1
00:00:00,386 --> 00:00:02,806
>> I want to show you something kind of creepy.
2
00:00:03,486 --> 00:00:05,876
[laughs] How's that for starting a nugget?
3
00:00:06,126 --> 00:00:10,696
So last nugget, we kind of went through
the base configuration of our switch, right?
4
00:00:10,696 --> 00:00:12,166
I'm back on the console port now.
5
00:00:12,476 --> 00:00:14,936
We set it up with a management IP address.
6
00:00:15,766 --> 00:00:18,376
All right, that's it, I'm changing the password.
7
00:00:18,906 --> 00:00:22,606
I can't talk and type CBT
nuggets at the same time.
8
00:00:22,606 --> 00:00:27,546
I'm going in, enable secret, Cisco, there we go.
9
00:00:27,546 --> 00:00:28,846
Something I can brainlessly type.
10
00:00:28,846 --> 00:00:30,386
Oh, there is a fun message.
11
00:00:30,656 --> 00:00:33,256
[laughs] Well it sounds like-- I
want to show you something now,
12
00:00:33,256 --> 00:00:35,696
something totally different
than what I planned to show you.
13
00:00:35,696 --> 00:00:39,066
It says, "The enable secret you've chosen
is the same as your enable password,
14
00:00:39,066 --> 00:00:41,806
this is not recommended, please
reenter the enable secret."
15
00:00:42,046 --> 00:00:45,886
Remember, we talked about this in the last
nugget, actually two nuggets ago,
16
00:00:46,176 --> 00:00:48,676
the difference between enable
password and enable secret.
17
00:00:48,766 --> 00:00:54,296
Now, when I said enable secret is Cisco,
what the Cisco device is saying is, "Well,
18
00:00:54,296 --> 00:00:56,906
that's the same thing as your
clear text version," or, you know,
19
00:00:56,906 --> 00:00:59,506
the Cracker Jack encrypted version right here.
20
00:00:59,506 --> 00:01:00,556
They're like, this is not recommended.
21
00:01:00,756 --> 00:01:08,486
Now, let me ask you this, in that message
anywhere, does it say, "I didn't take that"?
22
00:01:08,996 --> 00:01:09,586
No, it didn't.
23
00:01:09,586 --> 00:01:11,486
It actually will take it just fine.
24
00:01:11,486 --> 00:01:16,996
The enable secret is indeed Cisco. Cisco
just wants to try and sway you as much
25
00:01:16,996 --> 00:01:20,546
as they possibly can not to do
that, or at least to go in here
26
00:01:20,666 --> 00:01:25,526
and do a no enable password, which I
think I did in the last couple of nuggets,
27
00:01:25,526 --> 00:01:28,636
but I obviously didn't save my
configuration so I'll do that now.
28
00:01:28,746 --> 00:01:35,956
So anyway, back to what I wanted to show you, we
assigned an IP address to this switch right here
29
00:01:36,506 --> 00:01:38,106
so that I can manage it remotely.
30
00:01:38,106 --> 00:01:43,086
And then, as kind of the culmination of that
configuration piece, I said, well let's do this.
31
00:01:43,276 --> 00:01:45,396
I've got my computer, let me grab my pen.
32
00:01:45,396 --> 00:01:50,096
I've got my computer plugged
into that switch at 10.1.1.--
33
00:01:50,096 --> 00:01:55,636
I think I gave it 100, and here's the
switch, it is assigned 10.1.1.10 and that's--
34
00:01:55,636 --> 00:01:59,306
by the way, the only thing this IP address
is used for is management purposes.
35
00:01:59,346 --> 00:02:02,526
So I was like, "Hey, well let's Telnet in."
36
00:02:02,526 --> 00:02:03,346
This is what I want to show you.
37
00:02:03,706 --> 00:02:07,716
Remember early on in the series, I
opened our good friend Wireshark.
38
00:02:07,716 --> 00:02:11,046
And I know early on, you're probably
like, "Okay, that was intense."
39
00:02:11,156 --> 00:02:15,416
Wireshark is intense for most people that
are just getting started in the Cisco world.
40
00:02:15,416 --> 00:02:19,876
So I'm going to get you familiar with it,
'cause it is a huge troubleshooting tool
41
00:02:19,876 --> 00:02:23,206
to where you can see information
at every layer of the OSI model.
42
00:02:23,206 --> 00:02:25,876
And here's what I want to show
you, I'm going to open a capture.
43
00:02:26,436 --> 00:02:32,856
All right, here, and the network
adapter that I have connected to the switch
44
00:02:32,856 --> 00:02:36,936
is actually this little USB
2.0 Fast Ethernet Adapter.
45
00:02:36,936 --> 00:02:39,316
And now you can see, there's
not much going on in my network.
46
00:02:39,316 --> 00:02:42,536
I had some stuff, maybe some, I
don't know, something going on there.
47
00:02:42,536 --> 00:02:45,196
But not much going on because
I'm not really doing anything.
48
00:02:45,196 --> 00:02:49,156
So I will say, "This is the one I
want to capture, let's do a start."
49
00:02:49,156 --> 00:02:52,616
So Wireshark is now monitoring the
adapter, where it's seeing some, you know,
50
00:02:52,616 --> 00:02:56,506
occasional spanning tree messages, which we're
going to discuss a little bit later.
51
00:02:56,736 --> 00:02:59,116
But I'm going to open up a Telnet session.
52
00:02:59,686 --> 00:03:02,536
Wait a second, not like that.
53
00:03:02,736 --> 00:03:11,176
I'm going to do a-- there we go,
Telnet 10.1.1.10 behind the scenes.
54
00:03:11,396 --> 00:03:16,386
And I should see, there we go, you know,
I've got to change that login message.
55
00:03:16,576 --> 00:03:21,076
Behind the scenes, notice Wireshark is
like, "Oh, I see Telnet data, Telnet data."
56
00:03:21,076 --> 00:03:24,556
Now down here, it's like, okay
that's all just kind of gobbledygook.
57
00:03:24,556 --> 00:03:26,156
So, just kind of ignore that for now.
58
00:03:26,156 --> 00:03:31,346
So I'm going to login and I'm going to say,
"Okay, my password is Cisco," because, you know,
59
00:03:31,876 --> 00:03:33,226
that's my Telnet password [phonetic].
60
00:03:33,226 --> 00:03:36,986
Again, behind the scenes, Wireshark
is like, "Munchy, Telnet data."
61
00:03:37,356 --> 00:03:38,396
I'm going to go, "Okay.
62
00:03:38,396 --> 00:03:40,076
Well, let's get into privileged mode."
63
00:03:40,076 --> 00:03:44,386
Cisco, type that in and hit the enter
key, and okay, I think that's enough.
64
00:03:45,046 --> 00:03:46,296
Let's go in and stop that capture.
65
00:03:46,296 --> 00:03:49,686
Now, in here, Wireshark is like,
"Okay, I've captured all this data."
66
00:03:49,686 --> 00:03:52,786
Now, if I really want to say, "Well,
what was that data that you captured?"
67
00:03:53,046 --> 00:03:55,346
Now, this is layer 2 of the OSI style model.
68
00:03:55,346 --> 00:03:55,856
It's saying, "Okay.
69
00:03:55,856 --> 00:03:59,206
Well, it was from this source MAC address,"
70
00:03:59,206 --> 00:04:03,736
my little Apple USB adapter going
to this destination MAC address.
71
00:04:03,796 --> 00:04:08,716
I'm using these IP addresses, you can see the
source IP and then there was a lot more stuff
72
00:04:08,716 --> 00:04:13,786
in the header than source and destination IP,
but source is 10.1.1.100, destination, I mean--
73
00:04:13,786 --> 00:04:16,606
so all of that-- we saw this
previously, I can go through every layer.
74
00:04:16,806 --> 00:04:20,506
But really, at the application layer
of the OSI style model, it's saying,
75
00:04:20,586 --> 00:04:25,696
"I captured SC [phonetic],
and then I captured O."
76
00:04:26,376 --> 00:04:28,116
Oh wait a second, that sounds a little familiar.
77
00:04:28,296 --> 00:04:30,826
I captured I, let's see, where did that come in?
78
00:04:31,056 --> 00:04:33,646
I captured slash R-- oh, what is this?
79
00:04:33,646 --> 00:04:37,126
Well, there's a little feature in Wireshark
80
00:04:38,486 --> 00:04:42,816
where you can actually analyze
and follow the TCP stream.
81
00:04:43,026 --> 00:04:47,346
What that does is it tells Wireshark,
you know what, this is one stream.
