© 1999, Cisco Systems, Inc. 11-1

Chapter 10: Controlling Campus Device Access

Chapter 11: Controlling Access to the Campus Network

© 1999, Cisco Systems, Inc. 10-1


© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-2

Objectives

Upon completion of this chapter, you will be able to perform the following tasks:

• Control user access to network devices

• Regulate user access within the switch block

• Limit user access outside of the switch block


© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-3

Controlling Access in the Campus Network

In this chapter, we discuss the following topics:

• Definition of an access policy

• Managing network devices

• Access layer policy

• Distribution layer policy

• Core layer policy


© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-4

Controlling Access in the Campus Network

In this section, we discuss the following topics:

• Definition of an Access Policy

–What is an access policy?

–Policies in the Hierarchical Model

• Managing Network Devices

• Access Layer Policy

• Distribution Layer Policy

• Core Layer Policy


© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-5

What Is an Access Policy?

• An access policy is a corporation's documented standard of network access

Figure labels: Access to Devices; Access to the Network; Prevent Specific Traffic from Crossing the Core; Prevent Routing and Service Updates to the Core or Other SWBs


© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-6

Applying Policies to the Hierarchical Model

Figure: the Server Block, the Mainframe Block and the Switch Block each carry an Access Layer Policy and a Distribution Layer Policy; the Core Block carries No Policy


© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-7

Controlling Access in the Campus Network

In this section, we discuss the following topics:

• Definition of an Access Policy

• Managing Network Devices

–Physical Security

–Passwords

–Privilege levels

–Virtual Terminal Access

• Access Layer Policy

• Distribution Layer Policy

• Core Layer Policy


© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-8

Controlling Access to Network Devices

• Physical security

• Passwords

• Privilege levels

• Limiting Telnet access


© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-9

Controlling Physical Access

• Physical access to a device equals total control of that device


© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-10

Assigning Passwords

Figure: points of entry to a device: Auxiliary, Console, Virtual Terminal

• Passwords should be assigned to each point of entry to a device


© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-11

Password Configuration

• Passwords should be set on every network device

Cisco IOS Command-Based Switch
ASW41(config)#enable password level 1 Cisco
(level 1 = User level; level 15 = Privileged EXEC level)

Set Command-Based Switch
DSW141 (enable) set password
Enter old password: <cr>
Enter new password: Cisco
Retype new password: Cisco
Password changed.

dsw141 (enable) set enablepass
Enter old password: <cr>
Enter new password: san-fran
Retype new password: san-fran
Password changed.

Cisco IOS Command-Based Router
RSM143(config)#line console 0
RSM143(config-line)#login
RSM143(config-line)#password cisco

RSM143(config)#enable password san-fran


© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-12

Controlling Session Timeouts

• Session timeouts provide an additional level of security by timing out an unattended console

Cisco IOS Command-Based Switch
ASW41(config)#line console
ASW41(config-line)#time-out 300

Set Command-Based Switch
DSW141 (enable) set logout 5

IOS Command-Based Router
RSM143(config)#line console 0
RSM143(config-line)#exec-timeout 5 30
RSM143(config)#line vty 0 4
RSM143(config-line)#exec-timeout 5 3
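As an added example for this transcript (not Cisco's code), the Python script below audits an IOS-style configuration for the controls the password and session-timeout slides call for: a password and login on every line (console, auxiliary, vty), an idle exec-timeout on every line, an enable secret rather than only an enable password, and an access-class on the vty lines. The configuration text, the hostname and the wording of the findings are constructed for the example; the checks use only commands that appear in this chapter.

```python
"""Audit an IOS-style configuration for per-line passwords, login,
exec-timeout, an enable secret, and a vty access-class.

Added example for this transcript; not Cisco code. SAMPLE_CONFIG is
constructed: the console is hardened, the aux line has no password,
the vty lines have the idle timeout disabled, and only the reversible
'enable password' is set."""
import re

SAMPLE_CONFIG = """\
hostname RSM143
enable password san-fran
!
line con 0
 password cisco
 login
 exec-timeout 5 30
line aux 0
 login
 exec-timeout 5 0
line vty 0 4
 password cisco
 login
 exec-timeout 0 0
!
end
"""


def parse_lines(config):
    """Return {line name: [sub-commands]} for every 'line ...' section.
    Sub-commands are the indented lines; any top-level command ends it."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None
    return sections


def audit(config):
    """Return a sorted list of (where, finding); an empty list is compliant."""
    findings = []
    top_level = [l for l in config.splitlines() if not l.startswith(" ")]
    if not any(l.startswith("enable secret") for l in top_level):
        findings.append(("global", "no 'enable secret' (only 'enable password', which is stored reversibly)"))
    for name, cmds in parse_lines(config).items():
        if not any(c.startswith("password ") for c in cmds):
            findings.append((name, "no password"))
        if "login" not in cmds and not any(c.startswith("login ") for c in cmds):
            findings.append((name, "no login (the line password is never checked)"))
        timeout = next((c for c in cmds if c.startswith("exec-timeout")), None)
        if timeout is None:
            findings.append((name, "no exec-timeout (platform default applies)"))
        else:
            m = re.match(r"exec-timeout (\d+)(?: (\d+))?", timeout)
            if m and int(m.group(1)) == 0 and int(m.group(2) or 0) == 0:
                findings.append((name, "exec-timeout 0 0 disables the idle timeout"))
        if name.startswith("vty") and not any(c.startswith("access-class") for c in cmds):
            findings.append((name, "no access-class restricting Telnet sources"))
    return sorted(findings)


if __name__ == "__main__":
    for where, finding in audit(SAMPLE_CONFIG):
        print(f"{where:10} {finding}")
```

Run against the constructed configuration it reports the aux line without a password, the vty lines with the timeout disabled and no access-class, and the missing enable secret; the hardened console line produces nothing. The same parser can be pointed at a real `show running-config` capture.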


© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-13

Modifying Privilege Levels

• Modifying privilege levels gives you the ability to assign more granular rights to users

Cisco IOS command-based router
privilege configure level 3 username
privilege exec level 3 copy run start
privilege exec level 3 ping
privilege exec level 3 show run
privilege exec level 3 show
enable secret level 3 cisco


© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-14

Banner Messages

Unauthorized access will be prosecuted.

• Create a banner message that indicates how serious security breaches are to you

DSW141(enable)set banner motd 'Unauthorized access will be prosecuted'

RSM143(config)#banner login 'unauthorized access will be prosecuted'


© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-15

Controlling Virtual Terminal Access

Virtual Ports (vty 0 through 4)

RSM143(config)#access-list 1 permit 172.16.41.3
RSM143(config)#line vty 0 4
RSM143(config-line)#access-class 1 in

Figure: the management station at 172.16.41.3 issues Telnet 172.16.41.143 to the router at 172.16.41.143

• To ensure consistency, set identical restrictions on all vty lines


© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-16

Controlling HTTP Access

RSM143(config)#access-list 1 permit 172.16.41.3
RSM143(config)#ip http server
RSM143(config)#ip http access-class 1
RSM143(config)#ip http authentication local
RSM143(config)#username student password cisco

Figure: HTTP Management Station at 172.16.41.3 manages the router at 172.16.41.143

• To ensure consistency, set identical restrictions on all vty lines


© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-17

Access Layer Policy

In this section, we discuss the following topics:

• Definition of an Access Policy

• Managing Network Devices

• Access Layer Policy

– Port Security

• Distribution Layer Policy

• Core Layer Policy


© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-18

Access Layer Policy

Figure: threats at the access layer: Box Tampering, Device Management, Hackers

• The access layer is the entry point for users to the network. Security policy should prevent unauthorized access to the network.


© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-19

Access-Layer Port Security

• Port security is a MAC address lockdown that disables the port if the MAC address is not valid

Figure: a station with MAC address 0010.f6b3.d000; message: Unauthorized MAC Address. Access Denied


© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-20

Enable Port Security

DSW111 (enable) set port security enable 2/4 00.00.0c.12.34

DSW111 (enable) show port 2/4
Port  Security Secure Src-address  Last Src-address  Shutdown Trap IF-index
----- -------- ------------------- ----------------- -------- ---- --------
2/4   enabled  00.00.0c.12.34      00.00.0c.12.34    no       270
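To make the behaviour on the two port-security slides concrete, here is an added example for this transcript (not Cisco code): a small Python model of one secured port. The port is locked to a single secure source MAC (configured, or learned from the first frame when none is given); a frame from any other source MAC is a violation that shuts the port down until an operator re-enables it, and the state fields mirror the Security, Secure Src-address, Last Src-address and Shutdown columns of the slide's show port output. The MAC addresses and the frame sequence are constructed.

```python
"""Model of MAC-address port security: one secure source address per
port, violation shuts the port down, operator re-enables it.

Added example for this transcript; not Cisco code. MAC addresses and
the frame sequence in run_scenario() are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SecurePort:
    """One switch port with port-security state."""
    name: str
    security: bool = False              # 'Security' column
    secure_src: Optional[str] = None    # 'Secure Src-address' column
    last_src: Optional[str] = None      # 'Last Src-address' column
    shutdown: bool = False              # 'Shutdown' column
    violations: List[str] = field(default_factory=list)

    def enable_security(self, mac: Optional[str] = None) -> None:
        """set port security enable <port> [mac]: without a MAC, the first
        source address seen on the port becomes the secure address."""
        self.security = True
        self.secure_src = mac

    def receive(self, src_mac: str) -> str:
        """Process one inbound frame; return 'forward' or 'drop'."""
        if self.shutdown:
            return "drop"                    # port stays disabled
        self.last_src = src_mac
        if not self.security:
            return "forward"
        if self.secure_src is None:
            self.secure_src = src_mac        # learn the first address
            return "forward"
        if src_mac == self.secure_src:
            return "forward"
        # Any other source MAC is a violation: record it and disable the port.
        self.violations.append(src_mac)
        self.shutdown = True
        return "drop"

    def admin_enable(self) -> None:
        """Operator re-enables the port after investigating the violation."""
        self.shutdown = False

    def show(self) -> dict:
        """Mirror the fields of 'show port <mod/port>'."""
        return {"Port": self.name,
                "Security": "enabled" if self.security else "disabled",
                "Secure Src-address": self.secure_src,
                "Last Src-address": self.last_src,
                "Shutdown": "yes" if self.shutdown else "no"}


def run_scenario():
    """Constructed sequence: authorised station, an unknown station,
    the authorised station again (port is down), then after re-enable."""
    port = SecurePort("2/4")
    port.enable_security("00-00-0c-12-34-56")            # constructed MAC
    results = [port.receive("00-00-0c-12-34-56"),
               port.receive("00-10-f6-b3-d0-00"),        # not the secure MAC
               port.receive("00-00-0c-12-34-56")]        # dropped: port is shut down
    port.admin_enable()
    results.append(port.receive("00-00-0c-12-34-56"))
    return results, port


if __name__ == "__main__":
    decisions, p = run_scenario()
    print(decisions, p.show(), p.violations)
```

The third frame is the point worth noticing: once the port has shut down, even the authorised station is cut off until an operator intervenes, which is what makes a violation visible rather than silent.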


© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-21

Controlling Access in the Campus Network

In this section, we discuss the following topics:

• Definition of an Access Policy

• Access Layer Policy

• Distribution Layer Policy

–Controlling routing update traffic

–Route filtering

–Controlling resource information

• Core Layer Policy


© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-22

Distribution-Layer Policy

Figure: What traffic is allowed out of the switch block? What resources/routes are sent to the core?

• A good policy at the distribution layer ensures that other blocks are not burdened with traffic that has not been explicitly permitted


© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-23

Controlling Information with Filters

• Access control lists (ACL) are used to control router traffic

– Routing updates

– User traffic

Figure label: EIGRP


© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-24

IP Standard Access Lists Overview

• Use source address only

• Access list range: 1 to 99

Figure: Source Address 172.16.41.3; Destination Address 172.16.43.17 on network 172.16.43.0

Router(config)#access-list 1 permit 172.16.41.3
Router(config)#access-list 1 deny any
router(config)#interface fastethernet 1/0
router(config-if)#ip access-group 1 out
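The same standard list, access-list 1, appears three times in this chapter: as an access-class on the vty lines, as an ip http access-class, and here as an ip access-group on an interface. As an added example for this transcript (not Cisco code), the Python below parses a standard access list in the slide's syntax and evaluates it the way the slides describe: source address only, entries tested top-down, first match wins, implicit deny at the end. The list text is the slide's; the candidate source addresses other than 172.16.41.3 and 172.16.43.17 are constructed, and the wildcard-mask list numbered 2 is constructed to show the implicit deny.

```python
"""Parse and evaluate IP standard access lists (1-99) with Cisco
wildcard-mask semantics, first-match, and implicit deny.

Added example for this transcript; not Cisco code. ACL_TEXT is the
slide's list; ACL_PERMIT_ONLY and the sample addresses are constructed."""
import ipaddress

ACL_TEXT = """\
access-list 1 permit 172.16.41.3
access-list 1 deny any
"""

# Constructed: a list with no explicit deny, to show the implicit one.
ACL_PERMIT_ONLY = "access-list 2 permit 172.16.41.0 0.0.0.255"


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def parse_standard_acl(text, number):
    """Return [(action, base, wildcard)] for the entries of one list number,
    in configuration order. Accepts 'any', 'host A', 'A W', and a bare 'A'
    (which IOS treats as a host entry, wildcard 0.0.0.0)."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[1] != str(number):
            continue
        action, rest = parts[2], parts[3:]
        if rest[0] == "any":
            base, wildcard = "0.0.0.0", "255.255.255.255"
        elif rest[0] == "host":
            base, wildcard = rest[1], "0.0.0.0"
        else:
            base = rest[0]
            wildcard = rest[1] if len(rest) > 1 else "0.0.0.0"
        entries.append((action, base, wildcard))
    return entries


def evaluate(entries, source):
    """First matching entry decides; no match falls to the implicit deny."""
    for action, base, wildcard in entries:
        if wildcard_match(source, base, wildcard):
            return action
    return "deny"


def check_sources(entries, sources):
    """Decision per source address, e.g. the stations trying to reach the
    vty lines (access-class) or the packets leaving an interface
    (ip access-group)."""
    return {s: evaluate(entries, s) for s in sources}


if __name__ == "__main__":
    acl1 = parse_standard_acl(ACL_TEXT, 1)
    print(check_sources(acl1, ["172.16.41.3", "172.16.41.4", "172.16.43.17"]))
    acl2 = parse_standard_acl(ACL_PERMIT_ONLY, 2)
    print(check_sources(acl2, ["172.16.41.99", "172.16.42.1"]))
```

Two things the output makes visible: list 1 admits exactly one management station and nothing else, and list 2, which has no deny line at all, still rejects 172.16.42.1 because every list ends with an implicit deny. That implicit deny is why a list that only names the permitted sources is the safe shape for an access-class.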


© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-25

IP Extended Access List Overview

access-list 104 permit tcp any 172.16.2.0 0.255.255.255
access-list 104 permit tcp any host 172.16.1.2 eq smtp
access-list 104 permit udp any eq domain any
access-list 104 permit icmp any any echo
access-list 104 permit icmp any any echo-reply
!
interface gigabit0/0
ip access-group 104 out
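Extended lists add protocol, destination address, ports and ICMP types to the source-only check of a standard list. As an added example for this transcript (not Cisco code), the Python below parses the slide's access-list 104 and evaluates constructed packets against it with the same top-down, first-match, implicit-deny rule. Only the keywords the slide uses (any, host, eq, smtp, domain, echo, echo-reply) are handled; the packets and their addresses are constructed. Note that the first entry is evaluated exactly as printed: with wildcard 0.255.255.255 only the first octet of the destination is compared, so any 172.x.x.x destination matches it.

```python
"""Parse and evaluate an IP extended access list (100-199): protocol,
source/destination with wildcard masks, optional 'eq <port>' after either
address, ICMP type, first match wins, implicit deny.

Added example for this transcript; not Cisco code. ACL_104 is the slide's
list; the packets in the usage section are constructed."""
import ipaddress

ACL_104 = """\
access-list 104 permit tcp any 172.16.2.0 0.255.255.255
access-list 104 permit tcp any host 172.16.1.2 eq smtp
access-list 104 permit udp any eq domain any
access-list 104 permit icmp any any echo
access-list 104 permit icmp any any echo-reply
"""

PORT_NAMES = {"smtp": 25, "domain": 53}     # the names the slide uses
ICMP_TYPES = {"echo": 8, "echo-reply": 0}


def wildcard_match(addr, base, wildcard):
    """A 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def _take_address(tokens):
    """Consume one address spec ('any' | 'host A' | 'A W') plus an optional
    'eq <port>' from the front of tokens; return (base, wildcard, port)."""
    tok = tokens.pop(0)
    if tok == "any":
        base, wild = "0.0.0.0", "255.255.255.255"
    elif tok == "host":
        base, wild = tokens.pop(0), "0.0.0.0"
    else:
        base, wild = tok, tokens.pop(0)
    port = None
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        port = int(p) if p.isdigit() else PORT_NAMES[p]   # unknown name: fail loudly
    return base, wild, port


def parse_extended_acl(text, number):
    """Return [(action, proto, src, dst, icmp_type)] in configuration order."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[1] != str(number):
            continue
        action, proto, rest = t[2], t[3], t[4:]
        src = _take_address(rest)
        dst = _take_address(rest)
        icmp_type = ICMP_TYPES[rest.pop(0)] if proto == "icmp" and rest else None
        entries.append((action, proto, src, dst, icmp_type))
    return entries


def evaluate(entries, pkt):
    """pkt: dict with proto, src, dst, and sport/dport or icmp_type."""
    for action, proto, (sb, sw, sp), (db, dw, dp), itype in entries:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], sb, sw) or not wildcard_match(pkt["dst"], db, dw):
            continue
        if sp is not None and pkt.get("sport") != sp:
            continue
        if dp is not None and pkt.get("dport") != dp:
            continue
        if itype is not None and pkt.get("icmp_type") != itype:
            continue
        return action
    return "deny"     # implicit deny at the end of every list


if __name__ == "__main__":
    acl = parse_extended_acl(ACL_104, 104)
    # Constructed packets: a DNS reply (source port 53) is permitted by the
    # third entry; a DNS query (destination port 53) matches nothing.
    reply = {"proto": "udp", "src": "10.1.1.53", "dst": "172.16.2.7", "sport": 53, "dport": 1025}
    query = {"proto": "udp", "src": "172.16.2.7", "dst": "10.1.1.53", "sport": 1025, "dport": 53}
    print(evaluate(acl, reply), evaluate(acl, query))
```

The DNS pair is the instructive case: "udp any eq domain any" constrains the source port, so it admits replies from a name server but not queries towards one, and ICMP types not listed (a type 3 unreachable, for instance) fall through to the implicit deny.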


© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-26

Controlling Routing Update Traffic

How can we prevent routing update traffic from crossing some of these links?


© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-27

Configuring Route Filtering

• Use a standard access list to permit or deny routes

• Access list can be applied to transmitted (outbound) or received (inbound) routing updates

For Inbound Updates
Router(config-router)#distribute-list {access-list-number | name} in [type number]

For Outbound Updates
Router(config-router)#distribute-list {access-list-number | name} out [interface-name | routing-process | autonomous-system-number]


© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-28

IP Route Filtering Configuration Example

• Hides network 172.16.41.0 using interface filtering

router eigrp 1
 network 172.16.0.0
 distribute-list 7 out g0/0
!
access-list 7 permit 172.16.2.0 0.0.0.255

Figure: router B with networks 172.16.42.0 and 172.16.41.0 behind it; the filter is applied on interface G0/0
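As an added example for this transcript (not Cisco code), the Python below shows what a standard list does when it is referenced by distribute-list ... out on one interface: only routes whose network number a permit entry matches are advertised out that interface, everything else meets the implicit deny and is hidden, and interfaces with no distribute-list advertise the full table. The route table is constructed from the figure's networks plus one extra prefix; the access list is constructed to permit 172.16.42.0/24 so that 172.16.41.0 is hidden on G0/0 as the caption describes (the slide prints 172.16.2.0 in its access-list 7 line, which as written would match neither network and hide both).

```python
"""Route filtering with a standard ACL used by 'distribute-list ... out':
the ACL is applied to each route's network number, first match wins,
unmatched routes are suppressed by the implicit deny.

Added example for this transcript; not Cisco code. ROUTES, ACL_7 and the
interface map are constructed."""
import ipaddress

# Constructed: the two networks from the figure plus one more.
ROUTES = ["172.16.42.0/24", "172.16.41.0/24", "172.16.43.0/24"]

# Constructed: permits only 172.16.42.0/24; the implicit deny hides the rest.
ACL_7 = [("permit", "172.16.42.0", "0.0.0.255")]

# Outbound distribute-lists per interface; G0/1 has none.
DISTRIBUTE_LISTS_OUT = {"g0/0": ACL_7}


def wildcard_match(addr, base, wildcard):
    """A 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def route_permitted(prefix, acl):
    """Test the route's network number against the ACL; no match is a deny."""
    network = str(ipaddress.ip_network(prefix, strict=False).network_address)
    for action, base, wildcard in acl:
        if wildcard_match(network, base, wildcard):
            return action == "permit"
    return False


def advertised_routes(routes, interface, distribute_lists_out):
    """Routes the router would include in updates sent out 'interface'."""
    acl = distribute_lists_out.get(interface)
    if acl is None:
        return list(routes)          # no filter on this interface
    return [r for r in routes if route_permitted(r, acl)]


def accepted_routes(received, acl):
    """The same test applied with 'distribute-list ... in' to received
    updates: routes that fail the list never enter the routing table."""
    return [r for r in received if route_permitted(r, acl)]


if __name__ == "__main__":
    for intf in ("g0/0", "g0/1"):
        print(intf, advertised_routes(ROUTES, intf, DISTRIBUTE_LISTS_OUT))
```

Running it shows G0/0 advertising only 172.16.42.0/24 while G0/1 advertises all three; the same route_permitted test is what an inbound distribute-list applies to updates the router receives.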


© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-29

Controlling Access in the Campus Network

In this section, we discuss the following topics:

• Definition of an Access Policy

• Access Layer Policy

• Distribution Layer Policy

• Core Layer Policy


© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-30

Policy at the Core Block

Figure: Switch Blocks for Building A, Building B and Building C; Core Block; Server Block; WAN Block; Mainframe Block; Token Ring


© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-31

Laboratory Exercise: Visual Objective

Figure: Route Filter; Switch Block X; Privilege Level 3: show ip route, show ip protocols, show ip interface


© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-32

Summary

• Control physical devices with passwords, login, and privilege levels

• Network administrators can prevent unauthorized users from accessing the network through Port Security

• Access Control Lists are used for a variety of access control processes including:

–Route Management

–Traffic Management

–Virtual Terminal Management


© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-33

Review Questions

• List and define the different methods of login.

• Define and list the steps to assign security to a virtual terminal port.

• What types of policies exist at the Distribution Layer? At the core?

• What are the different uses of access control lists at the Distribution Layer?