Router & Switch Device Security
– to encrypt passwords with the following command #service password-encryption
- “#no service password-encryption” – does not automatically decrypt the password. It waits until a new password is added.
– #enable secret – encrypts the password as md5
– #enable password – type 7 password
– #username password <pass> – encrypts the password as MD5
- “#no service password-encryption” – does not automatically decrypt the password. It waits until a new password is added.
– #enable secret – encrypts the password as md5
– #enable password – type 7 password
– #username password <pass> – encrypts the password as MD5
AAA – Authentication, Authorization and Accounting
Radius vs Tacacs
| RADIUS | TACACS | |
| Scope of Encryption: Packet Payload or just Password | Password Only | Entire Payload |
| Layer 4 Protocol | UDP | TCP |
| Well Known ports | 1812/1645 | 49/49 |
| Standard or Cisco Propriety | Standard | Cisco |
AAA authentication Methods
Steps
1. Enable AAA with “aaa new-model”
2. RADIUS or TACACS, define IP address or Key
3. Define the default set of authentication methods used for all CLI access by: “#aaa authentication login default”
4. Define the default set of authentication methods for enable by using “aaa authentication enable default”
– there is no limit to the number of RADIUS/TACACS servers. The logic of the IOS is to get the 1st one, thennext etc
– you can create group and specify the order of the logging servers
Steps
1. Enable AAA with “aaa new-model”
2. RADIUS or TACACS, define IP address or Key
3. Define the default set of authentication methods used for all CLI access by: “#aaa authentication login default”
4. Define the default set of authentication methods for enable by using “aaa authentication enable default”
– there is no limit to the number of RADIUS/TACACS servers. The logic of the IOS is to get the 1st one, thennext etc
– you can create group and specify the order of the logging servers
PPP Security
– PPP can use PAP or CHAP
– defaul tauthentication is with #username password Steps
1. Enable AAA “aaa new-model”
2. Configure RADIUS/TACACS
3. Define the set of authentication using #aaa authentication ppp default
4. Create groups with #aaa authentication group ..
– defaul tauthentication is with #username password Steps
1. Enable AAA “aaa new-model”
2. Configure RADIUS/TACACS
3. Define the set of authentication using #aaa authentication ppp default
4. Create groups with #aaa authentication group ..
Layer2 Security
Recommandations
1. Disable unneeded dynamic protocols like CDP and DTP
2. Disable trunking by configuring these ports as access ports
3. Enable BPDU Guard and Root Guard to prevent STP attacks
4. Use DAI or private VLANs to prevent frame sniffing
5. Enable port security
6. Use 802.1x user authentication
7. Use DHCP snooping and IP Source Guard to prevent DHCP DOS and man-in-the-middle attacks
8. Use private VLANs to protect from sniffing
9. Configurat VTP authentication
10. Disable unused switch ports and place them in an unused VLAN (ex. VLAN 999)
11. Avoid using VLAN1
12. For trunks, do not use native VLAN
1. Disable unneeded dynamic protocols like CDP and DTP
2. Disable trunking by configuring these ports as access ports
3. Enable BPDU Guard and Root Guard to prevent STP attacks
4. Use DAI or private VLANs to prevent frame sniffing
5. Enable port security
6. Use 802.1x user authentication
7. Use DHCP snooping and IP Source Guard to prevent DHCP DOS and man-in-the-middle attacks
8. Use private VLANs to protect from sniffing
9. Configurat VTP authentication
10. Disable unused switch ports and place them in an unused VLAN (ex. VLAN 999)
11. Avoid using VLAN1
12. For trunks, do not use native VLAN
Port Security
– requirs that a port is staically set as either access or trunking
#switchport port-security [aging] [violation] { protect|restrict|shutdown}
protect – tells the switch to perform port-security
restrict – tells it to send SNMP traps and issue log message regarding the violation
shutdown – puts the port in err-disable state
#switchport port-security [aging] [violation] { protect|restrict|shutdown}
protect – tells the switch to perform port-security
restrict – tells it to send SNMP traps and issue log message regarding the violation
shutdown – puts the port in err-disable state
Dynamic ARP Inspection (DAI)
-works by sending a GARP
– DAI is used to defeat ARP attacks
DAI determines if an ARP message is inappropiate by using the following logic:
1. If an ARP reply lists a source ARP address that was not DHCP assigned to a device off that port, DAI filters the ARP reply
2. Uses a list of static defined IP/MAC Address
3. For a received ARP reply, DAI compares the source MAC in the Ethenrnet header to the SMAC in the ARP message. If it is not equaled => it is filtered
4. DAI compares the destination Ethernet MAC and the targe MAC listed in the ARP body
5. DAI checks for unexpected IP address like “0.0.0.0” pr “255.255.255.255”
DHCP snooping must be enabled for DAI to work
– DAI is used to defeat ARP attacks
