These are some of my Layer 2 Security Notes:
VLAN Threats:
VLAN Hopping: An attacker sends traffic from one VLAN into another without it passing through a Layer 3 device.
http://en.wikipedia.org/wiki/VLAN_hopping
Methods:
Switch spoofing (an attacking host acts as if it is a switch and negotiates a trunk with DTP).
- To mitigate, make sure auto trunking is off on all ports: turn off DTP (switchport nonegotiate) and manually set each port to access or trunk mode.
Double Tagging (an attacker encapsulates a dot1q frame inside another dot1q frame; the first switch strips the outer tag because it matches the trunk's native VLAN and forwards the inner-tagged frame into the victim VLAN).
- Use a different, otherwise unused Native VLAN on trunks than any VLAN assigned to access ports.
- Disable unused ports.
Important Commands:
switchport mode trunk - Sets a port as a trunk
switchport nonegotiate - Turns off DTP frames
switchport trunk native vlan <vlan number> - Sets the native VLAN
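As an added example (not from these notes or from Cisco's documentation), the configuration below applies the mitigations for both methods on a Catalyst switch. The interface names, the VLAN numbers (10 for users, 999 as the unused native VLAN, 998 as a parking VLAN for unused ports) and the roles of FastEthernet0/1 (end host) and FastEthernet0/24 (trunk to another switch) are assumptions made for the example:

```cisco
! Unused VLANs that exist only so the native VLAN and parked ports have somewhere to go
vlan 998
 name PARKING-UNUSED
vlan 999
 name NATIVE-UNUSED
!
! End-host port: fixed access mode and DTP off, so a host cannot negotiate a trunk (switch spoofing)
interface FastEthernet0/1
 description user port (assumed role)
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
!
! Trunk to another switch: DTP off, explicit VLAN list, and a native VLAN that no access port uses,
! so the outer tag of a double-tagged frame never matches a VLAN an attacker can sit in
interface FastEthernet0/24
 description trunk to distribution switch (assumed role)
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
!
! Unused ports: parked in a dead VLAN and shut down
interface range FastEthernet0/2 - 23
 switchport mode access
 switchport access vlan 998
 switchport nonegotiate
 shutdown
!
! On platforms that support it, tagging the native VLAN on trunks removes the untagged
! frame that double tagging relies on
vlan dot1q tag native
!
! Verification:
! show interfaces trunk                      (native VLAN and allowed list per trunk)
! show interfaces FastEthernet0/1 switchport (should show "Negotiation of Trunking: Off")
```

The same shape works on the other end of the trunk; both switches must agree on the native VLAN or the port will log a native VLAN mismatch.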
Additional information:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml
STP Threats:
An attacker can send out false BPDUs to force an STP recalculation and thus make itself the Root Bridge.
Mitigation Techniques:
BPDU Guard: Blocks BPDUs on ports that shouldn't receive them by err-disabling the port (best used on PortFast access ports)
BPDU Filter: Stops a port from sending or processing BPDUs (use with care: it effectively disables STP on that port)
Root Guard: Limits the ports on which the root bridge can be elected; a port that receives a superior BPDU goes root-inconsistent until the BPDUs stop
spanning-tree portfast bpduguard default - Enables BPDU Guard on all ports with PortFast (global)
spanning-tree bpdufilter enable - Enables BPDU Filter (interface)
spanning-tree guard root - Enables Root Guard (interface)
show spanning-tree summary - Shows valuable spanning tree information
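As an added example (again not from these notes), the commands above in context on an assumed switch: FastEthernet0/1 is a PortFast access port, FastEthernet0/24 faces a downstream switch that must never become root, and the priority is set on the switch meant to be root. The interface names and VLAN numbers are assumptions:

```cisco
! On the switch that is meant to be the root bridge: make the election deterministic
spanning-tree vlan 10,20 priority 4096
!
! Global: every PortFast port is err-disabled the moment a BPDU arrives on it
spanning-tree portfast bpduguard default
! Let err-disabled ports recover on their own after the timer (default 300 s)
! instead of needing a manual shut / no shut
errdisable recovery cause bpduguard
!
! Access port: PortFast plus an explicit per-port BPDU Guard in case the global default is ever removed
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Port facing a downstream switch: a superior BPDU here puts the port into root-inconsistent
! state instead of letting that switch take over as root
interface FastEthernet0/24
 switchport mode trunk
 spanning-tree guard root
!
! BPDU Filter is deliberately left off. If it is needed, prefer the global form, which stops
! sending BPDUs on PortFast ports but still drops PortFast (and the filter) when one is received:
! spanning-tree portfast bpdufilter default
!
! Verification:
! show spanning-tree summary
! show spanning-tree inconsistentports
! show interfaces status err-disabled
```

Root Guard belongs on ports where the root should never appear (downstream or toward other administrative domains), never on the uplink toward the real root, or the guard will block the legitimate root's BPDUs.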
CAM attacks, MAC spoofing and other things are best covered by this article:
http://articles.techrepublic.com.com/5100-10878_11-6154589.html
Tuesday, January 19, 2010
Monday, January 18, 2010
Oh yeah, maybe I should define this... Blog 2010 Charter. Woot!!!!
Well I have finalized my 2010 plans, they are as follows:
School:
3.5 GPA in both my Network Engineering and Software Development tracks.
Certs*:
Cisco: CCNA Security and CCDA.
Microsoft: MCP, MCTS, MCSA and MCSA:Security
CompTIA: Security+ and Linux+
Working towards: MCITP:EA/SA, LPIC-1, CCNA Voice
Learning (non-certs):
Basics: Perl, C/C++, X-SQL, RegEx
Basics+ Intermediate: *nix, MS server technologies, networking, IPv6, LAMP and Virtualization
So that is it. My blog may be all over the place but I will make sure to put the subject area in the title.
*(If time and money permit)
Jan 30th is the Big Day
Welp, I am making my final push towards the CCNA:S. My overall plan is to study 4-6 hours per weekday (so about 45-54 hours) and 8 hours a day on my 3-day weekend (24 hours). I will post any notes I think will be important to review between now and then, and I will give a full write-up after the exam. Wish me luck!!!!
Wednesday, January 13, 2010
AAA Notes
AAA: Authentication, Authorization, Accounting.
Authentication: Who you are.
Authorization: What you can do.
Accounting: What you did.
Modes of operation:
Character Mode: Used for sessions that configure or administer the device (EXEC access)
- VTY lines, AUX line, console port, etc.
Packet Mode: Used for sessions that let a device connect to another device or network (network access)
- Async, BRI, PRI, serial interfaces, etc.
RADIUS:
- Defined in RFC 2865 http://www.faqs.org/rfcs/rfc2865.html
- Open standard
- UDP port 1645 (default on Cisco routers; RFC 2865 assigns 1812, so check that server and client agree)
- Encrypts only the password (the rest of the packet, including the username, is sent in cleartext)
- Combines authentication and authorization in one exchange
- Does not support all protocols:
  - AppleTalk Remote Access Protocol (ARA)
  - NetBIOS Frame Protocol Control Protocol
  - Novell Asynchronous Services Interface (NASI)
  - X.25 PAD connections
TACACS:
- Cisco defined (the version used on Cisco gear is TACACS+)
- Defined in RFC 1492 http://www.faqs.org/rfcs/rfc1492.html (RFC 1492 documents the original TACACS; the features below are those of TACACS+)
- Encrypts the entire packet body (carried over TCP port 49)
- Separates authentication and authorization
- Multiprotocol support
Important Commands
aaa new-model - Starts AAA
radius-server host <address> - Sets the RADIUS server
tacacs-server host <address> - Sets the TACACS+ server
debug aaa authentication - Shows authentication events
debug aaa authorization - Shows authorization events
debug aaa accounting - Shows accounting events
debug tacacs - Shows TACACS+ information
debug radius - Shows RADIUS information
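An added example (not from these notes) of a complete character-mode AAA configuration that ties the three A's to the commands above: TACACS+ is the method for all three, with a local account only as fallback, and a RADIUS server is defined alongside to show where its port settings go. The server addresses (RFC 5737 documentation range), usernames and keys are placeholders invented for the example:

```cisco
! Turn on the AAA framework; every other aaa command depends on it
aaa new-model
!
! Local account used only when no AAA server answers (fallback, not the primary method)
username admin privilege 15 secret LOCAL-PASSWORD-PLACEHOLDER
!
! TACACS+ server (assumed address): entire packet body encrypted with the shared key, TCP port 49
tacacs-server host 192.0.2.10 key TACACS-KEY-PLACEHOLDER
!
! RADIUS server (assumed address): only the password is hidden. 1645/1646 are the Cisco legacy
! defaults; most servers listen on the RFC 2865/2866 ports 1812/1813, so set them explicitly
radius-server host 192.0.2.20 auth-port 1812 acct-port 1813 key RADIUS-KEY-PLACEHOLDER
!
! Authentication (who you are): TACACS+ first, local database only if the server is unreachable
aaa authentication login default group tacacs+ local
! Authorization (what you can do): EXEC shell and level-15 commands checked against TACACS+
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
! Accounting (what you did): session and command records sent to the TACACS+ server
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Apply the default method list to the character-mode lines
line vty 0 4
 login authentication default
 transport input ssh
line console 0
 login authentication default
!
! Verification (run while a test login is in progress):
! debug aaa authentication
! debug aaa authorization
! debug tacacs
! show tacacs
```

Keep a console session open while testing: if the method list is wrong, the `local` fallback is the only thing standing between you and a lockout.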
Tuesday, January 12, 2010
Change of Plans
Welp, life changes so fast. New year, new me, new plans! I have scaled my plans back drastically for 2010 and it is now down to this (certification-wise) (in order): CCNA:S (JAN), Security+ (FEB), Linux+ (MARCH), JNCIA:ER (SPRING or SUMMER) and ASA Specialist (FALL or WINTER) or CCNA:Voice (or both if I can afford it this year). The first three are fixed (since I want to get them done before I go back to school in April) but the last 2 are not. I am currently working towards finishing the CCNA:S so the next few posts are going to be about that. My CCNA:S test is on Jan 30th. Wish me luck!!!