1 / 99

CCNA Security

CCNA Security. Chapter Six Securing the Local Area Network. This lesson should take 3-4 hours to present The lesson should include lecture, demonstrations, discussions and assessments The lesson can be taught in person or using remote instruction. Lesson Planning.

Download Presentation

CCNA Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. CCNA Security Chapter Six Securing the Local Area Network

  2. This lesson should take 3-4 hours to present The lesson should include lecture, demonstrations, discussions and assessments The lesson can be taught in person or using remote instruction Lesson Planning

  3. Describe endpoint vulnerabilities and protection methods Describe basic Catalyst switch vulnerabilities Configure and verify switch security features, including port security and storm control Describe the fundamental security considerations of Wireless, VoIP, and SANs Major Concepts

  4. Upon completion of this lesson, the successful participant will be able to: Describe endpoint security and the enabling technologies Describe how Cisco IronPort is used to ensure endpoint security Describe how Cisco NAC products are used to ensure endpoint security Describe how the Cisco Security Agent is used to ensure endpoint security Describe the primary considerations for securing the Layer 2 infrastructure Describe MAC address spoofing attacks and MAC address spoofing attack mitigation Lesson Objectives

  5. Lesson Objectives • Describe MAC Address table overflow attacks and MAC Address table overflow attack mitigation • Describe STP manipulation attacks and STP manipulation attack mitigation • Describe LAN Storm attacks and LAN Storm attack mitigation • Describe VLAN attacks and VLAN attack mitigation • Describe how to configure port security • Describe how to verify port security • Describe how to configure and verify BPDU Guard and Root Guard • Describe how to configure and verify storm control • Describe and configure Cisco SPAN • Describe and configure Cisco RSPAN

  6. Lesson Objectives • Describe the best practices for Layer 2 security • Describe the fundamental aspects of enterprise security for advanced technologies • Describe the fundamental aspects of wireless security and the enabling technologies • Describe wireless security solutions • Describe the fundamental aspects of VoIP security and the enabling technologies   Reference: CIAG course on VoIP security. • Describe VoIP security solutions • Describe the fundamental aspects of SAN security and the enabling technologies • Describe SAN security solutions

  7. Securing the LAN Perimeter MARS ACS • Areas of concentration: • Securing endpoints • Securing network infrastructure Firewall Internet VPN IPS Iron Port Hosts Web Server Email Server DNS LAN

  8. Addressing Endpoint Security Policy Compliance Infection Containment SecureHost • Based on three elements: • Cisco Network Admission Control (NAC) • Endpoint protection • Network infection containment Threat Protection

  9. Operating Systems Basic Security Services • Trusted code and trusted path – ensures that the integrity of the operating system is not violated • Privileged context of execution – provides identity authentication and certain privileges based on the identity • Process memory protection and isolation – provides separation from other users and their data • Access control to resources – ensures confidentiality and integrity of data

  10. Types of Application Attacks I have gained direct access to this application’s privileges Direct I have gained access to this system which is trusted by the other system, allowing me to access it. Indirect

  11. Cisco Systems Endpoint Security Solutions IronPort Cisco Security Agent Cisco NAC

  12. Cisco IronPort Products • IronPort products include: • E-mail security appliances for virus and spam control • Web security appliance for spywarefiltering, URL filtering, and anti-malware • Security management appliance

  13. IronPort C-Series Before IronPort After IronPort Internet Internet Firewall Firewall Encryption Platform DLP Scanner DLP Policy Manager MTA Antispam Antivirus Policy Enforcement Mail Routing IronPort E-mail Security Appliance Groupware Groupware Users Users

  14. IronPort S-Series Before IronPort After IronPort Internet Internet Firewall Firewall Web Proxy Antispyware Antivirus Antiphishing URL Filtering Policy Management IronPort S-Series Users Users

  15. Cisco NAC • The purpose of NAC: • Allow only authorized and compliant systems to access the network • To enforce network security policy NAC Framework Cisco NAC Appliance • Software module embedded within NAC-enabled products • Integrated framework leveraging multiple Cisco and NAC-aware vendor products • In-band Cisco NAC Appliance solution can be used on any switch or router platform • Self-contained, turnkey solution

  16. The NAC Framework Network Access Devices Policy Server Decision Points and Remediation Hosts Attempting Network Access Enforcement Vendor Servers AAA Server Credentials Credentials Credentials EAP/UDP, EAP/802.1x HTTPS RADIUS Access Rights Cisco Trust Agent Comply? Notification

