David’s Cisco Networking Blog:

December, 2007

Dec 10 2007   3:27PM GMT

What is Cisco TrustSec?



Posted by: David Davis
Cisco, Security

I recently read a NetworkWorld article where I learned about a new Cisco security framework called “TrustSec”. TrustSec is a new Cisco Security Framework (I know, you are saying “another one???”). The new TrustSec framework is an add-on to the Cisco Self-Defending Network.

TrustSec is “intended to determine, through policies, the role of users and devices in the network before granting access to resources.”

Bob Gleichauf, CTO of Cisco’s Security Technology Group, says “We’re getting this threat defense thing down pretty good; now let’s start worrying about where we can go in the network.” And that is exactly what TrustSec does.

What that means is that not only are the devices connecting to the network authorized by NAC, but that “authorization” stays with them as they conduct their business on the network. Once their “business” is done, they must be reauthorized to perform another “transaction” on the network. And, as they use this authorization, every switch and router is aware of who they are and their credentials.

Although I know they aren’t the same, this reminds me of Kerberos security because of the concepts of the “ticket” and the “ticket granting server”, etc.

TrustSec is set to be available for Cisco Catalyst 6500 switches in early 2008 and, over the next 18 months, it is supposed to be available for the entire switch lineup.

What do you think of this concept? Please post your comments here!
-David
Personal Website: HappyRouter.com - home of Cisco how-to articles & videos
David Recommends:
HappyRouter Cisco VMware Workstation & Server Video Training Series
HappyRouter Cisco CCNA & CCNP Video Training Series

Dec 7 2007   5:51AM GMT

FREE VIDEO: How to Configure VLANs in the Cisco IOS



Posted by: David Davis
CCNA, Cisco, Screencasts, Videos

Recently, I created a short video that shows you how to configure and use VLANs on a Cisco IOS Router & Switch. It is a step-by-step 15 minute video. It was originally published over at SearchNetworking.com.

In this video, you will learn how to configure a VLAN in this step-by-step, automated, 15-minute demo. As a CCIE Cisco networking expert, I will walk you through the steps you’ll need to configure your routers and switches, set up and assign the trunk ports, and perform the necessary tests to get traffic moving across your VLAN successfully. You can view the configuration commands I used in the video at the bottom of this page.

This video is published in two places:

ENJOY!

-David


Dec 6 2007   5:00AM GMT

Tracking Configuration Changes with the Cisco IOS - Built in! - using the Archive command



Posted by: David Davis
Networking, Cisco, Security

If you are a semi-paranoid admin like me, perhaps you have used (or have wanted to use) applications like Tripwire and Kiwi CatTools to log all Cisco IOS configuration changes.

However, maybe we don’t need external tools. Have you seen the Configuration Change Notification and Logging feature?

It has been available since IOS 12.3(4)T/12.2(25)S (it really went mainstream in 12.4).

For each configuration command that is executed, the following information will be logged:

• The command that was executed
• The configuration mode in which the command was executed
• The name of the user that executed the command
• The time at which the command was executed
• A configuration change sequence number
• Parser return codes for the command

Here is a sample of how you configure it:

Router(config)# archive
Router(config-archive)# log config (enters config logging mode)
Router(config-archive-log-config)# logging enable (turns on running config change logging)
Router(config-archive-log-config)# logging size 500 (remembers the last 500 commands entered - 100 are default)
Router(config-archive-log-config)# hidekeys (hides passwords from being shown / logged)
Router(config-archive-log-config)# notify syslog (optional - exports changes to syslog server)

Here is an example of what the logging looks like in action:
CH_NAME_RTR# show archive log config all
idx sess user@line Logged command
1 1 david@vty0 | logging enable
2 1 david@vty0 | logging size 200
3 2 david@vty0 |hostname CH_NAME_RTR
4 2 david@vty0 |enable secret ***** (this is hidden because of hidekeys command)
5 2 david@vty0 |interface FastEthernet0/0
6 2 david@vty0 | bandwidth 100000
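As an added example (my own code, not part of the original post), here is a small Python parser that reads the `show archive log config all` table in the layout shown above and flags commands a reviewer would want to look at. The sample text, the extra `guest@vty1` row and the watch list of command prefixes are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of `show archive log config all`; row 7 is invented.
SAMPLE = """\
idx sess user@line Logged command
1 1 david@vty0 | logging enable
2 1 david@vty0 | logging size 200
3 2 david@vty0 |hostname CH_NAME_RTR
4 2 david@vty0 |enable secret *****
5 2 david@vty0 |interface FastEthernet0/0
6 2 david@vty0 | bandwidth 100000
7 3 guest@vty1 |no archive
"""
# Columns: idx, session, user@line, then the command after the '|' separator.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)@(\S+)\s*\|(.*)$")
# Assumed watch list of command prefixes a defender wants reviewed (not Cisco's list).
WATCH = ("enable secret", "enable password", "username", "no archive", "no logging",
         "no aaa", "line vty", "transport input", "snmp-server community")

@dataclass
class Entry:
    idx: int
    session: int
    user: str
    line: str
    command: str
    submode: bool  # a leading space in the command column marks a sub-mode command

def parse_archive_log(text):
    """Turn the table into Entry objects, skipping the header and blank lines."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        cmd = m.group(5)
        entries.append(Entry(int(m.group(1)), int(m.group(2)), m.group(3),
                             m.group(4), cmd.strip(), cmd.startswith(" ")))
    return entries

def review(entries):
    """Return (idx, user, command) for watch-listed commands. hidekeys masks the
    secret value, but the fact that it was changed is still visible here."""
    return [(e.idx, e.user, e.command) for e in entries
            if any(e.command.startswith(w) for w in WATCH)]

if __name__ == "__main__":
    for idx, user, cmd in review(parse_archive_log(SAMPLE)):
        print(f"REVIEW idx={idx} user={user}: {cmd}")
```

The same logic can be pointed at the syslog export enabled by `notify syslog` once the message text is extracted, so the review runs on a collector rather than on the router.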

-David


Dec 5 2007   7:37PM GMT

Before you blame “the users”, check yourself first for that security hole



Posted by: David Davis
Networking, Cisco

I was reading a recent article entitled “IT departments biggest source of data leaks, says research”. This article reported the results of a study about the source of security holes and leaks at most companies. What the study found was that about 30% of all security leaks.

My takeaway from this article was that before we blame “the users” for causing security issues or getting into things that they shouldn’t have been in, we need to “check ourselves first”.

Let me ask you this:

  • Do you have a security policy?
  • When was the last time you did a security audit of all network and server devices?
  • How about Windows shares and who has access to what?
  • Are there any rootkits installed on your PCs or Servers?

When it comes to Cisco security, I recommend:

  • Check who can login to the routers, switches & firewalls
  • Change the admin/root password on routers
  • Implement password complexity requirements or use RADIUS from Windows AD
  • Check your IOS for old versions that need to be upgraded

And, as much as it hurts and really doesn’t sound fun at all, don’t forget to “Audit IT First” :)

-David