CHAPTER 6: Infrastructure Security
Hardening Network Devices — Cisco IOS
Management Plane Hardening:
```ios
! Use SSH v2 and disable Telnet
! (SSH needs a hostname, ip domain-name and an RSA key pair generated first)
ip ssh version 2
line vty 0 15
 transport input ssh
 login local
 ! Idle timeout: 10 minutes, 0 seconds
 exec-timeout 10 0
! Hashed enable password (enable secret, never enable password)
enable secret <strong_password>
! Obfuscates the remaining plaintext passwords in the config (type 7, reversible)
service password-encryption
! Disable unused services
no ip http server
! Only if web management is not used
no ip http secure-server
! Only if CDP is not needed
no cdp run
no ip finger
no ip source-route
! Login banner
banner motd ^
UNAUTHORIZED ACCESS PROHIBITED
^
```
Control Plane Policing (CoPP):
Rate-limits traffic destined to the CPU of the router/switch.
Prevents CPU exhaustion attacks (SYN flood, ICMP flood targeting the control plane).
```ios
! CoPP policy example; COPP-ICMP and COPP-ROUTING are named ACLs you define to match that traffic
class-map match-all ICMP-CLASS
 match access-group name COPP-ICMP
class-map match-all ROUTING-PROTOCOLS
 match access-group name COPP-ROUTING
policy-map CONTROL-PLANE-POLICY
 class ICMP-CLASS
  police rate 64000 bps
 class ROUTING-PROTOCOLS
  police rate 1000000 bps
 class class-default
  police rate 128000 bps
! Apply the policy to traffic entering the control plane
control-plane
 service-policy input CONTROL-PLANE-POLICY
```
Data Plane Hardening:
DHCP Snooping:
```ios
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Uplink toward the legitimate DHCP server = trusted; access ports stay untrusted
interface gi0/1
 ip dhcp snooping trust
```
Only allows DHCP offers from trusted ports. Prevents rogue DHCP servers.
Dynamic ARP Inspection (DAI):
```ios
ip arp inspection vlan 10,20
! Trust the uplink so ARP from upstream devices is not checked against the binding table
interface gi0/1
 ip arp inspection trust
```
Prevents ARP poisoning by validating ARP packets against the DHCP snooping binding table.
IP Source Guard:
Validates IP packets against the DHCP snooping binding table. Prevents IP spoofing from hosts.
uRPF (Unicast Reverse Path Forwarding):
```ios
interface gi0/0
 ! Strict mode (rx): the source must be reachable via this interface; loose mode is reachable-via any
 ip verify unicast source reachable-via rx
```
Drops packets whose source IP has no valid return path. Prevents IP spoofing.
Port Security:
```ios
interface fa0/1
 ! Port security requires an access port and must be enabled explicitly
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
```
SNMPv3 — Why It Matters
SNMPv1/v2c: Community string plaintext. Easy to sniff.
SNMPv3: Authentication + Encryption.
Security Levels:
- noAuthNoPriv: no authentication, no encryption. Used with SNMP v1/v2 communities.
- authNoPriv: authentication (MD5 or SHA), no encryption.
- authPriv: authentication + encryption (DES or AES). ← Use this one.
```ios
snmp-server group ADMIN-GROUP v3 priv
snmp-server user admin ADMIN-GROUP v3 auth sha <auth-pass> priv aes 128 <priv-pass>
```
#InfrastructureSecurity #CiscoFirepower #NGFW #IPS #AMP