CCNA Security - Chapter 6


Published on

1 Comment
No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

CCNA Security - Chapter 6

  1. 1. CCNA Security Chapter Six Securing the Local Area Network© 2009 Cisco Learning Institute. 1
  2. 2. Lesson Planning • This lesson should take 3-4 hours to present • The lesson should include lecture, demonstrations, discussions and assessments • The lesson can be taught in person or using remote instruction© 2009 Cisco Learning Institute. 2
  3. 3. Major Concepts • Describe endpoint vulnerabilities and protection methods • Describe basic Catalyst switch vulnerabilities • Configure and verify switch security features, including port security and storm control • Describe the fundamental security considerations of Wireless, VoIP, and SANs© 2009 Cisco Learning Institute. 3
  4. 4. Lesson Objectives Upon completion of this lesson, the successful participant will be able to: 1. Describe endpoint security and the enabling technologies 2. Describe how Cisco IronPort is used to ensure endpoint security 3. Describe how Cisco NAC products are used to ensure endpoint security 4. Describe how the Cisco Security Agent is used to ensure endpoint security 5. Describe the primary considerations for securing the Layer 2 infrastructure 6. Describe MAC address spoofing attacks and MAC address spoofing attack mitigation© 2009 Cisco Learning Institute. 4
  5. 5. Lesson Objectives 7. Describe MAC Address table overflow attacks and MAC Address table overflow attack mitigation 8. Describe STP manipulation attacks and STP manipulation attack mitigation 9. Describe LAN Storm attacks and LAN Storm attack mitigation 10. Describe VLAN attacks and VLAN attack mitigation 11. Describe how to configure port security 12. Describe how to verify port security 13. Describe how to configure and verify BPDU Guard and Root Guard 14. Describe how to configure and verify storm control 15. Describe and configure Cisco SPAN 16. Describe and configure Cisco RSPAN© 2009 Cisco Learning Institute. 5
  6. 6. Lesson Objectives 17. Describe the best practices for Layer 2 security 18. Describe the fundamental aspects of enterprise security for advanced technologies 19. Describe the fundamental aspects of wireless security and the enabling technologies 20. Describe wireless security solutions 21. Describe the fundamental aspects of VoIP security and the enabling technologies Reference: CIAG course on VoIP security. 22. Describe VoIP security solutions 23. Describe the fundamental aspects of SAN security and the enabling technologies 24. Describe SAN security solutions© 2009 Cisco Learning Institute. 6
  7. 7. Securing the LAN Perimeter MARS ACS Areas of concentration: Firewall •Securing endpoints •Securing network Internet VPN IPS infrastructure Iron Port Hosts Web Email Server Server DNS LAN© 2009 Cisco Learning Institute. 7
  8. 8. Addressing Endpoint Security Policy Compliance Infection Containment Secure Host Based on three elements: Threat •Cisco Network Admission Control (NAC) Protection •Endpoint protection •Network infection containment© 2009 Cisco Learning Institute. 8
  9. 9. Operating SystemsBasic Security Services • Trusted code and trusted path – ensures that the integrity of the operating system is not violated • Privileged context of execution – provides identity authentication and certain privileges based on the identity • Process memory protection and isolation – provides separation from other users and their data • Access control to resources – ensures confidentiality and integrity of data© 2009 Cisco Learning Institute. 9
  10. 10. Types of Application Attacks I have gained direct Direct access to this application’s privileges I have gained access to this system which is trusted by the other system, allowing me to Indirect access it.© 2009 Cisco Learning Institute. 10
  11. 11. Cisco Systems EndpointSecurity Solutions Cisco Security Agent IronPort Cisco NAC© 2009 Cisco Learning Institute. 11
  12. 12. Cisco IronPort Products IronPort products include: •E-mail security appliances for virus and spam control •Web security appliance for spyware filtering, URL filtering, and anti-malware •Security management appliance© 2009 Cisco Learning Institute. 12
  13. 13. IronPort C-Series Before IronPort After IronPort Internet Internet Firewall FirewallEncryption Platform DLP MTA Scanner Antispam Antivirus IronPort E-mail Security Appliance DLP Policy Manager Policy Enforcement Mail Routing Groupware Groupware Users Users© 2009 Cisco Learning Institute. 13
  14. 14. IronPort S-Series Before IronPort After IronPort Internet Internet Firewall Firewall Web Proxy Antispyware Antivirus IronPort S- Series Antiphishing URL Filtering Policy Management Users Users© 2009 Cisco Learning Institute. 14
