11/4/2015

LO2/2 : Be able to design network security solutions

Objectives

LAN design: technical response eg STP (Spanning Tree Protocol) prioritisation, MAC control, VLAN (Virtual Local Area Network) security, ARP (Address Resolution Protocol) poisoning, client access, wireless, device trust; VLAN design; trunk design; segregation of LAN segments

WAN design: technical response eg routing protocol authentication, access control lists, route maps, passive interfaces, traffic filters, network segregation, DMZ (Demilitarised Zone) management

Server deployment: security needs according to server specification eg printer access, file management, data management, email

Border systems: Intrusion Detection Systems (IDS) eg firewall filters and rules, email monitoring, application and packet monitoring, signature management, trust, network behavioural norms; access control eg traffic filters, route redirection

User access: user group eg group membership, user group allocation, attribution of rights; user eg personal attribution of rights, continual review of rights allocation; rights eg file, server, service, data, hardware, printer, email

Physical security: power resilience and supply; physical access control eg lock and key, electronic access control, personnel based security, biometrics; hardware and systems redundancy; backup eg data, configuration, imaging; recovery policies

Internet Firewall with DMZ

[Figure: Internet firewall with a single DMZ (Local Area Networking)]

Internet Firewall with Multi DMZ

[Figure: Internet firewall with multiple DMZs (Local Area Networking)]

Internet Firewall with Multi DMZ

[Figure: Internet firewall with multiple DMZs (Local Area Networking)]

Network Security

[Figure: example topology. Router R3 (a syslog client) has three interfaces: e0/0 10.2.1.1; e0/1 10.2.2.1 on the DMZ LAN 10.2.2.0/24, which hosts the Public Web Server 10.2.2.3, the Mail Server 10.2.2.4 and the Administrator Server 10.2.2.5; and e0/2 10.2.3.1 on the Protected LAN 10.2.3.0/24, which hosts the Syslog Server 10.2.3.2 and a User at 10.2.3.3.]

• We use switches, routers and firewalls (network components), and hence we need to secure them.
• How many ways are there to access the routers, switches, firewalls etc.?
  The administrative interfaces:
  o Console
  o Telnet
  o SNMP
  Besides the administrative interfaces, a device can be attacked by overloading the data interface or overloading the processor.

The Administrative Interface

Router>

• Password Protection
• Password Encryption

Native Passwords

• The native passwords can be viewed by anyone logging in with the enable password.

Configuration:
  line console 0
   login
   password one4all
   exec-timeout 1 30

Login session:
  User Access Verification
  Password: <one4all>
  router>

Service Password-Encryption (7)

• Will encrypt all passwords on the Cisco IOS™ with Cisco-defined encryption type “7”
• Use “enable password 7 <password>” for cut/paste operations
• Cisco proprietary encryption method

Service Password-Encryption

Before:
  hostname Router
  !
  enable password one4all
  !

After:
  service password-encryption
  !
  hostname Router
  !
  enable password 7 15181E00F

Enable Secret (5)

• Uses MD5 to produce a one-way hash
• Cannot be decrypted
• Use “enable secret 5 <password>” to cut/paste another “enable secret” password

Enable Secret (5)

Before:
  hostname Router
  !
  enable password 1forAll
  !

After:
  hostname Router
  !
  enable secret 5 $1$hM3l$.s/DgJ4TeKdDkTVCJpIBw1

Password of Caution

• Even passwords that are encrypted in the configuration are not encrypted on the wire as an administrator logs into the router.
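As an added example (Python written for this edit, not code from the slides or from Cisco IOS), the script below audits an IOS configuration for the password-storage issues covered on the preceding slides: plaintext passwords, type 7 values produced by service password-encryption, and type 5 enable secret hashes, and it reports whether service password-encryption is configured at all. The sample configuration is constructed from the fragments shown on the slides; the regular expression, the rating text and the report layout are this example's own.

```python
import re

# Constructed sample running-config, assembled from the fragments shown on the
# slides (hostname, enable password / enable secret, line console 0) plus a
# vty line with a type 7 value so every storage type appears once.
SAMPLE_CONFIG = """\
hostname Router
!
enable password one4all
enable secret 5 $1$hM3l$.s/DgJ4TeKdDkTVCJpIBw1
!
line console 0
 login
 password one4all
 exec-timeout 1 30
!
line vty 0 4
 password 7 15181E00F
 login
"""

# Credential lines: the keyword, an optional encryption type, then the value.
PASSWORD_LINE = re.compile(
    r"^(?P<kind>enable password|enable secret|password|username \S+ (?:password|secret))"
    r"(?:\s+(?P<type>\d+))?\s+(?P<value>\S+)$"
)

# Storage types the slides discuss (type 0 is the explicit 'not encrypted' marker).
STORAGE = {None: "plaintext", "0": "plaintext", "7": "type7", "5": "type5"}

ADVICE = {
    "plaintext": "stored in the clear: readable by anyone who can view the configuration",
    "type7": "type 7 (service password-encryption): reversible obfuscation, not a hash",
    "type5": "type 5 (enable secret): MD5 one-way hash, cannot be decrypted",
}


def classify_line(line):
    """Return (storage, value) for a credential line, or None for any other line."""
    m = PASSWORD_LINE.match(line.strip())
    if not m:
        return None
    ptype = m.group("type")
    storage = STORAGE.get(ptype) or f"type{ptype}"
    return storage, m.group("value")


def audit_config(config_text):
    """Count credential storage types in an IOS configuration and list findings.

    Returns a dict with 'plaintext', 'type7' and 'type5' counts, a flag for
    'service password-encryption', and a list of (line, advice) findings.
    """
    report = {"plaintext": 0, "type7": 0, "type5": 0,
              "service_password_encryption": False, "findings": []}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "service password-encryption":
            report["service_password_encryption"] = True
            continue
        classified = classify_line(line)
        if classified is None:
            continue
        storage, _value = classified
        report[storage] = report.get(storage, 0) + 1
        report["findings"].append(
            (line, ADVICE.get(storage, "unrecognised storage type " + storage)))
    if report["plaintext"] and not report["service_password_encryption"]:
        report["findings"].append(
            ("(global)", "plaintext credentials present and service "
                         "password-encryption is not configured"))
    # As the 'Password of Caution' slide notes, none of these storage types
    # protects the password on the wire: a Telnet login still sends it in clear.
    return report


if __name__ == "__main__":
    for line, advice in audit_config(SAMPLE_CONFIG)["findings"]:
        print(f"{line:55s} {advice}")
```

Run the file directly to print one finding per credential line; the type 5 entries are listed too so the reader can see which credentials are already hashed, not only which ones are weak.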

MAC Address Spoofing Attack

[Figure: a switch with Port 1 (MAC address AABBcc, the server) and Port 2 (MAC address 12AbDd, the attacker).]

The switch keeps track of the endpoints by maintaining a MAC address table. In MAC spoofing, the attacker poses as another host, in this case MAC AABBcc.

Switch: “I have associated Ports 1 and 2 with the MAC addresses of the devices attached. Traffic destined for each device will be forwarded directly.”

MAC Address Spoofing Attack

[Figure: the attacker on Port 2 now presents MAC address AABBcc, the same as the server on Port 1.]

Attacker: “I have changed the MAC address on my computer to match the server.”

Switch: “The device with MAC address AABBcc has changed locations to Port 2. I must adjust my MAC address table accordingly.”

MAC Address Table Overflow Attack

The switch can forward frames between PC1 and PC2 without flooding because the MAC address table contains port-to-MAC-address mappings for these PCs.

MAC Address Table Overflow Attack

[Figure: the intruder is on port 3/25 in VLAN 10; hosts A, B, C and D are in the same VLAN 10.]

1. The intruder runs macof to begin sending unknown bogus MAC addresses (X, Y, Z, ...).
2. The bogus addresses are added to the CAM table (MAC X, MAC Y, MAC Z all on port 3/25). The CAM table is full.
3. The switch floods the frames.
4. The attacker sees traffic to servers B and D.

STP Manipulation Attack

• Spanning tree protocol operates by electing a root bridge
• STP builds a tree topology
• STP manipulation changes the topology of a network: the attacking host appears to be the root bridge

[Figure: the Root Bridge (Priority = 8192, MAC Address = 0000.00C0.1234) at the top of the tree; links are marked F (forwarding) or B (blocking).]

STP Manipulation Attack

[Figure: the attacker, connected to two switches, is now the Root Bridge; the original root (Priority = 8192) has lost its role and the F (forwarding) and B (blocking) port states have changed.]

The attacking host broadcasts out STP configuration and topology change BPDUs. This is an attempt to force spanning tree recalculations.

LAN Storm Attack

[Figure: broadcast frames replicated out of every port of the switch.]

• Broadcast, multicast, or unicast packets are flooded on all ports in the same VLAN.
• These storms can increase the CPU utilization on a switch to 100%, reducing the performance of the network.

Storm Control

[Figure: graph of the total number of broadcast packets or bytes against time, with the storm control threshold drawn across it.]

VLAN Attacks

• Segmentation
• Flexibility
• Security

VLAN = Broadcast Domain = Logical Network (Subnet)

Port Security Overview

[Figure: switch ports 0/1, 0/2 and 0/3 each allow one MAC address; Attacker 1 (presenting MAC A) and Attacker 2 (presenting MAC F) are connected to ports where those addresses are not allowed.]

Port 0/1 allows MAC A
Port 0/2 allows MAC B
Port 0/3 allows MAC C

Allows an administrator to statically specify MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses.

CLI Commands
Switch(config-if)#
switchport mode access
• Sets the interface mode as access
Switch(config-if)#
switchport port-security
• Enables port security on the interface
Switch(config-if)#
switchport port-security maximum value
• Sets the maximum number of secure MAC addresses for the
interface (optional)


Switchport Port-Security Parameters

mac-address mac-address
    (Optional) Specify a secure MAC address for the port by entering a 48-bit MAC address. You can add additional secure MAC addresses up to the maximum value configured.

vlan vlan-id
    (Optional) On a trunk port only, specify the VLAN ID and the MAC address. If no VLAN ID is specified, the native VLAN is used.

vlan access
    (Optional) On an access port only, specify the VLAN as an access VLAN.

vlan voice
    (Optional) On an access port only, specify the VLAN as a voice VLAN.

mac-address sticky [mac-address]
    (Optional) Enable the interface for sticky learning by entering only the mac-address sticky keywords. When sticky learning is enabled, the interface adds all secure MAC addresses that are dynamically learned to the running configuration and converts these addresses to sticky secure MAC addresses. Specify a sticky secure MAC address by entering the mac-address sticky mac-address keywords.

Switchport Port-Security Parameters

maximum value
    (Optional) Set the maximum number of secure MAC addresses for the interface. The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system. The active Switch Database Management (SDM) template determines this number. This number represents the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces. The default setting is 1.

vlan [vlan-list]
    (Optional) For trunk ports, you can set the maximum number of secure MAC addresses on a VLAN. If the vlan keyword is not entered, the default value is used.
    • vlan: set a per-VLAN maximum value.
    • vlan vlan-list: set a per-VLAN maximum value on a range of VLANs separated by a hyphen or a series of VLANs separated by commas. For nonspecified VLANs, the per-VLAN maximum value is used.

Port Security Violation Configuration

Switch(config-if)#
switchport port-security violation {protect | restrict | shutdown}
• Sets the violation mode (optional)

Switch(config-if)#
switchport port-security mac-address mac-address
• Enters a static secure MAC address for the interface (optional)

Switch(config-if)#
switchport port-security mac-address sticky
• Enables sticky learning on the interface (optional)

Switchport Port-Security Violation Parameters

protect
    (Optional) Set the security violation protect mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.

restrict
    (Optional) Set the security violation restrict mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred.

shutdown
    (Optional) Set the security violation shutdown mode. In this mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and increments the violation counter. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands.

shutdown vlan
    Set the security violation mode to per-VLAN shutdown. In this mode, only the VLAN on which the violation occurred is error-disabled.
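The following Python model, added here and not taken from the slides or from IOS, ties the MAC address table overflow attack described earlier to the port-security violation modes just listed. A switch with a bounded CAM table learns source addresses as frames arrive; with no port security, the attacker's bogus addresses fill the table and the server's frames end up flooded to the attacker's port; with port security (maximum 1, violation shutdown) the second bogus address error-disables the port and the CAM table stays clean. The CAM capacity, port numbers and MAC labels are constructed for the example, and the SecurePort class is this edit's model of the feature, not IOS code.

```python
from collections import OrderedDict


class SecurePort:
    """Per-interface port-security state (a model for this example, not IOS code)."""

    def __init__(self, maximum=1, violation="shutdown", sticky=False):
        self.maximum = maximum              # switchport port-security maximum
        self.violation = violation          # protect | restrict | shutdown
        self.sticky = sticky                # switchport port-security mac-address sticky
        self.secure = OrderedDict()         # secure MAC -> address type
        self.violation_count = 0
        self.errdisabled = False
        self.syslog = []

    def admit(self, src_mac):
        """Return True if a frame from src_mac may enter the port."""
        if self.errdisabled:
            return False
        if src_mac in self.secure:
            return True
        if len(self.secure) < self.maximum:
            self.secure[src_mac] = "SecureSticky" if self.sticky else "SecureDynamic"
            return True
        # Limit reached and the source is unknown: a security violation.
        if self.violation == "protect":
            return False                    # dropped silently, nobody is notified
        self.violation_count += 1
        self.syslog.append(f"PSECURE-VIOLATION: unknown source {src_mac}")
        if self.violation == "shutdown":
            self.errdisabled = True         # interface goes error-disabled
        return False


class Switch:
    """A switch with a bounded CAM table and optional port security per port."""

    def __init__(self, cam_capacity, num_ports):
        self.cam_capacity = cam_capacity
        self.cam = OrderedDict()            # MAC -> port
        self.ports = {p: None for p in range(1, num_ports + 1)}

    def enable_port_security(self, port, **kwargs):
        self.ports[port] = SecurePort(**kwargs)

    def age_out(self, mac):
        self.cam.pop(mac, None)

    def forward(self, src_mac, dst_mac, in_port):
        """Return the set of egress ports for a frame (empty set = dropped)."""
        ps = self.ports[in_port]
        if ps is not None and not ps.admit(src_mac):
            return set()
        # Learn or update the source; a MAC seen on a new port simply moves
        # (this is what the MAC spoofing slides rely on).
        if src_mac in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[src_mac] = in_port
        if dst_mac in self.cam:
            return {self.cam[dst_mac]}      # known destination: forward directly
        return set(self.ports) - {in_port}  # unknown destination: flood the VLAN


def overflow_scenario(port_security=None):
    """Replay the slides: A (port 1) and B (port 2) talk; the attacker on port 3
    injects bogus source addresses until the constructed 4-entry CAM table is full.

    Returns (attacker_port_received_A_to_B, cam_entries, attacker_port_errdisabled).
    """
    sw = Switch(cam_capacity=4, num_ports=3)
    if port_security:
        sw.enable_port_security(3, **port_security)
    sw.forward("A", "B", 1)                 # A learned; B unknown, so flooded
    sw.forward("B", "A", 2)                 # B learned; delivered to port 1 only
    for i in range(20):                     # the intruder's flooding tool runs
        sw.forward(f"bogus-{i}", "ff:ff", 3)
    sw.age_out("B")                         # B's entry ages out normally
    sw.forward("bogus-99", "ff:ff", 3)      # attacker grabs the freed slot
    sw.forward("B", "A", 2)                 # B cannot be relearned: table full
    egress = sw.forward("A", "B", 1)        # B unknown again, so flooded
    ps = sw.ports[3]
    return 3 in egress, len(sw.cam), bool(ps and ps.errdisabled)


if __name__ == "__main__":
    print("no port security:", overflow_scenario())
    print("max 1, shutdown :", overflow_scenario({"maximum": 1, "violation": "shutdown"}))
    print("max 1, protect  :", overflow_scenario({"maximum": 1, "violation": "protect"}))
```

The three modes differ only in what happens after the limit is hit: protect drops silently (the violation counter and syslog stay empty, so nobody learns of the attack), restrict drops and logs, and shutdown error-disables the port, which is why the typical configuration on the later slide pairs violation shutdown with a low maximum.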

Port Security Aging Configuration / Parameters

Switch(config-if)#
switchport port-security aging {static | time time | type {absolute | inactivity}}
• Enables or disables static aging for the secure port or sets the aging time or type

static
    Enable aging for statically configured secure addresses on this port.

time time
    Specify the aging time for this port. The range is 0 to 1440 minutes. If the time is 0, aging is disabled for this port.

type absolute
    Set absolute aging type. All the secure addresses on this port age out exactly after the time (minutes) specified and are removed from the secure address list.

type inactivity
    Set the inactivity aging type. The secure addresses on this port age out only if there is no data traffic from the secure source address for the specified time period.

Typical Configuration

[Figure: PC B connected to an access port on switch S2.]

Switch(config-if)#
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security violation shutdown
switchport port-security mac-address sticky
switchport port-security aging time 120

CLI Commands

sw-class# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                 (Count)       (Count)         (Count)
---------------------------------------------------------------------------
     Fa0/12            2             0               0          Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024

sw-class# show port-security interface f0/12
Port Security              : Enabled
Port status                : Secure-down
Violation mode             : Shutdown
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Aging time                 : 120 mins
Aging type                 : Absolute
SecureStatic address aging : Disabled
Security Violation Count   : 0

View Secure MAC Addresses

sw-class# show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   1    0000.ffff.aaaa    SecureConfigured    Fa0/12        -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024

MAC Address Notification

MAC address notification allows monitoring of the MAC addresses, at the module and port level, added by the switch or removed from the CAM table for secure ports.

[Figure: MAC A on port F1/1, MAC B on port F1/2 and MAC D on port F2/1. Switch CAM table: F1/1 = MAC A, F1/2 = MAC B, F2/1 = MAC D. MAC D is away from the network, so its address ages out. SNMP traps are sent to the NMS when new MAC addresses appear or when old ones time out.]

Configure PortFast

[Figure: a server and a workstation on access ports of the switch.]

Switch(config-if)# spanning-tree portfast
    Enables PortFast on a Layer 2 access port and forces it to enter the forwarding state immediately.

Switch(config-if)# no spanning-tree portfast
    Disables PortFast on a Layer 2 access port. PortFast is disabled by default.

Switch(config)# spanning-tree portfast default
    Globally enables the PortFast feature on all non-trunking ports.

Switch# show running-config interface type slot/port
    Indicates whether PortFast has been configured on a port.

BPDU Guard

[Figure: the Root Bridge and two downstream switches with F (forwarding) and B (blocking) ports; the attacker sends an STP BPDU into a port on which BPDU Guard is enabled.]

Switch(config)#
spanning-tree portfast bpduguard default
• Globally enables BPDU guard on all ports with PortFast enabled

Display the State of Spanning Tree

Switch# show spanning-tree summary totals
Root bridge for: none.
PortFast BPDU Guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Spanning tree default pathcost method used is short
Name                 Blocking Listening Learning Forwarding STP Active
-------------------- -------- --------- -------- ---------- ----------
1 VLAN               0        0         0        1          1
<output omitted>

Root Guard

[Figure: the Root Bridge (Priority = 0, MAC Address = 0000.0c45.1a5d) with F (forwarding) and B (blocking) ports; the attacker sends an STP BPDU claiming Priority = 0 and MAC Address = 0000.0c45.1234 into a port on which Root Guard is enabled.]

Switch(config-if)#
spanning-tree guard root
• Enables root guard on a per-interface basis
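As an added example (Python written for this edit; not the slides' or IOS's own code), the model below shows how the STP manipulation attack, BPDU guard and root guard from the preceding slides interact on one access switch. Bridge IDs are (priority, MAC) tuples and the lowest wins, so the attacker's priority-0 BPDU with MAC 0000.0c45.1234 beats the real root (priority 0, MAC 0000.0c45.1a5d) unless a guard intervenes. The access switch's own bridge ID, its port names and the recovery helpers are constructed for the example.

```python
class Bridge:
    """A minimal STP participant (a model for this example, not IOS code).

    Bridge IDs are (priority, MAC) tuples; the lowest tuple wins the root
    election, which is why a priority-0 BPDU can hijack the topology.
    """

    def __init__(self, priority, mac):
        self.bridge_id = (priority, mac)
        self.root_id = self.bridge_id      # until told otherwise, I am root
        self.root_port = None
        self.port_state = {}               # port -> forwarding/root-inconsistent/err-disabled
        self.guards = {}                   # port -> set of enabled guards
        self.syslog = []

    def configure_port(self, port, portfast=False, root_guard=False, bpdu_guard=False):
        """Mirror 'spanning-tree portfast', 'spanning-tree guard root' and
        'spanning-tree bpduguard enable' on an interface."""
        self.port_state[port] = "forwarding"
        guards = set()
        if root_guard:
            guards.add("root")
        if bpdu_guard and portfast:        # BPDU guard protects PortFast edge ports
            guards.add("bpdu")
        self.guards[port] = guards

    def receive_bpdu(self, port, root_id):
        """Process a configuration BPDU announcing root_id on the given port."""
        if self.port_state[port] == "err-disabled":
            return "ignored"
        if "bpdu" in self.guards[port]:
            # Any BPDU at all on a BPDU-guarded edge port error-disables it.
            self.port_state[port] = "err-disabled"
            self.syslog.append(f"BPDUGUARD: BPDU received on {port}, port disabled")
            return "err-disabled"
        if root_id < self.root_id:
            if "root" in self.guards[port]:
                # A superior BPDU on a root-guarded port is refused: the port
                # is blocked instead of the switch accepting a new root.
                self.port_state[port] = "root-inconsistent"
                self.syslog.append(f"ROOTGUARD: superior BPDU on {port}, port blocked")
                return "root-inconsistent"
            self.root_id, self.root_port = root_id, port
            return "new-root"
        return "inferior"

    def superior_bpdus_ceased(self, port):
        """Root guard recovers on its own once the offending BPDUs stop."""
        if self.port_state[port] == "root-inconsistent":
            self.port_state[port] = "forwarding"

    def errdisable_recover(self, port):
        """Manual 'shutdown' / 'no shutdown' (or errdisable recovery) after BPDU guard."""
        if self.port_state[port] == "err-disabled":
            self.port_state[port] = "forwarding"


def stp_attack_scenario(root_guard=False, bpdu_guard=False):
    """Replay the slides: a constructed access switch hears the real root
    (priority 0, MAC 0000.0c45.1a5d) on its uplink, then the attacker's BPDU
    (priority 0, MAC 0000.0c45.1234) on a PortFast access port.

    Returns (root_id the switch now believes in, state of the attacker's port).
    """
    sw = Bridge(priority=32768, mac="0000.0c45.aaaa")    # constructed switch
    sw.configure_port("Fa0/1")                            # uplink towards the root
    sw.configure_port("Fa0/3", portfast=True,
                      root_guard=root_guard, bpdu_guard=bpdu_guard)
    sw.receive_bpdu("Fa0/1", (0, "0000.0c45.1a5d"))       # legitimate root
    sw.receive_bpdu("Fa0/3", (0, "0000.0c45.1234"))       # attacker claims root
    return sw.root_id, sw.port_state["Fa0/3"]


if __name__ == "__main__":
    for guards in ({}, {"root_guard": True}, {"bpdu_guard": True}):
        root, state = stp_attack_scenario(**guards)
        print(f"{guards or 'no guard'}: root={root} attacker port={state}")
```

Without either guard the attacker becomes root and the port keeps forwarding; root guard keeps the legitimate root and parks the port in the root-inconsistent state until the superior BPDUs stop; BPDU guard error-disables the port on the first BPDU and stays that way until an operator recovers it, which matches the show spanning-tree inconsistentports and errdisable recovery behaviour on the adjacent slides.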

Verify Root Guard

Switch# show spanning-tree inconsistentports


Name Interface Inconsistency
-------------------- ---------------------- ------------------
VLAN0001 FastEthernet3/1 Port Type Inconsistent
VLAN0001 FastEthernet3/2 Port Type Inconsistent
VLAN1002 FastEthernet3/1 Port Type Inconsistent
VLAN1002 FastEthernet3/2 Port Type Inconsistent
VLAN1003 FastEthernet3/1 Port Type Inconsistent
VLAN1003 FastEthernet3/2 Port Type Inconsistent
VLAN1004 FastEthernet3/1 Port Type Inconsistent
VLAN1004 FastEthernet3/2 Port Type Inconsistent
VLAN1005 FastEthernet3/1 Port Type Inconsistent
VLAN1005 FastEthernet3/2 Port Type Inconsistent

Number of inconsistent ports (segments) in the system :10


Storm Control Methods

• Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic
• Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received
• Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received
• Traffic rate in packets per second and for small frames. This feature is enabled globally. The threshold for small frames is configured for each interface.

Storm Control Configuration

Switch(config-if)# storm-control broadcast level 75.5
Switch(config-if)# storm-control multicast level pps 2k 1k
Switch(config-if)# storm-control action shutdown

• Enables storm control
• Specifies the level at which it is enabled
• Specifies the action that should take place when the threshold (level) is reached, in addition to filtering traffic

Storm Control Parameters

broadcast
    This parameter enables broadcast storm control on the interface.

multicast
    This parameter enables multicast storm control on the interface.

unicast
    This parameter enables unicast storm control on the interface.

level level [level-low]
    Rising and falling suppression levels as a percentage of total bandwidth of the port.
    • level: Rising suppression level. The range is 0.00 to 100.00. Block the flooding of storm packets when the value specified for level is reached.
    • level-low: (Optional) Falling suppression level, up to two decimal places. This value must be less than or equal to the rising suppression value.

Storm Control Parameters

level bps bps [bps-low]
    Specify the rising and falling suppression levels as a rate in bits per second at which traffic is received on the port.
    • bps: Rising suppression level. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for bps is reached.
    • bps-low: (Optional) Falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value.

level pps pps [pps-low]
    Specify the rising and falling suppression levels as a rate in packets per second at which traffic is received on the port.
    • pps: Rising suppression level. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for pps is reached.
    • pps-low: (Optional) Falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value.

action {shutdown | trap}
    The action taken when a storm occurs on a port. The default action is to filter traffic and to not send an SNMP trap. The keywords have these meanings:
    • shutdown: Disables the port during a storm
    • trap: Sends an SNMP trap when a storm occurs
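The following Python model is an added example (this edit's own code, not the slides' or IOS's) of how the storm-control parameters just described behave over time: it parses the three interface commands from the Storm Control Configuration slide, then feeds one-second traffic measurements through the rising/falling threshold pair and the configured action. The 100 Mbit/s link speed and the sample rates are constructed; reading "2k" as 2000 and treating an omitted falling level as equal to the rising level are this example's assumptions.

```python
import re

LEVEL_TOKEN = re.compile(r"^([0-9]+(?:\.[0-9]+)?)([kKmMgG]?)$")
SCALE = {"": 1.0, "k": 1e3, "m": 1e6, "g": 1e9}


def parse_level(token):
    """'75.5' -> 75.5, '2k' -> 2000.0. The k/m/g suffixes are taken as decimal
    multipliers (this example's assumption about how '2k' is read)."""
    m = LEVEL_TOKEN.match(token)
    if not m:
        raise ValueError(f"bad level: {token}")
    return float(m.group(1)) * SCALE[m.group(2).lower()]


class StormControl:
    """Per-interface storm control state (a model for this example, not IOS code)."""

    def __init__(self):
        self.thresholds = {}     # traffic type -> (unit, rising, falling)
        self.state = {}          # traffic type -> Forwarding | Blocking | Shutdown
        self.action = "filter"   # default: filter the storm, send no trap
        self.errdisabled = False
        self.events = []         # what an operator would see in syslog / traps

    def configure(self, line):
        """Apply one 'storm-control ...' interface command."""
        parts = line.split()
        if parts[:2] == ["storm-control", "action"]:
            self.action = parts[2]
            return
        if len(parts) < 4 or parts[0] != "storm-control" or parts[2] != "level":
            raise ValueError(f"unsupported command: {line}")
        traffic, rest = parts[1], parts[3:]
        unit = rest.pop(0) if rest[0] in ("pps", "bps") else "percent"
        rising = parse_level(rest[0])
        # The falling level is optional; when omitted it equals the rising level.
        falling = parse_level(rest[1]) if len(rest) > 1 else rising
        if falling > rising:
            raise ValueError("falling level must be less than or equal to the rising level")
        self.thresholds[traffic] =  (unit, rising, falling)
        self.state[traffic] = "Forwarding"

    def observe(self, traffic, pps, bps, link_bps):
        """Feed one one-second measurement for a traffic type; return the new filter state."""
        if traffic not in self.thresholds:
            return "Unmonitored"
        if self.errdisabled:
            return "Shutdown"
        unit, rising, falling = self.thresholds[traffic]
        current = {"pps": pps, "bps": bps, "percent": 100.0 * bps / link_bps}[unit]
        state = self.state[traffic]
        if state == "Forwarding" and current >= rising:
            state = "Blocking"             # storm: suppress this traffic type
            self.events.append(f"storm: {traffic} at {current:g} {unit} >= {rising:g}")
            if self.action == "trap":
                self.events.append("SNMP trap sent")
            elif self.action == "shutdown":
                self.errdisabled = True
                self.events.append("interface error-disabled")
                state = "Shutdown"
        elif state == "Blocking" and current < falling:
            state = "Forwarding"           # rate fell below the lower level
            self.events.append(f"storm cleared: {traffic} at {current:g} {unit} < {falling:g}")
        self.state[traffic] = state
        return state


def run_slide_config(samples, action="trap"):
    """Apply the slide's thresholds plus an action, then replay (pps, bps)
    multicast samples on a constructed 100 Mbit/s port; returns the state per sample."""
    sc = StormControl()
    sc.configure("storm-control broadcast level 75.5")
    sc.configure("storm-control multicast level pps 2k 1k")
    sc.configure(f"storm-control action {action}")
    return [sc.observe("multicast", pps, bps, link_bps=100_000_000) for pps, bps in samples]


if __name__ == "__main__":
    print(run_slide_config([(500, 0), (2500, 0), (1500, 0), (900, 0), (300, 0)]))
    print(run_slide_config([(500, 0), (2500, 0), (900, 0)], action="shutdown"))
```

The gap between the rising level (2k) and the falling level (1k) is what stops the port from flapping: at 1500 pps the port stays in Blocking because the rate has not yet dropped below the lower level, and only the 900 pps sample restores forwarding. With action shutdown there is no recovery within the model because the interface is error-disabled, just as the Storm Control Parameters table states.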

Verify Storm Control Settings

Switch# show storm-control
Interface  Filter State   Upper       Lower       Current
---------  -------------  ----------  ---------   ---------
Gi0/1      Forwarding     20 pps      10 pps      5 pps
Gi0/2      Forwarding     50.00%      40.00%      0.00%
<output omitted>

Mitigating VLAN Attacks

[Figure: a trunk between two switches with Native VLAN = 10.]

1. Disable trunking on all access ports.
2. Disable auto trunking and manually enable trunking.
3. Be sure that the native VLAN is used only for trunk lines and nowhere else.

Controlling Trunking

Switch(config-if)#
switchport mode trunk
• Specifies an interface as a trunk link

Switch(config-if)#
switchport nonegotiate
• Prevents the generation of DTP frames

Switch(config-if)#
switchport trunk native vlan vlan_number
• Sets the native VLAN on the trunk to an unused VLAN
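The Python script below is an added example (written for this edit, not taken from the slides or from any Cisco tool) that checks a switch running-config against the three VLAN mitigation steps and the trunking commands above: ports with no fixed switchport mode (so DTP decides), trunks without switchport nonegotiate, trunks whose native VLAN is still the default VLAN 1, and trunks whose native VLAN is also in use as an access VLAN on another port. The sample configuration is constructed to trigger each finding once; the assumed IOS defaults (no fixed mode, native VLAN 1, access VLAN 1) are marked in the code.

```python
from collections import defaultdict

# Constructed sample running-config: one clean access port, one port with no
# mode set, one access port sharing a VLAN with a trunk's native VLAN, one
# trunk still negotiating, and one trunk hardened as the slides recommend.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/2
 description no mode configured, so DTP decides
!
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 99
!
interface GigabitEthernet0/1
 switchport trunk native vlan 99
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
!
"""


def parse_interfaces(config_text):
    """Return {interface name: [indented config lines]} from an IOS config."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None                  # '!' or a global command ends the block
    return interfaces


def audit_trunking(config_text):
    """Check every interface against the three mitigation steps; return {interface: [findings]}."""
    findings = defaultdict(list)
    native_vlans, access_vlans = {}, {}
    for name, lines in parse_interfaces(config_text).items():
        # Assumed IOS defaults: no fixed mode, native VLAN 1, access VLAN 1.
        mode, nonegotiate, native, access_vlan = None, False, 1, 1
        for line in lines:
            if line.startswith("switchport mode "):
                mode = line.split()[2]
            elif line == "switchport nonegotiate":
                nonegotiate = True
            elif line.startswith("switchport trunk native vlan "):
                native = int(line.split()[-1])
            elif line.startswith("switchport access vlan "):
                access_vlan = int(line.split()[-1])
        if mode is None or mode == "dynamic":
            findings[name].append("no fixed switchport mode: the port will negotiate trunking via DTP (steps 1 and 2)")
        elif mode == "trunk":
            native_vlans[name] = native
            if not nonegotiate:
                findings[name].append("trunk without 'switchport nonegotiate': DTP frames are still sent (step 2)")
            if native == 1:
                findings[name].append("native VLAN left at the default VLAN 1 (step 3)")
        elif mode == "access":
            access_vlans[name] = access_vlan
    # Step 3: the native VLAN must not be in use as anyone's access VLAN.
    for trunk, native in native_vlans.items():
        users = sorted(port for port, vlan in access_vlans.items() if vlan == native)
        if users:
            findings[trunk].append(f"native VLAN {native} is also the access VLAN on {', '.join(users)} (step 3)")
    return dict(findings)


if __name__ == "__main__":
    for interface, problems in audit_trunking(SAMPLE_CONFIG).items():
        for problem in problems:
            print(f"{interface}: {problem}")
```

Only GigabitEthernet0/2 passes: it is an explicit trunk, does not negotiate, and its native VLAN 999 is used nowhere else, which is exactly the combination of the three Controlling Trunking commands.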

Traffic Analysis

[Figure: a SPAN port mirrors the attacker's traffic to a monitoring port where an IDS, RMON probe or protocol analyzer is connected and raises “Intruder Alert!”.]

• A SPAN port mirrors traffic to another port where a monitoring device is connected.
• Without this, it can be difficult to track hackers after they have entered the network.

CLI Commands

Switch(config)#
monitor session session_number source {interface
interface-id [, | -] [both | rx | tx]} | {vlan vlan-id [,
| -] [both | rx | tx]}| {remote vlan vlan-id}

Switch(config)#
monitor session session_number destination {interface
interface-id [, | -] [encapsulation replicate] [ingress
{dot1q vlan vlan-id | isl | untagged vlan vlan-id | vlan
vlan-id}]} | {remote vlan vlan-id}

Verify SPAN Configuration

[Figure: SPAN verification output]

SPAN and IDS

[Figure: the attacker's traffic enters the switch on port F0/1; SPAN mirrors the traffic in and out of F0/1 to port F0/2, where the IDS is connected.]

Use SPAN to mirror traffic in and out of port F0/1 to port F0/2.


CLI Commands

Switch(config-if)#
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
spanning-tree portfast
spanning-tree guard root
spanning-tree bpduguard enable
storm-control broadcast level 75.5


Allowing Common Services

[Figure: R1 with Serial 0/0/0 towards the Internet and F0/0 and F0/1 on the inside; addresses shown are 200.5.5.5/24 and PC A at 192.168.20.2/24, which offers DNS, SMTP and FTP.]

R1(config)#access-list 122 permit udp any host 192.168.20.2 eq domain
R1(config)#access-list 122 permit tcp any host 192.168.20.2 eq smtp
R1(config)#access-list 122 permit tcp any host 192.168.20.2 eq ftp

R1(config)#access-list 180 permit tcp host 200.5.5.5 host 10.0.1.1 eq telnet
R1(config)#access-list 180 permit tcp host 200.5.5.5 host 10.0.1.1 eq 22
R1(config)#access-list 180 permit udp host 200.5.5.5 host 10.0.1.1 eq syslog
R1(config)#access-list 180 permit udp host 200.5.5.5 host 10.0.1.1 eq snmptrap

Controlling ICMP Messages

[Figure: the same topology: R1 with Serial 0/0/0 towards the Internet and F0/0 and F0/1 on the inside; addresses shown are 200.5.5.5/24 and PC A at 192.168.20.2/24.]

Inbound on S0/0/0
R1(config)#access-list 112 permit icmp any any echo-reply
R1(config)#access-list 112 permit icmp any any source-quench
R1(config)#access-list 112 permit icmp any any unreachable
R1(config)#access-list 112 deny icmp any any

Outbound on S0/0/0
R1(config)#access-list 114 permit icmp 192.168.1.0 0.0.0.255 any echo
R1(config)#access-list 114 permit icmp 192.168.1.0 0.0.0.255 any parameter-problem
R1(config)#access-list 114 permit icmp 192.168.1.0 0.0.0.255 any packet-too-big
R1(config)#access-list 114 permit icmp 192.168.1.0 0.0.0.255 any source-quench
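As an added example (Python written for this edit, not part of the slides or of IOS), the evaluator below parses the numbered extended ACL lines from the Allowing Common Services and Controlling ICMP Messages slides and applies them to sample packets the way a router would: first matching entry wins, and anything that matches no entry falls to the implicit deny. The port-name table, the packet dictionaries and the probe addresses are constructed for the example; ICMP entries are matched on their type keyword as written on the slide.

```python
import ipaddress
import re

# Well-known names used on the slides, mapped to port numbers.
PORT_NAMES = {"domain": 53, "smtp": 25, "ftp": 21, "telnet": 23,
              "syslog": 514, "snmptrap": 162}

# Constructed input: the ACEs from the two slides, prompts included.
ACL_TEXT = """\
R1(config)#access-list 122 permit udp any host 192.168.20.2 eq domain
R1(config)#access-list 122 permit tcp any host 192.168.20.2 eq smtp
R1(config)#access-list 122 permit tcp any host 192.168.20.2 eq ftp
R1(config)#access-list 112 permit icmp any any echo-reply
R1(config)#access-list 112 permit icmp any any source-quench
R1(config)#access-list 112 permit icmp any any unreachable
R1(config)#access-list 112 deny icmp any any
R1(config)#access-list 114 permit icmp 192.168.1.0 0.0.0.255 any echo
R1(config)#access-list 114 permit icmp 192.168.1.0 0.0.0.255 any parameter-problem
"""

MASK32 = 0xFFFFFFFF


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _take_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return (base, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, MASK32
    if tok == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(tok), _ip(tokens.pop(0))


def parse_ace(line):
    """Parse one numbered extended ACE (with or without the config prompt)."""
    line = re.sub(r"^\S*\(config\)#", "", line).strip()
    tokens = line.split()
    if tokens[:1] != ["access-list"]:
        raise ValueError(f"not an access-list line: {line}")
    ace = {"acl": int(tokens[1]), "action": tokens[2], "proto": tokens[3],
           "dport": None, "icmp": None}
    rest = tokens[4:]
    ace["src"] = _take_addr(rest)
    ace["dst"] = _take_addr(rest)
    if ace["proto"] in ("tcp", "udp") and rest[:1] == ["eq"]:
        ace["dport"] = PORT_NAMES.get(rest[1]) or int(rest[1])
    elif ace["proto"] == "icmp" and rest:
        ace["icmp"] = rest[0]               # ICMP type keyword, e.g. echo-reply
    return ace


def load_acls(text):
    """Group ACEs by ACL number, preserving order (order decides the match)."""
    acls = {}
    for line in text.splitlines():
        if line.strip():
            ace = parse_ace(line)
            acls.setdefault(ace["acl"], []).append(ace)
    return acls


def _addr_matches(addr, spec):
    base, wildcard = spec
    care = ~wildcard & MASK32               # wildcard bits set mean "don't care"
    return (addr & care) == (base & care)


def evaluate(aces, packet):
    """First matching ACE wins; a packet matching nothing hits the implicit deny."""
    src, dst = _ip(packet["src"]), _ip(packet["dst"])
    for ace in aces:
        if ace["proto"] != "ip" and ace["proto"] != packet["proto"]:
            continue
        if not (_addr_matches(src, ace["src"]) and _addr_matches(dst, ace["dst"])):
            continue
        if ace["dport"] is not None and packet.get("dport") != ace["dport"]:
            continue
        if ace["icmp"] is not None and packet.get("icmp") != ace["icmp"]:
            continue
        return ace["action"]
    return "deny (implicit)"


if __name__ == "__main__":
    acls = load_acls(ACL_TEXT)
    probe = {"proto": "tcp", "src": "203.0.113.9", "dst": "192.168.20.2", "dport": 22}
    print("ACL 122, SSH to PC A:", evaluate(acls[122], probe))
```

The implicit deny at the end of every list is what makes ACL 122 useful as a border filter: only the three advertised services reach PC A and everything else, SSH included, is dropped without any explicit deny entry. ACL 112 shows the opposite style, where the author spells out the final deny so that the permitted ICMP reply types are the only ones allowed in.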