Security management controls access to network resources using local guidelines so that sensitive information cannot be accessed without appropriate authorization. For example, a security management subsystem can monitor users logging onto a network resource and refuse access to those who enter inappropriate access codes.
Security management partitions network resources into authorized and unauthorized areas. Certain users can be denied access to all network resources. Other users can be granted access to a network resource, such as a particular system, but can be denied access to areas on that system that contain sensitive information. Security management identifies sensitive network resources, determines mappings between sensitive network resources and user sets, monitors access points to sensitive network resources, and logs inappropriate access to sensitive network resources.
The Catalyst 5000 series switch features the following network security tools:
Media Access Control (MAC) address security allows the Catalyst 5000 series switch to block input to an Ethernet or Fast Ethernet port when the MAC address of a station attempting to access the port is different from the configured MAC address. When a port receives a packet, the module compares the source address of that packet to the secure source address learned by the port. When a source address change occurs, the port is disabled, and the LED for that port turns orange. When the port is reenabled, the port LED turns green.
Secure port filtering does not apply to trunk ports where the source addresses change frequently.
To enable secure port filtering, perform this task:
| Task | Command |
|---|---|
| Enable port security. | set port security mod_num/port_num(s) enable [mac_addr] |
The set port security command lets you set a specified port's secure MAC address to the given address. If no MAC address is given, the address is learned. Once the address is learned, it remains unchanged until the system relearns it when you reenter the command. The MAC address is stored in nonvolatile random-access memory (NVRAM) and is maintained even after a reset. When a packet's source address does not match the allowed address, the port through which the packet arrived is disabled, and a link-down trap is sent to the Simple Network Management Protocol (SNMP) manager. After entering the set port security command, you see a display like this:
Console> set port security
Usage:set port security modNum/portNum(s) <enable|disable> [mac_addr]
Console> set port security 3/1 enable
Port 3/1 port security enabled with the learned mac address.
Console> set port security 3/1 enable 01-02-03-04-05-06
Port 3/1 port security enabled with 01-02-03-04-05-06 as the secure mac address.
Console>(enable)
To disable secure port filtering, enter the set port security mod_num/port_num(s) disable [mac_addr] command.
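As an added illustration (not Catalyst code), the following Python models the per-port behaviour described above: a single secure address that is either configured or learned from the first frame, a shutdown and link-down trap on the first mismatch, the persistence of the secure address when the port is re-enabled, and the exclusion of trunk ports. Port names, MAC addresses and the trap text are constructed for the example; the status row mirrors the columns of the show port security table shown below.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SecurePort:
    """One Ethernet port with MAC address security (constructed model)."""
    name: str                            # e.g. "3/1"
    trunk: bool = False
    enabled: bool = False
    secure_addr: Optional[str] = None    # configured or learned secure MAC
    last_src: Optional[str] = None
    shutdown: bool = False
    src_addr_changes: int = 0            # the Src-addr-Changes counter in show port
    traps: List[str] = field(default_factory=list)   # link-down traps for the SNMP manager

    def enable_security(self, mac: Optional[str] = None) -> str:
        """set port security <port> enable [mac_addr]; re-entering relearns."""
        if self.trunk:
            # Secure port filtering is not applied to trunk ports, whose
            # source addresses change constantly.
            raise ValueError(f"port {self.name}: port security not applied to trunk ports")
        self.enabled = True
        self.shutdown = False
        self.secure_addr = mac.lower() if mac else None   # None: learn from the next frame
        if mac:
            return f"Port {self.name} port security enabled with {mac} as the secure mac address."
        return f"Port {self.name} port security enabled with the learned mac address."

    def disable_security(self) -> None:
        """set port security <port> disable"""
        self.enabled = False
        self.secure_addr = None

    def receive(self, src_mac: str) -> bool:
        """Accept or block one incoming frame; returns True if it is forwarded."""
        src_mac = src_mac.lower()
        self.last_src = src_mac
        if not self.enabled:
            return True
        if self.shutdown:
            return False
        if self.secure_addr is None:
            self.secure_addr = src_mac            # learning mode: the first address sticks
            return True
        if src_mac == self.secure_addr:
            return True
        # Source address changed: disable the port (LED turns orange) and
        # send a link-down trap to the SNMP manager.
        self.shutdown = True
        self.src_addr_changes += 1
        self.traps.append(f"linkDown {self.name}: secure={self.secure_addr} seen={src_mac}")
        return False

    def reenable(self) -> None:
        """Operator clears the shutdown; the secure address persists (it lives in NVRAM)."""
        self.shutdown = False

    def security_row(self) -> str:
        """Port / Security / Secure-Src-Addr / Last-Src-Addr / Shutdown, as in show port.
        Addresses are blank while learning or when security is disabled."""
        state = "enabled" if self.enabled else "disabled"
        if self.enabled and self.secure_addr is not None:
            secure, last = self.secure_addr, self.last_src or ""
        else:
            secure, last = "", ""
        return f"{self.name} {state} {secure} {last} {'Yes' if self.shutdown else 'No'}"


if __name__ == "__main__":
    port = SecurePort("3/4")
    print(port.enable_security("05-06-07-08-09-10"))
    port.receive("10-11-12-13-14-15")           # mismatch: port shuts down
    print(port.security_row())
    print(port.traps)
```

The model makes the operational point explicit: after a shutdown the port stays blocked until an operator re-enables it, and the secure address survives that step, so the same intruding station is blocked again immediately.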
The show port command displays all security information, such as MAC addresses, the port counter values, and whether security is enabled or disabled. When a port is in learning mode, or if security is disabled, its MAC addresses are not displayed. After entering the show port command with port security enabled on ports 3/1, 3/3, and 3/4, you see this display:
Console> show port help
Usage: show port
show port <mod_num>
show port <mod_num/port_num>
Console> show port 3
Port Name Status Vlan Level Duplex Speed Type
---- -------------------- -------- ---------- ------ ------ ----- ------------
3/1 connect 1 normal half 10 10 BASE-T
3/2 connect 1 normal half 10 10 BASE-T
3/3 connect 1 normal half 10 10 BASE-T
3/4 shutdown 1 normal half 10 10 BASE-T
3/5 shutdown 1 normal half 10 10 BASE-T
3/6 shutdown 1 normal half 10 10 BASE-T
3/7 shutdown 1 normal half 10 10 BASE-T
3/8 shutdown 1 normal half 10 10 BASE-T
3/9 shutdown 1 normal half 10 10 BASE-T
3/10 shutdown 1 normal half 10 10 BASE-T
3/11 shutdown 1 normal half 10 10 BASE-T
3/12 shutdown 1 normal half 10 10 BASE-T
3/13 connect 3 normal half 10 10 BASE-T
3/14 connect 3 normal half 10 10 BASE-T
3/15 connect 3 normal half 10 10 BASE-T
3/16 connect 3 normal half 10 10 BASE-T
3/17 connect 3 normal half 10 10 BASE-T
3/18 connect 3 normal half 10 10 BASE-T
3/19 connect 3 normal half 10 10 BASE-T
.
.
.
3/44 connect 3 normal half 10 10 BASE-T
3/45 connect 3 normal half 10 10 BASE-T
3/46 connect 3 normal half 10 10 BASE-T
3/47 connect 3 normal half 10 10 BASE-T
3/48 shutdown 3 normal half 10 10 BASE-T
Port Security Secure-Src-Addr Last-Src-Addr Shutdown
---- -------- ----------------- ----------------- --------
3/1 enabled 01-02-03-04-05-06 01-02-03-04-05-06 No
3/2 disabled No
3/3 enabled No
3/4 enabled 05-06-07-08-09-10 10-11-12-13-14-15 Yes
...
...
3/48 enabled 16-17-18-19-20-21 22-23-24-25-26-27 Yes
Port Auto-Parts Fr-toolong Datarate- crc-errors Runt-pkt Good-Pkts Src-addr-
Mismatch Changes
---- ---------- ---------- ---------- ---------- ---------- ---------- -----------
3/1 0 0 0 0 0 0 0
3/2 0 0 0 0 0 0 0
3/3 0 0 0 0 0 0 0
3/4 0 0 0 0 0 0 0
3/5 0 0 0 0 0 0 0
...
...
3/48 0 0 0 0 0 0 0
Port Rcv-Multi Xmit-Multi Good-Bytes Align-Errs Short-Evnt Late-Colls Excess-Col
---- ---------- ---------- ---------- ---------- ---------- ---------- ----------
3/1 0 0 0 0 0 0 0
3/2 0 0 0 0 0 0 0
3/3 0 0 0 0 0 0 0
3/4 0 0 0 0 0 0 0
3/5 0 0 0 0 0 0 0
...
...
3/48 0 0 0 0 0 0 0
Last-Time-Cleared
--------------------------
Wed Feb 22 1995, 18:28:46
Console>
TACACS+ protocol exchanges Network Access Server (NAS) information between a network device and a centralized database. TACACS+ is a new version of TACACS, a User Datagram Protocol (UDP)-based, access-control protocol referenced by RFC 1492.
TACACS+ allows a separate access server (the TACACS+ server) to provide authentication, authorization, and accounting (AAA). These services, while all part of TACACS+, are independent of one another, so that a given TACACS+ configuration can use any or all of the three services.
Each service can be tied to its own database or can use the other services available on the TACACS+ server or on the network, as shown in Figure 12-1. TACACS+ uses Transmission Control Protocol (TCP) as its transport protocol to ensure reliable delivery, and encrypts all traffic between the NAS and the TACACS+ daemon.
TACACS+ is an independent feature that is enabled or disabled at the user's discretion. If TACACS+ is not enabled, the current Catalyst 5000 series switch login interface is enabled by default.
TACACS+ allows you to perform these authentication tasks:
You must configure a TACACS+ server before enabling TACACS+ on the Catalyst 5000 series switch.
To configure TACACS+, perform these steps in privileged mode:
| Task | Command |
|---|---|
| Step 1 Enable TACACS+ authentication for login. | set authentication login tacacs enable |
| Step 2 Enable TACACS+ authentication for enable. | set authentication enable tacacs enable |
| Step 3 Configure the key used to encrypt packets. | set tacacs key key |
| Step 4 Configure the server on which the TACACS+ server daemon resides. | set tacacs server ip_addr primary |
| Step 5 Configure the number of login attempts allowed to the TACACS+ server. | set tacacs attempts N |
| Step 6 Set the timeout interval in which the server daemon must respond. | set tacacs timeout N |
To verify the TACACS+ configuration settings, use the show tacacs command. After entering the command, you see this display:
Console> show tacacs
Login authentication tacacs: enabled
Login authentication local: disabled
Enable authentication tacacs: enabled
Enable authentication local: disabled
Tacacs key: Stand and Deliver
Tacacs login attempts: 3
Tacacs timeout: 5 seconds
Tacacs direct request: disabled
Tacacs-Server Status
--------------- -------
192.20.22.7 primary
192.20.22.8
This section shows how to configure TACACS+ by entering the set authentication and set tacacs commands. The last command in the example, show tacacs, displays the configuration. For more information, refer to the Catalyst 5000 Series Command Reference publication.
Console> set authentication login tacacs enable
Console> set tacacs key Stand and Deliver
Console> set tacacs server 192.20.22.7 primary
Console> set tacacs attempts 3
The attempts value must be between 1 through 10.
Console> set tacacs timeout 5
The timeout value must be between 1 through 255.
Console> show tacacs
Authentication controls access to network devices by determining the identity of a user or an entity. TACACS+ works with many types of authentication, such as fixed password, one-time password, and challenge-response authentication. TACACS+ authentication usually takes place in these instances:
When you first attempt to log on, TACACS+ takes your user password information, encrypts the information using the MD5 encryption algorithm, and adds a TACACS+ packet header. This header information identifies the type of packet being sent (for example, an authentication packet), the packet's sequence number, the type of encryption used, and the total length of the packet. The TACACS+ protocol then forwards the packet to the TACACS+ server.
When the TACACS+ server receives the packet, it does the following:
When you send a request for privileged or restricted services, TACACS+ asks you to provide the information necessary to access the privileged service.
If local password authentication is enabled and TACACS+ password authentication fails, the local password authentication is invoked. By default, only local authentication is enabled.
Disabling TACACS+ authentication automatically reenables local authentication.
A TACACS+ key can be configured on the Catalyst 5000 series switch. This key is used to encrypt the packets transmitted to the server and must be the same as the one configured on the server daemon. If a TACACS+ key is not configured, the packets will not be encrypted.
Multiple TACACS+ servers can be configured. One of the servers can be specified as the primary server. The primary server is tried first.
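To make concrete what the key does on the wire, here is an added Python example (not Catalyst or TACACS+ server code) that builds a TACACS+ authentication START packet in the format of the TACACS+ specification (RFC 8907): a 12-byte header followed by a body XORed with an MD5-derived pseudo-pad keyed by the shared secret. The specification calls this obfuscation rather than encryption, and the same key on both ends is all that ties the two sides together, so a mismatched key simply produces an undecodable body. With no key configured the body is sent in cleartext and the header's TAC_PLUS_UNENCRYPTED_FLAG is set, which is the condition a packet capture or IDS rule should flag. The session id, username and port name are constructed; the key value is the one shown in the show tacacs display above.

```python
import hashlib
import os
import struct

# Header field values from the TACACS+ specification (RFC 8907)
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01                 # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01       # header flag: body is sent in cleartext
TAC_PLUS_AUTHEN_LOGIN = 0x01           # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER_FMT = "!BBBBII"                 # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)


def version_byte(minor: int = TAC_PLUS_MINOR_VER_DEFAULT) -> int:
    return (TAC_PLUS_MAJOR_VER << 4) | minor


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); concatenate and truncate."""
    fixed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(fixed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: str, port: str, rem_addr: str = "", data: bytes = b"") -> bytes:
    """Authentication START body: action, priv_lvl, authen_type, authen_service,
    four length bytes, then the variable-length fields."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    fixed = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_ASCII,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(data))
    return fixed + u + p + r + data


def build_packet(body: bytes, session_id: int, key: bytes,
                 seq_no: int = 1, pkt_type: int = TAC_PLUS_AUTHEN) -> bytes:
    """NAS side. An empty key means the body goes out unobfuscated and the header says so."""
    version = version_byte()
    if key:
        flags, payload = 0, obfuscate(body, session_id, key, version, seq_no)
    else:
        flags, payload = TAC_PLUS_UNENCRYPTED_FLAG, body
    header = struct.pack(HEADER_FMT, version, pkt_type, seq_no, flags, session_id, len(body))
    return header + payload


def parse_packet(packet: bytes, key: bytes) -> bytes:
    """Server side: recover the body with the shared key. A wrong key does not fail
    loudly; it yields garbage that the server then rejects as a malformed body."""
    version, _type, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ packet")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return obfuscate(body, session_id, key, version, seq_no)


def is_cleartext(packet: bytes) -> bool:
    """Monitoring check: does the header admit the body is unobfuscated?"""
    return bool(packet[3] & TAC_PLUS_UNENCRYPTED_FLAG)


if __name__ == "__main__":
    session = int.from_bytes(os.urandom(4), "big")        # constructed session id
    body = authen_start_body("admin", "console")         # constructed user and port
    pkt = build_packet(body, session, b"Stand and Deliver")
    print(pkt.hex())
    print(parse_packet(pkt, b"Stand and Deliver") == body, is_cleartext(pkt))
```

The pad depends on the session id and sequence number as well as the key, so the same body obfuscates differently in every session; the `is_cleartext` check is the one worth running over captured TACACS+ traffic from a switch whose key was never configured.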
Caution: Make sure that TACACS+ is enabled and configured correctly before disabling the local login or enable authentication. If TACACS+ is enabled but not configured correctly, or if the TACACS+ server is not online, you may not be able to log in to the Catalyst 5000 series switch.
The IP permit list is a security mechanism that provides network authentication and authorization. You can use the IP permit list whether or not TACACS is enabled on a network. When TACACS is enabled on a network, the IP permit list provides a first level of checking based on the source IP address. The IP permit list applies only to inbound Telnet and Simple Network Management Protocol (SNMP) services.
You can configure up to 10 entries in the permit list. Each entry consists of an IP address and mask pair in dotted decimal format. Zeroes in the mask indicate don't care bits in the address.
When this feature is enabled, Telnet access and SNMP services are authorized only for the IP addresses of the hosts configured on the permit list. Notifications of unauthorized access attempts are available through SNMP traps and syslog options. Attempts from the same unauthorized host may trigger notifications as often as every 10 minutes.
The IP permit list is disabled by default.
Consider the following prerequisite when configuring the IP permit list.
To enable the IP permit list, enter the set ip permit enable command in privileged mode.
| Task | Command |
|---|---|
| Step 1 Specify the IP address to be added to the list. | set ip permit ip_address [mask] |
| Step 2 Enable the IP permit list. | set ip permit enable |
| Step 3 Enable the IP permit trap to receive traps for unauthorized access. | set snmp trap enable ippermit |
| Step 4 Configure the logging level to see the syslog message for unauthorized access. | set logging level ip 4 default |
To verify the configuration of IP permit traps, enter the following commands:
Console> (enable) show ip permit
IP permit list feature enabled.
Permit List Mask
---------------- ---------------
batboy
172.100.101.102
172.101.102.0 255.255.255.0
128.0.103.0 255.255.0.0
Denied IP Address Last Accessed Time Type
----------------- ---------------- ------
172.100.101.104 01/20/97,07:45:20 SNMP
172.187.206.222 01/21/97,14:23:05 Telnet
Console> (enable)
console> (enable) show snmp
RMON: Disabled
Traps Enabled: ippermit
Port Traps Enabled: None
Community-Access Community-String
---------------- --------------------
read-only public
read-write private
read-write-all secret
Trap-Rec-Address Trap-Rec-Community
---------------------------------------- --------------------
console> (enable)
The following additional commands apply to the IP permit list feature:
| Command | Function |
|---|---|
| clear ip permit | Removes hosts from the IP permit list. |
| show ip permit | Shows the IP permit list information. |
| set snmp trap | Defines a new trap type for the IP permit list. |
| show snmp | Shows the status of IP permit traps. |
This section shows three examples on how to configure the IP permit list feature.
This example shows a host not residing in the IP permit list attempting to Telnet to a Catalyst 5000 series switch. Assume that the IP permit feature is enabled.
unix 190 => telnet cat5k.xyz.com
Trying 172.100.110.120 ...
Connected to 172.100.110.120
Access not permitted. Closing connection...
Connection closed by foreign host.
unix 191 =>
This example shows a sample session by entering IP permit list commands.
Console> (enable) set ip permit help
Usage: set ip permit <enable|disable>
set ip permit <addr> [mask]
(mask is in dotted decimal format e.g. 255.255.0.0)
Console> (enable) set ip permit enable
IP permit list enabled.
WARNING!! IP permit list has no entries.
Console> (enable) set ip permit 172.100.101.102
172.100.101.102 added to IP permit list.
Console> (enable) set ip permit batboy
batboy added to IP permit list.
Console> (enable) set ip permit 172.160.161.0 255.255.192.0
172.160.128.0 with mask 255.255.192.0 added to IP permit list.
Console> (enable) set ip permit enable
IP permit list enabled.
Console> (enable) set ip permit disable
IP permit list disabled.
This display shows the syslog message for a disallowed Telnet access attempt from IP address 172.100.101.102.
01/20/97,07:45:20:IP-4: Unauthorized telnet access attempt from 172.100.101.102
The IP permit list is the first level of security for the Telnet and SNMP protocols. All other TCP/IP services continue to work when the IP permit list is enabled. Outbound Telnet, TFTP, and other IP-based services remain unaffected by the IP permit list.
SNMP requests from nonpermitted IP addresses receive no response; that is, the request times out. IP permit syslog messages and traps are not shown by default.
Each entry in the IP permit list consists of an IP address and a 32-bit mask. The bits set in the mask are checked for a match in the source address of the incoming access, while the zeroed bits are not checked. This process facilitates a means of wildcard address specification.
If you do not specify the mask during configuration, or if you enter a hostname instead of an IP address, the mask has an implicit value of all bits set, 255.255.255.255 (0xffffffff). Such an entry matches only one address.
You can specify the same IP address in more than one entry in the permit list, if the masks are different. The mask is applied to the address before it is stored in NVRAM, so that entries having the same effect (but different addresses) are not stored. The response of the set ip permit command shows the address after the mask is applied.
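The matching and storage rules in the preceding paragraphs, as an added Python example (not Catalyst code): the mask is applied before an entry is stored, entries with the same effect are not stored twice, an entry given without a mask or as a hostname gets the host mask 255.255.255.255, only the mask's set bits are compared against the source address of an inbound Telnet or SNMP request, and a denied host produces a notification at most once every 10 minutes. Name resolution is replaced by a constructed lookup table holding the host batboy from the sample session, the "already in IP permit list" response is constructed, and the addresses are the ones from the sample session above.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

MAX_ENTRIES = 10
HOST_MASK = 0xFFFFFFFF          # implicit mask: exact host match
NOTIFY_INTERVAL = 600           # seconds between repeat notifications for one denied host

# Constructed stand-in for name resolution (the sample session adds host "batboy").
CONSTRUCTED_HOSTS = {"batboy": "172.100.101.102"}


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


class IpPermitList:
    """Model of the IP permit list for inbound Telnet and SNMP (constructed)."""

    def __init__(self, resolver: Callable[[str], Optional[str]] = CONSTRUCTED_HOSTS.get):
        self.enabled = False
        self.entries: List[Tuple[int, int]] = []     # (address after masking, mask)
        self.resolver = resolver
        self.last_notified: Dict[str, float] = {}    # denied source -> time of last message
        self.syslog: List[str] = []

    def add(self, host: str, mask: Optional[str] = None) -> str:
        """set ip permit <addr> [mask]: apply the mask, then store only if the
        resulting entry is new."""
        try:
            addr = to_int(host)
        except ValueError:                           # not dotted decimal: treat as a hostname
            resolved = self.resolver(host)
            if resolved is None:
                raise ValueError(f"cannot resolve host {host}")
            addr, mask = to_int(resolved), None      # hostnames always get the host mask
        mask_int = HOST_MASK if mask is None else to_int(mask)
        entry = (addr & mask_int, mask_int)
        shown = to_dotted(entry[0])                  # the response shows the masked address
        if entry in self.entries:
            return f"{shown} already in IP permit list."   # constructed wording
        if len(self.entries) >= MAX_ENTRIES:
            raise ValueError("IP permit list is full")
        self.entries.append(entry)
        if mask is None:
            return f"{shown} added to IP permit list."
        return f"{shown} with mask {mask} added to IP permit list."

    def enable(self) -> None:
        self.enabled = True

    def disable(self) -> None:
        self.enabled = False

    def permitted(self, src: str) -> bool:
        """Only the bits set in an entry's mask are compared with the source address."""
        if not self.enabled:
            return True
        s = to_int(src)
        return any((s & mask) == addr for addr, mask in self.entries)

    def check(self, src: str, service: str, now: float) -> bool:
        """Authorize one inbound Telnet or SNMP request; on denial, emit the IP-4
        syslog line at most once per NOTIFY_INTERVAL for that host."""
        if self.permitted(src):
            return True
        last = self.last_notified.get(src)
        if last is None or now - last >= NOTIFY_INTERVAL:
            self.last_notified[src] = now
            self.syslog.append(f"IP-4: Unauthorized {service.lower()} access attempt from {src}")
        return False


if __name__ == "__main__":
    plist = IpPermitList()
    print(plist.add("172.160.161.0", "255.255.192.0"))   # stored as 172.160.128.0
    print(plist.add("batboy"))
    plist.enable()
    print(plist.check("172.100.101.104", "Telnet", now=0.0))
    print(plist.syslog)
```

Because the mask is applied at store time, two operators entering 172.160.161.0 and 172.160.130.7 with the same /18 mask produce one entry, which is what keeps the 10-entry limit from filling with equivalent rows.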