Topic 1: System Hardening and Availability
1.3 Limit Access to the Network with Infrastructure ACLs
Devised to prevent unauthorized direct communication to network devices, infrastructure access control lists (iACLs) are one of the most critical security controls that can be implemented in networks. Infrastructure ACLs leverage the idea that nearly all network traffic traverses the network and is not destined to the network itself.
An iACL is constructed and applied in order to specify connections from hosts or networks that need to be allowed to network devices. Common examples of these types of connections are eBGP, SSH, and SNMP. After the required connections have been permitted, all other traffic to the infrastructure is explicitly denied. All transit traffic that crosses the network and is not destined to infrastructure devices is then explicitly permitted.
The protections provided by iACLs are relevant to both the management and control planes. The implementation of iACLs can be made easier through the use of distinct addressing for network infrastructure devices.
This example iACL configuration illustrates the structure that must be used as a starting point when you begin the iACL implementation process:
! ip access-list extended ACL-INFRASTRUCTURE-IN ! !--- Permit required connections for routing protocols and !--- network management ! permit tcp host <trusted-ebgp-peer> host <local-ebgp-address> eq 179 permit tcp host <trusted-ebgp-peer> eq 179 host <local-ebgp-address> permit tcp host <trusted-management-stations> any eq 22 permit udp host <trusted-netmgmt-servers> any eq 161 ! !--- Deny all other IP traffic to any network device ! deny ip any <infrastructure-address-space> <mask> ! !--- Permit transit traffic ! permit ip any any !
Once created, the iACL must be applied to all interfaces that face non-infrastructure devices. This includes interfaces that connect to other organizations, remote access segments, user segments, and segments in data centers.
ICMP Packet Filtering
The Internet Control Message Protocol (ICMP) is designed as an IP control protocol. As such, the messages it conveys can have far-reaching ramifications to the TCP and IP protocols in general. While the network troubleshooting tools ping and traceroute use ICMP, external ICMP connectivity is rarely needed for the proper operation of a network.
Cisco IOS software provides functionality in order to specifically filter ICMP messages by name or type and code. This example ACL, which must be used with the access control entries (ACEs) from previous examples, allows pings from trusted management stations and NMS servers and blocks all other ICMP packets:
! ip access-list extended ACL-INFRASTRUCTURE-IN ! !--- Permit ICMP Echo (ping) from trusted management stations and servers ! permit icmp host <trusted-management-stations> any echo permit icmp host <trusted-netmgmt-servers> any echo ! !--- Deny all other IP traffic to any network device ! deny ip any <infrastructure-address-space> <mask> ! !--- Permit transit traffic ! permit ip any any !
Filter IP Fragments
The filter process for fragmented IP packets can pose a challenge to security devices. This is because the Layer 4 information that is used in order to filter TCP and UDP packets is only present in the initial fragment. Cisco IOS software uses a specific method in order to check non-initial fragments against configured access lists. Cisco IOS software evaluates these non-initial fragments against the ACL and ignores any Layer 4 filtering information. This causes non-initial fragments to be evaluated solely on the Layer 3 portion of any configured ACE.
In this example configuration, if a TCP packet destined to 192.168.1.1 on port 22 is fragmented in transit, the initial fragment is dropped as expected by the second ACE based on the Layer 4 information within the packet. However, all remaining (non-initial) fragments are allowed by the first ACE based completely on the Layer 3 information in the packet and ACE. This scenario is shown in this configuration:
! ip access-list extended ACL-FRAGMENT-EXAMPLE permit tcp any host 192.168.1.1 eq 80 deny tcp any host 192.168.1.1 eq 22 !>
Due to the nonintuitive nature of fragment handling, IP fragments are often inadvertently permitted by ACLs. Fragmentation is also often used in attempts to evade detection by intrusion detection systems. It is for these reasons that IP fragments are often used in attacks, and why they must be explicitly filtered at the top of any configured iACLs. This example ACL includes comprehensive filtering of IP fragments. The functionality from this example must be used in conjunction with the functionality of the previous examples.
! ip access-list extended ACL-INFRASTRUCTURE-IN ! !--- Deny IP fragments using protocol-specific ACEs to aid in !--- classification of attack traffic ! deny tcp any any fragments deny udp any any fragments deny icmp any any fragments deny ip any any fragments ! !--- Deny all other IP traffic to any network device ! deny ip any <infrastructure-address-space> <mask> ! !--- Permit transit traffic ! permit ip any any !
