Contents: Console protection, VTY protection, Enable/secret password, Encrypt all passwords, Minimum length, Telnet, SSH, ACL for telnet/SSH/HTTP, Port security, CDP, Banner, Logging, SNMP, Time stamps, MAC-based blocking, STP protection, Storm control, Password recovery, DHCP snooping, IPSG, DAI, VACL, MACL, Best practices, VLAN hopping, SPAN/RSPAN, PVLAN, Port block, Protected port, EtherChannel guard, DoS and DDoS protection
1. Console protection
   1. By password:
         line console 0
          password <password>
          login
   2. By exec-timeout:
         exec-timeout <0-35791 min> <0-2147483 sec>
   3. By baud rate
4. Minimum length for all passwords:
      security passwords min-length <0-16 length>
   A shorter password is then refused:
      % Password too short - must be at least 5 characters. Password configuration failed
5. Encrypt all passwords at once:
      service password-encryption        // uses Cisco's own algorithm - weak
6. Telnet                                // plain text - port no 23
   Step 1: Configure an IP address for the VLAN
      interface vlan <VLAN-ID>
       ip address x.x.x.x x.x.x.x
       no shut
   Step 2: Enable VTY users
      line vty 0 4
       password <password>
       login   OR   login local
   Step 3: Enable password
      enable password <password>         // global mode
An attacker can use the victim's IP address to get a copy of all the data from their PC.
7. SSH
   1. Enable a crypto key with 1024 bits
   2. Disable vty 0 15
   3. Decide the range of VTY lines
   4. Enable SSH only for that range

      username admin password admin
      switch(config)#crypto key generate rsa      <----- RSA: Rivest, Shamir, Adleman
      % Please define a hostname other than switch
      switch(config)#hostname SW1
      SW1(config)#ip domain-name cisco.com
      SW1(config)#crypto key generate rsa : 1024
      The name for the keys will be: SW1.cisco.com
      SW1(config)#interface vlan 1
      SW1(config-if)#ip address x.x.x.x x.x.x.x
      SW1(config-if)#no shut
      SW1(config)#line vty 0 15
      SW1(config-line)#transport input none
      SW1(config-line)#line vty 0 15
      SW1(config-line)#transport input ssh
      SW1(config-line)#login local
      SW1(config)#ip ssh authentication-retries <0-5>      // optional
      SW1(config)#ip ssh time-out <0-120 sec>              // optional
   Verification (in SecureCRT, type the following):
      show user
      show ssh

8. Protect telnet/SSH with an ACL
      access-list <1-99> permit <ip.add> <wildcard.mask>
      line vty <0-15>
       access-class <1-99> in
   Verification:
      show ip access-list
      sh run | be line
   HTTP:
      ip http server
10. PORT-SECURITY
   Used to protect a port from unauthorized access
   Not enabled by default
   Default violation mode is SHUTDOWN
   Applied only on ACCESS ports
   Default maximum is 1; up to 1024 MACs are allowed on a port [depends on the model; in 3550 switches the total MAC capacity is 5120]
   Sticky MACs have no aging; aging can be set so that an entry expires if a system is silent for some time
   If a maximum is given but not all MACs are specified, the remaining MACs will be learned dynamically

   Error messages seen when port-security is attempted on a non-access port:
      SW1(config-if)#switchport port-security
      Command rejected: Fa0/10 is not an access or trunk or tunnel port.
      SW1(config-if)#no switchport
      SW1(config-if)#switchport port-security
                                ^
      % Invalid input detected at '^' marker.
   OR
      SW1(config-if)#no switchport
      SW1(config-if)#switchport port-security
      Command rejected: Fa0/7 not a switching port.
      SW1(config-if)#channel-protocol lacp
      SW1(config-if)#switchport por?
      % Unrecognized command

   VIOLATION METHODS (example MACs: 0023.32b9.ad97 - trusted, 0023.32b9.ad96 - untrusted):
   PROTECT
      Drops frames from an unauthorized user
      Forwards frames from an authorized user
      No trap message for the admin
   RESTRICT
      Drops frames from an unauthorized user
      Forwards frames from an authorized user
      Trap message for the admin via console and SNMP, if configured
      The violation count is increased whenever a violation happens
      03:05:49: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0023.32b9.ad96 on port FastEthernet0/2.
   SHUTDOWN
      The port is moved to err-disable state if a violation happens
      The admin has to type shutdown to bring the err-disabled port to administratively down
      Steps to recover:
         shutdown      - so it goes from err-disable to admin down
         no shutdown   - from admin down to up state
         Or use the recovery mechanism for auto recovery
      03:07:54: %PM-4-ERR_DISABLE: psecure-violation error detected on FastEthernet0/24, putting FastEthernet0/24 in err-disable state
      SW1#sh inter f0/2 | in err
      FastEthernet0/2 is down, line protocol is down (err-disabled)

   To recover from err-disable state manually:
      SW1(config-if)#shutdown
      SW1(config-if)#no shutdown
   To recover from err-disable state automatically:
      SW1(config)#errdisable recovery cause psecure-violation
      SW1(config)#errdisable recovery interval <30-86400 sec>
      *Mar 1 00:57:28.227: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/2
   Verification:
      show port-security interface <int-name>
      show port-security
      show interfaces status err-disabled
   To clear a MAC in restrict or protect mode so that another host can communicate:
      Sw#clear port-security dynamic [address mac-addr | interface type mod/num]

11. CDP - CISCO DISCOVERY PROTOCOL
   Disable CDP services if they are not necessary
      no cdp run       <------ config mode
      no cdp enable    <------ config-if mode
      SW1#sh cdp
      % CDP is not enabled
      SW1(config)#no cdp run
      SW1(config)#inter fa0/24
      SW1(config-if)#cdp enable
      % Cannot enable CDP on this interface, since CDP is not running
Time stamps:
      SW1#sh clock
      15:45:26.283 Fri Oct 14 2011
      SW1(config)#service timestamps log datetime localtime
      Oct 14 3:45:51: %LINK-5-CHANGED: Interf..
      SW1(config)#service timestamps log uptime
      01:10:17: %LINK-5-CHANGED: Interf..
      SW1(config)#service timestamps log datetime localtime show-timezone
      Oct 14 15:51:14 IST: %LINK-5-CHANGED: Interf..

14. Logging via CONSOLE, TERMINAL (TELNET) WINDOW, SYSLOG, BUFFER, SNMP
   Severity levels:
      Level            Description                          Severity
      critical         Critical conditions                  2
      errors           Error conditions                     3
      warnings         Warning conditions                   4
      notifications    Normal but significant conditions    5
      informational    Informational messages               6
      debugging        Debugging messages                   7
   Logging to a syslog server:
      // x.x.x.x - PC on which the syslog server is installed
      // logging trap enables all severity levels to be logged
      *Oct 14 10:52:01.443: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.1.1.10 port 514 started - CLI initiated
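As an added example (not from the original notes), the Python below parses the kind of IOS syslog lines quoted in the port-security and logging sections once they arrive at the syslog server: it splits each message into facility, severity and mnemonic, pulls the port, MAC and cause out of the PSECURE_VIOLATION, BLOCK_BPDUGUARD, ERR_DISABLE and ERR_RECOVER messages, filters on the severity table above, and replays the err-disable/recover messages to list the ports still err-disabled. The log lines are constructed from the samples in these notes; the function and field names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# IOS syslog body "%FACILITY-SEVERITY-MNEMONIC: text" follows the timestamp prefix.
MSG_RE = re.compile(r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mn>[A-Z0-9_]+):\s*(?P<text>.*)")
IFACE = r"(?P<iface>[A-Za-z]+\d[\w/]*)"
DETAIL_RE = {  # per-mnemonic patterns for the fields worth extracting
    "ERR_DISABLE": re.compile(r"(?P<cause>[\w-]+) error detected on " + IFACE),
    "ERR_RECOVER": re.compile(r"recover from (?P<cause>[\w-]+) err ?-disable state on " + IFACE),
    "PSECURE_VIOLATION": re.compile(r"MAC address (?P<mac>[0-9a-f.]+) on port " + IFACE),
    "BLOCK_BPDUGUARD": re.compile(r"Received BPDU on port " + IFACE),
}
ABBREV = {"Fa": "FastEthernet", "Gi": "GigabitEthernet"}

# Constructed sample, patterned on the log lines quoted in these notes.
LOG_SAMPLE = """\
03:05:49: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0023.32b9.ad96 on port FastEthernet0/2.
03:07:54: %PM-4-ERR_DISABLE: psecure-violation error detected on FastEthernet0/2, putting FastEthernet0/2 in err-disable state
Oct 14 16:40:04 IST: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/23 with BPDU Guard enabled. Disabling port.
Oct 14 16:40:04 IST: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/23, putting Fa0/23 in err-disable state
*Oct 14 10:52:01.443: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.1.1.10 port 514 started - CLI initiated
Oct 14 16:42:56 IST: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Fa0/23
"""

@dataclass
class SyslogEvent:
    facility: str
    severity: int
    mnemonic: str
    text: str
    interface: Optional[str] = None
    cause: Optional[str] = None
    mac: Optional[str] = None

def normalize_iface(name: str) -> str:
    """Expand 'Fa0/23' to 'FastEthernet0/23' so both spellings key the same port."""
    m = re.match(r"([A-Za-z]+)(\d.*)", name)
    return ABBREV.get(m.group(1), m.group(1)) + m.group(2) if m else name

def parse_line(line: str) -> Optional[SyslogEvent]:
    m = MSG_RE.search(line)
    if not m:
        return None  # CLI echo or other non-syslog output
    ev = SyslogEvent(m["fac"], int(m["sev"]), m["mn"], m["text"])
    detail = DETAIL_RE.get(ev.mnemonic)
    d = detail.search(ev.text) if detail else None
    if d:
        fields = d.groupdict()
        ev.interface = normalize_iface(fields["iface"])
        ev.cause, ev.mac = fields.get("cause"), fields.get("mac")
    return ev

def parse_log(text: str) -> list:
    return [ev for ev in map(parse_line, text.splitlines()) if ev]

def alerts(events, max_severity: int = 4) -> list:
    """Events at or above a severity threshold (lower number = more severe)."""
    return [ev for ev in events if ev.severity <= max_severity]

def errdisabled_ports(events) -> dict:
    """Ports still err-disabled after replaying ERR_DISABLE / ERR_RECOVER in order."""
    state = {}
    for ev in events:
        if ev.mnemonic == "ERR_DISABLE" and ev.interface:
            state[ev.interface] = ev.cause
        elif ev.mnemonic == "ERR_RECOVER":
            state.pop(ev.interface, None)
    return state
```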
15. MAC-based traffic blocking
      mac-address-table static <mac-address> vlan <VLAN-ID> drop
   Verification:
      show mac address-table
      1    b8ac.6f5a.6650    STATIC    Drop
STP ATTACKS:
   Sending raw Configuration BPDUs
   Sending raw TCN BPDUs
   Denial of Service (DoS) by sending raw Configuration BPDUs
   DoS by sending raw TCN BPDUs
   Claiming the Root role
   Claiming another role
   Claiming the Root role dual-homed (MITM)

16. BPDU guard
   Moves a port to err-disable state whenever it receives any BPDU
      spanning-tree bpduguard enable      // interface mode
      Oct 14 16:40:04 IST: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/23 with BPDU Guard enabled. Disabling port.
      Oct 14 16:40:04 IST: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/23, putting Fa0/23 in err-disable state
      SW1(config)#errdisable recovery cause bpduguard
      Oct 14 16:42:56 IST: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Fa0/23
17. BPDU filter
   Stops sending and stops processing any BPDU
      spanning-tree bpdufilter enable     // interface mode

18. ROOT guard
   Prevents other switches from becoming ROOT
      spanning-tree guard root            // interface mode
      *Mar 1 00:12:05.231: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port FastEthernet0/23.
      *Mar 1 00:12:48.791: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/23 on VLAN0001.
   If inferior BPDUs start arriving on the root-guard-enabled port, the port comes out of the root-inconsistent state:
      *Mar 1 00:14:52.791: %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port FastEthernet0/23 on VLAN0001.
   If root guard is disabled on the port:
      *Mar 1 00:39:53.151: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard disabled on port FastEthernet0/23.
19. STORM CONTROL
      interface f0/10
       storm-control {unicast | broadcast | multicast} level <threshold level>
       storm-control {unicast | broadcast | multicast} level pps <pps>
       storm-control action {shutdown | trap}
   Without an action defined:
      01:55:36: %STORM_CONTROL-3-FILTERED: A Unicast storm detected on Fa0/9. A packet filter action has been applied on the interface.
   With action shutdown defined:
      01:50:37: %PM-4-ERR_DISABLE: storm-control error detected on Fa0/9, putting Fa0/9 in err-disable state
      01:50:37: %STORM_CONTROL-3-SHUTDOWN: A packet storm was detected on Fa0/9. The interface has been disabled.
      01:50:38: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/9, changed state to down
   Verification:
      debug storm-control statistics
      *Mar 1 00:45:04.755: storm_update_receive_stats:I/F: Fa0/1, Accumulated - Bytes: 0x46140, packets: 0x140 time elapsed 1012
      debug storm-control detection
      *Mar 1 00:45:48.287: storm_detect_and_control:I/F: Fa0/1, elapsed time = 1016, bytes = 285246, packets = 318, normalized rate = 2246

20. SWITCH PASSWORD RECOVERY
   Password recovery scenarios:
      Scenario 1: lost console password; know vty and enable/secret password - no password recovery required
      Scenario 2: lost vty password; know console and enable/secret password - no password recovery required
      Scenario 3: lost enable/secret password; know console and vty password - password recovery required
      Scenario 4: lost console and vty password; know enable/secret password - password recovery required
      Scenario 5: lost console, vty and enable/secret password - password recovery required
   Procedure if the password recovery mechanism is disabled:
      Base ethernet MAC Address: 00:0b:be:a2:ad:00
      Xmodem file system is available.
      The password-recovery mechanism is disabled.
      Initializing Flash...
      flashfs[0]: 12 files, 3 directories
      flashfs[0]: 0 orphaned files, 0 orphaned directories
      flashfs[0]: Total bytes: 15998976
      flashfs[0]: Bytes used: 10037248
      flashfs[0]: Bytes available: 5961728
      flashfs[0]: flashfs fsck took 33 seconds.
      ...done Initializing Flash.
      Boot Sector Filesystem (bs:) installed, fsid: 3
      The password-recovery mechanism has been triggered, but is currently disabled. Access to the boot loader prompt through the password-recovery mechanism is disallowed at this point. However, if you agree to let the system be reset back to the default system configuration, access to the boot loader prompt can still be allowed.
      Would you like to reset the system back to the default configuration (y/n)?
      The system has been interrupted, and the config file has been deleted. The following command will finish loading the operating system software:
      boot
      switch:      <<<< rescue mode
   Step 1: unplug the cable and plug it in again
   Step 2: hold the mode button within 5 sec (depends on the MODEL)
   Step 3: switch: flash_init      // to access the flash directory
   Step 4: switch: dir flash:      // shows all files in flash; note the config.text file
   Step 5: switch: load_helper     // to use the rename commands
21. DHCP SNOOPING
      03:10:19: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 172.16.1.1.
   It is a prevention method for the DHCP spoofing attack. It creates a table that maps IP address to MAC address on a per-interface basis, and then drops DHCP messages that do not appear inside the DHCP snooping table.
      ip dhcp snooping
      ip dhcp snooping vlan 10
      interface Fa0/3
       ip dhcp snooping trust
       ip dhcp snooping limit rate <1-2048>
   If no DHCP snooping is available, VLAN ACLs can be used to block DHCP replies from all sources except the DHCP server.
   Verification output:
      Interface            Trusted    Allow option    Rate limit (pps)
      -----------------    -------    ------------    ----------------
      FastEthernet0/2      yes        yes             unlimited
   If the DHCP rate limit is exceeded the port moves into err-disable state:
      errdisable recovery cause dhcp-rate-limit
22. IP Source Guard (IPSG)
   For preventing IP, MAC, VLAN and INTERFACE spoofing
   The attacker impersonates the victim's MAC address. "ip source guard" consults the DHCP snooping table and, if the entry is not there, blocks it.
23. DAI - DYNAMIC ARP INSPECTION
      *Mar 1 00:06:13.519: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/2, vlan 10.([b8ac.6f6a.b36f/10.1.1.10/0000.0000.0000/10.1.1.1/00:06:13 UTC Mon Mar 1 1993])
   ATTACKING TOOLS: Dsniff, Ettercap, Cain
   Prevents ARP spoofing: when the victim sends an ARP request for the MAC of IP 1.2.3.4, the attacker replies "I'm 1.2.3.4 and my MAC is a.b.c.d", pretending to have the requested IP address. Gratuitous ARP is a feature that sends an ARP request or reply without being asked for it, so an attacker can send a gratuitous ARP and all the hosts will store that information.
   Verification:
      sh ip arp inspection
      sh ip arp inspection vlan 10
   ADVANCED ARP INSPECTION:
      ip arp inspection log-buffer entries 1024
      ip arp inspection log-buffer logs 100 interval 10
      interface Fa1/1
       ip arp inspection limit rate 100 burst interval 1
24. VACL - VLAN access-control list
   TOPOLOGY: (figure not recovered)
   CONFIGURATION: (not recovered)
   Verification:
      SW1#sh vlan access-map
      Vlan access-map "VMAP"  10
        Match clauses:
          ip address: deny-10
        Action:
          drop
      Vlan access-map "VMAP"  20
        Match clauses:
        Action:
          forward

25. MACL - MAC access-control list
      mac access-list extended <macl-name>
       permit {host <source mac> | <source mac> <source mac mask>} {host <dest mac> | <dest mac> <dest mac mask>} [<protocol>]
   To apply the MACL:
      interface <inter name>
       mac access-group <macl-name> in
   Verification:
      sh mac access-group
      <output omitted>
      Interface FastEthernet0/3:
        Inbound access-list is MACL
      <output omitted>

26. Best practice in SWITCH
   Unused ports should be shut down
   Unused ports should be in access mode, in an unused VLAN (unused VLAN means NO VLAN MEMBER in that particular VLAN)
      interface f0/10
       shutdown
       switchport mode access
       switchport access vlan 200
       description **** unused port - access port - unused vlan 200 - shutdown state ****

27. VLAN HOPPING - double tagging - VLAN spoofing
Scenario 1:
   The attacker plugs into the network with a rogue switch and configures it to establish a trunk with the other network switches. Once the trunk is up, the attacker is able to gain access to any VLAN available on the trunk port.
Scenario 2:
   The attacker sends 802.1q frames with multiple VLAN tags. The outer VLAN tag is for padding, and the inner tag is the victim's VLAN.
Mitigation:
   Avoid using VLAN 1; explicitly configure "access" mode on all non-trunk ports.
   The native VLAN is the VLAN to which all untagged frames are matched. On trunks the native VLAN does not get encapsulated with ISL or dot1q.
   vlan dot1q tag native is a feature that tags all outgoing frames with the native VLAN ID; incoming frames without a tag are dropped.
   1. Move unused ports into an unused VLAN, aka a bogus VLAN
         interface range f0/10-23
          switchport access vlan 10       <<<<<< VLAN 10 is an unused VLAN; it has no active member
   2. On the trunk, configure the unused VLAN as the native VLAN
         interface f0/24                  <<<<< trunk port
          switchport mode trunk
          switchport trunk native vlan 10
   3. On the trunk, don't allow the native VLAN to pass through
         interface f0/24                  <<<<< trunk port
          switchport trunk allowed vlan remove 10
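As an added example (not from the original notes), the Python below reads an IOS running-config and reports which of the hardening items from the sections above are missing: password encryption, CDP off, DHCP snooping on, VTY lines limited to SSH with an access-class, explicit access mode plus port-security and BPDU guard on active access ports, shut (unused) ports left in access mode with an assigned VLAN, and trunks not using native VLAN 1. The sample config is constructed, and the names parse_blocks and audit are this example's own.

```python
# Constructed sample running-config mixing compliant and non-compliant settings.
SAMPLE_CONFIG = """\
service password-encryption
ip dhcp snooping
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 spanning-tree bpduguard enable
interface FastEthernet0/2
 switchport access vlan 10
interface FastEthernet0/10
 switchport mode access
 shutdown
interface FastEthernet0/24
 switchport mode trunk
 switchport trunk native vlan 1
line vty 0 4
 transport input ssh
 access-class 10 in
line vty 5 15
 transport input telnet ssh
"""

GLOBAL_REQUIRED = ("service password-encryption", "no cdp run", "ip dhcp snooping")
ACCESS_REQUIRED = (("switchport mode access", "mode not explicit; DTP could negotiate a trunk"),
                   ("switchport port-security", "port-security not enabled"),
                   ("spanning-tree bpduguard enable", "BPDU guard not enabled"))

def parse_blocks(config: str):
    """Split an IOS config into global lines and {header: child lines} blocks."""
    glob, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())   # indented line belongs to the open block
        elif raw.startswith(("interface ", "line ")):
            current = raw.strip()
            blocks[current] = []
        else:
            current = None
            glob.append(raw.strip())
    return glob, blocks

def audit(config: str) -> list:
    """Return (scope, finding) pairs where hardening from these notes is missing."""
    glob, blocks = parse_blocks(config)
    findings = [("global", f"missing '{cmd}'") for cmd in GLOBAL_REQUIRED
                if not any(g.startswith(cmd) for g in glob)]
    for header, lines in blocks.items():
        has = lambda prefix: any(l.startswith(prefix) for l in lines)
        scope = header.split(" ", 1)[1]  # 'FastEthernet0/2' or 'vty 5 15'
        if header.startswith("line vty"):
            if "transport input ssh" not in lines:
                findings.append((scope, "allow SSH only: 'transport input ssh'"))
            if not has("access-class "):
                findings.append((scope, "restrict management sources: 'access-class <acl> in'"))
        elif "switchport mode trunk" in lines:
            native = next((l.split()[-1] for l in lines if l.startswith("switchport trunk native vlan")), "1")
            if native == "1":
                findings.append((scope, "trunk uses native VLAN 1; move it to an unused VLAN"))
        elif "shutdown" in lines:  # these notes treat a shut port as an unused port
            if "switchport mode access" not in lines or not has("switchport access vlan"):
                findings.append((scope, "unused port should be access mode in an unused VLAN"))
        else:  # active access port
            findings += [(scope, why) for cmd, why in ACCESS_REQUIRED if cmd not in lines]
    return findings
```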
28. Analyzer (SPAN)
Source port:
   Also called the monitored port
   Can be a switchport
   Can be any number of ports
   Can be in multiple sessions
   Ingress or egress or both can be monitored
   Can be an access, voice VLAN, trunk or routed port
   Can be from any VLAN
Source VLAN:
   Also called VSPAN - VLAN SPAN
   All active ports in the VLAN will be monitored
   Either or both directions
   If the destination belongs to the same VLAN it is excluded from monitoring
   Maximum 64 ports
Destination port:
   Cannot be an EtherChannel port      // it will be removed from the EtherChannel
   Cannot be a routed port             // it will become an L2 port
   Cannot be a PVLAN port
   Can be an 802.1x port
   Participates in only one session
   Incoming traffic is disabled by default
   STP, VTP, CDP, DTP, PAgP are disabled
   For RSPAN, the original VLAN ID is lost because it is overwritten by the RSPAN VLAN ID. Therefore all packets appear on the destination port as untagged.
Reflector port:
   Mechanism that copies packets onto an RSPAN VLAN
   Forwards only traffic from the RSPAN source session with which it is affiliated
   Any device connected to a port set as a reflector port loses connectivity until the RSPAN source session is disabled
   Cannot be an EtherChannel group
   Does not trunk
   The destination port of one session cannot be used as the destination of another session:
      % Interface(s) Fa0/25 already configured as monitor destinations in other monitor sessions
   The destination port cannot be a source port for the same or another session:
      % Interface(s) Fa0/25 already configured as monitor destinations
Criteria for SPAN, VSPAN, RSPAN:
   The source of one session cannot be the destination of the same/another session
   The destination of one session cannot be a source/destination of the same/another session
   The source of one session can be a source of another session
   Multiple sources can be in the same/another session
   Only a single destination is allowed in each session
   Source interfaces can be in any VLAN
   Source interface and destination interface can be in the same/another VLAN
   In VSPAN the source VLAN and the destination port's VLAN should not be the same VLAN
   Session IDs are local to the switches
   If the source direction is not mentioned, both directions will be monitored
   By default incoming traffic on the destination is not allowed; it can be allowed with the ingress command
   In the ingress command the untagged VLAN has to be given
   The RSPAN VLAN should not have any active member; that VLAN only carries the monitored interfaces' traffic
   RSPAN reflects a copy of the data on only one port
   On the reflector port return traffic is not allowed
   The reflector port cannot be a source or destination of any session
   Once a port is declared as reflector port, the port LED goes OFF
   A separate port is used to carry other VLAN traffic from one switch to the other switch
SPAN: In sw1
      monitor session 1 source interface Fa0/13
      monitor session 1 destination interface Fa0/2 ingress vlan 10
VSPAN: In sw1
      monitor session 1 source vlan <vlan-id>
      monitor session 1 destination interface Fa0/2 ingress vlan <id>
RSPAN: In sw1 & sw2
      vlan 100
       remote-span
   In sw1
      monitor session 1 source interface Fa0/13
      monitor session 1 destination remote vlan 100 reflector-port Fa0/23
   In sw2
      monitor session 1 source remote vlan 100
      monitor session 1 destination interface Fa0/2 encapsulation dot1q ingress vlan 10    <<< analyzer PC; allow incoming traffic
      monitor session 1 filter vlan <>      // to limit vlan on
   Verification:
      sh monitor session 1
RSPAN with a VACL on the RSPAN VLAN:
      !
      interface F0/1
       description Monitor Port
      !
      interface Vlan10
       ip address 10.10.10.1 255.255.255.0
      !
      interface Vlan20
       ip address 10.20.20.1 255.255.255.0
      !
      ! VACLs require that a corresponding SVI (L3 interface) exists
      ! It can remain unconfigured and administratively shutdown
      interface Vlan100
       description RSPAN VLAN - Must exist for VACL on RSPAN VLAN
       shutdown
      !
      ! The IP extended ACL that matches TCP traffic destined to ports 5000 6000
      ip access-list extended TCP-TRAFFIC
       permit tcp any any range 5000 6000
      !
      ! Defines the VLAN access-map (VACL)
      vlan access-map RSPAN-VACL 10
       match ip address TCP-TRAFFIC
       action forward
      !
      ! Maps the VACL to the RSPAN VLAN
      vlan filter RSPAN-VACL vlan-list 100
      !
      ! Monitor session 1 captures bidirectional traffic from
      ! VLANs 10 and 20 to RSPAN VLAN 100
      monitor session 1 source vlan 10 , 20
      monitor session 1 destination remote vlan 100
      !
      ! Monitor session 2 captures bidirectional traffic from
      ! RSPAN VLAN 100 to interface gig4/5
      monitor session 2 source remote vlan 100
      monitor session 2 destination interface Gi4/5
29. PVLAN
   IOS image: c3560-ipservicesk9-mz.122-53.SE2.bin
   Primary VLAN
      Carries traffic from promiscuous ports to isolated and community ports and to other promiscuous ports in the same primary VLAN
      Isolated and community VLANs are associated to it
      Not more than one isolated VLAN is allowed
   Isolated VLAN
      Carries traffic from isolated ports to promiscuous ports
      One per primary VLAN
   Community VLAN
      Carries traffic to and from the same community
   Secondary VLAN
      Isolated and community VLANs
   PVLANs can be extended to another switch via a trunk by exchanging primary, isolated and community VLANs in the other switches
   PVLAN works only in VTP mode TRANSPARENT
   Step 1. Create primary and secondary PVLANs
      Hostname(config)# vlan 101
      Hostname(config-vlan)# private-vlan primary
      Hostname(config)# vlan 201
      Hostname(config-vlan)# private-vlan community
      Hostname(config)# vlan 202
      Hostname(config-vlan)# private-vlan community
      Hostname(config)# vlan 301
      Hostname(config-vlan)# private-vlan isolated
   Step 2. Associate the secondary VLANs with the primary VLAN
      Hostname(config)# vlan 101
      Hostname(config-vlan)# private-vlan association 201-202,301
   Step 3. Map the secondary VLANs to the SVI (the L3 VLAN interface) of the primary VLAN
      Hostname(config)# interface vlan 101
      Hostname(config-if)# private-vlan mapping add 201-202,301
   Step 4. Configure an L2 interface as an isolated or community port, and associate the port with the primary VLAN and the selected secondary VLAN pair
      Hostname(config)# interface Fastethernet 1/1
      Hostname(config-if)# switchport mode private-vlan host
      Hostname(config-if)# switchport private-vlan host-association 101 201
      Hostname(config)# interface Fastethernet 1/2
      Hostname(config-if)# switchport mode private-vlan host
      Hostname(config-if)# switchport private-vlan host-association 101 301
   Step 5. Configure an L2 interface as a PVLAN promiscuous port, and map the port to the primary VLAN and the selected secondary VLAN pair
      Hostname(config)# interface Fastethernet 1/10
      Hostname(config-if)# switchport mode private-vlan promiscuous
      Hostname(config-if)# switchport private-vlan mapping 101 201-202,301
   Verification:
      show interface private-vlan mapping
      show interface [interface-id] switchport

30. Port block
   Unknown unicast and multicast frames will not be flooded from the port
      Sw(config-if)#switchport block multicast
      Sw(config-if)#switchport block unicast
   If any interface in an EtherChannel is enabled with the block command, all ports in the EtherChannel will be enabled

31. switchport protected
   If any interface in an EtherChannel is enabled with the protected command, all ports in the EtherChannel will be enabled
   A private-VLAN port cannot be a protected port
   Two protected ports won't communicate with each other
   Protected to non-protected port works normally
      Switch(config-if)#switchport protected

32. EtherChannel guard
   If a misconfiguration happens in the EtherChannel, the port will be error-disabled
   Misconfiguration can happen:
      When one side has EtherChannel configured and the other side does not
      When the EtherChannel protocol mismatches between switches
      Switch(config)#spanning-tree etherchannel guard misconfig
   To recover from errdisable:
      Switch(config)#errdisable recovery cause channel-misconfig

33. DOS & DDOS attack:
   Control plane protection
      Control plane: controls switch operation; any data destined to the switch, e.g. DTP, STP, VTP
   Data plane protection
      Data plane: responsible for forwarding users' data
   Management plane protection
      Management plane: any management traffic is handled here: SSH, telnet, SNMP, HTTP, FTP, TFTP, syslog