Mitigating Security Threats

To mitigate security threats, you need to create a comprehensive network security plan. This plan will include how to mitigate numerous kinds of security threats.

  • Hardware threats
  • Environmental threats
  • Electrical threats
  • Maintenance threats
  • Reconnaissance attacks
  • Access attacks
  • Password attacks
  • Anti-x

Cisco's Adaptive Security Appliance (ASA) helps you provide an overall, in-depth, security design for your network with a variety of tools that can prevent a lot of the security problems I've listed in this chapter. Since a lot of the individual tool names start with anti, Cisco uses the term anti-x to refer to the whole class of security tools that prevent these problems, including antivirus, antispyware, antispam, and so on.

There are a couple of other security appliances that can be used to help prevent the more sophisticated kinds of attacks. These tools are known as intrusion detection systems (IDSs) and intrusion prevention systems (IPSs). They help prevent threats by watching for trends, particular patterns, and other factors.

IDS An intrusion detection system is used to detect several types of malicious behaviors that can compromise the security and trust of a computer system. This includes network attacks against vulnerable services, data-driven attacks on applications, host-based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and malware (viruses, Trojan horses, and worms). It is important to remember that intrusion detection systems do not stop any type of attack but instead log them and can send alerts to management stations.

IPS An intrusion prevention system is a computer security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real time, to block or prevent those activities. Network-based IPS, for example, will operate in-line to monitor all network traffic for malicious code or attacks. When an attack is detected, it can drop the offending packets while still allowing all other traffic to pass.

Password and hardware attacks are the most important to know for the CCENT exam, and that is what I'll cover in the next section.

Mitigating Password, Router, and Switch Attacks

This section discusses the basics of mitigating password and basic router and switch security attacks.

Here's how to mitigate password attacks:

  • Do not allow users to use the same password on multiple systems.
  • Disable accounts after a certain number of unsuccessful login attempts.
  • Do not use clear-text passwords; for example, use SSH instead of Telnet, and use the enable secret password instead of the clear-text enable password.
  • Use strong passwords, such as !@gL0bAlN8t rather than globalnet.
  • Passwords should expire on periodic time intervals, set by the administrator, forcing the users to change passwords.

To mitigate router and switch security attacks, apply the principles I just outlined for mitigating password attacks.

First, mitigate any hardware attacks on your router and switches by physically securing network equipment from potential access by unauthorized individuals. Lock your equipment in a computer room, inside locked racks. Then configure SSH, encrypted passwords, and banners. Here is an example of how this is done (I already covered these commands in Chapter 4, “Cisco's Internetworking Operating System (IOS)” and Chapter 7, “Layer 2 Switching,” but a refresher never hurt anyone):

Router#config t
Router(config)#hostname R1
R1(config)#enable secret cisco
R1(config)#username Todd password Lammle
R1(config)#ip domain name lammle.com
R1(config)#ip http secure-server
R1(config)#service password-encryption
R1(config)#line con 0
R1(config-line)#password console
R1(config-line)#login
R1(config-line)#line aux 0
R1(config-line)#password aux
R1(config-line)#login
R1(config-line)#exit
R1(config)#line vty 0 ?
 <1-807> Last Line number
 <cr>
R1(config)#line vty 0 807
R1(config-line)#password SSHonly
R1(config-line)#login local
R1(config-line)#transport input ssh
R1(config-line)#exit
R1(config)#banner motd # Authorized Access Only! Please enter
your username and password. #
R1(config)#exit
R1#copy run start
Destination filename [startup-config]?[enter]
Building configuration…
[OK]
R1#

The preceding commands work on both a router and a switch. It is important to remember how to configure your router to allow Secure Shell instead of the insecure Telnet protocol (transport input ssh).

Remember that the service password-encryption command will encrypt all current and future passwords in the plain-text configuration file.

Now, let's add port security on a switch to enable even more security.

Switch Port Security

You can stop someone from simply plugging a host into one of your switch ports—or worse, adding a hub, switch, or access point into the Ethernet jack in their office—by using port security, which prevents unauthorized hosts from accessing the LAN.

Here are your options:

Switch#config t
Switch(config)#int f0/1
Switch(config-if)#switchport port-security ?
  aging           Port-security aging commands
  mac-address     Secure mac address
  maximum         Max secure addresses
  violation       Security violation mode
  <cr>

You can see clearly in the preceding output that the switchport port-security command can be used with four options. Personally, I like the port-security command because it allows me to easily control users on my network. You can use the switchport port-security mac-address mac-address command to assign individual MAC addresses to each switch port.

Before I get into more details about the options, you need to understand some simple basics. First, you configure a switch port with port security after you set the port mode to access. Once you make sure the port (or ports) is an access port, then you can configure the options. However, this does not enable port security; you still have to enable this separately, as shown in the following configurations. Here is how I always start my port security configurations:

Switch(config)#int f0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security

This both sets the mode to access and enables port security. Please remember that setting the port security options on a switch port does not enable port security on the port; you must type that in manually! Now let's go through those options.

If you want to set up a switch port to allow only one host per port and to shut down the port if this rule is violated, use the following commands:

Switch#config t
Switch(config)#int f0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation shutdown

These commands are probably the most popular (and most restrictive) because they prevent users from connecting a switch or access point to your network without authorization. The maximum setting of 1 means only one MAC address can be used on that port; if the user tries to add another host on that segment, the switch port will shut down. If that happens, you'd have to manually go into the switch and enable the port with a no shutdown command.

MAC Address Security

You can add a static MAC address on a switch port to provide security, but that seems like a lot of administrative work to add every user's MAC address into the switch configuration! Probably one of my favorite commands is the sticky command. You can find this command under the mac-address command:

Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#switchport port-security maximum 2
Switch(config-if)#switchport port-security violation shutdown

Basically, what this does is provide static MAC address security without having to type in everyone's MAC address on the network.

In the preceding example, the first two MAC addresses into the port “stick” as static addresses and will stay that way for however long you set the aging command for. Why did I set it to 2? Well, I wanted one for the PC/data and one for telephony/phone.

To verify port security on a Catalyst switch, use the command show port-security. Here's an example:

Switch#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              2            1                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024
Switch#

You can even get more granular information with the following command:

Switch#show port-security interface fastEthernet 0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address        : 001a.2f52.3bf8
Security Violation Count   : 0
Switch#

Notice that the first line in the output shows that port security is enabled! If you didn't type in switchport port-security but only set the options, then the output of the first line would show Disabled.

Now here is where the coolest part of the sticky command comes into play. When a MAC address “sticks” to the interface, it is actually placed in running-config. This allows you to save the MAC address (with a copy running-config startup-config command) and basically have static MAC address mappings for each port—with a lot less administration!

Switch#sh run | begin interface
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 001a.2f52.3bf8
!

Securing Unused Ports

Last, you need to secure unused ports on your switch because they can create a security hole. You don't want anyone connecting a host or another switch into your switches and adding devices to the network, right? Shut down any unused ports to disable the interfaces:

Switch(config-if)#shutdown

And remember, you can use the range command to configure multiple ports at the same time:

Switch(config)#interface range f0/1 - 12
Switch(config-if)#shutdown
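Checking all of the above by hand on every device is error-prone, so here is an added example (not from the book or from Cisco) that audits a saved running-config for the items covered in this section: an enable secret instead of a clear-text enable password, service password-encryption, SSH-only vty lines, port security that is actually enabled rather than only having its options set, and unused ports that are shut down. The sample configuration and its password strings are constructed placeholders, and the parser is a simplified approximation of IOS config layout (top-level commands at column 0, sub-commands indented one space, sections ended by "!").

```python
"""Audit a Cisco IOS running-config for the hardening items in this section.

Added example, not the book's or Cisco's code. The section parser is a
simplified model of IOS 'show running-config' layout.
"""
from typing import Dict, List

# Constructed sample running-config (assumption: hand-written, not captured
# from a real device). Password strings are placeholders, not real hashes.
SAMPLE_CONFIG = """\
hostname R1
service password-encryption
enable secret 5 PLACEHOLDER-MD5-HASH
username Todd password 7 PLACEHOLDER-TYPE7
ip domain name lammle.com
ip http server
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security maximum 2
 switchport port-security violation shutdown
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
interface FastEthernet0/3
!
interface FastEthernet0/4
 shutdown
!
line con 0
 password 7 PLACEHOLDER-TYPE7
 login
line vty 0 4
 password 7 PLACEHOLDER-TYPE7
 login local
 transport input ssh
line vty 5 15
 login local
 transport input telnet ssh
!
"""


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Split a config into a 'global' list plus one list per interface/line section."""
    sections: Dict[str, List[str]] = {"global": []}
    current = "global"
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = "global"          # '!' terminates a section
            continue
        if raw.startswith(" "):         # indented => sub-command of current section
            sections[current].append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith(("interface ", "line ")):
            current = line
            sections.setdefault(current, [])
        else:
            current = "global"
            sections["global"].append(line)
    return sections


def audit_global(g: List[str]) -> List[str]:
    findings = []
    if not any(l.startswith("enable secret") for l in g):
        findings.append("global: no 'enable secret'; privileged password missing or clear-text")
    if "service password-encryption" not in g:
        findings.append("global: 'service password-encryption' not set; line passwords in clear text")
    if "ip http server" in g:
        findings.append("global: plain 'ip http server' is enabled; use 'ip http secure-server'")
    if not any(l.startswith("banner motd") for l in g):
        findings.append("global: no MOTD banner configured")
    return findings


def audit_lines(sections: Dict[str, List[str]]) -> List[str]:
    findings = []
    for header, body in sections.items():
        if not header.startswith("line vty"):
            continue
        transports = [l for l in body if l.startswith("transport input")]
        # No transport line means the platform default (often 'all'), so flag it too.
        if not transports or any("telnet" in t or t.endswith("all") for t in transports):
            findings.append(f"{header}: Telnet allowed; set 'transport input ssh'")
        if "login local" not in body and "login" not in body:
            findings.append(f"{header}: no login configured")
    return findings


def audit_interfaces(sections: Dict[str, List[str]]) -> List[str]:
    findings = []
    for header, body in sections.items():
        if not header.startswith("interface "):
            continue
        name = header.split(" ", 1)[1]
        if "shutdown" in body:
            continue                    # unused port correctly disabled
        if not body:
            findings.append(f"{name}: unconfigured and not shut down (unused port left open)")
            continue
        enabled = "switchport port-security" in body
        options = [l for l in body if l.startswith("switchport port-security ")]
        if options and not enabled:
            findings.append(f"{name}: port-security options set but 'switchport port-security' "
                            "never entered (shows Disabled)")
        elif not enabled and "switchport mode access" in body:
            findings.append(f"{name}: access port without port security")
    return findings


def audit(config: str) -> List[str]:
    s = parse_sections(config)
    return audit_global(s["global"]) + audit_lines(s) + audit_interfaces(s)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the audit reports the plain HTTP server, the missing banner, the vty range that still accepts Telnet, FastEthernet0/2 (options set, port security never enabled, exactly the mistake described under show port-security) and FastEthernet0/3 (left up with no configuration); FastEthernet0/1 and the shut-down FastEthernet0/4 produce no findings.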