SlideShare a Scribd company logo

Security Concerns in LANs.pptx

Download as PPTX, PDF
J
joko

The document discusses security concerns and mitigation strategies for switches in local area networks (LANs). It describes various attacks that switches are vulnerable to, such as password attacks, denial-of-service attacks, CDP attacks, and MAC address flooding. It recommends disabling unused ports, disabling the Cisco Discovery Protocol when not in use, configuring port security, and configuring DHCP snooping to help mitigate these attacks. The document then provides configuration examples for disabling unused ports, the Cisco Discovery Protocol, and configuring port security on interfaces.

Technology
1 of 33
Security Concerns in LANs Enterprise Networking, Security, and Automation v7.0 (ENSA)
Switch Vulnerabilities  Switches are vulnerable to a variety of attacks including:  Password attacks  DoS attacks  CDP attacks  MAC address flooding  DHCP attacks  To mitigate against these attacks:  Disable unused ports  Disable CDP  Configure Port Security  Configure DHCP snooping 2
Disable Unused Ports and Assign to an Unused (Garbage) VLAN S1(config)#int range fa0/20 – 24 S1(config-if-range)# switchport access vlan 100 S1(config-if-range)# shutdown %LINK-5-CHANGED: Interface FastEthernet0/20, changed state to administratively down %LINK-5-CHANGED: Interface FastEthernet0/21, changed state to administratively down %LINK-5-CHANGED: Interface FastEthernet0/22, changed state to administratively down %LINK-5-CHANGED: Interface FastEthernet0/23, changed state to administratively down %LINK-5-CHANGED: Interface FastEthernet0/24, changed state to administratively down S1(config-if-range)# 4
Leveraging the Cisco Discovery Protocol  The Cisco Discovery Protocol is a Layer 2 Cisco proprietary protocol used to discover other directly connected Cisco devices.  It is designed to allow the devices to autoconfigure their connections.  If an attacker is listening to Cisco Discovery Protocol messages, it could learn important information, such as the device model or the running software version. 5
Leveraging the Cisco Discovery Protocol  Cisco recommends disabling CDP when it is not in use. Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(44)SE, RELEASE SOFTWARE (fc1)… 6
Disabling CDP S1(config)# no cdp run S1(config)# S1(config)# interface range fa0/1 – 24 S1(config-if-range)# no cdp enable S1(config-if-range)#exit S1(config)# 7
Layer 2 Switching Packet Tracer Topology In this scenario, the switch has just rebooted. Verify the content of the MAC address table. 192.168.1.0 /24 .10 .11 .12 .13 000a.f38e.74b3 00d0.ba07.8499 0090.0c23.ceca 0001.9717.22e0 F0/1 F0/3 F0/2 F0/4 Sw1# show mac-address-table Mac Address Table ------------------------------------------- Vlan Mac Address Type Ports ---- ----------- -------- ----- Sw1# 8
Layer 2 Switching PC-A pings PC-B. 192.168.1.0 /24 .12 .13 0090.0c23.ceca 0001.9717.22e0 F0/1 F0/3 F0/2 F0/4 PC-A> ping 192.168.1.11 Pinging 192.168.1.11 with 32 bytes of data: Reply from 192.168.1.11: bytes=32 time=62ms TTL=128 Reply from 192.168.1.11: bytes=32 time=62ms TTL=128 Reply from 192.168.1.11: bytes=32 time=63ms TTL=128 Reply from 192.168.1.11: bytes=32 time=63ms TTL=128 Ping statistics for 192.168.1.11: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 62ms, Maximum = 63ms, Average = 62ms PC-A> 9 .10 .11 00d0.ba07.8499 000a.f38e.74b3
Layer 2 Switching Sw1# show mac-address-table Mac Address Table ------------------------------------------- Vlan Mac Address Type Ports ---- ----------- -------- ----- 1 000a.f38e.74b3 DYNAMIC Fa0/1 1 00d0.ba07.8499 DYNAMIC Fa0/2 Sw1# 10 192.168.1.0 /24 .12 .13 0090.0c23.ceca 0001.9717.22e0 F0/1 F0/3 F0/2 F0/4 .10 .11 00d0.ba07.8499 000a.f38e.74b3
Unicast Flooding 11 Unicast Mac Address Table Port MAC Address Mac Address Table 1.Learn – Examine Source MAC address In table: Reset 5 min timer Not in table: Add Source MAC address and port # to table 2.Forward – Examine Destination MAC address In table: Forward out that port. Not in table: Flood out all ports except incoming port. AAAA BBBB AAAA BBBB Not in table Unknown Unicast 1 2
12 MAC Flood Attack  If the attack is launched before the beginning of the day, the CAM table would be full as the majority of devices are powered on.  If the initial, malicious flood of invalid CAM table entries is a one-time event:  Can generate 155,000 MAC entries per minute  “Typical” switch can store 4,000 to 8,000 MAC entries  Eventually, the switch will age out older, invalid CAM table entries  New, legitimate devices will be able to create an entry in the CAM  Traffic flooding will cease  Intruder may never be detected (network seems normal).
Unicast Flooding 13 Unicast Mac Address Table Port MAC Address Mac Address Table 1.Learn – Examine Source MAC address In table: Reset 5 min timer Not in table: Add Source MAC address and port # to table 2.Forward – Examine Destination MAC address In table: Forward out that port. Not in table: Flood out all ports except incoming port. AAAA BBBB AAAA BBBB Not in table or table is full Unknown Unicast 1 2
Configure Port Security  Port security allows an administrator to limit the number of MAC addresses learned on a port.  If this is exceeded, a switch action can be configured.  Configure each access port to accept 1 MAC address only or a small group of MAC addresses.  Frames from any other MAC addresses are not forwarded.  By default, the port will shut down if the wrong device connects.  It has to be brought up again manually. 1 1 1 1 14
Configuring Port Security  Use the switchport port-security interface command to enable port security on a port.  It is used to:  Set a maximum number of MAC addresses.  Define violation actions.  MAC address(es) can be learned dynamically, entered manually, or learned and retained dynamically.  Set the aging time for dynamic and static secure address entries.  To verify port security status: show port-security switchport port-security [max value] [violation {protect | restrict | shutdown}] [mac-address mac-address [sticky]] [aging time value] Switch(config-if)# 15
Port Security: Secure MAC Addresses  The switch supports these types of secure MAC addresses:  Static  Configured using switchport port-security mac-address mac-address  Stored in the address table  Added to running configuration.  Dynamic  These are dynamically configured  Stored only in the address table  Removed when the switch restarts  Sticky  These are dynamically configured  Stored in the address table  Added to the running configuration.  If running-config saved to startup-config, when the switch restarts, the interface does not need to dynamically reconfigure them.  Note: When you enter this command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses. The interface adds all the sticky secure MAC addresses to the running configuration. 16
