
CCNA Security

Chapter Six Securing the Local Area Network

2009 Cisco Learning Institute.

Lesson Planning
This lesson should take 3-4 hours to present. The lesson should include lecture, demonstrations, discussions and assessments. The lesson can be taught in person or using remote instruction.


Major Concepts
- Describe endpoint vulnerabilities and protection methods
- Describe basic Catalyst switch vulnerabilities
- Configure and verify switch security features, including port security and storm control
- Describe the fundamental security considerations of Wireless, VoIP, and SANs

Lesson Objectives
Upon completion of this lesson, the successful participant will be able to:
1. Describe endpoint security and the enabling technologies
2. Describe how Cisco IronPort is used to ensure endpoint security
3. Describe how Cisco NAC products are used to ensure endpoint security
4. Describe how the Cisco Security Agent is used to ensure endpoint security
5. Describe the primary considerations for securing the Layer 2 infrastructure
6. Describe MAC address spoofing attacks and MAC address spoofing attack mitigation
7. Describe MAC address table overflow attacks and MAC address table overflow attack mitigation
8. Describe STP manipulation attacks and STP manipulation attack mitigation
9. Describe LAN storm attacks and LAN storm attack mitigation
10. Describe VLAN attacks and VLAN attack mitigation
11. Describe how to configure port security
12. Describe how to verify port security
13. Describe how to configure and verify BPDU Guard and Root Guard
14. Describe how to configure and verify storm control
15. Describe and configure Cisco SPAN
16. Describe and configure Cisco RSPAN
17. Describe the best practices for Layer 2
18. Describe the fundamental aspects of enterprise security for advanced technologies
19. Describe the fundamental aspects of wireless security and the enabling technologies
20. Describe wireless security solutions
21. Describe the fundamental aspects of VoIP security and the enabling technologies (Reference: CIAG course on VoIP security)
22. Describe VoIP security solutions
23. Describe the fundamental aspects of SAN security and the enabling technologies
24. Describe SAN security solutions

Endpoint Security Considerations
- Introducing Endpoint Security
- Endpoint Security with IronPort
- Endpoint Security with Network Admission Control
- Endpoint Security with Cisco Security Agent

Introducing Endpoint Security
- Securing the LAN
- Addressing Endpoint Security
- Operating Systems Basic Security Services
- Types of Application Attacks
- Cisco Systems Endpoint Security Solutions

Securing the LAN
Areas of concentration:
- Securing endpoints
- Securing network infrastructure
Figure: network diagram showing the Internet, a perimeter with firewall, VPN and IPS, MARS and ACS, IronPort, and the LAN hosts (web server, email server, DNS).

Addressing Endpoint Security
Based on three elements:
- Cisco Network Admission Control (NAC)
- Endpoint protection
- Network infection containment
Figure: policy compliance, infection containment, secure host and threat protection as the facets of endpoint security.

Operating Systems Basic Security Services
- Trusted code and trusted path ensure that the integrity of the operating system is not violated
- Privileged context of execution provides identity authentication and certain privileges based on the identity
- Process memory protection and isolation provide separation from other users and their data
- Access control to resources ensures confidentiality and integrity of data

Types of Application Attacks
- Direct: "I have gained direct access to this application's privileges."
- Indirect: "I have gained access to this system, which is trusted by the other system, allowing me to access it."

Cisco Systems Endpoint Security Solutions
- Cisco Security Agent
- IronPort
- Cisco NAC

Endpoint Security with IronPort
- Cisco IronPort Products
- IronPort C-Series
- IronPort S-Series

Cisco IronPort Products
IronPort products include:
- E-mail security appliances for virus and spam control
- Web security appliance for spyware filtering, URL filtering, and anti-malware
- Security management appliance

IronPort C-Series
Figure: before IronPort, mail from the Internet passes through the firewall to a chain of separate devices (encryption platform, MTA, DLP scanner, antispam, antivirus, policy enforcement, mail routing, DLP policy manager) before reaching groupware and users; after IronPort, a single IronPort E-mail Security Appliance behind the firewall provides these functions.

IronPort S-Series
Figure: before IronPort, web traffic from the Internet passes through the firewall to separate web proxy, antispyware, antivirus, antiphishing and URL filtering devices before reaching users; after IronPort, a single IronPort S-Series appliance behind the firewall provides these functions under one policy management.

Endpoint Security with Network Admission Control
- Cisco NAC
- The NAC Framework
- NAC Components
- Cisco NAC Appliance Process
- Access Windows

Cisco NAC
The purpose of NAC:
- Allow only authorized and compliant systems to access the network
- Enforce network security policy
NAC Framework
- Software module embedded within NAC-enabled products
- Integrated framework leveraging multiple Cisco and NAC-aware vendor products
Cisco NAC Appliance
- In-band Cisco NAC Appliance solution can be used on any switch or router platform
- Self-contained, turnkey solution

The NAC Framework
Figure: hosts attempting network access present credentials (EAP/UDP or EAP/802.1x via the Cisco Trust Agent) to the network access devices, which enforce the decision; the network access device relays the credentials over RADIUS to the AAA server (the policy server decision point), which checks compliance ("Comply?") with vendor servers over HTTPS and returns access rights and a notification; noncompliant hosts are sent to remediation.

NAC Components
- Cisco NAS: serves as an in-band or out-of-band device for network access control
- Cisco NAA: optional lightweight client for device-based registry scans in unmanaged environments
- Cisco NAM: centralizes management for administrators, support personnel, and operators
- Rule-set updates: scheduled automatic updates for antivirus, critical hotfixes, and other applications

Cisco NAC Appliance Process
1. Host attempts to access a web page or uses an optional client. Network access is blocked until the wired or wireless host provides login information.
2. Host is redirected to a login page. Cisco NAC Appliance validates the username and password, and also performs device and network scans to assess vulnerabilities on the device.
3. The host is authenticated and optionally scanned for posture compliance.
3a. Device is noncompliant or login is incorrect: the host is denied access and assigned to a quarantine role with access to online remediation resources.
3b. Device is clean: the machine gets on the certified devices list and is granted access to the network.
Figure: the host, the Cisco NAS, the authentication server, the Cisco NAM, the quarantine role and the intranet/network (the goal).

Access Windows
4. Figure: login screen, then a scan is performed (the types of checks depend on the user role); if the scan fails, the user is directed to remediate.

Endpoint Security with Cisco Security Agent
- CSA Architecture Model
- CSA Overview
- CSA Functionality
- Attack Phases
- CSA Log Messages

CSA Architecture
Figure: servers protected by Cisco Security Agent send events over SSL to the Management Center for Cisco Security Agent (with an internal or external database), which distributes security policy to the agents and raises alerts to the administration workstation.

CSA Overview
Figure: application requests pass through four interceptors (file system, network, configuration, execution space) into the rules engine and state correlation engine, which apply the rules and policies and either allow or block each request.

CSA Functionality
Table: the security applications (distributed firewall, host intrusion prevention, application sandbox, network worm prevention, file integrity monitor) mapped to the interceptors that implement them (network interceptor, file system interceptor, configuration interceptor, execution space interceptor).

Attack Phases
- Probe phase: ping scans, port scans
- Penetrate phase: transfer exploit code to target
- Persist phase: install new code, modify configuration
- Propagate phase: attack other targets
- Paralyze phase: erase files, crash system, steal data
Figure: a server protected by Cisco Security Agent, with the file system, network, configuration and execution space interceptors covering these phases.

CSA Log Messages


Layer 2 Security Considerations
- Introduction to Layer 2 Security
- MAC Address Spoofing Attacks
- MAC Address Table Overflow Attacks
- STP Manipulation Attacks
- LAN Storm Attacks
- VLAN Attacks

Introduction to Layer 2 Security
- Layer 2 Security
- Overview of OSI Model

Layer 2 Security
Figure: the network diagram from Securing the LAN (Internet, perimeter with firewall, VPN and IPS, MARS and ACS, IronPort, hosts with web server, email server and DNS).

OSI Model
When it comes to networking, Layer 2 is often a very weak link.
Figure: the OSI layers (Application, Presentation, Session, Transport, Network, Data Link, Physical) with an initial compromise at the Data Link layer (MAC addresses, physical links); the layers above it (IP addresses, protocols and ports, the application stream) are shown as compromised as well.

Layer 2 Vulnerabilities
- MAC Address Spoofing Attacks
- MAC Address Table Overflow Attacks
- STP Manipulation Attacks
- Storm Attacks
- VLAN Attacks

MAC Address Spoofing Attack
The switch keeps track of the endpoints by maintaining a MAC address table. In MAC spoofing, the attacker poses as another host, in this case AABBcc.
Figure: a switch with the attacker (MAC address 12AbDd) on port 1 and the server (MAC address AABBcc) on port 2. The switch: "I have associated Ports 1 and 2 with the MAC addresses of the devices attached. Traffic destined for each device will be forwarded directly."

MAC Address Spoofing Attack
Attacker: "I have changed the MAC address on my computer to match the server."
Figure: the attacker's computer now presents MAC address AABBcc and the switch updates its MAC address table entry for AABBcc to the attacker's port. The switch: "The device with MAC address AABBcc has changed locations to Port 2. I must adjust my MAC address table accordingly."

MAC Address Table Overflow Attack
The switch can forward frames between PC1 and PC2 without flooding because the MAC address table contains port-to-MAC-address mappings for these PCs.

MAC Address Table Overflow Attack
1. Intruder runs macof to begin sending unknown bogus MAC addresses.
2. Bogus addresses are added to the CAM table. The CAM table is full.
3. The switch floods the frames.
4. Attacker sees traffic to servers B and D.
Figure: the intruder on port 3/25 in VLAN 10 sends frames from MAC X, Y and Z; the CAM table fills with the entries 3/25 MAC X, 3/25 MAC Y, 3/25 MAC Z; traffic from host C to servers B and D is then flooded on VLAN 10, including to port 3/25.

STP Manipulation Attack
- Spanning tree protocol operates by electing a root bridge
- STP builds a tree topology
- STP manipulation changes the topology of a network: the attacking host appears to be the root bridge
Figure: three switches with forwarding (F) ports; the root bridge has priority 8192 and MAC address 0000.00C0.1234.

STP Manipulation Attack
The attacking host broadcasts out STP configuration and topology change BPDUs. This is an attempt to force spanning tree recalculations.
Figure: the attacker, connected to two switches, is elected root bridge in place of the legitimate root bridge (priority 8192); the forwarding (F) ports now lead towards the attacker.

LAN Storm Attack
Broadcast, multicast, or unicast packets are flooded on all ports in the same VLAN. These storms can increase the CPU utilization on a switch to 100%, reducing the performance of the network.
Figure: a switch replicating broadcast frames out of every port.

Storm Control
Figure: graph of the total number of broadcast packets or bytes over time.

VLAN Attacks
- Segmentation
- Flexibility
- Security
VLAN = Broadcast Domain = Logical Network (Subnet)

VLAN Attacks
A VLAN hopping attack can be launched in two ways:
- Spoofing DTP messages from the attacking host to cause the switch to enter trunking mode
- Introducing a rogue switch and turning trunking on
Figure: an attacker on VLAN 10 connected over an 802.1Q trunk sees traffic destined for the servers on VLAN 20.

Double-Tagging VLAN Attack
1. The attacker is on VLAN 10, but puts a 20 tag in the packet.
2. The first switch strips off the first tag and does not retag it (native traffic is not retagged). It then forwards the packet to switch 2.
3. The second switch receives the packet on the native VLAN.
4. The second switch examines the packet, sees the VLAN 20 tag and forwards it accordingly.
Note: This attack works only if the trunk has the same native VLAN as the attacker.
Figure: the 802.1Q frame carrying the 20 tag crosses the trunk (native VLAN = 10) and reaches the victim on VLAN 20.

Configuring Switch Security
- Configuring Port Security
- Verifying Port Security
- BPDU Guard and Root Guard
- Storm Control
- VLAN Configuration
- Cisco Switched Port Analyzer
- Cisco Remote Switched Port Analyzer
- Best Practices for Layer 2

Configuring Port Security
- Port Security Overview
- Port Security Configuration
- Switchport Port-Security Parameters
- Port-Security Violation Configuration
- Switchport Port-Security Violation Parameters
- Port Security Aging Configuration
- Switchport Port-Security Aging Parameters
- Typical Configuration

Port Security Overview
Allows an administrator to statically specify MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses.
Figure: port 0/1 allows MAC A, port 0/2 allows MAC B, port 0/3 allows MAC C; attacker 1 and attacker 2, presenting MAC A and MAC F, connect to ports that do not allow those addresses.

CLI Commands
Switch(config-if)# switchport mode access
  Sets the interface mode as access
Switch(config-if)# switchport port-security
  Enables port security on the interface
Switch(config-if)# switchport port-security maximum value
  Sets the maximum number of secure MAC addresses for the interface (optional)

Switchport Port-Security Parameters
mac-address mac-address
  (Optional) Specify a secure MAC address for the port by entering a 48-bit MAC address. You can add additional secure MAC addresses up to the maximum value configured.
vlan vlan-id
  (Optional) On a trunk port only, specify the VLAN ID and the MAC address. If no VLAN ID is specified, the native VLAN is used.
vlan access
  (Optional) On an access port only, specify the VLAN as an access VLAN.
vlan voice
  (Optional) On an access port only, specify the VLAN as a voice VLAN.
mac-address sticky [mac-address]
  (Optional) Enable the interface for sticky learning by entering only the mac-address sticky keywords. When sticky learning is enabled, the interface adds all secure MAC addresses that are dynamically learned to the running configuration and converts these addresses to sticky secure MAC addresses. Specify a sticky secure MAC address by entering the mac-address sticky mac-address keywords.
maximum value
  (Optional) Set the maximum number of secure MAC addresses for the interface. The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system. The active Switch Database Management (SDM) template determines this number. This number represents the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces. The default setting is 1.
vlan [vlan-list]
  (Optional) For trunk ports, you can set the maximum number of secure MAC addresses on a VLAN. If the vlan keyword is not entered, the default value is used. vlan: set a per-VLAN maximum value. vlan vlan-list: set a per-VLAN maximum value on a range of VLANs separated by a hyphen or a series of VLANs separated by commas. For nonspecified VLANs, the per-VLAN maximum value is used.

Port Security Violation Configuration
Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}
  Sets the violation mode (optional)
Switch(config-if)# switchport port-security mac-address mac-address
  Enters a static secure MAC address for the interface (optional)
Switch(config-if)# switchport port-security mac-address sticky
  Enables sticky learning on the interface (optional)

Switchport Port-Security Violation Parameters
protect
  (Optional) Set the security violation protect mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.
restrict
  (Optional) Set the security violation restrict mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred.
shutdown
  (Optional) Set the security violation shutdown mode. In this mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and increments the violation counter. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands.
shutdown vlan
  Set the security violation mode to per-VLAN shutdown. In this mode, only the VLAN on which the violation occurred is error-disabled.
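To connect the MAC address table overflow attack described earlier with the port-security limits and violation modes just listed, here is an added simulation (not code from the course): a switch with a small CAM table is flooded with bogus source addresses, first with no protection and then with a port-security maximum of 2 in restrict mode, plus a short shutdown-mode run. All MAC addresses, port names and the table capacity are constructed.

```python
"""Model of a switch MAC address (CAM) table protected by port security.

Added example, not code from the CCNA Security course: it simulates the MAC
address table overflow attack (a flood of bogus source addresses fills the
table, so the switch floods frames and the attacker sees them) and shows how
the port-security maximum and the protect / restrict / shutdown violation
modes keep the table healthy. All MAC addresses and port names are constructed.
"""
from dataclasses import dataclass, field

BROADCAST = "ffff.ffff.ffff"
HOST_A = "00aa.0000.0001"   # constructed: legitimate host on Fa0/1
HOST_B = "00aa.0000.0002"   # constructed: legitimate host on Fa0/2
BOGUS = [f"00bb.0000.{i:04x}" for i in range(20)]  # constructed attacker sources


@dataclass
class PortSecurity:
    maximum: int = 1              # switchport port-security maximum
    violation: str = "shutdown"   # protect | restrict | shutdown
    secure: set = field(default_factory=set)
    violations: int = 0           # the Security Violation Count
    err_disabled: bool = False


class Switch:
    def __init__(self, cam_capacity: int):
        self.cam_capacity = cam_capacity
        self.cam: dict = {}     # MAC -> port
        self.ports: dict = {}   # port -> PortSecurity, for secured ports only
        self.syslog: list = []

    def enable_port_security(self, port: str, maximum: int, violation: str) -> None:
        self.ports[port] = PortSecurity(maximum, violation)

    def age_out(self, mac: str) -> None:
        """Simulate the aging timer expiring for one dynamic entry."""
        self.cam.pop(mac, None)

    def receive(self, port: str, src: str, dst: str) -> str:
        """Process one frame; returns forward:<port>, flood, dropped or err-disabled."""
        sec = self.ports.get(port)
        if sec is not None:
            if sec.err_disabled:
                return "err-disabled"
            if src not in sec.secure:
                if len(sec.secure) >= sec.maximum:
                    return self._violation(port, sec, src)
                sec.secure.add(src)
        # Learn the source address unless the table is already full.
        if src in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[src] = port
        out = self.cam.get(dst)
        return "flood" if out is None else f"forward:{out}"

    def _violation(self, port: str, sec: PortSecurity, src: str) -> str:
        if sec.violation == "protect":      # silently dropped: no count, no log
            return "dropped"
        sec.violations += 1                  # restrict and shutdown both count and log
        self.syslog.append(f"PSECURE_VIOLATION (constructed): MAC {src} on port {port}")
        if sec.violation == "shutdown":
            sec.err_disabled = True
            return "err-disabled"
        return "dropped"


def overflow_demo(port_security: bool) -> dict:
    """Run the overflow attack against a small CAM table, with or without port security."""
    sw = Switch(cam_capacity=8)
    if port_security:
        sw.enable_port_security("Fa0/3", maximum=2, violation="restrict")
    sw.receive("Fa0/1", HOST_A, HOST_B)
    sw.receive("Fa0/2", HOST_B, HOST_A)
    for _round in range(2):                  # macof keeps sending continuously
        for mac in BOGUS:
            sw.receive("Fa0/3", mac, BROADCAST)
        sw.age_out(HOST_A)                   # A's dynamic entry expires meanwhile
    sw.receive("Fa0/1", HOST_A, HOST_B)      # A talks again: can it be relearned?
    return {
        "b_to_a": sw.receive("Fa0/2", HOST_B, HOST_A),
        "cam_entries": len(sw.cam),
        "bogus_learned": sum(mac in sw.cam for mac in BOGUS),
        "violations": sw.ports["Fa0/3"].violations if port_security else 0,
    }


def shutdown_demo() -> tuple:
    """Shutdown mode: the first violation error-disables the port for all traffic."""
    sw = Switch(cam_capacity=8)
    sw.enable_port_security("Fa0/3", maximum=1, violation="shutdown")
    sw.receive("Fa0/3", BOGUS[0], BROADCAST)           # first address becomes secure
    first = sw.receive("Fa0/3", BOGUS[1], BROADCAST)   # second address: violation
    later = sw.receive("Fa0/3", BOGUS[0], BROADCAST)   # even the secure address is cut off
    return first, later, sw.ports["Fa0/3"].violations


if __name__ == "__main__":
    print("no port security:", overflow_demo(False))
    print("port security   :", overflow_demo(True))
    print("shutdown mode   :", shutdown_demo())
```

Without port security the frame from B to A is flooded (the attacker's port receives it) because A's entry could not be relearned; with a maximum of 2 the table stays small and B's frame is forwarded only to Fa0/1.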

Port Security Aging Configuration
Switch(config-if)# switchport port-security aging {static | time time | type {absolute | inactivity}}
  Enables or disables static aging for the secure port or sets the aging time or type

Switchport Port-Security Aging Parameters
static
  Enable aging for statically configured secure addresses on this port.
time time
  Specify the aging time for this port. The range is 0 to 1440 minutes. If the time is 0, aging is disabled for this port.
type absolute
  Set the absolute aging type. All the secure addresses on this port age out exactly after the time (minutes) specified and are removed from the secure address list.
type inactivity
  Set the inactivity aging type. The secure addresses on this port age out only if there is no data traffic from the secure source address for the specified time period.

Typical Configuration
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security aging time 120
Figure: switch S2 with PC B attached to the configured port.

Verifying Port Security
- CLI Commands
- View Secure MAC Addresses
- MAC Address Notification

CLI Commands
sw-class# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
               (Count)        (Count)        (Count)
---------------------------------------------------------------------------
     Fa0/12          2              0              0            Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024

sw-class# show port-security interface f0/12
Port Security              : Enabled
Port status                : Secure-down
Violation mode             : Shutdown
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Aging time                 : 120 mins
Aging type                 : Absolute
SecureStatic address aging : Disabled
Security Violation Count   : 0

View Secure MAC Addresses
sw-class# show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   1    0000.ffff.aaaa    SecureConfigured    Fa0/12        -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024

MAC Address Notification
MAC address notification allows monitoring of the MAC addresses, at the module and port level, added by the switch or removed from the CAM table for secure ports. SNMP traps are sent to the NMS when new MAC addresses appear or when old ones time out.
Figure: switch CAM table with F1/1 = MAC A, F1/2 = MAC B and F2/1 = MAC D; MAC D is away from the network, so its address ages out and the switch sends a trap to the NMS.

BPDU Guard and Root Guard
- Configure PortFast
- BPDU Guard
- Display the State of Spanning Tree
- Root Guard
- Verify Root Guard

Configure PortFast
Switch(config-if)# spanning-tree portfast
  Enables PortFast on a Layer 2 access port and forces it to enter the forwarding state immediately.
Switch(config-if)# no spanning-tree portfast
  Disables PortFast on a Layer 2 access port. PortFast is disabled by default.
Switch(config)# spanning-tree portfast default
  Globally enables the PortFast feature on all nontrunking ports.
Switch# show running-config interface type slot/port
  Indicates whether PortFast has been configured on a port.
Figure: a server and a workstation attached to access ports.

BPDU Guard
Switch(config)# spanning-tree portfast bpduguard default
  Globally enables BPDU guard on all ports with PortFast enabled
Figure: the root bridge with forwarding (F) ports and, on a downstream switch, a port marked B with BPDU Guard enabled, at which an attacker sends an STP BPDU.

Display the State of Spanning Tree
Switch# show spanning-tree summary totals
Root bridge for: none.
PortFast BPDU Guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Spanning tree default pathcost method used is short

Name                 Blocking Listening Learning Forwarding STP Active
-------------------- -------- --------- -------- ---------- ----------
1 VLAN               0        0         0        1          1
<output omitted>

Root Guard
Switch(config-if)# spanning-tree guard root
  Enables root guard on a per-interface basis
Figure: the root bridge (priority 0, MAC address 0000.0c45.1a5d) with forwarding (F) ports; an attacker sends an STP BPDU claiming priority 0 and MAC address 0000.0c45.1234 (a lower MAC address, which would otherwise win the election) into a port with Root Guard enabled.

Verify Root Guard
Switch# show spanning-tree inconsistentports

Name                 Interface              Inconsistency
-------------------- ---------------------- ------------------
VLAN0001             FastEthernet3/1        Port Type Inconsistent
VLAN0001             FastEthernet3/2        Port Type Inconsistent
VLAN1002             FastEthernet3/1        Port Type Inconsistent
VLAN1002             FastEthernet3/2        Port Type Inconsistent
VLAN1003             FastEthernet3/1        Port Type Inconsistent
VLAN1003             FastEthernet3/2        Port Type Inconsistent
VLAN1004             FastEthernet3/1        Port Type Inconsistent
VLAN1004             FastEthernet3/2        Port Type Inconsistent
VLAN1005             FastEthernet3/1        Port Type Inconsistent
VLAN1005             FastEthernet3/2        Port Type Inconsistent

Number of inconsistent ports (segments) in the system : 10

Storm Control
- Methods
- Configuration
- Parameters
- Verifying Settings

Storm Control Methods
- Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic
- Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received
- Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received
- Traffic rate in packets per second for small frames. This feature is enabled globally. The threshold for small frames is configured for each interface.

Storm Control Configuration
Switch(config-if)# storm-control broadcast level 75.5
Switch(config-if)# storm-control multicast level pps 2k 1k
Switch(config-if)# storm-control action shutdown
- storm-control {broadcast | multicast | unicast} enables storm control for that traffic type
- level specifies the level at which it is enabled
- action specifies the action that should take place when the threshold (level) is reached, in addition to filtering traffic

Storm Control Parameters
broadcast
  This parameter enables broadcast storm control on the interface.
multicast
  This parameter enables multicast storm control on the interface.
unicast
  This parameter enables unicast storm control on the interface.
level level [level-low]
  Rising and falling suppression levels as a percentage of total bandwidth of the port. level: Rising suppression level. The range is 0.00 to 100.00. Block the flooding of storm packets when the value specified for level is reached. level-low: (Optional) Falling suppression level, up to two decimal places. This value must be less than or equal to the rising suppression value.
level bps bps [bps-low]
  Specify the rising and falling suppression levels as a rate in bits per second at which traffic is received on the port. bps: Rising suppression level. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for bps is reached. bps-low: (Optional) Falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value.
level pps pps [pps-low]
  Specify the rising and falling suppression levels as a rate in packets per second at which traffic is received on the port. pps: Rising suppression level. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for pps is reached. pps-low: (Optional) Falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value.
action {shutdown | trap}
  The action taken when a storm occurs on a port. The default action is to filter traffic and to not send an SNMP trap. The keywords have these meanings: shutdown: Disables the port during a storm. trap: Sends an SNMP trap when a storm occurs.
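The rising and falling levels above form a hysteresis: once a storm is detected, flooding stays blocked until the rate drops below the falling level, not merely below the rising one. The following added simulation (not course code) runs constructed per-interval broadcast rates through that logic for the filter, shutdown and trap actions and renders a status row in the layout of show storm-control; the 20 pps / 10 pps thresholds are taken from the verification output shown on the next slide.

```python
"""Storm-control suppression model with rising and falling levels.

Added example, not from the course. It models the parameter table above:
traffic of one type is measured per interval, flooding is blocked when the
rising level (level / bps / pps) is reached, and it resumes only when the rate
drops below the falling level (level-low / bps-low / pps-low), which defaults
to the rising level. The action keyword selects filter (default), shutdown or
trap. The per-interval samples below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class StormControl:
    rising: float                     # rising suppression level
    falling: Optional[float] = None   # optional falling level, must be <= rising
    action: str = "filter"            # filter (default) | shutdown | trap
    unit: str = "pps"                 # only used to render the status row
    blocking: bool = False
    shut_down: bool = False
    traps: int = 0

    def __post_init__(self) -> None:
        if self.falling is None:
            self.falling = self.rising
        if self.falling > self.rising:
            raise ValueError("falling level must be less than or equal to the rising level")
        if self.action not in ("filter", "shutdown", "trap"):
            raise ValueError("action must be filter, shutdown or trap")

    def step(self, measured: float) -> str:
        """Apply one measurement interval and return the filter state."""
        if self.shut_down:
            return "Shutdown"            # error-disabled: stays down until recovered
        if not self.blocking and measured >= self.rising:
            self.blocking = True         # storm detected: flooding is blocked
            if self.action == "shutdown":
                self.shut_down = True
                return "Shutdown"
            if self.action == "trap":
                self.traps += 1          # trap is sent; traffic is filtered as well
        elif self.blocking and measured < self.falling:
            self.blocking = False        # rate fell below the falling level: forward again
        return "Blocking" if self.blocking else "Forwarding"

    def status_row(self, interface: str, current: float) -> str:
        """Render one row in the column layout of 'show storm-control'."""
        if self.unit == "%":
            fmt = lambda v: f"{v:.2f}%"
        else:
            fmt = lambda v: f"{v:g} {self.unit}"
        state = "Shutdown" if self.shut_down else ("Blocking" if self.blocking else "Forwarding")
        return f"{interface:<10} {state:<13} {fmt(self.rising):<10} {fmt(self.falling):<10} {fmt(current)}"


def run(samples: List[float], rising: float, falling: Optional[float] = None,
        action: str = "filter") -> List[str]:
    """Feed a series of per-interval rates through one storm-control instance."""
    sc = StormControl(rising, falling, action)
    return [sc.step(s) for s in samples]


# Constructed broadcast rates (packets per second) for seven consecutive intervals.
SAMPLES = [5, 12, 25, 18, 15, 9, 4]

if __name__ == "__main__":
    print("rising 20, falling 10:", run(SAMPLES, 20, 10))
    print("rising 20 only       :", run(SAMPLES, 20))
    print("action shutdown      :", run(SAMPLES, 20, 10, "shutdown"))
```

With the falling level set, the intervals at 18 and 15 pps stay blocked; without it, forwarding resumes as soon as the rate dips under 20 pps, which lets a storm that hovers around the threshold flap on and off.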

Verify Storm Control Settings
Switch# show storm-control
Interface  Filter State   Upper       Lower       Current
---------  -------------  ----------  ----------  --------
Gi0/1      Forwarding     20 pps      10 pps      5 pps
Gi0/2      Forwarding     50.00%      40.00%      0.00%
<output omitted>

VLAN Configuration
- Mitigating VLAN Attacks
- Controlling Trunking

Mitigating VLAN Attacks
1. Disable trunking on all access ports.
2. Disable auto trunking and manually enable trunking.
3. Be sure that the native VLAN is used only for trunk lines and nowhere else.
Figure: trunk (native VLAN = 10).

Controlling Trunking
Switch(config-if)# switchport mode trunk
  Specifies an interface as a trunk link
Switch(config-if)# switchport nonegotiate
  Prevents the generation of DTP frames
Switch(config-if)# switchport trunk native vlan vlan_number
  Sets the native VLAN on the trunk to an unused VLAN
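To show why the third mitigation step works against the double-tagging attack from the earlier slide, here is an added forwarding model (not course code) of one access port and the two trunk ends. A frame is represented as its list of 802.1Q tags, outermost first; the VLAN numbers 10 and 20 come from the slide, while 999 is a constructed unused native VLAN.

```python
"""Forwarding model of the double-tagging VLAN hopping attack and its mitigation.

Added example, not from the course material: it models how an access port and
two trunk ports handle a frame that carries two 802.1Q tags, reproducing the
note on the slide (the attack works only when the trunk's native VLAN equals
the attacker's VLAN) and checking that the mitigation (an unused native VLAN,
here the constructed value 999) keeps the frame inside the attacker's VLAN.
Frames are modelled as a list of VLAN tags, outermost first.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Frame:
    tags: List[int] = field(default_factory=list)  # 802.1Q VLAN IDs, outer tag first
    payload: str = ""


def access_ingress(frame: Frame, access_vlan: int) -> Optional[Tuple[Frame, int]]:
    """Switch 1 access port: an untagged frame, or one tagged with the port's own
    VLAN, is accepted into the access VLAN (that tag is stripped and not retagged);
    anything else is dropped. Any further tag is just payload to this switch."""
    if not frame.tags:
        return frame, access_vlan
    if frame.tags[0] == access_vlan:
        return Frame(frame.tags[1:], frame.payload), access_vlan
    return None


def trunk_egress(frame: Frame, vlan: int, native_vlan: int) -> Frame:
    """Trunk egress: native-VLAN traffic is sent untagged; any other VLAN gets a
    tag pushed in front of whatever the frame already carries."""
    if vlan == native_vlan:
        return Frame(list(frame.tags), frame.payload)
    return Frame([vlan] + frame.tags, frame.payload)


def trunk_ingress(frame: Frame, native_vlan: int) -> Tuple[Frame, int]:
    """Trunk ingress on switch 2: a tagged frame belongs to the outer tag's VLAN
    (that tag is popped); an untagged frame belongs to the native VLAN."""
    if frame.tags:
        return Frame(frame.tags[1:], frame.payload), frame.tags[0]
    return frame, native_vlan


def delivered_vlan(attacker_vlan: int, inner_tag: int, trunk_native: int) -> Optional[int]:
    """VLAN in which switch 2 finally forwards a frame the attacker tagged twice:
    outer tag = the attacker's own VLAN, inner tag = the VLAN being targeted."""
    frame = Frame(tags=[attacker_vlan, inner_tag], payload="constructed payload")
    accepted = access_ingress(frame, attacker_vlan)      # switch 1, access port
    if accepted is None:
        return None
    frame, vlan = accepted
    on_wire = trunk_egress(frame, vlan, trunk_native)    # switch 1, trunk to switch 2
    frame, vlan = trunk_ingress(on_wire, trunk_native)   # switch 2, trunk port
    return vlan


def hop_succeeds(attacker_vlan: int, victim_vlan: int, trunk_native: int) -> bool:
    """True when the double-tagged frame is forwarded in the victim's VLAN."""
    return delivered_vlan(attacker_vlan, victim_vlan, trunk_native) == victim_vlan


def native_vlan_is_dedicated(trunk_native: int, access_vlans: List[int]) -> bool:
    """Mitigation check: the native VLAN must not be in use on any access port."""
    return trunk_native not in access_vlans


if __name__ == "__main__":
    print("native VLAN 10 :", hop_succeeds(10, 20, 10))    # True: attack works
    print("native VLAN 999:", hop_succeeds(10, 20, 999))   # False: frame stays in VLAN 10
```

With the native VLAN equal to the attacker's VLAN 10, switch 1 sends the frame untagged and switch 2 acts on the surviving 20 tag; with native VLAN 999, switch 1 pushes a 10 tag and switch 2 delivers the frame back into VLAN 10.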

Cisco Switched Port Analyzer
- Traffic Analysis
- CLI Commands
- SPAN and IDS

Traffic Analysis
A SPAN port mirrors traffic to another port where a monitoring device is connected. Without this, it can be difficult to track hackers after they have entered the network.
Figure: an IDS, RMON probe or protocol analyzer on the SPAN destination port raises "Intruder Alert!" on the attacker's traffic.

CLI Commands
Switch(config)# monitor session session_number source {interface interface-id [, | -] [both | rx | tx]} | {vlan vlan-id [, | -] [both | rx | tx]} | {remote vlan vlan-id}
Switch(config)# monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate] [ingress {dot1q vlan vlan-id | isl | untagged vlan vlan-id | vlan vlan-id}]} | {remote vlan vlan-id}

Verify SPAN Configuration


SPAN and IDS
Use SPAN to mirror traffic in and out of port F0/1 to port F0/2.
Figure: the attacker's traffic enters the switch on F0/1 and the IDS is attached to F0/2.

Cisco Remote Switched Port Analyzer
- Overview
- Configuring RSPAN
- Verifying RSPAN Configuration

Overview
An RSPAN port mirrors traffic to another port on another switch where a probe or IDS sensor is connected. This allows more switches to be monitored with a single probe or IDS.
Figure: traffic from the source VLANs on several switches is carried over the RSPAN VLAN to the switch where the IDS is connected; the IDS raises "Intruder Alert!" on the attacker's traffic.

Configuring RSPAN
1. Configure the RSPAN VLAN
2960-1(config)# vlan 100
2960-1(config-vlan)# remote-span
2960-1(config-vlan)# exit
2. Configure the RSPAN source ports and VLANs
2960-1(config)# monitor session 1 source interface FastEthernet 0/1
2960-1(config)# monitor session 1 destination remote vlan 100 reflector-port FastEthernet 0/24
2960-1(config)# interface FastEthernet 0/2
2960-1(config-if)# switchport mode trunk
3. Configure the RSPAN traffic to be forwarded
2960-2(config)# monitor session 2 source remote vlan 100
2960-2(config)# monitor session 2 destination interface FastEthernet 0/3
2960-2(config)# interface FastEthernet 0/2
2960-2(config-if)# switchport mode trunk
Figure: switches 2960-1 and 2960-2 connected by the trunk on FastEthernet 0/2.

Verifying RSPAN Configuration
show monitor [session {session_number | all | local | range list | remote} [detail]] [ | {begin | exclude | include} expression]
Figure: switches 2960-1 and 2960-2.

Best Practices
- Layer 2 Guidelines
- VLAN Practices

Layer 2 Guidelines
- Manage switches in as secure a manner as possible (SSH, out-of-band management, ACLs, etc.)
- Set all user ports to non-trunking mode (except if using Cisco VoIP)
- Use port security where possible for access ports
- Enable STP attack mitigation (BPDU guard, root guard)
- Use Cisco Discovery Protocol only where necessary (with phones it is useful)
- Configure PortFast on all non-trunking ports
- Configure root guard on STP root ports
- Configure BPDU guard on all non-trunking ports

VLAN Practices
- Always use a dedicated, unused native VLAN ID for trunk ports
- Do not use VLAN 1 for anything
- Disable all unused ports and put them in an unused VLAN
- Manually configure all trunk ports and disable DTP on trunk ports
- Configure all non-trunking ports with switchport mode access
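The Layer 2 guidelines and VLAN practices above can be checked mechanically against a switch's running-config. The following added audit script (not course code) parses interface blocks and reports the deviations that are visible in configuration text: access ports without port security, PortFast or BPDU guard, or left in VLAN 1; trunks that still negotiate DTP or use VLAN 1 (or an access VLAN) as native; and ports with no explicit mode that are not shut down. The configuration it parses is constructed; root-guard placement is not checked because root ports cannot be identified from configuration alone.

```python
"""Layer 2 hardening audit of a switch running-config against the guidelines above.

Added example, not from the course: a small parser for Cisco IOS interface
blocks that flags access ports without port security, PortFast or BPDU guard
or sitting in VLAN 1, trunks that still negotiate DTP or use VLAN 1 (or an
access VLAN) as native, and ports with no explicit mode that are not shut
down. The configuration below is constructed for the demonstration; the
checks cover only what can be read from the configuration text.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/24
 switchport mode trunk
 switchport trunk native vlan 1
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface GigabitEthernet0/2
!
"""


def parse_config(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global commands and per-interface command lists."""
    global_cmds: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None                      # '!' or a global command ends the block
            if line and line != "!":
                global_cmds.append(line)
    return global_cmds, interfaces


def _vlan_after(lines: List[str], prefix: str, default: int = 1) -> int:
    """VLAN number following a command prefix; IOS defaults to VLAN 1 when absent."""
    for line in lines:
        m = re.fullmatch(rf"{re.escape(prefix)} (\d+)", line)
        if m:
            return int(m.group(1))
    return default


def audit(config: str) -> Dict[str, List[str]]:
    """Return {interface: [findings]} for every interface that breaks a guideline."""
    global_cmds, interfaces = parse_config(config)
    global_bpduguard = "spanning-tree portfast bpduguard default" in global_cmds
    mode: Dict[str, str] = {}
    access_vlans = set()
    for name, lines in interfaces.items():
        m = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        mode[name] = m
        if m == "access":
            access_vlans.add(_vlan_after(lines, "switchport access vlan"))
    findings: Dict[str, List[str]] = {}
    for name, lines in interfaces.items():
        cmds = set(lines)
        issues: List[str] = []
        if mode[name] == "access":
            if "switchport port-security" not in cmds:
                issues.append("port security not enabled")
            if "spanning-tree portfast" not in cmds:
                issues.append("PortFast not configured")
            guarded = "spanning-tree bpduguard enable" in cmds or (
                global_bpduguard and "spanning-tree portfast" in cmds)
            if not guarded:
                issues.append("BPDU guard not in effect")
            if _vlan_after(lines, "switchport access vlan") == 1:
                issues.append("access VLAN is VLAN 1")
        elif mode[name] == "trunk":
            if "switchport nonegotiate" not in cmds:
                issues.append("DTP not disabled (switchport nonegotiate)")
            native = _vlan_after(lines, "switchport trunk native vlan")
            if native == 1:
                issues.append("native VLAN is VLAN 1")
            if native in access_vlans:
                issues.append(f"native VLAN {native} is also used as an access VLAN")
        elif "shutdown" not in cmds:
            issues.append("no explicit access/trunk mode (DTP dynamic) and not shut down")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for interface, issues in audit(SAMPLE_CONFIG).items():
        print(interface)
        for issue in issues:
            print("  -", issue)
```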

Wireless, VoIP, and SAN Security
- Enterprise Advanced Technology Security Considerations
- Wireless Security Considerations
- Wireless Security Solutions
- VoIP Security Considerations
- VoIP Security Solutions
- SAN Security Considerations
- SAN Security Solutions

Enterprise Advanced Technology Security Considerations
- Topology Overview
- Infrastructure-Integrated Approach
- Cisco IP Telephony Solutions
- Storage Network Solutions

Overview
Figures: topology diagrams for the wireless, VoIP and SAN deployments.

Infrastructure-Integrated Approach
Proactive threat and intrusion detection capabilities that do not simply detect wireless attacks but prevent them
Comprehensive protection to safeguard confidential data and communications
Simplified user management with a single user identity and policy
Collaboration with wired security systems


Cisco IP Telephony Solutions


Single-site deployment
Centralized call processing with remote branches
Distributed call-processing deployment
Clustering over the IP WAN


Storage Network Solutions


Investment protection
Virtualization
Security
Consolidation
Availability


Wireless Security Considerations


Cisco Wireless LAN Controllers
Wireless Hacking
Hacking Tools
Security Considerations


Cisco Wireless LAN Controllers

Responsible for system-wide wireless LAN functions
Work in conjunction with APs and the Cisco Wireless Control System (WCS) to support wireless applications
Smoothly integrate into existing enterprise networks



Wireless Hacking
War driving: A neighbor hacks into another neighbor's wireless network to get free Internet access or access information

Free Wi-Fi provides an opportunity to compromise the data of users


Hacking Tools

Network Stumbler
Kismet
AirSnort
CoWPAtty
ASLEAP
Wireshark


Safety Considerations
Wireless networks using WEP or WPA/TKIP are not very secure and are vulnerable to hacking attacks.
Wireless networks using WPA2/AES should have a passphrase of at least 21 characters long.
If an IPsec VPN is available, use it on any public wireless LAN.
If wireless access is not needed, disable the wireless radio or wireless NIC.

VoIP Security Considerations


VoIP Business Advantages
VoIP Components and Protocols
Threats
VoIP SPIT
Fraud


VoIP Business Advantages

(Figure: PSTN and VoIP networks joined by a gateway)

Little or no training costs
No major set-up fees
Enables unified messaging
Encryption of voice calls is supported
Lower telecom call costs
Productivity increases
Lower costs to move, add, or change
Lower ongoing service and maintenance costs
Fewer administrative personnel required

VoIP Components

(Figure: VoIP components: Cisco Unified Communications Manager (call agent), MCU, Cisco Unity, IP phones, a videoconference station, and routers/gateways connecting the IP backbone to the PSTN)

VoIP Protocols
VoIP Protocol: Description
H.323: ITU standard protocol for interactive conferencing; evolved from H.320 ISDN standard; flexible, complex
MGCP: Emerging IETF standard for PSTN gateway control; thin device control
Megaco/H.248: Joint IETF and ITU standard for gateway control with support for multiple gateway types; evolved from MGCP standard
SIP: IETF protocol for interactive and noninteractive conferencing; simpler but less mature than H.323
RTP: IETF standard media-streaming protocol
RTCP: IETF protocol that provides out-of-band control information for an RTP flow
SRTP: IETF protocol that encrypts RTP traffic as it leaves the voice device
SCCP: Cisco proprietary protocol used between Cisco Unified Communications Manager and Cisco IP phones

Threats

Reconnaissance
Directed attacks such as spam over IP telephony (SPIT) and spoofing
DoS attacks such as DHCP starvation, flooding, and fuzzing
Eavesdropping and man-in-the-middle attacks

VoIP SPIT
If SPIT grows like spam, it could result in regular DoS problems for network administrators. Antispam methods do not block SPIT. Authenticated TLS stops most SPIT attacks because TLS endpoints accept packets only from trusted devices.

(Figure: example SPIT message: "You've just won an all expenses paid vacation to the U.S. Virgin Islands!!!")


Fraud

Fraud takes several forms:
Vishing: A voice version of phishing that is used to compromise confidentiality.
Theft and toll fraud: The stealing of telephone services.

Use features of Cisco Unified Communications Manager to protect against fraud.
Partitions limit what parts of the dial plan certain phones have access to.
Dial plan filters control access to exploitive phone numbers.
FACs prevent unauthorized calls and provide a mechanism for tracking.

SIP Vulnerabilities
Registration hijacking: Allows a hacker to intercept incoming calls and reroute them.
Message tampering: Allows a hacker to modify data packets traveling between SIP addresses.
Session tear-down: Allows a hacker to terminate calls or carry out VoIP-targeted DoS attacks.

(Figure: SIP architecture: SIP user agents, registrars, location database, SIP proxy, and SIP servers/services)


VoIP Security Solutions


Using VLANs
Using Cisco ASA Adaptive Security Appliances
Using VPNs
Using Cisco Unified Communications Manager


Using VLANs
(Figure: switch port 5/1 carrying an 802.1Q trunk to an IP phone at 10.1.110.3 in voice VLAN 110, with a desktop PC at 171.1.1.1 behind the phone in data VLAN 10)

Creates a separate broadcast domain for voice traffic
Protects against eavesdropping and tampering
Renders packet-sniffing tools less effective
Makes it easier to implement VACLs that are specific to voice traffic
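The voice/data separation from the figure above, with a VACL applied to the voice VLAN. This is an added example, not configuration from the course; it assumes a Catalyst platform that supports VLAN access maps, and the call manager address, voice subnet and interface number are assumed values.

```cisco
! Added example, not from the course slides: the voice/data separation in the
! figure above (voice VLAN 110, data VLAN 10) with a VLAN access map (VACL) on
! the voice VLAN. Assumes a Catalyst platform that supports VLAN access maps;
! the call manager address (10.1.1.10), voice subnet (10.1.110.0/24) and
! interface number are assumed values.
vlan 10
 name DATA
vlan 110
 name VOICE
!
! Phone port: phone traffic tagged into VLAN 110, the PC behind the phone
! untagged in VLAN 10. CDP stays enabled because the phone learns its voice
! VLAN through CDP. Port security allows the phone plus one PC.
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Traffic allowed inside the voice VLAN: signalling and TFTP between phones
! and the call manager (SCCP 2000, SIP 5060), DHCP, and RTP in the Cisco
! default media port range. Anything else (for example a PC that tags its own
! frames with VLAN 110 to reach the phones) is dropped.
ip access-list extended VOICE-ALLOWED
 permit tcp 10.1.110.0 0.0.0.255 host 10.1.1.10 eq 2000
 permit tcp 10.1.110.0 0.0.0.255 host 10.1.1.10 eq 5060
 permit tcp host 10.1.1.10 eq 2000 10.1.110.0 0.0.0.255
 permit tcp host 10.1.1.10 eq 5060 10.1.110.0 0.0.0.255
 permit udp 10.1.110.0 0.0.0.255 host 10.1.1.10 eq tftp
 permit udp host 10.1.1.10 10.1.110.0 0.0.0.255
 permit udp any eq bootpc any eq bootps
 permit udp any eq bootps any eq bootpc
 permit udp 10.1.110.0 0.0.0.255 range 16384 32767 10.1.110.0 0.0.0.255 range 16384 32767
!
vlan access-map VOICE-VACL 10
 match ip address VOICE-ALLOWED
 action forward
vlan access-map VOICE-VACL 20
 action drop
vlan filter VOICE-VACL vlan-list 110
```

The RTP entry covers calls within this one voice subnet; calls to phones in other voice VLANs or across the WAN need matching entries for those subnets.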


Using Cisco ASA Adaptive Security Appliances


Ensure SIP, SCCP, H.323, and MGCP requests conform to standards
Prevent inappropriate SIP methods from being sent to Cisco Unified Communications Manager
Rate limit SIP requests
Enforce policy of calls (whitelist, blacklist, caller/called party, SIP URI)
Dynamically open ports for Cisco applications
Enable only registered phones to make calls
Enable inspection of encrypted phone calls

(Figure: two Cisco Adaptive Security Appliances placed between the voice network, the WAN, and the Internet)

Using VPNs
Use IPsec for authentication
Use IPsec to protect all traffic, not just voice
Consider SLA with service provider
Terminate on a VPN concentrator or large router inside of firewall to gain these benefits:
Performance
Reduced configuration complexity
Managed organizational boundaries

(Figure: an SRST router at the branch connected across the IP WAN to the telephony servers)


Using Cisco Unified Communications Manager


Signed firmware
Signed configuration files
Disable:
PC port
Setting button
Speakerphone
Web access


SAN Security Considerations


Overview
SAN Transport Technologies
World Wide Name
Zoning Operation
Virtual Storage Area Network


Overview

(Figure: servers on the IP network attached to external storage through the SAN)

Specialized network that enables fast, reliable access among servers and external storage resources


SAN Transport Technologies


Fibre Channel: the primary SAN transport for host-to-SAN connectivity
iSCSI: maps SCSI over TCP/IP and is another host-to-SAN connectivity model
FCIP: a popular SAN-to-SAN connectivity model

(Figure: hosts on the LAN reaching the SAN over Fibre Channel, iSCSI, and FCIP)


World Wide Name


A 64-bit address that Fibre Channel networks use to uniquely identify each element in a Fibre Channel network
Zoning can utilize WWNs to assign security permissions
The WWN of a device is a user-configurable parameter.

(Figure: Cisco MDS 9020 Fabric Switch)


Zoning Operation
Zone members see only other members of the zone.
Zones can be configured dynamically based on WWN.
Devices can be members of more than one zone.
Switched fabric zoning can take place at the port or device level: based on physical switch port, based on device WWN, or based on LUN ID.

(Figure: an example of zoning: Host1, Host2 and Disk1 through Disk4 on a SAN, grouped into ZoneA, ZoneB and ZoneC. Note that devices can be members of more than 1 zone.)


Virtual Storage Area Network (VSAN)


Cisco MDS 9000 Family with VSAN Service
Physical SAN islands are virtualized onto common SAN infrastructure


SAN Security Solutions


Security Focus
SAN Management
Fabric and Target Access
VSANs
iSCSI and FCIP


Security Focus
(Figure: areas of SAN security focus: SAN protocol target access, fabric access, SAN management access, IP storage access, and data integrity and secrecy)

SAN Management
Three main areas of vulnerability:
1. Disruption of switch processing
2. Compromised fabric stability
3. Compromised data integrity and confidentiality


Fabric and Target Access


Three main areas of focus:
Application data integrity
LUN integrity
Application performance


VSANs
Relationship of VSANs to Zones

(Figure: physical topology with VSAN 2 containing ZoneA, ZoneB and ZoneC over Host1, Host2 and Disk1 through Disk4, and VSAN 3 containing ZoneA and ZoneD over Host3, Host4, Disk5 and Disk6)

Two VSANs each with multiple zones. Disks and hosts are dedicated to VSANs although both hosts and disks can belong to multiple zones within a single VSAN. They cannot, however, span VSANs.


iSCSI and FCIP


iSCSI leverages many of the security features inherent in Ethernet and IP.
ACLs are like Fibre Channel zones
VLANs are like Fibre Channel VSANs
802.1X port security is like Fibre Channel port security

FCIP security leverages many IP security features in Cisco IOS-based routers:
IPsec VPN connections through public carriers
High-speed encryption services in specialized hardware
Can be run through a firewall
