SlideShare a Scribd company logo

Wp ci securing_layer2

Amargo Durazno
Amargo Durazno
Technology
1 of 6
Download to read offline
Expert Reference Series of White Papers Securing Layer 2 1-800-COURSES www.globalknowledge.com
Securing Layer 2 Carol Kavalla, Global Knowledge Instructor Introduction For many years network administrators have expected security breaches to come from outside an organization or at the upper layers of the OSI model. For this purpose, firewalls are implemented at the edge of a network. While the default state of a firewall does not allow communication between an organization and networks beyond the organizational borders, routers and switches were designed to enable communication. A firewall needs to be configured specifically to allow IP packets to traverse it. By default, routers do not filter traffic; however, they can be configured to filter traffic based on inspecting values in layer 3 and layer 4 IP head- ers. Switches can also be configured to thwart attacks launched at the LAN layer. Copyright ©2010 Global Knowledge Training LLC. All rights reserved. 2
In recent years, Cisco has expanded its focus beyond a perimeter type of security that is obtained through fire- walls and Intrusion Detection (or Prevention) Systems (IDS or IPS) at the edge of the network. In addition to the Enterprise Edge, the access, distribution, and core layers of the enterprise campus or WAN need to be secured. Cisco calls this the self-defending network, where each piece of the network is secured independently as well as at the Enterprise Edge. This change of focus is because many attacks originate from the inside of the enterprise infrastructure. This paper will focus on securing layer 2 switching at the access layer through port security and preventing denial of service (DoS) attacks at layer 2. Risk Assessment Security implementation should start with a risk assessment and those risks need to be weighed against the need for data or information to be able to flow through a network. For example, for security reasons some orga- nizations make a decision to disable unused switch ports. For other organizations that might not be an appro- priate choice. A large news organization like CNN may choose to not disable unused ports. Sometimes a story needs to get to air at the last minute and it would be disastrous for a reporter to be unable to feed the news report to those newscasters already on air. Another aspect of security evaluated during the risk assessment is physical security. An example of physical security could be a badge reader. Each employee would have to swipe his or her badge before entering the building and would be required to wear the badge at all times. To enforce this, physical security could include guards at the entrance to the building and guards on every floor. The choices about how to secure layer 2 are all driven by the business objectives defined in an enterprise’s security policy. Port Security Port security allows a network administrator to limit the number of MAC addresses that are learned per switch port. A network administrator may further limit port access to a particular MAC address or set of MAC addresses. This serves two functions: • nsures sure end users don’t turn their cubicles into a network world by plugging in a switch or wireless E device and adding multiple end devices in their cubicle. • Prevents certain reconnaissance and denial-of-service (DoS) attacks. A reconnaissance attack is one where the intruder searches for information about the network; it’s similar to a military reconnaissance mission. The actual attack will take place later. A DoS attack is renders either a link or host unreachable. Copyright ©2010 Global Knowledge Training LLC. All rights reserved. 3
A MAC flooding attack is a type of reconnaissance attack. The attacker examines at the types of traffic on the LAN and may also looks for other information, such as details about default gateways. A MAC flooding attack may also be used as a DoS attack. Before looking at the MAC flooding attack, a review of how a switch populates the MAC-Address-Table (or CAM Table) and forwards traffic would be helpful. When an Ethernet frame travels through the switch there is both a Destination MAC Address and Source MAC Address field in the Ethernet header. The switch will populate the MAC-Address-Table based on the source MAC address and its associated port. It will make forwarding decisions based on the destination MAC address. By default, if a switch does not have the destination MAC in its MAC- Address-Table, it will flood the frame out all ports—except the port it came in on. It’s this behavior that the MAC flooding attack exploits. The attacking PC floods the switch with a large number of frames, each with an invalid source MAC address. Switches have a limited amount of memory for the MAC-address-table and eventually it will be populated with all of the invalid MAC addresses from the malicious PC. When legitimate traffic is forwarded through the switch, the destination MAC addresses will not reside in the MAC-address-table and will, therefore, be forwarded out all ports, except the port it came in on. The result is that the intruder will have the opportunity to capture a consid- erable amount of data from the network by using a protocol analyzer on one port of the switch and record the flooded frames. In addition, if enough legitimate traffic has to be flooded out of all ports, there is a possibility that the links could become saturated, leading to a denial of service for those hosts. Copyright ©2010 Global Knowledge Training LLC. All rights reserved. 4
One possible solution to this problem is port security. With port security a network administrator can limit the number of MAC addresses learned on a switch port. For example: if there were one PC per port the MAC addresses count would be limited to one. If there were an IP phone and PC, the MAC address count would be limited to two. Optionally, an administrator could restrict the port to a specific MAC address. When an administrator chooses to restrict the number of MAC addresses per port, the results of a violation can be: Protect Frames from a non-allowed address are dropped, but there is no log of the violation. Restrict Frames from a non-allowed address are dropped and a log message is created. Shut Down f any frames from a non-allowed address are seen, the interface is errdisabled (shutdown). I Manual intervention or errdisable recovery must be used to make the interface operational. Copyright ©2010 Global Knowledge Training LLC. All rights reserved. 5
Configuring Port Security on a switch enables port security and specifies the maximum number of MAC address- es that can be supported by this port. It also specifies allowable MAC addresses and defines violation actions. Switch(config-if)#switchport port-security [maximum value] violation {protect | restrict | shutdown} Conclusion Port security is just one way to help secure switches at the access layer. There are other security vulnerabities such as VLAN hopping, DHCP spoofing, Address Resolution Protocol (ARP) spoofing, Secure Shell Protocol (SSH) and Telnet attacks that also need to be addressed to more completely secure layer two. But those are subjects for another white paper or a network-security class. Learn More Learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge. Check out the following Global Knowledge courses. IINS – Implementing Cisco IOS Network Security Security+ Prep Course Our courses and enhanced, hands-on labs offer practical skills and tips that you can immediately put to use. Our expert instructors draw upon their experiences to help you understand key concepts and how to apply them to your specific work situation. Choose from our more than 1,200 courses, delivered through Classrooms, e-Learn- ing, and On-site sessions, to meet your IT and business training needs. For more information or to register, visit www.globalknowledge.com or call 1-800-COURSES to speak with a sales representative. About the Author Carol Kavalla’s background includes teaching at Rockland Community College in New York, managing networks and being a consultant for the NYS small business development center. For the last eight-and-a-half years, Carol has taught for Global Knowledge and is certified to teach nine Cisco Courses: ICND1; ICND2; CCDA; BSCI; BCMSN; TCN; ICMI; BGP; and ARCH. She also has a consulting firm in Charleston, South Carolina, where she works with small companies (100-200 nodes) installing, configuring routers and switches, and troubleshooting network problems. Copyright ©2010 Global Knowledge Training LLC. All rights reserved. 6