Port Security: Steps 17
Port Security Defaults  Secure MAC addresses can be configured as follows:  Dynamically (learned but not retained after a reboot)  Statically (prone to errors)  Sticky (learned dynamically and retained) Feature Default setting Port Security Disabled on a port Maximum # of Secure MAC Addresses 1 Violation Shutdown • The port shuts down when the maximum number of secure MAC addresses is exceeded, and an SNMP trap notification is sent. Sticky Address Learning Disabled 18
Dynamic Secure MAC address  Learned dynamically  S1(config-if)# switchport mode access  S1(config-if)# switchport port-security  By default, only 1 address is learned.  Put in MAC address table  Not shown in running configuration  It is not saved or in the configuration when switch restarts. 19
Static Secure MAC address  Static secure MAC address is manually configured in interface config mode S1(config-if)# switchport mode access S1(config-if)# switchport port-security mac-address 000c.7259.0a63  MAC address is stored in MAC address table  Shows in the running configuration  Can be saved with the configuration. 20
Sticky Secure MAC address  Dynamically learned and can be retained.  S1(config-if)# switchport mode access  S1(config-if)# switchport port-security mac-address sticky  You can choose how many can be learned (default 1).  Added to the running configuration  Saved only if you save running configuration.  Note:  When you enter this command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses.  The interface adds all the sticky secure MAC addresses to the running configuration. 21
22 interface FastEthernet0/2 switchport mode access  Sets the interface mode as access; an interface in the default mode (dynamic desirable) cannot be configured as a secure port. switchport port-security  Enables port security on the interface switchport port-security maximum 6  (Optional) Sets the maximum number of secure MAC addresses for the interface. The range is 1 to 132; the default is 1. switchport port-security aging time 5  Learned addresses are not aged out by default but can be with this command. Value from 1 to 1024 in minutes. switchport port-security mac-address 0000.0000.000b  (Optional) Enter a static secure MAC address for the interface, repeating the command as many times as necessary. You can use this command to enter the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned. switchport port-security mac-address sticky  (Optional) Enable stick learning on the interface. switchport port-security violation shutdown  (Optional) Set the violation mode, the action to be taken when a security violation is detected. (Next) NOTE: switchport host command will disable channeling, and enable access/portfast Switch(config-if)# switchport host switchport mode will be set to access spanning-tree portfast will be enabled channel group will be disabled
Port Security: Steps 23
Port Security: Maximum of 1  The secure MAC addresses are stored in an address table.  Setting a maximum number of addresses to 1 and configuring the MAC address of an attached device ensures that the device has the full bandwidth of the port. Switch(config-if)# switchport port-security maximum 1 24
Port Security: Static Addresses  Restricts input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port.  The port does not forward packets with source addresses outside the group of defined addresses. Switch(config)# interface fa 0/1 Switch(config-if)# switchport mode access Switch(config-if)# switchport port-security Switch(config-if)# switchport port-security maximum 3 Switch(config-if)# switchport port-security mac-address 0000.0000.000a Switch(config-if)# switchport port-security mac-address 0000.0000.000b Switch(config-if)# switchport port-security mac-address 0000.0000.000c X 25
26 Port Security: Violation  Station attempting to access the port is different from any of the identified secure MAC addresses, a security violation occurs.
Port Security: Violation  By default, if the maximum number of connections is achieved and a new MAC address attempts to access the port, the switch must take one of the following actions:  Protect: Frames from the nonallowed address are dropped, but there is no log of the violation.  Restrict: Frames from the nonallowed address are dropped, a log message is created and Simple Network Management Protocol (SNMP) trap sent.  Shut down: If any frames are seen from a nonallowed address, the interface is errdisabled, a log entry is made, SNMP trap sent and manual intervention (no shutdown) or errdisable recovery must be used to make the interface usable. Switch(config-if)#switchport port-security violation {protect | restrict | shutdown} 27
DHCP Attacks  DHCP is a network protocol used to automatically assign IP information.  Two types of DHCP attacks are:  DHCP spoofing: A fake DHCP server is placed in the network to issue DHCP addresses to clients.  DHCP starvation: DHCP starvation is often used before a DHCP spoofing attack to deny service to the legitimate DHCP server. 28
DHCP Review 29
DHCP Spoof Attacks “I need an IP address/mask, default gateway, and DNS server.” “Here you go, I might be first!” (Rouge) “Here you go.” (Legitimate) “Got it, thanks!” “Already got the info.” All default gateway frames and DNS requests sent to Rogue. “I can now forward these on to my leader.” (Rouge) 30
Solution: Configure DHCP Snooping  DHCP snooping is a Cisco Catalyst feature that determines which switch ports can respond to DHCP requests.  Ports are identified as trusted and untrusted.  Trusted ports: Host a DHCP server or can be an uplink toward the DHCP server and can source all DHCP messages, including DHCP offer and DHCP acknowledgement packets  Untrusted ports: Can source requests only. 31
DHCP Snooping S1(config)# ip dhcp snooping S1(config)# ip dhcp snooping vlan 10,20 S1(config)# interface gig 0/1 S1(config-if)# ip dhcp snooping trust S1(config)# interface fa 0/0 S1(config-if)# ip dhcp snooping limit rate 100 Fa0/0 Gig0/1 By default all interfaces are untrusted. Fa0/0 S1 32
DHCP Snooping “I need an IP address/mask, default gateway, and DNS server.” “Here you go, I might be first!” (Rouge) “Here you go.” (Legitimate) Switch: This is an untrusted port, I will block this DHCP Offer” “Thanks, got it.” Switch: This is a trusted port, I will allow this DHCP Offer” 33
Security Concerns in LANs.pptx

