© 1999, Cisco Systems, Inc. 11-1
Chapter 10
Controlling Campus Device Access
Chapter 11
Controlling Access to the Campus Network
© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-2
Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
• Control user access to network devices
• Regulate user access within the switch block
• Limit user access outside of the switch block
© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-3
Controlling Access in the Campus Network
In this chapter, we discuss the following topics:
• Definition of an access policy
• Managing network devices
• Access layer policy
• Distribution layer policy
• Core layer policy
© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-4
Controlling Access in the Campus Network
In this section, we discuss the following topics:
• Definition of an Access Policy
– What is an access policy?
– Policies in the Hierarchical Model
• Managing Network Devices
• Access Layer Policy
• Distribution Layer Policy
• Core Layer Policy
© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-5
What Is an Access Policy?
• An access policy is a corporation’s documented standard of network access
(Diagram labels: Access to Devices; Access to the Network; Prevent Specific Traffic from Crossing the Core; Prevent Routing and Service Updates to the Core or Other SWBs)
© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-6
Applying Policies to the Hierarchical Model
(Diagram: the Switch Block, Server Block and Mainframe Block each carry an Access Layer Policy and a Distribution Layer Policy; the Core Block carries No Policy)
© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-7
Controlling Access in the Campus Network
In this section, we discuss the following topics:
• Definition of an Access Policy
• Managing Network Devices
– Physical Security
– Passwords
– Privilege levels
– Virtual Terminal Access
• Access Layer Policy
• Distribution Layer Policy
• Core Layer Policy
© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-8
Controlling Access to Network Devices
• Physical security
• Passwords
• Privilege levels
• Limiting Telnet access
© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-9
Controlling Physical Access
• Physical access to a device equals total control of that device
© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-10
Assigning Passwords
(Diagram: the points of entry to a device are the Auxiliary port, the Console port and the Virtual Terminal lines)
• Passwords should be assigned to each point of entry to a device
© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-11
Password Configuration
• Passwords should be set on every network device
Cisco IOS Command-Based Switch:
ASW41(config)#enable password level 1 Cisco
(level 1 = User Level; level 15 = Privilege Exec Level)
Set Command-Based Switch:
DSW141 (enable) set password
Enter old password: <cr>
Enter new password: Cisco
Retype new password: Cisco
Password changed.
dsw141 (enable) set enablepass
Enter old password: <cr>
Enter new password: san-fran
Retype new password: san-fran
Password changed.
Cisco IOS Command-Based Router:
RSM143(config)#line console 0
RSM143(config-line)#login
RSM143(config-line)#password cisco
RSM143(config)#enable password san-fran
© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-12
Controlling Session Timeouts
• Session timeouts provide an additional level of security by timing out an unattended console
IOS Command-Based Router:
RSM143(config)#line console 0
RSM143(config-line)#exec-timeout 5 30
RSM143(config)#line vty 0 4
RSM143(config-line)#exec-timeout 5 3
Set Command-Based Switch:
DSW141 (enable) set logout 5
Cisco IOS Command-Based Switch:
ASW41(config)#line console
ASW41(config-line)#time-out 300
© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-13
Modifying Privilege Levels
• Modifying privilege levels gives you the ability to assign more granular rights to users
Cisco IOS command-based router:
privilege configure level 3 username
privilege exec level 3 copy run start
privilege exec level 3 ping
privilege exec level 3 show run
privilege exec level 3 show
enable secret level 3 cisco
© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-14
Banner Messages
• Create a banner message that indicates how serious security breaches are to you
(Diagram: banner text "Unauthorized access will be prosecuted.")
Set Command-Based Switch:
DSW141 (enable) set banner motd 'Unauthorized access will be prosecuted'
IOS Command-Based Router:
RSM143(config)#banner login 'unauthorized access will be prosecuted'
© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-15
Controlling Virtual Terminal Access
RSM143(config)#access-list 1 permit 172.16.41.3
RSM143(config)#line vty 0 4
RSM143(config-line)#access-class 1 in
(Diagram: a station at 172.16.41.3 runs "telnet 172.16.41.143" to reach the router's virtual ports, vty 0 through 4)
• To ensure consistency, set identical restrictions on all vty lines
© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-16
Controlling HTTP Access
RSM143(config)#access-list 1 permit 172.16.41.3
RSM143(config)#ip http server
RSM143(config)#ip http access-class 1
RSM143(config)#ip http authentication local
RSM143(config)#username student password cisco
(Diagram: an HTTP management station at 172.16.41.3 connects to the router at 172.16.41.143)
• To ensure consistency, set identical restrictions on all vty lines
© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-17
Access Layer Policy
In this section, we discuss the following topics:
• Definition of an Access Policy
• Managing Network Devices
• Access Layer Policy
– Port Security
• Distribution Layer Policy
• Core Layer Policy
© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-18
Access Layer Policy
(Diagram labels: Box Tampering; Device Management Hackers)
• The access layer is the entry point for users to the network. Security policy should prevent unauthorized access to the network.
© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-19
Access-Layer Port Security
• Port security is a MAC address lockdown that disables the port if the MAC address is not valid
(Diagram: MAC address 0010.f6b3.d000; message "Unauthorized MAC Address. Access Denied")
© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-20
Enable Port Security
DSW111 (enable) set port security enable 2/4 00.00.0c.12.34
DSW111 (enable) show port 2/4
Port Security Secure Src-address Last Src-address Shutdown Trap IF-index
----- -------- ------------------- ---------------- -------- ---- --------
2/4 enabled 00.00.0c.12.34 00.00.0c.12.34 no 270
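A small simulation, added here and not part of the Cisco course material, of the port-security behaviour the slide shows: a port secured with one MAC address forwards that station's frames and shuts down on the first frame from any other source address, which is what the Shutdown column of "show port" reports. The MAC addresses are constructed, and learning the first address seen when no address is configured is an assumption about the switch behaviour.

```python
# Added example, not from the Cisco course: simulates CatOS-style port security as the
# slide describes it: one secure MAC per port, any other source MAC shuts the port down.
from dataclasses import dataclass
from typing import Optional

@dataclass
class SecurePort:
    port: str                          # e.g. "2/4"
    secure_mac: Optional[str] = None   # given with the command, or learned from the first frame
    last_mac: Optional[str] = None     # "Last Src-address" column of "show port"
    shutdown: bool = False             # "Shutdown" column
    violations: int = 0                # constructed counter, not a CatOS column

def set_port_security(ports, port, mac=None):
    """'set port security enable <mod/port> [mac]'; without a MAC the first one seen is secured."""
    ports[port] = SecurePort(port, mac.lower() if mac else None)

def process_frame(ports, port, src_mac):
    """Return 'forward', 'learned', 'shutdown' or 'dropped' for one ingress frame."""
    p = ports.get(port)
    if p is None:
        return "forward"               # port security not enabled on this port
    if p.shutdown:
        return "dropped"               # stays disabled until an administrator re-enables it
    src_mac = src_mac.lower()
    p.last_mac = src_mac
    if p.secure_mac is None:
        p.secure_mac = src_mac         # learn the first address as the secure address
        return "learned"
    if src_mac == p.secure_mac:
        return "forward"
    p.violations += 1                  # violation: disable the port and raise a trap
    p.shutdown = True
    return "shutdown"

def show_port(ports, port):
    """The 'show port' columns the slide shows: secure address, last address, shutdown."""
    p = ports[port]
    return (p.secure_mac, p.last_mac, "yes" if p.shutdown else "no")

def demo():
    """Constructed MAC addresses; the second station's frame triggers the lockdown."""
    ports = {}
    set_port_security(ports, "2/4", "0000.0c12.3456")
    results = [process_frame(ports, "2/4", m) for m in
               ("0000.0c12.3456", "0010.f6b3.d000", "0000.0c12.3456")]
    return results, show_port(ports, "2/4")
```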
© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-21
Controlling Access in the Campus Network
In this section, we discuss the following topics:
• Definition of an Access Policy
• Access Layer Policy
• Distribution Layer Policy
– Controlling routing update traffic
– Route filtering
– Controlling resource information
• Core Layer Policy
© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-22
Distribution-Layer Policy
(Diagram questions: What traffic is allowed out of the switch block? What resources/routes are sent to the core?)
• A good policy at the distribution layer ensures that other blocks are not burdened with traffic that has not been explicitly permitted
© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-23
Controlling Information with Filters
• Access control lists (ACL) are used to control router traffic
– Routing updates
– User traffic
(Diagram label: EIGRP)
© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-24
IP Standard Access Lists Overview
• Use source address only
• Access list range: 1 to 99
(Diagram: Source Address 172.16.41.3; Destination Address 172.16.43.17 on network 172.16.43.0)
Router(config)#access-list 1 permit 172.16.41.3
Router(config)#access-list 1 deny any
Router(config)#interface fastethernet 1/0
Router(config-if)#ip access-group 1 out
© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-25
IP Extended Access List Overview
access-list 104 permit tcp any 172.16.2.0 0.255.255.255
access-list 104 permit tcp any host 172.16.1.2 eq smtp
access-list 104 permit udp any eq domain any
access-list 104 permit icmp any any echo
access-list 104 permit icmp any any echo-reply
!
interface gigabit0/0
 ip access-group 104 out
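An evaluator for the extended list shown above, added here as an example and not part of the Cisco course: it parses the five entries and decides permit or deny for constructed packets, using the first-match rule and the implicit deny that ends every IOS access list. The port and ICMP keyword tables contain only the names this example needs.

```python
# Added example, not from the Cisco course: evaluate the slide's extended ACL 104
# against constructed packets (first match wins, implicit deny at the end).
import ipaddress

PORTS = {"smtp": 25, "domain": 53, "www": 80, "telnet": 23}   # IOS port keywords
ICMP = {"echo": 8, "echo-reply": 0}                             # IOS ICMP type keywords

def _ip(s): return int(ipaddress.IPv4Address(s))

def _take_addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (address, wildcard) as ints."""
    kw = tok.pop(0)
    if kw == "any": return 0, 0xFFFFFFFF
    if kw == "host": return _ip(tok.pop(0)), 0
    return _ip(kw), _ip(tok.pop(0))

def _take_port(tok):                             # optional 'eq <port|keyword>' qualifier
    if tok and tok[0] == "eq":
        tok.pop(0)
        name = tok.pop(0)
        return PORTS.get(name) or int(name)

def parse_ace(line):
    """Parse 'access-list N permit|deny proto src [eq p] dst [eq p | icmp-type]'."""
    tok = line.split()[2:]                       # drop 'access-list' and the list number
    ace = {"action": tok.pop(0), "proto": tok.pop(0)}
    ace["src"], ace["sport"] = _take_addr(tok), _take_port(tok)
    ace["dst"] = _take_addr(tok)
    ace["dport"] = None if ace["proto"] == "icmp" else _take_port(tok)
    ace["icmp"] = ICMP[tok.pop(0)] if ace["proto"] == "icmp" and tok else None
    return ace

def _match(addr, spec):                          # set wildcard bits are "don't care"
    return (_ip(addr) | spec[1]) == (spec[0] | spec[1])

def evaluate(acl, proto, src, dst, sport=None, dport=None, icmp_type=None):
    """Return 'permit' or 'deny' for one packet; an unset qualifier matches anything."""
    for a in acl:
        if (a["proto"] in (proto, "ip")
                and _match(src, a["src"]) and _match(dst, a["dst"])
                and a["sport"] in (None, sport) and a["dport"] in (None, dport)
                and a["icmp"] in (None, icmp_type)):
            return a["action"]
    return "deny"                                # implicit deny at the end of the list

ACL_104 = [parse_ace(l) for l in (              # the five entries on the slide
    "access-list 104 permit tcp any 172.16.2.0 0.255.255.255",
    "access-list 104 permit tcp any host 172.16.1.2 eq smtp",
    "access-list 104 permit udp any eq domain any",
    "access-list 104 permit icmp any any echo",
    "access-list 104 permit icmp any any echo-reply")]
```

Running the slide's entries through the evaluator shows two things worth checking in any such list: the wildcard 0.255.255.255 on the first entry matches every destination in 172.0.0.0/8, not just 172.16.2.0, and the udp entry permits only packets sourced from port 53, so DNS replies pass while queries bound for port 53 hit the implicit deny.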
© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-26
Controlling Routing Update Traffic
How can we prevent routing update traffic from crossing some of these links?
© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-27
Configuring Route Filtering
• Use a standard access list to permit or deny routes
• Access list can be applied to transmitted (outbound) or received (inbound) routing updates
For Inbound Updates:
Router(config-router)#distribute-list {access-list-number | name} in [type number]
For Outbound Updates:
Router(config-router)#distribute-list {access-list-number | name} out [interface-name | routing-process | autonomous-system-number]
© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-28
IP Route Filtering Configuration Example
• Hides network 172.16.41.0 using interface filtering
router eigrp 1
 network 172.16.0.0
 distribute-list 7 out g0/0
!
access-list 7 permit 172.16.2.0 0.0.0.255
(Diagram: router B with interface G0/0; networks 172.16.42.0 and 172.16.41.0)
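One standard-ACL matcher, added here as an example and not part of the Cisco course, used the two ways the chapter uses a standard list: as the "access-class 1 in" on the vty lines and the HTTP server (checking the management station's source address) and as the "distribute-list 7 out" above (checking the network address of each route before it is advertised). The route table is constructed; the two access lists are the ones on the slides.

```python
# Added example, not from the Cisco course: one standard-ACL matcher used both for
# "access-class 1 in" on the vty lines and for "distribute-list 7 out" on EIGRP updates.
import ipaddress

def _ip(s): return int(ipaddress.IPv4Address(s))

def parse_standard_acl(lines, number):
    """Entries of 'access-list <number> permit|deny any | host A | A [WILDCARD]'."""
    entries = []
    for line in lines:
        tok = line.split()
        if tok[:2] != ["access-list", str(number)]:
            continue                               # line belongs to another list
        action, spec = tok[2], tok[3:]
        if spec[0] == "any":
            base, wild = 0, 0xFFFFFFFF
        elif spec[0] == "host":
            base, wild = _ip(spec[1]), 0
        else:                                      # no wildcard given means a single host
            base, wild = _ip(spec[0]), _ip(spec[1]) if len(spec) > 1 else 0
        entries.append((action, base, wild))
    return entries

def check(acl, address):
    """First matching entry decides; a standard ACL ends with an implicit 'deny any'."""
    a = _ip(address)
    for action, base, wild in acl:
        if (a | wild) == (base | wild):            # set wildcard bits are ignored
            return action
    return "deny"

def vty_login_allowed(acl, client_ip):
    """'access-class <acl> in' on line vty 0 4: the Telnet client's source address is checked."""
    return check(acl, client_ip) == "permit"

def routes_advertised(acl, routes):
    """'distribute-list <acl> out <interface>': only permitted network addresses are sent."""
    return [r for r in routes if check(acl, r.split("/")[0]) == "permit"]

# Lists taken from the slides; the EIGRP route table below is constructed.
ACL_1 = parse_standard_acl(["access-list 1 permit 172.16.41.3"], 1)
ACL_7 = parse_standard_acl(["access-list 7 permit 172.16.2.0 0.0.0.255"], 7)
EIGRP_ROUTES = ["172.16.2.0/24", "172.16.41.0/24", "172.16.42.0/24"]
```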
© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-29
Controlling Access in the Campus Network
In this section, we discuss the following topics:
• Definition of an Access Policy
• Access Layer Policy
• Distribution Layer Policy
• Core Layer Policy
© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-30
Policy at the Core Block
(Diagram: Switch Blocks for Building A, Building B and Building C, a Core Block, a Server Block, a WAN Block and a Mainframe Block with a Token Ring)
© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-31
Laboratory Exercise: Visual Objective
(Diagram: Switch Block X with a Route Filter; devices labelled Privilege Level 3 for show ip route, show ip protocols and show ip interface)
© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-32
Summary
• Control physical devices with passwords, login, and privilege levels
• Network administrators can prevent unauthorized users from accessing the network through Port Security
• Access Control Lists are used for a variety of access control processes including:
– Route Management
– Traffic Management
– Virtual Terminal Management
© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—11-33
Review Questions
• List and define the different methods of login.
• Define and list the steps to assign security to a virtual terminal port.
• What types of policies exist at the Distribution Layer? At the core?
• What are the different uses of access control lists at the Distribution Layer?