
Monday, 17 April 2023

Cisco Router password security basics

In the screenshot below we have created two simple passwords for two different modes. The one highlighted in yellow is the password for user mode, whereas the password in green is for privileged mode. Following on from creating the passwords, good practice is to encrypt them.


Now when we run the show running-config command we don't see the passwords in plain text but in an encrypted format.
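As an added example (not the post's own screenshots), here is the IOS configuration behind the two passwords described above and the encryption step; the password values and the output lines are constructed for illustration:

```cisco
! Added example, not copied from the post. Password values are constructed.
Router> enable
Router# configure terminal
! User-mode password on the console line (the yellow highlight in the post)
Router(config)# line console 0
Router(config-line)# password Cons0lePass
Router(config-line)# login
Router(config-line)# exit
! Privileged-mode password (the green highlight). "enable secret" stores a
! one-way hash, so prefer it over the older "enable password" command.
Router(config)# enable secret Priv1legedPass
! Obfuscate every remaining plain-text password in the running config
Router(config)# service password-encryption
Router(config)# end
Router# show running-config | include password|secret
! Expected shape of the output (constructed, not from a real device):
! service password-encryption
! enable secret 5 $1$<hash>     <- one-way hash
! password 7 <type-7 string>    <- reversible obfuscation, not real encryption
```

Type 7 strings produced by service password-encryption only hide the password from someone glancing at the screen; a configuration file containing them should still be treated as sensitive.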



Here are a couple of video walkthroughs configuring what was described above.

Video1

Video2

Saturday, 1 April 2023

VLAN Hopping

In today's world, where network security is crucial, VLAN hopping is one of the most common and dangerous threats to network infrastructure. VLAN hopping is a network security vulnerability that occurs when an attacker gains unauthorized access to a network by exploiting VLAN tagging protocols.

VLANs or Virtual Local Area Networks are a type of network that allows the creation of multiple logical networks within a single physical network. Each VLAN is identified by a unique VLAN ID, which is used to tag and separate traffic from different VLANs. VLAN tagging is done at the data link layer of the OSI model and is used to allow network administrators to create separate broadcast domains within a single physical network.

VLAN hopping occurs when an attacker gains unauthorized access to a VLAN by exploiting the vulnerabilities in the VLAN tagging protocol. There are several ways that an attacker can carry out a VLAN hopping attack, including Double Tagging, Switch Spoofing, and VLAN Injection.

Double Tagging:

In this type of VLAN hopping attack, the attacker sends a frame with two VLAN tags to the switch. The first tag is the attacker's VLAN ID, and the second tag is the target VLAN ID. The switch reads the first tag and places the frame in the attacker's VLAN. However, the switch also reads the second tag and forwards the frame to the target VLAN, giving the attacker access to the target VLAN.

Switch Spoofing:

In a switch spoofing attack, the attacker sends a frame with a spoofed MAC address of the switch to the target VLAN. The target VLAN receives the frame and forwards it to the switch, which reads the MAC address and places the frame in the appropriate VLAN. However, the switch does not realize that the frame has been spoofed, and it sends the frame to the attacker's VLAN as well, giving the attacker access to the target VLAN.

VLAN Injection:

In a VLAN injection attack, the attacker sends a frame to the switch with a VLAN tag that does not exist on the network. The switch reads the VLAN tag and creates a new VLAN for the frame. The attacker can then use this VLAN to gain unauthorized access to the network.

To prevent VLAN hopping attacks, network administrators should implement VLAN security best practices. These best practices include:

1. Implementing Port Security: Port security can be used to restrict the number of MAC addresses that can be learned on a port. This prevents attackers from spoofing MAC addresses and gaining access to other VLANs.

2. VLAN Access Control Lists (ACLs): VLAN ACLs can be used to restrict traffic between VLANs, preventing attackers from moving between VLANs.

3. VLAN Trunking Protocol (VTP) Security: VTP is a protocol used to manage VLANs on a network. Implementing VTP security prevents unauthorized changes to VLAN configurations.

4. Regular Security Audits: Regular security audits can help network administrators identify vulnerabilities and implement security measures to prevent VLAN hopping attacks.
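As an added example (not from the post), the Catalyst IOS commands that implement the four practices above, plus trunk hardening against the double-tagging case described earlier; interface names, VLAN numbers and subnets are assumed:

```cisco
! Added example, not from the post. Interfaces, VLANs and subnets are assumed.

! Practice 3: VTP security - transparent mode ignores VTP advertisements; set a password too
Switch(config)# vtp mode transparent
Switch(config)# vtp password <vtp-password>

! Practice 1: port security on a user-facing access port - one learned MAC, shut on violation
! "switchport nonegotiate" stops the port ever negotiating itself into a trunk (switch spoofing)
Switch(config)# interface GigabitEthernet1/0/5
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport nonegotiate
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# exit

! Double tagging abuses the trunk's native VLAN: use an unused VLAN for it and tag it on the wire
Switch(config)# vlan 999
Switch(config-vlan)# name UNUSED-NATIVE
Switch(config-vlan)# exit
Switch(config)# interface GigabitEthernet1/0/24
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk native vlan 999
Switch(config-if)# switchport trunk allowed vlan 10,20
Switch(config-if)# switchport nonegotiate
Switch(config-if)# exit
Switch(config)# vlan dot1q tag native

! Practice 2: VLAN ACL - drop packets from VLAN 10 hosts aimed at the VLAN 20 server subnet
Switch(config)# ip access-list extended TO-SERVERS
Switch(config-ext-nacl)# permit ip 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map BLOCK-SERVERS 10
Switch(config-access-map)# match ip address TO-SERVERS
Switch(config-access-map)# action drop
Switch(config-access-map)# exit
Switch(config)# vlan access-map BLOCK-SERVERS 20
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan filter BLOCK-SERVERS vlan-list 10

! Practice 4: the commands a regular audit should check
Switch# show interfaces trunk
Switch# show port-security
Switch# show vtp status
```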

In conclusion, VLAN hopping is a serious threat to network security that can be exploited by attackers to gain unauthorized access to a network. By implementing VLAN security best practices, network administrators can prevent VLAN hopping attacks and keep their networks secure.


Tuesday, 21 March 2023

AAA - Authentication, Authorisation, Accounting

802.1X authentication

802.1X authentication involves ensuring that something is what it says it is.

Features

Supplicant - (client/end user) - Devices that are trying to connect to an 802.1X network need to have software installed on them, and this is known as a supplicant. The supplicant initiates the connection by activating EAP (Extensible Authentication Protocol) between the device and the switch.

Authenticator - A device on a network that connects a client to the network. It blocks and allows traffic. A switch is an example of an authenticator.

Authentication Server - Deals with requests for access to the network. The server tells the authenticator to allow or deny the traffic. Authentication servers usually use the RADIUS protocol.


AAA

AAA is a requirement of network security. It is a process covering network access and monitoring from start to finish.

Authentication: uses a challenge and response methodology for granting access. This identifies users by username and password.

Authorisation: after initial authentication, authorisation uses the RADIUS protocol to allow access to resources based on permission levels.

Accounting: after access, users can be monitored for billing, reporting and auditing. You can observe what users do after they have been authenticated and authorised, for example when they log in and when they log out.


The next steps are to look at a practical scenario using the AAA methodology.

Topology addressing:

Server: 192.168.2.2

G/0/0/1: 192.168.2.1

G/0/0/0: 192.168.1.1

PC0: 192.168.1.2 (Default Gateway 192.168.1.1)




Configure IP addressing on the router:



Assign a valid IP address to your Radius Server:


Turn on AAA on the Services tab, add the router details for the network the server is on, and specify a passkey; here I have used "hello".



Configure AAA on the router, specifying the server address and the passkey you used. (Note that the passkey I used is not very secure, so something longer with mixed characters and numbers would be better.)


Enable remote login:


Assign an IP address for your PC:


Test the telnet connection:



Note here: to use the more secure SSH connection you would need to add the SSH configuration to the router, and it is also good practice to enable passwords on your router, which was discussed in previous posts.
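As an added example (not the post's screenshots), the router side of the lab above in one place: the server address 192.168.2.2 and the key "hello" are the post's values; the /24 masks, the interface names (the post's G/0/0/0 and G/0/0/1) and the fallback username are assumed:

```cisco
! Added example, not from the post. Masks, interface names and the local username are assumed.
Router(config)# interface GigabitEthernet0/0/0
Router(config-if)# ip address 192.168.1.1 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# interface GigabitEthernet0/0/1
Router(config-if)# ip address 192.168.2.1 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# exit

! Turn on AAA and point it at the RADIUS server. The key must match the one entered on the
! server's Services tab, where the router is registered as client 192.168.2.1.
Router(config)# aaa new-model
Router(config)# radius-server host 192.168.2.2 key hello

! Use RADIUS for logins, falling back to the local database if the server is unreachable,
! so a RADIUS outage cannot lock administrators out of the router.
Router(config)# username fallback-admin secret <local-password>
Router(config)# aaa authentication login default group radius local
Router(config)# enable secret <privileged-password>

! Remote login on the vty lines. The post tests with Telnet; once the SSH configuration
! from the earlier post is in place, change this to "transport input ssh".
Router(config)# line vty 0 4
Router(config-line)# login authentication default
Router(config-line)# transport input telnet
Router(config-line)# exit
Router(config)# end

! Verification from the router, then from PC0 (192.168.1.2): telnet 192.168.1.1 and
! log in with a user account defined on the RADIUS server.
Router# show aaa servers
Router# debug radius authentication
```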


Saturday, 4 February 2023

The CIA triad: A cornerstone of information security

The CIA Triad: Understanding the Fundamentals of Information Security


In the world of information security, the CIA triad is a critical concept to understand. This model provides a framework for ensuring the confidentiality, integrity, and availability (CIA) of information and is widely used in the field of information security. In this blog post, we will discuss the basics of the CIA triad, why it is important, and how it can be applied in real-world scenarios.

Confidentiality


Confidentiality refers to the protection of sensitive information from unauthorized disclosure. In other words, confidentiality ensures that only authorized individuals can access sensitive information. This is achieved through the use of encryption, access control systems, and other security measures.

Integrity


Integrity refers to the accuracy and consistency of information over time. This means that information must not be altered or corrupted in any way without authorization. This is important because if information is altered or corrupted, it can lead to serious consequences such as miscommunication or misinformation. Integrity can be maintained through the use of checksums, hash functions, and digital signatures.

Availability


Availability refers to the ability of authorized individuals to access information when they need it. This is important because if information is not available, it can lead to significant disruption and loss of productivity. Availability is maintained through the use of backups, redundancy, and disaster recovery systems.


Why the CIA triad is important


The CIA triad is important because it provides a comprehensive framework for securing information. By focusing on confidentiality, integrity, and availability, organizations can ensure that their information is protected from unauthorized access, alteration, and loss. The CIA triad is also important because it helps organizations prioritize their security efforts, as different types of information may require different levels of protection.

How to apply the CIA triad in real-world scenarios:


The CIA triad can be applied in a variety of real-world scenarios, including:

Protecting personal information: This may include financial information, personal health information, and other sensitive data. Organizations must implement measures to ensure the confidentiality and integrity of this information, as well as ensure its availability for authorized individuals.

Securing critical infrastructure: This includes power grids, communication networks, and other systems that are critical to the functioning of society. The CIA triad can be applied to ensure that these systems are secure, reliable, and available at all times.

Protecting intellectual property: This includes confidential business information, trade secrets, and other proprietary information. Organizations must implement measures to ensure the confidentiality and integrity of this information, as well as ensure its availability to authorized individuals.

In conclusion, the CIA triad is a critical concept in the field of information security. By focusing on confidentiality, integrity, and availability, organizations can ensure the protection of their information and minimize the risk of data breaches and other security incidents. By understanding and applying the CIA triad, organizations can build a strong and effective security program that will protect their assets and reputation.

Thursday, 2 February 2023

Block ICMP (Ping) requests in Windows

ICMP (Internet Control Message Protocol) is a protocol that network devices such as routers use to generate error messages. The Internet Control Message Protocol is one of the fundamental systems that make the internet work.

Below are some simple steps within the Windows environment that block ICMP requests.

1. Open Windows Defender Firewall from the Start menu and select Advanced settings from the left pane.

2. Select Inbound Rules from the left pane.

3. Select New Rule from the right pane.

4. Select Custom rule.

5. Select Customise.

6. From the drop-down select ICMPv4 (you may also want to create another rule for ICMPv6).

7. Select Any IP address.

8. Select Block the connection.

9. Select all network types.

10. Give the rule a suitable name.

11. The rule should now show in your inbound rules.



Critical thinking


What is the threat of ICMP and ping requests? Do all users need access? Why is it an inbound rule and not an outbound?

Wednesday, 1 February 2023

Prevent users from changing their Windows Passwords with Local Group Policy Editor

Opportunist threats are spontaneous and disruptive. Let's do a simple activity to prevent a user or opportunist from changing their password.

1. Open the Start menu.

2. Type gpedit.msc and select Local Group Policy Editor.

3. Select the following path: User Configuration > Administrative Templates > System.

4. On the right pane double-click: Ctrl + Alt + Del Options.

5. Select Remove Change Password.

6. Select Enabled.



Critical thinking

Have you thought about balancing user experience with security? How can this be explained? Would allowing users to change their password reduce the administrative workload, allowing users to be in control of their own security?


How to disable Command Prompt through Local Group Policy Editor

Firstly, think about why we may want to disable access to cmd. Who needs access? What does cmd do?

1. Open the Start menu.

2. Type gpedit.msc and select Local Group Policy Editor.

3. Select the following path: User Configuration > Administrative Templates > System.

4. On the right pane, double-click the Prevent access to the command prompt policy.

5. Then simply click Enabled. Note the option "Disable the command prompt scripting also": this may need to be left on if batch files are run on logon or logoff as part of wider system administration.


Critical thinking

Have you justified your decision for disabling the command prompt? Some users may need access to it. Can the activity you have just done be separated by user type? If so, provide details.



Monday, 30 January 2023

SSH vs Telnet - Configure both

Knowledge

SSH and Telnet are both protocols for remote access, but there are differences between the two:

Security: SSH provides encrypted communication, while Telnet is insecure and sends data in clear text.

Port numbers: SSH uses port 22, Telnet uses port 23.

Functionality: SSH provides secure terminal emulation and also supports file transfers, while Telnet only provides terminal emulation.

Authentication: SSH uses public key and password-based authentication, Telnet only uses password-based authentication.

In general, SSH is preferred over Telnet for remote access due to its security and additional functionality.

Skill

SSH

Setting the environment


Make a small network environment similar to the below


Configure the interfaces


Below shows the router configuration for interface GigabitEthernet 0/0/0 with an IP address of 172.16.0.1 and the default subnet mask of 255.255.0.0.



Configure the ssh encryption keys


Below are the commands to generate encryption keys. The domain name given is FOC, the router name is changed to FOC1 and the number of bits assigned is 1024 (the greater the number, the higher the level of encryption, but speed is impacted).




Configure the password for ssh login


Here the password is set to friends. The line vty range used here simply means that 16 simultaneous connections can be made.




Testing


On the command prompt of the PC, type ssh -l ..... (then the username and the IP address).

You should now have access via SSH (make sure to give your PC's configuration an IP address that is on the same network, i.e. 172.16.0.2).




Telnet


Similar to the previous example build a small simulation environment like the below.




Secure the Switch


Set the password for exec mode; this will be used after the remote login password.






Configure the VLAN



Configure interface vlan 1 and give it an IP address




Configure remote login with telnet


Configure the number of simultaneous connections and set the remote login password



Testing

Don't forget to give your PC/laptop an IP address within the same subnet. Type telnet followed by the IP address of the switch. Here I will use the remote login password "friend" and, after enable, the switch config password "friends".
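As an added example (not the post's screenshots), the full router SSH setup and the switch Telnet setup described in the two walkthroughs above. Values taken from the post: 172.16.0.1/16, domain FOC, hostname FOC1, a 1024-bit key, and the passwords "friends" and "friend"; the SSH username, the switch's SVI address and the use of enable secret are assumptions:

```cisco
! Added example, not from the post. Username, SVI address and "enable secret" are assumed.

! --- Router: SSH ---
Router(config)# hostname FOC1
FOC1(config)# ip domain-name FOC
FOC1(config)# interface GigabitEthernet0/0/0
FOC1(config-if)# ip address 172.16.0.1 255.255.0.0
FOC1(config-if)# no shutdown
FOC1(config-if)# exit
! Key generation needs the hostname and domain name set first; 1024 bits as in the post
FOC1(config)# crypto key generate rsa general-keys modulus 1024
FOC1(config)# ip ssh version 2
! "ssh -l <username> 172.16.0.1" from the PC authenticates against this local account
FOC1(config)# username admin secret friends
FOC1(config)# line vty 0 15
FOC1(config-line)# login local
FOC1(config-line)# transport input ssh
FOC1(config-line)# exit
FOC1(config)# end
FOC1# show ip ssh

! --- Switch: Telnet ---
Switch(config)# enable secret friends
Switch(config)# interface vlan 1
Switch(config-if)# ip address 172.16.0.10 255.255.0.0
Switch(config-if)# no shutdown
Switch(config-if)# exit
Switch(config)# line vty 0 15
Switch(config-line)# password friend
Switch(config-line)# login
Switch(config-line)# transport input telnet
Switch(config-line)# exit
! From a PC in 172.16.0.0/16: "telnet 172.16.0.10", password friend, then "enable", password friends.
! Everything typed in the Telnet session, both passwords included, crosses the wire in clear text;
! the SSH session above carries the same login encrypted.
```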





Higher thinking

There are two methods of remote access here, one with a higher level of security than the other. Do they both have a use within organisations? Can you think of when and why this may be?

Fast switching vs Process switching

Process Switching: Process switching is the traditional method of packet forwarding used in early routers. When a packet arrives at a router...