
Expert Reference Series of White Papers

Cisco Security
Setup & Configuration:
Part 1 –
a Layered Approach

Isaac A. Valdez, Global Knowledge Instructor, CCSI, CCSP, CCNP, CCDP

Introduction
This paper is the first in a three-part series of white papers, each of which focuses on a functional area of
securing your network. The three papers work together to create a complete picture of how to configure your
network appliances for complete corporate security. The series discusses a starting point for network security,
suggested technology types, ideal points for securing your network using a layered approach, and secure ways
to manage your new or existing network.

This first paper in the series introduces concepts to get started on network security and begin the process of
securing your network at the switch level.

Security Policy: Start at the Beginning


Security is one of the fastest growing branches within the networking industry, and current trends point to a
steady increase in growth over the years to come. This is largely due to the integration of so many critical data
types over a single network and the increased realization by companies as to just how vulnerable their net-
works can be. With security becoming such a focal point of networks, it is increasingly important to understand
how to integrate security into a network.

As with any new project, you must start with some direction. I’m sure you have heard the adage, “If you fail to
plan, then you plan to fail.” This is never more true than when planning network security. Create your security
policy to serve as a starting point and future road map for securing your corporation.

A security policy, originally defined in Request for Comments (RFC) 2196 and now updated in RFC 3704, con-
tains the whys, whats, and hows of securing your corporate environment.

Copyright ©2006 Global Knowledge Training LLC. All rights reserved. Page 2
Why have a security policy?
• To create a baseline of your current security configuration.
• To define allowed and not-allowed behaviors.
• To help determine necessary tools and procedures.
• To help define roles and responsibilities.
• To state the consequences of misuse.
• To define how to handle security incidents (social & technical).
• To provide a process for continuing review.

What should be in a security policy?
• Statement of authority and scope.
• Identification and authentication policy.
• Internet use policy.
• Campus access policy.
• Remote access policy.
• Incident handling procedure.

How would I create a security policy?
• Use the very documents that govern your day-to-day business operation. For example, your physical site
security regulations or corporate acceptable use policy.
• Use standards such as SOX, HIPAA, VISA, International Standards Organization (ISO) 27001, etc.
• Reference web sites for assistance:
  • www.computersecuritynow.com
  • www.sans.org/resources/policies/#primer
  • security.berkeley.edu/pols.html

Keep in mind that your security policy is a document that defines how you will secure your corporation, corpo-
rate resources, and corporate users. As your business grows, or corporate direction changes, this document will
also grow and change.

Security Lifecycle: an Understanding and Review


Take a controlled, metered approach when installing any desktop/network operating system, application, or
appliance. By taking a metered approach, you ensure consistent installation and hardening of each system. The
following recommendations for a secure installation come directly from Cisco Systems.

Step #1: Secure Install


Install each new operating system, application, and appliance in as secure a manner as possible. This may
require you to review the documentation as completely as possible, which I know we all have time to do. Also,
consider staying away from default installations or installation wizards, as they often create the simplest of
configurations, which are not always the most secure.

Step #2: Monitor


Once the new system has been installed, take the time to review the installation logs, operational logs, and
behavior to make sure the system is operating as securely as possible.

Step #3: Test
Perform regularly scheduled tests of your new system. Such tests should be performed by both internal and
external parties. You may choose to perform quarterly or bi-annual internal tests and annual audits by an exter-
nal entity. Of course, no system is perfect, so expect to have areas for improvement discovered as a result of
these tests. These areas of improvement lead us to the final step in the security lifecycle.

Step #4: Improve


From the items found in the testing process of step #3, make improvements in as secure a manner as possible.
Again, look to the product documentation and try to avoid any cookie cutter fixes.

Remember that this process is called a lifecycle. Once you improve upon a system, you should do so in a
secure manner by performing a secure installation (step #1); then monitor all changes made and new behav-
iors that result from your changes (step #2); perform either internal or external tests (step #3) of these
improvements to be sure that they still meet the requirements of your security policy; and, finally, improve
(step #4) any areas as needed.

This lifecycle, as well as security as a whole, is a continuous process that will evolve and grow with your net-
work. As your network changes, so will your security policy and the means by which you install, monitor, test,
and improve each new system.

Device Roles & Definitions


Let’s start with a simple review of six key network security components. We will define each device and make
suggestions on its placement and use.

Router: A junction between two networks to transfer data packets between them.
Sample uses: Perimeter security via Access Control Lists (ACLs), Committed Access Rate (CAR), routing
protocol security and protocol tunneling.
Ex. Cisco 1841, 3845, 7206

Switch: A layer 2, sometimes multilayer, networking device that provides physical connectivity to end
stations and redirects a frame between physical ports on that same switch.
Sample uses: Physical port security to control a device's initial access to the network.
Ex. Cisco Catalyst 3750, 4506, 6513

Firewall: A piece of hardware and/or software that exists to prevent specific communications forbidden by
the security policy.
Sample uses: Stateful inspection, Virtual Private Network (VPN) tunnel termination, advanced protocol
handling, deep packet inspection and Network Address Translation (NATting).
Ex. Cisco PIX 525, ASA 5540

VPN Concentrator: A security device used to connect (terminate) VPN sessions from Remote Access, Web
Clients, and Site-to-Site locations.
Sample uses: High volume termination of Remote Access and Clientless VPN sessions, offering extensive
control over the VPN sessions of the connecting device.
Ex. Cisco 3015, 3030, 3060

Intrusion Detection or Prevention System (IDS/IPS) Sensor: A device that generally detects unwanted
manipulations to communication systems (individual and streams of packets) and is relied on to detect all
types of malicious network traffic.
Sample uses: As a device that inspects traffic/communications on all critical entry and exit points to a
corporate network.
Ex. NM-CIDS, 4240, 4250XL

Host-based Intrusion Prevention System (HIPS): An agent (Cisco Security Agent, CSA) installed on host
stations that provides security against malicious activity between applications on the host and
communications from the host. Used to enforce a company's security policy at the end-station level.
Sample uses: Install on critical end-stations and servers to protect them from access to local or network
resources that do not follow the security policy.
Ex. Cisco Security Agent

Device Use and Placement


Now that we’ve completed a cursory review and defined the more common security devices, we will explore
sample topology types and device placement.

2-Leg Security, Single-Perimeter Device


Figure 1 shows a single-perimeter device controlling access to a corporate network. This security device may
be a router with firewall capabilities or a true firewall. Such a topology is ideal for remote offices or small
branch sites. It offers a low-cost approach to security, but it also significantly limits an administrator's
security options.

Note: Keep in mind that all security services are offered by this single perimeter device. Even though this is a
very affordable approach, it is also very limiting. It is like using a screwdriver for all home repairs: it may work
most of the time, but you'll just tear things up on those finer jobs.

Perimeter Router with Internal Firewall


Figure 2 shows a dual-layered approach to securing your external connection. This approach is ideal for medi-
um-to-large enterprise networks because you can leverage the services of each device to provide a more com-
plete security configuration.

The router, for example, could be used for ACL filtering, protocol tunneling, high-level routing and peer routing
authentication. The firewall can be used for deep packet inspection, NATting and stateful inspection.

For added security, you can add a third interface off of your firewall device to serve as a Demilitarized Zone
(DMZ) for external access to secure services. An example is clients who need to access your corporate web site
for order processing.

Note: This offers a significant increase in security options and flexibility at a negligible increase in price.

Firewall Sandwich
Figure 3 illustrates a very flexible topology that has two routers protecting either side of a firewall device. This
approach is ideal for large-to-enterprise-size corporate networks. The interaction between the perimeter router
and internal router offers protection from both externally and internally originating attacks. The outer routers
off-load functions from the firewall device, which allows each device to process and secure even more traffic.
Again, you can leverage the abilities of each device to offer a complete security configuration.

Note: This topology brings additional costs in hardware and complexity to the administrator, but the security
benefits and options are among the highest available from any configuration.

Dual-Layered
Figure 4 shows a configuration where there are two layers of firewall devices protected by a perimeter router.
This approach offers the highest level of security as well as a high degree of configuration difficulty. Such a
topology would be ideal for environments where different departments (IT and Special Projects) control securi-
ty for different portions of the network. However, you must have a high degree of communication between
these departments for traffic that is to pass through both levels of security devices. For added security, you
could even incorporate different vendors at each layer.

Note: This approach does bring the highest level of cost and complexity, but it offers, in return, the greatest
level of secure flexibility.

VPN Concentrator
Figure 5 illustrates a topology where a VPN Concentrator has been integrated to offer high-level Remote
Access tunnel termination. The figure shows a VPN Concentrator that is NOT in parallel but, instead, terminates
into a firewall device.

Caution: So as not to contradict anyone or any other publication that may have come before this one, I will
simply say that I do not place a VPN Concentrator in parallel with any other device offering security services.
Technically put, a VPN Concentrator does not offer stateful inspection, deep packet inspection or network-
based IDS/IPS functionality. As a result, the VPN Concentrator should not be placed in parallel and used to
bypass any of those services.

This topology has the following benefits: it offers filterable control of the Internet Protocol Security (IPSec) pro-
tected traffic at the perimeter router, stateful firewalling of the post IPSec-protected traffic as the client data
passes through the firewall, and conservation of firewall interfaces by using only a single firewall interface to
offer security services. If you wanted to increase the level of security offered, you could connect both VPN
Concentrator interfaces (public and private) to separate interfaces on the firewall. Again, this approach offers
increased security but will require additional firewall interfaces which, depending on the number of interfaces
and operating system currently in use, may require additional funds in the form of a licensing upgrade.

Note: Again, it is NOT recommended to place a VPN Concentrator in parallel with your network’s firewall
device (router or firewall). Although a concentrator can perform some security services, it does not offer state-
ful inspection, deep packet inspection, or IDS/IPS functionality.

IDS/IPS Sensors
Incorporating an external sensor, as shown in Figure 6, is ideal for medium-to-large corporate environments.
Sensor placement is one of the first and most important questions to answer during network design. It is rec-
ommended that you sense all entry/exit points to your network, as well as subnets containing critical corpo-
rate resources, such as server farms. The number of sensors used is determined by the number of points
sensed, and whether you choose IDS or Intrusion Prevention (IPS).

For IDS/IPS functionality at a small to medium-size remote office, consider using the integrated IDS/IPS services
of your router and firewall operating system or a network module that can be installed in your routers (NM-
CIDS in the 2611XM & above) and firewall (AIP-SSM in the ASA5500 series). The installed modules perform
and are configured just as a true external sensor.

The topology will change considerably, based on the use of IDS versus IPS.

Note: The term “firewall device” was used instead of “firewall” simply to illustrate how a router with the
proper software can be used as a firewall just the same as a dedicated firewall.

Device Hardening:Taking a Layered Approach


When it comes to securing your network, taking a layered approach offers the most comprehensive level of
security. This approach uses the Open Systems Interconnection (OSI) Reference Model as guidance and simply
incorporates security at as many layers of the network as possible. Just as the Physical and Data Link layers
start the OSI Model, so should you protect your network using Physical and Data Link technologies. For that,
there is no better device to offer initial protection to your network than a LAN switch.

Switch
A LAN switch is typically a user’s first point of connectivity to your corporate network. As a result, it should be
the first point of security for your network. Incorporate the following methods of network security, as they are
available on your model of switch:

Disable un-used ports
These would be all ports that are not run to a location within your organization, or are leading to offices and
cubicles that are not currently used. Here is sample syntax for disabling a range of access ports:

AccSw01#conf t
AccSw01(config)#int range fast0/13 - 20
AccSw01(config-if-range)#shutdown

Set the ports type


This means setting each port to be either an access or a trunk port. By default, switch ports dynamically negoti-
ate with their connected peer to become either an access or trunk port. This could lead to access layer attacks
by a rogue switch negotiating a trunk connection with your corporate network, after which all traffic travels
down the newly established trunk to the rogue switch. Here, the user-facing ports are fixed as access ports:

AccSw01(config-if-range)#int range fast0/1 - 20
AccSw01(config-if-range)#switchport mode access

Use physical device authentication


This can ensure only controlled stations will communicate on your corporate network, and can be performed
using IEEE 802.1X. This standard, which was originally defined for the LAN, can also be used on wireless
access points to authenticate wireless clients before they connect to an access point. Here is a sample of how
to configure the switch to be an 802.1X authenticator using RADIUS as the authentication protocol (802.1X
must also be enabled globally with dot1x system-auth-control, or the per-port setting has no effect):

AccSw01(config)#aaa new-model
AccSw01(config)#radius-server host 10.1.1.1
AccSw01(config)#radius-server key RADk3y01
AccSw01(config)#aaa authentication dot1x default group radius
AccSw01(config)#dot1x system-auth-control
AccSw01(config)#int range f0/1 - 20
AccSw01(config-if-range)#dot1x port-control auto

Enable port security


This is a great way to define how many and exactly which devices can connect to your switch ports. This is
ideal to prevent the connection of unauthorized hubs, switches, and access points throughout your network.
Here, we enable port security, define the number of MAC addresses permitted on each port, and set the
action taken when that limit is exceeded:

AccSw01(config)#int range fast0/1 - 20
AccSw01(config-if-range)#switchport port-security
AccSw01(config-if-range)#switchport port-security maximum 1
AccSw01(config-if-range)#switchport port-security violation restrict

Secure Spanning Tree Protocol (STP)


This is an often overlooked point of control in a LAN environment. Keep in mind two key points about STP: STP
operates automatically, converges on its own, and will re-converge each time a new switch is connected; and
the direction for all traffic that flows throughout your layer 2 network is determined by STP. This means that a
compromised STP configuration can be used to create a Denial of Service (DoS) by way of constant conver-
gence and cause slow performance by directing traffic through less-than-optimal points in your network.

In English, an attacker can configure your STP network so a wiring closet switch acts as the root bridge. Now
all traffic for your layer 2 network (VLANs) will pass through this access layer, low-bandwidth edge device.

Figure 7 illustrates a collection of switches commonly seen in an enterprise campus. Each wiring closet access
switch is connected redundantly to each building’s distribution switch. Notice how the distribution switches
are the logical center of this building’s network.

Here, we configure the logical center of our layer 2 network to be the STP root but only for the VLANs config-
ured and operating on this switch:

AccSw01(config)#spanning-tree vlan 1,10,20-25 root ?
  primary    Configure this switch as primary root for this spanning tree
  secondary  Configure switch as secondary root
AccSw01(config)#spanning-tree vlan 1,10,20-25 root primary

Next, we set our access interfaces (int f0/1 – 20) to PortFast and filter BPDUs on them, so that no
STP-configured device (switch) connected there can take part in our spanning tree. These are interfaces that
lead to end stations and should not communicate in your STP network:

AccSw01(config)#int range f0/1 - 20
AccSw01(config-if-range)#spanning-tree portfast
AccSw01(config-if-range)#spanning-tree bpdufilter enable

Continue by ensuring there are no other switches claiming to be the root of the STP network (int f0/21 – 24):

AccSw01(config-if-range)#int range f0/21 - 24
AccSw01(config-if-range)#spanning-tree guard root

Just as we configured our user ports to be access ports, ensuring that only end-stations will connect, we will
configure our infrastructure ports as trunk ports. This is ideally configured on a switch-to-switch connection. By
default, these ports will dynamically negotiate to this state, but this process takes time and may not always
work. To ensure our desired settings are used and agreed upon as quickly as possible, we will set (hard code)
these ports as trunks. The encapsulation is set first, because a switch that also supports ISL rejects a fixed
trunk mode while its encapsulation is still set to negotiate:

AccSw01(config-if-range)#switchport trunk encapsulation dot1q
AccSw01(config-if-range)#switchport mode trunk
AccSw01(config-if-range)#switchport trunk allowed vlan 1,10,20-25

Notice how the last command also defines the VLANs we want to allow across the trunk. This process is
known as manual pruning and is an added security feature available on your trunk links.

Finally, we will configure our VLAN Trunking Protocol (VTP) options. VTP is a management protocol designed to
ensure consistent VLAN creation across multiple switches in the same layer 2 VTP domain. While this protocol
works well, it can also be used to compromise the security of your network either by deleting needed/used
VLANs or by creating VLANs that are not under corporate administrative control. Here, we start by defining a
VTP domain name, setting the source interface for all VTP updates, and creating a unique password for all VTP
updates:

AccSw01(config)#vtp mode server
AccSw01(config)#vtp domain VTPDom01
AccSw01(config)#vtp interface loopback0
AccSw01(config)#vtp password VTPp@55w0rd

Note: Even though the “vtp mode server” command is included, this command is not necessary. All switches
are in VTP server mode by default.
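To verify that an access switch actually carries the settings walked through above, here is an added example (not code from the paper) in Python that parses a running-config and reports, per port, which of the hardening steps is missing: unused ports shut, fixed access or trunk mode, port security, 802.1X, PortFast with a BPDU filter (BPDU guard is accepted too, since it err-disables the port on a received BPDU instead of silently dropping it), root guard and manual pruning on trunks, and a VTP password. The config text and interface names are constructed samples.

```python
"""Audit a Cisco IOS access-switch running-config against the hardening steps
in this paper.  Example code added here, not from the original paper; the
config below is a constructed sample, not output from a real switch.
Required-command keys: exact match, or prefix match when the key ends in a space."""

SAMPLE_CONFIG = """\
dot1x system-auth-control
vtp domain VTPDom01
vtp password VTPp@55w0rd
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 dot1x port-control auto
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface FastEthernet0/3
!
interface FastEthernet0/21
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1,10,20-25
 spanning-tree guard root
!
interface FastEthernet0/22
 switchport mode trunk
!
"""
GLOBAL_REQUIRED = {"dot1x system-auth-control": "802.1X not enabled globally",
                   "vtp password ": "VTP updates are not password-protected"}
ACCESS_REQUIRED = {"switchport port-security": "port security not enabled",
                   "switchport port-security maximum ": "port-security MAC limit not set",
                   "dot1x port-control auto": "802.1X authentication not enforced",
                   "spanning-tree portfast": "PortFast missing on end-station port"}
TRUNK_REQUIRED = {"spanning-tree guard root": "root guard missing on uplink",
                  "switchport trunk allowed vlan ": "trunk carries all VLANs (no pruning)"}

def missing(cmds, required):
    """Findings for each required command absent from cmds (prefix match if key ends in a space)."""
    return [msg for want, msg in required.items()
            if not (any(c.startswith(want) for c in cmds) if want.endswith(" ") else want in cmds)]

def parse_config(config):
    """Split a running-config into global commands and per-interface sub-commands."""
    global_cmds, interfaces, current = set(), {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = set()
        elif line.startswith(" ") and current is not None:
            interfaces[current].add(line.strip())
        else:  # '!' or a global command ends the interface stanza
            current = None
            if line and not line.startswith("!"):
                global_cmds.add(line.strip())
    return global_cmds, interfaces

def audit_interface(cmds):
    """Findings for one interface, following the paper's switch checklist."""
    if "shutdown" in cmds:
        return []  # unused port that has been disabled: nothing more to check
    mode = next((c.split()[2] for c in cmds if c.startswith("switchport mode ")), "dynamic")
    if mode == "dynamic":
        return ["port mode is dynamic: a rogue switch could negotiate a trunk"]
    if mode == "trunk":
        return missing(cmds, TRUNK_REQUIRED)
    findings = missing(cmds, ACCESS_REQUIRED)
    # Either command keeps a connected switch's BPDUs out of our STP topology
    if not ({"spanning-tree bpdufilter enable", "spanning-tree bpduguard enable"} & cmds):
        findings.append("no BPDU filter or guard on end-station port")
    return findings

def audit_config(config):
    """Map each interface name, plus 'global', to its list of findings."""
    global_cmds, interfaces = parse_config(config)
    report = {name: audit_interface(cmds) for name, cmds in interfaces.items()}
    report["global"] = missing(global_cmds, GLOBAL_REQUIRED)
    return report
```

Calling audit_config(SAMPLE_CONFIG) flags FastEthernet0/3 (still dynamic) and FastEthernet0/22 (trunk without root guard or pruning), while the hardened ports and the global VTP/802.1X settings report no findings.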

As you can see, there are several options available for switch security. Each of these allows you to integrate
security as close to the end device as possible.

Summary
As with any project, you must start with a set of objectives in mind. From those objectives, you create a set of
requirements to guide your progress to completion. In network security, your objectives and requirements are
laid out in your Corporate Security Policy. This security policy defines what you need and how you would like to
secure your network. Create your security policy by using the very regulations and requirements that govern
your business communications (e.g., HIPAA, SOX, VISA, FBI, etc.). Be sure to refer to your security policy often to
ensure that current and future systems are installed correctly.

Once you are ready to install any new system, be sure to manage the installation using the 4-step Security
Lifecycle: Secure, Monitor, Test, and Improve. This is a continuous process that, once followed through to com-
pletion, loops back on itself in a constant cycle of protection. Focus on hardening a device during the installa-
tion and configuration of each new service.

When securing your network, it is important to implement security at every layer possible and available on
your networking device. Start your security configuration where the network starts: at the physical layer.
Leverage devices' built-in services. For example, use switch security features to control layers 1 & 2. The exam-
ples covered here center around setting the port types (access versus trunk), configuring your STP configura-
tion and protecting switches from rogue STP updates, and controlling VLAN update information by defining
secure VTP parameters.

In the second installment of this series, you will learn the suggested steps for hardening your routers, firewalls,
and VPN Concentrators.

Learn More
Learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge.
Check out the following Global Knowledge courses:
SND (Securing Cisco® Network Devices)
SNRS (Securing Networks with Cisco® Routers and Switches)
SNPA (Securing Networks with PIX and ASA)
CSVPN (Cisco® Secure Virtual Private Networks)
SNPA/CSVPN Mini Camp

For more information or to register, visit www.globalknowledge.com or call 1-800-COURSES to speak with a
sales representative.

Our courses and enhanced, hands-on labs offer practical skills and tips that you can immediately put to use.
Our expert instructors draw upon their experiences to help you understand key concepts and how to apply
them to your specific work situation. Choose from our more than 700 courses, delivered through Classrooms,
e-Learning, and On-site sessions, to meet your IT and management training needs.

About the Author


Isaac A. Valdez is President and Owner of IV Consulting Services, Inc., a contract consulting and training firm
based in Tampa, Florida.

In addition to a B.S. in Computer Engineering, Isaac has 15 years of experience in hardware design, network
design, network administration, and certification training. Fresh out of college, he was hired as an in-house
hardware technician where he learned the ins and outs of hardware troubleshooting and repair. After a few
years in hardware, Isaac made his move to Network Administration for the big players at the time: Novell,
Microsoft, and Cisco Systems.

His consulting and training experience ranges from Novell NetWare & GroupWise, Microsoft Windows NT,
Windows 2000 and Windows 2003, Cisco Routing, Switching, LAN/WAN, Wireless and Security, plus a list of
Enterprise applications for Messaging, Front and Back Office, Management and Remote Access.

In the Cisco certification track, Isaac teaches a total of 15 courses toward the CCNA, CCDA, CCNP, CCDP, CCIP
and CCSP certifications. These courses include INTRO, ICND, ARCH, DESGN, BSCI, BCMSN, BCRAN, CIT, BGP,
QoS, SND, SNRS, SNPA, CSVPN and CSIDS.

Now that all that boring technical stuff is over, Isaac really prides himself on being a very curious individual.
When he’s done with work (and even instead of work at times), he likes to get away from the keyboard and
books to enjoy the finer things in life. Balance is key! If you have any questions feel free to contact him at
ivaldez@ivconsulting.com.
