
Network Security .......... 2
Techniques of Network Security .......... 3
  1. VLAN .......... 3
     1. Create 3 VLANs on the multilayer switch .......... 3
     2. Assign static IP addresses to the devices in the VLANs .......... 3
     3. Assign switch ports to the VLANs .......... 3
     4. Configure routing on the router and switches .......... 4
  2. Port security .......... 5
  3. Password security .......... 6
  4. Disable unused ports .......... 7
  5. Exec-timeout .......... 9
Network Security
Network security protects a network and its data from breaches, intrusions and other threats.
It is vital for protecting client data and information, keeping shared data secure, ensuring
reliable access and network performance, and defending against cyber threats.
We created the following network topology in Cisco Packet Tracer:

In this topology the two routers connect two different networks. First, we configure the
routers and switches with the following commands:

1. configure terminal

2. interface gigabitethernet <slot/port>

3. ip address <ip-address> <subnet-mask>

4. no shutdown

5. exit

On a multilayer switch, however, a Layer 3 port must first be turned from a switched port into
a routed port with the no switchport command (this is what the command is mainly used for);
only after issuing no switchport can an IP address be assigned to the interface.
1. configure terminal

2. interface gigabitethernet <slot/port>

3. no switchport

4. ip address <ip-address> <subnet-mask>

5. no shutdown

6. exit

Techniques of Network Security

1. VLAN
A VLAN is a logical network created from one or more local area networks; it lets a group of
devices spread across multiple physical networks be combined into one logical network. In a
secure VLAN design, each computer is connected to one switch access port and belongs to a
single VLAN, so it can only exchange traffic within that VLAN. Here, we created three VLANs,
VLAN 5, VLAN 10 and VLAN 20, on the multilayer switch and the access switches.
The next step was assigning switch ports to the VLANs. A switch port is either an access
port or a trunk port: we configure a trunk port to connect to another switch or a router,
and an access port to connect to an end device.

1. Create 3 VLANs on the Multilayer switch


We created the three VLANs on the switch and then assigned IP addresses to them (step 2):
➔ configure terminal
➔ vlan <number>
➔ exit
2. Assign static IP addresses to the devices which fall under VLANs.

Next, we decide which IP addresses to assign to the VLAN interfaces on the switch. For the
switch to route between the VLANs, each VLAN interface must be configured with an IP
address.
➔ interface vlan <number>
➔ ip address <ip-address> <subnet-mask>
➔ exit

3. Assign switch ports to the VLANs.

We configure switch interfaces as trunk and access ports to connect to our routers and
devices. The switches use a trunk port to carry the traffic of both VLANs towards the
router, which routes between them.

➔ interface FastEthernet <slot/port>
➔ switchport trunk encapsulation dot1q
➔ switchport mode trunk

For the end devices, configure access ports:

➔ interface FastEthernet <slot/port>
➔ switchport access vlan <number>
➔ switchport mode access

4. Configure routing on the router and switches


We configure the router and switches so that the two VLANs can communicate over a single
physical interface. Routing between the VLANs is necessary, so we enable it on the multilayer
switch with the ip routing command; once IP routing is enabled, the switch behaves like any
other IP router. We can then use either static routing or dynamic routing (OSPF, EIGRP)
with the following commands:

➔ router eigrp 1
➔ network <network-address> <wildcard-mask>
➔ no auto-summary

Finally, ping PC1 in the first VLAN from PC2 in the second VLAN to check connectivity.
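The four steps above, written out as one complete configuration for the multilayer switch, an access switch and the router. This is an added example and not the original report's Packet Tracer configuration; the device names (MLS1, SW1, R1), the interface numbers and the addressing (192.168.5.0/24 for VLAN 5, 192.168.10.0/24 for VLAN 10, 10.0.0.0/30 on the routed link to R1) are constructed for illustration.

```cisco
! ---- MLS1 (multilayer switch): VLANs, SVIs, trunk, routed port, EIGRP ----
configure terminal
 vlan 5
  name USERS-A
 vlan 10
  name USERS-B
 vlan 20
  name UNUSED
 exit
 ! step 4: turn the switch into an inter-VLAN router
 ip routing
 ! step 2: one Layer 3 interface per user VLAN (default gateway for the PCs)
 interface vlan 5
  ip address 192.168.5.1 255.255.255.0
  no shutdown
 interface vlan 10
  ip address 192.168.10.1 255.255.255.0
  no shutdown
 ! step 3: trunk towards the access switch, carrying only the user VLANs
 interface FastEthernet0/1
  description trunk to SW1
  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport trunk allowed vlan 5,10
 ! routed port towards R1 (no switchport, then an IP address)
 interface GigabitEthernet0/1
  description routed link to R1
  no switchport
  ip address 10.0.0.1 255.255.255.252
  no shutdown
 ! step 4: advertise the VLAN subnets and the link to R1
 router eigrp 1
  network 192.168.5.0 0.0.0.255
  network 192.168.10.0 0.0.0.255
  network 10.0.0.0 0.0.0.3
  no auto-summary
 end
!
! ---- SW1 (access switch): trunk uplink plus one access port per VLAN ----
configure terminal
 vlan 5
 vlan 10
 exit
 interface FastEthernet0/24
  description trunk to MLS1
  switchport mode trunk
 interface FastEthernet0/1
  description PC1 (VLAN 5)
  switchport mode access
  switchport access vlan 5
 interface FastEthernet0/2
  description PC2 (VLAN 10)
  switchport mode access
  switchport access vlan 10
 end
!
! ---- R1: the other end of the routed link, peering with MLS1 over EIGRP ----
configure terminal
 interface GigabitEthernet0/0
  ip address 10.0.0.2 255.255.255.252
  no shutdown
 router eigrp 1
  network 10.0.0.0 0.0.0.3
  no auto-summary
 end
```

After applying it, show ip route on MLS1 lists both VLAN subnets as connected (C) routes, and show ip route on R1 lists them as EIGRP (D) routes learned from MLS1; a ping from PC2 (192.168.10.0/24) to PC1 (192.168.5.0/24) then crosses from VLAN 10 to VLAN 5 through the SVIs on MLS1.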
2. Port security
Port security helps secure the network by preventing unknown devices from forwarding
packets through a switch port. With port security, an administrator can limit the number of
MAC addresses a port may learn, configure static MAC addresses, and choose the penalty
applied to the port when an unauthorized device uses it, using the protect, restrict or
shutdown violation modes. Port security works on access ports only, so a port must first be
configured as an access port before port security can be enabled on it.

In port security, we can either configure a static MAC address on the port or use the sticky
keyword, which makes the switch learn the MAC address of the connected device and add it to
the configuration, so we do not have to type the exact MAC address. Defining the maximum
number of MAC addresses allowed on the port and setting the penalty for an unauthorized
device are optional. The penalty is set with the switchport port-security violation
{protect | restrict | shutdown} interface subcommand. All three options discard traffic from
the unauthorized device. The restrict and shutdown options additionally send log messages
when a violation occurs, and shutdown mode also shuts down the port.

A security violation occurs if another host is connected to the same port. The show
port-security interface fa0/1 command displays the port's security settings and status,
including the violation count.
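Port security on two access ports, one using a sticky-learned address and one using a static address, as an added example that is not part of the original report. The interface numbers, VLAN assignments and the printer's MAC address (0000.1111.2222) are constructed for illustration.

```cisco
configure terminal
 ! Fa0/1: a user PC; the switch learns the first MAC it sees and saves it
 interface FastEthernet0/1
  description PC1 - one host allowed, learned dynamically
  switchport mode access
  switchport access vlan 5
  switchport port-security
  switchport port-security maximum 1
  switchport port-security mac-address sticky
  ! restrict: drop the offending frames, log and count them, port stays up
  switchport port-security violation restrict
 ! Fa0/2: a printer whose MAC address is known and never changes
 interface FastEthernet0/2
  description printer - fixed MAC address only
  switchport mode access
  switchport access vlan 10
  switchport port-security
  switchport port-security maximum 1
  switchport port-security mac-address 0000.1111.2222
  ! shutdown: any other MAC puts the port into err-disabled state
  switchport port-security violation shutdown
 end
!
! Verification: status, violation mode and the violation counter per port,
! then the secured (static and sticky) addresses the switch currently holds
show port-security interface FastEthernet0/1
show port-security interface FastEthernet0/2
show port-security address
```

The sticky address appears in the running configuration as switchport port-security mac-address sticky <mac>, so a copy running-config startup-config is needed to keep it across a reload. A port taken down by the shutdown violation mode stays err-disabled until an administrator issues shutdown followed by no shutdown on it.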
3. Password security
Password security and password protection are practices for establishing and verifying
identity and restricting access to devices, files and accounts. They help ensure that only those
who can provide the correct password in response to a prompt are given access.

For security, we can enable passwords, but Type 0 passwords are NOT encrypted or hashed:
they are stored in plaintext within the configuration file. It is therefore better to use Type 5
passwords, which are stored as hashes within the configuration file. We can also encrypt
existing passwords after applying them with the service password-encryption command, but
these are relatively weak and can be cracked easily.

The line console 0 command enters line configuration mode for the console port, through
which a switch or router is connected to a terminal. If the device has only one console port,
line console 0 is the only choice; if it has more, they are numbered 1, 2, 3, 4 and so on. You
can set a different password, or the same one, for each console port. We can even require all
user and enable passwords to be a minimum of _ characters in length.

Login Block is another feature that enhances the security of a router: it can be configured to
automatically block further login attempts when a possible DoS attack on the login process is
detected.
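The password controls described above combined in one configuration, as an added example that is not part of the original report. The minimum length (10), the lockout parameters (120 seconds after 3 failures within 60 seconds) and the angle-bracket placeholders are assumptions chosen for illustration; replace the placeholders with real passwords.

```cisco
configure terminal
 ! enforce a minimum length before any password is set (applies to
 ! user, enable and line passwords entered from now on)
 security passwords min-length 10
 ! privileged EXEC: "enable secret" stores a Type 5 hash; never use
 ! "enable password", which stores the password as Type 0 plaintext
 enable secret <strong-enable-password>
 ! console port: require a password before the EXEC prompt
 line console 0
  password <console-password>
  login
 ! remote management lines (telnet/SSH)
 line vty 0 4
  password <vty-password>
  login
 exit
 ! obfuscate the remaining line passwords in the config (Type 7);
 ! this is reversible, so it only stops shoulder-surfing, not cracking
 service password-encryption
 ! Login Block: after 3 failed logins within 60 s, refuse all further
 ! login attempts for 120 s
 login block-for 120 attempts 3 within 60
 end
!
! Verification: enable secret shows as "enable secret 5 ...", line
! passwords as "password 7 ..."; any "password 0" or "enable password"
! line left here is still plaintext
show running-config | include password|secret
show login
```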
4. Disable unused ports
Many administrators use a simple method to help secure the network from unauthorized
access: disable all unused ports on a switch. Cisco routers and switches start with a list of
active services and interfaces that may or may not be required in your network, such as the
switch ports 0/1 to 0/24. Unused interfaces left enabled invite unauthorized access to the
device and to the network. We can limit this attack by disabling the unused interfaces on all
routers and switches.
However, all ports belong to VLAN 1 by default, so an attacker who manages to enable a port
would land in the default VLAN. We therefore create a dedicated unused VLAN, move all of
those unused port interfaces into it, and shut them down.

In this way, an attacker could only reach the unused ports through VLAN 20, which remains
shut down.
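Parking the unused ports in VLAN 20 and shutting them down, as an added example that is not part of the original report. Which ports are unused (Fa0/10 to Fa0/24) and the trunk port (Fa0/24 on the uplink) are assumptions for illustration.

```cisco
configure terminal
 ! VLAN 20 exists only to hold unused ports; no devices and no SVI live in it
 vlan 20
  name UNUSED
 exit
 ! configure all unused ports in one go: access port, parked in VLAN 20,
 ! administratively down
 interface range FastEthernet0/10 - 23
  description UNUSED - parked in VLAN 20, shut down
  switchport mode access
  switchport access vlan 20
  shutdown
 ! keep the parking VLAN off the trunk so it cannot reach other switches
 interface FastEthernet0/24
  description trunk uplink
  switchport mode trunk
  switchport trunk allowed vlan remove 20
 end
!
! Verification: the parked ports show "disabled" with VLAN 20, and
! VLAN 20 lists only those ports
show interfaces status
show vlan brief
```

When a parked port is later needed, it is brought into service deliberately with switchport access vlan <number> and no shutdown, which keeps every active port an explicit decision rather than a default.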
5. Exec-timeout
The devices cannot know that you have stepped away and cannot tell that someone else is now
using your session on a Cisco device. This is a critical security risk and is open to exploitation.
By default, an IOS device disconnects a console or VTY user after 10 minutes of inactivity.
We can specify a different inactivity timer using the exec-timeout MINUTES SECONDS
line-mode command.
The Cisco exec-timeout command sets the time after which an idle EXEC session is
disconnected. We specify it as the number of minutes and seconds an inactive EXEC session
may remain open before it times out. The session is closed if there is no user input within that
time. The command is entered in line configuration mode.
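Setting the inactivity timer on the console and VTY lines, as an added example that is not part of the original report. The chosen values (5 minutes on the console, 3 minutes 30 seconds on the VTY lines) are assumptions for illustration.

```cisco
configure terminal
 line console 0
  ! disconnect an idle console session after 5 minutes 0 seconds
  exec-timeout 5 0
 line vty 0 4
  ! remote sessions are exposed to more people, so time them out sooner:
  ! 3 minutes 30 seconds
  exec-timeout 3 30
 end
!
! Verification: "show line" lists the timeout per line; "show users"
! shows each active session and how long it has been idle
show line
show users
```

Note that exec-timeout 0 0 disables the timer entirely, so a session stays open indefinitely; it is useful for a lab console but should not be left on a production device.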