Recommended

Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)IJERD Editor
 
10. sig free a signature free buffer overflow attack blocker
10. sig free a signature free buffer overflow attack blocker10. sig free a signature free buffer overflow attack blocker
10. sig free a signature free buffer overflow attack blockerakila_mano
 
Ajit-Legiment_Techniques
Ajit-Legiment_TechniquesAjit-Legiment_Techniques
Ajit-Legiment_Techniquesguest66dc5f
 
RAZORPOINT SECURITY GLOSSARY
RAZORPOINT SECURITY GLOSSARYRAZORPOINT SECURITY GLOSSARY
RAZORPOINT SECURITY GLOSSARYRazorpoint Security
 
L3 defense
L3 defenseL3 defense
L3 defenseRushdi Shams
 
Wireless Sensor Network: Internet Model Layer Based Security Attacks and thei...
Wireless Sensor Network: Internet Model Layer Based Security Attacks and thei...Wireless Sensor Network: Internet Model Layer Based Security Attacks and thei...
Wireless Sensor Network: Internet Model Layer Based Security Attacks and thei...IRJET Journal
 
Layered Approach for Preprocessing of Data in Intrusion Prevention Systems
Layered Approach for Preprocessing of Data in Intrusion Prevention SystemsLayered Approach for Preprocessing of Data in Intrusion Prevention Systems
Layered Approach for Preprocessing of Data in Intrusion Prevention SystemsEditor IJCATR
 
IRJET- Analysis of Router Poisoning using Network Attacks
IRJET- Analysis of Router Poisoning using Network AttacksIRJET- Analysis of Router Poisoning using Network Attacks
IRJET- Analysis of Router Poisoning using Network AttacksIRJET Journal
 

Recommended

Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)IJERD Editor
 
10. sig free a signature free buffer overflow attack blocker
10. sig free a signature free buffer overflow attack blocker10. sig free a signature free buffer overflow attack blocker
10. sig free a signature free buffer overflow attack blockerakila_mano
 
