Archive for July, 2009

21 Jul 09

Basic Steps to secure your Cisco Switch


VLAN Hopping (Rogue Trunk)
Disable trunking on ports (eg. gigabitethernet 0/1) that do not require trunking:
Switch(config)#interface gigabitethernet 0/1
Switch(config-if)#switchport mode access

Disable DTP (Dynamic Trunking Protocol) on ports that do require trunking, so the trunk is fixed rather than negotiated:
Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport nonegotiate

—————————————————————————————————

VLAN Hopping (Double-Tagging)
Change the native VLAN of the trunk to an unused VLAN:
Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# switchport trunk native vlan 400 <– VLAN 400 is not used by anyone
—————————————————————————————————

STP Manipulation Attack
Enable PortFast globally for non-trunking ports (non-trunking ports here means the ports that do not connect to other switches):
Switch(config)#spanning-tree portfast default

Turn on PortFast mode on a selected interface (eg. gigabitethernet 0/1):
Switch(config)#interface gigabitethernet 0/1
Switch(config-if)#spanning-tree portfast

Enable BPDU Guard globally on all PortFast ports. When one of these ports receives a BPDU frame (BPDUs are used to elect the STP root switch), the frame is ignored and dropped.
Switch(config)#spanning-tree portfast bpduguard default

Enable Root Guard on a selected port (eg. gigabitethernet 0/1). The port stops passing traffic when it receives a BPDU that is superior to the current root, and starts passing traffic again once the superior BPDUs cease.
Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# spanning-tree guard root
—————————————————————————————————

CAM Table Overflow
Enable port security (this only works on non-trunking ports, aka access ports):
Switch(config)#interface gigabitethernet 0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security violation [protect|restrict|shutdown]

In the previous example, that port will learn only 132 MAC addresses; any further MAC address triggers a violation. The violation actions are:
protect: the new MAC address is ignored and not inserted into the CAM table.
restrict (default): the switch ignores the new MAC address and sends an SNMP trap or syslog message to the corresponding servers.
shutdown: the new MAC address is ignored and the port is shut down until it is manually re-enabled.

Instead of remembering 132 MAC addresses, we can set the maximum number of MAC addresses to be learned (eg. at most 50 addresses are allowed to be learned):
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 50
Switch(config-if)# switchport port-security violation [protect|restrict|shutdown]

If we want the port to remember 1 MAC address only, there are 2 ways (dynamic and static):
Dynamic (the first MAC address seen is learned and kept as a sticky entry)
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security violation [protect|restrict|shutdown]

Static (the allowed MAC address is configured by hand)
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security mac-address 1234.1234.1234
Switch(config-if)# switchport port-security violation [protect|restrict|shutdown]

Configure MAC address aging in the CAM table
Scenario: age out a MAC address that has been inactive for 100 minutes
Switch(config-if)# switchport port-security aging time 100
Switch(config-if)# switchport port-security aging type inactivity

Scenario: age out a MAC address after 100 minutes, no matter what
Switch(config-if)# switchport port-security aging time 100
Switch(config-if)# switchport port-security aging type absolute

Check port-security status
Switch#show port-security
—————————————————————————————

Create SPAN port
Replicate all traffic on a port (eg. gigabitethernet 0/1) to another port (eg. gigabitethernet 0/2) for analysis (normally for an IDS/IPS). The monitor session is configured in global configuration mode, not under the interface:
Switch(config)# monitor session 1 source interface gigabitethernet 0/1
Switch(config)# monitor session 1 destination interface gigabitethernet 0/2 encapsulation replicate
—————————————————————————————————

Storm-Control
Storm control limits 3 types of traffic: unicast, multicast and broadcast.
Scenario: shut down the port (eg. gigabitethernet 0/1) if:
a) unicast traffic is more than 99% of the bandwidth
b) multicast traffic reaches 50 Mbps
c) broadcast traffic reaches 3000 packets per second

Switch(config)# interface gigabitethernet 0/1
Switch(config-if)#storm-control unicast level 99
Switch(config-if)#storm-control multicast level bps 50m
Switch(config-if)#storm-control broadcast level pps 3k
Switch(config-if)#storm-control action shutdown

*The three threshold units (percentage, bps, pps) can be used for any of unicast, multicast and broadcast.

A second, optional value sets the falling threshold. See this example:
Switch(config-if)#storm-control unicast level bps 50m 30m
Switch(config-if)#storm-control action trap

Meaning: the switch sends an SNMP trap and a syslog message once unicast traffic reaches 50 Mbps (the rising threshold), and it stops sending them only when unicast traffic falls below 30 Mbps (the falling threshold).

———————————————————————————————
Switch Security Best Practices

  1. Secure management: use SSH, a dedicated management VLAN, out-of-band management, etc.
  2. Native VLAN: use a dedicated VLAN for trunk ports and avoid VLAN 1 altogether.
  3. User ports: configure them as non-trunking ports.
  4. Port-security: limit the number of MAC addresses learned on non-trunking ports.
  5. SNMP: limit it to the management VLAN if possible and treat the community string as a superuser password.
  6. STP: use BPDU Guard and Root Guard.
  7. CDP (Cisco Discovery Protocol): use it only where necessary; CDP provides a great deal of information about the device.
  8. Unused ports: disable them and put them in an unused VLAN for extra security.
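As an added example that is not part of the original post: a small Python audit that reads a Cisco IOS running-config and flags ports that miss the VLAN hopping (rogue trunk and double-tagging) and port-security steps above. The sample config and interface names are constructed for the example; the checks are string matches on the exact commands shown in this post.

```python
# Constructed sample running-config (not from the original post):
# Gi0/1 and Gi0/2 follow the steps above, Gi0/3 and Gi0/4 do not.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 400
 switchport nonegotiate
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
 spanning-tree portfast
interface GigabitEthernet0/3
 switchport mode trunk
interface GigabitEthernet0/4
 switchport mode dynamic desirable
"""

def parse_interfaces(config):
    # Map each 'interface' stanza to its indented configuration lines.
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces

def audit(config):
    # Return {interface: [findings]} for ports missing one of the steps above.
    findings = {}
    for name, lines in parse_interfaces(config).items():
        issues = []
        if "switchport mode trunk" in lines:
            if "switchport nonegotiate" not in lines:
                issues.append("DTP still enabled on trunk (rogue-trunk negotiation)")
            native = [l for l in lines if l.startswith("switchport trunk native vlan ")]
            if not native or native[0].split()[-1] == "1":
                issues.append("native VLAN left at 1 (double-tagging)")
        elif "switchport mode access" in lines:
            if "switchport port-security" not in lines:
                issues.append("no port-security on access port (CAM overflow)")
        else:
            issues.append("port mode not pinned; DTP may negotiate a trunk")
        if issues:
            findings[name] = issues
    return findings
```

Run it against the output of show running-config to get a per-port list of the hardening steps still missing.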
05 Jul 09

Change Windows RDP port


By default, Windows listens on port 3389 for RDP (Remote Desktop Protocol), hence it has become a favourite target for attackers.

To change the port number, just go to windows registry:

Start -> Run -> regedit

Under the key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp, edit the PortNumber value.

Change the port from 3389 to the number you prefer.

Reference:
How to change the listening port for Remote Desktop