CCNA Security - Chapter 6
- 1. CCNA Security
Chapter Six
Securing the Local Area Network
© 2009 Cisco Learning Institute. 1
- 2. Lesson Planning
• This lesson should take 3-4 hours to present
• The lesson should include lecture,
demonstrations, discussions and assessments
• The lesson can be taught in person or using
remote instruction
- 3. Major Concepts
• Describe endpoint vulnerabilities and protection
methods
• Describe basic Catalyst switch vulnerabilities
• Configure and verify switch security features,
including port security and storm control
• Describe the fundamental security
considerations of Wireless, VoIP, and SANs
- 4. Lesson Objectives
Upon completion of this lesson, the successful participant
will be able to:
1. Describe endpoint security and the enabling technologies
2. Describe how Cisco IronPort is used to ensure endpoint security
3. Describe how Cisco NAC products are used to ensure endpoint
security
4. Describe how the Cisco Security Agent is used to ensure
endpoint security
5. Describe the primary considerations for securing the Layer 2
infrastructure
6. Describe MAC address spoofing attacks and MAC address
spoofing attack mitigation
- 5. Lesson Objectives
7. Describe MAC Address table overflow attacks and MAC Address
table overflow attack mitigation
8. Describe STP manipulation attacks and STP manipulation attack
mitigation
9. Describe LAN Storm attacks and LAN Storm attack mitigation
10. Describe VLAN attacks and VLAN attack mitigation
11. Describe how to configure port security
12. Describe how to verify port security
13. Describe how to configure and verify BPDU Guard and Root Guard
14. Describe how to configure and verify storm control
15. Describe and configure Cisco SPAN
16. Describe and configure Cisco RSPAN
- 6. Lesson Objectives
17. Describe the best practices for Layer 2 security
18. Describe the fundamental aspects of enterprise security for
advanced technologies
19. Describe the fundamental aspects of wireless security and the
enabling technologies
20. Describe wireless security solutions
21. Describe the fundamental aspects of VoIP security and the
enabling technologies
Reference: CIAG course on VoIP security.
22. Describe VoIP security solutions
23. Describe the fundamental aspects of SAN security and the
enabling technologies
24. Describe SAN security solutions
- 7. Securing the LAN
Areas of concentration:
•Securing endpoints
•Securing network infrastructure
[Diagram: Internet, Firewall, VPN, IPS and IronPort at the perimeter, with MARS and ACS; Hosts, Web Server, Email Server and DNS on the LAN]
- 8. Addressing Endpoint Security
Based on three elements:
•Cisco Network Admission Control (NAC)
•Endpoint protection
•Network infection containment
[Diagram: a Secure Host at the centre of Policy Compliance, Infection Containment and Threat Protection]
- 9. Operating Systems
Basic Security Services
• Trusted code and trusted path – ensures that the integrity
of the operating system is not violated
• Privileged context of execution – provides identity
authentication and certain privileges based on the identity
• Process memory protection and isolation – provides
separation from other users and their data
• Access control to resources – ensures confidentiality and
integrity of data
- 10. Types of Application Attacks
Direct: “I have gained direct access to this application’s privileges.”
Indirect: “I have gained access to this system which is trusted by the other system, allowing me to access it.”
- 12. Cisco IronPort Products
IronPort products include:
•E-mail security appliances for virus
and spam control
•Web security appliance for spyware
filtering, URL filtering, and anti-malware
•Security management appliance
- 13. IronPort C-Series
[Diagram: Before IronPort, mail from the Internet passes the Firewall and then a chain of separate boxes (Encryption Platform, DLP Scanner, MTA, Antispam, Antivirus, DLP Policy Manager, Policy Enforcement, Mail Routing) before reaching Groupware and Users. After IronPort, the Firewall is followed by a single IronPort E-mail Security Appliance, then Groupware and Users.]
- 14. IronPort S-Series
[Diagram: Before IronPort, web traffic from the Internet passes the Firewall and then separate Web Proxy, Antispyware, Antivirus, Antiphishing, URL Filtering and Policy Management boxes before reaching Users. After IronPort, the Firewall is followed by a single IronPort S-Series appliance, then Users.]
- 15. Cisco NAC
The purpose of NAC:
Allow only authorized and compliant systems to access the network
To enforce network security policy
NAC Framework
• Software module embedded within NAC-enabled products
• Integrated framework leveraging multiple Cisco and NAC-aware vendor products
Cisco NAC Appliance
• In-band Cisco NAC Appliance solution can be used on any switch or router platform
• Self-contained, turnkey solution
- 16. The NAC Framework
[Diagram: Hosts Attempting Network Access (running the Cisco Trust Agent) present Credentials over EAP/UDP or EAP/802.1x to the Network Access Devices (Enforcement). The access device relays the Credentials over RADIUS to the AAA Server (Policy Server Decision Points), which consults Vendor Servers over HTTPS. The decision “Comply?” results in Access Rights, Notification and Remediation.]
- 17. NAC Components
• Cisco NAS: Serves as an in-band or out-of-band device for network access control
• Cisco NAM: Centralizes management for administrators, support personnel, and operators
• Cisco NAA: Optional lightweight client for device-based registry scans in unmanaged environments
• Rule-set updates: Scheduled automatic updates for antivirus, critical hotfixes, and other applications
[Diagram: Cisco NAM manager (MGR) alongside the components]
- 18. Cisco NAC Appliance Process
1. Host attempts to access a web page or uses an optional client. Network access is blocked until wired or wireless host provides login information.
2. Host is redirected to a login page. Cisco NAC Appliance validates username and password, also performs device and network scans to assess vulnerabilities on device.
3. The host is authenticated and optionally scanned for posture compliance.
3a. Device is noncompliant or login is incorrect. Host is denied access and assigned to a quarantine role with access to online remediation resources.
3b. Device is “clean”. Machine gets on “certified devices list” and is granted access to network.
[Diagram: the host reaches the Intranet/Network (THE GOAL) through the Cisco NAS; the Cisco NAM (MGR) and the Authentication Server sit behind it, and noncompliant hosts are placed in the Quarantine Role]
- 19. Access Windows
[Screens: Login Screen; Scan is performed (types of checks depend on user role); Scan fails; 4. Remediate]
- 20. CSA Architecture
[Diagram: the Administration Workstation connects over SSL to the Management Center for Cisco Security Agent (with Internal or External Database). The Management Center sends Security Policy to, and receives Alerts and Events from, a Server Protected by Cisco Security Agent.]
- 21. CSA Overview
[Diagram: an Application request passes through the File System, Network, Configuration and Execution Space Interceptors into the Rules Engine (State, Rules and Policies) and the Correlation Engine, which returns an Allowed Request or a Blocked Request.]
- 22. CSA Functionality
Security Application       Network      File System  Configuration  Execution Space
                           Interceptor  Interceptor  Interceptor    Interceptor
Distributed Firewall       X            ―            ―              ―
Host Intrusion Prevention  X            ―            ―              X
Application Sandbox        ―            X            X              X
Network Worm Prevention    X            ―            ―              X
File Integrity Monitor     ―            X            X              ―
- 23. Attack Phases
– Probe phase
• Ping scans
• Port scans
– Penetrate phase
• Transfer exploit code to target
– Persist phase
• Install new code
• Modify configuration
– Propagate phase
• Attack other targets
– Paralyze phase
• Erase files
• Crash system
• Steal data
[Diagram: Server Protected by Cisco Security Agent, whose File system interceptor, Network interceptor, Configuration interceptor and Execution space interceptor sit between the phases and the host]
- 25. Layer 2 Security
[Diagram: the same network as slide 7 (Internet, Firewall, VPN, IPS, IronPort, MARS, ACS at the perimeter; Hosts, Web Server, Email Server, DNS on the LAN), now with the focus on the Layer 2 infrastructure]
- 26. OSI Model
When it comes to networking, Layer 2 is often a very weak link.
[Diagram: two OSI stacks (Application, Presentation, Session, Transport, Network, Data Link, Physical) joined by the Application Stream, Protocols and Ports, IP Addresses, MAC Addresses and Physical Links. An Initial Compromise at the Data Link layer leaves every layer above it Compromised.]
- 27. MAC Address Spoofing Attack
The switch keeps track of the endpoints by maintaining a MAC address table. In MAC spoofing, the attacker poses as another host—in this case, AABBcc.
[Diagram: switch port table, Port 1 = AABBcc (the host), Port 2 = 12AbDd (the Attacker)]
Switch: “I have associated Ports 1 and 2 with the MAC addresses of the devices attached. Traffic destined for each device will be forwarded directly.”
- 28. MAC Address Spoofing Attack
Attacker: “I have changed the MAC address on my computer to match the server.”
[Diagram: the switch port table now shows AABBcc on Port 1 and on Port 2]
Switch: “The device with MAC address AABBcc has changed locations to Port 2. I must adjust my MAC address table accordingly.”
- 29. MAC Address Table Overflow Attack
The switch can forward frames between PC1 and PC2 without
flooding because the MAC address table contains port-to-MAC-
address mappings in the MAC address table for these PCs.
- 30. MAC Address Table Overflow Attack
1. Intruder runs macof to begin sending unknown bogus MAC addresses.
2. Bogus addresses are added to the CAM table. CAM table is full.
3. The switch floods the frames.
4. Attacker sees traffic to servers B and D.
[Diagram: the CAM table (MAC / Port) fills with bogus entries X, Y, Z ... all on port 3/25, alongside Host C; hosts A, B, C and D are in VLAN 10 and the switch floods their traffic]
- 31. STP Manipulation Attack
• Spanning tree protocol operates by electing a root bridge
• STP builds a tree topology
• STP manipulation changes the topology of a network—the attacking host appears to be the root bridge
[Diagram: Root Bridge, Priority = 8192, MAC Address = 0000.00C0.1234, with ports marked F (forwarding) and B (blocking) on the tree below it]
- 32. STP Manipulation Attack
The attacking host broadcasts out STP configuration and topology change BPDUs. This is an attempt to force spanning tree recalculations.
[Diagram: the existing Root Bridge has Priority = 8192; the Attacker sends STP BPDUs with Priority = 0 to two switches, claiming to be the Root Bridge, and the forwarding (F) and blocking (B) ports change]
- 33. LAN Storm Attack
[Diagram: Broadcast frames flooding out of every port of the switch]
• Broadcast, multicast, or unicast packets are flooded on all ports in the
same VLAN.
• These storms can increase the CPU utilization on a switch to 100%,
reducing the performance of the network.
- 35. VLAN Attacks
Segmentation, Flexibility, Security
VLAN = Broadcast Domain = Logical Network (Subnet)
- 36. VLAN Attacks
Attacker sees traffic destined for servers
A VLAN hopping attack can be launched in two ways:
• Spoofing DTP Messages from the attacking host to
cause the switch to enter trunking mode
• Introducing a rogue switch and turning trunking on
[Diagram: the Attacker forms an 802.1Q Trunk to the switch and receives the traffic for the Server on VLAN 10 and the Server on VLAN 20]
- 37. Double-Tagging VLAN Attack
1. Attacker on VLAN 10, but puts a 20 tag in the packet.
2. The first switch strips off the first tag and does not retag it (native traffic is not retagged). It then forwards the packet to switch 2.
3. The second switch receives the packet, on the native VLAN.
4. The second switch examines the packet, sees the VLAN 20 tag and forwards it accordingly.
Note: This attack works only if the trunk has the same native VLAN as the attacker.
[Diagram: a Frame tagged 802.1Q,10 and 802.1Q,20 crosses the 802.1Q Trunk (Native VLAN = 10) between the two switches and reaches the Victim (VLAN 20)]
- 38. Port Security Overview
Allows an administrator to statically specify MAC Addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses
[Diagram: Port 0/1 allows MAC A, Port 0/2 allows MAC B, Port 0/3 allows MAC C; Attacker 1 presenting MAC A and Attacker 2 presenting MAC F on other ports are not allowed]
- 39. CLI Commands
Switch(config-if)#
switchport mode access
• Sets the interface mode as access
Switch(config-if)#
switchport port-security
• Enables port security on the interface
Switch(config-if)#
switchport port-security maximum value
• Sets the maximum number of secure MAC addresses for
the interface (optional)
- 40. Switchport Port-Security Parameters
Parameter / Description
mac-address mac-address
  (Optional) Specify a secure MAC address for the port by entering a 48-bit MAC address. You can add additional secure MAC addresses up to the maximum value configured.
vlan vlan-id
  (Optional) On a trunk port only, specify the VLAN ID and the MAC address. If no VLAN ID is specified, the native VLAN is used.
vlan access
  (Optional) On an access port only, specify the VLAN as an access VLAN.
vlan voice
  (Optional) On an access port only, specify the VLAN as a voice VLAN.
mac-address sticky [mac-address]
  (Optional) Enable the interface for sticky learning by entering only the mac-address sticky keywords. When sticky learning is enabled, the interface adds all secure MAC addresses that are dynamically learned to the running configuration and converts these addresses to sticky secure MAC addresses.
  Specify a sticky secure MAC address by entering the mac-address sticky mac-address keywords.
maximum value
  (Optional) Set the maximum number of secure MAC addresses for the interface. The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system. The active Switch Database Management (SDM) template determines this number. This number represents the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces.
  The default setting is 1.
vlan [vlan-list]
  (Optional) For trunk ports, you can set the maximum number of secure MAC addresses on a VLAN. If the vlan keyword is not entered, the default value is used.
  vlan: set a per-VLAN maximum value.
  vlan vlan-list: set a per-VLAN maximum value on a range of VLANs separated by a hyphen or a series of VLANs separated by commas. For nonspecified VLANs, the per-VLAN maximum value is used.
- 41. Port Security Violation Configuration
Switch(config-if)#
switchport port-security violation {protect |
restrict | shutdown}
• Sets the violation mode (optional)
Switch(config-if)#
switchport port-security mac-address mac-address
• Enters a static secure MAC address for the interface
(optional)
Switch(config-if)#
switchport port-security mac-address sticky
• Enables sticky learning on the interface (optional)
- 42. Switchport Port-Security Violation Parameters
Parameter / Description
protect
  (Optional) Set the security violation protect mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.
restrict
  (Optional) Set the security violation restrict mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred.
shutdown
  (Optional) Set the security violation shutdown mode. In this mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and increments the violation counter. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands.
shutdown vlan
  Set the security violation mode to per-VLAN shutdown. In this mode, only the VLAN on which the violation occurred is error-disabled.
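The following Python model is an added example and is not part of the Cisco course material. It simulates a switch with a bounded CAM table and the port-security behaviour described on slides 30 and 38 to 42, so that the overflow flood and the effect of the three violation modes can be compared on the same traffic. The port names, MAC addresses and the 8-entry CAM size are constructed for the demonstration, and the log strings are this model's own wording rather than IOS syslog text.

```python
from dataclasses import dataclass, field


@dataclass
class PortSecurity:
    """Per-port state for 'switchport port-security' (a model, not IOS internals)."""
    maximum: int = 1                 # switchport port-security maximum <value>
    violation: str = "shutdown"      # protect | restrict | shutdown
    secure_macs: set = field(default_factory=set)
    err_disabled: bool = False
    violation_count: int = 0


class Switch:
    """A switch with a bounded MAC address (CAM) table and optional port security."""

    def __init__(self, cam_capacity, ports):
        self.cam_capacity = cam_capacity        # how many MAC entries the CAM can hold
        self.cam = {}                           # mac -> port the MAC was learned on
        self.ports = {p: None for p in ports}   # port -> PortSecurity or None
        self.log = []                           # notifications (constructed wording)

    def enable_port_security(self, port, maximum=1, violation="shutdown"):
        self.ports[port] = PortSecurity(maximum=maximum, violation=violation)

    def _secure_check(self, port, ps, src):
        """Return True if the source MAC is allowed on this secure port."""
        if src in ps.secure_macs:
            return True
        if len(ps.secure_macs) < ps.maximum:
            ps.secure_macs.add(src)             # dynamic secure learning
            return True
        # Limit reached and the source is unknown: a port-security violation.
        if ps.violation == "protect":
            return False                        # dropped silently, no notification
        ps.violation_count += 1
        if ps.violation == "restrict":
            self.log.append(f"violation on {port} from {src} (restrict: dropped, counted)")
            return False
        ps.err_disabled = True                  # shutdown: interface goes err-disabled
        self.log.append(f"{port} err-disabled (psecure-violation) after frame from {src}")
        return False

    def receive(self, port, src, dst):
        """Process one frame and return the list of ports it is forwarded out of."""
        ps = self.ports[port]
        if ps is not None and (ps.err_disabled or not self._secure_check(port, ps, src)):
            return []
        # Source learning only succeeds while the CAM still has free entries.
        if src in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[src] = port
        out = self.cam.get(dst)
        if out is None or out == port:
            # Unknown destination: flood to every other port that is still up.
            return [p for p, s in self.ports.items()
                    if p != port and not (s is not None and s.err_disabled)]
        return [out]


def demo(violation_mode=None):
    """Attacker on Fa0/3 sends 20 frames with bogus source MACs (as macof would),
    then server A (Fa0/1) and server B (Fa0/2) exchange one frame each.
    All MAC addresses are constructed for the demo."""
    sw = Switch(cam_capacity=8, ports=["Fa0/1", "Fa0/2", "Fa0/3"])   # tiny CAM on purpose
    if violation_mode:
        sw.enable_port_security("Fa0/3", maximum=2, violation=violation_mode)
    for i in range(20):
        sw.receive("Fa0/3", src=f"00:de:ad:00:00:{i:02x}", dst="ff:ff:ff:ff:ff:ff")
    a_to_b = sw.receive("Fa0/1", src="00:aa:aa:aa:aa:aa", dst="00:bb:bb:bb:bb:bb")
    b_to_a = sw.receive("Fa0/2", src="00:bb:bb:bb:bb:bb", dst="00:aa:aa:aa:aa:aa")
    ps = sw.ports["Fa0/3"]
    return {
        "cam_entries": len(sw.cam),
        "a_to_b": a_to_b,                     # ports the A->B frame was sent out of
        "b_to_a": b_to_a,
        "attacker_err_disabled": bool(ps is not None and ps.err_disabled),
        "violations": ps.violation_count if ps is not None else 0,
        "log": sw.log,
    }


if __name__ == "__main__":
    for mode in (None, "protect", "restrict", "shutdown"):
        print(mode or "no port-security", demo(mode))
```

Without port security the bogus addresses occupy the whole CAM, the servers' addresses can no longer be learned, and both directions of their conversation are flooded out of the attacker's port. With `maximum 2`, only two bogus addresses are ever learned; `protect` drops the rest silently, `restrict` drops and counts them, and `shutdown` err-disables Fa0/3 after the first excess address, so the attacker's port no longer receives even the normal unknown-unicast flood.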
- 43. Port Security Aging Configuration
Switch(config-if)#
switchport port-security aging {static | time time |
type {absolute | inactivity}}
• Enables or disables static aging for the secure port or
sets the aging time or type
• The aging command allows MAC addresses on the
secure switchport to be deleted after the set aging time
• This helps to avoid a situation where obsolete MAC
addresses occupy and fill the table, causing a
violation when the maximum number is exceeded
- 44. Switchport Port-Security Aging Parameters
Parameter / Description
static
  Enable aging for statically configured secure addresses on this port.
time time
  Specify the aging time for this port. The range is 0 to 1440 minutes. If the time is 0, aging is disabled for this port.
type absolute
  Set absolute aging type. All the secure addresses on this port age out exactly after the time (minutes) specified and are removed from the secure address list.
type inactivity
  Set the inactivity aging type. The secure addresses on this port age out only if there is no data traffic from the secure source address for the specified time period.
- 45. Typical Configuration
[Diagram: PC B attached to switch S2]
Switch(config-if)#
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security violation shutdown
switchport port-security mac-address sticky
switchport port-security aging time 120
- 46. CLI Commands
sw-class# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
               (Count)        (Count)         (Count)
---------------------------------------------------------------------------
     Fa0/12              2            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024

sw-class# show port-security interface f0/12
Port Security              : Enabled
Port status                : Secure-down
Violation mode             : Shutdown
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Aging time                 : 120 mins
Aging type                 : Absolute
SecureStatic address aging : Disabled
Security Violation Count   : 0
- 47. View Secure MAC Addresses
sw-class# show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   1    0000.ffff.aaaa    SecureConfigured    Fa0/12        -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024
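Added example, not from the course: a small Python parser and audit for the `show port-security` and `show port-security interface` output shown on slides 46 and 47, the kind of check an operator runs over collected switch output. The sample output is constructed in the same layout as the slides, with extra rows so the audit has something to report; the `Secure-shutdown` status value used for an err-disabled port is an assumption about IOS output that the slides themselves do not show.

```python
import re

# Sample output constructed in the layout of the slides (not captured from a switch);
# Fa0/13 and Fa0/14 are added so the audit has findings to report.
SHOW_PORT_SECURITY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
               (Count)        (Count)         (Count)
---------------------------------------------------------------------------
     Fa0/12              2            0                  0         Shutdown
     Fa0/13              1            1                  3         Restrict
     Fa0/14             50            7                  0          Protect
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 8
Max Addresses limit in System (excluding one mac per port) : 1024
"""

# Constructed 'show port-security interface' output for a port that has tripped.
SHOW_PS_INTERFACE = """\
Port Security              : Enabled
Port status                : Secure-shutdown
Violation mode             : Shutdown
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 0
Aging time                 : 120 mins
Aging type                 : Absolute
SecureStatic address aging : Disabled
Security Violation Count   : 1
"""

ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(Shutdown|Restrict|Protect)\s*$")
TOTAL = re.compile(r"^(Total Addresses|Max Addresses limit) in System.*:\s*(\d+)\s*$")


def parse_port_security(text):
    """One dict per secure-port row of 'show port-security'."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"port": m.group(1), "max": int(m.group(2)),
                         "current": int(m.group(3)), "violations": int(m.group(4)),
                         "action": m.group(5)})
    return rows


def parse_totals(text):
    """System-wide secure address usage from the trailer lines."""
    totals = {}
    for line in text.splitlines():
        m = TOTAL.match(line)
        if m:
            totals["total" if m.group(1).startswith("Total") else "max"] = int(m.group(2))
    return totals


def audit(rows, max_allowed=2):
    """Findings a reviewer would want from the summary table."""
    findings = []
    for r in rows:
        if r["violations"] > 0:
            findings.append((r["port"], f"{r['violations']} violation(s) recorded"))
        if r["action"] == "Protect":
            findings.append((r["port"], "protect mode gives no notification of violations"))
        if r["max"] > max_allowed:
            findings.append((r["port"], f"maximum {r['max']} exceeds policy limit {max_allowed}"))
    return findings


def parse_interface(text):
    """'Key : value' lines of 'show port-security interface' as a dict."""
    kv = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            kv[key.strip()] = value.strip()
    return kv


def interface_findings(kv):
    findings = []
    # Assumption: IOS reports an err-disabled secure port as 'Secure-shutdown'.
    if kv.get("Port status") == "Secure-shutdown":
        findings.append("port is err-disabled by a port-security violation")
    if int(kv.get("Security Violation Count", "0")) > 0:
        findings.append(f"{kv['Security Violation Count']} violation(s) on this interface")
    if kv.get("Aging type") == "Absolute" and kv.get("Aging time", "0 mins") != "0 mins":
        findings.append("absolute aging: secure addresses expire even while the host is active")
    return findings


if __name__ == "__main__":
    rows = parse_port_security(SHOW_PORT_SECURITY)
    for port, finding in audit(rows):
        print(f"{port}: {finding}")
    t = parse_totals(SHOW_PORT_SECURITY)
    print(f"{t['max'] - t['total']} secure addresses still available system-wide")
    for finding in interface_findings(parse_interface(SHOW_PS_INTERFACE)):
        print("f0/12:", finding)
```

The row regex keys on the trailing action keyword, so the column headers and the dashed separators are skipped without special cases; the policy limit passed to `audit` is the place to encode the organisation's own rule for how many addresses a user port may learn.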
- 48. MAC Address Notification
MAC address notification allows monitoring of the MAC addresses, at the module and port level, added by the switch or removed from the CAM table for secure ports.
[Diagram: Switch CAM Table with F1/1 = MAC A, F1/2 = MAC B and F2/1 = MAC D; MAC D is away from the network, so its address ages out. SNMP traps are sent to the NMS when new MAC addresses appear or when old ones time out.]
- 49. Configure Portfast
[Diagram: a Server and a Workstation attached to access ports]
Command / Description
Switch(config-if)# spanning-tree portfast
  Enables PortFast on a Layer 2 access port and forces it to enter the forwarding state immediately.
Switch(config-if)# no spanning-tree portfast
  Disables PortFast on a Layer 2 access port. PortFast is disabled by default.
Switch(config)# spanning-tree portfast default
  Globally enables the PortFast feature on all nontrunking ports.
Switch# show running-config interface type slot/port
  Indicates whether PortFast has been configured on a port.
- 50. BPDU Guard
[Diagram: Root Bridge at the top of the tree with forwarding (F) and blocking (B) ports; an Attacker sends an STP BPDU into a port with BPDU Guard Enabled]
Switch(config)#
spanning-tree portfast bpduguard default
• Globally enables BPDU guard on all ports with PortFast
enabled
- 51. Display the State of Spanning Tree
Switch# show spanning-tree summary totals
Root bridge for: none.
PortFast BPDU Guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Spanning tree default pathcost method used is short
Name Blocking Listening Learning Forwarding STP Active
-------------------- -------- --------- -------- ---------- ----------
1 VLAN 0 0 0 1 1
<output omitted>
- 52. Root Guard
[Diagram: Root Bridge, Priority = 0, MAC Address = 0000.0c45.1a5d, with forwarding (F) and blocking (B) ports; an Attacker sends an STP BPDU with Priority = 0 and MAC Address = 0000.0c45.1234 into a port with Root Guard Enabled]
Switch(config-if)#
spanning-tree guard root
• Enables root guard on a per-interface basis
- 53. Verify Root Guard
Switch# show spanning-tree inconsistentports
Name Interface Inconsistency
-------------------- ---------------------- ------------------
VLAN0001 FastEthernet3/1 Port Type Inconsistent
VLAN0001 FastEthernet3/2 Port Type Inconsistent
VLAN1002 FastEthernet3/1 Port Type Inconsistent
VLAN1002 FastEthernet3/2 Port Type Inconsistent
VLAN1003 FastEthernet3/1 Port Type Inconsistent
VLAN1003 FastEthernet3/2 Port Type Inconsistent
VLAN1004 FastEthernet3/1 Port Type Inconsistent
VLAN1004 FastEthernet3/2 Port Type Inconsistent
VLAN1005 FastEthernet3/1 Port Type Inconsistent
VLAN1005 FastEthernet3/2 Port Type Inconsistent
Number of inconsistent ports (segments) in the system :10
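Added example, not from the course material: a Python model of how a switch treats an incoming BPDU on a plain port, on a PortFast port with BPDU guard, and on a port with root guard (slides 31, 32, 50, 52 and 53). The priority 0 BPDU and the 0000.0c45.1234 MAC come from slide 52; the non-root switch, its port names and the log lines (written in the style of IOS syslog, not copied from a device) are constructed, and root-guard recovery is simplified as noted in the code.

```python
from dataclasses import dataclass


def bridge_id(priority, mac):
    """STP compares bridge IDs as (priority, MAC); the lowest value wins the root election.
    MACs are given in Cisco dotted-hex form, e.g. 0000.0c45.1a5d."""
    return (priority, int(mac.replace(".", ""), 16))


@dataclass
class Port:
    name: str
    portfast: bool = False
    bpdu_guard: bool = False     # spanning-tree portfast bpduguard default
    root_guard: bool = False     # spanning-tree guard root
    state: str = "forwarding"    # forwarding | root-inconsistent | err-disabled


class Bridge:
    """One switch's view of STP: its own ID, the root it currently believes in, its ports."""

    def __init__(self, priority, mac, vlan=1):
        self.vlan = vlan
        self.my_id = bridge_id(priority, mac)
        self.root_id = self.my_id          # a bridge assumes it is root until told otherwise
        self.ports = {}
        self.log = []                      # constructed lines in the style of IOS syslog

    def add_port(self, name, **flags):
        self.ports[name] = Port(name, **flags)

    def receive_bpdu(self, port_name, root_priority, root_mac):
        """Handle a BPDU received on a port and return what the switch did with it."""
        p = self.ports[port_name]
        if p.state == "err-disabled":
            return "dropped"
        if p.portfast and p.bpdu_guard:
            # BPDU guard: any BPDU on a PortFast (host) port err-disables the port.
            p.state = "err-disabled"
            self.log.append(f"%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port {p.name} "
                            f"with BPDU Guard enabled. Disabling port.")
            return "err-disabled"
        advertised = bridge_id(root_priority, root_mac)
        if advertised < self.root_id:
            if p.root_guard:
                # Root guard: a superior BPDU must never arrive on this port, so the port
                # is blocked instead of the switch accepting a new root.
                p.state = "root-inconsistent"
                self.log.append(f"%SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port "
                                f"{p.name} on VLAN{self.vlan:04d}.")
                return "root-inconsistent"
            self.root_id = advertised          # unprotected port: the topology changes
            return "new-root"
        if p.root_guard and p.state == "root-inconsistent":
            # Simplification: IOS recovers the port once superior BPDUs stop for max-age;
            # here the next non-superior BPDU stands in for that timer.
            p.state = "forwarding"
            return "recovered"
        return "forwarding"

    def inconsistent_ports(self):
        """Rows in the spirit of 'show spanning-tree inconsistentports'."""
        return [(f"VLAN{self.vlan:04d}", p.name, "Root Inconsistent")
                for p in self.ports.values() if p.state == "root-inconsistent"]


def bpdu_outcome(priority, mac, **port_flags):
    """Fresh non-root switch whose known root is the slide's bridge (priority 8192,
    MAC 0000.00C0.1234); one BPDU arrives on Fa0/1 configured with port_flags.
    Returns (what happened, whether the real root survived, inconsistent ports)."""
    sw = Bridge(priority=32768, mac="0000.0c45.aaaa")      # constructed access switch
    real_root = bridge_id(8192, "0000.00C0.1234")
    sw.root_id = real_root
    sw.add_port("Fa0/1", **port_flags)
    outcome = sw.receive_bpdu("Fa0/1", priority, mac)
    return outcome, sw.root_id == real_root, sw.inconsistent_ports()


if __name__ == "__main__":
    attacker = (0, "0000.0c45.1234")        # priority 0 BPDU as on slide 52
    print("no guard      :", bpdu_outcome(*attacker))
    print("bpdu guard    :", bpdu_outcome(*attacker, portfast=True, bpdu_guard=True))
    print("root guard    :", bpdu_outcome(*attacker, root_guard=True))
    print("inferior BPDU :", bpdu_outcome(32768, "0000.0c45.bbbb", root_guard=True))
```

The two guards differ in what they tolerate: BPDU guard treats any BPDU on a host port as a fault, while root guard lets a downstream switch keep exchanging BPDUs and only blocks the port when the advertised root would beat the current one. That is why the guidelines on slide 67 put BPDU guard on non-trunking ports and root guard on the ports that face other switches.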
- 54. Storm Control Methods
• Bandwidth as a percentage of the total available
bandwidth of the port that can be used by the broadcast,
multicast, or unicast traffic
• Traffic rate in packets per second at which broadcast,
multicast, or unicast packets are received
• Traffic rate in bits per second at which broadcast,
multicast, or unicast packets are received
• Traffic rate in packets per second and for small frames.
This feature is enabled globally. The threshold for small
frames is configured for each interface.
- 55. Storm Control Configuration
Switch(config-if)# storm-control broadcast level 75.5
Switch(config-if)# storm-control multicast level pps 2k 1k
Switch(config-if)# storm-control action shutdown
• Enables storm control
• Specifies the level at which it is enabled
• Specifies the action that should take place when the
threshold (level) is reached, in addition to filtering traffic
- 56. Storm Control Parameters
Parameter / Description
broadcast
  This parameter enables broadcast storm control on the interface.
multicast
  This parameter enables multicast storm control on the interface.
unicast
  This parameter enables unicast storm control on the interface.
level level [level-low]
  Rising and falling suppression levels as a percentage of total bandwidth of the port.
  • level: Rising suppression level. The range is 0.00 to 100.00. Block the flooding of storm packets when the value specified for level is reached.
  • level-low: (Optional) Falling suppression level, up to two decimal places. This value must be less than or equal to the rising suppression value.
level bps bps [bps-low]
  Specify the rising and falling suppression levels as a rate in bits per second at which traffic is received on the port.
  • bps: Rising suppression level. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for bps is reached.
  • bps-low: (Optional) Falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value.
level pps pps [pps-low]
  Specify the rising and falling suppression levels as a rate in packets per second at which traffic is received on the port.
  • pps: Rising suppression level. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for pps is reached.
  • pps-low: (Optional) Falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value.
action {shutdown|trap}
  The action taken when a storm occurs on a port. The default action is to filter traffic and to not send an SNMP trap.
  The keywords have these meanings:
  • shutdown: Disables the port during a storm
  • trap: Sends an SNMP trap when a storm occurs
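Added example (not from the course): a Python replay of storm-control suppression levels as described on slides 54 to 56, showing why the optional falling level matters and what each `action` keyword does. The traffic samples are constructed; the state names Forwarding, Blocking and Link Down follow the Filter State column of `show storm-control` on slide 57, and the `2k 1k` packets-per-second case mirrors the multicast line of slide 55.

```python
def run_storm_control(samples, level, level_low=None, action=None):
    """Replay per-interval traffic measurements against 'storm-control ... level'.

    samples   : constructed measurements, one per monitoring interval, in the same
                unit as the levels (percent of bandwidth, bps or pps)
    level     : rising suppression level; the traffic class is blocked once reached
    level_low : falling suppression level, below which forwarding resumes (defaults
                to the rising level, as when level-low is omitted on the CLI)
    action    : None (filter only, the default), "trap" or "shutdown"
    Returns (filter state after each interval, list of (interval, event) pairs).
    """
    if level_low is None:
        level_low = level
    if level_low > level:
        raise ValueError("falling level must be less than or equal to the rising level")
    state, states, events = "Forwarding", [], []
    for t, value in enumerate(samples):
        if state == "Link Down":                 # err-disabled: nothing more happens
            states.append(state)
            continue
        if state == "Forwarding" and value >= level:
            if action == "shutdown":
                state = "Link Down"              # the port is err-disabled for the storm
                events.append((t, "err-disable"))
            else:
                state = "Blocking"               # storm traffic filtered, port stays up
                if action == "trap":
                    events.append((t, "snmp-trap"))
        elif state == "Blocking" and value < level_low:
            state = "Forwarding"
        states.append(state)
    return states, events


# One broadcast burst, measured every interval as a percentage of port bandwidth (constructed).
BURST = [10, 30, 80, 60, 45, 35, 10]


def compare_thresholds():
    """With 'level 75.5 40' the port stays in Blocking until traffic drops below 40%;
    with 'level 75.5' alone it flaps back to Forwarding as soon as the rate dips
    under the rising level, even though the burst is still running."""
    with_hysteresis, _ = run_storm_control(BURST, level=75.5, level_low=40)
    without, _ = run_storm_control(BURST, level=75.5)
    return with_hysteresis, without


def multicast_pps_demo():
    """'storm-control multicast level pps 2k 1k' against a constructed pps series."""
    states, _ = run_storm_control([500, 2500, 1500, 900], level=2000, level_low=1000)
    return states


if __name__ == "__main__":
    print("level 75.5 40 :", compare_thresholds()[0])
    print("level 75.5    :", compare_thresholds()[1])
    print("action trap   :", run_storm_control(BURST, 75.5, 40, "trap")[1])
    print("action shut   :", run_storm_control(BURST, 75.5, 40, "shutdown"))
    print("pps 2k 1k     :", multicast_pps_demo())
```

The falling level is the hysteresis that keeps a port from oscillating between Blocking and Forwarding on every interval of a sustained storm; `action shutdown` trades that recovery for an err-disabled port, which is why it is usually paired with errdisable recovery or an operator procedure.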
- 57. Verify Storm Control Settings
Switch# show storm-control
Interface  Filter State   Upper      Lower      Current
---------  -------------  ---------  ---------  ---------
Gi0/1      Forwarding     20 pps     10 pps     5 pps
Gi0/2      Forwarding     50.00%     40.00%     0.00%
<output omitted>
- 58. Mitigating VLAN Attacks
[Diagram: two switches joined by a Trunk (Native VLAN = 10)]
1. Disable trunking on all access ports.
2. Disable auto trunking and manually enable trunking.
3. Be sure that the native VLAN is used only for trunk lines and nowhere else.
- 59. Controlling Trunking
Switch(config-if)#
switchport mode trunk
• Specifies an interface as a trunk link
Switch(config-if)#
switchport nonegotiate
• Prevents the generation of DTP frames.
Switch(config-if)#
switchport trunk native vlan vlan_number
• Set the native VLAN on the trunk to an unused VLAN
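Added example serving both the double-tagging attack on slide 37 and the native-VLAN mitigation on slides 58 and 59 (not part of the course material): a Python 802.1Q tag parser plus a two-function model of trunk egress and ingress, used to show that the inner tag is only exposed when the trunk's native VLAN equals the attacker's VLAN. The frame bytes, MAC addresses and the unused native VLAN 999 are constructed; access-port ingress handling is deliberately left out of the model, which follows the slide's own description of the two switches.

```python
import struct

TPID_8021Q = 0x8100


def parse_tags(frame):
    """Walk the 802.1Q tag stack of an Ethernet frame.
    Returns (dst, src, [VLAN IDs, outermost first], ethertype, payload)."""
    dst, src, off, vlans = frame[:6], frame[6:12], 12, []
    while struct.unpack("!H", frame[off:off + 2])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        vlans.append(tci & 0x0FFF)          # low 12 bits of the TCI carry the VLAN ID
        off += 4
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    return dst, src, vlans, ethertype, frame[off + 2:]


def trunk_egress(vlans, native_vlan):
    """Switch 1 sends a frame out an 802.1Q trunk: frames belonging to the native
    VLAN go out untagged, so the outer tag is removed and nothing replaces it
    ("native traffic is not retagged"). Any other frame keeps its tags."""
    if vlans and vlans[0] == native_vlan:
        return vlans[1:]
    return vlans


def trunk_ingress(vlans, native_vlan):
    """Switch 2 receives on the trunk: a tagged frame belongs to its outer tag,
    an untagged frame to the native VLAN."""
    return vlans[0] if vlans else native_vlan


def delivered_vlan(frame, native_vlan):
    """VLAN on which switch 2 finally delivers a frame that entered switch 1's
    trunk carrying the tag stack found in `frame`."""
    _, _, vlans, _, _ = parse_tags(frame)
    return trunk_ingress(trunk_egress(vlans, native_vlan), native_vlan)


def tagged_on_host_port(frame):
    """Monitoring rule (this example's own, not an IOS feature): a frame captured on a
    host-facing access port should carry no 802.1Q tag at all; any tag is worth an alert."""
    return len(parse_tags(frame)[2]) > 0


# Constructed frame as drawn on slide 37: outer tag VLAN 10, inner tag VLAN 20,
# broadcast destination, made-up source MAC, IPv4 ethertype, dummy payload.
DOUBLE_TAGGED = (bytes.fromhex("ffffffffffff") + bytes.fromhex("00deadbeef01")
                 + struct.pack("!HH", TPID_8021Q, 10)
                 + struct.pack("!HH", TPID_8021Q, 20)
                 + struct.pack("!H", 0x0800) + b"payload")

# The same frame with no tag, as a normal host would send it.
UNTAGGED = (bytes.fromhex("ffffffffffff") + bytes.fromhex("00deadbeef01")
            + struct.pack("!H", 0x0800) + b"payload")


if __name__ == "__main__":
    print("tag stack            :", parse_tags(DOUBLE_TAGGED)[2])
    print("native VLAN 10       : delivered on VLAN", delivered_vlan(DOUBLE_TAGGED, 10))
    print("native VLAN 999      : delivered on VLAN", delivered_vlan(DOUBLE_TAGGED, 999))
    print("tagged on host port? :", tagged_on_host_port(DOUBLE_TAGGED), tagged_on_host_port(UNTAGGED))
```

With the trunk's native VLAN equal to the attacker's VLAN 10 the outer tag is stripped on egress and switch 2 forwards on the inner VLAN 20, exactly the sequence on slide 37; once the native VLAN is moved to an unused ID the outer tag stays on the frame, switch 2 reads VLAN 10, and the victim VLAN is never reached, which is what the third step on slide 58 and `switchport trunk native vlan` on slide 59 achieve.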
- 60. Traffic Analysis
A SPAN port mirrors traffic to another port where a monitoring device is connected.
Without this, it can be difficult to track hackers after they have entered the network.
[Diagram: the Attacker’s traffic is mirrored by the switch to an IDS, RMON Probe or Protocol Analyzer, which raises “Intruder Alert!”]
- 61. CLI Commands
Switch(config)#
monitor session session_number source {interface
interface-id [, | -] [both | rx | tx]} | {vlan vlan-
id [, | -] [both | rx | tx]}| {remote vlan vlan-id}
Switch(config)#
monitor session session_number destination
{interface interface-id [, | -] [encapsulation
replicate] [ingress {dot1q vlan vlan-id | isl |
untagged vlan vlan-id | vlan vlan-id}]} | {remote
vlan vlan-id}
- 63. SPAN and IDS
Use SPAN to mirror traffic in and out of port F0/1 to port F0/2.
[Diagram: Attacker traffic enters the switch on F0/1; the IDS is attached to F0/2]
- 64. Overview of RSPAN
• An RSPAN port mirrors traffic to another port on another switch where a probe or IDS sensor is connected.
• This allows more switches to be monitored with a single probe or IDS.
[Diagram: several Source VLANs on different switches are carried over an RSPAN VLAN to the switch where the IDS is attached; the Attacker’s traffic triggers “Intruder Alert!”]
- 65. Configuring RSPAN
[Diagram: switches 2960-1 and 2960-2 joined by a trunk]
1. Configure the RSPAN VLAN
2960-1(config)# vlan 100
2960-1(config-vlan)# remote-span
2960-1(config-vlan)# exit
2. Configure the RSPAN source ports and VLANs
2960-1(config)# monitor session 1 source interface FastEthernet 0/1
2960-1(config)# monitor session 1 destination remote vlan 100
reflector-port FastEthernet 0/24
2960-1(config)# interface FastEthernet 0/2
2960-1(config-if)# switchport mode trunk
3. Configure the RSPAN traffic to be forwarded
2960-2(config)# monitor session 2 source remote vlan 100
2960-2(config)# monitor session 2 destination interface FastEthernet 0/3
2960-2(config)# interface FastEthernet 0/2
2960-2(config-if)# switchport mode trunk
- 66. Verifying RSPAN Configuration
[Diagram: switches 2960-1 and 2960-2]
show monitor [session {session_number | all | local
| range list | remote} [detail]] [ | {begin | exclude
| include} expression]
- 67. Layer 2 Guidelines
• Manage switches in as secure a manner as possible
(SSH, out-of-band management, ACLs, etc.)
• Set all user ports to non-trunking mode (except if using
Cisco VoIP)
• Use port security where possible for access ports
• Enable STP attack mitigation (BPDU guard, root guard)
• Use Cisco Discovery Protocol only where necessary –
with phones it is useful
• Configure PortFast on all non-trunking ports
• Configure root guard on STP root ports
• Configure BPDU guard on all non-trunking ports
- 68. VLAN Practices
• Always use a dedicated, unused native VLAN ID for
trunk ports
• Do not use VLAN 1 for anything
• Disable all unused ports and put them in an unused
VLAN
• Manually configure all trunk ports and disable DTP on
trunk ports
• Configure all non-trunking ports with switchport mode
access
- 71. Infrastructure-Integrated Approach
• Proactive threat and intrusion
detection capabilities that do
not simply detect wireless
attacks but prevent them
• Comprehensive protection to
safeguard confidential data and
communications
• Simplified user management
with a single user identity and
policy
• Collaboration with wired
security systems
- 72. Cisco IP Telephony Solutions
• Single-site deployment
• Centralized call processing with remote branches
• Distributed call-processing deployment
• Clustering over the IP WAN
- 73. Storage Network Solutions
• Investment
protection
• Virtualization
• Security
• Consolidation
• Availability
- 74. Cisco Wireless LAN Controllers
• Responsible for system-wide wireless LAN
functions
• Work in conjunction with APs and the Cisco
Wireless Control System (WCS) to support
wireless applications
• Smoothly integrate into existing enterprise
networks
- 75. Wireless Hacking
• War driving
• A neighbor hacks into
another neighbor’s
wireless network to get
free Internet access or
access information
• Free Wi-Fi provides an
opportunity to
compromise the data of
users
- 76. Hacking Tools
• Network Stumbler
• Kismet
• AirSnort
• CoWPAtty
• ASLEAP
• Wireshark
- 77. Safety Considerations
• Wireless networks using WEP or WPA/TKIP are
not very secure and vulnerable to hacking
attacks.
• Wireless networks using WPA2/AES should
have a passphrase of at least 21 characters
long.
• If an IPsec VPN is available, use it on any public
wireless LAN.
• If wireless access is not needed, disable the
wireless radio or wireless NIC.
- 78. VoIP Business Advantages
[Diagram: the PSTN connected through a Gateway to the VoIP network]
• Little or no training costs
• No major set-up fees
• Lower telecom call costs
• Productivity increases
• Lower costs to move, add, or change
• Lower ongoing service and maintenance costs
• Enables unified messaging
• Encryption of voice calls is supported
• Fewer administrative personnel required
- 79. VoIP Components
[Diagram: Cisco Unified Communications Manager (Call Agent) and Cisco Unity on the IP Backbone, with Routers/Gateways to the PSTN and to a PBX, an MCU, IP Phones and a Videoconference Station]
- 80. VoIP Protocols
VoIP Protocol  Description
H.323          ITU standard protocol for interactive conferencing; evolved from H.320 ISDN standard; flexible, complex
MGCP           Emerging IETF standard for PSTN gateway control; thin device control
Megaco/H.248   Joint IETF and ITU standard for gateway control with support for multiple gateway types; evolved from MGCP standard
SIP            IETF protocol for interactive and noninteractive conferencing; simpler but less mature than H.323
RTP            IETF standard media-streaming protocol
RTCP           IETF protocol that provides out-of-band control information for an RTP flow
SRTP           IETF protocol that encrypts RTP traffic as it leaves the voice device
SCCP           Cisco proprietary protocol used between Cisco Unified Communications Manager and Cisco IP phones
- 81. Threats
• Reconnaissance
• Directed attacks such as spam over IP telephony (SPIT) and spoofing
• DoS attacks such as DHCP starvation, flooding, and fuzzing
• Eavesdropping and man-in-the-middle attacks
- 82. VoIP SPIT
• If SPIT grows like spam, it could result in regular DoS problems for network administrators.
• Antispam methods do not block SPIT.
• Authenticated TLS stops most SPIT attacks because TLS endpoints accept packets only from trusted devices.
[Illustration: a SPIT call announcing “You’ve just won an all expenses paid vacation to the U.S. Virgin Islands!!!”]
- 83. Fraud
• Fraud takes several forms:
– Vishing—A voice version of phishing that is used to compromise confidentiality.
– Theft and toll fraud—The stealing of telephone services.
• Use features of Cisco Unified Communications Manager to protect against fraud.
– Partitions limit what parts of the dial plan certain phones have access to.
– Dial plan filters control access to exploitive phone numbers.
– FACs (forced authorization codes) prevent unauthorized calls and provide a mechanism for tracking.
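The three Cisco Unified Communications Manager controls on this slide can be pictured as one small policy engine: a filter that refuses exploitive numbers for everyone, partitions that decide which route patterns a phone can even see, and FACs that gate selected patterns and write the code owner to an audit trail. The Python below is an added example written for this page, not CUCM's implementation; the route patterns, partition names, blocked prefixes, FAC codes and phone names are all constructed.

```python
"""Toy model of the three Cisco Unified Communications Manager controls the
slide names: partitions, dial plan filters and FACs (forced authorization
codes). Added illustration of the idea, not CUCM's implementation; every
number, partition name and code below is constructed."""
import re
from dataclasses import dataclass, field


@dataclass
class RoutePattern:
    pattern: str        # regex over the dialed digits
    partition: str      # part of the dial plan this pattern lives in
    fac_level: int = 0  # 0 = no FAC needed; otherwise minimum authorization level


@dataclass
class Phone:
    name: str
    partitions: frozenset  # partitions this phone is allowed to reach


@dataclass
class DialPlan:
    patterns: list
    blocked: list   # dial plan filter: regexes for exploitive numbers
    facs: dict      # code -> (owner, authorization level)
    audit: list = field(default_factory=list)

    def route(self, phone, dialed, fac=None):
        """Decide whether a call is routed and record the attempt for tracking."""
        # 1. Dial plan filter: exploitive numbers are refused for every phone.
        if any(re.fullmatch(p, dialed) for p in self.blocked):
            return self._log(phone, dialed, "blocked-by-filter")
        # 2. Partitions: only patterns in the phone's partitions are visible to it.
        match = next((rp for rp in self.patterns
                      if rp.partition in phone.partitions
                      and re.fullmatch(rp.pattern, dialed)), None)
        if match is None:
            return self._log(phone, dialed, "no-route")
        # 3. FAC: patterns with a level need a code of at least that level,
        #    and the code's owner goes into the audit trail.
        if match.fac_level:
            entry = self.facs.get(fac)
            if entry is None or entry[1] < match.fac_level:
                return self._log(phone, dialed, "fac-required")
            return self._log(phone, dialed, "routed", fac_owner=entry[0])
        return self._log(phone, dialed, "routed")

    def _log(self, phone, dialed, result, fac_owner=None):
        self.audit.append((phone.name, dialed, result, fac_owner))
        return result


def build_demo_plan():
    """Constructed dial plan: internal, local, long-distance and international."""
    return DialPlan(
        patterns=[
            RoutePattern(r"2\d{3}", "Internal"),
            RoutePattern(r"9[2-9]\d{6}", "Local"),
            RoutePattern(r"91[2-9]\d{9}", "LongDistance", fac_level=1),
            RoutePattern(r"9011\d{7,15}", "International", fac_level=2),
        ],
        # constructed premium-rate prefixes treated as exploitive numbers
        blocked=[r"91900\d{7}", r"91976\d{7}"],
        facs={"1234": ("alice", 1), "9876": ("bob", 2)},
    )


def demo():
    plan = build_demo_plan()
    lobby = Phone("lobby-phone", frozenset({"Internal"}))
    staff = Phone("staff-phone", frozenset({"Internal", "Local", "LongDistance"}))
    exec_ = Phone("exec-phone",
                  frozenset({"Internal", "Local", "LongDistance", "International"}))
    results = [
        plan.route(lobby, "2001"),                      # routed
        plan.route(lobby, "95551234"),                  # no-route: lobby lacks Local
        plan.route(staff, "914155551234"),              # fac-required
        plan.route(staff, "914155551234", fac="1234"),  # routed, charged to alice
        plan.route(staff, "919005551234"),              # blocked-by-filter, before routing
        plan.route(exec_, "901144207946000", fac="1234"),  # fac-required: level 1 < 2
        plan.route(exec_, "901144207946000", fac="9876"),  # routed, charged to bob
    ]
    return results, plan.audit
```

The ordering matters: the filter runs before partition lookup, so a blocked premium-rate number is refused even for a phone whose partitions would otherwise route it, and every outcome, including refusals, lands in the audit list with the FAC owner where one was used.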
- 84. SIP Vulnerabilities
• Registration hijacking: Allows a hacker to intercept incoming calls and reroute them.
• Message tampering: Allows a hacker to modify data packets traveling between SIP addresses.
• Session tear-down: Allows a hacker to terminate calls or carry out VoIP-targeted DoS attacks.
[Diagram: SIP servers/services – Registrar, Location Database, SIP Proxy, and SIP User Agents]
- 85. Using VLANs
[Diagram: switch port 5/1 as an 802.1Q trunk to an IP phone (voice VLAN 110, 10.1.110.3) with a desktop PC behind it (data VLAN 10, 171.1.1.1)]
• Creates a separate broadcast domain for voice traffic
• Protects against eavesdropping and tampering
• Renders packet-sniffing tools less effective
• Makes it easier to implement VACLs that are specific to voice traffic
- 86. Using Cisco ASA Adaptive Security Appliances
• Ensure SIP, SCCP, H.323, and MGCP requests conform to standards
• Prevent inappropriate SIP methods from being sent to Cisco Unified Communications Manager
• Rate limit SIP requests
• Enforce policy of calls (whitelist, blacklist, caller/called party, SIP URI)
• Dynamically open ports for Cisco applications
• Enable only “registered phones” to make calls
• Enable inspection of encrypted phone calls
[Diagram: Cisco Adaptive Security Appliances placed between the voice network and the WAN and the Internet]
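To make the first five controls on this slide concrete, the Python below is an added example (not Cisco ASA code, and not part of the original deck) that inspects SIP requests the way an application-layer gateway would: it checks the request line and mandatory headers for conformance, drops methods outside an allowlist, rate-limits each source, refuses INVITEs from callers that are not registered phones, and applies a called-party blacklist. The SIP messages, addresses, URIs and policy values are all constructed.

```python
"""Simplified SIP request inspection covering the ASA checks listed above:
conformance, method allowlist, per-source rate limiting, caller and
called-party policy, and "only registered phones place calls". Added example
for this page, not Cisco ASA code; all messages and values are constructed."""
import re
from collections import defaultdict, deque

# Request methods from RFC 3261 and common extensions; anything else is malformed.
KNOWN_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "REGISTER", "OPTIONS",
                 "SUBSCRIBE", "NOTIFY", "REFER", "MESSAGE", "INFO", "UPDATE"}
# Headers RFC 3261 requires in every request (Max-Forwards left out for brevity).
REQUIRED_HEADERS = {"via", "from", "to", "call-id", "cseq"}
URI_RE = re.compile(r"<?(sips?:[^>;\s]+)")


def parse_request(raw):
    """Return (method, request_uri, headers) or raise ValueError if nonconformant."""
    lines = raw.replace("\r\n", "\n").split("\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        raise ValueError("malformed request line")
    method, uri = parts[0], parts[1]
    if method not in KNOWN_METHODS:
        raise ValueError("unknown method %r" % method)
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header section
        if ":" not in line:
            raise ValueError("malformed header %r" % line)
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    missing = REQUIRED_HEADERS - set(headers)
    if missing:
        raise ValueError("missing headers: %s" % ",".join(sorted(missing)))
    return method, uri, headers


def uri_of(header_value):
    """Bare URI from a From/To header such as '"Bob" <sip:bob@x>;tag=1'."""
    m = URI_RE.search(header_value)
    return m.group(1) if m else header_value


class SipInspector:
    def __init__(self, allowed_methods, registered_phones, blocked_called,
                 rate_limit, window_seconds):
        self.allowed_methods = set(allowed_methods)
        self.registered_phones = set(registered_phones)  # From URIs that may place calls
        self.blocked_called = set(blocked_called)        # blacklisted Request-URIs
        self.rate_limit = rate_limit
        self.window = window_seconds
        self.history = defaultdict(deque)                # source -> request timestamps

    def _over_rate(self, src, now):
        q = self.history[src]
        q.append(now)
        while q and now - q[0] >= self.window:
            q.popleft()
        return len(q) > self.rate_limit

    def inspect(self, src, now, raw):
        """Return ('permit', method) or ('deny', reason) for one request from src."""
        if self._over_rate(src, now):  # counted before parsing, so junk floods are cheap to drop
            return "deny", "rate-limit"
        try:
            method, uri, headers = parse_request(raw)
        except ValueError as exc:
            return "deny", "nonconformant: %s" % exc
        if method not in self.allowed_methods:
            return "deny", "method %s not permitted" % method
        if method == "INVITE":
            caller = uri_of(headers["from"])
            if caller not in self.registered_phones:
                return "deny", "caller %s not a registered phone" % caller
            if uri in self.blocked_called:
                return "deny", "called party %s blacklisted" % uri
        return "permit", method


def make_request(method, uri, caller, call_id, cseq):
    """Build a minimal conformant SIP request (constructed sample traffic)."""
    return "\r\n".join([
        "%s %s SIP/2.0" % (method, uri),
        "Via: SIP/2.0/UDP 10.1.110.3:5060;branch=z9hG4bK776",
        "From: <%s>;tag=1928" % caller,
        "To: <%s>" % uri,
        "Call-ID: %s" % call_id,
        "CSeq: %d %s" % (cseq, method), "", ""])


def demo():
    insp = SipInspector(
        allowed_methods={"REGISTER", "INVITE", "ACK", "BYE", "CANCEL", "OPTIONS"},
        registered_phones={"sip:2001@cucm.example"},
        blocked_called={"sip:9001@cucm.example"},
        rate_limit=3, window_seconds=1.0)
    phone, rogue, flood = "10.1.110.3", "10.1.110.9", "10.1.110.77"
    ok, bad = "sip:2001@cucm.example", "sip:6666@cucm.example"
    results = [
        insp.inspect(phone, 0.0, make_request("INVITE", "sip:2002@cucm.example", ok, "c1", 1)),
        insp.inspect(rogue, 0.1, make_request("INVITE", "sip:2002@cucm.example", bad, "c2", 1)),
        insp.inspect(phone, 0.2, make_request("INVITE", "sip:9001@cucm.example", ok, "c3", 1)),
        insp.inspect(phone, 0.3, make_request("MESSAGE", "sip:2002@cucm.example", ok, "c4", 1)),
        insp.inspect(rogue, 0.4, "INVITE sip:2002@cucm.example SIP/2.0\r\nVia: SIP/2.0/UDP 10.1.110.9\r\n\r\n"),
    ]
    # Four OPTIONS requests from one source within one second: the fourth exceeds the limit.
    for i in range(4):
        results.append(insp.inspect(flood, 0.5 + i * 0.01,
                                    make_request("OPTIONS", "sip:cucm.example", ok, "c%d" % (5 + i), 1)))
    return results
```

The rate limiter is consulted before the message is parsed, so a source flooding malformed traffic is dropped without paying for parsing; the registered-phone and blacklist checks are applied only to INVITE, which is the request that actually places a call.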
- 87. Using VPNs
• Use IPsec for authentication
• Use IPsec to protect all traffic, not just voice
• Consider SLA with service provider
• Terminate on a VPN concentrator or large router inside of firewall to gain these benefits:
– Performance
– Reduced configuration complexity
– Managed organizational boundaries
[Diagram: telephony servers connected across the IP WAN to an SRST router]
- 88. Using Cisco Unified Communications Manager
• Signed firmware
• Signed configuration files
• Disable:
– PC port
– Setting button
– Speakerphone
– Web access
- 89. SAN Security Considerations
[Diagram: IP network alongside a SAN]
SAN: specialized network that enables fast, reliable access among servers and external storage resources
- 90. SAN Transport Technologies
• Fibre Channel – the primary SAN transport for host-to-SAN connectivity
• iSCSI – maps SCSI over TCP/IP and is another host-to-SAN connectivity model
• FCIP – a popular SAN-to-SAN connectivity model
[Diagram label: LAN]
- 91. World Wide Name
• A 64-bit address that Fibre Channel networks use to uniquely identify each element in a Fibre Channel network
• Zoning can utilize WWNs to assign security permissions
• The WWN of a device is a user-configurable parameter.
[Image: Cisco MDS 9020 Fabric Switch]
- 92. Zoning Operation
• Zone members see only other members of the zone.
• Zones can be configured dynamically based on WWN.
• Devices can be members of more than one zone.
• Switched fabric zoning can take place at the port or device level: based on physical switch port, based on device WWN, or based on LUN ID.
[Diagram: an example of zoning in a SAN with Host1, Host2, and Disk1–Disk4 in ZoneA, ZoneB, and ZoneC. Note that devices can be members of more than 1 zone.]
- 93. Virtual Storage Area Network (VSAN)
[Diagram: Cisco MDS 9000 Family with VSAN service]
Physical SAN islands are virtualized onto common SAN infrastructure.
- 94. Security Focus
[Diagram: focus areas of a secure SAN – SAN management, SAN access, fabric access, target access, SAN protocol, IP storage access, and data integrity and secrecy]
- 95. SAN Management
Three main areas of vulnerability:
1. Disruption of switch processing
2. Compromised fabric stability
3. Compromised data integrity and confidentiality
- 96. Fabric and Target Access
Three main areas of focus:
• Application data integrity
• LUN integrity
• Application performance
- 97. VSANs
Relationship of VSANs to Zones
[Diagram: physical topology with VSAN 2 (Host1, Host2, Disk1–Disk4 in ZoneA, ZoneB, and ZoneC) and VSAN 3 (Host3, Host4, Disk5, Disk6 in ZoneA and ZoneD)]
Two VSANs each with multiple zones. Disks and hosts are dedicated to VSANs although both hosts and disks can belong to multiple zones within a single VSAN. They cannot, however, span VSANs.
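The zoning rules from the Zoning Operation slide and the VSAN rules from this one reduce to a few set operations: a zone is a set of member WWNs, a device may belong to several zones, every zone lives in one VSAN, and a device is dedicated to one VSAN, so two devices can see each other only if they share a zone. The Python below is an added example written for this page, not Cisco MDS code; it validates WWN syntax, refuses to place a device into a zone of a second VSAN, and answers "what can this host see?" for a constructed fabric that loosely follows the figures (all WWNs, device names and zone memberships are constructed).

```python
"""Zone and VSAN membership evaluation for a Fibre Channel fabric, as an added
example (not Cisco MDS code). A zone is a set of member WWNs, a device may sit
in several zones, every zone belongs to exactly one VSAN, and a device belongs
to exactly one VSAN. All WWNs and device names below are constructed."""
import re
from collections import defaultdict

# A WWN is 64 bits, written as eight colon-separated hex bytes.
WWN_RE = re.compile(r"^([0-9a-f]{2}:){7}[0-9a-f]{2}$")


def valid_wwn(wwn):
    return bool(WWN_RE.match(wwn.lower()))


class Fabric:
    def __init__(self):
        self.members = defaultdict(set)  # (vsan, zone name) -> set of member WWNs
        self.vsan_of_device = {}         # wwn -> the single VSAN the device lives in

    def add_zone(self, vsan, zone, wwns):
        """Add members to a zone; refuse WWNs that are malformed or in another VSAN."""
        for w in wwns:
            if not valid_wwn(w):
                raise ValueError("bad WWN %s" % w)
            if self.vsan_of_device.get(w, vsan) != vsan:
                raise ValueError("%s already belongs to VSAN %d" % (w, self.vsan_of_device[w]))
        for w in wwns:  # commit only after every member has passed both checks
            self.vsan_of_device[w] = vsan
        self.members[(vsan, zone)] |= set(wwns)

    def zones_of(self, wwn):
        return {key for key, m in self.members.items() if wwn in m}

    def visible_from(self, wwn):
        """Everything a device can see: the other members of every zone it is in."""
        seen = set()
        for key in self.zones_of(wwn):
            seen |= self.members[key]
        seen.discard(wwn)
        return seen

    def can_talk(self, a, b):
        """Zone members see only other members of the zone, so this is symmetric."""
        return b in self.visible_from(a)


DEVICES = {  # constructed names -> constructed WWNs
    "Host1": "10:00:00:00:c9:2a:11:01", "Host2": "10:00:00:00:c9:2a:11:02",
    "Host3": "10:00:00:00:c9:2a:11:03", "Disk1": "50:06:01:60:3b:a0:00:01",
    "Disk2": "50:06:01:60:3b:a0:00:02", "Disk3": "50:06:01:60:3b:a0:00:03",
    "Disk4": "50:06:01:60:3b:a0:00:04", "Disk5": "50:06:01:60:3b:a0:00:05",
}


def build_demo_fabric():
    """Two VSANs loosely following the slide figures; memberships are constructed."""
    f, w = Fabric(), DEVICES
    f.add_zone(2, "ZoneA", [w["Host1"], w["Disk1"], w["Disk2"]])
    f.add_zone(2, "ZoneC", [w["Host1"], w["Disk3"]])  # Host1 is in two zones
    f.add_zone(2, "ZoneB", [w["Host2"], w["Disk4"]])
    f.add_zone(3, "ZoneA", [w["Host3"], w["Disk5"]])  # same zone name, different VSAN
    return f


def names(wwns):
    """Map a set of WWNs back to the constructed device names, sorted."""
    inv = {v: k for k, v in DEVICES.items()}
    return sorted(inv[x] for x in wwns)
```

Two points the slides make show up directly in the code: zone names are scoped by VSAN, so ZoneA in VSAN 2 and ZoneA in VSAN 3 are unrelated, and a device already dedicated to one VSAN is rejected from any zone of another. Because the WWN is a user-configurable parameter, as the World Wide Name slide notes, WWN-based zoning is an access list keyed on a value the device itself asserts; port-based zoning ties membership to the physical switch port instead.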
- 98. iSCSI and FCIP
• iSCSI leverages many of the security features inherent in Ethernet and IP:
– ACLs are like Fibre Channel zones
– VLANs are like Fibre Channel VSANs
– 802.1X port security is like Fibre Channel port security
• FCIP security leverages many IP security features in Cisco IOS-based routers:
– IPsec VPN connections through public carriers
– High-speed encryption services in specialized hardware
– Can be run through a firewall