Lab 1.4.5 Identifying Network Vulnerabilities
Step 1: Open the SANS Top 20 List
Using a web browser, go to http://www.sans.org/. On the resources menu, choose top 20 list.
The SANS Top-20 Internet Security Attack Targets list is organized by category. An identifying letter
indicates the category type, and numbers separate category topics. Router and switch topics fall under the
Network Devices category, N. There are two major hyperlink topics:
N1. VoIP Servers and Phones
N2. Network and Other Devices Common Configuration Weaknesses
Step 2: Review common configuration weaknesses
a. Click hyperlink N2. Network and Other Devices Common Configuration Weaknesses.
b. List the four headings in this topic.
Description
Common Default Configuration Issues
Printer vulnerabilities
How to protect against these vulnerabilities
Step 3: Review common default configuration issues
Review the contents of N2.2 Common Default Configuration Issues. As an example, N.2.2.2 (in January
2007) contains information about threats associated with default accounts and values. A Google search on
“wireless router passwords” returns links to multiple sites that publish a list of wireless router default
administrator account names and passwords. Failure to change the default password on these devices can
lead to compromised security and vulnerability to attackers.
Step 4: Note the CVE references
The last line under several topics cites CVE (Common Vulnerabilities and Exposures) references. The CVE name
is linked to the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD),
sponsored by the United States Department of Homeland Security (DHS) National Cyber Security Division
and US-CERT, which contains information about the vulnerability.
Step 5: Investigate a topic and associated CVE hyperlink
The remainder of this lab walks you through a vulnerability investigation and solution.
Choose a topic to investigate, and click on an associated CVE hyperlink. The link should open a new web
browser connected to http://nvd.nist.gov/ and the vulnerability summary page for the CVE.
NOTE: Because the CVE list changes, the current list may not contain the same vulnerabilities as
those in January 2007.
Step 6: Record vulnerability information
Complete the information about the vulnerability. Answers vary
Original release date:
Last revised:
Source:
Overview:
Step 7: Record the vulnerability impact
Under Impact, there are several values. The Common Vulnerability Scoring System (CVSS) severity is
displayed and contains a value between 1 and 10.
Complete the information about the vulnerability impact. Answers vary
CVSS Severity:
Access Complexity:
Authentication:
Impact Type:
Step 8: Record the solution
The References to Advisories, Solutions, and Tools section contains links with information about the
vulnerability and possible solutions.
Using the hyperlinks, write a brief description of the solution found on those pages.
Step 9: Reflection
The number of vulnerabilities affecting computers, networks, and data continues to increase. Many national
governments have dedicated significant resources to coordinating and disseminating information about
security vulnerability and possible solutions. It remains the responsibility of the end user to implement the
solution. Think of ways that users can help strengthen security. Write down some user habits that create
security risks.
Using weak passwords
Writing passwords down
Not changing passwords regularly
Not securing the workstation when it is not in use
Not following procedure when disclosing network information
Lab 1.4.6B Implementing Port Security
Task 1: Configure and Test the Switch Connectivity
Step 1: Prepare the switch for configuration
a. Referring to the topology diagram, connect the console (or rollover) cable to the console port on the
switch and the other cable end to the host computer with a DB-9 or DB-25 adapter to the COM 1 port.
Ensure that power has been applied to both the host computer and switch.
b. Establish a console terminal session from PC1 to switch S1.
c. Prepare the switch for lab configuration by ensuring that all existing VLAN and general configurations
are removed.
1) Remove the switch startup configuration file from NVRAM.
Switch#erase startup-config
Erasing the nvram filesystem will remove all files! Continue? [confirm]
2) Press Enter to confirm.
The response should be:
Erase of nvram: complete
d. Power cycle the switch and exit the initial configuration setup when the switch restarts.
Step 2: Configure the switch
Configure the hostname and VLAN 1 interface IP address as shown in the table.
Step 3: Configure the hosts attached to the switch
a. Configure the two PCs to use the same IP subnet for the address and mask as shown in the table.
b. Connect PC1 to switch port Fa0/1 and PC2 to switch port Fa0/4. The Linksys device is not connected
at this stage of the lab.
Step 4: Verify host connectivity
Ping between all PCs and the switch to verify correct configuration. If any ping was not successful,
troubleshoot the hosts and switch configurations.
Step 5: Record the host MAC addresses
Determine and record the Layer 2 addresses of the PC network interface cards.
(For Windows 2000, XP, or Vista, check by using Start > Run > cmd > ipconfig /all.)
PC1 MAC Address: _______________________________ e.g., 00-07-EC-93-3C-D1
PC2 MAC Address: _______________________________ e.g., 00-01-C7-E4-ED-E6
Step 6: Determine what MAC addresses the switch has learned
a. At the privileged EXEC mode prompt, issue the show mac-address-table command to display
the PC MAC addresses that the switch has learned.
FC-ASW-1#show mac-address-table
Record the details displayed in the table.
Mac Address Table
——————————————-
Vlan Mac Address Type Ports
—- ———– ——– —–
1 0001.c7e4.ede6 DYNAMIC Fa0/1
1 0007.ec93.3cd1 DYNAMIC Fa0/4
b. Note the MAC addresses shown and the associated switch ports. Confirm that these addresses and
ports match the connected PCs.
How were these MAC addresses and port associations learned?
The source MAC addresses of the ping echo requests and echo replies were recorded against the port they arrived on.
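As an added example (it is not part of the lab), the following Python script automates the check in step b: it parses show mac-address-table output and compares the address learned on each port with the MAC addresses recorded from the hosts in Step 5, normalising the Windows hyphenated notation and the Cisco dotted notation so they can be compared. The table text, the recorded addresses and the port-to-PC mapping are constructed sample values, not the lab's own results; the function names are this example's.

```python
import re

# Constructed sample: MAC addresses recorded from "ipconfig /all" on each host
# (Windows hyphenated notation), keyed by the switch port each PC is cabled to.
# These are assumptions for the example, not measurements from the lab.
RECORDED_HOSTS = {
    "Fa0/1": "00-07-EC-93-3C-D1",   # PC1
    "Fa0/4": "00-01-C7-E4-ED-E6",   # PC2
}

# Constructed sample of "show mac-address-table" output in Cisco IOS format.
SHOW_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0007.ec93.3cd1    DYNAMIC     Fa0/1
   1    0001.c7e4.ede6    DYNAMIC     Fa0/4
"""


def normalize_mac(mac: str) -> str:
    """Reduce any common MAC notation (00-07-EC-93-3C-D1, 00:07:ec:93:3c:d1,
    0007.ec93.3cd1) to 12 lowercase hex digits so values from different tools
    can be compared directly."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


# One data row of the table: VLAN, dotted MAC, entry type, port.
MAC_ROW = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<type>\S+)\s+(?P<port>\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text: str) -> list[dict]:
    """Parse the data rows of 'show mac-address-table' into dicts; header and
    rule lines do not match MAC_ROW and are skipped."""
    rows = []
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            rows.append({"vlan": int(m["vlan"]), "mac": normalize_mac(m["mac"]),
                         "type": m["type"].upper(), "port": m["port"]})
    return rows


def check_learned_addresses(table_text: str, recorded: dict) -> list[str]:
    """Return discrepancies between what the switch learned and what was recorded
    on the hosts. An empty list means every port shows the expected address."""
    learned = {r["port"]: r["mac"] for r in parse_mac_table(table_text)}
    problems = []
    for port, mac in recorded.items():
        expected = normalize_mac(mac)
        seen = learned.get(port)
        if seen is None:
            problems.append(f"{port}: no address learned yet (send traffic, e.g. ping)")
        elif seen != expected:
            problems.append(f"{port}: learned {seen}, expected {expected}")
    for port, mac in learned.items():
        if port not in recorded:
            problems.append(f"{port}: address {mac} learned on a port with no recorded host")
    return problems


if __name__ == "__main__":
    for problem in check_learned_addresses(SHOW_MAC_TABLE, RECORDED_HOSTS) or ["all ports match"]:
        print(problem)
```

A port that has not yet forwarded any frames has no entry at all, which is why the check distinguishes "nothing learned" from "wrong address learned": the first is cured by generating traffic, the second means a cable or a host is not where the records say it is.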
Task 2: Configure and Test the Switch for Dynamic Port Security
Step 1: Set port security options
a. Disconnect all PC Ethernet cables from the switch ports.
b. Ensure that the MAC address table is clear of entries. To confirm this, issue the clear mac-address-table
dynamic and show mac-address-table commands.
a. Clear the MAC address table entries.
FC-ASW-1#clear mac-address-table dynamic
b. Issue the show mac-address-table command.
Record the table entries.
Mac Address Table
——————————————-
Vlan Mac Address Type Ports
—- ———– ——– —–
c. Determine the options for setting port security on interface FastEthernet 0/4. From the global
configuration mode, enter interface fastethernet 0/4.
FC-ASW-1(config)#interface fa 0/4
Enabling switch port security provides options, such as specifying what happens when a security
setting is violated.
d. To configure the switch port FastEthernet 0/4 to accept only the first device connected to the port,
issue the following commands from the configuration mode:
FC-ASW-1(config-if)#switchport mode access
FC-ASW-1(config-if)#switchport port-security
e. In the event of a security violation, the interface should be shut down. Set the port security action to
shutdown:
FC-ASW-1(config-if)#switchport port-security violation shutdown
FC-ASW-1(config-if)#switchport port-security mac-address sticky
What other action options are available with port security?
protect, restrict
f. Exit the configuration mode.
Step 2: Verify the configuration
a. Display the running configuration.
What statements in the configuration directly reflect the security implementation?
interface FastEthernet0/4
switchport mode access
switchport port-security
switchport port-security mac-address sticky
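Added example, not part of the lab: a Python audit that reads a running-config and reports, for every access port, whether port security is enabled and which violation mode, maximum address count and sticky setting are in effect, flagging access ports where the feature is missing or where the violation mode would not disable the port. The configuration fragment is a constructed sample; the values assumed when a line is absent (violation shutdown, maximum 1) are the Cisco IOS defaults. The function names are this example's own.

```python
import re

# Constructed sample running-config fragment (an assumption for this example).
# Fa0/1 is an access port with no port security, Fa0/4 matches the lab's
# configuration, Fa0/5 has port security with the "protect" violation mode,
# and Gi0/1 is a trunk uplink on which port security is not expected.
RUNNING_CONFIG = """\
!
interface FastEthernet0/1
 switchport mode access
!
interface FastEthernet0/4
 switchport mode access
 switchport port-security
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
!
interface FastEthernet0/5
 switchport mode access
 switchport port-security
 switchport port-security violation protect
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""


def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Split a running-config into {interface name: [its indented config lines]}.
    A '!' or any other top-level line ends the current interface block."""
    interfaces: dict[str, list[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces


def audit_port_security(config: str) -> dict[str, dict]:
    """For each access port report the effective port-security settings.
    IOS defaults: violation mode 'shutdown' and maximum 1 address when the
    corresponding line is absent from the interface."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunks and routed ports are out of scope for this check
        enabled = "switchport port-security" in lines
        violation, maximum, sticky = "shutdown", 1, False
        for line in lines:
            m = re.match(r"switchport port-security violation (\S+)", line)
            if m:
                violation = m[1]
            m = re.match(r"switchport port-security maximum (\d+)", line)
            if m:
                maximum = int(m[1])
            if line == "switchport port-security mac-address sticky":
                sticky = True
        findings = []
        if not enabled:
            findings.append("port security not enabled on an access port")
        elif violation != "shutdown":
            findings.append(f"violation mode '{violation}' drops offending frames "
                            "but does not err-disable the port")
        report[name] = {"enabled": enabled, "violation": violation,
                        "maximum": maximum, "sticky": sticky, "findings": findings}
    return report


if __name__ == "__main__":
    for port, info in audit_port_security(RUNNING_CONFIG).items():
        print(port, info)
```

Only lines actually present in the configuration are inspected, so the audit reports the settings the switch is really enforcing rather than what an engineer remembers typing; that is why the two default values are made explicit in the code instead of being treated as "not configured".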
b. Show the port security settings.
FC-ASW-1#show port-security interface fastethernet 0/4
Record the details displayed in the table.
Port Security : Enabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
Step 3: Verify the port security
a. Connect PC1 to switch port Fa0/1 and PC2 to switch port Fa0/4.
b. From the command prompt ping from PC1 to PC2.
Was this successful? Yes
c. From the command prompt ping from PC2 to PC1.
Was this successful? Yes
d. From the console terminal session, issue the show mac-address-table command.
Record the details displayed in the table.
Mac Address Table
——————————————-
Vlan Mac Address Type Ports
—- ———– ——– —–
1 0001.c7e4.ede6 DYNAMIC Fa0/1
1 0007.ec93.3cd1 STATIC Fa0/4
e. Show the port security settings.
FC-ASW-1#show port-security interface fastethernet 0/4
Record the details displayed in the table.
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 0001.c7e4.ede6:1 [pc2]
Security Violation Count : 0
Note the difference in entries recorded in Step 2 b.
- The port status is now secure-up (a PC is connected)
- There is 1 sticky MAC address
- A last source address is now shown
f. Confirm the status of the switch port.
ALSwitch#show interface fastethernet 0/4
What is the state of this interface?
FastEthernet0/4 is up and line protocol is up.
Step 4: Test the port security
a. Disconnect PC2 from Fa0/4
b. Connect PC2 to the Linksys using one of the ports on the Linksys LAN switch.
c. Use the Basic Setup tab to configure the Internet IP address on the Linksys device to the address
and mask, as shown in the table.
d. Configure PC2 to get an IP address using DHCP. Verify that PC2 receives an IP address from the
Linksys device.
e. Connect the Internet port on the Linksys to Fa0/4.
f. Ping from PC1 to PC2.
Was this successful? No
g. Ping from PC2 to PC1.
Was this successful? No
Record the output displayed on the console screen at the switch command line.
ERR_DISABLE: psecure-violation error detected on Fa0/4, putting Fa0/4
in err-disable state
%LINK-5-CHANGED: Interface FastEthernet0/4, changed state to
administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4,
changed state to down
h. Issue the show mac-address-table command.
Record the details displayed in the table.
Mac Address Table
——————————————-
Vlan Mac Address Type Ports
—- ———– ——– —–
1 0001.c7e4.ede6 DYNAMIC Fa0/1
i. Show the port security settings.
FC-ASW-1#show port-security interface fastethernet 0/4
Record the details displayed in the table.
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 0800.4606.fbb6:1
Security Violation Count : 1
Note the difference in entries recorded in Step 3 e.
- The port status is now secure-shutdown
- There is 1 security violation
- The last source address changed to the Linksys device
Confirm the status of the switch port.
FC-ASW-1#show interface fastethernet 0/4
What is the state of this interface?
FastEthernet0/4 is down and line protocol is down.
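Added example (it is not from the lab): Python that combines the two sources an operator has after a violation, the console messages and the show port-security interface output recorded above, into one structured finding: whether the port is err-disabled, how many violations occurred, and which source MAC address and VLAN triggered the last one, together with the recovery step the lab describes in Step 5. The log lines and show output are constructed samples modelled on those recorded above; the function names are this example's own.

```python
import re

# Constructed sample console lines, modelled on the messages the lab records
# when the Linksys device is connected to the secured port.
SYSLOG = """\
ERR_DISABLE: psecure-violation error detected on Fa0/4, putting Fa0/4 in err-disable state
%LINK-5-CHANGED: Interface FastEthernet0/4, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to down
"""

# Constructed sample of "show port-security interface fastethernet 0/4" after the violation.
SHOW_PORT_SECURITY = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0800.4606.fbb6:1
Security Violation Count   : 1
"""

# Matches the err-disable message with or without a facility prefix such as %PM-4-.
ERR_DISABLE = re.compile(r"ERR_DISABLE: psecure-violation error detected on (?P<port>\S+),")

# "key   : value"; the non-greedy key stops at the first whitespace-padded colon,
# so "Last Source Address:Vlan" (colon without surrounding spaces) stays intact.
FIELD = re.compile(r"^(?P<key>.+?)\s+:\s+(?P<value>.*)$")


def violations_from_syslog(text: str) -> list[str]:
    """Return the ports that the console reports as err-disabled for a port-security violation."""
    return [m["port"] for line in text.splitlines() if (m := ERR_DISABLE.search(line))]


def parse_port_security(text: str) -> dict[str, str]:
    """Turn 'show port-security interface ...' output into a {field: value} dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m["key"].strip()] = m["value"].strip()
    return fields


def assess_port(port: str, show_output: str, syslog: str) -> dict:
    """Combine both sources into one finding: is the port err-disabled, how many
    violations have occurred, which source address caused the last one, and the
    recovery step (remove the offending device, then shutdown / no shutdown)."""
    f = parse_port_security(show_output)
    last_mac, _, vlan = f.get("Last Source Address:Vlan", "0000.0000.0000:0").rpartition(":")
    err_disabled = (port in violations_from_syslog(syslog)
                    or f.get("Port Status") == "Secure-shutdown")
    if err_disabled:
        action = (f"disconnect the device using {last_mac} from {port}, then issue "
                  "'shutdown' followed by 'no shutdown' on the interface to clear err-disable")
    else:
        action = "no action needed"
    return {
        "port": port,
        "err_disabled": err_disabled,
        "violations": int(f.get("Security Violation Count", "0")),
        "last_source_mac": last_mac,
        "last_source_vlan": vlan,
        "violation_mode": f.get("Violation Mode"),
        "action": action,
    }


if __name__ == "__main__":
    print(assess_port("Fa0/4", SHOW_PORT_SECURITY, SYSLOG))
```

Reading both sources matters because they answer different questions: the console message says which port was disabled and when, while the show output preserves the last offending source address and the running violation count even after the message has scrolled off the terminal.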
Step 5: Reactivate the port
a. If a security violation occurs and the port is shut down, enter interface Fa0/4 configuration mode,
disconnect the offending device, and use the shutdown command to temporarily disable the port.
b. Disconnect the Linksys and reconnect PC2 to port Fa0/4. Issue the no shutdown command on the
interface.
c. Ping from PC1 to PC2. This may have to be repeated multiple times before success.
List reasons why multiple ping attempts may be necessary before success is achieved.
- Spanning Tree Protocol needs to run on the port
- ARP requests must be sent and answered.
- The switch must learn the MAC address to port association
Step 6: Discuss switch port security using dynamic MAC address assignment
Advantages:
Host MAC addresses do not have to be recorded and entered when the switch is configured.
There is flexibility when connecting a large number of hosts, provided the ports used are in the correct VLAN.
Disadvantages:
If the wrong host is connected to the switch before the correct host, network security can still be breached.
A host can be connected to the wrong VLAN.
When a NIC is changed in a PC, or when a PC is replaced, the network administrator must manually reset port security.
Step 7: Clean up
Erase the configurations and reload the switches. Disconnect and store the cabling. For PC hosts that are
normally connected to other networks (such as the school LAN or to the Internet), reconnect the appropriate cabling and restore the TCP/IP settings.
Task 3: Reflection
When considering designing a typical enterprise network, it is necessary to think about points of security
vulnerability at the Access Layer. Discuss which Access Layer switches should have port security and those for which it may not be appropriate. Include possible future issues in regard to wireless and guest access to the network.
• The type of host connected to the switch.
• The type of user: employee or guest
• Where access takes place: in a secure office or in a public area
• The type of access: wired or wireless
• Investigate the security features available on different switch platforms
• How a port security policy can be implemented and managed.
• Static versus dynamic port security