© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Understanding Switch Security Issues.

Presentation transcript:

Slide 7-1: Minimizing Service Loss and Data Theft: Understanding Switch Security Issues

Slide 7-2: Overview of Switch Security

Slide 7-3: Modularizing Internal Security

Slide 7-4: Reasons for Internal Security
- The enterprise campus is protected by security functions in the enterprise edge:
  - If the enterprise edge security fails, the enterprise campus is vulnerable.
  - A potential attacker can gain physical access to the enterprise campus.
  - Some network solutions require indirect external access to the enterprise campus.
- All vital elements in the enterprise campus must therefore be protected independently.

Slide 7-5: Rogue Devices
- Rogue network devices can be:
  - Switches
  - Wireless access points
  - Hubs
- They are connected to ports on access switches.
- They in turn connect devices such as laptops or printers.

Slide 7-6: Switch Attack Categories
- MAC address-based attacks
  - MAC address flooding
- VLAN attacks
  - VLAN hopping
- Spoofing attacks
  - Spoofing of DHCP, ARP, and MAC addressing
- Attacks on switch devices
  - Cisco Discovery Protocol
  - Management protocols

Slide 7-7: MAC Flooding Attack

Slide 7-8: Port Security Prevents MAC-Based Attacks

PROBLEM:
- Script kiddie hacking tools enable attackers to flood switch CAM tables with bogus MACs.
- This turns the VLAN into a hub and floods all unicast frames.
- The switch CAM table holds only a limited number of MAC addresses.

SOLUTION:
- Port security limits MAC flooding attacks and locks down the port.
- Port security sets an SNMP trap.
- Allowed frames are forwarded.
- New MAC addresses over the limit are not allowed.
- The switch responds to non-allowed frames.

Slide 7-9: Configuring Port Security on a Switch
1. Enable port security.
2. Set the MAC address limit.
3. Specify allowable MAC addresses (optional).
4. Define the violation action (shutdown / protect / restrict).
5. Configure address aging (optional).

switch(config)# interface fa0/1
switch(config-if)# description Access Port
switch(config-if)# switchport mode access
switch(config-if)# switchport access vlan 2
switch(config-if)# switchport port-security
switch(config-if)# switchport port-security maximum 2
switch(config-if)# switchport port-security mac-address
switch(config-if)# switchport port-security mac-address
switch(config-if)# switchport port-security violation restrict
switch(config-if)# switchport port-security aging time 60
switch(config-if)# switchport port-security aging type inactivity

Slide 7-10: Verifying Port Security

switch# show port-security [interface intf-id] [address]

switch# show port-security interface fastethernet0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 60 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Enabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 001b.d513.2ad2:5
Security Violation Count   : 0

Slide 7-11: Verifying Port Security (Cont.)

switch# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
      Fa0/1              2            1                  0         Restrict
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6144

switch# show port-security address
          Secure Mac Address Table
Vlan  Mac Address     Type           Ports  Remaining Age (mins)
   5  001b.d513.2ad2  SecureDynamic  Fa0/1  60 (I)
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6144
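The two show commands above are what an operator would poll to catch a flood in progress or a port that port security has already err-disabled. The following script is an added example, not part of the course material: it parses the summary table and the per-interface output in the layout shown on the slides and reports ports with a non-zero violation counter or a Secure-shutdown status. The sample output embedded in it is constructed (the field names follow the slides, the per-port values are made up).

```python
"""Parse 'show port-security' output and flag ports that need attention.

Added example for this transcript (not Cisco code). The sample outputs are
constructed to mirror the slide layout; port values are invented.
"""
import re

# Constructed sample of 'show port-security' (summary table).
SHOW_PORT_SECURITY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
      Fa0/1              2            1                  0         Restrict
      Fa0/2              1            1                  7         Restrict
      Fa0/3              1            1                  1         Shutdown
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6144
"""

# Constructed sample of 'show port-security interface' for the err-disabled port.
SHOW_PORT_SECURITY_IF_FA0_3 = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0200.1111.2222:2
Security Violation Count   : 1
"""

# One data row of the summary table: port, three counters, configured action.
ROW_RE = re.compile(
    r"^\s*(?P<port>\S+)\s+(?P<max>\d+)\s+(?P<cur>\d+)\s+(?P<viol>\d+)\s+(?P<action>\S+)\s*$"
)
# 'Field : value'; the lazy key plus '\s*:\s' keeps 'Last Source Address:Vlan' intact.
FIELD_RE = re.compile(r"^(?P<k>.+?)\s*:\s(?P<v>.*)$")


def parse_summary(text):
    """Return {port: {'max', 'current', 'violations', 'action'}} from the summary table."""
    ports = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            ports[m["port"]] = {
                "max": int(m["max"]),
                "current": int(m["cur"]),
                "violations": int(m["viol"]),
                "action": m["action"],
            }
    return ports


def parse_interface(text):
    """Return the 'Field : value' pairs of 'show port-security interface'."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m["k"]] = m["v"]
    return fields


def findings(summary, per_interface=None):
    """Conditions worth an alert: a violation counter above zero (a source beyond the
    limit showed up) or a port err-disabled by port security. per_interface maps a
    port name to its parse_interface() result and is optional."""
    per_interface = per_interface or {}
    out = []
    for port, info in sorted(summary.items()):
        if info["violations"] > 0:
            out.append(f"{port}: {info['violations']} violation(s), action {info['action']}")
        detail = per_interface.get(port)
        if detail and detail.get("Port Status", "").lower() == "secure-shutdown":
            out.append(f"{port}: err-disabled by port security, last source "
                       f"{detail.get('Last Source Address:Vlan', '?')}")
    return out


if __name__ == "__main__":
    summary = parse_summary(SHOW_PORT_SECURITY)
    detail = {"Fa0/3": parse_interface(SHOW_PORT_SECURITY_IF_FA0_3)}
    for line in findings(summary, detail):
        print(line)
```

In practice the two text blobs would come from the device (for example over SSH or from a syslog-triggered collection); the parsing and the alert conditions stay the same.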

Slide 7-12: Configuring Sticky MAC Addresses

switch(config)# interface fa0/1
switch(config-if)# switchport port-security mac-address sticky

switch# show port-security address
          Secure Mac Address Table
Vlan  Mac Address     Type          Ports  Remaining Age (mins)
   5  001b.d513.2ad2  SecureSticky  Fa0/1  -

switch# show running-config interface fastethernet 0/1
interface FastEthernet0/1
 switchport access vlan 2
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 001b.d513.2ad2
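Slides 7-8 through 7-12 describe the port-security behaviour in words: a per-port limit on learned addresses, three violation modes, sticky learning that writes the learned address into the running configuration, and inactivity aging. The model below is an added example written for this transcript (not Cisco code) that reproduces that behaviour so the effect of the different modes can be compared on the same input: a burst of frames from many distinct source addresses, which is what a CAM-table flood looks like to the port. The MAC addresses and the message text in the log are constructed; time is modelled in whole minutes.

```python
"""Behavioural model of a port-security port: address limit, protect / restrict /
shutdown violation modes, sticky learning and inactivity aging.

Added example for this transcript (not Cisco code). Addresses are constructed.
"""


class SecurePort:
    def __init__(self, maximum=1, violation="shutdown", sticky=False, aging_time=0):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("violation mode must be protect, restrict or shutdown")
        self.maximum = maximum           # switchport port-security maximum N
        self.violation = violation       # switchport port-security violation MODE
        self.sticky = sticky             # switchport port-security mac-address sticky
        self.aging_time = aging_time     # aging time in minutes, 0 = entries never age
        self.secure = {}                 # secure MAC -> minute it was last seen
        self.sticky_addrs = set()        # addresses written into the running config
        self.violation_count = 0         # 'Security Violation Count' on the switch
        self.log = []                    # restrict/shutdown: stands in for syslog + SNMP trap
        self.status = "Secure-up"        # 'Secure-shutdown' once err-disabled

    def _age_out(self, now):
        """Inactivity aging: forget dynamic entries idle for aging_time minutes.
        Sticky entries are configuration and do not age."""
        if not self.aging_time:
            return
        for mac, seen in list(self.secure.items()):
            if mac not in self.sticky_addrs and now - seen >= self.aging_time:
                del self.secure[mac]

    def ingress(self, src_mac, now=0):
        """Decide a frame with source src_mac arriving at minute now: 'forward' or 'drop'."""
        if self.status != "Secure-up":
            return "drop"                # an err-disabled port passes nothing
        self._age_out(now)
        if src_mac in self.secure:       # known secure address: refresh and forward
            self.secure[src_mac] = now
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure[src_mac] = now   # room left: learn it (sticky: also into config)
            if self.sticky:
                self.sticky_addrs.add(src_mac)
            return "forward"
        # Limit reached and the source is unknown: a security violation.
        if self.violation == "protect":
            return "drop"                # dropped silently, nothing counted or logged
        self.violation_count += 1
        self.log.append(f"port-security violation from {src_mac}")
        if self.violation == "shutdown":
            self.status = "Secure-shutdown"   # port goes err-disabled
        return "drop"

    def running_config(self):
        """Interface lines this state would show in 'show running-config'."""
        lines = ["switchport port-security",
                 f"switchport port-security maximum {self.maximum}",
                 f"switchport port-security violation {self.violation}"]
        if self.aging_time:
            lines += [f"switchport port-security aging time {self.aging_time}",
                      "switchport port-security aging type inactivity"]
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
            lines += [f"switchport port-security mac-address sticky {m}"
                      for m in sorted(self.sticky_addrs)]
        return lines


def many_sources(port, count, now=0):
    """Offer count frames, each from a different constructed source MAC (the pattern a
    CAM-table flood presents to the port). Returns (forwarded, dropped)."""
    results = [port.ingress(f"0200.0000.{i:04x}", now) for i in range(count)]
    return results.count("forward"), results.count("drop")


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        port = SecurePort(maximum=2, violation=mode)
        port.ingress("001b.d513.2ad2")          # the legitimate host from the slides
        fwd, drp = many_sources(port, 100)
        print(f"{mode:8s} forwarded={fwd} dropped={drp} "
              f"violations={port.violation_count} status={port.status}")
```

The run shows the trade-off the slides leave implicit: protect and restrict keep the legitimate host working while the flood is discarded, but only restrict leaves a counter and log entries behind to alert on; shutdown gives the clearest signal (the port goes err-disabled) at the cost of taking the legitimate host down with it.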

Slide 7-13: AAA Network Configuration
- Authentication
  - Verifies a user's identity
- Authorization
  - Specifies the tasks the user is permitted to perform
- Accounting
  - Provides billing, auditing, and monitoring

Slide 7-14: Configuring User AAA Authentication
1. Enable AAA.
2. Configure the RADIUS server.
3. Configure authentication methods.
4. Apply the methods to the lines.

sw(config)# username admin password cisco
sw(config)# aaa new-model
sw(config)# radius-server host auth-port 1812 key xyz123
sw(config)# aaa authentication login default group radius local line
sw(config)# aaa authentication login NO_AUTH none
sw(config)# line vty 0 15
sw(config-line)# login authentication default
sw(config-line)# password sanfran
sw(config-line)# line console 0
sw(config-line)# login authentication NO_AUTH

Slide 7-15: 802.1X Port-Based Authentication
Network access through the switch requires RADIUS authentication.

Slide 7-16: Configuring 802.1X
1. Enable AAA.
2. Configure the RADIUS server.
3. Enable 802.1X globally.
4. Configure the interface for 802.1X.
5. Define local user authentication.

sw(config)# aaa new-model
sw(config)# radius-server host auth-port 1812 key xyz123
sw(config)# aaa authentication dot1x default group radius
sw(config)# dot1x system-auth-control
sw(config)# interface fa0/1
sw(config-if)# description Access Port
sw(config-if)# switchport mode access
sw(config-if)# dot1x port-control auto
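Slides 7-9, 7-14 and 7-16 together give a recipe: AAA enabled, a RADIUS server defined, 802.1X enabled globally, and every access port carrying both port security and dot1x port-control. Verifying that a switch actually follows the recipe is a configuration audit, and the script below is an added example of one (not part of the course, not Cisco code). It parses a running-config text into top-level commands and their indented sub-commands, then reports access ports missing either control, missing global AAA/802.1X commands, and lines that use a login method list consisting only of `none`. The running-config excerpt is constructed from the commands on the slides; the RADIUS address 192.0.2.10 and `<shared-secret>` are placeholders, as the slides do not show the server address.

```python
"""Audit a Cisco IOS running-config for the port-security / AAA / 802.1X recipe.

Added example for this transcript (not Cisco code). RUNNING_CONFIG is a
constructed excerpt; 192.0.2.10 and <shared-secret> are placeholders.
"""

RUNNING_CONFIG = """\
aaa new-model
aaa authentication login default group radius local line
aaa authentication login NO_AUTH none
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 192.0.2.10 auth-port 1812 key <shared-secret>
!
interface FastEthernet0/1
 description Access Port
 switchport mode access
 switchport access vlan 2
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 dot1x port-control auto
!
interface FastEthernet0/2
 description Printer
 switchport mode access
 switchport access vlan 2
!
interface GigabitEthernet0/1
 description Uplink
 switchport mode trunk
!
line con 0
 login authentication NO_AUTH
line vty 0 15
 login authentication default
"""

# Global commands the slides' recipe requires, with the finding text if absent.
GLOBAL_REQUIRED = [
    ("aaa new-model", "AAA not enabled"),
    ("dot1x system-auth-control", "802.1X not enabled globally"),
    ("aaa authentication dot1x default group radius",
     "no 802.1X authentication method list pointing at RADIUS"),
]


def split_config(text):
    """Group a running-config into {top-level command: [indented sub-commands]}.
    Top-level commands without children map to an empty list."""
    sections, current = {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(stripped)
        else:
            current = raw.rstrip()
            sections.setdefault(current, [])
    return sections


def audit(text):
    """Return a list of findings; an empty list means the config follows the recipe."""
    sections = split_config(text)
    out = []
    for cmd, why in GLOBAL_REQUIRED:
        if cmd not in sections:
            out.append(f"global: {why} ({cmd!r} missing)")
    if not any(h.startswith("radius-server host ") for h in sections):
        out.append("global: no RADIUS server configured")
    # Access ports: both port security and 802.1X port control are expected.
    for header, body in sections.items():
        if not header.startswith("interface "):
            continue
        name = header.split(None, 1)[1]
        if "switchport mode access" not in body:
            continue                      # trunks and uplinks are outside this recipe
        if "switchport port-security" not in body:
            out.append(f"{name}: access port without port security")
        if "dot1x port-control auto" not in body:
            out.append(f"{name}: access port without 802.1X port control")
    # Login method lists whose only method is 'none' perform no authentication at all.
    none_lists = {h.split()[3] for h in sections
                  if h.startswith("aaa authentication login ") and h.split()[4:] == ["none"]}
    for header, body in sections.items():
        if header.startswith("line "):
            for sub in body:
                if sub.startswith("login authentication ") and sub.split()[2] in none_lists:
                    out.append(f"{header}: method list {sub.split()[2]} performs no authentication")
    return out


if __name__ == "__main__":
    for finding in audit(RUNNING_CONFIG):
        print(finding)
```

On the constructed excerpt the audit reports FastEthernet0/2 (no port security, no 802.1X) and the console line (its NO_AUTH list is `none`, exactly as slide 7-14 configures it); the same function run over a config with `dot1x system-auth-control` removed adds the corresponding global finding.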

Slide 7-17: Summary
- Layer 2 security measures must be taken as a subset of the overall network security plan.
- Rogue devices can allow access to the network and undermine its security.
- Switch attacks fall into four main categories.
- MAC flooding attacks are launched against Layer 2 access switches and can cause the CAM table to overflow.
- Port security can be configured at Layer 2 to block input from devices.
- Sticky MAC addresses allow port security to limit access to a specific, dynamically learned MAC address.
- AAA can be used for authentication on a multilayer switch.
- 802.1X port-based authentication can mitigate the risk of rogue devices gaining unauthorized access.
