DOCSLIB.ORG

Security Best Practices in Catalyst Campus Switches

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Security Best Practices in Catalyst Campus Switches Security Best Practices in Catalyst Campus Switches Mike Peeters SE Toronto PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 1 Agenda • Security Myths • Management Channels • VLAN Isolation • Known Attacks • Secure Switch Configuration PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 2 Security Myths • MAC addresses cannot be spoofed • A Switch protects against sniffers • VLANs are completely isolated PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 3 Agenda • Security Myths • Management Channels • VLAN Isolation • Known Attacks • Secure Switch Configuration PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 4 Management Channels • Telnet: for command line interface • SNMP: to read/write data from/to the switch • VTP: VLAN Trunking Protocol • VQP for VMPS Virtual Membership Policy Server • CDP: Cisco Discovery Protocol PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 5 Using a Out of Band Management • Cat 4000 has a dedicated physical Ethernet port for management can be put in a separate VLAN or even to another physical LAN • Cat 5k & Cat 6K have a logical Ethernet port for management MUST be put in a VLAN this should be a dedicated VLAN PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 6 Out of Band Management (Cont.) Management Inbound ACL VLAN or LAN deny nms any Outbound ACL permit any any permit nms any deny any any WAN Inbound ACL Inbound ACL deny nms any permit nms any Network Management permit any any deny any any • Use topological ACL to prevent IP spoofing for the management VLAN • IPSec tunnel can provide authentication & confidentiality on the WAN PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 7 Management Channels: Telnet • Telnet can give access to the command line from remote ( passwords are sent in clear text) • two passwords: login password enable password PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 8 Management Channel: SSH • On Cat 4K, 6K with CatOS 6.1 (or IOS 12.1(6)E) SSH can be used to replace Telnet • On Cat 2950 EI and 3550 SSH is available on 12.1(11)EA1 • SSH is using 3DES to provide confidentiality to the Telnet session PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 9 Passwords • Enable password should be different than login password • Physical access to console port means no password needed upon reboot • Passwords are stored in clear text on TFTP servers • Passwords should be more creative than : Router, switch, sanfran, cisco, enable..... PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 10 Using Radius/TACACS+ Can use one time token for login/enable authentication CATALYST> set authentication login tacacs+ enable set authentication enable tacacs+ enable set tacacs key mysecret set tacacs server 1.1.1.1 set tacacs server 2.2.2.2 PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 11 Management Channels: SNMP • SNMP is used to: send traps get information from switch set information to switch • three community strings (RO, RW, RW-all). Defaults public, private • use SNMPv1 => everything in clear including community string • Catalyst switches support SNMP V3 (DES Encryption) PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 12 Restricting Telnet/SNMP Access • Telnet and SNMP access can be restricted to 10 IP addresses CATALYST> set ip permit 192.168.1.0 255.255.255.0 set ip permit 192.168.100.1 set ip permit enable PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 13 VLAN Trunking Protocol (VTP) • Used to distribute VLAN configuration among switches • VTP is used over trunk ports • VTP can cause more problems than it solves, consider if it is needed • If needed, VTP can (and should) be authenticated: CatOS> (enable) set vtp [domain domain_name] [mode {client | server | transparent | off}] [passwd passwd][pruning {enable | disable}] [v2 {enable | disable}] IOS(config)#vtp password password-value PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 14 Potential VTP Attacks • Most VTP attacks fall into the “nuisance” category of attacks • DoS is possible by changing around the VLANs on multiple switches • Disabling VTP: CatOS> (enable) set vtp mode transparent | off IOS(config)#vtp mode transparent PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 15 Management Channels: VMPS • VLAN Membership Policy Server is used to assign a VLAN to a port based on: MAC address NT or Novell usernames (with URT) PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 16 VMPS Architecture VMPS TFTP server VMPS database VMPS Query client Reply AllAll VMPSVMPS traffic:traffic: ••clearclear texttext ••nonnon authenticationauthentication ••UDPUDP basedbased (spoofing(spoofing