© 1999, Cisco Systems, Inc. BCMSN
Chapter 11
Controlling Access to the Campus Network
Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
• Control user access to network devices
• Regulate user access within the switch block
• Limit user access outside of the switch block
Controlling Access in the Campus Network
In this chapter, we discuss the following topics:
• Definition of an access policy
• Managing network devices
• Access layer policy
• Distribution layer policy
• Core layer policy
Controlling Access in the Campus Network
In this section, we discuss the following topics:
• Definition of an Access Policy
  – What is an access policy?
  – Policies in the Hierarchical Model
• Managing Network Devices
• Access Layer Policy
• Distribution Layer Policy
• Core Layer Policy
What Is an Access Policy?
An access policy is a corporation's documented standard of network access. It covers:
• Access to Devices
• Access to the Network
• Prevent Specific Traffic from Crossing the Core
• Prevent Routing and Service Updates to the Core or Other SWBs (switch blocks)
Applying Policies to the Hierarchical Model
(Diagram: the switch block carries an Access Layer Policy and a Distribution Layer Policy; the Core Block, connecting the switch block to the Server Block and Mainframe Block, carries no policy.)
Controlling Access in the Campus Network
In this section, we discuss the following topics:
• Definition of an Access Policy
• Managing Network Devices
  – Physical Security
  – Passwords
  – Privilege levels
  – Virtual Terminal Access
• Access Layer Policy
• Distribution Layer Policy
• Core Layer Policy
Controlling Access to Network Devices
• Physical security
• Passwords
• Privilege levels
• Limiting Telnet access
Controlling Physical Access
Physical access to a device equals total control of that device.
Assigning Passwords
Passwords should be assigned to each point of entry to a device:
• Console
• Auxiliary
• Virtual Terminal
Password Configuration
Passwords should be set on every network device.

Cisco IOS Command-Based Switch (level 1 = User Level, level 15 = Privileged Exec Level):
  ASW41(config)#enable password level 1 Cisco

Set Command-Based Switch:
  DSW141 (enable) set password
  Enter old password:
  Enter new password: Cisco
  Retype new password: Cisco
  Password changed.
  dsw141 (enable) set enablepass
  Enter old password:
  Enter new password: san-fran
  Retype new password: san-fran
  Password changed.

Cisco IOS Command-Based Router:
  RSM143(config)#line console 0
  RSM143(config-line)#login
  RSM143(config-line)#password cisco
  RSM143(config)#enable password san-fran

Note: enable password is stored in the configuration in reversible form; enable secret (used on the Modifying Privilege Levels slide) stores a hash of the password instead, so use it where the software supports it.
Controlling Session Timeouts
Session timeouts provide an additional level of security by timing out an unattended console.

IOS Command-Based Router:
  RSM143(config)#line console 0
  RSM143(config-line)#exec-timeout 5 30
  RSM143(config)#line vty 0 4
  RSM143(config-line)#exec-timeout 5 3

Set Command-Based Switch:
  DSW141 (enable) set logout 5

Cisco IOS Command-Based Switch:
  ASW41(config)#line console
  ASW41(config-line)#time-out 300
Modifying Privilege Levels
Modifying privilege levels gives you the ability to assign more granular rights to users.

Cisco IOS command-based router:
  privilege configure level 3 username
  privilege exec level 3 copy run start
  privilege exec level 3 ping
  privilege exec level 3 show run
  privilege exec level 3 show
  enable secret level 3 cisco
Banner Messages
Create a banner message that indicates how serious security breaches are to you, for example "Unauthorized access will be prosecuted."
  DSW141 (enable) set banner motd 'Unauthorized access will be prosecuted'
  RSM143(config)#banner login 'unauthorized access will be prosecuted'
Controlling Virtual Terminal Access
Restrict Telnet access to the virtual ports (vty 0 through 4) with an access class:
  RSM143(config)#access-list 1 permit
  RSM143(config)#line vty 0 4
  RSM143(config-line)#access-class 1 in
To ensure consistency, set identical restrictions on all vty lines.
Controlling HTTP Access
Restrict which HTTP management stations may reach the device's web server, and require authentication against the local user database:
  RSM143(config)#access-list 1 permit
  RSM143(config)#ip http server
  RSM143(config)#ip http access-class 1
  RSM143(config)#ip http authentication local
  RSM143(config)#username student password cisco
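The device-management controls in this section (line passwords, session timeouts, enable secret, vty access-class) can be checked mechanically against a saved configuration. The following audit script is an added example, not Cisco tooling or code from the course; the configuration it parses is constructed and the finding strings are its own.

```python
# Audit an IOS device-access config against the controls in this section
# (added example, not Cisco tooling). "exec-timeout 0 0" disables the idle
# timeout rather than setting one, so it is reported as a finding.

# Constructed sample with three gaps: reversible enable password, no
# idle timeout on the vty lines, and no access-class on the vty lines.
SAMPLE_CONFIG = """
enable password san-fran
banner login ^Unauthorized access will be prosecuted^
line console 0
 login
 password cisco
 exec-timeout 5 30
line vty 0 4
 login
 password cisco
 exec-timeout 0 0
""".strip()

def parse_config(config):
    """Split a config into global commands and per-line sub-command lists."""
    global_cmds, lines, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()          # e.g. "vty 0 4"
            lines[current] = []
        elif raw.startswith(" ") and current:
            lines[current].append(raw.strip())
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, lines

def audit(config):
    """Return sorted policy findings; an empty list means compliant."""
    global_cmds, lines = parse_config(config)
    acls = {c.split()[1] for c in global_cmds if c.startswith("access-list ")}
    findings = []
    if not any(c.startswith("enable secret") for c in global_cmds):
        findings.append("no enable secret configured")
    for name, cmds in lines.items():
        if "login" not in cmds and "login local" not in cmds:
            findings.append(f"line {name}: login not required")
        timeouts = [c.split()[1:] for c in cmds if c.startswith("exec-timeout")]
        if not timeouts or timeouts[-1] in (["0"], ["0", "0"]):
            findings.append(f"line {name}: idle session never times out")
        if name.startswith("vty"):
            classes = [c.split()[1] for c in cmds if c.startswith("access-class ")]
            if not classes:
                findings.append(f"line {name}: no access-class limiting Telnet sources")
            elif classes[-1] not in acls:   # an undefined list restricts nothing
                findings.append(f"line {name}: access-class {classes[-1]} has no access-list")
    return sorted(findings)
```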
Access Layer Policy
In this section, we discuss the following topics:
• Definition of an Access Policy
• Managing Network Devices
• Access Layer Policy
  – Port Security
• Distribution Layer Policy
• Core Layer Policy
Access Layer Policy
The access layer is the entry point for users to the network. Security policy should prevent unauthorized access to the network.
(Diagram: threats at the access layer are box tampering, device management, and hackers.)
Access-Layer Port Security
Port security is a MAC address lockdown that disables the port if the MAC address is not valid.
(Diagram: MAC address 0010.f6b3.d000; a station presenting an unauthorized MAC address is denied access.)
Enable Port Security
  DSW111 (enable) set port security enable 2/ c
  DSW111 (enable) show port 2/4
  Port  Security  Secure Src-address  Last Src-address  Shutdown  Trap  IF-index
  /4    enabled   c                   c                 no        270
Controlling Access in the Campus Network
In this section, we discuss the following topics:
• Definition of an Access Policy
• Access Layer Policy
• Distribution Layer Policy
  – Controlling routing update traffic
  – Route filtering
  – Controlling resource information
• Core Layer Policy
Distribution-Layer Policy
• What traffic is allowed out of the switch block?
• What resources/routes are sent to the core?
A good policy at the distribution layer ensures that other blocks are not burdened with traffic that has not been explicitly permitted.
Controlling Information with Filters
Access control lists (ACLs) are used to control router traffic:
  – Routing updates (EIGRP in the diagram)
  – User traffic
IP Standard Access Lists Overview
• Use source address only
• Access list range: 1 to
(Diagram: a packet carries a destination address and a source address; a standard list examines only the source address.)
  Router(config)#access-list 1 permit
  Router(config)#access-list 1 deny any
  Router(config)#interface fastethernet 1/0
  Router(config-if)#ip access-group 1 out
IP Extended Access List Overview
  access-list 104 permit tcp any
  access-list 104 permit tcp any host eq smtp
  access-list 104 permit udp any eq domain any
  access-list 104 permit icmp any any echo
  access-list 104 permit icmp any any echo-reply
  !
  interface gigabit0/0
   ip access-group 104 out
Controlling Routing Update Traffic
How can we prevent routing update traffic from crossing some of these links?
Configuring Route Filtering
• Use a standard access list to permit or deny routes
• The access list can be applied to transmitted (outbound) or received (inbound) routing updates

For Inbound Updates:
  Router(config-router)# distribute-list {access-list-number | name} in [type number]

For Outbound Updates:
  Router(config-router)# distribute-list {access-list-number | name} out [interface-name | routing-process | autonomous-system-number]
IP Route Filtering Configuration Example
Hides a network using interface filtering (outbound filter on router B, interface G0/0):
  router eigrp 1
   network
   distribute-list 7 out g0/0
  !
  access-list 7 permit
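The same standard-list semantics govern both the interface filter on the IP Standard Access Lists slide and the distribute-list above: entries are evaluated top-down, the first match wins, and every list ends with an implicit deny. The matcher below is an added example, not Cisco code; its access-list 7 entries and the addresses it is run against are constructed, and the subnet/host values are not the ones elided from the slides.

```python
# Standard-ACL matcher (added example, not Cisco code) modelling the
# semantics behind both "ip access-group" (packet source address) and
# "distribute-list" (route prefix): entries are read top-down, the first
# match wins, and anything unmatched hits the implicit "deny any" at the end.
# Wildcard masks are inverse masks: a 0 bit must match, a 1 bit is ignored.
import ipaddress

# Constructed sample: the host deny must precede the subnet permit, because
# a first-match list would otherwise permit the host via the subnet entry.
SAMPLE_ACL = """
access-list 7 deny   host 10.1.5.99
access-list 7 permit 10.1.0.0 0.0.255.255
access-list 7 permit 172.16.1.0 0.0.0.255
""".strip().splitlines()

def parse_entry(line):
    """Return (action, base, wildcard) as integers for one standard-ACL line."""
    fields = line.split()
    if len(fields) < 4 or fields[0] != "access-list" or fields[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACL entry: {line!r}")
    action, target = fields[2], fields[3:]
    if target == ["any"]:                       # any == 0.0.0.0 255.255.255.255
        return action, 0, 0xFFFFFFFF
    if target[0] == "host":                     # host X == X 0.0.0.0
        return action, int(ipaddress.IPv4Address(target[1])), 0
    base = int(ipaddress.IPv4Address(target[0]))
    wild = int(ipaddress.IPv4Address(target[1])) if len(target) > 1 else 0
    return action, base, wild

def acl_decision(acl_lines, address):
    """First matching entry wins; no match falls through to the implicit deny."""
    addr = int(ipaddress.IPv4Address(address))
    for action, base, wild in map(parse_entry, acl_lines):
        care = ~wild & 0xFFFFFFFF               # bits the entry actually compares
        if (addr & care) == (base & care):
            return action
    return "deny"

def filter_routes(acl_lines, prefixes):
    """Model "distribute-list 7 out": advertise only the prefixes the list permits."""
    return [p for p in prefixes if acl_decision(acl_lines, p.split("/")[0]) == "permit"]
```

Swapping the first two entries of SAMPLE_ACL makes acl_decision permit 10.1.5.99, which is the ordering mistake the comment warns about.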
Controlling Access in the Campus Network
In this section, we discuss the following topics:
• Definition of an Access Policy
• Access Layer Policy
• Distribution Layer Policy
• Core Layer Policy
Policy at the Core Block
(Diagram: the Core Block interconnects the switch blocks of Building A, Building B, and Building C with the Server Block, WAN Block, and Mainframe Block.)
Route Filter Laboratory Exercise: Visual Objective
(Diagram: Switch Block X; each router is accessed at Privilege Level 3 with the commands show ip route, show ip protocols, and show ip interface.)
Summary
• Control physical devices with passwords, login, and privilege levels
• Network administrators can prevent unauthorized users from accessing the network through Port Security
• Access Control Lists are used for a variety of access control processes, including:
  – Route Management
  – Traffic Management
  – Virtual Terminal Management
Review Questions
1. List and define the different methods of login.
2. Define and list the steps to assign security to a virtual terminal port.
3. What types of policies exist at the Distribution Layer? At the core?
4. What are the different uses of access control lists at the Distribution Layer?