Chapter 6: Securing the Campus Infrastructure

CCNP SWITCH: Implementing IP Switching

Chapter 6. © 2007-2010, Cisco Systems, Inc. All rights reserved. Cisco Public

Chapter 6 Objectives

- Identify switch attacks and threats and the methods used to mitigate them.
- Configure switches to guard against MAC-based attacks.
- Configure tight control of VLAN trunk links to mitigate VLAN hopping attacks.
- Configure switches to guard against DHCP, MAC, and Address Resolution Protocol (ARP) threats.
- Secure Layer 2 devices and protocols.
- Develop and implement organizational security policies.
- Describe tools used to monitor and analyze network traffic.

Switch Security Fundamentals

Security Infrastructure Services

Unauthorized access from rogue devices (figure: rogue access points, switches, and servers attached to the campus network)

Layer 2 Attack Categories (1)

MAC layer attacks
  MAC address flooding
    Description: Frames with unique, invalid source MAC addresses flood the switch, exhausting content addressable memory (CAM) table space and preventing new entries from valid hosts. Traffic to valid hosts is subsequently flooded out all ports.
    Mitigation: Port security. MAC address VLAN access maps.

VLAN attacks
  VLAN hopping
    Description: By altering the VLAN ID on packets encapsulated for trunking, an attacking device can send or receive packets on various VLANs, bypassing Layer 3 security measures.
    Mitigation: Tighten up trunk configurations and the negotiation state of unused ports. Place unused ports in a common VLAN.
  Attacks between devices on a common VLAN
    Description: Devices might need protection from one another, even though they are on a common VLAN. This is especially true on service-provider segments that support devices from multiple customers.
    Mitigation: Implement private VLANs (PVLAN).

Layer 2 Attack Categories (2)

Spoofing attacks
  DHCP starvation and DHCP spoofing
    Description: An attacking device can exhaust the address space available to the DHCP servers for a period of time, or establish itself as a DHCP server in man-in-the-middle attacks.
    Mitigation: Use DHCP snooping.
  Spanning-tree compromises
    Description: The attacking device spoofs the root bridge in the STP topology. If successful, the network attacker can see a variety of frames.
    Mitigation: Proactively configure the primary and backup root devices. Enable root guard.
  MAC spoofing
    Description: The attacking device spoofs the MAC address of a valid host currently in the CAM table. The switch then forwards frames destined for the valid host to the attacking device.
    Mitigation: Use DHCP snooping, port security.
  Address Resolution Protocol (ARP) spoofing
    Description: The attacking device crafts ARP replies intended for valid hosts. The attacking device's MAC address then becomes the destination address found in the Layer 2 frames sent by the valid network device.
    Mitigation: Use Dynamic ARP Inspection (DAI), DHCP snooping, port security.

Layer 2 Attack Categories (3)

Switch device attacks
  Cisco Discovery Protocol (CDP) manipulation
    Description: Information sent through CDP is transmitted in clear text and unauthenticated, allowing it to be captured and to divulge network topology information.
    Mitigation: Disable CDP on all ports where it is not intentionally used.
  Secure Shell Protocol (SSH) and Telnet attacks
    Description: Telnet packets can be read in clear text. SSH is an option but has security issues in version 1.
    Mitigation: Use SSH version 2. Use Telnet with vty ACLs. Note that a vty ACL only restricts which source addresses may open a session; it does nothing to protect the credentials and commands that Telnet still carries in clear text.

Understanding and Protecting against MAC Layer Attacks

Understanding MAC Layer Attacks

Step 1. The switch forwards traffic based on valid MAC address table entries.
Step 2. The attacker (MAC address C) sends out multiple packets with various source MAC addresses.
Step 3. Over a short time period, the CAM table in the switch fills up until it cannot accept new entries. As long as the attack is running, the MAC address table on the switch remains full.
Step 4. The switch begins to flood all packets that it receives out of every port, so that frames sent from Host A to Host B are also flooded out of Port 3 on the switch, where the attacker captures them.

Protecting against MAC Layer Attacks

To prevent MAC address flooding, port security can be used. Configure port security to define the number of MAC addresses allowed on a given port. Port security can also specify which MAC addresses are allowed on a given port.

Port Security

Port security is a Cisco-proprietary feature on Catalyst switches. It restricts a switch port to a specific set or number of MAC addresses, which can be learned dynamically or configured statically. "Sticky learning" combines dynamically learned and statically configured addresses: dynamically learned addresses are converted to sticky secure addresses, as if they had been configured with the switchport port-security mac-address sticky interface command, and are written into the running configuration (they survive a reload only if the configuration is saved).

Port Security Scenario 1 (Slide 1)

Imagine five individuals whose laptops are allowed to connect to a specific switch port when they visit an area of the building. You want to restrict switch port access to the MAC addresses of those five laptops and allow no addresses to be learned dynamically on that port.

Port Security Scenario 1 (Slide 2)

Step 1. Configure port security.
  Notes: Configure port security to allow only five connections on that port. Configure an entry for each of the five allowed MAC addresses. This, in effect, populates the MAC address table with five entries for the port and allows no additional entries to be learned dynamically.
Step 2. Allowed frames are processed.
  Notes: When frames arrive on the switch port, their source MAC address is checked against the MAC address table. If the frame's source MAC address matches an entry in the table for that port, the frame is forwarded to the switch to be processed like any other frame.
Step 3. New addresses are not allowed to create new MAC address table entries.
  Notes: When a frame with a non-allowed MAC address arrives on the port, the switch determines that the address is not in the current MAC address table and does not create a dynamic entry for that new MAC address, because the number of allowed addresses has been limited.
Step 4. The switch takes action in response to non-allowed frames.
  Notes: The switch disallows access to the port and takes one of these configuration-dependent actions: (a) the entire switch port can be shut down (violation mode shutdown); (b) access can be denied for that MAC address only and a log error generated (restrict); (c) access can be denied for that MAC address without generating a log message (protect).

Port Security Scenario 2 (Slide 1)

An attacker runs a hacking tool on a rogue device to flood the switch CAM table with bogus MAC addresses, causing the MAC address table to fill up. When the MAC address table is full, the switch behaves like a hub and floods all unicast frames.

Port Security Scenario 2 (Slide 2)

Port security is configured on untrusted user ports. Enabling port security limits MAC flooding attacks and locks down the port. Port security also sends an SNMP trap alerting of any violation (in the restrict and shutdown modes; protect mode drops silently). Port security allows the frames from already secured MAC addresses below the maximum number of MAC addresses enabled on that port, and any frame with a new MAC address over the limit is dropped.

Configuring Port Security

The port must be a static access or trunk port (not DTP dynamic mode) before port security can be enabled. The default violation mode is shutdown, which leaves the port err-disabled until it is bounced with shutdown/no shutdown or an errdisable recovery timer brings it back.

Step 1. Enable port security:
  Switch(config-if)# switchport port-security

Step 2. Set the maximum number of MAC addresses that will be allowed on this port. The default is one:
  Switch(config-if)# switchport port-security maximum value

Step 3. Specify which MAC addresses will be allowed on this port (optional):
  Switch(config-if)# switchport port-security mac-address mac-address

Step 4. Define what action the interface will take if a non-allowed MAC address attempts access:
  Switch(config-if)# switchport port-security violation {shutdown | restrict | protect}
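The CAM-exhaustion mechanics from "Understanding MAC Layer Attacks" and the port-security behaviour configured in the four steps above, as an added Python simulation. This is not code from the course or from Cisco: the bridge model, the port names, the host MAC addresses and the deliberately tiny 64-entry table are constructed for the demonstration, and the model ignores MAC aging and VLANs.

```python
import random
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"
HOST_A, HOST_B = "00:00:00:00:00:0a", "00:00:00:00:00:0b"   # constructed hosts


def random_mac(rng):
    """Locally administered unicast MAC, the kind a flooding tool such as macof emits."""
    return ":".join(f"{o:02x}" for o in [0x02] + [rng.randrange(256) for _ in range(5)])


class Switch:
    """Transparent bridge with a bounded CAM table and per-port port security.
    Simplifications: entries never age out and all ports share one VLAN."""

    def __init__(self, ports, cam_capacity):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity
        self.cam = OrderedDict()   # source MAC -> ingress port
        self.port_security = {}    # port -> {"maximum", "violation", "secure"}
        self.err_disabled = set()
        self.log = []              # what syslog / an SNMP trap would carry

    def enable_port_security(self, port, maximum=1, violation="shutdown", static=()):
        # Mirrors: switchport port-security [maximum N] [mac-address M] [violation MODE]
        assert violation in ("protect", "restrict", "shutdown")
        self.port_security[port] = {"maximum": maximum, "violation": violation,
                                    "secure": set(static)}

    def _port_security_allows(self, port, src):
        ps = self.port_security.get(port)
        if ps is None or src in ps["secure"]:
            return True
        if len(ps["secure"]) < ps["maximum"]:
            ps["secure"].add(src)              # dynamically learned secure address
            return True
        # Violation: the frame is dropped in all three modes; the modes differ in side effects.
        if ps["violation"] == "shutdown":
            self.err_disabled.add(port)
            self.log.append(f"{port}: err-disabled, offending MAC {src}")
        elif ps["violation"] == "restrict":
            self.log.append(f"{port}: violation, offending MAC {src}")
        return False                           # "protect" drops without logging

    def receive(self, port, src, dst):
        """Switch one frame; return the set of egress ports (empty set if dropped)."""
        if port in self.err_disabled or not self._port_security_allows(port, src):
            return set()
        if src not in self.cam and len(self.cam) < self.cam_capacity:
            self.cam[src] = port               # a full table simply cannot learn new sources
        if dst in self.cam:
            return {self.cam[dst]}
        # Unknown unicast or broadcast: flood out every other active port.
        return {p for p in self.ports if p != port and p not in self.err_disabled}


def flood_attack(sw, attacker_port, n_frames, seed=1):
    """Replay n_frames with fresh random source MACs from the attacker's port."""
    rng = random.Random(seed)
    for _ in range(n_frames):
        sw.receive(attacker_port, random_mac(rng), BROADCAST)


def scenario(with_port_security):
    """Host A on Fa0/1, host B on Fa0/2, attacker on Fa0/3. A real CAM holds thousands of
    entries; 64 keeps the demo short, the effect is the same."""
    sw = Switch(ports=["Fa0/1", "Fa0/2", "Fa0/3"], cam_capacity=64)
    if with_port_security:
        sw.enable_port_security("Fa0/3", maximum=1, violation="shutdown")
    flood_attack(sw, "Fa0/3", n_frames=500)
    sw.receive("Fa0/1", HOST_A, HOST_B)      # B is still unknown, so this floods either way
    b_to_a = sw.receive("Fa0/2", HOST_B, HOST_A)
    return {
        "cam_entries": len(sw.cam),
        "attacker_err_disabled": "Fa0/3" in sw.err_disabled,
        "b_to_a_egress": sorted(b_to_a),       # unicast to Fa0/1 only if A could be learned
        "attacker_sees_b_to_a": "Fa0/3" in b_to_a,
    }


if __name__ == "__main__":
    for secured in (False, True):
        print("port security" if secured else "no port security", scenario(secured))
```

Without port security the 500 bogus sources fill the table before the hosts speak, Host A can never be learned, and the reply from B to A is flooded to the attacker's port. With maximum 1 and violation shutdown on Fa0/3 the second bogus source err-disables the port, the table stays nearly empty, and B's reply is unicast to Fa0/1 only.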


Port Security Example

4503(config)# interface FastEthernet 3/47
4503(config-if)# switchport
4503(config-if)# switchport mode access
4503(config-if)# switchport port-security
4503(config-if)# switchport port-security mac-address 0000.0000.0008
4503(config-if)# switchport port-security maximum 1
4503(config-if)# switchport port-security aging time 2
4503(config-if)# switchport port-security aging static
4503(config-if)# switchport port-security violation restrict
4503(config)# interface FastEthernet 2/2
4503(config-if)# switchport
4503(config-if)# switchport mode access
4503(config-if)# switchport port-security
4503(config-if)# switchport port-security mac-address 0000.0000.1118
4503(config-if)# switchport port-security maximum 1
4503(config-if)# switchport port-security aging time 2
4503(config-if)# switchport port-security aging static
4503(config-if)# switchport port-security violation shutdown

Verifying Port Security (1)

The show port-security command can be used to verify the ports on which port security has been enabled. It also displays count information and the security action to be taken per interface.

switch# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1          1            1                0               Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6144

Verifying Port Security (2)

switch# show port-security interface fastethernet 0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 60 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Enabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 001b.d513.2ad2:5
Security Violation Count   : 0

switch# show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type            Ports   Remaining Age
                                                     (mins)
----    -----------       ----            -----   -------------
   5    001b.d513.2ad2    SecureDynamic   Fa0/1        60 (I)
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6144

Configuring Port Security with Sticky MAC Addresses

switch# show running-config interface fastethernet 0/1
interface FastEthernet0/1
 switchport access vlan 5
 switchport mode access
 switchport port-security maximum 1
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 001b.d513.2ad2

switch# show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type            Ports   Remaining Age
                                                     (mins)
----    -----------       ----            -----   -------------
   5    001b.d513.2ad2    SecureSticky    Fa0/1        -

Blocking Unicast Flooding

Cisco Catalyst switches can restrict flooding of unknown multicast MAC-addressed traffic on a per-port basis, in addition to restricting flooding of unknown unicast destination MAC addresses. Apply this on ports that face a single end host: the host still receives frames once the switch has learned its MAC address from the host's own traffic, but a host that never transmits would become unreachable.

4503# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
4503(config)# interface FastEthernet 3/22
4503(config-if)# switchport block unicast
4503(config-if)# switchport block multicast

Understanding and Protecting against VLAN Attacks

VLAN Hopping

Two forms: switch spoofing and double tagging.

VLAN Hopping - Switch Spoofing (1)

An attacker can send a malicious DTP frame. Upon receiving the frame, the switch would form a trunk port, which would then give the attacker access to all the VLANs on the trunk. The attacker's port becomes a trunk port, and the attacker can attack a victim in any VLAN carried on the trunk. This only works while the port is left in a DTP negotiating mode (dynamic auto or dynamic desirable, the factory default on many Catalyst models).

VLAN Hopping - Switch Spoofing (2)

In another type of switch spoofing attack, the network attacker connects an unauthorized Cisco switch to the switch port. The unauthorized switch can send DTP frames and form a trunk. The attacker has access to all the VLANs through the trunk and can attack a victim in any VLAN.

VLAN Hopping - Double Tagging

Step 1. The attacker (on native VLAN 10) sends a frame with two 802.1Q headers to Switch 1.
Step 2. Switch 1 strips the outer tag, because it matches the native VLAN of the trunk, and forwards the frame to all ports within the same native VLAN. On the trunk the frame is sent untagged, which leaves the inner tag exposed as if it were the only tag.
Step 3. Switch 2 interprets the frame according to the information in the inner tag, marked with VLAN ID 20.
Step 4. Switch 2 forwards the frame out all ports associated with VLAN 20, including trunk ports.

The attack is one-way (the attacker can inject frames into VLAN 20 but gets no replies) and it only works when the attacker's access VLAN is also the native VLAN of the trunk.

Mitigating VLAN Hopping Attacks

- Configure all unused ports as access ports so that trunking cannot be negotiated across those links.
- Place all unused ports in the shutdown state and associate them with a VLAN designed for only unused ports, carrying no user data traffic.
- When establishing a trunk link, purposefully configure arguments to achieve the following results:
  - The native VLAN is different from any data VLANs.
  - Trunking is set up as On or Nonegotiate rather than negotiated.
  - The specific VLAN range is carried on the trunk. This ensures that the native VLAN will be pruned along with any other VLANs not explicitly allowed on the trunk.
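The double-tagging steps and the three trunk settings above, as an added Python model of what each switch does to the 802.1Q tags. This is not code from the course or from Cisco. The attacker MAC is constructed, and the access-port behaviour (a frame tagged with the port's own access VLAN is accepted and that tag stripped) is an assumption that matches the attack narrative on the page; the trunk rules (native VLAN untagged unless vlan dot1q tag native, VLANs outside the allowed list pruned) are standard 802.1Q trunk behaviour.

```python
import struct

ETH_P_8021Q, ETH_P_IP = 0x8100, 0x0800
BROADCAST = "ff:ff:ff:ff:ff:ff"
ATTACKER_MAC = "02:00:00:00:00:99"   # constructed


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst, src, vids, payload):
    """Ethernet frame carrying the given 802.1Q tags, outermost first (PCP/DEI left at 0)."""
    tags = b"".join(struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF) for vid in vids)
    return mac_bytes(dst) + mac_bytes(src) + tags + struct.pack("!H", ETH_P_IP) + payload


def pop_tag(frame):
    """Return (vid, frame without its outer tag), or (None, frame) if it is untagged."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_8021Q:
        return None, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vid) + frame[12:]


def access_ingress(frame, access_vlan):
    """Access port on switch 1 (assumption, see lead-in): untagged frames belong to the
    access VLAN, a frame tagged with the access VLAN itself is accepted and the tag removed,
    any other tag is dropped."""
    vid, inner = pop_tag(frame)
    if vid is None:
        return access_vlan, frame
    return (access_vlan, inner) if vid == access_vlan else (None, None)


def trunk_egress(vlan, frame, native, allowed, tag_native):
    """802.1Q trunk egress: native-VLAN frames leave untagged unless 'vlan dot1q tag native'
    is in effect; VLANs outside 'switchport trunk allowed vlan' are pruned."""
    if vlan not in allowed:
        return None
    if vlan == native and not tag_native:
        return frame
    return push_tag(frame, vlan)


def trunk_ingress(frame, native, allowed):
    """Trunk ingress on switch 2: an untagged frame is assigned to the native VLAN,
    a tagged frame to the VID in its outer tag."""
    vid, inner = pop_tag(frame)
    if vid is None:
        return (native, frame) if native in allowed else (None, None)
    return (vid, inner) if vid in allowed else (None, None)


def double_tag(attacker_vlan, target_vlan, native, allowed, tag_native=False):
    """VLAN in which switch 2 forwards the attacker's double-tagged frame, or None if dropped."""
    frame = build_frame(BROADCAST, ATTACKER_MAC, [attacker_vlan, target_vlan], b"payload")
    vlan1, f1 = access_ingress(frame, attacker_vlan)
    if vlan1 is None:
        return None
    wire = trunk_egress(vlan1, f1, native, allowed, tag_native)
    if wire is None:
        return None
    vlan2, _ = trunk_ingress(wire, native, allowed)
    return vlan2


if __name__ == "__main__":
    print("native = attacker VLAN     ->", double_tag(10, 20, native=10, allowed={10, 20}))
    print("unused native VLAN 999     ->", double_tag(10, 20, native=999, allowed={10, 20}))
    print("vlan dot1q tag native      ->", double_tag(10, 20, native=10, allowed={10, 20}, tag_native=True))
    print("native pruned from trunk   ->", double_tag(10, 20, native=10, allowed={20}))
```

Only the first case lands in VLAN 20. Moving the native VLAN to an unused ID, tagging the native VLAN, or pruning it from the allowed list each keeps the frame in the attacker's own VLAN 10 (or drops it), which is exactly what the three trunk settings above achieve.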


Catalyst Multilayer Switch ACL Types

- Router access control lists (RACL): Applied to Layer 3 interfaces such as SVIs or Layer 3 routed ports.
- Port access control lists (PACL): Applied on a Layer 2 switch port, trunk port, or EtherChannel port.
- VACLs: Also known as VLAN access maps, apply to all traffic in a VLAN, including traffic bridged between hosts in the same VLAN, which a RACL never sees.

Configuring VACLs (1)

Three ACL actions are permitted with VACLs:
- Permit (action forward; with capture, Catalyst 6500 only)
- Redirect (Catalyst 6500 only)
- Deny (action drop; with logging, Catalyst 6500 only)

Configuring VACLs (2)

Step 1. Define a VLAN access map:
  Switch(config)# vlan access-map map_name [seq#]

Step 2. Configure a match clause (an IP ACL or a MAC ACL defined beforehand):
  Switch(config-access-map)# match {ip address {acl_number | acl_name} | mac address acl_name}

Step 3. Configure an action clause:
  Switch(config-access-map)# action {drop [log]} | {forward [capture]} | {redirect {{fastethernet | gigabitethernet | tengigabitethernet} slot/port} | {port-channel channel_id}}

Step 4. Apply the map to VLANs:
  Switch(config)# vlan filter map_name vlan-list list

Step 5. Verify the VACL configuration:
  Switch# show vlan access-map map_name
  Switch# show vlan filter [access-map map_name | vlan vlan_id]

A packet that matches no sequence of the access map is dropped, so a map that is meant to filter only some traffic needs a final sequence with action forward and no match clause.

Configuring VACLs (3)

Test VACL: configured to drop all traffic from the network 10.1.9.0/24 on VLANs 10 and 20 and to drop all traffic to the backup server 0000.1111.4444. Everything else is forwarded by sequence 30.

switch(config)# access-list 100 permit ip 10.1.9.0 0.0.0.255 any
switch(config)# mac access-list extended BACKUP_SERVER
switch(config-ext-mac)# permit any host 0000.1111.4444
switch(config)# vlan access-map XYZ 10
switch(config-access-map)# match ip address 100
switch(config-access-map)# action drop
switch(config-access-map)# vlan access-map XYZ 20
switch(config-access-map)# match mac address BACKUP_SERVER
switch(config-access-map)# action drop
switch(config-access-map)# vlan access-map XYZ 30
switch(config-access-map)# action forward
switch(config)# vlan filter XYZ vlan-list 10,20

Understanding and Protecting against Spoofing Attacks

Catalyst Integrated Security Features

- Dynamic ARP Inspection (DAI) adds security to ARP by using the DHCP snooping table to minimize the impact of ARP poisoning and spoofing attacks.
- IP Source Guard (IPSG) prevents IP address spoofing by using the DHCP snooping table.
- Port security prevents MAC flooding attacks.
- DHCP snooping prevents client attacks on the DHCP server and switch.

DHCP Spoofing Attack

One of the ways that an attacker can gain access to network traffic is to spoof responses that would be sent by a valid DHCP server. The DHCP spoofing device replies to client DHCP requests. The legitimate server can reply also, but if the spoofing device is on the same segment as the client, its reply to the client might arrive first. The intruder's DHCP reply offers an IP address and supporting information that designates the intruder as the default gateway or DNS server.

For a gateway, the clients then forward packets to the attacking device, which in turn sends them to the desired destination. This is referred to as a man-in-the-middle attack, and it can go entirely undetected as the intruder intercepts the data flow through the network.

DHCP Spoofing Attack - Scenario 1

In the first scenario, an attacker launches a DoS attack by sending thousands of DHCP requests, each carrying a different client hardware address. The DHCP server has no way to determine whether a request is genuine and therefore may end up exhausting all available IP addresses (DHCP starvation). A legitimate client then cannot obtain an IP address via DHCP. Port security stops the variant in which the attacker also changes the source MAC of every frame; if only the chaddr field inside the DHCP message varies, it is the DHCP snooping verify mac-address check, which compares chaddr with the frame's source MAC, that catches it.

DHCP Spoofing Attack - Scenario 2

A second scenario occurs when the attacker connects a DHCP server to the network and takes on the role of the DHCP server for that segment. This lets the intruder hand out false DHCP information for the default gateway and domain name servers, pointing clients to the attacker's machine. The attacker thereby becomes a man in the middle and gains access to confidential information, such as username and password pairs, while the end user is unaware of the attack.

DHCP Snooping

DHCP snooping is a Cisco Catalyst feature that determines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted. A trusted port may source any DHCP message; an untrusted port may source only client messages, so server messages (DHCPOFFER, DHCPACK, DHCPNAK) arriving on an untrusted port are dropped. From the exchanges it sees on untrusted ports the switch also builds a binding table (MAC address, IP address, lease, VLAN, interface), which DAI and IP Source Guard then use.

Configuring DHCP Snooping

Step 1. Enable DHCP snooping globally:
  Switch(config)# ip dhcp snooping
Step 2. Enable DHCP Option 82:
  Switch(config)# ip dhcp snooping information option
Step 3. Configure DHCP server interfaces or uplink ports as trusted:
  Switch(config-if)# ip dhcp snooping trust
Step 4. Configure the number of DHCP packets per second (pps) that are acceptable on the port:
  Switch(config-if)# ip dhcp snooping limit rate rate
Step 5. Enable DHCP snooping on specific VLANs:
  Switch(config)# ip dhcp snooping vlan number [number]
Step 6. Verify the configuration:
  Switch# show ip dhcp snooping

Snooping is not active on a VLAN until both the global command (Step 1) and the per-VLAN command (Step 5) are present. With Option 82 insertion enabled, the switch adds the option to client requests while leaving the giaddr field at 0.0.0.0; some DHCP servers reject such requests, so if clients stop getting leases after snooping is turned on, disabling the Option 82 insertion is the first thing to check. A port whose rate limit is exceeded is err-disabled.

DHCP Snooping Configuration Example

switch(config)# ip dhcp snooping
switch(config)# ip dhcp snooping information option
switch(config)# ip dhcp snooping vlan 10,20
switch(config)# interface fastethernet 0/1
switch(config-if)# description Access Port
switch(config-if)# ip dhcp snooping limit rate 5
switch(config)# interface fastethernet 0/24
switch(config-if)# description Uplink
switch(config-if)# switchport mode trunk
switch(config-if)# switchport trunk allowed vlan 10,20
switch(config-if)# ip dhcp snooping trust
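The enforcement that the configuration above turns on (server messages refused on untrusted ports, the per-port rate limit with err-disable, the chaddr check, and the binding table built from completed leases), as an added Python model. This is not code from the course or from Cisco. DHCP messages are reduced to the few fields snooping acts on rather than parsed from BOOTP bytes, and all MAC addresses, ports, lease values and the traffic sequence in demo() are constructed.

```python
from collections import namedtuple

# Only the DHCP fields snooping acts on; a real implementation reads the BOOTP header
# (chaddr, yiaddr, xid) and option 53 (message type).
Dhcp = namedtuple("Dhcp", "msg_type chaddr yiaddr xid lease")
Frame = namedtuple("Frame", "port vlan src_mac dhcp")
Binding = namedtuple("Binding", "mac ip vlan port expires")
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


class DhcpSnooping:
    """Models 'ip dhcp snooping' on one switch: trusted/untrusted ports, per-port rate
    limiting with err-disable, the verify mac-address check, and the binding table."""

    def __init__(self, vlans, trusted_ports, rate_limit_pps, verify_mac=True):
        self.vlans, self.trusted = set(vlans), set(trusted_ports)
        self.rate_limit = dict(rate_limit_pps)   # port -> pps (ip dhcp snooping limit rate)
        self.verify_mac = verify_mac             # ip dhcp snooping verify mac-address
        self.bindings = {}                       # (vlan, mac) -> Binding
        self.pending = {}                        # xid -> (port, vlan, mac) awaiting an ACK
        self.err_disabled, self.drops = set(), []
        self._window = {}                        # port -> (second, packets seen in it)

    def _over_rate(self, port, now):
        sec, count = self._window.get(port, (int(now), 0))
        if sec != int(now):
            sec, count = int(now), 0
        count += 1
        self._window[port] = (sec, count)
        limit = self.rate_limit.get(port)
        return limit is not None and count > limit

    def process(self, f, now):
        """Return 'forward' or 'drop' for one DHCP frame, updating state as the switch would."""
        if f.vlan not in self.vlans:
            return "forward"                     # snooping not enabled on this VLAN
        if f.port in self.err_disabled:
            return "drop"
        d = f.dhcp
        if f.port in self.trusted:
            # Server replies are only believed from trusted ports; an ACK completes a binding.
            if d.msg_type == "ACK" and d.xid in self.pending:
                port, vlan, mac = self.pending.pop(d.xid)
                self.bindings[(vlan, mac)] = Binding(mac, d.yiaddr, vlan, port, now + d.lease)
            return "forward"
        if self._over_rate(f.port, now):
            self.err_disabled.add(f.port)
            self.drops.append((f.port, "rate limit exceeded, port err-disabled"))
            return "drop"
        if d.msg_type in SERVER_MESSAGES:
            self.drops.append((f.port, f"{d.msg_type} from untrusted port"))   # rogue server
            return "drop"
        if self.verify_mac and d.chaddr != f.src_mac:
            self.drops.append((f.port, "chaddr does not match frame source MAC"))
            return "drop"
        self.pending[d.xid] = (f.port, f.vlan, d.chaddr)
        return "forward"


def demo():
    """Constructed traffic: a legitimate lease on Fa0/1, a rogue server on Fa0/2 and a
    starvation attempt on Fa0/3; uplink Fa0/24 is trusted, access ports allow 5 pps."""
    snoop = DhcpSnooping(vlans={10}, trusted_ports={"Fa0/24"},
                         rate_limit_pps={"Fa0/1": 5, "Fa0/2": 5, "Fa0/3": 5})
    client, server, rogue = "00:01:00:01:00:01", "00:aa:00:aa:00:aa", "02:bb:00:bb:00:bb"

    def fr(port, src, msg, chaddr, yiaddr=None, xid=0, lease=0):
        return Frame(port, 10, src, Dhcp(msg, chaddr, yiaddr, xid, lease))

    t, r = 1000.0, {}
    r["discover"] = snoop.process(fr("Fa0/1", client, "DISCOVER", client, xid=0x1111), t)
    r["offer"] = snoop.process(fr("Fa0/24", server, "OFFER", client, "10.10.10.1", 0x1111, 86400), t)
    r["request"] = snoop.process(fr("Fa0/1", client, "REQUEST", client, xid=0x1111), t)
    r["ack"] = snoop.process(fr("Fa0/24", server, "ACK", client, "10.10.10.1", 0x1111, 86400), t)
    r["rogue_offer"] = snoop.process(fr("Fa0/2", rogue, "OFFER", client, "10.10.10.200", 0x1111, 86400), t)
    r["forged_chaddr"] = snoop.process(fr("Fa0/3", rogue, "DISCOVER", "02:00:00:00:00:01", xid=0x3333), t)
    burst = [snoop.process(fr("Fa0/3", rogue, "DISCOVER", rogue, xid=0x4000 + i), t + 1)
             for i in range(8)]
    r["burst_forwarded"] = burst.count("forward")
    r["fa0_3_err_disabled"] = "Fa0/3" in snoop.err_disabled
    r["binding"] = snoop.bindings.get((10, client))
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:20s} {v}")
```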

Verifying the DHCP Snooping Configuration

switch# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10,20
DHCP snooping is operational on following VLANs:
10,20
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: 001a.e372.ab00 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
FastEthernet0/1            no         no              5
FastEthernet0/24           yes        yes             unlimited

ARP Spoofing Attack

Step 1. Host A sends an ARP request for C's MAC address.
Step 2. Router C replies with its MAC and IP addresses. C also updates its ARP cache.
Step 3. Host A binds C's MAC address to C's IP address in its ARP cache.
Step 4. Host B (attacker) sends an ARP message binding B's MAC address to C's IP address.
Step 5. Host A updates its ARP cache with B's MAC address bound to C's IP address.
Step 6. Host B sends an ARP message binding B's MAC address to A's IP address.
Step 7. Router C updates its ARP cache with B's MAC address bound to A's IP address.
Step 8. Packets between A and C are diverted through the attacker (B).

Preventing ARP Spoofing through Dynamic ARP Inspection (DAI)

DAI takes these actions:
- Forwards ARP packets received on a trusted interface without any checks.
- Intercepts all ARP packets on untrusted ports.
- Verifies that each intercepted packet has a valid IP-to-MAC address binding before forwarding packets that can update the local ARP cache.
- Drops and logs ARP packets with invalid IP-to-MAC address bindings.

DAI determines the validity of an ARP packet based on the MAC-address-to-IP-address binding database built by DHCP snooping. Hosts with static addresses have no DHCP binding, so they need a static ip source binding entry or an ARP ACL applied to the VLAN; otherwise DAI drops their ARP traffic.

DAI Recommended Configuration

DAI can also be used to rate limit ARP packets (15 pps by default on untrusted ports) and then errdisable the interface if the rate is exceeded. The figure here shows the recommended DAI configuration: DHCP snooping and DAI enabled on the same VLANs, inter-switch links trusted, and host-facing access ports left untrusted.

DAI Commands

Switch(config)# ip arp inspection vlan vlan_id [vlan_id]
  Enables DAI on a VLAN or range of VLANs.
Switch(config-if)# ip arp inspection trust
  Sets the interface as a DAI trusted interface; ARP packets arriving on it are forwarded without inspection.
Switch(config)# ip arp inspection validate {[src-mac] [dst-mac] [ip]}
  Configures DAI to drop ARP packets when the IP addresses are invalid (0.0.0.0, 255.255.255.255, multicast), or when the MAC addresses in the body of the ARP packets do not match the addresses in the Ethernet header (src-mac for the sender, dst-mac for the target of a reply).
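The inspection these commands enable, as an added Python implementation that parses raw ARP frames and applies the binding check plus the three optional validations. This is not code from the course or from Cisco. The hosts, IP addresses and ports are taken from the DAI scenario that follows on this page (host 1 at 10.10.10.1, host 2 at 10.10.10.2, VLAN 10, uplink Gi1/1); the attacker's MAC address and the frames in demo() are constructed.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST, NULL_MAC = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"


def mac_bytes(m):
    return bytes.fromhex(m.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Ethernet II frame carrying an ARP packet (htype 1, ptype IPv4, hlen 6, plen 4)."""
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac_bytes(sha) + ip_bytes(spa)
           + mac_bytes(tha) + ip_bytes(tpa))
    return mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETH_P_ARP) + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not an ARP frame."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    return {"eth_dst": mac_str(frame[0:6]), "eth_src": mac_str(frame[6:12]),
            "op": struct.unpack("!H", frame[20:22])[0],
            "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
            "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42])}


def unexpected_ip(ip):
    """Addresses that 'ip arp inspection validate ip' rejects."""
    return ip in ("0.0.0.0", "255.255.255.255") or 224 <= int(ip.split(".")[0]) <= 239


class Dai:
    def __init__(self, bindings, trusted_ports, validate=()):
        self.bindings = dict(bindings)        # (vlan, ip) -> mac, as built by DHCP snooping
        self.trusted = set(trusted_ports)     # ip arp inspection trust
        self.validate = set(validate)         # any of "src-mac", "dst-mac", "ip"
        self.log = []

    def inspect(self, port, vlan, frame):
        """Return 'forward' or 'drop' for one frame arriving on (port, vlan)."""
        if port in self.trusted:
            return "forward"                   # trusted interface: no checks at all
        a = parse_arp(frame)
        if a is None:
            return "forward"                   # DAI only intercepts ARP
        reason = None
        if "src-mac" in self.validate and a["eth_src"] != a["sha"]:
            reason = "sender MAC differs from Ethernet source"
        elif "dst-mac" in self.validate and a["op"] == ARP_REPLY and a["eth_dst"] != a["tha"]:
            reason = "target MAC differs from Ethernet destination"
        elif "ip" in self.validate and (unexpected_ip(a["spa"]) or
                                        (a["op"] == ARP_REPLY and unexpected_ip(a["tpa"]))):
            reason = "invalid IP address in ARP body"
        elif self.bindings.get((vlan, a["spa"])) != a["sha"]:
            reason = "no IP-to-MAC binding for sender"     # the core DAI check
        if reason is None:
            return "forward"
        kind = "Req" if a["op"] == ARP_REQUEST else "Res"
        self.log.append(f"Invalid ARP ({kind}) on {port}, vlan {vlan}: "
                        f"{a['sha']}/{a['spa']}: {reason}")
        return "drop"


# Host 1 and host 2 from the page's scenario; the attacker MAC is constructed.
HOST1, HOST2, ATTACKER = "00:01:00:01:00:01", "00:02:00:02:00:02", "02:66:00:66:00:66"
BINDINGS = {(10, "10.10.10.1"): HOST1, (10, "10.10.10.2"): HOST2}


def demo():
    dai = Dai(BINDINGS, trusted_ports={"Gi1/1"}, validate={"src-mac", "ip"})
    legit = build_arp(BROADCAST, HOST1, ARP_REQUEST, HOST1, "10.10.10.1", NULL_MAC, "10.10.10.2")
    # Attacker on Fa2/3 tells host 1 that 10.10.10.2 lives at the attacker's MAC (poisoning).
    poison = build_arp(HOST1, ATTACKER, ARP_REPLY, ATTACKER, "10.10.10.2", HOST1, "10.10.10.1")
    # ARP body claims to be host 2, but the Ethernet source is the attacker.
    mismatch = build_arp(BROADCAST, ATTACKER, ARP_REQUEST, HOST2, "10.10.10.2", NULL_MAC, "10.10.10.1")
    bogus_ip = build_arp(BROADCAST, HOST1, ARP_REQUEST, HOST1, "0.0.0.0", NULL_MAC, "10.10.10.2")
    return {
        "legit": dai.inspect("Fa2/1", 10, legit),
        "poison": dai.inspect("Fa2/3", 10, poison),
        "src_mac_mismatch": dai.inspect("Fa2/3", 10, mismatch),
        "bogus_ip": dai.inspect("Fa2/1", 10, bogus_ip),
        "poison_on_trusted_uplink": dai.inspect("Gi1/1", 10, poison),
        "log_entries": len(dai.log),
    }
```

The last case is worth noticing: the same poisoned reply is forwarded untouched when it arrives on a trusted port, which is why only inter-switch links and the DHCP server port should be trusted.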


DAI Scenario with Catalyst Switches (1)

Host 1 is connected to Switch A and Host 2 is connected to Switch B, both in VLAN 10. The DHCP server is connected to Switch A. DHCP snooping is enabled on Switch A and Switch B as a prerequisite for DAI. The inter-switch links are configured as DAI trusted ports, and the user ports remain in the default untrusted state.

DAI Scenario with Catalyst Switches (2)

SwitchA# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SwitchA(config)# ip arp inspection vlan 10
SwitchA(config)# interface gigabitEthernet 1/1
SwitchA(config-if)# ip arp inspection trust
SwitchA(config-if)# end
SwitchB# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SwitchB(config)# ip arp inspection vlan 10
SwitchB(config)# interface gigabitEthernet 1/1
SwitchB(config-if)# ip arp inspection trust
SwitchB(config-if)# end

DAI Scenario with Catalyst Switches (3)

SwitchA# show ip arp inspection interfaces
 Interface        Trust State     Rate (pps)    Burst Interval
 ---------------  -----------     ----------    --------------
 Gi1/1            Trusted         None          N/A
 Gi1/2            Untrusted       15            1
 Fa2/1            Untrusted       15            1
 Fa2/2            Untrusted       15            1

DAI Scenario with Catalyst Switches (4)

SwitchA# show ip arp inspection vlan 10
Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled
 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
   10     Enabled          Active
 Vlan     ACL Logging      DHCP Logging
 ----     -----------      ------------
   10     Deny             Deny

DAI Scenario with Catalyst Switches (5)

SwitchA# show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:01:00:01:00:01   10.10.10.1       4995        dhcp-snooping  10    FastEthernet2/1

DAI Scenario with Catalyst Switches (6)

SwitchB# show ip arp inspection interfaces
 Interface        Trust State     Rate (pps)    Burst Interval
 ---------------  -----------     ----------    --------------
 Gi1/1            Trusted         None          N/A
 Gi1/2            Untrusted       15            1
 Fa2/1            Untrusted       15            1
 Fa2/2            Untrusted       15            1
 Fa2/3            Untrusted       15            1
 Fa2/4            Untrusted       15            1
[output omitted]

DAI Scenario with Catalyst Switches (7)

SwitchB# show ip arp inspection vlan 10
Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled
 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
   10     Enabled          Active
 Vlan     ACL Logging      DHCP Logging
 ----     -----------      ------------
   10     Deny             Deny

DAI Scenario with Catalyst Switches (8)

SwitchB# show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:02:00:02:00:02   10.10.10.2       4995        dhcp-snooping  10    FastEthernet2/2

DAI Scenario with Catalyst Switches (9)

If an attacker connects to Switch B and tries to send a bogus ARP request, Switch B will detect it and drop the ARP request packet. Switch B can also errdisable the port and send a log message to alert the administrator. DAI discards any ARP packets with invalid MAC-address-to-IP-address bindings. An error message is displayed on the switch when a security violation occurs:

02:46:49: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa3/3, vlan 10.([0001.0001.0001/10.10.10.1/0000.0000.0000/0.0.0.0/09:23:24 UTC Thu Nov 27 2003])

The bracketed fields are the sender MAC, sender IP, target MAC and target IP of the rejected ARP packet, followed by the time it was seen.

IP Spoofing and IP Source Guard

An attacker impersonates a legitimate host on the network by forging the victim's IP address. IP Source Guard (IPSG) prevents a malicious host from attacking the network with an IP address that is not its own.
- IPSG provides per-port traffic filtering of the assigned source IP.
- IPSG dynamically maintains per-port ACLs based on IP-to-MAC-to-switch-port bindings.
- IPSG is typically deployed for untrusted ports at the access layer.
- IPSG works closely with DHCP snooping.

IP Source Guard Operations

IPSG can be enabled on a DHCP snooping untrusted Layer 2 port to prevent IP spoofing. Initially, all IP traffic on the port is blocked except for DHCP packets captured by the DHCP snooping process. Once a binding exists, the client's IP traffic is restricted to the source IP addresses configured in the binding; any IP traffic with a source IP address other than the one in the IP source binding is filtered out. This filtering limits a host's capability to attack the network by claiming a neighbor host's IP address.

Configuring IP Source Guard

Step 1. Enable DHCP snooping globally:
  Switch(config)# ip dhcp snooping
Step 2. Enable DHCP snooping on the VLANs:
  Switch(config)# ip dhcp snooping vlan number [number]
Step 3. Enable IPSG on the untrusted port, filtering on the source IP only, or on the source IP and MAC together (the latter requires port security on the port):
  Switch(config-if)# ip verify source vlan dhcp-snooping
  or
  Switch(config-if)# ip verify source vlan dhcp-snooping port-security
Step 4. Rate-limit frames whose source MAC fails the port-security check:
  Switch(config-if)# switchport port-security limit rate invalid-source-mac N
Step 5. Add a static binding for a host that does not use DHCP:
  Switch(config)# ip source binding mac-address vlan vlan-id ip-address interface interface-id

The ip verify source vlan dhcp-snooping form is Catalyst 4500 syntax; on Catalyst 3560/3750 switches the command is ip verify source [port-security] without the vlan keyword.
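The per-port filter these steps build, as an added Python model that parses Ethernet/IPv4 frames and applies the binding table in both filter modes (source IP only, or IP plus MAC). This is not code from the course or from Cisco. The workstation and server addresses, VLANs and ports are those of the IPSG scenario that follows on this page; the attacker's MAC, the gateway MAC and the frames in demo() are constructed, and the IPv4 checksum is left at zero because the filter never looks at it.

```python
import struct
from collections import namedtuple

ETH_P_IP, PROTO_TCP, PROTO_UDP = 0x0800, 6, 17
Binding = namedtuple("Binding", "mac ip vlan port")


def mac_bytes(m):
    return bytes.fromhex(m.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def build_ipv4(eth_dst, eth_src, src_ip, dst_ip, proto=PROTO_TCP, l4=b""):
    """Ethernet II + minimal IPv4 header (no options, checksum 0) for the demo."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    return mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETH_P_IP) + ip + l4


def udp_header(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)


def parse_ipv4(frame):
    """Return (src_mac, src_ip, udp_ports_or_None) for an IPv4 frame, else None."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src_mac = ":".join(f"{x:02x}" for x in frame[6:12])
    src_ip = ".".join(str(x) for x in frame[26:30])
    udp = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4]) if frame[23] == PROTO_UDP else None
    return src_mac, src_ip, udp


class IpSourceGuard:
    """Per-port source filter derived from the binding table. Mode 'ip' checks the source IP
    only ('ip verify source'); mode 'ip-mac' also checks the source MAC ('... port-security')."""

    def __init__(self, bindings=()):
        self.bindings = list(bindings)       # DHCP snooping entries plus static 'ip source binding'
        self.mode = {}                       # port -> "ip" | "ip-mac"

    def enable(self, port, mode="ip"):
        self.mode[port] = mode

    def add_binding(self, binding):
        self.bindings.append(binding)

    def filter(self, port, vlan, frame):
        """Return 'forward' or 'drop' for one frame received on (port, vlan)."""
        mode = self.mode.get(port)
        if mode is None:
            return "forward"                 # IPSG not enabled on this port
        parsed = parse_ipv4(frame)
        if parsed is None:
            return "forward"                 # non-IP traffic is outside IPSG's scope
        src_mac, src_ip, udp = parsed
        if udp == (68, 67):
            return "forward"                 # DHCP client traffic passes so a lease can be obtained
        for b in self.bindings:              # the per-port ACL: only bound (ip[, mac]) pairs pass
            if b.port == port and b.vlan == vlan and b.ip == src_ip \
                    and (mode == "ip" or b.mac == src_mac):
                return "forward"
        return "drop"


# Values from the page's IPSG scenario; attacker and gateway MACs are constructed.
WS_MAC, WS_IP = "00:02:b3:3f:3b:99", "10.1.1.11"            # workstation, DHCP, VLAN 1, Fa2/1
SRV_MAC, SRV_IP = "00:00:00:0a:00:0b", "10.1.10.11"         # server, static, VLAN 10, Fa2/18
ATTACKER_MAC, GW_MAC = "02:de:ad:be:ef:01", "00:00:0c:07:ac:01"


def demo():
    ipsg = IpSourceGuard([Binding(WS_MAC, WS_IP, 1, "Fa2/1")])       # learned by DHCP snooping
    ipsg.add_binding(Binding(SRV_MAC, SRV_IP, 10, "Fa2/18"))         # ip source binding ... (static)
    for port in ("Fa2/1", "Fa2/10", "Fa2/18"):
        ipsg.enable(port, "ip-mac")
    spoof = build_ipv4(GW_MAC, ATTACKER_MAC, SRV_IP, "10.1.1.11")     # Fa2/10 claims the server's IP
    spoof_both = build_ipv4(GW_MAC, SRV_MAC, SRV_IP, "10.1.1.11")     # ...and the server's MAC too
    dhcp = build_ipv4("ff:ff:ff:ff:ff:ff", ATTACKER_MAC, "0.0.0.0", "255.255.255.255",
                      PROTO_UDP, udp_header(68, 67))
    wrong_mac = build_ipv4(GW_MAC, ATTACKER_MAC, WS_IP, "10.1.1.1")   # right IP, wrong MAC on Fa2/1
    results = {
        "workstation": ipsg.filter("Fa2/1", 1, build_ipv4(GW_MAC, WS_MAC, WS_IP, "10.1.1.1")),
        "server": ipsg.filter("Fa2/18", 10, build_ipv4(GW_MAC, SRV_MAC, SRV_IP, "10.1.1.11")),
        "attacker_spoofs_server_ip": ipsg.filter("Fa2/10", 10, spoof),
        "attacker_spoofs_ip_and_mac": ipsg.filter("Fa2/10", 10, spoof_both),  # binding is per port
        "dhcp_before_any_binding": ipsg.filter("Fa2/10", 10, dhcp),
        "wrong_mac_ip_mac_mode": ipsg.filter("Fa2/1", 1, wrong_mac),
    }
    ipsg.enable("Fa2/1", "ip")                   # without port-security only the IP is checked
    results["wrong_mac_ip_mode"] = ipsg.filter("Fa2/1", 1, wrong_mac)
    return results
```

The two spoofing cases show why the binding carries the interface: even a perfect copy of the server's IP and MAC is dropped on Fa2/10, because the only binding for that pair is on Fa2/18. The last two results show the difference the port-security keyword makes.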


IPSG Scenario (1)

A workstation that acquires its IP address via DHCP is connected to the same Catalyst switch as a server with a static IP address.

IPSG Scenario (2)

Switch# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 1,10
Switch(config)# ip dhcp snooping verify mac-address
Switch(config)# ip source binding 0000.000a.000b vlan 10 10.1.10.11 interface Fa2/18
Switch(config)# interface fastethernet 2/1
Switch(config-if)# switchport
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# ip verify source vlan dhcp-snooping port-security
Switch(config)# interface fastethernet 2/18
Switch(config-if)# switchport
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# ip verify source vlan dhcp-snooping port-security

IPSG Scenario (3)

Switch# show ip source binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:02:B3:3F:3B:99   10.1.1.11        652         dhcp-snooping  1     FastEthernet2/1
00:00:00:0A:00:0B   10.1.10.11       infinite    static         10    FastEthernet2/18

Switch# show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Fa2/1      ip-mac       active       10.1.1.11        00:02:B3:3F:3B:99  1
Fa2/18     ip-mac       active       10.1.10.11       00:00:00:0a:00:0b  10

IPSG Scenario (4)

An attacker connects to interface Fa6/10 and tries to spoof the server's IP address. Because the port's filter mode is ip-mac, the attacker's frames carry the server's IP with a MAC address that does not match the static binding, so the Catalyst switch detects and drops the packets in the hardware path. The switch also logs an error message to indicate the violation.
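The following Python is an added example, not code from the chapter. It models the decision IPSG makes in this scenario: it parses the show ip source binding output above into a binding table and applies the ip-mac filter that the port-security form of ip verify source enables, alongside the ip-only mode for comparison. The attacker's MAC address 0000.0000.0bad is an assumed value; the binding table is constructed from the slide's own output.

```python
"""IP Source Guard (IPSG) decision logic, modelled in Python.

Added example, not from the original chapter: parses the `show ip source
binding` output from the scenario and applies the filter that
`ip verify source vlan dhcp-snooping [port-security]` enables, so you can
see which frames the switch forwards and which it drops.
"""
import re
from dataclasses import dataclass

# Binding table from the scenario, embedded so the script runs offline
# (constructed from the slide's show output).
SHOW_IP_SOURCE_BINDING = """\
MacAddress         IpAddress    Lease(sec) Type          VLAN Interface
------------------ ------------ ---------- ------------- ---- ------------------
00:02:B3:3F:3B:99  10.1.1.11    6522       dhcp-snooping 1    FastEthernet6/1
00:00:00:0A:00:0B  10.1.10.11   infinite   static        10   FastEthernet6/10
"""

BINDING_RE = re.compile(
    r"^([0-9A-Fa-f:]{17})\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+\S+\s+(\d+)\s+(\S+)$"
)


@dataclass(frozen=True)
class Binding:
    mac: str        # normalised to aa:bb:cc:dd:ee:ff
    ip: str
    vlan: int
    interface: str


def normalize_mac(mac):
    """Accept 0000.000a.000b or 00:00:00:0A:00:0B and return 00:00:00:0a:00:0b."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_source_bindings(text):
    """Return the Binding entries found in `show ip source binding` output."""
    bindings = []
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            mac, ip, vlan, intf = m.groups()
            bindings.append(Binding(normalize_mac(mac), ip, int(vlan), intf))
    return bindings


def ipsg_permits(bindings, interface, vlan, src_ip, src_mac, mode="ip-mac", is_dhcp=False):
    """Decide whether IPSG forwards a frame that arrived on `interface` in `vlan`.

    mode="ip"     models `ip verify source vlan dhcp-snooping`: the source IP
                  must match a binding learned on this port and VLAN.
    mode="ip-mac" models the `... port-security` form: the source MAC must
                  match the binding as well, which is what stops a host that
                  spoofs a neighbour's IP from its own MAC address.
    DHCP packets are always allowed so that clients can still obtain a lease.
    """
    if is_dhcp:
        return True
    src_mac = normalize_mac(src_mac)
    for b in bindings:
        if b.interface != interface or b.vlan != vlan or b.ip != src_ip:
            continue
        if mode == "ip" or b.mac == src_mac:
            return True
    return False


if __name__ == "__main__":
    table = parse_source_bindings(SHOW_IP_SOURCE_BINDING)
    # The legitimate server on Fa6/10, then the attacker from the scenario,
    # who plugs into Fa6/10 and sends from the server's IP with his own MAC.
    print(ipsg_permits(table, "FastEthernet6/10", 10, "10.1.10.11", "0000.000a.000b"))  # True
    print(ipsg_permits(table, "FastEthernet6/10", 10, "10.1.10.11", "0000.0000.0bad"))  # False
```

The last call shows why the port-security form matters: in ip-only mode the same spoofed frame is forwarded, because only the source IP is compared with the binding.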

Securing Network Switches

Neighbor Discovery Protocols (NDP)

Cisco Discovery Protocol (CDP): Cisco proprietary; enabled by default on Cisco devices.
Link Layer Discovery Protocol (LLDP): ratified as IEEE standard 802.1AB in 2005; LLDP is disabled by default on Cisco devices.

Configuring CDP

CDP is enabled by default. The no cdp run command disables CDP globally. The no cdp enable command disables CDP on an interface.

Displaying CDP Information (1)

When CDP is enabled, the command show cdp neighbor displays a summary of which devices are seen on which ports.

switch# show cdp neighbor
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
c2900-8          Fas 0/8           108        S I         WS-C2900  Fas 0/8

Displaying CDP Information (2)

4500# show cdp neighbor detail
-------------------------
Device ID: TBA03501074(SwitchA-6500)
Entry address(es):
  IP address: 10.18.2.137
Platform: WS-C6500,  Capabilities: Trans-Bridge Switch IGMP
Interface: FastEthernet3/21,  Port ID (outgoing port): 3/36
Holdtime : 170 sec

Version :
WS-C6500 Software, Version McpSW: 7.6(1) NmpSW: 7.6(1)
Copyright (c) 1995-2003 by Cisco Systems

advertisement version: 2
VTP Management Domain: '0'
Native VLAN: 1
Duplex: full
-------------------------
Device ID: SwitchC-4503
Entry address(es):
  IP address: 10.18.2.132
Platform: cisco WS-C4503,  Capabilities: Router Switch IGMP
Interface: FastEthernet3/27,  Port ID (outgoing port): FastEthernet3/14
Holdtime : 130 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) Catalyst 4000 L3 Switch Software (cat4000-I5S-M), Version 12.1(19)EW, CISCO ENHANCED PRODUCTION VERSION
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Tue 27-May-03 04:31 by prothero
[output omitted]

Note how much a single neighbor advertises: management IP address, platform model, exact software version, VTP domain, native VLAN and port numbers. This is the information the CDP vulnerabilities slide below refers to.

Configuring LLDP

LLDP is disabled by default. The command lldp run enables LLDP globally. The command lldp enable enables LLDP on an interface. On Catalyst IOS platforms that do not accept lldp enable, the per-interface controls are lldp transmit and lldp receive (and their no forms), which also let you leave an interface listening without advertising anything.

Displaying LLDP Information

When LLDP is enabled, the command show lldp neighbor displays a summary of which devices are seen on which ports.

switch(config)# lldp run
switch(config)# end
switch# show lldp neighbor
Capability codes:
    (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
    (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other
Device ID           Local Intf     Hold-time  Capability      Port ID
c2900-8             Fa0/8          120        B               Fa0/8
Total entries displayed: 1

CDP Vulnerabilities

Sequence of events:
1. The system administrator uses CDP to view neighbor information.
2. The attacker uses a packet analyzer to intercept CDP traffic.
3. The attacker analyzes the information in the CDP packets to learn network addressing and device information.
4. The attacker formulates attacks based on known vulnerabilities of the network platforms.

CDP is sent in clear text and is not authenticated, so anyone on a port that receives CDP learns the device model, software version, management address and native VLAN without sending a single packet.
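The following Python is an added example, not code from the chapter. It constructs a CDP payload carrying the values from the show cdp neighbor detail output above (the frame is constructed here, not captured, and its checksum is left at zero) and decodes it the way the packet analyzer in steps 2 and 3 would. The TLV type numbers and the Addresses TLV layout are the standard CDP encoding; the length checks are there because a CDP frame is untrusted input from whoever is on the wire.

```python
"""Decode what a CDP advertisement discloses to anyone listening on the wire.

Added example, not code from the chapter: build_sample_cdp() constructs a
CDP payload (the part after the LLC/SNAP header) with the values from the
`show cdp neighbor detail` output above, and parse_cdp() decodes it the way
a packet analyzer on a user-facing port would. The frame is constructed, not
captured; the checksum field is left at zero and is not validated.
"""
import struct

TLV_NAMES = {0x0001: "Device ID", 0x0002: "Addresses", 0x0003: "Port ID",
             0x0004: "Capabilities", 0x0005: "Software Version",
             0x0006: "Platform", 0x000A: "Native VLAN"}
CAPABILITY_BITS = [(0x01, "Router"), (0x02, "Trans-Bridge"), (0x04, "Source-Route-Bridge"),
                   (0x08, "Switch"), (0x10, "Host"), (0x20, "IGMP"), (0x40, "Repeater")]
NLPID_IP = 0xCC   # protocol value for IPv4 inside the Addresses TLV


def _need(condition, what):
    """CDP is unauthenticated input, so every length is checked before it is trusted."""
    if not condition:
        raise ValueError(f"malformed CDP: {what}")


def tlv(tlv_type, value):
    """One TLV: 2-byte type, 2-byte length (counting this 4-byte header), value."""
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def address_tlv(ipv4_addresses):
    """Addresses TLV: 4-byte count, then per entry: proto type, proto len, proto, addr len, addr."""
    body = struct.pack("!I", len(ipv4_addresses))
    for ip in ipv4_addresses:
        body += bytes([1, 1, NLPID_IP]) + struct.pack("!H", 4) + bytes(int(o) for o in ip.split("."))
    return tlv(0x0002, body)


def build_sample_cdp():
    """Constructed CDP v2 payload: version, TTL, checksum placeholder, then the TLVs."""
    header = struct.pack("!BBH", 2, 180, 0)
    return header + b"".join([
        tlv(0x0001, b"SwitchC-4503"),
        address_tlv(["10.18.2.132"]),
        tlv(0x0003, b"FastEthernet3/14"),
        tlv(0x0004, struct.pack("!I", 0x01 | 0x08 | 0x20)),   # Router, Switch, IGMP
        tlv(0x0005, b"IOS (tm) Catalyst 4000 L3 Switch Software (cat4000-I5S-M), Version 12.1(19)EW"),
        tlv(0x0006, b"cisco WS-C4503"),
        tlv(0x000A, struct.pack("!H", 1)),
    ])


def parse_addresses(value):
    """Decode the Addresses TLV body into dotted IPv4 strings (other protocols as hex)."""
    _need(len(value) >= 4, "address count")
    count, = struct.unpack("!I", value[:4])
    off, addrs = 4, []
    for _ in range(count):
        _need(off + 2 <= len(value), "address entry header")
        proto_len = value[off + 1]
        _need(off + 4 + proto_len <= len(value), "address entry protocol")
        proto = value[off + 2:off + 2 + proto_len]
        addr_len, = struct.unpack("!H", value[off + 2 + proto_len:off + 4 + proto_len])
        addr = value[off + 4 + proto_len:off + 4 + proto_len + addr_len]
        _need(len(addr) == addr_len, "address truncated")
        off += 4 + proto_len + addr_len
        addrs.append(".".join(map(str, addr)) if proto == bytes([NLPID_IP]) and addr_len == 4 else addr.hex())
    return addrs


def parse_cdp(payload):
    """Walk the TLVs and return a dict of everything the neighbor advertises."""
    _need(len(payload) >= 4, "header")
    version, ttl, _checksum = struct.unpack("!BBH", payload[:4])
    info, off = {"version": version, "ttl": ttl}, 4
    while off < len(payload):
        _need(off + 4 <= len(payload), "truncated TLV header")
        tlv_type, length = struct.unpack("!HH", payload[off:off + 4])
        _need(4 <= length <= len(payload) - off, f"TLV length {length} at offset {off}")
        value = payload[off + 4:off + length]
        off += length
        name = TLV_NAMES.get(tlv_type, f"TLV 0x{tlv_type:04x}")
        if tlv_type in (0x0001, 0x0003, 0x0005, 0x0006):
            info[name] = value.decode("ascii", errors="replace")
        elif tlv_type == 0x0002:
            info[name] = parse_addresses(value)
        elif tlv_type == 0x0004:
            _need(len(value) == 4, "capabilities length")
            caps, = struct.unpack("!I", value)
            info[name] = [label for bit, label in CAPABILITY_BITS if caps & bit]
        elif tlv_type == 0x000A:
            _need(len(value) == 2, "native VLAN length")
            info[name], = struct.unpack("!H", value)
        else:
            info[name] = value.hex()
    return info


if __name__ == "__main__":
    for key, val in parse_cdp(build_sample_cdp()).items():
        print(f"{key:18} {val}")
```

Everything the parser prints is exactly what a user on an access port receives every 60 seconds while CDP is left enabled there, which is the case for the per-interface no cdp enable recommended later in this chapter.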

Securing Switch Access

Telnet vulnerabilities
Secure Shell (SSH) vulnerabilities

Secure Shell (SSH)

Telnet vulnerabilities:
All usernames, passwords, and data sent over the public network in clear text are vulnerable.
A user with an account on the system could gain elevated privileges.
A remote attacker could crash the Telnet service, preventing legitimate use of that service by performing a DoS attack such as opening too many bogus Telnet sessions.
A remote attacker could find an enabled guest account that might be present anywhere within the trusted domains of the server.

SSH:
SSH version 1 implementations are vulnerable to various security compromises. Whenever possible, use SSH version 2 instead of SSH version 1.

Configuring SSH

Step 1. Configure a user with a password.
Step 2. Configure the hostname and domain name.
Step 3. Generate RSA keys.
Step 4. Allow SSH transport on the vty lines.

switch(config)# username xyz password abc123
switch(config)# ip domain-name xyz.com
switch(config)# crypto key generate rsa
switch(config)# ip ssh version 2
switch(config)# line vty 0 15
switch(config-line)# login local
switch(config-line)# transport input ssh

The hostname and domain name must both be set before crypto key generate rsa, because the key pair is named after them. Two hardening points on the example: use username xyz secret (a hashed credential) rather than password, which stores the password reversibly; and give crypto key generate rsa an explicit modulus 2048, since the default modulus on older IOS releases is too short. ip ssh version 2 disables the SSHv1 fallback, and transport input ssh removes Telnet from the vty lines.

VTY Access Control Lists

HTTP Secure Server

Step 1. Configure username and password.
Step 2. Configure domain name.
Step 3. Generate RSA keys.
Step 4. Enable HTTPS (SSL) server.
Step 5. Configure HTTP authentication.
Step 6. Configure an access list to limit access.

sw(config)# access-list 1 permit 10.1.9.0 0.0.0.255
sw(config)# username xyz password abc123
sw(config)# ip domain-name xyz.com
sw(config)# crypto key generate rsa
sw(config)# no ip http server
sw(config)# ip http secure-server
sw(config)# ip http access-class 1
sw(config)# ip http authentication local

Access list 1 is a standard ACL and therefore matches on source address only; ip http access-class 1 binds it to the web server, and ip http authentication local checks the username against the local database. Disabling the clear-text server with no ip http server before enabling the secure one avoids a window in which both are reachable.

Authentication, Authorization, and Accounting (AAA)

The AAA network-security services provide the primary framework through which you set up access control on a Cisco IOS switch. AAA is an architectural framework for configuring a set of three independent security functions in a consistent manner.

Authentication: identifies users before they access the network and its services.

Authentication provides a method for controlling:
User identification
Login and password dialog
Challenge and response
Messaging
Encryption
All authentication methods, except for local, line password, and enable authentication, require the use of AAA.

Authorization

Authorization provides the method for remote access control. Remote access control includes:
One-time authorization, or
Authorization for each service, on a per-user account list or a user group basis.
Uses RADIUS or TACACS+ security servers.

Accounting

Accounting provides the method for collecting and sending security server information used for billing, auditing, and reporting. Includes:
User identities
Start and stop times
Executed commands
Number of packets
Number of bytes

Configuring Authentication

Variety of login authentication methods.
First use the aaa new-model command to initialize AAA.
Use the aaa authentication login command to enable AAA login authentication.
With the aaa authentication login command, configure one or more lists of authentication methods.
The aaa authentication login {default | list-name} method1 [method2...] command defines the list name and the authentication methods in order, such as TACACS+ or RADIUS.
The login authentication {default | list-name} command applies the authentication list to an input line.

AAA Authentication Example

Switch(config)# aaa new-model
Switch(config)# aaa authentication login TEST tacacs+
Switch(config)# tacacs-server host 192.168.10.1
Switch(config)# line vty 0 4
Switch(config-line)# login authentication TEST

Always keep a console connection open while changing AAA, so that a misconfiguration cannot lock you out of the router or switch. Note also that this method list names tacacs+ alone: if the TACACS+ server is unreachable, the login fails; add a fallback method such as local or enable at the end of the list to cover that case.

AAA Authentication Configuration Detail

Step 1. Configure the TACACS+ server for a test user:
When using Cisco Access Control Server (ACS) for Microsoft Windows, create a new test user without specific options.

Step 2. Configure a new network device on the TACACS+ server:
When using Cisco ACS for Microsoft Windows, create a new network device by specifying the DNS name and IP address, and specify a key to be used for TACACS+.

Step 3. Access the switch using the console (out-of-band) connection.

Step 4. Enable AAA globally:
svs-san-3550-1(config)# aaa new-model

Step 5. Configure the TACACS+ server and key (the key itself is not shown):
svs-san-3550-1(config)# tacacs-server host 172.18.114.33
svs-san-3550-1(config)# tacacs-server key <shared-secret>

Step 6. Configure the default login access:
svs-san-3550-1(config)# aaa authentication login default group tacacs+ enable

Step 7. Test the login using a separate connection:
This enables you to troubleshoot and make changes in real time while testing the configuration.

The key in step 5 must match the one entered on the ACS in step 2; it protects the TACACS+ exchange, so treat it as a secret and do not reuse one key across devices. In step 6, enable is the fallback: if no TACACS+ server answers, the enable secret is accepted, which keeps access possible while the server is down.

AAA Authorization Configuration

Use the command:
aaa authorization {auth-proxy | network | exec | commands level | reverse-access | configuration | ipmobile} {default | list-name} [method1 [method2...]]

Apply it to a line with:
authorization {arap | commands level | exec | reverse-access} {default | list-name}

Use the aaa authorization command with the group tacacs+ method keywords to request authorization via a TACACS+ server. The group tacacs+ method instructs the switch to use the list of all TACACS+ servers for authorization. Use the aaa authorization command with the local method keyword to request authorization via the local user database. Use the aaa authorization command with the group radius method keywords to request authorization via a RADIUS server.

AAA Authorization Example

This configuration example illustrates configuring AAA authorization for users via VTY access for shell commands. To allow users to access the functions they request as long as they have been authenticated, use the aaa authorization command with the if-authenticated method keyword, as shown.

Switch(config)# aaa new-model
Switch(config)# aaa authorization commands 0 default if-authenticated group tacacs+
Switch(config)# line vty 0 4
Switch(config-line)# authorization commands 0 default

Method lists are tried in order, and the next method is consulted only when the previous one returns an error (server unreachable), not when it returns a decision. Because if-authenticated succeeds for every authenticated user, listing it first means the TACACS+ server is never asked; the line above is a convenience setting, not command authorization. To enforce per-command policy, put group tacacs+ first and if-authenticated (or local) after it as the fallback for when the server is down.

AAA Accounting Types Supported

Network accounting: Provides information for all PPP, SLIP, or ARAP sessions, including packet and byte counts.
Connection accounting: Provides information about all outbound connections made from the network access server, such as Telnet and rlogin.
EXEC accounting: Provides information about user EXEC terminal sessions (user shells) on the network access server, including username, date, start and stop times, the access server IP address, and (for dial-in users) the telephone number from which the call originated.
System accounting: Provides information about all system-level events (for example, when the system reboots and when accounting is turned on or off).
Command accounting: Provides information about the EXEC shell commands for a specified privilege level executed on a network access server.
Resource accounting: Provides start and stop record support for calls that have passed user authentication.

AAA Accounting Configuration

Use the command:
aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} [method1 [method2...]]

Apply the accounting method to an interface or lines using the command:
accounting {arap | commands level | connection | exec} {default | list-name}

AAA Accounting Example

This configuration example enables AAA accounting of EXEC sessions opened over the vty lines: a start record is sent to the TACACS+ server group when a user's shell begins and a stop record when it ends, giving the audit trail described under EXEC accounting above.

Switch(config)# aaa new-model
Switch(config)# aaa accounting exec default start-stop group tacacs+
Switch(config)# line vty 0 4
Switch(config-line)# accounting exec default

Security Using IEEE 802.1X Port-Based Authentication

When configured for 802.1X port-based authentication, the port starts in the unauthorized state. While in this state, the port disallows all ingress and egress traffic except for 802.1X protocol packets (EAPOL).

802.1X Roles

Client (or supplicant): The device that requests access to LAN and switch services and then responds to requests from the switch. The workstation must be running 802.1X-compliant client software.
Authentication server: Performs the actual authentication of the client. The authentication server validates the identity of the client and notifies the switch whether the client is authorized to access the LAN and switch services. The RADIUS security system with EAP extensions is the only supported authentication server.
Switch (or authenticator): Controls physical access to the network based on the authentication status of the client. The switch acts as an intermediary (proxy) between the client and the authentication server, requesting identifying information from the client, verifying that information with the authentication server, and relaying a response to the client.

802.1X Port Authorization State (1)

You control the port authorization state by using the interface configuration command:
dot1x port-control {auto | force-authorized | force-unauthorized}

The force-authorized keyword disables 802.1X port-based authentication and causes the port to transition to the authorized state without any authentication exchange required. The port transmits and receives normal traffic without 802.1X-based authentication of the client. This is the default setting. This configuration mode supports any non-dot1x-enabled client.

802.1X Port Authorization State (2)

You control the port authorization state by using the interface configuration command:
dot1x port-control {auto | force-authorized | force-unauthorized}

The force-unauthorized keyword keeps the port in the unauthorized state, ignoring all attempts by the client to authenticate. The switch cannot provide authentication services to the client through the interface. This configuration mode can be enabled to prevent user connections on unauthorized ports.

802.1X Port Authorization State (3)

You control the port authorization state by using the interface configuration command:
dot1x port-control {auto | force-authorized | force-unauthorized}

The auto keyword enables 802.1X port-based authentication and causes the port to begin in the unauthorized state, enabling only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port transitions from down to up (authenticator initiation) or when an EAPOL-start frame is received (supplicant initiation). The switch requests the identity of the client and begins relaying authentication messages between the client and the authentication server. The switch uniquely identifies each client attempting to access the network by using the client MAC address. This configuration mode can be used on ports that connect to an 802.1X client.

Configuring IEEE 802.1X

Step 1. Enable AAA:
Switch(config)# aaa new-model

Step 2. Create an 802.1X port-based authentication method list:
Switch(config)# aaa authentication dot1x {default} method1 [method2...]

Step 3. Globally enable 802.1X port-based authentication:
Switch(config)# dot1x system-auth-control

Step 4. Enter interface configuration mode and specify the interface to be enabled for 802.1X port-based authentication:
Switch(config)# interface type slot/port

Step 5. Enable 802.1X port-based authentication on the interface:
Switch(config-if)# dot1x port-control auto

IEEE 802.1X Configuration Example

sw(config)# aaa new-model
sw(config)# radius-server host 10.1.1.5 auth-port 1812 key xyz123
sw(config)# aaa authentication dot1x default group radius
sw(config)# dot1x system-auth-control
sw(config)# interface fa0/1
sw(config-if)# description Access Port
sw(config-if)# switchport mode access
sw(config-if)# dot1x port-control auto

The RADIUS key is the shared secret that authenticates the switch to the server and protects the EAP exchange it relays; choose it with the same care as any other credential. Until the supplicant on fa0/1 authenticates, only EAPOL frames pass on that port.

Switch Security Considerations

Organizational Security Policies

Provides a process for auditing existing network security.
Provides a general security framework for implementing network security.
Defines which behaviors toward electronic data are not permitted.
Determines which tools and procedures are needed for the organization.
Defines the responsibilities of users and administrators.
Defines a process for handling network security incidents.

You should consider the policies of an organization when determining what level of security and what type of security should be implemented.

Securing Switch Devices and Protocols

Configure strong system passwords.
Restrict management access using ACLs.
Secure physical access to the console.
Secure access to vty lines.
Configure system warning banners.
Disable unneeded or unused services.
Trim and minimize the use of CDP/LLDP.
Disable the integrated HTTP daemon (where appropriate).
Configure basic system logging (syslog).
Secure SNMP.
Limit trunking connections and propagated VLANs.
Secure the spanning-tree topology.

Configuring Strong System Passwords

Use the enable secret command instead of the enable password command. Because the enable secret command simply implements an MD5 hash on the configured password, that password remains vulnerable to dictionary attacks. Therefore, standard practice in selecting a feasible password applies. Try to pick passwords that contain letters, numbers, and special characters. An example of a feasible password is "$pecia1$", that is, the word "specials" where each "s" has been replaced by "$" and the letter "l" has been replaced with the numeral "1".

Two caveats: character substitutions of this kind are built into every password-cracking wordlist, so length (a long passphrase) buys far more than substitutions do; and on IOS releases that support it, enable algorithm-type scrypt secret stores a type 9 (scrypt) hash, which is much slower to attack than the MD5-based type 5.

Restricting Management Access Using ACLs

Subnet 10.1.2.0/24 is used for accessing all network devices for management purposes. This subnet does not pass user data traffic. Access to this subnet is limited to system administrators in the 10.1.3.0/24 subnet.

[output omitted]
interface Vlan600
 description User LAN
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan601
 description Management VLAN
 ip address 10.1.2.1 255.255.255.0
 ip access-group 100 in
!
interface Vlan602
 description IT LAN
 ip address 10.1.3.1 255.255.255.0
!
access-list 100 permit ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 100 deny ip any any log
!
[output omitted]

Check the direction before copying this: on an SVI, in matches packets arriving from hosts in that VLAN, so ACL 100 applied inbound on Vlan601 filters traffic sourced by the management subnet rather than traffic sent to it. To restrict who can reach 10.1.2.0/24, apply the ACL outbound on Vlan601 (ip access-group 100 out) or inbound on the SVIs where the traffic enters (Vlan600 and Vlan602). Traffic addressed to the switch's own SVI addresses is not subject to an outbound interface ACL; protect that with the vty access-class and SNMP ACLs covered later. The deny ... log entry records every blocked attempt, which turns this ACL into a detection point as well as a filter.

Securing Physical Access to the Console

Physical security of switches or routers is often overlooked but is a valuable security precaution. Console access requires a minimum level of security both physically and logically. A person who gains console access to a system acquires the ability to recover or reset passwords or to reload the system, which lets that individual defeat the security measures implemented on the system. It is imperative to physically secure console access by using security personnel, closed-circuit television, card-key entry systems, locked cabinets, access logging, or other means of controlling physical access as standard practice.

Securing Access to vty Lines

Apply ACLs on all vty lines to limit in-band access only to management stations from specific subnets.
Configure strong passwords for all configured vty lines.
Use Secure Shell (SSH) instead of Telnet to access the device remotely.

Configuring System Warning Banners

For both legal and administrative purposes, configuring a system warning banner to display prior to login is a convenient and effective way of reinforcing security and general usage policies. Clearly stating the ownership, usage, access, and protection policies prior to a login aids in stronger prosecution if unauthorized access occurs. Use the global configuration banner command to configure system banner messages. A login banner is shown before the username prompt, so it should state the access policy without revealing the device's role, model, or software version.

Disabling Unneeded or Unused Services

TCP Small Servers (Echo, Chargen, Discard, Daytime)
UDP Small Servers (Echo, Discard, Chargen)
Finger
Auto config
Packet Assembler and Disassembler (PAD)
BOOTP server
Identification service
NTP without authentication
Source routing
IP Proxy-ARP
ICMP unreachables
ICMP redirects
Directed broadcast forwarding
Maintenance Operation Protocol (MOP)

Trimming and Minimizing Use of CDP/LLDP

Disable CDP/LLDP on a per-interface basis. Run CDP/LLDP only for administrative purposes, such as on inter-switch connections and interfaces where IP phones reside. Confine CDP/LLDP deployment to run between devices under your control. Because CDP/LLDP is a link-level (Layer 2) protocol, it does not propagate end-to-end over a MAN or WAN unless a Layer 2 tunneling mechanism is in place. As a result, for MAN and WAN connections, CDP tables might include the service provider's next-hop router or switch and not the far-end router under your control. Do not run CDP/LLDP on any unsecured connection, such as Internet connections.

Disabling Integrated HTTP Daemon

Use the no ip http server command in Cisco IOS to disable HTTP server access on a switch. If HTTP access is needed, it is recommended to change the default TCP port number (80) using the ip http port port-no command. Secure HTTP is recommended over HTTP access. Secure HTTP can be enabled via the ip http secure-server command.

svs-san-msfc# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
svs-san-msfc(config)# no ip http server
svs-san-msfc(config)# end

Moving the port only hides the clear-text server from casual scans; it does not protect the credentials sent to it. If a web interface is required, enable ip http secure-server, disable the plain server, and bind an ACL with ip http access-class so that only the management subnet can reach it.

Configuring Basic System Logging

To make system logging useful, increase the default buffer size; the default buffer size is generally not adequate for logging most events. Send the messages off the box as well (logging host pointing at a syslog server), so that an attacker who gains access to the switch cannot erase the record, and enable timestamps with service timestamps log datetime msec so that events can be correlated across devices.

Securing SNMP

Whenever possible, avoid using SNMP read-write features. SNMPv2c authentication consists of simple text strings that are communicated between devices in clear, unencrypted text. In most cases, a read-only community string is sufficient. To use SNMP in a secure method, use SNMPv3 with an encrypted password and use an ACL to limit SNMP to only trusted workstations and subnets. In SNMPv3 terms that means the authPriv security level: authentication (HMAC) proves who sent the request and privacy encrypts the payload; authNoPriv still sends the SNMP data in the clear.

Limiting Trunking Connections and Propagated VLANs

By default, specific models of Catalyst switches that are running Cisco IOS automatically negotiate trunking capabilities. This poses a security risk because the negotiation enables the introduction of an unauthorized trunk port into the network. If an unauthorized trunk port is used for traffic interception and to generate DoS attacks, the consequences can be far more serious than if only an access port is used. (A DoS attack on a trunk port might affect multiple VLANs, whereas a DoS attack on an access port affects only a single VLAN.) To prevent unauthorized trunks, disable automatic negotiation of trunking on host and access ports. In addition, remove unused VLANs from trunks manually or by using VTP pruning. In practice that means switchport mode access on host ports, switchport nonegotiate on deliberate trunks so that DTP is not sent at all, and switchport trunk allowed vlan to prune each trunk to the VLANs it must carry.

Securing the Spanning-Tree Topology

Inadvertent or malicious introduction of STP BPDUs potentially overwhelms a device or creates a DoS. The first step in stabilizing a spanning-tree installation is to positively identify the intended root and designated bridge in the design and to hard-code that bridge's STP bridge priority to an acceptable root value. Enable the root-guard feature on ports that should never lead toward the root, to prevent bridges (even authorized ones) advertising a better bridge ID from taking over the legitimate root. Use the BPDU Guard feature to prevent host devices from maliciously sending BPDUs to a port. Upon receipt of an unauthorized STP BPDU, the feature automatically disables the port (err-disable) until user intervention occurs or a time-out value is reached.
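The following Python is an added example, not code from the chapter, and goes beyond the slides by turning the checklist from "Securing Switch Devices and Protocols" through the spanning-tree slide into a running-config audit: it flags enable password, reversible type 7 credentials (decoded with the well-known fixed key, which is why service password-encryption protects nothing), the HTTP server, small servers, missing log buffer, read-write or unrestricted SNMP communities, CDP on access ports, DTP left negotiating, trunks without nonegotiate, access ports without BPDU guard, and vty lines that accept Telnet or lack an access-class. SAMPLE_CONFIG is a constructed configuration with deliberate weaknesses; the type 7 strings in it were produced with the same key and decode to cisco and letmein.

```python
"""Audit a Cisco IOS running-config against the switch-hardening checklist.

Added example, not code from the chapter. SAMPLE_CONFIG is a constructed
running-config with deliberate weaknesses; audit() returns one finding per
weakness. Feed it real `show running-config` text to use it on a switch.
"""
import re

SAMPLE_CONFIG = """\
enable password cisco123
username admin password 7 0822455D0A16
ip http server
snmp-server community private RW
!
interface FastEthernet0/1
 switchport mode dynamic desirable
!
interface FastEthernet0/2
 switchport mode access
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/1
 switchport mode trunk
!
line vty 0 4
 password 7 121500031F0E050A
 transport input telnet ssh
"""

# Type 7 is a fixed-key XOR, not encryption: whoever holds the config recovers the password.
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"
TYPE7_RE = re.compile(r"\b(?:password|key) 7 ([0-9A-F]{4,})\b")


def decode_type7(blob):
    """First two digits are the offset into TYPE7_KEY; the rest are XOR-obfuscated bytes."""
    seed, data = int(blob[:2]), bytes.fromhex(blob[2:])
    return "".join(chr(b ^ ord(TYPE7_KEY[(seed + i) % len(TYPE7_KEY)])) for i, b in enumerate(data))


def parse_blocks(config):
    """Group lines into {"global": [...], "interface X": [...], "line vty 0 4": [...]}."""
    blocks, current = {"global": []}, "global"
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw.startswith(" "):                        # indented: part of the open section
            blocks[current].append(line)
        elif line.startswith(("interface ", "line ")):
            current = line
            blocks.setdefault(current, [])
        else:                                          # other top-level line closes the section
            current = "global"
            blocks["global"].append(line)
    return blocks


def audit(config):
    """Return human-readable findings; an empty list means every check passed."""
    blocks = parse_blocks(config)
    g, findings = blocks["global"], []
    has = lambda prefix, lines=g: any(l.startswith(prefix) for l in lines)
    if has("enable password") or not has("enable secret"):
        findings.append("enable secret not in use; configure enable secret and remove enable password")
    if has("ip http server"):
        findings.append("HTTP server enabled; use no ip http server, or ip http secure-server with ip http access-class")
    if has("service tcp-small-servers") or has("service udp-small-servers"):
        findings.append("TCP/UDP small servers enabled; disable them")
    if not has("logging buffered"):
        findings.append("logging buffered not set; the default log buffer is too small to be useful")
    for line in g:
        if m := re.match(r"snmp-server community (\S+) (RO|RW)(?: (\S+))?$", line):
            name, mode, acl = m.groups()
            if mode == "RW":
                findings.append(f"SNMP read-write community {name!r}; use read-only or SNMPv3 authPriv")
            if acl is None:
                findings.append(f"SNMP community {name!r} has no ACL restricting sources")
    bpduguard_default = has("spanning-tree portfast bpduguard default")
    for header, lines in blocks.items():
        for line in lines:
            if m := TYPE7_RE.search(line):
                findings.append(f"{header}: type 7 password is reversible, decodes to {decode_type7(m.group(1))!r}")
        if header.startswith("interface"):
            modes = [l.split()[2] for l in lines if l.startswith("switchport mode ")]
            mode = modes[0] if modes else "dynamic"      # IOS default is DTP negotiation
            if mode == "dynamic":
                findings.append(f"{header}: DTP trunk negotiation enabled; set switchport mode access or trunk plus switchport nonegotiate")
            elif mode == "trunk" and "switchport nonegotiate" not in lines:
                findings.append(f"{header}: trunk still negotiates DTP; add switchport nonegotiate")
            elif mode == "access":
                if not bpduguard_default and "spanning-tree bpduguard enable" not in lines:
                    findings.append(f"{header}: access port without BPDU guard")
                if "no cdp enable" not in lines:
                    findings.append(f"{header}: CDP still advertised on an access port")
        elif header.startswith("line vty"):
            allowed = next((l.split()[2:] for l in lines if l.startswith("transport input")), ["all"])
            if allowed != ["ssh"]:
                findings.append(f"{header}: vty transport is {' '.join(allowed)}; use transport input ssh")
            if not has("access-class", lines):
                findings.append(f"{header}: no access-class ACL restricting management sources")
    return findings
```

Call audit(SAMPLE_CONFIG) and print each entry to see the full list; an interface with no switchport mode line at all is reported as negotiating, because that is the IOS default the trunking slide warns about, and the BPDU guard check honours the global spanning-tree portfast bpduguard default so that a switch hardened that way is not flagged port by port.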

Mitigating Issues Sourced from a Switch

Enter the shutdown command on all unused ports and interfaces.
Place all unused ports in a "parking-lot" VLAN used specifically to group unused ports until they are proactively placed into service.
Configure all unused ports as access ports, disallowing automatic trunk negotiation.

Physical device access: Physical access to the switch should be closely monitored to avoid rogue device placement in wiring closets with direct access to switch ports.
Access port-based security: Specific measures should be taken on every access port of any switch placed into service. Ensure that a policy is in place outlining the configuration of unused switch ports in addition to those that are in use.

Chapter 6 Summary (1)

Security is a primary concern in maintaining a secure, stable, and uninterrupted network. Network security goes far beyond the information in this chapter and includes topics such as intrusion detection, firewalls, virus protection, and operating system patching. Unless you recognize and understand the importance of network security, your network is at risk. The following list summarizes the aspects and recommended practices for avoiding, limiting, and minimizing network vulnerabilities strictly related to Catalyst switches as a single network entity:

Chapter 6 Summary (2)

Layer 2 attacks vary in nature and include spoofing attacks, VLAN attacks, MAC flood attacks, and switch device attacks, among others.
Use strong passwords, and use SSH access instead of Telnet exclusively to Cisco network devices.
Disable unused services such as TCP and UDP small services where appropriate.
Use AAA for centralized authentication, authorization, and accounting of network devices and remote access.
Use an access control feature such as 802.1X or port security to restrict workstation access to Catalyst switches.
Use DHCP snooping to prevent rogue DHCP servers on the network.
Use IPSG and DAI with DHCP snooping to prevent IP address and ARP spoofing attacks.
Apply management ACLs to limit remote access to Cisco network devices.
Apply data plane security ACLs to filter unwarranted traffic in the network.
Use private VLANs where appropriate to limit communication in specific VLANs.
Use troubleshooting and monitoring tools such as SPAN, VSPAN, RSPAN, ERSPAN, L2 Traceroute, EEM, and NAM to ensure proper network performance.

Chapter 6 Labs

Lab 6-1 Securing Layer 2 Switches
Lab 6-2 Securing Spanning Tree Protocol
Lab 6-3 Securing VLANs with Private VLANs, RACLs, and VACLs
