Understanding Network Security Basics

The document discusses basic concepts of network security. It defines key terms like plain text, cipher text, encryption, decryption, cryptography, cryptanalysis and cryptology. Encryption can be done using symmetric or asymmetric keys and techniques like stream ciphers or block ciphers. Common attacks are also outlined such as passive attacks like traffic analysis and release of message contents, and active attacks like masquerade, replay, modification of messages, and denial of service. Security services like access control, authentication, confidentiality and integrity are also defined. Specific encryption techniques like the Caesar cipher and Playfair cipher are also mentioned.

Uploaded by

Zahid Rasool

Network Security

Instructor: K-K-C
CCIE#44634

Basic Concept of Network Security

- A network is an interconnection: when we connect two or more nodes, the result is called a network.

- Nowadays almost everything is done over the Internet, so it is necessary to protect the data that is transferred between systems. The main concern of network security is therefore how to protect data as it travels over a network or the Internet.
Basic Terminology of Security

- Plain text: the name itself indicates normal text, which can be read by the user.

- Cipher text: the name itself indicates text that is not normal and cannot be read by the user.

Note: to provide security, the user should convert plain text to cipher text.

- Encryption: the process of converting plain text to cipher text. Done by the sender.

- Decryption: the process of converting cipher text to plain text. Done by the receiver.

- Cryptography: the study of encryption.

- Cryptanalysis: the study of decryption.

- Cryptology: the study of both encryption and decryption.
What is a Key?

- A key is a group of bits that plays the major role in encryption and in decryption.

- Whatever algorithm we choose for encryption and decryption, we require a key: it is through the key that we encrypt and decrypt the data.
Encryption

- Encryption can be done in two ways:

- 1. Stream cipher: encryption and decryption are done bit by bit. It is used for short messages.

- 2. Block cipher: a block is a group of bits, and encryption and decryption are done block by block. In a block cipher the first step is blocking and the second step is conversion.

- The block size depends on the algorithm: the data bits are first divided into blocks, and each block is then converted to cipher text (or, on decryption, back to plain text).
Encryption

- Encryption can be done by two mechanisms: 1. symmetric and 2. asymmetric.

- What is symmetric encryption? In this mechanism the same key is used for both the encryption and the decryption process. The key may be a single key or a group of keys; it is called the secret key and is denoted by Ks.

- What is asymmetric encryption? In this mechanism two independent keys are used, one for encryption and another for decryption. The two independent keys are also called a key pair: 1. the public key, denoted by Ku, and 2. the private key, denoted by Kr.

- Every user should have such a pair of keys for encryption and decryption.
Process of Encryption and Decryption

Plain text -> Encryption -> Cipher text    |    Cipher text -> Decryption -> Plain text
Attacks

- What is an attack? An attack is the gaining of access to data by an unauthorized person or user.

- Here "gaining" means accessing data, modifying data or destroying data.

- A useful means of classifying security attacks divides them into two types: passive attacks and active attacks.

- A passive attack attempts to learn or make use of information from the system but does not affect system resources.

- An active attack attempts to alter system resources or affect their operation.


Passive Attacks

- Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of the opponent is to obtain information that is being transmitted.

- There are two types of passive attacks: 1. release of message contents and 2. traffic analysis.


Release of Message Contents Attack

- The release of message contents is easily understood. A telephone conversation, an electronic mail message or a transferred file may contain sensitive or confidential information. We would like to prevent an opponent from learning the contents of these transmissions.

Traffic Analysis Attack

- Here, suppose we had a way of masking the contents of messages or other information traffic so that opponents, even if they captured the message, could not extract the information from it. The common technique for masking contents is encryption. Even with encryption protection in place, an opponent could still determine the location and identity of the communicating hosts and could observe the frequency and length of the messages being exchanged. This information might be useful in guessing the nature of the communication that was taking place.
Active Attacks

- Active attacks involve some modification of the data stream or the creation of a false stream and can be subdivided into four categories:

- Masquerade
- Replay
- Modification of messages
- Denial of service
Masquerade Attack

- A masquerade takes place when one entity pretends to be a different entity. A masquerade attack usually includes one of the other forms of active attack. For example, an authentication sequence can be captured and replayed after a valid authentication sequence has taken place, thus enabling an entity with few privileges to obtain extra privileges by impersonating an entity that has those privileges.

Replay Attack

- Replay involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.

Modification of Messages Attack

- This simply means that some portion of an authorized message is altered, or that messages are delayed or reordered, to produce an unauthorized effect. For example, a message meaning "Allow UserA to read confidential file accounts" is changed to "Allow UserB to read confidential file accounts".

Denial of Service Attack

- This attack prevents or inhibits the normal use or management of communication facilities. It may have a specific target; for example, an entity may suppress all messages directed to a particular destination. Another form of service denial is the disruption of an entire network, either by disabling the network or by overloading it with messages so as to degrade performance.
Security Services

- 1. Access control
- 2. Authentication
- 3. Confidentiality
- 4. Integrity

Access Control

- Access control means ensuring that access to assets is authorized and restricted based on business and security requirements.

Authentication

- Authentication verifies a claimed identity and proves that an individual or computer system is who or what it claims to be.

Confidentiality

- Confidentiality is roughly equivalent to privacy. Measures undertaken to ensure confidentiality are designed to prevent sensitive information from reaching the wrong people while making sure that the right people can in fact get it: access must be restricted to those authorized to view the data in question.

Integrity

- Integrity involves maintaining the consistency, accuracy and trustworthiness of data over its entire life cycle. Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by unauthorized people.
Don't Be Confused

- Authorization => what does the user want to do?

- Authentication => who is doing the actual work?

- ATM example

- Suppose you have an ATM card from a bank.

- Authorization => I am an authorized person and may get the services.

- Authentication => when I use the ATM, it prompts me for a PIN while I am doing the transaction.
Encryption Techniques

- Simple encryption techniques, also called conventional encryption techniques.

- There are two techniques in simple symmetric encryption: 1. substitution techniques and 2. transposition techniques.

Substitution Technique

- The name itself indicates that a plain text character is replaced by a cipher text character.

- Both the plain text and the cipher text are in the form of characters: every plain text character is replaced, or substituted, by a cipher text character.

- We will discuss two basic substitution techniques here; there are more:

- Caesar cipher
- Playfair cipher

- Note: the main drawback of this type of encryption is that it is used only for short messages. In other words, it is very vulnerable: it is very easy for an attacker to decrypt data encrypted with these methods.
Caesar Cipher

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26

- To find the cipher text we use a key, which can be any number.
- Remember that the same key is used both for encryption and for decryption.
- Key: numerical (K), with 1 < K < 26.
- Formula to find the cipher text of a plain text character: C = (P + K) mod 26
- Suppose we use key 4 for encryption and decryption and our plain text is JAN:

C(J) = (10 + 4) mod 26 = 14 = N
C(A) = (1 + 4) mod 26 = 5 = E
C(N) = (14 + 4) mod 26 = 18 = R

- The cipher text of JAN is NER.
What is the MOD Operator?

- If you want to study security, meaning encryption and decryption, you should know about the MOD operator.

- The MOD operator gives the remainder of a division.

- Example: if we divide 7 by 3, the remainder is 1.

- Example: if we divide 9 by 5, the remainder is 4.

- Using this modular operator we perform the Caesar cipher, which is a substitution technique.

- The plain text characters are substituted with cipher characters simply by adding the value of the plain text character to the given key; the character corresponding to the result is the cipher character.

- The main drawback of this technique is that there are only 26 keys, and there is an attack called a brute-force attack which checks each and every possibility to find the actual data.
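The Caesar cipher exactly as the slides define it (1-based letter values, C = (P + K) mod 26), together with the brute-force check the drawback refers to. This is an added example, not code from the slides; the handling of a mod result of 0 (read as 26 = Z) is an assumption needed to make the 1-based formula wrap correctly.

```python
"""Caesar cipher using the slide's 1-based letter numbering (A=1 ... Z=26)."""
import string

ALPHABET = string.ascii_uppercase


def letter_value(ch: str) -> int:
    """A -> 1, B -> 2, ..., Z -> 26, exactly as in the slide's table."""
    return ALPHABET.index(ch.upper()) + 1


def value_letter(value: int) -> str:
    """Inverse of letter_value. With 1-based numbering a mod result of 0 stands for 26 (Z)."""
    if value == 0:
        value = 26
    return ALPHABET[value - 1]


def caesar_encrypt(plaintext: str, key: int) -> str:
    """C = (P + K) mod 26, applied letter by letter; characters outside A-Z pass through unchanged."""
    out = []
    for ch in plaintext:
        if ch.upper() in ALPHABET:
            out.append(value_letter((letter_value(ch) + key) % 26))
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, key: int) -> str:
    """P = (C - K) mod 26: the same key, applied in the opposite direction (symmetric key)."""
    return caesar_encrypt(ciphertext, -key)


def brute_force(ciphertext: str) -> dict[int, str]:
    """Try every possible shift 1..25. With only 25 usable keys no cryptanalysis is needed:
    the real plain text is simply read off the list, which is why the slide calls it vulnerable."""
    return {k: caesar_decrypt(ciphertext, k) for k in range(1, 26)}


if __name__ == "__main__":
    # The slide's worked example: key 4, plain text JAN -> cipher text NER.
    assert caesar_encrypt("JAN", 4) == "NER"
    for key, guess in brute_force("NER").items():
        print(f"key {key:2d}: {guess}")
```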
Playfair Cipher

- First we need a key and a 5 by 5 table.
- First, fill the 5 by 5 table with the letters of the key, without any repeated character.
- Second, fill all the remaining boxes of the table with the letters of the alphabet that do not appear in the key.
- A 5 x 5 table gives 25 boxes, so we write I/J in one box to fit the 26 letters; that is, I and J are merged into one box.
- If the key has repeated letters, ignore the repeats.
- Divide the plain text into pairs of letters.
- If a pair consists of repeated letters, separate the repeated letters with a dummy letter.
- If both plain text letters of a pair are in the same row, replace each with the letter to its right.
- If they are in the same column, replace each with the letter beneath it.
- If they are in different rows and columns, replace each with the letter in its own row at the column of the other letter (the opposite corners of the rectangle).
Playfair Cipher

Suppose we have the key NETWORK and the plain text is HELLO. What will be the cipher text?

N E T W O
R K A B C
D F G H I/J
L M P Q S
U V X Y Z
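The Playfair rules from the previous slide, implemented so the NETWORK / HELLO question can be worked through (the table built from NETWORK matches the one above). This is an added example, not the slides' code; using X as the dummy letter (and Z when the doubled letter is X itself) is an assumption, since the slides only say "any dummy letter".

```python
"""Playfair cipher following the slide's rules: 5x5 table from the key, I/J merged, X as filler."""
import string

FILLER = "X"   # assumption: the slide allows any dummy letter; X is the customary choice


def build_table(key: str) -> list[list[str]]:
    """Key letters first (repeats ignored), then the unused letters of the alphabet; J is folded into I."""
    cells: list[str] = []
    for ch in (key + string.ascii_uppercase).upper():
        ch = "I" if ch == "J" else ch
        if ch.isalpha() and ch not in cells:
            cells.append(ch)
    return [cells[r * 5:(r + 1) * 5] for r in range(5)]   # 25 letters -> 5 rows of 5


def locate(table: list[list[str]], ch: str) -> tuple[int, int]:
    for r, row in enumerate(table):
        if ch in row:
            return r, row.index(ch)
    raise ValueError(f"{ch!r} is not in the table")


def make_pairs(plaintext: str) -> list[str]:
    """Split into digraphs; a doubled letter (LL) gets the filler inserted, an odd tail is padded."""
    letters = ["I" if c == "J" else c for c in plaintext.upper() if c.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else FILLER
        if a == b:
            b = "Z" if a == FILLER else FILLER   # XX would never terminate, so Z covers that one case
            i += 1
        else:
            i += 2
        pairs.append(a + b)
    return pairs


def _shift_pair(table: list[list[str]], a: str, b: str, step: int) -> str:
    """step=+1 encrypts (right / beneath), step=-1 decrypts (left / above)."""
    ra, ca = locate(table, a)
    rb, cb = locate(table, b)
    if ra == rb:                                          # same row
        return table[ra][(ca + step) % 5] + table[rb][(cb + step) % 5]
    if ca == cb:                                          # same column
        return table[(ra + step) % 5][ca] + table[(rb + step) % 5][cb]
    return table[ra][cb] + table[rb][ca]                  # rectangle: keep rows, swap columns


def playfair_encrypt(plaintext: str, key: str) -> str:
    table = build_table(key)
    return "".join(_shift_pair(table, p[0], p[1], +1) for p in make_pairs(plaintext))


def playfair_decrypt(ciphertext: str, key: str) -> str:
    """Returns the padded plain text; inserted fillers stay, because the rules cannot tell them apart."""
    table = build_table(key)
    pairs = [ciphertext[i:i + 2] for i in range(0, len(ciphertext), 2)]
    return "".join(_shift_pair(table, p[0], p[1], -1) for p in pairs)


if __name__ == "__main__":
    print(make_pairs("HELLO"), playfair_encrypt("HELLO", "NETWORK"))
```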
Transposition Technique

- In the transposition technique we only rearrange the order of the bits (or characters) to provide security.

- Remember: in the substitution technique we replaced plain text characters with cipher text characters to provide security.

- In the transposition technique nothing is replaced.

We have two basic types of transposition technique:

- 1. Rail fence cipher
- Example: plain text = (Hi how are you). What will be the cipher text?
- First, draw a line.
- Second, write the first character above the line and the second character below the line, and so on.
- Third, write out the characters of the upper line in sequence, followed by the characters of the lower line.

- The cipher text will be HHWRYUIOAEO.

- 2. Row transposition cipher

- First, consider the plain text and the key.
- The key must be numerical (digits 0-9) and each digit must be unique.
- Draw a table from the given key; depending on the key length it can be a 5 by 5 table or a 6 by 6 table.
- Then write your plain text into the table row by row.
- If boxes remain, fill them with any dummy characters.
- After this, write out the columns in the order given by the key.
Example of Row Transposition Cipher

Suppose our key is 4 3 1 2 5.

Plain text is Hi how are you.

What will be the cipher text?

4 3 1 2 5
H I H O W
A R E Y O
U X Y Z B

The cipher text will be HEYOYZIRXHAUWOB (the columns read in key order 1, 2, 3, 4, 5).

To provide more security, treat the above cipher text as plain text and then apply any other technique we have learned.
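Both transposition techniques from these slides, with their inverses, as an added example (not the slides' code). It reproduces the two worked results (HHWRYUIOAEO and HEYOYZIRXHAUWOB) and, per the closing advice, chains one cipher into the other; the column order used is the 4 3 1 2 5 header of the table, which is the order that yields the stated cipher text, and the dummy letters X Y Z B come from the same table.

```python
"""The two transposition ciphers from the slides: rail fence (two rails) and row transposition."""


def only_letters(text: str) -> list[str]:
    """The slides drop spaces and work on upper-case letters only."""
    return [c.upper() for c in text if c.isalpha()]


def rail_fence_encrypt(plaintext: str) -> str:
    """Letters alternate above and below the line; cipher text = top rail followed by bottom rail."""
    letters = only_letters(plaintext)
    return "".join(letters[0::2]) + "".join(letters[1::2])


def rail_fence_decrypt(ciphertext: str) -> str:
    top_len = (len(ciphertext) + 1) // 2      # the top rail holds the extra letter when the length is odd
    top, bottom = ciphertext[:top_len], ciphertext[top_len:]
    return "".join(top[i // 2] if i % 2 == 0 else bottom[i // 2] for i in range(len(ciphertext)))


def row_transposition_encrypt(plaintext: str, key: list[int], dummies: str = "XYZB") -> str:
    """Write the text row by row under the key digits, pad the last row with dummy letters,
    then read the columns in key order (the column under digit 1 first, then 2, ...)."""
    if len(set(key)) != len(key):
        raise ValueError("key digits must be unique")
    width = len(key)
    letters = only_letters(plaintext)
    pad = iter(dummies * width)               # the slide fills the spare boxes with X Y Z B
    while len(letters) % width:
        letters.append(next(pad))
    rows = [letters[i:i + width] for i in range(0, len(letters), width)]
    column_order = sorted(range(width), key=lambda c: key[c])   # column indexes sorted by key digit
    return "".join(row[c] for c in column_order for row in rows)


def row_transposition_decrypt(ciphertext: str, key: list[int]) -> str:
    """Undo the column read: rebuild each column from its slice, then read the rows. Dummies stay."""
    width = len(key)
    if len(ciphertext) % width:
        raise ValueError("cipher text length must be a multiple of the key length")
    height = len(ciphertext) // width
    column_order = sorted(range(width), key=lambda c: key[c])
    columns = {c: ciphertext[n * height:(n + 1) * height] for n, c in enumerate(column_order)}
    return "".join(columns[c][r] for r in range(height) for c in range(width))


def double_transposition(plaintext: str, key: list[int]) -> str:
    """The slide's closing advice: feed one cipher text into a second technique."""
    return rail_fence_encrypt(row_transposition_encrypt(plaintext, key))


if __name__ == "__main__":
    print(rail_fence_encrypt("Hi how are you"))
    print(row_transposition_encrypt("Hi how are you", [4, 3, 1, 2, 5]))
    print(double_transposition("Hi how are you", [4, 3, 1, 2, 5]))
```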
Block Cipher: Feistel Structure

- Most block cipher techniques follow the Feistel structure.
- How does the Feistel structure work?
- The first step is to divide the plain text block into two equal halves: the left half (L) and the right half (R).
- The second step is to apply a function to the right half.
- The function can be anything: any logical function, depending on the algorithm.
- Each application of the function uses a separate (round) key.
- The output of the function is XORed with the left half.
- The right half and the left half are then swapped.
- This whole process is called a round.
- Encryption is done in a number of rounds, which depends on the algorithm.
- More rounds give stronger security.
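A toy Feistel network that carries out the four steps above (split, F on the right half, XOR into the left half, swap) for a configurable number of rounds, and shows why decryption only needs the round keys in reverse order even when F itself cannot be inverted. This is an added example and not a real cipher; the round function and the key schedule are illustrative assumptions, not taken from any standard algorithm.

```python
"""A toy Feistel network: 32-bit block, two 16-bit halves, one round key per round."""

HALF_BITS = 16
HALF_MASK = (1 << HALF_BITS) - 1


def round_function(half: int, round_key: int) -> int:
    """F(R, K_i). Assumption for illustration only. It is deliberately NOT invertible (bits are
    shifted away), which is the point of the Feistel design: decryption never has to invert F."""
    mixed = ((half ^ round_key) * 0x9E37) & 0xFFFFFFFF
    return (mixed >> 3) & HALF_MASK


def derive_round_keys(key: int, rounds: int) -> list[int]:
    """Each round uses a separate key; here toy slices of the master key (not a real key schedule)."""
    return [((key >> (5 * i)) ^ (key << i) ^ (0x5A5A * (i + 1))) & HALF_MASK for i in range(rounds)]


def feistel_encrypt(block: int, round_keys: list[int]) -> int:
    left, right = block >> HALF_BITS, block & HALF_MASK      # step 1: split into L and R
    for k in round_keys:                                      # one round per round key
        f_out = round_function(right, k)                      # step 2: F applied to the right half
        left, right = right, left ^ f_out                     # step 3: L xor F; step 4: swap halves
    return (left << HALF_BITS) | right


def feistel_decrypt(block: int, round_keys: list[int]) -> int:
    """Same structure with the round keys reversed: each step undoes one swap and one XOR."""
    left, right = block >> HALF_BITS, block & HALF_MASK
    for k in reversed(round_keys):
        f_out = round_function(left, k)                       # this 'left' was the previous round's R
        left, right = right ^ f_out, left
    return (left << HALF_BITS) | right


if __name__ == "__main__":
    keys = derive_round_keys(0xC0FFEE12345678, 8)
    for plain in (0x00000000, 0xDEADBEEF, 0xFFFFFFFF):
        cipher = feistel_encrypt(plain, keys)
        assert feistel_decrypt(cipher, keys) == plain
        print(f"{plain:08x} -> {cipher:08x}")
```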
Accessing a Device Through the Console

- If we want to access a device through its console, we use a dedicated port called the console port, which is used for accessing the device.

- Why do we access a device through the console?

- We access a device in order to configure it and make it operational.

- We also have other ways of accessing a device for configuration: Telnet, SSH, HTTP and HTTPS.

- If we want to access a device through Telnet, SSH, HTTP or HTTPS, we need IP connectivity, and the chosen protocol must be properly configured on that device before we access it.

- The device should support the protocol being used.

Accessing a Device Through the Console Cable

- 1st, we need a computer or laptop.

- 2nd, we need a console cable.

- 3rd, we need a terminal program such as PuTTY, SecureCRT or Tera Term.

- If you are using a laptop you need a USB-to-serial (RS-232) converter, because laptops do not have a COM port.

Modes of Router and Switch

- We have six modes in a router and in a switch:

- 1st User EXEC mode: Router>  (type "enable" to leave it; 100% verification)

- 2nd Privileged EXEC mode: Router#  (type "configure terminal" to leave it; 99% verification, 1% configuration)

- 3rd Global configuration mode: Router(config)#  (100% configuration)

- 4th Specific configuration mode: Router(config-x)#  (100% configuration)

- 5th Setup mode

- 6th ROMMON mode
Securing Console Port Access

Router> enable
Router# configure terminal
Router(config)# line console 0
Router(config-line)# password cisco123
Router(config-line)# login
Router(config-line)# end
Router# show running-config


Enable Password and Enable Secret

Router> enable
Router# configure terminal
Router(config)# enable password khan123
Router(config)# enable secret jan123
Router(config)# end
Router# show running-config

Note: when both are configured, the enable secret takes precedence. The enable password is stored in a reversible form in the configuration, so the hashed enable secret is the one to rely on.


Making a Local Database (Username and Password)

Router> enable
Router# configure terminal
Router(config)# username khalid password khan
Router(config)# username khalid secret khan
Router(config)# line console 0
Router(config-line)# login local
Router(config-line)# end
Router# show running-config

Note: a user has either a password or a secret, not both; entering the secret form replaces the password form, and the hashed secret is the one to use.


What is Telnet?

- Telnet is a protocol used on the Internet or on a local area network to provide a bidirectional, interactive, text-oriented communication facility using a virtual terminal connection. User data is interspersed in-band with Telnet control information in an 8-bit byte-oriented data connection over the Transmission Control Protocol (TCP).

- Telnet was developed beginning in 1969 and standardized as Internet Engineering Task Force (IETF) Internet Standard STD 8, one of the first Internet standards. The name stands for "teletype network".

- Telnet uses port number 23.

- Telnet carries everything, including usernames and passwords, in clear text over the network, which is why SSH is preferred for device management.


Telnet Practical Lab

- First, we should assign IP addresses to the router, the switch and the PC.

- Assigning an IP address to the router:

Router> enable
Router# configure terminal
Router(config)# interface X
Router(config-if)# ip address [Link] [Link]
Router(config-if)# no shutdown

- Assigning an IP address to the switch:

Switch> enable
Switch# configure terminal
Switch(config)# interface vlan 1
Switch(config-if)# ip address [Link] [Link]
Switch(config-if)# no shutdown

- Second, we should set an enable or enable secret password on the router and switch:

Router> enable
Router# configure terminal
Router(config)# enable password nothing
Router(config)# enable secret everything

Switch> enable
Switch# configure terminal
Switch(config)# enable password nothing
Switch(config)# enable secret everything

- Third, we should enable Telnet on the router and switch:

Router> enable
Router# configure terminal
Router(config)# line vty 0 4
Router(config-line)# password saidalam
Router(config-line)# login

Switch> enable
Switch# configure terminal
Switch(config)# line vty 0 4
Switch(config-line)# password saidalam
Switch(config-line)# login
What is SSH?

- SSH, also known as Secure Shell or Secure Socket Shell, is a network protocol that gives users, particularly system administrators, a secure way to access a node over an unsecured network. SSH also refers to the suite of utilities that implement the SSH protocol. Secure Shell provides strong authentication and encrypted data communications between two nodes connecting over an open network such as the Internet. SSH is widely used by network administrators for managing systems and applications remotely, allowing them to log into another node over a network, execute commands and move files from one node to another.

- SSH uses port number 22.


SSH Practical Lab

- 1st, proper IP connectivity, which we discussed in the earlier slides.

- 2nd, configure a hostname.

- 3rd, configure a domain name.

- 4th, generate an RSA key (its size decides which SSH version is enabled).

- 5th, configure the VTY lines.

- 6th, create a username and password.


SSH Practical Lab (cont.)

Router> enable
Router# configure terminal
Router(config)# hostname R1
R1(config)# ip domain-name [Link]
R1(config)# crypto key generate rsa
The name for the keys will be: [Link]
Choose the size of the key modulus in the range of 360 to 4096 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.

- If you just press Enter at this prompt, SSHv1 is enabled with a 512-bit key.
- If you want to enable SSHv2, enter a key size above 762; the default is 768.
- If you enter 762, the router automatically adds 6 bits and enables SSH 1.9, also called key-append.
- SSH 1.9 means the router accepts both SSHv1 and SSHv2 packets.

SSH Practical Lab (cont.)

- If you want to enable only SSHv2, first set the key size above 768.
- Second, enter the command below. It means the router will accept only SSHv2 packets:

R1(config)# ip ssh version 2

R1(config)# line vty 0 4
R1(config-line)# transport input ssh
R1(config-line)# login local
R1(config-line)# exit
R1(config)# username hate privilege 15 secret love
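A small check over a saved running-config for the management-access weaknesses these labs address: a reversible enable password or username password where a secret should be used, a VTY line that still admits Telnet, a line with no login check, and no ip ssh version 2. This is an added example, not something from the slides or from Cisco; both sample configurations are constructed from the commands used in the labs above, and the checks encode the hardening the SSH lab applies.

```python
"""Audit a Cisco IOS running-config text for the weak management-access settings in these slides."""
import re

# Constructed sample: the Telnet lab, plus an 'enable password' and a plain 'username ... password'.
WEAK_CONFIG = """\
hostname R1
enable password khan123
enable secret jan123
username khalid password khan
username admin privilege 15 secret admin
line con 0
 password cisco123
 login
line vty 0 4
 password saidalam
 login
 transport input telnet ssh
"""

# Constructed sample: the same device after the SSH lab's settings are applied.
HARDENED_CONFIG = """\
hostname R1
enable secret jan123
username admin privilege 15 secret admin
ip ssh version 2
line con 0
 login local
line vty 0 4
 login local
 transport input ssh
"""


def line_stanzas(config: str) -> dict[str, list[str]]:
    """Group the indented sub-commands under each 'line ...' stanza (console, vty, aux)."""
    stanzas: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None                    # any other top-level command ends the stanza
    return stanzas


def audit_ios_config(config: str) -> list[str]:
    """Return one finding per weak setting; an empty list means every check passed."""
    findings: list[str] = []
    top_level = [l.strip() for l in config.splitlines() if not l.startswith(" ")]

    if any(l.startswith("enable password ") for l in top_level):
        findings.append("enable password is set: it is stored reversibly, keep only enable secret")
    for cmd in top_level:
        m = re.match(r"username (\S+) .*\bpassword\b", cmd)
        if m:
            findings.append(f"username {m.group(1)} uses 'password': use 'secret' (hashed) instead")
    if "ip ssh version 2" not in top_level:
        findings.append("ip ssh version 2 is not set: the device may still accept SSHv1")

    for name, subs in line_stanzas(config).items():
        if not any(s.startswith("login") for s in subs):
            findings.append(f"{name}: no 'login' or 'login local', so no password is checked")
        if name.startswith("line vty"):
            transports = [s for s in subs if s.startswith("transport input")]
            if not transports or any("telnet" in t or t.endswith(" all") for t in transports):
                findings.append(f"{name}: Telnet (cleartext) is allowed; set 'transport input ssh'")
            if "login local" not in subs and not any(s.startswith("login authentication") for s in subs):
                findings.append(f"{name}: uses a shared line password; prefer 'login local' or AAA")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]")
        for finding in audit_ios_config(cfg) or ["no findings"]:
            print("  -", finding)
```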


Privilege Levels in Cisco Routers and Switches

- Defining multiple customized privilege levels and assigning different commands to each level (and so to users) is what privilege levels are.
- There are 16 different privilege levels in Cisco IOS.
- The pre-defined levels are 0, 1 and 15.
- When you log in to a Cisco router under the default configuration, you are in user EXEC mode (level 1). From this mode you have access to some information about the router, such as the status of interfaces, and you can view routes in the routing table. However, you cannot make any changes or view the running configuration file.
- Because of these limitations, most Cisco router users immediately type enable to get out of user EXEC mode. By default, typing enable takes you to level 15, privileged EXEC mode. In Cisco IOS this level is equivalent to having root privileges in UNIX or administrator privileges in Windows. In other words, you have full access to the router.

Privilege Levels (cont.)

- User EXEC mode: privilege level 1.
- Privileged EXEC mode: privilege level 15.
- For networks maintained by just a few people, everyone typically has the password to get to privileged mode. But at some point those small and midsize companies may grow, and that is when privileges become more complicated.
- Many times it starts with a support group or a less senior administrator who needs limited access to something on the router. Perhaps they need to connect to routers to view the running configuration or reset interfaces.
- In such cases the person needs some level of access between level 1 and level 15. Remember the principle of least privilege: only give access to what is necessary and no more.
- There are so many possible ways to configure IOS users and privileges that I cannot possibly go into detail about each approach in a single article. Instead, let us focus on the basic commands you need to configure privileges.
Privilege Levels (cont.)

- show privilege: this command displays the current privilege level. Here is an example:

Router# show privilege
Current privilege level is 3

- enable: administrators typically use this command to go to privileged EXEC mode. However, it can also take you to any other privilege level. Here is an example:

Router# enable 1
Router> show privilege
Current privilege level is 1
Router>

- username: while this command configures users, it can also tell the IOS which privilege level the user will have when logging in. Here is an example:

Router(config)# username test privilege 3 password test

- privilege: this command configures certain commands to be available only at certain levels (see the next slides for examples).

- enable secret: by default this command creates the password to get to privilege level 15. However, you can also use it to create passwords for other privilege levels that you create. Here is an example:

Router(config)# enable secret level 5 level5pass
Creating Custom Privilege Levels

Router> enable
Router# configure terminal
Router(config)# enable secret cisco
Router(config)# enable secret level 2 khan
Router(config)# enable secret level 3 jan
Router(config)# privilege exec level 2 clock set
Router(config)# privilege exec level 2 show run
Router(config)# privilege exec level 2 configure terminal
Router(config)# privilege configure level 2 interface
Router(config)# privilege configure level 2 hostname
Router(config)# privilege configure level 2 router rip
Router(config)# privilege interface level 2 ip address
Router(config)# privilege interface level 2 no shutdown
Router(config)# privilege router level 2 network
Router(config)# privilege router level 2 no auto-summary
Router(config)# privilege exec level 3 clock set
Router(config)# privilege exec level 3 show run

Apply the following on both the vty lines and the console line:

Router(config)# line vty 0 4
Router(config-line)# no privilege level 15
Router(config-line)# exit
Router(config)# line console 0
Router(config-line)# no privilege level 15

Creating a Custom Privilege Level with Username and Password

Router(config)# username khalid privilege 15 password khan
Router(config)# username khan privilege 4 password jan
Router(config)# privilege exec level 4 show run
Router(config)# privilege exec level 4 show clock
Router(config)# privilege configure level 4 hostname
Router(config)# privilege configure level 4 interface
Router(config)# privilege configure level 4 router ospf

Apply the following on both the vty lines and the console line:

Router(config)# line vty 0 4
Router(config-line)# no privilege level 15
Router(config-line)# login local
Router(config-line)# exit
Router(config)# line console 0
Router(config-line)# no privilege level 15
Router(config-line)# login local
Parser Views: Role-Based Access Control

- Cisco IOS CLI parser views provide much more granular access control than privilege levels. With them, network administrators can implement role-based CLI access (simply called RBAC, role-based access control). By implementing RBAC with parser views, administrators can limit which commands a user can see or run on Cisco routers and switches.

- Network administrators create CLI parser views and add the role-based commands to each view. A CLI parser view can be tied to a user, and when the user logs in with this view, they get only the commands configured for that view.

- There are three types of parser views:

- 1. Root view
- 2. CLI view
- 3. Superview

- The root view is the view that can configure all commands; it has full authority on the box.

- A CLI view can run only the limited set of commands assigned to it from the root view; we create CLI views for the users.

- Suppose we have two users, User1 and User2: when User1 logs in, they cannot see User2's commands, and User2 cannot see User1's commands.

- A superview is a view that can run the commands of all the CLI views it contains, but cannot run root view commands.
Prerequisites for Creating Parser Views

- The device IOS must support parser views.

- An enable secret password must be configured on the device, or a privilege level 15 username and password must be configured.

- AAA must be enabled on the router using the Cisco IOS "aaa new-model" command.
Configuring a CLI View

- Step 01: enable AAA globally on the Cisco router/switch using "aaa new-model" and configure the password for privileged EXEC mode from global configuration mode.

R1> enable
R1# configure terminal
R1(config)# aaa new-model
R1(config)# aaa authentication login default local
R1(config)# aaa authorization exec default local
R1(config)# enable secret admin
R1(config)# username admin privilege 15 secret admin
R1(config)# line console 0
R1(config-line)# no privilege level 15
R1(config-line)# login authentication default

- Step 02: after enabling AAA and configuring the privilege level 15 password, you must move to the root view using the IOS CLI command "enable view" in order to configure other parser views. The root view is a CLI parser view that has all access privileges, similar to privilege level 15; it is used to create or modify other views. You have to provide the enable secret password (configured in the step above) to move to the root view.

User Access Verification

Username: admin
Password:
R1> enable view
Password:
R1# configure terminal
R1(config)# username user1 password user123
R1(config)# username user1 privilege 15 view User1 secret user1
R1(config)# parser view User1
R1(config-view)# secret user123
R1(config-view)# commands exec include configure terminal
R1(config-view)# commands exec include ping
R1(config-view)# commands exec include traceroute
R1(config-view)# commands exec include exit
R1(config-view)# commands configure include interface FastEthernet 0/0
R1(config-view)# commands configure include exit
R1(config-view)# commands interface include ip address
R1(config-view)# commands interface include no ip address
R1(config-view)# commands interface include shutdown
R1(config-view)# commands interface include no shutdown
R1(config-view)# commands interface include exit
R1(config-view)# exit
R1(config)# username user2 password user123
R1(config)# username user2 privilege 15 view User2 secret user2
R1(config)# parser view User2
R1(config-view)# secret user123
R1(config-view)# commands exec include configure terminal
R1(config-view)# commands exec include ping
R1(config-view)# commands exec include traceroute
R1(config-view)# commands exec include exit
R1(config-view)# commands configure include interface FastEthernet 0/0
R1(config-view)# commands configure include exit
R1(config-view)# commands interface include shutdown
R1(config-view)# commands interface include no shutdown
R1(config-view)# commands interface include exit
R1(config-view)# exit
Configuring a Superview

- First log in to the root view to create the superview.

R1(config)# parser view super superview
R1(config-view)# secret super
R1(config-view)# view User1
R1(config-view)# view User2
R1(config-view)# exit
R1(config)# end
R1# show parser view


AAA

- When it comes to network security, AAA is a requirement. Here is what each of the three is used for and why you should care:

- Authentication: identifies users by login and password, using a challenge-and-response methodology, before the user even gains access to the network. Depending on your security options, it can also support encryption.

- Authorization: after the initial authentication, authorization looks at what that authenticated user is allowed to do. RADIUS or TACACS+ security servers perform authorization for specific privileges by defining attribute-value (AV) pairs, which are specific to the individual user's rights. In Cisco IOS you can define AAA authorization with a named list or authorization method.

- Accounting: the last "A" is for accounting. It provides a way of collecting security information that you can use for billing, auditing and reporting. You can use accounting to see what users do once they are authenticated and authorized. For example, with accounting you can get a log of when users logged in and when they logged out.
RADIUS and TACACS+

- RADIUS (Remote Authentication Dial-In User Service) is an AAA protocol supported by all vendors. RADIUS was first developed by Livingston Enterprises Inc. in 1991, which later merged with Alcatel-Lucent. RADIUS later became an Internet Engineering Task Force (IETF) standard. Some RADIUS server implementations use UDP port 1812 for RADIUS authentication and UDP port 1813 for RADIUS accounting. Other implementations use UDP port 1645 for RADIUS authentication messages and UDP port 1646 for RADIUS accounting.

- TACACS+ is another AAA protocol. TACACS+ was developed by Cisco from TACACS (Terminal Access Controller Access-Control System, developed in 1984 for the U.S. Department of Defense). TACACS+ uses TCP and provides separate authentication, authorization and accounting services. The port used by TACACS+ is TCP 49.

- The RADIUS or TACACS+ protocol can provide central authentication for users, routers, switches or servers. If your network is growing and you are managing a large network environment, authentication using the local device user database and authorization using privilege level 15 is not a scalable solution. An AAA (Authentication, Authorization, Accounting) protocol like RADIUS or TACACS+ provides a better, centralized authentication solution in a big enterprise network.
RADIUS                                                   | TACACS+
Uses UDP as the transport-layer protocol                 | Uses TCP as the transport-layer protocol
Uses UDP ports 1812 and 1813 (or 1645 and 1646)          | Uses TCP port 49
Encrypts passwords only                                  | Encrypts the entire communication
Combines authentication and authorization                | Treats authentication, authorization and accounting separately
Open protocol supported by multiple vendors              | Cisco proprietary protocol
Light-weight protocol consuming fewer resources          | Heavy-weight protocol consuming more resources
Limited privilege-level control                          | Supports 15 privilege levels
Mainly used for network access                           | Mainly used for device administration
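The table row "RADIUS encrypts passwords only / TACACS+ encrypts the entire communication" can be seen on the wire. The following Python is an added example written for these notes, not code from the slides or from any vendor: it implements the RADIUS User-Password hiding of RFC 2865 (only that attribute is keyed; User-Name and the rest travel in the clear) and the TACACS+ body obfuscation of RFC 8907 (the whole packet body is XORed with a pseudo-pad derived from the shared secret and the header fields). The shared secret, Request Authenticator, session id, user name and password are constructed sample values.

```python
# Added example (not from the original slides): what "RADIUS encrypts passwords
# only" and "TACACS+ encrypts the entire communication" mean on the wire.
#
# RADIUS (RFC 2865, section 5.2) hides only the User-Password attribute with an
# MD5 keystream derived from the shared secret and the 16-byte Request
# Authenticator; attributes such as User-Name travel in the clear.
# TACACS+ (RFC 8907, section 4.5) XORs the whole packet body with a keystream
# derived from the shared secret and the header fields session_id, version and
# seq_no.  Shared secret, session id and sample data below are constructed.
import hashlib


def radius_hide_password(secret: bytes, request_authenticator: bytes, password: bytes) -> bytes:
    """Pad the password with NUL to a multiple of 16, then XOR each 16-byte chunk
    with MD5(secret + previous ciphertext chunk); the first chunk is keyed with
    the Request Authenticator instead of a previous chunk."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += chunk
        prev = chunk              # chaining: the next keystream depends on this chunk
    return bytes(hidden)


def radius_reveal_password(secret: bytes, request_authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of radius_hide_password (what the server does); strips the NUL padding."""
    revealed = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        revealed += bytes(c ^ k for c, k in zip(chunk, keystream))
        prev = chunk
    return bytes(revealed).rstrip(b"\x00")


def tacacs_pseudo_pad(secret: bytes, session_id: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 pseudo_pad: MD5_1 = MD5(session_id + key + version + seq_no),
    MD5_n = MD5(session_id + key + version + seq_no + MD5_{n-1}), concatenated
    and truncated to the body length."""
    if len(session_id) != 4:
        raise ValueError("session_id is the 4-octet header field")
    prefix = session_id + secret + bytes([version, seq_no])
    pad = bytearray()
    prev = b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return bytes(pad[:length])


def tacacs_obfuscate(secret: bytes, session_id: bytes, version: int, seq_no: int, body: bytes) -> bytes:
    """Body XOR pseudo_pad.  Applying it again with the same header fields restores
    the body, because XOR is its own inverse."""
    pad = tacacs_pseudo_pad(secret, session_id, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def demo() -> dict:
    """Run both mechanisms on constructed sample data and report what stays visible."""
    secret = b"demo-shared-secret"                    # constructed
    request_authenticator = bytes(range(16))          # constructed; random per request in real RADIUS
    user_name = b"alice"                              # RADIUS User-Name attribute: sent in the clear
    password = b"correct horse battery"               # constructed, 21 octets -> padded to 32
    hidden = radius_hide_password(secret, request_authenticator, password)

    session_id = b"\x01\x02\x03\x04"                  # constructed TACACS+ header field
    version, seq_no = 0xC0, 1                         # major version 0xc, minor 0; first packet
    body = b"user=alice password=correct horse battery"   # constructed body
    obfuscated = tacacs_obfuscate(secret, session_id, version, seq_no, body)

    return {
        "radius_user_name_in_clear": user_name,
        "radius_hidden_len": len(hidden),
        "radius_round_trip": radius_reveal_password(secret, request_authenticator, hidden) == password,
        "tacacs_body_visible": body in obfuscated,
        "tacacs_round_trip": tacacs_obfuscate(secret, session_id, version, seq_no, obfuscated) == body,
    }


if __name__ == "__main__":
    print(demo())
```

Both keystreams are MD5-based and keyed only by the shared secret, which is why the strength of either protocol on the wire rests on that secret being long and unguessable; the difference the table records is scope (one attribute versus the whole body), not algorithm strength.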
AAA Cont.
 Why every network admin should care about AAA
 Besides passing certification tests like the Cisco CCNA Security, AAA is a critical
piece of network infrastructure. AAA is what keeps your network secure by
making sure only the right users are authenticated, that those users have access
only to the right network resources, and that those users are logged as they go
about their business.
 How do you configure AAA in the Cisco IOS?
 Here are the steps to configuring AAA:
 Enable AAA
 Configure authentication, using RADIUS or TACACS+
 Define the method lists for authentication
 Apply the method lists per line / per interface
AAA Practical Lab in Packet Tracer
 In Packet Tracer only authentication is supported; authorization and accounting are not.
 For full feature support we will use Cisco ACS or ISE.
 1st: configure your server with the proper service (TACACS+ or RADIUS).
 2nd: configure the username and password on the server.


AAA Practical Lab in Packet Tracer Cont.
 (Local database)
 1 Create a username and password
 (username cisco password cisco123)

 2 Enable AAA
 (aaa new-model)
 (aaa authentication login default local)

 3 Implement
 (line console 0)
 (login authentication default)

 (line vty 0 4)
 (login authentication default)
AAA Practical Lab in Packet Tracer Cont.
 (TACACS+ server)
 1 First configure the TACACS+ server
 2 Configure the router
 (tacacs-server key cisco)
 (tacacs-server host [Link])
 (aaa new-model)
 (aaa authentication login default group tacacs+ local)
 3 Implement
 (line console 0)
 (login authentication default)
 (line vty 0 4)
 (login authentication default)
AAA Practical Lab in Packet Tracer Cont.
 (RADIUS server)
 1 First configure the RADIUS server
 2 Configure the router
 (radius-server key cisco)
 (radius-server host [Link])
 (aaa new-model)
 (aaa authentication login default group radius local)
 3 Implement
 (line console 0)
 (login authentication default)
 (line vty 0 4)
 (login authentication default)
MAC Address Overflow Attack
 A MAC address flooding attack (CAM table flooding attack) is a type of network
attack where an attacker connected to a switch port floods the switch
interface with a very large number of Ethernet frames, each with a different fake
source MAC address.
 This type of attack is also known as a CAM table overflow attack. Within a very
short time the switch's MAC address table is full of fake MAC address/port
mappings. A switch's MAC address table has only a limited amount of memory, so
the switch cannot save any more MAC addresses in its table.
 Once the switch's MAC address table is full and it cannot save any more MAC
addresses, it enters a fail-open mode and starts behaving like a network hub:
frames are flooded out of all ports, similar to broadcast communication.
 What does the attacker gain? The attacker's machine is delivered all the frames
exchanged between the victim and other machines, so the attacker can capture
sensitive data from the network.
 macof –i eth0
How to Prevent a MAC Overflow Attack
 Cisco switches have a built-in security feature against MAC flooding attacks
called Port Security.

What is Port Security?
 By default, all interfaces on a Cisco switch are turned on. That
means that an attacker could connect to your network through
a wall socket and potentially threaten your network. If you
know which devices will be connected to which ports, you can
use the Cisco security feature called port security. By using
port security, a network administrator can associate specific
MAC addresses with the interface, which prevents an
attacker from connecting their own device. This way you can restrict
access to an interface so that only the authorized devices can
use it. If an unauthorized device is connected, you can decide
what action the switch will take, for example discarding the
traffic and shutting down the port.
Configuring Port-Security
 To configure port security, three steps are required:
 1. Define the interface as an access interface by using the (switchport mode access)
interface subcommand.
 2. Enable port security by using the (switchport port-security) interface subcommand.
 3. Define which MAC addresses are allowed to send frames through this interface by
using the (switchport port-security mac-address MAC_ADDRESS) interface
subcommand, or use the (switchport port-security mac-address sticky) interface
subcommand to dynamically learn the MAC address of the currently connected host.
Configuring Port-Security Cont.
 Two steps are optional:
 1. Define what action the switch will take when receiving a frame from an
unauthorized device by using the (switchport port-security violation {protect |
restrict | shutdown}) interface subcommand. All three options discard the
traffic from the unauthorized device. The restrict and shutdown options also send
a log message when a violation occurs. Shutdown mode additionally shuts down the
port.
 2. Define the maximum number of MAC addresses that can be used on the
port by using the (switchport port-security maximum NUMBER) interface
subcommand.
 The following example shows the configuration of port security on a Cisco
switch:
 The default violation mode is shutdown.
 The default maximum number of allowed MAC addresses is one.
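To make the two preceding sections concrete (why a full MAC table turns the switch into a hub, and what `maximum` and the three violation modes do), here is a toy switch model in Python. It is an added example written for these notes, not Cisco code or code from the slides; port names, MAC addresses, the 3-entry table size and the log message text are constructed for the demo, and the defaults (maximum 1, violation shutdown) mirror the IOS defaults stated above.

```python
# Added example (not from the original slides): a toy switch model that shows why
# a full MAC address table makes the switch flood like a hub, and how port
# security with `maximum` and the protect / restrict / shutdown violation modes
# stops the flood at the offending port.  Port names, MAC addresses and the
# 3-entry table size are constructed for the demo; a real switch holds thousands
# of entries but the mechanism is the same.
from collections import defaultdict

PROTECT, RESTRICT, SHUTDOWN = "protect", "restrict", "shutdown"
BROADCAST = "ffff.ffff.ffff"


class PortSecurity:
    """Per-port settings; the defaults mirror IOS: maximum 1, violation shutdown."""

    def __init__(self, maximum=1, violation=SHUTDOWN, sticky=False, allowed=()):
        if violation not in (PROTECT, RESTRICT, SHUTDOWN):
            raise ValueError("violation must be protect, restrict or shutdown")
        self.maximum = maximum
        self.violation = violation
        self.sticky = sticky          # sticky: learned addresses are kept in the running config
        self.allowed = set(allowed)   # statically configured secure MACs


class Switch:
    def __init__(self, ports, table_size):
        self.ports = list(ports)
        self.table_size = table_size
        self.mac_table = {}           # MAC -> port (the CAM table)
        self.security = {}            # port -> PortSecurity
        self.err_disabled = set()
        self.violations = defaultdict(int)
        self.syslog = []

    def enable_port_security(self, port, **settings):
        self.security[port] = PortSecurity(**settings)

    def _secure_source_ok(self, port, src):
        ps = self.security.get(port)
        if ps is None:
            return True                        # port security not enabled on this port
        if src in ps.allowed:
            return True
        if len(ps.allowed) < ps.maximum:
            ps.allowed.add(src)                # learn the first `maximum` addresses seen
            return True
        # Violation: unknown source and the secure address list is already full.
        self.violations[port] += 1
        if ps.violation in (RESTRICT, SHUTDOWN):
            self.syslog.append(f"PORT_SECURITY violation on {port} from {src}")  # constructed text
        if ps.violation == SHUTDOWN:
            self.err_disabled.add(port)        # err-disabled: the port stops passing traffic
        return False

    def receive(self, port, src, dst):
        """Process one frame; return the list of ports it is forwarded out of."""
        if port in self.err_disabled or not self._secure_source_ok(port, src):
            return []
        if src not in self.mac_table and len(self.mac_table) < self.table_size:
            self.mac_table[src] = port         # learning silently stops once the table is full
        if dst in self.mac_table:
            return [self.mac_table[dst]]       # known unicast: one port
        return [p for p in self.ports if p != port]   # unknown/broadcast: flood everywhere else

    def errdisable_recover(self, port):
        """shutdown / no shutdown, or the errdisable recovery timer expiring."""
        self.err_disabled.discard(port)


def flooding_demo(port_security_enabled: bool) -> dict:
    """Attacker on Fa0/1 sends frames with 3 fake sources; PC1 on Fa0/2 then talks;
    finally Fa0/3 sends a frame to PC1.  Returns where that last frame went."""
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"], table_size=3)
    pc1 = "0000.aaaa.0002"                                         # constructed
    if port_security_enabled:
        sw.enable_port_security("Fa0/1", maximum=1, violation=SHUTDOWN)
    for i in range(3):
        sw.receive("Fa0/1", f"0000.bad0.{i:04x}", BROADCAST)       # constructed fake sources
    sw.receive("Fa0/2", pc1, BROADCAST)                            # PC1 tries to get learned
    return {
        "egress_for_frame_to_pc1": sw.receive("Fa0/3", "0000.aaaa.0003", pc1),
        "pc1_learned": pc1 in sw.mac_table,
        "err_disabled": sorted(sw.err_disabled),
        "violations_fa0_1": sw.violations["Fa0/1"],
    }


if __name__ == "__main__":
    print("without port security:", flooding_demo(False))
    print("with port security:   ", flooding_demo(True))
```

Without port security the frame addressed to PC1 is flooded to every port, including the attacker's, because PC1's address could not be learned; with `maximum 1` and `violation shutdown` on Fa0/1 the second fake source puts the port in the err-disabled state, PC1 is learned normally, and the frame goes out of Fa0/2 only.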
Port-Security-Practical-Lab
 Suppose we have the topology below. We want port fa0/1 to allow only PC1's
MAC address. If PC2 is plugged into Fa0/1, PC2 should not be allowed to join.
Port-Security-Practical-Lab Cont.
 Switch> enable
 Switch# configure terminal
 Switch(config)# interface FastEthernet 0/1
 Switch(config-if)# switchport mode access
 (compulsory)
 Switch(config-if)# switchport access vlan X
 (optional; if not provided the port stays in VLAN 1)
 Switch(config-if)# switchport port-security
 (compulsory; otherwise port security is not enabled on the port)
 Switch(config-if)# switchport port-security maximum 5
 (optional; if not provided only one MAC address is allowed)
 Switch(config-if)# switchport port-security violation shutdown
 (optional; if not provided the default is shutdown)
 Switch(config-if)# switchport port-security mac-address [Link].1111
 (optional; if not provided the first MAC address seen is allowed)
Port-Security-Practical-Lab Cont.
 Switch(config-if)# switchport port-security mac-address sticky
 (optional; with this command the switch automatically learns MAC addresses
and puts them in the allowed list)

 The following commands are used for checking and troubleshooting port security.
 Switch# show port-security address
 Switch# show port-security interface fastEthernet 1/0/21
Error-Disable-Recovery
 Whenever a violation occurs the switch puts the port in the error-disabled state.
 A port in the error-disabled state no longer sends or receives data.
 When does a port go into the error-disabled state?
 1 When the port-security violation mode is set to shutdown and a violation occurs.
 A port can be recovered from the error-disabled state in two ways:
 1 Manually  2 Automatically
Error-Disable-Recovery Cont.
 1 Manually
 Switch> enable
 Switch# configure terminal
 Switch(config)# interface FastEthernet 0/1
 Switch(config-if)# shutdown
 Switch(config-if)# no shutdown
Error-Disable-Recovery Cont.
 2 Automatically
 Switch> enable
 Switch# configure terminal
 Switch(config)# errdisable recovery cause psecure-violation
 Switch(config)# errdisable recovery interval 60
 Switch# show errdisable recovery


Access-Control-List
ACL
 An ACL is a set of rules that permits or denies specific traffic moving through the
router.
 It is a Layer 3 security mechanism that controls the flow of traffic from one network to
another.
 It is also called a packet-filtering firewall.


Types of Access-List
Differences Between Standard and Extended
Standard ACL                                   | Extended ACL
The access-list number range is 1-99.          | The access-list number range is 100-199.
Can block a network, host or subnet.           | Can permit or deny a network, host, subnet and services.
All services are blocked.                      | Selected services can be blocked.
Implemented closest to the destination.        | Implemented closest to the source.
Filtering is based on source IP address only.  | Filtering is based on source IP, destination IP, protocol and port number.
Standard ACL LAB
Standard ACL LAB Cont.
 1st Assign the IP addresses to the routers and switches.
 2nd Configure routing between the routers.
 3rd Configure the proper services on the servers.

 Configuring routing in routers
 R1(config)# ip route [Link] [Link] [Link]
 R1(config)# ip route [Link] [Link] [Link]
 R2(config)# ip route [Link] [Link] [Link]
 R2(config)# ip route [Link] [Link] [Link]
 R3(config)# ip route [Link] [Link] [Link]
 R3(config)# ip route [Link] [Link] [Link]
Standard ACL LAB Cont.
Task: Configure the appropriate router as per the rules given.
1=> Deny the host [Link] communicating with [Link]
2=> Deny the host [Link] communicating with [Link]
3=> Deny the network [Link] communicating with [Link]
Note: The above ACL rules should not affect any other communication.

Creating a standard numbered access-list
Router(config)# access-list <acl-number> <permit|deny> <source address> <source wildcard mask>

Creating a standard numbered ACL
 R2> enable
 R2# configure terminal
 R2(config)# access-list 15 deny [Link] [Link]
 R2(config)# access-list 15 deny host [Link]
 R2(config)# access-list 15 deny [Link] [Link]
 R2(config)# access-list 15 permit any
 R2(config)# interface FastEthernet 0/0
 R2(config-if)# ip access-group 15 out
 R2# show access-lists

Standard ACL LAB Cont.
 To write an ACL statement:
 Decide on which router to implement the ACL.
 Identify the source and destination.
 Decide the direction (in/out).
 Ensure that the router on which you implement the ACL is a transit router for the traffic.
 Think of your router as the destination: traffic arriving from the source is inbound.
Wild Card Mask
 Tells the router which bits to match and which to ignore.
 0 = must match, 1 = ignore
 The wildcard mask for a network is the inverse of its subnet mask.
 The wildcard mask for a single host is always [Link]
Understanding in/out
Access-list Rules
 Entries are processed in sequential order.
 All deny statements should be given first (preferable in most cases).
 There must be at least one permit statement (mandatory).
 An implicit deny blocks all traffic by default when there is no match (an invisible
statement at the end of the list).
 You can have one access-list per interface per direction.
 That means two access-lists per interface: one in the inbound direction and one in the
outbound direction.
 Any time a new entry is added to an access-list it is placed at the bottom of the list.
 Using a text editor for access lists is highly suggested.
 You cannot remove one line from a numbered access list.
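The wildcard-mask rules and the access-list rules above can be checked by evaluating a standard ACL the way a router does. The Python below is an added example for these notes, not code from the slides or from Cisco: it parses `access-list` lines in the lab's syntax, derives wildcard masks from subnet masks and prefix lengths, and applies sequential first-match evaluation with the implicit deny at the end. The ACL entries and the packet addresses it uses are constructed (RFC 5737 documentation ranges), not the lab's own values, and it also handles a non-contiguous wildcard, which the slides do not cover.

```python
# Added example (not from the original slides): how a router evaluates a
# standard numbered ACL.  It parses `access-list` lines like the ones in the
# lab, builds wildcard masks, and applies the rules the slides list: entries
# are checked in order, first match wins, and an unmatched packet hits the
# implicit deny.  All addresses below are constructed (RFC 5737 documentation
# ranges), not the lab's own.
import ipaddress
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF


def ip_to_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def int_to_ip(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_from_mask(subnet_mask: str) -> str:
    """The wildcard mask for a network is the inverse of its subnet mask."""
    return int_to_ip(ALL_ONES ^ ip_to_int(subnet_mask))


def wildcard_from_prefix(prefix_len: int) -> str:
    """Same thing from a CIDR length: /24 -> 0.0.0.255, /32 (one host) -> 0.0.0.0."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    subnet_mask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return int_to_ip(ALL_ONES ^ subnet_mask)


def addresses_matched(wildcard: str) -> int:
    """Each 1 bit in the wildcard is ignored, so it doubles the addresses matched."""
    return 2 ** bin(ip_to_int(wildcard)).count("1")


def matches(packet_ip: str, address: str, wildcard: str) -> bool:
    """0 bit = must match, 1 bit = ignore; bitwise, so non-contiguous masks work too."""
    care_bits = ALL_ONES ^ ip_to_int(wildcard)
    return (ip_to_int(packet_ip) ^ ip_to_int(address)) & care_bits == 0


@dataclass
class Ace:
    action: str          # "permit" or "deny"
    address: str
    wildcard: str


def parse_ace(line: str) -> Ace:
    """Accepts: access-list N {permit|deny} any | host A | A W | A (W defaults to 0.0.0.0)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACL entry: {line!r}")
    number = int(tokens[1])
    if not 1 <= number <= 99:
        raise ValueError("standard numbered ACLs use the range 1-99")
    action, source = tokens[2], tokens[3:]
    if source == ["any"]:
        return Ace(action, "0.0.0.0", "255.255.255.255")
    if source[0] == "host":
        return Ace(action, source[1], "0.0.0.0")
    return Ace(action, source[0], source[1] if len(source) > 1 else "0.0.0.0")


def evaluate(acl: list, src_ip: str) -> str:
    """Sequential first-match evaluation; the invisible last entry is `deny any`."""
    for ace in acl:
        if matches(src_ip, ace.address, ace.wildcard):
            return ace.action
    return "deny"   # implicit deny


# Constructed ACL in the lab's style: deny one host and one /24, permit everything else.
LAB_ACL = [parse_ace(line) for line in [
    "access-list 15 deny host 192.0.2.10",
    "access-list 15 deny 198.51.100.0 0.0.0.255",
    "access-list 15 permit any",
]]

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "198.51.100.200", "203.0.113.1"):
        print(ip, evaluate(LAB_ACL, ip))
```

Two of the rules are visible directly in `evaluate`: an ACL made only of deny entries denies everything because of the implicit deny, and putting `permit any` before a deny makes the deny unreachable, which is why the slides advise listing deny statements first.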
