
In depth understanding network security


  1. In-depth Understanding Network Security (Hardening Cisco Router/Switch)
  2. CIS Level 1 & 2 Benchmarks and Audit Tool for Cisco IOS Routers and PIX firewalls
  3. IOS/PIX Benchmarks and RAT for Windows
     Features of the 2.2 version of the Router Audit Tool (RAT):
     – Ability to score Cisco Router IOS.
     – Ability to score Cisco PIX firewalls.
     – Includes benchmark documents (PDF) for both Cisco IOS and Cisco ASA, FWSM, and PIX security settings.
  4. RAT for Windows
  5. RAT for Windows
     To run any RAT programs, you'll need to know the drive and pathname where RAT was installed. You can put this directory onto your PATH:
       C:\> set PATH=D:\CIS\RAT\bin;%PATH%
  6. RAT for Windows
     To run the rat program and see a list of its options, you could type the following:
       C:\> rat --help
  7. RAT for Windows
     Before you use RAT, you should use the ncat_config program to create a rule file specific to your routers. Here is how to run ncat_config:
       D:\> ncat_config
       ... lots of questions appear here ...
     After all questions we get a template named "D:\CIS\RAT/etc/configs/cisco-ios/local.conf".
  8. RAT for Windows
     1. Copy the template to the test directory.
     2. Copy configuration files from your router.
     3. Run rat to audit your configuration file:
       D:\> cd Test
       D:\Test> rat -r local.conf cisco-router-confg
  9. RAT for Windows
  10. RAT for Windows
  11. RAT for Windows
  12. RAT for Windows
  13. RAT for Windows
  14. Hardening Cisco Router Based on NSA Router Security Configuration Guide
  15. Router Security Configuration Guide of NSA's SNAC (Based on version 1.1c)
  16. Physical Security
     Network equipment, especially routers and switches, should be located in a limited access area. This area should be under some sort of supervision 24 hours a day and 7 days a week. A room where routers are located should be free of electrostatic and magnetic interference. The area should also be controlled for temperature and humidity. If at all possible, all routers should be placed on an Uninterruptible Power Supply (UPS), because a short power outage can leave some network equipment in undetermined states.
  17. Router Network Traffic and the Loopback Interface
     Cisco IOS routers have the ability to define internal virtual interfaces, called loopback interfaces. It is considered best practice, in configuring Cisco routers, to define one loopback interface, and designate it as the source interface for most traffic generated by the router itself.
  18. Banner Rules
  19. Banner Rules
       Router1#configure terminal
       Router1(config)#banner motd ^C
       *************************************************************
       !! ONLY AUTHORIZED USERS ARE ALLOWED TO LOGON UNDER PENALTY OF LAW !!
       This is a private computer network and may be used only by direct permission of its owner(s). The owner(s) reserves the right to monitor use of this network to ensure network security and to respond to specific allegations of misuse. Use of this network shall constitute consent to monitoring for these and any other purposes. In addition, the owner(s) reserves the right to consent to a valid law enforcement request to search the network for evidence of a crime stored within this network.
       *************************************************************
       ^C
  20. Stopping SYN Flooding Attacks
  21. Normal TCP 3-Way Handshake
  22. TCP SYN flooding attack
     Attack Demonstration: Enough illegitimate TCBs are in SYN-RECEIVED that a legitimate connection cannot be initiated.
  23. Countermeasures: TCP SYN flooding attack
     You can configure a router to protect your servers against TCP SYN attacks by enabling the ip tcp intercept command:
       Router1#configure terminal
       Router1(config)#access-list 109 permit ip any host 192.168.99.2
       Router1(config)#ip tcp intercept list 109
       Router1(config)#ip tcp intercept max-incomplete high 10
       Router1(config)#ip tcp intercept one-minute high 15
       Router1(config)#ip tcp intercept max-incomplete low 5
       Router1(config)#ip tcp intercept one-minute low 10
       Router1(config)#end
       Router1#
  24. TCP Intercept feature
     When you enable the TCP Intercept feature, the router doesn't forward the initial SYN packet to the server. Instead, it responds directly to the client with a SYN-ACK packet, as if it were the server. If the client is legitimate and begins the TCP session, then the router quickly opens a session to the server, knits the two ends of the connection together, and steps into its more usual role of simply forwarding packets.
  25. TCP Intercept feature
       Router1(config)#access-list 109 permit ip any host 192.168.99.2
       Router1(config)#ip tcp intercept list 109
  26. TCP Intercept feature
     By default, the router allows 1,100 half-open sessions before going into aggressive mode. Configure this value using the ip tcp intercept max-incomplete high command.
       Router1(config)#ip tcp intercept max-incomplete high 10
     When we deliberately initiate a series of half-open sessions, we see this log message:
       Nov 15 13:56:38.944: %TCP-6-INTERCEPT: getting aggressive, count (10/10) 1 min 0
     A short time later, the attack ended, and the router went back into its normal mode:
       Nov 15 13:58:14.367: %TCP-6-INTERCEPT: calming down, count (0/5) 1 min 11
  27. TCP Intercept feature
     You can also set thresholds on the number of TCP sessions initiated per minute:
       Router1(config)#ip tcp intercept one-minute high 15
     The conditions for returning to normal mode are defined by these two commands:
       Router1(config)#ip tcp intercept max-incomplete low 5
       Router1(config)#ip tcp intercept one-minute low 10
     The first command sets the low-water mark for the total number of half-open sessions, while the second command sets the low-water mark for the number of session-initiation attempts per minute.
  28. TCP Intercept feature
     By default, the router will allow a TCP session to be inactive for 24 hours (86,400 seconds). However, you can change this using the ip tcp intercept connection-timeout command, which accepts an argument in seconds. Here we set a maximum value of one hour:
       Router1(config)#ip tcp intercept connection-timeout 3600
     By default the aggressive mode of the TCP Intercept feature will drop the oldest half-open connection each time it receives a new connection attempt. However, you can instead configure it to drop a randomly selected connection out of the table:
       Router1(config)#ip tcp intercept drop-mode random
  29. TCP Intercept feature
     You can configure how long the router will watch a session, waiting for it to complete the TCP session initiation. By default, it waits 30 seconds, but you can change this value with the following command, which specifies this timeout value in seconds:
       Router1(config)#ip tcp intercept watch-timeout 15
  30. TCP Intercept feature
     And one final option allows you to set whether the router actively intercepts and responds to TCP SYN packets, or instead allows these packets to pass through normally, but watches the session to ensure that it connects properly. By default the router will completely protect the server by taking over all responsibility for setting up the session. You can configure it to let the server handle the call, and only step in if there is a problem, by configuring watch mode:
       Router1(config)#ip tcp intercept mode watch
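To make the high/low water-mark behaviour described on slides 23 to 30 concrete, here is an added Python model. It is not Cisco code and not part of the original slides: it replays a constructed burst of half-open connections against the thresholds configured above (max-incomplete high 10 / low 5, one-minute high 15 / low 10, watch-timeout 15) and emits the same kind of "getting aggressive" and "calming down" messages the router logs. The flow keys and timings are constructed, and the model assumes that aggressive mode is entered when either count reaches its high-water mark and left only when both counts are below their low-water marks.

```python
import random
from dataclasses import dataclass, field


@dataclass
class InterceptConfig:
    """Thresholds set by the ip tcp intercept commands on the slides."""
    max_incomplete_high: int = 1100   # IOS default quoted on slide 26
    max_incomplete_low: int = 900     # IOS default (not quoted on the slides)
    one_minute_high: int = 1100
    one_minute_low: int = 900
    watch_timeout: float = 30.0       # IOS default quoted on slide 29
    drop_mode: str = "oldest"         # "oldest" (default) or "random", slide 28


@dataclass
class InterceptState:
    half_open: dict = field(default_factory=dict)  # flow key -> time its SYN arrived
    syn_times: list = field(default_factory=list)  # SYN arrival times in the last 60 s
    aggressive: bool = False
    dropped: list = field(default_factory=list)    # flows evicted in aggressive mode
    log: list = field(default_factory=list)        # router-style log messages


def _expire(cfg, st, now):
    """Forget embryonic sessions older than watch-timeout; age the one-minute window."""
    for key, seen in list(st.half_open.items()):
        if now - seen > cfg.watch_timeout:
            del st.half_open[key]
    st.syn_times = [t for t in st.syn_times if now - t < 60.0]


def _evaluate(cfg, st, now):
    """Hysteresis: enter aggressive mode at a high-water mark, leave below both low marks."""
    count, rate = len(st.half_open), len(st.syn_times)
    if not st.aggressive and (count >= cfg.max_incomplete_high or rate >= cfg.one_minute_high):
        st.aggressive = True
        st.log.append(f"t={now:.3f}: %TCP-6-INTERCEPT: getting aggressive, "
                      f"count ({count}/{cfg.max_incomplete_high}) 1 min {rate}")
    elif st.aggressive and count < cfg.max_incomplete_low and rate < cfg.one_minute_low:
        st.aggressive = False
        st.log.append(f"t={now:.3f}: %TCP-6-INTERCEPT: calming down, "
                      f"count ({count}/{cfg.max_incomplete_low}) 1 min {rate}")


def on_syn(cfg, st, now, key):
    """A SYN for the protected server arrives; the router answers it on the server's behalf."""
    _expire(cfg, st, now)
    if st.aggressive and st.half_open:
        # Aggressive mode: every new attempt evicts one existing half-open entry (slide 28).
        if cfg.drop_mode == "oldest":
            victim = min(st.half_open, key=st.half_open.get)
        else:
            victim = random.choice(list(st.half_open))
        del st.half_open[victim]
        st.dropped.append(victim)
    st.half_open[key] = now
    st.syn_times.append(now)
    _evaluate(cfg, st, now)


def on_handshake_complete(cfg, st, now, key):
    """The client's ACK arrived: the router opens the server side and stops tracking."""
    _expire(cfg, st, now)
    st.half_open.pop(key, None)
    _evaluate(cfg, st, now)


def on_tick(cfg, st, now):
    """Periodic timer: lets watch-timeout and the one-minute window run down."""
    _expire(cfg, st, now)
    _evaluate(cfg, st, now)


def run_demo():
    """Replay a constructed burst against the thresholds configured on slides 23 to 30."""
    cfg = InterceptConfig(max_incomplete_high=10, max_incomplete_low=5,
                          one_minute_high=15, one_minute_low=10, watch_timeout=15)
    st = InterceptState()
    for i in range(10):  # ten SYNs from constructed sources, one per second, never completed
        on_syn(cfg, st, float(i), f"10.0.0.{i}:4000{i}->192.168.99.2:80")
    on_syn(cfg, st, 10.0, "10.0.0.99:41000->192.168.99.2:80")  # arrives in aggressive mode
    on_handshake_complete(cfg, st, 11.0, "10.0.0.99:41000->192.168.99.2:80")  # legitimate client
    on_tick(cfg, st, 80.0)  # burst over: watch-timeout and the one-minute window expire
    return cfg, st


if __name__ == "__main__":
    _, state = run_demo()
    print("\n".join(state.log))
    print("evicted in aggressive mode:", state.dropped)
```

Running it shows the tenth half-open session tripping "getting aggressive, count (10/10)", the eleventh SYN evicting the oldest entry rather than growing the table, and "calming down" only once both the half-open count and the one-minute rate have fallen below their low-water marks. In a real deployment the same two messages are what a syslog collector should alert on, since they bracket the period in which the protected server was under SYN pressure.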
  31. Other IP stack Tune-ups
  32. Nagle congestion control algorithm
     The Nagle algorithm prevents excessive bandwidth utilization by applications that send many small packets. It allows slight delays before sending individual small packets in order to combine them into a single larger packet.
       Router1#configure terminal
       Router1(config)#service nagle
  33. Limit embryonic TCP connections
     To help limit the vulnerability to TCP SYN-flood attacks, use the global configuration ip tcp synwait-time command to limit the seconds that the router spends waiting for the ACK before giving up on a half-open connection.
       Router1#configure terminal
       Router1(config)#ip tcp synwait-time 10
  34. TCP selective acknowledgment
     The TCP selective acknowledgment mechanism helps overcome these limitations. The receiving TCP returns selective acknowledgment packets to the sender, informing the sender about data that has been received. The sender can then retransmit only the missing data segments.
       Router1#configure terminal
       Router1(config)#ip tcp selective-ack
  35. Access
     Before deciding how to control router access, ask these questions:
     • Who needs access?
     • When do they need access?
     • From where do they need access?
     • During what time schedule do they need access?
  36. Basic Authentication
     Basic authentication stores passwords as clear text.
     Use service password-encryption:
     – Encrypts passwords using a Vigenere cipher.
     – Can be cracked relatively easily.
     – Does not encrypt SNMP community strings.
     – No enable password.
     Use enable secret <password>:
     – Encrypts passwords using an MD5 hash.
  37. "Enable" Passwords
  38. Demo: Crack Password
  39. Line Authentication (VTY, CON, AUX)
     Use an access list to control VTY access:
       access-list 1 permit host 10.1.1.2
       line vty 0 4
        password 7 12552D23830F94
        exec-timeout 5 0
        access-class 1 in
        login
        transport input telnet ssh
     Control CON access:
       line con 0
        password 7 12552D23830F94
        exec-timeout 5 0
        login
     Control AUX access:
       line aux 0
        no exec
        exec-timeout 0 0
        no login
        transport input none
        transport output none
  40. AAA
     Secure user logins with AAA on all ports, virtual and physical:
     – Local AAA (username)
     – RADIUS (Steel Belted Radius)
     – TACACS+ (Cisco Secure ACS)
     Use privilege levels to control granular access to commands.
  41. AAA Example for TACACS/RADIUS
     Secure user logins with AAA on all ports, virtual and physical:
       aaa new-model
       aaa authentication login default group tacacs+|radius local
       aaa authorization exec default group tacacs+|radius local
       username backup privilege 7 password 0 backup
       tacacs-server host 171.68.118.101
       tacacs-server key cisco
       radius-server host 171.68.118.101
       radius-server key cisco
       privilege configure level 7 snmp-server host
       privilege configure level 7 snmp-server enable
       privilege configure level 7 snmp-server
       privilege exec level 7 ping
       privilege exec level 7 configure terminal
       privilege exec level 7 configure
  42. Demo: Crack RADIUS KEY
  43. What you can do with the Cisco IOS service command: TCP keepalives
     The TCP keepalive capability allows a router to detect when the host with which it is communicating experiences a system failure, even if data stops being transmitted (in either direction). This is most useful on incoming connections. For example, if a host failure occurs while talking to a printer, the router might never notice, because the printer does not generate any traffic in the opposite direction. If keepalives are enabled, they are sent once every minute on otherwise idle connections. If five minutes pass and no keepalives are detected, the connection is closed.
       service tcp-keepalives-in
       service tcp-keepalives-out
  44. What you can do with the Cisco IOS service command: service timestamps
     You can use the service timestamps command to create timestamps on the router's log files. Since version 11.3, Cisco IOS has enabled certain timestamps by default, so most of us have this on. However, there are additional timestamp options that you can enable, as well as places where timestamps are probably off by default.
       service timestamps message-type [uptime]
       service timestamps message-type datetime [msec] [localtime] [show-timezone]
  45. Disable Login Through AUX Port
     Verify that the EXEC process is disabled on the auxiliary (aux) port. Unused ports should be disabled, if not required, since they provide a potential access path for attackers. The auxiliary port is primarily used for dial-up administration via an external modem, which is rarely used.
  46. VTYs and Remote Administration
  47. Forbid CDP (Cisco Discovery Protocol) Run Globally
     The Cisco Discovery Protocol is a proprietary protocol that Cisco devices use to identify each other on a LAN segment. It is useful only in specialized situations, and is considered a security risk. There have been published denial-of-service (DoS) attacks that use CDP. CDP should be completely disabled unless there is a need for it.
  48. Forbid tcp-small-servers, udp-small-servers
     TCP small services: echo, chargen and daytime (including UDP versions) are rarely used. Services that are not needed should be turned off because they present potential avenues of attack and may provide information that could be useful for gaining unauthorized access.
  49. Forbid Finger Service
     Finger is used to find out which users are logged into a device. This service is rarely used in practical environments and can potentially provide an attacker with useful information. Additionally, the finger service can expose the device to the "Finger of Death" denial-of-service (DoS) attack.
  50. Forbid IP HTTP Server
     The HTTP server allows remote management of routers. Unfortunately, it uses simple HTTP authentication, which sends passwords in the clear. This could allow unauthorized access to, and [mis]management of, the router.
  51. HTTP Server with Access Control (Not Recommended)
  52. Disable BOOTP Server
     The async line BOOTP service should be disabled on your system if you do not have a need for it in your network.
  53. Forbid Remote Startup Configuration
     Service config allows the device to autoload its startup configuration from a remote device (e.g. a TFTP server). The protocols used to transfer configuration files are insecure, so an attacker could potentially compromise or spoof the remote configuration service, enabling malicious reconfiguration of the device.
  54. PAD Service (The packet assembler/disassembler service supports X.25 links)
     To not accept incoming/outgoing X.25 Packet Assembler/Disassembler (PAD) connections, this global configuration command should be used. It is important to make sure this is disabled by default.
  55. Forbid IP source-route
     Source routing is a feature of IP whereby individual packets can specify routes. This feature is used in several kinds of attacks. Cisco routers normally accept and process source routes. Unless a network depends on source routing, it should be disabled.
  56. Forbid IP Proxy ARP
     Proxy ARP breaks the LAN security perimeter, effectively extending a LAN at layer 2 across multiple segments. Disable proxy ARP on all interfaces.
  57. Forbid IP Unreachables, Redirects, Mask Replies
     • Disable translation of directed to physical broadcasts on the same interface. This configuration prevents "smurf" attacks.
     • Don't allow redirect messages to pass through the router. ICMP redirects should be disabled.
     • Make it more difficult for someone to scan for valid IP addresses by turning off ip unreachables on all interfaces.
     • Prevent the Cisco IOS software from responding to Internet Control Message Protocol (ICMP) mask requests by sending ICMP mask reply messages.
  58. Forbid MOP
     The Maintenance Operations Protocol (MOP) was used for system utility services in the DECnet protocol suite.
  59. Forbid NTP Service
  60. Forbid SNMP Services
  61. Disable Router Name and DNS Name Resolution
  62. Configure DNS Server
  63. Set a default DNS domain name (needed for SSH)
  64. Disable Unused Interfaces
  65. Filtering Traffic to the Router Itself
  66. Remote Login (Telnet) Service
  67. SNMP Service (Recommend only SNMPv3 AuthNoPriv & AuthPriv)
  68. Routing Service
  69. Filtering Traffic through the Router
  70. IP Address Spoof Protection (Inbound Traffic)
  71. IP Address Spoof Protection (Outbound Traffic)
  72. Exploits Protection
  73. TCP SYN Attack
  74. Limiting External Access with TCP Intercept (If your IOS supports it.)
  75. Land Attack
  76. Land Attack
  77. Smurf Attack
  78. ICMP Message Types and Traceroute
  79. Distributed Denial of Service (DDoS) Attacks
  80. Routing Protocol Security
  81. OSPF MD5 Authentication
  82. RIP MD5 Authentication
  83. EIGRP MD5 Authentication
  84. EIGRP MD5 Authentication
  85. Disabling unneeded routing-related services
  86. Passive Interfaces (OSPF)
  87. Using filters to block routing updates
  88. First Define Access Control List
  89. Filter Distributed List (OSPF)
  90. Filter Distributed List (RIP)
  91. Do not enable OSPF on certain interfaces
  92. Passive Interfaces (RIP)
  93. Audit and Management
  94. Overview and Motivations for Logging
     • Recording router configuration changes and reboots
     • Recording receipt of traffic that violates access lists
     • Recording changes in interface and network status
     • Recording router cryptographic security violations
  95. Logging Types
     • Console logging
     • Terminal line logging
     • Buffered logging
     • Syslog logging
     • SNMP trap logging
  96. Cisco Log Message Severity Levels
  97. Format of a Cisco IOS Log Message
  98. Turning on logging services
  99. Setting up Console and Buffered Logging
  100. Buffered logging
  101. Setting up Terminal Line Logging
  102. Setting up Syslog Logging
  103. A Small Syslog Configuration: server host
  104. Centralized Syslog Configuration
  105. Syslog and access list
  106. SNMP Trap Logging
  107. Time Services, Network Time Synchronization and NTP
  108. Setting the Time Manually
  109. The NTP Hierarchy
  110. Configuring Basic NTP Service
  111. NTP and access-list
  112. Configuring NTP Authentication
  113. SNMP Security
  114. SNMPv3 Security
  115. Configuring SNMP - Getting Started
  116. SNMPv3 with limited view
  117. Cisco IOS Software Updates
  118. Show version
  119. Update Procedure
     • TFTP
     • See Cisco web sites concerning the particular model of router or switch
  120. Router Status and Configuration Commands
  121. show logging
  122. show ip protocol summary
  123. show arp
  124. show users
  125. show host
  126. show ip interface brief
  127. show ip socket
  128. Viewing the current configuration: show startup-config, show running-config
  129. Viewing currently running processes: show process
  130. Router Throughput and Traffic Commands
  131. Clear counter
  132. Viewing IP Protocol Statistics: show ip traffic
  133. Viewing SNMP Protocol Statistics
  134. Configure debugging and turn on debugging messages for ICMP
  135. Security for Router Network Access Services
  136. AAA: Authentication, Authorization, Accounting
  137. Types of accounting
     There are several types of accounting which can be enabled and configured separately: exec, network, connection, command, system. All types are supported by TACACS+, but RADIUS does not support command or system.
  138. Types of accounting
     • Network accounting – Provides information for PPP, SLIP, and ARAP protocols. The information includes the number of packets and bytes.
     • EXEC accounting – Provides information about user EXEC sessions on the router. The information includes the username, date, start and stop times, IP address of the access server, and the telephone number the call originated from for dial-in users.
     • Connection accounting – Provides information about all outbound connections made from the network access server. This includes telnet, rlogin, etc.
  139. Types of accounting
     • Command accounting – This applies to commands which are entered in an EXEC shell. This option will apply accounting to all commands issued at the specified privilege level. If accounting is turned on for level 15 and a user logged in at enable level 15 runs a level 1 exec command, no accounting event will be generated. Accounting records are generated based upon the level of the command, not the level of the user. Accounting records will include the command, date, time, and the user. Cisco IOS does not support command accounting with RADIUS.
     • System – Provides information about system-level events. This would include information like system
  140. AAA accounting requirement
     AAA accounting requires that
     – AAA is enabled,
     – security servers are defined, and
     – a security server is specified for each accounting type which is desired.
  141. Method Lists and Server Groups
  142. Authentication
  143. The authentication commands used for defining messages
  144. The default method list designates RADIUS
  145. RADIUS security server
  146. Authorization
  147. Authorization
     There are two primary scenarios where authorization is useful. First, if the router is used for dial-in access, authorization is useful for controlling who can access network services, etc. and who can access and configure the router. Second, authorization can control different administrators who have access to different privilege levels on the router.
  148. Accounting
  149. Configuration of TACACS+ accounting
  150. Configuration of RADIUS accounting
  151. Security Server Protocols
  152. RADIUS
  153. TACACS+
  154. Hardening Cisco Switch (Based on NSA Cisco IOS Switch Security Configuration Guide)
  155. Port Security
  156. Restricting a port statically on a Catalyst 3550 switch
  157. A strict security "unused" macro
  158. A strict security "host" macro
  159. Configure access ports of the switch
  160. Virtual Local Area Networks (VLAN)
  161. Create the out-of-band management VLAN
  162. Create a management IP address
  163. Assign the management VLAN to the dedicated interface
  164. Ensure all trunk ports will not carry the management VLAN
  165. Assign the following name for VLAN1
  166. Assign all inactive interfaces to an unused VLAN (not VLAN1)
  167. Virtual Trunking Protocol (VTP)
  168. If VTP could be disabled
  169. If VTP is necessary
  170. Trunk Auto-Negotiation
  171. Dynamic Trunking Protocol (DTP)
     A port may use the Dynamic Trunking Protocol (DTP) to automatically negotiate which trunking protocol it will use, and how the trunking protocol will operate.
  172. DTP-related security issues
  173. DTP-related security issues
  174. VLAN Hopping
  175. VLAN Hopping
     In certain situations it is possible to craft a packet in such a way that a port in trunking mode will interpret a native VLAN packet as though it were from another VLAN, allowing the packet to become a member of a different VLAN. This technique is known as VLAN hopping.
  176. Spanning Tree Protocol
  177. STP Portfast Bridge Protocol Data Unit (BPDU) Guard
  178. STP Root Guard
  179. Configuration basics (1)
     Turn off all the unneeded services; use syslog; use (authenticated) NTP.
       no ip bootp server
       no tcp-small-servers
       no udp-small-servers
       service time log datetime localtime show-timezone msec
       service time debug datetime localtime show-timezone msec
       logging x.x.x.x
       logging trap debugging
       logging source loopback0
       logging buffered 64000 debugging
       ntp authentication-key 10 md5 <key>
       ntp authenticate
       ntp trusted-key 10
       ntp server x.x.x.x [key 10]
       ntp access-group peer 20
       access-list 20 permit host x.x.x.x
       access-list 20 deny any
       no service
       no service
       no ip http server
       no ip source-route
       no cdp run
       no boot network
       no service config
       no ip subnet-zero
       no ip identd
       no ip finger
       service nagle
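The checklist on slide 179 is exactly the kind of material a tool like RAT (slides 2 to 13) turns into scored rules. As an added illustration, not code from the slides, from RAT or from the NSA guide, here is a small Python auditor that parses a "show running-config" dump and reports which of the hardening lines from slides 36 to 57 and 179 are absent, per global scope, per interface and per terminal line. The sample configuration and the rule tables are constructed for this example. One caveat a practitioner would want: IOS does not print settings that sit at their default, so a rule that demands an explicit "no ..." line also flags devices whose default already matches, which is why RAT's ncat_config tailors the rule file to your routers before scoring.

```python
import re

# Constructed rule tables in the spirit of RAT's benchmark rules (slides 2 to 8):
# the exact config line that must be present, and the slide that motivates it.
GLOBAL_RULES = [
    ("no ip source-route", "source-routed packets are processed (slide 55)"),
    ("no cdp run", "CDP runs globally (slide 47)"),
    ("no ip http server", "HTTP management sends passwords in the clear (slide 50)"),
    ("no ip bootp server", "BOOTP server enabled (slide 52)"),
    ("no service config", "startup config may be fetched from a remote host (slide 53)"),
    ("no service pad", "X.25 PAD service not disabled (slide 54)"),
    ("no ip finger", "finger service not disabled (slide 49)"),
    ("service password-encryption", "line passwords stored in clear text (slide 36)"),
    ("service tcp-keepalives-in", "dead inbound sessions are never reaped (slide 43)"),
    ("ntp authenticate", "NTP is not authenticated (slide 179)"),
]
INTERFACE_RULES = [  # every active, non-loopback interface (slides 47, 56 and 57)
    ("no ip proxy-arp", "proxy ARP extends the LAN across segments"),
    ("no ip redirects", "ICMP redirects are sent"),
    ("no ip unreachables", "ICMP unreachables help scans map live addresses"),
    ("no ip mask-reply", "ICMP mask requests are answered"),
    ("no cdp enable", "CDP is enabled on the interface"),
]
SYSLOG_HOST = re.compile(r"^logging (host )?\d{1,3}(\.\d{1,3}){3}$")

# Constructed 'show running-config' excerpt, not taken from a real device.
SAMPLE_CONFIG = """\
service timestamps log datetime msec localtime show-timezone
service password-encryption
hostname Router1
!
no ip source-route
no ip bootp server
ip http server
no cdp run
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.99.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
interface FastEthernet0/1
 shutdown
!
logging 192.0.2.10
!
line aux 0
 no exec
 transport input none
line vty 0 4
 exec-timeout 5 0
 login
 transport input telnet ssh
!
end
"""


def parse_config(text):
    """Map each top-level config line to the list of its indented child lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None                    # blank lines and '!' end a section
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def audit(text):
    """Return (scope, missing_line, reason) for each hardening item the config lacks."""
    sections = parse_config(text)
    findings = [("global", req, why) for req, why in GLOBAL_RULES if req not in sections]
    if not any(SYSLOG_HOST.match(line) for line in sections):
        findings.append(("global", "logging <syslog-host>", "no syslog host (slide 179)"))
    if not any(line.startswith("service timestamps log datetime") for line in sections):
        findings.append(("global", "service timestamps log datetime", "no wall-clock log stamps (slide 44)"))
    for name, body in sections.items():
        if name.startswith("interface ") and not name.startswith("interface Loopback"):
            if "shutdown" in body:
                continue                      # slide 64: unused interfaces are shut down
            findings += [(name, req, why) for req, why in INTERFACE_RULES if req not in body]
        elif name.startswith("line aux") and "no exec" not in body:
            findings.append((name, "no exec", "EXEC reachable via the AUX port (slide 45)"))
        elif name.startswith("line vty") and not any(l.startswith("access-class ") for l in body):
            findings.append((name, "access-class <acl> in", "VTY access not restricted by ACL (slide 39)"))
    return findings


if __name__ == "__main__":
    for scope, missing, reason in audit(SAMPLE_CONFIG):
        print(f"{scope}: missing '{missing}': {reason}")
```

On the constructed sample the auditor reports ten gaps: six global lines (the HTTP server is on, and service config, PAD, finger, inbound keepalives and NTP authentication are unaddressed), three interface-level lines on FastEthernet0/0, and the VTY lines lacking an access-class. The shut-down interface, the loopback, and the AUX line with "no exec" produce nothing, which mirrors how the slides treat them.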
