Happy new year !

To all my readers, wishing you all the best in 2013!

Thank you for all your support, comments and suggestions during 2012. Let's see what 2013 brings to the technology and network security world.

My predictions:

More mobile exploits/malware
More hacktivist group attacks
A rise in advanced malware
A rise in Mac malware/viruses
Cloud-based security growth

Just some predictions off the top of my head.

Let's see what happens.

Till next time stay secure !

Preventing unauthorized devices from connecting to a Cisco switch

Hello all,

In this post I want to cover ways to mitigate unauthorized devices connecting to a switch, for instance in a public library or an internet cafe where the access switch can be accessed by the public.

Just to set the stage for this example: there is an internet cafe called Bob's Internet Cafe. Bob has a single 24-port Cisco 2950 switch that provides LAN access for all of his desktop PCs. Not all ports are in use, and each PC is given an IP address via DHCP. If no protection is in place and Mr. Hacker comes into Bob's cafe with a laptop and an Ethernet cable and plugs into Bob's switch, Mr. Hacker can now use his own laptop on Bob's network to wreak all kinds of havoc. Let's dig in and ruin Mr. Hacker's day.

Here is the layout of Bob's network:

(Screenshot of the network layout, 2012-12-28)

As we can see this is a simple enough network, but there are many security concerns that Bob needs to take into account. For example, Bob is only using 8 of the switch's 24 ports, which leaves 16 ports that are an attack vector. Let's secure these ports.

First we will enable Cisco port security on all ports, then we will lock down all ports that are not in use, and for the ports that are in use we will deny any MAC address that is not the MAC address of one of Bob's PCs.

Let's begin.

First, determine which ports are in use:

Switch#sh ip int bri
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/1        unassigned      YES manual up                    up
FastEthernet0/2        unassigned      YES manual up                    up
FastEthernet0/3        unassigned      YES manual up                    up
FastEthernet0/4        unassigned      YES manual up                    up
FastEthernet0/5        unassigned      YES manual up                    up
FastEthernet0/6        unassigned      YES manual up                    up
FastEthernet0/7        unassigned      YES manual up                    up
FastEthernet0/8        unassigned      YES manual up                    up

Now we can see we are using ports 1-8, so let's lock down ports 9-24.

CODE
_____

Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#int range f0/9-24
Switch(config-if-range)#shut
______

You will see output from the switch like this:

%LINK-5-CHANGED: Interface FastEthernet0/9, changed state to administratively down

%LINK-5-CHANGED: Interface FastEthernet0/10, changed state to administratively down

Now let's disallow any MAC addresses that are not on the PCs that Bob owns. This applies to the ports that are in use (f0/1-8), not the ports we just shut down.

Code
____

Switch(config-if-range)#exit
Switch(config)#int range f0/1-8
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport port-security
Switch(config-if-range)#switchport port-security mac-address sticky
Switch(config-if-range)#

______

The sticky command records the MAC address currently seen on each interface as the only MAC address allowed to connect to that interface. Port security itself has to be turned on with switchport port-security first, and the switch only accepts it on a static access port, which is why the next step matters.

Now make all ports static access ports instead of dynamic access ports.

code

__

Switch(config-if-range)#switchport mode access
Switch(config-if-range)#

__

Now we will configure the interfaces so that if someone does put another device in the port, the port will shut down automatically, or go into what is called error-disabled (err-disabled) mode.

The below code disables the port if a different MAC address is detected on the interface, and limits the port to a single MAC address.

code

__

Switch(config-if-range)#switchport port-security violation shutdown
Switch(config-if-range)#switchport port-security maximum 1
Switch(config-if-range)#

__
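As an added example that is not part of the original post, here is a small Python script that automates the steps above: it parses the "sh ip int bri" output, treats up/up ports as Bob's in-use ports and everything else as idle, and emits the same IOS hardening (shut idle ports, lock live ports to their sticky MAC, err-disable on violation). The switch output is a constructed sample, and port-security is deliberately emitted after "switchport mode access" because a dynamic port rejects it.

```python
# Added example (not from the post): parse 'show ip interface brief', find the
# ports Bob is using and emit the same port-security hardening the post applies.
import re

# Constructed sample: 24-port switch, ports 1-8 up/up like Bob's, 9-24 idle.
SAMPLE_SH_IP_INT_BRI = "\n".join(
    ["Interface              IP-Address      OK? Method Status                Protocol"]
    + [f"FastEthernet0/{n:<9}unassigned      YES manual up                    up" for n in range(1, 9)]
    + [f"FastEthernet0/{n:<9}unassigned      YES manual down                  down" for n in range(9, 25)]
)
# Status can be two words ("administratively down"), so it is matched lazily.
LINE_RE = re.compile(r"^(?P<intf>\S+)\s+(?P<ip>\S+)\s+(?P<ok>\S+)\s+(?P<method>\S+)\s+"
                     r"(?P<status>.+?)\s+(?P<proto>\S+)\s*$")
PORT_KEY = lambda intf: int(intf.rsplit("/", 1)[1])  # sort f0/2 before f0/10

def parse_int_brief(output):
    """Return {interface: (status, protocol)} for each data row."""
    ports = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("intf") != "Interface":
            ports[m.group("intf")] = (m.group("status"), m.group("proto"))
    return ports

def in_use(ports):
    """Ports with a live link: these carry Bob's PCs and get locked to their MAC."""
    return sorted((i for i, sp in ports.items() if sp == ("up", "up")), key=PORT_KEY)

def unused(ports):
    """Every other port is an open attack vector and gets shut."""
    live = set(in_use(ports))
    return sorted((i for i in ports if i not in live), key=PORT_KEY)

def build_config(ports, max_macs=1):
    """IOS lines: shut idle ports; on live ports force static access mode first
    (port-security is rejected on a dynamic port), enable port-security, learn
    the current MAC as sticky and err-disable the port if any other MAC shows up."""
    lines = ["conf t"]
    for intf in unused(ports):
        lines += [f"interface {intf}", " shutdown"]
    for intf in in_use(ports):
        lines += [f"interface {intf}", " switchport mode access",
                  " switchport port-security",
                  f" switchport port-security maximum {max_macs}",
                  " switchport port-security mac-address sticky",
                  " switchport port-security violation shutdown"]
    lines.append("end")
    return lines
```

Run it against a pasted copy of your own "sh ip int bri" output and review the generated lines before pasting them into the switch; a port that is merely down at that moment (a PC switched off) will be treated as idle and shut.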

Let's look at what our config looks like now:

Switch#sh run
Building configuration…

Current configuration : 3095 bytes
!
version 12.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch
!
!
!
interface FastEthernet0/1
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0001.6364.A202
!
interface FastEthernet0/2
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0005.5ED2.059

We can now see that the only MAC address allowed to connect to f0/2 is 0005.5ED2.059.

Let's see what happens if another device with a different MAC address is used to connect to this port:

Switch#sh int f0/2
FastEthernet0/2 is down, line protocol is down (err-disabled)
Hardware is Lance, address is 0090.0cd8.0302 (bia 0090.0cd8.0302)
BW 100000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set

We can see that the port has shut itself down because a disallowed MAC address is connected to the port. Now Mr. Hacker gets no IP 🙁

Keep in mind that the port stays err-disabled even after the offending device is unplugged; an admin has to bring it back with shutdown followed by no shutdown on the interface (or configure errdisable recovery), so the violation is also a signal worth checking the switch logs for.

In this post I covered how we can restrict access to physical ports on Cisco switches that can be accessed by the public. This can also apply to networks such as a VoIP network where only phones are supposed to be attached to the switch; you would follow the above steps to accomplish this.

If you have any questions, comments or suggestions, please leave them!

Till then stay secure !

Applying a bogon access list in Cisco IOS

Hello all,

Here is a little snippet of information on the importance of applying an access list on your edge router to block the IP blocks that are listed on the bogon list.

What is the bogon list?

The bogon list is a list of IP subnets that are either invalid or non-routable IP blocks, such as 192.168.0.0, or IP blocks that have not been assigned.

It is important to block these IP blocks from accessing your network, as it eliminates the chance of a hacker spoofing his/her source IP address as an internal IP address. For instance, with nmap we can issue the following command to spoof our source IP address when scanning a target:

nmap -S 192.168.0.1 192.168.1.1 -e eth0 -PN

Now if you did not have an access list to block incoming traffic from this non-routable IP 192.168.0.1, the spoofed packet would be able to pass through your router.

Here is a current bogon list that can be copied and pasted into a Cisco IOS device.

Copy from below the line:

______

conf t

no access-list 101

access-list 101 deny ip 0.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 100.64.0.0 0.63.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.0.0.0 0.0.0.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 198.18.0.0 0.1.255.255 any
access-list 101 deny ip 198.51.100.0 0.0.0.255 any
access-list 101 deny ip 203.0.113.0 0.0.0.255 any
access-list 101 deny ip 224.0.0.0 31.255.255.255 any
access-list 101 permit ip any any

end

conf t
int f0/0
ip access-group 101 in
end

write

_______

The above access list will block all the IP blocks on the bogon list when applied inbound on the edge interface (f0/0 in the example; use your own outside interface). This small step should be a part of network security best practices for any sized network; it is simple to apply and can stop many types of attacks. Note that the bogon list changes over time as address space gets allocated, so refresh the list periodically rather than pasting it once and forgetting it.
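As an added example that is not part of the original post, here is a small Python script that parses the ACL above, converts each Cisco wildcard mask into a prefix, and evaluates candidate source addresses with the same first-match semantics IOS uses, so you can check what the filter does to the spoofed 192.168.0.1 source before applying it. The public address 93.184.216.34 is a constructed sample of normal traffic.

```python
# Added example (not from the post): parse the post's bogon ACL, turn each
# Cisco wildcard mask into a prefix, and evaluate sources with IOS first-match.
import ipaddress

BOGON_ACL = """\
access-list 101 deny ip 0.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 100.64.0.0 0.63.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.0.0.0 0.0.0.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 198.18.0.0 0.1.255.255 any
access-list 101 deny ip 198.51.100.0 0.0.0.255 any
access-list 101 deny ip 203.0.113.0 0.0.0.255 any
access-list 101 deny ip 224.0.0.0 31.255.255.255 any
access-list 101 permit ip any any
"""

def wildcard_to_network(addr, wildcard):
    """Cisco wildcard: 0 bits must match, 1 bits are don't-care.
    Inverting it gives the netmask; ipaddress validates that it is contiguous."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def parse_acl(text):
    """Return [(action, source_network)] in ACL order; 'any' becomes 0.0.0.0/0."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "access-list":
            continue
        action, src = parts[2], parts[4]
        if src == "any":
            net = ipaddress.IPv4Network("0.0.0.0/0")
        else:
            net = wildcard_to_network(src, parts[5])
        entries.append((action, net))
    return entries

def acl_action(entries, src_ip):
    """First matching entry wins; an ACL with no match denies implicitly."""
    ip = ipaddress.IPv4Address(src_ip)
    for action, net in entries:
        if ip in net:
            return action
    return "deny"

ACL = parse_acl(BOGON_ACL)
```

Calling acl_action(ACL, "192.168.0.1") returns "deny", which is the nmap spoofed source from above being dropped at the edge, while the constructed public address returns "permit".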

Till next time stay secure !

Sean Mancini

Recent Presentation on Systems and Network Security

Hello Everyone,

So lately I've been busy focusing on Wi-Fi security. I plan on doing a series of posts on the subject very soon.

I wanted to share a presentation that I put together while attending a course at Sheridan College here in Ontario. The subject of the class was Linux administration, and I was asked to present about network security and some best practices that we should all follow in any environment.

Network Security Presentation Google Doc

The presentation is not extensive due to the time constraints that I had for the presentation, and I will post a video of the demo I did at a later time.

Please let me know what you all think,

and of course all suggestions are welcome.

Till next time

Stay secure !

About me

Hello everyone

My name is Sean Mancini

I currently work as a network specialist at a major communications provider in Ontario, Canada.
I hold a diploma in Network and Internet Security.
I have attended continuing education programs in the network security field,
as well as years of self-learning.

My goal for my blog is to provide information on how to secure your network,
and I hope to provide information to both home users and businesses to better understand
what network security is all about.

I hope you all enjoy the content of this site, and please pardon any grammar errors.
Grammar is not my strong point lol

If you would like to contact me, do so by leaving a comment or through the blog.

You can follow me on Twitter @mancinitech

If you have any suggestions or need a question answered, please leave a comment!

Thanks everyone for taking the time to read my blog.

Sean Mancini

“You can't be a white hat before you learn the black hat ways”