Recommended

Cap2 configuring switch
Cap2 configuring switchCap2 configuring switch
Cap2 configuring switch
Hector Camba Lainez
 
Switch security
Switch securitySwitch security
Switch security
nullowaspmumbai
 
Cisco Switch How To - Secure a Switch Port
Cisco Switch How To - Secure a Switch PortCisco Switch How To - Secure a Switch Port
Cisco Switch How To - Secure a Switch Port
IPMAX s.r.l.
 
SRWE_Module_11.pptx
SRWE_Module_11.pptxSRWE_Module_11.pptx
SRWE_Module_11.pptx
Josimar Caitano
 
Ch6
Ch6Ch6
Ch6scary5800
 
How to Configure Port-Security on Cisco Switch for Enhanced Network Security ...
How to Configure Port-Security on Cisco Switch for Enhanced Network Security ...How to Configure Port-Security on Cisco Switch for Enhanced Network Security ...
How to Configure Port-Security on Cisco Switch for Enhanced Network Security ...
INFitunes
 
Network Security- port security.pptx
Network Security- port security.pptxNetwork Security- port security.pptx
Network Security- port security.pptx
SulSya
 
Configuring dynamic switchport security
Configuring dynamic switchport securityConfiguring dynamic switchport security
Configuring dynamic switchport securityIT Tech
 

Recommended

Cap2 configuring switch
Cap2 configuring switchCap2 configuring switch
Cap2 configuring switch
Hector Camba Lainez
 
Switch security
Switch securitySwitch security
Switch security
nullowaspmumbai
 
Cisco Switch How To - Secure a Switch Port
Cisco Switch How To - Secure a Switch PortCisco Switch How To - Secure a Switch Port
Cisco Switch How To - Secure a Switch Port
IPMAX s.r.l.
 
SRWE_Module_11.pptx
SRWE_Module_11.pptxSRWE_Module_11.pptx
SRWE_Module_11.pptx
Josimar Caitano
 
Ch6
Ch6Ch6
Ch6scary5800
 
How to Configure Port-Security on Cisco Switch for Enhanced Network Security ...
How to Configure Port-Security on Cisco Switch for Enhanced Network Security ...How to Configure Port-Security on Cisco Switch for Enhanced Network Security ...
How to Configure Port-Security on Cisco Switch for Enhanced Network Security ...
INFitunes
 
Network Security- port security.pptx
Network Security- port security.pptxNetwork Security- port security.pptx
Network Security- port security.pptx
SulSya
 
Configuring dynamic switchport security
Configuring dynamic switchport securityConfiguring dynamic switchport security
Configuring dynamic switchport securityIT Tech
 
Mitigating Layer2 Attacks
Mitigating Layer2 AttacksMitigating Layer2 Attacks
Mitigating Layer2 Attacks
dkaya
 
LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration
LAN Switching and Wireless: Ch2 - Basic Switch Concepts and ConfigurationLAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration
LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration
Abdelkhalik Mosa
 
Switchport port security explained with examples
Switchport port security explained with examplesSwitchport port security explained with examples
Switchport port security explained with examples
teameassefa
 
1-300-206 (SENSS)=Firewall (642-618)
1-300-206 (SENSS)=Firewall (642-618) 1-300-206 (SENSS)=Firewall (642-618)
1-300-206 (SENSS)=Firewall (642-618) Mohmed Abou Elenein Attia
 
CCNA Lab 2-Configuring a Switch Part II
CCNA Lab 2-Configuring a Switch Part IICCNA Lab 2-Configuring a Switch Part II
CCNA Lab 2-Configuring a Switch Part II
Amir Jafari
 
2.2.4.9 packet tracer configuring switch port security instructions - ig
2.2.4.9 packet tracer configuring switch port security instructions - ig2.2.4.9 packet tracer configuring switch port security instructions - ig
2.2.4.9 packet tracer configuring switch port security instructions - ig
Alex Ramirez
 
Chapter 14 - Sw Conf
Chapter 14 - Sw ConfChapter 14 - Sw Conf
Chapter 14 - Sw Confphanleson
 
Ccna 3 chapter 2 v4.0 answers 2011
Ccna 3 chapter 2 v4.0 answers 2011Ccna 3 chapter 2 v4.0 answers 2011
Ccna 3 chapter 2 v4.0 answers 2011Dân Chơi
 
CCNA Security 07-Securing the local area network
CCNA Security 07-Securing the local area networkCCNA Security 07-Securing the local area network
CCNA Security 07-Securing the local area network
Ahmed Habib
 
Attack.pptx
Attack.pptxAttack.pptx
Attack.pptx
ISMT College
 
LAYER2_
LAYER2_LAYER2_
LAYER2_Nishad Dadhaniya
 
VLAN
VLANVLAN
VLANAnuj Kumar
 
Cisco Switch Security
Cisco Switch SecurityCisco Switch Security
Cisco Switch Security
dkaya
 
Cisco CCNA Port Security
Cisco CCNA Port SecurityCisco CCNA Port Security
Cisco CCNA Port Security
Hamed Moghaddam
 
Day 13.1..1 catalyst switch
Day 13.1..1 catalyst switchDay 13.1..1 catalyst switch
Day 13.1..1 catalyst switch
CYBERINTELLIGENTS
 
Webinar NETGEAR Prosafe Switch, la sicurezza della LAN
Webinar NETGEAR Prosafe Switch, la sicurezza della LANWebinar NETGEAR Prosafe Switch, la sicurezza della LAN
Webinar NETGEAR Prosafe Switch, la sicurezza della LAN
Netgear Italia
 
Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.
Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.
Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.
Sumutiu Marius
 
Cisco systems hacking layer 2 ethernet switches
Cisco systems hacking layer 2 ethernet switchesCisco systems hacking layer 2 ethernet switches
Cisco systems hacking layer 2 ethernet switches
KJ Savaliya
 
Hướng dẫn cài đặt switch planet layer 3
Hướng dẫn cài đặt switch planet layer 3Hướng dẫn cài đặt switch planet layer 3
Hướng dẫn cài đặt switch planet layer 3
3c telecom
 
Hacking L2 Switches
Hacking L2 SwitchesHacking L2 Switches
Hacking L2 Switches
Navaneetha Sankar
 
manajemen-jaringan.ppt
manajemen-jaringan.pptmanajemen-jaringan.ppt
manajemen-jaringan.ppt
joko
 
Latihan soal
Latihan soalLatihan soal
Latihan soal
joko
 

More Related Content

Similar to Security Concerns in LANs.pptx

Mitigating Layer2 Attacks
Mitigating Layer2 AttacksMitigating Layer2 Attacks
Mitigating Layer2 Attacks
dkaya
 
LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration
LAN Switching and Wireless: Ch2 - Basic Switch Concepts and ConfigurationLAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration
LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration
Abdelkhalik Mosa
 
Switchport port security explained with examples
Switchport port security explained with examplesSwitchport port security explained with examples
Switchport port security explained with examples
teameassefa
 
CCNA Lab 2-Configuring a Switch Part II
CCNA Lab 2-Configuring a Switch Part IICCNA Lab 2-Configuring a Switch Part II
CCNA Lab 2-Configuring a Switch Part II
Amir Jafari
 
2.2.4.9 packet tracer configuring switch port security instructions - ig
2.2.4.9 packet tracer configuring switch port security instructions - ig2.2.4.9 packet tracer configuring switch port security instructions - ig
2.2.4.9 packet tracer configuring switch port security instructions - ig
Alex Ramirez
 
Chapter 14 - Sw Conf
Chapter 14 - Sw ConfChapter 14 - Sw Conf
Chapter 14 - Sw Confphanleson
 
Ccna 3 chapter 2 v4.0 answers 2011
Ccna 3 chapter 2 v4.0 answers 2011Ccna 3 chapter 2 v4.0 answers 2011
Ccna 3 chapter 2 v4.0 answers 2011Dân Chơi
 
