CCNP Course Institute in Delhi

Tuesday, December 14, 2010

Mitigating Security Threats CCSP Bootcamp Training in India

Network Bulls
www.networkbulls.com
Best Institute for CCNA CCNP CCSP CCIP CCIE Training in India
M-44, Old Dlf, Sector-14 Gurgaon, Haryana, India
Call: +91-9654672192


To mitigate security threats, you need to create a comprehensive network security plan. This
plan will include how to mitigate numerous kinds of security threats:

- Hardware threats
- Environmental threats
- Electrical threats
- Maintenance threats
- Reconnaissance attacks
- Access attacks
- Password attacks

Anti-x
Cisco’s Adaptive Security Appliance (ASA) helps you provide an overall, in-depth security
design for your network with a variety of tools that can prevent a lot of the security problems
I’ve listed in this chapter. Since a lot of the individual tool names start with “anti”, Cisco uses the
term “anti-x” to refer to the whole class of security tools that prevent these problems, including
antivirus, antispyware, antispam, and so on.
There are a couple of other security appliances that can be used to help prevent the more
sophisticated kinds of attacks. These tools are known as intrusion detection systems (IDSs) and
intrusion prevention systems (IPSs). They help prevent threats by watching for trends, particular
patterns, and other factors.
Password and hardware attacks are the most important to know for the CCENT exam, and
that is what I’ll cover in the next section.
Mitigating Password, Router and Switch Attacks
This section discusses the basics of mitigating password and basic router and switch
security attacks.
Here’s how to mitigate password attacks:

- Do not allow users to use the same password on multiple systems.
- Disable accounts after a certain number of unsuccessful login attempts.
- Do not use clear-text passwords; for example, use SSH instead of Telnet, and use the
  enable secret password instead of the clear-text enable password.
- Use strong passwords, such as !@gL0bAlN8t rather than globalnet.
To mitigate router and switch security attacks, apply the principles I just outlined for
mitigating password attacks.
First, mitigate any hardware attacks on your router and switches by physically securing
network equipment from potential access by unauthorized individuals. Then configure SSH,
encrypted passwords, and banners. Here is how this is done (I already covered these commands
in Chapter 4, “Introduction to the Cisco IOS and SDM,” and Chapter 7, “Layer 2
Switching,” but a refresher never hurt anyone):
Router#config t
Router(config)#hostname R1
R1(config)#enable secret cisco
R1(config)#username Todd password Lammle
R1(config)#ip domain name lammle.com
R1(config)#ip http secure-server
R1(config)#service password-encryption
R1(config)#line con 0
R1(config-line)#password console
R1(config-line)#login
R1(config-line)#line aux 0
R1(config-line)#password aux
R1(config-line)#login
R1(config-line)#exit
R1(config)#line vty 0 ?
  <1-807>  Last Line number
  <cr>
R1(config)#line vty 0 807
R1(config-line)#password SSHonly
R1(config-line)#login local
R1(config-line)#transport input ssh
R1(config-line)#exit
R1(config)#banner motd # Authorized Access Only! Please enter your username and password. #
R1(config)#exit
R1#copy run start
Destination filename [startup-config]?[enter]
Building configuration...
[OK]
R1#
The preceding commands work on both a router and a switch. It is important to remember
how to configure your router to allow Secure Shell instead of the insecure telnet protocol
(transport input ssh). Now, let’s add port security on a switch to enable even more security.
Switch Port Security
You can stop someone from simply plugging a host into one of your switch ports—or worse,
adding a hub, switch, or access point into the Ethernet jack in their office—by using port
security,which prevents unauthorized hosts from accessing the LAN.
Here are your options:
Switch#config t
Switch(config)#int f0/1
Switch(config-if)#switchport port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
  <cr>
You can see clearly in the preceding output that the switchport port-security command
can be used with four options. Personally, I like the port-security command because it allows
me to easily control users on my network. You can use the switchport port-security mac-address
mac-address command to assign individual MAC addresses to each switch port, but
if you choose to go there, you’d better have a lot of time on your hands!
If you want to set up a switch port to allow only one host per port, and to shut down the
port if this rule is violated, use the following commands:
Switch#config t
Switch(config)#int f0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation shutdown
These commands are probably the most popular because they prevent users from connecting
to a switch or access point that’s in their office. The maximum setting of 1 means only one
MAC address can be used on that port; if the user tries to add another host on that segment,
the switch port will shut down. If that happens, you’d have to manually go into the switch and
enable the port with a no shutdown command.
MAC-Address Security
You can add a static MAC address on a switch port to provide security, but that seems like a lot
of administrative work to add every user’s MAC address into the switch configuration! Probably
one of my favorite commands is the sticky command. Not only does it perform a cool function,
it’s got a cool name! You can find this command under the mac-address command:
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#switchport port-security maximum 2
Switch(config-if)#switchport port-security violation shutdown
Basically, what this does is provide static MAC address security without having to type in
everyone’s MAC address on the network. As I said—cool!
In the preceding example, the first two MAC addresses into the port “stick” as static
addresses and will stay that way for however long you set the aging command for. Why did
I set it to 2? Well, I wanted one for the PC/data and one for telephony/phone.
To verify port security on a Catalyst switch, use the command show port-security.
Here’s an example:
Switch#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              2            1                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024
Switch#
You can even get more granular information with the following command:
Switch#show port-security interface fastEthernet 0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address        : 001a.2f52.3bf8
Security Violation Count   : 0
Switch#
Okay, now here is where the coolest part of the sticky command comes into play. When a
MAC address “sticks” to the interface, it is actually placed in running-config. This allows you
to save the MAC address (with a copy running-config startup-config) and basically
have static MAC address mappings for each port—with a lot less administration!
Switch#sh run | begin interface
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 001a.2f52.3bf8
!
Securing Unused Ports
Last, you need to secure unused ports on your switch because they can create a security hole.
You don’t want anyone connecting a host or another switch into your switches and adding
devices to the network, right? Shut down any unused ports to disable the interfaces:
Switch(config-if)#shutdown
And remember, you can use the range command to configure multiple ports at that same time:
Switch(config)#interface range f0/1 - 12
Switch(config-if)#shutdown
Now, this sounds easy, doesn’t it? But what if someone were able to get into the switch and
enable the ports? Then you’d be back to square one. So, in addition to shutting down the ports,
you should prevent VLAN trunking and VTP by using the switchport mode access command,
meaning the port won’t become a trunk port, nor will it pass VTP information (both
VLANs and VTP are covered in CCNA: Cisco Certified Network Associate Study Guide,
Sixth Edition).
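As an added example (not the book’s text or any Cisco tool), here is a small Python audit that reads a saved running-config and checks the items this section and the router section cover: an enable secret, service password-encryption, SSH-only vty lines with login local, port security on active ports, and unused ports that are both shut down and pinned to access mode. SAMPLE_CONFIG is a constructed sample, and the enable-secret hash is a placeholder.

```python
# Added example (not the book's or Cisco's code); SAMPLE_CONFIG is constructed.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 <hash-placeholder>
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
interface FastEthernet0/2
 shutdown
interface FastEthernet0/3
line vty 0 807
 login local
 transport input telnet ssh
"""

def parse_sections(config):
    """Return (top-level lines, {section header: [indented sub-commands]})."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!": continue      # skip blanks and IOS separators
        if raw.startswith(" ") and current is not None:
            sections[current].append(line)       # sub-command of the open section
        else:
            current = line
            sections[current] = []
            top.append(line)
    return top, sections

def audit(config):
    """Return findings as strings; an empty list means every check passed."""
    top, sections = parse_sections(config)
    findings = []
    if not any(cmd.startswith("enable secret") for cmd in top):
        findings.append("global: no 'enable secret' configured")
    if "service password-encryption" not in top:
        findings.append("global: 'service password-encryption' is missing")
    for name, body in sections.items():
        if name.startswith("line vty"):
            if "transport input ssh" not in body:
                findings.append(f"{name}: Telnet still allowed, want 'transport input ssh'")
            if "login local" not in body:
                findings.append(f"{name}: missing 'login local'")
        elif name.startswith("interface"):
            if "shutdown" in body and "switchport mode access" not in body:
                findings.append(f"{name}: shut down but not 'switchport mode access'")
            elif "shutdown" not in body and "switchport port-security" not in body:
                findings.append(f"{name}: active port without port-security")
    return findings
```

Running audit(SAMPLE_CONFIG) flags Fa0/2 (shut but still able to trunk), Fa0/3 (live with no port security) and the vty lines (Telnet still permitted).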
