2025-03-29 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
When it comes to security, people usually think of threats coming from the Internet, while the internal security of the local area network is ignored. There are many security risks inside an enterprise LAN as well. This post introduces several kinds of LAN-internal attacks and how to defend against them.
Common local area network attacks
1. MAC address flooding attack
We know that when a switch forwards a data frame, it looks up the frame's source MAC address in its MAC address table. If the source MAC address is not there, the switch learns it, maps it to the ingress interface and adds the entry to the table; it then looks up the destination MAC address. If the destination MAC address is not found, the frame is flooded out of every port like a broadcast. A MAC address flooding attack takes advantage of this behaviour of the switch.
Attack principle: the MAC address table of every switch has limited space. If a host sends a large number of data frames with forged source MAC addresses, the switch's MAC address table overflows. From then on, when the switch receives a normal data frame, it cannot find the corresponding entry in the MAC address table, the frame is flooded out of all ports, and the attacker receives the normal communication data, as shown below:
When a MAC address flooding attack is under way, an obvious symptom is high CPU utilization on the switch, which makes it easy to spot. Use the "show processes cpu" command to view a device's CPU utilization.
2. ARP attacks and ARP spoofing
(1) The principle of an ARP attack
● The attacking host makes a fake ARP reply and sends it to all hosts except the victim host. The ARP reply contains the IP address of the victim host and a false MAC address.
● The attacking host makes a fake ARP reply and sends it to the victim host. The ARP reply contains the IP addresses of all hosts except the victim, each paired with a false MAC address.
Either of the above is enough to stop the victim host from communicating properly with other hosts.
(2) The principle of ARP spoofing
ARP spoofing does not prevent the network from communicating, but controls traffic or steals confidential information by impersonating the gateway or another host.
3. DHCP server spoofing and address exhaustion
(1) DHCP server spoofing: a client configures itself as a DHCP server and answers DHCP requests directly, handing out fake IP address information.
(2) DHCP address exhaustion: a client keeps sending DHCP requests while pretending to be a new client each time, asking the server to assign it an IP address, until the server's address pool is exhausted and normal hosts can no longer obtain an IP address.
4. IP address spoofing
A client configures its own IP address so as to impersonate another client or the network administrator, and then performs illegal operations on other hosts, devices, servers and so on.
Defense solutions
Solution 1: switch port security configuration
Cisco switches provide a security feature that controls port access based on MAC addresses: it restricts traffic by MAC address, sets the number of hosts allowed to access a port, or binds MAC addresses to a port manually, so that only frames from bound MAC addresses are forwarded.
Port security is a form of network access verification: only clients that match the configured rules can access the LAN, which keeps unauthorized clients off the network. It provides the following functions:
● limits and permits client traffic based on MAC addresses
● prevents MAC address flooding attacks
● prevents MAC address spoofing attacks
(1) Enable the port security feature on a switch interface
The configuration commands in interface mode are as follows:
Switch (config-if) # switchport port-security
Note: an interface on which port security is enabled cannot be in dynamic negotiation mode; it must be set to Access or Trunk mode.
(2) Configure the MAC addresses allowed to access the network
Limit the maximum number of MAC addresses allowed on the port and statically bind MAC addresses, as follows:
Switch (config-if) # switchport port-security maximum {max-addr} // max-addr defaults to 1; the range is 1-8192
Switch (config-if) # switchport port-security mac-address {mac-addr} // mac-addr is a statically bound MAC address in dotted xxxx.xxxx.xxxx format (e.g. 0025.1234.1258)
(3) Configure the aging time
By default, the switch does not delete the MAC address obtained by the interface, and if the clients of the interface change frequently and the old MAC address is retained, it may cause newly connected clients to be unable to communicate. You can configure the aging time to allow the switch to delete MAC addresses with no traffic for a period of time, as follows:
Switch (config-if) # switchport port-security aging time {time} // time range is 1-1440 min; the default 0 means addresses are never deleted
Switch (config-if) # switchport port-security aging type {absolute | inactivity}
Absolute: when the aging time expires, all MAC addresses on the port are deleted and relearned.
Inactivity: a MAC address that has seen no traffic for the aging time is deleted from the address table.
Note: statically bound MAC addresses are not affected by aging time
Some work environments require that statically bound MAC addresses are also affected by aging time. The configuration commands are as follows:
Switch (config-if) # switchport port-security aging static
(4) Configure the policy applied on a MAC address violation
A MAC address violation occurs in either of the following cases:
● A new MAC address, not in the port's secure MAC address table, tries to access the port when the table has already reached the configured maximum
● A MAC address configured as a secure MAC address on another port tries to access this port
When a MAC address violation occurs, there are three ways to handle it. The configuration command is as follows:
Switch (config-if) # switchport port-security violation {protect | restrict | shutdown}
Protect: frames from illegal MAC addresses are discarded, but the port stays up. The switch does not record the violation.
Restrict: frames from illegal MAC addresses are discarded, but the port stays up. The switch records the violation.
Shutdown: the port enters the err-disabled state, which is equivalent to shutting the port down.
A port in the err-disabled state is not restored automatically by default. There are two ways to restore it:
Manual recovery: first close the port (shutdown), then open it again (no shutdown)
Automatic recovery: set a timer that starts when the port enters the err-disabled state; the port recovers automatically when the timer expires. The timer configuration commands are as follows:
Switch (config) # errdisable recovery cause psecure-violation // the err-disabled cause that is allowed to recover automatically
Switch (config) # errdisable recovery interval {time} // time is 30-86400, in seconds
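To make the flooding mechanism above and the effect of a per-port maximum concrete, here is a toy switch model I added for this post (it is not code from the original article or from Cisco). It keeps a small MAC table, evicts the oldest entry when the table is full, and applies a port security maximum with the protect / restrict / shutdown policies; port names and MAC addresses are constructed.

```python
from collections import OrderedDict

FLOOD = "FLOOD"  # destination unknown: frame is sent out of every other port

class Switch:
    """Toy model of a switch MAC table with optional port security (constructed example)."""

    def __init__(self, table_size, max_per_port=None, mode="restrict"):
        self.table = OrderedDict()        # MAC -> port, oldest entry first
        self.table_size = table_size
        self.max_per_port = max_per_port  # None: port security disabled
        self.mode = mode                  # protect | restrict | shutdown
        self.violations = 0               # what "Security Violation Count" would show
        self.err_disabled = set()

    def learned_on(self, port):
        return sum(1 for p in self.table.values() if p == port)

    def receive(self, in_port, src, dst):
        """Return the egress port, FLOOD, or None if the frame is dropped."""
        if in_port in self.err_disabled:
            return None
        if src not in self.table:
            if self.max_per_port is not None and self.learned_on(in_port) >= self.max_per_port:
                # port-security violation: the new source is neither learned nor forwarded
                if self.mode != "protect":
                    self.violations += 1  # protect mode drops silently
                if self.mode == "shutdown":
                    self.err_disabled.add(in_port)
                return None
            if len(self.table) >= self.table_size:
                self.table.popitem(last=False)  # table full: oldest entry is overwritten
            self.table[src] = in_port
        out = self.table.get(dst)
        return FLOOD if out is None else out

def demo(max_per_port):
    """PC on f0/1, server on f0/2, a host on f0/3 sending 10 forged source MACs."""
    sw = Switch(table_size=4, max_per_port=max_per_port)
    sw.receive("f0/1", "aaaa.aaaa.0001", "ffff.ffff.ffff")  # PC learned
    sw.receive("f0/2", "bbbb.bbbb.0002", "ffff.ffff.ffff")  # server learned
    for i in range(10):                                      # constructed fake sources
        sw.receive("f0/3", "dead.beef.%04x" % i, "ffff.ffff.ffff")
    # Does the server's unicast reply to the PC stay on f0/1, or leak to every port?
    return sw.receive("f0/2", "bbbb.bbbb.0002", "aaaa.aaaa.0001"), sw.violations
```

demo(None) shows the reply being flooded once the table has overflowed; demo(1) keeps it on f0/1 and counts nine restrict-mode violations on f0/3.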
(5) Configure the Sticky feature of port security
Configuring a static binding on every port is a great deal of work. With the port security Sticky feature, MAC addresses that the switch learns dynamically are converted into sticky MAC addresses and added to the running configuration, automatically forming the static MAC address entries permitted by port security. Once the configuration is saved, the addresses do not have to be relearned after the switch restarts. The configuration command (in interface mode) is as follows:
Switch (config-if) # switchport port-security mac-address sticky
(6) View and clear port status
Switch# show port-security int f0/1 // view the port security status of the interface
Switch# show interfaces status err-disabled // view summary information for ports in the err-disabled state
Switch# show port-security // view port security summary information
Switch# clear port-security dynamic {address mac-addr | int f0/1} // clear one dynamically learned MAC address, or all of them on the interface
Example: configure port security on the switch with the following commands:
Switch (config) # int f0/1
Switch (config-if) # switchport mode access
Switch (config-if) # switchport access vlan 2
Switch (config-if) # switchport port-security // enable port security
Switch (config-if) # switchport port-security mac-address 0025.1234.1258 // statically bind the MAC address
Switch (config-if) # switchport port-security aging time 1 // aging time of 1 min
Switch (config-if) # switchport port-security aging type inactivity // delete port MAC addresses that see no traffic
Switch (config-if) # switchport port-security violation restrict // policy applied on a violation
Port security is now enabled on port f0/1 with the default maximum of 1 MAC address, and one MAC address statically bound.
View the port security status:
Switch# show port-security int f0/1
Port Security : Enabled // port security is enabled
Port Status : Secure-up // port status is up
Violation Mode : Restrict // policy applied on a MAC address violation
Aging Time : 1 mins // aging time
Aging Type : Inactivity // port MAC address deletion policy
SecureStatic Address Aging : Disabled // whether statically bound MAC addresses are subject to aging
Maximum MAC Addresses : 1 // maximum number of MAC addresses
Total MAC Addresses : 1 // total number of MAC addresses on the port (including statically bound ones)
Configured MAC Addresses : 1 // number of statically bound MAC addresses
Sticky MAC Addresses : 0 // number of sticky MAC addresses
Last Source Address:Vlan : 0025.1234.1258:2 // latest source MAC address and its VLAN
Security Violation Count : 0 // number of security violations
Solution 2: DHCP snooping
DHCP snooping is a security mechanism that protects DHCP service. It filters untrusted DHCP messages from hosts or other devices in the network so that clients obtain IP addresses only from the legitimate DHCP server, which prevents DHCP server spoofing and DHCP address exhaustion.
DHCP snooping divides switch ports into:
Untrusted port: a port connecting an end device. Clients on this port may only send DHCP request messages; all other DHCP messages arriving on the port (such as DHCP Offer and Ack) are discarded.
Trusted port: a port connecting to the legitimate DHCP server, or an uplink/aggregation port.
DHCP snooping can also limit the rate at which clients send DHCP requests, which slows down DHCP resource exhaustion. Cisco switches support enabling DHCP snooping per VLAN.
Configuration of DHCP snooping
(1) The command to enable DHCP snooping is as follows:
Switch (config) # ip dhcp snooping
The command to set which VLANs DHCP snooping acts on is as follows:
Switch (config) # ip dhcp snooping vlan number // number is the VLAN number; several VLANs can be given at once, for example 2,3-5
(2) Configure ports as trusted or untrusted
When DHCP snooping is enabled, all ports are untrusted by default. To configure a port as trusted, the configuration command is as follows:
Switch (config-if) # ip dhcp snooping trust
(3) Configure protection against DHCP exhaustion attacks
Limit the DHCP message rate on untrusted ports to slow down DHCP exhaustion attacks, with the following command:
Switch (config-if) # ip dhcp snooping limit rate {rate} // rate is the packet rate in packets per second; on a Cisco 2960 switch the range is 1-2048 p/s
You can also enable MAC address verification, which stops forged MAC addresses from requesting IP addresses and so defeats DHCP exhaustion attacks. The configuration command is as follows:
Switch (config) # ip dhcp snooping verify mac-address
When the DHCP packet rate on an untrusted port exceeds the configured value, a violation occurs and the port enters the err-disabled state. As with the MAC address violation above, it can be recovered manually; for automatic recovery, set the err-disabled timer with the following commands:
Switch (config) # errdisable recovery cause dhcp-rate-limit // the err-disabled cause that is allowed to recover automatically
Switch (config) # errdisable recovery interval {time} // time is 30-86400, in seconds
(4) DHCP snooping status query
Switch# show ip dhcp snooping // view the current DHCP snooping status and port status
Switch# show ip dhcp snooping binding // view the current DHCP snooping binding table
Switch# clear ip dhcp snooping binding // clear the DHCP snooping binding table
Case: enable DHCP snooping on the switch and limit the DHCP packet rate on untrusted ports to 100 p/s
Switch (config) # ip dhcp snooping // enable DHCP snooping
Switch (config) # ip dhcp snooping vlan 1 // apply it to VLAN 1
Switch (config) # int f0/21
Switch (config-if) # ip dhcp snooping trust // the port facing the DHCP server is trusted
Switch (config-if) # exit
Switch (config) # int range f0/1-20
Switch (config-if-range) # ip dhcp snooping limit rate 100
Switch (config-if-range) # exit
Switch (config) # int range f0/22-24
Switch (config-if-range) # ip dhcp snooping limit rate 100
Switch (config-if-range) # exit
If the DHCP server above is a router, clients may be unable to obtain an IP address; configure either of the following commands on the router:
Router (config-if) # ip dhcp relay information trusted // on the interface that receives the DHCP messages, or
Router (config) # ip dhcp relay information trust-all // in global mode, valid for all interfaces
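The following toy model, added here and not part of the original article or of any vendor code, walks a few constructed DHCP messages through the checks described in this section: server messages on untrusted ports, chaddr versus frame source MAC (verify mac-address), and a per-second rate limit that err-disables the port. Port names, MAC addresses and IP addresses are made up; the per-second counter is a simplification of the real rate limiter.

```python
from collections import defaultdict

SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # only a DHCP server sends these
class DhcpSnooping:
    """Toy model of the per-port DHCP snooping checks (constructed example)."""

    def __init__(self, trusted, limit_rate=None, verify_mac=False):
        self.trusted = set(trusted)    # ports towards the legitimate DHCP server
        self.limit_rate = limit_rate   # DHCP packets per second allowed on untrusted ports
        self.verify_mac = verify_mac   # ip dhcp snooping verify mac-address
        self.counts = defaultdict(int) # (port, second) -> DHCP packets seen (crude rate limiter)
        self.err_disabled = set()
        self.binding = {}              # client MAC -> leased IP, built from snooped ACKs

    def inspect(self, pkt):
        """Return 'forward' or a string naming the reason the packet is dropped."""
        port = pkt["port"]
        if port in self.err_disabled:
            return "drop: port err-disabled"
        if port in self.trusted:
            if pkt["type"] == "ACK":
                self.binding[pkt["chaddr"]] = pkt["yiaddr"]  # show ip dhcp snooping binding
            return "forward"
        if pkt["type"] in SERVER_MSGS:
            return "drop: server message on untrusted port"  # rogue DHCP server
        if self.verify_mac and pkt["chaddr"] != pkt["src_mac"]:
            return "drop: chaddr does not match frame source MAC"  # forged client
        if self.limit_rate is not None:
            key = (port, pkt["t"])
            self.counts[key] += 1
            if self.counts[key] > self.limit_rate:
                self.err_disabled.add(port)  # dhcp-rate-limit violation
                return "drop: rate limit exceeded, port err-disabled"
        return "forward"

def msg(t, port, typ, src_mac, chaddr, yiaddr=None):
    return dict(t=t, port=port, type=typ, src_mac=src_mac, chaddr=chaddr, yiaddr=yiaddr)

# Constructed sample traffic: f0/21 faces the real server, everything else is a client port.
SAMPLE = [
    msg(0, "f0/21", "OFFER", "0000.5e00.0001", "aaaa.aaaa.0001", "10.0.0.50"),
    msg(0, "f0/5", "OFFER", "dead.beef.0001", "aaaa.aaaa.0001", "10.0.0.99"),  # rogue server
    msg(1, "f0/21", "ACK", "0000.5e00.0001", "aaaa.aaaa.0001", "10.0.0.50"),
    msg(2, "f0/7", "DISCOVER", "cccc.cccc.0007", "dead.beef.0002"),             # forged chaddr
] + [msg(3, "f0/9", "DISCOVER", "cccc.cccc.0009", "cccc.cccc.0009") for _ in range(5)]
def run(sample=SAMPLE):
    snoop = DhcpSnooping(trusted={"f0/21"}, limit_rate=3, verify_mac=True)
    results = [snoop.inspect(p) for p in sample]
    return results, snoop.binding, sorted(snoop.err_disabled)
```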
Solution 3: deploy the network version of antivirus software
The biggest difference between the network version and stand-alone antivirus software is that a control center can manage every computer on the network, run antivirus tasks, upgrade the virus database and administer the whole network centrally. It usually consists of a server side and a client side and has the following features:
(1) Client antivirus software can be installed or uninstalled remotely.
(2) Users can be prevented from uninstalling the client antivirus software themselves.
(3) Antivirus policies can be defined, distributed and enforced across the whole network.
(4) The health status of client systems can be monitored remotely.
(5) Remote alerting is provided, sending virus information to the network administrator automatically.
(6) Clients can be allowed to customize their own antivirus policies.