© 1999, Cisco Systems, Inc. BCMSN Chapter 11: Controlling Access to the Campus Network (slide header also reads "Chapter 10 Controlling Campus Device Access")


Slide 11-2. Objectives
Upon completion of this chapter, you will be able to:
- Control user access to network devices
- Regulate user access within the switch block
- Limit user access outside of the switch block

Slide 11-3. Controlling Access in the Campus Network
Topics covered in this chapter:
- Definition of an access policy
- Managing network devices
- Access layer policy
- Distribution layer policy
- Core layer policy

Slide 11-4. Controlling Access in the Campus Network
Topics covered in this section:
- Definition of an access policy
  – What is an access policy?
  – Policies in the hierarchical model
- Managing network devices
- Access layer policy
- Distribution layer policy
- Core layer policy

Slide 11-5. What Is an Access Policy?
An access policy is a corporation's documented standard of network access. It covers:
- Access to devices
- Access to the network
- Preventing specific traffic from crossing the core
- Preventing routing and service updates from reaching the core or other switch blocks (SWBs)

Slide 11-6. Applying Policies to the Hierarchical Model
(Diagram.) Within the switch block, the access layer carries the access layer policy and the distribution layer carries the distribution layer policy. The core block carries no policy; the server block and mainframe block attach to the core.

Slide 11-7. Controlling Access in the Campus Network
Topics covered in this section:
- Definition of an access policy
- Managing network devices
  – Physical security
  – Passwords
  – Privilege levels
  – Virtual terminal access
- Access layer policy
- Distribution layer policy
- Core layer policy

Slide 11-8. Controlling Access to Network Devices
- Physical security
- Passwords
- Privilege levels
- Limiting Telnet access

Slide 11-9. Controlling Physical Access
Physical access to a device equals total control of that device: anyone who can reach the console port can power-cycle the device and use the password-recovery procedure to reset every password on it, so no password or privilege-level control below is meaningful unless the wiring closet itself is locked.

Slide 11-10. Assigning Passwords
Passwords should be assigned to each point of entry to a device: the console port, the auxiliary port, and the virtual terminal (vty) lines.

Slide 11-11. Password Configuration
Passwords should be set on every network device. The values shown (cisco, Cisco, san-fran) are placeholders; use strong, unique values in production.

Cisco IOS command-based switch (level 1 = user EXEC, level 15 = privileged EXEC):
ASW41(config)#enable password level 1 Cisco

Set command-based (CatOS) switch:
DSW141 (enable) set password
Enter old password:
Enter new password: Cisco
Retype new password: Cisco
Password changed.
DSW141 (enable) set enablepass
Enter old password:
Enter new password: san-fran
Retype new password: san-fran
Password changed.

Cisco IOS command-based router:
RSM143(config)#line console 0
RSM143(config-line)#login
RSM143(config-line)#password cisco
RSM143(config)#enable password san-fran

Note that enable password is stored in clear text (or, with service password-encryption, in the reversible type 7 encoding). enable secret stores a one-way hash and takes precedence over enable password when both are configured, so use it wherever the platform supports it.

Slide 11-12. Controlling Session Timeouts
Session timeouts provide an additional level of security by closing an unattended console or vty session. The IOS exec-timeout arguments are minutes then seconds; exec-timeout 0 0 disables the timeout entirely and should not be used on any line an attacker might reach.

IOS command-based router:
RSM143(config)#line console 0
RSM143(config-line)#exec-timeout 5 30
RSM143(config)#line vty 0 4
RSM143(config-line)#exec-timeout 5 3

Set command-based switch (idle logout in minutes):
DSW141 (enable) set logout 5

Cisco IOS command-based switch:
ASW41(config)#line console
ASW41(config-line)#time-out 300

Slide 11-13. Modifying Privilege Levels
Modifying privilege levels gives you the ability to assign more granular rights to users. Cisco IOS command-based router:
privilege configure level 3 username
privilege exec level 3 copy run start
privilege exec level 3 ping
privilege exec level 3 show run
privilege exec level 3 show
enable secret level 3 cisco

Check what a level really grants before handing it out: a level-3 user who can reach configuration mode and run username can create an account with privilege 15, so granting that command at level 3 amounts to granting full administrative access.

Slide 11-14. Banner Messages
Create a banner message that indicates how seriously you treat security breaches, for example "Unauthorized access will be prosecuted."
DSW141 (enable) set banner motd 'Unauthorized access will be prosecuted'
RSM143(config)#banner login 'Unauthorized access will be prosecuted'

Slide 11-15. Controlling Virtual Terminal Access
Telnet sessions arrive on the virtual ports (vty 0 through 4). A standard access list applied with access-class limits which source addresses may open a session:
RSM143(config)#access-list 1 permit
RSM143(config)#line vty 0 4
RSM143(config-line)#access-class 1 in
The access list ends with an implicit deny, so every source not explicitly permitted is refused; apply it from a permitted host or from the console, or you will lock yourself out of the device. To ensure consistency, set identical restrictions on all vty lines, including any beyond vty 4 that the platform provides.

Slide 11-16. Controlling HTTP Access
The same standard access list restricts the embedded HTTP server to the management station, and ip http authentication local validates the web login against the local username database:
RSM143(config)#access-list 1 permit
RSM143(config)#ip http server
RSM143(config)#ip http access-class 1
RSM143(config)#ip http authentication local
RSM143(config)#username student password cisco
HTTP carries the credentials in clear text, so restrict the server to trusted management addresses, or disable it with no ip http server when it is not needed. Prefer username ... secret over username ... password so that the local credential is stored as a hash rather than in a reversible form.
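The controls on slides 11-11 through 11-16 are easy to state and easy to miss on one device out of fifty, so here is a small configuration audit that checks for them, as an added example written in Python for this page; it is not part of the BCMSN deck and not a Cisco tool. Both configurations it examines are constructed for illustration: the hostname, the credentials and the 10.1.1.0/24 management subnet are assumptions, and the parser keeps only the global commands and the line sections the checks need.

```python
"""Audit an IOS running-config for the device-access weaknesses this chapter
covers.  Added example, not code from the BCMSN deck or from Cisco."""
import re

# Constructed "before" configuration that mirrors the slide examples.
# Hostname, credentials and addresses are assumptions made for this example.
WEAK_CONFIG = """\
hostname RSM143
enable password san-fran
username student password cisco
ip http server
!
line console 0
 login
 password cisco
line vty 0 4
 login
 password cisco
 exec-timeout 0 0
!
end
"""

# Constructed "after" configuration applying the chapter's controls.
HARDENED_CONFIG = """\
hostname RSM143
service password-encryption
enable secret san-fran
username admin secret cisco
banner login ^CUnauthorized access will be prosecuted^C
access-list 1 permit 10.1.1.0 0.0.0.255
ip http server
ip http access-class 1
ip http authentication local
!
line console 0
 login local
 exec-timeout 5 30
line vty 0 4
 login local
 exec-timeout 5 30
 access-class 1 in
!
end
"""


def parse_config(text):
    """Split a config into top-level commands and the sub-commands of each
    'line ...' section (indented lines belong to the header above them).
    Other sections (interfaces, router processes) are not needed here."""
    top, lines, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                lines[current].append(raw.strip())
            continue
        cmd = raw.strip()
        top.append(cmd)
        current = cmd if cmd.startswith("line ") else None
        if current is not None:
            lines[current] = []
    return top, lines


def audit(text):
    """Return (severity, message) findings; an empty list means every check
    taken from the chapter is satisfied."""
    top, lines = parse_config(text)

    def has(prefix):
        return any(c == prefix or c.startswith(prefix + " ") for c in top)

    findings = []
    # Passwords: 'enable password' is reversible, 'enable secret' is hashed.
    if has("enable password") and not has("enable secret"):
        findings.append(("high", "enable password set without enable secret"))
    for c in top:
        m = re.match(r"username (\S+) password ", c)
        if m:
            findings.append(("medium", f"username {m.group(1)} stored with 'password' rather than 'secret'"))
    if not has("service password-encryption"):
        findings.append(("low", "service password-encryption not enabled"))
    if not has("banner login") and not has("banner motd"):
        findings.append(("low", "no login or motd banner"))
    # HTTP management must be source-restricted and authenticated, or off.
    if has("ip http server"):
        if not has("ip http access-class"):
            findings.append(("high", "ip http server without ip http access-class"))
        if not has("ip http authentication"):
            findings.append(("medium", "ip http server without ip http authentication"))
    # Console and vty lines: login required, idle timeout, vty source filter.
    for name, cmds in lines.items():
        if not any(c == "login" or c.startswith("login ") for c in cmds):
            findings.append(("high", f"{name}: login not required"))
        timeout = next((c.split() for c in cmds if c.startswith("exec-timeout")), None)
        if timeout is None:
            findings.append(("medium", f"{name}: no exec-timeout (IOS default is 10 minutes)"))
        elif timeout[1:] == ["0", "0"]:
            findings.append(("high", f"{name}: exec-timeout 0 0 never expires"))
        if name.startswith("line vty") and not any(c.startswith("access-class") for c in cmds):
            findings.append(("high", f"{name}: no access-class, sessions accepted from any source"))
    return findings


def highs(text):
    """Only the high-severity messages, for a quick pass/fail gate."""
    return [m for s, m in audit(text) if s == "high"]


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label)
        for sev, msg in audit(cfg):
            print(f"  [{sev}] {msg}")
```

Running it on the weak configuration reports the plaintext enable password, the unrestricted HTTP server and the vty lines that never time out and accept any source; the hardened configuration produces no findings. The checks deliberately stop at what this chapter covers; on current platforms you would also flag Telnet itself (transport input ssh) and an HTTP server that is not ip http secure-server.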

Slide 11-17. Access Layer Policy
Topics covered in this section:
- Definition of an access policy
- Managing network devices
- Access layer policy
  – Port security
- Distribution layer policy
- Core layer policy

Slide 11-18. Access Layer Policy
The access layer is the entry point for users to the network. Security policy there should prevent unauthorized access to the network. (Diagram threats: box tampering, device management, hackers.)

Slide 11-19. Access-Layer Port Security
Port security is a MAC address lockdown: the port accepts frames only from the configured source MAC address and is disabled if a frame arrives from any other address. (Diagram: a frame from unauthorized address 0010.f6b3.d000 is refused, "Unauthorized MAC Address. Access Denied".) Because a source MAC address can be set by the sender, this stops casual plug-in of unknown hosts rather than a determined attacker who has learned the permitted address.

Slide 11-20. Enable Port Security
DSW111 (enable) set port security 2/4 enable
DSW111 (enable) show port 2/4
Port   Security   Secure Src-address   Last Src-address   Shutdown   Trap   IF-index
2/4    enabled    (MAC as configured)  (last MAC seen)    no                270

Slide 11-21. Controlling Access in the Campus Network
Topics covered in this section:
- Definition of an access policy
- Access layer policy
- Distribution layer policy
  – Controlling routing update traffic
  – Route filtering
  – Controlling resource information
- Core layer policy

Slide 11-22. Distribution-Layer Policy
Two questions define the policy: What traffic is allowed out of the switch block? What resources and routes are sent to the core? A good policy at the distribution layer ensures that other blocks are not burdened with traffic that has not been explicitly permitted.

Slide 11-23. Controlling Information with Filters
Access control lists (ACLs) are used to control two kinds of router traffic: routing updates (for example, EIGRP advertisements) and user traffic.

Slide 11-24. IP Standard Access Lists Overview
Standard access lists test the source address only; the destination address is not examined. Numbered range: 1 to 99.
Router(config)#access-list 1 permit
Router(config)#access-list 1 deny any
Router(config)#interface fastethernet 1/0
Router(config-if)#ip access-group 1 out
Every access list ends with an implicit deny any, so the explicit deny any shown here changes nothing about what is dropped; it is still useful because show access-lists then counts the packets it rejects.

Slide 11-25. IP Extended Access List Overview
Extended access lists test the protocol, the source and destination addresses, and optionally ports or ICMP message types:
access-list 104 permit tcp any
access-list 104 permit tcp any host eq smtp
access-list 104 permit udp any eq domain any
access-list 104 permit icmp any any echo
access-list 104 permit icmp any any echo-reply
!
interface gigabit0/0
 ip access-group 104 out

Slide 11-26. Controlling Routing Update Traffic
How can we prevent routing update traffic from crossing some of these links?

Slide 11-27. Configuring Route Filtering
Use a standard access list to permit or deny routes. The list can be applied to transmitted (outbound) or received (inbound) routing updates; both forms are entered under the routing process.
For inbound updates:
Router(config-router)# distribute-list {access-list-number | name} in [interface-type interface-number]
For outbound updates:
Router(config-router)# distribute-list {access-list-number | name} out [interface-name | routing-process | autonomous-system-number]
A route passes when its network address matches a permit entry; the access list does not test the prefix length, so a single entry can match several subnets of the same block.

Slide 11-28. IP Route Filtering Configuration Example
Hides a network by filtering the updates sent out of one interface (diagram: router B, interface G0/0):
router eigrp 1
 network
 distribute-list 7 out g0/0
!
access-list 7 permit
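Slides 11-24 through 11-28 all rest on the same four rules: a wildcard mask, top-down evaluation, first match wins, and an implicit deny when nothing matches. The evaluator below, added here as a Python example and not taken from the BCMSN deck or from Cisco, applies those rules to constructed access lists shaped like the ones on the slides (the addresses, the ACL contents and the short port-name table are assumptions) and then reuses a standard list as a distribute-list filter over a set of routes, including the case the prefix-length note on slide 11-27 warns about.

```python
"""Evaluate Cisco-style numbered IP access lists the way a router does:
top-down, first match wins, implicit deny when nothing matches, wildcard
masks.  Added example, not code from the BCMSN deck or from Cisco."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")
# Assumed subset of IOS port keywords; the real table is much longer.
PORT_NAMES = {"smtp": 25, "domain": 53, "www": 80, "telnet": 23}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """0 bits in the wildcard must equal the base; 1 bits are don't-care."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


@dataclass
class Entry:
    action: str                      # permit | deny
    proto: str = "ip"                # ip matches every protocol; tcp/udp/icmp are exact
    src: Tuple[str, str] = ANY       # (base, wildcard)
    dst: Tuple[str, str] = ANY
    src_port: Optional[int] = None   # only the 'eq' operator is modelled
    dst_port: Optional[int] = None
    icmp_type: Optional[str] = None  # echo, echo-reply, ...


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    icmp_type: Optional[str] = None


def _is_ip(s: str) -> bool:
    return re.fullmatch(r"\d+\.\d+\.\d+\.\d+", s) is not None


def _addr(t: List[str], i: int):
    """Consume one address spec (any | host A | A WILDCARD | A) at t[i]."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(t) and _is_ip(t[i + 1]):
        return (t[i], t[i + 1]), i + 2
    return (t[i], "0.0.0.0"), i + 1          # standard-ACL shorthand for a host


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_entry(line: str) -> Entry:
    """Parse 'access-list N permit|deny ...': standard lists (1-99, 1300-1999)
    test the source only; extended lists use the syntax seen on the slides."""
    t = line.split()
    number, action = int(t[1]), t[2]
    if number <= 99 or 1300 <= number <= 1999:
        return Entry(action=action, src=_addr(t, 3)[0])
    e = Entry(action=action, proto=t[3])
    e.src, i = _addr(t, 4)
    if i < len(t) and t[i] == "eq":              # source port qualifier
        e.src_port, i = _port(t[i + 1]), i + 2
    e.dst, i = _addr(t, i)
    if i < len(t) and t[i] == "eq":              # destination port qualifier
        e.dst_port = _port(t[i + 1])
    elif i < len(t) and e.proto == "icmp":
        e.icmp_type = t[i]
    return e


def matches(e: Entry, p: Packet) -> bool:
    return (e.proto in ("ip", p.proto)
            and wildcard_match(p.src, *e.src) and wildcard_match(p.dst, *e.dst)
            and e.src_port in (None, p.src_port) and e.dst_port in (None, p.dst_port)
            and e.icmp_type in (None, p.icmp_type))


def evaluate(acl: List[Entry], p: Packet) -> str:
    """First matching entry decides; a list that matches nothing denies."""
    for e in acl:
        if matches(e, p):
            return e.action
    return "deny"


def filter_routes(acl: List[Entry], prefixes: List[str]) -> List[str]:
    """distribute-list semantics: each route's network address is tested as the
    'source' of a standard ACL. The prefix length is not tested, so an entry
    permitting 10.1.0.0 0.0.255.255 also lets 10.1.5.0/24 through."""
    return [n for n in prefixes
            if evaluate(acl, Packet(src=n.split("/")[0], dst="0.0.0.0")) == "permit"]


# Constructed ACLs in the shape of the slides; all addresses are assumptions.
ACL_1 = [parse_entry(l) for l in ("access-list 1 permit 10.1.1.0 0.0.0.255",
                                  "access-list 1 deny any")]
ACL_104 = [parse_entry(l) for l in ("access-list 104 permit tcp any host 10.1.3.1 eq smtp",
                                    "access-list 104 permit udp any eq domain any",
                                    "access-list 104 permit icmp any any echo",
                                    "access-list 104 permit icmp any any echo-reply")]
ACL_7 = [parse_entry("access-list 7 permit 10.1.0.0 0.0.255.255")]


def demo() -> dict:
    return {
        "vty from 10.1.1.20": evaluate(ACL_1, Packet("10.1.1.20", "10.1.1.1")),
        "vty from 192.168.5.9": evaluate(ACL_1, Packet("192.168.5.9", "10.1.1.1")),
        "smtp to mail host": evaluate(ACL_104, Packet("172.16.9.2", "10.1.3.1", "tcp", 40000, 25)),
        "smtp to other host": evaluate(ACL_104, Packet("172.16.9.2", "10.1.3.2", "tcp", 40000, 25)),
        "dns reply": evaluate(ACL_104, Packet("192.0.2.53", "10.1.3.7", "udp", 53, 5353)),
        "ping": evaluate(ACL_104, Packet("172.16.9.2", "10.1.3.1", "icmp", icmp_type="echo")),
        "ssh": evaluate(ACL_104, Packet("172.16.9.2", "10.1.3.1", "tcp", 40000, 22)),
        "routes out G0/0": filter_routes(ACL_7, ["10.1.0.0/16", "10.1.5.0/24", "10.2.0.0/16"]),
    }
```

demo() returns "permit" for the inside vty source, the SMTP connection to the mail host, the DNS reply and the ping, and "deny" for the outside vty source, SMTP to any other host and SSH, the last two purely because no entry matched. The route filter passes 10.1.0.0/16 and 10.1.5.0/24 and drops 10.2.0.0/16; if the second of those is not what you intended, a prefix list is the tool that can also test the mask length.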

Slide 11-29. Controlling Access in the Campus Network
Topics covered in this section:
- Definition of an access policy
- Access layer policy
- Distribution layer policy
- Core layer policy

Slide 11-30. Policy at the Core Block
(Diagram: switch blocks for Building A, Building B and Building C, the server block, the WAN block and the mainframe block all connect through the core block.)

Slide 11-31. Route Filter Laboratory Exercise: Visual Objective
(Diagram: Switch Block X. On each of the four routers, a privilege level 3 user is allowed show ip route, show ip protocols and show ip interface.)

Slide 11-32. Summary
- Control access to network devices with passwords, login, and privilege levels
- Network administrators can prevent unauthorized users from accessing the network through port security
- Access control lists are used for a variety of access control processes, including:
  – Route management
  – Traffic management
  – Virtual terminal management

Slide 11-33. Review Questions
- List and define the different methods of login.
- Define and list the steps to assign security to a virtual terminal port.
- What types of policies exist at the distribution layer? At the core?
- What are the different uses of access control lists at the distribution layer?