  15. 15. Cisco NAC The purpose of NAC:  Allow only authorized and compliant systems to access the network  To enforce network security policy NAC Framework Cisco NAC Appliance • Software module • In-band Cisco NAC embedded within NAC- Appliance solution can enabled products be used on any switch or • Integrated framework router platform leveraging multiple Cisco • Self-contained, turnkey and NAC-aware vendor solution products© 2009 Cisco Learning Institute. 15
  16. 16. The NAC Framework Network Access Devices Policy Server Hosts Attempting Enforcement Decision Points Network Access and Remediation AAA Vendor Server Credentials Servers Credentials Credentials EAP/UDP, HTTPS RADIUS EAP/802.1x Cisco Access Rights Trust Comply? Agent Notification© 2009 Cisco Learning Institute. 16
  17. 17. NAC Components • Cisco NAS • Cisco NAA Serves as an in-band or out-of- Optional lightweight client for band device for network access device-based registry scans in control unmanaged environments • Cisco NAM • Rule-set updates Centralizes management for Scheduled automatic updates administrators, support for antivirus, critical hotfixes, personnel, and operators and other applications M G R© 2009 Cisco Learning Institute. 17
  18. 18. Cisco NAC Appliance Process 1. Host attempts to access a web page or uses THE GOAL an optional client. Network access is blocked until wired or wireless host provides login information. Authentication Server M G R Cisco NAM 2. Host is redirected to a login page. Cisco NAS Intranet/ Cisco NAC Appliance validates Network username and password, also performs device and network scans 3. The host is authenticated and optionally to assess vulnerabilities on device. scanned for posture compliance 3b. Device is “clean”. 3a. Device is noncompliant Quarantine Machine gets on “certified or login is incorrect. Role devices list” and is granted Host is denied access and assigned access to network. to a quarantine role with access to online remediation resources.© 2009 Cisco Learning Institute. 18
  19. 19. Access Windows Scan is performed (types of checks depend on user role) Login Screen Scan fails Remediate 4.© 2009 Cisco Learning Institute. 19
  20. 20. CSA Architecture Administration Server Protected by Workstation Cisco Security Agent Alerts Events SSL Security Policy Management Center for Cisco Security Agent with Internal or External Database© 2009 Cisco Learning Institute. 20
  21. 21. CSA Overview Application Execution File System Network Configuration Space Interceptor Interceptor Interceptor Interceptor Rules Engine State Rules and Policies Correlation Engine Allowed Request Blocked Request© 2009 Cisco Learning Institute. 21
  22. 22. CSA Functionality Execution Network File System Configuration Security Application Space Interceptor Interceptor Interceptor Interceptor Distributed Firewall X ― ― ― Host Intrusion X ― ― X Prevention Application ― X X X Sandbox Network Worm X ― ― X Prevention File Integrity Monitor ― X X ―© 2009 Cisco Learning Institute. 22
  23. 23. Attack Phases – Probe phase • Ping scans • Port scans – Penetrate phase • Transfer exploit Server code to target Protected by Cisco Security – Persist phase Agent • Install new code • Modify configuration – File system interceptor – Propagate phase – Network interceptor – Configuration interceptor • Attack other – Execution space targets interceptor – Paralyze phase • Erase files • Crash system • Steal data© 2009 Cisco Learning Institute. 23
  24. 24. CSA Log Messages© 2009 Cisco Learning Institute. 24
  25. 25. Layer 2 Security Perimeter MARS ACS Firewall Internet VPN IPS Iron Port Hosts Web Email Server Server DNS© 2009 Cisco Learning Institute. 25
  26. 26. OSI Model When it comes to networking, Layer 2 is often a very weak link. Application Stream Application Application Presentation Presentation Compromised Session Session Transport Protocols and Ports Transport Network IP Addresses Network Data Link Initial Compromise MAC Addresses Data Link Physical Links Physical Physical© 2009 Cisco Learning Institute. 26
  27. 27. MAC Address Spoofing Attack 1 2 The switch keeps track of the Switch Port AABBcc 12AbDd endpoints by maintaining a MAC address table. In MAC spoofing, the attacker poses as another host—in this case, MAC AABBcc Address: AABBcc MAC Address: Port 1 12AbDd Port 2 MAC Address: Attacker AABBcc I have associated Ports 1 and 2 with the MAC addresses of the devices attached. Traffic destined for each device will be forwarded directly.© 2009 Cisco Learning Institute. 27
