Cisco Sg3008 Manual

							Security
Configuring Port Security
354 Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version) 
18
•Storm Control Mode—Select one of the modes: 
-Unknown Unicast, Multicast & Broadcast—Counts unknown Unicast, 
Broadcast, and Multicast traffic towards the bandwidth threshold.
-Multicast & Broadcast—Counts Broadcast and Multicast traffic towards 
the bandwidth threshold.
-Broadcast Only—Counts only Broadcast traffic towards the bandwidth 
threshold.
STEP  4Click Apply. Storm control is modified, and the Running Configuration file is 
updated.
Configuring Port Security 
Network security can be increased by limiting access on a port to users with 
specific MAC addresses. The MAC addresses can be either dynamically learned 
or statically configured.
Port security monitors received and learned packets. Access to locked ports is 
limited to users with specific MAC addresses. 
Port Security has four modes:
•Classic Lock—All learned MAC addresses on the port are locked, and the 
port does not learn any new MAC addresses. The learned addresses are 
not subject to aging or re-learning. 
•Limited Dynamic Lock—The device learns MAC addresses up to the 
configured limit of allowed addresses. After the limit is reached, the device 
does not learn additional addresses. In this mode, the addresses are 
subject to aging and re-learning.
•Secure Permanent—Keeps the current dynamic MAC addresses 
associated with the port and learns up to the maximum number of 
addresses allowed on the port (set by Max No. of Addresses Allowed). 
Relearning and aging are disabled. 
•Secure Delete on Reset—Deletes the current dynamic MAC addresses 
associated with the port after reset. New MAC addresses can be learned 
as Delete-On-Reset ones up to the maximum addresses allowed on the 
port. Relearning and aging are disabled.  
						

							Security
Configuring Port Security
Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version)  355
18
 
When a frame from a new MAC address is detected on a port where it is not 
authorized (the port is classically locked, and there is a new MAC address, or the 
port is dynamically locked, and the maximum number of allowed addresses has 
been exceeded), the protection mechanism is invoked, and one of the following 
actions can take place:
•Frame is discarded
•Frame is forwarded
•Por t is shut down
When the secure MAC address is seen on another port, the frame is forwarded, 
but the MAC address is not learned on that port.
In addition to one of these actions, you can also generate traps, and limit their 
frequency and number to avoid overloading the devices.
NOTETo use 802.1X on a port, it must be in multiple host or multi session modes. Port 
security on a port cannot be set if the port is in single mode (see the 802.1x, Host 
and Session Authentication page). 
To configure port security:
STEP 1Click Security > Port Security.
STEP  2Select an interface to be modified, and click Edit.
STEP  3Enter the parameters.
•Interface—Select the interface name.
•Interface Status—Select to lock the port.
•Learning Mode—Select the type of port locking. To configure this field, the 
Interface Status must be unlocked. The Learning Mode field is enabled only 
if the Inter face Status field is locked. To change the Learning Mode, the Lock 
Interface must be cleared. After the mode is changed, the Lock Interface can 
be reinstated. The options are: 
-Classic Lock—Locks the port immediately, regardless of the number of 
addresses that have already been learned. 
-Limited Dynamic Lock—Locks the port by deleting the current dynamic 
MAC addresses associated with the port. The port learns up to the 
maximum addresses allowed on the port. Both re-learning and aging of 
MAC addresses are enabled.  
						

							Security
802.1X
356 Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version) 
18
-Secure Permanent—Keeps the current dynamic MAC addresses 
associated with the port and learns up to the maximum number of 
addresses allowed on the port (set by Max No. of Addresses Allowed). 
Relearning and aging are enabled. 
-Secure Delete on Reset—Deletes the current dynamic MAC addresses 
associated with the port after reset. New MAC addresses can be learned 
as Delete-On-Reset ones up to the maximum addresses allowed on the 
port. Relearning and aging are disabled. 
•Max No. of Addresses Allowed—Enter the maximum number of MAC 
addresses that can be learned on the port if Limited Dynamic Lock learning 
mode is selected. The number 0 indicates that only static addresses are 
supported on the interface.
•Action on Violation—Select an action to be applied to packets arriving on a 
locked port. The options are:
-Discard—Discards packets from any unlearned source.
-For ward—Forwards packets from an unknown source without learning 
the MAC address.
-Shutdown—Discards packets from any unlearned source, and shuts 
down the port. The port remains shut down until reactivated, or until the 
device is rebooted.
•Trap—Select to enable traps when a packet is received on a locked port. 
This is relevant for lock violations. For Classic Lock, this is any new address 
received. For Limited Dynamic Lock, this is any new address that exceeds 
the number of allowed addresses. 
•Trap Frequency—Enter minimum time (in seconds) that elapses between 
traps. 
STEP  4Click Apply. Port security is modified, and the Running Configuration file is 
updated.
802.1X
See the Security: 802.1X Authentication chapter for information about 802.1X 
authentication. This includes MAC-based and web-based authentication. 
						

							Security
Denial of Service Prevention
Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version)  357
18
 
Denial of Service Prevention 
A Denial of Service (DoS) attack is a hacker attempt to make a device unavailable 
to its users. 
DoS attacks saturate the device with external communication requests, so that it 
cannot respond to legitimate traffic. These attacks usually lead to a device CPU 
overload.
Secure Core Technology (SCT ) 
One method of resisting DoS attacks employed by the device is the use of SCT. 
SCT is enabled by default on the device and cannot be disabled. 
The Cisco device is an advanced device that handles management traffic, 
protocol traffic and snooping traffic, in addition to end-user (TCP) traffic.
SCT ensures that the device receives and processes management and protocol 
traffic, no matter how much total traffic is received. This is done by rate-limiting 
TCP traffic to the CPU.
There are no interactions with other features.
SCT can be monitored in the Denial of Service > Denial of Service Prevention > 
Security Suite Settings page (Details button).
Types of DoS Attacks
The following types of packets or other strategies might be involved in a Denial of 
Service attack: 
•TCP SYN Packets—These packets often have a false sender address. Each 
packets is handled like a connection request, causing the server to spawn a 
half-open connection, by sending back a TCP/SYN-ACK packet 
(Acknowledge), and waiting for a packet in response from the sender 
address (response to the ACK Packet). However, because the sender 
address is false, the response never comes. These half-open connections 
saturate the number of available connections that the device is able to 
make, keeping it from responding to legitimate requests.
•TCP SYN-FIN Packets—SYN packets are sent to create a new TCP 
connection. TCP FIN packets are sent to close a connection. A packet in 
which both SYN and FIN flags are set should never exist. Therefore these 
packets might signify an attack on the device and should be blocked. 
						

							Security
Denial of Service Prevention
358 Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version) 
18
•Martian Addresses—Martian addresses are illegal from the point of view of 
the IP protocol. See Martian Addresses for more details.
•ICMP Attack—Sending malformed ICMP packets or overwhelming number 
of ICMP packets to the victim that might lead to a system crash. 
•IP Fragmentation—Mangled IP fragments with overlapping, over-sized 
payloads are sent to the device. This can crash various operating systems 
due to a bug in their TCP/IP fragmentation re-assembly code. Windows 3.1x, 
Windows 95 and Windows NT operating systems, as well as versions of 
Linux prior to versions 2.0.32 and 2.1.63 are vulnerable to this attack.
•Stacheldraht Distribution—The attacker uses a client program to connect to 
handlers, which are compromised systems that issue commands to zombie 
agents, which in turn facilitate the DoS attack. Agents are compromised via 
the handlers by the attacker. 
Using automated routines to exploit vulnerabilities in programs that accept 
remote connections running on the targeted remote hosts. Each handler can 
control up to a thousand agents.
•Invasor Trojan—A trojan enables the attacker to download a zombie agent 
(or the trojan may contain one). Attackers can also break into systems using 
automated tools that exploit flaws in programs that listen for connections 
from remote hosts. This scenario primarily concerns the device when it 
serves as a server on the web.
•Back OrifaceTrojan—This is a variation of a trojan that uses Back Oriface 
software to implant the trojan.
Defense Against DoS Attacks
The Denial of Service (DoS) Prevention feature assists the system administrator 
in resisting such attacks in the following ways:
•Enable TCP SYN protection. If this feature is enabled, reports are issued 
when a SYN packet attack is identified, and the attacked port can be 
temporarily shut-down. A SYN attack is identified if the number of SYN 
packets per second exceeds a user-configured threshold.
•Block SYN-FIN packets.
•Block packets that contain reserved Martian addresses (Martian Addresses 
page) 
						