82
00:04:47,556 --> 00:04:49,776
I've highlighted one stream of data right here.
83
00:04:49,956 --> 00:04:57,506
How about-- can you just kind of follow
that and put that all back together?
84
00:04:57,506 --> 00:05:00,226
Panic. Heart attack, what?
85
00:05:00,426 --> 00:05:01,846
What? What's the deal here?
86
00:05:01,846 --> 00:05:04,296
And then everything that I just typed in.
87
00:05:04,566 --> 00:05:07,066
I telnetted to the switch and
immediately, it's like,
88
00:05:07,066 --> 00:05:10,986
I saw a logon banner come across,
user identification password.
89
00:05:10,986 --> 00:05:14,196
All of a sudden, it's in red, Cisco.
90
00:05:14,926 --> 00:05:20,406
And then all of the sudden, I see this enable,
you know, it's kind of like, okay what's this?
91
00:05:20,406 --> 00:05:22,256
And then, it's in red, Cisco.
92
00:05:22,256 --> 00:05:24,456
You know, what do the colors represent?
93
00:05:24,456 --> 00:05:26,306
Can anyone figure that out
just by looking at it?
94
00:05:26,496 --> 00:05:27,736
What do the colors represent?
95
00:05:28,236 --> 00:05:29,876
It's the send and receive.
96
00:05:30,256 --> 00:05:34,496
So essentially, the blue is what my
computer has received from the other side,
97
00:05:34,736 --> 00:05:37,846
the red is what I've sent to the other side.
98
00:05:37,946 --> 00:05:41,046
Now you know, when I was-- you saw
it, when I telnetted into the switch,
99
00:05:41,226 --> 00:05:42,816
I couldn't actually see the password.
100
00:05:43,136 --> 00:05:46,116
And that's because the device
did not echo it back to me.
101
00:05:46,416 --> 00:05:49,686
Everything that you typed in
Telnet is actually echoed back.
102
00:05:49,686 --> 00:05:56,056
You see, I typed in enable, which my
computer actually sent, you can see the red E N--
103
00:05:56,056 --> 00:06:00,056
well it's hard to highlight just--
you get it, you see the red, right?
104
00:06:00,146 --> 00:06:01,196
That's what I sent.
105
00:06:01,196 --> 00:06:04,206
And the switch actually echoed that back to me.
106
00:06:04,206 --> 00:06:06,456
It's like, "Okay, you sent
an e-- let me echo it back."
107
00:06:06,456 --> 00:06:08,616
And that's how my terminal displays it.
108
00:06:08,616 --> 00:06:11,446
And really the only difference
is, when I typed in the passwords,
109
00:06:11,786 --> 00:06:14,086
the switch turned off the echo back.
110
00:06:14,166 --> 00:06:16,936
So it's like, "Okay, you've sent it
to me but I'm not echoing it back."
111
00:06:16,936 --> 00:06:20,336
But is there-- did anyone see
a problem with this picture?
112
00:06:21,266 --> 00:06:27,136
[laughs] I mean all of my-- what I thought
was a secure password is now exposed.
113
00:06:27,256 --> 00:06:31,706
And if somebody in your environment
knows what they're doing with Wireshark,
114
00:06:31,856 --> 00:06:36,576
it's going to expose the passwords that you're
typing as you're logging into the switch.
115
00:06:36,576 --> 00:06:40,536
So I do this little let-me-show-you
demonstration to demonstrate
116
00:06:40,536 --> 00:06:42,816
that Telnet is not a good protocol.
117
00:06:43,416 --> 00:06:49,946
Not-- I mean, good, it's functional but not
a secure protocol because if anybody has eyes
118
00:06:50,086 --> 00:06:54,496
to see that communication that's
going between you and the device,
119
00:06:54,746 --> 00:06:57,306
they will be able to decrypt--
well, decrypt, it's not even encrypted,
120
00:06:57,306 --> 00:07:01,136
they will be able to see everything that
you're typing because Telnet is in clear text.
121
00:07:01,136 --> 00:07:08,256
Now, I don't even know if I should say this but
I want to because I want to tell you the truth.
122
00:07:08,416 --> 00:07:13,706
So let's say you are sitting at your
desk and you telnet to your device.
123
00:07:14,046 --> 00:07:16,356
Does that mean you're totally doomed?
124
00:07:16,556 --> 00:07:18,816
Like, somebody, you know,
somebody just grabbed your password
125
00:07:18,996 --> 00:07:21,436
and they are now going to hack your network?
126
00:07:21,436 --> 00:07:26,196
Or, you know, worse yet, let's say you're
sitting on that beach in Hawaii or at home
127
00:07:26,416 --> 00:07:32,196
and you telnet across the internet to
a firewall that you have over here.
128
00:07:32,196 --> 00:07:34,016
And so, you're actually telnetting,
you're sending all
129
00:07:34,016 --> 00:07:36,176
of that in clear text over the internet.
130
00:07:36,176 --> 00:07:41,696
Does that mean that the evil beings out on the
internet immediately see that communication
131
00:07:41,696 --> 00:07:44,986
and will now hack your firewall because
they have all the passwords necessary?
132
00:07:46,426 --> 00:07:49,346
Chances are good that that won't happen.
133
00:07:49,586 --> 00:07:53,936
First off, and so-- now, I don't want
to give you a false sense of confidence
134
00:07:53,936 --> 00:07:57,026
because it is still true, still
valid that Telnet is not good to use.
135
00:07:57,026 --> 00:08:00,406
But first off, in your environment,
one of the things that switches do,
136
00:08:01,566 --> 00:08:09,736
and let me bring up my drawing a little bit
more, one of the things that switches do is--
137
00:08:10,046 --> 00:08:13,816
wait a minute, my brain just checked out.
138
00:08:13,816 --> 00:08:16,976
Okay, switches separate into
separate collision domains.
139
00:08:17,006 --> 00:08:21,356
So let's say that your router is right
here, and your computer is plugged
140
00:08:21,356 --> 00:08:25,716
in right here, and I telnet from here to here.
141
00:08:25,886 --> 00:08:30,666
Well, that communication only goes
between your computer and that router.
142
00:08:30,666 --> 00:08:31,496
It's not like a hub.
143
00:08:31,496 --> 00:08:34,766
In the hub days, I would say, there's
much more of a chance of you being doomed
144
00:08:34,986 --> 00:08:40,386
because anybody-- if this were a hub, anybody
could open Wireshark if they wanted to
145
00:08:40,386 --> 00:08:42,176
and see all communication on the network.
146
00:08:42,366 --> 00:08:46,356
But if I'm directly telnetting from my
device to that router, that firewall, well,
147
00:08:46,356 --> 00:08:49,306
it's only coming in my port
and coming out at this port.
148
00:08:49,306 --> 00:08:53,376
So if somebody over here, you know, here's
evil person X that has opened Wireshark
149
00:08:53,376 --> 00:08:59,006
and they're sniffing packets, they actually
won't see my communication unless they start
150
00:08:59,006 --> 00:09:00,516
sabotaging your switch.
151
00:09:00,956 --> 00:09:05,396
There's a little program that anybody can
download, it's free, called Cain & Abel.
152
00:09:06,716 --> 00:09:12,196
It is like a Swiss Army Knife of hacking tools
that are kind of like point and click, like,
153
00:09:12,196 --> 00:09:14,486
you click a few buttons and
you unleash a hacking attack.
154
00:09:14,796 --> 00:09:19,256
One of the things that they can do is
unleash what's called a CAM Table Overflow.
155
00:09:19,566 --> 00:09:22,596
See, CAM stands for Content-Accessible
Memory, right?
156
00:09:22,856 --> 00:09:27,236
It's where your switch stores all the
MAC addresses that it knows about.
157
00:09:27,436 --> 00:09:31,596
So if they do this successfully, what will
happen is their computer will send thousands,
158
00:09:31,596 --> 00:09:36,596
and thousands, and thousands of packets into
the switch sourced from different MAC addresses.
159
00:09:36,636 --> 00:09:39,326
So the switch is like, "Okay,
I've learned about this, and this,
160
00:09:39,326 --> 00:09:40,216
and this, and this, and this, and this."
161
00:09:40,216 --> 00:09:43,936
And their goal by doing that is to fill
up the CAM table to where there are
162
00:09:43,936 --> 00:09:46,686
so many MAC addresses stored
in there that the switch is like,
163
00:09:46,686 --> 00:09:49,616
"I'm out of memory, I can't store anymore."