Ajit-Legiment_Techniques
Ajit-Legiment_TechniquesAjit-Legiment_Techniques
Ajit-Legiment_Techniquesguest66dc5f
 
RAZORPOINT SECURITY GLOSSARY
RAZORPOINT SECURITY GLOSSARYRAZORPOINT SECURITY GLOSSARY
RAZORPOINT SECURITY GLOSSARYRazorpoint Security
 
L3 defense
L3 defenseL3 defense
L3 defenseRushdi Shams
 
Wireless Sensor Network: Internet Model Layer Based Security Attacks and thei...
Wireless Sensor Network: Internet Model Layer Based Security Attacks and thei...Wireless Sensor Network: Internet Model Layer Based Security Attacks and thei...
Wireless Sensor Network: Internet Model Layer Based Security Attacks and thei...IRJET Journal
 
Layered Approach for Preprocessing of Data in Intrusion Prevention Systems
Layered Approach for Preprocessing of Data in Intrusion Prevention SystemsLayered Approach for Preprocessing of Data in Intrusion Prevention Systems
Layered Approach for Preprocessing of Data in Intrusion Prevention SystemsEditor IJCATR
 
IRJET- Analysis of Router Poisoning using Network Attacks
IRJET- Analysis of Router Poisoning using Network AttacksIRJET- Analysis of Router Poisoning using Network Attacks
IRJET- Analysis of Router Poisoning using Network AttacksIRJET Journal
 
Networking and communications security – network architecture design
Networking and communications security – network architecture designNetworking and communications security – network architecture design
Networking and communications security – network architecture designEnterpriseGRC Solutions, Inc.
 
Security suite brochure
Security suite brochureSecurity suite brochure
Security suite brochureNeil Brown
 
Wireless Communiction Security
Wireless Communiction SecurityWireless Communiction Security
Wireless Communiction SecurityMeet Soni
 
Network Security - Real and Present Dangers
Network Security - Real and Present DangersNetwork Security - Real and Present Dangers
Network Security - Real and Present DangersPeter Wood
 
Signature Free Virus Blocking Method to Detect Software Code Security (Intern...
Signature Free Virus Blocking Method to Detect Software Code Security (Intern...Signature Free Virus Blocking Method to Detect Software Code Security (Intern...
Signature Free Virus Blocking Method to Detect Software Code Security (Intern...Student
 
Defending Industrial Control Systems From Cyberattack
Defending Industrial Control Systems From CyberattackDefending Industrial Control Systems From Cyberattack
Defending Industrial Control Systems From CyberattackMountain States Engineering and Controls
 
TACTiCS_WP Security_Addressing Security in SDN Environment
TACTiCS_WP Security_Addressing Security in SDN EnvironmentTACTiCS_WP Security_Addressing Security in SDN Environment
TACTiCS_WP Security_Addressing Security in SDN EnvironmentSaikat Chaudhuri
 
UTM (unified threat management)
UTM (unified threat management)UTM (unified threat management)
UTM (unified threat management)military
 
Network security and firewalls
Network security and firewallsNetwork security and firewalls
Network security and firewallsMurali Mohan
 
A LIGHT WEIGHT SOLUTION FOR DETECTING DE-AUTHENTICATION ATTACK
A LIGHT WEIGHT SOLUTION FOR DETECTING DE-AUTHENTICATION ATTACK A LIGHT WEIGHT SOLUTION FOR DETECTING DE-AUTHENTICATION ATTACK
A LIGHT WEIGHT SOLUTION FOR DETECTING DE-AUTHENTICATION ATTACK IJNSA Journal
 
Network security - Defense in Depth
Network security - Defense in DepthNetwork security - Defense in Depth
Network security - Defense in DepthDilum Bandara
 
Euro mGov Securing Mobile Services
Euro mGov Securing Mobile ServicesEuro mGov Securing Mobile Services
Euro mGov Securing Mobile ServicesMiguel Ponce de Leon @ TSSG / Waterford Institute of Technology
 
Network security
Network security Network security
Network securityVikas Jagtap
 
Network Security
Network SecurityNetwork Security
Network SecurityVIKAS SINGH BHADOURIA
 
wireless communication security PPT, presentation
wireless communication security PPT, presentationwireless communication security PPT, presentation
wireless communication security PPT, presentationNitesh Dubey
 
packet-sniffing-switched-environment-244
packet-sniffing-switched-environment-244packet-sniffing-switched-environment-244
packet-sniffing-switched-environment-244Tom King
 
