Cisco Networking/CCENT/Security

Objectives and skills for the security portion of Cisco CCENT certification include:^[1]

• Configure and verify network device security features
  • Device password security
  • Enable secret vs. enable
  • Transport
    • Disable telnet
    • SSH
  • VTYs
  • Physical security
  • Service password
  • Describe external authentication methods
• Configure and verify switch port security
  • Sticky mac
  • MAC address limitation
  • Static/dynamic
  • Violation modes
    • Err disable
    • Shutdown
    • Protect restrict
  • Shutdown unused ports
  • Err disable recovery
  • Assign unused ports in unused VLANs
  • Putting Native VLAN to other than VLAN 1

1. Wikipedia: Network security
2. Wikipedia: Access control
3. Wikipedia: MAC filtering
4. Cisco: How to secure your Cisco Catalyst switch
5. Cisco: Security Checklist

1. Cisco: Hardening Cisco IOS Devices
2. Cisco: Securing Cisco LAN Switches

1. Review Cisco Networking/CCENT/IOS Basics#Password Configuration
2. Review Cisco Networking/CCENT/Remote Management#Line Configuration
3. Review Cisco Networking/CCENT/Remote Management#Interface Configuration
4. Review Cisco Networking/CCENT/Remote Management#SSH Configuration

Note: The following commands are not supported by NM-16ESW network modules. See Cisco: EtherSwitch Network Module 802.1x Authentication for an alternative. Port security is included in the Cisco CCENT exam, but 802.1x implementation is not.

To enable port security on an interface, use the switchport port-security command in interface configuration mode.^[2]

switchport port-security

To add a MAC address to the list of secure MAC addresses, use the switchport port-security mac-address command in interface configuration mode.^[3]

switchport port-security mac-address { <mac-addr> | sticky [<mac-addr>] [ vlan <vlan> [voice] | <vlan-list> ] }
switchport port-security mac-address 1a:6f:7c:8e:2h:3a
switchport port-security mac-address default

To set the maximum number of secure MAC addresses on a port, use the switchport port-security maximum command in interface configuration mode.^[4]

switchport port-security maximum <maximum> [ vlan <vlan> | <vlan-list> ]
switchport port-security maximum 1 

To set the action to be taken when a security violation is detected, use the switchport port-security violation command in interface configuration mode.^[5]

switchport port-security violation { shutdown | restrict | protect }
switchport port-security violation shutdown
switchport port-security violation restrict
switchport port-security violation protect

To display port-security settings for an interface or for the switch, use the show port-security command in global configuration mode.^[6]

show port-security [interface interface_id] [address]
show port-security
show port-security interface fastethernet 1/1
show port-security address

A command sequence to configure port security might be similar to the following.

enable
configure terminal

interface range fa1/0 - 15
switchport port-security mac-address sticky
switchport port-security maximum 1
switchport port-security violation restrict
exit
exit

show port-security
show port-security address
exit

1. Configure and verify device security.

    

   1. Add a router, an EtherSwitch router, and four VPCS PCs to a new GNS3 project and start the devices.
   2. Add links to connect the following.
      • R1 FastEthernet0/0 <-> ESW1 FastEthernet1/0
      • PC1 Ethernet0 <-> ESW1 FastEthernet1/1
      • PC2 Ethernet0 <-> ESW1 FastEthernet1/2
      • PC3 Ethernet0 <-> ESW1 FastEthernet1/3
      • PC4 Ethernet0 <-> ESW1 FastEthernet1/4
   3. Set the following IP addresses, subnet masks, and default gateways for the switch and PCs.
      • R1 FastEthernet0/0: 192.168.1.1 255.255.255.0
      • ESW1 VLAN1: 192.168.1.10 255.255.255.0 192.168.1.1
      • PC1 Ethernet0: 192.168.1.11 255.255.255.0 192.168.1.1
      • PC2 Ethernet0: 192.168.1.12 255.255.255.0 192.168.1.1
      • PC3 Ethernet0: 192.168.1.13 255.255.255.0 192.168.1.1
      • PC4 Ethernet0: 192.168.1.14 255.255.255.0 192.168.1.1
   4. Add username and password security to the console, aux, and vty lines, add a password to protect global configuration mode, and encrypt all passwords on both routers using the following commands.
      • enable
      • configure terminal
      • username
      • line
      • login local
      • enable secret
      • service password-encryption
   5. Allow only SSH connections to the vty lines of both routers using the following commands.
      • hostname
      • ip domain-name
      • crypto key generate rsa
      • ip ssh version 2
      • line vty 0 4
      • transport input ssh
   6. Verify the configuration on both routers using the following command.
      • show running-config
   7. Exit the router console session and open the console again to test the configuration.
   8. Exit the router console session and open a console on the aux line to test the configuration.
   9. Test vty configuration using the following command to verify that telnet access is no longer supported.
      • telnet
   10. Test vty configuration using the following command to remotely manage one router from the other.
       • ssh
2. Configure and verify switch port security. Note: EtherSwitch routers do not support the switchport port-security command. Use a Cisco switch, if available, or review CiscoSkills.net: Configuring Port Security.

    

   1. Add dynamic port security and limit connections to only 1 allowed device per port in restricted mode using the following commands.
      • switchport port-security mac-address
      • switchport port-security maximum
      • switchport port-security violation
   2. Shutdown unused ports.
   3. Verify the configuration using the following commands.
      • show port-security
      • show port-security address
   4. Test the configuration by pinging all four PCs. The test should be successful for all devices.
   5. Remove and add links to connect the following.
      • PC3 Ethernet0 <-> ESW1 FastEthernet1/4
      • PC4 Ethernet0 <-> ESW1 FastEthernet1/3
   6. Test the configuration by pinging all four PCs. The test should be successful for PC1 and PC2, and unsuccessful for PC3 and PC4.
   7. Verify the configuration using the following commands.
      • show port-security
      • show port-security address
   8. Remove and add links to connect the following.
      • PC3 Ethernet0 <-> ESW1 FastEthernet1/3
      • PC4 Ethernet0 <-> ESW1 FastEthernet1/4
   9. Test the configuration by pinging all four PCs. The test should be successful for all devices.
3. Configure VLAN security.

    

   1. Use the configuration from above. Change the native VLAN to VLAN 10, put existing devices in VLAN 10, and assign unused ports to VLAN 99 using the following commands on the EtherSwitch router.
      • enable
      • vlan database
      • vlan
      • exit
      • configure terminal
      • interface range
      • switchport access
   2. Test the configuration by pinging all four PCs. The test should be successful for all devices.
   3. Remove and add links to connect the following.
      • PC4 Ethernet0 <-> ESW1 FastEthernet1/5
   4. Test the configuration by pinging all four PCs. The test should be successful for PC1, PC2, and PC3, and unsuccessful for PC4.
   5. Configure the router to access the EtherSwitch router on VLAN 10 using the following commands.
      • enable
      • configure terminal
      • interface
      • encapsulation
      • exit
   6. Test the configuration by pinging the switch from the router. The test should be successful.

• Network security consists of the policies adopted to prevent and monitor authorized access, misuse, modification, or denial of a computer network and network-accessible resources.^[7]
• Network security requires physical security, access control, authentication, and authorization.^[8]
• Cisco IOS supports Authentication, Authorization, and Accounting (AAA) using either RADIUS or TACACS+ protocols.^[9]
• MAC filtering is a security access control method whereby the 48-bit address assigned to each network card is used to determine access to the network.^[10]
• MAC filtering can be circumvented by identifying a valid MAC through observation and then spoofing one's own MAC into a validated one.^[11]
• MAC spoofing may done in the Windows Registry or by using command-line tools on a Linux platform.^[12]
• Cisco Catalyst switches support MAC filtering on a port-by-port basis using port security.^[13]
• Port security may be configured statically with a list, dynamically based on the first given number of addresses detected, or a combination of these two methods.^[14]
• When port security is configured, the default settings are to allow only one MAC address per port, and to shut down the port if the allowed number of addresses is exceeded.^[15]
• Rather than shutting down the port, the port security violation mode may be set to restrict access and send an SNMP alert.^[16]
• Port security shutdown ports may also be set to recover automatically using the errdisable recovery cause psecure-violation command in global configuration mode.^[17]
• The default erridsable recovery time is 300 seconds. This may be altered using the errdisable recovery interval command.^[18]
• Port security dynamic MAC addresses are not remembered by default. They may be added to the running configuration by enabling sticky mode.^[19]
• To enable port security on an interface, use the switchport port-security command in interface configuration mode.^[20]
• To add a MAC address to the list of secure MAC addresses, use the switchport port-security mac-address command in interface configuration mode.^[21]
• To set the maximum number of secure MAC addresses on a port, use the switchport port-security maximum command in interface configuration mode.^[22]
• To set the action to be taken when a security violation is detected, use the switchport port-security violation command in interface configuration mode.^[23]
• To display port-security settings for an interface or for the switch, use the show port-security command in global configuration mode.^[24]
• Additional switch security options include shutting down unused ports, assigning unused ports to unused VLANs, and setting the native VLAN to a VLAN other than 1.^[25]

AAA

An acronym for authentication, authorization, and accounting, which generically refers to a protocol used for this purpose.^[26]

RADIUS (Remote Authentication Dial-In User Service)

A networking protocol that provides centralized authentication, authorization, and accounting (AAA) management for users who connect and use a network service.^[27]

TACACS+ (Terminal Access Controller Access-Control System Plus

A protocol developed by Cisco and released as an open standard that handles authentication, authorization, and accounting (AAA) services.^[28]

1. Network security consists of _____.

   Network security consists of the policies adopted to prevent and monitor authorized access, misuse, modification, or denial of a computer network and network-accessible resources.
2. Network security requires _____.

   Network security requires physical security, access control, authentication, and authorization.
3. Cisco IOS supports Authentication, Authorization, and Accounting (AAA) using _____.

   Cisco IOS supports Authentication, Authorization, and Accounting (AAA) using either RADIUS or TACACS+ protocols.
4. MAC filtering is _____.

   MAC filtering is a security access control method whereby the 48-bit address assigned to each network card is used to determine access to the network.
5. MAC filtering can be circumvented by _____.

   MAC filtering can be circumvented by identifying a valid MAC through observation and then spoofing one's own MAC into a validated one.
6. MAC spoofing may done _____.

   MAC spoofing may done in the Windows Registry or by using command-line tools on a Linux platform.
7. Cisco Catalyst switches support MAC filtering on a port-by-port basis using _____.

   Cisco Catalyst switches support MAC filtering on a port-by-port basis using port security.
8. Port security may be configured _____.

   Port security may be configured statically with a list, dynamically based on the first given number of addresses detected, or a combination of these two methods.
9. When port security is configured, the default settings are _____.

   When port security is configured, the default settings are to allow only one MAC address per port, and to shut down the port if the allowed number of addresses is exceeded.
10. Rather than shutting down the port, the port security violation mode may be set to _____.

    Rather than shutting down the port, the port security violation mode may be set to restrict access and send an SNMP alert.
11. Port security shutdown ports may also be set to _____.

    Port security shutdown ports may also be set to recover automatically using the errdisable recovery cause psecure-violation command in global configuration mode.
12. The default errdisable recovery time is _____ seconds. This may be altered using the _____ command.

    The default errdisable recovery time is 300 seconds. This may be altered using the errdisable recovery interval command.
13. Dynamic addresses are not remembered by default. They may be added to the running configuration by enabling _____ mode.

    Dynamic addresses are not remembered by default. They may be added to the running configuration by enabling sticky mode.
14. To enable port security on an interface, use the _____ command in interface configuration mode.

    To enable port security on an interface, use the switchport port-security command in interface configuration mode.
15. To add a MAC address to the list of secure MAC addresses, use the _____ command in interface configuration mode.

    To add a MAC address to the list of secure MAC addresses, use the _____ command in interface configuration mode.
16. To set the maximum number of secure MAC addresses on a port, use the _____ command in interface configuration mode.

    To set the maximum number of secure MAC addresses on a port, use the switchport port-security maximum command in interface configuration mode.
17. To set the action to be taken when a security violation is detected, use the _____ command in interface configuration mode.

    To set the action to be taken when a security violation is detected, use the switchport port-security violation command in interface configuration mode.
18. To display port-security settings for an interface or for the switch, use the _____ command in global configuration mode.

    To display port-security settings for an interface or for the switch, use the show port-security command in global configuration mode.
19. Additional switch security options include _____, _____, and _____.

    Additional switch security options include shutting down unused ports, assigning unused ports to unused VLANs, and setting the native VLAN to a VLAN other than 1.

• Flashcards: Quizlet: CCENT - Security
• Quiz: Quizlet: CCENT - Security

• Computer Networks/Security
• Cisco Press: Switchport Security Concepts and Configuration
• Cisco Press: Design Best Practices for VLANs
• Cisco: Errdisable Port State Recovery