Showing posts with label Security.

Monday, March 17, 2008

Switch Port Security

If you are working in a strict security environment then switch port security is a must. Configuring switch port security can become a tedious task. However, if you control the environment while you set up the network, this little trick can save you a lot of work.

Instead of configuring port security and manually entering the MAC address for every port, you can plug all your hosts in first and then issue the following commands (f0/1-xx stands for whatever range of access ports you are securing):

Switch(config)#int range f0/1-xx
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport port-security
Switch(config-if-range)#switchport port-security maximum 1
Switch(config-if-range)#switchport port-security violation restrict
Switch(config-if-range)#switchport port-security mac-address sticky
Switch(config-if-range)#end

The first command takes you into interface range configuration mode; the next ones turn on port security and cap the number of secure MAC addresses at 1. Port security can only be enabled on a static access (or trunk) port, so if the ports are still in the default dynamic mode, set switchport mode access first or the switchport port-security command is rejected. "Violation restrict" drops frames from any host whose source MAC address differs from the one the switch has learned for the port in question, increments the port's violation counter and raises a syslog message and SNMP trap, while leaving the port up. The default mode, shutdown, would instead put the port into err-disabled state, and protect drops the frames silently with no logging at all. Finally, "mac-address sticky" instructs the switch to learn the MAC address dynamically and remember it for each port: the learned address is written into the running configuration as a switchport port-security mac-address sticky <mac> line, so you still have to save with copy running-config startup-config, otherwise the learned addresses are lost on the next reload.
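To make the differences between the violation modes and the sticky/save behaviour concrete, here is an added model of one secured access port. It is example code written for this page, not switch code and not from Cisco or the original post; it follows the documented Catalyst semantics of maximum, violation and sticky, the interface name, MAC addresses and frame sequence are constructed, and the running-config rendering (defaults omitted) is an assumption about how IOS prints the stanza.

```python
"""Model of Cisco IOS port security on one access port.

Added example, not code from the original post or from Cisco. It models the
semantics of `switchport port-security maximum N`, `violation
{protect|restrict|shutdown}` and `mac-address sticky` as documented for
Catalyst switches (a model, not switch code) so the three violation modes
can be compared on a constructed frame sequence, and so the effect of
forgetting `copy running-config startup-config` can be seen.
"""
from dataclasses import dataclass, field
from typing import List

STICKY_PREFIX = " switchport port-security mac-address sticky "


@dataclass
class SecurePort:
    name: str
    maximum: int = 1
    violation: str = "shutdown"      # IOS default violation mode
    sticky: bool = True
    secure_macs: List[str] = field(default_factory=list)
    violations: int = 0
    err_disabled: bool = False
    syslog: List[str] = field(default_factory=list)
    startup_config: List[str] = field(default_factory=list)

    def ingress(self, src_mac: str) -> bool:
        """Process one ingress frame; return True if it is forwarded."""
        if self.err_disabled:
            return False
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)   # learned; with sticky it lands in running-config
            return True
        # maximum reached and the source is not a secure address: a violation
        if self.violation == "protect":
            return False                        # dropped silently: no counter, no log
        self.violations += 1
        self.syslog.append(f"PSECURE_VIOLATION (modelled): {src_mac} on {self.name}")
        if self.violation == "shutdown":
            self.err_disabled = True            # port goes err-disabled
        return False                            # restrict: drop the frame, port stays up

    def running_config(self) -> List[str]:
        """Interface stanza as IOS would render it (defaults omitted: an assumption)."""
        lines = [f"interface {self.name}", " switchport mode access",
                 " switchport port-security"]
        if self.maximum != 1:
            lines.append(f" switchport port-security maximum {self.maximum}")
        if self.violation != "shutdown":
            lines.append(f" switchport port-security violation {self.violation}")
        if self.sticky:
            lines.append(STICKY_PREFIX.rstrip())
            lines += [STICKY_PREFIX + mac for mac in self.secure_macs]
        return lines

    def write_memory(self) -> None:
        self.startup_config = self.running_config()

    def reload(self) -> None:
        """Reboot: only sticky addresses saved in startup-config survive."""
        self.secure_macs = [line[len(STICKY_PREFIX):] for line in self.startup_config
                            if line.startswith(STICKY_PREFIX)]
        self.violations, self.err_disabled = 0, False


# constructed frame sequence: the legitimate host twice, a rogue device, the host again
FRAMES = ["0011.2233.4455", "0011.2233.4455", "dead.beef.0001", "0011.2233.4455"]


def compare_modes(frames=FRAMES) -> dict:
    """Run the same frames through each violation mode; mode -> observed behaviour."""
    results = {}
    for mode in ("protect", "restrict", "shutdown"):
        port = SecurePort("FastEthernet0/1", maximum=1, violation=mode)
        forwarded = [port.ingress(mac) for mac in frames]
        results[mode] = {"forwarded": forwarded, "violations": port.violations,
                         "err_disabled": port.err_disabled,
                         "running_config": port.running_config()}
    return results


def sticky_survives_reload(saved: bool) -> bool:
    """Does the sticky-learned address still exist after a reload?"""
    port = SecurePort("FastEthernet0/2", violation="restrict")
    port.ingress("0011.2233.4455")
    if saved:
        port.write_memory()
    port.reload()
    return "0011.2233.4455" in port.secure_macs


if __name__ == "__main__":
    for mode, r in compare_modes().items():
        print(f"{mode:9} forwarded={r['forwarded']} violations={r['violations']} "
              f"err-disabled={r['err_disabled']}")
    print("sticky MAC after reload, saved:", sticky_survives_reload(True),
          "unsaved:", sticky_survives_reload(False))
```

The rogue frame is dropped in all three modes; what differs is that protect leaves no trace, restrict counts and logs it while the legitimate host keeps working, and shutdown takes the whole port down until it is recovered. The reload helper is the reason for the save reminder above.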

Thursday, December 20, 2007

Protecting Your Network Edge with TTL

Protecting your network by authenticating every eBGP session (MD5 authentication on the TCP session) is a good measure to keep the bad guys out. While it keeps attackers from getting inside your network, it can't keep them from flooding spoofed packets at the BGP port (TCP port 179). Every spoofed segment forces an MD5 verification that fails, and enough of them can cause legitimate BGP sessions on the target interface to fail, the BGP process to die, or even the whole system to crash from the spike in CPU and memory use.

Fortunately, you can use the IP TTL (Time To Live) as an additional measure to reduce such DoS attacks against BGP. By default, most BGP implementations send packets to external neighbors with a TTL value of 1 and accept packets from external neighbors with any TTL value (0 or higher); the incoming TTL is not checked at all.

You can tighten up your network by changing this default behavior: have your router send BGP packets to the neighbor with a TTL value of 255 and accept only packets that still carry a TTL of 254 or higher when they arrive (the threshold is 255 minus the configured hop count, so 254 for a directly connected peer). This is the Generalized TTL Security Mechanism (GTSM) described in RFC 5082.

Now even if the attackers originate packets with the maximum TTL value of 255, the packets can't get to your BGP process unless the attacker is directly connected to the target interface, because each router hop decrements the TTL value by 1. If they are two hops away, by the time the packets reach the port the TTL has been decremented to 253 and they are rejected. The TTL check is a compare on the IP header, done before any MD5 verification, which is what makes it so cheap compared with the authentication failures it prevents.

You configure this under the BGP process with the following statement (the neighbor address is a placeholder; the hop count is the number of router hops to the peer, 1 for a directly connected neighbor, and not the TTL threshold itself):

router bgp <your-as-number>
 neighbor <neighbor-address> ttl-security hops 1

This instructs your router to discard incoming BGP packets from that neighbor with a TTL value below 254 (255 minus the hop count) and to set the TTL of its outgoing packets to 255. Do not put the TTL threshold in as the hop count: "hops 254" would accept any packet with a TTL of 1 or higher, which is no protection at all. You will also need to make sure that both neighbors are configured with the same statement; a peer still sending with the default TTL of 1 fails the check and the session will not come up. On IOS, ttl-security and ebgp-multihop are mutually exclusive for the same neighbor, so for a multihop peering set the hop count to the real number of router hops instead.
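The arithmetic behind the threshold, the hop count and the "both sides" requirement is easy to get wrong, so here is an added model of the check that covers the explanation above and the configuration statement. It is example code written for this page, not from the original post, Cisco or any BGP implementation; the acceptance rule (arrival TTL at least 255 minus the configured hop count) is the one the IOS documentation gives and is taken as an assumption of the model, the strict RFC 5082 rule is included for comparison, and every scenario is constructed.

```python
"""Model of the BGP TTL security check (GTSM, RFC 5082) as configured on
IOS with `neighbor <address> ttl-security hops <hop-count>`.

Added example, not from the original post or from any vendor. The
acceptance rule modelled is the one IOS documents: accept a packet when its
TTL on arrival is at least 255 minus the configured hop count (an
assumption of this model). The strict RFC 5082 rule for a directly connected
peer (TTL must be exactly 255) is included for comparison. All scenarios
are constructed.
"""

EBGP_DEFAULT_TTL = 1   # TTL used toward a directly connected eBGP peer by default
GTSM_TTL = 255         # TTL used once ttl-security is configured


def ttl_on_arrival(origin_ttl: int, routers_traversed: int) -> int:
    """TTL the target sees after each intermediate router decremented it."""
    return max(origin_ttl - routers_traversed, 0)


def ttl_security_accepts(arrival_ttl: int, hops: int) -> bool:
    """IOS ttl-security check: accept iff arrival TTL >= 255 - hops."""
    if not 1 <= hops <= 254:
        raise ValueError("hop count must be between 1 and 254")
    return arrival_ttl >= 255 - hops


def rfc5082_accepts(arrival_ttl: int, hops: int) -> bool:
    """Strict GTSM: a peer `hops` routers away must arrive with TTL >= 256 - hops,
    i.e. exactly 255 for a directly connected peer (hops == 1)."""
    return arrival_ttl >= 256 - hops


def session_survives(hops: int, routers_traversed: int,
                     origin_ttl: int = GTSM_TTL, strict: bool = False) -> bool:
    """Would a packet sent with origin_ttl from routers_traversed routers away pass?"""
    check = rfc5082_accepts if strict else ttl_security_accepts
    return check(ttl_on_arrival(origin_ttl, routers_traversed), hops)


def evaluate_scenarios() -> dict:
    """Correct (hops 1) versus misconfigured (hops 254) threshold; name -> accepted."""
    return {
        # legitimate directly connected peer: sent with 255, arrives with 255
        "peer_hops1": session_survives(hops=1, routers_traversed=0),
        # attacker one router away: arrives with 254, still passes the IOS rule...
        "attacker_1_router_hops1": session_survives(hops=1, routers_traversed=1),
        # ...but not the strict RFC 5082 rule
        "attacker_1_router_hops1_strict": session_survives(hops=1, routers_traversed=1,
                                                           strict=True),
        # attacker two routers away: arrives with 253, rejected (the case in the post)
        "attacker_2_routers_hops1": session_survives(hops=1, routers_traversed=2),
        # remote attacker 20 routers away spoofing the maximum TTL: rejected
        "attacker_20_routers_hops1": session_survives(hops=1, routers_traversed=20),
        # the same attacker against `hops 254`: threshold is TTL >= 1, so accepted
        "attacker_20_routers_hops254": session_survives(hops=254, routers_traversed=20),
        # a peer still sending the default eBGP TTL of 1 fails: configure both sides
        "peer_default_ttl_hops1": session_survives(hops=1, routers_traversed=0,
                                                   origin_ttl=EBGP_DEFAULT_TTL),
    }


if __name__ == "__main__":
    for name, accepted in evaluate_scenarios().items():
        print(f"{name:32} {'accepted' if accepted else 'rejected'}")
```

The one-router scenario is the caveat worth knowing: under the IOS rule as documented, hops 1 leaves one router of slack (a packet that crossed exactly one router still arrives with 254), whereas the strict RFC 5082 check demands 255 from a directly connected peer. Either way, anything further out is rejected, and the misconfigured hops 254 rejects nothing.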