AAA Authentication Login Methods

The table lists AAA authentication login methods. Uses the enable password for authentication. Uses Kerberos 5 telnet authentication protocol when using Telnet to connect to the router. Uses the line password for authentication. Uses the local username database for authentication. Uses case-sensitive local username authentication. Uses a cache server group for authentication. Uses the list of all RADIUS servers for authentication. Uses the list of all TACACS+ servers for authentication. Uses a...

Access Policy

The Cisco Secure ACS Access Policy feature affects access to the Cisco Secure ACS HTML interface. You can limit access by IP address and by the TCP port range used for administrative sessions. You can also enable Secure Sockets Layer (SSL) for access to the HTML interface. The IP address options include the following: Allow All IP Addresses to Connect; Allow Only Listed IP Addresses to Connect; Reject Connections from Listed IP Addresses. Note: The IP addresses entered to define a range must differ...

Accounting

Provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes. Accounting provides the ability to collect and send security server information to be used for billing, auditing, and reporting purposes. Accounting collects information such as user identities, start...

Additional Features in Cisco Secure ACS 4.0 for Windows

Cisco Secure ACS 4.0 for Windows provides the following additional features: Cisco NAC support. Cisco Secure ACS 4.0 for Windows acts as a policy decision point in NAC deployments. Using configurable policies, it evaluates and validates the credentials received from the Cisco Trust Agent (posture), determines the state of the host, and sends a per-user authorization to the NAD: ACLs, a policy-based ACL, or a private VLAN assignment. Evaluation of the host credentials can enforce many specific...

Adjusting the Switch-to-Client Retransmission Time

When the switch does not receive an EAP Response Identity from the client, it waits a specific amount of time and then resends the request. The default time is 30 seconds. Use the dot1x timeout tx-period command to adjust the retransmission time: switch(config)# dot1x timeout tx-period seconds. Note: You should change the default value of this command only to adjust for unusual circumstances, such as unreliable links or specific behavioral problems with certain clients and authentication servers.

Adjusting Timers for DHCP

The following example shows how to enable a VLAN as an IEEE 802.1x guest VLAN when an IEEE 802.1x port is connected to a DHCP client. You will set 3 as the quiet time on the switch, and set 15 as the number of seconds that the switch waits for a response to an EAP Request Identity frame from the client before resending the request.
Switch(config-if)# dot1x timeout quiet-period 3
Switch(config-if)# dot1x timeout tx-period 15
Switch(config-if)# dot1x guest-vlan 20

Administration Control

The Administration Control section is where you configure all aspects of Cisco Secure ACS for administrative access. Here you have the ability to add administrators and configure access policy. Information, such as which IP addresses are allowed or not allowed to access Cisco Secure ACS, and HTTP port allocation, can be configured here. Remember that Cisco Secure ACS uses port 2002 as the listening port, but after a connection is made to that port, you are redirected to a random port number....

Administrator Interface

Screenshot: administrator privilege options (Add/Edit users in these groups; Setup of these groups). If you plan to administer the Cisco Secure ACS from the network, you will have to create and enable an administrator first. An administrative account is not created by default. To create an administrative account, follow these steps: Step 1 Click Administration Control. Step 17 Click Add Administrator. Step 18 Complete...

Advanced Filtering

Advanced filtering is based on a Boolean AND expression of RADIUS attributes. Advanced filtering is used to create rules based on specific RADIUS attributes and values (including Cisco attribute-value pairs). Multiple-rule elements are allowed, which are treated as a Boolean AND expression. The operators contains, start with, and regular expression apply only to string-type attribute values. The rule elements table is used to dictate the rule elements that make up a rule based on a RADIUS...

Applying a CoPP Service Policy to the Host Subinterface

This task allows you to apply a CoPP service policy to the control plane host subinterface. Note: Before you attach an existing QoS policy to the control plane, you must first create the policy by using MQC to define a class map and policy map for control plane traffic. Perform these steps to apply a CoPP service policy to a control plane interface: Step 1 Attach a policy map to a control plane for aggregate control plane services. router(config-cp)# service-policy {input | output} policy-map-name...

Applying a Port Filter Service Policy to the Host Subinterface

You are now ready to apply the port-filter policy to the host subinterface. Follow these steps: Step 1 Attach a QoS policy that manages traffic to the control plane host subinterface, and enter the control plane configuration mode. router(config)# control-plane host. Syntax description: Enters the control plane host subinterface configuration mode. Note: Port-filter can only be applied to the host subinterface.

Applying a Queue Threshold Policy to the Host Subinterface

Before you can attach a queue-threshold service policy to the control plane host subinterface, you must first create the policy that defines a class map and policy map for the required control plane traffic. Follow these steps to apply queue-threshold service policies to the control plane host subinterface: Step 1 Enter global configuration mode. Step 2 Attach a queue-threshold policy to the host subinterface and enter control plane configuration mode. Note: Queue thresholding can only be applied...

