SWITCH v6, Chapter 6. 2007-2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Chapter 6 Objectives
- Identify the attacks and threats to switches and the methods to mitigate those attacks.
- Configure switches to protect against MAC-based attacks.
- Configure tight control of VLAN trunk links to mitigate VLAN hopping attacks.
- Configure switches to guard against DHCP, MAC, and address resolution protocol (ARP) threats.
- Secure Layer 2 devices and protocols.
- Develop and implement organizational security policies.
- Describe tools used to monitor and analyze network traffic.
Unauthorized devices
MAC Layer Attacks
MAC Address Flooding
Frames with unique, invalid source MAC addresses flood the switch, exhausting content addressable memory (CAM) table space and disallowing new entries from valid hosts. Traffic to valid hosts is subsequently flooded out all ports.
Mitigation: port security; MAC address VLAN access maps.
VLAN Attacks
VLAN Hopping
By altering the VLAN ID on packets encapsulated for trunking, an attacking device can send or receive packets on various VLANs, bypassing Layer 3 security measures. Devices might need protection from one another, even though they are on a common VLAN. This is especially true on service-provider segments that support devices from multiple customers.
Mitigation: tighten up trunk configurations and the negotiation state of unused ports. Place unused ports in a common VLAN. Implement private VLANs (PVLAN).
Steps to Mitigation
Spoofing Attacks
DHCP Starvation and DHCP Spoofing: use DHCP snooping.
Spanning-tree Compromises: proactively configure the primary and backup root devices. Enable root guard.
MAC Spoofing: use DHCP snooping and port security.
Understanding MAC Layer Attacks
Step 1. The switch forwards traffic based on valid MAC address table entries.
Step 2. The attacker (MAC address C) sends out multiple packets with various source MAC addresses.
Step 3. Over a short time period, the CAM table in the switch fills up until it cannot accept new entries. As long as the attack is running, the MAC address table on the switch remains full.
Step 4. The switch begins to flood all packets that it receives out of every port, so that frames sent from Host A to Host B are also flooded out of Port 3 on the switch.
Protecting against MAC Layer Attacks
To prevent MAC address flooding, port security can be used. Configure port security to define the number of MAC addresses allowed on a given port. Port security can also specify which MAC address is allowed on a given port.
Port Security
Cisco-proprietary feature on Catalyst switches. It restricts a switch port to a specific set or number of MAC addresses, which can be learned dynamically or configured statically. "Sticky learning" combines dynamically learned and statically configured addresses: dynamically learned addresses are converted to sticky secure addresses, as if they had been configured using the switchport port-security mac-address sticky interface command.
Action: Configure port security.
Notes: Configure port security to allow only five connections on that port. Configure one entry for each of the five allowed MAC addresses. This, in effect, populates the MAC address table with five entries for the port and allows no additional entries to be learned dynamically.
When frames arrive on the switch port, their source MAC address is checked against the MAC address table. If the frame source MAC address matches an entry in the table for that port, the frames are forwarded to the switch to be processed like any other frames on the switch. When frames with a non-allowed MAC address arrive on the port, the switch determines that the address is not in the current MAC address table and does not create a dynamic entry for that new MAC address, because the number of allowed addresses has been limited. The switch disallows access to the port and takes one of these configuration-dependent actions: (a) the entire switch port can be shut down; (b) access can be denied for that MAC address only and a log error can be generated; (c) access can be denied for that MAC address but without generating a log message.
New addresses are not allowed to create new MAC address table entries. The switch takes action in response to non-allowed frames.
An attacker enables a hacking tool on the attacker's rogue device to flood switch CAM tables with false MAC addresses, causing the MAC address table to fill up. When the MAC address table is full, the switch effectively turns into a hub and floods all unicast frames.
Port security is configured on untrusted user ports. Enabling port security limits MAC flooding attacks and locks down the port. Port security also sends an SNMP trap alerting of any violation. Port security allows frames from already secured MAC addresses below the maximum number of MAC addresses enabled on that port, and any frame with a new MAC address over the limit is dropped.
Step 1. Set the maximum number of MAC addresses that will be allowed on this port. The default is one:
Switch(config-if)# switchport port-security maximum value
Step 2. Specify which MAC addresses will be allowed on this port (optional):
Switch(config-if)# switchport port-security mac-address mac-address
Step 3. Define what action the interface will take if a non-allowed MAC address attempts access:
Switch(config-if)# switchport port-security violation {shutdown | restrict | protect}
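The three steps above define a maximum, an allowed-address list and a violation action. The following added example (not code from the Cisco slides) models that behaviour for one access port, including sticky learning and a CAM-flooding burst of constructed source MACs, so the effect of each violation mode can be compared. Log text is constructed and only modelled on IOS syslog.

```python
# Added example (not from the Cisco slides): a model of Catalyst port security
# on one access port. It implements the behaviour the slide steps describe:
# a maximum number of secure MACs, static or sticky/dynamic learning, and the
# shutdown / restrict / protect violation actions. Log strings are constructed
# (modelled on IOS syslog/SNMP trap output); no real switch is involved.

class SecurePort:
    def __init__(self, name, maximum=1, violation="shutdown", sticky=False,
                 static=()):
        self.name = name
        self.maximum = maximum          # switchport port-security maximum <value>
        self.violation = violation      # switchport port-security violation {...}
        self.sticky = sticky            # switchport port-security mac-address sticky
        self.secure = {}                # mac -> "static" | "dynamic" | "sticky"
        self.err_disabled = False
        self.violations = 0
        self.log = []
        for mac in static:              # switchport port-security mac-address <mac>
            self.secure[mac] = "static"

    def receive(self, src_mac):
        """Process one ingress frame; return 'forward' or 'drop'."""
        if self.err_disabled:
            return "drop"               # port stays err-disabled after a shutdown violation
        if src_mac in self.secure:
            return "forward"            # already a secure address on this port
        if len(self.secure) < self.maximum:
            # Room left below the maximum: learn the address. A sticky address
            # would also be written into the running configuration.
            self.secure[src_mac] = "sticky" if self.sticky else "dynamic"
            return "forward"
        return self._violation(src_mac)

    def _violation(self, src_mac):
        """Apply the configured violation action to a non-allowed address."""
        self.violations += 1
        if self.violation == "shutdown":
            # whole port goes err-disabled; IOS also raises a syslog message and trap
            self.err_disabled = True
            self.log.append(f"{self.name}: err-disabled, offending MAC {src_mac}")
        elif self.violation == "restrict":
            # frame dropped, violation counted and logged (syslog + SNMP trap)
            self.log.append(f"{self.name}: violation, MAC {src_mac} dropped")
        # "protect": frame dropped silently, nothing logged
        return "drop"


def cam_flood(port, count):
    """Replay a CAM-flooding burst of `count` distinct (constructed) source MACs."""
    return [port.receive(f"0000.00ab.{i:04x}") for i in range(count)]
```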
4503(config)# interface FastEthernet 3/47
4503(config-if)# switchport
4503(config-if)# switchport mode access
4503(config-if)# switchport port-security
4503(config-if)# switchport port-security [argument lost]
4503(config-if)# switchport port-security [argument lost]
4503(config-if)# switchport port-security [argument lost]
4503(config-if)# switchport port-security [argument lost]
4503(config-if)# switchport port-security [argument lost]
4503(config)# interface FastEthernet [slot/port lost]
(the same sequence of commands is repeated for the second interface)
switch# show port-security address
          Secure Mac Address Table
-----------------------------------------------------------------------
Vlan    Mac Address       Type            Ports   Remaining Age (mins)
----    -----------       ----            -----   --------------------
?       001b.d513.2ad?    SecureDynamic   Fa0/1   -
-----------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6144
MAC Addresses
switch# show running-config interface fastethernet 0/1
interface FastEthernet0/1
 switchport access vlan [value lost]
 switchport mode access
 switchport port-security maximum [value lost]
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 001b.d513.2ad?
switch# show port-security address
          Secure Mac Address Table
-----------------------------------------------------------------------
Vlan    Mac Address       Type           Ports   Remaining Age (mins)
----    -----------       ----           -----   --------------------
?       001b.d513.2ad?    SecureSticky   Fa0/1   -
VLAN Hopping
In another type of switch spoofing attack, the network attacker connects an unauthorized Cisco switch to the switch port. The unauthorized switch can send DTP frames and form a trunk. The attacker then has access to all the VLANs through the trunk and can attack a victim in any VLAN.
Step 1. The attacker (native VLAN 10) sends a frame with two 802.1Q headers to Switch 1.
Step 2. Switch 1 strips the outer tag and forwards the frame to all ports within the same native VLAN.
Step 3. Switch 2 interprets the frame according to the information in the inner tag, marked with VLAN ID 20.
Step 4. Switch 2 forwards the frame out all ports associated with VLAN 20, including trunk ports.
The native VLAN is different from any data VLANs. Trunking is set up as On or Nonegotiate rather than negotiated. Only the specific VLAN range is carried on the trunk; this ensures that the native VLAN will be pruned along with any other VLANs not explicitly allowed on the trunk.
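A byte-level model of the four double-tagging steps and of the trunk settings just listed, as an added example that is not part of the Cisco slides: it builds a constructed double-tagged frame, passes it through an idealized Switch 1 access port and 802.1Q trunk, and reports which VLAN Switch 2 assigns it under each trunk configuration (native VLAN equal to the access VLAN, an unused native VLAN, native VLAN tagged, native VLAN pruned from the trunk). ETH_P_8021Q is the standard 802.1Q TPID; everything else is assumed for the example.

```python
# Added example (not from the slides): model of the VLAN hopping double-tag
# frame and of the trunk settings that contain it. Frames are constructed
# inline; switch behaviour is idealized (one access port on Switch 1, one
# 802.1Q trunk to Switch 2, no real network I/O).

import struct

ETH_P_8021Q = 0x8100       # 802.1Q tag protocol identifier
ETH_P_IP = 0x0800

def build_frame(dst_mac, src_mac, vids, payload=b"hop"):
    """Ethernet frame with `vids` stacked as 802.1Q tags, outermost first."""
    frame = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    for vid in vids:
        frame += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)   # TPID + TCI (PCP/DEI = 0)
    return frame + struct.pack("!H", ETH_P_IP) + payload

def pop_tag(frame):
    """Return (vid, frame without its outermost tag), or (None, frame) if untagged."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_8021Q:
        return None, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]

def push_tag(frame, vid):
    """Insert an 802.1Q tag for `vid` directly after the MAC addresses."""
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vid) + frame[12:]

def switch1_to_trunk(frame, access_vlan, native_vlan, tag_native=False,
                     allowed_vlans=None):
    """Switch 1: classify a frame arriving on an access port, then place it on the trunk.
    Returns the bytes sent on the trunk wire, or None if the frame is not forwarded."""
    vid, rest = pop_tag(frame)
    if vid is not None and vid != access_vlan:
        return None                    # access port drops frames tagged for other VLANs
    if allowed_vlans is not None and access_vlan not in allowed_vlans:
        return None                    # VLAN pruned from the trunk (switchport trunk allowed vlan)
    if access_vlan == native_vlan and not tag_native:
        return rest                    # native VLAN leaves untagged: the inner tag survives
    return push_tag(rest, access_vlan) # any other VLAN (or 'vlan dot1q tag native') is tagged

def switch2_classify(wire, native_vlan):
    """Switch 2: the VLAN in which a frame received on the trunk is forwarded."""
    vid, _ = pop_tag(wire)
    return native_vlan if vid is None else vid

def hop_attempt(native_vlan, tag_native=False, allowed_vlans=None,
                access_vlan=10, target_vlan=20):
    """VLAN that Switch 2 assigns to a double-tagged frame sent from the access VLAN.
    Returns None when Switch 1 does not forward the frame at all."""
    frame = build_frame("ffffffffffff", "00000000000a", [access_vlan, target_vlan])
    wire = switch1_to_trunk(frame, access_vlan, native_vlan, tag_native, allowed_vlans)
    return None if wire is None else switch2_classify(wire, native_vlan)
```

`hop_attempt(10)` reproduces Step 4 (the frame lands in VLAN 20), while an unused native VLAN, a tagged native VLAN, or pruning the native VLAN from the trunk each keep it in VLAN 10 or drop it.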
switch(config)# access-list 100 permit ip 10.1.9.0 0.0.0.255 any
switch(config)# mac access-list extended BACKUP_SERVER
switch(config-ext-mac)# permit any host 0000.1111.4444
switch(config)# vlan access-map XYZ 10
switch(config-map)# match ip address 100
switch(config-map)# action drop
switch(config-map)# vlan access-map XYZ 20
switch(config-map)# match mac address BACKUP_SERVER
switch(config-map)# action drop
switch(config-map)# vlan access-map XYZ 30
switch(config-map)# action forward
switch(config)# vlan filter XYZ vlan-list 10,20
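To make the VLAN access map above concrete, here is an added evaluator (not code from the Cisco slides) that applies the same ACL 100, MAC ACL BACKUP_SERVER and map XYZ to constructed packet dictionaries on VLANs 10 and 20: sequences are tested in order, the first sequence whose match clause hits decides, and a sequence with no match clause (sequence 30) matches everything. Platform details, such as MAC clauses applying only to non-IP traffic on some Catalyst models, are ignored.

```python
# Added example (not from the slides): evaluator for the VACL configured on the
# slide. Packets are constructed dicts with src_mac, dst_mac and (for IP
# packets) src_ip, dst_ip. Platform-specific matching rules are not modelled.

import ipaddress

def ip_acl_100(pkt):
    """access-list 100 permit ip 10.1.9.0 0.0.0.255 any (implicit deny for everything else)."""
    if "src_ip" not in pkt:
        return False                    # an IP ACL cannot match a non-IP frame
    return ipaddress.ip_address(pkt["src_ip"]) in ipaddress.ip_network("10.1.9.0/24")

def mac_acl_backup_server(pkt):
    """mac access-list extended BACKUP_SERVER: permit any host 0000.1111.4444."""
    return pkt["dst_mac"] == "0000.1111.4444"

# vlan access-map XYZ: (sequence, match predicates, action)
ACCESS_MAP_XYZ = [
    (10, [ip_acl_100], "drop"),              # match ip address 100 / action drop
    (20, [mac_acl_backup_server], "drop"),   # match mac address BACKUP_SERVER / action drop
    (30, [], "forward"),                     # no match clause: everything else is forwarded
]
VLAN_FILTER = {"XYZ": {10, 20}}              # vlan filter XYZ vlan-list 10,20

def evaluate_map(access_map, pkt):
    """First sequence (in order) whose match clause hits decides the action."""
    for _seq, matches, action in sorted(access_map, key=lambda e: e[0]):
        if not matches or any(m(pkt) for m in matches):
            return action
    return "drop"                            # nothing matched: the VLAN map drops the packet

def vacl_decision(pkt, vlan, access_maps=None, vlan_filter=VLAN_FILTER):
    """Return 'forward' or 'drop' for a packet bridged or routed within `vlan`."""
    access_maps = access_maps or {"XYZ": ACCESS_MAP_XYZ}
    for name, vlans in vlan_filter.items():
        if vlan in vlans:
            return evaluate_map(access_maps[name], pkt)
    return "forward"                         # no access map applied to this VLAN
```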
For a gateway, the clients then forward packets to the attacking device, which in turn sends them to the desired destination. This is referred to as a man-in-the-middle attack, and it can go entirely undetected as the intruder intercepts the data flow through the network.
In the first scenario, an attacker launches a DoS attack by sending thousands of DHCP requests. The DHCP server has no way to determine whether a request is genuine and can therefore end up exhausting all available IP addresses. The result is that a legitimate client cannot obtain an IP address through DHCP.
A second scenario occurs when the attacker connects a DHCP server to the network and assumes the role of the DHCP server for that segment. This allows the intruder to advertise false DHCP information for the default gateway and the domain name servers, pointing the clients to the attacker's machine. The attacker thereby becomes a man-in-the-middle and gains access to confidential information, such as username and password pairs, while the end user is unaware of the attack.
DHCP Snooping
DHCP snooping is a Cisco Catalyst feature that determines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted.
Commands
Enable DHCP snooping globally:
Switch(config)# ip dhcp snooping
Enable DHCP Option 82:
Switch(config)# ip dhcp snooping information option
Configure DHCP server interfaces or uplink ports as trusted:
Switch(config-if)# ip dhcp snooping trust
Configure the number of DHCP packets per second (pps) that are acceptable on the port:
Switch(config-if)# ip dhcp snooping limit rate rate
Enable DHCP snooping on specific VLANs:
Switch(config)# ip dhcp snooping vlan number [number]
Verify the configuration:
Switch# show ip dhcp snooping
switch(config)# ip dhcp snooping
switch(config)# ip dhcp snooping information option
switch(config)# ip dhcp snooping vlan 10,20
switch(config)# interface fastethernet 0/1
switch(config-if)# description Access Port
switch(config-if)# ip dhcp snooping limit rate 5
switch(config)# interface fastethernet 0/24
switch(config-if)# description Uplink
switch(config-if)# switchport mode trunk
switch(config-if)# switchport trunk allowed vlan 10,20
switch(config-if)# ip dhcp snooping trust
Step 1. Host A sends an ARP request for C's MAC address.
Step 2. Router C replies with its MAC and IP addresses. C also updates its ARP cache.
Step 3. Host A binds C's MAC address to its IP address in its ARP cache.
Step 4. Host B (attacker) sends an ARP binding B's MAC address to C's IP address.
Step 5. Host A updates its ARP cache with B's MAC address bound to C's IP address.
Step 6. Host B sends an ARP binding B's MAC address to A's IP address.
Step 7. Router C updates its ARP cache with B's MAC address bound to A's IP address.
Step 8. Packets are diverted through the attacker (B).
DAI takes these actions:
- Forwards ARP packets received on a trusted interface without any checks.
- Intercepts all ARP packets on untrusted ports.
- Verifies that each intercepted packet has a valid IP-to-MAC address binding before forwarding packets that can update the local ARP cache.
- Drops and logs ARP packets with invalid IP-to-MAC address bindings.
DAI determines the validity of an ARP packet based on a valid MAC-address-to-IP-address binding database built by DHCP snooping.
DAI Commands
Command: Switch(config)# ip arp inspection vlan vlan_id [vlan_id]
Description: Enables DAI on a VLAN or range of VLANs.
Command: Switch(config-if)# ip arp inspection trust
Description: Configures the interface as trusted; ARP packets received on it are forwarded without checks.
Command: not legible on the slide (the IOS command that performs this check is ip arp inspection validate {src-mac | dst-mac | ip})
Description: Configures DAI to drop ARP packets when the IP addresses are invalid, or when the MAC addresses in the body of the ARP packets do not match the addresses specified in the Ethernet header.
Host 1 is connected to Switch A and Host 2 is connected to Switch B, both in VLAN 10. The DHCP server is connected to Switch A. DHCP snooping is enabled on Switch A and Switch B as a prerequisite for DAI. The links between the switches are configured as DAI trusted ports, and the user ports remain in the default untrusted state.
SwitchA# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SwitchA(config)# ip arp inspection vlan 10
SwitchA(config)# interface GigabitEthernet 1/1
SwitchA(config-if)# ip arp inspection trust
SwitchA(config-if)# end
SwitchB# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SwitchB(config)# ip arp inspection vlan 10
SwitchB(config)# interface GigabitEthernet 1/1
SwitchB(config-if)# ip arp inspection trust
SwitchB(config-if)# end
SwitchA# show ip arp inspection interfaces
Interface   Trust State   Rate (pps)   Burst Interval
---------   -----------   ----------   --------------
Gi1/1       Trusted       None         N/A
Gi1/2       Untrusted     15           1
Fa2/1       Untrusted     15           1
Fa2/2       Untrusted     15           1
SwitchA# show ip arp inspection vlan 10
Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled
 Vlan   Configuration   Operation   ACL Match
 ----   -------------   ---------   ---------
   10   Enabled         Active
 Vlan   ACL Logging     DHCP Logging
 ----   -----------     ------------
   10   Deny            Deny
SwitchA# show ip dhcp snooping binding
MacAddress          IpAddress    Lease(sec)  Type           VLAN  Interface
------------------  -----------  ----------  -------------  ----  ---------------
00:01:00:01:00:01   10.10.10.1   4995        dhcp-snooping  10    FastEthernet2/1
SwitchB# show ip arp inspection interfaces
Interface   Trust State   Rate (pps)   Burst Interval
---------   -----------   ----------   --------------
Gi1/1       Trusted       None         N/A
Gi1/2       Untrusted     15           1
Fa2/1       Untrusted     15           1
Fa2/2       Untrusted     15           1
Fa2/3       Untrusted     15           1
Fa2/4       Untrusted     15           1
<output omitted>
SwitchB# show ip arp inspection vlan 10
Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled
 Vlan   Configuration   Operation   ACL Match
 ----   -------------   ---------   ---------
   10   Enabled         Active
 Vlan   ACL Logging     DHCP Logging
 ----   -----------     ------------
   10   Deny            Deny
SwitchB# show ip dhcp snooping binding
MacAddress          IpAddress    Lease(sec)  Type           VLAN  Interface
------------------  -----------  ----------  -------------  ----  ---------------
00:02:00:02:00:02   10.10.10.2   4995        dhcp-snooping  10    FastEthernet2/2
A workstation that acquires its IP address through DHCP is connected to the same Catalyst switch as a server with a static IP address.
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 1,10
Switch(config)# ip dhcp snooping verify mac-address
Switch(config)# ip source binding 0000.000a.000b vlan 10 10.1.10.11 interface Fa2/18
Switch(config)# interface fastethernet 2/1
Switch(config-if)# switchport
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# ip verify source vlan dhcp-snooping port-security
Switch(config)# interface fastethernet 2/18
Switch(config-if)# switchport
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# ip verify source vlan dhcp-snooping port-security
Switch# show ip source binding
MacAddress          IpAddress    Lease(sec)  Type           VLAN  Interface
------------------  -----------  ----------  -------------  ----  ----------------
00:02:B3:3F:3B:99   10.1.1.11    052?        dhcp-snooping  1     FastEthernet2/1
00:00:00:0A:00:0B   10.1.10.11   infinite    static         10    FastEthernet2/18
Switch# show ip verify source
Interface   Filter-type   Filter-mode
---------   -----------   -----------
Fa2/1       ip-mac        active
Fa2/18      ip-mac        active
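An added example (not code from the Cisco slides) of the per-port filtering that the ip verify source vlan dhcp-snooping port-security configuration performs, using the two source bindings from the output above: filter mode ip-mac requires both the source IP and the source MAC to match a binding on the ingress port and VLAN, while the plain ip mode (assumed here as the variant without the port-security keyword) checks the IP only. Packet dictionaries and binding values are constructed; DHCP client traffic is let through so a host can still obtain a lease.

```python
# Added example (not from the slides): IP Source Guard filtering on the two
# ports configured above. Binding values are taken as shown in the example
# output and are constructed for this model.

# Entries as a 'show ip source binding' table would list them
SOURCE_BINDINGS = [
    {"mac": "0002.b33f.3b99", "ip": "10.1.1.11",  "type": "dhcp-snooping", "vlan": 1,  "port": "Fa2/1"},
    {"mac": "0000.000a.000b", "ip": "10.1.10.11", "type": "static",        "vlan": 10, "port": "Fa2/18"},
]
# ip verify source ...: port -> filter mode ('ip-mac' when port-security is added)
IPSG_PORTS = {"Fa2/1": "ip-mac", "Fa2/18": "ip-mac"}

def ipsg_allows(pkt, bindings=SOURCE_BINDINGS, ports=IPSG_PORTS):
    """pkt: dict with port, vlan, src_ip, src_mac and optional dhcp flag.
    Returns True if IP Source Guard lets the packet through."""
    mode = ports.get(pkt["port"])
    if mode is None:
        return True                    # no source guard on this port
    if pkt.get("dhcp"):
        return True                    # DHCP exchange is needed to create a binding
    for b in bindings:
        if b["port"] != pkt["port"] or b["vlan"] != pkt["vlan"] or b["ip"] != pkt["src_ip"]:
            continue                   # binding belongs to another port, VLAN or address
        if mode == "ip" or b["mac"] == pkt["src_mac"]:
            return True                # ip-mac mode also requires the MAC to match
    return False                       # no binding on this port covers the source

def filter_trace(packets, **kw):
    """Apply ipsg_allows to a list of packets; return the verdict for each."""
    return ["forward" if ipsg_allows(p, **kw) else "drop" for p in packets]
```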
Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol (LLDP):
Configuring CDP
CDP is enabled by default. The no cdp run command disables CDP globally. The no cdp enable command disables CDP on an interface.
switch# show cdp neighbor
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay
Device ID   Local Intrfce   Holdtme   Capability   Platform     Port ID
c2960-8     Fas 0/8         108       S I          WS-C2960-8   Fas 0/8
Configuring LLDP
LLDP is disabled by default. The lldp run command enables LLDP globally. The lldp enable command enables LLDP on an interface.
switch(config)# lldp run
switch(config)# end
switch# show lldp neighbor
Capability codes:
    (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
    (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other
Device ID   Local Intf   Hold-time   Capability   Port ID
c2960-8     Fa0/8        120         B            Fa0/8
Total entries displayed: 1
CDP Vulnerabilities
Sequence / Description of Events
1. The system administrator uses CDP to view neighbor information.
2. An attacker uses a packet analyzer to intercept CDP traffic.
3. The attacker analyzes the information in the CDP packets to gain knowledge of network addressing and device information.
4. The attacker formulates attacks based on known vulnerabilities of the network platforms.
Configuring SSH
1. Configure a user with a password.
2. Configure the hostname and domain name.
3. Generate RSA keys.
4. Allow SSH transport on the vty lines.
switch(config)# username xyz password abc123
switch(config)# ip domain-name xyz.com
switch(config)# crypto key generate rsa
switch(config)# ip ssh version 2
switch(config)# line vty 0 15
switch(config-line)# login local
switch(config-line)# transport input ssh
access-list 100 permit ip 10.1.9.0 0.0.0.255 any
username xyz password abc123
ip domain-name xyz.com
crypto key generate rsa
no ip http server
ip http secure-server
ip http access-class 100
ip http authentication local
The AAA network-security services provide the primary framework through which you set up access control on a Cisco IOS switch. AAA is an architectural framework for configuring a set of three independent security functions in a consistent manner.
Authentication: identifies users before they access the network and network services.
Authentication provides a method for controlling:
- User identification
- Login and password dialog
- Challenge and response
- Messaging
- Encryption
All authentication methods, except for local, line password, and enable authentication, require the use of AAA.
Authorization
Authorization provides the method for remote access control. Remote access control includes:
- One-time authorization, or
- Authorization for each service on a per-user account list or user group basis.
Accounting
Accounting provides the method for collecting and sending security server information used for billing, auditing, and reporting. It includes:
- User identities
- Start and stop times
- Executed commands
- Number of packets
- Number of bytes
Configuring Authentication
A variety of login authentication methods is available. First use the aaa new-model command to initialize AAA. Use the aaa authentication login command to enable AAA login authentication. With the aaa authentication login command, configure one or more lists of authentication methods. The aaa authentication login {default | list-name} method1 [method2...] command defines the list name and the authentication methods in order, such as TACACS+ or RADIUS. The login authentication {default | list-name} line command applies the authentication list to an input line.
Always use a console connection to avoid locking yourself out of the router or switch through a misconfiguration.
When using Cisco Access Control Server (ACS) for Microsoft, without specific options.
When using Cisco ACS for Microsoft Windows, create a new network device by specifying the DNS name and IP address, and specify a key to be used for TACACS+.
Step 1. Access the switch using the console (out-of-band) connection. This enables you to troubleshoot and make changes in real time while testing the configuration.
Step 2. Enable AAA globally:
svs-san-3550-1(config)# aaa new-model
Switch(config)# aaa new-model
Switch(config)# aaa authorization commands [level] default if-authenticated group tacacs+
Switch(config)# line vty 0 4
Switch(config-line)# authorization commands [level] default
Switch(config)# aaa new-model
Switch(config)# aaa accounting exec default start-stop group tacacs+
Switch(config)# line vty 0 4
Switch(config-line)# accounting exec default
When configured for 802.1X port-based authentication, the port starts in the unauthorized state. While in this state, the port disallows all ingress and egress traffic except for 802.1X protocol packets.
802.1X Roles
- Client (or supplicant): The device that requests access to LAN and switch services and then responds to requests from the switch. The workstation must be running 802.1X-compliant client software.
- Authentication server: Performs the actual authentication of the client. The authentication server validates the identity of the client and notifies the switch whether the client is authorized to access the LAN and switch services. The RADIUS security system with EAP extensions is the only supported authentication server.
- Switch (or authenticator): Controls physical access to the network based on the authentication status of the client. The switch acts as an intermediary (proxy) between the client and the authentication server, requesting identifying information from the client, verifying that information with the authentication server, and relaying a response to the client.
The force-unauthorized keyword causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate. The switch cannot provide authentication services to the client through the interface. This configuration mode can be enabled to prevent user connections on unauthorized ports.
The auto keyword enables 802.1X port-based authentication and causes the port to begin in the unauthorized state, enabling only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port transitions from down to up (authenticator initiation) or when an EAPOL-start frame is received (supplicant initiation). The switch requests the identity of the client and begins relaying authentication messages between the client and the authentication server. The switch uniquely identifies each client attempting to access the network by using the client MAC address. This configuration mode can be used on ports that connect to an 802.1X client.
Step 3. Enter interface configuration mode and specify the interface to be enabled for 802.1X port-based authentication:
Switch(config)# interface type slot/port
sw(config)# aaa new-model
sw(config)# radius-server host 10.1.1.5 auth-port 1812 key xyz123
sw(config)# aaa authentication dot1x default group radius
sw(config)# dot1x system-auth-control
sw(config)# interface fa 0/1
sw(config-if)# description Access Port
sw(config-if)# switchport mode access
sw(config-if)# dot1x port-control auto
You should consider the policies of an organization when determining what level of security and what type of security should be implemented.
Restricting
Subnet 10.1.2.0/24 is used for accessing network devices for management purposes. This subnet does not carry user data traffic. Access to this subnet is limited to system administrators in the 10.1.3.0/24 subnet.
<output omitted>
interface Vlan?000
 description User LAN
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan?001
 description Management VLAN
 ip address 10.1.2.1 255.255.255.0
 ip access-group 100 in
!
interface Vlan?00
 description IT LAN
 ip address 10.1.3.1 255.255.255.0
!
access-list 100 permit ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 100 deny ip any any log
!
<output omitted>
Trimming and
- Disable CDP/LLDP on a per-interface basis. Run CDP/LLDP only for administrative purposes, such as on inter-switch connections and interfaces where IP phones reside.
- Confine CDP/LLDP deployment to run between devices under your control. Because CDP/LLDP is a link-level (Layer 2) protocol, it does not propagate end-to-end over a MAN or WAN unless a Layer 2 tunneling mechanism is in place. As a result, for MAN and WAN connections, CDP tables might include the service provider's next-hop router or switch and not the far-end router under your control.
- Do not run CDP/LLDP on any unsecured connection, such as Internet connections.
svs-san-msfc# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
svs-san-msfc(config)# no ip http server
svs-san-msfc(config)# end
Securing SNMP
Whenever possible, avoid using SNMP read-write features. SNMPv2c authentication consists of simple text strings that are communicated between devices in clear, unencrypted text. In most cases, a read-only community string is sufficient. To use SNMP securely, use SNMPv3 with an encrypted password and use an ACL to limit SNMP to trusted workstations and subnets only.
By default, specific models of Catalyst switches running Cisco IOS automatically negotiate trunking capabilities. This poses a security risk because the negotiation enables the introduction of an unauthorized trunk port into the network. If an unauthorized trunk port is used for traffic interception and to generate DoS attacks, the consequences can be far more serious than if only an access port is used. (A DoS attack on a trunk port might affect multiple VLANs, whereas a DoS attack on an access port affects only a single VLAN.) To prevent unauthorized trunks, disable automatic negotiation of trunking on host and access ports. In addition, remove unused VLANs from trunks manually or by using VTP.
Physical device access: Physical access to the switch should be closely monitored to avoid rogue device placement in wiring closets with direct access to switch ports.
Access port-based security: Specific measures should be taken on every access port of any switch placed into service. Ensure that a policy is in place outlining the configuration of unused switch ports in addition to those that are in use.
Chapter 6 Labs
Lab 6-1 Securing Layer 2 Switches
Lab 6-2 Securing Spanning Tree Protocol
Lab 6-3 Securing VLANs with Private VLANs, RACLs, and VACLs
Resources
Catalyst 3560 Command Reference:
www.cisco.com/en/US/partner/docs/switches/lan/catalyst3560/software/release/12.2_55_se/command/reference/3560_cr.html
Configuring DAI:
www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/swdynarp.html
Configuring EEM: