AAA Authentication Login Methods

The table lists the AAA authentication login methods:
- Uses the enable password for authentication.
- Uses the Kerberos 5 Telnet authentication protocol when using Telnet to connect to the router.
- Uses the line password for authentication.
- Uses the local username database for authentication.
- Uses case-sensitive local username authentication.
- Uses a cache server group for authentication.
- Uses the list of all RADIUS servers for authentication.
- Uses the list of all TACACS+ servers for authentication.
- Uses a...

Additional Features in Cisco Secure ACS 4.0 for Windows

Cisco Secure ACS 4.0 for Windows provides the following additional features. Cisco NAC support: Cisco Secure ACS 4.0 for Windows acts as a policy decision point in NAC deployments. Using configurable policies, it evaluates and validates the credentials received from the Cisco Trust Agent (posture), determines the state of the host, and sends a per-user authorization to the NAD (ACLs, a policy-based ACL, or a private VLAN assignment). Evaluation of the host credentials can enforce many specific...

Adjusting the Switch-to-Client Retransmission Time

When the switch does not receive an EAP-Response/Identity frame from the client, it waits a specific amount of time and then resends the request. The default time is 30 seconds. Use the dot1x timeout tx-period command to adjust the retransmission time.

switch(config)# dot1x timeout tx-period seconds

Note: You should change the default value of this command only to adjust for unusual circumstances, such as unreliable links or specific behavioral problems with certain clients and authentication servers.

Adjusting Timers for DHCP

The following example shows how to enable a VLAN as an IEEE 802.1x guest VLAN when an IEEE 802.1x port is connected to a DHCP client. It sets the quiet time on the switch to 3, and sets 15 as the number of seconds that the switch waits for a response to an EAP-Request/Identity frame from the client before resending the request.

Switch(config-if)# dot1x timeout quiet-period 3
Switch(config-if)# dot1x timeout tx-period 15
Switch(config-if)# dot1x guest-vlan 20

2007 Cisco Systems, Inc. Trust and...

Applying a CoPP Service Policy to the Host Subinterface

This task applies a CoPP service policy to the control plane host subinterface.

Note: Before you attach an existing QoS policy to the control plane, you must first create the policy by using MQC to define a class map and policy map for control plane traffic.

Perform these steps to apply a CoPP service policy to a control plane interface:

Step 1 Attach a policy map to a control plane for aggregate control plane services.

router(config-cp)# service-policy {input | output} policy-map-name...

Applying a Port Filter Service Policy to the Host Subinterface

You are now ready to apply the port-filter policy to the host subinterface. Follow these steps:

Step 1 Attach a QoS policy that manages traffic to the control plane host subinterface, and enter control plane configuration mode.

router(config)# control-plane host

Syntax Description: Enters control plane host subinterface configuration mode.

Note: Port-filter can only be applied to the host subinterface.

3-28 Securing Networks with Cisco Routers and Switches (SNRS) v2.0 2007 Cisco Systems,...

Applying a Queue Threshold Policy to the Host Subinterface

Before you can attach a queue-threshold service policy to the control plane host subinterface, you must first create the policy that defines a class map and policy map for the required control plane traffic. Follow these steps to apply queue-threshold service policies to the control plane host subinterface:

Step 1 Enter global configuration mode.

Step 2 Attach a queue-threshold policy to the host subinterface and enter control plane configuration mode.

Note: Queue thresholding can only be applied...

Applying a Service Policy to an Interface

Router(config)# interface FastEthernet 0/1
Router(config-if)# service-policy type access-control input fpm-policy

After the traffic policy is created, you must apply it to an interface. Complete these steps to apply the traffic policy to an interface:

Step 1 Enter interface configuration mode.

router(config)# interface FastEthernet 0/1

Step 2 Specify the type and the name of the traffic policy to be attached to the input or router(config-if)...

Attacks and Vulnerabilities

This topic describes some of the network attacks and the vulnerabilities that are being exploited. Because of either software- or network-related vulnerabilities, the network is exposed to several types of attacks. For an attack to take place, there must be some weakness to exploit. Here are some of these: Missing network security policies: No written policies usually results in little to no security...

Before You Begin

To set up authorization rules for a profile, it is assumed that some other elements of Cisco Secure ACS have already been set up, including the following: RADIUS authorization components (RACs)

Cisco ACS Features

- A centralized identity networking solution
- Manage and administer user access for many Cisco and other devices

Cisco Secure ACS for Windows provides a centralized identity networking solution and simplified user management experience across all Cisco devices and security management applications. Cisco Secure ACS helps to ensure enforcement of assigned policies by allowing network administrators to control who can log into the network,...

Cisco IBNS Port Based Access Control

[Diagram: Authentication Server (Cisco Secure ACS RADIUS); check with policy database; policy database informs switch; policy database confirms ID and grants access]

In compliance with the IEEE 802.1x standard, Cisco Catalyst switches can perform basic port-based authentication and Network Access Control (NAC). Once the IEEE 802.1x-compliant client software is configured on the end device (client), the Cisco Catalyst...

