In This Lesson We Will:
- Configure device access control using local passwords
- Configure network devices for remote access using SSH
- Differentiate authentication, authorization, and accounting concepts
- Configure L2 security features (DHCP Snooping, Dynamic ARP Inspection, and port security)
User device, endpoint device, and host device all mean the same thing and the terms are interchangeable; they are typically laptops, PCs, IP phones, or any BYOD (bring your own device). Because endpoints are more susceptible to malware attack, Cisco offers endpoint software called Advanced Malware Protection (AMP). Cisco also has content security appliances: the Cisco Email Security Appliance (ESA) and the Cisco Web Security Appliance (WSA).
ESA will do the following if implemented:
- Block known threats
- Remediate stealth malware that makes it past initial detection
- Discard any emails with bad links
- Block access to newly infected sites
- Encrypt outgoing email data
ESA sits behind the firewall, so the firewall forwards all email traffic to the ESA.
WSA acts as a web application filter. Think of this as Cisco’s parental guidance feature; it can enable and disable apps such as chat, video, messaging, and audio.
Network Device Access Control
Access control is the process of setting login credentials (usernames/passwords) required to access and modify network devices, either locally at the console or remotely over Telnet/SSH.
Line passwords are the simplest method of remote access authentication: a login and password are configured directly on the console, VTY lines, and aux ports. This method provides no accountability (there is no username, so you cannot tell who logged in) and the password is stored in plaintext. The commands to enable Telnet/SSH access on the VTY lines are:
- ‘line vty 0 4’ enters line configuration mode for the virtual terminal lines
- a plaintext password is then set on the line
- ‘login’ finalizes the configuration so the line prompts for that password
VTY enables inbound Telnet/SSH connections. ‘0 4’ specifies that a total of 5 simultaneous virtual connections will be allowed. Remember ‘0’ counts as a valid integer.
Using the command ‘username (username) secret (password)’ sets a username and a password that is not stored in plaintext (the secret is hashed in the configuration) and, over SSH, is not sent in plaintext either. When typing the secret password, it is hidden in the terminal. To require a username/password pair on a line, use the ‘login local’ line subcommand. Use ‘no password’ to remove any previously configured line passwords.
SSH (Secure Shell) is a security best practice recommended over Telnet because it is a secure form of remote access. Telnet provides no encryption and transmits the login and all session data in plaintext. SSH requires a username and password, and both are encrypted in transit. The username and password can be authenticated against the local database, and the switch records which username logged in, which provides the accountability that line passwords lack.
To configure SSH on a switch, follow below steps:
- ‘show ip ssh’ verifies whether SSH is supported on this switch. If the command is not recognized, SSH is not supported.
- ‘ip domain-name (name)’ global configuration command configures a DNS domain name (a hostname and a domain name are both needed before the RSA key can be generated).
- ‘crypto key generate rsa’ generates an RSA key pair and auto-enables SSH. When the RSA key is generated, a modulus length is required; Cisco recommends a minimum modulus size of 1024 bits. (The modulus is essentially the key length, in bits.)
- Change the vty lines to use usernames, either locally configured usernames or an AAA server. The ‘login local’ vty subcommand defines the use of local usernames, replacing the ‘login’ vty subcommand.
- The ‘transport input ssh’ vty subcommand configures the switch to accept only SSH connections (Telnet is rejected).
- Add additional ‘username (username) secret (password)’ global config commands for each administrator.
- Verify using ‘show ip ssh’
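Putting the line-password method and the SSH steps above together, here is an added example configuration (not from the original notes) that shows the weak plaintext-password setup beside the hardened local-username, SSH-only setup. The hostname, domain name, username and passwords are placeholders; ‘enable secret’, ‘service password-encryption’ and ‘exec-timeout’ are extra hardening commands not covered in the notes.

```cisco
! Added example, not from the original notes. Hostname, domain name,
! username and passwords are placeholders.
!
! --- Weak: plaintext line password on the VTY lines (no accountability) ---
line vty 0 4
 password cisco123
 login
!
! --- Hardened: per-user credentials, hashed secrets, SSH only ---
hostname SW1
ip domain-name example.local
! Hostname and domain name must exist before the key pair can be generated
crypto key generate rsa modulus 2048
ip ssh version 2
! Per-administrator account; 'secret' stores a hash, not the plaintext
username admin privilege 15 secret S3cur3-Passw0rd!
! Privileged-exec password, also stored hashed
enable secret S3cur3-Enable!
! Obscure any remaining plaintext passwords in the running-config
service password-encryption
line vty 0 4
 no password
 login local
 transport input ssh
 exec-timeout 10 0
line con 0
 login local
 exec-timeout 10 0
!
! Verify with: show ip ssh   and   show running-config | section line vty
```

The two ‘login local’ lines are what turn the anonymous line password into a per-user login, and ‘transport input ssh’ is what actually stops Telnet; generating the key alone only makes SSH available alongside Telnet.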
Switch Port Best Security Practices
While Router interfaces require a ‘no shutdown’ command to begin operations, the opposite is true for Cisco Switches. Cisco switches are on and begin forwarding as soon as they are powered on and connected. This means they will automatically configure speed and duplex, as well as be assigned to the default VLAN 1.
However, because they are automatically configured out of the box, switches are exposed to some security threats. To mitigate these, it is best practice to disable unused ports with the ‘shutdown’ interface subcommand. You should also prevent trunking with the ‘switchport mode access’ interface subcommand and assign the unused port to an unused VLAN with ‘switchport access vlan (number)’. Additionally, set the native VLAN to an unused VLAN and make it a Black Hole VLAN.
To apply these settings to several ports at once, use an interface range, for example ‘interface range fa0/20 - 24’.
Authentication, Authorization, Accounting (AAA)
While the above notes focus on implementing a username and password on each individual network device, this isn’t a viable option on larger or enterprise-sized networks. For these, you would employ an AAA server: an external server that centralizes and secures all username/password pairs. There are two AAA protocols:
RADIUS – Remote Authentication Dial-In User Service
TACACS+ – Terminal Access Controller Access Control System Plus
- Uses TCP
- Uses port 49
- Encrypts the entire packet
Which one an engineer chooses depends on the structure and needs of the enterprise. For example, TACACS+ is best for environments with various user groups because authorization policies can be applied per user or per group. RADIUS supports detailed accounting.
Both protocols use a client/server model where an authenticating device is talking to an AAA server.
IEEE standard 802.1X is a port-based access control and authentication protocol. It is used to restrict access through publicly accessible switch ports and WAPs. 802.1X defines three roles for network devices, described below:
Supplicant (client device) – As the name suggests, the client device (PC, laptop) that responds to requests from the switch.
Authenticator (switch) – The switch acts as the authenticator, controlling access to the network based on the authentication status of the client. The switch requests identifying information from the client, verifies this information with the authentication server, and relays the response to the client.
Authentication Server – This performs the actual authentication of the clients. The authentication server confirms the identity of the client and notifies the switch whether the client is authorized to access the network services. RADIUS is the only supported authentication server protocol.
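As an added example (not from the original notes) that ties the AAA and 802.1X sections together: device logins are sent to a TACACS+ server with per-user authorization and a local fallback, while 802.1X supplicants are authenticated against a RADIUS server (the only server type 802.1X supports). Server addresses, shared keys, VLAN and interface numbers are placeholders; the ‘tacacs server’ / ‘radius server’ definition syntax assumes an IOS 15.x-era switch.

```cisco
! Added example, not from the original notes. Server addresses, shared
! keys, VLAN and interface numbers are placeholders.
aaa new-model
!
! --- Device administration: TACACS+ (per-user/per-group authorization) ---
tacacs server ACS-1
 address ipv4 192.0.2.20
 key T4cacs-Sh4red!
! Authenticate logins against TACACS+; fall back to local users if unreachable
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
! Local fallback account, stored hashed
username admin privilege 15 secret Loc4l-Fallb4ck!
!
! --- 802.1X: RADIUS is the only supported authentication server ---
radius server ISE-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key R4dius-Sh4red!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
! Turn on 802.1X globally: this switch is the authenticator
dot1x system-auth-control
!
! Access port facing a supplicant (PC, laptop)
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
 ! Port stays blocked until the supplicant authenticates
 authentication port-control auto
 dot1x pae authenticator
!
! Verify with: show aaa servers   and   show dot1x all
```

Keeping the ‘local’ keyword at the end of the login and exec method lists is what prevents an administrator lock-out if both AAA servers are unreachable; it is only consulted when the servers do not answer, not when they reject the credentials.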
Port Security Configuration
Implement port security to restrict interfaces so that only expected devices can connect and use ports.
The steps below are a typical outline for port security configuration:
- ‘switchport mode access’ configures static access mode on the interface
- ‘switchport port-security’ interface subcommand enables port security on the interface
The following are optional commands when implementing Port Security, however, are considered best practice, and most importantly, touched on in the CCNA 200-301.
- ‘switchport port-security maximum (number)‘ overrides the maximum number of MAC addresses associated with the interface.
- ‘switchport port-security violation [protect/restrict/shutdown]‘ sets the action taken on a security violation. Protect will discard the offending traffic, but not send a log message or shut down the interface. Restrict will discard traffic and send a log and SNMP message. Shutdown will do all of the above and put the interface into the err-disabled state.
- ‘switchport port-security mac-address (mac address)‘ will allow the engineer to predefine any allowed source MAC addresses for the interface.
- ‘switchport port-security mac-address sticky‘ will configure the interface to dynamically learn and configure the MAC addresses of connected hosts.
To verify your port security settings, use commands ‘show port-security‘ or, for a specific interface, ‘show port-security interface (interface number)’
Port security aging is used to set an ‘aging’ time for static and dynamic secure addresses on a port. The two types of security aging are Absolute (a secure address is deleted after a specified aging time) and Inactivity (a secure address is deleted after being inactive for a specified aging time).
To set port security aging, use the ‘switchport port-security aging’ interface subcommands and configure appropriately:
- switchport port-security aging time (minutes)
- switchport port-security aging type (absolute/inactivity)
- switchport port-security aging static (also age out statically configured secure addresses)
To verify, use the command ‘show port-security interface’.
When a violation occurs (in restrict or shutdown mode), a syslog message is sent to the console, and in shutdown mode the interface status will read ‘err-disabled’. The console message includes the port number and the MAC address that caused the violation.
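An added example (not from the original notes) combining the port security commands above on two ports: one access port with a statically allowed MAC, sticky learning and inactivity aging in restrict mode, and a spare port left in the default shutdown mode. MAC addresses, VLAN and interface numbers are placeholders; the ‘errdisable recovery’ commands are an extra not covered in the notes.

```cisco
! Added example, not from the original notes. MAC address, VLAN and
! interface numbers are placeholders.
!
! Access port with an IP phone and a PC behind it
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! Allow at most two secure MACs: the phone and the PC
 switchport port-security maximum 2
 ! Drop offending frames and raise syslog/SNMP, but keep the port up
 switchport port-security violation restrict
 ! Statically allow the phone's MAC (placeholder value)
 switchport port-security mac-address 0011.2233.4455
 ! Learn the remaining MAC dynamically and write it into running-config
 switchport port-security mac-address sticky
 ! Age out a dynamic secure MAC after 60 minutes without traffic
 switchport port-security aging time 60
 switchport port-security aging type inactivity
!
! Spare port: default maximum of 1 and shutdown mode, so a violation
! err-disables it and the event is visible in the logs
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security violation shutdown
!
! Optional: bring err-disabled ports back automatically after 5 minutes,
! so a single violation does not need a manual shutdown / no shutdown
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verify with: show port-security interface fa0/1
!              show port-security address
```

Sticky addresses only persist across a reboot if the running-config is saved after they are learned; without a ‘write memory’ the port relearns from scratch, which is worth remembering when the first device to speak after a reload may not be the expected one.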
VLAN Attacks and Threat Mitigation
There are three types of VLAN attacks:
- Spoofing DTP messages
- Adding a rogue switch and enabling trunking
- Double tagging or double encapsulated attack
A double-encapsulated (double-tagging) attack is when a threat actor inserts a hidden 802.1Q tag inside a frame that already has an 802.1Q tag. The inner tag is designed to reach a VLAN that the original (outer) 802.1Q tag did not specify.
The following steps can be implemented to stave off the above-mentioned VLAN attacks:
- Disable DTP (Dynamic Trunking Protocol) on non-trunking ports to prevent unwanted trunking
- Disable unused ports and place them in an unused VLAN or Black Hole VLAN
- Manually enable the trunk link on a trunking port
- Disable DTP on trunking ports
- Set the native VLAN to a VLAN other than VLAN 1
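An added example (not from the original notes) that applies the switch-port best practices and the VLAN-attack mitigations above: unused ports are forced into access mode, parked in a black-hole VLAN and shut down, and the uplink trunk is set manually with DTP disabled and the native VLAN moved off VLAN 1. VLAN IDs and interface ranges are placeholders.

```cisco
! Added example, not from the original notes. VLAN IDs and interface
! ranges are placeholders.
!
! A black-hole VLAN for unused ports and a separate unused VLAN for the
! trunk's native VLAN (neither VLAN carries any real hosts)
vlan 999
 name BLACKHOLE
vlan 998
 name NATIVE_UNUSED
!
! Unused access ports: no trunking, no DTP, parked in the black hole, shut down
interface range FastEthernet0/20 - 24
 description UNUSED
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
!
! Uplink: trunk configured manually, DTP disabled, native VLAN off VLAN 1,
! and only the VLANs that actually need to cross the link allowed
interface GigabitEthernet0/1
 description Uplink to distribution
 ! Only needed on platforms that also support ISL; 2960-class switches reject it
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 998
 switchport trunk allowed vlan 10,20,30
!
! Verify with: show interfaces trunk   and   show interfaces status
```

Moving the native VLAN to an unused VLAN is what defeats double tagging: the outer tag is stripped only when it matches the native VLAN of the trunk, and since no host sits in VLAN 998 a frame can no longer be crafted from a normal access port to ride it.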
DHCP Attacks (Spoofing, Starvation)
Spoofing – A rogue DHCP server is connected to the network and provides false IP configuration parameters to legitimate clients. This is done so that an end-user device sets the rogue DHCP server as its default gateway.
Starvation – Used to create a DoS condition for connecting clients. This attack requires a tool such as Gobbler, or something of its ilk, that looks at the entire scope of leasable IP addresses and tries to lease them all by creating DHCP discover messages with fake MAC addresses.
DHCP Snooping – This uses the concept of trusted and untrusted ports: DHCP server replies are accepted only on trusted ports. To enable DHCP snooping:
- ‘ip dhcp snooping’ global configuration command
- ‘ip dhcp snooping trust’ interface configuration command, used on trusted ports (those facing the legitimate DHCP server or relay)
- ‘ip dhcp snooping limit rate (number)‘ interface command limits the number of DHCP messages received per second on untrusted ports. This also helps mitigate DHCP starvation attacks.
- ‘ip dhcp snooping vlan (number)‘ global configuration command enables snooping on a VLAN or range of VLANs.
ARP, as “addressed” before, is the Address Resolution Protocol. Hosts are allowed to send unsolicited ARP messages in the form of a gratuitous ARP message, which causes all other hosts on the LAN to store the advertised MAC and IP address pairing in their ARP caches. As you might have guessed, this leaves the LAN vulnerable to bogus gratuitous ARP messages that set or update a spoofed MAC address in ARP caches, meaning any host can claim to be the owner of any IP and MAC address combination. This process is called ARP spoofing or ARP poisoning.
DAI – Dynamic ARP Inspection
To fight ARP spoofing and ARP poisoning, a switch must ensure that only valid ARP messages are relayed. DAI does just this, in conjunction with (and requiring) DHCP snooping. To enable it:
- Enable DHCP snooping globally
- Enable DHCP snooping on selected VLANs
- Enable DAI on selected VLANs
- Configure trusted interfaces for DHCP snooping and ARP inspection
The global commands, under global config:
- ip dhcp snooping
- ip dhcp snooping vlan (number)
- ip arp inspection vlan (number)
Then, under the specific interface that should be trusted (e.g. ‘interface fa0/2’):
- ip dhcp snooping trust
- ip arp inspection trust
DAI can also be configured to validate the destination MAC, source MAC, and IP addresses carried in ARP messages with the ‘ip arp inspection validate’ command.
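An added example (not from the original notes) showing DHCP snooping and DAI enabled together on one VLAN, with the server-facing uplink trusted, host ports rate-limited, the extra ‘validate’ checks turned on, and an ARP ACL for a host with a static address (which DHCP snooping would otherwise never learn). VLAN IDs, interface numbers, addresses and rate limits are placeholders; the ARP ACL and the option 82 line are extras not covered in the notes.

```cisco
! Added example, not from the original notes. VLAN IDs, interface numbers,
! addresses and rate limits are placeholders.
!
! --- DHCP snooping: build the IP-to-MAC binding table for VLAN 10 ---
ip dhcp snooping
ip dhcp snooping vlan 10
! Many switches insert option 82 by default; disable it unless the relay expects it
no ip dhcp snooping information option
!
! --- DAI: check ARP messages on VLAN 10 against that binding table ---
ip arp inspection vlan 10
! Also check the MAC/IP fields in the ARP body against the Ethernet header
ip arp inspection validate src-mac dst-mac ip
!
! Uplink towards the legitimate DHCP server: trusted for both features,
! so server replies and ARP from the rest of the network are not inspected
interface GigabitEthernet0/1
 description Uplink to distribution / DHCP server
 ip dhcp snooping trust
 ip arp inspection trust
!
! Host-facing access ports stay untrusted (the default) and are rate limited,
! which blunts starvation tools that flood discover messages
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
!
! A printer with a static address never appears in the snooping table, so
! DAI would drop its ARP; an ARP ACL consulted before the table allows it
arp access-list STATIC-HOSTS
 permit ip host 10.1.10.250 mac host 0011.2233.aabb
ip arp inspection filter STATIC-HOSTS vlan 10
!
! Verify with: show ip dhcp snooping binding
!              show ip arp inspection vlan 10
!              show ip arp inspection statistics vlan 10
```

Trusting only the uplink is the key design decision: every port where a rogue DHCP server or a poisoning host could plug in stays untrusted, and the statistics counters show immediately which port is dropping forged ARP or DHCP server messages.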
As always, if this information has been helpful to you, please remember to subscribe to my newsletter for daily study guides, labs, productivity tips, and tech reviews.