Welcome to this Security series which will cover basic security topics in the CCNA exam. Let’s begin by giving a brief overview of Security.
There are three main aspects of Security: Confidentiality, Integrity, and Availability, commonly referred to as the CIA Triad. It’s easy to remember this because when you think of CIA, as in Central Intelligence Agency, you think of Security.
What do these three aspects really mean? Let’s use a story to illustrate the concept:
John is a spy and he’s meeting with a contact who is bringing a top secret document to him. They choose to meet at a secluded place in the basement of an old building far from any settlements so that no one can eavesdrop on their conversation. This is Confidentiality. Confidentiality ensures that no unauthorised party has access to information or resources.
The contact hands John the document in an envelope closed with a tamper-evident seal. John checks that the seal is intact and the envelope has not been opened. This is Integrity. Integrity ensures that information is not altered in storage or in transit, and that any alteration can be detected.
John takes the document back to HQ, scans it and uploads it on multiple secure servers so that if one of the servers goes down, the document is still available. This is Availability. Availability ensures that resources or information are available to authorised parties when needed.
So what do all these have to do with Security? Well, every security mechanism targets one or more of these areas.
In this series of posts, we will focus only on security mechanisms implemented on networks and network devices. It is going to be VERY practical, so get your simulation tools out.
WARNING: If you are practicing these things with real network gear, be careful not to lock yourself out.
As you may know, the CCNA Routing and Switching exam is changing, from 640-802 CCNA to 200-120 CCNA. The topics covered in this series will try to highlight all the security topics in CCNA, regardless of which version you are preparing to sit. Listed here are the topics for discussion:
Network Device Security: Password management, Telnet, SSH
Port security on switches
Turning off insecure and unnecessary services on Network Devices
Network filtering using Access Control Lists (ACLs)
Troubleshooting security settings
We will not cover NAT because there is already a post on NAT on this site.
Are you ready? Let’s go!
I hope the diagrams are clear enough to understand. Both represent the same network but from different views (Layer 3 and Layer 2). You can look at the table below for more clarification.
I have set up basic connectivity and all devices can ping each other, as shown below:
Now that we have basic connectivity, let’s take the first lesson on Network Device Security.
NETWORK DEVICE SECURITY
Before you log in to your email, you have to sign in with your username and password. This is done so that not just any one can access your information and resources. The same principle applies for our network devices – not everyone should have access to it. For example, staff members working in the Finance department of your company have no reason to log in to your router; only Network Administrators should have this access.
There are three basic ways to secure the Privileged EXEC mode on Cisco Network devices. Notice the word “basic” because there are other more advanced methods:
Enable password: This requires a password to be typed before access is granted to the Privileged EXEC mode of a Cisco Network device. Let’s configure Router_UK with enable password cisco123.
Now notice what happens when we logout and want to login again:
It asks for a password (IOS does not echo anything while you type a password) before it lets me into the Privileged EXEC mode.
But what is the problem with this approach? Let’s take a look at the running configuration:
Wow! Our password is showing in plain text. This means that anyone who sees this configuration (maybe someone looking over our shoulder?) knows our password. Not so secure is it?
Well, Cisco came up with something called “Service Password Encryption.” What this basically does is obfuscate all of our plain-text passwords (not just the enable password) with a Vigenère-style cipher: every password byte is combined with a fixed key that is the same on every IOS device. The result is what Cisco calls a type 7 password.
To enable this, you enter the following command in Global configuration mode: service password-encryption. Let’s see what happens in our running configuration now:
*Whew.* Our password is no longer in plain text! Notice the “7” after “password”? That tells us that the value is stored as a type 7 password, i.e. obfuscated with the Vigenère-style cipher.
Don’t rejoice yet: because the key is fixed and publicly known, type 7 is trivially reversible, and there are tools that recover the plain text instantly (e.g. http://www.ifm.net.nz/cookbooks/passwordcracker.html). It stops a casual shoulder-surfer reading the password off the screen, nothing more. Cisco advises against relying on the old type 7 password. That brings us to the second method.
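To make the point concrete, here is an added example (my own Python, not code from the original post or from Cisco) that does what the cracker linked above does. It implements the type 7 decoder (and the matching encoder), then audits a running-config for credential lines and recovers every type 7 value it finds. The key constant is the well-known fixed type 7 key; the two configuration excerpts and the password values in them are constructed for this example, not captured from a real device.

```python
"""Cisco IOS type 7 password decoder and running-config credential audit.

Added example for this article (not Cisco code). Type 7, the format
produced by "service password-encryption", is a Vigenere-style cipher:
each password byte is XORed with a byte of a fixed key that is identical
on every IOS device. The first two characters of the stored value are a
decimal offset (seed) into that key; the rest is hex-encoded ciphertext.
"""
import re

# The fixed type 7 key. Because it is the same everywhere, type 7 is
# obfuscation, not encryption.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Matches "password <value>", "password 7 <value>", "secret 5 <value>", ...
# The optional numeric group is the password type; no type means plain text.
CRED_RE = re.compile(r"\b(?P<kw>password|secret)\s+(?:(?P<type>\d+)\s+)?(?P<value>\S+)\s*$")


def type7_decode(stored: str) -> str:
    """Recover the plain text behind a 'password 7 <stored>' value."""
    if len(stored) < 4 or len(stored) % 2:
        raise ValueError(f"malformed type 7 value: {stored!r}")
    seed = int(stored[:2])               # decimal offset into TYPE7_KEY
    cipher = bytes.fromhex(stored[2:])   # one hex pair per password byte
    plain = bytes(
        c ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, c in enumerate(cipher)
    )
    return plain.decode("ascii")


def type7_encode(plaintext: str, seed: int = 0) -> str:
    """Produce the value IOS would store for `plaintext` (real devices use seeds 0..15)."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be between 0 and 15")
    data = plaintext.encode("ascii")
    cipher = bytes(
        b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data)
    )
    return f"{seed:02d}{cipher.hex().upper()}"


def audit_config(config: str) -> list:
    """Return (line number, finding, recovered plain text) for every credential line."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), start=1):
        m = CRED_RE.search(line)
        if not m:
            continue
        ptype, value = m.group("type"), m.group("value")
        if ptype is None or ptype == "0":
            findings.append((lineno, "plaintext", value))
        elif ptype == "7":
            findings.append((lineno, "type7-reversible", type7_decode(value)))
        else:
            # Types 5 (salted MD5), 8 (PBKDF2-SHA256) and 9 (scrypt) are hashes:
            # not reversible from the config, though still guessable offline.
            findings.append((lineno, f"type{ptype}-hashed", None))
    return findings


# Constructed running-config excerpts (not captured from a real device):
# the same router before and after "service password-encryption".
BEFORE = """\
hostname Router_UK
!
enable password cisco123
username admin privilege 15 password letmein
!
line vty 0 4
 password cisco
 login
"""

AFTER = """\
hostname Router_UK
service password-encryption
!
enable password 7 0822455D0A16544541
username admin privilege 15 password 7 0507031B2C494707
!
line vty 0 4
 password 7 02050D480809
 login
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(f"--- {label} service password-encryption ---")
        for lineno, kind, plain in audit_config(cfg):
            print(f"line {lineno:2d}: {kind:17s} {plain or '(not recoverable from the config)'}")
```

Run it and the “after” configuration gives up exactly the same passwords as the “before” one; the only thing `service password-encryption` changed is that the values no longer read as plain text on screen. Anyone who obtains the configuration (a backup on a TFTP server, a `show run` pasted into a ticket) still has every password.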
Enable Secret: This does the same thing as enable password, but the secret is stored as a salted MD5 hash (shown as a type 5 password in the configuration) rather than with a reversible cipher. If both an enable password and an enable secret are configured, the enable secret is the one that is used. Let’s see how it looks on Router_US:
A hash cannot be reversed the way a type 7 password can, but it is still susceptible to attack: anyone who obtains the configuration can run a dictionary or brute-force attack against the hash offline, and MD5 is fast enough to make that practical against weak passwords. Newer IOS releases also offer type 8 (PBKDF2-SHA-256) and type 9 (scrypt) secrets via enable algorithm-type; use those where your software supports them. The moral of the story: choose strong secrets, protect your configuration files and backups, and keep your network devices in secure locations with adequate access control.
Username/Password combination: With the two previous methods, everyone who needs to manage the network device logs in with the same password. However, it is possible to specify usernames with corresponding passwords so that different users can log in with different usernames. When this is used with privilege levels (between 0 and 15), it can be very effective. We will cover this password management technique later on in this series.
We will stop here for now and look at Telnet, SSH, port security and turning off unnecessary services in the next article. Remember to save your network, since that is what we will use throughout this series.
Now, it’s time for a quick quiz. Don’t scroll up to answer these questions. No cheating! 🙂
What are the three aspects that make up Security?
What algorithm is implemented in Cisco’s service password encryption?
What aspect of the security triad do encryption algorithms handle?
Answers will be given just before the next article when adequate responses have been received.
Cisco IOS Security Configuration Guide- Configuring Security with Passwords Privileges and Logins: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_cfg/configuration/12-4t/sec-cfg-sec-4cli.html