Chapter Six
Securing the Local Area Network
Lesson Planning
This lesson should take 3-4 hours to present
The lesson should include lecture,
demonstrations, discussions and assessments
The lesson can be taught in person or using
remote instruction
Major Concepts
Describe endpoint vulnerabilities and protection
methods
Describe basic Catalyst switch vulnerabilities
Configure and verify switch security features,
including port security and storm control
Describe the fundamental security
considerations of Wireless, VoIP, and SANs
Lesson Objectives
Upon completion of this lesson, the successful participant will be
able to:
1. Describe endpoint security and the enabling technologies
2. Describe how Cisco IronPort is used to ensure endpoint security
3. Describe how Cisco NAC products are used to ensure endpoint
security
4. Describe how the Cisco Security Agent is used to ensure endpoint
security
5. Describe the primary considerations for securing the Layer 2
infrastructure
6. Describe MAC address spoofing attacks and MAC address spoofing
attack mitigation
7. Describe MAC Address table overflow attacks and MAC Address table
overflow attack mitigation
8. Describe STP manipulation attacks and STP manipulation attack
mitigation
9. Describe LAN Storm attacks and LAN Storm attack mitigation
10. Describe VLAN attacks and VLAN attack mitigation
11. Describe how to configure port security
12. Describe how to verify port security
13. Describe how to configure and verify BPDU Guard and Root Guard
14. Describe how to configure and verify storm control
15. Describe and configure Cisco SPAN
16. Describe and configure Cisco RSPAN
17. Describe the best practices for Layer 2
18. Describe the fundamental aspects of enterprise security for
advanced technologies
19. Describe the fundamental aspects of wireless security and the
enabling technologies
20. Describe wireless security solutions
21. Describe the fundamental aspects of VoIP security and the enabling
technologies (reference: CIAG course on VoIP security)
22. Describe VoIP security solutions
23. Describe the fundamental aspects of SAN security and the enabling
technologies
24. Describe SAN security solutions
Figure: the enterprise network used throughout this chapter. Areas of concentration: securing endpoints (the hosts and the web, email and DNS servers) and securing the network infrastructure (the Internet edge with firewall, VPN and IPS, the IronPort appliances, and the LAN switches), with MARS (Monitoring, Analysis and Response System) and ACS (Access Control Server) as the monitoring and AAA back ends.
2009 Cisco Learning Institute.
Threat Protection
Operating Systems
Basic Security Services
Trusted code and a trusted path ensure that the integrity of the operating system is not violated.
A privileged context of execution provides identity authentication and grants certain privileges based on that identity.
Process memory protection and isolation provide separation from other users and their data.
Access control to resources ensures the confidentiality and integrity of data.
IronPort
Cisco NAC
IronPort C-Series
Figure: email security before and after IronPort. Before IronPort, mail arriving from the Internet through the firewall passes through a chain of separate products (encryption platform, MTA, DLP scanner, antispam, antivirus, DLP policy manager, policy enforcement and mail routing) before reaching the groupware servers and users. After IronPort, a single C-Series appliance behind the firewall consolidates all of these functions in front of the groupware servers.
IronPort S-Series
Figure: web security before and after IronPort. Before IronPort, users' web traffic passes through separate web proxy, antispyware, antivirus, antiphishing, URL filtering and policy management products between the firewall and the Internet. After IronPort, a single S-Series appliance behind the firewall performs all of these functions.
Cisco NAC
The purpose of NAC:
Allow only authorized and compliant systems to access the network
Enforce network security policy
NAC Framework
A software module embedded within NAC-enabled products
An integrated framework leveraging multiple Cisco and NAC-aware vendor products
Figure: NAC Framework operation. Hosts attempting network access present their credentials through the Cisco Trust Agent to the network access devices, using EAP over UDP or EAP over 802.1X. The access devices relay the credentials over RADIUS to the policy server decision points (the AAA server, which can in turn consult vendor servers over HTTPS). The policy server decides whether the host complies with policy ("Comply?"), returns the access rights for the access device to enforce, and the host is notified of the result and of any remediation required.
NAC Components
Cisco NAS (NAC Appliance Server)
Cisco NAA (NAC Appliance Agent)
Cisco NAM (NAC Appliance Manager)
Rule-set updates
Figure: Cisco NAC Appliance admission flow. A host's first connection is intercepted by the Cisco NAS, which is controlled by the Cisco NAM; the NAM consults the authentication server.
2. The host is redirected to a login page. Cisco NAC Appliance validates the username and password and also performs device and network scans to assess vulnerabilities on the device.
3a. The device is noncompliant or the login is incorrect: the host is denied access and assigned to a quarantine role with access only to online remediation resources.
3b. The device is clean: the machine is put on the certified devices list and granted access to the network (the goal: the intranet/network).
4. On the host, the agent presents a login screen, the scan is performed, and if the scan fails the user is asked to remediate before trying again.
CSA Architecture
Figure: servers and workstations protected by the Cisco Security Agent send alerts and events over SSL to the Management Center for Cisco Security Agent (with an internal or external database); the administration workstation defines the security policy there and the Management Center pushes it to the agents.
CSA Overview
Figure: the agent sits between the application and the kernel. Every request an application makes passes through one of four interceptors (file system, network, configuration, execution space). The interceptors consult the rules engine, which applies the rules and policies to the request together with the state kept by the correlation engine, and the request is either allowed or blocked.
CSA Functionality
Table (figure): the security applications CSA provides (distributed firewall, host intrusion prevention, application sandbox, network worm prevention), each mapped to the interceptors it is built from (among them the network interceptor and the execution space interceptor).
Attack Phases
Probe phase: ping scans, port scans
Penetrate phase: transfer exploit code to the target
Persist phase: install new code, modify configuration
Propagate phase: attack other targets
Paralyze phase: erase files, crash the system, steal data
Figure: a server protected by the Cisco Security Agent.
Layer 2 Security
Figure: the same enterprise network diagram (MARS, ACS, firewall, Internet, VPN, IPS, IronPort, hosts, web server, email server, DNS). The perimeter is marked; this section moves inside it, to the LAN switches.
OSI Model
When it comes to networking, Layer 2 is often a very weak link.
Figure: the seven OSI layers, from the physical links (Physical) and MAC addresses (Data Link) up through IP addresses (Network), Transport, Session, Presentation and the application stream. An initial compromise of Layer 2 (the MAC addresses) compromises every layer above it, because each layer relies on the layer below without being aware that it has been subverted.
MAC Address Spoofing Attack
Figure: a switch with a host of MAC address AABBcc on Port 1 and a host of MAC address 12AbDd on Port 2. The attacker on Port 2 sends frames with the source MAC address AABBcc. The switch relearns AABBcc on Port 2, overwriting the Port 1 entry, and from then on delivers frames destined for the legitimate host to the attacker.
Normally, the switch can forward frames between PC1 and PC2 without flooding because its MAC address table contains the port-to-MAC-address mappings for these PCs.
MAC Address Table Overflow Attack
Figure: the attacker (host C, on port 3/25 in VLAN 10) floods the switch with frames carrying bogus source MAC addresses X, Y, Z, ... The MAC address table fills up with entries that map those addresses to port 3/25. Once the table is full, the switch cannot learn the addresses of the legitimate hosts, so it floods traffic for them out of every port in VLAN 10, and the attacker sees traffic to servers B and D.
STP Manipulation Attack
Figure: the current root bridge has priority 8192 and MAC address 0000.00C0.1234; the ports toward it are forwarding (F). STP manipulation changes the topology of a network: the attacking host sends BPDUs that make it appear to be the root bridge.
Figure: the attacker, connected to two switches, sends STP BPDUs advertising priority 0 on both links. A priority of 0 beats the real root bridge, so both switches elect the attacker as root and put their ports toward it into forwarding (F); traffic between the two switches now flows through the attacker.
LAN Storm Attack
Figure: a broadcast storm. Broadcast frames are flooded out of every port of every switch in the broadcast domain, so each frame is copied and recopied across every link, consuming bandwidth and the CPU of every attached device.
Storm Control
Figure: storm control measures the total number of broadcast packets or bytes received on a port in each measurement interval and compares it with the configured suppression threshold.
VLAN Attacks
VLANs are used for segmentation, flexibility and security.
VLAN Attacks
Figure: two switches connected by an 802.1Q trunk carrying VLAN 10 and VLAN 20, with a server in each VLAN.
Double-Tagging (VLAN Hopping)
Figure: the attacker is on VLAN 10 but puts a VLAN 20 tag in the frame, so the frame carries two 802.1Q tags: an outer tag for VLAN 10 and an inner tag for VLAN 20. The first switch strips the outer tag because VLAN 10 is the native VLAN of the trunk (native VLAN = 10) and native-VLAN frames are sent untagged. The second switch sees the remaining 802.1Q tag and delivers the frame into VLAN 20, to the victim.
Note: This attack works only if the trunk has the same native VLAN as the attacker.
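The double-tagging sequence in the figure, as an added worked example written for this page (it is not Cisco's code and not part of the original course). The script builds a real 802.1Q-in-802.1Q Ethernet frame with struct and then models the three decisions that make the attack work or fail: the attacker's access port accepting and stripping a tag that names its own VLAN, the trunk sending native-VLAN frames untagged, and the far switch classifying a frame by its outermost tag. The switch model, port behaviour and MAC addresses are assumptions made for the demonstration; double_tag_attack returns the VLAN into which the victim's switch delivers the frame, and that is 20 only when the native VLAN equals the attacker's VLAN.

```python
import struct

TPID_8021Q = 0x8100       # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(text):
    """'00:11:22:33:44:55' or '0011.2233.4455' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", "").replace(".", ""))


def build_frame(dst, src, vids, payload, ethertype=ETHERTYPE_IPV4):
    """Ethernet frame with zero or more stacked 802.1Q tags, outermost first.
    Each tag is TPID 0x8100 + TCI; PCP and DEI are left 0 so the TCI is just the VID."""
    frame = mac_bytes(dst) + mac_bytes(src)
    for vid in vids:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def vlan_tags(frame):
    """VIDs of the tag stack, outermost first (empty list for an untagged frame)."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids


def pop_tag(frame):
    """Remove the outermost tag: the 4 bytes right after the two MAC addresses."""
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


def access_port_ingress(frame, access_vlan):
    """Attacker's switch, access port in access_vlan (assumed behaviour): a frame
    whose outer tag names that same VLAN is accepted and the tag is stripped.
    The frame now belongs to access_vlan but still carries the attacker's inner tag."""
    if vlan_tags(frame)[:1] == [access_vlan]:
        frame = pop_tag(frame)
    return access_vlan, frame


def trunk_egress(vlan, frame, native_vlan):
    """802.1Q trunk, sending side: native-VLAN frames leave untagged,
    every other VLAN gets its tag pushed on."""
    return frame if vlan == native_vlan else push_tag(frame, vlan)


def trunk_ingress(frame, native_vlan):
    """802.1Q trunk, receiving side: the outer tag decides the VLAN; no tag means native."""
    tags = vlan_tags(frame)
    return tags[0] if tags else native_vlan


def double_tag_attack(attacker_vlan, target_vlan, native_vlan):
    """VLAN in which the far switch delivers the attacker's double-tagged frame."""
    frame = build_frame("ff:ff:ff:ff:ff:ff", "00:00:5e:00:53:01",   # constructed addresses
                        [attacker_vlan, target_vlan], b"\x00" * 46)  # constructed payload
    vlan, frame = access_port_ingress(frame, attacker_vlan)
    on_wire = trunk_egress(vlan, frame, native_vlan)
    return trunk_ingress(on_wire, native_vlan)


if __name__ == "__main__":
    print("native VLAN 10 (same as attacker):", double_tag_attack(10, 20, 10))   # 20: the hop succeeds
    print("native VLAN 99 (dedicated, unused):", double_tag_attack(10, 20, 99))  # 10: frame stays in VLAN 10
```

With a dedicated native VLAN the first switch pushes a VLAN 10 tag on the trunk, so the far switch classifies the frame into VLAN 10 and the inner tag is never examined; this is the reason behind the "dedicated, unused native VLAN ID for trunk ports" practice later in the chapter.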
Port Security
Figure: a switch with ports 0/1, 0/2 and 0/3, legitimate hosts with MAC A and MAC F, and two attackers (Attacker 1, Attacker 2) trying to attach.
CLI Commands
Switch(config-if)# switchport mode access
Makes the interface a static access port. This is a prerequisite: port security cannot be configured on a port whose mode is negotiated dynamically by DTP.
switchport port-security parameters
Parameter / Description
mac-address mac-address
(Optional) Specify a secure MAC address for the port by entering a 48-bit MAC address. You can add additional secure MAC addresses up to the maximum value configured.
vlan vlan-id
(Optional) On a trunk port only, specify the VLAN ID and the MAC address. If no VLAN ID is specified, the native VLAN is used.
vlan access
(Optional) On an access port only, specify the VLAN as an access VLAN.
vlan voice
(Optional) On an access port only, specify the VLAN as a voice VLAN.
mac-address sticky [mac-address]
(Optional) Enable the interface for sticky learning by entering only the mac-address sticky keywords. When sticky learning is enabled, the interface adds all secure MAC addresses that are dynamically learned to the running configuration and converts these addresses to sticky secure MAC addresses. Specify a sticky secure MAC address by entering the mac-address sticky mac-address keywords.
maximum value
(Optional) Set the maximum number of secure MAC addresses for the interface. The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system. The active Switch Database Management (SDM) template determines this number. This number represents the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces. The default setting is 1.
vlan [vlan-list]
(Optional) For trunk ports, you can set the maximum number of secure MAC addresses on a VLAN. If the vlan keyword is not entered, the default value is used.
vlan: set a per-VLAN maximum value.
vlan vlan-list: set a per-VLAN maximum value on a range of VLANs separated by a hyphen or a series of VLANs separated by commas. For nonspecified VLANs, the per-VLAN maximum value is used.
switchport port-security violation modes
Parameter / Description
protect
(Optional) Set the security violation protect mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.
restrict
(Optional) Set the security violation restrict mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred (an SNMP trap is sent, a syslog message is logged, and the violation counter is incremented).
shutdown
(Optional) Set the security violation shutdown mode. In this mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and increments the violation counter. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands.
shutdown vlan
Set the security violation mode to per-VLAN shutdown. In this mode, only the VLAN on which the violation occurred is error-disabled.
Switchport Port-Security Aging Parameters
Parameter / Description
static
Enable aging for statically configured secure addresses on this port.
time time
Specify the aging time for this port, in minutes. The range is 1 to 1440; a time of 0 disables aging for the port.
type absolute
Set absolute aging: all the secure addresses on the port age out after the specified time and are removed from the secure address list.
type inactivity
Set inactivity aging: a secure address ages out only if there is no data traffic from it for the specified time.
Typical Configuration
Figure: switch S2 with PC B attached to the secured access port.
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security aging time 120
CLI Commands
sw-class# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
     Fa0/12            2            1                0          Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024

sw-class# show port-security interface f0/12
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 120 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Security Violation Count   : 0

sw-class# show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   1    0000.ffff.aaaa    SecureConfigured    Fa0/12        -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024
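An added simulation, written for this page and not part of the original course, that ties together three of the slides above: the MAC address spoofing figure, the MAC address table overflow figure, and the port-security violation modes. It models a learning switch with a finite MAC address table and optional port security on a port (sticky learning, a maximum count, and the protect, restrict and shutdown modes). cam_overflow() replays a macof-style flood from Fa0/3 with and without the equivalent of switchport port-security maximum 2 violation shutdown; mac_spoof() has the attacker claim PC A's address with and without maximum 1 violation restrict. The table size, port names, MAC addresses and syslog strings are assumptions made for the demo, not output captured from a switch.

```python
from dataclasses import dataclass, field

MAC_A, MAC_B, MAC_ATTACKER = "0000.0000.000a", "0000.0000.000b", "0000.0000.0bad"  # constructed


@dataclass
class PortSecurity:
    maximum: int                      # switchport port-security maximum N
    violation: str = "shutdown"       # protect | restrict | shutdown
    secure_macs: set = field(default_factory=set)   # sticky-learned secure addresses
    errdisabled: bool = False
    violation_count: int = 0


class Switch:
    """Minimal single-VLAN learning switch with a bounded MAC address table (assumed model)."""

    def __init__(self, ports, cam_size):
        self.ports = list(ports)
        self.cam_size = cam_size      # finite table: the resource an overflow attack exhausts
        self.cam = {}                 # mac -> port
        self.security = {}            # port -> PortSecurity, only for secured ports
        self.syslog = []

    def enable_port_security(self, port, maximum, violation="shutdown"):
        self.security[port] = PortSecurity(maximum, violation)

    def _source_allowed(self, port, src):
        ps = self.security.get(port)
        if ps is None:
            return True
        if ps.errdisabled:
            return False
        if src in ps.secure_macs:
            return True
        if len(ps.secure_macs) < ps.maximum:
            ps.secure_macs.add(src)   # sticky learning of a new secure address
            return True
        if ps.violation == "protect":  # limit reached, unknown source: silent drop
            return False
        ps.violation_count += 1        # restrict and shutdown both count and notify
        self.syslog.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: {src} on {port}")  # assumed format
        if ps.violation == "shutdown":
            ps.errdisabled = True      # port stays err-disabled until recovered
        return False

    def receive(self, port, src, dst):
        """Switch one frame; return the set of ports it leaves on."""
        if not self._source_allowed(port, src):
            return set()
        # Learning: a known MAC simply moves to the new port (what spoofing exploits);
        # a new MAC is learned only while the table has free entries (what flooding exploits).
        if src in self.cam or len(self.cam) < self.cam_size:
            self.cam[src] = port
        if dst in self.cam:
            return set() if self.cam[dst] == port else {self.cam[dst]}
        # Unknown destination: flood out of every other port that is still up.
        return {p for p in self.ports if p != port
                and not (p in self.security and self.security[p].errdisabled)}


def cam_overflow(port_security):
    """macof-style flood from Fa0/3, then PC A (Fa0/1) and PC B (Fa0/2) exchange frames."""
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"], cam_size=32)
    if port_security:
        sw.enable_port_security("Fa0/3", maximum=2, violation="shutdown")
    for i in range(100):                                   # spray bogus source addresses
        sw.receive("Fa0/3", f"0000.00bb.{i:04x}", "ffff.ffff.ffff")
    sw.receive("Fa0/2", MAC_B, MAC_A)                      # B announces itself
    out = sw.receive("Fa0/1", MAC_A, MAC_B)                # A answers B
    ps = sw.security.get("Fa0/3")
    return {"attacker_sees_a_to_b": "Fa0/3" in out,
            "cam_entries": len(sw.cam),
            "fa0_3_errdisabled": bool(ps and ps.errdisabled),
            "violations": ps.violation_count if ps else 0}


def mac_spoof(port_security):
    """Attacker on Fa0/3 claims PC A's MAC so that B's traffic to A is switched to Fa0/3."""
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"], cam_size=32)
    if port_security:
        sw.enable_port_security("Fa0/3", maximum=1, violation="restrict")
    sw.receive("Fa0/1", MAC_A, MAC_B)                      # A is learned on Fa0/1
    sw.receive("Fa0/3", MAC_ATTACKER, MAC_B)               # attacker's own MAC is learned on Fa0/3
    sw.receive("Fa0/3", MAC_A, MAC_B)                      # then the spoofed source address
    out = sw.receive("Fa0/2", MAC_B, MAC_A)                # where does B's reply to A go?
    return {"b_to_a_goes_to": sorted(out), "syslog": sw.syslog}


if __name__ == "__main__":
    for secured in (False, True):
        print("port security" if secured else "no port security",
              "| overflow:", cam_overflow(secured), "| spoof:", mac_spoof(secured))
```

Without port security the table ends up holding only attacker addresses, B is never learned, and A's frame to B is flooded to Fa0/3 as well; with maximum 2 the third bogus address err-disables Fa0/3 after one counted violation and A to B goes to Fa0/2 alone. In the spoofing case restrict mode drops the frame carrying A's address, logs the violation, and leaves the table entry for A pointing at Fa0/1.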
Figure: a switch with an NMS on F1/2, a host with MAC A on F1/1, and port F2/1 whose host, MAC D, is away from the network.
Configure PortFast
Figure: PortFast belongs on access ports that connect a single server or workstation, never on ports that connect to other switches.
Command / Description
Switch(config-if)# spanning-tree portfast
Enables PortFast on the interface; no spanning-tree portfast disables it.
Switch(config)# spanning-tree portfast default
Enables PortFast by default on all non-trunking (access) ports.
BPDU Guard
Figure: the attacker is attached to an access port on switch B on which BPDU Guard is enabled and sends an STP BPDU toward the root bridge. The port is error-disabled as soon as the BPDU arrives, so the attacker cannot take part in the spanning tree.
Switch(config)# spanning-tree portfast bpduguard default
Enables BPDU Guard on all PortFast-enabled ports.
Root Guard
Figure: the root bridge has priority 0 and MAC address 0000.0c45.1a5d, and its ports toward the other switches are forwarding (F). The attacker sends an STP BPDU claiming priority 0 with MAC address 0000.0c45.1234; with equal priorities the lower MAC address wins, so this BPDU would win the root election. Because Root Guard is enabled on the port facing the attacker, the superior BPDU puts that port into the root-inconsistent (blocked) state instead of moving the root.
Switch(config-if)# spanning-tree guard root
Enables Root Guard on the interface.
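The root election the figure relies on, as an added example written for this page (not Cisco's code or part of the original course): a bridge ID comparison, and the decision a port makes about a received BPDU with no guard, with Root Guard and with BPDU Guard. The bridge IDs are the ones shown in the figure; the port-state strings and the simplified handling of inferior BPDUs (no path cost or port ID comparison) are assumptions for illustration.

```python
REAL_ROOT = (0, "0000.0c45.1a5d")   # root bridge ID from the figure: (priority, MAC)
ATTACKER = (0, "0000.0c45.1234")    # the attacker's BPDU: same priority, lower MAC


def bridge_id(priority, mac):
    """802.1D bridge ID as one integer: the 16-bit priority in front of the 48-bit
    MAC address. The lowest bridge ID wins the root election, so priority decides
    first and the MAC address breaks ties. (On Cisco switches the priority field
    also carries the extended system ID, the VLAN number.)"""
    return (priority << 48) | int(mac.replace(".", "").replace(":", ""), 16)


def is_superior(candidate, current):
    """True if a BPDU advertising root `candidate` beats the root `current`."""
    return bridge_id(*candidate) < bridge_id(*current)


def receive_bpdu(current_root, bpdu_root, port_guard=None):
    """Decide what one port does with a received BPDU advertising `bpdu_root`.
    port_guard: None, "bpduguard" (PortFast edge port) or "rootguard".
    Returns (root the switch believes in afterwards, resulting port state)."""
    if port_guard == "bpduguard":
        # An edge port must never receive a BPDU at all: err-disable it, keep the old root.
        return current_root, "err-disabled"
    if not is_superior(bpdu_root, current_root):
        # Inferior BPDU: our root is better, the port stays designated and forwarding.
        return current_root, "designated"
    if port_guard == "rootguard":
        # Superior BPDU on a port that must stay designated: block the port
        # (root-inconsistent) while such BPDUs keep arriving; the root does not move.
        return current_root, "root-inconsistent"
    # Unprotected port: the switch accepts the new root and this becomes its root port.
    return bpdu_root, "root port"


def demo():
    return {
        "no guard": receive_bpdu(REAL_ROOT, ATTACKER),
        "root guard": receive_bpdu(REAL_ROOT, ATTACKER, "rootguard"),
        "bpdu guard": receive_bpdu(REAL_ROOT, ATTACKER, "bpduguard"),
        "priority 8192 root vs priority 0 attacker": receive_bpdu((8192, "0000.00c0.1234"), ATTACKER),
    }


if __name__ == "__main__":
    for case, (root, state) in demo().items():
        print(f"{case:44s} root={root} port={state}")
```

The last case reproduces the earlier STP manipulation figure: against a root with priority 8192, the attacker does not even need a lower MAC address, since priority is compared first.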
storm-control parameters
Parameter / Description
broadcast
Enable broadcast storm control on the interface.
multicast
Enable multicast storm control on the interface.
unicast
Enable unicast storm control on the interface.
level level [level-low]
Rising and falling suppression levels as a percentage of total bandwidth of the port.
level: Rising suppression level. The range is 0.00 to 100.00. Block the flooding of storm packets when the value specified for level is reached.
level-low: (Optional) Falling suppression level, up to two decimal places. This value must be less than or equal to the rising suppression value.
level bps bps [bps-low]
Specify the rising and falling suppression levels as a rate in bits per second at which traffic is received on the port.
bps: Rising suppression level. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for bps is reached.
bps-low: (Optional) Falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value.
level pps pps [pps-low]
Specify the rising and falling suppression levels as a rate in packets per second at which traffic is received on the port.
pps: Rising suppression level. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for pps is reached.
pps-low: (Optional) Falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value.
action {shutdown | trap}
The action taken when a storm occurs on a port. The default action is to filter traffic and not to send an SNMP trap.
The keywords have these meanings:
shutdown: Disables the port during a storm.
trap: Sends an SNMP trap when a storm occurs.
Switch# show storm-control
Filter State   Upper     Lower     Current
Forwarding     50.00%    40.00%    0.00%
<output omitted>
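An added example, written for this page and not part of the original course, that replays the rising/falling decision behind the storm-control parameters above over a series of measurements. It shows why a separate falling level is worth configuring: with only a rising level the port flaps back to forwarding as soon as the load dips a little below it. The per-interval samples are constructed; the mapping of the trap and shutdown actions onto the reported states is a simplification made here, and the samples are in whatever unit the threshold was set in (percent, bps or pps).

```python
def storm_control(samples, rising, falling=None, action="filter"):
    """Replay storm control on one port over successive measurement intervals.

    samples: measured load of one traffic type (broadcast, multicast or unicast)
             per interval, in the unit the threshold was configured in.
    rising:  level at which the switch starts suppressing that traffic type.
    falling: level at which forwarding resumes; defaults to the rising level.
    action:  "filter" (default: drop the storm traffic), "trap" (filter and send
             one SNMP trap per storm) or "shutdown" (err-disable the port).
    Returns {"states": per-interval filter state as in 'show storm-control',
             "traps": number of traps that would have been sent}."""
    if falling is None:
        falling = rising
    if falling > rising:
        raise ValueError("falling suppression level must be <= rising level")
    states, traps, blocking = [], 0, False
    for i, level in enumerate(samples):
        if not blocking and level >= rising:      # rising threshold reached: storm begins
            blocking = True
            if action == "trap":
                traps += 1
            elif action == "shutdown":            # port err-disabled for the rest of the run
                states.extend(["err-disabled"] * (len(samples) - i))
                break
        elif blocking and level < falling:        # back below the falling level: storm over
            blocking = False
        states.append("Blocking" if blocking else "Forwarding")
    return {"states": states, "traps": traps}


if __name__ == "__main__":
    load = [5, 55, 60, 45, 38, 10]   # constructed per-interval broadcast load, % of bandwidth
    print("level 50 40      :", storm_control(load, 50, 40)["states"])
    print("level 50 only    :", storm_control(load, 50)["states"])
    print("action shutdown  :", storm_control(load, 50, 40, action="shutdown")["states"])
```

With rising 50 and falling 40 the port stays in Blocking through the 45% interval and resumes at 38%; with a single 50% level it resumes at 45% and would start blocking again on the next spike, which is the flapping the falling level is meant to avoid.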
Figure: a trunk whose native VLAN is 10.
Controlling Trunking
Switch(config-if)# switchport mode trunk
Makes the port a permanent trunk rather than leaving trunking to DTP negotiation.
Traffic Analysis
Figure: switched traffic, including the attacker's, is copied to a monitoring port where an IDS, an RMON probe or a protocol analyzer inspects it; the IDS raises an "Intruder Alert!".
CLI Commands
Switch(config)# monitor session session_number source {interface interface-id [, | -] [both | rx | tx]} | {vlan vlan-id [, | -] [both | rx | tx]} | {remote vlan vlan-id}
Switch(config)# monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate] [ingress {dot1q vlan vlan-id | isl | untagged vlan vlan-id | vlan vlan-id}]} | {remote vlan vlan-id}
Figure: use SPAN to mirror traffic in and out of port F0/1, where the attacker is attached, to port F0/2, where the analyzer is attached.
Overview of RSPAN
Figure: RSPAN carries the mirrored traffic from source VLANs on several switches across a dedicated RSPAN VLAN to the switch where the IDS is attached, so an attacker anywhere in the source VLANs is still seen and the IDS raises an "Intruder Alert!".
Configuring RSPAN
1. Configure the RSPAN VLAN (on both switches, 2960-1 and 2960-2).
Layer 2 Guidelines
Manage switches in as secure a manner as possible (SSH, out-of-band management, ACLs, etc.)
Set all user ports to non-trunking mode (except if using Cisco VoIP)
Use port security where possible for access ports
Enable STP attack mitigation (BPDU guard, root guard)
Use Cisco Discovery Protocol only where necessary (with phones it is useful)
Configure PortFast on all non-trunking ports
Configure root guard on the ports that must never become root ports (the designated ports facing other switches); a port with root guard that receives a superior BPDU is blocked
Configure BPDU guard on all non-trunking ports
VLAN Practices
Always use a dedicated, unused native VLAN ID for trunk ports
Do not use VLAN 1 for anything
Disable all unused ports and put them in an unused VLAN
Manually configure all trunk ports and disable DTP on trunk ports
Configure all non-trunking ports with switchport mode access
Wireless, VoIP and SAN Security
Infrastructure-Integrated Approach
Proactive threat and intrusion detection capabilities that do not simply detect wireless attacks but prevent them
Comprehensive protection to safeguard confidential data and communications
Simplified user management with a single user identity and policy
Collaboration with wired security systems
Wireless Hacking
War driving
A neighbor hacks into another neighbor's wireless network to get free Internet access or to access information
Free Wi-Fi provides an opportunity to compromise the data of its users
Hacking Tools
Network Stumbler
Kismet
AirSnort
CoWPAtty
ASLEAP
Wireshark
Safety Considerations
Wireless networks using WEP or WPA/TKIP are not secure: WEP keys can be recovered from captured traffic (AirSnort), and TKIP has known attacks.
Wireless networks using WPA2/AES should have a passphrase at least 21 characters long.
If an IPsec VPN is available, use it on any public wireless LAN.
If wireless access is not needed, disable the wireless radio or wireless NIC.
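An added example, written for this page and not part of the original course, of why the passphrase advice above matters. WPA2-Personal derives the pre-shared key from the passphrase and the SSID with PBKDF2-HMAC-SHA1, so an attacker holding a captured 4-way handshake can test candidate passphrases offline, which is what coWPAtty in the tool list does. The code derives the PSK and checks it against the IEEE 802.11i test vector, runs a dictionary attack against a constructed target, and estimates exhaustive-search time for several passphrase lengths. The SSID and wordlist are constructed, and the 62-symbol alphabet and the measured rate are illustrative.

```python
import hashlib
import time

# IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
KNOWN_PSK = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def wpa2_psk(passphrase, ssid):
    """802.11i passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1 with the SSID as salt,
    4096 iterations, 256-bit output. In WPA2-Personal this PSK is the PMK, so
    whoever derives it from a captured handshake can decrypt the network's traffic."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def dictionary_attack(target_psk, ssid, wordlist):
    """coWPAtty-style offline attack: derive the PSK for each candidate passphrase
    until one matches. Returns (passphrase or None, number of PBKDF2 runs spent)."""
    for tries, word in enumerate(wordlist, start=1):
        if wpa2_psk(word, ssid) == target_psk:
            return word, tries
    return None, len(wordlist)


def guesses_per_second(ssid, seconds=0.25):
    """Rough single-core rate of PSK derivations on this machine."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        wpa2_psk("benchmark-%d" % n, ssid)
        n += 1
    return n / (time.perf_counter() - start)


def years_to_exhaust(length, alphabet_size, rate):
    """Time to try every passphrase of `length` symbols drawn from `alphabet_size` symbols."""
    return alphabet_size ** length / rate / (365 * 24 * 3600)


if __name__ == "__main__":
    assert wpa2_psk("password", "IEEE").hex() == KNOWN_PSK
    ssid = "CorpWiFi"                                 # constructed example SSID
    captured = wpa2_psk("letmein", ssid)              # stands in for a PSK targeted from a handshake
    print("dictionary attack:", dictionary_attack(captured, ssid, ["123456", "password", "letmein"]))
    rate = guesses_per_second(ssid)
    print(f"{rate:,.0f} guesses/s on one core")
    for n in (8, 12, 21):
        print(f"{n:2d} chars from a 62-symbol alphabet: {years_to_exhaust(n, 62, rate):.3g} years")
```

The 4096 iterations make each guess expensive, but a GPU cracker still manages far more guesses per second than this single core; what keeps the search out of reach is the passphrase length, since each extra character multiplies the keyspace by the alphabet size.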
VoIP
VoIP Components
Figure: IP phones and a videoconference station on the LAN; Cisco Unified Communications Manager (the call agent) and Cisco Unity (voice messaging); an MCU for conferencing; routers/gateways joining the sites across the IP backbone; and a PSTN gateway and a PBX providing the connection to the PSTN.
VoIP Protocols
VoIP Protocol / Description
H.323
ITU-T umbrella standard for voice, video and data communication over packet networks; the original VoIP signaling suite
MGCP
Emerging IETF standard for PSTN gateway control; thin device control
Megaco/H.248
Joint IETF and ITU standard for gateway control with support for multiple gateway types; evolved from the MGCP standard
SIP
IETF standard for initiating, modifying and terminating sessions; the most widely used VoIP signaling protocol
RTP
IETF standard for carrying real-time media (voice, video) over UDP
RTCP
Companion control protocol to RTP that reports delivery quality (loss, jitter, delay)
SRTP
Secure profile of RTP that encrypts and authenticates the media stream
SCCP
Cisco proprietary Skinny Client Control Protocol between Cisco IP phones and Cisco Unified Communications Manager
Threats
Reconnaissance
Directed attacks such as spam over IP telephony (SPIT) and spoofing
DoS attacks such as DHCP starvation, flooding, and fuzzing
Eavesdropping and man-in-the-middle attacks
VoIP SPIT
If SPIT grows like spam, it could result in regular DoS problems for network administrators.
Antispam methods do not block SPIT.
Authenticated TLS stops most SPIT attacks because TLS endpoints accept packets only from trusted devices.
Figure: an unsolicited call announcing "You've just won an all-expenses-paid vacation to the U.S. Virgin Islands!!!"
Fraud
SIP Vulnerabilities
Registration hijacking: allows a hacker to intercept incoming calls and reroute them.
Message tampering: allows a hacker to modify data packets traveling between SIP addresses.
Session tear-down: allows a hacker to terminate calls or carry out VoIP-targeted DoS attacks.
Figure: the SIP servers/services these attacks target: the registrars, the location database and the SIP proxy.
Using VLANs
Figure: the IP phone (10.1.110.3) is placed in the voice VLAN (110) and the desktop PC behind it (171.1.1.1) in the data VLAN (10); switch port 5/1 to the phone is an 802.1Q trunk carrying both.
Figure: a Cisco Adaptive Security Appliance at each site sits between the voice network and the WAN/Internet.
Using VPNs
Use IPsec for authentication
Use IPsec to protect all traffic, not just voice
Figure: the telephony servers at the central site are reached from a remote site's SRST router across an IPsec VPN over the IP WAN.
Performance
Reduced configuration complexity
Managed organizational boundaries
SAN
Figure: a SAN attached to the LAN and reachable over the IP network.
Zoning Operation
Zone members see only other members of the zone.
Zones can be configured dynamically based on WWN.
Figure: a SAN with three zones (ZoneA, ZoneB, ZoneC) drawn over hosts Host1 and Host2 and disks Disk1 through Disk4.
Security Focus
Figure: securing a SAN covers the SAN protocol itself, fabric access, IP storage access, target access and SAN management access.
SAN Management
Three main areas of vulnerability:
1. Disruption of switch processing
2. Compromised fabric stability
3. Compromised data integrity and confidentiality
VSANs
Relationship of VSANs to Zones
Figure: one physical topology carries VSAN 2 and VSAN 3. Zones (ZoneA, ZoneB, ZoneC, ZoneD) are defined inside a VSAN, and a zone name such as ZoneA can be reused in a different VSAN. Hosts Host1 through Host4 and disks Disk1 through Disk6 are the members.