
Slide 1: Chapter 10 Controlling Campus Device Access / Chapter 11 Controlling Access to the Campus Network
© 1999, Cisco Systems, Inc. (BCMSN course material, www.cisco.com)

Slide 2: Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
– Control user access to network devices
– Regulate user access within the switch block
– Limit user access outside of the switch block

Slide 3: Controlling Access in the Campus Network
In this chapter, we discuss the following topics:
– Definition of an access policy
– Managing network devices
– Access layer policy
– Distribution layer policy
– Core layer policy

Slide 4: Controlling Access in the Campus Network
In this section, we discuss the following topics:
– Definition of an Access Policy
  – What is an access policy?
  – Policies in the Hierarchical Model
– Managing Network Devices
– Access Layer Policy
– Distribution Layer Policy
– Core Layer Policy

Slide 5: What Is an Access Policy?
An access policy is a corporation's documented standard of network access.
Figure labels:
– Access to Devices
– Access to the Network
– Prevent Specific Traffic from Crossing the Core
– Prevent Routing and Service Updates to the Core or Other Switch Blocks (SWBs)

Slide 6: Applying Policies to the Hierarchical Model
Figure: the switch block carries the Access Layer Policy and the Distribution Layer Policy; the Core Block has no policy; the Server Block and Mainframe Block attach to the core.

Slide 7: Controlling Access in the Campus Network
In this section, we discuss the following topics:
– Definition of an Access Policy
– Managing Network Devices
  – Physical Security
  – Passwords
  – Privilege levels
  – Virtual Terminal Access
– Access Layer Policy
– Distribution Layer Policy
– Core Layer Policy

Slide 8: Controlling Access to Network Devices
– Physical security
– Passwords
– Privilege levels
– Limiting Telnet access

Slide 9: Controlling Physical Access
Physical access to a device equals total control of that device.

Slide 10: Assigning Passwords
Passwords should be assigned to each point of entry to a device.
Figure: points of entry are the Auxiliary port, the Console port, and the Virtual Terminal lines.

Slide 11: Password Configuration
Passwords should be set on every network device.

Cisco IOS command-based switch (level 1 = user level, level 15 = privileged EXEC level):
ASW41(config)#enable password level 1 Cisco

Set command-based switch:
DSW141 (enable) set password
Enter old password:
Enter new password: Cisco
Retype new password: Cisco
Password changed.
DSW141 (enable) set enablepass
Enter old password:
Enter new password: san-fran
Retype new password: san-fran
Password changed.

Cisco IOS command-based router:
RSM143(config)#line console 0
RSM143(config-line)#login
RSM143(config-line)#password cisco
RSM143(config-line)#exit
RSM143(config)#enable password san-fran

Slide 12: Controlling Session Timeouts
Session timeouts provide an additional level of security by timing out an unattended console.

IOS command-based router:
RSM143(config)#line console 0
RSM143(config-line)#exec-timeout 5 30
RSM143(config)#line vty 0 4
RSM143(config-line)#exec-timeout 5 3

Set command-based switch:
DSW141 (enable) set logout 5

Cisco IOS command-based switch:
ASW41(config)#line console
ASW41(config-line)#time-out 300

Slide 13: Modifying Privilege Levels
Modifying privilege levels gives you the ability to assign more granular rights to users.

Cisco IOS command-based router:
privilege configure level 3 username
privilege exec level 3 copy run start
privilege exec level 3 ping
privilege exec level 3 show run
privilege exec level 3 show
enable secret level 3 cisco

Slide 14: Banner Messages
Create a banner message that indicates how serious security breaches are to you, for example: "Unauthorized access will be prosecuted."

DSW141 (enable) set banner motd 'Unauthorized access will be prosecuted'
RSM143(config)#banner login 'Unauthorized access will be prosecuted'

Slide 15: Controlling Virtual Terminal Access
Virtual ports (vty 0 through 4)

RSM143(config)#access-list 1 permit 172.16.41.3
RSM143(config)#line vty 0 4
RSM143(config-line)#access-class 1 in

Figure: a Telnet session from 172.16.41.3 to the router at 172.16.41.143.
To ensure consistency, set identical restrictions on all vty lines.

Slide 16: Controlling HTTP Access

RSM143(config)#access-list 1 permit 172.16.41.3
RSM143(config)#ip http server
RSM143(config)#ip http access-class 1
RSM143(config)#ip http authentication local
RSM143(config)#username student password cisco

Figure: an HTTP management station at 172.16.41.3 manages the router at 172.16.41.143.
To ensure consistency, set identical restrictions on all vty lines.

Slide 17: Access Layer Policy
In this section, we discuss the following topics:
– Definition of an Access Policy
– Managing Network Devices
– Access Layer Policy
  – Port Security
– Distribution Layer Policy
– Core Layer Policy

Slide 18: Access Layer Policy
The access layer is the entry point for users to the network. Security policy should prevent unauthorized access to the network.
Figure: threats at the access layer are labelled Box Tampering, Device Management, and Hackers.

Slide 19: Access-Layer Port Security
Port security is a MAC address lockdown that disables the port if the MAC address is not valid.
Figure: a station with MAC address 0010.f6b3.d000 connects to a secured port; "Unauthorized MAC Address. Access Denied."

Slide 20: Enable Port Security

DSW111 (enable) set port security enable 2/4 00.00.0c.12.34
DSW111 (enable) show port 2/4
Port  Security  Secure Src-address  Last Src-address  Shutdown  Trap  IF-index
----- --------  ------------------  ----------------  --------  ----  --------
2/4   enabled   00.00.0c.12.34      00.00.0c.12.34    no              270

Slide 21: Controlling Access in the Campus Network
In this section, we discuss the following topics:
– Definition of an Access Policy
– Access Layer Policy
– Distribution Layer Policy
  – Controlling routing update traffic
  – Route filtering
  – Controlling resource information
– Core Layer Policy

Slide 22: Distribution-Layer Policy
– What traffic is allowed out of the switch block?
– What resources/routes are sent to the core?
A good policy at the distribution layer ensures that other blocks are not burdened with traffic that has not been explicitly permitted.

Slide 23: Controlling Information with Filters
Access control lists (ACLs) are used to control router traffic:
– Routing updates (the figure shows EIGRP)
– User traffic

Slide 24: IP Standard Access Lists Overview
– Use source address only
– Access list range: 1 to 99

Router(config)#access-list 1 permit 172.16.41.3
Router(config)#access-list 1 deny any
Router(config)#interface fastethernet 1/0
Router(config-if)#ip access-group 1 out

Figure: source address 172.16.41.3, destination address 172.16.43.17 on network 172.16.43.0.

Slide 25: IP Extended Access List Overview

access-list 104 permit tcp any 172.16.2.0 0.255.255.255
access-list 104 permit tcp any host 172.16.1.2 eq smtp
access-list 104 permit udp any eq domain any
access-list 104 permit icmp any any echo
access-list 104 permit icmp any any echo-reply
!
interface gigabit0/0
 ip access-group 104 out

Slide 26: Controlling Routing Update Traffic
How can we prevent routing update traffic from crossing some of these links?

Slide 27: Configuring Route Filtering
– Use a standard access list to permit or deny routes
– The access list can be applied to transmitted (outbound) or received (inbound) routing updates

For inbound updates:
Router(config-router)# distribute-list {access-list-number | name} in [type number]

For outbound updates:
Router(config-router)# distribute-list {access-list-number | name} out [interface-name | routing-process | autonomous-system-number]

Slide 28: IP Route Filtering Configuration Example
Hides network 172.16.41.0 using interface filtering.

router eigrp 1
 network 172.16.0.0
 distribute-list 7 out g0/0
!
access-list 7 permit 172.16.2.0 0.0.0.255

Figure: router B advertises out interface G0/0; networks 172.16.41.0 and 172.16.42.0 sit behind it.
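The slides above rely on one mechanism, a standard access list matched with Cisco wildcard masks, first match wins, implicit deny at the end, whether it is applied as `access-class` on the vty lines (slide 15) or as a `distribute-list` on routing updates (slides 27 and 28). The following Python block is an added example, not part of the Cisco material, that implements that evaluation and applies it to both cases; ACL 1 is slide 15's entry, while ACL 7 is a constructed variant that permits only 172.16.42.0/24 so that 172.16.41.0 is the network hidden from the core.

```python
from ipaddress import IPv4Address

def wildcard_match(addr: str, base: str, wildcard: str = "0.0.0.0") -> bool:
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must match exactly
    return (a & care) == (b & care)

def parse_standard_acl(lines):
    """Parse 'access-list N permit|deny (any | host A | A [wildcard])' lines."""
    acl = {}
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue                  # skip blank lines and non-ACL config
        number, action, rest = tok[1], tok[2], tok[3:]
        if rest[0] == "any":
            base, wild = "0.0.0.0", "255.255.255.255"
        elif rest[0] == "host":
            base, wild = rest[1], "0.0.0.0"
        else:                         # a bare address means an exact host match
            base, wild = rest[0], (rest[1] if len(rest) > 1 else "0.0.0.0")
        acl.setdefault(number, []).append((action == "permit", base, wild))
    return acl

def evaluate(entries, addr):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for permit, base, wild in entries:
        if wildcard_match(addr, base, wild):
            return permit
    return False

# Constructed config: ACL 1 is slide 15's vty filter; ACL 7 is our own variant
# of slide 28's route filter, written to permit 172.16.42.0/24 only.
CONFIG = """
access-list 1 permit 172.16.41.3
access-list 7 permit 172.16.42.0 0.0.0.255
""".splitlines()
ACLS = parse_standard_acl(CONFIG)

def vty_allowed(client_ip):
    """Effect of 'access-class 1 in' on vty 0 4: only the admin station may Telnet in."""
    return evaluate(ACLS["1"], client_ip)

def advertised_routes(routes):
    """Effect of 'distribute-list 7 out g0/0': only permitted prefixes are advertised."""
    return [r for r in routes if evaluate(ACLS["7"], r.split("/")[0])]
```

Because the implicit deny applies to routes as well as to Telnet clients, a distribute-list that permits nothing from a switch block hides every one of its networks; checking the returned list against the routes you expect the core to learn is the quickest way to catch an over-tight filter.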

Slide 29: Controlling Access in the Campus Network
In this section, we discuss the following topics:
– Definition of an Access Policy
– Access Layer Policy
– Distribution Layer Policy
– Core Layer Policy

Slide 30: Policy at the Core Block
Figure: the Core Block connects the switch blocks for Building A, Building B, and Building C with the Server Block, the WAN Block, and the Mainframe Block.

Slide 31: Route Filter Laboratory Exercise: Visual Objective
Figure: each switch block (Switch Block X) is configured with Privilege Level 3 allowing the commands show ip route, show ip protocols, and show ip interface (repeated for each of the four switch blocks shown).

Slide 32: Summary
– Control physical devices with passwords, login, and privilege levels
– Network administrators can prevent unauthorized users from accessing the network through Port Security
– Access Control Lists are used for a variety of access control processes, including:
  – Route Management
  – Traffic Management
  – Virtual Terminal Management

Slide 33: Review Questions
– List and define the different methods of login.
– Define and list the steps to assign security to a virtual terminal port.
– What types of policies exist at the Distribution Layer? At the core?
– What are the different uses of access control lists at the Distribution Layer?


