Selected Network Security Technologies


Petr Grygárek

Agenda:
- Security in switched networks
- Control Plane Policing

Security in Switched Networks

Switch Port Security
- Static MAC addresses assigned to ports; configurable violation actions when a frame from an unexpected MAC address arrives
- Limited number of MAC addresses learned per port
- Broadcast/multicast storm control
- Disable/re-enable limits (hysteresis)

DHCP Snooping
- Protects against unauthorized DHCP servers
  - intentional attacks (man-in-the-middle: a rogue server hands out a malicious default gateway or DNS server)
  - plug-and-play devices with a built-in DHCP server
- Trusted and untrusted ports: DHCP server messages (Offer/Ack/Nak) are accepted only on trusted ports
- Per-VLAN configuration
- Creates the DHCP binding table (MAC, IP, VLAN, port, lease time) used by Dynamic ARP Inspection

DHCP Snooping Additional Features
- Rate limiting of DHCP requests on untrusted ports
  - protects against exhaustion of the DHCP pool (DHCP starvation)
- DHCP option 82 (relay agent information)
  - the switch inserts its MAC address and the client port into the forwarded DHCP request
  - the DHCP Offer, which would otherwise be flooded as a broadcast, is forwarded only out of the recorded client port

Related Protection Mechanisms
- Additional protection mechanisms may utilize the binding table
- Dynamic ARP Inspection
  - filtering of fake ARP replies
  - filtering of ARP requests with invalid sender IP/MAC bindings
  - filtering of ARP replies whose sender MAC address does not match the Ethernet source address
- IP Source Guard: verification of source IP + MAC + port against the binding table
- Static entries may be inserted into the binding table
  - servers with static IP addresses etc.
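The two slides above, as an added example that is not part of the original lecture: a small Python model of a switch that builds the DHCP snooping binding table from client requests and the server's ACK, accepts server messages only on trusted ports, verifies the client hardware address against the Ethernet source, and then uses the table for Dynamic ARP Inspection and IP Source Guard. Port names, VLAN number, MAC and IP addresses are constructed test data, and which fields each check compares follows the slides rather than any particular vendor's implementation.

```python
"""Added example (not from the original slides): DHCP snooping binding table
feeding Dynamic ARP Inspection and IP Source Guard. All packets below are
constructed dictionaries; port names, VLAN and addresses are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # ports facing the real DHCP server
        self.bindings = {}                  # (vlan, mac) -> Binding
        self.pending = {}                   # (vlan, mac) -> access port of an in-flight request
        self.drops = []                     # (reason, packet): what a real switch would log

    def _drop(self, reason, pkt):
        self.drops.append((reason, pkt))
        return False

    def add_static_binding(self, mac, ip, vlan, port):
        """Static entry, e.g. a server with a fixed address that never uses DHCP."""
        self.bindings[(vlan, mac.lower())] = Binding(mac.lower(), ip, vlan, port)

    def dhcp(self, pkt):
        """DHCP snooping. pkt keys: port, vlan, eth_src, op, chaddr, yiaddr (server messages only)."""
        key = (pkt["vlan"], pkt["chaddr"].lower())
        if pkt["op"] in ("OFFER", "ACK", "NAK"):
            if pkt["port"] not in self.trusted:
                return self._drop("dhcp-server-message-on-untrusted-port", pkt)
            if pkt["op"] == "ACK" and key in self.pending:
                self.bindings[key] = Binding(key[1], pkt["yiaddr"], pkt["vlan"], self.pending.pop(key))
            return True
        # Client message: on untrusted ports the DHCP client hardware address must
        # match the Ethernet source, which blocks pool exhaustion with forged chaddr.
        if pkt["port"] not in self.trusted and pkt["eth_src"].lower() != key[1]:
            return self._drop("dhcp-chaddr-mismatch", pkt)
        self.pending[key] = pkt["port"]
        return True

    def arp(self, pkt):
        """Dynamic ARP Inspection. pkt keys: port, vlan, eth_src, sha, spa."""
        if pkt["port"] in self.trusted:
            return True
        sha = pkt["sha"].lower()
        if pkt["eth_src"].lower() != sha:
            return self._drop("arp-sender-mac-differs-from-ethernet-source", pkt)
        b = self.bindings.get((pkt["vlan"], sha))
        if b is None or b.ip != pkt["spa"]:
            return self._drop("arp-invalid-ip-mac-binding", pkt)
        return True

    def ip(self, pkt):
        """IP Source Guard. pkt keys: port, vlan, eth_src, src_ip."""
        if pkt["port"] in self.trusted:
            return True
        b = self.bindings.get((pkt["vlan"], pkt["eth_src"].lower()))
        if b is None or b.ip != pkt["src_ip"] or b.port != pkt["port"]:
            return self._drop("ipsg-no-matching-binding", pkt)
        return True


def demo():
    """Constructed scenario: victim on Gi1/0/1, attacker on Gi1/0/7, uplink Gi1/0/24."""
    sw = SnoopingSwitch(trusted_ports={"Gi1/0/24"})
    victim, attacker, server = "00:11:22:33:44:55", "de:ad:be:ef:00:01", "00:aa:bb:cc:dd:ee"
    sw.add_static_binding("00:50:56:00:00:10", "10.0.10.2", 10, "Gi1/0/2")   # static server
    # Legitimate lease: REQUEST from the victim, ACK from the real server through the uplink.
    sw.dhcp({"port": "Gi1/0/1", "vlan": 10, "eth_src": victim, "op": "REQUEST", "chaddr": victim})
    sw.dhcp({"port": "Gi1/0/24", "vlan": 10, "eth_src": server, "op": "ACK", "chaddr": victim, "yiaddr": "10.0.10.50"})
    results = {
        # DHCP starvation attempt: forged chaddr behind the attacker's real source MAC.
        "forged_chaddr": sw.dhcp({"port": "Gi1/0/7", "vlan": 10, "eth_src": attacker, "op": "DISCOVER", "chaddr": "02:00:00:00:00:01"}),
        # Rogue DHCP server on an access port.
        "rogue_offer": sw.dhcp({"port": "Gi1/0/7", "vlan": 10, "eth_src": attacker, "op": "OFFER", "chaddr": victim, "yiaddr": "10.0.10.99"}),
        # ARP spoofing: attacker claims the victim's IP.
        "spoofed_arp": sw.arp({"port": "Gi1/0/7", "vlan": 10, "eth_src": attacker, "sha": attacker, "spa": "10.0.10.50"}),
        "valid_arp": sw.arp({"port": "Gi1/0/1", "vlan": 10, "eth_src": victim, "sha": victim, "spa": "10.0.10.50"}),
        "static_server_arp": sw.arp({"port": "Gi1/0/2", "vlan": 10, "eth_src": "00:50:56:00:00:10", "sha": "00:50:56:00:00:10", "spa": "10.0.10.2"}),
        # IP spoofing of the victim's address, with the attacker's MAC and with a cloned victim MAC.
        "spoofed_ip": sw.ip({"port": "Gi1/0/7", "vlan": 10, "eth_src": attacker, "src_ip": "10.0.10.50"}),
        "cloned_mac_wrong_port": sw.ip({"port": "Gi1/0/7", "vlan": 10, "eth_src": victim, "src_ip": "10.0.10.50"}),
        "valid_ip": sw.ip({"port": "Gi1/0/1", "vlan": 10, "eth_src": victim, "src_ip": "10.0.10.50"}),
    }
    return sw, results
```

Run `demo()` and inspect `sw.drops`: every spoofing attempt ends up there with its reason, while the victim's own DHCP, ARP and IP traffic and the statically bound server pass. The port check in `ip()` is what catches a cloned MAC on the wrong access port, which the DAI lookup alone would not.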

Private VLANs and Protected Ports
- Protected ports: communication is disallowed between ports configured as protected (they can only talk to unprotected ports)
- Private VLANs
  - primary VLAN and secondary VLANs
  - secondary VLANs: community VLANs (members talk to each other and to the promiscuous port) and an isolated VLAN (members talk only to the promiscuous port)
  - promiscuous port (typically the uplink or gateway), which can communicate with all secondary VLANs

802.1x Authentication

What is 802.1x?
- Port-based network access control: a port forwards user traffic only after the attached device has authenticated
- Secures office network outlets and publicly accessible places where anyone can plug in a device
- Authorized and unauthorized port states
- Operates on L2
- Utilizes EAP and various authentication methods
- Client-to-network or mutual authentication
- Authentication using user passwords or certificates (PKI)

802.1x Architecture Components
- Supplicant: PC OS component, or a subordinate switch attached to the port
- Authenticator: 802.1x-enabled switch or access point
- Authentication server: reached via the RADIUS protocol

802.1x Operation (1)
- The authenticator acts as a proxy between the supplicant and the authentication server: it bridges between EAPOL and RADIUS encapsulations
- The authenticator reacts to RADIUS reply messages (Access-Accept/Access-Reject) and allows or disallows the client's access to the network
- Single-host mode: a single authenticated client per port; traffic from other MAC addresses is dropped
- Multiple-host mode: after any one client is successfully authenticated, traffic from all other hosts on the port is passed as well

802.1x Operation (2)

Extensible Authentication Protocol (EAP)
- General framework for the exchange of authentication information between supplicant and authentication server
- Various authentication methods may be applied: EAP-MD5, EAP-TLS, PEAP, ...

EAP Messages
- EAPOL-Start (from supplicant)
- Identity Request (from authenticator)
- Identity Response (from supplicant, relayed to the authentication server)
- Method-specific Request/Response exchange (e.g. the EAP-TLS handshake)
- Success / Failure
- EAPOL-Logoff (from supplicant)

Transmission of EAP Messages
- Supplicant to authenticator: EAP over LAN (EAPOL), Ethernet frames with EtherType 0x888E
- Authenticator to authentication server: EAP packets carried in EAP-Message attributes of RADIUS messages (RFC 3579), over UDP

Remote Authentication Dial-In User Service (RADIUS) Protocol
- Authentication: UDP/1812
- Accounting: UDP/1813 (start and stop events)
- Protocol messages
  - Access-Request
  - Access-Accept, Access-Reject
  - Access-Challenge (carries the next EAP Request back towards the supplicant)
  - Accounting-Request, Accounting-Response
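The bridging between EAPOL and RADIUS described on the 802.1x operation, EAP messages, transmission and RADIUS slides, as an added Python example that is not from the original lecture: it builds the EAPOL frames of the Identity exchange, has the authenticator wrap the supplicant's EAP Response/Identity unchanged into a RADIUS Access-Request with EAP-Message and Message-Authenticator attributes (HMAC-MD5 over the packet, RFC 3579), lets a toy server answer with Access-Accept or Access-Reject carrying EAP Success/Failure, and has the authenticator verify the Response Authenticator before relaying the result and authorizing the port. The shared secret, user name and RADIUS identifier are assumptions, the method-specific EAP exchange is elided, and the reply carries only the Response Authenticator, not the Message-Authenticator that RFC 3579 also requires on replies.

```python
"""Added example (not from the original lecture): the 802.1x Identity exchange
over EAPOL and its relay into RADIUS with EAP-Message + Message-Authenticator.
Shared secret, user name and RADIUS identifier are assumptions."""
import hashlib
import hmac
import os
import struct

EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_PORT_TYPE, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 61, 79, 80
NAS_PORT_TYPE_ETHERNET = 15


def eap_packet(code, ident, eap_type=None, data=b""):
    """EAP header: code, identifier, length, then type (Request/Response only) and data."""
    body = (bytes([eap_type]) if eap_type is not None else b"") + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:length]


def eapol(packet_type, body=b""):
    """EAPOL frame payload (EtherType 0x888E): version 2 (802.1X-2004), type, length, body."""
    return struct.pack("!BBH", 2, packet_type, len(body)) + body


def parse_eapol(frame):
    version, packet_type, length = struct.unpack("!BBH", frame[:4])
    return version, packet_type, frame[4:4 + length]


def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def parse_attrs(data):
    attrs = []
    while data:
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs


def access_request(ident, request_auth, secret, username, eap_msg):
    """Authenticator -> server. Message-Authenticator = HMAC-MD5(secret, packet with that attribute zeroed)."""
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
             + _attr(ATTR_EAP_MESSAGE, eap_msg)
             + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def verify_message_authenticator(pkt, secret):
    off = 20
    while off < len(pkt):
        if pkt[off] == ATTR_MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), pkt[off + 2:off + 18])
        off += pkt[off + 1]
    return False   # RFC 3579: an Access-Request with EAP-Message but no Message-Authenticator is rejected


def radius_reply(code, ident, request_auth, secret, attrs):
    """Server -> authenticator. Response Authenticator = MD5(code|id|len|RequestAuth|attrs|secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_reply(pkt, request_auth, secret):
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def run_exchange(secret, username, server_secret=None, server_accepts=True):
    """Return (port_authorized, transcript). server_secret models a server, or a forger, with another key."""
    server_secret = secret if server_secret is None else server_secret
    transcript = [("S->A", eapol(EAPOL_START)),
                  ("A->S", eapol(EAPOL_EAP_PACKET, eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)))]
    response = eapol(EAPOL_EAP_PACKET, eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, username))
    transcript.append(("S->A", response))
    # Authenticator: strip EAPOL, re-encapsulate the EAP packet unchanged into RADIUS.
    _, packet_type, eap = parse_eapol(response)
    if packet_type != EAPOL_EAP_PACKET:
        return False, transcript
    _, ident, data = parse_eap(eap)
    request_auth = os.urandom(16)
    request = access_request(42, request_auth, secret, data[1:], eap)   # data[1:] = identity after the type byte
    transcript.append(("A->R", request))
    # Server: a bad Message-Authenticator means reject; otherwise decide (method exchange elided).
    accept = verify_message_authenticator(request, server_secret) and server_accepts
    eap_result = eap_packet(EAP_SUCCESS if accept else EAP_FAILURE, ident)
    reply = radius_reply(ACCESS_ACCEPT if accept else ACCESS_REJECT, 42, request_auth, server_secret,
                         _attr(ATTR_EAP_MESSAGE, eap_result))
    transcript.append(("R->A", reply))
    # Authenticator: drop replies failing the Response Authenticator check, else relay the EAP result.
    if not verify_reply(reply, request_auth, secret):
        return False, transcript
    transcript.append(("A->S", eapol(EAPOL_EAP_PACKET, dict(parse_attrs(reply[20:]))[ATTR_EAP_MESSAGE])))
    return reply[0] == ACCESS_ACCEPT, transcript
```

`run_exchange(b"s3cret", b"alice")` authorizes the port and ends with EAP Success relayed in EAPOL; with `server_accepts=False` the supplicant receives EAP Failure. With `server_secret=b"wrong"` the server cannot validate the Message-Authenticator, and its reply in turn fails the authenticator's Response Authenticator check, so the transcript ends at the dropped RADIUS reply and the port stays unauthorized: a reply from anyone who does not hold the shared secret never opens the port.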

EAP and RADIUS

Optional 802.1x Configuration
- The authentication server may pass additional information to the authenticator as RADIUS Attribute-Value Pairs
  - client-to-VLAN assignment
  - ACL ...
- Fallback VLAN for clients that failed to authenticate or are not 802.1x-capable
- Number of authentication retries, minimum intervals between retries, ...

EAPOL and RADIUS Messages in Action

Authentication of Supplicant-less Clients

Securing of the Control Plane

Control Plane Vulnerabilities (1)
- Routers/switches are optimized to handle high volumes of data-plane traffic
- They are not intended to handle heavy control-plane traffic, whether caused by unexpectedly increased protocol activity, abnormal traffic or DoS attacks:
  - IP options
  - wrong header parameters
  - TCP floods, fragmentation, TTL=0, ICMP ping, unreachables, redirects
  - traffic logging

Control Plane Vulnerabilities (2)
- May result in an unacceptable increase of CPU utilization
- Memory consumption

Control Plane Protection Mechanisms
- Rate limiting of ICMP message generation (redirects, unreachables)
- Rate limiting and selective filtering of routing protocol messages
- Rate limiting and selective filtering of STP and other L2 control protocol messages
- Control protocol authentication
- Receive ACLs: apply to traffic destined to any of the router's own interface addresses

2005 Petr Grygarek, Advanced Computer Networks Technologies
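A worked model of the protection idea on the last slides (classify control-plane traffic, rate limit each class, and filter with a receive ACL), added here as an example that is not from the original lecture: punted packets are classified as routing updates from known neighbours, ICMP, packets with IP options, expiring TTL, management sessions or default; each class gets its own token bucket; and a ping flood against a router address is policed while OSPF hellos keep getting through. Router addresses, the neighbour list, the management network and the rate/burst values are constructed assumptions.

```python
"""Added example (not from the original slides): control-plane policing as a
classifier plus per-class token buckets and a receive ACL. Addresses, the
neighbour list and the rates are constructed assumptions."""
import ipaddress
from collections import defaultdict


class TokenBucket:
    """Single-rate policer: `rate` packets per second, at most `burst` tokens stored."""

    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1.0:
            return False
        self.tokens -= 1.0
        return True


class ControlPlanePolicer:
    def __init__(self, own_addrs, ospf_neighbors, mgmt_net, policy):
        self.own, self.neighbors = set(own_addrs), set(ospf_neighbors)
        self.mgmt = ipaddress.ip_network(mgmt_net)
        self.buckets = {cls: TokenBucket(*rate_burst) for cls, rate_burst in policy.items()}
        self.stats = defaultdict(lambda: defaultdict(int))   # class -> verdict -> count

    def classify(self, p):
        """Map a packet to a control-plane class; None means it never leaves the forwarding path."""
        if p.get("ttl", 64) <= 1:
            return "ttl-expired"          # punted so the CPU can generate ICMP Time Exceeded
        if p["dst"] not in self.own:
            return None                   # transit traffic is switched in hardware
        if p.get("options"):
            return "ip-options"           # options force slow-path processing
        if p["proto"] == 89:              # OSPF: only configured neighbours may talk to us
            return "routing" if p["src"] in self.neighbors else "routing-untrusted"
        if p["proto"] == 1:
            return "icmp"
        if p["proto"] == 6 and p.get("dport") in (22, 23):   # receive ACL for management
            return "management" if ipaddress.ip_address(p["src"]) in self.mgmt else "rx-acl-deny"
        return "default"

    def punt(self, p, now):
        cls = self.classify(p)
        if cls is None:
            return "forwarded"
        if cls in ("routing-untrusted", "rx-acl-deny"):
            verdict = "drop-acl"
        elif self.buckets[cls].allow(now):
            verdict = "accept"
        else:
            verdict = "drop-policed"
        self.stats[cls][verdict] += 1
        return verdict


def simulate():
    """Constructed one-second trace: OSPF hellos, a 2000 pps ping flood, and a few probes."""
    cp = ControlPlanePolicer(
        own_addrs={"192.0.2.1", "10.0.0.1"}, ospf_neighbors={"10.0.0.2"}, mgmt_net="10.99.0.0/24",
        policy={"routing": (200, 50), "icmp": (50, 10), "ip-options": (5, 5),
                "ttl-expired": (20, 10), "management": (100, 20), "default": (20, 10)})
    events = [(t / 10, {"src": "10.0.0.2", "dst": "10.0.0.1", "proto": 89}) for t in range(11)]
    events += [(k / 2000, {"src": "198.51.100.7", "dst": "192.0.2.1", "proto": 1}) for k in range(2000)]
    events += [(0.5, {"src": "198.51.100.7", "dst": "10.0.0.1", "proto": 89}),                 # forged OSPF
               (0.6, {"src": "198.51.100.7", "dst": "192.0.2.1", "proto": 6, "dport": 22}),    # SSH from outside
               (0.7, {"src": "10.99.0.5", "dst": "192.0.2.1", "proto": 6, "dport": 22}),       # SSH from mgmt net
               (0.8, {"src": "198.51.100.7", "dst": "203.0.113.9", "proto": 6, "dport": 443})]  # transit, not punted
    for now, p in sorted(events, key=lambda e: e[0]):
        cp.punt(p, now)
    return cp.stats
```

`simulate()` returns per-class counters: all eleven hellos from the trusted neighbour are accepted, the 2000-packet ping flood yields roughly sixty accepted ICMP packets (the 10-packet burst plus 50 per second) and the rest are dropped by the policer, the forged OSPF packet and the SSH attempt from outside the management network are dropped by the receive ACL before any bucket is consulted, and the transit packet never reaches the CPU. Separate buckets are the point: the ICMP flood cannot starve the routing class, which is what happens when everything punted shares one queue.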