CCNA Security


CCNA SECURITY

Topics to be covered
1. Network Foundation Protection
2. Management Plane Protection
3. Data Plane Protection
4. Control Plane Protection
5. Zone-based Firewall
6. Firewall Fundamentals
7. Basic Firewall Policies on Cisco ASA
8. Fundamentals of VPN Technology and Cryptography
9. Fundamentals of IP Security
10. Implementing IPSEC Site-to-Site VPN
11. Implementing SSL VPN
12. Securing Layer 2 Technologies
13. Cisco IPS/IDS Fundamentals
14. Bring Your Own Device
15. Mitigation Technologies for E-mail-Based and Web-based Threats
What is Network Security?
Network security is the process of taking physical and software preventive measures to protect the networking infrastructure from unauthorized access, misuse, malfunction, modification, destruction, or improper disclosure, thereby creating a secure platform for computers and users.
What approach should be followed to protect the network?
A layered approach
Before starting, you should be familiar with the well-known ports and protocol numbers.
Principles of Security: The CIA Model
Confidentiality
Prevents unauthorized disclosure of sensitive information.
When it comes to security, confidentiality is perhaps the most obvious aspect of the CIA triad.
Cryptography and encryption methods are examples of attempts to ensure the confidentiality of data transferred from one computer to another.
Integrity
Prevents unauthorized modification of data, systems, and information.
If your data has integrity, you can be sure that it is an accurate and unchanged representation of the original secure information.
A common attack on integrity is the man-in-the-middle attack.
Availability
Prevents loss of access to resources and information, ensuring that information is available for use when it is needed.
Denial of service (DoS) is one of several types of security attack that attempts to deny access to a particular service.
Network Foundation Protection
All about breaking the infrastructure down into smaller components and systematically focusing on how to secure each of those components.
Broken down into three basic planes:
1. Management Plane
2. Control Plane
3. Data Plane
Management Plane:
Includes all the protocols and traffic that an administrator uses between the workstation and the router or switch.
An example is a remote management protocol such as SSH.
Control Plane:
Includes all the protocols and traffic that the network devices use on their own, without direct interaction with an administrator.
An example is a routing protocol.
It can be said to include all the traffic that is processed by the device CPU.
Data Plane:
Includes all the traffic that is being forwarded through the network.
Represents the traffic that is switched or forwarded by the network device between the client and the server.
Securing the Management Plane:
Control interactive access.
Enforce a password policy, including features such as a maximum number of login attempts and a minimum password length.
Implement role-based access control.
Use AAA services with the local database and with an ACS server.
Control which IP addresses are allowed to initiate management sessions with the network device.
Keep accurate time across all network devices, for example with secure (authenticated) NTP.
Interactive Access Methods:
• Used to gain access to a device for administrative purposes.
Three basic methods:
• Console port, VTY ports, auxiliary port
1. Console Port
• Default access method for device management and configuration.
• By default, it is not password protected.
• No exec-timeout is set.
2. VTY Ports:
• IOS can support multiple remote sessions, each serviced by a logical vty line.
• Can support up to 100 vty lines, depending on the IOS version.
• By default, five lines (0 to 4) are available, selected with the line vty 0 4 command.
• By default, they are not password protected.
• No exec-timeout is set.
• An ACL can optionally be applied to further restrict access to authorized users.
Passwords:
A password is a protected string of characters that is used to authenticate a user.
Three types of password protection scheme exist in Cisco IOS:
1. Clear-text passwords:
Most insecure, because they have no encryption.
Passwords are viewable in the device configuration in clear text.
2. Type 7 passwords:
• Use the Cisco proprietary encryption algorithm and are known to be weak (easily reversed).
• Used by the enable password, username ... password, and line password commands.
3. Type 5 passwords:
Use the MD5 hashing algorithm (one-way hash).
Used by the enable secret and username ... secret commands.
Strong Passwords:
At least eight to ten characters.
Include a combination of letters (uppercase and lowercase), numbers, and special symbols.
Use a passphrase to create a strong password, for example:
How many times do I need to change my password? = hmtd!n2cmp?
The service password-encryption command is used to encrypt (type 7) all the clear-text passwords in the configuration.
The security passwords min-length command is used to set the minimum character length for all passwords.
The login block-for command is used to set the authentication failure rate (block logins for a period after a number of failed attempts).
Privilege Levels:
Cisco IOS provides 16 privilege levels, ranging from 0 to 15.
By default, three predefined levels are enabled:
1. Privilege level 0 includes the disable, enable, exit, help, and logout commands.
2. Privilege level 1 is User EXEC mode. This is the normal level on Telnet and includes all user-level commands at the Router> prompt.
3. Privilege level 15 is Privileged EXEC mode (enable mode). It includes all enable-level commands at the Router# prompt.
Key points:
Excluding a command from a privilege level is not possible.
A higher privilege level always inherits all the commands of the lower levels.
Role-Based Access Control:
Implemented either via the CLI (parser views) or via a GUI (ACS server).
Parser View:
Works like a privilege level.
Only one parser view is configured by default, the root view, which is equivalent to privilege level 15.
To create a parser view:
1. Make sure you are logged in to the root view.
2. AAA must be enabled with the aaa new-model command.
3. An enable password for level 15 must be configured.
Overcomes the limitations of privilege levels:
1. Excluding a command is possible.
2. A parser view does not inherit any command from another parser view.
AAA:
1. Authentication: who is the user (identity)
2. Authorization: what can the user do (services)
3. Accounting: what did the user do (audit)
AAA can be used in two ways:
1. Local database
2. AAA server
Two authentication protocols are used when an AAA server is deployed:
1. RADIUS
2. TACACS+
Simple Network Management Protocol
An application layer protocol that provides communication between an SNMP manager and an SNMP agent.
Provides a standardized framework that is used for monitoring and managing devices in the network.
The SNMP framework consists of three parts:
1. SNMP Manager:
Can be any machine that can send query requests to SNMP agents.
2. SNMP Agent:
Responsible for gathering information about the local system and storing it in a format that can be queried.
3. Management Information Base (MIB):
• A database that follows a standard that managers and agents understand and use to communicate with each other.
Main SNMP message types:
1. Get
• Used to retrieve information from an SNMP agent.
2. Set
• Used to set variables in a managed device or to trigger an action on a managed device.
3. Trap
• An unsolicited message sent from the SNMP agent to the SNMP manager (server).
SNMP protocol versions (v1, v2, v3)
• SNMP v1 and v2 use a community string for authentication (no real security).
• SNMP v3 provides secure communication using users and groups.
SNMPv3 security levels:
1. noAuthNoPriv: no authentication, no privacy
2. authNoPriv: authentication using HMAC with MD5 or SHA, but no encryption
3. authPriv: authentication using MD5 or SHA and encryption using the DES algorithm
Network Time Protocol:
Designed to synchronize time on machines.
Uses UDP port 123 for communication.
Uses the concept of a stratum number to describe how many NTP hops away a machine is.
NTP will never synchronize its time to a machine that is not in turn synchronized.
NTP is disabled on all interfaces by default.
NTP authentication should be used; it is the client that authenticates the NTP server.
Protecting the Data Plane
• ACLs used for filtering
• IOS firewall (ZBF)
• TCP intercept
• Unicast Reverse Path Forwarding (uRPF)
Firewall Methodologies
• Stateful inspection, application inspection, packet filtering, application layer gateway, transparent firewall
IOS-Based Firewall:
1. Reflexive access lists
2. Context-Based Access Control (CBAC)
3. Zone-based firewall (ZBF)
Zone-based Firewall:
• Introduced in Cisco IOS Software Release 12.4(6)T.
• Added to overcome the limitations of CBAC.
• The limitation was that all traffic passing through an interface was subjected to the same inspection policy.
Zone-based Firewall
Features of ZBF:
• Stateful inspection, packet filtering, URL filtering, transparent firewall
Steps to configure a Zone-based Firewall:
1. Define zones
2. Define zone-pairs
3. Define class-maps
4. Define policy-maps
5. Apply the policy-map to the zone-pair
6. Assign interfaces to zones
Zone:
A zone is a logical area where devices with a similar trust level reside.
The most commonly defined zones are DMZ, INSIDE, and OUTSIDE.
Self Zone:
The only default zone configured on the router.
Includes all traffic that is directed to the device itself.
Self zone traffic behavior (figure)
Inter- and intra-zone traffic behavior (figure)
Cisco uses the Cisco Common Classification Policy Language (C3PL).
Three primary components:
1. Class-map:
Must be of type inspect in ZBF.
Used to identify traffic (match protocol and match ACL).
Match-all vs. match-any.
2. Policy-map:
Used to define the action taken on each class-map.
Multiple class-maps can be called into a single policy-map, with a different action for each class-map.
3. Service policy:
The policy-map is applied here, to a zone-pair.
A zone-pair represents a unidirectional flow of traffic between two zones.
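The following is an added example, not Cisco code and not part of the original slides: a small Python model of how a zone-based firewall evaluates traffic with the C3PL components above. The zone names, interface names, class-maps and addresses are constructed for the example. The rules it encodes follow the slides: intra-zone traffic passes, a zone member cannot talk to a non-member, inter-zone traffic needs a zone-pair (unidirectional) whose policy-map decides, class-default drops, the self zone passes when no zone-pair names it, and inspect creates session state so that return traffic is permitted.

```python
"""Toy model of Cisco IOS Zone-Based Firewall (ZBF) policy evaluation.

Added example: the data structures are this script's own, not an IOS API.
It models class-maps of type inspect (match-any / match-all over
'match protocol' and a source-prefix ACL), a policy-map that assigns
inspect / pass / drop to each class, and unidirectional zone-pairs.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

Packet = dict   # constructed packet: {"src", "dst", "proto", "in_if", "out_if"}
Match = Callable[[Packet], bool]


def match_protocol(proto: str) -> Match:
    """Equivalent of 'match protocol <name>' in a class-map type inspect."""
    return lambda p: p["proto"] == proto


def match_source(prefix: str) -> Match:
    """Equivalent of 'match access-group' with a single permit on a source prefix."""
    net = ipaddress.ip_network(prefix)
    return lambda p: ipaddress.ip_address(p["src"]) in net


@dataclass
class ClassMap:
    name: str
    match_any: bool                 # True = match-any, False = match-all
    statements: List[Match]

    def matches(self, p: Packet) -> bool:
        hits = [s(p) for s in self.statements]
        return any(hits) if self.match_any else all(hits)


@dataclass
class PolicyMap:
    name: str
    classes: List[Tuple[ClassMap, str]]     # (class-map, "inspect"|"pass"|"drop"), in order
    default_action: str = "drop"            # class-default


@dataclass
class Zbf:
    membership: Dict[str, str]                      # interface -> zone ("self" is built in)
    zone_pairs: Dict[Tuple[str, str], PolicyMap]    # (source zone, destination zone) -> policy
    sessions: Set[Tuple[str, str, str]] = field(default_factory=set)   # state created by inspect

    def evaluate(self, p: Packet) -> Tuple[str, str]:
        """Return (action, reason) for one packet, updating session state on inspect."""
        # Return traffic of an inspected session is allowed without a zone-pair.
        if (p["dst"], p["src"], p["proto"]) in self.sessions:
            return "pass", "return traffic of inspected session"
        src_zone = self.membership.get(p["in_if"])
        dst_zone = self.membership.get(p["out_if"])
        if src_zone is None and dst_zone is None:
            return "pass", "neither interface is a zone member"
        if src_zone is None or dst_zone is None:
            return "drop", "zone member to non-member is always dropped"
        if src_zone == dst_zone:
            return "pass", "intra-zone traffic is permitted by default"
        policy = self.zone_pairs.get((src_zone, dst_zone))
        if policy is None:
            if "self" in (src_zone, dst_zone):
                return "pass", "self zone traffic is permitted when no zone-pair exists"
            return "drop", "no zone-pair between the zones: inter-zone default is deny"
        for cmap, action in policy.classes:
            if cmap.matches(p):
                if action == "inspect":
                    self.sessions.add((p["src"], p["dst"], p["proto"]))
                return action, f"class {cmap.name} in policy-map {policy.name}"
        return policy.default_action, f"class-default in policy-map {policy.name}"


def pkt(src: str, dst: str, proto: str, in_if: str, out_if: str) -> Packet:
    return {"src": src, "dst": dst, "proto": proto, "in_if": in_if, "out_if": out_if}


def build_example() -> Zbf:
    """Constructed topology: INSIDE (g0/0, g0/3), OUTSIDE (g0/1), DMZ (g0/2)."""
    web = ClassMap("WEB", match_any=True,
                   statements=[match_protocol("http"), match_protocol("https")])
    ping = ClassMap("PING-FROM-LAN", match_any=False,
                    statements=[match_protocol("icmp"), match_source("10.0.0.0/8")])
    in_to_out = PolicyMap("IN-TO-OUT", classes=[(web, "inspect"), (ping, "inspect")])
    return Zbf(membership={"g0/0": "inside", "g0/3": "inside", "g0/1": "outside",
                           "g0/2": "dmz", "self": "self"},
               zone_pairs={("inside", "outside"): in_to_out})


if __name__ == "__main__":
    fw = build_example()
    for p in (pkt("10.1.1.5", "203.0.113.9", "http", "g0/0", "g0/1"),
              pkt("203.0.113.9", "10.1.1.5", "http", "g0/1", "g0/0"),   # reply
              pkt("203.0.113.9", "10.1.1.7", "http", "g0/1", "g0/0"),   # unsolicited
              pkt("10.1.1.5", "203.0.113.9", "telnet", "g0/0", "g0/1")):
        print(p["proto"], p["in_if"], "->", p["out_if"], *fw.evaluate(p))
```

Note that only the inspect action records a session; a class with the pass action lets the packet through but does not create state, so the reply direction would need its own zone-pair.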
Cisco ASA
Firewall:
A firewall is a hardware or software solution implemented within the network to enforce security policies by controlling network access.
A firewall is often seen as the first step towards a network security solution.
Software firewalls have an underlying dependency on the OS they run on.
Hardware firewalls should be used, as they are robust and built specifically for the purpose of firewalling.
ASA Hardware Family (figure)
ASA Features and Services
1. Packet filtering
• Implemented with access lists.
• Supports both standard and extended access lists.
2. Stateful filtering
• Maintains the state of packets passing through the ASA in order to allow reply traffic.
3. Application inspection
• The ASA can listen to the conversation between devices on one side and devices on the other side and pay attention to the application layer information.
• FTP is an example.
4. Network Address Translation (NAT)
5. DHCP
• Can act as a DHCP server, a DHCP client, or both.
6. Routing
• Supports routing protocols.
• Also supports static routing.
7. Layer 3 or Layer 2 implementation
Can be implemented in routed mode or transparent mode.
8. VPN support
Can operate as the head-end or remote-end device for VPN tunnels.
Site-to-site VPN, remote-access VPN
9. High availability
10. AAA support
11. Modular Policy Framework (MPF)
12. Security contexts
Firewall modes
1. Routed firewall mode
2. Transparent firewall mode
Routed firewall mode:
Default mode of the Cisco ASA.
The ASA is considered a router hop in the network.
Supports almost all ASA features, such as NAT and dynamic routing protocols.
Transparent mode:
Introduced after software version 7.0.
Can be deployed in secure bridging mode, as a Layer 2 device.
Acts like a bump in the wire and is not considered a router hop.
Static routes are only used for traffic originating from the appliance itself.
The only Layer 3 addressing required is the management IP address, which must be in the same subnet as the connected network.
Configuring an ASA interface:
1. Enable the interface with the no shutdown command.
2. Configure an IP address with the ip address command.
3. Give it a logical name with the nameif command.
4. Define a security level with the security-level command.
Security level:
• A number between 0 and 100 that defines the trustworthiness of the interface.
Default behavior of the Cisco ASA:
From a higher security level to a lower security level, everything is allowed.
From a lower security level to a higher security level, everything is denied; traffic can be permitted by applying an access list to the interface.
Same-security traffic is denied by default.
By default, the ASA inspects all TCP and UDP traffic passing through the firewall.
TCP and UDP reply traffic is always permitted back through the firewall.
Packet flow (before ASA 8.3)
Whenever a packet arrives on an ingress interface:
1. The ASA checks its connection table.
2. If it is an existing connection, the access-list and security-level checks are bypassed.
3. If it is a new connection, the TCP state of the packet is verified and the packet is processed for the access-list check.
4. The packet is processed as per the interface access list. If no access list is configured on the interface, the packet is processed as per the default behavior.
5. The packet is checked for translation against the NAT rules.
6. The packet is subjected to the inspection check.
7. The IP header information is changed as per the NAT/PAT rule.
8. The packet is forwarded to the egress interface.
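Added example, not ASA code: a Python model of the eight-step pre-8.3 packet flow above together with the security-level defaults from the previous slide. The connection table, TCP state check, interface access list, security-level comparison and a static NAT rule are modelled just far enough to see which step decides the fate of a packet; the interface names, security levels, addresses and the published web server are constructed. Note that, as in pre-8.3 code, the access list is evaluated before translation, so the outside ACL refers to the mapped address.

```python
"""Toy model of the pre-8.3 ASA ingress packet flow (added example, not ASA code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# ACE: (permit|deny, protocol|"ip", source prefix|"any", destination prefix|"any", dst port|None)
Ace = Tuple[str, str, str, str, Optional[int]]
Conn = Tuple[str, str, str, int, int]     # protocol, src, dst, sport, dport


@dataclass
class Interface:
    nameif: str
    security_level: int              # 0..100
    acl: Optional[List[Ace]] = None  # access-group ... in interface <nameif>; None = no ACL


def acl_permits(acl: List[Ace], p: dict) -> bool:
    """First matching ACE wins; implicit deny at the end."""
    def in_net(addr: str, prefix: str) -> bool:
        return prefix == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)
    for action, proto, src, dst, dport in acl:
        if (proto in ("ip", p["proto"]) and in_net(p["src"], src) and in_net(p["dst"], dst)
                and dport in (None, p["dport"])):
            return action == "permit"
    return False


@dataclass
class Asa:
    interfaces: Dict[str, Interface]
    static_nat: Dict[str, str] = field(default_factory=dict)   # real -> mapped (one-to-one)
    conns: Set[Conn] = field(default_factory=set)

    def process(self, p: dict) -> Tuple[str, str, Tuple[str, str]]:
        """Return (verdict, deciding step, (src, dst) after translation)."""
        key: Conn = (p["proto"], p["src"], p["dst"], p["sport"], p["dport"])
        unchanged = (p["src"], p["dst"])
        # Steps 1-2: existing connection bypasses ACL and security-level checks
        if key in self.conns:
            return "forward", "existing connection", unchanged
        # Step 3: a new TCP connection must start with SYN
        if p["proto"] == "tcp" and "SYN" not in p.get("flags", ()):
            return "drop", "tcp state check (no SYN for a new connection)", unchanged
        ingress, egress = self.interfaces[p["in"]], self.interfaces[p["out"]]
        # Step 4: interface ACL, or the default security-level behaviour when none is configured
        if ingress.acl is not None:
            if not acl_permits(ingress.acl, p):
                return "drop", f"access-list on {ingress.nameif}", unchanged
        elif ingress.security_level == egress.security_level:
            return "drop", "same-security-traffic denied by default", unchanged
        elif ingress.security_level < egress.security_level:
            return "drop", "lower to higher security level without access-list", unchanged
        # Steps 5-7: NAT lookup and header rewrite (static one-to-one only in this model)
        mapped_to_real = {m: r for r, m in self.static_nat.items()}
        src = self.static_nat.get(p["src"], p["src"])    # outbound: real -> mapped
        dst = mapped_to_real.get(p["dst"], p["dst"])      # inbound: mapped -> real
        # Step 8: forward; record the connection as seen on both interfaces
        self.conns.add(key)
        self.conns.add((p["proto"], dst, src, p["dport"], p["sport"]))
        return "forward", "new connection created", (src, dst)


def build_example() -> Asa:
    """Constructed firewall: inside 100, dmz 50, outside 0; one published web server."""
    outside_acl: List[Ace] = [("permit", "tcp", "any", "203.0.113.80/32", 80)]
    return Asa(interfaces={"inside": Interface("inside", 100),
                           "dmz": Interface("dmz", 50),
                           "outside": Interface("outside", 0, outside_acl)},
               static_nat={"192.168.1.80": "203.0.113.80"})


def packet(in_if, out_if, proto, src, dst, sport, dport, flags=()) -> dict:
    return {"in": in_if, "out": out_if, "proto": proto, "src": src, "dst": dst,
            "sport": sport, "dport": dport, "flags": flags}


if __name__ == "__main__":
    asa = build_example()
    print(asa.process(packet("inside", "outside", "tcp", "10.1.1.5", "198.51.100.7", 40000, 443, ("SYN",))))
    print(asa.process(packet("outside", "inside", "tcp", "198.51.100.7", "203.0.113.80", 50000, 80, ("SYN",))))
    print(asa.process(packet("outside", "inside", "tcp", "198.51.100.7", "203.0.113.80", 50001, 22, ("SYN",))))
```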
Access lists on the ASA
Supports two types: standard and extended access lists.
ACLs have many applications:
1. To control traffic flow and network access through the ASA
2. To identify addresses for NAT exemption or policy NAT
3. To identify traffic for AAA rules
4. To identify traffic for a class map for MPF
5. To control route redistribution
6. To define traffic for IPsec VPN encryption
Note:
• If an access list is configured on an interface, all the traffic initiated from that interface is checked against that access list.
Network Address Translation
• Performs translation of an IP address that is used within one network to a different IP address known within another network.
• Can be used for security purposes.
• Can be used for communication between overlapping subnets.
• Can be used to conserve IP addresses.
Types of NAT:
1. Dynamic NAT
2. Dynamic PAT
3. Static NAT
4. Static PAT
Dynamic NAT
• Translates a group of real (private) addresses to public IP addresses drawn from a pool of registered (public) addresses that are routable to the destination network.
• Addresses are handed out on a first-come, first-served basis.
• Used for unidirectional communication only.
• Default timeout is 3 hours and can be changed.
Dynamic PAT
• Translates a group of real (private) addresses to a single mapped IP address by using a combination of the mapped IP address and the source port number.
• Unidirectional communication only.
• Default timeout is 30 seconds and cannot be changed.
Static NAT
• Creates a fixed (one-to-one) translation of a real address to a mapped address.
• Allows bidirectional communication.
• The entry remains permanently in the NAT translation table.
Static PAT
• Similar to static NAT, with the exception that it allows specifying the Layer 4 port information for the real and mapped addresses.
• The entry remains permanently in the NAT translation table.
Policy NAT
• Similar to static NAT, but it allows defining a conditional criterion on both source and destination address to determine the address translation.
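Added example, not ASA code: a Python translation table that behaves the way the four NAT types above are described. Dynamic NAT hands out pool addresses first come, first served with the 3-hour idle timeout; once the pool is empty the model falls back to dynamic PAT on a single mapped address with the 30-second timeout (the fallback is this example's own choice); static NAT and static PAT are permanent and bidirectional. The pool, addresses, ports and timestamps are constructed; inbound() models unsolicited connections from the mapped side, not the return traffic of an existing connection.

```python
"""Toy NAT translation table with dynamic NAT, dynamic PAT, static NAT and static PAT."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Xlate:
    kind: str                       # dynamic-nat | dynamic-pat | static-nat | static-pat
    real_ip: str
    real_port: Optional[int]        # None = whole address (NAT); set for PAT entries
    mapped_ip: str
    mapped_port: Optional[int]
    bidirectional: bool
    idle_timeout: Optional[float]   # seconds; None = permanent entry
    last_used: float = 0.0


class NatTable:
    DYNAMIC_NAT_TIMEOUT = 3 * 3600.0   # slides: default 3 hours (configurable)
    DYNAMIC_PAT_TIMEOUT = 30.0         # slides: default 30 seconds (fixed)

    def __init__(self, pool: List[str], pat_ip: str) -> None:
        self.pool = list(pool)          # registered addresses handed out first come, first served
        self.pat_ip = pat_ip            # single mapped address used once the pool is empty
        self.next_port = 1024           # constructed port allocator for PAT
        self.xlates: List[Xlate] = []

    def add_static(self, real_ip: str, mapped_ip: str,
                   real_port: Optional[int] = None, mapped_port: Optional[int] = None) -> None:
        kind = "static-pat" if real_port is not None else "static-nat"
        self.xlates.append(Xlate(kind, real_ip, real_port, mapped_ip, mapped_port, True, None))

    def _expire(self, now: float) -> None:
        self.xlates = [x for x in self.xlates
                       if x.idle_timeout is None or now - x.last_used <= x.idle_timeout]

    def _free_pool_address(self) -> Optional[str]:
        in_use = {x.mapped_ip for x in self.xlates if x.kind == "dynamic-nat"}
        return next((ip for ip in self.pool if ip not in in_use), None)

    def outbound(self, real_ip: str, real_port: int, now: float) -> Tuple[str, int, str]:
        """Translate an inside (real) source; returns (mapped_ip, mapped_port, kind)."""
        self._expire(now)
        for x in self.xlates:            # reuse an existing entry: static first, then dynamic
            if x.real_ip == real_ip and x.real_port in (None, real_port):
                x.last_used = now
                return x.mapped_ip, real_port if x.mapped_port is None else x.mapped_port, x.kind
        free = self._free_pool_address()
        if free is not None:             # dynamic NAT: one pool address per real host
            x = Xlate("dynamic-nat", real_ip, None, free, None, False, self.DYNAMIC_NAT_TIMEOUT, now)
        else:                            # dynamic PAT: share pat_ip, distinguish by port
            x = Xlate("dynamic-pat", real_ip, real_port, self.pat_ip, self.next_port, False,
                      self.DYNAMIC_PAT_TIMEOUT, now)
            self.next_port += 1
        self.xlates.append(x)
        return x.mapped_ip, real_port if x.mapped_port is None else x.mapped_port, x.kind

    def inbound(self, mapped_ip: str, mapped_port: int, now: float) -> Optional[Tuple[str, int]]:
        """Translate a mapped destination back to the real host for a new inbound
        connection; None when nothing matches or the entry is unidirectional."""
        self._expire(now)
        for x in self.xlates:
            if x.mapped_ip == mapped_ip and x.mapped_port in (None, mapped_port):
                if not x.bidirectional:
                    return None
                x.last_used = now
                return x.real_ip, mapped_port if x.real_port is None else x.real_port
        return None


if __name__ == "__main__":
    t = NatTable(pool=["203.0.113.10", "203.0.113.11"], pat_ip="203.0.113.1")
    t.add_static("192.168.1.80", "203.0.113.80")
    t.add_static("192.168.1.25", "203.0.113.81", real_port=25, mapped_port=2525)
    for host in ("10.1.1.1", "10.1.1.2", "10.1.1.3"):
        print(host, "->", t.outbound(host, 40000, now=0))
    print("inbound to web server:", t.inbound("203.0.113.80", 443, now=1))
    print("inbound to dynamic mapping:", t.inbound("203.0.113.10", 22, now=1))
```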
The ASA can be configured as a DHCP server:
ASA1(config)# dhcpd address 10.0.0.101-10.0.0.132 inside
ASA1(config)# dhcpd enable inside
ASA1(config)# dhcpd dns 10.8.8.8 interface inside
ASA1(config)# dhcpd domain example.org interface inside

The ASA can be accessed via:
1. CLI: command-line interface
2. ASDM: Adaptive Security Device Manager
3. CSM: Cisco Security Manager
Using the packet-tracer command:
The packet-tracer command is used to logically check what action the ASA would take on a particular packet from a given source going to a specific destination, if it were passing through the firewall.
Virtual Private Network
Cryptography
From kryptos (hidden) + graphein (writing).
The practice and study of techniques for secure communication in the presence of third parties.
Cryptography terminology:
Encryption
The use of an algorithmic process that uses a secret key to transform plain data into a secret code.
Encryption provides a means of secure communication over an insecure communication medium.
Decryption
The reverse process of encryption, converting encrypted data back into its original form.
Plain Text
The original unencrypted data.
Cipher Text
The product of the encryption process: the data that has been encrypted.
Hash
A hash value, also known as a message digest, is a mathematically generated unique number derived from a sequence of text by applying a mathematical formula.
Cryptographic algorithms:
Three types of cryptographic algorithm:
1. Symmetric key cryptography
2. Asymmetric key cryptography
3. Hash algorithms
Symmetric key cryptography
• Also known as secret-key or pre-shared-key cryptography.
• Uses a single key for both encryption and decryption.
• The key must be known to both ends.
Symmetric key ciphers are categorized into two modes:
1. Stream cipher
2. Block cipher
Stream cipher
A symmetric cipher that encrypts the plaintext digits (bits or bytes) one by one.
The transformation of the encrypted output varies during the encryption cycle.
Block cipher
A symmetric key cipher that encrypts the plaintext in fixed-length groups of bits.
Block ciphers encrypt blocks of data by using the same key on each block.
Symmetric key cryptography is less computationally intensive and therefore much faster, especially for bulk data encryption.
Symmetric key cryptography algorithms:
1. Data Encryption Standard (DES)
2. Triple DES (3DES)
3. Advanced Encryption Standard (AES)
2. Asymmetric key cryptography
• Mostly used in PKI infrastructure.
• Uses a key pair; one key is used to encrypt the plain text and the other key is used to decrypt it.
• Two parties can communicate securely over an insecure channel without having to share a secret key.
• It is typically used in digital certificates and key management.
Examples of asymmetric algorithms:
1. RSA
• Named after Rivest, Shamir, and Adleman.
• The primary use of this asymmetric algorithm today is for authentication.
• The key length may be from 512 to 2048 bits.
2. DH
• Also known as a key-exchange protocol.
• DH is an asymmetric algorithm that allows two devices to negotiate and establish shared secret keying material (keys) over an untrusted network.
Hash algorithms
Use a mathematical formula to compute a fixed-length hash value based on the original plain text.
From a hash value, the original message cannot be reconstituted, even with knowledge of the hash algorithm.
Three commonly used hash algorithms:
1. Message Digest 5 (MD5)
Creates a 128-bit digest.
2. Secure Hash Algorithm 1 (SHA-1)
Creates a 160-bit digest.
3. Secure Hash Algorithm 2 (SHA-2)
• Additional variants of SHA: SHA-224, SHA-256, SHA-384, SHA-512
Virtual Private Network
• A VPN carries private traffic over a public network such as the Internet.
• A VPN at the network layer is transparent to intermediate network devices and independent of the network topology.
Goals of an IPsec VPN:
1. Data confidentiality
• Achieved via encryption, to protect data from eavesdropping attacks.
• Encryption algorithms include DES, 3DES, and AES.
2. Data integrity and data authentication
• Achieved by using hashing functions.
• HMAC functions include MD5 and SHA-1.
3. Anti-replay detection
• Achieved by including encrypted sequence numbers in data packets to ensure that a replay attack does not occur.
4. Peer authentication
• Peer authentication is done before transmitting the data.
• Can use either PSK or RSA.
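Added example, not Cisco code and not the ESP/AH wire format: a Python sketch of how goals 2 and 3 above are met with a keyed hash. A 4-byte sequence number plus the payload is covered by an HMAC (MD5 or SHA-1 as on the slide; SHA-256 also works), the receiver verifies the tag before anything else, and then rejects sequence numbers it has already seen or that fall behind a sliding window. The same HMAC primitive is what SNMPv3 authNoPriv uses for message authentication. The key and datagrams are constructed; in IPsec the key comes from IKE.

```python
"""HMAC-based integrity, authentication and anti-replay over a constructed datagram."""
import hashlib
import hmac
from typing import Set, Tuple


def protect(key: bytes, payload: bytes, seq: int, algo: str = "sha1") -> bytes:
    """Sender side: seq || payload || HMAC(key, seq || payload)."""
    body = seq.to_bytes(4, "big") + payload
    return body + hmac.new(key, body, algo).digest()


class Receiver:
    """Verifies the tag first, then the sequence number against a replay window."""

    def __init__(self, key: bytes, algo: str = "sha1", window: int = 64) -> None:
        self.key, self.algo, self.window = key, algo, window
        self.highest = -1              # highest sequence number accepted so far
        self.seen: Set[int] = set()

    def accept(self, datagram: bytes) -> Tuple[bool, str, bytes]:
        tag_len = hashlib.new(self.algo).digest_size
        body, tag = datagram[:-tag_len], datagram[-tag_len:]
        expected = hmac.new(self.key, body, self.algo).digest()
        if not hmac.compare_digest(tag, expected):      # constant-time comparison
            return False, "integrity/authentication failure", b""
        seq = int.from_bytes(body[:4], "big")
        if seq in self.seen or seq <= self.highest - self.window:
            return False, "replay", b""
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        return True, "ok", body[4:]


if __name__ == "__main__":
    key = b"constructed-shared-key"        # constructed; real keys come from the IKE exchange
    rx = Receiver(key)
    d = protect(key, b"hello", 1)
    print(rx.accept(d))                     # accepted
    print(rx.accept(d))                     # same datagram again: replay
    forged = bytearray(d)
    forged[4] ^= 1                          # flip one payload bit
    print(rx.accept(bytes(forged)))         # tag no longer matches
```

A plain (unkeyed) digest would not give the second goal: anyone who can alter the payload can recompute MD5 or SHA-1 over it, whereas recomputing the HMAC requires the shared key.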
Internet Security Association and Key Management Protocol (ISAKMP)
Describes the framework for key management and defines the procedures and packet formats necessary to establish, negotiate, modify, and define security associations (SAs).
IKE (Internet Key Exchange)
IKE defines a proper key exchange.
IKE defines the mechanism for creating and exchanging keys. IKE uses UDP port 500.
There are two phases in IKE:
1. Phase 1
Used to negotiate the proposal and authenticate each other.
2. Phase 2
Negotiates keying material and algorithms for the encryption of the data being transferred over the IPsec tunnel.
IKE Phase 1
Step 1: Negotiate the IKEv1 Phase 1 tunnel
• Both peers exchange their proposals.
• A proposal includes:
1. Hash algorithm: MD5 or SHA
2. Encryption algorithm: DES, 3DES, AES
3. Diffie-Hellman group: group 1, group 2, group 5
4. Authentication method: pre-shared key or RSA
5. Lifetime: lifetime of the Phase 1 tunnel
Step 2: Run the DH key exchange
• Exchange the symmetric keying material generated after running DH.
Step 3: Authenticate the peer
• Authenticate the peer using the PSK or a certificate.
These messages can be exchanged either in main mode or in aggressive mode.
IKE Phase 2 negotiates the following:
1. Protection suite
• Encapsulating Security Payload (ESP, IP protocol 50) or
• Authentication Header (AH, IP protocol 51)
2. Algorithms used
• DES, 3DES, AES, SHA
3. The network or IP traffic that is being protected, called proxy identities
To negotiate these parameters, IKE Phase 2 uses quick mode.
NAT traversal (NAT-T) performs two tasks:
1. Detects whether both ends support NAT-T
2. Detects NAT devices along the transmission path (NAT discovery)
• The NAT-Discovery payload sent is a hash of the original IP address and port.
• Devices exchange two NAT-D payloads: one with the source IP and port, another with the destination IP and port.
NAT-T encapsulates the ESP packet inside UDP and assigns both source and destination port 4500.
Perfect Forward Secrecy (PFS)
Ensures that the same key will not be generated again, by forcing a new DH key exchange.
Both peers must support PFS in order for PFS to work.
When PFS is turned on, for every Phase 2 negotiation both gateways must generate a new set of Phase 1 keys.
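Added example, not Cisco code: a Python model of the DH exchange from IKE Phase 1 step 2 and of what PFS changes in Phase 2. Two peers exchange public values to derive the Phase 1 secret (called skeyid here); the Phase 2 key is then derived either from that secret plus the exchanged nonces (no PFS) or from a fresh DH exchange (PFS). The last function shows what can be recomputed by anyone who later obtains the Phase 1 secret and the nonces seen on the wire, which is the exposure PFS removes. The group prime is the 1024-bit MODP prime of DH group 2 transcribed by hand; the key derivation function, peer names and nonces are this example's own simplifications.

```python
"""IKE-style Diffie-Hellman exchange with and without Perfect Forward Secrecy."""
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# 1024-bit MODP prime used as IKE Diffie-Hellman group 2 (RFC 2409), generator 2.
# Transcribed constant for this example; check it against the RFC before any reuse.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def dh_keypair() -> Tuple[int, int]:
    """Private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(x: int, peer_public: int) -> bytes:
    """Shared secret (peer_public)^x mod p, identical on both sides."""
    return pow(peer_public, x, P).to_bytes(128, "big")


def kdf(*parts: bytes) -> bytes:
    """Stand-in for the IKE PRF: a hash over the labelled inputs (simplification)."""
    return hashlib.sha256(b"|".join(parts)).digest()


class IkePeer:
    def __init__(self, name: str) -> None:
        self.name = name
        self.skeyid: Optional[bytes] = None
        self._p1_priv = self._p2_priv = 0

    # Phase 1: one DH exchange producing the ISAKMP SA key material
    def phase1_offer(self) -> int:
        self._p1_priv, public = dh_keypair()
        return public

    def phase1_finish(self, peer_public: int) -> None:
        self.skeyid = kdf(b"phase1", dh_shared(self._p1_priv, peer_public))

    # Phase 2 (quick mode): IPsec SA keys, with a fresh DH exchange when PFS is on
    def phase2_offer(self, pfs: bool) -> Tuple[bytes, int]:
        nonce = secrets.token_bytes(16)
        public = 0
        if pfs:
            self._p2_priv, public = dh_keypair()
        return nonce, public

    def phase2_finish(self, my_nonce: bytes, peer_nonce: bytes, peer_public: int,
                      pfs: bool) -> bytes:
        nonces = b"".join(sorted([my_nonce, peer_nonce]))
        if pfs:
            return kdf(b"phase2-pfs", self.skeyid, dh_shared(self._p2_priv, peer_public), nonces)
        return kdf(b"phase2", self.skeyid, nonces)


def run_negotiation(pfs: bool) -> Dict[str, bytes]:
    """Both sides of the exchange. Returns each side's Phase 2 key, the Phase 1
    secret, and the nonces an observer would have seen."""
    a, b = IkePeer("A"), IkePeer("B")
    pub_a, pub_b = a.phase1_offer(), b.phase1_offer()      # public values cross the wire
    a.phase1_finish(pub_b)
    b.phase1_finish(pub_a)
    nonce_a, g_a = a.phase2_offer(pfs)
    nonce_b, g_b = b.phase2_offer(pfs)
    return {"key_a": a.phase2_finish(nonce_a, nonce_b, g_b, pfs),
            "key_b": b.phase2_finish(nonce_b, nonce_a, g_a, pfs),
            "skeyid": a.skeyid,
            "nonces": b"".join(sorted([nonce_a, nonce_b]))}


def derive_without_fresh_dh(skeyid: bytes, nonces: bytes) -> bytes:
    """All that the Phase 1 secret plus the observed nonces allow anyone to compute."""
    return kdf(b"phase2", skeyid, nonces)


if __name__ == "__main__":
    for pfs in (False, True):
        r = run_negotiation(pfs)
        recovered = derive_without_fresh_dh(r["skeyid"], r["nonces"]) == r["key_a"]
        print(f"pfs={pfs}: peers agree={r['key_a'] == r['key_b']}, "
              f"key recoverable from phase-1 secret={recovered}")
```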
Public Key Infrastructure
PKI is a framework that provides a mechanism to securely issue and distribute public keys.
PKI enables the transmission of secure data over insecure public networks such as the Internet, using trusted public and private cryptographic key pairs, which are obtained through a trusted authority.
PKI provides a digital certificate that can identify an individual or an organization by binding a public key to a user.
Certificate Authority
A certificate authority (CA) is an entity that creates and issues digital certificates.
Inside a digital certificate is information about the identity of a device, such as its IP address, FQDN, and the public key of that device.
The CA takes the public key, the name, and the IP address, creates an individual digital certificate, and also signs each certificate.
Creating a Digital Signature
• A takes some data and generates a hash, then encrypts the hash with A's private key. This encrypted hash is the digital signature of A.
Root Certificate:
A root certificate contains the public key of the CA server and other details about the CA server, such as:
1. Serial number: issued and tracked by the CA that issued the certificate
2. Issuer: the CA that issued this certificate
3. Validity dates: the time window during which the certificate may be considered valid
4. Subject of the certificate: this includes the Organizational Unit (OU), Organization (O), Country (C), and other details which are commonly found in an X.500 structured directory
5. Public key: the contents of the public key and the length of the key are often both shown
6. Thumbprint: the hash of the certificate
Out-of-band management
• For a new root certificate, you could use a phone to call and ask for the hash value and compare it to the hash value you see on the certificate.
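Added example, not Cisco or CA software: a Python walk-through of the digital-signature recipe on the previous slide (hash the data, "encrypt" the hash with the private key, verify with the public key) and of the CA operation described there: bind a device's name, IP address and public key into a certificate with the fields listed above, sign it, and derive the thumbprint that an out-of-band check would compare. The RSA key uses two fixed Mersenne primes so the example runs without prime generation; that key is an assumption of the example and is far too small to be secure, and the JSON encoding stands in for DER.

```python
"""Digital signature and certificate issuance with a toy RSA key (added example)."""
import hashlib
import json
from typing import Tuple

_P, _Q = 2**127 - 1, 2**107 - 1      # toy primes, chosen for the example only

PublicKey = Tuple[int, int]          # (n, e)
PrivateKey = Tuple[int, int]         # (n, d)


def generate_keypair(e: int = 65537) -> Tuple[PublicKey, PrivateKey]:
    n, phi = _P * _Q, (_P - 1) * (_Q - 1)
    d = pow(e, -1, phi)               # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def digest(data: bytes) -> int:
    """SHA-224 digest as an integer; 224 bits fits below the 234-bit toy modulus."""
    return int.from_bytes(hashlib.sha224(data).digest(), "big")


def sign(private_key: PrivateKey, data: bytes) -> int:
    """Hash, then raise the hash to the private exponent: the signature."""
    n, d = private_key
    return pow(digest(data), d, n)


def verify(public_key: PublicKey, data: bytes, signature: int) -> bool:
    """Anyone holding the public key recovers the hash and compares it."""
    n, e = public_key
    return pow(signature, e, n) == digest(data)


def _encode(fields: dict) -> bytes:
    """Canonical encoding of the fields to be signed (stands in for DER)."""
    return json.dumps(fields, sort_keys=True).encode()


def issue_certificate(ca_private: PrivateKey, serial: int, issuer: str, subject: dict,
                      subject_public: PublicKey, valid_from: str, valid_to: str) -> dict:
    """CA side: bind identity and public key, sign, then add the thumbprint."""
    cert = {"serial": serial, "issuer": issuer, "subject": subject,
            "valid_from": valid_from, "valid_to": valid_to,
            "public_key": {"n": subject_public[0], "e": subject_public[1]},
            "signature_algorithm": "toy-RSA-with-SHA224"}
    cert["signature"] = sign(ca_private, _encode(cert))
    cert["thumbprint"] = hashlib.sha224(_encode(cert)).hexdigest()   # hash of the whole certificate
    return cert


def verify_certificate(cert: dict, ca_public: PublicKey) -> bool:
    """Relying party: recompute the thumbprint and check the CA's signature."""
    without_thumb = {k: v for k, v in cert.items() if k != "thumbprint"}
    signed = {k: v for k, v in without_thumb.items() if k != "signature"}
    thumb_ok = hashlib.sha224(_encode(without_thumb)).hexdigest() == cert["thumbprint"]
    return thumb_ok and verify(ca_public, _encode(signed), cert["signature"])


if __name__ == "__main__":
    ca_pub, ca_priv = generate_keypair()
    dev_pub, _ = generate_keypair(e=17)     # the device's own toy key (same modulus, different exponent)
    cert = issue_certificate(ca_priv, 1001, "CN=Example Root CA",
                             {"CN": "router1.example.org", "IP": "10.0.0.1"},
                             dev_pub, "2024-01-01", "2025-01-01")
    print("thumbprint:", cert["thumbprint"])
    print("valid:", verify_certificate(cert, ca_pub))
```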
Identity Certificate
Similar to a root certificate, but it describes the client and contains the public key of an individual client.
X.500 certificates
Create a hierarchical system of certificate authorities for issuing certificates. Some elements are CN, OU, and O.
Most digital certificates contain the following information:
Serial number, subject
Signature algorithm, signature
Issuer, valid from, valid to
Key usage, public key
Thumbprint algorithm
Thumbprint
Certificate revocation list
SCEP: Simple Certificate Enrollment Protocol
• A protocol used for authenticating a CA server, generating a public-private key pair, requesting an identity certificate, and then verifying the identity certificate.
• A protocol used for enrollment and other public key operations.
Revoked certificates
• A digital certificate contains information on where an updated list of revoked certificates can be obtained.
• The revoked certificates are listed based on the serial numbers of the certificates.
Three basic ways to check whether a certificate has been revoked:
1. CRL
• A list of certificates, identified by serial number, issued by a CA.
• A CRL can be accessed by several protocols, including LDAP and HTTP.
2. Online Certificate Status Protocol (OCSP):
• The client simply sends a request to find the status of a certificate and gets a response, without having to know the complete list of revoked certificates.
3. AAA
• AAA can also be used for validating certificates.
Digital certificates can be used to authenticate a web server using HTTPS, TLS, and SSL.
A simple example would be doing online banking from your PC.
PKI Topologies:
Single root CA
Only one CA server, which creates and issues the identity certificates to the clients.
Hierarchical CA with subordinate CAs
Used to increase capacity and support fault tolerance.
The root CA signs the certificate of the subordinate CA.
The root certificate is required to verify the digital certificate of the subordinate CA.
The subordinate CA's certificate is required to verify the signatures made by the subordinate CA.
SSL: Secure Sockets Layer
An SSL VPN solution offers network access at any time and from any place, thereby providing the possibility of increasing productivity.
It also offers greater flexibility for the remote workforce.
SSL is an application layer cryptographic protocol that provides secure communication over the Internet for web browsing, e-mail, instant messaging, and any other data traffic.
By default, SSL uses TCP port 443.
Comparison of SSL and IPsec VPN
SSL VPN
• Can access web-based applications, file sharing, and e-mail.
With the full AnyConnect client, all IP-based applications are available, similar to IPsec.
Enables access from any Internet-enabled computer that has a web browser.
Initiated through a web browser.
Requires no special-purpose desktop VPN client software; only a web browser is required.
Uses PKI and digital certificates for authentication of the VPN endpoints.
IPsec VPN
All IP-based applications are available to users.
The experience is like being connected to the local network.
Enables access primarily from company-managed desktops.
Initiated using preinstalled VPN client software.
Requires proprietary preinstalled client software.
Can use either PSK or PKI for authentication of the user.
Three types of SSL VPN:
1. Clientless SSL VPN
2. Clientless SSL VPN with port forwarding
3. Full AnyConnect SSL VPN client
Clientless SSL VPN
• Also known as WebVPN.
• No client required.
• Resources are accessed through a web browser.
• Traffic is proxied (PAT) by the SSL server.
• Requires SSL-capable computers.
Clientless SSL VPN with port forwarding
• Also known as thin client.
• Some applications can be run.
• Traffic is proxied (PAT) by the SSL server.
• Requires computers that support SSL and Java.
Full AnyConnect SSL VPN client
A full installation of AnyConnect is required.
Full access to the corporate network.
Clients are assigned their own virtual IP address to use while accessing the corporate network.
Requires SSL-capable computers.
VLAN HOPPING ATTACK
• An attacking host attached to the Ethernet network sends 802.1Q-tagged frames into the switched network in order to hop over VLAN boundaries.
• Two variations:
- The host runs Dynamic Trunking Protocol (DTP) to actually form a trunk link with the adjacent switch.
- The host sends frames double-tagged with 802.1Q headers.
- The outer header is padding.
- The inner header is tagged with the destination VLAN of the victim.
Mitigation
• Host-facing interfaces should not be dynamic ports.
- Manually disable DTP.
- Access ports have DTP disabled implicitly.
• Don't use VLAN 1, ever.
- Unused ports should be assigned to a designated unused VLAN.
- The native VLAN should be changed to a designated administrative VLAN.
CAM TABLE ATTACKS
• A switch's Content Addressable Memory (CAM) table associates a destination MAC address with an outgoing interface.
• If the CAM table is full, all unknown entries are treated like broadcast traffic.
• Such frames are forwarded out all ports in all VLANs except the one they were received on.
• An attacker floods frames with random source MAC addresses until the CAM table fills up.
• The switch essentially turns into a hub.
CAM table mitigation
Port Security
- Limits the number of source MAC addresses on a port.
- Limits the specific MAC addresses allowed on a port (statically defined or dynamically learned).
- Works for both access and trunk ports, but not dynamic ports.
- Err-disables the port or filters traffic if a violation occurs, and/or generates a syslog message / SNMP trap for notification.
- Once a port goes into err-disable, it does not come out unless:
a manual shutdown / no shutdown is performed, or
err-disable recovery is configured.
Violation modes
- Shutdown (default)
Sends the port to err-disable.
- Protect
Violators cannot send traffic in; the switch silently drops the traffic.
- Restrict
Violators cannot send traffic in, and the switch sends a syslog message.
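Added example, not IOS code: a Python model of one port-security-enabled switch port that applies the limits and the three violation modes above. Static and dynamically learned addresses count towards the maximum; an unknown source beyond that maximum triggers err-disable (shutdown), a silent drop (protect) or a counted drop (restrict, the event that would raise the syslog message / SNMP trap). The port names and MAC addresses are constructed, and the helper at the end replays the flood of distinct source MACs from the CAM table slide against the protected port to show how many frames get through.

```python
"""Port security violation handling as a toy model (added example, not IOS code)."""
from dataclasses import dataclass, field
from typing import Set


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # switchport port-security maximum
    violation: str = "shutdown"      # switchport port-security violation {shutdown|protect|restrict}
    static_macs: Set[str] = field(default_factory=set)     # switchport port-security mac-address
    learned: Set[str] = field(default_factory=set)
    err_disabled: bool = False
    violation_count: int = 0

    def ingress(self, src_mac: str) -> str:
        """Decide the fate of a frame by its source MAC address."""
        if self.err_disabled:
            return "drop: port err-disabled"
        secure = self.static_macs | self.learned
        if src_mac in secure:
            return "forward"
        if len(secure) < self.maximum:
            self.learned.add(src_mac)                 # dynamic learning up to the maximum
            return "forward: learned"
        # the maximum is reached and the source MAC is not a secure address
        if self.violation == "shutdown":
            self.err_disabled = True
            self.violation_count += 1
            return "err-disable"
        if self.violation == "restrict":
            self.violation_count += 1                 # counted: syslog / SNMP trap
            return "drop: restrict (syslog/trap)"
        return "drop: protect"                        # silent drop

    def recover(self) -> None:
        """shutdown / no shutdown (or errdisable recovery) clears the err-disabled state."""
        self.err_disabled = False
        self.learned.clear()


def frames_from_distinct_macs(port: SecurePort, count: int) -> int:
    """Offer `count` frames from distinct constructed source MACs; return how many were forwarded."""
    forwarded = 0
    for i in range(count):
        if port.ingress(f"02:00:00:00:{i // 256:02x}:{i % 256:02x}").startswith("forward"):
            forwarded += 1
    return forwarded


if __name__ == "__main__":
    for mode in ("shutdown", "protect", "restrict"):
        port = SecurePort("Fa0/1", maximum=2, violation=mode)
        print(mode, "forwarded:", frames_from_distinct_macs(port, 100),
              "violations:", port.violation_count, "err-disabled:", port.err_disabled)
```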
MAC Address Spoofing Attack
DHCP spoofing
DHCP Snooping
• If DHCP snooping is enabled, all the ports become untrusted.
• Listens for and intercepts DHCP traffic between client and server.
• Builds an IP-to-MAC mapping on a per-interface basis.
• The port connected to the DHCP server should be a trusted port.
• DHCP server replies are denied on all other ports.
• Additional DHCP requests are dropped on an interface that already has an IP-to-MAC binding in the snooping table.
• DHCP requests use UDP port 67 and DHCP replies use UDP port 68.
ARP spoofing
ARP SPOOFING MITIGATION
• DHCP snooping and Dynamic ARP Inspection (DAI)
DHCP snooping builds the IP-to-MAC binding table.
When ARP replies are received, the DHCP snooping table is checked to see whether the IP and MAC addresses from the ARP payload are in the table.
Malformed replies are dropped.
Static ARP entries are possible for hosts with a static IP address, e.g. the default gateway.
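Added example, not IOS code: a Python model of the two mechanisms above working together. The switch marks the DHCP-server port trusted, drops server messages (offer/ack) that arrive on untrusted ports, records the IP-to-MAC binding on the client's interface when a lease is acknowledged, and then inspects every ARP reply from an untrusted port against that binding table; a static binding covers hosts with fixed addresses such as the default gateway. Port names, MAC addresses and leases are constructed.

```python
"""DHCP snooping binding table feeding Dynamic ARP Inspection (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Binding = Tuple[str, str]     # (ip, port) recorded for a client MAC


@dataclass
class SnoopingSwitch:
    trusted_ports: Set[str]                                       # ip dhcp snooping trust
    bindings: Dict[str, Binding] = field(default_factory=dict)   # mac -> (ip, port)
    pending: Dict[str, str] = field(default_factory=dict)        # mac -> port of the DHCP request

    def dhcp(self, port: str, kind: str, client_mac: str, yiaddr: Optional[str] = None) -> str:
        """kind is discover/request (from a client) or offer/ack (from a server)."""
        if kind in ("offer", "ack"):
            if port not in self.trusted_ports:
                return "drop: DHCP server message on untrusted port"
            if kind == "ack" and client_mac in self.pending:
                self.bindings[client_mac] = (yiaddr, self.pending.pop(client_mac))
                return f"forward: binding {client_mac} -> {yiaddr}"
            return "forward"
        self.pending[client_mac] = port          # client message: remember which port it used
        return "forward"

    def add_static_binding(self, mac: str, ip: str, port: str) -> None:
        """For hosts with static addresses, e.g. the default gateway."""
        self.bindings[mac] = (ip, port)

    def arp_reply(self, port: str, sender_mac: str, sender_ip: str) -> str:
        """DAI: replies from trusted ports pass; all others must match a binding."""
        if port in self.trusted_ports:
            return "forward: trusted port"
        if self.bindings.get(sender_mac) == (sender_ip, port):
            return "forward: binding verified"
        return f"drop: DAI invalid ARP reply {sender_ip} is-at {sender_mac} on {port}"


if __name__ == "__main__":
    sw = SnoopingSwitch(trusted_ports={"Fa0/24"})
    print(sw.dhcp("Fa0/1", "request", "aa:aa:aa:aa:aa:01"))
    print(sw.dhcp("Fa0/24", "ack", "aa:aa:aa:aa:aa:01", "10.0.0.5"))
    print(sw.arp_reply("Fa0/1", "aa:aa:aa:aa:aa:01", "10.0.0.5"))   # legitimate
    print(sw.arp_reply("Fa0/1", "aa:aa:aa:aa:aa:01", "10.0.0.1"))   # claims the gateway's address
```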
BPDU Guard
Ensures that unauthorized switches cannot be plugged in to the
network
An interface running BPDU guard receives BPDU, the interface is
transitioned into err-disable state
Can be enabled either globally or on a particular interface
1. Globally
spanning-tree portfast bpduguard default
2. On interface level
 spanning-tree bpduguard enable
Root Guard
Used to protect the root bridge role in STP topology from being
taken away
In this case, if a root guard enabled interface receives a superior
BPDU, the interface is only disabled( via root-inconsistent state)
A superior BPDU carries information about the root bridge that is
better than one currently stored
Port is automatically recovered if superior BDPUs are no longer
received
Can be enabled with below interface level command
spanning-tree guard root
Loop Guard
Prevents a non-designated port (alternate or root) from becoming designated when it stops receiving BPDUs, as happens on a unidirectional link; the port is placed in loop-inconsistent state instead
Should be used on non-designated ports and ensures that these do not transition to designated
Can be enabled globally or on interface level
1. Globally
spanning-tree loopguard default
2. Interface level
spanning-tree guard loop
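The three guards placed where they belong on one switch, as an added IOS configuration example (not from the original notes). Interface roles and numbers are assumed:

```cisco
! Added example, not from the original notes: BPDU guard on edge ports,
! root guard facing downstream switches, loop guard on the uplink.
! Interface numbers and roles are assumed.
!
spanning-tree mode rapid-pvst
! Global defaults: PortFast + BPDU guard on access ports, loop guard everywhere
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree loopguard default
!
interface GigabitEthernet0/1
 description edge port - end host; a BPDU here means a rogue switch
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/23
 description toward an access switch that must never become root
 switchport mode trunk
 spanning-tree guard root
!
interface GigabitEthernet0/24
 description uplink toward the root bridge
 switchport mode trunk
 spanning-tree guard loop
!
! Root guard and loop guard are mutually exclusive on a single port:
! root guard protects against superior BPDUs arriving, loop guard
! against BPDUs stopping, so each port gets the one that fits its role.
!
! Only BPDU guard err-disables; root/loop guard recover on their own
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Verification
show spanning-tree summary
show spanning-tree inconsistentports
```

`show spanning-tree inconsistentports` is the quickest way to tell a root-guard or loop-guard block from a genuine topology change: a root-inconsistent or loop-inconsistent port is listed there, an err-disabled BPDU-guard port is not.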
Intrusion Prevention System/Intrusion
Detection System
• IPS is also known as inline mode
• IDS is also known as promiscuous mode
• The sensor is typically deployed behind (inside) the firewall, so that it inspects only traffic the firewall has already permitted; a sensor placed outside the firewall sees far more noise and generates far more alerts
• Bypass mode defaults to auto: if the sensor's analysis engine fails, inline traffic is passed through uninspected instead of being dropped
• The sensor has only one IP address, on the management (command and control) interface; sensing interfaces carry no IP address
• IPS is a device and can be deployed in IPS mode, IDS mode, or both at once on different interfaces
• An IPS can detect and prevent attacks that match its signatures or anomaly rules, whereas an IDS can only detect and generate a log or alert
• Used to prevent Layer 4 to Layer 7 attacks when a higher level of security is needed and a firewall alone is not sufficient
• The IPS is not a routing device; it is a transit device, so it behaves as a transparent bump in the wire
Types of IPS
1. Host IPS (HIPS)
Software-based IPS installed on an endpoint such as a server; Cisco's product is Cisco Security Agent (CSA)
2. Network IPS (NIPS)
A physical IPS appliance or an IPS module in a router, ASA or switch that protects a network segment
IPS interfaces
1. Management (command and control) interface
Used for remote access to the IPS
Initiates blocking connections to other devices and must be part of the management VLAN
2. Sensing interface
Used to monitor and analyse traffic
Can be configured for the various IPS deployment modes
IPS Terminology
1. True Positive: an attack occurred and the sensor alerted
2. True Negative: no attack occurred and the sensor stayed silent
3. False Positive: no attack occurred but the sensor alerted (benign traffic flagged; the signature needs tuning)
4. False Negative: an attack occurred but the sensor did not alert (the dangerous case)
Sensor deployment modes
1. Promiscuous mode
2. Inline interface pair mode
3. Inline vlan pair mode
Promiscuous mode
By default, all sensing interfaces of the IPS are in promiscuous mode
The sensor receives a copy of network traffic and checks whether each packet is malicious or genuine
Network performance is not affected by the IPS because it is not inline to the traffic flow, but the sensor can only alert (or send a TCP reset/shun) after the fact; it cannot drop the original packet
There are two ways to send a copy of network traffic to the IPS sensing ports
1. Switched Port Analyzer (SPAN)
Source and destination ports must be on the same switch
A copy of traffic sent or received on a source port or source VLAN is forwarded to a destination port
The destination port only receives the SPAN copy; it does not forward normal traffic (unless ingress forwarding is explicitly enabled)
2. Remote SPAN (RSPAN)
Used when the source and destination ports/VLANs are on different switches
A special VLAN, the RSPAN VLAN, carries the copied traffic across the trunks between the switches; it must exist on every switch in the path
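Local SPAN and RSPAN feeding a promiscuous sensing port, as an added IOS configuration example (not from the original notes). Interface numbers, the source VLAN and the RSPAN VLAN ID are assumed:

```cisco
! Added example, not from the original notes: a promiscuous sensor on Gi0/20
! fed by local SPAN, then the same sensor fed from a second switch via RSPAN.
! Interface numbers, VLAN 10 and RSPAN VLAN 999 are assumed.
!
! --- Local SPAN on the switch the sensor is attached to ---
! Copy both directions of VLAN 10 plus the ingress side of the uplink
monitor session 1 source vlan 10 both
monitor session 1 source interface GigabitEthernet0/24 rx
! Sensor port: receives copies only, forwards no normal traffic
monitor session 1 destination interface GigabitEthernet0/20
!
! --- RSPAN: source switch (no sensor here) ---
! The RSPAN VLAN must exist, with "remote-span", on every switch in the path,
! and be allowed on the trunks between them
vlan 999
 name RSPAN
 remote-span
!
monitor session 2 source interface GigabitEthernet0/1 - 8 both
monitor session 2 destination remote vlan 999
!
! --- RSPAN: destination switch (the one with the sensor on Gi0/20) ---
vlan 999
 name RSPAN
 remote-span
!
monitor session 2 source remote vlan 999
monitor session 2 destination interface GigabitEthernet0/20
!
! Verification on either switch
show monitor session all
show vlan remote-span
```

A SPAN destination port carrying several gigabit sources is oversubscribed as soon as the sum of the sources exceeds its own speed, and the switch silently discards the excess; an IDS fed that way produces false negatives without any error being logged, so check `show monitor session all` against the actual source load.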
Inline Interface Pair
In this mode the IPS is inline to the traffic
A pair of interfaces is created in this mode
Whatever traffic enters one paired interface is bridged out of the other paired interface
In this mode, VLAN tagging and untagging is not done by the IPS; 802.1Q tags pass through unchanged
Inline VLAN pair mode
The device is inline to the traffic
Only one physical interface is used; it acts as a trunk port and a pair of VLANs is created on it
Whenever traffic enters on one VLAN of the pair it is forwarded out on the other VLAN of the pair
The IPS is the one that actually rewrites the VLAN ID in the 802.1Q header, so the switch sees two separate VLANs and the sensor is the only path between them
Bring Your Own Device
Refers to the policy of permitting employees to bring personally owned mobile devices (laptops, tablets, smartphones) and use those devices to access privileged company information and applications
BYOD components
1. BYOD devices
Personal or company-owned endpoints that require access to the corporate network from anywhere (the office or any public location)
2. Wireless access point (AP)
Provides network connectivity to BYOD devices
Can be located in the corporate campus, a branch office, or a home office
3. Wireless LAN Controller (WLC)
Centralized point for configuration, management, and monitoring of the wireless LAN
Works with ISE to enforce authentication and authorization policies on each BYOD endpoint
4. Identity Services Engine (ISE)
Provides Authentication, Authorization, and Accounting (AAA) services
5. Cisco AnyConnect Secure Mobility Client
Provides connectivity for end users who need access to the corporate network
6. Integrated Services Routers (ISR)
Provide WAN and Internet access for branch offices and Internet access for home office environments
7. Aggregation Services Routers (ASR)
Provide WAN and Internet access at the corporate campus
Serve as aggregation points for all branch and home office networks connecting to the corporate campus
8. Cloud Web Security (CWS)
Provides enhanced security for BYOD endpoints while they access Internet websites using publicly available wireless hotspots
9. Adaptive Security Appliance (ASA)
Provides all security functions for BYOD at the Internet edge
Serves as the VPN termination point for mobile devices connecting over the Internet
10. RSA SecurID
Provides one-time password (OTP) generation and logon for users that access network devices and other applications
11. Active Directory
Enforces access control to the network, to servers, and to applications
12. Certificate Authority
Provides onboarding of endpoints that meet certificate requirements for access to the corporate network
Mobile Device Management
Its function is to deploy, manage, and monitor the mobile devices that make up the Cisco BYOD solution
Some of the functions include the following
1. Enforcement of a PIN lock
2. Enforcement of strong passwords
3. Detection of attempts to jailbreak or root a BYOD device, and restriction of that device's access to the network
4. Enforcement of data encryption requirements based on the organization's security policy
5. The ability to remotely wipe a stolen or lost BYOD device
MDM Deployment options
1. On-Premise MDM Deployment
2. Cloud-Based MDM Deployment
On-Premise MDM Deployment
MDM application software is installed on servers located within the corporate data center
Completely supported and maintained by the corporation's network staff
Cloud-Based MDM Deployment
MDM application software is hosted by a managed service provider
The service provider is responsible for deployment, management, and maintenance of the BYOD solution
Brings greater scalability, flexibility, and speed of deployment than an on-premise MDM solution
E-mail-Based Threats
1. Spam
Unsolicited e-mail messages that advertise a service or, typically, carry a scam or a message with malicious intent
Filter junk mail at the gateway before it is downloaded to the PC
Do not post your e-mail address in newsgroups or on web pages
2. Malware attachments
These e-mails often contain links to malicious websites or attachments containing malicious software
The subject line or body typically contains a "special one-time offer" or a "call to action" to induce the recipient to open the attachment
If an attachment has been opened, immediately disconnect the computer from the network and scan it with up-to-date antivirus software
3. Phishing
Used to acquire information such as usernames, passwords, and credit card details
Typically carried out by e-mail spoofing that directs the user to enter details on a fake website
Spear phishing
An e-mail that appears to be from an individual or business that you know, but isn't; it is from criminals who want your credit card and bank account numbers, passwords, and the financial information on your PC
These attacks specifically target executives and high-profile users within a given organization
Cisco Cloud Email Security
• Cisco Cloud Email Security is a cloud-based solution that allows companies to outsource the management of their e-mail security
• Today's e-mail security threats consist of viruses, spam, false positives, distributed denial of service (DDoS) attacks, spyware, and phishing (fraud)
• Cisco e-mail security technology blocks these threats so that companies receive only legitimate messages
Cisco Hybrid E-mail Security
This hybrid service gives customers the ability to retain access to—and visibility
of—both their on-premises and their cloud infrastructure
Cisco Hybrid Email Security simplifies the adoption of cloud services and
reduces the onsite data footprint, yet customers maintain control of
confidential information
Features supported by the Cisco ESA
Access control
Control access for inbound senders according to the sender’s IP address or
domain name
Spam filter
A program that is used to detect unsolicited and unwanted email and prevent
those messages from getting to a user's inbox
Advanced Malware Protection (AMP)
• AMP correlates files, telemetry data, and file behavior against a context-rich knowledge base to proactively defend against known and emerging threats
• Blocks malware trying to enter the network in real time
• Once a file enters the network, AMP continues to watch, analyze, and record its activity regardless of the file's initial disposition, so a file later found to be malicious can be flagged retrospectively
Data Loss Prevention (DLP)
• A strategy for making sure that end users do not send sensitive or critical information outside the corporate network
• Cisco has partnered with RSA, a leading DLP solution provider, to provide integrated DLP technology on Cisco IronPort e-mail security appliances
E-mail encryption
• If a sensitive message requires encryption, the message can be encrypted automatically using the Cisco IronPort Email Encryption feature
E-mail authentication
• To prevent authenticated users from forging the sender, ESA AsyncOS version 6.5 and later contain a message filter condition that compares the authenticated SMTP user name against the MAIL FROM address
Cisco ESA
Acts as the e-mail gateway to the organization, handling all e-mail connections, accepting messages, and relaying them to the appropriate systems
E-mail connections use Simple Mail Transfer Protocol (SMTP); by default the ESA services all SMTP connections, acting as the SMTP gateway
The Cisco ESA uses listeners to handle incoming SMTP connection requests
The following listeners can be configured
1. Public listeners for e-mail coming in from the Internet
2. Private listeners for e-mail coming from hosts in the corporate (inside) network
Cisco CWS & Cisco WSA
Cisco Cloud Web Security (CWS)
A cloud-based security service from Cisco that provides worldwide threat intelligence, advanced threat defense capabilities, and roaming user protection
Uses web proxies in Cisco's cloud environment that scan traffic for malware and enforce policy
Uses the Cisco AnyConnect Secure Mobility Client 3.0 to give remote workers the same level of security as onsite employees
Enforces and monitors web usage policies by applying real-time, rule-based filters and checking an up-to-date and accurate database that categorizes websites
Cisco Web Security Appliance (WSA)
Uses cloud-based intelligence from Cisco to help protect the organization before, during, and after an attack
Can be deployed in explicit proxy mode or as a transparent proxy using the Web Cache Communication Protocol (WCCP)
Web Cache Communication Protocol (WCCP) is a protocol designed to transparently redirect user traffic to a cache or proxy server without users having to configure proxy settings in their browsers
The WCCP client (the WSA) sends a registration announcement ("Here I Am") every 10 seconds
The WCCP server (the router or switch) accepts the registration and acknowledges it with an "I See You" message
The WCCP server waits 30 seconds (three missed announcements) before it declares the client inactive and stops redirecting traffic to it
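The router side of a transparent WSA deployment, as an added IOS configuration example (not from the original notes). Addresses, interface names, the WCCP service ID and the password are assumed; the service ID must match whatever is configured on the WSA:

```cisco
! Added example, not from the original notes: IOS router redirecting client
! HTTP/HTTPS to a WSA through WCCPv2. The WSA address 10.1.20.50, the inside
! range 10.1.0.0/16, interface names, service ID 90 and the password are assumed.
!
! Only the WSA may register as a WCCP client ("Here I Am" from anyone else is ignored)
ip access-list standard WCCP-CLIENTS
 permit 10.1.20.50
!
! What gets redirected: inside clients' web traffic, never the WSA's own
! outbound connections (otherwise the proxy's traffic loops back to itself)
ip access-list extended WCCP-REDIRECT
 deny   ip host 10.1.20.50 any
 permit tcp 10.1.0.0 0.0.255.255 any eq 80
 permit tcp 10.1.0.0 0.0.255.255 any eq 443
 deny   ip any any
!
ip wccp version 2
! Dynamic service 90 (the built-in "web-cache" service covers port 80 only);
! the password authenticates the WSA's registration messages
ip wccp 90 group-list WCCP-CLIENTS redirect-list WCCP-REDIRECT password 0 wsa-secret
!
interface GigabitEthernet0/0
 description inside (client) side: redirect on ingress
 ip address 10.1.10.1 255.255.255.0
 ip wccp 90 redirect in
!
interface GigabitEthernet0/1
 description toward the WSA: traffic coming back from the proxy must not be redirected again
 ip address 10.1.20.1 255.255.255.0
 ip wccp redirect exclude in
!
! Verification: registered clients, redirect counters, last "Here I Am" seen
show ip wccp 90
show ip wccp 90 detail
show ip wccp 90 view
```

If the WSA stops sending "Here I Am" (reboot, link failure), the router drops it after 30 seconds and, because there is no other client in the service group, simply routes client web traffic straight to the Internet uninspected; a fail-open of that kind should be a deliberate decision, and the alternative is to filter outbound 80/443 at the edge so only the WSA can reach the Internet directly.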
Securing the Control Plane
Control Plane Policing (CoPP)
Applies a single QoS policy (MQC class maps and a policy map) to all traffic punted to the route processor, i.e. traffic destined to an IP address on the router itself
Management traffic such as SSH/HTTPS can be classified and rate-limited down to a specific level, and unwanted traffic dropped, so the CPU cannot be overwhelmed
Control Plane Protection (CPPr)
A more detailed classification of the traffic that uses the route processor (RP) CPU, achieved by dividing the aggregate control-plane interface into three subinterfaces that can each carry their own policy
1. Control plane host
All control-plane IP traffic directly destined for one of the router's interfaces
Examples include management traffic and routing protocols
2. Control plane CEF exception
Non-IP or punted traffic such as CDP, Layer 2 keepalive messages, or ARP packets
3. Control plane transit
All control-plane IP traffic that is not directly destined to the router itself but is traversing the router and must be software-switched