ACL Support for Filtering IP Options
Cisco IOS Software Release 12.3(4)T added support for the use of ACLs to filter IP packets based on the IP options that are contained in the packet. IP options present a security challenge for network devices because these options must be processed as exception packets. This requires a level of CPU effort that is not required for typical packets that traverse the network. The presence of IP options within a packet can also indicate an attempt to subvert security controls in the network or otherwise alter the transit characteristics of a packet. It is for these reasons that packets with IP options must be filtered at the edge of the network.
This example must be used with the ACEs from previous examples in order to include complete filtering of IP packets that contain IP options:
! ip access-list extended ACL-INFRASTRUCTURE-IN ! !--- Deny IP packets containing IP options ! deny ip any any option any-options ! !--- Deny all other IP traffic to any network device ! deny ip any <infrastructure-address-space> <mask> ! !--- Permit transit traffic ! permit ip any any !
ACL Support to Filter on TTL Value
Cisco IOS Software Release 12.4(2)T added ACL support to filter IP packets based on the Time to Live (TTL) value. The TTL value of an IP datagram is decremented by each network device as a packet flows from source to destination. Although initial values vary by operating system, when the TTL of a packet reaches zero, the packet must be dropped. The device that decrements the TTL to zero, and therefore drops the packet, is required in order to generate and send an ICMP Time Exceeded message to the source of the packet.
The generation and transmission of these messages is an exception process. Routers can perform this function when the number of IP packets that are due to expire is low, but if the number of packets due to expire is high, generation and transmission of these messages can consume all available CPU resources. This presents a DoS attack vector. It is for this reason that devices need to be hardened against DoS attacks that utilize a high rate of IP packets that are due to expire.
It is recommended that organizations filter IP packets with low TTL values at the edge of the network. Completely filtering packets with TTL values insufficient to traverse the network mitigates the threat of TTL-based attacks.
This example ACL filters packets with TTL values less than six. This provides protection against TTL expiry attacks for networks up to five hops in width.
! ip access-list extended ACL-INFRASTRUCTURE-IN ! !--- Deny IP packets with TTL values insufficient to traverse the network ! deny ip any any ttl lt 6 ! !--- Deny all other IP traffic to any network device ! deny ip any <infrastructure-address-space> <mask> ! !--- Permit transit traffic ! permit ip any any !
Note: Some protocols make legitimate use of packets with low TTL values. eBGP is one such protocol.
Next Topic: Secure Interactive Management Sessions
Topic 1: System Hardening and Availability
1.2 Understanding Management Plane Security Technologies and Core Concepts Covering Security Features Available to Protect the Management Plane.
The management plane consists of functions that achieve the management goals of the network. This includes interactive management sessions that use SSH, as well as statistics-gathering with SNMP or NetFlow. When you consider the security of a network device, it is critical that the management plane be protected. If a security incident is able to undermine the functions of the management plane, it can be impossible for you to recover or stabilize the network.
General Management Plane Hardening
The management plane is used in order to access, configure, and manage a device, as well as monitor its operations and the network on which it is deployed. The management plane is the plane that receives and sends traffic for operations of these functions. You must secure both the management plane and control plane of a device, because operations of the control plane directly affect operations of the management plane. This list of protocols is used by the management plane:
- Simple Network Management Protocol
- Secure Shell Protocol
- File Transfer Protocol
- Trivial File Transfer Protocol
- Secure Copy Protocol
- Network Time Protocol
Steps must be taken to ensure the survival of the management and control planes during security incidents. If one of these planes is successfully exploited, all planes can be compromised.
A) Password Management
Passwords control access to resources or devices. As a security best practice, passwords must be managed with a TACACS+ or RADIUS authentication server. However, note that a locally configured password for privileged access is still needed in the event of failure of the TACACS+ or RADIUS services. A device can also have other password information present within its configuration, such as an NTP key, SNMP community string, or Routing Protocol key.
enable secret: The enable secret command is used in order to set the password that grants privileged administrative access to the Cisco IOS system. The enable secret command must be used, rather than the older enable password command. The enable password command uses a weak encryption algorithm.
If no enable secret is set and a password is configured for the console tty line, the console password can be used in order to receive privileged access, even from a remote virtual tty (vty) session. This action is almost certainly unwanted and is another reason to ensure configuration of an enable secret.
service password-encryption:The service password-encryption global configuration command directs the Cisco IOS software to encrypt the passwords, Challenge Handshake Authentication Protocol (CHAP) secrets, and similar data that are saved in its configuration file. Such encryption is useful in order to prevent casual observers from reading passwords, such as when they look at the screen over the muster of an administrator.