CCNA Security 07-Securing the local area network
CCNA Security 07-Securing the local area networkCCNA Security 07-Securing the local area network
CCNA Security 07-Securing the local area network
Ahmed Habib
 
Attack.pptx
Attack.pptxAttack.pptx
Attack.pptx
ISMT College
 
Cisco Switch Security
Cisco Switch SecurityCisco Switch Security
Cisco Switch Security
dkaya
 
Cisco CCNA Port Security
Cisco CCNA Port SecurityCisco CCNA Port Security
Cisco CCNA Port Security
Hamed Moghaddam
 
Day 13.1..1 catalyst switch
Day 13.1..1 catalyst switchDay 13.1..1 catalyst switch
Day 13.1..1 catalyst switch
CYBERINTELLIGENTS
 
Webinar NETGEAR Prosafe Switch, la sicurezza della LAN
Webinar NETGEAR Prosafe Switch, la sicurezza della LANWebinar NETGEAR Prosafe Switch, la sicurezza della LAN
Webinar NETGEAR Prosafe Switch, la sicurezza della LAN
Netgear Italia
 
Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.
Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.
Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.
Sumutiu Marius
 
Cisco systems hacking layer 2 ethernet switches
Cisco systems hacking layer 2 ethernet switchesCisco systems hacking layer 2 ethernet switches
Cisco systems hacking layer 2 ethernet switches
KJ Savaliya
 
Hướng dẫn cài đặt switch planet layer 3
Hướng dẫn cài đặt switch planet layer 3Hướng dẫn cài đặt switch planet layer 3
Hướng dẫn cài đặt switch planet layer 3
3c telecom
 
Hacking L2 Switches
Hacking L2 SwitchesHacking L2 Switches
Hacking L2 Switches
Navaneetha Sankar
 

Similar to Security Concerns in LANs.pptx (20)

Mitigating Layer2 Attacks
Mitigating Layer2 AttacksMitigating Layer2 Attacks
Mitigating Layer2 Attacks
 
LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration
LAN Switching and Wireless: Ch2 - Basic Switch Concepts and ConfigurationLAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration
LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration
 
Switchport port security explained with examples
Switchport port security explained with examplesSwitchport port security explained with examples
Switchport port security explained with examples
 
1-300-206 (SENSS)=Firewall (642-618)
1-300-206 (SENSS)=Firewall (642-618) 1-300-206 (SENSS)=Firewall (642-618)
1-300-206 (SENSS)=Firewall (642-618)
 
CCNA Lab 2-Configuring a Switch Part II
CCNA Lab 2-Configuring a Switch Part IICCNA Lab 2-Configuring a Switch Part II
CCNA Lab 2-Configuring a Switch Part II
 
2.2.4.9 packet tracer configuring switch port security instructions - ig
2.2.4.9 packet tracer configuring switch port security instructions - ig2.2.4.9 packet tracer configuring switch port security instructions - ig
2.2.4.9 packet tracer configuring switch port security instructions - ig
 
Chapter 14 - Sw Conf
Chapter 14 - Sw ConfChapter 14 - Sw Conf
Chapter 14 - Sw Conf
 
Ccna 3 chapter 2 v4.0 answers 2011
Ccna 3 chapter 2 v4.0 answers 2011Ccna 3 chapter 2 v4.0 answers 2011
Ccna 3 chapter 2 v4.0 answers 2011
 
CCNA Security 07-Securing the local area network
CCNA Security 07-Securing the local area networkCCNA Security 07-Securing the local area network
CCNA Security 07-Securing the local area network
 
Attack.pptx
Attack.pptxAttack.pptx
Attack.pptx
 
LAYER2_
LAYER2_LAYER2_
LAYER2_
 
VLAN
VLANVLAN
VLAN
 
Cisco Switch Security
Cisco Switch SecurityCisco Switch Security
Cisco Switch Security
 
Cisco CCNA Port Security
Cisco CCNA Port SecurityCisco CCNA Port Security
Cisco CCNA Port Security
 
Day 13.1..1 catalyst switch
Day 13.1..1 catalyst switchDay 13.1..1 catalyst switch
Day 13.1..1 catalyst switch
 
Webinar NETGEAR Prosafe Switch, la sicurezza della LAN
Webinar NETGEAR Prosafe Switch, la sicurezza della LANWebinar NETGEAR Prosafe Switch, la sicurezza della LAN
Webinar NETGEAR Prosafe Switch, la sicurezza della LAN
 
Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.
Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.
Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.
 
