Several solutions to prevent vswitch malicious attacks

Source: Internet
Author: User

Switches are a frequent target of malicious activity on the LAN. This article introduces several measures that reduce that exposure: configure an encrypted privileged password, disable unnecessary or insecure services, secure the console and virtual terminal lines, use SSH instead of Telnet, shut down unused ports, and protect the spanning tree.

Unlike routers, switches face security threats that mainly come from within the LAN. Out of ignorance, curiosity, or outright malice, some LAN users may attack the switch, and whatever their motive, the result is something no administrator wants to see. Beyond policies and rules, administrators should therefore put technical controls in place so that such attempts fail. This article uses the secure deployment of Cisco switches as an example and shares practical experience.

Prevent vswitch malicious attacks: configure the encrypted password

Use enable secret rather than enable password to set the privileged-mode password. enable secret stores a one-way hash of the password in the configuration, whereas enable password stores it in plain text (or, with service password-encryption, in the easily reversible Type 7 form).

Prevent vswitch malicious attacks: disable unnecessary or insecure services

Different vendors enable different services, features, and protocols by default on their switches, especially on layer-3 switches. To improve security, enable only what is actually needed; anything extra is a potential vulnerability. Enable or disable services according to your real requirements. The following services can usually be disabled outright:
Disable the HTTP server
no ip http server
Disable IP source routing to prevent route spoofing
no ip source-route
Disable the finger service
no service finger
Disable the config service
no service config
Disable the BOOTP service
no ip bootp server
Disable small UDP services
no service udp-small-servers
Disable small TCP services
no service tcp-small-servers

Protection against vswitch malicious attacks: Secure deployment of the console and virtual terminals

Configure authentication on both the console and the vty lines. In addition, apply a simple access control list to the vty lines so that only trusted management hosts can open a session:
Switch(config)# access-list 1 permit 192.168.1.1
Switch(config)# line vty 0 4
Switch(config-line)# access-class 1 in

Prevent vswitch malicious attacks: Use SSH instead of Telnet

Telnet is the usual channel through which administrators connect to the switch. However, every byte typed in a Telnet session is sent in plain text, so an attacker on the path can capture sensitive information such as user names and passwords with a sniffer. SSH, which encrypts the session, is therefore clearly the safer choice.
Switch(config)# hostname test-ssh
test-ssh(config)# ip domain-name net.ctocio.com
test-ssh(config)# username test password 0 test
test-ssh(config)# line vty 0 4
test-ssh(config-line)# login local
test-ssh(config-line)# exit
test-ssh(config)# crypto key generate rsa
The name for the keys will be: test-ssh.net.ctocio.com
test-ssh(config)# ip ssh time-out 180
test-ssh(config)# ip ssh authentication-retries 5

The configuration above names the switch test-ssh, sets the domain name to net.ctocio.com, creates a user named test with the password test, generates an RSA key pair named test-ssh.net.ctocio.com, sets the SSH negotiation timeout to 180 seconds, and allows at most 5 authentication retries per connection.

Prevent vswitch malicious attacks: Disable all unused ports

I have seen a case of this kind: an employee in an organization "accidentally" connected two ports of the switch directly with a network cable (typical user ignorance), and the configuration data of the entire switch was wiped. Because of this, I strongly recommend that my colleagues shut down unused ports. This measure also prevents, to a certain extent, a malicious user from plugging into a port and negotiating trunk mode.

Prevent vswitch malicious attacks: Ensure STP Security

Spanning Tree Protocol protects the loop-free topology when a new switch is attached somewhere in the network. Because the administrators at each branch do not necessarily know the complete network topology, a misconfigured new switch can become the root bridge and inject unexpected BPDUs. The core administrator should therefore enable root guard and BPDU guard.
Root guard is disabled by default. It is configured per interface, on the ports that must never become the path to the root bridge:
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# spanning-tree guard root
BPDU guard is also disabled by default. To enable it globally on all PortFast-enabled ports, run the following command:
Switch(config)# spanning-tree portfast bpduguard default
To enable BPDU guard on an individual port regardless of the global setting, run the following command in interface configuration mode:
Switch(config-if)# spanning-tree bpduguard enable
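The items above (encrypted privileged password, disabled services, vty access list, SSH-only management, BPDU guard) are easy to apply once and then lose track of. The following script, added here as an example and not part of the original article, audits a saved Cisco IOS running-config for those settings. The two configurations it checks are constructed samples, not captures from a real device; the enable secret hash in the hardened sample is a placeholder.

```python
"""Audit a Cisco IOS running-config text for the hardening items in this article."""

# Constructed sample running-config (not from a real device). It still has
# several of the weak settings the article tells you to remove.
WEAK_CONFIG = """\
hostname test-ssh
enable password cisco123
ip domain-name net.ctocio.com
ip http server
service finger
service udp-small-servers
!
line vty 0 4
 login local
 transport input telnet ssh
!
end
"""

# The same device after applying the article's recommendations (constructed;
# the secret hash is a placeholder, not a real digest).
HARDENED_CONFIG = """\
hostname test-ssh
enable secret 5 $1$salt$PLACEHOLDERHASH
ip domain-name net.ctocio.com
no ip http server
no ip source-route
no ip bootp server
no service finger
no service config
no service udp-small-servers
no service tcp-small-servers
spanning-tree portfast bpduguard default
access-list 1 permit 192.168.1.1
!
line vty 0 4
 access-class 1 in
 login local
 transport input ssh
!
end
"""

# IOS enables these features silently by default, so the running-config only
# shows the explicit "no ..." line once they have been disabled.
REQUIRED_GLOBAL = {
    "no ip source-route": "IP source routing still enabled (route spoofing)",
    "no ip bootp server": "BOOTP server not explicitly disabled",
    "spanning-tree portfast bpduguard default": "BPDU guard not enabled globally",
}

# Top-level lines whose presence is a finding.
FORBIDDEN_GLOBAL = {
    "ip http server": "HTTP server enabled",
    "service finger": "finger service enabled",
    "service config": "config service enabled",
    "service udp-small-servers": "small UDP services enabled",
    "service tcp-small-servers": "small TCP services enabled",
    "enable password": "privileged password stored with 'enable password' (weak)",
}


def parse_config(text):
    """Split an IOS config into top-level lines and indented child blocks.

    Returns (globals, blocks): globals is the list of unindented lines and
    blocks maps a header such as 'line vty 0 4' to its indented child lines.
    """
    top_level, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None          # '!' separates sections in IOS output
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        line = raw.rstrip()
        top_level.append(line)
        if line.startswith(("line ", "interface ")):
            current = line
            blocks.setdefault(current, [])
        else:
            current = None
    return top_level, blocks


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    top_level, blocks = parse_config(text)
    findings = [msg for needed, msg in REQUIRED_GLOBAL.items() if needed not in top_level]
    for line in top_level:
        for bad, msg in FORBIDDEN_GLOBAL.items():
            if line == bad or line.startswith(bad + " "):
                findings.append(msg)
    if not any(line.startswith("enable secret ") for line in top_level):
        findings.append("no 'enable secret' configured")
    vty_blocks = [(h, c) for h, c in blocks.items() if h.startswith("line vty")]
    if not vty_blocks:
        findings.append("no vty lines configured")
    for header, children in vty_blocks:
        if not any(c.startswith("access-class ") and c.endswith(" in") for c in children):
            findings.append(f"{header}: no inbound access-class")
        if not any(c.startswith("login") for c in children):
            findings.append(f"{header}: no login authentication")
        transport = next((c for c in children if c.startswith("transport input")), None)
        if transport is None or transport.split()[2:] != ["ssh"]:
            findings.append(f"{header}: transport input is not restricted to ssh")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or 'no findings'}")
```

Run it against the output of show running-config saved to a file; the checks are deliberately literal (exact IOS line text), so adjust the dictionaries if your platform prints a command differently.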
