Module 6: SECURING NETWORK DEVICES

Port Security

LinkedIn: https://fr.linkedin.com/in/ccie35565
Blog : http://www.connectic.net/blog
Anyone can connect to the network!
Secure Unused Ports
You’re in!!
• By default, routers and switches do not perform security checks against any device that connects to them.
• By default, routers and switches will forward any frame/packet received on an interface if:
§ The appropriate protocol is enabled on the ingress interface
§ The appropriate forwarding tables or trees exist
Limiting Switch Access
§ The MAC addresses of legitimate devices are allowed access, while other MAC addresses are denied.
§ Any additional attempts to connect by unknown MAC addresses generate a security violation.
§ Secure MAC addresses can be configured in a number of ways:
§ Static secure MAC addresses – manually configured and added to the running configuration with the switchport port-security mac-address mac-address interface configuration mode command
§ Dynamic secure MAC addresses – learned dynamically and removed when the switch restarts
§ Sticky secure MAC addresses – learned dynamically and added to the running configuration with the switchport port-security mac-address sticky interface configuration mode command
Port-Security Violations Modes
§ IOS considers it a security violation when:
§ The maximum number of secure MAC addresses for that interface has been added to the CAM table, and a station whose MAC address is not in the address table attempts to access the interface.
§ There are three possible actions to take when a violation is detected:
§ Protect – no notification of the security violation is generated
§ Restrict – a notification of the security violation is generated
§ Shutdown – the port is placed in the error disabled state
§ Configured with the switchport port-security violation {protect | restrict | shutdown} interface configuration mode command
Port Security: Configuring
Port Security: Verifying
Ports in Error Disabled State
§ A port security violation can put a switch port in the error disabled state.
§ A port in the error disabled state is effectively shut down.
§ The switch communicates these events through console messages.
§ The show interface command also reveals a switch port in the error disabled state.
§ A shutdown followed by a no shutdown interface configuration mode command must be issued to re-enable the port.
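The port-security rules above (maximum secure addresses, the protect/restrict/shutdown violation modes and err-disabled recovery) as an added Python model; this is not Cisco IOS code, and the class and method names are hypothetical:

```python
# Added example: a Python model of port-security behaviour on one access port.
# Not Cisco IOS code; SecurePort and its methods are hypothetical names.
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class SecurePort:
    maximum: int = 1                 # switchport port-security maximum
    violation: str = "shutdown"      # protect | restrict | shutdown
    secure_macs: Set[str] = field(default_factory=set)
    err_disabled: bool = False
    violation_count: int = 0
    log: List[str] = field(default_factory=list)   # constructed notification log

    def add_static(self, mac: str) -> None:
        """switchport port-security mac-address <mac>: a statically configured entry."""
        self.secure_macs.add(mac.lower())

    def receive(self, src_mac: str) -> bool:
        """Return True if a frame from src_mac is forwarded, False if it is dropped."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return False                       # an err-disabled port is effectively shut down
        if src_mac in self.secure_macs:
            return True                        # known secure address
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)      # dynamic (or sticky) learning
            return True
        # Maximum reached and the source is unknown: this is a security violation.
        self.violation_count += 1
        if self.violation == "protect":
            return False                       # dropped silently, no notification
        self.log.append(f"port-security violation: unknown MAC {src_mac}")
        if self.violation == "restrict":
            return False                       # dropped, counted and notified
        self.err_disabled = True               # shutdown mode: port goes err-disabled
        return False

    def shutdown_no_shutdown(self) -> None:
        """'shutdown' followed by 'no shutdown' brings the port out of err-disabled."""
        self.err_disabled = False
```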
Switch Security
VLAN Hopping Attack
• A VLAN hopping attack can be launched by spoofing DTP messages from the attacking host to cause the switch to enter trunking mode.
Double-Tagging Attack
• A double-tagging attack takes advantage of the way the hardware on most switches de-encapsulates 802.1Q tags.
• Most switches perform only one level of 802.1Q de-encapsulation, allowing an attacker to embed a second, unauthorized 802.1Q header in the frame.
• After removing the first, legitimate 802.1Q header, the switch forwards the frame to the VLAN specified in the unauthorized 802.1Q header.
• The best approach to mitigating double-tagging attacks is to ensure that the native VLAN of the trunk ports is different from the VLAN of any user ports.
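An added Python example (not from the slides) that reads the 802.1Q tag stack of a frame so a monitoring tool can flag double-tagged frames, in particular the case described above where the outer tag equals the trunk's native VLAN; `vlan_stack`, `double_tag_alert` and `make_frame` are hypothetical names, and `make_frame` only builds constructed test frames.

```python
# Added example: parse the 802.1Q tag stack of an Ethernet frame (detection aid).
import struct
from typing import List, Optional

TPID_8021Q = 0x8100


def vlan_stack(frame: bytes) -> List[int]:
    """Return the VLAN IDs of all stacked 802.1Q tags, outermost first."""
    vids, offset = [], 12                      # tags start right after dst/src MAC
    while len(frame) >= offset + 4:
        tpid, tci = struct.unpack_from("!HH", frame, offset)
        if tpid != TPID_8021Q:
            break                              # reached the real EtherType
        vids.append(tci & 0x0FFF)              # VLAN ID is the low 12 bits of the TCI
        offset += 4
    return vids


def double_tag_alert(frame: bytes, native_vlan: int) -> Optional[str]:
    """Alert text if the frame carries more than one tag, else None.
    The outer-tag-equals-native-VLAN case is the one a single-level
    de-encapsulation would forward into the inner VLAN."""
    vids = vlan_stack(frame)
    if len(vids) < 2:
        return None
    if vids[0] == native_vlan:
        return f"double-tagged frame: outer VLAN {vids[0]} is native, inner VLAN {vids[1]}"
    return f"double-tagged frame: VLAN stack {vids}"


def make_frame(vids: List[int], payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed test frame (sample data only): broadcast dst, locally
    administered src, the given tag stack, then an IPv4 EtherType."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("0200aaaaaa01")
    tags = b"".join(struct.pack("!HH", TPID_8021Q, v & 0x0FFF) for v in vids)
    return hdr + tags + struct.pack("!H", 0x0800) + payload
```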
Design Best Practices for VLANs
• Move all ports out of VLAN 1 and assign them to an unused VLAN.
• Shut down all unused switch ports.
• Separate management and user data traffic.
• Change the management VLAN to a VLAN other than VLAN 1. (The same goes for the native VLAN.)
• Ensure that only devices in the management VLAN can connect to the switches.
• The switch should only accept SSH connections.
• Disable auto negotiation on trunk ports.
• Do not use the auto or desirable switch port modes.
DHCP SNOOPING
DHCP Snooping
DHCP Snooping Terminology
DHCP Snooping Operation
• DHCP client messages are only allowed from untrusted to trusted ports:
§ DHCP Discover
§ DHCP Request / Inform
§ DHCP Decline
§ DHCP Release
• DHCP server messages are only allowed on ingress from trusted ports:
§ DHCP Offer
§ DHCP Ack
§ DHCP NAK
DHCP Snooping
• DHCP Snooping specifies which switch ports can respond to DHCP requests.
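The trusted/untrusted rule set above as an added Python model, not IOS code: the message type is read from DHCP option 53, server messages arriving on an untrusted port are dropped, and `dhcp_message_type`, `snooping_verdict` and `sample_dhcp` are hypothetical names.

```python
# Added example: DHCP snooping ingress decision based on option 53 and port trust.
from typing import Optional

# DHCP message type values carried in option 53 (RFC 2132).
CLIENT_MSGS = {1: "DISCOVER", 3: "REQUEST", 4: "DECLINE", 7: "RELEASE", 8: "INFORM"}
SERVER_MSGS = {2: "OFFER", 5: "ACK", 6: "NAK"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"     # follows the 236-byte fixed BOOTP header


def dhcp_message_type(payload: bytes) -> Optional[int]:
    """Walk the DHCP options and return the option 53 value, or None if absent."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:                      # pad option, single byte
            i += 1
            continue
        if code == 255 or i + 1 >= len(payload):
            break                          # end option or truncated packet
        length = payload[i + 1]
        if code == 53 and length == 1 and i + 2 < len(payload):
            return payload[i + 2]
        i += 2 + length
    return None


def snooping_verdict(payload: bytes, ingress_trusted: bool) -> str:
    """Return 'forward' or 'drop: <reason>' for a DHCP packet seen on ingress."""
    mtype = dhcp_message_type(payload)
    if mtype in SERVER_MSGS and not ingress_trusted:
        return f"drop: {SERVER_MSGS[mtype]} from untrusted port (rogue server?)"
    if mtype in CLIENT_MSGS or mtype in SERVER_MSGS:
        return "forward"
    return "drop: malformed or unknown DHCP message"


def sample_dhcp(mtype: int) -> bytes:
    """Constructed minimal DHCP payload carrying only option 53 (test data)."""
    return bytes(236) + MAGIC_COOKIE + bytes([53, 1, mtype, 255])
```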
Authentication, Authorization, & Accounting (AAA)
What is AAA?
• Authentication, Authorization, & Accounting
• Client – NAS – Server Architecture
• Typically used when…
§ Client wants CLI access to a network device, or…
§ Client wants network access (802.1X).
AAA Components
Authentication
• Verifying the credentials of the client.
• Authentication does NOT determine WHAT the client is allowed to do/not do.
§ That is done by Authorization.
• Many different methods to facilitate Authentication:
§ Username/Password
§ Digital Certificates
§ MAC Address
Authorization
• Determining the privileges of authenticated clients.
• Determines WHAT the client is allowed to do/not do.
• Many different features can be authorized:
§ Basic network access
§ CLI availability
§ VLAN Assignment
§ Dynamic QoS Policies
§ Dynamic ACLs
Accounting
• Gathering of statistics
• Typically a separate process from Authentication/Authorization
• Information gathered may include:
§ Identity of users
§ Type of service(s) delivered
§ When the service(s) began and ended
• Not covered in any detail for CCNA/CCNP
TACACS+
• Terminal Access Controller Access Control System
• Protocol designed to carry Authentication, Authorization and Accounting information.
• Cisco proprietary
• Treats Authentication, Authorization and Accounting as separate processes.
§ e.g. for Authentication one could use something other than TACACS+ (like Kerberos) and still use TACACS+ for Authorization and Accounting.
RADIUS
• Remote Authentication Dial-In User Service
• Protocol designed to carry Authentication, Authorization and Accounting information.
• IETF standard protocol
§ Originally defined in RFC 2058. Updated multiple times since then.
• Bundles Authentication/Authorization
AAA IOS Configuration Guidelines
• AAA is not enabled by default for any Cisco IOS feature.
• The NAS (router, switch, AP) is considered a client of the AAA server.
§ A password (key) is used to validate the NAS to the AAA server.
§ The NAS and the AAA server must have IP connectivity to each other.
NAS-to-Server: Initial IOS Configuration

NAS(config)#aaa new-model
NAS(config)#tacacs-server host 5.5.5.5 key XXX
or…
NAS(config)#radius-server host 5.5.5.5 key XXX

NAS(config)#aaa new-model
NAS(config)#radius-server host 5.5.5.5
NAS(config)#radius-server host 7.7.7.7
NAS(config)#radius-server key XXX

Switch(config)#username john password cisco
Switch(config)#username test password test123
Switch(config)#
Switch(config)#aaa authentication login default local
OR
Switch(config)#aaa authentication login default group radius group tacacs+ local
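How the method list `group radius group tacacs+ local` is walked, as an added Python model rather than IOS code: IOS moves to the next method only when a server group does not respond, while an explicit reject from a reachable server is final and does not fall through to the local database. The names `server_group`, `local_database` and `authenticate` are hypothetical.

```python
# Added example: evaluation of a login authentication method list.
from typing import Callable, Dict, List, Optional, Tuple

# A method answers True (accept), False (reject) or None (no response / unreachable).
Method = Callable[[str, str], Optional[bool]]


def local_database(users: Dict[str, str]) -> Method:
    """Method backed by 'username ... password ...' entries; it always answers."""
    return lambda user, pw: users.get(user) == pw


def server_group(reachable: bool, users: Dict[str, str]) -> Method:
    """Model a RADIUS or TACACS+ server group; an unreachable group returns None."""
    def method(user: str, pw: str) -> Optional[bool]:
        if not reachable:
            return None                    # timeout: no response from any server
        return users.get(user) == pw       # reachable server gives a definite answer
    return method


def authenticate(methods: List[Tuple[str, Method]], user: str, pw: str) -> Tuple[bool, str]:
    """Walk the list in order; return (accepted, name of the method that decided)."""
    for name, method in methods:
        result = method(user, pw)
        if result is None:
            continue                       # error (no response): try the next method
        return result, name                # accept or reject: the decision is final
    return False, "no method responded"    # every configured method failed to answer
```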
Access Control Lists (ACL)
Access-List Overview
• Packet identification mechanism
• Can identify packets on the basis of Layer 3 and Layer 4 headers
• Each Access-List (ACL) is composed of one or more Access-Control Entries (ACEs).
§ Each ACE is assigned a sequence number.
§ ACEs are processed in sequential order until a match is found.
• Should have at least one permit statement (ACE)
What can be matched by ACLs?
• Each ACE within an ACL can match one or more fields in the L3 and/or L4 headers.
• Some fields must be matched entirely…bit-for-bit.
• Other fields can optionally be partially matched.
What is “Wildcarding”?
• The ability to tell a router/switch, “I don’t care about all the bits in this field. THESE are the bits I want you to look at.”
• A Wildcard Mask is the tool to accomplish this.
• A Wildcard Mask is compared against the value to be inspected: a 0 bit in the mask means the corresponding address bit must match, a 1 bit means it is ignored.
General Guidelines for Creating ACLS
Where to Place ACLs
Types of IPv4 ACLs
• Standard ACL
• Extended ACL
• Named ACL
§ Standard Named
§ Extended Named
Standard ACL
• Identifies traffic based on the Layer-3 header
• Only the source IP address is checked
• ACL numbers range from 1 through 99
• Should be applied nearest to the destination
• No method to check the destination address or port numbers
Where can a Standard ACL Look?
Configuring and Verifying Standard ACL
• Configuration command
§ Router(config)# access-list <#> <permit | deny> <source address> <wildcard mask>
• Verification commands
§ Router# show ip access-list
§ Router# show run | inc access-list
Pairing ACLs with IP Access-Groups
• IP Access-Group
§ Interface-level security feature
§ Like a primitive firewall (forward traffic or drop traffic)
§ Directional (must specify inbound or outbound traffic)
§ References Access-Lists for classification/identification
• Configuration command
§ Router(config-if)# ip access-group <ACL id> <in | out>
Extended ACL
• Filters traffic based on Layer-3 and Layer-4 headers
• Source and destination IP addresses, and port numbers, can be checked
§ Ideally implemented closest to the source of the traffic to be matched.
• ACL numbers range from 100 through 199
• Capable of transport header inspection
Where can an Extended ACL Look?
Configuring and Verifying Extended ACL
• Configuration command
§ Router(config)# access-list <ACL no> <permit | deny> <protocol> <source address> <wildcard mask> <destination address> <wildcard mask> <port numbers>
• Verification commands
§ Router# show ip access-list
§ Router# show run | inc access-list
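Wildcard-mask matching and sequential ACE processing with the implicit deny, covering the Wildcarding, Standard ACL and Extended ACL sections above, as an added Python model (not IOS code; `ACE`, `wildcard_match` and `evaluate` are hypothetical names and `ACL_110` is a constructed sample list):

```python
# Added example: IPv4 ACL evaluation with wildcard masks, first match wins.
from ipaddress import IPv4Address
from typing import List, NamedTuple, Optional, Tuple


class ACE(NamedTuple):
    seq: int
    action: str                          # "permit" or "deny"
    protocol: str                        # "ip" matches everything; else "tcp", "udp", "icmp"
    src: str
    src_wild: str
    dst: str = "0.0.0.0"                 # default dst/dst_wild pair means 'any'
    dst_wild: str = "255.255.255.255"
    dst_port: Optional[int] = None       # 'eq <port>' on an extended ACE


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr equals base on every bit that is 0 in the wildcard mask."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF               # invert the mask: 1 = bits that must match
    return (a & care) == (b & care)


def evaluate(acl: List[ACE], proto: str, src: str, dst: str,
             dst_port: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Process ACEs in sequence order; return (action, seq of the matching ACE)."""
    for ace in sorted(acl, key=lambda e: e.seq):
        if ace.protocol != "ip" and ace.protocol != proto:
            continue
        if not wildcard_match(src, ace.src, ace.src_wild):
            continue
        if not wildcard_match(dst, ace.dst, ace.dst_wild):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action, ace.seq
    return "deny", None                  # implicit deny at the end of every ACL


# Constructed sample: the equivalent of an extended ACL 110 with three ACEs.
ACL_110 = [
    ACE(10, "permit", "tcp", "10.1.1.0", "0.0.0.255", "192.168.5.10", "0.0.0.0", 22),
    ACE(20, "deny",   "ip",  "10.1.1.0", "0.0.0.255", "192.168.5.0", "0.0.0.255"),
    ACE(30, "permit", "ip",  "10.0.0.0", "0.255.255.255"),
]
```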
Named ACL
• Individual statements can be edited, unlike numbered ACLs
• Can be used with a naming convention
• Use of a name instead of a number makes management easier
• More flexible than numbered ACLs
Configuring Standard Named ACL
• Configuration command
§ Router(config)# ip access-list standard <name>
§ Router(config-std-acl)# <permit | deny> <source address>

• Applying configuration
§ Router(config-if)# ip access-group <name> <in | out>
Configuring Extended Named ACL
• Configuration commands
§ Router(config)# ip access-list extended <name>
§ Router(config-ext-acl)# <permit | deny> <protocol> <source-address> <wildcard mask> <destination-address> <wildcard mask>
• Applying configuration
§ Router(config-if)# ip access-group <name> <in | out>
IPv6 Access-Lists
• When used for traffic filtering, IPv6 Access Control Lists (ACLs) offer the following functions:
§ Can filter traffic based on source and destination address.
§ Can filter traffic inbound or outbound on a specific interface.
§ Can re-order sequences of ACEs.
§ Implicit "deny all" at the end of the access list.
IPv6 Access Lists
• No concept of numbered IPv6 ACLs, just named ACLs.
• No concept of “standard” or “extended”.
• All IPv6 ACLs are “extended” in that they require defining sources and destinations.
• Example of IPv6 ACL:
ipv6 access-list TEST
permit tcp any 2001:AAAA::/64 eq telnet