The enable secret command and the Enhanced Password Security feature use Message Digest 5 (MD5) for password hashing. This algorithm has had considerable public review and is not known to be reversible. However, the algorithm is subject to dictionary attacks.
B) Enhanced Password Security
The feature Enhanced Password Security, introduced in Cisco IOS Software Release 12.2(8)T, allows an administrator to configure MD5 hashing of passwords for the username command. Prior to this feature, there were two types of passwords: Type 0, which is a cleartext password, and Type 7, which uses the algorithm from the Vigen re cipher. The Enhanced Password Security feature cannot be used with protocols that require the cleartext password to be retrievable, such as CHAP.
In order to encrypt a user password with MD5 hashing, issue the username secret global configuration command.
! username <name> secret <password> !
C) Login Password Retry Lockout
The Login Password Retry Lockout feature, added in Cisco IOS Software Release 12.3(14)T, allows you to lock out a local user account after a configured number of unsuccessful login attempts. Once a user is locked out, their account is locked until you unlock it. An authorized user who is configured with privilege level 15 cannot be locked out with this feature. The number of users with privilege level 15 must be kept to a minimum.
Note that authorized users can lock themselves out of a device if the number of unsuccessful login attempts is reached. Additionally, a malicious user can create a denial of service (DoS) condition with repeated attempts to authenticate with a valid username.
This example shows how to enable the Login Password Retry Lockout feature:
! aaa new-model aaa local authentication attempts max-fail <max-attempts> aaa authentication login default local ! username <name> secret <password> !
This feature also applies to authentication methods such as CHAP and Password Authentication Protocol (PAP).
D) No Service Password-Recovery
In Cisco IOS Software Release 12.3(14)T and later, the No Service Password-Recovery feature does not allow anyone with console access to insecurely access the device configuration and clear the password. It also does not allow malicious users to change the configuration register value and access NVRAM.
! no service password-recovery !
The current password recovery procedure enables anyone with console access to access the device and its network. The No Service Password-Recovery feature prevents the completion of the Break key sequence and the entering of ROMMON during system startup.
If no service password-recovery is enabled on a device, it is recommended that an offline copy of the device configuration be saved and that a configuration archiving solution be implemented. If it is necessary to recover the password of a Cisco IOS device once this feature is enabled, the entire configuration is deleted.
E) Disable Unused Services
As a security best practice, any unnecessary service must be disabled. These unneeded services, especially those that use User Datagram Protocol (UDP), are infrequently used for legitimate purposes, but can be used in order to launch DoS and other attacks that are otherwise prevented by packet filtering.
The TCP and UDP small services must be disabled. These services include:
- echo (port number 7)
- discard (port number 9)
- daytime (port number 13)
- chargen (port number 19)
Although abuse of the small services can be avoided or made less dangerous by anti-spoofing access lists, the services must be disabled on any device accessible within the network. The small services are disabled by default in Cisco IOS Software Releases 12.0 and later. In earlier software, the no service tcp-small-servers and no service udp-small-servers global configuration commands can be issued in order to disable them.
This is a list of additional services that must be disabled if not in use:
- Issue the no ip finger global configuration command in order to disable Finger service. Cisco IOS software releases later than 12.1(5) and 12.1(5)T disable this service by default.
- Issue the no ip bootp server global configuration command in order to disable Bootstrap Protocol (BOOTP).
- In Cisco IOS Software Release 12.2(8)T and later, issue the ip dhcp bootp ignore command in global configuration mode in order to disable BOOTP. This leaves Dynamic Host Configuration Protocol (DHCP) services enabled.
- DHCP services can be disabled if DHCP relay services are not required. Issue the no service dhcp command in global configuration mode.
- Issue the no mop enabled command in interface configuration mode in order to disable the Maintenance Operation Protocol (MOP) service.
- Issue the no ip domain-lookup global configuration command in order to disable Domain Name System (DNS) resolution services.
- Issue the no service pad command in global configuration mode in order to disable Packet Assembler/Disassembler (PAD) service, which is used for X.25 networks.
- The HTTP server can be disabled with the no ip http server command in global configuration mode, and Secure HTTP (HTTPS) server can be disabled with the no ip http secure-server global configuration command.
- Unless Cisco IOS devices retrieve configurations from the network during startup, the no service config global configuration command must be used. This prevents the Cisco IOS device from an attempt to locate a configuration file on the network with TFTP.
- Cisco Discovery Protocol (CDP) is a network protocol that is used in order to discover other CDP enabled devices for neighbor adjacency and network topology. CDP can be used by Network Management Systems (NMS) or during troubleshooting. CDP must be disabled on all interfaces that are connected to untrusted networks. This is accomplished with the no cdp enable interface command. Alternatively, CDP can be disabled globally with the no cdp run global configuration command. Note that CDP can be used by a malicious user for reconnaissance and network mapping.
- Link Layer Discovery Protocol (LLDP) is an IEEE protocol that is defined in 802.1AB. LLDP is similar to CDP. However, this protocol allows interoperability between other devices that do not support CDP. LLDP must be treated in the same manner as CDP and disabled on all interfaces that connect to untrusted networks. In order to accomplish this, issue the no lldp transmit and no lldp receive interface configuration commands. Issue the no lldp run global configuration command in order to disable LLDP globally. LLDP can also be used by a malicious user for reconnaissance and network mapping.
F) EXEC Timeout
In order to set the interval that the EXEC command interpreter waits for user input before it terminates a session, issue the exec-timeout line configuration command. The exec-timeout command must be used in order to logout sessions on vty or tty lines that are left idle. By default, sessions are disconnected after 10 minutes of inactivity.
! line con 0 exec-timeout <minutes> [seconds] line vty 0 4 exec-timeout <minutes> [seconds] !
G) Keepalives for TCP Sessions
The service tcp-keepalives-in and service tcp-keepalives-out global configuration commands enable a device to send TCP keepalives for TCP sessions. This configuration must be used in order to enable TCP keepalives on inbound connections to the device and outbound connections from the device. This ensures that the device on the remote end of the connection is still accessible and that half-open or orphaned connections are removed from the local Cisco IOS device.
! service tcp-keepalives-in service tcp-keepalives-out !
H) Management Interface Use
The management plane of a device is accessed in-band or out-of-band on a physical or logical management interface. Ideally, both in-band and out-of-band management access exists for each network device so that the management plane can be accessed during network outages.
One of the most common interfaces that is used for in-band access to a device is the logical loopback interface. Loopback interfaces are always up, whereas physical interfaces can change state, and the interface can potentially not be accessible. It is recommended to add a loopback interface to each device as a management interface and that it be used exclusively for the management plane. This allows the administrator to apply policies throughout the network for the management plane. Once the loopback interface is configured on a device, it can be used by management plane protocols, such as SSH, SNMP, and syslog, in order to send and receive traffic.
! interface Loopback0 ip address 192.168.1.1 255.255.255.0 !
I) Memory Threshold Notifications
The feature Memory Threshold Notification, added in Cisco IOS Software Release 12.3(4)T, allows you to mitigate low-memory conditions on a device. This feature uses two methods in order to accomplish this: Memory Threshold Notification and Memory Reservation.
Memory Threshold Notification generates a log message in order to indicate that free memory on a device has fallen lower than the configured threshold. This configuration example shows how to enable this feature with the memory free low-watermark global configuration command. This enables a device to generate a notification when available free memory falls lower than the specified threshold, and again when available free memory rises to five percent higher than the specified threshold.
! memory free low-watermark processor <threshold> memory free low-watermark io <threshold> !
Memory Reservation is used so that sufficient memory is available for critical notifications. This configuration example demonstrates how to enable this feature. This ensures that management processes continue to function when the memory of the device is exhausted.
! memory reserve critical <value> !
J) CPU Thresholding Notification
Introduced in Cisco IOS Software Release 12.3(4)T, the CPU Thresholding Notification feature allows you to detect and be notified when the CPU load on a device crosses a configured threshold. When the threshold is crossed, the device generates and sends an SNMP trap message. Two CPU utilization thresholding methods are supported on Cisco IOS software: Rising Threshold and Falling Threshold.
This example configuration shows how to enable the Rising and Falling Thresholds that trigger a CPU threshold notification message:
! snmp-server enable traps cpu threshold ! snmp-server host <host-address> <community-string> cpu ! process cpu threshold type <type> rising <percentage> interval <seconds> [falling <percentage> interval <seconds>] process cpu statistics limit entry-percentage <number> [size <seconds>] !
K) Reserve Memory for Console Access
In Cisco IOS Software Release 12.4(15)T and later, the Reserve Memory for Console Access feature can be used in order to reserve enough memory to ensure console access to a Cisco IOS device for administrative and troubleshooting purposes. This feature is especially beneficial when the device runs low on memory. You can issue the memory reserve console global configuration command in order to enable this feature. This example configures a Cisco IOS device to reserve 4096 kilobytes for this purpose.