Cisco Secure ACS

[Diagram legend: PSTN = public switched telephone network]

Cisco Secure ACS functions as the AAA server from the perspective of the NAD. You must configure the device, which functions as a AAA client from the Cisco Secure ACS perspective, to direct all end-user host access requests to Cisco Secure ACS via the TACACS+ or RADIUS protocols. Basically, the NAD serves as the network gatekeeper and sends an access request to Cisco Secure ACS on behalf of the user. Cisco...

Cisco Secure ACS for Windows Server Internal Architecture

- Provides Cisco Secure ACS to multiple Cisco authenticating devices
- Comprises several modular Windows services, operating together on one server

[Diagram: Authentication service; Authorization service]

When you install Cisco Secure ACS, the installation adds several Microsoft Windows services. The services provide the core of Cisco Secure ACS...

Common Cisco IOS AAA Accounting Configuration

Use the aaa accounting command to enable accounting and to create named method lists that define specific accounting methods on a per-line or per-interface basis.

dev(config)# aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group group-name

- auth-proxy: Provides information about all authenticated-proxy user events.
- system: Performs accounting for all system-level events not...

Common Cisco IOS AAA Authentication Configuration

To enable AAA authentication and create a local authentication list, use the aaa authentication login command.

dev(config)# aaa authentication login {default | list-name} [password-expiry] method1 [method2...]

- default: Uses the listed authentication methods that follow this keyword as the default list of methods when a user logs in.
- list-name: Character string used to name the list of authentication methods activated when a user logs in.
- password-expiry: Enables password aging on a local authentication list.
- method1 [method2...]: Identifies the list of methods...

Common Cisco IOS AAA Configuration

Use the aaa new-model command to enable AAA.

router(config)# aaa new-model

To disable AAA, use this command:

router(config)# no aaa new-model

To configure security on a Cisco router or access server using AAA, follow these steps:

Step 1 Enable AAA by using the aaa new-model global configuration command.

Step 2 If you decide to use a separate security server, configure security protocol parameters, such as RADIUS, TACACS+, or Kerberos.

Step 3 Define the method lists for authentication by using an...

Common Configurations in Cisco Secure ACS

Several Cisco Secure ACS elements must be configured before you can configure a NAP and its policies:
- Authentication using TACACS+ or RADIUS (<vendor>)
- In Advanced Options, allow the following: per-user TACACS+ or RADIUS attributes; group-level shared network access restrictions; group-level downloadable ACLs
- Group NADs into locations or by other criteria
- RADIUS authorization components: Create ACLs to manage...

Compatibility with Other Features

The table includes other switch features that are compatible with port security configured on a port.

Dynamic Trunking Protocol (DTP) port (1)

1. A port configured with the switchport mode dynamic interface configuration command.
2. A VLAN Query Protocol (VQP) port configured with the switchport access vlan dynamic interface configuration command.
3. You must set the maximum allowed secure addresses on the port to two plus the maximum number of secure addresses allowed on the access VLAN. ...

Concepts of Cisco IBNS in Action

Cisco IBNS is an integrated solution combining several Cisco products that offer authentication, access control, and user policies to secure network connectivity and resources. The Cisco IBNS solution enables greater security while simultaneously offering cost-effective management of changes throughout the organization. Cisco IBNS provides the network with the following services and capabilities: User or device authentication, or both; Mapping the...

Configuration Guidelines

- Not active until enabled on a VLAN
- Configure DHCP server and relay agent first
- Configure DHCP addresses and options first
- DHCP option 82 not supported if relay agent is enabled but snooping is disabled

Here are some guidelines to use when configuring DHCP snooping: You must globally enable DHCP snooping on the switch. DHCP snooping is not active until DHCP snooping is enabled on a VLAN. Before globally enabling DHCP snooping on the...

Configure Interface and Enable 802.1x

- switchport mode access / no switchport: Configure the port as an access port
- Enable IEEE 802.1x authentication on the port
- (Optional) Allow multiple clients on an IEEE 802.1x-authorized port

Configure the interface using the following commands. IEEE 802.1x can only be configured on static Layer 2 access ports.

dot1x port-control {force-authorized | force-unauthorized | auto}

This command enables IEEE 802.1x authentication on the port. The default...

Configuring 802.1x in Cisco IOS

- Configure RADIUS communications.
- Configure interface and enable 802.1x.

The basic configuration of the Cisco Catalyst switch or Cisco Aironet wireless LAN access point remains constant within any IEEE 802.1x deployment regardless of the EAP method chosen for authentication. The EAP method is agreed upon by the client and authentication server, and the authenticator simply proxies the information...

Configuring AAA Services to work with a AAA Server

Router(config)# aaa authentication login default group tacacs+ enable
Router(config)# aaa authorization network default group tacacs+ enable
Router(config)# aaa accounting network myacct start-stop group radius
Router(config)# tacacs-server host 10.0.1.12
Router(config)# tacacs-server host 10.0.1.14
Router(config)# tacacs-server key cisco123
OR
Router(config)# tacacs-server host 10.0.1.12 key cisco123

Several steps are required to configure AAA services to work with external AAA servers using TACACS...

Configuring CPPr

- (Optional) Configure port-filter policy.
- (Optional) Configure queue-threshold policy.

