
  • Securing Your Switches, February 12, 2014

    Slide 1

    Securing Your Switches


    Slide 2

    Outline
    - History and Learning Experiences
    - Reasons to Protect the Infrastructure
    - How We Secure WSD Infrastructure
    - Methods to Secure Your Switches
    - Resources
    - Fun with Security
    - Questions and Credentials


    Slide 3

    History and Learning Experiences
    - 1997-98: Started with the 3Com PS Hub 40 (unmanaged, 10/100)
    - 1998-99: Moved to 3Com 3300 series switches (managed, 10/100)
      - First reported incident of our switches being hacked
      - Lesson learned: what not to do comes down to leaving the factory defaults in place


    Slide 4

    History and Learning Experiences
    - 2005-06: Started to introduce HP ProCurve to WSD (managed by IP address in the data VLAN, 10/100)
    - 2011-12: Started to secure the HP infrastructure
      - Mix of 5300, 5400, 6200, 2800, 2600 and 1700 series (10/100/1000)
      - Set up VLANs for Data, Voice, Video and Guest
      - Management VLAN


    Slide 5

    Reasons to Protect the Infrastructure
    - Separation between network segments
    - Uptime / reliability / service disruption
    - Network utilization
    - Student curiosity
    - SNMP information exposure


    Slide 6

    How We Secure WSD Infrastructure
    - Currently over 360 switches, not counting APs
    - Dividing up network segments / VLANs (limits the reach of network-aware viruses)
    - Management VLAN
    - MAC lockout
    - Telnet or SSH
    - ACLs for guest Wi-Fi (not in use yet)

    It's not perfect, but it works for us.


    Slide 7

    Methods to Secure Your Switches: Password Protection

    HP:
      password manager plaintext <password>                    (no username)
      password manager user-name <name> plaintext <password>
    More in the HP PDF, Chapter 2, page 29.

    Cisco:
      enable password 0 <password>
      enable secret 0 <password>
      username <name> privilege 15 password 0 <password>
      service password-encryption
    Caveat: service password-encryption is not "more secure" in any meaningful sense. It stores passwords with the reversible type 7 encoding, which any type 7 decoder turns back into plaintext; all it stops is someone reading the password straight off a show running-config. Use enable secret (a one-way hash, and the one IOS honours when both enable password and enable secret are set) and username <name> secret instead of the password forms, and remove enable password once the secret exists.


    Slide 8

    Methods to Secure Your Switches: Management VLAN

    HP:
      management-vlan <vlan-id>
      ip authorized-managers <ip-address> <mask> access manager

    Cisco:
      Create a VLAN for management and write ACLs that block access to it from any other segment.

    Remember that an ACL keyed on source IP address can be defeated by address spoofing: it narrows who can reach the management plane, but it is a filter, not authentication. Pair it with real credentials and SSH.


    Slide 9

    Methods to Secure Your Switches: MAC Lockout

    HP:
      mac-lockout <mac-address>          (the switch drops all traffic to and from that address)

    Cisco:
      I did not find a similar command for Cisco. Look at port security, Meraki Mobile Device Management and Identity Services Engine.


    Slide 10

    Methods to Secure Your Switches: Idle Activity Timer

    HP:
      console inactivity-timer <minutes>           (default is 0, meaning no timeout)

    Cisco:
      line console 0
      exec-timeout <minutes> [<seconds>]           (default is 10 minutes; set it on the vty lines as well, not only the console)


    Slide 11

    Methods to Secure Your Switches: Enable SSH

    HP:
      crypto key generate ssh
      ip ssh
      no telnet-server                             (don't forget this step; SSH on with Telnet still open gains nothing)

    Cisco:
      crypto key generate rsa                      (the switch needs a hostname and a domain name configured first)
      ip ssh version 2
      line vty 0 15
      transport input ssh                          (this is the Cisco equivalent of "no telnet-server": Telnet is closed on every vty)
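Slides 7 through 11 are the steps of one job, locking down management access, so here they are assembled into a complete baseline for each platform. This is an added example and not configuration from the deck or from the Wentzville district. VLAN 99, the 10.0.99.0/24 admin subnet, the host names, domain name, user names and the ChangeMe placeholder passwords are all assumptions, and the HP lines follow ProCurve syntax from memory of the K-series releases; check them against the manual for your firmware before pasting.

```text
! ================= Cisco IOS (Catalyst) =================
! Names and addresses below are assumed for the example.
hostname wsd-sw01
! A domain name is required before the RSA host key can be generated.
ip domain-name example.internal
!
! Secrets are stored as one-way hashes; "enable password" is removed so the
! reversible type 7 copy does not linger in the config.
no enable password
enable secret ChangeMe-Enable-1
username netadmin privilege 15 secret ChangeMe-User-1
! Still worth having for strings that have no "secret" form (RADIUS, NTP keys),
! but it is obfuscation, not encryption.
service password-encryption
!
! Management SVI in VLAN 99, reachable only from the admin subnet 10.0.99.0/24.
vlan 99
 name Management
interface Vlan99
 description Management
 ip address 10.0.99.10 255.255.255.0
ip access-list standard MGMT-HOSTS
 permit 10.0.99.0 0.0.0.255
 deny   any log
!
! SSH v2 only, Telnet closed, ACL on every vty, idle sessions dropped at 10 minutes.
crypto key generate rsa modulus 2048
ip ssh version 2
line con 0
 exec-timeout 10 0
 login local
line vty 0 15
 access-class MGMT-HOSTS in
 exec-timeout 10 0
 login local
 transport input ssh

; ================= HP ProCurve =================
; Manager and operator accounts with distinct names and passwords.
hostname "wsd-sw02"
password manager user-name netadmin plaintext ChangeMe-User-1
password operator user-name netops plaintext ChangeMe-Oper-1
;
; Management VLAN 99: the switch accepts management traffic only on this VLAN,
; and only from the listed manager stations (port 24 is the assumed uplink).
vlan 99
   name "Management"
   untagged 24
   ip address 10.0.99.11 255.255.255.0
   exit
management-vlan 99
ip authorized-managers 10.0.99.0 255.255.255.0 access manager
;
; SSH on, Telnet off, idle console and SSH sessions dropped at 10 minutes.
crypto key generate ssh
ip ssh
no telnet-server
console inactivity-timer 10
```

Apply the Cisco half from configure terminal and the HP half from config, save, then prove the result rather than trusting it: on the Cisco side show running-config | include transport input should show nothing but ssh, and on the HP side show ip ssh should report SSH enabled. Finally attempt an SSH login from a host outside 10.0.99.0/24; the connection should be refused, and on the Cisco switch the deny any log entry will record the attempt.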


    Slide 12

    Methods to Secure Your Switches: Port Security

    HP:
      port-security <port-list> ...

    Cisco:
      switchport port-security

    Both have more options than can be covered here. Port security caps the number of MAC addresses a port may learn (and optionally which ones), which mitigates MAC flooding attacks that try to overflow the switch's address table and turn it into a hub.


    Slide 13

    Methods to Secure Your Switches: Syslog Server

    HP:
      logging <ip-address>
      logging facility <your choice>
      logging severity <your choice>

    Cisco:
      logging <ip-address>
      logging facility <your choice>
      logging console <your choice>
      service timestamps log datetime localtime

    Syslog is plain, unauthenticated UDP, so keep the collector on the management VLAN, and get the timestamps right (the NTP slide below) or the logs will be hard to correlate across switches.


    Slide 14

    Methods to Secure Your Switches: SNMP Access

    HP:
      no snmp-server community public          (the "public" community is present out of the box)

    Cisco:
      Default is off: no community exists until you configure one.

    Don't go back and give it away. If monitoring needs SNMP, use a non-default community restricted by an ACL, or better SNMPv3 with authentication and privacy (see the ProCurve SNMPv3 link under Resources).


    Slide 15

    Commands to Share: HTTPS Access

    HP:
      crypto key generate cert 1024
      crypto host-cert generate self-signed
      web-management ssl
      no web-management plaintext

    Cisco:
      crypto key generate rsa
      ip http secure-server
      no ip http server

    A 1024-bit RSA key is small by today's standards; generate the largest size your release accepts. A self-signed certificate still leaves the browser unable to verify which switch it is talking to, so either distribute the certificate to the admin stations or issue one from your own CA. If nobody uses the web UI, disable it entirely instead of securing it.


    Slide 16

    Commands to Share: Protect the Local Password

    HP:
      no front-panel-security factory-reset
      no front-panel-security password-clear
      no front-panel-security password-recovery

    Cisco:
      no service password-recovery

    Caveat: these commands stop anyone with physical access from resetting the credentials, but they also remove your own safety net. With recovery disabled, a lost password means at best a lost configuration, so keep configuration backups current before turning this on.
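Slides 13 through 16 cover the remaining management services: logging, SNMP, the web UI and the physical-recovery bypass. The block below is an added example that puts them together for both platforms; it is not configuration from the deck or the district. The collector at 10.0.99.50, the 10.0.99.0/24 admin subnet, the group and user names and every ChangeMe key string are assumptions. The HP SNMPv3 lines follow ProCurve syntax from memory (on ProCurve, snmpv3 enable runs an interactive setup that creates a user named initial, which is why it is removed here); verify both halves against the manual for your release.

```text
! ================= Cisco IOS (Catalyst) =================
! Collector address, ACL, group/user names and key strings are assumed.
!
! Timestamps first: a log line without a usable time is worth little in an investigation.
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone
logging buffered 65536 informational
logging host 10.0.99.50
logging facility local6
logging trap informational
no logging console
!
! SNMP: remove any leftover default communities, then SNMPv3 with authentication
! and privacy, read-only, and only from the admin subnet.
access-list 10 permit 10.0.99.0 0.0.0.255
no snmp-server community public
no snmp-server community private
snmp-server group NETMON v3 priv access 10
snmp-server user monitor NETMON v3 auth sha ChangeMe-Auth-1 priv aes 128 ChangeMe-Priv-1
!
! Web UI over HTTPS only, limited to the admin subnet (drop both server lines if unused).
no ip http server
ip http secure-server
ip http access-class 10
!
! Console password-recovery bypass disabled. Take a config backup before this line:
! once it is set, a forgotten password can only be recovered by wiping the configuration.
no service password-recovery

; ================= HP ProCurve =================
; Syslog to the same collector.
logging 10.0.99.50
logging facility local6
logging severity warning
;
; Drop the default "public" community and allow SNMPv3 only.
no snmp-server community public
snmpv3 enable
snmpv3 user monitor auth sha ChangeMe-Auth-1 priv aes ChangeMe-Priv-1
snmpv3 group managerpriv user monitor sec-model ver3
no snmpv3 user initial
snmpv3 only
;
; HTTPS only. 1024 is the size on the slide; use the largest your release accepts.
crypto key generate cert 1024
crypto host-cert generate self-signed
web-management ssl
no web-management plaintext
;
; Front-panel buttons can no longer clear the password or reset the configuration.
no front-panel-security factory-reset
no front-panel-security password-clear
no front-panel-security password-recovery
```

Order matters in two places: create the SNMPv3 user before removing the last community or your monitoring goes dark, and save a copy of the configuration somewhere off the switch before the password-recovery lines go in.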


    Slide 17

    Methods to Secure Your Switches
    - Disable unused ports (private industry? Not K-12?)
    - Dynamic ARP Inspection and ARP rate limiting: mitigate ARP spoofing and the man-in-the-middle attacks built on it
    - DHCP snooping: mitigates unauthorized (rogue) DHCP servers, and builds the IP-to-MAC binding table that Dynamic ARP Inspection checks against, so enable it first
    - Storm control: mitigates floods of unwanted traffic such as broadcast storms and DoS
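The slide names the access-port features but not the commands, and slide 12 left port security at "more options than can be covered here", so here is an added example of an access-port hardening block for both platforms (not configuration from the deck or the district). User VLAN 10, ports 1-20 as access ports, port 24 as the uplink, the parking VLAN 999 and the Catalyst interface naming are assumptions; the HP lines follow ProCurve syntax from memory and should be checked against the guide chapters the deck cites (27 and 28).

```text
! ================= Cisco IOS (Catalyst) =================
! DHCP snooping on the user VLAN; the binding table it builds is what DAI verifies.
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
ip arp inspection vlan 10
!
! Access ports: at most two MAC addresses, learned sticky; a third is dropped
! and logged (restrict) rather than shutting the port on a curious student.
interface range GigabitEthernet1/0/1 - 20
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 ip arp inspection limit rate 15
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 storm-control action trap
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! The uplink is the only place DHCP offers and unverified ARP are trusted.
interface GigabitEthernet1/0/24
 description Uplink to distribution
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Unused ports parked in an unused VLAN and shut.
interface range GigabitEthernet1/0/21 - 23
 switchport mode access
 switchport access vlan 999
 shutdown

; ================= HP ProCurve =================
; Port security: at most two addresses per access port, disable the port on a violation.
port-security 1-20 learn-mode limited-continuous address-limit 2 action send-disable
;
; DHCP snooping and ARP protection on VLAN 10, with the uplink as the trusted port.
dhcp-snooping
dhcp-snooping vlan 10
dhcp-snooping trust 24
arp-protect
arp-protect vlan 10
arp-protect trust 24
;
; Unused ports disabled.
interface 21-23 disable
```

Two checks after applying it: show ip dhcp snooping binding (Cisco) should fill with entries as clients renew their leases, and until it does DAI will drop ARP from statically addressed hosts, which is the usual surprise with this feature. A test of the rogue-server protection is to plug a laptop running a DHCP server into an access port; its offers should never reach other clients, and on the Cisco side show ip dhcp snooping statistics counts the drops.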


    Slide 18

    Methods to Secure Your Switches
    - Network Access Control (NAC): IEEE 802.1X requires the device or user to authenticate before the port forwards traffic
    - Physical security
    - Backup, backup, backup
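The slide names 802.1X as the NAC mechanism; as an added example (not configuration from the deck or the district), here is the minimum to make ports 1-20 demand authentication against a RADIUS server on both platforms. The RADIUS server address 10.0.99.20, the shared secret, VLAN 10 and the interface naming are assumptions, and the HP lines follow ProCurve port-access syntax from memory (the deck points at Chapter 30 of the HP PDF for the full treatment).

```text
! ================= Cisco IOS (Catalyst) =================
! RADIUS server address and shared secret are assumed.
aaa new-model
radius-server host 10.0.99.20 auth-port 1812 acct-port 1813 key ChangeMe-Radius-1
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
! Access ports: only EAPOL passes until the supplicant authenticates;
! a device with no supplicant simply never gets the port opened.
interface range GigabitEthernet1/0/1 - 20
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
! The uplink carries already-authenticated traffic; never enable 802.1X on it.
interface GigabitEthernet1/0/24
 description Uplink to distribution
 switchport mode trunk

; ================= HP ProCurve =================
radius-server host 10.0.99.20 key ChangeMe-Radius-1
aaa authentication port-access eap-radius
aaa port-access authenticator 1-20
aaa port-access authenticator active
```

Roll this out one closet at a time with the RADIUS server already tested, because once authenticator mode is active every printer, phone and thin client without a supplicant on those ports stops working; those devices need either a MAC-based exception on the RADIUS side or a separate port profile.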


    Slide 19

    Methods to Secure Your Switches: OSPF and NTP

    OSPF authentication types:
      Type 0: null (no authentication)
      Type 1: plaintext (the key itself is visible in every hello on the wire)
      Type 2: MD5 (a keyed hash is sent; the key never crosses the wire)
    If OSPF authentication is used, every router on the same link (or in the same area, when area authentication is configured) must carry the same key, or adjacencies will not form.

    NTP:
      Tampered-with, or simply unsynchronized, clocks make forensic evidence and cross-device log correlation less valuable.
      Use NTP authentication so that only time servers holding the shared key can set the switch clock.
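As an added example for the two points on this slide (not configuration from the deck or the district), here is the Cisco IOS side of OSPF MD5 authentication and authenticated NTP, with the log timestamps that make the NTP effort pay off. OSPF process 1, the VLAN 10 transit link, the time server at 10.0.99.1, Central time and the ChangeMe key strings are assumptions. The HP equivalents are in the guide chapters the deck cites below (Chapter 6 for (S)NTP and Chapter 21 for OSPF) and are not reproduced here.

```text
! OSPF process with MD5 (type 2) authentication for the whole backbone area.
! Only a keyed hash crosses the wire; the key string itself never does.
router ospf 1
 router-id 10.0.99.10
 network 10.0.10.0 0.0.0.255 area 0
 network 10.0.99.0 0.0.0.255 area 0
 area 0 authentication message-digest
 passive-interface default
 no passive-interface Vlan10
!
! Every router on the VLAN 10 link must configure key-id 1 with this same string,
! or it will not form an adjacency with this switch.
interface Vlan10
 ip ospf message-digest-key 1 md5 ChangeMe-Ospf-1
!
! NTP: the clock may only be set by a server that proves it holds key 1.
ntp authentication-key 1 md5 ChangeMe-Ntp-1
ntp authenticate
ntp trusted-key 1
ntp server 10.0.99.1 key 1
!
! Local time for the log timestamps (Central time assumed for the example).
clock timezone CST -6
clock summer-time CDT recurring
service timestamps log datetime msec localtime show-timezone
```

show ip ospf neighbor should list the peers in FULL state once they carry the same key; a peer stuck without an adjacency after this change almost always has a mismatched key-id or string. show ntp status should report "Clock is synchronized" and show ntp associations should mark the server with an asterisk; with ntp authenticate set, a server without the key is simply ignored rather than trusted.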


    Slide 20

    Methods to Secure Your Switches: Other topics in the HP PDF to review
    - (S)NTP / TimeP: Chapter 6, page 60
    - SNMP: Chapter 7, page 66
    - RADIUS / TACACS accounting: Chapter 10, page 92 and Chapter 11, page 109
    - [MR]STP: Chapter 18, page 166 and Chapter 19, page 170
    - OSPF: Chapter 21, page 184


    Slide 21

    Methods to Secure Your Switches: Other topics in the HP PDF to review
    - ACLs: Chapter 23, page 197
    - Spanning tree hardening: Chapter 26, page 235
    - DHCP snooping: Chapter 27, page 240
    - ARP protection: Chapter 28, page 246
    - Connection rate filtering: Chapter 29, page 250
    - 802.1X authentication: Chapter 30, page 254


    Slide 22

    Resources to Share

    HP:
      http://evilrouters.net/2008/12/22/snmpv3-configuration-for-procurve-5400s/
      http://h17007.www1.hp.com/docs/interoperability/Cisco/HP-Networking-and-Cisco-CLI-Reference-Guide_June_10_WW_Eng_ltr.pdf
      ftp://ftp.hp.com/pub/networking/software/Security-Oct2005-59906024-Chap09-Port_Security.pdf

    Cisco:
      http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swdynarp.html#wp1039658
      http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3550/software/release/12-2_25_see/configuration/guide/3550SCG/swtrafc.html


    Slide 23

    Fun with Security

    HP:
      show telnet                      (list the active management sessions and their numbers)
      kill <session-number>            (disconnect one of them)
      banner motd .                    (type the banner text; a line containing only the delimiter "." ends it)

    Cisco:
      clear line <line-number>         (disconnect the session on that line; show users lists the line numbers)
      banner motd ...                  (the first character after "motd" is the delimiter that ends the text)


    Slide 24

    Questions and Credentials

    Any questions?

    Brad Jones, Network Specialist, Wentzville R-IV School District, [email protected]

    I thank God for the experiences he has provided me, and my family for putting up with my geekiness.
