This document discusses IT network security topics including zone-based policy firewalls, VLAN hopping attacks, and high availability in data centers. It covers why zone-based firewalls are useful and the steps to configure them, with an example. VLAN hopping attacks are explained, as well as best practices to prevent them. Finally, it compares virtual switching systems and virtual port channels, which are used to provide high availability in data centers. References are provided for further information on each topic.
ITNetworkSecurity_GabrielBorlean
1. IT NETWORK SECURITY
Prevention & Attacks
- A Study
Gabriel Emanuel Maagaard, Borlean
Data technician journeyman's exam (svendeprøve) presentation
Syddansk Erhvervsskole, Odense C
December 17th, 2015 A.D.
3. IT NETWORK SECURITY
- 2 TOPICS
ZONE-BASED POLICY FIREWALL (Cisco ZFW, ZBF or ZPF)
Why, how
Example
LAYER 2 ATTACK: VLAN-HOPPING
What, how
Example
HIGH AVAILABILITY – DATA CENTER
VSS vs. vPC
5. ZONE-BASED POLICY FIREWALL
The four parts and relationships:
Step 1: Create the zones
Step 2: Identify traffic with a class-map
Step 3: Define an action with a policy-map
Step 4: Identify a zone pair and match it to a policy-map
Step 5: Assign zones to the appropriate interfaces
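The five steps above carried through as one Cisco IOS configuration. This is an added example, not from the original slides; the zone names, class/policy names and interface numbers are assumptions.

```cisco
! Constructed example (not from the slides): ZBF with INSIDE and OUTSIDE zones.
! Assumed interfaces: GigabitEthernet0/0 = LAN, GigabitEthernet0/1 = Internet.
!
! Step 1: Create the zones
zone security INSIDE
 description Trusted LAN
zone security OUTSIDE
 description Untrusted Internet
!
! Step 2: Identify traffic with a class-map (match-any = any listed protocol)
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
! Step 3: Define an action with a policy-map
!   inspect  = stateful inspection; return traffic for these sessions is
!              allowed back in automatically
!   drop log = everything not matched above is dropped and logged
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
!
! Step 4: Identify a zone pair and match it to a policy-map
!   Direction matters: this pair covers INSIDE -> OUTSIDE only. No zone pair
!   is defined for OUTSIDE -> INSIDE, so unsolicited inbound traffic is
!   dropped: traffic between two zones is denied unless a policy permits it.
!   Traffic to/from the router itself uses the built-in "self" zone, which is
!   permitted by default unless a policy is applied to it.
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
! Step 5: Assign zones to the appropriate interfaces
interface GigabitEthernet0/0
 description LAN
 zone-member security INSIDE
interface GigabitEthernet0/1
 description Internet
 zone-member security OUTSIDE
!
! Verification: confirm the pair is bound to the policy and watch sessions
! show zone-pair security
! show policy-map type inspect zone-pair sessions
```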
9. VLAN HOPPING
Security Best Practices:
Disable auto-trunking on user-facing ports (DTP off)
Disable unused ports and put them in an unused VLAN
Be paranoid: do not use VLAN 1 for anything (change the native VLAN number)
Use all-tagged mode for the native VLAN on trunks
Disable autonegotiation on trunk ports
Explicitly configure trunking on infrastructure ports
Use PC Voice VLAN Access on phones that support it
Use 802.1Q tagging on trunk ports
12. DATA CENTER TECHNOLOGIES
vPC vs. VSS – Contrast & Comparison:
Both support multi-chassis EtherChannel
vPC runs on Nexus, while VSS runs on Catalyst 6500s
vPC keeps separate control and management planes per chassis, while VSS presents one logical switch
13. LA FIN
Security – business case:
"Cisco Connect 2015" conference keynote "Connect the Unconnected", Christian Heinel, Security Evangelist, Cisco Danmark, Copenhagen
Networkworld.com ezine
Security– Zone-Based Policy Firewall:
CBTNuggets "CCNA Security" with Keith Barker
CiscoPress "Implementing Cisco IOS Network Security (IINS 640-554) Foundation Learning Guide, 2nd Edition"
Security– VLAN Hopping:
Webopedia definition
Firewall.cx article
Data Center – High Availability:
VSS: Cisco.com catalyst-6500-virtual-switching-system-1440
vPC: mycciedatacenter.blogspot.com
CREDITS: