Friday, July 27, 2007

Basic Cisco Switches Auditing Guidelines

1. Always use VLANs to segment the network and limit broadcast traffic. Remember that VLAN 1 is the admin VLAN used for administrative purposes, and that every port sits in VLAN 1 by default; keep user and unused ports out of VLAN 1 so that an attacker who plugs into an unused port cannot communicate with the rest of the network.

2. Avoid auto-trunking mode. Dynamic Trunking Protocol (DTP) negotiation enables VLAN-hopping attacks, in which an attacker who negotiates a trunk can communicate with several VLANs. Set the native VLAN on trunk interfaces to a VLAN other than VLAN 1.

3. Make sure Spanning Tree Protocol (STP) is protected from attacks. Enable PortFast, BPDU filter, BPDU guard and root guard on the switches.

4. Disable all unused ports on the switch so that an attacker cannot plug into an unused port and communicate with the rest of the network.

5. Turn off VLAN Trunking Protocol (VTP) if it is not in use. If it is required, run VTP with a password configured.

6. Review the network or configuration and set thresholds that limit multicast and broadcast traffic on switch ports.

The Hacka Man

4 comments:

Anonymous said...

set port-security to 1 static and 1 dynamic per-port unless hubs must absolutely be used (and still restrict those to a reasonable number, such as 5 dynamic). prevents macof.

turn cdp off on everything. you can always use l2trace instead. i rarely have found cdp to be useful, except in cases where i wanted to identify my upstream ISP's equipment (i've also used packet-over-sonet for this). if you're smart, you won't allow this sort of footprinting, let alone expose another unnecessary protocol.

if you use dhcp, consider dhcp snooping or dynamic arp inspection. there are attacks against dhcp, so it may be best to use static ip addresses for everything using scripts for configuration instead.

vrrp and hsrp are vulnerable to gateway takeovers. if your layer-3 switch or router providing these services does not support native encryption of the passwords (they can be sniffed), then encrypt hsrp/glbp traffic with ipsec.

if your hsrp/glbp speaking switch/router also does not support ipsec, then use the highest ip addresses on the subnet for the virtual and logical standby ip's. for example - in a /24 cidr block network - .254 is the virtual, .253 is the primary router and .252 is the secondary router. ensure that all standby priorities are set to 255.

also on the router-side it is important to set your ospf/eigrp/isis areas to be passive for switch ports, so as to not send routing protocol traffic into the switched network. additionally, you'll want to protect them with authentication and possibly even specify all neighbor relationships explicitly.

finally - test your infrastructure with at least the yersinia and phenoelit tools.

additionally - you may want to look into qos security and voice security if you implement any of those in your network.
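To turn the six guidelines in the post and the port-security, CDP and DHCP-snooping points in the comment above into a repeatable check, here is an added example audit script (not code from the post or from the commenter) that parses an IOS-style running-config and reports which rules fail. `parse_config`, `audit`, the two sample configurations and the rule set are my assumptions, simplified from real IOS syntax; the weak sample is constructed to trip every rule and the hardened sample to pass them all.

```python
"""Audit an IOS-style switch running-config against the checklist above.
Added example (not the post's or commenter's code); parse_config, audit and
the rule set are simplifying assumptions: real IOS syntax has more variants,
and the root-guard rule assumes trunks face downstream switches."""

# Constructed sample: a weak configuration that trips every rule.
WEAK_CONFIG = """\
vtp mode server
interface FastEthernet0/1
 switchport mode dynamic desirable
interface FastEthernet0/2
 switchport mode access
 spanning-tree portfast
interface FastEthernet0/3
"""

# Constructed sample: the same switch with the guidelines applied.
HARDENED_CONFIG = """\
vtp mode transparent
no cdp run
ip dhcp snooping
spanning-tree portfast bpduguard default
interface FastEthernet0/1
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 spanning-tree guard root
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security maximum 2
 storm-control broadcast level 10
 storm-control multicast level 10
 spanning-tree portfast
interface FastEthernet0/3
 shutdown
"""

def parse_config(text):
    """Split a running-config into global lines and per-interface lines."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            if line and line != "!":
                global_lines.append(line)
    return global_lines, interfaces

def _has(lines, prefix):
    return any(line.startswith(prefix) for line in lines)

def _value(lines, prefix, default):
    # Last word of the first line starting with prefix, else default.
    return next((l.split()[-1] for l in lines if l.startswith(prefix)), default)

def audit(text):
    """Return (scope, finding) tuples; an empty list means every rule passed."""
    glob, ifaces = parse_config(text)
    findings = []
    # Global rules: post items 3 and 5, plus the commenter's CDP and DHCP points.
    if not _has(glob, "spanning-tree portfast bpduguard default"):
        findings.append(("global", "BPDU guard not enabled by default on PortFast ports"))
    if not (_has(glob, "vtp mode transparent") or _has(glob, "vtp mode off")) \
            and not _has(glob, "vtp password"):
        findings.append(("global", "VTP active without a password"))
    if not _has(glob, "no cdp run"):
        findings.append(("global", "CDP is running"))
    if not _has(glob, "ip dhcp snooping"):
        findings.append(("global", "DHCP snooping not enabled"))
    for name, lines in ifaces.items():
        if _has(lines, "shutdown"):
            continue  # item 4: a disabled port needs no further checks
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        if mode == "trunk":  # item 2, plus root guard from item 3
            if not _has(lines, "switchport nonegotiate"):
                findings.append((name, "trunk still negotiates DTP"))
            if _value(lines, "switchport trunk native vlan ", "1") == "1":
                findings.append((name, "native VLAN is 1"))
            if not _has(lines, "spanning-tree guard root"):
                findings.append((name, "root guard missing on trunk"))
        elif mode == "access":  # items 1 and 6, plus the commenter's port-security
            if _value(lines, "switchport access vlan ", "1") == "1":
                findings.append((name, "access port in VLAN 1"))
            if not _has(lines, "switchport port-security"):
                findings.append((name, "port-security not configured"))
            for kind in ("broadcast", "multicast"):
                if not _has(lines, f"storm-control {kind} level"):
                    findings.append((name, f"no {kind} storm-control threshold"))
        else:  # items 2 and 4: DTP dynamic/auto mode, or an unconfigured live port
            findings.append((name, "DTP-negotiated or unconfigured port is not shut down"))
    return findings
```

`audit(HARDENED_CONFIG)` returns an empty list, while the weak sample yields ten findings (four global, one for the DTP-negotiated port, four for the access port in VLAN 1, and one for the unconfigured port that was never shut down). Pointing `audit` at a saved `show running-config` gives a first-pass list of leads for manual review rather than a verdict, since the rules deliberately ignore platform-specific syntax.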

Anonymous said...

That is a good writeup ntp, as always you are the expert in this area too. These are just the basics, of course; there is more than what I had written.

Hackathology

Anonymous said...

Hmm.. it appears like your website didn't update my first comment (it was extremely long) so I will just sum up what I submitted and say, I'm thoroughly enjoying your blog.
I am also a newbie writer but I am still new to the whole thing.
Do you have any tips for newbie blog writers? I'd really appreciate it.

Here is my website - How to Golf
My site > how to golf

Anonymous said...

It's very easy to find out any topic on the web as compared to textbooks, as I found this post at this website.

Here is my page cityville cash tool