DAI determines if an ARP message is inappropiate by using the following logic:
1. If an ARP reply lists a source ARP address that was not DHCP assigned to a device off that port, DAI filters the ARP reply
2. Uses a list of static defined IP/MAC Address
3. For a received ARP reply, DAI compares the source MAC in the Ethenrnet header to the SMAC in the ARP message. If it is not equaled => it is filtered
4. DAI compares the destination Ethernet MAC and the targe MAC listed in the ARP body
5. DAI checks for unexpected IP address like “0.0.0.0” pr “255.255.255.255”
DHCP snooping must be enabled for DAI to work
Dynamic ARP inspection Commands
| Command | Prupose |
| ip arp inspection vlan <vlan-range> | Global command to enable DAI on the switch for specific VLANs |
| ip arp inspection trust | Interface sub-command that enables or disables DAI on the interface. Default is enabled |
| ip arp inspect filter <arp-cal-name> vlan <vlan-range> static | Global command to refer to an ARP ACL that defines static IP/MAC address to be checked by DAI |
| ip arp inspection vlidate {[src-mac][dst-mac][ip]} | Enables additional optional checking of ARP messages |
| * ip arp inspect limit { rate pps [burst interval in seconds|none]} | Limits the ARP message rate to prevent DOS attacks carried out by sending a large number of ARPs |
* by default DAI automatically sets a limit of 15 ARP messages per port/per second to mitigate that risk; the settings can be changed using the “ip arp inspection limit”
DHCP Snooping
– builds a table of IP addresses and port mapping , called DHCP snooping binding table
– the table is used by DAI and IP Source Guard
-used to prevent DHCP attacks
– DHCP Attack, man-in-the-middle attack, by using bogus DHCP server, giving out the gateway of the attacker.
To not deplete the IP Pool, the DHCP uses the following logic for filtering of packets
1. It filters messages sent exclusively by DHCP servers
2. The switch checks DHCP release and decline messages againsts the DHCP snooping binding table; if the IP
– the table is used by DAI and IP Source Guard
-used to prevent DHCP attacks
– DHCP Attack, man-in-the-middle attack, by using bogus DHCP server, giving out the gateway of the attacker.
To not deplete the IP Pool, the DHCP uses the following logic for filtering of packets
1. It filters messages sent exclusively by DHCP servers
2. The switch checks DHCP release and decline messages againsts the DHCP snooping binding table; if the IP
address in those messages is not listed with the port in the DHCP snooping binding table, the messages are
filtered
3. Optionally, it compares a DHCP request client HW value with the source address inside the ETH frame
3. Optionally, it compares a DHCP request client HW value with the source address inside the ETH frame
| Commands | Features |
| ip dhcp snooping vlan <vlan range> | Global command to enable dhcp snooping |
| ip dhcp trust | Enables trust |
| ip dhcp snooping binding <mac-addr> vlan <id> <ip-address> interface <id> expiry <seconds> | Global command to add static entries to the DHCP snooping binding database |
| ip dhcp snooping limit rate <rate> | Sets the maximum number of DHCP messages per second to mitigate DoS attacks |
IP source Guard
-if enabled with dhcp snooping, IP Source Guard checks the source IP address of received packet against the DHCP snooping binding database
– is enabled on the interfaces
– is enabled on the interfaces
802.1x Authentication using EAP
– switches use 802.1x to atuenticaticate traffic, before it is allowed to joing the network
– EAP can be used to authenticate the PC, or can be used as a OTP (One Time Paswword)
– EAP messages are incapsulated into the frames, they are called EAP over LAN (EAPoL)
– RADIUS expects the EAP message, as a data structure called RADIUS attribute, with this attributs sitting inside a normal RADIUS message
– EAP can be used to authenticate the PC, or can be used as a OTP (One Time Paswword)
– EAP messages are incapsulated into the frames, they are called EAP over LAN (EAPoL)
– RADIUS expects the EAP message, as a data structure called RADIUS attribute, with this attributs sitting inside a normal RADIUS message
802.1x roles
1. Supplicant – the PC that asends the message
2. Authentication – the switch that translates froam EAP to RADIUS
3. Authentication Server – stores username/password and verifies that the correct values were submitted before authenticating the user
2. Authentication – the switch that translates froam EAP to RADIUS
3. Authentication Server – stores username/password and verifies that the correct values were submitted before authenticating the user
Storm Control
– supports rate-limiting traffic at LAyer 2 using the #Strom-control commands
– can be configurated for: unicast, multicast, broadcast traffic
– can be configured per port
– it support only physical interfaces and not: suinterface, etherchannels etc
– can be configurated for: unicast, multicast, broadcast traffic
– can be configured per port
– it support only physical interfaces and not: suinterface, etherchannels etc
No comments:
Post a Comment