Advanced Networking Services
SAFE Corporate Internet Module
Configuration Guide:
Catalyst Switch
June 9, 2004
Dwight Kinney & Greg Wallin
Network Consulting Engineer
Copyright (c) 2001 Cisco Systems, Inc. All rights reserved.
ALL CONTENTS IN THIS DOCUMENT ARE PROTECTED BY COPYRIGHT EXCEPT AS SPECIFICALLY PERMITTED HEREIN, NO PORTION OF THE INFORMATION IN THIS DOCUMENT MAY BE REPRODUCED IN ANY FORM, OR BY ANY MEANS, WITHOUT PRIOR WRITTEN PERMISSION FROM CISCO.
Table of Contents
Catalyst Switch Configuration Details and Discussion..................................... 6
Authentication, Authorization, and Accounting................................................. 8
Configuring TACACS+ on the Catalyst Switch................................................. 9
Catalyst 6000 Intrusion Detection System Module....................................... 17
Scope
The Corporate Internet Module is a component of “Cisco SAFE: A Security Blueprint for Enterprise Networks”. The Corporate Internet Module provides internal users with connectivity to Internet services and Internet users access to information on publicly available corporate servers. The Catalyst Switches depicted in the module are vital aggregations points ensuring connectivity for all devices. Therefore hardening the Catalyst Switches should be a consideration for your overall security policy.
SAFE Threats Mitigated
Threat definitions as well as a complete discussion are available in Appendix B: Network Security Primer of “Cisco SAFE: A Security Blueprint for Enterprise Networks”.
- Trust-based attacking
- Packet Sniffing
Configuration Goals
Common to all switches
- Switching devices should be resilient.
- Do not use VLANs as the sole method of securing access between two subnets. VLANs are not a security feature.
- Non-trunk ports should have trunk settings set to off, not auto.
- Ensure trunk ports use a VLAN number not used anywhere else in the switch.
- Set all unused ports to a VLAN that has no layer 3 connectivity or disable them.
- Consider implementing port security for devices on this segment
Specific to the 6509 switches on the Public Services Segment (PSS)
- Private VLANs should be deployed to limit communications between segment network devices.
- Server ports should be set to “ISOLATED”.
- Firewall ports should be set to “PROMISCUOUS”
Design Diagram
Assumptions and Limitations
This configuration contains the Catalyst Switch configuration commands necessary to support the SAFE Corporate Internet Module as shown in the diagram above. Site-specific security policies, attached devices, and required services may require the modification of these configuration statements. The following assumptions and limitations apply:
- · SNMP is configured on each switch managed by an NMS station.
- · TACACS+ is configured on each device
- Catalyst Platforms consists of 2912s and 6509s with 6.1(x) release. The PSS switches are 6509. All other switches are 2912.
- Buffered and Syslog logging is enabled on all switches
- All switches communicate with the Management Network for device management and syslogging.
- The OUTSIDE switches communicate to the Management network via eIOS-23 and eIOS-24.
- The PSS switches communicate via a direct connection between the switches and the Management segment.
- The URL switches communicate via the firewalls ePIX-31 and ePIX-33.
- eIDS-82,83,85, and 86 are connected to a single SPAN port on each switch. They SPAN the switch ports that are connected to the firewall.
- eIDS-81 and eIDS-84 are IDS Modules for the 6509 switch. They also SPAN the firewall ports on that segment.
- To enhance readability, the Management network is not reflected on the diagram above.
- · Local authentication
- · TACACS+(Preferred) or RADIUS authentication
- TACACS+ works with many authentication types, including fixed password, one-time password, and challenge-response authentication. TACACS+ authentication usually occurs in these instances: When you first log onto a machine
- When you send a service request that requires privileged access
- · A promiscuous port communicates with all other private VLAN ports and is the port used to communicate with devices such as routers, LocalDirector, backup servers, and administrative workstations.
- · An isolated port has complete Layer 2 separation from other ports on the switch with the exception of the promiscuous port.
- · Community ports communicate among themselves and with the promiscuous ports. These ports are isolated at Layer 2 from all other ports in other communities or isolated ports.
Catalyst Switch Configuration Details and Discussion
This section details the Catalyst Switch configuration commands most applicable to the Corporate Internet module.
