Chapter2 Port Security


Chapter 2: Introduction

to Switched Networks

Routing and Switching

Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1
Chapter 2
2.0 Introduction
2.1 Basic Switch Configuration
2.2 Switch Security: Management and Implementation

Chapter 2: Objectives
Upon completion of this chapter, you will be able to:
 Explain the advantages and disadvantages of static routing.
 Configure initial settings on a Cisco switch.
 Configure switch ports to meet network requirements.
 Configure the management switch virtual interface.
 Describe basic security attacks in a switched environment.
 Describe security best practices in a switched environment.
 Configure the port security feature to restrict network access.

Basic Switch Configuration
Switch Boot Sequence
1. Power-on self test (POST).
2. Run boot loader software.
3. Boot loader performs low-level CPU initialization.
4. Boot loader initializes the flash file system.
5. Boot loader locates and loads a default IOS operating system
software image into memory and passes control of the switch
over to the IOS.

Basic Switch Configuration
Switch Boot Sequence (cont.)
To find a suitable Cisco IOS image, the switch goes through the
following steps:
Step 1. It attempts to automatically boot by using information in the
BOOT environment variable.
Step 2. If this variable is not set, the switch performs a top-to-bottom
search through the flash file system. It loads and executes
the first executable file, if it can.
Step 3. The IOS software then initializes the interfaces using the
Cisco IOS commands found in the configuration file and
startup configuration, which is stored in NVRAM.
Note: The boot system command can be used to set the BOOT
environment variable.

Basic Switch Configuration
Recovering from a System Crash
 The boot loader can also be used to manage the switch if the IOS
cannot be loaded.
 The boot loader can be accessed through a console connection by:
1. Connecting a PC to the switch console port with a console cable,
then unplugging the switch power cord.
2. Reconnecting the power cord to the switch while pressing and
holding the Mode button.
3. Waiting until the System LED turns briefly amber and then solid
green, then releasing the Mode button.
 The boot loader switch: prompt appears in the terminal
emulation software on the PC.

Basic Switch Configuration
Switch LED Indicators
 Each port on a Cisco Catalyst switch has a status LED indicator
light.
 By default, these LED lights reflect port activity, but they can also
provide other information about the switch through the Mode
button.
 The following modes are available on Cisco Catalyst 2960
switches:
• System LED
• Redundant Power System (RPS) LED
• Port Status LED
• Port Duplex LED
• Port Speed LED
• Power over Ethernet (PoE) Mode LED

Basic Switch Configuration
Preparing for Basic Switch Management
(cont.)

Basic Switch Configuration
Preparing for Basic Switch Management
(cont.)

Configuring Switch Ports
Duplex Communication

Configuring Switch Ports
Configuring Switch Ports at the Physical
Layer

Configuring Switch Ports
Auto-MDIX Feature
 Certain cable types (straight-through or crossover) were
historically required when connecting devices.
 The automatic medium-dependent interface crossover (auto-
MDIX) feature eliminates this problem.
 When auto-MDIX is enabled, the interface automatically detects
and appropriately configures the connection.
 When using auto-MDIX on an interface, the interface speed and
duplex must be set to auto.

Configuring Switch Ports
Auto-MDIX Feature (cont.)

Configuring Switch Ports
Verifying Switch Port Configuration

Configuring Switch Ports
Network Access Layer Issues

Secure Remote Access
SSH Operation
 Secure Shell (SSH) is a protocol that provides a secure
(encrypted), command-line based connection to a remote device.
 SSH is commonly used in UNIX-based systems.
 The Cisco IOS software also supports SSH.
 A version of the IOS software, including cryptographic (encrypted)
features and capabilities, is required to enable SSH on Catalyst
2960 switches.
 Because of its strong encryption features, SSH should replace Telnet
for management connections.
 SSH uses TCP port 22, by default. Telnet uses TCP port 23.

Secure Remote Access
SSH Operation (cont.)

Secure Remote Access
Configuring SSH

Secure Remote Access
Verifying SSH

Security Concerns in LANs
MAC Address Flooding
 Switches automatically populate their CAM tables by watching
traffic entering their ports.
 A switch floods traffic out all ports if it cannot find the
destination MAC address in its CAM table.
 Under such circumstances, the switch acts as a hub: unicast
traffic can be seen by all devices connected to the switch.
 An attacker could exploit this behavior to gain access to traffic
normally controlled by the switch by using a PC to run a MAC
flooding tool.
 Such a tool is a program created to generate and send out frames
with bogus source MAC addresses to the switch port.
 As these frames reach the switch, it adds the bogus MAC addresses
to its CAM table, taking note of the port the frames arrived on.

Security Concerns in LANs
MAC Address Flooding (cont.)
 Eventually the CAM table fills up with bogus MAC addresses.
 The CAM table now has no room for the legitimate devices present
in the network, so the switch never finds their MAC addresses in
the CAM table.
 All frames are now flooded to all ports, allowing the attacker to
see traffic destined for other hosts.

Security Concerns in LANs
MAC Address Flooding (cont.)
An attacker flooding the CAM table with bogus entries.

Security Concerns in LANs
MAC Address Flooding (cont.)
The switch now behaves as a hub.

Security Concerns in LANs
DHCP Spoofing
 DHCP is a network protocol used to automatically assign IP
information.
 Two types of DHCP attacks are:
• DHCP spoofing
• DHCP starvation
 In DHCP spoofing attacks, a fake DHCP server is placed in the
network to issue DHCP addresses to clients.
 DHCP starvation is often used before a DHCP spoofing attack to
deny service to the legitimate DHCP server.

Security Concerns in LANs
DHCP Spoof Attack

Security Best Practices
10 Best Practices
 Develop a written security policy for the organization.
 Shut down unused services and ports.
 Use strong passwords and change them often.
 Control physical access to devices.
 Use HTTPS instead of HTTP.
 Perform backup operations on a regular basis.
 Educate employees about social engineering attacks.
 Encrypt and password-protect sensitive data.
 Implement firewalls.
 Keep software up-to-date.

Switch Port Security
Secure Unused Ports
Disabling unused ports is a simple, yet efficient security guideline.

Switch Port Security
DHCP Snooping
DHCP snooping specifies which switch ports are trusted to respond to
DHCP requests.

Switch Port Security
Port Security: Operation
 Port security limits the number of valid MAC addresses allowed on
a port.
 The MAC addresses of legitimate devices are allowed access,
while other MAC addresses are denied.
 Any additional attempts to connect by unknown MAC addresses
generate a security violation.
 Secure MAC addresses can be configured in a number of ways:
• Static secure MAC addresses
• Dynamic secure MAC addresses
• Sticky secure MAC addresses

Switch Port Security
Port Security: Violation Modes
 IOS considers it a security violation when either of these situations
occurs:
• The maximum number of secure MAC addresses for that
interface has been added to the CAM table, and a station whose
MAC address is not in the address table attempts to access
the interface.
• An address learned or configured on one secure interface is
seen on another secure interface in the same VLAN.
 There are three possible actions to take when a violation is
detected:
• Protect
• Restrict
• Shutdown
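The two violation conditions and the three violation modes listed above, modelled as an added Python example (not code from the Cisco deck); the port names, VLAN number and MAC addresses are constructed, and the default mode and maximum follow the IOS defaults the chapter describes.

```python
"""Model of IOS port-security violation handling (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    vlan: int
    maximum: int = 1               # switchport port-security maximum (IOS default 1)
    violation: str = "shutdown"    # protect | restrict | shutdown (IOS default)
    secure_macs: set = field(default_factory=set)
    violations: int = 0            # counter only advances in restrict/shutdown
    err_disabled: bool = False


class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}

    def _owner(self, mac, vlan):
        """Secure port in this VLAN that already holds 'mac', if any."""
        for p in self.ports.values():
            if p.vlan == vlan and mac in p.secure_macs:
                return p
        return None

    def ingress(self, port_name, src_mac):
        """Process one frame's source MAC; return the action taken."""
        p = self.ports[port_name]
        if p.err_disabled:
            return "dropped(err-disabled)"
        if src_mac in p.secure_macs:
            return "forwarded"
        seen_elsewhere = self._owner(src_mac, p.vlan) is not None
        table_full = len(p.secure_macs) >= p.maximum
        if not seen_elsewhere and not table_full:
            p.secure_macs.add(src_mac)   # dynamic secure MAC learned
            return "forwarded"
        # Violation condition 1 (table full, unknown MAC) or
        # condition 2 (MAC already secured on another port in the VLAN).
        if p.violation == "protect":
            return "dropped"             # silent: no log, no counter
        p.violations += 1
        if p.violation == "restrict":
            return "dropped+logged"      # syslog/SNMP trap, port stays up
        p.err_disabled = True            # shutdown: port goes err-disabled
        return "err-disabled"
```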

Switch Port Security
Dynamic Port Security Defaults

Switch Port Security
Configuring Dynamic Port Security

Switch Port Security
Configuring Port Security Sticky

switchport port-security violation {protect | restrict | shutdown}

Switch Port Security
Verifying Port Security Sticky

Switch Port Security
Verifying Port Security Sticky – Running
Configuration

Switch Port Security
Verifying Port Security – Secure MAC
Addresses

Switch Port Security
Network Time Protocol
 The Network Time Protocol (NTP) is used to synchronize the
clocks of computer systems across data networks.
 NTP can get the correct time from an internal or external time
source.
 Time sources can be:
• Local master clock
• Master clock on the Internet
• GPS or atomic clock
 A network device can be configured as either an NTP server or an
NTP client.
 See slide notes for more information on NTP.

Switch Port Security
Configuring NTP

Switch Port Security
Verifying NTP

Chapter 2: Summary
In this chapter, you learned:
 Cisco LAN switch boot sequence.
 Cisco LAN switch LED modes.
 How to remotely access and manage a Cisco LAN switch through a
secure connection.
 Cisco LAN switch port duplex modes.
 Cisco LAN switch port security, violation modes, and actions.
 Best practices for switched networks.
