
Module 7: Secure Network Architecture and Management

PDF created with pdfFactory trial version www.pdffactory.com


Overview



Layer 2 Security Best Practices



Factors affecting layer 2 mitigation techniques

• An example of case #1 could be a small business network using a broadband connection behind a DSL router or firewall.
• An example of case #8 could be a large application service provider data center. These cases are discussed in further detail in the following sections.



1. Single security zone, one user group, single physical switch

• An example of such a design would be a switch within a network DMZ created between an edge router and a corporate firewall, as shown in the figure. In this design all systems within the security zone are on the same VLAN.
• Vulnerabilities
The primary Layer 2 vulnerabilities in this design include the following:
– MAC spoofing
– CAM table overflow



1. Single security zone, one user group, single physical switch

• Mitigation
Port security may be administratively appropriate in this case because
of the limited size of the design. The Layer 2 switches are a part of the
security perimeter between the zones of trust and should be managed
as securely as possible including the use of SSH for command line
management, Simple Network Management Protocol Version 3
(SNMPv3) for remote management, configuration audits and regular
penetration testing of each VLAN using tools capable of exploiting
Layer 2 vulnerabilities such as Dsniff. An equally effective and less
administratively taxing approach would be to use dynamic port security
through the application of DHCP snooping and Dynamic ARP
Inspection.







Extra: Mitigating CAM Table Overflow Attacks

• You can mitigate CAM table overflow attacks in several ways. One of the primary ways is to configure port security on the switch. You can apply port security in three ways:
– Static secure MAC addresses
– Dynamic secure MAC addresses
– Sticky secure MAC addresses


• The action taken when a port security violation occurs falls into one of the following three categories:
– Protect: If the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until some secure MAC addresses are removed or the number of allowable addresses is increased. No notification of the security violation is generated in this mode.
– Restrict: If the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until some secure MAC addresses are removed or the maximum number of allowable addresses is increased. In this mode, a security notification is sent to the Simple Network Management Protocol (SNMP) server (if configured) and a syslog message is logged. The violation counter is also incremented.
– Shutdown: If a port security violation occurs, the interface changes to the error-disabled state and the port LED is turned off. The switch sends an SNMP trap, logs a syslog message, and increments the violation counter.
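The following is an added example, not code from the module or from Cisco: a small Python model of one access port with port security, replaying a constructed frame sequence (a legitimate host, then two unknown source addresses as a CAM-overflow burst would produce) through each of the three violation modes. It shows what an administrator would observe in each mode: silent drops under protect, drops plus notifications and a violation counter under restrict, and an err-disabled port under shutdown, which also cuts off the legitimate host. The MAC addresses, the port name and the syslog text are constructed; the syslog line is only modelled on the IOS `%PORT_SECURITY-2-PSECURE_VIOLATION` mnemonic.

```python
"""Added example (not from the page or Cisco): a model of how a switch port
with port security treats frames under the three violation modes.

One access port learns up to `maximum` secure MAC addresses dynamically.
Once the limit is reached, a frame from an unknown source is a violation,
and the mode decides what the administrator sees: a silent drop (protect),
a drop plus syslog/SNMP notification and counter increment (restrict), or
an err-disabled port (shutdown). Frames and MAC addresses are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class PortSecurityPort:
    name: str
    maximum: int = 1
    violation: str = "shutdown"               # protect | restrict | shutdown
    secure_macs: set = field(default_factory=set)
    violation_count: int = 0
    err_disabled: bool = False
    notifications: list = field(default_factory=list)  # syslog / SNMP trap text
    dropped: int = 0

    def receive(self, src_mac: str) -> str:
        """Process one ingress frame and report what happened to it."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            # A shut-down port drops everything, including the legitimate host,
            # until an administrator (or errdisable recovery) re-enables it.
            self.dropped += 1
            return "dropped (port err-disabled)"
        if src_mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            # Dynamic learning: the address becomes a secure MAC. (Sticky
            # learning would additionally write it to the running-config.)
            self.secure_macs.add(src_mac)
            return "forwarded (learned as secure MAC)"
        # Limit reached and the source is unknown: this is a violation.
        self.dropped += 1
        if self.violation == "protect":
            # Silent drop: no log, no trap, counter untouched.
            return "dropped (protect)"
        self.violation_count += 1
        # Text modelled on the IOS syslog mnemonic; not a real captured log line.
        self.notifications.append(
            f"%PORT_SECURITY-2-PSECURE_VIOLATION: {self.name} "
            f"unexpected source {src_mac}")
        if self.violation == "restrict":
            return "dropped (restrict, notified)"
        self.err_disabled = True
        return "dropped (shutdown, port err-disabled)"


# Constructed frame sequence: a legitimate host, then two unknown sources as a
# CAM-overflow tool would send, then the legitimate host again.
SAMPLE_FRAMES = [
    "00:11:22:33:44:55",
    "00:11:22:33:44:55",
    "de:ad:be:ef:00:01",
    "de:ad:be:ef:00:02",
    "00:11:22:33:44:55",
]


def run(mode: str, frames=SAMPLE_FRAMES, maximum: int = 1) -> PortSecurityPort:
    """Replay the frames through a fresh port configured for `mode`."""
    port = PortSecurityPort("FastEthernet0/1", maximum=maximum, violation=mode)
    for mac in frames:
        port.receive(mac)
    return port


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        p = run(mode)
        print(f"{mode:9s} dropped={p.dropped} violations={p.violation_count} "
              f"err_disabled={p.err_disabled} notifications={len(p.notifications)}")
```

Running the script shows the trade-off the three modes make: protect and restrict keep the legitimate host working and differ only in whether anyone is told, while shutdown generates one notification and then drops the legitimate host's last frame too, which is why errdisable recovery is usually configured alongside it.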





Extra: Using dynamic ARP inspection to mitigate MAC spoofing attacks



2. Single security zone, one user group, multiple physical switches

• This can be represented by a very large DMZ, or a DMZ with multiple VLANs all existing within a single security zone of trust. It could also be represented as a Layer 3 switch within the DMZ that provides inter-VLAN routing.
• Vulnerabilities
The primary Layer 2 vulnerabilities of this design include the following:
– MAC spoofing
– CAM table overflow
– VLAN hopping
– Spanning tree attacks, in networks with multiple switches


2. Single security zone, one user group, multiple physical switches

• Mitigation
If the security zone is small enough, use port security to help mitigate
the CAM table overflow vulnerability as well as the MAC spoofing
vulnerability. BPDU guard and root guard can be used to mitigate
attacks against the Spanning Tree Protocol (STP).
• The Layer 2 switches are a part of the security perimeter between
zones of trust and should be managed as securely as possible
including the use of SSH for command line management, SNMPv3 for
remote management, configuration audits and regular penetration
testing of each VLAN using tools capable of exploiting Layer 2
vulnerabilities such as Dsniff.



Extra: Mitigating VLAN Hopping Attacks

• Mitigating VLAN hopping attacks requires the following configuration modifications:
– Always use dedicated VLAN IDs for all trunk ports.
– Disable all unused ports and place them in an unused VLAN.
– Set all user ports to nontrunking mode by disabling DTP. Use the switchport mode access command in interface configuration mode.
– For backbone switch-to-switch connections, explicitly configure trunking.
– Do not use the user native VLAN as the trunk port native VLAN.
– Do not use VLAN 1 as the switch management VLAN.
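The list above reads naturally as a configuration audit, and the module itself recommends configuration audits of Layer 2 switches. The following is an added example, not part of the module: a Python script that parses an IOS-style switch configuration into interface blocks and reports each interface that violates one of the practices (DTP left enabled because no switchport mode is set, a trunk native VLAN that is VLAN 1 or a user VLAN, an unused port that is not shut down or not parked in a dedicated VLAN, and an IP address on interface Vlan1). The configuration text is constructed for the example, and the script assumes that ports whose description contains "unused" are the ones the administrator intends to disable.

```python
"""Added example (not from the page): a configuration-audit script that
checks an IOS-style switch configuration against the VLAN hopping
mitigations listed above. The configuration text is constructed for this
example; ports whose description contains "unused" are assumed to be the
unused ports an administrator intends to disable.
"""

SAMPLE_CONFIG = """\
interface FastEthernet0/1
 description user port
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/2
 description user port, DTP left at default
 switchport access vlan 10
!
interface FastEthernet0/3
 description unused - parked
 switchport mode access
 switchport access vlan 999
 shutdown
!
interface FastEthernet0/4
 description unused - never touched
!
interface GigabitEthernet0/1
 description uplink, native VLAN shared with users
 switchport mode trunk
 switchport trunk native vlan 10
!
interface GigabitEthernet0/2
 description uplink
 switchport mode trunk
 switchport trunk native vlan 900
 switchport nonegotiate
!
interface Vlan1
 ip address 10.0.0.2 255.255.255.0
!
"""


def parse_interfaces(config: str) -> dict:
    """Map each 'interface X' block to its stripped configuration lines."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line == "!":
            current = None
        elif current is not None and line:
            blocks[current].append(line)
    return blocks


def _vlan(lines, prefix, default=1):
    """VLAN number from a 'prefix N' line, or the IOS default (VLAN 1)."""
    for line in lines:
        if line.startswith(prefix):
            return int(line.split()[-1])
    return default


def audit_vlan_hopping(config: str) -> list:
    """Return (interface, finding) pairs for each best practice not met."""
    ifaces = parse_interfaces(config)
    findings = []
    # VLANs carrying user traffic: access VLANs of ports that are not shut down.
    user_vlans = {
        _vlan(lines, "switchport access vlan")
        for name, lines in ifaces.items()
        if not name.lower().startswith("vlan") and "shutdown" not in lines
        and any(l.startswith("switchport access vlan") for l in lines)
    }
    for name, lines in ifaces.items():
        if name.lower().startswith("vlan"):
            if name.lower() == "vlan1" and any(l.startswith("ip address") for l in lines):
                findings.append((name, "VLAN 1 is used as the management VLAN"))
            continue
        is_trunk = "switchport mode trunk" in lines
        is_access = "switchport mode access" in lines
        if not (is_trunk or is_access):
            findings.append((name, "switchport mode not set: DTP negotiation still enabled"))
        if is_trunk:
            native = _vlan(lines, "switchport trunk native vlan")
            if native == 1:
                findings.append((name, "trunk native VLAN left at VLAN 1"))
            elif native in user_vlans:
                findings.append((name, f"trunk native VLAN {native} is also a user VLAN"))
        description = next((l for l in lines if l.startswith("description")), "")
        if "unused" in description.lower():
            if "shutdown" not in lines:
                findings.append((name, "unused port is not shut down"))
            parked = _vlan(lines, "switchport access vlan")
            if parked == 1 or parked in user_vlans:
                findings.append((name, f"unused port sits in VLAN {parked}, not a dedicated unused VLAN"))
    return findings


if __name__ == "__main__":
    for iface, finding in audit_vlan_hopping(SAMPLE_CONFIG):
        print(f"{iface}: {finding}")
```

On the sample configuration the script reports FastEthernet0/2 and FastEthernet0/4 for DTP, FastEthernet0/4 twice more as an unused port that is live in VLAN 1, GigabitEthernet0/1 for sharing its native VLAN with user VLAN 10, and Vlan1 for carrying the management address; FastEthernet0/1, FastEthernet0/3 and GigabitEthernet0/2 pass.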


3. Single security zone, multiple user groups, single physical switch

• A typical example of such a design would be an application service provider data center or different departments within a single corporate enterprise that require data segregation.
• Vulnerabilities
The primary Layer 2 vulnerabilities of this design include the following:
– MAC spoofing
– CAM table overflow
– VLAN hopping



3. Single security zone, multiple user groups, single physical switch

• Mitigation
If the security zone is small enough, use port security to
help mitigate the CAM table overflow vulnerability as well
as the MAC spoofing vulnerability. Additionally, mitigation
of VLAN hopping can be accomplished by using the
following VLAN best practices as guidelines:
– Use dedicated VLAN IDs for all trunk ports.
– Disable all unused switch ports and place them in an
unused VLAN.
– Set all user ports to non-trunking mode by explicitly
turning off DTP on those ports.



4. Single security zone, multiple user groups, multiple physical switches

• This design represents one where high availability is a factor, as well as the need to trunk information between the switch devices. In addition, the direction of travel for the network traffic as determined through STP requires additional considerations when determining some of the more specific mitigation techniques. VLANs are used to provide traffic segmentation between the various user groups.
• Vulnerabilities
The primary Layer 2 vulnerabilities of this design include the following:
– MAC spoofing
– CAM table overflow
– VLAN hopping
– STP attacks


4. Single security zone, multiple user groups, multiple physical switches

• Mitigation
If the security zone is small enough, use port security to
help mitigate the CAM table overflow vulnerability as well
as the MAC spoofing vulnerability. Additionally, mitigation
of VLAN hopping can be accomplished by following the
VLAN best practices outlined in this module. If necessary,
deploy 802.1x authentication to prevent unauthorized
access to the security zone from an attacker who may
physically connect to a switch in the design. As with the
previous cases, the switches must be managed as
securely as possible and tested on a regular basis.



5. Multiple security zones, one user group, single physical switch

• Vulnerabilities
The primary layer 2 vulnerabilities of this design include the following:
– MAC spoofing, within VLANs
– CAM table overflow, through per VLAN traffic flooding
– VLAN hopping



5. Multiple security zones, one user group, single physical switch

• Mitigation
If the security zones are small enough, use port security to
help mitigate the CAM table overflow vulnerability as well
as the MAC spoofing vulnerability. Additionally, mitigation
of VLAN hopping can be accomplished by following the
VLAN best practices outlined in this module. As with the
previous cases, the switches must be managed as
securely as possible and tested on a regular basis.



5. Multiple security zones, one user group, single physical switch

• In the design shown in the figure, another mitigation approach would be to split the Layer 2 functionality of the switch across two separate physical switches. If this is done, the mitigation techniques described in case #1 would apply to both distinct security zones.
• If private VLANs (PVLANs) are employed in any of the VLANs, consideration must be given to the possibility of private VLAN attacks. If the VLANs utilize DHCP for address assignment, then DHCP starvation by an attacker also needs to be considered.



6. Multiple security zones, one user group, multiple physical switches
• This design, shown in the figure, represents a large data center within a single enterprise. However, the need to segregate traffic as well as data for various groups or departments within the enterprise is reflected by the separation of the data center into security zones. This can be accomplished securely through the use of VLANs within the data center; however, there are considerations which must be evaluated regarding some of the potential vulnerabilities.
• Vulnerabilities
The primary Layer 2 vulnerabilities of this design include the following:
– MAC spoofing, within VLANs
– CAM table overflow, through per-VLAN traffic flooding
– VLAN hopping
– STP attacks



6. Multiple security zones, one user group, multiple physical switches

• Mitigation
If the security zones are small enough, use port security to help mitigate CAM table overflow vulnerabilities as well as the MAC spoofing vulnerability. Additionally, mitigation of VLAN hopping can be accomplished by following the VLAN best practices outlined in this module. If necessary, deploy 802.1x authentication to prevent unauthorized access to each of the security zones from an attacker who may physically connect to a switch in the design. Another possible mitigation method would be to add a firewall within the design, or add a Layer 3 switch with an integrated firewall.



7. Multiple security zones, multiple user groups, single physical switch

• VLANs can be used to provide traffic segregation between the security zones.
• Vulnerabilities
The primary Layer 2 vulnerabilities of this design include the following:
– MAC spoofing, within VLANs
– CAM table overflow, through per-VLAN traffic flooding
– VLAN hopping
– Private VLAN attacks, on a per-VLAN basis



7. Multiple security zones, multiple user groups, single physical switch

• Mitigation
If the security zones are small enough, use port security to help
mitigate CAM table overflow vulnerabilities as well as the MAC
spoofing vulnerability. Additionally, mitigation of VLAN hopping can be
accomplished by following the VLAN best practices outlined within this
module. If necessary, deploy 802.1x authentication to prevent
unauthorized access to each of the security zones from an attacker
who may physically connect to a switch in the design. Another possible
mitigation method would be to add a firewall within the data center
design and integrate it into the central switch similar to that employed
in the previous design. The firewall enforces additional Layer 3 traffic
segregation between the various user groups. As with the previous
cases, the switches must be managed as securely as possible and
tested on a regular basis.



8. Multiple security zones, multiple user groups, multiple physical switches

• VLANs can be used to provide traffic segregation between the security zones. The need to provide high security in some of the zones may require additional measures.
• Vulnerabilities
The primary Layer 2 vulnerabilities of this design include the following:
– MAC spoofing, within VLANs
– CAM table overflow, through per-VLAN traffic flooding
– VLAN hopping
– STP attacks
– VTP attacks



8. Multiple security zones, multiple user groups, multiple physical switches

• Mitigation
If the security zones are small enough, use port security to help mitigate CAM table overflow vulnerabilities as well as the MAC spoofing vulnerability. Additionally, mitigation of VLAN hopping can be accomplished by following the VLAN best practices outlined within this module. If necessary, deploy 802.1x authentication to prevent unauthorized access to each of the security zones from an attacker who may physically connect to a switch in the design. Another possible mitigation method would be to add a firewall within the data center design and integrate it into one or more of the switches, similar to that employed in the case #6 design. The firewall enforces additional Layer 3 traffic segregation between the various user groups. As with the previous cases, the switches must be managed as securely as possible and tested on a regular basis.



Layer 2 security best practices



SDM Security Audit



Using SDM to perform security audits

• The SDM security audit feature compares router configurations to a predefined checklist of best practices using ICSA and Cisco TAC recommendations.



Using SDM to perform security audits

• Security Audit contains two modes:
– Security Audit – Examines the router configuration, then displays the Report Card screen, which shows a list of possible security problems. The administrator can then pick and choose which vulnerability to lock down.
– One-step lockdown – Initiates the automatic lockdown using recommended settings.



Using SDM monitor mode

• The monitor function includes the following elements:
– Overview – Displays the router status, including a list of the error log entries.
– Interface Status – Used to select the interface to monitor and the conditions (for example, packets and errors, in or out) to view.
– Firewall Status – Displays a log showing the number of entry attempts that were denied by the firewall.
– VPN Status – Displays statistics about active VPN connections on the router.
– QoS Status – Displays statistics on the Quality of Service (QoS) configured on the router.
– Logging – Displays an event log categorized by severity level.





Router Management Center (MC)



Introduction to the Router MC

• The CiscoWorks Router Management Center (Router MC), a component of the CiscoWorks VPN/Management Solution (VMS), provides scalable security management for the configuration and deployment of VPN connections. One of the greatest challenges in implementing large site-to-site and remote access VPNs is management. The primary role of the Router MC is to manage site-to-site VPNs.


Introduction to the Router MC

• The Router MC can be defined as follows:
– A Web-based application for the setup and maintenance of VPN connections using Cisco VPN Routers
– Centralizes the configuration of IKE and tunnel policies for multiple devices
– Scalable to a large number of VPN routers
– Router MC is a web-based application designed for large-scale management of virtual private network (VPN) and firewall configurations on Cisco routers. Router MC 1.2.1 provides the following features:
• Enables the setup and maintenance of VPN connections among multiple Cisco VPN routers, in a hub-and-spoke topology.
• Enables the provisioning of the critical connectivity, security, and performance parameters of a site-to-site VPN, quickly and easily.
• Allows for efficient migration from leased line connections to Internet or intranet-based VPN connections.
• Allows for the overlay of a VPN over a Frame Relay network for added security.
• Enables the configuration of Cisco IOS routers to function as firewalls.



Introduction to the Router MC

• Router MC is integrated with CiscoWorks Common Services, which supplies core server-side components required by Router MC, such as the Apache Web server, Secure Sockets Layer (SSL) libraries, Secure Shell (SSH) libraries, an embedded SQL database, the Tomcat servlet engine, the CiscoWorks desktop, and others.


Introduction to the Router MC

• Before installing Router MC 1.2.1, CiscoWorks Common Services 2.2 must be installed and operational. CiscoWorks Common Services provides centralized management of certain functions for all the CiscoWorks VMS products that are installed.
• These functions include:
– Backup and restore of data
– Integration with Access Control Server (ACS) or Common Management Framework (CMF) for user authentication and permissions
– Licensing
– Starting/stopping the database
– Logging of administration tasks



Key concepts in the Router MC



Supported tunneling technologies

• The Router MC supports the following tunneling technologies:
– IPSec
– IPSec with GRE
– IPSec with GRE over a Frame Relay network
– IPSec with GRE and DMVPN – Dynamic Multipoint VPN (DMVPN) combines GRE tunnels.



Router MC installation

• The Router MC requires VMS 2.1 Common Services or CiscoWorks 2000. VMS Common Services provides the CiscoWorks 2000 Server based components, software libraries, and software packages developed for the Router MC.



Router MC installation

• Before beginning the installation of the Router MC, verify that the server meets the requirements shown in Figure 1.
• Also, verify that the client machine being used meets the requirements shown in Figure 2.


Installation process



Getting started with the Router MC

• Log in to the CiscoWorks Web page and complete the following steps to launch the
Router MC:
– Open a browser and point the browser to the IP address of the CiscoWorks server
with a port number of 1741. If the CiscoWorks server is local, type the following
address in the browser: http://127.0.0.1:1741
– If this is the first time that CiscoWorks has been used, enter the username admin
and the password admin.


Router MC interface

• The Router MC main window is the first window that is encountered in the Router MC user interface. The Router MC user interface contains four tabs, as shown in the figure:
– Devices
– Configuration
– Deployment
– Reports
– Admin


Router MC interface

• The Router MC interface is the environment administrators work with when using the Router MC application.


Installation process

• The Devices tab, shown in the figure, is used to import and manage the inventory of routers to be configured using the Router MC.
– Device hierarchy – Use this option to view the device hierarchy and to manage the routers within the hierarchy by creating device groups, moving or deleting devices/groups, editing router parameters, and adding unmanaged spokes.
– Device import – Use this option to import the routers to be configured into Router MC, and to re-import routers when necessary.
– Credentials – Use this option to edit router credentials or synchronize the credentials of multiple routers from a comma-separated value (CSV) file. Device credentials include the username, password, and enable password.


Installation process

• Use the options in the Configuration tab, shown in the figure, to configure VPN and firewall settings and policies for deployment to the routers. Settings and policies can be configured globally for all routers, for groups of routers, or for individual routers.


Installation process

• Select the configuration context using the Object Selector, shown in the figure along the left-hand side of the page.




Installation process

• Deployment of VPN and firewall configurations is always done within the context of a deployment job, shown in the figure.



Installation process

• The Deployment tab offers the administrator the options shown in the figure.


Installation process

• The Reports tab, shown in the figure, is used to view reports on various Router MC functions. This tab presents the following options:
– Deployment
– Activities
– Audit
– Hub-Spoke Assignment



Installation process

• Administrators use the Admin tab, shown in the figure, to define various Router MC application settings, and to define Auto Update Server (AUS) settings.
• This tab presents the following options:
– Application Settings
– Auto Update Server Settings



Basic work flow and tasks

• Common configuration tasks include:
– Configuring general Cisco IOS Firewall settings
– Building access rules
– Using Building Blocks
– Using Upload



Simple Network Management Protocol (SNMP)



SNMP introduction

• Another technique that the administrator can use to manage and monitor the network is to employ the Simple Network Management Protocol (SNMP). SNMP is an application-layer protocol that facilitates the exchange of management information between network devices. It is part of the TCP/IP protocol suite. SNMP enables network administrators to manage network performance, find and solve network problems, and plan for network growth. SNMP can be used to manage Cisco routers, switches, wireless access points, firewalls, printers, servers and other SNMP-capable devices.



SNMP introduction

• There are 3 versions of SNMP, as shown in the figure. SNMPv1 and SNMPv2 have features in common, but SNMPv2 offers enhancements, such as additional protocol operations. SNMPv3 adds administration and security features. This section provides descriptions of the SNMPv3 protocol operations. Cisco recommends disabling SNMP if it is not in use, or otherwise using version 3.


SNMP introduction

• SNMP Key Terms
In order to understand SNMP support in Cisco devices, it is important to understand the SNMP-related terminology discussed in the figure.




SNMP introduction

• SNMP Basic Components
An SNMP-managed network consists of three key components:
– Managed devices
– Agents
– Network management systems (NMSs)


Extra: Components of SNMP



SNMP introduction

• An NMS executes applications that monitor and control managed devices. NMSs provide the bulk of the processing and memory resources required for network management. One or more NMSs must exist on any managed network. SNMP management applications, such as CiscoWorks2000, communicate with agents to get statistics and alerts from the managed devices.


SNMP introduction

• SNMP Basic Commands
Managed devices are monitored and controlled using basic SNMP commands, as shown in the figure:
– The read command is used by an NMS to monitor managed devices. The NMS examines different variables that are maintained by managed devices.
– The write command is used by an NMS to control managed devices. The NMS changes the values of variables stored within managed devices.
– Managed devices use the trap command to asynchronously report events to the NMS. When certain types of events occur, a managed device sends a trap to the NMS.
– Traversal operations are used by the NMS to determine which variables a managed device supports and to sequentially gather information in variable tables, such as a routing table.



Extra: SNMP Notifications



Extra: SNMPv1



Extra: SNMPv2



SNMP security

• SNMP is often used to gather statistics and remotely monitor network infrastructure devices. It is a simple protocol which contains inadequate security in early versions.
• In SNMPv1, community strings, or passwords, are sent in clear text and can easily be stolen by someone eavesdropping on the wire.
– These community strings are used to authenticate messages sent between the SNMP manager and the agent.
• SNMPv2 addresses some of the known security weaknesses of SNMPv1. Specifically, version 2 uses the MD5 algorithm to authenticate messages between the SNMP server and the agent.
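To make the clear-text community string concrete, and to show how the read, write and trap commands of the earlier "SNMP Basic Commands" slide appear on the wire, here is an added example that is not part of the module: a small Python BER decoder that reads the outer envelope of an SNMP message, reports the version and PDU type, and extracts the community string when the message is SNMPv1 or SNMPv2c. A detection helper then lists which captured payloads expose a credential, which is the check a monitoring sensor would apply to UDP/161 and UDP/162 traffic. The sample packets are built in the script by a tiny BER encoder (sysDescr.0 as the single varbind) rather than captured; the SNMPv3 sample is only an envelope skeleton with empty security parameters, enough to show that no community string is present.

```python
"""Added example (not from the page): decode the outer envelope of SNMP
messages and flag those whose community string travels in clear text.

SNMP messages are ASN.1/BER encoded. For SNMPv1 and SNMPv2c the envelope is
    SEQUENCE { INTEGER version, OCTET STRING community, PDU }
and the PDU tag identifies the operation (get, get-next, set, trap, ...),
which is how the read/write/trap/traversal commands appear on the wire.
SNMPv3 (version 3) carries a header and USM security parameters instead of
a community string, so there is no reusable password to eavesdrop on.
The sample packets are constructed here with a tiny BER encoder; they are
not captured traffic.
"""

PDU_TYPES = {
    0xA0: "get-request", 0xA1: "get-next-request", 0xA2: "response",
    0xA3: "set-request", 0xA4: "trap (v1)", 0xA5: "get-bulk-request",
    0xA6: "inform-request", 0xA7: "trap (v2)",
}
VERSIONS = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}


def ber_read(buf: bytes, pos: int = 0):
    """Read one TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def inspect_snmp(payload: bytes) -> dict:
    """Summarise one UDP payload: version, PDU type and, for v1/v2c, the
    community string an eavesdropper on the wire can read."""
    tag, body, _ = ber_read(payload)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer tag is not SEQUENCE)")
    _, version_bytes, pos = ber_read(body)
    version = int.from_bytes(version_bytes, "big", signed=True)
    info = {"version": VERSIONS.get(version, f"unknown({version})"),
            "community": None, "pdu": None, "cleartext_credential": False}
    if version in (0, 1):
        _, community, pos = ber_read(body, pos)
        pdu_tag, _, _ = ber_read(body, pos)
        info.update(community=community.decode("ascii", "replace"),
                    pdu=PDU_TYPES.get(pdu_tag, f"unknown(0x{pdu_tag:02x})"),
                    cleartext_credential=True)
    return info


def leaked_communities(packets: dict) -> dict:
    """Detection helper: which packets expose a community string."""
    return {name: inspect_snmp(p)["community"]
            for name, p in packets.items()
            if inspect_snmp(p)["cleartext_credential"]}


# --- tiny BER encoder, used only to build the constructed samples ----------
def tlv(tag: int, content: bytes) -> bytes:
    assert len(content) < 128             # short-form length suffices here
    return bytes([tag, len(content)]) + content


def ber_integer(n: int) -> bytes:
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))


SYS_DESCR_0 = tlv(0x06, bytes([0x2B, 6, 1, 2, 1, 1, 1, 0]))   # OID 1.3.6.1.2.1.1.1.0
NULL = tlv(0x05, b"")


def community_message(version: int, community: str, pdu_tag: int, request_id: int = 1) -> bytes:
    """SNMPv1/v2c message with one varbind (sysDescr.0, NULL value)."""
    varbinds = tlv(0x30, tlv(0x30, SYS_DESCR_0 + NULL))
    pdu = tlv(pdu_tag, ber_integer(request_id) + ber_integer(0) + ber_integer(0) + varbinds)
    return tlv(0x30, ber_integer(version) + tlv(0x04, community.encode()) + pdu)


def v3_message(msg_id: int = 1) -> bytes:
    """Skeleton SNMPv3 envelope: version, msgGlobalData (flags 0x03 =
    authPriv, security model 3 = USM), empty USM parameters and scoped PDU."""
    global_data = tlv(0x30, ber_integer(msg_id) + ber_integer(1500)
                      + tlv(0x04, b"\x03") + ber_integer(3))
    return tlv(0x30, ber_integer(3) + global_data + tlv(0x04, b"") + tlv(0x30, b""))


SAMPLES = {
    "v1-get": community_message(0, "public", 0xA0),
    "v2c-set": community_message(1, "private", 0xA3, request_id=7),
    "v3-get": v3_message(),
}

if __name__ == "__main__":
    for name, packet in SAMPLES.items():
        print(name, packet.hex(), inspect_snmp(packet))
```

The v1 and v2c samples decode to a get-request with community "public" and a set-request with community "private", both flagged as clear-text credentials; the v3 envelope decodes to version SNMPv3 with no community string at all, which is the property the SNMPv3 slides below build on.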



Extra: SNMP security



SNMP security

• SNMPv1 lacks any authentication capabilities, which results in vulnerability to a variety of security threats. These include the following:
– Masquerading
– Modification of information
– Message sequence and timing modifications
– Disclosure



SNMP Version 3 (SNMPv3)

• SNMPv3 is an interoperable standards-based protocol for network management. SNMPv3 provides secure access to devices by a combination of authenticating and encrypting packets over the network. The security features provided in SNMPv3 are:
– Message integrity – Ensuring that a packet has not been tampered with in transit.
– Authentication – Determining that the message is from a valid source.
– Encryption – Scrambling the contents of a packet to prevent it from being seen by an unauthorized source.



Extra: SNMPv3

• Data integrity
Provided by the MD5 message digest algorithm. A 128-bit digest is calculated over the designated portion of an SNMPv3 message and included as part of the message sent to the recipient.
• Data origin authentication
Provided by prefixing each message with a secret value shared by the originator of that message and its intended recipient before digesting.
• Message delay or replay
Provided by including a timestamp value in each message.
• Data confidentiality
Provided by the symmetric privacy protocol, which encrypts an appropriate portion of the message according to a secret key known only to the originator and recipient of the message. This protocol is used in conjunction with the symmetric encryption algorithm, in cipher block chaining mode, which is part of the Data Encryption Standard (DES). The designated portion of an SNMPv3 message is encrypted and included as part of the message sent to the recipient.
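The following is an added example, not code from the module: a Python model of the receiver-side checks behind the first three properties above (integrity, origin authentication, and delay/replay protection) using a toy message format. The shared-secret digest is computed as HMAC-MD5 truncated to 96 bits, which is the form the standardized SNMPv3 User-based Security Model (RFC 3414) uses for the "secret plus digest" idea described above; the 150-second window is also the USM value. Confidentiality (DES-CBC above) is not modelled, and the key, message ids, timestamps and payloads are constructed rather than real SNMP fields.

```python
"""Added example (not from the page): receiver-side checks behind three of
the SNMPv3 properties above, in a toy message format.

  - integrity / origin authentication: a keyed MD5 digest over the message
    with a secret shared by sender and receiver. The page describes this as
    "prefix a secret, then digest"; the standardized USM (RFC 3414) uses the
    HMAC construction with MD5 truncated to 96 bits, which is computed here.
  - delay / replay protection: a timestamp that must fall inside a window
    (150 seconds, as in USM) and a message id the receiver has not seen.
Confidentiality (DES-CBC in the page's description) is not modelled.
Keys, ids, timestamps and payloads are constructed.
"""
import hashlib
import hmac

AUTH_TAG_LEN = 12            # HMAC-MD5-96: 96 bits of the 128-bit MAC
TIME_WINDOW = 150            # seconds either side of the receiver's clock


def auth_tag(auth_key: bytes, msg_id: int, timestamp: int, payload: bytes) -> bytes:
    """Keyed digest over everything that must not be altered in transit."""
    data = f"{msg_id}|{timestamp}|".encode() + payload
    return hmac.new(auth_key, data, hashlib.md5).digest()[:AUTH_TAG_LEN]


def build_message(auth_key: bytes, msg_id: int, timestamp: int, payload: bytes) -> dict:
    """Sender side: attach the authentication tag."""
    return {"msg_id": msg_id, "time": timestamp, "payload": payload,
            "auth": auth_tag(auth_key, msg_id, timestamp, payload)}


class Receiver:
    """Agent side: verify the tag, then the timeliness, then uniqueness."""

    def __init__(self, auth_key: bytes, window: int = TIME_WINDOW):
        self.auth_key = auth_key
        self.window = window
        self.seen_ids = set()

    def accept(self, msg: dict, now: int) -> str:
        expected = auth_tag(self.auth_key, msg["msg_id"], msg["time"], msg["payload"])
        # Constant-time comparison: a tampered field or a wrong key changes the tag.
        if not hmac.compare_digest(expected, msg["auth"]):
            return "auth-failed"
        if abs(now - msg["time"]) > self.window:
            return "stale"                 # delayed beyond the window
        if msg["msg_id"] in self.seen_ids:
            return "replay"                # already processed once
        self.seen_ids.add(msg["msg_id"])
        return "accepted"


def demo() -> list:
    """Four deliveries: genuine, replayed, tampered, and delayed."""
    key = b"constructed-auth-key"          # USM derives this from a passphrase and the engineID
    now = 1_000_000
    rx = Receiver(key)
    genuine = build_message(key, 1, now, b"get sysDescr.0")
    tampered = dict(genuine, payload=b"set sysName.0 changed")   # tag no longer matches
    delayed = build_message(key, 2, now - 600, b"get sysDescr.0")
    return [
        rx.accept(genuine, now),
        rx.accept(genuine, now + 5),
        rx.accept(tampered, now),
        rx.accept(delayed, now),
    ]


if __name__ == "__main__":
    print(demo())   # ['accepted', 'replay', 'auth-failed', 'stale']
```

The order of the checks matters: the tag is verified before the timestamp or message id is trusted, so a forged message cannot influence the replay cache or clock logic, and a message produced with a different key fails in the same way as a tampered one.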



SNMP Version 3 (SNMPv3)

• Cisco devices such as routers and switches support SNMPv3 message types and the increased security capabilities, but many management software applications do not support SNMPv3.


SNMP Version 3 (SNMPv3)

• Applications which support version 3 include MG-Soft MIB Browser and SNMP Research International's CiAgent or Enterpol. HP OpenView can support version 3 with the help of SNMP Research International extensions.


SNMP management applications

• SNMP is a distributed management protocol. A system can operate exclusively as either an NMS or an agent, or it can perform the functions of both. When a system operates as both an NMS and an agent, another NMS might require that the system query managed devices and provide a summary of the information learned, or that it report locally-stored management information.



SNMP management applications

• CiscoView is a graphical SNMP-based device management tool that provides real-time views of networked Cisco devices. These views deliver a continuously updated physical picture of device configuration and performance conditions, with simultaneous views available for multiple device sessions. Additionally, CiscoView is designed for integration with leading network management platforms, such as HP OpenView Network Node Manager, to provide seamless and powerful methods of managing Cisco devices such as routers, switches, hubs, concentrators, and adapters.


Configure SNMP support on an IOS router

• SNMP can form the backbone of a network monitoring system as well as
be an important tool for network security. There are 4 basic tasks to
configure IOS SNMPv3:
– Configure SNMP-Server EngineID
– Configure SNMP-Server Group Names
– Configure SNMP-Server Hosts
– Configure SNMP-Server Users
• To display information about SNMP commands, use one of the following
commands in EXEC mode:
– show snmp engineID [local | remote]
– show snmp groups
– show snmp user
• Other: (config)# logging on


Configure SNMP support on an IOS router

[Slides 81 to 90: configuration screenshots for the IOS SNMPv3 tasks; no text was recovered from these slides.]


Configure SNMP support on a PIX Security Appliance

• SNMP Example
In Figure , the NMS uses a Get operation to request management information
contained in an agent on host 172.18.0.15. Within the Get request, the NMS
includes a complete Object Identifier (OID) so that the agent knows exactly
what is being sought. The response from the agent contains a variable binding
containing the same OID and the data associated with it. The NMS then uses a
Set request to tell the agent to change a piece of information. In an unrelated
communication, host 172.16.0.2 sends a trap to the NMS because some
urgent condition has occurred.

Configure SNMP support on a PIX Security Appliance

• Enable SNMP
The SNMP agent that runs on the PIX Security Appliance performs two
functions:
– Replies to SNMP requests from NMSs.
– Sends traps to NMSs.
• To enable the SNMP agent and identify an NMS that can connect to
the PIX Security Appliance, follow these steps:
• Step 1
Identify the IP address of the NMS that can connect to the PIX Security
Appliance with the snmp-server host interface_name ip_address [trap
| poll] [community text] [version 1 | 2c] [udp-port port] global
configuration command. Specify trap or poll to limit the NMS to
receiving traps only or browsing only. By default, the NMS can use
both functions.
• SNMP traps are sent on UDP port 162 by default. The port number can
be changed by using the udp-port keyword.


Configure SNMP support on a PIX Security Appliance

• Step 2
Specify the community string with the snmp-server community key
global configuration command. The SNMP community string is a
shared secret between the PIX Security Appliance and the NMS. The
key is a case-sensitive value up to 32 characters in length. Spaces are
not permitted.
• Step 3
(Optional) Set the SNMP server location or contact information with the
snmp-server {contact | location} text global configuration command.
• Step 4
Enable the PIX Security Appliance to send traps to the NMS with the
snmp-server enable [traps [all | feature [trap1] [trap2]] [...]] global
configuration command. By default, SNMP core traps are enabled. If a
trap type is not entered in the command, syslog is the default. To
enable or disable all traps, enter the all option. For snmp, each trap
type can be identified separately.


Configure SNMP support on a PIX Security Appliance

• Step 5
Enable system messages to be sent as traps to the NMS with the
logging history level global configuration command. Syslog traps
must also be enabled using the preceding snmp-server enable traps
command.
• Step 6
Enable logging, so system messages are generated and
can then be sent to an NMS, with the logging enable
global configuration command.
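As an added example (not part of the course material), a small Python audit that checks the snmp-server lines of an IOS or PIX configuration for the weaknesses the IOS SNMPv3 tasks and the PIX Steps 1 to 6 above are meant to avoid: NMS hosts on v1/v2c, guessable community strings, and v3 users or hosts without privacy. The embedded IOS and PIX configurations, including the addresses, names and passphrases, are constructed placeholders.

```python
import re

IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
WEAK_COMMUNITIES = {"public", "private", "cisco"}
# Constructed IOS sample following the four SNMPv3 tasks (engineID, group, host, user);
# addresses, names and passphrases are placeholders, not values from the course.
IOS_V3 = """\
access-list 10 permit 10.0.0.5
snmp-server engineID local 800000090300AABBCC000001
snmp-server group ADMIN-GRP v3 priv access 10
snmp-server user nmsadmin ADMIN-GRP v3 auth sha AUTH-PASS-PLACEHOLDER priv aes 128 PRIV-PASS-PLACEHOLDER access 10
snmp-server host 10.0.0.5 version 3 priv nmsadmin
"""

# Constructed PIX sample following Steps 1-6 above, but with SNMPv2c and a default community.
PIX_V2C = """\
snmp-server host inside 10.0.0.5 poll community public version 2c
snmp-server community public
snmp-server enable traps all
logging history informational
logging enable
"""

def audit_snmp(config: str) -> list[str]:
    """Return findings for weak snmp-server settings; an empty list means none found."""
    findings = []
    for raw in config.splitlines():
        t = raw.split()
        if len(t) < 3 or t[0] != "snmp-server":
            continue
        if t[1] == "community" and t[2].lower() in WEAK_COMMUNITIES:
            findings.append(f"guessable v1/v2c community string '{t[2]}'")
        elif t[1] == "host":
            nms = next((x for x in t[2:] if IP_RE.match(x)), "?")
            if "version" not in t:  # no version keyword means SNMPv1 on both platforms
                findings.append(f"NMS {nms} uses the default SNMPv1")
                continue
            ver = t[t.index("version") + 1]
            if ver in ("1", "2c"):
                findings.append(f"NMS {nms} uses SNMPv{ver}: no authentication, no encryption")
            elif ver == "3" and "priv" not in t:
                findings.append(f"NMS {nms} uses SNMPv3 without privacy: traps are not encrypted")
        elif t[1] == "user" and "v3" in t:  # IOS SNMPv3 user definition
            if "priv" not in t:
                findings.append(f"v3 user {t[2]} has no privacy protocol")
            elif "des" in t:
                findings.append(f"v3 user {t[2]} uses single DES for privacy")
            if "access" not in t:
                findings.append(f"v3 user {t[2]} is not restricted by an access-list")
    return findings
```

Running audit_snmp over IOS_V3 returns no findings, while PIX_V2C is flagged for both the v2c NMS and the "public" community.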


Summary
• Upon completing this lesson, the student will be able to recommend an
appropriate approach to threat mitigation for network topologies
containing either single or multiple switches. The student will also be
able to discuss the use of the SDM Security Audit wizard to provide a
comprehensive Router Security Audit.
• The enterprise management of VPNs was discussed. One of the
greatest challenges to implementing large-scale Site-to-Site and
Remote Access VPNs is management. The primary role of the Router
MC is to manage Site-to-Site VPNs. The key topics associated with
VPNs were explored, to give the student a broad understanding of how
Router MC operates to better manage large-scale VPNs.
• Finally, the student learned about SNMP. The student learned how
SNMP enables network administrators to manage network
performance, find and solve network problems, and plan for network
growth. The student learned how SNMP, although simplistic, can be
used effectively to assist the administrator in monitoring the network
through its information gathering capabilities.