CDP (Cisco Discovery Protocol)
Cisco Discovery Protocol (CDP) is primarily used to obtain protocol addresses of neighboring devices and discover the platform of those devices. CDP can also be used to show information about the interfaces your router uses. CDP is media- and protocol-independent, and runs on all Cisco-manufactured equipment including routers, bridges, access servers, and switches.
Each device configured for CDP sends periodic messages, known as advertisements, to a multicast address. Each device advertises at least one address at which it can receive SNMP messages. The advertisements also contain time-to-live, or holdtime, information, which indicates the length of time a receiving device should hold CDP information before discarding it. Each device also listens to the periodic CDP messages sent by others in order to learn about neighboring devices and determine when their interfaces to the media go up or down.
This document focuses on securing the Corporate Internet Module and recommends disabling CDP. If a switch in the Corporate Internet Module is compromised CDP will provide vital information for hackers attempting further mischief.
set cdp disable all
Turns off CDP for all ports
!turn off un-needed services
!
set cdp disable
Access control methods
You can configure any combination of these authentication methods to control access to the switch:
When multiple authentication methods are enabled, local authentication is always attempted last if enabled. You can specify the authentication method to use for console and Telnet connections independently. For example, you might use local authentication for console connections and TACACS+ authentication for Telnet connections.
Passwords
Passwords represent the basic level security configuration for Catalyst devices in The Corporate Internal Module.
The set password command sets the concentrator login password. You are prompted for the old password followed by the new password twice if the old password checks. A zero-length password is allowed, but passwords must not exceed 20 characters.
If you forget your password, you have 30 seconds after power up or pressing the reset button to log in without a password and change the password. This requires physical access to the concentrator.
For the purpose of securing the Corporate Internet Module the default password needs to be changed to alphanumeric combinations, special characters with mixed case and minimum of eight characters.
Example:
The following password configuration only works the first time
set password
Enter new password: X)[^j+#T98
Retype new password: X)[^j+#T98
set enablepass
The set enablepass command changes the privileged-level password for the admin. interface. After initializing the set enablepass command, you are prompted for the old password, the new password, and to confirm the new password. A zero-length password is allowed. The default password is no password.
For the purpose of securing the Corporate Internet Module SNMP default password need to be changed to alphanumeric combinations, special characters with mixed case and minimum of eight characters.
set enable
cisco
%Z<)|z9~zq
%Z<)|z9~zq
Login Banner
A login banner should be configured similar to the following example. This banner should be standard per your organizations security policy.
This is a private system operated for and by Cisco VSEC BU.
Authorization from Cisco VSEC management is required to use this system.
Use by unauthorized persons is prohibited.
<c>
!set passwords and access restrictions
!
set banner motd <c>
This is a private system operated for and by Cisco VSEC BU.
Authorization from Cisco VSEC management is required to use this system.
Use by unauthorized persons is prohibited.
<c>
!console password is set by 'set password'
!enter old password followed by new password
!console password = X)[^j+#T98
!
!enable password is set by 'set enable'
!enter old password followed by new password
!enable password = %Z<)|z9~zq
!the following password configuration only works the first time
set password
X)[^j+#T98
X)[^j+#T98
set enable
cisco
%Z<)|z9~zq
%Z<)|z9~zq
Authentication, Authorization, and Accounting
TACACS+ controls access to network devices by exchanging NAS information between a network device and a centralized database to determine the identity of a user or entity. TACACS+ is an enhanced version of TACACS, a UDP-based access-control protocol specified by RFC 1492. TACACS+ uses TCP to ensure reliable delivery and encrypt all traffic between the TACACS+ server and the TACACS+ daemon on a network device.
When you request privileged or restricted services, TACACS+ encrypts your user password information using the MD5 encryption algorithm and adds a TACACS+ packet header. This header information identifies the packet type being sent (for example, an authentication packet), the packet sequence number, the encryption type used, and the total packet length. The TACACS+ protocol then forwards the packet to the TACACS+ server.
A TACACS+ server can provide authentication, authorization, and accounting functions. These services, while all part of TACACS+, are independent of one another, so that a given TACACS+ configuration can use any or all of the three services. On the Catalyst 6000 family switches, only the authentication feature is supported.
