Cisco Security. Kevin King - Senior Technical Instructor ● Infrastructure/Cloud Consulting
Impenetrable Wall? or Hacker’s Delight?
Cisco Security
Kevin King - Senior Technical Instructor ● Infrastructure/Cloud Consulting | MCT CCSI MCSE-Private Cloud MCSA MCSA-Server 2012 MCSE CCNA Data Center Cisco Quality Instructor 2014
New Horizons CLC | 6700 Jefferson, Building A | Albuquerque, NM 87109
p: 505.830.7100 | f: 505.830.2239 | kking@nhabq.com | www.nhabq.com
Major Concepts
• Describe endpoint vulnerabilities and protection methods
• Describe basic Catalyst switch vulnerabilities
• Configure and verify switch security features, including port security and storm control
• Describe the fundamental security considerations of Wireless, VoIP, and SANs
Securing the LAN
• Areas of concentration:
  • Securing endpoints
  • Securing network infrastructure
(Diagram: Internet, perimeter firewall, VPN, IPS, IronPort, MARS, ACS; LAN with hosts, web server, email server and DNS.)
Addressing Endpoint Security
• Based on three elements:
  • Cisco Network Admission Control (NAC)
  • Endpoint protection
  • Network infection containment
(Diagram: Secure Host built from Policy Compliance, Threat Protection and Infection Containment.)
Operating Systems Basic Security Services
• Trusted code and trusted path – ensures that the integrity of the operating system is not violated
• Privileged context of execution – provides identity authentication and certain privileges based on the identity
• Process memory protection and isolation – provides separation from other users and their data
• Access control to resources – ensures confidentiality and integrity of data
Types of Application Attacks
• Direct: “I have gained direct access to this application’s privileges.”
• Indirect: “I have gained access to this system which is trusted by the other system, allowing me to access it.”
Cisco Systems Endpoint Security Solutions
• IronPort
• Cisco Security Agent
• Cisco NAC
Cisco NAC
• The purpose of NAC:
  • Allow only authorized and compliant systems to access the network
  • To enforce network security policy
NAC Framework
• Software module embedded within NAC-enabled products
• Integrated framework leveraging multiple Cisco and NAC-aware vendor products
Cisco NAC Appliance
• In-band Cisco NAC Appliance solution can be used on any switch or router platform
• Self-contained, turnkey solution
Cisco NAC Appliance Process
1. Host attempts to access a web page or uses an optional client. Network access is blocked until the wired or wireless host provides login information.
2. Host is redirected to a login page. Cisco NAC Appliance validates username and password, and also performs device and network scans to assess vulnerabilities on the device.
3. The host is authenticated and optionally scanned for posture compliance.
3a. Device is noncompliant or login is incorrect: host is denied access and assigned to a quarantine role with access to online remediation resources.
3b. Device is “clean”: machine gets on the “certified devices list” and is granted access to the network. This is the goal.
(Diagram: Cisco NAS in-band between the host and the intranet/network; Cisco NAM with the authentication server; quarantine role.)
CSA Architecture
(Diagram: Management Center for Cisco Security Agent with internal or external database; administration workstation; server protected by Cisco Security Agent. Labels: Security Policy, Events, Alerts, SSL.)
Attack Phases
• Probe phase
  • Ping scans
  • Port scans
• Penetrate phase
  • Transfer exploit code to target
• Persist phase
  • Install new code
  • Modify configuration
• Propagate phase
  • Attack other targets
• Paralyze phase
  • Erase files
  • Crash system
  • Steal data
Server protected by Cisco Security Agent:
• File system interceptor
• Network interceptor
• Configuration interceptor
• Execution space interceptor
Layer 2 Security
(Diagram: Internet, perimeter firewall, VPN, IPS, IronPort, MARS, ACS; LAN with hosts, web server, email server and DNS.)
When it comes to networking, Layer 2 is often a very weak link.
(Diagram: the OSI model beside the same stack after an initial compromise at the Data Link layer; the layers above it are marked as compromised.)
• Application: application stream
• Presentation, Session: compromised
• Transport: protocols and ports
• Network: IP addresses
• Data Link: MAC addresses
• Physical: physical links
MAC Address Spoofing Attack
1. The switch keeps track of the endpoints by maintaining a MAC address table. Switch: “I have associated Ports 1 and 2 with the MAC addresses of the devices attached. Traffic destined for each device will be forwarded directly.” (MAC address table: Port 1 = AABBcc, Port 2 = 12AbDd; the attacker is on Port 2 with MAC address 12AbDd.)
2. In MAC spoofing, the attacker poses as another host, in this case AABBcc.
MAC Address Spoofing Attack (continued)
Attacker: “I have changed the MAC address on my computer to match the server.” (Both the server on Port 1 and the attacker on Port 2 now present MAC address AABBcc.)
Switch: “The device with MAC address AABBcc has changed locations to Port 2. I must adjust my MAC address table accordingly.” (MAC address table: AABBcc now maps to Port 2.)
MAC Address Table Overflow Attack
The switch can forward frames between PC1 and PC2 without flooding because the MAC address table contains port-to-MAC-address mappings for these PCs.
1. Intruder (host C on port 3/25) runs macof to begin sending unknown bogus MAC addresses.
2. Bogus addresses are added to the CAM table (MAC X, MAC Y, MAC Z, ... all on port 3/25). The CAM table is full.
3. The switch floods the frames.
4. Attacker sees traffic to servers B and D.
(Diagram: hosts A, B, C and D on VLAN 10; CAM table rows X 3/25, Y 3/25, C 3/25.)
STP Manipulation Attack
• Spanning tree protocol operates by electing a root bridge
• STP builds a tree topology
• STP manipulation changes the topology of a network: the attacking host appears to be the root bridge
(Diagram: legitimate root bridge with Priority = 8192 and MAC Address = 0000.00C0.1234; port roles F = forwarding, B = blocking.)
STP Manipulation Attack (continued)
The attacking host broadcasts out STP configuration and topology change BPDUs with Priority = 0. This is an attempt to force spanning tree recalculations.
(Diagram: after the recalculation the attacker is seen as the root bridge and the blocking port has moved.)
LAN Storm Attack
• Broadcast, multicast, or unicast packets are flooded on all ports in the same VLAN.
• These storms can increase the CPU utilization on a switch to 100%, reducing the performance of the network.
(Diagram: broadcast frames flooding every port.)
Storm Control
(Graph: total number of broadcast packets or bytes over time.)
VLAN Attacks
VLAN = Broadcast Domain = Logical Network (Subnet)
• Segmentation
• Flexibility
• Security
VLAN Attacks
• A VLAN hopping attack can be launched in two ways:
  • Spoofing DTP messages from the attacking host to cause the switch to enter trunking mode
  • Introducing a rogue switch and turning trunking on
(Diagram: 802.1Q trunks between switches; servers on VLAN 10 and VLAN 20; the attacker sees traffic destined for the servers.)
Double-Tagging VLAN Attack
1. Attacker is on VLAN 10, but puts a 20 tag in the packet: the frame carries two 802.1Q tags, the outer one for VLAN 10 and the inner one for VLAN 20.
2. The first switch strips off the first tag and does not retag it (native traffic is not retagged). It then forwards the packet to switch 2 over the trunk (Native VLAN = 10).
3. The second switch receives the packet on the native VLAN; the frame now carries a single 802.1Q tag for VLAN 20.
4. The second switch examines the packet, sees the VLAN 20 tag and forwards it accordingly to the victim (VLAN 20).
Note: This attack works only if the trunk has the same native VLAN as the attacker.
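The following is an added example, not part of the original slides and not Cisco code: a small 802.1Q parser that walks the tag stack of an Ethernet frame and flags the double-tag pattern described above, plus the native-VLAN check behind the note. The sample frames, MAC addresses, port modes and VLAN numbers are constructed for the demonstration; a monitoring tool fed from a SPAN port could apply the same classification.

```python
# Added example (not Cisco code): parse 802.1Q tags and detect double tagging.
import struct

ETH_P_8021Q = 0x8100   # TPID of an 802.1Q tag


def build_frame(dst: bytes, src: bytes, vlans: list, ethertype: int, payload: bytes) -> bytes:
    """Constructed test fixture: wrap payload in zero or more 802.1Q tags (outermost first)."""
    hdr = dst + src
    for vid in vlans:
        hdr += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)   # PCP = 0, DEI = 0
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return dst, src, the VLAN IDs (outermost first), the inner ethertype and the payload."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, off, vlans = frame[:6], frame[6:12], 12, []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated ethertype")
        (ethertype,) = struct.unpack("!H", frame[off:off + 2])
        off += 2
        if ethertype != ETH_P_8021Q:
            break
        if off + 2 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[off:off + 2])
        off += 2
        vlans.append(tci & 0x0FFF)         # low 12 bits of the TCI are the VLAN ID
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlans": vlans,
            "ethertype": ethertype, "payload": frame[off:]}


def classify(frame: bytes, port_mode: str, native_vlan: int = 1) -> str:
    """Classify an ingress frame against the port's configuration.

    An access port should never receive tagged frames. On a trunk, a frame with
    two tags whose outer tag equals the native VLAN is the double-tagging pattern:
    the outer tag is stripped as native traffic and the inner tag then hops VLANs.
    """
    vlans = parse_frame(frame)["vlans"]
    if port_mode == "access":
        return "ok" if not vlans else "alert: tagged frame on access port"
    if len(vlans) >= 2:
        if vlans[0] == native_vlan:
            return f"alert: double-tagged frame, inner VLAN {vlans[1]} would hop via native VLAN {native_vlan}"
        return "notice: double-tagged frame (outer tag is not the native VLAN)"
    return "ok"


def native_vlan_safe(native_vlan: int, access_vlans: set) -> bool:
    """Mitigation check for the note above: the trunk's native VLAN must be unused
    by any access port and must not be VLAN 1."""
    return native_vlan != 1 and native_vlan not in access_vlans


# Constructed sample frames (addresses are placeholders, not real hosts).
VICTIM = bytes.fromhex("000000000020")
SENDER = bytes.fromhex("000000000010")
PAYLOAD = b"\x00" * 46
DOUBLE_TAGGED = build_frame(VICTIM, SENDER, [10, 20], 0x0800, PAYLOAD)
SINGLE_TAGGED = build_frame(VICTIM, SENDER, [20], 0x0800, PAYLOAD)
UNTAGGED = build_frame(VICTIM, SENDER, [], 0x0800, PAYLOAD)

if __name__ == "__main__":
    print(parse_frame(DOUBLE_TAGGED)["vlans"])
    print(classify(DOUBLE_TAGGED, "trunk", native_vlan=10))
    print(classify(DOUBLE_TAGGED, "trunk", native_vlan=999))
    print(native_vlan_safe(999, {10, 20}), native_vlan_safe(10, {10, 20}))
```

Running it with the trunk's native VLAN set to 10 reports the hop; with an unused native VLAN (999 here) the same frame is only a curiosity, which is exactly the point of the note.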
Port Security Overview
Allows an administrator to statically specify MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses.
(Diagram: Port 0/1 allows MAC A, Port 0/2 allows MAC B, Port 0/3 allows MAC C; Attacker 1 presents MAC A and Attacker 2 presents MAC F.)
CLI Commands
Switch(config-if)# switchport mode access
• Sets the interface mode as access
Switch(config-if)# switchport port-security
• Enables port security on the interface
Switch(config-if)# switchport port-security maximum value
• Sets the maximum number of secure MAC addresses for the interface (optional)
Port Security Violation Configuration
Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}
• Sets the violation mode (optional)
Switch(config-if)# switchport port-security mac-address mac-address
• Enters a static secure MAC address for the interface (optional)
Switch(config-if)# switchport port-security mac-address sticky
• Enables sticky learning on the interface (optional)
Port Security Aging Configuration
Switch(config-if)# switchport port-security aging {static | time time | type {absolute | inactivity}}
• Enables or disables static aging for the secure port or sets the aging time or type
Typical Configuration (S2, access port to PC B)
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security aging time 120
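To make the behaviour of the configuration above concrete, here is an added example (not Cisco code and not part of the original slides) that models port security on a single access port: a maximum number of secure addresses, sticky or dynamic learning, and the three violation modes (protect drops silently, restrict drops and counts, shutdown err-disables the port). It then replays a burst of distinct source MACs, the pattern of the MAC address table overflow attack, against the port. Port names, MAC addresses and log wording are constructed; aging and SNMP traps are reduced to a log list.

```python
# Added example (not Cisco code): a simplified model of port security on one port.
from dataclasses import dataclass, field


def norm(mac: str) -> str:
    """Normalize aabb.ccdd.eeff or aa:bb:cc:dd:ee:ff to the dotted IOS form."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac}")
    return ".".join(hexdigits[i:i + 4] for i in range(0, 12, 4))


@dataclass
class SecurePort:
    name: str
    maximum: int = 1              # switchport port-security maximum <value>
    violation: str = "shutdown"   # switchport port-security violation {protect|restrict|shutdown}
    sticky: bool = False          # switchport port-security mac-address sticky
    secure_macs: dict = field(default_factory=dict)   # mac -> SecureConfigured/SecureSticky/SecureDynamic
    violation_count: int = 0
    err_disabled: bool = False    # effect of the shutdown violation mode
    log: list = field(default_factory=list)

    def add_static(self, mac: str) -> None:
        """switchport port-security mac-address <mac>: a configured secure address."""
        mac = norm(mac)
        if mac not in self.secure_macs and len(self.secure_macs) >= self.maximum:
            raise ValueError(f"{self.name}: maximum of {self.maximum} secure addresses reached")
        self.secure_macs[mac] = "SecureConfigured"

    def receive(self, src_mac: str) -> bool:
        """Process an ingress frame from src_mac; return True if it is forwarded."""
        if self.err_disabled:
            return False                       # the port is down, nothing passes
        mac = norm(src_mac)
        if mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            # Room left: learn the address (sticky keeps it in the configuration).
            self.secure_macs[mac] = "SecureSticky" if self.sticky else "SecureDynamic"
            return True
        # An unknown source MAC beyond the maximum is a security violation.
        if self.violation == "protect":        # drop silently: no counter, no notification
            return False
        self.violation_count += 1
        if self.violation == "restrict":       # drop, count and notify (syslog/SNMP trap)
            self.log.append(f"{self.name}: violation from {mac} (restrict)")
            return False
        self.err_disabled = True               # shutdown: err-disable the whole port
        self.log.append(f"{self.name}: violation from {mac}, port err-disabled")
        return False


def overflow_test(violation: str, frames: int = 50, maximum: int = 2) -> dict:
    """Replay a CAM-overflow style burst of distinct constructed source MACs
    (0000.0000.0001, 0000.0000.0002, ...) against one port and summarise."""
    port = SecurePort("Fa0/12", maximum=maximum, violation=violation, sticky=True)
    forwarded = sum(port.receive(f"0000.0000.{i:04x}") for i in range(1, frames + 1))
    return {"forwarded": forwarded, "dropped": frames - forwarded,
            "learned": len(port.secure_macs), "violations": port.violation_count,
            "err_disabled": port.err_disabled}


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        print(mode, overflow_test(mode))
```

With maximum 2, every mode lets the first two addresses in and drops the other 48; the difference is visibility: protect leaves no trace, restrict counts 48 violations, and shutdown counts one and takes the port down, which is what the `Secure-down` port status in the `show port-security interface` output below corresponds to.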
CLI Commands
sw-class# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                 (Count)       (Count)          (Count)
---------------------------------------------------------------------------
     Fa0/12              2            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024

sw-class# show port-security interface f0/12
Port Security              : Enabled
Port status                : Secure-down
Violation mode             : Shutdown
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Aging time                 : 120 mins
Aging type                 : Absolute
SecureStatic address aging : Disabled
Security Violation Count   : 0
View Secure MAC Addresses
sw-class# show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                 Ports   Remaining Age
                                                        (mins)
----    -----------       ----                 -----   -------------
   1    0000.ffff.aaaa    SecureConfigured     Fa0/12       -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024
MAC Address Notification
MAC address notification allows monitoring of the MAC addresses, at the module and port level, added by the switch or removed from the CAM table for secure ports.
SNMP traps are sent to the NMS when new MAC addresses appear or when old ones time out.
(Diagram: switch CAM table with F1/1 = MAC A, F1/2 = MAC B, F2/1 = MAC D (address ages out); MAC D is away from the network; the NMS receives the traps.)
Configure PortFast
(Diagram: a server and a workstation attached to access ports.)
BPDU Guard
Switch(config)# spanning-tree portfast bpduguard default
• Globally enables BPDU guard on all ports with PortFast enabled
(Diagram: root bridge; BPDU guard enabled on the port where the attacker sends STP BPDUs; port roles F = forwarding, B = blocking.)
Display the State of Spanning Tree
Switch# show spanning-tree summary totals
Root bridge for: none.
PortFast BPDU Guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Spanning tree default pathcost method used is short
Name                 Blocking Listening Learning Forwarding STP Active
-------------------- -------- --------- -------- ---------- ----------
1 VLAN                      0         0        0          1          1
<output omitted>
Root Guard
Switch(config-if)# spanning-tree guard root
• Enables root guard on a per-interface basis
(Diagram: root bridge with Priority = 0 and MAC Address = 0000.0c45.1a5d; the attacker sends an STP BPDU with Priority = 0 and MAC Address = 0000.0c45.1234 into a port with root guard enabled; port roles F = forwarding, B = blocking.)
Verify Root Guard
Switch# show spanning-tree inconsistentports
Name                 Interface              Inconsistency
-------------------- ---------------------- ------------------
VLAN0001             FastEthernet3/1        Port Type Inconsistent
VLAN0001             FastEthernet3/2        Port Type Inconsistent
VLAN1002             FastEthernet3/1        Port Type Inconsistent
VLAN1002             FastEthernet3/2        Port Type Inconsistent
VLAN1003             FastEthernet3/1        Port Type Inconsistent
VLAN1003             FastEthernet3/2        Port Type Inconsistent
VLAN1004             FastEthernet3/1        Port Type Inconsistent
VLAN1004             FastEthernet3/2        Port Type Inconsistent
VLAN1005             FastEthernet3/1        Port Type Inconsistent
VLAN1005             FastEthernet3/2        Port Type Inconsistent
Number of inconsistent ports (segments) in the system :10
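The BPDU guard and root guard slides above describe two different decisions a port makes when a BPDU arrives. The following added example (not Cisco code and not part of the original deck) models them: STP prefers the lowest bridge ID (priority, then MAC as the tiebreaker), BPDU guard err-disables a PortFast port on any BPDU at all, and root guard puts a port into the root-inconsistent state when the BPDU would win the root election. The bridge IDs are the ones from the root guard slide; the port names and the instant recovery of a root-inconsistent port (a real switch waits for the superior BPDUs to age out) are simplifying assumptions.

```python
# Added example (not Cisco code): BPDU guard and root guard decisions on one port.
from dataclasses import dataclass


@dataclass(frozen=True)
class BridgeId:
    priority: int
    mac: str

    def key(self):
        # STP elects the lowest bridge ID: priority first, then MAC as tiebreaker.
        return (self.priority, self.mac.lower())


def is_superior(candidate: BridgeId, current_root: BridgeId) -> bool:
    """True if a BPDU claiming `candidate` as root would win the root election."""
    return candidate.key() < current_root.key()


@dataclass
class GuardedPort:
    name: str
    portfast: bool = False
    bpdu_guard: bool = False     # spanning-tree portfast bpduguard default (applies with PortFast)
    root_guard: bool = False     # spanning-tree guard root
    state: str = "forwarding"


def receive_bpdu(port: GuardedPort, current_root: BridgeId, bpdu_root: BridgeId) -> str:
    """Apply the guard rules to a BPDU arriving on `port` and return the verdict."""
    if port.state == "err-disabled":
        return "dropped: port err-disabled"
    if port.portfast and port.bpdu_guard:
        # An edge port never expects a BPDU; receiving one err-disables it.
        port.state = "err-disabled"
        return "bpdu guard: port err-disabled"
    if port.root_guard and is_superior(bpdu_root, current_root):
        # Root guard keeps the port designated: a superior BPDU blocks the port
        # (root-inconsistent) instead of triggering a new root election.
        port.state = "root-inconsistent"
        return "root guard: port root-inconsistent"
    if port.state == "root-inconsistent":
        port.state = "forwarding"       # superior BPDUs stopped: port recovers (simplified)
    if is_superior(bpdu_root, current_root):
        return "accepted: topology recalculation, new root"
    return "accepted"


def inconsistent_ports(ports) -> list:
    """Rows a 'show spanning-tree inconsistentports' style report would list."""
    return [(p.name, "Root Inconsistent") for p in ports if p.state == "root-inconsistent"]


if __name__ == "__main__":
    root = BridgeId(0, "0000.0c45.1a5d")        # legitimate root from the slide
    attacker = BridgeId(0, "0000.0c45.1234")    # same priority, lower MAC: would win
    guarded = GuardedPort("FastEthernet3/1", root_guard=True)
    print(receive_bpdu(guarded, root, attacker), inconsistent_ports([guarded]))
    edge = GuardedPort("FastEthernet0/5", portfast=True, bpdu_guard=True)
    print(receive_bpdu(edge, root, BridgeId(32768, "0000.0000.0001")))
```

Note how the tiebreaker matters on the root guard slide: both bridges advertise priority 0, so the attacker's lower MAC address would win the election on an unguarded port, which is exactly what root guard prevents.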
Storm Control Methods
• Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic
• Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received
• Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received
• Traffic rate in packets per second for small frames. This feature is enabled globally; the threshold for small frames is configured for each interface.
Storm Control Configuration
Switch(config-if)# storm-control broadcast level 75.5
Switch(config-if)# storm-control multicast level pps 2k 1k
Switch(config-if)# storm-control action shutdown
• Enables storm control
• Specifies the level at which it is enabled
• Specifies the action that should take place when the threshold (level) is reached, in addition to filtering traffic
Verify Storm Control Settings
Switch# show storm-control
Interface  Filter State   Upper      Lower      Current
---------  -------------  ---------  ---------  ---------
Gi0/1      Forwarding     20 pps     10 pps     5 pps
Gi0/2      Forwarding     50.00%     40.00%     0.00%
<output omitted>
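The storm control commands and the Upper/Lower columns above are easiest to understand as a two-threshold filter evaluated once per measurement interval. The following added example (not Cisco code and not part of the original slides) models that: a port forwards until the rate of the monitored traffic reaches the rising (Upper) level, then blocks that traffic until the rate drops below the falling (Lower) level; the `shutdown` action err-disables the port instead of filtering. The per-interval counters are constructed, the interval is assumed to be one second, the link speed for percentage levels is assumed to be 100 Mb/s, and the falling level defaults to the rising level when only one is given (as with `level 75.5` above).

```python
# Added example (not Cisco code): a simplified model of storm control on one port.
from dataclasses import dataclass, field


@dataclass
class StormControl:
    rising: float                   # block when the rate reaches this level (Upper)
    falling: float = None           # resume when the rate drops below this level (Lower)
    unit: str = "pps"               # "pps" (packets/s), "bps" (bits/s) or "percent"
    link_bps: int = 100_000_000     # used only for percent levels; assumed 100 Mb/s
    action: str = "filter"          # "filter" (drop the traffic) or "shutdown" (err-disable)
    state: str = "Forwarding"       # mirrors the Filter State column of show storm-control
    dropped: int = 0
    err_disabled: bool = False
    history: list = field(default_factory=list)

    def __post_init__(self):
        if self.falling is None:
            self.falling = self.rising   # falling level defaults to the rising level
        if self.falling > self.rising:
            raise ValueError("falling threshold must not exceed rising threshold")

    def rate(self, packets: int, bits: int) -> float:
        """Express one interval's traffic in the unit the threshold is configured in."""
        if self.unit == "pps":
            return packets
        if self.unit == "bps":
            return bits
        return 100.0 * bits / self.link_bps

    def interval(self, packets: int, bits: int = 0) -> str:
        """Feed one measurement interval of the monitored traffic; return the filter state."""
        if self.err_disabled:
            return "Link-down"
        r = self.rate(packets, bits)
        if self.state == "Forwarding" and r >= self.rising:
            if self.action == "shutdown":
                self.err_disabled = True
                self.history.append(("Link-down", r))
                return "Link-down"
            self.state = "Blocking"
        elif self.state == "Blocking" and r < self.falling:
            self.state = "Forwarding"
        if self.state == "Blocking":
            self.dropped += packets     # the storm traffic is filtered; other traffic is not
        self.history.append((self.state, r))
        return self.state


def run(rates, **kw) -> dict:
    """Replay a constructed series of per-interval packet counts through one port."""
    sc = StormControl(**kw)
    states = [sc.interval(p) for p in rates]
    return {"states": states, "dropped": sc.dropped, "err_disabled": sc.err_disabled}


if __name__ == "__main__":
    # Constructed broadcast counts per second against the Gi0/1 levels shown above.
    print(run([5, 25, 30, 15, 8, 3], rising=20, falling=10))
    # The same burst with 'storm-control action shutdown' configured.
    print(run([5, 25, 30], rising=20, falling=10, action="shutdown"))
```

The gap between the two levels is what keeps the port from flapping: at 15 pps the port stays blocked because the rate is still above the falling level of 10 pps, and forwarding only resumes once the rate falls below it.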
Mitigating VLAN Attacks
• Disable trunking on all access ports.
• Disable auto trunking and manually enable trunking.
• Be sure that the native VLAN is used only for trunk lines and nowhere else.
(Diagram: trunk with Native VLAN = 10.)
Controlling Trunking
Switch(config-if)# switchport mode trunk
• Specifies an interface as a trunk link.
Switch(config-if)# switchport nonegotiate
• Prevents the generation of DTP frames.
Switch(config-if)# switchport trunk native vlan vlan_number
• Sets the native VLAN on the trunk to an unused VLAN.
Traffic Analysis
• A SPAN port mirrors traffic to another port where a monitoring device is connected.
• Without this, it can be difficult to track hackers after they have entered the network.
(Diagram: IDS, RMON probe and protocol analyzer attached to the SPAN port raise an “Intruder Alert!” on the attacker’s traffic.)
Layer 2 Guidelines
• Manage switches in as secure a manner as possible (SSH, out-of-band management, ACLs, etc.)
• Set all user ports to non-trunking mode (except if using Cisco VoIP)
• Use port security where possible for access ports
• Enable STP attack mitigation (BPDU guard, root guard)
• Use Cisco Discovery Protocol only where necessary – with phones it is useful
• Configure PortFast on all non-trunking ports
• Configure root guard on STP root ports
• Configure BPDU guard on all non-trunking ports
VLAN Practices
• Always use a dedicated, unused native VLAN ID for trunk ports
• Do not use VLAN 1 for anything
• Disable all unused ports and put them in an unused VLAN
• Manually configure all trunk ports and disable DTP on trunk ports
• Configure all non-trunking ports with switchport mode access