! memory reserve console 4096 !
L) Memory Leak Detector
Introduced in Cisco IOS Software Release 12.3(8)T1, the Memory Leak Detector feature allows you to detect memory leaks on a device. Memory Leak Detector is able to find leaks in all memory pools, packet buffers, and chunks. Memory leaks are static or dynamic allocations of memory that do not serve any useful purpose. This feature focuses on memory allocations that are dynamic. You can use the show memory debug leaks EXEC command in order to detect if a memory leak exists.
M) Buffer Overflow: Detection and Correction of Redzone Corruption
In Cisco IOS Software Release 12.3(7)T and later, the Buffer Overflow: Detection and Correction of Redzone Corruption feature can be enabled by on a device in order to detect and correct a memory block overflow and to continue operations.
These global configuration commands can be used in order to enable this feature. Once configured, the show memory overflow command can be used in order to display the buffer overflow detection and correction statistics.
! exception memory ignore overflow io exception memory ignore overflow processor !
N) Enhanced Crashinfo File Collection
The Enhanced Crashinfo File Collection feature automatically deletes old crashinfo files. This feature, added in Cisco IOS Software Release 12.3(11)T, allows a device to reclaim space in order to create new crashinfo files when the device crashes. This feature also allows configuration of the number of crashinfo files to be saved.
! exception crashinfo maximum files <number-of-files> !
O) Network Time Protocol
The Network Time Protocol (NTP) is not an especially dangerous service, but any unneeded service can represent an attack vector. If NTP is used, it is important to explicitly configure a trusted time source and to use proper authentication. Accurate and reliable time is required for syslog purposes, such as during forensic investigations of potential attacks, as well as for successful VPN connectivity when depending on certificates for Phase 1 authentication.
- NTP Time Zone – When you configure NTP, the time zone needs to be configured so that timestamps can be accurately correlated. There are usually two approaches to configure the time zone for devices in a network with a global presence. One method is to configure all network devices with the Coordinated Universal Time (UTC) (previously Greenwich Mean Time (GMT)). The other approach is to configure network devices with the local time zone. More information on this feature can be found in ?clock timezone? in the Cisco product documentation.
- NTP Authentication – If you configure NTP authentication, it provides assurance that NTP messages are exchanged between trusted NTP peers.
Next Topic: Understanding Management Plane Security Technologies and Core Concepts Covering Security Features Available to Protect the Management Plane:- Limit Access to the Network with Infrastructure ACLs
I know, every Network Security Engineer has a dream of completing CCIE Security certification. But the fact is it’s really a pain in vain. So i am trying to prepare all the CCIE security V4 topics here one-by-one for easy reading and preparation.
Your comments and suggestions are really appreciated.
Topic 1: System Hardening and Availability
1.1 Understanding Types of Traffic Planes on a Cisco Router (Control, Management and Data)
This article contains information to help you secure your Cisco IOS® system devices, which increases the overall security of your network. Structured around the three planes into which functions of a network device can be categorized, this document provides an overview of each included feature and references to related documentation.
The three functional planes of a network – the management plane, control plane, and data plane – each provide different functionality that needs to be protected.
- Management Plane – The management plane manages traffic that is sent to the Cisco IOS device and is made up of applications and protocols such as Secure Shell (SSH) and Simple Network Management Protocol (SNMP).
- Control Plane – The control plane of a network device processes the traffic that is paramount to maintain the functionality of the network infrastructure. The control plane consists of applications and protocols between network devices, which includes the Border Gateway Protocol (BGP), as well as the Interior Gateway Protocols (IGPs) such as the Enhanced Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First (OSPF).
- Data Plane – The data plane forwards data through a network device. The data plane does not include traffic that is sent to the local Cisco IOS device.
Next Topic: Understanding Management Plane Security Technologies and Core Concepts Covering Security Features Available to Protect the Management Plane.
Recently, a major security vulnerability named “Heartbleed” has made headlines around the world. This is a severe vulnerability stemming from a coding mistake in a widely-used security utility called OpenSSL.
The bug affects the encryption technology designed to protect your sensitive data on the Internet, like usernames, passwords and emails.
This is a flaw in the OpenSSL encryption code, not a virus that can be stopped by McAfee or other consumer security software. Because this vulnerability takes advantage of servers, and not consumer devices, businesses need to update to the latest version of OpenSSL to mitigate and address the dangers posed.
