Network
network clients.
Endpoint devices include:
Laptops
Desktops
IP phones
Personal digital assistants (PDAs)
Servers
Printers
endpoint devices.
Non-endpoint LAN devices:
Switches
Wireless devices
IP telephony devices
Storage area networking (SAN) devices
including:
MAC address spoofing attacks
STP manipulation attacks
MAC address table overflow attacks
LAN storm attacks
VLAN attacks
IronPort
IronPort is a leading provider of anti-spam, anti-virus, and anti-spyware appliances.
Cisco acquired IronPort Systems in 2007.
Network Admission Control (NAC)
NAC Framework
The NAC framework uses the existing Cisco network
NAC Framework
Different devices in the network, not necessarily one device, can
[Figure: Cisco NAA flow: login screen, scan is performed, scan fails, remediate]
Layer 2 Security
Types of Attacks
Layer 2 and Layer 3 switches are susceptible to many of the
network.
Types of Attacks
MAC address spoofing
MAC address table overflows
STP manipulation
LAN storms
VLAN attacks
Mitigation techniques include configuring port security.
2012 Cisco and/or its affiliates. All rights reserved.
STP Attack
An STP attack typically involves the creation of a bogus Root
bridge.
This can be accomplished using available software from the
Mitigation techniques include enabling PortFast, root guard and BPDU guard.
STP Attack
The attacking host broadcasts
Mis-configurations
Mitigation techniques include configuring storm control.
VLAN Attacks
Trunk ports pass traffic for all VLANs using either IEEE 802.1Q or
DTP enables trunking to access all the VLANs on the target switch.
The attacker can then send traffic tagged with the target VLAN, and the switch then
delivers the packets to the destination.
Mitigation techniques include ensuring that the native VLAN of the trunk ports is different from the native VLAN of the user ports.
Mitigating MAC Spoofing and MAC Table Overflow Attacks
Port Security
Once MAC addresses are assigned to a secure port, the port
does not forward frames with source MAC addresses outside the
group of defined addresses.
Secure source addresses can be:
Manually configured
Autoconfigured (learned)
Port Security
When a MAC address differs from the list of secure addresses,
security violation.
Shutdown is the recommended security violation.
Configure Parameters
Set the maximum number of secure MAC addresses for the
interface. (optional)
The range is 1 to 132. The default is 1.
Switch(config-if)# switchport port-security maximum value
Description
maximum value: (Optional) Set the maximum number of secure MAC addresses for the interface. The default setting is 1.
mac-address mac-address
vlan vlan-id: (Optional) On a trunk port only, specify the VLAN ID and the MAC address. If no VLAN ID is specified, the native VLAN is used.
vlan access
vlan voice
vlan [vlan-list]: (Optional) For trunk ports, you can set the maximum number of secure MAC addresses on a VLAN. If the vlan keyword is not entered, the default value is used.
vlan: set a per-VLAN maximum value.
vlan vlan-list: set a per-VLAN maximum value on a range of VLANs separated by a hyphen or a series of VLANs separated by commas.
Violation Parameters
Parameter: Description
protect: When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.
restrict: Does the same as protect but also sends an SNMP trap, a syslog message is logged, and the violation counter increments.
shutdown
shutdown vlan: In this mode, only the VLAN on which the violation occurred is error-disabled.
Port Aging
Port security aging can be used to set the aging time for static
Aging Parameters
Parameter
Description
static
time minutes
type absolute
type inactivity
S2(config-if)# switchport mode access
S2(config-if)# switchport port-security
S2(config-if)# switchport port-security maximum 2
S2(config-if)# switchport port-security violation shutdown
S2(config-if)# switchport port-security mac-address sticky
S2(config-if)# switchport port-security aging time 120
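The behaviour that configuration produces, as an added model written for this page rather than code from the slides: a port with maximum 2 and sticky learning, run under each of the three violation modes against constructed source addresses (aging is not modelled).

```python
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    """One switchport with port security enabled (added model, not IOS code)."""
    maximum: int = 1
    violation: str = "shutdown"          # protect | restrict | shutdown
    secure_macs: set = field(default_factory=set)   # configured or sticky-learned addresses
    err_disabled: bool = False
    violation_count: int = 0
    log: list = field(default_factory=list)

    def receive(self, src_mac: str) -> str:
        """Handle one ingress frame from src_mac and return what the port did with it."""
        if self.err_disabled:
            return "dropped: port err-disabled"
        if src_mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            # Below the limit a new source address is learned (sticky keeps it in the config).
            self.secure_macs.add(src_mac)
            return "forwarded (learned)"
        # Limit reached and src_mac is not a secure address: a security violation.
        if self.violation == "protect":
            return "dropped"                 # silently dropped, no counter, no notification
        self.violation_count += 1
        if self.violation == "restrict":
            self.log.append(f"port-security violation from {src_mac}")   # SNMP trap + syslog
            return "dropped (restrict)"
        self.err_disabled = True             # shutdown: the whole port goes err-disabled
        self.log.append(f"port-security shutdown, violation from {src_mac}")
        return "dropped (shutdown)"

def flood(port: SecurePort, src_macs: list) -> list:
    """Send one frame per source MAC through the port and collect the outcomes."""
    return [port.receive(mac) for mac in src_macs]

# Constructed traffic: two legitimate hosts, then a third address exceeding 'maximum 2'.
FRAMES = ["0000.1111.aaaa", "0000.1111.bbbb", "0000.1111.aaaa", "0000.dead.beef", "0000.1111.aaaa"]

if __name__ == "__main__":
    port = SecurePort(maximum=2, violation="shutdown")
    print(flood(port, FRAMES), port.log)
```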
Mitigating STP Manipulation
PortFast
Causes a Layer 2 interface to transition from the blocking to the
or server.
It allows those devices to connect to the network immediately, instead of
waiting for STP to converge.
PortFast
It should only be used on access ports!
If PortFast is enabled on a port connecting to another switch, there is a risk of
creating a spanning-tree loop.
Configure PortFast
Enable PortFast on a Layer 2 access port and force it to enter the
by default.
Switch(config-if)# no spanning-tree portfast
BPDU Guard
The feature keeps the active network topology predictable.
It protects a switched network from receiving BPDUs on ports that should not
be receiving them.
Received BPDUs might be accidental or part of an attack.
BPDU, the switch will put the port into the disabled state.
BPDU guard is best deployed toward user-facing ports to prevent rogue
switch network extensions by an attacking host.
BPDU Guard
To enable BPDU guard on all PortFast enabled ports, use the
BPDU Filtering
The feature prevents interfaces that are in a PortFast-operational
Root Guard
Root guard enforces the placement of root bridges by limiting the
those that the current root bridge is sending, that port is moved to
a root-inconsistent state.
This effectively is equal to an STP listening state, and no data traffic is
forwarded across that port.
Root Guard
Root guard is best deployed toward ports that connect to switches
that should not be the root bridge using the interface configuration
command:
Switch(config-if)# spanning-tree guard root
different.
BPDU guard disables the port upon BPDU reception if PortFast is
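How the two guards decide on a received BPDU, as an added Python example that is not from the slides: the configuration BPDU bytes are constructed with struct, and the root-ID comparison follows 802.1D (lower priority, then lower MAC, is superior).

```python
import struct

LLC_STP = b"\x42\x42\x03"        # LLC header (DSAP/SSAP 0x42) that precedes every BPDU

def bridge_id(priority: int, mac: str) -> bytes:
    """Encode an 8-byte bridge ID: 2-byte priority followed by the 6-byte MAC address."""
    return struct.pack("!H", priority) + bytes.fromhex(mac.replace(":", ""))

def build_config_bpdu(root_id: bytes, sender_id: bytes, path_cost: int = 0) -> bytes:
    """Constructed 802.1D configuration BPDU used as sample input (not captured traffic)."""
    header = struct.pack("!HBBB", 0, 0, 0, 0)          # protocol ID, version, type=config, flags
    timers = struct.pack("!HHHHH", 0x8001, 0, 20 * 256, 2 * 256, 15 * 256)  # port ID + times (1/256 s)
    return LLC_STP + header + root_id + struct.pack("!I", path_cost) + sender_id + timers

def parse_bpdu(frame: bytes) -> dict:
    """Extract the fields the guard features look at from a configuration BPDU."""
    if frame[:3] != LLC_STP or frame[6] != 0x00:
        raise ValueError("not a configuration BPDU")
    root_id, path_cost, sender_id = struct.unpack("!8sI8s", frame[8:28])
    return {"root_id": root_id, "path_cost": path_cost, "sender_id": sender_id}

def guard_action(frame: bytes, current_root: bytes, portfast: bool = False,
                 bpduguard: bool = False, rootguard: bool = False) -> str:
    """Return what happens to the receiving port under the configured guard features."""
    bpdu = parse_bpdu(frame)
    if portfast and bpduguard:
        # BPDU guard: a PortFast (user-facing) port must never see a BPDU; err-disable it.
        return "err-disabled (bpduguard)"
    if rootguard and bpdu["root_id"] < current_root:
        # Root guard: a superior root ID (lower priority, then lower MAC; bytes compare
        # the same way) is not accepted on this port, which goes root-inconsistent.
        return "root-inconsistent (rootguard)"
    return "accepted"
```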
Inconsistency
----------------------
Port Type Inconsistent
Configuring Storm Control
Storm Control
LAN storm attacks can be mitigated by using storm control to
activity:
Bandwidth as a percentage (%) of the total available bandwidth of the port.
Traffic rate in packets/sec or bits/sec at which packets are received.
Traffic rate in packets per second and for small frames.
Storm Control
With each method, the port blocks traffic when the predefined
enable storm control and set the threshold value for each type of
traffic.
Storm Control
When the traffic suppression level is specified as a percentage of
command.
If the:
trap action is configured, the switch sends SNMP log messages when a
storm occurs.
shutdown action is configured, the port is error-disabled during a storm.
Switch(config)# storm-control {{broadcast | multicast | unicast} level {level [level-low] | bps bps [bps-low] | pps pps [pps-low]}} | {action {shutdown | trap}}
Upper     Lower     Current
--------  --------  --------
20 pps    10 pps    5 pps
50.00%    40.00%    0.00%
<output omitted>
Mitigating VLAN Attacks
switch must look further into the frame to determine whether more than one VLAN tag is attached to it.
Use a dedicated native VLAN for all trunk ports.
Also disable all unused switch ports and place them in an unused VLAN.
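The "look further into the frame" check above, as an added example that is not part of the original deck: the frames are constructed in memory, and the classifier reports a tagged frame arriving on an access port and a double-tagged frame whose outer tag matches the trunk's native VLAN.

```python
import struct

ETHERTYPE_8021Q = 0x8100

def vlan_stack(frame: bytes) -> tuple:
    """Walk every 802.1Q tag after the MAC addresses; return (VLAN IDs in order, inner EtherType)."""
    offset, vlans = 12, []                     # skip the 6-byte destination and source MACs
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype != ETHERTYPE_8021Q:
            return vlans, ethertype
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlans.append(tci & 0x0FFF)             # VLAN ID is the low 12 bits of the TCI
        offset += 4

def build_frame(vlans: list, inner_ethertype: int = 0x0800) -> bytes:
    """Constructed sample frame: MACs, one 802.1Q tag per VLAN in 'vlans', inner EtherType, padding."""
    macs = bytes.fromhex("ffffffffffff") + bytes.fromhex("0000c0ffee01")
    tags = b"".join(struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF) for vid in vlans)
    return macs + tags + struct.pack("!H", inner_ethertype) + b"\x00" * 46

def classify_ingress(frame: bytes, port_mode: str, trunk_native_vlan: int = 1) -> str:
    """Apply the checks the text calls for: tags on access ports and multiple tags on trunks."""
    vlans, _ = vlan_stack(frame)
    if port_mode == "access" and vlans:
        return "drop: tagged frame on access port"
    if len(vlans) > 1:
        if vlans[0] == trunk_native_vlan:
            # The outer tag equals the trunk's native VLAN, so a switch that only strips
            # it would forward the frame into the inner VLAN: the hop the text describes.
            return f"flag: double-tagged via native VLAN {vlans[0]} into VLAN {vlans[1]}"
        return "flag: double-tagged frame, outer tag is not the native VLAN"
    return "ok"
```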
Configuring Cisco Switch Port Analyzer
SPAN
Network traffic passing through ports or VLANs can be analyzed
SPAN
SPAN can be used to mirror traffic to another port where a probe
SPAN
A SPAN session can be configured to monitor source port traffic
to a destination port.
Switch(config)# monitor session session_number source {interface interface-id [, | -] [both | rx | tx]} | {vlan vlan-id [, | -] [both | rx | tx]} | {remote vlan vlan-id}
Switch(config)# monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate] [ingress {dot1q vlan vlan-id | isl | untagged vlan vlan-id | vlan vlan-id}]} | {remote vlan vlan-id}
Verifying SPAN
Use the show monitor session session-number command.
Private VLAN Edge
PVLAN Edge
The PVLAN Edge feature, also known as protected ports,
Layer 2 Best Practices
Cisco VoIP).
Use port security where possible for access ports.
Use CDP only where necessary; with phones it is useful.
Configure PortFast on all non-trunking ports.
Configure BPDU guard on all non-trunking ports.
Configure root guard on STP root ports.
Advanced Technology Security Considerations
Modern Networks
Converged networks have increasingly challenged modern network design.
New services to support include:
Wireless
VoIP
SANs
Wireless Networks
VoIP Networks
SAN Networks
Wireless Networks
Wireless Deployments
Autonomous
Each access point must be individually configured.
Infrastructure (Lightweight)
Modern enterprise wireless networks now include:
Lightweight APs
Lightweight Wireless
Lightweight APs depend on
Security policies
Intrusion prevention
RF management
QoS
Mobility
Wireless
An infrastructure-integrated approach has a number of benefits:
A single user identity and policy simplifies user management and protects
against unauthorized access.
Proactive threat and intrusion detection capabilities detect wireless attacks
and prevent them.
Comprehensive protection safeguards confidential data and communications.
Collaboration with wired security systems enables a superset of wireless
security functionality and protection.
their SSIDs.
AirSnort software sniffs and cracks WEP keys.
CoWPAtty cracks WPA-PSK (WPA1).
ASLEAP gathers authentication data.
Wireshark can scan wireless Ethernet data and 802.11 SSIDs.
Reconnaissance
Reconnaissance is the unauthorized discovery and mapping of
Wardriving
Wardriving Maps
Reconnaissance
Commercial wireless protocol analyzers like AiroPeek (by
passive.
Passive tools, like Kismet, transmit no information while they are detecting
wireless networks.
Securing Wireless
WPA2, an interoperable implementation of 802.11i, is currently the state of the art in wireless security.
[Figure: wireless security options from least to most secure: default settings; unique SSID with SSID broadcast disabled; Wired Equivalent Privacy (WEP); WEP with Temporal Key Integrity Protocol (TKIP); Wi-Fi Protected Access (WPA) with TKIP; WPA2 with Advanced Encryption Standard (AES)]
Securing Wireless
Keep several security considerations in mind:
Wireless networks using WEP or WPA/TKIP are not very secure and are
vulnerable to hacking attacks.
Wireless networks using WPA2/AES should have a pass phrase of at least 21
characters.
If an IPsec VPN is available, use it on any public wireless LAN.
If wireless access is not needed, disable the wireless radio or wireless NIC.
VoIP Networks
VoIP
The success in data networking has led to its adaptation to voice
traffic.
VoIP has become popular largely because of the cost savings
VoIP Advantages
VoIP service providers charge up to 50% less than telecom.
A feature-rich environment can increase productivity.
Features include Find Me/Follow Me, Remote Office, Click-to-Call, Outlook
VoIP Components
Call Agents: Provides call control for IP phones, Call Admission Control (CAC), bandwidth control and management, and address translation. Cisco Unified Communications Managers and Cisco Unified Communications Manager Business Edition both function as the call agents.
Gateways: Provides translation between VoIP and non-VoIP networks. It also provides physical access for local analog and digital voice devices, such as telephones, fax machines, and PBXs.
Multipoint Control Unit (MCU): Provides real-time connectivity for participants attending a videoconference.
Application Servers (Cisco Unity): Provides services such as voice mail and unified messaging.
IP phones: Provide IP voice to the desktop.
Videoconference Station: Provides access for end-user participation in videoconferencing. The station contains a video capture device for video input and a microphone for audio input.
VoIP Protocols
Network resource (bandwidth) overload, host resource starvation, and out-of-bounds attacks (using illegal packet structure and unexpected data)
Authenticated Transport Layer Security (TLS) stops most SPIT attacks, because endpoints only accept packets from trusted devices.
Toll Fraud
Is the theft of long-distance telephone service by unauthorized
SIP
SIP is a relatively new, but increasingly popular protocol that
SAN Networks
iSCSI:
Maps SCSI over TCP/IP and is typically used in the LAN.
Leverages existing IP networks to build and extend SANs by using TCP/IP to
transport SCSI commands, data, and status between hosts or initiators and storage
devices or targets, such as storage subsystems and tape devices.
Uses a logical unit number (LUN) which is a 64-bit address as a way to differentiate
individual disk drives within a common SCSI target device such as a disk array.
FCIP:
Popular SAN-to-SAN connectivity model that is used over the WAN or MAN.
SAN designers can use the open-standard FCIP protocol to break the distance barrier of current Fibre Channel solutions and enable interconnection of SAN islands over extended distances.
Zoning rules:
Zone members see only other members of the zone.
Zones can be configured dynamically based on WWN.
Devices can be members of more than one zone.
VSANs
A virtual storage area network (VSAN) is a collection of ports from
Encrypt data as it crosses networks as well as when stored on disks.
SAN Protocols: Secure the protocols that are used in switch-to-switch communication.
Fabric Access: Secure access to the fabric. The SAN fabric refers to the hardware that connects servers to storage devices.
Target Access: Secure access to storage devices (targets). Use VSANs and zoning.
SAN management: Secure the management services that are used to administer the SAN.
IP Storage Access: Secure FCIP and iSCSI.