Module 6: SECURING NETWORK DEVICES
Port Security
LinkedIn: https://fr.linkedin.com/in/ccie35565
Blog : http://www.connectic.net/blog
Anyone can connect to the network!
Secure Unused Ports
• By default, routers and switches do not
perform security checks against any device
that connects to them.
• By default, routers and switches will forward
any frame/packet received on an interface if:
§ The appropriate protocol is enabled on the ingress
interface
§ The appropriate forwarding tables or trees exist
Limiting Switch Access
§ The MAC addresses of legitimate devices are allowed access, while
other MAC addresses are denied.
§ Any additional attempts to connect by unknown MAC addresses
generate a security violation.
§ Secure MAC addresses can be configured in a number of ways:
§ Static secure MAC addresses – manually configured and added to the running configuration with the switchport port-security mac-address <mac-address> interface configuration mode command
§ Dynamic secure MAC addresses – learned dynamically and removed when the switch restarts
§ Sticky secure MAC addresses – learned dynamically and added to the running configuration with the switchport port-security mac-address sticky interface configuration mode command
Port-Security Violations Modes
§ IOS considers it a security violation when:
§ The maximum number of secure MAC addresses for that interface has been added to the CAM table, and a station whose MAC address is not in the address table attempts to access the interface.
§ There are three possible actions to take when a violation is detected:
§ Protect – frames from unknown MAC addresses are dropped; no notification is generated
§ Restrict – frames from unknown MAC addresses are dropped and a notification of the security violation is generated (the violation counter increments)
§ Shutdown – the port is placed in the error-disabled state
§ switchport port-security violation {protect | restrict | shutdown} interface configuration mode command
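Added example (not from the slides, and not IOS code): a small Python model of one access port with port security enabled, showing how the three violation modes above treat a frame from an unknown MAC once the secure-address table is full. The class, method names and MAC strings are constructed for illustration.

```python
from dataclasses import dataclass, field

PROTECT, RESTRICT, SHUTDOWN = "protect", "restrict", "shutdown"

@dataclass
class SecurePort:
    """Model of one access port with port security enabled (constructed, not IOS code)."""
    maximum: int = 1                 # switchport port-security maximum <n>
    violation: str = SHUTDOWN        # switchport port-security violation {protect|restrict|shutdown}
    sticky: bool = True              # switchport port-security mac-address sticky
    secure_macs: set = field(default_factory=set)   # static + learned addresses
    err_disabled: bool = False
    violation_count: int = 0         # restrict mode keeps a counter and raises a notification

    def ingress(self, src_mac: str) -> str:
        """Decide what the port does with a frame whose source MAC is src_mac."""
        if self.err_disabled:
            return "dropped: port err-disabled"
        if src_mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)          # dynamic / sticky learning
            return "forwarded (learned)"
        # Table is full and the source is unknown: a security violation.
        if self.violation == PROTECT:
            return "dropped silently"              # no log, no counter
        if self.violation == RESTRICT:
            self.violation_count += 1              # syslog/SNMP notification
            return "dropped, violation counter incremented"
        self.err_disabled = True                   # shutdown mode: err-disable the port
        return "dropped, port err-disabled"

    def recover(self) -> None:
        """Operator issues shutdown / no shutdown on the interface."""
        self.err_disabled = False

    def running_config(self) -> list:
        """Lines the learned addresses add to the running-config (sticky only)."""
        if not self.sticky:
            return []                              # dynamic addresses vanish on reload
        return [f"switchport port-security mac-address sticky {m}"
                for m in sorted(self.secure_macs)]
```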
Port Security: Configuring
Port Security: Verifying
Ports in Error Disabled State
§ A port security violation can put a switch port in the error-disabled state.
§ A port in the error-disabled state is effectively shut down.
§ The switch communicates these events through console messages.
The show interface command also reveals a switch port in the error-disabled state.
A shutdown followed by a no shutdown interface configuration mode command must be issued to re-enable the port.
Switch Security
Vlan Hopping Attack
• A VLAN hopping attack can be launched by spoofing DTP messages from the attacking host to cause the switch to enter trunking mode.
Double-Tagging Attack
• A double-tagging attack takes advantage of the way the hardware on most switches de-encapsulates 802.1Q tags.
• Most switches perform only one level of 802.1Q de-encapsulation, allowing an attacker to embed a second, unauthorized 802.1Q header in the frame.
• After removing the first, legitimate 802.1Q header, the switch forwards the frame to the VLAN specified in the unauthorized 802.1Q header.
• The best approach to mitigating double-tagging attacks is to ensure that the native VLAN of the trunk ports is different from the VLAN of any user ports.
Design Best Practices for VLANs
• Move all ports out of VLAN 1 and assign them to an unused VLAN.
• Shut down all unused switch ports.
• Separate management and user data traffic.
• Change the management VLAN to a VLAN other than VLAN 1. (The same goes for the native VLAN.)
• Ensure that only devices in the management VLAN can connect to
the switches.
• The switch should only accept SSH connections.
• Disable auto negotiation on trunk ports.
• Do not use the auto or desirable switch port modes.
DHCP SNOOPING
DHCP Snooping
DHCP Snooping Terminology
DHCP Snooping Operation
• DHCP Client messages only allowed from Untrusted to
Trusted ports
§ DHCP Discover
§ DHCP Request / Inform
§ DHCP Decline
§ DHCP Release
• DHCP Server messages only allowed on ingress from
Trusted ports.
§ DHCP Offer
§ DHCP Ack
§ DHCP NAK
DHCP Snooping
• DHCP Snooping specifies which switch ports can
respond to DHCP requests
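Added example (not from the slides, and not switch code): a Python model of the DHCP snooping decision above. It parses the DHCP message type (option 53) out of a constructed minimal BOOTP/DHCP payload, then permits client messages but drops server messages (Offer/Ack/NAK) that arrive on an untrusted port. The packet builder, port-trust flag and function names are assumptions made for this illustration.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"                         # DHCP magic cookie after the 236-byte BOOTP header
CLIENT_TYPES = {1: "DISCOVER", 3: "REQUEST", 4: "DECLINE", 7: "RELEASE", 8: "INFORM"}
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}

def build_dhcp(msg_type: int, chaddr: bytes) -> bytes:
    """Constructed minimal DHCP payload: BOOTP header, cookie, option 53, end option."""
    op = 1 if msg_type in CLIENT_TYPES else 2       # BOOTREQUEST / BOOTREPLY
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x1234, 0, 0,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         chaddr, b"\0" * 64, b"\0" * 128)
    return header + MAGIC + bytes([53, 1, msg_type, 255])

def dhcp_message_type(pkt: bytes) -> int:
    """Walk the option TLVs and return the value of option 53 (DHCP message type)."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    i = 240
    while i < len(pkt):
        tag = pkt[i]
        if tag == 255:                               # end option
            break
        if tag == 0:                                 # pad option has no length byte
            i += 1
            continue
        length = pkt[i + 1]
        if tag == 53 and length == 1:
            return pkt[i + 2]
        i += 2 + length
    raise ValueError("no message-type option")

def snoop(port_trusted: bool, pkt: bytes) -> str:
    """Apply the DHCP snooping rule: server messages are accepted only on trusted ports."""
    t = dhcp_message_type(pkt)
    if t in SERVER_TYPES and not port_trusted:
        return f"drop {SERVER_TYPES[t]}: server message on untrusted port"
    name = SERVER_TYPES.get(t) or CLIENT_TYPES.get(t, f"type {t}")
    return f"permit {name}"
```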
Authentication, Authorization, &
Accounting
(AAA)
What is AAA?
• Authentication, Authorization, & Accounting
• Client – NAS – Server Architecture
• Typically used when…
§ Client wants CLI access to network device or…
§ Client wants network access (802.1x).
AAA Components
Authentication
• Verifying credentials of client.
• Authentication does NOT determine WHAT client
is allowed to do/not do.
§ That is done by Authorization
• Many different methods to facilitate
Authentication.
§ Username/Password
§ Digital Certificates
§ MAC Address
Authorization
• Determining privileges of authenticated clients.
• Determines WHAT the client is allowed to do/not do.
• Many different features that can be authorized.
§ Basic network access
§ CLI availability
§ VLAN Assignment
§ Dynamic QoS Policies
§ Dynamic ACLs
Accounting
• Gathering of statistics
• Typically a separate/unique process aside from
Authentication/Authorization
• Information gathered may be:
§ Identity of users
§ Type of service(s) delivered
§ When the service(s) began and ended.
• Not covered in any detail for CCNA/CCNP
TACACS+
• Terminal Access Controller Access Control
System
• Protocol designed to carry Authentication,
Authorization and Accounting information.
• Cisco Proprietary
• Considers Authentication, Authorization and
Accounting as separate processes.
§ i.e. For Authentication, one could use something other than
TACACS+ (like Kerberos) and still use TACACS+ for
Authorization and Accounting.
Radius
• Remote Authentication Dial-In-User Service
• Protocol designed to carry Authentication,
Authorization and Accounting information.
• IETF Standard Protocol
§ Originally defined in RFC 2058. Updated multiple times
since then.
• Bundles Authentication/Authorization
AAA IOS Configuration Guidelines
• AAA is not enabled by default for any Cisco IOS
features.
• The NAS (router, switch, AP) is considered a client of the AAA server
§ A password (key) is used to validate the NAS to the AAA server
§ The NAS and the AAA server must have IP connectivity to each other.
NAS-to-Server: Initial IOS Configuration
NAS(config)#aaa new-model
NAS(config)#tacacs-server host 5.5.5.5 key XXX
or…
NAS(config)#radius-server host 5.5.5.5 key XXX
NAS(config)#aaa new-model
NAS(config)#radius-server host 5.5.5.5
NAS(config)#radius-server host 7.7.7.7
NAS(config)#radius-server key XXX
NAS-to-Server: Initial IOS Configuration
Switch(config)#username john password cisco
Switch(config)#username test password test123
Switch(config)#
Switch(config)#aaa authentication login default local
OR
Switch(config)#aaa authentication login default group radius group tacacs+ local
Access Control Lists (ACL)
Access-List Overview
• Packet identification mechanism
• Can identify packets on the basis of Layer 3 and
Layer 4 header
• Each Access-List (ACL) is composed of one or more Access-Control Entries (ACEs).
§ Each ACE is assigned a sequence number.
§ ACEs are processed in sequential order until a match is found.
• Should have at least one permit statement (ACE); otherwise the implicit deny at the end drops all traffic.
What can be matched by ACLs?
• Each ACE within an ACL can match one or more fields in the L3 and/or L4 headers.
• Some fields must be matched entirely, bit for bit.
• Other fields can optionally be partially matched.
What is “Wildcarding”?
• Ability to tell a router/switch, “I don’t care about all the bits in this field. THESE are the bits I want you to look at.”
• A Wildcard Mask is the tool to accomplish this.
• A Wildcard Mask is compared bit by bit against the value to be inspected: a 0 bit in the mask means the corresponding address bit must match, and a 1 bit means that address bit is ignored.
General Guidelines for Creating ACLs
Where to Place ACLs
Types of IPv4 ACLs
• Standard ACL
• Extended ACL
• Named ACL
§ Standard Named
§ Extended Named
Standard ACL
• Identifies traffic based on Layer-3 header
• Source IP address is checked
• ACL numbers range from 1 through 99
• Should be applied nearest to destination
• No method to check destination address or
port numbers
Where can a Standard ACL Look?
Configuring and Verifying Standard ACL
• Configuration command
§ Router(config)# access-list <#> <permit | deny> <source address> <wildcard mask>
• Verification commands
§ Router# show ip access-list
§ Router# show run | inc access-list
Pairing ACLs with IP Access-Groups
• IP Access-Group
§ Interface-level Security feature
§ Like a Primitive Firewall (forward traffic or drop traffic)
§ Directional (must specify inbound or outbound traffic)
§ References Access-Lists for classification/identification
• Configuration command
§ Router(config-if)# ip access-group <ACL id> <in | out>
Extended ACL
• Filters traffic based on Layer-3 and 4 header
• Source and destination IP, and port numbers
can be checked
§ Ideally, implemented closest to source of traffic to be
matched.
• ACL numbers range from 100 through 199
• Capable of transport header inspection
Where can an Extended ACL Look?
Configuring and Verifying Extended ACL
• Configuration command
§ Router(config)# access-list <ACL no> <permit | deny> <protocol> <source address> <wildcard mask> <destination address> <wildcard mask> <port numbers>
• Verification commands
§ Router# show ip access-list
§ Router# show run | inc access-list
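Added example (not from the slides, and not router code) covering the wildcard-mask and ACL sections above: a Python evaluator that applies a wildcard mask bit by bit, walks the ACEs of a standard or extended ACL in sequence order, stops at the first match, and falls through to the implicit deny. The ACE class, the packet dictionary layout and the sample ACLs 1 and 100 are constructed for this illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def wildcard_match(addr: str, ref: str, wildcard: str) -> bool:
    """Wildcard mask: a 0 bit means that address bit must match, a 1 bit means 'don't care'."""
    a, r, w = (int(ipaddress.IPv4Address(x)) for x in (addr, ref, wildcard))
    return (a ^ r) & (0xFFFFFFFF ^ w) == 0

@dataclass
class ACE:
    seq: int
    action: str                           # "permit" or "deny"
    protocol: str = "ip"                  # ip matches any protocol; tcp/udp/icmp otherwise
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"       # 0.0.0.0 255.255.255.255 == "any"
    dst: str = "0.0.0.0"                  # standard ACLs leave dst/dport at their defaults
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None           # "eq <port>" on the destination

    def matches(self, pkt: dict) -> bool:
        if self.protocol != "ip" and pkt["protocol"] != self.protocol:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return (wildcard_match(pkt["src"], self.src, self.src_wc)
                and wildcard_match(pkt["dst"], self.dst, self.dst_wc))

def evaluate(acl: list, pkt: dict) -> tuple:
    """Process ACEs in sequence order; first match wins; implicit deny if nothing matches."""
    for ace in sorted(acl, key=lambda e: e.seq):
        if ace.matches(pkt):
            return (ace.action, ace.seq)
    return ("deny", None)                 # the implicit "deny any" at the end

# Constructed sample: access-list 100 deny tcp 10.1.1.0 0.0.0.255 any eq 23
#                     access-list 100 permit ip 10.1.0.0 0.0.255.255 any
ACL_100 = [ACE(10, "deny", "tcp", "10.1.1.0", "0.0.0.255", dport=23),
           ACE(20, "permit", "ip", "10.1.0.0", "0.0.255.255")]
# Constructed sample standard ACL: access-list 1 permit 192.168.1.0 0.0.0.255
ACL_1 = [ACE(10, "permit", src="192.168.1.0", src_wc="0.0.0.255")]
```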
Named ACL
• Individual statements can be edited, unlike
numbered ACLs
• Names can follow a descriptive naming convention
• Use of name instead of number makes
management easier
• More flexible than numbered ACLs
Configuring Standard Named ACL
• Configuration command
§ Router(config)# ip access-list standard <name>
§ Router(config-std-acl)# <permit | deny> <source address>
• Applying configuration
§ Router(config-if)# ip access-group <name> <in | out>
Configuring Extended Named ACL
• Configuration commands
§ Router(config)# ip access-list extended <name>
§ Router(config-ext-acl)# <permit | deny> <protocol> <source address> <wildcard mask> <destination address> <wildcard mask>
• Applying configuration
§ Router(config-if)# ip access-group <name> <in | out>
IPv6 Access-Lists
• When used for traffic filtering, IPv6 Access Control Lists (ACLs) offer the following functions:
§ Can filter traffic based on source and destination
address.
§ Can filter traffic inbound or outbound on a specific
interface.
§ Can re-order sequences of ACEs
§ Implicit "deny all" at the end of access list.
IPv6 Access Lists
• No concept of numbered IPv6 ACLs, just named ACLs.
• No concept of “standard” or “extended”.
• All IPv6 ACLs are “extended” in that they require
defining of sources and destinations.
• Example of IPv6 ACL:
ipv6 access-list TEST
permit tcp any 2001:AAAA::/64 eq telnet