The severity of the Heartbleed vulnerability cannot be overstated: several major enterprises use OpenSSL, and are likely affected by this vulnerability as well. The dangers posed by this vulnerability are very real and could affect you if exploited.
So what do you need to do?
- Right now, the best thing you can do is wait to be notified about affected services and patches or you can.
- If you’d like to investigate whether or not a website you frequent has been affected, you can use this tool.
- Reset your password for every online service affected by Heartbleed. But beware:you should only change your password after the afflicted business has fixed its servers to remove the Heartbleed vulnerability. Changing your passwords before a company’s servers are updated will not protect your credentials from being leaked.
You’re likely affected either directly or indirectly by the bug, which was found by a member of Google’s security team and a software firm named Codenomicon.
The bad news: There’s not a lot you can do about it now. It’s the responsibility of Internet companies to update their servers to deal with Heartbleed, and once they do, you can take action.
The issue involves network software called OpenSSL, which is an open-source set of libraries for encrypting online services. In theory, a cybercriminal could have exploited Heartbleed by making network requests that could piece together your sensitive data.
The good news: There isn’t any indication that a hacker caught wind of this; it seems the researchers were the first to locate the problem.
But the scary part is that attackers could have infiltrated these websites, extracted the information they wanted and left no trace of their presence. Thus, it’s hard to determine whether someone ever exploited the bug, or if your account information was compromised.
What to do
First, check which sites you use are affected. If you don’t want to read through the long list of websites with the security flaw, the password security firm LastPass has set up a Heartbleed Checker, which lets you enter the URL of any website to check its vulnerability to the bug and if the site has issued a patch.
Next, change your passwords for major accounts — email, banking and social media logins — on sites that were affected by Heartbleed but patched the problem. That patch should also include reissuing any digital certificates that might be vulnerable. However, if the site or service hasn’t patched the flaw yet, there’s no point to changing your password. Instead, ask the company when it expects to push out a fix to deal with Heartbleed.
A big cause for concern is related to sites that have your sensitive information, such as Yahoo and OKCupid (most people aren’t logging into NASA.gov with private data). Both companies have since issued a patch to fix the security hole, so users with accounts with those companies — including Yahoo Mail, Flickr and so on — should update their passwords immediately.
It’s important to wait to get the “all clear” sign from a company or service before changing, especially now that this bug is out in the open. Changing a password before the bug is fully patched wont’ make things any better.
Facebook and Twitter use OpenSSL web servers, though it’s still unclear whether or not they were vulnerable to the issue.Facebook reportedly issued a security patch, as did Google.
Other websites that have issued an OpenSSL software security update include WordPress, Amazon Web Services and Akamai.
Some websites not considered vulnerable include AOL, Foursquare and Evernote, among others.
“It’s a big deal for Internet users, especially when it comes to protecting financial information,” Joe Siegrist, CEO and cofounder of LastPass, told. “Some financial organizations are using more conservative web security choices like Microsoft, which is not vulnerable to the bug, so users should check and see if their bank has been affected.”
Make sure to keep an eye on sensitive online accounts, especially banking and email, for suspicious activity for the next week or so.
Heartbleed checker tools:
lets hope for the best. 🙂
IP source guard is a security feature that restricts IP traffic on non-routed, Layer 2 interfaces by filtering traffic based on the DHCP snooping binding database and on manually configured IP source bindings. You can use IP source guard to prevent traffic attacks caused when a host tries to use the IP address of its neighbor.
You can enable IP source guard when DHCP snooping is enabled on an untrusted interface. After IP source guard is enabled on an interface, the switch blocks all IP traffic received on the interface, except for DHCP packets allowed by DHCP snooping. A port access control list (ACL) is applied to the interface. The port ACL allows only IP traffic with a source IP address in the IP source binding table and denies all other traffic.
The IP source binding table has bindings that are learned by DHCP snooping or are manually configured (static IP source bindings). An entry in this table has an IP address, its associated MAC address, and its associated VLAN number. The switch uses the IP source binding table only when IP source guard is enabled.
IP source guard is supported only on Layer 2 ports, including access and trunk ports.You can configure IP source guard with source IP address filtering or with source IP and MAC address filtering.
These sections contain this information:
•Source IP Address Filtering
•Source IP and MAC Address Filtering
Source IP Address Filtering
When IP source guard is enabled with this option, IP traffic is filtered based on the source IP address. The switch forwards IP traffic when the source IP address matches an entry in the DHCP snooping binding database or a binding in the IP source binding table.
