© 2012 Cisco and/or its affiliates. All rights reserved. 1
CCNA Security 1.1 Instructional Resource Chapter 6 – Securing the Local Area Network
• Describe endpoint vulnerabilities and protection methods.
• Describe the vulnerabilities of the Layer 2 infrastructure.
• Describe the mitigation techniques for securing the Layer 2 infrastructure.
• Describe MAC address spoofing attacks, STP manipulation attacks, MAC address overflow attacks, LAN storm attacks, and VLAN attacks.
• Configure and verify port security, BPDU guard, root guard, storm control, and PVLAN Edge.
• Describe endpoint security with IronPort.
• Describe endpoint security with Network Admission Control.
• Describe wireless, VoIP, and SAN security considerations.
• Describe wireless, VoIP, and SAN security solutions.
6.0 Mitigating Common Layer 2 Attacks
6.1 Describe Layer 2 Security Using Cisco Switches
6.1.1 STP attacks
6.1.2 ARP spoofing
6.1.3 MAC spoofing
6.1.4 CAM overflows
6.1.5 CDP/LLDP
6.2 Describe VLAN Security
6.2.1 Voice VLAN
6.2.2 PVLAN
6.2.3 VLAN hopping
6.2.4 Native VLAN
6.4 Implement Spanning Tree
6.4.1 Potential issues with redundant switch topologies
6.4.2 STP operations
6.4.3 Resolving issues with STP
• Layer 2 is generally the point-of-entry to the network and so is especially vulnerable to attacks.
• Keeping user/data, voice, native, management, and default VLANs distinct is a best practice for providing a secure Layer 2 environment.
• VLANs should be pruned manually or dynamically on trunk links to deterministically permit appropriate VLAN traffic.
• Spanning tree is susceptible to attacks which alter the proper selection of the root bridge. BPDU guard, BPDU filter, and root guard help to mitigate these attacks.
• Layer 2 “storms” can occur inadvertently or as a result of an attack. Technologies such as port security and storm control can help to prevent these storms.
• Cisco SPAN is used in conjunction with protocol analyzers and IDS devices.
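The following Cisco IOS configuration is an added example, not part of the Cisco deck, that applies the points above on the distribution side of an access/distribution pair: the root bridge is pinned deliberately, the downlink trunk toward the access switch uses a dedicated, otherwise unused native VLAN, carries a manually pruned allowed-VLAN list, has DTP disabled and is protected by root guard, and a local SPAN session mirrors one port to the port where a protocol analyzer or IDS sensor is attached. Switch names (DSW1, ASW1), interface numbers, VLAN numbers and the session number are assumptions chosen for illustration. The syntax is Catalyst 3560-style; a 2960 is 802.1Q-only and rejects the `switchport trunk encapsulation dot1q` line, so drop it there.

```cisco
! Distribution switch (assumed name DSW1).
! Assumed VLAN plan: 10 = data, 20 = voice, 99 = management, 999 = unused native.
vlan 999
 name NATIVE-UNUSED
!
! Make the root bridge election deterministic instead of "lowest MAC wins".
spanning-tree mode rapid-pvst
spanning-tree vlan 10,20,99 root primary
!
interface GigabitEthernet0/1
 description Downlink trunk to ASW1
 ! Needed on ISL-capable switches (3550/3560); not accepted on a 2960.
 switchport trunk encapsulation dot1q
 ! Static trunk and no DTP, so the far end cannot negotiate trunking.
 switchport mode trunk
 switchport nonegotiate
 ! Untagged frames land in a VLAN that carries no user traffic; a
 ! double-tagged frame's outer tag therefore never matches a user VLAN.
 switchport trunk native vlan 999
 ! Manual pruning: only the VLANs this access switch actually serves.
 switchport trunk allowed vlan 10,20,99
 ! Root guard: a superior BPDU from the access side puts this port into
 ! root-inconsistent (blocking) state instead of moving the root bridge.
 spanning-tree guard root
!
! Local SPAN: copy both directions of Gi0/5 (an attached server) to Gi0/24,
! where the analyzer or IDS sensor is connected.
monitor session 1 source interface GigabitEthernet0/5 both
monitor session 1 destination interface GigabitEthernet0/24
!
! Verification (exec mode):
!   show spanning-tree vlan 10            - DSW1 should report "This bridge is the root"
!   show interfaces GigabitEthernet0/1 trunk
!   show spanning-tree inconsistentports  - lists ports blocked by root guard
!   show monitor session 1
```

Two caveats worth making to students: root guard belongs on designated ports facing away from the root (here the downlink), never on an access switch's own uplink, where it would block the legitimate root port; and a SPAN destination port stops forwarding normal traffic, so the sensor attached to it must listen in promiscuous mode, as the lab notes later say for NetLab virtual machines.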
• The PVLAN Edge feature helps to control traffic between protected ports in the same VLAN.
• IronPort uses SenderBase to provide anti-spam, anti-virus, and anti-spyware functionality.
• Cisco NAC Framework and Cisco NAC appliance are two approaches to allow only authorized and compliant systems (whether managed or unmanaged) to access the network, and to enforce network security policy.
• Wireless, VoIP, and SAN technologies have their own set of security issues and mitigation techniques.
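As an added example (not from the Cisco deck), here is a Catalyst 2960-style access-port configuration for the features named in the chapter objectives and in the summary above: port security with the aging timers defined in the glossary, PortFast with BPDU guard, storm control, PVLAN Edge (protected ports), plus automatic recovery from the error-disabled state. The interface range, VLAN numbers, MAC limit, thresholds and timers are assumptions chosen for illustration; tune them to the site.

```cisco
! Access switch (assumed name ASW1), user-facing ports Fa0/1-20.
! Assumed VLANs: 10 = data, 20 = voice.
!
! Global: every PortFast port gets BPDU guard, and ports err-disabled by a
! guard, a port-security violation or storm control come back after 5 min.
! Remove the "cause" lines if a tripped port should stay down until an
! administrator has looked at it.
spanning-tree portfast bpduguard default
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery cause storm-control
errdisable recovery interval 300
!
interface range FastEthernet0/1 - 20
 description User access port (PC behind IP phone)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport nonegotiate
 ! Port security: at most 3 MAC addresses (PC, phone, one spare); learned
 ! addresses are written into the running config (sticky). "restrict" drops
 ! frames from any further address, counts them and raises a syslog/SNMP
 ! trap but keeps the port up; "shutdown" would err-disable the port.
 switchport port-security
 switchport port-security maximum 3
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 ! Inactivity timeout: dynamic secure addresses idle for 10 min are removed.
 ! "aging type absolute" would remove them 10 min after learning regardless
 ! of activity. Sticky addresses do not age unless "aging static" is added.
 switchport port-security aging time 10
 switchport port-security aging type inactivity
 ! PortFast for end hosts; BPDU guard err-disables the port if a switch or
 ! any STP-speaking device is plugged in. Set explicitly here even though
 ! the global "bpduguard default" already covers PortFast ports.
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! Storm control: if broadcast or multicast exceeds 20% of port bandwidth,
 ! err-disable the port and send a trap.
 storm-control broadcast level 20.00
 storm-control multicast level 20.00
 storm-control action shutdown
 storm-control action trap
 ! PVLAN Edge: protected ports exchange no unicast, broadcast or multicast
 ! with each other, but still reach unprotected ports such as the uplink.
 switchport protected
!
! Verification (exec mode):
!   show port-security interface FastEthernet0/1
!   show port-security address
!   show spanning-tree interface FastEthernet0/1 detail
!   show storm-control FastEthernet0/1
!   show interfaces FastEthernet0/1 switchport | include Protected
!   show errdisable recovery
```

Note that `switchport protected` is local to one switch: two protected ports on different switches can still reach each other through the trunk, which is why the feature is positioned as a lightweight substitute for full private VLANs rather than an equivalent.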
• Chapter 6 Lab A: Securing Layer 2 Switches
– Part 1: Configure Basic Switch Settings
– Part 2: Configure SSH Access to the Switch
– Part 3: Secure Trunks and Access Ports
– Part 4: Configure SPAN and Monitor Traffic
Absolute Timeout: Port security timer which specifies the aging time after which secure addresses on the port are deleted.
Application Server: Provides services such as voice mail and unified messaging, such as Cisco Unity.
Atomic Alert: IPS alert generated every time a signature triggers.
Atomic Signature: Simplest type of signature, consisting of a single packet, activity, or event that is examined.
BPDU Filter: Cisco switch feature that prevents interfaces that are in a PortFast-operational state from sending or receiving BPDUs. If a BPDU is received on a PortFast-enabled interface, the interface loses its PortFast-operational status, and BPDU filtering is disabled.
BPDU Guard: Cisco switch feature that allows network designers to keep the active spanning tree topology predictable. BPDU guard protects the switched network from problems caused by receipt of BPDUs on ports that should not be receiving them.
Call Agent: Provides call control for IP phones, CAC, bandwidth control and management, and address translation. Cisco Unified Communications Managers function as call agents.
Double-tagging: Method employed in a certain VLAN hopping attack whereby an attacker embeds a hidden 802.1Q tag inside an Ethernet frame. This tag allows the frame to go to a VLAN that the original 802.1Q tag did not specify. This type of attack can work on ports that are not configured as trunk ports.
DTP: Dynamic Trunking Protocol (DTP) is a Cisco-proprietary protocol that enables the automatic negotiation of trunk links.
Gatekeeper: Provides Call Admission Control (CAC), bandwidth control and management, and address translation.
FCIP: Fibre Channel over IP (FCIP) is a popular SAN-to-SAN transport used over a WAN or MAN.
Fibre Channel: Primary SAN transport for host-to-SAN connectivity.
Gateway: Provides translation between VoIP and non-VoIP networks, such as the PSTN. Gateways also provide physical access for local analog and digital voice devices, such as telephones, fax machines, key sets, and PBXs.
HBA: A Host Bus Adapter (HBA) is an I/O adapter that sits between the bus of the host computer and the Fibre Channel loop and manages the transfer of information between the two channels.
Inactivity Timeout: Port security timer which specifies the idle/inactive time after which secure addresses on the port are deleted.
IP Phone: Phone that provides voice communication over a data network.
IronPort: Anti-spam, antivirus, and anti-spyware appliances. IronPort uses SenderBase, the world's largest threat detection database, to help provide preventive and reactive security measures.
iSCSI: A host-to-SAN transport in the form of SCSI over TCP/IP.
LAN Storm: Condition whereby packets flood the LAN, creating excessive traffic and degrading network performance.
Least Privileged Concept: To better protect an endpoint, a process should never be given more privilege than is necessary to perform a job.
Lightweight AP: Access point that depends on a centralized wireless LAN controller (WLC) for its configuration.
LUN: A logical unit number (LUN) is a 4-bit address for an individual disk drive and, by extension, the disk device itself.
LUN Masking: Authorization process that makes a LUN available to some hosts and unavailable to other hosts.
MAC Address Spoofing Attack: A host masquerades or poses as another via the MAC address to receive otherwise inaccessible data or to circumvent security configurations.
MAC Address Table Overflow Attack: A switch is bombarded with fake source MAC addresses until the switch MAC address table is full and no new entries can be accepted. When this occurs, the switch begins to flood all incoming traffic to all ports because there is no room in the table to learn any legitimate MAC addresses.
macof: Tool used, among other things, to flood a switch with frames containing randomly generated source and destination MAC and IP addresses.
Multipoint Control Unit (MCU): Provides real-time connectivity for participants in multiple locations to attend the same videoconference or meeting.
NAC: Network admission control (NAC) uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources. With NAC, network security professionals can authenticate, authorize, evaluate, and remediate wired, wireless, and remote users and their machines prior to network access. NAC identifies whether networked devices are compliant with the network security policies and repairs any vulnerability before permitting access to the network.
NAC Agent: Cisco NAC Agent (NAA) is an optional lightweight agent running on an endpoint device. It performs deep inspection of the device's security profile by analyzing registry settings, services, and files.
NAC Manager: Cisco NAC Manager (NAM) is the policy and management center for an appliance-based NAC deployment environment. Cisco NAC Manager defines role-based user access and endpoint security policies.
NAC Guest Server: Manages guest network access, including provisioning, notification, management, and reporting of all guest user accounts and network activities.
NAC Profiler: Helps to deploy policy-based access control by providing discovery, profiling, policy-based placement, and post-connection monitoring of all endpoint devices.
NAC Server: Cisco NAC Server (NAC) assesses and enforces security policy compliance in an appliance-based NAC deployment environment.
PortFast: A Cisco switch feature that causes an interface configured as a Layer 2 access port to transition from the IEEE 802.1D STP blocking state to the forwarding state immediately, bypassing the listening and learning states.
Port Security: A Cisco switch feature which allows an administrator to statically specify MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses.
Privileged Context of Execution: Provides identity authentication and certain privileges based on the identity.
PVLAN Edge: Cisco feature, also known as Protected Port, that ensures there is no exchange of unicast, broadcast, or multicast traffic between specified ports on the switch.
Reference Monitor: Access control concept that refers to a mechanism or process that mediates all access to objects. It provides a central point for all policy decisions, typically implementing auditing functions to keep track of access.
SAN: A Storage Area Network (SAN) is a specialized network that enables fast, reliable access among servers and external storage resources.
SIP: Session Initiation Protocol (SIP) is a signaling protocol widely used for controlling communication sessions such as VoIP sessions.
SPAN: Cisco Switched Port Analyzer copies (or mirrors) traffic received, sent, or both on source ports or source VLANs on a switch to a destination port on the same switch for analysis.
SPIT: Spam over Internet Telephony (SPIT) is unsolicited and unwanted bulk messages broadcast over VoIP to the end users of an enterprise network. In addition to being annoying, high-volume bulk calls can significantly affect the availability and productivity of the endpoints.
Storm Control: Cisco switch feature which prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on one of the physical interfaces.
Toll Fraud: Theft of long-distance telephone service by unauthorized access to a PSTN trunk (an outside line) on a PBX or voice-mail system.
Trigger: Traffic behavior that signals an intrusion or policy violation.
VACL: A VLAN ACL (VACL) is an ACL that can filter traffic at both Layer 2 and Layer 3.
Vishing: Vishing (voice phishing) uses telephony to glean information, such as account details, directly from users.
VLAN Hopping Attack: Attack whereby access to all VLANs is obtained by leveraging the default automatic trunking configuration on most switches.
VSAN: A Virtual SAN (VSAN) is a collection of ports from a set of connected Fibre Channel switches that form a virtual fabric. Ports can be partitioned within a single switch into multiple VSANs. Additionally, multiple switches can join any number of ports to form a single VSAN.
WLC: A Wireless LAN Controller (WLC) handles system-wide wireless LAN functions, such as intrusion prevention, RF management, QoS, and mobility.
WWN: A World Wide Name (WWN) is a 64-bit address that Fibre Channel networks use to uniquely identify each element in a Fibre Channel network.
Zone: Partition of a Fibre Channel fabric into smaller subsets.
• Cisco Security Agent content was removed.
• Remote SPAN content was removed.
• BPDU filtering content was added.
• PVLAN Edge content was added.
• Chapter 6 is a fairly even combination of theory and practice.
• This chapter covers the gamut of network security options for Cisco Layer 2 switches (e.g., Catalyst 2960), so it is quite a handful for students – if time permits, take your time on the content. The other nine chapters in this course focus on security features of Cisco routers.
• Be sure to download the appropriate images for the switches in your lab environment. If it is at all possible, use the same images as are recommended in the lab: Cisco IOS Release 12.2(46)SE, C2960-LANBASEK9-M image. It is frustrating to students when commands are not present that are key to completing the lab.
• If 3550 or 3560 switches are used, keep in mind there will be some subtle differences in the implementations, but for the most part they will coincide with the configuration sequences for Catalyst 2960 switches. Remember that when you configure trunking on 3550 and 3560 switches, both ISL and IEEE 802.1Q trunking are supported, so an extra command is required each time you configure a trunk port.
• The 2960 switches support Auto-MDIX, so you do not have to spend time checking whether a cable is straight-through or cross-over.
• There is GUI-based software for configuring Catalyst switches from your PC web browser, called Cisco Network Assistant. The course does not discuss this option, but it is well worth exploring. Students going into the industry would benefit from being basically familiar with this software.
– It can be downloaded at http://www.cisco.com/cisco/software/release.html?mdfid=279963505&flowid=2550&softwareid=280775097&release=5.7.0&rellifecycle=&relind=AVAILABLE&reltype=latest. (Cisco.com account required.)
• The recent 12.2.x and 15.x Cisco IOS images for the 2960 switches include a LAN Base version and a LAN Base with Web-based Development Manager option. The latter image provides another GUI-based option for switch configuration not covered in the course; again, it is useful for students to explore this option; students will learn how to extract archives on the switches in the process. Note that there is a /force /recursive option for deleting files and folders that is VERY useful.
• The lab for this chapter uses the Wireshark network analyzer and SuperScan (optional). It is truly worthwhile to have the SuperScan software installed on the PCs – the portions of the lab utilizing SuperScan are very informative.
• If you use NetLab to do the lab, be sure that your virtual machines have network adapters configured in the promiscuous mode; otherwise, the SPAN portion of the lab will not work correctly!
• Be sure that students try different terminal emulation programs over time. It is to their professional advantage to be familiar with the various options. Often they are surprised to find how user-friendly other emulation software is compared with what they are accustomed to using.
• Time permitting, have the students try the macof program or other simple Layer 2 “hacking” software in a secure environment.
• Compare and contrast the security features on the Catalyst switches and those on the ISRs. The fact that nine chapters of this course focus on routers and one on switches is not a coincidence!
• Compare and contrast considerations relating to securing Layer 2 protocols with that of securing Layer 3 protocols.
• Compare the portions of the Internet comprised of Layer 2 LAN switches versus that comprised of Layer 3 networking devices. How does the answer affect the way security is implemented?
• Along the border of the Layer 2-to-Layer 3 exchange, what protocols are in play and what security considerations are specific to this crossover?
• Nowadays, it is common to install a switch module in a router and it is common for a switch to include a router processor. So in a way, most switches are routers and most routers are switches. How do routers and switches differ?
• There is a clear trend toward pushing Layer 3 down to the user as a result of the decreasing cost for Layer 3 switches. The day will come when all switches are Layer 3 switches. Does this imply that VLANs will be unnecessary at some point? What are the implications of every port on every switch being configurable as a routed port?
• Is it easier to configure security in the Layer 2 domain or in the Layer 3 domain? Is network security more deterministic in a pure Layer 3 environment?
• What are the implications for Layer 2 security in the Borderless Network, with mobile devices pervading the network space?
• What devices require Layer 2 security solutions?
• What are some security policies specific to the Layer 2 environment? What are some rules that should be enforced?
• Several topics in the course do not have hands-on components to them, such as IronPort, Network Admission Control, wireless security, VoIP security, and SAN security. Ask the students to research one or more of these areas to gain a more applied understanding of these topics. If possible, arrange for site visits where some of these solutions are implemented.
• One of the easiest ways to optimize LAN security is ensuring that all VLANs with distinct functions are distinct. Separate the management VLAN, the native VLAN, the default VLAN, the voice VLAN(s), and the data VLAN(s). Configure trunk links to support only the necessary VLANs.
• Modern campus switched network design has Layer 2 switches only at the edge of the network, each with a redundant uplink, with only two or three VLANs per switch and with no Layer 2 loops possible (think about how this is mapped out). So technically STP is not required. It is a best practice to always ensure that STP remains enabled on the switches, just in case someone inadvertently creates a physical loop as a result of moving cables about in the wiring closet.
• There are only a handful of security features available at Layer 2, and almost all of them should be implemented to optimize network security. On first exposure the number of Layer 2 security options might seem a bit overwhelming, so reassure students that they do not need to master them all the first time around and that, in the scheme of things, the range of security options at Layer 2 is quite tractable.
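To make the first two tips concrete, here is an added example (not from the Cisco deck) of an access-switch VLAN plan that keeps the data, voice, management, native and default VLANs distinct, places the switch's management address on its own VLAN, leaves VLAN 1 unused, parks unused ports in a separate dead-end VLAN, and keeps spanning tree deliberately enabled even though the design has no intended loops. Switch names (ASW1, DSW1), VLAN numbers, interface numbers and addresses are assumptions chosen for illustration.

```cisco
! Access switch (assumed name ASW1). VLAN 1, the default VLAN, carries nothing.
vlan 10
 name DATA
vlan 20
 name VOICE
vlan 99
 name MGMT
vlan 998
 name UNUSED-PORTS
vlan 999
 name NATIVE-UNUSED
!
! Management only on VLAN 99; the VLAN 1 SVI stays shut down.
interface Vlan1
 no ip address
 shutdown
interface Vlan99
 description In-band management
 ip address 10.99.0.11 255.255.255.0
 no shutdown
ip default-gateway 10.99.0.1
!
! Keep STP running (Rapid PVST+) so an accidental patch-cable loop in the
! wiring closet is blocked rather than melting the VLAN. The root bridge is
! pinned on the distribution switch DSW1 ("spanning-tree vlan 10,20,99 root
! primary" there), so ASW1 only needs the mode.
spanning-tree mode rapid-pvst
!
! Uplink: the trunk carries only the VLANs this switch needs, with untagged
! frames mapped to the unused native VLAN. Must match the DSW1 end.
interface GigabitEthernet0/1
 description Uplink to DSW1
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,99
!
! Unused ports: access mode in a dead-end VLAN, administratively down.
interface range FastEthernet0/21 - 24
 switchport mode access
 switchport access vlan 998
 shutdown
!
! Verification (exec mode):
!   show vlan brief               - no user ports in VLAN 1
!   show interfaces trunk         - allowed and active VLANs, native VLAN 999
!   show spanning-tree vlan 10    - Root ID is DSW1, root port is Gi0/1
!   show ip interface brief       - only Vlan99 is up with an address
```

The dead-end VLAN for unused ports (998) is kept separate from the trunk's native VLAN (999) on purpose: an access port in the native VLAN is exactly the combination that the double-tagging entry in the glossary relies on, so unused ports should never share it.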
• http://en.wikipedia.org/wiki/LAN_switching
• http://www.cisco.com/cisco/software/type.html?mdfid=279963505&flowid=2550
• http://www.nsa.gov/ia/_files/switches/switch-guide-version1_01.pdf
• http://www.ciscopress.com/bookstore/product.asp?isbn=1587052563
• http://www.cisco.com/en/US/customer/docs/switches/lan/catalyst2960/software/release/12.2_25_fx/command/reference/2960cr.html
• http://www.cisco.com/en/US/customer/docs/switches/lan/catalyst2960/software/release/12.2_25_fx/configuration/guide/2960scg.html