6(A). Switch Security (ccnacookbook.com)
Rev. 20190510.114602

802.1X

802.1x forces devices that connect to a switchport to authenticate prior to wider use of the net.

AAA (Authentication, Authorization and Accounting) Server—Performs centralized authentication. Holds the user names and passwords. Provides a yes/no response when an authenticator asks if a username/password combination is legitimate.

Supplicant—802.1x software on the client device that handles authentication from the user.

Authenticator—The switch. Usernames and passwords from the supplicant are passed to the AAA server for verification before the switch port is authenticated and non-802.1x frames are allowed.

EAP (Extensible Authentication Protocol)—Protocol used for authentication messages from the supplicant to the authenticator (switch) and on to the AAA server. EAP messages are encapsulated either in EAPoL or RADIUS, depending on which leg of the journey they're on.

RADIUS—An AAA communication protocol over IP and UDP between the switch and the AAA server.

EAPoL (EAP over LAN)—An encapsulation that allows EAP packets to travel directly in an Ethernet frame from the supplicant to the switch. Traffic between the authenticator (switch) and the authentication server (AAA) is encapsulated in ordinary IP packets, just like any other RADIUS message.

AAA AUTHENTICATION

As mentioned above, AAA servers can centralize authentication. For example, the "login local" username and password entries on hundreds of routers and switches could be replaced by an AAA server, ensuring consistency. When presented with a username and password, the router or switch would ask the AAA server if the login is correct.

Cisco ACS (Access Control Server)—An example of AAA software that can be installed on a server.

TACACS+—A Cisco AAA protocol, like RADIUS, which operates over TCP instead of UDP between the Cisco device and the authentication server.
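The practical difference between the two protocols just defined is how much of a login an observer on the path between the switch and the AAA server can read. The Python below is an added example, not code from the cookbook: it builds a minimal RADIUS Access-Request using the User-Password hiding from RFC 2865 and a TACACS+ authentication START packet using the body obfuscation from RFC 8907, then checks which strings are still visible in the raw bytes. The username, secret, port name and addresses are constructed sample values.

```python
"""Added example (not from the cookbook): what an on-path observer can read in a
RADIUS login versus a TACACS+ login.

RADIUS (RFC 2865, section 5.2) hides only the User-Password attribute: the
password is XORed with an MD5 keystream derived from the shared secret and the
Request Authenticator.  User-Name and every other attribute are cleartext.
TACACS+ (RFC 8907, section 4.5) XORs the whole packet body with an MD5 pseudo-pad
derived from the session id, shared key, version and sequence number; only the
12-byte header is readable.  Both are obfuscation keyed by the shared secret,
not modern authenticated encryption.  All secrets, names and addresses below
are constructed sample values.
"""
import hashlib
import os
import struct

# ---- RADIUS (UDP) ---------------------------------------------------------
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad with NULs to a multiple of 16 (at least 16), then
    c_i = p_i XOR MD5(secret + c_{i-1}) with c_0 = Request Authenticator."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password; the server runs this with the same secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(prev, keystream))
    return out.rstrip(b"\x00")


def radius_attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including these two bytes), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(user: bytes, password: bytes, secret: bytes,
                         nas_ip: str, authenticator: bytes) -> bytes:
    attrs = (radius_attr(ATTR_USER_NAME, user)
             + radius_attr(ATTR_USER_PASSWORD, radius_hide_password(password, secret, authenticator))
             + radius_attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    # Code, Identifier, Length, Request Authenticator, attributes
    return struct.pack("!BBH", RADIUS_ACCESS_REQUEST, 0x2A, 20 + len(attrs)) + authenticator + attrs


# ---- TACACS+ (TCP) --------------------------------------------------------
TAC_PLUS_VERSION = 0xC0   # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 1       # packet type: authentication


def tacacs_pseudo_pad(session_id: bytes, key: bytes, seq_no: int, length: int) -> bytes:
    """RFC 8907 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); concatenate, truncate."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([TAC_PLUS_VERSION, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(body: bytes, session_id: bytes, key: bytes, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    pad = tacacs_pseudo_pad(session_id, key, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_tacacs_authen_start(user: bytes, port: bytes, rem_addr: bytes,
                              key: bytes, session_id: bytes) -> bytes:
    # START body: action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1), service=LOGIN(1),
    # then user_len, port_len, rem_addr_len, data_len and the strings themselves
    body = (struct.pack("!8B", 1, 1, 1, 1, len(user), len(port), len(rem_addr), 0)
            + user + port + rem_addr)
    # Header (cleartext): version, type, seq_no, flags, session_id, body length
    header = struct.pack("!BBBB4sI", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, 1, 0, session_id, len(body))
    return header + tacacs_obfuscate(body, session_id, key, seq_no=1)


def readable_fields(packet: bytes, *fields: bytes) -> list:
    """Which of the given strings appear verbatim in the packet bytes."""
    return [f for f in fields if f in packet]


if __name__ == "__main__":
    secret = b"mySharedSecretKey"   # same placeholder as the cookbook's sample key
    user, password = b"alice", b"S3cret-Pa55"
    req = build_access_request(user, password, secret, "10.0.1.5", os.urandom(16))
    print("RADIUS exposes:", readable_fields(req, user, password))      # [b'alice']
    start = build_tacacs_authen_start(user, b"tty0", b"10.0.0.7", secret, os.urandom(4))
    print("TACACS+ exposes:", readable_fields(start, user, b"tty0"))    # []
```

The RADIUS request leaks the username (and would leak any other attribute, such as the NAS address) while hiding only the password; the TACACS+ START exposes nothing past its header. In both cases the protection rests entirely on the shared secret and MD5, so the secret's strength and the network path to the server (a management VLAN or an encrypted tunnel) are what actually keep credentials private.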
Authorization and accounting can also be provided by a TACACS+ server, for example only giving a user access to certain IOS commands. Configuring this on one AAA server instead of every device can be a huge savings over RADIUS.

AAA Server Feature                          RADIUS          TACACS+
Primary Use                                 Users           Network Devices
Transport Protocol                          UDP             TCP
TCP/UDP Port Numbers (for authentication)   1645, 1812      49
Encryption                                  Just Password   Entire Packet
CLI Command Subset Authorization            No              Yes
Defined by                                  RFC 2865        Cisco

CCNA (200-105) Switch Security, page 6(A)-1

AAA Configuration—The test only asks that you "describe device security using AAA with TACACS+ and RADIUS." Therefore, commands are simply a narrative device.

• Turn on AAA authentication—this changes which IOS commands are available
R5(config)# aaa new-model
Default is "no aaa …"
• Define each AAA server
R5(config)# tacacs server myServer
R5(config-server-tacacs)# address ipv4 10.0.1.5
R5(config-server-tacacs)# key mySharedSecretKey
R5(config-server-tacacs)# port 49
• Define a group of AAA servers—many commands will reference the entire group rather than an individual server
R5(config)# aaa group server tacacs+ myTacacsGroup
R5(config-sg-tacacs+)# server name myServer
R5(config-sg-tacacs+)# server name myOtherServer
• Set up a default list of authentication methods to be used for the console port, the aux port, and vty lines. If IOS can't get an authentication answer from the first method on the list it'll try the second, etc. This could happen if the network is down and the AAA server is unreachable.
R5(config)# aaa authentication login default group myTacacsGroup local line
The first option "group myTacacsGroup" refers to the list of TACACS+ servers we created.
The second option "local" refers to username/password combinations on the router.
The third option "line" refers to passwords without usernames that can be defined on the console port, vty lines, etc.

DHCP SNOOPING

This is an L2 switch feature, not an L3 router feature.
MITM (Man In The Middle) Attack—An attacker with a spurious (fake) DHCP server can cause hosts to configure themselves with the attacker as their default gateway.

Trusted Ports—Those from which legitimate DHCP server traffic (offer and ack messages) can be expected.

Untrusted Ports—Those where an attacker can easily connect. Here, DHCP snooping will
• Discard server messages
• Maintain state information based on observed DHCP traffic in a DHCP binding table (interface, MAC, IP) to identify the traffic from a malicious client
• Prevent a client on another port from using the same MAC or IP address
• Optionally rate-limit DHCP messages to prevent DoS attacks
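To make the four snooping rules above concrete, here is an added Python model of the per-port decisions a snooping switch makes; it is a teaching model written for this page, not Cisco's implementation or code from the cookbook. Port names, MAC addresses, the VLAN and the sequence of DHCP messages in the demo are constructed. It runs a legitimate lease, a rogue OFFER from an untrusted port, two attempts to reuse a bound MAC or IP from another port, and a small DISCOVER flood through the rules and reports what is forwarded and what is dropped.

```python
"""Added example (not from the cookbook): a teaching model of the per-port
decisions DHCP snooping makes, following the rules listed above.  Server
messages arriving on untrusted ports are discarded, a binding table of
(interface, MAC, IP) is learned from legitimate server ACKs, a MAC or IP already
bound to another port is refused, and untrusted ports can be rate-limited.
Port names, MAC addresses and the message sequence are constructed; this is
not Cisco's implementation.
"""
from dataclasses import dataclass, field

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}   # only a real DHCP server sends these


@dataclass
class DhcpFrame:
    port: str          # ingress switchport
    vlan: int
    msg: str           # DHCP message type
    chaddr: str        # client hardware address carried in the DHCP payload
    yiaddr: str = ""   # address the server assigns (OFFER/ACK)
    ciaddr: str = ""   # address the client claims (REQUEST/RELEASE)


@dataclass
class SnoopingSwitch:
    trusted: set
    rate_limit: int = 0                             # client messages per untrusted port per interval; 0 = off
    bindings: dict = field(default_factory=dict)    # (vlan, mac) -> (ip, port)
    pending: dict = field(default_factory=dict)     # (vlan, mac) -> port of the client's DISCOVER/REQUEST
    counters: dict = field(default_factory=dict)    # port -> messages seen this interval

    def process(self, f: DhcpFrame) -> str:
        """Return 'forward' or 'drop:<reason>' for one DHCP message."""
        key = (f.vlan, f.chaddr)
        if f.port in self.trusted:
            # Trusted port: accept everything, but learn a binding when the
            # legitimate server confirms a lease for a client seen on an untrusted port.
            if f.msg == "ACK" and key in self.pending:
                self.bindings[key] = (f.yiaddr, self.pending.pop(key))
            return "forward"
        if f.msg in SERVER_MESSAGES:
            return "drop:server-message-on-untrusted-port"     # rogue DHCP server / MITM
        if self.rate_limit:
            self.counters[f.port] = self.counters.get(f.port, 0) + 1
            if self.counters[f.port] > self.rate_limit:
                return "drop:rate-limit"                         # DHCP flood / DoS
        bound = self.bindings.get(key)
        if bound and bound[1] != f.port:
            return "drop:mac-bound-to-other-port"
        if f.ciaddr:
            for (vlan, mac), (ip, port) in self.bindings.items():
                if vlan == f.vlan and ip == f.ciaddr and (mac != f.chaddr or port != f.port):
                    return "drop:ip-bound-to-other-client"
        if f.msg in ("DISCOVER", "REQUEST"):
            self.pending[key] = f.port
        elif f.msg == "RELEASE" and bound:
            del self.bindings[key]                              # lease given up by its rightful owner
        return "forward"


def demo():
    """Constructed sequence: a legitimate lease, a rogue server, two spoofing
    attempts from another port, and a flood.  Returns (decisions, binding table)."""
    sw = SnoopingSwitch(trusted={"Gi0/24"}, rate_limit=3)
    alice, mallory = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb"
    frames = [
        DhcpFrame("Gi0/1", 10, "DISCOVER", alice),
        DhcpFrame("Gi0/2", 10, "OFFER", alice, yiaddr="10.0.10.50"),      # rogue server on Gi0/2
        DhcpFrame("Gi0/24", 10, "OFFER", alice, yiaddr="10.0.10.50"),     # real server on trusted port
        DhcpFrame("Gi0/1", 10, "REQUEST", alice),
        DhcpFrame("Gi0/24", 10, "ACK", alice, yiaddr="10.0.10.50"),       # binding learned here
        DhcpFrame("Gi0/2", 10, "REQUEST", alice, ciaddr="10.0.10.50"),    # alice's MAC from another port
        DhcpFrame("Gi0/2", 10, "RELEASE", mallory, ciaddr="10.0.10.50"),  # releasing someone else's lease
    ] + [DhcpFrame("Gi0/3", 10, "DISCOVER", f"dd:dd:dd:dd:dd:0{i}") for i in range(4)]  # flood
    return [sw.process(f) for f in frames], dict(sw.bindings)


if __name__ == "__main__":
    decisions, table = demo()
    for d in decisions:
        print(d)
    print("binding table:", table)
```

Only the trusted port ever contributes to the binding table, and the binding is keyed on the client's VLAN and MAC with the port recorded from the client's own DISCOVER/REQUEST; that is what lets the later REQUEST and RELEASE from Gi0/2 be refused even though they carry a valid MAC or IP. On a real switch exceeding the rate limit err-disables the port rather than silently dropping, which is worth knowing before enabling it on ports that host many clients behind a hub.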