Week4.pptx
Week 4: Security Concepts (Basic Security and Backups)
NTWK8031 – Configuring Routers and Switches

Welcome to Week 4! You should be familiar with a number of basics now, but we'll go over a few more this week.
• You should understand basic IOS commands
• The various levels (enable, conf t, interface) of configuration
• The importance of security

Discussion! What do you believe to be important security items in Cisco networking hardware?

Part 0 HOUSEKEEPING
Any questions from our first Graded Lab? The first graded lab showed how the practical assignments will run in this class. While it is worth only 5%, it is important to understand that this course requires you to practise, which is why sufficient time is given to you after each lecture. You can also practise by using Cisco Packet Tracer.

Required Reading
• You were required to read Chapter 12/Appendix C in our textbook (at least to comprehend the principles; more will be discussed in Week 5)
• Any questions that you have pertaining to the content can be addressed at the end of this lecture

Part 1 SECURITY BASICS – MOTD
Let's start with the basics
• One of the first things you can do to combat unwanted access to your equipment is to ensure proper notices and policies
• The MOTD (message-of-the-day) banner is an effective mechanism that lets you warn users that the equipment they are accessing is restricted and that they should 'turn back'
• A banner is a notice, not an access control: it deters and it supports a policy, but the passwords in Part 2 are what actually restrict access
• MOTDs are applicable on routers and switches

How to configure an MOTD
In configure terminal mode, simply enter the following:
banner motd #
This is private equipment
If you don't belong here, you must leave
Be warned!
#

MOTD – configuration explained
banner motd is the command; the hash (#) entered after 'motd' specifies the delimiting (termination) character. It can be any single character (letter, number, or most ASCII symbols), but it must not occur anywhere inside the banner text itself, because the first occurrence of it ends the banner.
banner motd #
We begin our message; it can be one or many lines.
As you can see below, the message is 3 lines here:
This is private equipment
If you don't belong here, you must leave
Be warned!
When finished, simply enter the termination character and hit Enter; this exits the banner configuration mode.

MOTD – Example (screenshot)

Part 2 SECURITY BASICS – PASSWORDS
Passwords
• Passwords are the most fundamental security mechanism
• There are multiple passwords that can be set and multiple secure login mechanisms that can be used
• Advanced password mechanisms will be discussed as well

Console / Line passwords
The Cisco "console" or "line" password is the one you are asked for when you try to configure the router or switch from the console port. By default there is no password at all: you drop straight into user EXEC mode. It is advisable to set a console/line password as your first line of defence against anyone with physical access to the switch.

Enable-mode passwords
• These passwords restrict access to enable (privileged EXEC) mode
• Enable mode is where you handle most of the configuration of the switch, including all the critical configuration
• This is where you will spend most of your time as a network admin configuring switches/routers

What can you do with Console/Line access?
Console / line access by itself gives you user EXEC mode (the > prompt), i.e. 'user-level' commands. They are limited in nature, but still expose useful information:
• Most show commands: system status, routing tables, VLANs, interface addresses, neighbours, etc.
• Not the configuration itself: show running-config is a privilege-15 command, so it is only reachable through enable mode
• If enable mode has no password set, however, anyone at the console simply types enable and gets all of it, so the protection of the running config depends on the enable password or secret

Discussion Point
• Discussion: What damage can be done by having access to the running config?
• If a malicious party accesses your infrastructure and obtains a copy of running-config, what can they see?
• What follow-up attacks can they launch using the information from running-config?
Before we move on to configuration
• It is important to understand that Cisco device passwords are stored in plaintext in the configuration files by default; the one exception is the enable secret, which is stored as a hash (an enable password, by contrast, is plaintext)
• Password encryption is not enabled by default
• It must be enabled to ensure that users cannot read passwords straight out of the configuration files
• This is done through the global configuration command (enable > conf t):
service password-encryption

Plaintext passwords (and enable password) / Encrypted passwords (and enable secret) (screenshots)

Type 7 vs 5 Passwords
You may see that the passwords (the enable secret and the line con 0 password) have a 7 or a 5 in front of them
• This digit indicates the password type, i.e. how the value is stored
• 7 is a legacy Vigenère-style cipher with a fixed, publicly known key
• 5 is not encryption at all; it is hashing, salted MD5 to be precise. Hashing is one-way and not reversible (although a weak password can still be guessed offline by brute force)
• Newer IOS releases also offer type 8 (PBKDF2-SHA256) and type 9 (scrypt) for enable secret and username secret, e.g. enable algorithm-type scrypt secret {password}; prefer those where available, since MD5 is deprecated

Password Commands and Configuration
Before we go to the actual commands, a few final things about passwords:
• Line/console passwords are plaintext by default
• Enable passwords set via enable password are plaintext by default
• Enable passwords set via enable secret are MD5 (type 5) hashes by default
• service password-encryption converts all plaintext passwords to type 7 (Vigenère); you CANNOT force type 5 with this command, all plaintext passwords become type 7
• Vigenère is a weak method and type 7 has long been broken: anyone who can read the config can recover the plaintext in milliseconds
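Added example for Part 2 (not from the lecture and not Cisco code): a short Python script that reverses type 7 strings and audits a running-config excerpt for the weak storage forms just described. The config text is constructed for the demo and its $1$... values are placeholder type 5 hashes, not hashes of any real password; the two type 7 strings in it are the commonly published test vectors that both decode to cisco. XLAT is the fixed translation table every IOS release uses for type 7.

```python
import re

# Fixed "key" every IOS type 7 password is XORed against. It is public and the
# same on every device, so type 7 is obfuscation, not encryption.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(encoded: str) -> str:
    """Reverse a type 7 string: two decimal digits of seed, then one hex byte per character."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(body)).decode()


def encode_type7(plain: str, seed: int = 9) -> str:
    """Forward direction: the same XOR with the same key, which is why decoding is trivial."""
    body = bytes(ord(c) ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(plain))
    return f"{seed:02d}{body.hex().upper()}"


# Constructed running-config excerpt mixing the forms discussed in the lecture.
# The $1$... values are placeholder type 5 hashes, not hashes of any real password.
SAMPLE_CONFIG = """\
hostname SW1
no service password-encryption
enable password Password123
enable secret 5 $1$abcd$0123456789abcdefghijkl
username admin privilege 15 secret 5 $1$efgh$zyxwvutsrqponmlkjihgfe
username tech privilege 2 password 7 094F471A1A0A
line con 0
 password 7 0822455D0A16
 login
line vty 0 15
 transport input all
 login local
"""

# "password X", "secret X", "password 7 X", "secret 5 X" ... at the end of a config line.
CRED_RE = re.compile(r"\b(password|secret)(?:\s+([0-9]))?\s+(\S+)\s*$")


def audit_config(config: str) -> list:
    """Return one finding per line that stores a credential weakly or leaves Telnet open."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "no service password-encryption":
            findings.append("service password-encryption is off: line passwords are type 0 (plaintext)")
            continue
        if line.startswith("transport input") and ("all" in line or "telnet" in line):
            findings.append(f"Telnet accepted on VTY lines ({line})")
            continue
        m = CRED_RE.search(line)
        if not m:
            continue
        keyword, ptype, value = m.group(1), m.group(2) or "0", m.group(3)
        if line.startswith("enable password"):
            findings.append("enable password is used; enable secret supersedes it")
        if ptype == "0":
            findings.append(f"type 0 (plaintext) {keyword}: {value}")
        elif ptype == "7":
            findings.append(f"type 7 (reversible) {keyword}: decodes to {decode_type7(value)}")
        elif ptype == "5":
            findings.append("type 5 (salted MD5) hash: one-way, but MD5 is deprecated; "
                            "prefer type 8 (PBKDF2-SHA256) or type 9 (scrypt)")
        # types 8 and 9 are the current recommendation and produce no finding
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against a real running-config (show running-config pasted into a file) and every type 7 string comes back as plaintext; that is the whole argument for enable secret, username ... secret and, where the IOS version allows it, the type 8/9 algorithms.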
Vigenère Vulnerabilities
• The cipher is old: the first description of it dates back to 1553
• Type 7 uses a well-known, fixed key
• Decryption is trivial with today's technology (free decoders abound, and the algorithm fits in a dozen lines of code)
• If configuration files are compromised (which means you already have serious issues), the console password can be exposed, and it may well be the same as the enable password or reused elsewhere

Password Configurations – Console
As discussed, the console password secures your physical connection (the console port).
The first command selects the first console port (most Cisco devices have only one console port, but in rare cases there may be more, e.g. supervisor modules):
line console 0
The second command sets a password. 'password' is followed by the password of our choosing, in this case Password123:
password Password123
Lastly, the 'login' command enables the login process. Without it the password is not checked and the user sees no login prompt:
login

Final notes on Console Configurations
• There are multiple methods of logging into Cisco equipment:
– Console (serial / rollover cable); some newer switches have a USB console interface, bypassing the legacy serial port (or USB adapter dongle and rollover cable)
– SSH and Telnet
• Each access path has its own line and its own authentication: the line console 0 password applies only to the console and does not apply to SSH and Telnet, which use the VTY lines
• Again, worth mentioning: passwords, even with service password-encryption, are still easily decryptable by anyone who has the running config or startup config

Enable-mode passwords
• Enable-mode passwords are simple to set
• There are two types: plaintext (optionally obfuscated with the type 7 Vigenère cipher), or, the preferred one, the MD5-hashed secret
enable password {password}
enable secret {password}
• If both are configured, the enable secret is the one checked and the enable password is ignored; there is no reason to keep an enable password at all

Part 3 SECURITY BASICS – REMOTE MANAGEMENT
Remote Management
It is rare for network administrators to configure a router or switch through the console.
This usually only happens during recovery or initial setup.
• There are two primary methods of remote management, both done using VTY lines
• VTY stands for "Virtual Terminal Lines", although historically it meant "virtual teletype"

Remote Management Methods
In this lecture we discuss three methods of remote management and authentication. Telnet and SSH are the 'means' of access; RADIUS is used for AAA/authentication.
• Telnet
• SSH
• RADIUS

Telnet
• Telnet is a very dated protocol that is supported on nearly every networking device, making it ubiquitous
• Unfortunately, Telnet lacks security. Everything transmitted over Telnet, including the login password and the enable secret you type, crosses the wire in plain text, regardless of how passwords are stored on the device
• Telnet has largely been deprecated in favour of SSH, which encrypts the whole session

SSH
• SSH is the Secure Shell, a protocol that has largely replaced Telnet
• While historically not as widespread as Telnet, it is now supported on nearly every device
• SSH, like Telnet, is not a proprietary protocol. It is supported on switches, routers, servers and many other non-networking devices
• SSH is secure and supports multiple authentication methods: public keys and username/password (either stored locally or checked through an authentication provider such as AAA/RADIUS)

Remote Authentication
Note: this is outside the scope of this course, but it is important to understand these concepts exist, as they may prove useful for your capstone course
• Administrators may not want to use locally stored credentials to authenticate
• AAA stands for Authentication, Authorization and Accounting: ensuring that access is granted only to authorized users, and keeping track of what they do
• RADIUS (Remote Authentication Dial-In User Service) is a protocol for authenticating users against a central user database
• LDAP is a directory query protocol that reads data from a directory, such as Active Directory

Remote Authentication – Continued
• Remote authentication allows you to use credentials stored in directories such as Active Directory
• Removes the need for password sharing
• Keeps a record of who accessed what and when
• Best-practice security in enterprise networks with multiple network admins
• You should always keep a backup 'break-glass' account (a local admin) in a safe place: break-glass accounts are emergency access accounts that allow access if the network authentication server is not reachable

Sample Configuration – Notes
• This assumes that you are connected to an interface with an IP address set
• For a switch, you need a VLAN interface with an address, e.g.
VLAN 1, with an IP address set on that VLAN interface:
interface vlan 1
ip address 192.168.1.2 255.255.255.0
interface fastethernet 0/1
switchport mode access
switchport access vlan 1
(VLAN 1 is used here for simplicity; in production the management interface should sit on a dedicated VLAN rather than the default one)
• Routers just need an interface IP address set, and you must be connected to that interface (VLAN and ACLs permitting)
• On most IOS versions the VTY lines accept Telnet by default; SSH must be enabled explicitly

Telnet Configuration – Example
line vty 0 15
This command selects virtual teletype lines 0 through 15 and enters configuration mode for that range
password [your_password]
This sets a password. Remember, passwords are plaintext without service password-encryption
motd-banner
This enables, on these lines, display of the MOTD that is globally configured with the banner motd #... command we discussed earlier (it is on by default)
login
Finally, the login command enables the login check on these lines

Telnet Connection (screenshot)

SSH Configuration – Example 1
hostname {custom_name}
This first step is important: you need a non-default hostname, so you cannot use "Switch" or "Router"; set it to something unique to you
ip domain-name {domain_name}
You need to specify a domain name for the RSA key generation to succeed; this is the DNS suffix of your internal network
crypto key generate rsa
This command generates an RSA key pair on the device from fresh random material. After issuing the command you are prompted for a key length in bits; pressing Enter takes the default shown in square brackets (512 on old releases, larger on newer ones). Do not accept 512: use 2048 or more, e.g. crypto key generate rsa modulus 2048, and then enable ip ssh version 2, since SSH version 1 is broken
username {ssh_user} secret {ssh_pass}
This adds a user, with a hashed (type 5) password, to the local authentication database

SSH Configuration 2
line vty 0 15
Select the lines you wish to configure
transport input ssh
Allow only SSH on these lines (Telnet connections are refused)
login local
Authenticate against the local database, the one we populate with the username {user} secret {password} command.
You can create multiple users or update passwords using the same command. If you wish to delete a user, simply use no username {user}

Console output – SSH 1 (screenshot)

SSH Notes
• Over SSH, the MOTD banner is shown only AFTER authentication; unlike Telnet, it will not appear at the start of the session
• transport input controls which protocols a VTY line accepts:
– transport input ssh allows SSH only (what you want)
– transport input telnet allows Telnet only
– transport input all (or transport input telnet ssh) allows both, which reopens the plaintext path you just closed

SSH Connection Privileges
From this point we will be discussing SSH concepts.
• The local user database allows assignment of privilege levels, basically a simple implementation of RBAC
• There are 16 levels, 0 through 15
• 0, 1 and 15 are predefined:
– 0: almost no access (only disable, enable, exit, help and logout)
– 1: user EXEC, the same as you get when you first connect to the device; enable is still available, but behind the enable password or secret
– 15: privileged EXEC, full admin access
• When you specify username {user} secret {password}, the user is created with privilege level 1
• Levels 2 to 14 are user-definable

Example – User with full access
• A user with full access lands directly in privileged EXEC mode (level 15)
• Does not need the enable secret
• Can access and run everything
username {admin} privilege 15 secret {password}

Example – Level 15 User (screenshot)
• Notice the > has changed to a #?
• We logged in as our "admin" user
• We did not need to enter an enable secret

Example – Custom Role User
• We can create custom 'roles'
• In this scenario we create privilege level 2, which can restart the switch and show the running config
The command to create levels follows a set structure:
privilege exec level {level} {allowed_command}

Example – Custom Role User 2
privilege exec level 2 reload
privilege exec level 2 show running-config
In the commands above we move the reload command down to privilege level 2, followed by the show running-config command.
username tech privilege 2 secret Password123
We then create a new user, "tech", assigned to level 2, which can perform those selected actions (plus everything at level 1). Bear in mind that show running-config hands this user every type 7 and plaintext password in the config.

Warning
• All Cisco commands have a privilege level. They are set with:
privilege {mode} level {level} {allowed_command}
where mode is the configuration mode the command belongs to (exec, configure, interface, etc.). Level and command have defaults. A level includes every command at the levels below it.
• Lowering a command to level 2 also makes it available to levels 3 to 14; you may need to move commands you do NOT want a given user to run up to a higher level
• Essentially, RBAC in Cisco switches and routers is a difficult concept to manage because of this granularity and these requirements

Housekeeping commands
You can change a user's privilege level with username {existing_username} privilege {new_level}
You can check the privilege level of the current user with show privilege

Part 4 SECURITY BASICS – PORT SECURITY
What is Port Security?
• Port security is a mechanism that lets you restrict access on switch ports based on criteria:
– number of connected devices
– restricting access to a specific device only
• Port security allows both static and dynamic configuration of learned devices
• Devices are identified by their MAC address (which is easily spoofed, so port security is a control against accidental or casual connections rather than a determined attacker)
• Applicable to switches only

Port Security Violations
• A violation happens when a condition set for port security is broken (e.g. a MAC address beyond the maximum appears on the port)
• Modes available for a violation are:
– Protect: silently drops frames from unknown MACs; the destination will not receive them, and nothing is logged
– Restrict: the above, but also generates a syslog message (sent to an external log server if configured) and increments the violation counter
– Shutdown: shuts the port down (puts it into the err-disabled state) and generates a syslog message
Dealing with violations
• Depending on the violation mode, you may not need immediate intervention (restrict and protect)
• Restrict and protect only drop frames from addresses beyond the limit; the port stays up, no reset is required, and existing clients are not affected (in restrict mode the syslog message and the counter tell you it happened)

Dealing with violations – 2
• Shutdown violations halt the port entirely and require a reset of the port
• This is done with shutdown followed by no shutdown on the specific interface (or automatically, if errdisable recovery cause psecure-violation is configured globally)

Finding Violations
• If syslog is configured, check the syslog server for notifications
• You can also use show port-security and show port-security interface {interface_name}

Port Details (screenshot)

Clearing the Port Security Counters
• The violation counter does not clear on its own; the practical way to reset it is to remove and re-enable port security on the interface (no switchport port-security followed by switchport port-security). Learned addresses can be cleared separately with clear port-security dynamic interface {interface_name}.

Enabling Port Security
There are a few steps you need to take in order to configure port security:
interface {interface_name}
This selects the interface, such as FastEthernet0/1
switchport mode {type}
Port security requires a statically configured port mode. You can enable it on trunk links as well, but the preferred and easiest configuration is on access ports (switchport mode access)
switchport port-security
This command enables port security on the interface

Configuring Port Security
If you recall from the screenshot a few slides ago, port security has a number of options that can be configured:
switchport port-security maximum {number}
Ports have a maximum number of allowed MAC addresses at any one time, usually just one (the default)
switchport port-security mac-address {mac_address}
You may wish to statically assign a MAC address to a port. The assigned MAC address counts against the maximum defined above. You can add multiple MAC addresses by repeating this command. MACs can be removed using the no prefix (you should be familiar with this by now).
MACs are written in the format AAAA.BBBB.CCCC (dotted groups of four hex digits, not the conventional colon-delimited form)

Configuring Port Security – 2
switchport port-security violation {violation_type}
This is where you define what a violation does. Remember, you have restrict, protect and shutdown (shutdown is the default)
switchport port-security aging time {minutes}
By default, if MAC addresses are not statically assigned, they are dynamically learned, up to the maximum. Any device beyond the maximum violates port security and is either blocked (restrict, protect) or shuts the port down immediately for all users (shutdown). If you wish to allow a 'rolling' count, add an aging time, which clears dynamically learned MAC addresses after X minutes (switchport port-security aging type inactivity ages only addresses that have gone quiet). By default aging is disabled and learned addresses are never discarded.

Configuring Port Security – 3
switchport port-security mac-address sticky
By default, dynamically learned addresses live only in memory and are lost when the switch reloads, even if you save the running config. Sticky learning writes the learned MAC addresses into the running config as if they were static entries; once you copy running-config startup-config they survive a reload. This essentially lets you build a persistent list of authorized clients, up to the maximum, from what the port actually sees, so make sure only the intended device is connected while the port is learning.

Configuring Port Security – 4
• Remember, as with all ports, you can issue commands against ranges:
interface range fastEthernet 0/1 - 13
• Also worth noting: shut down any unused port. This is a major easy win when it comes to security; a shut down port is a secure port
• This is easy to do (shutdown) and can be done on a range

Part 5 SECURITY BASICS – SYSLOG
What is syslog?
• It is a standardized system for event messaging
• It is a fairly simple protocol (in comparison to SNMP)
• Logs events (such as port-security violations, configuration changes, etc.)
• Configurable 'trap' levels 0 to 7: logging trap {level} sets the least severe level that is still sent to the server, so trap level 4 forwards severities 0 through 4

Trap Levels
Level  Keyword        Description                        Syslog definition
0      emergencies    System unusable                    LOG_EMERG
1      alerts         Immediate action needed            LOG_ALERT
2      critical       Critical conditions                LOG_CRIT
3      errors         Error conditions                   LOG_ERR
4      warnings       Warning conditions                 LOG_WARNING
5      notifications  Normal but significant condition   LOG_NOTICE
6      informational  Informational messages only        LOG_INFO
7      debugging      Debugging messages                 LOG_DEBUG
https://www.cisco.com/c/en/us/td/docs/routers/access/wireless/software/guide/SysMsgLogging.html

Syslog configuration steps – 1
First, we need a syslog server
• There are many servers on offer, some with extensive functionality
• Enterprise systems include SolarWinds
• Free option: https://www.solarwinds.com/free-tools/kiwi-free-syslog-server
• Setup is straightforward, but requires opening UDP port 514 (protocol-dependent: TCP 514, or TCP 6514 if secure syslog over TLS is used)

Setting up Syslog – 1
• We need to ensure the switch/router can reach the syslog server; this involves the network connectivity setup we have done before
• A good way to test is ping X.X.X.X to check that the server answers

Setting up Syslog – 2
The server is added with logging {syslog_server_ip}; to disable logging to it again, use the standard no prefix:
no logging {syslog_server_ip}
You may also wish to disable messages to the console (the interface you see when accessing the network device):
no logging console

Setting up Syslog – 3
Please install Kiwi Syslog on your laptop. You may need it for testing and for a future assignment. This software has also been uploaded to our Week 4 content. Please install it this week, so that you can get help if you need it! It is recommended that you try it as well!
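Added example for Parts 4 and 5 (not from the lecture and not from any syslog product): a Python parser for the messages an IOS device sends to a syslog server, built on the severity table above. The log lines are constructed for the demo but follow the real IOS format (optional <PRI> header, sequence number, timestamp, then %FACILITY-SEVERITY-MNEMONIC: text); the MAC address, port and IP addresses in them are made up. It shows what logging trap filtering keeps and pulls the offending MAC and port out of the port-security violation message, which is the first thing a responder needs.

```python
import re

# Cisco severity levels (the trap-level table from the lecture)
SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# Constructed sample, in IOS syslog format. Facility local7 (23) is the IOS
# default, so PRI = 23 * 8 + severity.
SAMPLE_LOG = """\
<186>151: *Mar  1 00:12:41.223: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/1.
<188>152: *Mar  1 00:12:41.231: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
<189>153: *Mar  1 00:13:02.004: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.50)
<187>154: *Mar  1 00:13:10.118: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
<190>155: *Mar  1 00:14:00.000: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.10 port 514 started - CLI initiated
"""

MSG_RE = re.compile(
    r"^(?:<(?P<pri>\d+)>)?"            # optional RFC 3164 priority
    r"(?:\d+: )?"                       # optional sequence number
    r"(?P<ts>[^%]*?)"                   # timestamp, if service timestamps is on
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)$")
VIOLATION_RE = re.compile(
    r"MAC address (?P<mac>(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4}) on port (?P<port>\S+?)\.?$")


def parse_line(line: str):
    """Parse one IOS syslog line into a dict, or return None if it is not one."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    sev = int(m["sev"])
    rec = {"facility": m["fac"], "severity": sev, "keyword": SEVERITY[sev],
           "mnemonic": m["mnem"], "text": m["text"]}
    if m["pri"] is not None:
        # PRI encodes facility and severity; the severity should agree with the message
        rec["syslog_facility"], rec["pri_severity"] = divmod(int(m["pri"]), 8)
    v = VIOLATION_RE.search(m["text"])
    if v:
        rec["mac"], rec["port"] = v["mac"], v["port"]
    return rec


def parse_log(text: str) -> list:
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def filter_by_trap(records: list, trap_level: int) -> list:
    """What `logging trap <level>` forwards: that severity and everything more severe."""
    return [r for r in records if r["severity"] <= trap_level]


def port_security_violations(records: list) -> list:
    """(port, offending MAC) for each PSECURE_VIOLATION message."""
    return [(r["port"], r["mac"]) for r in records if r["mnemonic"] == "PSECURE_VIOLATION"]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in filter_by_trap(recs, 4):
        print(f'{r["severity"]} {r["keyword"]:<14} {r["facility"]}-{r["mnemonic"]}: {r["text"]}')
    print("violations:", port_security_violations(recs))
```

With the trap level at 4 (warnings) the CONFIG_I notification and the informational message are dropped, which is exactly why a server that should audit configuration changes needs logging trap set to 5 or higher.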
SNMP
• We discussed SNMP before; while mostly outside the scope of this course, it is important that you understand what it is and what it can do
• You should also be able to compare and contrast it against syslog

What is SNMP
• Simple Network Management Protocol
• Allows for ACTIVE monitoring: devices can be polled for details, whereas syslog pushes notifications
• SNMP (unlike syslog) also allows configuration changes remotely, which lets you configure networking equipment using third-party tools; a writable community string or SNMPv3 user is therefore as sensitive as an admin password
• Allows for metric collection, which can show statistics such as utilization, bandwidth, etc.

Part 6 BACKUP AND RECOVERY – TFTP
Why backup?
• Cisco equipment typically stores its configuration in either internal flash memory or an external storage card; the card varies by model, but can be CF (CompactFlash), SD card, or in some cases a USB drive
• Both the IOS image (Internetwork Operating System, the OS) and the startup config are stored there
• You can back up the configuration and the IOS files to an external source, such as a TFTP server

TFTP
• TFTP, the Trivial File Transfer Protocol, is a simple and easy-to-use service
• It allows writing and reading files from a centralized location
• No authentication and no encryption: ANYONE who can reach the server can upload and download files, and a backed-up config contains every type 7 and plaintext password, so restrict access to this server using ACLs!
• Very old technology, from 1981, but it is on every Cisco IOS device
• Newer alternatives exist: FTP (File Transfer Protocol) and SCP (Secure Copy Protocol, based on SSH); most newer Cisco devices support them, and SCP is the one to prefer for backups

TFTP prerequisites
• You need UDP port 69 open
• You need a TFTP server installed (free): https://www.solarwinds.com/free-tools/free-tftp-server (also in our course shell)
• Connectivity from your device to the TFTP server

Using TFTP – Backup
Let's say we want to back up our configuration to a server at 192.168.0.10. Once the TFTP service is configured the process is simple:
copy startup-config tftp:
This command copies the startup-config (or a file that you designate) to the location tftp: (yes, the colon is important)
Address or name of remote host []? 192.168.0.10
This is a prompt: you are asked for the IP of the TFTP server. The square brackets contain a default value, or a previously used one
Destination filename [startup-config]? startup-config
The last prompt is the filename to save to. Square brackets contain the default. If the server already has a file of the same name, it is overwritten without prompting you.

Example (screenshot)

Using TFTP – Restore
Restoring is easy: it's basically the reverse! Once the TFTP service is configured the process is simple:
copy tftp: startup-config
This command copies the startup-config (or a file that you designate) FROM the location tftp: (yes, the colon is important)
Address or name of remote host []? 192.168.0.10
This is a prompt: you are asked for the IP of the TFTP server. The square brackets contain a default value, or a previously used one
Source filename [startup-config]? startup-config
This prompt is the filename to restore from. Square brackets contain the default. The file must be present on the server.
Destination filename [startup-config]? startup-config
The last prompt is the filename to save to on the device. Square brackets contain the default.
If the device already has a file of that name, it is overwritten without prompting you. Note the difference between destinations: copying to startup-config replaces the stored file outright, whereas copy tftp: running-config merges the file into the live configuration line by line rather than replacing it.

Setting up TFTP
Please install SolarWinds TFTP on your laptop. You may need it for testing and for a future assignment. This software has also been uploaded to our Week 4 content. Please install it this week, so that you can get help if you need it! It is recommended that you try it as well!

Example (screenshot)

Part 7 PRACTICAL WORK – UNGRADED LAB
Labs
We do not have assigned labs this week, but you should practise a number of concepts, including but not limited to:
• Configure connectivity using SSH rather than console/Telnet
• Implement a TFTP server and perform a backup and restore
• Implement syslog and configure trap logging
• Focus on the various other concepts discussed
• Everything we cover is subject to exams/practical evaluations

Next Week
• Disabling unused services
• ACLs
• NAT
• Assistance with setting up TFTP and syslog servers
IMPORTANT: You MUST have TFTP and Syslog installed before next week. Ensure you test them and that they are functional!

Q/A – End of Lecture
Any Questions?
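Added example for Part 6 (not from the lecture and not from any TFTP server product): a Python model of the RFC 1350 exchange behind copy startup-config tftp: and copy tftp: startup-config, with the server kept as an in-memory dictionary so it runs offline. The config bytes are constructed. Two things are worth noticing: the read/write request carries a filename and a transfer mode and nothing else (which is why the lecture insists on ACLs around the server), and the 512-byte blocking rule, where a short or empty final block is what ends a transfer.

```python
import struct
from typing import Optional

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK = 512
ERR_NOT_FOUND = 1


def build_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    """RRQ/WRQ: opcode, filename, mode. No username, no password, no session key."""
    return struct.pack("!H", opcode) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block: int, payload: bytes) -> bytes:
    return struct.pack("!HH", DATA, block) + payload


def build_ack(block: int) -> bytes:
    return struct.pack("!HH", ACK, block)


def build_error(code: int, message: str) -> bytes:
    return struct.pack("!HH", ERROR, code) + message.encode() + b"\0"


def parse(packet: bytes) -> dict:
    """Decode any of the five TFTP packet types."""
    (op,) = struct.unpack("!H", packet[:2])
    if op in (RRQ, WRQ):
        name, mode, _ = packet[2:].split(b"\0", 2)
        return {"op": op, "filename": name.decode(), "mode": mode.decode()}
    (n,) = struct.unpack("!H", packet[2:4])
    if op == DATA:
        return {"op": op, "block": n, "data": packet[4:]}
    if op == ACK:
        return {"op": op, "block": n}
    if op == ERROR:
        return {"op": op, "code": n, "message": packet[4:].rstrip(b"\0").decode()}
    raise ValueError(f"unknown opcode {op}")


def download(server_files: dict, filename: str, log: list) -> Optional[bytes]:
    """Client reads a file (copy tftp: ...). `log` records (side, packet) in order."""
    req = build_request(RRQ, filename)
    log.append(("client", parse(req)))
    data = server_files.get(parse(req)["filename"])   # server checks the name, nothing else
    if data is None:
        err = build_error(ERR_NOT_FOUND, "File not found")
        log.append(("server", parse(err)))
        return None
    received, block = b"", 1
    while True:
        chunk = data[(block - 1) * BLOCK: block * BLOCK]
        pkt = parse(build_data(block, chunk))
        log.append(("server", {"op": DATA, "block": block, "len": len(pkt["data"])}))
        received += pkt["data"]
        log.append(("client", parse(build_ack(pkt["block"]))))
        if len(chunk) < BLOCK:          # a short (possibly empty) block ends the transfer
            return received
        block += 1


def upload(server_files: dict, filename: str, data: bytes, log: list) -> int:
    """Client writes a file (copy ... tftp:); the server overwrites silently. Returns blocks sent."""
    req = build_request(WRQ, filename)
    log.append(("client", parse(req)))
    log.append(("server", parse(build_ack(0))))      # ACK 0 means "go ahead"
    stored, block = b"", 1
    while True:
        chunk = data[(block - 1) * BLOCK: block * BLOCK]
        pkt = parse(build_data(block, chunk))
        log.append(("client", {"op": DATA, "block": block, "len": len(chunk)}))
        stored += pkt["data"]
        log.append(("server", parse(build_ack(block))))
        if len(chunk) < BLOCK:
            server_files[parse(req)["filename"]] = stored
            return block
        block += 1


if __name__ == "__main__":
    # Constructed config, 1100 bytes, so it needs three DATA blocks (512, 512, 76)
    config = (b"hostname SW1\nenable secret 5 $1$abcd$placeholderhash\n" * 22)[:1100]
    server, log = {}, []
    upload(server, "startup-config", config, log)
    assert download(server, "startup-config", log) == config
    for side, pkt in log:
        print(f"{side:>6}: {pkt}")
```

The printed transcript is the whole protocol: a WRQ naming the file, ACK 0, three DATA/ACK pairs, then the RRQ and the same three blocks coming back. Anyone on the network who can send that RRQ gets the config, passwords included, which is the case for SCP (and for an ACL on the TFTP server in the meantime).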