The CLI for the control plane has been extended to allow CoPP policies to be applied to individual control plane subinterfaces. The command syntax for creating CoPP service policies remains the same. In addition, the MQC class map and policy map CLI was modified to allow for additional types. The port-filter and queue-threshold policy features...

Configuring FPM

- Define a protocol stack and specify exact parameters to match
- Using class map type stack and access-control
- Apply the service policy to an interface

FPM allows customers to create their own filtering policies that can immediately detect and block new viruses and attacks. The process for configuring FPM consists of four steps.

Step 1 Load a PHDF from flash memory. Once the appropriate PHDFs are loaded, a class-map command with type...

Configuring Guest and Restricted VLANs

(Optional) Specify an active VLAN as an IEEE 802.1x guest VLAN

switch(config-if)# dot1x auth-fail vlan vlan-id

(Optional) Specify an active VLAN as an IEEE 802.1x restricted VLAN

This command specifies an active VLAN as an IEEE 802.1x guest VLAN. The range is 1 to 4094. You can configure any active VLAN, except an RSPAN VLAN or a voice VLAN, as an IEEE 802.1x guest VLAN.

dot1x auth-fail vlan vlan-id

This command specifies an active...

Configuring MPP

When the last configured interface is deleted, the MPP feature turns itself off. Follow these steps to configure a network device:

Step 1 Enter control plane host configuration mode. Applies policies to host control plane traffic.

Step 2 Configure an interface to be a management interface and specify which management protocols are allowed.

router(config-cp-host)# management-interface interface allow protocols

Name of the interface...

Control Plane Architecture with CPPr

[Diagram: Control Plane; Cisco Express Forwarding subinterface; Cisco Express Forwarding input feature]

This diagram depicts the flow of control traffic through the control plane architecture with the CPPr feature enabled.

Course Goal

To secure a network using existing Cisco IOS security features, including the Cisco IOS classic firewall, Cisco IOS IPS, and Cisco IOS authentication proxy; to implement secure tunnels using IPsec technology; and to implement switch trust and identity using 802.1x and Cisco Secure Access Control Server (ACS). Upon completing this course, you will be able to meet these objectives: Implement Layer 2 security features; Implement the Cisco Trust and Identity Management model to control network access...

Course Introduction

Securing Networks with Cisco Routers and Switches (SNRS) v2.0 is a five-day, instructor-led, lab-intensive course that is delivered by Cisco Learning Partners. It is aimed at providing network specialists with the knowledge and skills needed to secure Cisco IOS router and switch networks. Successful graduates will be able to secure the network environment using existing Cisco IOS security features. This includes the ability to configure some of the primary components of the Cisco IOS Firewall...

Creating a Traffic Class

In creating a traffic class, you will create stateless packet classification criteria that, when used in conjunction with an appropriately defined policy, can mitigate network attacks. Once the appropriate PHDFs are loaded, a stack of protocol headers must be defined so that FPM knows which headers are present and in which order. Once the stack of protocols is defined, a class map of type access-control is defined for classifying packets. Step 2 Define the sequence of headers as IP first, then...

Creating an Installation

This topic describes how to perform a Cisco Secure ACS installation using setup.exe on the Cisco Secure ACS CD-ROM.
- Accept software license agreement
- Enter database encryption password
- Finish, start services, and administrator session

Complete the following steps to install Cisco Secure ACS for the first time.

Step 1 Log on to the computer using a local administrator account.
Step 5 Click setup.exe, located in the root directory of the CD-ROM.
Step 6...

Data Plane Attacks

CPU utilization for five seconds: 99%/85%; one minute: 99%; five minutes: 78%

Attacks against networking environments are increasing in frequency and sophistication. Attacks that affect the data forwarding plane include some well-known attacks with very specific signatures (fields within the IP packet that contain certain specific values). Here are some of these attacks: All of these attacks are known to overload the CPU of any router or switch in its path. To counter these attacks, features are needed...

Defining Packet Classification Criteria for CoPP

You must first create the policy using MQC to define a class map and policy map for control plane traffic. Follow these steps to define a class map:

Step 1 Define an access list of trusted hosts using specific protocols to access the router.

router(config)# ip access-list extended access-group-name
router(config-ext-nacl)# deny tcp host trusted-host any eq protocol
router(config-ext-nacl)# permit tcp any any...

DHCP Snooping

- DHCP snooping allows the configuration of ports as trusted or untrusted.
- Untrusted ports cannot process DHCP replies.
- Configure DHCP snooping on uplinks to a DHCP server.
- Do not configure DHCP snooping on client ports.

DHCP snooping is a DHCP security feature that provides network security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding database, which is also referred to as a DHCP snooping binding table. DHCP snooping is a Cisco Catalyst switch...

EAP-MD5

EAP-MD5 is a standard, nonproprietary EAP type. It is based on RFC 1994 (CHAP) and RFC 2284 (EAP). An MD5-Challenge within an EAP message is analogous to the PPP CHAP protocol, with MD5 specified as the hash algorithm. Because MD5 support is included in RFC 3748, all EAP deployments should support the MD5-Challenge mechanism. The diagram illustrates the EAP-MD5 message exchange between the supplicant, authenticator, and authentication server. First, a...

