The Network Monitor


The Network Monitor, Volume 5 Number 3


Securing Access to the Catalyst 5000-6000

Catalyst administrators devote much attention to VLAN administration but not enough to managing the Catalysts themselves, and in particular to securing them. Securing the Catalyst means taking all reasonable precautions to ensure that unauthorized individuals cannot change its configuration. Reasonable measures are ones that are effective yet still allow your users to do their jobs and you to do yours. For example, removing power is an effective way to secure a Catalyst: it clearly prevents any configuration changes. It is not reasonable, though, since an employment termination notice may appear on your desk if you do it, and, as a secondary matter, users cannot perform their duties without electrons flowing through the box.

To secure your Catalyst, you must first recognize all the ways its configuration can be changed. Some configuration modes make only temporary modifications. For example, you might enable the VLAN Membership Policy Server (VMPS) to assign a port to a VLAN automatically, but temporarily, based on the attached workstation's MAC address. You, as the network administrator, create a VMPS database that defines which VLAN each MAC address belongs to. When a user attaches a station to a Catalyst port and transmits, the Catalyst learns the MAC address, checks the VMPS database and assigns the port to the correct VLAN. If the Catalyst finds no match for the MAC address, it may disable the port, preventing any transmissions from the workstation. If you later detach the workstation and replace it with another, the Catalyst repeats the process and may place the port in a different VLAN than before, depending on what you defined in the VMPS database. You can find more details on VMPS in Cisco's documentation or in Catalyst publications such as the Cisco Press book Cisco LAN Switching.

Other configuration modes create permanent changes that cannot be altered by simple user actions such as attaching or removing a workstation. Which modes allow you to enter permanent configurations?

To make permanent changes to the Catalyst, you must access the supervisor module. You can reach the supervisor directly through its physical console port by attaching a terminal, or a workstation running terminal emulation software, to that port. On a Supervisor I or II the console is a 25-pin EIA-232 connector; on a Supervisor III it is an RJ-45 jack. Alternatively, you can reach the supervisor indirectly over the network, via Telnet or SNMP to its logical in-band interface, sc0.

For any mode capable of making permanent changes to the Catalyst configuration, you should consider tightening access beyond the norm of simple login and enable passwords. Two tools restrict supervisor module access: the ip permit list and TACACS+. The ip permit list is the Catalyst equivalent of a router access list applied with access-class: it defines the set of IP addresses from which the Catalyst accepts Telnet or SNMP connections. TACACS+, on the other hand, presents an authentication challenge to anyone attempting console or Telnet access, demanding a username and password combination rather than just a password. Used together, they limit access in two independent ways: a more sophisticated authentication procedure than a simple password, and an explicit list of workstation addresses from which the supervisor accepts a Telnet or SNMP connection. Note that the ip permit list does nothing for the console port; physical access to the console is a separate problem.

For example, suppose that Fred, an unauthorized user (the attacker), wants to make a configuration change on a Catalyst. Fred knows that Joe, the network administrator, always makes changes from his workstation in room 101. Fred waits until Joe leaves the room and no one is around, then tries to log in to the Catalyst from Joe's machine. The ip permit list accepts the connection, since it comes from Joe's address. The Catalyst then prompts for a username/password combination. Fred does not know it, so the Catalyst rejects his login attempts.

On the other hand, suppose that Fred discovers Joe's username/password by some means, but cannot get to Joe's machine because it sits in a public area and is always under observation. So Fred tries to log in as Joe from his own machine. Fortunately, Fred's workstation is not in the ip permit list, and the Catalyst refuses the connection; it never even gives Fred the chance to enter the username/password.

If, however, Fred obtains both the username/password and access to an authorized machine, then Fred is in. Do not share your username/password, keep your workstation physically secured from unauthorized users, and never leave a workstation logged in to the Catalyst while it is unattended. That is an open invitation to disaster.

The balance of this article focuses on configuring the Catalyst's TACACS+ authentication feature for users attempting to access the supervisor module either through a directly attached console device or via Telnet to the sc0 logical interface.

When discussing TACACS+, you may at times hear the term AAA.  AAA refers to three basic security processes/questions:

* Authentication-Can you prove you are who you say you are? Can you provide the correct username and password?
* Authorization-What are you allowed to do? The device checks a database to determine the actions you are allowed to perform once you are authenticated.
* Accounting-What did you do or attempt to do? By enabling this piece of AAA, a database keeps track of the commands entered by the user.

NOTE:  The Catalyst supports only the Authentication aspect of AAA.

Usually the device where you enable AAA (such as the Catalyst) communicates with a security server. The server runs software such as CiscoSecure to maintain a database of valid usernames and passwords. TACACS+ is the protocol the device uses to talk to the security server; it runs over TCP, port 49. Figure 1 shows the network relationship between the Catalyst, CiscoSecure and TACACS+. When a user attempts to access the Catalyst supervisor module and TACACS+ authentication is enabled, the Catalyst opens a connection to the security server. The messages passed between the Catalyst and the server include prompt strings from the server to present to the user for username/password input, the username and password from the user to the server, and an accept or reject message from the server to the Catalyst. Earlier issues of The Network Monitor, available at Chesapeake's web site, www.ccci.com, discuss TACACS+ in more detail; additional articles by Dr. Pete Welcher may be found at the same site.

Table 1 shows the various authentication methods available for the Catalyst and the default values for each.

As an alternative to a security server, you can authenticate with locally configured passwords. This is called local authentication, and it is the Catalyst default. Whenever you rely on local authentication, set both a login password (set password) and an enable password (set enablepass). Otherwise the default password for both the login and enable modes is simply <ENTER>, which gives the casual hacker an easy path to enable mode. The Catalyst stores these passwords in its local configuration file. When you enable TACACS+, you specify instead that the password database resides on a remote server and that a username is required in addition to a password.

Configuring TACACS+ on the Catalyst requires you to:

1. Configure at least one TACACS+ server address.
2. Enable TACACS+ authentication.
3. Optionally specify a TACACS+ authentication key.
4. Configure other options, if desired.

Configure a TACACS+ Server Address
One of your configuration tasks is to tell the Catalyst the TACACS+ server's IP address. The Catalyst uses it to open a TCP connection to the server whenever it needs to authenticate a user. To use TACACS+ you must have at least one server in the network that the Catalyst can reach; test connectivity between the Catalyst and the server with ping and/or traceroute to confirm that a working path exists between the two.

Configure the server address with the set tacacs server ip_address command.  For example, suppose that your TACACS+ server has an IP address of 144.254.100.10. Then you can set the address as shown in Example 1.

You may want more than one TACACS+ server in your network for resilience. Otherwise, if you enable TACACS+ but no path exists between the Catalyst and the server, or the server is down, you might lock yourself out of the Catalyst and have to perform the password recovery procedure. You can list more than one TACACS+ server in the configuration file, and you should select which one is the primary by adding the primary keyword to that server's entry. Example 2 shows a configuration with three TACACS+ servers, one of which is defined as the primary.

The Catalyst first attempts to communicate with the TACACS+ server at 144.254.100.11. If it cannot establish a connection, it falls back to the other servers, starting at the top of the list. By default the Catalyst waits 5 seconds for a response from a TACACS+ server; if none arrives in that time, it tries the next server on the list. Use the set tacacs timeout seconds command to change the 5-second default. Bear in mind that the timeouts add up: with three unreachable servers at the default, a login attempt waits 15 seconds before the Catalyst gives up on TACACS+.

Enable TACACS+ Authentication
After you configure the IP address of the TACACS+ server, you can enable TACACS+ authentication on the Catalyst. Decide which login processes should use it: you may activate TACACS+ for users logging in at the console, via Telnet, or both, and separately for the login password and for the enable password. Use:

set authentication login tacacs enable [console | telnet | both] [primary]

to define TACACS+ as the authentication method for login mode, and:

set authentication enable tacacs enable [console | telnet | both] [primary]

to define it for enable mode. (The keyword after authentication selects the mode being configured, login or enable; the enable that follows tacacs turns the method on.) Example 3 illustrates enabling TACACS+ for both the login and enable modes.

Note also the show authentication command in Example 3. When you enter this command, the Catalyst displays the current authentication configuration. In the example, the output shows TACACS+ as the primary authentication method for both console and Telnet access, and for both login and enable modes, with the locally configured passwords as the alternative. The Catalyst uses the local passwords only when it fails to reach every TACACS+ server in the list. It does not fall back to them when a server responds with a REJECT; a REJECT is an authoritative decision, and the login fails. Two consequences follow. First, the local passwords remain live credentials for the day the servers are unreachable, so set them with the same care as any other password and change them when staff leave. Second, if you disable the local method entirely and every server is unreachable, no one can log in, and you are back to the password recovery procedure.
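The decision just described, modelled in Python as an added example (it is not code from the article, from Cisco or from the Catalyst software): servers are tried primary-first, a server that does not answer within the timeout is skipped, an ACCEPT or REJECT from any server is final, and the local password is consulted only when no server answered at all. The server table, the user joe and the passwords are constructed values; 144.254.100.10 and 144.254.100.11 are the addresses the article uses, the third address is a placeholder.

```python
"""Model of the Catalyst authentication decision: primary-first server
order, timeout skips to the next server, ACCEPT/REJECT is final, local
password only when no server answered.  Added example; nothing here
speaks TACACS+ on the wire, the servers are simulated by a table."""
from typing import Callable, Dict, List, Optional

ACCEPT = "ACCEPT"
REJECT = "REJECT"
# A query returns ACCEPT, REJECT, or None when the server does not answer
# within the timeout (host down, no route, server process stopped).
Query = Callable[[str, str, str], Optional[str]]


def ordered_servers(servers: List[str], primary: Optional[str]) -> List[str]:
    """Primary first, then the remaining servers in configured order."""
    if primary is None or primary not in servers:
        return list(servers)
    return [primary] + [s for s in servers if s != primary]


def authenticate(username: str, password: str, servers: List[str],
                 primary: Optional[str], query: Query,
                 local_password: Optional[str], local_enabled: bool) -> str:
    """Return a string naming the decision and what produced it."""
    for server in ordered_servers(servers, primary):
        reply = query(server, username, password)
        if reply is None:
            continue                      # timeout: try the next server
        if reply == ACCEPT:
            return "ACCEPT from " + server
        return "REJECT from " + server    # authoritative: no local fallback
    # No server answered at all: local password, if that method is enabled.
    if local_enabled and local_password is not None:
        return "ACCEPT local" if password == local_password else "REJECT local"
    return "REJECT: no server reachable and no local fallback"


def make_query(state: Dict[str, Optional[Dict[str, str]]]) -> Query:
    """Simulated servers (constructed): None means the host is down,
    otherwise a username -> password table the server checks against."""
    def query(server: str, username: str, password: str) -> Optional[str]:
        table = state.get(server)
        if table is None:
            return None
        return ACCEPT if table.get(username) == password else REJECT
    return query


SERVERS = ["144.254.100.10", "144.254.100.11", "144.254.100.12"]  # .12 is a placeholder
PRIMARY = "144.254.100.11"
LOCAL_PW = "local-pw"  # constructed local login password


def scenarios() -> Dict[str, str]:
    creds = {"joe": "joes-pw"}  # constructed server-side account
    all_up = make_query({s: creds for s in SERVERS})
    primary_down = make_query({"144.254.100.10": creds, "144.254.100.11": None, "144.254.100.12": creds})
    all_down = make_query({s: None for s in SERVERS})
    return {
        "primary answers": authenticate("joe", "joes-pw", SERVERS, PRIMARY, all_up, LOCAL_PW, True),
        # The local password is NOT accepted while a server is reachable.
        "bad password, server reachable": authenticate("joe", LOCAL_PW, SERVERS, PRIMARY, all_up, LOCAL_PW, True),
        "primary down, backup answers": authenticate("joe", "joes-pw", SERVERS, PRIMARY, primary_down, LOCAL_PW, True),
        "all down, local fallback": authenticate("joe", LOCAL_PW, SERVERS, PRIMARY, all_down, LOCAL_PW, True),
        "all down, no fallback": authenticate("joe", LOCAL_PW, SERVERS, PRIMARY, all_down, LOCAL_PW, False),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```

The last scenario is the lockout the article warns about: every server unreachable and the local method disabled leaves no way in short of password recovery.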

TACACS+ Key
TACACS+ can protect the transactions between the TACACS+ client (the Catalyst) and the TACACS+ server (the authentication database) with a shared key. The key, together with the session identifier and sequence number of each packet, seeds an MD5-derived keystream that is XORed over the packet body, which stops a hacker sniffing the segment from reading the username/password exchange in the clear. Strictly speaking this is obfuscation rather than strong encryption (the current protocol specification, RFC 8907, calls it exactly that), so it is no substitute for keeping the Catalyst-to-server path off untrusted segments. Even so, use it. It is an optional feature: if you trust the users inside your network (you shouldn't), you may elect not to key the TACACS+ messages. Leaving them unkeyed saves you configuring a key and skips one processing step, but neither point produces any significant advantage in a Catalyst environment where few users need to be authenticated at the same time.

Enable it with the set tacacs key key command; the value you give for key becomes the shared secret. The Catalyst and the authentication server must use the same key. Otherwise the two cannot make sense of each other's messages, and they will agree on one thing only: not letting you into the Catalyst.

If you do not want to use encryption, then do not enter this command at all. Then the Catalyst and server transmit all messages unencrypted.
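What the key actually does on the wire, as an added example in Python (not code from the article or from Cisco): the body obfuscation defined in RFC 8907 section 4.5, which is the same MD5 pseudo-pad scheme the Cisco TACACS+ draft of the period describes. A minimal authentication START packet for an ASCII login is built, sent keyed and unkeyed, and decoded with the right key and a wrong one. The session id, the username, the remote address and the key are constructed values.

```python
"""TACACS+ body obfuscation per RFC 8907 section 4.5.  Added example:
builds an authentication START packet, obfuscates it under a shared
key, and shows what a receiver (or a sniffer) gets back.  The MD5
pseudo-pad is keyed by session_id, key, version and seq_no; the 12-byte
header is never obfuscated."""
import hashlib
import struct
from typing import Optional

TAC_PLUS_VERSION = 0xC0            # major 0xC, minor 0
TAC_PLUS_AUTHEN = 0x01             # header type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body sent in the clear
# Authentication START fields for an ASCII login (RFC 8907 section 5.1)
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_{n-1}); concatenated
    and truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: bytes, port: bytes, rem_addr: bytes, priv_lvl: int = 1) -> bytes:
    """START body: eight fixed octets, then user, port and rem_addr (no data field)."""
    fixed = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), 0)
    return fixed + user + port + rem_addr


def build_packet(body: bytes, session_id: int, seq_no: int, key: Optional[bytes]) -> bytes:
    """Header plus body.  With key=None the unencrypted flag is set and the
    body goes out as-is, which is what a client with no key configured sends."""
    if key is None:
        flags, payload = TAC_PLUS_UNENCRYPTED_FLAG, body
    else:
        flags, payload = 0, obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body))
    return header + payload


def decode_body(packet: bytes, key: bytes) -> bytes:
    """What the receiver, or anyone sniffing who holds the key, recovers."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return obfuscate(body, session_id, key, version, seq_no)


def demo() -> dict:
    user = b"joe-netadmin"                  # constructed
    body = authen_start_body(user, b"vty0", b"144.254.101.5")
    session_id = 0x1A2B3C4D                 # constructed; real clients pick this at random
    key = b"ExampleSharedKey"               # constructed; must match the server's key
    keyed = build_packet(body, session_id, 1, key)
    clear = build_packet(body, session_id, 1, None)
    return {
        "unkeyed packet exposes the username": user in clear,
        "keyed packet hides the username": user not in keyed,
        "right key recovers the body": decode_body(keyed, key) == body,
        "wrong key yields garbage": decode_body(keyed, b"wrong-key") != body,
        "unkeyed body is readable by anyone": decode_body(clear, b"whatever") == body,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Two things to take from it: the whole secret lies in the key, so whoever reads it out of the Catalyst configuration can decode every captured session; and the pad is a fixed function of values that travel in the clear header, which is why the specification treats the scheme as obfuscation rather than encryption.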

Example 4 illustrates the show tacacs command. Note that the output displays, in clear text, the TACACS+ key the Catalyst uses to communicate with the authentication server; the key appears the same way in the configuration listing. Anyone who can read the Catalyst configuration, or a backup of it, holds the key, so treat both as sensitive and change the key if either is exposed.
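The whole procedure in one place, as an added example; it is not the article's Examples 1 through 4, which are not reproduced on this page. The server addresses other than 144.254.100.10 and 144.254.100.11, the timeout, the key and the ip permit entries are placeholders to replace with your own. The syntax is the Catalyst 5000 supervisor software set/show form; set password and set enablepass prompt interactively for the old and new passwords rather than taking them on the command line. Set the local passwords and enable the local fallback before turning TACACS+ on, keep the session you are working in open, and verify with a second Telnet session before trusting the configuration.

```text
Console> (enable) set password
Console> (enable) set enablepass
Console> (enable) set tacacs server 144.254.100.11 primary
Console> (enable) set tacacs server 144.254.100.10
Console> (enable) set tacacs server 144.254.100.12
Console> (enable) set tacacs timeout 10
Console> (enable) set tacacs key ExampleSharedKey
Console> (enable) set authentication login local enable
Console> (enable) set authentication enable local enable
Console> (enable) set authentication login tacacs enable both primary
Console> (enable) set authentication enable tacacs enable both primary
Console> (enable) set ip permit 144.254.101.5
Console> (enable) set ip permit 144.254.101.0 255.255.255.0
Console> (enable) set ip permit enable
Console> (enable) show tacacs
Console> (enable) show authentication
Console> (enable) show ip permit
```

The ip permit entries go in before set ip permit enable so that the workstation you are configuring from is already on the list when the filter takes effect. The output of the three show commands varies between software releases and is not reproduced here; read it to confirm that TACACS+ is primary for both modes, that local is still enabled as the fallback, and that the permit list contains only the addresses you intend.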

Other Authentication Choices
Cisco recently released supervisor module software version 5.1, which adds the option to use RADIUS rather than TACACS+. RADIUS behaves somewhat differently from TACACS+ (among other things it runs over UDP and hides only the password field rather than the whole exchange), though the end objective is the same. Configuring RADIUS is very similar to the TACACS+ configuration described above; see the Cisco documentation for the variances.


Case Study

Customer: A Large Wall Street Financial Firm

Problem: A major Wall Street financial firm needed to implement a security system for their corporate network. They had chosen Check Point software, the market-leading firewall product, as their firewall platform based on corporate requirements and product capabilities. However, the firm knew that proper installation and configuration of a firewall can be tricky, so they sought professional assistance with the project.

Solution: Chesapeake is a Check Point Training and Consulting Partner, ideally qualified to install and configure the Check Point software for the customer. Chesapeake began by assisting the customer in assessing their security risks and determining their exact security requirements. Chesapeake then installed and configured Check Point’s FireWall-1 system on a Sun Solaris platform. As an added value, Chesapeake trained the customer’s staff on configuration procedures and provided them with a detailed configuration document for future use.

Benefits: The financial firm has successfully introduced their security solution based on the proper implementation of their firewall by Chesapeake. They have assured security for their network by taking full advantage of Chesapeake’s Check Point Training and Consulting Partnership and their capabilities in security risk assessment. Additionally, the customer has gained a valuable and permanent working knowledge of the configuration process through the written documentation provided by Chesapeake to the customer’s in-house staff.


Consulting and Training Services

Throughout the internetworking industry, Chesapeake Computer Consultants is recognized as the world-wide quality leader of advanced network training. Equally true, but not as widely known, is that Chesapeake’s cadre of Instructor/Consultants have also assisted customers around the world in overcoming their most formidable operational challenges. From advanced design services to network health evaluations, troubleshooting to security audits, installation and configuration to network management, Chesapeake’s unique team of instructor/consultants has a proven track record of delivering compelling, "knowledge-based" solutions.

Our goal is to assist you in meeting the challenges of maintaining, managing and growing one of your most valuable strategic resources — your network. Chesapeake’s world class internetworking experts combine superb technical knowledge, problem solving skills, and a desire to teach. The result is a unique approach to consulting that provides you with immediate solutions to problems coupled with the long-term benefit of knowledge transfer to internal staff to reduce your dependence on outside resources.

Chesapeake’s instructor/consultants are backed by our proprietary knowledge base of training materials, industry experience, and proven solutions second to none in the internetworking industry.

Professional Service Offerings

Network Consulting Services

Network Strategy & Planning: This "front-end" service is designed to assess the organization’s current network capabilities in relation to its overall business strategy and to define the optimal network architecture to meet these strategic objectives.

Network Design: Once a network strategy has been defined, Chesapeake’s Network Design consultants define the scope and specifications for the technical design of your network.

Network Health Evaluation: This periodic service by our consultants includes a detailed examination of your network using sophisticated network protocol analysis tools. The result of this engagement is a comprehensive assessment including recommendations for performance improvement.

Network Security Services: This service includes the evaluation and/or development of security policies, the installation/configuration of various network firewall products, and a network security assessment which identifies possible network vulnerabilities and the recommended counter measures to mitigate the threats.

Network Implementation Services

Project Management: Chesapeake’s project management services include program and technical team leadership, project implementation plans, staffing plans and project schedules. These services allow you to depend on our technical experts to ensure a smooth and timely implementation of network projects.

Installation and System Configuration: Chesapeake’s substantial expertise in complex, multi-vendor environments ensures the necessary capabilities to effect a smooth migration to a new platform and/or technologies.

Network Operational Services

Network Performance Management: With the use of the latest in network performance management tools, Chesapeake has a unique suite of capabilities to optimize your network’s performance. These tools include network simulation and modeling, remote monitoring and data capture and configuration management.

Network Troubleshooting: This time-sensitive service includes fault detection and isolation followed by quick remediation to ensure maximum network availability.


Cisco Career Certification

Cisco’s Career Certifications now allow a greater number of individuals the capacity to become qualified and improve their career opportunities. The Career Tracks are divided into two principal avenues: network design and network support. An expanded series of supervised testing has also been instituted which allows the individual both independent and aggregated test tracks from which to choose.

The foundational programs for the Routing and Switching track begin with the Cisco Certified Network Associate (CCNA) certification. The primary skills embodied in the CCNA certification are the installation, configuration, and operation of simple-routed LANs, WANs, and switched LAN networks. The CCNA can be built upon and foster additional certifications.

In the Network Design path, supplementary coursework and testing lead to the Cisco Certified Design Associate (CCDA) and Cisco Certified Design Professional (CCDP) certifications. The CCDA candidate must be able to design routed LANs, routed WANs, and switched LAN networks. The CCDP candidate can build on his/her CCDA and CCNA certifications and must be able to perform complex routed LAN, WAN, and switched LAN design.

In the Network Support Path, supplementary coursework and testing lead to the Cisco Certified Network Professional (CCNP) and Cisco Certified Internetwork Expert (CCIE) certifications. The CCNP certification is designed to reflect expertise in the areas of installing, configuring, operating, and troubleshooting complex routed LANs, WANs, switched LANs, and Dial Access Services. The network support certifications build upon each other: CCNP requires CCNA and CCIE requires CCNP.

The CCIE program is divided into two relevant areas of concentration: Routing and Switching (R/S) and ISP-Dial Technology. The CCIE-Routing and Switching expert builds on the skills of the CCNP certification with the addition of network fault diagnosis and resolution, packet/frame analysis and Cisco debugging tools, and problem-solving process reporting and documentation. The CCIE-ISP Dial specialist must demonstrate expertise in implementing all forms of dial-on-demand routing and transmission protocols, router/access server configuration, dial firewall and security implementation, access lists, and authentication. Cisco recommends that all CCIE candidates not only leverage instructor-led training to prepare for the obligatory certification examinations, but that at least two years of on-the-job experience have also been completed.

The Chesapeake team is confident that we offer the finest training available in the marketplace today, but don’t just take it from us! Cisco has found Chesapeake to be the nation’s highest rated quality training partner through their independent student survey program. We have also been selected to deliver custom training to Cisco’s Systems Engineers nationwide. Lastly, we count twenty-one Cisco Certified Internetwork Experts (CCIEs) among our staff of elite internetworking authorities who provide consultative education through instructor-led training and consulting support.



Copyright © 1997 Chesapeake Computer Consultants, Inc. All rights reserved.