Network security has been seen as a separate function, but security has evolved to be a pervasive element. Routers are
both potential targets for attacks and platforms that can offer security services.
Network devices have three types of functions and traffic, all of which are affected by security concerns:
- Management plane: The functions involved in management, such as device access, configuration, and telemetry.
- Control plane: The functions spoken between network devices, such as routing protocols.
- Data plane: Packet forwarding functionality.
Security for the management plane means controlling all the means of accessing the device and making configuration
changes. Common security steps for the various access protocols include
- Console: Physically secure access to the device and set reasonable time-outs. Use password-protected modems for
out-of-band access, and control authentication centrally with RADIUS or TACACS+ so that passwords can be changed regularly.
- Telnet/SSH: Limit the use of telnet because it transmits usernames and passwords in the clear. Where it cannot be removed,
restrict telnet access with access-lists to predefined IPs. Use SSH instead.
- HTTP/HTTPS/SNMP: Centralize authentication and limit access to predefined IPs. Disable these services if they are not used.
© 2010 Pearson Education, Inc. All rights reserved. This publication is protected by copyright. Please see page 69 for more details.
CCNP TSHOOT 642-832 Quick Reference by Brent Stewart
CHAPTER 6
Troubleshooting Security Features
Many control plane protocols, such as EIGRP, OSPF, HSRP, and GLBP, include peer authentication based on MD5
hashing; this authenticates the neighbor and protects the messages against tampering, but it does not encrypt them.
Vulnerabilities in ARP and DHCP can be addressed with switch capabilities that inspect those protocols and deal with
maliciousness. DHCP snooping accepts DHCP server responses only on trusted ports and builds a binding table of
IP-to-MAC-to-port mappings, and Dynamic ARP Inspection checks ARP replies against that table and drops spoofed ones.
Likewise, spanning-tree protection is available based on an understanding of the topology, using technologies such as
root guard and BPDU guard. The router can also protect against maliciousness by performing a reverse path check
(unicast RPF), making sure that packets arrive on the interface that would be used to route the reply to their source address.
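The reverse path check described above, as an added example that is not part of the Quick Reference: the forwarding table, interface names and sample packets are constructed for illustration. The block goes a little beyond the text in that it shows both strict mode (the route back to the source must point out the ingress interface) and loose mode (any route to the source is enough), because the choice between them is what decides whether the check drops legitimate traffic on asymmetric paths.

```python
"""Unicast reverse path forwarding (uRPF) check, modelled in Python.

Added example, not from the Quick Reference: the forwarding table, interface
names and sample packets below are constructed for illustration. The block
shows both strict mode, which the text describes, and loose mode.
"""
import ipaddress

# Constructed forwarding table: (prefix, interface the router uses to reach it).
# The last entry is a default route toward the Internet.
FIB = [
    ("10.1.0.0/16", "FastEthernet0/0"),   # inside network
    ("10.1.5.0/24", "FastEthernet0/1"),   # more specific inside subnet
    ("192.0.2.0/24", "Serial0/0"),        # a peer's network
    ("0.0.0.0/0", "Serial0/0"),           # default route
]
FIB_NO_DEFAULT = FIB[:-1]  # same table without the default route


def lookup(fib, address):
    """Longest-prefix match: the interface used to reach `address`,
    or None when no route covers it."""
    addr = ipaddress.ip_address(address)
    best_net, best_iface = None, None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def urpf_check(fib, src, ingress, mode="strict"):
    """True if a packet from `src` arriving on `ingress` passes the check.

    strict: the route back to src must point out the ingress interface
            (what the text describes; drops spoofed sources, but also
            legitimate traffic on asymmetric paths).
    loose:  any route to src is enough (safe on asymmetric multihomed links,
            but it only catches sources that are unroutable altogether).
    """
    reverse_iface = lookup(fib, src)
    if reverse_iface is None:
        return False
    if mode == "loose":
        return True
    return reverse_iface == ingress


def evaluate(fib, packets):
    """Run both modes over constructed (src, ingress) pairs."""
    return [(src, ingress,
             urpf_check(fib, src, ingress, "strict"),
             urpf_check(fib, src, ingress, "loose"))
            for src, ingress in packets]


if __name__ == "__main__":
    # Constructed packets: a genuine inside host, the same host on the wrong
    # interface, an Internet source, and an inside address spoofed from outside.
    samples = [
        ("10.1.5.7", "FastEthernet0/1"),
        ("10.1.5.7", "FastEthernet0/0"),
        ("198.51.100.9", "Serial0/0"),
        ("10.1.2.3", "Serial0/0"),
    ]
    for src, ingress, strict, loose in evaluate(FIB, samples):
        print(f"{src:<14} on {ingress:<16} strict={strict!s:<5} loose={loose}")
```

The spoofed inside address arriving on Serial0/0 is caught only by strict mode; with a default route present, loose mode accepts it because every address is routable somewhere.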
The data plane is secured by controlling access, visibility, and flow. Keeping unauthorized users off the network is the
role of network access control and 802.1X. Encryption and VLANs can be used to isolate traffic and prevent interception.
Finally, traffic flows can be limited and inspected using access-lists, Flexible Packet Matching, the IOS Firewall, and
intrusion prevention. IP source tracker provides an easier, more scalable way of tracing the sources of a DoS attack than
the traditional ACL-based approach. Zone-based policy firewalls let you get granular in inspection: interfaces are assigned
to zones, and well-defined zone pairs specify what traffic is permitted between them.
The IOS Firewall is easy to set up. An access-list applied inbound on the outside interface blocks all nonapproved traffic.
Context-Based Access Control (CBAC) is then applied outbound on the same interface: it inspects connections leaving the
network and creates temporary openings in that access-list so that the replies to outbound connections are allowed back in.
Note that only the protocols named in the inspect rule get return entries, and that an inbound deny-all also stops any
traffic the router itself needs on that interface (routing neighbors, management access), which must be permitted explicitly:
ip access-list extended block
 deny ip any any
!
! The inspect rule needs at least one protocol; tcp and udp cover most sessions
ip inspect name CBAC tcp
ip inspect name CBAC udp
!
interface FastEthernet0/0
 ip access-group block in
 ip inspect CBAC out
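How the inbound deny-all and the outbound inspect rule work together, as an added example that is not part of the Quick Reference: the model below keeps a session table of expected reply flows, the way CBAC's temporary openings behave, and runs constructed packets through it. Addresses, ports and the class name are assumptions; real CBAC also tracks TCP state and UDP idle timers, which the model omits.

```python
"""CBAC-style stateful inspection, modelled in Python.

Added example, not from the Quick Reference: it models the configuration
above (inbound deny-all access-list plus an outbound inspect rule on the
outside interface) with a session table. Addresses and ports are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp", "icmp", ...
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self):
        """The flow a reply to this packet would use (addresses and ports swapped)."""
        return Packet(self.proto, self.dst, self.dport, self.src, self.sport)


class CbacInterface:
    """The outside interface: 'ip access-group block in' + 'ip inspect CBAC out'.

    Only the protocols listed in the inspect rule get return entries;
    anything else arriving inbound hits the static deny."""

    def __init__(self, inspected=("tcp", "udp")):
        self.inspected = set(inspected)
        self.sessions = set()   # reply flows CBAC will let back in

    def outbound(self, pkt):
        """Traffic leaving toward the outside is forwarded; if inspected,
        its expected reply is recorded as a temporary opening."""
        if pkt.proto in self.inspected:
            self.sessions.add(pkt.reply())
        return "forward"

    def inbound(self, pkt):
        """Traffic arriving from the outside: CBAC's dynamic entries are
        checked before the access-list's 'deny ip any any'."""
        if pkt in self.sessions:
            return "forward-session"
        return "drop-acl"

    def close(self, pkt):
        """Session ended (TCP FIN/RST seen or idle timeout): remove the opening,
        so the same reply tuple is denied afterwards."""
        self.sessions.discard(pkt.reply())


if __name__ == "__main__":
    fw = CbacInterface()
    web = Packet("tcp", "10.1.1.5", 40000, "203.0.113.10", 80)
    print("outbound web request:", fw.outbound(web))
    print("reply to that request:", fw.inbound(web.reply()))
    print("reply to a different client port:",
          fw.inbound(Packet("tcp", "203.0.113.10", 80, "10.1.1.5", 40001)))
    print("unsolicited SSH from outside:",
          fw.inbound(Packet("tcp", "198.51.100.7", 1234, "10.1.1.5", 22)))
    ping = Packet("icmp", "10.1.1.5", 0, "203.0.113.10", 0)
    fw.outbound(ping)
    print("echo reply (icmp not inspected):", fw.inbound(ping.reply()))
    fw.close(web)
    print("web reply after session closed:", fw.inbound(web.reply()))
```

The ICMP case is the one that surprises people in practice: an outbound ping leaves fine, but because icmp is not in the inspect rule its echo reply is dropped by the inbound access-list, so the inside host sees a timeout rather than a firewall error.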
Troubleshooting Security Features
The key issue with security features is that they limit traffic in order to implement a security policy. This can work against
the natural flow of troubleshooting, where the focus is on allowing communication. The task is to recognize where the security
policy intersects with the troubleshooting steps, and to always work within the organization's change control system.
Troubleshooting the management plane, specifically authentication, can be tricky because it is possible to lock yourself
out. The best approach is to have a backup plan to access the router: out-of-band access, a user on site who can reset power,
or a second authentication method. If no one is onsite, use the reload in 10 command to schedule a reboot in 10 minutes
before beginning work, and cancel it with reload cancel once the change is verified (the reboot restores the last saved
configuration, so do not save the running configuration until you are sure of it). It is also a good idea to allow local
authentication (shown next) so that if access-list changes block access to RADIUS or TACACS+ there is still a way to log
in. Note that the local method is consulted only when the TACACS+ servers do not respond, not when they reject the login,
so an unreachable server is exactly the case this covers. In production, prefer username brent secret ..., which stores a
hash rather than a reversibly encoded password:
aaa new-model
aaa authentication login default group tacacs+ local
username brent password denise
SNMP uses UDP port 161 (traps are sent to UDP 162), and access-list blocking can be tested using extended traceroute with
that port number. SNMP can also be set up with access-lists and authentication to control access. Temporarily lifting these
restrictions, within change control, might also provide insight into any problems.
Troubleshooting the control plane comes down to neighbors. If a routing protocol doesn't see a directly connected peer,
the problem is either a protocol issue (such as mismatched authentication, hello parameters, or network statements) or a
firewalling issue. To verify that protocol traffic is passing, consider using debug to witness hellos (debug eigrp packets),
or use the router as a protocol analyzer with debug ip packet followed by an access-list number. (The access-list limits the
debug to just the traffic of interest, which matters because an unfiltered debug ip packet can overwhelm the router.)
Remember that debug ip packet shows only process-switched packets, which includes traffic to and from the router itself
but not CEF-switched transit traffic. The following example shows this done to analyze BGP traffic; the two access-list
lines match both directions of the session, since only one end of a BGP session uses port 179:
access-list 101 permit tcp any any eq 179
access-list 101 permit tcp any eq 179 any
debug ip packet 101
The data plane includes support for user applications. Testing access can be accomplished with traceroute and telnet
(telnet to a specific port verifies that a TCP service is reachable through the path). Traffic is usually controlled using
access-lists, so another way to troubleshoot connections is to log access-list matches. Access-list logging forces matching
traffic to be process switched and should be used in a limited manner. (Matches can be limited by narrowly crafting permit
statements or through the established keyword, for instance.) ACL matches are forwarded to syslog with this option, so used
sparingly it is a good way to understand which line in the access-list is disposing of traffic. To set up logging, add the
keyword log (or log-input, which also records the input interface and source MAC address) onto an ACL line. To see the
denied traffic at the end of a list, for instance, add the following line to your ACL:
 deny ip any any log
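Making sense of the syslog messages that the log keyword produces, as an added example that is not part of the Quick Reference: the script parses the %SEC-6-IPACCESSLOG* messages IOS emits for logged ACL entries and totals packets per flow, so the access-list line that is disposing of traffic stands out. The log excerpt is constructed for the example, and the function names are assumptions; IOS emits one message for the first packet of a flow and then a summary every few minutes, which is why the counts have to be added rather than taken from the last message.

```python
"""Summarize IOS access-list log messages.

Added example, not from the Quick Reference: parses %SEC-6-IPACCESSLOG*
syslog lines (the messages produced by the 'log' keyword on an ACL line)
and totals packets per flow so the line disposing of traffic stands out.
The log lines below are constructed for the example, not real router output.
"""
import re
from collections import Counter

# Constructed sample syslog excerpt.
SAMPLE_LOG = """\
*Mar  1 00:12:34.567: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.5(34567) -> 10.2.2.2(23), 1 packet
*Mar  1 00:12:35.001: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.1.5(34568) -> 10.2.2.2(22), 1 packet
*Mar  1 00:12:40.210: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 10.1.1.9 -> 10.2.2.2 (8/0), 1 packet
*Mar  1 00:13:02.777: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Mar  1 00:17:34.600: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.5(34567) -> 10.2.2.2(23), 4 packets
*Mar  1 00:17:41.000: %SEC-6-IPACCESSLOGNP: list 101 denied 47 10.1.1.5 -> 10.2.2.2, 1 packet
"""

# IPACCESSLOGP: tcp/udp with ports; IPACCESSLOGDP: icmp with (type/code);
# IPACCESSLOGNP: other IP protocols, identified by protocol number.
ACL_LOG = re.compile(
    r"%SEC-6-IPACCESSLOG(?:P|DP|NP):\s+list\s+(?P<acl>\S+)\s+"
    r"(?P<action>permitted|denied)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r"(?:\s+\((?P<icmp_type>\d+)/(?P<icmp_code>\d+)\))?"
    r",\s+(?P<count>\d+)\s+packets?"
)


def parse_acl_log(line):
    """Fields of one ACL log message, or None for any other syslog line."""
    m = ACL_LOG.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("sport", "dport", "icmp_type", "icmp_code", "count"):
        fields[key] = int(fields[key]) if fields[key] is not None else None
    return fields


def summarize(lines):
    """Total packets per (acl, action, proto, src, dst, dport).

    The first packet of a flow is logged immediately and later packets are
    reported as periodic 'N packets' summaries, so the counts are summed."""
    totals = Counter()
    for line in lines:
        f = parse_acl_log(line)
        if f is None:
            continue
        key = (f["acl"], f["action"], f["proto"], f["src"], f["dst"], f["dport"])
        totals[key] += f["count"]
    return totals


def top_denied(lines, n=5):
    """Denied flows, busiest first: where the access-list is dropping traffic."""
    denied = [(k, c) for k, c in summarize(lines).items() if k[1] == "denied"]
    return sorted(denied, key=lambda kc: (-kc[1], str(kc[0])))[:n]


if __name__ == "__main__":
    for key, count in top_denied(SAMPLE_LOG.splitlines()):
        acl, action, proto, src, dst, dport = key
        port = "" if dport is None else f":{dport}"
        print(f"list {acl} {action} {proto} {src} -> {dst}{port}  {count} packets")
```

Run against a real syslog export the same way; the denied flow with the highest total is usually the one a user is complaining about, and its destination port tells you which access-list line to look at.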