Cisco Security

From HackerNet
Revision as of 15:42, 14 May 2016 by Helikopter (talk | contribs) (Created page with "Cisco IOS har stöd för många säkerhetsmekanismer och protokoll. =Device= Login enhancements login block-for [seconds] attempts [attempts] within [seconds]...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Cisco IOS har stöd för många säkerhetsmekanismer och protokoll.

Device

Login enhancements 

login block-for [seconds] attempts [attempts] within [seconds]

login quiet-mode access-class TRUSTED_HOSTS
ip access-list standard TRUSTED_HOSTS
 permit host 10.0.0.10

Password recovery är på default men går att stänga av. 

no service password-recovery

Management Plane Protection 

control-plane host
 management-interface GigabitEthernet 0/1 allow ssh https

SSH 

ip ssh version 2
crypto key generate rsa modulus 2048

Verify 

show ssh
show ip ssh
show control-plane host open-ports

AAA

The aaa new-model command causes the local username and password on the router to be used in the absence of other AAA statements. 

aaa new-model
show aaa

Fallback user account 

username fallback privilege 15 secret SECRETS

TACACS

All trafik är krypterad. Tacacs kommunicerar på TCP port 49. 

aaa group server tacacs+ TACACS_SERVER
 server 10.0.0.10
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local

Verify 

show tacacs

Radius 

radius-server host 10.0.0.10 auth-port 1812 acct-port 1813 key RadiusKey
show radius

L2 Security

Se även Private VLANs och DHCP Snooping.

Ändra beteende på en switch. Fungerar som säkerhetsmekansim om CAM går fullt för alla frames floodas inte. 

switchport block unicast
switchport block multicast

Port Security 

interface [interface]
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown

VACL

VLAN ACL 

access-list 100 permit ip any host 10.0.0.10
vlan access-map BLOCK-TO-SERVER 10
 match ip address 100
 action drop
vlan access-map BLOCK-TO-SERVER 20
 action forward

Apply to vlan 

vlan filter BLOCK-TO-SERVER vlan-list 10

VACL funkar också med non-IP traffic.

Storm Control

Storm control är teknik för att låta administratörer dämpa unicast-, multicast- eller broadcast-trafik på L2-interface. Det kan användas för att reducera skadan vid broadcast-stormar. Man måste ange gränsvärde (rising) men falling är optional. 

interface gi0/7
 storm-control broadcast level bps 1m 500k

Ange vad som ska hända när tröskelvärde överskrids, t.ex. droppa frames eller skicka syslog-trap. 

 storm-control action trap

Verify 

show storm-control

802.1x 

show dot1x

IPv6

RA guard 

interface GigabitEthernet0/1
 ipv6 nd raguard

Verify 

show ipv6 snooping features
show ipv6 nd raguard

DHCP guard, Binding table, Device tracking, ND inspection/snooping, Source guard, PACL

Retrieved from "https://hackernet.se/index.php?title=Cisco_Security&oldid=1778"