Wednesday, March 16, 2016

Lab 3-2 Device Hardening

Lab pre-requisites:

Lab 2-1 Packet Tracer Topology Download.

Topology Diagram

This is a continuation of the previous lab on basic security.
Task 1: Managing unused ports on a Switch.
Task 2: Using Switchport port-security.
Task 3: Disable unused services.

Since all switch ports are 'up' by default, connecting a device to any port brings that port up. This is a problem for an administrator, because users can reach the access-switch ports through sockets in a wall or floor. It is in the administrator's best interest to control who can plug new devices into the network.

Task 1: Managing unused ports on a Switch.

As an example let's disable the following ports on SW1:
Fas0/2, Fas0/4-12, Fas0/14-24.

To do it in 'one shot' we use the range command, which lets us configure a range of ports at once. Contiguous ports are separated with a hyphen, non-contiguous ones with a comma, as shown below:

SW1(config)#interface range fas0/2,fas0/4-12,fas0/14-24
SW1(config-if-range)#description UNUSED
SW1(config-if-range)#shutdown

I have added the 'description' so that it is clear the ports were disabled on purpose.

Verification in Packet Tracer would be to type in:

SW1#show run

If you are using real equipment, I suggest the following command instead:

SW1#show interface status | include disabled

This displays only the ports you have disabled, filtering out the ones that are still enabled.

Task 2: Using Switchport port-security.

Now let's play with port security. Suppose we want to ensure that port fas0/13, which currently serves our Branch router (fas0/0), only accepts frames whose source MAC address is the router's. Port security can enforce this.

Remember a few things related to port security:
  • By default all ports run in 'dynamic' mode (Dynamic Trunking Protocol), so 'switchport mode access' is required before port security can be enabled. Only ports in true 'access mode' can run port security.
  • Applying port security with no options uses the following default template: only 1 MAC address is allowed on the port, the first MAC address learned becomes the secure one, that MAC address is NOT copied to the port configuration, and the violation action is shutdown.
More on the options in another post.

Let's configure the following on the port fas0/13 (connection to Branch):
  • Only 1 mac address allowed (Branch fas0/0)
  • Upon violation: shutdown the port (err-disable)

SW1(config)#int f0/13
SW1(config-if)#switchport mode access
SW1(config-if)#switchport port-security

Verify the result with:

SW1#show port-security

Based on the output we can say the following:

Port fas0/13 is currently in secure mode (Secure Port).

Only 1 mac address is allowed (MaxSecureAddr Count).

The first learned mac address has become secure (CurrentAddr Count).

There was no violation reported (SecurityViolation Count).

If a frame hits port fas0/13 with an illegitimate source MAC address, the port will be 'shutdown' (placed in the error-disabled state).

Another way of checking this:

SW1#show port-security interface fas0/13

If the port is err-disabled, there are only two ways to bring it back up:
  1. Shut the port down (shutdown) and re-enable it manually (no shutdown).
  2. Use errdisable recovery (not covered in CCNA courses).

Display the current secure MAC address:

SW1#show port-security address

Packet Tracer does not fully implement this feature (it does not behave as a real switch would).

If you have real equipment, you can do the following:

Configure Branch fas0/0 with a new MAC address:

Branch(config)#int f0/0
Branch(config-if)#mac-address 0008.eeee.eeee

Within a few seconds the Branch router sends a 'gratuitous ARP' message. Its source MAC address has changed, which triggers the violation.

SW1's port fas0/13 will go 'down' and be placed in the error-disabled state.

You can then check this with one of the two commands:

SW1#show interface status | i err

SW1#show int fas0/13

SW1 also logs a message describing the violation.

Task 3: Disable unused services.

The last task is about disabling certain services that might create security problems for us.

To disable CDP, you can do it on all interfaces of a switch/router at once:

SW1#conf t
SW1(config)#no cdp run

or on a per-interface basis:

SW1#conf t
SW1(config)#interface fas0/1
SW1(config-if)#no cdp enable

Then verify with:

SW1#show cdp interface

You will see that Fas0/1 is no longer listed.

The commands below are NOT supported in Packet Tracer.

On some routers (especially older ones), use the following command to check for open ports:

show control-plane host open-ports

You might see that the HTTP port (80) is open. Best practice is then to disable it:

Branch#conf t
Branch(config)#no ip http server

It is also good practice to disable the following services (enabled by default on older routers):

Branch(config)#no service tcp-small-servers
Branch(config)#no service udp-small-servers
Branch(config)#no service finger
Branch(config)#no ip bootp server

To learn more about these services, check the Cisco documentation.
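As an added example that is not part of the original lab, the script below audits a saved IOS running-config against the three tasks above: ports marked UNUSED must be shut down, in-use access ports must have port-security, and the global services named in Task 3 must be disabled. The config text is a constructed sample, and the check for global services assumes their 'no' form appears in 'show run' once disabled.

```python
# Constructed sample running-config (not from the lab page); fas0/1 and fas0/2
# are left with deliberate gaps so the audit has something to report.
SAMPLE_CONFIG = """\
no cdp run
no ip http server
no service tcp-small-servers
!
interface FastEthernet0/1
 switchport mode access
!
interface FastEthernet0/2
 description UNUSED
!
interface FastEthernet0/13
 description Link to Branch fas0/0
 switchport mode access
 switchport port-security
!
"""
# Services the lab turns off; assumes their 'no' form appears in 'show run' once disabled.
REQUIRED_GLOBALS = ("no cdp run", "no ip http server", "no service tcp-small-servers",
                    "no service udp-small-servers", "no service finger", "no ip bootp server")
def parse_interfaces(config):
    """Return {interface_name: [stripped config lines]} from an IOS running-config."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global line ends the interface block
    return interfaces
def audit(config):
    """Return sorted hardening findings, one per gap, mirroring the three lab tasks."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        cmds = set(lines)
        unused = any(l.startswith("description ") and "UNUSED" in l.upper() for l in lines)
        if unused and "shutdown" not in cmds:  # Task 1: UNUSED ports must be shut down
            findings.append(f"{name}: marked UNUSED but not shut down")
        if "switchport mode access" in cmds and "shutdown" not in cmds \
                and "switchport port-security" not in cmds:  # Task 2: port-security on access ports
            findings.append(f"{name}: access port without port-security")
    globals_ = {l.strip() for l in config.splitlines() if not l.startswith(" ")}  # Task 3
    findings += [f"global: missing '{g}'" for g in REQUIRED_GLOBALS if g not in globals_]
    return sorted(findings)
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```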