Saturday, July 28, 2012

ACCESS CONTROL LIST



  • Besides ACLs for protecting routers, Layer 3 forwarding (IP routing) and the Layer 3 control plane (routing protocols), RFCs 2827 & 3704 outline other types of protection.
  • RFC 2827 (BCP 38, "Network Ingress Filtering") addresses
    • attacks that rely on forged values in the IP header, above all a spoofed source address, and counters them with ingress filtering: an edge router forwards a packet only if its source address belongs to the prefixes legitimately reachable behind the interface it arrived on.
  • RFC 3704 (BCP 84) details how the ingress filtering of RFC 2827 is best deployed across the Internet, including multihomed networks, where a strict reverse-path check would drop legitimate asymmetric traffic and a loose check is used instead.
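The two checks above, as an added example written for this page (not code from the original post or from the RFCs): a per-interface ingress filter in the RFC 2827 style plus the strict and loose reverse-path checks RFC 3704 discusses. The interface names, prefixes, routing table and packets are constructed for illustration.

```python
"""Ingress (anti-spoofing) filtering in the style of RFC 2827 / RFC 3704.

Added example, not code from the original post. The interface names,
prefixes, routing table and packets are constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# Constructed edge router: two customer-facing interfaces, each with the
# prefix assigned behind it, and one interface toward the upstream ISP.
INTERFACES = {
    "Gi0/1": {"role": "customer", "prefixes": [ip_network("203.0.113.0/25")]},
    "Gi0/2": {"role": "customer", "prefixes": [ip_network("203.0.113.128/25")]},
    "Gi0/0": {"role": "upstream", "prefixes": []},
}

# Address space this site owns; it must never arrive from upstream as a source.
OUR_PREFIXES = [ip_network("203.0.113.0/24")]

# Sources that are never valid on the public Internet (a subset of the bogon list).
BOGONS = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]

# Constructed FIB: prefix -> outgoing interface (used by the uRPF check).
FIB = {
    ip_network("203.0.113.0/25"): "Gi0/1",
    ip_network("203.0.113.128/25"): "Gi0/2",
    ip_network("0.0.0.0/0"): "Gi0/0",
}


def in_any(addr, nets):
    return any(addr in n for n in nets)


def ingress_filter(ifname, src):
    """RFC 2827 ingress filter for a packet with source `src` arriving on `ifname`.

    Returns (decision, reason). On a customer interface the source must lie in
    the prefixes assigned behind that interface; on the upstream interface the
    source must not be one of our own addresses. Bogon sources are dropped
    everywhere.
    """
    src = ip_address(src)
    iface = INTERFACES[ifname]
    if in_any(src, BOGONS):
        return "drop", "bogon source address"
    if iface["role"] == "customer":
        if in_any(src, iface["prefixes"]):
            return "permit", "source is assigned behind " + ifname
        return "drop", "source not assigned behind " + ifname
    if in_any(src, OUR_PREFIXES):
        return "drop", "our own prefix spoofed as source from upstream"
    return "permit", "external source"


def fib_lookup(addr):
    """Longest-prefix match; returns (prefix, outgoing interface)."""
    addr = ip_address(addr)
    best = max((n for n in FIB if addr in n), key=lambda n: n.prefixlen)
    return best, FIB[best]


def urpf(src, ifname, mode="strict"):
    """Unicast reverse-path check in the terms of RFC 3704.

    strict: the best route back to `src` must point out the arriving interface.
    loose:  any route more specific than the default must exist for `src`
            (the relaxed check suited to asymmetric multihoming).
    """
    prefix, out_if = fib_lookup(src)
    if mode == "strict":
        return out_if == ifname
    return prefix.prefixlen > 0


if __name__ == "__main__":
    for ifname, src in (("Gi0/1", "203.0.113.10"), ("Gi0/1", "203.0.113.200"),
                        ("Gi0/0", "203.0.113.10"), ("Gi0/0", "192.168.1.5")):
        print(ifname, src, *ingress_filter(ifname, src))
```

The loose mode deliberately ignores the default route: with only a default route in the FIB every source would "have a route", which would make the check meaningless.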

KEY LAYER 3 SECURITY RECOMMENDATIONS from the SAFE blueprint


  • Use Secure Shell (SSH) rather than Telnet for remote access to the router's user interface (the vty lines), so that credentials and commands are not sent in cleartext.
  • Enable SNMP security, in particular by adding SNMPv3 support (authentication and encryption instead of cleartext community strings).
  • Turn off all unnecessary services on the router platform.
  • Turn on logging to provide an audit trail.
  • Enable routing protocol (neighbor) authentication, so that an attacker cannot inject routes by posing as a peer.
  • Enable the CEF forwarding path to avoid using flow- or cache-based paths like fast switching, whose route cache an attacker can thrash with traffic to many new destinations.

Monday, July 9, 2012

General Layer 2 Security Recommendations

  • Put unused switch ports in an otherwise unused VLAN, and do not use VLAN 1 for them.
  • Do not use the native VLAN on trunks for user traffic (that is, give the trunk a native VLAN that has no access ports in it).
    • Reason: an attacker whose access port is in the trunk's native VLAN can hop into another VLAN by sending frames that begin with two 802.1Q headers. The first switch strips the outer tag (it matches the native VLAN, which is carried untagged on the trunk), and the second switch reads the inner tag and delivers the frame into that VLAN.
  • Cisco suggests using a different native VLAN for each trunk.
  • Private VLANs (PVLANs) restrict hosts on some ports from sending frames directly to each other.
  • Private VLANs are created with some number of selected (promiscuous) ports in the primary VLAN, with other isolated & community ports in one or more secondary VLANs.
    • Isolated ports can send frames only to promiscuous ports; community ports can send frames to promiscuous ports & to other community ports in the same secondary VLAN.
  • Private VLANs could be applied generally for better security by making user ports isolated,
    • allowing them to reach only ports such as routers, servers or other network services.
    • However, DHCP snooping, DAI (Dynamic ARP Inspection) & IP Source Guard are typically better choices.
  • Attackers use the default gateway to get around the isolation a PVLAN provides: a frame addressed to the router's MAC address but carrying a neighbour's IP address as destination is routed straight back into the same subnet.
    • To close this, the router simply needs an inbound ACL on the PVLAN-facing interface that denies traffic whose source & destination IP addresses are both in the same locally connected subnet.
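The native-VLAN hop described above, as an added example (not code from the original post): it builds a double-tagged Ethernet frame byte by byte and runs it through a simplified model of two switches joined by a trunk. The model assumes, as the attack does, that an access port accepts a frame tagged with its own VLAN, that a trunk sends its native VLAN untagged, and that a trunk treats an untagged frame as belonging to its native VLAN. MAC addresses and VLAN numbers are constructed.

```python
"""Double-tagged (802.1Q-in-802.1Q) VLAN hopping across a trunk's native VLAN.

Added example, not code from the original post. The switch behaviour is a
simplified model; MAC addresses and VLAN numbers are constructed.
"""
import struct

TPID = 0x8100  # 802.1Q tag protocol identifier


def dot1q_tag(vid, prio=0):
    """TPID followed by the TCI (3-bit priority, 1-bit DEI, 12-bit VLAN ID)."""
    return struct.pack("!HH", TPID, (prio << 13) | (vid & 0x0FFF))


def build_frame(dst, src, vids, ethertype=0x0800, payload=b"constructed payload"):
    """Ethernet frame with zero or more 802.1Q tags, outermost first."""
    tags = b"".join(dot1q_tag(v) for v in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def peel_tag(frame):
    """Return (vid, frame without its outer tag), or (None, frame) if untagged."""
    if struct.unpack("!H", frame[12:14])[0] != TPID:
        return None, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]


def access_ingress(frame, access_vlan):
    """Classify a frame arriving on an access port: (vlan, frame) or (None, None) if dropped."""
    vid, inner = peel_tag(frame)
    if vid is None:
        return access_vlan, frame
    if vid != access_vlan:
        return None, None           # tagged with a foreign VLAN: dropped
    return access_vlan, inner       # tag matches the access VLAN: stripped


def trunk_egress(vlan, frame, native_vlan):
    """The native VLAN leaves the trunk untagged; every other VLAN is tagged."""
    if vlan == native_vlan:
        return frame
    return frame[:12] + dot1q_tag(vlan) + frame[12:]


def trunk_ingress(frame, native_vlan):
    """On the far trunk an untagged frame belongs to the native VLAN."""
    vid, inner = peel_tag(frame)
    return (native_vlan, frame) if vid is None else (vid, inner)


def hop(attacker_vlan, trunk_native, target_vlan):
    """VLAN in which the attacker's double-tagged frame lands on the far switch."""
    frame = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01",
                        [attacker_vlan, target_vlan])
    vlan, f = access_ingress(frame, attacker_vlan)
    if vlan is None:
        return None
    on_wire = trunk_egress(vlan, f, trunk_native)
    landed, _ = trunk_ingress(on_wire, trunk_native)
    return landed


if __name__ == "__main__":
    print("attacker in VLAN 1, trunk native 1, target 20 ->", hop(1, 1, 20))
    print("attacker in VLAN 1, trunk native 999, target 20 ->", hop(1, 999, 20))
    print("attacker in VLAN 10, trunk native 1, target 20 ->", hop(10, 1, 20))
```

With the attacker's VLAN equal to the trunk's native VLAN the frame reaches VLAN 20; once the trunk's native VLAN is an unused number, the first switch tags the frame with the attacker's VLAN instead of stripping it, and the inner tag is carried along as ordinary payload.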
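The PVLAN forwarding rules, the default-gateway bypass and the inbound ACL that closes it, as an added example (not code from the original post). Port names, VLAN numbers, host addresses and the subnet are constructed.

```python
"""Private VLAN isolation, the default-gateway bypass, and the router ACL that closes it.

Added example, not code from the original post. Port names, VLAN numbers,
host addresses and the subnet are constructed.
"""
from ipaddress import ip_address, ip_network

# Primary VLAN 100 with one community secondary VLAN (101) and one isolated one (102).
PORTS = {
    "Gi1/0/1": ("promiscuous", 100),   # default gateway (router)
    "Gi1/0/2": ("promiscuous", 100),   # shared server
    "Gi1/0/10": ("community", 101),
    "Gi1/0/11": ("community", 101),
    "Gi1/0/20": ("isolated", 102),
    "Gi1/0/21": ("isolated", 102),
}
GATEWAY_PORT = "Gi1/0/1"
SUBNET = ip_network("10.1.1.0/24")     # every PVLAN port shares this subnet
HOSTS = {"Gi1/0/2": "10.1.1.2", "Gi1/0/10": "10.1.1.10", "Gi1/0/11": "10.1.1.11",
         "Gi1/0/20": "10.1.1.20", "Gi1/0/21": "10.1.1.21"}


def l2_forward(src_port, dst_port):
    """Can the switch deliver a frame directly between these two PVLAN ports?"""
    s_type, s_vlan = PORTS[src_port]
    d_type, d_vlan = PORTS[dst_port]
    if "promiscuous" in (s_type, d_type):
        return True                    # promiscuous ports talk to every port
    return s_type == d_type == "community" and s_vlan == d_vlan


def router_inbound_acl(src, dst, connected=SUBNET):
    """Equivalent of an inbound ACL on the gateway interface:
         deny   ip 10.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
         permit ip any any
    """
    if ip_address(src) in connected and ip_address(dst) in connected:
        return "deny"
    return "permit"


def deliver(src_port, dst_port, via_gateway=False, acl=False):
    """Does an IP packet from the host on src_port reach the host on dst_port?"""
    if not via_gateway:
        return l2_forward(src_port, dst_port)
    # Attacker addresses the frame to the gateway's MAC with the victim's IP inside.
    if not l2_forward(src_port, GATEWAY_PORT):
        return False
    if acl and router_inbound_acl(HOSTS[src_port], HOSTS[dst_port]) == "deny":
        return False
    # Without the ACL the router routes the packet back into the same subnet,
    # and its promiscuous port may reach any secondary-VLAN port.
    return l2_forward(GATEWAY_PORT, dst_port)


if __name__ == "__main__":
    print("isolated -> isolated, direct:", deliver("Gi1/0/20", "Gi1/0/21"))
    print("isolated -> isolated, via gateway:", deliver("Gi1/0/20", "Gi1/0/21", True))
    print("isolated -> isolated, via gateway + ACL:", deliver("Gi1/0/20", "Gi1/0/21", True, True))
```

The deny line is safe for legitimate traffic because hosts in one subnet never need the router to reach each other; only the attacker's reflected packets carry a same-subnet source and destination at the router's inbound interface.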

Thursday, July 5, 2012

Storm Control

  • Catalyst switches can rate-limit traffic at Layer 2 to contain unicast, multicast & broadcast storms.
  • This is done with the storm-control commands.
  • Storm control is configured with thresholds for each kind of port traffic (unicast, multicast & broadcast).
  • Each rate limit can be configured on a per-port basis.
  • Storm control can be configured for each type of traffic based on
    • either a packet rate (pps) or a percentage of the interface bandwidth.
  • We can also specify rising & falling thresholds for each traffic type: traffic is suppressed once it exceeds the rising threshold, and forwarded again once it drops below the falling threshold.
  • If we don't specify a falling threshold, or the falling threshold is the same as the rising threshold,
    • the switch port forwards all traffic up to the configured limit
    • and does not wait for traffic to drop to a lower falling threshold before forwarding it again.
  • When a configured threshold is exceeded, the switch can take one of 3 actions (also on a per-port basis):
    • The 1st & default action is to rate-limit by discarding the excess traffic and take no further action.
    • The other 2 actions perform the rate-limiting function & additionally either shut down the port (err-disable) or send an SNMP trap.
  • Commands
    • interface f0/0
      • storm-control broadcast level pps 100 50
        • limit broadcast traffic to 100 packets per second
        • when traffic drops back to 50 packets per second, begin forwarding broadcasts again
      • storm-control multicast level 0.50 0.40
        • limit multicast traffic to 0.5 percent of the 100 Mbps interface rate (500 kbps)
        • when traffic drops back to 0.4 percent (400 kbps), begin forwarding again
      • storm-control action trap
        • when any of the above conditions occurs & results in rate-limiting, send an SNMP trap
    • show storm-control f0/0 {unicast | multicast | broadcast}
  • Limitation:
    • it supports only physical ports
      • storm control can be configured on an EtherChannel (port-channel) interface, but it has no effect there.
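The rising/falling threshold behaviour and the three actions, as an added example written for this page (not code from the original post or from Cisco): a small state machine per port and traffic type that mirrors the `storm-control ... level` and `storm-control action` commands above. The one-second interval, the fixed 64-byte frame size used to turn packets per second into a percentage of bandwidth, and the traffic samples are constructed.

```python
"""Storm control as a rising/falling threshold state machine per port and traffic type.

Added example, not code from the original post. The measurement interval,
frame size and traffic samples are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class StormControl:
    bandwidth_bps: int = 100_000_000          # 100 Mbps port
    action: str = "drop"                      # "drop" (default), "trap" or "shutdown"
    thresholds: dict = field(default_factory=dict)
    suppressing: dict = field(default_factory=dict)
    port_up: bool = True
    traps: list = field(default_factory=list)

    def level(self, traffic, rising, falling=None, unit="percent"):
        """storm-control <traffic> level [pps] <rising> [<falling>].

        If the falling threshold is omitted it equals the rising one, so
        forwarding resumes as soon as traffic is back under the limit.
        """
        if falling is None:
            falling = rising
        if falling > rising:
            raise ValueError("falling threshold must not exceed rising threshold")
        self.thresholds[traffic] = (rising, falling, unit)
        self.suppressing[traffic] = False

    def _measure(self, pps, frame_bytes, unit):
        if unit == "pps":
            return pps
        return pps * frame_bytes * 8 / self.bandwidth_bps * 100   # percent of bandwidth

    def _act(self, traffic, measured):
        """Additional action taken when the rising threshold is crossed."""
        if self.action == "trap":
            self.traps.append(f"{traffic} storm: {measured:g} exceeded rising threshold")
        elif self.action == "shutdown":
            self.port_up = False                                  # err-disable the port

    def interval(self, traffic, pps, frame_bytes=64):
        """Evaluate one 1-second interval; returns 'forward', 'suppress' or 'shutdown'."""
        if not self.port_up:
            return "shutdown"
        rising, falling, unit = self.thresholds[traffic]
        measured = self._measure(pps, frame_bytes, unit)
        if self.suppressing[traffic]:
            if measured < falling:            # hysteresis: wait for the falling threshold
                self.suppressing[traffic] = False
        elif measured > rising:
            self.suppressing[traffic] = True
            self._act(traffic, measured)
        if not self.port_up:
            return "shutdown"
        return "suppress" if self.suppressing[traffic] else "forward"


def simulate(sc, traffic, samples):
    """Run a sequence of per-second packet rates through one traffic type."""
    return [sc.interval(traffic, pps) for pps in samples]


if __name__ == "__main__":
    sc = StormControl(action="trap")
    sc.level("broadcast", 100, 50, unit="pps")      # storm-control broadcast level pps 100 50
    sc.level("multicast", 0.50, 0.40)               # storm-control multicast level 0.50 0.40
    print(simulate(sc, "broadcast", [80, 150, 120, 70, 40, 60]))
    print(simulate(sc, "multicast", [1000, 700]))
    print(sc.traps)
```

The broadcast run shows the hysteresis: 120 and 70 pps are under the rising threshold yet stay suppressed until the rate falls below 50 pps. Configure the same port with `level pps 100` alone and the 70 pps interval is forwarded immediately.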

802.1X Configuration


  • 802.1X switch configuration resembles the AAA configuration.
  • The switch configuration treats 802.1X user authentication as another option for AAA authentication.
  • Configuration steps:
    • As with other AAA authentication methods, enable AAA with the global command
      • aaa new-model
    • As with other configurations using RADIUS servers, define the RADIUS server's IP address & shared key using the commands
      • radius-server host ip-address [key key-string]
      • radius-server key key-string
    • Similar to login authentication configuration, define the 802.1X authentication method (RADIUS is the only method supported for dot1x) using the global command
      • aaa authentication dot1x default group radius
      • to use a named server group instead (defined with aaa group server radius group-name): aaa authentication dot1x default group group-name
    • Enable 802.1X globally using the global command
      • dot1x system-auth-control
    • Set each interface to one of three operational settings using the interface command
      • dot1x port-control { auto | force-authorized | force-unauthorized }
        • auto: use 802.1X; the port is authorized only after successful authentication
        • force-authorized (default): do not use 802.1X; the interface is always authorized
        • force-unauthorized: do not use 802.1X; the interface is always unauthorized

802.1X Roles:

  • Supplicant:
    • the 802.1X client driver supplies a username/password prompt to the user and sends/receives the EAPoL messages.
  • Authenticator (the switch):
    • translates between EAPoL & RADIUS messages in both directions and enables/disables the port based on the success/failure of authentication.
  • Authentication server:
    • stores usernames/passwords and verifies that the correct values were submitted before authenticating the user.
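The three roles above and the `dot1x port-control` modes from the configuration steps, as one added example written for this page (not code from the original post or from Cisco). The supplicant answers EAP requests, the authenticator relays them to the server and sets the port state from the answer, and the server checks the credentials. Two things are simplified and should be read as such: the EAP method here hands over the password in clear, which real methods (EAP-TLS, PEAP, even EAP-MD5) never do, and the RADIUS packets are reduced to the fields needed to compute and verify the RFC 2865 Response Authenticator rather than the full wire format. The user names, passwords and shared secrets are constructed.

```python
"""802.1X port authentication: supplicant, authenticator and authentication server.

Added example, not code from the original post. The EAP exchange and the
RADIUS packet format are simplified; credentials and secrets are constructed.
"""
import hashlib
import hmac
import os

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3   # RFC 2865 packet codes


class AuthServer:
    """Authentication server: stores credentials and answers Access-Requests."""

    def __init__(self, users, secret):
        self.users, self.secret = users, secret

    def access_request(self, req_id, req_auth, username, password):
        code = ACCESS_ACCEPT if self.users.get(username) == password else ACCESS_REJECT
        attrs = b"User-Name=" + username.encode()
        # Response Authenticator = MD5(Code + ID + RequestAuth + Attributes + Secret):
        # proves the reply came from a server that holds the shared secret.
        resp_auth = hashlib.md5(bytes([code, req_id]) + req_auth + attrs + self.secret).digest()
        return code, req_id, resp_auth, attrs


class Supplicant:
    """The 802.1X client: answers the EAP requests carried in EAPoL frames."""

    def __init__(self, username, password):
        self.username, self.password = username, password

    def eap_response(self, request):
        kind = request[1]
        if kind == "Identity":
            return ("EAP-Response", "Identity", self.username)
        if kind == "Password":          # simplified; real EAP methods never send this in clear
            return ("EAP-Response", "Password", self.password)
        raise ValueError("unsupported EAP request")


class Authenticator:
    """The switch port: EAPoL toward the supplicant, RADIUS toward the server."""

    def __init__(self, server, secret, port_control="auto"):
        self.server, self.secret, self.port_control = server, secret, port_control
        self.port_state = "authorized" if port_control == "force-authorized" else "unauthorized"
        self.reason = "link down"

    def link_up(self, supplicant):
        """Run the exchange for a newly connected host; returns the port state."""
        if self.port_control == "force-authorized":
            self.port_state, self.reason = "authorized", "port-control force-authorized"
        elif self.port_control == "force-unauthorized":
            self.port_state, self.reason = "unauthorized", "port-control force-unauthorized"
        else:  # auto
            identity = supplicant.eap_response(("EAP-Request", "Identity"))[2]
            password = supplicant.eap_response(("EAP-Request", "Password"))[2]
            req_id, req_auth = os.urandom(1)[0], os.urandom(16)
            code, rid, resp_auth, attrs = self.server.access_request(req_id, req_auth, identity, password)
            expected = hashlib.md5(bytes([code, rid]) + req_auth + attrs + self.secret).digest()
            if rid != req_id or not hmac.compare_digest(expected, resp_auth):
                self.port_state = "unauthorized"
                self.reason = "bad Response Authenticator (shared secret mismatch?)"
            elif code == ACCESS_ACCEPT:
                self.port_state, self.reason = "authorized", "Access-Accept for " + identity
            else:
                self.port_state, self.reason = "unauthorized", "Access-Reject for " + identity
        return self.port_state


if __name__ == "__main__":
    server = AuthServer({"alice": "s3cret"}, b"radiuskey")
    for key, user, pw in ((b"radiuskey", "alice", "s3cret"), (b"radiuskey", "alice", "wrong"),
                          (b"otherkey", "alice", "s3cret")):
        port = Authenticator(server, key)
        print(port.link_up(Supplicant(user, pw)), "-", port.reason)
```

The last case in the demo is the one the `radius-server key` step guards against: with mismatched shared secrets the server's reply fails the Response Authenticator check, so the port stays unauthorized even though the credentials were right.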