Cisco Catalyst switch is fully secured within your network.
1. PASSWORDS
First of all, passwords are configured. One is used as the enable secret; the other belongs to a local user account that will later be assigned to the console port. Note that `username ... password` stores the password in the reversible type 7 format, whereas `username ... secret` stores a hash and is preferable where the IOS image supports it.
enable secret [password]
username admin password [password]
2. CONSOLE
The console port is secured by setting an idle timeout (30 minutes) and requiring login against the local username and password configured above.
line console 0
exec-timeout 30
login local
3. HTTP SERVER
By default the HTTP server is enabled. It can be disabled unless it is otherwise required.
no ip http server
no ip http secure-server
4. CDP
CDP can be used as an attack vector: it advertises device details such as platform, software version and addresses to anyone on the link. To disable CDP globally run the following command:
no cdp run
5. PREVENT ROGUE TRUNKS
By default ports are set to dynamic desirable, meaning they can become either a trunk port or an access port depending on what is plugged in. To ensure that a rogue device cannot be plugged in and a trunk formed (which would send traffic for all VLANs out of this port), a switchport can be pinned to access mode only.
(config-if)# switchport mode access
6. PORT SECURITY
Cisco provides the ability, via the port-security commands, to limit the number of MAC addresses that can populate the MAC address table through a specific port. This can prevent CAM table overflow attacks.
Note: When you enter the default value the full command will not be displayed via `show run`.
(config-if)# switchport port-security
(config-if)# switchport port-security maximum 1 [1 is default]
(config-if)# switchport port-security violation shutdown [shutdown is default]
The violation options are:
shutdown (default) - The interface is transitioned to the error-disabled state, which in turn blocks all traffic on the port.
protect - Frames from MAC addresses other than the permitted addresses are dropped; traffic from allowed addresses is permitted to pass normally.
restrict - The same as protect mode, but additionally generates a syslog message.
Sticky MAC allows the configured number of MAC addresses that enter the port to be assigned to it; any further MACs are denied. Learnt addresses are added to the switch's configuration much as if you had explicitly defined the allowed address via the port-security command, such as:
(config-if)# switchport port-security mac-address [mac]
To enable port-security sticky learning the following command can be used:
(config-if)# switchport port-security mac-address sticky
Below are the main show commands:
show port-security interface fastethernet 0/8
show port-security
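The three violation modes and sticky learning described above, modelled in Python as an added example (not IOS code and not from the original post): the same three constructed frames are replayed through a port in each mode to show exactly where the modes differ.

```python
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    """One interface under port-security (added model, not IOS code)."""
    maximum: int = 1                  # IOS default: one secure MAC per port
    violation: str = "shutdown"       # IOS default violation mode
    sticky: bool = False              # sticky learning writes learned MACs into the config
    allowed: set = field(default_factory=set)        # static or learned secure MACs
    err_disabled: bool = False
    violations: list = field(default_factory=list)   # constructed log entries, not IOS syslog text
    sticky_lines: list = field(default_factory=list) # config lines sticky learning would add

    def receive(self, mac: str) -> bool:
        """Handle one frame from `mac`; True means forwarded, False means dropped."""
        mac = mac.lower()
        if self.err_disabled:
            return False              # shutdown mode: the port blocks all traffic until recovered
        if mac in self.allowed:
            return True
        if len(self.allowed) < self.maximum:
            self.allowed.add(mac)     # free slot: learn the address (dynamically or sticky)
            if self.sticky:
                self.sticky_lines.append(f"switchport port-security mac-address sticky {mac}")
            return True
        # Table full and this MAC is not secure: a violation, handled per the configured mode.
        if self.violation == "shutdown":
            self.err_disabled = True  # err-disable: even the allowed MAC is now blocked
        if self.violation in ("shutdown", "restrict"):
            self.violations.append(f"port-security violation from {mac}")  # protect stays silent
        return False

def run_scenario(mode: str, frames):
    """Replay constructed frames through a fresh port in `mode`; return (results, port)."""
    port = SecurePort(violation=mode)
    return [port.receive(m) for m in frames], port

if __name__ == "__main__":
    frames = ["00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:01"]  # constructed
    for mode in ("protect", "restrict", "shutdown"):
        results, port = run_scenario(mode, frames)
        print(mode, results, len(port.violations), port.err_disabled)
```

Note that in shutdown mode the third frame, from the legitimately learned MAC, is also dropped: err-disable takes the whole port down, which is the availability cost of the default mode.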
7. SPANNING TREE SECURITY
Intruders can attempt to seize the root bridge role. Changing the root bridge allows them to force traffic over an alternative STP path that is possibly slower, and also to sniff traffic passing through the switch they have forced to become root.
To guard against this you can use the root guard feature. This ensures that if someone plugs a switch into this port and tries to make it the root bridge, the switch places the port into a blocking (root-inconsistent) state.
(config-if)# spanning-tree guard root
BPDU guard ensures that no STP protocol traffic (BPDUs) is accepted on ports designated as access ports; a port that receives a BPDU is placed into the error-disabled state.
(config-if)# spanning-tree bpduguard enable
(config-if)# spanning-tree portfast
You can also enable this globally on any port that has portfast enabled by running the following command:
(config)# spanning-tree portfast bpduguard default
8. DHCP
DHCP attacks can cause network outages and can also become a catalyst for man-in-the-middle attacks. These are produced by a rogue DHCP server replying to DHCP requests and handing out itself as the default gateway. The rogue then receives the clients' traffic, sniffs it and passes it on to the real default gateway.
DHCP Snooping - DHCP snooping is intended to prevent a malicious user from pretending to be the network DHCP server. This is achieved via:
- Telling the switch which port(s) the DHCP server is connected to by issuing the ip dhcp snooping trust command; DHCP server messages arriving on any other (untrusted) port are dropped.
- DHCP snooping building a binding table from the DHCP REQUESTS and OFFERS it sees, which it then uses to determine malicious intent.
Note: DHCP snooping also underpins protection against ARP spoofing. Because the switch builds a binding table from all DHCP requests and responses, it can determine (via Dynamic ARP Inspection) whether an ARP reply from a device is consistent with the information in that table.
Below we enable DHCP snooping on the following VLANs, so that DHCP replies are dropped on untrusted ports. Snooping must also be switched on globally with `ip dhcp snooping` for the per-VLAN setting to take effect.
(config)# ip dhcp snooping vlan 1,4,3
As our DHCP server is on port 24 we mark that port as trusted so its DHCP replies are allowed:
(config)# interface fastethernet 0/24
(config-if)# ip dhcp snooping trust
DHCP rate limiting prevents pool exhaustion. The example below allows 3 DHCP packets per second to arrive on the port.
(config-if)# ip dhcp snooping limit rate 3
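An added example, not from the original post: a small Python audit that reads `show running-config` text and reports which of the hardening lines from sections 3 to 8 are missing, treating an absent `switchport port-security maximum` as the default of 1 noted in section 6. The sample config is constructed, and the rule that ports carrying `ip dhcp snooping trust` skip the edge-port checks is my assumption.

```python
import re
# Constructed running-config excerpt (sample data, not from a real device).
SAMPLE_CONFIG = """\
no ip http server
ip dhcp snooping
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 spanning-tree bpduguard enable
interface FastEthernet0/2
 switchport mode dynamic desirable
interface FastEthernet0/24
 switchport mode access
 ip dhcp snooping trust
"""
# Default-on settings may not appear in 'show run'; the explicit 'no' form is what the audit looks for.
REQUIRED_GLOBAL = ["no ip http server", "no ip http secure-server", "no cdp run", "ip dhcp snooping"]
REQUIRED_EDGE = ["switchport mode access", "switchport port-security", "spanning-tree bpduguard enable"]

def parse_config(text):
    """Split running-config text into global lines and {interface: [sub-lines]}."""
    global_lines, interfaces, current = [], {}, None
    for line in (l.rstrip() for l in text.splitlines()):
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # a '!' or any global line ends the interface block
            if line and line != "!":
                global_lines.append(line)
    return global_lines, interfaces

def port_security_max(lines):
    """Effective secure-MAC limit: no 'maximum' line in show run means the default of 1."""
    hits = [re.match(r"switchport port-security maximum (\d+)$", l) for l in lines]
    return next((int(m.group(1)) for m in hits if m), 1)

def audit(text):
    """Return (scope, finding) pairs for every hardening line that is missing."""
    global_lines, interfaces = parse_config(text)
    findings = [("global", f"missing '{c}'") for c in REQUIRED_GLOBAL if c not in global_lines]
    for name, lines in interfaces.items():
        if "ip dhcp snooping trust" in lines:
            continue  # assumption: this is the trusted DHCP uplink, not an edge port
        findings += [(name, f"missing '{c}'") for c in REQUIRED_EDGE if c not in lines]
        if "switchport port-security" in lines and port_security_max(lines) > 1:
            findings.append((name, f"port-security maximum raised to {port_security_max(lines)}"))
    return findings
```

Run `audit(SAMPLE_CONFIG)` to see the two missing global lines and the three missing edge-port lines on FastEthernet0/2; feed it the saved output of `show running-config` to check a real switch.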
9. MISC
9.1 Switch Port Analyser (SPAN)
SPAN ports allow you to send a copy of all the traffic from other ports out to a designated port. This is normally configured if you need to place either a standard packet sniffer or an IDS/IPS on the designated port.
(config)# monitor session 1 source interface fastethernet 0/1 - 20 both
(config)# monitor session 1 destination interface fastethernet 0/24
9.2 Private VLANs
PVLANs are VLANs inside of VLANs. This allows you to segregate at a host-to-host level rather than at a subnet level as with conventional VLANs.
9.3 Storm Control
Storm control allows you to configure actions at port level based on the traffic levels the switch sees on that port. The example below shuts the port down should broadcast traffic exceed 70% of the port's bandwidth.
(config-if)# storm-control action shutdown
(config-if)# storm-control broadcast level 70