  28. 28. MAC Address Spoofing Attack I have changed the MAC 1 2 Switch Port address on my computer to match the server. AABBcc 1 2 AABBcc Attacker MAC Address: MAC AABBcc Address: Port 1 Port 2 AABBcc The device with MAC address AABBcc has changed locations to Port2. I must adjust my MAC address table accordingly.© 2009 Cisco Learning Institute. 28
  29. 29. MAC Address Table Overflow Attack The switch can forward frames between PC1 and PC2 without flooding because the MAC address table contains port-to-MAC- address mappings in the MAC address table for these PCs.© 2009 Cisco Learning Institute. 29
  30. 30. MAC Address Table Overflow Attack 2 Bogus addresses are 1 added to the CAM Intruder runs macof table. CAM table is full. to begin sending MAC Port unknown bogus MAC addresses. X 3/25 Y 3/25 3/25 MAC X 3/25 MAC Y C 3/25 3/25 MAC Z XYZ 3/25 Host C VLAN 10 VLAN 10 VLAN 10 flood 3 The switch floods the frames. 4 Attacker sees traffic to servers B and D. A B C D© 2009 Cisco Learning Institute. 30
  31. 31. STP Manipulation Attack • Spanning tree protocol Root Bridge Priority = 8192 operates by electing a MAC Address= 0000.00C0.1234 root bridge F F • STP builds a tree topology F F • STP manipulation changes the topology of a network—the attacking F B host appears to be the root bridge© 2009 Cisco Learning Institute. 31
  32. 32. STP Manipulation Attack Root Bridge Priority = 8192 F F B F F F F F F B F F ST iority ity DU Pr =0 PB = Root Pr P BP Bridge PD 0 ior ST U Attacker The attacking host broadcasts out STP configuration and topology change BPDUs. This is an attempt to force spanning tree recalculations.© 2009 Cisco Learning Institute. 32
  33. 33. LAN Storm Attack Broadcast Broadcast Broadcast Broadcast Broadcast Broadcast Broadcast Broadcast Broadcast Broadcast Broadcast Broadcast • Broadcast, multicast, or unicast packets are flooded on all ports in the same VLAN. • These storms can increase the CPU utilization on a switch to 100%, reducing the performance of the network.© 2009 Cisco Learning Institute. 33
  34. 34. Storm ControlTotalnumber ofbroadcastpacketsor bytes© 2009 Cisco Learning Institute. 34
  35. 35. VLAN Attacks  Segmentatio n  Flexibility  Security VLAN = Broadcast Domain = Logical Network (Subnet)© 2009 Cisco Learning Institute. 35
  36. 36. VLAN Attacks 802.1Q VLAN 10 k Trunk un Tr Q VLAN Server 2.1 20 80 Attacker sees traffic destined for servers Server A VLAN hopping attack can be launched in two ways: • Spoofing DTP Messages from the attacking host to cause the switch to enter trunking mode • Introducing a rogue switch and turning trunking on© 2009 Cisco Learning Institute. 36
  37. 37. Double-Tagging VLAN Attack 1 Attacker on VLAN 10, but puts a 20 tag in the packet The first switch strips off the first tag and 2 does not retag it (native traffic is not 80 20 retagged). It then forwards the packet to 2. 1Q ,1 0 switch 2. , 80 The second switch 2. receives the packet, on 1Q 20 3 the native VLAN 802.1Q, Frame Trunk Fra (Native VLAN = 10) m e 4 The second switch examines the packet, Victim Note: This attack works only if the sees the VLAN 20 tag and (VLAN 20) forwards it accordingly. trunk has the same native VLAN as the attacker.© 2009 Cisco Learning Institute. 37
  38. 38. Port Security Overview Port 0/1 allows MAC A Port 0/2 allows MAC B MAC A Port 0/3 allows MAC C 0/1 0/2 0/3 MAC A MAC F Attacker 1 Attacker 2 Allows an administrator to statically specify MAC Addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses© 2009 Cisco Learning Institute. 38
  39. 39. CLI Commands Switch(config-if)# switchport mode access • Sets the interface mode as access Switch(config-if)# switchport port-security • Enables port security on the interface Switch(config-if)# switchport port-security maximum value • Sets the maximum number of secure MAC addresses for the interface (optional)© 2009 Cisco Learning Institute. 39
  40. 40. Switchport Port-Security ParametersParameter Descriptionmac-address mac-address (Optional) Specify a secure MAC address for the port by entering a 48-bit MAC aaddress. You can add additional secure MAC addresses up to the maximum value configured.vlan vlan-id (Optional) On a trunk port only, specify the VLAN ID and the MAC address. If no VLAN ID is specified, the native VLAN is used.vlan access (Optional) On an access port only, specify the VLAN as an access VLAN.vlan voice (Optional) On an access port only, specify the VLAN as a voice VLANmac-address sticky (Optional) Enable the interface for sticky learning by entering only the mac-address sticky keywords. When sticky [mac-address] learning is enabled, the interface adds all secure MAC addresses that are dynamically learned to the running configuration and converts these addresses to sticky secure MAC addresses. Specify a sticky secure MAC