
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Securing Network Services.


1 Minimizing Service Loss and Data Theft: Securing Network Services

2 Discovering Neighbors with Cisco Discovery Protocol
 Cisco Discovery Protocol runs on Cisco IOS devices.
 Summary information includes:
 –Device identifiers
 –Address list
 –Port identifier
 –Capabilities list
 –Platform

3 Neighbor Discovery Protocols
 Cisco Discovery Protocol
 –Cisco-proprietary Layer 2 protocol
 –Has additional capabilities (VLAN or PoE negotiation)
 –Enabled by default
 LLDP
 –Standards-based Layer 2 protocol (IEEE 802.1AB)
 –Disabled by default
 Provides a summary of directly connected switches, routers, and other Cisco devices
 Discovers neighbor devices regardless of which protocol suite they are running

4 Cisco Discovery Protocol Configuration
switch(config)# [no] cdp run
switch(config-if)# [no] cdp enable
switch# show cdp neighbors [detail]

switch# show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
c2960-8          Fas 0/8           168        S I         WS-C2960- Fas 0/8

5 LLDP Configuration
switch(config)# [no] lldp run
switch(config-if)# [no] lldp transmit
switch(config-if)# [no] lldp receive
switch# show lldp neighbors [detail]

switch# show lldp neighbors
Capability codes:
    (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
    (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other

Device ID           Local Intf     Hold-time  Capability      Port ID
c2960-8             Fa0/8          120        B               Fa0/8

Total entries displayed: 1

6 Vulnerabilities of Discovery Protocols
 Both protocols advertise the device identifier, platform, addresses, and capabilities listed on slide 2 in unauthenticated Layer 2 frames on every enabled port, so anyone attached to that segment can read them.

7 Vulnerabilities of the Telnet Protocol
 Telnet sends the entire session, including the login credentials, as cleartext, so anyone able to capture the traffic can read it.

8 About SSH
 SSH replaces the Telnet session with an encrypted connection, so credentials and commands are not exposed on the wire.

9 Configuration of SSH
 Configure a local username and password.
 Configure the domain name (used to name the RSA key pair).
 Generate RSA keys.
 –The SSH server starts automatically once the keys exist.
 –SSH version 2 requires a modulus of at least 768 bits; 2048 is the usual choice.
 Allow only SSH on the vty lines.

switch(config)# username xyz password abc123
switch(config)# ip domain-name xyz.com
switch(config)# crypto key generate rsa
switch(config)# ip ssh version 2
switch(config)# line vty 0 15
switch(config-line)# login local
switch(config-line)# transport input ssh

10 Configuration of vty ACLs
 Create a standard or extended IP ACL that permits only the management hosts or subnet.
 Apply it to the vty lines with access-class (inbound), so it filters sessions to the switch itself rather than transit traffic.

11 Configuration of an HTTP Server
 Configure username and password.
 Configure domain name.
 Generate RSA keys.
 Disable the cleartext HTTP server and enable the HTTPS (SSL) server.
 Configure HTTP authentication.
 Configure a standard access list to limit who can reach the web server.

sw(config)# access-list 10 permit 10.1.9.0 0.0.0.255
sw(config)# username xyz password abc123
sw(config)# ip domain-name xyz.com
sw(config)# crypto key generate rsa
sw(config)# no ip http server
sw(config)# ip http secure-server
sw(config)# ip http access-class 10
sw(config)# ip http authentication local

12 Switch Security Recommendations
Secure switch access
 Configure system passwords.
 Authenticate admin access via a TACACS+ server.
 Store passwords hashed rather than in cleartext.
 Secure physical access to the console.
 Restrict Telnet/vty access with an ACL.
 Use SSH instead of Telnet when possible.
 Use HTTPS (SSL) instead of HTTP when possible.
 Configure system-warning banners.
 Use syslog to log system messages.
 Disable unused services.

13 Switch Security Recommendations (Cont.)
Secure switch protocols
 Trim Cisco Discovery Protocol and LLDP and use them only where needed.
 Secure spanning tree.
Mitigate compromises through a switch
 Take precautions for trunk links.
 Minimize physical port access.
 Establish a standard access-port configuration for both unused and used ports.
 Shut down unused ports.
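Slides 9 through 13 add up to a checklist that can be verified mechanically against a switch's running configuration: SSH-only vty lines with an access-class ACL, the cleartext HTTP server replaced by an authenticated and ACL-restricted HTTPS server, hashed rather than reversible passwords, a warning banner, a syslog host, and CDP trimmed. The script below is an added example and is not part of the Cisco course material; the two configurations it audits are constructed for illustration (hostnames, addresses and ACL numbers are made up, and the banner is written on one line for simplicity), and the audit rules are this script's reading of the slides rather than an official Cisco tool.

```python
"""Audit a Cisco IOS switch config against the hardening checklist on
slides 9-13.  Added example; the configs below are constructed samples."""
import re

# Constructed sample: a switch left at the insecure defaults the slides warn about.
WEAK_CONFIG = """\
hostname sw-weak
username admin password cisco123
ip http server
line vty 0 15
 login local
 transport input telnet ssh
"""

# Constructed sample: the same switch after applying the slide recommendations.
HARDENED_CONFIG = """\
hostname sw-hardened
username admin secret 5 $1$abcd$0123456789abcdefghijklm
banner motd ^C Authorized access only ^C
logging host 10.1.9.50
ip ssh version 2
no cdp run
no ip http server
ip http secure-server
ip http access-class 10
ip http authentication local
access-list 10 permit 10.1.9.0 0.0.0.255
line vty 0 15
 access-class 10 in
 login local
 transport input ssh
"""


def parse_sections(config):
    """Split an IOS-style config into (global_lines, {header: [children]}).
    Column-0 lines are commands; the indented lines after one are its children."""
    global_lines, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            global_lines.append(current)
            sections[current] = []
    return global_lines, sections


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    global_lines, sections = parse_sections(config)
    findings = []

    def present(pattern):
        return any(re.fullmatch(pattern, g) for g in global_lines)

    # Slide 13: CDP is on by default and defaults are not printed in the running
    # config, so only an explicit 'no cdp run' proves it is off.
    if not present(r"no cdp run"):
        findings.append("CDP enabled globally (default); use 'no cdp run' or per-port 'no cdp enable'")
    if present(r"lldp run"):
        findings.append("LLDP enabled globally; use 'no lldp run' where it is not needed")

    # Slide 11: cleartext HTTP off, HTTPS on, authenticated and ACL-restricted.
    if present(r"ip http server"):
        findings.append("cleartext HTTP server enabled; use 'no ip http server'")
    elif not present(r"no ip http server"):
        findings.append("HTTP server state not explicit; the platform default may enable it")
    if present(r"ip http secure-server"):
        if not present(r"ip http authentication \S+"):
            findings.append("HTTPS server has no 'ip http authentication'")
        if not present(r"ip http access-class .+"):
            findings.append("HTTPS server not restricted by 'ip http access-class'")

    # Slide 12: hashed credentials, warning banner, syslog.
    for g in global_lines:
        if re.match(r"username \S+ password ", g):
            findings.append(f"user '{g.split()[1]}' uses reversible 'password'; use 'username ... secret'")
    if not present(r"banner (motd|login) .*"):
        findings.append("no motd/login warning banner")
    if not present(r"logging host \S+"):
        findings.append("no syslog host configured")

    # Slides 9-10: every vty block must be SSH-only, authenticated and ACL-restricted.
    vty_blocks = {h: c for h, c in sections.items() if h.startswith("line vty")}
    if not vty_blocks:
        findings.append("no 'line vty' configuration found")
    for header, children in vty_blocks.items():
        transport = [c for c in children if c.startswith("transport input")]
        if not transport:
            findings.append(f"{header}: no 'transport input' (default admits Telnet)")
        elif any("telnet" in t or t.endswith(" all") for t in transport):
            findings.append(f"{header}: Telnet admitted ('{transport[0]}'); use 'transport input ssh'")
        if not any(c.startswith("access-class") for c in children):
            findings.append(f"{header}: no 'access-class' ACL limiting source addresses")
        if not any(c == "login local" or c.startswith("login authentication") for c in children):
            findings.append(f"{header}: no 'login local' or 'login authentication'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}] {len(audit(cfg))} finding(s)")
        for finding in audit(cfg):
            print("  -", finding)
```

Run it against the output of `show running-config` saved to a file to get the same report for a real switch. The CDP check is deliberately conservative: because IOS omits default settings from the running configuration, the absence of `no cdp run` is reported as a finding rather than assumed safe, and the HTTP check likewise flags a configuration that says nothing either way about `ip http server`.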

14 Summary
 Cisco Discovery Protocol and LLDP packets expose device and topology information to anyone on the segment.
 Authentication information and data carried in Telnet sessions travel in cleartext and can be captured.
 SSH provides a more secure alternative to Telnet.
 vty ACLs should be used to limit which hosts may open remote (Telnet or SSH) sessions to switch devices.
 The web service should be secured by using HTTPS and limiting who may access the web server and from where.
 Sound security measures and trimming of unused services are recommended.