trivial)trivial) PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 17 Risks with VQP • DoS: preventing people to join the right VLAN • impersonation: joining a desirable but forbidden VLAN PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 18 Adding Security to VMPS Use an out of band management channel Note: MAC addresses can be forged... PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 19 Management Channels: CDP • Can be used to learn sensible information about the CDP sender (IP address, software version, …) • be sure to disable CDP on ALL non trunk ports CATALYST> set cdp disable all set cdp enable 1/1 PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 20 Agenda • security myths • management channels • VLAN isolation • known attacks • secure switch configuration PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 21 VLAN Isolation MYTH: VLAN a is completely isolated from VLAN b I.e. without layer 3 device, no station on one VLAN can send data to another station on another VLAN PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 22 Trunk Port Refresher Trunk Port • Trunk ports have access to all VLANs by default • Used to route traffic for multiple VLANs across the same physical link (generally used between switches) • Encapsulation can be 802.1Q or ISL PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 23 Dynamic Trunk Protocol (DTP) • What is DTP? Automates ISL/802.1Q trunk configuration Operates between switches Does not operate on routers Not supported on 2900XL or 3500XL • DTP synchronizes the trunking Dynamic mode on link ends Trunk Protocol • DTP prevents the need for management intervention on both sides • DTP state on ISL/1Q trunking port can be set to “Auto”, “On”, “Off”, “Desirable”, or “Non- Negotiate” PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 24 DTP Administrative States • Administrator configurable trunk states ON I want to be a trunk and I don’t care what you think! (Used when the other end does not understand DTP) OFF I don’t want to be a trunk and I don’t care what you think! (Used when the other end cannot do ISL or .1Q) Desirable I’m willing to become a VLAN trunk; are you interested? (Used when you are interested in being a trunk) Auto I’m willing to go with whatever you want! (This is the default on many switches!) Non-Negotiate I want to trunk, and this is what kind of trunk I will be! (Used when you want a specific type of trunk ISL or .1Q) PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 25 Basic VLAN Hopping Attack Trunk Port Trunk Port • A station can spoof as a switch with ISL or 802.1Q signaling (DTP signaling is usually required as well) • The station is then member of all VLANs • Requires a trunking favorable setting on the port (the SANS paper is three years old) http://www.sans.org/newlook/resources/IDFAQ/vlan.htm PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 26 Double Encapsulated 802.1Q VLAN Hopping Attack Strip off First, and Send 802.1q, 802.1q Back out Attacker 802.1q, Frame Frame Note: Only Works if Trunk Has the Same Native VLAN as the Attacker ( then the trunk will not append a new tag) Victim • Send double encapsulated 802.1Q frames • Switch performs only one level of decapsulation • Unidirectional traffic only • Works even if trunk ports are set to off PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 27 Disabling Auto-Trunking CatOS> (enable) set trunk <mod/port> off IOS(config-if)#switchport mode access • Defaults change depending on switch; always check: From the Cisco docs: “The default mode is dependent on the platform…” To check from the CLI: CatOS> (enable) show trunk [mod|mod/port] IOS(config-if)#show interface type number switchport PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 28 Security Best Practices for VLANs and Trunking • Always use a dedicated VLAN ID ( native VLAN) for all trunk ports that is not defined as an access port on the switch • Disable unused ports and put them in an unused VLAN • Be paranoid: Do not use VLAN 1 for anything • Set all user ports to non-trunking (DTP Off) PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 29 Agenda • security myths • management channels • VLAN isolation • known attacks • secure switch configuration PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 30 Spanning Tree Attacks PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 31 Spanning Tree • Purpose: To maintain loop-free topologies in a redundant Layer 2 infrastructure • Provides path recovery services • Hackers are just starting to play around with STP; the “dsniff” of STP attacks has yet to be released PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 32 Spanning Tree Basics A F F F F A Switch Is Root Elected as Root A ‘Tree-Like’ Loop-Free Topology Is Established F F B X F B Loop-Free Connectivity PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc.