Cisco systems hacking layer 2 ethernet switches
Cisco systems hacking layer 2 ethernet switchesCisco systems hacking layer 2 ethernet switches
Cisco systems hacking layer 2 ethernet switches
 
Hướng dẫn cài đặt switch planet layer 3
Hướng dẫn cài đặt switch planet layer 3Hướng dẫn cài đặt switch planet layer 3
Hướng dẫn cài đặt switch planet layer 3
 
Hacking L2 Switches
Hacking L2 SwitchesHacking L2 Switches
Hacking L2 Switches
 

More from joko

manajemen-jaringan.ppt
manajemen-jaringan.pptmanajemen-jaringan.ppt
manajemen-jaringan.ppt
joko
 
Latihan soal
Latihan soalLatihan soal
Latihan soal
joko
 
Uni fi controller_ug
Uni fi controller_ugUni fi controller_ug
Uni fi controller_ug
joko
 
Session#1 pengantar akuntansi dan bisnis
Session#1 pengantar akuntansi dan bisnisSession#1 pengantar akuntansi dan bisnis
Session#1 pengantar akuntansi dan bisnisjoko
 
15843 15841-1-pb
15843 15841-1-pb15843 15841-1-pb
15843 15841-1-pbjoko
 
Layer 3
Layer 3Layer 3
Layer 3joko
 
Networking media
Networking mediaNetworking media
Networking mediajoko
 
Network devices
Network devicesNetwork devices
Network devicesjoko
 
Networking media
Networking mediaNetworking media
Networking mediajoko
 
Ip address
Ip addressIp address
Ip addressjoko
 
Dfd
DfdDfd
Dfdjoko
 
Inventory
InventoryInventory
Inventoryjoko
 
Card file
Card fileCard file
Card filejoko
 
Accounts
AccountsAccounts
Accountsjoko
 
Session 6
Session 6Session 6
Session 6joko
 
Session 4
Session 4Session 4
Session 4joko
 
Session 3
Session 3Session 3
Session 3joko
 
Session 3
Session 3Session 3
Session 3joko
 
Session 5
Session 5Session 5
Session 5joko
 
Session 4
Session 4Session 4
Session 4joko
 

More from joko (20)

manajemen-jaringan.ppt
manajemen-jaringan.pptmanajemen-jaringan.ppt
manajemen-jaringan.ppt
 
Latihan soal
Latihan soalLatihan soal
Latihan soal
 
Uni fi controller_ug
Uni fi controller_ugUni fi controller_ug
Uni fi controller_ug
 
Session#1 pengantar akuntansi dan bisnis
Session#1 pengantar akuntansi dan bisnisSession#1 pengantar akuntansi dan bisnis
Session#1 pengantar akuntansi dan bisnis
 
15843 15841-1-pb
15843 15841-1-pb15843 15841-1-pb
15843 15841-1-pb
 
Layer 3
Layer 3Layer 3
Layer 3
 
Networking media
Networking mediaNetworking media
Networking media
 
Network devices
Network devicesNetwork devices
Network devices
 
Networking media
Networking mediaNetworking media
Networking media
 
Ip address
Ip addressIp address
Ip address
 
Dfd
DfdDfd
Dfd
 
Inventory
InventoryInventory
Inventory
 
Card file
Card fileCard file
Card file
 
Accounts
AccountsAccounts
Accounts
 
Session 6
Session 6Session 6
Session 6
 
Session 4
Session 4Session 4
Session 4
 
Session 3
Session 3Session 3
Session 3
 
Session 3
Session 3Session 3
Session 3
 
Session 5
Session 5Session 5
Session 5
 
Session 4
Session 4Session 4
Session 4
 

Recently uploaded

GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
Rohit Gautam
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neo4j
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Vladimir Iglovikov, Ph.D.
 

Recently uploaded (20)

GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
 

Security Concerns in LANs.pptx

  • 1. Security Concerns in LANs Enterprise Networking, Security, and Automation v7.0 (ENSA)
  • 2. Switch Vulnerabilities  Switches are vulnerable to a variety of attacks including:  Password attacks  DoS attacks  CDP attacks  MAC address flooding  DHCP attacks  To mitigate against these attacks:  Disable unused ports  Disable CDP  Configure Port Security  Configure DHCP snooping 2
  • 3. Disable Unused Ports and Assign to an Unused (Garbage) VLAN S1(config)#int range fa0/20 – 24 S1(config-if-range)# switchport access vlan 100 S1(config-if-range)# shutdown %LINK-5-CHANGED: Interface FastEthernet0/20, changed state to administratively down %LINK-5-CHANGED: Interface FastEthernet0/21, changed state to administratively down %LINK-5-CHANGED: Interface FastEthernet0/22, changed state to administratively down %LINK-5-CHANGED: Interface FastEthernet0/23, changed state to administratively down %LINK-5-CHANGED: Interface FastEthernet0/24, changed state to administratively down S1(config-if-range)# 4
  • 4. Leveraging the Cisco Discovery Protocol  The Cisco Discovery Protocol is a Layer 2 Cisco proprietary protocol used to discover other directly connected Cisco devices.  It is designed to allow the devices to autoconfigure their connections.  If an attacker is listening to Cisco Discovery Protocol messages, it could learn important information, such as the device model or the running software version. 5
  • 5. Leveraging the Cisco Discovery Protocol  Cisco recommends disabling CDP when it is not in use. Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(44)SE, RELEASE SOFTWARE (fc1)… 6
  • 6. Disabling CDP S1(config)# no cdp run S1(config)# S1(config)# interface range fa0/1 – 24 S1(config-if-range)# no cdp enable S1(config-if-range)#exit S1(config)# 7
  • 7. Layer 2 Switching Packet Tracer Topology In this scenario, the switch has just rebooted. Verify the content of the MAC address table. 192.168.1.0 /24 .10 .11 .12 .13 000a.f38e.74b3 00d0.ba07.8499 0090.0c23.ceca 0001.9717.22e0 F0/1 F0/3 F0/2 F0/4 Sw1# show mac-address-table Mac Address Table ------------------------------------------- Vlan Mac Address Type Ports ---- ----------- -------- ----- Sw1# 8
  • 8. Layer 2 Switching PC-A pings PC-B. 192.168.1.0 /24 .12 .13 0090.0c23.ceca 0001.9717.22e0 F0/1 F0/3 F0/2 F0/4 PC-A> ping 192.168.1.11 Pinging 192.168.1.11 with 32 bytes of data: Reply from 192.168.1.11: bytes=32 time=62ms TTL=128 Reply from 192.168.1.11: bytes=32 time=62ms TTL=128 Reply from 192.168.1.11: bytes=32 time=63ms TTL=128 Reply from 192.168.1.11: bytes=32 time=63ms TTL=128 Ping statistics for 192.168.1.11: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 62ms, Maximum = 63ms, Average = 62ms PC-A> 9 .10 .11 00d0.ba07.8499 000a.f38e.74b3
  • 9. Layer 2 Switching Sw1# show mac-address-table Mac Address Table ------------------------------------------- Vlan Mac Address Type Ports ---- ----------- -------- ----- 1 000a.f38e.74b3 DYNAMIC Fa0/1 1 00d0.ba07.8499 DYNAMIC Fa0/2 Sw1# 10 192.168.1.0 /24 .12 .13 0090.0c23.ceca 0001.9717.22e0 F0/1 F0/3 F0/2 F0/4 .10 .11 00d0.ba07.8499 000a.f38e.74b3
  • 10. Unicast Flooding 11 Unicast Mac Address Table Port MAC Address Mac Address Table 1.Learn – Examine Source MAC address In table: Reset 5 min timer Not in table: Add Source MAC address and port # to table 2.Forward – Examine Destination MAC address In table: Forward out that port. Not in table: Flood out all ports except incoming port. AAAA BBBB AAAA BBBB Not in table Unknown Unicast 1 2
  • 11. 12 MAC Flood Attack  If the attack is launched before the beginning of the day, the CAM table would be full as the majority of devices are powered on.  If the initial, malicious flood of invalid CAM table entries is a one-time event:  Can generate 155,000 MAC entries per minute  “Typical” switch can store 4,000 to 8,000 MAC entries  Eventually, the switch will age out older, invalid CAM table entries  New, legitimate devices will be able to create an entry in the CAM  Traffic flooding will cease  Intruder may never be detected (network seems normal).
  • 12. Unicast Flooding 13 Unicast Mac Address Table Port MAC Address Mac Address Table 1.Learn – Examine Source MAC address In table: Reset 5 min timer Not in table: Add Source MAC address and port # to table 2.Forward – Examine Destination MAC address In table: Forward out that port. Not in table: Flood out all ports except incoming port. AAAA BBBB AAAA BBBB Not in table or table is full Unknown Unicast 1 2
  • 13. Configure Port Security  Port security allows an administrator to limit the number of MAC addresses learned on a port.  If this is exceeded, a switch action can be configured.  Configure each access port to accept 1 MAC address only or a small group of MAC addresses.  Frames from any other MAC addresses are not forwarded.  By default, the port will shut down if the wrong device connects.  It has to be brought up again manually. 1 1 1 1 14
  • 14. Configuring Port Security  Use the switchport port-security interface command to enable port security on a port.  It is used to:  Set a maximum number of MAC addresses.  Define violation actions.  MAC address(es) can be learned dynamically, entered manually, or learned and retained dynamically.  Set the aging time for dynamic and static secure address entries.  To verify port security status: show port-security switchport port-security [max value] [violation {protect | restrict | shutdown}] [mac-address mac-address [sticky]] [aging time value] Switch(config-if)# 15
  • 15. Port Security: Secure MAC Addresses  The switch supports these types of secure MAC addresses:  Static  Configured using switchport port-security mac-address mac-address  Stored in the address table  Added to running configuration.  Dynamic  These are dynamically configured  Stored only in the address table  Removed when the switch restarts  Sticky  These are dynamically configured  Stored in the address table  Added to the running configuration.  If running-config saved to startup-config, when the switch restarts, the interface does not need to dynamically reconfigure them.  Note: When you enter this command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses. The interface adds all the sticky secure MAC addresses to the running configuration. 16
