CCNA Security-Chapter6-L2 Security

[Topology diagram]

no ip domain-lookup
ip domain-name lab.local
enable secret 5 $1$ESzt$kxA3lPasM5m.YxaMbrobZ1
username admin privilege 15 secret 5 $1$8FmU$aYM9in7iOjtZY08im/Sn7.
service password-encryption
no enable password
!
line console 0
logging synchronous
exec-timeout 0 0
history size 30
password 0 console@2014
login
exit
!
line vty 0 4
logging synchronous
exec-timeout 2 0
history size 30
password 0 terminal@2014
login
exit
!
clock timezone CO/BOG -5
!
service timestamps log datetime msec localtime
service timestamps debug datetime msec localtime
!
security passwords min-length 10
security authentication failure rate 3 log
!
login delay 2
login on-success log every 1
login on-failure log every 3
login block-for 120 attempts 3 within 60
login quiet-mode access-class PERMIT-ADMIN
!
ip access-list standard PERMIT-ADMIN
permit 192.168.180.0 0.0.0.255
deny any log
exit
!
!
no ip routing
!
!
vlan database
vlan 5 name DATA_1
vlan 10 name DATA_2
vlan 15 name NATIVE_VLAN
vlan 20 name MANAGEMENT
apply
vtp server
vtp v2-mode
vtp domain CCNASECURITY
vtp password CCNASECURITY@2014
apply
exit
!
!
interface fa1/0
description R1_fa0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 15
no shutdown
!
interface fa1/1
description SW-1_fa0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 15
no shutdown
!
interface fa1/2
description SW-2_fa1/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 15
no shutdown
!
show vlan-switch brief
show vtp status
show vtp password
!
!
interface vlan 1
shutdown
exit
!
interface vlan 20
ip address 192.168.180.3 255.255.255.0
exit
!

hostname R1
no ip domain-lookup
ip domain-name lab.local
enable secret 5 $1$ESzt$kxA3lPasM5m.YxaMbrobZ1
username admin privilege 15 secret 5 $1$8FmU$aYM9in7iOjtZY08im/Sn7.
service password-encryption
no enable password
!
line console 0
logging synchronous
exec-timeout 0 0
history size 30
password 0 console@2014
login
exit
!
line vty 0 4
logging synchronous
exec-timeout 2 0
history size 30
password 0 terminal@2014
login
exit
!
clock timezone CO/BOG -5
!
service timestamps log datetime msec localtime
service timestamps debug datetime msec localtime
!
security passwords min-length 10
security authentication failure rate 3 log
!
login delay 2
login on-success log every 1
login on-failure log every 3
login block-for 120 attempts 3 within 60
login quiet-mode access-class PERMIT-ADMIN
!
ip access-list standard PERMIT-ADMIN
permit 192.168.180.0 0.0.0.255
deny any log
exit
!
ip access-list standard NAT-ACL
permit 192.168.5.0 0.0.0.255
permit 192.168.10.0 0.0.0.255
deny any log
exit
!
ip nat inside source list NAT-ACL interface fa0/0 overload
!
!
! ip routing must stay enabled on R1: it routes between the VLAN subinterfaces below and performs NAT
ip routing
!
interface fa0/0
ip address dhcp
no shutdown
description INTERNET_CONNECTION
ip nat outside
exit
!
interface fa0/1
no shutdown
description CAMPUS_NETWORK_CORE-CENTRAL_fa1/0
exit
!
interface fa0/1.5
encapsulation dot1Q 5
ip address 192.168.5.1 255.255.255.0
description GW_VLAN_5
ip nat inside
exit
!
interface fa0/1.10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
description GW_VLAN_10
ip nat inside
exit
!
interface fa0/1.15
encapsulation dot1Q 15 native
description GW_VLAN_15
exit
!
interface fa0/1.20
encapsulation dot1Q 20
ip address 192.168.180.2 255.255.255.0
description GW_VLAN_20
exit
!
!
ping ip 8.8.8.8 source fa0/1.5
ping ip 8.8.8.8 source fa0/1.10
!
show interfaces description
!

It is increasingly common that primary business resources, including data centers, applications, endpoints, as well as users, all exist outside the traditional business perimeter. Cisco calls this the borderless network.
!
The challenge is how to allow these heterogeneous devices to connect to enterprise resources securely. To address these very issues, Cisco created the SecureX architecture.
!
IronPort is a leading provider of anti-spam, antivirus, and anti-spyware appliances. IronPort uses SenderBase, the world’s largest threat detection database, to help provide preventive and reactive security measures.
!
IronPort offers different security appliances:
!!!!
C-Series – An email security appliance for virus and spam control.
S-Series – A web security appliance for spyware filtering, URL filtering, and anti-malware.
M-Series – A security management appliance that complements the email and web security appliances by managing and monitoring an organization’s policy settings and audit information.
!
MACOF
YERSINIA
!
NAC helps maintain network stability by providing four important features: authentication and authorization, posture assessment (evaluating an incoming device against the policies of the network), quarantining of noncompliant systems, and remediation of noncompliant systems.
!
Network security professionals must mitigate attacks within the Layer 2 infrastructure. These attacks include MAC address spoofing, STP manipulation, MAC address table overflows, LAN storms, and VLAN attacks.
!
It is important for the network security professional to remember that Layer 2 attacks typically require internal access, either from an employee or visitor.
!
Buffer overflows are perhaps the most common method of application subversion on the Internet today. They are mostly used to gain access to root privileges or cause a DoS attack.
!
In networks with multiple interconnected switches, the MAC address tables record multiple MAC addresses for the ports interconnecting switches. These MAC addresses reflect remote nodes or nodes that are connected to another switch within the switched domain.
!
MAC spoofing attacks occur when an attacker alters the MAC address of their host to match another known MAC address of a target host. The attacking host then sends a frame throughout the network with the newly configured MAC address. When the switch receives the frame, it examines the source MAC address. The switch overwrites the current MAC address table entry and assigns the MAC address to the new port. It then inadvertently forwards frames destined for the target host to the attacking host.
!
The key to understanding how MAC address overflow attacks work is to know that MAC address tables are limited in size. MAC flooding takes advantage of this limitation by bombarding the switch with fake source MAC addresses until the switch MAC address table is full.
!
The most common way of implementing a MAC address table overflow attack is using the MACOF tool. This tool floods a switch with frames containing randomly generated source and destination MAC and IP addresses.
!
Both MAC spoofing and MAC address table overflow attacks can be mitigated by configuring port security on the switch.
!
STP operates by electing a root bridge and building a tree topology from that root. STP allows for redundancy, but at the same time, ensures that only one link is operational at a time and no loops are present.
!
Network attackers can manipulate STP to conduct an attack by changing the topology of a network. An attacker can make it appear that the attacking host is a root bridge, thereby spoofing the root bridge. All traffic for the immediate switched domain then passes through the rogue root bridge (the attacking system).
!
Mitigation techniques for STP manipulation include enabling PortFast as well as root guard and BPDU guard.
!
A LAN storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance. Errors in the protocol stack implementation, mistakes in network configurations, or users issuing a DoS attack can cause a storm. Broadcast storms can also occur on networks. Remember that switches always forward broadcasts out all ports. Some necessary protocols, such as ARP and DHCP, use broadcasts; therefore, switches must be able to forward broadcast traffic.
!
Storm control (or traffic suppression) monitors packets passing from an interface to the switching bus and determines if the packet is unicast, multicast, or broadcast. The switch counts the number of packets of a specified type received within a certain time interval and compares the measurement with a predefined suppression-level threshold. Storm control then blocks traffic when the rising threshold is reached.
!
By default, trunk ports have access to all VLANs and pass traffic for multiple VLANs across the same physical link, generally between switches. The data moving across these links might be encapsulated with IEEE 802.1Q or inter-switch link (ISL).
!
A basic VLAN hopping attack succeeds only when the port is configured to support trunking in auto or dynamic mode. The attacker then becomes a member of all the VLANs that are trunked on the switch and can hop, that is, send and receive traffic on all of those VLANs.
!
The best way to prevent a basic VLAN hopping attack is to turn off trunking on all ports, except the ones that specifically require trunking. On the required trunking ports, disable DTP (auto trunking) negotiations and manually enable trunking.
!
A VLAN hopping attack that uses double 802.1Q encapsulation is unidirectional and works only when the attacker is connected to a port residing in the same VLAN as the native VLAN of the trunk port. Thwarting this type of attack is not as easy as stopping basic VLAN hopping attacks. The best approach is to ensure that the native VLAN of the trunk ports is different from the VLAN of the user ports. In fact, it is considered a security best practice to use a dummy VLAN that is unused throughout the switched LAN as the native VLAN for all 802.1Q trunks in a switched LAN.
!
For example, to prevent MAC spoofing and MAC table overflows, enable port security.
!
Port security can also be used to control unauthorized expansion of the network.
!
It is recommended that an administrator configure the port security feature to issue a shutdown rather than dropping frames from insecure hosts with the restrict option. The restrict option might fail under the load of an attack.
!
!!! PORT-SECURITY CONFIG
!!!!!!!!!!!!!!!!!!!!!!!!!
————————–
interface g1/0/1
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security violation shutdown
!
! remove port security from the interface again
no switchport port-security
!
! global config: let ports err-disabled by a port-security violation recover automatically
errdisable recovery cause psecure-violation
!
Use aging to remove secure MAC addresses on a secure port without manually deleting the existing secure MAC addresses.
!
switchport port-security aging time 3
! choose one aging type: absolute ages entries out 3 minutes after learning,
! inactivity ages them out after 3 minutes without traffic
switchport port-security aging type absolute
switchport port-security aging type inactivity
!
!
The addresses are usually learned dynamically. However, when configuring port security with an IP phone, the voice addresses cannot be made sticky.
!
show port-security
show port-security interface g1/0/1
show port-security address
show port-security address vlan 147
show port-security interface g1/0/1 address
!
!
MAC address notifications are generated only for dynamic and secure MAC addresses.
!
mac address-table notification
!
!
To mitigate STP manipulation, the PortFast, root guard, and BPDU guard STP enhancement commands can be enabled. These features enforce the placement of the root bridge in the network and enforce the STP domain borders.
!
!!! SPANNING-TREE SECURITY FEATURES CONFIG
!!!!!!!!!!!!!!!!!!!!!!!!!
————————–
!
! global: enable PortFast on all access (non-trunk) ports
spanning-tree portfast default
! global: PortFast ports stop sending and receiving BPDUs
spanning-tree portfast bpdufilter default
! interface: enable PortFast on a single port
spanning-tree portfast
!
!
BPDU guard is used to protect the switched network from the problems caused by receiving BPDUs on ports that should not be receiving them.
!
spanning-tree portfast bpduguard default
!
show spanning-tree summary
!
The Cisco switch root guard feature provides a way to enforce the placement of root bridges in the network. Root guard limits the switch ports out of which the root bridge can be negotiated. If a root-guard-enabled port receives BPDUs that are superior to those that the current root bridge is sending, that port is moved to a root-inconsistent state. This is effectively equal to an STP listening state, and no data traffic is forwarded across that port.
!
!
Root guard is best deployed toward ports that connect to switches that should not be the root bridge.
!
!
With root guard, if an attacking host sends out spoofed BPDUs in an effort to become the root bridge, the switch, upon receipt of a BPDU, ignores the BPDU and puts the port in a root-inconsistent state. The port recovers as soon as the offending BPDUs cease.
!
!
spanning-tree guard root
!
show spanning-tree inconsistentports
!
!!! LAN STORM CONTROL CONFIG
!!!!!!!!!!!!!!!!!!!!!!!!!
————————–
!
LAN storm attacks can be mitigated by using storm control to monitor predefined suppression-level thresholds. When enabling storm control, both a rising threshold and a falling threshold can be set.
!
!
! unicast rising threshold 99% and falling threshold 98% of interface bandwidth
storm-control unicast level 99.00 98.00
! actions when the rising threshold is reached: shutdown err-disables the port,
! trap sends an SNMP trap (with no action configured, the switch only filters traffic)
storm-control action shutdown
storm-control action trap
!
When a storm occurs and the action is to filter traffic, if the falling suppression level is not specified, the switch blocks all traffic until the traffic rate drops below the rising suppression level. If the falling suppression level is specified, the switch blocks traffic until the traffic rate drops below this level.
!
%PM-4-ERR_DISABLE: storm-control error detected on Gi1/0/35, putting Gi1/0/35 in err-disable state
041077: Feb  4 16:27:18.012: %STORM_CONTROL-3-SHUTDOWN: A packet storm was detected on Gi1/0/35. The interface has been disabled.
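As an added defender-side example (not from the original notes), this Python parser turns IOS err-disable syslog lines like the two quoted above into structured events and, for a psecure-violation, attaches the MAC address reported by the accompanying PORT_SECURITY message. The sample log is constructed, and the PORT_SECURITY message text is assumed to follow the usual IOS format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Constructed IOS syslog sample, modelled on the storm-control messages quoted
# above plus a port-security violation and an unrelated link-state message.
SAMPLE_LOG = """\
041076: Feb  4 16:27:17.998: %PM-4-ERR_DISABLE: storm-control error detected on Gi1/0/35, putting Gi1/0/35 in err-disable state
041077: Feb  4 16:27:18.012: %STORM_CONTROL-3-SHUTDOWN: A packet storm was detected on Gi1/0/35. The interface has been disabled.
041078: Feb  4 16:31:02.114: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/7, putting Gi1/0/7 in err-disable state
041079: Feb  4 16:31:02.120: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.1111.2222 on port GigabitEthernet1/0/7.
041080: Feb  4 16:35:00.000: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/35, changed state to up
"""

ERR_DISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: (?P<cause>[\w-]+) error detected on (?P<port>\S+), putting")
PSECURE_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address (?P<mac>[0-9a-f.]+) on port (?P<port>\S+)\.")

@dataclass
class ErrDisableEvent:
    cause: str            # e.g. storm-control, psecure-violation
    port: str             # short interface name as printed by PM (Gi1/0/35)
    offending_mac: Optional[str] = None  # filled in for psecure-violation

def short_name(port: str) -> str:
    """GigabitEthernet1/0/7 -> Gi1/0/7 so both message formats compare equal."""
    return port.replace("GigabitEthernet", "Gi").replace("FastEthernet", "Fa")

def parse_err_disable_events(log_text: str) -> List[ErrDisableEvent]:
    """One event per %PM-4-ERR_DISABLE line; a later PSECURE_VIOLATION for the same port adds the MAC."""
    events: List[ErrDisableEvent] = []
    for line in log_text.splitlines():
        m = ERR_DISABLE_RE.search(line)
        if m:
            events.append(ErrDisableEvent(m["cause"], short_name(m["port"])))
            continue
        m = PSECURE_RE.search(line)
        if m:
            for ev in reversed(events):
                if ev.cause == "psecure-violation" and ev.port == short_name(m["port"]):
                    ev.offending_mac = m["mac"]
                    break
    return events

def ports_by_cause(events: List[ErrDisableEvent]) -> dict:
    """Summary for an alert: {cause: [ports]}."""
    out: dict = {}
    for ev in events:
        out.setdefault(ev.cause, []).append(ev.port)
    return out
```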
!
!
show storm-control
show storm-control gigabitethernet 0/0/0 unicast
!
If no traffic type is specified, the default is broadcast traffic.
!
The best way to mitigate VLAN hopping attacks is to ensure that trunking is only enabled on ports that require trunking. Additionally, be sure to disable DTP (auto trunking) negotiations and manually enable trunking.
!
!!! VLAN Trunk Security CONFIG
!!!!!!!!!!!!!!!!!!!!!!!!!
————————–
!
Mitigating VLAN hopping attacks that use double 802.1Q encapsulation requires several modifications to the VLAN configuration. One of the more important elements is to use a dedicated native VLAN for all trunk ports. This attack is easy to stop when following the recommended practice of not using native VLANs for trunk ports anywhere else on the switch. In addition, disable all unused switch ports and place them in an unused VLAN.
!
!
! user ports: fixed access mode, so DTP cannot negotiate a trunk
switchport mode access

! trunk ports: trunk manually, disable DTP, and use an unused dummy native VLAN
! (15 is the NATIVE_VLAN defined in the lab configuration above)
switchport mode trunk
switchport nonegotiate
switchport trunk native vlan 15
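An added example (not from the original notes) that audits a running-config excerpt for the mitigations listed above: trunks still running DTP or sitting on native VLAN 1, access ports without port security, and live ports left in a DTP-negotiable mode. The config text is constructed.

```python
# Constructed config excerpt (not the lab above): hardened trunk, DTP trunk on VLAN 1, access port, unused port.
SAMPLE_CONFIG = """\
interface FastEthernet1/0
 switchport mode trunk
 switchport trunk native vlan 15
 switchport nonegotiate
!
interface FastEthernet1/1
 switchport mode trunk
!
interface FastEthernet1/5
 switchport mode access
 switchport port-security
!
interface FastEthernet1/6
!
"""

def parse_interfaces(config: str):
    """Map each 'interface X' stanza to its indented lines (stripped)."""
    stanzas = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1].strip()
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or any unindented line ends the stanza
    return stanzas

def audit_port(lines):
    findings = []
    mode = next((l.split()[-1] for l in lines if l.startswith("switchport mode ")), None)
    if mode == "trunk":
        if "switchport nonegotiate" not in lines:
            findings.append("trunk still runs DTP: add 'switchport nonegotiate'")
        native = next((l.split()[-1] for l in lines if l.startswith("switchport trunk native vlan ")), "1")
        if native == "1":
            findings.append("trunk uses default native VLAN 1: move it to an unused dummy VLAN")
    elif mode == "access":
        if "switchport port-security" not in lines:
            findings.append("access port without port security")
    elif "shutdown" not in lines:  # no mode, or dynamic auto/desirable, on a port that is up
        findings.append("DTP-negotiable mode on a live port: set access mode or shut it down")
    return findings

def audit_config(config: str):
    return {name: audit_port(lines) for name, lines in parse_interfaces(config).items()}
```

Ports whose finding list comes back empty pass the check.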
!
!
!!! SPAN CONFIG
!!!!!!!!!!!!!!!!!!!!!!!!!
————————–
SPAN copies (or mirrors) traffic received, sent, or both on source ports or source VLANs to a destination port for analysis. SPAN does not affect the switching of network traffic on the source ports or VLANs. The destination port is dedicated for SPAN use. Except for traffic that is required for the SPAN, destination ports do not receive or forward traffic. Interfaces should usually be monitored in both directions, while VLANs should be monitored in only one direction.
!
!
monitor session 1 source interface gigabitethernet0/1
monitor session 1 destination interface gigabitethernet0/2 encapsulation replicate
!
!
!!! PVLAN Edge CONFIG
!!!!!!!!!!!!!!!!!!!!!!!!!
————————–
Some applications require that no traffic be forwarded at Layer 2 between ports on the same switch so that one neighbor does not see the traffic generated by another neighbor. In such an environment, the use of the Private VLAN (PVLAN) Edge feature, also known as protected ports, ensures that there is no exchange of unicast, broadcast, or multicast traffic between these ports on the switch.
!
!
switchport protected
show interfaces g1/0/35 switchport
!
!
!
Additionally, the management VLAN should be reassigned to an unused VLAN that is neither a user VLAN nor the native VLAN.
