CCIE chapter 18 security:
Resources used:
CCIE Routing and Switching Exam Certification Guide 3rd Edition
I have left a lot of this out because I know it like the back of my hand.
line con 0
login
password fred
!
line vty 0 15
login
password barney
The service password-encryption command converts all clear-text (ASCII) passwords in the running
config to type 7 (Cisco encryption).
no service password-encryption will not decrypt the passwords; they must be changed.
Layer 2 Security
Cisco SAFE defines 3 types of ports:
Unused ports
User ports, which connect to a user device or sit in an unsecured area
Trusted/trunk ports
Good security practice for unused and user ports:
Disable unneeded dynamic protocols like CDP and DTP.
Disable trunking by configuring these ports as access ports.
Enable BPDU Guard and Root Guard to prevent STP attacks and keep a stable STP
topology.
Use either Dynamic ARP Inspection (DAI) or private VLANs to prevent frame sniffing.
Enable port security to at least limit the number of allowed MAC addresses, and possibly
restrict the port to use only specific MAC addresses. Use 802.1X user authentication.
Use DHCP snooping and IP Source Guard to prevent DHCP DoS and man-in-the-middle
attacks.
Other security recommendations:
Configure VTP authentication globally on each switch to prevent DoS attacks.
Disable unused switch ports and place them in an unused VLAN.
Avoid using VLAN 1.
For trunks, do not use the native VLAN.
Port security can:
Limit the number of MACs that can be associated with the port
Limit the actual MAC addresses associated with the port, based on three methods:
Static configuration of the allowed MAC addresses
Dynamic learning of MAC addresses, up to the defined maximum, where
dynamic entries are lost upon reload
Dynamic learning, but with the switch saving those entries in the configuration
(called sticky learning)
Three violation modes can be applied to a port in violation:
Protect: won't allow any MAC addresses over the maximum (frames from unknown MACs are dropped)
Restrict: drops the frames the same way, and logs to syslog when in violation
Shutdown: puts the port into err-disable and sends a message to syslog when in violation.
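To make the three violation modes and the static/dynamic/sticky learning methods concrete, here is a small added model of one port-secured switch port (example code written for these notes, not Cisco's implementation; the class and its frame handling are assumptions):

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """Toy model of a port with port security enabled (assumed simplification)."""
    maximum: int = 1                # switchport port-security maximum
    violation: str = "shutdown"     # protect | restrict | shutdown
    sticky: bool = False            # sticky learning saves learned MACs to the config
    allowed: set = field(default_factory=set)   # static + learned MACs
    saved: set = field(default_factory=set)     # entries that survive a reload
    err_disabled: bool = False
    syslog: list = field(default_factory=list)

    def add_static(self, mac: str) -> None:
        """Statically configured MAC address (survives reload)."""
        self.allowed.add(mac)
        self.saved.add(mac)

    def receive(self, src_mac: str) -> bool:
        """Return True if a frame from src_mac is forwarded."""
        if self.err_disabled:
            return False
        if src_mac in self.allowed:
            return True
        if len(self.allowed) < self.maximum:
            self.allowed.add(src_mac)        # dynamic learning up to the maximum
            if self.sticky:
                self.saved.add(src_mac)      # sticky: written to the configuration
            return True
        # Violation: an unknown MAC once the maximum is reached.
        if self.violation == "protect":
            return False                     # drop silently
        if self.violation == "restrict":
            self.syslog.append(f"PSECURE violation by {src_mac}")
            return False
        self.err_disabled = True             # shutdown: port goes err-disabled
        self.syslog.append(f"port err-disabled, violation by {src_mac}")
        return False

    def reload(self) -> None:
        """Dynamically learned entries are lost; static and sticky entries remain.
        (Simplification: the err-disabled state is also cleared by the reload.)"""
        self.allowed = set(self.saved)
        self.err_disabled = False
```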
Dynamic ARP inspection (DAI)
An attacker can form a man-in-the-middle attack in a LAN by creative use of gratuitous
ARPs. A gratuitous ARP occurs when a host sends an ARP reply, without even seeing an
ARP request.
With DAI, ports are configured as trusted or untrusted. On an untrusted port the following
occurs.
DAI rate limits ARP messages on untrusted ports to 15 a second.
1. If an ARP reply lists a source IP address that was not DHCP-assigned to a device off
that port, DAI filters the ARP reply.
2. DAI uses additional logic like Step 1, but uses a list of statically defined IP/MAC
address combinations for comparison.
3. For a received ARP reply, DAI compares the source MAC address in the Ethernet
header to the source MAC address in the ARP message. These MACs should be equal in
normal ARP replies; if they are not, DAI filters the ARP message.
4. Like Step 3, but DAI compares the destination Ethernet MAC and the target MAC
listed in the ARP body.
5. DAI checks for unexpected IP addresses listed in the ARP message, such as 0.0.0.0,
255.255.255.255, multicasts, and so on.
DHCP Snooping
DHCP snooping builds a binding table of which IP address was leased to which device on which
port; this table can then be used by DAI and by the IP Source Guard feature.
DHCP snooping does the following:
It filters all messages sent exclusively by DHCP servers when they arrive on untrusted ports.
The switch checks DHCP release and decline messages against the DHCP snooping
binding table; if the IP address in those messages is not listed with the port in the DHCP
snooping binding table, the messages are filtered.
Optionally, it compares a DHCP request’s client hardware address value with the source
MAC address inside the Ethernet frame.
IP Source Guard
The Cisco IOS switch IP Source Guard feature adds one more check to the DHCP
snooping logic. When enabled along with DHCP snooping, IP Source Guard checks the
source IP address of received packets against the DHCP snooping binding database.
Alternatively, it checks both the source IP and source MAC addresses against that same
database. If the entries do not match, the frame is filtered.
ip verify source (interface subcommand) enables IP Source Guard, checking the source IP address
ip verify source port-security (interface subcommand) checks both the source IP and MAC addresses
ip source binding mac-address vlan vlan-id ip-address interface interface-id
(global command) creates static entries
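The five DAI checks and the IP Source Guard check both consult the same DHCP snooping binding table, so here they are together as one added example (written for these notes, not Cisco's code): the binding table, the static ARP ACL, the port names and the ARP message layout are all constructed for the illustration.

```python
from dataclasses import dataclass
import ipaddress

# Constructed DHCP snooping binding table: (ip, mac) pairs learned per port.
BINDINGS = {
    "Gi1/0/1": {("10.1.1.10", "00:11:22:33:44:55")},
    "Gi1/0/2": {("10.1.1.11", "00:11:22:33:44:66")},
}
STATIC_ARP_ACL = {("10.1.1.1", "00:aa:bb:cc:dd:ee")}  # statically defined pairs (step 2)
TRUSTED_PORTS = {"Gi1/0/24"}                          # DAI trusted port (e.g. uplink)

@dataclass
class ArpReply:
    port: str
    eth_src: str     # Ethernet header source MAC
    eth_dst: str     # Ethernet header destination MAC
    sender_mac: str  # ARP body sender hardware address
    sender_ip: str
    target_mac: str
    target_ip: str

def dai_check(r: ArpReply) -> str:
    """Return 'permit' or the reason DAI filters the reply on an untrusted port."""
    if r.port in TRUSTED_PORTS:
        return "permit"
    pair = (r.sender_ip, r.sender_mac)
    # Steps 1 and 2: sender IP/MAC must be DHCP-learned on this port or in the ARP ACL.
    if pair not in BINDINGS.get(r.port, set()) and pair not in STATIC_ARP_ACL:
        return "drop: sender IP/MAC not bound to this port"
    # Step 3: Ethernet source MAC must equal the ARP sender MAC.
    if r.eth_src.lower() != r.sender_mac.lower():
        return "drop: src MAC mismatch"
    # Step 4: Ethernet destination MAC must equal the ARP target MAC.
    if r.eth_dst.lower() != r.target_mac.lower():
        return "drop: dst MAC mismatch"
    # Step 5: no unexpected addresses (0.0.0.0, broadcast, multicast) in the ARP body.
    for ip in (r.sender_ip, r.target_ip):
        a = ipaddress.ip_address(ip)
        if a.is_unspecified or a.is_multicast or ip == "255.255.255.255":
            return "drop: invalid IP in ARP body"
    return "permit"

def ip_source_guard(port: str, src_ip: str, src_mac: str, port_security: bool = False) -> bool:
    """IP Source Guard: permit only if the source IP (and, with port-security, the MAC) is bound."""
    bindings = BINDINGS.get(port, set())
    if port_security:
        return (src_ip, src_mac) in bindings
    return any(ip == src_ip for ip, _ in bindings)
```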
802.1X Authentication Using EAP
Only EAP, STP and CDP packets are allowed on an unauthenticated interface.
Supplicant: the 802.1X client software that supplies a username/password prompt to the user and
sends/receives the EAPoL messages
Authenticator: translates between EAPoL and RADIUS messages in both directions,
and enables/disables ports based on the success/failure of authentication
Authentication server: stores usernames/passwords and verifies that the correct values
were submitted before authenticating the user
Storm Control
Storm control rate limits layer 2 traffic. Each type of traffic (unicast, broadcast,
multicast) can be rate limited, measured either as a number of packets or as a percentage of bandwidth.
For each type an upper and a lower limit can be set:
Upper (rising) threshold: the point at which the traffic type starts being rate limited
Lower (falling) threshold: the point at which traffic is allowed to flow again after being limited
Private VLANs: an easy oversight
PC1 could send a frame with R1's destination MAC address, but with
PC2's destination IP address (10.1.1.2). The switch forwards the frame to R1 because
R1's port is promiscuous. R1 then routes the packet to PC2, effectively getting around the
private VLAN intent. To solve such a problem, the router simply needs an inbound ACL
on its LAN interface that denies traffic whose source and destination IP addresses are in
the same local connected subnet. In this example, an access-list 101 deny ip 10.1.1.0
0.0.0.255 10.1.1.0 0.0.0.255 command would prevent this attack.
Layer 3 security steps
1. Enable secure Telnet access to a router user interface, and consider using Secure Shell
(SSH) instead of Telnet.
2. Enable SNMP security, particularly adding SNMPv3 support.
3. Turn off all unnecessary services on the router platform.
4. Turn on logging to provide an audit trail.
5. Enable routing protocol authentication.
6. Enable the CEF forwarding path to avoid using flow-based paths like fast switching.
Layer 3 routing security
1. If a company has registered a particular IP prefix, packets with a source address inside
that prefix should not be sent into that autonomous system from the Internet.
2. Packets should never have anything but a valid unicast source IP address, so packets
with source IP addresses of loopback (127.0.0.1), 127.x.x.x, broadcast addresses,
multicast addresses, and so on, should be filtered.
3. Directed (subnet) broadcasts should not be allowed unless a specific need exists.
4. Packets for which no return route exists to the source IP address of the packet should
be discarded (reverse-path-forwarding [RPF] check).
ACLs
Only include stuff I didn't know
ip access-list resequence access-list-name starting-sequence-number increment
resequences a crowded ACL.
CBAC
CBAC comes after access-list filters are applied to an interface. If an access list blocks a
particular type of traffic on an interface where you are using CBAC to inspect inbound
traffic, that traffic will be denied before CBAC sees it.
CBAC cannot protect against attacks that originate inside your network, where most
attacks originate.
CBAC works only on protocols that you specify it should inspect, leaving all other
filtering to access lists and other filtering methods.
CBAC inspects only TCP- and UDP-transported traffic. It does not inspect any other
protocol, including ICMP.
CBAC does not inspect traffic destined to or originated from the firewall router itself,
only traffic that traverses the firewall router.
CBAC has restrictions on handling encrypted traffic.