Abepoetra grace m. hopper (ibu kompiler)
Abepoetra grace m. hopper (ibu kompiler)Abepoetra grace m. hopper (ibu kompiler)
Abepoetra grace m. hopper (ibu kompiler)Phaza Hendra Kumara
 
Эссе
ЭссеЭссе
ЭссеTrofimova_Alexandra
 
RTB Professional Overview_non-editable
RTB Professional Overview_non-editableRTB Professional Overview_non-editable
RTB Professional Overview_non-editableG Allan Roberts
 
Mo Valley Presentation
Mo Valley PresentationMo Valley Presentation
Mo Valley Presentationryanmfinch
 
El euro, preguntas y respuestas
El euro, preguntas y respuestasEl euro, preguntas y respuestas
El euro, preguntas y respuestasOlga lázaro garcía
 
Promoting Literacy in Kindergarten
Promoting Literacy in KindergartenPromoting Literacy in Kindergarten
Promoting Literacy in Kindergartenmkurtak
 

More Related Content

What's hot

Networking and communications security – network architecture design
Networking and communications security – network architecture designNetworking and communications security – network architecture design
Networking and communications security – network architecture designEnterpriseGRC Solutions, Inc.
 
Security suite brochure
Security suite brochureSecurity suite brochure
Security suite brochureNeil Brown
 
Wireless Communiction Security
Wireless Communiction SecurityWireless Communiction Security
Wireless Communiction SecurityMeet Soni
 
Network Security - Real and Present Dangers
Network Security - Real and Present DangersNetwork Security - Real and Present Dangers
Network Security - Real and Present DangersPeter Wood
 
Signature Free Virus Blocking Method to Detect Software Code Security (Intern...
Signature Free Virus Blocking Method to Detect Software Code Security (Intern...Signature Free Virus Blocking Method to Detect Software Code Security (Intern...
Signature Free Virus Blocking Method to Detect Software Code Security (Intern...Student
 
TACTiCS_WP Security_Addressing Security in SDN Environment
TACTiCS_WP Security_Addressing Security in SDN EnvironmentTACTiCS_WP Security_Addressing Security in SDN Environment
TACTiCS_WP Security_Addressing Security in SDN EnvironmentSaikat Chaudhuri
 
UTM (unified threat management)
UTM (unified threat management)UTM (unified threat management)
UTM (unified threat management)military
 
Network security and firewalls
Network security and firewallsNetwork security and firewalls
Network security and firewallsMurali Mohan
 
A LIGHT WEIGHT SOLUTION FOR DETECTING DE-AUTHENTICATION ATTACK
A LIGHT WEIGHT SOLUTION FOR DETECTING DE-AUTHENTICATION ATTACK A LIGHT WEIGHT SOLUTION FOR DETECTING DE-AUTHENTICATION ATTACK
A LIGHT WEIGHT SOLUTION FOR DETECTING DE-AUTHENTICATION ATTACK IJNSA Journal
 
Network security - Defense in Depth
Network security - Defense in DepthNetwork security - Defense in Depth
Network security - Defense in DepthDilum Bandara
 
wireless communication security PPT, presentation
wireless communication security PPT, presentationwireless communication security PPT, presentation
wireless communication security PPT, presentationNitesh Dubey
 
packet-sniffing-switched-environment-244
packet-sniffing-switched-environment-244packet-sniffing-switched-environment-244
packet-sniffing-switched-environment-244Tom King
 

What's hot (16)

Networking and communications security – network architecture design
Networking and communications security – network architecture designNetworking and communications security – network architecture design
Networking and communications security – network architecture design
 
Security suite brochure
Security suite brochureSecurity suite brochure
Security suite brochure
 
Wireless Communiction Security
Wireless Communiction SecurityWireless Communiction Security
Wireless Communiction Security
 
Network Security - Real and Present Dangers
Network Security - Real and Present DangersNetwork Security - Real and Present Dangers
Network Security - Real and Present Dangers
 
Signature Free Virus Blocking Method to Detect Software Code Security (Intern...
Signature Free Virus Blocking Method to Detect Software Code Security (Intern...Signature Free Virus Blocking Method to Detect Software Code Security (Intern...
Signature Free Virus Blocking Method to Detect Software Code Security (Intern...
 
