2. Layer 2 Security
(Diagram: the network perimeter and Internet edge, with IPS, MARS, VPN, ACS, IronPort, firewall, web server, email server, DNS and hosts.)
5. MAC Address Spoofing Attack
(Diagram: Port 1 of the switch is attached to the host with MAC address AABBcc; Port 2 is attached to the attacker with MAC address 12AbDd.)
Switch: I have associated Ports 1 and 2 with the MAC addresses of the devices attached to them. Traffic destined for each device will be forwarded directly.
The switch keeps track of the endpoints by maintaining a MAC address table. In MAC spoofing, the attacker poses as another host, in this case AABBcc.
6. MAC Address Spoofing Attack
(Diagram: the attacker on Port 2 now presents MAC address AABBcc, the same address as the host on Port 1.)
Attacker: I have changed the MAC address on my computer to match the server.
Switch: The device with MAC address AABBcc has changed locations to Port 2. I must adjust my MAC address table accordingly.
7. MAC Address Table Overflow Attack
The switch can forward frames between PC1 and PC2 without flooding because the MAC address table contains port-to-MAC-address mappings for these PCs.
8. MAC Address Table Overflow Attack
(Diagram: hosts A, B, C and D in VLAN 10; an intruder on port 3/25 sends frames with bogus source MAC addresses X, Y, Z, ..., and the MAC table fills with entries X 3/25, Y 3/25, Z 3/25, ...)
1. The intruder runs macof to begin sending unknown bogus MAC addresses.
2. The bogus addresses are added to the CAM table.
3. The CAM table is full.
4. The switch floods the frames. The attacker sees traffic to servers B and D.
10. STP Manipulation Attack
(Diagram: the legitimate root bridge has priority 8192; the attacking host sends STP BPDUs with priority 0 on both of its links; port states are shown as F (forwarding) and B (blocking).)
The attacking host broadcasts out STP configuration and topology change BPDUs. This is an attempt to force spanning tree recalculations.
11. LAN Storm Attack
Broadcast, multicast, or unicast packets are flooded on all ports in the same VLAN. These storms can increase CPU utilization on the switch to 100% and reduce network performance.
(Diagram: a flood of broadcast frames reaching every port.)
12. Storm Control
(Graph: total number of broadcast packets or bytes over time.)
14. VLAN Hopping Attacks
(Diagram: two switches joined by 802.1Q trunks, with servers in VLAN 10 and VLAN 20; the attacker sees traffic destined for the servers.)
A VLAN hopping attack can be launched in two ways:
- Spoofing DTP messages from the attacking host to cause the switch to enter trunking mode
- Introducing a rogue switch and turning on trunking
15. Double-Tagging VLAN Attack
(Diagram: attacker on VLAN 10; trunk with native VLAN = 10 between switch 1 and switch 2; victim in VLAN 20. The frame carries two 802.1Q tags (20, 10) before the first switch and only the VLAN 20 tag after it.)
1. The attacker is on VLAN 10 but puts a VLAN 20 tag in the packet.
2. The first switch strips off the first tag and does not retag it (native traffic is not retagged). It then forwards the packet to switch 2.
3. The second switch receives the packet on the native VLAN.
4. The second switch examines the packet, sees the VLAN 20 tag and forwards it accordingly.
Note: This attack works only if the trunk has the same native VLAN as the attacker.
18. Port Security Overview
(Diagram: Port 0/1 allows MAC A, Port 0/2 allows MAC B, Port 0/3 allows MAC C; Attacker 1 and Attacker 2, labelled MAC A and MAC F, are not permitted on those ports.)
Port security allows an administrator to statically specify MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses.
22. Switchport Port-Security Violation Parameters
Parameter / Description
protect (Optional)
    Set the security violation protect mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.
restrict (Optional)
    Set the security violation restrict mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred.
shutdown (Optional)
    Set the security violation shutdown mode. In this mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and increments the violation counter. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands.
shutdown vlan
    Set the security violation mode to per-VLAN shutdown. In this mode, only the VLAN on which the violation occurred is error-disabled.
24. Switchport Port-Security Aging Parameters
Parameter / Description
static
    Enable aging for statically configured secure addresses on this port.
time time
    Specify the aging time for this port. The range is 0 to 1440 minutes. If the time is 0, aging is disabled for this port.
type absolute
    Set the absolute aging type. All the secure addresses on this port age out exactly after the time (minutes) specified and are removed from the secure address list.
type inactivity
    Set the inactivity aging type. The secure addresses on this port age out only if there is no data traffic from the secure source address for the specified time period.
25. Typical Configuration
(Diagram: switch S2 with PC B attached to the secured port.)
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security aging time 120
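To show how a bounded CAM table behaves under the bogus-MAC flood of slide 8, and how the port-security limit and violation modes of slides 22 and 25 contain it, here is a small Python simulation. It is an added example, not part of the slides: the switch model, port names, MAC strings and the CAM capacity of 4 are all constructed.

```python
from collections import OrderedDict
class Switch:
    """Toy switch: bounded CAM table plus optional per-port port security (added example)."""
    def __init__(self, ports, cam_capacity, port_security=None):
        self.ports = set(ports)
        self.cam = OrderedDict()          # mac -> port, bounded like a real CAM
        self.cap = cam_capacity
        self.psec = port_security or {}   # port -> {"maximum": n, "violation": mode}
        self.secure = {}                  # port -> secure MACs learned so far
        self.errdisabled = set()
        self.violations = 0               # counted for restrict/shutdown; protect is silent

    def _port_security_allows(self, port, src):
        cfg = self.psec.get(port)
        if cfg is None:
            return True                   # no port security on this port
        learned = self.secure.setdefault(port, set())
        if src in learned:
            return True
        if len(learned) < cfg["maximum"]:
            learned.add(src)              # learned dynamically, as with "sticky"
            return True
        # Limit reached: protect drops silently, restrict drops and counts, shutdown err-disables.
        if cfg["violation"] in ("restrict", "shutdown"):
            self.violations += 1
        if cfg["violation"] == "shutdown":
            self.errdisabled.add(port)
        return False

    def frame(self, in_port, src, dst):
        """Switch one frame; return the set of ports it is delivered to."""
        if in_port in self.errdisabled or not self._port_security_allows(in_port, src):
            return set()
        if src in self.cam or len(self.cam) < self.cap:
            self.cam[src] = in_port       # learn the source; a full CAM learns nothing new
        if dst in self.cam:
            return {self.cam[dst]}        # known destination: forward out one port
        return self.ports - {in_port}     # unknown destination: flood the VLAN

def mac_flood_outcome(port_security=None):
    """Attacker on 3/25 floods bogus source MACs, then host A (3/1) sends to server B (3/2).
    Returns (ports receiving A's frame, bogus CAM entries, whether 3/25 was err-disabled)."""
    sw = Switch(["3/1", "3/2", "3/25"], cam_capacity=4, port_security=port_security)
    for i in range(8):
        sw.frame("3/25", f"bogus{i}", "ff:ff:ff:ff:ff:ff")
    sw.frame("3/2", "MAC_B", "ff:ff:ff:ff:ff:ff")     # B broadcasts, e.g. an ARP request
    delivered = sw.frame("3/1", "MAC_A", "MAC_B")
    bogus = sum(1 for m in sw.cam if m.startswith("bogus"))
    return delivered, bogus, "3/25" in sw.errdisabled
```

Without port security the flood fills the CAM, server B is never learned and A's frame is flooded to the attacker's port; with `maximum 2` and `violation shutdown` the port is err-disabled at the third bogus address and A's frame reaches only 3/2.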
31. Configure PortFast
(Diagram: a server and a workstation attached to access ports.)
Command / Description
Switch(config-if)# spanning-tree portfast
    Enables PortFast on a Layer 2 access port and forces it to enter the forwarding state immediately.
Switch(config-if)# no spanning-tree portfast
    Disables PortFast on a Layer 2 access port. PortFast is disabled by default.
Switch(config)# spanning-tree portfast default
    Globally enables the PortFast feature on all nontrunking ports.
Switch# show running-config interface type slot/port
    Indicates whether PortFast has been configured on a port.
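As an added example (not from the slides), the following Python script audits a `show running-config` excerpt for the edge-port settings discussed above: forced access mode so that DTP cannot negotiate a trunk (slide 14), the port-security parameters of slides 22 to 25, and PortFast (slide 31). The sample configuration and its interface names are constructed; the parser starts from the Cisco port-security defaults (maximum 1, violation shutdown, aging time 0).

```python
import re
# Constructed "show running-config" excerpt for the demo; not taken from the slides.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
 switchport port-security aging time 120
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport mode dynamic desirable
!
interface GigabitEthernet0/1
 switchport mode trunk
"""
def parse_interfaces(config):
    """Map each interface name to the list of its (stripped) sub-commands."""
    interfaces = {}
    for block in ("\n" + config).split("\ninterface ")[1:]:
        name, _, body = block.partition("\n")
        interfaces[name] = [line.strip() for line in body.splitlines() if line.startswith(" ")]
    return interfaces
def port_security_settings(lines):
    """Port-security parameters of one interface (Cisco defaults: max 1, shutdown, aging 0)."""
    s = {"enabled": "switchport port-security" in lines, "maximum": 1,
         "violation": "shutdown", "sticky": False, "aging_time": 0}
    for line in lines:
        if m := re.fullmatch(r"switchport port-security (maximum|aging time) (\d+)", line):
            s[m.group(1).replace(" ", "_")] = int(m.group(2))
        elif m := re.fullmatch(r"switchport port-security violation (\S+)", line):
            s["violation"] = m.group(1)
        elif line == "switchport port-security mac-address sticky":
            s["sticky"] = True
    return s
def audit_edge_ports(config):
    """Flag non-trunk ports that lack the protections the slides recommend."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" in lines:
            continue                      # trunks need a different checklist
        checks = [("switchport mode access" in lines, "not forced to access mode (DTP could negotiate a trunk)"),
                  (port_security_settings(lines)["enabled"], "port security not enabled"),
                  ("spanning-tree portfast" in lines, "PortFast not configured")]
        if issues := [msg for ok, msg in checks if not ok]:
            findings[name] = issues
    return findings
```

Running `audit_edge_ports(SAMPLE_CONFIG)` reports only FastEthernet0/2, whose `dynamic desirable` mode is exactly the state in which a spoofed DTP message can turn the port into a trunk.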