This presentation was published 10 years ago by user Любовь Михаева
© 2006 Cisco Systems, Inc. All rights reserved. BCMSN v
Minimizing Service Loss and Data Theft in a Campus Network
Securing Network Switches
Describing Vulnerabilities in CDP
Describing Vulnerabilities in the Telnet Protocol
- The Telnet connection sends text unencrypted and potentially readable.
Describing the Secure Shell Protocol
- SSH replaces the Telnet session with an encrypted connection.
Describing vty ACLs
- Set up standard IP ACL.
- Use line configuration mode to filter access with the access-class command.
- Set identical restrictions on every vty line.
Describing Commands to Apply ACLs
Switch(config)#access-list access-list-number {permit | deny | remark} source [mask]
- Configures a standard IP access list
Switch(config)#line vty {vty# | vty-range}
- Enters configuration mode for a vty or vty range
Switch(config-line)#access-class access-list-number in|out
- Restricts incoming or outgoing vty connections to addresses in the ACL
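An added example, not part of the Cisco slides: a small Python audit of a switch configuration that checks the vty guidance above (a defined standard ACL applied inbound, identical on every vty line). As an assumption drawn from the slides' SSH recommendation, it also requires an explicit `transport input ssh` on each vty; the sample config, its addresses and the function names are constructed for illustration.

```python
import re

# Constructed sample running-config (not from the slides); 192.0.2.0/24 is a documentation range.
SAMPLE_CONFIG = """\
access-list 10 remark management stations
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny any
!
line con 0
line vty 0 4
 access-class 10 in
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""

def is_standard_acl(num):
    # Standard IP ACL numbers: 1-99 and the expanded range 1300-1999.
    return 1 <= num <= 99 or 1300 <= num <= 1999

def audit_vty(config):
    """Return a list of findings about vty access restrictions (hypothetical helper)."""
    defined = {int(n) for n in re.findall(r"^access-list (\d+) ", config, re.M)}
    vty, current, findings = {}, None, []
    for raw in config.splitlines():
        if re.match(r"line vty \d+(?: \d+)?$", raw):
            current = raw[len("line "):]
            vty[current] = {"acl": None, "transport": None}
        elif not raw.startswith(" "):
            current = None  # any other top-level line ends the vty sub-mode
        elif current:
            s = raw.strip()
            if (m := re.match(r"access-class (\d+) in\b", s)):
                vty[current]["acl"] = int(m.group(1))
            elif s.startswith("transport input "):
                vty[current]["transport"] = s[len("transport input "):]
    for name, c in vty.items():
        if c["acl"] is None:
            findings.append(f"{name}: no inbound access-class")
        elif not is_standard_acl(c["acl"]) or c["acl"] not in defined:
            findings.append(f"{name}: ACL {c['acl']} is not a defined standard ACL")
        # Assumption: only an explicit 'transport input ssh' counts as SSH-only.
        if c["transport"] != "ssh":
            findings.append(f"{name}: transport input is not restricted to ssh")
    if len({c["acl"] for c in vty.values()}) > 1:
        findings.append("vty lines do not share identical restrictions")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_vty(SAMPLE_CONFIG)) or "no findings")
```

The second vty range in the sample is the common miss: lines 5 to 15 are left without the ACL that protects lines 0 to 4.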
Best Practices: Switch Security
Secure switch access:
- Set system passwords.
- Secure physical access to the console.
- Secure access via Telnet.
- Use SSH when possible.
- Configure system warning banners.
- Use Syslog if available.
Best Practices: Switch Security (Cont.)
Secure switch protocols:
- Trim CDP and use only as needed.
- Secure spanning tree.
Mitigate compromises through a switch:
- Take precautions for trunk links.
- Minimize physical port access.
- Establish standard access port configuration for both unused and used ports.
Summary
- CDP packets can expose some network information.
- Authentication information and data carried in Telnet sessions are vulnerable.
- SSH provides a more secure alternative to Telnet.
- vty ACLs should be used to limit Telnet access to switch devices.
- vty ACL configuration commands use standard IP ACL lists.
- Sound security measures and trimming of unused applications are the basis of best practices.