Posts from ‘Security’
Catalyst switch port security is so often recommended. This is because of a couple of important points:
- There are many attacks that are simple to carry out at Layer 2
- There tends to be a gross lack of security at Layer 2
- Port Security can guard against many different types of attacks, such as MAC flooding, MAC spoofing, and rogue DHCP servers and APs, just to name a few
I find when it comes to port security, however, many students cannot seem to remember two main points:
- What in the world is Sticky Learning and how does it work?
- What is the difference between the different violation modes and how can I remember them?
Sticky learning is a convenient way to set static MAC address mappings for MAC addresses that you allow on your network. What you do is confirm that the correct devices are connected. You then turn on sticky learning and the port security feature itself, for example:
```cisco
switchport port-security maximum 2
switchport port-security mac-address sticky
switchport port-security
```
Join us Friday, June 25th at 11AM Pacific / 2PM Eastern for another installment in the Open Lecture Series.
The topic that will be covered is Privilege Levels and Role Based CLI.
We look forward to seeing you there. Seats are limited.
We are putting the final touches together for the CCSP bootcamp that is launching soon. (PS, it is going to ROCK! ) As I was going through the demos on L2 security, I was reminded of how this topic is often an Achilles heel for many CCIE candidates, both R/S and Security.
This blog post is to refresh your memories and provide some examples for layer 2 security on the Catalyst switch. We will begin with DHCP snooping.
Bob turned up the volume on his MP3 player. It was difficult to hear his music over the whirring of the humidifiers. He sat down in one of the small chairs in front of a computer with SecureCRT. It was freezing in the data center, and a short-sleeved Bob was hoping for a quick and working solution. It all happened like this:
After his huge success implementing DMVPN and GET VPN overlay (with a lot of help from his INE Blog Buddies), Bob was on a roll. He decided to attempt VRF and IPSec integration as his next challenge.
Beginning in October 2009, students will be required to demonstrate mastery of the Cisco IOS Intrusion Prevention System (IPS) for the CCIE R/S track. This blog post introduces candidates to this relatively new security feature. Note that this series of blog posts will focus on Tier 1 knowledge. This information allows mastery for the Core Knowledge section and builds a foundation for later mastery at the Command Line Interface.
Intrusion Prevention replaces mere Intrusion Detection from previous IOS versions. IDS for the IOS was certainly nice (you get alerted when a security attack is occurring), but obviously, stopping an attack is much more powerful.
Female Voice: “Don’t tell me which zone’s for stopping and which zone’s for loading!
Male Voice: “Listen, Betty, don’t start your white zone sh*t again. There is just no stopping in the white zone.” – Airplane 1980
In an earlier blog post, we introduced you to the IOS Zone-Based Firewall from Cisco Systems. You can find that post here if you need it.
This post will walk you through an example of the Zone-Based Firewall at the command line. Here is the simple topology we will use in this example:
In this blog post, we will obtain some good solid Tier 1 level knowledge regarding VLAN Access Control Lists or VACLs. These are often also referred to as VLAN Access Maps or just VLAN Maps; thanks to the syntax that is used in their creation.
When you want to filter traffic that is moving from one VLAN to another, things are real CCNA-like and friendly: we use an Access Control List. In fact, we should elaborate on that term a bit now in light of this discussion. We actually use a Router-based Access Control List, or RACL.
But what if we want to filter traffic that is flowing within a VLAN? Oh no, a Router-based Access Control List cannot help us! This is when we turn to the VLAN Access Control List. To help us understand this feature, let us create a topology and a sample scenario. Here is the simple topology:
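As an added example (not from the original post, whose topology is not reproduced here), this is the shape a VACL takes: it drops Telnet between hosts inside VLAN 10 while forwarding everything else in that VLAN. The 10.10.10.0/24 addressing and the VLAN number are constructed for the example.

```cisco
! The ACL only classifies traffic: "permit" here means "this is the
! traffic the access-map entry matches", not "allow it".
ip access-list extended VLAN10-TELNET
 permit tcp 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 23
!
! Sequence 10: drop Telnet that stays inside the VLAN
vlan access-map VLAN10-MAP 10
 match ip address VLAN10-TELNET
 action drop
!
! Sequence 20: a VLAN access map ends with an implicit drop, so an
! explicit catch-all forward is needed or all other traffic in the VLAN
! is dropped as well.
vlan access-map VLAN10-MAP 20
 action forward
!
! Unlike a RACL, the map is applied to the VLAN itself, not to a routed
! interface, so it sees bridged traffic that never crosses a router.
vlan filter VLAN10-MAP vlan-list 10
!
! Verification
! show vlan access-map VLAN10-MAP
! show vlan filter
```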
Flexible Packet Matching is a new feature that allows for granular packet inspection in Cisco IOS routers. Using FPM you can match any string, byte or even bit at any position in the IP (or theoretically non-IP) packet. This may greatly aid in identifying and blocking network attacks using static patterns found in the attack traffic. This feature has some limitation though.
a) First, it is completely stateless, i.e. it does not track the state or history of a packet flow. Thus, FPM cannot discover dynamically negotiated protocol ports such as those used by H.323 or FTP, nor can it detect patterns split across multiple packets. Essentially, inspection is applied on a per-packet basis only.
b) Additionally, you cannot apply FPM to control-plane traffic, as the feature is implemented purely in the CEF switching layer. Fragmented traffic is not reassembled for matching; the only fragment inspected is the initial fragment of the IP packet.
c) IP packets carrying IP options are not matched by FPM either, because they are punted to the route processor.
d) Lastly, this feature inspects only unicast packets and does not apply to MPLS encapsulated packets.
Configuring an FPM filter consists of a few steps.
(1) Loading protocol headers.
(2) Defining a protocol stack.
(3) Defining a traffic filter.
(4) Applying the policy & Verifying
Let’s look at each of these steps in depth.
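As an added example (not from the original post), here is how the four steps fit together in one Cisco IOS configuration that drops TCP traffic to port 80 carrying a fixed byte pattern in the first 256 bytes of payload. The PHDF location (flash:), the interface name and the pattern itself are assumptions; a real signature would come from analysis of the attack traffic.

```cisco
! Step 1: load the protocol header definition files (PHDFs) that
! describe the IP and TCP header fields. flash: is an assumed location.
load protocol flash:ip.phdf
load protocol flash:tcp.phdf
!
! Step 2: define the protocol stack FPM should walk: IP, then TCP
class-map type stack match-all IP-TCP
 match field IP protocol eq 0x6 next TCP
!
! Step 3: define the traffic filter. Everything here is evaluated per
! packet and statelessly, so a pattern split across two segments, a
! non-initial fragment, or a packet carrying IP options is never matched.
! "EXAMPLE-PATTERN" is a placeholder for the real signature.
class-map type access-control match-all HTTP-BAD-PATTERN
 match field TCP dest-port eq 80
 match start TCP payload-start offset 0 size 256 regex "EXAMPLE-PATTERN"
!
! Nest the filter under the stack class and choose the action
! (use "log" instead of "drop" when only visibility is wanted)
policy-map type access-control FPM-TCP
 class HTTP-BAD-PATTERN
  drop
policy-map type access-control FPM-POLICY
 class IP-TCP
  service-policy FPM-TCP
!
! Step 4: apply inbound on the interface facing the untrusted side
! (interface name assumed) and verify
interface FastEthernet0/0
 service-policy type access-control input FPM-POLICY
!
! show protocols phdf ip
! show policy-map type access-control interface FastEthernet0/0
```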
The Security section of Internetwork Expert’s CCIE Routing & Switching Lab Workbook Volume 1 Version 5.0 is completed and available on the members site. As of now the fully completed and posted sections are Bridging & Switching, Frame Relay, IP Routing, RIP, EIGRP, OSPF, QoS, Security, System Management, and IP Services. BGP, Multicast, and IPv6 remain, and will be incrementally posted next.
The final release of the Security section contains around 35 lab scenarios in approximately 150 pages. The final release consists of the following sections:
- AAA Authentication Lists
- AAA Exec Authorization
- AAA Local Command Authorization
One of my student friends from Cisco RTP suggested a great weekly addition to our blog – a sample task from a Mock Lab to challenge the blog faithful. Cool idea! Love it! To not spoil your fun when taking our Mock Labs, these tasks have been written specially so that there is no carryover.
My first installment is a topic that could easily appear on either the R/S Lab or the Security Lab. Enjoy! You are more than welcome to post your suggested solution in the comments. I will wait a week and then post a solution in there myself – along with some explanation text. If you enjoy this new blog installment, you should check out our products, because they are even better!
Here we go!
8.1 DoS Protection
You are concerned about DoS attacks against a key perimeter router in your company. Configure R1 so that it limits the aggregate rate of ARP traffic toward the route processor to 75 packets per second. Routing control traffic marked with an IP Precedence value of 6 should be limited to 100 packets per second.
NOTE: The solution and walkthrough are posted in the comments below dated February 6, 2009. Once again, this is a fraction of what you receive in our products!
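One possible solution, added here as an example and not the author's posted walkthrough: Control Plane Policing (CoPP) on R1, policing the two classes in packets per second. No interface names are needed, because the policy attaches to the control plane itself.

```cisco
! Class 1: ARP punted to the route processor
class-map match-all COPP-ARP
 match protocol arp
!
! Class 2: routing control traffic marked IP Precedence 6 (internetwork control)
class-map match-all COPP-ROUTING
 match ip precedence 6
!
! Police each class by packet rate: conforming traffic is transmitted,
! excess is dropped. Anything not classified falls into class-default
! and is left unpoliced here, since the task does not ask for it.
policy-map COPP
 class COPP-ARP
  police rate 75 pps conform-action transmit exceed-action drop
 class COPP-ROUTING
  police rate 100 pps conform-action transmit exceed-action drop
!
! Attach inbound to the aggregate control plane
control-plane
 service-policy input COPP
!
! Verification: per-class conformed/exceeded counters
! show policy-map control-plane input
```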