Securing Your Switches
Transcript
February 12, 2014
Slide 1
Securing Your Switches
Slide 2
Outline
History and Learning Experiences
Reasons to Protect the Infrastructure
How We Secure WSD Infrastructure
Methods to Secure Your Switches
Resources
Fun with Security
Questions and Credentials
Slide 3
History and Learning Experiences
97-98 - Started with 3Com PS Hub 40
  Unmanaged
  10/100
98-99 - Moved to 3Com 3300 series switches
  Managed
  10/100
  First reported incident of switches being hacked
  What we learned not to do has to do with defaults
Slide 4
History and Learning Experiences
05-06 - Started to introduce HP ProCurve to WSD
  Managed by IP address in Data VLAN
  10/100
11-12 - Started to secure HP infrastructure
  Mix of 5300, 5400, 6200, 2800, 2600, 1700
  10/100/1000
  Set up VLANs for Data, Voice, Video, Guest
  Management VLAN
Slide 5
Reasons to Protect the Infrastructure
Separation between network segments
Uptime / Reliability / Service Disruption
Network Utilization
Students' curiosity
SNMP information
Slide 6
How We Secure WSD Infrastructure
Currently over 360 switches, not counting APs.
Dividing up network segments / VLANs
  Network-aware viruses
Management VLAN
MAC lockout
Telnet or SSH
ACLs for Guest WiFi (not in use yet)
It's not perfect, but it works for us
Slide 7
Methods to Secure Your Switches
Password Protection (HP)
  password manager plaintext <password>   (no username)
  password manager user-name <name> plaintext <password>
  More in the PDF doc: Chapter 2, page 29
Password Protection (Cisco)
  enable password 0 <password>
  enable secret 0 <password>
  username <name> privilege 15 password 0 <password>
  service password-encryption   (more secure)
Slide 8
Methods to Secure Your Switches
Management VLAN (HP)
  management-vlan <vlan-id>
  ip authorized-managers <ip-address> <mask> access manager
Management VLAN (Cisco)
  Create a VLAN and write ACLs to prevent outside access
Remember: an ACL that permits management by source IP address can be defeated by address spoofing.
Slide 9
Methods to Secure Your Switches
MAC Lockout (HP)
  mac-lockout <mac-address>
MAC Lockout (Cisco)
  I did not find a similar command for Cisco
  Look at port-security, Meraki Mobile Device Management and Identity Services Engine
Slide 10
Methods to Secure Your Switches
Idle Activity Timer (HP)
  console inactivity-timer <number>   (default is no timeout)
Idle Activity Timer (Cisco)
  line console 0
  exec-timeout <number>   (default is 10 minutes)
Slide 11
Methods to Secure Your Switches
Enable SSH (HP)
  crypto key generate ssh
  ip ssh
  no telnet-server   (don't forget this step)
Enable SSH (Cisco)
  crypto key generate rsa
  ip ssh version 2
  line vty 0 15
  transport input ssh
Slide 12
Methods to Secure Your Switches
Port Security (HP)
  port-security
  More options than can be covered here
  Helps mitigate MAC flooding on the switch
Port Security (Cisco)
  switchport port-security
  More options than can be covered here
  Helps mitigate MAC flooding on the switch
Slide 13
Methods to Secure Your Switches
Syslog Server (HP)
  logging <ip-address>
  logging facility <your-choice>
  logging severity <your-choice>
Syslog Server (Cisco)
  logging <ip-address>
  logging facility <your-choice>
  logging console <your-choice>
  service timestamps log datetime localtime
Slide 14
Methods to Secure Your Switches
SNMP Access (HP)
  no snmp-server community public
SNMP Access (Cisco)
  Default is off
  Don't go back and give it away
Slide 15
Commands to Share
HTTPS Access (HP)
  crypto key generate cert 1024
  crypto host-cert generate self-signed
  web-management ssl
  no web-management plaintext
HTTPS Access (Cisco)
  crypto key generate rsa
  ip http secure-server
  no ip http server
Slide 16
Commands to Share
Protect the Local Password (HP)
  no front-panel-security factory-reset
  no front-panel-security password-clear
  no front-panel-security password-recovery
Protect the Local Password (Cisco)
  no service password-recovery
Slide 17
Methods to Secure Your Switches
Disable unused ports (Private industry? Not K-12?)
Dynamic ARP Inspection / ARP rate limiting
  Mitigates ARP spoofing and MITM attacks
DHCP Snooping
  Mitigates unauthorized DHCP servers
Storm Control
  Mitigates unwanted traffic such as DoS
Slide 18
Methods to Secure Your Switches
Network Access Control (NAC)
  IEEE 802.1X protocol requires the device/user to authenticate
Physical Security
Backup, Backup, Backup
Slide 19
Methods to Secure Your Switches
OSPF
  Null Authentication: Type 0
  Plaintext Authentication: Type 1
  MD5 Authentication: Type 2
  If OSPF authentication is used, all routers must have the same keys
NTP
  Tampered-with or unsynchronized clocks make forensic evidence less valuable.
  Authenticated NTP is more secure against such vulnerabilities
Slide 20
Methods to Secure Your Switches
Other PDF locations / topics to review
  (S)NTP/TimeP: Chapter 6, page 60
  SNMP: Chapter 7, page 66
  RADIUS/TACACS Accounting: Chapter 10, page 92 and Chapter 11, page 109
  [MR]STP: Chapter 18, page 166 and Chapter 19, page 170
  OSPF: Chapter 21, page 184
Slide 21
Methods to Secure Your Switches
Other PDF locations / topics to review
  ACLs: Chapter 23, page 197
  Spanning Tree Hardening: Chapter 26, page 235
  DHCP Snooping: Chapter 27, page 240
  ARP Protection: Chapter 28, page 246
  Connection Rate Filtering?: Chapter 29, page 250
  802.1X Authentication: Chapter 30, page 254
Slide 22
Resources to Share
HP
  http://evilrouters.net/2008/12/22/snmpv3-configuration-for-procurve-5400s/
  http://h17007.www1.hp.com/docs/interoperability/Cisco/HP-Networking-and-Cisco-CLI-Reference-Guide_June_10_WW_Eng_ltr.pdf
  ftp://ftp.hp.com/pub/networking/software/Security-Oct2005-59906024-Chap09-Port_Security.pdf
Cisco
  http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swdynarp.html#wp1039658
  http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3550/software/release/12-2_25_see/configuration/guide/3550SCG/swtrafc.html
Slide 23
Fun with Security
HP
  show telnet
  kill <number>
  banner motd .
Cisco
  clear line <number>
  banner motd ...
Slide 24
Questions and Credentials
Any questions?
Brad Jones, Network Specialist, Wentzville R-IV School District, [email protected]
I thank God for the experiences he has provided me, and my family for putting up with my geekiness.