Cisco Networking/CCENT/Security

This lesson covers securing Cisco IOS devices (password, console, aux and SSH-only vty access) and securing switch ports (port security, shutting down unused ports, and VLAN placement).

Objectives and Skills
Objectives and skills for the security portion of Cisco CCENT certification include:
 * Configure and verify network device security features
   * Device password security
   * Enable secret vs. enable
   * Transport
     * Disable telnet
     * SSH
     * VTYs
   * Physical security
   * Service password
   * Describe external authentication methods
 * Configure and verify switch port security
   * Sticky MAC
   * MAC address limitation
   * Static/dynamic
   * Violation modes
     * Err disable
     * Shutdown
     * Protect, restrict
   * Shutdown unused ports
   * Err disable recovery
   * Assign unused ports in unused VLANs
   * Putting native VLAN to other than VLAN 1

Readings

 * 1)  Network security
 * 2)  Access control
 * 3)  MAC filtering
 * 4) Cisco: How to secure your Cisco Catalyst switch
 * 5) Cisco: Security Checklist

Multimedia

 * 1) Cisco: Hardening Cisco IOS Devices
 * 2) Cisco: Securing Cisco LAN Switches

Device Security

 * 1) Review ../IOS Basics
 * 2) Review ../Remote Management

Port Security Configuration
Note: The following commands are not supported by NM-16ESW network modules. See Cisco: EtherSwitch Network Module 802.1x Authentication for an alternative. Port security is included in the Cisco CCENT exam, but 802.1x implementation is not.

switchport port-security
To enable port security on an interface, use the switchport port-security command in interface configuration mode.

switchport port-security

switchport port-security mac-address
To add a MAC address to the list of secure MAC addresses, use the switchport port-security mac-address command in interface configuration mode. A static entry is typed in Cisco dotted-hex form (three groups of four hex digits); the sticky keyword converts dynamically learned addresses into sticky secure addresses that are written to the running configuration.

switchport port-security mac-address { mac-address [ vlan { vlan-id | access | voice } ] | sticky [ mac-address | vlan { vlan-id | access | voice } ] }
switchport port-security mac-address 1a6f.7c8e.2a3a
switchport port-security mac-address sticky
no switchport port-security mac-address 1a6f.7c8e.2a3a

switchport port-security maximum
To set the maximum number of secure MAC addresses on a port, use the switchport port-security maximum command in interface configuration mode. The default is 1.

switchport port-security maximum value [ vlan { vlan-list | access | voice } ]
switchport port-security maximum 1

switchport port-security violation
To set the action to be taken when a security violation is detected, use the switchport port-security violation command in interface configuration mode. With protect, frames from unknown source MAC addresses are silently dropped; restrict drops them as well but increments the violation counter and sends a syslog message and SNMP trap; shutdown (the default) places the port in the err-disabled state until it is re-enabled manually (shutdown / no shutdown) or by errdisable recovery.

switchport port-security violation { shutdown | restrict | protect }
switchport port-security violation shutdown
switchport port-security violation restrict
switchport port-security violation protect

show port-security
To display port-security settings for an interface or for the switch, use the show port-security command in privileged EXEC mode (not global configuration mode).

show port-security [ interface interface-id ] [ address ]
show port-security
show port-security interface fastethernet 1/1
show port-security address

Command Sequence
A command sequence to configure port security might be similar to the following. Port security only takes effect on a static access port (the command is rejected on a dynamic or trunk port) and only once the bare switchport port-security command has been entered; the sticky, maximum and violation settings on their own enable nothing.

enable
configure terminal
interface range fa1/0 - 15
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security maximum 1
switchport port-security violation restrict
exit
exit
show port-security
show port-security address
exit

Activities

 * 1) Configure and verify device security.
 * 2) Add a router, an EtherSwitch router, and four VPCS PCs to a new GNS3 project and start the devices.
 * 3) Add links to connect the following.
 * 4) * R1 FastEthernet0/0 <-> ESW1 FastEthernet1/0
 * 5) * PC1 Ethernet0 <-> ESW1 FastEthernet1/1
 * 6) * PC2 Ethernet0 <-> ESW1 FastEthernet1/2
 * 7) * PC3 Ethernet0 <-> ESW1 FastEthernet1/3
 * 8) * PC4 Ethernet0 <-> ESW1 FastEthernet1/4
 * 9) Set the following IP addresses, subnet masks, and default gateways for the switch and PCs.
 * 10) * R1 FastEthernet0/0: 192.168.1.1 255.255.255.0
 * 11) * ESW1 VLAN1: 192.168.1.10 255.255.255.0 192.168.1.1
 * 12) * PC1 Ethernet0: 192.168.1.11 255.255.255.0 192.168.1.1
 * 13) * PC2 Ethernet0: 192.168.1.12 255.255.255.0 192.168.1.1
 * 14) * PC3 Ethernet0: 192.168.1.13 255.255.255.0 192.168.1.1
 * 15) * PC4 Ethernet0: 192.168.1.14 255.255.255.0 192.168.1.1
 * 16) Add username and password security to the console, aux, and vty lines, add a password to protect global configuration mode, and encrypt all passwords on both routers using the following commands.
 * 17) Allow only SSH connections to the vty lines of both routers using the following commands.
 * 18) Verify the configuration on both routers using the following command.
 * 19) Exit the router console session and open the console again to test the configuration.
 * 20) Exit the router console session and open a console on the aux line to test the configuration.
 * 21) Test vty configuration using the following command to verify that telnet access is no longer supported.
 * 22) Test vty configuration using the following command to remotely manage one router from the other.
 * 23) Configure and verify switch port security.  Note: EtherSwitch routers do not support the switchport port-security command.  Use a Cisco switch, if available, or review CiscoSkills.net: Configuring Port Security.
 * 24) Add dynamic port security and limit connections to only 1 allowed device per port in restricted mode using the following commands.
 * 25) Shutdown unused ports.
 * 26) Verify the configuration using the following commands.
 * 27) Test the configuration by pinging all four PCs.  The test should be successful for all devices.
 * 28) Remove and add links to connect the following.
 * 29) * PC3 Ethernet0 <-> ESW1 FastEthernet1/4
 * 30) * PC4 Ethernet0 <-> ESW1 FastEthernet1/3
 * 31) Test the configuration by pinging all four PCs.  The test should be successful for PC1 and PC2, and unsuccessful for PC3 and PC4.
 * 32) Verify the configuration using the following commands.
 * 33) Remove and add links to connect the following.
 * 34) * PC3 Ethernet0 <-> ESW1 FastEthernet1/3
 * 35) * PC4 Ethernet0 <-> ESW1 FastEthernet1/4
 * 36) Test the configuration by pinging all four PCs.  The test should be successful for all devices.
 * 37) Configure VLAN security.
 * 38) Use the configuration from above.  Change the native VLAN to VLAN 10, put existing devices in VLAN 10, and assign unused ports to VLAN 99 using the following commands on the EtherSwitch router.
 * 39) Test the configuration by pinging all four PCs.  The test should be successful for all devices.
 * 40) Remove and add links to connect the following.
 * 41) * PC4 Ethernet0 <-> ESW1 FastEthernet1/5
 * 42) Test the configuration by pinging all four PCs.  The test should be successful for PC1, PC2, and PC3, and unsuccessful for PC4.
 * 43) Configure the router to access the EtherSwitch router on VLAN 10 using the following commands.
 * 44) Test the configuration by pinging the switch from the router.  The test should be successful.
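The three activity procedures above (device security, unused ports and errdisable recovery, VLAN security with the router reaching the switch on VLAN 10) as one added configuration example. This is not the lesson's own command list, which is not reproduced on this page; the domain name lab.example, the account admin, both passwords, the VLAN names and the exec-timeout values are assumptions, while the addresses and port numbers are those of the lab topology above. The port-security commands themselves are in the Command Sequence section and are not repeated here.

```cisco
! ===== R1 and ESW1: device security (activity steps 16-22) =====
! Run on both routers (change the hostname on ESW1).
enable
configure terminal
hostname R1
ip domain-name lab.example
! Local account and enable secret are stored as salted hashes, not reversible type 7
username admin secret StrongPass123
enable secret EnablePass123
! Obscures any remaining plaintext line passwords (type 7, trivially reversible)
service password-encryption
line console 0
 login local
 exec-timeout 5 0
line aux 0
 login local
 exec-timeout 5 0
! RSA key pair for SSH, then SSH version 2 only and no telnet on the vty lines
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 4
 login local
 transport input ssh
 exec-timeout 5 0
end
! Verify, then test from R1 once ESW1 is configured the same way:
! telnet must be refused, ssh must prompt for the admin password
show running-config | section line
show ip ssh
telnet 192.168.1.10
ssh -l admin 192.168.1.10

! ===== Catalyst switch: err-disabled port recovery (steps 24-26) =====
! The NM-16ESW does not support port security; this part needs a real Catalyst.
enable
configure terminal
errdisable recovery cause psecure-violation
errdisable recovery interval 300
end
show port-security
show errdisable recovery

! ===== ESW1: VLAN security (steps 25 and 38) =====
enable
configure terminal
! The NM-16ESW creates VLANs in vlan database mode; a Catalyst uses "vlan 10" in global configuration
vlan database
 vlan 10 name USERS
 vlan 99 name UNUSED
 exit
interface range fastethernet 1/1 - 4
 switchport mode access
 switchport access vlan 10
! Unused ports: parked in a VLAN with no gateway and shut down
interface range fastethernet 1/5 - 15
 switchport mode access
 switchport access vlan 99
 shutdown
! Uplink to R1 becomes an 802.1Q trunk whose untagged (native) VLAN is 10, not 1
interface fastethernet 1/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 10
interface vlan 10
 ip address 192.168.1.10 255.255.255.0
 no shutdown
ip default-gateway 192.168.1.1
end
show vlan-switch brief
show interfaces fastethernet 1/0 switchport

! ===== R1: reach ESW1 on VLAN 10 over the trunk (step 43) =====
enable
configure terminal
interface fastethernet 0/0
 no ip address
! VLAN 10 arrives untagged, so the subinterface is marked native as well
interface fastethernet 0/0.10
 encapsulation dot1Q 10 native
 ip address 192.168.1.1 255.255.255.0
end
ping 192.168.1.10
```

Two points worth checking when you run this. First, service password-encryption only applies reversible type 7 encoding to plaintext line and username passwords; keep the real secrets in username ... secret and enable secret, which are hashed. Second, because the lesson makes the user VLAN (10) the trunk's native VLAN, untagged frames from R1 land in the host VLAN; the usual hardening is to move the native VLAN off VLAN 1 and onto a VLAN that carries no hosts, so that untagged frames reach nothing.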

Lesson Summary

 * Network security consists of the policies adopted to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources.
 * Network security requires physical security, access control, authentication, and authorization.
 * Cisco IOS supports Authentication, Authorization, and Accounting (AAA) using either RADIUS or TACACS+ protocols.
 * MAC filtering is a security access control method whereby the 48-bit address assigned to each network card is used to determine access to the network.
 * MAC filtering can be circumvented by identifying a valid MAC through observation and then spoofing one's own MAC into a validated one.
 * MAC spoofing may be done in the Windows Registry or by using command-line tools on a Linux platform.
 * Cisco Catalyst switches support MAC filtering on a port-by-port basis using port security.
 * Port security may be configured statically with a list, dynamically based on the first given number of addresses detected, or a combination of these two methods.
 * When port security is configured, the default settings are to allow only one MAC address per port, and to shut down the port if the allowed number of addresses is exceeded.
 * Rather than shutting down the port, the port security violation mode may be set to protect (silently drop frames from unknown addresses) or restrict (drop them, increment the violation counter, and send a syslog message and SNMP trap).
 * Port security shutdown (err-disabled) ports may also be set to recover automatically using the errdisable recovery cause psecure-violation command in global configuration mode.
 * The default errdisable recovery time is 300 seconds. This may be altered using the errdisable recovery interval command.
 * Port security dynamic MAC addresses are not remembered by default. They may be added to the running configuration by enabling sticky mode with switchport port-security mac-address sticky; save the running configuration to keep them across a reload.
 * To enable port security on an interface, use the switchport port-security command in interface configuration mode.
 * To add a MAC address to the list of secure MAC addresses, use the switchport port-security mac-address command in interface configuration mode.
 * To set the maximum number of secure MAC addresses on a port, use the switchport port-security maximum command in interface configuration mode.
 * To set the action to be taken when a security violation is detected, use the switchport port-security violation command in interface configuration mode.
 * To display port-security settings for an interface or for the switch, use the show port-security command in privileged EXEC mode.
 * Additional switch security options include shutting down unused ports, assigning unused ports to unused VLANs, and setting the native VLAN to a VLAN other than 1.

Key Terms

 * AAA
 * An acronym for authentication, authorization, and accounting, which generically refers to a protocol used for this purpose.


 * RADIUS (Remote Authentication Dial-In User Service)
 * A networking protocol that provides centralized authentication, authorization, and accounting (AAA) management for users who connect and use a network service.


 * TACACS+ (Terminal Access Controller Access-Control System Plus)
 * A protocol developed by Cisco and released as an open standard that handles authentication, authorization, and accounting (AAA) services.

Assessments

 * Flashcards: Quizlet: CCENT - Security
 * Quiz: Quizlet: CCENT - Security