164
00:09:49,986 --> 00:09:53,406
And what the switch does at that
point is turn itself into a hub.
165
00:09:53,406 --> 00:09:57,056
It's like, "Well, if I can't store anything,
if my CAM table is full, then I'm just going
166
00:09:57,056 --> 00:10:01,836
to forward everything everywhere because I
don't want communication not to be received."
167
00:10:02,056 --> 00:10:06,496
So as soon as that happens, now this evil
person can capture your Telnet session.
168
00:10:06,496 --> 00:10:11,766
But my point is that, it's going to take a
little bit of work for them to do that, okay?
169
00:10:11,916 --> 00:10:16,266
So it's not as easy-- I mean like, obviously,
it's easy for me because I'm actually
170
00:10:16,266 --> 00:10:19,086
on the computer that's doing
the telnetting, you know?
171
00:10:19,086 --> 00:10:23,186
And if I'm on that computer then, you
know, for sure I can capture that.
172
00:10:23,426 --> 00:10:28,566
Or if somehow this computer is
compromised, as in there's a worm
173
00:10:28,566 --> 00:10:31,676
or some creepy thing that's
installed on it, a keystroke logger.
174
00:10:31,676 --> 00:10:34,216
I mean there's all kinds
of ways to hack a computer.
175
00:10:34,676 --> 00:10:38,966
But that's-- it's not just as
easy as opening Wireshark anywhere
176
00:10:38,966 --> 00:10:40,436
in the network and capturing passwords.
177
00:10:40,596 --> 00:10:41,826
And the same thing on the internet.
178
00:10:41,826 --> 00:10:45,816
If I telnet across the internet,
that's really not a good practice,
179
00:10:46,106 --> 00:10:48,486
but does that mean we are destroyed immediately?
180
00:10:48,846 --> 00:10:57,506
Well, I would say no, simply because there
is so much data going around the internet
181
00:10:57,926 --> 00:11:04,166
that you're almost secure in obfuscation--
it's just, by the sheer quantity,
182
00:11:04,166 --> 00:11:08,146
you know, terabytes and terabytes of data
every minute are being transferred all
183
00:11:08,146 --> 00:11:12,736
around the internet, you know, who's to say that
somebody is going to grab your Telnet session
184
00:11:13,166 --> 00:11:17,856
in there and it would also mean that someone
in the middle of your communication is going
185
00:11:17,856 --> 00:11:22,516
to be doing the grabbing, as in you, you
know, maybe came in through your Cox or Qwest,
186
00:11:22,516 --> 00:11:23,456
you know, what-- or some kind
187
00:11:23,456 --> 00:11:26,146
of service provider that's giving
you your internet connection.
188
00:11:26,146 --> 00:11:30,546
So there would be an evil person sitting
there that could capture it, or, you know,
189
00:11:30,546 --> 00:11:35,106
they pass it to, you know, Level 3 or Time
Warner, you know, these big service providers.
190
00:11:35,346 --> 00:11:39,696
You know, and so there somebody evil,
they're so-- so for those things to happen,
191
00:11:39,696 --> 00:11:46,316
for somebody to capture your Telnet session, there
would have to be a shady person existing at one
192
00:11:46,316 --> 00:11:49,746
of the service providers that you're
going through, and they would have
193
00:11:49,746 --> 00:11:52,796
to find your conversation among
trillions of conversations
194
00:11:52,796 --> 00:11:54,516
that are happening across the internet.
195
00:11:54,906 --> 00:11:59,306
So what I'm saying is, there's
different levels of paranoia, right?
196
00:11:59,306 --> 00:12:03,916
There are some people that are like, you know,
I type my credit into a website and it's gone,
197
00:12:03,916 --> 00:12:07,306
I know, somebody is going to sell
that, and steal it, and I'm defrauded.
198
00:12:07,306 --> 00:12:10,116
I mean, there are people who are like, Agent
[inaudible] is standing outside my door
199
00:12:10,116 --> 00:12:13,546
or waiting for me to use my computer because
then they will know everything that I'm trying
200
00:12:13,546 --> 00:12:16,306
to do, so there are different levels.
201
00:12:16,306 --> 00:12:19,416
And then there's people that, you know,
that are kind of like, hey, you know what,
202
00:12:20,296 --> 00:12:24,076
the world is happy place, there are no
hackers, you know, it's all-- you know, it's--
203
00:12:24,076 --> 00:12:26,906
there are totally different levels of paranoia.
204
00:12:26,906 --> 00:12:31,006
The best thing to be, I would say, it's
probably better to be over paranoid than less
205
00:12:31,006 --> 00:12:33,316
because there's less chance
of something bad happening.
206
00:12:33,666 --> 00:12:38,916
But just to put into a reality, the world
isn't waiting to hack your Telnet session,
207
00:12:39,516 --> 00:12:41,076
there are certain people that wish they could,
208
00:12:41,266 --> 00:12:43,926
but it's going to be very
difficult for them to get that.
209
00:12:44,316 --> 00:12:51,416
All of that is a precursor to managing
your Cisco the right way, using SSH.
210
00:12:52,596 --> 00:12:56,596
Now I know some of you might be thinking--
well, that was kind of a long precursor, right?
211
00:12:56,776 --> 00:13:00,626
Well, yeah, but there is so much meat in there,
you know, we've seen how to use Wireshark
212
00:13:00,626 --> 00:13:04,676
to follow a TCP stream and reassemble data,
you can do that with anything, outlook e-mails,
213
00:13:04,676 --> 00:13:06,366
Excel spreadsheets, anything
that is being sent.
214
00:13:06,706 --> 00:13:09,446
At the time, you can capture and
reassemble and put it back together.
215
00:13:09,636 --> 00:13:15,156
We saw how clear-text Telnet is by design,
that's just how the protocol was written,
216
00:13:15,156 --> 00:13:19,156
but at the same time, how using it
doesn't mean that Big Brother suddenly comes
217
00:13:19,156 --> 00:13:21,116
down and says, "I have the keys to your network."
218
00:13:21,436 --> 00:13:24,636
But it-- you know, as point
number four, why risk it?
219
00:13:24,636 --> 00:13:28,376
I mean, what's the chance that somebody is going
to grab your data and hack you, one in ten,
220
00:13:28,596 --> 00:13:33,036
one in a hundred, one in a million, it depends
on where you are in the world and what kind
221
00:13:33,036 --> 00:13:34,826
of malicious person would want your data.
222
00:13:35,176 --> 00:13:37,466
But the point is, why take that chance,
223
00:13:37,466 --> 00:13:40,066
why add that to one more thing
that you have to worry about.
224
00:13:40,066 --> 00:13:46,446
Instead, go with Cisco's recommendation, use
Secure Shell, or SSH to manage your network.
225
00:13:46,896 --> 00:13:50,976
Now before I show you how to set it
up, I want to show you how it works
226
00:13:50,976 --> 00:13:54,056
because when you understand
this, you understand how--
227
00:13:54,186 --> 00:13:58,096
almost all major security algorithms
work across the public internet,
228
00:13:58,096 --> 00:14:02,256
you'll be able to explain how VPNs
work, how secure web surfing works
229
00:14:02,256 --> 00:14:04,246
because they all use the same method as SSH.
230
00:14:04,246 --> 00:14:09,056
Essentially, you have a client that
wants to have some kind of secure session
231
00:14:09,056 --> 00:14:12,836
with a server, or, you know, a router,
or a switch, or whatever you want to do
232
00:14:13,026 --> 00:14:18,186
over some untrusted network and, you know,
just about any network unless, you know,
233
00:14:18,186 --> 00:14:20,776
I can own every single piece of cable in there
234
00:14:20,776 --> 00:14:23,786
and know exactly what's on
it, is an untrusted medium.
235
00:14:23,786 --> 00:14:25,366
So, let's just say we've got the internet.
236
00:14:25,366 --> 00:14:26,646
I'm going to show you how
it works for, you know,
237
00:14:26,646 --> 00:14:29,766
secure web surfing and then,
I'll apply it to SSH.
238
00:14:30,116 --> 00:14:35,936
Now let's say we go to HTTPS, you know
bank.com, whatever online bank we decide to use.
239
00:14:36,986 --> 00:14:45,426
Now the big question is, how do I know that this
is secure? I mean, HTTPS, by the way, uses SSL,
240
00:14:45,756 --> 00:14:49,936
Secure Sockets Layer, and it's
the same concept as SSH.