address by entering the mac-address sticky mac-address keywords..maximum value (Optional) Set the maximum number of secure MAC addresses for the interface. The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system. The active Switch Database Management (SDM) template determines this number. This number represents the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces. The default setting is 1.vlan [vlan-list] (Optional) For trunk ports, you can set the maximum number of secure MAC addresses on a VLAN. If the vlan keyword is not entered, the default value is used. vlan: set a per-VLAN maximum value. vlan vlan-list: set a per-VLAN maximum value on a range of VLANs separated by a hyphen or a series of VLANs separated by commas. For nonspecified VLANs, the per-VLAN maximum value is used. © 2009 Cisco Learning Institute. 40
  41. 41. Port Security Violation Configuration Switch(config-if)# switchport port-security violation {protect | restrict | shutdown} • Sets the violation mode (optional) Switch(config-if)# switchport port-security mac-address mac-address • Enters a static secure MAC address for the interface (optional) Switch(config-if)# switchport port-security mac-address sticky • Enables sticky learning on the interface (optional)© 2009 Cisco Learning Institute. 41
  42. 42. Switchport Port-Security ViolationParameters Parameter Description protect (Optional) Set the security violation protect mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred. restrict (Optional) Set the security violation restrict mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred. shutdown (Optional) Set the security violation shutdown mode. In this mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and increments the violation counter. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shut down interface configuration commands. shutdown Set the security violation mode to per-VLAN shutdown. In this mode, only the VLAN on vlan which the violation occurred is error-disabled.© 2009 Cisco Learning Institute. 42
  43. 43. Port Security Aging Configuration Switch(config-if)# switchport port-security aging {static | time time | type {absolute | inactivity}} • Enables or disables static aging for the secure port or sets the aging time or type • The aging command allows MAC-Addresses on the Secure switchport to be deleted after the set aging time • This helps to avoid a situation where obsolete MAC- Address occupy the table and saturates causing a violation (when the max number exceeds)© 2009 Cisco Learning Institute. 43
  44. 44. Switchport Port-SecurityAging Parameters Parameter Description static Enable aging for statically configured secure addresses on this port. time time Specify the aging time for this port. The range is 0 to 1440 minutes. If the time is 0, aging is disabled for this port. type absolute Set absolute aging type. All the secure addresses on this port age out exactly after the time (minutes) specified and are removed from the secure address list. type inactivity Set the inactivity aging type. The secure addresses on this port age out only if there is no data traffic from the secure source address for the specified time period.© 2009 Cisco Learning Institute. 44
  45. 45. Typical Configuration S2 PC B Switch(config-if)# switchport mode access switchport port-security switchport port-security maximum 2 switchport port-security violation shutdown switchport port-security mac-address sticky switchport port-security aging time 120© 2009 Cisco Learning Institute. 45
  46. 46. CLI Commands sw-class# show port-security Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action (Count) (Count) (Count) --------------------------------------------------------------------------- Fa0/12 2 0 0 Shutdown --------------------------------------------------------------------------- Total Addresses in System (excluding one mac per port) :0 Max Addresses limit in System (excluding one mac per port) : 1024 sw-class# show port-security interface f0/12 Port Security : Enabled Port status : Secure-down Violation mode : Shutdown Maximum MAC Addresses : 2 Total MAC Addresses : 1 Configured MAC Addresses : 0 Aging time : 120 mins Aging type : Absolute SecureStatic address aging : Disabled Security Violation Count : 0© 2009 Cisco Learning Institute. 46
  47. 47. View Secure MAC Addresses sw-class# show port-security address Secure Mac Address Table ------------------------------------------------------------------- Vlan Mac Address Type Ports Remaining Age (mins) ---- ----------- ---- ----- ------------- 1 0000.ffff.aaaa SecureConfigured Fa0/12 - ------------------------------------------------------------------- Total Addresses in System (excluding one mac per port) : 0 Max Addresses limit in System (excluding one mac per port) : 1024© 2009 Cisco Learning Institute. 47
