CCNA Security 1.1 Instructional Resource

CCNA Security 1.1
Instructional Resource
Chapter 6 – Securing the Local Area Network
© 2012 Cisco and/or its affiliates. All rights reserved.
• Describe endpoint vulnerabilities and protection methods.
• Describe the vulnerabilities of the Layer 2 infrastructure.
• Describe the mitigation techniques for securing the Layer 2
infrastructure.
• Describe MAC address spoofing attacks, STP manipulation
attacks, MAC address overflow attacks, LAN storm attacks, and
VLAN attacks.
• Configure and verify port security, BPDU guard, root guard, storm
control, and PVLAN Edge.
• Describe endpoint security with IronPort.
• Describe endpoint security with Network Admission Control.
• Describe wireless, VoIP, and SAN security considerations.
• Describe wireless, VoIP, and SAN security solutions.
6.0 Mitigating Common Layer 2 Attacks
6.1 Describe Layer 2 Security Using Cisco Switches
6.1.1 STP attacks
6.1.2 ARP spoofing
6.1.3 MAC spoofing
6.1.4 CAM overflows
6.1.5 CDP/LLDP
6.2 Describe VLAN Security
6.2.1 Voice VLAN
6.2.2 PVLAN
6.2.3 VLAN hopping
6.2.4 Native VLAN
6.4 Implement Spanning Tree
6.4.1 Potential issues with redundant switch topologies
6.4.2 STP operations
6.4.3 Resolving issues with STP
• Layer 2 is generally the point-of-entry to the network and so is
especially vulnerable to attacks.
• Keeping user/data, voice, native, management, and default VLANs
distinct is a best practice for providing a secure Layer 2
environment.
• VLANs should be pruned manually or dynamically on trunk links to
deterministically permit appropriate VLAN traffic.
• Spanning tree is susceptible to attacks which alter the proper
selection of the root bridge. BPDU guard, BPDU filter, and root
guard help to mitigate these attacks.
• Layer 2 “storms” can occur inadvertently or as a result of an
attack. Technologies such as port security and storm control can
help to prevent these storms.
• Cisco SPAN is used in conjunction with protocol analyzers and
IDS devices.
• The PVLAN Edge feature helps to control traffic between
protected ports in the same VLAN.
• IronPort uses SenderBase to provide anti-spam, anti-virus, and
anti-spyware functionality.
• Cisco NAC Framework and Cisco NAC appliance are two
approaches to allow only authorized and compliant systems
(whether managed or unmanaged) to access the network, and to
enforce network security policy.
• Wireless, VoIP, and SAN technologies have their own set of
security issues and mitigation techniques.
• Chapter 6 Lab A: Securing Layer 2 Switches
– Part 1: Configure Basic Switch Settings
– Part 2: Configure SSH Access to the Switch
– Part 3: Secure Trunks and Access Ports
– Part 4: Configure SPAN and Monitor Traffic
Absolute Timeout
Port security timer which specifies the aging time after which
secure addresses on the port are deleted.
Application Server
Provide services such as voice mail and unified messaging,
such as Cisco Unity.
Atomic Alert
IPS alert generated every time a signature triggers.
Atomic Signature
Simplest type of signature, consisting of a single packet,
activity, or event that is examined.
BPDU Filter
Cisco switch feature that prevents interfaces that are in a
PortFast-operational state from sending or receiving BPDUs. If
a BPDU is received on a PortFast-enabled interface, the
interface loses its PortFast-operational status, and BPDU
filtering is disabled.
BPDU Guard
Cisco switch feature that allows network designers to keep the
active spanning tree topology predictable. BPDU guard
protects the switched network from problems caused by
receipt of BPDUs on ports that should not be receiving them.
Call Agent
Provides call control for IP phones, CAC, bandwidth control
and management, and address translation. Cisco Unified
Communications Managers function as call agents.
Double-tagging
Method employed in a certain VLAN hopping attack whereby
an attacker embeds a hidden 802.1Q tag inside an Ethernet
frame. This tag allows the frame to go to a VLAN that the
original 802.1Q tag did not specify. This type of attack can
work on ports that are not configured as trunk ports.
DTP
Dynamic Trunking Protocol (DTP) is a Cisco-proprietary
protocol that enables the automatic negotiation of trunk links.
Gatekeeper
Provides Call Admission Control (CAC), bandwidth control and
management, and address translation.
FCIP
Fibre Channel over IP (FCIP) is a popular SAN-to-SAN
transport used over a WAN or MAN.
Fibre Channel
Primary SAN transport for host-to-SAN connectivity.
Gateway
Provides translation between VoIP and non-VoIP networks,
such as the PSTN. Gateways also provide physical access for
local analog and digital voice devices, such as telephones, fax
machines, key sets, and PBXs.
HBA
A Host Bus Adapter (HBA) is an I/O adapter that sits between
the bus of the host computer and the Fibre Channel loop and
manages the transfer of information between the two
channels.
Inactivity Timeout
Port security timer which specifies the idle/inactive time after
which secure addresses on the port are deleted.
IP Phone
Phone that provides voice communication over a data
network.
IronPort
Anti-spam, antivirus, and anti-spyware appliances. IronPort
uses SenderBase, the world's largest threat detection
database, to help provide preventive and reactive security
measures.
iSCSI
A host-to-SAN transport in the form of SCSI over TCP/IP.
LAN Storm
Condition whereby packets flood the LAN, creating excessive
traffic and degrading network performance.
Least Privileged Concept
To better protect an endpoint, a process should never be given
more privilege than is necessary to perform a job.
Lightweight AP
Access point that depends on a centralized wireless LAN
controller (WLC) for its configuration.
LUN
A logical unit number (LUN) is a 4-bit address for an individual
disk drive and, by extension, the disk device itself.
LUN Masking
Authorization process that makes a LUN available to some
hosts and unavailable to other hosts.
MAC Address Spoofing Attack
A host masquerades or poses as another via the MAC
address to receive otherwise inaccessible data or to
circumvent security configurations.
MAC Address Table Overflow Attack
A switch is bombarded with fake source MAC addresses until
the switch MAC address table is full and no new entries can
be accepted. When this occurs, the switch begins to flood all
incoming traffic to all ports because there is no room in the
table to learn any legitimate MAC addresses.
macof
Tool used, among other things, to flood a switch with frames
containing randomly generated source and destination MAC
and IP addresses.
Multipoint Control Unit (MCU)
Provides real-time connectivity for participants in multiple
locations to attend the same videoconference or meeting.
NAC
Network admission control (NAC) uses the network
infrastructure to enforce security policy compliance on all
devices seeking to access network computing resources. With
NAC, network security professionals can authenticate,
authorize, evaluate, and remediate wired, wireless, and
remote users and their machines prior to network access.
NAC identifies whether networked devices are compliant with
the network security policies and repairs any vulnerability
before permitting access to the network.
NAC Agent
Cisco NAC Agent (NAA) is an optional lightweight agent
running on an endpoint device. It performs deep inspection of
the device's security profile by analyzing registry settings,
services, and files.
NAC Manager
Cisco NAC Manager (NAM) is the policy and management
center for an appliance-based NAC deployment environment.
Cisco NAC Manager defines role-based user access and
endpoint security policies.
NAC Guest Server
Manages guest network access, including provisioning,
notification, management, and reporting of all guest user
accounts and network activities.
NAC Profiler
Helps to deploy policy-based access control by providing
discovery, profiling, policy-based placement, and post-connection
monitoring of all endpoint devices.
NAC Server
Cisco NAC Server (NAC) assesses and enforces security
policy compliance in an appliance-based NAC deployment
environment.
PortFast
A Cisco switch feature that causes an interface configured as
a Layer 2 access port to transition from the IEEE 802.1D STP
blocking state to the forwarding state immediately, bypassing
the listening and learning states.
Port Security
A Cisco switch feature which allows an administrator to
statically specify MAC addresses for a port or to permit the
switch to dynamically learn a limited number of MAC
addresses.
Privileged Context of Execution
Provides identity authentication and certain privileges based
on the identity.
PVLAN Edge
Cisco feature, also known as Protected Port, that ensures
there is no exchange of unicast, broadcast, or multicast traffic
between specified ports on the switch.
Reference Monitor
Access control concept that refers to a mechanism or process
that mediates all access to objects. It provides a central point
for all policy decisions, typically implementing auditing
functions to keep track of access.
SAN
A Storage Area Network (SAN) is a specialized network that
enables fast, reliable access among servers and external
storage resources.
SIP
Session Initiation Protocol (SIP) is a signaling protocol widely
used for controlling communication sessions such as VoIP
sessions.
SPAN
Cisco Switched Port Analyzer copies (or mirrors) traffic
received, sent, or both on source ports or source VLANs on a
switch to a destination port on the same switch for analysis.
SPIT
Spam over Internet Telephony (SPIT) is unsolicited and
unwanted bulk messages broadcast over VoIP to the end users
of an enterprise network. In addition to being annoying,
high-volume bulk calls can significantly affect the availability and
productivity of the endpoints.
Storm Control
Cisco switch feature which prevents traffic on a LAN from
being disrupted by a broadcast, multicast, or unicast storm on
one of the physical interfaces.
Toll Fraud
Theft of long-distance telephone service by unauthorized
access to a PSTN trunk (an outside line) on a PBX or voicemail system.
Trigger
Traffic behavior that signals an intrusion or policy violation.
VACL
A VLAN ACL (VACL) is an ACL that can filter traffic at both
Layer 2 and Layer 3.
Vishing
Vishing (voice phishing) uses telephony to glean information,
such as account details, directly from users.
VLAN Hopping Attack
Attack whereby access to all VLANs is obtained by leveraging
the default automatic trunking configuration on most switches.
VSAN
A Virtual SAN (VSAN) is a collection of ports from a set of
connected Fibre Channel switches that form a virtual fabric.
Ports can be partitioned within a single switch into multiple
VSANs. Additionally, multiple switches can join any number of
ports to form a single VSAN.
WLC
A Wireless LAN Controller (WLC) handles system-wide
wireless LAN functions, such as intrusion prevention, RF
management, QoS, and mobility.
WWN
A World Wide Name (WWN) is a 64-bit address that Fibre
Channel networks use to uniquely identify each element in a
Fibre Channel network.
Zone
Partition of a Fibre Channel fabric into smaller subsets.
• Cisco Security Agent content was removed.
• Remote SPAN content was removed.
• BPDU filtering content was added.
• PVLAN Edge content was added.
• Chapter 6 is a fairly even combination of theory and practice.
• This chapter covers the gamut of network security options for Cisco
Layer 2 switches (e.g., Catalyst 2960), so it is quite a handful for
students – if time permits, take your time on the content. The other nine
chapters in this course are focused on security features on Cisco routers.
• Be sure to download the appropriate images for the switches in your lab
environment. If it is at all possible, use the same images as are
recommended in the lab: Cisco IOS Release 12.2(46)SE,
C2960-LANBASEK9-M image. It is frustrating to students when commands
that are key to completing the lab are not present.
• If 3550 or 3560 switches are used, keep in mind there will be some
subtle differences in the implementations, but for the most part they will
coincide with the configuration sequences for Catalyst 2960 switches.
Remember that when you configure trunking on 3550 and 3560
switches, both ISL and IEEE 802.1Q trunking are supported, so an extra
command is required each time you configure a trunk port.
• The 2960 switches support Auto-MDIX, so you do not have to spend
time checking whether a cable is straight-through or cross-over.
• There is GUI-based software for configuring Catalyst switches from your
PC web browser, called Cisco Network Assistant. The course does not
discuss this option, but it is well worth exploring. Students going into the
industry would benefit from being basically familiar with this software.
– It can be downloaded at
http://www.cisco.com/cisco/software/release.html?mdfid=279963505&flowid=2550&softwareid=280775097&release=5.7.0&rellifecycle=&relind=AVAILABLE&reltype=latest
(Cisco.com account required.)
• The recent 12.2.x and 15.x Cisco IOS images for the 2960 switches
include a LAN Base version and a LAN Base with Web-based
Development Manager option. The latter image provides another
GUI-based option for switch configuration not covered in the course; again, it
is useful for students to explore this option; students will learn how to
extract archives on the switches in the process. Note that there is a
/force /recursive option for deleting files and folders that is VERY useful.
• The lab for this chapter uses Wireshark network analyzer and
SuperScan (optional). It is truly worthwhile to have the SuperScan
software installed on the PCs – the portions of the lab utilizing
SuperScan are very informative.
• If you use NetLab to do the lab, be sure that your virtual machines
have network adapters configured in the promiscuous mode;
otherwise, the SPAN portion of the lab will not work correctly!
• Be sure that students try different terminal emulation programs
over time. It is professionally to their advantage to be familiar with
the various options. Often they are surprised to find how
user-friendly different emulation software is compared to what they are
accustomed to using.
• Time permitting, have the students try the macof program or other
simple Layer 2 “hacking” software in a secure environment.
• Compare and contrast the security features on the Catalyst
switches and those on the ISRs. The fact that nine chapters of
this course focus on routers and one on switches is not a
coincidence!
• Compare and contrast considerations relating to securing Layer 2
protocols with those relating to securing Layer 3 protocols.
• Compare the portions of the Internet comprised of Layer 2 LAN
switches versus that comprised of Layer 3 networking devices.
How does the answer affect the way security is implemented?
• Along the border of the Layer 2-to-Layer 3 exchange, what
protocols are in play and what security considerations are specific
to this crossover?
• Nowadays, it is common to install a switch module in a router and
it is common for a switch to include a router processor. So in a
way, most switches are routers and most routers are switches.
How do routers and switches differ?
• There is a clear trend toward pushing Layer 3 down to the user as
a result of the decreasing cost for Layer 3 switches. The day will
come when all switches are Layer 3 switches. Does this imply
that VLANs will be unnecessary at some point? What are the
implications of every port on every switch being configurable as a
routed port?
• Is it easier to configure security in the Layer 2 domain or in the
Layer 3 domain? Is network security more deterministic in a pure
Layer 3 environment?
• What are the implications for Layer 2 security in the Borderless
Network, with mobile devices pervading the network space?
• What devices require Layer 2 security solutions?
• What are some security policies specific to the Layer 2
environment? What are some rules that should be enforced?
• Several topics in the course do not have hands-on components to
them, such as IronPort, Network Admission Control, wireless
security, VoIP security, and SAN security. Ask the students to
research one or more of these areas to gain a more applied
understanding of these topics. If possible, arrange for site visits
where some of these solutions are implemented.
• One of the easiest ways to optimize LAN security is ensuring that all
VLANs with distinct functions are distinct. Separate the management
VLAN, the native VLAN, the default VLAN, the voice VLAN(s), and the
data VLAN(s). Configure trunk links to support only the necessary
VLANs.
• Modern campus switched network design has Layer 2 switches only at
the edge of the network, each with a redundant uplink, with only two or
three VLANs per switch and with no Layer 2 loops possible (think about
how this is mapped out). So technically STP is not required. It is a best
practice to always ensure that STP remains enabled on the switches,
just in case someone inadvertently creates a physical loop as a result of
moving cables about in the wiring closet.
• There are only a handful of security features available at Layer 2. Almost
all of these should be implemented to optimize network security. Upon
first exposure, the number of Layer 2 security options might be a bit
overwhelming. Be sure to reassure students that they do not need to
master them all the first time around and that, in the scheme of things, the
gamut of security options at Layer 2 is quite tractable.
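
One way to check a saved switch configuration against the recommendations above (pruned trunks, a native VLAN other than the default VLAN, STP left enabled), as an added example that is not part of the Cisco course material. The sample configuration, interface names and VLAN numbers are constructed, and the DTP and BPDU guard checks draw on the chapter's glossary entries rather than on this slide.

```python
# Constructed sample running-config; interface and VLAN numbers are assumptions.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/2
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20
!
interface FastEthernet0/5
 switchport mode access
 spanning-tree portfast
!
no spanning-tree vlan 20
"""

def parse(config):
    """Split a running-config into {interface: [sub-commands]} and global lines."""
    interfaces, global_lines, current = {}, [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            if line.strip() not in ("", "!"):
                global_lines.append(line.strip())
    return interfaces, global_lines

def audit(config):
    """Return sorted (location, finding) pairs for trunk, PortFast and STP settings."""
    interfaces, global_lines = parse(config)
    guard_default = "spanning-tree portfast bpduguard default" in global_lines
    findings = []
    for name, cmds in interfaces.items():
        if "switchport mode trunk" in cmds:
            if not any(c.startswith("switchport trunk allowed vlan ") for c in cmds):
                findings.append((name, "trunk not pruned: all VLANs allowed"))
            native = [c.split()[-1] for c in cmds
                      if c.startswith("switchport trunk native vlan ")]
            if native in ([], ["1"]):
                findings.append((name, "native VLAN left on default VLAN 1"))
            if "switchport nonegotiate" not in cmds:
                findings.append((name, "DTP negotiation not disabled"))
        elif "spanning-tree portfast" in cmds and not (
                guard_default or "spanning-tree bpduguard enable" in cmds):
            findings.append((name, "PortFast enabled without BPDU guard"))
    findings += [("global", "STP disabled on VLAN " + line.split()[-1])
                 for line in global_lines if line.startswith("no spanning-tree vlan ")]
    return sorted(findings)

if __name__ == "__main__":
    for location, finding in audit(SAMPLE_CONFIG):
        print(f"{location}: {finding}")
```

Students can paste the output of `show running-config` from a lab switch into `SAMPLE_CONFIG` and compare the findings before and after Part 3 of the lab.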
• http://en.wikipedia.org/wiki/LAN_switching
• http://www.cisco.com/cisco/software/type.html?mdfid=279963505&flowid=2550
• http://www.nsa.gov/ia/_files/switches/switch-guide-version1_01.pdf
• http://www.ciscopress.com/bookstore/product.asp?isbn=1587052563
• http://www.cisco.com/en/US/customer/docs/switches/lan/catalyst2960/software/release/12.2_25_fx/command/reference/2960cr.html
• http://www.cisco.com/en/US/customer/docs/switches/lan/catalyst2960/software/release/12.2_25_fx/configuration/guide/2960scg.html