Implementing Cisco Edge Network Security Solutions (300-206)
Module 1
Securing the Local Area Network
Lesson Planning
• This lesson should take 3-4 hours to present
• The lesson should include lecture, demonstrations, discussions and assessments
• The lesson can be taught in person or using remote instruction
Major Concepts
• Describe endpoint vulnerabilities and protection methods
• Describe basic Catalyst switch vulnerabilities
• Configure and verify switch security features, including port security and storm control
• Describe the fundamental security considerations of Wireless, VoIP, and SANs
Lesson Objectives
Upon completion of this lesson, the successful participant will be able to:
1. Describe endpoint security and the enabling technologies
2. Describe how Cisco IronPort is used to ensure endpoint security
3. Describe how Cisco NAC products are used to ensure endpoint security
4. Describe how the Cisco Security Agent is used to ensure endpoint security
5. Describe the primary considerations for securing the Layer 2 infrastructure
6. Describe MAC address spoofing attacks and MAC address spoofing attack mitigation
7. Describe MAC Address table overflow attacks and MAC Address table overflow attack mitigation
8. Describe STP manipulation attacks and STP manipulation attack mitigation
9. Describe LAN Storm attacks and LAN Storm attack mitigation
10. Describe VLAN attacks and VLAN attack mitigation
11. Describe how to configure port security
12. Describe how to verify port security
13. Describe how to configure and verify BPDU Guard and Root Guard
14. Describe how to configure and verify storm control
15. Describe and configure Cisco SPAN
16. Describe and configure Cisco RSPAN
17. Describe the best practices for Layer 2
18. Describe the fundamental aspects of enterprise security for advanced technologies
19. Describe the fundamental aspects of wireless security and the enabling technologies
20. Describe wireless security solutions
21. Describe the fundamental aspects of VoIP security and the enabling technologies (reference: CIAG course on VoIP security)
22. Describe VoIP security solutions
23. Describe the fundamental aspects of SAN security and the enabling technologies
24. Describe SAN security solutions
Securing the LAN
[Diagram: LAN hosts behind the perimeter (Firewall, IPS, VPN, IronPort, ACS, MARS), Web, Email and DNS servers, and the Internet]
Areas of concentration:
• Securing endpoints
• Securing network infrastructure
Addressing Endpoint Security
[Diagram: Secure Host surrounded by Threat Protection, Policy Compliance and Infection Containment]
Based on three elements:
• Cisco Network Admission Control (NAC)
• Endpoint protection
• Network infection containment
Operating Systems
Basic Security Services
• Trusted code and trusted path – ensures that the integrity of the operating system is not violated
• Privileged context of execution – provides identity authentication and certain privileges based on the identity
• Process memory protection and isolation – provides separation from other users and their data
• Access control to resources – ensures confidentiality and integrity of data
Types of Application Attacks
• Direct: "I have gained direct access to this application’s privileges."
• Indirect: "I have gained access to this system which is trusted by the other system, allowing me to access it."
Cisco Systems Endpoint Security Solutions
• Cisco NAC
• IronPort
• Cisco Security Agent
Cisco IronPort Products
IronPort products include:
• E-mail security appliances for virus and spam control
• Web security appliance for spyware filtering, URL filtering, and anti-malware
• Security management appliance
IronPort C-Series
[Diagram: Before IronPort, mail flows Internet > Firewall > Groupware > Users. After IronPort, the IronPort E-mail Security Appliance sits between the Firewall and Groupware and provides Antispam, Antivirus, Policy Enforcement, Mail Routing, an Encryption Platform MTA, a DLP Scanner and a DLP Policy Manager]
IronPort S-Series
[Diagram: Before IronPort, web traffic flows Users > Firewall > Internet. After IronPort, the IronPort S-Series sits between Users and the Firewall and provides Web Proxy, Antispyware, Antivirus, Antiphishing, URL Filtering and Policy Management]
Cisco NAC
The purpose of NAC: allow only authorized and compliant systems to access the network, and enforce network security policy.
NAC Framework
• Software module embedded within NAC-enabled products
• Integrated framework leveraging multiple Cisco and NAC-aware vendor products
Cisco NAC Appliance
• In-band Cisco NAC Appliance solution can be used on any switch or router platform
• Self-contained, turnkey solution
The NAC Framework
[Diagram: Hosts attempting network access run the Cisco Trust Agent and present credentials over EAP/UDP or EAP/802.1x to the Network Access Devices (enforcement); the network access devices relay the credentials over RADIUS to the AAA Server / Policy Server, which checks compliance ("Comply?") against Vendor Servers over HTTPS (decision points and remediation); access rights and a notification are returned to the host]
NAC Components
• Cisco NAS: serves as an in-band or out-of-band device for network access control
• Cisco NAM: centralizes management for administrators, support personnel, and operators
• Cisco NAA: optional lightweight client for device-based registry scans in unmanaged environments
• Rule-set updates: scheduled automatic updates for antivirus, critical hotfixes, and other applications
Cisco NAC Appliance Process
[Diagram: wired or wireless host, Cisco NAS, Cisco NAM, Authentication Server, Quarantine Role, and the Intranet/Network (the goal)]
1. Host attempts to access a web page or uses an optional client. Network access is blocked until the wired or wireless host provides login information.
2. Host is redirected to a login page. Cisco NAC Appliance validates username and password, and also performs device and network scans to assess vulnerabilities on the device.
3. The host is authenticated and optionally scanned for posture compliance.
3a. Device is noncompliant or login is incorrect: host is denied access and assigned to a quarantine role with access to online remediation resources.
3b. Device is “clean”: machine gets on the “certified devices list” and is granted access to the network.
Access Windows
[Screenshots: 4. Login screen; a scan is performed (types of checks depend on user role); scan fails; remediate]
CSA Architecture
[Diagram: Management Center for Cisco Security Agent with internal or external database; an Administration Workstation connects to it over SSL; a security policy is pushed to a Server Protected by Cisco Security Agent, which returns events and alerts]
CSA Overview
[Diagram: an Application’s request passes through the File System Interceptor, Network Interceptor, Configuration Interceptor and Execution Space Interceptor; the Rules Engine and Correlation Engine evaluate it against state, rules and policies, and the request is either allowed or blocked]
CSA Functionality
Security Application       Network Interceptor  File System Interceptor  Configuration Interceptor  Execution Space Interceptor
Distributed Firewall       X                    ―                        ―                          ―
Host Intrusion Prevention  X                    ―                        ―                          X
Application Sandbox        ―                    X                        X                          X
Network Worm Prevention    X                    ―                        ―                          X
File Integrity Monitor     ―                    X                        X                          ―
Attack Phases
[Diagram: Server Protected by Cisco Security Agent, with the File system interceptor, Network interceptor, Configuration interceptor and Execution space interceptor]
– Probe phase
• Ping scans
• Port scans
– Penetrate phase
• Transfer exploit code to target
– Persist phase
• Install new code
• Modify configuration
– Propagate phase
• Attack other targets
– Paralyze phase
• Erase files
• Crash system
• Steal data
CSA Log Messages
Layer 2 Security
[Diagram: the Securing the LAN topology (Hosts, Perimeter, Firewall, IPS, VPN, ACS, IronPort, MARS, Web/Email/DNS servers, Internet), with the LAN highlighted]
OSI Model
When it comes to networking, Layer 2 is often a very weak link.
[Diagram: the OSI layers Application (application stream), Presentation, Session, Transport (protocols and ports), Network (IP addresses), Data Link (MAC addresses) and Physical (physical links); an initial compromise at the Data Link layer leaves every layer above it compromised]
MAC Address Spoofing Attack
[Diagram: a switch with the server (MAC address AABBcc) on Port 1 and the attacker (MAC address 12AbDd) on Port 2; MAC address table: AABBcc on port 1, 12AbDd on port 2]
Switch: “I have associated Ports 1 and 2 with the MAC addresses of the devices attached. Traffic destined for each device will be forwarded directly.”
The switch keeps track of the endpoints by maintaining a MAC address table. In MAC spoofing, the attacker poses as another host—in this case, AABBcc.
MAC Address Spoofing Attack
[Diagram: the attacker on Port 2 now also claims MAC address AABBcc; the MAC address table maps AABBcc to port 2]
Attacker: “I have changed the MAC address on my computer to match the server.”
Switch: “The device with MAC address AABBcc has changed locations to Port 2. I must adjust my MAC address table accordingly.”
MAC Address Table Overflow Attack
The switch can forward frames between PC1 and PC2 without flooding because the MAC address table contains port-to-MAC-address mappings for these PCs.
[Diagram: hosts A, B, C and D in VLAN 10; the intruder is host C on port 3/25; CAM table after the attack: X 3/25, Y 3/25, C 3/25]
1. Intruder runs macof to begin sending unknown bogus MAC addresses (X, Y, Z, ... all arriving on port 3/25).
2. Bogus addresses are added to the CAM table. CAM table is full.
3. The switch floods the frames.
4. Attacker sees traffic to servers B and D.
STP Manipulation Attack
• Spanning tree protocol operates by electing a root bridge
• STP builds a tree topology
• STP manipulation changes the topology of a network—the attacking host appears to be the root bridge
[Diagram: Root Bridge (Priority = 8192, MAC Address = 0000.00C0.1234) with forwarding (F) and blocking (B) ports]
STP Manipulation Attack
[Diagram: the legitimate Root Bridge (Priority = 8192) and the attacker, which now appears as Root Bridge; forwarding (F) and blocking (B) ports are recalculated]
The attacking host broadcasts out STP configuration and topology change BPDUs. This is an attempt to force spanning tree recalculations.
LAN Storm Attack
• Broadcast, multicast, or unicast packets are flooded on all ports in the same VLAN.
• These storms can increase the CPU utilization on a switch to 100%, reducing the performance of the network.
[Diagram: a broadcast frame replicated out of every port of the switch]
Storm Control
[Graph: total number of broadcast packets or bytes over time, against the storm-control threshold]
VLAN Attacks
VLAN = Broadcast Domain = Logical Network (Subnet)
[Diagram: VLANs provide Segmentation, Flexibility and Security]
VLAN Attacks
[Diagram: two servers on VLAN 10 and VLAN 20 reached over an 802.1Q trunk; the attacker sees traffic destined for the servers]
A VLAN hopping attack can be launched in two ways:
• Spoofing DTP messages from the attacking host to cause the switch to enter trunking mode
• Introducing a rogue switch and turning trunking on
Double-Tagging VLAN Attack
[Diagram: attacker on VLAN 10, trunk (Native VLAN = 10) between switch 1 and switch 2, victim on VLAN 20, 802.1Q frame carrying a 20 tag]
1. Attacker on VLAN 10, but puts a 20 tag in the packet.
2. The first switch strips off the first tag and does not retag it (native traffic is not retagged). It then forwards the packet to switch 2.
3. The second switch receives the packet on the native VLAN.
4. The second switch examines the packet, sees the VLAN 20 tag and forwards it accordingly.
Note: This attack works only if the trunk has the same native VLAN as the attacker.
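The four steps above can be traced with a byte-level model of the two switches (an added illustration, not code from the course): frames are built with the real 802.1Q tag encoding, switch 1's access-port ingress and trunk egress and switch 2's trunk ingress are modelled as functions, and the same frame is run against a trunk whose native VLAN is 10 and one whose native VLAN is an unused VLAN, which shows why the "unused native VLAN" mitigation works. The MAC addresses, payload and VLAN 999 are constructed values, and the access-port tag handling is a simplification.

```python
import struct
from typing import List, Optional, Tuple

# Byte-level model of the double-tagging scenario (hypothetical illustration, not Cisco code).
TPID_8021Q = 0x8100                       # EtherType that introduces an 802.1Q tag


def build_frame(dst: bytes, src: bytes, vlans: List[int], ethertype: int, payload: bytes) -> bytes:
    """Ethernet frame with zero or more 802.1Q tags, outermost first (constructed test data)."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vlans)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def parse_tags(frame: bytes) -> Tuple[List[int], int, bytes]:
    """Return (VLAN IDs outermost first, inner EtherType, payload)."""
    off, vids = 12, []
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vids.append(tci & 0x0FFF)         # low 12 bits of the TCI are the VLAN ID
        off += 4
    return vids, struct.unpack_from("!H", frame, off)[0], frame[off + 2:]


def pop_tag(frame: bytes) -> bytes:
    """Remove the outermost 802.1Q tag (the 4 bytes after the two MAC addresses)."""
    return frame[:12] + frame[16:]


def push_tag(frame: bytes, vid: int) -> bytes:
    """Insert a new outermost 802.1Q tag."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]


def access_ingress(frame: bytes, access_vlan: int) -> Optional[Tuple[int, bytes]]:
    """Switch 1 access port: untagged frames belong to the access VLAN; a frame whose outer
    tag equals the access VLAN is accepted with that tag removed; any other tag is dropped."""
    vids, _, _ = parse_tags(frame)
    if not vids:
        return access_vlan, frame
    if vids[0] == access_vlan:
        return access_vlan, pop_tag(frame)
    return None


def trunk_egress(frame: bytes, vlan: int, native_vlan: int) -> bytes:
    """Switch 1 trunk egress: native-VLAN traffic leaves untagged, everything else is tagged."""
    return frame if vlan == native_vlan else push_tag(frame, vlan)


def trunk_ingress(frame: bytes, native_vlan: int) -> Tuple[int, bytes]:
    """Switch 2 trunk ingress: the outer tag decides the VLAN; an untagged frame is native."""
    vids, _, _ = parse_tags(frame)
    return (vids[0], pop_tag(frame)) if vids else (native_vlan, frame)


def deliver_vlan(attacker_vlan: int, inner_tag: int, native_vlan: int) -> Optional[int]:
    """VLAN in which switch 2 delivers a double-tagged frame sent from an access port on
    switch 1, or None if switch 1 dropped it. MAC addresses and payload are constructed."""
    frame = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01",
                        [attacker_vlan, inner_tag], 0x0800, b"\x45" + b"\x00" * 19)
    accepted = access_ingress(frame, attacker_vlan)
    if accepted is None:
        return None
    vlan, frame = accepted
    on_wire = trunk_egress(frame, vlan, native_vlan)   # outer tag stripped only if native
    landed_vlan, _ = trunk_ingress(on_wire, native_vlan)
    return landed_vlan


if __name__ == "__main__":
    print(deliver_vlan(10, 20, native_vlan=10))    # 20: the frame hopped into the victim's VLAN
    print(deliver_vlan(10, 20, native_vlan=999))   # 10: unused native VLAN, the frame stays put
```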
Port Security Overview
[Diagram: Port 0/1 allows MAC A, Port 0/2 allows MAC B, Port 0/3 allows MAC C; Attacker 1 (MAC A) and Attacker 2 (MAC F) plug into the secured ports]
Allows an administrator to statically specify MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses
CLI Commands
Switch(config-if)# switchport mode access
• Sets the interface mode as access
Switch(config-if)# switchport port-security
• Enables port security on the interface
Switch(config-if)# switchport port-security maximum value
• Sets the maximum number of secure MAC addresses for the interface (optional)
Switchport Port-Security Parameters
Parameter: Description
mac-address mac-address: (Optional) Specify a secure MAC address for the port by entering a 48-bit MAC address. You can add additional secure MAC addresses up to the maximum value configured.
vlan vlan-id: (Optional) On a trunk port only, specify the VLAN ID and the MAC address. If no VLAN ID is specified, the native VLAN is used.
vlan access: (Optional) On an access port only, specify the VLAN as an access VLAN.
vlan voice: (Optional) On an access port only, specify the VLAN as a voice VLAN.
mac-address sticky [mac-address]: (Optional) Enable the interface for sticky learning by entering only the mac-address sticky keywords. When sticky learning is enabled, the interface adds all secure MAC addresses that are dynamically learned to the running configuration and converts these addresses to sticky secure MAC addresses. Specify a sticky secure MAC address by entering the mac-address sticky mac-address keywords.
maximum value: (Optional) Set the maximum number of secure MAC addresses for the interface. The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system. The active Switch Database Management (SDM) template determines this number. This number represents the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces. The default setting is 1.
vlan [vlan-list]: (Optional) For trunk ports, you can set the maximum number of secure MAC addresses on a VLAN. If the vlan keyword is not entered, the default value is used.
• vlan: set a per-VLAN maximum value.
• vlan vlan-list: set a per-VLAN maximum value on a range of VLANs separated by a hyphen or a series of VLANs separated by commas. For nonspecified VLANs, the per-VLAN maximum value is used.
Port Security Violation Configuration
Switch(config-if)# switchport port-security mac-address sticky
• Enables sticky learning on the interface (optional)
Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}
• Sets the violation mode (optional)
Switch(config-if)# switchport port-security mac-address mac-address
• Enters a static secure MAC address for the interface (optional)
Switchport Port-Security Violation Parameters
Parameter: Description
protect: (Optional) Set the security violation protect mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.
restrict: (Optional) Set the security violation restrict mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred.
shutdown: (Optional) Set the security violation shutdown mode. In this mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and increments the violation counter. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands.
shutdown vlan: Set the security violation mode to per-VLAN shutdown. In this mode, only the VLAN on which the violation occurred is error-disabled.
Port Security Aging Configuration
Switch(config-if)# switchport port-security aging {static | time time | type {absolute | inactivity}}
• Enables or disables static aging for the secure port or sets the aging time or type
Switchport Port-Security Aging Parameters
Parameter: Description
static: Enable aging for statically configured secure addresses on this port.
time time: Specify the aging time for this port. The range is 0 to 1440 minutes. If the time is 0, aging is disabled for this port.
type absolute: Set absolute aging type. All the secure addresses on this port age out exactly after the time (minutes) specified and are removed from the secure address list.
type inactivity: Set the inactivity aging type. The secure addresses on this port age out only if there is no data traffic from the secure source address for the specified time period.
Typical Configuration
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security aging time 120
[Diagram: switch S2 with PC B attached to the secured port]
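To make the port-security parameters concrete, here is a small simulation (added for this lesson, not Cisco code) of one secured access port: it implements maximum, the protect, restrict and shutdown violation modes, sticky learning, absolute and inactivity aging, and then replays the macof-style flood from the MAC address table overflow slide against the typical configuration above. The port name, MAC addresses and log text are constructed, and the model simplifies real IOS behaviour (sticky and dynamic entries age alike; static entries age only with aging static).

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Hypothetical simulation of "switchport port-security" on one access port (not Cisco code).
# Simplification: sticky and dynamic entries age alike; static ones only with "aging static".


@dataclass
class SecurePort:
    name: str
    maximum: int = 1               # switchport port-security maximum <value> (default 1)
    violation: str = "shutdown"    # violation {protect | restrict | shutdown}
    sticky: bool = False           # switchport port-security mac-address sticky
    aging_time: int = 0            # aging time <minutes>; 0 means aging is disabled
    aging_type: str = "absolute"   # aging type {absolute | inactivity}
    aging_static: bool = False     # aging static
    secure: Dict[str, dict] = field(default_factory=dict)   # mac -> {"type", "age"}
    violation_count: int = 0
    err_disabled: bool = False
    syslog: List[str] = field(default_factory=list)

    def add_static(self, mac: str) -> None:
        """switchport port-security mac-address <mac>: a SecureConfigured entry."""
        if mac not in self.secure and len(self.secure) >= self.maximum:
            raise ValueError(f"{self.name}: maximum of {self.maximum} secure addresses reached")
        self.secure[mac] = {"type": "SecureConfigured", "age": 0}

    def receive(self, src_mac: str) -> str:
        """Process one ingress frame; returns 'forward', 'drop' or 'errdisable'."""
        if self.err_disabled:
            return "drop"
        if src_mac in self.secure:
            if self.aging_type == "inactivity":
                self.secure[src_mac]["age"] = 0          # traffic resets the inactivity timer
            return "forward"
        if len(self.secure) < self.maximum:
            kind = "SecureSticky" if self.sticky else "SecureDynamic"
            self.secure[src_mac] = {"type": kind, "age": 0}   # dynamically learned
            return "forward"
        # Limit reached and the source is unknown: a security violation.
        if self.violation == "protect":
            return "drop"                                 # silently dropped, no notification
        self.violation_count += 1
        # Constructed log line modelled on the IOS PSECURE_VIOLATION message.
        self.syslog.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
                           f"caused by MAC address {src_mac} on port {self.name}.")
        if self.violation == "restrict":
            return "drop"
        self.err_disabled = True                          # shutdown mode: port err-disabled
        return "errdisable"

    def tick(self, minutes: int) -> List[str]:
        """Advance the aging clock; returns the secure addresses that aged out."""
        if self.aging_time == 0:
            return []
        aged = []
        for mac, entry in list(self.secure.items()):
            if entry["type"] == "SecureConfigured" and not self.aging_static:
                continue
            entry["age"] += minutes
            if entry["age"] >= self.aging_time:
                aged.append(mac)
                del self.secure[mac]
        return aged

    def running_config(self) -> List[str]:
        """Interface lines as they would appear in the running configuration."""
        lines = ["switchport mode access", "switchport port-security",
                 f"switchport port-security maximum {self.maximum}",
                 f"switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
        if self.aging_time:
            lines.append(f"switchport port-security aging time {self.aging_time}")
        for mac, entry in self.secure.items():
            if entry["type"] == "SecureConfigured":
                lines.append(f"switchport port-security mac-address {mac}")
            elif entry["type"] == "SecureSticky":                # sticky entries are persisted
                lines.append(f"switchport port-security mac-address sticky {mac}")
        return lines


def typical_port() -> SecurePort:
    """The lesson's typical configuration: maximum 2, violation shutdown, sticky, aging 120."""
    return SecurePort("Fa0/12", maximum=2, violation="shutdown", sticky=True, aging_time=120)


def flood_bogus_sources(port: SecurePort, count: int) -> Dict[str, int]:
    """Replay a macof-style burst of constructed source MACs and count what the port did."""
    results = {"forward": 0, "drop": 0, "errdisable": 0}
    for i in range(count):
        results[port.receive(f"0200.0000.{i:04x}")] += 1
    return results


if __name__ == "__main__":
    p = typical_port()
    print(flood_bogus_sources(p, 1000))      # {'forward': 2, 'drop': 997, 'errdisable': 1}
    print("\n".join(p.running_config()))
```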
CLI Commands
sw-class# show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
---------------------------------------------------------------------------
Fa0/12 2 0 0 Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024
sw-class# show port-security interface f0/12
Port Security : Enabled
Port status : Secure-down
Violation mode : Shutdown
Maximum MAC Addresses : 2
Total MAC Addresses : 1
Configured MAC Addresses : 0
Aging time : 120 mins
Aging type : Absolute
SecureStatic address aging : Disabled
Security Violation Count : 0
View Secure MAC Addresses
sw-class# show port-security address
Secure Mac Address Table
-------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
1 0000.ffff.aaaa SecureConfigured Fa0/12 -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024
MAC Address Notification
MAC address notification allows monitoring of the MAC addresses, at the module and port level, added by the switch or removed from the CAM table for secure ports.
SNMP traps are sent to the NMS when new MAC addresses appear or when old ones time out.
[Diagram: switch CAM table F1/1 = MAC A, F1/2 = MAC B, F2/1 = MAC D (address ages out because MAC D is away from the network); traps sent to the NMS]
Configure Portfast
Command: Description
Switch(config-if)# spanning-tree portfast: Enables PortFast on a Layer 2 access port and forces it to enter the forwarding state immediately.
Switch(config-if)# no spanning-tree portfast: Disables PortFast on a Layer 2 access port. PortFast is disabled by default.
Switch(config)# spanning-tree portfast default: Globally enables the PortFast feature on all nontrunking ports.
Switch# show running-config interface type slot/port: Indicates whether PortFast has been configured on a port.
[Diagram: server and workstation on PortFast access ports]
BPDU Guard
Switch(config)# spanning-tree portfast bpduguard default
• Globally enables BPDU guard on all ports with PortFast enabled
[Diagram: Root Bridge with forwarding (F) and blocking (B) ports; the attacker sends an STP BPDU into a port with BPDU Guard enabled]
Display the State of Spanning Tree
Switch# show spanning-tree summary totals
Root bridge for: none.
PortFast BPDU Guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Spanning tree default pathcost method used is short
Name                 Blocking Listening Learning Forwarding STP Active
-------------------- -------- --------- -------- ---------- ----------
1 VLAN                      0         0        0          1          1
<output omitted>
Root Guard
Switch(config-if)# spanning-tree guard root
• Enables root guard on a per-interface basis
[Diagram: Root Bridge (Priority = 0, MAC Address = 0000.0c45.1a5d) with forwarding (F) and blocking (B) ports; the attacker sends an STP BPDU with Priority = 0 and MAC Address = 0000.0c45.1234 into a port with Root Guard enabled]
Verify Root Guard
Switch# show spanning-tree inconsistentports
Name Interface Inconsistency
-------------------- ---------------------- ------------------
VLAN0001 FastEthernet3/1 Port Type Inconsistent
VLAN0001 FastEthernet3/2 Port Type Inconsistent
VLAN1002 FastEthernet3/1 Port Type Inconsistent
VLAN1002 FastEthernet3/2 Port Type Inconsistent
VLAN1003 FastEthernet3/1 Port Type Inconsistent
VLAN1003 FastEthernet3/2 Port Type Inconsistent
VLAN1004 FastEthernet3/1 Port Type Inconsistent
VLAN1004 FastEthernet3/2 Port Type Inconsistent
VLAN1005 FastEthernet3/1 Port Type Inconsistent
VLAN1005 FastEthernet3/2 Port Type Inconsistent
Number of inconsistent ports (segments) in the system :10
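A model (added for this lesson, not Cisco code) of how BPDU guard and root guard react to the BPDU from the Root Guard slide: a superior BPDU on an unguarded port re-elects the root, on a root-guard port it puts the port into the root-inconsistent state until the superior BPDUs stop, and on a PortFast port covered by bpduguard default it err-disables the port. The bridge priority and MAC values come from the slide; the port names, the switch's own bridge ID and the log text are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Hypothetical model of BPDU guard and root guard (not Cisco code). A bridge ID is
# (priority, MAC); the numerically lower ID wins the root election. MACs are compared as
# equal-length lowercase strings, which orders them like the underlying 48-bit values.
BridgeId = Tuple[int, str]


@dataclass
class BPDU:
    root_id: BridgeId              # the root bridge the sender advertises


@dataclass
class StpPort:
    name: str
    portfast: bool = False         # spanning-tree portfast
    bpduguard: bool = False        # BPDU guard (per interface or via 'portfast bpduguard default')
    rootguard: bool = False        # spanning-tree guard root
    state: str = "forwarding"      # forwarding | root-inconsistent | err-disabled


@dataclass
class Switch:
    bridge_id: BridgeId
    root_id: BridgeId
    ports: Dict[str, StpPort] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def bpduguard_default(self) -> None:
        """spanning-tree portfast bpduguard default: guard every PortFast port."""
        for port in self.ports.values():
            if port.portfast:
                port.bpduguard = True

    def receive_bpdu(self, port_name: str, bpdu: BPDU) -> str:
        """Apply the guards to one received BPDU; returns the port's resulting state."""
        port = self.ports[port_name]
        if port.state == "err-disabled":
            return port.state
        if port.bpduguard:
            port.state = "err-disabled"                    # BPDU guard: any BPDU shuts the port
            self.log.append(f"{port_name}: BPDU received on BPDU-guard port, err-disabled")
            return port.state
        if bpdu.root_id < self.root_id:                    # superior BPDU: claims a better root
            if port.rootguard:
                port.state = "root-inconsistent"           # blocked while superior BPDUs arrive
                self.log.append(f"{port_name}: superior BPDU blocked by root guard")
                return port.state
            self.root_id = bpdu.root_id                    # unguarded: topology is recalculated
            self.log.append(f"root bridge changed to {bpdu.root_id}")
        return port.state

    def bpdu_timeout(self, port_name: str) -> str:
        """Superior BPDUs stopped: a root-inconsistent port recovers automatically."""
        port = self.ports[port_name]
        if port.state == "root-inconsistent":
            port.state = "forwarding"
        return port.state

    def inconsistent_ports(self) -> List[Tuple[str, str]]:
        """Rows as 'show spanning-tree inconsistentports' would list them."""
        return [(p.name, "Root Inconsistent") for p in self.ports.values()
                if p.state == "root-inconsistent"]


def lesson_scenario() -> Switch:
    """Switch whose root is the slide's legitimate root bridge; port names are constructed."""
    sw = Switch(bridge_id=(32768, "0000.0c45.2222"), root_id=(0, "0000.0c45.1a5d"))
    sw.ports = {"Fa3/1": StpPort("Fa3/1", rootguard=True),      # uplink-facing, root guard
                "Fa3/2": StpPort("Fa3/2", portfast=True),       # user port, PortFast
                "Fa3/3": StpPort("Fa3/3")}                      # unprotected, for comparison
    sw.bpduguard_default()
    return sw


ATTACKER_BPDU = BPDU(root_id=(0, "0000.0c45.1234"))   # priority 0 and a lower MAC than the root


if __name__ == "__main__":
    sw = lesson_scenario()
    for name in ("Fa3/1", "Fa3/2", "Fa3/3"):
        print(name, sw.receive_bpdu(name, ATTACKER_BPDU), sw.root_id)
    print(sw.inconsistent_ports())
```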
Storm Control Methods
• Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic
• Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received
• Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received
• Traffic rate in packets per second and for small frames. This feature is enabled globally. The threshold for small frames is configured for each interface.
Storm Control Configuration
Switch(config-if)# storm-control broadcast level 75.5
Switch(config-if)# storm-control multicast level pps 2k 1k
Switch(config-if)# storm-control action shutdown
• Enables storm control
• Specifies the level at which it is enabled
• Specifies the action that should take place when the threshold (level) is reached, in addition to filtering traffic
Storm Control Parameters
Parameter: Description
broadcast: This parameter enables broadcast storm control on the interface.
multicast: This parameter enables multicast storm control on the interface.
unicast: This parameter enables unicast storm control on the interface.
level level [level-low]: Rising and falling suppression levels as a percentage of total bandwidth of the port.
• level: Rising suppression level. The range is 0.00 to 100.00. Block the flooding of storm packets when the value specified for level is reached.
• level-low: (Optional) Falling suppression level, up to two decimal places. This value must be less than or equal to the rising suppression value.
level bps bps [bps-low]: Specify the rising and falling suppression levels as a rate in bits per second at which traffic is received on the port.
• bps: Rising suppression level. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for bps is reached.
• bps-low: (Optional) Falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value.
level pps pps [pps-low]: Specify the rising and falling suppression levels as a rate in packets per second at which traffic is received on the port.
• pps: Rising suppression level. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for pps is reached.
• pps-low: (Optional) Falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value.
action {shutdown|trap}: The action taken when a storm occurs on a port. The default action is to filter traffic and to not send an SNMP trap. The keywords have these meanings:
• shutdown: Disables the port during a storm
• trap: Sends an SNMP trap when a storm occurs
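The rising/falling semantics in the table are easiest to see in a simulation. The following is added here for this lesson and is not Cisco code: it parses the storm-control lines from the configuration slide (including the 2k/1k suffixes), rejects a falling level above the rising one, and applies the hysteresis per interval with the default filter action, the trap action and the shutdown action. Interface names, trap text and the per-interval rate samples are constructed; a real switch measures the rate over a one-second window.

```python
import re
from typing import Dict, List, Optional, Tuple

# Hypothetical simulation of storm-control thresholds (not Cisco code). Rates are fed in as
# one measurement per interval; a real switch samples over a one-second window.
_SUFFIX = {"k": 1_000, "m": 1_000_000, "g": 1_000_000_000}


def parse_rate(token: str) -> float:
    """'75.5' -> 75.5, '2k' -> 2000.0 (the k/m/g suffixes the pps and bps forms accept)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([kmg]?)", token.lower())
    if not m:
        raise ValueError(f"bad rate: {token}")
    return float(m.group(1)) * _SUFFIX.get(m.group(2), 1)


def parse_storm_control(line: str) -> Tuple[str, str, Optional[float], Optional[float]]:
    """Parse 'storm-control <type> level [bps|pps] <rising> [falling]' or 'storm-control action <x>'.
    Returns (traffic type, unit, rising, falling); for action lines ('action', <action>, None, None)."""
    words = line.split()
    if words[:1] != ["storm-control"]:
        raise ValueError(f"not a storm-control line: {line}")
    if words[1] == "action":
        return "action", words[2], None, None
    kind, unit, rest = words[1], "percent", words[3:]     # words[2] is the 'level' keyword
    if rest[0] in ("bps", "pps"):
        unit, rest = rest[0], rest[1:]
    rising = parse_rate(rest[0])
    falling = parse_rate(rest[1]) if len(rest) > 1 else rising   # no low value: same as rising
    if falling > rising:
        raise ValueError("falling level must be less than or equal to the rising level")
    if unit == "percent" and not 0 <= rising <= 100:
        raise ValueError("percentage level must be between 0.00 and 100.00")
    return kind, unit, rising, falling


class StormControlPort:
    """One interface with per-traffic-type thresholds and one action (default: filter only)."""

    def __init__(self, name: str, config: List[str]):
        self.name = name
        self.action = "filter"
        self.thresholds: Dict[str, Tuple[str, float, float]] = {}
        self.blocking: Dict[str, bool] = {}
        self.err_disabled = False
        self.traps: List[str] = []
        for line in config:
            kind, unit, rising, falling = parse_storm_control(line)
            if kind == "action":
                self.action = unit
            else:
                self.thresholds[kind] = (unit, rising, falling)
                self.blocking[kind] = False

    def observe(self, kind: str, rate: float) -> str:
        """Feed one interval's measured broadcast/multicast/unicast rate; returns the filter
        state as 'show storm-control' would show it, or 'Err-disabled' after a shutdown."""
        if self.err_disabled:
            return "Err-disabled"
        if kind not in self.thresholds:
            return "Forwarding"                     # this traffic type is not policed
        unit, rising, falling = self.thresholds[kind]
        if not self.blocking[kind] and rate >= rising:
            self.blocking[kind] = True              # storm: suppress this traffic type
            if self.action == "trap":
                self.traps.append(f"{self.name}: {kind} storm at {rate} {unit}")  # constructed
            elif self.action == "shutdown":
                self.err_disabled = True
                return "Err-disabled"
        elif self.blocking[kind] and rate < falling:
            self.blocking[kind] = False             # rate fell below the falling threshold
        return "Blocking" if self.blocking[kind] else "Forwarding"


if __name__ == "__main__":
    port = StormControlPort("Gi0/1", ["storm-control multicast level pps 2k 1k",
                                      "storm-control action trap"])
    for sample in (500, 2500, 1500, 900):           # constructed per-interval pps samples
        print(sample, port.observe("multicast", sample))
```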
Verify Storm Control Settings
Switch# show storm-control
Interface Filter State Upper Lower Current
--------- ------------- ---------- --------- ---------
Gi0/1     Forwarding    20 pps     10 pps    5 pps
Gi0/2 Forwarding 50.00% 40.00% 0.00%
<output omitted>
Mitigating VLAN Attacks
[Diagram: trunk with Native VLAN = 10]
1. Disable trunking on all access ports.
2. Disable auto trunking and manually enable trunking.
3. Be sure that the native VLAN is used only for trunk lines and nowhere else.
Controlling Trunking
Switch(config-if)# switchport mode trunk
• Specifies an interface as a trunk link
Switch(config-if)# switchport nonegotiate
• Prevents the generation of DTP frames
Switch(config-if)# switchport trunk native vlan vlan_number
• Sets the native VLAN on the trunk to an unused VLAN
Traffic Analysis
A SPAN port mirrors traffic to another port where a monitoring device is connected. Without this, it can be difficult to track hackers after they have entered the network.
[Diagram: attacker traffic mirrored by the switch to an IDS, RMON probe or protocol analyzer, which raises an “Intruder Alert!”]
CLI Commands
Switch(config)# monitor session session_number source {interface interface-id [, | -] [both | rx | tx]} | {vlan vlan-id [, | -] [both | rx | tx]} | {remote vlan vlan-id}
Switch(config)# monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate] [ingress {dot1q vlan vlan-id | isl | untagged vlan vlan-id | vlan vlan-id}]} | {remote vlan vlan-id}
Verify SPAN Configuration
SPAN and IDS
Use SPAN to mirror traffic in and out of port F0/1 to port F0/2.
[Diagram: attacker on F0/1, IDS on F0/2]
Overview of RSPAN
• An RSPAN port mirrors traffic to another port on another switch where a probe or IDS sensor is connected.
• This allows more switches to be monitored with a single probe or IDS.
[Diagram: several source VLANs on different switches carried over the RSPAN VLAN to an IDS, which raises an “Intruder Alert!”]
Configuring RSPAN
1. Configure the RSPAN VLAN
2. Configure the RSPAN source ports and VLANs
3. Configure the RSPAN traffic to be forwarded
[Diagram: switches 2960-1 and 2960-2 connected by a trunk on FastEthernet 0/2]
2960-1(config)# vlan 100
2960-1(config-vlan)# remote-span
2960-1(config-vlan)# exit
2960-1(config)# monitor session 1 source interface FastEthernet 0/1
2960-1(config)# monitor session 1 destination remote vlan 100 reflector-port FastEthernet 0/24
2960-1(config)# interface FastEthernet 0/2
2960-1(config-if)# switchport mode trunk
2960-2(config)# monitor session 2 source remote vlan 100
2960-2(config)# monitor session 2 destination interface FastEthernet 0/3
2960-2(config)# interface FastEthernet 0/2
2960-2(config-if)# switchport mode trunk
Verifying RSPAN Configuration
show monitor [session {session_number | all | local | range list | remote} [detail]] [ | {begin | exclude | include} expression]
[Diagram: switches 2960-1 and 2960-2]
Layer 2 Guidelines
• Manage switches in as secure a manner as possible (SSH, out-of-band management, ACLs, etc.)
• Set all user ports to non-trunking mode (except if using Cisco VoIP)
• Use port security where possible for access ports
• Enable STP attack mitigation (BPDU guard, root guard)
• Use Cisco Discovery Protocol only where necessary (with phones it is useful)
• Configure PortFast on all non-trunking ports
• Configure root guard on STP root ports
• Configure BPDU guard on all non-trunking ports
VLAN Practices
• Always use a dedicated, unused native VLAN ID for trunk ports
• Do not use VLAN 1 for anything
• Disable all unused ports and put them in an unused VLAN
• Manually configure all trunk ports and disable DTP on trunk ports
• Configure all non-trunking ports with switchport mode access
Overview of Wireless, VoIP Security
Overview of SAN Security
Infrastructure-Integrated Approach
• Proactive threat and intrusion detection capabilities that do not simply detect wireless attacks but prevent them
• Comprehensive protection to safeguard confidential data and communications
• Simplified user management with a single user identity and policy
• Collaboration with wired security systems
Cisco IP Telephony Solutions
• Single-site deployment
• Centralized call processing with remote branches
• Distributed call-processing deployment
• Clustering over the IP WAN
Storage Network Solutions
• Investment protection
• Virtualization
• Security
• Consolidation
• Availability
Cisco Wireless LAN Controllers
• Responsible for system-wide wireless LAN functions
• Work in conjunction with APs and the Cisco Wireless Control System (WCS) to support wireless applications
• Smoothly integrate into existing enterprise networks
Wireless Hacking
• War driving
• A neighbor hacks into another neighbor’s wireless network to get free Internet access or access information
• Free Wi-Fi provides an opportunity to compromise the data of users
Hacking Tools
• Network Stumbler
• Kismet
• AirSnort
• CoWPAtty
• ASLEAP
• Wireshark
Safety Considerations
• Wireless networks using WEP or WPA/TKIP are not very secure and vulnerable to hacking attacks.
• Wireless networks using WPA2/AES should have a passphrase of at least 21 characters long.
• If an IPsec VPN is available, use it on any public wireless LAN.
• If wireless access is not needed, disable the wireless radio or wireless NIC.
VoIP Business Advantages
• Lower telecom call costs
• Productivity increases
• Lower costs to move, add, or change
• Lower ongoing service and maintenance costs
• Little or no training costs
• No major set-up fees
• Enables unified messaging
• Encryption of voice calls is supported
• Fewer administrative personnel required
[Diagram: PSTN connected to the VoIP network through a gateway]
VoIP Components
[Diagram: Cisco Unified Communications Manager (call agent), Cisco Unity, MCU, IP phones and a videoconference station on the IP backbone; routers/gateways connect to the PSTN]
VoIP Protocols
VoIP Protocol: Description
H.323: ITU standard protocol for interactive conferencing; evolved from H.320 ISDN standard; flexible, complex
MGCP: Emerging IETF standard for PSTN gateway control; thin device control
Megaco/H.248: Joint IETF and ITU standard for gateway control with support for multiple gateway types; evolved from MGCP standard
SIP: IETF protocol for interactive and noninteractive conferencing; simpler but less mature than H.323
RTP: IETF standard media-streaming protocol
RTCP: IETF protocol that provides out-of-band control information for an RTP flow
SRTP: IETF protocol that encrypts RTP traffic as it leaves the voice device
SCCP: Cisco proprietary protocol used between Cisco Unified Communications Manager and Cisco IP phones
Threats
• Reconnaissance
• Directed attacks such as spam over IP telephony (SPIT) and spoofing
• DoS attacks such as DHCP starvation, flooding, and fuzzing
• Eavesdropping and man-in-the-middle attacks
VoIP SPIT
• If SPIT grows like spam, it could result in regular DoS problems for network administrators.
• Antispam methods do not block SPIT.
• Authenticated TLS stops most SPIT attacks because TLS endpoints accept packets only from trusted devices.
[Illustration: a SPIT call announcing “You’ve just won an all expenses paid vacation to the U.S. Virgin Islands!!!”]
Fraud
• Fraud takes several forms:
– Vishing—A voice version of phishing that is used to compromise confidentiality.
– Theft and toll fraud—The stealing of telephone services.
• Use features of Cisco Unified Communications Manager to protect against fraud.
– Partitions limit what parts of the dial plan certain phones have access to.
– Dial plans filter control access to exploitive phone numbers.
– FACs prevent unauthorized calls and provide a mechanism for tracking.
SIP Vulnerabilities
• Registration hijacking: allows a hacker to intercept incoming calls and reroute them.
• Message tampering: allows a hacker to modify data packets traveling between SIP addresses.
• Session tear-down: allows a hacker to terminate calls or carry out VoIP-targeted DoS attacks.
[Diagram: SIP user agents communicating through SIP servers/services: SIP proxy, registrar and location database]
Using VLANs
• Creates a separate broadcast domain for voice traffic
• Protects against eavesdropping and tampering
• Renders packet-sniffing tools less effective
• Makes it easier to implement VACLs that are specific to voice traffic
[Diagram: IP phone (10.1.110.3) in Voice VLAN 110 and desktop PC (171.1.1.1) in Data VLAN 10 sharing switch port 5/1 over an 802.1Q trunk]
Using Cisco ASA Adaptive Security Appliances
• Ensure SIP, SCCP, H.323, and MGCP requests conform to standards
• Prevent inappropriate SIP methods from being sent to Cisco Unified Communications Manager
• Rate limit SIP requests
• Enforce policy of calls (whitelist, blacklist, caller/called party, SIP URI)
• Dynamically open ports for Cisco applications
• Enable only “registered phones” to make calls
• Enable inspection of encrypted phone calls
[Diagram: Cisco Adaptive Security Appliances at the Internet and WAN edges]
Using VPNs
• Use IPsec for authentication
• Use IPsec to protect all traffic, not just voice
• Consider SLA with service provider
• Terminate on a VPN concentrator or large router inside of firewall to gain these benefits:
• Performance
• Reduced configuration complexity
• Managed organizational boundaries
[Diagram: telephony servers and an SRST router connected across the IP WAN]
Using Cisco Unified Communications Manager
• Signed firmware
• Signed configuration files
• Disable:
– PC port
– Setting button
– Speakerphone
– Web access
SAN Security Considerations
[Diagram: SAN connected to the IP network]
Specialized network that enables fast, reliable access among servers and external storage resources
SAN Transport Technologies
• Fibre Channel – the
primary SAN transport
for host-to-SAN
connectivity
• iSCSI – maps SCSI over
TCP/IP and is another
host-to-SAN connectivity
model
• FCIP – a popular SAN-
to-SAN connectivity
model
90
World Wide Name
• A 64-bit address that Fibre Channel networks use
to uniquely identify each element in a Fibre
Channel network
• Zoning can utilize WWNs to assign security
permissions
• The WWN of a device is a user-configurable
parameter.
Figure: Cisco MDS 9020 Fabric Switch
91
Zoning Operation
• Zone members see only
other members of the zone.
• Zones can be configured
dynamically based on WWN.
• Devices can be members of
more than one zone.
• Switched fabric zoning can
take place at the port or
device level: based on
physical switch port or based
on device WWN or based on
LUN ID.
Figure: Host1, Host2 and Disk1 through Disk4 on one SAN, grouped into ZoneA, ZoneB and ZoneC
An example of zoning. Note that devices can be members of more than one zone.
92
Virtual Storage Area Network (VSAN)
Physical SAN islands are virtualized onto
common SAN infrastructure
Figure: Cisco MDS 9000 Family with VSAN service
93
Security Focus
Figure: security focus areas of a secure SAN: IP storage access, data integrity and secrecy, target access, SAN protocol, SAN management access, and fabric access
94
SAN Management
Three main areas of vulnerability:
1. Disruption of switch processing
2. Compromised fabric stability
3. Compromised data integrity and confidentiality
95
Fabric and Target Access
Three main areas of focus:
• Application data integrity
• LUN integrity
• Application performance
96
VSANs
Two VSANs each with
multiple zones. Disks and
hosts are dedicated to
VSANs although both
hosts and disks can belong
to multiple zones within a
single VSAN. They cannot,
however, span VSANs.
Figure: physical topology divided into VSAN 2 and VSAN 3, with Host1 through Host4 and Disk1 through Disk6 grouped into ZoneA, ZoneB, ZoneC and ZoneD; the zone name ZoneA appears once in each VSAN
Relationship of VSANs to Zones
97
iSCSI and FCIP
• iSCSI leverages many of the security features inherent
in Ethernet and IP
– ACLs are like Fibre Channel zones
– VLANs are like Fibre Channel VSANs
– 802.1X port security is like Fibre Channel port security
• FCIP security leverages many IP security features in
Cisco IOS-based routers:
– IPsec VPN connections through public carriers
– High-speed encryption services in specialized hardware
– Can be run through a firewall
98
Implementing Cisco Edge
Network Security Solutions
(300-206)
Module 2
Access Lists
100
Objectives
• Describe the usage and rules of access lists
• Establish standard IP access lists
• Produce extended IP access lists
• Apply access lists to interfaces
• Monitor and verify access lists
101
Objectives (continued)
• Create named access lists
• Use Security Device Manager to create standard
and extended IP access lists
• Use Security Device Manager to create a router
firewall
102
Access Lists: Usage and Rules
• Access lists
– Permit or deny statements that filter traffic based on
the source address, destination address, protocol
type, and port number of a packet
– Available for IP, IPX, AppleTalk, and many other
protocols
103
Access List Usage
• You can create a standard access list that examines
a packet for the packet’s source header information
• deny any statement
– Implicitly blocks all packets that do not meet the
requirements of the access list
– Exists even though it is not shown as part of the
access list
• With careful planning, you can create access lists
that control which traffic crosses particular links
– And which segments of your network will have access
to others
104
Access List Usage (continued)
105
Problems with Access Lists
• Lack of planning is one of the most common
problems associated with access lists
• The need to enter the list sequentially into the router
also presents problems
– You cannot move individual statements once they are
entered
– When making changes, you must remove the list, using the no access-list [list number]
command, and then retype the commands
• Access lists begin working the second they are
applied to an interface
106
Access List Rules
• Example of the structure of a standard IP access
list:
RouterA(config)#access-list 1 deny 172.22.5.2 0.0.0.0
RouterA(config)#access-list 1 deny 172.22.5.3 0.0.0.0
RouterA(config)#access-list 1 permit any
• Router applies each line in the order in which you
type it into the access list
• The no access-list [list #] command is used to remove an access list
107
Access List Rules (continued)
108
Access List Rules (continued)
• As a general rule, the lines with the most potential
matches should be first in the list
– So that packets will not undergo unnecessary
processing
• You should avoid unnecessarily long access lists
• After you create access lists, you must apply them
to interfaces so they can begin filtering traffic
– You apply a list as either an outgoing or an incoming
filter
109
Access List Rules (continued)
• In summary, all access lists follow these rules:
– Routers apply lists sequentially in the order in which
you type them into the router
– Routers apply lists to packets sequentially, from the
top down, one line at a time
– Packets are processed only until a match is made
– Lists always end with an implicit deny
– Access lists must be applied to an interface as either
inbound or outbound traffic filters
– Only one list, per protocol, per direction can be
applied to an interface
– Access lists are effective as soon as they are applied
110
Standard IP Access Lists
• Standard IP access lists
– Filter network traffic based on the source IP address
only
– Using a standard IP access list, you can filter traffic
by a host IP, subnet, or a network address
• Configure standard IP access lists:
– access-list [list #] [permit|deny] [source address] [source wildcard mask]
• Routers use wildcards to determine which bits in an
address will be significant
111
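The wildcard-mask and first-match rules described above, as an added Python example that is not part of the original deck: it parses the numbered standard-list syntax shown on the slides, evaluates a source address top-down with the implicit deny, and shows that, unlike a subnet mask, the "don't care" bits of a wildcard need not be contiguous. Access list 1 reuses the slide's example; access list 13 is a constructed list that permits only a management network.

```python
import ipaddress


def wildcard_matches(ip: str, address: str, wildcard: str) -> bool:
    """IOS wildcard-mask semantics: a 0 bit in the wildcard means the
    corresponding address bit is significant and must match; a 1 bit means
    'don't care'. Unlike a subnet mask, the 1 bits need not be contiguous."""
    to_int = lambda s: int(ipaddress.IPv4Address(s))
    differing_bits = to_int(ip) ^ to_int(address)
    # Any differing bit that falls under a significant (0) wildcard bit is a mismatch.
    return differing_bits & ~to_int(wildcard) & 0xFFFFFFFF == 0


def parse_standard_acl(config_lines):
    """Parse 'access-list <n> permit|deny <source> [wildcard]' lines into
    per-list entry tuples. 'any' and 'host X' are the usual IOS shorthands
    for '0.0.0.0 255.255.255.255' and 'X 0.0.0.0'."""
    acls = {}
    for line in config_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        number, action = parts[1], parts[2]
        if parts[3] == "any":
            address, wildcard = "0.0.0.0", "255.255.255.255"
        elif parts[3] == "host":
            address, wildcard = parts[4], "0.0.0.0"
        else:
            address = parts[3]
            wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"
        acls.setdefault(number, []).append((action, address, wildcard))
    return acls


def evaluate_standard_acl(entries, source_ip: str):
    """Top-down, first match wins; the list ends with the implicit 'deny any'
    that never appears in the configuration. Returns (action, entry number),
    with entry number None when the implicit deny was hit."""
    for n, (action, address, wildcard) in enumerate(entries, 1):
        if wildcard_matches(source_ip, address, wildcard):
            return action, n
    return "deny", None


# Constructed input: access list 1 is the slide's example, access list 13 is
# a made-up management list that permits only 192.168.12.0/24.
SAMPLE_CONFIG = [
    "access-list 1 deny 172.22.5.2 0.0.0.0",
    "access-list 1 deny 172.22.5.3 0.0.0.0",
    "access-list 1 permit any",
    "access-list 13 permit 192.168.12.0 0.0.0.255",
]
ACLS = parse_standard_acl(SAMPLE_CONFIG)

if __name__ == "__main__":
    for ip in ("172.22.5.2", "172.22.5.3", "172.22.5.4"):
        print("acl 1 ", ip, evaluate_standard_acl(ACLS["1"], ip))
    for ip in ("192.168.12.12", "192.168.13.1"):
        print("acl 13", ip, evaluate_standard_acl(ACLS["13"], ip))
    # Non-contiguous wildcard: third octet ignored, everything else significant.
    print(wildcard_matches("10.1.99.5", "10.1.0.5", "0.0.255.0"))
```

The entry number returned alongside the action is what a `show access-lists` match counter would be incremented for, which is why the slides recommend placing the lines with the most potential matches first.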
Standard IP Access Lists (continued)
(figures on slides 112 through 116)
Standard IP Access List Examples
• Standard IP access lists permit or deny packets
based only on the source address
– Addresses can be a single host address, a subnet
address, or a full network address
117
Standard IP Access List Examples
(continued)
• Correct placement of a list is imperative
• To view the access lists defined on your router, use the show access-lists command
– For IP access lists you could also use the show ip access-lists command
• If you decide that an access list needs to be removed from an interface
– You can remove it with the no ip access-group [list #] command
120
Standard IP Access List Examples
(continued)
• Application of the list as an outbound filter on
FastEthernet0/0
– See Figure 10-15
• Use the show access-lists or show ip access-lists command followed by the show ip interface command
– To verify that the list has been entered and applied
correctly
126
Monitoring Standard IP Access Lists
• Three main commands are available for monitoring
access lists on your router
– show access-lists
– show ip access-lists
– show interfaces or show ip interface
• Use the no access-list [list #] command to remove the list
• Use the no ip access-group [list #] [direction] command to remove the application of the list
130
Extended IP Access Lists
• Extended IP access lists
– Can filter by source IP address, destination IP
address, protocol type, and application port number
– This granularity allows you to design extended IP
access lists that:
• Permit or deny a single type of IP protocol
• Filter by a particular port of a particular protocol
131
Extended IP Access Lists (continued)
• To configure extended IP access lists, you must
create the list and then apply it to an interface using
the following syntax
– access-list [list #] [permit|deny] [protocol] [source IP address] [source wildcard mask] [operator] [port] [destination IP address] [destination wildcard mask] [operator] [port] [log]
132
Extended IP Access List Examples
(figures on slides 133 through 136)
The “Established” Parameter
• Established parameter
– Permits traffic from any host on any network to any
destination, as long as the traffic was in response to a
request initiated inside the network
• Example:
access-list 100 permit tcp any 15.0.0.0 0.255.255.255 established
137
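The extended-list syntax from the previous slide and the established parameter above, as an added Python example that is not part of the original deck: it parses numbered extended entries (protocol, source and destination with wildcards, eq/neq/gt/lt port operators, established, log) and evaluates constructed packets top-down with the implicit deny. The established entry is the slide's own; the two other entries and the packets are constructed, and the evaluator applies the IOS rule that established matches only TCP segments carrying the ACK or RST flag.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Port operators the slide's syntax allows after an address ("[operator] [port]").
OPERATORS = {
    "eq": lambda port, value: port == value,
    "neq": lambda port, value: port != value,
    "gt": lambda port, value: port > value,
    "lt": lambda port, value: port < value,
}


def wildcard_matches(ip: str, address: str, wildcard: str) -> bool:
    """0 wildcard bits are significant, 1 bits are 'don't care'."""
    to_int = lambda s: int(ipaddress.IPv4Address(s))
    return (to_int(ip) ^ to_int(address)) & ~to_int(wildcard) & 0xFFFFFFFF == 0


@dataclass
class Entry:
    action: str                                   # permit | deny
    protocol: str                                 # ip | tcp | udp | icmp ...
    src: Tuple[str, str]                          # (address, wildcard)
    dst: Tuple[str, str]
    src_port: Optional[Tuple[str, int]] = None    # (operator, port)
    dst_port: Optional[Tuple[str, int]] = None
    established: bool = False
    log: bool = False


def _parse_address(tokens, i):
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def _parse_port(tokens, i):
    if i < len(tokens) and tokens[i] in OPERATORS:
        return (tokens[i], int(tokens[i + 1])), i + 2
    return None, i


def parse_extended_acl(lines):
    """Parse 'access-list <n> permit|deny <proto> <src> [op port] <dst>
    [op port] [established] [log]' lines into per-list Entry objects."""
    acls = {}
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        src, i = _parse_address(t, 4)
        src_port, i = _parse_port(t, i)
        dst, i = _parse_address(t, i)
        dst_port, i = _parse_port(t, i)
        flags = set(t[i:])
        acls.setdefault(t[1], []).append(Entry(
            t[2], t[3], src, dst, src_port, dst_port,
            "established" in flags, "log" in flags))
    return acls


def _port_ok(spec, port):
    if spec is None:
        return True
    if port is None:          # e.g. an ICMP packet checked against a TCP port operator
        return False
    return OPERATORS[spec[0]](port, spec[1])


def evaluate_extended_acl(entries, packet):
    """Top-down first match with the implicit deny. 'established' matches only
    TCP segments that carry ACK or RST, i.e. replies to sessions that were
    opened from the inside; a bare SYN never matches it."""
    for n, e in enumerate(entries, 1):
        if e.protocol not in ("ip", packet["protocol"]):
            continue
        if not (wildcard_matches(packet["src"], *e.src)
                and wildcard_matches(packet["dst"], *e.dst)):
            continue
        if not (_port_ok(e.src_port, packet.get("sport"))
                and _port_ok(e.dst_port, packet.get("dport"))):
            continue
        if e.established and not (packet["protocol"] == "tcp"
                                  and packet.get("tcp_flags", set()) & {"ACK", "RST"}):
            continue
        return e.action, n
    return "deny", None


# Constructed input: the first line is the slide's example, the others are made up.
ACL_100 = parse_extended_acl([
    "access-list 100 permit tcp any 15.0.0.0 0.255.255.255 established",
    "access-list 100 permit tcp any host 15.1.1.10 eq 80",
    "access-list 100 permit udp any 15.0.0.0 0.255.255.255 eq 53",
])["100"]

# Constructed inbound packets as seen on the outside interface.
REPLY = {"protocol": "tcp", "src": "203.0.113.7", "dst": "15.1.2.3",
         "sport": 443, "dport": 51514, "tcp_flags": {"ACK"}}
NEW_CONNECTION = {"protocol": "tcp", "src": "203.0.113.7", "dst": "15.1.2.3",
                  "sport": 40000, "dport": 22, "tcp_flags": {"SYN"}}
WEB_REQUEST = {"protocol": "tcp", "src": "203.0.113.7", "dst": "15.1.1.10",
               "sport": 40001, "dport": 80, "tcp_flags": {"SYN"}}
DNS_QUERY = {"protocol": "udp", "src": "203.0.113.7", "dst": "15.1.2.3",
             "sport": 5000, "dport": 53}

if __name__ == "__main__":
    for name, pkt in [("reply", REPLY), ("new ssh", NEW_CONNECTION),
                      ("web", WEB_REQUEST), ("dns", DNS_QUERY)]:
        print(name, evaluate_extended_acl(ACL_100, pkt))
```

Because established only inspects the flag bits of a single segment, a crafted segment with ACK set would satisfy it too; that is the stateless limitation that Cisco's stateful inspection (CBAC, and the firewall features discussed later with the SDM) was introduced to remove.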
Monitoring Extended IP Access Lists
• The same commands used to monitor standard IP
access lists are used to monitor extended IP access
lists
• Extended IP lists keep track of the number of packets
that pass each line of an access list
– The clear access-list counters [list #]
command clears the counters
– The no access-list [list#] command removes
the list
– The no ip access-group [list#] [direction]
command removes the application of the list
138
Using Named Lists
• Named access lists
– In Cisco IOS versions 11.2 and above, names instead
of numbers can be used to identify lists
• To name a standard IP access list, use the following syntax:
RouterC(config)#ip access-list standard [name]
• To name an extended IP access list, use the following syntax:
RouterC(config)#ip access-list extended [name]
141
Using Named Lists (continued)
• Once the list is named, the permit or deny
statement is entered
• The commands follow the same syntax as unnamed
lists
– The beginning part of the command is not included
• To apply a standard IP named list to an interface,
the syntax is:
RouterC(config-if)#ip access-group [name] [in | out]
142
Using Named Lists (continued)
• Advantages:
– Allows you to maintain security by using an easily
identifiable access list
– Removes the limit of 100 lists per filter type
– With named access lists lines can be selectively
deleted in the ACL
– Named ACLs provide greater flexibility to network
administrators who work in environments where large
numbers of ACLs are needed
143
Controlling VTY Line Access
• Access lists are used for both traffic flow and
security
• One useful security feature of access lists is
restricting access to telnet on your router
– By controlling VTY line access
• You must first create a standard IP access list that
permits the management workstation
RouterA(config)#access-list 12 permit 192.168.12.12 0.0.0.0
• Then, it must be applied to the VTY lines
access-class [acl #] [in | out]
144
Controlling VTY Line Access
(continued)
• To apply access list 12 to the VTY lines, use the
following command:
RouterA(config)#line vty 0 4
RouterA(config-line)#access-class 12 in
• The commands to restrict access to the VTY lines to
network 192.168.12.0/24 only are:
RouterA(config)#access-list 13 permit 192.168.12.0 0.0.0.255
RouterA(config)#line vty 0 4
RouterA(config-line)#access-class 13 in
145
Using Security Device Manager to
Create Access Control Lists
• Using the SDM, an administrator can accomplish all
the tasks that formerly required use of the CLI
interface
• SDM allows you to easily create a standard or an
extended access list or, as it is known in the SDM,
an Access Control List (ACL)
146
Using Security Device Manager to
Create a Router Firewall
• Unlike the CLI, the SDM allows a router to be
configured as a firewall
153
Summary
• Access lists are one of the most important IOS
tools for controlling network traffic and security
• Access lists are created in a two-step process
• All access lists are created sequentially and
applied sequentially to all packets that enter an
interface where the list is applied
• By default, access lists always end in an implicit deny any statement
• Only one access list per direction (inbound or
outbound) per protocol can be applied to an
interface
160
Summary (continued)
• Standard IP access lists allow you to filter traffic
based on the source IP address of a packet
• Extended IP access lists filter traffic based on
source, destination, protocol type, and application
type
• Access lists can be used to restrict telnet by
controlling VTY line access
• Each type of access list is identified by its own range of numbers
161
Summary (continued)
• The SDM can be used to configure both standard
and extended ACLs via the Additional Tasks
configuration tab
• The SDM can be used to configure a router as
either a Basic or Advanced firewall
• The main difference between a Basic and
Advanced firewall is the ability to configure DMZ
interfaces in the Advanced firewall setup wizard
CCNA Guide to Cisco
Networking Fundamentals Fourth Edition
Chapter 14
Network Security
163
Objectives
• Distinguish between the different types of network
security threats
• Explain how to mitigate network security threats
• Implement SSH on Cisco routers and switches
• Configure VPNs with the Cisco Security Device
Manager
164
General Network Security
• Security policy
– An organization’s set of rules regarding how to handle
and protect sensitive data
• A security policy should include:
– Physical security
– Acceptable use of applications
– Safeguarding data
– Remote access to the network
– Data center
– Wireless security
165
General Network Security (continued)
• An effective security policy implements multiple
layers of security
• A security policy should have three goals:
– To prevent the hacker from getting access to critical
data
– To slow down the hacker enough to be caught
– To frustrate the hacker enough to cause him or her to
quit the hacking attempt
• When designing a security policy, take care to
specify exactly what you are trying to protect
166
Protecting the Hardware
• The first level of security in any network is physical
security
• Critical nodes of an organization should be
separated from the general workforce
• The nodes should be kept in a central location
where only a select group of people are allowed
• If office space is limited and nodes must be located
near employees
– The servers should at least be stored in a locked
cabinet
167
Protecting Software
• The primary threats against software are malware
and hackers
• Malware
– Refers to malicious programs that have many
different capabilities
• Hackers are usually driven by greed, ego, and/or
vengeance
– They look to make personal gains through system
vulnerabilities
169
Malware Prevention
• The most important elements of a prevention plan
– Installing and maintaining virus prevention software,
– Conducting virus awareness training for network
users
• Types of malware
– Virus
– Worm
– Macro Virus
– Polymorphic Virus
– Stealth Virus
170
Malware Prevention (continued)
• Types of malware (continued)
– Boot-Sector Virus
– Trojan or Trojan Horse
– Logic Bomb
• Virus prevention software
– Available for installation on entire networks
– Usually includes a version that will run on clients as
well as servers
– Must be updated regularly to ensure your network is
protected against all the latest malware threats
171
Malware Prevention (continued)
• User training
– Users must be trained to update their antivirus
software daily or, at a bare minimum, weekly
– Users also must learn how viruses are transmitted
between computers
– Teach users to scan removable devices with the virus
scanning software before using them
172
Firewalls
• Firewall
– The primary method of keeping hackers out of a
network
– Normally placed between a private LAN and the
public Internet, where they act like gatekeepers
– Can be a hardware device or it can be software
– Types: personal and enterprise
• All data packets entering or exiting the network
have to pass through an enterprise-level firewall
– Firewall filters (or analyzes) packets
173
Firewalls (continued)
• Four firewall topologies
– Packet-filtering router
– Single-homed bastion
– Dual-homed bastion
– Demilitarized zone (DMZ)
174
Firewalls (continued)
• Intrusion Detection Systems (IDS)
– A security device that can detect a hacker’s attempts
to gain access to the network
– Can also detect virus outbreaks, worms, and
distributed denial of service (DDoS) attacks
• Intrusion Prevention Systems (IPS)
– Like an IDS, except that it is placed in line so all
packets coming in or going out of the network pass
through it
– This allows an IPS to drop packets based on rules
defined by the network administrator
179
Permissions, Encryption, and
Authentication
• Permission
– An official approval that allows a user to access a
specific network resource
• Encryption
– Often consists of using security algorithms to
scramble and descramble data
– Types of algorithms
• Symmetric key
• Asymmetric key
180
Permissions, Encryption, and
Authentication (continued)
• Secure Sockets Layer
– A means of encrypting a session between two hosts
through the use of digital certificates, which are
based on asymmetric key encryption
• Authentication
– The process by which users verify to a server that
they are who they say they are
– There are several types of authentication
• Password authentication protocol (PAP)
• Challenge handshake authentication protocol (CHAP)
183
Permissions, Encryption, and
Authentication (continued)
• Additional authentication services supported by
Cisco:
– Remote Authentication Dial-in User Service (RADIUS)
– Terminal Access Controller Access Control System
Plus (TACACS+)
• These two common security protocols are based on
the Authentication, Authorization, and
Accounting (AAA) model
184
Mitigating Security Threats
• The three basic strategies for mitigating security
threats are:
– Using the SSH protocol to connect to your routers and
switches rather than telnet
– Turning off unnecessary services
– Keeping up-to-date on security patches (software
releases) with a patch management initiative
185
Secure Shell (SSH) Connections
• Secure Shell (SSH) protocol
– Sends all data encrypted
• The two versions of SSH are SSH Version 1 and SSH
Version 2
– SSH Version 2 is the recommended version
• Some SSH commands are mandatory and others
are optional
• You must also generate an RSA key pair
(asymmetric key encryption)
– Which enables SSH
186
Secure Shell (SSH) Connections
(continued)
• The preferred method is to implement SSH on all
VTY lines
– Which ensures that all remote IP sessions to the
router will be protected in the SSH tunnel
• The command sequence for enabling SSH is:
Router(config)#hostname SshRouter
SshRouter(config)#ip domain-name sshtest.com
SshRouter(config)#crypto key generate rsa
The name of the keys will be: SshRouter.sshtest.com
187
Disabling Unnecessary Services
• You should disable these services unless your
organization uses them
• Methods
– Go through the CLI and enter a series of commands
for each service
– Use the Security Audit Wizard in the Cisco Security
Device Manager (SDM)
• The following services are unnecessary on most
networks:
– Finger Service
– PAD Service
188
Disabling Unnecessary Services
(continued)
• The following services are unnecessary on most
networks: (continued)
– TCP Small Servers Service
– UDP Small Servers Service
– IP Bootp Server Service
– Cisco Discovery Protocol (CDP)
– IP Source Route
– Maintenance Operations Protocol (MOP)
– Directed Broadcast
189
Disabling Unnecessary Services
(continued)
• The following services are unnecessary on most
networks: (continued)
– ICMP Redirects
– Proxy ARP
– IDENT
– IPv6
190
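The list of services above is what the Security Audit Wizard checks for; as an added Python example that is not part of the original deck or of the SDM, the following hypothetical audit script parses a constructed IOS running-config and reports which of those services have not been explicitly disabled. It is deliberately conservative: a service counts as hardened only when the corresponding `no ...` line is present, because IOS hides default settings from the running-config and the defaults differ between releases. The command spellings are the standard IOS ones; IPv6 is approximated by flagging `ipv6 unicast-routing`, and the interface-level checks are run per interface stanza.

```python
# Global-configuration lines that disable the services listed on the slides.
GLOBAL_HARDENING = {
    "Finger service": "no service finger",
    "PAD service": "no service pad",
    "TCP small servers": "no service tcp-small-servers",
    "UDP small servers": "no service udp-small-servers",
    "BOOTP server": "no ip bootp server",
    "Cisco Discovery Protocol": "no cdp run",
    "IP source routing": "no ip source-route",
    "IDENT": "no ip identd",
}
# Interface-level lines; checked separately for every interface stanza.
INTERFACE_HARDENING = {
    "ICMP redirects": "no ip redirects",
    "Proxy ARP": "no ip proxy-arp",
    "Directed broadcast": "no ip directed-broadcast",
    "MOP": "no mop enabled",
}
# Features reported when their enabling line is present (assumed approximation for IPv6).
FLAG_IF_PRESENT = {"IPv6 routing": "ipv6 unicast-routing"}


def parse_config(text):
    """Split a running-config into global lines and per-interface line sets.
    Interface sub-commands are indented by one space; '!' ends a stanza."""
    global_lines, interfaces, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = set()
        elif raw.startswith(" ") and current is not None:
            interfaces[current].add(line)
        else:
            current = None
            global_lines.add(line)
    return global_lines, interfaces


def audit(text):
    """Return (scope, service, expected command) for every missing hardening line."""
    findings = []
    global_lines, interfaces = parse_config(text)
    for service, cmd in GLOBAL_HARDENING.items():
        if cmd not in global_lines:
            findings.append(("global", service, cmd))
    for service, cmd in FLAG_IF_PRESENT.items():
        if cmd in global_lines:
            findings.append(("global", service, cmd))
    for iface, lines in interfaces.items():
        for service, cmd in INTERFACE_HARDENING.items():
            if cmd not in lines:
                findings.append((iface, service, cmd))
    return findings


# Constructed running-config: partially hardened on purpose.
SAMPLE_CONFIG = """\
hostname EdgeRouter
no service pad
no service tcp-small-servers
no service udp-small-servers
no ip bootp server
no ip source-route
no cdp run
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 no ip directed-broadcast
 no mop enabled
!
end
"""

if __name__ == "__main__":
    for scope, service, cmd in audit(SAMPLE_CONFIG):
        print(f"{scope:22} {service:26} missing: {cmd}")
```

Feeding the output of `show running-config` to a script like this gives a repeatable check that the wizard's recommendations were actually applied after a change window, and the per-interface loop catches the common case where a newly added interface was left with defaults.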
Patch Management
• Your organization’s patch management program
should account for all software in the organization
– Including commercial applications as well as
applications developed in-house
• A patch management program should take into
account the major software vendors' patch release
schedules
– As well as your organization’s business goals and
needs
• Not all patches released by vendors are flawless
191
Virtual Private Networks (VPNs)
• Virtual Private Networks (VPNs)
– A popular technology for creating a connection
between an external computer and a corporate site
over the Internet
• To establish a VPN connection, you need VPN-
capable components
• Client-to-site VPN (also known as remote user
VPN)
– A VPN that allows designated users to have access to
the corporate network from remote locations
192
Virtual Private Networks (VPNs)
• Site-to-site VPN
– A VPN that allows multiple corporate sites to be
connected over low-cost Internet connections
• You can choose from several tunneling protocols to
create secure, end-to-end tunnels
– Point-to-Point Tunneling Protocol (PPTP)
– Layer 2 Tunneling Protocol (L2TP)
– Generic Routing Encapsulation (GRE)
194
IPSec
• IPSec
– A suite of protocols, accepted as an industry
standard, which provides secure data transmission
over layer 3 of the OSI model
– It is an IP standard and encrypts only IP-based data
• IPSec supports two modes of operation: transport
mode and tunnel mode
196
IPSec (continued)
• Transport mode
– Primarily geared toward encrypting data that is being
sent host-to-host
– Only encrypts and decrypts the individual data
packets
• Which results in quite a bit of overhead on the
processor
• Tunnel mode
– Encrypts all data in the tunnel and is the mode
supported by Cisco components
197
IPSec Protocols
• Two IPSec protocols have been developed to
provide packet-level security
• They are:
– Authentication Header (AH)
– Encapsulating Security Payload (ESP)
198
IPSec Authentication Algorithms
• Authentication algorithms use one of two Hashed
Message Authentication Codes (HMAC)
– MD5 (message-digest algorithm 5)
– SHA-1 (secure hash algorithm)
• An HMAC is a secret key authentication algorithm
that ensures data integrity and origin authenticity
– Based on the distribution of the secret key
• Cryptographic software keys are exchanged
between hosts using an HMAC
199
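The HMAC integrity check described above, as an added Python example that is not part of the original deck: it computes HMAC-MD5 and HMAC-SHA-1 with the standard library, truncates the result to the 96-bit integrity check value that IPsec AH and ESP carry (RFC 2403 and RFC 2404), verifies it with a constant-time comparison, and shows that a one-byte change to the data or a different key makes verification fail. The key and payload are constructed; the known-answer values come from RFC 2202 test case 1.

```python
import hmac

# IPsec's HMAC-MD5-96 and HMAC-SHA-1-96 keep only the leftmost 96 bits of the
# HMAC output as the integrity check value (ICV) in the AH header or ESP trailer.
ICV_BITS = 96


def compute_icv(key: bytes, data: bytes, algorithm: str = "sha1") -> bytes:
    """Truncated HMAC over the authenticated part of the packet."""
    return hmac.new(key, data, algorithm).digest()[: ICV_BITS // 8]


def verify_icv(key: bytes, data: bytes, icv: bytes, algorithm: str = "sha1") -> bool:
    """Recompute and compare in constant time so the comparison itself does
    not leak how many ICV bytes were correct."""
    return hmac.compare_digest(compute_icv(key, data, algorithm), icv)


def tamper_check(key: bytes, data: bytes, algorithm: str = "sha1") -> dict:
    """What the receiver concludes for the genuine packet, a packet whose last
    payload byte was flipped in transit, and a packet authenticated under a
    different secret."""
    icv = compute_icv(key, data, algorithm)
    modified = data[:-1] + bytes([data[-1] ^ 0x01])
    return {
        "genuine": verify_icv(key, data, icv, algorithm),
        "modified_payload": verify_icv(key, modified, icv, algorithm),
        "wrong_key": verify_icv(key + b"x", data, icv, algorithm),
    }


def rfc2202_known_answer() -> dict:
    """RFC 2202 test case 1 (key 0x0b repeated, data 'Hi There'): full-length
    digests before the IPsec truncation, useful as a self-test of the library."""
    return {
        "md5": hmac.new(b"\x0b" * 16, b"Hi There", "md5").hexdigest(),
        "sha1": hmac.new(b"\x0b" * 20, b"Hi There", "sha1").hexdigest(),
    }


# Constructed sample: a shared secret and bytes standing in for the
# authenticated portion of an IPsec packet.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
PAYLOAD = b"constructed IP packet payload for the HMAC demo"

if __name__ == "__main__":
    for algorithm in ("md5", "sha1"):
        print(algorithm, compute_icv(SHARED_KEY, PAYLOAD, algorithm).hex(),
              tamper_check(SHARED_KEY, PAYLOAD, algorithm))
    print(rfc2202_known_answer())
```

The secret key never travels with the packet; both peers must already hold it, which is why the next slides turn to how keys are distributed and managed.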
IPSec Encryption Algorithms
• For encryption, the two most popular algorithms on
IPSec networks are 3DES (Triple DES) and AES
– These protocols are used solely with the IPSec ESP
protocol
• Remember, AH does not support encryption
200
IPSec Key Management
• You need to pay attention to how keys are handed
from node to node during IPSec authentication
• Two options are available
– Deliver the secret keys to all parties involved via e-mail or on disk
– Utilize a key management protocol
• Key management is defined by the Internet
Security Association and Key Management
Protocol (ISAKMP)
– Governed by RFC 2407 and 2408
201
IPSec Transform Sets
• A transform set
– A configuration value (or simply stated, a command)
that allows you to establish an IPSEC VPN on a Cisco
firewall
• You can create a transform set through the CLI or
you can simply use the SDM GUI
• When creating an IPSec VPN you must specify a
protocol, the algorithm, and the method of key
management
202
Creating VPNs with the Security
Device Manager (SDM)
• Cisco supports VPNs with several different devices
• VPNs can be created on firewalls, routers,
computers
– And even on a device specifically made for VPNs,
called a VPN concentrator
• The following example focuses on using the Cisco
Security Device Manager (SDM) Web utility to
create a VPN on a Cisco router
203
Cisco Security Audit Wizard
• You can use the Cisco SDM to conduct security
audits
• The SDM’s Security Audit Wizard
– Can be used to verify your router’s configuration
• And determine what security settings have and have
not been configured
– Will also make recommendations as to which settings
should be enabled
– Provides an easy-to-use GUI that allows you to make
those changes
213
Summary
• Protecting the physical equipment where sensitive
data resides is as important as protecting the data
itself
• When securing an organization’s network, you
must be sure to protect it against external threats
as well as internal threats
• User training is a key element to protecting the
network and the data within it
• Using an SSH connection to a router is a much
more secure method of connecting to a router than
clear text telnet
221
Summary (continued)
• Disabling unnecessary services increases a
router’s security
• IPSec is an industry-standard suite of protocols
and algorithms that allow for secure encrypted
VPN tunnels
• Cisco’s SDM is a multifunction Web utility that
allows you to create VPNs and complete a security
audit