Enable 802.1x Globally

- Enable IEEE 802.1x authentication globally on the switch
- (Optional) Enable the optional guest VLAN behavior globally on the switch

Enable 802.1x globally on the switch using the following commands. This command globally enables IEEE 802.1x authentication on the switch.

(Optional) dot1x guest-vlan supplicant

Before Cisco IOS Release 12.1(22)EA2, the switch did not maintain the EAPOL packet history and allowed clients that failed...

Example of Authentication

username myuser password secure_password
aaa authentication ppp default group radius group tacacs+ local

This example shows a security solution where some interfaces will use the same authentication methods to authenticate PPP connections but the vty will use a named method list. For PPP connections, the RADIUS servers are contacted first for authentication information; if there is no response, the TACACS+ group is contacted. If all designated servers fail to...

Example of Authorization

aaa authentication login admin local
aaa authentication ppp dialins group radius local
aaa authorization network myauth group radius local
username myuser password secure_password
radius-server host 10.0.1.12 key radiuskey
interface group-async 1
 group-range 1 16
 encapsulation ppp
 ppp authentication chap dialins
 ppp authorization myauth
line 1 16
 autoselect ppp
 autoselect during-login
 login authentication admin
 modem dialin

This example...

Example of CoPP

Router(config)# ip access-list extended CP-acl
Router(config-ext-nacl)# deny tcp host 10.10.10.2 any eq telnet
Router(config-ext-nacl)# deny tcp host 10.10.10.2 any eq www
Router(config-ext-nacl)# permit tcp any any eq telnet
Router(config-ext-nacl)# permit tcp any any eq www
Router(config-ext-nacl)# exit
Router(config)# class-map match-any CP-class
Router(config-cmap)# match access-group name CP-acl
Router(config-cmap)# exit
Router(config)# policy-map CP-policy
Router(config-pmap)# class CP-class...

Example of Port Filtering

Router(config)# class-map type port-filter match-all PF
Router(config-cmap)# match closed-ports
Router(config)# policy-map type port-filter PF-policy
Router(config-cp-host)# service-policy type port-filter

This example shows how to configure a port-filter policy to drop all traffic destined to closed or nonlistened TCP or UDP ports. Note that the PF-class class map matches all closed ports. In addition, the PF-policy policy map points to the class map and defines the action. The control plane host...

Examples (Cont.)

[Output excerpt: columns Client-ID / Hardware address / User name, Lease expiration; sample row: 0063.6973.636f.2d64. Mar 29 2003 04:36 AM]

This example displays the DHCP bindings by IP address and subnet. The example shows the DHCP binding address parameters, including an IP address, an associated MAC address, a lease expiration date, and the type of address assignment that has occurred. The table describes the...

Hardware and Software Requirements

- Pentium 4 processor, 1.8 GHz or faster
- At least 1 GB of free disk space
- Minimum graphics resolution of 256 colors at 800x600 pixels
- 100Base-T or faster connection

Software:
- Microsoft Windows 2000 Server, with SP4 installed
- Windows 2000 Advanced Server, with the following conditions:
  - Without Microsoft Windows 2000 Cluster Service installed
  - Without other features specific to Microsoft Windows 2000 Advanced Server enabled
- Microsoft Windows Server 2003 Enterprise Edition
- Microsoft Windows Server...

How 802.1x Works

[Diagram: Cisco Catalyst 2950 Series Switch (NAD); Authentication Server (Cisco Secure ACS)]

The actual authentication conversation occurs between the client and the authentication server using EAP. The authenticator is aware of this activity, but it is just an intermediary. The switch or the client can initiate authentication. If you enable authentication on a port by using the dot1x...

Identity Based Networking Services

- Intelligent adaptability offering greater flexibility and mobility for users
- Combines authentication, access control, and user policies to secure network connectivity and resources
- User productivity gains and reduced operating costs
- Strengthens security for network connectivity, services, and applications

The Cisco IBNS solution provides the following benefits: Intelligent adaptability for offering greater flexibility and mobility to...

Cisco Career Certifications

You are encouraged to join the Cisco Certification Community, a discussion forum open to anyone holding a valid Cisco Career Certification (such as Cisco CCIE, CCNA, CCDA, CCNP, CCDP, CCIP, CCVP, or CCSP). It provides a gathering place for Cisco certified professionals to share questions, suggestions, and information about Cisco Career Certification programs and other certification-related topics. For more information, visit www.cisco.com/go/certifications. ...

MAC Spoofing Man-in-the-Middle Attacks

MAC spoofing attacks involve the use of a known MAC address of another host to attempt to make the target switch forward frames destined for the remote host to the network attacker. By sending a single frame with the source Ethernet address of the other host, the network attacker overwrites the CAM table entry so that the switch forwards packets destined for the host to the network attacker. Until the host sends traffic, it will not receive any traffic....

Method Lists and Server Groups

A server group is a way to group existing RADIUS or TACACS+ server hosts for use in method lists. Using server groups, you can specify a subset of the configured server hosts and use them for a particular service. For example, server groups allow you to define Radius_1 and Radius_2 as one server group, and TACACS+_1 and TACACS+_2 as a separate server group. You can then specify Radius_1 and TACACS+_1 in the method list for authentication login, while specifying Radius_2 and...