Configuring TACACS+ on the Catalyst Switch
set tacacs server 192.168.253.54 primary
Use the set tacacs server command to define a TACACS+ server
set tacacs attempts 2
Use the set tacacs attempts command to configure the maximum number of login attempts allowed to the TACACS+ server
set tacacs directedrequest enable
Use the set tacacs directedrequest command to enable or disable the TACACS+ directed-request option. When enabled, you can direct a request to any of the configured TACACS+ servers and only the username is sent to the specified server
set tacacs key SJj)j~t]6-
Use the set tacacs key command to set the key for TACACS+ authentication and encryption
set tacacs timeout 10
Use the set tacacs timeout command to set the response timeout interval for the TACACS+ server daemon. The TACACS+ server must respond to a TACACS+ authentication request before this interval expires or the next configured server is queried
Authentication
set authentication login tacacs enable console primary
TACACS+ login authentication set to enable for the console sessions as primary authentication method
set authentication login tacacs enable telnet primary
TACACS+ login authentication set to enable for the telnet sessions as primary authentication method server
set authentication enable tacacs enable console primary
set authentication enable command set to enable using TACACS+ to determine if you have privileged access permission for console sessions as the primary method.
set authentication enable tacacs enable telnet primary
set authentication enable command set to enable authentication using the TACACS+ to determine if you have privileged access permission for telnet sessions
set authentication login local enable console
local login authentication set to enable for the console sessions as secondary authentication method
set authentication login local enable telnet
local login authentication set to enable for the telnet sessions as secondary authentication method
set authentication enable local enable console
set authentication enable command set to enable using local authentication to determine if you have privileged access permission for console sessions as the secondary method.
set authentication enable local enable telnet
set authentication enable command set to enable using local authentication to determine if you have privileged access permission for telnet sessions as the secondary method.
Authorization
set authorization exec enable tacacs+ deny both
Use the set authorization exec command set to enable authorization of exec, normal login mode, session events on the switch.
Accounting
set accounting connect enable stop-only tacacs+
Use the set accounting connect command set to enable accounting of outbound connection events on the switch.
set accounting exec enable stop-only tacacs+
Use the set accounting exec command set to enable accounting of normal login sessions on the switch
set accounting system enable stop-only tacacs+
Use the set accounting system command set to enable accounting of system events on the switch
set accounting system commands enable all stop-only tacacs+
Use the set accounting system command set to enable accounting of system events on the switch.
set accounting update periodic 60
Use the set accounting update command to configure the frequency of accounting updates.
!Turn on AAA
!
set tacacs server 192.168.253.54 primary
set tacacs attempts 2
set tacacs directedrequest enable
set tacacs key SJj)j~t]6-
set tacacs timeout 10
set authentication login tacacs enable console primary
set authentication login tacacs enable telnet primary
set authentication enable tacacs enable console primary
set authorization exec enable tacacs+ deny telnet
set accounting exec enable start-stop tacacs+
set accounting connect enable start-stop tacacs+
set accounting system enable stop-only tacacs+
set accounting system commands enable all stop-only tacacs+
set accounting update periodic 60
Additional Configuration needed for Management LAN Connectivity
For the OUTSIDE switches we need to configure an IP address for Sc0 (use 172.16.226.6 and .7) and default gateway that points to 172.16.226.3 so that the OUTSIDE switches can get to the management segment.
For the URL switches we need to configure an IP address for Sc0 (use 172.16.227.6 and .7) and default gateway that points to 172.16.227.1 so that the URL switches can get to the management segment.
For the PSS switches we need to configure an IP address for Sc0 (use 172.16.225.6 and .7) and add support for a VLAN connection to 192.168.254.0 255.255.255.0. We will also need a route to 192.168.253.0 using 192.168.254.3 as the gateway.
For the INSIDE switches we need to configure an IP address for Sc0 (use 172.16.224.6 and .7) and default gateway that points to 172.16.224.3 so that the INSIDE switches can get to the management segment.
SNMP
SNMP is an application-layer protocol that provides a message format for communication between SNMP managers and agents. In the Corporate Internet Module the Catalyst Switch is an SNMP agent that contains MIB variables whose values the SNMP manager can request or change. A manager can get a value from an agent or store a value into that agent. The agent gathers data from the MIB, the repository for information about device parameters and network data. The agent can also respond to a manager's requests to get or set data.
