A. INTRODUCTION
A switch is a Layer 2 (Data Link Layer) device in the OSI network model. The data link layer
is one of the least secured and most often forgotten elements of networks. It is quite common
that administrators simply connect the switches, configure them to work and then never worry
about them. Penetration testing often reveals switches that run a vulnerable version of IOS
and are not hardened in any way.
It is also commonly thought that implementing VLANs in a network keeps malicious attackers
away. However, the VLAN architecture can just as well be defeated, and therefore all
higher-layer attacks, such as sniffing passwords and Man-in-the-Middle, are possible across
VLANs.
Switches act as arbiters that forward and control all the data flowing across the network.
The data link layer provides the functional and procedural means to transfer data between
network entities, with interoperability and interconnectivity to other layers, but from a
security perspective it presents its own challenges. Network security is only as strong as
the weakest link, and Layer 2 is no exception. Because Layer 2 of the OSI model has its own
weaknesses, devices at Layer 2 must be secured.
Security is generally defined as the freedom from danger or as the condition of safety.
Computer security, specifically, is the protection of data in a system against unauthorized
disclosure, modification, or destruction and protection of the computer system itself against
unauthorized use, modification, or denial of service. Because certain computer security controls
inhibit productivity, security is typically a compromise toward which security practitioners,
system users, and system operations and administrative personnel work to achieve a
satisfactory balance between security and productivity.
Controls for providing information security can be physical, technical, or administrative. These
three categories of controls can be further classified as either preventive or detective.
Preventive controls attempt to avoid the occurrence of unwanted events, whereas detective
controls attempt to identify unwanted events after they have occurred. Preventive controls
inhibit the free use of computing resources and therefore can be applied only to the degree that
the users are willing to accept. Effective security awareness programs can help increase users'
level of tolerance for preventive controls by helping them understand how such controls enable
them to trust their computing systems. Common detective controls include audit trails,
intrusion detection methods, and checksums.
B. TYPES OF CONTROLS
There are three types of control: Administrative, Physical, and Technical. The actions of these
controls are preventive and detective. Preventive controls are designed to keep errors or
irregularities from occurring in the first place. They are built into internal control systems and
require a major effort in the initial design and implementation stages. However, preventive
controls do not require significant ongoing investments. Detective controls, on the other hand,
are designed to detect errors and irregularities which have already occurred and to assure their
prompt correction. These controls represent a continuous operating expense and are often
costly, but necessary. Detective controls supply the means with which to correct data errors,
modify controls or recover missing assets.
Document Type: Analysis, Testing, Compare
Project : 2nd project
Type of Control / Types of Actions

Administrative Control
  Preventive:
  - Routine security awareness training programs
  - Clearly defined security policies
  - A change management system, which notifies appropriate parties of system changes
  - Logging configuration changes
  - Properly screening potential employees (for example, performing criminal background checks)
  - Disaster preparedness and recovery plan
  - Separation of duties
  - Procedures for recruiting and terminating employees
  - Security policies and procedures
  - Supervision
  - Disaster recovery, contingency, and emergency plans
  - User registration for computer access
  - Standby monitoring on non-workdays

Physical Control
  Preventive:
  - Security system to monitor for intruders
  - Physical security barrier (for example, locked door)
  - Climate protection systems, to maintain proper temperature and humidity, in addition to
    alerting personnel in the event of fire
  - Security personnel to guard the data
  - Backup files and documentation
  - Fences
  - Security guards
  - Badge systems
  - Double door system
  - Locks and keys
  - Backup power
  - Biometric access controls
  - Site selection
  - Fire extinguishers
  Detective:
  - Motion detectors
  - Fire and smoke detectors
  - Closed-circuit television monitor
  - Sensors and alarms

Technical Control
  Preventive:
  - Security appliances (for example, firewalls, IPSs, and VPN)
  - Authorization applications (for example, RADIUS or TACACS+ server, one-time password (OTP),
    and biometric security scanner)
  - Detailed configuration
  - Encryption
  - Access control software
  - Antivirus software
  - Library control system
  - Passwords
  - Smart cards
  - Dial-up access control and callback systems
  Detective:
  - Audit trails
  - Intrusion detection system
C. CONTROLLING ASPECTS
1. Administrative Control
Administrative controls are primarily policy-centric.
1.1. Preventive control
b. Separation of duties
This administrative control separates a process into component parts, with different
users responsible for different parts of the process. Judicious separation of duties
prevents one individual from obtaining control of an entire process and forces collusion
with others in order to manipulate the process for personal gain.
c. Procedures for recruiting and terminating employees
Appropriate recruitment procedures can prevent the hiring of people who are likely to
violate security policies. A thorough background investigation should be conducted,
including checking on the applicant's criminal history and references. Although this
does not necessarily screen individuals for honesty and integrity, it can help identify
areas that should be investigated further.
Three types of references should be obtained: (1) employment, (2) character, and (3)
credit. Employment references can help estimate an individual's competence to
perform, or be trained to perform, the tasks required on the job. Character references
can help determine such qualities as trustworthiness, reliability, and ability to get along
with others. Credit references can indicate a person's financial habits, which in turn can
be an indication of maturity and willingness to assume responsibility for one's own
actions.
In addition, certain procedures should be followed when any employee leaves the
company, regardless of the conditions of termination. Any employee being involuntarily
terminated should be asked to leave the premises immediately upon notification, to
prevent further access to computing resources. Voluntary terminations may be handled
differently, depending on the judgment of the employee's supervisors, to enable the
employee to complete work in process or train a replacement.
All authorizations that have been granted to an employee should be revoked upon
departure. If the departing employee has the authority to grant authorizations to
others, these other authorizations should also be reviewed. All keys, badges, and other
devices used to gain access to premises, information, or equipment should be retrieved
from the departing employee. The combinations of all locks known to a departing
employee should be changed immediately. In addition, the employee's log-on IDs and
passwords should be canceled, and the related active and backup files should be either
deleted or reassigned to a replacement employee.
Any special conditions to the termination (e.g., denial of the right to use certain
information) should be reviewed with the departing employee; in addition, a document
stating these conditions should be signed by the employee. All terminations should be
routed through the computer security representative for the facility where the
terminated employee works to ensure that all information system access authority has
been revoked.
d. Security policies and procedures
Appropriate policies and procedures are key to the establishment of an effective
information security program. Policies and procedures should reflect the general
policies of the organization as regards the protection of information and computing
resources. Policies should cover the use of computing resources, marking of sensitive
information, movement of computing resources outside the facility, introduction of
personal computing equipment and media into the facility, disposal of sensitive waste,
and computer and data security incident reporting. Enforcement of these policies is
essential to their effectiveness. Outside people who need access to the Data Center
(which holds crucial data) must follow the security policies and perform the procedures.
The important question is what kinds of policy and procedure should be created:
- Security policies: make sure the policies cover the specific identity of the guest, the
  applicable legal risks, and what the guest carries in.
- Procedures: the standard rules for guest access are no photographs, stickers placed over
  all mobile phone and camera lenses, and a check for hazardous tools. The operator has a
  big role in a procedure: they have to supervise or monitor what the guest does, in order
  to prevent human error.
e. Supervision
Often, an alert supervisor is the first person to notice a change in an employee's
attitude. Early signs of job dissatisfaction or personal distress should prompt
supervisors to consider subtly moving the employee out of a critical or sensitive
position.
Supervisors must be thoroughly familiar with the policies and procedures related to the
responsibilities of their department. Supervisors should require that their staff members
comply with pertinent policies and procedures and should observe the effectiveness of
these guidelines. If the objectives of the policies and procedures can be accomplished
more effectively, the supervisor should recommend appropriate improvements. Job
assignments should be reviewed regularly to ensure that an appropriate separation of
duties is maintained, that employees in sensitive positions are occasionally removed
from a complete processing cycle without prior announcement, and that critical or
sensitive jobs are rotated periodically among qualified personnel.
f. Disaster recovery, contingency, and emergency plans
The disaster recovery plan is a document containing procedures for emergency
response, extended backup operations, and recovery should a computer installation
experience a partial or total loss of computing resources or physical facilities (or of
access to such facilities). The primary objective of this plan, used in conjunction with
the contingency plans, is to provide reasonable assurance that a computing installation
can recover from disasters, continue to process critical applications in a degraded
mode, and return to a normal mode of operation within a reasonable time. A key part of
disaster recovery planning is to provide for processing at an alternative site during the
time that the original facility is unavailable.
Contingency and emergency plans establish recovery procedures that address specific
threats. These plans help prevent minor incidents from escalating into disasters. For
example, a contingency plan might provide a set of procedures that defines the
condition and response required to return a computing capability to nominal operation;
an emergency plan might be a specific procedure for shutting down equipment in the
event of a fire or for evacuating a facility in the event of an earthquake.
g. Standby monitoring outside workdays
On weekends or holidays there is no usual activity in the working area. That is why a
standby monitoring employee (called an Operator) is needed. They can monitor and report
vulnerabilities and trouble in network or system devices.
h. User registration for computer access
Formal user registration ensures that all users are properly authorized for system and
service access. In addition, it provides the opportunity to acquaint users with their
responsibilities for the security of computing resources and to obtain their agreement
to comply with related policies and procedures.
1.2. Detective control
projects should conduct these investigations while obtaining the required security
clearance for the employee.
e. Rotation of duties
Like required vacations, rotation of duties (i.e., moving employees from one job to
another at random intervals) helps deter fraud. An additional benefit is that as a result
of rotating duties, employees are cross-trained to perform each other's functions in
case of illness, vacation, or termination.
2. Physical Control
2.1. Preventive controls
a. Backup files and documentation
Should an accident or intruder destroy active data files or documentation, it is essential
that backup copies be readily available. Backup files should be stored far enough away
from the active data or documentation to avoid destruction by the same incident that
destroyed the original. Backup material should be stored in a secure location
constructed of noncombustible materials, including two-hour-rated fire walls. Backups
of sensitive information should have the same level of protection as the active files of
this information; it is senseless to provide tight security for data on the system but lax
security for the same data in a backup location.
b. Fences
Although fences around the perimeter of the building do not provide much protection
against a determined intruder, they do establish a formal no trespassing line and can
dissuade the simply curious person. Fences should have alarms or should be under
continuous surveillance by guards, dogs, or TV monitors.
c. Security Guards
Security guards are often stationed at the entrances of facilities to intercept intruders
and ensure that only authorized persons are allowed to enter. Guards are effective in
inspecting packages or other hand-carried items to ensure that only authorized,
properly described articles are taken into or out of the facility. The effectiveness of
stationary guards can be greatly enhanced if the building is wired with appropriate
electronic detectors with alarms or other warning indicators terminating at the guard
station. In addition, guards are often used to patrol unattended spaces inside buildings
after normal working hours to deter intruders from obtaining or profiting from
unauthorized access.
d. Badge systems
Physical access to computing areas can be effectively controlled using a badge system.
With this method of control, employees and visitors must wear appropriate badges
whenever they are in access-controlled areas. Badge-reading systems programmed to
allow entrance only to authorized persons can then easily identify intruders.
e. Double door system
Double door systems can be used at entrances to restricted areas (e.g., computing
facilities) to force people to identify themselves to the guard before they can be
released into the secured area. Double doors are an excellent way to prevent intruders
from following closely behind authorized persons and slipping into restricted areas.
f. Locks and keys
Locks and keys are commonly used for controlling access to restricted areas. Because it
is difficult to control copying of keys, many installations use cipher locks (i.e.,
combination locks containing buttons that open the lock when pushed in the proper
sequence). With cipher locks, care must be taken to conceal which buttons are being
pushed to avoid a compromise of the combination.
g. Backup power
Backup power is necessary to ensure that computer services are in a constant state of
readiness and to help avoid damage to equipment if normal power is lost. For short
periods of power loss, backup power is usually provided by batteries. In areas
susceptible to outages of more than 15 to 30 min., diesel generators are usually
recommended. The backup power infrastructure includes the High Voltage (HV) substation,
standby generators, and Uninterruptible Power Supply (UPS) systems.
h. Biometric access controls
Biometric identification is a more sophisticated method of controlling access to
computing facilities than badge readers, but the two methods operate in much the
same way. Biometrics used for identification include fingerprints, handprints, voice
patterns, signature samples, and retinal scans. Because biometrics cannot be lost,
stolen, or shared, they provide a higher level of security than badges. Biometric
identification is recommended for high-security, low-traffic entrance control.
i. Site selection
The site for the building that houses the computing facilities should be carefully chosen
to avoid obvious risks. For example, wooded areas can pose a fire hazard, areas on or
adjacent to an earthquake fault can be dangerous and sites located in a flood plain are
susceptible to water damage. In addition, locations under an aircraft approach or
departure route are risky, and locations adjacent to railroad tracks can be susceptible
to vibrations that can precipitate equipment problems.
j. Fire extinguishers
The control of fire is important to prevent an emergency from turning into a disaster
that seriously interrupts data processing. Computing facilities should be located far
from potential fire sources (e.g., kitchens or cafeterias) and should be constructed of
noncombustible materials. Furnishings should also be noncombustible. It is important
that appropriate types of fire extinguishers be conveniently located for easy access.
Employees must be trained in the proper use of fire extinguishers and in the procedures
to follow should a fire break out.
Automatic sprinklers are essential in computer rooms and surrounding spaces and
when expensive equipment is located on raised floors. Sprinklers are usually specified
by insurance companies for the protection of any computer room that contains
combustible materials. However, the risk of water damage to computing equipment is
often greater than the risk of fire damage. Therefore, carbon dioxide extinguishing
systems were developed; these systems flood an area threatened by fire with carbon
dioxide, which suppresses fire by removing oxygen from the air. Although carbon
dioxide does not cause water damage, it is potentially lethal to people in the area and
is now used only in unattended areas.
Current extinguishing systems flood the area with Halon, which is usually harmless to
equipment and less dangerous to personnel than carbon dioxide. At a concentration of
about 10%, Halon extinguishes fire and can be safely breathed by humans. However,
higher concentrations can eventually be a health hazard. In addition, the blast from
releasing Halon under pressure can blow loose objects around and can be a danger to
equipment and personnel. For these reasons and because of the high cost of Halon, it is
typically used only under raised floors in computer rooms. Because it contains
chlorofluorocarbons, it will soon be phased out in favor of a gas that is less hazardous
to the environment.
2.2. Detective Control
a. Motion Detectors
In computing facilities that usually do not have people in them, motion detectors are
useful for calling attention to potential intrusions. Motion detectors must be constantly
monitored by guards.
b. Fire and Smoke Detectors
Fire and smoke detectors should be strategically located to provide early warning of a
fire. All fire detection equipment should be tested periodically to ensure that it is in
working condition.
c. Closed-Circuit Television Monitor
Closed-circuit televisions can be used to monitor the activities in computing areas
where users or operators are frequently absent. This method helps detect individuals
behaving suspiciously.
d. Sensors and Alarms
Sensors and alarms monitor the environment surrounding the equipment to ensure that
air and cooling water temperatures remain within the levels specified by equipment
design. If proper conditions are not maintained, the alarms summon operations and
maintenance personnel to correct the situation before a business interruption occurs.
3. Technical Control
3.1. Preventive Controls
a. Access control software
The purpose of access control software is to control sharing of data and programs
between users. In many computer systems, access to data and programs is
implemented by access control lists that designate which users are allowed access.
Access control software provides the ability to control access to the system by
establishing that only registered users with an authorized log-on ID and password can
gain access to the computer system.
After access to the system has been granted, the next step is to control access to the
data in the system. The data or program owner can establish rules that designate who
is authorized to use the data or program.
b. Antivirus software
Viruses have reached epidemic proportions throughout the micro computing world and
can cause processing disruptions and loss of data as well as significant loss of
productivity while cleanup is conducted. In addition, new viruses are emerging at an
ever-increasing rate, currently about one every 48 hours. It is recommended that
antivirus software be installed on all microcomputers to detect, identify, isolate, and
eradicate viruses. This software must be updated frequently to help fight new viruses.
In addition, to help ensure that viruses are intercepted as early as possible, antivirus
software should be kept active on a system, not used intermittently at the discretion of
users.
c. Library control system
These systems require that all changes to production programs be implemented by
library control personnel instead of the programmers who created the changes. This
practice ensures separation of duties, which helps prevent unauthorized changes to
production programs.
d. Passwords
Passwords are used to verify that the user of an ID is the owner of the ID. The ID-password
combination is unique to each user and therefore provides a means of
holding users accountable for their activity on the system.
Fixed passwords that are used for a defined period of time are often easy for hackers to
compromise; therefore, great care must be exercised to ensure that these passwords
do not appear in any dictionary. Fixed passwords are often used to control access to
specific data bases. In this use, however, all persons who have authorized access to the
data base use the same password; therefore, no accountability can be achieved.
Currently, dynamic or one-time passwords, which are different for each log-on, are
preferred over fixed passwords. Dynamic passwords are created by a token that is
programmed to generate passwords randomly.
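As an added illustration (not part of the original report), the following Python code shows how a token-generated one-time password is verified on the server side. It assumes the token implements HOTP (RFC 4226), which is one standard way to realize the "dynamic password" described above; the secret, the user name and the accept window are constructed for the example. The server advances the counter after each accepted code, so a code that was captured in transit cannot be replayed, which is exactly the accountability a fixed password shared by many users lacks.

```python
import hmac
import hashlib
import struct

# Constructed demo secret (it is the RFC 4226 test-vector key); a real token holds a
# per-user random secret that is provisioned when the user is registered.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation to a 31-bit number, reduced to the wanted number of digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Server side: remembers each user's next expected counter so that every
    code is accepted at most once."""

    def __init__(self, window: int = 3):
        self.users = {}       # user id -> (secret, next counter expected)
        self.window = window  # tolerate a few token presses that never reached us

    def register(self, user: str, secret: bytes) -> None:
        self.users[user] = (secret, 0)

    def verify(self, user: str, code: str) -> bool:
        if user not in self.users:
            return False
        secret, counter = self.users[user]
        for c in range(counter, counter + self.window):
            if hmac.compare_digest(hotp(secret, c), code):
                self.users[user] = (secret, c + 1)  # move past the used counter
                return True
        return False


def demo() -> dict:
    """Accept a token code once, reject the same code as a replay, accept the next."""
    server = OtpVerifier()
    server.register("alice", DEMO_SECRET)
    first = hotp(DEMO_SECRET, 0)   # what the token displays on its first press
    return {
        "first_use": server.verify("alice", first),
        "replay": server.verify("alice", first),
        "next_press": server.verify("alice", hotp(DEMO_SECRET, 1)),
    }
```

The accept window only moves forward: once a counter value has been used, neither it nor any lower value is ever accepted again for that user.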
e. Smart cards
Smart cards are usually about the size of a credit card and contain a chip with logic
functions and information that can be read at a remote terminal to identify a specific
user's privileges. Smart cards now carry prerecorded, usually encrypted access control
information that is compared with data that the user provides (e.g., a personal ID
number or biometric data) to verify authorization to access the computer or network.
f. Encryption
Encryption is defined as the transformation of plaintext (i.e., readable data) into cipher
text (i.e., unreadable data) by cryptographic techniques. Encryption is currently
considered to be the only sure way of protecting data from disclosure during network
transmissions.
Encryption can be implemented with either hardware or software. Software-based
encryption is the least expensive method and is suitable for applications involving low-volume
transmissions; the use of software for large volumes of data results in an
unacceptable increase in processing costs. Because there is no overhead associated
with hardware encryption, this method is preferred when large volumes of data are
involved.
g. Dial-up access control and callback systems
Dial-up access to a computer system increases the risk of intrusion by hackers. In
networks that contain personal computers or are connected to other networks, it is
difficult to determine whether dial-up access is available or not because of the ease
with which a modem can be added to a personal computer to turn it into a dial-up
access point. Known dial-up access points should be controlled so that only authorized
dial-up users can get through.
Currently, the best dial-up access controls use a microcomputer to intercept calls, verify
the identity of the caller (using a dynamic password mechanism), and switch the user
to authorized computing resources as requested. Previously, call-back systems
intercepted dial-up callers, verified their authorization and called them back at their
registered number, which at first proved effective; however, sophisticated hackers have
learned how to defeat this control using call-forwarding techniques.
3.2. Detective Controls
a. Audit Trails
An audit trail is a record of system activities that enables the reconstruction and
examination of the sequence of events of a transaction, from its inception to output of
final results. Violation reports present significant, security-oriented events that may
indicate either actual or attempted policy transgressions reflected in the audit trail.
Violation reports should be frequently and regularly reviewed by security officers and
data base owners to identify and investigate successful or unsuccessful unauthorized
accesses.
b. Intrusion Detection Systems
These expert systems track users (on the basis of their personal profiles) while they are
using the system to determine whether their current activities are consistent with an
established norm. If not, the user's session can be terminated or a security officer can
be called to investigate. Intrusion detection can be especially effective in cases in
which intruders are pretending to be authorized users or when authorized users are
involved in unauthorized activities.
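To make the audit-trail review and the profile-based intrusion detection above concrete, here is an added Python example that is not part of the report. The audit lines, the per-user profiles and the thresholds are all constructed for the illustration; a real violation report would be built from the system's own log format.

```python
import re
from collections import Counter

# Constructed audit-trail lines (not real logs): timestamp, user, source host, event, outcome.
AUDIT_TRAIL = """\
2024-03-04T09:02:11 user=alice host=10.1.1.20 event=LOGIN result=OK
2024-03-04T09:05:43 user=alice host=10.1.1.20 event=READ obj=payroll.db result=OK
2024-03-04T09:10:02 user=bob host=10.1.1.31 event=LOGIN result=OK
2024-03-04T13:41:55 user=carol host=10.1.1.44 event=LOGIN result=FAIL
2024-03-04T13:42:10 user=carol host=10.1.1.44 event=LOGIN result=FAIL
2024-03-04T13:42:31 user=carol host=10.1.1.44 event=LOGIN result=FAIL
2024-03-04T13:42:50 user=carol host=10.1.1.44 event=LOGIN result=FAIL
2024-03-04T17:20:09 user=bob host=10.1.1.31 event=WRITE obj=payroll.db result=DENIED
2024-03-05T02:17:40 user=alice host=203.0.113.7 event=LOGIN result=OK
2024-03-05T02:19:03 user=alice host=203.0.113.7 event=READ obj=payroll.db result=OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")


def parse_audit_trail(text):
    """Turn each audit line into a dict; the hour of day is kept as an int."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = dict(kv.split("=", 1) for kv in m.group("kv").split())
        rec["ts"] = m.group("ts")
        rec["hour"] = int(m.group("ts")[11:13])
        records.append(rec)
    return records


def violation_report(records, fail_threshold=3):
    """Security-oriented events a reviewer should look at: repeated failed log-ons
    per user and host, and every denied access to an object."""
    fails = Counter((r["user"], r["host"]) for r in records
                    if r["event"] == "LOGIN" and r["result"] == "FAIL")
    report = [f"repeated failed log-on: user={u} host={h} count={n}"
              for (u, h), n in sorted(fails.items()) if n >= fail_threshold]
    report += [f"denied access: user={r['user']} obj={r['obj']}"
               for r in records if r["result"] == "DENIED"]
    return report


# Constructed per-user profiles describing the established norm for each account.
PROFILES = {
    "alice": {"hosts": {"10.1.1.20"}, "hours": range(8, 19)},
    "bob":   {"hosts": {"10.1.1.31"}, "hours": range(8, 19)},
    "carol": {"hosts": {"10.1.1.44"}, "hours": range(8, 19)},
}


def profile_anomalies(records, profiles):
    """Profile-based intrusion detection: flag activity from an unusual host or at an
    unusual hour, which may be someone else using a legitimate account."""
    alerts = []
    for r in records:
        p = profiles.get(r["user"])
        if p is None:
            continue
        reasons = []
        if r["host"] not in p["hosts"]:
            reasons.append(f"unknown host {r['host']}")
        if r["hour"] not in p["hours"]:
            reasons.append(f"off-hours ({r['hour']:02d}:00)")
        if reasons:
            alerts.append((r["ts"], r["user"], r["event"], "; ".join(reasons)))
    return alerts
```

Run over the sample trail, the violation report lists carol's four failed log-ons and bob's denied write, while the profile check flags only alice's two night-time actions from an address outside her profile, the case in which the audit trail alone shows nothing but successful, authorized-looking access.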
broadcast storm. In STP, one switch is elected root bridge; the switch with the lowest
priority (or lowest cost) wins that election. On every other switch, the port closest to the
root bridge becomes the root port.
The attack technique against this protocol is the Spanning Tree Protocol manipulation attack:
the attacker sends BPDUs in order to become the root bridge (or switch) of the network and can
therefore influence the flow of data. It requires that the attacker is dual-homed to two
different bridges (or switches), or that one of the two connections is a WLAN access point
which is not connected to the same bridge (or switch). The attacker can then eavesdrop on all
messages of the victims and, being in a MITM position, inject new ones.
Notice PC2 and PC3. If an attacker gained access to the switch ports of these two PCs, he
could introduce a rogue switch that advertised superior BPDUs, causing the rogue switch
to be elected as the new root bridge. The new data path between PC1 and Server1, as
shown in Figure 6-4, now passes through the attacker's rogue switch. The attacker can
configure one of the switch ports as a Switch Port Analyzer (SPAN) port. A SPAN port can
receive a copy of traffic crossing another port or VLAN. In this example, the attacker could
use the SPAN port to receive a copy of traffic crossing the switch destined for the
attacker's PC.
infrastructures are double tagged, with the outer tag containing the customer's access
VLAN ID and the inner VLAN ID being the VLAN of the incoming traffic. When the
double-tagged packet enters another trunk port in a service-provider core switch, the
outer tag is stripped as the packet is processed inside the switch. The attacker sends a
double-tagged frame: the first tag belongs to the attacker's own VLAN and the second one
belongs to the target VLAN. The switch performs only one level of decapsulation (it strips
off the first tag), and the attacker can send unidirectional traffic to the victim. This
method works only if the trunk (its native VLAN) has the same VLAN as the attacker and the
trunk operates with 802.1Q.
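Added example (not part of the original text): a small Python model of the one-level decapsulation described above. The frame layout follows 802.1Q (tag EtherType 0x8100, 12-bit VLAN ID in the tag control field); the MAC addresses, the VLAN numbers and the two-switch behaviour are constructed for the illustration. The last function is the configuration check a defender cares about: a frame carrying [access VLAN, target VLAN] only ends up in the target VLAN when the sender's access VLAN equals the trunk's native VLAN, which is why moving the native VLAN to an otherwise unused ID closes this path.

```python
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Constructed MAC addresses for the illustration
ATTACKER_MAC = bytes.fromhex("020000000001")
VICTIM_MAC = bytes.fromhex("020000000002")


def build_frame(dst, src, vlan_ids, payload):
    """Ethernet frame with zero or more stacked 802.1Q tags (outermost first)."""
    frame = dst + src
    for vid in vlan_ids:
        frame += struct.pack(">HH", ETHERTYPE_8021Q, vid & 0x0FFF)  # PCP/DEI bits left 0
    return frame + struct.pack(">H", ETHERTYPE_IPV4) + payload


def parse_frame(frame):
    """Return (dst, src, [vlan ids outer..inner], ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    pos, vlan_ids = 12, []
    while struct.unpack(">H", frame[pos:pos + 2])[0] == ETHERTYPE_8021Q:
        tci = struct.unpack(">H", frame[pos + 2:pos + 4])[0]
        vlan_ids.append(tci & 0x0FFF)
        pos += 4
    ethertype = struct.unpack(">H", frame[pos:pos + 2])[0]
    return dst, src, vlan_ids, ethertype, frame[pos + 2:]


def first_switch_trunk_egress(frame, native_vlan):
    """One level of decapsulation on the first switch. Frames in the native VLAN
    leave an 802.1Q trunk untagged, so only the outer tag is removed and any tag
    underneath survives; frames in other VLANs keep their outer tag on the trunk."""
    dst, src, vlan_ids, _, payload = parse_frame(frame)
    if vlan_ids and vlan_ids[0] == native_vlan:
        return build_frame(dst, src, vlan_ids[1:], payload)
    return frame


def second_switch_vlan(frame, native_vlan):
    """The VLAN the next switch assigns: the tag it finds, else the native VLAN."""
    _, _, vlan_ids, _, _ = parse_frame(frame)
    return vlan_ids[0] if vlan_ids else native_vlan


def delivered_vlan(access_vlan, target_vlan, native_vlan):
    """Configuration check: where does a frame tagged [access_vlan, target_vlan]
    end up after crossing the trunk? It reaches target_vlan only when the
    sender's access VLAN is also the trunk's native VLAN."""
    payload = b"\x45" + b"\x00" * 19   # placeholder IPv4 header bytes
    frame = build_frame(VICTIM_MAC, ATTACKER_MAC, [access_vlan, target_vlan], payload)
    return second_switch_vlan(first_switch_trunk_egress(frame, native_vlan), native_vlan)
```

With the native VLAN left at its default of 1 and an access port in VLAN 1, `delivered_vlan(1, 20, 1)` returns 20; with the native VLAN moved to 999 the same frame stays in VLAN 1.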
3. Other Attacks
3.1. Cisco Discovery Protocol (CDP) attack
The Cisco Discovery Protocol (CDP) is a proprietary protocol that all Cisco devices can
be configured to use. CDP discovers other Cisco devices that are directly connected,
which allows the devices to auto-configure their connection in some cases. CDP
messages are not encrypted. Most Cisco routers and switches have CDP enabled in the
default configuration. It can be used to learn sensitive information about the CDP sender
(IP address, Cisco IOS software version, router model, capabilities).
Besides the information-gathering benefit CDP offers an attacker, there was a
vulnerability in CDP that allowed Cisco devices to run out of memory and potentially
crash if they were sent large numbers of bogus CDP packets. CDP is unauthenticated: an
attacker could craft bogus CDP packets and have them received by the attacker's directly
connected Cisco device. If the attacker can get access to the router via Telnet, he can
use the CDP information to discover the entire topology of your network at Layers 2 and
3, and he could launch a very effective attack against your network.
3.2. MAC address flooding
MAC address flooding is an attack technique used to exploit the memory and hardware
limitations in a switch's CAM table. Different switches are able to store numerous
amounts of entries in the CAM table, however, once the resources are exhausted, the
traffic is flooded out on the VLAN, as the CAM table can no longer store MAC addresses
and thus is no longer able to locate the destination MAC address of a packet.
Due to hardware restrictions, all CAM tables have a limited size. If there are enough
entries stored in a CAM table before the expiration of other entries, no new entries can
be accepted into the CAM table. An attacker is able to exploit this limitation by flooding
the switch with an influx of (mostly invalid) MAC addresses, until the CAM tables
resources are depleted. When the aforementioned transpires, the switch has no choice
but to flood all ports within the VLAN with all incoming traffic. This is due to the fact
that it cannot find the switch port number for a corresponding MAC address within the
CAM table. By definition, the switch then acts like, and becomes, a hub.
In order for the switch to continue acting like a hub, the intruder needs to maintain the
flood of MAC addresses. If the flooding stops, the timeouts that are set on the switch
will eventually start clearing out the CAM table entries, thus enabling the switch return
to normal operation. Traffic is only flooded within the local VLAN when a CAM table
overflow occurs, albeit the attacker will only be able to sniff traffic belonging to the
local VLAN on which the attack occurs.
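The following Python simulation, added here and not part of the original report, models a switch with a small CAM table so the behaviour described above can be observed: once the table is full the switch floods unknown unicast out of every port like a hub, and once the bogus entries age out it returns to normal forwarding. The port numbers, MAC addresses, table size and aging time are constructed; the per-port limit on distinct source MACs is an assumed mitigation of the kind port security performs, not something the report describes.

```python
from collections import OrderedDict


class CamTable:
    """Toy CAM table: MAC -> (port, time learned). Fixed capacity; entries age out
    after `aging` seconds, which is what lets a switch recover once a flood stops."""

    def __init__(self, capacity, aging=300):
        self.capacity, self.aging = capacity, aging
        self.entries = OrderedDict()

    def expire(self, now):
        stale = [m for m, (_, t) in self.entries.items() if now - t >= self.aging]
        for mac in stale:
            del self.entries[mac]

    def learn(self, mac, port, now):
        self.expire(now)
        if mac in self.entries or len(self.entries) < self.capacity:
            self.entries[mac] = (port, now)   # add, or refresh the timestamp
            return True
        return False                          # table full: nothing learned

    def lookup(self, mac, now):
        self.expire(now)
        entry = self.entries.get(mac)
        return entry[0] if entry else None


class Switch:
    def __init__(self, ports, capacity, mac_limit_per_port=None):
        self.ports = ports
        self.cam = CamTable(capacity)
        self.mac_limit = mac_limit_per_port      # assumed mitigation (see lead-in)
        self.macs_seen = {p: set() for p in ports}
        self.alerts = []

    def forward(self, src, dst, in_port, now):
        """Return the list of ports the frame is sent out of."""
        self.macs_seen[in_port].add(src)
        if self.mac_limit and len(self.macs_seen[in_port]) > self.mac_limit:
            self.alerts.append((now, in_port, len(self.macs_seen[in_port])))
            return []                            # violation: drop, do not learn
        self.cam.learn(src, in_port, now)
        out = self.cam.lookup(dst, now)
        if out is None:                          # unknown destination: flood
            return [p for p in self.ports if p != in_port]
        return [out]


def scenario(mac_limit=None):
    """Where the server's frames to the client go before, during and after a MAC
    flood from port 3. Returns the output-port list for each stage."""
    sw = Switch(ports=[1, 2, 3], capacity=8, mac_limit_per_port=mac_limit)
    server, client = "00:00:00:00:00:01", "00:00:00:00:00:02"
    sw.forward(client, server, 2, now=0)             # client learned on port 2
    stages = {"before": sw.forward(server, client, 1, now=1)}
    # attacker on port 3 keeps refreshing 8 bogus source MACs every 5 s; the idle
    # client's entry ages out and its slot is taken by a bogus entry
    for now in range(2, 700, 5):
        for i in range(8):
            sw.forward(f"02:00:00:00:00:{i:02x}", server, 3, now)
    sw.forward(client, server, 2, now=700)           # client talks again: no room
    stages["during"] = sw.forward(server, client, 1, now=701)
    # flood stops; bogus entries age out and normal learning resumes
    sw.forward(client, server, 2, now=1100)
    stages["after"] = sw.forward(server, client, 1, now=1101)
    stages["alerts"] = len(sw.alerts)
    return stages
```

Without the limit, the "during" stage shows the server's frame leaving ports 2 and 3, so the attacker on port 3 receives a copy; with a limit of two source MACs per port, port 3's frames are dropped after the third address, the table never fills, and the same frame is delivered to port 2 only.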
3.3. Rogue DHCP server
In short, the client PC sends a DHCP request on the network. This request is a broadcast,
and all hosts on the LAN will receive it. Only a DHCP server knows what this request means,
and in the normal situation only the REAL DHCP server will reply to that request.
The DHCP server then replies to the client with messages that configure the CLIENT PC with
an IP address, subnet mask and default gateway.
When there is an attacker PC in the network, the attacker simulates a DHCP server on his
host PC. With this he is able to reply to the DHCP request before the REAL DHCP server,
because he is closer to the CLIENT host. He configures the client host with an IP address
of that subnet, but he also gives the host a false default gateway address and maybe even a
false DNS server address. Both the DNS server address and the default gateway address will
be the IP address of the attacker's computer. In this manner he points all the communication
of the client host to himself. He then forwards the frames from the client host to their
real destinations, so that the client's communication keeps working. The client will not
know that its communication always goes across the attacker's PC and that the attacker can
easily sniff the frames.
Document Type: Analysis, Testing, Compare
Project : 2nd project
3.4.
The DHCP server is used to configure network devices so that they can communicate on a
computer network. The clients and the server operate in a client-server model: a DHCP
client sends a query requesting the necessary information (IP address, default gateway and
so on) to a DHCP server, and on receiving a valid request the server assigns the computer an
IP address and the other IP configuration parameters.
This is a special kind of attack in which the attacker sends a large number of requests to
the DHCP server, each with a false MAC address. If enough requests are flooded onto the
network, the attacker can exhaust all of the available DHCP addresses, and clients of the
victim network are starved of DHCP leases. The attacker can then set up a rogue DHCP server
on the network and answer the victims with modified IP configurations (Figure 9). These
parameters give the attacker the possibility of a man-in-the-middle position.
Root Guard
The Root Guard feature can be enabled on all switch ports on which the root bridge should
never appear. If a port configured for Root Guard receives a superior BPDU, instead of
accepting the BPDU the port goes into a root-inconsistent state. This also prevents the
port from becoming a root port. While a port is in the root-inconsistent state, no user data
is sent across it. Once the superior BPDUs stop, the port returns to the forwarding state.
BPDU Guard
Protecting STP with the BPDU (Bridge Protocol Data Unit) guard feature: BPDU guard is
enabled on ports configured with the Cisco PortFast feature. PortFast is enabled on ports
that connect to end-user devices, such as PCs; it reduces the time a port takes to reach
the forwarding state after being connected. The logic of PortFast is that a port connecting
to an end-user device has no potential to create a topology loop, so the port can become
active sooner by skipping STP's listening and learning states, which by default take
15 seconds each. Because PortFast ports are connected to end-user devices, they should
never receive a BPDU. Therefore, if a port enabled for BPDU guard receives a BPDU, the
port is disabled.
Cisco(config)# interface FastEthernet 0/3
Cisco(config-if)# spanning-tree portfast
Cisco(config-if)# spanning-tree bpduguard enable
2.2.
Trunking Protocol
Switch Spoofing
Enabling VLAN (the port is placed in access mode so that it cannot negotiate a trunk):
Cisco(config)# interface FastEthernet 0/3
Cisco(config-if)# switchport mode access
Cisco(config-if)# switchport access vlan 8
Double Tagging
Disabling trunking (the native VLAN of the trunk is changed):
Cisco(config)# interface FastEthernet 0/3
Cisco(config-if)# switchport trunk native vlan 8
2.3.
Other Attack
2.3.1.
CDP attack
Cisco Discovery Protocol (CDP) is a Cisco proprietary Layer 2 protocol designed to
facilitate the administration and troubleshooting of network devices by providing
information on neighboring equipment. With CDP enabled, network administrators
can execute CDP commands that provide them with the platform, model, software
version, and even the IP addresses of adjacent equipment.
CDP is a useful protocol, but it could potentially reveal important information to an
attacker. CDP is enabled by default, and can be disabled globally or per interface. The
best practice is to disable CDP globally when the service is not used, or per interface
when CDP is still required. In cases where CDP is used for troubleshooting or security
operations, CDP should be left enabled globally and disabled only on those interfaces
on which the service may represent a risk, for example interfaces connecting to the
Internet. As a general practice, CDP
should not be enabled on interfaces that connect to external networks, such as the
Internet.
Disable CDP globally:
Cisco(config)# no cdp run
2.3.2.
To prevent CAM table flooding, the MAC addresses allowed on a port must be registered,
either statically or learned as sticky addresses that are kept permanently. The switch port
must also be protected so that frames from unregistered MAC addresses are not forwarded to
or received from other ports.
Cisco
Cisco
Cisco
Cisco
Cisco
Cisco
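To make the mechanism behind both passages concrete, here is a small switch model written for this edit (it is not code from the document or from Cisco): a bounded CAM table that ages entries out, a switch that floods frames whose destination it cannot look up, and the same switch with a per-port MAC limit that shuts the port down on a violation. The capacity of four entries, the 300-second ageing time, the port numbers and the MAC addresses are assumptions chosen so that the effect is visible in a handful of frames; the "shutdown" violation action is modelled as err-disabling the port.

```python
"""Toy switch: bounded CAM table with ageing, with and without port security.

Added example written for this edit, not code from the original document.
Capacity, ageing time, port numbers and MAC addresses are constructed values.
"""
BROADCAST = "ff:ff:ff:ff:ff:ff"


class CamTable:
    """Source MAC -> port mapping with a fixed capacity and per-entry ageing."""

    def __init__(self, capacity, ageing_secs):
        self.capacity = capacity
        self.ageing_secs = ageing_secs
        self.entries = {}                       # mac -> (port, last_seen)

    def age_out(self, now):
        """Remove entries not refreshed within the ageing time (the switch timeout)."""
        stale = [m for m, (_, seen) in self.entries.items() if now - seen >= self.ageing_secs]
        for mac in stale:
            del self.entries[mac]

    def learn(self, mac, port, now):
        """Learn or refresh a source MAC; a full table cannot accept a new one."""
        if mac in self.entries or len(self.entries) < self.capacity:
            self.entries[mac] = (port, now)
            return True
        return False

    def lookup(self, mac):
        entry = self.entries.get(mac)
        return entry[0] if entry else None


class Switch:
    def __init__(self, ports, capacity, ageing_secs, max_macs_per_port=None):
        self.ports = set(ports)
        self.cam = CamTable(capacity, ageing_secs)
        self.max_macs = max_macs_per_port       # None: port security disabled
        self.macs_on_port = {p: set() for p in self.ports}
        self.err_disabled = set()

    def receive(self, in_port, src, dst, now):
        """Learn the source MAC and return the set of ports the frame goes out of."""
        if in_port in self.err_disabled:
            return set()
        self.cam.age_out(now)
        if self.max_macs is not None:           # port security: limit MACs per port
            seen = self.macs_on_port[in_port]
            if src not in seen and len(seen) >= self.max_macs:
                self.err_disabled.add(in_port)  # violation action "shutdown"
                return set()
            seen.add(src)
        self.cam.learn(src, in_port, now)
        out = self.cam.lookup(dst)
        if out is None:                         # unknown destination: flood, like a hub
            return self.ports - {in_port}
        if out == in_port:                      # destination is behind the ingress port
            return set()
        return {out}


def demo():
    """Fill the CAM table from port 1, show flooding, recovery after ageing,
    and the same flood stopped by port security (max 1 MAC per port)."""
    sw = Switch(ports=[1, 2, 3], capacity=4, ageing_secs=300)
    for i in range(4):                          # constructed bogus source MACs
        sw.receive(1, f"02:00:00:00:00:{i:02x}", BROADCAST, now=0)
    # Host A (port 2) -> host B (port 3): neither can be learned, so the frame floods.
    flooded = sw.receive(2, "aa:aa:aa:00:00:02", "aa:aa:aa:00:00:03", now=1)
    # 300 s later the bogus entries have aged out and normal learning resumes.
    sw.receive(2, "aa:aa:aa:00:00:02", "aa:aa:aa:00:00:03", now=301)
    after_ageing = sw.receive(3, "aa:aa:aa:00:00:03", "aa:aa:aa:00:00:02", now=301)
    # With port security the second bogus MAC on port 1 err-disables that port.
    sec = Switch(ports=[1, 2, 3], capacity=4, ageing_secs=300, max_macs_per_port=1)
    sec.receive(1, "02:00:00:00:00:00", BROADCAST, now=0)
    sec.receive(1, "02:00:00:00:00:01", BROADCAST, now=0)
    return flooded, after_ageing, 1 in sec.err_disabled, len(sec.cam.entries)
```

`demo()` returns `({1, 3}, {2}, True, 1)`: the frame for host B is flooded out of every other port while the table is full, delivery is port-specific again once the entries have aged out, and with a one-MAC limit the flooding port is shut down after a single bogus entry has reached the CAM table.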
2.3.3.
The DHCP snooping feature on Cisco Catalyst switches can be used to combat a DHCP
server spoofing attack. With this solution, Cisco Catalyst switch ports are configured as
either trusted or untrusted. If a port is trusted, it is allowed to receive DHCP responses
(for example DHCPOFFER, DHCPACK and DHCPNAK). Conversely, if a port is untrusted, it is
not allowed to receive DHCP responses, and if a DHCP response attempts to enter an
untrusted port, the port is disabled.
Fortunately, not every switch port needs to be configured to support DHCP snooping: if a
port is not explicitly configured as a trusted port, it is implicitly considered untrusted.
To configure DHCP snooping, the feature must first be enabled globally and then for the
VLANs it should protect:
Cisco(config)# ip dhcp snooping
Cisco(config)# ip dhcp snooping vlan 1,10,13-15   (for specific VLANs)
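The following model, added for this edit and not taken from the document or from Cisco, walks through the two attacks of sections 3.3 and 3.4 against the trusted/untrusted port rule described here. It follows the text's description of the response (a DHCP server message arriving on an untrusted port disables that port). The port names, the limit of three client messages per second and every DHCP message are constructed for the demonstration; the source-MAC/chaddr comparison and the per-port rate limit stand in for the optional `ip dhcp snooping verify mac-address` and `ip dhcp snooping limit rate` settings, which is how a real switch blunts the starvation flood.

```python
"""Toy model of DHCP snooping: trusted and untrusted ports, rate limit, bindings.

Added example written for this edit, not code from the original document.
Port names, the rate limit and all messages are constructed values.
"""
from collections import defaultdict

# DHCP message type values (option 53)
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_MESSAGES = {OFFER, ACK, NAK}            # only a DHCP server should send these


class DhcpSnooping:
    def __init__(self, trusted_ports, limit_per_sec=None):
        self.trusted = set(trusted_ports)       # every other port is implicitly untrusted
        self.limit = limit_per_sec
        self.err_disabled = set()
        self.bindings = {}                      # client MAC -> (leased IP, client port)
        self._client_port = {}                  # chaddr -> port it last asked from
        self._per_second = defaultdict(int)     # (port, second) -> client messages seen
        self.log = []

    def inspect(self, port, msg, now):
        """Return True if the switch forwards the DHCP message, False if it drops it."""
        if port in self.err_disabled:
            return False
        if msg["type"] in SERVER_MESSAGES:
            if port not in self.trusted:        # rogue server: the text says disable the port
                self.err_disabled.add(port)
                self.log.append(f"{port}: DHCP server reply on untrusted port, port disabled")
                return False
            if msg["type"] == ACK:              # record the lease the real server handed out
                self.bindings[msg["chaddr"]] = (msg["yiaddr"], self._client_port.get(msg["chaddr"]))
            return True
        if port not in self.trusted:            # client message on an untrusted port
            if msg["src_mac"] != msg["chaddr"]:  # forged client hardware address
                self.log.append(f"{port}: chaddr does not match source MAC, dropped")
                return False
            if self.limit is not None:
                key = (port, int(now))
                self._per_second[key] += 1
                if self._per_second[key] > self.limit:
                    self.err_disabled.add(port)
                    self.log.append(f"{port}: DHCP rate limit exceeded, port disabled")
                    return False
        self._client_port[msg["chaddr"]] = port
        return True


def client_msg(kind, mac, src_mac=None):
    """Build a constructed client-side DHCP message (DISCOVER/REQUEST)."""
    return {"type": kind, "src_mac": src_mac or mac, "chaddr": mac}


def demo():
    """Constructed exchange: real server on Gi0/1, rogue server on Fa0/5,
    a client on Fa0/3 and a burst of DISCOVERs with changing MACs on Fa0/7."""
    snoop = DhcpSnooping(trusted_ports={"Gi0/1"}, limit_per_sec=3)
    client = "aa:aa:aa:00:00:01"
    r = {}
    r["discover"] = snoop.inspect("Fa0/3", client_msg(DISCOVER, client), 0.0)
    r["rogue_offer"] = snoop.inspect("Fa0/5", {"type": OFFER, "chaddr": client, "yiaddr": "10.0.0.66"}, 0.1)
    r["real_offer"] = snoop.inspect("Gi0/1", {"type": OFFER, "chaddr": client, "yiaddr": "10.0.0.10"}, 0.2)
    r["request"] = snoop.inspect("Fa0/3", client_msg(REQUEST, client), 0.3)
    r["real_ack"] = snoop.inspect("Gi0/1", {"type": ACK, "chaddr": client, "yiaddr": "10.0.0.10"}, 0.4)
    r["forged"] = snoop.inspect("Fa0/3", client_msg(REQUEST, "aa:aa:aa:00:00:99", src_mac=client), 1.0)
    r["burst"] = [snoop.inspect("Fa0/7", client_msg(DISCOVER, f"02:00:00:00:00:{i:02x}"), 5.0 + i / 10)
                  for i in range(4)]
    return r, snoop.bindings, sorted(snoop.err_disabled)
```

In the run, the rogue OFFER on Fa0/5 never reaches the client and that port is disabled, the real server's OFFER and ACK on the trusted uplink pass and leave a binding of the client MAC to 10.0.0.10 on Fa0/3, the request with a forged chaddr is dropped, and the fourth DISCOVER within one second on Fa0/7 trips the rate limit. The binding table is what a later DAI (ARP inspection) stage checks ARP replies against.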
2.3.4.
Access Login
2) Password
An administrator can access a router for administrative purposes in a variety of ways.
There are two modes, user mode and privileged mode, and the two must have different
passwords to protect the router from unauthorized access; a strong password should be
selected for each. A strong password is one that is difficult for an attacker to guess or
compromise:
- Select at least 10 characters. The security passwords min-length 10 global configuration
command can be used to enforce this minimum.
- Use a mixture of alphabetic (both uppercase and lowercase), numeric and special
characters (a pass-phrase).
- The password should not be a common word found in a dictionary.
- Create a policy that dictates how and when passwords are to be changed.
Complex password:
Cisco(config-line)# password azsNYs13@!
Service password-encryption (console, auxiliary and vty line passwords then appear in
encrypted form):
Ciscorouter(config)# service password-encryption
4) Banner Message
When someone connects to one of our routers, he sees a short message at the prompt. For
legal reasons, a banner message is needed to warn potential attackers not to attempt a
login.
- The banner text is case sensitive. Make sure you do not add any spaces before or after
the banner text.
- Use a delimiting character before and after the banner text to indicate where the text
begins and ends. The delimiting character used in the example below is %, but you can use
any character that does not appear in the banner text.
- After configuring the MOTD, log out of the switch to verify that the banner is displayed
when you log back in.
Cisco(config)# banner motd %authorized text%
Cisco(config)# end
5) SNMP
SNMP (Simple Network Management Protocol) is often used to collect information about
network devices. The first two versions (v1 and v2c) lack security and are not a secure
mechanism. If they must be used, consider allowing SNMP only
read-only access, not read-write access. SNMP version 3 (v3) is the more secure version and
is the one that should be implemented for switch security. This brief introduction to SNMP
should already raise a few issues for the security professional. As mentioned, the default
SNMP community strings are public for read-only access and private for read-write access,
and most system and network administrators do not change these values. Consequently, any
user, authorized or not, can obtain information about the device through SNMP and
potentially change or reset values. For example, if the read-write community string is the
default, any user can change the device's IP address and take it off the network. The
common SNMP security issues include:
- Well-known default community strings
- Ability to change the configuration information on the system where the SNMP agent is
running
- Multiple management stations managing the same device
- Denial-of-service attacks
As mentioned previously, there are two SNMP access policies, read-only and read-write,
using the default community strings public and private respectively. Many organizations do
not change the default community strings. Failing to change the default values makes it
possible for an unauthorized person to change the configuration parameters of the device.
Consequently, SNMP community strings should be treated as passwords. The better the
quality of the password, the less likely it is that an unauthorized person could guess the
community string and change the configuration.
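The points of section 2.3.4 (password complexity, service password-encryption, the MOTD banner, SNMP community strings, unused ports) and the BPDU guard and DHCP snooping settings above can all be read straight out of a running-config, which is also the basis of the configuration analysis in section G. The script below is an added example written for this edit, not code from the document or from Cisco: it parses a running-config fragment that is constructed here as sample input and reports the hardening items that are missing. The check names, the severities, the small word list standing in for a dictionary, and the heuristic that an interface with no configuration lines is an unused port are all assumptions; nothing is sent to a device.

```python
"""Audit a Cisco IOS running-config against the hardening points on this page.

Added example written for this edit, not code from the original document.
SAMPLE_CONFIG, WEAK_WORDS and the severities are constructed/assumed values.
"""
import re

# Constructed stand-in for a dictionary of common words.
WEAK_WORDS = {"cisco", "password", "admin", "switch", "router"}

# Constructed running-config fragment used as sample input.
SAMPLE_CONFIG = """\
no service password-encryption
!
snmp-server community public RO
snmp-server community private RW
!
ip dhcp snooping
ip dhcp snooping vlan 1,10,13-15
!
interface FastEthernet0/2
!
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 8
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/4
 switchport mode access
 spanning-tree portfast
!
banner motd %authorized text%
!
line con 0
 password cisco
 login
line vty 0 15
 password azsNYs13@!
 login
"""


def password_is_strong(pw):
    """Policy of section 2.3.4: 10+ chars, upper, lower, digit, special, no dictionary word."""
    return bool(len(pw) >= 10
                and re.search(r"[A-Z]", pw) and re.search(r"[a-z]", pw)
                and re.search(r"[0-9]", pw) and re.search(r"[^A-Za-z0-9]", pw)
                and pw.lower() not in WEAK_WORDS)


def parse_config(text):
    """Return (top-level lines, [(header, [indented sub-lines])]); '!' closes a block."""
    top, blocks, current = [], [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            current = None
            continue
        if raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        elif not raw.startswith(" "):
            current = (raw.strip(), [])
            blocks.append(current)
            top.append(raw.strip())
    return top, blocks


def audit(text):
    """Return a list of (severity, finding) tuples for the sample checks."""
    top, blocks = parse_config(text)
    findings = []
    if "service password-encryption" not in top:
        findings.append(("medium", "service password-encryption is off; line passwords are in clear text"))
    for line in top:
        m = re.match(r"snmp-server community (\S+)\s*(RO|RW)?", line)
        if m:
            name, mode = m.group(1), m.group(2) or "RO"
            if name.lower() in ("public", "private"):
                findings.append(("high", f"SNMP community '{name}' is a well-known default ({mode})"))
            elif mode == "RW":
                findings.append(("medium", f"SNMP read-write community '{name}' is configured"))
    if "no cdp run" not in top:
        findings.append(("low", "CDP is enabled globally (no 'no cdp run')"))
    if "ip dhcp snooping" not in top:
        findings.append(("medium", "DHCP snooping is not enabled"))
    if not any(l.startswith("banner motd") for l in top):
        findings.append(("low", "no MOTD banner configured"))
    for header, body in blocks:
        if header.startswith("line "):
            for item in body:   # 'password 7 ...' is already encrypted and cannot be assessed
                if item.startswith("password ") and not item.startswith("password 7 "):
                    if not password_is_strong(item.split(" ", 1)[1]):
                        findings.append(("high", f"{header}: password does not meet the policy"))
        elif header.startswith("interface "):
            if not body:        # assumption: an interface with no configuration is unused
                findings.append(("low", f"{header}: unused port is not shut down"))
            elif "switchport mode access" in body and "spanning-tree bpduguard enable" not in body:
                findings.append(("medium", f"{header}: access port without BPDU guard"))
    return findings
```

Run against the sample it yields seven findings: the cleartext-password setting, both default community strings (one of them read-write), CDP left on, the console password "cisco", the unconfigured FastEthernet0/2 and the access port FastEthernet0/4 without BPDU guard; the vty password azsNYs13@! from the page satisfies the policy. Feeding it the output of `show running-config` from a real switch gives the same kind of list as the PT.KP columns in section G.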
F. TESTING OF MATERIAL
Columns of the original table: No. | Detailed Testing | Command | Verify | KP

1. ARP poisoning
   Detailed testing: IP ARP Inspection (DAI): a. Inter VLAN; b. Inter switch
   Command:
     a. Cisco(config)# ip arp inspection vlan {vlan_ID | vlan_range}
     b. Cisco(config)# interface GigabitEthernet 0/1
     c. Cisco(config-if)# ip arp inspection trust
   Verify:
     a. show ip arp inspection vlan {vlan_ID | vlan_range} | begin vlan
     b. show ip arp inspection interface Gi0/1

2. Spanning tree
   Detailed testing: a. Root Guard; b. BPDU guard
   Verify: show spanning-tree (normal 300 MAC)

3. Trunking Protocol
   Detailed testing: a. Enable VLAN; b. Preventing DTP; c. Disable trunking (double tagging)
   Verify: a. show run; b. show spanning-tree; c. show run

4. CDP attack
   Detailed testing: a. Disable CDP globally; b. Disable CDP on one/more interfaces
   Verify: show run

5. DHCP server spoofing
   Detailed testing: a. DHCP snooping
   Verify: show ip dhcp snooping

6. Access Login
   Detailed testing: a. Privilege Mode; b. Enable password; c. Password; d. Password
   encryption; e. Disable password recovery; f. Password telnet; g. Password console;
   h. Banner message; i. SNMP community; j. Disable unused port
   Command:
     f. Cisco(config-line)# password azsNYs13@!
        Cisco(config-line)# login
     g. Cisco(config)# line vty 0 15
        Cisco(config-line)# login
        Cisco(config-line)# password azsNYs13@!
     h. Cisco(config)# banner motd %authorized text%
        Cisco(config)# end
     i. Cisco(config)# snmp-server community
     j. Cisco(config)# interface FastEthernet 0/1
        Cisco(config-if)# shutdown
   Verify: show run
G. ANALYSIS OF CONFIGURATION
Key used in the tables: Not standard (unsecured); Not full standard (less secure)

1. ADMINISTRATIVE CONTROL
Columns of the original table: No. | Solution of Control | Standard Policies | PT.KP Standardization

Preventive
   Standard policies:
   - Security awareness and technical training
   - Separation of duties
   - Procedures for recruiting and terminating employees
   - Supervision
   - Disaster recovery, contingency and emergency plans
   PT.KP Standardization: Training CCNA and CCNA Security for security awareness

Detective
   Standard policies:
   - Required vacations
   - Background investigations
   - Rotation of duties

2. PHYSICAL CONTROL
Columns of the original table: No. | Solution of Control | Standard Policies | PT.KP Standardization

1. Preventive
   Detective

3. TECHNICAL CONTROL
Columns of the original table: No. | Solution of Control | Detailed Testing | PT.KP Standardization

1. Preventive
   Detailed testing:
   - ARP poisoning: IP ARP Inspection (DAI)
   - Spanning tree: a. Root Guard; b. BPDU guard
   - Trunking Protocol: a. Enable VLAN; b. Preventing DTP; c. Disable trunking (double tagging)
   - CDP attacks: a. Disable CDP globally; b. Disable CDP on one/more interfaces
   PT.KP Standardization:
   a. Has implemented
   b. Has implemented
   c. Has implemented
   d. Has implemented
   e. Not yet implemented
   f. Has implemented
   g. Has implemented
   h. Has implemented
   i. Using v2c (own community)
   j. Not yet implemented

Detective
   Security Appliance VPN