Chapter 6 Overview

May 10, 2018 | Author: http://utsit.blogspot.com.au/ | Category: Session Initiation Protocol, Network Switch, Computer Network, Virtual Private Network, Voice Over Ip

CCNA Security

Chapter Six Securing the Local Area Network

Lesson Planning
• This lesson should take 3-4 hours to present
• The lesson should include lecture, demonstrations, discussions and assessments
• The lesson can be taught in person or using remote instruction

Major Concepts
• Describe endpoint vulnerabilities and protection methods
• Describe basic Catalyst switch vulnerabilities
• Configure and verify switch security features, including port security and storm control
• Describe the fundamental security considerations of Wireless, VoIP, and SANs

Lesson Objectives
Upon completion of this lesson, the successful participant will be able to:
1. Describe endpoint security and the enabling technologies
2. Describe how Cisco IronPort is used to ensure endpoint security
3. Describe how Cisco NAC products are used to ensure endpoint security
4. Describe how the Cisco Security Agent is used to ensure endpoint security
5. Describe the primary considerations for securing the Layer 2 infrastructure
6. Describe MAC address spoofing attacks and MAC address spoofing attack mitigation
7. Describe MAC address table overflow attacks and MAC address table overflow attack mitigation
8. Describe STP manipulation attacks and STP manipulation attack mitigation
9. Describe LAN storm attacks and LAN storm attack mitigation
10. Describe VLAN attacks and VLAN attack mitigation
11. Describe how to configure port security
12. Describe how to verify port security
13. Describe how to configure and verify BPDU Guard and Root Guard
14. Describe how to configure and verify storm control
15. Describe and configure Cisco SPAN
16. Describe and configure Cisco RSPAN
17. Describe the best practices for Layer 2 security
18. Describe the fundamental aspects of enterprise security for advanced technologies
19. Describe the fundamental aspects of wireless security and the enabling technologies
20. Describe wireless security solutions
21. Describe the fundamental aspects of VoIP security and the enabling technologies (Reference: CIAG course on VoIP security)
22. Describe VoIP security solutions
23. Describe the fundamental aspects of SAN security and the enabling technologies
24. Describe SAN security solutions

Securing the LAN
[Figure: network diagram. Perimeter: MARS, ACS, firewall, Internet VPN, IPS, IronPort. LAN: hosts, web server, email server, DNS.]
Areas of concentration:
• Securing endpoints
• Securing network infrastructure

Addressing Endpoint Security
[Figure: policy compliance, infection containment, secure host, threat protection.]
Based on three elements:
• Cisco Network Admission Control (NAC)
• Endpoint protection
• Network infection containment

Operating Systems Basic Security Services
• Trusted code and trusted path – ensures that the integrity of the operating system is not violated
• Privileged context of execution – provides identity authentication and certain privileges based on the identity
• Process memory protection and isolation – provides separation from other users and their data
• Access control to resources – ensures confidentiality and integrity of data

Types of Application Attacks
• Direct: "I have gained direct access to this application's privileges."
• Indirect: "I have gained access to this system, which is trusted by the other system, allowing me to access it."

Cisco Systems Endpoint Security Solutions
• Cisco Security Agent
• IronPort
• Cisco NAC

Cisco IronPort Products
IronPort products include:
• E-mail security appliances for virus and spam control
• Web security appliance for spyware filtering, URL filtering, and anti-malware
• Security management appliance

IronPort C-Series
[Figure: before IronPort, mail from the Internet passes the firewall and then a chain of separate components (encryption platform, MTA, DLP scanner, antispam, antivirus, DLP policy manager, policy enforcement, mail routing) before reaching groupware and users. After IronPort, a single IronPort E-mail Security Appliance sits between the firewall and groupware.]

IronPort S-Series
[Figure: before IronPort, web traffic from the Internet passes the firewall and then separate web proxy, antispyware, antivirus, antiphishing, URL filtering and policy management components before reaching users. After IronPort, a single IronPort S-Series appliance sits between the firewall and the users.]

Cisco NAC
The purpose of NAC:
• Allow only authorized and compliant systems to access the network
• Enforce network security policy
NAC Framework
• Software module embedded within NAC-enabled products
• Integrated framework leveraging multiple Cisco and NAC-aware vendor products
Cisco NAC Appliance
• In-band Cisco NAC Appliance solution can be used on any switch or router platform
• Self-contained, turnkey solution

The NAC Framework
[Figure: hosts attempting network access present credentials (EAP/UDP with Cisco Trust Agent, or EAP/802.1x) to the network access devices; the credentials are relayed over RADIUS to the AAA server, which acts as the policy server (decision points and remediation) and consults vendor servers over HTTPS to decide whether the host complies; the resulting access rights are enforced by the network access device and the host is notified.]

NAC Components
• Cisco NAS – serves as an in-band or out-of-band device for network access control
• Cisco NAA – optional lightweight client for device-based registry scans in unmanaged environments
• Cisco NAM – centralizes management for administrators, support personnel, and operators
• Rule-set updates – scheduled automatic updates for antivirus, critical hotfixes, and other applications

Cisco NAC Appliance Process
[Figure: host, Cisco NAS (in-band), Cisco NAM, authentication server, the intranet/network, and a separate quarantine role.]
The goal: the host is authenticated and optionally scanned for posture compliance.
1. Host attempts to access a web page or uses an optional client. Network access is blocked until the wired or wireless host provides login information.
2. Host is redirected to a login page. Cisco NAC Appliance validates username and password, and also performs device and network scans to assess vulnerabilities on the device (the types of checks depend on user role).
3a. Device is noncompliant or login is incorrect. Host is denied access and assigned to a quarantine role with access to online remediation resources (scan fails: remediate).
3b. Device is "clean". Machine gets on the "certified devices list" and is granted access to the network.

CSA Architecture
[Figure: servers protected by Cisco Security Agent send events over SSL to the Management Center for Cisco Security Agent (security policy, with internal or external database); alerts are delivered to the administration workstation.]

CSA Overview
[Figure: an application's requests pass through the file system, network, configuration and execution space interceptors to the rules engine (rules and policies, state) and the correlation engine, which returns an allowed request or a blocked request.]

CSA Functionality

Security Application        Network      File System  Configuration  Execution Space
                            Interceptor  Interceptor  Interceptor    Interceptor
Distributed Firewall        X
Host Intrusion Prevention   X                                        X
Application Sandbox                      X            X              X
Network Worm Prevention     X                                        X
File Integrity Monitor                   X            X

Attack Phases
– Probe phase: ping scans, port scans
– Penetrate phase: transfer exploit code to target
– Persist phase: install new code, modify configuration
– Propagate phase: attack other targets
– Paralyze phase: erase files, crash system, steal data
[Figure: server protected by Cisco Security Agent – file system interceptor, network interceptor, configuration interceptor, execution space interceptor.]

CSA Log Messages

Layer 2 Security
[Figure: the same perimeter diagram as under "Securing the LAN" (MARS, ACS, firewall, Internet VPN, IPS, IronPort), with the LAN side (hosts, web server, email server, DNS) highlighted.]

OSI Model
When it comes to networking, Layer 2 is often a very weak link.
[Figure: OSI layers and what each one carries – Application, Presentation, Session: application stream; Transport: protocols and ports; Network: IP addresses; Data Link: MAC addresses; Physical: physical links. The initial compromise occurs at the Data Link layer, and every layer above it is then compromised as well.]

MAC Address Spoofing Attack
[Figure: a switch with two ports. Port 1 – a host with MAC address AABBcc; Port 2 – the attacker with MAC address 12AbDd.]
The switch keeps track of the endpoints by maintaining a MAC address table. In MAC spoofing, the attacker poses as another host—in this case, AABBcc.
Switch: "I have associated Ports 1 and 2 with the MAC addresses of the devices attached. Traffic destined for each device will be forwarded directly."
Attacker: "I have changed the MAC address on my computer to match the server."
Switch: "The device with MAC address AABBcc has changed locations to Port 2. I must adjust my MAC address table accordingly."

MAC Address Table Overflow Attack
The switch can forward frames between PC1 and PC2 without flooding because the MAC address table contains port-to-MAC-address mappings for these PCs.
[Figure: attacker A and host C on port 3/25 in VLAN 10; servers B and D on other ports of the same switch.]
1. Intruder runs macof to begin sending unknown bogus MAC addresses.
2. Bogus addresses are added to the CAM table (3/25 MAC X, 3/25 MAC Y, 3/25 MAC Z, ...). CAM table is full.
3. The switch floods the frames.
4. Attacker sees traffic to servers B and D.

STP Manipulation Attack
• Spanning tree protocol operates by electing a root bridge
• STP builds a tree topology
• STP manipulation changes the topology of a network—the attacking host appears to be the root bridge
[Figure: root bridge with priority = 8192 and MAC address 0000.00C0.1234; switch ports marked F (forwarding) and B (blocking). After the attack the attacker's host has become the root bridge and the forwarding/blocking states have changed.]
The attacking host broadcasts out STP configuration and topology change BPDUs. This is an attempt to force spanning tree recalculations.

LAN Storm Attack
[Figure: broadcast frames replicated out of every port of the switch.]
• Broadcast, multicast, or unicast packets are flooded on all ports in the same VLAN.
• These storms can increase the CPU utilization on a switch to 100%, reducing the performance of the network.
Storm Control
[Figure: graph of the total number of broadcast packets or bytes over time against the configured threshold.]

VLAN Attacks
VLANs provide:
• Segmentation
• Flexibility
• Security
VLAN = Broadcast Domain = Logical Network (Subnet)
[Figure: an 802.1Q trunk carrying VLAN 10 and VLAN 20 to two servers; the attacker sees traffic destined for the servers.]
A VLAN hopping attack can be launched in two ways:
• Spoofing DTP messages from the attacking host to cause the switch to enter trunking mode
• Introducing a rogue switch and turning trunking on

Double-Tagging VLAN Attack
1. Attacker is on VLAN 10, but puts a 20 tag in the packet (an 802.1Q frame tagged with VLAN 20).
2. The first switch strips off the first tag and does not retag it (native traffic is not retagged). It then forwards the packet to switch 2 over the trunk (native VLAN = 10).
3. The second switch receives the packet on the native VLAN.
4. The second switch examines the packet, sees the VLAN 20 tag and forwards it accordingly to the victim (VLAN 20).
Note: This attack works only if the trunk has the same native VLAN as the attacker.
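The following is an added example, not part of the course slides: a byte-level model of how the two switches in the figure handle 802.1Q tags, written to show why the attack depends on the trunk's native VLAN matching the attacker's VLAN and why moving the native VLAN to an unused ID defeats it. The frame, MAC addresses and VLAN numbers are constructed, and the model assumes (as the slide does) that the first switch's access port strips a tag equal to its own VLAN rather than dropping the frame; real platforms differ on that detail.

```python
"""Model of 802.1Q tag handling across an access port and a trunk.

Added example, not from the course slides. The frame bytes, MAC addresses
and VLAN numbers are constructed; the access-port behaviour is a modelling
assumption (see the lead-in).
"""

TPID = b"\x81\x00"                       # 802.1Q tag protocol identifier
BROADCAST = bytes.fromhex("ffffffffffff")


def build_frame(dst, src, vlans, ethertype=b"\x08\x00", payload=b"payload"):
    """Ethernet frame with zero or more 802.1Q tags, outermost first (PCP/DEI = 0)."""
    tags = b"".join(TPID + v.to_bytes(2, "big") for v in vlans)
    return dst + src + tags + ethertype + payload


def outer_tag(frame):
    """VLAN ID of the outermost tag, or None if the frame is untagged."""
    if frame[12:14] != TPID:
        return None
    return int.from_bytes(frame[14:16], "big") & 0x0FFF


def pop_tag(frame):
    """Remove the outermost tag; inner bytes (including any inner tag) are untouched."""
    return frame[:12] + frame[16:]


def push_tag(frame, vlan):
    """Insert a new outermost tag."""
    return frame[:12] + TPID + vlan.to_bytes(2, "big") + frame[12:]


def access_port_ingress(frame, access_vlan):
    """Switch 1 access port: untagged frames and frames tagged with the port's own
    VLAN are placed in access_vlan (the tag is stripped); anything else is dropped."""
    tag = outer_tag(frame)
    if tag is None:
        return access_vlan, frame
    if tag == access_vlan:
        return access_vlan, pop_tag(frame)
    return None, None


def trunk_egress(vlan, frame, native_vlan):
    """Frames in the native VLAN leave the trunk untagged; all others get a tag."""
    return frame if vlan == native_vlan else push_tag(frame, vlan)


def trunk_ingress(frame, native_vlan):
    """Switch 2 trunk port: the outermost tag selects the VLAN; an untagged frame
    belongs to the native VLAN. Only one tag is examined."""
    tag = outer_tag(frame)
    if tag is None:
        return native_vlan, frame
    return tag, pop_tag(frame)


def delivered_vlan(frame, access_vlan, native_vlan):
    """VLAN in which switch 2 forwards a frame that entered switch 1's access port,
    or None if switch 1 dropped it."""
    vlan, f = access_port_ingress(frame, access_vlan)
    if vlan is None:
        return None
    on_wire = trunk_egress(vlan, f, native_vlan)
    vlan_at_switch2, _ = trunk_ingress(on_wire, native_vlan)
    return vlan_at_switch2


# Constructed double-tagged frame: outer tag 10 (the sender's own VLAN), inner tag 20.
DOUBLE_TAGGED = build_frame(BROADCAST, bytes.fromhex("0200deadbeef"), [10, 20])

if __name__ == "__main__":
    print("native VLAN 10 :", delivered_vlan(DOUBLE_TAGGED, 10, 10))    # 20
    print("native VLAN 999:", delivered_vlan(DOUBLE_TAGGED, 10, 999))   # 10
```

With the trunk's native VLAN equal to the sender's access VLAN, switch 1 sends the frame untagged and switch 2 reads the inner tag, so the frame lands in VLAN 20. With `switchport trunk native vlan 999` on the trunk, switch 1 pushes a VLAN 10 tag, switch 2 pops that tag and keeps the frame in VLAN 10, and the inner tag is never interpreted.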

Port Security Overview
[Figure: port 0/1 allows MAC A, port 0/2 allows MAC B, port 0/3 allows MAC C. Attacker 1 (MAC F) and attacker 2 are connected to ports that allow only the configured addresses.]
Port security allows an administrator to statically specify MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses.

CLI Commands
Switch(config-if)# switchport mode access
• Sets the interface mode as access
Switch(config-if)# switchport port-security
• Enables port security on the interface
Switch(config-if)# switchport port-security maximum value
• Sets the maximum number of secure MAC addresses for the interface (optional)

Switchport Port-Security Parameters

mac-address mac-address
(Optional) Specify a secure MAC address for the port by entering a 48-bit MAC address. You can add additional secure MAC addresses up to the maximum value configured.

vlan vlan-id
(Optional) On a trunk port only, specify the VLAN ID and the MAC address. If no VLAN ID is specified, the native VLAN is used.

vlan access
(Optional) On an access port only, specify the VLAN as an access VLAN.

vlan voice
(Optional) On an access port only, specify the VLAN as a voice VLAN.

mac-address sticky [mac-address]
(Optional) Enable the interface for sticky learning by entering only the mac-address sticky keywords. When sticky learning is enabled, the interface adds all secure MAC addresses that are dynamically learned to the running configuration and converts these addresses to sticky secure MAC addresses. Specify a sticky secure MAC address by entering the mac-address sticky mac-address keywords.

maximum value
(Optional) Set the maximum number of secure MAC addresses for the interface. The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system. The active Switch Database Management (SDM) template determines this number. This number represents the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces. The default setting is 1.

vlan [vlan-list]
(Optional) For trunk ports, you can set the maximum number of secure MAC addresses on a VLAN. If the vlan keyword is not entered, the default value is used. vlan: set a per-VLAN maximum value. vlan vlan-list: set a per-VLAN maximum value on a range of VLANs separated by a hyphen or a series of VLANs separated by commas. For nonspecified VLANs, the per-VLAN maximum value is used.

Port Security Violation Configuration
Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}
• Sets the violation mode (optional)
Switch(config-if)# switchport port-security mac-address mac-address
• Enters a static secure MAC address for the interface (optional)
Switch(config-if)# switchport port-security mac-address sticky
• Enables sticky learning on the interface (optional)

Switchport Port-Security Violation Parameters

protect
(Optional) Set the security violation protect mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.

restrict
(Optional) Set the security violation restrict mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred.

shutdown
(Optional) Set the security violation shutdown mode. In this mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and increments the violation counter. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands.

shutdown vlan
Set the security violation mode to per-VLAN shutdown. In this mode, only the VLAN on which the violation occurred is error-disabled.
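The following is an added example, not part of the course slides, serving both the MAC address table overflow attack described earlier and the violation modes in the table above. It is a small model of a switch CAM table: without port security, a flood of bogus source MACs from one port fills the table and the switch then floods the unicast frame from server B to server D out of the attacker's port; with `switchport port-security maximum 2` on that port, the same flood is stopped, and the protect, restrict and shutdown modes differ only in how the switch reports it. Port names, the CAM capacity and all MAC addresses are constructed.

```python
"""Model of a switch CAM table with and without port security.

Added example, not from the course slides: port names, the CAM capacity and
all MAC addresses are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class PortSecurity:
    maximum: int = 1                      # switchport port-security maximum
    violation: str = "shutdown"           # protect | restrict | shutdown
    secure_macs: set = field(default_factory=set)
    violation_count: int = 0
    err_disabled: bool = False


class Switch:
    def __init__(self, ports, cam_capacity):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity  # hardware limit on CAM entries
        self.cam = {}                     # MAC -> port
        self.portsec = {}                 # port -> PortSecurity
        self.syslog = []

    def enable_port_security(self, port, maximum, violation):
        self.portsec[port] = PortSecurity(maximum=maximum, violation=violation)

    def _port_security_allows(self, port, src):
        """Apply port security to a frame's source MAC; False means drop."""
        ps = self.portsec.get(port)
        if ps is None:
            return True
        if ps.err_disabled:
            return False
        if src in ps.secure_macs:
            return True
        if len(ps.secure_macs) < ps.maximum:
            ps.secure_macs.add(src)       # dynamically learned secure MAC
            return True
        # limit reached and the source is not a secure MAC: a violation
        if ps.violation == "protect":
            return False                  # silently dropped, no notification
        ps.violation_count += 1
        self.syslog.append(f"PSECURE_VIOLATION: {src} on {port}")
        if ps.violation == "shutdown":
            ps.err_disabled = True        # port becomes error-disabled
        return False

    def _active(self, port):
        ps = self.portsec.get(port)
        return ps is None or not ps.err_disabled

    def receive(self, in_port, src, dst):
        """Process one frame and return the set of ports it is sent out of."""
        if not self._port_security_allows(in_port, src):
            return set()
        if src not in self.cam and len(self.cam) < self.cam_capacity:
            self.cam[src] = in_port       # learn; a full CAM learns nothing new
        out = self.cam.get(dst)
        if out is None or out == in_port:  # unknown destination: flood
            return {p for p in self.ports if p != in_port and self._active(p)}
        return {out}


MAC_B = "00:00:00:00:00:0b"
MAC_D = "00:00:00:00:00:0d"
BROADCAST = "ff:ff:ff:ff:ff:ff"


def bogus_macs(n):
    """Constructed bogus source MACs, one per frame of the flood."""
    return [f"de:ad:{i >> 8:02x}:{i & 0xff:02x}:00:01" for i in range(n)]


def scenario(port_security=None, cam_capacity=64, n_bogus=1000):
    """Servers B (3/1) and D (3/2); an attacker on 3/25 floods n_bogus MACs.

    port_security is None or a (maximum, violation) pair applied to 3/25.
    Returns the state after B then sends a unicast frame to D.
    """
    sw = Switch(["3/1", "3/2", "3/25"], cam_capacity)
    if port_security:
        sw.enable_port_security("3/25", *port_security)
    for mac in bogus_macs(n_bogus):
        sw.receive("3/25", mac, BROADCAST)
    sw.receive("3/2", MAC_D, BROADCAST)   # D announces itself (e.g. an ARP)
    ports = sw.receive("3/1", MAC_B, MAC_D)
    ps = sw.portsec.get("3/25")
    return {
        "cam_entries": len(sw.cam),
        "attacker_sees_b_to_d": "3/25" in ports,
        "violations": ps.violation_count if ps else 0,
        "err_disabled": ps.err_disabled if ps else False,
    }


if __name__ == "__main__":
    for mode in (None, (2, "protect"), (2, "restrict"), (2, "shutdown")):
        print(mode, scenario(mode))
```

In the unprotected run the CAM holds only bogus entries, D can never be learned, and B's frame to D is flooded to the attacker's port. With a maximum of two secure addresses the table stays small in every mode; protect drops silently, restrict drops and logs each offending frame, and shutdown logs once and error-disables the port, which is why the slides call shutdown the mode that notifies you and stops the traffic at the same time.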

Port Security Aging Configuration
Switch(config-if)# switchport port-security aging {static | time time | type {absolute | inactivity}}
• Enables or disables static aging for the secure port, or sets the aging time or type
• The aging command allows MAC addresses on the secure switchport to be deleted after the set aging time
• This helps to avoid a situation where obsolete MAC addresses occupy the table and saturate it, causing a violation when the maximum number is exceeded

Switchport Port-Security Aging Parameters

static
Enable aging for statically configured secure addresses on this port.

time time
Specify the aging time for this port. The range is 0 to 1440 minutes. If the time is 0, aging is disabled for this port.

type absolute
Set absolute aging type. All the secure addresses on this port age out exactly after the time (minutes) specified and are removed from the secure address list.

type inactivity
Set the inactivity aging type. The secure addresses on this port age out only if there is no data traffic from the secure source address for the specified time period.

Typical Configuration
[Figure: PC B connected to an access port on switch S2.]
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security aging time 120

CLI Commands
sw-class# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
     Fa0/12              2            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024

sw-class# show port-security interface f0/12
Port Security              : Enabled
Port status                : Secure-down
Violation mode             : Shutdown
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Aging time                 : 120 mins
Aging type                 : Absolute
SecureStatic address aging : Disabled
Security Violation Count   : 0

View Secure MAC Addresses
sw-class# show port-security address
          Secure Mac Address Table
------------------------------------------------------------------
Vlan    Mac Address       Type               Ports    Remaining Age
                                                         (mins)
----    -----------       ----               -----    -------------
   1    0000.ffff.aaaa    SecureConfigured   Fa0/12         -
------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024

MAC Address Notification
[Figure: switch CAM table F1/1 = MAC A, F1/2 = MAC B, F2/1 = MAC D (address ages out). MAC D is away from the network. SNMP traps are sent to the NMS when new MAC addresses appear or when old ones time out.]
MAC address notification allows monitoring of the MAC addresses, at the module and port level, added by the switch or removed from the CAM table for secure ports.

Configure PortFast
[Figure: a server and a workstation connected to access ports.]

Switch(config-if)# spanning-tree portfast
Enables PortFast on a Layer 2 access port and forces it to enter the forwarding state immediately.

Switch(config-if)# no spanning-tree portfast
Disables PortFast on a Layer 2 access port. PortFast is disabled by default.

Switch(config)# spanning-tree portfast default
Globally enables the PortFast feature on all nontrunking ports.

Switch# show running-config interface type slot/port
Indicates whether PortFast has been configured on a port.

BPDU Guard
[Figure: root bridge with forwarding (F) and blocking (B) ports; the attacker sends an STP BPDU into a port with BPDU Guard enabled.]
Switch(config)# spanning-tree portfast bpduguard default
• Globally enables BPDU guard on all ports with PortFast enabled

Display the State of Spanning Tree
Switch# show spanning-tree summary totals
Root bridge for: none.
PortFast BPDU Guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Spanning tree default pathcost method used is short
Name                 Blocking Listening Learning Forwarding STP Active
-------------------- -------- --------- -------- ---------- ----------
1 VLAN                      0         0        0          1          1

Root Guard
[Figure: root bridge with priority = 0 and MAC address 0000.0c45.1a5d; forwarding (F) and blocking (B) ports. The attacker sends an STP BPDU claiming priority = 0 and MAC address 0000.0c45.1234 into a port with Root Guard enabled.]
Switch(config-if)# spanning-tree guard root
• Enables root guard on a per-interface basis

Verify Root Guard
Switch# show spanning-tree inconsistentports
Name       Interface        Inconsistency
---------- ---------------- ----------------------
VLAN0001   FastEthernet3/1  Port Type Inconsistent
VLAN0001   FastEthernet3/2  Port Type Inconsistent
VLAN1002   FastEthernet3/1  Port Type Inconsistent
VLAN1002   FastEthernet3/2  Port Type Inconsistent
VLAN1003   FastEthernet3/1  Port Type Inconsistent
VLAN1003   FastEthernet3/2  Port Type Inconsistent
VLAN1004   FastEthernet3/1  Port Type Inconsistent
VLAN1004   FastEthernet3/2  Port Type Inconsistent
VLAN1005   FastEthernet3/1  Port Type Inconsistent
VLAN1005   FastEthernet3/2  Port Type Inconsistent
Number of inconsistent ports (segments) in the system : 10

Storm Control Methods
• Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic
• Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received
• Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received
• Traffic rate in packets per second for small frames. This feature is enabled globally. The threshold for small frames is configured for each interface.

Storm Control Configuration
Switch(config-if)# storm-control broadcast level 75.5
Switch(config-if)# storm-control multicast level pps 2k 1k
Switch(config-if)# storm-control action shutdown
• Enables storm control
• Specifies the level at which it is enabled
• Specifies the action that should take place when the threshold (level) is reached, in addition to filtering traffic

Storm Control Parameters

broadcast
Enables broadcast storm control on the interface.

multicast
Enables multicast storm control on the interface.

unicast
Enables unicast storm control on the interface.

level level [level-low]
Rising and falling suppression levels as a percentage of total bandwidth of the port.
• level: Rising suppression level. The range is 0.00 to 100.00. Block the flooding of storm packets when the value specified for level is reached.
• level-low: (Optional) Falling suppression level, up to two decimal places. This value must be less than or equal to the rising suppression value.

level bps bps [bps-low]
Specify the rising and falling suppression levels as a rate in bits per second at which traffic is received on the port.
• bps: Rising suppression level. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for bps is reached.
• bps-low: (Optional) Falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value.

level pps pps [pps-low]
Specify the rising and falling suppression levels as a rate in packets per second at which traffic is received on the port.
• pps: Rising suppression level. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for pps is reached.
• pps-low: (Optional) Falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value.

action {shutdown | trap}
The action taken when a storm occurs on a port. The default action is to filter traffic and to not send an SNMP trap. The keywords have these meanings:
• shutdown: Disables the port during a storm
• trap: Sends an SNMP trap when a storm occurs

Verify Storm Control Settings
Switch# show storm-control
Interface  Filter State  Upper    Lower    Current
---------  ------------  -------  -------  -------
Gi0/1      Forwarding    20 pps   10 pps   5 pps
Gi0/2      Forwarding    50.00%   40.00%   0.00%
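The following is an added example, not part of the course slides: a model of the rising/falling hysteresis behind the Upper and Lower columns above. Each entry in `rates` is the broadcast packets-per-second measured in one interval, `rising` and `falling` are the levels from `storm-control broadcast level pps <rising> <falling>`, and the function returns the Filter State per interval and any events produced by the `action` keyword. The sample rates are constructed; the Gi0/1 thresholds (20 pps upper, 10 pps lower) are the ones in the output above.

```python
"""Model of storm-control suppression levels with hysteresis.

Added example, not from the course slides. Rates are constructed; the
interval length (one measurement per entry) is an assumption of the model.
"""


def storm_control(rates, rising, falling=None, action=None):
    """Return (states, events) for a sequence of per-interval traffic rates.

    states: the Filter State of the port in each interval, as shown by
            `show storm-control` (Forwarding, Blocking, or Shutdown).
    events: (interval, description) pairs produced by the action keyword.
    If no falling level is given it defaults to the rising level, as on IOS.
    """
    if falling is None:
        falling = rising
    if falling > rising:
        raise ValueError("falling level must be less than or equal to rising level")
    state = "Forwarding"
    states, events = [], []
    for t, rate in enumerate(rates):
        if state == "Shutdown":
            states.append(state)          # error-disabled: stays down
            continue
        if state == "Forwarding" and rate >= rising:
            state = "Blocking"            # storm detected: filter this traffic type
            if action == "trap":
                events.append((t, "SNMP trap: storm detected"))
            elif action == "shutdown":
                state = "Shutdown"
                events.append((t, "port error-disabled"))
        elif state == "Blocking" and rate < falling:
            state = "Forwarding"          # traffic fell below the lower level: resume
        states.append(state)
    return states, events


# Constructed one-second broadcast rates seen on Gi0/1 (upper 20 pps, lower 10 pps).
SAMPLE_RATES = [5, 25, 15, 8, 30, 2]

if __name__ == "__main__":
    for act in (None, "trap", "shutdown"):
        states, events = storm_control(SAMPLE_RATES, rising=20, falling=10, action=act)
        print(f"action={act!s:9} states={states} events={events}")
```

The third interval (15 pps) is what the falling level is for: the rate is already under the rising level, but the port keeps filtering until the rate drops below 10 pps, so a storm hovering just under the threshold cannot flap the filter on and off every second. Without a falling level the port would resume forwarding at 15 pps.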



Mitigating VLAN Attacks
[Figure: trunk with native VLAN = 10.]
1. Disable trunking on all access ports.
2. Disable auto trunking and manually enable trunking.
3. Be sure that the native VLAN is used only for trunk lines and nowhere else.

Controlling Trunking
Switch(config-if)# switchport mode trunk
• Specifies an interface as a trunk link
Switch(config-if)# switchport nonegotiate
• Prevents the generation of DTP frames
Switch(config-if)# switchport trunk native vlan vlan_number
• Sets the native VLAN on the trunk to an unused VLAN

Traffic Analysis
[Figure: the attacker's traffic is mirrored to an IDS, RMON probe or protocol analyzer, which raises an "Intruder Alert!".]
A SPAN port mirrors traffic to another port where a monitoring device is connected. Without this, it can be difficult to track hackers after they have entered the network.

CLI Commands
Switch(config)# monitor session session_number source {interface interface-id [, | -] [both | rx | tx]} | {vlan vlan-id [, | -] [both | rx | tx]} | {remote vlan vlan-id}
Switch(config)# monitor session session_number destination {interface interface-id [, | -] [encapsulation {dot1q | isl | replicate}] [ingress {dot1q vlan vlan-id | untagged vlan vlan-id | vlan vlan-id}]} | {remote vlan vlan-id}

Verify SPAN Configuration

SPAN and IDS
[Figure: attacker on port F0/1, IDS on port F0/2.]
Use SPAN to mirror traffic in and out of port F0/1 to port F0/2.

Overview of RSPAN
[Figure: source VLANs on several switches are mirrored into an RSPAN VLAN that carries the traffic to the switch where the IDS is connected, which raises an "Intruder Alert!" on the attacker's traffic.]
• An RSPAN port mirrors traffic to another port on another switch where a probe or IDS sensor is connected.
• This allows more switches to be monitored with a single probe or IDS.

Configuring RSPAN
[Figure: switches 2960-1 and 2960-2 connected by a trunk.]
1. Configure the RSPAN VLAN
2960-1(config)# vlan 100
2960-1(config-vlan)# remote-span
2960-1(config-vlan)# exit
2. Configure the RSPAN source ports and VLANs
2960-1(config)# monitor session 1 source interface FastEthernet 0/1
2960-1(config)# monitor session 1 destination remote vlan 100 reflector-port FastEthernet 0/24
2960-1(config)# interface FastEthernet 0/2
2960-1(config-if)# switchport mode trunk
3. Configure the RSPAN traffic to be forwarded
2960-2(config)# monitor session 2 source remote vlan 100
2960-2(config)# monitor session 2 destination interface FastEthernet 0/3
2960-2(config)# interface FastEthernet 0/2
2960-2(config-if)# switchport mode trunk

Verifying RSPAN Configuration
show monitor [session {session_number | all | local | range list | remote} [detail]] [ | {begin | exclude | include} expression]

Layer 2 Guidelines
• Manage switches in as secure a manner as possible (SSH, out-of-band management, ACLs, etc.)
• Set all user ports to non-trunking mode (except if using Cisco VoIP)
• Use port security where possible for access ports
• Enable STP attack mitigation (BPDU guard, root guard)
• Use Cisco Discovery Protocol only where necessary – with phones it is useful
• Configure PortFast on all non-trunking ports
• Configure root guard on STP root ports
• Configure BPDU guard on all non-trunking ports

VLAN Practices
• Always use a dedicated, unused native VLAN ID for trunk ports
• Do not use VLAN 1 for anything
• Disable all unused ports and put them in an unused VLAN
• Manually configure all trunk ports and disable DTP on trunk ports
• Configure all non-trunking ports with switchport mode access
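The following is an added example, not part of the course slides or of any Cisco tool: a script that reads an IOS-style running-config and reports each interface that misses one of the Layer 2 and VLAN practices listed above (access ports without port security, PortFast or BPDU guard; trunks that still negotiate DTP or use VLAN 1 as the native VLAN; ports with no explicit mode that should be shut down). The configuration text is constructed, and the checks use only commands that appear on this page.

```python
"""Audit a running-config against the Layer 2 guidelines on this page.

Added example, not from the course slides. SAMPLE_CONFIG is constructed.
"""
import re

SAMPLE_CONFIG = """\
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/3
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 1
!
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
!
"""


def parse_config(config):
    """Split a running-config into global lines and per-interface lines."""
    globals_, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None                    # "!" closes the current section
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        elif line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        else:
            globals_.append(line)
    return globals_, interfaces


def audit(config):
    """Return (interface, finding) pairs for every guideline an interface misses."""
    globals_, interfaces = parse_config(config)
    # spanning-tree portfast bpduguard default covers every PortFast port globally
    global_bpduguard = "spanning-tree portfast bpduguard default" in globals_
    findings = []
    for name, lines in interfaces.items():
        cfg = set(lines)
        if "shutdown" in cfg:
            continue                          # disabled port: nothing to check
        access = "switchport mode access" in cfg
        trunk = "switchport mode trunk" in cfg
        if not access and not trunk:
            findings.append((name, "no-switchport-mode"))   # unused port left live
            continue
        if access:
            if "switchport port-security" not in cfg:
                findings.append((name, "no-port-security"))
            if "spanning-tree portfast" not in cfg:
                findings.append((name, "no-portfast"))
            elif not global_bpduguard and "spanning-tree bpduguard enable" not in cfg:
                findings.append((name, "no-bpduguard"))
        if trunk:
            if "switchport nonegotiate" not in cfg:
                findings.append((name, "dtp-enabled"))
            native = 1                        # IOS default native VLAN
            for line in lines:
                m = re.match(r"switchport trunk native vlan (\d+)$", line)
                if m:
                    native = int(m.group(1))
            if native == 1:
                findings.append((name, "native-vlan-1"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit(SAMPLE_CONFIG):
        print(f"{interface:20} {finding}")
```

Run against the constructed config it reports nothing for FastEthernet0/1 and GigabitEthernet0/2, which follow the guidelines, and flags the other three: the access port without port security or BPDU guard, the interface with no mode at all, and the trunk that still negotiates DTP on native VLAN 1. Feeding it `show running-config` output from a real switch is a quick way to find the ports the guidelines above have not yet reached.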

Overview of Wireless, VoIP and SAN Security
[Figure: three technology areas – wireless, VoIP, SAN.]

Infrastructure-Integrated Approach • Proactive threat and intrusion detection capabilities that do not simply detect wireless attacks but prevent them • Comprehensive protection to safeguard confidential data and communications • Simplified user management with a single user identity and policy • Collaboration with wired security systems

Cisco IP Telephony Solutions • Single-site deployment • Centralized call processing with remote branches • Distributed call-processing deployment • Clustering over the IP WAN

Storage Network Solutions • Investment protection • Virtualization • Security • Consolidation •  Availability

Cisco Wireless LAN Controllers
• Responsible for system-wide wireless LAN functions
• Work in conjunction with APs and the Cisco Wireless Control System (WCS) to support wireless applications
• Smoothly integrate into existing enterprise networks

Wireless Hacking
• War driving
• A neighbor hacks into another neighbor's wireless network to get free Internet access or access information
• Free Wi-Fi provides an opportunity to compromise the data of users

Hacking Tools
• Network Stumbler
• Kismet
• AirSnort
• CoWPAtty
• ASLEAP
• Wireshark

Safety Considerations • Wireless networks using WEP or WPA/TKIP are not very secure and vulnerable to hacking attacks. • Wireless networks using WPA2/AES should have a passphrase of at least 21 characters long. • If an IPsec VPN is available, use it on any public wireless LAN. • If wireless access is not needed, disable the wireless radio or wireless NIC.

VoIP Business Advantages
[Figure: VoIP network connected to the PSTN through a gateway.]
• Little or no training costs
• No major set-up fees
• Lower telecom call costs
• Productivity increases
• Enables unified messaging
• Lower costs to move, add, or change
• Encryption of voice calls is supported
• Lower ongoing service and maintenance costs
• Fewer administrative personnel required

VoIP Components
[Figure: IP phones, a videoconference station, an MCU, Cisco Unity and Cisco Unified Communications Manager (call agent) on the IP backbone, connected to the PSTN through routers/gateways.]

VoIP Protocols

H.323
ITU standard protocol for interactive conferencing; evolved from the H.320 ISDN standard; flexible, complex

MGCP
Emerging IETF standard for PSTN gateway control; thin device control

Megaco/H.248
Joint IETF and ITU standard for gateway control with support for multiple gateway types; evolved from the MGCP standard

SIP
IETF protocol for interactive and noninteractive conferencing; simpler but less mature than H.323

RTP
IETF standard media-streaming protocol

RTCP
IETF protocol that provides out-of-band control information for an RTP flow

SRTP
IETF protocol that encrypts RTP traffic as it leaves the voice device

SCCP
Cisco proprietary protocol used between Cisco Unified Communications Manager and Cisco IP phones

Threats

• Reconnaissance • Directed attacks such as spam over IP telephony (SPIT) and spoofing • DoS attacks such as DHCP starvation, flooding, and fuzzing • Eavesdropping and man-in-the-middle attacks

VoIP SPIT
• If SPIT grows the way e-mail spam did, it could become a recurring DoS problem for network administrators.
• E-mail antispam methods do not block SPIT.
• Mutually authenticated TLS on the SIP signaling path stops most SPIT, because a TLS-protected proxy or endpoint accepts signaling only from peers that present a trusted certificate.
Example SPIT message from the slide: “You’ve just won an all expenses paid vacation to the U.S. Virgin Islands!!!”

Fraud
• Fraud takes several forms:
  – Vishing: a voice version of phishing that tricks the called party into giving up confidential information.
  – Theft and toll fraud: stealing telephone service, typically by placing long-distance or premium-rate calls through the victim's system.
• Use features of Cisco Unified Communications Manager to protect against fraud:
  – Partitions limit which parts of the dial plan a given phone can reach.
  – Dial plan filters control access to expensive or frequently abused numbers.
  – Forced Authorization Codes (FACs) prevent unauthorized calls and provide a mechanism for tracking who placed them.

SIP Vulnerabilities
• Registration hijacking: an attacker sends a REGISTER for the victim's address of record with his own Contact, so the registrar's location database routes the victim's incoming calls to the attacker.
• Message tampering: allows an attacker to modify SIP messages or media traveling between SIP addresses.
• Session tear-down: allows an attacker to terminate calls (for example with a forged BYE) or carry out VoIP-targeted DoS attacks.
(Diagram: SIP user agents register through a SIP proxy with the registrar, which stores the bindings in the location database.)
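The registration hijack above is easiest to see against a working registrar. The following is an added example, not code from the course or from any Cisco product: a minimal Python SIP registrar that, in its open configuration, lets anyone rebind Alice's address of record, and that in its hardened configuration challenges every REGISTER with RFC 3261 digest authentication, refuses replayed nonces, and refuses a correctly authenticated user who tries to bind someone else's address. The realm example.com, the credential store, and the addresses 10.1.110.3 and 192.0.2.66 are constructed for the example.

```python
import hashlib
import hmac
import re
import secrets

CRLF = "\r\n"


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def parse_sip(raw):
    """Split a SIP request into (method, request-uri, {lower-case header: value})."""
    lines = raw.split(CRLF + CRLF, 1)[0].split(CRLF)
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def digest_response(username, realm, password, method, uri, nonce):
    """HTTP Digest as SIP uses it (RFC 3261 referencing RFC 2617, no qop): MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def extract_nonce(challenge):
    return re.search(r'nonce="([^"]*)"', challenge).group(1)


class Registrar:
    """Keeps address-of-record -> Contact bindings that incoming calls are routed to."""

    def __init__(self, realm, users, require_auth=True):
        self.realm = realm
        self.users = users              # username -> password (assumed provisioning store)
        self.require_auth = require_auth
        self.bindings = {}              # AOR -> Contact URI
        self.nonces = set()             # outstanding one-time nonces (replay protection)

    def handle(self, raw):
        method, uri, hdr = parse_sip(raw)
        if method != "REGISTER":
            return "SIP/2.0 405 Method Not Allowed"
        aor, contact = hdr["to"].strip("<>"), hdr["contact"].strip("<>")
        if not self.require_auth:           # open registrar: anyone may rebind any AOR
            self.bindings[aor] = contact
            return "SIP/2.0 200 OK"
        auth = hdr.get("authorization")
        if auth is None:                    # first attempt: challenge with a fresh nonce
            nonce = secrets.token_hex(16)
            self.nonces.add(nonce)
            return (f"SIP/2.0 401 Unauthorized{CRLF}"
                    f'WWW-Authenticate: Digest realm="{self.realm}", nonce="{nonce}"')
        p = dict(re.findall(r'(\w+)="([^"]*)"', auth))
        if p.get("nonce") not in self.nonces:  # unknown, or already consumed (replay)
            return "SIP/2.0 401 Unauthorized"
        self.nonces.discard(p["nonce"])
        user = p.get("username", "")
        expected = digest_response(user, self.realm, self.users.get(user, ""),
                                   method, p.get("uri", uri), p["nonce"])
        # Wrong password, unknown user, or a valid user binding someone else's AOR: refuse.
        if (user not in self.users or not hmac.compare_digest(p.get("response", ""), expected)
                or aor != f"sip:{user}@{self.realm}"):
            return "SIP/2.0 403 Forbidden"
        self.bindings[aor] = contact
        return "SIP/2.0 200 OK"


def register_request(aor, contact, authorization=None):
    """Minimal REGISTER carrying only the headers this example inspects."""
    msg = (f"REGISTER sip:example.com SIP/2.0{CRLF}To: <{aor}>{CRLF}"
           f"From: <{aor}>{CRLF}Contact: <{contact}>{CRLF}")
    if authorization:
        msg += f"Authorization: {authorization}{CRLF}"
    return msg + CRLF


def client_register(reg, aor, contact, username, password):
    """A user agent: send REGISTER, then answer the 401 challenge with a digest."""
    reply = reg.handle(register_request(aor, contact))
    if not reply.startswith("SIP/2.0 401"):
        return reply
    nonce = extract_nonce(reply)
    resp = digest_response(username, reg.realm, password, "REGISTER", "sip:example.com", nonce)
    auth = (f'Digest username="{username}", realm="{reg.realm}", nonce="{nonce}", '
            f'uri="sip:example.com", response="{resp}"')
    return reg.handle(register_request(aor, contact, auth))


def demo():
    """Open registrar gets hijacked; the authenticating one keeps Alice's real binding."""
    users = {"alice": "s3cret"}                     # constructed credential store
    alice, phone, rogue = "sip:alice@example.com", "sip:alice@10.1.110.3", "sip:attacker@192.0.2.66"
    open_reg = Registrar("example.com", users, require_auth=False)
    open_reg.handle(register_request(alice, phone))
    open_reg.handle(register_request(alice, rogue))  # no credentials: Alice's calls now ring the attacker
    secure = Registrar("example.com", users)
    client_register(secure, alice, phone, "alice", "s3cret")
    forged = client_register(secure, alice, rogue, "alice", "guess")
    return open_reg.bindings[alice], secure.bindings[alice], forged
```

`demo()` returns the attacker's Contact for the open registrar, Alice's real phone for the hardened one, and the `403 Forbidden` the forged attempt received. Digest authentication only proves possession of the password; it does not encrypt the REGISTER, so in practice it is combined with TLS on the signaling path, as the SPIT slide above recommends.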

Using VLANs
(Diagram: IP phone 10.1.110.3 in voice VLAN 110 and desktop PC 171.1.1.1 in data VLAN 10, both behind switch port 5/1, carried as an 802.1Q trunk.)
• Creates a separate broadcast domain for voice traffic
• Protects against eavesdropping and tampering by hosts in the data VLAN (this is segmentation, not encryption: SRTP and TLS are what protect the media and signaling themselves)
• Renders packet-sniffing tools on PCs less effective
• Makes it easier to implement VACLs that are specific to voice traffic

Using Cisco ASA Adaptive Security Appliances
• Ensure SIP, SCCP, H.323, and MGCP requests conform to the standards
• Prevent inappropriate SIP methods from being sent to Cisco Unified Communications Manager
• Rate limit SIP requests
• Enforce call policy (whitelist, blacklist, caller/called party, SIP URI)
• Dynamically open ports for Cisco applications
• Enable only registered phones to make calls
• Enable inspection of encrypted phone calls
(Diagram: Cisco ASAs at the Internet and WAN edges.)
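To make three of the inspection functions listed above concrete (protocol conformance, a SIP method allowlist, per-source rate limiting, and the "registered phones only" rule for call setup), here is an added Python model of such an inspector. It is not Cisco's code and does not reproduce how the ASA implements these checks; the method allowlist, the five-requests-per-second limit, the registered-phone feed, and the sample traffic (including the fuzzed request line and the OPTIONS flood) are all constructed for the example.

```python
from collections import defaultdict, deque

# Methods a voice-only deployment needs; anything else is dropped before it
# reaches the call agent. Constructed policy, not a Cisco default.
ALLOWED_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "REGISTER", "OPTIONS", "SUBSCRIBE", "NOTIFY"}


def header(raw, name):
    """Return one header value with angle brackets stripped, or None if absent."""
    for line in raw.split("\r\n")[1:]:
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            return value.strip().strip("<>")
    return None


class SipInspector:
    def __init__(self, registered, max_requests=5, window=1.0):
        self.registered = set(registered)   # AORs the call agent currently has registered (assumed feed)
        self.max_requests, self.window = max_requests, window
        self.recent = defaultdict(deque)    # source IP -> timestamps of recent requests

    def inspect(self, src_ip, raw, now):
        """Return ('permit' | 'drop', reason) for one SIP message from src_ip seen at time now."""
        first = raw.split("\r\n", 1)[0]
        if first.startswith("SIP/2.0 "):            # status line: a response, let it through
            return "permit", "response"
        parts = first.split(" ")
        if len(parts) != 3 or parts[2] != "SIP/2.0":  # protocol conformance: METHOD SP URI SP version
            return "drop", "malformed request line"
        method = parts[0]
        q = self.recent[src_ip]                     # sliding-window rate limit per source
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_requests:
            return "drop", "rate limit"
        q.append(now)
        if method not in ALLOWED_METHODS:
            return "drop", f"method {method} not allowed"
        if method == "INVITE" and header(raw, "From") not in self.registered:
            return "drop", "caller not registered"  # only registered phones may place calls
        return "permit", method


def demo():
    """Run a constructed traffic sample through the inspector and return the decisions."""
    insp = SipInspector(registered={"sip:alice@example.com"})
    invite = "INVITE sip:bob@example.com SIP/2.0\r\nFrom: <{frm}>\r\nTo: <sip:bob@example.com>\r\n\r\n"
    results = {
        "fuzzed": insp.inspect("10.1.110.3", "INVITE sip:bob@example.com\r\n\r\n", 0.0),
        "message": insp.inspect("10.1.110.3", "MESSAGE sip:bob@example.com SIP/2.0\r\n\r\n", 0.1),
        "unregistered": insp.inspect("192.0.2.66", invite.format(frm="sip:mallory@example.com"), 0.2),
        "registered": insp.inspect("10.1.110.3", invite.format(frm="sip:alice@example.com"), 0.3),
        "response": insp.inspect("10.1.110.5", "SIP/2.0 404 Not Found\r\n\r\n", 0.4),
    }
    flood = [insp.inspect("192.0.2.66", "OPTIONS sip:example.com SIP/2.0\r\n\r\n", 0.5 + i * 0.01)
             for i in range(10)]
    results["flood_dropped"] = sum(1 for verdict, _ in flood if verdict == "drop")
    return results
```

In `demo()` the malformed INVITE, the disallowed MESSAGE, and the INVITE from an unregistered caller are dropped, Alice's INVITE and the response pass, and six of the ten OPTIONS in the burst from 192.0.2.66 are dropped because that source had already used one slot in its one-second window. Note the order of the checks: conformance first, because a fuzzed message should never reach the rate limiter or the registration lookup.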

Using VPNs
(Diagram: telephony servers behind a VPN concentrator, the IP WAN, and an SRST router at the remote site.)
• Use IPsec for authentication
• Use IPsec to protect all traffic, not just voice
• Consider the SLA with the service provider
• Terminate on a VPN concentrator or large router inside the firewall to gain these benefits:
  – Performance
  – Reduced configuration complexity
  – Managed organizational boundaries

Using Cisco Unified Communications Manager
• Signed firmware
• Signed configuration files
• Disable on phones that do not need them:
  – PC port
  – Settings button
  – Speakerphone
  – Web access

SAN Security Considerations
(Diagram: servers on the LAN/IP network attached to a SAN.)
SAN: a specialized network that enables fast, reliable access between servers and external storage resources.

SAN Transport Technologies
• Fibre Channel: the primary SAN transport for host-to-SAN connectivity
• iSCSI: maps SCSI over TCP/IP and is another host-to-SAN connectivity model
• FCIP: a popular SAN-to-SAN connectivity model (Fibre Channel frames tunneled over IP)

World Wide Name
• A 64-bit address that Fibre Channel networks use to uniquely identify each element in a Fibre Channel network
• Zoning can use WWNs to assign security permissions
• The WWN of a device is a user-configurable parameter, so a host can present another device's WWN; zoning that keys on the physical switch port does not depend on what the attached device claims to be.

Zoning Operation
(Diagram: Cisco MDS 9020 Fabric Switch with Host1, Host2 and Disk1 to Disk4 arranged in ZoneA, ZoneB and ZoneC; devices can be members of more than one zone.)
• Zone members see only other members of the zone.
• Zones can be configured dynamically based on WWN.
• Devices can be members of more than one zone.
• Switched fabric zoning can take place at the port or device level: based on the physical switch port, on the device WWN, or on the LUN ID.

Virtual Storage Area Network (VSAN)
Cisco MDS 9000 Family with VSAN Service: physical SAN islands are virtualized onto a common SAN infrastructure.

Security Focus
(Diagram: a secure SAN covers SAN protocol security, fabric access, IP storage access, target access, SAN management access, and data integrity and secrecy.)

SAN Management
Three main areas of vulnerability:
1. Disruption of switch processing
2. Compromised fabric stability
3. Compromised data integrity and confidentiality

Fabric and Target Access
Three main areas of focus:
• Application data integrity
• LUN integrity
• Application performance

VSANs: Relationship of VSANs to Zones
(Diagram: physical topology with VSAN 2 containing Host1, Host2 and Disk1 to Disk4 in ZoneA, ZoneB and ZoneC, and VSAN 3 containing Host3, Host4, Disk5 and Disk6 in ZoneA and ZoneD.)
Two VSANs, each with multiple zones. Disks and hosts are dedicated to VSANs; both hosts and disks can belong to multiple zones within a single VSAN, but they cannot span VSANs. Zone names are scoped to a VSAN, so ZoneA in VSAN 2 and ZoneA in VSAN 3 are different zones.
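The zoning and VSAN rules from the two slides above (a member sees only the other members of its zones, a device may be in several zones but in exactly one VSAN, and a WWN is something the device asserts) can be checked in a small model. The following is an added example, not code from the course or from Cisco MDS software: a Python fabric model whose zones can be evaluated either by the WWN a logging-in device presents or by the switch port it is attached to, built on a constructed topology that loosely follows the slide (the device names, WWNs and fc1/x port names are invented).

```python
import re


def normalize_wwn(text):
    """Accept a 64-bit WWN as 8 colon-separated octets or 16 bare hex digits; return 'xx:xx:...:xx'."""
    digits = text.strip().lower().replace(":", "")
    if not re.fullmatch(r"[0-9a-f]{16}", digits):
        raise ValueError(f"not a 64-bit WWN: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 16, 2))


class Fabric:
    """Zones scoped to VSANs. mode='wwn' matches members by the WWN a device presents,
    mode='port' by the physical switch port it is attached to."""

    def __init__(self, mode="wwn"):
        self.mode = mode
        self.devices = {}   # name -> {"vsan", "wwn", "port"}
        self.zones = {}     # (vsan, zone name) -> [member device names]

    def add_device(self, name, vsan, wwn, port):
        if name in self.devices and self.devices[name]["vsan"] != vsan:
            raise ValueError(f"{name} is already in VSAN {self.devices[name]['vsan']}; a device cannot span VSANs")
        self.devices[name] = {"vsan": vsan, "wwn": normalize_wwn(wwn), "port": port}

    def add_zone(self, vsan, zone, members):
        for m in members:
            if self.devices[m]["vsan"] != vsan:
                raise ValueError(f"{m} is not in VSAN {vsan}; a zone cannot span VSANs")
        self.zones[(vsan, zone)] = list(members)  # a device may sit in several zones of its VSAN

    def _is_member(self, name, wwn, port):
        d = self.devices[name]
        return d["wwn"] == wwn if self.mode == "wwn" else d["port"] == port

    def visible_to(self, vsan, wwn, port):
        """Device names a fabric login on `port` presenting `wwn` is allowed to discover in `vsan`."""
        wwn = normalize_wwn(wwn)
        seen = set()
        for (v, _), members in self.zones.items():
            if v == vsan and any(self._is_member(m, wwn, port) for m in members):
                seen.update(m for m in members if not self._is_member(m, wwn, port))
        return seen


def build(mode):
    """Constructed topology loosely following the slide: two VSANs, overlapping zones in VSAN 2."""
    f = Fabric(mode)
    f.add_device("Host1", 2, "10:00:00:00:c9:01:00:01", "fc1/1")
    f.add_device("Host2", 2, "10:00:00:00:c9:01:00:02", "fc1/2")
    f.add_device("Disk1", 2, "50:06:01:60:00:00:00:01", "fc1/11")
    f.add_device("Disk2", 2, "50:06:01:60:00:00:00:02", "fc1/12")
    f.add_device("Disk3", 2, "50:06:01:60:00:00:00:03", "fc1/13")
    f.add_device("Disk4", 2, "50:06:01:60:00:00:00:04", "fc1/14")
    f.add_device("Host3", 3, "10:00:00:00:c9:01:00:03", "fc2/1")
    f.add_device("Disk5", 3, "50:06:01:60:00:00:00:05", "fc2/11")
    f.add_zone(2, "ZoneA", ["Host1", "Disk1", "Disk2"])
    f.add_zone(2, "ZoneB", ["Host2", "Disk3", "Disk4"])
    f.add_zone(2, "ZoneC", ["Host1", "Disk3"])      # Disk3 is in both ZoneB and ZoneC
    f.add_zone(3, "ZoneD", ["Host3", "Disk5"])
    return f


def demo(mode):
    f = build(mode)
    h1, h2 = f.devices["Host1"], f.devices["Host2"]
    return {
        "host1": f.visible_to(2, h1["wwn"], h1["port"]),
        "host2": f.visible_to(2, h2["wwn"], h2["port"]),
        # Host2 reprograms its HBA with Host1's WWN but is still cabled to its own port.
        "spoof": f.visible_to(2, h1["wwn"], h2["port"]),
        "wrong_vsan": f.visible_to(3, h1["wwn"], h1["port"]),  # Host1's identity means nothing in VSAN 3
    }
```

With `demo("wwn")` the spoofing Host2 sees exactly what Host1 sees (Disk1, Disk2 and Disk3), because the zone is evaluated on the WWN it presents; with `demo("port")` the same login still sees only its own Disk3 and Disk4. In both modes Host1's WWN presented in VSAN 3 discovers nothing, and `build()` raises if a zone or device is asked to span VSANs.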

iSCSI and FCIP
• iSCSI leverages many of the security features inherent in Ethernet and IP:
  – ACLs are like Fibre Channel zones
  – VLANs are like Fibre Channel VSANs
  – 802.1X port security is like Fibre Channel port security
  – In addition, iSCSI itself defines CHAP authentication between initiator and target, and IPsec can protect the session on the wire
• FCIP security leverages many IP security features in Cisco IOS-based routers:
  – IPsec VPN connections through public carriers
  – High-speed encryption services in specialized hardware
  – Can be run through a firewall
