Configuring Switch Security

Understand the basics

In its most basic form, the Port Security feature remembers the Ethernet MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security will disable the port. Most of the time, network administrators configure the switch to send an SNMP trap to their network monitoring solution indicating that the port has been disabled for security reasons.

Of course, implementing any security solution always involves a trade-off—most often, you trade increased security for less convenience. When using port security, you can prevent devices from accessing the network, which increases security.

However, as you know, there's usually a downside. In this case, it's that the network administrator is the only one who can "unlock" the port, which can cause problems when there are legitimate reasons to change out devices.

Configure port security

Configuring the Port Security feature is relatively easy. In its simplest form, port security requires going to an already enabled switch port and entering the switchport port-security interface configuration command. Here's an example:

Switch# config t
Switch(config)# int fa0/18
Switch(config-if)# switchport port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode

Switch(config-if)# switchport port-security
Switch(config-if)# ^Z

By entering the most basic command to configure port security, we accepted the default settings of only allowing one MAC address, determining that MAC address from the first device that communicates on this switch port, and shutting down that switch port if another MAC address attempts to communicate via the port. But you don't have to accept the defaults.

Know your options

As you can see in the example, there are a number of other port security commands that you can configure. Here are some of your options:

  • switchport port-security maximum {max # of MAC addresses allowed}: You can use this option to allow more than the default number of MAC addresses, which is one. For example, if you had a 12-port hub connected to this switch port, you would want to allow 12 MAC addresses—one for each device. The maximum number of secure MAC addresses per port is 132.
  • switchport port-security violation {shutdown | restrict | protect}: This command tells the switch what to do when the number of MAC addresses on the port has exceeded the maximum. The default is to shut down the port. However, you can also choose to alert the network administrator (i.e., restrict) or only allow traffic from the secure MAC addresses and drop packets from other MAC addresses (i.e., protect).
  • switchport port-security mac-address {MAC address}: You can use this option to manually define the MAC address allowed for this port rather than letting the port dynamically determine the MAC address.

Of course, you can also configure port security on a range of ports. Here's an example:

Switch# config t
Switch(config)# int range fastEthernet 0/1 - 24
Switch(config-if-range)# switchport port-security

However, you need to be very careful with this option if you enter this command on an uplink port that goes to more than one device. As soon as the second device sends a packet, the entire port will shut down.

View the status of port security

Once you've configured port security and the Ethernet device on that port has sent traffic, the switch will record the MAC address and secure the port using that address. To find out the status of port security on the switch, you can use the show port-security address and show port-security interface commands. Below are examples for each command's output:

Switch# show port-security address
               Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type           Ports    Remaining Age
                                                     (mins)
----    -----------       ----           -----    -------------
   1    0004.00d5.285d    SecureDynamic  Fa0/18   -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024

Switch# show port-security interface fa0/18
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address : 0004.00d5.285d
Security Violation Count : 0

Switch#
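As an added example (not part of the TechRepublic article), the following Python parses show port-security interface output in the format shown above and flags ports that need an administrator's attention. The fa0/18 output is the one on the page; the fa0/7 output and its Port Status of Secure-shutdown are constructed for the sample.

```python
import re

# Constructed sample in the format of the show output above: fa0/18 as on the
# page, plus a hypothetical fa0/7 whose Port Status "Secure-shutdown" is assumed.
SAMPLE_OUTPUT = """
Switch# show port-security interface fa0/18
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Maximum MAC Addresses : 1
Last Source Address : 0004.00d5.285d
Security Violation Count : 0

Switch# show port-security interface fa0/7
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Maximum MAC Addresses : 1
Last Source Address : 0004.00d5.9a01
Security Violation Count : 3
"""

def parse_port_security(text):
    """Return {interface: {field: value}} from one or more show outputs."""
    ports, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\S+#\s*show port-security interface (\S+)", line)
        if m:
            current = ports.setdefault(m.group(1), {})
        elif current is not None and " : " in line:
            key, _, value = line.partition(" : ")
            current[key.strip()] = value.strip()
    return ports

def audit(ports, max_allowed=1):
    """Return [(interface, finding)] for ports that need an admin's attention."""
    findings = []
    for name, f in ports.items():
        if f.get("Port Security") != "Enabled":
            findings.append((name, "port security not enabled"))
            continue
        if f.get("Port Status") == "Secure-shutdown":
            findings.append((name, "shut down by a violation; last source " + f.get("Last Source Address", "?")))
        if int(f.get("Security Violation Count", "0")) > 0:
            findings.append((name, "violations recorded: " + f["Security Violation Count"]))
        if int(f.get("Maximum MAC Addresses", "0")) > max_allowed:
            findings.append((name, "maximum addresses above policy"))
    return findings
```

Running audit(parse_port_security(SAMPLE_OUTPUT)) reports nothing for fa0/18 and two findings for fa0/7, which is the signal a monitoring job would forward alongside the SNMP trap.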

Article courtesy of Techrepublic.com

The Basics of the Cisco PIX Firewall

The Six Basic Commands

The six basic commands to configure a Cisco PIX firewall are well known: nameif, interface, ip address, global, nat, and route. The nameif, interface, and ip address commands are the necessary minimum to get the PIX to communicate with other devices.

nameif

The nameif command has two big jobs to perform. It names the interface and assigns a security level. The syntax of the command follows:

nameif hardware_id if_name security_level

The hardware_id is the type of hardware that is being used for the interface. Examples are Gigabit Ethernet, Ethernet, Token Ring, and FDDI. It is important to note that both Token Ring and FDDI have reached end-of-sale status at Cisco. The last date that the Token Ring interface was available for sale was August 25, 2001. The last date that the FDDI interface was available for sale was June 23, 2001.

The if_name is the name of the interface. The name can be up to 48 characters in length and can be uppercase or lowercase. Default names appear in the configuration of the PIX. By default, the E0 interface is named the outside interface and is considered the least secure interface. The E1 interface is named inside, by default, and is considered the most secure. If the PIX has more than two interfaces, the default names of the additional interfaces are intf2 for E2, intf3 for E3, and so on.

The third variable parameter is security_level. The security level is used to define how to configure the PIX to permit traffic to be passed. The inside interface has a default security level of 100. The outside interface has a default security level of 0. 100 is the maximum permitted, and 0 is the minimum. An interface with a higher security level number assigned is considered more secure. If the PIX has more than two interfaces, the default security level of the additional interfaces is 10 for E2 and 15 for E3; each additional interface security level increments by 5.

An interface with a higher security level (assigned to the interface) is considered to be more trusted than an interface with a lower security level. This is an important distinction to understand when configuring data flow. By default, with no configuration parameters input, no data can pass through the PIX. When utilizing the six basic commands that are discussed here, you may configure the PIX to pass data from a more trusted side of the PIX to a less trusted side of the PIX.

An example of a three-interface configuration using nameif might look like this:

pixfirewall# write terminal
Building configuration…
: Saved
:
PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
.
.
.

interface

The interface command is used to identify the network interface type, the hardware speed, and the duplex setting (if applicable); it also enables the interface. Network interface types are Ethernet, Gigabit Ethernet, Token Ring, and FDDI. The interface command can be used to shut down an interface, just as an administrator can do on a Cisco router. An interface that is shut down is one that is disabled and is passing no data due to the configuration. The interface command syntax is shown here:

interface hardware_id [hardware_speed] [shutdown]

If an interface is shut down, configuring that interface again and leaving off the shutdown keyword will enable the interface. This is an example of configuring the interface command on a three-interface PIX using the auto option (which sets the Ethernet speed automatically) for hardware_speed:

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto

ip address

Assigning an IP address to an interface is accomplished with the ip address command. Each interface that is to be used to pass data must be configured with an IP address. When configuring the ip address command, the IP address is bound to the interface name that was created with the nameif command:

ip address if_name ip_address [netmask]

When the nameif, interface, and ip address commands are configured, it is possible to learn the status of the interfaces. Issuing the show interface command will let you know whether the interface is up or down. If the interface is up, you may also test connectivity to the PIX. You may issue a ping command to find out whether the PIX is communicating with a neighbor device on the same network.

route

When passing data to a destination network that is not directly connected to the PIX, the destination network must be specified. The destination network is specified using the route command. The PIX is not a router, although it sometimes behaves in a router-like fashion. The PIX cannot make the same kinds of dynamic routing decisions that a router makes; it must be configured statically.

route if_name ip_address netmask gateway_ip [metric]

Here, if_name is the name of the interface that the data will pass through when exiting the PIX. The gateway_ip is the IP address of the device (usually a router) that is the next-hop device to the destination network.

It is common to use a default route to the untrusted side of the PIX (the outside interface). The following is an example of how the route commands might be configured if the outside interface were connected to the Internet and the inside interface were connected to your company intranet, which consists of three subnets. The inside interface is directly connected to the 10.2.0.0 255.255.0.0 subnet. The 10.3.0.0 and 10.4.0.0 subnets are reached via a router with a local interface of 10.2.1.4.

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route inside 10.3.0.0 255.255.0.0 10.2.1.4 1
route inside 10.4.0.0 255.255.0.0 10.2.1.4 1

With the default route, any traffic that is permitted to pass through the PIX that has a destination network other than 10.2.0.0, 10.3.0.0, and 10.4.0.0 will be passed through the outside interface to 192.168.1.1 for routing.

global and nat

Now it's time to configure the PIX to allow data to pass through. One of the jobs that the PIX performs very well is address translation. The IP address that enters the PIX through a more trusted interface (this is referred to as a local address) is translated to a different IP address when it exits the PIX through a less trusted interface (this is referred to as the global address).

To pass this data, it is necessary to input some configuration parameters. One way to configure the PIX to permit this data is to use the global and nat statements.

The nat command enables network address translation. nat also defines the local IP addresses that are to be translated to the global IP addresses defined in the global statement. The syntax for the nat and global commands follows:

nat (if_name) nat_id local_ip [netmask]

Data enters the PIX via the interface defined with the if_name variable. The nat_id is an arbitrary, administrator-assigned number between zero and two billion (0 is reserved for a specific purpose, but that is a discussion for another article). The nat_id number used here must match the one used with the corresponding global command. The nat_id number is what binds the nat and global statements together. The local_ip is the more trusted local network that is to be translated to the address or addresses defined in the global command.

global (if_name) nat_id global_ip [-global_ip] [netmask global_mask]

Data exits the PIX via the interface defined with the if_name variable of the global command. The nat_id number used here must match the one used with the corresponding nat command. The global_ip defines the global IP address or global network number.

An example of a two-interface PIX configuration using each of the six basic commands follows:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 auto
interface ethernet1 auto
ip address outside 192.168.1.2 255.255.255.0
ip address inside 10.2.1.1 255.255.0.0
global (outside) 1 192.168.1.20-192.168.1.254
nat (inside) 1 10.0.0.0 255.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route inside 10.3.0.0 255.255.0.0 10.2.1.4 1
route inside 10.4.0.0 255.255.0.0 10.2.1.4 1
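As an added example (not from the Cisco Press article), this Python models the configuration above: it reads the security levels from nameif, checks that every nat_id has a matching global statement, and resolves the exit interface and next hop for a destination address from the route statements plus the directly connected networks. The dmz interface and the nat (dmz) 2 line are constructed additions that exercise the checks; everything else is the page's own configuration.

```python
import ipaddress

# Constructed sample: the page's two-interface example plus a hypothetical dmz
# interface and an unbound "nat (dmz) 2" line, added to exercise the checks.
SAMPLE_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 192.168.1.2 255.255.255.0
ip address inside 10.2.1.1 255.255.0.0
global (outside) 1 192.168.1.20-192.168.1.254
nat (inside) 1 10.0.0.0 255.0.0.0
nat (dmz) 2 172.16.0.0 255.255.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route inside 10.3.0.0 255.255.0.0 10.2.1.4 1
route inside 10.4.0.0 255.255.0.0 10.2.1.4 1
"""

def parse_pix(text):
    # levels: if_name -> security level; routes: (network, if_name, gateway)
    cfg = {"levels": {}, "nat": set(), "global": set(), "routes": []}
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "nameif":  # accepts both "security50" and "security 50"
            cfg["levels"][p[2]] = int("".join(p[3:]).replace("security", ""))
        elif p[0] in ("nat", "global"):  # nat_id is the token after (if_name)
            cfg[p[0]].add(int(p[2]))
        elif p[:2] == ["ip", "address"]:  # directly connected network, no gateway
            net = ipaddress.ip_network(f"{p[3]}/{p[4]}", strict=False)
            cfg["routes"].append((net, p[2], "connected"))
        elif p[0] == "route":
            net = ipaddress.ip_network(f"{p[2]}/{p[3]}", strict=False)
            cfg["routes"].append((net, p[1], p[4]))
    return cfg

def default_flow_allowed(cfg, src_if, dst_if):
    """With only the six basic commands, data passes from a higher level to a lower one."""
    return cfg["levels"][src_if] > cfg["levels"][dst_if]

def unbound_nat_ids(cfg):
    """nat_ids with no matching global statement: those local addresses never translate."""
    return sorted(cfg["nat"] - cfg["global"])

def next_hop(cfg, dst):
    """Longest-prefix match; the 0.0.0.0/0 default route wins only when nothing longer matches."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in cfg["routes"] if addr in r[0]), key=lambda r: r[0].prefixlen, default=None)
    return None if best is None else (best[1], best[2])
```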
Article is provided courtesy of Cisco Press. Date: Feb 15, 2002.
Firewall Services Module

The FWSM is a firewall module that Cisco integrates into its Catalyst 6500 Series Switches and 7600 Series Routers. Installed inside a Cisco Catalyst 6500 Series Switch or Cisco 7600 Internet Router, the FWSM allows any port on the device to operate as a firewall port and integrates firewall security inside the network infrastructure. The FWSM is based on Cisco PIX technology and uses the same time-tested Cisco PIX Operating System, a secure, real-time operating system. The Cisco FWSM enables organizations to manage multiple firewalls from the same management platform.

Features:

  • Resource manager: limits the resources allocated to any security context at any time, ensuring that one security context does not interfere with another.
  • Transparent firewall: configures the FWSM to act as a Layer 2 bridging firewall, resulting in minimal changes to the network topology.