Week #4
Ch2. Wayne Lewis
Ali Nezhad
Outline
- Password Protection
- Securing Remote Access
- Security Risks
- Security Tools
- Configuring Port Security
Ali Nezhad CNET 311 Routing and Switching
Password Protection
no login: line-configuration command (console or vty) that disables password checking on that line; any connection is accepted without a password. Every management line should instead carry a password (or login local with a local user database).
Commands:
- enable password: stores the privileged-EXEC password in cleartext in both running-config and startup-config. service password-encryption only applies a reversible type 7 obfuscation to it, which is trivially decoded.
- enable secret: stores a one-way hash of the password (type 5 MD5 on older IOS, type 8 PBKDF2-SHA256 or type 9 scrypt on newer releases). If both are configured, enable secret takes precedence and the enable password is ignored. IOS refuses to set the two to the same value.
Password Recovery
The procedure differs between device models and requires physical (console) access to the device. The original passwords can often not be recovered at all, especially when they are stored hashed with enable secret, but they can be reset to a new value. This is why physical access to a switch must be controlled: anyone at the console can own the device.
MOTD Banner
Displayed to every connection before the login prompt (and before any login banner). The text must be enclosed in a delimiting character that does not occur in the message itself:
(config)# banner motd #Device Maintenance!#
Telnet and SSH
Telnet sends the whole session, including usernames and passwords, in cleartext. SSH is the newer protocol: it encrypts the session and authenticates the switch to the client with its host key.
Configuring Telnet
Telnet is accepted on the vty lines by default on most Cisco switches (transport input all). If the transport has been restricted to SSH only, telnet can be restored with:
(config-line)# transport input telnet
or
(config-line)# transport input all
Only do this if SSH genuinely cannot be used; every telnet login exposes the credentials to anyone who can capture traffic on the path.
SSH Characteristics
- The switch supports SSHv1 or SSHv2 as a server (the course-era platform supported only SSHv1 as a client). SSHv1 has known protocol weaknesses; force version 2 with (config)# ip ssh version 2.
- Supports DES and 3DES encryption (AES on newer IOS releases).
- Supports password-based authentication (local users or AAA).
- Uses RSA public-key cryptography for the server host key.
Configuring SSH
1. Configure a host domain for the switch (needed to name the key pair):
   (config)# ip domain-name mydomain.com
2. Generate an RSA key pair:
   (config)# crypto key generate rsa
   Use a modulus of at least 2048 bits (the course text suggested 1024, which is no longer considered adequate). Generating the keys enables the SSH server for local and remote access.
To delete the keys, use crypto key zeroize rsa. After deletion the SSH server is automatically disabled.
To prevent non-SSH connections on the vty lines:
(config-line)# transport input ssh
Telnet sessions are then refused. Verify with show ip ssh (protocol version, key size) and show running-config | section line vty.
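The password and SSH settings above combined into one hardened management-access configuration. This is an added example, not code from the course slides; the hostname, domain, username, passwords and timeouts are assumptions chosen for illustration.

```cisco
! Added example: hardened management access on a Catalyst switch (IOS).
! hostname, domain, username and passwords are assumed values.
hostname SW1
ip domain-name mydomain.com
!
! Local account with a hashed secret. "username ... password" would store
! cleartext (or reversible type 7 if service password-encryption is on).
username netadmin privilege 15 secret Str0ng-Adm1n-Pass!
!
! enable secret is hashed; no "enable password" (cleartext) is configured.
enable secret An0ther-Str0ng-Pass!
!
! 2048-bit RSA host key and SSH version 2 only.
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! MOTD banner with an explicit delimiter (#), shown before the login prompt.
banner motd #
Authorized access only. Device Maintenance!
#
!
! vty lines: SSH only, authenticate against the local user database,
! idle sessions dropped after 10 minutes.
line vty 0 15
 transport input ssh
 login local
 exec-timeout 10 0
!
! Console: same local authentication and idle timeout.
line console 0
 login local
 exec-timeout 10 0
```

After applying this, show ip ssh should report version 2.0 and the key size, and a telnet attempt to the switch is refused at the TCP level on the vty lines.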
Security Risks
Common L2 Security Attacks
Untrusted Ports
Untrusted ports (the default for every port once snooping is enabled) may forward only DHCP client messages such as DISCOVER and REQUEST. DHCP server messages (OFFER, ACK, NAK) arriving on an untrusted port are dropped, which neutralises a rogue DHCP server plugged into an access port.
1. Enable DHCP snooping globally:
   (config)# ip dhcp snooping
2. Enable DHCP snooping for the VLAN(s):
   (config)# ip dhcp snooping vlan <vlan-id>
3. Define the port(s) facing the legitimate DHCP server or relay as trusted:
   (config-if)# ip dhcp snooping trust
4. Rate-limit DHCP packets on untrusted ports (optional; see next slide).
CDP Attack
Cisco Discovery Protocol is the target. CDP is a Cisco-proprietary Layer 2 protocol that discovers directly connected Cisco devices and simplifies network configuration and troubleshooting.
CDP messages are not encrypted or authenticated and are sent periodically as multicast frames. They contain information such as the software version, IP address, platform, capabilities and native VLAN of the sending device.
CDP Attack
An attacker on the same segment can collect this information passively to select exploits for the exact software version, or craft CDP frames to cause a DoS.
Prevention
Disable CDP on devices, and on individual ports, that do not need it: (config)# no cdp run disables it globally, (config-if)# no cdp enable disables it on a single interface (for example, all user-facing access ports while keeping it on infrastructure links).
Telnet Attacks
Password Attacks
A vty password alone is not enough protection.
Passwords can be defeated by brute-force or dictionary guessing against the login prompt.
Prevention:
Use strong passwords that are changed regularly, and limit login attempts.
Even then, because telnet is cleartext, an attacker can flood the switch's MAC address table so that it floods frames like a hub, then capture the telnet session with packet-capture software and read the password directly. Using SSH instead of telnet removes this exposure.
DoS Attacks
Exploiting flaws in the telnet server software to render the service, or the device, unavailable.
Security Tools
Penetration Tests
Identify weaknesses within the configuration of networking devices.
Destructive Testing
Stress testing that may disrupt the network (for example, generating floods or exhausting resources). Done only occasionally and in maintenance windows.
Non-destructive Testing
Done routinely. Little impact on network performance.
Port Security
Sticky: learned dynamically, added to the address table and written to the running config (saved to startup-config only when the configuration is saved; otherwise the addresses are lost on reload and relearned from whatever is connected).
(config-if)# switchport port-security mac-address sticky enables sticky learning on an interface. The port converts all dynamic secure MAC addresses, including those learned before the command was entered, to sticky and adds all of them to the running config. If sticky learning is disabled again, the sticky addresses remain in the running config but are removed from the address table; they can then be dynamically learned again and re-added to the address table as dynamic entries.
(config-if)# switchport port-security mac-address sticky <mac-address> configures a specific sticky secure MAC address. The address is added to the address table and the running config. If port security is later disabled, the sticky MAC addresses remain in the running config.
If a sticky secure MAC address is entered on an interface where sticky learning is not enabled, an error message appears and the sticky MAC address is not added to the running config.
Security Violations
A violation occurs when the maximum number of secure MAC addresses has been added to the address table and either:
- a station whose address is not in the address table attempts to send on the interface, or
- an address learned or configured on one secure interface is seen on another secure interface in the same VLAN.
Violation Modes
The action that a port is configured to perform if a violation occurs. There are three modes:
- Protect
- Restrict
- Shutdown
Violation Modes
Protect
When the number of secure addresses reaches the limit allowed on the port:
Frames with unknown source addresses are dropped until a sufficient number of secure MACs are removed or the limit is increased. No violation notification is generated, so the operator has no record that anything happened; this is the weakest of the three modes.
Violation Modes
Restrict
When the number of secure addresses reaches the limit allowed on the port:
Frames with unknown source addresses are dropped until a sufficient number of secure MACs are removed or the limit is increased, and the port stays up. A violation notification is generated: an SNMP trap is sent, a syslog message is logged and the violation counter (visible in show port-security interface) is incremented.
Violation Modes
Shutdown
The default mode on Cisco switches. A violation causes the port to shut down immediately.
The port goes into the err-disabled state and its LED turns off. Notification and logging are the same as for Restrict. To recover, an operator enters shutdown followed by no shutdown on the interface, or the switch can be configured to re-enable the port automatically after an interval with errdisable recovery cause psecure-violation.
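The port-security settings from this section combined on one access port: sticky learning, one pre-configured sticky address, a limit of two addresses, restrict mode, and automatic err-disable recovery in case shutdown mode is used elsewhere. This is an added example rather than slide content; the interface name, VLAN and MAC address are assumptions.

```cisco
! Added example: port security on an access port (interface, VLAN and MAC assumed).
interface GigabitEthernet1/0/5
 description User access port
 switchport mode access
 switchport access vlan 10
 ! Port security must be enabled before any of the other options take effect.
 switchport port-security
 ! At most two secure addresses: the one configured below plus one learned.
 switchport port-security maximum 2
 ! Learned addresses are converted to sticky and written to running-config.
 switchport port-security mac-address sticky
 ! A known device pinned as a sticky entry; this fails with an error if the
 ! "sticky" line above is missing.
 switchport port-security mac-address sticky 0011.2233.4455
 ! Restrict: a third address is dropped, the port stays up, and an SNMP
 ! trap, syslog message and counter increment record the violation.
 switchport port-security violation restrict
!
! For ports left in the default shutdown mode: re-enable an err-disabled
! port after 5 minutes instead of waiting for a manual shutdown/no shutdown.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

Sticky addresses only persist across a reload once the running configuration is saved (copy running-config startup-config); until then a reboot forgets them and the port will learn whatever is plugged in next. Verify with show port-security interface GigabitEthernet1/0/5 (mode, counts, last violating address) and show port-security address (the secure address table).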
Questions?