www.paktraining.com
maybeccie.paktraining.com
mateenamc@gmail.com
Lecture#2
Introduction to Security Device Manager
The following commands must be applied on the router before it can be
accessed through Security Device Manager (SDM):
config t
ip http server
ip http secure-server
username idrees password Raaziqg10
username idrees privilege 15
ip http authentication local
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
no shutdown
Lecture#3
AAA (Authentication Authorization & Accounting)
Authentication:
Authentication decides who can get in and who can't.
Note:
The most common use of AAA authentication is for login
authentication, but it can also be used as the enable password
itself (#enable view) or to authenticate PPP connections.
Authorization:
Authorization decides what users can do once they get authenticated.
Accounting:
Accounting tracks the resources used by the authorized user. This
tracking can be used for security purposes (detecting users doing
things they shouldn't be doing), or for tracking network usage in
order to bill other departments in your company.
Here's a brief look at each category and what accounting information
can be recorded.
SLIP sessions.
Practical Labs:
(config)#aaa new-model
(config)#aaa authentication login default none
(config)#line vty 0 4
(config-line)#login authentication default
#show privilege
(config)#aaa new-model
(config)#tacacs-server host 172.13.13.3 key CCNP
(config)#radius-server host 172.13.13.2 key CCNP
(config)#aaa authentication login default group
Lecture#4
Layer 2 Security
All passwords appear in the configuration in clear text by default
except the enable secret. The command service password-encryption
will encrypt the remaining passwords. Cisco switches have more VTY
lines than routers. Routers allow up to five simultaneous Telnet
sessions, and obviously switches allow more! The default behavior is
the same, however.
Any user who telnets in to the switch will be placed into user exec
mode, and will then be prompted for the proper enable mode password.
If neither the enable secret nor the enable password has been set, the
user will not be able to enter enable mode.
(config)#line vty 0 15
(config-line)#password valentine
(config)#service password-encryption
How to make a privilege level 15 user and a user with only a password:
(config-if)#switchport port-security
OR
(config-if)#switchport port-security violation shutdown
o Shutdown is the default violation mode. In this mode the switch puts
the interface into err-disabled state and generates an SNMP trap. We
can see this through the following command. When you enable this
feature, by default it will allow one and only one MAC address.
EAP is more of a framework than a specific protocol; there are over 40
different types (methods) of EAP. Some of them are the following:
A. Cisco LEAP (Lightweight Extensible Authentication Protocol):
LEAP is Cisco-proprietary, but third-party vendors can support it via
the Cisco Compatible Extensions Program. The RADIUS server will
authenticate the client, then the client will authenticate the
RADIUS server, resulting in strong two-way authentication.
B. EAP-FAST (Extensible Authentication Protocol-Flexible
Authentication via Secure Tunneling):
It builds a tunnel through which the mutual authentication will
take place. Where LEAP is really wide open to attack and
compromise, FAST makes a secure tunnel without the bother of
using secure certificates. You do have the option of configuring
certificates with EAP-FAST. EAP-FAST is a three-phase process.
1. The first phase is officially named phase zero. In this phase an
encrypted tunnel is created. We need to get a Protected Access
Credential (PAC) on the client. It's an optional phase, since the PAC
can be manually configured on the client, but generally the
PAC will be dynamically assigned.
If the PAC is dynamically assigned, it could be intercepted en
route to the client. If you are concerned about this, you can do
the following two things:
A. Configure the PAC manually on the client.
B. Introduce secure certificates to the EAP-FAST process.
2. In phase 2, credentials are exchanged and mutual authentication
is performed.
C. Protected EAP (PEAP):
It is a strong open-standard security scheme (Microsoft and RSA
Security made it). It has the following two different versions:
1. PEAPv0/EAP-MSCHAPv2
2. PEAPv1/EAP-GTC (Generic Token Card)
With either flavor, there is a secure digital certificate involved.
The clients will not have a certificate, but the authentication
server will.
D. EAP-TLS (Extensible Authentication Protocol-Transport
Layer Security):
EAP-TLS is an open-standard protocol. It's also a bit
controversial because it requires the clients to have a secure
certificate as well as the authentication server.
We've secured the ports, but there will also come a time when we
want to connect a network analyzer to a switch port. A common
situation is illustrated below, where we want to analyze traffic
sourced from the three PCs. To properly analyze the traffic, the
network analyzer needs a copy of every frame the hosts are
sending - but how are we going to get it there?
SPAN allows the switch to mirror the traffic from the source
port(s) to the destination port to which the network analyzer is
attached. (In some Cisco documentation, the destination port is
referred to as the monitor port.)
It's the location of the source ports that determines the SPAN
version that needs to run on the switch. The sessions are totally
separate operations, but the number of simultaneous sessions you
can run differs from one switch platform to another. More
powerful switches can run as many as 64 sessions at once. SPAN
has three types:
1. Local SPAN:
In this, the destination port (where the network analyzer is
attached) and the source ports are all on the same switch.
A. Configuration of Local SPAN :
(config)#monitor session 1 source interface f 1/0/1 - 9
(config)#monitor session 1 destination interface f 1/0/10
#show monitor
2. Remote SPAN (RSPAN):
What if the traffic to be monitored is on one switch, but the only
vacant port available is on another switch? RSPAN is the solution.
Both switches will need to be configured for RSPAN, since the
switch connected to the PCs will need to send mirrored frames
across the trunk. A separate VLAN will be created that will
carry only the mirrored frames. There are some factors you need
to consider when configuring RSPAN, which are as follows:
If there were intermediate switches between the two they
would all need to be RSPAN-capable.
VTP treats the RSPAN VLAN like any other VLAN. It will
be propagated throughout the VTP domain if configured on
a VTP server. Otherwise, it's got to be manually
configured on every switch along the intermediate path.
VTP Pruning will also prune the RSPAN VLAN under the same
circumstances that it would prune a "normal" VLAN.
MAC address learning is disabled for the RSPAN VLAN.
The source and destination must be defined on both the
switch with the source port and the switch connected to
the network analyzer, but the commands are not the same
on each.
ports, VLAN-based SPAN (VSPAN) would be in effect.
B. Configuration of VSPAN
Create the VLAN first, and identify it as the RSPAN VLAN with
the remote-span command.
SW1(config)#vlan 30
SW1(config-vlan)#remote-span
o SW1 is the source switch, and the traffic from ports 0/1 - 0/5 will be
monitored and frames mirrored to SW2 via RSPAN VLAN 30.
SW1(config)#monitor session 1 source interface fast 0/1 - 5
SW1(config)#monitor session 1 destination remote vlan 30 reflector-port fast 0/12
o The reflector port is a port that will be copying the SPAN
traffic onto the RSPAN VLAN.
#show monitor
Notice that even though the three source addresses named in the
ACL are the ones that will not be allowed to communicate with
other hosts in the VLAN, the ACL statement is permit, not deny.
The deny part is coming!
Now the VLAN access-map will be written, with any traffic
matching the ACL to be dropped and all other traffic to be
forwarded. Note that the second access-map clause has no match
clause, meaning that any traffic that isn't affected by clause 10
will be forwarded. That is the VACL equivalent of ending an ACL
with "permit any".
If you configure a VACL without a final "action forward" clause,
all traffic that does not match a specific clause in the VACL
will be dropped.
(config)# vlan access-map NO_123 10
(config-access-map)# match ip address NO_123_CONTACT
(config-access-map)# action drop
(config)# vlan access-map NO_123 20
(config-access-map)# action forward
Finally, we have to apply the VACL in global configuration mode.
The VLAN to be filtered is specified at the end of the command
with the vlan-list option.
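As an added illustration (not part of the original notes), the following Python model evaluates a VLAN access-map in clause order with the semantics described above, including the implicit drop when no "action forward" clause ends the map. The three host addresses in NO_123_CONTACT are constructed for the example, since the notes do not list them.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    source: ipaddress.IPv4Network


@dataclass
class MapClause:
    seq: int
    action: str                      # "drop" or "forward"
    match_acl: Optional[str] = None  # None: no match clause, so it matches all traffic


def acl_matches(entries, src):
    """Evaluate a standard ACL top-down. Inside a VACL a 'permit' hit means
    the clause matches; a 'deny' hit, or no hit at all, means it does not."""
    for entry in entries:
        if src in entry.source:
            return entry.action == "permit"
    return False


def vacl_action(clauses, acls, src_ip):
    """Return the action the VLAN access-map takes for a packet from src_ip."""
    src = ipaddress.IPv4Address(src_ip)
    for clause in sorted(clauses, key=lambda c: c.seq):
        if clause.match_acl is None or acl_matches(acls[clause.match_acl], src):
            return clause.action
    return "drop"   # no clause matched: the VACL's implicit drop


# Constructed sample data: three hosts that must not talk to the rest of the VLAN.
ACLS = {
    "NO_123_CONTACT": [
        AclEntry("permit", ipaddress.IPv4Network("10.1.1.1/32")),
        AclEntry("permit", ipaddress.IPv4Network("10.1.1.2/32")),
        AclEntry("permit", ipaddress.IPv4Network("10.1.1.3/32")),
    ]
}
# vlan access-map NO_123 10 / match ip address NO_123_CONTACT / action drop
# vlan access-map NO_123 20 / action forward
NO_123 = [MapClause(10, "drop", "NO_123_CONTACT"), MapClause(20, "forward")]
# The same map without the final "action forward" clause.
NO_123_NO_FORWARD = [MapClause(10, "drop", "NO_123_CONTACT")]

if __name__ == "__main__":
    for src in ("10.1.1.2", "10.1.1.50"):
        print(src, vacl_action(NO_123, ACLS, src),
              vacl_action(NO_123_NO_FORWARD, ACLS, src))
```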
Private VLAN:
This may well be the ultimate in filtering VLAN traffic! Hosts can
be placed into a secondary VLAN, which is going to have one of two
results:
The host will be able to communicate with other hosts in the
secondary VLAN and with the primary VLAN, but not with hosts in
other secondary VLANs. This is a community private VLAN.
The host can communicate with the primary VLAN, but with no other
hosts, including other hosts in its own secondary VLAN. This is
an isolated private VLAN.
In the following example, the router is located off a switch port
that has been configured as a private VLAN port. There are options
here as well:
The device connected to the private VLAN port can communicate
with any device connected to any primary or secondary VLAN. This is
promiscuous mode, the recommended mode for ports connected to
gateway devices, such as the router seen below.
The host connected to the port is on either type of private VLAN
(isolated or community), and can communicate with devices found off
other promiscuous ports. If the host is configured as part of a
community private VLAN, the host can also communicate with other
hosts in that private VLAN.
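The three port roles above can be written down as one reachability rule. The following Python model is an added example, not part of the notes; the port names and VLAN numbers (primary 100, community 101, isolated 102) are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PvlanPort:
    name: str
    primary: int            # primary VLAN the port belongs to
    mode: str               # "promiscuous", "community" or "isolated"
    secondary: int = 0      # secondary VLAN for host ports (0 for promiscuous)


def pvlan_can_talk(a: PvlanPort, b: PvlanPort) -> bool:
    """Apply the private VLAN rules from the text to a pair of ports."""
    if a.name == b.name or a.primary != b.primary:
        return False
    # A promiscuous port (the gateway router) reaches every port in the primary VLAN.
    if "promiscuous" in (a.mode, b.mode):
        return True
    # Community hosts talk to each other only inside their own community VLAN.
    if a.mode == b.mode == "community" and a.secondary == b.secondary:
        return True
    # Isolated hosts reach no other host, not even one in their own secondary VLAN,
    # and community hosts never reach another secondary VLAN.
    return False


def pvlan_reachable(src: PvlanPort, ports):
    """Names of the ports a frame from src may be delivered to."""
    return sorted(p.name for p in ports if pvlan_can_talk(src, p))


# Constructed example: primary VLAN 100, community VLAN 101, isolated VLAN 102.
PORTS = [
    PvlanPort("Gi0/1", 100, "promiscuous"),       # router, promiscuous port
    PvlanPort("Fa0/2", 100, "community", 101),
    PvlanPort("Fa0/3", 100, "community", 101),
    PvlanPort("Fa0/4", 100, "isolated", 102),
    PvlanPort("Fa0/5", 100, "isolated", 102),
]

if __name__ == "__main__":
    for port in PORTS:
        print(port.name, port.mode, "->", pvlan_reachable(port, PORTS))
```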
DHCP Snooping:
The potential for trouble starts when a host sends out a DHCP
Discover packet: it then listens for DHCP Offer packets, and as we
know, the host will accept the first Offer it gets!
Part of that DHCPOffer is the address to which the host should set
its default gateway. In this network, there's no problem, because
there's only one DHCP Server. The host will receive the DHCPOffer
and set its default gateway accordingly. What if a DHCP server that
does not belong on our network - a rogue DHCP server - is placed on
that subnet?
Now we've got a real problem, because that host is going to use the
information in the first DHCPOffer packet it receives - and if the
host uses the Offer from the rogue DHCP server, the host will
actually set its default gateway to the rogue server's IP address!
The rogue server could also have the host set its DNS server address
to the rogue server's address as well. This opens the host and the
network to several nasty kinds of attacks.
DHCP Snooping allows the switch to serve as a firewall between hosts
and untrusted DHCP servers. DHCP Snooping classifies interfaces on
the switch into one of two categories - trusted and untrusted. DHCP
messages received on trusted interfaces will be allowed to pass
through the switch. Not only will DHCP messages received on
untrusted interfaces be dropped by the switch, the interface itself
will be placed into err-disabled state.
Now, you're probably asking "How does the switch determine which
ports are trusted and which ports are untrusted?" By default, the
switch considers all ports untrusted - which means we better
remember to configure the switch to trust some ports when we enable
DHCP Snooping!
First, we need to enable DHCP Snooping on the entire switch:
(config)#ip dhcp snooping
o This must be enabled first.
(config)#ip dhcp snooping vlan 4
o This adds VLAN 4 to the trusted VLANs.
(config)#no ip dhcp snooping vlan 1
o We can remove VLAN 1, which by default was added to the trusted
VLANs when we enabled DHCP snooping.
(config)#ip dhcp snooping information option
o This enables option 82.
(config)#int f1/0/1
(config-if)#ip dhcp snooping trust
#show ip dhcp snooping
Note the "rate limit" for the untrusted port is set to
"unlimited". That rate limit refers to the number of DHCP packets
the interface can accept in one second (packets per second).
To change that value and protect the interface against a
concentrated stream of spoofed DHCP messages, use the ip dhcp
snooping limit rate command.
SW1(config-if)#ip dhcp snooping limit rate 5
If you run DAI in your network, most likely you'll run it on all
of your switches. Cisco's recommended trusted/untrusted port
configuration is to have all ports connected to hosts run as
untrusted and all ports connected to switches as trusted. Since
DAI runs only on ingress ports, this configuration scheme ensures
that every ARP packet is checked once, but no more than that.
The DHCP snooping feature dynamically builds a DHCP binding
table, which contains the MAC addresses associated with specific
IP addresses. Additionally, this feature supports static MAC
address to IP address mappings, which might be appropriate for
network devices, such as routers. This DHCP binding table can be
used by the Dynamic ARP Inspection (DAI) feature to help prevent
Address Resolution Protocol (ARP) spoofing attacks.
Recall the purpose of ARP requests. When a network device needs
to determine the MAC address that corresponds to an IP address,
the device can send an ARP request. The target device replies to
the requesting device with an ARP reply. The ARP reply contains
the requested MAC address.
Attackers can attempt to launch an attack by sending gratuitous
ARP (GARP) replies. These GARP messages can tell network devices
that the attacker's MAC address corresponds to specific IP
addresses.
Extra :
Gratuitous ARP :
reply is dropped, and the port is disabled.
The first step in configuring DAI is to enable DAI for one or more
VLANs. For example, to enable DAI for VLAN 100, enter the
following global configuration mode command:
SW3550(config)# ip arp inspection vlan 100
By default, the DAI feature considers all switch ports to be
untrusted ports. Therefore, trusted ports must be explicitly
configured. These trusted ports are the ports on which ARP replies
are expected. For example, to configure port Gigabit 0/6 to be a
DAI trusted port, use the following syntax:
SW3550(config)# interface gigabitethernet 0/6
SW3550(config-if)# ip arp inspection trust
IP Source Guard
The IP Source Guard feature is enabled in combination with the DHCP
snooping feature on untrusted Layer 2 interfaces. It builds and
maintains an IP source binding table that is learned by DHCP
snooping or manually configured (static IP source bindings). An
entry in the IP source binding table contains the IP address and the
associated MAC and VLAN numbers. The IP Source Guard is supported on
Layer 2 ports only, including access and trunk ports.
Configuration example:
interface gigabitEthernet 1/0/1
ip verify source port-security
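Since DHCP snooping, DAI and IP Source Guard all work from the same binding table, one added Python model (not Cisco's code, and simplified: the message names, timestamps, MAC addresses and port names are constructed) covers the three features described in this section and the two before it: server messages arriving on an untrusted port err-disable it, the rate limit is applied over a one-second window, an ACK seen on a trusted port creates a binding, and ARP and IP traffic on untrusted ports must match that binding.

```python
from collections import defaultdict, deque

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # messages only a DHCP server sends


class SnoopingSwitch:
    """Toy model of DHCP snooping with DAI and IP Source Guard layered on top.
    As on a Cisco switch, every port is untrusted until trust() is called."""

    def __init__(self, rate_limit=None):
        self.trusted = set()
        self.err_disabled = set()
        self.rate_limit = rate_limit          # DHCP packets/second on untrusted ports
        self._recent = defaultdict(deque)     # port -> timestamps of recent DHCP packets
        self._client_port = {}                # client MAC -> port its REQUEST came in on
        self.bindings = {}                    # (vlan, ip) -> (mac, port): binding table

    def trust(self, port):
        self.trusted.add(port)

    def dhcp(self, port, vlan, msg, client_mac, yiaddr=None, ts=0.0):
        """Filter one DHCP message; learn a binding from an ACK on a trusted port."""
        if port in self.err_disabled:
            return "err-disabled"
        if port not in self.trusted:
            if msg in SERVER_MSGS:            # rogue server behind a host port
                self.err_disabled.add(port)
                return "err-disabled"
            recent = self._recent[port]
            recent.append(ts)
            while ts - recent[0] >= 1.0:      # keep only the last second
                recent.popleft()
            if self.rate_limit is not None and len(recent) > self.rate_limit:
                self.err_disabled.add(port)
                return "err-disabled"
        if msg == "REQUEST":
            self._client_port[client_mac] = port
        elif msg == "ACK" and client_mac in self._client_port:
            self.bindings[(vlan, yiaddr)] = (client_mac, self._client_port[client_mac])
        return "forward"

    def arp(self, port, vlan, sender_mac, sender_ip):
        """DAI: on untrusted ports the sender MAC/IP pair must match a binding."""
        if port in self.err_disabled:
            return "drop"
        if port in self.trusted:
            return "forward"
        ok = self.bindings.get((vlan, sender_ip)) == (sender_mac, port)
        return "forward" if ok else "drop"

    def ip(self, port, vlan, src_mac, src_ip, check_mac=True):
        """IP Source Guard ('ip verify source'; with port-security the MAC is checked too)."""
        if port in self.err_disabled:
            return "drop"
        if port in self.trusted:
            return "forward"
        binding = self.bindings.get((vlan, src_ip))
        if binding is None or binding[1] != port:
            return "drop"
        return "forward" if not check_mac or binding[0] == src_mac else "drop"
```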
destination, e.g. this traffic would simply be dropped as opposed
to flooding.
switchport block unicast is actually switchport block broadcast
The other item worth mentioning is that I didn't think you could
do a "switchport block broadcast". Broadcast, by definition,
should be flooded. Therefore, I would be very careful and
understand the consequences if you can and do block broadcasts.
The FF:FF:FF:FF:FF:FF will not be learned by the mac-address
table and therefore always flooded. There is no concept of
learning this address, since nothing should be sourced from this
address. There is, however, a "switchport block multicast" that
can look for multicast association requests. With "switchport
block multicast", frames with a multicast destination should only
be forwarded to the appropriate port(s) as opposed to flooded to
the entire VLAN.
If we added the command switchport block unicast, then the switch
would not forward unicast frames unless it knew which port to
forward them to.
So an initial frame destined for 0200.2222.2222,
if the switch didn't yet have it in the mac address table, would
drop it for that vlan.
If the switch does know that the MAC
address lives on the same port, based on adding the source
address to the table, it would not forward it to any other
ports.
I believe this would defeat the attack.
So as opposed to preventing flooding, there is also a need to
protect the mac-address table. Since this is a type of forged
source mac address attack, we can use "port-security" to restrict
a port to a number (possibly one) source mac address. Once this
number is exceeded, the switch can trap, shutdown the port, or
discard the incoming frames. I just wanted to point this out in
case a similar question arises.
Through dot1x we can protect our MAC table from rogue entries in
it.
o Trunk Mode :
Trunk mode uses tagged and untagged frames. The fact that it uses 802.1q tagged frames
implies that it is connected to a device which is capable of dealing with 802.1q frames.
But very often Ethernet cards in server machines can be configured for 802.1q as well,
i.e. you can run a trunk mode port to a server connecting it directly into multiple VLANs.
The "tag" contains the number of the VLAN to which this particular frame belongs.
Due to that, the receiving side is able to correctly assign each received frame to the
correct VLAN. If the switch sends a VLAN 5 tagged frame through a trunk port, the
receiving side knows that this frame belongs to VLAN 5 and thus can forward it correctly
to the next hop, maintaining separation of VLANs, etc.
Trunking is generally related to switches, but routers, firewalls, and all manner of devices
can connect with trunks as well.
o ip default-gateway (when IP routing is disabled)
When your switch is configured to route with IP, it does not need to have a default
gateway set.
o ip default-network (when IP routing is enabled)
o ip route 0.0.0.0 0.0.0.0 (when IP routing is enabled)
VLAN Hopping :
VLAN hopping can be accomplished by switch spoofing or double
tagging.
o In this attack, the attacking computer generates frames with two 802.1Q tags. The
first tag matches the native VLAN of the trunk port (VLAN 10 in this case), and
the second matches the VLAN of a host it wants to attack (VLAN 20).
o When the frame from the attacker reaches Switch A, Switch A only sees the first
tag, VLAN 10, which matches its native VLAN 10, so this VLAN tag is removed.
Switch A forwards the frame. Switch B receives the frame with a tag of VLAN 20,
so it removes this tag and forwards it out to the victim computer.
o Switch Spoofing (gaining Access to All vlans):
Switch spoofing is another variation of VLAN Hopping that is even
worse than double tagging, because this version allows the rogue
to pretend to be a member of *all* VLANs in your network. Many
Cisco switch ports now run in dynamic desirable mode by default,
which means that a port is sending out Dynamic Trunking Protocol
frames in an aggressive effort to form a trunk. A potential
problem exists, since the switch doesn't really know what kind of
device is receiving the DTP frames.
There are two defenses for VLAN Hopping attacks; the one you
choose depends on the port type:
o Every port on your switch that does not lead to another
known switch should be placed into access mode. That
disables the port's ability to create a trunk, and in turn
disables the rogue host's ability to spoof being a switch!
The attacker can connect an unauthorized Cisco switch to a Company switch port. The
unauthorized switch can send DTP frames and form a trunk with the Company Switch. If
the attacker can establish a trunk link to the Company switch, it receives traffic to all
VLANs through the trunk because all VLANs are allowed on a trunk by default. (Instead
of using a Cisco switch, the attacker can use software to create and send DTP frames.)
To mitigate VLAN Hopping, the following things should be done:
1) If no trunking is required, configure the port as an access port; this also disables
trunking on that interface:
Switch(config-if)# switchport mode access
2) If trunking is required, try to configure the port to Nonegotiate to prevent DTP frames
from being sent.
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport nonegotiate
3) Set the native VLAN to an unused VLAN and don't use this VLAN for any other
purpose:
Switch(config-if)# switchport trunk native vlan VLAN-ID
4) Force the switch to tag the native VLAN on all its 802.1Q trunks:
Switch(config)# vlan dot1q tag native
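To see why mitigations 3 and 4 work, here is an added Python model (not from the notes) of how an 802.1Q trunk port classifies tagged frames. The frame bytes and MAC addresses are constructed test data; the model follows the double-tagged frame described above from Switch A's trunk on to Switch B, and includes a check a monitoring point could use to flag a frame that carries more than one tag.

```python
import struct

TPID_8021Q = 0x8100


def build_frame(dst, src, vlans, ethertype, payload):
    """Constructed test vector: an Ethernet frame with zero or more stacked 802.1Q tags."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, v & 0x0FFF) for v in vlans)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return (VLAN IDs outer-to-inner, ethertype after the tags, payload)."""
    offset, vlans = 12, []
    while struct.unpack_from("!H", frame, offset)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vlans.append(tci & 0x0FFF)
        offset += 4
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    return vlans, ethertype, frame[offset + 2:]


def is_double_tagged(frame):
    """A frame with more than one tag arriving from a host port deserves an alert."""
    return len(parse_tags(frame)[0]) > 1


def trunk_ingress(frame, native_vlan, tag_native=False):
    """Model a trunk port receiving a frame. Returns (VLAN the frame is classified
    into, frame as it leaves on the next trunk). Only a trunk whose native VLAN is
    untagged strips the outer tag, which is what exposes a second tag downstream."""
    vlans, _, _ = parse_tags(frame)
    if not vlans:
        return native_vlan, frame                # untagged frame: native VLAN
    outer = vlans[0]
    if outer == native_vlan and not tag_native:
        return outer, frame[:12] + frame[16:]    # native VLAN is untagged: strip outer tag
    return outer, frame


def vlan_seen_by_switch_b(frame, native_a, native_b, tag_native=False):
    """Follow the frame through Switch A's trunk and on to Switch B's trunk."""
    _, forwarded = trunk_ingress(frame, native_a, tag_native)
    return trunk_ingress(forwarded, native_b, tag_native)[0]


# Constructed frame as in the text: outer tag 10 (the native VLAN), inner tag 20.
DOUBLE_TAGGED_FRAME = build_frame(bytes.fromhex("ffffffffffff"),
                                  bytes.fromhex("020000000001"),
                                  [10, 20], 0x0800, b"constructed payload")

if __name__ == "__main__":
    print("native 10 untagged:", vlan_seen_by_switch_b(DOUBLE_TAGGED_FRAME, 10, 10))
    print("native moved to 999:", vlan_seen_by_switch_b(DOUBLE_TAGGED_FRAME, 999, 999))
    print("vlan dot1q tag native:", vlan_seen_by_switch_b(DOUBLE_TAGGED_FRAME, 10, 10, True))
```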
A. Root Guard :
If a switch that is not under your administrative control (a rogue
switch) becomes the root switch of your network, it can lead to
all kinds of trouble. Remember our discussion of SPAN (Switch
Port Analyzer) earlier in this section? If an intruder managed to
introduce a rogue switch into your network, he could simply
configure SPAN on the switch to obtain a copy of all data
crossing the switch!
STP has no default behavior to prevent this from happening; the
spanning-tree vlan root command helps you determine which
switches become the root and secondary root, but does nothing to
disqualify a switch from becoming the root.
We will take the following example:
o Configuration:
(config)#int f0/1
(config-if)#spanning-tree guard root
B. BPDU Guard:
There is a chance - just a chance - that someone is going to
manage to connect a switch to a port running PortFast. That could
lead to two major problems:
A PortFast-enabled port can immediately transition to the blocking
state if necessary (this could happen on receipt of a superior
BPDU). PortFast can be enabled on trunk ports, for example towards a
router where you're doing router-on-a-stick: if the link flaps, it will
go into forwarding immediately, rather than going through the
full listening/learning stages.
o BPDU Guard :
BPDU Filtering & BPDU Guard both provide protection against
spanning-tree loops being created on ports where PortFast has
been enabled. A device attached to a PortFast interface is not
supposed to send BPDUs but should this happen BPDU Filtering and
BPDU Guard provide protection.
If any BPDUs (superior to the current root or not) are received
on a port configured with BPDU Guard, that port is put immediately
into err-disable state.
BPDU Guard should be configured on all switch ports where STP
PortFast is enabled. This prevents any possibility that a switch
will be added to the port, either intentionally or by mistake.
BPDU Guard and BPDU Filtering can be configured in 2 different
ways, from global configuration mode or in interface
configuration mode. In global configuration mode the feature
(either BPDU guard or BPDU Filtering) will have effect on all
Port fast enabled ports only.
o BPDU Filtering :
A port with BPDU Filtering enabled stops sending and receiving
BPDUs.
As soon as a BPDU is received, the port will lose its PortFast
status and BPDU filtering will be disabled. The port is then
taken back to normal STP operation and sends/receives BPDUs.
If it is configured from global configuration mode, BPDU Filtering
will be enabled on all configured PortFast ports.
Note:
If you enable BPDU Guard on the same interface as BPDU Filtering, BPDU
Guard has no effect because BPDU Filtering takes precedence over BPDU
Guard. The reason is explained below: BPDU Filter configured on a port
prevents this port from sending and receiving BPDUs completely. BPDU
Guard on the same port is therefore useless because received BPDUs will
be dropped before they can hit the Guard.
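The precedence rules in this section (Root Guard, BPDU Guard, BPDU Filtering and PortFast) can be checked with the following added Python model. It is not Cisco's implementation, the bridge IDs and port names are constructed, and it follows the behaviour exactly as these notes state it: interface-level filtering hides BPDUs from the guard, global filtering only covers PortFast ports, BPDU Guard err-disables on any BPDU, and Root Guard refuses superior BPDUs without changing the known root.

```python
from dataclasses import dataclass


@dataclass
class Port:
    name: str
    portfast: bool = False
    bpdu_guard: bool = False     # interface: spanning-tree bpduguard enable
    bpdu_filter: bool = False    # interface: spanning-tree bpdufilter enable
    root_guard: bool = False     # interface: spanning-tree guard root
    state: str = "forwarding"


@dataclass
class Switch:
    root_id: tuple                      # (priority, MAC) of the root this switch knows
    global_bpdu_guard: bool = False     # spanning-tree portfast bpduguard default
    global_bpdu_filter: bool = False    # spanning-tree portfast bpdufilter default


def receive_bpdu(sw, port, bpdu_root_id):
    """Apply the guard/filter rules from the text when a BPDU arrives on a port."""
    # Interface-level BPDU Filtering wins: the port neither sends nor receives
    # BPDUs, so a BPDU Guard on the same port never sees anything.
    if port.bpdu_filter:
        return "filtered"
    # Global filtering only covers PortFast ports; the first BPDU removes
    # PortFast from the port and with it the filtering.
    if sw.global_bpdu_filter and port.portfast:
        port.portfast = False
    # BPDU Guard err-disables the port on any BPDU, superior or not.
    if port.bpdu_guard or (sw.global_bpdu_guard and port.portfast):
        port.state = "err-disabled"
        return "err-disabled"
    port.portfast = False   # a BPDU on a PortFast port returns it to normal STP
    superior = bpdu_root_id < sw.root_id    # lower bridge ID wins the root election
    # Root Guard: a superior BPDU is refused and the port blocks until it stops.
    if port.root_guard and superior:
        port.state = "root-inconsistent"
        return "root-inconsistent"
    if superior:
        sw.root_id = bpdu_root_id           # no guard: the rogue becomes root
    return "processed"


if __name__ == "__main__":
    sw = Switch(root_id=(32768, "0000.1111.1111"))
    guarded = Port("Fa0/1", root_guard=True)
    print(receive_bpdu(sw, guarded, (4096, "0000.9999.9999")), sw.root_id)
```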
Lecture#8
Site To Site VPN
R1(config)#int f0/0
R1(config-if)#ip add 10.10.10.1 255.255.255.0
R1(config)#int f1/0
R1(config-if)#ip add 192.168.1.1 255.255.255.0
R1(config)#router eigrp 100
R1(config-router)#network 10.10.10.0 0.0.0.255
R1(config-router)#network 192.168.1.0 0.0.0.255
R1(config-router)#no auto-summary
********* Site to Site VPN Configurations On R1 *************
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#group 2
R1(config-isakmp)#hash md5
R1(config-isakmp)#lifetime 86400