Implement switches Security (part 1)

Jafar Tavana · ‎05-06-2019

How-to-Configure-Switch-to-Mitigate-VLAN-Attacks..jpg

Hi Everyone

at this Article we want to talk about very commonly project in network security section, and today's Network security is bolder than old, and we see some article about Security but they have only some theoretical info, in this Article we want to have a very common security feature in CISCO or any other switches( Management switches ), its about Port Security. How you can manage your Security of your network ? maybe you have a wireless network, in this situation you must select another solution or maybe you have different scenario with different hardware or virtualization and you have another option with different name for implement basic Access security .

In this Article we visualize we have an Ethernet Network with simple equipment and as refer to Ethernet standard each device have a MAC Address.

so how we can secure our network ? we have so many security solution but some of there is:

-DHCP Snooping :

Attacker can run a DHCP Server on here PC or device then get Address to your Network devices, maybe you think its good, cause your DHCP Server use less CPU and Attacker computer help it, but Attacker do that for here destiny, for example set Default Gateway or DNS of here system and then can very easily redirect your network traffic to capture or any other use.

or another attack is send so many IP Address request to DHCP and used capacity of your DHCP pool.

-Dynamic ARP Protection: Protects your network from ARP cache poisoning.

refer to Ethernet standard and how ARP working, as you know, ARP table filled via frames come to your nodes, Ethernet device extract source of that device and if it wasn't in here CAM Table then add it (of course for unicast Address ) so today's i can very easily create or build an script with Ruby, Python , .... that send crafted frame to Network, for example i can create empty frame with source address of my Router MAC and destination MAC address of another node then send it to Network, what happened if you haven't enough security implementation on your central devices like switches ? when destination node receive this frame extract it Source MAC address then Extract source IP Address and see the MAC address of her gateway or router was changed so it change here CAM Table, after that if this node want to send any data to her gateway, create an frame with this information: Destination IP Address: Router Address | Destination MAC Address: Attacker MAC Address

and what can be happened ? all of traffic send to the Attacker device. OK for prevent this type of Attack we can use ARP Protection Method.

Port Security Configuration:

select Interface or interface range

switchport port-security

set maximum MAC Address can be assigned to this port:

switchport port-security maximum XXX

set Violation mode to what happen when maximum number of MAC Address rich :

switchport port-security violation XXXX

Add manually MAC Address to MAC Table that allow forward Frames:

switchport port-security mac-address mac_address

Enable sticky Learning MAC Address of each node connected to this port(unless maximum number rich)

switchport port-security mac-address sticky

show port security status of all ports you enable it:

show port-security

Show Address learned of all Interfaces :

show port-security address

show Address of specify port that allow forward traffic:

show port-security address interface interface_id

Implement switches Security (part 1)

AnyConnect Certificate Based Authentication.

Getting past intermittent/unexplained 802.1x problems on Windows 7

Insights About Multiple Vulnerabilities in Cisco Discovery Protocol Implementations (CDPwn)