IPv6 security

In previous posts I showed how to work with IPv4 networks. IPv6 is a different world: IPv4 ACLs and the IPv4 approach will not work. IPv6 traffic runs in parallel to IPv4, and IPv4 ACLs/firewalls will not block IPv6 traffic. The main problem of IPv6 is that even when you don't enable IPv6 on routers, some of the customers[…]

L2 and STP security on switches

We discussed six L2 attacks in the post about DHCP snooping. There are also other attacks on switching technologies. One of the main L2 technologies is VLAN. VLAN hopping: 1) Switch spoofing: the attacker connects to an access port and changes it into a trunk. Mitigation is very simple: disable DTP negotiation on trunk[…]

IP dhcp snooping – first hop security on IPv4

When we connect customers to an access switch we immediately face these security threats: DHCP spoofing: some PC in the network runs a DHCP server. It can be caused even by a misconfigured Windows machine. In this case, some of the computers inside the LAN will connect to the new DHCP server and will forward packets[…]

ACLs on Cisco

Cisco has different types of ACLs; below are the most used types: 1. Standard ACL. The oldest and simplest type is the standard ACL: numbers are 1-99 and 1300-1999; wildcard masks are used; it filters only on the source IP address/network; the ACL can work with IP addresses only, with no L4-L7 features. Example: we[…]

Zone based firewall on Cisco

Zone Based Firewall. Let's say we have a router which is connected to the Internet, to the LAN, and also to our office server farm. It has 3 interfaces and we create 3 zones: INTERNET, LAN, DMZ. We will have to create 6 policies in total: LAN → INTERNET, INTERNET → LAN, LAN → DMZ[…]