241
00:14:50,306 --> 00:14:54,916
How do I know that this is secure, I mean,
if you think about it in order for security
242
00:14:54,916 --> 00:14:59,766
to happen, the server or the client
has to send an encryption key
243
00:15:00,596 --> 00:15:04,836
which is essentially a mathematical formula that
says, here's how I'm going to encrypt my data,
244
00:15:05,056 --> 00:15:07,736
that's kind of like a secret key
that only those two can have.
245
00:15:07,736 --> 00:15:12,226
Well the problem is if there's eyes on
this network, if this is untrusted network,
246
00:15:12,616 --> 00:15:15,416
then that's the problem,
because if I send the key,
247
00:15:15,416 --> 00:15:18,176
then anybody can grab the key and we're doomed.
248
00:15:18,866 --> 00:15:23,706
Well, that's the same problem
that a fellow named Martin Hellman
249
00:15:23,866 --> 00:15:28,076
and Whitfield Diffie faced
decades and decades ago.
250
00:15:28,336 --> 00:15:32,456
It's how do you have security over a public
network when you can't send security keys
251
00:15:32,776 --> 00:15:34,436
in clear text that anybody can grab?
252
00:15:34,796 --> 00:15:38,386
And they came up with a method
of public-key cryptography.
253
00:15:38,606 --> 00:15:40,086
So here's how it works.
254
00:15:40,086 --> 00:15:43,716
Essentially, the bank will have
what's called a certificate.
255
00:15:43,716 --> 00:15:50,356
And that certificate will have an encryption
algorithm on it, it's known as the public-key.
256
00:15:50,856 --> 00:15:56,586
Now, the public-key is half
of an encryption formula.
257
00:15:56,956 --> 00:16:02,396
So essentially, anything that is encrypted
with the public-key can only be decrypted
258
00:16:02,736 --> 00:16:06,866
by something called the private-key
which is kept
259
00:16:06,866 --> 00:16:09,526
on the server never, ever,
ever given out to anybody.
260
00:16:09,766 --> 00:16:14,066
Because if I give out that private-key to
anybody then this whole algorithm fails,
261
00:16:14,066 --> 00:16:16,486
because now anything can be decrypted.
262
00:16:16,486 --> 00:16:20,586
Now, have you ever gone to a website
and it comes up and you get that message
263
00:16:20,586 --> 00:16:24,576
in Internet Explorer, or Chrome, or
Firefox, whatever, and it comes up and says,
264
00:16:25,006 --> 00:16:27,556
warning this website not trustable, you know,
265
00:16:27,556 --> 00:16:30,526
this website has a certificate
that is not trustworthy.
266
00:16:30,886 --> 00:16:34,276
Well, you know, and most of us, if you're
like me and like, yeah, whatever, you know,
267
00:16:34,276 --> 00:16:35,846
and continue, I want to get to the website.
268
00:16:36,016 --> 00:16:40,096
Well, that message hid-- it gives you
a warning because what it saying is,
269
00:16:40,326 --> 00:16:42,856
this server may have just
made up their own certificate.
270
00:16:43,126 --> 00:16:48,486
As in nobody has gone out and really said that
this website is secure and this website is
271
00:16:48,486 --> 00:16:52,606
who they say they are, that's why we have
this concept of certificate authorities.
272
00:16:52,846 --> 00:16:56,556
Places like VeriSign and
all of that kind of stuff.
273
00:16:56,556 --> 00:16:59,196
I'll just throw VeriSign
out there as one of them.
274
00:16:59,196 --> 00:17:05,346
So if I was a real company, I would take and
apply for a real certificate from VeriSign.
275
00:17:05,546 --> 00:17:08,606
VeriSign would say, okay, let me
verify that you are, who you are,
276
00:17:08,606 --> 00:17:10,346
what's your federal tax ID number, what--
277
00:17:10,346 --> 00:17:12,626
you know, they would make sure
that you are the real deal,
278
00:17:12,846 --> 00:17:17,766
and then they would issue a certificate and an
encryption or essentially public private-key set
279
00:17:17,986 --> 00:17:21,176
that is trusted by all the
browsers of the world.
280
00:17:21,296 --> 00:17:25,636
So Chrome, you know, Internet Explorer, they've
all agreed that they will trust the VeriSign
281
00:17:25,846 --> 00:17:31,146
as an authority to give out these certificates
and approve the servers on the internet
282
00:17:31,146 --> 00:17:34,576
to really be a valid server. Now,
is that proof? No, no, it's not.
283
00:17:34,756 --> 00:17:39,066
But it's definitely a good
layer on top of it to make sure
284
00:17:39,066 --> 00:17:42,356
that we don't have these
false identities out there.
285
00:17:42,356 --> 00:17:46,526
Now, so this guy gets a certificate,
whether it was, they made it up themselves
286
00:17:46,526 --> 00:17:51,246
or a CA gave it, and this certificate has
half of an encryption algorithm on it.
287
00:17:51,246 --> 00:17:54,556
So the very first time, when
you go to bank.com,
288
00:17:54,806 --> 00:17:59,596
they will send over this public-key,
half of an encryption algorithm.
289
00:18:00,126 --> 00:18:04,246
And your browser, your Internet explorer, your
Chrome, your, whatever you're using will say,
290
00:18:04,246 --> 00:18:11,276
great, I am now going to generate
what is called a session key.
291
00:18:11,616 --> 00:18:16,896
Now that session key is only
good for this one time use only.
292
00:18:17,436 --> 00:18:22,816
Session key is, you know, once I'm done
talking to this website, I'm going to flash it.
293
00:18:22,816 --> 00:18:27,636
It is an encryption algorithm, it is called
a single key or I guess the technical word
294
00:18:27,636 --> 00:18:31,076
that you would use for it is
asymmetrical encryption algorithm.
295
00:18:31,426 --> 00:18:38,856
One key to rule them all, one key to encrypt
one key to decrypt, it's fast, it's efficient,
296
00:18:38,856 --> 00:18:43,206
it's what we want to use because we
want to have our communication go
297
00:18:43,206 --> 00:18:45,766
as fast as possible, but also one key.
298
00:18:45,766 --> 00:18:48,706
So I can't just send that one key
to the server across the internet
299
00:18:48,706 --> 00:18:51,036
because someone would get my one
key and be able to decrypt it.
300
00:18:51,196 --> 00:18:52,276
So you see where this is going?
301
00:18:52,636 --> 00:18:59,266
So I send half of an encryption formula to
the client, that's this piece right here.
302
00:18:59,386 --> 00:19:02,746
And this is also by the way
called asymmetric encryption.
303
00:19:02,976 --> 00:19:07,356
Multiple keys, or two keys to
be specific, to rule them all.
304
00:19:07,356 --> 00:19:11,056
But very processor-heavy to
handle this kind of encryption.
305
00:19:11,056 --> 00:19:13,636
So, he sends me half of an encryption algorithm.
306
00:19:13,886 --> 00:19:21,606
This guy says, I'm going to take that
public key and encrypt my session key, gone.
307
00:19:22,106 --> 00:19:28,616
It is now scrambled, it's encrypted, and
the only one that can decrypt it is bank.com
308
00:19:28,866 --> 00:19:32,096
because they're the only one that has
this private-key behind the scenes.
309
00:19:32,296 --> 00:19:35,296
So, now obviously, I knew what it
was before I encrypted it, right?
310
00:19:35,486 --> 00:19:38,226
So I now send an encrypted encryption key.
311
00:19:39,286 --> 00:19:40,826
Think that one through, right?
312
00:19:40,936 --> 00:19:47,056
An encrypted-- encryption key over to bank.com
who now decrypts it using their private-key,
313
00:19:47,206 --> 00:19:50,596
and now, it's going to be a new color.
314
00:19:50,716 --> 00:19:59,056
We have the session key successfully transmitted
and used on both sides for that session.
315
00:19:59,616 --> 00:20:02,866
A fresh encryption algorithm
used for that session.
316
00:20:03,146 --> 00:20:05,316
Once that session is done, I tear it down
317
00:20:05,396 --> 00:20:08,266
and the session key is destroyed,
never to be used again.
318
00:20:09,046 --> 00:20:14,936
Now, that is how public-key encryption works
which is really amazing, it's really powerful
319
00:20:14,936 --> 00:20:19,496
to have that kind of algorithm on the internet
as you surf the websites, it's the same thing
320
00:20:19,496 --> 00:20:24,636
that's used for SSH, it's the same thing when
I have a VPN tunnel, like I want to connect
321
00:20:24,636 --> 00:20:27,316
to my private network using a tunnel over that.