							Security
Denial of Service Prevention
Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version)  359
18
 
•Prevent TCP connections from a specific interface (SYN Filtering page) and 
rate limit the packets (SYN Rate Protection page)
•Configure the blocking of certain ICMP packets (ICMP Filtering page)
•Discard fragmented IP packets from a specific interface (IP Fragments 
Filtering page)
•Deny attacks from Stacheldraht Distribution, Invasor Trojan, and Back 
Orifice Trojan (Security Suite Settings page). 
Dependencies Between Features
ACL and advanced QoS policies are not active when a port has DoS Protection 
enabled on it. An error message appears if you attempt to enable DoS Prevention 
when an ACL is defined on the interface or if you attempt to define an ACL on an 
interface on which DoS Prevention is enabled.
A SYN attack cannot be blocked if there is an ACL active on an interface.
Default Configuration
The DoS Prevention feature has the following defaults:
•The DoS Prevention feature is disabled by default.
•SYN-FIN protection is enabled by default (even if DoS Prevention is 
disabled).
•If SYN protection is enabled, the default protection mode is Block and 
Report. The default threshold is 30 SYN packets per second.
•All other DoS Prevention features are disabled by default.
Configuring DoS Prevention
The following pages are used to configure this feature.
Security Suite Settings
NOTEBefore activating DoS Prevention, you must unbind all Access Control Lists (ACLs) 
or advanced QoS policies that are bound to a port. ACL and advanced QoS policies 
are not active when a port has DoS Protection enabled on it. 
To configure DoS Prevention global settings and monitor SCT: 
						

							Security
Denial of Service Prevention
360 Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version) 
18
STEP 1Click Security > Denial of Service Prevention > Security Suite Settings. The 
Security Suite Settings displays.
CPU Protection Mechanism: Enabled indicates that SCT is enabled. 
STEP  2Click Details beside CPU Utilization to go to the CPU Utilization page and view 
CPU resource utilization information.
STEP  3Click Edit beside TCP SYN Protection to go to the SYN Protection page and 
enable this feature.
STEP  4Select DoS Prevention to enable the feature.
•Disable—Disable the feature.
•System-Level Prevention—Enable that part of the feature that prevents 
attacks from Stacheldraht Distribution, Invasor Trojan, and Back Orifice 
Tr o j a n .  
STEP  5If System-Level Prevention or System-Level and Interface-Level Prevention is 
selected, enable one or more of the following DoS Prevention options: 
•Stacheldraht Distribution—Discards TCP packets with source TCP port 
equal to 16660.
•Invasor Trojan—Discards TCP packets with destination TCP port equal to 
2140 and source TCP port equal to 1024.
•Back Orifice Trojan—Discards UDP packets with destination UDP port 
equal to 31337 and source UDP port equal to 1024.
STEP  6Click Apply. The Denial of Service prevention Security Suite settings are written to 
the Running Configuration file.
•If Interface-Level Prevention is selected, click the appropriate Edit button to 
configure the desired prevention.  
						

							Security
Denial of Service Prevention
Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version)  361
18
 
SYN Protection
The network ports might be used by hackers to attack the device in a SYN attack, 
which consumes TCP resources (buffers) and CPU power. 
Since the CPU is protected using SCT, TCP traffic to the CPU is limited. However, if 
one or more ports are attacked with a high rate of SYN packets, the CPU receives 
only the attacker packets, thus creating Denial-of-Service.
When using the SYN protection feature, the CPU counts the SYN packets 
ingressing from each network port to the CPU per second.
If the number is higher than the specific, user-defined threshold, a deny SYN with 
MAC-to-me rule is applied on the port. This rule is unbound from the port every 
user-defined interval (SYN Protection Period).
To configure SYN protection:
STEP 1Click Security > Denial of Service Prevention > SYN Protection.
STEP  2Enter the parameters.
•Block SYN-FIN Packets—Select to enable the feature. All TCP packets with 
both SYN and FIN flags are dropped on all ports.
•SYN Protection Mode—Select between three modes:
-Disable—The feature is disabled on a specific interface.
-Repor t—Generates a SYSLOG message.The status of the port is 
changed to Attacked when the threshold is passed.
-Block and Repor t—When a TCP SYN attack is identified, TCP SYN 
packets destined for the system are dropped and the status of the port is 
changed to Blocked.
•SYN Protection Threshold—Number of SYN packets per second before 
SYN packets will be blocked (deny SYN with MAC-to-me rule will be applied 
on the port).
•SYN Protection Period—Time in seconds before unblocking the SYN 
packets (the deny SYN with MAC-to-me rule is unbound from the port).
STEP  3Click Apply. SYN protection is defined, and the Running Configuration file is 
updated.
The SYN Protection Interface Table displays the following fields for every port or 
LAG (as requested by the user) 
						

							Security
Denial of Service Prevention
362 Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version) 
18
•Current Status—Interface status. The possible values are:
-Normal—No attack was identified on this interface.
-Blocked—Traffic is not forwarded on this interface.
-Attacked—Attack was identified on this interface.
•Last Attack—Date of last SYN-FIN attack identified by the system and the 
system action (Reported or Blocked and Reported).
Martian Addresses
The Martian Addresses page enables entering IP addresses that indicate an 
attack if they are seen on the network. Packets from these addresses are 
discarded.
The device supports a set of reserved Martian addresses that are illegal from the 
point of view of the IP protocol. The supported reserved Martian addresses are:
•Addresses defined to be illegal in the Martian Addresses page. 
•Addresses that are illegal from the point of view of the protocol, such as 
loopback addresses, including addresses within the following ranges: 
-0.0.0.0/8 (Except 0.0.0.0/32 as a Source Address)—Addresses in 
this block refer to source hosts on this network.
-127.0.0.0/8—Used as the Internet host loopback address.
-192.0.2.0/24—Used as the TEST-NET in documentation and example 
codes.
-224.0.0.0/4 (As a Source IP Address)—Used in IPv4 Multicast address 
assignments, and was formerly known as Class D Address Space.
-240.0.0.0/4 (Except 255.255.255.255/32 as a Destination 
Address)—Reserved address range, and was formerly known as Class 
E Address Space.
You can also add new Martian Addresses for DoS prevention. Packets that have a 
Martian addresses are discarded.
To define Martian addresses: 
STEP 1Click Security > Denial of Service Prevention > Martian Addresses.
STEP  2Select Reserved Martian Addresses and click Apply to include the reserved 
Martian Addresses in the System Level Prevention list. 
						

							Security
Denial of Service Prevention
Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version)  363
18
 
STEP  3To add a Martian address click Add.
STEP  4Enter the parameters.
•IP Version—Indicates the supported IP version. Currently, support is only 
of fere d for IP v4.
•IP Address—Enter an IP addresses to reject. The possible values are:
-
From Reserved List—Select a well-known IP address from the reserved 
list.
-
New IP Address—Enter an IP address.
•Mask—Enter the mask of the IP address to define a range of IP addresses to 
reject . The values are:
-
Network Mask—Network mask in dotted decimal format.
-
Prefix Length—Enter the prefix of the IP address to define the range of IP 
addresses for which Denial of Service prevention is enabled.
STEP  5Click Apply. The Martian addresses are written to the Running Configuration file.
SYN Filtering
The SYN Filtering page enables filtering TCP packets that contain a SYN flag, and 
are destined for one or more ports. 
To define a SYN filter:
STEP 1Click Security > Denial of Service Prevention > SYN Filtering.
STEP  2Click Add.
STEP  3Enter the parameters.
•Interface—Select the interface on which the filter is defined.
•IPv4 Address—Enter the IP address for which the filter is defined, or select 
All Addresses.
•Network Mask—Enter the network mask for which the filter is enabled in IP 
address format.
•TCP Por t—Select the destination TCP port being filtered:
-Known Por ts—Select a port from the list.