Load more

Recommended publications
  • Implementing Cisco Cyber Security Operations
    2019 CLUS Implementing Cisco Cyber Security Operations Paul Ostrowski / Patrick Lao / James Risler Cisco Security Content Development Engineers LTRCRT-2222 2019 CLUS Cisco Webex Teams Questions? Use Cisco Webex Teams to chat with the speaker after the session How 1 Find this session in the Cisco Live Mobile App 2 Click “Join the Discussion” 3 Install Webex Teams or go directly to the team space 4 Enter messages/questions in the team space Webex Teams will be moderated cs.co/ciscolivebot#LTRCRT-2222 by the speaker until June 16, 2019. 2019 CLUS © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3 Agenda • Goals and Objectives • Prerequisite Knowledge & Skills (PKS) • Introduction to Security Onion • SECOPS Labs and Topologies • Access SECFND / SECOPS eLearning Lab Training Environment • Lab Evaluation • Cisco Cybersecurity Certification and Education Offerings 2019 CLUS LTRCRT-2222 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 4 Goals and Objectives: • Today's organizations are challenged with rapidly detecting cybersecurity breaches in order to effectively respond to security incidents. Cybersecurity provides the critical foundation organizations require to protect themselves, enable trust, move faster, add greater value and grow. • Teams of cybersecurity analysts within Security Operations Centers (SOC) keep a vigilant eye on network security monitoring systems designed to protect their organizations by detecting and responding to cybersecurity threats. • The goal of Cisco’s CCNA Cyber OPS (SECFND / SECOPS) courses is to teach the fundamental skills required to begin a career working as an associate/entry-level cybersecurity analyst within a threat centric security operations center. • This session will provide the student with an understanding of Security Onion as an open source network security monitoring tool (NSM).
    [Show full text]
  • Linux Networking Cookbook.Pdf
    Linux Networking Cookbook ™ Carla Schroder Beijing • Cambridge • Farnham • Köln • Paris • Sebastopol • Taipei • Tokyo Linux Networking Cookbook™ by Carla Schroder Copyright © 2008 O’Reilly Media, Inc. All rights reserved. Printed in the United States of America. Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472. O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (safari.oreilly.com). For more information, contact our corporate/institutional sales department: (800) 998-9938 or [email protected]. Editor: Mike Loukides Indexer: John Bickelhaupt Production Editor: Sumita Mukherji Cover Designer: Karen Montgomery Copyeditor: Derek Di Matteo Interior Designer: David Futato Proofreader: Sumita Mukherji Illustrator: Jessamyn Read Printing History: November 2007: First Edition. Nutshell Handbook, the Nutshell Handbook logo, and the O’Reilly logo are registered trademarks of O’Reilly Media, Inc. The Cookbook series designations, Linux Networking Cookbook, the image of a female blacksmith, and related trade dress are trademarks of O’Reilly Media, Inc. Java™ is a trademark of Sun Microsystems, Inc. .NET is a registered trademark of Microsoft Corporation. Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O’Reilly Media, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps. While every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.
    [Show full text]
  • Wireshark & Ethereal Network Protocol Analyzer
    377_Eth2e_FM.qxd 11/14/06 1:23 PM Page i Visit us at www.syngress.com Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our cus- tomers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site. SOLUTIONS WEB SITE To register your book, visit www.syngress.com/solutions. Once registered, you can access our [email protected] Web pages. There you may find an assortment of value-added features such as free e-books related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s). ULTIMATE CDs Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of exper- tise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few. DOWNLOADABLE E-BOOKS For readers who can’t wait for hard copy, we offer most of our titles in download- able Adobe PDF form. These e-books are often available weeks before hard copies, and are priced affordably. SYNGRESS OUTLET Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings. SITE LICENSING Syngress has a well-established program for site licensing our e-books onto servers in corporations, educational institutions, and large organizations.
