Chapter 5: Network Security and Network Monitoring

ITP4111 Open Standards Networking

© VTC 2013 ILO 5


Packet Filtering


ACL Overview

• An ACL (access control list) is an ordered set of rules used primarily to identify (classify) traffic flows.
• ACLs are widely used in applications including:
  – Packet filtering firewall
  – Network Address Translation (NAT)
  – Data classification in Quality of Service (QoS)
  – Routing policy and route filtering
  – Dial on Demand (ISDN)


ACL-Based Packet Filtering
• Inbound and outbound packets are filtered one by one to decide whether each packet is dropped or permitted.
• An ACL is applied in the inbound and/or outbound direction of an interface.
• When an interface receives or sends a packet, the inbound or outbound ACL applied on that interface filters the packet.

Figure: Interface -> inbound filtering -> route forwarding process -> outbound filtering -> Interface (and the same in the reverse direction). Inbound filtering happens before the forwarding decision; outbound filtering happens after it, as the packet leaves the egress interface.


Wildcard Mask
• An IP address and a wildcard mask together determine an address range.
• A wildcard mask is similar to a subnet mask in format, but different in meaning:
  – A 0 bit in the wildcard mask means that the corresponding bit in the IP address must match exactly.
  – A 1 bit in the wildcard mask means that the corresponding bit does not have to match and is ignored.
• The 1 bits of a wildcard mask need not be contiguous, so a wildcard can express ranges a subnet mask cannot (0.0.255.0, for example, ignores only the third octet). A wildcard of 0 (0.0.0.0) matches a single host; 255.255.255.255 (any) matches every address.

Wildcard Mask     Meaning
0.0.0.255         Match the first 24 bits of the address
0.0.3.255         Match the first 22 bits of the address
0.255.255.255     Match the first 8 bits of the address


ACL Identification
• An ACL is identified by an ACL number; the number range determines the ACL type:

Type                        ACL Number
Basic ACL                   2000 ~ 2999
Advanced ACL                3000 ~ 3999
Ethernet frame header ACL   4000 ~ 4999
User-defined ACL            5000 ~ 5999

• You can also specify a name for an ACL to facilitate maintenance.


Basic ACL
• A basic ACL defines filtering criteria based on the source IP address only.

Figure: the ACL on the router denies packets from 1.1.1.0/24 and permits packets from 2.2.2.0/28. A packet with DA=3.3.3.3, SA=1.1.1.1 is dropped at the interface; a packet with DA=3.3.3.3, SA=2.2.2.1 is forwarded.


Advanced ACL
• An advanced ACL matches packets based on source IP address, destination IP address, the protocol carried over IP, and other Layer 3 and Layer 4 header information (for example port numbers and TCP flags).

Figure: packets from 1.1.1.0/24 to 3.3.3.1 with TCP destination port 80 cannot pass; packets from 1.1.1.0/24 to 2.2.2.1 with TCP destination port 23 can pass. A packet with DA=3.3.3.1, SA=1.1.1.1, TCP DP=80, SP=2032 is dropped; a packet with DA=2.2.2.1, SA=1.1.1.1, TCP DP=23, SP=3176 is forwarded.


Ethernet Frame Header ACL and User-defined ACL

• An Ethernet frame header ACL matches packets based on Layer 2 header fields such as source MAC address, destination MAC address, 802.1p priority (VLAN priority), and link layer protocol type.
• A user-defined ACL lets you specify the byte string to match and the field (offset) at which to match it, so IP packets can be matched flexibly.


ACL Packet Filtering Configuration Tasks

1. Enable the packet filtering firewall function and set the default filtering action of the firewall
2. Select the proper ACL type
3. Create the ACL rules
   – Specify the match criteria
   – Set the filtering action (permit/deny)
4. Apply the ACL to an interface of the router and specify the filtering direction (inbound/outbound)


Enabling Packet Filtering Firewall
[sysname] firewall enable
• Enables the firewall function on the router

[sysname] firewall default { permit | deny }
• Specifies the default filtering action of the firewall, i.e. what happens to a packet that matches no rule of the applied ACL
  – By default, the default filtering action of the firewall is permit. On a security boundary, set it to deny and permit only the traffic that is needed.


Configuring a Basic ACL

• Configure a basic ACL and specify the ACL number
  – The ACL number of a basic ACL ranges from 2000 to 2999.
[sysname] acl number acl-number
• Create a rule
  – Specify the source IP address range to match
  – Specify the filtering action as permit or deny
[sysname-acl-basic-2000] rule [ rule-id ] { deny | permit } [ fragment | logging | source { sour-addr sour-wildcard | any } | time-range time-name ]


Applying an ACL to an Interface

• ACL-based packet filtering takes effect on an interface only after the ACL has been applied to that interface.
• Specify the filtering direction on the interface: inbound and/or outbound.
[sysname-Serial2/0] firewall packet-filter { acl-number | name acl-name } { inbound | outbound }


Basic ACL Deployment Example
• It is required to forbid PC A to access Network A and Network B but allow it to access other networks.

Figure: Network A (192.168.0.0/24) and Network B (192.168.1.0/24) are attached to RTA, Network C (192.168.2.0/24) to RTB and Network D (192.168.3.0/24) to RTC. RTA E0/1 faces RTB; RTC E0/0 faces PC A (172.16.0.1).

[RTA] firewall enable
[RTA] acl number 2000
[RTA-acl-basic-2000] rule deny source 172.16.0.1 0
[RTA-acl-basic-2000] quit
[RTA] interface Ethernet 0/1
[RTA-Ethernet0/1] firewall packet-filter 2000 inbound
Configuring an Advanced ACL
• Configure an advanced ACL and specify the ACL number
  – The ACL number of an advanced ACL ranges from 3000 to 3999.
[sysname] acl number acl-number
• Create a rule
  – Specify the source IP address, destination IP address, protocol carried by IP, and port numbers to match
  – Specify the filtering action as permit or deny
[sysname-acl-adv-3000] rule [ rule-id ] { deny | permit } protocol [ destination { dest-addr dest-wildcard | any } | destination-port operator port1 [ port2 ] | established | fragment | source { sour-addr sour-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-name ]
Advanced ACL Deployment Example
• It is required to forbid PC A to access Network A and Network B but allow it to access other networks.

Figure: same topology as the basic ACL example; PC A (172.16.0.1) is attached to RTC E0/0.

[RTC] firewall enable
[RTC] acl number 3000
[RTC-acl-adv-3000] rule deny ip source 172.16.0.1 0 destination 192.168.0.0 0.0.1.255
[RTC-acl-adv-3000] quit
[RTC] interface Ethernet0/0
[RTC-Ethernet0/0] firewall packet-filter 3000 inbound

The wildcard 0.0.1.255 covers 192.168.0.0/23, i.e. both Network A (192.168.0.0/24) and Network B (192.168.1.0/24) in a single rule.
Displaying and Debugging ACL Packet Filtering

To do                                                   Command
Display statistical information about the firewall      display firewall-statistics { all | interface interface-type interface-number }
Display filtering information about Ethernet frames     display firewall ethernet-frame-filter { all | dlsw | interface interface-type interface-number }
Clear the firewall statistics                           reset firewall-statistics { all | interface interface-type interface-number }
Display information about one or all IPv4 ACLs          display acl { acl-number | all }
Clear ACL statistics                                    reset acl counter { acl-number | all }


Match Order of ACL Rules
• The match order determines the priority of the rules in an ACL, i.e. which rule is tried first.
• Two match orders are available for ACLs:
  – config: rules are matched in ascending order of rule ID, so the rule with the smaller ID has the higher priority.
  – auto: rules are matched in depth-first order, i.e. the rule with the smallest (most specific) IP address range is tried before the others.
• Configure the ACL rule match order when creating the ACL:
[sysname] acl number acl-number [ match-order { auto | config } ]
Different Rule Orders Result in Different Results

acl number 2000 match-order config
 rule permit source 1.1.1.0 0.0.0.255
 rule deny source 1.1.1.1 0
A packet with DA=3.3.3.3, SA=1.1.1.1 is permitted: the permit rule has the smaller rule ID, is matched first, and the deny rule is never reached.

acl number 2000 match-order auto
 rule permit source 1.1.1.0 0.0.0.255
 rule deny source 1.1.1.1 0
The same packet is dropped: the deny rule covers a single host, the smallest address range, so it is matched first.

The "deny one host, permit the rest of the subnet" pattern therefore only works as intended under auto order, or under config order if the deny rule is given the smaller rule ID.
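The following Python model is an added example, not part of the original training material and not Comware code. It puts the wildcard-mask rule, basic and advanced ACL matching, the config/auto match orders and the firewall default action into one runnable filter and replays the advanced ACL case (slide 8), the two match-order cases above (slide 20) and the advanced deployment example (rule deny ip source 172.16.0.1 0 destination 192.168.0.0 0.0.1.255). The "auto" order implements the simplified "smallest address range first" rule described above, not the full Comware depth-first algorithm, and the basic/advanced range check is the numbering from the ACL identification table.

```python
"""Model of ACL packet filtering as described in these slides (added example, not Comware code).

Wildcard masks: a 0 bit must match, a 1 bit is ignored.  Basic rules look at the source address
only; advanced rules add destination, protocol and destination port.  Match order 'config' tries
rules in ascending rule-ID order; 'auto' tries the rule with the smallest address range first
(the simplified depth-first rule of the slides).  Unmatched packets get the firewall default.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


def to_int(addr: str) -> int:
    # The slides write a host wildcard as a bare "0"; treat it as 0.0.0.0.
    return int(IPv4Address("0.0.0.0" if addr == "0" else addr))


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """True if addr agrees with rule_addr on every bit that is 0 in the wildcard mask."""
    fixed = ~to_int(wildcard) & 0xFFFFFFFF
    return to_int(addr) & fixed == to_int(rule_addr) & fixed


def fixed_bits(wildcard: str) -> int:
    """Number of bits that must match; 0.0.3.255 -> 22 (the 'first 22 bits' of the slide table)."""
    return 32 - bin(to_int(wildcard)).count("1")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"        # "ip", "tcp", "udp", "icmp"
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str              # "permit" or "deny"
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"    # "any"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    proto: str = "ip"        # "ip" matches every protocol carried over IP
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (wildcard_match(pkt.src, self.src, self.src_wc)
                and wildcard_match(pkt.dst, self.dst, self.dst_wc)
                and (self.proto == "ip" or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))

    def specificity(self) -> int:
        # More fixed bits means a smaller address range, i.e. higher priority under 'auto'.
        return fixed_bits(self.src_wc) + fixed_bits(self.dst_wc)


class Acl:
    def __init__(self, number: int, match_order: str = "config", rules=()):
        if not 2000 <= number <= 3999:
            raise ValueError("basic ACLs are 2000-2999, advanced ACLs are 3000-3999")
        if number < 3000 and any(r.dst_wc != "255.255.255.255" or r.proto != "ip"
                                 or r.dport is not None for r in rules):
            raise ValueError("a basic ACL may only match on the source address")
        self.number, self.match_order, self.rules = number, match_order, list(rules)

    def ordered_rules(self):
        if self.match_order == "auto":
            return sorted(self.rules, key=lambda r: (-r.specificity(), r.rule_id))
        return sorted(self.rules, key=lambda r: r.rule_id)

    def evaluate(self, pkt: Packet):
        """Return (action, rule_id) of the first matching rule, or (None, None) if none matches."""
        for rule in self.ordered_rules():
            if rule.matches(pkt):
                return rule.action, rule.rule_id
        return None, None


def packet_filter(acl: Acl, pkt: Packet, default: str = "permit") -> str:
    """'firewall packet-filter' on an interface: unmatched packets get the 'firewall default'."""
    action, _ = acl.evaluate(pkt)
    return action or default


# Slide 20: the same two rules under the two match orders.
SLIDE20_RULES = (Rule(0, "permit", "1.1.1.0", "0.0.0.255"),
                 Rule(1, "deny", "1.1.1.1", "0"))
ACL_CONFIG_ORDER = Acl(2000, "config", SLIDE20_RULES)
ACL_AUTO_ORDER = Acl(2000, "auto", SLIDE20_RULES)

# Slide 8: deny HTTP from 1.1.1.0/24 to 3.3.3.1, permit telnet from 1.1.1.0/24 to 2.2.2.1.
ACL_3000 = Acl(3000, "config", (
    Rule(0, "deny", "1.1.1.0", "0.0.0.255", "3.3.3.1", "0", "tcp", 80),
    Rule(1, "permit", "1.1.1.0", "0.0.0.255", "2.2.2.1", "0", "tcp", 23),
))

if __name__ == "__main__":
    pkt = Packet("1.1.1.1", "3.3.3.3")
    print("config order:", ACL_CONFIG_ORDER.evaluate(pkt))   # ('permit', 0)
    print("auto order:  ", ACL_AUTO_ORDER.evaluate(pkt))     # ('deny', 1)
```

Note that `packet_filter` takes the default action as a parameter: the same ACL gives different results for unmatched traffic depending on `firewall default`, which is worth checking explicitly when reviewing a device configuration.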


Configuring ACL Packet Filtering at a Proper Position

• Apply an ACL as near to the source of the traffic as possible, so that traffic which will be dropped anyway is not forwarded across the network.
• Advanced ACL
  – Because an advanced ACL can match on the destination, it can be deployed on the interface nearest the source (RTC E0/0 in the example above) and still stop only the unwanted traffic.
• Basic ACL
  – A basic ACL matches on the source address only, so deploying it too near the source would also block the source's legitimate access to other networks.
  – Deploy a basic ACL as near to the source as possible while still not affecting the source's legitimate access; in the example above this is RTA E0/1, where only traffic heading for Network A and Network B passes.


Limitation of ACL Packet Filtering

• An ACL-based packet filtering firewall filters packets according to the Layer 2, 3 and 4 header information in the packet. It cannot inspect application layer information, so:
  – It cannot permit or deny a user's packets by username.
  – It cannot authorize users.
• An ACL-based packet filtering firewall is a static (stateless) firewall: it does not track sessions, and it cannot follow application layer protocols that negotiate ports dynamically (FTP, for example).


Network Address Translation (NAT)

Internet Addresses
• Public addresses
• Private addresses


Public Internet Addresses

commons.wikimedia.org/wiki/File:Regional_Internet_Registries_world_map.svg

The number of public Internet addresses is limited, and their allocation is regulated by five Regional Internet Registries.


Private Internet Addresses

• Any organization can use private addresses freely, without registration.
• Packets with private source or destination addresses cannot be routed on the Internet unless they receive special treatment.
• A NAT (Network Address Translation) device therefore needs to be deployed at the egress to allow users with private addresses to access the Internet.

Figure: Company A, Company B and Company C each use 10.0.0.0/8 internally; each connects to the Internet through its own NAT device, so the overlapping private ranges never appear on the Internet.

RFC 1918 private address ranges:
10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
192.168.0.0 - 192.168.255.255 (192.168.0.0/16)
NAT Application

Figure: HostA (10.0.0.1) and HostB (10.0.0.2) sit on the private network behind the NAT device, whose inside interface is 10.0.0.254/24 and whose outside interface is 198.76.28.1/24. The NAT device owns the public address pool 198.76.28.11 ~ 198.76.28.20 and reaches the Server (198.76.29.4/24) across the Internet.


Basic NAT

Figure (same topology; RTA is the NAT device with address pool 198.76.28.11 ~ 20):
1. HostA sends a packet with S=10.0.0.1, D=198.76.29.4.
2. RTA creates a NAT table entry mapping the inside address to a free global address from the pool:
   Inside Address   Global Address
   10.0.0.1         198.76.28.11
   10.0.0.2         198.76.28.12
3. The packet is forwarded with S=198.76.28.11, D=198.76.29.4.
4. The Server replies with S=198.76.29.4, D=198.76.28.11.
5. RTA looks up 198.76.28.11 in the NAT table.
6. The reply is delivered to HostA with S=198.76.29.4, D=10.0.0.1.


Basic NAT Configuration Example

Figure: HostA 10.0.0.1 and HostB 10.0.0.2 behind RTA (inside 10.0.0.254/24, outside Eth0/1 198.76.28.1/24, address pool 198.76.28.11 ~ 20); Server 198.76.29.4/24 on the Internet.

1. Define a rule to permit packets sourced from 10.0.0.0/24
[RTA] acl number 2000
[RTA-acl-basic-2000] rule 0 permit source 10.0.0.0 0.0.0.255

2. Create a NAT address pool with IP addresses from 198.76.28.11 to 198.76.28.20
[RTA] nat address-group 1 198.76.28.11 198.76.28.20

3. Associate the address pool with ACL 2000 and enable NAT in the outbound direction of the interface
[RTA] interface Ethernet0/1
[RTA-Ethernet0/1] nat outbound 2000 address-group 1 no-pat


Configuring Basic NAT
1. Define an ACL
   – to match the packets to be translated
   – Packets permitted by the ACL are translated; packets denied by the ACL are not translated.

2. Create an address pool
nat address-group group-number start-addr end-addr

3. Configure NAT on the outbound interface
nat outbound acl-number address-group group-number no-pat
   – The no-pat keyword selects one-to-one address translation (Basic NAT); without it the same command configures NAPT.


Basic NAT Configuration Question

Figure: HostA 192.168.1.11 and HostB 192.168.1.21 behind RTA (inside 192.168.1.254/24, outside Serial 0/3/0 198.76.28.1/24, address pool 198.76.28.5 ~ 14); Server 198.76.29.4/24 on the Internet. Complete the configuration:

[RTA] acl number ____
[RTA-acl-basic-2000] rule 0 permit source ____ ____
[RTA] nat address-group ____ ____ ____
[RTA] interface ____
[RTA-Serial0/3/0] nat outbound ____ address-group ____ no-pat


Limitation of Basic NAT

• Basic NAT maps ONE internal address to ONE external address: a public address is assigned to one inside host at a time, and once the pool is exhausted further hosts cannot be translated.
• It therefore does not save public addresses.
• Network Address Port Translation (NAPT) translates both the IP address and the transport port, so many inside hosts can share one public address and the utilization of public IP addresses improves.


Network Address Port Translation (NAPT)

Figure (same topology; address pool 198.76.28.11 ~ 20):
1. HostA sends a packet with S=10.0.0.1 P=1024, D=198.76.29.4 P=80.
2. RTA creates a NAT table entry mapping inside address and port to a global address and port:
   Inside Address:Port   Global Address:Port
   10.0.0.1:1024         198.76.28.11:2001
   10.0.0.2:1024         198.76.28.11:3001
3. The packet is forwarded with S=198.76.28.11 P=2001, D=198.76.29.4 P=80.
4. The Server replies with S=198.76.29.4 P=80, D=198.76.28.11 P=2001.
5. RTA looks up 198.76.28.11:2001 in the NAT table; the port distinguishes HostA from HostB, which shares the same global address.
6. The reply is delivered with S=198.76.29.4 P=80, D=10.0.0.1 P=1024.


NAPT Configuration Example

Figure: HostA 10.0.0.1 and HostB 10.0.0.2 behind RTA (inside 10.0.0.254/24, outside Eth0/1 198.76.28.1/24, address pool containing 198.76.28.11 only); Server 198.76.29.4/24 on the Internet.

1. Define a rule to permit packets sourced from 10.0.0.0/24.
[RTA] acl number 2000
[RTA-acl-basic-2000] rule 0 permit source 10.0.0.0 0.0.0.255

2. Configure a NAT address pool containing the IP address 198.76.28.11 only (start and end address are the same).
[RTA] nat address-group 1 198.76.28.11 198.76.28.11

3. Associate the address pool with ACL 2000 and enable NAT in the outbound direction of the interface. The no-pat keyword is omitted, which selects NAPT; with no-pat this single-address pool could serve only one inside host at a time.
[RTA] interface Ethernet0/1
[RTA-Ethernet0/1] nat outbound 2000 address-group 1


How do we deal with the case where we have only ONE public IP address and it is obtained dynamically?


Easy IP

• The NAT device uses the IP address of the outbound interface as the translated source IP address.
• No address pool needs to be configured.
• Easy IP operates in the same way as NAPT; it is an application of NAPT with the interface address as the single global address.
• Applicable to scenarios where the public IP address is obtained dynamically (for example by DHCP or PPPoE) and so cannot be written into a static address pool.
Easy IP Configuration Example

Figure: HostA 10.0.0.1 and HostB 10.0.0.2 behind RTA (inside 10.0.0.254/24, outside Eth0/1 198.76.28.1/24, no address pool); Server 198.76.29.4/24 on the Internet.

1. Define a rule to permit packets sourced from 10.0.0.0/24
[RTA] acl number 2000
[RTA-acl-basic-2000] rule 0 permit source 10.0.0.0 0.0.0.255

2. Apply ACL 2000 and enable NAT in the outbound direction of the interface. No address group is given, so the interface's own address (198.76.28.1) is used as the translated source address.
[RTA] interface Ethernet0/1
[RTA-Ethernet0/1] nat outbound 2000


Constraint of Basic NAT, NAPT (I)

Figure: a Web Server (10.0.0.1) behind RTA (E0/0, outside address 198.76.28.1/24) and an External Host (198.76.29.4/24) on the Internet.

• Internal hosts such as a Web server or an FTP server may need to be accessed by external hosts.
• Neither Basic NAT, NAPT nor Easy IP allows a public host to initiate a connection to a private host, because NAT table entries are only created by outbound traffic: a packet arriving from outside with no existing NAT session is dropped.


Internal Server

Figure (static NAT server entry on RTA: inside 10.0.0.1:8080 <-> global 198.76.28.11:80):
1. The External Host sends a packet with S=198.76.29.4 P=1033, D=198.76.28.11 P=80.
2. RTA finds the static NAT server mapping for 198.76.28.11:80.
3. The packet is forwarded to the Web Server with D=10.0.0.1 P=8080, S=198.76.29.4 P=1033.
4. The Web Server replies with S=10.0.0.1 P=8080, D=198.76.29.4 P=1033.
5. RTA translates the source using the same mapping.
6. The reply reaches the External Host with S=198.76.28.11 P=80, D=198.76.29.4 P=1033.


Internal Server Configuration Example

Figure: a Telnet Server at 10.0.0.1 (inside) published as 198.76.28.11 (global) through RTA Eth0/1 (198.76.28.1/24); HostC (198.76.29.4/24) on the Internet.

[RTA] interface Ethernet0/1
# Map the private address and port to the public address and port for the internal server
[RTA-Ethernet0/1] nat server protocol tcp global 198.76.28.11 telnet inside 10.0.0.1 telnet


Configuring Internal Server

• To configure an internal server, use this command in interface view:
nat server protocol pro-type global global-addr [ global-port ] inside host-addr [ host-port ]
• If global-port is omitted, every port of the inside host is mapped. Give the port explicitly so that only the intended service is exposed to the Internet.
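The simulation below is an added example, not part of the original slides and not Comware code. It reproduces the three behaviours shown so far, Basic NAT (the no-pat one-to-one mapping), NAPT (address plus port) and the static "nat server" mapping, with the slides' own addresses (pool 198.76.28.11 ~ 20, server 198.76.29.4), and it returns None wherever the slides say a packet is dropped: a Basic NAT pool that has run out, and an unsolicited inbound packet for which there is neither a session nor a server entry (constraint I). The inside prefix stands in for the ACL that selects traffic for translation.

```python
"""Simulation of Basic NAT (no-pat), NAPT and the 'nat server' static mapping from these slides.
Added example, not Comware code; addresses and ports are the slides' own.  The ACL that selects
traffic for translation is modelled by the inside prefix.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from itertools import count
from typing import Optional


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class NatDevice:
    def __init__(self, pool, mode="napt", inside="10.0.0.0/24", first_port=2001):
        if mode not in ("basic", "napt"):
            raise ValueError("mode is 'basic' (nat outbound ... no-pat) or 'napt' (without no-pat)")
        self.mode, self.pool, self.inside = mode, list(pool), ip_network(inside)
        self.out_map = {}   # basic: inside addr -> global addr; napt: (proto, addr, port) -> (proto, addr, port)
        self.in_map = {}    # the reverse direction of out_map
        self.servers = {}   # (proto, global addr, global port) -> (inside addr, inside port)
        self.ports = count(first_port)

    def add_server(self, proto, global_addr, global_port, inside_addr, inside_port):
        """nat server protocol <proto> global <global_addr> <global_port> inside <inside_addr> <inside_port>"""
        self.servers[(proto, global_addr, global_port)] = (inside_addr, inside_port)

    def outbound(self, pkt: Pkt) -> Optional[Pkt]:
        """Translate a packet leaving the private side; None means it is dropped."""
        if ip_address(pkt.src) not in self.inside:
            return pkt                                   # denied by the NAT ACL: forwarded untranslated
        for (proto, gaddr, gport), inside in self.servers.items():
            if (proto, *inside) == (pkt.proto, pkt.src, pkt.sport):
                return replace(pkt, src=gaddr, sport=gport)   # an internal server's reply
        if self.mode == "basic":
            if pkt.src not in self.out_map:
                free = [a for a in self.pool if a not in self.in_map]
                if not free:
                    return None                          # pool exhausted: one global per inside host
                self.out_map[pkt.src], self.in_map[free[0]] = free[0], pkt.src
            return replace(pkt, src=self.out_map[pkt.src])
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.out_map:
            gkey = (pkt.proto, self.pool[0], next(self.ports))   # one public address, a fresh port
            self.out_map[key], self.in_map[gkey] = gkey, key
        return replace(pkt, src=self.out_map[key][1], sport=self.out_map[key][2])

    def inbound(self, pkt: Pkt) -> Optional[Pkt]:
        """Translate a packet arriving from the Internet; None means no session and no server entry."""
        if self.mode == "basic" and pkt.dst in self.in_map:
            return replace(pkt, dst=self.in_map[pkt.dst])
        key = (pkt.proto, pkt.dst, pkt.dport)
        if key in self.in_map:
            return replace(pkt, dst=self.in_map[key][1], dport=self.in_map[key][2])
        if key in self.servers:
            return replace(pkt, dst=self.servers[key][0], dport=self.servers[key][1])
        return None                                      # constraint (I): nothing initiated from outside


def basic_nat_walkthrough():
    """Slide 'Basic NAT': HostA and HostB each take a pool address; the reply is mapped back."""
    nat = NatDevice(["198.76.28.%d" % i for i in range(11, 21)], mode="basic")
    a = nat.outbound(Pkt("10.0.0.1", 1024, "198.76.29.4", 80))
    b = nat.outbound(Pkt("10.0.0.2", 1024, "198.76.29.4", 80))
    return a, b, nat.inbound(Pkt("198.76.29.4", 80, a.src, a.sport))


def napt_walkthrough():
    """Slide 'NAPT': the single address 198.76.28.11 shared by both hosts, told apart by port."""
    nat = NatDevice(["198.76.28.11"], mode="napt")
    a = nat.outbound(Pkt("10.0.0.1", 1024, "198.76.29.4", 80))
    b = nat.outbound(Pkt("10.0.0.2", 1024, "198.76.29.4", 80))
    return a, b, nat.inbound(Pkt("198.76.29.4", 80, a.src, a.sport))


def internal_server_walkthrough():
    """Slide 'Internal Server': 198.76.29.4:1033 reaches 10.0.0.1:8080 through 198.76.28.11:80."""
    nat = NatDevice(["198.76.28.11"], mode="napt")
    before = nat.inbound(Pkt("198.76.29.4", 1033, "198.76.28.11", 80))   # no entry yet: dropped
    nat.add_server("tcp", "198.76.28.11", 80, "10.0.0.1", 8080)
    request = nat.inbound(Pkt("198.76.29.4", 1033, "198.76.28.11", 80))
    response = nat.outbound(Pkt("10.0.0.1", 8080, "198.76.29.4", 1033))
    return before, request, response
```

Easy IP is the NAPT case with a pool consisting of the outbound interface address only; the `internal_server_walkthrough` shows why the static mapping is needed at all, since the first inbound packet is dropped until the `nat server` entry exists.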


Constraint of Basic NAT, NAPT (II)

• Basic NAT and NAPT only translate the IP and transport headers. They cannot translate IP address and port information carried inside the payload of application protocol messages such as FTP, MSN, QQ, H.323 and SIP, so those applications break behind plain NAT.
• NAT ALG (Application Layer Gateway) is an enhanced feature that can identify and translate the IP address and port information embedded in application protocol messages, and create the corresponding NAT table entry in advance.
NAT ALG: FTP Control Channel

Figure (HostA 10.0.0.1 opens an active-mode FTP session to the FTP Server 198.76.29.4; address pool 198.76.28.11 ~ 20):
1. HostA sends the control packet with S=10.0.0.1 P=1024, D=198.76.29.4 P=21 carrying the command PORT "S=10.0.0.1 P=5001", i.e. it announces its private address and data port inside the payload.
2. RTA's FTP ALG adds a NAT table entry for the announced data port alongside the control session:
   Inside Address:Port   Global Address:Port
   10.0.0.1:1024         198.76.28.11:2001
   10.0.0.1:5001         198.76.28.11:2002
3. The control packet is forwarded with S=198.76.28.11 P=2001, D=198.76.29.4 P=21 and the payload rewritten to PORT "S=198.76.28.11 P=2002".
4. The FTP Server opens the data channel from its data port (20) towards D=198.76.28.11 P=2002.
5. RTA matches the data connection against the entry created in step 2.
6. The data packet reaches HostA with D=10.0.0.1 P=5001.
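The block below is an added example, not the Comware NAT ALG and not part of the original slides. It implements the FTP-specific part of the ALG for the exchange just described: parsing the real on-the-wire form of the PORT command ("PORT h1,h2,h3,h4,p1,p2", port = p1*256 + p2; the slide writes it as "S=10.0.0.1 P=5001" for readability), allocating the 10.0.0.1:5001 -> 198.76.28.11:2002 entry, rewriting the text, and reporting the payload length change that the control connection's TCP sequence numbers must then be adjusted by. The global address, starting port and the check that refuses a PORT naming a different host are assumptions of this example.

```python
"""FTP ALG for the active-mode PORT command (added example, not the Comware NAT ALG).
The client announces its data-channel address inside the control connection, for example
'PORT 10,0,0,1,19,137' for 10.0.0.1:5001 (port = p1*256 + p2).  Plain NAPT would forward the
private address unchanged and the server's data connection would never arrive; the ALG allocates
a mapping for the announced port, rewrites the text, and reports the payload length change that
the TCP sequence/acknowledgement numbers of the control connection must be adjusted by.
"""
import re
from itertools import count
from typing import Optional, Tuple

PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def parse_port(payload: bytes) -> Optional[Tuple[str, int]]:
    """Return (address, port) announced by a PORT command, or None if the payload is not one."""
    m = PORT_RE.match(payload)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_port(addr: str, port: int) -> bytes:
    return ("PORT %s,%d,%d\r\n" % (addr.replace(".", ","), port // 256, port % 256)).encode()


class FtpAlg:
    def __init__(self, global_addr: str, first_port: int = 2001):
        self.global_addr = global_addr
        self.ports = count(first_port)
        self.table = {}   # (global addr, global port) -> (inside addr, inside port), like the NAT table

    def rewrite(self, payload: bytes, conn_src: str) -> Optional[Tuple[bytes, int]]:
        """Process one control-channel segment sent by the inside host conn_src.

        Returns (payload to forward, sequence-number delta).  A PORT command naming an address other
        than the connection's own source is refused (None): opening a pinhole for it would let an
        inside client point the server's data connection at a third party (the FTP bounce problem),
        so a careful ALG only creates mappings for the address it is actually translating.
        """
        parsed = parse_port(payload)
        if parsed is None:
            return payload, 0                        # not a PORT line: forward unchanged
        inside_addr, inside_port = parsed
        if inside_addr != conn_src:
            return None
        gkey = (self.global_addr, next(self.ports))
        self.table[gkey] = (inside_addr, inside_port)
        new_payload = format_port(*gkey)
        return new_payload, len(new_payload) - len(payload)
```

The returned delta is the part most often forgotten when people write their own ALG: because "198,76,28,11,7,210" is longer than "10,0,0,1,19,137", every later sequence number from the client and acknowledgement number from the server on that control connection has to be shifted by that amount, or the TCP session stalls.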
Displaying and Debugging NAT

• To display address translation status, use this command:
display nat { address-group | aging-time | all | outbound | server | statistics | session [ slot slot-number ] [ source global global-addr | source inside inside-addr ] [ destination ip-addr ] }
• To enable NAT debugging, use this command:
debugging nat { alg | event | packet [ interface interface-type interface-number ] }
• To set how long an idle NAT session is kept before it is removed, use this command:
nat aging-time { tcp | udp | icmp } seconds
• To clear NAT connections, use this command:
reset nat session
Authentication, Authorization and Accounting with IEEE 802.1X


AAA protocol

• AAA stands for Authentication, Authorization and Accounting.
• It refers to a security architecture which enables control over which users are allowed access to which services, and how much of the resources they have used.
• Two network protocols providing this functionality are particularly popular: RADIUS and its newer successor, Diameter.
• Another protocol, TACACS+, is less widely used but is supported by most Cisco devices.


AAA protocol (Con't)

• Authentication is the process by which an entity's claimed identity is verified.
• Authorization determines whether a particular (authenticated) entity is allowed to perform a given activity.
• Accounting is the tracking of network resource consumption by users, for purposes such as capacity and trend analysis, cost allocation and billing.


Two Access Methods

• AAA can be used to authenticate users for administrative access, or to authenticate users for remote network access. These two access methods use different modes to request AAA services:
  – Character mode: a user sends a request to establish an EXEC mode process with the router for administrative purposes.
  – Packet mode: a user sends a request to establish a connection through the router to a device on the network.


Example of Character Mode


Example of Packet Mode with Ethernet

Figure: EAP Peer (supplicant) <-802.1X/EAP over LAN-> Authenticator (switch) <-RADIUS-> Authentication Server (RADIUS server, e.g. Microsoft NPS) <-> Directory Service (e.g. AD). The TLS-based EAP conversation runs end to end between the EAP peer and the authentication server; the authenticator only relays EAP, inside 802.1X on one side and inside RADIUS on the other.


Example of Packet Mode with PPP

Figure: a remote user connects over PPP to the Network Access Server (NAS), which forwards the authentication to the Authentication Server over RADIUS.


Local AAA

Local AAA in Character Mode

Format of AAA Authentication
• The authentication methods in the default method list are used on all lines, unless a custom authentication method list is created and applied.

AAA Method Types

Custom Authentication Method

Server-based AAA


AAA Transaction Protocols

• For server-based AAA, Cisco devices support TACACS+ (Cisco proprietary) and RADIUS (RFC 2865 and RFC 2866) for the AAA transactions between network devices and AAA servers. Most other vendors support RADIUS only.
• A newer and more powerful protocol, Diameter (RFC 6733), was designed to replace RADIUS, but it is not yet widely used in enterprise networks.
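The following Python block is an added example, not Cisco or RADIUS-server code and not part of the original slides. It implements the two places where the RFC 2865 shared secret (the `radius-server key` configured on the switch later in this chapter) actually does its work: hiding the User-Password attribute in an Access-Request and authenticating the server's Access-Accept through the Response Authenticator. It also shows the practical consequence, which is that a captured request/response pair lets an attacker test candidate secrets offline and, once the secret is known, recover the password. The packets, user name, password and secret are constructed for the example.

```python
"""RFC 2865 mechanics behind 'radius-server key' (added example, not Cisco or RADIUS-server code).
Shows how the shared secret hides User-Password in an Access-Request, how the NAS verifies the
Response Authenticator on the Access-Accept, and why a guessable secret undoes both.  Packet
contents and the secret used below are constructed for the example.
"""
import hashlib
import hmac
import struct
from typing import Iterable, Optional

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: zero-pad to a multiple of 16, XOR block i with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], pad))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; anyone holding the secret and the request can do this."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def access_request(ident: int, request_auth: bytes, user: bytes, password: bytes, secret: bytes) -> bytes:
    """Build an Access-Request; request_auth is the 16-byte random Request Authenticator."""
    attrs = attribute(ATTR_USER_NAME, user) + attribute(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + ResponseAttributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def access_accept(request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """What the server sends back when the credentials are accepted."""
    ident, request_auth = request[1], request[4:20]
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """The NAS must check this before honouring an Access-Accept: same ID, valid authenticator."""
    expected = response_authenticator(response[0], response[1], response[20:], request[4:20], secret)
    return response[1] == request[1] and hmac.compare_digest(expected, response[4:20])


def guess_secret(request: bytes, response: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack on one captured request/response pair: the candidate that makes
    verify_response() succeed is the shared secret, and reveal_password() then yields the password."""
    for candidate in candidates:
        if verify_response(request, response, candidate):
            return candidate
    return None
```

Two practical points follow from the code: the secret is the only thing protecting the password between switch and server, so it should be long and random and the RADIUS path should be on a management network or inside IPsec; and a NAS that skips `verify_response` will accept a forged Access-Accept from anyone who can spoof the server's address.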


802.1X Port-based AAA


IEEE 802.1X

• IEEE 802.1X is an IEEE standard for port-based Network Access Control. It provides an authentication mechanism for devices wishing to attach to a LAN or WLAN: the port stays blocked for everything except authentication traffic until the attached device has authenticated.
• It defines the encapsulation of the Extensible Authentication Protocol (EAP) over IEEE 802, known as "EAP over LAN" (EAPOL): EAP messages are carried directly in Ethernet frames.


Extensible Authentication Protocol

• The Extensible Authentication Protocol (EAP), defined in RFC 3748, enables extensible network access authentication.
• It provides a framework for the transport and usage of keying material and parameters generated by EAP authentication methods.
• EAP is widely used in wireless networks. For example, in Wi-Fi the WPA and WPA2 Enterprise standards have adopted IEEE 802.1X with eight certified EAP method types.


• EAP is an authentication framework, not a specific authentication mechanism. It provides common functions and the negotiation of authentication methods, called EAP methods.
• About 40 different methods have been defined. Methods defined in IETF RFCs include EAP-MD5, EAP-POTP, EAP-GTC, EAP-TLS, EAP-IKEv2, EAP-SIM and EAP-AKA. A number of vendor-specific methods and new proposals also exist.
• Commonly used methods capable of operating in wireless networks include EAP-TLS, EAP-SIM, EAP-AKA, LEAP and EAP-TTLS.
Lightweight Extensible Authentication Protocol (LEAP)

LEAP is a Cisco proprietary EAP method adopted in Cisco wireless APs, routers, NICs and even third-party devices. It is highly susceptible to offline dictionary attacks, because its MS-CHAP exchange is sent without a protecting tunnel, and it is not included in WPA/WPA2 Enterprise; it should not be deployed.

EAP-Transport Layer Security (EAP-TLS)

Originally defined in RFC 2716 and updated in RFC 5216, EAP-TLS is widely supported and offers excellent security, because both the server and the client are authenticated with certificates. The downside of EAP-TLS is the client-side certificate requirement, which makes deployment more labour intensive, especially on a large scale.
Protected Extensible Authentication Protocol (PEAP)

• PEAP is a joint proposal by Cisco, Microsoft and RSA Security. It provides most of the security of EAP-TLS without the need for a client-side certificate.
• PEAP requires a server-side PKI certificate. The client uses the server's public key certificate to authenticate the server and establishes a TLS tunnel with it; the key material for the tunnel is negotiated in the TLS handshake under the protection of the server's public key. The user's credentials (for example an MS-CHAPv2 exchange) are then exchanged inside the encrypted tunnel, so they are never exposed on the LAN.
• The protection depends on the client actually validating the server certificate: a client that accepts any server certificate will hand its credentials to a rogue access point. This is why the later slides install the CA certificate on the client and enable server certificate validation.


Configuration of Switch
! Global AAA: use the RADIUS server group for 802.1X authentication and for
! network authorization (for example a VLAN assigned by the server)
SW2950(config)# aaa new-model
SW2950(config)# aaa authentication dot1x default group radius
SW2950(config)# aaa authorization network default group radius
! RADIUS server (authentication on UDP 1812, accounting on 1813) and the shared secret;
! the secret protects every RADIUS exchange, so use a long random value rather than a word
SW2950(config)# radius-server host 172.18.124.200 auth-port 1812 acct-port 1813 timeout 3
SW2950(config)# radius-server retransmit 3
SW2950(config)# radius-server key cisco1234
! Enable 802.1X globally, then on each access port
SW2950(config)# dot1x system-auth-control

SW2950(config)# interface FastEthernet0/1
SW2950(config-if)# switchport mode access
! auto: the port forwards only EAPOL until the supplicant has authenticated
SW2950(config-if)# dot1x port-control auto
SW2950(config-if)# spanning-tree portfast
SW2950(config-if)# end


Install CA Certificate

Install Server Certificate

Install CA Certificate in Client & Validate Server Certificate


Basic Network Monitoring with SNMP


Simple Network Management Protocol (SNMP)

• SNMP is used by network management systems to monitor network-attached devices for conditions that warrant administrative attention.
• It consists of a set of standards for network management, including an application layer protocol, a database schema, and a set of data objects.
• The current version is SNMPv3.
  – SNMPv1 and v2c are considered obsolete and are extremely insecure: the community string that grants access travels in clear text. It is recommended that they NOT be used on a publicly attached network.


SNMP Components

An SNMP-managed network consists of four key components:
1. A managed device is a network node that contains an SNMP agent and resides on a managed network. Managed devices collect and store management information and make it available to NMSs using SNMP.
2. A Management Information Base (MIB) is a virtual information store for network management information; it consists of collections of managed objects.
3. An agent is a network management software module that resides in a managed device. An agent has local knowledge of management information and translates that information into a form compatible with SNMP.
4. A Network Management System (NMS) executes applications that monitor (and possibly control) managed devices.


SNMPv1 and SNMPv2 Architecture
The SNMP manager asks agents embedded in network devices for information, or tells the agents to do something.


SNMP Actions

• SNMP uses UDP port 161 on the agent and UDP port 162 on the manager. The manager sends requests from any available (ephemeral) source port to destination port 161 on the agent.
• The agent's response is sent back to that source port. The manager receives traps on port 162.
• The agent may send traps from any available port.
• Because SNMP runs over UDP, a filter that permits UDP 161 only from the management station to the agents (and UDP 162 only in the other direction) is an easy first line of defence.


Polling vs Trap

Traps and Informs

• Unsolicited notifications can be generated as traps or inform requests (informs).
• Traps are messages alerting the SNMP manager to a condition on the network; they are sent once and not acknowledged.
• Informs are traps that include a request for confirmation of receipt from the SNMP manager; the agent retransmits an inform until it is acknowledged.


Community Strings
• SNMPv1 and SNMPv2c use a community string to access SNMP agents.
• SNMP community strings act like passwords.
• An SNMP community string is a text string used to authenticate messages between a management station and an SNMP engine. It is sent in clear text on the network, so anyone who can capture the traffic learns it.
• If the manager sends one of the correct read-only community strings, the manager can get information but NOT set information in an agent.
• If the manager uses one of the correct read-write community strings, the manager can get or set information in the agent.

Community Strings (Con't)

• In effect, having read-write access is equivalent to having the enable password.
• By default, many SNMP systems use a community string of "public".
• If an SNMP agent is configured to use this commonly known community string, anyone with an SNMP system is able to read the router MIB.
• Router MIB variables can point to entities like routing tables and other security-critical components of a router configuration, so it is very important that custom SNMP community strings are created and, on Cisco IOS, restricted to the management station with an access list (snmp-server community string RO acl-number).
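To make "sent in clear text" concrete, the following added example (not part of the original slides, and not code from any SNMP product) decodes the BER-encoded header of SNMPv1/v2c messages exactly as a sniffer on the management network would. The two datagrams are constructed by hand for the example: a GetRequest for sysDescr.0 with community "public" and a SetRequest for sysContact.0 with the read-write community "private". Decoding them needs no key at all, which is the whole problem with v1/v2c.

```python
"""Decode SNMPv1/v2c message headers to show that the community string travels in clear text.
Added example, not part of the original slides.  The two datagrams below are constructed by hand
(a GetRequest for sysDescr.0 with community "public" and a SetRequest for sysContact.0 with the
read-write community "private"); anyone capturing UDP/161 traffic can extract the same strings.
"""
from dataclasses import dataclass, field
from typing import List

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest", 0xA7: "InformRequest"}


def read_tlv(buf: bytes, pos: int):
    """Parse one BER TLV at pos; return (tag, value, position after the TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """BER OBJECT IDENTIFIER: first byte packs the first two arcs, then base-128 sub-identifiers."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


@dataclass
class SnmpHeader:
    version: int            # 0 = SNMPv1, 1 = SNMPv2c
    community: str
    pdu_type: str
    request_id: int
    oids: List[str] = field(default_factory=list)


def decode_snmp(datagram: bytes) -> SnmpHeader:
    """Extract version, community, PDU type, request-id and the OIDs from a v1/v2c message."""
    tag, msg, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    _, ver, pos = read_tlv(msg, 0)
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    if pdu_tag == 0xA4:
        raise ValueError("SNMPv1 Trap PDUs have a different layout; not handled here")
    _, rid, p = read_tlv(pdu, 0)
    _, _, p = read_tlv(pdu, p)              # error-status
    _, _, p = read_tlv(pdu, p)              # error-index
    _, varbinds, _ = read_tlv(pdu, p)
    oids, q = [], 0
    while q < len(varbinds):
        _, vb, q = read_tlv(varbinds, q)
        _, oid, _ = read_tlv(vb, 0)
        oids.append(decode_oid(oid))
    return SnmpHeader(int.from_bytes(ver, "big", signed=True), community.decode("ascii", "replace"),
                      PDU_NAMES.get(pdu_tag, hex(pdu_tag)), int.from_bytes(rid, "big", signed=True), oids)


def audit_capture(datagrams) -> dict:
    """What a sniffer learns from captured SNMP datagrams: community -> set of PDU types seen.
    A community seen with SetRequest is a read-write string, i.e. the 'enable password' of the box."""
    seen = {}
    for d in datagrams:
        hdr = decode_snmp(d)
        seen.setdefault(hdr.community, set()).add(hdr.pdu_type)
    return seen


# Constructed sample datagrams (not captured from any real device).
GET_SYSDESCR = bytes.fromhex(
    "302902010004067075626c6963a01c020400000539020100020100300e300c06082b060102010101000500")
SET_SYSCONTACT = bytes.fromhex(
    "302b020100040770726976617465a31d02040000053a020100020100300f300d06082b06010201010400040178")
```

`audit_capture` is the detection angle of the same code: run over a packet capture from the management VLAN it lists every community string in use and flags the ones that carry SetRequests, which is a quick way to find devices still managed with clear-text read-write access.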


SNMPv1 / v2c Configuration

• A simple SNMP configuration for a Cisco device

interface Vlan1
 ip address 192.168.19.1 255.255.255.0
 no shut
!
snmp-server community public RO

Gathering Information with SNMP

Enabling Network Event Notification with SNMP

• Enabling SNMP trap notification


• A simple SNMP configuration for H3C devices

[switch] snmp-agent
[switch] snmp-agent sys-info version v1
[switch] snmp-agent community write private
[switch] snmp-agent community read public
[switch] snmp-agent trap enable
[switch] snmp-agent target-host trap address udp-domain 192.168.1.201 params securityname public
// 192.168.1.201 is the SNMP management server's IP address


SNMPv3 Features and Benefits
It is strongly recommended that all network management systems use SNMPv3 rather than SNMPv1 or SNMPv2c.

Features
– Message integrity: ensures that a packet has not been tampered with in transit
– Authentication: determines that the message is from a valid source
– Encryption: scrambles the contents of a packet to prevent it from being read by an unauthorised party

Benefits
– Data can be collected securely from SNMP devices without fear of the data being tampered with or corrupted
– Confidential information, such as SNMP Set command packets that change a router configuration, can be encrypted to prevent the contents from being exposed on the network
SNMP Security Models and Levels
Definitions:
• Security model: the security strategy used by the SNMP agent (v1, v2c or v3).
• Security level: the permitted level of security within a security model.

Model  Level         Authentication    Encryption  What Happens
v1     noAuthNoPriv  Community string  No          Authenticates with a community string match
v2c    noAuthNoPriv  Community string  No          Authenticates with a community string match
v3     noAuthNoPriv  Username          No          Authenticates with a username only
v3     authNoPriv    MD5 or SHA        No          Provides HMAC-MD5 or HMAC-SHA authentication
v3     authPriv      MD5 or SHA        DES         Provides HMAC-MD5 or HMAC-SHA authentication plus 56-bit CBC-DES encryption

The DES and MD5 options shown are the ones of the original User-based Security Model (RFC 3414); current implementations also offer AES (RFC 3826) and SHA-2 (RFC 7860), which should be preferred wherever the NMS and the devices support them.


SNMPv3 Configuration Example

Trap_sender(config)# snmp-server group snmpgroup v3 auth
Trap_sender(config)# snmp-server group snmpgroup v3 priv
Trap_sender(config)# snmp-server user snmpuser snmpgroup v3 auth md5 authpassword priv des encryptpassword
Trap_sender(config)# snmp-server enable traps cpu
Trap_sender(config)# snmp-server enable traps config
Trap_sender(config)# snmp-server enable traps snmp
Trap_sender(config)# snmp-server host 172.16.1.1 traps version 3 priv snmpuser
Trap_sender(config)# snmp-server source-interface traps loopback 0

Walked_device(config)# snmp-server group snmpgroup v3 auth
Walked_device(config)# snmp-server group snmpgroup v3 priv
Walked_device(config)# snmp-server user snmpuser snmpgroup v3 auth md5 authpassword priv des encryptpassword


SNMPv3 Configuration

• The router Trap_sender is configured to send traps to the NMS host with the IP address 172.16.1.1. The traps are authenticated and encrypted (priv) using the credentials configured for the local user snmpuser, who belongs to the group snmpgroup. Trap_sender sends traps related to CPU, configuration changes and SNMP itself. The trap packets are sourced from the router's loopback 0 interface, so the NMS always sees the same source address.
• The router Walked_device is configured so that the NMS host can read the MIBs on the local device. The NMS must use the username credentials configured on Walked_device (snmpuser with its authentication and encryption passwords) to gain access to the SNMP information of the router.


Configuring the SNMP-Server Group Names

Router(config)#
snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] [access access-list]

• Configures a new SNMP group, i.e. a table that maps SNMP users to SNMP views
PR1(config)# snmp-server group johngroup v3 auth
PR1(config)# snmp-server group billgroup v3 auth
PR1(config)# snmp-server group billgroup v3 priv
• The first line defines a group johngroup for SNMPv3 using authentication but not privacy (encryption).
• The next two lines define a group billgroup for SNMPv3 at both the auth and the priv security levels, so its users can use authentication with or without encryption.


Configuring the SNMP-Server Users
• Configure a new user and add it to an SNMP group
Router(config)#
snmp-server user username groupname [remote ip-address [udp-port port]] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password [priv des56 priv-password]]} [access access-list]

• The groups must exist before users are added to them:
PR1(config)# snmp-server group johngroup v3 auth
PR1(config)# snmp-server group billgroup v3 auth
PR1(config)# snmp-server group billgroup v3 priv
• The first example below defines a user John belonging to the group johngroup; authentication uses the password john2passwd and no privacy (no encryption) is applied. The second example defines user Bill, belonging to the group billgroup, with the authentication password bill3passwd and privacy (encryption) applied with the key password2.
PR1(config)# snmp-server user John johngroup v3 auth md5 john2passwd
PR1(config)# snmp-server user Bill billgroup v3 auth md5 bill3passwd priv des56 password2
SNMP-Server Engine ID
Walked_device(config)# snmp-server group snmpgroup v3 auth
Walked_device(config)# snmp-server group snmpgroup v3 priv
Walked_device(config)# snmp-server user snmpuser snmpgroup v3 auth md5 authpassword priv des encryptpassword

Walked_device# show snmp engineID
Local SNMP engineID: 8000000903000015638F3610
Remote Engine ID          IP-addr          Port

The SNMP engine ID is a unique string that identifies the SNMP engine of the device. SNMPv3 localizes every user's authentication and privacy keys with the engine ID, so the keys derived from the same password differ from device to device, and an NMS must learn a device's engine ID before it can talk to it. The local engine ID is generated automatically when the first SNMP user is created; local and remote engine IDs can also be set explicitly with the snmp-server engineID global configuration command. Changing the local engine ID after users exist invalidates their localized keys, so the users must then be reconfigured.


Configuring the SNMP-Server Hosts

• To specify the recipient of an SNMP notification operation, use the snmp-server host global configuration command. Notifications can be traps or informs.
• For SNMPv3 informs, follow these steps:
  1. Configure the remote engine ID of the NMS host.
  2. Configure a remote user (its keys are localized with that remote engine ID).
  3. Configure the group the remote user belongs to.
  4. Enable traps.
  5. Enable the SNMP manager function.
Configuring the SNMP-Server Hosts (Con't)
Router(config)#
snmp-server host host-address [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] community-string [udp-port port] [notification-type]
• For version 3 the community-string argument is the SNMPv3 user name.

The example below shows how to send configuration informs to the remote host 10.1.1.1. Because the inform is sent at the noauth level it is neither authenticated nor encrypted; in production use auth or priv.
PR1(config)# snmp-server engineID remote 10.1.1.1 1234000000
PR1(config)# snmp-server user bill billgroup remote 10.1.1.1 v3
PR1(config)# snmp-server group billgroup v3 noauth
PR1(config)# snmp-server enable traps
PR1(config)# snmp-server host 10.1.1.1 inform version 3 noauth bill
PR1(config)# snmp-server manager


H3C SNMPv3 Configuration Example

[H3C] snmp-agent sys-info version v3
// the view referenced by the group must exist; here it covers the whole iso subtree
[H3C] snmp-agent mib-view included myview iso
[H3C] snmp-agent group v3 testgp
[H3C] snmp-agent group v3 testgp privacy read-view myview
[H3C] snmp-agent usm-user v3 tom testgp authentication-mode md5 mypass privacy-mode aes128 mykey
// traps are sent as the configured user tom at the privacy level (authenticated and encrypted)
[H3C] snmp-agent target-host trap address udp-domain 10.0.0.1 params securityname tom v3 privacy


Reference

• Reference textbooks for the module
  – H3C Technologies Co., Ltd., H3CNE Exam Training Textbook: Building Networks for Small- and Medium-Sized Businesses (v6.0).
  – CCNA Security Course Booklet, Version 1.1 (2nd Edition), Cisco Press.