  • 17. Port Security Defaults  Secure MAC addresses can be configured as follows:  Dynamically (learned but not retained after a reboot)  Statically (prone to errors)  Sticky (learned dynamically and retained) Feature Default setting Port Security Disabled on a port Maximum # of Secure MAC Addresses 1 Violation Shutdown • The port shuts down when the maximum number of secure MAC addresses is exceeded, and an SNMP trap notification is sent. Sticky Address Learning Disabled 18
  • 18. Dynamic Secure MAC address  Learned dynamically  S1(config-if)# switchport mode access  S1(config-if)# switchport port-security  By default, only 1 address is learned.  Put in MAC address table  Not shown in running configuration  It is not saved or in the configuration when switch restarts. 19
  • 19. Static Secure MAC address  Static secure MAC address is manually configured in interface config mode S1(config-if)# switchport mode access S1(config-if)# switchport port-security mac-address 000c.7259.0a63  MAC address is stored in MAC address table  Shows in the running configuration  Can be saved with the configuration. 20
  • 20. Sticky Secure MAC address  Dynamically learned and can be retained.  S1(config-if)# switchport mode access  S1(config-if)# switchport port-security mac-address sticky  You can choose how many can be learned (default 1).  Added to the running configuration  Saved only if you save running configuration.  Note:  When you enter this command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses.  The interface adds all the sticky secure MAC addresses to the running configuration. 21
  • 21. 22 interface FastEthernet0/2 switchport mode access  Sets the interface mode as access; an interface in the default mode (dynamic desirable) cannot be configured as a secure port. switchport port-security  Enables port security on the interface switchport port-security maximum 6  (Optional) Sets the maximum number of secure MAC addresses for the interface. The range is 1 to 132; the default is 1. switchport port-security aging time 5  Learned addresses are not aged out by default but can be with this command. Value from 1 to 1024 in minutes. switchport port-security mac-address 0000.0000.000b  (Optional) Enter a static secure MAC address for the interface, repeating the command as many times as necessary. You can use this command to enter the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned. switchport port-security mac-address sticky  (Optional) Enable stick learning on the interface. switchport port-security violation shutdown  (Optional) Set the violation mode, the action to be taken when a security violation is detected. (Next) NOTE: switchport host command will disable channeling, and enable access/portfast Switch(config-if)# switchport host switchport mode will be set to access spanning-tree portfast will be enabled channel group will be disabled
  • 23. Port Security: Maximum of 1  The secure MAC addresses are stored in an address table.  Setting a maximum number of addresses to 1 and configuring the MAC address of an attached device ensures that the device has the full bandwidth of the port. Switch(config-if)# switchport port-security maximum 1 24
  • 24. Port Security: Static Addresses  Restricts input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port.  The port does not forward packets with source addresses outside the group of defined addresses. Switch(config)# interface fa 0/1 Switch(config-if)# switchport mode access Switch(config-if)# switchport port-security Switch(config-if)# switchport port-security maximum 3 Switch(config-if)# switchport port-security mac-address 0000.0000.000a Switch(config-if)# switchport port-security mac-address 0000.0000.000b Switch(config-if)# switchport port-security mac-address 0000.0000.000c X 25
  • 25. 26 Port Security: Violation  Station attempting to access the port is different from any of the identified secure MAC addresses, a security violation occurs.
  • 26. Port Security: Violation  By default, if the maximum number of connections is achieved and a new MAC address attempts to access the port, the switch must take one of the following actions:  Protect: Frames from the nonallowed address are dropped, but there is no log of the violation.  Restrict: Frames from the nonallowed address are dropped, a log message is created and Simple Network Management Protocol (SNMP) trap sent.  Shut down: If any frames are seen from a nonallowed address, the interface is errdisabled, a log entry is made, SNMP trap sent and manual intervention (no shutdown) or errdisable recovery must be used to make the interface usable. Switch(config-if)#switchport port-security violation {protect | restrict | shutdown} 27
  • 27. DHCP Attacks  DHCP is a network protocol used to automatically assign IP information.  Two types of DHCP attacks are:  DHCP spoofing: A fake DHCP server is placed in the network to issue DHCP addresses to clients.  DHCP starvation: DHCP starvation is often used before a DHCP spoofing attack to deny service to the legitimate DHCP server. 28
  • 29. DHCP Spoof Attacks “I need an IP address/mask, default gateway, and DNS server.” “Here you go, I might be first!” (Rouge) “Here you go.” (Legitimate) “Got it, thanks!” “Already got the info.” All default gateway frames and DNS requests sent to Rogue. “I can now forward these on to my leader.” (Rouge) 30
  • 30. Solution: Configure DHCP Snooping  DHCP snooping is a Cisco Catalyst feature that determines which switch ports can respond to DHCP requests.  Ports are identified as trusted and untrusted.  Trusted ports: Host a DHCP server or can be an uplink toward the DHCP server and can source all DHCP messages, including DHCP offer and DHCP acknowledgement packets  Untrusted ports: Can source requests only. 31
  • 31. DHCP Snooping S1(config)# ip dhcp snooping S1(config)# ip dhcp snooping vlan 10,20 S1(config)# interface gig 0/1 S1(config-if)# ip dhcp snooping trust S1(config)# interface fa 0/0 S1(config-if)# ip dhcp snooping limit rate 100 Fa0/0 Gig0/1 By default all interfaces are untrusted. Fa0/0 S1 32
  • 32. DHCP Snooping “I need an IP address/mask, default gateway, and DNS server.” “Here you go, I might be first!” (Rouge) “Here you go.” (Legitimate) Switch: This is an untrusted port, I will block this DHCP Offer” “Thanks, got it.” Switch: This is a trusted port, I will allow this DHCP Offer” 33