Chapter 6 overview
ali raza
Slide 1: CCNA Security, Chapter Six: Securing the Local Area Network
© 2009 Cisco Learning Institute.
Slide 2: Lesson Planning
• This lesson should take 3-4 hours to present
• The lesson should include lecture, demonstrations, discussions and assessments
• The lesson can be taught in person or using remote instruction
Slide 3: Major Concepts
• Describe endpoint vulnerabilities and protection methods
• Describe basic Catalyst switch vulnerabilities
• Configure and verify switch security features, including port security and storm control
• Describe the fundamental security considerations of Wireless, VoIP, and SANs
Slide 4: Lesson Objectives
Upon completion of this lesson, the successful participant will be able to:
1. Describe endpoint security and the enabling technologies
2. Describe how Cisco IronPort is used to ensure endpoint security
3. Describe how Cisco NAC products are used to ensure endpoint security
4. Describe how the Cisco Security Agent is used to ensure endpoint security
5. Describe the primary considerations for securing the Layer 2 infrastructure
6. Describe MAC address spoofing attacks and MAC address spoofing attack mitigation
Slide 5: Lesson Objectives (continued)
7. Describe MAC address table overflow attacks and MAC address table overflow attack mitigation
8. Describe STP manipulation attacks and STP manipulation attack mitigation
9. Describe LAN storm attacks and LAN storm attack mitigation
10. Describe VLAN attacks and VLAN attack mitigation
11. Describe how to configure port security
12. Describe how to verify port security
13. Describe how to configure and verify BPDU Guard and Root Guard
14. Describe how to configure and verify storm control
15. Describe and configure Cisco SPAN
16. Describe and configure Cisco RSPAN
Slide 6: Lesson Objectives (continued)
17. Describe the best practices for Layer 2 security
18. Describe the fundamental aspects of enterprise security for advanced technologies
19. Describe the fundamental aspects of wireless security and the enabling technologies
20. Describe wireless security solutions
21. Describe the fundamental aspects of VoIP security and the enabling technologies (Reference: CIAG course on VoIP security)
22. Describe VoIP security solutions
23. Describe the fundamental aspects of SAN security and the enabling technologies
24. Describe SAN security solutions
Slide 7: Securing the LAN
[Diagram: Internet, perimeter (Firewall, VPN, IPS, IronPort), LAN hosts, Web Server, Email Server, DNS, MARS and ACS]
Areas of concentration:
• Securing endpoints
• Securing network infrastructure
Slide 8: Endpoint Security
[Diagram labels: Threat Protection, Policy Compliance, Infection Containment, Secure Host Addressing]
Based on three elements:
• Cisco Network Admission Control (NAC)
• Endpoint protection
• Network infection containment
Slide 9: Operating Systems Basic Security Services
• Trusted code and trusted path – ensures that the integrity of the operating system is not violated
• Privileged context of execution – provides identity authentication and certain privileges based on the identity
• Process memory protection and isolation – provides separation from other users and their data
• Access control to resources – ensures confidentiality and integrity of data
Slide 10: Types of Application Attacks
• Direct: "I have gained direct access to this application's privileges."
• Indirect: "I have gained access to this system, which is trusted by the other system, allowing me to access it."
Slide 11: Cisco Systems Endpoint Security Solutions
• Cisco NAC
• IronPort
• Cisco Security Agent
Slide 12: Cisco IronPort Products
IronPort products include:
• E-mail security appliances for virus and spam control
• Web security appliance for spyware filtering, URL filtering, and anti-malware
• Security management appliance
Slide 13: IronPort C-Series
[Diagram. Before IronPort: Internet -> Firewall -> Groupware -> Users. After IronPort: Internet -> Firewall -> IronPort E-mail Security Appliance -> Groupware -> Users. The appliance provides antispam, antivirus, policy enforcement, mail routing, an encryption platform, MTA, DLP scanner and DLP policy manager.]
Slide 14: IronPort S-Series
[Diagram. Before IronPort: Internet -> Firewall -> Users. After IronPort: Internet -> Firewall -> IronPort S-Series -> Users. The appliance provides web proxy, antispyware, antivirus, antiphishing, URL filtering and policy management.]
Slide 15: Cisco NAC
The purpose of NAC:
• Allow only authorized and compliant systems to access the network
• To enforce network security policy
NAC Framework:
• Software module embedded within NAC-enabled products
• Integrated framework leveraging multiple Cisco and NAC-aware vendor products
Cisco NAC Appliance:
• In-band Cisco NAC Appliance solution can be used on any switch or router platform
• Self-contained, turnkey solution
Slide 16: The NAC Framework
[Diagram: hosts attempting network access (running the Cisco Trust Agent) present credentials over EAP/UDP or EAP/802.1x to the network access devices; the devices relay the credentials via RADIUS to the policy server decision points (AAA server, reaching vendor servers over HTTPS for remediation); the policy server decides "Comply?" and returns access rights and a notification, which the network access devices enforce.]
Slide 17: NAC Components
• Cisco NAS: serves as an in-band or out-of-band device for network access control
• Cisco NAM: centralizes management for administrators, support personnel, and operators
• Cisco NAA: optional lightweight client for device-based registry scans in unmanaged environments
• Rule-set updates: scheduled automatic updates for antivirus, critical hotfixes, and other applications
Slide 18: Cisco NAC Appliance Process
[Diagram components: Cisco NAS, Cisco NAM, Authentication Server, Quarantine Role, Intranet/Network]
1. Host attempts to access a web page or uses an optional client. Network access is blocked until the wired or wireless host provides login information.
2. Host is redirected to a login page. Cisco NAC Appliance validates username and password, and also performs device and network scans to assess vulnerabilities on the device.
3. The host is authenticated and optionally scanned for posture compliance.
3a. Device is noncompliant or login is incorrect: host is denied access and assigned to a quarantine role with access to online remediation resources.
3b. Device is "clean": machine gets on the "certified devices list" and is granted access to the network (THE GOAL).
Slide 19: Access Windows
[Screenshots: (4) login screen; a scan is performed (types of checks depend on user role); if the scan fails, the user is directed to remediate.]
Slide 20: CSA Architecture
[Diagram: Management Center for Cisco Security Agent with internal or external database; an administration workstation connects to it over SSL; security policy is pushed to the server protected by Cisco Security Agent, which returns events and alerts.]
Slide 21: CSA Overview
[Diagram: an application's request passes through the File System, Network, Configuration and Execution Space Interceptors to the Rules Engine (driven by rules and policies and by state) and the Correlation Engine, which yields an allowed request or a blocked request.]
Slide 22: CSA Functionality
Security Application      | Network Interceptor | File System Interceptor | Configuration Interceptor | Execution Space Interceptor
Distributed Firewall      | X                   | -                       | -                         | -
Host Intrusion Prevention | X                   | -                       | -                         | X
Application Sandbox       | -                   | X                       | X                         | X
Network Worm Prevention   | X                   | -                       | -                         | X
File Integrity Monitor    | -                   | X                       | X                         | -
Slide 23: Attack Phases
[Diagram: server protected by Cisco Security Agent, with its file system, network, configuration and execution space interceptors]
– Probe phase
  • Ping scans
  • Port scans
– Penetrate phase
  • Transfer exploit code to target
– Persist phase
  • Install new code
  • Modify configuration
– Propagate phase
  • Attack other targets
– Paralyze phase
  • Erase files
  • Crash system
  • Steal data
Slide 24: CSA Log Messages
[Screenshot: CSA log messages]
Slide 25: Layer 2 Security
[Diagram: Internet, perimeter (Firewall, VPN, IPS, IronPort), hosts, Web Server, Email Server, DNS, MARS and ACS]
Slide 26: OSI Model
When it comes to networking, Layer 2 is often a very weak link.
[Diagram: two OSI stacks (Application, Presentation, Session, Transport, Network, Data Link, Physical) annotated with what each layer carries (application stream, protocols and ports, IP addresses, MAC addresses, physical links); an initial compromise at the Data Link layer is shown with all layers marked as compromised.]
Slide 27: MAC Address Spoofing Attack (1 of 2)
[Diagram: switch with Port 1 connected to a host with MAC address AABBcc and Port 2 connected to the attacker with MAC address 12AbDd; MAC address table: AABBcc on Port 1, 12AbDd on Port 2]
Switch: "I have associated Ports 1 and 2 with the MAC addresses of the devices attached. Traffic destined for each device will be forwarded directly."
The switch keeps track of the endpoints by maintaining a MAC address table. In MAC spoofing, the attacker poses as another host, in this case AABBcc.
Slide 28: MAC Address Spoofing Attack (2 of 2)
Attacker: "I have changed the MAC address on my computer to match the server."
Switch: "The device with MAC address AABBcc has changed locations to Port 2. I must adjust my MAC address table accordingly."
[Diagram: the MAC address table now maps AABBcc to Port 2]
Slide 29: MAC Address Table Overflow Attack
The switch can forward frames between PC1 and PC2 without flooding because the MAC address table contains port-to-MAC-address mappings for these PCs.
Slide 30: MAC Address Table Overflow Attack
[Diagram: hosts A (intruder, port 3/25), B, C and D on VLAN 10; CAM table excerpt: MAC X on 3/25, MAC Y on 3/25, MAC C on 3/25]
1. Intruder runs macof to begin sending unknown bogus MAC addresses (X, Y, Z, ... flooding in on port 3/25).
2. Bogus addresses are added to the CAM table.
3. CAM table is full.
4. The switch floods the frames. Attacker sees traffic to servers B and D.
Slide 31: STP Manipulation Attack
• Spanning tree protocol operates by electing a root bridge
• STP builds a tree topology
• STP manipulation changes the topology of a network: the attacking host appears to be the root bridge
[Diagram: root bridge with Priority = 8192 and MAC Address = 0000.00C0.1234; switch ports marked F (forwarding) and B (blocking)]
Slide 32: STP Manipulation Attack (continued)
[Diagram: the legitimate root bridge (Priority = 8192) and the attacker sending STP BPDUs with Priority = 0; port states (F/B) are shown before and after the attacker is elected root]
The attacking host broadcasts out STP configuration and topology change BPDUs. This is an attempt to force spanning tree recalculations.
Slide 33: LAN Storm Attack
• Broadcast, multicast, or unicast packets are flooded on all ports in the same VLAN.
• These storms can increase the CPU utilization on a switch to 100%, reducing the performance of the network.
[Diagram: broadcast frames replicated out of every switch port]
Slide 34: Storm Control
[Graph: total number of broadcast packets or bytes]
Slide 35: VLAN Attacks
VLAN = Broadcast Domain = Logical Network (Subnet)
• Segmentation
• Flexibility
• Security
Slide 36: VLAN Attacks
[Diagram: attacker and servers on VLAN 10 and VLAN 20 connected over 802.1Q trunks; the attacker sees traffic destined for the servers]
A VLAN hopping attack can be launched in two ways:
• Spoofing DTP messages from the attacking host to cause the switch to enter trunking mode
• Introducing a rogue switch and turning trunking on
Slide 37: Double-Tagging VLAN Attack
[Diagram: attacker on VLAN 10, two switches joined by an 802.1Q trunk with Native VLAN = 10, victim on VLAN 20; the frame carries tags 20,10 (802.1Q, 802.1Q, Frame) on the first hop and a single 20 tag (802.1Q, Frame) on the second]
1. Attacker is on VLAN 10, but puts a 20 tag in the packet.
2. The first switch strips off the first tag and does not retag it (native traffic is not retagged). It then forwards the packet to switch 2.
3. The second switch receives the packet on the native VLAN.
4. The second switch examines the packet, sees the VLAN 20 tag and forwards it accordingly.
Note: This attack works only if the trunk has the same native VLAN as the attacker.
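A detection-side view of the slide: the check below parses stacked 802.1Q tags from raw Ethernet frames (for instance frames mirrored from a trunk with SPAN) and flags the pattern the slide describes, an outer tag equal to the trunk's native VLAN with a different inner tag. This is an added example, not part of the original deck; the MAC addresses, VLAN numbers and frames are constructed sample data.

```python
"""Detector for the double-tagging pattern described on slide 37.

Added example, not part of the original slide deck. Frames, MAC addresses
and VLAN numbers below are constructed sample data.
"""
import struct
from typing import List, NamedTuple

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag


class TaggedFrame(NamedTuple):
    dst: str
    src: str
    vids: List[int]          # VLAN IDs in wire order: outermost first
    ethertype: int           # EtherType of the payload after the last tag


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(frame: bytes) -> TaggedFrame:
    """Walk the Ethernet header and peel off every stacked 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    offset, vids = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated before EtherType")
        (etype,) = struct.unpack("!H", frame[offset:offset + 2])
        if etype != TPID_8021Q:
            break
        if len(frame) < offset + 4:
            raise ValueError("frame truncated inside an 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        vids.append(tci & 0x0FFF)   # low 12 bits of the TCI are the VLAN ID
        offset += 4
    return TaggedFrame(_mac(dst), _mac(src), vids, etype)


def is_double_tag_hop(frame: TaggedFrame, native_vlan: int) -> bool:
    """Slide pattern: outer tag equals the trunk's native VLAN (so the first
    switch strips it), inner tag names a different VLAN (the victim's)."""
    return (len(frame.vids) >= 2
            and frame.vids[0] == native_vlan
            and frame.vids[1] != native_vlan)


def build_frame(dst: bytes, src: bytes, vids: List[int],
                payload: bytes = b"\x00" * 46, ethertype: int = 0x0800) -> bytes:
    """Assemble a constructed test frame carrying the given tag stack."""
    hdr = dst + src
    for vid in vids:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def audit(frames, native_vlan: int) -> List[str]:
    """Return one finding per frame that matches the double-tag pattern."""
    findings = []
    for raw in frames:
        f = parse_frame(raw)
        if is_double_tag_hop(f, native_vlan):
            findings.append(f"{f.src} -> {f.dst}: outer VLAN {f.vids[0]} "
                            f"(native), inner VLAN {f.vids[1]}")
    return findings


# Constructed sample traffic seen on a trunk whose native VLAN is 10.
ATTACKER = bytes.fromhex("0200000000aa")
VICTIM = bytes.fromhex("0200000000bb")
SAMPLE_FRAMES = [
    build_frame(VICTIM, ATTACKER, [10, 20]),  # the slide's 20-over-10 frame
    build_frame(VICTIM, ATTACKER, [20]),      # ordinary single-tagged frame
    build_frame(VICTIM, ATTACKER, [30, 20]),  # outer tag is not the native VLAN
    build_frame(VICTIM, ATTACKER, []),        # untagged frame
]

if __name__ == "__main__":
    for line in audit(SAMPLE_FRAMES, native_vlan=10):
        print("double-tagged frame:", line)
```

Only the first sample frame is reported; the slide's own note explains why the check keys on the native VLAN, since the hop works only when the trunk's native VLAN matches the attacker's access VLAN.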
Slide 38: Port Security Overview
[Diagram: Port 0/1 allows MAC A, Port 0/2 allows MAC B, Port 0/3 allows MAC C; Attacker 1 and Attacker 2 (MAC F) connect to the secured ports]
Allows an administrator to statically specify MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses.
Slide 39: CLI Commands
Switch(config-if)# switchport mode access
• Sets the interface mode as access
Switch(config-if)# switchport port-security
• Enables port security on the interface
Switch(config-if)# switchport port-security maximum value
• Sets the maximum number of secure MAC addresses for the interface (optional)
Slide 40: Switchport Port-Security Parameters
• mac-address mac-address: (Optional) Specify a secure MAC address for the port by entering a 48-bit MAC address. You can add additional secure MAC addresses up to the maximum value configured.
• vlan vlan-id: (Optional) On a trunk port only, specify the VLAN ID and the MAC address. If no VLAN ID is specified, the native VLAN is used.
• vlan access: (Optional) On an access port only, specify the VLAN as an access VLAN.
• vlan voice: (Optional) On an access port only, specify the VLAN as a voice VLAN.
• mac-address sticky [mac-address]: (Optional) Enable the interface for sticky learning by entering only the mac-address sticky keywords. When sticky learning is enabled, the interface adds all secure MAC addresses that are dynamically learned to the running configuration and converts these addresses to sticky secure MAC addresses. Specify a sticky secure MAC address by entering the mac-address sticky mac-address keywords.
• maximum value: (Optional) Set the maximum number of secure MAC addresses for the interface. The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system. The active Switch Database Management (SDM) template determines this number. This number represents the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces. The default setting is 1.
• vlan [vlan-list]: (Optional) For trunk ports, you can set the maximum number of secure MAC addresses on a VLAN. If the vlan keyword is not entered, the default value is used. vlan: set a per-VLAN maximum value. vlan vlan-list: set a per-VLAN maximum value on a range of VLANs separated by a hyphen or a series of VLANs separated by commas. For nonspecified VLANs, the per-VLAN maximum value is used.
Slide 41: Port Security Violation Configuration
Switch(config-if)# switchport port-security mac-address sticky
• Enables sticky learning on the interface (optional)
Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}
• Sets the violation mode (optional)
Switch(config-if)# switchport port-security mac-address mac-address
• Enters a static secure MAC address for the interface (optional)
Slide 42: Switchport Port-Security Violation Parameters
• protect: (Optional) Set the security violation protect mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.
• restrict: (Optional) Set the security violation restrict mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred.
• shutdown: (Optional) Set the security violation shutdown mode. In this mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and increments the violation counter. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands.
• shutdown vlan: Set the security violation mode to per-VLAN shutdown. In this mode, only the VLAN on which the violation occurred is error-disabled.
43. Port Security Aging Configuration

Switch(config-if)# switchport port-security aging {static | time time | type {absolute | inactivity}}
• Enables or disables static aging for the secure port, or sets the aging time or type
• The aging command allows MAC addresses on the secure switchport to be deleted after the set aging time
• This helps to avoid a situation where obsolete MAC addresses occupy the table and saturate it, causing a violation once the maximum number is exceeded
44. Switchport Port-Security Aging Parameters

Parameter  Description

static
  Enable aging for statically configured secure addresses on this port.

time time
  Specify the aging time for this port. The range is 0 to 1440 minutes. If the time is 0, aging is disabled for this port.

type absolute
  Set absolute aging type. All the secure addresses on this port age out exactly after the time (minutes) specified and are removed from the secure address list.

type inactivity
  Set the inactivity aging type. The secure addresses on this port age out only if there is no data traffic from the secure source address for the specified time period.
45. Typical Configuration

Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security aging time 120

[Figure: switch S2 with PC B attached to the secured access port]
46. CLI Commands

sw-class# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/12              2            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024

sw-class# show port-security interface f0/12
Port Security              : Enabled
Port status                : Secure-down
Violation mode             : Shutdown
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Aging time                 : 120 mins
Aging type                 : Absolute
SecureStatic address aging : Disabled
Security Violation Count   : 0
47. View Secure MAC Addresses

sw-class# show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   1    0000.ffff.aaaa    SecureConfigured    Fa0/12       -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024
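A script that parses the output of the show commands above and flags ports that need attention, as an added example that is not part of the original slides or of Cisco's tooling. The sample outputs are constructed in the format shown on the slides; the rows for Fa0/13 and Fa0/14, their counters, the Fa0/13 detail output, and the policy of "shutdown on violation, at most two addresses" are assumptions made for the example:

```python
"""Audit Cisco IOS 'show port-security' output against a port-security policy.

Added example, not code from the original slides or from Cisco. The sample
outputs below are constructed in the format shown on the slides (Fa0/12 with a
maximum of 2 addresses and the shutdown action); Fa0/13 and Fa0/14 are invented
rows so that the checks have something to report.
"""
import re
from dataclasses import dataclass

# Constructed sample of 'show port-security' summary output.
SHOW_PORT_SECURITY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/12              2            0                  0         Shutdown
      Fa0/13              2            2                  3         Restrict
      Fa0/14             50            1                  0          Protect
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024
"""

# Constructed sample of 'show port-security interface' output for Fa0/13.
SHOW_PSEC_INTERFACE = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Restrict
Aging Time                 : 120 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 2
Security Violation Count   : 3
"""

# Policy assumed by this example: every secure port shuts down on a violation
# and learns at most two addresses (the slide's typical configuration).
REQUIRED_ACTION = "Shutdown"
MAX_ALLOWED_ADDRESSES = 2


@dataclass
class SecurePort:
    name: str
    max_addr: int
    current: int
    violations: int
    action: str


# One data row: interface name, three integer counters, then the action keyword.
ROW_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


def parse_summary(text: str) -> list[SecurePort]:
    """Return one SecurePort per data row of the summary table."""
    ports = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            name, mx, cur, vio, action = m.groups()
            ports.append(SecurePort(name, int(mx), int(cur), int(vio), action))
    return ports


def parse_interface_detail(text: str) -> dict[str, str]:
    """Turn the 'Key : Value' lines of the per-interface output into a dict."""
    detail = {}
    for line in text.splitlines():
        parts = re.split(r"\s+:\s+", line.strip(), maxsplit=1)
        if len(parts) == 2:
            detail[parts[0].lower()] = parts[1]
    return detail


def audit_summary(ports: list[SecurePort]) -> list[str]:
    """Flag recorded violations and ports that deviate from the policy."""
    findings = []
    for p in ports:
        if p.violations > 0:
            findings.append(f"{p.name}: {p.violations} security violation(s) recorded")
        if p.action != REQUIRED_ACTION:
            findings.append(f"{p.name}: violation action is {p.action}, policy requires {REQUIRED_ACTION}")
        if p.max_addr > MAX_ALLOWED_ADDRESSES:
            findings.append(f"{p.name}: allows {p.max_addr} secure addresses, policy allows {MAX_ALLOWED_ADDRESSES}")
    return findings


def audit_interface(detail: dict[str, str]) -> list[str]:
    """Flag an error-disabled port, recorded violations and a weak violation mode."""
    findings = []
    if detail.get("port status", "").lower() == "secure-shutdown":
        findings.append("port is error-disabled after a violation; recover with "
                        "'errdisable recovery cause psecure-violation' or shutdown / no shutdown")
    if int(detail.get("security violation count", "0")) > 0:
        findings.append(f"{detail['security violation count']} violation(s) on this interface")
    if detail.get("violation mode") != REQUIRED_ACTION:
        findings.append(f"violation mode is {detail.get('violation mode')}, policy requires {REQUIRED_ACTION}")
    return findings


if __name__ == "__main__":
    for finding in audit_summary(parse_summary(SHOW_PORT_SECURITY)):
        print(finding)
    for finding in audit_interface(parse_interface_detail(SHOW_PSEC_INTERFACE)):
        print("Fa0/13:", finding)
```

Run against the slide's own Fa0/12 row the summary audit reports nothing; the invented Fa0/13 row produces findings for its three violations and its restrict action, and Fa0/14 for its protect action and 50-address limit. The per-interface check matches the Port Status key case-insensitively because the capitalisation differs between IOS versions, as the slide's own "Port status" line shows.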
48. MAC Address Notification

MAC address notification allows monitoring of the MAC addresses, at the module and port level, added by the switch or removed from the CAM table for secure ports.

[Figure: switch CAM table with F1/1 = MAC A, F1/2 = MAC B, F2/1 = MAC D (address ages out); MAC A and MAC B are attached, MAC D is away from the network. SNMP traps are sent to the NMS when new MAC addresses appear or when old ones time out.]
49. Configure PortFast

Command  Description

Switch(config-if)# spanning-tree portfast
  Enables PortFast on a Layer 2 access port and forces it to enter the forwarding state immediately.

Switch(config-if)# no spanning-tree portfast
  Disables PortFast on a Layer 2 access port. PortFast is disabled by default.

Switch(config)# spanning-tree portfast default
  Globally enables the PortFast feature on all nontrunking ports.

Switch# show running-config interface type slot/port
  Indicates whether PortFast has been configured on a port.

[Figure: server and workstation attached to PortFast-enabled access ports]
50. BPDU Guard

Switch(config)# spanning-tree portfast bpduguard default
• Globally enables BPDU guard on all ports with PortFast enabled

[Figure: root bridge with switch ports in forwarding (F) and blocking (B) state; an attacker sends STP BPDUs into a port with BPDU guard enabled]
51. Display the State of Spanning Tree

Switch# show spanning-tree summary totals
Root bridge for: none.
PortFast BPDU Guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Spanning tree default pathcost method used is short

Name                 Blocking Listening Learning Forwarding STP Active
-------------------- -------- --------- -------- ---------- ----------
1 VLAN                      0         0        0          1          1
<output omitted>
52. Root Guard

Switch(config-if)# spanning-tree guard root
• Enables root guard on a per-interface basis

[Figure: root bridge (priority = 0, MAC address = 0000.0c45.1a5d); an attacker sends STP BPDUs advertising priority = 0, MAC address = 0000.0c45.1234 into a port with root guard enabled]
53. Verify Root Guard

Switch# show spanning-tree inconsistentports
Name                 Interface              Inconsistency
-------------------- ---------------------- ------------------
VLAN0001             FastEthernet3/1        Port Type Inconsistent
VLAN0001             FastEthernet3/2        Port Type Inconsistent
VLAN1002             FastEthernet3/1        Port Type Inconsistent
VLAN1002             FastEthernet3/2        Port Type Inconsistent
VLAN1003             FastEthernet3/1        Port Type Inconsistent
VLAN1003             FastEthernet3/2        Port Type Inconsistent
VLAN1004             FastEthernet3/1        Port Type Inconsistent
VLAN1004             FastEthernet3/2        Port Type Inconsistent
VLAN1005             FastEthernet3/1        Port Type Inconsistent
VLAN1005             FastEthernet3/2        Port Type Inconsistent

Number of inconsistent ports (segments) in the system :10
54. Storm Control Methods

• Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic
• Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received
• Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received
• Traffic rate in packets per second for small frames. This feature is enabled globally; the threshold for small frames is configured for each interface.
55. Storm Control Configuration

• Enables storm control
• Specifies the level at which it is enabled
• Specifies the action that should take place when the threshold (level) is reached, in addition to filtering traffic

Switch(config-if)# storm-control broadcast level 75.5
Switch(config-if)# storm-control multicast level pps 2k 1k
Switch(config-if)# storm-control action shutdown
56. Storm Control Parameters

Parameter  Description

broadcast
  This parameter enables broadcast storm control on the interface.

multicast
  This parameter enables multicast storm control on the interface.

unicast
  This parameter enables unicast storm control on the interface.

level level [level-low]
  Rising and falling suppression levels as a percentage of total bandwidth of the port.
  • level: Rising suppression level. The range is 0.00 to 100.00. Block the flooding of storm packets when the value specified for level is reached.
  • level-low: (Optional) Falling suppression level, up to two decimal places. This value must be less than or equal to the rising suppression value.

level bps bps [bps-low]
  Specify the rising and falling suppression levels as a rate in bits per second at which traffic is received on the port.
  • bps: Rising suppression level. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for bps is reached.
  • bps-low: (Optional) Falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value.

level pps pps [pps-low]
  Specify the rising and falling suppression levels as a rate in packets per second at which traffic is received on the port.
  • pps: Rising suppression level. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for pps is reached.
  • pps-low: (Optional) Falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value.

action {shutdown | trap}
  The action taken when a storm occurs on a port. The default action is to filter traffic and to not send an SNMP trap. The keywords have these meanings:
  • shutdown: Disables the port during a storm
  • trap: Sends an SNMP trap when a storm occurs
57. Verify Storm Control Settings

Switch# show storm-control
Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Gi0/1      Forwarding     20 pps       10 pps       5 pps
Gi0/2      Forwarding     50.00%       40.00%       0.00%
<output omitted>
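A parser for the show storm-control table above that handles the mixed units (percent of bandwidth, pps and bps with the k/m/g multipliers the storm-control command accepts) and reports ports that are in a storm or close to their rising level. This is an added example, not code from the original slides or from Cisco; the Gi0/1 and Gi0/2 rows are the slide's, while Gi0/3 and Gi0/4 and the 80% warning fraction are assumptions made for the example:

```python
"""Parse 'show storm-control' output and report ports in, or close to, a storm.

Added example, not code from the original slides or from Cisco. The sample
output is constructed in the format shown on the slide: Gi0/1 and Gi0/2 are the
slide's rows, Gi0/3 and Gi0/4 are invented so the checks have something to report.
"""
import re
from dataclasses import dataclass

SHOW_STORM_CONTROL = """\
Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Gi0/1      Forwarding     20 pps       10 pps       5 pps
Gi0/2      Forwarding     50.00%       40.00%       0.00%
Gi0/3      Blocking       1k pps       500 pps      1.2k pps
Gi0/4      Forwarding     10.00%       8.00%        9.50%
"""

# A suppression level is a percentage of port bandwidth, or a rate in pps/bps
# with an optional k/m/g multiplier as accepted by the storm-control command.
RATE = r"(\d[\d.]*[kmg]?(?:%| pps| bps))"
ROW_RE = re.compile(
    rf"^(\S+)\s+(Forwarding|Blocking|Link Down|Inactive)\s+{RATE}\s+{RATE}\s+{RATE}\s*$")
MULTIPLIER = {"": 1.0, "k": 1e3, "m": 1e6, "g": 1e9}


@dataclass
class StormControlRow:
    iface: str
    state: str
    upper: float    # rising suppression level
    lower: float    # falling suppression level
    current: float  # rate currently observed on the port
    unit: str       # '%', 'pps' or 'bps'


def parse_rate(text: str) -> tuple[float, str]:
    """'1.2k pps' -> (1200.0, 'pps'); '50.00%' -> (50.0, '%')."""
    m = re.fullmatch(r"(\d[\d.]*)([kmg]?)(%| pps| bps)", text)
    if not m:
        raise ValueError(f"unrecognised rate: {text!r}")
    return float(m.group(1)) * MULTIPLIER[m.group(2)], m.group(3).strip()


def parse_storm_control(text: str) -> list[StormControlRow]:
    """Return one row per interface; header, separator and '<output omitted>' are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        iface, state, up, low, cur = m.groups()
        (upper, unit), (lower, _), (current, _) = parse_rate(up), parse_rate(low), parse_rate(cur)
        rows.append(StormControlRow(iface, state, upper, lower, current, unit))
    return rows


def assess(rows: list[StormControlRow], warn_fraction: float = 0.8) -> list[str]:
    """Report active storms and ports whose current rate is near the rising level."""
    findings = []
    for r in rows:
        if r.state == "Blocking":
            findings.append(f"{r.iface}: storm in progress, traffic is being filtered "
                            f"(current {r.current:g} {r.unit}, rising level {r.upper:g} {r.unit})")
        elif r.current >= warn_fraction * r.upper:
            findings.append(f"{r.iface}: current {r.current:g} {r.unit} is within "
                            f"{(1 - warn_fraction) * 100:.0f}% of the rising level {r.upper:g} {r.unit}")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_storm_control(SHOW_STORM_CONTROL)):
        print(finding)
```

On the slide's own two rows nothing is reported; the invented Gi0/3 row shows the Blocking state that means the suppression level has been reached and traffic is being dropped, and Gi0/4 shows a port approaching its level before any trap or shutdown action fires.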
58. Mitigating VLAN Attacks

1. Disable trunking on all access ports.
2. Disable auto trunking and manually enable trunking.
3. Be sure that the native VLAN is used only for trunk lines and nowhere else.

[Figure: trunk link with native VLAN = 10]
59. Controlling Trunking

Switch(config-if)# switchport mode trunk
• Specifies an interface as a trunk link

Switch(config-if)# switchport nonegotiate
• Prevents the generation of DTP frames

Switch(config-if)# switchport trunk native vlan vlan_number
• Sets the native VLAN on the trunk to an unused VLAN
60. Traffic Analysis

• A SPAN port mirrors traffic to another port where a monitoring device is connected.
• Without this, it can be difficult to track hackers after they have entered the network.

[Figure: attacker traffic mirrored to an IDS, an RMON probe and a protocol analyzer, which raise an "Intruder Alert!"]
61. CLI Commands

Switch(config)# monitor session session_number source {interface interface-id [, | -] [both | rx | tx]} | {vlan vlan-id [, | -] [both | rx | tx]} | {remote vlan vlan-id}

Switch(config)# monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate] [ingress {dot1q vlan vlan-id | isl | untagged vlan vlan-id | vlan vlan-id}]} | {remote vlan vlan-id}
62. Verify SPAN Configuration
63. SPAN and IDS

Use SPAN to mirror traffic in and out of port F0/1 to port F0/2.

[Figure: attacker attached to F0/1, IDS attached to F0/2]
64. Overview of RSPAN

• An RSPAN port mirrors traffic to another port on another switch where a probe or IDS sensor is connected.
• This allows more switches to be monitored with a single probe or IDS.

[Figure: attacker traffic carried from several source VLANs across the RSPAN VLAN to an IDS, which raises an "Intruder Alert!"]
65. Configuring RSPAN

1. Configure the RSPAN VLAN
2. Configure the RSPAN source ports and VLANs
3. Configure the RSPAN traffic to be forwarded

2960-1(config)# vlan 100
2960-1(config-vlan)# remote-span
2960-1(config-vlan)# exit
2960-1(config)# monitor session 1 source interface FastEthernet 0/1
2960-1(config)# monitor session 1 destination remote vlan 100 reflector-port FastEthernet 0/24
2960-1(config)# interface FastEthernet 0/2
2960-1(config-if)# switchport mode trunk

2960-2(config)# monitor session 2 source remote vlan 100
2960-2(config)# monitor session 2 destination interface FastEthernet 0/3
2960-2(config)# interface FastEthernet 0/2
2960-2(config-if)# switchport mode trunk
66. Verifying RSPAN Configuration

show monitor [session {session_number | all | local | range list | remote} [detail]] [ | {begin | exclude | include} expression]

[Figure: switches 2960-1 and 2960-2 connected by the RSPAN trunk]
67. Layer 2 Guidelines

• Manage switches in as secure a manner as possible (SSH, out-of-band management, ACLs, etc.)
• Set all user ports to non-trunking mode (except if using Cisco VoIP)
• Use port security where possible for access ports
• Enable STP attack mitigation (BPDU guard, root guard)
• Use Cisco Discovery Protocol only where necessary – with phones it is useful
• Configure PortFast on all non-trunking ports
• Configure root guard on STP root ports
• Configure BPDU guard on all non-trunking ports
68. VLAN Practices

• Always use a dedicated, unused native VLAN ID for trunk ports
• Do not use VLAN 1 for anything
• Disable all unused ports and put them in an unused VLAN
• Manually configure all trunk ports and disable DTP on trunk ports
• Configure all non-trunking ports with switchport mode access
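A running-config audit that checks the per-interface parts of the Layer 2 guidelines and VLAN practices above (port security, PortFast and BPDU guard on access ports, no VLAN 1, explicit trunk mode with DTP disabled and a non-default native VLAN). This is an added example, not code from the original slides or from Cisco; the running-config, its interface names and VLAN numbers are constructed for the example:

```python
"""Audit interface blocks of a Cisco IOS running-config against the Layer 2 and
VLAN guidelines on the slides.

Added example, not code from the original slides or from Cisco. The running-config
below is a constructed sample; interface names and VLAN numbers are made up.
"""
import re

SAMPLE_RUNNING_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/10
 shutdown
!
interface FastEthernet0/11
 description left at the DTP default (dynamic)
!
interface FastEthernet0/24
 switchport mode trunk
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
!
"""


def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Map each interface name to its configuration lines (leading space stripped)."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a line outside an interface block
    return interfaces


def _vlan_after(lines: list[str], prefix: str, default: int = 1) -> int:
    """VLAN number following e.g. 'switchport access vlan'; IOS defaults to VLAN 1."""
    for line in lines:
        m = re.fullmatch(rf"{re.escape(prefix)} (\d+)", line)
        if m:
            return int(m.group(1))
    return default


def audit_interface(name: str, lines: list[str]) -> list[str]:
    """Findings for one interface, following the slide guidelines."""
    findings = []
    if "shutdown" in lines:
        return findings  # a disabled unused port needs nothing more here
    if "switchport mode access" in lines:
        if _vlan_after(lines, "switchport access vlan") == 1:
            findings.append("access port is in VLAN 1; do not use VLAN 1 for anything")
        if "switchport port-security" not in lines:
            findings.append("port security is not enabled")
        if "spanning-tree portfast" not in lines:
            findings.append("PortFast is not configured")
        if "spanning-tree bpduguard enable" not in lines:
            findings.append("BPDU guard is not enabled")
    elif "switchport mode trunk" in lines:
        if "switchport nonegotiate" not in lines:
            findings.append("DTP is still enabled; add 'switchport nonegotiate'")
        if _vlan_after(lines, "switchport trunk native vlan") == 1:
            findings.append("native VLAN is 1; use a dedicated, unused native VLAN")
    else:
        findings.append("no explicit switchport mode; the port may auto-negotiate a trunk")
    return [f"{name}: {f}" for f in findings]


def audit_config(config: str) -> list[str]:
    """All findings for every interface block in the config, in config order."""
    return [f for name, lines in parse_interfaces(config).items()
            for f in audit_interface(name, lines)]


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_RUNNING_CONFIG):
        print(finding)
```

The audit is deliberately per-interface: global settings such as spanning-tree portfast default or spanning-tree portfast bpduguard default from the earlier slides would satisfy the same guidelines without appearing under the interface, so a complete audit would also read those global lines before reporting a missing PortFast or BPDU guard.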
69. Overview of Wireless, VoIP Security

[Figure: wireless and VoIP segments of the network]
70. Overview of SAN Security

[Figure: storage area network]
71. Infrastructure-Integrated Approach

• Proactive threat and intrusion detection capabilities that do not simply detect wireless attacks but prevent them
• Comprehensive protection to safeguard confidential data and communications
• Simplified user management with a single user identity and policy
• Collaboration with wired security systems
72. Cisco IP Telephony Solutions

• Single-site deployment
• Centralized call processing with remote branches
• Distributed call-processing deployment
• Clustering over the IP WAN
73. Storage Network Solutions

• Investment protection
• Virtualization
• Security
• Consolidation
• Availability
74. Cisco Wireless LAN Controllers

• Responsible for system-wide wireless LAN functions
• Work in conjunction with APs and the Cisco Wireless Control System (WCS) to support wireless applications
• Smoothly integrate into existing enterprise networks
75. Wireless Hacking

• War driving
• A neighbor hacks into another neighbor's wireless network to get free Internet access or access information
• Free Wi-Fi provides an opportunity to compromise the data of users
76. Hacking Tools

• Network Stumbler
• Kismet
• AirSnort
• CoWPAtty
• ASLEAP
• Wireshark
77. Safety Considerations

• Wireless networks using WEP or WPA/TKIP are not very secure and are vulnerable to hacking attacks.
• Wireless networks using WPA2/AES should have a passphrase of at least 21 characters.
• If an IPsec VPN is available, use it on any public wireless LAN.
• If wireless access is not needed, disable the wireless radio or wireless NIC.
78. VoIP Business Advantages

• Lower telecom call costs
• Productivity increases
• Lower costs to move, add, or change
• Lower ongoing service and maintenance costs
• Little or no training costs
• No major set-up fees
• Enables unified messaging
• Encryption of voice calls is supported
• Fewer administrative personnel required

[Figure: PSTN reached through a VoIP gateway]
79. VoIP Components

[Figure: Cisco Unified Communications Manager (call agent), MCU, Cisco Unity, IP phones and a videoconference station on the IP backbone, with routers/gateways to the PSTN and a PBX]
80. VoIP Protocols

VoIP Protocol  Description

H.323
  ITU standard protocol for interactive conferencing; evolved from H.320 ISDN standard; flexible, complex

MGCP
  Emerging IETF standard for PSTN gateway control; thin device control

Megaco/H.248
  Joint IETF and ITU standard for gateway control with support for multiple gateway types; evolved from MGCP standard

SIP
  IETF protocol for interactive and noninteractive conferencing; simpler but less mature than H.323

RTP
  IETF standard media-streaming protocol

RTCP
  IETF protocol that provides out-of-band control information for an RTP flow

SRTP
  IETF protocol that encrypts RTP traffic as it leaves the voice device

SCCP
  Cisco proprietary protocol used between Cisco Unified Communications Manager and Cisco IP phones
81. Threats

• Reconnaissance
• Directed attacks such as spam over IP telephony (SPIT) and spoofing
• DoS attacks such as DHCP starvation, flooding, and fuzzing
• Eavesdropping and man-in-the-middle attacks
82. VoIP SPIT

• If SPIT grows like spam, it could result in regular DoS problems for network administrators.
• Antispam methods do not block SPIT.
• Authenticated TLS stops most SPIT attacks because TLS endpoints accept packets only from trusted devices.

[Figure: unsolicited call: "You've just won an all expenses paid vacation to the U.S. Virgin Islands!!!"]
83. Fraud

• Fraud takes several forms:
  – Vishing—A voice version of phishing that is used to compromise confidentiality.
  – Theft and toll fraud—The stealing of telephone services.
• Use features of Cisco Unified Communications Manager to protect against fraud.
  – Partitions limit what parts of the dial plan certain phones have access to.
  – Dial plan filters control access to exploitive phone numbers.
  – FACs prevent unauthorized calls and provide a mechanism for tracking.
84. SIP Vulnerabilities

• Registration hijacking: Allows a hacker to intercept incoming calls and reroute them.
• Message tampering: Allows a hacker to modify data packets traveling between SIP addresses.
• Session tear-down: Allows a hacker to terminate calls or carry out VoIP-targeted DoS attacks.

[Figure: SIP servers/services (registrar, location database, SIP proxy) and SIP user agents]
85. Using VLANs

• Creates a separate broadcast domain for voice traffic
• Protects against eavesdropping and tampering
• Renders packet-sniffing tools less effective
• Makes it easier to implement VACLs that are specific to voice traffic

[Figure: IP phone 10.1.110.3 in voice VLAN 110 and desktop PC 171.1.1.1 in data VLAN 10 on port 5/1, carried over an 802.1Q trunk]
86. Using Cisco ASA Adaptive Security Appliances

• Ensure SIP, SCCP, H.323, and MGCP requests conform to standards
• Prevent inappropriate SIP methods from being sent to Cisco Unified Communications Manager
• Rate limit SIP requests
• Enforce policy of calls (whitelist, blacklist, caller/called party, SIP URI)
• Dynamically open ports for Cisco applications
• Enable only "registered phones" to make calls
• Enable inspection of encrypted phone calls

[Figure: Cisco Adaptive Security Appliances between the Internet/WAN and the voice network]
87. Using VPNs

• Use IPsec for authentication
• Use IPsec to protect all traffic, not just voice
• Consider SLA with service provider
• Terminate on a VPN concentrator or large router inside of firewall to gain these benefits:
  – Performance
  – Reduced configuration complexity
  – Managed organizational boundaries

[Figure: telephony servers and an SRST router connected across the IP WAN]
88. Using Cisco Unified Communications Manager

• Signed firmware
• Signed configuration files
• Disable:
  – PC port
  – Setting button
  – Speakerphone
  – Web access
89. SAN Security Considerations

SAN: specialized network that enables fast, reliable access among servers and external storage resources

[Figure: SAN attached to the IP network]
90. SAN Transport Technologies

• Fibre Channel – the primary SAN transport for host-to-SAN connectivity
• iSCSI – maps SCSI over TCP/IP and is another host-to-SAN connectivity model
• FCIP – a popular SAN-to-SAN connectivity model

[Figure: LAN hosts connected to the SAN]
91. World Wide Name

• A 64-bit address that Fibre Channel networks use to uniquely identify each element in a Fibre Channel network
• Zoning can utilize WWNs to assign security permissions
• The WWN of a device is a user-configurable parameter.

[Figure: Cisco MDS 9020 Fabric Switch]
92. Zoning Operation

• Zone members see only other members of the zone.
• Zones can be configured dynamically based on WWN.
• Devices can be members of more than one zone.
• Switched fabric zoning can take place at the port or device level: based on physical switch port, based on device WWN, or based on LUN ID.

[Figure: a SAN with Host1, Host2 and Disk1 to Disk4 grouped into ZoneA, ZoneB and ZoneC. An example of zoning; note that devices can be members of more than one zone.]
93. Virtual Storage Area Network (VSAN)

Physical SAN islands are virtualized onto common SAN infrastructure.

[Figure: Cisco MDS 9000 Family with VSAN service]
94. Security Focus

[Figure: areas of SAN security focus]
• Secure SAN
• IP storage access
• Data integrity and secrecy
• Target access
• SAN protocol
• SAN management access
• Fabric access
95. SAN Management

Three main areas of vulnerability:
1. Disruption of switch processing
2. Compromised fabric stability
3. Compromised data integrity and confidentiality
96. Fabric and Target Access

Three main areas of focus:
• Application data integrity
• LUN integrity
• Application performance
97. VSANs

Two VSANs, each with multiple zones. Disks and hosts are dedicated to VSANs, although both hosts and disks can belong to multiple zones within a single VSAN. They cannot, however, span VSANs.

[Figure: relationship of VSANs to zones. Physical topology: VSAN 2 contains Host1, Host2 and Disk1 to Disk4 in ZoneA, ZoneB and ZoneC; VSAN 3 contains Host3, Host4, Disk5 and Disk6 in ZoneA and ZoneD.]
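A small model of the WWN, zoning and VSAN rules from the three slides above (a WWN is a 64-bit identifier, zone members see only each other, a device may belong to several zones in its VSAN, and no device spans VSANs), as an added example that is not part of the original slides or of any Cisco MDS software. The VSAN and zone names follow the slide figure; which device sits in which zone, and all WWN values, are constructed for the example:

```python
"""Model of Fibre Channel zoning within VSANs: zone members see only each other,
a device may belong to several zones in its VSAN, and no device spans VSANs.

Added example, not code from the original slides or from Cisco. The zone
membership and the WWNs below are constructed; the topology names (VSAN 2 and 3,
Host1..Host4, Disk1..Disk6, ZoneA..ZoneD) follow the slide figure.
"""
import re

# A WWN is a 64-bit identifier; accept the common 8-byte colon-separated notation.
WWN_RE = re.compile(r"^(?:[0-9a-f]{2}:){7}[0-9a-f]{2}$", re.IGNORECASE)


def is_valid_wwn(wwn: str) -> bool:
    return WWN_RE.match(wwn) is not None


class Fabric:
    def __init__(self) -> None:
        self.name_of: dict[str, str] = {}   # wwn -> friendly name
        self.vsan_of: dict[str, int] = {}   # wwn -> VSAN id (exactly one per device)
        self.zones: dict[tuple[int, str], set[str]] = {}  # (vsan, zone) -> member WWNs

    def register(self, wwn: str, name: str, vsan: int) -> None:
        """Attach a device to a VSAN; re-registering it in another VSAN is rejected."""
        if not is_valid_wwn(wwn):
            raise ValueError(f"malformed WWN {wwn!r}")
        if self.vsan_of.get(wwn, vsan) != vsan:
            raise ValueError(f"{name} already belongs to VSAN {self.vsan_of[wwn]}; "
                             "devices cannot span VSANs")
        self.vsan_of[wwn] = vsan
        self.name_of[wwn] = name

    def add_to_zone(self, vsan: int, zone: str, wwn: str) -> None:
        """Zones are scoped to a VSAN, so the same zone name may exist in several VSANs."""
        if self.vsan_of.get(wwn) != vsan:
            raise ValueError(f"{wwn} is not a member of VSAN {vsan}")
        self.zones.setdefault((vsan, zone), set()).add(wwn)

    def visible_from(self, wwn: str) -> set[str]:
        """Names of the devices wwn can reach: the union of every zone it belongs to."""
        vsan = self.vsan_of[wwn]
        peers: set[str] = set()
        for (zone_vsan, _), members in self.zones.items():
            if zone_vsan == vsan and wwn in members:
                peers |= members
        peers.discard(wwn)
        return {self.name_of[p] for p in peers}


def build_example_fabric() -> tuple[Fabric, dict[str, str]]:
    """Two VSANs with overlapping zones, as in the slide figure (membership constructed)."""
    layout = {
        2: {"ZoneA": ["Host1", "Disk1"],
            "ZoneB": ["Host1", "Host2", "Disk2"],
            "ZoneC": ["Host2", "Disk3", "Disk4"]},
        3: {"ZoneA": ["Host3", "Disk5"],
            "ZoneD": ["Host4", "Disk5", "Disk6"]},
    }
    fabric, wwn_of = Fabric(), {}
    for vsan, zones in layout.items():
        for zone, names in zones.items():
            for name in names:
                # Constructed WWNs: a fixed prefix plus a per-device last byte.
                wwn = wwn_of.setdefault(name, f"10:00:00:00:c9:aa:00:{len(wwn_of) + 1:02x}")
                fabric.register(wwn, name, vsan)
                fabric.add_to_zone(vsan, zone, wwn)
    return fabric, wwn_of


if __name__ == "__main__":
    fabric, wwn_of = build_example_fabric()
    for name in ("Host1", "Host2", "Disk5"):
        print(name, "sees", sorted(fabric.visible_from(wwn_of[name])))
```

Host1 reaches Disk1 through ZoneA and Host2 and Disk2 through ZoneB, but never Disk3 or Disk4, and nothing in VSAN 3; registering Host1's WWN into VSAN 3 raises an error. Because the slide notes that a device's WWN is user-configurable, WWN-based zoning of this kind is a separation control rather than an authentication of the device presenting the WWN.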
98. iSCSI and FCIP

• iSCSI leverages many of the security features inherent in Ethernet and IP
  – ACLs are like Fibre Channel zones
  – VLANs are like Fibre Channel VSANs
  – 802.1X port security is like Fibre Channel port security
• FCIP security leverages many IP security features in Cisco IOS-based routers:
  – IPsec VPN connections through public carriers
  – High-speed encryption services in specialized hardware
  – Can be run through a firewall