The following slides were a presentation that I've made as part of an exercise in my undergraduate course of Network Security. These slides present an overview on network security and how we can apply it on Cisco networking devices.
Student's Network Security Document on TCP/IP Protocols and Cisco Devices
1. Student: Alexandros Britzolakis
Department: Informatics Engineering
Institute: Hellenic Mediterranean University
Location: Heraklion, Greece
Alexandros Britzolakis (2981)CISCO Security
Network security on Cisco routers and switches
2. TCP/IP PROTOCOL SUITE
Communication between computers on a network is done through protocol suites. The most
widely used and most widely available protocol suite is the TCP/IP protocol suite.
A protocol suite consists of a layered architecture where each layer provides some
functionality which is carried out by a protocol.
Each layer usually has more than one protocol option to carry out the responsibility that the
layer adheres to. TCP/IP is normally considered to be a 4-layer system. The 4 layers are the
application layer, transport layer, network layer and network access layer (physical interfaces).
3. TCP/IP PROTOCOL SUITE
All layers of the TCP/IP model:
L4 Application layer
L3 Transport layer
L2 Network layer
L1 Network interface layer
4. Application layer (Layer 4)
This is the top layer of the TCP/IP protocol suite. This layer includes the applications or processes
that use transport layer protocols to deliver data to destination computers.
At each layer there are certain protocol options to carry out the task designated to that
particular layer. So the application layer also has various protocols that applications use to
communicate with the layer below it, the transport layer. Some of the popular application
layer protocols are:
◼ HTTP (Hypertext Transfer Protocol)
◼ FTP (File Transfer Protocol)
◼ SMTP (Simple Mail Transfer Protocol)
◼ SNMP (Simple Network Management Protocol) etc.
5. Transport Layer (Layer 3)
This layer provides the backbone for data flow between two hosts. It receives data from
the application layer above it.
Many protocols work at this layer, but the two most commonly used transport layer
protocols are TCP and UDP.
TCP is used where a reliable connection is required, while UDP is used where an
unreliable connection is acceptable.
6. Transport Layer (Layer 3)
TCP divides the data (coming from the application layer) into properly sized chunks and then
passes these chunks onto the network. It acknowledges received packets, waits for the
acknowledgements of the packets it sent, and sets a timeout to resend packets if
acknowledgements are not received in time.
The term ‘reliable connection’ is used where it is not acceptable to lose any information that is
being transferred over the network through this connection.
So the protocol used for this type of connection must provide a mechanism to achieve
this characteristic. For example, while downloading a file it is not acceptable to lose
any information (bytes), as this may lead to corruption of the downloaded content.
7. Transport Layer (Layer 3)
UDP provides a comparatively simpler but unreliable service by sending packets from one
host to another. UDP does not take any extra measures to ensure that the data sent is
actually received by the target host.
The term ‘unreliable connection’ is used where the loss of some information does not hamper
the task being fulfilled through this connection.
For example, while streaming a video the loss of a few bytes of information for whatever reason
is acceptable, as this does not harm the user experience much.
8. Network Layer (Layer 2)
This layer is also known as the Internet layer. The main purpose of this layer is to organize and
handle the movement of data on the network.
By movement of data we generally mean the routing of data over the network.
The main protocol used at this layer is IP, while ICMP (used by the popular ‘ping’ command)
and IGMP are also used at this layer.
9. Network Interface Layer (Layer 1)
This layer normally consists of the device drivers in the OS and the network interface card
attached to the system.
Both the device drivers and the network interface card take care of the details of
communicating with the media used to transfer data over the network. In most cases
this media is in the form of cables.
Some well-known protocols used at this layer include ARP (Address Resolution
Protocol) and PPP (Point-to-Point Protocol).
10. TCP/IP Protocols
❑ UDP, User Datagram Protocol
❑ ICMP, Internet Control Message Protocol
❑ Telnet, Telecommunication Network
❑ FTP, File Transfer Protocol
❑ SMTP, Simple Mail Transfer Protocol
❑ TFTP, Trivial File Transfer Protocol
Layer         Applications / protocols
Application   Telnet, FTP, SMTP          TFTP
Transport     TCP                        UDP
Network       IP / ICMP
11. TCP/IP CONCEPT EXAMPLE
One thing worth noting is that the interaction between two computers over the
network through the TCP/IP protocol suite takes place in the form of a client-server
architecture.
The client requests a service while the server processes the request for the client.
Now that we have discussed the underlying layers which carry the data from host to
target over a network, let's take a very simple example to make the concept clearer.
Consider the data flow when you open a website.
13. TCP/IP CONCEPT EXAMPLE
❖ As seen in the above figure, the information flows downward through each layer on the host machine.
At the first layer, since the HTTP protocol is being used, an HTTP request is formed and sent to the
transport layer.
❖ Here the TCP protocol adds some more information (like sequence number, source port number,
destination port number etc.) to the data coming from the upper layer so that the communication remains
reliable, i.e. a record of sent and received data can be maintained.
❖ At the next lower layer, IP adds its own information to the data coming from the transport layer. This
information helps the packet travel over the network.
❖ Lastly, the data link layer makes sure that the data transfer to/from the physical media is done
properly. Here again, the communication done at the data link layer can be reliable or unreliable.
14. TCP/IP CONCEPT EXAMPLE
❖ This information travels on the physical media (like Ethernet) and reaches the target machine.
❖ Now, at the target machine (which in our case is the machine on which the website is hosted) the
same series of interactions happens, but in reverse order.
❖ The packet is first received at the data link layer. At this layer the information (that was added by the
data link layer protocol of the host machine) is read and the rest of the data is passed to the upper layer.
❖ Similarly, at the network layer the information set by the network layer protocol of the host machine is
read and the rest of the information is passed on to the next upper layer. The same happens at the transport
layer, and finally the HTTP request sent by the host application (your browser) is received by the
target application (the website server).
15. TCP/IP CONCEPT EXAMPLE
❖ One might wonder what happens when the information particular to each layer is read by the
corresponding protocol at the target machine, or why it is required. Let's understand this with the
example of the TCP protocol at the transport layer. At the host machine this protocol adds information
like a sequence number to each packet sent by this layer.
❖ At the target machine, when a packet reaches this layer, TCP makes a note of the
sequence number of the packet and sends an acknowledgement (which is the received sequence number + 1).
❖ Now, if the host TCP does not receive the acknowledgement within some specified time, it resends
the same packet.
❖ In this way TCP makes sure that no packet gets lost. So we see that the protocol at every layer reads the
information set by its counterpart to achieve the functionality of the layer it represents.
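As an added example (not part of the original slides), the following Python code walks an HTTP request down through TCP and IPv4 headers on the host and back up on the target, with each layer reading the information its counterpart added and the IP header checksum checked on the way. The addresses are PC1 and PC2 from the switch topology later in the slides; the ports and sequence numbers are constructed sample values. The acknowledgement is computed as the next expected byte (sequence number plus payload length), the general rule that the "seq + 1" on the slide abbreviates.

```python
# Added example: encapsulate an HTTP request into TCP and IPv4 on the sending
# host, then decapsulate it layer by layer on the receiving host.
# Addresses, ports and sequence numbers are constructed sample values.
import socket
import struct

IP_HDR = "!BBHHHBBH4s4s"   # version/IHL, TOS, total length, id, flags/frag,
                           # TTL, protocol, checksum, src, dst (20 bytes)
TCP_HDR = "!HHIIBBHHH"     # ports, seq, ack, data offset, flags, window,
                           # checksum, urgent pointer (20 bytes)


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, as used for the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_tcp(src_port: int, dst_port: int, seq: int, ack: int,
              payload: bytes, flags: int = 0x18) -> bytes:
    """Transport layer: prepend a TCP header (flags 0x18 = PSH|ACK).
    The TCP checksum is left at 0 here; a real stack computes it over a
    pseudo-header that also covers the IP addresses."""
    header = struct.pack(TCP_HDR, src_port, dst_port, seq, ack,
                         5 << 4, flags, 65535, 0, 0)
    return header + payload


def build_ipv4(src: str, dst: str, segment: bytes, proto: int = 6) -> bytes:
    """Network layer: prepend an IPv4 header (protocol 6 = TCP) and fill in
    its checksum so the receiver can detect corruption of the header."""
    hdr = struct.pack(IP_HDR, 0x45, 0, 20 + len(segment), 0x1234, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + segment


def encapsulate(http_request: bytes) -> bytes:
    """Host side: application -> transport -> network (PC1 talking to PC2)."""
    segment = build_tcp(40000, 80, seq=1000, ack=5000, payload=http_request)
    return build_ipv4("192.168.1.2", "192.168.1.3", segment)


def decapsulate(packet: bytes) -> dict:
    """Target side: each layer reads the information its counterpart added,
    then hands the remainder up to the next layer."""
    ihl = (packet[0] & 0x0F) * 4
    if checksum(packet[:ihl]) != 0:          # an intact header sums to zero
        raise ValueError("IPv4 header checksum mismatch")
    _, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        IP_HDR, packet[:20])
    if proto != 6:
        raise ValueError("not a TCP segment")
    segment = packet[ihl:total_len]
    sport, dport, seq, _, offset, _, _, _, _ = struct.unpack(
        TCP_HDR, segment[:20])
    payload = segment[(offset >> 4) * 4:]
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "sport": sport, "dport": dport, "seq": seq,
        # the acknowledgement TCP would send back: the next byte it expects
        "ack_to_send": seq + len(payload),
        "http": payload.decode("ascii"),
    }


if __name__ == "__main__":
    pkt = encapsulate(b"GET / HTTP/1.1\r\nHost: 192.168.1.3\r\n\r\n")
    print(decapsulate(pkt))
```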
16. Short introduction to OSI model
❖ Before we discuss the communication devices of which a network consists, we must also
make a short reference to the OSI model. The reason is that the OSI model offers better clarity for the last layer
of the TCP/IP model (the network interface layer), which will help us better understand the function
of each communication device.
❖ The OSI model consists of 7 layers and was the “ancestor” of the TCP/IP model. These layers are the
application layer, the presentation layer, the session layer, the transport layer, the network layer, the
data-link layer and lastly the physical layer.
❖ The OSI model is not in use nowadays because it was replaced by the TCP/IP model, and its main usage is for
educational purposes. We will focus on the last three layers of OSI, which are the network layer, the
data-link layer and the physical layer.
❖ The network layer handles the addressing and routing of the data. The data-link layer sets up links
across the physical network, putting packets into network frames, and the physical layer conveys the bit
stream through the network at the electrical, optical or radio level.
18. What is a switch device
❖ A switch is a communication device that channels incoming data from any of its multiple input ports to
the specific output port that will take the data toward its intended destination.
❖ On an Ethernet local area network (LAN), a switch determines from the physical device (Media
Access Control, or MAC) address in each incoming frame which output port to forward it out of.
❖ In a wide area packet-switched network such as the Internet, a switch determines from the IP
address in each packet which output port to use for the next part of its trip to the intended destination.
19. What is a switch device
❖ Every switch has a MAC address table which stores the MAC addresses of the nodes in the
network.
❖ Let us assume that we have in our possession a Cisco switch model 3548XL and we want to
configure it. If we issue the command show mac-address-table, it will display the above information to us.
20. What is a switch device
❖ In the image below is the Cisco switch model 3548XL.
21. What is a router device
❖ A router is a device that determines the next network point to which a packet should be forwarded
toward its destination. It is connected to at least two networks and decides which way to send each
packet based on its current understanding of the state of the networks it is connected to.
❖ A router is located at any gateway (where one network meets another), including each point-of-presence
on the Internet.
❖ A router may create or maintain a table of the available routes and their conditions and use this
information along with distance and cost algorithms to determine the best route for a given packet.
❖ Typically, a packet may travel through a number of network points with routers before arriving at its
destination. Routing is a function associated with the network layer (layer 3) in the standard model
of network programming, the Open Systems Interconnection (OSI) model. Also, a layer-3 switch is a
switch that can perform routing functions.
22. What is a router device
23. What is a router device
❖ In the image below is the Cisco router 7201.
24. CISCO Corporation
❖ Cisco Systems, Inc. is an American multinational corporation headquartered in San Jose, California,
that designs, manufactures, and sells networking equipment. For more information you can visit
the link given below:
http://www.cisco.com/
❖ Cisco has published the well-known network simulator “Packet Tracer”, which allows users
to gain experience with Cisco IOS commands.
❖ There are several Cisco certifications, like CCNA which focuses on basic routing and switching,
CCNP which focuses on more advanced routing and switching plus security measures, and CCIE which is
the final, expert-level certification. For more information you can visit the wiki link below:
http://en.wikipedia.org/wiki/Cisco_Career_Certifications
25. Packet Tracer
❖ Cisco Packet Tracer is a powerful network simulation program that allows students to
experiment with network behavior and ask “what if” questions.
❖ As an integral part of the Networking Academy comprehensive learning experience,
Packet Tracer provides simulation, visualization, authoring, assessment, and
collaboration capabilities and facilitates the teaching and learning of complex
technology concepts.
❖ Packet Tracer supplements physical equipment in the classroom by allowing students to create a network with an
almost unlimited number of devices, encouraging practice, discovery, and troubleshooting. The simulation-based
learning environment helps students develop 21st century skills such as decision making, creative and critical
thinking, and problem solving.
❖ Packet Tracer complements the Networking Academy curricula, allowing instructors to easily teach and
demonstrate complex technical concepts and networking systems design.
❖ The Packet Tracer software is available free of charge to Networking Academy instructors, students, alumni, and
administrators who are registered NetSpace users.
27. GNS3
❖ GNS3 provides a graphical user interface to design and configure virtual networks. It runs on traditional PC
hardware and may be used on multiple operating systems, including Windows, Linux, and Mac OS X.
❖ GNS3 is a free software alternative to real computer labs for
computer network engineers, administrators and people studying for certifications
such as Cisco CCNA, CCNP and CCIE as well as Juniper JNCIA, JNCIS and
JNCIE. You can download it from the link below:
http://www.gns3.com/
❖ In order to provide complete and accurate simulations, GNS3 actually uses the following emulators to run the very
same operating systems as in real networks:
✓ Dynamips, the well-known Cisco IOS emulator.
✓ VirtualBox, which runs desktop and server operating systems as well as Juniper JunOS.
✓ QEMU, a generic open source machine emulator, which runs Cisco ASA, PIX and IPS.
29. Security on switches
❖ After looking at the available network simulators, let’s now focus on applying security mechanisms to layer 2 (OSI)
devices, for example a switch. Switches are internal to an organization and are designed to allow ease of
connectivity, therefore often only limited or no security measures are applied to them.
❖ The following slides describe the application of the following security best practices using Packet Tracer:
✓ Physically secure the device – restrict physical access to the actual devices
✓ Use secure passwords – choose passwords that are difficult to discover and encrypt them
✓ Enable SSH access – use SSH which includes encryption algorithms rather than telnet for remote access
✓ Enable port security – allow only specific end devices to connect to each port
✓ Disable http access – block access to the device on port 80
✓ Disable unused ports – restrict the unauthorized connection of devices to the network
✓ Disable Telnet – disable the clear text remote access protocol
30. Security on switches
❖ The network topology that we will use to demonstrate the security best practices is the
following:
✓ One layer 2 (OSI) switch
✓ Two end devices (PCs) connected to the switch via Ethernet UTP
straight-through cables.
✓ PC1 has been configured with the IP address 192.168.1.2
✓ PC2 has been configured with the IP address 192.168.1.3
✓ The switch is a layer two device and cannot have one of its ports assigned an IP address.
However, we can create a Switched Virtual Interface (SVI) and assign it the IP address
192.168.1.1.
33. Security on switches
◼ Now we configure the switch through the CLI of Packet Tracer. To do this we double-click on the
switch device and a new window will appear. We go to the CLI tab and start entering the
commands below:
Switch> enable
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface vlan 1
Switch(config-if)# ip address 192.168.1.1 255.255.255.0
Switch(config-if)# no shutdown
%LINK-5-CHANGED: Interface Vlan1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
Switch(config-if)# exit
34. Security on switches
◼ With the commands above we enter the configuration mode of the device, and with the command
interface vlan 1 we create a Switched Virtual Interface (SVI) and assign it the IP address
192.168.1.1 with the subnet mask 255.255.255.0. Notice the no shutdown command: this
particular command changes the state of the interface from down to up.
35. Security on switches
◼ After we set up the virtual interface we go back to configuration mode to set the enable password. This
password allows us to enter Privileged Exec Mode, in which we can make changes to the
switch. Notice that the command we give is enable secret and the password we choose is cisco123.
The secret keyword stores the password as an MD5 hash instead of in clear text.
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# enable secret cisco123
%SYS-5-CONFIG_I: Configured from console by console
Switch(config)# exit
Switch# exit
Switch con0 is now available
Press RETURN to get started.
36. Security on switches
◼ Now we see that we can’t get past user exec mode without entering a password. When we type the
password cisco123, access to the privileged mode is allowed; otherwise we can’t make any
changes to the device.
◼ As we remember, previously we gave the command enable secret to set the password. The
secret keyword stores an encrypted password. With the command show run we can display the running
configuration, which will confirm the encryption of the password. This can be seen on the next slide.
Switch> enable
Password:
Switch# show run
37. Security on switches
◼ As we can see, the output confirms that the password we entered is stored encrypted. Even if someone
gains access to the configuration (from a backup or a printout, for example) they will not be able to
read it and obtain access to our switch.
◼ Even if someone tries to obtain access via brute force, the switch will only allow three tries and
then requires a 10-second timeout before the next try.
Building configuration...
Current configuration : 514 bytes
!
version 12.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch
!
enable secret 5 $1$mERr$5.a6P4JqbNiMX01usIfka/
--More--
38. Security on switches
◼ With the commands below we secure access to the switch via the console port and via remote
access. The line console 0 command and the subsequent two commands configure a password for
access via the console cable.
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# line console 0
Switch(config-line)# password cisco123
Switch(config-line)# login
Switch(config-line)# line vty 0 15
Switch(config-line)# password cisco123
Switch(config-line)# login
Switch(config-line)# transport input ssh
Switch(config-line)# exit
Switch(config)# service password-encryption
Switch(config)# exit
39. Security on switches
◼ The line vty 0 15 command and the subsequent two commands configure a password for use with
remote access to the switch. The transport input ssh command enables the use of SSH rather than
telnet, allowing for encrypted remote access using public-private key encryption. Finally, the service
password-encryption command encrypts the console and remote access passwords using a weak
reversible scheme.
40. Security on switches
◼ With the command show run we can display the running configuration, which will confirm the encryption
of the console and remote access (vty) passwords. This can be seen on the next slide.
Switch# show run
Building configuration...
Current configuration : 611 bytes
!
version 12.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname Switch
!
enable secret 5 $1$mERr$5.a6P4JqbNiMX01usIfka/
.
41. Security on switches
◼ The output below confirms that the console and remote access passwords have been encrypted.
The 7 after the word password in each case indicates that the weak reversible scheme has been used.
However, MD5 encryption could have been used, in which case a 5 would be seen after the keyword
password.
.
line con 0
password 7 0822455D0A16544541
login
!
line vty 0 4
password 7 0822455D0A16544541
login
line vty 5 15
password 7 0822455D0A16544541
login
transport input ssh
42. Security on switches
◼ After completing the above security commands, we must discourage a potential hacker from
proceeding with a proper warning message. Discouraging potential hackers is one of the
fundamental elements of implementing a successful network security strategy. The command
banner motd allows us to display a message to anyone who arrives at the login prompt of the console
or remote access.
Switch# config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# banner motd @
Enter TEXT message. End with the character '@'.
######################Authorized access#######################
@
Switch(config)# exit
Switch# exit
Password:
43. Security on switches
◼ Arriving at the login screen, we see below the “scary” message that is displayed ☺
####################Authorized access########################
User Access Verification
Password:
Switch> enable
Password:
44. Security on switches
◼ The following set of commands applies port security to specific ports of the switch. This allows
the switch to provide network resources only to the device with the preconfigured MAC address. We
confirm that the port is in access mode (not a trunk) with the switchport mode access command and
enable port security with the switchport port-security command.
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface fastEthernet 0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security violation shutdown
45. Security on switches
◼ The next command (switchport port-security maximum 1) allows only one MAC address on the port, while the
following command (switchport port-security mac-address sticky) records the current MAC address and makes
it “stick” even if the device is removed. Finally, the last command (switchport port-security violation
shutdown) configures what the port will do if a device with another MAC address is connected to the
port. In this case, the port will shut down.
46. Security on switches
◼ The same commands are issued for interface fastEthernet 1/1. Finally, we exit to Privileged Exec
Mode and issue the command write to save the configuration.
Switch(config)# interface fastEthernet 1/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# exit
Switch(config)# exit
Switch# write
Building configuration...
[OK]
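As an added example (not part of the original slides and not Cisco's implementation), the following Python model reproduces the behaviour the port-security commands above configure: the first MAC address seen is learned and stuck, an unplug/replug keeps it, a second device err-disables the port, and from then on even the legitimate PC is cut off until an operator re-enables the port. The MAC addresses and the frame sequence are constructed for the demo.

```python
# Added example: a small model of switchport port-security with maximum 1,
# sticky MAC learning and violation shutdown.  MAC addresses and frames are
# constructed; this is an illustration, not Cisco's implementation.
from dataclasses import dataclass, field


def cisco_mac(mac: str) -> str:
    """'00:11:22:33:44:55' -> '0011.2233.4455', the form IOS prints."""
    hexdigits = mac.replace(":", "").replace("-", "").lower()
    return ".".join(hexdigits[i:i + 4] for i in (0, 4, 8))


@dataclass
class SecurePort:
    name: str
    maximum: int = 1              # switchport port-security maximum 1
    sticky: bool = True           # switchport port-security mac-address sticky
    violation: str = "shutdown"   # shutdown | restrict | protect
    secure_macs: list = field(default_factory=list)
    err_disabled: bool = False
    violations: int = 0

    def receive(self, src_mac: str) -> str:
        """Decide what happens to a frame arriving from src_mac."""
        mac = cisco_mac(src_mac)
        if self.err_disabled:
            return "dropped: port is err-disabled"
        if mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            # The first device seen is learned; with sticky it is written into
            # the running-config, so it survives link flaps and a 'write'.
            self.secure_macs.append(mac)
            return "forwarded (learned %s)" % mac
        self.violations += 1
        if self.violation == "shutdown":
            self.err_disabled = True      # every device is now cut off
            return "violation: port shut down (err-disabled)"
        if self.violation == "restrict":
            return "violation: frame dropped, violation counter incremented"
        return "violation: frame dropped silently"        # protect

    def link_down(self) -> None:
        """Cable unplugged: sticky addresses stay, dynamic ones are forgotten."""
        if not self.sticky:
            self.secure_macs.clear()

    def admin_reenable(self) -> None:
        """Operator runs 'shutdown' / 'no shutdown' to clear the err-disable."""
        self.err_disabled = False

    def running_config(self) -> list:
        """The interface section as it would appear in the configuration
        (defaults are printed here for clarity)."""
        lines = ["interface " + self.name,
                 " switchport mode access",
                 " switchport port-security",
                 " switchport port-security maximum %d" % self.maximum,
                 " switchport port-security violation " + self.violation]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
            lines += [" switchport port-security mac-address sticky " + m
                      for m in self.secure_macs]
        return lines


def demo():
    """PC1 plugs in, is unplugged and replugged, then a stranger plugs in."""
    port = SecurePort("FastEthernet0/1")
    log = [port.receive("00:11:22:33:44:55")]        # PC1: learned and stuck
    port.link_down()
    log.append(port.receive("00:11:22:33:44:55"))    # still allowed
    log.append(port.receive("de:ad:be:ef:00:01"))    # unknown device -> shutdown
    log.append(port.receive("00:11:22:33:44:55"))    # PC1 is cut off as well
    port.admin_reenable()
    log.append(port.receive("00:11:22:33:44:55"))    # back after intervention
    return port, log


if __name__ == "__main__":
    port, log = demo()
    print("\n".join(log))
    print("\n".join(port.running_config()))
```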
47. Security on Routers
◼ In the following example we will use GNS3, which is better at simulating routers. With
GNS3 we can load real Cisco IOS images and take advantage of all of their features. One drawback
of GNS3 is that it is as yet unable to simulate switches. This is why Packet Tracer was used
in the first example.
48. Security on Routers
◼ With the following commands we configure a crypto policy which allows us to create a pre-shared
key authentication scheme. The final command sets the key as cisco123, stored in plain text. We
can confirm this with the output of the show run command on the next slide.
R1> enable
R1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# crypto isakmp policy 10
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# crypto isakmp key cisco123 address 10.1.1.1
49. Security on Routers
◼ As we can see, the password is in clear text.
R1# show running-config
Building configuration...
.
.
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco123 address 10.1.1.1
50. Security on Routers
◼ With the following commands we create a master key with which all pre-shared keys will be
encrypted using the Advanced Encryption Standard (AES).
R1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# key config-key password-encrypt testkey123
R1(config)# password encryption aes
R1(config)# exit
51. Security on Routers
◼ By issuing the show running-config command we can see that the password encryption mode is set
to aes and that the pre-shared key is now encrypted (note the 6 before the key, which marks the
encrypted form).
R1# show running-config
Building configuration...
.
.
password encryption aes
.
.
crypto isakmp policy 10
authentication pre-share
crypto isakmp key 6 FLgBaJHXdYY_AcHZZMgQ_RhTDJXHUBAAB address 10.1.1.1
.
.
end
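As an added example (not part of the original slides or of any Cisco tool), the following Python script audits a saved running-config against the checklist worked through in the switch slides (secret instead of clear-text passwords, type 7 flagged as weak, vty lines restricted to SSH, HTTP management off, port security on active access ports) and the router slides' requirement that ISAKMP pre-shared keys be stored in the type 6 (AES) form. The configuration text it parses is constructed for the demo and reuses sample values shown on the slides.

```python
# Added example: audit an IOS running-config against the checklist the slides
# work through.  The config text is constructed for the demo and reuses
# sample values from the slides; this is not a Cisco tool.
import re

SAMPLE_CONFIG = """\
version 12.1
no service password-encryption
hostname Switch
enable secret 5 $1$mERr$5.a6P4JqbNiMX01usIfka/
ip http server
crypto isakmp key cisco123 address 10.1.1.1
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
interface FastEthernet0/1
 switchport mode access
 switchport port-security
interface FastEthernet0/2
 switchport mode access
interface FastEthernet0/3
 shutdown
line con 0
 password 7 0822455D0A16544541
 login
line vty 0 4
 password cisco123
 login
 transport input telnet ssh
"""


def parse_blocks(text: str) -> list:
    """Split an IOS config into (header, [child commands]) pairs: a global
    command is a header with no children; an interface or line section
    carries its indented commands as children."""
    blocks, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                          # separators / comments
        if raw.startswith(" "):
            if current is not None:
                current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            blocks.append(current)
    return blocks


def audit(text: str) -> list:
    """Return one finding per weak setting; an empty list means all checks passed."""
    blocks = parse_blocks(text)
    headers = {h for h, _ in blocks}
    findings = []
    if "service password-encryption" not in headers:
        findings.append("service password-encryption is off: line passwords are stored in clear text")
    if not any(h.startswith("enable secret 5 ") for h in headers):
        findings.append("enable secret (MD5, type 5) is not configured")
    if "ip http server" in headers:
        findings.append("HTTP management is enabled (ip http server)")
    for h in headers:
        m = re.match(r"crypto isakmp key (\S+) ", h)
        if m and m.group(1) != "6":           # 6 = AES-encrypted with the master key
            findings.append("ISAKMP pre-shared key is clear text: configure password encryption aes")
    for header, body in blocks:
        if header.startswith("line "):
            for cmd in body:
                if cmd.startswith("password 7 "):
                    findings.append(header + ": type 7 password (weak reversible scheme)")
                elif cmd.startswith("password "):
                    findings.append(header + ": clear-text password")
            if header.startswith("line vty"):
                transport = [c for c in body if c.startswith("transport input")]
                # no transport line means the IOS default, which still allows telnet
                if not transport or transport[-1] != "transport input ssh":
                    findings.append(header + ": remote access is not restricted to SSH")
        elif header.startswith("interface "):
            routed = any(c.startswith("ip address") for c in body)   # SVI / routed port
            if "shutdown" not in body and not routed and "switchport port-security" not in body:
                findings.append(header + ": active access port without port security")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FAIL", finding)
```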