ASA Features licenses

Certificates

Стандарты
PKCS #7 - определяет формат подписи сертификата CA
PKCS#10 - определяет формат запроса
RSA keys - используются для генерации public/private keys
X.509 - определяет формат сертификата

Layer 2 security basics

L2 attacks

1. Переполнение CAM-таблицы

 Злоумышленник переполняет таблицу MAC-адресов коммутатора и свитч преврашается в hub

2. Gratuitous  ARP

Злоумышленник спуфит свой IP посредством  Gratuitous  arp, утверждая что целевой IP принадлежит его машине. Например, можно представиться default gw

Справка:

Gratuitous ARP could mean both gratuitous ARP request or gratuitous ARP reply. Gratuitous in this case means a request/reply that is not normally needed according to the ARP specification (RFC 826) but could be used in some cases. A gratuitous ARP request is an AddressResolutionProtocol request packet where the source and destination IP are both set to the IP of the machine issuing the packet and the destination MAC is the broadcast address ff:ff:ff:ff:ff:ff. Ordinarily, no reply packet will occur. A gratuitous ARP reply is a reply to which no request has been made.

Gratuitous ARPs are useful for four reasons:

• They can help detect IP conflicts. When a machine receives an ARP request containing a source IP that matches its own, then it knows there is an IP conflict.

• They assist in the updating of other machines' ARP tables. Clustering solutions utilize this when they move an IP from one NIC to another, or from one machine to another. Other machines maintain an ARP table that contains the MAC associated with an IP. When the cluster needs to move the IP to a different NIC, be it on the same machine or a different one, it reconfigures the NICs appropriately then broadcasts a gratuitous ARP reply to inform the neighboring machines about the change in MAC for the IP. Machines receiving the ARP packet then update their ARP tables with the new MAC.

• They inform switches of the MAC address of the machine on a given switch port, so that the switch knows that it should transmit packets sent to that MAC address on that switch port.

• Every time an IP interface or link goes up, the driver for that interface will typically send a gratuitous ARP to preload the ARP tables of all other local hosts. Thus, a gratuitous ARP will tell us that that host just has had a link up event, such as a link bounce, a machine just being rebooted or the user/sysadmin on that host just configuring the interface up. If we see multiple gratuitous ARPs from the same host frequently, it can be an indication of bad Ethernet hardware/cabling resulting in frequent link bounces.

3. VLAN hopping

From Wikipedia, the free encyclopedia

VLAN hopping is a computer security exploit, a method of attacking networked resources on a Virtual LAN (VLAN). The basic concept behind all VLAN hopping attacks is for an attacking host on a VLAN to gain access to traffic on other VLANs that would normally not be accessible. There are two primary methods of VLAN hopping: switch spoofing anddouble tagging. Both attack vectors can be easily mitigated with proper switchport configuration.

Contents   [hide]  1 Switch spoofing 1.1 Mitigation 2 Double tagging 2.1 Mitigation 2.2 Example 3 See also 4 Notes 5 References

Switch spoofing

In a switch spoofing attack, an attacking host imitates a trunking switch by speaking the tagging and trunking protocols (e.g. Multiple VLAN Registration Protocol, IEEE 802.1Q,VLAN Trunking Protocol) used in maintaining a VLAN. Traffic for multiple VLANs is then accessible to the attacking host.

Mitigation

Switch spoofing can only be exploited when interfaces are set to negotiate a trunk. To prevent this attack on Cisco IOS, use one of the following methods^[1]:

1. Ensure that ports are not set to negotiate trunks automatically.

Switch(config-if)# switch trunk nonegotiate

2. Ensure that ports that are not meant to be trunks are explicitly configured as access ports

Switch(config-if)# switch mode access

Double tagging

In a double tagging attack, an attacking host connected on a dot1q interace prepends two VLAN tags to packets that it transmits. The packet (which corresponds to the VLAN that the attacker is really a member of) is forwarded without the first tag, because it is the native VLAN. The second (false) tag is then visible to the second switch that the packet encounters. This false VLAN tag indicates that the packet is destined for a target host on a second switch. The packet is then sent to the target host as though it originated on the target VLAN bypassing the network mechanisms that logically isolate VLANs from one another. However, this attack allows to send packets toward the second switch, but possible answers are not forwarded to the attacking host.

Mitigation

Double Tagging can only be exploited when switches use "Native VLANs"^[2]. Ports with a specific access VLAN (the native VLAN) don't apply a VLAN tag when sending frames, allowing the attacker's fake VLAN tag to be read by the next switch. It is always good practice to do one of the following (With sample IOS interface configuration):

1. Simply do not put any hosts on VLAN 1 (The default VLAN). i.e, assign an access VLAN other than VLAN 1 to every access port

 Switch(config-if)# switch access vlan 2

2. Change the native VLAN on all trunk ports to an unused VLAN ID.

Switch(config-if)# switchport trunk native vlan 999

3. Explicit tagging of the native VLAN on all trunk ports.

Switch(config-if)# switchport trunk native vlan tag

[edit]Example

As an example of a double tagging attack, consider a secure web server on a VLAN called VLAN1. Hosts on VLAN1 are allowed access to the web server; hosts from outside the VLAN are blocked by layer 3 filters. An attacking host on a separate VLAN, called VLAN2, creates a specially formed packet to attack the web server. It places a header tagging the packet as belonging to VLAN2 on top of another header tagging the packet as belonging to VLAN1. When the packet is sent, the switch on VLAN2 sees the VLAN2 header and removes it, and forwards the packet. The VLAN2 switch expects that the packet will be treated as a standard TCP packet by the switch on VLAN1. However, when the packet reaches VLAN1, the switch sees a tag indicating that the packet is part of VLAN1, and so bypasses the layer 3 handling, treating it as a layer 2 packet on the same logical VLAN. The packet thus arrives at the target server as though it was sent from another host on VLAN1, ignoring any layer 3 filtering that might be in place.

4. Spanning-Tree Attacks

Злоумышленник может заспуфить root bridge и затем снять весь проходящий через его свитч трафик с помощью SPAN-порта

Mitigation

Root Guard - фиксирует порт, куда подключен root bridge

BPDU Guard  - если на указанном порту обнаружится BPDU пакет, порт блокируется.

(config)# spanning-tree portfast bpduguard default

5. DHCP spoofing

C помощью спуфинга dhcp-ответов можно выдать пользователям default gw на свою машину и тем самым перенаправить весь трафик на себя.

Mitigation

DHCP snooping - разрешает dhcp response только с определенных портов (или vlan)

IOS CLI VIEWS

#enable view
(config)#parser view VIEW_1
(config-view)#secret cisco
(config-view)#commands exec include all show
(config-view)#commands exec include ping

(config)#username helpdesk view VIEW_1 secret cisco

Superview
(config)#parser view SV superview
(config-view)#view VIEW_1 //add view to superview. Superview combines commands from several views
(config-view)#view VIEW_2

AAA

radius udp:1645 udp:1812
tacacs+ tcp:49

ssh config

(config)# ip domain-name xxx.com
(config)#crypto key generate rsa
(config-line)#transport input ssh
(config)#ip s sh version 2
(config)#ip ssh time-out <1-120secs> //default 120
(config)#ip ssh authentication-retries <0-5> //default 3

sh users

SNMP

snmp 1/2c
config)#snmp-server community ro 

snmp 3