Security

Cisco IOS can be configured to prompt for a password with the //**#login**// line subcommand. The //**#password**// line subcommand defines that password.

Passwords are stored in plain text by default, but can be obscured with the //**#service password-encryption**// command. This encryption is weak and reversible, so it only protects against casual viewing of the configuration.

A better solution is to use //**#enable secret**//, which stores a one-way hash. If both an enable secret and an enable password are configured, only the secret is accepted.

=AAA Authentication=

The strongest method to protect the CLI is to use a TACACS+ or RADIUS server.

AAA authentication is configured as a list of methods, which are tried in order.

Up to four methods are supported in a single list. Authentication logic is as follows:

 * Use the answer from the first method that responds. Move on to the next method only if the current one does not respond (an explicit reject from a method ends the process).
 * The same logic applies to multiple servers within a method.
 * If no method responds, the authentication is rejected.

=Server groups=

When RADIUS and TACACS+ servers are defined with the //**#radius-server host**// and //**#tacacs-server host**// commands, they are automatically put into groups. These groups can be referred to by the //**#aaa authentication**// command's **group radius** or **group tacacs+** options. While these groups are by default named radius and tacacs+, you can define a named subset of servers with //**#aaa group server**//.

You can override the default authentication for lines with the //**#login authentication**// line subcommand.

=PPP Security=

PPP provides the ability to use PAP and CHAP for authentication. By default these methods are checked against locally configured //**#username password**// commands. You can also use AAA authentication for PPP, which is configured as follows:

 * 1) Enable AAA with //**#aaa new-model**//
 * 2) Define the default PPP method list with //**#aaa authentication ppp default**// followed by the methods
 * 3) Or define a named list with //**#aaa authentication ppp list-name method1 [method2...]**//
 * 4) Apply the list on the interface with the //**#ppp authentication**// subcommand
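The local password handling, server groups and login/PPP method lists described above, as an added example configuration that is not from the original page; every address, key, username and list name is made up:

```cisco
! Added example, not from the page: every address, key, name and password is made up.
! Local credentials: one-way hashed enable secret, obscured line passwords
service password-encryption
enable secret ExampleEnableSecret1
username admin privilege 15 secret ExampleLocalPw1
!
aaa new-model
tacacs-server host 192.0.2.10 key TacacsExampleKey1
tacacs-server host 192.0.2.11 key TacacsExampleKey1
radius-server host 192.0.2.20 auth-port 1812 acct-port 1813 key RadiusExampleKey1
!
! Named groups: a subset of the servers above, instead of the implicit
! "group tacacs+" / "group radius" groups that contain all of them
aaa group server tacacs+ ADMIN-TACACS
 server 192.0.2.10
 server 192.0.2.11
aaa group server radius USER-RADIUS
 server 192.0.2.20 auth-port 1812 acct-port 1813
!
! Login: ask the TACACS+ group first; "local" is consulted only when no
! TACACS+ server answers, not when one rejects the user
aaa authentication login default group ADMIN-TACACS local
aaa authentication login CONSOLE local
aaa authentication enable default group ADMIN-TACACS enable
!
! Console overrides the default list so it still works if the network is down
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
 transport input ssh
!
! PPP: a named CHAP list tried against RADIUS, then local usernames
aaa authentication ppp PPP-CHAP group USER-RADIUS local
interface Serial0/0
 encapsulation ppp
 ppp authentication chap PPP-CHAP
```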

=Layer 2 security=

A set of best practices is defined for switches with user or unused ports:

 * Disable unused protocols such as CDP and DTP
 * Explicitly configure ports as access ports
 * Enable BPDU guard and root guard
 * Use DAI or private VLANs to prevent frame sniffing
 * Enable port security
 * Use 802.1x
 * Use DHCP snooping and IP Source Guard

General guidelines are as follows:

 * Configure VTP authentication
 * Disable unused ports and place them into an unused VLAN
 * Avoid using VLAN 1
 * Do not put user traffic on the native VLAN of trunks

=Port Security=

Port security provides the following benefits:

 * Limit the number of MAC addresses per port
 * Limit the ports a MAC address can use by:
  * Statically defining what is allowed
  * Dynamically learning up to a maximum number, with older entries being rotated out
  * Dynamically learning the MAC and having the switch save it into the configuration (sticky learning)

Three violation modes exist: **protect** silently drops frames from disallowed MAC addresses, **restrict** drops them and also sends SNMP traps and syslog messages, and **shutdown** places the port into err-disabled state.
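The access-port best practices, general guidelines and port security options above, as an added example configuration that is not from the original page; interface, VLAN and key values are made up:

```cisco
! Added example, not from the page: interface, VLAN and key values are made up.
! User-facing access port
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 ! no DTP negotiation, no CDP advertisements toward the user
 switchport nonegotiate
 no cdp enable
 ! a BPDU from a user device err-disables the port
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! port security: at most two MACs, learned dynamically and saved (sticky);
 ! restrict = drop offenders and send SNMP trap/syslog (protect = silent drop,
 ! shutdown = err-disable the port)
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security aging time 120
 switchport port-security aging type inactivity
!
! Trunk to a downstream access switch: root guard stops it from becoming root;
! native VLAN is an unused VLAN rather than VLAN 1
interface GigabitEthernet0/23
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 spanning-tree guard root
!
! Unused ports: parked in the dead VLAN and administratively down
interface range GigabitEthernet0/2 - 22
 switchport mode access
 switchport access vlan 999
 shutdown
!
! VTP authentication and automatic recovery from err-disable
vtp password VtpExamplePw1
errdisable recovery cause psecure-violation
errdisable recovery cause bpduguard
errdisable recovery interval 300
```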

=Dynamic ARP inspection=

A gratuitous ARP (one sent without a preceding ARP request) can cause devices to add false information to their ARP tables. DAI classifies ports as trusted or untrusted (the default). ARP messages on untrusted ports are examined by DAI and filtered if they are deemed invalid. The logic works as follows:

 * 1) If the ARP reply lists an IP address that the DHCP snooping binding table does not associate with that port, the message is filtered.
 * 2) Statically configured IP/MAC pairings (ARP ACLs) are checked; the ARP is filtered if it does not match.
 * 3) The source MAC in the Ethernet header is compared to the sender MAC in the ARP message. If they differ, the ARP is filtered.
 * 4) Same as step 3, but with the destination MAC and the ARP target MAC.
 * 5) ARP messages with invalid IP addresses (255.255.255.255, 0.0.0.0, etc.) are filtered.

By default, untrusted ports are rate-limited to 15 ARP messages per second.

=DHCP Snooping=

Similar to DAI, DHCP snooping examines DHCP messages and filters those it deems inappropriate. It places information gleaned from these messages into the DHCP snooping binding table. The most common DHCP attack is a rogue server handing out fake leases that list an attacker's address as the default gateway, putting it in the middle of client traffic. Ports are again classified as trusted or untrusted, with all DHCP messages being allowed on trusted ports. On untrusted ports it is assumed that only DHCP clients exist, so any server-only messages are filtered. The following logic is used for untrusted ports:

 * 1) All messages that only servers send (OFFER, ACK, NAK) are filtered
 * 2) IPs listed in DHCP RELEASE and DECLINE messages are checked against the snooping table, and non-matches are filtered
 * 3) Optionally, the DHCP client hardware address is compared to the source MAC address in the Ethernet frame

=IP Source Guard=

IP Source Guard checks the source IP address of packets against the DHCP snooping binding table. It can also check the source MAC address.

This feature is enabled per interface with //**#ip verify source [port-security]**//, with the optional keyword enabling MAC address checking (it requires port security on the interface). Static entries can be added for hosts without DHCP leases with //**#ip source binding vlan interface**//.
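DHCP snooping, DAI and IP Source Guard configured together on one switch, following the three sections above, as an added example that is not from the original page; VLAN, interface, address and MAC values are made up:

```cisco
! Added example, not from the page: VLAN, interface, address and MAC values are made up.
! DHCP snooping first: DAI and IP Source Guard both consult its binding table
ip dhcp snooping
ip dhcp snooping vlan 10
! optional step 3 of the snooping logic: client hardware address must match frame source MAC
ip dhcp snooping verify mac-address
! keep bindings across a reload so DAI/IPSG do not block every host after a reboot
ip dhcp snooping database flash:dhcp-snooping.db
!
! DAI on the same VLAN; validate = steps 3-5 of the DAI logic (sender MAC,
! target MAC, and invalid IP addresses)
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Step 2: static IP/MAC pairs for hosts that never take a DHCP lease
arp access-list STATIC-HOSTS
 permit ip host 10.1.10.50 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
!
! Trunk toward the DHCP server: trusted by both features, no rate limit
interface GigabitEthernet0/24
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! User port: untrusted (default); rate limits and IPSG with MAC checking
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 10
 ip arp inspection limit rate 15 burst interval 1
 switchport port-security
 ip verify source port-security
!
! Fixed-IP host port: static binding so IPSG admits it without a lease
ip source binding 0011.2233.4455 vlan 10 10.1.10.50 interface GigabitEthernet0/2
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 ip verify source
```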

=802.1x Using EAP=

EAP messages are encapsulated inside an Ethernet frame when sent between the user and the switch. These frames are called EAP over LAN, or EAPoL. The RADIUS server expects these messages to be formatted as a RADIUS attribute sitting inside a normal RADIUS message, and the switch performs this translation. Configuration resembles AAA:

 * 1) Enable AAA with the //**#aaa new-model**// command
 * 2) Define the RADIUS server with //**#radius-server host**// and //**#radius-server key**//
 * 3) Define the 802.1x authentication method with //**#aaa authentication dot1x default**//
 * 4) Enable dot1x globally with //**#dot1x system-auth-control**//
 * 5) Set each port to a role with //**#dot1x port-control [auto|force-authorized|force-unauthorized]**//
 * 6) The last two keywords do not perform 802.1x; they simply fix the port's authorized state

=Storm Control=

This is used to rate-limit traffic at layer 2. It can be configured with rising and falling thresholds for unicast, broadcast or multicast traffic, and each limit is configured on a per-port basis. If no falling threshold is specified, the switch resumes forwarding once the rate drops below the rising threshold.

Three actions can be taken against violating traffic. The default is to discard all excess traffic; the others are to shut down the port or send an SNMP trap.

It is configured with the //**#storm-control level**// interface subcommand. Actions are configured with //**#storm-control action**//.
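The six 802.1x steps and the storm control thresholds above, applied to the same access ports, as an added example configuration that is not from the original page; addresses, the RADIUS key and interface numbers are made up:

```cisco
! Added example, not from the page: addresses, key and interface numbers are made up.
! Steps 1-4: AAA, RADIUS server, dot1x method list, global enable
aaa new-model
radius-server host 192.0.2.20 auth-port 1812 acct-port 1813
radius-server key RadiusExampleKey1
aaa authentication dot1x default group radius
dot1x system-auth-control
!
! Step 5, auto: the port stays unauthorized until the supplicant's EAPoL
! exchange is relayed to RADIUS and accepted
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 dot1x pae authenticator
 dot1x port-control auto
 ! storm control on the same port: broadcast suppressed above 5% of bandwidth,
 ! resumed below 2%; multicast has no falling threshold so it resumes below 10%;
 ! unicast limits given in packets per second
 storm-control broadcast level 5.00 2.00
 storm-control multicast level 10.00
 storm-control unicast level pps 5k 2k
 ! excess is always dropped; this additionally raises an SNMP trap
 storm-control action trap
!
! Printer with no supplicant: authorized without 802.1x
interface GigabitEthernet0/5
 switchport mode access
 switchport access vlan 20
 dot1x port-control force-authorized
!
! Port that must never pass traffic regardless of who plugs in
interface GigabitEthernet0/6
 switchport mode access
 dot1x port-control force-unauthorized
```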

=Layer 3 Security=

The following layer 3 security precautions are recommended:

 * 1) Secure Telnet access or, better, use SSH
 * 2) Enable SNMP security, specifically SNMPv3
 * 3) Turn off all unnecessary services
 * 4) Turn on logging to provide an audit trail
 * 5) Enable routing protocol authentication
 * 6) Enable CEF to avoid flow-based switching paths

Some additional precautions are recommended in RFCs:

 * 1) If a company has registered a specific prefix, packets arriving from outside with a source IP in that prefix should not be allowed into that AS (ingress filtering against spoofing)
 * 2) Packets should always carry a valid source IP address
 * 3) Directed broadcasts should not be allowed (//**#no ip directed-broadcast**//)
 * 4) RPF checks should be performed on incoming packets with the interface subcommand //**#ip verify unicast source reachable-via {rx|any} [allow-default] [allow-self-ping]**//:
  * Strict RPF: the **rx** keyword checks that the interface the packet arrived on matches the interface of the route back to the source
  * Loose RPF: the **any** keyword just checks for any matching route
  * By default, default routes are not considered (**allow-default** changes this)
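The layer 3 precautions above (SSH, SNMPv3, logging, routing authentication, CEF, directed broadcasts and both uRPF modes) in one router configuration, as an added example that is not from the original page; hostnames, addresses and keys are made up:

```cisco
! Added example, not from the page: hostnames, addresses and keys are made up.
! Management plane: SSH only, unneeded services off
ip domain-name example.net
! (exec mode) crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 4
 transport input ssh
 exec-timeout 10 0
no ip http server
no service tcp-small-servers
no service udp-small-servers
no ip finger
no ip bootp server
no service pad
!
! SNMPv3 with authentication and privacy; no community strings
snmp-server group NMS-ADMINS v3 priv
snmp-server user nmsadmin NMS-ADMINS v3 auth sha SnmpAuthExample1 priv aes 128 SnmpPrivExample1
!
! Logging for an audit trail
service timestamps log datetime msec localtime show-timezone
logging buffered 65536 informational
logging host 192.0.2.50
logging trap informational
!
! Routing protocol authentication (OSPF area 0, MD5)
router ospf 1
 area 0 authentication message-digest
interface GigabitEthernet0/1
 ip ospf message-digest-key 1 md5 OspfKeyExample1
!
! Forwarding plane: CEF (required for uRPF) and per-interface checks
ip cef
interface GigabitEthernet0/0
 description Internet uplink, single path: strict uRPF
 ip verify unicast source reachable-via rx
 no ip directed-broadcast
 no ip redirects
 no ip proxy-arp
interface GigabitEthernet0/2
 description second upstream, asymmetric paths: loose uRPF
 ip verify unicast source reachable-via any
```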



=Context based access control=

CBAC inspects layer 3 traffic and dynamically alters firewall rules (ACL entries) accordingly. It works on top of UDP and TCP. Some caveats apply:

 * CBAC runs after ACLs, so if an interface ACL blocks traffic, CBAC will not be able to inspect it.
 * Cannot protect against attacks that originate inside the network
 * ONLY looks at TCP and UDP traffic
 * Does not inspect traffic destined to the firewall itself, only traffic that traverses it
 * Has restrictions for handling encrypted traffic

Steps to configure:

 * 1) Choose an interface and direction
 * 2) Configure an ACL for that interface
 * 3) Configure global timeouts and thresholds using the //**#ip inspect**// command
 * 4) Configure an inspection rule with //**#ip inspect name**//
 * 5) Apply the inspection rule to the interface with //**#ip inspect rule-name in**//
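The five CBAC steps above on a two-interface router, as an added example configuration that is not from the original page; addresses, interface and rule names are made up:

```cisco
! Added example, not from the page: addresses and names are made up.
! Step 3: global timeouts and thresholds
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
ip inspect tcp synwait-time 20
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
!
! Step 4: inspection rule listing what inside hosts may initiate
ip inspect name FW-OUT tcp
ip inspect name FW-OUT udp
ip inspect name FW-OUT http
ip inspect name FW-OUT ftp
!
! Step 2: ACL on the outside interface. Return traffic for inspected sessions
! is admitted by temporary entries CBAC adds; everything else is denied.
ip access-list extended OUTSIDE-IN
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip any any log
!
! Steps 1 and 5: inspect inbound on the inside interface, so sessions are
! tracked before they reach the outside ACL. No inbound ACL here: CBAC runs
! after ACLs, so a blocking ACL would hide the traffic from inspection.
interface FastEthernet0/1
 description inside LAN
 ip address 10.1.1.1 255.255.255.0
 ip inspect FW-OUT in
!
interface Serial0/0
 description outside
 ip address 198.51.100.2 255.255.255.252
 ip access-group OUTSIDE-IN in
```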

=Dynamic Multipoint VPN=

DMVPN makes IPsec scale better in hub-and-spoke environments. With this solution, the hub router is configured with a single mGRE tunnel interface and a set of profiles that apply to all spoke routers. It also supports multicast traffic. The benefits of DMVPN include:

 * Simpler hub router configuration
 * The hub does not require configuration changes when a new spoke router is brought up
 * Automatic IPsec encryption, facilitated by the Next Hop Resolution Protocol (NHRP)
 * Dynamic addressing for spoke routers, in that the hub learns their addresses
 * Spoke routers can learn about each other and establish direct tunnels, avoiding decryption and re-encryption at the hub
 * VRF integration for MPLS environments

A dynamic routing protocol is required between the hub and spokes. The next hop for a spoke's prefixes is the tunnel interface IP of that spoke.

When a spoke router needs to talk to another spoke, it queries the NHRP server on the hub for the outside IP address of the destination spoke and establishes a dynamic IPsec tunnel over the mGRE tunnel interface. After the communication is complete, the IPsec tunnel is torn down.