322
00:20:27,316 --> 00:20:31,266
They all used the same kind
of algorithm, this public-key.
323
00:20:31,266 --> 00:20:36,346
Now I know some of you are watching this whole
thing and be like, "Okay, okay, come on."
324
00:20:37,196 --> 00:20:41,456
If somebody gets the public-key which is,
you know, half of an encryption formula,
325
00:20:41,456 --> 00:20:44,026
can't they figure out the private-key?
326
00:20:44,026 --> 00:20:49,866
I mean, I grew up, I went into some
heavy math, you know, X plus 1 equals 3.
327
00:20:49,866 --> 00:20:54,856
If I get, you know, half that formula and
I'm like, okay, I don't have a piece of that,
328
00:20:54,856 --> 00:20:56,676
can't they, you know, you see, what I mean?
329
00:20:56,676 --> 00:21:00,186
Can't it be like, well, okay, X
is really 2 because I can kind
330
00:21:00,186 --> 00:21:04,456
of reverse engineer this, no, theoretically, no.
331
00:21:04,696 --> 00:21:07,576
But that theory has been
proved for decades and decades.
332
00:21:07,716 --> 00:21:13,386
Now I will tell you, if somebody came-- by the
way, this is called Diffie-Hellman Encryption
333
00:21:14,346 --> 00:21:16,716
because those two guys, well,
actually, there's three guys,
334
00:21:16,716 --> 00:21:19,206
but he got cut out of the
loop, no royalties for him.
335
00:21:19,486 --> 00:21:23,946
But they are the ones who pioneered
this public-key encryption algorithm.
336
00:21:23,946 --> 00:21:27,986
Now since then it's been translated
into many different forms, you'll hear things
337
00:21:27,986 --> 00:21:30,986
like RSA, there's all kinds of different methods
338
00:21:30,986 --> 00:21:33,976
of doing public-key cryptography,
but the concept is all the same.
339
00:21:34,226 --> 00:21:39,966
Now if somebody ever came out and said,
hey, I figured out how to reverse this,
340
00:21:40,066 --> 00:21:45,376
I figured out how, you know, if I get a
public-key on the internet, how to fix,
341
00:21:45,376 --> 00:21:47,626
you know, to generate the private-key from it.
342
00:21:48,196 --> 00:21:56,206
You would see worldwide chaos, and panic,
and freaking out because people would--
343
00:21:56,206 --> 00:22:00,276
soon they'll realize that the underpinning
security of everything is now gone,
344
00:22:00,716 --> 00:22:05,096
it cannot be done, I don't
know, maybe, I can't do it.
345
00:22:05,196 --> 00:22:07,426
No one has been able to do it
so far, the government, well,
346
00:22:07,506 --> 00:22:09,726
as far as we know, Agent Scully can do it.
347
00:22:09,856 --> 00:22:16,196
But the government can't do it, so far
it's been proved true, but it's a theory.
348
00:22:16,446 --> 00:22:18,196
The theory is nobody can figure out how
349
00:22:18,196 --> 00:22:20,376
to generate the private-key
if you have a public-key.
350
00:22:20,376 --> 00:22:24,286
But, all that being said, I dive into
my conspiracy theory side of things.
351
00:22:24,286 --> 00:22:27,076
Now let's talk about how to setup SSH.
352
00:22:27,306 --> 00:22:30,776
I'll clear all of this stuff off.
353
00:22:30,776 --> 00:22:32,336
So that's how it worked.
354
00:22:32,336 --> 00:22:37,356
So instead, you know, instead of having
computer A and website B, you know,
355
00:22:37,356 --> 00:22:41,916
we have computer A going to switch A
or router A or whatever kind of device,
356
00:22:41,916 --> 00:22:46,276
it's all the same concept, it's just
using, you know, different devices.
357
00:22:46,276 --> 00:22:50,866
So the way to configure SSH on
a Cisco device is as follows.
358
00:22:51,346 --> 00:22:56,956
First off, we have to have a host name
and the reason why is this switch
359
00:22:56,956 --> 00:23:00,346
or this router is going to
generate its own certificate.
360
00:23:00,816 --> 00:23:05,006
Now, it's okay, we don't need a certificate
authority because we pay for those.
361
00:23:05,126 --> 00:23:07,966
And as long as we trust our
own devices, you know,
362
00:23:07,966 --> 00:23:11,166
we're not going to have a rogue
device come into play,
363
00:23:11,166 --> 00:23:15,256
it's okay to generate our own little
public-key certificate which says who we are.
364
00:23:15,516 --> 00:23:21,226
But we have to have on that certificate the name
of our device as well as the domain name like,
365
00:23:21,226 --> 00:23:25,316
you know, jeremy.com or cbtnuggets.com,
that's the domain name,
366
00:23:25,576 --> 00:23:27,776
those are two requirements for the certificate.
367
00:23:27,916 --> 00:23:32,366
So not only on that certificate
is the key, but also, you know,
368
00:23:32,366 --> 00:23:35,056
your name, who are you, host name.
369
00:23:35,266 --> 00:23:37,046
Also on there is your domain name.
370
00:23:37,506 --> 00:23:42,176
Also on there is the certificate
authority that approved the certificate.
371
00:23:42,176 --> 00:23:44,106
And think of this as like
the stamp of approval.
372
00:23:44,336 --> 00:23:49,386
Now in this case, this is called a
self-generated certificate that we're creating.
373
00:23:49,386 --> 00:23:51,746
So when it says, well, who approved me?
374
00:23:52,176 --> 00:23:53,106
I approved me.
375
00:23:53,736 --> 00:23:55,766
And who are you to tell
me that I can't do that?
376
00:23:55,766 --> 00:23:59,966
Yeah, that's what the device would say, is,
you know, I am on my own certificate authority,
377
00:24:00,126 --> 00:24:02,776
but that means the very first
time you connect to this device,
378
00:24:03,106 --> 00:24:06,096
you're going to get a warning saying,
hey, I'll show you that one, okay?
379
00:24:06,096 --> 00:24:07,766
So here's what we're going to do.
380
00:24:07,766 --> 00:24:11,356
And now, I've already configured the host
name for this device, it's CBT Switch.
381
00:24:11,766 --> 00:24:15,486
Now I need to configure a
domain name, global config mode
382
00:24:15,486 --> 00:24:22,896
and the command is IP domain name
followed by what we want the domain name--
383
00:24:22,896 --> 00:24:27,856
hey I don't have a-- domain, yeah, sorry,
it's IP domain name, that's what it is.
384
00:24:28,096 --> 00:24:32,986
IP domain name or it looks like, we can do a
space, either one of those, sometimes Cisco,
385
00:24:33,206 --> 00:24:35,776
Cisco is inconsistent, you'll have
two ways of doing the same thing.
386
00:24:35,776 --> 00:24:41,136
So IP domain name, we've got
cbtswitch., let's do nuggetlab.com,
387
00:24:41,276 --> 00:24:43,186
will be our domain name that
we're going to use, okay?
388
00:24:43,576 --> 00:24:47,856
Now we're going to generate encryption keys,
we're going to say, I need to generate,
389
00:24:47,856 --> 00:24:52,056
essentially, the public private-key set
for this certificate, the private-key,
390
00:24:52,056 --> 00:24:55,676
I will never give out, the public-key, anybody
can have because it's only half of the formula.
391
00:24:56,116 --> 00:25:02,596
So the way I do that is I
do crypto key generate RSA.
392
00:25:03,436 --> 00:25:09,566
RSA by the way is the encryption algorithm
of choice on Cisco devices, I think,
393
00:25:09,566 --> 00:25:15,536
it stands for Rivest, Shamir, and
Adleman, it's three guys that developed--
394
00:25:15,536 --> 00:25:18,836
it's, you know, think of it as
Diffie-Hellman, but just the next flavor,
395
00:25:18,836 --> 00:25:21,146
a little more efficient than
Diffie-Hellman's original algorithm.
396
00:25:21,146 --> 00:25:25,976
So now we come to the big question,
what is the size of the modulus?
397
00:25:26,306 --> 00:25:30,336
What is this-- how strong
do you want this key to be?
398
00:25:30,846 --> 00:25:33,096
Now let me give you just a flyby view.
399
00:25:33,276 --> 00:25:37,506
Symmetric keys that we use normally for--
400
00:25:37,506 --> 00:25:39,536
remember I said, this is the session key
401
00:25:39,536 --> 00:25:42,506
that our computer generates to
communicate with our website.
402
00:25:42,666 --> 00:25:47,276
Symmetric keys common strengths are,
you know, on the low end 64 bit.