Applying a Service Policy to an Interface

Router(config)# interface FastEthernet 0/1
Router(config-if)# service-policy type access-control input fpm-policy
After the traffic policy is created, you have to apply the policy to an interface. Complete these steps to apply the traffic policy to an interface: Step 1 Enter interface configuration mode. router(config)# interface FastEthernet 0/1. Step 2 Specify the type and the name of the traffic policy to be attached to the input or router(config-if)...

Attacks

Attacks are generally broken into types: DoS attacks: DoS attacks cause an interruption of access to a system or the network, usually by overloading network resources or infrastructure devices. DDoS attacks: DDoS attacks also cause an interruption of access to a system or the network by overloading network resources or infrastructure devices, but this time, the attack is executed from several different networks working in conjunction with each other. Reconnaissance attacks: These types of attacks...

Attacks and Vulnerabilities

This topic describes some of the network attacks and the vulnerabilities that are being exploited. Because of either software- or network-related vulnerabilities, the network is exposed to several types of attacks. For an attack to take place, there must be some weakness to exploit. Here are some of these: Missing network security policies: No written policies. Usually results in little to no security...

Authentication

Provides the method of identifying users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol you select, encryption. Authentication is used to identify users before they gain access to the network and network services. This can include a login and password dialog, challenge and response, messaging support, and, depending on the security protocol that you select,...

Authentication, Authorization, and Accounting

AAA is a compilation of network security services that provides the framework through which you set up NAC. AAA provides a modular way of performing authentication, authorization, and accounting services. These services will be discussed further. AAA uses protocols such as RADIUS, TACACS+, or Kerberos for its security functions. From the view of a network access server (NAS), AAA is the means through which the NAS establishes communication between...

Authentication Rules

From here, you can do the following: Specify authentication protocols: Password Authentication Protocol (PAP); Challenge Handshake Authentication Protocol (CHAP); Microsoft CHAP version 1 (MS-CHAPv1); Microsoft CHAP version 2 (MS-CHAPv2); EAP-FAST (using Protected Access Credentials, PACs); EAP-MD5 (MD5 CHAP over EAP); EAP-generic token card (EAP-GTC) (one-time password, OTP, tokens). For NAC, you can do the following: EAP-Type, Length, Value (TLV) (posture credentials, attribute-value pairs, posture...

Authorization

Provides the method for remote access control, including one-time authorization or authorization for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet. To set parameters that restrict user access to a network, use the aaa authorization command. Authorization provides the method for remote access control, including one-time authorization or authorization for each service,...

Authorization Rules

Screenshot: Authorization Rules page listing the groups Users (2 users), Contractors (2 users), and Guest (2 users), each with condition Any, and the option Include RADIUS attributes from user's group.

Before You Begin

To set up authorization rules for a profile, it is assumed that some other elements of Cisco Secure ACS have been set up, including the following: RADIUS authorization components (RACs)...

Benefits

Extends protection against DoS attacks at infrastructure routers by providing a mechanism for finer policing granularity for control plane traffic that allows you to rate-limit each type individually. Provides a mechanism for early dropping of packets that are directed to closed or nonlistened Cisco IOS TCP or UDP ports. Provides the ability to limit protocol queue usage such that no single protocol flood can overwhelm the input interface. Provides QoS control for packets that are destined to the...

Cisco ACS Features

A centralized identity networking solution. Manage and administer user access for many Cisco and other devices. Cisco Secure ACS for Windows provides a centralized identity networking solution and simplified user management experience across all Cisco devices and security management applications. Cisco Secure ACS helps to ensure enforcement of assigned policies by allowing network administrators to control who can log into the network,...

Cisco IBNS Port Based Access Control

Diagram: Authentication Server (Cisco Secure ACS RADIUS); the switch checks with the policy database; the policy database informs the switch, confirms the identity, and grants access. In compliance with the IEEE 802.1x standard, Cisco Catalyst switches can perform basic port-based authentication and Network Access Control (NAC). Once the IEEE 802.1x-compliant client software is configured on the end device (client), the Cisco Catalyst...

Cisco IOS Debug

Cisco IOS Software includes several debugging commands that can be used to provide detailed information about the processing of AAA requests by the AAA client. For general information about AAA processing, including which protocol is being used, use one of these commands. For details about TACACS or RADIUS in particular, use one of these commands.

Cisco Secure ACS

Cisco Secure ACS functions as the AAA server from the perspective of the NAD. You must configure the device, which functions as a AAA client from the Cisco Secure ACS perspective, to direct all end-user host access requests to Cisco Secure ACS, via the TACACS+ or RADIUS protocols. Basically, the NAD serves as the network gatekeeper and sends an access request to Cisco Secure ACS on behalf of the user. Cisco...

Cisco Secure ACS for Windows Server Internal Architecture

Provides Cisco Secure ACS to multiple Cisco authenticating devices. Comprises several modular Windows services, operating together on one server. Diagram: authentication service, authorization service. When you install Cisco Secure ACS, the installation adds several Microsoft Windows services. The services provide the core of Cisco Secure ACS...