SNMP community strings---SNMP community strings authenticate access to MIB objects and function as embedded passwords:
set snmp community read-only public
Read-only---Gives read access to all objects in the MIB except the community strings, but does not allow write access
set snmp community read-write private
Read-write---Gives read and write access to all objects in the MIB, but does not allow access to the community strings. This string should be disabled.
set snmp community read-write-all secret
Read-write-all---Gives read and write access to all objects in the MIB, including the community strings. This string should be disabled.
For the purpose of securing the Corporate Internet Module SNMP the default community must to be changed to mixed case alpha and numeric and special characters with a minimum eight character string.
Example:
set snmp community read-only Txo~QbW3XM
set snmp community read-only Txo~QbW3XM
set ip permit enable snmp
!
Access-lists
Access-lists should be used with telnet access and SNMP access providing access only by specific hosts. Below are the switch configurations for telnet access-lists and SNMP access-lists.
IP permit prevents inbound Telnet and SNMP access to the switch from unauthorized source IP addresses. All other TCP/IP services (such as IP traceroute and IP ping) continue to work normally when you enable the IP permit list. Outbound Telnet, TFTP, and other IP-based services are unaffected by the IP permit list.
Telnet attempts from unauthorized source IP addresses are denied a connection. SNMP requests from unauthorized IP addresses receive no response; the request times out. Multiple access attempts from the same unauthorized host only trigger notifications every ten minutes.
You can configure up to 100 entries in the permit list. Each entry consists of an IP address and subnet mask pair in dotted decimal format and information on whether the IP address is part of the SNMP permit list, Telnet permit list, or both lists.
Example:
set ip permit enable
enable access lists
set ip permit 192.168.253.10 telnet
set range of hosts allowed to telnet to the switch.
set ip permit 192.168.253.10 snmp
sets one snmp host to communicate with the switch.
set ip permit enable telnet
set ip permit 192.168.253.10 255.255.255.255 telnet
set ip permit enable snmp
set ip permit 192.168.253.10 255.255.255.255 snmp
Private VLANs
A private VLAN is a set of ports that you configure to have the features of normal VLANs and also provide some Layer 2 isolation from other ports on the Catalyst switches running the appropriate CATOS. Ports belonging to a private VLAN are associated with a common set of supporting VLANs used to create the private VLAN structure. Private VLANs and normal VLANs can be configured from the same Catalyst 6000 family switch running 6.1x or higher. Before implementing private VLANs careful consideration must be given to planning.
There are three types of private VLAN ports: promiscuous, isolated, and community.
Privacy is granted at the Layer 2 level by blocking outgoing traffic to all isolated ports. All isolated ports are assigned to an isolated VLAN where this hardware function occurs. Traffic received from an isolated port is forwarded to all promiscuous ports only.
A private VLAN comprises pairs of VLANs that share a primary VLAN. Within a private VLAN, there are three distinct classifications of VLANs: a single primary VLAN, a single isolated VLAN, and a series of community VLANs. You must define each supporting VLAN within a private VLAN structure before you can configure the private VLAN.
The primary VLAN conveys incoming traffic from the promiscuous port to all other promiscuous, isolated, and community ports.
The isolated VLAN is used by isolated ports to communicate to the promiscuous ports. The traffic from an isolated port is blocked on all adjacent ports and can only be received by promiscuous ports.
The community VLAN is used by a group of community ports to communicate among themselves and transmit traffic to outside the group via the designated promiscuous port.
To create a private VLAN, you assign two or more normal VLANs in the normal VLAN range: one VLAN is designated as a primary VLAN, a second VLAN is designated as an isolated VLAN, and potentially, additional VLANs are designated as community VLANs. After designating the VLANs, you must bind them together and associate them to the promiscuous port.
Private VLANs can be extended across multiple Ethernet switches by trunking the primary, isolated, and any community VLANs to other switches that support private VLANs.
set vlan vlan_num pvlan-type primary
Create the primary VLAN.
set vlan vlan_num pvlan-type {isolated | community}
Set the isolated or community VLAN(s).
set pvlan primary_vlan_num {isolated_vlan_num | community_vlan_num}
Bind the isolated or community VLAN(s) to the primary VLAN.
set pvlan primary_vlan_num {isolated_vlan_num | community_vlan_num} mod/ports
Associate the isolated or community port(s) to the private VLAN.
set pvlan mapping primary_vlan_num {isolated_vlan_num | community_vlan_num} mod/ports
Map the isolated/community VLAN to the primary VLAN on the promiscuous port.
More information on the configuration of PVLANs can be found at the following URL:
http://www.cisco.com/warp/public/473/90.shtml
NTP
NTP synchronizes timekeeping among a set of distributed time servers and clients. This synchronization allows events to be correlated when system logs are created and other time-specific events occur.
set ntp server 192.168.254.57 key 1
Specify the IP address of the NTP server and the public key.
set ntp client enable
Enable NTP client mode.
set ntp key 1 trusted md5 -UN&/6[oh6
Define an authentication key pair for NTP and specify whether the key is trusted or untrusted.
set ntp authentication enable
Enable NTP authentication.
!
set timezone PST -8
set summertime PST
set summertime recurring
set ntp authentication enable
set ntp key 1 trusted md5 -UN&/6[oh6
set ntp server 192.168.254.57 key 1
set ntp client enable
Ports
Ports that are not in use in the Corporate Internet Module should be turned off for security purposes. Ports that have end stations connected should have port security turned on.
set port disable mod_num/port_num command to disable a port.
Disable ports that are not in use on the switch.
set port security <mod_num/port_num> <enable|disable> [mac_addr] Assign port security to devices such as workstations and servers of the Corporate Internet Module. A secure port can have from 1 to 132 associated secure addresses. Setting one address in the MAC address table for the port ensures the attached device has the full bandwidth of the port. When you assign secure addresses to a secure port, the switch does not forward any packets with source addresses outside the address defined. If you define the address table of a secure port to contain only one address, the workstation or server attached to that port is guaranteed the full bandwidth of the port. Trunking will be disabled due to ports being in security mode.
set port speed mod/port {10 | 100 | auto}
Port speeds should be hardcoded to 10 or 100 megabit according to the attached device settings.
set port duplex mod/port {full | half | auto}
Port duplex settings should be set to full or half according to the attached device requirements.
Logging
The system message logging software can save messages in a log file or direct the messages to other devices. By default, the switch logs normal but significant system messages to its internal buffer and sends these messages to the system console. You can specify which system messages should be saved based on the type of facility and the severity level. Messages are time-stamped to enhance real-time debugging and management.
set logging server enable
Enable logging to a server
set logging server 192.168.253.51
set logging server 192.168.253.56
Specifies address of logging server
set logging timestamp enable
Enable timestamps
set logging buffer 500
Enable logging buffer size
!turn on logging
!
set logging server 192.168.253.56
set logging server 192.168.253.51
set logging timestamp enable
SPAN (Switch Port Analyzer)
The Switch Port Analyzer allows monitoring of traffic on a given port by forwarding incoming and outgoing traffic on the port to another port in the same VLAN. A SPAN port cannot monitor ports in a different VLAN, and a SPAN port must be a static-access port. Any number of ports can be defined as SPAN ports, and any combination of ports can be monitored.
SPAN is disabled by default and should be enabled on the ports designated for eIDS. Corporate Internet Module.
set span {src_mod/src_ports | src_vlan | sc0} dest_mod/dest_port [rx | tx | both] [inpkts {enable | disable}] [learning {enable | disable}] [multicast {enable | disable}] [create]
Configure a SPAN source and a SPAN destination port.
set span 2/23 2/24
This command will span port 2/23 onto port 2/24. In the Corporate Internet Module this should be done for each of the switches connected to an IDS.
Catalyst 6000 Intrusion Detection System Module
The Catalyst 6509’s depicted in the PSS (public service switch) Network are deployed with the Intrusion Detection System Module. The Corporate Internet Module Deployment Guide for Cisco Secure Intrusion Detection describes the configuration for the Catalyst IDS blades and IDS appliances. Additional product information can be found at the following URL.
http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/prodlit/6kids_ds.htm
Appendix A: Reference Documentation
Cisco SAFE Blueprint
http://www.cisco.com/warp/public/779/largeent/issues/security/safe.html
Catalyst 6000 Family Software Documentation Rel. 6.1 Documentation
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sft_6_1/index.htm