  48. 48. MAC Address Notification MAC B SNMP traps sent to NMS NMS when new MAC addresses appear or F1/2 when old ones time out. F1/1 Switch CAM Table F2/1 MAC A F1/1 = MAC A F1/2 = MAC B MAC D is away F2/1 = MAC D from the (address ages out) network. MAC address notification allows monitoring of the MAC addresses, at the module and port level, added by the switch or removed from the CAM table for secure ports.© 2009 Cisco Learning Institute. 48
  49. 49. Configure Portfast Server Workstatio n Command Description Switch(config-if)# spanning- Enables PortFast on a Layer 2 access port and forces it to tree portfast enter the forwarding stateimmediately. Switch(config-if)# no Disables PortFast on a Layer 2 access port. PortFast is spanning-tree portfast disabled by default. Switch(config)# spanning-tree Globally enables the PortFast feature on all nontrunking portfast default ports. Switch# show running-config Indicates whether PortFast has been configured on a port. interface type slot/port© 2009 Cisco Learning Institute. 49
  50. 50. BPDU Guard Root Bridge F F F F F B BPDU Guard Enabled STP Attacker BPDU Switch(config)# spanning-tree portfast bpduguard default • Globally enables BPDU guard on all ports with PortFast enabled© 2009 Cisco Learning Institute. 50
  51. 51. Display the State of Spanning TreeSwitch# show spanning-tree summary totalsRoot bridge for: none.PortFast BPDU Guard is enabledUplinkFast is disabledBackboneFast is disabledSpanning tree default pathcost method used is shortName Blocking Listening Learning Forwarding STP Active-------------------- -------- --------- -------- ---------- ---------- 1 VLAN 0 0 0 1 1<output omitted>© 2009 Cisco Learning Institute. 51
  52. 52. Root Guard Root Bridge Priority = 0 F F MAC Address = 0000.0c45.1a5d F F Root Guard Enabled F B F STP BPDU Attacker Priority = 0 MAC Address = 0000.0c45.1234 Switch(config-if)# spanning-tree guard root • Enables root guard on a per-interface basis© 2009 Cisco Learning Institute. 52
  53. 53. Verify Root Guard Switch# show spanning-tree inconsistentports Name Interface Inconsistency -------------------- ---------------------- ------------------ VLAN0001 FastEthernet3/1 Port Type Inconsistent VLAN0001 FastEthernet3/2 Port Type Inconsistent VLAN1002 FastEthernet3/1 Port Type Inconsistent VLAN1002 FastEthernet3/2 Port Type Inconsistent VLAN1003 FastEthernet3/1 Port Type Inconsistent VLAN1003 FastEthernet3/2 Port Type Inconsistent VLAN1004 FastEthernet3/1 Port Type Inconsistent VLAN1004 FastEthernet3/2 Port Type Inconsistent VLAN1005 FastEthernet3/1 Port Type Inconsistent VLAN1005 FastEthernet3/2 Port Type Inconsistent Number of inconsistent ports (segments) in the system :10© 2009 Cisco Learning Institute. 53
  54. 54. Storm Control Methods • Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic • Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received • Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received • Traffic rate in packets per second and for small frames. This feature is enabled globally. The threshold for small frames is configured for each interface.© 2009 Cisco Learning Institute. 54
  55. 55. Storm Control Configuration Switch(config-if)# storm-control broadcast level 75.5 Switch(config-if)# storm-control multicast level pps 2k 1k Switch(config-if)# storm-control action shutdown • Enables storm control • Specifies the level at which it is enabled • Specifies the action that should take place when the threshold (level) is reached, in addition to filtering traffic© 2009 Cisco Learning Institute. 55
  56. 56. Storm Control Parameters Parameter Description broadcast This parameter enables broadcast storm control on the interface. multicast This parameter enables multicast storm control on the interface. unicast This parameter enables unicast storm control on the interface. level level [level-low] Rising and falling suppression levels as a percentage of total bandwidth of the port. • level: Rising suppression level. The range is 0.00 to 100.00. Block the flooding of storm packets when the value specified for level is reached. • level-low: (Optional) Falling suppression level, up to two decimal places. This value must be less than or equal to the rising suppression value. level bps bps [bps-low] Specify the rising and falling suppression levels as a rate in bits per second at which traffic is received on the port. • bps: Rising suppression level. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for bps is reached. • bps-low: (Optional) Falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value. level pps pps [pps-low] Specify the rising and falling suppression levels as a rate in packets per second at which traffic is received on the port. • pps: Rising suppression level. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for pps is reached. • pps-low: (Optional) Falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value. action {shutdown|trap} The action taken when a storm occurs on a port. The default action is to filter traffic and to not send an SNMP trap. The keywords have these meanings: • shutdown: Disables the port during a storm • trap: Sends an SNMP trap when a storm occurs© 2009 Cisco Learning Institute. 56
