Posts Tagged ‘Sisco’

Port-security is a feature in Cisco switches that restricts access on a particular port. MAC addresses are used to filter and maintain access. I believe that the two main objectives achieved with this technique are:

  • Dynamically control the number of connected nodes, which is important to stop MAC-address table poisoning attacks. This attack occurs when the MAC-address table is full: this forces the switch to act as a hub, in the sense that it starts flooding traffic to all connected ports. Hence, an attacker connected to a single port is then able to sniff traffic from all other ports too. To secure the switch against this attack, port-security is used to set a maximum number of accepted MAC addresses. If the number is exceeded, the port can be programmed to either shut down or reject new MAC addresses.
  • Accept predefined devices. This restricts port access to a predefined number of nodes based on their MAC addresses.

First, I will demonstrate how to protect the switch against MAC-address poisoning attacks, assuming the port I want to secure is Fa 0/2. Change the mode of the port to ‘access’, because port-security cannot be activated while the mode is set to trunk or dynamic.

Switch(config)#interface fa 0/2
Switch(config-if)#switchport mode access

Activate port-security using
Read the rest of this entry »
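As an added example (not the post's own code), a short Python audit that reads a switch running-config and flags access ports where a single host could still fill the MAC address table: port-security absent, or `switchport port-security maximum` set above a chosen ceiling. The config text and interface names are constructed for the example.

```python
# Constructed switch running-config excerpt (not from the post); Fa0/1 is the
# hardened form, Fa0/2 and Fa0/3 are the weak forms the audit should flag.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 200
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Map each interface name to the stripped lines of its stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1].strip()
            stanzas[current] = []
        elif current is not None and raw.startswith(" "):
            stanzas[current].append(raw.strip())
        else:
            current = None  # '!' or any top-level line ends the stanza
    return stanzas

def audit_port_security(config, max_allowed=2):
    """Return (interface, problem) pairs for access ports a single host could use
    to fill the MAC table. IOS defaults 'maximum' to 1, so only an explicit large value is flagged."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # the post applies port-security to access ports only
        if "switchport port-security" not in lines:
            findings.append((name, "port-security not enabled"))
            continue
        for line in lines:
            parts = line.split()
            if parts[:3] == ["switchport", "port-security", "maximum"] and int(parts[3]) > max_allowed:
                findings.append((name, "maximum %s exceeds %d" % (parts[3], max_allowed)))
    return findings
```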

The aim of this post is to demonstrate the establishment and configuration of two sub-networks serving two buildings connected by a fiber optic cable. To keep the article readable and serve an educational objective, I will break my work down into multiple posts. For now, I will only cover a simplified logical map of the network and the router configuration necessary to build a working solution. I will then use this post as a base for further development.

The solution will include two routers, one in each building, interconnected by a fiber optic cable. Copper cables are used within the subnets to interconnect switches and computers. The following diagram illustrates the solution, followed by more detail. Also please note that I have built and tested this design using Packet Tracer, Version: 5.3.2.0027.

Initial Basic Network Diagram for the two buildings

Now, further information about the nodes used.

  • Two Cisco 2811 routers, one for each subnet. I called them Gilgamesh and Enkidu!
    Cisco’s official website describes the 2800 routers as award-winning and ‘ideal for small to medium-sized businesses and enterprise branch offices, are designed for wire-speed delivery of highly secure concurrent services and can accommodate multiple T1/E1 connections for services including: Data, Security, Voice, Video and Wireless’.
  • NM-1FE-FX module. I had to add this module to the router to serve as a Fast Ethernet interface for fiber media, because the routers do not have a fiber optic port by default. In Cisco Packet Tracer, you can add this module from the Physical Device View.
  • Two switches from the 2900 series, described by Cisco as ‘Ideal for mid-range deployments requiring business agility, WAN flexibility, and secure collaboration’. Hence, it sounds ideal for our solution.
  • Copper straight-through cables to connect switches to computers and routers.
  • Copper cross-over cables to connect devices of the same type, but we do not have any at this stage of the deployment.

After physically connecting the devices as illustrated so far, I decided to assign IP addresses based on the following plan
Read the rest of this entry »

Configuring remote access to your Cisco devices can be mandatory from a usability point of view. However, as discussed in my previous two posts, this raises a critical security concern if user authentication and data integrity/confidentiality are not maintained with a proper solution such as SSH.

I will extend what I demonstrated earlier to stop telnet and exclusively enable SSH. This requires the configuration of VTY lines and user accounts; please refer to the following posts if you need an explanation of how to put these in place:

Further to my Gilgamesh router (IP: 192.168.0.254), I have another Cisco router called Enkidu (IP: 192.168.1.254). To enable remote SSH to Gilgamesh, I must first give it a domain name (required for naming the RSA keys) and then generate the RSA keys used to encrypt the traffic. The following lines show how I did it

Gilgamesh(config)#ip domain-name network.local
Gilgamesh(config)#crypto key generate rsa
The name for the keys will be: Gilgamesh.network.local
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable…[OK]
Gilgamesh(config)#

Read the rest of this entry »

Recently, I published a post titled ‘Configure and test Telnet on a Cisco router or switch’. However, two security flaws can be easily recognised. These are:

  • Telnet sessions are not encrypted. As such, my next post will cover setting up an SSH solution to replace telnet.
  • Authentication is too generic, with a single password shared among technicians. Hence, this post aims to demonstrate setting up user accounts for telnet access!

Let’s assume telnet is already set up, similar to the post I referenced earlier!
I may access my router (hostname set as ‘Gilgamesh’) and set up two user accounts with the following information:

Username: haider, Password: hai321
Username: Ali, Password: sword32

Now, in the configuration line of my router I write

Gilgamesh#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
Gilgamesh(config)#username haider secret hai321
Gilgamesh(config)#username ali priv 15 secret sword32
Gilgamesh(config)#aaa new-model

Read the rest of this entry »

Telnet is a remote connection protocol that runs on TCP port 23. It can be used to administer a Cisco IOS powered device over the network. This article will demonstrate the necessary commands to configure Telnet.

For testing, I have built a basic network in Cisco Packet Tracer with a router called:
Gilgamesh (IP: 192.168.0.254)
and a remote PC (IP: 192.168.1.1)

To enable telnet, we start by configuring VTY ports on lines. ‘Lines’ on Cisco routers are physical or virtual serial ports, while VTY ports are specifically virtual ports used for remote access over Telnet or SSH. To do that, I typed the following on my router

Gilgamesh>enable
Gilgamesh#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
Gilgamesh(config)#line vty 0 4

The ‘0 4’ numbers refer to configuring 5 virtual sessions. Now, leave the router’s CLI as it is (do not close it) and let’s try to connect to the router from our PC’s command prompt.

PC>telnet 192.168.0.254
Trying 192.168.0.254 …Open
[Connection to 192.168.0.254 closed by foreign host]

The lines above show that the connection was refused. This is because login is disabled on all five telnet sessions we created until a password is set. To set ‘ciscopass’ as the password, go back to the router and type
Read the rest of this entry »
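The three posts above (telnet on VTY lines with a shared line password, per-user accounts with `secret`, and SSH-only access) describe one hardening path. As an added example, not code from any of the posts, this Python check reads a running-config excerpt and reports whether that path has been completed: VTY transport still accepting telnet, `login` with a line password instead of `login local`, reversible `username ... password` entries, and SSH version 2 not forced. Both config excerpts are constructed and the secret hash is a placeholder.

```python
# Constructed running-config excerpts (not from the posts). WEAK_CONFIG is the
# telnet-era state; HARDENED_CONFIG is the SSH-only target. The hash is a placeholder.
WEAK_CONFIG = """\
username haider password 0 hai321
line vty 0 4
 password ciscopass
 login
 transport input telnet ssh
!
"""
HARDENED_CONFIG = """\
ip domain-name network.local
ip ssh version 2
username haider secret 5 $PLACEHOLDER_HASH$
line vty 0 4
 login local
 transport input ssh
!
"""

def vty_stanza(config):
    """Return the indented lines under the first 'line vty' stanza."""
    lines, inside = [], False
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            inside = True
        elif inside and raw.startswith(" "):
            lines.append(raw.strip())
        elif inside:
            break
    return lines

def audit_remote_access(config):
    """Return (code, detail) findings: telnet exposure, shared or reversible passwords, SSHv1."""
    findings = []
    vty = vty_stanza(config)
    transport = next((l.split()[2:] for l in vty if l.startswith("transport input")), ["all"])
    if transport != ["ssh"]:  # a missing line is treated as the permissive default (assumption)
        findings.append(("telnet-allowed", "vty transport input is %s; set 'transport input ssh'" % " ".join(transport)))
    if "login local" not in vty:
        findings.append(("shared-password", "vty uses a line password; set 'login local' and user accounts"))
    for line in config.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "username" and "password" in parts[2:]:
            findings.append(("reversible-password", "user %s uses 'password'; use 'secret'" % parts[1]))
    if "ip ssh version 2" not in config.splitlines():
        findings.append(("ssh-version", "SSHv1 permitted; set 'ip ssh version 2'"))
    return findings
```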

You can remotely access Cisco IOS (Internetwork Operating System) in what is known as an EXEC session to control a router using its CLI (Command Line Interface).

EXEC sessions are separated into a basic user EXEC level and a privileged EXEC level to run configuration and other critical commands.

Critical Cisco Router configuration commands
‘————’ is used to prefix comments in this small tutorial

Router>enable ———— enable is used to change into privileged level
Password: —————— if a password is set
Router# ———————- # means we are in privileged level
Router#disable ———– switch to user EXEC level
Router>

Router>ping xxx.xxx.xxx.xxx ———— ping is supported

The show command is used to troubleshoot your Cisco router
Read the rest of this entry »

Haider’s WebSpace
Welcome to my technical blog. This is where I write, archive and share computer related articles. Subjects vary from posting technical solutions to researching particular topics. Feel free to comment and talk IT!