06- Securing the Local Area Network 
Ahmed Sultan 
CCNA | CCNA Security | CCNP Security | JNCIA-Junos | CEH 
© 2009 Cisco Learning Institute.
[Figure: network overview placing Layer 2 security alongside the other security areas: the perimeter firewall, IPS, VPN and ACS, the web, email and DNS servers, the internal hosts and the Internet]
OSI Model
When it comes to networking, Layer 2 is often a very weak link.
[Figure: two OSI stacks side by side. An initial compromise at the Data Link layer (MAC addresses, physical links) leaves every layer above it compromised: Network (IP addresses), Transport (protocols and ports), Session, Presentation and Application (the application stream)]
MAC Address Spoofing Attack
[Figure: a server with MAC address AABBcc on switch port 1 and an attacker with MAC address 12AbDd on switch port 2]
The switch keeps track of the endpoints by maintaining a MAC address table. In MAC spoofing, the attacker poses as another host—in this case, AABBcc.
Switch: "I have associated Ports 1 and 2 with the MAC addresses of the devices attached. Traffic destined for each device will be forwarded directly."
MAC Address Spoofing Attack
[Figure: the attacker on port 2 now also presents MAC address AABBcc, and the switch's MAC address table maps AABBcc to port 2]
Attacker: "I have changed the MAC address on my computer to match the server."
Switch: "The device with MAC address AABBcc has changed locations to Port 2. I must adjust my MAC address table accordingly."
MAC Address Table Overflow Attack
The switch can forward frames between PC1 and PC2 without flooding because the MAC address table contains port-to-MAC-address mappings for these PCs.
MAC Address Table Overflow Attack
[Figure: hosts A, B, C and D in VLAN 10; the CAM table lists bogus MACs X, Y and Z all learned on port 3/25, and the switch floods frames out of every port]
1. Intruder runs macof to begin sending unknown bogus MAC addresses.
2. Bogus addresses are added to the CAM table. CAM table is full.
3. The switch floods the frames.
4. Attacker sees traffic to servers B and D.
LAB: MAC Address Table Overflow Attack
STP Manipulation Attack
• Spanning tree protocol operates by electing a root bridge
• STP builds a tree topology
• STP manipulation changes the topology of a network—the attacking host appears to be the root bridge
[Figure: three switches; the root bridge has priority 8192 and MAC address 0000.00C0.1234, and ports are marked F (forwarding) or B (blocking)]
Configure PortFast
[Figure: a server and a workstation attached to access ports]
Switch(config-if)# spanning-tree portfast
• Enables PortFast on a Layer 2 access port and forces it to enter the forwarding state immediately.
Switch(config-if)# no spanning-tree portfast
• Disables PortFast on a Layer 2 access port. PortFast is disabled by default.
Switch(config)# spanning-tree portfast default
• Globally enables the PortFast feature on all nontrunking ports.
Switch# show running-config interface type slot/port
• Indicates whether PortFast has been configured on a port.
STP Manipulation Attack
[Figure: the attacker connects to two switches and sends STP BPDUs with priority 0 toward both; the legitimate root bridge has priority 8192, and the attacking host becomes the root bridge]
The attacking host broadcasts out STP configuration and topology change BPDUs. This is an attempt to force spanning tree recalculations.
BPDU Guard
[Figure: the attacker's STP BPDU arrives on a port with BPDU guard enabled; the root bridge is unaffected]
Switch(config)# spanning-tree portfast bpduguard default
• Globally enables BPDU guard on all ports with PortFast enabled
Root Guard
[Figure: the root bridge has priority 0 and MAC address 0000.0c45.1a5d; the attacker (MAC address 0000.0c45.1234) sends an STP BPDU with priority 0 into a port with root guard enabled]
Switch(config-if)# spanning-tree guard root
• Enables root guard on a per-interface basis
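The two guard slides above describe different responses to the attacker's priority-0 BPDU. The following Python model is an added example, not part of the original deck: it replays the STP root election on a switch whose attacker-facing port is unprotected, BPDU-guarded, or root-guarded. The root and attacker bridge IDs are the ones shown on the slides; the local switch's own ID and port names are constructed.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True, order=True)
class BridgeID:
    """STP bridge ID; the numerically lowest (priority, MAC) wins the election."""
    priority: int
    mac: str


@dataclass
class Port:
    name: str
    bpdu_guard: bool = False    # spanning-tree portfast bpduguard default (edge port)
    root_guard: bool = False    # spanning-tree guard root
    state: str = "forwarding"   # forwarding | err-disabled | root-inconsistent


@dataclass
class Bridge:
    me: BridgeID
    root: BridgeID                      # the root this bridge currently believes in
    ports: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def receive_bpdu(self, port_name, claimed_root):
        """Process a BPDU advertising claimed_root; returns the port's state."""
        port = self.ports[port_name]
        if port.state == "err-disabled":
            return port.state                        # port is down, BPDU never seen
        if port.bpdu_guard:
            # Any BPDU on a PortFast/BPDU-guarded port shuts the port down.
            port.state = "err-disabled"
            self.log.append(f"{port_name}: BPDU received, port err-disabled")
            return port.state
        superior = claimed_root < self.root
        if superior and port.root_guard:
            # Superior BPDU on a root-guarded port: block the port, keep the root.
            port.state = "root-inconsistent"
            self.log.append(f"{port_name}: superior BPDU, port root-inconsistent")
            return port.state
        if superior:
            self.log.append(f"{port_name}: root changed {self.root} -> {claimed_root}")
            self.root = claimed_root                 # spanning tree recalculated
        return port.state

    def bpdus_stopped(self, port_name):
        """Root guard recovers on its own once the superior BPDUs stop."""
        port = self.ports[port_name]
        if port.state == "root-inconsistent":
            port.state = "forwarding"
        return port.state


# Bridge IDs from the slides; the local switch's own ID is constructed.
LEGIT_ROOT = BridgeID(8192, "0000.00c0.1234")
ATTACKER = BridgeID(0, "0000.0c45.1234")
LOCAL = BridgeID(32768, "0000.0c11.aaaa")


def attack(bpdu_guard=False, root_guard=False):
    """Attacker on Gi0/5 advertises itself as root. Returns (root, port state)."""
    sw = Bridge(me=LOCAL, root=LEGIT_ROOT)
    sw.ports["Gi0/5"] = Port("Gi0/5", bpdu_guard=bpdu_guard, root_guard=root_guard)
    sw.ports["Gi0/24"] = Port("Gi0/24")             # uplink toward the real root
    sw.receive_bpdu("Gi0/24", LEGIT_ROOT)           # normal BPDU from the real root
    for _ in range(3):                              # the attacker keeps sending
        sw.receive_bpdu("Gi0/5", ATTACKER)
    return sw.root, sw.ports["Gi0/5"].state


if __name__ == "__main__":
    print("unprotected:", attack())
    print("bpdu guard: ", attack(bpdu_guard=True))
    print("root guard: ", attack(root_guard=True))
```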
LAN Storm Attack
[Figure: broadcast frames flooded out of every switch port]
• Broadcast, multicast, or unicast packets are flooded on all ports in the same VLAN.
• These storms can increase the CPU utilization on a switch to 100%, reducing the performance of the network.
VLAN Attacks
• Segmentation
• Flexibility
• Security
VLAN = Broadcast Domain = Logical Network (Subnet)
VLAN Hopping Attack
[Figure: the attacker's port is negotiated into an 802.1Q trunk, giving it access to both VLAN 10 and VLAN 20 and the servers on them]
Attacker sees traffic destined for servers.
A VLAN hopping attack can be launched by spoofing DTP messages from the attacking host to cause the switch to enter trunking mode.
Port Security Overview
[Figure: port 0/1 allows MAC A, port 0/2 allows MAC B and port 0/3 allows MAC C; attacker 1 presents MAC A and attacker 2 presents MAC F]
Allows an administrator to statically specify MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses.
CLI Commands
Switch(config-if)# switchport mode access
• Sets the interface mode as access
Switch(config-if)# switchport port-security
• Enables port security on the interface
Switch(config-if)# switchport port-security maximum value
• Sets the maximum number of secure MAC addresses for the interface (optional)
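To see why the port-security maximum above defeats the MAC address table overflow attack of slides 6 and 7, here is a small Python model of a switch's CAM table with and without port security. It is an added example written for this page, not code from the deck; the table size, port names and MAC addresses are constructed, and the port-security violation mode is assumed to be the default shutdown.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class PortSecurity:
    maximum: int                 # switchport port-security maximum <value>
    learned: set = field(default_factory=set)
    err_disabled: bool = False   # assumed default violation mode: shutdown


@dataclass
class Switch:
    capacity: int                # CAM table size, kept tiny so it overflows quickly
    ports: list                  # ports in the VLAN
    cam: dict = field(default_factory=dict)   # MAC -> port
    psec: dict = field(default_factory=dict)  # port -> PortSecurity

    def enable_port_security(self, port, maximum):
        self.psec[port] = PortSecurity(maximum)

    def is_down(self, port):
        ps = self.psec.get(port)
        return ps is not None and ps.err_disabled

    def age_out(self, mac):
        """CAM entries expire on a real switch; expire one explicitly here."""
        self.cam.pop(mac, None)

    def _learn(self, src, in_port):
        """Learn src on in_port. Returns False when the frame must be dropped."""
        ps = self.psec.get(in_port)
        if ps is not None:
            if ps.err_disabled:
                return False
            if src not in ps.learned:
                if len(ps.learned) >= ps.maximum:
                    ps.err_disabled = True   # violation: port shut down, frame dropped
                    return False
                ps.learned.add(src)
        if src in self.cam or len(self.cam) < self.capacity:
            self.cam[src] = in_port
        # else: table is full, nothing is learned, the frame is still forwarded
        return True

    def receive(self, src, dst, in_port):
        """Return the ports the frame is sent out of."""
        if not self._learn(src, in_port):
            return []
        if dst != BROADCAST and dst in self.cam:
            return [self.cam[dst]]                   # known unicast: one port
        return [p for p in self.ports                # unknown or broadcast: flooded
                if p != in_port and not self.is_down(p)]


def scenario(port_security):
    """Hosts A and B talk, the attacker on Fa0/3 floods bogus MACs, and A's
    entry ages out. Returns what the attacker ends up seeing."""
    A, B = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"           # constructed
    sw = Switch(capacity=8, ports=["Fa0/1", "Fa0/2", "Fa0/3"])
    if port_security:
        sw.enable_port_security("Fa0/3", maximum=1)
    sw.receive(A, BROADCAST, "Fa0/1")                         # A learned on Fa0/1
    sw.receive(B, A, "Fa0/2")                                 # B learned on Fa0/2
    bogus = [f"02:00:00:00:00:{i:02x}" for i in range(40)]    # constructed flood
    for mac in bogus[:20]:
        sw.receive(mac, BROADCAST, "Fa0/3")
    sw.age_out(A)                                             # A's entry expires...
    for mac in bogus[20:]:
        sw.receive(mac, BROADCAST, "Fa0/3")                   # ...while the flood goes on
    sw.receive(B, A, "Fa0/2")                                 # A unknown: flooded
    sw.receive(A, B, "Fa0/1")                                 # A replies; re-learned?
    out = sw.receive(B, A, "Fa0/2")
    return {"cam_entries": len(sw.cam),
            "attacker_sees_B_to_A": "Fa0/3" in out,
            "attacker_port_shutdown": sw.is_down("Fa0/3")}


if __name__ == "__main__":
    print("no port security:   ", scenario(False))
    print("port security max 1:", scenario(True))
```

Without port security the full table prevents A from ever being re-learned, so every frame to A is flooded to the attacker's port; with a maximum of one MAC the second bogus address err-disables the attacker's port and the table stays small.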
LAB: MAC Address Table Overflow Attack
Mitigating VLAN Attacks
[Figure: a trunk link with native VLAN = 10]
1. Disable trunking on all access ports.
2. Disable auto trunking and manually enable trunking.
3. Be sure that the native VLAN is used only for trunk lines and nowhere else.
Controlling Trunking
Switch(config-if)# switchport mode trunk
• Specifies an interface as a trunk link.
Switch(config-if)# switchport nonegotiate
• Prevents the generation of DTP frames.
Switch(config-if)# switchport trunk native vlan vlan_number
• Sets the native VLAN on the trunk to an unused VLAN.
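The three mitigation steps and the trunking commands above can be checked mechanically against a switch's running-config. The following Python audit is an added example, not part of the deck: it parses a constructed running-config excerpt and flags ports that still negotiate trunking via DTP, trunks without nonegotiate, trunks left on native VLAN 1, and native VLANs that are also in use as an access VLAN. It assumes that an interface with no switchport mode line defaults to dynamic auto and that an unspecified VLAN is VLAN 1.

```python
# Constructed running-config excerpt used as sample input (not from the slides).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport access vlan 10
 switchport port-security
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet0/3
 switchport mode dynamic desirable
!
interface GigabitEthernet0/23
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/24
 switchport trunk native vlan 10
 switchport mode trunk
!
"""


def parse_interfaces(config):
    """Return {interface name: [its indented config lines, stripped]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None          # "!" or any top-level line ends the block
    return interfaces


def _vlan(lines, prefix, default):
    """VLAN number from a 'switchport ... vlan N' line, or the default."""
    for line in lines:
        if line.startswith(prefix):
            return int(line[len(prefix):])
    return default


def audit(config):
    """Check the VLAN-attack mitigations from the slides; returns findings."""
    findings = []
    access_vlans, native_vlans = {}, {}
    for name, lines in parse_interfaces(config).items():
        mode = next((l[len("switchport mode "):] for l in lines
                     if l.startswith("switchport mode ")), None)
        # Assumption: with no "switchport mode" line the port defaults to
        # dynamic auto, i.e. it will negotiate a trunk with DTP.
        if mode is None or mode.startswith("dynamic"):
            findings.append((name, "negotiates trunking via DTP; set "
                             "'switchport mode access' on access ports"))
        if mode == "trunk":
            if "switchport nonegotiate" not in lines:
                findings.append((name, "trunk still sends DTP; add "
                                 "'switchport nonegotiate'"))
            native_vlans[name] = _vlan(lines, "switchport trunk native vlan ", 1)
            if native_vlans[name] == 1:
                findings.append((name, "native VLAN left at default 1; move it "
                                 "to an unused VLAN"))
        else:
            vlan = _vlan(lines, "switchport access vlan ", 1)
            access_vlans.setdefault(vlan, []).append(name)
    for trunk, vlan in native_vlans.items():
        if vlan in access_vlans:
            findings.append((trunk, f"native VLAN {vlan} is also the access VLAN "
                             f"of {', '.join(access_vlans[vlan])}"))
    return findings


if __name__ == "__main__":
    for iface, msg in audit(SAMPLE_CONFIG):
        print(f"{iface}: {msg}")
```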
CCNA Security 07-Securing the local area network