Network security on Cisco routers and switches

Student: Alexandros Britzolakis
Department: Informatics Engineering
Institute: Hellenic Mediterranean University
Location: Heraklion, Greece
Alexandros Britzolakis (2981)CISCO Security
Network security on Cisco
routers and switches

TCP/IP PROTOCOL SUITE
Alexandros Britzolakis (2981)CISCO Security2
 Communications between computers on a network is done through protocol suits. The most
widely used and most widely available protocol suite is TCP/IP protocol suite.
 A protocol suit consists of a layered architecture where each layer depicts some
functionality which can be carried out by a protocol.
 Each layer usually has more than one protocol options to carry out the responsibility that the
layer adheres to. TCP/IP is normally considered to be a 4 layer system. The 4 layers are
application layer, transport layer, network layer, network access layer (Physical interfaces)

 All layers of TCP/IP model:
TCP/IP
L4 Application layer
L3 Transport layer
L2 Network layer
L1 Network interface
layer
TCP/IP PROTOCOL SUITE

Application layer (Layer 4)
 This is the top layer of TCP/IP protocol suite. This layer includes applications or processes
that use transport layer protocols to deliver the data to destination computers.
 At each layer there are certain protocol options to carry out the task designated to that
particular layer. So, application layer also has various protocols that applications use to
communicate with the second layer, the transport layer. Some of the popular application
layer protocols are:
◼ HTTP (Hypertext transfer protocol)
◼ FTP (File transfer protocol)
◼ SMTP (Simple mail transfer protocol)
◼ SNMP (Simple network management protocol) etc

 This layer provides backbone to data flow between two hosts. This layer receives data from
the application layer above it.
 There are many protocols that work at this layer but the two most commonly used protocols
at transport layer are TCP and UDP.
 TCP is used where a reliable connection is required while UDP is used in case of unreliable
connections.
Transport Layer (Layer 3)

 TCP divides the data (coming from the application layer) into proper sized chunks and then
passes these chunks onto the network. It acknowledges received packets, waits for the
acknowledgments of the packets it sent and sets timeout to resend the packets if
acknowledgements are not received in time.
 The term ‘reliable connection’ is used where it is not desired to lose any information that is
being transferred over the network through this connection.
 So, the protocol used for this type of connection must provide the mechanism to achieve
this desired characteristic. For example, while downloading a file, it is not desired to lose
any information (bytes) as it may lead to corruption of downloaded content.

 UDP provides a comparatively simpler but unreliable service by sending packets from one
host to another. UDP does not take any extra measures to ensure that the data sent is
received by the target host or not.
 The term ‘unreliable connection’ are used where loss of some information does not hamper
the task being fulfilled through this connection.
 For example while streaming a video, loss of few bytes of information due to some reason
is acceptable as this does not harm the user experience much.

Network Layer (Layer 2)
 This layer is also known as Internet layer. The main purpose of this layer is to organize or
handle the movement of data on network.
 By movement of data, we generally mean routing of data over the network.
 The main protocol used at this layer is IP.
 While ICMP(used by popular ‘ping’ command) and IGMP are also used at this layer.

 This layer normally consists of device drivers in the OS and the network interface card
attached to the system.
 Both the device drivers and the network interface card take care of the communication
details with the media being used to transfer the data over the network. In most of the cases,
this media is in the form of cables.
 Some of the famous protocols that are used at this layer include ARP (Address resolution
protocol), PPP(Point to point protocol) etc.
Network Interface Layer (Layer 1)

TCP/IP Protocols
❑ UDP, User Datagram Protocol
❑ ICMP, Internet Control Message Protocol
❑ Telnet , Telecommunication Network
❑ FTP, File Transfer Protocol
❑ SMTP, Simple Mail Transfer Protocol
❑ TFTP, Trivial File Transfer Protocol
Layers Applications
Application (Telnet, FTP,SMTP) (TFTP)
Transport TCP UDP
Network IP/ICMP

TCP/IP CONCEPT EXAMPLE
 One thing which is worth taking note is that the interaction between two computers over the
network through TCP/IP protocol suite takes place in the form of a client server
architecture.
 Client requests for a service while the server processes the request for client.
 Now, since we have discussed the underlying layers which help that data flow from host to
target over a network. Lets take a very simple example to make the concept more clear.
 Consider the data flow when you open a website.

❖ As seen in the above figure, the information flows downward through each layer on the host machine.
At the first layer, since http protocol is being used, so an HTTP request is formed and sent to the
transport layer.
❖ Here the protocol TCP assigns some more information(like sequence number, source port number,
destination port number etc) to the data coming from upper layer so that the communication remains
reliable i.e, a track of sent data and received data could be maintained.
❖ At the next lower layer, IP adds its own information over the data coming from transport layer. This
information would help in packet travelling over the network.
❖ Lastly, the data link layer makes sure that the data transfer to/from the physical media is done
properly. Here again the communication done at the data link layer can be reliable or unreliable.

❖ This information travels on the physical media (like Ethernet) and reaches the target machine.
❖ Now, at the target machine (which in our case is the machine at which the website is hosted) the
same series of interactions happen, but in reverse order.
❖ The packet is first received at the data link layer. At this layer the information (that was stuffed by the
data link layer protocol of the host machine) is read and rest of the data is passed to the upper layer.
❖ Similarly at the Network layer, the information set by the Network layer protocol of host machine is
read and rest of the information is passed on the next upper layer. Same happens at the transport
layer and finally the HTTP request sent by the host application(your browser) is received by the
target application (Website server).

❖ One would wonder what happens when information particular to each layer is read by the
corresponding protocols at target machine or why is it required? Well, lets understand this by an
example of TCP protocol present at transport layer. At the host machine this protocol adds information
like sequence number to each packet sent by this layer.
❖ At the target machine, when packet reaches at this layer, the TCP at this layer makes note of the
sequence number of the packet and sends an acknowledgement (which is received seq number + 1).
❖ Now, if the host TCP does not receive the acknowledgement within some specified time, it re sends
the same packet.
❖ So this way TCP makes sure that no packet gets lost. So we see that protocol at every layer reads the
information set by its counterpart to achieve the functionality of the layer it represents.

Short introduction to OSI model
❖ Before we make our reference on communication devices of which a network is consisted we also must
make a short reference in OSI model. The reason is that OSI model offers better clarity to the last layer
of TCP/IP model (Network interface layer) something which will help us understand better the function
of each communication device.
❖ OSI model is consisted of 7 layers and it was the “ancestor” of TCP/IP model. These layers are the
application layer, the presentation layer, the session layer, the transport layer, the network layer, the
data-link layer and last the physical layer.
❖ OSI model is not in use nowadays because it was replaced by TCP/IP model and its main usage is for
educational purposes. We will focus on the last three layers of OSI which are the network layer, the
data-link layer and the physical layer.
❖ The network layer handles the addressing and routing of the data. The data-link layer sets up links
across the physical network, putting packets into network frames and the physical layer conveys the bit
stream through the network at the electrical, optical or radio level.

❖ The 7 layers of OSI model:
Short introduction to OSI model

What is a switch device
❖ A switch is a communication device that channels incoming data from any of its multiple input ports to
the specific output port that will take the data toward its intended destination.
❖ On an Ethernet local area network (LAN), a switch determines from the physical device (Media
Access Control or MAC) address in each incoming message frame which output port to forward it to
and out of.
❖ In a wide area packet-switched network such as the Internet, a switch determines from the IP
address in each packet which output port to use for the next part of its trip to the intended destination.

❖ Every switch has a MAC address table which stores all the MAC addresses of each node in a
network.
❖ Let as assume that we have in our possession a cisco switch model 3548XL and we want to
configure it. If we hit the command show mac-address-table will show the above information's to us.

