Networking Chapter 4
SSH Configuration Before establishing an SSH session, several items need to be configured, as follows:
• Change the default hostname. • Create a user account. • Set the enable password. • Configure a domain name. • Set a security message. • Enable VTY lines and limit protocol access. • Enable Layer 3 connectivity. • Generate SSH keys.
SSH Prerequisites Several initial settings must be configured before enabling SSH on the device.
1. Set the device name. 2. Create a local account. 3. Secure the privileged mode. 4. Set an appropriate security message (optional). 5. Set a domain name.
Port Security Requirements
Access Mode Access ports are responsible for traffic flow. Access mode should only be defined on ports connected to endpoint devices, such as PCs. You can configure port security on interfaces that you configured as access ports with access mode activated. Enable Port Security Enabling port security is done in the interface configuration mode, which is set using interface [interface-id]. Then, Access mode needs to be set with switchport mode access. Note: For port security to operate correctly, the interface must be configured as an Access port. Finally, Port Security can be enabled on the interface using the command: switchport port-security
SSH Connection
Accessing the device remotely using SSH can be done using a CLI, such as PuTTY or the device's terminal. The universal command for creating an SSH session is: ssh -l <username> <target-ip> In the following example, the command is executed in Windows CMD.
Max Allowed MAC Addresses
Although the number of default MAC addresses allowed in Port Security is one, the number can be changed within the range of 1 to 3072.
Asymmetric Encryption
Asymmetric encryption is when two different keys are used to encrypt and decrypt messages. The keys are mathematically related in a way that messages encrypted with one key, usually the public key, cannot be decrypted by it. The decryption can be done only using the corresponding private key in the key pair. This method is considered more complex and slower than symmetric encryption which uses one key for both encryption and decryption.
CAM Table Overflow
CAM Table Overflow is an attack that targets a switch's MAC table. The idea is to flood the table with a large number of fake addresses. When the list of addresses exceeds the maximum size of the table, the switch will initiate its fallback mode and begin to act as a hub, meaning every frame will be forwarded to every host on the network.
Common Reasons for err-disable
Err-disabled may be triggered due to reasons other than Port Security, such as: • Duplex Mismatch - This state occurs when two parties, set for point-to-point communication, are configured to use different duplex modes. • Bad NIC - A faulty network interface card with software problems or hardware problems may trigger the Err-disabled state. • Broadcast Storm - When there is a broadcast volume too large for processing in the broadcast domain, the switches may be overwhelmed and trigger err-disabled mode on its ports.
Address Learning - Manual vs. Sticky
MAC address learning can be performed in one of two ways: Manual or Sticky. Manual - The manual method requires a static configuration of each allowed MAC address and its assignment to an interface. This is the most secure method, but it is very time consuming and open to faulty configuration. Sticky - In the sticky method, allowed MAC addresses are learned dynamically and are limited to the maximum number configured for the interface. The switch learns the source address of the first few devices associated with the interface, providing a fast and scalable method of operation.
MAC Spoofing
MAC spoofing is when attackers change their own physical PC address to conceal their true identity and pose as someone else. For example, an attacker may spoof a MAC address with a legitimate address to bypass an access control mechanism, such as port security.
SSH Encryption
Modern encryption relies heavily on the RSA algorithm since most methods use public and private encryption keys. The public and private encryption key method, also known as asymmetric cryptography, uses two different, but mathematically linked keys. The public key is shared with everyone, while the private key is only given to specific persons. RSA ensures implementation of the CIA triangle, and avoids authentication rejection. Protocols like SSH and SSL/TLS use RSA to encrypt communication and digital signatures. Although RSA works through the computational difficulty of factoring large integers, computational complexity grows exponentially every day, and larger and larger numbers are required to maintain secure communication. RSA is dependent on a powerful computational system. More complex keys require more computation. Recently, ECC (Elliptic Curve Cryptography) is becoming popular, since it can create faster, smaller, and more efficient cryptographic keys.
Remote Access
Remote access allows administrators to manage and monitor their network devices from anywhere in the network. This is important since some switches may be located in physically inaccessible areas.
