refer to the “Authentication, Authorization, and Accounting” section later in this chapter.

Role-Based CLI Access

IOS EXEC mode provides for 16 different privilege levels to restrict user access to EXEC mode commands, as described earlier in the “Management Interfaces” section. The flexibility and level of detail available within the EXEC mode privilege levels, however, is somewhat limited given the following behavior:

• Commands available at lower privilege levels are executable at higher levels, because a privilege level inherits the privileges of all lower privilege levels. Therefore, a user authorized for privilege level 8, for example, is granted access not only to those commands allowed at privilege level 8 but also to those commands allowed within privilege levels 0 through 7 (if also defined). A user authorized for privilege level 15 can execute all IOS commands.

• Assigning a command with multiple keywords to a specific privilege level also assigns the command associated with the first keyword to the specified privilege level. For example, if you assign the show ip route command to privilege level 8, both the show command and the show ip command are automatically set to privilege level 8 unless you set them individually to a lower level or to level 8. This is necessary because you cannot execute, for example, the show ip route command unless you have access to the show and show ip commands. Subcommands coming under show ip route are also automatically assigned to privilege level 8 within the preceding example.

• Most commands are automatically assigned level 15 privileges by default. If you want to create a user account that has access to most but not all commands, you must configure privilege exec statements for every command you want to make executable at a lower privilege level. Although this can be centralized through the use of TACACS+ (Terminal Access Controller Access-Control System Plus), it nonetheless remains somewhat tedious.

As an alternative, IOS introduced the Role-Based CLI Access feature to provide more flexibility and command control than is possible with the EXEC mode privilege levels. Role-Based CLI Access was introduced in IOS Software Release 12.3(7)T and allows you to define CLI views, which provide selective access and visibility to EXEC commands and configuration information. Similar to EXEC privilege levels, CLI views restrict user access to EXEC mode commands and limit visibility of router configuration information. Conversely, unlike EXEC privilege levels:

• CLI views are independent of one another. CLI views do not inherit the privileges (or authorized commands) associated with another CLI view. CLI views thereby limit the commands visible within the router configuration to only those that are specifically allowed within the view.

• Multiple-keyword commands can be assigned to a CLI view without the view automatically being assigned the command associated with the first keyword. In this way, a user within a configured CLI view is allowed to use only those multiple-keyword commands explicitly allowed within the CLI view. CLI views also support an optional wildcard keyword, all, that allows subcommands beginning with an allowed keyword command to be allowed within the view.

• As of Cisco IOS Software Release 12.3(11)T, you can also assign an interface or a group of interfaces to a CLI view, thereby allowing command access on the basis of specified interfaces.

• CLI views also operate completely independently of EXEC mode privileges. That is, the list of commands allowed within a CLI view can span multiple privilege levels and, further, you can restrict the allowed commands regardless of the EXEC privilege level associated with a command.
Given the flexibility and detailed command control of CLI views, you may configure distinct and independent CLI views for different users and user groups, including, for example, network management administrators, routing protocol administrators, services plane administrators (for example, IPSec VPNs), and QoS policy administrators. To configure a CLI view, use the parser view command in IOS configuration mode. Note that the aaa new-model global configuration command must be enabled prior to configuring a CLI view. You must also enter the root view using the enable view command in order to configure a CLI view. The root view is password protected using the privilege level 15 enable password. The maximum number of CLI views that can be configured is 15, excluding the root view. To associate EXEC mode commands and a password with the CLI view, use the commands and secret 5 commands, respectively, in view configuration mode. To bind a username to a CLI view, use the username view command in global configuration mode. Users assigned to a CLI view are placed into the CLI view after password authentication. From there they can only enter EXEC commands or view configuration information allowed within the assigned view. Alternatively, to gain access to a CLI view, you may also use the enable view command from EXEC mode. CLI views are enabled for password protection when first configured. Example 6-9 illustrates sample CLI view configurations for both a routing protocol administrator and a line administrator.

Example 6-9 Sample CLI View Configuration

    Router# sh run | begin parser
    parser view routing-admin
     secret 5 $1$s.U2$HCSJnzfUefaMLpQqjCWYt1
     commands configure include-exclusive router
     commands configure include all interface
     commands exec include configure terminal
     commands exec include configure
     commands exec include show running-config
     commands exec include show
    !
    parser view line-admin
     secret 5 $1$.3Pu$rd7FFoI.Jr5TPxPOzto/T0
     commands configure include-exclusive line
     commands configure exclude interface
     commands exec include configure terminal
     commands exec include configure
     commands exec include show running-config
     commands exec include show
    !
    !
    end

Example 6-10 illustrates the commands available within the routing protocol administrator and line administrator CLI views. Notice that within the line administrator CLI view, you can only configure router lines. Conversely, within the routing protocol administrator CLI view, you can only configure routing protocols and interfaces.

Example 6-10 Sample CLI View-Specific Commands

    Router# enable view line-admin
    Password: {password}
    Router# ?
    Exec commands:
      configure  Enter configuration mode
      enable     Turn on privileged commands
      exit       Exit from the EXEC
      show       Show running system information
    Router# show ?
      disk0:          display information about disk0: file system
      disk1:          display information about disk1: file system
      running-config  Current operating configuration
      unix:           display information about unix: file system
    Router# conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#
    Router(config)# ?
    Configure commands:
      do    To run exec commands in config mode
      exit  Exit from configure mode
      line  Configure a terminal line
    Router(config)# exit
    Router#
    Router# enable view routing-admin
    Password: {password}
    Router# ?
    Exec commands:
      configure  Enter configuration mode
      enable     Turn on privileged commands
      exit       Exit from the EXEC
      show       Show running system information
    Router# show ?
      disk0:          display information about disk0: file system
      disk1:          display information about disk1: file system
      running-config  Current operating configuration
      unix:           display information about unix: file system
    Router# config t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)# ?
    Configure commands:
    [...]

Posted: 14/08/2014, 18:20


Table of Contents

  • Router Security Strategies

    • Part II: Security Techniques for Protecting IP Traffic Planes

      • Chapter 6 IP Management Plane Security

        • Disabling Idle User Sessions

        • System Banners

        • Secure IOS File Systems

        • Role-Based CLI Access

        • Management Plane Protection

        • Authentication, Authorization, and Accounting

        • AutoSecure

        • Network Telemetry and Security

        • Management VPN for MPLS VPNs

        • Summary

        • Review Questions

        • Further Reading

        • Chapter 7 IP Services Plane Security

          • Services Plane Overview

          • Quality of Service

          • MPLS VPN Services

          • IPsec VPN Services