Mitigating DHCP Attacks

In this lesson, the following two ways to mitigate DHCP spoofing and starvation attacks are discussed. Port security: The techniques that mitigate CAM table flooding also mitigate DHCP starvation by limiting the number of MAC addresses on a switch port. You would use the port-security command to set the MAC address of a valid DHCP server on a switch port to prevent any...

Mitigating Spanning Tree Manipulation

switch(config)# spanning-tree portfast bpduguard default
Globally enable BPDU guard on all ports

switch(config-if)# spanning-tree guard root
Enable root guard on an interface

To mitigate STP manipulation, use the root guard and the bpdu-guard enhancement commands to enforce the placement of the root bridge in the network and enforce the STP domain borders. The root guard feature is designed to provide a way to enforce the root-bridge placement in the...

Network Access Profiles

[Diagram: Authentication, Posture Validation, Authorization (one chain per profile)]

Cisco Secure ACS 4.0 for Windows introduces the concept of NAPs. NAPs provide the ability to process network access requests differently depending on the characteristics of the request. Most organizations have various kinds of users who access the network in different ways and for different purposes. Correspondingly, you must apply different security...

Port Filtering

This feature enhances control plane protection by providing for early dropping of packets directed toward closed or nonlistened Cisco IOS TCP and UDP ports on the router.

Note: The port-filter policy feature can be applied only to the control plane host subinterface.

The port filter maintains a global database of all open TCP and UDP ports on the router, including random ephemeral ports created by applications. The port database is dynamically populated with entries provided by the registered...

Ports in Authorized and Unauthorized States

The switch port state determines whether the client is granted access to the network. The port starts in the unauthorized state. While in this state, the port disallows all ingress and egress traffic except for 802.1x packets. When a client is successfully authenticated, the port transitions to the authorized state, allowing all traffic for the client to flow normally. If a client that does not support 802.1x is connected to an unauthorized 802.1x port, the switch requests the identity of the...

Protocol Header Definition File

Protocol headers are defined in separate files called PHDFs. You define the packet filters using the field names that are defined within the PHDFs. A PHDF is a file that allows the user to leverage the flexibility of XML to describe almost any protocol header. The important components of the PHDF are the version, the XML file schema location, and the protocol field definitions. The protocol field definitions name the appropriate field in the protocol header, allow for a comment describing the...

Protocols of the Management Plane

The management plane performs management functions for a network and coordinates functions among all the planes (management, control, and data) in a network device. The management plane is also the logical path of all traffic related to the management of a routing platform and is used to manage a device through its network connection. Examples of protocols processed in the management plane are as follows: Simple Network Management...

PVLAN Proxy Attack

Even though PVLANs are a common mechanism to restrict communications between systems on the same logical IP subnet, they are not always 100 percent secure. PVLANs work by limiting the ports within a VLAN that can communicate with other ports in the same VLAN. Isolated ports within a VLAN can communicate only with promiscuous ports. Community ports can communicate only with other members of the same community and promiscuous ports. Promiscuous ports...

Queue Thresholding

The queue-thresholding feature provides the ability to limit the number of unprocessed packets that a protocol can have at the process level.

Note: The queue-thresholding feature can only be applied to the control plane host subinterface.

This feature is designed to prevent the input queue from being overwhelmed by any single protocol's traffic. Per-protocol thresholding follows a protocol charge model. The queue usage of each protocol is limited such that no single misbehaving protocol process...

Reports and Activity

The Reports and Activity section provides a wealth of tools for both troubleshooting and monitoring the network.

Caution: Logging consumes resources, and the log files should be checked periodically for content and size.

The available logs that Cisco Secure ACS keeps are as follows:
- TACACS+ Accounting: The information that is included in these reports is configurable by the administrator in the System Configuration section under Logging.
- TACACS+ Administration: These reports include all of the...

Returning to Default Configuration

Use the no switchport port-security interface configuration command to return the interface to the default condition of not being a secure port. The sticky secure addresses remain part of the running configuration. Use the no switchport port-security maximum value interface configuration command to return the interface to the default number of secure MAC addresses. Use the no switchport port-security violation {protect | restrict} interface configuration command to return the violation mode to the...

Secure Network Foundation

[Diagram: Data Plane Protection (data forwarding protection); Control Plane Protection (lock down services and routing protocols); Management Plane Protection (management)]

The network environment of today is complex, while networking devices offer a feature-rich set of services to cater to different business needs. Because connecting to the Internet is imperative, network devices and infrastructure are exposed to many risks and threats. To meet the business needs of IP services such as network availability and...

Securing the Management Plane

Router(config-cp-host)# management-interface FastEthernet 0/0 allow ssh snmp

By default, the MPP feature is disabled. When you enable the feature, you must follow these steps:

Step 1 Enter control plane host configuration mode.

Step 2 Designate one or more interfaces as management interfaces.

Step 3 Configure the management protocols that will be allowed on the management

The configuration in this example shows MPP configured to allow SSH and SNMP to access the...

