AAA is used for role-based access control (RBAC) and centralized management of device access.
Authentication
Authorization
Accounting
TACACS+ is mainly used for device management and administration.
RADIUS is used for end users.
Example configuration:
Enable the AAA new model.
Set up the method lists for authentication, authorization and accounting.
Apply the method lists.
A method list named with the keyword 'default' is applied automatically to all lines and interfaces.
aaa authentication login default group tacacs+ local enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
'if-authenticated' means that when the router cannot communicate with the TACACS+ server, the router authenticates the user itself (through the fallback methods in the authentication list) and then treats the user as authorized, because the user was already authenticated, so the login succeeds.
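The full configuration behind the steps above, as an added example (not the notes' own config): the method lists are the ones listed in the notes; the server name TAC-1, the server address 192.0.2.10, the shared key, the local fallback account and the VTY settings are assumptions.

```cisco
! Added example, not from the original notes. TAC-1, 192.0.2.10, the key
! and the fallback account name/secret are placeholders.
aaa new-model
!
! Define the TACACS+ server that 'group tacacs+' will use.
tacacs server TAC-1
 address ipv4 192.0.2.10
 key REPLACE-WITH-SHARED-KEY
!
! Method lists from the notes. Order matters: TACACS+ is tried first, then
! the local database, then the enable secret. For authorization,
! 'if-authenticated' authorizes an already-authenticated user when the
! TACACS+ server is unreachable, so the fallback path is fail-open by design.
aaa authentication login default group tacacs+ local enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
! Local account used only when TACACS+ is down (placeholder name/secret).
username fallback-admin privilege 15 secret REPLACE-WITH-STRONG-SECRET
enable secret REPLACE-WITH-ENABLE-SECRET
!
! The 'default' lists apply to the VTY lines automatically; allow SSH only.
line vty 0 4
 transport input ssh
!
! Verification (exec mode):
! test aaa group tacacs+ TACACS-USERNAME TACACS-PASSWORD legacy
! show tacacs
! debug aaa authentication
```

Because the local and enable fallbacks are reachable whenever TACACS+ is down, the accounting records (sent to TACACS+ only) will have gaps during an outage; the local buffer log is the only trace of logins made through the fallback path.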
Monday, January 9, 2017
Friday, January 6, 2017
NAT and PAT
NAT and PAT are used as a security mechanism to hide hosts behind another device.
Options are:
NAT one-to-one dynamic - the source internal IP address is translated to an address from a pool of publicly routable IP addresses.
PAT dynamic - source internal IP addresses are translated to a single publicly routable IP address, distinguished by different TCP/UDP ports.
NAT one-to-one static - the source internal IP address is translated to a fixed single publicly routable IP address.
PAT port forwarding static - a fixed single publicly routable IP address is translated to an internal resource using different ports.
Example of one-to-one dynamic NAT. An access rule is created to match the IP addresses in 10.1.0.0 that are to be translated.
G1/0 is the outside interface and G2/0 the inside interface.
Use an IP pool starting at 10.123.0.33 with a prefix length of 27.
Example of dynamic PAT: multiple internal clients are translated to a single publicly routable IP address.
Example of static one-to-one NAT: the internal IP address 10.1.0.25 is statically mapped to the global IP address 10.123.0.25.
Example of static PAT (port forwarding): internal IP 10.1.0.50 port 80 is translated to 10.123.0.25 port 80.
The command used is:
ip nat inside source static tcp 10.1.0.50 80 10.123.0.25 80 extendable
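The four NAT/PAT variants described above as one router configuration, added here as an example (not the notes' own config). Interface roles, 10.1.0.0, the pool start 10.123.0.33/27 and the static addresses come from the notes; ACL number 10, the wildcard mask 0.0.0.255, the pool name POOL-1 and the pool end address 10.123.0.62 are assumptions.

```cisco
! Added example, not from the original notes. ACL 10, the wildcard mask,
! POOL-1 and the pool end address are assumptions.
interface GigabitEthernet1/0
 description outside (public side)
 ip nat outside
!
interface GigabitEthernet2/0
 description inside (private side)
 ip nat inside
!
! Inside addresses eligible for dynamic translation (notes: 10.1.0.0).
access-list 10 permit 10.1.0.0 0.0.0.255
!
! 1. Dynamic one-to-one NAT: each inside host takes one pool address.
!    A /27 starting at .33 gives the usable range .33-.62.
ip nat pool POOL-1 10.123.0.33 10.123.0.62 prefix-length 27
ip nat inside source list 10 pool POOL-1
!
! 2. Dynamic PAT alternative: all inside hosts share the outside interface
!    address, distinguished by port. Only one dynamic rule can bind ACL 10,
!    so this replaces rule 1 rather than coexisting with it.
! ip nat inside source list 10 interface GigabitEthernet1/0 overload
!
! 3. Static one-to-one NAT: 10.1.0.25 is always reachable as 10.123.0.25,
!    on every port, so it is not hidden the way dynamically translated hosts are.
ip nat inside source static 10.1.0.25 10.123.0.25
!
! 4. Static PAT (port forwarding): TCP/80 on 10.1.0.50 is reachable at
!    10.123.0.25:80. 'extendable' allows several static entries to share the
!    same global address (10.123.0.25 is also used by rule 3).
ip nat inside source static tcp 10.1.0.50 80 10.123.0.25 80 extendable
!
! Verification (exec mode):
! show ip nat translations
! show ip nat statistics
```

Static entries (rules 3 and 4) expose an inside host to unsolicited inbound traffic permanently, so they should be paired with an inbound ACL on G1/0 that limits what may reach the published port; dynamic entries only exist while an inside host has an active session.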
NetFlow
NetFlow allows discovery of the traffic on the network and shows trends and history of network performance.
Components of NetFlow:
Monitor - identifies what to collect. Applied to an interface.
Exporter - caches network flows and then ships them to a network management system for analysis.
Collector - network management software running a collector.
Optional sampler - only a percentage of the flow is collected, not everything, to reduce the overhead of the monitoring process.
Exporter configuration requires:
Name
Destination IP
UDP port
Version of NetFlow
Source IP (defaults to the IP of the interface closest to the NMS)
Monitor configuration requires:
Name
Type of information to collect (IPv4, IPv6)
Which exporter to use
Apply the monitor to the interface for inbound or outbound flow
Example of an exporter named EXPORT-1 sending network traffic information to the collector at IP 192.168.1.23, using UDP port 9996, NetFlow version 9, and the IP address of interface g1/0 as source.
Then a monitor named MONITOR-1 is applied to g1/0 on R1.
To reduce the overhead caused by NetFlow, use a sampler.
Example of configuring a sampler named OUR-SAMPLER applied to a monitor, sampling 1 out of 10 packets deterministically.
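The exporter, monitor and sampler described above as one Flexible NetFlow configuration, added here as an example (not the notes' own config). EXPORT-1, MONITOR-1, OUR-SAMPLER, the collector 192.168.1.23, UDP 9996, version 9 and interface g1/0 come from the notes; the predefined IPv4 record, the cache timeout and the inbound direction are assumptions.

```cisco
! Added example, not from the original notes. The record choice, cache
! timeout and 'input' direction are assumptions.
flow exporter EXPORT-1
 description Export to NMS collector
 destination 192.168.1.23
 source GigabitEthernet1/0
 transport udp 9996
 export-protocol netflow-v9
!
! Sampler: deterministically take every 10th packet to cut CPU overhead.
! Byte/packet counters in the collector are then estimates, not exact counts.
sampler OUR-SAMPLER
 mode deterministic 1 out-of 10
!
! Monitor ties a record (what to collect) to the exporter (where to send it).
flow monitor MONITOR-1
 description IPv4 traffic on the edge interface
 record netflow ipv4 original-input
 exporter EXPORT-1
 cache timeout active 60
!
! Apply the monitor with the sampler to inbound traffic on g1/0.
interface GigabitEthernet1/0
 ip flow monitor MONITOR-1 sampler OUR-SAMPLER input
!
! Verification (exec mode):
! show flow exporter EXPORT-1 statistics
! show flow monitor MONITOR-1 cache
! show sampler OUR-SAMPLER
```

NetFlow v9 over UDP carries no authentication or encryption, so the export path to the collector should stay inside the management network; the exporter statistics show whether records are actually leaving the router, and the monitor cache shows what is being collected before export.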
Unicast Reverse Path Forwarding
uRPF provides dynamic spoof prevention based on the routing table.
uRPF modes:
Strict - if a packet enters through an interface, the route back to its source must exit through the same interface,
except when there are equal-cost paths.
Loose - allows traffic to enter and exit on different interfaces, as in asymmetric routing (undesirable).
As long as the routing table contains a valid route back to the packet's source, the packet is allowed.
uRPF options:
Allow self-ping
Allow default route
ACL to permit packets that failed the check
(use an ACL with 'deny ip any any log' to test whether the uRPF check is working)
Example of uRPF:
A loopback with an internal IP address on the edge router R1 is pinged from an external provider router.
uRPF fails the ping because there is no return path to the source in the routing table.
The show ip interface command shows the packet drop count.
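Both uRPF modes and the options listed above in one configuration, added here as an example (not the notes' own config). The interface names, ACL number 150 and treating G1/0 as the provider-facing interface are assumptions.

```cisco
! Added example, not from the original notes. ACL 150 and the interface
! roles are assumptions.
!
! Packets that fail the uRPF check are matched against the ACL: permit
! forwards them anyway, deny drops them. With 'log' on the deny, each failed
! check produces a log message, which is how the notes test that uRPF works.
access-list 150 deny ip any any log
!
! Strict mode on the provider-facing interface: the route back to the
! packet's source must point out this same interface (equal-cost paths
! excepted). allow-default accepts sources covered only by the default route,
! which weakens the check on an edge interface, so use it only when needed.
! allow-self-ping lets the router ping its own interface addresses.
interface GigabitEthernet1/0
 ip verify unicast source reachable-via rx allow-default allow-self-ping 150
!
! Loose mode where asymmetric routing is expected: any route to the source
! in the routing table is enough to pass the packet.
interface GigabitEthernet2/0
 ip verify unicast source reachable-via any
!
! Verification: mode and the 'verification drops' counter appear in
! show ip interface.
! show ip interface GigabitEthernet1/0 | include verif
```

Watch the drop counter after enabling strict mode on a new interface: a steadily rising count on an interface that also carries legitimate asymmetric traffic means strict mode is discarding real sessions and loose mode is the right choice there.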
Wednesday, January 4, 2017
Securing using the Control Plane
Traffic destined to the router itself is processed by the control plane host, a subsection of the control plane.
Control plane protection uses:
class maps to classify traffic
policy maps to police the traffic to a specific rate
service policies to apply the policy to the control plane's logical host sub-interface
Example: LIMIT-ACL permits SNMP and SSH traffic.
Class map LIMIT-Class classifies the traffic defined by the ACL. The policy map polices matched traffic to 64000 bps; all other traffic (class-default) is policed to 512000 bps.
Apply the policy to the control-plane host.
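The control-plane host policy described above as a complete configuration, added here as an example (not the notes' own config). LIMIT-ACL, LIMIT-Class and the 64000/512000 bps rates come from the notes; the policy-map name COPP-POLICY and the exact ACL entries are assumptions.

```cisco
! Added example, not from the original notes. COPP-POLICY and the ACL
! entries are assumptions.
!
! Management traffic to the router's own addresses that should be rate-limited.
! In production, narrow the source to the management subnet.
ip access-list extended LIMIT-ACL
 permit udp any any eq snmp
 permit tcp any any eq 22
!
class-map match-all LIMIT-Class
 match access-group name LIMIT-ACL
!
! Matched (SNMP/SSH) traffic limited to 64 kbps; everything else that
! reaches the host sub-interface limited to 512 kbps via class-default.
! class-default also covers routing-protocol traffic to the router, so
! confirm the rate leaves headroom before applying it in production.
policy-map COPP-POLICY
 class LIMIT-Class
  police 64000 conform-action transmit exceed-action drop
 class class-default
  police 512000 conform-action transmit exceed-action drop
!
! Apply on the control-plane host sub-interface (traffic destined to the router).
control-plane host
 service-policy input COPP-POLICY
!
! Verification (exec mode): shows conformed/exceeded counters per class.
! show policy-map control-plane host
```

The exceeded counters in the verification output are the useful signal: a sudden jump in drops for LIMIT-Class means something is flooding the management ports faster than 64 kbps, which is worth correlating with the syslog and NetFlow data from the other posts.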
Securing using SNMP v3
The SNMP server engine ID is auto-created but can also be set manually. When the engine ID is changed, the SNMP users need to be recreated.
SNMP v3 has several security levels and is more secure than v1 and v2:
auth - authentication and no encryption
noAuth - no authentication and no encryption
priv - authentication and encryption
Example of using SNMP v3 with ACL 5: SNMP user U1 is created with SHA authentication (password "a-pass") and AES-128 encryption (password "e-pass"). User U1 is a member of group G1.
The U1 user account is not shown in the running configuration; the show snmp user command lists the SNMP users.
Send traps to the SNMP server 192.168.1.164 using the U1 user account, specifying the authentication and encryption methods and their passwords.
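The SNMPv3 user, group, ACL and trap receiver described above as one configuration, added here as an example (not the notes' own config). U1, G1, ACL 5, the passwords "a-pass"/"e-pass" and the receiver 192.168.1.164 come from the notes; the management subnet 192.168.1.0/24 in ACL 5 and the trap types are assumptions.

```cisco
! Added example, not from the original notes. The ACL 5 subnet and the
! trap types are assumptions; the passwords are the notes' sample values.
!
! Restrict which managers may poll the agent.
access-list 5 permit 192.168.1.0 0.0.0.255
!
! Group G1 requires the priv level (authentication and encryption).
snmp-server group G1 v3 priv access 5
!
! User U1 in group G1: SHA authentication, AES-128 privacy. The user is not
! shown in running-config; verify with 'show snmp user'. If the engine ID
! changes, this user must be recreated because its keys are derived from it.
snmp-server user U1 G1 v3 auth sha a-pass priv aes 128 e-pass access 5
!
! Trap receiver uses U1's credentials at the priv level, so traps are
! authenticated and encrypted on the wire.
snmp-server host 192.168.1.164 version 3 priv U1
snmp-server enable traps snmp authentication linkdown linkup coldstart
!
! Verification (exec mode):
! show snmp user
! show snmp group
! show snmp engineID
```

Since the user is absent from the running configuration, a configuration backup does not capture it; after restoring a device from backup, confirm with show snmp user that U1 still exists, and recreate it if the restored device came up with a different engine ID.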
Logging messages
Logging to the buffer and to a host, with the syslog logging level configured.
Example of logging to the syslog host 192.168.1.23: set buffer logging to informational,
send messages up to the debugging level to the syslog server.
The show logging command shows the contents of the buffer and the logging settings.
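The logging setup described above as a complete configuration, added here as an example (not the notes' own config). The host 192.168.1.23 and the two levels come from the notes; the buffer size, timestamp format and source interface are assumptions.

```cisco
! Added example, not from the original notes. Buffer size, timestamp
! options and the source interface are assumptions.
!
! Timestamp messages so buffer and syslog entries can be correlated.
service timestamps log datetime msec localtime show-timezone
!
! Local buffer keeps informational (level 6) and more severe messages.
logging buffered 64000 informational
!
! Remote syslog host receives up to debugging (level 7), i.e. everything.
logging host 192.168.1.23
logging trap debugging
logging source-interface GigabitEthernet2/0
logging on
!
! Verification (exec mode): buffer contents plus the configured levels/hosts.
! show logging
```

The buffer wraps once it fills, so the remote host is the durable record; syslog over UDP is unauthenticated, which is why the source interface is pinned to the inside-facing interface and the server should sit on the management network.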