    [Show full text]
  • Introducing Network Analysis
    377_Eth_2e_ch01.qxd 11/14/06 9:27 AM Page 1 Chapter 1 Introducing Network Analysis Solutions in this chapter: ■ What is Network Analysis and Sniffing? ■ Who Uses Network Analysis? ■ How Does it Work? ■ Detecting Sniffers ■ Protecting Against Sniffers ■ Network Analysis and Policy Summary Solutions Fast Track Frequently Asked Questions 1 377_Eth_2e_ch01.qxd 11/14/06 9:27 AM Page 2 2 Chapter 1 • Introducing Network Analysis Introduction “Why is the network slow?”“Why can’t I access my e-mail?”“Why can’t I get to the shared drive?”“Why is my computer acting strange?” If you are a systems administrator, network engineer, or security engineer you have heard these ques- tions countless times.Thus begins the tedious and sometimes painful journey of troubleshooting.You start by trying to replicate the problem from your computer, but you can’t connect to the local network or the Internet either. What should you do? Go to each of the servers and make sure they are up and functioning? Check that your router is functioning? Check each computer for a malfunctioning network card? Now consider this scenario.You go to your main network switch or border router and configure one of the unused ports for port mirroring.You plug in your laptop, fire up your network analyzer, and see thousands of Transmission Control Protocol (TCP) packets (destined for port 25) with various Internet Protocol (IP) addresses.You investigate and learn that there is a virus on the network that spreads through e-mail, and immediately apply access filters to block these packets from entering or exiting your network.Thankfully, you were able to contain the problem relatively quickly because of your knowledge and use of your network analyzer.
    [Show full text]
  • The Golden Age of Hacking
    The golden age of hacking Sniffing and spoofing Session hijacking Netcat DoS attacks Sniffing • A sniffer captures data via promiscuous mode • Useful for troubleshooting – Admin/root account is usually needed – Hub vs. switch • Island hopping attack • Passive vs. active sniffers – Tcpdump, Windump, ngrep – WireShark, Tshark – Sniffit, got ability to sniff sessions interactively – Dsniff - fragroute guy – Snort IDS - overkill for hacking – WinPcap: The Windows Packet Capture Library – Cain, Ettercap Passive OS fingerprinting • Every OS has its peculiarities regarding TCP stack etc. • P0f v2, identifies OS on: – Machines that connect to your box (SYN mode) – Machines you connect to (SYN+ACK mode) – Machine you cannot connect to (RST+ mode) – Machines whose communications you can observe – Firewall presence, NAT use (useful for policy enforcement) – Existence of a load balancer setup – The distance to the remote system and its uptime – Other guy's network hookup (DSL, optical/avian carriers) and his ISP – http://lcamtuf.coredump.cx/p0f.shtml • Tutorial - Passive OS Fingerprinting With P0f And Ettercap – http://www.irongeek.com/i.php?page=videos/passive-os-fingerprinting – Ettercap • http://ettercap.sourceforge.net/ • PVS (Passive Vulnerability Scanner) – Tenable Network Security (Nessus) ARP operation Jumbo Frames > 1500 • Ethernet frame • ARP packet Dsniff suite - foiling switches http://monkey.org/~dugsong/dsniff/ • Unix tools with good parsing capabilities for many clear-text protocols • MAC flooding switch attack – CAM (Content Addressable
    [Show full text]
  • Packet Sockets, BPF and Netsniff-NG