❖ In the image below is the cisco switch model 3548XL.

What is a router device
❖ A router is a device that determines the next network point to which a packet should be forwarded
toward its destination. It is connected to at least two networks and decides which way to send each
information packet based on its current understanding of the state of the networks it is connected to.
❖ A router is located at any gateway (where one network meets another), including each point-of-
presence on the Internet.
❖ A router may create or maintain a table of the available routes and their conditions and use this
information along with distance and cost algorithms to determine the best route for a given packet.
❖ Typically, a packet may travel through a number of network points with routers before arriving at its
destination. Routing is a function associated with the Network layer (layer 3) in the standard model
of network programming, the Open Systems Interconnection (OSI) model. Also a layer-3 switch is a
switch that can perform routing functions.

• In the image below is the cisco router 7201.

CISCO Corporation
❖ Cisco Systems, Inc. is an American multinational corporation
headquartered in San Jose, California, that designs, manufactures,
and sells networking equipment. For more information you can visit
the link given below:
http://www.cisco.com/
❖ Cisco company has published the well known network simulator “packet tracer” which allows users
to get an experience to Cisco IOS commands.
❖ There are several Cisco certifications like CCNA which focuses on basic routing and switching,
CCNP which focuses to more advanced routing, switching plus security measures and CCIE which is
the final and expert-level certification. For more information you can visit this wiki link below:
http://en.wikipedia.org/wiki/Cisco_Career_Certifications

Packet Tracer
❖ Cisco Packet Tracer is a powerful network simulation program that allows students to
experiment with network behavior and ask “what if” questions.
❖ As an integral part of the Networking Academy comprehensive learning experience,
Packet Tracer provides simulation, visualization, authoring, assessment, and
collaboration capabilities and facilitates the teaching and learning of complex
technology concepts.
❖ Instructors, students and administrators who are registered NetSpace users.
❖ Packet Tracer supplements physical equipment in the classroom by allowing students to create a network with an
almost unlimited number of devices, encouraging practice, discovery, and troubleshooting. The simulation-based
learning environment helps students develop 21st century skills such as decision making, creative and critical
thinking, and problem solving.
❖ Packet Tracer complements the Networking Academy curricula, allowing instructors to easily teach and
demonstrate complex technical concepts and networking systems design.
❖ The Packet Tracer software is available free of charge to Networking Academy instructors, students, alumni, and
administrators who are registered NetSpace users.

Packet Tracer
❖ Graphical environment of packet tracer.

GNS3
❖ GNS3 provides a graphical user interface to design and configure virtual networks, it runs on traditional PC
hardware and may be used on multiple operating systems, including Windows, Linux, and Mac OS X.
❖ In order to provide complete and accurate simulations, GNS3 actually uses the following emulators to run the very
same operating systems as in real networks:
❖ GNS3 is an alternative free software tool to using real computer labs for
computer network engineers, administrators and people studying for certifications
such as Cisco CCNA, CCNP and CCIE as well as Juniper JNCIA, JNCIS and
JNCIE. You can download it on the link below:
http://www.gns3.com/
✓ Dynamips, the well known Cisco IOS emulator.
✓ VirtualBox, runs desktop and server operating systems as well as Juniper JunOS.
✓ QEMU, a generic open source machine emulator, it runs Cisco ASA, PIX and IPS.

GNS3
❖ Graphical environment of GNS3.

Security on switches
❖ After looking at the available network simulators, let’s now focus on applying security mechanisms to layer 2 (OSI)
devices, for example, a switch. Switches are internal to an organization, and are designed to allow ease of
connectivity, therefore only limited or no security measures are applied.
❖ The following slides describe the application of the following security best practices using Packet Tracer:
✓ Physically secure the device – restrict physical access to the actual devices
✓ Use secure passwords – choose passwords that are difficult to discover and encrypt them
✓ Enable SSH access – use SSH which includes encryption algorithms rather than telnet for remote access
✓ Enable port security – allow only specific end devices to connect to each port
✓ Disable http access – block access to the device on port 80
✓ Disable unused ports – restrict the unauthorized connection of devices to the network
✓ Disable Telnet – disable the clear text remote access protocol

