  • OK, here’s the agenda for the session. We’ll start with the fundamental chassis architecture. After that, we’ll look at the sup engines, specifically Supervisor 2 and Supervisor 720 and the corresponding PFC daughter cards, and also we’ll look at the crossbar switch fabrics. Then we look at the switching module architecture, and then move into the fundamental operations of the forwarding engine—Layer 2 forwarding, IPv4 forwarding, IPv4 multicast forwarding, security ACLs, QoS, and NetFlow. These are the core functions of the box — sure, we have lots of other features and functionality, and Supervisor 720 even adds some additional hardware capabilities in the forwarding engine, like IPv6 and MPLS, but given that we only have 2 hours, I am just going to focus on these core functions listed here. That said, if you have questions on any of these other features and functions, feel free to ask them, but I reserve the right to defer those or take them offline if I feel it will take too much time to explain or is not of general interest. Also, I’d like to point out the acronym decoder in the back of your handout; in case some terms come up that you don’t understand, they should be decoded in the back.
  • Transcript: MAX ARDICA: I want to go to actually this one. So I was saying that the idea is that, and I am back to slide one, let me try again, maybe someone is not liking the presentation and the fact that... LAURIE: Again, please do not advance through the deck; if anyone is advancing through the deck, please stop advancing through the deck. MAX ARDICA: Okay, so slide five, essentially the idea is to create closed user groups for logical partitioning, also called Virtual Networks, that are supported on top of the same physical infrastructure. So the look and feel of each Virtual Network is like having a separate physical network dedicated to each specific application. But the idea is that they're all consolidated on top of the same physical infrastructure, okay. So virtualization is a one-to-many concept.
  • An IP Phone requires 3 MACs because of the phone’s internal MAC. Set the aging time and the MAC maximum to a reasonable number; you will catch the gross anomalies without having to lock these down “tight”.
    • Port Security limits the MAC addresses allowed per physical port. Available starting in 12.1(13)EW1.
    • On each access port:
      • switchport mode access
      • switchport port-security
      • switchport port-security maximum 128
      • switchport port-security violation {protect | restrict | shutdown}
    • Secured ports generate address-security violations under these conditions:
      • The address table of a secured port is full and a station whose MAC address is not in the address table attempts to access the interface.
      • An incoming packet has a source address assigned as a secure address on another secure port (on the same device!).
    • After you have set the maximum number of secure MAC addresses on a port, the secure addresses are included in an address table in one of these ways:
      • You can configure all secure MAC addresses by using the switchport port-security mac-address mac-address interface configuration command.
      • You can allow the port to dynamically configure secure MAC addresses with the MAC addresses of connected devices.
      • You can configure a number of addresses and allow the rest to be dynamically configured.
    • Set the violation mode, the action to be taken when a security violation is detected, to one of these:
      • protect: when the number of secure MAC addresses reaches the maximum allowed on the port, packets with unknown source addresses are dropped until you remove enough secure MAC addresses to fall below the maximum value.
      • restrict: a port security violation restricts data and causes the SecurityViolation counter to increment.
      • shutdown: the interface is error-disabled when a security violation occurs.
    • When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands.

Transcript

  • 1. Defense-in-Depth using Network Virtualization and Network Admission Control Steven Carter – stevenca@cisco.com Susan Stewart – sustewar@cisco.com
  • 2. Agenda
    • Background/Overview
    • Network Virtualization Techniques
    • Network Access Control
    • Securing the Wild, Wild, West
    • Q&A
  • 3. Background
    • The term “Defense-in-Depth” refers to leveraging the defensive capability of every device in the network from the border of the network through the core, distribution, and access portions of the network and into the host itself.
    • This can be done by combining the following capabilities:
      • Firewall/IDS at the border to ward off threats before they enter the network
      • Network virtualization to segregate the physical network into multiple virtual networks to support multiple security levels and services
      • Network Access Control to authenticate user/hosts onto the network, check their security posture, and place them into the network that matches their requirements
  • 4. Agenda
    • Background/Overview
    • Network Virtualization Techniques
    • Network Access Control
    • Securing the Wild, Wild, West
    • Q&A
  • 5. Network Virtualization
    • Provide several networks to support varying security postures, applications, etc.
    • One physical network supports many virtual networks
    • End-user perspective is that of being connected to a dedicated network (independent security policies, routing decisions, etc.)
    Diagram: Internal, Visitor and Voice virtual networks overlaid on the actual physical infrastructure.
  • 6. Network Device Virtualization
    • Switch Virtualization:
      • Data Plane – 802.1q VLANs
      • Control Plane – Per VLAN Spanning Tree
  • 7. Network Device Virtualization (Cont.)
    • Router Virtualization:
      • Data Plane - Virtual Routing/Forwarding (VRFs)
      • Control Plane – Multiple instances of routing protocols (OSPF, EIGRP, etc.) per routed plane.
    Diagram: the global table alongside per-VRF forwarding; VRFs attach over 802.1q, GRE, LSPs, physical interfaces or other mechanisms.
  • 8. Data Path Virtualization
    • Tags:
      • 802.1q
    • Tunnels (connection oriented)
      • GRE/mGRE
      • Label Switched Paths—LSP (MPLS)
    Diagram: single-hop data path virtualization using 802.1q tags versus multi-hop data path virtualization carried over IP.
  • 9. Putting it Together
  • 10. Agenda
    • Background/Overview
    • Network Virtualization Techniques
    • Network Access Control
    • Securing the Wild, Wild, West
    • Q&A
  • 11. Network Access Control (NAC)
    • NAC can mean different things to different people, but for the purposes of this presentation, it should provide three important functions:
      • User/Host Authentication – The network should be able to authenticate the user (or at least the host) onto the network.
      • Host Posture Verification – The ability to make sure that the host posture (virus definitions, patches, firewalls, etc.) match the policy of the network for which it is destined.
      • Host Remediation – The placement of the host into the correct network
    • NAC provides that connection between Network Security and Host Security
  • 12. Network Access Control (NAC) (Cont.)
    First, establish ACCESS POLICIES. Then: LIMITED COMPLIANCE = LIMITED NETWORK ACCESS
    Authenticate & Authorize
    • Enforces authorization policies and privileges
    • Supports multiple user roles
    Update & Remediate
    • Network-based tools for vulnerability and threat remediation
    • Help-desk integration
    Quarantine & Enforce
    • Isolate non-compliant devices from rest of network
    • MAC and IP-based quarantine effective at a per-user level
    Scan & Evaluate
    • Agent scan for required versions of hotfixes, AV, etc
    • Network scan for virus and worm infections and port vulnerabilities
  • 13. What about the exceptions?
    • Hosts that do not support the mechanisms can be dealt with in various ways (external scanning, web authentication, etc.), but in general garner a lower level of trust and can be segregated from the general population
    • Because of their very nature, Research and Education networks have a number of hosts (upwards of 25%) that do not fit a supported configuration
    • There must be a credible option for these hosts, otherwise, you diminish much of the effect of implementing NAC in the first place
  • 14. Addressing the Outliers
    • One option is to put a firewall in front of each and every host that cannot comply. This can be done with physical firewalls (i.e. a small firewall in front of every host):
      • Pros – Straightforward and easy for the policy people to understand and buy into; depending on the situation, could be more cost-effective
      • Cons – Logistically difficult and hard to administer; not scalable to large numbers of hosts
  • 15. Addressing the Outliers (Cont.)
    • You can also do it (yes, you guessed it) VIRTUALLY
    • Difficult to do with standard 802.1q VLANs because it is not scalable and it is difficult to avoid needing a proper subset of addresses per VLAN
    • Difficult to do with ACLs because of the sheer number needed; also not scalable and difficult to maintain
    • Solution: Use sufficient security techniques to obviate the need for real firewalls
  • 16. Agenda
    • Background/Overview
    • Network Virtualization Techniques
    • Network Access Control
    • Securing the Wild, Wild, West
    • Q&A
  • 17. Securing the Wild, Wild, West
    • Overview:
      • Private VLANs to separate broadcast domains
      • Port Security prevents MAC spoofing
      • DHCP snooping prevents client attacks on the switch and the DHCP server
      • Dynamic ARP Inspection adds security to ARP using DHCP snooping table
      • IP Source Guard adds security to IP source address using DHCP snooping table
  • 18. Securing the Wild, Wild, West (Cont.)
    • Private VLANs
      • PVLANs allow segregating a broadcast segment into a non-broadcast multi-access-like segment.
      • Traffic that comes to a switch from a promiscuous port is able to go out on all the ports that belong to the same primary VLAN.
      • Traffic that comes to a switch from a port mapped to a secondary VLAN (it can be either an isolated, a community, or a two-way community VLAN) can be forwarded to a promiscuous port or a port belonging to the same community VLAN.
    Diagram: a primary VLAN spanning distribution and access, with isolated and community secondary VLANs on the access ports.
  • 19. Securing the Wild, Wild, West (Cont.)
    • Port Security
      • Restrict a port's ingress traffic by limiting the MAC addresses that are allowed to send traffic into the port
      • Number of addresses allowed on the port is configurable
      • Dynamically learned MAC address cuts down on administrative overhead
      • “sticky” and non-“sticky” variants give the option of retaining learned addresses across port-down events
    Only 1 MAC Address Allowed on the Port: Shutdown
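    A small model of the port-security behaviour described in the slide notes and on this slide, the MAC limit per port, dynamic learning, the two violation conditions and the protect / restrict / shutdown modes. This is an added example, not code from the slides or from Cisco; the port names, MAC addresses and per-port limits are constructed sample values:

```python
"""Model of switch port security: a per-port limit on secure MAC addresses and
the protect / restrict / shutdown violation modes.  Added example; the ports,
MAC addresses and limits below are constructed, not taken from a real switch."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int                   # switchport port-security maximum <n>
    violation: str = "shutdown"    # switchport port-security violation {protect|restrict|shutdown}
    static: set = field(default_factory=set)   # 'switchport port-security mac-address <mac>'
    learned: set = field(default_factory=set)  # dynamically learned secure addresses
    security_violations: int = 0   # the SecurityViolation counter
    err_disabled: bool = False

    def secure_addresses(self) -> set:
        return self.static | self.learned

    def violate(self) -> str:
        """Apply the configured violation mode; return what happens to the frame."""
        if self.violation == "protect":
            return "drop"              # silent drop, counter is not incremented
        self.security_violations += 1
        if self.violation == "restrict":
            return "drop"              # dropped and counted (syslog/trap on a real switch)
        self.err_disabled = True       # shutdown: the whole port goes error-disabled
        return "errdisable"

    def recover(self) -> None:
        """errdisable recovery cause psecure-violation, or shutdown / no shutdown."""
        self.err_disabled = False


class Switch:
    """Holds the secured ports so the 'secure on another port' rule can be checked."""

    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}

    def _secured_elsewhere(self, mac: str, port_name: str) -> bool:
        return any(mac in p.secure_addresses()
                   for name, p in self.ports.items() if name != port_name)

    def ingress(self, port_name: str, src_mac: str) -> str:
        """Return 'forward', 'drop' or 'errdisable' for one frame entering port_name."""
        port = self.ports[port_name]
        if port.err_disabled:
            return "errdisable"            # nothing passes until the port is recovered
        if self._secured_elsewhere(src_mac, port_name):
            return port.violate()          # condition 2: MAC already secure on another port
        if src_mac in port.secure_addresses():
            return "forward"
        if len(port.secure_addresses()) < port.maximum:
            port.learned.add(src_mac)      # room left in the table: learn dynamically
            return "forward"
        return port.violate()              # condition 1: table full, unknown source


if __name__ == "__main__":
    # Constructed demo: a phone port allowed 3 MACs (restrict) and a 1-MAC port (shutdown).
    sw = Switch([SecurePort("Fa0/1", maximum=3, violation="restrict"),
                 SecurePort("Fa0/2", maximum=1, violation="shutdown")])
    for mac in ("00:00:5e:00:53:01", "00:00:5e:00:53:02",
                "00:00:5e:00:53:03", "00:00:5e:00:53:04"):
        print("Fa0/1", mac, sw.ingress("Fa0/1", mac))
    print("Fa0/2 reusing 00:00:5e:00:53:01:", sw.ingress("Fa0/2", "00:00:5e:00:53:01"))
```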
  • 20. Securing the Wild, Wild, West (Cont.)
    • DHCP Snooping
      • Acts like a firewall between untrusted hosts and trusted DHCP servers
      • Validates and Rate-Limits DHCP messages received from untrusted sources and filters out invalid messages.
      • Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses to validate subsequent requests from untrusted hosts
    Diagram: the DHCP server sits behind a trusted port; DHCP requests arrive from untrusted ports, and an unauthorized DHCP response from an untrusted port is blocked by DHCP snooping.
  • 21. Securing the Wild, Wild, West (Cont.)
    • Dynamic ARP Inspection
      • Intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings
      • Valid ARP packets based upon DHCP snooping binding database or from user-configured ARP access control lists (ACLs)
      • Configurable to drop ARP packets when either the IP address or the MAC address in the body does not match the Ethernet header
    Diagram: as on the previous slide, plus a host on an untrusted port claiming “I’m your GW: 10.1.1.1”; the switch rejects it (“Not by my binding table”).
  • 22. Securing the Wild, Wild, West (Cont.)
    • IP Source Guard
      • IP source guard prevents IP spoofing by allowing only the IP addresses that are obtained through DHCP snooping on a particular port.
      • This process restricts the client IP traffic to those source IP addresses that are obtained from the DHCP server; any IP traffic with a source IP address other than that in the PACLs permit list is filtered out
    Diagram: as on the previous slides, a host on an untrusted port claiming “I’m your GW: 10.1.1.1” is rejected (“Not by my Port ACL”).
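    Slides 20 to 22 describe one dependency chain: DHCP snooping builds the binding database, and Dynamic ARP Inspection and IP Source Guard consult it. The model below, an added example not taken from the slides or from Cisco, walks that chain on constructed messages; port names, MAC addresses, the leased address and the method names are assumptions, while 10.1.1.1 is the gateway address shown on the slides:

```python
"""Model of how the DHCP snooping binding database feeds Dynamic ARP Inspection
and IP Source Guard.  Added example; the port names, MACs and addresses are
constructed and no real traffic is read."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    port: str


class AccessSwitch:
    SERVER_MSGS = {"OFFER", "ACK", "NAK"}

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)  # 'ip dhcp snooping trust': uplink / server ports
        self.pending = {}                  # client MAC -> untrusted port that sent DISCOVER/REQUEST
        self.bindings = {}                 # port -> set of Binding (the snooping binding database)

    def _port_bindings(self, port):
        return self.bindings.get(port, set())

    # --- DHCP snooping ----------------------------------------------------
    def dhcp(self, port, msg_type, eth_src, chaddr, yiaddr=None):
        """Validate one DHCP message; server replies are only accepted from trusted ports."""
        if port in self.trusted:
            if msg_type == "ACK" and chaddr in self.pending:
                client_port = self.pending.pop(chaddr)   # the port the lease belongs to
                self.bindings.setdefault(client_port, set()).add(
                    Binding(chaddr, yiaddr, client_port))
            return "forward"
        if msg_type in self.SERVER_MSGS:
            return "drop"                  # unauthorized DHCP response on an untrusted port
        if eth_src != chaddr:
            return "drop"                  # client hardware address does not match the frame
        self.pending[chaddr] = port        # remember who asked, to place the binding later
        return "forward"

    # --- Dynamic ARP Inspection -------------------------------------------
    def arp(self, port, eth_src, sender_mac, sender_ip):
        """Untrusted ARP must match a binding on this port and carry a consistent source MAC."""
        if port in self.trusted:
            return "forward"
        if eth_src != sender_mac:
            return "drop"                  # body MAC disagrees with the Ethernet header
        ok = any(b.mac == sender_mac and b.ip == sender_ip
                 for b in self._port_bindings(port))
        return "forward" if ok else "drop"   # logged and discarded on a real switch

    # --- IP Source Guard --------------------------------------------------
    def ip(self, port, src_ip):
        """Only source IPs leased to this port through DHCP may be used on it."""
        if port in self.trusted:
            return "forward"
        ok = any(b.ip == src_ip for b in self._port_bindings(port))
        return "forward" if ok else "drop"   # the per-port ACL permit list


if __name__ == "__main__":
    sw = AccessSwitch(trusted_ports=["Gi0/1"])
    mac = "00:00:5e:00:53:10"
    sw.dhcp("Fa0/1", "DISCOVER", mac, mac)
    sw.dhcp("Gi0/1", "ACK", "00:00:5e:00:53:ff", mac, yiaddr="10.1.1.50")
    print("rogue OFFER on Fa0/2:   ", sw.dhcp("Fa0/2", "OFFER", "00:00:5e:00:53:20", mac, "10.1.1.99"))
    print("legit ARP on Fa0/1:     ", sw.arp("Fa0/1", mac, mac, "10.1.1.50"))
    print("'I'm your GW' on Fa0/2: ", sw.arp("Fa0/2", "00:00:5e:00:53:20", "00:00:5e:00:53:20", "10.1.1.1"))
    print("spoofed IP on Fa0/1:    ", sw.ip("Fa0/1", "10.1.1.1"))
```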
  • 23. The End
    • Questions? Comments? Criticisms?
    • For more information:
    Steven Carter – stevenca@cisco.com Susan Stewart – sustewar@cisco.com