
Re: Just say no to VLANS: msg#00082

security.wireless

Subject: Re: Just say no to VLANS

On Friday 25 May 2007 at 19:02 +0530, saudi sans wrote:
> What are the steps to be done on the switch to secure it ?

First, you may want to refer to these two documents for further details
and command reference:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml
http://www.cisco.com/en/US/products/hw/switches/ps663/products_tech_note09186a0080094713.shtml

Now, what you need to do:

1. Don't use VLAN 1, for any station port or 802.1q port (trunk). VLAN 1
is for administrative protocols and purposes, use it only for this.
This will allow you to restrict switch configuration interface access
as well to this sole VLAN.
2. Set DTP (default: auto) to Off for station ports and Nonegotiate for
802.1q ports. This will prevent DTP frames from being sent on the network
and port mode modification.
3. Use a dedicated VLAN number as native VLAN for 802.1q ports.

Now, VLAN hopping techniques are of two kinds. The first relies on DTP to
change a station port into a trunk and access more VLANs. Measure 2 blocks
this attack. The second one consists of sending frames with two 802.1q
headers. Measures 2 and 3 block this attack, making it impossible for a
station to send 802.1q traffic.

Use the same constraints in your AP. No VLAN 1, dedicated VLAN number as
native VLAN for trunk.

In addition to this, I would deactivate VTP if not used, as well as STP.


To go a bit deeper into your setup, as you plan to use 802.1x
authentication, you could take advantage of "guest mode", which allows a
non-authenticating user to be associated with a guest VLAN, while
authenticated users are placed in a different one(s). This allows you to have
only one SSID available. However, the guest VLAN would be open.
Or you can use authentication-based VLAN assignment. Your users will be
associated with one specific VLAN when authenticated, and a specific
group, guests, will be assigned another one.


--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
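A small audit script, added here as an example and not part of the post above or of the Cisco documents it links to, that checks an IOS-style running-config excerpt against measures 1 to 3: ports left with DTP at its dynamic default, station ports in VLAN 1, and 802.1q trunks with native VLAN 1 or without `switchport nonegotiate`. The config text is constructed for the example, and the interface-name filter (GigabitEthernet/FastEthernet) is an assumption about the naming in use.

```python
# Constructed excerpt (not a real switch): Gi0/1, Gi0/2, Gi0/24 keep weak defaults
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
interface GigabitEthernet0/2
 switchport mode access
interface GigabitEthernet0/3
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
interface GigabitEthernet0/23
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
interface GigabitEthernet0/24
 switchport mode trunk
"""

def parse_interfaces(config):
    """Map each 'interface X' block to its indented config lines."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif not line.startswith(" "):
            current = None  # "!" or a global command ends the block
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks

def audit(config):
    """Return (interface, finding) pairs for ports violating measures 1-3."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if not name.lower().startswith(("gigabitethernet", "fastethernet")):
            continue  # SVIs, port-channels etc. are out of scope here
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        if mode in (None, "dynamic"):  # IOS default negotiates via DTP, may become a trunk
            findings.append((name, "DTP at default, set switchport mode access or trunk"))
        elif mode == "access":
            vlan = next((l.split()[3] for l in lines if l.startswith("switchport access vlan ")), "1")
            if vlan == "1":  # default access VLAN when none is configured
                findings.append((name, "station port in VLAN 1"))
        elif mode == "trunk":
            native = next((l.split()[4] for l in lines if l.startswith("switchport trunk native vlan ")), "1")
            if native == "1":
                findings.append((name, "native VLAN is 1, use a dedicated native VLAN"))
            if "switchport nonegotiate" not in lines:
                findings.append((name, "trunk still sends DTP, add switchport nonegotiate"))
    return findings
```

Run it against `show running-config` output saved to a file; an empty result means every physical port follows the three measures.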