CCSP--SECURE-1 Security Theory

DT Security

 

Security Model:

 

Three attack directions:

 

Classification of Network Attacks:

 

Cisco's specific classification of Network Attacks:

 

 

Reconnaissance attacks

Packet sniffer

Implementation conditions:

1. It can only be implemented in the broadcast domain of the attack object

2. The Hub or switch mechanism is not complete.

Solution:

1. 802.1x)

2. control user access on the switch device

3. Use antisnifer tools for detection (send a special packet in the network, and process slowly if the NIC is in the Mixed Mode)

4. encrypt data

 

Port scans and Ping sweeps

Problem: the scan traffic may come from administrators or attackers.

Solution: Use IDs to detect traffic

 

Internet information queries

Search Engine Vulnerability

 

 

Access attacks

Password attacks

 

Trust Exploitation

Problem: Many networks have configured domain environments for ease of management. Each domain has a domain control server. Hackers can use the trust relationship to control all machines in the domain as long as they break through the domain control server.

Solution: complete security mechanisms for domain control servers

 

Port redirection

Map a local port of the stepping stone to a function port of the Intranet server. When you access this local port of the stepping stone, the system automatically jumps to that function port.

Cause: the security device shields access traffic on this service port.

 

Man-in-the-middle attacks

Problem: Collect or even modify original information

Solution: Add a VPN communication tunnel during Wan Communication

 

 

Denial of Service attacks

The server cannot provide external services. It can only be mitigated and cannot be cured

IP spoofing is required.

Attack methods: ICMP and TCP (three handshakes are used)

Solution: Use a security device to monitor the TCP connection process, set the timer, and send an rst signal to the two parties when the timeout occurs.

 

 

Worms, viruses, and Trojan horses

 

 

IP plane Security (IP Security plane):

Data plane: user communication traffic

Control Plane: controls the traffic forwarded by traffic, such as the routing protocol.

Management plane: User-to-network device management traffic, network device-sent traffic for Network Management

Service plane: Carrying user traffic, such as VPN

 

 

Different security policies for different environments:

 

VTP: Cisco is not recommended because of imperfect development. If you want to use it, you can configure it in the networking phase. After the networking is complete, set all devices to the transparent mode.

 

References:

 

Security Features of Cisco Catalyst switches:

 

Security Features of Cisco ISR (integrated with multi-service routers:

 

Security goals:

Confidentiality, integrity, and reliability

 

Exchange network attack technology:

 

Exchange network security technology:

 

 

Pvlan

L2 VLAN technology. Pvlan is mainly deployed in DMZ to prevent cross-site attacks. The purpose of pvlan is to achieve segment protection for servers.

Pvlan can be configured across vswitches through the trunk link.

Pvlan is divided into the primary VLAN and the secondary VLAN. The secondary VLAN is also divided into group VLAN and isolated VLAN.

Port modes include group ports, isolated ports, and hybrid ports. Hybrid ports are mainly used to connect to gateways.

One VLAN isolation technology.

 

Pvlan Configuration:

 

Show VLAN private-VLAN

 

Pvlan jump Attack:

Cross-site access across pvlan restrictions. Such as mutual access between R2 and R3.

R2:

IP Route 172.16.0.3 255.255.255.255.255 172.16.0.254

R3:

IP Route 172.16.0.2 255.255.255.255 172.16.0.254

Point the other static route to the gateway.

Pvlan jump AttacK Defense:

GW (config) # access-list 101 permit IP any host 172.16.0.254

GW (config) # access-list 101 deny ip 172.16.0.0 0.0.255 172.16.0.0 0.0.255

GW (config) # access-list 101 permit IP any

GW (config) # interface fastethernet 0/0

GW (config-If) # IP Access-group 101 in

 

If a pvlan network contains multiple switches, the trunk between them must pass through the primary VLAN or the secondary VLAN.

 

Pvlan is only available for devices of 3560 or above. Previous devices used protective ports to implement some pvlan functions.

Configuration: switchport protected under the Port

Effect: users under ports deployed with protected ports cannot communicate with each other.

 

 

If you configure pvlan on a layer-3 switch and the layer-3 switch is still a DHCP server, you need to configure a multi-layer switch hybrid port (that is, int VLAN *).

When configuring a DHCP server on a multi-layer switch, you must configure the VLAN interface address of the VLAN where the host is located, because DHCP uses UDP, dhcp on the vswitch finds the DHCP network segment corresponding to the VLAN Interface and assigns it to the client. The gateway is not necessarily your own.

CCSP--SECURE-1 Security Theory