Expl sw chapter_02_switches_part_2
Presentation Transcript

• CCNA3-1 Chapter 2-2: Switch Concepts and Configuration
  Configuring Switch Security:
  • Passwords
  • Encryption
  • Console
  • Telnet / SSH
  • Password Recovery
  • MAC Address Flooding
  • Spoofing Attacks
  • CDP Attacks
  • Telnet Attacks
  • Security Tools
  • Port Security
• CCNA3-2 Chapter 2-2: Configuring Basic & Password Options
  • Hostname: assigning a name to the switch.
      Switch#configure terminal
      Switch(config)#hostname SW1
      SW1(config)#end
  • Securing Console Access: so that access through the console is protected by a password.
      SW1#configure terminal
      SW1(config)#line console 0
      SW1(config-line)#password webmedia
      SW1(config-line)#login
      SW1(config-line)#end
• CCNA3-3 Chapter 2-2: Configuring Password Options
  • Securing Virtual Terminal Access:
    • There are 16 Telnet sessions available by default on a switch.
      SW1#configure terminal
      SW1(config)#line vty 0 15
      SW1(config-line)#password webmedia
      SW1(config-line)#login
      SW1(config-line)#end
• CCNA3-4 Chapter 2-2: Configuring Password Options
  • Securing Privileged EXEC Access:
    • Always use enable secret so that the password is stored encrypted.
      SW1#configure terminal
      SW1(config)#enable secret webmedia
      SW1(config)#end
  • Encrypting Switch Passwords: all the passwords configured on the switch can be encrypted with the command service password-encryption.
      SW1#configure terminal
      SW1(config)#service password-encryption
      SW1(config)#end
• CCNA3-5 Chapter 2-2: Configuring Banner
  • Login Banner:
      SW1#configure terminal
      SW1(config)#banner login "Member Only"
      SW1(config)#end
  • Message-Of-The-Day (MOTD) Banner:
      SW1#configure terminal
      SW1(config)#banner motd "Sedang Diperbaiki"
      SW1(config)#end
• CCNA3-6 Chapter 2-2: Configure Telnet and SSH
  • Telnet:
    • Most common method.
    • Virtual Terminal application.
    • Sends in clear text.
    • Not secure.
  • Secure Shell (SSH):
    • Virtual Terminal application.
    • Sends an encrypted data stream.
    • Is secure.
• CCNA3-7 Chapter 2-2: Configure Telnet and SSH
  • Configuring Telnet:
    • Telnet is the default transport for the vty lines.
    • No need to specify it after the initial configuration of the switch has been performed.
      SW1#configure terminal
      SW1(config)#line vty 0 15
      SW1(config-line)#password webmedia
      SW1(config-line)#login
      SW1(config-line)#transport input telnet
      SW1(config-line)#end
• CCNA3-8 Chapter 2-2: Configure Telnet and SSH
  • Configuring Secure Shell (SSH):
    • SSH is a cryptographic security feature that is subject to export restrictions. To use this feature, a cryptographic image must be installed on your switch.
    • Perform the following to configure SSH ONLY access:
      SW1#configure terminal
      SW1(config)#username userwebmedia password webmedia
      SW1(config)#ip domain-name webmedia.com
      SW1(config)#crypto key generate rsa
      SW1(config)#ip ssh version 2
      SW1(config)#line vty 0 15
      SW1(config-line)#login local
      SW1(config-line)#transport input ssh
      SW1(config-line)#end
• CCNA3-9 Chapter 2-2: Common Security Attacks
  • MAC Address Flooding: from the earlier discussion we already know that:
    • The switch's MAC address table:
      • Contains the MAC addresses reachable on the physical ports of the switch.
      • Contains the VLAN parameters associated with each port.
    • When forwarding data, the switch looks up the destination address of the frame being sent:
      • If it is in the MAC table, the frame is forwarded to the destination port.
      • If it is not in the MAC table, the frame is forwarded out all switch ports except the port the frame came in on.
• CCNA3-10 Chapter 2-2: Common Security Attacks
  • Example of MAC Address Flooding:
    • The MAC address table is limited in size (for example, a Cisco 2950 switch holds a maximum of 8000 MAC addresses).
    • An intruder can therefore flood the switch using a network attack tool that continuously sends bogus MAC addresses to the switch (e.g. 155,000 MAC addresses per minute).
    • When the switch MAC table becomes full and stays full, the switch forwards every frame it receives out all switch ports, just like a hub.
    • The intruder can then see all traffic passing through the switch.
• CCNA3-11 Chapter 2-2: Common Security Attacks
  • Spoofing Attacks:
    • Man-In-The-Middle (MITM):
      • Intercepting network traffic.
      • DHCP or DNS spoofing.
      • The attacking device responds to DHCP or DNS requests with IP configuration or address information that points the user to the intruder's destination.
    • DHCP Starvation:
      • The attacking device continually requests IP addresses from a real DHCP server with continually changing MAC addresses.
      • Eventually the pool of addresses is used up and actual users cannot access the network.
• CCNA3-12 Chapter 2-2: Common Security Attacks
  • CDP Attacks:
    • Cisco Discovery Protocol (CDP) is a proprietary protocol that exchanges information among Cisco devices:
      • IP address
      • Software version
      • Platform
      • Capabilities
      • Native VLAN (Trunk Links, Chapter 3).
    • With a free network sniffer (Wireshark) an intruder could obtain this information.
    • It can be used to find ways to perform Denial of Service (DoS) attacks and others.
    • CDP is usually on by default. If you don't need it, turn it off.
• CCNA3-13 Chapter 2-2: Common Security Attacks
  • Telnet Attacks:
    • Recall that Telnet transmits in plain text and is not secure. While you may have set passwords, the following types of attacks are possible:
      • Brute force (password guessing)
      • DoS (Denial of Service)
    • With a free network sniffer (Wireshark) an intruder could obtain this information.
    • Use strong passwords and change them frequently.
    • Use SSH.
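Added example, not part of the slides: a small Python audit that parses an IOS-style running configuration and reports which of the hardening steps from slides 2 to 13 are missing (enable secret, service password-encryption, SSH version 2 with SSH-only vty lines, CDP turned off, port-security on access ports). The sample configuration is constructed; the command no cdp run is the usual IOS way to turn CDP off and is assumed here rather than taken from the slides.

```python
# Constructed sample configuration (not from the slides) with the weak choices
# the chapter warns about: 'enable password', Telnet on the vty lines, no
# password encryption, CDP left on, and an access port without port-security.
WEAK_CONFIG = """\
hostname SW1
enable password webmedia
!
line con 0
 password webmedia
 login
line vty 0 15
 password webmedia
 login
 transport input telnet
interface FastEthernet0/1
 switchport mode access
"""

def parse_sections(config):
    """Split an IOS-style config into global commands and indented blocks."""
    global_cmds, blocks, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue                                  # comment / separator
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())      # command inside a block
        elif line.startswith(("line ", "interface ")):
            current = line                            # start of a new block
            blocks[current] = []
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, blocks

def audit(config):
    """Return one finding per hardening step from the chapter that is missing."""
    g, blocks = parse_sections(config)
    findings = []
    if not any(c.startswith("enable secret") for c in g):
        findings.append("global: use 'enable secret' (encrypted) for privileged EXEC")
    if "service password-encryption" not in g:
        findings.append("global: 'service password-encryption' missing")
    if "ip ssh version 2" not in g:
        findings.append("global: 'ip ssh version 2' missing")
    if "no cdp run" not in g:                         # assumed IOS command
        findings.append("global: CDP still on; add 'no cdp run' if not needed")
    for name, cmds in blocks.items():
        if name.startswith("line"):
            if "login" not in cmds and "login local" not in cmds:
                findings.append(f"{name}: no 'login' or 'login local'")
            if name.startswith("line vty") and "transport input ssh" not in cmds:
                findings.append(f"{name}: use 'transport input ssh', not telnet")
        elif "switchport mode access" in cmds and "shutdown" not in cmds \
                and "switchport port-security" not in cmds:
            findings.append(f"{name}: access port without port-security")
    return findings
```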
• CCNA3-14 Chapter 2-2: Network Security Tools
  • These tools help you test your network for various weaknesses, by letting you play the role of both a hacker and a network security analyst. The testing performed is:
  a) Network Security Audits:
    • Gather the information an attacker could obtain by monitoring network traffic.
    • Determine MAC address table limits and the age-out period.
  b) Network Penetration Testing:
    • Identify weaknesses in your network security.
    • Plan and build security on your network that will not affect the network's performance.
• CCNA3-15 Chapter 2-2: Network Security Tools
  c) Common Features:
    • Service Identification:
      • IANA port numbers, discover FTP and HTTP servers, test all of the services running on a host.
    • Support of SSL Services:
      • Testing services that use SSL level security: HTTPS, SMTPS, IMAPS and security certificates.
    • Non-destructive and Destructive Testing:
      • Security audits that can degrade performance.
    • Database of Vulnerabilities:
      • Compile a database that can be updated over time.
• CCNA3-16 Chapter 2-2: Network Security Tools
  • With these tools we can:
    • Capture chat messages.
    • Capture files from NFS traffic.
    • Capture HTTP requests.
    • Capture mail messages.
    • Capture passwords.
    • Display captured URLs in a browser in real time.
    • Flood a switched LAN with random MAC addresses.
    • Forge replies to DNS addresses.
    • Intercept packets.
• CCNA3-17 Chapter 2-2: Configuring Port Security
  • Port security is disabled by default.
  • Implement Port Security to:
    • Limit the number of valid MAC addresses allowed on a port.
    • When MAC address port security is enabled on a switch port, the port will not forward packets whose source address is not one of the addresses we have defined.
    • Specify a group of valid MAC addresses allowed on a port, or allow only one MAC address access to the port.
    • Specify that the port automatically shuts down (Security Violation Modes) if an invalid MAC address is detected.
• CCNA3-18 Chapter 2-2: Configuring Port Security
  • Secure MAC Address types:
    1. Static:
      • Manually specify that a specific MAC address is the ONLY address allowed to connect to that port.
      • They are added to the MAC address table and stored in the running configuration.
    2. Dynamic:
      • MAC addresses are learned dynamically when a device connects to the switch.
      • They are stored in the address table and are lost when the switch reloads.
• CCNA3-19 Chapter 2-2: Configuring Port Security
    3. Sticky:
      • Specifies that MAC addresses are:
        • Dynamically learned.
        • Added to the MAC address table.
        • Stored in the running configuration.
      • You may also manually add a MAC address.
• CCNA3-20 Chapter 2-2: Configuring Port Security
  • Security Violation Modes:
    • A violation occurs when:
      • A host whose MAC address is not in the MAC address table tries to access the interface while the address table is already full.
      • A MAC address is used on two secure interfaces in the same VLAN.
    • Modes:
      • Protect: drop frames, no notification.
      • Restrict: drop frames, notification.
      • Shutdown: disable port, notification.
• CCNA3-21 Chapter 2-2: Configuring Port Security
  • Default/Static Port Security Configuration:
      Switch(config)#interface FastEthernet0/1
      Switch(config-if)#description Port to PC1
      Switch(config-if)#switchport access vlan 1
      Switch(config-if)#switchport mode access
      Switch(config-if)#switchport port-security
      Switch(config-if)#switchport port-security mac-address 0003.E4A3.EC19
• CCNA3-22 Chapter 2-2: Configuring Port Security
  • Configure Dynamic Port Security:
    • Dynamically learned when the device connects.
    • Added to the MAC table only.
      Switch(config)#interface FastEthernet0/1
      Switch(config-if)#description Port to PC1
      Switch(config-if)#switchport access vlan 1
      Switch(config-if)#switchport mode access
      Switch(config-if)#switchport port-security
  • Configure Static Port Security with Dynamic Learning:
    • Dynamically learned from the list of static MAC addresses when the device connects.
    • Added manually to the MAC table and the running configuration.
      Switch(config-if)#switchport port-security
      Switch(config-if)#switchport port-security maximum 3   (1-132)
      Switch(config-if)#switchport port-security mac-address mac-ad1
      Switch(config-if)#switchport port-security mac-address mac-ad2
      Switch(config-if)#switchport port-security mac-address mac-ad3
• CCNA3-23 Chapter 2-2: Configuring Port Security
  • Configure Sticky Port Security:
    • Dynamically learn MAC addresses.
    • Added automatically to the MAC table and saved in the running configuration.
      Switch(config)#interface FastEthernet0/1
      Switch(config-if)#description Port to PC1
      Switch(config-if)#switchport access vlan 1
      Switch(config-if)#switchport mode access
      Switch(config-if)#switchport port-security
      Switch(config-if)#switchport port-security maximum 3   (1-132)
      Switch(config-if)#switchport port-security mac-address sticky
    When the switch port is connected to a computer, the sticky MAC address configuration is added automatically, up to a maximum of 3 MAC addresses, for example:
      switchport port-security mac-address sticky 0007.EC74.2861
      switchport port-security mac-address sticky 0007.EC74.2862
      switchport port-security mac-address sticky 0007.EC74.2863
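Added example, not the slides' own material: a Python model of the MAC address table and port-security behaviour described in slides 9 to 10 and 17 to 23. It shows a full table turning the switch into a hub for unknown destinations, and how each violation mode (protect, restrict, shutdown) stops that on the offending port; the port numbers, table size and MAC strings are constructed.

```python
from collections import OrderedDict

class Switch:
    """Toy model of a switch MAC address table with per-port port-security.
    Constructed for this example (no age-out timer, no VLANs); the
    violation modes follow the slides: protect drops silently, restrict
    drops and notifies, shutdown notifies and error-disables the port."""

    def __init__(self, ports, table_size):
        self.ports, self.table_size = list(ports), table_size
        self.mac_table = OrderedDict()            # MAC -> port
        self.secure = {}                          # port -> port-security state
        self.err_disabled, self.violations = set(), []

    def port_security(self, port, maximum=1, mode="shutdown"):
        self.secure[port] = {"max": maximum, "mode": mode, "learned": set()}

    def receive(self, port, src, dst):
        """Process one frame; return the list of ports it is forwarded to."""
        if port in self.err_disabled:
            return []                             # port stays down
        ps = self.secure.get(port)
        if ps and src not in ps["learned"]:
            if len(ps["learned"]) >= ps["max"]:   # new MAC beyond the maximum
                if ps["mode"] != "protect":
                    self.violations.append((port, src))
                if ps["mode"] == "shutdown":
                    self.err_disabled.add(port)
                return []                         # all three modes drop the frame
            ps["learned"].add(src)
        if src in self.mac_table or len(self.mac_table) < self.table_size:
            self.mac_table[src] = port            # learn/refresh; a full table learns nothing
        out = self.mac_table.get(dst)
        if out is not None and out != port:
            return [out]                          # known destination: one port
        return [p for p in self.ports if p != port]   # unknown: flood all other ports

def flood_scenario(mode=None):
    """Constructed scenario: PC2 (port 2) talks first, an attacker on port 3
    then sends 8 frames with bogus source MACs, PC1 (port 1) sends to PC2 and
    PC2 replies. Returns (table size, ports the reply reached, notifications,
    error-disabled ports). Table size 8 is chosen to make the effect visible."""
    sw = Switch(ports=[1, 2, 3, 4], table_size=8)
    if mode:
        sw.port_security(3, maximum=1, mode=mode)
    sw.receive(2, "pc2", "pc1")
    for i in range(8):
        sw.receive(3, f"bogus-{i:02x}", "ffff.ffff.ffff")
    sw.receive(1, "pc1", "pc2")
    reply = sw.receive(2, "pc2", "pc1")
    return len(sw.mac_table), reply, len(sw.violations), sorted(sw.err_disabled)
```

Without port security the reply to PC1 is flooded to ports 1, 3 and 4, so the attacker's port sees it; with any violation mode on port 3 the table never fills and the reply goes only to port 1.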
• CCNA3-24 Chapter 2-2: Verify Port Security
  • Verify Port Security Settings:
• CCNA3-25 Chapter 2-2: Verify Port Security
  • Verify Secure MAC Addresses:
• CCNA3-26 Chapter 2-2: Securing Unused Ports
  • Disable unused ports:
    • You can specify a range of interfaces. For example, to specify the first 10 interfaces:
      interface range fastethernet 0/1 - 10
• CCNA3-27 Chapter 2-2: End Chapter 02. Lab Activity.