Hi everybody and welcome, my name is Tyler McMinn with Aruba, a Hewlett Packard Enterprise company. And this is the Networking Security Essentials video course, part 1, video number 8, where we're going to be introducing a discussion on hardening our switching devices. And we're going to talk about two major concepts of hardening a switch today, which have to do with how do we actually log into the switch, and how do we get that login to be carried over to a central server like ClearPass or another AAA server in our environment. So without further waiting, let's go ahead and jump right in.

Alright, so hardening our switches: why harden our devices in the first place? Well, we want to make sure that we are of course following the rules; we talked about this in the last video where we hit on complying with regulations. But we want to protect against denial of service, against man in the middle, eavesdropping attacks, reconnaissance attacks, all of these threats that we talked about in the last series of videos; we don't want to be a victim of those. So here's the best practice quick checklist: one, set up all out-of-band management access, so out-of-band management we'll talk about today. We'll look at authenticating managers securely, enabling security protocols and disabling insecure ones, and then ensuring physical security and implementing other security measures like control plane policing. And if you want more information on this, there are guides that Aruba puts out there if you're using Aruba gear; these are free to download and free to check out, so you don't necessarily need to have a switch to play around with them. What we are going to be looking at, though, is out-of-band management on a switch. So let me grab this one right here.
Okay, so technically this is not really a switch, but it kind of is. This is a 7210 mobility controller I happen to work with in my lab, and this is an Aruba mobility controller that switches traffic from your wireless access points to your switched network. To get access to this, you would want to be able to get out-of-band management access, and out-of-band management is what we would use in this idea of a console port. There are other out-of-band management ports like your management interface port, and what we mean by out of band is that it's not taking the normal switch ports that your regular user data would use. So in our case I've got a bunch of ports on the front that you could just plug in access points or other switches, devices plugging into the core, every network, whatever else you like. These are normal layer 2, layer 3 interfaces; this little console port or management interface, those are out of band. So if my entire network went down I could still console in, I could still get GUI access through the management interface or, in this discussion, console access, which means I could use the command line, I can type little commands right into my terminal window and I would always be connected. So the advantage of out of band: complete separation of management and data planes; you can lose the data plane and you still have the management access. Disadvantages: it's not quite as flexible. You generally need to be locally right there within a few feet to plug in a cable, plug in a USB cable, in this case a Type-C connector on the 6300 CX switch, or on the 7210 it's a mini USB connector or micro USB, mini USB connection, to be able to get that console access. So you could set up remote access, but it usually involves other hardware. For the management interface, these look like a regular networking port.
They take regular Category 5, Cat 6 cable, but what they do is they have complete separation from your other data ports, the ports that your users would plug into. So on a regular data port you can send web traffic, user traffic, authentication traffic, and it's in what we call the default VRF, which for those of you that do networking is just your default routing table. The management interface on these devices is typically out of band, or like on the CX, which is going to be a completely different routing table in what we call the management VRF. So the advantage of this is it's extremely difficult for someone like Malicious Mallory here to be able to get access to that management VRF or to see any of your management traffic, where you as an actual administrator can manage your network securely using secure protocols like Secure Shell or Simple Network Management Protocol. Or you could open up the web interface on a CX switch and access the REST APIs through Swagger or the Network Analytics Engine and run scripts on these switches. All sorts of cool management-under-the-hood stuff that a manager would want to take advantage of, and a hacker would love to take advantage of, can be completely separated if you only use the management port under this management routing table, or this management virtual route forwarding table, VRF. The regular data that hackers have access to, and everyone else, is in a completely different routing information base, so it's completely segmented. It gives us physical segregation by having these separate ports, and it gives us still the same flexibility and simplicity, where you don't have to be in the same switching closet 6 ft away to plug in to access my switch. I could be all the way across the world, and as long as this management port is plugged into a separate network, I'm good, I can tie into that.
So I think we'll stop there before we get into the remote authentication. In this video we talked about out-of-band management and we talked about a checklist for hardening our switches. In the next video, we'll talk about centralizing authentication and what the commands would look like, what the management roles would be, between an older operating system switch like the Aruba OS compared to a new operating system on our switches called the Aruba CX; the commands are very similar, though. So thank you for your time, I'll see you guys in the next video.
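As an added example that is not part of the video or of Aruba's own material: a small Python audit of the checklist items discussed above, checking that management services are bound only to the out-of-band management VRF, that Telnet is disabled, and that no well-known SNMP community string is in use. The sample running-config is constructed in a simplified AOS-CX-like syntax and is an assumption for illustration, not output captured from a real switch.

```python
import re
from typing import Dict, List, Set

# Constructed sample running-config in a simplified AOS-CX-like syntax
# (an assumption for illustration, not captured from a real device).
SAMPLE_CONFIG = """\
hostname core-6300
vrf mgmt
interface mgmt
    no shutdown
    ip static 10.10.99.5/24
    default-gateway 10.10.99.1
ssh server vrf mgmt
https-server vrf default
snmp-server vrf mgmt
snmp-server community public
telnet server vrf default
"""

# Services that carry management traffic; they belong on the out-of-band
# management VRF only, never on the data-plane (default) VRF.
MGMT_SERVICES = ("ssh server", "https-server", "snmp-server", "telnet server")
SERVICE_RE = re.compile(
    r"^(?P<svc>" + "|".join(re.escape(s) for s in MGMT_SERVICES) + r") vrf (?P<vrf>\S+)$"
)


def service_bindings(config: str) -> Dict[str, Set[str]]:
    """Map each management service to the set of VRFs it is enabled on."""
    bindings: Dict[str, Set[str]] = {}
    for line in config.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            bindings.setdefault(m["svc"], set()).add(m["vrf"])
    return bindings


def audit(config: str, mgmt_vrf: str = "mgmt") -> List[str]:
    """Return findings against the checklist: management only out of band,
    insecure protocols disabled, no default SNMP community string."""
    findings: List[str] = []
    bindings = service_bindings(config)
    if "telnet server" in bindings:
        findings.append("insecure protocol enabled: telnet (use SSH)")
    for svc, vrfs in sorted(bindings.items()):
        if svc == "telnet server":
            continue  # already reported above; it should not exist on any VRF
        for vrf in sorted(vrfs - {mgmt_vrf}):
            findings.append(f"{svc} reachable from data-plane VRF '{vrf}'")
    if mgmt_vrf not in bindings.get("ssh server", set()):
        findings.append(f"ssh server not enabled on VRF '{mgmt_vrf}' (no out-of-band CLI access)")
    if re.search(r"^snmp-server community (public|private)$", config, re.M):
        findings.append("well-known SNMP community string in use")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports the HTTPS server exposed on the default VRF, Telnet enabled, and the `public` community; moving every service to the `mgmt` VRF and removing the Telnet and `public` lines yields an empty findings list.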