    Packet Sockets, BPF and Netsniff-NG (Brief intro into finding the needle in the network haystack.) Daniel Borkmann <[email protected]> Open Source Days, Copenhagen, March 9, 2013 D. Borkmann (Red Hat) packet mmap(2), bpf, netsniff-ng March 9, 2013 1 / 9 Motivation and Users of PF PACKET Useful to have raw access to network packet data in user space Analysis of network problems Debugging tool for network (protocol-)development Traffic monitoring, security auditing and more libpcap and all tools that use this library Used only for packet reception in user space tcpdump, Wireshark, nmap, Snort, Bro, Ettercap, EtherApe, dSniff, hping3, p0f, kismet, ngrep, aircrack-ng, and many many more netsniff-ng toolkit (later on in this talk) Suricata and other projects, also in the proprietary industry Thus, this concerns a huge user base that PF PACKET is serving! D. Borkmann (Red Hat) packet mmap(2), bpf, netsniff-ng March 9, 2013 2 / 9 Motivation and Users of PF PACKET Useful to have raw access to network packet data in user space Analysis of network problems Debugging tool for network (protocol-)development Traffic monitoring, security auditing and more libpcap and all tools that use this library Used only for packet reception in user space tcpdump, Wireshark, nmap, Snort, Bro, Ettercap, EtherApe, dSniff, hping3, p0f, kismet, ngrep, aircrack-ng, and many many more netsniff-ng toolkit (later on in this talk) Suricata and other projects, also in the proprietary industry Thus, this concerns a huge user base that PF PACKET is serving! D. Borkmann (Red Hat) packet mmap(2), bpf, netsniff-ng March 9, 2013 2 / 9 Features of PF PACKET Normally sendto(2), recvfrom(2) calls for each packet Buffer copies between address spaces, context switches How can this be further improved (PF PACKET features)?1 Zero-copy RX/TX ring buffer (“packet mmap(2)”) “Avoid obvious waste” principle Socket clustering (“packet fanout”) with e.g.
    [Show full text]
  • Real Time Interception and Filtering of Instant Messaging Protocols
    Real time interception and filtering of instant messaging protocols Warren Harrop1 Centre for Advanced Internet Architectures. Technical Report 030919A Swinburne University of Technology Melbourne, Australia [email protected] Abstract- Internet engineers must actively develop tools and Pkthisto [2] is a packet traffic analysis tool for the technologies to support safe, secure and trustworthy methods for study of on line game traffic, and is being used within Lawful Interception. This paper describes the development of CAIA's Game ENvironment Internet Utilisation Study MsgSifter, a multi-protocol, instant message interception utility (GENIUS) project. It has a real time packet sniffing based on the existing open source software package 'msgsnarf'. ability that could have been modified to recreate TCP Logging and certain protocol filtering changes were made to the sessions, and the MsgSifter code could have been built msgsnarf code. In addition, a Java based GUI was created to from this point. Two other programs, msn666 [3] and place an easy to use control and filtering layer over the command aimsniff [4], already do part of the desired task, sniffing line msgsnarf program. their respective protocols, msn and aim. Each of these 3 programs are quite good in their own right, but Keywords- Instant Messaging, Network Sniffing, Security, combining or extending upon their respective source Lawful Interception, MsgSifter, Dsniff code to produce the desired results of this project would not have been a trivial matter in the time given. I. INTRODUCTION Finally, the code that was expanded upon is Dr. Philip Branch's paper, 'Lawful Interception of the 'msgsnarf', part of the dsniff [5] package of programs.
    [Show full text]
  • Hacking Layer 2: Fun with Ethernet Switches Sean Convery, Cisco Systems [email protected]
    Hacking Layer 2: Fun with Ethernet Switches Sean Convery, Cisco Systems [email protected] l2-security-bh.ppt © 2002, Cisco Systems, Inc. All rights reserved. 1 Agenda ¥ Layer 2 Attack Landscape ¥ Specific Attacks and Countermeasures (Cisco and @Stake Testing)Ñhttp://www.atstake.com MAC Attacks VLAN ÒHoppingÓ Attacks ARP Attacks Spanning Tree Attacks Layer 2 Port Authentication Other Attacks ¥ Summary and Case Study l2-security-bh.ppt © 2002, Cisco Systems, Inc. All rights reserved. 2 Caveats ¥ All attacks and mitigation techniques assume a switched Ethernet network running IP If shared Ethernet access is used (WLAN, Hub, etc.) most of these attacks get much easier If you arenÕt using Ethernet as your L2 protocol, some of these attacks may not work, but you may be vulnerable to different ones J ¥ Attacks in the ÒtheoreticalÓ category can move to the practical in a matter of days ¥ All testing was done on Cisco equipment, Ethernet switch attack resilience varies widely from vendor to vendor ¥ This is not a comprehensive talk on configuring Ethernet switches for security; the focus is on L2 attacks and their mitigation l2-security-bh.ppt © 2002, Cisco Systems, Inc. All rights reserved. 3 Why Worry about Layer 2 Security? OSI Was Built to Allow Different Layers to Work without Knowledge of Each Other Host A Host B Application Stream Application Application Presentation Presentation Session Session Transport Protocols/Ports Transport Network IPIP AddressesAddresses Network MAC Addresses Data Link Data Link Physical Links Physical Physical l2-security-bh.ppt
    [Show full text]
  • Linux Security Cookbook
    Linux Security Cookbook Authors : Daniel J. Barrett, Robert G. Byrnes, Richard Silverman Publisher : O'Reilly Pub Date : June 2003 ISBN : 0-596-00391-9 Table of Contents Preface A Cookbook About Security?!? Intended Audience Roadmap of the Book Our Security Philosophy Supported Linux Distributions Trying the Recipes Conventions Used in This Book We'd Like to Hear from You Acknowledgments Chapter 1. System Snapshots with Tripwire Recipe 1.1. Setting Up Tripwire Recipe 1.2. Displaying the Policy and Configuration Recipe 1.3. Modifying the Policy and Configuration Recipe 1.4. Basic Integrity Checking Recipe 1.5. Read-Only Integrity Checking Recipe 1.6. Remote Integrity Checking Recipe 1.7. Ultra-Paranoid Integrity Checking Recipe 1.8. Expensive, Ultra-Paranoid Security Checking Recipe 1.9. Automated Integrity Checking Recipe 1.10. Printing the Latest Tripwire Report Recipe 1.11. Updating the Database Recipe 1.12. Adding Files to the Database Recipe 1.13. Excluding Files from the Database Recipe 1.14. Checking Windows VFAT Filesystems Recipe 1.15. Verifying RPM-Installed Files Recipe 1.16. Integrity Checking with rsync Recipe 1.17. Integrity Checking Manually Chapter 2. Firewalls with iptables and ipchains Recipe 2.1. Enabling Source Address Verification Recipe 2.2. Blocking Spoofed Addresses Recipe 2.3. Blocking All Network Traffic Recipe 2.4. Blocking Incoming Traffic Recipe 2.5. Blocking Outgoing Traffic Recipe 2.6. Blocking Incoming Service Requests Recipe 2.7. Blocking Access from a Remote Host Recipe 2.8. Blocking Access to a Remote Host Recipe 2.9. Blocking Outgoing Access to All Web Servers on a Network Recipe 2.10.
    [Show full text]
  • TPS Quickstart - Sniffing Switched Networks with Dsniff (V1.0) Chris Vicious Œ [email protected]
    TPS Quickstart - Sniffing switched networks with Dsniff (v1.0) Chris Vicious œ [email protected] Abstract: Dsniff is an advanced suite of utilities which are commonly used for network and penetration testing. This document is intended as a Quickstart guide to implementing a common Man-in-the-Middle (MitM) attack using Dsniff and MAC address spoofing. Before experimenting, please make sure that you are authorized to utilize these techniques on the network that you're testing. For additional warnings and information, please refer to the Dsniff FAQ below. Background: To understand how or why Dsniff works in the manner in which it does, it is helpful to have a little background information with regard to shared and switched network topologies. In a shared network topology (e.g. using a simple hub), Ethernet frames are broadcast to every host on the local segment. Under normal circumstances, the frames are processed only by the host for which the traffic is destined. With this type of network, one may œ assuming root access and a NIC that permits promiscuous mode œ easily deploy a sniffer to any host on the segment in order to capture data. In a switched network topology, Ethernet frames are sent only to the host for which the data is destined œ which has historically been a relatively successful defense against rudimentary sniffing attacks. The destination host is signified within the Ethernet frame by the MAC address œ a "unique" hardware address for each NIC attached to the network. Tools Used: TPS Linux • Fragrouter • Dsniff (Dsniff) • ailsnarf (Dsniff) • Arpspoof (Dsniff) Step 1 - Fragrouter: One of the most common errors in attempting to sniff a switched network is when the attacker fails to enable IP forwarding.