  57. 57. Verify Storm Control Settings Switch# show storm-control Interface Filter State Upper Lower Current --------- ------------- ---------- --------- ---------Gi0/1 Forwarding 20 pps 10 pps 5 pps Gi0/2 Forwarding 50.00% 40.00% 0.00% <output omitted>© 2009 Cisco Learning Institute. 57
  58. 58. Mitigating VLAN Attacks Trunk (Native VLAN = 10) 1. Disable trunking on all access ports. 2. Disable auto trunking and manually enable trunking 3. Be sure that the native VLAN is used only for trunk lines and no where else© 2009 Cisco Learning Institute. 58
  59. 59. Controlling Trunking Switch(config-if)# switchport mode trunk • Specifies an interface as a trunk link . Switch(config-if)# switchport nonegotiate • Prevents the generation of DTP frames. Switch(config-if)# switchport trunk native vlan vlan_number • Set the native VLAN on the trunk to an unused VLAN© 2009 Cisco Learning Institute. 59
  60. 60. Traffic Analysis IDS RMON Probe Protocol Analyzer  A SPAN port mirrors traffic to “Intruder Alert!” another port where a monitoring device is connected.  Without this, it can be difficult to track hackers after they have entered the network. Attacker© 2009 Cisco Learning Institute. 60
  61. 61. CLI Commands Switch(config)# monitor session session_number source {interface interface-id [, | -] [both | rx | tx]} | {vlan vlan- id [, | -] [both | rx | tx]}| {remote vlan vlan-id} Switch(config)# monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate] [ingress {dot1q vlan vlan-id | isl | untagged vlan vlan-id | vlan vlan-id}]} | {remote vlan vlan-id}© 2009 Cisco Learning Institute. 61
  62. 62. Verify SPAN Configuration© 2009 Cisco Learning Institute. 62
  63. 63. SPAN and IDS IDS F0/2 Use SPAN to mirror traffic in F0/1 and out of port F0/1 to port F0/2. Attacker© 2009 Cisco Learning Institute. 63
  64. 64. Overview of RSPAN “Intruder • An RSPAN port mirrors traffic Alert!” to another port on another IDS switch where a probe or IDS sensor is connected. • This allows more switches to Source VLAN be monitored with a single RSPAN VLAN probe or IDS. Source VLAN Attacker Source VLAN© 2009 Cisco Learning Institute. 64
  65. 65. Configuring RSPAN 1. Configure the RPSAN VLAN 2960-1(config)# vlan 100 2960-1(config-vlan)# remote-span 2960-1(config-vlan)# exit 2960-1 2960-2 2. Configure the RSPAN source ports and VLANs 2960-1(config)# monitor session 1 source interface FastEthernet 0/1 2960-1(config)# monitor session 1 destination remote vlan 100 reflector-port FastEthernet 0/24 2960-1(config)# interface FastEthernet 0/2 2960-1(config-if)# switchport mode trunk 3. Configure the RSPAN traffic to be forwarded2960-2(config)# monitor session 2 source remote vlan 1002960-2(config)# monitor session 2 destination interface FastEthernet 0/32960-2(config)# interface FastEthernet 0/22960-2(config-if)# switchport mode trunk © 2009 Cisco Learning Institute. 65
  66. 66. Verifying RSPAN Configuration 2960-1 2960-2 show monitor [session {session_number | all | local | range list | remote} [detail]] [ | {begin | exclude | include}expression]© 2009 Cisco Learning Institute. 66
  67. 67. Layer 2 Guidelines • Manage switches in as secure a manner as possible (SSH, out-of-band management, ACLs, etc.) • Set all user ports to non-trunking mode (except if using Cisco VoIP) • Use port security where possible for access ports • Enable STP attack mitigation (BPDU guard, root guard) • Use Cisco Discovery Protocol only where necessary – with phones it is useful • Configure PortFast on all non-trunking ports • Configure root guard on STP root ports • Configure BPDU guard on all non-trunking ports© 2009 Cisco Learning Institute. 67
  68. 68. VLAN Practices • Always use a dedicated, unused native VLAN ID for trunk ports • Do not use VLAN 1 for anything • Disable all unused ports and put them in an unused VLAN • Manually configure all trunk ports and disable DTP on trunk ports • Configure all non-trunking ports with switchport mode access© 2009 Cisco Learning Institute. 68
  69. 69. Overview of Wireless, VoIP Security Wireless VoIP© 2009 Cisco Learning Institute. 69
