Wednesday, 26 September 2012

Implementing Basic Cisco Switch Security Part 1

Since many easy-to-use security auditing tools are available to individuals with hostile intentions, security has become a vital part of computer networks.

The most common, and easiest to pull off, Man-in-the-Middle (MITM) attacks on a switched LAN are:

  • ARP Poisoning
  • DHCP Spoofing
  • MAC Flooding

These attacks are popular because the attacker intercepts traffic and usually forwards it on to the real destination, so the victim notices nothing, while gleaning any information that can be used for further attacks or for theft: Voice over IP conversations, passwords and much more. ARP poisoning and DHCP spoofing redirect the victim's traffic through the attacker's machine; MAC flooding overflows the switch's MAC address table so that the switch floods frames out of every port like a hub, letting the attacker sniff them.

It is not uncommon for the attacker to place a rogue device on the network (a small switch or hub, or a rogue DHCP server) to assist with this.

Preventing the attacker:

Fortunately, Cisco switches have ready-to-use features to help you secure your network:
  • Port security: use it to prevent MAC flooding and rogue device placement.
  • Dynamic ARP Inspection (DAI): prevents ARP poisoning by validating ARP packets against the DHCP snooping binding table.
  • DHCP Snooping: protects against rogue DHCP servers, and builds the binding table that DAI relies on.

Network Device Management:

Alas, without secure device management, anything you do to protect your network will be in vain. An attacker who can reach the switch's management plane can simply remove the protections.
  • Avoid using Telnet and HTTP to manage your devices; they send credentials in clear text. Use SSH (version 2) and HTTPS instead.
  • Use strong passwords, and store them hashed (enable secret, username ... secret) rather than with the reversible enable password.
  • If possible, use VPNs to secure management traffic.
  • Management traffic should be on a separate network/VLAN, never on VLAN 1 or on a user VLAN, and the VTY lines should accept connections only from that network.
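The points above, put together as an added baseline management configuration for a Cisco IOS switch (this is an example written for this article, not a configuration from the original post). The hostname, domain name, VLAN 10, the 10.10.10.0/24 addresses and the netadmin account are assumed placeholders; adjust them for your network, and note that ip http secure-server needs a crypto-capable IOS image.

```cisco
! Added example (not from the original post): secure management baseline.
! Hostname, domain, VLAN 10, 10.10.10.0/24 and "netadmin" are assumed values.
hostname SW1
ip domain-name example.local
!
! Local admin account and enable secret, both stored hashed.
! Never use "enable password", it is reversible.
username netadmin privilege 15 secret Str0ng-Pa55phrase!
enable secret An0ther-Str0ng-Pa55phrase!
service password-encryption
!
! Dedicated management VLAN and SVI; do not manage the switch over VLAN 1
vlan 10
 name MGMT
interface Vlan10
 ip address 10.10.10.2 255.255.255.0
 no shutdown
ip default-gateway 10.10.10.1
!
! SSH version 2 only; the RSA key must exist before SSH can come up
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Only accept management sessions from the management subnet
ip access-list standard MGMT-HOSTS
 permit 10.10.10.0 0.0.0.255
 deny   any log
!
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 login local
 exec-timeout 10 0
!
! Telnet is gone because only ssh is allowed on the vty lines.
! Disable plain HTTP; keep HTTPS only if you really need the web UI.
no ip http server
ip http secure-server
!
! Slow down password guessing: 120 s lockout after 3 failures within 60 s
login block-for 120 attempts 3 within 60
```

Verify with "show ip ssh" (it should report SSH Enabled - version 2.0) and "show run | section line vty", then test that a Telnet connection to the SVI is refused before you rely on it. Remember that the management VLAN only stays separate if no user-facing access port is assigned to VLAN 10 and it is pruned from trunks that do not need it.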

Port security:

This feature lets you control which devices (identified by MAC address) and how many of them may use a switch port.
By default, when you enable port security, one MAC address is allowed on the port, and if another device appears on that port (through a hub or a small switch, for example) the port is shut down (placed in the err-disabled state) so that the attacker cannot use it.
Port security is effective against MAC flooding, because the flood of bogus source addresses triggers a violation on the first extra address, and it keeps rogue devices from connecting to your network.
Keep in mind that it matches only on the source MAC address: an attacker who clones the MAC address of an allowed device will not be stopped, so treat port security as one layer of defence rather than the whole of it.

Port security has 3 violation modes:
  • Shutdown (default): the port goes into the err-disabled state and stays down until an operator issues shutdown / no shutdown on it (or err-disable recovery is configured). An SNMP trap is sent, a syslog message is logged and the violation counter is incremented.
  • Restrict: the port stays up and drops frames from the offending MAC address. An SNMP trap is sent, a syslog message is logged and the violation counter is incremented.
  • Protect: similar to Restrict, the port stays up and drops the offending device's frames, but it does nothing to let you know a violation occurred: no trap, no syslog message, and the counter is not incremented. Avoid it unless you have a reason not to want the alerts.

Configuring Port security

First you have to enable port security on the ports you want to protect (in IOS, lines beginning with "!" are comments):
switch# configure terminal
switch(config)# interface fa0/1
! port security requires a static access (or static trunk) port; it cannot be enabled on a port in dynamic (DTP) mode
switch(config-if)# switchport mode access
! this enables the feature
switch(config-if)# switchport port-security
! allow exactly 1 device on the port (this is also the default)
switch(config-if)# switchport port-security maximum 1
! set the violation mode to shutdown (also the default)
switch(config-if)# switchport port-security violation shutdown
Set the maximum to exactly the number of devices that legitimately use the port. If you configure a maximum of 4 and only one device is connected, three more devices (an attacker's included) can be plugged in through a hub without triggering a violation, which makes port security useless on that port. The opposite is just as bad: with more devices than the configured maximum, the port will shut down or you will have connectivity problems (an IP phone with a PC behind it, for example, needs a maximum of at least 2).
If the devices do not move between ports (they are not mobile), it is good practice to hard-code the device's MAC address in the port security configuration:
switch(config-if)# switchport port-security mac-address 1a1a.11a1.a111
! 1a1a.11a1.a111 is an example of how to write the MAC address (three groups of four hex digits separated by dots)
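The full procedure above as a complete, added example (written for this article, not taken from the original post) that also shows the "sticky" learning option and the err-disable recovery timer a practitioner would normally want alongside it. Fa0/1 and the MAC address 1a1a.11a1.a111 are the post's own placeholders; Fa0/2-24, the 10-minute recovery interval, the 10.10.10.50 collector and the MON-RO community string are assumed values.

```cisco
! Added example (not from the original post): complete port-security setup.
! Fa0/2-24, the 600 s recovery timer, 10.10.10.50 and MON-RO are assumed.
!
! Port with a single fixed workstation: hard-coded MAC, shutdown on violation
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 1a1a.11a1.a111
 switchport port-security violation shutdown
!
! Ports where devices are stable but you do not want to type every MAC:
! "sticky" learns the first MAC(s) seen and writes them into the running
! config so they survive a link flap (save with "write memory" afterwards).
! Restrict keeps the port up but drops and logs anything beyond the limit.
interface range FastEthernet0/2 - 24
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! Optional: bring shutdown-mode ports back automatically after 10 minutes
! instead of waiting for an operator to do "shutdown" / "no shutdown"
errdisable recovery cause psecure-violation
errdisable recovery interval 600
!
! Make sure violations actually reach your syslog and SNMP collectors
logging host 10.10.10.50
snmp-server host 10.10.10.50 version 2c MON-RO
snmp-server enable traps port-security
```

Check the result with "show port-security" (per-port maximum, current count and violation count), "show port-security interface fa0/1" (status, violation mode, last source address) and "show port-security address" (the secure MAC table, including sticky-learned entries). "show errdisable recovery" confirms the recovery timer. Before enabling sticky learning on a port, make sure only the legitimate device is connected, otherwise the switch will happily learn the attacker's MAC address as the allowed one.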
