2. CCNA3-2 Chapter 2-2
• Hostname: naming the switch
Switch#configure terminal
Switch(config)#hostname SW1
SW1(config)#end
• Securing Console Access: so that access to the router through the console is made safer by requiring a password.
SW1#configure terminal
SW1(config)#line console 0
SW1(config-line)#password webmedia
SW1(config-line)#login
SW1(config-line)#end
Configuring Basic & Password Options
3. CCNA3-3 Chapter 2-2
• Securing Virtual Terminal Access:
• There are 16 available default Telnet sessions as set up for a switch.
SW1#configure terminal
SW1(config)#line vty 0 15
SW1(config-line)#password webmedia
SW1(config-line)#login
SW1(config-line)#end
Configuring Password Options
4. CCNA3-4 Chapter 2-2
• Securing Privileged EXEC Access:
• Always use enable secret so that the password is stored encrypted.
SW1#configure terminal
SW1(config)#enable secret webmedia
SW1(config)#end
• Encrypting Switch Passwords: we can encrypt all the passwords we create on the switch with the command service password-encryption.
SW1#configure terminal
SW1(config)#service password-encryption
SW1(config)#end
Configuring Password Options
6. CCNA3-6 Chapter 2-2
• Telnet:
• Most common method.
• Virtual Terminal application.
• Sends in clear text.
• Not secure.
• Secure Shell (SSH):
• Virtual Terminal application.
• Sends an encrypted data stream.
• Is secure.
Configure Telnet and SSH
7. CCNA3-7 Chapter 2-2
• Configuring Telnet:
• Telnet is the default transport for the vty lines.
• No need to specify it after the initial configuration of the switch has been performed.
SW1#configure terminal
SW1(config)#line vty 0 15
SW1(config-line)#password webmedia
SW1(config-line)#login
SW1(config-line)#transport input telnet
SW1(config-line)#end
Configure Telnet and SSH
8. CCNA3-8 Chapter 2-2
• Configuring Secure Shell (SSH):
• SSH is a cryptographic security feature that is subject to export restrictions. To use this feature, a cryptographic image must be installed on your switch.
• Perform the following to configure SSH ONLY Access:
SW1#configure terminal
SW1(config)#username userwebmedia password webmedia
SW1#configure terminal
SW1(config)#ip domain-name webmedia.com
SW1(config)#crypto key generate rsa
SW1(config)#ip ssh version 2
SW1(config)#line vty 0 15
SW1(config-line)#login local
SW1(config-line)#transport input ssh
SW1(config-line)#end
Configure Telnet and SSH
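A way to check a saved running-config for the hardening steps in slides 2 to 8 (enable secret, service password-encryption, login on the lines, SSH-only vty access), as an added Python example that is not part of the course material; the sample config is constructed and the function names are my own.

```python
# Constructed running-config sample that leaves out the hardening steps this
# chapter teaches (enable secret, service password-encryption, SSH-only vty).
WEAK_CONFIG = """\
hostname SW1
enable password webmedia
no service password-encryption
ip domain-name webmedia.com
username userwebmedia password webmedia
line con 0
 password webmedia
 login
line vty 0 15
 password webmedia
 login
 transport input telnet
"""

def parse_sections(config):
    """Split IOS config text into (top-level command, [indented sub-commands]) pairs."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                      # skip blank lines and '!' separators
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections

def audit(config):
    """Return findings for the privileged EXEC, console and vty settings in this chapter."""
    findings = []
    sections = parse_sections(config)
    tops = [top for top, _ in sections]
    if not any(top.startswith("enable secret ") for top in tops):
        findings.append("missing 'enable secret': privileged EXEC password absent or stored reversibly")
    if "service password-encryption" not in tops:
        findings.append("'service password-encryption' is off: line passwords are in clear text")
    for top, subs in sections:
        if not top.startswith("line "):
            continue
        if not any(s in ("login", "login local") for s in subs):
            findings.append(f"{top}: no 'login', so the line password is never asked for")
        if top.startswith("line vty"):
            transport = next((s for s in subs if s.startswith("transport input")), "transport input (default)")
            if transport != "transport input ssh":
                findings.append(f"{top}: '{transport}' permits Telnet; use 'transport input ssh'")
    return findings

if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG):
        print(finding)
```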
9. CCNA3-9 Chapter 2-2
• MAC Address Flooding:
From the previous discussion, we already know:
• The MAC address table of the switch consists of:
• The MAC addresses present on the physical ports assigned to the switch.
• The VLAN parameters associated with each port.
• When forwarding data, the switch looks up the destination address of the data frame being sent.
• If it is in the MAC table, the frame is forwarded to the destination port.
• If it is not in the MAC table, the frame is forwarded to all switch ports except the port the frame came in on.
Common Security Attacks
10. CCNA3-10 Chapter 2-2
• Example of MAC Address Flooding:
• The MAC address table is limited in size (for example, a Cisco 2950 switch holds a maximum of 8000 MAC addresses).
• So an intruder can flood the switch using a network attack tool that continuously sends bogus MAC addresses to the switch.
• (e.g. 155,000 MAC addresses per minute)
• When a switch MAC table becomes full and stays full, the switch forwards every frame it receives out all switch ports, just like a hub.
• As a result, the intruder can see all the traffic on the switch.
Common Security Attacks
11. CCNA3-11 Chapter 2-2
• Spoofing Attacks:
• Man-In-The-Middle (MITM):
• Intercepting network traffic.
• DHCP or DNS spoofing.
• The attacking device responds to DHCP or DNS
requests with IP configuration or address information
that points the user to the intruder’s destination.
• DHCP Starvation:
• The attacking device continually requests IP
addresses from a real DHCP server with continually
changing MAC addresses.
• Eventually the pool of addresses is used up and
actual users cannot access the network.
Common Security Attacks
12. CCNA3-12 Chapter 2-2
• CDP Attacks:
• Cisco Discovery Protocol (CDP) is a proprietary protocol that exchanges information among Cisco devices.
• IP address
• Software version
• Platform
• Capabilities
• Native VLAN (Trunk Links – Chapter 3).
• With a free network sniffer (Wireshark) an intruder could obtain this information.
• It can be used to find ways to perform Denial Of Service (DoS) attacks and others.
Common Security Attacks
Usually on by default.
If you don’t need it, turn it off.
13. CCNA3-13 Chapter 2-2
• Telnet Attacks:
• Recall that Telnet transmits in plain text and is not secure. While you may have set passwords, the following types of attacks are possible.
• Brute force (password guessing)
• DoS (Denial of Service)
• With a free network sniffer (Wireshark) an intruder could obtain this information.
• Use strong passwords and change them frequently.
• Use SSH.
Common Security Attacks
14. CCNA3-14 Chapter 2-2
• These help you test your network for various weaknesses, by using tools that let you play the role of a hacker and of a network security analyst. The tests performed are:
a) Network Security Audits:
• Gather information about attackers by monitoring network traffic.
• Determine MAC address table limits and the age-out period.
b) Network Penetration Testing:
• Identify the weaknesses in our network security.
• Plan and build security on your network that will not affect the network's performance.
Network Security Tools
15. CCNA3-15 Chapter 2-2
c) Common Features:
• Service Identification:
• IANA port numbers, discover FTP and HTTP servers,
test all of the services running on a host.
• Support of SSL Service:
• Testing services that use SSL Level security.
• HTTPS, SMTPS, IMAPS and security certificates.
• Non-destructive and Destructive Testing:
• Security audits that can degrade performance.
• Database of Vulnerabilities:
• Compile a database that can be updated over time.
Network Security Tools
16. CCNA3-16 Chapter 2-2
• With these tools, we can:
• Capture chat messages.
• Capture files from NFS traffic.
• Capture HTTP requests.
• Capture mail messages.
• Capture passwords.
• Display captured URLs in a browser in real-time.
• Flood a switched LAN with random MAC addresses.
• Forge replies to DNS addresses.
• Intercept packets.
Network Security Tools
17. CCNA3-17 Chapter 2-2
• Implement Port Security to:
• Port security is disabled by default.
• Limit the number of valid MAC addresses allowed on a
port.
• When MAC address port security is enabled on a switch port, the port will not forward packets whose source address is not one of the addresses we have defined.
• Specify a group of valid MAC addresses allowed on a
port.
• Or Allow only one MAC address access to the port.
• Specify that the port automatically shuts down
(Security Violation Modes) if an invalid MAC address
is detected.
Configuring Port Security
18. CCNA3-18 Chapter 2-2
• Secure MAC Address types:
1. Static:
• Manually specify that a specific MAC address is the
ONLY address allowed to connect to that port.
• They are added to the MAC address table and stored
in the running configuration.
2. Dynamic:
• MAC addresses are learned dynamically when a
device connects to the switch.
• They are stored in the address table and are lost
when the switch reloads.
Configuring Port Security
19. CCNA3-19 Chapter 2-2
3. Sticky:
• Specifies that MAC addresses are:
• Dynamically learned.
• Added to the MAC address table.
• Stored in the running configuration.
• You may also manually add a MAC address.
Configuring Port Security
20. CCNA3-20 Chapter 2-2
• Security Violation Modes:
• Occurs when:
• A host whose MAC address is not in the MAC address table tries to access the interface while the address table is already full.
• A MAC address is used on two secure interfaces in the same VLAN.
• Modes:
• Protect: drop frames – no notify
• Restrict: drop frames - notify
• Shutdown: disable port - notify
Configuring Port Security
21. CCNA3-21 Chapter 2-2
• Default/Static Port Security Configuration:
Switch(config)#interface FastEthernet0/1
Switch(config-if)#description Port to PC1
Switch(config-if)#switchport access vlan 1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security mac-address 0003.E4A3.EC19
Configuring Port Security
22. CCNA3-22 Chapter 2-2
• Configure Dynamic Port Security:
• Dynamically learned when the device connects.
• Added to MAC table only.
Switch(config)#interface FastEthernet0/1
Switch(config-if)#description Port to PC1
Switch(config-if)#switchport access vlan 1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
• Configure Static Port Security with Dynamic Learning:
• Dynamically learned from the list of static MAC addresses when the device connects.
• Added manually to the MAC table and the running configuration.
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 3 (1-132)
Switch(config-if)#switchport port-security mac-address mac-ad1
Switch(config-if)#switchport port-security mac-address mac-ad2
Switch(config-if)#switchport port-security mac-address mac-ad3
Configuring Port Security
23. CCNA3-23 Chapter 2-2
• Configure Sticky Port Security:
• Dynamically learn MAC addresses.
• Added automatically to the MAC table and saved in the running configuration.
Configuring Port Security
Switch(config)#interface FastEthernet0/1
Switch(config-if)#description Port to PC1
Switch(config-if)#switchport access vlan 1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 3 (1-132)
Switch(config-if)#switchport port-security mac-address sticky
If the switch port is connected to a computer, it will automatically add the sticky MAC address configuration, with a maximum of 3 MAC addresses, for example:
switchport port-security mac-address sticky 0007.EC74.2861
switchport port-security mac-address sticky 0007.EC74.2862
switchport port-security mac-address sticky 0007.EC74.2863
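The behaviour of the violation modes on slide 20 and of the static, dynamic and sticky configurations on slides 21 to 23, as an added Python model; it is not from the course material, the class and function names are my own, and the source MAC addresses are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    """One access port with 'switchport port-security' enabled (names are my own)."""
    name: str
    maximum: int = 1             # switchport port-security maximum <1-132>
    violation: str = "shutdown"  # protect | restrict | shutdown
    sticky: bool = False         # switchport port-security mac-address sticky
    secure_macs: set = field(default_factory=set)   # static + learned addresses
    running_config: list = field(default_factory=list)
    violations: int = 0
    err_disabled: bool = False

    def add_static(self, mac):
        """Static secure MAC: switchport port-security mac-address <mac>."""
        self.secure_macs.add(mac)
        self.running_config.append(f"switchport port-security mac-address {mac}")

    def receive(self, src_mac):
        """Apply the chapter's rules to one inbound frame and report what happens to it."""
        if self.err_disabled:
            return "err-disabled"          # shutdown mode already disabled the port
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)  # dynamic learning goes to the MAC table only;
            if self.sticky:                # sticky also writes it to the running-config
                self.running_config.append(f"switchport port-security mac-address sticky {src_mac}")
            return "forward"
        self.violations += 1               # unknown source while the maximum is reached
        if self.violation == "protect":
            return "drop"                  # drop, no notification
        if self.violation == "restrict":
            return "drop+notify"           # drop and notify
        self.err_disabled = True           # shutdown: the port is disabled and notifies
        return "err-disabled"

def run_scenario(maximum, violation, sticky, sources):
    """Push frames from each source MAC through a fresh port.
    Returns (frames forwarded, violations, err_disabled, sticky/static lines written)."""
    port = SecurePort("Fa0/1", maximum=maximum, violation=violation, sticky=sticky)
    forwarded = sum(port.receive(mac) == "forward" for mac in sources)
    return forwarded, port.violations, port.err_disabled, len(port.running_config)

# Constructed source MACs standing in for the bogus addresses a flooding tool sends.
BOGUS_MACS = [f"0007.EC74.{i:04X}" for i in range(10)]
```

With maximum 3 the port learns the first three addresses and then either drops or err-disables, so the flood never turns the switch into a hub on that port.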
24. CCNA3-24 Chapter 2-2
• Verify Port Security Settings:
Verify Port Security
25. CCNA3-25 Chapter 2-2
• Verify Secure MAC Addresses:
Verify Port Security
26. CCNA3-26 Chapter 2-2
• Disable unused ports:
Securing Unused Ports
You can specify a range of interfaces.
For example, to specify the first 10 interfaces:
interface range fastethernet 0/1 - 10