    [Show full text]
  • Cisco Router Security Solutions
    Cisco Router Security Solutions Technical Overview STG-Router-Security © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1 Cisco Router Security Portfolio Service Integration 3800 Series Scaled to Fit Every Size Branch Office 3200 Series 2800 Series High Density and Performance for 1800 Series Concurrent Services Rugged and 800 Series Mobile Applications Embedded, Advanced Voice, Video, Data, and Security Services Performance and Services Density Services and Performance Embedded Wireless, Security, and Data Small Office and Medium Mobile/Rugged Medium to Teleworker Small Branch Branch Branch Large Branch STG-Router-Security © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 2 Only Cisco Router Security Delivers All This Secure Network Solutions Business Secure Secure Compliance Continuity Voice Mobility Integrated Threat Management 011111101010101 Advanced Content Intrusion Flexible Network Network 802.1x Firewall Filtering Prevention Packet Admission Foundation Matching Control Protection Secure Connectivity Management and Instrumentation Role-Based CCP NetFlow IP SLA GET VPN DMVPN Easy VPN SSL VPN Access STG-Router-Security © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 3 Cisco Router Security Certifications FIPS Common Criteria 140-2, Firewall IPSec (EAL4) Level 2 (EAL4) Cisco® 870 ISR Cisco 1800 ISR Cisco 2800 ISR Cisco 3800 ISR Cisco 7200 VAM2+ Cisco 7200 VSA --- Cisco 7301 VAM2+ Cisco 7600 IPSec VPN SPA --- Catalyst 6500 IPSec VPN SPA --- Cisco 7600 cisco.com/go/securitycert STG-Router-Security © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 4 Cisco Router Security Leadership in Innovation Industry First Cisco Integrated Services Router Innovations in Security . Industry-leading integration of VPN, routing, and QoS: DMVPN, GET VPN, SSL VPN, and Easy VPN .
    [Show full text]
  • Traffic Analysis with Wireshark
    TRAFFIC ANALYSIS WITH WIRESHARK INTECO-CERT February 2011 Author: Borja Merino Febrero The National Communications Technology Institute ( Instituto Nacional de Tecnologías de la Comunicación - INTECO ) recognises and is grateful to the following collaborators for their support in preparing this report. Manuel Belda, from the regional government of Valencia's Computer Security Incident Response Team (CSIRT-cv) and Eduardo Carozo Blumsztein from the ANTEL CSIRT of Uruguay. This publication is the property of the National Communications Technology Institute (INTECO) and is governed by the Spanish Creative Commons Non-commercial Recognition License 3.0. Therefore, copying, distributing, and publicly communicating this work is permitted only under the following circumstances: Recognition: The content of this report may be reproduced by third parties, in whole or in part, specifying its source and expressly referring to both INTECO and its website: http://www.inteco.es . Said recognition may not, under any circumstance, imply that INTECO supports these third parties or supports the use of this work. Non-commercial Use: The original material and the resulting work may be distributed, copied and shown provided that it is not used for commercial purposes. When the work is reused or distributed, its license terms must be made very clear. Some of these conditions may be not be applicable if the copyright license is not obtained from INTECO. Nothing in this license impairs or restricts INTECO's moral rights. http://creativecommons.org/licenses/by-nc-sa/3.0/es/ This document complies with the accessibility conditions for PDF (Portable Document Format). It is a structured and labeled document, with alternatives to all non-textual elements, language mark-up and suitable reading order.
    [Show full text]