Course: 1DV447 Advanced LAN Technologies
Network Security, Spring 2014

Topology

This is the logical topology of the network environment used for testing.
Introduction

The area I want to focus on is network-related security, or more specifically, to what extent we can secure a network given the equipment we have. I want to research which security issues and measures are common, configure the network equipment in a secure manner, and find a way to test all of the security-related configuration that will be used. The questions I want answered are: what can be done when the security requirements for a network are very high, do the steps taken really work, how can they be tested, and what are the potential pitfalls when securing a network?

The scenario I want to work on is a small network with one router and one switch that I want to lock down as hard as I can without rendering it completely unusable. On the network I will have one RADIUS server, one DHCP server, one client (expected to be there, behaves fine), one more client (expected to be there, behaves badly and can't be trusted) and one client that shouldn't be there at all but wants to get in. I want to try things like port security, 802.1X, IP source guard, dynamic ARP inspection and DHCP spoofing prevention: simply everything I can think of that could improve the security of the network.

Almost all of the tests I want to do will be performed on a virtual machine running Ubuntu Desktop. For example, after enabling IP source guard and dynamic ARP inspection I will try to create traffic that under normal circumstances could fool other hosts on the network and see what happens.

For every security feature I am going to try out I will follow these steps:

1. Do some tests before anything is configured to see how things work under normal circumstances.
2. Configure the security features on the network devices (either on the router or the switch).
3. Do tests to see whether the enabled security features work as one would expect them to.
4. See what happens when a successful test of a security feature is performed: what are the consequences of triggering the newly enabled restriction(s)?

One would expect a security feature to work as expected, but how can you know before you try it out? Or, more realistically, how can you be certain that you really did secure the network and not just think that you did? There are a lot of questions and uncertainties that I want to clear up. Does the equipment support the things I want to try, will I encounter something that does not quite work as expected, and how is it possible to create specific network traffic (for example traffic that contains a different source IP address, or answering ARP requests with fake ARP replies)?

Tests

There are several tests I want to perform and, because they are all unrelated to each other, I have one section for each subject. All of the sections contain tests performed before, the detailed configuration of a feature, and the results of tests performed afterwards (end results).

Port Security

The first thing I want to try out is putting limits on which machines can be used to access specific ports on the switch. By using what is called port security I can configure a specific interface on the switch to only accept a machine with a specific MAC hardware address; if the switch encounters traffic on the port with a different MAC hardware address as the source, the switch will immediately notice it and an action is triggered [1]. In this scenario we want high security and therefore we configure the switch to completely shut down an interface when the security feature is triggered.

Tests Before

Under normal circumstances there are no restrictions on which MAC hardware address can be used on different interfaces. Most of the time it is simply not something you want to have enabled. Because of this there is not much to test except using different machines (or changing the MAC hardware address on just one machine through software) on one port, just to make sure that it really does work no matter what.

Configuration

    interface FastEthernet0/1
     switchport port-security
     switchport port-security mac-address c4e.2067.fe0
     switchport port-security violation shutdown
    interface FastEthernet0/13
     switchport port-security
     switchport port-security mac-address 000c.22a.4415
     switchport port-security violation shutdown
    interface FastEthernet0/14
     switchport port-security
     switchport port-security mac-address 000c.2f3.055
     switchport port-security violation shutdown

The command switchport port-security enables the port security feature, switchport port-security mac-address <MAC> specifies which MAC hardware address is allowed on the interface, and switchport port-security violation shutdown specifies that when another MAC hardware address is encountered on the port the interface should immediately be disabled.

Tests After

To make sure that the port security feature really does work as expected, I plugged one client into interface fa0/13 with a MAC hardware address that is allowed and another client into interface fa0/14 with a MAC hardware address that is not allowed. The client on interface fa0/13 can use the network as one would expect, but the client on interface fa0/14 cannot. Interface fa0/14 has immediately been disabled and marked as Errdisable, which means that the only way for that port to start working again is to manually turn the interface off and on on the switch by running shutdown and no shutdown on it.

DHCP Snooping

In this specific network scenario there exists one legitimate DHCP server that all of the clients on the network can use to get IP address configuration. Under normal circumstances any machine on a network can act as a DHCP server, which can create potential problems. If a malicious user on the network starts a DHCP server, the other clients can start using it and get IP address configuration that is not correct. A malicious user can, for example, send out IP address configuration that does not work at all, or even worse, send out working IP address configuration that says that the malicious user's machine is the gateway for the network [2]. We want all DHCP replies that come from untrusted ports to be dropped by the switch.
Tests Before

Before enabling the DHCP snooping feature on the switch I made sure that the legitimate DHCP server was up and running and could be used by all of the clients on the network.

Configuration

    ip dhcp snooping
    ip dhcp snooping vlan 10
    no ip dhcp snooping information option
    interface FastEthernet0/1
     switchport mode access
     switchport access vlan 10
     ip dhcp snooping trust
    interface FastEthernet0/2
     switchport mode access
     switchport access vlan 10
    interface FastEthernet0/13
     switchport mode access
     switchport access vlan 10
     ip dhcp snooping limit rate 3
    interface FastEthernet0/14
     switchport mode access
     switchport access vlan 10
     ip dhcp snooping limit rate 3

The command ip dhcp snooping turns on the feature, ip dhcp snooping vlan 10 specifies the VLAN that should be protected, no ip dhcp snooping information option prevents the switch from manipulating DHCP packets in a way that makes the legitimate DHCP service stop working, ip dhcp snooping trust specifies on which port the legitimate DHCP server is located, and ip dhcp snooping limit rate 3 sets a limit on how many DHCP requests are allowed on a port within a specific time (prevents flooding).

Tests After

We have one legitimate DHCP server connected to interface fa0/1 that is supposed to work, and to make sure it still does we can run sudo dhclient eth0 on one of the clients connected to interface fa0/13 or fa0/14. After we have made sure the service still works on a trusted port, we can move the host that is connected to port fa0/1 to the untrusted port fa0/2 and run dhclient once more on the client to see what happens. It will no longer work, because the switch will silently drop the DHCP packets coming from the untrusted port. To test the flooding prevention we move the DHCP service back to interface fa0/1 and run sudo dhclient eth0 && sudo dhclient -r more than 3 times in a row within a short time. The switch will immediately disable the interface and put it in Errdisable state.
IP Source Guard

To prevent hosts on the network from lying about the IP source address that is put inside network packets, we can make use of the DHCP snooping database that we conveniently already have on the switch (it contains the MAC hardware address and IP address of hosts connected to different ports). With this security feature the switch knows what IP address is supposed to be inside packets coming in from each of the different ports [3].

Tests Before

To try out a network connection and at the same time fake the IP source address, we can use a program called hping3 on one of the clients. With hping3 we can very easily ping another host and at the same time lie about the IP source address. To do both things all we need to do is run the command hping3 -a and see what happens ( is a fake IP address and is the DHCP server). The communication works just fine.

Configuration

    interface FastEthernet0/1
     ip verify source port-security
    interface FastEthernet0/13
     ip verify source port-security
    interface FastEthernet0/14
     ip verify source port-security
    ip source binding C3E.2067.FE0 vlan fa0/1

The command ip source binding C3E.2067.FE0 vlan fa0/1 creates a static entry for the gateway (DHCP server), because it does not exist in the DHCP snooping database, and ip verify source port-security enables the feature.

Tests After

To test the IP source guard feature all we need to do is run exactly the same test as before enabling it. More specifically, we run the command hping3 -a once again. This time the communication will not work, because the switch will silently drop all packets containing fake IP source addresses.
Dynamic ARP Inspection

When a host on a network wants to find out the MAC hardware address of another host with a specific IP address, it asks everyone on the network and everyone can answer the question. The host that answers first might be a malicious user with bad intentions. For example, if a new host arrives on the network and asks for the MAC hardware address of the host with IP address (our gateway), another host (for example ) might answer the question, and from now on the new host will think that the host with the IP address is the gateway even though it is not. This is a typical man-in-the-middle attack [4].

Tests Before

To test this we need to try to send out fake ARP replies and see if we can trick another host into believing we are someone else on the network. We can use a program called arpspoof to continuously flood our network with ARP replies. First we run the command arpspoof -i eth0 -t (we target host and tell it we are ) on the host with IP address , and on the host with IP address we simply run the command traceroute to see how traffic travels to the IP address . From the results we can see that the host (our target) believes that the attacker is indeed the host that has the IP address .

Configuration

    ip arp inspection vlan 10
    ip arp inspection validate src-mac dst-mac ip

The command ip arp inspection vlan 10 enables dynamic ARP inspection on VLAN 10, and ip arp inspection validate src-mac dst-mac ip makes the function check the source and destination MAC hardware addresses and the IP address to make sure everything looks legitimate.

Tests After

To test the dynamic ARP inspection feature we do exactly the same thing as we did in the test before. The result is that the host that sends our fake ARP replies ( ) can no longer trick the target ( ) into believing it is in fact the host . The switch immediately notices that fake ARP replies arrive on a port, all of the packets are dropped, and the switch prints out error messages every time it happens. The attack can no longer work.
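The Errdisable states and error messages described in the Tests After sections are what a defender would watch for in the switch's logs. This is an added example, not part of the original report: it parses constructed log lines resembling Cisco IOS syslog for port-security violations, errdisable events, dropped DHCP offers and DAI denials, and summarizes them per interface; the exact message formats are assumed approximations and the MAC and IP values are placeholders. IP source guard drops are silent, as the report notes, so they do not appear in a log search like this.

```python
import re

# Constructed sample lines resembling Cisco IOS syslog for the events the tests
# above trigger. Formats are approximations (they vary by platform and release)
# and the MAC/IP values are placeholders, not captured output from the report.
SAMPLE_LOG = """\
Mar  3 10:01:12.301: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0800.27aa.bb01 on port FastEthernet0/14.
Mar  3 10:01:12.305: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/14, putting Fa0/14 in err-disable state
Mar  3 10:07:40.118: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 0c4e.2067.fe00
Mar  3 10:09:02.990: %DHCP_SNOOPING-4-DHCP_SNOOPING_RATE_LIMIT_EXCEEDED: The interface Fa0/13 is receiving more than the threshold set
Mar  3 10:09:02.994: %PM-4-ERR_DISABLE: dhcp-rate-limit error detected on Fa0/13, putting Fa0/13 in err-disable state
Mar  3 10:15:55.402: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/13, vlan 10.([0800.27aa.bb02/192.0.2.1/0000.0000.0000/192.0.2.20/10:15:55 UTC Mon Mar 3 2014])
Mar  3 10:15:56.402: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/13, vlan 10.([0800.27aa.bb02/192.0.2.1/0000.0000.0000/192.0.2.20/10:15:56 UTC Mon Mar 3 2014])
Mar  3 10:20:00.000: %SYS-5-CONFIG_I: Configured from console by console
"""

SYSLOG_RE = re.compile(r"%(?P<facility>[A-Z_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)")
IFACE_RE = re.compile(r"\b((?:FastEthernet|GigabitEthernet|Fa|Gi)\d+/\d+)\b")
MAC_RE = re.compile(r"\b([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\b", re.I)

# Mnemonics for the features in this report, mapped to the feature they belong to.
FEATURE_BY_MNEMONIC = {
    "PSECURE_VIOLATION": "port-security",
    "DHCP_SNOOPING_UNTRUSTED_PORT": "dhcp-snooping",
    "DHCP_SNOOPING_RATE_LIMIT_EXCEEDED": "dhcp-snooping",
    "DHCP_SNOOPING_DENY": "dynamic-arp-inspection",   # emitted by the SW_DAI facility
    "ERR_DISABLE": "errdisable",
}


def normalize_iface(name):
    """Use the short form so 'FastEthernet0/14' and 'Fa0/14' aggregate together."""
    return name.replace("FastEthernet", "Fa").replace("GigabitEthernet", "Gi")


def parse_event(line):
    """Return a dict for a security-relevant syslog line, or None for anything else."""
    m = SYSLOG_RE.search(line)
    if not m or m.group("mnemonic") not in FEATURE_BY_MNEMONIC:
        return None
    text, mnemonic = m.group("text"), m.group("mnemonic")
    iface, mac = IFACE_RE.search(text), MAC_RE.search(text)
    ev = {
        "feature": FEATURE_BY_MNEMONIC[mnemonic],
        "mnemonic": mnemonic,
        "severity": int(m.group("sev")),
        "interface": normalize_iface(iface.group(1)) if iface else None,
        "mac": mac.group(1).lower() if mac else None,
    }
    if mnemonic == "ERR_DISABLE":          # e.g. "psecure-violation error detected on Fa0/14"
        cause = re.match(r"(\S+) error detected", text)
        ev["cause"] = cause.group(1) if cause else None
    if mnemonic == "DHCP_SNOOPING_DENY":   # e.g. "1 Invalid ARPs (Res) on Fa0/13"
        count = re.match(r"(\d+) Invalid ARPs", text)
        ev["count"] = int(count.group(1)) if count else 1
    return ev


def summarize(log_text):
    """Aggregate events per interface: which ports were err-disabled and why,
    which MACs tripped port security, rogue DHCP offers, and DAI drop counts."""
    events = [e for e in map(parse_event, log_text.splitlines()) if e]
    out = {"events": events, "errdisabled": {}, "port_security_violations": {},
           "rogue_dhcp_offers": [], "dai_drops_by_interface": {}}
    for e in events:
        m, i = e["mnemonic"], e["interface"]
        if m == "ERR_DISABLE":
            out["errdisabled"][i] = e["cause"]
        elif m == "PSECURE_VIOLATION":
            out["port_security_violations"].setdefault(i, []).append(e["mac"])
        elif m == "DHCP_SNOOPING_UNTRUSTED_PORT":
            out["rogue_dhcp_offers"].append(e["mac"])
        elif m == "DHCP_SNOOPING_DENY":
            out["dai_drops_by_interface"][i] = out["dai_drops_by_interface"].get(i, 0) + e["count"]
    return out


if __name__ == "__main__":
    r = summarize(SAMPLE_LOG)
    for iface, cause in r["errdisabled"].items():
        print(f"{iface}: err-disabled by {cause}; clear with shutdown / no shutdown")
    print("rogue DHCP offers from:", r["rogue_dhcp_offers"])
    print("DAI drops per interface:", r["dai_drops_by_interface"])
```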
Reflection

When I started working on this project I wanted to do more than what I eventually ended up doing. I had plans that were a little bit too big, time was running out, and the essay was supposed to be quite short, which I noticed early on mine would not be. In the introduction I talk about things like RADIUS and about common security problems etc., which I ended up skipping. I leave the introduction and topology intact so the reader can at least understand what I wanted to do and what I wanted to achieve. At least most of the project's goals were met.

The port security feature works, but in reality it is little more than security by obscurity. A user that wants to gain access to the network can, under certain circumstances, easily find out which MAC hardware address works on different ports. Let's say that we have two stationary workstations connected to the ports fa0/13 and fa0/14; the malicious user could just unplug one of them, listen to the traffic that it sends out to find out what MAC hardware address the workstation has, and later on use the same one on another computer. Port authentication with 802.1X and RADIUS could be used as a solution to this weakness.

The DHCP snooping feature was the only one I had any real problems with. Turning it on was not a problem, but making the legitimate DHCP server work was a big problem. It was not working quite as one would expect it to; saying that a port was to be trusted was not enough for the legitimate DHCP server to work again. After a lot of wasted hours I fixed the problem with the command no ip dhcp snooping information option; without it the switch adds information in the option field inside the DHCP header when it encounters DHCP packets, and that creates problems for some reason which I do not fully understand.

The IP source guard feature worked like a charm. Thanks to the already existing DHCP snooping database little configuration is needed, and it will continue to work in a dynamic fashion. I did have to add information about one host, but that was only because that host is the same one that is running the DHCP server: it will therefore never use the DHCP service, which in turn means it does not end up in the dynamic DHCP snooping database. The host will simply not ask itself for IP network configuration settings, and even if it did, that information would not cross the switch, and the switch would continue to be unaware of it no matter what.

I think the dynamic ARP inspection feature is the most important of the different security features I tested. A malicious user on the network can do a lot of bad things if it can pretend to be someone else on the network at such a low level (layer 2). Someone with more experience could easily wreak havoc on a network while continuing to go unnoticed in most circumstances.
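The report's question of how you can be certain that you really did secure the network can be partly answered by auditing the running-config for the settings the sections above relied on. This added example (not the report's own code) parses a constructed composite of the report's switch configuration and flags the pitfalls the reflection names: a missing no ip dhcp snooping information option, a trusted port running IP source guard without a static binding, and access ports without port security, a DHCP rate limit, or IP source guard. MAC addresses, the VLAN and IP in the static binding, and fa0/14's deliberately weakened violation mode are placeholders chosen for the example.

```python
import re

# Constructed composite of the switch configuration shown in this report
# (port security, DHCP snooping, IP source guard, DAI). MAC addresses and the
# binding's VLAN/IP are placeholders; fa0/14 is deliberately weakened to
# 'protect' so that the audit has something to flag.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
ip source binding 0c3e.2067.fe00 vlan 10 192.0.2.1 interface FastEthernet0/1
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security mac-address 0c3e.2067.fe00
 switchport port-security violation shutdown
 ip dhcp snooping trust
 ip verify source port-security
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
interface FastEthernet0/14
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security mac-address 000c.29f3.0550
 switchport port-security violation protect
 ip dhcp snooping limit rate 3
 ip verify source port-security
"""


def parse_ios(config):
    """Split a running-config into global lines and {interface: [stripped lines]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit(config):
    """Return {scope: [findings]} for 'global' and each access port; an empty
    list means that scope carries every setting the report relied on."""
    global_lines, interfaces = parse_ios(config)
    gset = set(global_lines)
    snoop_vlans = {l.split()[-1] for l in global_lines if l.startswith("ip dhcp snooping vlan ")}
    dai_vlans = {l.split()[-1] for l in global_lines if l.startswith("ip arp inspection vlan ")}
    bound = {l.split()[-1] for l in global_lines if l.startswith("ip source binding ")}
    g = []
    if "ip dhcp snooping" not in gset:
        g.append("DHCP snooping is not enabled globally")
    if "no ip dhcp snooping information option" not in gset:
        g.append("option 82 insertion is on; the report needed it off for the DHCP server to work")
    if not any(l.startswith("ip arp inspection validate ") for l in global_lines):
        g.append("DAI does not validate src-mac/dst-mac/ip")
    findings = {"global": g}
    for name, lines in interfaces.items():
        lset = set(lines)
        if "switchport mode access" not in lset:
            continue  # trunks and routed ports need different rules
        f = findings[name] = []
        vlan = next((l.split()[-1] for l in lines if l.startswith("switchport access vlan ")), "1")
        if vlan not in snoop_vlans:
            f.append(f"VLAN {vlan} is not covered by DHCP snooping")
        if vlan not in dai_vlans:
            f.append(f"VLAN {vlan} is not covered by dynamic ARP inspection")
        trusted = "ip dhcp snooping trust" in lset
        if "switchport port-security" not in lset:
            f.append("port security is not enabled")
        elif "switchport port-security violation shutdown" not in lset:
            f.append("port-security violation mode is not 'shutdown'")
        if not trusted and not any(l.startswith("ip dhcp snooping limit rate ") for l in lines):
            f.append("untrusted port has no DHCP rate limit")
        if not any(l.startswith("ip verify source") for l in lines):
            f.append("IP source guard is not enabled")
        elif trusted and name not in bound:
            # The DHCP server's own port never learns a snooping entry, so it needs a static one.
            f.append("trusted port runs IP source guard without a static ip source binding")
    return findings


if __name__ == "__main__":
    for scope, problems in audit(SAMPLE_CONFIG).items():
        print(scope, "OK" if not problems else "; ".join(problems))
```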
References

[1] D. Huckaby, "Securing Switch Access" in CCNP Switch: Official Certification Guide, Indianapolis: Cisco Press, 2011, pp.
[2] D. Huckaby, "Securing Switch Access" in CCNP Switch: Official Certification Guide, Indianapolis: Cisco Press, 2011, pp.
[3] D. Huckaby, "Securing Switch Access" in CCNP Switch: Official Certification Guide, Indianapolis: Cisco Press, 2011, pp.
[4] D. Huckaby, "Securing Switch Access" in CCNP Switch: Official Certification Guide, Indianapolis: Cisco Press, 2011, pp.
More informationLab Objectives & Turn In
Firewall Lab This lab will apply several theories discussed throughout the networking series. The routing, installing/configuring DHCP, and setting up the services is already done. All that is left for
More informationConfiguring EtherChannels
25 CHAPTER This chapter describes how to configure EtherChannel interfaces. For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 2950 Desktop Switch Command
More informationCatalyst Layer 3 Switch for Wake On LAN Support Across VLANs Configuration Example
Catalyst Layer 3 Switch for Wake On LAN Support Across VLANs Configuration Example Document ID: 91672 Contents Introduction Prerequisites Requirements Components Used Conventions Background Information
More informationLab 3.10.2 Use Network Inspector to Observe STP Behavior
Lab 3.10.2 Use Network Inspector to Observe STP Behavior Objective The purpose of this lab is to observe STP behavior with the Network Inspector switch trace feature. Scenario A new switched network has
More informationTools for Attacking Layer 2 Network Infrastructure
Tools for Attacking Layer 2 Network Infrastructure Kai-Hau Yeung, Dereck Fung, and Kin-Yeung Wong Abstract Data Link layer is considered as the weakest link in a secured network. If an initial attack comes
More informationCCT vs. CCENT Skill Set Comparison
Operation of IP Data Networks Recognize the purpose and functions of various network devices such as Routers, Switches, Bridges and Hubs Select the components required to meet a given network specification
More informationNetwork Security. Ensuring Information Availability. Security
Ensuring Information Availability Security - Ensuring Information Availability Introduction The advent of the Internet and the huge array of connected devices has led to an insatiable demand for access
More informationOverview. Firewall Security. Perimeter Security Devices. Routers
Overview Firewall Security Chapter 8 Perimeter Security Devices H/W vs. S/W Packet Filtering vs. Stateful Inspection Firewall Topologies Firewall Rulebases Lecturer: Pei-yih Ting 1 2 Perimeter Security
More informationIntegration with IP Phones
Copyright 2010 Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in retrieval system, or transmitted, in any form or by any means electronic, mechanical, photocopying,
More informationLecture 17 - Network Security
Lecture 17 - Network Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ Idea Why donʼt we just integrate some of these neat
More informationRouting Protocols and Concepts Chapter 2 Conceitos de protocolos de Encaminhamento Cap 2
Static Routing Routing Protocols and Concepts Chapter 2 1 1 Objectives Define the general role a router plays in networks. Describe the directly connected networks, different router interfaces Examine
More informationConfiguring WAN Failover with a Cisco 881 Router and an AirLink ES440
Configuring WAN Failover with a Cisco 881 Router and an AirLink ES440 When the AirLink ES440 is combined with a third-party router, the combined solution supports business continuity by providing primary
More informationCisco Networking Academy CCNP Multilayer Switching
CCNP3 v5 - Chapter 5 Cisco Networking Academy CCNP Multilayer Switching Implementing High Availability in a Campus Environment Routing issues Hosts rely on a router to find the best path Issues with established
More informationVLAN und MPLS, Firewall und NAT,
Internet-Technologien (CS262) VLAN und MPLS, Firewall und NAT, 15.4.2015 Christian Tschudin Departement Mathematik und Informatik, Universität Basel 6-1 Wiederholung Unterschied CSMA/CD und CSMA/CA? Was
More informationCSE331: Introduction to Networks and Security. Lecture 12 Fall 2006
CSE331: Introduction to Networks and Security Lecture 12 Fall 2006 Announcements Midterm I will be held Friday, Oct. 6th. True/False Multiple Choice Calculation Short answer Short essay Project 2 is on
More informationCampus LAN at NKN Member Institutions
Campus LAN at NKN Member Institutions RS MANI rsm@nkn.in 1/7/2015 3 rd Annual workshop 1 Efficient utilization Come from: Good Campus LAN Speed Segregation of LANs QoS Resilient Access Controls ( L2 and
More informationIntroduction to Routing and Packet Forwarding. Routing Protocols and Concepts Chapter 1
Introduction to Routing and Packet Forwarding Routing Protocols and Concepts Chapter 1 1 1 Objectives Identify a router as a computer with an OS and hardware designed for the routing process. Demonstrate
More informationIntroduction. What is a Remote Console? What is the Server Service? A Remote Control Enabled (RCE) Console
Contents Introduction... 3 What is a Remote Console?... 3 What is the Server Service?... 3 A Remote Control Enabled (RCE) Console... 3 Differences Between the Server Service and an RCE Console... 4 Configuring
More informationFirewall Introduction Several Types of Firewall. Cisco PIX Firewall
Firewall Introduction Several Types of Firewall. Cisco PIX Firewall What is a Firewall? Non-computer industries: a wall that controls the spreading of a fire. Networks: a designed device that controls
More information100-101: Interconnecting Cisco Networking Devices Part 1 v2.0 (ICND1)
100-101: Interconnecting Cisco Networking Devices Part 1 v2.0 (ICND1) Course Overview This course provides students with the knowledge and skills to implement and support a small switched and routed network.
More informationACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL I. VERSION 2.0
ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL I. VERSION 2.0 Module 1: Vulnerabilities, Threats, and Attacks 1.1 Introduction to Network Security
More informationco Characterizing and Tracing Packet Floods Using Cisco R
co Characterizing and Tracing Packet Floods Using Cisco R Table of Contents Characterizing and Tracing Packet Floods Using Cisco Routers...1 Introduction...1 Before You Begin...1 Conventions...1 Prerequisites...1
More informationExhibit n.2: The layers of a hierarchical network
3. Advanced Secure Network Design 3.1 Introduction You already know that routers are probably the most critical equipment piece in today s networking. Without routers, internetwork communication would
More informationVoice over IP. VoIP (In) Security. Presented by Darren Bilby NZISF 14 July 2005
Voice over IP VoIP (In) Security Presented by Darren Bilby NZISF 14 July 2005 Security-Assessment.com Who We Are NZ s only pure-play security firm Largest team of security professionals in NZ Offices in
More informationClearPass Policy manager Cisco Switch Setup with CPPM. Technical Note
ClearPass Policy manager Cisco Switch Setup with CPPM Technical Note Copyright 2012 Aruba Networks, Inc. Aruba Networks trademarks include, Aruba Networks, Aruba Wireless Networks, the registered Aruba
More informationQuick Installation Guide Network Management Card
Rev.1.1 www.cyberpowersystems.com Quick Installation Guide Network Management Card Intelligent Network Management Card allows UPS to be managed, monitored, and configured via SNMP Card Configuration Tool
More informationConfiguring Triple Play Security with CLI
Triple Play Service Delivery Architecture Configuring Triple Play Security with CLI xvpls This section provides information to configure Residential Broadband Aggregation services using the command line
More informationPacket Sniffing: What it s Used for, its Vulnerabilities, and How to Uncover Sniffers
Packet Sniffing: What it s Used for, its Vulnerabilities, and How to Uncover Sniffers Mathurshan Vimalesvaran Tufts University Abstract Packets are the base of all data sent on the internet, yet they are
More informationNetwork Address Translation (NAT)
Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT. Taken from http://www.cs.virginia.edu/~itlab/ book/slides/module17-nat.ppt 1 Private Network Private IP network
More informationCS5008: Internet Computing
CS5008: Internet Computing Lecture 22: Internet Security A. O Riordan, 2009, latest revision 2015 Internet Security When a computer connects to the Internet and begins communicating with others, it is
More informationInternet Protocol: IP packet headers. vendredi 18 octobre 13
Internet Protocol: IP packet headers 1 IPv4 header V L TOS Total Length Identification F Frag TTL Proto Checksum Options Source address Destination address Data (payload) Padding V: Version (IPv4 ; IPv6)
More informationGuideline for setting up a functional VPN
Guideline for setting up a functional VPN Why do I want a VPN? VPN by definition creates a private, trusted network across an untrusted medium. It allows you to connect offices and people from around the
More informationHow To Understand and Configure Your Network for IntraVUE
How To Understand and Configure Your Network for IntraVUE Summary This document attempts to standardize the methods used to configure Intrauve in situations where there is little or no understanding of
More informationLab 8.5.3 Configuring the PIX Firewall as a DHCP Server
Lab 8.5.3 Configuring the PIX Firewall as a DHCP Server Objective Scenario Estimated Time: 15 minutes Number of Team Members: Two teams with four students per team. In this lab, students will learn the
More information