Securing network devices is an important topic in the world of internetworking and will remain so as long as the threat of intrusion, espionage, theft, or hacking exists. Barely a single day passes without a story breaking about a major company that has suffered from an embarrassing hacking, industrial espionage, or internal security breach by a careless or disgruntled employee.
While the CCNA is not a security course, you will be tested on some areas of network security. You should be able to configure routers and switches to allow only certain people to access them and allow only certain traffic to pass through them from your network to the Internet, or vice versa. You should also be able to restrict access to certain applications and services within the network.
If you really enjoy learning about network security, then consider studying for the Cisco CCNA Cyber Ops exam after passing the CCNA exam.
Network Security Devices
As well as the security measures mentioned here, you should have the following devices and services operational on your network:
- Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) – IDS and IPS devices function by performing traffic inspection to detect unauthorized traffic that tries to enter the enterprise network. Their main role is to monitor networks for intrusions or other malicious activity. The actions taken by a device in a promiscuous mode include sending alerts, alarms, log messages, or SNMP traps. The major difference between IPS and IDS is that IPS devices operate in line with the traffic (meaning they are placed in the middle of the traffic flow and all the packets pass through the inspection device), while IDS devices only retrieve a copy of the traffic so they can analyze it.
- Firewall – A firewall is a hardware- or software-based security device that filters traffic that is not allowed in the organization (while allowing legitimate traffic). Firewalls are positioned at the entry point in an organization or between critical network modules to create various security access policies. Most firewalls filter at layer 4 based on the source or destination address and TCP or UDP port number.
- Antivirus – These programs were originally developed to remove malicious computer code, and today they can protect you from browser hijacking, worms, Trojans, adware, and spyware. Big players in this field include AVG and Symantec.
- Antispyware – These programs are similar to antivirus programs inasmuch as they help to block and prevent spyware and other malware types on computers. Spyware is software used to capture sensitive data and transmit it to a target device. Antispyware programs such as Ad-Aware and Spybot monitor incoming data from e-mail, websites, or file downloads and prevent spyware from taking root in your operating system.
Firewalls
Configuring firewalls is NOT a CCNA exam requirement. This subject is in the CCNA Cyber Ops and other security exams. However, the CCNA exam does require an understanding of the impact of a firewall in an enterprise network.
It would be prudent to understand the role of a firewall and some common associated terms both for the exam and to converse with customers and fellow network engineers. It is common for the network team to be on a call with the security team in order to jointly determine which part of the network is at fault.
Firewalls in Action
Firewalls filter traffic into and out of the network, and they are usually positioned at the network entry point or between critical modules. Most firewalls work at Layer 4, which is based on TCP or UDP port numbers (usually called traditional or legacy firewalls), although some can operate at Layer 7 (usually called next-generation firewalls). Firewalls often perform NAT, which will be covered later. Firewalls also commonly carry encrypted traffic in tunnels to firewalls at other sites.
First-generation firewalls provided basic filtering capabilities at Layer 3 and Layer 4 of the OSI model. Second-generation firewalls monitored traffic at Layer 3, Layer 4, and Layer 5 of the OSI model. Third-generation firewalls provided firewalling capabilities at Layer 3, Layer 4, Layer 5, and Layer 7 of the OSI model. Finally, fourth-generation firewalls operate at Layer 3, Layer 4, Layer 5, and Layer 7 of the OSI model and use a concept referred to as stateful inspection.
Firewalls usually operate in either routed or transparent mode. In routed mode the firewall functions like a Layer 3 device, with IP addresses on its interfaces and running routing protocols or static routes. In transparent mode the firewall functions like a Layer 2 device, passing traffic transparently to the end user. This is illustrated in Figure 23.1 below:
FIG 23.1 – Firewalls in action
Software firewalls are available from companies such as AVG and Microsoft, with AVG offering both free and paid versions. Software firewalls are installed on users’ PCs and smartphones and offer OS-level protection (see Figure 23.2 below). Their role is to block traffic from leaving or entering the system. Because they are designed for end-device-level protection, they are not suitable for protecting enterprise networks.
FIG 23.2 – Software firewall
A virtual firewall (VF) is a network firewall service or appliance that runs within a virtualized environment and that provides the packet filtering and monitoring services which would normally be provided via a hardware firewall (see Figure 23.3 below).
FIG 23.3 – Virtual firewall
The advantage of this is that multiple firewalls can be run without high costs. The VF is used to partition the physical firewall into multiple logical devices. Assigned interfaces are allocated separate security policies, NAT rules, and access control lists (which will be covered later). Virtual firewalls do not usually support IPSec VPNs, SSL VPNs, or dynamic routing.
Cisco has coined the term “security contexts”. These allow a single physical device to act as multiple independent firewalls. Each security context defines a single virtual firewall, which includes a unique configuration. Cisco has warned that, just as with physical devices, each security context must be carefully configured to ensure that overall network security is never compromised.
Stateful Inspection and Packet Filtering
Firewalls operate in two modes, stateful or stateless. The legacy firewall operating mode is stateless, which is also known as packet filtering. In stateless mode, the network administrator will configure firewall rules to permit or deny certain data to certain ports or ranges of ports, and the incoming and outgoing data have no relationship with each other. Stateless firewalls are typically faster than stateful ones.
Nowadays, the term “legacy” (although I prefer “old” or “back in the past”) is used for all firewalls that are working up to layer 4.
Figure 23.4 below shows firewall rules configured on a device:
FIG 23.4 – Firewall rules example (Image © Bullguard.com)
Stateful inspection means that all data flows are recorded, and associated flows of data are then permitted or denied. A stateful firewall determines the state of a TCP connection (e.g., open, open sent, synchronized, etc.) and can tell whether changes have been made, such as the Maximum Transmission Unit (MTU) or whether the packets are fragmented.
FIG 23.5 – Stateful firewall
A single network firewall represents a single point of failure, so most will feature an active and failover firewall, with the failover acting as the backup (see Figure 23.6 below).
FIG 23.6 – Active and failover firewalls
Using the same vendor and operating system for each firewall is always recommended. Changes should be performed and tested on one firewall before doing the same on the second firewall.
Zone-based Policy Firewalls
Zone-based policy firewall (ZBW) functionality represents an evolution in firewall technology. The objective of ZBWs is to create security zones, with each device interface placed into a zone. Unidirectional zone pairs can be created to define zone relationships by applying a modular flexible policy to zone pairs.
Two or more interfaces can be in the same zone, which is often the case (e.g., two LAN/DMZ/Internet interfaces).
This concept is illustrated in Figure 23.7 below:
FIG 23.7 – Zone-based policy firewall
Devices in the demilitarized zone (DMZ) need to be accessible from the Internet, so they should be in a zone separate from the internal devices. Zones created include Trusted, Untrusted, and the DMZ. Figure 23.7 shows the interfaces placed into each zone (i.e., Gi0/0 is trusted, Gi0/1 is untrusted, and Gi0/2 is in the DMZ).
The following are the unidirectional zone pairs that can be created:
- Trusted Zone to DMZ
- DMZ to Trusted Zone
- Trusted Zone to Untrusted Zone
- Untrusted Zone to Trusted Zone
- DMZ to Untrusted Zone
- Untrusted Zone to DMZ
Network Device Passwords
Do you want just anybody to access your network devices? Perhaps you want only a handful of people to be able to log on to the router and a few others to be able to remotely connect to the router and administer it. Network device access needs to be protected from internal staff and external intruders.
Passwords on Cisco devices must contain from 1 to 25 uppercase and lowercase alphanumeric characters. Passwords are case sensitive; spaces can be used but not as the first character. Cisco recommends that the best way to handle passwords is to maintain them on a TACACS+ or RADIUS authentication server. Most routers, however, have a locally stored (in the router’s configuration) privilege-level password.
Enable Password
Protecting privileged mode (or enable mode) on your router is very important and the process is very simple. When any person attempts to enter privileged mode from user exec mode, they will be prompted for a password.
Router>enable
Router#config t
Router(config)#enable password cisco – Passwords ARE case sensitive
Router(config)#disable
Router>enable
Password: – The password will not show as you type it
Router#
By default, the enable password command can be seen when any user looks at the running or startup configuration of the router. You probably do not want this to happen (see the service password-encryption command below).
Router#show run
Building configuration…
hostname Router
!
enable password cisco
You can disable the enable password command by entering no in front of the command.
Router(config)#no enable password
You do not need to enter the password again.
Enable Secret
The following output shows the enable secret command:
Router#conf t
Router(config)#enable secret cisco
Router(config)#exit
Router#disable
Router>enable
Password: – The password will not show as you type it
Router#
You can see that when a show running-configuration command is issued, the enable secret command is encrypted. Only the relevant part of the configuration is shown below:
Router#show running-configuration
Building configuration…
hostname Router
!
enable secret 5 $1$F3Dy$w0mwxVmJ79Ug9pK/snpRe/ – Hashed using the MD5 algorithm
The number 5 after enable secret stands for level 5 encryption. This is an MD5 hash of the password, and it is harder to crack than level 7, which uses a weaker, reversible algorithm. If you forget your password, you will have to do password recovery using the console port (check Google for “[router model] password recovery” because each router and switch model has a slightly different recovery process).
Newer IOS releases also offer the SHA256 encryption algorithm (number 4).
Service Password Encryption
You can actually encrypt all of the passwords on the router with the service password-encryption command. This command will encrypt all current and future passwords added to the router.
Router(config)#enable password cisco
Router(config)#service password-encryption
Router(config)#exit
Router#show run
!
service password-encryption
hostname Router
enable password 7 070724404206 – Weaker reversible algorithm
The service password-encryption command does not provide a high level of security. Use this command with additional security measures.
Auxiliary Password
In order to protect connections through the AUX port, you will need to assign a password to it. Note that when you configure the AUX port, the router drops into config-line mode, as shown below:
Router#config t
Router(config)#line aux ?
<0-0> First Line number
Router(config)#line aux 0
Router(config-line)#password cisco – Config-line mode
Router(config-line)#login
Router(config-line)#^Z
Router#
The login command is very important, as it tells the router to ask the user for a password, while the command login local tells the router to check a username and password you have configured on the router itself (the local database). You can instead put a server in the network, which does the job of authenticating all the users. These servers are known as TACACS or RADIUS servers.
The login and login local commands are covered comprehensively in the labs throughout this book.
Mini-lab – Adding a Telnet Password
In order to connect to your router over the Internet or remotely, you may want to telnet to it. To allow Telnet sessions, you need to have a password set on the VTY line. Terminal lines are logical (i.e., not physically attached to the router), so you will normally telnet via the Serial port or Ethernet port and a virtual terminal (known as VTY) will be opened. The number of available VTY ports depends on your router model; mine below has five. Please configure the IP addressing and hostnames as per Figure 23.8 below. Ping across the link to ensure that the network is working.
FIG 23.8 – Mini-lab: Adding a Telnet password
R1#config t
R1(config)#enable secret howtonetwork
R1(config)#line vty 0 4 – Use ? to see your available VTY port numbers
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#^Z
Now you can telnet to R1 from R2:
R2#telnet 192.168.1.1
Trying 192.168.1.1 … Open
User Access Verification
Password:
R1>enable
Password:
R1# – You are now connected to R1 from R2
R1#exit – You can use Ctrl+Shift+6 and x to exit
[Connection to 192.168.1.1 closed by foreign host]
R2#
[END OF MINI-LAB]
Configuring the router for Telnet access alone is not sufficient. The enable or enable secret command must also be configured to allow for privileged access after Telnet access has been allowed. Try it for yourself with and without an enable command on the device you are telnetting to. Remember also that you can protect the VTY lines with an ACL, but you must apply it using the access-class command. We covered this in the ACL sections and hands-on labs earlier.
Your ACL may permit a certain IP address only, so in this case you can source the telnet from that interface.
R2#telnet 192.168.1.1 /source-interface loopback0
If there is no VTY password on the remote router, you will see:
R2#telnet 192.168.1.1
Trying 192.168.1.1 … Open
Password required, but none set
[Connection to 192.168.1.1 closed by foreign host]
R2#
You can test this yourself by adding the command below to the R1 VTY lines:
R1(config-line)#no password
There must be either a VTY line password (with the login command) or a username and password configured on the router with the login local command issued under the VTY lines. If a VTY password is set but there is no enable command, you will still be able to telnet across, but once you try to enter privileged mode, you will see:
R2#telnet 192.168.1.1
Trying 192.168.1.1 … Open
User Access Verification
Password:
R1>enable
% No password set
R1>
If you are connected to R1, you can see other connections to the router with the show line command:
R1#show line
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
*    0 CTY              -    -      -    -    -      0       0     0/0       -
     1 AUX   9600/9600  -    -      -    -    -      0       0     0/0       -
*    2 VTY              -    -      -    -    -      2       0     0/0       -
     3 VTY              -    -      -    -    -      0       0     0/0       -
     4 VTY              -    -      -    -    -      0       0     0/0       -
     5 VTY              -    -      -    -    -      0       0     0/0       -
     6 VTY              -    -      -    -    -      0       0     0/0       -
The * indicates that there is an active connection on that line. The CTY is the console port, and as you can see the console connection is active. The AUX is for connections to the auxiliary port. Finally, the VTY is for the virtual terminal lines that are used for inbound Telnet connections.
You may want to clear a Telnet session coming into your router either to throw the user off or to free up a VTY line that should have cleared but has not. To do this, you would use the clear line # command:
R1#clear line 2
[confirm]
[OK]
In the output below, on my own network I have created the username paul and have allowed incoming Telnet sessions. When a user telnets to my router, I can check the connection that is in use with the show users command.
R2#show users
    Line       User       Host(s)              Idle       Location
*    0 con 0              idle                 00:00:00
    98 vty 0   paul       idle                 00:00:17 192.168.1.1

  Interface    User               Mode         Idle     Peer Address
I have VTY lines 0 to 933 available on this router because I’m using GNS3. You would think that the lines would be used in ascending order from 0 upward but that is not so. I’ve found that a random number is used from the range available. In the output above, it’s 98. You could technically protect your VTY lines by allowing only one incoming connection with the configuration below. Test it for yourself; however, I couldn’t find a way to control which line you actually telnetted on. Also, note that the incoming session below came in on VTY 194.
R2(config)#line vty 0
R2(config-line)#login local
R2(config-line)#end
Now I will telnet in from R1 (IP address 192.168.1.1):
R2#show users
    Line       User       Host(s)              Idle       Location
*    0 con 0              idle                 00:00:00
   194 vty 0   paul       idle                 00:00:14 192.168.1.1

  Interface    User               Mode         Idle     Peer Address
R2#show line
   Tty Line Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
*    0    0 CTY              -    -      -    -    -      0       0     0/0       -
     1    1 AUX   9600/9600  -    -      -    -    -      0       0     0/0       -
*  194  194 VTY              -    -      -    -    -      1       0     0/0       -
   195  195 VTY              -    -      -    -    -      0       0     0/0       -
   196  196 VTY              -    -      -    -    -      0       0     0/0       -
   197  197 VTY              -    -      -    -    -      0       0     0/0       -
   198  198 VTY              -    -      -    -    -      0       0     0/0       -
The show users command will display incoming connections to your router and the show sessions command will display outgoing connections from your router to another device. There is a fourth type of connection known as a TTY. These are asynchronous lines used for modem and terminal connections.
Console Password
It is very important to protect your console port on the router. If you do not, any person who can get physical access to the router will be able to reconfigure and reboot it.
Router#config t
Router(config)#line console ?
<0-0> First Line number
Router(config)#line console 0
Router(config-line)#password hello
Router(config-line)#login
Router(config-line)#exit
Router(config)#exit
For added security, you can specify a timeout value to lock the console connection if there is no activity for a specified number of minutes. This will also work on the VTY and AUX ports.
Router(config)#line console 0
Router(config-line)#exec-timeout 5 – Sets timeout for 5 minutes
Timeout values can be set on AUX, console, and VTY lines. The default timeout value is 10 minutes. If you want to set it to never timeout, then the value must be 0. This does represent a security issue though as the lines will always be open.
Configuring Local Usernames and User-Specific Passwords
You may not want to have a generic password on your connections to the router. You can configure specific username and password combinations on a per-user basis.
RouterA#config term
RouterA(config)#username paul password cisco
RouterA(config)#username stuart password ccna
RouterA(config)#username davie password rugby
RouterA(config)#line vty 0 4
RouterA(config-line)#login local
RouterA(config-line)#exit
RouterA(config)#exit
I can now telnet from Router B to Router A, providing I know my username and password:
RouterB#telnet 192.168.1.1
Trying 192.168.1.1 … Open
User Access Verification
Username: paul
Password:
Privilege Levels
You can assign different levels of access to different users based on their local user accounts on the router. For example, you might restrict junior members of the network team to use only basic show commands. This is done using privilege levels. Cisco has 16 privilege levels ranging from 0 to 15, where 15 is full access.
You can assign a specific privilege level to a user and assign some commands to that level. This is shown in the output below:
RouterA#conf t
RouterA(config)#username juniortech privilege 4 password support
RouterA(config)#privilege exec level 4 ping
RouterA(config)#privilege exec level 4 traceroute
RouterA(config)#privilege exec level 4 show ip interface brief
RouterA(config)#line console 0
RouterA(config-line)#password basketball
RouterA(config-line)#login local – Password is needed
RouterA(config-line)#^z
If a junior technician tries to log in using the juniortech username, and then tries to make a configuration change, access is denied because the command is not allowed in privilege level 4.
RouterA con0 is now available
Press RETURN to get started.
User Access Verification
Username: juniortech
Password:
RouterA#config t – Not allowed to use this command
^
% Invalid input detected at '^' marker.
Login
The login local command on the console, AUX, or VTY line overrides the console, AUX, or VTY line password, so any person who telnets to Router A will be asked for his/her username and password from the local database.
You can use the enable secret [level] password command to define a password for a specific level of access and then give the password only to those who you want to have that level of access. You would then use the privilege exec level command to specify the commands available at the various access levels.
Logging Router Access
As a network administrator, it is very likely that you will want to be aware of who is attempting to log in to your network, as well as aware of any other network events.
Local Logging
There are several features included in the Cisco IOS to monitor events locally on the router:
- logging console [level] – This command controls which log messages are sent to the console port. Levels can be from 0 to 7 (see Table 23-1). You can use the no logging console command to turn off console output if you do not want it to appear on your screen constantly.
Table 23-1: Logging levels
Level | Logging Message |
0 | Emergencies |
1 | Alerts |
2 | Critical |
3 | Errors |
4 | Warnings |
5 | Notifications |
6 | Informational |
7 | Debugging |
- terminal monitor – This command will allow debug and system messages to appear on your terminal connection to a router. If you are telnetting to a remote router (via SSH or Telnet) you will need to use this command if you want to see the debug commands. The console connection already monitors the terminal.
- logging buffered [size in bytes | level] – This command will allow log messages to be kept in the router’s memory.
- access list [specify action] log – This command enables the logging of packets that match the ACL configuration line criteria (e.g., access list 10 permit 192.168.1.1 log).
- service timestamps – This command allows the router to timestamp logging or debug messages.
- logging host address – This command will send logging messages to a syslog server (e.g., Router(config)#logging 172.16.1.5).
You can view the current logging levels with the show logging command:
RouterB#show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Console logging: level debugging, 20 messages logged
Monitor logging: level debugging, 0 messages logged
Buffer logging: level debugging, 20 messages logged
Trap logging: level informational, 24 message lines logged
Log Buffer (4096 bytes):
00:00:09: %LINK-3-UPDOWN: Interface Serial0, changed state to down
00:00:09: %LINK-3-UPDOWN: Interface Serial1, changed state to down
00:01:43: %LINK-5-CHANGED: Interface BRI0, changed state to administratively down
In summary, logging options include:
- logging buffered – logs messages to the router buffer
- logging host – logs messages to a syslog server
- logging console – logs messages to the console (you need to enable the terminal monitor command to see the logs on non-console connections)
You can have logging and/or debug messages timestamped with the service timestamps debug datetime msec localtime and/or service timestamps log datetime msec localtime commands. If you want, you can clear the logging buffer with the clear logging command. If you have requested assistance from a Cisco TAC, they may ask you to enable timestamps on your debug messages to assist them with troubleshooting your issue. Below are two debug outputs, the first without and the second with a timestamp:
%LINK-3-UPDOWN: Interface Serial0, changed state to down
00:00:09: %LINK-3-UPDOWN: Interface Serial0, changed state to down
Please do type the commands above onto a router so that they stick in your mind. We will look at syslog again later in this guide.
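To make the levels in Table 23-1 concrete, here is an added Python example (not from the book) that parses %FACILITY-SEVERITY-MNEMONIC lines from a show logging buffer and filters them the way logging buffered [level] does. The three LINK lines are the ones from the output above; the SYS and SEC_LOGIN lines are constructed samples.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Union

# Table 23-1: IOS logging levels. A "logging ... <level>" command keeps every message
# at that severity or more urgent (numerically lower).
LEVEL_NAMES = ["emergencies", "alerts", "critical", "errors",
               "warnings", "notifications", "informational", "debugging"]

# Optional timestamp prefix (added by "service timestamps log ..."), then
# %FACILITY-SEVERITY-MNEMONIC: message text
SYSLOG_RE = re.compile(
    r"^(?:(?P<ts>[^%]+?):\s+)?"
    r"%(?P<facility>[A-Z][A-Z0-9_]*)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)

# Constructed log buffer: the LINK lines come from the show logging output in the
# chapter; the SYS and SEC_LOGIN lines are constructed login/config events.
SAMPLE_LOG = """\
00:00:09: %LINK-3-UPDOWN: Interface Serial0, changed state to down
00:00:09: %LINK-3-UPDOWN: Interface Serial1, changed state to down
00:01:43: %LINK-5-CHANGED: Interface BRI0, changed state to administratively down
%SYS-5-CONFIG_I: Configured from console by paul on vty0 (192.168.1.1)
00:02:10: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: juniortech] [Source: 192.168.1.1] [localport: 23]
Building configuration...
"""


def resolve_level(level: Union[int, str]) -> int:
    """Accept a numeric level or its Table 23-1 name, as the IOS CLI does."""
    if isinstance(level, int):
        if 0 <= level <= 7:
            return level
        raise ValueError(f"level out of range: {level}")
    try:
        return LEVEL_NAMES.index(level.lower())
    except ValueError:
        raise ValueError(f"unknown level name: {level}") from None


def parse_message(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one syslog line, or None for text that is not a message."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    sev = int(m.group("sev"))
    return {
        "timestamp": m.group("ts"),        # None when service timestamps is off
        "facility": m.group("facility"),
        "severity": sev,
        "level": LEVEL_NAMES[sev],
        "mnemonic": m.group("mnemonic"),
        "text": m.group("text"),
    }


def parse_log(buffer: str) -> List[Dict[str, object]]:
    """Parse every syslog line in a buffer, skipping lines that are not messages."""
    return [msg for msg in (parse_message(l) for l in buffer.splitlines()) if msg]


def filter_by_level(messages: List[Dict[str, object]], level: Union[int, str]):
    """Keep messages at the given level or more severe, like 'logging buffered <level>'."""
    threshold = resolve_level(level)
    return [m for m in messages if m["severity"] <= threshold]


def count_by_facility(messages: List[Dict[str, object]]) -> Dict[str, int]:
    """How many messages each facility (LINK, SYS, ...) produced."""
    return dict(Counter(m["facility"] for m in messages))


if __name__ == "__main__":
    # Show what a "logging buffered warnings" router would have kept.
    for m in filter_by_level(parse_log(SAMPLE_LOG), "warnings"):
        print(f"{m['timestamp'] or '-':>10}  {m['level']:<13} %{m['facility']}-{m['mnemonic']}: {m['text']}")
```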
Prevent Telnet Access
All traffic sent using Telnet (including network configuration commands and passwords) is sent in clear text, which means that the configuration commands sent over a Telnet session can easily be captured by a network sniffer attached to the network. This makes Telnet inherently insecure.
Figure 23.9 below is a packet capture of an incoming Telnet session. You can clearly see that the sent password is “cisco”.
FIG 23.9 – Telnet password sent in clear text
Telnet is disabled by default because you need to set a password (and an optional username) to enable it. For secure remote management access to the router or switch, you can enable SSH (Secure Shell), which is described below. Later, we will cover how to use ACLs to protect Telnet access if you need to enable it.
Enable SSH
It is highly recommended that you use SSH rather than Telnet to access your network devices whenever possible. Unlike Telnet, which sends traffic in clear text, SSH creates a secure encryption channel where all traffic sent to the switch is encrypted. This secures the traffic from packet sniffing attacks.
SSH requires Cisco IOS versions that support cryptography. These are the security versions of the IOS. An easy way to check whether your IOS supports cryptography is using the show version command. Security IOS versions usually have “K9” or “security” in their names.
Switch#sh version
Cisco IOS Software, C3560 Software (C3560-ADVIPSERVICESK9-M), Version 15.2(35)SE1, RELEASE SOFTWARE (fc1)
[output truncated]
System image file is "flash:/c3560-advipservicesk9-mz.152-35.SE1.bin"
If you do not have a security version of IOS, you must purchase a license for it.
A public/private key pair is used for SSH encryption. Traffic sent to a device is encrypted using a public key, and the encrypted traffic is decoded using the private key when it gets to the device. Users are authenticated through a username/password combination. Before generating the keys on a device, you need to set the hostname and domain name of the switch because the keys are identified using the Fully Qualified Domain Name (hostname.domainname).
The steps to enable SSH are as follows:
- Set the hostname and domain name
- Generate crypto keys for encryption; SSH is enabled at this point
- Set other SSH parameters such as idle timeout and authentication-retries (optional)
Mini-lab – Enabling SSH Access
You already know how to add an IP address and default gateway on a switch. Take a router and add the IP address below to the Fast Ethernet interface and connect it to a switch via a straight-through cable. Add an IP address to the management VLAN and ping from the router to the switch.
Router(config)#interface f0/0
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Switch(config)#ip default-gateway 192.168.1.1
Switch(config)#interface vlan 1
Switch(config-if)#ip address 192.168.1.2 255.255.255.0
Switch(config-if)#no shut
FIG 23.10 – Mini-lab: Enabling SSH access
An example is shown below:
Switch(config)#hostname SwitchOne
SwitchOne(config)#ip domain-name howtonetwork.com
SwitchOne(config)#crypto key generate rsa
The name for the keys will be: SwitchOne.howtonetwork.com
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable…[OK]
SwitchOne(config)#ip ssh time-out 60
SwitchOne(config)#ip ssh authentication-retries 2
SwitchOne(config)#line vty 0 15
SwitchOne(config-line)#transport input ssh
SwitchOne(config-line)#password cisco
You can specify the SSH version using the ip ssh version [1|2] command (version 2 is the default in modern IOS versions).
To verify that SSH is enabled, as well as the version of SSH that is enabled on a switch, use the show ip ssh command:
SwitchOne#show ip ssh
SSH Enabled – version 2.0
Authentication timeout: 60 secs; Authentication retries: 2
Now you can attempt to connect from the router to the switch. Cisco documentation on how to do this is somewhat light.
Router#ssh -l paul 192.168.1.2
Open
Password:
SwitchOne>
If you try to telnet from the router to the switch, the connection will be rejected.
Router#telnet 192.168.1.2
Trying 192.168.1.2 …
% Connection refused by remote host
Router#
[END OF MINI-LAB]
The output below displays how to permit both Telnet and SSH.
Router(config)#line vty 0 15
Router(config-line)#transport input ssh telnet
Disable HTTP
You can disable HTTP access using the no ip http server command. Routers can be accessed, managed, and configured via a web page using HTTP, so unless you need to run it, you should disable it.
Switch(config)#no ip http server
To view the status of the HTTP server on the switch:
Switch#show ip http server status
HTTP server status: Disabled
HTTP server port: 80
[output truncated]
Disable CDP
Cisco Discovery Protocol is a Cisco proprietary data link layer protocol used to discover the Cisco devices that are attached to a particular device. Although CDP can be a really useful troubleshooting protocol, it can pose security flaws because the device information might be available to anyone who connects to it. Because it runs at layer 2 of the OSI model, it doesn’t require an IP address to be configured to exchange information with connected devices.
You can disable CDP in your network or, at least, on devices that are at the edge of your network that connect to other devices that you do not trust.
An example of CDP output on a router is shown below:
Router#show cdp neighbor detail
Device ID: Switch
Entry address(es):
Platform: Cisco 2960, Capabilities: Switch
Interface: FastEthernet0/0, Port ID (outgoing port): FastEthernet0/2
Holdtime: 176
Version:
Cisco Internetwork Operating System Software
IOS (tm) C2960 Software (C2960-I6Q4L2-M), Version 15.1(22)EA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Wed 18-May-05 22:31 by jharirba
advertisement version: 2
Duplex full
The output above demonstrates why CDP is a very useful troubleshooting tool. To turn off CDP on an entire device, use the no cdp run command:
Switch(config)#no cdp run
To turn off CDP on an interface, use the no cdp enable interface configuration command. You must know the difference between these two commands for the CCNA exam.
Switch(config)#int fast0/2
Switch(config-if)#no cdp enable
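The hardening points of this chapter (enable secret rather than enable password, hashed rather than type 7 passwords, exec-timeout, SSH-only VTY transport, the HTTP server, and CDP) can be checked against a saved running-config. The Python script below is an added example, not from the book; both sample configs are constructed, reusing the type 7 string and the MD5 hash shown earlier in the chapter.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of a router that still has the weak settings this chapter warns about
# (the type 7 string and MD5 hash are the ones shown earlier in the chapter).
WEAK_CONFIG = """\
service password-encryption
enable password 7 070724404206
username paul password 7 070724404206
username davie secret 5 $1$F3Dy$w0mwxVmJ79Ug9pK/snpRe/
ip http server
line aux 0
 password 7 070724404206
 login
 exec-timeout 0 0
line vty 0 4
 login local
 transport input telnet ssh
"""

# Constructed sample of the same router after applying the chapter's recommendations.
HARDENED_CONFIG = """\
enable secret 5 $1$F3Dy$w0mwxVmJ79Ug9pK/snpRe/
username davie secret 5 $1$F3Dy$w0mwxVmJ79Ug9pK/snpRe/
no ip http server
no cdp run
line vty 0 15
 login local
 transport input ssh
 exec-timeout 5 0
"""

USER_RE = re.compile(r"^username (\S+) (?:privilege \d+ )?(password|secret)(?: (\d))? \S+$")
LINE_PW_RE = re.compile(r"^password(?: (\d))? \S+$")


def split_config(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global commands and 'line'/'interface' sections."""
    global_cmds: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t":  # indented: a sub-command of the current section
            if current is not None:
                sections[current].append(raw.strip())
            continue
        cmd = raw.strip()
        if cmd.split()[0] in ("line", "interface"):
            current, sections[cmd] = cmd, []
        else:
            current = None
            global_cmds.append(cmd)
    return global_cmds, sections


def classify_password(ptype: Optional[str]) -> Optional[Tuple[str, str]]:
    """Map an IOS password type digit to (severity, message); None means acceptable."""
    if ptype in (None, "0"):
        return "high", "cleartext (type 0) password; use 'secret' or at least a hashed type"
    if ptype == "7":
        return "medium", "type 7 password uses the weak reversible algorithm; use 'secret' (type 5, MD5)"
    return None  # type 5 (MD5) or a newer hash type


def audit_config(config: str) -> List[Dict[str, str]]:
    """Return one finding per weak setting covered in this chapter."""
    findings: List[Dict[str, str]] = []
    add = lambda sev, where, msg: findings.append({"severity": sev, "where": where, "finding": msg})
    global_cmds, sections = split_config(config)
    if not any(c.startswith("enable secret") for c in global_cmds):
        add("high", "global", "no 'enable secret'; privileged mode is not protected by an MD5 hash")
    for cmd in global_cmds:
        if cmd.startswith("enable password"):
            add("high", "global", "'enable password' configured; replace it with 'enable secret'")
        m = USER_RE.match(cmd)
        verdict = classify_password(m.group(3)) if m and m.group(2) == "password" else None
        if verdict:
            add(verdict[0], "global", f"username {m.group(1)}: {verdict[1]}")
    if "ip http server" in global_cmds:
        add("medium", "global", "HTTP management enabled; use 'no ip http server' unless it is needed")
    if "no cdp run" not in global_cmds:
        add("low", "global", "CDP running globally; use 'no cdp run', or 'no cdp enable' on untrusted edge ports")
    for name, cmds in sections.items():
        if not name.startswith("line "):
            continue
        for cmd in cmds:
            m = LINE_PW_RE.match(cmd)
            verdict = classify_password(m.group(1)) if m else None
            if verdict:
                add(verdict[0], name, verdict[1])
        if "exec-timeout 0 0" in cmds:
            add("medium", name, "exec-timeout 0 0: idle sessions never time out")
        if name.startswith("line vty"):
            # A missing 'transport input' is treated as the permissive default (assumption: varies by IOS).
            transport = next((c for c in cmds if c.startswith("transport input")), "transport input all")
            if any(w in ("telnet", "all") for w in transport.split()[2:]):
                add("high", name, "Telnet permitted on VTY lines; use 'transport input ssh'")
    return findings
```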
Add a Banner Message
Banner messages are displayed when a user connects to a device. Although these messages do not provide any actual security, they can be used to display warning messages and company policies, which can be very useful legally.
When configuring a banner, a delimiting character is selected to tell the router when the banner message is complete. In the example below, the delimiting character is Y:
Switch(config)#banner motd Y
Enter TEXT message. End with the character 'Y'.
KEEP OUT OR YOU WILL REGRET IT Y
Switch(config)#
Referring to the output below, when telnetting to the router and the MOTD banner appears, notice that the banner message is truncated. This is because Y was chosen as the delimiting character. To avoid this, always select a delimiting character that is not used in your banner message.
Router#telnet 192.168.1.3
Trying 192.168.1.3 …Open
KEEP OUT OR Y
The banner in the example above is a message of the day (MOTD) banner, which is displayed to every user as soon as a connection is made, before any login prompt. Other types of banner messages include:
- Login – shown after the MOTD banner and before the username/password prompt
- Exec – shown only after a successful login; use this for any text you want to hide from unauthorized users
There are banner inputs as part of the labs at the end of the chapter. I suggest that you learn to configure all three types and test them by logging in to the router. The choices you are offered will depend on your platform and IOS version:
Router(config)#banner ?
LINE c banner-text c, where “c” is a delimiting character
exec Set EXEC process creation banner
incoming Set incoming terminal line banner
login Set login banner
motd Set Message of the Day banner
prompt-timeout Set Message for login authentication timeout
slip-ppp Set Message for SLIP/PPP
Shut Down Unused Ports
Any switch ports that are not being used should be both shut down and placed into an unused VLAN. Pick a VLAN that has no SVI and is not the native VLAN on any trunk, so that a port that is mistakenly brought back up still leads nowhere:
Switch(config)#interface range f0/10-20
Switch(config-if-range)#switchport access vlan 500
% Access VLAN does not exist. Creating vlan 500
Switch(config-if-range)#shutdown
Network Device Clock and NTP
For incident management and logging, it is important for a network device to attach accurate timestamps to its log messages; without them, events from several devices cannot be correlated. You can view the time on a device using the show clock command. A leading asterisk (*) means the time is not authoritative (it has never been set or synchronized), as on the factory-default clock below:
Switch#show clock
*23:09:45.773 UTC Tue Mar 2 1993
To set the time manually, use the clock set command in privileged EXEC mode. The time zone and daylight saving rules are set in global configuration mode. The commands below set a switch to US Central time, using either the built-in US recurring rule or the rule spelled out in full (second Sunday in March to first Sunday in November, at 02:00). Note that the summer-time name is CDT, not CST:
clock timezone CST -6
clock summer-time CDT recurring
clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
The output below shows how to set the clock manually on a Cisco device:
Switch#clock set 14:55:05 March 29 2016
1d23h: %SYS-6-CLOCKUPDATE: System clock updated from 17:26:01 CST
Switch#show clock
*14:55:07.953 UTC Tue Mar 29 2016
Another option for updating the time on a network device is the Network Time Protocol (NTP), which was discussed earlier. You will need to be able to configure your router as an NTP client for the CCNA exam.
Routers sync with an NTP server over UDP port 123 (not TCP). NTP is now included in the CCNA syllabus, and it ensures that all the network devices in the same environment share the same time, so that logs from different devices can be correlated. A router can be configured to sync with an NTP server using the ntp server command; the prefer keyword marks the server to use when more than one is reachable. Check the result with show ntp status and show ntp associations; the clock is only trustworthy once the status shows it is synchronized. Plain NTP is unauthenticated, so point your devices at servers you control where possible (IOS also supports NTP authentication keys):
Switch(config)#ntp server 134.84.84.84 prefer
Switch(config)#ntp server 209.184.112.199
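As an added illustration of what the ntp server command sets in motion (this is example code written for this guide, not anything taken from IOS or from the page's labs), the Python below builds the 48-byte NTPv4 client request, parses a server reply, and computes the clock offset and round-trip delay from the four timestamps the way an NTP client does. The exchange is constructed in memory so it runs offline; the sample time values, the 20 ms network delay and the host passed to query_server are assumptions. Note the port: the live query uses UDP/123.

```python
import socket
import struct
import time

NTP_PORT = 123                   # NTP is UDP/123, not TCP
NTP_EPOCH_OFFSET = 2208988800    # seconds from 1900-01-01 to 1970-01-01
PACKET_LEN = 48


def to_ntp64(unix_ts: float) -> int:
    """Unix time (float seconds) -> 64-bit NTP timestamp (32.32 fixed point)."""
    secs = int(unix_ts) + NTP_EPOCH_OFFSET
    frac = int((unix_ts - int(unix_ts)) * (1 << 32))
    return (secs << 32) | frac


def from_ntp64(ts: int) -> float:
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / (1 << 32)


def build_client_request(transmit_unix: float) -> bytes:
    """48-byte NTPv4 client packet: LI=0, VN=4, Mode=3, only Transmit set."""
    pkt = bytearray(PACKET_LEN)
    pkt[0] = (0 << 6) | (4 << 3) | 3            # 0x23
    struct.pack_into("!Q", pkt, 40, to_ntp64(transmit_unix))
    return bytes(pkt)


def build_server_reply(request: bytes, receive_unix: float,
                       transmit_unix: float, stratum: int = 2) -> bytes:
    """Constructed server reply (Mode=4). The client's Transmit timestamp is
    echoed back in the Originate field; that is how a client ties a reply
    to its own request."""
    pkt = bytearray(PACKET_LEN)
    pkt[0] = (0 << 6) | (4 << 3) | 4            # 0x24
    pkt[1] = stratum
    pkt[2] = 6                                   # poll interval 2**6 s
    pkt[3] = 0xEC                                # precision 2**-20 s (signed -20)
    pkt[24:32] = request[40:48]                  # Originate = client Transmit
    struct.pack_into("!Q", pkt, 32, to_ntp64(receive_unix))
    struct.pack_into("!Q", pkt, 40, to_ntp64(transmit_unix))
    return bytes(pkt)


def parse_packet(data: bytes) -> dict:
    if len(data) < PACKET_LEN:
        raise ValueError("short NTP packet")
    li, vn, mode = data[0] >> 6, (data[0] >> 3) & 7, data[0] & 7
    ref, orig, recv, xmit = struct.unpack("!4Q", data[16:48])
    return {"li": li, "version": vn, "mode": mode, "stratum": data[1],
            "reference": from_ntp64(ref), "originate": from_ntp64(orig),
            "receive": from_ntp64(recv), "transmit": from_ntp64(xmit)}


def offset_and_delay(t1, t2, t3, t4):
    """RFC 5905 clock offset and round-trip delay: t1 client send,
    t2 server receive, t3 server send, t4 client receive."""
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)


def check_reply(reply: bytes, sent_transmit: float) -> dict:
    """The minimum a client should verify before trusting a reply."""
    f = parse_packet(reply)
    if f["mode"] != 4:
        raise ValueError("not a server reply")
    if f["li"] == 3 or f["stratum"] == 0:
        raise ValueError("server is unsynchronized or sent a kiss-o'-death")
    if abs(f["originate"] - sent_transmit) > 1e-6:
        raise ValueError("originate timestamp does not match our request")
    return f


def simulate_sync(client_skew: float, network_delay: float = 0.020,
                  true_now: float = 1_700_000_000.0):
    """Constructed exchange: the client clock runs client_skew seconds ahead
    of true time, the server is exact. Returns (offset, delay) in seconds."""
    t1 = true_now + client_skew                  # client stamps its send time
    request = build_client_request(t1)
    t2 = true_now + network_delay / 2            # server receives
    t3 = t2 + 0.001                              # server answers 1 ms later
    reply = build_server_reply(request, t2, t3)
    t4 = t3 + network_delay / 2 + client_skew    # client stamps the arrival
    f = check_reply(reply, t1)
    return offset_and_delay(t1, f["receive"], f["transmit"], t4)


def query_server(host: str, timeout: float = 2.0):
    """Live query over UDP/123 (not exercised by the offline test)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(build_client_request(t1), (host, NTP_PORT))
        reply, _ = s.recvfrom(PACKET_LEN)
        t4 = time.time()
    f = check_reply(reply, t1)
    return offset_and_delay(t1, f["receive"], f["transmit"], t4)
```

check_reply is the part worth studying: a client should insist on mode 4, a non-zero stratum, a leap indicator other than 3, and an Originate timestamp that echoes its own Transmit timestamp. That last check is what stops an unsolicited reply from being accepted, but it is not authentication; an on-path attacker can still rewrite a genuine reply, which is why NTP authentication or a server you control is the real defence.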
Update the IOS
One of the easiest ways to keep your switch or router secure is to maintain the software on it. IOS updates not only fix bugs (including security vulnerabilities), they also provide feature enhancements. Most of Cisco's stackable switches offer lifetime warranties (which include software updates), so there are no excuses. You can request that Cisco TAC do a bug sweep if you are concerned about any possible issues before an upgrade.
Disable Unused Services
A recommended best practice for increasing security is to disable unused services. The service ? command in global configuration mode lists the services that can be turned on or off (it does not show which ones are currently running; check show running-config for that), as shown below (output truncated):
Router(config)#service ?
compress-config Compress the configuration file
config TFTP load config files
counters Control aging of interface counters
dhcp Enable DHCP server and relay agent
tcp-keepalives-in Generate keepalives on idle incoming network
tcp-small-servers Enable small TCP servers (e.g., ECHO)
telnet-zeroidle Set TCP window 0 when connection is idle
timestamps Timestamp debug/log messages
udp-small-servers Enable small UDP servers (e.g., ECHO)
Here is a list of common services that should be disabled (or enabled), along with a brief description of each service:
- no service pad – disables the X.25 packet assembler/disassembler service, which is almost never needed
- no service config – prevents the device from trying to load its configuration from a TFTP server at boot
- no service finger – disables the finger service, which lists logged-in users to anyone who asks
- no ip redirects (interface configuration) – stops the router from sending ICMP redirects out of that interface, which can help an attacker learn about the network topology; note that the global ip icmp redirect command only selects which type of redirect is sent, it does not turn them off
- no ip finger – another way to disable the finger service
- no ip gratuitous-arps – stops the router from sending gratuitous (unsolicited) ARP messages, a mechanism that man-in-the-middle attacks rely on
- no ip source-route – drops packets carrying the IP source-route option, which lets the sender dictate the hop-by-hop path and so bypass your routing policy
- service sequence-numbers – prefixes each log entry with a sequence number, so gaps in the log (dropped or deleted messages) become visible
- service tcp-keepalives-in – sends keepalives on incoming TCP sessions (e.g., Telnet or SSH to the device) so that hung management sessions are torn down rather than left open
- service tcp-keepalives-out – the same for TCP sessions initiated by the device
- no service udp-small-servers – disables the UDP echo, chargen and discard servers, which are rarely used and can be abused for traffic reflection
- no service tcp-small-servers – disables the TCP echo, chargen, discard and daytime servers, which are rarely used (both sets of small servers are off by default on current IOS, but verify)
- service timestamps debug datetime localtime show-timezone – timestamps each debug message with the date and time, using local time, and shows the time zone
- service password-encryption – obfuscates the cleartext passwords in the configuration file using type 7 encoding; this only defeats shoulder-surfing, because type 7 is a fixed XOR key stream that any tool can reverse, so use enable secret (and type 8/9 hashed secrets where your IOS supports them) for anything that matters
- service timestamps log datetime localtime show-timezone – timestamps each log message with the date and time, using local time, and shows the time zone
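To show why the service password-encryption entry above deserves its caveat, here is an added example (written for this guide, not Cisco code) that reverses a type 7 string in Python. The key stream is Cisco's published constant, identical on every IOS device. The sample configuration it scans is constructed; its first line is the enable password 7 0822455D0A16 that Lab 1 at the end of this chapter produces for the password cisco, and the other two type 7 strings are generated by encode_type7.

```python
import re

# Cisco's fixed type 7 key stream. It is public and identical on every IOS
# device, which is why "password 7" is obfuscation rather than encryption.
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

TYPE7_RE = re.compile(r"^[0-9]{2}(?:[0-9A-Fa-f]{2})+$")

# Running-config lines that carry a type 7 string: "enable password 7 ...",
# "username NAME password 7 ...", "password 7 ..." under a line, "key 7 ...".
# "enable secret"/"username ... secret" (types 5, 8, 9) are hashes and are
# deliberately not matched.
CONFIG_RE = re.compile(
    r"^[ \t]*(?P<line>.*\b(?:password|key) 7 (?P<hash>[0-9A-Fa-f]+))[ \t]*$",
    re.MULTILINE)


def decode_type7(encoded: str) -> str:
    """Reverse a 'password 7' string: the first two decimal digits are the
    starting offset into TYPE7_KEY, each following hex pair is one password
    byte XORed with the next key character."""
    if not TYPE7_RE.match(encoded):
        raise ValueError("not a type 7 string: %r" % encoded)
    offset = int(encoded[:2])
    chars = []
    for n, i in enumerate(range(2, len(encoded), 2)):
        byte = int(encoded[i:i + 2], 16)
        key_char = TYPE7_KEY[(offset + n) % len(TYPE7_KEY)]
        chars.append(chr(byte ^ ord(key_char)))
    return "".join(chars)


def encode_type7(plain: str, offset: int = 8) -> str:
    """Produce the string 'service password-encryption' would store."""
    if not 0 <= offset < len(TYPE7_KEY):
        raise ValueError("offset must index into the key stream")
    out = ["%02d" % offset]
    for n, ch in enumerate(plain):
        key_char = TYPE7_KEY[(offset + n) % len(TYPE7_KEY)]
        out.append("%02X" % (ord(ch) ^ ord(key_char)))
    return "".join(out)


def recover_type7_secrets(running_config: str):
    """Scan a saved 'show running-config' and return (line, cleartext) pairs
    for every type 7 credential found."""
    return [(m.group("line").strip(), decode_type7(m.group("hash")))
            for m in CONFIG_RE.finditer(running_config)]


# Constructed sample configuration. The enable password line is the one
# produced in Lab 1 of this chapter (password "cisco", offset 08).
SAMPLE_CONFIG = """
service password-encryption
!
hostname Router
!
enable password 7 0822455D0A16
username howtonetwork password 7 %s
!
line vty 0 15
 password 7 %s
 login local
""" % (encode_type7("cisco", 5), encode_type7("Telnet2016", 12))
```

Run recover_type7_secrets over a saved running configuration, and anything it returns should be moved to enable secret, to a hashed username secret, or to an external AAA server. The same goes for type 7 strings that turn up in backups, ticketing systems and configuration management tools: they are as good as cleartext.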
Using ACLs to Limit Telnet and SSH Access
You can use an ACL to determine which source addresses can reach the VTY lines. First, create the access list, then apply it to the VTY lines with the access-class command. I've added some other security-related commands also.
Switch(config)#access-list 11 permit 10.10.9.23
Switch(config)#access-list 11 permit 10.10.10.7
Switch(config)#line vty 0 15
Switch(config-line)#access-class 11 in
Switch(config-line)#transport input ssh
Switch(config-line)#transport output telnet ssh
Switch(config-line)#exec-timeout 5 0
Being able to configure the output above is a key CCNA exam topic, so make sure that you have it down cold. Let’s do a show run and take a look at the configuration; I also set SSH-only access, which you’ve seen how to do already. I displayed only the relevant part of the output below:
line vty 0 15
access-class 11 in
exec-timeout 5 0
transport input ssh
transport output telnet ssh
With that configuration, only hosts 10.10.9.23 and 10.10.10.7 are allowed to connect (every other source hits the implicit deny at the end of access list 11), they must connect using SSH (transport input ssh), and they must present a locally defined username and password (login local, configured earlier). If any one of those conditions fails, the session is not established. It's very important to note that on a line you apply an access-class, NOT an access-group, which is for interfaces. The transport output telnet ssh command controls which protocols an already logged-in user may use to open outbound sessions from the device. If there is no activity on the line for five minutes, the session is terminated.
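As an added example (not IOS code, and not from the page), the Python below models how the access-class and transport input checks above gate a VTY connection: a standard ACL is parsed into (action, network, wildcard) entries, evaluated top-down with first match winning and the implicit deny when nothing matches, and then combined with the transport list. The sample configuration is the one from this section plus a constructed access-list 12 that shows a wildcard mask and an explicit deny placed before a broader permit.

```python
import ipaddress
import re


def parse_standard_acl(config_text: str) -> dict:
    """Return {number: [(action, network, wildcard), ...]} with entries in
    configuration order, which is the order IOS evaluates them."""
    acls = {}
    for line in config_text.splitlines():
        parts = line.split()
        if (len(parts) < 3 or parts[0] != "access-list"
                or parts[2] not in ("permit", "deny")):
            continue
        number, action, rest = int(parts[1]), parts[2], parts[3:]
        if not rest or rest[0] == "any":
            net, wild = 0, 0xFFFFFFFF
        elif rest[0] == "host":
            net, wild = int(ipaddress.IPv4Address(rest[1])), 0
        else:                                   # "A.B.C.D [wildcard]"; no wildcard = host
            net = int(ipaddress.IPv4Address(rest[0]))
            wild = int(ipaddress.IPv4Address(rest[1])) if len(rest) > 1 else 0
        acls.setdefault(number, []).append((action, net, wild))
    return acls


def acl_permits(acls: dict, number: int, source: str) -> bool:
    """Top-down, first match wins; falling off the end is the implicit deny."""
    src = int(ipaddress.IPv4Address(source))
    for action, net, wild in acls.get(number, []):
        if (src | wild) == (net | wild):        # 1 bits in the wildcard are "don't care"
            return action == "permit"
    return False


def parse_vty(config_text: str) -> dict:
    """Pull access-class and transport input out of the 'line vty' block."""
    vty = {"access_class": None, "transport_input": None}
    in_vty = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("line "):
            in_vty = line.startswith("line vty")
            continue
        if not in_vty:
            continue
        m = re.match(r"access-class (\d+) in$", line)
        if m:
            vty["access_class"] = int(m.group(1))
        elif line.startswith("transport input "):
            vty["transport_input"] = line.split()[2:]
    return vty


def vty_session_allowed(config_text: str, source: str, protocol: str):
    """(allowed, reason) for a Telnet/SSH attempt from source to the VTY lines.
    Both gates must pass, and passing them only gets you to the login prompt."""
    acls, vty = parse_standard_acl(config_text), parse_vty(config_text)
    allowed = vty["transport_input"]
    if allowed is not None and "all" not in allowed and protocol not in allowed:
        return False, "transport input %s rejects %s" % (" ".join(allowed), protocol)
    number = vty["access_class"]
    if number is not None:
        if number not in acls:
            raise ValueError("access-class %d refers to a list with no entries" % number)
        if not acl_permits(acls, number, source):
            return False, "access-class %d denies %s (implicit deny)" % (number, source)
    return True, "%s from %s reaches the login prompt" % (protocol, source)


# Constructed sample: the VTY configuration from this section plus a second
# list (12) showing a wildcard mask and a deny placed before a wider permit.
SAMPLE_CONFIG = """
access-list 11 permit 10.10.9.23
access-list 11 permit 10.10.10.7
access-list 12 deny   10.10.10.7
access-list 12 permit 10.10.10.0 0.0.0.255
line vty 0 15
 access-class 11 in
 exec-timeout 5 0
 login local
 transport input ssh
 transport output telnet ssh
"""
```

The wildcard test (src | wild) == (net | wild) treats every 1 bit in the wildcard as don't care, which is the IOS rule, so 10.10.10.0 0.0.0.255 matches the whole /24 while the deny above it still catches 10.10.10.7 first. The checker deliberately stops with an error when access-class refers to a list that has no entries, because that is a misconfiguration worth catching before you rely on it.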
Restrict VLAN Information
All VLANs are permitted across a trunk link by default. To further lock down security, you can restrict a trunk to only the VLANs that actually need to cross it, as shown in the output below. Note that switchport trunk allowed vlan 7-12 replaces the whole list; use the add and remove keywords to edit an existing list without overwriting it:
Switch(config)#int fast0/4
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk allowed vlan ?
WORD VLAN IDs of the allowed VLANs when this port is in trunking mode
add add VLANs to the current list
all all VLANs
except all VLANs except the following
none no VLANs
remove remove VLANs from the current list
Switch(config-if)#switchport trunk allowed vlan 7-12
Switch(config-if)#^Z
Switch#show interface trunk
Port Mode Encapsulation Status Native vlan
Fa0/4 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/4 7-12
Change the Native VLAN
As discussed earlier, the native VLAN carries untagged traffic on an 802.1Q trunk link. The default native VLAN on a trunk port is VLAN 1, which is predictable and is also where every unconfigured access port sits. You can improve the security of the network by changing the native VLAN (any valid VLAN number from 2 to 4094 can be used; 4095 is reserved) and choosing one that is not assigned to any access port, so that untagged frames arriving on the trunk can never reach a user port.
The native VLAN can be verified using the show interfaces [int] switchport command, as shown below:
Switch#show interfaces FastEthernet0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
The native VLAN can be changed using the switchport trunk native vlan interface-level command. Remember that both sides of the connection must have the same native VLAN.
Switch(config-if)#switchport trunk native vlan 888
Switch#show interfaces FastEthernet0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 888
Voice VLAN: none
This is one of the key objectives in the CCNA syllabus, so bear it in mind and ensure that you can issue the show and configuration commands above. Native VLANs must match on either side of a trunk link and they must also be manually configured if you want them to be a number other than 1. There is no autodetect feature for native VLANs, so you can't rely on the other side of your trunk link setting itself to match the configured side. A mismatch is reported by CDP as a %CDP-4-NATIVE_VLAN_MISMATCH syslog message; because a mismatch effectively bridges the two VLANs together, treat that message as a security problem rather than a cosmetic one.
Change the Management VLAN
As you know, a Switched Virtual Interface (SVI) can be created on the switch so that you can access it via Telnet/SSH for management purposes. By default, this is VLAN 1. A good security practice is to use a dedicated management VLAN instead. Create another VLAN and SVI, as shown below, and then remove the IP address from interface Vlan1 (or shut it down) so that the switch is no longer manageable from the default VLAN:
Switch(config)#vlan 3
Switch(config-vlan)#interface vlan 3
%LINK-5-CHANGED: Interface Vlan3, changed state to up
Switch(config-if)#ip address 192.168.1.1 255.255.255.0
Simple Network Management Protocol
SNMP allows for the management of your network via one or more network management stations. SNMP uses trap messages to notify the SNMP management station about events in the network. The SNMP management station can also poll the network device to determine its state. Finally, SNMP can be used to remotely configure your network devices. SNMP is disabled by default, which you can verify with the following command:
Switch#show snmp
%SNMP agent not enabled
Let's configure SNMP for read-only access (use write access only if it is absolutely necessary), restricted by an ACL:
Switch(config)#snmp-server community HoWtOnEtWoRk ro 15
Switch(config)#access-list 15 permit 10.10.10.15
Switch(config)#access-list 15 permit 10.10.10.16
In the first line, SNMP was configured using the community string HoWtOnEtWoRk with read-only access (that is the ro), and only the two addresses in access list 15 are permitted to use it. Bear in mind that with SNMPv1 and v2c the community string travels in cleartext, so the ACL limits who may talk to the agent but does not protect the string from anyone who can sniff the traffic, and even a read-only string exposes the interface table, ARP cache, routing table and system details. SNMPv3 adds authentication and encryption for additional security. We will discuss SNMP again later in this guide.
Securing VTP
If you use VTP in your network, you will certainly want to configure a password. This ensures that only switches that know the password can join your VTP domain and send VLAN database updates to it.
Switch#show vtp password
The VTP password is not configured.
Let’s configure the password:
Switch(config)#vtp password IwAnTmYcCnA
Setting device VLAN database password to IwAnTmYcCnA
Switch(config)#end
Switch#show vtp password
VTP Password: IwAnTmYcCnA
You will have to configure the password on each switch in your VTP domain. If a switch does not have the password, it will not participate in VTP. Bear in mind that show vtp password displays the password in cleartext, and that a switch which knows the domain name and password and carries a higher configuration revision number will still overwrite the VLAN database, so the password is no substitute for controlling which switches get connected.
External Authentication Methods
We have explored how to configure local usernames on the router. Although the method is easy, it is not scalable because it can become very difficult to manage many usernames on a router or a switch. A better alternative is to use external authentication methods. External authentication can be provided using either the TACACS+ or RADIUS protocol which we briefly discussed earlier.
- TACACS+ (Terminal Access Controller Access Control System Plus) is a Cisco proprietary protocol (its specification has since been published as RFC 8907) that operates on TCP port 49 and encrypts the packet body. It is used to provide access control to network devices.
- RADIUS (Remote Authentication Dial-In User Service) is an open standard protocol (RFC 2865) used to authenticate and authorize remote access to the network. It operates on UDP ports 1812 (authentication) and 1813 (accounting); older implementations use 1645 and 1646.
To set up a router or a switch to use RADIUS/TACACS+, you need to set up AAA on the device, which is covered in the AAA section below.
AAA
AAA has been featured in the CCNA syllabus for a few years now, and you can expect to see at least a question about what it does. Cisco has now expanded on this, specifically addressing managing devices with AAA through TACACS+ and RADIUS.
AAA stands for Authentication, Authorization, and Accounting and each serves a different purpose:
- Authentication – verifies identity (e.g., username and password)
- Authorization – what is a person allowed to do (after authentication)?
- Accounting – what did the person do?
An example of AAA would be online banking, which requires customers to log in using their username, password, and possibly some sort of PIN verification. Once logged in, customers are authorized to view their account balance but are not authorized to change it (unfortunately). The accounting part of AAA logs customers’ activities.
On Cisco devices, AAA serves two purposes, network access (e.g., what VLAN to place a user in) and device management (e.g., username/password to configure the device or just view privileges).
AAA Servers
You can use the local database of a device to perform some functions, such as check incoming connections against a list of permitted users, but if you want to use AAA to full effect, then it is recommended that you use external AAA servers. This service will usually go hand in hand with either RADIUS (Remote Authentication Dial-in User Service) or TACACS+ (Terminal Access Controller Access-Control System Plus) protocols, which are used to connect to and communicate with external AAA servers. Some AAA servers support either or both of these protocols.
Cisco Secure ACS (Access Control Server) supports both, whereas Cisco ISE (Identity Service Engine) used to support only RADIUS but now supports both.
TACACS+ provides a centralized method of validating users who are trying to gain access to network devices (routers or network access servers). The TACACS+ client runs on the router and forwards the login information, with the packet body encrypted, to the TACACS+ server when a user attempts to authenticate. This requires a login ID and password, and once verified, the server can return an authorization profile restricting what the user can and cannot do.
RADIUS (as the name suggests) was designed to authenticate dial-in access to a network. The RADIUS client software resides on the router or Network Access Server (NAS) and communicates with the RADIUS server. Unlike TACACS+, it cannot control which individual commands an authenticated user may execute, because authentication and authorization are returned together in a single Access-Accept.
Figure 23.11 below shows a user being authenticated using RADIUS, with the username iinsuser and the password s3cur!ty. The NAS starts the RADIUS exchange when the remote user attempts to authenticate after dialing in. The steps are covered in more detail in the CCNA Cyber Ops material.
FIG 23.11 – User authentication
Although TACACS+ and RADIUS provide the same function, they operate in different ways. Table 23-2 below summarizes the main differences:
Table 23-2: TACACS+ versus RADIUS
TACACS+ | RADIUS |
TCP port 49 | UDP 1812/1813 (legacy 1645/1646) |
Encrypts the entire packet body (only the header is cleartext) | Hides only the User-Password attribute; everything else is cleartext |
Separates the three AAA functions | Combines authentication and authorization |
Per-command authorization, so most suitable for device management | No per-command authorization, so most suitable for network access |
Cisco proprietary (published as RFC 8907) | Open standard (RFC 2865) |
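The "hides only the password" row is easy to underestimate, so here is an added example (written for this guide, not taken from any RADIUS implementation) that builds a RADIUS Access-Request in Python and shows what a sniffer on the NAS-to-server path sees. The User-Password hiding follows RFC 2865 section 5.2: the password is padded to 16-byte blocks and each block is XORed with MD5(secret + previous block), seeded by the 16-byte Request Authenticator. The username and password are the ones from Figure 23.11, the shared secret cisco is the one used in the AAA configuration later in this section, and the NAS address 10.0.0.1 and the fixed authenticator are constructed so the output is reproducible.

```python
import hashlib
import ipaddress
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4


def hide_password(password: str, secret: str, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-octet blocks, then c1 = p1 XOR MD5(S + RA),
    c_n = p_n XOR MD5(S + c_(n-1)). S = shared secret, RA = Request Authenticator."""
    p = password.encode()
    if not 1 <= len(p) <= 128 or len(authenticator) != 16:
        raise ValueError("password must be 1..128 octets, authenticator 16 octets")
    p += b"\x00" * (-len(p) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(p), 16):
        b = hashlib.md5(secret.encode() + prev).digest()
        c = bytes(x ^ y for x, y in zip(p[i:i + 16], b))
        out, prev = out + c, c
    return out


def reveal_password(hidden: bytes, secret: str, authenticator: bytes) -> str:
    """The inverse. It needs only the shared secret and the captured packet."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret.encode() + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode(errors="replace")


def attribute(attr_type: int, value: bytes) -> bytes:
    """TLV: Type(1) Length(1, counting the two header octets) Value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(identifier, username, password, secret, nas_ip,
                         authenticator=None) -> bytes:
    """Code(1) Identifier(1) Length(2) Request Authenticator(16) Attributes."""
    if authenticator is None:
        authenticator = os.urandom(16)        # must be unpredictable per request
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + attribute(ATTR_NAS_IP, ipaddress.IPv4Address(nas_ip).packed))
    return (struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
            + authenticator + attrs)


def parse_packet(data: bytes):
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length != len(data):
        raise ValueError("bad RADIUS length field")
    attrs, i = {}, 20
    while i < length:
        if i + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > length:
            raise ValueError("malformed attribute")
        attrs[t] = data[i + 2:i + l]
        i += l
    return code, identifier, data[4:20], attrs


def sniffer_view(packet: bytes, secret: str = None) -> dict:
    """What an observer learns from one captured Access-Request, with and
    without knowledge of the shared secret."""
    code, identifier, authenticator, attrs = parse_packet(packet)
    view = {"user": attrs[ATTR_USER_NAME].decode(),                 # cleartext
            "nas_ip": str(ipaddress.IPv4Address(attrs[ATTR_NAS_IP])),  # cleartext
            "password_octets": len(attrs[ATTR_USER_PASSWORD])}      # length bucket leaks
    if secret is not None:
        view["password"] = reveal_password(attrs[ATTR_USER_PASSWORD], secret, authenticator)
    return view


# Constructed sample: credentials from Figure 23.11, key from the AAA
# configuration later in this section, fixed authenticator for reproducibility.
EXAMPLE_AUTH = bytes(range(16))
EXAMPLE_PACKET = build_access_request(42, "iinsuser", "s3cur!ty", "cisco",
                                      "10.0.0.1", EXAMPLE_AUTH)
```

Everything except the User-Password attribute (User-Name, NAS-IP-Address and, in a real deployment, NAS-Port, Called-Station-Id and the rest) crosses the wire in cleartext, and the password hiding is a keyed XOR with MD5 rather than encryption: anyone holding the shared secret and a capture recovers the password with reveal_password. Keep the shared secret long and unique per NAS, and do not run RADIUS across untrusted networks without IPsec or RadSec (RADIUS over TLS).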
Configuring AAA on Cisco Devices
Cisco does not specify that you must know how to configure AAA; however, configuration commands have been asked about in previous exams. Here are the steps:
- Enable AAA
- Define individual or group AAA servers (if using external AAA servers)
- Define method lists for different AAA functions
- Apply method lists to necessary parts of the device (e.g., VTY lines)
AAA is enabled with the following command:
R1(config)#aaa new-model
As soon as this command is entered, local-database authentication is applied to all lines (VTY and AUX) other than the console, which is left as it was. If no local username exists at that moment, you can lock yourself out of remote access, so define a local username first and keep your console session open until you have tested a new login. It is also recommended that you keep a fallback local username and password in the method list in case the AAA server becomes unreachable.
You can define AAA servers with the following commands:
R1(config)#radius-server host 10.0.0.100 key cisco
R1(config)#tacacs-server host 10.0.0.100 key cisco
The commands above are deprecated in newer IOS releases in favour of named server definitions (radius server NAME and tacacs server NAME, each with address ipv4 and key sub-commands), so check the syntax for your IOS version.
End of Chapter Questions
Please visit https://www.howtonetwork.com/ccnasimplified to take the free Chapter 23 exam.
Chapter 23 Labs
Lab 1: Basic Router Security
The physical topology is shown in Figure 23.12 below:
FIG 23.12 – Basic router security
Lab Exercise
Your task is to configure basic access and security features on a router.
Purpose
Learn some basic steps to take to lock down your router.
Lab Objectives
- Protect enable mode with a password.
- Enable service password encryption.
- Protect the Telnet and console lines.
- Add a banner.
- Turn off CDP.
- Configure router logging.
Lab Walk-through
- Protect enable mode with an enable secret password. Test this by logging out of privileged mode and then logging back in:
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#enable secret cisco
Router(config)#exit
Router#
%SYS-5-CONFIG_I: Configured from console by console
Router#exi
Router con0 is now available
Press RETURN to get started.
Router>en
Password:
Router#
- Set an enable password and then add service password-encryption. This is rarely done on live routers, because the type 7 string it produces is reversible and only hides the password from someone glancing at the screen; enable secret stores a hash instead and is the one to use. The step is here so that you can see the difference in the running configuration.
Router(config)#no enable secret
Router(config)#enable password cisco
Router(config)#service password-encryption
Router(config)#exit
Router#
%SYS-5-CONFIG_I: Configured from console by console
Router#show run
Building configuration…
Current configuration: 480 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname Router
!
enable password 7 0822455D0A16
- Protect the Telnet lines. Set a local username and password and have users enter these when connecting to the router. Because login local sends every remote login to the local user database, make sure the username exists before you leave the console (below it is created straight after). You may have more or fewer VTY lines depending on your platform.
Router(config)#line vty 0 ?
[1-15] Last Line number
[cr]
Router(config)#line vty 0 15
Router(config-line)#login local
Router(config-line)#exi
Router(config)#username howtonetwork password cisco
You have tested Telnet before, but feel free to add a PC and telnet to the router so that you are prompted for a username and password.
- Protect the console port with a password. Set one directly on the console line; the login command is what actually makes the line prompt for it (a password without login is never asked for).
Router(config)#line console 0
Router(config-line)#password cisco
Router(config-line)#login
You can test this by unplugging and plugging your console lead back into the router. You can also protect the auxiliary port on your router if you have one:
Router(config)#line aux 0
Router(config-line)#password cisco
Router(config-line)#login
- Protect the Telnet lines by permitting only SSH traffic in. You can also permit only SSH traffic outbound. The transport commands themselves are accepted on any image, but for SSH sessions to actually work the router needs a crypto (k9) IOS image, a hostname, a domain name and an RSA key pair, as covered earlier.
Router(config)#line vty 0 15
Router(config-line)#transport input ssh
Router(config-line)#transport output ssh
- Add a banner message of the day (MOTD). Set the character that tells the router you have finished with your message as X (the delimiting character).
Router(config)#banner motd X
Enter TEXT message. End with the character “X”.
Do not use this router without authorization. X
Router(config)#exit
Router#exit
Router con0 is now available
Press RETURN to get started.
Do not use this router without authorization.
Router>
- Turn off CDP on the entire router. You can disable it on an interface only with the no cdp enable interface command.
Router(config)#no cdp run
You can test whether this is working by connecting a switch or router to your router before you turn off CDP and issuing the show cdp neighbor [detail] command.
- Set the router to send logging messages to a host in the network:
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#logging ?
A.B.C.D IP address of the logging host
buffered Set buffered logging parameters
console Set console logging parameters
host Set syslog server IP address and parameters
on Enable logging to all enabled destinations
trap Set syslog server logging level
userinfo Enable logging of user info on privileged mode enabling
Router(config)#logging 10.1.1.1
Lab 2: Switch Security
The physical topology is shown in Figure 23.13 below:
FIG 23.13 – Switch security
Lab Exercise
Your task is to configure basic access and security features on a switch. Please note that your switch will need an IOS image with SSH support (a crypto/k9 image) for the final step.
Purpose
Learn how to apply basic security settings on a Cisco switch.
Lab Objectives
- Set up Telnet access.
- Assign a management IP address to the switch.
- Configure SSH.
Lab Walk-through
- Connect a PC or laptop to your switch. In addition, set up a console connection for your configuration. The port to which you connect your PC will be the one you configure security settings on in this lab. I have chosen Fast Ethernet 0/1 on my switch.
Enter line configuration mode for the VTY lines and set up Telnet access, referring to a local username and password.
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#line vty 0 ?
[1-15] Last Line number
[cr]
Switch(config)#line vty 0 15
Switch(config-line)#login local
Switch(config-line)#exit
Switch(config)#username days password cisco
Switch(config)#
- Add an IP address to VLAN 1 on the switch (all ports are in VLAN 1 automatically). Additionally, add the IP address 192.168.1.1 to your PC’s Fast Ethernet interface.
Switch(config)#interface Vlan1
Switch(config-if)#ip address 192.168.1.2 255.255.255.0
Switch(config-if)#no shut
%LINK-5-CHANGED: Interface Vlan1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
Switch(config-if)#^Z
Switch#ping 192.168.1.1 – Tests connection from switch to PC
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 31/31/32 ms
- Test Telnet by telnetting from your PC to your switch.
- Your IT manager changes his mind and wants only SSH access, so change this on your VTY lines. Only certain models and IOS versions will support the SSH commands.
Switch(config)#line vty 0 15
Switch(config-line)#transport input ssh
- Now telnet from your PC to the switch. Because only SSH is permitted, the connection should fail.