Module 1: Securing the Local Area Network

Lesson Planning
- This lesson should take 3-4 hours to present.
- The lesson should include lecture, demonstrations, discussions and assessments.
- The lesson can be taught in person or using remote instruction.

2 Major Concepts
- Describe endpoint vulnerabilities and protection methods
- Describe basic Catalyst switch vulnerabilities
- Configure and verify switch security features, including port security and storm control
- Describe the fundamental security considerations of wireless, VoIP, and SANs

3 Lesson Objectives
Upon completion of this lesson, the successful participant will be able to:
1. Describe endpoint security and the enabling technologies
2. Describe how Cisco IronPort is used to ensure endpoint security
3. Describe how Cisco NAC products are used to ensure endpoint security
4. Describe how the Cisco Security Agent is used to ensure endpoint security
5. Describe the primary considerations for securing the Layer 2 infrastructure
6. Describe MAC address spoofing attacks and MAC address spoofing attack mitigation

4 Lesson Objectives (continued)
7. Describe MAC address table overflow attacks and MAC address table overflow attack mitigation
8. Describe STP manipulation attacks and STP manipulation attack mitigation
9. Describe LAN storm attacks and LAN storm attack mitigation
10. Describe VLAN attacks and VLAN attack mitigation
11. Describe how to configure port security
12. Describe how to verify port security
13. Describe how to configure and verify BPDU Guard and Root Guard
14. Describe how to configure and verify storm control
15. Describe and configure Cisco SPAN
16. Describe and configure Cisco RSPAN

5 Lesson Objectives (continued)
17. Describe the best practices for Layer 2
18. Describe the fundamental aspects of enterprise security for advanced technologies
19. Describe the fundamental aspects of wireless security and the enabling technologies
20. Describe wireless security solutions
21. Describe the fundamental aspects of VoIP security and the enabling technologies (Reference: CIAG course on VoIP security)
22. Describe VoIP security solutions
23. Describe the fundamental aspects of SAN security and the enabling technologies
24. Describe SAN security solutions

6 Securing the LAN
[Diagram: Internet, a perimeter with firewall, IPS, VPN, MARS, ACS and IronPort, the web, e-mail and DNS servers, and the LAN hosts]
Areas of concentration:
- Securing endpoints
- Securing network infrastructure

7 Endpoint Security
Based on three elements:
- Cisco Network Admission Control (NAC)
- Endpoint protection
- Network infection containment
[Diagram: threat protection, policy compliance, infection containment and secure host addressing]

8 Operating Systems Basic Security Services
- Trusted code and trusted path ensures that the integrity of the operating system is not violated.
- Privileged context of execution provides identity authentication and certain privileges based on the identity.
- Process memory protection and isolation provides separation from other users and their data.
- Access control to resources ensures confidentiality and integrity of data.

9 Types of Application Attacks
- Direct: "I have gained direct access to this application's privileges."
- Indirect: "I have gained access to this system, which is trusted by the other system, allowing me to access it."

10 Cisco Systems Endpoint Security Solutions
- Cisco NAC
- IronPort
- Cisco Security Agent

11 Cisco IronPort Products
IronPort products include:
- E-mail security appliances for virus and spam control
- Web security appliance for spyware filtering, URL filtering, and anti-malware
- Security management appliance

12 IronPort C-Series
[Diagram: before IronPort, Internet mail passes through the firewall straight to groupware and users; after IronPort, the IronPort E-mail Security Appliance sits between the firewall and groupware and provides antispam, antivirus, policy enforcement, mail routing, an encryption platform, an MTA, a DLP scanner and a DLP policy manager]

13 IronPort S-Series
[Diagram: before IronPort, users reach the Internet directly through the firewall; after IronPort, the IronPort S-Series web proxy sits between users and the firewall and provides antispyware, antivirus, antiphishing, URL filtering and policy management]

14 Cisco NAC
The purpose of NAC:
- Allow only authorized and compliant systems to access the network
- Enforce network security policy
NAC Framework:
- Software module embedded within NAC-enabled products
- Integrated framework leveraging multiple Cisco and NAC-aware vendor products
Cisco NAC Appliance:
- In-band solution that can be used on any switch or router platform
- Self-contained, turnkey solution

15 The NAC Framework
[Diagram: hosts attempting network access run the Cisco Trust Agent and present credentials over EAP/UDP or EAP/802.1x to the network access devices; the devices relay the credentials over RADIUS to the AAA server (policy server), which checks compliance ("Comply?") against vendor servers over HTTPS and returns access rights and a notification; the policy server is the decision point and the access devices enforce remediation]

16 NAC Components
- Cisco NAS: serves as an in-band or out-of-band device for network access control
- Cisco NAM: centralizes management for administrators, support personnel, and operators
- Cisco NAA: optional lightweight client for device-based registry scans in unmanaged environments
- Rule-set updates: scheduled automatic updates for antivirus, critical hotfixes, and other applications

17 Cisco NAC Appliance Process
[Diagram: host, Cisco NAS, Cisco NAM, authentication server, quarantine role, and the intranet/network as the goal]
1. Host attempts to access a web page or uses an optional client. Network access is blocked until the wired or wireless host provides login information.
2. Host is redirected to a login page. Cisco NAC Appliance validates the username and password and also performs device and network scans to assess vulnerabilities on the device.
3. The host is authenticated and optionally scanned for posture compliance.
   3a. Device is noncompliant or login is incorrect: the host is denied access and assigned to a quarantine role with access to online remediation resources.
   3b. Device is clean: the machine gets on the certified devices list and is granted access to the network.

18 Access Windows
[Screenshots: login screen; a scan is performed (types of checks depend on user role); the scan fails; remediate]

19 CSA Architecture
[Diagram: Management Center for Cisco Security Agent with an internal or external database (security policy) on a server protected by Cisco Security Agent; an administration workstation connects over SSL; agents send events and receive alerts]

20 CSA Overview
[Diagram: an application's requests pass through the file system, network, configuration and execution space interceptors; the rules engine, fed by state, rules and policies and a correlation engine, returns each request as allowed or blocked]

21 CSA Functionality
[Table: which interceptors (network, file system, configuration, execution space) each security application uses. The row marks did not survive extraction; the row counts are: Distributed Firewall uses one interceptor, Host Intrusion Prevention two, Application Sandbox three, Network Worm Prevention two, File Integrity Monitor two.]

Attack Phases
[Diagram: a server protected by Cisco Security Agent with its file system, network, configuration and execution space interceptors]
- Probe phase: ping scans, port scans
- Penetrate phase: transfer exploit code to target
- Persist phase: install new code, modify configuration
- Propagate phase: attack other targets
- Paralyze phase: erase files, crash system, steal data

CSA Log Messages

Layer 2 Security
[Diagram: Internet, perimeter with IPS, MARS, VPN, ACS, IronPort and firewall, the web, e-mail and DNS servers, and the LAN hosts]

25 OSI Model
When it comes to networking, Layer 2 is often a very weak link.
[Diagram: OSI layers with what each carries (application stream, protocols and ports, IP addresses, MAC addresses, physical links); an initial compromise at the data link layer compromises every layer above it]
26 MAC Address Spoofing Attack
[Diagram: a switch with a server (MAC address AABBcc) on port 1 and the attacker (MAC address 12AbDd) on port 2]
- The switch keeps track of the endpoints by maintaining a MAC address table. Switch: "I have associated ports 1 and 2 with the MAC addresses of the devices attached. Traffic destined for each device will be forwarded directly."
- In MAC spoofing, the attacker poses as another host, in this case AABBcc.

27 MAC Address Spoofing Attack (continued)
- Attacker: "I have changed the MAC address on my computer to match the server."
- Switch: "The device with MAC address AABBcc has changed locations to port 2. I must adjust my MAC address table accordingly."
[Diagram: the MAC address table now lists AABBcc on port 2]

28 MAC Address Table Overflow Attack
- The switch can forward frames between PC1 and PC2 without flooding because the MAC address table contains port-to-MAC-address mappings for these PCs.

MAC Address Table Overflow Attack (continued)
[Diagram: hosts A, B, C and D in VLAN 10; the intruder is on port 3/25]
1. Intruder runs macof to begin sending unknown, bogus MAC addresses.
2. Bogus addresses (MAC X, MAC Y, MAC Z, ... all on port 3/25) are added to the CAM table.
3. The CAM table is full.
4. The switch floods the frames; the attacker sees traffic to servers B and D.
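To make the two attacks above concrete from the switch's side, here is a small model of a MAC address table, added as an illustration (it is not Cisco code). The class, its capacity, the aging time and the port names are assumptions chosen to mirror the slides: the spoofing scenario shows the "station moved" update, the overflow scenario shows that once bogus entries fill the table a legitimate destination that has aged out can no longer be relearned, so its frames are flooded to every port including the attacker's. The last method is the defender's view: a per-port count of distinct source addresses is what a monitoring script would alert on.

```python
"""Switch MAC (CAM) address table model. Added illustration for the MAC
spoofing and MAC address table overflow slides above; it is not Cisco code,
and the class, the table capacity, the aging time and the port names are
assumptions chosen to mirror the slides' example."""
from collections import defaultdict

FLOOD = "flood"   # returned when the switch has no entry for the destination


class CamTable:
    def __init__(self, capacity, aging_time=300):
        self.capacity = capacity            # maximum number of entries
        self.aging_time = aging_time        # seconds before an idle entry is removed
        self.table = {}                     # mac -> (port, last_seen)
        self.moves = []                     # (mac, old_port, new_port) audit trail
        self.sources_per_port = defaultdict(set)

    def age_out(self, now):
        stale = [m for m, (_, seen) in self.table.items()
                 if now - seen > self.aging_time]
        for m in stale:
            del self.table[m]

    def learn(self, src_mac, in_port, now):
        """Source-address learning; returns False when the table is full."""
        self.sources_per_port[in_port].add(src_mac)
        entry = self.table.get(src_mac)
        if entry is not None:
            if entry[0] != in_port:         # a spoofed source looks like a station move
                self.moves.append((src_mac, entry[0], in_port))
            self.table[src_mac] = (in_port, now)
            return True
        if len(self.table) >= self.capacity:
            return False
        self.table[src_mac] = (in_port, now)
        return True

    def forward(self, src_mac, dst_mac, in_port, now=0):
        """Return the egress port for a frame, or FLOOD when the destination is unknown."""
        self.age_out(now)
        self.learn(src_mac, in_port, now)
        entry = self.table.get(dst_mac)
        if entry is None or entry[0] == in_port:
            return FLOOD
        return entry[0]

    def suspicious_ports(self, threshold):
        """Ports that have shown more distinct source MACs than a normal host would."""
        return sorted(p for p, macs in self.sources_per_port.items()
                      if len(macs) > threshold)


def spoofing_scenario():
    """Slides 26-27: the attacker on port 2 sends frames with the server's MAC."""
    cam = CamTable(capacity=8)
    cam.forward("AABBcc", "ffff.ffff.ffff", "1")   # server, port 1
    cam.forward("12AbDd", "ffff.ffff.ffff", "2")   # attacker's real MAC, port 2
    cam.forward("AABBcc", "ffff.ffff.ffff", "2")   # spoofed source: entry moves to port 2
    return cam.table["AABBcc"][0], cam.moves


def overflow_scenario(bogus_count):
    """Slide 28: bogus sources on 3/25 fill the table; traffic to B is then flooded."""
    cam = CamTable(capacity=64)
    cam.forward("A", "B", "3/1")
    cam.forward("B", "A", "3/2")
    for i in range(bogus_count):                          # burst of bogus sources
        cam.forward(f"bogus{i:04x}", "A", "3/25", now=0)
    before = cam.forward("A", "B", "3/1", now=1)          # A and B still known: "3/2"
    for i in range(bogus_count):                          # the burst keeps running
        cam.forward(f"bogus{i:04x}", "A", "3/25", now=350)
    after = cam.forward("A", "B", "3/1", now=351)         # B aged out, no room: flood
    return before, after, len(cam.table), cam.suspicious_ports(threshold=10)
```

The overflow scenario returns `("3/2", "flood", 64, ["3/25"])`: unicast delivery before the table fills, flooding afterwards, a table holding nothing but bogus entries, and the one port a detector would flag. Port security, covered later in the module, limits that port to a handful of addresses and so keeps the table from filling in the first place.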
STP Manipulation Attack
- Spanning Tree Protocol operates by electing a root bridge.
- STP builds a tree topology.
- STP manipulation changes the topology of a network: the attacking host appears to be the root bridge.
[Diagram: root bridge with priority = 8192 and MAC address = 0000.00C0.1234; forwarding (F) and blocking (B) ports]

31 STP Manipulation Attack (continued)
- The attacking host broadcasts out STP configuration and topology change BPDUs. This is an attempt to force spanning tree recalculations.
[Diagram: the attacker advertises root bridge priority = 8192; the forwarding and blocking ports re-converge around the attacker]

32 LAN Storm Attack
- Broadcast, multicast, or unicast packets are flooded on all ports in the same VLAN.
- These storms can increase the CPU utilization on a switch to 100%, reducing the performance of the network.

Storm Control
[Diagram: storm control measures the total number of broadcast packets or bytes against a threshold]

VLAN Attacks
- VLAN = broadcast domain = logical network (subnet)
- Benefits: segmentation, flexibility, security

VLAN Attacks (continued)
[Diagram: an 802.1Q trunk carrying VLAN 10 and VLAN 20 between two switches; the attacker sees traffic destined for the servers]
A VLAN hopping attack can be launched in two ways:
- Spoofing DTP messages from the attacking host to cause the switch to enter trunking mode
- Introducing a rogue switch and turning trunking on

Double-Tagging VLAN Attack
Note: This attack works only if the trunk has the same native VLAN as the attacker.
1. The attacker is on VLAN 10 but puts a 20 tag in the packet.
2. The first switch strips off the first tag and does not retag it (native traffic is not retagged). It then forwards the packet to switch 2.
3. The second switch receives the packet on the native VLAN.
4. The second switch examines the packet, sees the VLAN 20 tag and forwards it accordingly, to the victim on VLAN 20.
[Diagram: 802.1Q trunk with native VLAN = 10 between the two switches]
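The note on the double-tagging slide (the attack works only when the attacker's VLAN equals the trunk's native VLAN) is easiest to see by modelling the tag handling of the two switches. The following is an added illustration, not Cisco code: the frame helpers, the two switch functions and the VLAN numbers are constructed to follow the slide, and the native VLAN is the knob the mitigation slides later in the module turn (native VLAN on an unused ID).

```python
"""802.1Q tag-handling model for the double-tagging slide above. Added
illustration, not Cisco code: the frame layout helpers, the two switch
functions and the VLAN numbers are constructed to follow the slide."""
import struct

TPID = 0x8100            # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, vlan_tags, payload=b""):
    """Ethernet II frame with zero or more stacked 802.1Q tags (constructed)."""
    frame = bytes.fromhex(dst) + bytes.fromhex(src)
    for vid in vlan_tags:
        frame += struct.pack("!HH", TPID, vid & 0x0FFF)   # PCP/DEI left at 0
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_tags(frame):
    """Return the VLAN IDs in the tag stack, outermost first."""
    tags, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID:
        tags.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return tags


def pop_tag(frame):
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID, vid) + frame[12:]


def switch1_forward(frame, access_vlan, trunk_native):
    """Switch 1: access-port ingress, then egress onto the 802.1Q trunk."""
    tags = parse_tags(frame)
    if tags:
        if tags[0] != access_vlan:
            return None                   # tagged for another VLAN: dropped at the access port
        frame = pop_tag(frame)            # outer tag consumed; any inner tag is left as-is
    if access_vlan == trunk_native:
        return frame                      # native-VLAN traffic leaves the trunk untagged
    return push_tag(frame, access_vlan)   # everything else is tagged with its VLAN


def switch2_classify(frame, trunk_native):
    """Switch 2: trunk ingress. The outer tag decides the VLAN; untagged means native."""
    tags = parse_tags(frame)
    return tags[0] if tags else trunk_native


def delivered_vlan(trunk_native):
    """VLAN in which switch 2 delivers the attacker's double-tagged frame."""
    attacker_frame = build_frame("ffffffffffff", "0011223344aa", [10, 20], b"constructed")
    on_trunk = switch1_forward(attacker_frame, access_vlan=10, trunk_native=trunk_native)
    return switch2_classify(on_trunk, trunk_native)
```

With the trunk's native VLAN at 10, `delivered_vlan(10)` returns 20: switch 1 pops the outer tag, sends the frame untagged because it is native traffic, and switch 2 classifies it by the surviving 20 tag. With the native VLAN moved to an unused ID, `delivered_vlan(999)` returns 10: switch 1 now pushes a 10 tag on egress, so the outer tag switch 2 sees is the attacker's own VLAN and the inner 20 tag is never consulted.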
Port Security Overview
- Allows an administrator to statically specify MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses.
[Diagram: port 0/1 allows MAC A, port 0/2 allows MAC B, port 0/3 allows MAC C; attacker 1 and attacker 2 (MAC F) are refused]

38 CLI Commands
Switch(config-if)# switchport mode access
  Sets the interface mode as access
Switch(config-if)# switchport port-security
  Enables port security on the interface
Switch(config-if)# switchport port-security maximum value
  Sets the maximum number of secure MAC addresses for the interface (optional)

39 Switchport Port-Security Parameters
mac-address mac-address
  (Optional) Specify a secure MAC address for the port by entering a 48-bit MAC address. You can add additional secure MAC addresses up to the maximum value configured.
vlan vlan-id
  (Optional) On a trunk port only, specify the VLAN ID and the MAC address. If no VLAN ID is specified, the native VLAN is used.
vlan access
  (Optional) On an access port only, specify the VLAN as an access VLAN.
vlan voice
  (Optional) On an access port only, specify the VLAN as a voice VLAN.
mac-address sticky [mac-address]
  (Optional) Enable the interface for sticky learning by entering only the mac-address sticky keywords. When sticky learning is enabled, the interface adds all secure MAC addresses that are dynamically learned to the running configuration and converts these addresses to sticky secure MAC addresses. Specify a sticky secure MAC address by entering the mac-address sticky mac-address keywords.
maximum value
  (Optional) Set the maximum number of secure MAC addresses for the interface. The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system. The active Switch Database Management (SDM) template determines this number. This number represents the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces. The default setting is 1.
vlan [vlan-list]
  (Optional) For trunk ports, you can set the maximum number of secure MAC addresses on a VLAN. If the vlan keyword is not entered, the default value is used.
  - vlan: set a per-VLAN maximum value.
  - vlan vlan-list: set a per-VLAN maximum value on a range of VLANs separated by a hyphen or a series of VLANs separated by commas. For nonspecified VLANs, the per-VLAN maximum value is used.

Port Security Violation Configuration
Switch(config-if)# switchport port-security mac-address sticky
  Enables sticky learning on the interface (optional)
Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}
  Sets the violation mode (optional)
Switch(config-if)# switchport port-security mac-address mac-address
  Enters a static secure MAC address for the interface (optional)

41 Switchport Port-Security Violation Parameters
protect
  (Optional) Set the security violation protect mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.
restrict
  (Optional) Set the security violation restrict mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred.
shutdown
  (Optional) Set the security violation shutdown mode. In this mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and increments the violation counter. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands.
shutdown vlan
  Set the security violation mode to per-VLAN shutdown. In this mode, only the VLAN on which the violation occurred is error-disabled.

Port Security Aging Configuration
Switch(config-if)# switchport port-security aging {static | time time | type {absolute | inactivity}}
  Enables or disables static aging for the secure port or sets the aging time or type

43 Switchport Port-Security Aging Parameters
static
  Enable aging for statically configured secure addresses on this port.
time time
  Specify the aging time for this port. The range is 0 to 1440 minutes. If the time is 0, aging is disabled for this port.
type absolute
  Set the absolute aging type. All the secure addresses on this port age out exactly after the time (minutes) specified and are removed from the secure address list.
type inactivity
  Set the inactivity aging type. The secure addresses on this port age out only if there is no data traffic from the secure source address for the specified time period.

Typical Configuration
[Diagram: switch S with a PC attached to the secured port]
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security aging time 120

45 CLI Commands
sw-class# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                 (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/12              2            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024

sw-class# show port-security interface f0/12
Port Security              : Enabled
Port status                : Secure-down
Violation mode             : Shutdown
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Aging time                 : 120 mins
Aging type                 : Absolute
SecureStatic address aging : Disabled
Security Violation Count   : 0

46 View Secure MAC Addresses
sw-class# show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   1    0000.ffff.aaaa    SecureConfigured    Fa0/12        -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024

47 MAC Address Notification
- MAC address notification allows monitoring of the MAC addresses, at the module and port level, added by the switch to or removed from the CAM table for secure ports.
- SNMP traps are sent to the NMS when new MAC addresses appear or when old ones time out.
[Diagram: switch CAM table with F1/1 = MAC A, F1/2 = MAC B and F2/1 = MAC D; MAC D is away from the network, its address ages out, and a trap goes to the NMS]
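The parameter tables above describe maximum, the three violation modes, sticky learning and the two aging types one at a time; the following model, added here as an illustration (it is not Cisco code; the class, its method names and the per-minute clock are assumptions, and the MAC addresses are constructed), runs them together so the differences are visible: protect drops silently, restrict drops and counts, shutdown error-disables the port, and absolute versus inactivity aging decide whether a busy station keeps its slot.

```python
"""Port-security model for the parameter tables and the typical configuration
above. Added illustration, not Cisco code: the class, its method names and
the per-minute clock are assumptions; the MAC addresses are constructed."""


class SecurePort:
    def __init__(self, maximum=1, violation="shutdown", sticky=False,
                 aging_time=0, aging_type="absolute", static=()):
        self.maximum = maximum                  # switchport port-security maximum
        self.violation = violation              # protect | restrict | shutdown
        self.sticky = sticky                    # mac-address sticky
        self.aging_time = aging_time            # minutes; 0 disables aging
        self.aging_type = aging_type            # absolute | inactivity
        self.secure = {mac: ("SecureConfigured", 0, 0) for mac in static}
        self.running_config = [f"switchport port-security mac-address {m}" for m in static]
        self.status = "Secure-up"
        self.violation_count = 0
        self.notifications = []                 # stand-ins for syslog / SNMP trap

    def _age(self, now):
        """Remove dynamic/sticky entries whose timer expired (static ones need 'aging static')."""
        if not self.aging_time:
            return
        for mac, (kind, learned, seen) in list(self.secure.items()):
            if kind == "SecureConfigured":
                continue
            reference = learned if self.aging_type == "absolute" else seen
            if now - reference >= self.aging_time:
                del self.secure[mac]

    def receive(self, src_mac, now=0):
        """Return 'forward' or 'drop' for a frame with source src_mac at minute `now`."""
        if self.status == "err-disabled":
            return "drop"
        self._age(now)
        if src_mac in self.secure:
            kind, learned, _ = self.secure[src_mac]
            self.secure[src_mac] = (kind, learned, now)      # refresh inactivity timer
            return "forward"
        if len(self.secure) < self.maximum:
            kind = "SecureSticky" if self.sticky else "SecureDynamic"
            self.secure[src_mac] = (kind, now, now)
            if self.sticky:                     # sticky addresses land in the running config
                self.running_config.append(
                    f"switchport port-security mac-address sticky {src_mac}")
            return "forward"
        return self._violation(src_mac)

    def _violation(self, src_mac):
        if self.violation == "protect":
            return "drop"                       # dropped silently, no notification
        self.violation_count += 1
        self.notifications.append(f"violation on secure port: unknown source {src_mac}")
        if self.violation == "shutdown":
            self.status = "err-disabled"        # cleared by errdisable recovery or shut/no shut
        return "drop"

    def errdisable_recover(self):
        self.status = "Secure-up"


def run_violation_mode(mode):
    """Two allowed addresses, then a third station, then the first again."""
    port = SecurePort(maximum=2, violation=mode)
    frames = ["0000.ffff.aaaa", "0000.ffff.bbbb", "0000.ffff.cccc", "0000.ffff.aaaa"]
    return [port.receive(m) for m in frames], port.violation_count, port.status


def run_aging(aging_type):
    """One allowed address with a 120-minute timer; absolute and inactivity differ."""
    port = SecurePort(maximum=1, violation="restrict", aging_time=120, aging_type=aging_type)
    return [port.receive("0000.ffff.aaaa", now=0),
            port.receive("0000.ffff.aaaa", now=100),   # keeps the inactivity timer fresh
            port.receive("0000.ffff.bbbb", now=130)]


def run_sticky():
    port = SecurePort(maximum=2, sticky=True)
    port.receive("0000.ffff.aaaa")
    return port.running_config
```

`run_violation_mode("shutdown")` returns `(['forward', 'forward', 'drop', 'drop'], 1, 'err-disabled')`: once the port is error-disabled even the legitimate first station is cut off, which is why the typical configuration pairs this mode with a recovery plan. `run_aging("absolute")` lets the second station in at minute 130 because the first address's 120-minute timer started at minute 0, while `run_aging("inactivity")` still drops it because the first station was seen at minute 100.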
48 Configure PortFast
Switch(config-if)# spanning-tree portfast
  Enables PortFast on a Layer 2 access port and forces it to enter the forwarding state immediately.
Switch(config-if)# no spanning-tree portfast
  Disables PortFast on a Layer 2 access port. PortFast is disabled by default.
Switch(config)# spanning-tree portfast default
  Globally enables the PortFast feature on all nontrunking ports.
Switch# show running-config interface type slot/port
  Indicates whether PortFast has been configured on a port.
[Diagram: PortFast on the ports facing a server and a workstation]

49 BPDU Guard
Switch(config)# spanning-tree portfast bpduguard default
  Globally enables BPDU guard on all ports with PortFast enabled
[Diagram: the attacker sends an STP BPDU into a port with BPDU Guard enabled; the root bridge and the forwarding/blocking ports are unaffected]

50 Display the State of Spanning Tree
Switch# show spanning-tree summary totals
Root bridge for: none.
PortFast BPDU Guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Spanning tree default pathcost method used is short
Name                 Blocking Listening Learning Forwarding STP Active
-------------------- -------- --------- -------- ---------- ----------
1 VLAN               0        0         0        1          1
<output omitted>

51 Root Guard
Switch(config-if)# spanning-tree guard root
  Enables root guard on a per-interface basis
[Diagram: the root bridge has priority = 0 and MAC address = 0000.0c45.1a5d; the attacker sends an STP BPDU with priority = 0 and MAC address = 0000.0c45.1234 into a port with Root Guard enabled]

52 Verify Root Guard
Switch# show spanning-tree inconsistentports
Name                 Interface              Inconsistency
-------------------- ---------------------- ------------------
VLAN0001             FastEthernet3/1        Port Type Inconsistent
VLAN0001             FastEthernet3/2        Port Type Inconsistent
VLAN1002             FastEthernet3/1        Port Type Inconsistent
VLAN1002             FastEthernet3/2        Port Type Inconsistent
VLAN1003             FastEthernet3/1        Port Type Inconsistent
VLAN1003             FastEthernet3/2        Port Type Inconsistent
VLAN1004             FastEthernet3/1        Port Type Inconsistent
VLAN1004             FastEthernet3/2        Port Type Inconsistent
VLAN1005             FastEthernet3/1        Port Type Inconsistent
VLAN1005             FastEthernet3/2        Port Type Inconsistent

Number of inconsistent ports (segments) in the system :10

53 Storm Control Methods
- Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic
- Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received
- Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received
- Traffic rate in packets per second for small frames. This feature is enabled globally; the threshold for small frames is configured for each interface.

54 Storm Control Configuration
Switch(config-if)# storm-control broadcast level 75.5
  Enables storm control and specifies the level at which it is enabled
Switch(config-if)# storm-control multicast level pps 2k 1k
  Enables storm control with rising and falling levels in packets per second
Switch(config-if)# storm-control action shutdown
  Specifies the action that should take place when the threshold (level) is reached, in addition to filtering traffic

55 Storm Control Parameters
broadcast
  This parameter enables broadcast storm control on the interface.
multicast
  This parameter enables multicast storm control on the interface.
unicast
  This parameter enables unicast storm control on the interface.
level level [level-low]
  Rising and falling suppression levels as a percentage of total bandwidth of the port.
  - level: Rising suppression level. The range is 0.00 to 100.00. Block the flooding of storm packets when the value specified for level is reached.
  - level-low: (Optional) Falling suppression level, up to two decimal places. This value must be less than or equal to the rising suppression value.
level bps bps [bps-low]
  Specify the rising and falling suppression levels as a rate in bits per second at which traffic is received on the port.
  - bps: Rising suppression level. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for bps is reached.
  - bps-low: (Optional) Falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value.
level pps pps [pps-low]
  Specify the rising and falling suppression levels as a rate in packets per second at which traffic is received on the port.
  - pps: Rising suppression level. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for pps is reached.
  - pps-low: (Optional) Falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value.
action {shutdown | trap}
  The action taken when a storm occurs on a port. The default action is to filter traffic and to not send an SNMP trap. The keywords have these meanings:
  - shutdown: Disables the port during a storm
  - trap: Sends an SNMP trap when a storm occurs

Verify Storm Control Settings
Switch# show storm-control
Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Gi0/1      Forwarding     20 pps       10 pps       5 pps
Gi0/2      Forwarding     50.00%       40.00%       0.00%
<output omitted>

Mitigating VLAN Attacks
[Diagram: trunk with native VLAN = 10]
1. Disable trunking on all access ports.
2. Disable auto trunking and manually enable trunking.
3. Be sure that the native VLAN is used only for trunk lines and nowhere else.

58 Controlling Trunking
Switch(config-if)# switchport mode trunk
  Specifies an interface as a trunk link
Switch(config-if)# switchport nonegotiate
  Prevents the generation of DTP frames
Switch(config-if)# switchport trunk native vlan vlan_number
  Sets the native VLAN on the trunk to an unused VLAN

59 Traffic Analysis
- A SPAN port mirrors traffic to another port where a monitoring device is connected.
- Without this, it can be difficult to track hackers after they have entered the network.
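The storm control parameters above define a rising level and an optional falling level, and the show output lists Upper, Lower and Current per interface. The model below is an added illustration (not Cisco code: the class, the one-sample-per-interval evaluation and the "Link Down" state label are assumptions, and the show output it parses is a constructed copy of the table above). It shows the hysteresis the two levels create: once a storm is detected, the traffic type stays blocked until the rate drops below the falling level, not merely below the rising one, and it shows what the shutdown and trap actions change.

```python
"""Storm-control threshold model for the parameters and 'show storm-control'
output above. Added illustration, not Cisco code: the class, the one-sample-
per-interval evaluation and the 'Link Down' state label are assumptions;
the sample output and traffic rates are constructed."""
import re


class StormControl:
    def __init__(self, rising, falling=None, action="filter"):
        self.rising = rising                          # level / bps / pps rising threshold
        self.falling = rising if falling is None else falling
        if self.falling > self.rising:
            raise ValueError("falling level must be <= rising level")
        self.action = action                          # filter (default) | trap | shutdown
        self.suppressing = False
        self.shutdown = False
        self.traps = 0

    def sample(self, rate):
        """Evaluate one measurement interval and return the filter state."""
        if self.shutdown:
            return "Link Down"
        if not self.suppressing and rate >= self.rising:
            self.suppressing = True                   # storm detected: block this traffic type
            if self.action == "shutdown":
                self.shutdown = True
                return "Link Down"
            if self.action == "trap":
                self.traps += 1
        elif self.suppressing and rate < self.falling:
            self.suppressing = False                  # resume only below the falling level
        return "Blocking" if self.suppressing else "Forwarding"


def run(rates, rising, falling=None, action="filter"):
    """Filter state per interval for a constructed sequence of measured rates."""
    sc = StormControl(rising, falling, action)
    return [sc.sample(r) for r in rates]


# Constructed copy of the 'show storm-control' table shown above.
SAMPLE_SHOW = """\
Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Gi0/1      Forwarding     20 pps       10 pps       5 pps
Gi0/2      Forwarding     50.00%       40.00%       0.00%
"""

VALUE = re.compile(r"([\d.]+)(%| pps| bps)")


def parse_show_storm_control(text):
    """Map interface -> (state, upper, lower, current) from the show output."""
    rows = {}
    for line in text.splitlines()[2:]:                # skip header and dashes
        fields = line.split(None, 2)
        if len(fields) < 3:
            continue
        iface, state, rest = fields
        values = [float(v) for v, _unit in VALUE.findall(rest)]
        if len(values) == 3:
            rows[iface] = (state, *values)
    return rows


def interfaces_in_storm(text):
    """Interfaces whose current rate is at or above the rising (upper) level."""
    return [i for i, (_, upper, _, current) in parse_show_storm_control(text).items()
            if current >= upper]
```

For Gi0/1's settings (20 pps rising, 10 pps falling), `run([5, 25, 15, 12, 9, 5, 30], 20, 10)` gives Forwarding, Blocking, Blocking, Blocking, Forwarding, Forwarding, Blocking: the intervals at 15 and 12 pps are still blocked even though they are under the rising level. With no falling level configured the same input unblocks as soon as the rate is under 20 pps, which is the flapping the falling level is there to prevent. With `action="shutdown"` the first storm leaves the port down for every later sample.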
[Diagram: the attacker's traffic is mirrored to a SPAN port feeding an IDS, an RMON probe or a protocol analyzer; the IDS raises "Intruder Alert!"]

CLI Commands
Switch(config)# monitor session session_number source {interface interface-id [, | -] [both | rx | tx]} | {vlan vlan-id [, | -] [both | rx | tx]} | {remote vlan vlan-id}
Switch(config)# monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate] [ingress {dot1q vlan vlan-id | isl | untagged vlan vlan-id | vlan vlan-id}]} | {remote vlan vlan-id}

Verify SPAN Configuration

SPAN and IDS
- Use SPAN to mirror traffic in and out of port F0/1 to port F0/2.
[Diagram: the attacker is attached to F0/1 and the IDS to F0/2]

Overview of RSPAN
- An RSPAN port mirrors traffic to another port on another switch where a probe or IDS sensor is connected.
- This allows more switches to be monitored with a single probe or IDS.
[Diagram: source VLANs on several switches are carried over the RSPAN VLAN to the switch with the IDS; the IDS raises "Intruder Alert!"]

Configuring RSPAN
[Diagram: switches 2960-1 and 2960-2 connected by a trunk]
2960-1(config)# vlan 100
2960-1(config-vlan)# remote-span
2960-1(config-vlan)# exit
2960-1(config)# monitor session 1 source interface FastEthernet 0/1
2960-1(config)# monitor session 1 destination remote vlan 100 reflector-port FastEthernet 0/24
2960-1(config)# interface FastEthernet 0/2
2960-1(config-if)# switchport mode trunk

2960-2(config)# monitor session 2 source remote vlan 100
2960-2(config)# monitor session 2 destination interface FastEthernet 0/3
2960-2(config)# interface FastEthernet 0/2
2960-2(config-if)# switchport mode trunk

1. Configure the RSPAN VLAN.
2. Configure the RSPAN source ports and VLANs.
3. Configure the RSPAN traffic to be forwarded.

Verifying RSPAN Configuration
show monitor [session {session_number | all | local | range list | remote} [detail]] [ | {begin | exclude | include} expression]
[Diagram: switches 2960-1 and 2960-2]

Layer 2 Guidelines
- Manage switches in as secure a manner as possible (SSH, out-of-band management, ACLs, etc.)
- Set all user ports to non-trunking mode (except if using Cisco VoIP)
- Use port security where possible for access ports
- Enable STP attack mitigation (BPDU guard, root guard)
- Use Cisco Discovery Protocol only where necessary (with phones it is useful)
- Configure PortFast on all non-trunking ports
- Configure root guard on STP root ports
- Configure BPDU guard on all non-trunking ports

VLAN Practices
- Always use a dedicated, unused native VLAN ID for trunk ports
- Do not use VLAN 1 for anything
- Disable all unused ports and put them in an unused VLAN
- Manually configure all trunk ports and disable DTP on trunk ports
- Configure all non-trunking ports with switchport mode access

Overview of Wireless, VoIP Security
[Diagram: wireless and VoIP]

69 Overview of SAN Security
[Diagram: SAN]

70 Infrastructure-Integrated Approach
- Proactive threat and intrusion detection capabilities that do not simply detect wireless attacks but prevent them
- Comprehensive protection to safeguard confidential data and communications
- Simplified user management with a single user identity and policy
- Collaboration with wired security systems

71 Cisco IP Telephony Solutions
- Single-site deployment
- Centralized call processing with remote branches
- Distributed call-processing deployment
- Clustering over the IP WAN

72 Storage Network Solutions
- Investment protection
- Virtualization
- Security
- Consolidation
- Availability

73 Cisco Wireless LAN Controllers
- Responsible for system-wide wireless LAN functions
- Work in conjunction with APs and the Cisco Wireless Control System (WCS) to support wireless applications
- Smoothly integrate into existing enterprise networks

74 Wireless Hacking
- War driving
- A neighbor hacks into another neighbor's wireless network to get free Internet access or access information
- Free Wi-Fi provides an opportunity to compromise the data of users

75 Hacking Tools
- Network Stumbler
- Kismet
- AirSnort
- CoWPAtty
- ASLEAP
- Wireshark

76 Safety Considerations
- Wireless networks using WEP or WPA/TKIP are not very secure and are vulnerable to hacking attacks.
- Wireless networks using WPA2/AES should have a passphrase of at least 21 characters long.
- If an IPsec VPN is available, use it on any public wireless LAN.
- If wireless access is not needed, disable the wireless radio or wireless NIC.

77 VoIP Business Advantages
- Lower telecom call costs
- Productivity increases
- Lower costs to move, add, or change
- Lower ongoing service and maintenance costs
- Little or no training costs
- No major set-up fees
- Enables unified messaging
- Encryption of voice calls is supported
- Fewer administrative personnel required
[Diagram: VoIP gateway to the PSTN]

78 VoIP Components
[Diagram: Cisco Unified Communications Manager (call agent), MCU, Cisco Unity, IP phones and a videoconference station on the IP backbone, with routers/gateways to the PSTN]

79 VoIP Protocols
- H.323: ITU standard protocol for interactive conferencing; evolved from the H.320 ISDN standard; flexible, complex
- MGCP: Emerging IETF standard for PSTN gateway control; thin device control
- Megaco/H.248: Joint IETF and ITU standard for gateway control with support for multiple gateway types; evolved from the MGCP standard
- SIP: IETF protocol for interactive and noninteractive conferencing; simpler but less mature than H.323
- RTP: IETF standard media-streaming protocol
- RTCP: IETF protocol that provides out-of-band control information for an RTP flow
- SRTP: IETF protocol that encrypts RTP traffic as it leaves the voice device
- SCCP: Cisco proprietary protocol used between Cisco Unified Communications Manager and Cisco IP phones

Threats
- Reconnaissance
- Directed attacks such as spam over IP telephony (SPIT) and spoofing
- DoS attacks such as DHCP starvation, flooding, and fuzzing
- Eavesdropping and man-in-the-middle attacks

81 VoIP SPIT
- If SPIT grows like spam, it could result in regular DoS problems for network administrators.
- Antispam methods do not block SPIT.
- Authenticated TLS stops most SPIT attacks because TLS endpoints accept packets only from trusted devices.
- Example SPIT message: "You've just won an all-expenses-paid vacation to the U.S. Virgin Islands!!!"

82 Fraud
Fraud takes several forms:
- Vishing: a voice version of phishing that is used to compromise confidentiality.
- Theft and toll fraud: the stealing of telephone services.
Use features of Cisco Unified Communications Manager to protect against fraud:
- Partitions limit what parts of the dial plan certain phones have access to.
- Dial plan filters control access to exploitive phone numbers.
- FACs prevent unauthorized calls and provide a mechanism for tracking.

83 SIP Vulnerabilities
- Registration hijacking: allows a hacker to intercept incoming calls and reroute them.
- Message tampering: allows a hacker to modify data packets traveling between SIP addresses.
- Session tear-down: allows a hacker to terminate calls or carry out VoIP-targeted DoS attacks.
[Diagram: SIP user agents, SIP proxy, registrar and location database as the SIP servers/services]

84 Using VLANs
- Creates a separate broadcast domain for voice traffic
- Protects against eavesdropping and tampering
- Renders packet-sniffing tools less effective
- Makes it easier to implement VACLs that are specific to voice traffic
[Diagram: an IP phone (10.1.110.3) on voice VLAN 110 and a desktop PC (171.1.1.1) on data VLAN 10 share switch port 5/1 over an 802.1Q trunk]

85 Using Cisco ASA Adaptive Security Appliances
- Ensure SIP, SCCP, H.323, and MGCP requests conform to standards
- Prevent inappropriate SIP methods from being sent to Cisco Unified Communications Manager
- Rate limit SIP requests
- Enforce policy of calls (whitelist, blacklist, caller/called party, SIP URI)
- Dynamically open ports for Cisco applications
- Enable only registered phones to make calls
- Enable inspection of encrypted phone calls
[Diagram: Cisco Adaptive Security Appliances at the Internet and WAN edges]

86 Using VPNs
- Use IPsec for authentication
- Use IPsec to protect all traffic, not just voice
- Consider an SLA with the service provider
- Terminate on a VPN concentrator or large router inside the firewall to gain these benefits:
  - Performance
Reduced configuration complexity Managed organizational boundaries IP WAN Telephony Servers SRST Router 87 Using Cisco Unified Communications Manager Signed firmware Signed configuration files Disable: PC port Setting button Speakerphone Web access 88 SAN Security Considerations SAN IP Network Specialized network that enables fast, reliable access among servers and external storage resources 89 SAN Transport Technologies Fibre Channel the primary SAN transport for host-to-SAN connectivity iSCSI maps SCSI over TCP/IP and is another host-to-SAN connectivity model FCIP a popular SAN- to-SAN connectivity model LAN 90 World Wide Name A 64-bit address that Fibre Channel networks use to uniquely identify each element in a Fibre Channel network Zoning can utilize WWNs to assign security permissions The WWN of a device is a user-configurable parameter. Cisco MDS 9020 Fabric Switch 91 Zoning Operation Zone members see only other members of the zone. Zones can be configured dynamically based on WWN. Devices can be members of more than one zone. Switched fabric zoning can take place at the port or device level: based on physical switch port or based on device WWN or based on LUN ID. SAN Disk1 Host2 Disk4 Host1 Disk2 Disk3 Zone A ZoneB ZoneC An example of Zoning. Note that devices can be members of more than 1 zone. 92 Virtual Storage Area Network (VSAN) Physical SAN islands are virtualized onto common SAN infrastructure Cisco MDS 9000 Family with VSAN Service 93 Security Focus SAN Secure SAN IP Storage access Data Integrity and Secrecy Target Access SAN Protocol SAN Management Access Fabric Access 94 SAN Management Three main areas of vulnerability: 1. Disruption of switch processing 2. Compromised fabric stability 3. Compromised data integrity and confidentiality 95 Fabric and Target Access Three main areas of focus: Application data integrity LUN integrity Application performance 96 VSANs Two VSANs each with multiple zones. 
Disks and hosts are dedicated to VSANs, although both hosts and disks can belong to multiple zones within a single VSAN. They cannot, however, span VSANs.
(Figure: physical topology of VSAN 2 and VSAN 3 with Host1 to Host4, Disk1 to Disk6 and Zones A to D, showing the relationship of VSANs to zones.)

97 iSCSI and FCIP
iSCSI leverages many of the security features inherent in Ethernet and IP:
- ACLs are like Fibre Channel zones
- VLANs are like Fibre Channel VSANs
- 802.1X port security is like Fibre Channel port security
FCIP security leverages many IP security features in Cisco IOS-based routers:
- IPsec VPN connections through public carriers
- High-speed encryption services in specialized hardware
- Can be run through a firewall

98 Implementing Cisco Edge Network Security Solutions (300-206)
Module 2: Access Lists

100 Objectives
- Describe the usage and rules of access lists
- Establish standard IP access lists
- Produce extended IP access lists
- Apply access lists to interfaces
- Monitor and verify access lists

101 Objectives (continued)
- Create named access lists
- Use Security Device Manager to create standard and extended IP access lists
- Use Security Device Manager to create a router firewall

102 Access Lists: Usage and Rules
Access lists:
- Permit or deny statements that filter traffic based on the source address, destination address, protocol type, and port number of a packet
- Available for IP, IPX, AppleTalk, and many other protocols

103 Access List Usage
- You can create a standard access list that examines a packet for the packet's source header information
- Implicit deny any statement:
  - Implicitly blocks all packets that do not meet the requirements of the access list
  - Exists even though it is not shown as part of the access list
- With careful planning, you can create access lists that control which traffic crosses particular links, and which segments of your network will have access to others

104 Access List Usage (continued)
(Figure.)

105 Problems with Access Lists
- Lack of planning is one of the most common problems associated with access lists
- The need to enter the list sequentially into the router also presents problems: you cannot move individual statements once they are entered
- When making changes, you must remove the list, using the no access-list [list number] command, and then retype the commands
- Access lists begin working the second they are applied to an interface

106 Access List Rules
Example of the structure of a standard IP access list:
  RouterA(config)#access-list 1 deny 172.22.5.2 0.0.0.0
  RouterA(config)#access-list 1 deny 172.22.5.3 0.0.0.0
  RouterA(config)#access-list 1 permit any
- The router applies each line in the order in which you type it into the access list
- The no access-list [list #] command is used to remove an access list

107 Access List Rules (continued)
(Figure.)

108 Access List Rules (continued)
- As a general rule, the lines with the most potential matches should be first in the list, so that packets will not undergo unnecessary processing
- You should avoid unnecessarily long access lists
- After you create access lists, you must apply them to interfaces so they can begin filtering traffic
- You apply a list as either an outgoing or an incoming filter

109 Access List Rules (continued)
In summary, all access lists follow these rules:
- Routers apply lists sequentially in the order in which you type them into the router
- Routers apply lists to packets sequentially, from the top down, one line at a time
- Packets are processed only until a match is made
- Lists always end with an implicit deny
- Access lists must be applied to an interface as either inbound or outbound traffic filters
- Only one list, per protocol, per direction can be applied to an interface
- Access lists are effective as soon as they are applied

110 Standard IP Access Lists
- Standard IP access lists filter network traffic based on the source IP address only
- Using a standard IP access list, you can filter traffic by a host IP, subnet, or network address
- Configure standard IP access lists:
  access-list [list #] [permit|deny] [source address] [source wildcard mask]
- Routers use wildcard masks to determine which bits in an address will be significant

111-115 Standard IP Access Lists (continued)
(Figures.)

116 Standard IP Access List Examples
- Standard IP access lists permit or deny packets based only on the source address
- Addresses can be a single host address, a subnet address, or a full network address

117-118 Standard IP Access List Examples (continued)
(Figures.)

119 Standard IP Access List Examples (continued)
- Correct placement of a list is imperative
- To view the access lists defined on your router, use the show access-lists command; for IP access lists you could also use the show ip access-lists command
- If you decide that an access list needs to be removed from an interface, you can remove it with the no ip access-group [list #] command

120-124 Standard IP Access List Examples (continued)
(Figures.)

125 Standard IP Access List Examples (continued)
- Application of the list as an outbound filter on FastEthernet0/0 (see Figure 10-15)
- Use the show access-lists or show ip access-lists command followed by the show ip interface command to verify that the list has been entered and applied correctly

126-128 Standard IP Access List Examples (continued)
(Figures.)

129 Monitoring Standard IP Access Lists
- Three main commands are available for monitoring access lists on your router:
  - show access-lists
  - show ip access-lists
  - show interfaces or show ip interface
- Use the no access-list [list #] command to remove the list
- Use the no ip access-group [list #] [direction] command to remove the application of the list

130 Extended IP Access Lists
- Extended IP access lists can filter by source IP address, destination IP address, protocol type, and application port number
- This granularity allows you to design extended IP access lists that:
  - Permit or deny a single type of IP protocol
  - Filter by a particular port of a particular protocol

131 Extended IP Access Lists (continued)
To configure extended IP access lists, you must create the list and then apply it to an interface, using the following syntax:
  access-list [list #] [permit|deny] [protocol] [source IP address] [source wildcard mask] [operator] [port] [destination IP address] [destination wildcard mask] [operator] [port] [log]

132-135 Extended IP Access List Examples
(Figures.)

136 The Established Parameter
- The established parameter permits traffic from any host on any network to any destination, as long as the traffic is in response to a request initiated inside the network
- Example: access-list 100 permit tcp any 15.0.0.0 0.255.255.255 established

137 Monitoring Extended IP Access Lists
- The same commands used to monitor standard IP access lists are used to monitor extended IP access lists
- Extended IP lists keep track of the number of packets that match each line of an access list
- The clear access-list counters [list #] command clears the counters
- The no access-list [list #] command removes the list
- The no ip access-group [list #] [direction] command removes the application of the list

138-139 Monitoring Extended IP Access Lists (continued)
(Figures.)

140 Using Named Lists
- In Cisco IOS versions 11.2 and above, names instead of numbers can be used to identify lists
- To name a standard IP access list, use the following syntax:
  RouterC(config)#ip access-list standard [name]
- To name an extended IP access list, use the following syntax:
  RouterC(config)#ip access-list extended [name]

141 Using Named Lists (continued)
- Once the list is named, the permit or deny statements are entered
- The commands follow the same syntax as unnamed lists, except that the beginning part of the command (access-list [list #]) is not included
- To apply a standard IP named list to an interface, the syntax is:
  RouterC(config-if)#ip access-group [name] [in | out]

142 Using Named Lists (continued)
Advantages:
- Allows you to maintain security by using an easily identifiable access list
- Removes the limit of 100 lists per filter type
- With named access lists, lines can be selectively deleted from the ACL
- Named ACLs provide greater flexibility to network administrators who work in environments where large numbers of ACLs are needed

143 Controlling VTY Line Access
- Access lists are used for both traffic flow and security
- One useful security feature of access lists is restricting access to telnet on your router by controlling VTY line access
- You must first create a standard IP access list that permits the management workstation:
  RouterA(config)#access-list 12 permit 192.168.12.12 0.0.0.0
- Then it must be applied to the VTY lines:
  access-class [acl #] in | out

144 Controlling VTY Line Access (continued)
To apply access list 12 to the VTY lines, use the following commands:
  RouterA(config)#line vty 0 4
  RouterA(config-line)#access-class 12 in
The commands to restrict access to the VTY lines to network 192.168.12.0/24 only are:
  RouterA(config)#access-list 13 permit 192.168.12.0 0.0.0.255
  RouterA(config)#line vty 0 4
  RouterA(config-line)#access-class 13 in

145 Using Security Device Manager to Create Access Control Lists
- Using the SDM, an administrator can accomplish all the tasks that formerly required use of the CLI
- SDM allows you to easily create a standard or an extended access list or, as it is known in the SDM, an Access Control List (ACL)

146-151 Using Security Device Manager to Create Access Control Lists (continued)
(Figures.)

152 Using Security Device Manager to Create a Router Firewall
- Unlike the CLI, the SDM allows a router to be configured as a firewall

153-158 Using Security Device Manager to Create a Router Firewall (continued)
(Figures.)

159 Summary
- Access lists are one of the most important IOS tools for controlling network traffic and security
- Access lists are created in a two-step process
- All access lists are created sequentially and applied sequentially to all packets that enter an interface where the list is applied
- By default, access lists always end in an implicit deny any statement
- Only one access list per direction (inbound or outbound) per protocol can be applied to an interface

160 Summary (continued)
- Standard IP access lists allow you to filter traffic based on the source IP address of a packet
- Extended IP access lists filter traffic based on source, destination, protocol type, and application type
- Access lists can be used to restrict telnet by controlling VTY line access
- Each type of access list is identified by its own range of list numbers

161 Summary (continued)
- The SDM can be used to configure both standard and extended ACLs via the Additional Tasks configuration tab
- The SDM can be used to configure a router as either a Basic or Advanced firewall
- The main difference between a Basic and Advanced firewall is the ability to configure DMZ interfaces in the Advanced firewall setup wizard

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition
Chapter 14: Network Security

163 Objectives
- Distinguish between the different types of network security threats
- Explain how to mitigate network security threats
- Implement SSH on Cisco routers and switches
- Configure VPNs with the Cisco Security Device Manager

164 General Network Security
- Security policy: an organization's set of rules regarding how to handle and protect sensitive data
- A security policy should include:
  - Physical security
  - Acceptable use of applications
  - Safeguarding data
  - Remote access to the network
  - Data center
  - Wireless security

165 General Network Security (continued)
- An effective security policy implements multiple layers of security
- A security policy should have three goals:
  - To prevent the hacker from getting access to critical data
  - To slow down the hacker enough to be caught
  - To frustrate the hacker enough to cause him or her to quit the hacking attempt
- When designing a security policy, take care to specify exactly what you are trying to protect

166 Protecting the Hardware
- The first level of security in any network is physical security
- Critical nodes of an organization should be separated from the general workforce
- The nodes should be kept in a central location where only a select group of people are allowed
- If office space is limited and nodes must be located near employees, the servers should at least be stored in a locked cabinet

167 Protecting the Hardware (continued)
(Figure.)

168 Protecting Software
- The primary threats against software are malware and hackers
- Malware refers to malicious programs that have many different capabilities
- Hackers are usually driven by greed, ego, and/or vengeance; they look to make personal gains through system vulnerabilities

169 Malware Prevention
- The most important elements of a prevention plan:
  - Installing and maintaining virus prevention software
  - Conducting virus awareness training for network users
- Types of malware:
  - Virus
  - Worm
  - Macro virus
  - Polymorphic virus
  - Stealth virus

170 Malware Prevention (continued)
- Types of malware (continued):
  - Boot-sector virus
  - Trojan or Trojan horse
  - Logic bomb
- Virus prevention software:
  - Available for installation on entire networks
  - Usually includes a version that will run on clients as well as servers
  - Must be updated regularly to ensure your network is protected against all the latest malware threats

171 Malware Prevention (continued)
- User training:
  - Users must be trained to update their antivirus software daily or, at a bare minimum, weekly
  - Users also must learn how viruses are transmitted between computers
  - Teach users to scan removable devices with the virus scanning software before using them

172 Firewalls
- A firewall is the primary method of keeping hackers out of a network
- Normally placed between a private LAN and the public Internet, where it acts like a gatekeeper
- Can be a hardware device or software
- Types: personal and enterprise
- All data packets entering or exiting the network have to pass through an enterprise-level firewall
- A firewall filters (or analyzes) packets

173 Firewalls (continued)
Four firewall topologies:
- Packet-filtering router
- Single-homed bastion
- Dual-homed bastion
- Demilitarized zone (DMZ)

174-177 Firewalls (continued)
(Figures.)

178 Firewalls (continued)
- Intrusion Detection System (IDS): a security device that can detect a hacker's attempts to gain access to the network; can also detect virus outbreaks, worms, and distributed denial of service (DDoS) attacks
- Intrusion Prevention System (IPS): like an IDS, except that it is placed in line so all packets coming in or going out of the network pass through it; this allows an IPS to drop packets based on rules defined by the network administrator

179 Permissions, Encryption, and Authentication
- Permission: an official approval that allows a user to access a specific network resource
- Encryption: often consists of using security algorithms to scramble and descramble data
- Types of algorithms:
  - Symmetric key
  - Asymmetric key

180-181 Permissions, Encryption, and Authentication (continued)
(Figures.)

182 Permissions, Encryption, and Authentication (continued)
- Secure Sockets Layer: a means of encrypting a session between two hosts through the use of digital certificates, which are based on asymmetric key encryption
- Authentication: the process by which users verify to a server that they are who they say they are
- There are several types of authentication:
  - Password Authentication Protocol (PAP)
  - Challenge Handshake Authentication Protocol (CHAP)

183 Permissions, Encryption, and Authentication (continued)
- Additional authentication services supported by Cisco:
  - Remote Authentication Dial-In User Service (RADIUS)
  - Terminal Access Controller Access Control System Plus (TACACS+)
- These two common security protocols are based on the Authentication, Authorization, and Accounting (AAA) model

184 Mitigating Security Threats
The three basic strategies for mitigating security threats are:
- Using the SSH protocol to connect to your routers and switches rather than telnet
- Turning off unnecessary services
- Keeping up to date on security patches (software releases) with a patch management initiative

185 Secure Shell (SSH) Connections
- The Secure Shell (SSH) protocol sends all data encrypted
- The two versions of SSH are SSH Version 1 and SSH Version 2; SSH Version 2 is the recommended version
- Some SSH commands are mandatory and others are optional
- You must also generate an RSA key pair (asymmetric key encryption), which enables SSH

186 Secure Shell (SSH) Connections (continued)
- The preferred method is to implement SSH on all VTY lines, which ensures that all remote IP sessions to the router will be protected in the SSH tunnel
- The command sequence for enabling SSH is:
  Router(config)#hostname SshRouter
  SshRouter(config)#ip domain-name sshtest.com
  SshRouter(config)#crypto key generate rsa
  The name of the keys will be: SshRouter.sshtest.com

187 Disabling Unnecessary Services
- You should disable services unless your organization uses them
- Methods:
  - Go through the CLI and enter a series of commands for each service
  - Use the Security Audit Wizard in the Cisco Security Device Manager (SDM)
- The following services are unnecessary on most networks:
  - Finger service
  - PAD service

188 Disabling Unnecessary Services (continued)
- The following services are unnecessary on most networks (continued):
  - TCP Small Servers service
  - UDP Small Servers service
  - IP BOOTP Server service
  - Cisco Discovery Protocol (CDP)
  - IP Source Route
  - Maintenance Operations Protocol (MOP)
  - Directed Broadcast

189 Disabling Unnecessary Services (continued)
- The following services are unnecessary on most networks (continued):
  - ICMP Redirects
  - Proxy ARP
  - IDENT
  - IPv6

190 Patch Management
- Your organization's patch management program should account for all software in the organization, including commercial applications as well as applications developed in-house
- A patch management program should take into account the major software vendors' patch release schedules, as well as your organization's business goals and needs
- Not all patches released by vendors are flawless

191 Virtual Private Networks (VPNs)
- Virtual Private Networks (VPNs): a popular technology for creating a connection between an external computer and a corporate site over the Internet
- To establish a VPN connection, you need VPN-capable components
- Client-to-site VPN (also known as remote user VPN): a VPN that allows designated users to have access to the corporate network from remote locations

192 Virtual Private Networks (VPNs) (continued)
(Figure.)

193 Virtual Private Networks (VPNs) (continued)
- Site-to-site VPN: a VPN that allows multiple corporate sites to be connected over low-cost Internet connections
- You can choose from several tunneling protocols to create secure, end-to-end tunnels:
  - Point-to-Point Tunneling Protocol (PPTP)
  - Layer 2 Tunneling Protocol (L2TP)
  - Generic Routing Encapsulation (GRE)

194 Virtual Private Networks (VPNs) (continued)
(Figure.)

195 IPSec
- IPSec: a suite of protocols, accepted as an industry standard, which provides secure data transmission over layer 3 of the OSI model
- An IP standard; it will only encrypt IP-based data
- IPSec supports two modes of operation: transport mode and tunnel mode

196 IPSec (continued)
- Transport mode:
  - Primarily geared toward encrypting data that is being sent host-to-host
  - Only encrypts and decrypts the individual data packets, which results in quite a bit of overhead on the processor
- Tunnel mode:
  - Encrypts all data in the tunnel and is the mode supported by Cisco components

197 IPSec Protocols
Two IPSec protocols have been developed to provide packet-level security:
- Authentication Header (AH)
- Encapsulating Security Payload (ESP)

198 IPSec Authentication Algorithms
- Authentication algorithms use one of two Hashed Message Authentication Codes (HMAC):
  - MD5 (message-digest algorithm 5)
  - SHA-1 (secure hash algorithm)
- An HMAC is a secret-key authentication algorithm that ensures data integrity and origin authenticity, based on the distribution of the secret key
- Cryptographic software keys are exchanged between hosts using an HMAC

199 IPSec Encryption Algorithms
- For encryption, the two most popular algorithms on IPSec networks are 3DES (Triple DES) and AES
- These algorithms are used solely with the IPSec ESP protocol
- Remember, AH does not support encryption

200 IPSec Key Management
- You need to pay attention to how keys are handed from node to node during IPSec authentication
- Two options are available:
  - Deliver the secret keys to all parties involved via e-mail or on disk
  - Use a key management protocol
- Key management is defined by the Internet Security Association and Key Management Protocol (ISAKMP), governed by RFC 2407 and RFC 2408

201 IPSec Transform Sets
- A transform set is a configuration value (or, simply stated, a command) that allows you to establish an IPSec VPN on a Cisco firewall
- You can create a transform set through the CLI or you can simply use the SDM GUI
- When creating an IPSec VPN you must specify a protocol, the algorithm, and the method of key management

202 Creating VPNs with the Security Device Manager (SDM)
- Cisco supports VPNs with several different devices
- VPNs can be created on firewalls, routers, computers, and even on a device specifically made for VPNs, called a VPN concentrator
- The following example focuses on using the Cisco Security Device Manager (SDM) Web utility to create a VPN on a Cisco router

203-211 Creating VPNs with the Security Device Manager (SDM) (continued)
(Figures.)

212 Cisco Security Audit Wizard
- You can use the Cisco SDM to conduct security audits
- The SDM's Security Audit Wizard:
  - Can be used to verify your router's configuration and determine what security settings have and have not been configured
  - Will also make recommendations as to which settings should be enabled
  - Provides an easy-to-use GUI that allows you to make those changes

213-219 Cisco Security Audit Wizard (continued)
(Figures.)

220 Summary
- Protecting the physical equipment where sensitive data resides is as important as protecting the data itself
- When securing an organization's network, you must be sure to protect it against external threats as well as internal threats
- User training is a key element to protecting the network and the data within it
- Using an SSH connection to a router is a much more secure method of connecting to a router than clear-text telnet

221 Summary (continued)
- Disabling unnecessary services increases a router's security
- IPSec is an industry-standard suite of protocols and algorithms that allow for secure encrypted VPN tunnels
- Cisco's SDM is a multifunction Web utility that allows you to create VPNs and complete a security audit
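Worked example for the Module 2 access-list rules above (slides 106, 109, 110, 136 and 143: wildcard masks, top-down first match, the implicit deny, and the established keyword), modelled as a small Python evaluator. This is an added teaching example, not Cisco code; the Packet class, the parse_ace and evaluate names, and the sample packets are constructed for the demo, and only the eq port operator is modelled.

```python
"""Model of how a Cisco IOS router evaluates an IP access list: wildcard masks,
top-down first match, the implicit deny at the end, and the TCP 'established'
keyword.  Added teaching example, not Cisco code; packets are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address

ANY = ("0.0.0.0", "255.255.255.255")  # 'any' is shorthand for this pair


@dataclass
class Packet:
    proto: str                # "ip", "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    ack_or_rst: bool = False  # True on reply segments (ACK or RST bit set)


def wildcard_match(addr: str, pattern: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit is 'don't care', a 0 bit must match."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(pattern)) & care)


def _take_addr(tok: list) -> tuple:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D [W.W.W.W]' (no mask = exact host)."""
    first = tok.pop(0)
    if first == "any":
        return ANY
    if first == "host":
        return tok.pop(0), "0.0.0.0"
    mask = tok.pop(0) if tok and tok[0][0].isdigit() else "0.0.0.0"
    return first, mask


def _take_port(tok: list):
    """Consume an optional 'eq <port>' operator; other operators are not modelled."""
    if tok and tok[0] == "eq":
        tok.pop(0)
        return int(tok.pop(0))
    return None


def parse_ace(line: str) -> dict:
    """Parse one 'access-list <n> permit|deny ...' statement, standard or extended."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list statement: {line!r}")
    number, action, rest = int(tok[1]), tok[2], tok[3:]
    ace = {"action": action, "proto": "ip", "dst": ANY, "dport": None, "established": False}
    if number <= 99 or 1300 <= number <= 1999:  # standard list: source address only
        ace["src"] = _take_addr(rest)
        return ace
    ace["proto"] = rest.pop(0)                    # extended list
    ace["src"] = _take_addr(rest)
    _take_port(rest)                              # source port operator (not checked)
    ace["dst"] = _take_addr(rest)
    ace["dport"] = _take_port(rest)
    ace["established"] = "established" in rest
    return ace


def ace_matches(ace: dict, pkt: Packet) -> bool:
    if ace["proto"] not in ("ip", pkt.proto):
        return False
    if not (wildcard_match(pkt.src, *ace["src"]) and wildcard_match(pkt.dst, *ace["dst"])):
        return False
    if ace["dport"] is not None and ace["dport"] != pkt.dport:
        return False
    # 'established' only matches TCP segments belonging to an existing session
    return not ace["established"] or (pkt.proto == "tcp" and pkt.ack_or_rst)


def evaluate(acl: list, pkt: Packet) -> tuple:
    """Top down, first match wins.  Returns (action, index of the matching line);
    index -1 is the implicit 'deny any' that never appears in the configuration."""
    for i, line in enumerate(acl):
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], i
    return "deny", -1


if __name__ == "__main__":
    acl1 = ["access-list 1 deny 172.22.5.2 0.0.0.0", "access-list 1 permit any"]  # slide 106
    print(evaluate(acl1, Packet("ip", "172.22.5.2", "10.1.1.1")))              # ('deny', 0)
    est = ["access-list 100 permit tcp any 15.0.0.0 0.255.255.255 established"]  # slide 136
    print(evaluate(est, Packet("tcp", "8.8.8.8", "15.1.2.3", 22)))            # ('deny', -1)
```

The second print shows why the established list alone cannot admit a new inbound connection: a SYN-only segment carries neither ACK nor RST, so it falls through to the implicit deny.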