  70. 70. Overview of SAN Security SAN© 2009 Cisco Learning Institute. 70
  71. 71. Infrastructure-Integrated Approach • Proactive threat and intrusion detection capabilities that do not simply detect wireless attacks but prevent them • Comprehensive protection to safeguard confidential data and communications • Simplified user management with a single user identity and policy • Collaboration with wired security systems© 2009 Cisco Learning Institute. 71
  72. 72. Cisco IP Telephony Solutions • Single-site deployment • Centralized call processing with remote branches • Distributed call- processing deployment • Clustering over the IPWAN© 2009 Cisco Learning Institute. 72
  73. 73. Storage Network Solutions • Investment protection • Virtualization • Security • Consolidation • Availability© 2009 Cisco Learning Institute. 73
  74. 74. Cisco Wireless LAN Controllers • Responsible for system-wide wireless LAN functions • Work in conjunction with Aps and the Cisco Wireless Control System (WCS) to support wireless applications • Smoothly integrate into existing enterprise networks© 2009 Cisco Learning Institute. 74
  75. 75. Wireless Hacking • War driving • A neighbor hacks into another neighbor’s wireless network to get free Internet access or access information • Free Wi-Fi provides an opportunity to compromise the data of users© 2009 Cisco Learning Institute. 75
  76. 76. Hacking Tools • Network Stumbler • Kismet • AirSnort • CoWPAtty • ASLEAP • Wireshark© 2009 Cisco Learning Institute. 76
  77. 77. Safety Considerations • Wireless networks using WEP or WPA/TKIP are not very secure and vulnerable to hacking attacks. • Wireless networks using WPA2/AES should have a passphrase of at least 21 characters long. • If an IPsec VPN is available, use it on any public wireless LAN. • If wireless access is not needed, disable the wireless radio or wireless NIC.© 2009 Cisco Learning Institute. 77
  78. 78. VoIP Business Advantages PSTN VoIP • Little or no training costs Gateway • Mo major set-up fees • Lower telecom call costs • Enables unified • Productivity increases messaging • Lower costs to move, add, • Encryption of voice calls is or change supported • Lower ongoing service • Fewer administrative and maintenance costs personnel required© 2009 Cisco Learning Institute. 78
  79. 79. VoIP Components PSTN Cisco Unified Communications Manager (Call Agent) IP Backbone MCU PBX Cisco Router/ Router/ Unity Gateway Gateway Router/ IP Gateway Phone IP Phone Videoconference Station© 2009 Cisco Learning Institute. 79
  80. 80. VoIP Protocols VoIP Protocol Description ITU standard protocol for interactive conferencing; evolved from H.320 H.323 ISDN standard; flexible, complex MGCP Emerging IETF standard for PSTN gateway control; thin device control Joint IETF and ITU standard for gateway control with support for multiple Megaco/H.248 gateway types; evolved from MGCP standard IETF protocol for interactive and noninteractive conferencing; simpler but SIP less mature than H.323 ETF standard media-streaming protocol RTP IETF protocol that provides out-of-band control information for an RTP flow RTCP IETF protocol that encrypts RTP traffic as it leaves the SRTP voice device Cisco proprietary protocol used between Cisco Unified Communications SCCP Manager and Cisco IP phones© 2009 Cisco Learning Institute. 80
  81. 81. Threats • Reconnaissance • Directed attacks such as spam over IP telephony (SPIT) and spoofing • DoS attacks such as DHCP starvation, flooding, and fuzzing • Eavesdropping and man-in-the-middle attacks© 2009 Cisco Learning Institute. 81
  82. 82. VoIP SPIT • If SPIT grows like spam, it could result in regular DoS problems for network administrators. • Antispam methods do not block SPIT. • Authenticated TLS stops most SPIT attacks because TLS endpoints accept packets only from trusted devices. You’ve just won an all expenses paid vacation to the U.S. Virgin Islands !!!© 2009 Cisco Learning Institute. 82
  83. 83. Fraud • Fraud takes several forms: – Vishing—A voice version of phishing that is used to compromise confidentiality. – Theft and toll fraud—The stealing of telephone services. • Use features of Cisco Unified Communications Manager to protect against fraud. – Partitions limit what parts of the dial plan certain phones have access to. – Dial plans filter control access to exploitive phone numbers. – FACs prevent unauthorized calls and provide a mechanism for tracking.© 2009 Cisco Learning Institute. 83