  17. M G R NAC Components • Cisco NAS Serves as an in-band or out-of-band device for network access control • Cisco NAM Centralizes management for administrators, support personnel, and operators • Cisco NAA Optional lightweight client for device-based registry scans in unmanaged environments • Rule-set updates Scheduled automatic updates for antivirus, critical hotfixes, and other applications

  18. M G R 3b. • Device is “clean”. • Machine gets on “certified devices list” and is granted access to network. Cisco NAC Appliance Process THE GOAL 1. • Host attempts to access a web page or uses an optional client. • Network access is blocked until wired or wireless host provides login information. Authentication Server Cisco NAM 2. • Host is redirected to a login page. • Cisco NAC Appliance validates username and password, also performs device and network scans to assess vulnerabilities on device. Cisco NAS Intranet/Network The host is authenticated and optionallyscanned for posture compliance 3. 3a. • Device is noncompliant or login is incorrect. • Host is denied access and assigned to a quarantine role with access to online remediation resources. Quarantine Role

  19. Access Windows Scan is performed (types of checks depend on user role) Login Screen Scan fails Remediate 4.

  20. CSA Architecture Server Protected by Cisco Security Agent Administration Workstation Alerts Events SSL SecurityPolicy Management Center for Cisco Security Agent with Internal or External Database

  21. CSA Overview Application RulesEngine Rules and Policies State CorrelationEngine Allowed Request Blocked Request

  22. CSA Functionality

  23. Attack Phases • Probe phase • Ping scans • Port scans • Penetrate phase • Transfer exploit code to target • Persist phase • Install new code • Modify configuration • Propagate phase • Attack other targets • Paralyze phase • Erase files • Crash system • Steal data Server Protected by Cisco Security Agent • File system interceptor • Network interceptor • Configuration interceptor • Execution space interceptor

  24. CSA Log Messages

  25. Layer 2 Security Perimeter MARS ACS Firewall Internet VPN IPS Iron Port Hosts Web Server Email Server DNS

  26. When it comes to networking, Layer 2 is often a very weak link. Application Presentation Session Transport Network Data Link Physical Initial Compromise OSI Model Application Stream Application Presentation Session Compromised Protocols and Ports Transport IP Addresses Network MAC Addresses Data Link Physical Links Physical

  27. MAC Address Spoofing Attack 1 2 The switch keeps track of theendpoints by maintaining a MAC address table. In MAC spoofing, the attacker posesas another host—in this case,AABBcc Switch Port AABBcc 12AbDd MAC Address: AABBcc MAC Address: 12AbDd Port 1 Port 2 MAC Address: AABBcc Attacker I have associated Ports 1 and 2 with the MAC addresses of the devices attached. Traffic destined for each device will be forwarded directly.

  28. 1 2 AABBcc MAC Address Spoofing Attack I have changed the MACaddress on my computer to match the server. Switch Port 1 2 AABBcc Attacker MAC Address: AABBcc MAC Address: AABBcc Port 1 Port 2 The device with MAC address AABBcc has changed locations to Port2. I must adjust my MAC address table accordingly.

  29. MAC Address Table Overflow Attack The switch can forward frames between PC1 and PC2 without flooding because the MAC address table contains port-to-MAC-address mappings in the MAC address table for these PCs.

  30. MAC Port X 3/25 Y 3/25 C 3/25 MAC Address Table Overflow Attack 2 1 Bogus addresses are added to the CAM table. CAM table is full. Intruder runs macof to begin sending unknown bogus MAC addresses. 3/25 MAC X 3/25 MAC Y 3/25 MAC Z XYZ 3/25 Host C VLAN 10 VLAN 10 VLAN 10 flood 3 The switch floods the frames. 4 Attacker sees traffic to servers B and D. A B C D

  31. STP Manipulation Attack • Spanning tree protocol operates by electing a root bridge • STP builds a tree topology • STP manipulation changes the topology of a network—the attacking host appears to be the root bridge Root BridgePriority = 8192MAC Address= 0000.00C0.1234 F F F F F B

  32. STP Manipulation Attack Root BridgePriority = 8192 F B F F F F F F F B F F Root Bridge STP BPDUPriority = 0 STP BPDU Priority = 0 The attacking host broadcasts out STPconfiguration and topology change BPDUs. This is an attempt to force spanning treerecalculations. Attacker

  33. Broadcast Broadcast Broadcast Broadcast Broadcast Broadcast Broadcast Broadcast Broadcast Broadcast Broadcast Broadcast LAN Storm Attack • Broadcast, multicast, or unicast packets are flooded on all ports in the same VLAN. • These storms can increase the CPU utilization on a switch to 100%, reducing the performance of the network.

  34. Storm Control Total number ofbroadcast packets or bytes

  35. VLAN Attacks • Segmentation • Flexibility • Security VLAN = Broadcast Domain = Logical Network (Subnet)

  36. VLAN Attacks 802.1Q VLAN 10 Trunk Trunk VLAN 20 Server 802.1Q Attacker sees traffic destined for servers Server • A VLAN hopping attack can be launched in two ways: • Spoofing DTP Messages from the attacking host to cause the switch to enter trunking mode • Introducing a rogue switch and turning trunking on

  37. Double-Tagging VLAN Attack 1 Attacker onVLAN 10, but puts a 20 tag in the packet The first switch strips off the first tag and does not retag it (native traffic is not retagged). It then forwards the packet to switch 2. 2 20,10 The second switch receives the packet, on the native VLAN 802.1Q, 802.1Q 3 20 802.1Q, Frame Trunk(Native VLAN = 10) Frame 4 The second switch examines the packet, sees the VLAN 20 tag and forwards it accordingly. Victim(VLAN 20) Note: This attack works only if the trunk has the same native VLAN as the attacker.

  38. Port Security Overview Port 0/1 allows MAC APort 0/2 allows MAC BPort 0/3 allows MAC C MAC A 0/1 0/2 0/3 MAC A MAC F Attacker 1 Attacker 2 Allows an administrator to statically specify MAC Addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses

  39. CLI Commands Switch(config-if)# switchport mode access • Sets the interface mode as access Switch(config-if)# switchport port-security • Enables port security on the interface Switch(config-if)# switchport port-security maximum value • Sets the maximum number of secure MAC addresses for the interface (optional)

  40. Switchport Port-Security Parameters

  41. Port Security Violation Configuration Switch(config-if)# switchport port-security violation {protect | restrict | shutdown} • Sets the violation mode (optional) Switch(config-if)# switchport port-security mac-address mac-address • Enters a static secure MAC address for the interface (optional) Switch(config-if)# switchport port-security mac-address sticky • Enables sticky learning on the interface (optional)

  42. Switchport Port-Security ViolationParameters

  43. Port Security Aging Configuration Switch(config-if)# switchport port-security aging {static | time time | type {absolute | inactivity}} • Enables or disables static aging for the secure port or sets the aging time or type • The aging command allows MAC-Addresses on the Secure switchport to be deleted after the set aging time • This helps to avoid a situation where obsolete MAC-Address occupy the table and saturates causing a violation (when the max number exceeds)

  44. Switchport Port-Security Aging Parameters

  45. Typical Configuration S2 PC B Switch(config-if)# switchport mode access switchport port-security switchport port-security maximum 2 switchport port-security violation shutdown switchport port-security mac-address sticky switchport port-security aging time 120

  46. CLI Commands sw-class# show port-security Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action (Count) (Count) (Count) --------------------------------------------------------------------------- Fa0/12 2 0 0 Shutdown --------------------------------------------------------------------------- Total Addresses in System (excluding one mac per port) : 0 Max Addresses limit in System (excluding one mac per port) : 1024 sw-class# show port-security interface f0/12 Port Security : Enabled Port status : Secure-down Violation mode : Shutdown Maximum MAC Addresses : 2 Total MAC Addresses : 1 Configured MAC Addresses : 0 Aging time : 120 mins Aging type : Absolute SecureStatic address aging : Disabled Security Violation Count : 0

  47. View Secure MAC Addresses sw-class# show port-security address Secure Mac Address Table ------------------------------------------------------------------- Vlan Mac Address Type Ports Remaining Age (mins) ---- ----------- ---- ----- ------------- 1 0000.ffff.aaaa SecureConfigured Fa0/12 - ------------------------------------------------------------------- Total Addresses in System (excluding one mac per port) : 0 Max Addresses limit in System (excluding one mac per port) : 1024

  48. MAC Address Notification MAC B MAC address notification allows monitoring of the MAC addresses, at the module and port level, added by the switch or removed from the CAM table for secure ports. SNMP traps sent to NMS when new MAC addresses appear or when old ones time out. NMS F1/2 F1/1 Switch CAM Table F2/1 F1/1 = MAC A F1/2 = MAC B F2/1 = MAC D(address ages out) MAC A MAC D is awayfrom the network.

  49. Configure Portfast Server Workstation

  50. BPDU Guard Root Bridge F F F F F B BPDU Guard Enabled STP BPDU Attacker Switch(config)# spanning-tree portfast bpduguard default • Globally enables BPDU guard on all ports with PortFast enabled

More Related