
Notes on the Security of layer 2 Network

2025-01-28 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article is based on notes taken from a Cisco network security book. These notes cover only part of the layer 2 network security precautions; they must be applied according to your own environment to actually secure the network.

MAC attacks and prevention:

Attack: MAC address flooding. Tools such as Ettercap or macof send frames from a huge number of random source MAC addresses until the switch's MAC (CAM) table is full. Once the table is exhausted the switch can no longer learn new stations and floods frames addressed to them out of every port, so the attacker receives traffic that would normally stay on a single port, and the whole segment degrades under the flooding load.

Prevention: 1) Port security (limit the number of MAC addresses learned per port)

2) MAC address activity notification (MAC address add/move notifications, so that a burst of new addresses is visible to monitoring)

3) Unknown unicast flooding protection (this feature is only available on the 6509)
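To make the mechanism concrete, the following is an added example (not code from the original notes or from Cisco) that models a switch MAC table under a macof-style flood, first without any protection and then with port security in shutdown and restrict modes. The table capacity, port names and MAC addresses are constructed for illustration; real CAM tables hold thousands of entries, but the behaviour is the same.

```python
"""Model of a switch MAC (CAM) table under a macof-style source-MAC flood,
with and without port security. Added example, not code from the original
notes or from Cisco; table capacity, port names and MAC addresses are
constructed for illustration (real CAM tables hold thousands of entries)."""
import random
from collections import OrderedDict


class CamTable:
    """Fixed-capacity MAC table. Frames to a destination that is not in the
    table are flooded out of every port, which is what the attacker wants."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.table = OrderedDict()  # mac -> port

    def learn(self, mac, port):
        """Return True if the source MAC is (now) in the table."""
        if mac in self.table:
            self.table[mac] = port
            return True
        if len(self.table) >= self.capacity:
            return False  # table exhausted: new stations cannot be learned
        self.table[mac] = port
        return True

    def egress(self, dst_mac):
        return self.table.get(dst_mac, "FLOOD")


class PortSecurity:
    """'switchport port-security maximum N violation {shutdown|restrict}':
    at most N source MACs per port; any further MAC is a violation."""

    def __init__(self, maximum, violation="shutdown"):
        self.maximum = maximum
        self.violation = violation
        self.secure = {}          # port -> set of allowed MACs
        self.errdisabled = set()
        self.violations = 0

    def allow(self, port, mac):
        if port in self.errdisabled:
            return False
        macs = self.secure.setdefault(port, set())
        if mac in macs:
            return True
        if len(macs) < self.maximum:
            macs.add(mac)
            return True
        self.violations += 1
        if self.violation == "shutdown":
            self.errdisabled.add(port)  # port goes err-disabled
        return False  # restrict/protect: frame dropped, port stays up


def random_mac(rng):
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))


def run_flood(port_security=None, capacity=1000, flood_frames=5000, seed=1):
    """Attacker on Fa0/2 floods random source MACs; afterwards a new host on
    Fa0/3 plugs in and the server on Gi0/1 sends it a frame."""
    rng = random.Random(seed)
    cam = CamTable(capacity)
    server, newcomer = "00:aa:bb:cc:dd:ee", "00:11:22:33:44:66"
    cam.learn(server, "Gi0/1")
    attacker_learned = 0
    for _ in range(flood_frames):
        mac = random_mac(rng)
        if port_security is not None and not port_security.allow("Fa0/2", mac):
            continue  # dropped by port security before the table sees it
        if cam.learn(mac, "Fa0/2"):
            attacker_learned += 1
    newcomer_learned = cam.learn(newcomer, "Fa0/3")
    return {
        "table_full": len(cam.table) >= capacity,
        "attacker_learned": attacker_learned,
        "newcomer_learned": newcomer_learned,
        # where the server's frame to the newcomer goes: its own port, or
        # FLOOD (every port, including the attacker's Fa0/2)
        "newcomer_egress": cam.egress(newcomer),
    }


if __name__ == "__main__":
    print("no port security:", run_flood())
    print("port-security 2 :", run_flood(PortSecurity(maximum=2)))
```

Without protection the attacker fills the table, the newcomer cannot be learned and its traffic is flooded to the attacker's port; with a maximum of two secure addresses the attacker gets two entries and the port is err-disabled (shutdown) or simply stops accepting new addresses (restrict), so the table never fills.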

STP (Spanning Tree) attacks and prevention

Attacks: 1) Forging the root bridge (advertising a better bridge ID so that the attacker's station becomes the root)

2) DoS attack (creating a network loop) by flooding BPDUs

3) Flooding with configuration BPDUs

4) Simulating a dual-homed switch (a host with two connections that bridges between them)

Prevention: 1) Root Guard: ensures that the port stays a designated port and can never become the root port, even if a superior BPDU arrives

2) BPDU Guard: err-disables an access port on which a BPDU arrives

3) BPDU Filtering

4) Layer 2 PDU rate limiter

VLAN attacks and prevention

Attack: VLAN hopping, using a tool to craft 802.1Q-tagged frames so that a host on an access port reaches another VLAN. Note: on a trunk, the native VLAN is carried untagged, which is what the double-tagging variant relies on: the first switch strips the outer (native VLAN) tag and the next switch honours the inner tag. Tools: Yersinia can attack CDP, DHCP, 802.1Q, DTP, HSRP, ISL, MPLS, STP, VTP, etc.

Precautions: 1) Ensure that the native VLAN is not assigned to any access port

2) Clear the native VLAN from the trunk (not recommended)

3) Force all traffic on the trunk, native VLAN included, to carry a tag

DHCP attacks and prevention

Description: the DHCP client listens on User Datagram Protocol (UDP) port 68, while the DHCP server listens on UDP port 67.

Attacks: 1) Exhaust the address range of the DHCP scope (DHCP scope exhaustion) by requesting leases with many spoofed client hardware addresses

2) Install a rogue DHCP server (handing out an attacker-controlled default gateway or DNS server)

Prevention: use DHCP snooping to monitor and restrict DHCP operations:

a. Port-level DHCP message rate limit

b. DHCP message validation (server messages are dropped on untrusted ports; a client's source MAC must match the CHADDR field)

c. Insertion and removal of option 82 (the ip dhcp snooping information option command enables writing option 82, the relay agent information that records which switch and port a request arrived on)

d. Prevent DoS attacks launched through DHCP

The DHCP snooping configuration is as follows:

Switch(config)# ip dhcp snooping // turn on the DHCP snooping feature globally

Switch(config)# ip dhcp snooping vlan 10 // set which VLAN(s) DHCP snooping works on

Switch(config)# ip dhcp snooping verify mac-address // check that the source MAC and the CHADDR field of DHCP requests received on untrusted ports match, to stop scope exhaustion with spoofed client addresses. Enabled by default.

Switch(config-if)# ip dhcp snooping trust // mark the interface as a trusted interface for DHCP snooping (the one facing the real DHCP server); all interfaces are untrusted by default

Switch(config-if)# ip dhcp snooping limit rate 15 // limit DHCP packets on an untrusted port to 15 packets per second. If this statement is absent no rate limit is applied, and ports without it are not listed in the show ip dhcp snooping output. The configurable range is 1-2048.

Recommendation: after configuring a DHCP packet rate limit on a port, also configure the following two commands; otherwise a port that exceeds the limit stays err-disabled until an administrator clears it:

Switch(config)# errdisable recovery cause dhcp-rate-limit // let ports err-disabled by the DHCP rate limit recover automatically

Switch(config)# errdisable recovery interval 30 // recovery time: a port leaves the err-disable state after 30 seconds

Switch(config)# ip dhcp snooping information option // insert option 82 into DHCP messages received on untrusted ports. Enabled by default.

Switch(config)# ip dhcp snooping information option allow-untrusted // on an aggregation switch, accept DHCP messages that already carry option 82 arriving on untrusted ports (i.e., from downstream access switches)

Switch# ip dhcp snooping binding 000f.1fc5.1008 vlan 10 192.168.10.131 interface fa0/2 expiry 692000 // privileged-mode command; manually adds a DHCP snooping binding entry; expiry is the lifetime of the entry in seconds, i.e., the lease in the snooping binding table

Switch(config)# ip dhcp snooping database flash:dhcp_snooping.db // save the DHCP snooping binding table to flash under the file name dhcp_snooping.db

Switch(config)# ip dhcp snooping database tftp://10.133.131.142/Switch/dhcp_snooping.db // save the binding table to a TFTP server; 10.133.131.142 is the TFTP server address and must be reachable beforehand. Switch in the URL is a folder on the TFTP server; the saved file is called dhcp_snooping.db, and a write is performed immediately when the save location is changed.

Switch(config)# ip dhcp snooping database write-delay 30 // after the binding table changes, wait 30 seconds before writing it to the file. Default 300 seconds; range 15-86400 seconds.

Switch(config)# ip dhcp snooping database timeout 60 // after a write of the binding table fails, keep retrying until 60 seconds have passed. Default 300 seconds; range 0-86400 seconds.

Description: when the binding table changes, the switch first waits write-delay seconds and then writes. If the write fails (for example, the TFTP server is unreachable) it retries for timeout seconds and then gives up. Because the table has still changed, the write-delay timer starts again and the cycle repeats until a write succeeds. The database matters after a reload: without it the switch starts with an empty binding table, and Dynamic ARP Inspection, which relies on that table, drops the ARP traffic of hosts with existing leases until they renew.

Switch# renew ip dhcp snooping database flash:dhcp_snooping.db // privileged-mode command; immediately read the binding table from the saved database file.

Displaying the DHCP snooping status:

Switch# show ip dhcp snooping // display the current DHCP snooping options and port configuration

Switch# show ip dhcp snooping binding // display the current DHCP snooping binding table

Switch# show ip dhcp snooping database // display information about the DHCP snooping binding database

Switch# show ip dhcp snooping statistics // display DHCP snooping statistics

Switch# clear ip dhcp snooping binding // clear the DHCP snooping binding table. Note: as given here, the command clears all entries, not a single one

Switch# clear ip dhcp snooping database statistics // clear the counters of the binding database

Switch# clear ip dhcp snooping statistics // clear the DHCP snooping statistics counters

ARP attacks and prevention

Risk analysis of ARP: no authentication, information disclosure, availability problems

Attack: ARP spoofing (ARP cache poisoning). Attack tools: dsniff, Ettercap, Cain

Prevention:

1) On the switch, Dynamic ARP Inspection (DAI): discard spoofed ARP packets with the help of the IP-to-MAC mappings learned through DHCP snooping (hosts with static addresses need their mappings supplied to the switch separately, or their ARP traffic will be dropped)

2) On hosts, gratuitous ARP packets can be ignored

3) Intrusion Detection System (IDS): maintain the state of all (IP, MAC) mappings and detect whether anyone is trying to change an existing mapping
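The validation that DHCP snooping and DAI perform is easier to reason about when written out. The block below is an added example (not code from the original notes or from Cisco IOS) serving both the DHCP section above and this ARP section: it builds real BOOTP and ARP packets, drops DHCP server replies that arrive on untrusted ports, enforces the CHADDR-equals-source-MAC check, learns a binding from the server's ACK on the trusted uplink, and then lets DAI reject an ARP reply whose sender IP/MAC does not match that binding. The Switch class, its port names and all frames are constructed for illustration.

```python
"""DHCP snooping and Dynamic ARP Inspection (DAI) modelled in Python.
Added example, not code from the original notes or from Cisco IOS: the
Switch class, its binding table and the frames fed to it are constructed
for illustration. It serves the DHCP attacks section (server replies on
untrusted ports, CHADDR vs source MAC) and the ARP section (DAI)."""
import struct
from ipaddress import IPv4Address

BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK = 1, 2, 3, 5
MAGIC = b"\x63\x82\x53\x63"
BOOTP_HDR = struct.Struct("!BBBBIHHIIII16s")   # fixed BOOTP fields, 44 bytes
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")      # Ethernet/IPv4 ARP, 28 bytes


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_dhcp(op, xid, chaddr, msg_type, yiaddr="0.0.0.0"):
    """BOOTP header + sname/file padding + magic cookie + option 53 + end."""
    hdr = BOOTP_HDR.pack(op, 1, 6, 0, xid, 0, 0, 0, int(IPv4Address(yiaddr)),
                         0, 0, mac_bytes(chaddr).ljust(16, b"\0"))
    return hdr + b"\0" * 192 + MAGIC + bytes([53, 1, msg_type, 255])


def parse_dhcp(payload):
    (op, _, _, _, xid, _, _, _, yiaddr, _, _,
     chaddr) = BOOTP_HDR.unpack(payload[:BOOTP_HDR.size])
    opts, i, msg_type = payload[BOOTP_HDR.size + 192 + 4:], 0, None
    while i < len(opts) and opts[i] != 255:          # walk the option TLVs
        code, length = opts[i], opts[i + 1]
        if code == 53:
            msg_type = opts[i + 2]
        i += 2 + length
    return {"op": op, "xid": xid, "chaddr": chaddr[:6].hex(":"),
            "yiaddr": str(IPv4Address(yiaddr)), "type": msg_type}


def build_arp(oper, sha, spa, tha, tpa):
    return ARP_PKT.pack(1, 0x0800, 6, 4, oper, mac_bytes(sha), IPv4Address(spa).packed,
                        mac_bytes(tha), IPv4Address(tpa).packed)


def parse_arp(payload):
    _, _, _, _, oper, sha, spa, tha, tpa = ARP_PKT.unpack(payload[:ARP_PKT.size])
    return {"oper": oper, "sha": sha.hex(":"), "spa": str(IPv4Address(spa))}


class Switch:
    """Ports not listed as trusted are untrusted, as on a real switch."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}    # xid -> (client MAC, client port) awaiting an ACK
        self.bindings = {}   # IP -> (MAC, port): the DHCP snooping binding table
        self.dropped = []    # (port, reason) for every dropped frame

    def _drop(self, port, reason):
        self.dropped.append((port, reason))
        return False

    def snoop_dhcp(self, port, src_mac, payload):
        """Return True if the DHCP message is forwarded, False if dropped."""
        m = parse_dhcp(payload)
        if port not in self.trusted:
            if m["op"] == BOOTREPLY:        # OFFER/ACK from an access port: rogue server
                return self._drop(port, "server reply on untrusted port")
            if m["chaddr"] != src_mac:      # 'ip dhcp snooping verify mac-address'
                return self._drop(port, f"chaddr {m['chaddr']} != source MAC {src_mac}")
            self.pending[m["xid"]] = (m["chaddr"], port)
        elif m["type"] == DHCPACK and m["xid"] in self.pending:
            chaddr, client_port = self.pending.pop(m["xid"])
            self.bindings[m["yiaddr"]] = (chaddr, client_port)   # lease learned
        return True

    def inspect_arp(self, port, src_mac, payload):
        """DAI: on untrusted ports the ARP sender must match a snooping binding."""
        a = parse_arp(payload)
        if port in self.trusted:
            return True
        if a["sha"] != src_mac:             # 'ip arp inspection validate src-mac'
            return self._drop(port, f"ARP sender {a['sha']} != frame source {src_mac}")
        if self.bindings.get(a["spa"]) != (a["sha"], port):
            return self._drop(port, f"no binding for {a['spa']} -> {a['sha']} on {port}")
        return True


def demo():
    """Constructed scenario: legitimate lease, rogue OFFER, spoofed CHADDR, ARP spoof."""
    sw = Switch(trusted_ports={"Gi0/1"})    # uplink towards the real DHCP server
    client, server, attacker = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", "de:ad:be:ef:00:01"
    r = {}
    r["discover"] = sw.snoop_dhcp("Fa0/1", client, build_dhcp(BOOTREQUEST, 0x1234, client, DHCPDISCOVER))
    r["ack"] = sw.snoop_dhcp("Gi0/1", server, build_dhcp(BOOTREPLY, 0x1234, client, DHCPACK, "192.168.10.131"))
    r["rogue_offer"] = sw.snoop_dhcp("Fa0/2", attacker, build_dhcp(BOOTREPLY, 0x5555, client, DHCPOFFER, "192.168.10.200"))
    r["spoofed_chaddr"] = sw.snoop_dhcp("Fa0/2", attacker, build_dhcp(BOOTREQUEST, 0x7777, "02:00:00:00:00:01", DHCPDISCOVER))
    r["arp_ok"] = sw.inspect_arp("Fa0/1", client, build_arp(2, client, "192.168.10.131", server, "192.168.10.1"))
    r["arp_spoof"] = sw.inspect_arp("Fa0/2", attacker, build_arp(2, attacker, "192.168.10.131", client, "192.168.10.1"))
    return sw, r
```

The order of the checks is the point: a rogue server's OFFER is dropped because of the port it arrives on, before its contents are even looked at, and the ARP reply from the attacker is well formed (its sender MAC matches the frame) but fails simply because no lease ties 192.168.10.131 to that MAC on that port. The `sw.dropped` list is what a switch would log and what an IDS rule should be built on.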

Enabling DAI in Cisco IOS

Advanced DAI configuration in Cisco IOS

PoE (Power over Ethernet) attacks and prevention

PoE detection mechanisms:

1) Cisco pre-standard: sends a low-frequency alternating current (AC) signal on one twisted pair of the Category 5 cable and checks whether it comes back on another pair.

2) IEEE 802.3af: applies a direct current (DC) voltage across two twisted pairs of the Category 5 cable and checks for the resulting current flow (the powered device's detection signature).

PoE risk analysis:

1) Power gobbling: an unauthorized device connected to the switch requests so much power that the authorized powered devices (PDs) have none left

2) Power changing: altering the amount of power a device is granted

3) Burning: the attacker fools the switch's power detection mechanism so that the switch supplies power over the Category 5 cable to an end station that does not expect to be powered

4) Shutting down: if the switch is powered off or the cable is cut, the PDs lose power and go down

Prevention: 1) Prevent power theft by limiting the power each port may supply, for example capping a device port at 7 W (7000 mW)

HSRP attacks and prevention

HSRP description: HSRP runs over UDP; the port number is 1985 for IPv4 and 2029 for IPv6. HSRP packets are sent to the multicast address 224.0.0.2 (version 1) or 224.0.0.102 (version 2) with the TTL set to 1.

HSRP attacks:

1) DoS: the hsrp tool in the IRPAS package injects hellos that claim the active role; the command has the form:

hsrp -d 224.0.0.2 -v 192.168.0.8 -a cisco -g <group> -i eth0 -S 192.168.0.66

(-d destination, -v virtual IP, -a authentication string, here the HSRP default "cisco", -g group number, which is illegible in the notes, -i interface, -S spoofed source address)

2) Man-in-the-middle: the attacker becomes the active router and relays the traffic of every host using the virtual IP

3) Information disclosure: hellos expose the group, priorities and the plaintext authentication string

HSRP prevention: 1) Enforce authentication: validate all HSRP messages with an MD5 HMAC. Without it HSRP uses the plaintext default string "cisco", which is exactly what the IRPAS command above supplies, so a plaintext key adds nothing against an attacker on the segment.

2) Use an ACL to filter HSRP messages that do not come from the legitimate HSRP routers
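What the IRPAS command sends is an ordinary HSRPv1 hello with the highest priority, so the takeover is visible to anyone parsing the multicast stream. The following is an added example (not code from the original notes or from Cisco) that parses the 20-byte HSRPv1 body and flags three things a monitor should alert on: a hello from an address that is not one of the configured routers, the default plaintext key "cisco", and a priority that outranks every legitimate router. The router addresses, priorities and the captured packets are constructed; the third packet mimics the IRPAS hello from the section above.

```python
"""HSRPv1 hello parser and a takeover detector. Added example, not code from
the original notes or from Cisco; the legitimate router addresses, priorities
and the captured packets are constructed to mimic what the IRPAS hsrp
command sends (a hello with priority 255 and the default 'cisco' key)."""
import struct
from ipaddress import IPv4Address

# RFC 2281 HSRPv1 body: version, opcode, state, hellotime, holdtime, priority,
# group, reserved, 8-byte plaintext authentication data, virtual IP
HSRP_V1 = struct.Struct("!BBBBBBBB8s4s")
OPCODES = {0: "hello", 1: "coup", 2: "resign"}
STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}
DEFAULT_AUTH = b"cisco"  # what HSRP uses when no authentication is configured


def build_hsrp(priority, group, vip, auth=DEFAULT_AUTH, opcode=0, state=16):
    """Hello (opcode 0) in the active state with the default 3 s / 10 s timers."""
    return HSRP_V1.pack(0, opcode, state, 3, 10, priority, group, 0,
                        auth.ljust(8, b"\0"), IPv4Address(vip).packed)


def parse_hsrp(payload):
    (_, opcode, state, hello, hold, prio, group, _,
     auth, vip) = HSRP_V1.unpack(payload[:HSRP_V1.size])
    return {"opcode": OPCODES.get(opcode, opcode), "state": STATES.get(state, state),
            "hellotime": hello, "holdtime": hold, "priority": prio, "group": group,
            "auth": auth.rstrip(b"\0"), "vip": str(IPv4Address(vip))}


def detect_takeover(packets, routers):
    """packets: iterable of (source IP, UDP payload) seen on 224.0.0.2:1985.
    routers: {router IP: configured priority} of the legitimate HSRP peers.
    Returns (source, reason) pairs; 'outranks-active' means the sender's
    priority beats every legitimate router, so it will become active."""
    top = max(routers.values())
    alerts = []
    for src, payload in packets:
        h = parse_hsrp(payload)
        if h["opcode"] not in ("hello", "coup"):
            continue
        if h["auth"] == DEFAULT_AUTH:
            alerts.append((src, "default-plaintext-auth"))
        if src not in routers:
            alerts.append((src, "unknown-source"))
            if h["priority"] > top:
                alerts.append((src, "outranks-active"))
    return alerts


def demo():
    routers = {"192.168.0.1": 110, "192.168.0.2": 100}   # assumed legitimate peers
    vip = "192.168.0.8"
    captured = [  # constructed capture: two normal hellos, then the IRPAS hello
        ("192.168.0.1", build_hsrp(110, 1, vip)),
        ("192.168.0.2", build_hsrp(100, 1, vip, state=8)),
        ("192.168.0.66", build_hsrp(255, 1, vip)),
    ]
    return detect_takeover(captured, routers)


if __name__ == "__main__":
    for src, reason in demo():
        print(src, reason)
```

The two legitimate routers are themselves flagged for running with the default key, which is the finding to fix first: once MD5 authentication is configured, the injected hello is discarded by the routers regardless of its priority, and the detector's remaining value is spotting the attempt.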

VRRP attacks and prevention

VRRP description: VRRP runs directly over IP as protocol number 112. VRRP packets are sent to the multicast address 224.0.0.18 with the TTL set to 255 (a receiver discards packets with any other TTL, which stops injection from beyond one hop).

VRRP attacks: 1) Man-in-the-middle (MITM): all end stations send their packets to the attacker's router instead of the real router

2) DoS attack

VRRP prevention: 1) Enforce authentication: validate VRRP messages with MD5

2) Use an ACL to filter spoofed VRRP messages that do not come from the legitimate routers

CDP attacks and prevention

CDP description: CDP does not run over IP; it runs directly on the data link layer.

CDP attacks: 1) Software or system bugs triggered by malformed CDP frames

2) Auxiliary (voice) VLAN: an attacker learns from CDP which VLAN the IP phones use and can then tag frames into it

3) CDP cache overflow

4) Filling the CDP cache with bogus neighbours

CDP prevention: 1) Check for system bugs and upgrade

2) Disable CDP, at least on ports facing untrusted hosts, since CDP also discloses the switch's platform, software version and addresses to anyone on the segment; keep it only where it is needed (e.g., for IP phones)

The three planes of a switch

Data plane: the data plane performs packet forwarding.

Control plane: handles 1) Address Resolution Protocol (ARP) packets

2) Cisco Discovery Protocol (CDP) packets

3) VLAN Trunk Protocol (VTP) / Spanning Tree Protocol (STP) packets

4) Routing protocol information

Management plane: the management plane is responsible for controlling and configuring the forwarding behaviour of the switch

Attacking the switch:

1) Most data-plane traffic affects only the switch fabric and the Ethernet controllers of the switch

2) Control-plane traffic is received by the Ethernet controller and passed through the switch to the central CPU, so a flood of it can exhaust the CPU

3) Management-plane traffic follows the same path as control-plane traffic

Protecting the switch against attacks:

1) Use out-of-band management as much as possible

2) Accept management traffic only from specific subnets or hosts

3) Encrypt all management traffic (SSH and SNMPv3)

4) Use authentication, authorization and accounting (AAA)

5) Enable syslog / SNMP trap messages to monitor all management-plane activity

Policing the control plane

Traffic that lands in the control plane:

1) Layer 2 processing (L2 processing). A switch must process and respond to the following packets: STP, PVST, LACP, PAgP, 802.1X, CDP, DTP, UDLD, VTP and keepalive packets

2) Internet Group Management Protocol (IGMP)

3) Internet Control Message Protocol (ICMP)

4) Layer 3 processing (L3 processing)

5) Management traffic

Protecting the control plane of the switch:

1) Hardware-based CoPP: for unwanted traffic, use the underlying ASIC features to discard it or to rate-limit it. The C6509 has hardware CoPP and uses the mls rate-limit command to change the value of a rate limiter. For example, to limit to 10 per second the packets punted to the CPU because their TTL expired:

C6509(config)# mls rate-limit all ttl-failure 10

By enabling the multilayer switching (MLS) QoS feature on the C6509, basic hardware CoPP can be enabled on the central Policy Feature Card (PFC) and on line cards that support distributed forwarding:

C6509(config)# mls qos

2) Software-based CoPP: unwanted traffic is discarded or rate-limited by the central CPU, using traffic classes such as:

a. Critical traffic

b. Important traffic

c. Normal traffic

d. Undesirable traffic (a special class for unwanted traffic)

e. Default traffic

Using the switch to detect denial-of-service (DoS) attacks in the data plane

Use NetFlow to detect DoS

Protect the network with RMON (Remote Monitoring)

Protect the network with wire-speed access control lists

Filter bogon prefixes. A bogon is an address that should never appear as a source on the Internet; they include the following:

1) Private addresses defined by RFC 1918

2) The loopback range (127.0.0.0/8)

3) Addresses reserved by IANA

4) Multicast addresses (224.0.0.0/4)

5) The class E range (240.0.0.0/4), reserved for future use

6) Link-local addresses (169.254.0.0/16). These are what a PC uses if it cannot find a DHCP server from which to obtain its addressing information.

These addresses do not appear in the Internet routing table. Attackers often use them as spoofed sources when launching DoS attacks or for IP spoofing in general. You can block these addresses with the following methods:

1) ACL filtering

2) BGP prefix filtering

3) Black-hole routing

4) Route-policy filtering with route maps
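Wildcard masks are where bogon ACLs usually go wrong, so the following added example (not code from the original notes or from Cisco IOS) parses an ACL written in the page's own syntax, converts each wildcard to a prefix while rejecting non-contiguous masks, and evaluates sample source addresses first-match-wins, exactly as the router does. The ACL text is a constructed subset of the ingress filter below (the permanent bogons plus an assumed internal segment 200.1.1.0/24) with a final permit so that non-bogon sources are visibly permitted.

```python
"""Bogon ingress filter expressed the way the page writes it (IOS wildcard
masks) and evaluated in Python. Added example, not code from the original
notes or from Cisco IOS: the ACL text is a constructed subset of the page's
ingress-filter (permanent bogons plus an assumed internal segment), with a
final permit so that non-bogon sources show as permitted."""
from ipaddress import IPv4Address, IPv4Network

INGRESS_FILTER = """\
remark RFC1918 private addresses
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
remark Other bogons
deny ip 224.0.0.0 15.255.255.255 any   // multicast
deny ip 240.0.0.0 15.255.255.255 any   // class E, reserved
deny ip 0.0.0.0 0.255.255.255 any      // 'this' network
deny ip 169.254.0.0 0.0.255.255 any    // link-local
deny ip 192.0.2.0 0.0.0.255 any        // TEST-NET-1
deny ip 127.0.0.0 0.255.255.255 any    // loopback
remark Internal networks (anti-spoofing)
deny ip 200.1.1.0 0.0.0.255 any        // assumed internal server segment
permit ip any any
"""


def wildcard_to_network(addr, wildcard):
    """IOS wildcard (inverse) mask -> IPv4Network. A wildcard with
    non-contiguous zero bits is legal IOS but almost always a typo, so reject it."""
    mask = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return IPv4Network((addr, prefix), strict=False)


def parse_acl(text):
    """Parse 'permit|deny ip <source> any' lines of an extended ACL into
    (action, source network, original line) tuples, in order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("//")[0].strip()      # drop trailing comments
        if not line or line.startswith("remark"):
            continue
        tok = line.split()
        action, src = tok[0], tok[2]
        if src == "any":
            net = IPv4Network("0.0.0.0/0")
        elif src == "host":
            net = IPv4Network(tok[3] + "/32")
        else:
            net = wildcard_to_network(src, tok[3])
        entries.append((action, net, line))
    return entries


def evaluate(entries, source_ip):
    """First match wins, exactly as the router processes the ACL;
    no match falls through to the implicit deny."""
    ip = IPv4Address(source_ip)
    for action, net, line in entries:
        if ip in net:
            return action, line
    return "deny", "implicit deny"


def denied_prefixes(entries):
    """The prefixes the filter blocks, to diff against a current bogon feed."""
    return [str(net) for action, net, _ in entries if action == "deny"]


BOGON_ACL = parse_acl(INGRESS_FILTER)

if __name__ == "__main__":
    for src in ("10.1.2.3", "169.254.9.9", "192.0.2.10", "200.1.1.7", "8.8.8.8"):
        print(src, "->", *evaluate(BOGON_ACL, src))
```

Feeding the page's original line `deny ip 192.0.2.0 0.0.255 any` into `parse_acl` raises an error from `IPv4Address`, since `0.0.255` is not an address at all; that is the kind of typo that silently turns into a wrong prefix when typed at the CLI. `denied_prefixes` gives the list to compare against a current bogon reference before the ACL is deployed.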

Enable ACL filtering of bogons at the Internet entry point.

Caution: the "unassigned IANA addresses" block below reflects the IANA allocation state at the time these notes were taken. Every IPv4 /8 has since been allocated (IANA's free pool ran out in February 2011), so those entries would now block legitimate traffic. Before deploying, replace that block with a current bogon list (for example the Team Cymru bogon reference) or drop it and keep only the RFC 1918, loopback, link-local, multicast, class E and TEST-NET entries, which are permanent.

Router(config)# ip access-list extended ingress-filter

Router(config-ext-nacl)# remark Unassigned IANA addresses // IANA unassigned addresses

Router (config-ext-nacl) # deny ip 1.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 2.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 5.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 7.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 23.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 27.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 31.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 36.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 37.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 39.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 41.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 42.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 49.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 50.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 58.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 59.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 60.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 70.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 71.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 72.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 73.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 74.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 75.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 76.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 77.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 78.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 79.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 83.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 84.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 85.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 86.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 87.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 88.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 89.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 90.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 91.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 92.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 93.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 94.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 95.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 96.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 97.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 98.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 99.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 100.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 101.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 102.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 103.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 104.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 105.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 106.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 107.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 108.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 109.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 110.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 111.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 112.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 113.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 114.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 115.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 116.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 117.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 118.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 119.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 120.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 121.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 122.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 123.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 124.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 125.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 126.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 197.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 201.0.0.0 0.255.255.255 any

Router(config-ext-nacl)# remark RFC1918 private addresses // private addresses defined by RFC 1918

Router (config-ext-nacl) # deny ip 10.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 172.16.0.0 0.15.255.255 any

Router (config-ext-nacl) # deny ip 192.168.0.0 0.0.255.255 any

Router (config-ext-nacl) # remark Other bogons / / other bogons address

Router (config-ext-nacl) # deny ip 224.0.0.0 15.255.255.255 any / / Multicast address

Router (config-ext-nacl) # deny ip 240.0.0.0 15.255.255.255 any / / address for academic research

Router (config-ext-nacl) # deny ip 0.0.0.0 0.255.255.255 any

Router (config-ext-nacl) # deny ip 169.254.0.0 0.0.255.255 any / / DHCP local private address

Router(config-ext-nacl)# deny ip 192.0.2.0 0.0.0.255 any // TEST-NET-1 documentation range (the wildcard is 0.0.0.255, a /24)

Router (config-ext-nacl) # deny ip 127.0.0.0 0.255.255.255 any / / Loopback address

Router (config-ext-nacl) # remark Internal networks / / address of the internal network segment

Router(config-ext-nacl)# deny ip 200.1.1.0 0.0.0.255 any // the internal server segment: packets arriving from the Internet must never carry an internal source address (wildcard 0.0.0.255)

Router(config-ext-nacl)# remark Allow Internet to specific services

Router(config-ext-nacl)# remark permit // the permit statements for the published services go here, before the final deny ip any any

Router (config-ext-nacl) # deny ip any any

Router (config-ext-nacl) # exit

Router(config)# interface ethernet1

Router(config-if)# ip access-group ingress-filter in // apply the ACL inbound on the WAN interface
