Securing the Access Layer (IOS Advantage Webinar)

Different techniques can be used to secure the access layer, from establishing a perimeter and blocking known attack vectors to enhancing your ability to monitor rogue activity on your network. By implementing the right combination of features, you can greatly enhance your ability provide secure network access.

    Presentation Transcript

    • Cisco IOS Advantage Webinars: Securing the Access Layer. Jason Frazier / Andrew Yourtchenko / Ralph Schmieder. We’ll get started a few minutes past the top of the hour. Note: you may not hear any audio until we get started. © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential (slide 1)
    • Speakers: Jason Frazier, Ralph Schmieder, Andrew Yourtchenko. Panelists: Shelly Cadora, Ken Hook, Eric Vyncke. (slide 2)
    • Housekeeping (slide 3)
      • Submit questions in the Q&A panel and send to “All Panelists”; avoid the CHAT window for better access to panelists
      • For Webex audio, select COMMUNICATE > Join Audio Broadcast
      • For Webex call back, click the ALLOW Phone button at the bottom of the Participants side panel
      • Where can I get the presentation? https://communities.cisco.com/docs/DOC-29149, or send email to ask_iosadvantage@cisco.com
      • Please fill in the survey at the end of the event
      • Join us on June 6 for our next IOS Advantage Webinar: Deploying Application Visibility and Control Policies
    • Why secure the access layer? (slide 4)
      • Risk and Exposure: exposed to end users, the access layer is inherently vulnerable
      • Infrastructure Protection: security at the network edge protects the network infrastructure
      • Network Intelligence: key data can only be gathered at the access layer
    • Two approaches (slide 5)
      • Enforce: establish the perimeter; block known attack vectors; apply best practices
      • Monitor: make L2 and L3 flows centrally visible; collect detailed telemetry of endpoints
    • Agenda (slide 6): Intro; Establish the Perimeter; Monitor; IPv6 Refresher; SeND; Distributed vs. Centralized; IPv6 Vulnerabilities and Attack Vectors; Enforce; Conclusion
    • IEEE 802.1X is like a port firewall (slide 8): no access for unknown users; customizable access for authenticated users and devices
    • 802.1X host modes (slide 9)
      • Single Host (802.1X): only one MAC address is allowed; a 2nd MAC address causes a security violation
      • Multi-Domain Auth (MDA): each domain (Voice or Data) authenticates one MAC address; a 2nd MAC address on each domain causes a security violation (per-domain VLAN and dACL)
      • Multi-Authentication: the Voice domain authenticates one MAC address; the Data domain authenticates multiple MAC addresses (e.g., behind a hub); dACL or single VLAN assignment for all devices is supported
      • Multi-Host: the 1st MAC address is authenticated; a 2nd endpoint piggybacks on the 1st MAC address’s authentication and bypasses authentication
    • Known attack vectors (slide 10): spoofing and MITM; bypassing NAC requirements. Sophisticated, commercial tools are available (example: Pwn Plug Elite). How to address this?
    • MACSec on the downlink and on the uplink (slide 11): even with physical access, rogue users cannot monitor or spoof encrypted traffic
    • Network Edge Authentication Topology (NEAT), an industry first (slide 12; diagram: corporate resources behind an ISE-enforced perimeter demarcation, insecure vs. secure side): extend trust into physically unsecured locations (e.g., conference rooms, cubicles, etc.); prevent unauthorized network extensions; secure access control for shared media access
    • Not all networks are alike – Cisco offers a solution that suits your needs! (slide 13)
    • Solution (slide 18)
      • Securing the perimeter is part of TrustSec; this includes the Policy Server and proven designs which span multiple technologies
      • Deployment Models: pick what is best suited for your environment; adapt the solution to changing security requirements
      • Feature Rich Implementation: successful implementation in real-world networks goes way beyond basic authentication; address all networked devices, known and unknown; BYOD as part of the solution
      • Guidelines available: TrustSec Design & Implementation Guide (DIG, www.cisco.com/go/trustsec); whitepapers, data sheets and presentations (www.cisco.com/go/ibns)
    • Monitoring questions (slide 20)
      • Can I identify network attacks before they impact productivity?
      • Can I prevent loss of data and employee productivity in case of attacks?
      • Can I protect the company’s brand and reputation?
    • Flow analysis from the wiring closet (slide 21)
      • Know your network: know the applications running in your network; know what devices are accessing what resources; perform capacity planning
      • Flow analysis from the wiring closet: all flows available with the greatest detail; locate the source precisely: get the MAC address and access port information associated with the flow; location awareness: map ports to location; correlate flow, port and MAC; mapping user identity to the flows is the next step
      • And more: external software to analyze, correlate and alarm; anomaly detection and reporting
    • Visibility with Smart Logging (slide 22; diagram: attack, countermeasure, NetFlow collector): smart logging/telemetry via NetFlow v9. Is the access layer under attack? What is the nature of the attack? Are my countermeasures working? http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps10745/product_bulletin_c25-658743_ps6406_Products_Bulletin.html
    • Visibility with IOS Sensor (slide 24; diagram: the switch feeds NetFlow, DHCP, CDP and LLDP data to ISE over RADIUS, classifying employee, guest, employee with bad credential, rogue and 802.1X managed assets): correlate CDP, LLDP, DHCP, MAC OUI, RADIUS, NetFlow data and location; centralized profiling and analysis at ISE. http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/15.0_1_se/device_sensor/guide/sensor_guide.html
    • Monitor Mode (slide 26)
      • RADIUS authentication & accounting logs at ISE: username, MAC address, IP address, switch, port, usage statistics, all in one place!
      • Passed/failed 802.1X attempts: valid / invalid 802.1X-capable endpoints
      • Passed/failed MAB attempts: valid / unknown MACs
      • What ‘Monitor Mode’ is: authenticate without authorizing; 802.1X / MAB reveal who / what; everyone still gets full access
      • Why: leverage existing information; prepare for access control; the “easy button” for 802.1X
    • Link operations (slide 28): operations contained within the link boundaries, necessary for a node to communicate with its neighbors, including the link exit points. It encompasses: address configuration parameters; address initialization; address resolution; default gateway discovery; local network configuration; neighbor reachability tracking
    • NDP, the ARP replacement in IPv6 (slide 29)
      • Discovers other hosts and routers on the local network; incorporates many features from older link-layer protocols; makes extensive use of IPv6 multicast addresses; operates using ICMPv6
      • NDP is also the protocol used to learn information about other hosts and about routers: address resolution (like we used to do with ARP), duplicate addresses, neighbor unreachability, next hop, discovery, network prefix, network parameters, autoconfiguration
    • Primary ICMPv6 NDP messages (slide 30): Neighbor Solicitation (NS); Neighbor Advertisement (NA); Router Solicitation (RS); Router Advertisement (RA); Redirects. Built on them: Neighbor Unreachability Detection (NUD), Duplicate Address Detection (DAD), IPv6 Stateless Address Auto Configuration (SLAAC). All can be used as attack vectors! Defined in RFC 4861, “Neighbor Discovery for IP Version 6 (IPv6)” and RFC 4862 (“IPv6 Stateless Address Autoconfiguration”)
    • End-nodes are exposed to many threats (slide 31)
      • Address configuration parameters: trickery on configuration parameters
      • Address initialization: denial of address insertion
      • Address resolution: address stealing
      • Default gateway discovery: rogue routers
      • Local network configuration: trickery on configuration parameters
      • Neighbor reachability tracking: trickery on neighbor status
      • Malicious nodes can hide on the link: to disrupt link operations; to poison neighbor caches; to attack on-link or off-link victims; to hijack key roles such as routers or DHCP servers
      • Malicious nodes can sit anywhere in the network: to launch DoS attacks on the last router and exploit link-operations security caveats
    • Threats are very much topology dependent: what is specific to IPv6 from a topology standpoint? (slide 32) More addresses! More end-nodes allowed on the link (up to 2^64!); bigger neighbor cache on end-nodes and on the default router; may lead to some dramatic topology evolution; creates new opportunities for DoS attacks. Threats are also dependent on the protocols in use: what is different? More distributed and more autonomous operations; nodes discover their default router automatically; nodes auto-configure their addresses; nodes defend themselves (SeND); distributed address assignment creates more challenges for address security
    • IPv4 vs. IPv6 link model (slide 33): the legacy IPv4 link model is very much DHCP-centric: the DHCP server assigns addresses, announces link parameters and announces the default router. The IPv6 link model is essentially distributed, with DHCP playing a minor role: nodes self-assign addresses
    • Distributed security ≡ Secure Neighbor Discovery (slide 35). What SeND provides: each node on the link takes care of its own security; verifies router legitimacy; verifies address ownership. What SeND does not provide: it does not verify other key role legitimacy (DHCP server, NTP, etc.); it only applies to link operations; it does not provide end-to-end security; it does not guarantee authorization (≠ 802.1X)
    • Address ownership with SeND (slide 36; diagram): the node computes the interface-id, forms Address = Prefix + Interface-id and signs its ND message with Src = Address; the receiver verifies the signature: “My address!”
    • Router authorization with SeND (slide 37; sequence diagram with CA0, router R and a host): 1. Certificate Authority certificate C0; 2. certificate request from R; 3. router certificate CR issued by CA0; R sends a Router Advertisement; 4. Certificate Path Solicit (CPS) from the host: “I trust CA0, who are you?”; 5. Certificate Path Advertise (CPA) from R: “I am R, this is my certificate CR”; 6. the host verifies CR against CA0; 7. the host starts using R as default gateway
    • Chain of trust (slide 38; diagram: CAs, routers and hosts within an administrative boundary): a chain of trust is “easy” to establish within the administrative boundaries, but very hard outside. To benefit fully from SeND, nodes must be provisioned with CA certificate(s), be time synchronized / have access to the NTP server, and have access to a CRL or OCSP server
    • SeND in practice (slide 39): due to transition realities and lack of pervasive support for SeND, at best there will be a mix of CGA, Router Auth. and “old” ND support; more likely, a small number of SeND-capable nodes lost in the middle of many non-capable ones. This has almost no value because it’s a two-player game: nodes with no SeND / CGA support can’t verify SeND / CGA credentials!
    • Trustee: move to a different deployment model? (slide 40)
    • Distributed vs. centralized (slide 42; diagram: attacker, DHCP server/relay, web server, time server, router and hosts, split into trusted and un-trusted end-nodes). Distributed: security verified between any pair of nodes. Centralized: security verified between each node and the central switch
    • Distributed model (slide 43; diagram: hosts, L2/link infrastructure, certificate, time, DHCP and configuration servers, provisioning infrastructure, Internet)
      • Advantages: no central administration, no central operation; no bottleneck, no single point of failure; intrinsic part of the link operations; no tying up to the L2 infra; load distribution
      • Disadvantages: heavy provisioning of end-nodes; only provisioned end-nodes are protected; tied up to nodes’ capability; bootstrapping issue; complexity spread all over the domain
    • Centralized model (slide 44; same diagram)
      • Advantages: central administration, central operation; complexity and provisioning limited to the first hop; all nodes protected; transitioning much easier
      • Disadvantages: applicable only to certain topologies; requires the first hop to learn about end-nodes; the first hop can be a bottleneck and single point of failure
    • The central switch (slide 45). What is it? Takes care of all nodes’ security, primarily from a link-operations standpoint; leverages information gleaned by snooping link operations; arbitrates between different address assignment methods, different protocols, different nodes, different ports, etc. Requirements: must be “in the centre” or part of the security perimeter; requires some provisioning; must be versatile (NDP, SeND, DHCP, MLD, etc.)
    • First Hop Security (FHS) (slide 46; diagram: FHS enforced at each access switch)
    • Router discovery (slide 48): find default/first-hop routers; discover on-link prefixes => which destinations are neighbors. Messages: Router Advertisements (RA), Router Solicitations (RS). Exchange between host A and router B:
      • RS from A: ICMP Type = 133 (Router Solicitation), Src = UNSPEC (or host link-local address), Dst = all-routers multicast address (FF02::2), Query = please send RA
      • RA from B: ICMP Type = 134 (Router Advertisement), Src = router link-local address, Dst = all-nodes multicast address (FF02::1), Data = router lifetime, retrans time, autoconfig flag, Option = prefix, lifetime
      • Result: A uses B as default gateway
    • Rogue router attack (slide 49): the attacker tricks the victim into accepting it as default router, based on rogue Router Advertisements; the most frequent threat, and one often caused by a non-malicious user. Exchange among host A, router B and attacker C:
      • RA from C: Src = C’s link-local address, Dst = all-nodes, Data = router lifetime, autoconfig flag, Options = subnet prefix, SLLA
      • A second RA: Src = B’s link-local address, Dst = all-nodes, Data = router lifetime = 0
      • Result: node A sends off-link traffic to C
    • Stateless address autoconfiguration (slide 50): stateless, based on prefix information delivered in Router Advertisements. Messages: Router Advertisements, Router Solicitations.
      • RS: ICMP Type = 133 (Router Solicitation), Src = UNSPEC (or host link-local address), Dst = all-routers multicast address (FF02::2), Query = please send RA
      • RA: ICMP Type = 134 (Router Advertisement), Src = router link-local address, Dst = all-nodes multicast address (FF02::1), Data = router lifetime, retrans time, autoconfig flag, Options = prefixes X, Y, Z and their lifetime
      • The host computes X::x, Y::y, Z::z, DADs them (NS), then sources traffic with X::x, Y::y, Z::z
    • Rogue prefix attack (slide 51): the attacker spoofs a Router Advertisement with a false on-link prefix; the victim generates an IP address with this prefix; the access router drops outgoing packets from the victim (ingress filtering); incoming packets can’t reach the victim. Exchange among host A, router B and attacker C:
      • RA with Src = B’s link-local address, Dst = all-nodes, Options = prefix X, preferred lifetime = 0: A deprecates X::A
      • RA with Src = B’s link-local address, Dst = all-nodes, Options = prefix BAD, preferred lifetime: A computes BAD::A and DADs it
      • Result: node A sources off-link traffic to B with BAD::A, and B filters out BAD::A
    • Address resolution (slide 52): resolves an IP address into a MAC address and creates a neighbor cache entry. Messages: Neighbor Solicitation, Neighbor Advertisement. Exchange between A and B (C also on the link):
      • NS from A: ICMP type = 135 (Neighbor Solicitation), Src = A, Dst = solicited-node multicast address of B, Data = B, Option = link-layer address of A, Query = what is B’s link-layer address?
      • NA from B: ICMP type = 136 (Neighbor Advertisement), Src = one of B’s interface addresses, Dst = A, Data = B, Option = link-layer address of B
      • Result: A and B can now exchange packets on this link
    • Address resolution attack (slide 53): the attacker can claim the victim’s IP address. A sends NS: Dst = solicited-node multicast address of B, Query = what is B’s link-layer address? C answers with NA: Src = B or any of C’s interface addresses, Dst = A, Data = B, Option = link-layer address of C
    • Duplicate Address Detection (slide 54): verify address uniqueness; probe neighbors to verify nobody claims the address. Messages: Neighbor Solicitation, Neighbor Advertisement. NS from A: ICMP type = 135 (Neighbor Solicitation), Src = UNSPEC = 0::0, Dst = solicited-node multicast address of A, Data = A, Query = does anybody use A already? If nobody answers, node A can start using address A
    • DAD attack (slide 55): the attacker hijacks any of the victim’s DAD attempts; the victim can’t configure an IP address and can’t communicate. A sends NS: Src = UNSPEC, Dst = solicited-node multicast address of A, Data = A, Query = does anybody use A already? C answers with NA “it’s mine!”: Src = any of C’s interface addresses, Dst = A, Data = A, Option = link-layer address of C
    • IPv4 first-hop security features and the attacks they address (slide 57): DHCP Snooping (DHCP attacks); Dynamic ARP Inspection (ARP attacks, MiTM); IP Source Guard (IP spoof attacks); Control Plane Policing (CPU attacks, DoS); BPDU Guard (STP attacks); RA Guard (RA attacks)
    • For more info: http://www.cisco.com/web/strategy/docs/gov/turniton_cisf.pdf (slide 58)
    • IPv6 First Hop Security features (slide 62)
      • IPv6 Binding Integrity Guard: integrity protection for the FHS binding table; protection against IPv6 address theft
      • IPv6 RA Guard: protection against MiM attacks; protection against rogue or malicious Router Advertisements
      • IPv6 DHCP Guard: protection against MiM & DoS attacks; rejects invalid DHCP Offers
      • IPv6 Source Guard: validates the source address or prefix; protects against source address spoofing
      • IPv6 Destination Guard: validates the destination address of IPv6 traffic reaching the link; protects against scanning or DoS attacks
    • If IPv6 RA Guard is not available, an IPv6 port ACL on the access port can block DHCPv6 server-to-client traffic and Router Advertisements (slide 68; the slide’s last ACL line reads “permit any any”, which IOS IPv6 ACL syntax needs written with the protocol keyword):

          ipv6 access-list ACCESS_PORT
           remark Block all traffic DHCP server -> client
           deny udp any eq 547 any eq 546
           remark Block Router Advertisements
           deny icmp any any router-advertisement
           permit ipv6 any any
          !
          interface GigabitEthernet1/0/1
           switchport
           ipv6 traffic-filter ACCESS_PORT in

    • IPv6 RA Guard (slide 69; diagram: a host asks “?”, an RA claims “I am the default gateway” with prefix option(s), and the switch bridges the RA only if verification succeeded): the switch selectively accepts or rejects RAs based on various criteria; it can be ACL (configuration) based, learning based or challenge (SeND) based; hosts see only allowed RAs, and RAs with allowed content
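A configuration-based RA Guard decision of the kind slides 49, 51 and 69 describe, as an added Python example written for this page (not Cisco code): it parses constructed Router Advertisements and bridges only those arriving on a router-role port, from a trusted router MAC, with prefixes on the allowed list. The MACs, prefixes and policy values are constructed sample data.

```python
import ipaddress
import struct

ICMPV6_RA = 134               # ICMPv6 type 134: Router Advertisement
OPT_SLLA, OPT_PREFIX = 1, 3   # ND options: Source Link-Layer Address, Prefix Information


def build_ra(src_mac, router_lifetime, prefixes, preferred_lifetime=604800, valid_lifetime=2592000):
    """Construct an ICMPv6 RA body as sample input (checksum left as zero)."""
    body = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, router_lifetime, 0, 0)
    body += struct.pack("!BB6s", OPT_SLLA, 1, bytes.fromhex(src_mac.replace(":", "")))
    for prefix in prefixes:
        net = ipaddress.IPv6Network(prefix)
        body += struct.pack("!BBBBIII16s", OPT_PREFIX, 4, net.prefixlen, 0xC0,
                            valid_lifetime, preferred_lifetime, 0, net.network_address.packed)
    return body


def parse_ra(data):
    """Extract the RA fields RA Guard needs: router lifetime, source MAC, advertised prefixes."""
    if len(data) < 16 or data[0] != ICMPV6_RA:
        raise ValueError("not a Router Advertisement")
    ra = {"router_lifetime": struct.unpack_from("!H", data, 6)[0], "slla": None, "prefixes": []}
    off = 16
    while off + 2 <= len(data):                      # walk the TLV options (length in 8-byte units)
        opt_type, opt_len = data[off], data[off + 1]
        if opt_len == 0 or off + opt_len * 8 > len(data):
            raise ValueError("malformed ND option")
        if opt_type == OPT_SLLA:
            ra["slla"] = data[off + 2:off + 8].hex(":")
        elif opt_type == OPT_PREFIX:
            plen, _flags, valid, preferred, _res, addr = struct.unpack_from("!BBIII16s", data, off + 2)
            net = ipaddress.IPv6Network("%s/%d" % (ipaddress.IPv6Address(addr), plen), strict=False)
            ra["prefixes"].append({"prefix": str(net), "preferred": preferred, "valid": valid})
        off += opt_len * 8
    return ra


def ra_guard(raw, port_role, trusted_router_macs, allowed_prefixes):
    """Decide whether one RA received on one port is bridged to hosts: (bridge?, reason)."""
    if port_role != "router":                        # hosts never send RAs; drop before parsing
        return False, "RA received on a host-role port"
    ra = parse_ra(raw)
    if ra["slla"] not in trusted_router_macs:
        return False, "source MAC %s is not a trusted router" % ra["slla"]
    allowed = [ipaddress.IPv6Network(p) for p in allowed_prefixes]
    for p in ra["prefixes"]:                         # also catches lifetime-0 "deprecate" tricks on bad prefixes
        if ipaddress.IPv6Network(p["prefix"]) not in allowed:
            return False, "prefix %s not permitted on this link" % p["prefix"]
    return True, "RA bridged to hosts"


# Constructed policy and samples: B is the legitimate router, C a host on a host-role port.
ROUTER_B_MAC, HOST_C_MAC = "00:11:22:33:44:0b", "00:11:22:33:44:0c"
POLICY = {"trusted_router_macs": {ROUTER_B_MAC}, "allowed_prefixes": ["2001:db8:1::/64"]}
SAMPLES = {
    "legit_from_B": (build_ra(ROUTER_B_MAC, 1800, ["2001:db8:1::/64"]), "router"),
    "rogue_from_C": (build_ra(HOST_C_MAC, 1800, ["2001:db8:1::/64"]), "host"),          # slide 49
    "bad_prefix_from_C": (build_ra(HOST_C_MAC, 1800, ["2001:db8:bad::/64"]), "host"),   # slide 51
    "forged_on_router_port": (build_ra(ROUTER_B_MAC, 0, ["2001:db8:bad::/64"]), "router"),
}


def evaluate_samples():
    """Run every sample RA through the guard; returns name -> (bridged?, reason)."""
    return {name: ra_guard(raw, role, **POLICY) for name, (raw, role) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (bridged, reason) in evaluate_samples().items():
        print("%-24s %s: %s" % (name, "BRIDGE" if bridged else "DROP  ", reason))
```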
    • Parsing the IPv6 header chain (slide 70): the extension header chain can be so large that it is fragmented! Finding the layer 4 information is not trivial in IPv6: skip all known extension headers until either a known layer 4 header is found => SUCCESS, or an unknown extension header / layer 4 header is found => FAILURE, or the end of the extension headers is reached => FAILURE. Example on the slide: fragment 1 = IPv6 hdr, Hop-by-Hop, Routing, Destination, Destination; fragment 2 = IPv6 hdr, Hop-by-Hop, ICMP, Data; the layer 4 header is in the 2nd fragment
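The header-chain walk of slide 70, as an added Python example written for this page (not Cisco code): it implements the SUCCESS/FAILURE rules above and builds constructed packets, including a chain split across two fragments, so the layer 4 header is unreachable from either fragment alone. Addresses and the fragment identification are constructed values.

```python
import ipaddress
import struct

# IPv6 Next Header values (RFC 2460 / IANA)
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, NO_NEXT = 0, 43, 44, 60, 59
EXTENSION_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}
KNOWN_LAYER4 = {6: "TCP", 17: "UDP", 58: "ICMPv6"}


def find_layer4(pkt):
    """Walk the header chain of one IPv6 packet.

    Returns (status, detail, offset): "SUCCESS" with the layer-4 name and the byte offset
    where it starts, or "FAILURE" with the reason (unknown header, or the chain ends before
    a layer-4 header, e.g. because the chain itself was fragmented).
    """
    if len(pkt) < 40:
        return "FAILURE", "truncated IPv6 header", None
    next_header, off = pkt[6], 40
    while True:
        if next_header in KNOWN_LAYER4:
            return "SUCCESS", KNOWN_LAYER4[next_header], off
        if next_header == NO_NEXT:
            return "FAILURE", "no next header", off
        if next_header not in EXTENSION_HEADERS:
            return "FAILURE", "unknown header %d" % next_header, off
        if off + 8 > len(pkt):
            return "FAILURE", "packet ends inside the extension header chain", off
        if next_header == FRAGMENT:
            nxt, _reserved, frag_field, _ident = struct.unpack_from("!BBHI", pkt, off)
            if frag_field >> 3:            # non-zero fragment offset: not the first fragment
                return "FAILURE", "non-first fragment, layer 4 header is in another fragment", off
            hdr_len = 8
        else:                              # Hop-by-Hop, Routing, Destination: length in 8-byte units + 8
            nxt, hdr_len = pkt[off], (pkt[off + 1] + 1) * 8
        if off + hdr_len > len(pkt):
            return "FAILURE", "extension header runs past the end of this fragment", off
        next_header, off = nxt, off + hdr_len


# Constructed packet builders (no checksums; enough for header-chain parsing).
SRC = ipaddress.IPv6Address("2001:db8::1").packed
DST = ipaddress.IPv6Address("2001:db8::2").packed


def ipv6_header(next_header, payload):
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64, SRC, DST)


def options_header(next_header, total_len=8):
    """Hop-by-Hop or Destination Options header filled with a single PadN option."""
    padn = bytes([1, total_len - 4]) + bytes(total_len - 4)
    return bytes([next_header, total_len // 8 - 1]) + padn


def fragment_header(next_header, offset_units, more, ident=0x1234):
    return struct.pack("!BBHI", next_header, 0, (offset_units << 3) | more, ident)


def sample_packets():
    """Constructed samples: plain ICMPv6, a chain split over two fragments, an unknown header."""
    icmp = bytes([128, 0, 0, 0, 0, 0, 0, 0])        # ICMPv6 echo request, checksum 0
    simple = options_header(58) + icmp
    # Fragmentable part: a 32-byte Destination Options header followed by ICMPv6, cut after
    # 16 bytes so the chain continues in the second fragment (the slide's case).
    fragmentable = options_header(58, 32) + icmp
    frag1 = options_header(FRAGMENT) + fragment_header(DEST_OPTS, 0, 1) + fragmentable[:16]
    frag2 = options_header(FRAGMENT) + fragment_header(DEST_OPTS, 2, 0) + fragmentable[16:]
    unknown = options_header(253) + icmp            # 253: experimental, unknown to the parser
    return {
        "simple": ipv6_header(HOP_BY_HOP, simple) + simple,
        "frag1": ipv6_header(HOP_BY_HOP, frag1) + frag1,
        "frag2": ipv6_header(HOP_BY_HOP, frag2) + frag2,
        "unknown": ipv6_header(HOP_BY_HOP, unknown) + unknown,
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(name, find_layer4(pkt))
```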
    • Binding table, address glean (slide 71; diagram: host → switch asks “Valid?” → bridge): arbitrate collisions, check ownership; check against the max allowed per box / VLAN / port; record & report changes
    • Binding table with device state tracking (slide 72). Example table for hosts H1, H2, H3:

          IPv6  MAC    VLAN  IF  STATE
          A1    MACH1  100   P1  REACH
          A21   MACH2  100   P2  REACH
          A22   MACH2  100   P2  REACH
          A3    MACH3  100   P3  STALE

      Address glean: keep track of device state; probe devices when they become stale; remove inactive devices from the binding table; record binding creation/deletion/changes. Messages shown: DAD NS [IP source = UNSPEC, target = A1]; NA [target = A1, LLA = MACH1]; DAD NS [IP source = UNSPEC, target = A3]
    • Address glean sources (slide 73; diagram: hosts H1..H3, switch binding table, DHCP server): ND messages NS [IP source = A1, LLA = MACH1] and NA [IP source = A1, LLA = MACH3] (a conflicting claim for A1); DHCP REQUEST [XID, SMAC = MACH2] and REPLY [XID, IP A21, IP A22]; a data packet [IP source = A3, SMAC = MACH3], followed by DAD NS [IP source = UNSPEC, target = A3] and DHCP LEASEQUERY / LEASEQUERY_REPLY to verify it. Resulting table: A1 MACH1 100 P1; A21 MACH2 100 P2; A22 MACH2 100 P2; A3 MACH3 100 P3
    • IPv6 Source Guard (slide 74). Binding table: A1 MACA1 100 P1; A21 MACA21 100 P2; A22 MACA22 100 P2; A3 MACA3 100 P3, gleaned from DAD NS [IP source = UNSPEC, target = A3], NA [target = A1, LLA = MACA3] and DHCP LEASEQUERY / LEASEQUERY_REPLY (P3 :: A3, MACA3). Traffic: P1 :: data, src = A1, SMAC = MACA1; P2 :: data, src = A21, SMAC = MACA21; P3 :: data, src = A3, SMAC = MACA3. Rule: allow traffic sourced with a known IP/SMAC; deny traffic sourced with an unknown IP/SMAC
    • IPv6 Destination Guard (slide 75; diagram: Internet → L3 switch with binding table and neighbor cache → host B; an attacker scanning {P/64} sends packets with Src = D1 … Dn; the lookup of D1 in the binding table finds no entry, so the packet is dropped instead of forwarded): mitigates prefix-scanning attacks and protects the ND cache; useful at the last-hop router and L3 distribution switch; drops packets for destinations without a binding entry
    • DHCP gleaning through the relay (slide 76; sequence between host, switch binding table and DHCP server): DHCP REQUEST from the host; the switch forwards DHCP REQUEST + Interface-ID option to the server; DHCP REPLY + Interface-ID option comes back; the switch stores the binding and sends the DHCP REPLY to the host
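The binding table behaviour of slides 71 to 76 (glean from ND, DHCP and data packets; arbitrate collisions; enforce a per-port address limit; stale, probe and delete; and the Source Guard and Destination Guard lookups against it), as an added Python model written for this page; it is an illustration, not Cisco's implementation, and the addresses, MACs, ports and timers are constructed.

```python
REACHABLE, STALE = "REACH", "STALE"


class BindingTable:
    """Constructed model of a first-hop switch binding table (illustration, not Cisco's code)."""

    def __init__(self, reachable_lifetime=300, stale_lifetime=600, max_per_port=8):
        self.entries = {}                 # (vlan, ipv6) -> binding dict
        self.events = []                  # record & report: (event, vlan, ipv6, detail)
        self.reachable_lifetime = reachable_lifetime
        self.stale_lifetime = stale_lifetime
        self.max_per_port = max_per_port  # the slide's "max allowed per port"

    def glean(self, ipv6, mac, vlan, port, source, now):
        """Learn an address from a DAD NS, DHCP reply, ND message or data packet.

        Returns True if the binding was created or refreshed, False if it was rejected
        (address already owned by another MAC/port, or the port is at its address limit).
        """
        key = (vlan, ipv6)
        entry = self.entries.get(key)
        if entry is not None:
            if entry["mac"] != mac or entry["port"] != port:
                # Collision: arbitrate in favour of the existing owner and report the attempt.
                self.events.append(("COLLISION", vlan, ipv6, "%s@%s claims address owned by %s@%s"
                                    % (mac, port, entry["mac"], entry["port"])))
                return False
            entry["state"], entry["last_seen"] = REACHABLE, now
            return True
        on_port = sum(1 for (v, _a), e in self.entries.items() if v == vlan and e["port"] == port)
        if on_port >= self.max_per_port:
            self.events.append(("LIMIT", vlan, ipv6, "port %s already has %d addresses" % (port, on_port)))
            return False
        self.entries[key] = {"mac": mac, "port": port, "state": REACHABLE, "last_seen": now, "source": source}
        self.events.append(("CREATE", vlan, ipv6, "%s@%s via %s" % (mac, port, source)))
        return True

    def verify_source(self, ipv6, mac, vlan, port):
        """IPv6 Source Guard check: forward only if the IP/SMAC/port triple matches a binding."""
        entry = self.entries.get((vlan, ipv6))
        return entry is not None and entry["mac"] == mac and entry["port"] == port

    def has_destination(self, ipv6, vlan):
        """IPv6 Destination Guard check: is there a binding for this destination? (otherwise drop)"""
        return (vlan, ipv6) in self.entries

    def age(self, now):
        """Mark idle entries STALE (to be probed with an NS) and delete entries stale for too long.

        Returns the list of addresses that must be probed.
        """
        to_probe, to_delete = [], []
        for (vlan, ipv6), entry in self.entries.items():
            idle = now - entry["last_seen"]
            if entry["state"] == REACHABLE and idle > self.reachable_lifetime:
                entry["state"] = STALE
                to_probe.append(ipv6)
                self.events.append(("STALE", vlan, ipv6, "probing with NS"))
            elif entry["state"] == STALE and idle > self.reachable_lifetime + self.stale_lifetime:
                to_delete.append((vlan, ipv6))
        for key in to_delete:
            del self.entries[key]
            self.events.append(("DELETE", key[0], key[1], "inactive"))
        return to_probe


def replay_slides():
    """Replay the gleaning sequence of slides 72 to 74 with constructed addresses and MACs."""
    table = BindingTable()
    table.glean("2001:db8::a1", "00:00:00:00:00:01", 100, "P1", "dad-ns", now=0)        # A1 / MACH1
    table.glean("2001:db8::a21", "00:00:00:00:00:02", 100, "P2", "dhcp-reply", now=5)   # A21 / MACH2
    table.glean("2001:db8::a22", "00:00:00:00:00:02", 100, "P2", "dhcp-reply", now=5)   # A22 / MACH2
    table.glean("2001:db8::a3", "00:00:00:00:00:03", 100, "P3", "data", now=10)         # A3 / MACH3
    # NA [IP source = A1, LLA = MACH3]: H3 claims A1, which is already bound to H1 on P1.
    stolen = table.glean("2001:db8::a1", "00:00:00:00:00:03", 100, "P3", "na", now=20)
    return table, stolen


if __name__ == "__main__":
    table, stolen = replay_slides()
    print("claim of A1 by H3 accepted:", stolen)
    print("probe after 305 s:", table.age(now=305))
    for event in table.events:
        print(event)
```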
    • Field experience (slide 77): ~5,000 MAC addresses seen; ~75% of MAC addresses dual-stack: had both IPv4 and IPv6; multi-subnet CAPWAP needs multicast routing, else no RA reaches the client, hence no IPv6; needed to tune the timers aggressively (3 minutes): iPad / iPhone create a new address every time they join the net, and the limit of 8 addresses is not enough!
    • Enforce (slide 78): IPv6 FHS; IPv4 FHS
    • Infrastructure protection (slide 79): Control Plane Policing (CoPP) protects the control plane of a network device from DoS attacks; the STP toolkit (Root Guard, BPDU Guard) safeguards STP from misconfiguration and malicious attacks; best practices about infrastructure security are available at http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
    • Summary (slide 82), features placed on a spectrum from Enforce through Enforce-and-Monitor to Monitor: Dynamic ARP Inspection, MACSec, IPv6 Src/Dst Guard, IOS Sensor, NetFlow, IP Source Guard, IEEE 802.1X, IPv6 DHCP Guard, Monitor Mode, IPv6 RA Guard, DHCP Snooping, Smart Logging, IPv6 Binding Integrity Guard
    • Thank you.
    • Thank you! Please complete the post-event survey. Join us June 6 for our next webinar: Deploying Application Visibility and Control Policies. To register, go to www.cisco.com/go/iosadvantage (slide 85)
    • Appendix: IEEE 802.1X feature support by Cisco IOS software platform (slide 87). Columns: Catalyst 6500 | Catalyst 4000 | Catalyst 2K/3K | 2K IOS LAN Lite (“No” = not supported; cells the extraction did not preserve are marked as such):

          IEEE 802.1X authentication                 12.1(13)SE     12.2(40)SG      12.2(25)SEA         12.2(25)SEA
          MAC Authentication Bypass                  12.2(33)SXH    12.2(44)SG      12.2(25)SEE         12.2(37)EY
          Local Web Authentication                   12.2(33)SXH    12.2(40)SG      12.2(35)SEE         No
          Flexible authentication                    12.2(33)SXI    12.2(50)SG      12.2(50)SE          No
          802.1X with Open Access                    12.2(33)SXI    12.2(40)SG      12.2(50)SE          No
          Multi-auth                                 12.2(33)SXI    12.2(40)SG      12.2(50)SE          No
          Multi-domain Auth (MDA)                    12.2(33)SXI    12.2(44)SG      12.2(35)SEE         No
          NEAT                                       12.2(33)SXJ    12.2(54)SG      12.2(52)SE          No
          MACSec endpoint (downlink) encryption      No             Sup7E + 4748LC  12.2(53)SE1 (3K-X)  No
          MACSec uplink encryption                   (cells not recoverable from the extraction)
          VLAN assignment                            12.1(13)E      12.2(44)SG      12.2(25)SEA         12.2(37)EY
          MDA with dynamic Voice VLAN assignment     No             12.2(52)SG      12.2(40)SE          No
          Guest VLAN, Auth-Fail VLAN                 12.2(33)SXH    12.2(40)SG      12.2(25)SED         12.2(37)EY
          User Distribution                          12.2(33)SXI1   12.2(54)SG      12.2(52)SE          No
          Downloadable ACL                           12.2(33)SXI    12.2(40)SG      12.2(50)SE          No
          RADIUS Change of Authorization             12.2(33)SXI4   12.2(54)SG      12.2(52)SE          No
          Multiauth with VLAN assignment             ?              15.0(2)SG       12.2(55)SE          No
          Wake-on-LAN (WoL)                          12.2(33)SXI    12.2(40)SG      12.2(25)SEC         No
          Inactivity timer (MAB and 802.1x)          12.2(33)SXI    12.2(40)SG      12.2(50)SE          (cell not in extraction)
          CDP 2nd port disconnect                    12.2(33)SXI    12.2(40)SG      12.2(50)SE          No
          Integration with DAI, IPSG, port security  12.2(33)SXI    12.2(40)SG      12.2(25)SEA         12.2(37)EY
          MAC Move/MAC Replace                       12.2(33)SXI4   12.2(54)SG      12.2(55)SE          No
          Critical Data VLAN (IAB)                   12.2(33)SXH    12.2(40)SG      12.2(50)SE          No
          Critical Voice VLAN                        12.2(33)SXJ1   15.0(2)SG       15.0(1)SE           No

      Callouts on the slide: “Combine these features for easier deployments with ‘Monitor Mode’” and “Most competitive switches lack these features that make 802.1X deployable. Make sure your customer includes them in RFP.”
    • Appendix: IPv4 FHS and RA Guard support by platform (slide 88). Columns: 2K | 3K | 4K | 6K:

          DHCP Snooping            Y  Y  Y  Y
          Dynamic ARP Inspection   Y  Y  Y  Y
          IP Source Guard          Y  Y  Y  Y
          BPDU Guard               Y  Y  Y  Y
          RA Guard                 15.0(2)SE ‘Nile’ (2960S only)  |  15.0(2)SE ‘Nile’ (E and X)  |  12.2(54)SG  |  12.2(33)SXI4
          Control Plane Policing   N  N  Y  Y
    • Appendix: monitoring feature support by platform (slide 89). Columns: 2K | 3K | 4K | 6K; cells are given in the order they were extracted, and the NetFlow row could not be assigned to columns unambiguously:

          Smart Logging   No  12.2(58)SE
          IOS Sensor      15.0(1)SE*  15.0(1)SE*  Oct 2011  No
          NetFlow         No  No  With uplink module  Sup 7
          Monitor Mode    12.2(50)SG  12.2(50)SG  12.2(50)SE  12.2(33)SXI

      *Full functionality requires ISE 1.1
    • What is specific to IPv6 in the layer-2 domain? (slide 91) More addresses! More end-nodes allowed on the link (up to 2^64!); more state (neighbor cache, etc.) on hosts, routers and switches; may lead to some dramatic topology evolution; creates new opportunities for DoS & MiM attacks. What else? Link-operations protocol(s): IPv6 = Neighbor Discovery; more distributed and more autonomous operations; nodes discover their default router automatically; nodes auto-configure their addresses; nodes can defend themselves (SeND)
    • SeND notes (slide 92): SeND is NOT a new protocol; SeND is “just” an extension to NDP with new messages (CPS/CPA) and more options (Signature, etc.); therefore ND+SeND remains a protocol operating on the link; SeND is a distributed mitigation mechanism; SeND does not provide any “end-to-end” security; SeND is specified in RFC 3971 and RFC 3972
    • RA Guard limited broadcast (slide 93): very powerful; the RA Guard multicast group is built with the ports which have the RA Guard feature configured and a device-role of "router" or "monitor". Only switch ports belonging to the RA Guard multicast group will receive RS messages.

          interface Ethernet0/0
           ipv6 nd router-preference high

          switch(config)# ipv6 nd raguard limited-broadcast