On Friday 25 May 2007 at 19:02 +0530, saudi sans wrote:
> What are the steps to be done on the switch to secure it ?
First, you may want to refer to these two documents for further details
and command reference:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml
http://www.cisco.com/en/US/products/hw/switches/ps663/products_tech_note09186a0080094713.shtml
Now, what you need to do:
1. Don't use VLAN 1 for any station port or 802.1q port (trunk). VLAN 1
is for administrative protocols and purposes; use it only for this.
This will also allow you to restrict switch configuration interface
access to this sole VLAN.
2. Set DTP (default: auto) to Off for station ports and Nonegotiate for
802.1q ports. This will prevent DTP frames from being sent on the network
and port mode modification.
3. Use a dedicated VLAN number as native VLAN for 802.1q ports.
Now, VLAN hopping techniques are of two kinds. The first relies on DTP to
change a station port into a trunk and access more VLANs. Measure 2 blocks
this attack. The second one consists of sending frames with two 802.1q
headers. Measures 2 and 3 block this attack, making it impossible for a
station to send 802.1q traffic.
Use the same constraints in your AP. No VLAN 1, dedicated VLAN number as
native VLAN for trunk.
In addition to this, I would deactivate VTP if not used, as well as STP.
To go a bit deeper into your setup, as you plan to use 802.1x
authentication, you could take advantage of "guest mode", which allows a
non-authenticating user to be associated with a guest VLAN, while
authenticated users are set in a different one (or ones). This allows you
to have only one SSID available. However, the guest VLAN would be open.
Or you can use authentication-based VLAN assignment. Your users will be
associated with one specific VLAN when authenticated, and a specific
group, guests, will be assigned another one.
--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
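As an added example (not part of the original mail), a small Python audit that checks an IOS-style running-config excerpt against measures 1 to 3 above: no VLAN 1 on access or trunk ports, DTP disabled, and a dedicated native VLAN on trunks. The config text is constructed, and the command syntax assumed is Cisco IOS (`switchport mode`, `switchport nonegotiate`, `switchport trunk native vlan`).

```python
# Constructed sample running-config excerpt (not from the original mail).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 1
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 1
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
interface FastEthernet0/3
 switchport access vlan 30
"""

def parse_interfaces(config):
    """Group the indented lines under each 'interface' stanza."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
    return interfaces

def audit(config):
    """Return (interface, finding) pairs for the three measures in the mail."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        mode = next((l.split()[-1] for l in lines if l.startswith("switchport mode ")), None)
        access_vlan = next((l.split()[-1] for l in lines if l.startswith("switchport access vlan ")), "1")
        native_vlan = next((l.split()[-1] for l in lines if l.startswith("switchport trunk native vlan ")), "1")
        nonegotiate = "switchport nonegotiate" in lines
        # Measure 2: IOS defaults to dynamic auto, so an explicit mode plus
        # 'switchport nonegotiate' is assumed to be what stops DTP frames.
        if mode not in ("access", "trunk"):
            findings.append((name, "DTP negotiation enabled (mode dynamic or unset)"))
        elif not nonegotiate:
            findings.append((name, "DTP frames not disabled (missing switchport nonegotiate)"))
        if mode == "access" and access_vlan == "1":   # Measure 1
            findings.append((name, "access port in VLAN 1"))
        if mode == "trunk" and native_vlan == "1":    # Measures 1 and 3
            findings.append((name, "native VLAN is 1 on trunk"))
    return findings

if __name__ == "__main__":
    for iface, finding in audit(SAMPLE_CONFIG):
        print(f"{iface}: {finding}")
```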