Friday, July 27, 2007

Basic Cisco Switches Auditing Guidelines

1. Always use VLANs to create separate collision domains and limit broadcast traffic. Remember that VLAN 1 is the default administrative VLAN used for management purposes; avoid placing user ports in VLAN 1 so that an attacker who plugs into an unused port cannot communicate with the rest of the network.

2. Avoid using auto-trunking mode. Dynamic Trunking Protocol (DTP) enables VLAN-hopping attacks, in which an attacker can communicate with hosts in several VLANs. Assign trunk interfaces a native VLAN other than VLAN 1.

3. Make sure Spanning Tree Protocol is protected against attacks. Enable PortFast, BPDU filter, BPDU guard, and root guard on the switches.

4. Disable all unused ports on the switch so that an attacker cannot plug into one and communicate with the rest of the network.

5. Turn off VLAN Trunking Protocol (VTP) if it is not in use. If it is required, VTP should be used with a password enabled.

6. Review the network configuration and set thresholds that limit multicast and broadcast traffic on switch ports.
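The guidelines above describe what an auditor looks for in a switch configuration. The following script is an added example (not part of the original post) that parses IOS-style "show running-config" text and reports ports that violate guidelines 1, 2, 3, 4 and 6; the sample configuration is constructed, and guideline 5 is left to a manual check with "show vtp status" because the VTP password is not shown in the running configuration.

```python
# Constructed sample of "show running-config" output, not from any real device.
SAMPLE_CONFIG = """interface GigabitEthernet0/1
 switchport mode dynamic desirable
interface GigabitEthernet0/2
 switchport trunk native vlan 1
 switchport mode trunk
interface GigabitEthernet0/3
 switchport access vlan 10
 switchport mode access
 spanning-tree bpduguard enable
 storm-control broadcast level 10.00
"""

def parse_config(text):
    """Map None -> global config lines, interface name -> that interface's lines."""
    blocks, cur = {None: []}, None
    for line in (l.strip() for l in text.splitlines()):
        if line == "!":  # a bare "!" ends the current block in IOS output
            cur = None
        elif line.startswith("interface "):
            cur = line.split(" ", 1)[1]
            blocks[cur] = []
        elif line:
            blocks[cur].append(line)
    return blocks

def last_token(lines, prefix, default):
    hits = [l.split()[-1] for l in lines if l.startswith(prefix)]  # e.g. a VLAN id
    return hits[-1] if hits else default

def audit(text):
    """Return (interface, finding) pairs; each finding names the guideline it checks."""
    found = []
    for name, lines in parse_config(text).items():
        if name is None or "shutdown" in lines:
            continue  # global block, or a disabled port (guideline 4) needing no further checks
        trunk = "switchport mode trunk" in lines
        if not trunk and "switchport mode access" not in lines:
            found.append((name, "2: DTP negotiation possible; set a static port mode"))
        if trunk:
            if last_token(lines, "switchport trunk native vlan", "1") == "1":
                found.append((name, "2: trunk native VLAN is 1"))
            continue
        if last_token(lines, "switchport access vlan", "1") == "1":
            found.append((name, "1: access port left in VLAN 1"))
        if "spanning-tree bpduguard enable" not in lines:
            found.append((name, "3: BPDU guard not enabled"))
        if not any(l.startswith("storm-control") for l in lines):
            found.append((name, "6: no storm-control threshold"))
    return found
```

A port with no "switchport mode" line at all is also flagged under guideline 2, since such a port is left to negotiate trunking via DTP.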

The Hacka Man

6 comments:

ntp said...

set port-security to 1 static and 1 dynamic per-port unless hubs must absolutely be used (and still restrict those to a reasonable number, such as 5 dynamic). prevents macof.

turn cdp off on everything. you can always use l2trace instead. i rarely have found cdp to be useful, except in cases where i wanted to identify my upstream ISP's equipment (i've also used packet-over-sonet for this). if you're smart, you won't allow this sort of footprinting, let alone expose another unnecessary protocol.

if you use dhcp, consider dhcp snooping or dynamic arp inspection. there are attacks against dhcp, so it may be best to use static ip addresses for everything using scripts for configuration instead.

vrrp and hsrp are vulnerable to gateway takeovers. if your layer-3 switch or router providing these services does not support native encryption of the passwords (they can be sniffed), then encrypt hsrp/glbp traffic with ipsec.

if your hsrp/glbp speaking switch/router also does not support ipsec, then use the highest ip addresses on the subnet for the virtual and logical standby ip's. for example - in a /24 cidr block network - .254 is the virtual, .253 is the primary router and .252 is the secondary router. ensure that all standby priorities are set to 255.

also on the router-side it is important to set your ospf/eigrp/isis areas to be passive for switch ports, so as to not send routing protocol traffic into the switched network. additionally, you'll want to protect them with authentication and possibly even specify all neighbor relationships explicitly.

finally - test your infrastructure with at least the yersinia and phenoelit tools.

additionally - you may want to look into qos security and voice security if you implement any of those in your network.

Anonymous said...

That is a good writeup ntp; as always, you are the expert in this area too. These are just the basics, of course; there is more than what I had written.

Hackathology