
CHAPTER 1

BASIC SWITCH CONFIGURATION

Telkom University
School of Industrial Engineering
System Information Program
2024
CHAPTER 2
2.0 Introduction
2.1 Basic Switch Configuration
2.2 Switch Security: Management and Implementation
CHAPTER 2: OBJECTIVES
After studying this chapter, students should be able to:
• Describe the boot sequence and LED indicators of a Cisco switch.
• Configure initial settings on a Cisco switch.
• Configure switch ports to meet network requirements.
• Configure the management switch virtual interface.
• Describe basic security attacks in a switched environment.
• Describe security best practices in a switched environment.
• Configure the port security feature to restrict network access.
BASIC SWITCH CONFIGURATION

SWITCH BOOT SEQUENCE

1. Power-on self test (POST).
2. Run the boot loader software.
3. The boot loader performs low-level CPU initialization.
4. The boot loader initializes the flash file system.
5. The boot loader locates and loads a default IOS operating system software
image into memory and passes control of the switch over to the IOS.
BASIC SWITCH CONFIGURATION

SWITCH LED INDICATORS

• Each port on a Cisco Catalyst switch has a status indicator LED.
• By default, the LEDs indicate port activity, but they can also provide
other information about the switch, selected with the Mode button.
• The following LED modes are available on the Cisco Catalyst 2960 switch:
  • System LED
  • Redundant Power System (RPS) LED
  • Port Status LED
  • Port Duplex LED
  • Port Speed LED
  • Power over Ethernet (PoE) Mode LED
BASIC SWITCH CONFIGURATION

CISCO CATALYST 2960 SWITCH MODES


BASIC SWITCH CONFIGURATION

PREPARING FOR BASIC SWITCH MANAGEMENT

• For remote management, the switch can be configured over the network.
• An IP address and subnet mask must be configured.
• If the switch is managed from a different network, a default gateway must
also be configured.
• The IP information (address, subnet mask, gateway) is configured on the
switch virtual interface (SVI).
• Although these IP settings allow remote management of the switch, they do
not allow the switch to route Layer 3 packets; it remains a Layer 2 device.
BASIC SWITCH CONFIGURATION

PREPARING FOR BASIC SWITCH MANAGEMENT (CONT.)
BASIC SWITCH CONFIGURATION

PREPARING FOR BASIC SWITCH MANAGEMENT (CONT.)
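The configuration the steps above describe, shown as an added example (it is not from the original slides). Assumed values: the switch is named S1, the management VLAN is 99, the SVI address is 192.168.99.2/24, the default gateway is 192.168.99.1, and FastEthernet 0/24 is the port that connects toward the management network.

```cisco
! Added example, not from the original slides. All addresses, VLAN and port numbers are assumptions.
Switch> enable
Switch# configure terminal
Switch(config)# hostname S1
! Create the management VLAN and give it a name.
S1(config)# vlan 99
S1(config-vlan)# name Management
S1(config-vlan)# exit
! The SVI carries the switch's own management IP address.
S1(config)# interface vlan 99
S1(config-if)# ip address 192.168.99.2 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# exit
! The SVI's line protocol only comes up once at least one physical port in VLAN 99 is up.
S1(config)# interface fastethernet 0/24
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 99
S1(config-if)# exit
! Needed only when the management station sits on another subnet.
S1(config)# ip default-gateway 192.168.99.1
S1(config)# end
! Persist the configuration, then verify.
S1# copy running-config startup-config
S1# show ip interface brief
S1# show running-config interface vlan 99
```

In `show ip interface brief`, Vlan99 should show "up/up"; "up/down" means no active port is a member of VLAN 99 yet. The IP settings only make the switch reachable for management; they do not make it forward traffic between subnets.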
CONFIGURING SWITCH PORTS

TYPES OF COMMUNICATION (DUPLEX)
CONFIGURING SWITCH PORTS

CONFIGURING SWITCH PORTS AT THE PHYSICAL LAYER


CONFIGURING SWITCH PORTS

THE AUTO-MDIX FEATURE

• Historically, a specific cable type (straight-through or crossover) was
required to connect two devices.
• The automatic medium-dependent interface crossover (auto-MDIX) feature
eliminates this problem.
• When auto-MDIX is enabled, the interface automatically detects the cable
type and configures itself accordingly.
• When enabling auto-MDIX on an interface, the interface speed and duplex
must be set to auto.
CONFIGURING SWITCH PORTS

THE AUTO-MDIX FEATURE (CONT.)


CONFIGURING SWITCH PORTS

THE AUTO-MDIX FEATURE (CONT.)


CONFIGURING SWITCH PORTS

VERIFYING SWITCH PORT CONFIGURATION
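Physical-layer port configuration and its verification, as an added example (not from the original slides). It assumes the switch is named S1 and that FastEthernet 0/1 is an access port facing a PC.

```cisco
! Added example, not from the original slides. Hostname and port are assumptions.
S1# configure terminal
S1(config)# interface fastethernet 0/1
S1(config-if)# description Access port - user PC
! auto-MDIX only works while speed and duplex are negotiated; forcing either one disables it.
S1(config-if)# duplex auto
S1(config-if)# speed auto
S1(config-if)# mdix auto
S1(config-if)# end
! Verification: negotiated speed/duplex, link state and error counters.
S1# show interfaces fastethernet 0/1
S1# show interfaces fastethernet 0/1 status
! Confirms whether auto-MDIX is on for the port.
S1# show controllers ethernet-controller fastethernet 0/1 phy | include MDIX
! Shows exactly what is configured (defaults such as mdix auto are not displayed).
S1# show running-config interface fastethernet 0/1
```

In `show interfaces`, a duplex mismatch typically shows up as late collisions on the half-duplex side, while bad cabling shows up as CRC and input errors; `show interfaces status` confirms the negotiated speed ("a-100") and duplex ("a-full").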


CONFIGURING SWITCH PORTS

NETWORK ACCESS LAYER ISSUES


CONFIGURING SWITCH PORTS

NETWORK ACCESS LAYER ISSUES (CONT.)


CONFIGURING SWITCH PORTS

TROUBLESHOOTING SWITCH MEDIA (CONNECTION) ISSUES
SECURE REMOTE ACCESS

SSH OPERATION
• Secure Shell (SSH) is a protocol that provides a secure (encrypted),
command-line based connection to a remote device.
• SSH is commonly used on UNIX-based systems.
• The Cisco IOS software also supports SSH.
• A version of the IOS software that includes cryptographic (encryption)
features and capabilities (a "k9" image) is required to enable SSH on
Catalyst 2960 switches.
• Because of its strong encryption features, SSH should replace Telnet for
management connections: Telnet sends credentials and the whole session in
cleartext.
• SSH uses TCP port 22 by default. Telnet uses TCP port 23.
SECURE REMOTE ACCESS

SSH OPERATION (CONT.)


SECURE REMOTE ACCESS

CONFIGURING SSH
SECURE REMOTE ACCESS

VERIFYING SSH
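Configuring and verifying SSH on a switch, as an added example (not from the original slides). Assumed values: hostname S1, domain name example.com, a local administrator account named admin, and an IOS image with cryptographic features.

```cisco
! Added example, not from the original slides. Hostname, domain, user and password are assumptions.
S1# configure terminal
! The RSA key pair is named <hostname>.<domain>, so both must be set first.
S1(config)# ip domain-name example.com
! Requires a k9 (cryptographic) image. 2048 bits is the practical minimum today.
S1(config)# crypto key generate rsa general-keys modulus 2048
! Only allow SSH version 2; version 1 has known weaknesses.
S1(config)# ip ssh version 2
S1(config)# ip ssh time-out 60
S1(config)# ip ssh authentication-retries 2
! Local account with a hashed secret. Never use "password" here: type 7 storage is reversible.
S1(config)# username admin privilege 15 secret S3cure!Pass-2024
! Accept SSH only (this also disables Telnet) and authenticate against the local database.
S1(config)# line vty 0 15
S1(config-line)# transport input ssh
S1(config-line)# login local
S1(config-line)# exec-timeout 5 0
S1(config-line)# exit
S1(config)# end
! Verify: version, timeout and retries; then any active sessions.
S1# show ip ssh
S1# show ssh
```

`show ip ssh` should report "SSH Enabled - version 2.0". From a workstation, `ssh -l admin 192.168.99.2` (the management SVI address from the earlier assumption) should prompt for the password, and a Telnet attempt to port 23 should now be refused.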
SECURITY CONCERNS IN LANS

MAC ADDRESS FLOODING

• Switches automatically populate their CAM tables by watching the source
MAC addresses of traffic entering their ports.
• A switch forwards a frame out all ports (except the one it arrived on) if
it cannot find the destination MAC address in its CAM table.
• Under such circumstances, the switch acts as a hub: unicast traffic can be
seen by all devices connected to the switch.
• An attacker could exploit this behavior to gain access to traffic normally
controlled by the switch by using a PC to run a MAC flooding tool.
• Such a tool is a program created to generate and send out frames with
bogus source MAC addresses to the switch port.
• As these frames reach the switch, it adds each bogus MAC address to its
CAM table, taking note of the port the frames arrived on.
SECURITY CONCERNS IN LANS

MAC ADDRESS FLOODING (CONT.)

• Eventually the CAM table fills up with bogus MAC addresses.
• The CAM table now has no room for the legitimate devices present in the
network, so the switch never finds their MAC addresses in the CAM table.
• All frames are now forwarded out all ports, allowing the attacker to
capture traffic destined for other hosts.
SECURITY CONCERNS IN LANS

MAC ADDRESS FLOODING (CONT.)


An attacker flooding the CAM table with bogus entries.
SECURITY CONCERNS IN LANS

MAC ADDRESS FLOODING (CONT.)


The switch now behaves as a hub.
SECURITY CONCERNS IN LANS

DHCP SPOOFING
• DHCP is a network protocol used to automatically assign IP information.
• Two types of DHCP attacks are:
  • DHCP spoofing
  • DHCP starvation
• In a DHCP spoofing attack, a rogue DHCP server is placed in the network to
issue IP information to clients. Because the rogue server chooses the
default gateway and DNS server it hands out, it can steer the clients'
traffic through the attacker.
• DHCP starvation (exhausting the legitimate server's address pool with
requests from bogus MAC addresses) is often used before a DHCP spoofing
attack to deny service to the legitimate DHCP server, so that clients
accept the rogue server's offers.
SECURITY CONCERNS IN LANS

DHCP SPOOF ATTACK


SECURITY CONCERNS IN LANS

LEVERAGING CISCO DISCOVERY PROTOCOL

• The Cisco Discovery Protocol (CDP) is a Layer 2 Cisco proprietary
protocol used to discover other directly connected Cisco devices.
• CDP is designed to allow the devices to auto-configure their connections.
• CDP messages are sent unencrypted and unauthenticated, so an attacker
listening to them can learn important information about the device, such as
its model, running software version and IP address.
Note: Cisco recommends disabling CDP when not in use.
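Two ways to act on that recommendation, as an added example (not from the original slides). Assumptions: hostname S1, FastEthernet 0/1 to 0/23 are user-facing ports, GigabitEthernet 0/1 is the uplink to another Cisco device.

```cisco
! Added example, not from the original slides. Hostname and port roles are assumptions.
S1# configure terminal
! Option 1: turn CDP off on the whole switch. Simplest, but breaks features that depend on it
! (for example Cisco IP phones learn their voice VLAN through CDP).
S1(config)# no cdp run
! Option 2 (usual compromise): keep CDP running, but stop advertising on user-facing ports
! so an attacker plugged into an access port learns nothing; the uplink keeps CDP.
S1(config)# cdp run
S1(config)# interface range fastethernet 0/1 - 23
S1(config-if-range)# no cdp enable
S1(config-if-range)# end
! Verify: which interfaces still send CDP, and what a neighbor can learn about us.
S1# show cdp interface
S1# show cdp neighbors detail
```

`show cdp interface` should list only GigabitEthernet0/1; `show cdp neighbors detail` shows exactly the platform, IOS version and address information an attacker would see on any port that still has CDP enabled.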
SECURITY CONCERNS IN LANS

LEVERAGING TELNET
• The Telnet protocol is insecure (it carries credentials and session data
in cleartext) and should be replaced by SSH.
• An attacker can use Telnet as part of other attacks:
  • Brute force password attack
  • Telnet DoS attack
• When passwords cannot be captured, attackers try as many combinations of
characters as possible. This attempt to guess the password is known as a
brute force password attack.
• Telnet can be used to test each guessed password against the system.
SECURITY CONCERNS IN LANS

LEVERAGING TELNET (CONT.)

• In a Telnet DoS attack, the attacker exploits a flaw in the Telnet server
software running on the switch that renders the Telnet service
unavailable.
• This sort of attack prevents an administrator from remotely accessing
switch management functions.
• It can be combined with other direct attacks on the network as part of a
coordinated attempt to prevent the network administrator from accessing
core devices during the breach.
• Vulnerabilities in the Telnet service that permit DoS attacks are usually
addressed in security patches included in newer Cisco IOS revisions, which
is one more reason to keep the IOS image current.
SECURITY BEST PRACTICES

10 BEST PRACTICES
• Develop a written security policy for the organization.
• Shut down unused services and ports.
• Use strong passwords and change them often.
• Control physical access to devices.
• Use HTTPS instead of HTTP.
• Perform backup operations on a regular basis.
• Educate employees about social engineering attacks.
• Encrypt and password-protect sensitive data.
• Implement firewalls.
• Keep software up-to-date.
SECURITY BEST PRACTICES

NETWORK SECURITY TOOLS: OPTIONS

• Network security tools are important to network administrators.
• They allow an administrator to test the strength of the security measures
implemented.
• An administrator can launch an attack against the network and analyze the
results, and then determine how to adjust security policies to mitigate
those types of attacks.
• Security auditing and penetration testing are two basic functions that
network security tools perform.
SECURITY BEST PRACTICES

NETWORK SECURITY TOOLS: AUDITS

• Network security tools can be used to audit the network.
• By monitoring the network, an administrator can assess what type of
information an attacker would be able to gather. For example, by attacking
and flooding the CAM table of a switch, an administrator learns which switch
ports are vulnerable to MAC flooding and can correct the issue.
• Network security tools can also be used as penetration test tools.
Penetration testing is a simulated attack and helps to determine how
vulnerable the network is under a real attack.
• Weaknesses in the configuration of networking devices can be identified
from penetration test results.
• Changes can then be made to make the devices more resilient to attacks.
• Such tests can damage the network and should be carried out under very
controlled conditions.
• An offline test bed network that mimics the actual production network is
ideal.
SWITCH PORT SECURITY

SECURE UNUSED PORTS


Disabling unused ports is a simple yet effective security guideline: a port
that is administratively shut down cannot be used by anyone who gains
physical access to it.
SWITCH PORT SECURITY

DHCP SNOOPING
DHCP snooping specifies which switch ports are allowed to respond to DHCP
requests: DHCP server messages (OFFER, ACK) arriving on an untrusted port are
dropped, so only ports marked as trusted (the uplinks toward the legitimate
server) can deliver leases.
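The two access-port hardening steps above (shutting down unused ports, then DHCP snooping) in one configuration, as an added example that is not from the original slides. Assumptions: hostname S1, user VLAN 10, FastEthernet 0/1 to 0/12 in use, FastEthernet 0/13 to 0/24 unused, and GigabitEthernet 0/1 as the uplink toward the legitimate DHCP server.

```cisco
! Added example, not from the original slides. VLAN and port roles are assumptions.
S1# configure terminal
! 1. Unused ports: force access mode (no DTP negotiation) and shut them down.
S1(config)# interface range fastethernet 0/13 - 24
S1(config-if-range)# switchport mode access
S1(config-if-range)# shutdown
S1(config-if-range)# exit
! 2. DHCP snooping: enable globally, then on the VLAN(s) to protect.
S1(config)# ip dhcp snooping
S1(config)# ip dhcp snooping vlan 10
! If the upstream DHCP server rejects relayed requests that carry option 82, add:
!   no ip dhcp snooping information option
! Only the uplink toward the real server is trusted; OFFER/ACK from any other port is dropped.
S1(config)# interface gigabitethernet 0/1
S1(config-if)# ip dhcp snooping trust
S1(config-if)# exit
! Rate-limit DHCP on user ports to blunt starvation attacks; a normal PC needs only a few
! DHCP packets per second. Exceeding the limit err-disables the port.
S1(config)# interface range fastethernet 0/1 - 12
S1(config-if-range)# ip dhcp snooping limit rate 6
S1(config-if-range)# end
! Verify: snooping state and trusted ports, the lease bindings learned, and which ports are down.
S1# show ip dhcp snooping
S1# show ip dhcp snooping binding
S1# show interfaces status | include disabled
```

`show ip dhcp snooping binding` lists the MAC, IP, lease time, VLAN and port of every client lease the switch has observed; this table is what later features such as Dynamic ARP Inspection build on.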
SWITCH PORT SECURITY

PORT SECURITY: OPERATION

• Port security limits the number of valid MAC addresses allowed on a
port.
• The MAC addresses of legitimate devices are allowed access, while other
MAC addresses are denied.
• Any additional attempt to connect by an unknown MAC address generates a
security violation.
• Secure MAC addresses can be configured in a number of ways:
  • Static secure MAC addresses (entered manually in the configuration)
  • Dynamic secure MAC addresses (learned, and lost when the switch
reloads)
  • Sticky secure MAC addresses (learned dynamically and written to the
running configuration)
SWITCH PORT SECURITY

PORT SECURITY: VIOLATION MODES

• IOS considers it a security violation when either of these situations
occurs:
  • The maximum number of secure MAC addresses for that interface has
been added to the CAM table, and a station whose MAC address is not in
the address table attempts to access the interface.
  • An address learned or configured on one secure interface is seen on
another secure interface in the same VLAN.
• There are three possible actions to take when a violation is detected:
  • Protect: frames from unknown source addresses are dropped silently; no
notification is generated.
  • Restrict: frames from unknown source addresses are dropped, the
violation counter is incremented, and a syslog message and SNMP trap are
sent.
  • Shutdown (the default): the interface is placed in the error-disabled
state immediately, and a syslog message and SNMP trap are sent.
SWITCH PORT SECURITY

DYNAMIC PORT SECURITY DEFAULTS


SWITCH PORT SECURITY

CONFIGURING DYNAMIC PORT SECURITY


SWITCH PORT SECURITY

CONFIGURING PORT SECURITY STICKY


SWITCH PORT SECURITY

VERIFYING PORT SECURITY STICKY


SWITCH PORT SECURITY

VERIFYING PORT SECURITY STICKY – RUNNING CONFIGURATION
SWITCH PORT SECURITY

VERIFYING PORT SECURITY – SECURE MAC ADDRESSES


SWITCH PORT SECURITY

PORTS IN ERROR DISABLED STATE

• A port security violation (in shutdown mode) puts the switch port in the
error-disabled state.
• A port in the error-disabled state is effectively shut down: it forwards
no traffic.
• The switch reports these events through console (syslog) messages.
SWITCH PORT SECURITY

PORTS IN ERROR DISABLED STATE (CONT.)

The show interfaces command also reveals a switch port in the
error-disabled state.
SWITCH PORT SECURITY

PORTS IN ERROR DISABLED STATE (CONT.)

A shutdown followed by a no shutdown interface configuration mode command
must be issued to re-enable the port, after the cause of the violation has
been removed; otherwise the port is err-disabled again immediately.
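The whole port security procedure from the slides above (configuration with sticky learning, verification, and recovery of an err-disabled port), as an added example that is not from the original slides. It also shows the countermeasure to the MAC flooding attack described earlier. Assumptions: hostname S1, and FastEthernet 0/1 is a user port where one PC sits behind a small desk phone, so two MAC addresses are expected.

```cisco
! Added example, not from the original slides. Hostname, port and maximum are assumptions.
S1# configure terminal
S1(config)# interface fastethernet 0/1
! Port security is rejected on a dynamic (DTP) port; the port must be static access or trunk.
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
! Two addresses allowed: the phone and the PC behind it. A flooding tool's bogus addresses
! are the third address onward and trigger a violation instead of filling the CAM table.
S1(config-if)# switchport port-security maximum 2
! Sticky: learned addresses are written to the running-config; save it to keep them across reloads.
S1(config-if)# switchport port-security mac-address sticky
! Shutdown is the default; restrict would drop and log without disabling the port.
S1(config-if)# switchport port-security violation shutdown
S1(config-if)# exit
! Optional: automatically re-enable ports err-disabled by a port-security violation after 5 minutes.
S1(config)# errdisable recovery cause psecure-violation
S1(config)# errdisable recovery interval 300
S1(config)# end
S1# copy running-config startup-config
! Verify: status, violation mode, counters, learned addresses; sticky entries in the config.
S1# show port-security interface fastethernet 0/1
S1# show port-security address
S1# show running-config interface fastethernet 0/1
! Manual recovery after a violation (unplug the offending device first).
S1# configure terminal
S1(config)# interface fastethernet 0/1
S1(config-if)# shutdown
S1(config-if)# no shutdown
S1(config-if)# end
S1# show interfaces fastethernet 0/1 status
S1# show errdisable recovery
```

In `show port-security interface`, "Port Status: Secure-shutdown" together with a non-zero "Security Violation Count" and the "Last Source Address:Vlan" field identify both the event and the MAC address that caused it; once the port is recovered the status returns to "Secure-up".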
SWITCH PORT SECURITY

NETWORK TIME PROTOCOL

• The Network Time Protocol (NTP) is used to synchronize the clocks of
computer systems over data networks.
• NTP can get the correct time from an internal or external time source.
• Time sources can be:
  • Local master clock
  • Master clock on the Internet
  • GPS or atomic clock
• A network device can be configured as either an NTP server or an NTP
client.
• Synchronized time matters for security: syslog entries from different
devices can only be correlated during incident response if their timestamps
agree.
SWITCH PORT SECURITY

CONFIGURING NTP
SWITCH PORT SECURITY

VERIFYING NTP
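Configuring and verifying NTP as a client, with authentication so the switch only accepts time from the intended server, as an added example that is not from the original slides. Assumptions: hostname S1, NTP server 192.168.99.1, key id 1 with key string NtpK3y (which must match on the server), and the WIB time zone (UTC+7).

```cisco
! Added example, not from the original slides. Server address, key and time zone are assumptions.
S1# configure terminal
! Authentication: the switch ignores time from any server whose packets are not signed with a trusted key.
S1(config)# ntp authenticate
S1(config)# ntp authentication-key 1 md5 NtpK3y
S1(config)# ntp trusted-key 1
S1(config)# ntp server 192.168.99.1 key 1
! Local time zone so operators read logs in local time; NTP itself always runs in UTC.
S1(config)# clock timezone WIB 7
! Stamp every log and debug message with date, time (ms) and zone.
S1(config)# service timestamps log datetime msec localtime show-timezone
S1(config)# service timestamps debug datetime msec localtime show-timezone
! On the device that should act as the NTP server for the others (typically the gateway router),
! the equivalent command would be:  ntp master 3
S1(config)# end
! Verify: synchronization state and stratum, the association with the server, and the resulting clock.
S1# show ntp status
S1# show ntp associations detail
S1# show clock detail
```

`show ntp status` should eventually report "Clock is synchronized"; synchronization takes several polling intervals, so "unsynchronized" right after configuration is normal. In `show ntp associations detail`, "authenticated" confirms that the key matched.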
CHAPTER 2: SUMMARY
In this chapter, you learned:
• Cisco LAN switch boot sequence.
• Cisco LAN switch LED modes.
• How to remotely access and manage a Cisco LAN switch through a secure
connection.
• Cisco LAN switch port duplex modes.
• Cisco LAN switch port security, violation modes, and actions.
• Best practices for switched networks.
CLOSING

There is no such thing as TOO LATE in this life.

It is better to TRY than not at all.

Building TRUST is easier than regaining that TRUST once it is lost.

04/19/2024
THANK YOU

Thank you very much for your kind attention
