Section 5
Security Fundamentals
What is security?
Security is the set of techniques that allow a network administrator to protect network
resources from unwanted or unauthorized access.
Confidentiality
Security maintains data integrity, that is, when data is sent from one point to another,
no one can add or remove any of it (data changed by an unauthorized person), etc.
Password Length Configuration:
Minimum password length: Sets the minimum length of the password (LAB)
Router>enable
Router#configure terminal
Router(config)#security passwords min-length 8
Router(config)#enable password 456
% Password too short - must be at least 8 characters. Password not configured.
Describe remote access and site-to-site VPNs (Virtual Private Network):
A VPN helps to establish a secure connection over an insecure network, such as the internet.
It is a great alternative to a private WAN connection, since internet access is cheaper and is
available everywhere.
A VPN creates tunnels that allow users or systems to connect securely.
A VPN uses network security protocols such as IPSec to provide privacy and data integrity.
A VPN provides the following features:
Confidentiality: Preventing anyone from reading our data, by means of encryption
Authentication: Verifying that the router, firewall or remote user sending the VPN
traffic is authorized
Integrity: Verifying that the VPN packet was not changed in any way during transit
Anti-replay: Preventing someone from capturing traffic and resending it
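The anti-replay feature above is normally implemented with a sliding window over the ESP sequence number, so that a packet is accepted once and only once. The following is an added illustration in Python (not from these notes or from any Cisco code); the window size and the sequence numbers fed in are constructed:

```python
# IPsec ESP-style anti-replay sliding window (the scheme in RFC 4303), added here as
# an illustration; the sequence numbers fed in are constructed, not from the notes.
WINDOW_SIZE = 64  # RFC 4303 requires a window of at least 32; 64 is common


class AntiReplayWindow:
    """Track received ESP sequence numbers and reject replays or stale packets.

    The window must only be updated for packets whose integrity check passed,
    otherwise a forged packet could advance it and cause genuine ones to be dropped.
    """

    def __init__(self, size: int = WINDOW_SIZE) -> None:
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) already received

    def check(self, seq: int) -> bool:
        """True if seq is new and not older than the window allows."""
        if seq == 0:
            return False                      # 0 is never a valid ESP sequence number
        if seq > self.top:
            return True                       # newer than anything seen: accept
        offset = self.top - seq
        if offset >= self.size:
            return False                      # older than the window: stale, drop
        return not (self.bitmap >> offset) & 1    # set bit means replay

    def accept(self, seq: int) -> bool:
        """Verify seq with check() and, if accepted, record it in the window."""
        if not self.check(seq):
            return False
        if seq > self.top:
            shift = seq - self.top
            # slide right; bits shifted beyond the window are forgotten
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)
        return True


def replay_demo() -> list:
    """Run a constructed packet stream through the window: in-order packets,
    one late (reordered) packet, one replayed packet, one stale packet."""
    w = AntiReplayWindow()
    stream = [1, 2, 4, 5, 3, 5, 70, 1, 69]
    return [(s, w.accept(s)) for s in stream]
```

Packet 3 arrives late but inside the window and is accepted; the second copy of 5 is a replay and is dropped; after 70 arrives, 1 has fallen out of the window and is dropped as stale.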
Common VPN types are:
Site to Site VPN
Remote user VPN (Client to site)
Site to Site VPN:
In a site-to-site VPN we have a network device at each site, and between these network
devices we can build a VPN tunnel.
Each end of the VPN tunnel encrypts the original IP packet and sends it to the other end of
the tunnel.
Remote user VPN:
It is also known as a client-to-site VPN.
Here the user installs a VPN client on their computer, and a VPN tunnel is established between
the user's device and the remote network device.
VPN Protocols:
Some commonly used VPN protocols are given below:
IPSec (Internet Protocol Security): A framework that provides security at layer three of
the OSI model
L2TP (Layer 2 Tunneling Protocol): A VPN protocol that tunnels layer two traffic; it does not offer
any encryption, so it should be used together with IPSec
SSL (Secure Sockets Layer): Uses SSL (HTTPS) to create a secure connection with the web
browser
PPTP (Point to Point Tunneling Protocol): An old VPN protocol that uses PPP and GRE; it is
insecure and should not be used any more.
Advantages of VPNs:
Cost saving
Security
Confidentiality
Better performance
Flexible and reliable
TFTP Server
A TFTP server is used for simple file transfer (typically for boot-loading remote devices). Trivial
File Transfer Protocol (TFTP) is a simple protocol for exchanging files between two TCP/IP
machines. TFTP servers accept connections from a TFTP client for sending and receiving files.
Router#copy running-config tftp:
Router#copy flash: tftp:
Router#copy tftp: running-config
NTP Overview
NTP stands for Network Time Protocol
By default, networking devices rely on their own internal clock to read and keep the time.
If devices that are connected to each other have different time settings, applications or
services that depend on time for their functionality will not work or will deliver unexpected
results.
NTP is a dedicated protocol for time synchronization. It allows us to use a centralized
time source for all our network devices.
NTP Client configuration commands:
Router(config)#ntp server 193.168.1.2
Router# show ntp associations
Router# show clock
Syslog features including facilities and levels
Router logs are very important for network administrators: logs can be used for fault
notification, network forensics and security auditing.
Cisco routers can handle log messages in five different ways:
Console logging: By default the router sends all log messages to its console port. Hence only the
users that are physically connected to the console port can view these messages.
Terminal logging: It is similar to console logging, but it displays log messages on the router's
VTY lines instead.
Buffered logging: This type of logging uses the router's RAM for storing log messages. The buffer has a
fixed size to ensure that the log does not consume valuable system memory. The router accomplishes this by
deleting old messages from the buffer as new messages arrive.
Syslog server logging: The router can use syslog to forward log messages to external syslog
servers for storage. This type of logging is not enabled by default.
SNMP trap logging: The router is able to use SNMP traps to send log messages to an external
SNMP server.
Syslog configuration commands:
Router(config)#logging host 192.168.1.2
Router(config)#logging buffered 7000
Router(config)#service timestamps log datetime msec
Router(config)#no logging console
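Every message a router logs carries a facility, a severity level (0 emergencies through 7 debugging) and a mnemonic, and that is what a syslog server filters on. The following added example (not from these notes or from any Cisco tool) parses constructed IOS-style log lines of the form a syslog server would receive after the commands above, and picks out the messages at warning level or worse together with repeated failed logins per source address:

```python
import re
from collections import Counter

# Constructed IOS-style syslog lines (not from a real device). With "service timestamps
# log datetime msec" the layout is: <timestamp>: %<FACILITY>-<SEVERITY>-<MNEMONIC>: <text>
SAMPLE_LOG = """\
*Mar  1 00:02:15.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.50)
*Mar  1 00:02:40.871: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
*Mar  1 00:05:12.004: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.9] [localport: 23] [Reason: Login Authentication Failed]
*Mar  1 00:05:13.210: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.0.0.9] [localport: 23] [Reason: Login Authentication Failed]
*Mar  1 00:06:00.000: %SYS-0-RESTART: System restarted
"""

# The eight syslog severity levels; "logging trap <level>" forwards this level and more severe ones
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

LINE_RE = re.compile(
    r"^(?P<ts>\*?\w{3}\s+\d+\s+\d\d:\d\d:\d\d(?:\.\d{3})?):\s+"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s+"
    r"(?P<msg>.*)$")


def parse_line(line: str):
    """Split one IOS syslog line into timestamp, facility, severity, mnemonic and text."""
    m = LINE_RE.match(line)
    if not m:
        return None   # not a %FACILITY-SEVERITY-MNEMONIC message (e.g. a banner line)
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    rec["severity_name"] = SEVERITY_NAMES[rec["severity"]]
    return rec


def triage(log: str, max_level: int = 4):
    """Return (messages at max_level or more severe, failed-login count per source IP);
    lower severity numbers are more severe, so the default keeps warnings and worse."""
    alerts, failed_by_source = [], Counter()
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["severity"] <= max_level:
            alerts.append((rec["facility"], rec["severity_name"], rec["mnemonic"]))
        if rec["mnemonic"] == "LOGIN_FAILED":
            src = re.search(r"\[Source: ([^\]]+)\]", rec["msg"])
            if src:
                failed_by_source[src.group(1)] += 1
    return alerts, failed_by_source
```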
Role of DNS and DHCP server in networking
The main function of DNS is to translate domain names into IP addresses, which computers can
understand. It also provides the list of mail servers that accept email for each domain name.
A DHCP server is a network server that automatically provides and assigns IP addresses, default
gateways and other network parameters to client devices. It relies on the standard protocol known as
Dynamic Host Configuration Protocol (DHCP) to respond to broadcast queries from clients.
DHCP Snooping:
DHCP snooping is a technique in which we configure a switch to listen in on DHCP traffic and stop
any malicious DHCP packets.
Commands for DHCP snooping:
ip dhcp snooping
ip dhcp snooping vlan 1
no ip dhcp snooping information option
interface fastethernet 0/0
ip dhcp snooping trust
To check:
show ip dhcp snooping
show ip dhcp snooping binding
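The following added example (constructed, not Cisco code) models the decision a switch makes once the commands above are in place: server messages are accepted only on the trusted port, client requests arriving on untrusted ports must carry a source MAC that matches the DHCP client address, and the binding table shown by "show ip dhcp snooping binding" is learned from the real server's ACK. Port names and addresses are constructed:

```python
from dataclasses import dataclass, field

SERVER_TYPES = {"OFFER", "ACK", "NAK"}  # message types only a DHCP server sends


@dataclass
class Pkt:
    port: str          # switch port the frame arrived on
    src_mac: str       # Ethernet source MAC
    chaddr: str        # client hardware address carried inside the DHCP payload
    msg_type: str      # DHCP message type (option 53)
    yiaddr: str = ""   # address offered/assigned; present in server messages only


@dataclass
class SnoopingSwitch:
    """Toy model of a DHCP snooping switch (constructed illustration, not Cisco code).
    Ports in 'trusted' are those configured with 'ip dhcp snooping trust'."""
    trusted: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)    # chaddr -> untrusted port it asked from
    bindings: dict = field(default_factory=dict)   # chaddr -> (leased ip, client port)

    def process(self, p: Pkt) -> str:
        """Return 'forward', or a string naming the reason the packet is dropped."""
        if p.port in self.trusted:
            if p.msg_type == "ACK" and p.chaddr in self.pending:
                # the legitimate server confirmed a lease: record it in the binding table
                self.bindings[p.chaddr] = (p.yiaddr, self.pending.pop(p.chaddr))
            return "forward"
        if p.msg_type in SERVER_TYPES:
            return "drop: server message on untrusted port"     # rogue DHCP server
        if p.src_mac != p.chaddr:
            return "drop: source MAC does not match chaddr"    # spoofed client request
        self.pending[p.chaddr] = p.port   # genuine client request, remember its port
        return "forward"


def demo():
    """Constructed exchange: a real lease via the trusted uplink Fa0/1, then a rogue
    server and a spoofed client on untrusted access ports."""
    sw = SnoopingSwitch(trusted={"Fa0/1"})
    srv, c1 = "00:11:22:33:44:55", "aa:aa:aa:aa:aa:01"
    stream = [Pkt("Fa0/5", c1, c1, "DISCOVER"),
              Pkt("Fa0/1", srv, c1, "OFFER", "10.1.1.50"),
              Pkt("Fa0/5", c1, c1, "REQUEST"),
              Pkt("Fa0/1", srv, c1, "ACK", "10.1.1.50"),
              Pkt("Fa0/7", "de:ad:be:ef:00:01", c1, "OFFER", "10.1.1.200"),
              Pkt("Fa0/7", "de:ad:be:ef:00:01", "aa:aa:aa:aa:aa:99", "DISCOVER")]
    return [sw.process(p) for p in stream], sw.bindings
```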
Differentiate authentication, authorization and accounting concepts
Authentication: Verifies the identity of the user (who are you?).
Authorization: Determines what the user is allowed to do, for example which resources they can access (how
much you can spend).
Accounting: Keeps a record of everything done by that user, for example for billing
and auditing (what did you spend it on?).
AAA stands for Authentication, Authorization and Accounting
It is the centralized management of users who access the network devices.
An AAA server allows setting up access control on Cisco routers and switches.
For example, if we have 300 switches and 10 routers in our organization, it is very
difficult to create every user on all of those devices and delete them when they leave the organization, etc.
It also takes a lot of device memory. To overcome these issues we use an
AAA server.
The AAA server also controls connections passing through the router or switch to access the network.
Whenever a user tries to connect to a router or switch, the network device verifies the user with the
AAA server (AAA database).
User management is done on the AAA server without the need to reconfigure each individual
router or switch.
When a new user arrives we need to configure them only on the AAA server; there is no need to add that
user on the router or switch.
AAA servers use two main protocols for this:
1. RADIUS (Remote Authentication Dial-In User Service)
It is an open standard
It uses UDP, with port numbers 1812/1645 and 1813/1646
It encrypts the password only
It is a lightweight protocol (consumes fewer resources)
2. TACACS+ (Terminal Access Controller Access-Control System Plus)
It is a Cisco proprietary protocol
It uses TCP, port number 49
It encrypts the entire communication
It is a heavyweight protocol, consuming more resources
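To make the "encrypts the password only" point concrete, the following added example (not part of these notes or of any RADIUS implementation) performs the User-Password hiding from RFC 2865 section 5.2 that a RADIUS client applies before an Access-Request leaves the device, and builds the attribute bytes to show that User-Name travels in clear text. The shared secret and authenticator values are constructed:

```python
import hashlib
import os
import struct


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: pad to a multiple of 16 bytes, then XOR each
    16-byte chunk with MD5(secret + previous cipher chunk), seeded by the authenticator."""
    assert len(authenticator) == 16
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse transform, as done by the RADIUS server; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def access_request_attrs(secret: bytes, username: bytes, password: bytes,
                         authenticator: bytes = None) -> tuple:
    """Build the attribute field of a constructed Access-Request: User-Name (type 1)
    in clear text and User-Password (type 2) hidden. Returns (authenticator, attrs)."""
    authenticator = authenticator or os.urandom(16)   # 16 fresh random bytes per request
    hidden = hide_password(secret, authenticator, password)
    attrs = (struct.pack("BB", 1, 2 + len(username)) + username
             + struct.pack("BB", 2, 2 + len(hidden)) + hidden)
    return authenticator, attrs
```

Only the User-Password attribute is transformed, and the transform is an MD5 keystream keyed by the shared secret; the user name and every other attribute are readable by anyone on the path, which is the contrast with TACACS+ encrypting the whole packet body.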
AAA Configuration:
1. Configure the TACACS+ server and create TACACS+ user credentials
2. Enable the AAA model on the router
New-Router(config)#aaa new-model
3. Create a local user; this user can be used when the TACACS+ server is down
New-Router(config)#username admin privilege 15 secret 123
4. Enable AAA login authentication via TACACS+, falling back to local authentication
New-Router(config)#aaa authentication login default group tacacs+ local
5. Enable AAA enable-mode authentication via TACACS+, falling back to local authentication
New-Router(config)#aaa authentication enable default group tacacs+ local
6. Connect to the TACACS+ server
New-Router(config)#tacacs-server host 201.168.1.4 key cisco123
7. Verify the TACACS+ user
8. Take the TACACS+ server down and verify the local user
9. Activate Telnet on the router and verify the TACACS+ user
New-Router(config)#line vty 0 4
New-Router(config-line)#login authentication default