All language subtitles for 13 - Switching - Configuring SSH, User Accounts, and Password Encryption-eng

Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated: 1 00:00:00,386 --> 00:00:02,806 >> I want to show you something kind of creepy. 2 00:00:03,486 --> 00:00:05,876 [laughs] How's that for starting a nugget? 3 00:00:06,126 --> 00:00:10,696 So last, last nugget, we kind of went through the base configuration of our switch, right. 4 00:00:10,696 --> 00:00:12,166 I'm back on the console port now. 5 00:00:12,476 --> 00:00:14,936 We set it up with a management IP address. 6 00:00:15,766 --> 00:00:18,376 All right, that's it, I'm changing the password. 7 00:00:18,906 --> 00:00:22,606 I can't talk and type CBT nuggets at the same time. 8 00:00:22,606 --> 00:00:27,546 I'm going in, enable secret, Cisco, there we go. 9 00:00:27,546 --> 00:00:28,846 Something I can brainlessly type. 10 00:00:28,846 --> 00:00:30,386 Oh, there is a fun message. 11 00:00:30,656 --> 00:00:33,256 [laughs] Well it sounds like-- I want to show you something now, 12 00:00:33,256 --> 00:00:35,696 something totally different than what I planned to show you. 13 00:00:35,696 --> 00:00:39,066 It says, the enable secret you've chosen is the same as your enable password, 14 00:00:39,066 --> 00:00:41,806 this is not recommended, please reenter the enable secret. 15 00:00:42,046 --> 00:00:45,886 Remember, we talked about in the last nugget, actually two nuggets ago, 16 00:00:46,176 --> 00:00:48,676 difference between enable password and enable secret. 17 00:00:48,766 --> 00:00:54,296 Now, when I said enable secret is Cisco, what the Cisco device is saying is, "Well, 18 00:00:54,296 --> 00:00:56,906 that's the same thing as your clear text version," or, you know, 19 00:00:56,906 --> 00:00:59,506 the cracker jacks encrypted version right here. 20 00:00:59,506 --> 00:01:00,556 They're like, this is not recommended. 21 00:01:00,756 --> 00:01:08,486 Now, let me ask you this, in that message anywhere, does it say, I didn't take that? 
22 00:01:08,996 --> 00:01:09,586 No it didn't. 23 00:01:09,586 --> 00:01:11,486 It actually will take it just fine. 24 00:01:11,486 --> 00:01:16,996 The enable secret is indeed, Cisco, Cisco just wants to try and sway you as much 25 00:01:16,996 --> 00:01:20,546 as they possibly plan not to do that or at least, to go in here 26 00:01:20,666 --> 00:01:25,526 and do a no enable password, which I think I did in the last couple of nuggets, 27 00:01:25,526 --> 00:01:28,636 but I obviously didn't save my configuration so I'll do that now. 28 00:01:28,746 --> 00:01:35,956 So anyway, back to what I wanted to show you, we assign an IP address to this switch right here 29 00:01:36,506 --> 00:01:38,106 so that I can manage it remotely. 30 00:01:38,106 --> 00:01:43,086 And then, as kind of the culmination of that configuration piece, I said, well let's do this. 31 00:01:43,276 --> 00:01:45,396 I've got my computer, let me grab my pen. 32 00:01:45,396 --> 00:01:50,096 I've got my computer plugged into that switch at 10.1.1.-- 33 00:01:50,096 --> 00:01:55,636 I think I gave it 100, and here's the switch, it is assigned 10.1.1.10 and that's-- 34 00:01:55,636 --> 00:01:59,306 by the way, the only thing this IP address is used for is management purposes. 35 00:01:59,346 --> 00:02:02,526 So I was like, "Hey, well let's Telnet in." 36 00:02:02,526 --> 00:02:03,346 This is what I wanna show you. 37 00:02:03,706 --> 00:02:07,716 Remember early on in the series, I opened our good friend WIRESHARK. 38 00:02:07,716 --> 00:02:11,046 And I know early on, you're probably like, "Okay, that was intense." 39 00:02:11,156 --> 00:02:15,416 WIRESHARK is intense for most people that are just getting started in the Cisco world. 40 00:02:15,416 --> 00:02:19,876 So I'm going to get you familiar with it, 'cause it is a huge troubleshooting tool 41 00:02:19,876 --> 00:02:23,206 to where you can see information at every layer of the OSI model. 
42 00:02:23,206 --> 00:02:25,876 And here's what I want to show you, I'm going to open a capture. 43 00:02:26,436 --> 00:02:32,856 All right here, and I have the-- a network adapter, that I have connected to the switch, 44 00:02:32,856 --> 00:02:36,936 is actually this little USB 2.0 Fast Ethernet Adapter. 45 00:02:36,936 --> 00:02:39,316 And now you can see, there's not much going on in my network. 46 00:02:39,316 --> 00:02:42,536 I had some stuff, maybe some, I don't know, something going on there. 47 00:02:42,536 --> 00:02:45,196 But not much going on because I'm not really doing anything. 48 00:02:45,196 --> 00:02:49,156 So I will say, "This is the one I want to capture, let's do a start." 49 00:02:49,156 --> 00:02:52,616 So WIRESHARK is now monitoring the app where it's seeing some, you know, 50 00:02:52,616 --> 00:02:56,506 occasional spanning three messages which we're going to discuss that a little bit later. 51 00:02:56,736 --> 00:02:59,116 But I'm going to open up a Telnet session. 52 00:02:59,686 --> 00:03:02,536 Wait a second, not like that. 53 00:03:02,736 --> 00:03:11,176 I'm going to do a-- there we go, Telnet 10.1.1.10 behind the scenes. 54 00:03:11,396 --> 00:03:16,386 And I should see, there we go, you know, I've got to change that login message. 55 00:03:16,576 --> 00:03:21,076 Behind the scenes, notice WIRESHARK is like, "Oh, I see Telnet data, Telnet data." 56 00:03:21,076 --> 00:03:24,556 Now down here, it's like, okay that's all just kind of gobbledygook. 57 00:03:24,556 --> 00:03:26,156 So, just kind of ignore that for now. 58 00:03:26,156 --> 00:03:31,346 So I'm going to login and I'm going to say, "Okay, my password is Cisco," because, you know, 59 00:03:31,876 --> 00:03:33,226 that's my Telnet password [phonetic]. 60 00:03:33,226 --> 00:03:36,986 Again, behind the scenes, WIRESHARK is like, "Munchy, Telnet data." 61 00:03:37,356 --> 00:03:38,396 I'm going to go, "Okay. 62 00:03:38,396 --> 00:03:40,076 Well, let's get into publish mode." 
63 00:03:40,076 --> 00:03:44,386 Cisco, type that in and hit the enter key, and okay, I think that's enough. 64 00:03:45,046 --> 00:03:46,296 Let's go in and stop that capture. 65 00:03:46,296 --> 00:03:49,686 Now, in here, WIRESHARK is like, "Okay, I've captured all these data." 66 00:03:49,686 --> 00:03:52,786 Now, if I really want to say, "Well, what was that data that you captured?" 67 00:03:53,046 --> 00:03:55,346 Now, this is layer 2 of the OSI style model. 68 00:03:55,346 --> 00:03:55,856 It's saying, "Okay. 69 00:03:55,856 --> 00:03:59,206 Well, it was from this source MAC address," 70 00:03:59,206 --> 00:04:03,736 my little Apple USB adapter going to this destination MAC address. 71 00:04:03,796 --> 00:04:08,716 I'm using these IP addresses, you can see the source IP and then there was a lot more stuff 72 00:04:08,716 --> 00:04:13,786 in the header than source and destination IP, but source is 10.1.1.100, destination, I mean-- 73 00:04:13,786 --> 00:04:16,606 so all of that-- we saw this previously, I can go through every layer. 74 00:04:16,806 --> 00:04:20,506 But really, at the application layer of the OSI style model, it's saying, 75 00:04:20,586 --> 00:04:25,696 "I captured SC [phonetic], and then I captured O." 76 00:04:26,376 --> 00:04:28,116 Oh wait a second, that sounds a little familiar. 77 00:04:28,296 --> 00:04:30,826 I captured I, let's see, where did that come in? 78 00:04:31,056 --> 00:04:33,646 I captured slash R-- oh, what is this? 79 00:04:33,646 --> 00:04:37,126 Well, there's a little feature in WIRESHARK 80 00:04:38,486 --> 00:04:42,816 where you can actually analyze and follow the TCP stream. 81 00:04:43,026 --> 00:04:47,346 What that does is it tells WIRESHARK, you know what, this is one stream. 82 00:04:47,556 --> 00:04:49,776 I've highlighted one stream of data right here. 83 00:04:49,956 --> 00:04:57,506 How about-- can you just kind of follow that and put that all back together? 84 00:04:57,506 --> 00:05:00,226 Panic. 
Heart attack, what? 85 00:05:00,426 --> 00:05:01,846 What? What's the deal here? 86 00:05:01,846 --> 00:05:04,296 And then everything that I just typed in. 87 00:05:04,566 --> 00:05:07,066 I Telneted the switch and immediately, it's like, 88 00:05:07,066 --> 00:05:10,986 I saw a logon banner come across, user identification password. 89 00:05:10,986 --> 00:05:14,196 All of a sudden, it's in red, Cisco. 90 00:05:14,926 --> 00:05:20,406 And then all of the sudden, I see this enable, you know, it's kind of like, okay what's this? 91 00:05:20,406 --> 00:05:22,256 And then, it's in red, Cisco. 92 00:05:22,256 --> 00:05:24,456 You know, what's the colors represent? 93 00:05:24,456 --> 00:05:26,306 Can anyone figure that out just by looking at it? 94 00:05:26,496 --> 00:05:27,736 What's the colors represent? 95 00:05:28,236 --> 00:05:29,876 It's the send and receive. 96 00:05:30,256 --> 00:05:34,496 So essentially, the blue is what my computer has received from the other side, 97 00:05:34,736 --> 00:05:37,846 the red is what I've sent to the other side. 98 00:05:37,946 --> 00:05:41,046 Now you know, when I was-- you saw it, when I Telneted into the switch, 99 00:05:41,226 --> 00:05:42,816 I couldn't actually see the password. 100 00:05:43,136 --> 00:05:46,116 And that's because the device did not echo it back to me. 101 00:05:46,416 --> 00:05:49,686 Everything that you typed in Telnet is actually echoed back. 102 00:05:49,686 --> 00:05:56,056 You see, I typed in enable which my computer actually sent, you can the red E N-- 103 00:05:56,056 --> 00:06:00,056 well it's hard to highlight just-- you get it, you see the red, right? 104 00:06:00,146 --> 00:06:01,196 That's what I sent. 105 00:06:01,196 --> 00:06:04,206 And the switch actually echoed that back to me. 106 00:06:04,206 --> 00:06:06,456 It's like, "Okay, you sent an e-- let me echo it back." 107 00:06:06,456 --> 00:06:08,616 And that's how my terminal displays it. 
108 00:06:08,616 --> 00:06:11,446 And that's really the only difference is when I typed in the passwords, 109 00:06:11,786 --> 00:06:14,086 the switch turned off the echo back. 110 00:06:14,166 --> 00:06:16,936 So it's like, "Okay, you've sent it to me but I'm not echoing it back." 111 00:06:16,936 --> 00:06:20,336 But is there-- did anyone see a problem with this picture? 112 00:06:21,266 --> 00:06:27,136 [laughs] I mean all of my-- what I thought was a secure password is now exposed. 113 00:06:27,256 --> 00:06:31,706 And if somebody in your environment knows what they're doing with WIRESHARK, 114 00:06:31,856 --> 00:06:36,576 it's going to expose the passwords that you're typing as you're logging into the switch. 115 00:06:36,576 --> 00:06:40,536 So I do this little let-me-show-you demonstration to demonstrate 116 00:06:40,536 --> 00:06:42,816 that Telnet, not a good protocol. 117 00:06:43,416 --> 00:06:49,946 Not-- I mean, good, it's functional but not a secure protocol because if anybody has eyes 118 00:06:50,086 --> 00:06:54,496 to see that communication that's going between you and the device, 119 00:06:54,746 --> 00:06:57,306 they will be able to decrypt-- well, decrypt is not even encrypted, 120 00:06:57,306 --> 00:07:01,136 they will be able to see everything that you're typing because Telnet is in clear text. 121 00:07:01,136 --> 00:07:08,256 Now, I don't even know if I should say this but I want to because I want to tell you the truth. 122 00:07:08,416 --> 00:07:13,706 So let's say you are sitting at your desk and you Telnet your device. 123 00:07:14,046 --> 00:07:16,356 Does that mean you're totally doomed? 124 00:07:16,556 --> 00:07:18,816 Like, somebody, you know, somebody just grabbed your password 125 00:07:18,996 --> 00:07:21,436 and they are now going to hack your network? 
126 00:07:21,436 --> 00:07:26,196 Or, you know, worse yeah, let's say you're sitting on that beach in Hawaii or at home 127 00:07:26,416 --> 00:07:32,196 and you Telnet across the internet to a firewall that you have over here. 128 00:07:32,196 --> 00:07:34,016 And so, you're actually Telneting, you're sending all 129 00:07:34,016 --> 00:07:36,176 of that in clear text over the internet. 130 00:07:36,176 --> 00:07:41,696 Does that mean that the evil beings out on the internet immediately see that communication 131 00:07:41,696 --> 00:07:44,986 and will now hack your firewall because they have all the passwords necessary? 132 00:07:46,426 --> 00:07:49,346 Chances are good that that won't happen. 133 00:07:49,586 --> 00:07:53,936 First off, and so-- now, I don't want to give you a false sense of confidence 134 00:07:53,936 --> 00:07:57,026 because it is still true, still valid that Telnet is not good to use. 135 00:07:57,026 --> 00:08:00,406 But first off, in your environment, one of the things that switches do, 136 00:08:01,566 --> 00:08:09,736 and let me bring up my drawing a little bit more, one of the things that switches do is-- 137 00:08:10,046 --> 00:08:13,816 wait a minute, my brain just shaked out. 138 00:08:13,816 --> 00:08:16,976 Okay, switches separate into separate collision domains. 139 00:08:17,006 --> 00:08:21,356 So let's say that your router is right here, and your computer is plugged 140 00:08:21,356 --> 00:08:25,716 in right here, and I Telnet from here to here. 141 00:08:25,886 --> 00:08:30,666 Well, that communication only goes between your computer and that router. 142 00:08:30,666 --> 00:08:31,496 It's not like a hub. 143 00:08:31,496 --> 00:08:34,766 In the hub days, I would say, there's much more of a chance of you being doomed 144 00:08:34,986 --> 00:08:40,386 because anybody-- if this were a hub, anybody could open WIRESHARK if that wanted to 145 00:08:40,386 --> 00:08:42,176 and see all communication on the network. 
146 00:08:42,366 --> 00:08:46,356 But if I'm directly Telneting from my device to that router, that firewall, well, 147 00:08:46,356 --> 00:08:49,306 it's only coming in my port and coming out at this port. 148 00:08:49,306 --> 00:08:53,376 So if somebody over here, you know, here's evil person X that has opened WIRESHARK 149 00:08:53,376 --> 00:08:59,006 and they're sniffing packets, they actually won't see my communication unless they start 150 00:08:59,006 --> 00:09:00,516 sabotaging your switch. 151 00:09:00,956 --> 00:09:05,396 There's a little program that anybody can download, it's free called Can and Able. 152 00:09:06,716 --> 00:09:12,196 It is like a Swiss Army Knife of hacking tools that are kind of like point and click, like, 153 00:09:12,196 --> 00:09:14,486 you click a few buttons and you unleash a hacking attack. 154 00:09:14,796 --> 00:09:19,256 One of the things that they can do is unleash what's called a CAM Table Overflow. 155 00:09:19,566 --> 00:09:22,596 See, CAM stands for Content-Accessible Memory, right? 156 00:09:22,856 --> 00:09:27,236 It's where your switch stores all the MAC addresses that it knows about. 157 00:09:27,436 --> 00:09:31,596 So that if they do this successfully, what will happen is their computer will send thousands, 158 00:09:31,596 --> 00:09:36,596 and thousands, and thousands of packets into the switch sourced from different MAC addresses. 159 00:09:36,636 --> 00:09:39,326 So the switch is like, "Okay, I've learned about this, and this, 160 00:09:39,326 --> 00:09:40,216 and this, and this, and this, and this." 161 00:09:40,216 --> 00:09:43,936 And their goal by doing that is to fill up the CAM table to where there are 162 00:09:43,936 --> 00:09:46,686 so many MAC addresses stored in there that switches like, 163 00:09:46,686 --> 00:09:49,616 "I'm out of memory, I can't store anymore." 164 00:09:49,986 --> 00:09:53,406 And what the switch does at that point is turn itself into a hub. 
165 00:09:53,406 --> 00:09:57,056 It's like, "Well, if can't store anything, if my CAM table is full, then I'm just going 166 00:09:57,056 --> 00:10:01,836 to forward everything everywhere because I don't want communication not to be received." 167 00:10:02,056 --> 00:10:06,496 So as soon as that happens, now this evil person can capture your Telnet session. 168 00:10:06,496 --> 00:10:11,766 But my point is that, it's going to take a little bit of work for them to do that, okay? 169 00:10:11,916 --> 00:10:16,266 So it's not as easy-- I mean like, obviously, it's easy for me because I'm actually 170 00:10:16,266 --> 00:10:19,086 on the computer that's doing the Telneting, you know? 171 00:10:19,086 --> 00:10:23,186 And if I'm on that computer then, you know, for sure I can capture that. 172 00:10:23,426 --> 00:10:28,566 Or if somehow this computer is compromised, as in there's a worm 173 00:10:28,566 --> 00:10:31,676 or some creepy thing that's installed on it, a keystroke logger. 174 00:10:31,676 --> 00:10:34,216 I mean there's all kinds of way to hack a computer. 175 00:10:34,676 --> 00:10:38,966 But that's-- it's not just as easy as opening WIRESHARK anywhere 176 00:10:38,966 --> 00:10:40,436 in the network and capturing passwords. 177 00:10:40,596 --> 00:10:41,826 And the same thing on the internet. 178 00:10:41,826 --> 00:10:45,816 If I Telnet across the internet, that's really not a good practice, 179 00:10:46,106 --> 00:10:48,486 but does that mean we are destroyed immediately? 
180 00:10:48,846 --> 00:10:57,506 Well, I would say no simple because there is so much data going around the internet 181 00:10:57,926 --> 00:11:04,166 that you're almost secure in obfuscation towards-- it's just like, by the sheer quantity, 182 00:11:04,166 --> 00:11:08,146 you know, terabytes and terabytes of data every minute are being transferred all 183 00:11:08,146 --> 00:11:12,736 around the internet, you know, who's to say that somebody is going to grab your Telnet session 184 00:11:13,166 --> 00:11:17,856 in there and it would also mean that someone in the middle of your communication is going 185 00:11:17,856 --> 00:11:22,516 to be doing the grabbing, as in you, you know, maybe came in through your Cox or Quest, 186 00:11:22,516 --> 00:11:23,456 you know, what-- or some kind 187 00:11:23,456 --> 00:11:26,146 of service provider that's giving you your internet connection. 188 00:11:26,146 --> 00:11:30,546 So there would be an evil person sitting there that could capture it, or, you know, 189 00:11:30,546 --> 00:11:35,106 they pass it to, you know, level three or Time Warner, you know, these big service providers. 190 00:11:35,346 --> 00:11:39,696 You know, and so there somebody evil, they're so-- so for those things to happen, 191 00:11:39,696 --> 00:11:46,316 for somebody capture your Telnet session, there would have to be a shady person existing at one 192 00:11:46,316 --> 00:11:49,746 of the service writers that you're going through and they would have 193 00:11:49,746 --> 00:11:52,796 to find your conversation among trillions of conversations 194 00:11:52,796 --> 00:11:54,516 that are happening across the internet. 195 00:11:54,906 --> 00:11:59,306 So what I'm saying is, there's different levels of paranoia, right? 196 00:11:59,306 --> 00:12:03,916 There are some people that are like, you know, I type my credit into a website and it's gone, 197 00:12:03,916 --> 00:12:07,306 I know, somebody is going to sell that, and steal it, and I'm defrauded. 
198 00:12:07,306 --> 00:12:10,116 I mean, there's people they're like agent [inaudible] is standing outside my door 199 00:12:10,116 --> 00:12:13,546 or waiting for me to use my computer because then they will know everything that I'm trying 200 00:12:13,546 --> 00:12:16,306 to do, so there's different level. 201 00:12:16,306 --> 00:12:19,416 And then there's people that, you know, that are kind of like, hey, you know what, 202 00:12:20,296 --> 00:12:24,076 the world is happy place, there are no hackers, you know, it's all-- you know, it's-- 203 00:12:24,076 --> 00:12:26,906 there are totally different levels of paranoia. 204 00:12:26,906 --> 00:12:31,006 The best thing to be, I would say, it's probably better to be over paranoid than less 205 00:12:31,006 --> 00:12:33,316 because it's less chance of something bad happening. 206 00:12:33,666 --> 00:12:38,916 But just to put into a reality, the world isn't waiting to hack your Telnet session, 207 00:12:39,516 --> 00:12:41,076 there are certain people that wish they could, 208 00:12:41,266 --> 00:12:43,926 but it's going to be very difficult for them to get that. 209 00:12:44,316 --> 00:12:51,416 All of that is a precursor to managing your Cisco the right way, using SSH. 210 00:12:52,596 --> 00:12:56,596 Now I know some of you might be thinking-- well, that was kind of a long precursor, right? 211 00:12:56,776 --> 00:13:00,626 Well, yeah, but there is so much meet in there, you know, I have seen how to use WIRESHARK 212 00:13:00,626 --> 00:13:04,676 to follow a TCP stream and reassemble data, you can do that with anything, outlook e-mails, 213 00:13:04,676 --> 00:13:06,366 Excel spreadsheets, anything that are being sent. 214 00:13:06,706 --> 00:13:09,446 At the time, you can capture and reassemble and put it back together. 
215 00:13:09,636 --> 00:13:15,156 We saw how clear text to Telnet was by design, that's just how the protocol what was written 216 00:13:15,156 --> 00:13:19,156 and that-- but at the same time, how using it, doesn't mean that big brother suddenly comes 217 00:13:19,156 --> 00:13:21,116 down and says, I have the keys to your network. 218 00:13:21,436 --> 00:13:24,636 But it-- you know, as point number four, why risk it? 219 00:13:24,636 --> 00:13:28,376 I mean what's the chance that somebody is going to grab your data and hack you, one and ten, 220 00:13:28,596 --> 00:13:33,036 one and a hundred, one and a million, it depends on where you are in the world and what kind 221 00:13:33,036 --> 00:13:34,826 of malicious person would want your data. 222 00:13:35,176 --> 00:13:37,466 But the point is, why take that chance, 223 00:13:37,466 --> 00:13:40,066 why add that to one more thing that you have to worry about. 224 00:13:40,066 --> 00:13:46,446 Instead, go with Cisco's recommendation, use Secure Shell, or SSH to manage your network. 225 00:13:46,896 --> 00:13:50,976 Now before I show you how to set it up, I want to show you how it works 226 00:13:50,976 --> 00:13:54,056 because when you understand this, you understand how-- 227 00:13:54,186 --> 00:13:58,096 almost all major security algorithms worked across the public internet, 228 00:13:58,096 --> 00:14:02,256 you'll be able to explain how VPNs work, how secure web surfing works 229 00:14:02,256 --> 00:14:04,246 because they all use the same method as SSH. 
230 00:14:04,246 --> 00:14:09,056 Essentially, you have a client that wants to have some kind of secure session 231 00:14:09,056 --> 00:14:12,836 with his server, or, you know, a router, or a switch, or whatever you want to do 232 00:14:13,026 --> 00:14:18,186 over some untrusted network and, you know, just about any network unless, you know, 233 00:14:18,186 --> 00:14:20,776 I can own every single piece of cable in there 234 00:14:20,776 --> 00:14:23,786 and know exactly what's on it, is an untrust medium. 235 00:14:23,786 --> 00:14:25,366 So, let's just say we've got the internet. 236 00:14:25,366 --> 00:14:26,646 I'm going to show you how it works for, you know, 237 00:14:26,646 --> 00:14:29,766 secure web surfing and then, I'll apply it to SSH. 238 00:14:30,116 --> 00:14:35,936 Now let's say we go to HTTPS, you know bank.com, whatever online bank we decide to use. 239 00:14:36,986 --> 00:14:45,426 Now the big question is, how do I know that this is secure, I mean, HTTPS by the way uses, SSL, 240 00:14:45,756 --> 00:14:49,936 Secure Socket Layer or it's the same concept as SSH. 241 00:14:50,306 --> 00:14:54,916 How do I know that this is secure, I mean, if you think about it in order for security 242 00:14:54,916 --> 00:14:59,766 to happen, the server or the client has to send an encryption key 243 00:15:00,596 --> 00:15:04,836 which is essentially a mathematical formula that says, here's how I'm going to encrypt my data, 244 00:15:05,056 --> 00:15:07,736 that's kind of like a secret key that only those two can have. 245 00:15:07,736 --> 00:15:12,226 Well the problem is if there's eyes on this network, if this is untrusted network, 246 00:15:12,616 --> 00:15:15,416 then that's the problem, because if I send the key, 247 00:15:15,416 --> 00:15:18,176 then anybody can grab the key and we're doomed. 
248 00:15:18,866 --> 00:15:23,706 Well, that's the same problem that a fellow named Martin Hellman 249 00:15:23,866 --> 00:15:28,076 and Whitfield Diffie faced decades and decades ago. 250 00:15:28,336 --> 00:15:32,456 It's how do you have security over a public network when you can't send security keys 251 00:15:32,776 --> 00:15:34,436 in clear text that anybody can grab? 252 00:15:34,796 --> 00:15:38,386 And they came up with a method of public-key cryptography. 253 00:15:38,606 --> 00:15:40,086 So here's how it works. 254 00:15:40,086 --> 00:15:43,716 Essentially, the bank will have what's called a certificate. 255 00:15:43,716 --> 00:15:50,356 And that certificate will have an encryption algorithm on it, it's known as the public-key. 256 00:15:50,856 --> 00:15:56,586 Now, the public-key is half of an encryption formula. 257 00:15:56,956 --> 00:16:02,396 So essentially, anything that is encrypted with the public-key can only be decrypted 258 00:16:02,736 --> 00:16:06,866 by something called the private-key which is kept 259 00:16:06,866 --> 00:16:09,526 on the server never, ever, ever given out to anybody. 260 00:16:09,766 --> 00:16:14,066 Because if I give out that private-key to anybody then this whole algorithm fails, 261 00:16:14,066 --> 00:16:16,486 because now anything can be decrypted. 262 00:16:16,486 --> 00:16:20,586 Now, have you ever going to a website and it comes up and you get that message 263 00:16:20,586 --> 00:16:24,576 in Internet Explorer, or Chrome, or Firefox, whatever, and it comes up and says, 264 00:16:25,006 --> 00:16:27,556 warning this website not trustable, you know, 265 00:16:27,556 --> 00:16:30,526 this website has a certificate that is not trustworthy. 266 00:16:30,886 --> 00:16:34,276 Well, you know, and most of us, if you're like me and like, yeah, whatever, you know, 267 00:16:34,276 --> 00:16:35,846 and continue, I want to get to the website. 
268 00:16:36,016 --> 00:16:40,096 Well, that message hid-- it gives you a warning because what it saying is, 269 00:16:40,326 --> 00:16:42,856 this server may have just made up their own certificate. 270 00:16:43,126 --> 00:16:48,486 As in nobody has gone out and really said that this website is secure and this website is 271 00:16:48,486 --> 00:16:52,606 who they say they are, that's why we have this concept of certificate authorities. 272 00:16:52,846 --> 00:16:56,556 Places like VeriSign and all of that kind of stuff. 273 00:16:56,556 --> 00:16:59,196 I'll just throw VeriSign out there is one of them. 274 00:16:59,196 --> 00:17:05,346 So if I was a real company, I would take and apply for a real certificate from VeriSign. 275 00:17:05,546 --> 00:17:08,606 VeriSign would say, okay, let me verify that you are, who you are, 276 00:17:08,606 --> 00:17:10,346 what's your federal tax ID number, what-- 277 00:17:10,346 --> 00:17:12,626 you know, they would make sure that you are the real deal, 278 00:17:12,846 --> 00:17:17,766 and then they would issue a certificate and an encryption or essentially public private-key set 279 00:17:17,986 --> 00:17:21,176 that is trusted by all the browsers of the world. 280 00:17:21,296 --> 00:17:25,636 So Chrome, you know, Internet Explorer, they've all agreed that they will trust the VeriSign 281 00:17:25,846 --> 00:17:31,146 as a authority to give out these certificates and approve the servers on the internet 282 00:17:31,146 --> 00:17:34,576 to really be a valid server, now is that proof, no, no it's not. 283 00:17:34,756 --> 00:17:39,066 But it's definitely a good layer on top of it to make sure 284 00:17:39,066 --> 00:17:42,356 that we don't have these false identities out there. 285 00:17:42,356 --> 00:17:46,526 Now, so this guy gets a certificate, whether it was, they made it up themselves 286 00:17:46,526 --> 00:17:51,246 or see I gave it, and this certificate has half of an encryption algorithm on them. 
287 00:17:51,246 --> 00:17:54,556 So the very first time, when you got to bank.com, 288 00:17:54,806 --> 00:17:59,596 they will send over this public-key, half of an encryption algorithm. 289 00:18:00,126 --> 00:18:04,246 And your browser, your Internet explorer, your Chrome, your, whatever you're using will say, 290 00:18:04,246 --> 00:18:11,276 great, I am now going to generate what is called a session key. 291 00:18:11,616 --> 00:18:16,896 Now that session key is only good for this one time use only. 292 00:18:17,436 --> 00:18:22,816 Session key is, you know, once I'm done talking to this website, I'm going to flash it. 293 00:18:22,816 --> 00:18:27,636 It is an encryption algorithm, it is called a single key or I guess the technical word 294 00:18:27,636 --> 00:18:31,076 that you would use for it is asymmetrical encryption algorithm. 295 00:18:31,426 --> 00:18:38,856 One key to rule them all, one key to encrypt one key to decrypt, it's fast, it's efficient, 296 00:18:38,856 --> 00:18:43,206 it's what we want to use because we want to have our communication goes 297 00:18:43,206 --> 00:18:45,766 as fast as possible, but also one key. 298 00:18:45,766 --> 00:18:48,706 So I can't just send that one key to the server across the internet 299 00:18:48,706 --> 00:18:51,036 because someone would get my one key and be able to decrypt it. 300 00:18:51,196 --> 00:18:52,276 So you see where this is going? 301 00:18:52,636 --> 00:18:59,266 So I send half of an encryption formula to the client, that's this piece right here. 302 00:18:59,386 --> 00:19:02,746 And this is also by the way called asymmetric encryption. 303 00:19:02,976 --> 00:19:07,356 Multiple keys are two keys to be specific to rule them all. 304 00:19:07,356 --> 00:19:11,056 But veri-- process are heavy to handle this kind of encryption. 305 00:19:11,056 --> 00:19:13,636 So, he sends me half of an encryption algorithm. 
306 00:19:13,886 --> 00:19:21,606 This guy says, I'm going to take that public key and encrypt my session key, gone. 307 00:19:22,106 --> 00:19:28,616 It is now scrambled, it's encrypted, and the only one they can decrypt it is bank.com 308 00:19:28,866 --> 00:19:32,096 because they're the only one that has this private-key behind the scenes. 309 00:19:32,296 --> 00:19:35,296 So, now obviously, I knew what it was before I encrypted it, right? 310 00:19:35,486 --> 00:19:38,226 So I now send an encrypted, encryption key. 311 00:19:39,286 --> 00:19:40,826 You think that one through right. 312 00:19:40,936 --> 00:19:47,056 An encrypted-- encryption key over to bank.com who now decrypts it using their private-key, 313 00:19:47,206 --> 00:19:50,596 and now, it's going to be a new color. 314 00:19:50,716 --> 00:19:59,056 We have the session key successfully transmitted and used on both sides for that session. 315 00:19:59,616 --> 00:20:02,866 A fresh encryption algorithm used for that session. 316 00:20:03,146 --> 00:20:05,316 Once that session is done, I tear it down 317 00:20:05,396 --> 00:20:08,266 and the session key is destroyed, never to be used again. 318 00:20:09,046 --> 00:20:14,936 Now, that is how public-key encryption works which is really amazing, it's really powerful 319 00:20:14,936 --> 00:20:19,496 to have that kind of algorithm on the internet as you surf the websites, it's the same thing 320 00:20:19,496 --> 00:20:24,636 that used for SSH, it's the same thing when I have a VPN tunnel, like I want to connect 321 00:20:24,636 --> 00:20:27,316 to my private network using a tunnel over that. 322 00:20:27,316 --> 00:20:31,266 They all used the same kind of algorithm, this public-key. 323 00:20:31,266 --> 00:20:36,346 Now I know some of you are watching this whole thing and be like, "Okay, okay, come on." 
324 00:20:37,196 --> 00:20:41,456 If somebody gets the public-key which is, you know, half of an encryption formula, 325 00:20:41,456 --> 00:20:44,026 can't they figure out the private-key? 326 00:20:44,026 --> 00:20:49,866 I mean, I grew up, I went into some heavy math, you know, X plus 1 equals 3. 327 00:20:49,866 --> 00:20:54,856 If I get, you know, half that formula and I'm like, okay, I don't have a piece of that, 328 00:20:54,856 --> 00:20:56,676 can't they, you know, you see what I mean? 329 00:20:56,676 --> 00:21:00,186 Can't it be like, well, okay, X is really 2 because I can kind 330 00:21:00,186 --> 00:21:04,456 of reverse engineer this, no, theoretically, no. 331 00:21:04,696 --> 00:21:07,576 But that theory has been proved for decades and decades. 332 00:21:07,716 --> 00:21:13,386 Now I will tell you, if somebody came-- by the way, this is called Diffie-Hellman Encryption 333 00:21:14,346 --> 00:21:16,716 because those two guys, well, actually, there's three guys, 334 00:21:16,716 --> 00:21:19,206 but he got cut out of the loop, no royalties for him. 335 00:21:19,486 --> 00:21:23,946 But they are the ones who pioneered this public-key encryption algorithm. 336 00:21:23,946 --> 00:21:27,986 Now since then it's been translated into many different forms, you'll hear things 337 00:21:27,986 --> 00:21:30,986 like RSA, there's all kinds of different methods 338 00:21:30,986 --> 00:21:33,976 of doing public-key cryptography, but the concept is all the same. 339 00:21:34,226 --> 00:21:39,966 Now if somebody ever came out and said, hey, I figured out how to reverse this, 340 00:21:40,066 --> 00:21:45,376 I figured out how, you know, if I get a public-key on the internet, how to fix, 341 00:21:45,376 --> 00:21:47,626 you know, to generate the private-key from it.
342 00:21:48,196 --> 00:21:56,206 You would see worldwide chaos, and panic, and freaking out because people would-- 343 00:21:56,206 --> 00:22:00,276 soon they'll realize that the underpinning security of everything is now gone, 344 00:22:00,716 --> 00:22:05,096 it cannot be done, I don't know, maybe, I can't do it. 345 00:22:05,196 --> 00:22:07,426 No one has been able to do it so far, the government, well, 346 00:22:07,506 --> 00:22:09,726 as far as we know, Agent Scully can do it. 347 00:22:09,856 --> 00:22:16,196 But the government can't do it, so far it's been proved true, but it's a theory. 348 00:22:16,446 --> 00:22:18,196 The theory is nobody can figure out how 349 00:22:18,196 --> 00:22:20,376 to generate the private-key if you have a public-key. 350 00:22:20,376 --> 00:22:24,286 But, all that being said, I dive into my conspiracy theory side of things. 351 00:22:24,286 --> 00:22:27,076 Now let's talk about how to set up SSH. 352 00:22:27,306 --> 00:22:30,776 I'll clear all of this stuff off. 353 00:22:30,776 --> 00:22:32,336 So that's how it worked. 354 00:22:32,336 --> 00:22:37,356 So instead, you know, instead of having computer A and website B, you know, 355 00:22:37,356 --> 00:22:41,916 we have computer A going to switch A or router A or whatever kind of device, 356 00:22:41,916 --> 00:22:46,276 it's all the same concept, it's just using, you know, different devices. 357 00:22:46,276 --> 00:22:50,866 So the way to configure SSH on a Cisco device is as follows. 358 00:22:51,346 --> 00:22:56,956 First off, we have to have a host name and the reason why is this switch 359 00:22:56,956 --> 00:23:00,346 or this router is going to generate its own certificate. 360 00:23:00,816 --> 00:23:05,006 Now, it's okay, we don't need a certificate authority because we pay for those.
361 00:23:05,126 --> 00:23:07,966 And as long as we trust our own devices, you know, 362 00:23:07,966 --> 00:23:11,166 we're not going to have a rogue device come into play, 363 00:23:11,166 --> 00:23:15,256 it's okay to generate our own little public-key certificate which says who we are. 364 00:23:15,516 --> 00:23:21,226 But we have to have on that certificate the name of our device as well as the domain name like, 365 00:23:21,226 --> 00:23:25,316 you know, jeremy.com or cbtnuggets.com, that's the domain name, 366 00:23:25,576 --> 00:23:27,776 those are two requirements for the certificate. 367 00:23:27,916 --> 00:23:32,366 So not only on that certificate is the key, but also, you know, 368 00:23:32,366 --> 00:23:35,056 your name, who are you, host name. 369 00:23:35,266 --> 00:23:37,046 Also on there is your domain name. 370 00:23:37,506 --> 00:23:42,176 Also on there is the certificate authority that approved the certificate. 371 00:23:42,176 --> 00:23:44,106 And think of this as like the stamp of approval. 372 00:23:44,336 --> 00:23:49,386 Now in this case, this is called a self-generated certificate that we're creating. 373 00:23:49,386 --> 00:23:51,746 So when it says, well, who approved me? 374 00:23:52,176 --> 00:23:53,106 I approved me. 375 00:23:53,736 --> 00:23:55,766 And who are you to tell me that I can't do that? 376 00:23:55,766 --> 00:23:59,966 Yeah, that's what the device would say, is, you know, I am my own certificate authority, 377 00:24:00,126 --> 00:24:02,776 but that means the very first time you connect to this device, 378 00:24:03,106 --> 00:24:06,096 you're going to get a warning saying, hey, I'll show you that one, okay? 379 00:24:06,096 --> 00:24:07,766 So here's what we're going to do. 380 00:24:07,766 --> 00:24:11,356 And now, I've already configured the host name for this device, it's CBT Switch.
381 00:24:11,766 --> 00:24:15,486 Now I need to configure a domain name, global config mode 382 00:24:15,486 --> 00:24:22,896 and the command is IP domain name followed by what we want the domain name-- 383 00:24:22,896 --> 00:24:27,856 hey I don't have a-- domain, yeah, sorry, it's IP domain name, that's what it is. 384 00:24:28,096 --> 00:24:32,986 IP domain-name or it looks like, we can do a space, either one of those, sometimes Cisco, 385 00:24:33,206 --> 00:24:35,776 Cisco is inconsistent, you'll have two ways of doing the same thing. 386 00:24:35,776 --> 00:24:41,136 So IP domain name, we've got cbtswitch., let's do nuggetlab.com, 387 00:24:41,276 --> 00:24:43,186 that will be our domain name that we're going to use, okay? 388 00:24:43,576 --> 00:24:47,856 Now we're going to generate encryption keys, we're going to say, I need to generate, 389 00:24:47,856 --> 00:24:52,056 essentially, the public/private-key set for this certificate, the private-key, 390 00:24:52,056 --> 00:24:55,676 I will never give out, the public-key, anybody can have because it's only half of the formula. 391 00:24:56,116 --> 00:25:02,596 So the way I do that is I do crypto key generate RSA. 392 00:25:03,436 --> 00:25:09,566 RSA by the way is the encryption algorithm of choice on Cisco devices, I think, 393 00:25:09,566 --> 00:25:15,536 it stands for Rivest, Shamir, and Adleman, it's three guys that developed-- 394 00:25:15,536 --> 00:25:18,836 it's, you know, think of it as Diffie-Hellman, but just the next flavor, 395 00:25:18,836 --> 00:25:21,146 a little more efficient than Diffie-Hellman's original algorithm. 396 00:25:21,146 --> 00:25:25,976 So now we come to the big question, what is the size of the modulus? 397 00:25:26,306 --> 00:25:30,336 What is this-- how strong do you want this key to be? 398 00:25:30,846 --> 00:25:33,096 Now let me give you just a flyby view.
399 00:25:33,276 --> 00:25:37,506 Symmetric keys that we use normally for-- 400 00:25:37,506 --> 00:25:39,536 remember I said, this is the session key 401 00:25:39,536 --> 00:25:42,506 that our computer generates to communicate with a website. 402 00:25:42,666 --> 00:25:47,276 Symmetric keys' common strengths are, you know, on the low end 64 bit. 403 00:25:48,126 --> 00:25:53,706 Normally, nowadays it's 128 bit or if you're beefy, 404 00:25:54,016 --> 00:25:58,766 nowadays you'll use 256 bit encryption for your symmetric keys. 405 00:25:59,046 --> 00:26:04,696 And that's just how strong the key is, how complex is that mathematical formula 406 00:26:04,696 --> 00:26:07,226 in that shell, that's really what it means. 407 00:26:07,286 --> 00:26:12,446 So those are common methods to communicate, now look at this, this is coming off 408 00:26:12,446 --> 00:26:16,276 and starting off with a modulus of 512 bits. 409 00:26:16,546 --> 00:26:20,496 These are much stronger than our normal day-to-day communications, 410 00:26:20,496 --> 00:26:23,986 it's much more complex because the device knows it's not going to use them for long. 411 00:26:24,216 --> 00:26:28,386 The only thing it's going to use this for is to encrypt that session key for the communication. 412 00:26:28,386 --> 00:26:31,016 So they're like, you know, we can take the processor, 413 00:26:31,016 --> 00:26:32,836 just to do a tiny amount of encryption. 414 00:26:33,066 --> 00:26:37,946 If we were to actually use these keys for all communication, our devices would die, 415 00:26:38,106 --> 00:26:43,546 there's no way they can keep up because with the strength of keys, every bit that you add 416 00:26:43,546 --> 00:26:46,136 to it effectively doubles the strength. 417 00:26:46,136 --> 00:26:49,596 It's not like 128 bit is twice as strong as 64 bit, 418 00:26:50,016 --> 00:26:53,366 no, 65 bit is twice as strong as 64 bit.
419 00:26:53,786 --> 00:26:56,816 Sixty-six bit is four times as strong as 64 bit. 420 00:26:56,876 --> 00:26:59,326 But also four times as complex to process, so do you see what I mean? 421 00:26:59,326 --> 00:27:04,286 So when you're talking 128 bit versus 64 bit it's like you can't even compare that, 422 00:27:04,356 --> 00:27:07,066 it's out of the park and same thing when you come down here, 423 00:27:07,066 --> 00:27:08,946 you're infinitely stronger, at least. 424 00:27:09,286 --> 00:27:12,546 The-- so as our processors get bigger and bigger and bigger, 425 00:27:12,546 --> 00:27:17,816 we're able to create these more improved algorithms because as the processors get bigger 426 00:27:17,816 --> 00:27:23,056 and bigger, it's easier to brute force attack these 64 bit keys, you know, we can generate, 427 00:27:23,306 --> 00:27:25,836 you know, millions of passwords every second and try 428 00:27:25,836 --> 00:27:29,356 and see if that's the secret key that's being used. 429 00:27:29,356 --> 00:27:34,596 So that's-- when we come to this question, the modulus, what do you want to use? 430 00:27:34,646 --> 00:27:38,926 A common strength is 1024 bit, 512 is considered, 431 00:27:39,036 --> 00:27:44,146 I would say, weak for an asymmetric key set, 1024 or if you're feeling really beefy, you know, 432 00:27:44,146 --> 00:27:46,846 I can go with the 2048 bit, go to the maximum 433 00:27:47,016 --> 00:27:49,546 that at least this device supports, some devices support more. 434 00:27:50,616 --> 00:27:53,096 But it's actually generating it, it's going to take a little bit 435 00:27:53,336 --> 00:27:58,236 because my little processor is going, trying to generate the super strong encryption key 436 00:27:58,506 --> 00:28:03,566 that is going to be used for communication from here on out. 437 00:28:03,706 --> 00:28:06,276 Just so you know, I paused the nugget, I'm still waiting, 438 00:28:06,366 --> 00:28:08,866 this was 30 seconds ago, okay, I'm pausing again.
439 00:28:10,586 --> 00:28:12,146 Okay, about 15 seconds later. 440 00:28:12,146 --> 00:28:15,016 So it took about, I would say, a total of 60 seconds 441 00:28:15,016 --> 00:28:17,956 to generate those keys just because they're so beefy. 442 00:28:18,406 --> 00:28:22,496 So now I've got the encryption keys, I've generated this certificate, 443 00:28:22,496 --> 00:28:24,816 I've generated the public-key, I've generated the private-key. 444 00:28:25,116 --> 00:28:29,926 Now we need to enable it, so I'm going to, oops, I'm going to go on my device 445 00:28:29,926 --> 00:28:34,456 and do IP SSH, we're going to say version 2. 446 00:28:35,606 --> 00:28:40,866 Version 1 is old and I would say, nowadays considered, you know, bad form, 447 00:28:40,866 --> 00:28:44,686 it's not like somebody can hack it, it's just they've come out with improvements since then. 448 00:28:44,686 --> 00:28:46,736 So version 2 is the one that we want to use. 449 00:28:46,736 --> 00:28:51,686 Think of that as like a light switch behind the scenes, I just turned on SSH version 2. 450 00:28:52,146 --> 00:28:55,766 Now we create our local user accounts, what's this? 451 00:28:56,206 --> 00:29:00,786 Well, SSH unlike Telnet relies on a user name and a password. 452 00:29:01,066 --> 00:29:06,136 Now you remember so far when we've been managing our device, I Telnet in, I hit Telnet, 453 00:29:06,136 --> 00:29:12,416 it just says, what's your password, I type in Cisco and I'm in, I'm able to access the device. 454 00:29:12,496 --> 00:29:16,426 Well, SSH requires a user name and a password, or at least in the Cisco world it does. 455 00:29:16,426 --> 00:29:22,226 So what I need to do is in global configuration mode create a user account 456 00:29:22,226 --> 00:29:24,636 that I can use for SSH. 457 00:29:25,226 --> 00:29:31,226 So what I'll do is I'll type in username and whatever username I want to use.
458 00:29:31,226 --> 00:29:39,046 Now bad usernames are things like admin, root, administrator because if you're a hacker, 459 00:29:39,046 --> 00:29:41,726 those were always the accounts you're going to try first, you're going to say, 460 00:29:41,726 --> 00:29:43,816 I'm going to brute force something name [phonetic], I mean, 461 00:29:43,816 --> 00:29:47,826 try and come up with something unique, it doesn't have to be your name, it could be, 462 00:29:47,826 --> 00:29:52,316 you know, company admin or maybe the name of your company ADM, or such-- 463 00:29:52,316 --> 00:29:57,256 just something that wouldn't be so normal for people to use as the administrator. 464 00:29:58,006 --> 00:30:03,416 Jeremy would definitely classify as a non-normal administrator username or maybe, you know, 465 00:30:03,416 --> 00:30:05,916 if I want to be even more secure, I could do jeremy$, 466 00:30:06,406 --> 00:30:07,856 there's nothing to keep you from doing that. 467 00:30:08,046 --> 00:30:10,616 So I'll do Jeremy-- host name Jeremy. 468 00:30:10,916 --> 00:30:14,356 And then from there, I can type in either password 469 00:30:14,356 --> 00:30:18,536 to specify the password or secret to specify the secret. 470 00:30:18,936 --> 00:30:21,846 Now just like the enable password or enable secret, 471 00:30:21,846 --> 00:30:27,156 it's much better if your device supports it to use the secret because now the username 472 00:30:27,156 --> 00:30:30,166 and password will not be stored as clear text in the running config. 473 00:30:30,166 --> 00:30:36,246 So I'll say username Jeremy secret Cisco, just so I don't forget the password. 474 00:30:36,246 --> 00:30:43,236 So now I've got this user account I created and if I do a show running config, by the way, 475 00:30:43,236 --> 00:30:46,556 this do command, again, we saw this in the last nugget, 476 00:30:46,556 --> 00:30:48,946 it allows you to execute the show command from any mode.
477 00:30:49,256 --> 00:30:53,956 The only drawback of it is, the question mark doesn't work, so if I'm, you know, testing it, 478 00:30:53,956 --> 00:30:55,476 it's like, you know, I don't know. 479 00:30:55,476 --> 00:30:59,606 So the context sensitive help doesn't work, it just says line, as well as the tab key. 480 00:30:59,776 --> 00:31:01,916 So I can do show run, it's going to say-- 481 00:31:01,916 --> 00:31:04,976 I'm not complaining because I don't know what command you're trying to type, 482 00:31:04,976 --> 00:31:06,856 this is kind of a shortcut if you will. 483 00:31:06,856 --> 00:31:12,506 So do show run, I hit the space bar, or right there, I see username Jeremy secret-- 484 00:31:12,506 --> 00:31:16,236 you know, it's just like my enable secret, it's this nice gobbledygook 485 00:31:16,236 --> 00:31:19,956 that is encrypted there or hashed up on the screen. 486 00:31:19,956 --> 00:31:25,056 So now, I've created the local user accounts, now I need to choose 487 00:31:25,056 --> 00:31:28,556 to allow Telnet and I should put or SSH. 488 00:31:29,116 --> 00:31:35,746 Now, from the last nugget, what ports are Telnet ports? 489 00:31:35,746 --> 00:31:39,746 As in where do I go to configure a Telnet password, do you remember? 490 00:31:41,176 --> 00:31:46,896 Line VTY and then whatever line numbers I want to configure. 491 00:31:46,896 --> 00:31:50,356 Well, in my case, I want to configure all of them, all of them will support this. 492 00:31:50,356 --> 00:31:51,816 Now there's a command under it. 493 00:31:51,816 --> 00:31:58,966 Now notice that we've got under this VTY line, we have a password, 494 00:31:59,016 --> 00:32:02,916 we did that in the last nugget, that's what allowed me to Telnet in right here as I typed 495 00:32:02,916 --> 00:32:05,506 in the password of Cisco on the device.
496 00:32:05,806 --> 00:32:10,596 So there is a password under there, but I'm going to change the story a little bit by typing 497 00:32:10,596 --> 00:32:16,216 in the command, transport input, as in the kinds of protocols that are allowed 498 00:32:16,216 --> 00:32:22,276 in, that the transports, the ways that you can communicate with these VTY lines are going to be, 499 00:32:22,646 --> 00:32:27,376 and now I can specify SSH or Telnet, and you can say none, 500 00:32:27,376 --> 00:32:30,386 and that totally disables all remote access, I don't want to do that. 501 00:32:30,646 --> 00:32:35,936 Or we'd do both of them or you could type in for instance, if I wanted to still allow both Telnet 502 00:32:35,936 --> 00:32:42,046 and SSH, I could type in Telnet and SSH, and that says, I will allow both of them, 503 00:32:42,046 --> 00:32:45,406 so watch this, I'll go back here to my-- my command prompt. 504 00:32:45,756 --> 00:32:48,306 Let's put this up over here, hit the up arrow. 505 00:32:48,446 --> 00:32:50,696 And I see I can still Telnet into the device, right? 506 00:32:50,976 --> 00:32:59,166 Now if I go here and I do transport input and I just do SSH, now I've disabled Telnet 507 00:32:59,166 --> 00:33:05,246 and I come back here, and hit the up arrow, it's like, oh, I'm sorry, no soup for you, 508 00:33:05,716 --> 00:33:08,646 I cannot connect to the host on port 23, connection failed 509 00:33:08,646 --> 00:33:11,066 because I'm no longer allowing the Telnet protocol. 510 00:33:11,416 --> 00:33:17,316 Now let me get back to when I first said this, I said, why do you take the risk of using Telnet, 511 00:33:17,316 --> 00:33:22,196 why do that, and I said, if SSH is just as easy to use, and I said, asterisk [phonetic], codes, 512 00:33:22,356 --> 00:33:26,716 and [inaudible], just as easy is not-- again, so that's probably why Telnet is still around, 513 00:33:26,906 --> 00:33:31,426 is Microsoft never included a command line SSH client.
514 00:33:31,856 --> 00:33:36,756 Shame on you Microsoft for not doing that, they've always allowed Telnet, Unix, Linux, 515 00:33:36,756 --> 00:33:40,946 they've always supported SSH from a command line but not Microsoft. 516 00:33:40,946 --> 00:33:47,076 So in order to use SSH, we have to download a different program like PuTTY, 517 00:33:47,336 --> 00:33:51,836 like TeraTerm, like-- does this support it? 518 00:33:52,526 --> 00:33:53,716 TCP, no, no. 519 00:33:53,716 --> 00:33:59,856 So TeraTerm by itself does not support SSH, it does Telnet only. 520 00:33:59,856 --> 00:34:04,256 However, you can download an SSH version of TeraTerm. 521 00:34:04,256 --> 00:34:07,596 So let's actually go with PuTTY, that one is nice and easy. 522 00:34:07,916 --> 00:34:09,256 TeraTerm I have to install. 523 00:34:09,716 --> 00:34:13,536 Now watch this, I'm going to do PuTTY just on Google, here's my download page. 524 00:34:14,036 --> 00:34:16,046 Notice right here, legal warning. 525 00:34:17,196 --> 00:34:25,296 There are countries out there that don't allow you to encrypt your data beyond a certain level. 526 00:34:25,726 --> 00:34:29,406 Essentially, there's government entities out there that say, 527 00:34:29,816 --> 00:34:32,006 we want to be able to know what you're doing. 528 00:34:32,006 --> 00:34:35,926 Now, the United States is not one of those, Canada is not one of those, Mexico is not one-- 529 00:34:35,926 --> 00:34:39,966 I mean, but I would definitely make sure that you know before you do this, 530 00:34:40,256 --> 00:34:43,836 what your country supports because a lot of these countries will monitor. 531 00:34:44,076 --> 00:34:47,286 And they'll see what algorithms you're using for encryption.
532 00:34:47,396 --> 00:34:52,106 And if it's something that is beyond what they can decrypt, you're going to get a knock 533 00:34:52,106 --> 00:34:56,756 on the door or, I'm in the United States, I don't know what other countries do, 534 00:34:56,756 --> 00:34:59,926 I don't know of doors being kicked down, you know, the explosions, 535 00:34:59,926 --> 00:35:01,716 I don't know, it's a weird world out there. 536 00:35:01,956 --> 00:35:06,696 So the point is, be careful with what kind of encryption you use in your country. 537 00:35:06,986 --> 00:35:11,586 Here we can use whatever we want, I'm going to go download PuTTY which this is, you know, 538 00:35:11,586 --> 00:35:13,526 just-- actually, looks like I've downloaded it before 539 00:35:13,526 --> 00:35:15,246 because it's saying I'm downloading PuTTY one. 540 00:35:15,596 --> 00:35:19,866 So I open PuTTY and it says, okay, what do you want to do 541 00:35:19,866 --> 00:35:23,256 and you've got Telnet, Rlogin, SSH, Serial port. 542 00:35:23,256 --> 00:35:26,816 So I'm going to pick SSH and we type in 10.1.1.10 543 00:35:26,816 --> 00:35:29,446 which is the IP address of my switch, click on open. 544 00:35:29,726 --> 00:35:36,086 Now check this out, it says, this server's host key is not cached in the registry. 545 00:35:36,306 --> 00:35:41,146 You have no guarantee that this server is the computer you think it is. 546 00:35:41,266 --> 00:35:44,316 What's that mean, that kind of creeps me out. 547 00:35:44,496 --> 00:35:50,866 What it means is PuTTY just recognized this switch is using a certificate, 548 00:35:50,866 --> 00:35:54,406 it's using encryption keys that it just made up itself. 549 00:35:54,406 --> 00:35:56,736 So it's saying, you know what, this is your first time connecting here, 550 00:35:56,996 --> 00:36:00,936 it's saying that I approved my own certificate, you have no guarantee 551 00:36:00,936 --> 00:36:04,186 that this server really is the device that you think it is.
552 00:36:04,736 --> 00:36:07,326 If you're okay with that, go ahead and hit yes. 553 00:36:07,616 --> 00:36:12,316 Now I will say almost always we're okay with that, we-- you know, in our organizations, we'll 554 00:36:12,316 --> 00:36:14,876 typically generate our own server certificates. 555 00:36:14,876 --> 00:36:20,766 Now PuTTY memorizes that certificate, it says okay, then from here on out, this device, 556 00:36:20,766 --> 00:36:24,496 this MAC address, this IP address, you know, everything is now bound to that key, 557 00:36:24,496 --> 00:36:27,486 it's not going to ask you that again, it said, you said, I trusted-- 558 00:36:27,586 --> 00:36:33,006 and the only way it will pop up that message again is if maybe another device gives you 559 00:36:33,006 --> 00:36:35,886 that same certificate, you know, some other device out there, says, oh, 560 00:36:35,886 --> 00:36:40,126 I've got the same encryption keys, the other guys can be like, whoa, sabotage. 561 00:36:40,396 --> 00:36:44,396 So now it's asking me, who do you want to login as? 562 00:36:44,396 --> 00:36:49,526 Jeremy, this is the user account that I created, what is Jeremy's password, Cisco. 563 00:36:52,396 --> 00:36:56,606 Not what I expected, it was Cisco, right, Cisco. 564 00:36:58,746 --> 00:37:04,296 Okay, troubleshooting, actually, I think I know what it is. 565 00:37:04,296 --> 00:37:05,606 There's a command I forgot to show you. 566 00:37:06,686 --> 00:37:13,956 So a show run, I'm going to begin with, oh, it's saying, oops, "Sorry, you timed out." 567 00:37:13,956 --> 00:37:16,236 So let's begin with at line. 568 00:37:16,236 --> 00:37:20,106 We'll just zoom into those VTY lines, yeah, there's the problem. 569 00:37:20,836 --> 00:37:24,446 So one more command under those VTY lines, let's go into global config mode, 570 00:37:24,516 --> 00:37:28,476 I'm going to do line VTY 0 space 15, get back under there.
571 00:37:28,806 --> 00:37:34,906 See right here that it says, login, right, login, I know, it seems like okay, well, 572 00:37:34,906 --> 00:37:38,586 that's simple enough, right, isn't that-- oh, there's more to it. 573 00:37:38,756 --> 00:37:45,696 Login says, okay, log people into these ports, but use the password that's under here. 574 00:37:46,166 --> 00:37:51,516 Now that's the problem because we're already trying to use username and password. 575 00:37:51,516 --> 00:37:54,266 And under the ports, there's only a password. 576 00:37:54,356 --> 00:37:58,066 So essentially, login is used for Telnet to say, you know, 577 00:37:58,066 --> 00:38:01,076 Telnet in and you can use this password, they link together. 578 00:38:01,346 --> 00:38:05,206 But, and this sounds a little funny to do this, but instead we actually go 579 00:38:05,206 --> 00:38:09,056 to the VTY lines and type in login local. 580 00:38:09,906 --> 00:38:16,526 What that says to the device is use the local user database for your logins. 581 00:38:16,756 --> 00:38:20,476 Don't just try and login people and only require the password 582 00:38:20,476 --> 00:38:24,556 because frankly SSH doesn't even support that, it needs a username and a password. 583 00:38:24,846 --> 00:38:28,146 Instead, login using the local database on here. 584 00:38:28,436 --> 00:38:34,096 Now this is an alternative to login using the TACACS server, what's over that? 585 00:38:34,096 --> 00:38:39,196 So when we get big enough, we can set up our switches to where, you know, 586 00:38:39,196 --> 00:38:43,246 I don't want the user accounts on the switches because I have hundreds of them 587 00:38:43,246 --> 00:38:44,896 and routers and all these kinds of stuff.
588 00:38:44,896 --> 00:38:49,856 And I don't want to have to have usernames and passwords that I change on a regular basis 589 00:38:50,066 --> 00:38:55,646 where I Telnet into or SSH into 50 or a hundred different devices on a monthly basis 590 00:38:55,646 --> 00:38:58,586 and change everybody's password because that's a good security practice. 591 00:38:58,586 --> 00:39:04,226 Instead, what you can use is something called a TACACS server, Cisco makes them. 592 00:39:04,626 --> 00:39:08,736 And all the devices say, well, I get my user accounts from TACACS. 593 00:39:08,786 --> 00:39:14,706 So when I say on the port login space TACACS, that says, when somebody tries to login 594 00:39:14,706 --> 00:39:19,556 to these VTY lines, check their credentials against the TACACS server and that's 595 00:39:19,556 --> 00:39:21,226 where you create your user accounts. 596 00:39:21,226 --> 00:39:26,626 So then, I change my password in one place and all the devices say, oops, 597 00:39:26,626 --> 00:39:30,596 looks like there's a password change, you know, because, you know, they all just report 598 00:39:30,596 --> 00:39:33,416 to that centralized server, so that's the piece. 599 00:39:33,416 --> 00:39:37,466 So we can either login using TACACS which is a server, login using local 600 00:39:37,466 --> 00:39:41,056 which is the local user database on that device, it's going to be what we do here, 601 00:39:41,056 --> 00:39:43,596 or we can just type in login which says, use the password. 602 00:39:43,596 --> 00:39:46,986 So I'll type it again just for grins, login local. 603 00:39:46,986 --> 00:39:50,906 And now, I'll go back to PuTTY, give me my error. 604 00:39:51,376 --> 00:39:54,816 Let's go to restart session. 605 00:39:55,176 --> 00:39:59,416 There we go, login as Jeremy and this time password of Cisco. 606 00:40:00,496 --> 00:40:01,976 There we go, that's what I want to see. 607 00:40:02,056 --> 00:40:03,596 So it was the login local.
608 00:40:03,596 --> 00:40:05,316 Man, I can't believe I forgot that. 609 00:40:05,316 --> 00:40:11,096 So create the user, so choose to allow Telnet and SSH, that was the transport input. 610 00:40:11,096 --> 00:40:18,956 And then also seven, enable local login. 611 00:40:20,276 --> 00:40:23,636 I guess I could just group it under that one statement. 612 00:40:23,696 --> 00:40:28,126 So transport input, Telnet/SSH, if you want to do that. 613 00:40:28,126 --> 00:40:33,086 And then, enable the local login so that it uses the local user database. 614 00:40:34,296 --> 00:40:34,876 All right. 615 00:40:34,876 --> 00:40:37,256 So there is SSH in all its glory. 616 00:40:37,356 --> 00:40:40,146 And I know some of you are like, wait, summary, there's two more bullets on there. 617 00:40:40,356 --> 00:40:45,436 Well, yes, but those are really focused on what we did while we enabled SSH. 618 00:40:45,436 --> 00:40:49,636 Even though the goal of this was to enable SSH, we also learned how 619 00:40:49,636 --> 00:40:54,066 to manage existing user accounts or to manage user accounts on Cisco devices. 620 00:40:54,066 --> 00:40:59,176 That was what we did when I went to global configuration mode and created username Jeremy, 621 00:40:59,366 --> 00:41:03,036 password or secret Cisco to create user accounts. 622 00:41:03,036 --> 00:41:07,946 So that's-- you can do that not only for SSH, but also for all kinds of other stuff. 623 00:41:07,946 --> 00:41:09,756 As a matter of fact, let me show this to you. 624 00:41:10,076 --> 00:41:14,706 I know we disabled Telnet by using transport input SSH, 625 00:41:14,706 --> 00:41:18,956 but if I do transport input Telnet and SSH now, watch what happens.
626 00:41:19,356 --> 00:41:25,326 I open my command prompt and type in Telnet 10.1.1.10 and notice, 627 00:41:25,326 --> 00:41:30,766 now Telnet even is prompting me for a username, Jeremy and the password of Cisco, 628 00:41:30,766 --> 00:41:34,416 it's just not secure to do it that way because that's all transmitted in clear text. 629 00:41:34,686 --> 00:41:41,136 So this login local and these user accounts that we create impact both SSH and Telnet, not only 630 00:41:41,136 --> 00:41:45,726 when we do it, but also as you go down the road when you set up VPN connections, 631 00:41:45,726 --> 00:41:49,356 if you want to use web management, there's all kinds of things these user accounts are used for, 632 00:41:49,676 --> 00:41:52,096 you now know how to create them on Cisco devices. 633 00:41:52,096 --> 00:41:55,346 And then finally, encrypting passwords through using secret. 634 00:41:55,346 --> 00:42:03,006 So we create our user accounts using username, you know, jer secret cisco, 635 00:42:03,186 --> 00:42:08,286 instead of username jer password Cisco because password stores in clear text. 636 00:42:08,286 --> 00:42:16,486 And so passwords stored in clear text, which is not secure, you can encrypt using 637 00:42:16,486 --> 00:42:20,426 that service password encryption we saw in the last nugget which uses 638 00:42:20,426 --> 00:42:24,806 that crackerjack encryption, but nothing beats that secret encryption level. 639 00:42:24,806 --> 00:42:25,806 All right. 640 00:42:25,806 --> 00:42:30,526 Good. I hope this has been informative for you and I'd like to thank you for viewing.
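The SSH hardening steps walked through in the video (hostname and domain name, RSA key, ip ssh version 2, username ... secret, transport input ssh, login local) are easy to forget one at a time, exactly as happened with login local above. The script below is an added example, not part of the video or of any CBT Nuggets material: it parses a Cisco IOS running-config and reports which of those steps are missing or still in their weaker form. The two sample configs are constructed for illustration (the username hash is a placeholder, not a real secret). It assumes that a VTY line with no transport input statement permits Telnet, which is the IOS default, and it rates an RSA modulus the way the video does (512 weak, 1024 common, 2048 strong); the modulus is not in the running-config, so it is passed in separately after reading it from show crypto key mypubkey rsa.

```python
"""Audit a Cisco IOS running-config for the SSH hardening points from the video."""
import re

# Constructed "before" config: Telnet still allowed, password-based VTY login.
CONFIG_BEFORE = """\
hostname CBTSwitch
!
username jeremy password 0 cisco
!
line vty 0 15
 password cisco
 login
 transport input telnet ssh
!
"""

# Constructed "after" config: every step from the video applied.
# The secret hash is a placeholder, not a real hash.
CONFIG_AFTER = """\
hostname CBTSwitch
ip domain-name nuggetlab.com
ip ssh version 2
!
username jeremy secret 5 $PLACEHOLDER$hash
!
line vty 0 15
 password cisco
 login local
 transport input ssh
!
"""


def parse_config(text):
    """Split an IOS config into global commands and indented 'line ...' sections."""
    global_cmds = []
    sections = {}      # "line vty 0 15" -> [child commands]
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None          # '!' separates blocks
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            cmd = raw.strip()
            if cmd.startswith("line "):
                current = cmd
                sections[current] = []
            else:
                current = None
                global_cmds.append(cmd)
    return global_cmds, sections


def audit_config(text):
    """Return a list of findings; an empty list means all video steps are present."""
    findings = []
    global_cmds, sections = parse_config(text)

    if not any(c.startswith("hostname ") for c in global_cmds):
        findings.append("no hostname set (required before RSA key generation)")
    if not any(re.match(r"ip domain[- ]name ", c) for c in global_cmds):
        findings.append("no ip domain-name set (required before RSA key generation)")
    if "ip ssh version 2" not in global_cmds:
        findings.append("SSH version 2 not enforced (ip ssh version 2 missing)")

    # 'username X password' is stored reversibly or in clear text; 'secret' is hashed.
    for c in global_cmds:
        m = re.match(r"username (\S+) password ", c)
        if m:
            findings.append(f"user {m.group(1)} defined with 'password'; use 'secret'")

    for name, children in sections.items():
        if not name.startswith("line vty"):
            continue
        transport = next((c for c in children if c.startswith("transport input")), None)
        # Assumption: no transport input statement means the IOS default, which allows Telnet.
        if transport is None or "telnet" in transport or transport.endswith(" all"):
            findings.append(f"{name}: Telnet permitted ({transport or 'default transport'})")
        # SSH needs a username, so plain 'login' (line password only) breaks SSH logins.
        uses_userdb = any(c in ("login local", "login tacacs") or c.startswith("login authentication")
                          for c in children)
        if not uses_userdb:
            findings.append(f"{name}: 'login local' missing, SSH logins will fail")
    return findings


def rsa_modulus_rating(bits):
    """Rate an RSA modulus the way the video describes it."""
    if bits < 1024:
        return "weak"
    if bits < 2048:
        return "common"
    return "strong"


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(f"--- {label} ---")
        for f in audit_config(cfg) or ["no findings"]:
            print(" ", f)
    print("modulus 512:", rsa_modulus_rating(512), "/ 2048:", rsa_modulus_rating(2048))
```

Run it against a saved show running-config and fix whatever it lists; the leftover line password under the VTY lines is harmless once login local is in place, which is why the script does not flag it.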