Security Violations

A security violation occurs in these situations: the maximum number of secure MAC addresses has been added to the MAC address table, and a station whose MAC address is not in the MAC address table attempts to access the interface; or an address learned or configured on one secure interface is seen on another secure interface in the same VLAN.

Protect: When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a...

Shared Profile Components

This button allows an administrator to specify shell command authorization sets. By creating these command authorization sets, an administrator can control the commands that a user can execute on a device by applying the command authorization set to the user profile in the TACACS+ settings or at the group level. This is where you also configure downloadable ACLs and RADIUS Authorization Components. For these options to be visible, you must choose them in the Interface...

Show flashphdf Command

    36356096 bytes available (27656192 bytes used)

The show flash command shows a listing of the user-defined PHDFs stored locally on the router.

    Class Map type stack match-all ip-udp (id 4)
      Description: match UDP over IP packets
      Match field IP protocol eq 0x11 next UDP
    router# show class-map type access-control
    Class Map type...

Show policymap Command Cont

    Router# show policy-map type access-control interface FastEthernet0/1
    FastEthernet0/1
      Service-policy access-control input: fpm-policy
        Class-map: ip-udp (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps
          Match field IP version eq 4
          Match field IP ihl eq 5
          Match field IP protocol eq 0x11 next UDP
          Service-policy access-control: fpm-udp-policy
            Class-map: slammer (match-all)
              0 packets, 0 bytes
              5 minute offered rate 0 bps, drop rate 0 bps
              Match field UDP dest-port eq 0x59A
              Match field IP length...

Show protocols phdf Command

    Router# show protocols phdf ip
    Protocol ID: 1
    Protocol name: IP
    Description: Definition-for-the-IP-protocol
    Field id: 2, tos, IP-Type-of-Service
    Field id: 3, length, IP-Total-Length
    Field id: 4, identification, IP-Identification
      Fixed offset. offset 32

These are examples of the show protocols command. The show protocols phdf loaded-protocol command shows runtime classification information for the loaded FPM classes and policies.

Spanning Tree Manipulation

The diagram illustrates how a network attacker can use STP to change the topology of a network so that it appears that the network attacker host is a root bridge with a higher priority. One attack against switches involves intercepting traffic by attacking the STP. This protocol is used in switched networks to prevent the creation of bridging loops in an Ethernet network topology. Upon bootup, the switches begin a process of determining a loop-free topology. The switches identify one switch as...

Tacacs Overview

Slide: Supports AAA; encrypts entire body; LAN and WAN security; PPP, ARA, and NASI; router command authorization; blocks specific ports.

TACACS+ is a security application that provides centralized validation of users attempting to gain access to a router or NAS. TACACS+ services are maintained in a database on a TACACS+ daemon running, typically, on a UNIX or Microsoft Windows NT...

Tools Used to Secure the Management Plane

Slide: Cisco MPP feature for Cisco IOS Release 12.4(6)T; Cisco IOS Software login enhancement.

A network administrator needs more than one tool to help secure the network infrastructure. There are several tools available to secure the management plane, including the following: the Cisco MPP feature (Cisco IOS Release 12.4(6)T); SSH access only to the device (covered in the Securing Cisco Network Devices [SND] course); access control lists (ACLs) on the vty...

Types of Layer 2 Attacks

This topic describes various types of Layer 2 attacks.

Like routers, both Layer 2 and Layer 3 switches have their own sets of network security requirements. However, not as much public information is available about the network security risks in switches and what can be done to mitigate those risks. Switches are susceptible to many of the same Layer 3 attacks as routers. Switches, and Layer 2 of...

Verify 8021x Operation Cont

Slide: show dot1x statistics interface interface (view IEEE 802.1x statistics for a specific port); view the status and operational information for all configured AAA servers.

The following commands are also used to verify 802.1x operation on the switch. show dot1x statistics interface interface: This command displays IEEE 802.1x statistics for a specific port. This command displays the status and operational information for all configured AAA...

Verifying Port Security

    sw-class# show port-security
    Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                    (Count)       (Count)        (Count)
    Total Addresses in System (excluding one ...
    Max Addresses limit in System (excluding ...

Use the show port-security command to view port security settings for the switch, including violation count, configured interfaces, and security violation actions. The output columns are Secure Port, MaxSecureAddr (Count), CurrentAddr (Count), SecurityViolation (Count), and Security Action, followed by Total Addresses...

Verifying Port Security Cont

Use the show port-security interface interface-id command to view port security settings for the specified interface, including the maximum allowed number of secure MAC addresses for each interface, the number of secure MAC addresses on the interface, the number of security violations that have occurred, and the violation mode.

    sw-class# show port-security interface fa0/12
    SecureStatic Address Aging
    Maximum MAC Addresses
    Total MAC...

VLAN Assignment Guest VLANs and Restricted VLANs

Here are some points to keep in mind when configuring IEEE 802.1x with VLAN assignment and with guest and restricted VLANs: Authentication with the VLAN assignment feature is not supported on trunk ports, dynamic ports, or with dynamic access port assignment through a VMPS. Guest VLANs are supported only on access ports. You can configure any VLAN as a guest VLAN except an RSPAN VLAN or a voice VLAN. You can configure any VLAN as a restricted VLAN except an RSPAN VLAN or a voice VLAN. Restricted...

