Chapter 14. Implementing Switch Security

Objectives

This chapter covers the following Cisco-specific objectives for the “Implement a small switched network” section of the 640-822 ICND1 exam:

  • Implement and verify basic security for a switch (port security, deactivate ports)

  • Verify network status and switch operation using basic utilities (including: ping, traceroute, telnet, SSH, arp, ipconfig), SHOW & DEBUG commands

Study Strategies

  • Part of being thorough in securing your switched network is to think like an attacker. With that in mind, try to consider ways in which your network is vulnerable and how you would go about gaining access if you were the attacker.

  • Many of the topics discussed in this chapter can also be applied to securing your router. Keep that in mind when reading these topics as a refresher on how to secure your Cisco devices.

  • Read the information presented in this chapter, paying special attention to tables, Notes, and Exam Alerts.

  • Complete the Challenge and the Exercises at the end of the chapter. The exercises will solidify the concepts that you have learned in the previous sections.

  • Complete the Exam Questions at the end of the chapter. They are designed to simulate the types of questions you will be asked on the ICND1 exam.

Introduction

Securing a network is an endless task. Every day there are new scripts and exploits, new vulnerabilities, and new methods to gain access to your network. Our job as Cisco administrators is to stay ahead of the game as much as possible and make it as difficult as possible to gain access.

As discussed in Chapter 4, “General Network Security,” the basis of any good security implementation is a thorough security policy. Switched networks must be a pivotal piece of that security policy; however, they are typically the most overlooked. The fact that the LAN is tucked away inside your network provides a false sense of security, especially because some of your biggest threats might be the users attached to the switched network. This chapter examines how to secure access to the Cisco devices in your LAN as well as the traffic that flows through it.

Securing Physical Access to the Catalyst Switch

Similar to troubleshooting, our first layer of defense for securing the switched network should start at the Physical layer. Specifically, we need to secure access to the physical switch itself and the cables that are connected to it. It doesn’t take a skilled attacker to physically destroy a switched network to which he or she has complete access.

With that being said, the first and probably most critical step of securing your network is to ensure that the switches themselves are secured in a cool room in which only you or those authorized have access. If users have physical access to the switches, they can easily console into the switch and perform a password-recovery exercise (easily found on the Internet) just by repowering the switch and holding down a button during power-up. Even unintentional attacks such as custodial staff unplugging your switches to run the vacuum can occur easily if not secured correctly. If you can, also make sure that the Ethernet cabling between the switches and end devices is not in plain sight and therefore can’t be easily damaged. You don’t want the last act by a fired employee to be taking down your entire network by ripping out your existing wiring.

Securing Terminal Access to the Catalyst Switch

After we have ensured that the switch is physically secured, the next layer of defense to implement is securing terminal access to the switch so that attackers cannot perform reconnaissance or manipulate configurations. Because there are several ways to gain access to the Cisco IOS, due diligence is required to ensure that all terminal connections are secured.

To start, the first logical terminal access to secure is the console and auxiliary port. Many might ask why, because we already physically secured the switch. To answer a question with a question, would you have an account at a bank that leaves your money out on a table because they have an alert security guard standing at the door? A layered defensive approach entails having security measures at each step of the way so that attackers will have many obstacles in their way in achieving their objective.

To secure access to the console and aux port, the simplest defense you can use is securing them with a password. Just as in router configurations, this is achieved in the line configuration using the password command. It is also a good idea to make sure that your passwords are strong passwords containing at least eight characters and that they have a combination of numbers, symbols, and lower and uppercase letters:

Switch(config)# line console 0
Switch(config-line)# login
Switch(config-line)# password EggsAmKr@m
Switch(config-line)# exit
Switch(config)# line auxiliary 0
Switch(config-line)# login
Switch(config-line)# password EggsAmPr3p

What’s more, you can create a local username and password combination that is stored in the configuration. This username and password will be required to be entered when someone attaches to the console and gets an EXEC prompt. The only difference in the configuration is that you no longer need to specify a password in the line configuration, because you achieved that in defining the username and password combination, and you also must use the keyword local in the login command. This keyword tells the IOS to use the local username and password combination that can be found in the configuration:

Switch(config)# username jchambers password Sysco-Prez
Switch(config)# line console 0
Switch(config-line)# login local
Switch(config-line)# exit
Switch(config)# line auxiliary 0
Switch(config-line)# login local

Now, when someone attaches to the console or aux port, he or she is prompted for a username and password, such as the following:

Press RETURN to get started.
User Access Verification

Username:jchambers
Password:
Switch>

Note

If you configure the console and aux login to use the username and password using the login local command and a password configuration is present on the line as well, the IOS uses the username and password over the password line configuration.

Tip

You can use a special username and password command that encrypts the password similarly to the enable secret command. Conveniently enough, the command is username username secret password. This applies an MD5 hash of the password so that it cannot be easily acquired if the configuration is accessed.

To Telnet or Not to Telnet

Recall that although Telnet is a convenient way to gain EXEC access to the Cisco device, it also is extremely dangerous, because everything that is sent using Telnet is in clear text and can be intercepted by anyone eavesdropping on the session. With that being said, whenever possible, use SSH for remote terminal connectivity to the Cisco device. Recall that the configuration for enabling SSH on a Cisco device is as follows:

  1. Change the default hostname of the Cisco device.

  2. Configure a domain name with the ip domain-name command.

  3. Generate the RSA key with at least a 1024-bit key with the crypto key generate rsa command.

  4. Create a username and password.

A further recommended step in this process is to limit the vty lines on the Cisco device to accept only SSH as an input protocol. In other words, this step entails disallowing Telnet into the vty lines. The command to limit the terminal input on the vty lines is transport input SSH on the vty line configuration:

Switch(config)# line vty 0 15
Switch(config-line)# transport input SSH

When you exclude the keyword telnet in the transport input command, only SSH is allowed as a terminal input protocol on all the vty lines.

Whether you are using SSH or are only left with using Telnet, make sure you have properly secured user EXEC access through the vty lines using the same methods as the aux and console. Specifically, configure a password on the vty lines or use the login local command to prompt for a username and password.

Exam Alert

By using the transport input SSH command, you limit SSH as the only transport protocol allowed on the vty lines.

Additional IOS Security Practices

In addition to securing access to Cisco IOS, it is also a good idea to secure the contents of the configuration using some practical and simple configuration steps that we have discussed. This list is not exhaustive by any means, but it is a good beginning point:

  1. Encrypt your enable password to privileged EXEC using the enable secret command.

  2. Encrypt all other clear-text passwords in the configuration using service password-encryption.

  3. Create a login banner that warns against unauthorized access attempts to the EXEC prompt.

  4. Disable EXEC access on unused terminal access ports (such as aux ports) using the no exec command in the line configuration.

  5. Limit how long the terminal session stays idle to not exceed one minute with the exec-timeout command (exec-timeout 1 0).
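
The following script is an added example, not code from the book or from Cisco: it parses a saved running-config and checks it against the terminal-access practices just listed (enable secret, service password-encryption, a login banner, no exec on the aux port, an idle timeout of at most one minute) plus login local and SSH-only vty lines from the earlier sections. Both configurations are constructed for illustration, and the secret hashes are placeholders.

```python
"""Audit an IOS running-config for the terminal-access and password practices
listed above.  Added example (not from the book or Cisco); the two configs
below are constructed, and the secret hashes are placeholders."""
import re

# Constructed "before" config with several of the weaknesses the chapter warns about.
WEAK_CONFIG = """\
hostname Swtch2950
no service password-encryption
enable password cisco
banner motd ^C Unauthorized access is prohibited ^C
username artvandelay secret 5 $1$PLACEHOLDER$hash
line con 0
 login local
 exec-timeout 5 0
line aux 0
 login
 password aux-pass
line vty 0 15
 login local
 transport input telnet ssh
"""

# Constructed "after" config following steps 1-5 plus SSH-only vty lines.
HARDENED_CONFIG = """\
hostname Swtch2950
service password-encryption
enable secret 5 $1$PLACEHOLDER$hash
banner motd ^C Unauthorized access is prohibited ^C
username artvandelay secret 5 $1$PLACEHOLDER$hash
line con 0
 login local
 exec-timeout 1 0
line aux 0
 no exec
line vty 0 15
 login local
 exec-timeout 1 0
 transport input ssh
"""

DEFAULT_EXEC_TIMEOUT = 600   # IOS default is 10 minutes when no exec-timeout is set


def parse_config(config):
    """Return (global commands, {line section name: [indented commands]})."""
    global_cmds, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):            # indented: belongs to the open line section
            if current is not None:
                sections[current].append(raw.strip())
            continue
        cmd = raw.strip()
        global_cmds.append(cmd)
        current = cmd if cmd.startswith("line ") else None
        if current:
            sections[current] = []
    return global_cmds, sections


def exec_timeout_seconds(cmds):
    """Idle timeout of a line section in seconds (exec-timeout MINUTES [SECONDS])."""
    for cmd in cmds:
        m = re.fullmatch(r"exec-timeout (\d+)(?: (\d+))?", cmd)
        if m:
            return int(m.group(1)) * 60 + int(m.group(2) or 0)
    return DEFAULT_EXEC_TIMEOUT


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    global_cmds, sections = parse_config(config)
    findings = []
    if not any(c.startswith("enable secret") for c in global_cmds):
        findings.append("no enable secret: privileged EXEC password is not hashed")
    if "service password-encryption" not in global_cmds:
        findings.append("service password-encryption is off: line passwords are clear text")
    if not any(c.startswith("banner ") for c in global_cmds):
        findings.append("no login banner warning against unauthorized access")
    for name, cmds in sections.items():
        if "no exec" in cmds:
            continue                        # line cannot reach an EXEC prompt at all
        if name.startswith("line aux"):
            findings.append(f"{name}: EXEC still enabled on unused auxiliary port")
        if name.startswith("line vty") and "transport input ssh" not in cmds:
            findings.append(f"{name}: Telnet still accepted (expected transport input ssh)")
        has_login = "login local" in cmds or (
            "login" in cmds and any(c.startswith("password ") for c in cmds))
        if not has_login:
            findings.append(f"{name}: no password or login local protecting EXEC access")
        if exec_timeout_seconds(cmds) > 60:
            findings.append(f"{name}: idle timeout exceeds one minute")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or ["all checks passed"])
```

Run against the weak config the audit reports seven findings (missing enable secret, encryption off, the aux port still reachable, Telnet on the vty lines, and over-long idle timeouts on all three lines); the hardened config reports none. The parser deliberately treats only indented commands under a line stanza as belonging to it, which is how IOS prints the running-config.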

Layer 2 Security

Feeling satisfied with securing access to the physical switch and cables as well as access to the Catalyst switch IOS, our next step on our secure ladder is to get to the core of our switching functions and secure the possible vulnerabilities that occur at the Data Link layer.

The transparent functions that our switches perform, such as MAC address learning and forwarding, are taken for granted because they are just that: transparent. Consequently, these are the most overlooked aspects of switch security today, because we naturally assume that the default behavior of the switch’s design is how it should be. Any thought of securing that behavior goes against the switch’s basic operations. In the following sections, you will see that although the extra configuration steps might involve slightly more work, the end result is that you won’t lose sleep wondering when the next attack might cause your cell phone to go off.

Port Security

Objectives:

  • Implement and verify basic security for a switch (port security, deactivate ports)

Anybody who has physical access to the ports of your switches can easily attach another switch or hub to enable more devices to be on the switched network. If you want to limit the number of MAC addresses that can be dynamically learned on a switch port (for environments such as college campuses and hotels), you can enable the port security feature on your switch ports that are accessible to end users. With the switchport port-security commands, you can define the maximum number of MAC addresses to be learned on an access port. If this maximum number is exceeded, the switch port is put in an error-disabled state (by default) in which you have to reenable the interface by administratively shutting it down (with the shutdown command) and reenabling the port with the no shutdown command. Although this is a bit drastic, it is a surefire way to ensure that switch administrators know where the violation occurred and help identify the users who might be responsible.

To configure this port security functionality, you must enable this port security on each interface, followed by the maximum MAC count allowed on the interface (the default is 1). For example, if you wanted to restrict the number of MAC addresses allowed to 10, you would use the following configuration on the port:

Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 10

Furthermore, you can change the default action when a violation occurs on the secured port with the switchport port-security violation command:

Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}

The default action is shutdown, which puts the port in the error-disabled state, as mentioned earlier. You can also choose to have the port increase a violation counter and alert an administrator using an SNMP trap with the restrict keyword; the port itself stays up. The protect keyword allows traffic only from the secure MAC addresses: frames from any other source MAC address are silently dropped (no counter, no trap) until the number of secure MAC addresses drops below the maximum.

Exam Alert

The switchport port-security maximum command restricts how many MAC addresses can be learned on a switch interface. The switchport port-security violation shutdown command instructs the switch to disable the port when a violation occurs.

Static MAC with Port Security

The default state of Cisco Catalyst switches is to learn MAC addresses dynamically. For security purposes, you can assign static MAC addresses to an interface to ensure that a MAC address is recognized on only a specific interface. For instance, if you want to make sure that no one tries to connect to your switch and spoof (falsely assume the identity of) your server’s MAC address of FA23.239B.2349, you could use the following port security command to statically assign that MAC address to the Fast Ethernet 0/2 interface:

Switch(config)# interface fastethernet 0/2
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address FA23.239B.2349

This configuration leaves the maximum secure MAC address at its default of 1. If the switch receives another MAC address on Fast Ethernet 0/2, or the MAC address FA23.239B.2349 is seen entering a port other than Fast Ethernet 0/2, the port is disabled.

Port security also can save you some configuration by learning sticky secure MAC addresses. With the command switchport port-security mac-address sticky, the switch automatically configures the addresses already dynamically learned on the interface, as well as any new MAC addresses (up to the maximum) to be secure MAC addresses. These sticky addresses actually get added as sticky secure MAC configuration line entries in the running configuration. If you save the configuration and reboot the switch, those secure MAC addresses won’t need to be relearned.

Exam Alert

Sticky addresses are secure MAC addresses that are dynamically learned on the interface.
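
The following model is an added example, not Cisco code, that shows the port security behaviour described in the last few sections in one place: learning up to the configured maximum, how protect, restrict, and shutdown each react to a frame from an unknown source MAC, a statically configured secure MAC as on Fast Ethernet 0/2, and why sticky addresses survive a shutdown / no shutdown while plain dynamically learned ones do not. All MAC addresses, port names, and frame sequences are constructed.

```python
"""Model of a port-security interface: learning up to the configured maximum,
the protect/restrict/shutdown violation actions, and sticky versus plain
dynamic learning across a shutdown / no shutdown.  Added example, not Cisco
code; all MAC addresses and frames are constructed."""
from dataclasses import dataclass, field

PROTECT, RESTRICT, SHUTDOWN = "protect", "restrict", "shutdown"


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # switchport port-security maximum (default 1)
    violation: str = SHUTDOWN        # switchport port-security violation (default shutdown)
    sticky: bool = False             # switchport port-security mac-address sticky
    configured: set = field(default_factory=set)   # static secure MACs
    learned: dict = field(default_factory=dict)    # dynamic MAC -> learned as sticky?
    err_disabled: bool = False
    violation_count: int = 0
    log: list = field(default_factory=list)

    def secure_macs(self):
        return self.configured | set(self.learned)

    def receive(self, src_mac):
        """Return 'forward' or 'drop' for a frame arriving with this source MAC."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "drop"                       # port stays down until an admin recovers it
        if src_mac in self.secure_macs():
            return "forward"
        if len(self.secure_macs()) < self.maximum:
            self.learned[src_mac] = self.sticky     # room left: learn it as a secure address
            return "forward"
        # Table is full and the source is not secure: a violation.
        if self.violation == PROTECT:
            return "drop"                       # silently dropped, no counter, no trap
        self.violation_count += 1
        self.log.append(f"violation on {self.name} by {src_mac} (syslog + SNMP trap)")
        if self.violation == SHUTDOWN:
            self.err_disabled = True            # err-disabled until shutdown / no shutdown
        return "drop"

    def shut_no_shut(self):
        """Administrative shutdown then no shutdown: clears err-disabled and
        flushes dynamically learned addresses, keeping sticky and static ones."""
        self.err_disabled = False
        self.learned = {m: s for m, s in self.learned.items() if s}


def violation_mode_demo():
    """Same four frames against each violation mode; returns
    {mode: (per-frame actions, violation count, err-disabled?)}."""
    frames = ["1234.5678.abcd", "1234.5678.abcd", "dead.beef.0001", "1234.5678.abcd"]
    results = {}
    for mode in (PROTECT, RESTRICT, SHUTDOWN):
        port = SecurePort("Fa0/6", maximum=1, violation=mode)
        actions = [port.receive(m) for m in frames]
        results[mode] = (actions, port.violation_count, port.err_disabled)
    return results


def static_demo():
    """Static secure MAC with the default maximum of 1: any other source shuts the port."""
    port = SecurePort("Fa0/2", configured={"fa23.239b.2349"})
    return port.receive("fa23.239b.2349"), port.receive("0000.1111.2222"), port.err_disabled


def sticky_demo():
    """Sticky learning survives shut/no shut; plain dynamic learning does not."""
    results = {}
    for label, sticky in (("sticky", True), ("dynamic", False)):
        port = SecurePort("Fa0/7", maximum=2, sticky=sticky)
        for mac in ("aaaa.bbbb.0001", "aaaa.bbbb.0002", "aaaa.bbbb.0003"):
            port.receive(mac)               # third frame violates -> err-disabled
        port.shut_no_shut()
        results[label] = (sorted(port.secure_macs()), port.err_disabled)
    return results


if __name__ == "__main__":
    print(violation_mode_demo())
    print(static_demo())
    print(sticky_demo())
```

The three modes differ only after the table is full: protect and restrict keep forwarding frames from the already-secure address and differ only in whether the violation counter (and trap) fires, whereas shutdown drops everything, including the legitimate address, until the administrator intervenes. That is the trade-off the chapter describes as "a bit drastic" but unmistakable.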

Verifying Port Security

Objectives:

  • Verify network status and switch operation using basic utilities (including: ping, traceroute, telnet, SSH, arp, ipconfig), SHOW & DEBUG commands

To verify the port security configuration parameters on the interface, as well as the number of security violations that have occurred on that interface, use the show port-security interface interface command:

Switch# show port-security interface fa0/2
Port Security                        : Enabled
Port Status                          : Secure-up
Violation Mode                       : Shutdown
Aging Time                           : 0 mins
Aging Type                           : Absolute
SecureStatic Address Aging           : Disabled
Maximum MAC Addresses                : 1
Total MAC Addresses                  : 1
Configured MAC Addresses             : 1
Sticky MAC Addresses                 : 0
Last Source Address                  : fa23.239b.2349
Security Violation Count             : 0

Based on this output, you can see that port security is enabled and is not in a disabled state. The default actions for violations (shutdown) and maximum MAC addresses are configured on Fast Ethernet 0/2, with a configured MAC address of fa23.239b.2349.

To verify your configured port security addresses, use the show port-security address command:

Switch# show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   1    fa23.239b.2349    SecureConfigured       Fa0/2       -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024

Here you can see that your statically configured secure MAC address is configured on Fast Ethernet 0/2. Compare that output to a dynamically learned sticky MAC address, which shows the type as SecureDynamic as opposed to SecureConfigured:

Switch# show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   1    fa23.239b.2349    SecureDynamic       Fa0/2       -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024
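
When you have more than a handful of access ports, reading these two show commands by eye does not scale. The script below is an added example, not code from the book or Cisco: it parses the "Key : value" layout of show port-security interface and the table layout of show port-security address, reports err-disabled ports and recorded violations, checks that an expected static address is actually present as SecureConfigured, and flags output whose numbers cannot be right (more secure addresses than the maximum with no violation counted). The sample outputs are constructed to match the format shown above.

```python
"""Parse 'show port-security interface' and 'show port-security address' output
and flag what an administrator should act on.  Added example, not Cisco code;
the sample outputs are constructed to match the format shown in this chapter."""
import re

# Constructed: a port that has tripped its default shutdown action.
SHOW_IF_ERRDISABLED = """\
Port Security                        : Enabled
Port Status                          : Err-disabled
Violation Mode                       : Shutdown
Aging Time                           : 0 mins
Aging Type                           : Absolute
SecureStatic Address Aging           : Disabled
Maximum MAC Addresses                : 1
Total MAC Addresses                  : 2
Configured MAC Addresses             : 0
Sticky MAC Addresses                 : 0
Last Source Address                  : fa53.c39b.af34
Security Violation Count             : 1
"""

# Constructed: one static and one dynamically learned secure address.
ADDRESS_TABLE = """\
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   1    fa23.239b.2349    SecureConfigured       Fa0/2       -
   1    de26.287b.2490    SecureDynamic          Fa0/7       -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024
"""

MAC_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s+(\S+)\s*$", re.I)


def parse_interface(text):
    """'Key : value' lines -> dict keyed by the field name."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def assess_interface(port, fields):
    """Findings for one port's 'show port-security interface' output."""
    if fields.get("Port Security") != "Enabled":
        return [f"{port}: port security is not enabled"]
    findings = []
    violations = int(fields["Security Violation Count"])
    maximum = int(fields["Maximum MAC Addresses"])
    total = int(fields["Total MAC Addresses"])
    if fields["Port Status"].lower() == "err-disabled":
        findings.append(f"{port}: err-disabled, last source {fields['Last Source Address']}; "
                        "recover with shutdown then no shutdown after investigating")
    if violations:
        findings.append(f"{port}: {violations} violation(s) recorded")
    if total > maximum and not violations:
        findings.append(f"{port}: {total} secure addresses exceed maximum {maximum} "
                        "with no violations; this output is not self-consistent")
    return findings


def parse_address_table(text):
    """Rows of 'show port-security address' as dicts (header/footer lines skipped)."""
    rows = []
    for line in text.splitlines():
        m = MAC_RE.match(line)
        if m:
            rows.append({"vlan": int(m.group(1)), "mac": m.group(2).lower(),
                         "type": m.group(3), "port": m.group(4), "age": m.group(5)})
    return rows


def check_static(rows, expected):
    """expected: {port: MAC that must be SecureConfigured there}; returns mismatches."""
    present = {(r["port"], r["mac"]) for r in rows if r["type"] == "SecureConfigured"}
    return [f"{port}: expected static {mac.lower()} is not configured"
            for port, mac in expected.items() if (port, mac.lower()) not in present]


def inconsistent_demo():
    """Output claiming 50 secure addresses against a maximum of 10 with no violations."""
    fields = parse_interface(SHOW_IF_ERRDISABLED)
    fields.update({"Port Status": "Secure-up", "Maximum MAC Addresses": "10",
                   "Total MAC Addresses": "50", "Security Violation Count": "0"})
    return assess_interface("Fa0/2", fields)


if __name__ == "__main__":
    print(assess_interface("Fa0/6", parse_interface(SHOW_IF_ERRDISABLED)))
    print(inconsistent_demo())
    print(check_static(parse_address_table(ADDRESS_TABLE), {"Fa0/2": "fa23.239b.2349"}))
```

The self-consistency check is worth keeping in a real audit script: if a collector or a transcription ever hands you a total above the maximum with a zero violation count, the data is wrong, not the switch.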

“See” DP

This might sound like Cisco sacrilege, but you should consider disabling CDP on switch interfaces that do not need it, such as edge ports connected to end devices. If you consider the information someone can learn from CDP, you’ll realize the major security liability it can be. From just a single CDP multicast, an attacker could learn the hostname, the local port on the switch that sent the CDP message, and the switch’s IP address. With this information and strong motivation, it is only a matter of time before your switch and its networks are infiltrated.

Recall that to disable CDP on individual interfaces, you must configure no cdp enable on each interface. If you have no need for CDP, disable it globally on the switch with the no cdp run command.

Chapter Summary

Securing a switched network entails trying to protect all Layer 1 aspects of the switch, including access to the IOS itself. In addition, it is imperative to secure the switch’s Layer 2 operations so that an attacker doesn’t interrupt or damage the switched network.

Securing the Physical layer entails ensuring that the switch and its cables are in a secure environment where users cannot inflict damage on them. This step also gives added protection from users gaining console access to the switch to gain information to attack the network or attack or manipulate the switch itself. Leveraging the IOS’s internal security measures such as logins and passwords for terminal access is also ideal in building a layered defense. When possible, it is also recommended that you use SSH instead of Telnet for remote access to the IOS, because the communications between the management computer and the switch are secured.

Data Link layer security involves securing individual ports using port security. Port security protects ports by defining a maximum number of MAC addresses that are allowed to be dynamically learned on an individual port. You can also manually specify the MAC address(es) that are allowed to be present in the source address of the Ethernet frame when entering that port. This can be a single static configured MAC address, or you can configure sticky learning, and the addresses will be dynamically added to the configuration. When a port security violation occurs, the default action is to disable the interface. When this occurs, you have to shut down the interface and administratively bring it back up. You can configure the switch port to just report the violation (restrict), or you can reject frames from nonsecure MAC addresses until the number of MAC addresses falls under the limit (protect).

In addition, CDP reveals potentially dangerous information in its multicasts; thus, it is recommended that you disable CDP globally or on interfaces that do not require it.

Apply Your Knowledge

Exercises

The Impregnable IOS

Now it is time to take the security features you learned about in this chapter and apply them to our switch. To start, we will walk through an exercise of securing access to the IOS and the passwords in the configuration.

Estimated Time: 15 minutes

  1. Console into your switch.

  2. Configure a username and password. If supported, make the password secured with an MD5 hash.

  3. Change the default hostname, and configure a domain name for the switch.

  4. Generate a 1024-bit RSA key.

  5. Configure the console’s login to prompt for the username and password.

  6. Disable the auxiliary port from getting EXEC access.

  7. Configure the login of the vty lines to prompt for a username and password.

  8. Allow SSH only on the vty lines (remove Telnet).

  9. Limit the timeout for EXEC sessions to 45 seconds.

  10. Assign an MD5 hashed enable password.

  11. Encrypt all clear-text passwords.

Your configuration should be similar to the following:

! Step 2
Switch(config)# username artvandelay secret Imp0rt3xp0rt
! Step 3
Switch(config)# ip domain-name examprep.com
Switch(config)# hostname Swtch2950
! Step 4
Swtch2950(config)# crypto key generate rsa
The name for the keys will be: Swtch2950.examprep.com
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.

How many bits in the modulus [512]: 1024
Generating RSA keys ...
[OK]
7w1d: %SSH-5-ENABLED: SSH 1.99 has been enabled
! Step 5
Swtch2950(config)# line console 0
Swtch2950(config-line)# login local
Swtch2950(config-line)# exit
! Step 6
Swtch2950(config)# line auxiliary 0
Swtch2950(config-line)# no exec
Swtch2950(config-line)# exit
! Step 7
Swtch2950(config)# line vty 0 15
Swtch2950(config-line)# login local
! Step 8
Swtch2950(config-line)# transport input ssh
! Step 9
Swtch2950(config-line)# exec-timeout 0 45
Swtch2950(config-line)# exit
! Step 10
Swtch2950(config)# enable secret MD5p@ssw0rd
! Step 11
Swtch2950(config)# service password-encryption

Layer 2 Security To-Do

With our switch secured, it is time to secure the switch’s Layer 2 operations.

Estimated Time: 10 minutes

  1. Enable port security on ports 1 through 5 using the interface range command.

  2. Set the maximum number of dynamically learned MAC addresses to 10.

  3. Change the default action of violations to disallow traffic from any newly learned MAC addresses over our maximum.

  4. Configure the sixth interface to have only a single MAC address of 1234.5678.ABCD.

  5. Configure the seventh interface to have secure MAC addresses sticky-learned.

  6. Disable CDP globally.

Your configuration should be similar to the following:

! Step 1
Swtch2950(config)# interface range fastethernet 0/1-5
Swtch2950(config-if-range)# switchport port-security
! Step 2
Swtch2950(config-if-range)# switchport port-security maximum 10
! Step 3
Swtch2950(config-if-range)# switchport port-security violation protect
Swtch2950(config-if-range)# exit
! Step 4 (port security must be enabled on the interface before the static address takes effect)
Swtch2950(config)# interface fastethernet 0/6
Swtch2950(config-if)# switchport port-security
Swtch2950(config-if)# switchport port-security mac-address 1234.5678.ABCD
Swtch2950(config-if)# exit
! Step 5
Swtch2950(config)# interface fastethernet 0/7
Swtch2950(config-if)# switchport port-security
Swtch2950(config-if)# switchport port-security mac-address sticky
Swtch2950(config-if)# exit
! Step 6
Swtch2950(config)# no cdp run

Review Questions

1. What is the significance of securing physical access to a switch?

2. How can you harden (make secure) the Cisco IOS?

3. How can you ensure that only one specific end device is attached to a switch port?

4. Why could CDP be a potential security risk?

Exam Questions

1. Which of the following is not a violation action of port security?

  A. Protect

  B. Shut down

  C. Notify

  D. Restrict

2. Which of the following is not a recommended security implementation for securing the Catalyst switch?

  A. SSH.

  B. Disable the console port.

  C. Configure the login and password for the vty lines.

  D. Allow only specific management IP address(es) into the vty lines.

3. Which command produced the following output?

Switch# show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   1    1234.5678.9ABF    SecureConfigured       Fa0/9       -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024

  A. Switch(config-if)# switchport port-security sticky

  B. Switch(config-if)# switchport port-security mac-address 1234.5678.9abf

  C. Switch(config-if)# switchport port-security mac-address sticky

  D. Switch(config-if)# switchport port-security 1234.5678.9abf

4. Given the following:

Switch# show port-security interface fa0/6
Port Security                        : Enabled
Port Status                          : Err-disabled
Violation Mode                       : Shutdown
Aging Time                           : 0 mins
Aging Type                           : Absolute
SecureStatic Address Aging           : Disabled
Maximum MAC Addresses                : 1
Total MAC Addresses                  : 2
Configured MAC Addresses             : 0
Sticky MAC Addresses                 : 0
Last Source Address                  : fa53.c39b.af34
Security Violation Count             : 1

which of the following is a possible cause of the output?

  A. Fast Ethernet 0/6 is receiving traffic and working correctly.

  B. A static MAC address has been configured on Fast Ethernet 0/6.

  C. Fast Ethernet 0/6 is learning sticky MAC addresses.

  D. Fast Ethernet 0/6 is shut down because a violation has occurred.

5. Why is the following output false?

Switch# show port-security interface fa0/2
Port Security                        : Enabled
Port Status                          : Secure-up
Violation Mode                       : Shutdown
Aging Time                           : 0 mins
Aging Type                           : Absolute
SecureStatic Address Aging           : Disabled
Maximum MAC Addresses                : 10
Total MAC Addresses                  : 50
Configured MAC Addresses             : 0
Sticky MAC Addresses                 : 0
Last Source Address                  : de26.287b.2490
Security Violation Count             : 0

  A. There are more MAC addresses than the maximum allowed and no violations.

  B. You cannot have the violation action be shutdown unless static secure MAC addresses are configured.

  C. Sticky addresses must be configured if there is more than one MAC address.

  D. The maximum MAC addresses cannot be changed from the default value of 1.

6. Which of the following is false regarding what happens when you use the login local command on line configurations?

  A. The switch uses the username and password configured from the global configuration.

  B. You are prompted for a login and password as long as you don’t use the password command on the line configuration.

  C. This command can be configured on vty lines, the auxiliary port, and the console port.

  D. The password can be encrypted using the username username secret password command.

Answers to Review Questions

1. An attacker can maliciously cause physical damage to the switch and/or the cables connected to the switch and ultimately bring down your network. If the attacker wants to covertly attack the network or gain unauthorized access to other devices or networks, he or she can also gain console access to the switch and perform password recovery to reconfigure the switch or discover other devices. For these reasons, it is imperative to ensure that the physical equipment and cables are secured from unauthorized users.

2. The first step to hardening the Cisco IOS is to secure all points of terminal entry to the IOS. This entails assigning passwords (or usernames/password combinations) to the console, aux, and vty lines. Additionally, if any of these services are not being used, you should disable EXEC access. For remote access, you should use SSH over Telnet if possible and allow SSH only on the vty lines.

After terminal access is secured, you should ensure that all passwords are encrypted in the configuration, disable CDP on interfaces that do not require it, and decrease the amount of time an EXEC session can remain idle.

3. To ensure that a single device is attached to a switch port, enable port security and allow only one MAC address as the maximum (the default). For additional security, manually or dynamically (using sticky learning) specify the device’s MAC address.

4. CDP advertises pertinent information for discovery and troubleshooting. Information such as CDP-advertising ports, hostname, and IP addresses can be intercepted and used to attack the switch.

Answers to Exam Questions

1. C. Notify is not a valid action of port security. The three actions that can be configured are shut down, protect, and restrict.

2. B. Answer B is not a recommended security implementation because you will always require console access as a failsafe to gain access to Cisco devices. SSH, login/passwords for vty lines, and specifying management IP address(es) of management station(s) are all recommended security implementations.

3. B. Because the output indicates that the MAC address is SecureConfigured, it must have been manually configured using the switchport port-security mac-address 1234.5678.9abf command. Answers A and D are not valid command syntax for port security. Answer C is valid syntax, but the output for the MAC address would show up as SecureDynamic.

4. D. The port status of the output indicates that it is an error-disabled state, which means that a violation has occurred and that the default action (shutdown) has disabled the port. Because the maximum MAC addresses is configured as 1, and it has learned two MAC addresses, it is safe to say that this is the cause of the violation. Answer A is incorrect because the port is not in a Secure-Up (active) state. Answer B is incorrect because the count of configured MAC addresses is 0. Answer C is incorrect as well because the output indicates that the sticky MAC address count is also 0.

5. A. If the number of MAC addresses is exceeded, security violations should increase, and the configured action should take place (in this case, shutdown). Answer B is incorrect because you can have the violation be shutdown on dynamic, sticky-learned, or static MAC addresses. Answer C is incorrect because it is not required (although it might be more practical) to configure sticky addresses when there is more than one secure MAC address. Answer D is incorrect because the maximum MAC addresses can be configured to be more than 1.

6. B. You will still be prompted for a login and password, regardless of whether a password is configured. The switch uses the local username and password (which can be encrypted using the username username secret password command) and can be assigned to console, aux, and vty lines, so answers A, C, and D are incorrect.

Suggested Readings and Resources

  1. Richard Froom, Balaji Sivasubramanian, and Erum Frahim. Building Cisco Multilayer Switched Networks (BCMSN) (Authorized Self-Study Guide), 4th Edition. Cisco Press, 2007.

  2. Wendell Odom. CCNA ICND2 Official Exam Certification Guide (CCNA Exams 640-816 and 640-802), 2nd Edition. Cisco Press, 2007.

  3. “Port Security,” www.cisco.com.
