SECURITY

edge&DMZ core&distribution access
firewall     routers       switch

1. mac flooding attacks
cam arp mac flooding
基于mac也许流量
port-security (先shutdown port 然后做完安全no shutdown)
conf ter
interface fastethernet 0/0
switchport port-security
switchport port-security {max-value | mac-address}
switchport port-security violation {shutdown | restrict | protect} （shutdown——>err-disable）
switchport port-security mac-address sticky
switchport port-security aging static
spanning-tree portfast
conf ter
errdisable recovery cause psecure-violation
#errdisable recovery interval 30
show errdisable recovery
show port-security
show port-security interface fastethernet 0/0
show port-security address

基于mac限制流量
mac-address-table static 0010.7b80.7b9b vlan 1 drop

阻止未知的unicast & multicast blocked
switchport block {unicast | multicast}

2. vlan attacks
vlan hopping
vlan hopping with double tagging
conf ter
switchport mode access

vacl
ip/mac——>FWD/DROP
conf ter
vlan access-map map_name [seq#]
match {ip address {1-199 | 1300-2699 | acl_name} | ipx address (800-999 | acl_name) | mac address acl_name }
action {drop [log]} | {foreward [capture]} | {redirect {type slot/port} | {port-channel channel_id}}
vlan filter map_name vlan_list list

private vlan (2个sub domain ：primary vlan，secondary vlan（隔离vlan isolated 团体vlan community）)
promiscuous：communicate with all other port
isolated：communicate with only promiscuous ports
community：communicate with other members of community and all promiscuous port
vtp模式transparent
pri、sec vlan
port——>vlan

交换机高版本
config
vtp mode transparent
vlan 20
private-vlan private
exit
vlan 501
private-vlan community
exit
vlan 502
private-vlan isolated
exit
vlan 20
private-vlan association 501,502
exit

conf ter
interface f 0/1
switchport mode private-vlan promiscuous
switchport private-vlan mapping 20 501,502
spanning-tree portfast
no shutdown

conf ter
interface range f 0/2 f 0/3
switchport mode private-vlan host
switchport private-vlan host-association 20 501
spanning-tree portfast
no shutdown

conf ter
interface range f 0/4 f 0/5
switchport mode private-vlan host
switchport private-vlan host-association 20  502
spanning-tree portfast
no shutdown

网管交换机
conf ter
interface vlan 20
ip add 1.1.1.100 255.255.255.0
private-vlan mapping 501,502
no shutdown
exit
ip routing

低版本交换机
interface f0/0
switchport protected
interface f0/1
switchport protected

3. spoofing attacks
dhcp spoof attacks
R1是不合法的dhcp服务器
R2是合法的dhcp服务器
R3是dhcp客户端
配置
端口在同一个vlan
都为access端口
都启用spanning-tree portfast
R1分发1.1.1.0/24 不合法
ip dhcp pool DAVY
network 1.1.1.0 /24

R2分发2.2.2.0/24 合法
ip dhcp pool DAVY
network 2.2.2.0 /24

交换机上
ip dhcp snooping
ip dhcp snooping vlan 1 （基于vlan 交换机上端口全为untrust）
interface fastethernet 0/2
ip dhcp snooping trust

R2上还要做
ip dhcp relay information trust-all

R1限制discovery包的发生频率
ip dhcp snooping limit rate 1

交换机上对client端 (防止dos攻击 ip source guard)
interface fastethernet 0/3
ip verify source （vlan dhcp-snooping） port-security

arp spoofing  (DAI&dhcp snooping)
临时解决方法：静态arp绑定
正常网关路由器和pc之间做
arp 10.1.1.2 aaaa.bbbb.cccc arpa
show arp
arp -s 10.1.1.2 aaaa.bbbb.cccc arpa

dynamic arp inspection

client
interface fastethernet 0/1 （sw的0/1 untrust）
ip address dhcp
假使中毒虚拟个mac
interface fastethernet 0/1
mac-address aaaa.bbbb.cccc (被deny了)

dhcp server
ip arp inspection vlan 1
interface f 0/2 （合法）
ip arp inspection trust

int f 0/1
ip arp inspection limit rate 10

show ip arp

 

4. attacks on switch device
show cdp neighbors
show cdp neighbors detail
no cdp run
interface e 0/0
no cdp enable
实验
在R1上
conf ter
int e 0/0
ip address 192.168.1.100 255.255.255.0
no shutdown
exit

username DAVY password amanda
line vty 0 4
login local
exit

SSH（secure shell protocol）
show version (iso有k指安全版本)
conf ter
ip domain name davy.com
crypto key generate rsa usage-keysgeneral-keys）modulus 512

username DAVY password amanda
line vty 0 4
login local
transport input ssh
exit

客户端（win使用ssh软件 路由器可直接使用）
ssh -l DAVY 192.168.1.100