Cisco Sg3008 Manual
Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version)
Chapter 18: Security

•Storm Control Mode—Select one of the modes:
-Unknown Unicast, Multicast & Broadcast—Counts unknown Unicast, Broadcast, and Multicast traffic towards the bandwidth threshold.
-Multicast & Broadcast—Counts Broadcast and Multicast traffic towards the bandwidth threshold.
-Broadcast Only—Counts only Broadcast traffic towards the bandwidth threshold.
STEP 4 Click Apply. Storm control is modified, and the Running Configuration file is updated.

Configuring Port Security

Network security can be increased by limiting access on a port to users with specific MAC addresses. The MAC addresses can be either dynamically learned or statically configured. Port security monitors received and learned packets. Access to locked ports is limited to users with specific MAC addresses.

Port Security has four modes:
•Classic Lock—All learned MAC addresses on the port are locked, and the port does not learn any new MAC addresses. The learned addresses are not subject to aging or re-learning.
•Limited Dynamic Lock—The device learns MAC addresses up to the configured limit of allowed addresses. After the limit is reached, the device does not learn additional addresses. In this mode, the addresses are subject to aging and re-learning.
•Secure Permanent—Keeps the current dynamic MAC addresses associated with the port and learns up to the maximum number of addresses allowed on the port (set by Max No. of Addresses Allowed). Relearning and aging are disabled.
•Secure Delete on Reset—Deletes the current dynamic MAC addresses associated with the port after reset. New MAC addresses can be learned as Delete-On-Reset ones up to the maximum addresses allowed on the port. Relearning and aging are disabled.
When a frame from a new MAC address is detected on a port where it is not authorized (the port is classically locked, and there is a new MAC address, or the port is dynamically locked, and the maximum number of allowed addresses has been exceeded), the protection mechanism is invoked, and one of the following actions can take place:
•Frame is discarded
•Frame is forwarded
•Port is shut down

When the secure MAC address is seen on another port, the frame is forwarded, but the MAC address is not learned on that port. In addition to one of these actions, you can also generate traps, and limit their frequency and number to avoid overloading the devices.

NOTE To use 802.1X on a port, it must be in multiple host or multi session mode. Port security on a port cannot be set if the port is in single mode (see the 802.1x, Host and Session Authentication page).

To configure port security:
STEP 1 Click Security > Port Security.
STEP 2 Select an interface to be modified, and click Edit.
STEP 3 Enter the parameters.
•Interface—Select the interface name.
•Interface Status—Select to lock the port.
•Learning Mode—Select the type of port locking. To configure this field, the Interface Status must be unlocked. The Learning Mode field is enabled only if the Interface Status field is locked. To change the Learning Mode, the Lock Interface must be cleared. After the mode is changed, the Lock Interface can be reinstated. The options are:
-Classic Lock—Locks the port immediately, regardless of the number of addresses that have already been learned.
-Limited Dynamic Lock—Locks the port by deleting the current dynamic MAC addresses associated with the port. The port learns up to the maximum addresses allowed on the port. Both re-learning and aging of MAC addresses are enabled.
-Secure Permanent—Keeps the current dynamic MAC addresses associated with the port and learns up to the maximum number of addresses allowed on the port (set by Max No. of Addresses Allowed). Relearning and aging are enabled.
-Secure Delete on Reset—Deletes the current dynamic MAC addresses associated with the port after reset. New MAC addresses can be learned as Delete-On-Reset ones up to the maximum addresses allowed on the port. Relearning and aging are disabled.
•Max No. of Addresses Allowed—Enter the maximum number of MAC addresses that can be learned on the port if Limited Dynamic Lock learning mode is selected. The number 0 indicates that only static addresses are supported on the interface.
•Action on Violation—Select an action to be applied to packets arriving on a locked port. The options are:
-Discard—Discards packets from any unlearned source.
-Forward—Forwards packets from an unknown source without learning the MAC address.
-Shutdown—Discards packets from any unlearned source, and shuts down the port. The port remains shut down until reactivated, or until the device is rebooted.
•Trap—Select to enable traps when a packet is received on a locked port. This is relevant for lock violations. For Classic Lock, this is any new address received. For Limited Dynamic Lock, this is any new address that exceeds the number of allowed addresses.
•Trap Frequency—Enter the minimum time (in seconds) that elapses between traps.
STEP 4 Click Apply. Port security is modified, and the Running Configuration file is updated.

802.1X

See the Security: 802.1X Authentication chapter for information about 802.1X authentication. This includes MAC-based and web-based authentication.
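The port security behaviour described above (Classic Lock versus Limited Dynamic Lock, the Action on Violation choices, and rate-limited traps), as an added Python model that is not the guide's or the switch's own code. `SecurePort`, its field names and the sample MAC addresses are hypothetical; the model follows the text: Classic Lock freezes the addresses already learned, Limited Dynamic Lock starts empty and learns up to Max No. of Addresses Allowed, a violation traps at most once per Trap Frequency, and Shutdown keeps the port down afterwards.

```python
from dataclasses import dataclass, field
from typing import Optional

DISCARD, FORWARD, SHUTDOWN = "Discard", "Forward", "Shutdown"   # Action on Violation

@dataclass
class SecurePort:
    """One locked port. Hypothetical model written for this example, not switch code."""
    mode: str                    # "Classic Lock" or "Limited Dynamic Lock"
    action: str = DISCARD        # Action on Violation
    max_addresses: int = 1       # Max No. of Addresses Allowed (Limited Dynamic Lock)
    trap_frequency: int = 10     # Trap Frequency: minimum seconds between traps
    learned: set = field(default_factory=set)
    shut_down: bool = False
    traps: list = field(default_factory=list)
    _last_trap: Optional[float] = None

    def lock(self, current_macs):
        # Classic Lock freezes whatever was already learned; Limited Dynamic Lock
        # deletes the current dynamic entries and learns up to max_addresses.
        self.learned = set(current_macs) if self.mode == "Classic Lock" else set()

    def ingress(self, src_mac, now):
        """Return 'forwarded' or 'dropped' for a frame from src_mac arriving at time now."""
        if self.shut_down:
            return "dropped"
        if src_mac in self.learned:
            return "forwarded"
        if self.mode == "Limited Dynamic Lock" and len(self.learned) < self.max_addresses:
            self.learned.add(src_mac)          # still below the limit: learn it
            return "forwarded"
        # Lock violation: unknown source on a locked port. Trap at most once per trap_frequency.
        if self._last_trap is None or now - self._last_trap >= self.trap_frequency:
            self.traps.append((now, src_mac))
            self._last_trap = now
        if self.action == FORWARD:
            return "forwarded"                 # forwarded, but the address is never learned
        if self.action == SHUTDOWN:
            self.shut_down = True              # stays down until reactivated or reboot
        return "dropped"

def demo():
    """Constructed traffic: one Classic Lock port and one Limited Dynamic Lock port."""
    classic = SecurePort("Classic Lock", action=DISCARD, trap_frequency=5)
    classic.lock(["aa:aa:aa:aa:aa:01"])
    classic_results = [classic.ingress("aa:aa:aa:aa:aa:01", 0),
                       classic.ingress("bb:bb:bb:bb:bb:02", 1),    # violation, trap sent
                       classic.ingress("bb:bb:bb:bb:bb:02", 3)]    # 2 s later: no second trap
    limited = SecurePort("Limited Dynamic Lock", action=SHUTDOWN, max_addresses=2)
    limited.lock(["cc:cc:cc:cc:cc:03"])                           # deleted by the lock
    macs = ["a:1", "a:2", "a:3", "a:1"]                            # third address exceeds the limit
    limited_results = [limited.ingress(m, t) for t, m in enumerate(macs)]
    return classic_results, len(classic.traps), limited_results, limited.shut_down
```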
Denial of Service Prevention

A Denial of Service (DoS) attack is a hacker attempt to make a device unavailable to its users. DoS attacks saturate the device with external communication requests, so that it cannot respond to legitimate traffic. These attacks usually lead to a device CPU overload.

Secure Core Technology (SCT)

One method of resisting DoS attacks employed by the device is the use of SCT. SCT is enabled by default on the device and cannot be disabled. The Cisco device is an advanced device that handles management traffic, protocol traffic and snooping traffic, in addition to end-user (TCP) traffic. SCT ensures that the device receives and processes management and protocol traffic, no matter how much total traffic is received. This is done by rate-limiting TCP traffic to the CPU. There are no interactions with other features. SCT can be monitored in the Denial of Service > Denial of Service Prevention > Security Suite Settings page (Details button).

Types of DoS Attacks

The following types of packets or other strategies might be involved in a Denial of Service attack:
•TCP SYN Packets—These packets often have a false sender address. Each packet is handled like a connection request, causing the server to spawn a half-open connection by sending back a TCP SYN-ACK packet (Acknowledge) and waiting for a packet in response from the sender address (the final ACK of the handshake). However, because the sender address is false, the response never comes. These half-open connections saturate the number of available connections that the device is able to make, keeping it from responding to legitimate requests.
•TCP SYN-FIN Packets—SYN packets are sent to create a new TCP connection. TCP FIN packets are sent to close a connection. A packet in which both SYN and FIN flags are set should never exist. Therefore these packets might signify an attack on the device and should be blocked.
•Martian Addresses—Martian addresses are illegal from the point of view of the IP protocol. See Martian Addresses for more details.
•ICMP Attack—Sending malformed ICMP packets or an overwhelming number of ICMP packets to the victim, which might lead to a system crash.
•IP Fragmentation—Mangled IP fragments with overlapping, over-sized payloads are sent to the device. This can crash various operating systems due to a bug in their TCP/IP fragmentation re-assembly code. Windows 3.1x, Windows 95 and Windows NT operating systems, as well as versions of Linux prior to versions 2.0.32 and 2.1.63, are vulnerable to this attack.
•Stacheldraht Distribution—The attacker uses a client program to connect to handlers, which are compromised systems that issue commands to zombie agents, which in turn facilitate the DoS attack. Agents are compromised via the handlers by the attacker, using automated routines to exploit vulnerabilities in programs that accept remote connections running on the targeted remote hosts. Each handler can control up to a thousand agents.
•Invasor Trojan—A trojan enables the attacker to download a zombie agent (or the trojan may contain one). Attackers can also break into systems using automated tools that exploit flaws in programs that listen for connections from remote hosts. This scenario primarily concerns the device when it serves as a server on the web.
•Back Orifice Trojan—This is a variation of a trojan that uses Back Orifice software to implant the trojan.

Defense Against DoS Attacks

The Denial of Service (DoS) Prevention feature assists the system administrator in resisting such attacks in the following ways:
•Enable TCP SYN protection. If this feature is enabled, reports are issued when a SYN packet attack is identified, and the attacked port can be temporarily shut down. A SYN attack is identified if the number of SYN packets per second exceeds a user-configured threshold.
•Block SYN-FIN packets.
•Block packets that contain reserved Martian addresses (Martian Addresses page).
•Prevent TCP connections from a specific interface (SYN Filtering page) and rate limit the packets (SYN Rate Protection page).
•Configure the blocking of certain ICMP packets (ICMP Filtering page).
•Discard fragmented IP packets from a specific interface (IP Fragments Filtering page).
•Deny attacks from Stacheldraht Distribution, Invasor Trojan, and Back Orifice Trojan (Security Suite Settings page).

Dependencies Between Features

ACL and advanced QoS policies are not active when a port has DoS Protection enabled on it. An error message appears if you attempt to enable DoS Prevention when an ACL is defined on the interface, or if you attempt to define an ACL on an interface on which DoS Prevention is enabled. A SYN attack cannot be blocked if there is an ACL active on an interface.

Default Configuration

The DoS Prevention feature has the following defaults:
•The DoS Prevention feature is disabled by default.
•SYN-FIN protection is enabled by default (even if DoS Prevention is disabled).
•If SYN protection is enabled, the default protection mode is Block and Report. The default threshold is 30 SYN packets per second.
•All other DoS Prevention features are disabled by default.

Configuring DoS Prevention

The following pages are used to configure this feature.

Security Suite Settings

NOTE Before activating DoS Prevention, you must unbind all Access Control Lists (ACLs) or advanced QoS policies that are bound to a port. ACL and advanced QoS policies are not active when a port has DoS Protection enabled on it.

To configure DoS Prevention global settings and monitor SCT:
STEP 1 Click Security > Denial of Service Prevention > Security Suite Settings. The Security Suite Settings page displays. CPU Protection Mechanism: Enabled indicates that SCT is enabled.
STEP 2 Click Details beside CPU Utilization to go to the CPU Utilization page and view CPU resource utilization information.
STEP 3 Click Edit beside TCP SYN Protection to go to the SYN Protection page and enable this feature.
STEP 4 Select DoS Prevention to enable the feature.
•Disable—Disable the feature.
•System-Level Prevention—Enable that part of the feature that prevents attacks from Stacheldraht Distribution, Invasor Trojan, and Back Orifice Trojan.
STEP 5 If System-Level Prevention or System-Level and Interface-Level Prevention is selected, enable one or more of the following DoS Prevention options:
•Stacheldraht Distribution—Discards TCP packets with source TCP port equal to 16660.
•Invasor Trojan—Discards TCP packets with destination TCP port equal to 2140 and source TCP port equal to 1024.
•Back Orifice Trojan—Discards UDP packets with destination UDP port equal to 31337 and source UDP port equal to 1024.
STEP 6 Click Apply. The Denial of Service Prevention Security Suite settings are written to the Running Configuration file.
•If Interface-Level Prevention is selected, click the appropriate Edit button to configure the desired prevention.
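The Security Suite decisions just listed, together with the defaults from Default Configuration (SYN-FIN blocking on, SYN threshold 30 packets per second, mode Block and Report), as an added Python model that is not the guide's or the switch's code. `DosPrevention`, `system_level_match`, the packet dictionaries and the port names are constructed; SYNs are counted per port per second and only when addressed to the switch itself (the guide's MAC-to-me case), which the constructed packets mark with a `to_cpu` flag.

```python
from collections import defaultdict

SYN, FIN = 0x02, 0x01     # TCP flag bits

def system_level_match(pkt):
    """Name of the System-Level Prevention signature the packet matches, or None."""
    tcp, udp = pkt["proto"] == "tcp", pkt["proto"] == "udp"
    if tcp and pkt["sport"] == 16660:
        return "Stacheldraht Distribution"
    if tcp and pkt["dport"] == 2140 and pkt["sport"] == 1024:
        return "Invasor Trojan"
    if udp and pkt["dport"] == 31337 and pkt["sport"] == 1024:
        return "Back Orifice Trojan"
    return None

class DosPrevention:
    """Model of the guide's defaults (SYN-FIN blocked, 30 SYN/s, Block and Report); hypothetical."""
    def __init__(self, syn_threshold=30, syn_mode="Block and Report", block_syn_fin=True):
        self.syn_threshold, self.syn_mode, self.block_syn_fin = syn_threshold, syn_mode, block_syn_fin
        self.syn_count = defaultdict(int)            # (port, second) -> SYNs to the CPU
        self.status = defaultdict(lambda: "Normal")  # per-port SYN Protection status
        self.log = []                                # stands in for SYSLOG/traps

    def process(self, pkt):
        """Return 'drop' or 'accept' for one constructed packet dict; update port status."""
        port, flags = pkt["port"], pkt.get("flags", 0)
        sig = system_level_match(pkt)
        if sig:
            self.log.append(f"port {port}: dropped {sig} packet")
            return "drop"
        if self.block_syn_fin and flags & SYN and flags & FIN:
            return "drop"                            # SYN+FIN should never occur
        if pkt["proto"] == "tcp" and flags & SYN and pkt.get("to_cpu") and self.syn_mode != "Disable":
            if self.status[port] == "Blocked":
                return "drop"                        # deny-SYN rule is bound to the port
            key = (port, int(pkt["t"]))
            self.syn_count[key] += 1
            if self.syn_count[key] > self.syn_threshold:
                self.status[port] = "Blocked" if self.syn_mode == "Block and Report" else "Attacked"
                self.log.append(f"port {port}: SYN attack, {self.status[port]}")
                if self.status[port] == "Blocked":
                    return "drop"
        return "accept"

def demo():
    dp = DosPrevention()
    results = [dp.process({"port": "GE1", "proto": "udp", "sport": 1024, "dport": 31337, "t": 0}),
               dp.process({"port": "GE1", "proto": "tcp", "sport": 4000, "dport": 80,
                           "flags": SYN | FIN, "t": 0})]
    # 31 SYNs to the management plane from GE2 within one second exceed the 30/s default
    for i in range(31):
        verdict = dp.process({"port": "GE2", "proto": "tcp", "sport": 40000 + i, "dport": 22,
                              "flags": SYN, "to_cpu": True, "t": 1})
    results.append(verdict)
    return results, dict(dp.status), dp.log
```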
SYN Protection

The network ports might be used by hackers to attack the device in a SYN attack, which consumes TCP resources (buffers) and CPU power. Since the CPU is protected using SCT, TCP traffic to the CPU is limited. However, if one or more ports are attacked with a high rate of SYN packets, the CPU receives only the attacker's packets, thus creating a Denial of Service. When using the SYN protection feature, the CPU counts the SYN packets ingressing from each network port to the CPU per second. If the number is higher than the user-defined threshold, a deny SYN with MAC-to-me rule is applied on the port. This rule is unbound from the port every user-defined interval (SYN Protection Period).

To configure SYN protection:
STEP 1 Click Security > Denial of Service Prevention > SYN Protection.
STEP 2 Enter the parameters.
•Block SYN-FIN Packets—Select to enable the feature. All TCP packets with both SYN and FIN flags are dropped on all ports.
•SYN Protection Mode—Select between three modes:
-Disable—The feature is disabled on a specific interface.
-Report—Generates a SYSLOG message. The status of the port is changed to Attacked when the threshold is passed.
-Block and Report—When a TCP SYN attack is identified, TCP SYN packets destined for the system are dropped and the status of the port is changed to Blocked.
•SYN Protection Threshold—Number of SYN packets per second before SYN packets will be blocked (the deny SYN with MAC-to-me rule is applied on the port).
•SYN Protection Period—Time in seconds before unblocking the SYN packets (the deny SYN with MAC-to-me rule is unbound from the port).
STEP 3 Click Apply. SYN protection is defined, and the Running Configuration file is updated.

The SYN Protection Interface Table displays the following fields for every port or LAG (as requested by the user):
•Current Status—Interface status. The possible values are:
-Normal—No attack was identified on this interface.
-Blocked—Traffic is not forwarded on this interface.
-Attacked—Attack was identified on this interface.
•Last Attack—Date of the last SYN-FIN attack identified by the system and the system action (Reported or Blocked and Reported).

Martian Addresses

The Martian Addresses page enables entering IP addresses that indicate an attack if they are seen on the network. Packets from these addresses are discarded. The device supports a set of reserved Martian addresses that are illegal from the point of view of the IP protocol. The supported reserved Martian addresses are:
•Addresses defined to be illegal in the Martian Addresses page.
•Addresses that are illegal from the point of view of the protocol, such as loopback addresses, including addresses within the following ranges:
-0.0.0.0/8 (except 0.0.0.0/32 as a Source Address)—Addresses in this block refer to source hosts on this network.
-127.0.0.0/8—Used as the Internet host loopback address.
-192.0.2.0/24—Used as the TEST-NET in documentation and example code.
-224.0.0.0/4 (as a Source IP Address)—Used in IPv4 Multicast address assignments, and formerly known as Class D Address Space.
-240.0.0.0/4 (except 255.255.255.255/32 as a Destination Address)—Reserved address range, formerly known as Class E Address Space.

You can also add new Martian Addresses for DoS prevention. Packets that have a Martian address are discarded.

To define Martian addresses:
STEP 1 Click Security > Denial of Service Prevention > Martian Addresses.
STEP 2 Select Reserved Martian Addresses and click Apply to include the reserved Martian Addresses in the System Level Prevention list.
STEP 3 To add a Martian address, click Add.
STEP 4 Enter the parameters.
•IP Version—Indicates the supported IP version. Currently, support is only offered for IPv4.
•IP Address—Enter an IP address to reject. The possible values are:
-From Reserved List—Select a well-known IP address from the reserved list.
-New IP Address—Enter an IP address.
•Mask—Enter the mask of the IP address to define a range of IP addresses to reject. The values are:
-Network Mask—Network mask in dotted decimal format.
-Prefix Length—Enter the prefix of the IP address to define the range of IP addresses for which Denial of Service prevention is enabled.
STEP 5 Click Apply. The Martian addresses are written to the Running Configuration file.

SYN Filtering

The SYN Filtering page enables filtering TCP packets that contain a SYN flag, and are destined for one or more ports.

To define a SYN filter:
STEP 1 Click Security > Denial of Service Prevention > SYN Filtering.
STEP 2 Click Add.
STEP 3 Enter the parameters.
•Interface—Select the interface on which the filter is defined.
•IPv4 Address—Enter the IP address for which the filter is defined, or select All Addresses.
•Network Mask—Enter the network mask for which the filter is enabled in IP address format.
•TCP Port—Select the destination TCP port being filtered:
-Known Ports—Select a port from the list.
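Returning to the Martian Addresses page above: the following is an added Python model, not the guide's or the switch's code, of the reserved list it enumerates, including the two role-dependent exceptions (0.0.0.0 allowed only as a source, 255.255.255.255 allowed only as a destination) and a user-added entry given either as a dotted Network Mask or a Prefix Length. `MartianFilter`, `reason`, and the sample addresses are constructed for the example.

```python
import ipaddress

# Reserved list as the guide enumerates it: (network, role it applies to, exempted host in a role).
# Role "any" means the range is Martian as source or destination.
RESERVED_MARTIANS = [
    (ipaddress.ip_network("0.0.0.0/8"),    "any", ("src", ipaddress.ip_address("0.0.0.0"))),
    (ipaddress.ip_network("127.0.0.0/8"),  "any", None),
    (ipaddress.ip_network("192.0.2.0/24"), "any", None),
    (ipaddress.ip_network("224.0.0.0/4"),  "src", None),
    (ipaddress.ip_network("240.0.0.0/4"),  "any", ("dst", ipaddress.ip_address("255.255.255.255"))),
]

class MartianFilter:
    """Hypothetical model of the Martian Addresses page; example code, not switch firmware."""
    def __init__(self, reserved=True):
        self.entries = list(RESERVED_MARTIANS) if reserved else []   # "Reserved Martian Addresses"

    def add(self, address, mask=None, prefix_len=None):
        """Add a user-defined Martian given a dotted network mask or a prefix length."""
        if (mask is None) == (prefix_len is None):
            raise ValueError("give exactly one of mask or prefix_len")
        suffix = mask if prefix_len is None else prefix_len
        self.entries.append((ipaddress.ip_network(f"{address}/{suffix}", strict=False), "any", None))

    def reason(self, src, dst):
        """Return why a packet with these IPv4 addresses is discarded, or None if it passes."""
        for role, addr in (("src", ipaddress.ip_address(src)), ("dst", ipaddress.ip_address(dst))):
            for net, applies_to, exc in self.entries:
                if applies_to not in ("any", role) or addr not in net:
                    continue
                if exc and exc[0] == role and addr == exc[1]:
                    continue   # 0.0.0.0 as source (e.g. DHCP discover) and limited broadcast as destination stay legal
                return f"{role} {addr} in Martian range {net}"
        return None

def demo():
    """Constructed checks against the reserved list plus one user-added TEST-NET-3 entry."""
    f = MartianFilter()
    f.add("203.0.113.0", mask="255.255.255.0")
    return {
        "dhcp_discover": f.reason("0.0.0.0", "255.255.255.255"),  # both exceptions apply: passes
        "loopback_src": f.reason("127.0.0.1", "10.1.1.1"),
        "multicast_dst": f.reason("10.1.1.1", "239.1.1.1"),       # multicast is Martian only as source
        "multicast_src": f.reason("239.1.1.1", "10.1.1.1"),
        "user_entry": f.reason("10.1.1.1", "203.0.113.9"),
    }
```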