The presentation was published 10 years ago by user Клара Ваганова
Slide 1 (© 2006 Cisco Systems, Inc. All rights reserved. SND v)
Securing LAN and WLAN Devices
Applying Security Policies to Network Switches
Slide 2: Outline
– Overview
– Basic Switch Operation
– Switches Are Targets
– Securing Network Access to Layer 2 LAN Switches
– Protecting Administrative Access to Switches
– Protecting Access to the Management Port
– Turning Off Unused Network Interfaces and Services
– Summary
Slide 3: Why Worry About Layer 2 Security?
OSI was built to allow different layers to work without knowledge of each other.
[Figure: Host A and Host B, each drawn as the seven OSI layers (Application, Presentation, Session, Transport, Network, Data Link, Physical); peer layers exchange physical links, MAC addresses, IP addresses, protocols and ports, and the application stream.]
Slide 4: Domino Effect
If one layer is hacked, communications are compromised without the other layers being aware of the problem.
Security is only as strong as your weakest link.
When it comes to networking, Layer 2 can be a very weak link.
[Figure: the two OSI stacks again; an initial compromise at the Data Link layer (MAC addresses) is shown propagating so that the host's layers are marked compromised.]
Slide 5: Switches Are Targets
Protection should include:
– Constraining Telnet access
– SNMP read-only
– Turning off unneeded services
– Logging unauthorized access attempts
VLANs are an added vulnerability:
– Remove user ports from automatic trunking
– Use nonuser VLANs for trunk ports
– Set unused ports to a nonrouted VLAN
– Do not depend on VLAN separation
– Use private VLANs
Slide 6: Securing Network Access at Layer 2
Follow these steps:
1. Protect administrative access to the switch.
2. Protect the switch management port.
3. Turn off unused network services.
4. Lock down the ports.
5. Use Cisco Catalyst switch security features.
Slide 7: Protecting Administrative Access
Two access levels:
– User level: accessed via Telnet or SSH connections to a switch, or via the console line on the switch
– Privileged level: accessed after user-level access is established
The main vulnerability arises from poor password security.
Slide 8: Password Encryption
Switch(config)# enable password password
    Sets a local password to control access to various privilege levels.
Switch(config)# enable secret [level level] {password | [encryption-type] encrypted-password}
    Specifies an additional layer of security over the enable password command.
Slide 9: Password Guidelines
– Use passwords at least 10 characters long.
– Do not use real words.
– Mix letters, numbers, and special characters.
– Do not use a number for the first character of the password.
Administrators should perform these tasks:
– Change passwords every 90 days.
– Make sure that the enable secret password is unique for each switch.
– Do not use enable secret passwords for anything else on the switch.
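The guidelines on this slide are mechanical enough to check in code. The Python below is an added example, not part of the Cisco course material: it reports which guidelines a candidate password breaks, flags a password that is past the 90-day rotation period, and lists switches whose enable secret is shared with another switch. COMMON_WORDS is a small constructed stand-in for a real dictionary wordlist, and the uniqueness check assumes the plaintext secrets come from a password vault, since a Type 5 enable secret is salted and two switch configs cannot be compared by hash.

```python
"""Check switch passwords against the guidelines above.

Added example, not part of the Cisco course material. COMMON_WORDS is a small
constructed stand-in for a real dictionary wordlist, and enable_secrets_unique()
assumes plaintext secrets from a password vault (Type 5 hashes are salted, so
two configs cannot be compared by hash).
"""
import re
from datetime import date, timedelta

MIN_LENGTH = 10          # "at least 10 characters long"
ROTATION_DAYS = 90       # "change passwords every 90 days"

# Constructed stand-in for a dictionary wordlist (assumption).
COMMON_WORDS = {"cisco", "switch", "password", "admin", "network", "secret"}


def password_violations(password):
    """Return the guideline violations for one password; [] means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password[:1].isdigit():
        problems.append("starts with a digit")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"[0-9]", password):
        problems.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special characters")
    # "Do not use real words": any wordlist entry embedded in the password.
    lowered = password.lower()
    hits = sorted(w for w in COMMON_WORDS if w in lowered)
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))
    return problems


def rotation_due(last_changed_iso, today_iso):
    """True when the password is older than the rotation period (ISO dates)."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return today - last_changed > timedelta(days=ROTATION_DAYS)


def enable_secrets_unique(secrets_by_switch):
    """Return the switches whose enable secret is shared with another switch."""
    by_secret = {}
    for switch, secret in secrets_by_switch.items():
        by_secret.setdefault(secret, []).append(switch)
    return sorted(s for group in by_secret.values() if len(group) > 1 for s in group)


if __name__ == "__main__":
    for candidate in ("cisco123", "Tr0ub4dor&3x!"):
        print(candidate, password_violations(candidate) or ["OK"])
```

A real deployment would replace COMMON_WORDS with a proper wordlist and feed the rotation and uniqueness checks from the vault that holds the per-switch secrets.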
Slide 10: Protecting the Management Port
– Assign a unique account for each administrator.
– Use a strong and unique password on every switch.
– Set a timeout.
– Use a banner.
– Use OOB (out-of-band) management.
Slide 11: Turning Off Unused Network Services
Less is more. Enabled network services open vulnerabilities for these reasons:
– Many connections are unencrypted.
– Default user accounts allow unauthorized entry.
– Weak and shared passwords on services open doors for attackers.
– Extended timeouts allow hijacking.
Slide 12: Shutting Down Interfaces
Shuts down a single interface:
Switch(config)# interface fastethernet 0/1
Switch(config-if)# shutdown
Shuts down a range of interfaces:
Switch(config)# interface range fastethernet 0/2 - 8
Switch(config-if-range)# shutdown
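Slides 7 through 12 describe settings that can be audited from a saved running-config. The Python below is an added example, not from the course: it parses two constructed IOS configs, a weak one and a hardened one for the same switch, and reports where the weak one falls short of the steps above (enable secret rather than enable password, per-administrator usernames, a banner, an exec-timeout and no Telnet on the console and vty lines, and unused ports shut down). Which ports are in use is supplied by the caller and assumed to come from an inventory; the hash values in the hardened config are placeholders, and `exec-timeout 0 0` is treated as no timeout because IOS uses it to disable the idle timer.

```python
"""Audit a Cisco IOS switch running-config against the hardening steps above.

Added example, not part of the Cisco course material; both configs are
constructed. Checks: 'enable secret' present and 'enable password' absent,
at least one local 'username', a banner, an exec-timeout and no Telnet on
every line, and every physical port not in the caller's in-use list shut
down (assumption: the in-use list comes from an inventory, not the config).
"""
import re

# Constructed "before" config showing the weak settings the slides warn about.
WEAK_CONFIG = """\
enable password cisco123
banner motd ^C Authorized access only ^C
interface FastEthernet0/1
 switchport mode access
interface FastEthernet0/2
 shutdown
interface FastEthernet0/3
 switchport mode access
line con 0
 exec-timeout 5 0
 login
line vty 0 4
 login
 transport input telnet
"""

# Constructed "after" config for the same switch (hash values are placeholders).
HARDENED_CONFIG = """\
enable secret 5 $1$PLACEHOLDER$notarealhash
username alice secret 5 $1$PLACEHOLDER$notarealhash
banner motd ^C Authorized access only ^C
interface FastEthernet0/1
 switchport mode access
interface FastEthernet0/2
 shutdown
interface FastEthernet0/3
 shutdown
line con 0
 exec-timeout 5 0
 login local
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
"""


def parse_sections(config):
    """Split IOS config text into (header, [body lines]) using one-space indent."""
    sections = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue                      # blank lines and '!' separators
        if line.startswith(" ") and sections:
            sections[-1][1].append(line.strip())
        else:
            sections.append((line, []))
    return sections


def audit_config(config, ports_in_use):
    """Return sorted findings for the config; an empty list means it passes."""
    findings = []
    sections = parse_sections(config)
    headers = [h for h, _ in sections]

    # Step 1: administrative access -> enable secret rather than enable password.
    if not any(h.startswith("enable secret ") for h in headers):
        findings.append("no 'enable secret' configured")
    if any(h.startswith("enable password ") for h in headers):
        findings.append("'enable password' present; use 'enable secret' instead")

    # Step 2: management port -> per-admin accounts, banner, timeout, no Telnet.
    if not any(h.startswith("username ") for h in headers):
        findings.append("no local username accounts (shared line password)")
    if not any(h.startswith("banner ") for h in headers):
        findings.append("no banner configured")
    for header, body in sections:
        if header.startswith("line "):
            timeouts = [b for b in body if b.startswith("exec-timeout ")]
            if not timeouts or timeouts[0] == "exec-timeout 0 0":
                findings.append(f"{header}: no exec-timeout")
            if "transport input telnet" in body:
                findings.append(f"{header}: Telnet permitted (unencrypted)")

    # Steps 3 and 4: unused services and ports -> unused physical ports shut down.
    for header, body in sections:
        m = re.match(r"interface ((?:Fast|Gigabit)Ethernet\S+)", header)
        if m and m.group(1) not in ports_in_use and "shutdown" not in body:
            findings.append(f"{m.group(1)}: unused but not shut down")
    return sorted(findings)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg, {"FastEthernet0/1"}) or ["OK"])
```

Running the script lists six findings for the weak config and none for the hardened one. The parser relies on the one-space indentation IOS uses for sub-commands, which is why the SNMP and VLAN recommendations from slide 5 could be added as further section checks without changing the parsing.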
Slide 13: Summary
– Layer 2 vulnerabilities often escape notice, but network security is only as strong as its weakest link.
– Switches are targets because they can give attackers access to an entire network.
– Five basic steps can mitigate Layer 2 attacks.
– Use passwords to protect administrative access to switches.
– Protect the management port by assigning unique accounts and using strong passwords, timeouts, banners, and OOB management.
– Turn off unused network services and interfaces.