  84. 84. SIP Vulnerabilities • Registration hijacking: Allows a hacker to intercept incoming calls and reroute them. Location SIP Servers/Services Registrar Registrar Database • Message tampering: Allows a hacker to modify data packets SIP Proxy traveling between SIP addresses. • Session tear-down: SIP User Agents SIP User Agents Allows a hacker to terminate calls or carry out VoIP-targeted DoS attacks.© 2009 Cisco Learning Institute. 84
  85. 85. Using VLANs Voice VLAN = 110 Data VLAN = 10 5/1 IP phone Desktop PC 802.1Q Trunk • Creates a separate broadcast domain for voice traffic • Protects against eavesdropping and tampering • Renders packet-sniffing tools less effective • Makes it easier to implement VACLs that are specific to voice traffic© 2009 Cisco Learning Institute. 85
  86. 86. Using Cisco ASA AdaptiveSecurity Appliances • Ensure SIP, SCCP, H.323, and MGCP requests conform to standards • Prevent inappropriate SIP methods from being sent to Cisco Unified Communications Manager • Rate limit SIP requests Cisco Adaptive • Enforce policy of calls (whitelist, Security Appliance WAN blacklist, caller/called party, SIP URI) Cisco Adaptive Security Appliance • Dynamically open ports for Cisco Internet applications • Enable only “registered phones” to make calls • Enable inspection of encrypted phone calls© 2009 Cisco Learning Institute. 86
  87. 87. Using VPNs • Use IPsec for authentication Telephony • Use IPsec to protect Servers all traffic, not just voice • Consider SLA with service provider • Terminate on a VPN concentrator or large router inside of firewall to IP WAN gain these benefits: • Performance SRST • Reduced configuration complexity Router • Managed organizational boundaries© 2009 Cisco Learning Institute. 87
  88. 88. Using Cisco Unified CommunicationsManager • Signed firmware • Signed configuration files • Disable: – PC port – Setting button – Speakerphone – Web access© 2009 Cisco Learning Institute. 88
  89. 89. SAN Security Considerations IP Network SAN Specialized network that enables fast, reliable access among servers and external storage resources© 2009 Cisco Learning Institute. 89
  90. 90. SAN Transport Technologies • Fibre Channel – the primary SAN transport for host-to-SAN connectivity • iSCSI – maps SCSI over LAN TCP/IP and is another host-to-SAN connectivity model • FCIP – a popular SAN-to- SAN connectivity model© 2009 Cisco Learning Institute. 90
  91. 91. World Wide Name • A 64-bit address that Fibre Channel networks use to uniquely identify each element in a Fibre Channel network • Zoning can utilize WWNs to assign security permissions • The WWN of a device is a user-configurable parameter. Cisco MDS 9020 Fabric Switch© 2009 Cisco Learning Institute. 91
  92. 92. Zoning Operation • Zone members see only other members of the zone. SAN • Zones can be configured Disk2 Disk3 dynamically based on WWN. ZoneA Host1 Disk1 ZoneC • Devices can be members of more than one zone. Disk4 Host2 • Switched fabric zoning can take ZoneB place at the port or device level: based on physical switch An example of Zoning. Note that port or based on device WWN devices can be members of more or based on LUN ID. than 1 zone.© 2009 Cisco Learning Institute. 92
  93. 93. Virtual Storage Area Network (VSAN) Cisco MDS 9000 Family with VSAN Service Physical SAN islands are virtualized onto common SAN infrastructure© 2009 Cisco Learning Institute. 93
  94. 94. Security Focus SAN Protocol Target Access SAN Management SAN Access Fabric Access Secure SAN IP Storage access Data Integrity and Secrecy© 2009 Cisco Learning Institute. 94
  95. 95. SAN Management Three main areas of vulnerability: 1. Disruption of switch processing 2. Compromised fabric stability 3. Compromised data integrity and confidentiality© 2009 Cisco Learning Institute. 95
  96. 96. Fabric and Target Access Three main areas of focus: • Application data integrity • LUN integrity • Application performance© 2009 Cisco Learning Institute. 96
  97. 97. VSANs Relationship of VSANs to Zones Physical Topology VSAN 2 Two VSANs each with Disk2 Disk3 multiple zones. Disks and Host1 Disk1 ZoneA ZoneC hosts are dedicated to Host2 VSANs although both hosts Disk4 ZoneB and disks can belong to multiple zones within a VSAN 3 ZoneD Host4 single VSAN. They cannot, however, span VSANs. ZoneA Host3 Disk5 Disk6© 2009 Cisco Learning Institute. 97
  98. 98. iSCSI and FCIP • iSCSI leverages many of the security features inherent in Ethernet and IP – ACLs are like Fibre Channel zones – VLANs are like Fibre Channel VSANs – 802.1X port security is like Fibre Channel port security • FCIP security leverages many IP security features in Cisco IOS-based routers: – IPsec VPN connections through public carriers – High-speed encryption services in specialized hardware – Can be run through a firewall© 2009 Cisco Learning Institute. 98
  99. 99. © 2009 Cisco Learning Institute. 99