Cisco Secure ACS Troubleshooting

Failed Authentications Report; Passed Authentications Report; Cisco Secure ACS command-line utility. Basically, there are three tools to help with troubleshooting a Cisco Secure ACS environment. These tools can be used to help determine where the problem exists, including a third-party database back-end authentication problem.

Common Cisco IOS AAA Accounting Configuration

Use the aaa accounting command to enable accounting and to create named method lists that define specific accounting methods on a per-line or per-interface basis. dev(config)# aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group group-name. auth-proxy: Provides information about all authenticated-proxy user events. system: Performs accounting for all system-level events not...

Common Cisco IOS AAA Authentication Configuration

To enable AAA authentication and create a local authentication list, use the aaa authentication login command. dev(config)# aaa authentication login {default | list-name} [password-expiry] method1 [method2...]. default: Uses the listed authentication methods that follow this keyword as the default list of methods when a user logs in. list-name: Character string used to name the list of authentication methods activated when a user logs in. password-expiry: Enables password aging on a local authentication list. method1 [method2...]: Identifies the list of methods...

Common Cisco IOS AAA Configuration

Use the aaa new-model command to enable AAA: router(config)# aaa new-model. To disable AAA, use this command: router(config)# no aaa new-model. To configure security on a Cisco router or access server using AAA, follow these steps: Step 1 Enable AAA by using the aaa new-model global configuration command. Step 2 If you decide to use a separate security server, configure security protocol parameters, such as RADIUS, TACACS+, or Kerberos. Step 3 Define the method lists for authentication by using an...

Common Configurations in Cisco Secure ACS

Several Cisco Secure ACS elements must be configured first to configure a NAP and its policies. Authentication using TACACS+ or RADIUS <vendor>. In Advanced Options, allow the following: per-user TACACS+ or RADIUS attributes; group-level shared network access restrictions; group-level downloadable ACLs. Group NADs into locations or by other criteria. RADIUS authorization components. Create ACLs to manage...

Compatibility with Other Features

The table includes other switch features that are compatible with port security configured on a port. Dynamic Trunking Protocol (DTP) port (1). Footnotes: 1. A port configured with the switchport mode dynamic interface configuration command. 2. A VLAN Query Protocol (VQP) port configured with the switchport access vlan dynamic interface configuration command. 3. You must set the maximum allowed secure addresses on the port to two plus the maximum number of secure addresses allowed on the access VLAN.

Concepts of Cisco IBNS in Action

Cisco IBNS is an integrated solution combining several Cisco products that offer authentication, access control, and user policies to secure network connectivity and resources. The Cisco IBNS solution enables greater security while simultaneously offering cost-effective management of changes throughout the organization. Cisco IBNS provides the network with the following services and capabilities: User or device authentication, or both. Mapping the...

Configuration Guidelines

Only on static access ports; not on trunk or dynamic access ports. Voice VLAN: assigned dynamic secure addresses. On a port with a voice VLAN, set maximum MAC addresses to two plus the maximum number of MAC addresses. Dynamic port security is enabled on the voice VLAN when security is enabled on the access VLAN. Not configurable on a per-VLAN basis. No aging of sticky addresses. No simultaneous enabling of protect and restrict options. Here are some guidelines to use...

Configure Interface and Enable 802.1x

switchport mode access / no switchport: Configure port as an access port. Enable IEEE 802.1x authentication on the port. (Optional) Allow multiple clients on an IEEE 802.1x-authorized port. Configure the interface using the following commands. IEEE 802.1x can only be configured on static Layer 2 access ports. dot1x port-control {force-authorized | force-unauthorized | auto}: This command enables IEEE 802.1x authentication on the port. The default...

Configure RADIUS Communications

radius-server host {hostname | ip-address}: Specify the IP address of the RADIUS server. switch(config)# radius-server key string: Specify the authentication and encryption key. radius-server vsa send [accounting | authentication]: (Optional) Enable the switch to recognize and use VSAs. Configure RADIUS communications using the following commands. radius-server host {hostname | ip-address} [auth-port port] [acct-port port]: This command specifies the IP...

Configuring 802.1x in Cisco IOS

Configure RADIUS communications. Configure interface and enable 802.1x. The basic configuration of the Cisco Catalyst switch or Cisco Aironet wireless LAN access point remains constant within any IEEE 802.1x deployment regardless of the EAP method chosen for authentication. The EAP method is agreed upon by the client and authentication server, and the authenticator simply proxies the information...

Configuring a Guest VLAN on a Port

When you configure a guest VLAN, clients that are not IEEE 802.1x-capable are put into the guest VLAN when the server does not receive a response to its EAPOL Request Identity frame. Clients that are IEEE 802.1x-capable but fail authentication are not granted access to the network. The switch supports guest VLANs in single-host or multiple-hosts mode. Perform these tasks to configure a guest VLAN on a switch port Step 1 Enable AAA. Step 2 Enable 802.1x guest VLAN behavior globally. Step 3...

Configuring a Queue Threshold Policy

Define queue-threshold packet classification criteria. Define a queue-threshold service policy. Apply the queue-threshold policy to the host subinterface. You can define a queue-threshold service policy when you want to limit the number of unprocessed packets that a protocol can have at the process level. A new queue-threshold policy feature is included with CPPr that can be applied to the control plane host subinterface. This feature...

Configuring a Restricted VLAN

IEEE 802.1x-compliant clients are moved into the restricted VLAN when the authentication server does not receive a valid username and password from the client. Restricted VLANs are supported only in single-host mode. Perform these tasks to configure a restricted VLAN on a switch port Step 2 Configure the switch port as access. Step 3 Configure dot1x port control as auto. Step 4 Specify an active VLAN as a restricted VLAN. You can configure the maximum number of authentication attempts allowed...

Configuring AAA Services to work with a AAA Server

Router(config)# aaa authentication login default group tacacs+ enable
Router(config)# aaa authorization network default group tacacs+ enable
Router(config)# aaa accounting network myacct start-stop group radius
Router(config)# tacacs-server host 10.0.1.12
Router(config)# tacacs-server host 10.0.1.14
Router(config)# tacacs-server key cisco123
OR
Router(config)# tacacs-server host 10.0.1.12 key cisco123
Several steps are required to configure AAA services to work with external AAA servers using TACACS...

Configuring CPPr

(Optional) Configure port-filter policy. (Optional) Configure queue-threshold policy. The CLI for control plane has been extended to allow for CoPP policies to be applied to individual control plane subinterfaces. The command syntax for creating CoPP service policies remains the same. In addition, the MQC class map and policy map CLI was modified to allow for additional types. The port-filter and queue-threshold policy features...

Configuring FPM

Define a protocol stack and specify exact parameters to match, using class map type stack and access-control. Apply the service policy to an interface. FPM allows customers to create their own filtering policies that can immediately detect and block new viruses and attacks. The process for configuring FPM consists of four steps. Step 1 Load a PHDF from flash memory. Once the appropriate PHDFs are loaded, a class-map command with type...

Configuring Guest and Restricted VLANs

(Optional) Specify an active VLAN as an IEEE 802.1x guest VLAN. switch(config-if)# dot1x auth-fail vlan vlan-id: (Optional) Specify an active VLAN as an IEEE 802.1x restricted VLAN. This command specifies an active VLAN as an IEEE 802.1x guest VLAN. The range is 1 to 4094. You can configure any active VLAN, except an RSPAN VLAN or a voice VLAN, as an IEEE 802.1x guest VLAN. dot1x auth-fail vlan vlan-id: This command specifies an active...

Configuring MPP

When the last configured interface is deleted, the MPP feature turns itself off. Follow these steps to configure a network device: Step 1 Enter control plane host configuration mode. Applies policies to host control plane traffic. Step 2 Configure an interface to be a management interface and specify which management protocols are allowed. router(config-cp-host)# management-interface interface allow protocols. Name of the interface...

Configuring NAPs

1. Identify network services and locations to control: wireless, VPN, dial-in, internal, headquarters, remote locations. 2. Configure NADs as AAA clients: enable authentication by RADIUS or TACACS+. 3. Define shared profile components. 4. Create a profile for each service or location. 5. Define policies for each profile. 6. Create a default policy when profile is not matched. There are several steps required to configure NAPs. One of the...

Configuring Port Filter Policies

Define port-filter packet classification criteria. Define a port-filter service policy. Apply the port-filter service policy to the host subinterface. Apply the port-filter policy feature to the control plane host subinterface to block traffic destined to closed or nonlistened TCP and UDP ports. New class map and service policy types have been created to accommodate the port-filter configuration. However, classification and match...

Configuring Port Security Aging

switchport port-security aging {static | time time | type {absolute | inactivity}}: Enable or disable static aging for the secure port, or set the aging time or type. You can use port security aging to set the aging time for static and dynamic secure addresses on a port. Here are the two types of aging supported per port: Absolute: The secure addresses on the port are deleted after the specified aging time. Inactivity: The secure addresses on the...

Configuring Port Security (Cont.)

switchport port-security violation {protect | restrict | shutdown}: Set the violation mode (optional). switchport port-security mac-address mac-address: Enter a static secure MAC address for the interface (optional). switchport port-security mac-address sticky: Enable sticky learning on the interface (optional). Step 5 (Optional) Set the violation mode. This is the action to be taken when a security violation is detected: switch(config-if)#...

Configuring VLAN Assignment

Perform these tasks to configure VLAN assignment: 3. Assign vendor-specific tunnel attributes in the RADIUS (Cisco Secure ACS) server. The RADIUS server must return these attributes to the switch: [65] Tunnel-Medium-Type = IEEE 802; [81] Tunnel-Private-Group-ID = VLAN name or VLAN ID. Note: Attribute 64 must contain the value VLAN (type 13). Attribute 65 must contain the value IEEE 802 (type 6). Attribute 81 specifies the VLAN name or VLAN ID assigned to the IEEE 802.1x-authenticated user.

Control Plane Architecture with CPPr

Diagram: control plane, Cisco Express Forwarding subinterface, Cisco Express Forwarding input feature. This diagram depicts the flow of control traffic through the control plane architecture with the CPPr feature enabled.

Course Flow

Lab 2-1 Configure Cisco Secure ACS as a AAA Server; Lab 4-1 Configure a Site-to-Site VPN Using Pre-Shared Keys; Lab 4-5 Configure a Cisco IOS SSL VPN (WebVPN); Lab 5-3 Configure a Cisco IOS Zone-Based Policy Firewall; Lab 5-4 Configure a Cisco IOS Firewall Authentication Proxy on a Cisco Router; Lab 2-2 Configure 802.1x Port-Based Authentication; Lab 4-2 Configure a Site-to-Site VPN Using Certificates; Lab 4-3 Configure a GRE Tunnel to a Remote Site; Lab 4-6 Configure Cisco Easy VPN Remote Access; Lab...

Course Goal

To secure a network using existing Cisco IOS security features, including the Cisco IOS classic firewall, Cisco IOS IPS, and Cisco IOS authentication proxy; to implement secure tunnels using IPsec technology; and to implement switch trust and identity using 802.1x and Cisco Secure Access Control Server (ACS). Upon completing this course, you will be able to meet these objectives: Implement Layer 2 security features. Implement the Cisco Trust and Identity Management model to control network access...

Course Introduction

Securing Networks with Cisco Routers and Switches (SNRS) v2.0 is a five-day, instructor-led, lab-intensive course that is delivered by Cisco Learning Partners. It is aimed at providing network specialists with the knowledge and skills needed to secure Cisco IOS router and switch networks. Successful graduates will be able to secure the network environment using existing Cisco IOS security features. This includes the ability to configure some of the primary components of the Cisco IOS Firewall...

Creating a Traffic Class

In creating a traffic class, you will create stateless packet classification criteria that, when used in conjunction with an appropriately defined policy, can mitigate network attacks. Once the appropriate PHDFs are loaded, a stack of protocol headers must be defined so that FPM knows which headers are present and in which order. Once the stack of protocols is defined, a class map of type access-control is defined for classifying packets. Step 2 Define the sequence of headers as IP first, then...

Creating an Installation

This topic describes how to perform a Cisco Secure ACS installation using setup.exe on the Cisco Secure ACS CD-ROM. Accept software license agreement; enter database encryption password; finish, start services, and administrator session. Complete the following steps to install Cisco Secure ACS for the first time. Step 1 Log onto the computer using a local administrator account. Step 5 Click setup.exe, located in the root directory of the CD-ROM. Step 6...

Data Plane Attacks

CPU utilization for five seconds: 99%/85%; one minute: 99%; five minutes: 78%. Attacks against networking environments are increasing in frequency and sophistication. Attacks that affect the data forwarding plane include some well-known attacks with very specific signatures (fields within the IP packet that contain certain specific values). Here are some of these attacks. All of these attacks are known to overload the CPU of any router or switch in its path. To counter these attacks, features are needed...

Default Settings

Table columns: maximum MAC addresses; violation mode; sticky address learning; port security aging (disabled; aging time is 0; when enabled, the default type is absolute). The default port security interface configuration settings are as follows: Port security is disabled. Maximum MAC addresses setting is 1. Violation mode is shutdown. Sticky address learning is disabled. Port security aging is disabled. Aging time is 0 and the default type is absolute.

Defining a Port Filter Service Policy

You can define a port-filter service policy that provides additional CPPr. Defining this policy supports early dropping of packets that are directed toward closed or nonlistened TCP/UDP ports on the router. Complete these steps to configure a port-filter service policy. The port-filter traffic class is associated with the service policy when the class command is used. The class command must be issued after entering policy map configuration mode. After entering the class command, you are...

Defining a Queue Threshold Service Policy

Use the new policy-map type queue-threshold global configuration command to configure a queue-threshold service policy. Use this command to specify the queue-threshold service policy name, and use other configuration commands to associate a queue-threshold traffic class that was configured with the class-map type queue-threshold command, with the queue-threshold queue-limit action command. The class command must be issued after entering policy map configuration mode. After entering the class...

Defining Packet Classification Criteria for CoPP

You must first create the policy using MQC to define a class map and policy map for control plane traffic. Follow these steps to define a class map: Step 1 Define an access list of trusted hosts using specific protocols to access the router.
router(config)# ip access-list extended access-group-name
router(config-ext-nacl)# deny tcp host trusted-host any eq protocol
router(config-ext-nacl)# permit tcp any any...

Deployment

FPM may be deployed anywhere that the ability to perform classification upon unique bit or byte patterns within IP packets can provide an effective attack mitigation strategy. FPM is not intended to replace an effective IDS/IPS deployment strategy. However, under circumstances where a unique packet classification scheme can be developed, and an intrusion prevention system (IPS) signature is not available (or an IPS is not deployed) and ACLs or firewalls (or both) cannot provide the appropriate...

DHCP Snooping

DHCP snooping allows the configuration of ports as trusted or untrusted. Untrusted ports cannot process DHCP replies. Configure DHCP snooping on uplinks to a DHCP server. Do not configure DHCP snooping on client ports. DHCP snooping is a DHCP security feature that provides network security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding database, which is also referred to as a DHCP snooping binding table. DHCP snooping is a Cisco Catalyst switch...

EAP Methods

This section describes various EAP methods. IEEE 802.1x supports several different EAP methods for providing identity-based NAC. This section covers these four types of EAP methods. The next sections examine each method further.

EAP-FAST

Figure: EAP-FAST TLS exchange. Client: TLS Client Hello (Client_random, PAC-Opaque). Server: TLS Server Hello (Server_random), Change_Cipher_Spec, TLS Finished. Client: TLS Change_Cipher_Spec, TLS Finished.

This diagram illustrates the EAP-FAST message exchange between the supplicant, authenticator, and authentication server using EAP-GTC as the inner method. First, a client running the IEEE 802.1x supplicant...

EAP-MD5

EAP-MD5 is a standard, nonproprietary EAP type. It is based on RFC 1994 (CHAP) and RFC 2284 (EAP). An MD5-Challenge within an EAP message is analogous to the PPP CHAP protocol, with MD5 specified as the hash algorithm. Because MD5 support is included in RFC 3748, all EAP deployments should support the MD5-Challenge mechanism. The diagram illustrates the EAP-MD5 message exchange between the supplicant, authenticator, and authentication server. First, a...

EAP-TLS

Figure: EAP-TLS message exchange (EAP Response Identity; EAP Request TLS start; EAP Response TLS Client Hello; TLS Server Hello, Server Cert, Server Key Exchange, Cert Request, Server Hello Done; TLS Client Cert, Client Key Exchange, Cert Verify, Change Cipher Spec, TLS Finished; EAP Request TLS Change_Cipher_Spec, TLS Finished).

EAP-TLS was developed by Microsoft Corporation to enable the use of EAP as an extension of PPP to provide...

Enable 802.1x Globally

Figure: Enable IEEE 802.1x authentication globally on the switch; (Optional) enable the optional guest VLAN behavior globally on the switch.

Enable 802.1x globally on the switch using the following commands. This command globally enables IEEE 802.1x authentication on the switch. (Optional) dot1x guest-vlan supplicant: Before Cisco IOS Release 12.1(22)EA2, the switch did not maintain the EAPOL packet history and allowed clients that failed...

Example of Accounting

aaa authentication login admin local
aaa authentication ppp dialins group radius local
aaa authorization network myauth group radius local
aaa accounting network myacct start-stop group radius
username myuser password secure_password
radius-server host 10.0.1.12 key radiuskey
interface group-async 1
 group-range 1 16
 encapsulation ppp
 ppp authentication chap dialins
 ppp authorization scoobee
 ppp accounting myacct

In this example, the...

Example of Authentication

username myuser password secure_password
aaa authentication ppp default group radius group tacacs+ local

This example shows a security solution where some interfaces will use the same authentication methods to authenticate PPP connections but the vty will use a named method list. For PPP connections, the RADIUS servers are contacted first for authentication information; then, if there is no response, the TACACS+ group is contacted. If all designated servers fail to...

Example of Authorization

aaa authentication login admin local
aaa authentication ppp dialins group radius local
aaa authorization network myauth group radius local
username myuser password secure_password
radius-server host 10.0.1.12 key radiuskey
interface group-async 1
 group-range 1 16
 encapsulation ppp
 ppp authentication chap dialins
 ppp authorization myauth
line 1 16
 autoselect ppp
 autoselect during-login
 login authentication admin
 modem dialin

This example...

Example of CoPP

router(config)# ip access-list extended CP-acl
router(config-ext-nacl)# deny tcp host 10.10.10.2 any eq telnet
router(config-ext-nacl)# deny tcp host 10.10.10.2 any eq www
router(config-ext-nacl)# permit tcp any any eq telnet
router(config-ext-nacl)# permit tcp any any eq www
router(config-ext-nacl)# exit
router(config)# class-map match-any CP-class
router(config-cmap)# match access-group name CP-acl
router(config-cmap)# exit
router(config)# policy-map CP-policy
router(config-pmap)# class CP-class...

Example of Port Filtering

router(config)# class-map type port-filter match-all PF
router(config-cmap)# match closed-ports
router(config)# policy-map type port-filter PF-policy
router(config-cp-host)# service-policy type port-filter

This example shows how to configure a port-filter policy to drop all traffic destined to closed or nonlistened TCP or UDP ports. Note that the PF-class class map matches all closed ports. In addition, the PF-policy policy map points to the class map and defines the action. The control plane host...

Examples

DHCP snooping is configured on the following. This example displays DHCP snooping configuration information on the switch. The next example shows the output of the show ip dhcp binding command.

Examples (Cont.)

Table: show ip dhcp binding output (columns: Client-ID/Hardware address, Lease expiration, User name; sample row: 0063.6973.636f.2d64. ..., Mar 29 2003 04:36 AM).

This example displays the DHCP bindings by IP address and subnet. The example shows the DHCP binding address parameters, including an IP address, an associated MAC address, a lease expiration date, and the type of address assignment that has occurred. The table describes the...

External User Databases

The External User Databases section consists of three subsections. In addition to configuring the parameters to communicate with the external databases, you can configure how Cisco Secure ACS handles requests from users that are not in the local Cisco Secure ACS database (Unknown User Policy), and a mapping from the external database group to the local Cisco Secure ACS database group. In this section, you configure an unknown user policy. You also configure database group mappings to external...

Guidelines

The next figures will cover the commands required to complete these steps. But first, these are some configuration guidelines. When IEEE 802.1x authentication is enabled, ports are authenticated before any other Layer 2 features are enabled. The IEEE 802.1x protocol is supported on Layer 2 static access ports and voice VLAN ports, but it is not supported on the following port types:
- Switched Port Analyzer (SPAN) and RSPAN destination ports
- Cisco Long-Reach Ethernet (LRE) switch ports
Remove the...

Hardware and Software Requirements

Hardware:
- Pentium 4 processor, 1.8 GHz or faster
- At least 1 GB of free disk space
- Minimum graphics resolution of 256 colors at 800x600 pixels
- 100Base-T or faster connection
Software:
- Microsoft Windows 2000 Server, with SP4 installed
- Windows 2000 Advanced Server, with the following conditions
  - Without Microsoft Windows 2000 Cluster Service installed
  - Without other features specific to Microsoft Windows 2000 Advanced Server enabled
- Microsoft Windows Server 2003 Enterprise Edition
- Microsoft Windows Server...

How 802.1x Works

Figure: Cisco Catalyst 2950 Series Switch (NAD) and Authentication Server (Cisco Secure ACS).

The actual authentication conversation occurs between the client and the authentication server using EAP. The authenticator is aware of this activity, but it is just an intermediary. The switch or the client can initiate authentication. If you enable authentication on a port by using the dot1x...

How 802.1x Works (Cont.)

Figure: Authentication Server (Cisco Secure ACS); EAP Request Identity; EAP Response Identity; EAP-method-dependent authentication exchange with the AAA server.

You control the port authorization state by using the dot1x port-control interface configuration command and these keywords. force-authorized: This keyword disables 802.1x and causes the port to transition to the authorized state without any authentication exchange required. The port...

Identity Based Networking Services

Figure: Cisco IBNS benefits: intelligent adaptability offering greater flexibility and mobility for users; combines authentication, access control, and user policies to secure network connectivity and resources; user productivity gains and reduced operating costs; strengthens security for network connectivity, services, and applications.

The Cisco IBNS solution provides the following benefits: Intelligent adaptability for offering greater flexibility and mobility to...

IEEE 802.1x

- Standard set by the IEEE 802.1 working group
- A framework designed to address and provide port-based access control using authentication
- Primarily an encapsulation definition for EAP over IEEE 802 media (EAPOL is the key protocol.)
- Layer 2 protocol for transporting authentication messages (EAP) between supplicant (user PC) and authenticator (switch or access point)
- Assumes a secure connection
- Actual enforcement is via MAC-based filtering and port-state monitoring...

IEEE 802.1x Host Mode

IEEE 802.1x ports can be configured for single-host or multiple-host mode. In single-host mode, only one client can be connected to the IEEE 802.1x-enabled switch port. The switch detects the client by sending an EAPOL frame when the port link state changes to the up state. If a client leaves or is replaced with another client, the switch changes the port link state to down, and the port returns to the unauthorized state. In multiple-host mode, multiple hosts may be attached to a single IEEE 802.1x-enabled port. Only one of the attached...

Cisco Career Certifications

You are encouraged to join the Cisco Certification Community, a discussion forum open to anyone holding a valid Cisco Career Certification (such as Cisco CCIE, CCNA, CCDA, CCNP, CCDP, CCIP, CCVP, or CCSP). It provides a gathering place for Cisco certified professionals to share questions, suggestions, and information about Cisco Career Certification programs and other certification-related topics. For more information, visit www.cisco.com/go/certifications.

Module Objectives

Upon completing this module, you will be able to implement Layer 2 security features using Cisco IOS commands. This ability includes being able to meet these objectives:
- Describe the network of Company ABC and examine the vulnerabilities and attacks that the company network experiences
- Describe the types of Layer 2 attacks and the strategies to mitigate them
- Implement port security on a Cisco Catalyst switch
- Implement DHCP snooping on a Cisco Catalyst switch

If

You can use the port security feature to restrict input to an interface by limiting and identifying the MAC addresses of the stations allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses. Port security allows you to specify MAC addresses for each port or to permit a limited number of MAC addresses. When a secure...

Interface Configuration

In the Interface Configuration section, you will find a selection from the following subconfiguration links, depending on whether you have chosen TACACS+ or a form of RADIUS when you entered your AAA client: TACACS+ (Cisco IOS Software). Caution: If you do not see RADIUS options here, you need to add an AAA client that uses the RADIUS protocol. Interface Configuration is directly affected by the settings in Network Configuration. The User Data Configuration link enables you to customize the fields...

Layout

The web interface has three vertical frames. Navigation bar: The navigation bar is the gray frame on the left side of the browser window that contains the task buttons. Each button changes the configuration area to a unique section of the Cisco Secure ACS application, such as the User Setup section or the Interface Configuration section. This frame does not change; it always contains the following buttons:
- User Setup: Add and edit user profiles
- Group Setup: Configure network services and protocols...

Learner Skills and Knowledge

- Certification as a Cisco CCNA or the equivalent knowledge (optional)
- Basic knowledge of the Microsoft Windows OS
- Familiarity with networking and security terms and concepts (The concepts are learned in prerequisite training or by reading industry publications.)
- Completion of Interconnecting Cisco Network Devices (ICND) course
- Completion of Securing Cisco Network Devices (SND) course

MAC Spoofing Man-in-the-Middle Attacks

MAC spoofing attacks involve the use of a known MAC address of another host to attempt to make the target switch forward frames destined for the remote host to the network attacker. By sending a single frame with the source Ethernet address of the other host, the network attacker overwrites the CAM table entry so that the switch forwards packets destined for the host to the network attacker. Until the host sends traffic, it will not receive any traffic....

Method Lists

A method list is a sequential list that defines the authentication methods used to authenticate a user. Method lists enable you to designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails. Cisco IOS Software uses the first method listed to authenticate users; if that method does not respond, Cisco IOS Software selects the next authentication method in the method list. This process continues until...

Method Lists and Server Groups

A server group is a way to group existing RADIUS or TACACS+ server hosts for use in method lists. Using server groups, you can specify a subset of the configured server hosts and use them for a particular service. For example, server groups allow you to define Radius_1 and Radius_2 as a server group, and define TACACS+_1 and TACACS+_2 as a separate server group. For example, you can specify Radius_1 and TACACS+_1 in the method list for authentication login, while specifying Radius_2 and...

Mitigating DHCP Attacks

Here are two ways to mitigate DHCP spoofing and starvation attacks. In this lesson, the following two ways to mitigate DHCP spoofing and starvation attacks are discussed. Port security: The techniques that mitigate CAM table flooding also mitigate DHCP starvation by limiting the number of MAC addresses on a switch port. You would use the port-security command to set the MAC address of a valid DHCP server on a switch port to prevent any...

Mitigating Spanning Tree Manipulation

switch(config)# spanning-tree portfast bpduguard default
  Globally enable BPDU guard on all ports
switch(config-if)# spanning-tree guard root
  Enable root guard on an interface

To mitigate STP manipulation, use the root guard and the bpdu-guard enhancement commands to enforce the placement of the root bridge in the network and enforce the STP domain borders. The root guard feature is designed to provide a way to enforce the root-bridge placement in the...

Mitigating VLAN Hopping

switch(config-if)# switchport mode access
  Configure port as an access port

You can mitigate VLAN hopping attacks by putting all user ports into access mode using the switchport mode access command. Several other modifications to the VLAN configuration are also recommended. One of the more important elements is to use dedicated VLAN IDs as the active (allowed) VLANs for all trunk ports. Also, disable all unused switch ports and place...

Module Summary

Company ABC is unsecured and vulnerable to attack. There are many types of Layer 2 attacks, including MAC spoofing, rogue DHCP servers, and VLAN hopping. Port security is used to mitigate several Layer 2 attacks. DHCP snooping is also used to mitigate certain Layer 2 attacks. In this module, you were introduced to an unsecured network belonging to Company ABC. Layer 2 attacks were examined and various types of mitigation strategies...

Network Access Profiles

A NAP is a means to classify access requests, according to the IP addresses of AAA clients, membership in an NDG, protocol types, or other specific RADIUS attribute values sent by the network device through which the user connects. The use of NAPs allows the administrator to configure different authentication mechanisms and authorizations depending on the characteristics of the access request, resulting in increased flexibility. The Network Access Profile section is used to create profiles, and...

Network Configuration

This button is where an administrator can add, delete, or modify settings for AAA clients (NADs). The layout of this page changes depending on the settings for interface configuration. If you are using NDGs, after you click Network Configuration in the navigation bar, only the Network Device Groups table and Proxy Distribution Table information appears. If you are not using NDGs, the AAA Clients table and the AAA Servers table appear in place of the Network Device Groups table.

Objectives

Upon completing this lesson, you will be able to describe the network of Company ABC and examine various vulnerabilities and attacks that the company network experiences. This ability includes being able to meet these objectives:
- Describe the network of Company ABC
- Describe some of the network attacks and the vulnerabilities that are being exploited
- Examine the attacks to which the network is exposed

This topic describes the network of Company ABC...