IPv6 security

In previous posts I showed how to network on IPv4. IPv6 is a different world: IPv4 ACLs and the IPv4 approach will not work. IPv6 traffic runs in parallel to IPv4, and IPv4 ACLs and firewalls will not block IPv6 traffic. The main problem with IPv6 is that even when you don’t enable IPv6 on routers, some of customers[…]

L2 and STP security on switches

We talked about 6 L2 attacks in the topic about DHCP snooping. There are also different attacks on switching technologies. One of the main L2 technologies is VLAN. VLAN hopping: 1) Switch spoofing: the attacker connects to an access port and changes it to a trunk. Mitigation is very simple – disable DTP negotiation on trunk[…]

IP dhcp snooping – first hop security on IPv4

When we connect customers to an access switch we immediately face these security threats: DHCP spoofing – some PC in the network will run a DHCP server. It can even be caused by a wrong configuration of a Windows machine. In this case, some of the computers inside the LAN will connect to the new DHCP server and will forward packets[…]

ACLs on Cisco

Cisco has different types of ACLs; below are the most used types: 1. Standard ACL. The oldest and simplest type is the standard ACL – numbers are 1-99, 1300-1999 – wildcard masks are used – filters only based on SRC IP address/network – the ACL can work with IP addresses only, no L4-L7 features. Example: we[…]

Zone based firewall on Cisco

Zone Based Firewall. Let’s say we have a router which is connected to the Internet, the LAN and also to our office Server Farm. It has 3 interfaces and we create 3 zones: INTERNET, LAN, DMZ. We will have to create 6 policies in total: LAN → INTERNET, INTERNET → LAN, LAN → DMZ[…]

Mitigate TCP SYN flood with TCP intercept

In today's world DDoS attacks are frequent, and one of the simplest is the TCP SYN flood. Preventing this attack is easy in a Cisco environment. Cisco devices have a feature called “tcp intercept”. To prevent TCP SYN attacks on a server we can deploy the TCP intercept feature on a router which is located between the Internet and the server. What[…]

Network security framework, types of DDoS

I’m using the NFP concept in designing security in networks. It consists of 3 elements – protecting the Data plane (forwarding of packets), the Control plane (routing protocols management layer) and the Management plane (access to device, administration layer). Below is a basic mindmap with the technologies I’m going to explain in further topics. Also it’s needed[…]