When a DHCP snooping binding or static IP source binding is added, changed, or deleted on an interface, the switch modifies the port ACL using the IP source binding changes, and re-applies the port ACL to the interface.
If you enable IP source guard on an interface on which IP source bindings (dynamically learned by DHCP snooping or manually configured) are not configured, the switch creates and applies a port ACL that denies all IP traffic on the interface. If you disable IP source guard, the switch removes the port ACL from the interface.
Source IP and MAC Address Filtering
When IP source guard is enabled with this option, IP traffic is filtered based on the source IP and MAC addresses. The switch forwards traffic only when the source IP and MAC addresses match an entry in the IP source binding table.
When IP source guard with source IP and MAC address filtering is enabled, the switch filters IP and non-IP traffic. If the source MAC address of an IP or non-IP packet matches a valid IP source binding, the switch forwards the packet. The switch drops all other types of packets except DHCP packets.
The switch uses port security to filter source MAC addresses. The interface can shut down when a port-security violation occurs.
Default IP Source Guard Configuration
By default, IP source guard is disabled.
IP Source Guard Configuration Guidelines
These are the configuration guides for IP source guard:
•You can configure static IP bindings only on nonrouted ports. If you enter the ip source binding mac-address vlan vlan-id ip-address interface interface-id global configuration command on a routed interface, this error message appears:
•Static IP source binding can only be configured on switch port.
•When IP source guard with source IP filtering is enabled on a VLAN, DHCP snooping must be enabled on the access VLAN to which the interface belongs.
•If you are enabling IP source guard on a trunk interface with multiple VLANs and DHCP snooping is enabled on all the VLANs, the source IP address filter is applied on all the VLANs
•When IP source guard with source IP and MAC address filtering is enabled, DHCP snooping and port security must be enabled on the interface.
•When configuring IP source guard on interfaces on which a private VLAN is configured, port security is not supported.
•IP source guard is not supported on EtherChannels.
•You can enable this feature when IEEE 802.1x port-based authentication is enabled.
•If the number of ternary content addressable memory (TCAM) entries exceeds the maximum available, the CPU usage increases.
This example shows how to enable IP source guard with source IP and MAC filtering.
Switch# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch(config)# interface gigabitethernet1/0/1 Switch(config-if)# ip verify source port-security Switch(config-if)# exit Switch(config)# ip source binding 0100.0022.0010 vlan 10 10.0.0.2 interface gigabitethernet1/0/1 Switch(config)# ip source binding 0100.0230.0002 vlan 11 10.0.0.4 interface gigabitethernet1/0/1 Switch(config)# end
Commands for Displaying IP Source Guard Information
show ip source binding --> Display the IP source bindings on a switch show ip verify source --> Display the IP source guard configuration on the switch
If you feel this article helped you to get some learning, please support by clicking below.
What is a denial-of-service (DoS) attack?
In a denial-of-service (DoS) attack, an attacker attempts to prevent legitimate users from accessing information or services. By targeting your computer and its network connection, or the computers and network of the sites you are trying to use, an attacker may be able to prevent you from accessing email, websites, online accounts (banking, etc.), or other services that rely on the affected computer.
The most common and obvious type of DoS attack occurs when an attacker “floods” a network with information. When you type a URL for a particular website into your browser, you are sending a request to that site’s computer server to view the page. The server can only process a certain number of requests at once, so if an attacker overloads the server with requests, it can’t process your request. This is a “denial of service” because you can’t access that site.
An attacker can use spam email messages to launch a similar attack on your email account. Whether you have an email account supplied by your employer or one available through a free service such as Yahoo or Hotmail, you are assigned a specific quota, which limits the amount of data you can have in your account at any given time. By sending many, or large, email messages to the account, an attacker can consume your quota, preventing you from receiving legitimate messages.
What is a distributed denial-of-service (DDoS) attack?
In a distributed denial-of-service (DDoS) attack, an attacker may use your computer to attack another computer. By taking advantage of security vulnerabilities or weaknesses, an attacker could take control of your computer. He or she could then force your computer to send huge amounts of data to a website or send spam to particular email addresses. The attack is “distributed” because the attacker is using multiple computers, including yours, to launch the denial-of-service attack.
How do you avoid being part of the problem?
