CCIE chapter 18 security

Resources used: CCIE Routing and Switching Exam Certification Guide 3rd Edition

I have left a lot of this out because I know it like the back of my hand.

Line passwords:

  line con 0
   login
   password fred
  !
  line vty 0 15
   login
   password barney

The service password-encryption command will put all ASCII passwords in the running config into type 7 (Cisco encryption). no service password-encryption will not decrypt the passwords; they must be changed.

Layer 2 Security

Cisco SAFE defines 3 types of ports:
- Unused ports
- User ports, which connect to a user device or sit in an unsecured area
- Trusted/trunk ports

Good security of unused and user ports:
- Disable unneeded dynamic protocols like CDP and DTP.
- Disable trunking by configuring these ports as access ports.
- Enable BPDU Guard and Root Guard to prevent STP attacks and keep a stable STP topology.
- Use either Dynamic ARP Inspection (DAI) or private VLANs to prevent frame sniffing.
- Enable port security to at least limit the number of allowed MAC addresses, and possibly restrict the port to use only specific MAC addresses.
- Use 802.1X user authentication.
- Use DHCP snooping and IP Source Guard to prevent DHCP DoS and man-in-the-middle attacks.

Other security recommendations:
- Configure VTP authentication globally on each switch to prevent DoS attacks.
- Disable unused switch ports and place them in an unused VLAN.
- Avoid using VLAN 1.
- For trunks, do not use the native VLAN.
Port security can:
- Limit the number of MACs that can be associated with the port
- Limit the actual MAC addresses associated with the port, based on three methods:
  - Static configuration of the allowed MAC addresses
  - Dynamic learning of MAC addresses, up to the defined maximum, where dynamic entries are lost upon reload
  - Dynamic learning but with the switch saving those entries in the configuration (called sticky learning)

Three things can be done to a port in violation:
- Protect: enforces port security (will not allow any MAC addresses over the maximum, etc.) but does not log the violation
- Restrict: enforces port security and logs to syslog when in violation
- Shutdown: puts the port into err-disable and sends a message to syslog when in violation

Dynamic ARP Inspection (DAI)

An attacker can form a man-in-the-middle attack in a LAN by creative use of gratuitous ARPs. A gratuitous ARP occurs when a host sends an ARP reply without even seeing an ARP request. With DAI, ports are configured as trusted or untrusted. On an untrusted port the following occurs. DAI rate limits ARP messages on untrusted ports to 15 a second.

1. If an ARP reply lists a source IP address that was not DHCP-assigned to a device off that port, DAI filters the ARP reply.
2. DAI uses additional logic like Step 1, but uses a list of statically defined IP/MAC address combinations for comparison.
3. For a received ARP reply, DAI compares the source MAC address in the Ethernet header to the source MAC address in the ARP message. These MACs should be equal in normal ARP replies; if they are not, DAI filters the ARP message.
4. Like Step 3, but DAI compares the destination Ethernet MAC and the target MAC listed in the ARP body.
5. DAI checks for unexpected IP addresses listed in the ARP message, such as 0.0.0.0, 255.255.255.255, multicasts, and so on.

DHCP Snooping

The DHCP snooping binding table can then be used by DAI and by the IP Source Guard feature. DHCP snooping does the following:
- It filters all messages sent exclusively by DHCP servers.
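An added example (not from the book or these notes) applying the user-port, unused-port and trunk recommendations above as IOS interface configuration, with port security in restrict mode and sticky learning, BPDU Guard, storm control with an upper and lower point, and a non-default native VLAN on the trunk. Interface names, VLANs 10/20/999 and the VTP password are assumed placeholders.

```cisco
! Added example; interface names, VLAN numbers and the VTP password are placeholders
! --- global: VTP authentication and a "parking" VLAN for unused ports ---
vtp password VTP-PASSWORD-PLACEHOLDER
vlan 999
 name UNUSED
!
! --- user port: access only, no CDP/DTP, BPDU Guard, port security, storm control ---
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
! upper point 20% of bandwidth (start dropping), lower point 10% (resume forwarding)
 storm-control broadcast level 20.00 10.00
 storm-control multicast level 20.00 10.00
!
! --- unused ports: shut down and parked in the unused VLAN ---
interface range FastEthernet0/2 - 24
 switchport mode access
 switchport access vlan 999
 shutdown
!
! --- trunk: static trunk, no DTP, native VLAN moved off VLAN 1, only needed VLANs ---
! Root Guard belongs on a trunk that faces a switch which must never become root
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 spanning-tree guard root
```

With violation restrict, an extra MAC on FastEthernet0/1 is dropped and logged rather than err-disabling the port; use violation shutdown where an operator should have to re-enable the port by hand.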
- The switch checks DHCP release and decline messages against the DHCP snooping binding table; if the IP address in those messages is not listed with the port in the DHCP snooping binding table, the messages are filtered.
- Optionally, it compares a DHCP request's client hardware address value with the source MAC address inside the Ethernet frame.

IP Source Guard

The Cisco IOS switch IP Source Guard feature adds one more check to the DHCP snooping logic. When enabled along with DHCP snooping, IP Source Guard checks the source IP address of received packets against the DHCP snooping binding database. Alternatively, it checks both the source IP and source MAC addresses against that same database. If the entries do not match, the frame is filtered.

Commands:
- ip verify source (interface subcommand)
- ip verify source port-security (interface subcommand; checks both the source IP and MAC addresses)
- ip source binding mac-address vlan vlan-id ip-address interface interface-id (global command to create static entries)

802.1X Authentication Using EAP

Only EAP, STP and CDP packets are allowed out an unauthenticated interface.
- Supplicant: the 802.1X driver that supplies a username/password prompt to the user and sends/receives the EAPoL messages
- Authenticator: translates between EAPoL and RADIUS messages in both directions, and enables/disables ports based on the success/failure of authentication
- Authentication server: stores usernames/passwords and verifies that the correct values were submitted before authenticating the user

Storm Control

Storm control rate limits layer 2 traffic. Each type of traffic (unicast, broadcast, multicast) can be rate limited. The limit can be expressed as a number of packets or as a percentage of bandwidth. For each, an upper and a lower limit can be set:
- Upper point: the level at which the traffic type starts being rate limited
- Lower point: the level at which traffic is allowed to flow again after being limited

Private VLANs

Easy oversight: PC1 could send a frame with R1's destination MAC address, but with PC2's destination IP address (10.1.1.2).
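An added example (not from the book or these notes) tying together DHCP snooping, DAI, IP Source Guard and 802.1X on one access switch: the uplink toward the DHCP server is trusted, the user port is untrusted, rate limited and checked against the binding table, and the optional checks from the DAI steps and the DHCP snooping list are switched on. VLAN 10, interface names, the RADIUS server, the static host 10.1.1.5 / 0011.2233.4455 and all keys are assumed placeholders.

```cisco
! Added example; VLAN 10, interfaces, RADIUS server, static host and keys are placeholders
! --- DHCP snooping: builds the binding table that DAI and IP Source Guard consult ---
ip dhcp snooping
ip dhcp snooping vlan 10
! optional check of the DHCP chaddr field against the frame's source MAC
ip dhcp snooping verify mac-address
!
! --- DAI for VLAN 10, plus the header/body consistency checks (DAI steps 3-5) ---
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
! static IP/MAC pairs for hosts that do not use DHCP (DAI step 2)
arp access-list STATIC-HOSTS
 permit ip host 10.1.1.5 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
! matching static entry so IP Source Guard also accepts that host
ip source binding 0011.2233.4455 vlan 10 10.1.1.5 interface FastEthernet0/2
!
! --- 802.1X: the switch is the authenticator, RADIUS is the authentication server ---
aaa new-model
radius-server host 10.1.1.100 key RADIUS-KEY-PLACEHOLDER
aaa authentication dot1x default group radius
dot1x system-auth-control
!
! --- uplink toward the DHCP server: trusted for both DHCP snooping and DAI ---
interface GigabitEthernet0/1
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- user port: untrusted, rate limited, IP+MAC source checking, 802.1X ---
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 10
 ip arp inspection limit rate 15
 switchport port-security
 ip verify source port-security
 dot1x port-control auto
```

ip verify source port-security needs port security enabled on the same interface, which is why switchport port-security appears before it; without a DHCP lease or a static binding the host's frames are dropped, so static hosts must be added before the port is enabled.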
The switch forwards the frame to R1 because R1's port is promiscuous. R1 then routes the packet to PC2, effectively getting around the private VLAN intent. To solve such a problem, the router simply needs an inbound ACL on its LAN interface that denies traffic whose source and destination IP addresses are in the same local connected subnet. In this example, an access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255 command would prevent this attack.

Layer 3 security steps

1. Enable secure Telnet access to a router user interface, and consider using Secure Shell (SSH) instead of Telnet.
2. Enable SNMP security, particularly adding SNMPv3 support.
3. Turn off all unnecessary services on the router platform.
4. Turn on logging to provide an audit trail.
5. Enable routing protocol authentication.
6. Enable the CEF forwarding path to avoid using flow-based paths like fast switching.

Layer 3 routing security

1. If a company has registered a particular IP prefix, packets with a source address inside that prefix should not be sent into that autonomous system from the Internet.
2. Packets should never have anything but a valid unicast source IP address, so packets with source IP addresses of loopback (127.0.0.1), 127.x.x.x, broadcast addresses, multicast addresses, and so on, should be filtered.
3. Directed (subnet) broadcasts should not be allowed unless a specific need exists.
4. Packets for which no return route exists to the source IP address of the packet should be discarded (reverse-path-forwarding [RPF] check).

ACLs

Only include stuff I didn't know.

ip access-list resequence access-list-name starting-sequence-number increment resequences an ACL that is crowded.

CBAC

CBAC comes after access-list filters are applied to an interface. If an access list blocks a particular type of traffic on an interface where you are using CBAC to inspect inbound traffic, that traffic will be denied before CBAC sees it.
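An added example (not from the book or these notes) of a router configuration covering the private VLAN ACL above, the six Layer 3 security steps and the four routing security items. The company prefix 192.0.2.0/24, interface names, the OSPF neighbor link, the syslog server and all secrets are assumed placeholders; the RSA key for SSH is assumed to have been generated beforehand with the crypto key generate rsa EXEC command.

```cisco
! Added example; prefixes, interface names, server addresses and secrets are placeholders
! --- private VLAN hairpin: drop same-subnet traffic arriving on R1's LAN interface ---
access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip any any
!
! --- routing security items 1-2: filter bogus sources arriving from the Internet;
!     192.0.2.0/24 stands for the company's own registered prefix ---
access-list 102 deny ip 192.0.2.0 0.0.0.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip 224.0.0.0 15.255.255.255 any
access-list 102 deny ip 0.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 permit ip any any
!
interface FastEthernet0/0
 description LAN (private VLAN promiscuous port side)
 ip access-group 101 in
!
interface Serial0/0
 description Internet
 ip access-group 102 in
! item 3: no directed broadcasts; item 4: loose RPF check (no route back to the source)
 no ip directed-broadcast
 ip verify unicast source reachable-via any
!
interface FastEthernet0/1
 description internal OSPF neighbor (step 5: routing protocol authentication)
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 OSPF-KEY-PLACEHOLDER
!
! step 1: SSH only on the vty lines
ip ssh version 2
username admin secret ADMIN-PASS-PLACEHOLDER
line vty 0 4
 login local
 transport input ssh
!
! step 2: SNMPv3 with authentication and encryption
snmp-server group ADMINS v3 priv
snmp-server user admin ADMINS v3 auth sha AUTH-PLACEHOLDER priv aes 128 PRIV-PLACEHOLDER
!
! step 3: unnecessary services off; step 4: logging; step 6: CEF
service password-encryption
no service tcp-small-servers
no service udp-small-servers
no ip http server
service timestamps log datetime msec
logging host 10.1.1.100
ip cef
```

reachable-via any is the loose RPF mode described in item 4; reachable-via rx is stricter and also requires the route back to the source to point out the receiving interface, which breaks asymmetric routing on multihomed links.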
- CBAC cannot protect against attacks that originate inside your network, where most attacks originate.
- CBAC works only on protocols that you specify it should inspect, leaving all other filtering to access lists and other filtering methods.
- CBAC inspects only TCP- and UDP-transported traffic. It does not inspect any other protocol, including ICMP.
- CBAC does not inspect traffic destined to or originated from the firewall router itself, only traffic that traverses the firewall router.
- CBAC has restrictions on handling encrypted traffic.
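An added example (not from the book or these notes) of a minimal CBAC deployment that shows the ICMP limitation above in practice: outbound TCP/UDP/HTTP sessions are inspected so their return traffic gets through the inbound ACL, but ICMP echo replies have to be permitted by hand because CBAC never opens holes for ICMP. The inspect rule name FW, ACL 110 and Serial0/0 are assumed placeholders.

```cisco
! Added example; the rule name FW, ACL number and interface name are placeholders
! Inspect TCP, UDP and HTTP sessions leaving through the outside interface; CBAC then
! opens temporary entries in front of ACL 110 for their return traffic only
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW http
!
! Inbound ACL on the outside interface. CBAC does not inspect ICMP, so replies to
! our own pings must be permitted explicitly; anything CBAC did not open is denied
! and logged. Sessions started by the router itself are also not inspected, so
! their return traffic would need explicit permits here too.
access-list 110 permit icmp any any echo-reply
access-list 110 deny ip any any log
!
interface Serial0/0
 description outside
 ip access-group 110 in
 ip inspect FW out
```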