403
00:25:48,126 --> 00:25:53,706
Normally nowadays it's 128
bit or if you're beefy,
404
00:25:54,016 --> 00:25:58,766
nowadays you'll use 256 bit
encryption for your symmetric keys.
405
00:25:59,046 --> 00:26:04,696
And that's just how strong the key is,
how complex is that mathematical formula
406
00:26:04,696 --> 00:26:07,226
in that shell, that's really what it means.
407
00:26:07,286 --> 00:26:12,446
So those are common methods to communicate,
now look at this, this is coming off
408
00:26:12,446 --> 00:26:16,276
and starting off with a modulus
of 512 bits.
409
00:26:16,546 --> 00:26:20,496
These are much stronger than our
normal day-to-day communications,
410
00:26:20,496 --> 00:26:23,986
it's much more complex because the device
knows it's not going to use them for long.
411
00:26:24,216 --> 00:26:28,386
The only thing it's going to use this for is to
encrypt that session key for the communication.
412
00:26:28,386 --> 00:26:31,016
So they're like, you know,
we can take the processor,
413
00:26:31,016 --> 00:26:32,836
just to do a tiny amount of encryption.
414
00:26:33,066 --> 00:26:37,946
If we were to actually use these keys for
all communication, our devices would die,
415
00:26:38,106 --> 00:26:43,546
there's no way they can keep up because with
the strength of keys, every bit that you add
416
00:26:43,546 --> 00:26:46,136
to it effectively doubles the strength.
417
00:26:46,136 --> 00:26:49,596
It's not like 128 bit is
twice as strong as 64 bit,
418
00:26:50,016 --> 00:26:53,366
no, 65 bit is twice as strong as 64 bit.
419
00:26:53,786 --> 00:26:56,816
Sixty-six bit is four times as strong as 64 bit.
420
00:26:56,876 --> 00:26:59,326
But also four times as complex to
process, so do you see what I mean?
421
00:26:59,326 --> 00:27:04,286
So when you're talking 128 bit versus 64
bit is like you can't even compare that,
422
00:27:04,356 --> 00:27:07,066
it's out of the park and same
thing when you come down here,
423
00:27:07,066 --> 00:27:08,946
you're infinitely stronger.
424
00:27:09,286 --> 00:27:12,546
The-- so as our processors get
bigger and bigger and bigger,
425
00:27:12,546 --> 00:27:17,816
we're able to create these more improved
algorithms because as the processors get bigger
426
00:27:17,816 --> 00:27:23,056
and bigger, it's easier to brute force attack
these 64 bit keys, you know, we can generate,
427
00:27:23,306 --> 00:27:25,836
you know, millions of passwords
every second and try
428
00:27:25,836 --> 00:27:29,356
and see if that's the secret
key that's being used.
429
00:27:29,356 --> 00:27:34,596
So that's-- when we come to this question,
the modulus, what do you want to use?
430
00:27:34,646 --> 00:27:38,926
A common strength is 1024
bit, 512 is considered,
431
00:27:39,036 --> 00:27:44,146
I would say weak for an asymmetric key set, 1024
or if you're feeling really beefy, you know,
432
00:27:44,146 --> 00:27:46,846
I can go with the 2048 bit, go to the maximum
433
00:27:47,016 --> 00:27:49,546
that at least this device supports,
some devices support more.
434
00:27:50,616 --> 00:27:53,096
But it's actually generating it,
it's going to take a little bit
435
00:27:53,336 --> 00:27:58,236
because my little processor is going, trying
to generate the super strong encryption key
436
00:27:58,506 --> 00:28:03,566
that is going to be used for
communication from here and out.
437
00:28:03,706 --> 00:28:06,276
Just so, you know, I paused
the nugget, I'm still waiting,
438
00:28:06,366 --> 00:28:08,866
this was 30 seconds ago,
okay, I'm pausing again.
439
00:28:10,586 --> 00:28:12,146
Okay, about 15 seconds later.
440
00:28:12,146 --> 00:28:15,016
So it took about, I would
say, a total of 60 seconds
441
00:28:15,016 --> 00:28:17,956
to generate those keys just
because they're so beefy.
442
00:28:18,406 --> 00:28:22,496
So now I've got the encryption keys,
I've generated this certificate,
443
00:28:22,496 --> 00:28:24,816
I've generated the public-key,
I've generated the private-key.
444
00:28:25,116 --> 00:28:29,926
Now we need to enable it, so I'm going
to, oops, I'm going to go on my device
445
00:28:29,926 --> 00:28:34,456
and do IP SSH, we're going to say version 2.
446
00:28:35,606 --> 00:28:40,866
Version 1 is old and I would say,
nowadays considered, you know, bad form,
447
00:28:40,866 --> 00:28:44,686
it's not like somebody can hack it, it's just
they've come out with improvements since then.
448
00:28:44,686 --> 00:28:46,736
So version 2 is the one that we want to use.
449
00:28:46,736 --> 00:28:51,686
Think of that as like a light switch behind
the scenes, I just turned on SSH version 2.
450
00:28:52,146 --> 00:28:55,766
Now we create our local user
accounts, what's this?
451
00:28:56,206 --> 00:29:00,786
Well, SSH unlike Telnet relies
on a user name and a password.
452
00:29:01,066 --> 00:29:06,136
Now you remember so far when we've been
managing our device, I Telnet in, I hit Telnet,
453
00:29:06,136 --> 00:29:12,416
it just says, what's your password, I type in
Cisco and I'm in, I'm able to access the device.
454
00:29:12,496 --> 00:29:16,426
Well, SSH requires a user name and a
password or at least in the Cisco world does.
455
00:29:16,426 --> 00:29:22,226
So what I need to do is in global
configuration mode create a user account
456
00:29:22,226 --> 00:29:24,636
that I can use for SSH.
457
00:29:25,226 --> 00:29:31,226
So what I'll do is I'll type in, username
and whatever username I want to use.
458
00:29:31,226 --> 00:29:39,046
Now bad usernames are things like admin, root,
administrator because if you're a hacker,
459
00:29:39,046 --> 00:29:41,726
those are always the accounts you're
going to try first, you're going to say,
460
00:29:41,726 --> 00:29:43,816
I'm going to brute force
something name [phonetic], I mean,
461
00:29:43,816 --> 00:29:47,826
try and come up with something unique, it
doesn't have to be your name, it could be,
462
00:29:47,826 --> 00:29:52,316
you know, company admin or it maybe
the name of your company ADM, or such--
463
00:29:52,316 --> 00:29:57,256
just something that wouldn't be so normal
for people to use as the administrator.
464
00:29:58,006 --> 00:30:03,416
Jeremy would definitely classify as a non-normal
administrator username or maybe, you know,
465
00:30:03,416 --> 00:30:05,916
if I want to be even more
secure, I could do jeremeny$,
466
00:30:06,406 --> 00:30:07,856
there's nothing to keep you from doing that.
467
00:30:08,046 --> 00:30:10,616
So I'll do Jeremy-- host name Jeremy.
468
00:30:10,916 --> 00:30:14,356
And then from there, I can
type in either password
469
00:30:14,356 --> 00:30:18,536
to specify the password or
secret to specify the secret.
470
00:30:18,936 --> 00:30:21,846
Now just like the enable
password or enable secret,
471
00:30:21,846 --> 00:30:27,156
it's much better if your device supports it
to use the secret because now the username
472
00:30:27,156 --> 00:30:30,166
and password will not be stored as
clear text in the running config.
473
00:30:30,166 --> 00:30:36,246
So I'll say username Jeremy secret Cisco,
just so I don't forget the password.
474
00:30:36,246 --> 00:30:43,236
So now I've got this user account I created
and if I do a show running config, by the way,
475
00:30:43,236 --> 00:30:46,556
this do command, again, we
saw this in the last nugget,
476
00:30:46,556 --> 00:30:48,946
it allows you to execute the
show command from any mode.
477
00:30:49,256 --> 00:30:53,956
The only drawback of it is, the question mark
doesn't work, so if I'm, you know, testing it,
478
00:30:53,956 --> 00:30:55,476
it's like, you know, I don't know.
479
00:30:55,476 --> 00:30:59,606
So the context sensitive help doesn't work,
it just says line, as well as the tab key.
480
00:30:59,776 --> 00:31:01,916
So I can do show run, it's going to say--
481
00:31:01,916 --> 00:31:04,976
I'm not complaining because I don't
know what command you're trying to type,
482
00:31:04,976 --> 00:31:06,856
this is kind of a shortcut if you will.