❖ The network topology that we will be using to demonstrate the security best practice is the
following:
✓ One layer 2 (OSI) switch
✓ Two end devices (PCs) connected to the switch via ethernet UTP
straight through cables.
✓ PC1 has been configured with an IP address of 192.168.1.2
✓ PC2 has been configured with an IP address of 192.168.1.3
✓ The switch is a layer two device and cannot have one of its ports assigned an IP address.
However, we can create a Switched Virtual Interface (SVI) and assign it the IP address
192.168.1.1.

CISCO IOS mode hierarchical structure

CISCO IOS mode hierarchical structure
Description of operation
modes
Symbolism
USER EXEC MODE
>
PRIVILEGED EXEC MODE
#
GLOBAL CONFIGURATION MODE (config)#
CONFIG MODE
Config-if #
Config- router #
Config-line #

◼ Now we configure the switch through the CLI of packet tracer. To do this we double click on the
switch device and a new window will emerge. We go on the tab of CLI and we start giving the
commands below:
Switch> enable
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface vlan 1
Switch(config-if)# ip address 192.168.1.1 255.255.255.0
Switch(config-if)# no shutdown
%LINK-5-CHANGED: Interface Vlan1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed
state to up
Switch(config-if)# exit

◼ With the commands below we can go into configure mode of the device and with the command
interface vlan 1 we can create a Switched Virtual Interface (SVI) and assign it the IP address
192.168.1.1 with the subnet mask of 255.255.255.0. Notice the no shutdown command. This
particular command changes the state of the interface from down to up.
Switch> enable
Switch(config)# interface vlan 1
Switch(config-if)# ip address 192.168.1.1 255.255.255.0
Switch(config-if)# no shutdown
%LINK-5-CHANGED: Interface Vlan1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed
state to up

◼ After we set the virtual interface we go to back to configure mode to set the enable password. This
password allows us to enter into the Privileged Exec Mode in which we can make changes to the
switch. Notice the command we give is enable secret and the password that we choose is cisco123.
The secret keyword creates an encrypted password using MD5 hash algorithm.
Switch(config)# enable secret cisco123
%SYS-5-CONFIG_I: Configured from console by console
Switch(config)# exit
Switch# exit
Switch con0 is now available
Press RETURN to get started.

◼ Now we see that we can’t go to user exec mode without entering a password. When we type the
password cisco123 the access to the user exec mode is allowed otherwise we can’t make any
changes to the device.
◼ As we remembered previously we gave the command enable secret to set password. The mode
secret sets an encrypted password. With the command show run we can display the running
configuration which will confirm the encryption of the password. This can be seen on the next slide.
Switch> enable
Password:
Switch# show run

◼ As we can see, the output confirms that the password we entered is encrypted. Even if someone
gains access to the configuration (from a backup or a printout for example) they will not be able to
read it and obtain access to our switch.
◼ Even if someone tries to obtain access via brute force, the switch will only allow for three tries and
then requires a 10 second timeout before the next try.
Building configuration...
Current configuration : 514 bytes
!
version 12.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch
!
enable secret 5 $1$mERr$5.a6P4JqbNiMX01usIfka/
--More--

◼ With the commands below we secure the access to the switch via console port and via remote
access. The line console 0 command and the subsequent two commands configure a password for
access via the console cable.
Switch(config)# line console 0
Switch(config-line)# password cisco123
Switch(config-line)# login
Switch(config-line)# line vty 0 15
Switch(config-line)# transport input ssh
Switch(config-line)# exit
Switch(config)# service password-encryption

