
CCNA Security

Chapter Six
Securing the Local Area Network

2009 Cisco Learning Institute.

Lesson Planning
This lesson should take 3-4 hours to present.
The lesson should include lecture, demonstrations, discussions and assessments.
The lesson can be taught in person or using remote instruction.


Major Concepts
Describe endpoint vulnerabilities and protection methods
Describe basic Catalyst switch vulnerabilities
Configure and verify switch security features, including port security and storm control
Describe the fundamental security considerations of Wireless, VoIP, and SANs


Lesson Objectives
Upon completion of this lesson, the successful participant will be able to:
1. Describe endpoint security and the enabling technologies
2. Describe how Cisco IronPort is used to ensure endpoint security
3. Describe how Cisco NAC products are used to ensure endpoint security
4. Describe how the Cisco Security Agent is used to ensure endpoint security
5. Describe the primary considerations for securing the Layer 2 infrastructure
6. Describe MAC address spoofing attacks and MAC address spoofing attack mitigation


Lesson Objectives
7. Describe MAC address table overflow attacks and MAC address table overflow attack mitigation
8. Describe STP manipulation attacks and STP manipulation attack mitigation
9. Describe LAN storm attacks and LAN storm attack mitigation
10. Describe VLAN attacks and VLAN attack mitigation
11. Describe how to configure port security
12. Describe how to verify port security
13. Describe how to configure and verify BPDU Guard and Root Guard
14. Describe how to configure and verify storm control
15. Describe and configure Cisco SPAN
16. Describe and configure Cisco RSPAN

Lesson Objectives
17. Describe the best practices for Layer 2
18. Describe the fundamental aspects of enterprise security for advanced technologies
19. Describe the fundamental aspects of wireless security and the enabling technologies
20. Describe wireless security solutions
21. Describe the fundamental aspects of VoIP security and the enabling technologies (Reference: CIAG course on VoIP security.)
22. Describe VoIP security solutions
23. Describe the fundamental aspects of SAN security and the enabling technologies
24. Describe SAN security solutions

Securing the LAN

[Diagram: the enterprise network with a Perimeter zone (Firewall, VPN, IPS, IronPort, MARS, ACS) between the Internet and the LAN, which holds the hosts, web server, e-mail server and DNS]

Areas of concentration:
Securing endpoints
Securing network infrastructure

Addressing Endpoint Security

[Diagram: a Secure Host at the centre, surrounded by Policy Compliance, Infection Containment and Threat Protection]

Based on three elements:
Cisco Network Admission Control (NAC)
Endpoint protection
Network infection containment

Operating Systems
Basic Security Services
Trusted code and trusted path ensures that the integrity of the operating system is not violated
Privileged context of execution provides identity authentication and certain privileges based on the identity
Process memory protection and isolation provides separation from other users and their data
Access control to resources ensures confidentiality and integrity of data

Types of Application Attacks

Direct
Attacker: "I have gained direct access to this application's privileges."

Indirect
Attacker: "I have gained access to this system which is trusted by the other system, allowing me to access it."

Cisco Systems Endpoint Security Solutions
Cisco Security Agent
IronPort
Cisco NAC

Cisco IronPort Products
IronPort products include:
E-mail security appliances for virus and spam control
Web security appliance for spyware filtering, URL filtering, and anti-malware
Security management appliance

IronPort C-Series

[Diagram, Before IronPort: Internet, Firewall, then separate MTA, Encryption Platform, DLP Scanner, Antispam, Antivirus and DLP Policy Manager components in front of Groupware and Users]

[Diagram, After IronPort: Internet, Firewall, then a single IronPort E-mail Security Appliance providing Policy Enforcement and Mail Routing in front of Groupware and Users]

IronPort S-Series

[Diagram, Before IronPort: Internet, Firewall, then separate Web Proxy, Antispyware, Antivirus, Antiphishing, URL Filtering and Policy Management components in front of Users]

[Diagram, After IronPort: Internet, Firewall, then a single IronPort S-Series appliance in front of Users]

Cisco NAC
The purpose of NAC:
Allow only authorized and compliant systems to access the network
To enforce network security policy

NAC Framework
Software module embedded within NAC-enabled products
Integrated framework leveraging multiple Cisco and NAC-aware vendor products

Cisco NAC Appliance
In-band Cisco NAC Appliance solution can be used on any switch or router platform
Self-contained, turnkey solution

The NAC Framework

[Diagram: Hosts Attempting Network Access (running the Cisco Trust Agent) present Credentials over EAP/UDP or EAP/802.1x to the Network Access Devices (Enforcement); the access devices relay the Credentials over RADIUS to the AAA Server (Policy Server Decision Points and Remediation), which consults Vendor Servers over HTTPS; the AAA server answers "Comply?" with Access Rights, and a Notification goes back to the host]

NAC Components
Cisco NAS: Serves as an in-band or out-of-band device for network access control
Cisco NAA: Optional lightweight client for device-based registry scans in unmanaged environments
Cisco NAM: Centralizes management for administrators, support personnel, and operators
Rule-set updates: Scheduled automatic updates for antivirus, critical hotfixes, and other applications

Cisco NAC Appliance Process

[Diagram: host, Cisco NAS, Cisco NAM (MGR), Authentication Server, Quarantine Role, and the Intranet/Network (THE GOAL)]

1. Host attempts to access a web page or uses an optional client. Network access is blocked until the wired or wireless host provides login information.
2. Host is redirected to a login page. Cisco NAC Appliance validates username and password, and also performs device and network scans to assess vulnerabilities on the device.
3. The host is authenticated and optionally scanned for posture compliance.
3a. Device is noncompliant or login is incorrect. Host is denied access and assigned to a quarantine role with access to online remediation resources.
3b. Device is clean. Machine gets on the certified devices list and is granted access to the network.
4. [Screens: Login Screen; Scan is performed (types of checks depend on user role); Scan fails: Remediate; Access Windows]

CSA Architecture

[Diagram: servers protected by Cisco Security Agent send Events over SSL to the Management Center for Cisco Security Agent (with internal or external database), which pushes Security Policy to the agents and sends Alerts to the Administration Workstation]

CSA Overview

[Diagram: an Application's requests pass through the File System Interceptor, Network Interceptor, Configuration Interceptor and Execution Space Interceptor into the Rules Engine (State, Rules and Policies) and Correlation Engine, which returns either an Allowed Request or a Blocked Request]

CSA Functionality

[Table: security applications (Distributed Firewall, Host Intrusion Prevention, Application Sandbox, Network Worm Prevention, File Integrity Monitor) mapped to the interceptors that implement them (File System Interceptor, Configuration Interceptor, Execution Space Interceptor, Network Interceptor)]

Attack Phases
Probe phase: ping scans, port scans
Penetrate phase: transfer exploit code to target
Persist phase: install new code, modify configuration
Propagate phase: attack other targets
Paralyze phase: erase files, crash system, steal data

[Diagram: server protected by Cisco Security Agent, showing which interceptor (file system, network, configuration, execution space) covers each phase]

CSA Log Messages

[Screenshot of CSA log messages]

Layer 2 Security

[Diagram: the same enterprise network as before (Perimeter with Firewall, VPN, IPS, IronPort, MARS, ACS; hosts, web server, e-mail server, DNS), with the focus now on the LAN]

OSI Model
When it comes to networking, Layer 2 is often a very weak link.

[Diagram: the seven OSI layers (Application, Presentation, Session, Transport, Network, Data Link, Physical) against what is attacked at each: Application Stream (Application, Presentation, Session), Protocols and Ports (Transport), IP Addresses (Network), MAC Addresses (Data Link), Physical Links (Physical); an Initial Compromise at the Data Link layer leaves every layer above it Compromised]

MAC Address Spoofing Attack

[Diagram, step 1: a switch with a server (MAC address AABBcc) on Port 1 and the Attacker (MAC address 12AbDd) on Port 2]

The switch keeps track of the endpoints by maintaining a MAC address table. In MAC spoofing, the attacker poses as another host, in this case, AABBcc.

Switch: "I have associated Ports 1 and 2 with the MAC addresses of the devices attached. Traffic destined for each device will be forwarded directly."

MAC Address Spoofing Attack

[Diagram, step 2: the Attacker on Port 2 now also presents MAC address AABBcc, and the MAC address table maps AABBcc to Port 2]

Attacker: "I have changed the MAC address on my computer to match the server."

Switch: "The device with MAC address AABBcc has changed locations to Port 2. I must adjust my MAC address table accordingly."

MAC Address Table Overflow Attack

The switch can forward frames between PC1 and PC2 without flooding because the MAC address table contains port-to-MAC-address mappings for these PCs.

MAC Address Table Overflow Attack

[Diagram: the attacker on port 3/25 in VLAN 10, hosts A and C and servers B and D on the same switch; the CAM table fills with entries 3/25 MAC X, 3/25 MAC Y, 3/25 MAC Z, ...]

1. Intruder runs macof to begin sending unknown bogus MAC addresses.
2. Bogus addresses are added to the CAM table. CAM table is full.
3. The switch floods the frames.
4. Attacker sees traffic to servers B and D.

STP Manipulation Attack

[Diagram: Root Bridge (Priority = 8192, MAC Address = 0000.00C0.1234) at the top of the tree with forwarding (F) links to the other switches]

Spanning tree protocol operates by electing a root bridge
STP builds a tree topology
STP manipulation changes the topology of a network: the attacking host appears to be the root bridge

STP Manipulation Attack

[Diagram: the legitimate Root Bridge (Priority = 8192); the Attacker, connected to two switches, sends STP BPDUs with Priority = 0 on both links and becomes the Root Bridge]

The attacking host broadcasts out STP configuration and topology change BPDUs. This is an attempt to force spanning tree recalculations.

LAN Storm Attack

[Diagram: a switch replicating Broadcast frames out of every port]

Broadcast, multicast, or unicast packets are flooded on all ports in the same VLAN.
These storms can increase the CPU utilization on a switch to 100%, reducing the performance of the network.

Storm Control

[Chart: total number of broadcast packets or bytes over time against the storm-control threshold]

VLAN Attacks

[Diagram: VLANs provide Segmentation, Flexibility and Security]

VLAN = Broadcast Domain = Logical Network (Subnet)

VLAN Attacks

[Diagram: two switches joined by an 802.1Q Trunk, with servers on VLAN 10 and VLAN 20; the attacker, having turned its own port into an 802.1Q trunk, sees traffic destined for the servers]

A VLAN hopping attack can be launched in two ways:
Spoofing DTP messages from the attacking host to cause the switch to enter trunking mode
Introducing a rogue switch and turning trunking on

Double-Tagging VLAN Attack

[Diagram: the attacker on VLAN 10 sends a frame carrying two 802.1Q tags (20 inside 10) across a Trunk (Native VLAN = 10) to a second switch, where the Victim is on VLAN 20]

1. The attacker is on VLAN 10, but puts a 20 tag in the packet (802.1Q, 802.1Q, Frame).
2. The first switch strips off the first tag and does not retag it (native traffic is not retagged). It then forwards the packet to switch 2 (802.1Q, Frame, tag 20).
3. The second switch receives the packet on the native VLAN.
4. The second switch examines the packet, sees the VLAN 20 tag and forwards it accordingly.

Note: This attack works only if the trunk has the same native VLAN as the attacker.
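A parser for the stacked 802.1Q tags the attack above relies on, plus the check a trunk-side sensor could run to spot the pattern (added example, not part of the course material; the frame bytes are constructed samples, and parse_vlan_tags and double_tag_alert are my own names):

```python
"""Parse stacked 802.1Q tags and flag the double-tagging pattern described above.

Added example, not from the course material. The frame bytes are constructed
samples; the detection rule and the function names are my own.
"""
import struct

TPID_8021Q = 0x8100   # standard 802.1Q tag
TPID_QINQ = 0x88A8    # 802.1ad service-provider outer tag; treated the same here


def parse_vlan_tags(frame: bytes):
    """Return (tags, ethertype, payload); tags is a list of (vlan_id, pcp).

    Starts after the two MAC addresses and peels off every consecutive
    802.1Q/802.1ad tag until a non-tag EtherType is reached.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset = 12  # skip destination + source MAC
    tags = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated EtherType/TPID")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_8021Q, TPID_QINQ):
            return tags, ethertype, frame[offset + 2:]
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append((tci & 0x0FFF, tci >> 13))   # VID = low 12 bits, PCP = top 3 bits
        offset += 4


def double_tag_alert(frame: bytes, native_vlan: int):
    """Return an alert string if the frame matches the double-tagging pattern, else None.

    The pattern from the slide: a frame whose outer tag is the trunk's native VLAN
    and that carries a second tag underneath. On a hardened trunk (native VLAN
    unused by any access port) no legitimate host can produce that outer tag, so
    the combination is worth alerting on.
    """
    tags, _, _ = parse_vlan_tags(frame)
    if len(tags) >= 2 and tags[0][0] == native_vlan:
        return (f"double-tagged frame: outer VLAN {tags[0][0]} (native) "
                f"hides inner VLAN {tags[1][0]}")
    return None


# Constructed sample captures (hex), not real traffic.
# A legitimate frame from a VLAN 20 host as it appears on the trunk (ARP inside).
SAMPLE_SINGLE_TAG = bytes.fromhex(
    "ffffffffffff" "0000ffffaaaa" "8100" "0014" "0806" + "00" * 28)
# Outer tag 10 (the trunk's native VLAN) with a second tag 20 underneath (IPv4 inside).
SAMPLE_DOUBLE_TAG = bytes.fromhex(
    "ffffffffffff" "0000ffffbbbb" "8100" "000a" "8100" "0014" "0800" + "00" * 20)


def scan(frames, native_vlan: int) -> list:
    """Run the check over a batch of frames and return the alerts raised."""
    return [a for a in (double_tag_alert(f, native_vlan) for f in frames) if a]


if __name__ == "__main__":
    # Native VLAN 10 (the attacker's VLAN): the double-tagged frame is flagged.
    print(scan([SAMPLE_SINGLE_TAG, SAMPLE_DOUBLE_TAG], native_vlan=10))
    # Native VLAN moved to an unused ID: the outer tag no longer matches the native VLAN.
    print(scan([SAMPLE_SINGLE_TAG, SAMPLE_DOUBLE_TAG], native_vlan=999))
```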

Port Security Overview

[Diagram: a switch whose ports 0/1, 0/2 and 0/3 allow MAC A, MAC B and MAC C respectively; Attacker 1 and Attacker 2 present other addresses (for example MAC F) and are refused]

Port 0/1 allows MAC A
Port 0/2 allows MAC B
Port 0/3 allows MAC C

Allows an administrator to statically specify MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses

CLI Commands
Switch(config-if)# switchport mode access
Sets the interface mode as access

Switch(config-if)# switchport port-security
Enables port security on the interface

Switch(config-if)# switchport port-security maximum value
Sets the maximum number of secure MAC addresses for the interface (optional)

Switchport Port-Security Parameters

Parameter  Description

mac-address mac-address
(Optional) Specify a secure MAC address for the port by entering a 48-bit MAC address. You can add additional secure MAC addresses up to the maximum value configured.

vlan vlan-id
(Optional) On a trunk port only, specify the VLAN ID and the MAC address. If no VLAN ID is specified, the native VLAN is used.

vlan access
(Optional) On an access port only, specify the VLAN as an access VLAN.

vlan voice
(Optional) On an access port only, specify the VLAN as a voice VLAN.

mac-address sticky [mac-address]
(Optional) Enable the interface for sticky learning by entering only the mac-address sticky keywords. When sticky learning is enabled, the interface adds all secure MAC addresses that are dynamically learned to the running configuration and converts these addresses to sticky secure MAC addresses. Specify a sticky secure MAC address by entering the mac-address sticky mac-address keywords.

maximum value
(Optional) Set the maximum number of secure MAC addresses for the interface. The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system. The active Switch Database Management (SDM) template determines this number. This number represents the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces. The default setting is 1.

vlan [vlan-list]
(Optional) For trunk ports, you can set the maximum number of secure MAC addresses on a VLAN. If the vlan keyword is not entered, the default value is used.
vlan: set a per-VLAN maximum value.
vlan vlan-list: set a per-VLAN maximum value on a range of VLANs separated by a hyphen or a series of VLANs separated by commas. For nonspecified VLANs, the per-VLAN maximum value is used.

Port Security Violation Configuration

Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}
Sets the violation mode (optional)

Switch(config-if)# switchport port-security mac-address mac-address
Enters a static secure MAC address for the interface (optional)

Switch(config-if)# switchport port-security mac-address sticky
Enables sticky learning on the interface (optional)

Switchport Port-Security Violation Parameters

Parameter  Description

protect
(Optional) Set the security violation protect mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.

restrict
(Optional) Set the security violation restrict mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred.

shutdown
(Optional) Set the security violation shutdown mode. In this mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and increments the violation counter. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands.

shutdown vlan
Set the security violation mode to per-VLAN shutdown. In this mode, only the VLAN on which the violation occurred is error-disabled.

Port Security Aging Configuration

Switch(config-if)# switchport port-security aging {static | time time | type {absolute | inactivity}}
Enables or disables static aging for the secure port, or sets the aging time or type

Switchport Port-Security Aging Parameters

Parameter  Description

static
Enable aging for statically configured secure addresses on this port.

time time
Specify the aging time for this port. The range is 0 to 1440 minutes. If the time is 0, aging is disabled for this port.

type absolute
Set absolute aging type. All the secure addresses on this port age out exactly after the time (minutes) specified and are removed from the secure address list.

type inactivity
Set the inactivity aging type. The secure addresses on this port age out only if there is no data traffic from the secure source address for the specified time period.

Typical Configuration

[Diagram: PC B connected to an access port on switch S2]

Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security aging time 120
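A model of the port-security behaviour configured above, replaying a macof-style burst of bogus source addresses against one port in each violation mode so the difference between protect, restrict and shutdown is visible (added example, not Cisco code; SecurePort, cam_flood_demo and every MAC address other than 0000.ffff.aaaa are my own constructions):

```python
"""Model of Catalyst port security as described on this page (added example).

Not Cisco code: the class, method names, log text and sample MAC addresses
below are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class Violation(Enum):
    PROTECT = "protect"    # drop silently, no notification
    RESTRICT = "restrict"  # drop, notify (log/trap) and count the violation
    SHUTDOWN = "shutdown"  # err-disable the whole port (the default mode)


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                              # switchport port-security maximum <n>
    violation: Violation = Violation.SHUTDOWN     # switchport port-security violation ...
    sticky: bool = False                          # switchport port-security mac-address sticky
    static: set = field(default_factory=set)      # switchport port-security mac-address <mac>
    learned: set = field(default_factory=set)     # dynamically (or sticky) learned addresses
    violation_count: int = 0
    errdisabled: bool = False
    log: list = field(default_factory=list)

    def secure_addresses(self) -> set:
        return self.static | self.learned

    def ingress(self, src_mac: str) -> bool:
        """Return True if a frame from src_mac is forwarded, False if dropped."""
        src_mac = src_mac.lower()
        if self.errdisabled:
            return False                          # port is down until shut / no shutdown
        if src_mac in self.secure_addresses():
            return True
        if len(self.secure_addresses()) < self.maximum:
            self.learned.add(src_mac)             # room left: learn it (sticky keeps it)
            return True
        return self._violate(src_mac)

    def _violate(self, src_mac: str) -> bool:
        if self.violation is Violation.PROTECT:
            return False                          # dropped, nobody is told
        self.violation_count += 1                 # restrict and shutdown both notify
        self.log.append(f"port-security violation on {self.name} from {src_mac}")  # constructed text
        if self.violation is Violation.SHUTDOWN:
            self.errdisabled = True               # first offending frame err-disables the port
        return False

    def running_config(self) -> list:
        """Render the interface section as it would appear with sticky learning."""
        lines = ["switchport mode access", "switchport port-security",
                 f"switchport port-security maximum {self.maximum}",
                 f"switchport port-security violation {self.violation.value}"]
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
            lines += [f"switchport port-security mac-address sticky {m}"
                      for m in sorted(self.learned)]
        lines += [f"switchport port-security mac-address {m}" for m in sorted(self.static)]
        return lines


def cam_flood_demo(mode: Violation, bogus: int = 5) -> dict:
    """Two legitimate hosts, then a burst of bogus sources (constructed), on one port."""
    port = SecurePort("Fa0/12", maximum=2, violation=mode, sticky=True)
    results = {"forwarded": 0, "dropped": 0}
    srcs = ["0000.ffff.aaaa", "0000.ffff.bbbb"] + [f"dead.beef.{i:04x}" for i in range(bogus)]
    for mac in srcs:
        results["forwarded" if port.ingress(mac) else "dropped"] += 1
    results["violations"] = port.violation_count
    results["errdisabled"] = port.errdisabled
    results["secure"] = len(port.secure_addresses())
    return results


if __name__ == "__main__":
    for mode in Violation:
        print(f"{mode.value:9s}", cam_flood_demo(mode))
```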

CLI Commands
sw-class# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                 (Count)      (Count)         (Count)
---------------------------------------------------------------------------
     Fa0/12              2            1                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024

sw-class# show port-security interface f0/12
Port Security              : Enabled
Port status                : Secure-down
Violation mode             : Shutdown
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Aging time                 : 120 mins
Aging type                 : Absolute
SecureStatic address aging : Disabled
Security Violation Count   : 0

View Secure MAC Addresses

sw-class# show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   1    0000.ffff.aaaa    SecureConfigured    Fa0/12        -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024

MAC Address Notification

[Diagram: a switch with MAC A on F1/1, MAC B on F1/2 and MAC D on F2/1; MAC D is away from the network, so its address ages out; the switch sends SNMP traps to the NMS when new MAC addresses appear or when old ones time out]

Switch CAM Table:
F1/1 = MAC A
F1/2 = MAC B
F2/1 = MAC D (address ages out)

MAC address notification allows monitoring of the MAC addresses, at the module and port level, added by the switch or removed from the CAM table for secure ports.

Configure PortFast

[Diagram: a server and a workstation connected to access ports]

Command  Description

Switch(config-if)# spanning-tree portfast
Enables PortFast on a Layer 2 access port and forces it to enter the forwarding state immediately.

Switch(config-if)# no spanning-tree portfast
Disables PortFast on a Layer 2 access port. PortFast is disabled by default.

Switch(config)# spanning-tree portfast default
Globally enables the PortFast feature on all nontrunking ports.

Switch# show running-config interface type slot/port
Indicates whether PortFast has been configured on a port.

BPDU Guard

[Diagram: Root Bridge at the top; switch B has BPDU Guard enabled on the access port on which the Attacker sends an STP BPDU, and the BPDU is rejected there]

Switch(config)# spanning-tree portfast bpduguard default
Globally enables BPDU guard on all ports with PortFast enabled

Display the State of Spanning Tree

Switch# show spanning-tree summary totals
Root bridge for: none.
PortFast BPDU Guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Spanning tree default pathcost method used is short
Name                 Blocking Listening Learning Forwarding STP Active
-------------------- -------- --------- -------- ---------- ----------
1 VLAN                      0         0        0          1          1
<output omitted>

Root Guard

[Diagram: Root Bridge (Priority = 0, MAC Address = 0000.0c45.1a5d) with forwarding (F) links to the other switches; Root Guard is enabled on the port facing the Attacker, who sends an STP BPDU with Priority = 0 and MAC Address = 0000.0c45.1234]

Switch(config-if)# spanning-tree guard root
Enables root guard on a per-interface basis
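A parser for 802.1D configuration BPDUs together with the BPDU Guard and Root Guard decisions from the preceding slides, so the "superior BPDU" comparison that root guard makes can be checked on a captured frame (added example, not Cisco code; parse_bpdu, apply_guards, the Port class and the sample bytes are my own constructions, using the priority and MAC values shown on the Root Guard slide):

```python
"""Parse an 802.1D configuration BPDU and apply BPDU Guard / Root Guard logic.

Added example, not Cisco code. The function names, the Port model and the
sample frame are constructed; the bridge priorities and MAC addresses are the
ones shown on the Root Guard slide.
"""
import struct
from dataclasses import dataclass

STP_MULTICAST = bytes.fromhex("0180c2000000")
LLC_STP = bytes.fromhex("424203")        # DSAP 0x42, SSAP 0x42, UI control 0x03
BPDU_FMT = "!HBBBQIQHHHHH"               # the 35 bytes that follow the LLC header


def bridge_id(priority: int, mac: str) -> int:
    """Build the 8-byte bridge ID integer from a priority and a dotted MAC like 0000.0c45.1a5d."""
    return (priority << 48) | int(mac.replace(".", ""), 16)


def bridge_id_str(bid: int) -> str:
    """Render a bridge ID as 'priority/xxxx.xxxx.xxxx', the way show spanning-tree does."""
    prio, mac = bid >> 48, bid & 0xFFFFFFFFFFFF
    m = f"{mac:012x}"
    return f"{prio}/{m[0:4]}.{m[4:8]}.{m[8:12]}"


def parse_bpdu(frame: bytes) -> dict:
    """Return the fields of a configuration BPDU carried in an 802.3/LLC frame."""
    if frame[0:6] != STP_MULTICAST or frame[14:17] != LLC_STP:
        raise ValueError("not an STP frame")
    body = frame[17:17 + struct.calcsize(BPDU_FMT)]
    (proto, version, btype, flags, root_id, root_cost, bridge, port_id,
     msg_age, max_age, hello, fwd_delay) = struct.unpack(BPDU_FMT, body)
    if proto != 0 or btype not in (0x00, 0x02):
        raise ValueError("unsupported BPDU")
    return {"type": "config" if btype == 0 else "rstp", "version": version, "flags": flags,
            "root_id": root_id, "root_cost": root_cost, "bridge_id": bridge,
            "port_id": port_id, "max_age": max_age / 256, "hello": hello / 256,
            "fwd_delay": fwd_delay / 256, "msg_age": msg_age / 256}


@dataclass
class Port:
    name: str
    portfast: bool = False
    bpduguard: bool = False     # spanning-tree portfast bpduguard default (PortFast ports)
    rootguard: bool = False     # spanning-tree guard root
    state: str = "forwarding"


def apply_guards(port: Port, bpdu: dict, current_root_id: int) -> str:
    """Apply BPDU Guard, then Root Guard, to a BPDU received on port; return the new state."""
    if port.bpduguard and port.portfast:
        port.state = "err-disabled"          # any BPDU at all on a PortFast edge port
        return port.state
    # A numerically lower bridge ID is superior: this BPDU would elect a new root.
    if port.rootguard and bpdu["root_id"] < current_root_id:
        port.state = "root-inconsistent"     # shown by show spanning-tree inconsistentports
        return port.state
    return port.state


# Constructed sample capture: the BPDU the Root Guard slide's attacker would send.
ATTACKER_BPDU = bytes.fromhex(
    "0180c2000000"                   # destination: STP multicast
    "00000c451234"                   # source MAC
    "0026"                           # 802.3 length: 3 LLC + 35 BPDU bytes
    "424203"                         # LLC header
    "0000" "00" "00" "00"            # protocol ID, version 0, config BPDU, flags
    "0000" "00000c451234"            # root ID: priority 0, MAC 0000.0c45.1234
    "00000000"                       # root path cost 0
    "0000" "00000c451234"            # bridge ID: it claims to be the root itself
    "8001"                           # port ID
    "0000" "1400" "0200" "0f00"      # msg age 0, max age 20 s, hello 2 s, fwd delay 15 s
)

if __name__ == "__main__":
    b = parse_bpdu(ATTACKER_BPDU)
    real_root = bridge_id(0, "0000.0c45.1a5d")
    print("received root", bridge_id_str(b["root_id"]), "vs current", bridge_id_str(real_root))
    print("root guard port ->", apply_guards(Port("Fa3/1", rootguard=True), b, real_root))
    print("bpdu guard port ->", apply_guards(Port("Fa0/5", portfast=True, bpduguard=True), b, real_root))
```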

Verify Root Guard

Switch# show spanning-tree inconsistentports
Name                 Interface              Inconsistency
-------------------- ---------------------- ------------------
VLAN0001             FastEthernet3/1        Port Type Inconsistent
VLAN0001             FastEthernet3/2        Port Type Inconsistent
VLAN1002             FastEthernet3/1        Port Type Inconsistent
VLAN1002             FastEthernet3/2        Port Type Inconsistent
VLAN1003             FastEthernet3/1        Port Type Inconsistent
VLAN1003             FastEthernet3/2        Port Type Inconsistent
VLAN1004             FastEthernet3/1        Port Type Inconsistent
VLAN1004             FastEthernet3/2        Port Type Inconsistent
VLAN1005             FastEthernet3/1        Port Type Inconsistent
VLAN1005             FastEthernet3/2        Port Type Inconsistent
Number of inconsistent ports (segments) in the system :10

Storm Control Methods
Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic
Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received
Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received
Traffic rate in packets per second and for small frames. This feature is enabled globally. The threshold for small frames is configured for each interface.

Storm Control Configuration

Switch(config-if)# storm-control broadcast level 75.5
Switch(config-if)# storm-control multicast level pps 2k 1k
Switch(config-if)# storm-control action shutdown

Enables storm control
Specifies the level at which it is enabled
Specifies the action that should take place when the threshold (level) is reached, in addition to filtering traffic

Storm Control Parameters


Parameter

Description

broadcast

This parameter enables broadcast storm control on the interface.

multicast

This parameter enables multicast storm control on the interface.

unicast

This parameter enables unicast storm control on the interface.

level level [level-low]

Rising and falling suppression levels as a percentage of total bandwidth of the port.
level: Rising suppression level. The range is 0.00 to 100.00. Block the flooding of
storm packets when the value specified for level is reached.
level-low: (Optional) Falling suppression level, up to two decimal places. This
value must be less than or equal to the rising suppression value.

level bps bps [bps-low]

Specify the rising and falling suppression levels as a rate in bits per second at which
traffic is received on the port.
bps: Rising suppression level. The range is 0.0 to 10000000000.0. Block the
flooding of storm packets when the value specified for bps is reached.
bps-low: (Optional) Falling suppression level, up to one decimal place. This value
must be equal to or less than the rising suppression value.

level pps pps [pps-low]

Specify the rising and falling suppression levels as a rate in packets per second at
which traffic is received on the port.
pps: Rising suppression level. The range is 0.0 to 10000000000.0. Block the
flooding of storm packets when the value specified for pps is reached.
pps-low: (Optional) Falling suppression level, up to one decimal place. This value
must be equal to or less than the rising suppression value.

action {shutdown|trap}

The action taken when a storm occurs on a port. The default action is to filter traffic
and to not send an SNMP trap.
The keywords have these meanings:
shutdown: Disables the port during a storm
trap: Sends an SNMP trap when a storm occurs

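A simulation of the rising and falling suppression levels and the actions described in the table above, fed with per-second traffic samples so the hysteresis between the two levels is visible (added example, not Cisco code; StormControl, its one-second sampling, the 100 Mb/s port assumption and the sample rates are my own):

```python
"""Simulate per-interface storm control with rising/falling thresholds (added example).

Not Cisco code: the class, the one-second sampling and the sample traffic are
my own assumptions; the threshold semantics follow the parameters above.
"""
from dataclasses import dataclass, field


@dataclass
class StormControl:
    """One traffic class (broadcast, multicast or unicast) on one interface."""
    interface: str
    traffic: str                      # "broadcast" | "multicast" | "unicast"
    rising: float                     # level, level bps or level pps
    falling: float = None             # defaults to the rising level when omitted
    unit: str = "percent"             # "percent" | "bps" | "pps"
    port_bandwidth_bps: float = 100_000_000.0   # assumed 100 Mb/s port
    action: str = "filter"            # "filter" (default) | "shutdown" | "trap"
    filtering: bool = False
    shut: bool = False
    trap_log: list = field(default_factory=list)

    def __post_init__(self):
        if self.falling is None:
            self.falling = self.rising
        if self.falling > self.rising:
            raise ValueError("falling level must be less than or equal to the rising level")

    def _measure(self, sample) -> float:
        """Convert a one-second sample (packets, bytes) into the configured unit."""
        packets, nbytes = sample
        if self.unit == "pps":
            return float(packets)
        if self.unit == "bps":
            return float(nbytes * 8)
        return 100.0 * (nbytes * 8) / self.port_bandwidth_bps

    def step(self, sample) -> str:
        """Feed one interval; return the filter state for that interval."""
        if self.shut:
            return "shutdown"                   # stays down until an admin recovers it
        value = self._measure(sample)
        if not self.filtering and value >= self.rising:
            self.filtering = True               # rising level reached: block the storm
            if self.action == "shutdown":
                self.shut = True
                return "shutdown"
            if self.action == "trap":
                self.trap_log.append(
                    f"{self.interface} {self.traffic} storm: {value:g} {self.unit}")
        elif self.filtering and value < self.falling:
            self.filtering = False              # only resume once below the falling level
        return "blocking" if self.filtering else "forwarding"


def run(sc: StormControl, samples) -> list:
    """Return the per-interval states for a sequence of (packets, bytes) samples."""
    return [sc.step(s) for s in samples]


if __name__ == "__main__":
    # Like "storm-control multicast level pps 20 10": block at 20 pps, resume below 10 pps.
    sc = StormControl("Gi0/1", "multicast", rising=20, falling=10, unit="pps")
    samples = [(5, 0), (15, 0), (25, 0), (18, 0), (12, 0), (9, 0), (5, 0)]   # constructed
    for s, state in zip(samples, run(sc, samples)):
        print(f"{s[0]:3d} pps -> {state}")
```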

Verify Storm Control Settings

Switch# show storm-control
Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Gi0/1      Forwarding     20 pps       10 pps       5 pps
Gi0/2      Forwarding     50.00%       40.00%       0.00%
<output omitted>

Mitigating VLAN Attacks

[Diagram: two switches joined by a Trunk (Native VLAN = 10)]

1. Disable trunking on all access ports.
2. Disable auto trunking and manually enable trunking.
3. Be sure that the native VLAN is used only for trunk lines and nowhere else.

Controlling Trunking
Switch(config-if)# switchport mode trunk
Specifies an interface as a trunk link.

Switch(config-if)# switchport nonegotiate
Prevents the generation of DTP frames.

Switch(config-if)# switchport trunk native vlan vlan_number
Sets the native VLAN on the trunk to an unused VLAN.

Traffic Analysis

[Diagram: an IDS, RMON probe or protocol analyzer attached to a SPAN port on the switch raises "Intruder Alert!" on the Attacker's traffic]

A SPAN port mirrors traffic to another port where a monitoring device is connected.
Without this, it can be difficult to track hackers after they have entered the network.

CLI Commands

Switch(config)# monitor session session_number source {interface interface-id [, | -] [both | rx | tx]} | {vlan vlan-id [, | -] [both | rx | tx]} | {remote vlan vlan-id}

Switch(config)# monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate] [ingress {dot1q vlan vlan-id | isl | untagged vlan vlan-id | vlan vlan-id}]} | {remote vlan vlan-id}

Verify SPAN Configuration

[Screenshot: SPAN verification output]

SPAN and IDS

[Diagram: the Attacker is connected to port F0/1 and an IDS to port F0/2 of the same switch]

Use SPAN to mirror traffic in and out of port F0/1 to port F0/2.

Overview of RSPAN

[Diagram: several switches, each with a Source VLAN, carry mirrored traffic over the RSPAN VLAN to the switch where the IDS is connected; the IDS raises "Intruder Alert!" on the Attacker's traffic]

An RSPAN port mirrors traffic to another port on another switch where a probe or IDS sensor is connected.
This allows more switches to be monitored with a single probe or IDS.

Configuring RSPAN

[Diagram: switches 2960-1 and 2960-2 connected by a trunk]

1. Configure the RSPAN VLAN
2960-1(config)# vlan 100
2960-1(config-vlan)# remote-span
2960-1(config-vlan)# exit

2. Configure the RSPAN source ports and VLANs
2960-1(config)# monitor session 1 source interface FastEthernet 0/1
2960-1(config)# monitor session 1 destination remote vlan 100 reflector-port FastEthernet 0/24
2960-1(config)# interface FastEthernet 0/2
2960-1(config-if)# switchport mode trunk

3. Configure the RSPAN traffic to be forwarded
2960-2(config)# monitor session 2 source remote vlan 100
2960-2(config)# monitor session 2 destination interface FastEthernet 0/3
2960-2(config)# interface FastEthernet 0/2
2960-2(config-if)# switchport mode trunk

Verifying RSPAN Configuration

[Diagram: switches 2960-1 and 2960-2]

show monitor [session {session_number | all | local | range list | remote} [detail]] [ | {begin | exclude | include} expression]

Layer 2 Guidelines
Manage switches in as secure a manner as possible (SSH, out-of-band management, ACLs, etc.)
Set all user ports to non-trunking mode (except if using Cisco VoIP)
Use port security where possible for access ports
Enable STP attack mitigation (BPDU guard, root guard)
Use Cisco Discovery Protocol only where necessary (with phones it is useful)
Configure PortFast on all non-trunking ports
Configure root guard on STP root ports
Configure BPDU guard on all non-trunking ports

VLAN Practices
Always use a dedicated, unused native VLAN ID for trunk ports
Do not use VLAN 1 for anything
Disable all unused ports and put them in an unused VLAN
Manually configure all trunk ports and disable DTP on trunk ports
Configure all non-trunking ports with switchport mode access

Overview of Wireless, VoIP Security

[Diagram: Wireless and VoIP]

Overview of SAN Security

[Diagram: SAN]

Infrastructure-Integrated Approach
Proactive threat and intrusion detection capabilities that do not simply detect wireless attacks but prevent them
Comprehensive protection to safeguard confidential data and communications
Simplified user management with a single user identity and policy
Collaboration with wired security systems

Cisco IP Telephony Solutions
Single-site deployment
Centralized call processing with remote branches
Distributed call-processing deployment
Clustering over the IP WAN

Storage Network Solutions
Investment protection
Virtualization
Security
Consolidation
Availability

Cisco Wireless LAN Controllers
Responsible for system-wide wireless LAN functions
Work in conjunction with APs and the Cisco Wireless Control System (WCS) to support wireless applications
Smoothly integrate into existing enterprise networks

Wireless Hacking
War driving
A neighbor hacks into another neighbor's wireless network to get free Internet access or to access information
Free Wi-Fi provides an opportunity to compromise the data of users

Hacking Tools
Network Stumbler
Kismet
AirSnort
CoWPAtty
ASLEAP
Wireshark

Safety Considerations
Wireless networks using WEP or WPA/TKIP are not very secure and are vulnerable to hacking attacks.
Wireless networks using WPA2/AES should have a passphrase at least 21 characters long.
If an IPsec VPN is available, use it on any public wireless LAN.
If wireless access is not needed, disable the wireless radio or wireless NIC.

VoIP Business Advantages

[Diagram: VoIP network connected through a Gateway to the PSTN]

Lower telecom call costs
Productivity increases
Lower costs to move, add, or change
Lower ongoing service and maintenance costs
Little or no training costs
No major set-up fees
Enables unified messaging
Encryption of voice calls is supported
Fewer administrative personnel required

VoIP Components

[Diagram: Cisco Unified Communications Manager (Call Agent), Cisco Unity, IP phones, an MCU and a videoconference station on the IP backbone; routers/gateways connect the IP backbone to a PBX and to the PSTN]

VoIP Protocols

VoIP Protocol  Description

H.323
ITU standard protocol for interactive conferencing; evolved from the H.320 ISDN standard; flexible, complex

MGCP
Emerging IETF standard for PSTN gateway control; thin device control

Megaco/H.248
Joint IETF and ITU standard for gateway control with support for multiple gateway types; evolved from the MGCP standard

SIP
IETF protocol for interactive and noninteractive conferencing; simpler but less mature than H.323

RTP
IETF standard media-streaming protocol

RTCP
IETF protocol that provides out-of-band control information for an RTP flow

SRTP
IETF protocol that encrypts RTP traffic as it leaves the voice device

SCCP
Cisco proprietary protocol used between Cisco Unified Communications Manager and Cisco IP phones

Threats
Reconnaissance
Directed attacks such as spam over IP telephony (SPIT) and spoofing
DoS attacks such as DHCP starvation, flooding, and fuzzing
Eavesdropping and man-in-the-middle attacks

VoIP SPIT
If SPIT grows like e-mail spam, it could result in regular DoS problems for network administrators.
Antispam methods do not block SPIT.
Authenticated TLS stops most SPIT attacks because TLS endpoints accept packets only from trusted devices.
(Illustration: an unsolicited call announcing "You've just won an all-expenses-paid vacation to the U.S. Virgin Islands!!!")

Fraud
Fraud takes several forms:
Vishing: a voice version of phishing that is used to compromise confidentiality.
Theft and toll fraud: the stealing of telephone services.
Use features of Cisco Unified Communications Manager to protect against fraud:
Partitions limit what parts of the dial plan certain phones have access to.
Dial plan filters control access to exploitable phone numbers.
FACs (forced authorization codes) prevent unauthorized calls and provide a mechanism for tracking.

SIP Vulnerabilities
Registration hijacking: allows a hacker to intercept incoming calls and reroute them.
Message tampering: allows a hacker to modify data packets traveling between SIP addresses.
Session tear-down: allows a hacker to terminate calls or carry out VoIP-targeted DoS attacks.
(Figure: SIP servers/services, consisting of a registrar with its location database and a SIP proxy, serving SIP user agents.)
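Registration hijacking works because a registrar that accepts an unauthenticated REGISTER lets anyone rebind an extension's address-of-record to their own host. The following is an added example, not code from the slides or from any Cisco product: a toy registrar that can run either way, with a client that answers the 401 challenge using the RFC 2617 Digest scheme SIP uses (no qop, so response = MD5(HA1:nonce:HA2)). Extension 1001, its password, the realm, and the attacker address 203.0.113.66 (an RFC 5737 documentation address) are all constructed for the example.

```python
import hashlib
import hmac
import secrets

USERS = {"1001": "Correct-Horse-Battery"}   # constructed extension and password
REALM = "example.com"                       # constructed SIP realm
ATTACKER_HOST = "203.0.113.66"              # documentation address standing in for the attacker


def parse_sip(msg):
    """Return (method, request-URI, {lower-case header: value}) for a SIP request."""
    lines = msg.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def parse_digest(value):
    """Parse 'Digest k="v", k2="v2"' into (scheme, {k: v})."""
    scheme, _, params = value.partition(" ")
    out = {}
    for part in params.split(","):
        k, _, v = part.strip().partition("=")
        out[k] = v.strip('"')
    return scheme, out


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, password, nonce, method, uri):
    """RFC 2617 Digest without qop, as used for SIP REGISTER."""
    ha1 = md5_hex(f"{user}:{REALM}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def build_register(ext, contact_host, authorization=None):
    lines = [f"REGISTER sip:{REALM} SIP/2.0",
             f"To: <sip:{ext}@{REALM}>",
             f"From: <sip:{ext}@{REALM}>;tag=1",
             f"Contact: <sip:{ext}@{contact_host}:5060>"]
    if authorization:
        lines.append("Authorization: " + authorization)
    return "\r\n".join(lines) + "\r\n\r\n"


class Registrar:
    """Minimal location service. require_auth=False is the hijackable behaviour;
    require_auth=True challenges every REGISTER with a fresh single-use nonce."""

    def __init__(self, require_auth):
        self.require_auth = require_auth
        self.bindings = {}        # address-of-record -> Contact (where calls get routed)
        self.live_nonces = set()

    def handle(self, msg):
        method, uri, h = parse_sip(msg)
        if method != "REGISTER":
            return "405 Method Not Allowed"
        aor = h["to"]
        if not self.require_auth:
            self.bindings[aor] = h["contact"]        # anyone can rebind the extension
            return "200 OK"
        auth = h.get("authorization")
        if auth is None:
            nonce = secrets.token_hex(8)
            self.live_nonces.add(nonce)
            return f'401 Unauthorized\r\nWWW-Authenticate: Digest realm="{REALM}", nonce="{nonce}"'
        scheme, p = parse_digest(auth)
        user, nonce = p.get("username", ""), p.get("nonce", "")
        if scheme != "Digest" or user not in USERS or nonce not in self.live_nonces:
            return "403 Forbidden"
        self.live_nonces.discard(nonce)             # single use: a captured response cannot be replayed
        expected = digest_response(user, USERS[user], nonce, method, p.get("uri", ""))
        if p.get("uri") != uri or not hmac.compare_digest(expected, p.get("response", "")):
            return "403 Forbidden"
        self.bindings[aor] = h["contact"]
        return "200 OK"


def attempt_register(registrar, ext, contact_host, password):
    """Client side: send REGISTER and, if challenged, answer with the given password.
    Returns (final status line, Contact now bound to the extension or None)."""
    reply = registrar.handle(build_register(ext, contact_host))
    if reply.startswith("401"):
        _, p = parse_digest(reply.split("WWW-Authenticate: ", 1)[1])
        uri = f"sip:{REALM}"
        resp = digest_response(ext, password, p["nonce"], "REGISTER", uri)
        auth = (f'Digest username="{ext}", realm="{REALM}", nonce="{p["nonce"]}", '
                f'uri="{uri}", response="{resp}"')
        reply = registrar.handle(build_register(ext, contact_host, auth))
    return reply, registrar.bindings.get(f"<sip:{ext}@{REALM}>")


if __name__ == "__main__":
    print("open registrar :", attempt_register(Registrar(False), "1001", ATTACKER_HOST, "guess"))
    print("digest, attacker:", attempt_register(Registrar(True), "1001", ATTACKER_HOST, "guess"))
    print("digest, phone   :", attempt_register(Registrar(True), "1001", "10.1.110.3", USERS["1001"]))
```

Against the open registrar the attacker's REGISTER is accepted and every inbound call for 1001 is now routed to 203.0.113.66; with the challenge in place the attacker cannot produce a valid response without the password and the binding is left untouched. Digest protects the registration step only; the message-tampering and tear-down attacks on the slide need TLS for signaling (and SRTP for media), since Digest does not protect the rest of the dialog.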

Using VLANs
(Figure: an IP phone at 10.1.110.3 in voice VLAN 110 and a desktop PC at 171.1.1.1 in data VLAN 10, both attached through switch port 5/1, which carries the two VLANs as an 802.1Q trunk.)
Creates a separate broadcast domain for voice traffic
Protects against eavesdropping and tampering
Renders packet-sniffing tools less effective
Makes it easier to implement VACLs that are specific to voice traffic
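The separation only holds if every phone port actually puts the PC in the data VLAN and the phone in the voice VLAN. As an added example (not from the slides), here is a small audit that parses a switch running-config and flags phone ports that collapse the two VLANs or leave the port as a trunk. The configuration excerpt is constructed for the example: FastEthernet0/1 shows the intended `switchport access vlan 10` / `switchport voice vlan 110` pair, and the other two ports show the mistakes the check is looking for.

```python
import re

# Constructed running-config excerpt (not from the page): one phone port done
# right and two done wrong, plus an uplink that carries no phone.
RUNNING_CONFIG = """\
interface FastEthernet0/1
 description phone + PC: voice and data in separate VLANs
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 spanning-tree portfast
!
interface FastEthernet0/2
 description phone + PC: voice dumped into the data VLAN
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 10
!
interface FastEthernet0/3
 description phone + PC: port left as a trunk
 switchport mode trunk
 switchport voice vlan 110
!
interface GigabitEthernet0/1
 description uplink, no phone
 switchport mode trunk
!
"""

DATA_VLAN, VOICE_VLAN = 10, 110   # assumed site standard, matching the figure


def parse_interfaces(config):
    """Map each 'interface X' block to the list of its indented config lines."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None            # '!' or any unindented line ends the block
    return blocks


def audit_voice_ports(config, data_vlan=DATA_VLAN, voice_vlan=VOICE_VLAN):
    """Return {interface: [problems]} for phone ports that break voice/data separation."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        text = "\n".join(lines)
        voice = re.search(r"^switchport voice vlan (\d+)$", text, re.M)
        if voice is None:
            continue                  # no voice VLAN: not a phone port, out of scope here
        access = re.search(r"^switchport access vlan (\d+)$", text, re.M)
        mode = re.search(r"^switchport mode (\w+)$", text, re.M)
        problems = []
        if mode is None or mode.group(1) != "access":
            problems.append("phone port is not 'switchport mode access'; a PC behind the "
                            "phone can tag frames into any VLAN the trunk carries")
        elif access is None:
            problems.append("no 'switchport access vlan'; PC traffic lands in the default VLAN")
        elif int(access.group(1)) == int(voice.group(1)):
            problems.append("voice VLAN equals data VLAN; the PC shares the phone's "
                            "broadcast domain and can sniff RTP")
        elif int(access.group(1)) != data_vlan:
            problems.append(f"data VLAN {access.group(1)} is not the designated data VLAN {data_vlan}")
        if int(voice.group(1)) != voice_vlan:
            problems.append(f"voice VLAN {voice.group(1)} is not the designated voice VLAN {voice_vlan}")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for port, problems in audit_voice_ports(RUNNING_CONFIG).items():
        for p in problems:
            print(f"{port}: {p}")
```

Run it over `show running-config` output pulled from each access switch; ports with no findings are the ones where a VACL applied to VLAN 110 actually sees only phone traffic.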

Using Cisco ASA Adaptive Security Appliances
Ensure SIP, SCCP, H.323, and MGCP requests conform to standards
Prevent inappropriate SIP methods from being sent to Cisco Unified Communications Manager
Rate limit SIP requests
Enforce policy on calls (whitelist, blacklist, caller/called party, SIP URI)
Dynamically open ports for Cisco applications
Enable only registered phones to make calls
Enable inspection of encrypted phone calls
(Figure: two Cisco Adaptive Security Appliances, one facing the WAN and one facing the Internet.)

Using VPNs
Use IPsec for authentication
Use IPsec to protect all traffic, not just voice
Consider an SLA with the service provider
Terminate on a VPN concentrator or large router inside the firewall to gain these benefits:
Performance
Reduced configuration complexity
Managed organizational boundaries
(Figure: telephony servers at the central site connected across the IP WAN to a remote-site SRST router.)

Using Cisco Unified Communications Manager
Signed firmware
Signed configuration files
Disable: PC port, Settings button, speakerphone, web access

SAN Security Considerations
SAN: a specialized network that enables fast, reliable access among servers and external storage resources
(Figure: servers on the IP network with a separate SAN behind them.)

SAN Transport Technologies
Fibre Channel: the primary SAN transport for host-to-SAN connectivity
iSCSI: maps SCSI over TCP/IP and is another host-to-SAN connectivity model
FCIP: a popular SAN-to-SAN connectivity model
(Figure: LAN-attached hosts reaching storage over the transports above.)

World Wide Name
A 64-bit address that Fibre Channel networks use to uniquely identify each element in a Fibre Channel network
Zoning can utilize WWNs to assign security permissions
The WWN of a device is a user-configurable parameter, so it can be changed or spoofed by whoever controls the host; WWN-based zoning on its own is therefore not a strong access control.
(Figure: Cisco MDS 9020 Fabric Switch.)

Zoning Operation
Zone members see only other members of the zone.
Zones can be configured dynamically based on WWN.
Devices can be members of more than one zone.
Switched fabric zoning can take place at the port or device level: based on physical switch port, on device WWN, or on LUN ID.
(Figure: an example of zoning. Host1, Host2 and Disk1 through Disk4 are arranged in ZoneA, ZoneB and ZoneC; note that devices can be members of more than one zone.)

Virtual Storage Area Network (VSAN)
Physical SAN islands are virtualized onto a common SAN infrastructure.
(Figure: Cisco MDS 9000 Family with VSAN service consolidating several physical SAN islands.)

Security Focus
(Figure: the areas a secure SAN must cover: SAN protocol, fabric access, target access, IP storage access, SAN management access, and data integrity and secrecy.)

SAN Management
Three main areas of vulnerability:
1. Disruption of switch processing
2. Compromised fabric stability
3. Compromised data integrity and confidentiality


Fabric and Target Access
Three main areas of focus:
Application data integrity
LUN integrity
Application performance

VSANs
Relationship of VSANs to Zones
(Figure: physical topology with VSAN 2 and VSAN 3. Host1 through Host4 and Disk1 through Disk6 are placed in ZoneA through ZoneD inside the two VSANs; the zone name ZoneA is used in both VSANs.)
Two VSANs, each with multiple zones. Disks and hosts are dedicated to VSANs, although both hosts and disks can belong to multiple zones within a single VSAN. They cannot, however, span VSANs.
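The three slides above (WWN, zoning, VSANs) fit together in one access decision: two ports may talk only if they are in the same VSAN and share at least one zone, and a WWN-based zone trusts whatever name the HBA presented at fabric login. The following is an added example, not code from the slides or from the Cisco MDS software: a toy fabric model that shows a rogue host with a reprogrammed WWN getting into a WWN-based zone, being kept out of the same zone when it is defined by physical port, and a host in another VSAN being isolated either way. Switch name, port numbers and WWNs are made up.

```python
from dataclasses import dataclass


def parse_wwn(text):
    """Parse a colon-separated 64-bit WWN ('10:00:00:00:c9:12:34:56') into an int."""
    parts = text.lower().split(":")
    if len(parts) != 8 or any(len(p) != 2 for p in parts):
        raise ValueError(f"malformed WWN: {text}")
    return int("".join(parts), 16)


@dataclass(frozen=True)
class Port:
    switch: str
    number: int


class Fabric:
    """Toy switched fabric: VSAN membership per port, zones either by WWN
    (what the device claimed at fabric login) or by physical port."""

    def __init__(self):
        self.vsan_of_port = {}   # Port -> VSAN id
        self.wwn_zones = {}      # VSAN id -> {zone name: set of WWN ints}
        self.port_zones = {}     # VSAN id -> {zone name: set of Port}
        self.logged_in = {}      # Port -> WWN int presented at FLOGI

    def assign_vsan(self, port, vsan):
        self.vsan_of_port[port] = vsan

    def flogi(self, port, wwn_text):
        # Fabric login: the switch records whatever WWN the HBA presents.
        self.logged_in[port] = parse_wwn(wwn_text)

    def add_wwn_zone(self, vsan, name, wwn_texts):
        self.wwn_zones.setdefault(vsan, {})[name] = {parse_wwn(w) for w in wwn_texts}

    def add_port_zone(self, vsan, name, ports):
        self.port_zones.setdefault(vsan, {})[name] = set(ports)

    def can_reach(self, src, dst):
        """True if src may talk to dst: same VSAN and at least one shared zone."""
        vsan = self.vsan_of_port.get(src)
        if vsan is None or self.vsan_of_port.get(dst) != vsan:
            return False         # zones never span VSANs
        for members in self.port_zones.get(vsan, {}).values():
            if src in members and dst in members:
                return True
        a, b = self.logged_in.get(src), self.logged_in.get(dst)
        for members in self.wwn_zones.get(vsan, {}).values():
            if a in members and b in members:
                return True
        return False


# Constructed scenario (not from the page): Host1 and Disk1 in VSAN 2, a rogue
# host on a third port of the same switch, Host3 in VSAN 3. WWNs are made up.
HOST1_WWN = "10:00:00:00:c9:12:34:56"
DISK1_WWN = "50:06:01:60:3b:20:11:22"
HOST3_WWN = "10:00:00:00:c9:ab:cd:ef"


def demo():
    f = Fabric()
    host1, disk1, rogue, host3 = (Port("mds1", n) for n in (1, 2, 3, 4))
    for p in (host1, disk1, rogue):
        f.assign_vsan(p, 2)
    f.assign_vsan(host3, 3)
    f.flogi(host1, HOST1_WWN)
    f.flogi(disk1, DISK1_WWN)
    f.flogi(rogue, HOST1_WWN)    # HBA WWN is user-configurable: the rogue claims Host1's name
    f.flogi(host3, HOST3_WWN)

    # 1. ZoneA defined by WWN: the spoofed name gets the rogue into the zone.
    f.add_wwn_zone(2, "ZoneA", [HOST1_WWN, DISK1_WWN])
    by_wwn = {"host1": f.can_reach(host1, disk1),
              "rogue": f.can_reach(rogue, disk1),
              "host3": f.can_reach(host3, disk1)}

    # 2. The same ZoneA defined by physical port: the rogue's port is not a member.
    f.wwn_zones.clear()
    f.add_port_zone(2, "ZoneA", [host1, disk1])
    by_port = {"host1": f.can_reach(host1, disk1),
               "rogue": f.can_reach(rogue, disk1),
               "host3": f.can_reach(host3, disk1)}
    return by_wwn, by_port


if __name__ == "__main__":
    print(demo())
```

Host3 is refused in both cases because VSAN 3 is a separate fabric, even though a zone named ZoneA could exist there too. Port-based zoning pins access to the cable rather than to a name the host controls, at the cost of having to re-zone whenever a device moves; on a real fabric the usual answer is to combine it with the switch's port security (binding an expected WWN to each port) rather than to rely on WWN zoning alone.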

iSCSI and FCIP
iSCSI leverages many of the security features inherent in Ethernet and IP:
ACLs are like Fibre Channel zones
VLANs are like Fibre Channel VSANs
802.1X port security is like Fibre Channel port security
FCIP security leverages many IP security features in Cisco IOS-based routers:
IPsec VPN connections through public carriers
High-speed encryption services in specialized hardware
Can be run through a firewall