Objectives
DMZ (Demilitarised Zone) management
Server deployment: security needs according to server specification eg printer access, file management, data management, email
Border systems: Intrusion Detection Systems (IDS) eg firewall filters and rules, email monitoring, application and packet monitoring, signature management, trust, network behavioural norms; access control eg traffic filters, route redirection
User access: user group eg group membership, user group allocation, attribution of rights; user eg personal attribution of rights, continual review of rights allocation; rights eg file, server, service, data, hardware, printer, email
Physical security: power resilience and supply; physical access control eg lock and key, electronic access control, personnel based security, biometrics; hardware and systems redundancy; backup eg data, configuration, imaging; recovery policies
11/4/2015
[Figure: syslog client R3 (interfaces e0/0, e0/1, e0/2; addresses 10.2.1.1, 10.2.2.1, 10.2.3.1; DMZ LAN 10.2.2.0/24) sending to Syslog Server 10.2.3.2]
5 Network Security
Router>
Password Protection
Password Encryption
Native Passwords
Configuration:
line console 0
 login
 password one4all
 exec-timeout 1 30

Console session:
User Access Verification
Password: <one4all>
router>
Service Password-Encryption
Before (enable password stored in clear text):
hostname Router
!
enable password 1forAll
!

After (enable secret stored as a type 5 hash):
hostname Router
!
enable secret 5 $1$hM3l$.s/DgJ4TeKdDkTVCJpIBw1
!
Password of Caution
[Figure: switch MAC address table; the device with MAC address AABBcc moves from Port 1 to Port 2]
"The device with MAC address AABBcc has changed locations to Port 2. I must adjust my MAC address table accordingly."
The switch can forward frames between PC1 and PC2 without flooding because its MAC address table already holds the port-to-MAC-address mappings for both PCs.
[Figure: CAM table overflow on switch port 3/25, VLAN 10, with hosts A, B, C and D]
1. Intruder runs macof to begin sending unknown bogus MAC addresses.
2. Bogus addresses are added to the CAM table. CAM table is full.
3. The switch floods the frames.
4. Attacker sees traffic to servers B and D.
[Figure: STP topology showing port states (F = forwarding, B = blocking)]
[Figure: STP topology with Root Bridge, Priority = 8192, and port states (F = forwarding, B = blocking)]
[Figure: broadcast frames flooded out of every switch port]
Storm Control
[Figure: storm control threshold plotted against the total number of broadcast packets or bytes]
VLAN Attacks
Segmentation
Flexibility
Security
[Figure: switch ports 0/1, 0/2 and 0/3 with hosts MAC A and MAC F and Attacker 1]
CLI Commands
Switch(config-if)#
switchport mode access
• Sets the interface mode as access
Switch(config-if)#
switchport port-security
• Enables port security on the interface
Switch(config-if)#
switchport port-security maximum value
• Sets the maximum number of secure MAC addresses for the
interface (optional)
Switch(config-if)#
switchport port-security violation {protect |
restrict | shutdown}
• Sets the violation mode (optional)
Switch(config-if)#
switchport port-security mac-address mac-address
• Enters a static secure MAC address for the interface
(optional)
Switch(config-if)#
switchport port-security mac-address sticky
• Enables sticky learning on the interface (optional)
shutdown vlan    Set the security violation mode to per-VLAN shutdown. In this mode, only the VLAN on which the violation occurred is error-disabled.
Switch(config-if)#
switchport port-security aging {static | time time | type {absolute | inactivity}}
• Enables or disables static aging for the secure port or sets the aging time or type

Parameter        Description
static           Enable aging for statically configured secure addresses on this port.
time time        Specify the aging time for this port. The range is 0 to 1440 minutes. If the time is 0, aging is disabled for this port.
type absolute    Set absolute aging type. All the secure addresses on this port age out exactly after the time (minutes) specified and are removed from the secure address list.
type inactivity  Set the inactivity aging type. The secure addresses on this port age out only if there is no data traffic from the secure source address for the specified time period.
Typical Configuration
S2
PC B
Switch(config-if)#
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security violation shutdown
switchport port-security mac-address sticky
switchport port-security aging time 120
CLI Commands
sw-class# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                 (Count)       (Count)          (Count)
---------------------------------------------------------------------------
     Fa0/12            2             0                0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024
[Figure: switch CAM table with F1/1 = MAC A, F1/2 = MAC B, F2/1 = MAC D; SNMP traps are sent to the NMS when new MAC addresses appear or when old ones time out; MAC D is away from the network, so its address ages out]
Configure PortFast
[Figure: switch with a server and a workstation on access ports]
Command                                                  Description
Switch(config-if)# spanning-tree portfast                Enables PortFast on a Layer 2 access port and forces it to enter the forwarding state immediately.
Switch(config-if)# no spanning-tree portfast             Disables PortFast on a Layer 2 access port. PortFast is disabled by default.
Switch(config)# spanning-tree portfast default           Globally enables the PortFast feature on all non-trunking ports.
Switch# show running-config interface type slot/port     Indicates whether PortFast has been configured on a port.
BPDU Guard
[Figure: STP topology with Root Bridge and port states (F = forwarding, B = blocking); BPDU Guard enabled on the access port where the attacker sends STP BPDUs]
Switch(config)#
spanning-tree portfast bpduguard default
• Globally enables BPDU guard on all ports with PortFast enabled
Root Guard
[Figure: Root Bridge with Priority = 0, MAC Address = 0000.0c45.1a5d; attacker sends STP BPDU with Priority = 0, MAC Address = 0000.0c45.1234; Root Guard enabled on the port facing the attacker; port states F = forwarding, B = blocking]
Switch(config-if)#
spanning-tree guard root
• Enables root guard on a per-interface basis
[Figure: trunk link (Native VLAN = 10)]
Controlling Trunking
Switch(config-if)#
switchport mode trunk
• Specifies an interface as a trunk link
Switch(config-if)#
switchport nonegotiate
• Disables DTP negotiation on the interface
Switch(config-if)#
switchport trunk native vlan vlan_number
• Sets the native VLAN of the trunk to vlan_number
Traffic Analysis
[Figure: IDS, RMON probe and protocol analyzer attached to a SPAN port, raising an "Intruder Alert!" on the attacker's traffic]
A SPAN port mirrors traffic to another port where a monitoring device is connected. Without this, it can be difficult to track hackers after they have entered the network.
CLI Commands
Switch(config)#
monitor session session_number source {interface
interface-id [, | -] [both | rx | tx]} | {vlan vlan-id [,
| -] [both | rx | tx]}| {remote vlan vlan-id}
Switch(config)#
monitor session session_number destination {interface
interface-id [, | -] [encapsulation replicate] [ingress
{dot1q vlan vlan-id | isl | untagged vlan vlan-id | vlan
vlan-id}]} | {remote vlan vlan-id}
[Figure: attacker and IDS on the same switch; use SPAN to mirror traffic in and out of port F0/1 to port F0/2, where the IDS is connected]
Router(Config-if)#
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
spanning-tree portfast
spanning-tree guard root
spanning-tree bpduguard enable
storm-control broadcast level 75.5
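The port-security, PortFast/BPDU guard and trunking commands shown in the slides above can be checked mechanically against a saved running-config. The following Python audit is an added example, not code from the slides or from Cisco; the sample config, the rule list and the policy it enforces are all constructed for this illustration.

```python
import re
# Constructed sample in the style of the Typical Configuration and summary slides; not from a real device.
SAMPLE_CONFIG = """\
interface FastEthernet0/12
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/13
 switchport mode access
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 1
!
"""
# Hypothetical policy: (port mode, finding text, regex that one of the port's commands must match).
RULES = [
    ("access", "interface not explicitly set to access mode", r"^switchport mode access$"),
    ("access", "port security not enabled", r"^switchport port-security$"),
    ("access", "no violation mode (protect|restrict|shutdown)", r"^switchport port-security violation "),
    ("access", "BPDU guard not enabled", r"^spanning-tree bpduguard enable$"),
    ("trunk", "DTP negotiation not disabled", r"^switchport nonegotiate$"),
    ("trunk", "native VLAN left at 1", r"^switchport trunk native vlan (?!1$)\d+$"),
]

def parse_interfaces(config):
    """Split config text into {interface name: [commands]} using the '!' separators."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        elif line.strip() == "!":
            current = None
    return interfaces

def audit(config):
    """Return {interface: [findings]}; an empty list means the port passes every rule for its mode."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        mode = "trunk" if "switchport mode trunk" in cmds else "access"
        findings[name] = [text for rule_mode, text, pattern in RULES
                          if rule_mode == mode and not any(re.match(pattern, c) for c in cmds)]
    return findings
```

Running audit(SAMPLE_CONFIG) reports nothing for Fa0/12, three missing hardening commands for Fa0/13, and an unprotected trunk on Gi0/1.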
[Figure: Internet - Serial 0/0/0 (200.5.5.5/24) - R1 - F0/0 (192.168.20.2/24) - PC A]
Inbound on S0/0/0
R1(config)#access-list 112 permit icmp any any echo-reply
R1(config)#access-list 112 permit icmp any any source-quench
R1(config)#access-list 112 permit icmp any any unreachable
R1(config)#access-list 112 deny icmp any any
Outbound on S0/0/0
R1(config)#access-list 114 permit icmp 192.168.1.0 0.0.0.255 any echo
R1(config)#access-list 114 permit icmp 192.168.1.0 0.0.0.255 any parameter-problem
R1(config)#access-list 114 permit icmp 192.168.1.0 0.0.0.255 any packet-too-big
R1(config)#access-list 114 permit icmp 192.168.1.0 0.0.0.255 any source-quench
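To see what these two lists actually let through, the following Python simulation is an added example, not code from the slides: it transcribes ACL 112 and ACL 114, applies IOS first-match and implicit-deny semantics, and runs constructed ICMP packets through them. Only the source address and ICMP type are compared, because every destination in the lists is "any".

```python
import ipaddress

# ACL 112 (inbound) and ACL 114 (outbound) from the slide, as (action, source, wildcard, ICMP type).
# "any" is written in its IOS form 0.0.0.0 255.255.255.255; None matches every ICMP type.
ACL_112_INBOUND = [
    ("permit", "0.0.0.0", "255.255.255.255", "echo-reply"),
    ("permit", "0.0.0.0", "255.255.255.255", "source-quench"),
    ("permit", "0.0.0.0", "255.255.255.255", "unreachable"),
    ("deny",   "0.0.0.0", "255.255.255.255", None),
]
ACL_114_OUTBOUND = [
    ("permit", "192.168.1.0", "0.0.0.255", "echo"),
    ("permit", "192.168.1.0", "0.0.0.255", "parameter-problem"),
    ("permit", "192.168.1.0", "0.0.0.255", "packet-too-big"),
    ("permit", "192.168.1.0", "0.0.0.255", "source-quench"),
]

def wildcard_match(address, network, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means that bit is not compared."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(address)) & care) == (int(ipaddress.IPv4Address(network)) & care)

def evaluate(acl, src, icmp_type):
    """First matching entry decides; anything unmatched hits the implicit deny at the end."""
    for action, network, wildcard, acl_type in acl:
        if wildcard_match(src, network, wildcard) and acl_type in (None, icmp_type):
            return action
    return "deny"

def check_samples():
    """Constructed packets run through the lists; returns [(direction, src, type, action)]."""
    samples = [
        ("in", "200.5.5.9", "echo"),           # outside host pings the LAN: explicit deny
        ("in", "200.5.5.9", "echo-reply"),     # reply to an internal ping: permitted
        ("in", "200.5.5.9", "redirect"),       # not listed: caught by "deny icmp any any"
        ("out", "192.168.1.7", "echo"),        # internal host pings out: permitted
        ("out", "192.168.1.7", "echo-reply"),  # internal host answering a ping: implicit deny
        ("out", "10.0.0.5", "echo"),           # source outside 192.168.1.0/24: implicit deny
    ]
    return [(d, s, t, evaluate(ACL_112_INBOUND if d == "in" else ACL_114_OUTBOUND, s, t))
            for d, s, t in samples]
```

Note that ACL 114 has no echo-reply entry, so hosts in 192.168.1.0/24 cannot answer pings even though ACL 112 already drops inbound echo requests; the implicit deny makes that explicit in the simulation.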