And Guest VLANs

This topic describes the use of 802.1x with guest VLANs.

Figure caption: I do not know A, I do know B, and B gets VLAN 10.

It is possible to configure a guest VLAN for each IEEE 802.1x port on the switch to provide limited services to clients, such as Internet access or downloading the IEEE 802.1x client. Some clients might be upgrading their system for IEEE 802.1x authentication, while others, such as Microsoft Windows 98...

And Port Security

This topic describes the use of 802.1x with port security.

You can configure an IEEE 802.1x port with port security in either single-host or multiple-hosts mode. (You must also configure port security on the port by using the switchport port-security interface configuration command.) When you enable port security and IEEE 802.1x on a port, IEEE 802.1x authenticates the port, and port security manages network access for...

And Restricted VLANs

This topic describes the use of 802.1x with restricted VLANs.

Figure caption: I do not know A, I do know B, and B gets VLAN 10.

Another security feature allows you to configure a restricted VLAN for each IEEE 802.1x port to provide limited services to clients that cannot access the guest VLAN. Clients that are IEEE 802.1x-compliant and cannot access another VLAN because they fail the authentication process will be put in...

And VLAN Assignment

This topic describes the use of 802.1x with VLAN assignment.

Figure caption: I do not know A, I do know B, and B gets VLAN 10.

A common security policy is to limit network access for certain users by using VLAN assignment. You will accomplish this using the aaa authorization network default group radius command. After successful IEEE 802.1x authentication of a port, the RADIUS server sends the VLAN assignment to configure the switch...

Example of Queue Thresholding

    class-map type queue-threshold match-all QT-class
      match protocol bgp
    policy-map type queue-threshold QT-policy
      class QT-class
        queue-limit 100
    control-plane host
      service-policy type queue-threshold input QT-policy

This example shows how to configure a queue-threshold policy to set the queue limit for BGP protocol traffic to 100. The QT-class class map matches protocol bgp. The QT-policy policy map points to the class map and sets the queue limit. The control plane host subinterface has an input...

Overview of CPPr

This topic describes the basic function and benefits of the Cisco IOS CPPr feature.

Slide: Provides for all policing and protection.

One tool mentioned in the previous section is CPPr, which includes CoPP, port filtering, and queue thresholding. CPPr is a framework that encompasses all policing and protection features in the control plane. The CPPr feature extends the...

Common Cisco Ios Aaa Authorization Configuration

To enable AAA authorization and create an authorization method list for a particular authorization type, use the aaa authorization command.

    dev(config)# aaa authorization {auth-proxy | network | exec | commands level | reverse-access | configuration} {default | list-name} method1 [method2 ...]

auth-proxy: Applies specific security policies on a per-user basis. network: Runs authorization for all network-related service requests, including Serial Line Internet Protocol (SLIP), PPP, PPP Network Control Programs (NCPs), and AppleTalk Remote...

Defining Port Filter Packet Classification Criteria

Before you can attach a port-filter service policy to the control plane host subinterface, you must first create the policy to define a port-filter class map and policy map type for control plane traffic. A new class map type called port-filter was created for the port-filter feature. You must first create one or more port-filter class maps before you can create your port-filter service policy. Your port-filter class maps will separate your traffic into classes of traffic. Then, your service...

Enable AAA

    aaa authentication dot1x {default | list-name} group radius
    Create an IEEE 802.1X authentication method list.
    aaa authorization network default group radius
    (Optional) Configure the switch for user RADIUS authorization for all network-related service requests, such as VLAN assignment.

Complete these steps to enable AAA services on the switch. Specify one or more authentication, authorization, and accounting (AAA) methods for use on interfaces running...

DHCP Starvation and Spoofing Attacks

This topic describes the DHCP spoofing and starvation attacks.

Figure: attacker attempting to set up a rogue DHCP server; DHCP requests with spoofed MAC addresses; attacker attempting to starve the DHCP server.

A DHCP starvation attack works by broadcasting DHCP requests with spoofed MAC addresses. This is easily achieved with attack tools such...

Flexible Packet Matching

Many of the tools available today are not designed with deep packet inspection as a requirement; instead, they are designed to provide matching for predefined fields in well-known protocol headers. If an attack uses a field outside the limited range of inspection of these features, you are left without a defense against the attack. FPM provides the means to configure match criteria for any or all fields in a packet...

Data Plane Protection

This topic describes some strategies for protecting the data plane.

Cisco IOS Software includes various tools for dealing with attacks that may affect the data plane. Some of these security features include the following: access control lists (ACLs), which filter traffic through network devices; Flexible Packet Matching, which provides a flexible Layer 2 to Layer 7 stateless classification mechanism; and Unicast Reverse Path Forwarding (uRPF), which helps mitigate problems...

CAM Table Overflow Attack

Figure caption: Attacker sees traffic to servers B and D.

This diagram illustrates a CAM table overflow attack. In this figure, the attacker is sending out multiple packets with various source MAC addresses. Over a short period of time, the CAM table in the switch fills up until it cannot accept new entries. As long as the flood is left running, the CAM table on the switch will remain full. When this happens, the switch begins to broadcast all packets that it receives out...