Defending Industrial Control Systems From Cyberattack
Defending Industrial Control Systems From CyberattackDefending Industrial Control Systems From Cyberattack
Defending Industrial Control Systems From Cyberattack
 
TACTiCS_WP Security_Addressing Security in SDN Environment
TACTiCS_WP Security_Addressing Security in SDN EnvironmentTACTiCS_WP Security_Addressing Security in SDN Environment
TACTiCS_WP Security_Addressing Security in SDN Environment
 
UTM (unified threat management)
UTM (unified threat management)UTM (unified threat management)
UTM (unified threat management)
 
Network security and firewalls
Network security and firewallsNetwork security and firewalls
Network security and firewalls
 
A LIGHT WEIGHT SOLUTION FOR DETECTING DE-AUTHENTICATION ATTACK
A LIGHT WEIGHT SOLUTION FOR DETECTING DE-AUTHENTICATION ATTACK A LIGHT WEIGHT SOLUTION FOR DETECTING DE-AUTHENTICATION ATTACK
A LIGHT WEIGHT SOLUTION FOR DETECTING DE-AUTHENTICATION ATTACK
 
Network security - Defense in Depth
Network security - Defense in DepthNetwork security - Defense in Depth
Network security - Defense in Depth
 
Euro mGov Securing Mobile Services
Euro mGov Securing Mobile ServicesEuro mGov Securing Mobile Services
Euro mGov Securing Mobile Services
 
Network security
Network security Network security
Network security
 
Network Security
Network SecurityNetwork Security
Network Security
 
wireless communication security PPT, presentation
wireless communication security PPT, presentationwireless communication security PPT, presentation
wireless communication security PPT, presentation
 
packet-sniffing-switched-environment-244
packet-sniffing-switched-environment-244packet-sniffing-switched-environment-244
packet-sniffing-switched-environment-244
 

Viewers also liked

Abepoetra grace m. hopper (ibu kompiler)
Abepoetra grace m. hopper (ibu kompiler)Abepoetra grace m. hopper (ibu kompiler)
Abepoetra grace m. hopper (ibu kompiler)Phaza Hendra Kumara
 
RTB Professional Overview_non-editable
RTB Professional Overview_non-editableRTB Professional Overview_non-editable
RTB Professional Overview_non-editableG Allan Roberts
 
Mo Valley Presentation
Mo Valley PresentationMo Valley Presentation
Mo Valley Presentationryanmfinch
 
Promoting Literacy in Kindergarten
Promoting Literacy in KindergartenPromoting Literacy in Kindergarten
Promoting Literacy in Kindergartenmkurtak
 
Asian Carp: An Invasive Species
Asian Carp: An Invasive SpeciesAsian Carp: An Invasive Species
Asian Carp: An Invasive Specieshoconnell
 
FarMark: Winning B-Plan at the C2P-SIFE Social Business Plan Competition
FarMark: Winning B-Plan at the C2P-SIFE Social Business Plan CompetitionFarMark: Winning B-Plan at the C2P-SIFE Social Business Plan Competition
FarMark: Winning B-Plan at the C2P-SIFE Social Business Plan CompetitionSayali Saoji
 
Social CRM in the Swiss Banking Sector
Social CRM in the Swiss Banking SectorSocial CRM in the Swiss Banking Sector
Social CRM in the Swiss Banking SectorNatalie Huong
 
Real World Techniques for Enterprise Agile Adoption
Real World Techniques for Enterprise Agile AdoptionReal World Techniques for Enterprise Agile Adoption
Real World Techniques for Enterprise Agile AdoptionScott Richardson
 
An Executive Insider's Guide to Enterprise Agile Transformation
An Executive Insider's Guide to Enterprise Agile TransformationAn Executive Insider's Guide to Enterprise Agile Transformation
An Executive Insider's Guide to Enterprise Agile TransformationScott Richardson
 
AgileDC 2014: Achieving Enduring Agile Success in Large Organizations
AgileDC 2014: Achieving Enduring Agile Success in Large OrganizationsAgileDC 2014: Achieving Enduring Agile Success in Large Organizations
AgileDC 2014: Achieving Enduring Agile Success in Large OrganizationsScott Richardson
 

Viewers also liked (14)

Abepoetra grace m. hopper (ibu kompiler)
Abepoetra grace m. hopper (ibu kompiler)Abepoetra grace m. hopper (ibu kompiler)
Abepoetra grace m. hopper (ibu kompiler)
 
