Has Layer 2 security been overlooked in your network protection scheme or have you implemented the necessary measures to eliminate risks? Has your organization been guilty of any of the security sins described here?
I've seen a lot of network implementations in my last career as an IT consultant. I would estimate based on what I've seen that the better enterprise networks implement 30% of these recommendations while most other networks implement 5% of the recommendations.
I have spent the last year learning what all these security measures are used for and how to implement them on new switches in our environment. Our company has been using these secure practices long before I came along as a network apprentice over a year ago.

This is a handy guide to keep and use when setting up any switch.

Thanks for the great tool!
Thanks, I'm glad it's handy for you.

Your company is unfortunately the exception when it should be the rule. Every network I came across didn't implement most of these lock-down procedures. Many security audits I've seen didn't even check this.
You suggest using a maximum of 5 in the port-security configuration. Realistically, you would want to set the number to 1 (default). In a Cisco VoIP network, you set it to 3, because the Cisco IP phones have 2 MAC addresses (computer + phone = 3).

Doing this will prevent users from attaching inexpensive hubs or switches without administrative assistance.

In addition, for offices where there is a potential for rogue users you can use the "sticky-mac" feature. Instead of having to manually acquire the MAC address of each device and then typing it into the switch, the switch will automatically record the MAC of the first device to connect to the switch and restrict the port to only that device.

switchport port-security mac-address sticky

PSC
Using 3 is fine if you want to be that restrictive about it. It all depends on your management policy.

As for sticky MACs, I don't want the management headache and all the tickets that need to be opened because of this. If I want to restrict rogue users, I'd much rather implement 802.1x for superior security and less of a management burden. MAC addresses can easily be faked; 802.1x can't.
In the main article, you suggest creating a login. I agree with that, but disagree with using password option instead of the secret.

Level 7 passwords are easily cracked; in fact, there are several web-based crackers available. Using the secret option makes the password significantly more difficult to crack, if a sufficiently complex password is chosen.

username admin1 privilege 15 secret T#is1s@HardPassw0rd

This is a really good article. We actually implemented about 99% of your suggestions last year when we rebuilt our WAN.
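As an added example (not from the article or from either commenter), a small Python audit that applies both of the points made above to a saved running-config: it flags username lines that store the credential with password (type 0 or reversible type 7) instead of secret, access ports with no port-security, and ports whose port-security maximum exceeds a site policy value (3 here, the Cisco VoIP case from the thread). The config excerpt, its placeholder hashes and the interface names are constructed.

```python
import re

# Constructed IOS running-config excerpt (placeholder values, not from a real device).
SAMPLE_CONFIG = """\
username admin1 privilege 15 password 7 PLACEHOLDER_TYPE7_STRING
username admin2 privilege 15 secret 5 $1$PLACEHOLDER$hash
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security mac-address sticky
!
interface FastEthernet0/3
 switchport mode access
!
"""

def audit_config(config, max_allowed=3):
    """Return (object, finding) pairs; max_allowed is a site policy (1 or 3 in the thread)."""
    findings = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:1] == ["username"]:
            # The first keyword after the name tells how the credential is stored.
            kw = next((t for t in tokens[2:] if t in ("password", "secret")), None)
            if kw == "password":
                findings.append((f"username {tokens[1]}", "stored with 'password' (type 0/7); use 'secret'"))
    # Interface sections are separated by '!' lines.
    for block in re.split(r"^!\s*$", config, flags=re.M):
        m = re.search(r"^interface (\S+)", block, re.M)
        if not m:
            continue
        name = m.group(1)
        access = re.search(r"^\s*switchport mode access\s*$", block, re.M)
        ps_on = re.search(r"^\s*switchport port-security\s*$", block, re.M)
        if access and not ps_on:
            findings.append((name, "access port without port-security"))
        elif ps_on:
            mx = re.search(r"^\s*switchport port-security maximum (\d+)", block, re.M)
            limit = int(mx.group(1)) if mx else 1  # IOS default maximum is 1
            if limit > max_allowed:
                findings.append((name, f"port-security maximum {limit} exceeds policy {max_allowed}"))
    return findings
```

Run `audit_config` over the output of `show running-config` saved to a file; lower `max_allowed` to 1 for ports that are not meant to carry a phone.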
Excellent point, thank you
georgeou Updated - 9th Feb 2007
I'll review that password issue.

If you've implemented 99% of the recommendations here, then your network team deserves a big pat on the back. I've encountered too many networks, large or small, that don't implement most of these things.
I'm struggling to discover exactly what the network command covers. I know it's network services, but is that to or through the switch? I.e., why do I need this command?

Currently I have:

aaa authentication login default group admins group radius
aaa authentication login aaa-fallback enable
aaa authentication dot1x default group lan group radius
aaa authorization exec default group radius if-authenticated

This prompts me for auth if I log in via Telnet (SSH is my next job), so what does network do?
The great tool!
Thanks!

Edina Zecevic
Good thoughts.

Although SNMP, SSH and Telnet are Layer 3, security is broad and each layer can protect/expose other layers.

These are mine:

http://www.slideshare.net/samis/network-security-layer-2