Expl sw chapter_02_switches_part_2

CCNA3-1 Chapter 2-2

Switch Concepts and ConfigurationSwitch Concepts and Configuration

Configuring Switch SecurityConfiguring Switch Security

PasswordsPasswordsPasswordsPasswords

EncryptionEncryptionEncryptionEncryption

ConsoleConsoleConsoleConsole

Telnet / SSHTelnet / SSHTelnet / SSHTelnet / SSHPassword RecoveryPassword RecoveryPassword RecoveryPassword Recovery

MAC Address FloodingMAC Address FloodingMAC Address FloodingMAC Address Flooding

Spoofing AttacksSpoofing AttacksSpoofing AttacksSpoofing Attacks

CDP AttacksCDP AttacksCDP AttacksCDP Attacks

Telnet AttacksTelnet AttacksTelnet AttacksTelnet AttacksSecurity ToolsSecurity ToolsSecurity ToolsSecurity Tools

Port SecurityPort SecurityPort SecurityPort Security

CCNA3-2 Chapter 2-2

• HostnameHostname: : Pemberian Nama SwitchPemberian Nama SwitchSwitch#configure terminal Switch#configure terminal

Switch(config)#hostname SW1Switch(config)#hostname SW1

SW1(config)#endSW1(config)#end

• Securing Console AccessSecuring Console Access: : Agar saat mengakses router Agar saat mengakses router melalui console lebih aman dengan adanya password.melalui console lebih aman dengan adanya password.SW1#configure terminal SW1#configure terminal

SW1(config)#line console 0SW1(config)#line console 0

SW1(config-line)#password webmediaSW1(config-line)#password webmedia

SW1(config-line)#loginSW1(config-line)#login

SW1(config-line)#endSW1(config-line)#end

Configuring Basic & Password OptionsConfiguring Basic & Password Options

CCNA3-3 Chapter 2-2

• Securing Virtual Terminal Access:Securing Virtual Terminal Access:• There are 16 available default Telnet sessions as set up There are 16 available default Telnet sessions as set up

for a switch.for a switch.SW1#configure terminal

SW1(config)#line vty 0 15

SW1(config-line)#password webmedia

SW1(config-line)#login

SW1(config-line)#end

Configuring Password OptionsConfiguring Password Options

CCNA3-4 Chapter 2-2

• Securing Privileged EXEC Access:Securing Privileged EXEC Access:• Selalu gunakan Selalu gunakan enable secretenable secret agar password di agar password di

encryptions.encryptions.

SW1#configure terminal SW1#configure terminal

SW1(config)#enable secret webmediaSW1(config)#enable secret webmedia


• Encrypting Switch Passwords:Encrypting Switch Passwords: Kita dapat meng-encrypt Kita dapat meng-encrypt semua passwords yang kita buat di switch, dengan command semua passwords yang kita buat di switch, dengan command service password-encryptionservice password-encryption..SW1#configure terminal SW1#configure terminal

SW1(config)#service password-encryptionSW1(config)#service password-encryption


Configuring Password OptionsConfiguring Password Options

CCNA3-5 Chapter 2-2

• Login Banner:Login Banner:SW1#configure terminal SW1#configure terminal

SW1(config)#banner login “Member Only”SW1(config)#banner login “Member Only”


• Message-Of-The-Day (MOTD) Banner: Message-Of-The-Day (MOTD) Banner: SW1#configure terminal SW1#configure terminal

SW1(config)#banner motd “Sedang Diperbaiki”SW1(config)#banner motd “Sedang Diperbaiki”


Configuring BannerConfiguring Banner

CCNA3-6 Chapter 2-2

• Telnet:Telnet:• Most common method.Most common method.• Virtual Terminal application.Virtual Terminal application.• Send in clear text.Send in clear text.• Not secure.Not secure.

• Secure Shell (SSH):Secure Shell (SSH):• Virtual Terminal application.Virtual Terminal application.• Sends an encrypted data stream.Sends an encrypted data stream.• Is secure.Is secure.