Эссе
ЭссеЭссе
Эссе
 
RTB Professional Overview_non-editable
RTB Professional Overview_non-editableRTB Professional Overview_non-editable
RTB Professional Overview_non-editable
 
Mo Valley Presentation
Mo Valley PresentationMo Valley Presentation
Mo Valley Presentation
 
El euro, preguntas y respuestas
El euro, preguntas y respuestasEl euro, preguntas y respuestas
El euro, preguntas y respuestas
 
Promoting Literacy in Kindergarten
Promoting Literacy in KindergartenPromoting Literacy in Kindergarten
Promoting Literacy in Kindergarten
 
мой любимый вид спорта
мой любимый вид спортамой любимый вид спорта
мой любимый вид спорта
 
Asian Carp: An Invasive Species
Asian Carp: An Invasive SpeciesAsian Carp: An Invasive Species
Asian Carp: An Invasive Species
 
FarMark: Winning B-Plan at the C2P-SIFE Social Business Plan Competition
FarMark: Winning B-Plan at the C2P-SIFE Social Business Plan CompetitionFarMark: Winning B-Plan at the C2P-SIFE Social Business Plan Competition
FarMark: Winning B-Plan at the C2P-SIFE Social Business Plan Competition
 
вов. катюша. .
вов. катюша. .вов. катюша. .
вов. катюша. .
 
Social CRM in the Swiss Banking Sector
Social CRM in the Swiss Banking SectorSocial CRM in the Swiss Banking Sector
Social CRM in the Swiss Banking Sector
 
Real World Techniques for Enterprise Agile Adoption
Real World Techniques for Enterprise Agile AdoptionReal World Techniques for Enterprise Agile Adoption
Real World Techniques for Enterprise Agile Adoption
 
An Executive Insider's Guide to Enterprise Agile Transformation
An Executive Insider's Guide to Enterprise Agile TransformationAn Executive Insider's Guide to Enterprise Agile Transformation
An Executive Insider's Guide to Enterprise Agile Transformation
 
AgileDC 2014: Achieving Enduring Agile Success in Large Organizations
AgileDC 2014: Achieving Enduring Agile Success in Large OrganizationsAgileDC 2014: Achieving Enduring Agile Success in Large Organizations
AgileDC 2014: Achieving Enduring Agile Success in Large Organizations
 

Similar to Wp ci securing_layer2

Presentation, Firewalls
Presentation, FirewallsPresentation, Firewalls
Presentation, Firewallskkkseld
 
Firewall protection
Firewall protectionFirewall protection
Firewall protectionVC Infotech
 
Presentation, Firewalls
Presentation, FirewallsPresentation, Firewalls
Presentation, Firewallskkkseld
 
Comptia Security+ Exam Notes
Comptia Security+ Exam NotesComptia Security+ Exam Notes
Comptia Security+ Exam NotesVijayanand Yadla
 
The Complete Questionnaires About Firewall
The Complete Questionnaires About FirewallThe Complete Questionnaires About Firewall
The Complete Questionnaires About FirewallVishal Kumar
 
Cryptography and network security.
Cryptography and network security.Cryptography and network security.
Cryptography and network security.RAVI RAJ
 
A Deep Dive in the World of IT Networking (Part 2)
A Deep Dive in the World of IT Networking (Part 2)A Deep Dive in the World of IT Networking (Part 2)
A Deep Dive in the World of IT Networking (Part 2)Tuan Yang
 
Ccna 4 Chapter 1 V4.0 Answers
Ccna 4 Chapter 1 V4.0 AnswersCcna 4 Chapter 1 V4.0 Answers
Ccna 4 Chapter 1 V4.0 Answersccna4discovery
 
Top 25 SOC Analyst interview questions.pdf
Top 25 SOC Analyst interview questions.pdfTop 25 SOC Analyst interview questions.pdf
Top 25 SOC Analyst interview questions.pdfinfosec train
 

Similar to Wp ci securing_layer2 (20)

Firewall configuration
Firewall configurationFirewall configuration
Firewall configuration
 
Presentation, Firewalls
Presentation, FirewallsPresentation, Firewalls
Presentation, Firewalls
 
Firewall
Firewall Firewall
Firewall
 
Firewall protection
Firewall protectionFirewall protection
Firewall protection
 
ANS_Ch_04_Handouts.pdf
ANS_Ch_04_Handouts.pdfANS_Ch_04_Handouts.pdf
ANS_Ch_04_Handouts.pdf
 
CompTIA Security Plus Mini Bootcamp Session
CompTIA Security Plus Mini Bootcamp Session CompTIA Security Plus Mini Bootcamp Session
CompTIA Security Plus Mini Bootcamp Session
 
Presentation, Firewalls
Presentation, FirewallsPresentation, Firewalls
Presentation, Firewalls
 
Firewalls
FirewallsFirewalls
Firewalls
 
Comptia Security+ Exam Notes
Comptia Security+ Exam NotesComptia Security+ Exam Notes
Comptia Security+ Exam Notes
 
The Complete Questionnaires About Firewall
The Complete Questionnaires About FirewallThe Complete Questionnaires About Firewall
The Complete Questionnaires About Firewall
 
Cryptography and network security.
Cryptography and network security.Cryptography and network security.
Cryptography and network security.
 
Net Defender
Net DefenderNet Defender
Net Defender
 
A Deep Dive in the World of IT Networking (Part 2)
A Deep Dive in the World of IT Networking (Part 2)A Deep Dive in the World of IT Networking (Part 2)
A Deep Dive in the World of IT Networking (Part 2)
 
Netdefender
NetdefenderNetdefender
Netdefender
 
Firewall
FirewallFirewall
Firewall
 
Ccna 4 Chapter 1 V4.0 Answers
Ccna 4 Chapter 1 V4.0 AnswersCcna 4 Chapter 1 V4.0 Answers
Ccna 4 Chapter 1 V4.0 Answers
 
Network & security startup
Network & security startupNetwork & security startup
Network & security startup
 
Top 25 SOC Analyst interview questions.pdf
Top 25 SOC Analyst interview questions.pdfTop 25 SOC Analyst interview questions.pdf
Top 25 SOC Analyst interview questions.pdf
 
The mfn 3
The mfn 3The mfn 3
The mfn 3
 
CompTIA Security Plus Overview
CompTIA Security Plus OverviewCompTIA Security Plus Overview
CompTIA Security Plus Overview
 

Recently uploaded

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 

Recently uploaded (20)