Unfortunately, there are no effective ways to prevent being the victim of a DoS or DDoS attack, but there are steps you can take to reduce the likelihood that an attacker will use your computer to attack other computers:
- Install and maintain anti-virus software
- Install a firewall, and configure it to restrict traffic coming into and leaving your computer
- Follow good security practices for distributing your email address. Applying email filters may help you manage unwanted traffic.
How do you know if an attack is happening?
Not all disruptions to service are the result of a denial-of-service attack. There may be technical problems with a particular network, or system administrators may be performing maintenance. However, the following symptoms could indicate a DoS or DDoS attack:
- unusually slow network performance (opening files or accessing websites)
- unavailability of a particular website
- inability to access any website
- dramatic increase in the amount of spam you receive in your account
What do you do if you think you are experiencing an attack?
Even if you do correctly identify a DoS or DDoS attack, it is unlikely that you will be able to determine the actual target or source of the attack. Contact the appropriate technical professionals for assistance.
- If you notice that you cannot access your own files or reach any external websites from your work computer, contact your network administrators. This may indicate that your computer or your organization’s network is being attacked.
- If you are having a similar experience on your home computer, consider contacting your internet service provider (ISP). If there is a problem, the ISP might be able to advise you of an appropriate course of action.
You may have heard of denial-of-service attacks launched against websites, but you can also be a victim of these attacks. Be up to date and have a pleasant computing.
If you feel this article helped you to get some learning, please support by clicking below.
Simply the best..!!!
In this Micro Nugget, trainer Keith Barker provides a brief overview of how the Internet works together with BGP (Border Gateway Protocol), and how BGP chooses the best route when presented with multiple paths.
( Copyright is owned by CBT Nuggets)
An interesting narration which helps you to understand the basics of junos.
Copyright (if any) owned by CBT Nuggets.
BatchWiper is a Trojan that can delete every file and user profiles on the hard drive of compromised users. This Trojan uses an extremely simple attack vector of creating BAT files and then using them to delete files on different drivers at predefined times.
Infection and Propagation Vectors
The Trojan comes in a dropper with the filename “GrooveMonitor.exe” which is a self-extracting RAR file. We don’t have details about the infection vector, but based on the dropper it could be deployed using USB drives or phishing emails.
Users are requested to exercise caution while opening unsolicited emails and unknown links. Users are advised to update Windows and third-party application security patches and virus definitions on a regular basis and have proper filtering rules.
Characteristics and Symptoms
Upon execution, the Trojan (GrooveMonitor.exe) drops several files like SLEEP.EXE, juboot.exe, jucheck.exe in the %system32% folder.
The GrooveMonitor.exe then creates a process for juboot.exe. This process drops juboot.bat in the %Temp% folder and opens cmd.exe which runs the juboot.bat file.
The juboot.bat file adds registry entry for jucheck.exe and also creates a thread for jucheck.exe. The contents of juboot.bat are as below.
@echo off & setlocal
sleep for 2
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v jucheck.exe /t REG_SZ /d
start “” /D”%systemroot%\system32\” “jucheck.exe”
The following registry keys have been added to the system:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “jucheck.exe”
- HKEY_CURRENT_USER\Software\WinRAR SFX “C%%WINDOWS%system32%”
As can be seen from the registry changes the malware maintains persistence by executing the jucheck.exe file every time the system boots. No external connections to any IP address or URLs were observed. After jucheck.exe is executed it creates jucheck.bat.
The jucheck.bat deletes juboot.exe and GrooveMonitor.exe from the Start Menu folder. Then the bat files checks the system date and if it matches one of the predefined dates it executes the wiping routine. This routine checks for system drives and it then deletes every file on those drives with the drive letters D,E,F,G,H or I, along with files on a logged-in user’s Desktop.
Some of the dates the malware checks for are listed below.
Clearly the malware author was thinking ahead and this might have been stage one of a targeted attack waiting to happen in the future. MD5s of some files that are dropped.
\WINDOWS\system32\SLEEP.EXE, Md5: ea7ed6b50a9f7b31caeea372a327bd37 ( non-Malicious, clean file)
\WINDOWS\system32\jucheck.exe, Md5: c4cd216112cbc5b8c046934843c579f6
\WINDOWS\system32\juboot.exe, Md5: fa0b300e671f73b3b0f7f415ccbe9d41
Keep your antivirus software up-to-date.
The below registry entry would enable the Trojan to execute every time when windows starts.
Always keep a backup of all the files on the system. Use of backup and restore software is recommended.
Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives.
Please disable any such Run keys manually of using Access Protection Rules.
(c) Above article is based on the report from Mcafee security Labs