Configuration Part II
Configuring Password Options
Securing Console Access:
Securing Virtual Terminal Access:
There are 16 default virtual terminal (Telnet) sessions available on a switch, as opposed to the 5 sessions set up on a router.
Securing Privileged EXEC Access:
Always use enable secret for password encryption.
Encrypting Switch Passwords:
You can encrypt all passwords assigned to a switch using the service password-encryption command.
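The password options above as one configuration fragment, added here as an example and not taken from the original notes. It assumes a Catalyst switch at the default prompt; the passwords are placeholders, and the exec-timeout lines are an extra hardening step not mentioned in the notes.

```cisco
! Added example, not from the notes. Passwords in angle brackets are placeholders.
! Privileged EXEC: "enable secret" stores a hash of the password. "enable password"
! stores it in clear text (or reversible type 7) and should not be used.
Switch(config)# enable secret <PRIV-EXEC-PASSWORD>
!
! Console access: require a password on the physical console line and log the
! session out after 5 minutes idle (exec-timeout is an addition to the notes).
Switch(config)# line console 0
Switch(config-line)# password <CONSOLE-PASSWORD>
Switch(config-line)# login
Switch(config-line)# exec-timeout 5 0
Switch(config-line)# exit
!
! Virtual terminal access: a switch has 16 vty lines (0-15); a router has 5 (0-4).
Switch(config)# line vty 0 15
Switch(config-line)# password <VTY-PASSWORD>
Switch(config-line)# login
Switch(config-line)# exec-timeout 5 0
Switch(config-line)# exit
!
! Encrypt the line passwords stored in the configuration. This is type 7
! obfuscation, not strong encryption: it stops someone reading passwords off
! "show running-config", but the hashed enable secret is the real protection.
Switch(config)# service password-encryption
Switch(config)# end
!
! Check: line passwords should now appear as "password 7 ..." and the enable
! secret as "enable secret 5 ..." (type 8 or 9 on newer images), never clear text.
Switch# show running-config | include password|secret
```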
Password Recovery:
To recover a switch password:
Power up the switch with the Mode button pressed.
Initialize flash.
Load helper files
Rename the current configuration file.
Reboot the system.
Reinstate the name of the configuration file and copy it into RAM.
Change the password.
Copy to start up configuration
Reload the switch.
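The nine recovery steps above as a worked console session, added here as an example and not part of the original notes. It assumes a Catalyst 2960-class switch whose boot loader keeps the startup configuration in flash:config.text and offers the flash_init, load_helper, rename and boot commands; the new password is a placeholder.

```cisco
! Added example, not from the notes. Assumes a Catalyst 2960-class boot loader.
! Step 1: power up while holding the Mode button until the boot loader prompt
! ("switch:") appears, then release the button.
switch: flash_init                                  ! step 2: initialize flash
switch: load_helper                                 ! step 3: load helper files
switch: dir flash:                                  ! confirm config.text is present
switch: rename flash:config.text flash:config.text.old   ! step 4: rename the config
switch: boot                                        ! step 5: reboot without it
!
! The switch boots with no configuration; answer "no" to the setup dialog.
Switch> enable
! Step 6: reinstate the file name and copy the file into RAM (running-config).
Switch# rename flash:config.text.old flash:config.text
Switch# copy flash:config.text system:running-config
! Caveat: interfaces restored this way may come up administratively down;
! check with "show ip interface brief" and "no shutdown" them if needed.
!
! Step 7: change the password. Use enable secret (hashed), not enable password.
Switch# configure terminal
Switch(config)# enable secret <NEW-PRIV-EXEC-PASSWORD>
Switch(config)# end
! Step 8: copy to the startup configuration, then step 9: reload.
Switch# copy running-config startup-config
Switch# reload
```

Because this procedure only needs physical console access, anyone who can reach the console port can reset the switch's passwords; physical security of the switch is part of securing it.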
Login Banners
Login Banner:
Message-Of-The-Day (MOTD) Banner:
Configure Telnet and SSH
Telnet:
Most common method.
Virtual Terminal application.
Send in clear text.
Not secure.
Secure Shell (SSH):
Virtual Terminal application.
Sends an encrypted data stream.
Is secure.
Configuring Telnet:
Telnet is the default transport for the vty lines.
There is no need to specify it after the initial configuration of the switch has been performed.
If you have switched the transport protocol on the vty lines to permit only SSH, you need to enable the Telnet protocol to permit Telnet access.
Configuring Secure Shell (SSH):
SSH is a cryptographic security feature that is subject to export restrictions. To use this feature, a cryptographic image must be installed on your switch.
Perform the following to configure SSH ONLY Access:
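A worked SSH-only configuration, added here as an example and not taken from the original notes. It shows the default Telnet transport beside the SSH-only setting, and folds in the login and MOTD banners from the "Login Banners" section. The hostname SW1, the domain example.com, the user admin and the password are placeholders, and a cryptographic (k9) IOS image is assumed to be installed.

```cisco
! Added example, not from the notes. Hostname, domain, user and password are placeholders.
! Weak setting (the default): the vty lines accept Telnet, so credentials and the
! whole session cross the network in clear text.
Switch(config)# line vty 0 15
Switch(config-line)# transport input telnet
Switch(config-line)# exit
!
! Corrected setting: SSH only. The RSA key pair is named after hostname.domain,
! so both must be set before the key is generated.
Switch(config)# hostname SW1
SW1(config)# ip domain-name example.com
SW1(config)# crypto key generate rsa modulus 2048
SW1(config)# ip ssh version 2
SW1(config)# ip ssh time-out 60
SW1(config)# ip ssh authentication-retries 3
!
! SSH authenticates a user name, so create a local user with a hashed secret
! and have the vty lines use the local database.
SW1(config)# username admin secret <ADMIN-PASSWORD>
SW1(config)# line vty 0 15
SW1(config-line)# transport input ssh
SW1(config-line)# login local
SW1(config-line)# exec-timeout 5 0
SW1(config-line)# exit
!
! Banners: the MOTD banner is shown to every connecting user first, then the
! login banner, both before the credential prompt. "#" is the delimiter here.
SW1(config)# banner motd #Authorized access only. Activity is monitored.#
SW1(config)# banner login #Enter your credentials to continue.#
SW1(config)# end
!
! Check: SSH is enabled with version 2, and a Telnet attempt to the switch
! is now refused because only SSH is accepted on the vty lines.
SW1# show ip ssh
SW1# show ssh
```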
Common Security Attacks
MAC Address Flooding:
Recall that the MAC address table in a switch:
Contains the MAC addresses available on a given physical port of a switch.
Contains the associated VLAN parameters for each.
Is searched for the destination address of a frame.
If it IS in the table, it is forwarded out the proper port.
If it IS NOT in the table, the frame is forwarded out all ports of the switch except the port that received the frame.
The MAC address table is limited in size.
An intruder will use a network attack tool that continually sends bogus MAC addresses to the switch (e.g. 155,000 MAC addresses per minute).
The switch learns each bogus address and in a short span of time, the table becomes full.
When a switch MAC table becomes full and stays full, it has no choice but to forward each frame it receives out of every port – just like a hub.
The intruder can now see all the traffic on the switch.
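How to audit the MAC address table and limit the damage a flood can do, added here as an example and not taken from the original notes. The audit commands match the "Network Security Audits" item about table limits and age-out period; port security is the standard Catalyst mitigation and is an addition to what the notes describe. The interface range and the address limit are placeholders.

```cisco
! Added example, not from the notes. Interface names and limits are placeholders.
! Audit: how many entries the table holds, how many are in use, and how long
! an entry lives before it ages out (default 300 seconds).
Switch# show mac address-table count
Switch# show mac address-table aging-time
!
! Mitigation: port security caps how many MAC addresses an access port may
! learn, so a flood arriving on one port cannot fill the whole table.
Switch# configure terminal
Switch(config)# interface range FastEthernet0/1 - 24
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport port-security
Switch(config-if-range)# switchport port-security maximum 2
! sticky: addresses learned on the port are written into the running config
Switch(config-if-range)# switchport port-security mac-address sticky
! violation mode: shutdown puts the port in err-disabled state and logs it;
! "restrict" would drop the offending frames and count them without disabling.
Switch(config-if-range)# switchport port-security violation shutdown
Switch(config-if-range)# exit
!
! Optional: bring an err-disabled port back automatically after 5 minutes so a
! violation is logged but does not need a manual visit to clear.
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300
Switch(config)# end
!
! Check: the port shows Secure-up, the configured maximum, the learned
! addresses and a violation count that rises if a flood is attempted.
Switch# show port-security
Switch# show port-security interface FastEthernet0/1
```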
Spoofing Attacks:
Man-In-The-Middle:
Intercepting network traffic.
DHCP or DNS spoofing.
The attacking device responds to DHCP or DNS requests with IP configuration or address information that points the user to the intruder's destination.
DHCP Starvation:
The attacking device continually requests IP addresses from a real DHCP server with continually changing MAC addresses.
Eventually the pool of addresses is used up and actual users cannot access the network.
CDP Attacks:
Cisco Discovery Protocol (CDP) is a proprietary protocol that exchanges information among Cisco devices:
IP address
Software version
Platform
Capabilities
Native VLAN (Trunk Links – Chapter 3).
With a free network sniffer (Wireshark) an intruder could obtain this information.
It can be used to find ways to perform Denial of Service (DoS) attacks and others.
Telnet Attacks:
Recall that Telnet transmits in plain text and is not secure. While you may have set passwords, the following types of attacks are possible:
Brute force (password guessing)
DoS (Denial of Service)
With a free network sniffer (Wireshark) an intruder could capture the plain-text Telnet session, including the passwords sent over it.
Use strong passwords and change them frequently.
Use SSH.
Network Security Tools
Help you test your network for various weaknesses. They are tools that allow you to play the roles of a hacker and a
network security analyst.
Network Security Audits:
Reveals what sort of information an attacker can gather simply by monitoring network traffic.
Determine MAC address table limits and age-out period.