Configure Telnet and SSHConfigure Telnet and SSH

CCNA3-7 Chapter 2-2

• Configuring Telnet:Configuring Telnet:• Telnet is the Telnet is the default transportdefault transport for the vty lines. for the vty lines.• No need to specify it after the initial configuration of the No need to specify it after the initial configuration of the

switch has been performed.switch has been performed.

SW1#configure terminal SW1#configure terminal

SW1(config)#line vty 0 15SW1(config)#line vty 0 15

SW1(config-line)#password SW1(config-line)#password webmediawebmedia

SW1(config-line)#loginSW1(config-line)#login

SW1(config-line)#transport input telnetSW1(config-line)#transport input telnet



CCNA3-8 Chapter 2-2

• Configuring Secure Shell (SSH):Configuring Secure Shell (SSH):• SSH is a cryptographic security feature that is subject to export SSH is a cryptographic security feature that is subject to export

restrictions. To use this feature, a cryptographic image must be restrictions. To use this feature, a cryptographic image must be installed on your switch.installed on your switch.

• Perform the following to configure Perform the following to configure SSH ONLYSSH ONLY Access: Access:SW1#configure terminalSW1#configure terminalSW1(config)#username SW1(config)#username userwebmediauserwebmedia password password webmediawebmedia

SW1#configure terminalSW1#configure terminalSW1(config)#ip domain-name webmedia.comSW1(config)#ip domain-name webmedia.comSW1(config)#crypto key generate rsaSW1(config)#crypto key generate rsaSW1(config)#ip ssh version 2SW1(config)#ip ssh version 2

SW1(config)#line vty 0 15SW1(config)#line vty 0 15SW1(config-line)#login localSW1(config-line)#login localSW1(config-line)#transport input sshSW1(config-line)#transport input sshSW1(config-line)#endSW1(config-line)#end


CCNA3-9 Chapter 2-2

• MAC Address Flooding:Pada pembahasan sebelumnya, kita sudah mengetahui ;

• MAC address table dari switch terdiri dari:

• Berisi alamat MAC yang tersedia pada port fisik yang diberikan ke switch.

• Berisi VLAN parameter yang terkait untuk masing-masing port.

• Dalam pengiriman data akan mencari destination address dari tujuan data frame yang dikirim.• Jika terdapat dalam table mac, akan di forwarded ke port

yang dituju.• Jika tidak terdapat dalam table mac, data frame akan di

forwarded ke semua ports switch kecuali port sumber frame.

Common Security AttacksCommon Security Attacks

CCNA3-10 Chapter 2-2

• Contoh MAC Address Flooding:• Karena MAC address table kapasitasnya terbatas/limited

in size. (misalnya : switch cisco 2950, max 8000 mac-address)

• Maka seorang intruder/penyusup dapat melakukan flooding menggunakan network attack tool yang dapat secara kontiniu mengirim bogus MAC addresses/alamat palsu ke switch.• (e.g. 155,000 MAC addresses per minute)

• When a switch MAC table becomes full and stays full, maka switch akan memforward setiap frame yang diterima ke semua port switch – just like a hub.

• Sehingga intruder/penyusup dapat melihat semua traffic yang ada pada switch.



• Spoofing Attacks:• Man-In-The-Middle (MITM):

• Intercepting/mencegah network traffic.• DHCP or DNS spoofing.• The attacking device responds to DHCP or DNS

requests with IP configuration or address information that points the user to the intruder’s destination.

• DHCP Starvation:• The attacking device continually requests IP

addresses from a real DHCP server with continually changing MAC addresses.

• Eventually the pool of addresses is used up and actual users cannot access the network.



• CDP Attacks:CDP Attacks:• Cisco Discovery Protocol (CDP) is a proprietary protocol Cisco Discovery Protocol (CDP) is a proprietary protocol

that exchanges information among Cisco devices.that exchanges information among Cisco devices.• IP addressIP address• Software versionSoftware version• PlatformPlatform• CapabilitiesCapabilities• Native VLAN Native VLAN (Trunk Links – Chapter 3)(Trunk Links – Chapter 3)..