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 

Wp ci securing_layer2

  • 1. Expert Reference Series of White Papers Securing Layer 2 1-800-COURSES www.globalknowledge.com
  • 2. Securing Layer 2 Carol Kavalla, Global Knowledge Instructor Introduction For many years network administrators have expected security breaches to come from outside an organization or at the upper layers of the OSI model. For this purpose, firewalls are implemented at the edge of a network. While the default state of a firewall does not allow communication between an organization and networks beyond the organizational borders, routers and switches were designed to enable communication. A firewall needs to be configured specifically to allow IP packets to traverse it. By default, routers do not filter traffic; however, they can be configured to filter traffic based on inspecting values in layer 3 and layer 4 IP head- ers. Switches can also be configured to thwart attacks launched at the LAN layer. Copyright ©2010 Global Knowledge Training LLC. All rights reserved. 2
  • 3. In recent years, Cisco has expanded its focus beyond a perimeter type of security that is obtained through fire- walls and Intrusion Detection (or Prevention) Systems (IDS or IPS) at the edge of the network. In addition to the Enterprise Edge, the access, distribution, and core layers of the enterprise campus or WAN need to be secured. Cisco calls this the self-defending network, where each piece of the network is secured independently as well as at the Enterprise Edge. This change of focus is because many attacks originate from the inside of the enterprise infrastructure. This paper will focus on securing layer 2 switching at the access layer through port security and preventing denial of service (DoS) attacks at layer 2. Risk Assessment Security implementation should start with a risk assessment and those risks need to be weighed against the need for data or information to be able to flow through a network. For example, for security reasons some orga- nizations make a decision to disable unused switch ports. For other organizations that might not be an appro- priate choice. A large news organization like CNN may choose to not disable unused ports. Sometimes a story needs to get to air at the last minute and it would be disastrous for a reporter to be unable to feed the news report to those newscasters already on air. Another aspect of security evaluated during the risk assessment is physical security. An example of physical security could be a badge reader. Each employee would have to swipe his or her badge before entering the building and would be required to wear the badge at all times. To enforce this, physical security could include guards at the entrance to the building and guards on every floor. The choices about how to secure layer 2 are all driven by the business objectives defined in an enterprise’s security policy. Port Security Port security allows a network administrator to limit the number of MAC addresses that are learned per switch port. A network administrator may further limit port access to a particular MAC address or set of MAC addresses. This serves two functions: • nsures sure end users don’t turn their cubicles into a network world by plugging in a switch or wireless E device and adding multiple end devices in their cubicle. • Prevents certain reconnaissance and denial-of-service (DoS) attacks. A reconnaissance attack is one where the intruder searches for information about the network; it’s similar to a military reconnaissance mission. The actual attack will take place later. A DoS attack is renders either a link or host unreachable. Copyright ©2010 Global Knowledge Training LLC. All rights reserved. 3
  • 4. A MAC flooding attack is a type of reconnaissance attack. The attacker examines at the types of traffic on the LAN and may also looks for other information, such as details about default gateways. A MAC flooding attack may also be used as a DoS attack. Before looking at the MAC flooding attack, a review of how a switch populates the MAC-Address-Table (or CAM Table) and forwards traffic would be helpful. When an Ethernet frame travels through the switch there is both a Destination MAC Address and Source MAC Address field in the Ethernet header. The switch will populate the MAC-Address-Table based on the source MAC address and its associated port. It will make forwarding decisions based on the destination MAC address. By default, if a switch does not have the destination MAC in its MAC- Address-Table, it will flood the frame out all ports—except the port it came in on. It’s this behavior that the MAC flooding attack exploits. The attacking PC floods the switch with a large number of frames, each with an invalid source MAC address. Switches have a limited amount of memory for the MAC-address-table and eventually it will be populated with all of the invalid MAC addresses from the malicious PC. When legitimate traffic is forwarded through the switch, the destination MAC addresses will not reside in the MAC-address-table and will, therefore, be forwarded out all ports, except the port it came in on. The result is that the intruder will have the opportunity to capture a consid- erable amount of data from the network by using a protocol analyzer on one port of the switch and record the flooded frames. In addition, if enough legitimate traffic has to be flooded out of all ports, there is a possibility that the links could become saturated, leading to a denial of service for those hosts. Copyright ©2010 Global Knowledge Training LLC. All rights reserved. 4
  • 5. One possible solution to this problem is port security. With port security a network administrator can limit the number of MAC addresses learned on a switch port. For example: if there were one PC per port the MAC addresses count would be limited to one. If there were an IP phone and PC, the MAC address count would be limited to two. Optionally, an administrator could restrict the port to a specific MAC address. When an administrator chooses to restrict the number of MAC addresses per port, the results of a violation can be: Protect Frames from a non-allowed address are dropped, but there is no log of the violation. Restrict Frames from a non-allowed address are dropped and a log message is created. Shut Down f any frames from a non-allowed address are seen, the interface is errdisabled (shutdown). I Manual intervention or errdisable recovery must be used to make the interface operational. Copyright ©2010 Global Knowledge Training LLC. All rights reserved. 5
  • 6. Configuring Port Security on a switch enables port security and specifies the maximum number of MAC address- es that can be supported by this port. It also specifies allowable MAC addresses and defines violation actions. Switch(config-if)#switchport port-security [maximum value] violation {protect | restrict | shutdown} Conclusion Port security is just one way to help secure switches at the access layer. There are other security vulnerabities such as VLAN hopping, DHCP spoofing, Address Resolution Protocol (ARP) spoofing, Secure Shell Protocol (SSH) and Telnet attacks that also need to be addressed to more completely secure layer two. But those are subjects for another white paper or a network-security class. Learn More Learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge. Check out the following Global Knowledge courses. IINS – Implementing Cisco IOS Network Security Security+ Prep Course Our courses and enhanced, hands-on labs offer practical skills and tips that you can immediately put to use. Our expert instructors draw upon their experiences to help you understand key concepts and how to apply them to your specific work situation. Choose from our more than 1,200 courses, delivered through Classrooms, e-Learn- ing, and On-site sessions, to meet your IT and business training needs. For more information or to register, visit www.globalknowledge.com or call 1-800-COURSES to speak with a sales representative. About the Author Carol Kavalla’s background includes teaching at Rockland Community College in New York, managing networks and being a consultant for the NYS small business development center. For the last eight-and-a-half years, Carol has taught for Global Knowledge and is certified to teach nine Cisco Courses: ICND1; ICND2; CCDA; BSCI; BCMSN; TCN; ICMI; BGP; and ARCH. She also has a consulting firm in Charleston, South Carolina, where she works with small companies (100-200 nodes) installing, configuring routers and switches, and troubleshooting network problems. Copyright ©2010 Global Knowledge Training LLC. All rights reserved. 6