NET-4-Switch Security
VLAN
- Virtual Local Area Network - Partitions a Layer 2 Network into multiple distinct segments - Protocol IEEE 802.1Q (tag)
Port Security Show Commands
. If only an overview is needed, show port-security can be run for a quick overview of the configuration. To view a specific interface, the command show port-security interface [interface] should be used, since it provides more information.
Four Steps that you can do with Risk
1- Mitigate 2- Avoid 3- Transfer 4- Accept
Access Mode
Access ports are responsible for traffic flow. Access mode should only be defined on ports connected to endpoint devices, such as PCs. You can configure port security on interfaces that you configured as access ports with access mode activated.
SSH Connection
Accessing the device remotely using SSH can be done using a CLI, such as PuTTY or the device's terminal. The universal command for creating an SSH session is: ssh -l <username> <target-ip> In the following example, the command is executed in Windows CMD.
Port Security -Sticky
Allowed MAC addresses are learned dynamically and are limited to the maximum number configured for the interface. The switch learns the source address of the first few devices associated with the interface, providing a fast and scalable method of operation.
Trunk Port
Configured to carry VLAN traffic. A port that is configured to carry traffic for multiple VLAN.
Telnet
Developed many years ago to allow users to manage devices from anywhere, via a simple and minimal configuration. Involves a potential security risk because usernames and passwords are sent in plain text on TCP port 23.
Protect -
In case of a violation, Ethernet frames with unauthorized source MAC addresses are dropped. In this violation mode, the switch does not provide notification regarding the event.
Restrict -
In case of a violation, Ethernet frames with unauthorized source MAC addresses are dropped. The switch provides notification of security violations and keeps count of the number of violations.
CAM Table Overflow
Is an attack that targets a switch's MAC table. The idea is to flood the table with a large number of fake addresses. When the list of addresses exceeds the maximum size of the table, the switch will initiate its fallback mode and begin to act as a hub, meaning every frame will be forwarded to every host on the network.
Port Security Configuration
Is configured by setting up each component individually using the same structure. Violation defines the type of violation rule to be applied to the port. The commands mac-address and maximum define sticky learning, up to a maximum of five addresses. Command: switchport port-security [configuration] [value]
Enable Port Security
Is done in the interface configuration mode, which is set using interface [interface-id]. Then, Access mode needs to be set with switchport mode access. Note: For port security to operate correctly, the interface must be configured as an Access port. Finally, Port Security can be enabled on the interface using the command: switchport port-security Commands: switchport mode access switchport port-security
Port Security
Is used to restrict input to an interface by limiting MAC addresses of workstations that are allowed to access a specific port. When secure MAC addresses are assigned to a port, the port will not forward packets with source addresses outside the defined group.
MAC Spoofing
Is when attackers change their own physical PC address to conceal their true identity and pose as someone else. For example, an attacker may spoof a MAC address with a legitimate address to bypass an access control mechanism, such as port security. I causes a DDOS.
SVI (Switched Virtual Interface)
Layer 2 switches create VLANs (Virtual LANs) that form a single broadcast domain. If a broadcast message is sent within the same VLAN, all devices connected to that VLAN will receive the message. Hosts can communicate on the same VLAN without a Layer 3 device (router). Devices on a different VLAN, on the other hand, cannot communicate with each other without proper routing. A router or Layer 3 switch can handle network segmentation and inter-VLAN communication. A router can segment a network and create separate broadcast domains, with each network segment using a different sub-interface of a physical interface on the router. Layer 3 switches require the creation of multiple VLANs on the switch, which form multiple broadcast domains. Then, for each VLAN, a corresponding Layer 3 interface needs to be created on the switch, to handle the routing. This Layer 3 interface is the SVI. The difference is that the SVI Layer 3 interface is virtual.
Port Security - Manual
Requires a static configuration of each allowed MAC address and its assignment to an interface. This is the most secure method, but it is very time consuming and open to faulty configuration.
SSH Prerequisites
Several initial settings must be configured before enabling SSH on the device. 1. Set the device name. 2. Create a local account. 3. Secure the privileged mode. 4. Set an appropriate security message (optional). 5. Set a domain name.
Verify SSH Configuration
Show ssh command presents the active SSH sessions on the network device. Show ip ssh displays the version definition, authentication timeout, and retries.
Allow Remote Access
Step 1 - Enter the VTY configuration mode. Select the number of maximum sessions. Step 2 - Enable authentication using a username and password. Step 3 - Telnet is enabled by default; the transport command prevents using Telnet and only uses SSH for remote connections. The options are none, all, Telnet, or SSH. Command: line vty <id-range> & login local
Generate RSA Keys
The crypto key command generates the Private and Public RSA keys on the network device. The switch or router needs those keys to secure the SSH session. Set the key length. The default is 512, but it is recommended to set the number of bits to higher than 1024. The maximum value is 2048. Command: crypto key generate rsa
IP Switch Settings
The default SVI is VLAN 1. Setting an address and enabling the interface is crucial if we want to communicate directly with the switch. If the switch needs to send data to other networks, the default gateway is also required. Command: Interface vlan 1 & ip address <ip-address> < subnet-mast>
Access Port
The interface on a switch used for an end node. Devices connected to access ports are unaware of VLAN information.
SSH Encryption
The public key is shared with everyone, while the private key is only given to specific persons. RSA ensures implementation of the CIA triangle, and avoids authentication rejection. Protocols like SSH and SSL/TLS use RSA to encrypt communication and digital signatures. Although RSA works through the computational difficulty of factoring large integers, computational complexity grows exponentially every day, and larger and larger numbers are required to maintain secure communication.
Shutdown -
This is the default violation mode. When a violation occurs, the port will be shut down, and the violation will be logged automatically. The port must then be reset manually to become operational again.
Err-Disabled
When a switch port is in Err-disabled mode, the port may have been disabled automatically by the switch operating system, due to port security shutdown mode violation. To determine if Err-disabled was turned off for a port, run the command: show interfaces [interface] status
Asymmetric Encryption
When two different keys are used to encrypt and decrypt messages. The keys are mathematically related in a way that messages encrypted with one key, usually the public key, cannot be decrypted by it. The decryption can be done only using the corresponding private key in the key pair.
Max Allowed MAC Addresses
default allowed in Port Security is one, the number can be changed within the range of 1 to 3072.
SSH
encrypts all data transferred between the user and end device. Uses RSA encryption, a robust and reliable encryption type. It operates on TCP port 22
Virtual Teletype (VTY)
is a command-line interface (CLI) in network devices used to create remote access connections. VTY is virtual and does not require any hardware. Switches have 16 VTY lines (0-15), routers have 5 VTY lines (0-4).
ECC (Elliptic Curve Cryptography)
is becoming popular, since it can create faster, smaller, and more efficient cryptographic keys.
SSH Configuration
• Change the default hostname. • Create a user account. • Set the enable password. • Configure a domain name. • Set a security message. • Enable VTY lines and limit protocol access. • Enable Layer 3 connectivity. • Generate SSH keys.
Common Reasons for err-disable
• Duplex Mismatch - This state occurs when two parties, set for point-to-point communication, are configured to use different duplex modes. • Bad NIC - A faulty network interface card with software problems or hardware problems may trigger the Err-disabled state. • Broadcast Storm - When there is a broadcast volume too large for processing in the broadcast domain, the switches may be overwhelmed and trigger err-disabled mode on its ports.