• With a free network sniffer (Wireshark) an intruder could With a free network sniffer (Wireshark) an intruder could obtain this information.obtain this information.

• It can be used to find ways to perform Denial Of Service It can be used to find ways to perform Denial Of Service (DoS) attacks and others.(DoS) attacks and others.


Usually on by default.Usually on by default.If you don’t need it, turn it off.If you don’t need it, turn it off.

Usually on by default.Usually on by default.If you don’t need it, turn it off.If you don’t need it, turn it off.


• Telnet Attacks:Telnet Attacks:• Recall that Telnet transmits in plain text and is not Recall that Telnet transmits in plain text and is not

secure. While you may have set passwords, the secure. While you may have set passwords, the following types of attacks are possible.following types of attacks are possible.• Brute force (password guessing)Brute force (password guessing)• DoS (Denial of Service)DoS (Denial of Service)• With a free network sniffer (Wireshark) an intruder With a free network sniffer (Wireshark) an intruder

could obtain this information.could obtain this information.• Use strong passwords and change them frequently.Use strong passwords and change them frequently.• Use SSH.Use SSH.



• Membantu Membantu aanda nda untuk untuk menguji jaringan menguji jaringan aanda nda daridari berbagai berbagai kelemahan. kelemahan. Dengan cara menggunakan toolsDengan cara menggunakan tools yang memungkinkan yang memungkinkan aanda untuk memainkan peran seorang hacker dan seorang analis nda untuk memainkan peran seorang hacker dan seorang analis keamanan jaringankeamanan jaringan. Pengetestan yang dilakukan adalah:

a) Network Security Audits:

• Mengumpulkan information Attacker, dengan melakukan monitoring network traffic.

• Tentukan MAC address table limits and age-out period.

b) Network Penetration Testing:

• Identifikasi kelemahan-kelemahan dari security network kita.

• Rencanakan dan buatlah security pada network anda yang tidak akan mempengaruhi performance network tersebut.

Network Security ToolsNetwork Security Tools


c) Common Features:• Service Identification:

• IANA port numbers, discover FTP and HTTP servers, test all of the services running on a host.

• Support of SSL Service:• Testing services that use SSL Level security.• HTTPS, SMTPS, IMAPS and security certificates.

• Non-destructive and Destructive Testing:• Security audits that can degrade performance.

• Database of Vulnerabilities (kerentanan database):• Compile a database that can be updated over time.



• Dengan tools tersebut, kita dapat melakukan:Dengan tools tersebut, kita dapat melakukan:• Capture chat messages.Capture chat messages.• Capture files from NFS traffic.Capture files from NFS traffic.• Capture HTTP requests.Capture HTTP requests.• Capture mail messages.Capture mail messages.• Capture passwords.Capture passwords.• Display captured URLs in a browser in real-time.Display captured URLs in a browser in real-time.• Flood a switched LAN with random MAC addresses.Flood a switched LAN with random MAC addresses.• Forge replies to DNS addresses.Forge replies to DNS addresses.• Intercept packets.Intercept packets.



• Implement Port Security to:• Port security is disabled by default.• Limit the number of valid MAC addresses allowed on a

port.• Ketika mac address port security diaktifkan pada port

switch, maka port tidak akan mem-forward packets jika source addresses bukanlah address yang telah kita defenisikan/tentukan.• Specify a group of valid MAC addresses allowed on a

port.• Or Allow only one MAC address access to the port.

• Specify that the port automatically shuts down (Security Violation Modes) if an invalid MAC address is detected.

Configuring Port SecurityConfiguring Port Security


• Secure MAC Address types:

1. Static:• Manually specify that a specific MAC address is the

ONLY address allowed to connect to that port.• They are added to the MAC address table and stored

in the running configuration.