483
00:31:06,856 --> 00:31:12,506
So do show run, I hit the space bar or
right there, I see username Jeremy secret--
484
00:31:12,506 --> 00:31:16,236
you know, it's just like my enable
secret, it's this nice gobbledygook
485
00:31:16,236 --> 00:31:19,956
that is encrypted there or
hashed up on the screen.
486
00:31:19,956 --> 00:31:25,056
So now, I've created the local
user accounts, now I need to choose
487
00:31:25,056 --> 00:31:28,556
to allow Telnet and I should put or SSH.
488
00:31:29,116 --> 00:31:35,746
Now, from the last nugget,
what ports are Telnet ports?
489
00:31:35,746 --> 00:31:39,746
As in where do I go to configure a
Telnet password, do you remember?
490
00:31:41,176 --> 00:31:46,896
Line VTY and then whatever line
numbers I want to configure.
491
00:31:46,896 --> 00:31:50,356
Well, in my case, I want to configure all
of them, all of them will support this.
492
00:31:50,356 --> 00:31:51,816
Now there's a command under it.
493
00:31:51,816 --> 00:31:58,966
Now notice that we've got under
this VTY line, we have a password,
494
00:31:59,016 --> 00:32:02,916
we did that in the last nugget, that's what
allowed me to Telnet in right here as I typed
495
00:32:02,916 --> 00:32:05,506
in the password of Cisco on the device.
496
00:32:05,806 --> 00:32:10,596
So there is a password under there, but I'm
going to change the story a little bit by typing
497
00:32:10,596 --> 00:32:16,216
in the command, transport input as in
the kinds of protocols that are allowed
498
00:32:16,216 --> 00:32:22,276
in that the transports, the ways that you can
communicate with these VTY lines are going to be
499
00:32:22,646 --> 00:32:27,376
and now I can specify, SSH or
Telnet, and you can say none,
500
00:32:27,376 --> 00:32:30,386
and that totally disables all remote
access, I don't want to do that.
501
00:32:30,646 --> 00:32:35,936
Or we'd do both of them or you could type in for
instance, if I wanted to still allow both Telnet
502
00:32:35,936 --> 00:32:42,046
and SSH, I could type in Telnet and SSH,
and that says, I will allow both of them,
503
00:32:42,046 --> 00:32:45,406
so watch this, I'll go back
here to my-- my command prompt.
504
00:32:45,756 --> 00:32:48,306
Let's put this up over here, hit the up arrow.
505
00:32:48,446 --> 00:32:50,696
And I see I can still Telnet
into the device, right?
506
00:32:50,976 --> 00:32:59,166
Now if I go here and I do transport input
and I just do SSH, now I've disabled Telnet
507
00:32:59,166 --> 00:33:05,246
and I come back here, and hit the up arrow,
it's like, oh, I'm sorry, no soup for you,
508
00:33:05,716 --> 00:33:08,646
I cannot connect to the host
on port 23, connection failed
509
00:33:08,646 --> 00:33:11,066
because I'm no longer allowing
the Telnet protocol.
510
00:33:11,416 --> 00:33:17,316
Now let me get back to when I first said this, I
said, why do you take the risk of using Telnet,
511
00:33:17,316 --> 00:33:22,196
why do that, and I said, if SSH is just as easy
to use, and I said, asteric [phonetic], codes,
512
00:33:22,356 --> 00:33:26,716
and [inaudible], just as easy is not-- again,
so that's probably why Telnet is still around,
513
00:33:26,906 --> 00:33:31,426
is Microsoft never included
a command line SSH client.
514
00:33:31,856 --> 00:33:36,756
Shame on you Microsoft for not doing that,
they've always allowed Telnet, Unix, Linux,
515
00:33:36,756 --> 00:33:40,946
they've always supported SSH from
a command line but not Microsoft.
516
00:33:40,946 --> 00:33:47,076
So in order to use SSH, we have to
download a different program like PuTTY,
517
00:33:47,336 --> 00:33:51,836
like TeraTerm, like-- does this support it?
518
00:33:52,526 --> 00:33:53,716
TCP, no, no.
519
00:33:53,716 --> 00:33:59,856
So TeraTerm by itself does not
support SSH, it does Telnet only.
520
00:33:59,856 --> 00:34:04,256
However, you can download
SSH version of TeraTerm.
521
00:34:04,256 --> 00:34:07,596
So let's actually go with the
PuTTY, that one is nice and easy.
522
00:34:07,916 --> 00:34:09,256
TeraTerm I have to install.
523
00:34:09,716 --> 00:34:13,536
Now watch this, I'm going to do PuTTY
just on Google, here's my download page.
524
00:34:14,036 --> 00:34:16,046
Notice right here, legal warning.
525
00:34:17,196 --> 00:34:25,296
There are countries out there that don't allow
you to encrypt your data beyond a certain level.
526
00:34:25,726 --> 00:34:29,406
Essentially, there's government
entities out there that say,
527
00:34:29,816 --> 00:34:32,006
we want to be able to know what you're doing.
528
00:34:32,006 --> 00:34:35,926
Now, the United States is not one of those,
Canada is not one of those, Mexico is not one--
529
00:34:35,926 --> 00:34:39,966
I mean, but I would definitely make
sure that you know before you do this,
530
00:34:40,256 --> 00:34:43,836
what your country supports because a
lot of these countries will monitor.
531
00:34:44,076 --> 00:34:47,286
And they'll see what algorithms
you're using for encryption.
532
00:34:47,396 --> 00:34:52,106
And if it's something that is beyond what
they can decrypt, you're going to get a knock
533
00:34:52,106 --> 00:34:56,756
on a door or I'm in United States, I
don't know what other countries do,
534
00:34:56,756 --> 00:34:59,926
I don't know of doors being kicked
down, you know, the explosions,
535
00:34:59,926 --> 00:35:01,716
I don't know, it's a weird world out there.
536
00:35:01,956 --> 00:35:06,696
So the point is, be careful with what kind
of encryption you use in your country.
537
00:35:06,986 --> 00:35:11,586
Here we can use whatever we want, I'm going
to go download PuTTY which this is, you know,
538
00:35:11,586 --> 00:35:13,526
just-- actually, looks like
I've downloaded it before
539
00:35:13,526 --> 00:35:15,246
because it's saying I'm downloading PuTTY one.
540
00:35:15,596 --> 00:35:19,866
So I open PuTTY and it says,
okay, what do you want to do
541
00:35:19,866 --> 00:35:23,256
and you've got Telnet, Rlogin, SSH, Serial port.
542
00:35:23,256 --> 00:35:26,816
So I'm going to ask SSH and we type in 10.1.1.10
543
00:35:26,816 --> 00:35:29,446
which is the IP address of
my switch, click on open.
544
00:35:29,726 --> 00:35:36,086
Now check this out, it says, this server's
host key is not cached in the registry.
545
00:35:36,306 --> 00:35:41,146
You have no guarantee that this server
is the computer you think it is.
546
00:35:41,266 --> 00:35:44,316
What's that mean, that kind of creeps me out.
547
00:35:44,496 --> 00:35:50,866
What it means is PuTTY just recognized
this switch is using a certificate,
548
00:35:50,866 --> 00:35:54,406
it's using encryption keys
that it just made up itself.
549
00:35:54,406 --> 00:35:56,736
So it's saying, you know what, this
is your first time connecting here,
550
00:35:56,996 --> 00:36:00,936
it's saying that I approved my own
certificate, you have no guarantee
551
00:36:00,936 --> 00:36:04,186
that this server really is the
device that you think it is.
552
00:36:04,736 --> 00:36:07,326
If you're okay with that, go and hit yes.
553
00:36:07,616 --> 00:36:12,316
Now I will say almost always we're okay with
that, we-- you know, in our organizations, well,
554
00:36:12,316 --> 00:36:14,876
typically generate our own server certificates.
555
00:36:14,876 --> 00:36:20,766
Now PuTTY memorizes that certificate, it says
okay, then from here on out, this device,
556
00:36:20,766 --> 00:36:24,496
this MAC addresses, this IP addresses, you
know, everything is now bound to that key,
557
00:36:24,496 --> 00:36:27,486
it's not going to ask you that
again, it said, you said, I trusted--
558
00:36:27,586 --> 00:36:33,006
and the only way, it will plug that message
again if maybe another device gives you
559
00:36:33,006 --> 00:36:35,886
that same certificate, you know, some
other device out there, says, oh,
560
00:36:35,886 --> 00:36:40,126
I've got the same encryption keys, the
other guys can be like, whoa, sabotage.
