chapter 5: network security and monitoring - cnacad.comcnacad.com/assets/ccna4 connecting...
TRANSCRIPT
© 2008 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 1
Chapter 5: Network Security and Monitoring
Connecting Networks
Presentation_ID 2© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential
Chapter 5 - Sections & Objectives
5.1 LAN Security
• Explain how to mitigate common LAN security.
5.2 SNMP
• Configure SNMP to monitor network operations in a small to medium-sized business network.
5.3 Cisco Switch Port Analyzer (SPAN)
• Troubleshoot a network problem using SPAN.
© 2008 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 3
5.1 LAN Security
Presentation_ID 4© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential
LAN Security
LAN Security Physical Damage
• Dropping, ESD, Lightning, UPS use, Theft
• Physically securing devices
• Environmental threats
Common attacks against the Layer 2 LAN infrastructure include:
• CDP Reconnaissance Attacks (shut down CDP)
• Telnet Attacks (Close telnet access, complex passwords, ssh, acl)
• MAC Address Table Flooding Attacks (shutdown unused ports, configure port security)
• VLAN Attacks (put unused ports in unused vlan, hardcode access, change default vlan, port security)
• DHCP Attacks (DHCP snooping, port security)
Presentation_ID 5© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential
This topic covers several Layer 2 security solutions:• Mitigating MAC address table flooding attacks
o using port security
o Limit mac address numbers allowed
• Mitigating VLAN attacks (don’t use default native vlan1)
• Mitigating DHCP attacks using DHCP spoofing
o Uses ip-helper address across networks
o DHCP snooping command – restricts replies from untrusted switch ports
o Limit number of DHCP requests
• Securing administrative access using AAA
o authentication, authorization, accounting – local or remote server
o Configure aaa server, either: Radius or TACACS+
• Securing device access using 802.1X port-based authentication
o Radius (open/UDP/one-way), TACACS+ (Cisco/TCP/two-way): username/password server
o EAP encryption (optional)
LAN Security
LAN Security Best Practices
Presentation_ID 6© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential
Review - There are several strategies to help secure Layer 2 of a network:• Always use secure variants of these protocols such as SSH, SCP, SSL,
SNMPv3, and Secure FTP (SFTP).
• Always use strong passwords and change them often.
o Can be configured/enforced
• Enable CDP on select ports only.
o Or LLDP (Link Layer Discovery Protocol IEEE 802.1AB)
• Secure Telnet access.
• Use a dedicated management VLAN where nothing but management traffic resides.
• Use ACLs to filter unwanted access to management vlan/access ports
• Hard code Access or Trunk ports
LAN Security
LAN Security Best Practices
© 2008 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 7
5.2 SNMP
Presentation_ID 8© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential
SNMP
SNMP Operation
SNMP allows administrators to manage and monitor devices on an IP network.
SNMP Elements
• SNMP Manager (server polls)
• SNMP Agent (network device reports)
• MIB (device management info base saved locally)
SNMP Operation
• Trap (trap notification to mngr)
• Get (collects information)
• Set (change configurations)
• Ports UDP 161 & 162
Presentation_ID 9© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential
SNMP
SNMP Operation
SNMP Security Model and Levels
Presentation_ID 10© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential
SNMP
Configuring SNMP
Configuration steps
• Configure community string
• Document location of device
• Document system contact
• Restrict SNMP Access
• Specify recipient of SNMP Traps
• Enable traps on SNMP agent
Presentation_ID 11© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential
SNMP
Configuring SNMP
Securing SNMPv3
© 2008 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 12
5.3 Cisco Switch Port Analyzer (SPAN)
Presentation_ID 13© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential
Cisco Switch Port Analyzer
SPAN Overview
Port mirroring
• The port mirroring feature allows a switch to copy and send Ethernet frames from specific ports to the destination port connected to a packet analyzer. The original frame is still forwarded in the usual manner.
Presentation_ID 14© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential
Cisco Switch Port Analyzer
SPAN Overview
SPAN terminology
Could also be an
IPS/IDS
Remote Span is part of security
course
Presentation_ID 15© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential
Cisco Switch Port Analyzer
SPAN Configuration
Use monitor session global configuration command
Presentation_ID 16© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential
Cisco Switch Port Analyzer
SPAN as a Troubleshooting Tool
SPAN allows administrators to troubleshoot network issues
Administrator can use SPAN to duplicate and redirect traffic to a packet analyzer
Administrator can analyze traffic from all devices to troubleshoot sub-optimal operation of network applications
Presentation_ID 17© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential
Presentation_ID 18© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential