The document discusses security concerns and mitigation strategies for switches in local area networks (LANs). It describes various attacks that switches are vulnerable to, such as password attacks, denial-of-service attacks, CDP attacks, and MAC address flooding. It recommends disabling unused ports, disabling the Cisco Discovery Protocol when not in use, configuring port security, and configuring DHCP snooping to help mitigate these attacks. The document then provides configuration examples for disabling unused ports, the Cisco Discovery Protocol, and configuring port security on interfaces.
LAN Switching and Wireless: Ch2 - Basic Switch Concepts and ConfigurationAbdelkhalik Mosa
This chapter starts with discussing the key elements of ethernet/802.3 networks such as CSMA/CD, communication using unicast, multicast, and broadcast, the ethernet frame, MAC address, duplex settings, half-duplex and full-duplex, switch port settings, auto-MDIX, and the switch MAC table.
After that, there is a discussion about the design considerations for Ethernet networks such as bandwidth, throughput, goodput, collision domains, broadcast domains, LAN segmentation, and network latency.
Switch forwarding modes: store and forward and cut-through and the difference between symmetric and asymmetric switching.
Memory Buffering: port-based memory and shared memory.
The difference between layer 3 switches and routers.
Cisco switch CLI commands, accessing the history, switch boot sequence and recovering from system crash.
Managing the MAC address table, dynamic MAC addresses and static MAC addresses and backing configuration files to a TFTP server.
Configuring switch passwords and password recovery, configuring telnet and SSH.
Common Security Attacks such as MAC address flooding, spoofing attacks, CDP attacks and telnet attacks.
Switch port security, sticky port security and security violation modes: protect, restrict and shutdown and verifying poert security
Cisco CCNA Training/Exam Tips that are helpful for your Certification Exam!
To be Cisco Certified please Check out:
http://asmed.com/information-technology-it/
Webinar NETGEAR Prosafe Switch, la sicurezza della LANNetgear Italia
Introduzione alle funzionalità di sicurezza offerta dalle famiglie di switch gestiti di NETGEAR, SMART e FULL MANAGED, per proteggere la tua rete LAN: Protected Ports, Port Security, DHCP Snooping, 802.1x .....
LAN Switching and Wireless: Ch2 - Basic Switch Concepts and ConfigurationAbdelkhalik Mosa
This chapter starts with discussing the key elements of ethernet/802.3 networks such as CSMA/CD, communication using unicast, multicast, and broadcast, the ethernet frame, MAC address, duplex settings, half-duplex and full-duplex, switch port settings, auto-MDIX, and the switch MAC table.
After that, there is a discussion about the design considerations for Ethernet networks such as bandwidth, throughput, goodput, collision domains, broadcast domains, LAN segmentation, and network latency.
Switch forwarding modes: store and forward and cut-through and the difference between symmetric and asymmetric switching.
Memory Buffering: port-based memory and shared memory.
The difference between layer 3 switches and routers.
Cisco switch CLI commands, accessing the history, switch boot sequence and recovering from system crash.
Managing the MAC address table, dynamic MAC addresses and static MAC addresses and backing configuration files to a TFTP server.
Configuring switch passwords and password recovery, configuring telnet and SSH.
Common Security Attacks such as MAC address flooding, spoofing attacks, CDP attacks and telnet attacks.
Switch port security, sticky port security and security violation modes: protect, restrict and shutdown and verifying poert security
Cisco CCNA Training/Exam Tips that are helpful for your Certification Exam!
To be Cisco Certified please Check out:
http://asmed.com/information-technology-it/
Webinar NETGEAR Prosafe Switch, la sicurezza della LANNetgear Italia
Introduzione alle funzionalità di sicurezza offerta dalle famiglie di switch gestiti di NETGEAR, SMART e FULL MANAGED, per proteggere la tua rete LAN: Protected Ports, Port Security, DHCP Snooping, 802.1x .....
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
UiPath Test Automation using UiPath Test Suite series, part 6DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
UiPath Test Automation using UiPath Test Suite series, part 5DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD with in UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIVladimir Iglovikov, Ph.D.
Presented by Vladimir Iglovikov:
- https://www.linkedin.com/in/iglovikov/
- https://x.com/viglovikov
- https://www.instagram.com/ternaus/
This presentation delves into the journey of Albumentations.ai, a highly successful open-source library for data augmentation.
Created out of a necessity for superior performance in Kaggle competitions, Albumentations has grown to become a widely used tool among data scientists and machine learning practitioners.
This case study covers various aspects, including:
People: The contributors and community that have supported Albumentations.
Metrics: The success indicators such as downloads, daily active users, GitHub stars, and financial contributions.
Challenges: The hurdles in monetizing open-source projects and measuring user engagement.
Development Practices: Best practices for creating, maintaining, and scaling open-source libraries, including code hygiene, CI/CD, and fast iteration.
Community Building: Strategies for making adoption easy, iterating quickly, and fostering a vibrant, engaged community.
Marketing: Both online and offline marketing tactics, focusing on real, impactful interactions and collaborations.
Mental Health: Maintaining balance and not feeling pressured by user demands.
Key insights include the importance of automation, making the adoption process seamless, and leveraging offline interactions for marketing. The presentation also emphasizes the need for continuous small improvements and building a friendly, inclusive community that contributes to the project's growth.
Vladimir Iglovikov brings his extensive experience as a Kaggle Grandmaster, ex-Staff ML Engineer at Lyft, sharing valuable lessons and practical advice for anyone looking to enhance the adoption of their open-source projects.
Explore more about Albumentations and join the community at:
GitHub: https://github.com/albumentations-team/albumentations
Website: https://albumentations.ai/
LinkedIn: https://www.linkedin.com/company/100504475
Twitter: https://x.com/albumentations
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Security Concerns in LANs.pptx
1. Security Concerns in LANs
Enterprise Networking, Security, and Automation v7.0
(ENSA)
2. Switch Vulnerabilities
Switches are vulnerable to a variety of attacks including:
Password attacks
DoS attacks
CDP attacks
MAC address flooding
DHCP attacks
To mitigate against these attacks:
Disable unused ports
Disable CDP
Configure Port Security
Configure DHCP snooping
2
3. Disable Unused Ports and Assign to an
Unused (Garbage) VLAN
S1(config)#int range fa0/20 – 24
S1(config-if-range)# switchport access vlan 100
S1(config-if-range)# shutdown
%LINK-5-CHANGED: Interface FastEthernet0/20, changed state to
administratively down
%LINK-5-CHANGED: Interface FastEthernet0/21, changed state to
administratively down
%LINK-5-CHANGED: Interface FastEthernet0/22, changed state to
administratively down
%LINK-5-CHANGED: Interface FastEthernet0/23, changed state to
administratively down
%LINK-5-CHANGED: Interface FastEthernet0/24, changed state to
administratively down
S1(config-if-range)#
4
4. Leveraging the Cisco Discovery Protocol
The Cisco Discovery Protocol is a Layer 2 Cisco proprietary protocol
used to discover other directly connected Cisco devices.
It is designed to allow the devices to autoconfigure their
connections.
If an attacker is listening to Cisco Discovery Protocol messages, it
could learn important information, such as the device model or the
running software version.
5
5. Leveraging the Cisco Discovery Protocol
Cisco recommends disabling CDP when it is not in use.
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version
12.2(44)SE, RELEASE SOFTWARE (fc1)…
6
6. Disabling CDP
S1(config)# no cdp run
S1(config)#
S1(config)# interface range fa0/1 – 24
S1(config-if-range)# no cdp enable
S1(config-if-range)#exit
S1(config)#
7
7. Layer 2 Switching
Packet Tracer Topology
In this scenario, the
switch has just
rebooted.
Verify the content of
the MAC address
table.
192.168.1.0 /24
.10 .11
.12 .13
000a.f38e.74b3 00d0.ba07.8499
0090.0c23.ceca
0001.9717.22e0
F0/1
F0/3
F0/2
F0/4
Sw1# show mac-address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
Sw1#
8
8. Layer 2 Switching
PC-A pings PC-B.
192.168.1.0 /24
.12 .13
0090.0c23.ceca
0001.9717.22e0
F0/1
F0/3
F0/2
F0/4
PC-A> ping 192.168.1.11
Pinging 192.168.1.11 with 32 bytes of data:
Reply from 192.168.1.11: bytes=32 time=62ms TTL=128
Reply from 192.168.1.11: bytes=32 time=62ms TTL=128
Reply from 192.168.1.11: bytes=32 time=63ms TTL=128
Reply from 192.168.1.11: bytes=32 time=63ms TTL=128
Ping statistics for 192.168.1.11:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 62ms, Maximum = 63ms, Average = 62ms
PC-A> 9
.10 .11
00d0.ba07.8499
000a.f38e.74b3
10. Unicast Flooding
11
Unicast
Mac Address Table
Port MAC Address
Mac Address Table
1.Learn – Examine Source MAC
address
In table: Reset 5 min timer
Not in table: Add Source MAC
address and port # to table
2.Forward – Examine
Destination MAC address
In table: Forward out that port.
