DT Security
Security Model:
Three attack directions:
Classification of Network Attacks:
Cisco's specific classification of Network Attacks:
Reconnaissance attacks
Packet sniffer
Implementation conditions:
1. It can only be carried out inside the same broadcast domain as the target.
2. The hub or switch does not fully isolate traffic between ports (a hub repeats every frame; a switch with incomplete security mechanisms can be made to flood).
Solution:
1. 802.1x (port-based authentication)
2. Control user access on the switch
3. Use anti-sniffer tools for detection (send specially crafted packets into the network; a host whose NIC is in promiscuous mode processes every frame and therefore responds more slowly)
4. Encrypt data
Port scans and Ping sweeps
Problem: scan traffic may come from administrators as well as from attackers.
Solution: use an IDS to detect and classify the scan traffic
Internet information queries
Search Engine Vulnerability
Access attacks
Password attacks
Trust Exploitation
Problem: many networks are set up as domain environments for ease of management, and each domain has a domain controller. Once an attacker compromises the domain controller, the trust relationship lets them control every machine in the domain.
Solution: complete security mechanisms for the domain controllers
Port redirection
A local port on a stepping-stone (pivot) host is mapped to a service port on an Intranet server; connections to that local port on the stepping stone are forwarded to the service port automatically.
Why it works: the security device blocks direct access to that service port, but not traffic to the stepping stone.
Man-in-the-middle attacks
Problem: the attacker collects, or even modifies, the original information in transit.
Solution: add a VPN tunnel for WAN communication
Denial of Service attacks
The server can no longer provide external services. DoS can only be mitigated, not cured.
IP spoofing is required.
Attack methods: ICMP and TCP (exploiting the three-way handshake)
Solution: use a security device to monitor the TCP connection setup, start a timer, and send an RST to both parties when the timer expires.
Worms, viruses, and Trojan horses
IP plane Security (IP Security plane):
Data plane: user communication traffic
Control plane: traffic that controls how data traffic is forwarded, such as routing protocols.
Management plane: management traffic from users to network devices, and traffic sent by network devices for network management
Service plane: carries user traffic over a service, such as a VPN
Different security policies for different environments:
VTP: Cisco does not recommend it because its design is incomplete. If you want to use it, configure it during the network build phase; once the network is complete, set all devices to transparent mode.
References:
Security Features of Cisco Catalyst switches:
Security Features of Cisco ISR (Integrated Services Routers):
Security goals:
Confidentiality, integrity, and reliability
Switched network attack techniques:
Switched network security techniques:
PVLAN
A Layer 2 VLAN technology. PVLAN is mainly deployed in the DMZ to prevent lateral attacks between hosts; its purpose is to isolate servers within a segment.
PVLAN can be configured across switches over a trunk link.
PVLAN is divided into the primary VLAN and the secondary VLANs. Secondary VLANs are further divided into community VLANs and isolated VLANs.
Port modes include community ports, isolated ports, and promiscuous ports. Promiscuous ports are mainly used to connect to gateways.
PVLAN is an isolation technique that works within a single VLAN.
PVLAN configuration (verification):
show vlan private-vlan
PVLAN hop attack:
Crossing the PVLAN isolation, for example mutual access between R2 and R3.
R2:
ip route 172.16.0.3 255.255.255.255 172.16.0.254
R3:
ip route 172.16.0.2 255.255.255.255 172.16.0.254
Each side points a host route for the other at the gateway; since the gateway sits on the promiscuous port, it forwards the traffic back into the isolated VLAN.
PVLAN hop attack defense (ACL on the gateway that refuses to forward traffic whose source and destination are both in the PVLAN subnet):
GW(config)# access-list 101 permit ip any host 172.16.0.254
GW(config)# access-list 101 deny ip 172.16.0.0 0.0.0.255 172.16.0.0 0.0.0.255
GW(config)# access-list 101 permit ip any any
GW(config)# interface fastethernet 0/0
GW(config-if)# ip access-group 101 in
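To make the effect of access-list 101 concrete, here is an added example (not from the course notes) that evaluates a constructed copy of the ACL the way IOS does: first match wins, wildcard bits set to 1 are ignored, and an unmatched packet hits the implicit deny. It runs the hop flows from the attack above against the ACL, and against a gateway with no deny line, to show which flows are dropped; the sample flows and the 203.0.113.10 outside address are constructed.

```python
import ipaddress

# Constructed copy of access-list 101, in first-match order.
# Each entry: (action, src_base, src_wildcard, dst_base, dst_wildcard).
# "any" is 0.0.0.0 with wildcard 255.255.255.255; "host X" is X with wildcard 0.0.0.0.
ANY = ("0.0.0.0", "255.255.255.255")
ACL_101 = [
    ("permit", *ANY, "172.16.0.254", "0.0.0.0"),                     # permit ip any host 172.16.0.254
    ("deny", "172.16.0.0", "0.0.0.255", "172.16.0.0", "0.0.0.255"),  # deny ip 172.16.0.0 0.0.0.255 172.16.0.0 0.0.0.255
    ("permit", *ANY, *ANY),                                          # permit ip any any
]

# A gateway with no ACL behaves like "permit ip any any"; this is the weak
# configuration the hop attack relies on.
ACL_NO_ISOLATION = [ACL_101[0], ACL_101[2]]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'do not care about this bit'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate_acl(acl, src: str, dst: str) -> str:
    """Return 'permit' or 'deny' for the first matching entry; implicit deny at the end."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


# Constructed flows arriving inbound on the gateway's PVLAN-facing interface.
SAMPLE_FLOWS = [
    ("172.16.0.2", "172.16.0.3"),    # the hop: R2 -> R3 via the gateway
    ("172.16.0.3", "172.16.0.2"),    # the reverse hop
    ("172.16.0.2", "172.16.0.254"),  # R2 talking to the gateway itself (still needed)
    ("172.16.0.2", "203.0.113.10"),  # R2 reaching an outside address (still needed)
]


def audit(acl=ACL_101, flows=SAMPLE_FLOWS) -> dict:
    """Map 'src->dst' to the ACL verdict so the two configurations can be compared."""
    return {f"{s}->{d}": evaluate_acl(acl, s, d) for s, d in flows}


if __name__ == "__main__":
    for name, acl in (("with deny line", ACL_101), ("without deny line", ACL_NO_ISOLATION)):
        print(name, audit(acl))
```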
If a PVLAN spans multiple switches, the trunk between them must carry both the primary VLAN and the secondary VLANs.
PVLAN is only available on the 3560 and later platforms. Earlier devices used protected ports to implement part of the PVLAN functionality.
Configuration: switchport protected (in interface configuration mode)
Effect: hosts on ports configured as protected ports cannot communicate with each other.
If you configure PVLAN on a Layer 3 switch and that switch is also the DHCP server, you must configure the SVI of the multilayer switch as a promiscuous port (that is, int vlan *).
When configuring a DHCP server on a multilayer switch, you must configure the VLAN interface address for the VLAN the host is in: DHCP runs over UDP, and the switch uses the VLAN interface to determine which DHCP network segment to assign to the client. The gateway handed out is not necessarily the switch itself.
CCSP--SECURE-1 Security Theory