© 2006 Cisco Systems, Inc. All rights reserved. SND v2.03-1 Securing LAN and WLAN Devices Applying Security Policies to Network Switches.

Transcript:


Outline
– Overview
– Basic Switch Operation
– Switches Are Targets
– Securing Network Access to Layer 2 LAN Switches
– Protecting Administrative Access to Switches
– Protecting Access to the Management Port
– Turning Off Unused Network Interfaces and Services
– Summary

Why Worry About Layer 2 Security?
OSI was built to allow different layers to work without knowledge of each other.
[Diagram: the seven OSI layers (Application, Presentation, Session, Transport, Network, Data Link, Physical) on Host A and Host B, with what each layer exchanges: application stream, protocols and ports, IP addresses, MAC addresses, physical links]

Domino Effect
If one layer is hacked, communications are compromised without the other layers being aware of the problem.
Security is only as strong as your weakest link.
When it comes to networking, Layer 2 can be a very weak link.
[Diagram: the same two OSI stacks, with an initial compromise marked at one layer and the whole stack shown as compromised]

Switches Are Targets
Protection should include:
– Constraining Telnet access
– SNMP read-only
– Turning off unneeded services
– Logging unauthorized access attempts
VLANs are an added vulnerability:
– Remove user ports from automatic trunking
– Use nonuser VLANs for trunk ports
– Set unused ports to a nonrouted VLAN
– Do not depend on VLAN separation
– Use private VLANs

Securing Network Access at Layer 2
Follow these steps:
1. Protect administrative access to the switch.
2. Protect the switch management port.
3. Turn off unused network services.
4. Lock down the ports.
5. Use Cisco Catalyst switch security features.

Protecting Administrative Access
Two access levels:
– User level: accessed via Telnet or SSH connections to a switch, or via the console line on the switch
– Privileged level: accessed after user level is established
The main vulnerability arises from poor password security.

Password Encryption
Switch(config)# enable password password
Sets a local password to control access to various privilege levels.
Switch(config)# enable secret [level level] {password | [encryption-type] encrypted-password}
Specifies an additional layer of security over the enable password command.

Password Guidelines
– Use passwords at least 10 characters long
– Do not use real words
– Mix letters, numbers, and special characters
– Do not use a number for the first character of the password
Administrators should perform these tasks:
– Change passwords every 90 days
– Make sure that the enable secret password is unique for each switch
– Do not use enable secret passwords for anything else on the switch

Protecting the Management Port
– Assign a unique account for each administrator
– Use a strong and unique password on every switch
– Set a timeout
– Use a banner
– Use OOB management

Turning Off Unused Network Services
Less is more. Enabled network services open vulnerabilities for these reasons:
– Many connections are unencrypted.
– Default user accounts allow unauthorized entry.
– Weak and shared passwords on services open doors for attackers.
– Extended timeouts allow hijacking.

Shutting Down Interfaces
Shuts down a single interface:
Switch(config)# interface fastethernet 0/1
Switch(config-if)# shutdown
Shuts down a range of interfaces:
Switch(config)# interface range fastethernet 0/2 - 8
Switch(config-if-range)# shutdown
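As an added example (not part of the Cisco course material), a small Python audit that checks an exported running-config against the recommendations in these slides: enable secret configured, the vty lines restricted to SSH with a timeout and per-administrator login, a banner present, and every interface on a supplied "unused" list shut down. The sample config and the port list are constructed, and the checker assumes one-line banners and that a vty without "transport input ssh" may still accept Telnet.

```python
from typing import Dict, List

# Constructed sample running-config (made-up passwords and port roles).
SAMPLE_CONFIG = """\
enable password cisco123
banner motd ^CAuthorized access only^C
interface FastEthernet0/2
 switchport access vlan 1
interface FastEthernet0/3
 shutdown
line vty 0 4
 password telnetpw
 transport input telnet
 login
"""

def parse_sections(config: str) -> Dict[str, List[str]]:
    # Map each unindented line to the indented lines beneath it.
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in (line for line in config.splitlines() if line.strip()):
        if raw[0].isspace() and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections

def audit_switch_config(config: str, unused_ports: List[str]) -> List[str]:
    # One finding per deviation from the lesson's checklist.
    sections = parse_sections(config)
    findings: List[str] = []
    if not any(h.startswith("enable secret") for h in sections):
        findings.append("no 'enable secret': privileged mode relies on a weaker enable password or none")
    if any(h.startswith("enable password") for h in sections):
        findings.append("'enable password' present: stored reversibly; remove it once enable secret is set")
    if not any(h.startswith("banner ") for h in sections):
        findings.append("no banner configured")
    for head, body in sections.items():
        if head.startswith("line vty"):
            if "transport input ssh" not in body:
                findings.append(f"{head}: transport not restricted to SSH, so Telnet may be accepted")
            if not any(b.startswith("exec-timeout") for b in body):
                findings.append(f"{head}: no exec-timeout; idle sessions stay open")
            if not any(b.startswith(("login local", "login authentication")) for b in body):
                findings.append(f"{head}: shared line password; use per-administrator accounts")
    for port in unused_ports:
        if "shutdown" not in sections.get(f"interface {port}", []):
            findings.append(f"interface {port}: listed as unused but not shut down")
    return findings
```

Run it against the sample with FastEthernet0/2 and 0/3 declared unused and it reports six findings; apply the slide's fixes (enable secret, shutdown on 0/2, SSH-only vty with exec-timeout and login local) and the list is empty.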

Summary
– Layer 2 vulnerabilities often escape notice, but network security is only as strong as its weakest link.
– Switches are targets because they can give attackers access to an entire network.
– Five basic steps can mitigate Layer 2 attacks.
– Use passwords to protect administrative access to switches.
– Protect the management port by assigning unique accounts and using strong passwords, timeouts, banners, and OOB management.
– Turn off unused network services and interfaces.