Not in table: Flood out all ports
except incoming port.
AAAA BBBB
AAAA
BBBB
Not in table
Unknown Unicast
1 2
11. 12
MAC Flood Attack
If the attack is launched before the
beginning of the day, the CAM table would
be full as the majority of devices are
powered on.
If the initial, malicious flood of invalid CAM
table entries is a one-time event:
Can generate 155,000 MAC entries
per minute
“Typical” switch can store 4,000 to
8,000 MAC entries
Eventually, the switch will age out
older, invalid CAM table entries
New, legitimate devices will be able to
create an entry in the CAM
Traffic flooding will cease
Intruder may never be detected
(network seems normal).
12. Unicast Flooding
13
Unicast
Mac Address Table
Port MAC Address
Mac Address Table
1.Learn – Examine Source MAC
address
In table: Reset 5 min timer
Not in table: Add Source MAC
address and port # to table
2.Forward – Examine
Destination MAC address
In table: Forward out that port.
Not in table: Flood out all ports
except incoming port.
AAAA BBBB
AAAA
BBBB
Not in table or table is full
Unknown Unicast
1 2
13. Configure Port Security
Port security allows an administrator to limit the number of MAC addresses learned on a
port.
If this is exceeded, a switch action can be configured.
Configure each access port to accept 1 MAC address only or a small group of MAC
addresses.
Frames from any other MAC addresses are not forwarded.
By default, the port will shut down if the wrong device connects.
It has to be brought up again manually.
1 1 1 1
14
14. Configuring Port Security
Use the switchport port-security interface command to
enable port security on a port.
It is used to:
Set a maximum number of MAC addresses.
Define violation actions.
MAC address(es) can be learned dynamically, entered manually,
or learned and retained dynamically.
Set the aging time for dynamic and static secure address entries.
To verify port security status: show port-security
switchport port-security [max value] [violation {protect |
restrict | shutdown}] [mac-address mac-address [sticky]]
[aging time value]
Switch(config-if)#
15
15. Port Security: Secure MAC Addresses
The switch supports these types of secure MAC addresses:
Static
Configured using switchport port-security mac-address
mac-address
Stored in the address table
Added to running configuration.
Dynamic
These are dynamically configured
Stored only in the address table
Removed when the switch restarts
Sticky
These are dynamically configured
Stored in the address table
Added to the running configuration.
If running-config saved to startup-config, when the switch restarts, the
interface does not need to dynamically reconfigure them.
Note: When you enter this command, the interface converts all the
dynamic secure MAC addresses, including those that were dynamically
learned before sticky learning was enabled, to sticky secure MAC
addresses. The interface adds all the sticky secure MAC addresses to
the running configuration.
16
17. Port Security Defaults
Secure MAC addresses can be configured as follows:
Dynamically (learned but not retained after a reboot)
Statically (prone to errors)
Sticky (learned dynamically and retained)
Feature Default setting
Port Security Disabled on a port
Maximum # of Secure MAC
Addresses
1
Violation
Shutdown
• The port shuts down when the maximum number of secure MAC
addresses is exceeded, and an SNMP trap notification is sent.
Sticky Address Learning Disabled
18
18. Dynamic Secure MAC address
Learned dynamically
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
By default, only 1 address is learned.
Put in MAC address table
Not shown in running configuration
It is not saved or in the configuration when switch restarts.
19
19. Static Secure MAC address
Static secure MAC address is manually configured in interface
config mode
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security mac-address
000c.7259.0a63
MAC address is stored in MAC address table
Shows in the running configuration
Can be saved with the configuration. 20
20. Sticky Secure MAC address
Dynamically learned and can be retained.
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security mac-address sticky
You can choose how many can be learned (default 1).
Added to the running configuration
Saved only if you save running configuration.
Note:
When you enter this command, the interface converts all the
dynamic secure MAC addresses, including those that were
dynamically learned before sticky learning was enabled, to sticky
secure MAC addresses.
The interface adds all the sticky secure MAC addresses to the
running configuration. 21
21. 22
interface FastEthernet0/2
switchport mode access
Sets the interface mode as access; an interface in the default mode (dynamic
desirable) cannot be configured as a secure port.
switchport port-security
Enables port security on the interface
switchport port-security maximum 6
(Optional) Sets the maximum number of secure MAC addresses for the interface. The
range is 1 to 132; the default is 1.
switchport port-security aging time 5
Learned addresses are not aged out by default but can be with this command. Value
from 1 to 1024 in minutes.
switchport port-security mac-address 0000.0000.000b
(Optional) Enter a static secure MAC address for the interface, repeating the
command as many times as necessary. You can use this command to enter the
maximum number of secure MAC addresses. If you configure fewer secure MAC
addresses than the maximum, the remaining MAC addresses are dynamically
learned.
switchport port-security mac-address sticky
(Optional) Enable stick learning on the interface.
switchport port-security violation shutdown
(Optional) Set the violation mode, the action to be taken when a security violation is
detected. (Next)
NOTE: switchport host command will disable channeling, and enable access/portfast
Switch(config-if)# switchport host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled
23. Port Security: Maximum of 1
The secure MAC addresses are stored in an address table.
Setting a maximum number of addresses to 1 and configuring the
MAC address of an attached device ensures that the device has the
full bandwidth of the port.
Switch(config-if)# switchport port-security maximum 1
24
24. Port Security: Static
Addresses
Restricts input to an interface by limiting and identifying MAC
addresses of the stations allowed to access the port.
The port does not forward packets with source addresses outside the
group of defined addresses.
Switch(config)# interface fa 0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 3
Switch(config-if)# switchport port-security mac-address 0000.0000.000a
Switch(config-if)# switchport port-security mac-address 0000.0000.000b
Switch(config-if)# switchport port-security mac-address 0000.0000.000c
X
25
25. 26
Port Security: Violation
Station attempting to access the
port is different from any of the
identified secure MAC addresses,
a security violation occurs.
26. Port Security: Violation
By default, if the maximum number of connections is achieved and a
new MAC address attempts to access the port, the switch must take
one of the following actions:
Protect: Frames from the nonallowed address are dropped, but there
is no log of the violation.
Restrict: Frames from the nonallowed address are dropped, a log
message is created and Simple Network Management Protocol
(SNMP) trap sent.
Shut down: If any frames are seen from a nonallowed address, the
interface is errdisabled, a log entry is made, SNMP trap sent and
manual intervention (no shutdown) or errdisable recovery must be
used to make the interface usable.
Switch(config-if)#switchport port-security violation
{protect | restrict | shutdown}
27
27. DHCP Attacks
DHCP is a network protocol used to automatically assign IP
information.
Two types of DHCP attacks are:
DHCP spoofing: A fake DHCP server is placed in the network to
issue DHCP addresses to clients.
DHCP starvation: DHCP starvation is often used before a
DHCP spoofing attack to deny service to the legitimate DHCP
server.
28
29. DHCP Spoof Attacks
“I need an IP
address/mask, default
gateway, and DNS
server.”
“Here you go, I
might be first!”
(Rouge)
“Here you go.”
(Legitimate)
“Got it, thanks!”
“Already got the info.”
All default gateway
frames and DNS
requests sent to
Rogue.
“I can now
forward these on
to my leader.”
(Rouge)
30
30. Solution:
Configure
DHCP
Snooping
DHCP snooping is a Cisco Catalyst feature that determines which
switch ports can respond to DHCP requests.
Ports are identified as trusted and untrusted.
Trusted ports: Host a DHCP server or can be an uplink toward
the DHCP server and can source all DHCP messages, including
DHCP offer and DHCP acknowledgement packets
Untrusted ports: Can source requests only. 31
31. DHCP Snooping
S1(config)# ip dhcp snooping
S1(config)# ip dhcp snooping vlan 10,20
S1(config)# interface gig 0/1
S1(config-if)# ip dhcp snooping trust
S1(config)# interface fa 0/0
S1(config-if)# ip dhcp snooping limit rate 100
Fa0/0
Gig0/1
By default all interfaces are untrusted.
Fa0/0
S1
32
32. DHCP Snooping
“I need an IP
address/mask,
default gateway,
and DNS server.”
“Here you go, I
might be first!”
(Rouge)
“Here you go.”
(Legitimate)
Switch: This is an
untrusted port, I will
block this DHCP Offer”
“Thanks, got it.”
Switch: This is a trusted port, I
will allow this DHCP Offer”
33