561
00:36:40,396 --> 00:36:44,396
So now it's asking me, who
do you want to login as?
562
00:36:44,396 --> 00:36:49,526
Jeremy, this is the user account that I
created, what is Jeremy's password, Cisco.
563
00:36:52,396 --> 00:36:56,606
Not what I expected, it was Cisco, right, Cisco.
564
00:36:58,746 --> 00:37:04,296
Okay, troubleshooting, actually,
I think I know what it is.
565
00:37:04,296 --> 00:37:05,606
There's a command I forgot to show you.
566
00:37:06,686 --> 00:37:13,956
So a show run I'm going to begin with, oh,
it's saying, oops, "Sorry, you timed out."
567
00:37:13,956 --> 00:37:16,236
So let's begin with at lines.
568
00:37:16,236 --> 00:37:20,106
We'll just zoom into those VTY
lines, yeah, there's the problem.
569
00:37:20,836 --> 00:37:24,446
So one more command under those VTY
lines, let's go into global config mode,
570
00:37:24,516 --> 00:37:28,476
I'm going to do line VTY 0
space 15, get back under there.
571
00:37:28,806 --> 00:37:34,906
See right here that it says, login, right,
login, I know, it seems like okay, well,
572
00:37:34,906 --> 00:37:38,586
that's simple enough, right,
isn't that-- oh there's to it.
573
00:37:38,756 --> 00:37:45,696
Login says, okay, log people into these
ports, but use the password that's under here.
574
00:37:46,166 --> 00:37:51,516
Now that's the problem because we already
we're already trying to use username and password.
575
00:37:51,516 --> 00:37:54,266
And under the ports, there's only a password.
576
00:37:54,356 --> 00:37:58,066
So essentially, login is used
for Telnet to say, you know,
577
00:37:58,066 --> 00:38:01,076
Telnet in and you can use this
password, they link together.
578
00:38:01,346 --> 00:38:05,206
But, and this sounds a little funny to
do this, but instead we actually go
579
00:38:05,206 --> 00:38:09,056
to the VTY lines and type in login local.
580
00:38:09,906 --> 00:38:16,526
What that says to the device is use the
local user database for your logins.
581
00:38:16,756 --> 00:38:20,476
Don't just try and login people
and only require the password
582
00:38:20,476 --> 00:38:24,556
because frankly SSH doesn't even support
that, it needs a username and a password.
583
00:38:24,846 --> 00:38:28,146
Instead, login using the local database on here.
584
00:38:28,436 --> 00:38:34,096
Now this is as an alternative to login
using the TACACS server, what's over that?
585
00:38:34,096 --> 00:38:39,196
So when we get big enough, we can
setup our switches to where, you know,
586
00:38:39,196 --> 00:38:43,246
I don't want the user accounts on the
switches because I have hundreds of them
587
00:38:43,246 --> 00:38:44,896
and routers and all these kind of stuff.
588
00:38:44,896 --> 00:38:49,856
And I don't want to have to have usernames
and passwords that I change on a regular basis
589
00:38:50,066 --> 00:38:55,646
where I Telnet into or SSH into 50 or
hundred different devices on a monthly basis
590
00:38:55,646 --> 00:38:58,586
and change everybody's password because
that's a good security practice.
591
00:38:58,586 --> 00:39:04,226
Instead, what you can use is something
called a TACACS server, Cisco makes them.
592
00:39:04,626 --> 00:39:08,736
And all the devices say, well, I
get my user accounts from TACACS.
593
00:39:08,786 --> 00:39:14,706
So when I say on the port login space TACACS,
that says, when somebody tries to login
594
00:39:14,706 --> 00:39:19,556
to these VTY lines, check their credentials
against the TACACS server and that's
595
00:39:19,556 --> 00:39:21,226
where you create your user accounts.
596
00:39:21,226 --> 00:39:26,626
So then, I change my password in one
place and all the devices say, oops,
597
00:39:26,626 --> 00:39:30,596
looks like there's a password change, you
know, because, you know, they all just report
598
00:39:30,596 --> 00:39:33,416
to that centralized server, so that's the piece.
599
00:39:33,416 --> 00:39:37,466
So we can either login using TACACS
which is a server, login using a local
600
00:39:37,466 --> 00:39:41,056
which is the local user database on that
device it's going to be what we do here
601
00:39:41,056 --> 00:39:43,596
or we can just type and login
which says, use the password.
602
00:39:43,596 --> 00:39:46,986
So I'll type it again just
for grins, login local.
603
00:39:46,986 --> 00:39:50,906
And now, I'll go back to
PuTTY, give me my error.
604
00:39:51,376 --> 00:39:54,816
Let's go to restart session.
605
00:39:55,176 --> 00:39:59,416
There we go, login as Jeremy
and this time password of Cisco.
606
00:40:00,496 --> 00:40:01,976
There we go, that's what I want to see.
607
00:40:02,056 --> 00:40:03,596
So it was the login local.
608
00:40:03,596 --> 00:40:05,316
Man, I can't believe I forgot that.
609
00:40:05,316 --> 00:40:11,096
So create the user, so choose to allow
Telnet and SSH, that was the transport input.
610
00:40:11,096 --> 00:40:18,956
And then also seven, enable local login.
611
00:40:20,276 --> 00:40:23,636
I guess I could just group
under that one statement.
612
00:40:23,696 --> 00:40:28,126
So transport input, Telnet/SSH,
if you want to do that.
613
00:40:28,126 --> 00:40:33,086
And then, enable the local login so
that it uses the local user database.
614
00:40:34,296 --> 00:40:34,876
All right.
615
00:40:34,876 --> 00:40:37,256
So there is SSH in all its glory.
616
00:40:37,356 --> 00:40:40,146
And I know some of you are like, wait,
summary, there's two more bullets on there.
617
00:40:40,356 --> 00:40:45,436
Well, yes, but those are really focused
on what we did while we enabled SSH.
618
00:40:45,436 --> 00:40:49,636
Even though, the goal of this was
to enable SSH, we also learned how
619
00:40:49,636 --> 00:40:54,066
to manage existing user accounts or it
manage user accounts on Cisco devices.
620
00:40:54,066 --> 00:40:59,176
That was what we did when I went to global
configuration mode and created username Jeremy,
621
00:40:59,366 --> 00:41:03,036
password or secret Cisco
to create user accounts.
622
00:41:03,036 --> 00:41:07,946
So that's-- you can do that not only for
SSH, but also for all kinds of other stuff.
623
00:41:07,946 --> 00:41:09,756
A matter of fact, let me show this to you.
624
00:41:10,076 --> 00:41:14,706
I know we disabled Telnet by
using transport input SSH,
625
00:41:14,706 --> 00:41:18,956
but if I do transport input Telnet
and SSH now, watch what happens.
626
00:41:19,356 --> 00:41:25,326
I open my command prompt and type
in Telnet 10.1.1.10 and notice,
627
00:41:25,326 --> 00:41:30,766
now Telnet even is prompting me for a
username, Jeremy and the password of Cisco,
628
00:41:30,766 --> 00:41:34,416
it's just not secured to do it that way
because that's all transmitted in clear text.
629
00:41:34,686 --> 00:41:41,136
So this login local and these user accounts
that we create, impact both SSH and Telnet not
630
00:41:41,136 --> 00:41:45,726
when we do it, but also as you go down
the road when you set up VPN connections,
631
00:41:45,726 --> 00:41:49,356
if you want to use web management, there's all
kinds of things these user accounts are used for,
632
00:41:49,676 --> 00:41:52,096
you now know how to create
them on Cisco devices.
633
00:41:52,096 --> 00:41:55,346
And then finally, encrypting
passwords through using secret.
634
00:41:55,346 --> 00:42:03,006
So we create our user accounts using
username, you know, jer secret cisco,
635
00:42:03,186 --> 00:42:08,286
instead of username jer password Cisco
because password stores in clear text.
636
00:42:08,286 --> 00:42:16,486
And so passwords store in clear text which
is not secure, you can encrypt it using
637
00:42:16,486 --> 00:42:20,426
that service password encryption we
saw in the last nugget which uses
638
00:42:20,426 --> 00:42:24,806
that crackerjack encryption but nothing
beats that secret encryption level.
639
00:42:24,806 --> 00:42:25,806
All right.
640
00:42:25,806 --> 00:42:30,526
Good. I hope this has been informative for
you and I'd like to thank you for viewing.