Securing Network Devices

Overview

One of the first things a security-minded network engineer or administrator needs to do is secure administrative access to the network devices: routers, firewalls, switches, servers, and so on. The CCNA Security curriculum goes much further than CCNA Exploration in explaining the different methods of securing access to network devices. In addition to the command line interface (CLI), it also covers GUI management tools such as Cisco Router and Security Device Manager (SDM).

Video Tutorials

Packet Tracer is a fantastic tool provided to Cisco Academy students to learn how to configure and troubleshoot network devices. The following video tutorials cover the initial router configuration and how to secure access to both the local and remote management interfaces.

How to configure the console port (local access) and an IP address on the Ethernet interface for remote access

How to configure the VTY lines for remote Telnet access and set the enable password for privileged EXEC mode

How to improve password storage: type 7 encoding (service password-encryption, which only obscures passwords and is reversible) versus the MD5-hashed enable secret, which should always be used for the privileged EXEC password

Begin AAA by configuring local usernames whose passwords are stored as MD5 hashes (username ... secret)

Configure a minimum password length (security passwords min-length), an EXEC idle timeout (exec-timeout), and protection against login attacks (login block-for)
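The difference between the type 7 and MD5 options in the tutorials above is worth seeing in code. The following Python script is an added example written for this page, not code from the course, the tutorials or Cisco: it reverses type 7 strings using the fixed key that every IOS image shares, and scans a running-config for credential lines, flagging plaintext and type 7 passwords as recoverable while accepting type 5 secrets. The sample config, the usernames and the type 5 hash values in it are constructed for the example (the hashes are placeholders, not hashes of any real password).

```python
"""Audit credential storage in a Cisco IOS running-config.

Added example for this page, not code from the course or from Cisco.
Type 7 "encryption" (service password-encryption) is a fixed-key XOR
that anyone holding the config can reverse, whereas an enable secret /
username secret (type 5) is a salted one-way MD5-crypt hash that can be
verified but not decoded.  SAMPLE_CONFIG is constructed for the example;
the type 5 hashes in it are placeholders, not hashes of real passwords.
"""
from __future__ import annotations
import re

# The fixed key every IOS image uses for type 7; it is public knowledge,
# which is exactly why type 7 offers no real protection.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decrypt(encoded: str) -> str:
    """Reverse a type 7 string: two-digit key offset, then XOR'd hex bytes."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded.isalnum():
        raise ValueError("malformed type 7 string")
    offset = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                  for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encrypt(plain: str, offset: int = 9) -> str:
    """Produce a type 7 string. IOS picks the offset itself; 9 is arbitrary."""
    if not 0 <= offset <= 15:          # the range IOS is known to emit
        raise ValueError("offset must be 0-15")
    hexbytes = "".join(f"{ord(c) ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]:02X}"
                       for i, c in enumerate(plain))
    return f"{offset:02d}{hexbytes}"


# enable password|secret, username X [privilege N] password|secret, or a
# bare line password; the optional single digit is the storage type.
CRED_LINE = re.compile(
    r"^(?P<ctx>enable|username\s+\S+(?:\s+privilege\s+\d+)?)?\s*"
    r"(?P<kind>password|secret)\s+(?:(?P<ptype>\d)\s+)?(?P<value>\S+)$"
)


def audit_credentials(config: str) -> list:
    """Return (severity, message) for every credential line in the config."""
    findings = []
    for raw in config.splitlines():
        m = CRED_LINE.match(raw.strip())
        if not m:
            continue
        where = m["ctx"] or "line password"
        kind, ptype, value = m["kind"], m["ptype"], m["value"]
        if kind == "secret" and ptype == "5":
            findings.append(("OK", f"{where}: type 5 MD5-crypt hash, verify-only"))
        elif ptype == "7":
            findings.append(("CRITICAL", f"{where}: type 7 decodes to {type7_decrypt(value)!r}"))
        elif ptype in (None, "0"):
            findings.append(("CRITICAL", f"{where}: stored in plaintext: {value!r}"))
        else:
            findings.append(("WARN", f"{where}: unhandled password type {ptype}"))
    return findings


# Constructed sample running-config: a mix of weak and acceptable storage.
SAMPLE_CONFIG = """\
hostname R1
enable password cisco
enable secret 5 $1$4Xq2$Kp0Z3k1u7m9yS5Lc2aW1R/
username admin privilege 15 password 7 094F471A1A0A
username ops secret 5 $1$Wn8b$Zr1T6fQv0aHm4sDe2yKc9.
line con 0
 password 7 0822455D0A16
line vty 0 4
 password cisco123
"""

if __name__ == "__main__":
    for severity, message in audit_credentials(SAMPLE_CONFIG):
        print(f"{severity:9} {message}")
```

Run it against a saved show running-config to see what an attacker who obtains a config backup learns. The practical rule it illustrates: service password-encryption is worth enabling so passwords are not readable over someone's shoulder, but only enable secret and username ... secret actually protect the credential, and console and VTY line passwords should give way to login local against such accounts.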

Configure a Switch for SSH Secure Access

SSH Overview

The ability to remotely manage a Cisco switch or router is very important: network administrators are rarely sitting next to the device with a laptop and a console cable. A switch or router can be managed remotely over the network through a browser-based interface or, more commonly, through a terminal interface (the CLI). Cisco switches and routers can be configured to use Telnet or SSH for remote terminal access. Telnet is undesirable because it is an unencrypted protocol: usernames, passwords and every command cross the network in clear text, where anyone who can capture the traffic can read them. SSH is preferred because it authenticates the device with a key pair and encrypts the whole session. Use SSH version 2 (ip ssh version 2) and restrict the VTY lines to SSH only (transport input ssh) so that Telnet is not left enabled alongside it.

Video Tutorials

In the tutorial below, I use Packet Tracer to demonstrate how to configure a Cisco switch to accept SSH terminal connections. The tutorial covers creating a management VLAN, assigning switch ports to VLANs, configuring an IP address for the switch on a switched virtual interface (SVI), generating an RSA public/private key pair (which requires a non-default hostname and an ip domain-name to be set first), configuring the SSH server, and connecting from two different SSH clients.

Click here to download the starter file: CLI-SSHaccess-begin.zip
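As an added example (not code from the tutorial or from Cisco), the Python script below contains two constructed switch configurations, one that still accepts Telnet and one hardened to the SSH-only state the tutorial aims for, and a checker that can be pointed at a real saved running-config. Hostnames, addresses, the management VLAN number, the access-list name and the type 5 hash are assumptions made for the example.

```python
"""Check a Cisco IOS switch/router config for SSH-only remote management.

Added example for this page, not code from the course or from Cisco.
The two excerpts are constructed: WEAK_CONFIG is a switch that "works"
but still accepts Telnet on its VTY lines; HARDENED_CONFIG is the same
switch after the controls the tutorial covers are applied.  Hostnames,
addresses, the VLAN number, the ACL name and the placeholder type 5 hash
are illustrative assumptions.  'crypto key generate rsa' is an EXEC
command, so the RSA key never appears in the running-config; the check
therefore verifies its prerequisites (a non-default hostname and an
ip domain-name) rather than the key itself.
"""
import re

WEAK_CONFIG = """\
hostname S1
interface Vlan99
 ip address 192.168.99.2 255.255.255.0
line vty 0 15
 login local
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
hostname S1
ip domain-name example.com
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
username admin privilege 15 secret 5 $1$4Xq2$Kp0Z3k1u7m9yS5Lc2aW1R/
ip access-list standard MGMT-HOSTS
 permit 192.168.99.0 0.0.0.255
interface Vlan99
 ip address 192.168.99.2 255.255.255.0
line vty 0 15
 access-class MGMT-HOSTS in
 exec-timeout 5 0
 login local
 transport input ssh
"""

DEFAULT_HOSTNAMES = {"Router", "Switch"}


def vty_sections(config: str) -> list:
    """Return (header, [indented sub-commands]) for every 'line vty' block."""
    sections, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = (raw.strip(), [])
            sections.append(current)
        elif raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = None        # any other top-level command ends the block
    return sections


def check_ssh_hardening(config: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    top = [l for l in config.splitlines() if l and not l.startswith(" ")]

    host = next((l.split(None, 1)[1] for l in top if l.startswith("hostname ")), None)
    if host is None or host in DEFAULT_HOSTNAMES:
        findings.append("hostname not set: RSA key generation needs a real hostname")
    if not any(l.startswith("ip domain-name ") for l in top):
        findings.append("ip domain-name missing: required before crypto key generate rsa")
    if "ip ssh version 2" not in top:
        findings.append("ip ssh version 2 not set: protocol version 1 would still be accepted")
    if not any(re.match(r"username \S+ (privilege \d+ )?secret ", l) for l in top):
        findings.append("no 'username ... secret' account for login local")

    sections = vty_sections(config)
    if not sections:
        findings.append("no 'line vty' section found")
    for header, cmds in sections:
        transport = next((c for c in cmds if c.startswith("transport input")), None)
        if transport != "transport input ssh":
            findings.append(f"{header}: {transport or 'no transport input (platform default)'}, "
                            f"want 'transport input ssh'")
        if "login local" not in cmds and not any(c.startswith("login authentication") for c in cmds):
            findings.append(f"{header}: no 'login local' or 'login authentication'")
        if not any(c.startswith("access-class ") for c in cmds):
            findings.append(f"{header}: no access-class, any source address may try to log in")
        if not any(c.startswith("exec-timeout ") for c in cmds):
            findings.append(f"{header}: no explicit exec-timeout for idle sessions")
    return findings


if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK_CONFIG), ("HARDENED", HARDENED_CONFIG)):
        result = check_ssh_hardening(cfg)
        print(f"{name}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```

The weak configuration is the one that most often survives into production: SSH was enabled, but transport input was never narrowed, so Telnet still answers on the same lines, and without an access-class every address that can reach the management SVI may attempt a login.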

Background on Network Security

Network Security Overview

The Internet and the protocols that make it work were not designed with security in mind, which left ample opportunity for computer criminals, commonly called hackers, to take advantage of weaknesses in networks and software. Today cyber security, which covers Internet, network and software security, is one of the fastest growing fields in computer technology. Network professionals have had to play catch-up to counter the sophisticated exploitation tools now available even to novice attackers (so-called script kiddies). Some of the things a network security administrator needs to know today are:

• How to implement an intrusion detection system (IDS)

• How to implement an intrusion prevention system (IPS)

• How to configure standalone and integrated-services firewall devices, including packet-filtering firewalls, stateful firewalls, and zone-based firewalls

• How to keep aware of current trends and security threats through Professional Security Organizations

• How to create a network security policy that defines how employees of the company or organization will access and protect company data

• How to protect important data through encryption and cryptography

• The characteristics of viruses, worms, and trojan horses and how to defend against them

• The various types of network attacks including reconnaissance, access, and denial of service and how to defend against them

• How to implement a network monitoring system

• How to implement network backup and accounting (logging), so that data can be recovered and actions can be attributed to the people who took them

Security Organizations

Today there are a growing number of security organizations dedicated to advancing network security and fighting computer crime. These organizations have tried to create a structure for cyber security by publishing guiding principles and best practices for network security administrators and organizations to follow. Many of them also offer security certifications, websites, classes and traveling seminars that let security professionals share information and network with each other. Here is a list of well-known security organizations:

  • SANS Institute, www.sans.org – an educational security organization offering security certifications, training and classes. Its website has free tools and information, including security-related news and research articles on network security. Classes and seminars are offered in a variety of delivery methods (in person, online, etc.) and are generally very expensive.
  • CERT, www.cert.org – the CERT Coordination Center at the Software Engineering Institute (SEI), Carnegie Mellon University, a federally funded organization dedicated to research and education in computer network and software security. CERT offers computer security classes to military, government, academic and industry professionals; the classes are generally very expensive.
  • (ISC)², www.isc2.org – an educational security organization offering security-related certifications, including the widely recognized Certified Information Systems Security Professional (CISSP).

Domains of Network Security

The CCNA Security curriculum lists the 12 domains of network information security published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in ISO/IEC 27002. The domains are a code of best practice for information security management, and they read like questions that every network administrator and IT department should be able to answer:

  1. Risk assessment – analyze what information is at risk, and from what.
  2. Security policy – create a company security policy that defines the rules and expectations for employee behavior and access to information.
  3. Organization of information security – how will the security policy be governed, and by whom?
  4. Asset management – how will information assets be inventoried and classified?
  5. Human resources security – security rules for employees joining, moving within, or leaving the organization.
  6. Physical and environmental security – how will the technology be physically protected?
  7. Communications and operations management – who and what will manage the security controls of the network and information systems?
  8. Access control – who will have access, and to what?
  9. Information systems acquisition, development and maintenance – how will software applications and systems be integrated into the network with security built in?
  10. Information security incident management – the procedures for anticipating and responding to information security breaches.
  11. Business continuity management – backup and recovery plans for information systems.
  12. Compliance – how does the company comply with current information security policies, standards, laws and regulations?

Viruses, Worms, and Trojans

  • Virus – a computer virus is a malicious program that attaches or embeds itself in a legitimate program, executable file or system file. Once the host file runs, the virus executes and tries to replicate itself into other files and, from there, other hosts. Viruses damage, alter or destroy computer files. They are typically spread by USB thumb drives and, most commonly, through email attachments. See: http://en.wikipedia.org/wiki/Computer_virus
  • Worm – a computer worm is a self-replicating malicious program that spreads across a network on its own, typically by exploiting a vulnerability in a network service, so it needs no user to open a file and no legitimate program to attach itself to. A worm need not alter existing files the way a virus does, but it can carry an executable payload, often a backdoor or a Trojan horse, or simply drain system resources and bandwidth as it spreads. See: http://en.wikipedia.org/wiki/Computer_worm
  • Trojan Horse – a Trojan horse is a program that masquerades as a legitimate program but actually does something else. A common form is malware that claims to be an antivirus product but, once installed, downloads further malware onto the user's computer. Trojan horses do not replicate themselves as a virus does, so they are often carried by worms in order to spread. See: http://en.wikipedia.org/wiki/Trojan_horse_(computing)

There are five distinct stages in a virus or worm attack:

  • Probe – scanning network hosts for operating system or software vulnerabilities.
  • Penetrate – launching the exploit through an attack vector such as a buffer overflow in a program, an email attachment, or malicious code injected into a web page.
  • Persist – the code tries to keep control of the target system by installing a backdoor or creating additional executable files that launch at startup.
  • Propagate – the virus or worm targets additional systems in order to expand the number of infected hosts.
  • Paralyze – the malware cripples or shuts down systems by corrupting system files, launching denial of service (DoS) and distributed denial of service (DDoS) attacks, and/or draining system and network resources such as CPU time and bandwidth.

So how does a network administrator defend against viruses, worms and Trojans?

Client or Network based Antivirus Software

The main defense against viruses is up-to-date antivirus software. Its signature database has to be updated continuously, because signature-based scanning can only recognize malware it has already been taught about. There are many antivirus vendors, and some provide free versions for home users; three popular programs with free versions are AVG, Malwarebytes, and Avast.

Stateful Firewall and Access Lists

Worms attempt to spread across the network, and this can happen very quickly, so a network firewall with both inbound and outbound access lists (ACLs) is a sensible defense: inbound ACLs stop unsolicited connections from reaching internal hosts, and outbound ACLs stop an already infected host from reaching other networks on the ports a worm uses.
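To make the access-list point concrete, here is an added example (not code from the page or from Cisco) that models how an IOS extended ACL is evaluated: entries are checked in order, the first match wins, and anything unmatched hits the implicit deny at the end. It carries two constructed ACLs, one applied inbound from the Internet and one applied to traffic leaving the LAN to stop an infected host spreading over SMB (TCP 445, used here as an illustrative worm port), and renders them in IOS syntax. All addresses, names and the port choice are assumptions for the example.

```python
"""First-match evaluation of ordered ACLs with an implicit deny.

Added example for this page, not code from the course or from Cisco.
It models how an IOS extended access list is processed: entries are
tested top to bottom, the first match decides, and anything unmatched is
dropped.  OUTSIDE_IN is applied inbound on the Internet-facing interface;
INSIDE_OUT is applied to traffic leaving the LAN so an infected host
cannot spread over SMB (TCP 445).  Addresses, names and the port choice
are illustrative assumptions.  to_ios() renders the same ACL in IOS
syntax (wildcard masks, host/any keywords).
"""
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional, Tuple


class Entry(NamedTuple):
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: str                      # CIDR; "0.0.0.0/0" is IOS 'any'
    dst: str
    dport: Optional[int] = None   # None = any destination port
    established: bool = False     # IOS 'established': TCP with ACK/RST set


class Packet(NamedTuple):
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None
    ack: bool = False             # ACK (or RST) flag present


OUTSIDE_IN = [
    Entry("permit", "tcp", "0.0.0.0/0", "203.0.113.10/32", 443),              # public web server
    Entry("permit", "tcp", "0.0.0.0/0", "192.168.1.0/24", established=True),  # replies only
    Entry("deny", "ip", "0.0.0.0/0", "0.0.0.0/0"),                            # explicit, for logging
]

INSIDE_OUT = [
    Entry("deny", "tcp", "192.168.1.0/24", "0.0.0.0/0", 445),   # must precede the permit
    Entry("permit", "ip", "192.168.1.0/24", "0.0.0.0/0"),       # only our own prefix may leave
]


def matches(entry: Entry, pkt: Packet) -> bool:
    """Does one access-control entry match the packet? Every field must agree."""
    if entry.proto != "ip" and entry.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(entry.src):
        return False
    if ip_address(pkt.dst) not in ip_network(entry.dst):
        return False
    if entry.dport is not None and entry.dport != pkt.dport:
        return False
    if entry.established and not pkt.ack:
        return False
    return True


def evaluate(acl, pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of matching entry); index None = implicit deny."""
    for i, entry in enumerate(acl):
        if matches(entry, pkt):
            return entry.action, i
    return "deny", None


def _ios_addr(cidr: str) -> str:
    net = ip_network(cidr)
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"   # IOS wildcard mask


def to_ios(name: str, acl) -> str:
    """Render the ACL as an IOS named extended access list."""
    lines = [f"ip access-list extended {name}"]
    for e in acl:
        parts = [e.action, e.proto, _ios_addr(e.src), _ios_addr(e.dst)]
        if e.dport is not None:
            parts += ["eq", str(e.dport)]
        if e.established:
            parts.append("established")
        lines.append(" " + " ".join(parts))
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_ios("OUTSIDE-IN", OUTSIDE_IN))
    print(to_ios("INSIDE-OUT", INSIDE_OUT))
    worm = Packet("tcp", "192.168.1.50", "198.51.100.9", 445)
    print("infected host to SMB outside:", evaluate(INSIDE_OUT, worm))
```

The established entry shows the limit of a plain packet filter: any TCP segment with the ACK bit set is admitted, whether or not an inside host ever opened the session. A stateful firewall closes that gap by admitting return traffic only for connections it has seen leave, which is why the heading above says stateful firewall and not just access lists. Entry order matters too: reverse INSIDE_OUT and the permit swallows the SMB deny before it is ever reached.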

Host Based Intrusion Prevention System (HIPS)

A network administrator might also look into a host-based intrusion prevention system (HIPS), closely related to a host-based intrusion detection system (HIDS): a HIDS detects and reports suspicious activity, while a HIPS can also block it. Both are installed on a host or client computer and dynamically monitor it for signs of malicious activity, such as changes in file size, memory usage, or registry changes. They can be integrated with network antivirus software and with centralized management and monitoring tools. Cisco Security Agent is a host-based intrusion prevention system.

Intrusion Prevention System (IPS)

An IPS inspects packets crossing the network and compares them against a preloaded database of threat signatures. Because it sits inline, it can drop or reset matching traffic rather than only alerting, as an IDS does. It can examine packets up to layer 7, so it can match on application data and not just on headers and ports. Its signatures need to be kept current, just like antivirus definitions.

Web and Email Filtering Devices

A proxy web filter compares web page requests against a database of blacklisted sites and domains, and a proxy email filter scans messages for spam and virus-infected attachments.

Welcome to CCNA Security

Introduction

The Cisco CCNA Security certification is one of the newest certifications and courses of study offered by Cisco and the Cisco Academy. The curriculum is well written and informative.

As a Cisco Networking Academy instructor I have taught the Cisco CCNA curriculum for over 8 years. The Cisco CCNA Security course is offered either in person as an SDL class or as an online class. We have a computer networking lab in GMB133 at our disposal for the SDL classes and for online students who want to drop in in person. All Cisco Academy students will have access to the curriculum materials, the Packet Tracer network simulation software, and lab access to routers and switches.

Materials

All of the course materials, including the online text and the Packet Tracer program for setting up virtual routers, switches and networks, are available through the Cisco Networking Academy website. If you prefer a paper copy of the text you can purchase one online from Cisco Press or Amazon. Make sure you order a current version of the text. I have provided a link to the text at Cisco Press and its ISBN:
http://www.ciscopress.com/bookstore/product.asp?isbn=1587058154: ISBN-10: 1-58705-815-4 / ISBN-13: 978-1-58705-815-8

Class Schedule and Policies

This class is offered either as Self Directed Learning (SDL) or online. SDL students are required to be in the lab (GMB133) a minimum of 2.5 hours per week, and you will log your hours in the lab. Here are some questions you will want answered:

  • When can I come to the Lab?
    You are welcome to come to the lab at all times that it is open. I am personally in the lab to answer your questions and help you with your projects, for my exact lab times click on Lab/Classroom Hours.
  • Can I work in the Lab when you are not there?
    Yes, if the door is open you are welcome to come in and work. If the door is locked try coming into the lab through GMB130 the Flex Lab. The Flex Lab opens Mon-Sat at 9am and is open late Tuesday until 9pm.
  • Can I work with the Cisco routers and switches in the lab?
    Yes, we have Cisco routers and switches in the lab for your use. We will also have access to a Cisco NetLab available online. Most of the labs will need to be done with the NetLab.
  • What if I am an online student, and I can’t work with the routers in person in the lab?
    Online students will use the Cisco NetLab and Packet Tracer to accomplish the class labs.
  • When should I come to class?
    I recommend that CCNA Security students who live in the area come to the GMB133 lab Monday through Thursday from 5 to 6pm. These are not mandatory meeting times, but I will lecture, discuss and demonstrate chapter topics. For the online and SDL students who cannot come to the lab, I regularly create video tutorials and post articles on the topics covered in the class, so visit the website regularly.
  • How can I assure that I will be successful?
    You will be successful if you take the time to read the assigned Cisco curriculum and do the labs. You will be successful if you attend regularly by coming to the lab Mondays through Thursdays, and logging-in daily to the Cisco Academy and to DansCourses.com. I recommend you plan for your own success by creating scheduled times set aside to work on the Cisco curriculum and its assignments.
  • Is there a syllabus?
    The syllabus outlines the course, please download it and save it for your records:
  • How will I turn in assignments?
    All assignments, Packet Tracer labs, and NetLab configuration files will need to be submitted as email attachments to dan.alberghetti@gmail.com
  • How will I be graded?
    I grade on a point system. Every week you will have the opportunity to earn points. Points will be awarded for the following activities:

    • Chapter Exams – Almost all of the chapters in the Cisco curriculum have a multiple choice test at the end of the chapter. The tests measure your knowledge of the chapter content and your ability to logically analyze network diagrams, configuration files, and debugging output and messages.
    • Chapter Labs – You will be given a “skills” grade based on your participation in class and submitted Packet Tracer Labs and NetLabs.
    • A Final NetLab – An online Cisco NetLab exam
    • Final Exam – An online Cisco Academy exam

    Your final grade is based on scale of total points earned to total points possible.