Port Security Configuration
Port Security is configured by setting up each component individually using the same structure. Violation defines the type of violation rule to be applied to the port. The commands mac-address and maximum define sticky learning, up to a maximum of five addresses. Command: switchport port-security [configuration] [value]
Port Security Show Commands
Presenting the authorized MAC addresses associated with a port and the type (sticky or manually) is done with the command show port-security address. If only an overview is needed, show port-security can be run for a quick overview of the configuration. To view a specific interface, the command show port-security interface [interface] should be used, since it provides more information.
Violation Modes
The port security feature includes three protection modes to handle incidents in which it receives an Ethernet frame with an unauthorized MAC address. Shutdown - This is the default violation mode. When a violation occurs, the port will be shut down, and the violation will be logged automatically. The port must then be reset manually to become operational again. Page 82 Restrict - In case of a violation, Ethernet frames with unauthorized source MAC addresses are dropped. The switch provides notification of security violations and keeps count of the number of violations. Protect - In case of a violation, Ethernet frames with unauthorized source MAC addresses are dropped. In this violation mode, the switch does not provide notification regarding the event.
Verify SSH Configuration
Show ssh command presents the active SSH sessions on the network device. Show ip ssh displays the version definition, authentication timeout, and retries.
SSH Configuration Commands Allow Remote Access
Step 1 - Enter the VTY configuration mode. Select the number of maximum sessions. Step 2 - Enable authentication using a username and password. Step 3 - Telnet is enabled by default; the transport command prevents using Telnet and only uses SSH for remote connections. The options are none, all, Telnet, or SSH. Command: line vty <id-range> & login local
SVI (Switched Virtual Interface)
The primary purpose of creating a computer network is to share resources and enable communication within the network. Layer 2 switches create VLANs (Virtual LANs) that form a single broadcast domain. If a broadcast message is sent within the same VLAN, all devices connected to that VLAN will receive the message. Hosts can communicate on the same VLAN without a Layer 3 device (router). Devices on a different VLAN, on the other hand, cannot communicate with each other without proper routing. A router or Layer 3 switch can handle network segmentation and inter-VLAN communication. A router can segment a network and create separate broadcast domains, with each network segment using a different sub-interface of a physical interface on the router. Layer 3 switches require the creation of multiple VLANs on the switch, which form multiple broadcast domains. Then, for each VLAN, a corresponding Layer 3 interface needs to be created on the switch, to handle the routing. This Layer 3 interface is the SVI. The difference is that the SVI Layer 3 interface is virtual.
Telnet vs. SSH
Telnet and SSH are the two most widely used CLI-based remote access protocols. Telnet - Telnet was developed many years ago to allow users to manage devices from anywhere, via a simple and minimal configuration. However, using Telnet involves a potential security risk because usernames and passwords are sent in plain text on TCP port 23. SSH - SSH is similar to Telnet, but with a significant difference: SSH encrypts all data transferred between the user and end device. SSH uses RSA encryption, a robust and reliable encryption type. It operates on TCP port 22.
Generate RSA Keys
The crypto key command generates the Private and Public RSA keys on the network device. The switch or router needs those keys to secure the SSH session. Set the key length. The default is 512, but it is recommended to set the number of bits to higher than 1024. The maximum value is 2048. Command: crypto key generate rsa
IP Switch Settings
The default SVI is VLAN 1. Setting an address and enabling the interface is crucial if we want to communicate directly with the switch. If the switch needs to send data to other networks, the default gateway is also required. Command: Interface vlan 1 & ip address <ip-address> < subnet-mast>
Err-Disabled
When a switch port is in Err-disabled mode, the port may have been disabled automatically by the switch operating system, due to port security shutdown mode violation. To determine if Err-disabled was turned off for a port, run the command: show interfaces [interface] status
Virtual Teletype (VTY) is a
command-line interface (CLI) in network devices used to create remote access connections. VTY is virtual and does not require any hardware. Switches have 16 VTY lines (0-15), routers have 5 VTY lines (0-4).
The Port Security feature is used to
restrict input to an interface by limiting MAC addresses of workstations that are allowed to access a specific port. When secure MAC addresses are assigned to a port, the port will not forward packets with source addresses outside the defined group. By default, port security is not defined on switches and requires configuration.
Port Security Commands:
switchport mode access switchport port-security
