Cisco 3750 protection against ip spoofing

Hello,
I was wondering if anything like ip verify unicast reverse-path was available for the C3750 series of switches.
Or if there's any other way to implement IP source checking (other than implementing an ACL per port or activating IP Source Guard, which requires a DHCP server and further manual entry of user data).

I think you can use the command "ip verify unicast reverse-path" itself on Catalyst 3750 switches. Check the following link for the command reference:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_command_reference_chapter09186a008017cf1b.html#wp1094165
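To make the behaviour of "ip verify unicast reverse-path" concrete, here is a small Python model of strict-mode unicast RPF. It is an added example, not Cisco code and not taken from the command reference linked above; the function names (lookup, urpf_strict, urpf_loose, filter_packets) and the sample FIB are assumptions for the demo. The FIB is constructed to resemble the SVIs in the 3750 configuration quoted further down this page, and the "allow_default" flag mirrors the IOS behaviour that a default route only satisfies the check when allow-default is configured.

```python
"""Strict-mode unicast RPF, modelled in Python (added example, not Cisco code).

The switch keeps a forwarding table; for every inbound packet it looks up the
*source* address and, in strict mode, forwards only when the best route back
to that source leaves through the interface the packet arrived on. Anything
else is treated as a spoofed source and dropped.
"""
import ipaddress
from collections import Counter

# Constructed FIB modelled on the SVIs of the 3750 config quoted later on the
# page: (prefix, egress interface). Longest prefix wins.
FIB = [
    ("10.10.0.0/24", "Vlan2"),
    ("10.10.1.0/24", "Vlan3"),
    ("172.16.100.0/24", "Vlan100"),
    ("0.0.0.0/0", "Vlan100"),  # default route toward the ASA
]


def lookup(addr):
    """Longest-prefix match. Returns (matched_network, egress_iface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in FIB:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_strict(src, ingress_iface, allow_default=False):
    """True if a packet from src arriving on ingress_iface passes strict uRPF.

    The default route does not satisfy the check unless allow_default is set
    (the IOS 'allow-default' keyword).
    """
    match = lookup(src)
    if match is None:
        return False
    net, egress = match
    if net.prefixlen == 0 and not allow_default:
        return False
    return egress == ingress_iface


def urpf_loose(src, allow_default=False):
    """Loose mode: any non-default route to the source is enough.

    This is the fallback where routing is asymmetric and strict mode would
    drop legitimate traffic; it still blocks sources with no route at all.
    """
    match = lookup(src)
    if match is None:
        return False
    return allow_default or match[0].prefixlen > 0


def filter_packets(packets, allow_default=False):
    """Apply strict uRPF to (src, ingress_iface) tuples.

    Returns pass/drop counts plus the dropped (src, iface) pairs so they can
    be logged or alerted on.
    """
    counts = Counter()
    dropped = []
    for src, iface in packets:
        if urpf_strict(src, iface, allow_default):
            counts["forwarded"] += 1
        else:
            counts["dropped"] += 1
            dropped.append((src, iface))
    return counts, dropped


if __name__ == "__main__":
    # Constructed sample traffic: (source address, ingress interface).
    sample = [
        ("10.10.0.25", "Vlan2"),      # legitimate host on Vlan2
        ("10.10.1.7", "Vlan2"),       # Vlan3 address used from a Vlan2 port
        ("198.51.100.9", "Vlan2"),    # Internet address used from inside
        ("172.16.100.1", "Vlan100"),  # the ASA on the transit VLAN
    ]
    counts, dropped = filter_packets(sample)
    print(dict(counts))
    for src, iface in dropped:
        print(f"uRPF drop: src {src} on {iface}")
```

The model shows why strict mode is the right fit for access VLANs, where every host's return path is the same SVI it sits behind, and why loose mode is the safer choice on links with asymmetric routing.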

Similar Messages

  • Security Against ARP Spoofing

    Hi,
    I am planning to create two DHCP servers for DHCP load balancing. Since ARP spoofing is one of the major threats while configuring DHCP, I want to know what the ways to prevent ARP spoofing are.
    Regards,
    Prasad Bait

    The best is to go with DHCP snooping + Dynamic ARP inspection. This would help against ARP spoofing:
    http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/snoodhcp.html
    Regards,
    Deepak

  • Cisco ASA 5505/Cisco 3750

    I have a Cisco 5505 (base license) and a Cisco 3750 (48 port). I want to be able to connect to the 3750 on different VLANs (for a home lab), but I'm not able to ping the "outside" IP of the ASA. I can ping the different VLANs from the ASA once I created the routes on the ASA.
    3750 config:
    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    hostname SwitchA
    no aaa new-model
    switch 1 provision ws-c3750-48p
    ip subnet-zero
    ip routing
    no file verify auto
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    interface FastEthernet1/0/1
    description Uplink to Cisco ASA 5505
    switchport access vlan 100
    switchport mode access
    spanning-tree portfast
    interface FastEthernet1/0/2
    no switchport
    no ip address
    interface FastEthernet1/0/3
    interface FastEthernet1/0/4
    interface FastEthernet1/0/5
    switchport access vlan 10
    interface FastEthernet1/0/6
    interface Vlan1
    no ip address
    interface Vlan2
    ip address 10.10.0.1 255.255.255.0
    interface Vlan3
    ip address 10.10.1.254 255.255.255.0
    interface Vlan10
    no ip address
    interface Vlan100
    description SW-to-ASA
    ip address 172.16.100.2 255.255.255.0
    interface Vlan172
    no ip address
    interface Vlan182
    no ip address
    interface Vlan192
    no ip address
    ip classless
    ip route 0.0.0.0 0.0.0.0 172.16.100.1
    ip http server
    ip http secure-server
    ASA Config:
    interface Vlan1
    shutdown
    no nameif
    no security-level
    no ip address
    interface Vlan10
    nameif users
    security-level 100
    ip address 172.16.10.254 255.255.255.0
    interface Vlan172
    no nameif
    security-level 100
    ip address 172.16.100.1 255.255.255.0
    interface Vlan192
    nameif OUTSIDE
    security-level 0
    ip address 192.168.1.1 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 192
    interface Ethernet0/1
    description Trunk to Switch
    switchport access vlan 172
    Is this even doable?

  • Unable to ping device behind Cisco 3750 on the same inside VLAN via Cisco ASA 5505 Anyconnect VPN

    Hi Guys,
    I've been stuck with this for the last 2 days, and I thought I'd try Cisco's forum. I set up my home DC and started having problems once I moved a Cisco 5505 behind a Cisco 1841 router (I wanted to eventually test DMVPN live on the internet). I was no longer able to ping some devices; then, as soon as I introduced a collapsed core/distribution switch, I was also no longer able to ping the devices behind the Cisco 3750. I've attached a network diagram and the ASA running-config.
    Everything seems fine internally, with the exception of intermittent network connectivity with a Citrix NetScaler VPX running on VMware ESXi.
    For some odd reason, I am able to ping the following, with no issues.
    Cisco 3750 SVI (192.168.1.3)
    CentOS web server (connected directly to the Cisco ASA 5505)
    I have checked and enabled the following:
    Nat Exemption
    Sysopt connection permit-vpn
    ACL's
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    Added ICMP in the inspection policy
    Packet-capture - Only getting echo requests.
    Thanks in advance!

    Hi,
    I believe you have the problem with your no-nat configuration. You need to exempt NAT for the traffic from 172.16.10.0 (AnyConnect VPN pool) to 192.168.1.0/24 (inside LAN) to make this work:
    object network acvpnpool
    subnet <anyconnect VPN Subnet>
    object network insidelan
    subnet <inside lan subnet>
    nat (inside,outside) source static acvpnpool acvpnpool destination static insidelan insidelan
    Make sure that you are able to reach the GW/inside IP address of the firewall from a LAN machine, with all routing in place properly. Thanks!!!
    Regards
    Karthik

  • Each time I start Firefox it says: "URGENT! Your version of Firefox is no longer protected against online attacks. Get the upgrade - it's fast and free!" I am using ver. 3.6.13 and upgrading "successfully" only stays on 3.6.13 with same URGENT message.

    Each time I start Firefox it says:
    "URGENT! Your version of Firefox is no longer protected against online attacks. Get the upgrade - it’s fast and free!"
    I am using ver. 3.6.13 and upgrading "successfully" only stays on 3.6.13 with same URGENT message.

    Your UserAgent string in Firefox is messed up and needs to be reset.
    http://en.wikipedia.org/wiki/User_Agent
    Type about:config in the URL bar and hit Enter.
    If you see the warning, you can confirm that you want to access that page.
    Filter = general.useragent.
    Right-click the preferences that are bold, one line at a time, and select Reset.
    Then restart Firefox.

  • Itunes error. the data execution prevention pops up and says "to protect your computer, windows has closed this program. Data execution prevention helps protect against damage from viruses and other threat.

    I have a Windows XP computer, and I needed to download the newest iTunes to support my iPod touch. But now my computer doesn't let me open iTunes. Data Execution Prevention pops up and says "to protect your computer, windows has closed this program. Data execution prevention (DEP) helps protect against damage from viruses and other threat." I tried excluding iTunes from DEP in the settings but it still doesn't work. I don't know what to do. Please help me!!!
    Thanks

    Try turning the computer's CD/DVD autorun off.
    I had the same problem; then the Kaspersky software found a conflict and suggested this solution.
    iTunes now works, even if it always asks to turn CD/DVD autorun on when launched.

  • SCC4 - Protection against SAP upgrade

    Hello guys,
    I have a question regarding the "Protection against SAP upgrade" flag in SCC4 for the client settings.
    I know that this flag will make a client unusable in case of an upgrade (for example from ERP2004 to ERP2005), but what about applying support packages?
    Is this flag also valid for support packages?
    The documentation about this parameter does not make a statement on this point:
    > If this flag is set, the client is no longer supplied with data during SAP upgrades. After an SAP upgrade, it is not possible to work actively in the client. The flag can only be set for a test client or an SAP reference client (Early Watch).
    Does SAP understand "applying support packages" as an upgrade?
    Answers will be rewarded.
    Regards
    Stefan

    No.
    Applying SP is not SAP upgrade.
    -Pinkle

  • What are the most common/important DB firewall intrusion methods Security Admins need to protect against?

    Hi everyone,
    I was curious about the top methods attackers are using to breach Oracle DB firewalls.  We are running Oracle 11.2.0.4 DB running on RedHat Linux 5.3 and using the standard IP tables/firewall for Linux turned on.  We have all the ports closed that were recommended by our security auditing company.  However, we just wanted to know if there were specific attack methods that are commonly being used which we should additionally protect against.
    Thanks in advance for any info.

    Anybody? Bueller?  Bueller?

  • Etherchannel two cisco 3750 stacks for iscsi?

    I have two sites connected by 96 strands of fibre. At each site I have an IBM V7000 replicating to the other one. For iSCSI traffic I have two Cisco 3750 switches, each in a 2-switch stack.
    SAN A                              Fibre Link                              SAN B
      |                                                                          |
    Cisco Stack A ============================================================ Cisco Stack B
      |                                                                          |
      |                                                                          |
    iSCSI Clients                                                           iSCSI Clients
    My question: Is it OK to connect the two stacks with EtherChannel using the fibre links? Will it provide the necessary redundancy if one of the interfaces goes down?

    What model numbers of 3750 are you using?
    What is the distance between the stacks as this will dictate your fiber run modules.

  • ISCSI traffic running across Cisco 3750 Switches

    My customer has a small shop with 2 servers running iSCSI to a SAN device. They are looking for a switch recommendation and I would like to use a pair of Cisco 3750s, to take advantage of the VSS technology for redundancy, L3 and some other core requirements, but I am concerned about performance.
    I thought my other option is to use 3750E's but concerned about the added costs.

    The fabric and pps ratings for the 3750Gs don't support wire-rate for more than 16 gig ports. (Max performance for 3750G models is 38.7 Mpps and 32 Gbps fabric; for 3750-E it's 101.2 Mpps and 128 Gbps fabric [NB: pps is enough, slightly insufficient fabric bandwidth for 48 port models - the similar 4948 offers 102 Mpps, 136 Gbps].)
    Another performance limitation of the 3750s (and to a lesser extent the 3750-Es) is stack ring bandwidth. As best I can tell, the 32 Gbps is really dual 8 Gbps duplex (dual 16 Gbps duplex for -Es). An important distinction between the original StackWise technology and the later StackWise+: the former puts a copy of all traffic on the stack, the latter suppresses unnecessary unicast. The former also requires the sender to remove the traffic from the stack ring; with the latter the destination removes the traffic. (I.e. the "+" technology really is a plus.)
    For really, really demanding performance, a stack ring isn't the same as a chassis fabric (e.g. 4500s), and within a single switch the lower-end models can't always provide wire-rate for all their ports. However, the real question is whether you need this performance in a small shop even though iSCSI is being used.
    In other words, it's rare to see all ports demanding full bandwidth, so a stack of 48 port 3750Gs might work just fine for your customer if the actual need doesn't require more than the device can supply.
    In similar situations, I present the customer with such facts. Based on what the expected load is, device "A" might work fine, but it can't guarantee performance beyond a certain level. If the customer wants the capability for more performance, for growth or "just to be safe", that can be done too; here are your options (and extra cost) for that.
    BTW, if SAN devices can support 10gig, then you'll need something better than the 3750G since the model with a single 10gig port has been discontinued.

  • CS3/CS4 protecting against SQL Injection

    Hi:
    I was wondering if the newer versions of Dreamweaver like CS3/CS4 do a good enough job to protect against SQL Injection when using the built in Insert/Update/Delete behaviors or should I use Commands with Stored Procedures (MS SQL)?
    Thanks!
    Mitch

    David , Günter - many thanks for your help !
    In my ignorance I appear to have been misled by my website host who, in response to a related problem, informed me as follows:
    "your website's scripting does appear to be highly vulnerable to SQL injection attack, this can be easily seen via the following example:
    /s-sub_detail.php?cat_id=TEST
    As you can see, arbitrary data entered as the cat_id variable of the shopping cart script is being passed unchecked to the SQL server, which is then returning a notice relevant to the data passed (in the above example case this is an "unknown column" error) - This effectively demonstrates that your shopping cart script performs no validation on variables used within the script and passes them directly to the SQL server, which means arbitrary commands can potentially be added as variable data for the SQL server to execute.
    In order to correct this all variables and any other posted data used by the shopping cart script must be fully validated by the script itself before being passed to the SQL server so that SQL commands cannot be executed by simply manually entering these as a script variable".
    Thanks to David I understand the issue with the need for data validation but the response above appears to indicate that they believe there is more to it.
    David and Günter - I would welcome your response to the above and perhaps recommendations for SQL injection vulnerability testing.
    Kind regards
    J

  • "FRM-40200: Field is protected against update"

    "FRM-40200: Field is protected against update" ...
    hi guru,
    when I'm about to check the checkbox in Transaction Statuses in Receiving -> Transaction Status Summary, to resolve the pending receiving transaction in PO, this error occurs: "FRM-40200: Field is protected against update" ...
    Thanks

    Hi,
    In this form you may delete the record but won't be able to update it.
    Thanks,
    PS.

  • Lightswitch Security, Protection against SQL Injection attacks etc.

    Hi all,
    I have been hunting around for some kind of documentation that explains how Lightswitch handles typical web application vulnerabilities such as SQL injection attacks.
    In the case of injection attacks it is my understanding that the generated code will submit data to the database via named parameters to protect against such things, but it would be good to have some official account of how Lightswitch handles relevant OWASP issues, to help provide assurance to businesses that relying on a framework such as Lightswitch does not introduce security risks.
    Is anyone aware of such documentation? I found this but it barely scratches the surface:
    http://msdn.microsoft.com/en-us/library/gg481776.aspx?cs-save-lang=1&cs-lang=vb#code-snippet-1
    There is this, which describes best practices, but nothing to say that these practices are adopted within Lightswitch:
    http://msdn.microsoft.com/en-us/library/gg481776.aspx?cs-save-lang=1&cs-lang=vb#code-snippet-1
    Thanks for any help, I am amazed that it is so difficult to find?

    LS is a tool built on top of other technologies including Entity Framework.
    Here is a security doc about EF.
    http://msdn.microsoft.com/en-us/library/vstudio/cc716760(v=vs.100).aspx
    LS uses Linq to Entities and therefore is not susceptible to SQL injection.
    HTH,
    Josh
    PS... the only vulnerability that I'm aware of is when a desktop app is deployed as 2-tier instead of 3-tier. In that case, the web.config which contains connection strings is on the client machine, which is a risk. Here is a discussion related to db security & 2 vs 3-tier.
    https://social.msdn.microsoft.com/Forums/vstudio/en-US/93e035e0-0d2e-4405-a717-5b3207b3ccac/can-sql-server-application-roles-be-used-in-conjunction-with-lightswitch?forum=lightswitch

  • CFInsert/Update: protection against SQL injection?

    Hello,
    I'm trying to find out if the use of CFInsert or CFUpdate offers any protection against a SQL Injection attack. We are on a project that uses many CFInserts and Updates, and lack the time to rewrite new queries using CFQueryParam. Will a CFInsert or Update handle the situation?

    Validate every field before you get to the cfinsert/cfupdate tag, something you should have been doing anyway.
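The three SQL injection threads above (Dreamweaver CS3/CS4, Lightswitch and CFInsert/CFUpdate) all come down to the same point: validate input, and bind it as a parameter rather than pasting it into SQL text. The following Python/sqlite3 example is added here to show exactly what the hosting company's cat_id=TEST probe reveals and what the fix looks like; it is not Dreamweaver, Lightswitch or ColdFusion code, and the table, rows and function names (make_db, lookup_unsafe, lookup_safe, unsafe_error, safe_rejects) are constructed for the demo. sqlite reports "no such column" where MySQL would say "Unknown column", but the mechanism is the same.

```python
"""SQL injection versus validation + parameter binding, shown with sqlite3.

Added example; not Dreamweaver, Lightswitch or ColdFusion code. It models the
shop script the host described: the cat_id request value is pasted straight
into SQL, so a bare word produces a database error and a crafted value changes
the query. The hardened lookup validates the type and binds the value.
"""
import sqlite3


def make_db():
    """Constructed in-memory catalogue with one visible and one hidden category."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE categories (cat_id INTEGER PRIMARY KEY, name TEXT, hidden INTEGER);
        INSERT INTO categories VALUES (1, 'Books', 0);
        INSERT INTO categories VALUES (2, 'Staff only', 1);
    """)
    return conn


def lookup_unsafe(conn, cat_id):
    """Vulnerable: the raw request value becomes part of the SQL text."""
    sql = "SELECT name FROM categories WHERE cat_id = " + cat_id + " AND hidden = 0"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, cat_id):
    """Hardened: validate the type first, then bind the value as a parameter."""
    if not cat_id.isdigit():
        raise ValueError("cat_id must be a positive integer")
    sql = "SELECT name FROM categories WHERE cat_id = ? AND hidden = 0"
    return [row[0] for row in conn.execute(sql, (int(cat_id),))]


def unsafe_error(conn, cat_id):
    """Return the database error text the unsafe lookup leaks, or None."""
    try:
        lookup_unsafe(conn, cat_id)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


def safe_rejects(conn, cat_id):
    """True when the hardened lookup refuses the value before any SQL runs."""
    try:
        lookup_safe(conn, cat_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    # The host's probe: a bare word where a number is expected.
    print("unsafe, cat_id=TEST ->", unsafe_error(conn, "TEST"))
    # A tautology in the same place disables the 'hidden = 0' filter.
    print("unsafe, tautology   ->", lookup_unsafe(conn, "1 OR 1=1 --"))
    # The hardened version returns only what was asked for and rejects the rest.
    print("safe, cat_id=1      ->", lookup_safe(conn, "1"))
    for bad in ("TEST", "1 OR 1=1 --"):
        print(f"safe, {bad!r} rejected:", safe_rejects(conn, bad))
```

The error text the unsafe version surfaces is the "notice relevant to the data passed" the host saw; the hardened version never lets the database parse user input as SQL, and the type check in front of it means the request fails loudly in the application rather than silently in the database.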

  • How can I mirror all ports on CISCO 3750 switches to one Gigabit port?

    Hi,
    I have a requirement to mirror all the ports on my 7 CISCO 3750 switches, which are in 3 separate stacks, to one single Gigabit Ethernet port.
    Does anyone know how I can do that?
    Thanks in advance.

    Vlad, thanks a heap for your response.
    I want to apply this to my situation. Please let me know if I have them right in the following:
    Catalyst A
    vlan 901
    remote-span
    monitor session 1 source interface fastethernet 1-48 (I want to monitor all ports on the CISCO 3725)
    monitor session 1 destination remote vlan 901
    Catalyst B
    vlan 901
    remote-span (If I don't need to monitor this switch, do I still need to put anything into this switch at all?)
    Catalyst C
    vlan 901
    remote-span
    monitor session 1 source interface fastethernet 1-48 (I want to monitor all ports on this switch as well)
    monitor session 1 source remote vlan 901
    monitor session 1 destination interface gigabitethernet 3 (There are 4 Gigabit Ethernet uplinks on the CISCO 3750; I want all the traffic to go to port 3. Is this the right way to do it?)
    Thanks in advance.
