Minimizing Service Loss and Data Theft in a Campus Network

Understanding Switch Security Issues

Overview of Switch Security

Rogue Access Points

Rogue network devices can be:
- Wireless hubs
- Wireless routers
- Access switches
- Hubs

These devices are typically connected at access level switches.

Switch Attack Categories

- MAC layer attacks
- VLAN attacks
- Spoofing attacks
- Attacks on switch devices

MAC Flooding Attack

Port Security

Port security restricts port access by MAC address.

Configuring Port Security on a Switch

1. Enable port security
2. Set MAC address limit
3. Specify allowable MAC addresses
4. Define violation actions

    Switch(config-if)#switchport port-security maximum value violation {protect | restrict | shutdown}

Enables port security and specifies the maximum number of MAC addresses that can be supported by this port.

Verifying Port Security

    Switch#show port-security

Displays security information for all interfaces.

    Switch#show port-security
    Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                    (Count)       (Count)        (Count)
    ---------------------------------------------------------------------------
          Fa5/1             11           11                  0  Shutdown
          Fa5/5             15            5                  0  Restrict
         Fa5/11              5            4                  0  Protect
    ---------------------------------------------------------------------------
    Total Addresses in System: 21
    Max Addresses limit in System: 128

Verifying Port Security (Cont.)

    Switch#show port-security interface type mod/port

Displays security information for a specific interface.

    Switch#show port-security interface fastethernet 5/1
    Port Security: Enabled
    Port status: SecureUp
    Violation mode: Shutdown
    Maximum MAC Addresses: 11
    Total MAC Addresses: 11
    Configured MAC Addresses: 3
    Aging time: 20 mins
    Aging type: Inactivity
    SecureStatic address aging: Enabled
    Security Violation count: 0

Verifying Port Security (Cont.)

    Switch#show port-security address

Displays MAC address table security information.

    Switch#show port-security address
              Secure Mac Address Table
    -------------------------------------------------------------------
    Vlan  Mac Address       Type              Ports   Remaining Age (mins)
    ----  -----------       ----              -----   --------------------
       1  0001.0001.0001    SecureDynamic     Fa5/1   15 (I)
       1  0001.0001.0002    SecureDynamic     Fa5/1   15 (I)
       1  0001.0001.1111    SecureConfigured  Fa5/1   16 (I)
       1  0001.0001.1112    SecureConfigured  Fa5/1   -
       1  0001.0001.1113    SecureConfigured  Fa5/1   -
       1  0005.0005.0001    SecureConfigured  Fa5/5   23
       1  0005.0005.0002    SecureConfigured  Fa5/5   23
       1  0005.0005.0003    SecureConfigured  Fa5/5   23
       1  0011.0011.0001    SecureConfigured  Fa5/11  25 (I)
       1  0011.0011.0002    SecureConfigured  Fa5/11  25 (I)
    -------------------------------------------------------------------
    Total Addresses in System: 10
    Max Addresses limit in System: 128

Port Security with Sticky MAC Addresses

Sticky MAC stores dynamically learned MAC addresses.

AAA Network Configuration

- Authentication: verifies a user identity
- Authorization: specifies the permitted tasks for the user
- Accounting: provides billing, auditing, and monitoring

Authentication Methods

Cisco IOS AAA supports these authentication methods:
- Enable password
- Kerberos 5
- Kerberos 5-Telnet authentication
- Line password
- Local database
- Local database with case sensitivity
- No authentication
- RADIUS
- TACACS+

    Switch(config)#aaa authentication login {default | list-name} method1 method2...

Creates a local authentication list.

802.1x Port-Based Authentication

Network access through the switch requires authentication.

Configuring 802.1x

    Switch(config)#aaa new-model

Enables AAA.

    Switch(config)#aaa authentication dot1x default method1 method2

Creates an 802.1x port-based authentication method list.

    Switch(config)#dot1x system-auth-control

Globally enables 802.1x port-based authentication.

    Switch(config)#interface type slot/port

Enters interface configuration mode.

    Switch(config-if)#dot1x port-control auto

Enables 802.1x port-based authentication on the interface.
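The verification commands earlier on this page (show port-security and show port-security address) are where an operator learns whether port security is actually doing its job. The following Python script is an added example, not part of the course material or of Cisco IOS: it parses the two outputs as they appear on the page and flags what a defender would act on. The sample outputs are constructed for the example (modelled on the slide's tables, with one violation count and one SecureSticky entry added), and the function names and the switch they describe are hypothetical.

```python
"""Audit 'show port-security' output for conditions a network defender should act on.

Added example: parses the summary table and the secure address table, then flags
ports with recorded violations, ports at their MAC limit, protect-mode ports, and
ports whose secure MACs are only dynamically learned (lost on reload unless sticky).
"""
import re
from dataclasses import dataclass

# Constructed sample of 'show port-security' (hypothetical switch, modelled on the slide).
SAMPLE_SUMMARY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)        (Count)
---------------------------------------------------------------------------
      Fa5/1             11           11                  0  Shutdown
      Fa5/5             15            5                  3  Restrict
     Fa5/11              5            4                  0  Protect
---------------------------------------------------------------------------
Total Addresses in System: 20
Max Addresses limit in System: 128
"""

# Constructed sample of 'show port-security address' (hypothetical switch).
SAMPLE_ADDRESSES = """\
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan  Mac Address       Type              Ports   Remaining Age (mins)
----  -----------       ----              -----   --------------------
   1  0001.0001.0001    SecureDynamic     Fa5/1   15 (I)
   1  0001.0001.0002    SecureDynamic     Fa5/1   15 (I)
   1  0001.0001.1111    SecureConfigured  Fa5/1   16 (I)
   1  0005.0005.0001    SecureConfigured  Fa5/5   23
   1  0011.0011.0001    SecureSticky      Fa5/11  -
-------------------------------------------------------------------
"""


@dataclass
class SecurePort:
    name: str
    max_addr: int
    current: int
    violations: int
    action: str


# One data row of the summary table: port, three counters, then the violation action.
ROW_RE = re.compile(
    r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(Shutdown|Restrict|Protect)\s*$", re.I
)
# One data row of the secure address table: vlan, dotted-hex MAC, type, port.
ADDR_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(Secure\w+)\s+(\S+)", re.I
)


def parse_port_security(text: str) -> list[SecurePort]:
    """Return one SecurePort per data row; headers, rules and totals are skipped."""
    ports = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            ports.append(SecurePort(m.group(1), int(m.group(2)), int(m.group(3)),
                                    int(m.group(4)), m.group(5).capitalize()))
    return ports


def parse_secure_addresses(text: str) -> list[tuple[int, str, str, str]]:
    """Return (vlan, mac, type, port) tuples from the secure address table."""
    return [(int(m.group(1)), m.group(2).lower(), m.group(3), m.group(4))
            for m in map(ADDR_RE.match, text.splitlines()) if m]


def audit_ports(ports: list[SecurePort]) -> list[tuple[str, str, str]]:
    """Flag (port, finding, detail) triples an operator should review."""
    findings = []
    for p in ports:
        if p.violations > 0:
            findings.append((p.name, "violation",
                             f"{p.violations} violation(s) recorded; action={p.action}"))
        if p.current >= p.max_addr:
            findings.append((p.name, "at-limit",
                             f"{p.current}/{p.max_addr} secure MACs; next new MAC triggers {p.action}"))
        if p.action == "Protect":
            # Protect drops offending frames but does not count them or log, so the
            # summary table cannot reveal an attack on this port.
            findings.append((p.name, "silent-mode",
                             "protect mode gives no violation count or notification"))
    return findings


def dynamic_only_ports(entries: list[tuple[int, str, str, str]]) -> dict[str, int]:
    """Ports whose secure MACs include SecureDynamic entries, with their count.

    Dynamic entries are not written to the configuration, so after a reload the
    port relearns from whatever is plugged in; sticky learning keeps them.
    """
    counts: dict[str, int] = {}
    for _vlan, _mac, kind, port in entries:
        if kind.lower() == "securedynamic":
            counts[port] = counts.get(port, 0) + 1
    return counts


if __name__ == "__main__":
    for port, kind, detail in audit_ports(parse_port_security(SAMPLE_SUMMARY)):
        print(f"{port:8} {kind:12} {detail}")
    for port, n in dynamic_only_ports(parse_secure_addresses(SAMPLE_ADDRESSES)).items():
        print(f"{port:8} dynamic-only  {n} learned MAC(s) not saved; consider sticky")
```

Run against real output, the script is fed the text of the two show commands (for example captured over SSH) instead of the constructed samples; the regexes key on the column layout the page shows, so a platform that prints a different table needs its own pattern.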