642-637 SECURE V1.0

Switch Data Plane Controls

SWITCH SECURITY BASELINE 

VLAN HOPPING ATTACK
– Static access port configuration
– Disable DTP
– No native VLAN on trunk ports

STP Spoofing
– BPDU Guard and Root Guard

MAC Spoofing
– Port Security and static MAC entries

CAM Floods
– MAC limits in Port Security

DHCP Server Starvation
– DHCP Snooping

ARP Spoofing
– MAC limits in Port Security
– DHCP Snooping rate limits
– IP ARP Inspection

IP Spoofing
– IP Source Guard or port-based ACLs
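The baseline above as one access-layer configuration. This is an added example, not taken from the notes or from any Cisco document: interface names, VLAN numbers and the MAC address are constructed placeholders, and the commands are the IOS ones behind each bullet (DTP off, static access ports, unused native VLAN, BPDU/Root Guard, port security with a MAC limit and a static entry).

```cisco
! --- Access ports: VLAN hopping, MAC spoofing, CAM flooding ---
interface range GigabitEthernet0/2 - 24
 switchport mode access               ! static access port, never negotiates a trunk
 switchport access vlan 10
 switchport nonegotiate               ! no DTP frames on a host port
 spanning-tree portfast
 spanning-tree bpduguard enable       ! err-disable the port if a BPDU arrives from a host
 switchport port-security             ! cap the CAM entries this port may learn
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
!
! A port where only one known device may ever appear (static MAC entry, placeholder MAC)
interface GigabitEthernet0/25
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation shutdown
!
! --- Trunks: DTP off, no user VLAN as native, STP root protected ---
interface GigabitEthernet0/48
 description trunk to a downstream access switch
 switchport trunk encapsulation dot1q ! only on platforms that require it
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999     ! unused VLAN that carries no user traffic
 switchport trunk allowed vlan 10,20
 spanning-tree guard root             ! a superior BPDU here puts the port in root-inconsistent state
!
vlan dot1q tag native                 ! tag the native VLAN as well, so untagged frames are dropped
!
! Verification:
!  show interfaces trunk
!  show port-security interface GigabitEthernet0/25
!  show spanning-tree inconsistentports
```

Root Guard belongs on the ports that face away from the legitimate root (downstream trunks and access ports), never on the uplink that is supposed to be the root port.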

 

DHCP ATTACKS
– DHCP spoofing: an attacker pretends to be the DHCP server.
– DHCP starvation: an attacker sends many DHCP Discover messages.

Configuration:
Enable globally: ip dhcp snooping
Configure the ingress trusted ports (uplinks, trunks)
Configure the DHCP snooping database, flash:dhcp-db.db (or wherever you want it), so the bindings survive a reboot and a rogue server cannot hand out leases afterwards.
Configure the database write delay to 30 sec.
Disable the IP information option (option 82).
Configure the DHCP rate limit on each port.
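The DHCP snooping steps above as a complete configuration. Added example, not from the notes: the VLAN list, interface names, the database location and the per-port rate are assumptions.

```cisco
ip dhcp snooping
ip dhcp snooping vlan 10,20
no ip dhcp snooping information option        ! do not insert option 82 on untrusted ports
ip dhcp snooping database flash:dhcp-db.db    ! binding table persists across a reload
ip dhcp snooping database write-delay 30      ! seconds between a binding change and the write
!
interface GigabitEthernet0/1
 description uplink to distribution, the real DHCP server is behind it
 ip dhcp snooping trust                       ! only trusted ports may send OFFER/ACK
!
interface range GigabitEthernet0/2 - 24
 switchport mode access
 ip dhcp snooping limit rate 15               ! DHCP packets per second per port; above this the port err-disables
!
errdisable recovery cause dhcp-rate-limit     ! bring a rate-limited port back automatically
errdisable recovery interval 300
!
! Verification:
!  show ip dhcp snooping
!  show ip dhcp snooping binding
!  show ip dhcp snooping database
```

Without the database, a reload empties the binding table; until clients renew, IP Source Guard and Dynamic ARP Inspection (both driven by these bindings) would block legitimate hosts, which is why the notes insist on it.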

 

ARP ATTACK
– Man-in-the-middle attacks (gratuitous ARP requests).
This is solved with the Dynamic ARP Inspection (IP ARP Inspection) configuration.

Configuration:
Enable globally: ip dhcp snooping
Configure the ingress trusted ports (uplinks, trunks)
Use or configure the DHCP snooping database, flash:dhcp-db.db (or wherever you want it), so the bindings survive a reboot,   OR
Configure an ARP ACL with static IP-MAC mappings (create the ACL, then apply the filter globally for the VLAN)
Configure the rate limit: 15 pps per 1 sec interval
Configure the error-disable behavior (recovery)
Enable on the specific VLANs and set the trusted interfaces
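Both Dynamic ARP Inspection paths from the list above, the DHCP-snooping-backed one and the ARP ACL one, in a single configuration. Added example, not from the notes; it assumes DHCP snooping is already running for VLAN 10, and the host address, MAC, interface names and timers are placeholders.

```cisco
ip arp inspection vlan 10                        ! DAI is enabled per VLAN
ip arp inspection validate src-mac dst-mac ip    ! also check the MAC/IP fields inside the ARP body
!
! Path A: DHCP clients are checked against the DHCP snooping binding table (nothing more to add).
!
! Path B: hosts with static addresses need an ARP ACL applied to the VLAN
arp access-list STATIC-HOSTS
 permit ip host 10.1.10.5 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10    ! add the "static" keyword to stop falling back to the binding table
!
interface GigabitEthernet0/1
 description uplink to distribution
 ip arp inspection trust                         ! ARP from trusted ports is not inspected
!
interface range GigabitEthernet0/2 - 24
 ip arp inspection limit rate 15 burst interval 1   ! 15 ARP pps in a 1 s window; more err-disables the port
!
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! Verification:
!  show ip arp inspection vlan 10
!  show ip arp inspection interfaces
!  show ip arp inspection statistics vlan 10
```

The rate limit is what stops a host from flooding gratuitous ARP; the validation is what stops a single forged reply. Keep the two together, and watch `show ip arp inspection statistics` after enabling, because printers and embedded devices with static addresses show up there as drops until they get an ACL entry.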

 

SOURCE IP ATTACKS
– Spoofing an existing IP address
– Spoofing with IP source routing
– Spoofing a non-existing IP address

Configure DHCP snooping
Enable IP Source Guard on DHCP-enabled ports (interface level: ip verify source)
Configure static mappings or PACLs if not using IP Source Guard.
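IP Source Guard in both of its forms, plus the PACL alternative the last line mentions. Added example, not from the notes; DHCP snooping for VLAN 10 is assumed to be in place, and the hosts, MAC and interface names are placeholders.

```cisco
interface GigabitEthernet0/5
 description DHCP client port
 switchport mode access
 switchport access vlan 10
 ip verify source                                ! source IP must match the snooping binding for this port
!
interface GigabitEthernet0/6
 description DHCP client port, MAC pinned as well
 switchport mode access
 switchport access vlan 10
 switchport port-security                        ! required by the port-security keyword below
 ip verify source port-security                  ! checks source IP AND source MAC against the binding
!
! Host with a static address: create the binding by hand so IPSG lets it through
ip source binding 0011.2233.4455 vlan 10 10.1.10.5 interface GigabitEthernet0/6
!
! Alternative without IPSG: a port ACL that admits only the one address expected on this port
ip access-list extended PACL-G0-7
 permit ip host 10.1.10.7 any
 deny   ip any any log
interface GigabitEthernet0/7
 switchport mode access
 switchport access vlan 10
 ip access-group PACL-G0-7 in
!
! Verification:
!  show ip verify source
!  show ip source binding
!  show access-lists PACL-G0-7
```

The PACL approach scales badly (one ACL per port, edited by hand whenever a host moves), which is exactly the argument the notes make later for uRPF over static ACLs on routers.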

IBNS Overview and 802.1X

Deployment:

Configuration on the switch
– RADIUS
– Enable 802.1X globally
– Tune 802.1X re-authentication, timer values, guest access
Configuration on ACS
Configuration on clients
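The switch side of the deployment list above (RADIUS, global 802.1X, re-authentication, timers, guest VLAN). Added example, not from the notes: the ACS address, shared secret, VLAN numbers and timer values are placeholders, and the ACS and client steps are not shown.

```cisco
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius    ! lets ACS push a VLAN or downloadable ACL
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <RADIUS-SHARED-SECRET>
ip radius source-interface Vlan100                ! must match the AAA client entry defined on ACS
!
dot1x system-auth-control                         ! enable 802.1X globally
!
interface GigabitEthernet0/10
 switchport mode access
 switchport access vlan 10
 dot1x pae authenticator
 authentication port-control auto                 ! port stays closed until the supplicant passes
 authentication periodic                          ! re-authenticate ...
 authentication timer reauthenticate 3600         ! ... every hour ("server" uses the ACS-supplied value)
 dot1x timeout tx-period 10                       ! seconds between EAP-Request/Identity retries
 dot1x max-reauth-req 2                           ! retries before the port is treated as no-response
 authentication event no-response action authorize vlan 50   ! guest VLAN for clients without a supplicant
 authentication event fail action authorize vlan 60          ! restricted VLAN after a failed authentication
!
! Older IOS spelling of the same knobs:
!  dot1x reauthentication
!  dot1x timeout reauth-period 3600
!  dot1x guest-vlan 50
!
! Verification:
!  show dot1x interface GigabitEthernet0/10 details
!  show authentication sessions
```

Never put the guest VLAN and the restricted VLAN on the same segment as authenticated users; the whole point of the split is that a failed or absent supplicant ends up somewhere with less reach.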

 

Routed Data Plane Controls
– Use PACLs on switches
– Use IP Source Guard on switches
– Use no ip source-route on routers
– Use static IP ACLs on routers at ingress and egress

uRPF – prevents attacks from spoofed addresses
Why uRPF rather than the options above:
– ACLs are manual
– uRPF is automated – it relies on the routing table, and there are 2 types: strict and loose.
– Strict: the source must be in the routing table, pointing at the specific interface where the traffic enters the router.
– Loose: the source IP must be in the routing table.

Config:
Enable CEF
Configure uRPF on interfaces: ip verify unicast source reachable-via any or rx (or ip verify unicast reverse-path, the old command)
Configure notification over SNMP
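The routed data plane controls above on one edge router: CEF, strict and loose uRPF on the interfaces where each mode is safe, no ip source-route, a static ingress ACL, and the SNMP notification. Added example, not from the notes; interface roles, prefixes, the SNMP host and the notification threshold are assumptions, and the `ip verify unicast notification threshold` command is assumed to be present in the image.

```cisco
ip cef                                           ! uRPF looks the source up in the FIB
no ip source-route                               ! drop packets carrying IP source-routing options
!
interface GigabitEthernet0/0
 description customer-facing link, single path, strict mode is safe
 ip verify unicast source reachable-via rx       ! source must be reachable back out THIS interface
 ip verify unicast notification threshold 100    ! uRPF drop-rate above this (pps) raises a notification
!
interface GigabitEthernet0/1
 description upstream peer, asymmetric routing possible, loose mode only
 ip verify unicast source reachable-via any      ! source only has to exist somewhere in the routing table
!
! Legacy equivalent of strict mode: ip verify unicast reverse-path
!
! Static ingress ACL as a complement: sources that must never arrive from outside
ip access-list extended EDGE-IN
 deny   ip 10.0.0.0 0.255.255.255 any           ! RFC 1918
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 203.0.113.0 0.0.0.255 any            ! our own prefix (placeholder) used as a source from outside
 permit ip any any
interface GigabitEthernet0/1
 ip access-group EDGE-IN in
!
! SNMP destination for the uRPF notifications (CISCO-IP-URPF-MIB)
snmp-server host 192.0.2.20 version 2c <COMMUNITY>
snmp-server enable traps
!
! Verification:
!  show ip interface GigabitEthernet0/0 | include verify
!  show ip traffic | include RPF
!  show access-lists EDGE-IN
```

Strict mode on a link with asymmetric routing silently drops legitimate return traffic, so the rule of thumb is strict toward stub networks and customers, loose toward peers and transit.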

FPM (Flexible Packet Matching) – identify and prevent specific patterns inside the data stream
Load .phdf templates (protocol header definition files)
Configure class maps (type access-control) and a service policy on the interface
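The three FPM steps above as a working policy. Added example, not from the notes; it assumes the ip.phdf and udp.phdf templates have been copied to flash:, and the pattern used is the documented SQL Slammer signature (UDP/1434, IP length 404, a 4-byte marker 224 bytes past the start of the IP header).

```cisco
load protocol flash:ip.phdf
load protocol flash:udp.phdf
!
! Stack class: tells FPM which headers to expect so it can locate the UDP fields
class-map type stack match-all IP-UDP
 description match UDP over IP
 match field IP protocol eq 0x11 next UDP
!
! Access-control class: the pattern to look for inside the packet
class-map type access-control match-all SLAMMER
 description UDP/1434, IP length 404, marker at offset 224 from the L3 start
 match field UDP dest-port eq 1434
 match field IP length eq 404
 match start l3-start offset 224 size 4 eq 0x4011010
!
policy-map type access-control FPM-UDP-POLICY
 class SLAMMER
  drop
!
policy-map type access-control FPM-POLICY
 class IP-UDP
  service-policy FPM-UDP-POLICY              ! nested: only UDP packets are examined for the pattern
!
interface GigabitEthernet0/1
 service-policy type access-control input FPM-POLICY
!
! Verification:
!  show protocols phdf ip
!  show policy-map type access-control interface GigabitEthernet0/1
```

Replace `drop` with `log` on the SLAMMER class first and watch the policy-map counters; a pattern match with a wrong offset drops legitimate traffic just as quietly as it drops the worm.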

NetFlow – used to identify traffic flooding attacks
– Provides a record of the packets
– Sends the data to a collector
– Can be used to identify anomalies
Flows include: source/destination IP and ports, L3 protocol type, CoS or ToS byte info, ifIndex of the input interface.
Multiple versions
Traditional versus Flexible?
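Traditional and Flexible NetFlow side by side, exporting the flow fields listed above to a collector. Added example, not from the notes; the collector address, port, interface names and the record/exporter/monitor names are placeholders.

```cisco
! --- Traditional NetFlow: fixed record, one global export target ---
ip flow-export version 9
ip flow-export destination 192.0.2.30 2055
ip flow-export source Loopback0
interface GigabitEthernet0/0
 ip flow ingress
!
! --- Flexible NetFlow: you choose the key fields (match) and counters (collect) ---
flow record FLOOD-RECORD
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol                  ! L3 protocol type
 match transport source-port
 match transport destination-port
 match ipv4 tos                       ! ToS byte
 match interface input                ! ifIndex of the input interface
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
flow exporter NETFLOW-COLLECTOR
 destination 192.0.2.30
 source Loopback0
 transport udp 2055
 export-protocol netflow-v9
!
flow monitor FLOOD-MONITOR
 record FLOOD-RECORD
 exporter NETFLOW-COLLECTOR
 cache timeout active 60              ! export long-lived flows every minute so a flood shows up quickly
!
interface GigabitEthernet0/1
 ip flow monitor FLOOD-MONITOR input
!
! Verification:
!  show ip cache flow                                      (traditional)
!  show flow monitor FLOOD-MONITOR cache format table      (flexible)
```

For flood detection the telltale sign in either cache is a burst of many flows with one destination and a new source or source port per flow, each carrying one or two packets; the short active timeout in the Flexible monitor is what gets that picture to the collector before the attack is over.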


Control Plane Controls
Routing Protocol Authentication

Route Filtering
Accept known good routing information from neighbors.
Reject unwanted routes
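Routing protocol authentication and route filtering together, for EIGRP, OSPF and BGP. Added example, not from the notes; AS numbers, prefixes, neighbor addresses, interface names and keys are placeholders.

```cisco
! --- EIGRP neighbor authentication with a key chain ---
key chain EIGRP-KEYS
 key 1
  key-string <EIGRP-KEY>
interface GigabitEthernet0/1
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
!
! --- OSPF MD5 authentication on another link ---
interface GigabitEthernet0/2
 ip ospf message-digest-key 1 md5 <OSPF-KEY>
router ospf 1
 area 0 authentication message-digest
!
! --- Route filtering: accept only the branch's own subnets from the EIGRP neighbor ---
ip prefix-list FROM-BRANCH seq 5 permit 10.20.0.0/16 le 24
ip prefix-list FROM-BRANCH seq 100 deny 0.0.0.0/0 le 32
router eigrp 100
 network 10.0.0.0
 distribute-list prefix FROM-BRANCH in GigabitEthernet0/1
!
! --- BGP: TCP MD5 password, inbound prefix filter, prefix limit ---
ip prefix-list FROM-PEER seq 5 deny 0.0.0.0/0              ! no default route from a peer
ip prefix-list FROM-PEER seq 10 deny 10.0.0.0/8 le 32      ! no private space
ip prefix-list FROM-PEER seq 15 deny 0.0.0.0/0 ge 25       ! nothing longer than /24
ip prefix-list FROM-PEER seq 100 permit 0.0.0.0/0 le 24
router bgp 65001
 neighbor 203.0.113.2 remote-as 65002
 neighbor 203.0.113.2 password <BGP-MD5-KEY>
 neighbor 203.0.113.2 prefix-list FROM-PEER in
 neighbor 203.0.113.2 maximum-prefix 100 warning-only      ! a full-table leak cannot blow up the RIB
!
! Verification:
!  show ip eigrp neighbors
!  show ip ospf neighbor
!  show ip bgp neighbors 203.0.113.2 | include prefix
```

Authentication answers "is this neighbor who it claims to be"; the prefix lists answer "even if it is, should I believe this route". A compromised or misconfigured legitimate neighbor gets past the first check, which is why the notes list both.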

Management Plane Controls
Interface ACLs
ACLs on VTY
CoPP
MPP with a management interface <== BP (best practice)
RBAC
User parser view commands (user rights)
Digitally signed IOS (show software authenticity running)
Processor / memory traps

Network Address Translation

Zone-Based Firewalls

IOS IPS

IOS VPN

VTI-Based VPN with PKI

DMVPN

GET VPN

VPN-HA

RA VPN On Cisco IOS

 
