Monday, February 27, 2012

Cisco Port Security

Use port security to control which source MAC addresses are allowed in on a switch port, whether they are learned dynamically or configured statically. When secure MAC addresses are assigned to a secure port, the port will not forward traffic from any source MAC address outside that set.

There is a security violation if one of these infractions occurs:
1) The port has already reached its maximum number of secure MAC addresses and a frame arrives from a source MAC address that is not one of them; port security applies the configured violation action (mode).
2) Traffic with a secure MAC address that is configured or learned on one secure port shows up on another secure port in the same VLAN; port security applies the configured violation action on that port. This is a move violation.

Possible actions are:
switchport port-security violation {protect | restrict | shutdown}


protect—Drops packets with unknown source addresses until you remove enough secure MAC addresses to drop below the maximum value (or raise the maximum). No notification is generated, so you will not know it is happening unless you look at the port.

restrict—The same dropping behaviour, but the SecurityViolation counter increments, a syslog message is logged and an SNMP trap is sent.

shutdown—Puts the interface into the error-disabled state immediately, increments the violation counter, logs a syslog message and sends an SNMP trap notification. This is the default mode.

To bring a secure port out of the error-disabled state, either let the switch recover it automatically, in global configuration mode
usage: errdisable recovery cause psecure-violation (optionally errdisable recovery interval seconds to change the 300-second default)
or manually re-enable it, usage: shutdown followed by no shutdown interface configuration commands.

To prevent overtaxing the CPU, combine port security with rate limiting: in restrict mode every dropped frame from an unknown address is counted and logged, so a flood of such frames can load the switch CPU.
Methods of MAC address configuration
Static
How to statically configure all secure MAC addresses?
Use the switchport port-security mac-address mac_address interface configuration command once per address.

Dynamic
How to dynamically configure secure MAC addresses?
1) You can allow the port to learn secure MAC addresses dynamically from the source addresses of connected devices. These entries live only in the address table and are lost when the port goes down or the switch restarts.

2) You can statically configure a number of addresses and allow the rest to be learned dynamically, up to the configured maximum.

Sticky MAC addresses
These are learned dynamically but converted to sticky secure addresses and written into the running configuration, so port security retains them through a link-down condition.
Remember to write memory (wr is the shortcut) or copy running-config startup-config; only then does port security with sticky MAC addresses save the learned addresses in the startup-config file. The port then does not have to learn addresses from ingress traffic again after a reboot or restart.
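The following is an added, complete port-security configuration for a single access port, not copied from the page; the interface name, VLAN and the static MAC address 0000.1111.2222 are constructed for illustration. It combines the pieces above: one static address, sticky learning for the remainder, restrict mode so violations are counted and logged, and automatic errdisable recovery.

```cisco
! Global: let error-disabled ports (shutdown mode) come back on their own
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
interface FastEthernet0/1
 description User workstation, VLAN 10 (constructed example)
 ! Port security is refused on a port in dynamic (DTP) mode, so fix the mode first
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! Two addresses total: one static below, one learned as sticky
 switchport port-security maximum 2
 ! restrict = drop, count, syslog, SNMP trap; the port stays up
 switchport port-security violation restrict
 ! Static secure address (constructed MAC)
 switchport port-security mac-address 0000.1111.2222
 ! Learned addresses are converted to sticky entries in the running-config
 switchport port-security mac-address sticky
!
end
! Sticky entries only survive a reload once they are in startup-config
write memory
!
! Verification: status, violation mode, counters and the secure address table
show port-security interface FastEthernet0/1
show port-security address
show errdisable recovery
```

After a host has been learned, the running configuration shows a line of the form switchport port-security mac-address sticky <address> under the interface; if that line is missing after a reload, the configuration was never saved. A show port-security interface line reading "Port Status: Secure-shutdown" means the shutdown mode tripped and the port is waiting for recovery or a manual shutdown/no shutdown.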

Friday, February 24, 2012

Where does TV come from?

I had the same discussion with my child the other day, and I managed to explain about digital off the air and rabbit ear antennas, and the converter; plus since we're still old school, the good old CRT TV.

Now I'm contemplating the absurdity yet logic of a friend's post, "watching youtube on tv through HDMI to playbook wifi controlled by Blackberry Bold using bluetooth" That's impressive.

ICND2 Topic: Access Lists, Standard and Extended

A topic for the practical CCNA Exam, but it is only in the ICND2. This will be discussed in greater detail when the article is more complete. For starters,

Setting up an access list on a brand new Cisco router, here are a few key points to remember:
  • There is an implicit deny at the end of every access list; you must permit administrative traffic or you will lock yourself out of the router
  • Order matters: entries are evaluated top down and the first match wins, so place the most specific rules first or they will never get a hit
  • Only one access list is allowed per protocol, per direction, per interface
  • Standard access lists filter on source only, so place them closest to the destination or they block more than intended
  • Extended access lists go closest to the source, the purpose being to drop undesirable traffic before it crosses the network
REMEMBER: Specific statements at the start; general ones after. Assume deny all. If everything not explicitly denied should pass, finish with a "permit any" statement.

IMPORTANT: Create the ACL before applying it to an interface. An access-group that refers to an empty or non-existent ACL permits all traffic.
Access lists match packets on source address, destination address, protocol, and port numbers. An inbound ACL is checked before the routing decision, an outbound ACL after it, so an inbound deny saves the router the routing lookup.

Besides filtering on an interface, ACLs are used to identify traffic for other features:
  • type of traffic to be encrypted on a VPN (the crypto map's "interesting traffic")
  • who may manage the router (access-class on the vty lines)
  • route filtering, which routes to include in updates (distribute lists)
  • policy based routing
  • NAT (which inside addresses get translated)
Standard Access List
Checks the source IP address only, for the entire IP protocol suite
Standard IP ACL 1 to 99 & 1300 to 1999

Here is an example from Cisco Tests (the remark is placed first so it reads as a header for the list):
access-list 10 remark Stop all traffic whose source IP is Bob
access-list 10 deny 172.16.3.10 0.0.0.0
access-list 10 permit any


Extended Access List
Checks source and destination addresses, the protocol, and port numbers.
Extended IP ACL 100 to 199 & 2000 to 2699

access-list 110 remark Stop Bob to FTP Server and Larry to WWW Server
access-list 110 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp
access-list 110 deny tcp host 172.16.2.10 host 172.16.1.100 eq www
access-list 110 permit ip any any


Dynamic ACL (lock-and-key) - the user first telnets to the router and authenticates; the router then adds a temporary entry that opens the access list for that user's address.

Reflexive ACL - allows outbound sessions and only lets the matching return traffic back in. Reflexive entries can only be defined inside a named extended IP ACL, not a numbered one.

Time based ACL - entries are tied to a time-range and can be used with both standard and extended ACLs.
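An added worked example of the reflexive ACL described above; it is not from the page. The interface Serial0/0 and the list names are assumptions. Outbound TCP and UDP are permitted and recorded in temporary reflexive lists; inbound traffic is allowed only when it matches a recorded session, then everything else is denied and logged.

```cisco
! Global default idle timeout (seconds) for reflexive entries
ip reflexive-list timeout 180
!
! Outbound filter: each permitted session is recorded in the named reflexive list.
! Reflexive entries are only possible in a named extended ACL.
ip access-list extended OUTBOUND-FILTER
 permit tcp any any reflect TCP-STATE timeout 120
 permit udp any any reflect UDP-STATE timeout 60
 permit icmp any any
!
! Inbound filter: evaluate must appear before the final deny, or nothing
! ever reaches it and all return traffic is dropped
ip access-list extended INBOUND-FILTER
 evaluate TCP-STATE
 evaluate UDP-STATE
 deny ip any any log
!
interface Serial0/0
 description Link to the Internet (assumed interface)
 ip access-group OUTBOUND-FILTER out
 ip access-group INBOUND-FILTER in
!
end
! The temporary entries and their remaining timeouts are visible here
show ip access-lists
```

Caveat a practitioner will hit: a reflexive entry mirrors the exact addresses and ports of the outbound session, so protocols that open a second connection on a different port (active FTP, for example) need an explicit inbound permit; the reflexive list alone will not let the data channel in.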

usage:
ip access-list standard TROUBLEMAKER
 permit ....
 deny ....
 remark .... a good idea to explain what the rule is for!

HOW TO Apply the IP Access List to an Interface
int eth 0
 ip access-group TROUBLEMAKER out

Other useful commands:
show access-lists (lists the entries with sequence numbers and per-entry match counters, the quickest way to see whether the order is right)
no ip access-list extended name (deletes the whole named extended ACL)
ip access-list resequence name starting-sequence-number increment (renumbers the entries so that a new line can be inserted between existing ones)

Removing the Access List (unbind it from the interface first; an access-group that points at a deleted list permits everything)
conf t
int eth 0
no ip access-group # in
exit
no access-list #

In a lab setup, you'll have to really trust your neighbors not to lock you out.
Use the host keyword when you are specifying a single machine.
host 172.16.10.2 means the same as 172.16.10.2 0.0.0.0
Use the any keyword to specify 0.0.0.0 255.255.255.255 wildcard masking.
Use it when you don't care about source or destination addresses because you are filtering on other parameters.

me: access-list 1 permit host 10.10.10.8 (need to permit own workstation)
buddy1: access-list 1 permit host 10.0.0.101
buddy2: access-list 1 permit host 10.0.0.106
buddy1: access-list 1 permit 30.3.3.0 0.0.0.255
buddy2: access-list 1 permit 80.8.8.0 0.0.0.255 (the original line read "permit host 80.8.8.0 255.255.255.255": host takes no mask, and a wildcard of 255.255.255.255 would match every address)

How to apply the access-list on the vty lines (controls who may telnet/SSH to the router)
usage:
line vty 0 4
 access-class 1 in

How to create an IP named standard access-list?
usage: ip access-list standard name

syntax (numbered extended):
access-list number {permit | deny} protocol source source-wildcard destination destination-wildcard [operator port]
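An added, end-to-end example tying the rules above together; it is not from the page. It uses the lab addresses from the notes above (my workstation and the buddies' hosts) for management access, and Bob and Larry from the extended example for traffic filtering. The interface FastEthernet0/0 and the list names are assumptions.

```cisco
! 1) Standard ACL for management access, applied on the vty lines.
!    Standard lists check source only, so keep this one on the "destination", the router itself.
ip access-list standard MGMT-IN
 remark Who may telnet/SSH to this router (lab addresses from the notes)
 permit host 10.10.10.8
 permit host 10.0.0.101
 permit host 10.0.0.106
 permit 30.3.3.0 0.0.0.255
 remark Explicit deny with log so lockout attempts show in syslog
 deny any log
!
line vty 0 4
 access-class MGMT-IN in
!
! 2) Named extended ACL: specific denies first, general permit last.
!    Applied inbound on the LAN interface, closest to the sources being filtered.
ip access-list extended LAN-IN
 remark Stop Bob (172.16.3.10) reaching FTP on the 172.16.1.0/24 server subnet
 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp
 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp-data
 remark Stop Larry (172.16.2.10) reaching the WWW server
 deny tcp host 172.16.2.10 host 172.16.1.100 eq www
 remark Without this line the implicit deny drops everything else
 permit ip any any
!
! 3) Only now bind the list to the interface; it already exists, so nothing is
!    left wide open between "create" and "apply"
interface FastEthernet0/0
 description LAN toward Bob and Larry (assumed interface)
 ip access-group LAN-IN in
!
end
! 4) Verify with the match counters: if the permit line gets all the hits
!    and the denies none, the order or the addresses are wrong
show access-lists LAN-IN
show ip interface FastEthernet0/0
!
! 5) Renumber as 10, 20, 30 ... so a new entry can be inserted, e.g. "15 deny ..."
configure terminal
ip access-list resequence LAN-IN 10 10
```

To remove the filter later, take it off the interface with no ip access-group LAN-IN in before deleting the list with no ip access-list extended LAN-IN; doing it in the other order leaves the interface pointing at a missing list, which permits everything.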

Cyber Defense Engineering Rant

I read up on some recent SANS White papers and a topic caught my eye, touting the weakness of Defense in Depth. Alright, I'm taking notes. Companies spend millions of dollars on ITS and they are still getting hacked, well the ones worth hacking into anyway. Sony PS3 customer credit card data, Citibank, US military drones, like really run targets! So what are some alternatives, what are the weaknesses and strengths of technologies today?

The author seems to promote the fact that Defense in Depth is not employed properly by governments and IT departments doing IT Security and Cyber Defence. The layered defense approach works for the physical and kinetic world (as they call earth). Even an armed intruder cannot walk through walls of fire (clever). However all kinds of cyber threats can be "encapsulated" and shift silently through one layer to the next, both OSI layers and layers of security I presume. Frequency of attack is increasing, and the skill level required for a successful attack is decreasing. IT departments have limited people, process and technology. Hackers can launch attacks as effectively and quickly from overseas as from next door, with limitless power, process and technology. Actions cross international boundaries and legal jurisdictions.

Analogies of common approaches
1) Fire prevention - more like the use of a fire extinguisher or incident handling when an intrusion occurs
2) Nuclear Energy - the core is highly reactive. Clarification please?
3) Engineering - many redundancies built in, failover and contingency plans
4) Online gaming - chance encounters, attack by attrition, using up resources until they're gone

Defense in Breadth was a complementary initiative, involving multiple vendors not competing but rather collaborating. Perhaps something as simple as preventing  the attackers from getting back out the internet with the stolen sensitive electronic information. Threat detection, intrusion detection, network baseline monitoring, anomalous behaviour tracking.

Cyber Siege Defense sounds cool but I couldn't quite capture it in notes. Rather I got out of it one really good idea about Managing the Attacker with strategies like

1) Understand the mindset and motivation
2) Feed false information by setting up honeypots or false data
3) Increase the attackers level of effort
4) Drive up their costs, combine defensive technologies to increase complexity
5) Deprive the profits they seek
6) Damage their reputation

What does this all mean? The whole point I got out of it was rather dismal: the hackers know everything that is commercially available and its weaknesses. Some professionals have to take the SANS course to even learn what the weaknesses are. How do you know that hackers aren't on the same course and laughing at everyone in the back of the room?

Now it's too late, you're already under attack. I found some notebook ideas here useful for incident handling, on Windows anyway. Here's a link to a CIRT Whitepaper. Well, that is a SANS "safe" link, but how do you know it's really safe, and it's not downloading malicious code? That's what I mean when I say the weakest security is OSI Layer 8, the Between Chair and Monitor Error, the desktop USER.

More fuel to the fire that IT Security is defenceless... even CEOs agree.