2. Dynamic:• MAC addresses are learned dynamically when a

device connects to the switch.• They are stored in the address table and are lost

when the switch reloads.



3. Sticky:• Specifies that MAC addresses are:

• Dynamically learned.• Added to the MAC address table.• Stored in the running configuration.

• You may also manually add a MAC address.



• Security Violation Modes:• Terjadi ketika:

• Host dengan MAC address yang tidak terdapat dalam mac address table mencoba untuk mengakses interface dan kondisi address table sudah full/penuh.

• Sebuah mac address yang digunakan pada 2 interface yang secure di VLAN yang sama.

• Modes:• Protect: drop frames – no notify• Restrict: drop frames - notify• Shutdown: disable port - notify



• Default/Static Port Security Configuration:Default/Static Port Security Configuration:Switch(config)#interface FastEthernet0/1Switch(config)#interface FastEthernet0/1

Switch(config-if)#description Port to PC1Switch(config-if)#description Port to PC1

Switch(config-if)#switchport access vlan 1Switch(config-if)#switchport access vlan 1

Switch(config-if)#switchport mode accessSwitch(config-if)#switchport mode access

Switch(config-if)#switchport port-securitySwitch(config-if)#switchport port-security

Switch(config-if)#switchport port-security mac-address Switch(config-if)#switchport port-security mac-address

0003.E4A3.EC190003.E4A3.EC19



• Configure Dynamic Port Security:

• Dynamically learned when the device connects.

• Added to MAC table only.



Switch(config-if)#switchport port-security maximum 3 Switch(config-if)#switchport port-security maximum 3 (1-132)(1-132)

Switch(config-if)#switchport port-security mac-address Switch(config-if)#switchport port-security mac-address mac-ad1mac-ad1



Switch(config)#interface FastEthernet0/1Switch(config)#interface FastEthernet0/1

Switch(config-if)#description Port to PC1Switch(config-if)#description Port to PC1

Switch(config-if)#switchport access vlan 1Switch(config-if)#switchport access vlan 1

Switch(config-if)#switchport mode accessSwitch(config-if)#switchport mode access


• Configure Static Port Security with Dynamic LearningConfigure Static Port Security with Dynamic Learning

• Dynamically learned from list static mac-address when the device connects.Dynamically learned from list static mac-address when the device connects.

• Added Added ManuallyManually to MAC table and Running Configurations to MAC table and Running Configurations


• Configure Sticky Port Security:• Dynamically learn MAC addresses.• Added Auto to MAC table and save in Running Configuration.


Switch(config)#interface FastEthernet0/1

Switch(config-if)#description Port to PC1

Switch(config-if)#switchport access vlan 1

Switch(config-if)#switchport mode access

Switch(config-if)#switchport port-security

Switch(config-if)#switchport port-security maximum 3 (1-132)

Switch(config-if)#switchport port-security mac-address sticky

Jika port switch dihubungkan ke komputer, akan secara auto menambahkan configurasi sticky mac-addressnya, maksimum 3 mac-address, misalnya :

switchport port-security mac-address sticky 0007.EC74.2861




• Verify Port Security Settings:Verify Port Security Settings:

Verify Port SecurityVerify Port Security


• Verify Secure MAC Addresses:Verify Secure MAC Addresses:

Verify Port SecurityVerify Port Security


• Disable unused ports:Disable unused ports:

Securing Unused PortsSecuring Unused Ports

You can specify a range of interfaces.You can specify a range of interfaces.For example, to specify the first 10 interfaces:For example, to specify the first 10 interfaces:

interface range fastethernet 0/1 - 10interface range fastethernet 0/1 - 10

You can specify a range of interfaces.You can specify a range of interfaces.For example, to specify the first 10 interfaces:For example, to specify the first 10 interfaces:

interface range fastethernet 0/1 - 10interface range fastethernet 0/1 - 10


End Chapter 02End Chapter 02

Lab ActivityLab Activity

Expl sw chapter_02_switches_part_2

Technology

Transcript of Expl sw chapter_02_switches_part_2