Control Plane Interface and Subinterface

The concept of early rate-limiting of protocol-specific traffic destined to the processor, by applying QoS policies to the aggregate control plane interface, was introduced with CoPP. CPPr extends this control plane functionality by providing three additional control plane subinterfaces under the top-level (aggregate) control plane interface. Each subinterface receives and processes a specific type of control plane traffic. The three subinterfaces are as follows: Control plane host subinterface...

Entering Aggregate Control Plane Configuration Mode

After you create a class of traffic and define the service policy for the control plane, you need to apply the policy to either the aggregate control plane interface or one of the subinterfaces. After you enter the control-plane command, you can define aggregate CoPP policies for the RP. You can configure a service policy to police all traffic destined to the control plane from all line cards on the router (aggregate control plane services). Note: Aggregate control plane services manage traffic...

Mitigating Pvlan Proxy Attacks

    Router(config)# access-list 101 deny ip 172.30.1.0 0.0.0.255 172.30.1.0 0.0.0.255
    Router(config)# access-list 101 permit ip any any
    Router(config-if)# ip access-group 101 in

Build the ACL for the subnet and apply the ACL to the interface.

Configure access control lists (ACLs) on the router port to mitigate PVLAN attacks. An example of using ACLs on the router port is if a server farm segment existed on subnet 172.30.1.0/24 and target C was in the server...

What Is EAP

Slide: EAP, the Extensible Authentication Protocol: a flexible transport protocol used to carry arbitrary authentication information, not the authentication method itself; typically runs directly over data-link layers such as PPP or IEEE 802 media; originally specified in RFC 2284, obsoleted by RFC 3748; supports multiple authentication types.

EAP, based on IETF 802.1x, is an end-to-end framework that allows the creation of authentication types...

Cisco Certified Security Professional

Expand Your Professional Options and Advance Your Career: professional-level recognition in Cisco Certified Security Professional.

Recommended Training Through Cisco Learning Partners: Securing Cisco Network Devices (SND); Securing Networks with Cisco Routers and Switches (SNRS); Securing Networks with PIX and ASA (SNPA); Implementing Cisco Intrusion Prevention Systems (IPS); Securing...

Configuring Port Security

    Switch(config-if)# switchport mode access
    Set the interface mode as access.
    Switch(config-if)# switchport port-security
    Enable port security on the interface.
    Switch(config-if)# switchport port-security maximum value
    Set the maximum number of secure MAC addresses for the interface (optional).

Complete these steps to configure port security on an interface.
Step 1 Enter interface configuration mode.
    Switch(config)# interface FastEthernet0/8
Step 2 Configure...

TACACS and Radius Comparison

Slide table fragments: Authentication; Authorization; 1645 and 1812; encrypts only passwords up to 16 bytes; separate control of each AAA service.

Cisco Secure ACS conforms to the TACACS+ protocol as defined by Cisco Systems. Cisco Secure ACS conforms to the RADIUS protocol as defined in these RFCs: RFC 2138, Remote Authentication Dial In User Service (RADIUS); RFC 2139, RADIUS Accounting; RFC 2284, PPP...

Defining a CoPP Service Policy

Use the policy-map global configuration command to specify the service policy name, and use the configuration commands to associate a traffic class that was configured with the class-map command. The traffic class is associated with the service policy when you use the class command. You must then issue the class command after entering policy map configuration mode. After entering the class command, you are automatically in policy map class configuration mode. Follow these steps to define a...

PEAP with MSCHAPv2

Figure: PEAP with MS-CHAPv2 message exchange.
    EAP Request: TLS start
    EAP Response: TLS client hello
    EAP Response: TLS Server Hello, Server Cert, Server Key Exchange, Server Hello Done
    EAP Response: Cert Verify, Change Ciph Spec
    EAP Request: TLS Change_Ciph_Spec
    Identity Request
    EAP-MS-CHAPv2 Challenge
    EAP-MS-CHAPv2 Response
    Identity response
    EAP-MS-CHAPv2 Challenge

This diagram illustrates the PEAP with MS-CHAPv2 message exchange between the supplicant, authenticator, and authentication server....

Web Interface

Select Log Off to end the administration session.

CiscoSecure ACS v4.0 offers support for multiple AAA Clients and advanced TACACS+ and RADIUS features. It also supports several methods of authorization, authentication, and accounting (AAA), including several one-time-password cards. For more information on CiscoSecure products and upgrades, please visit http://www.cisco.com. Copyright 2005 Cisco Systems, Inc. Copyright 1991-1992 RSA Data Security, Inc. MD5...

Working in Cisco Secure ACS

Select Log Off to end the administration session.

CiscoSecure ACS v4.0 offers support for multiple AAA Clients and advanced TACACS+ and RADIUS features. It also supports several methods of authorization, authentication, and accounting (AAA), including several one-time-password cards. For more information on CiscoSecure products and upgrades, please visit http://www.cisco.com. Copyright 2005 Cisco Systems, Inc. Copyright 1991-1992 RSA Data Security, Inc. MD5...