◼ The line vty 0 15 command and the subsequent two commands configure a password for use with
remote access to the switch. The transport input ssh command enables the use of ssh rather than
telnet allowing for encrypted remote access using public-private key encryption. Finally, the service
password-encryption command encrypts the console and remote access passwords using a weak
reversible scheme.
Switch(config)# line console 0
Switch(config-line)# line vty 0 15
Switch(config-line)# transport input ssh
Switch(config-line)# exit
Switch(config)# service password-encryption

◼ With the command show run we can display the running configuration which will confirm the encryption
of the console and remote access (vty) passwords. This can be seen on the next slide.
Switch# show run
Current configuration : 611 bytes
!
version 12.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname Switch
!
enable secret 5 $1$mERr$5.a6P4JqbNiMX01usIfka/
.

◼ The output below confirms that the console and remote access passwords have been encrypted.
The 7 after the word password in each case indicates that a weak reversible scheme has been used.
However, MD5 encryption could have been used in which case a 5 would be seen after the keyword
password.
.
line con 0
password 7 0822455D0A16544541
login
!
line vty 0 4
password 7 0822455D0A16544541
login
line vty 5 15
password 7 0822455D0A16544541
login
transport input ssh

◼ After completing the above security commands, we must discourage the potential hacker from
proceeding with a proper warning message. Discouraging potential hackers is one of the
fundamental elements in implementing a successful network security strategy. The command
banner motd allows us to send a message to anyone who arrives at the login prompt of the console
or remote access.
Switch# config t
Switch(config)# banner motd @
Enter TEXT message. End with the character '@'.
######################Authorized access#######################
@
Switch# exit
Password:

◼ Arriving at the login screen, we see below the “scary” message that is displayed ☺
####################Authorized access########################
User Access Verification
Password:
Switch> enable
Password:

◼ The following set of commands applies port security to the specific ports of the switch. This allows
the switch to provide network resources only to the device with the preconfigured MAC address. We
confirm that the port is in access mode (not a trunk) and enable port security with the switchport
mode access command.
Switch(config)# interface fastEthernet 0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security violation shutdown

◼ The next command allows only one preconfigured MAC address on the port while the following
command records the current MAC address and makes it “stick” even if it is removed. Finally, the
last command configures what the port will do in case a device with another MAC address is
connected to the port. In this case, the port will shutdown.

◼ The same commands are issued for interface fastEthernet 1/1. Finally, we exit into Privileged Exec
Mode and issue the command write to save the configuration.
Switch# write
[OK]

Security on Routers
◼ In the following example we will use GNS3 which is more proficient at simulating routers. With
GNS3, we can load real Cisco IOS files and take advantage of all of their features. One drawback
that GNS3 has is that it is unable as of yet to simulate switches. This is why Packet Tracer was used
in the first example.

Security on Routers
◼ With the following commands we configure a crypto policy which allows us to create a pre-shared
key authentication scheme. The final command sets the key as cisco123 and is in plain text. We
can confirm this with the output from the show run command on the next slide.
R1> enable
R1# configure terminal
R1(config)# crypto isakmp policy 10
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# crypto isakmp key cisco123 address 10.1.1.1

Security on Routers
◼ As we can see, the password is in clear text.
R1# show running-config
.
.crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco123 address 10.1.1.1

Security on Routers
◼ With the following commands we create a master key with which all pre-shared keys will be
encrypted using Advanced Encryption Standard (AES).
R1# configure terminal
R1(config)# key config-key password-encrypt testkey123
R1(config)# password encryption aes
R1(config)# exit

Security on Routers
◼ By issuing the show running-config command we can see that the password encryption mode is set
to aes and that the pre-shared key is now encrypted.
.
.
password encryption aes
.
.
crypto isakmp policy 10
authentication pre-share
crypto isakmp key 6 FLgBaJHXdYY_AcHZZMgQ_RhTDJXHUBAAB address 10.1.1.1
.
.
end

Network security on Cisco routers and switches

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a Network security on Cisco routers and switches

Semelhante a Network security on Cisco routers and switches (20)

Último

Último (20)

Network security on Cisco routers and switches