Securing Your Switch

The last half of this chapter discusses how to secure your switch as well as the additional security features that the switch supports to secure your network. This section is by no means an all-inclusive discussion of all the Catalyst switches' security features, but it does describe some of the major ones.

What to Secure

With a basic security setup, you'll want to secure access to the EXEC modes on the Catalyst switch. Listing 10.4 shows the basic commands to do so.

Listing 10.4 Basic Security Setup

 Switch(config)# line console 0
 Switch(config-line)# login
 Switch(config-line)# password password
 Switch(config-line)# exit
 Switch(config)# line vty 0 4
 Switch(config-line)# login
 Switch(config-line)# password password
 Switch(config-line)# access-class standard_ACL_# in
 Switch(config-line)# exit
 Switch(config)# access-list 1-99 permit source_address [wildcard_mask]
 Switch(config)# enable secret Privilege_EXEC_password

By default, the switch has no preconfigured passwords. To assign a password to console access, go into the console line (line console 0) and use the password command. To restrict Telnet access, access your VTYs (line vty 0 4), enable password authentication with the login command, and assign a password with the password command. Optionally, create a standard ACL (access-list) that defines management stations and activate it on your VTYs with the access-class command. To restrict Privilege EXEC access, assign a password with the enable secret command. You should already be familiar with these commands from preparing for your CCNA exam.

Remember how to configure these commands on a switch, including how to restrict Telnet access.


Table 10.1 lists some other things you should do to secure your switch.

Table 10.1. Securing Your Switch (Security Component: Explanation)

Login Warnings: When someone tries to access the switch, he should be greeted by a login banner explaining ownership, usage policies, and punishment for violators.

Unnecessary Services: Disable all unnecessary services, such as unused TCP and UDP services (no service tcp-small-servers, no service udp-small-servers, no finger). If you aren't using the integrated HTTP server for management functions, disable it.

SNMP: Don't use SNMPv1 or v2 because passwords are sent in clear text; use SNMPv3 instead.

SSH: Telnet access sends usernames and passwords in clear text. Use SSH, which encrypts information between the administrator and the switch.

Cisco Discovery Protocol (CDP): CDP is used to help troubleshoot Layer 2 problems. Disable it completely or at least on interfaces connected to non-Cisco devices.

Logging: When problems occur, you can record them with the switch's logging feature, which also enables you to log information to a remote server using syslog. This is an extremely useful troubleshooting tool.

Trunking: Trunking is set to auto-detection by default, which can create security issues by allowing a third-party device to set up trunk connections to your switch. Disable trunking on all nontrunk ports (hard-code them as access link connections).

STP: Configure STP to tune it to your network: set the priorities on the root and backup root. Also use the BPDU Guard feature. Use the PortFast feature on all nonswitch ports. Doing so prevents third-party switches from creating malicious BPDU broadcast storms.
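The following script is an added example, not code from the book: it audits an IOS-style running-config for the global settings in Table 10.1 (banner, small servers, finger, HTTP server, CDP, SNMP community strings, Telnet on the VTYs, syslog). The sample config and the check patterns are constructed for this example; defaults that are silent in the config (CDP is on unless "no cdp run" appears) are handled as "require" checks.

```python
import re

# Constructed sample running-config (not from the book) with several weak settings.
SAMPLE_CONFIG = """\
hostname Switch
service tcp-small-servers
ip http server
snmp-server community public RO
logging host 192.168.1.10
banner login ^C Authorized access only ^C
line vty 0 4
 login
 password cisco
 transport input telnet ssh
"""

# (finding, kind, regex, remediation). "forbid": the line must be absent;
# "require": the line must be present. CDP is on by default and only shows
# up in the config when disabled, so it is a "require" check on "no cdp run".
CHECKS = [
    ("no login banner", "require", r"^banner (login|motd)", "banner login <text>"),
    ("TCP small servers enabled", "forbid", r"^service tcp-small-servers", "no service tcp-small-servers"),
    ("UDP small servers enabled", "forbid", r"^service udp-small-servers", "no service udp-small-servers"),
    ("finger enabled", "forbid", r"^(ip )?finger", "no finger"),
    ("HTTP server enabled", "forbid", r"^ip http server", "no ip http server"),
    ("CDP not disabled globally", "require", r"^no cdp run", "no cdp run (or no cdp enable per interface)"),
    ("SNMPv1/v2c community configured", "forbid", r"^snmp-server community", "remove; configure SNMPv3 users and groups"),
    ("Telnet allowed on VTY lines", "forbid", r"^\s*transport input\b.*\b(telnet|all)\b", "transport input ssh"),
    ("no syslog server", "require", r"^logging (host )?\d", "logging host <server>"),
]

def audit(config: str):
    """Return [(finding, remediation)] for every check the config fails."""
    findings = []
    for finding, kind, pattern, fix in CHECKS:
        present = re.search(pattern, config, re.MULTILINE) is not None
        if (kind == "forbid" and present) or (kind == "require" and not present):
            findings.append((finding, fix))
    return findings

def finding_names(config: str):
    """Just the finding names, in CHECKS order."""
    return [name for name, _ in audit(config)]

if __name__ == "__main__":
    for finding, fix in audit(SAMPLE_CONFIG):
        print(f"{finding}: {fix}")
```

Feed it the output of show running-config; each printed line pairs a failed Table 10.1 item with the command that corrects it.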

Authentication, Authorization, and Accounting

One of the problems with authentication in the previous section is that no matter who accesses your switch, that person uses the same password based on the type of EXEC access she is attempting. For example, all administrators accessing Privilege EXEC mode must use the same password. First, this creates accountability problems: You never know who made what changes on the switch because you don't know specifically who logged in to the switch. Second, you can't limit what an administrator does on the switch. Privilege EXEC access is an all-or-nothing proposition. Third, it's difficult to manage your passwords. If you need to change the Privilege EXEC password for administrator access, you probably need to do it on all of your switches, which is cumbersome.

Overview of AAA

AAA centralizes authentication, authorization, and accounting functions and solves the three problems just discussed. AAA breaks up security into three components:

  • Authentication: Provides a means for identifying an individual and validating that person's access to a device

  • Authorization: Verifies what specific tasks a user can perform on a device

  • Accounting: Keeps a record of what users did on a device

Enable AAA

Before I begin a discussion of how to implement AAA, I must mention that the configuration information is a brief overview of setting up AAA. For a more thorough discussion, review Cisco's SECUR materials (formerly MCNS). The configuration of AAA on an IOS-based switch is actually the same as configuring it on an IOS-based router. Please see the "Need to Know More?" section at the end of this book for more information regarding AAA.

The very first thing you need to do is to activate AAA on your switch:

 Switch(config)# aaa new-model 

Use the aaa new-model command to enable AAA.


There are two basic ways that you can use AAA on your switch: have the switch itself act as a security server or use an external security server, such as Cisco Secure ACS. To configure the switch to hold usernames and passwords, use the username command:

 Switch(config)# username user's_name password password 

The username command creates a user's name and password that will be used to authenticate access to the switch.

One major disadvantage of using the switch as a server is that, unfortunately, it can only perform AAA functions for itself; it can't act as a server for other devices. To use an external AAA server, you'll have to specify a security protocol to use, the AAA server itself, and a key used to authenticate access to the server. There are two security protocols: TACACS+ (Cisco-proprietary) and RADIUS (open standard). The following commands accomplish this:

 Switch(config)# aaa new-model
 Switch(config)# tacacs-server host AAA_server's_IP_address key string
 Switch(config)# radius-server host AAA_server's_IP_address key string

The aaa new-model command enables AAA. The tacacs-server command specifies access to a TACACS+ server, and the radius-server command specifies access to a RADIUS server.

Here's a simple example of using 192.168.1.5 as a security server:

 Switch(config)# aaa new-model
 Switch(config)# tacacs-server host 192.168.1.5 key ThisPasswordIsSecret

Authentication Configuration

When you've enabled AAA and either defined a local username database or an external security server, you're ready to configure login authentication and how it should be performed. This is accomplished with the aaa authentication login command:

 Switch(config)# aaa authentication login default|list_name method1 method2... 

There are actually many things AAA can authenticate, but this book focuses only on login authentication using the aaa authentication login command. If you specify the default parameter, this command is used for all login authentication processes on the switch. You can override this by specifying a list name and then, for a specific type of access, referencing the list for authentication, like this:

 Switch(config)# aaa authentication login telnet tacacs+
 Switch(config)# line vty 0 4
 Switch(config-line)# login authentication telnet

In this example, I'm overriding the default authentication process for VTY access and specifying the aaa authentication login command with the list name of telnet.

The last thing you specify with the aaa authentication login command is how login authentication can be checked. There are actually many ways you can check authentication, but I'm only going to cover three of them: local, group tacacs+, and group radius. If you specify local for a method, the username commands are used to verify authentication. If you use group tacacs+ or group radius, the appropriate external AAA server is used.

Please note that you can list more than one method. If more than one method is listed, the switch processes them in the order that you specified them. The switch tries the first method, and if it cannot access or find the information, it tries the second method. For example, you might list group tacacs+ and then local to specify that if the TACACS+ server isn't reachable, username commands on the switch should be used as a backup. Listing 10.5 shows a simple example.

Listing 10.5 AAA Authentication Example

 Switch(config)# username administrator password cisco
 Switch(config)# aaa authentication login telnet group tacacs+
 Switch(config)# aaa authentication login default group tacacs+ local
 Switch(config)# line vty 0 4
 Switch(config-line)# login authentication telnet

In this example, the VTYs use TACACS+ to perform authentication. Any other form of access (such as the console) uses the default method: try the TACACS+ server first, and if that fails, use the local username database.
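The simulation below is an added example, not the book's code: it models how IOS walks the two method lists from Listing 10.5. A method that returns ERROR (the TACACS+ server is unreachable) hands off to the next method, a method that returns FAIL (the credentials were rejected) ends the attempt, and if every method errors the login is denied. The server's user database is constructed; the local entry is the username command from the listing.

```python
class TacacsServer:
    """Constructed stand-in for the TACACS+ server (group tacacs+)."""
    def __init__(self, reachable, users):
        self.reachable, self.users = reachable, users

    def check(self, user, pw):
        if not self.reachable:
            return "ERROR"                      # timeout: switch tries the next method
        return "PASS" if self.users.get(user) == pw else "FAIL"


class LocalDatabase:
    """Entries created with the username command (the local method)."""
    def __init__(self, users):
        self.users = users

    def check(self, user, pw):
        return "PASS" if self.users.get(user) == pw else "FAIL"


def walk_method_list(methods, user, pw):
    """Return (verdict, deciding_method); verdict is PASS or FAIL."""
    for name, method in methods:
        result = method.check(user, pw)
        if result != "ERROR":                   # PASS or FAIL is final; only ERROR falls through
            return result, name
    return "FAIL", None                         # every method errored: access denied


def authenticate(line, user, pw, tacacs_up=True):
    tacacs = TacacsServer(tacacs_up, {"alice": "Tac4cs!"})   # constructed server database
    local = LocalDatabase({"administrator": "cisco"})        # username administrator password cisco
    method_lists = {                                         # the two lists in Listing 10.5
        "telnet": [("group tacacs+", tacacs)],
        "default": [("group tacacs+", tacacs), ("local", local)],
    }
    line_to_list = {"vty": "telnet", "console": "default"}   # login authentication telnet on the VTYs
    return walk_method_list(method_lists[line_to_list[line]], user, pw)


if __name__ == "__main__":
    print(authenticate("vty", "alice", "Tac4cs!"))                             # ('PASS', 'group tacacs+')
    print(authenticate("vty", "alice", "Tac4cs!", tacacs_up=False))            # ('FAIL', None): telnet list has no backup
    print(authenticate("console", "administrator", "cisco", tacacs_up=False))  # ('PASS', 'local')
    print(authenticate("console", "administrator", "cisco"))                   # ('FAIL', 'group tacacs+'): a reject is final
```

The second and fourth calls show the two things the listing does not spell out: the telnet list locks out VTY access whenever the server is down, and the local backup on the default list is only consulted when the server is unreachable, never when it rejects the user.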

Authorization

Authorization is used to restrict what tasks a user can perform after he is authenticated. The aaa authorization command is used. You can again enable authorization for many functions of the switch and router. However, I'm going to discuss only three of them. Here's the command you should use to enable authorization:

 Switch(config)# aaa authorization exec|commands command_level|configuration default|list_name method1 method2...

Specifying the exec parameter has the switch verify whether the user is authorized to access an EXEC level, such as Privilege EXEC. The commands parameter enables you to specify which levels of commands users are allowed to execute. These numbers can range from 0 to 15, where 1 is User EXEC and 15 is Privilege EXEC. You can assign commands to different levels than their defaults with the privilege command, but doing so is beyond the scope of this book. The configuration parameter authorizes access to Configuration mode. The remainder of the command is the same as the aaa authentication login command.

Here's a simple authorization example:

 Switch(config)# aaa authorization configuration default group tacacs+ 

In this example, anyone attempting to configure the switch must first be authorized via the configured TACACS+ server.

Accounting

AAA's accounting is used to keep track of what a user has done. Unlike authentication and authorization, to keep track of AAA events, you must have an external AAA security server. You can't record AAA events local to the switch itself. Use the aaa accounting command to set up accounting:

 Switch(config)# aaa accounting event_type record_method default group tacacs+|group radius

Table 10.2 lists the types of events that you can capture accounting information for. Please note that there are more events in addition to those listed, but Table 10.2 covers the most common ones.

Table 10.2. AAA Accounting Events (Event Name: Description)

commands command_level: Record accounting information whenever someone executes a command at the specified level

connection: Record an accounting event when someone tries to telnet from the switch to another device

exec: Record an accounting event when someone gains a specific EXEC level access

system: Record an accounting event for system events, such as a reboot or an interface change

There are three ways the event can be recorded, as shown in Table 10.3. After specifying the recording method, you need to specify the type of AAA server: RADIUS or TACACS+.

Table 10.3. Accounting Recording Methods (Method: Action)

stop-only: Create a record upon finishing the event.

start-stop: Create a record at the beginning and ending of the event.

wait-start: If the AAA server is not reachable, don't allow the user to perform the action; otherwise, act like start-stop.

Here's a simple example of setting up accounting that records a single record to a TACACS+ server whenever a system event takes place:

 Switch(config)# aaa accounting system stop-only default group tacacs+ 

Please note that the AAA information in this book provides a crash course on implementing AAA on an IOS-based switch. There are many more features and functions to AAA in addition to those discussed here.


BCMSN Exam Cram 2 (Exam Cram 642-811)
ISBN: 0789729911
Year: 2003
Pages: 171
Authors: Richard Deal