CCNA Security 06
Lesson Planning
This lesson should take 3-4 hours to present. The lesson should include lecture, demonstrations, discussions and assessments. The lesson can be taught in person or using remote instruction.
Major Concepts
Describe endpoint vulnerabilities and protection methods
Lesson Objectives
Upon completion of this lesson, the successful participant will be able to:
1. Describe endpoint security and the enabling technologies
2. Describe how Cisco IronPort is used to ensure endpoint security
3. Describe how Cisco NAC products are used to ensure endpoint security
4. Describe how the Cisco Security Agent is used to ensure endpoint security
5. Describe the primary considerations for securing the Layer 2 infrastructure
6. Describe MAC address spoofing attacks and MAC address spoofing attack mitigation
2009 Cisco Learning Institute.
7. Describe MAC address table overflow attacks and MAC address table overflow attack mitigation
8. Describe STP manipulation attacks and STP manipulation attack mitigation
9. Describe LAN storm attacks and LAN storm attack mitigation
10. Describe VLAN attacks and VLAN attack mitigation
11. Describe how to configure port security
12. Describe how to verify port security
13. Describe how to configure and verify BPDU Guard and Root Guard
14. Describe how to configure and verify storm control
17. Describe the best practices for Layer 2
18. Describe the fundamental aspects of enterprise security for advanced technologies
19. Describe the fundamental aspects of wireless security and the enabling technologies
20. Describe wireless security solutions
21. Describe the fundamental aspects of VoIP security and the enabling technologies (Reference: CIAG course on VoIP security.)
22. Describe VoIP security solutions
23. Describe the fundamental aspects of SAN security and the enabling technologies
24. Describe SAN security solutions
[Figure: enterprise network. Perimeter: Internet, Firewall, VPN, IPS, IronPort. Inside: MARS, ACS, Hosts, Web Server, Email Server and DNS on the LAN.]
Threat Protection
Based on three elements:
- Cisco Network Admission Control (NAC)
- Endpoint protection
- Network infection containment
Indirect
[Figure: indirect attack. The attacker's caption reads: "I have gained access to this system which is trusted by the other system, allowing me to access it."]
Cisco NAC
IronPort C-Series
[Figure: before IronPort, mail from the Internet passes the firewall and then separate DLP scanner, antispam, antivirus, policy enforcement, mail routing and DLP policy manager functions before reaching groupware and users; after IronPort, the C-Series appliance takes over these functions between the firewall and the groupware servers.]
IronPort S-Series
[Figure: before IronPort, web traffic from the Internet passes the firewall and a separate policy management function before reaching users; after IronPort, the S-Series appliance sits between the firewall and the users.]
Cisco NAC
The purpose of NAC:
- Allow only authorized and compliant systems to access the network
- Enforce network security policy

NAC Framework
- Software module embedded within NAC-enabled products
- Integrated framework leveraging multiple Cisco and NAC-aware vendor products

Cisco NAC Appliance
- In-band Cisco NAC Appliance solution can be used on any switch or router platform
[Figure: NAC framework flow with labels: Credentials, EAP/UDP (Cisco Trust Agent), EAP/802.1x, RADIUS, Vendor Servers (HTTPS), "Comply?", Access Rights, Notification.]
NAC Components
Cisco NAS: Serves as an in-band or out-of-band device for network access control
Cisco NAA: Optional lightweight client for device-based registry scans in unmanaged environments
Cisco NAM: Centralizes management for administrators, support personnel, and operators
Rule-set updates: Scheduled automatic updates for antivirus, critical hotfixes, and other applications
THE GOAL
[Figure: NAC Appliance flow with an Authentication Server, Cisco NAM, Cisco NAS and the Intranet/Network. Labelled steps: 2. Cisco NAS; 3. Scan is performed, via the login screen (types of checks depend on user role); 3a. Quarantine Role; 3b. Device is clean: machine gets on certified devices list and is granted access to network; 4. Access windows.]
CSA Architecture
[Figure: an administration workstation connects over SSL to the Security Policy Management Center for Cisco Security Agent (with internal or external database), which exchanges events and alerts with servers protected by Cisco Security Agent.]
CSA Overview
[Figure: an application's requests pass through the CSA network interceptor and configuration interceptor, which allow or block each request.]
CSA Functionality
[Table: matrix mapping the CSA interceptors (network interceptor, file system interceptor, configuration interceptor, execution space interceptor) to the security applications they implement: distributed firewall, host intrusion prevention, application sandbox, network worm prevention, file integrity monitor.]
Attack Phases
- Probe phase: ping scans, port scans
- Penetrate phase: transfer exploit code to target
- Persist phase: install new code, modify configuration
- Propagate phase: attack other targets
- Paralyze phase: erase files, crash system, steal data
CSA interceptors:
- File system interceptor
- Network interceptor
- Configuration interceptor
- Execution space interceptor
Layer 2 Security
[Figure: the enterprise network again, with the perimeter (Internet, Firewall, VPN, IPS, IronPort) and the inside (MARS, ACS, Hosts, Web Server, Email Server, DNS).]
OSI Model
When it comes to networking, Layer 2 is often a very weak link.
[Figure: the OSI layers Application, Presentation, Session, Transport, Network, Data Link and Physical, with an initial compromise at the Data Link layer (MAC addresses) marking the layers above it (IP addresses, protocols and ports, the application stream) as compromised.]
Layer 2 Vulnerabilities
- MAC Address Spoofing Attacks
- MAC Address Table Overflow Attacks
- STP Manipulation Attacks
- Storm Attacks
- VLAN Attacks
[Figure: a switch with Port 1 and Port 2, a host with MAC address AABBcc, and an attacker. Switch caption: "I have associated Ports 1 and 2 with the MAC addresses of the devices attached. Traffic destined for each device will be forwarded directly."]
The switch keeps track of the endpoints by maintaining a MAC address table. In MAC spoofing, the attacker poses as another host, in this case AABBcc.
[Figure: the attacker on Port 2 sends frames with source MAC address AABBcc. Switch caption: "The device with MAC address AABBcc has changed locations to Port 2. I must adjust my MAC address table accordingly."]
The switch can forward frames between PC1 and PC2 without flooding because the MAC address table contains port-to-MAC-address mappings for these PCs.
[Figure: MAC address table overflow in VLAN 10. 1. Intruder runs macof to begin sending unknown bogus MAC addresses; the switch's table fills with entries 3/25 MAC X, 3/25 MAC Y, 3/25 MAC Z. 4. Attacker sees traffic to servers B and D. Hosts C and D are also shown.]
STP builds a tree topology. STP manipulation changes the topology of a network: the attacking host appears to be the root bridge.
[Figure: a spanning tree with forwarding (F) ports, the legitimate Root Bridge, and an attacker injecting BPDUs.]
The attacking host broadcasts out STP configuration and topology change BPDUs. This is an attempt to force spanning tree recalculations.
Broadcast, multicast, or unicast packets are flooded on all ports in the same VLAN. These storms can increase the CPU utilization on a switch to 100%, reducing the performance of the network.
Storm Control
VLAN Attacks
[Figure: an attacker on VLAN 10 reaching a server on VLAN 20 across an 802.1Q trunk.]
A VLAN hopping attack can be launched in two ways:
- Spoofing DTP messages from the attacking host to cause the switch to enter trunking mode
- Introducing a rogue switch and turning trunking on
[Figure: a double-tagged 802.1Q frame carrying an inner VLAN 20 tag, forwarded from switch 1 to switch 2 over the trunk.]
The first switch strips off the first tag and does not retag it (native traffic is not retagged). It then forwards the packet to switch 2.
The second switch examines the packet, sees the VLAN 20 tag and forwards it accordingly.
Note: This attack works only if the trunk has the same native VLAN as the attacker.
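The double-tagging walk-through above, reduced to tag handling on the trunk as an added Python model (not part of the original slides and not Cisco code) to show why the note holds: the inner tag is exposed only when the trunk's native VLAN equals the attacker's access VLAN, which is exactly what the dedicated, unused native VLAN practice prevents. The function names and VLAN numbers are this example's own assumptions.

```python
# Added example (not from the slides): 802.1Q tag handling on a trunk, with a
# frame reduced to its list of VLAN tags (outer tag first). Names are my own.

def egress_trunk(tags, native_vlan):
    """Switch 1 sends a frame out its trunk. Frames belonging to the native VLAN
    leave untagged, so any extra inner tag the sender supplied is now the outer tag."""
    if tags and tags[0] == native_vlan:
        return tags[1:]
    return tags

def ingress_trunk(tags, native_vlan):
    """Switch 2 receives on its trunk. Untagged frames belong to the native VLAN;
    otherwise the outer tag decides the VLAN and anything inside it is payload."""
    if not tags:
        return native_vlan
    return tags[0]

def delivered_vlan(access_vlan, inner_tag, native_vlan):
    """VLAN in which switch 2 delivers a frame that entered switch 1 on an access
    port in access_vlan, optionally carrying an extra 802.1Q tag inner_tag."""
    tags = [access_vlan] if inner_tag is None else [access_vlan, inner_tag]
    on_wire = egress_trunk(tags, native_vlan)
    return ingress_trunk(on_wire, native_vlan)

def hop_possible(access_vlan, inner_tag, native_vlan):
    """True only if the frame ends up in a VLAN other than the one it came from."""
    return delivered_vlan(access_vlan, inner_tag, native_vlan) != access_vlan
```

With the attacker in VLAN 10 and a trunk whose native VLAN is also 10, the frame is delivered to VLAN 20; with a dedicated native VLAN (say 999) it stays in VLAN 10.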
VLAN Configuration
- Cisco Switched Port Analyzer
- Cisco Remote Switched Port Analyzer
- Best Practices for Layer 2
[Figure: port security. Port 0/1 allows MAC A, Port 0/2 allows MAC B, Port 0/3 allows MAC C; Attacker 1 and Attacker 2 are also attached.]
Port security allows an administrator to statically specify MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses.
CLI Commands
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security maximum value
Sets the maximum number of secure MAC addresses for the interface (optional)
Parameter: Description
mac-address: (Optional) Specify a secure MAC address for the port by entering a 48-bit MAC address. You can add additional secure MAC addresses up to the maximum value configured.
vlan vlan-id: (Optional) On a trunk port only, specify the VLAN ID and the MAC address. If no VLAN ID is specified, the native VLAN is used.
vlan access: (Optional) On an access port only, specify the VLAN as an access VLAN.
vlan voice: (Optional) On an access port only, specify the VLAN as a voice VLAN.
mac-address sticky [mac-address]: (Optional) Enable the interface for sticky learning by entering only the mac-address sticky keywords. When sticky learning is enabled, the interface adds all secure MAC addresses that are dynamically learned to the running configuration and converts these addresses to sticky secure MAC addresses. Specify a sticky secure MAC address by entering the mac-address sticky mac-address keywords.
maximum value: (Optional) Set the maximum number of secure MAC addresses for the interface. The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system. The active Switch Database Management (SDM) template determines this number. This number represents the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces. The default setting is 1.
vlan [vlan-list]: (Optional) For trunk ports, you can set the maximum number of secure MAC addresses on a VLAN. If the vlan keyword is not entered, the default value is used.
- vlan: set a per-VLAN maximum value.
- vlan vlan-list: set a per-VLAN maximum value on a range of VLANs separated by a hyphen or a series of VLANs separated by commas. For nonspecified VLANs, the per-VLAN maximum value is used.
Parameter: Description
protect: (Optional) Set the security violation protect mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.
restrict: (Optional) Set the security violation restrict mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred.
shutdown: (Optional) Set the security violation shutdown mode. In this mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and increments the violation counter. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands.
shutdown vlan: Set the security violation mode to per-VLAN shutdown. In this mode, only the VLAN on which the violation occurred is error-disabled.
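To make the three violation modes concrete, here is an added Python model (not Cisco code and not from the slides) of one secure access port with the maximum count, sticky learning and the protect, restrict and shutdown behaviours described above; aging is left out. The SecurePort class, its methods and the sample MAC addresses are this example's own constructions.

```python
# Added example (not Cisco code): a model of one secure access port with the
# maximum, sticky and violation-mode semantics described above. No aging.
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1               # switchport port-security maximum (default 1)
    violation: str = "shutdown"    # protect | restrict | shutdown (default)
    sticky: bool = False           # switchport port-security mac-address sticky
    static: set = field(default_factory=set)     # configured secure MACs
    learned: list = field(default_factory=list)  # dynamically learned secure MACs
    violation_count: int = 0
    errdisabled: bool = False
    log: list = field(default_factory=list)      # traps, syslog, config changes

    def secure_macs(self):
        return self.static | set(self.learned)

    def ingress(self, src_mac):
        """Return 'forward' or 'drop' for a frame arriving with this source MAC."""
        if self.errdisabled:
            return "drop"                        # err-disabled port passes nothing
        if src_mac in self.secure_macs():
            return "forward"
        if len(self.secure_macs()) < self.maximum:
            self.learned.append(src_mac)         # learn while under the limit
            if self.sticky:                      # sticky: written to running-config
                self.log.append(f"switchport port-security mac-address sticky {src_mac}")
            return "forward"
        return self._violate(src_mac)

    def _violate(self, src_mac):
        if self.violation == "protect":
            return "drop"                        # silent: no counter, no notification
        self.violation_count += 1
        if self.violation == "restrict":
            self.log.append(f"trap+syslog: violation by {src_mac} on {self.name}")
            return "drop"                        # port stays up, offender dropped
        self.errdisabled = True                  # shutdown: whole port err-disabled
        self.log.append(f"{self.name} err-disabled (psecure-violation) by {src_mac}")
        return "drop"

    def recover(self):
        """'shutdown' / 'no shutdown' or errdisable recovery: the port comes back;
        dynamic addresses must be relearned, sticky ones survive in the config."""
        self.errdisabled = False
        if not self.sticky:
            self.learned.clear()


def demo(mode):
    """Constructed traffic: two permitted hosts, an unknown MAC, then host 1 again."""
    port = SecurePort("Fa0/12", maximum=2, violation=mode, sticky=True)
    frames = ["0000.ffff.aaaa", "0000.ffff.bbbb", "dead.beef.0001", "0000.ffff.aaaa"]
    return [port.ingress(m) for m in frames], port.violation_count, port.errdisabled
```

Only shutdown mode takes the legitimate host down with the offender; protect and restrict differ solely in whether the violation is counted and reported.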
switchport port-security aging: Enables or disables static aging for the secure port or sets the aging time or type
Parameter: Description
static: Enable aging for statically configured secure addresses on this port.
time time: Specify the aging time for this port. The range is 0 to 1440 minutes. If the time is 0, aging is disabled for this port.
type absolute: Set absolute aging type. All the secure addresses on this port age out exactly after the time (minutes) specified and are removed from the secure address list.
type inactivity: Set the inactivity aging type. The secure addresses on this port age out only if there is no data traffic from the secure source address for the specified time period.
Typical Configuration
[Figure: switch S2 with PC B attached.]
CLI Commands
sw-class# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
     Fa0/12              2            0                  0         Shutdown
---------------------------------------------------------------------------
Max Addresses limit in System (excluding one mac per port) : 1024

sw-class# show port-security interface f0/12
Port Security              : Enabled
Port status                : Secure-down
Violation mode             : Shutdown
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Aging time                 : 120 mins
Aging type                 : Absolute
SecureStatic address aging : Disabled
Security Violation Count   : 0

sw-class# show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   1    0000.ffff.aaaa    SecureConfigured    Fa0/12        -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024
[Figure: an NMS receiving MAC address notifications from a switch whose CAM table holds F1/1 = MAC A, F1/2 = MAC B and F2/1 = MAC D; the MAC D entry ages out while MAC D is away from the network.]
MAC address notification allows monitoring of the MAC addresses, at the module and port level, added by the switch or removed from the CAM table for secure ports.
Configure PortFast
[Figure: a switch with a server and a workstation attached to access ports.]
Command: Description
Switch(config-if)# spanning-tree portfast: Enables PortFast on a Layer 2 access port and forces it to enter the forwarding state immediately.
Switch(config-if)# no spanning-tree portfast: Disables PortFast on a Layer 2 access port. PortFast is disabled by default.
Switch(config)# spanning-tree portfast default: Globally enables the PortFast feature on all nontrunking ports.
Switch# show running-config interface type slot/port: Indicates whether PortFast has been configured on a port.
BPDU Guard
[Figure: the Root Bridge with forwarding (F) and blocking (B) ports; the attacker sends an STP BPDU into an access port on which BPDU Guard is enabled.]
Root Guard
[Figure: the Root Bridge (Priority = 0, MAC Address = 0000.0c45.1a5d) with forwarding (F) ports; Root Guard is enabled on the port facing the attacker.]
Storm Control
- Methods
- Configuration
- Parameters
- Verifying Settings
Parameter: Description
broadcast: This parameter enables broadcast storm control on the interface.
multicast: This parameter enables multicast storm control on the interface.
unicast: This parameter enables unicast storm control on the interface.
level level [level-low]
action {shutdown|trap}

Switch# show storm-control
Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  -----------
Gi0/1      Forwarding     20 pps       10 pps       5 pps
Gi0/2      Forwarding     50.00%       40.00%       0.00%
<output omitted>
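Added Python model (not Cisco code and not from the slides) of the rising and falling threshold behaviour behind the Upper, Lower and Current columns above: filtering starts when a one-second sample exceeds the upper level and stops only when a sample falls below the lower level, with the trap and shutdown actions from the parameter list. The StormControl class, the run helper and the sample rates are constructed for this example.

```python
# Added example (not Cisco code): storm control with rising (upper) and falling
# (lower) thresholds. Each sample is the measured rate for one 1-second interval.

class StormControl:
    def __init__(self, interface, upper, lower=None, unit="%", action=None):
        self.interface = interface
        self.upper = upper                               # level level
        self.lower = upper if lower is None else lower   # level-low defaults to level
        self.unit = unit                                 # "%" or "pps"
        self.action = action                             # None = filter only, "trap", "shutdown"
        self.filtering = False
        self.errdisabled = False
        self.events = []

    def measure(self, rate):
        """Evaluate one interval; return the Filter State as 'show storm-control' would."""
        if self.errdisabled:
            return "Link Down"
        if not self.filtering and rate > self.upper:
            self.filtering = True                        # storm detected: suppress this traffic type
            self.events.append(f"storm detected on {self.interface}")
            if self.action == "shutdown":
                self.errdisabled = True                  # port goes error-disabled
                self.events.append(f"{self.interface} err-disabled (storm-control)")
                return "Link Down"
            if self.action == "trap":
                self.events.append(f"SNMP trap sent for {self.interface}")
        elif self.filtering and rate < self.lower:
            self.filtering = False                       # hysteresis: clear only below lower level
            self.events.append(f"storm cleared on {self.interface}")
        return "Blocking" if self.filtering else "Forwarding"

    def show(self, current):
        """One row in the layout of the 'show storm-control' output above."""
        fmt = (lambda v: f"{v} pps") if self.unit == "pps" else (lambda v: f"{v:.2f}%")
        if self.errdisabled:
            state = "Link Down"
        else:
            state = "Blocking" if self.filtering else "Forwarding"
        return f"{self.interface:<10}{state:<14}{fmt(self.upper):<12}{fmt(self.lower):<12}{fmt(current)}"


def run(samples, **settings):
    """Feed constructed per-second rates to a Gi0/1 policy; return states and events."""
    sc = StormControl("Gi0/1", **settings)
    return [sc.measure(r) for r in samples], sc.events
```

Note the sample that sits between the two levels (15 pps with upper 20 and lower 10) keeps the port blocking; without the lower level the filter would flap on every sample around the threshold.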
VLAN Configuration
- Mitigating VLAN Attacks
- Controlling Trunking
1. Disable trunking on all access ports.
2. Disable auto trunking and manually enable trunking.
3. Be sure that the native VLAN is used only for trunk lines and nowhere else.
Controlling Trunking
Switch(config-if)# switchport mode trunk
Traffic Analysis
[Figure: a SPAN port feeding a monitoring device (IDS, RMON probe or protocol analyzer), which raises "Intruder Alert!" on the attacker's traffic.]
A SPAN port mirrors traffic to another port where a monitoring device is connected.
Without this, it can be difficult to track hackers after they have entered the network.
CLI Commands
Switch(config)# monitor session session_number source {interface interface-id [, | -] [both | rx | tx]} | {vlan vlan-id [, | -] [both | rx | tx]} | {remote vlan vlan-id}
Switch(config)# monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate] [ingress {dot1q vlan vlan-id | isl | untagged vlan vlan-id | vlan vlan-id}]} | {remote vlan vlan-id}
[Figure: a switch with the attacker on port F0/1 and a monitoring device on port F0/2.]
Use SPAN to mirror traffic in and out of port F0/1 to port F0/2.
Overview
An RSPAN port mirrors traffic to another port on another switch where a probe or IDS sensor is connected. This allows more switches to be monitored with a single probe or IDS.
[Figure: traffic from source VLANs on several switches is carried over the RSPAN VLAN to the switch holding the probe; the attacker sits in one of the source VLANs.]
Configuring RSPAN
1. Configure the RSPAN VLAN
2960-1(config)# vlan 100
2960-1(config-vlan)# remote-span
2960-1(config-vlan)# exit
[Figure: switches 2960-1 and 2960-2.]
show monitor [session {session_number | all | local | range list | remote} [detail]] [ | {begin | exclude | include} expression]
Best Practices
- Layer 2 Guidelines
- VLAN Practices
Layer 2 Guidelines
- Manage switches in as secure a manner as possible (SSH, out-of-band management, ACLs, etc.)
- Set all user ports to non-trunking mode (except if using Cisco VoIP)
- Use port security where possible for access ports
- Enable STP attack mitigation (BPDU guard, root guard)
- Use Cisco Discovery Protocol only where necessary; with phones it is useful
- Configure PortFast on all non-trunking ports
- Configure root guard on STP root ports
- Configure BPDU guard on all non-trunking ports
VLAN Practices
- Always use a dedicated, unused native VLAN ID for trunk ports
- Do not use VLAN 1 for anything
- Disable all unused ports and put them in an unused VLAN
- Manually configure all trunk ports and disable DTP on trunk ports
- Configure all non-trunking ports with switchport mode access
Overview
- Wireless
- VoIP
- SAN
Infrastructure-Integrated Approach
- Proactive threat and intrusion detection capabilities that do not simply detect wireless attacks but prevent them
- Comprehensive protection to safeguard confidential data and communications
- Simplified user management with a single user identity and policy
- Collaboration with wired security systems
[Figure: four labelled areas: Virtualization, Security, Consolidation, Availability.]
Wireless Hacking
War driving: A neighbor hacks into another neighbor's wireless network to get free Internet access or to access information
Hacking Tools
Safety Considerations
Wireless networks using WEP or WPA/TKIP are not very secure and are vulnerable to hacking attacks. Wireless networks using WPA2/AES should have a passphrase at least 21 characters long. If an IPsec VPN is available, use it on any public wireless LAN.
If wireless access is not needed, disable the wireless radio or wireless NIC.
Fraud
[Figure: VoIP endpoints reaching the PSTN through a gateway.]
- Little or no training costs
- No major set-up fees
- Enables unified messaging
- Encryption of voice calls is supported
- Productivity increases
- Lower costs to move, add, or change
VoIP Components
[Figure: VoIP components: Cisco Unified Communications Manager (Call Agent), MCU, Cisco Unity, IP Phones, a Videoconference Station, and Router/Gateways connecting the IP Backbone to the PSTN.]
VoIP Protocols
VoIP Protocol: Description
H.323: ITU standard protocol for interactive conferencing; evolved from H.320 ISDN standard; flexible, complex
MGCP: Emerging IETF standard for PSTN gateway control; thin device control
Megaco/H.248: Joint IETF and ITU standard for gateway control with support for multiple gateway types; evolved from MGCP standard
SIP: IETF protocol for interactive and noninteractive conferencing; simpler but less mature than H.323
RTP: IETF standard media-streaming protocol
RTCP: IETF protocol that provides out-of-band control information for an RTP flow
SRTP: IETF protocol that encrypts RTP traffic as it leaves the voice device
SCCP: Cisco proprietary protocol used between Cisco Unified Communications Manager and Cisco IP phones
Threats
Reconnaissance
VoIP SPIT
If SPIT grows like spam, it could result in regular DoS problems for network administrators. Antispam methods do not block SPIT. Authenticated TLS stops most SPIT attacks because TLS endpoints accept packets only from trusted devices.
[Figure: a SPIT call announcing "You've just won an all expenses paid vacation to the U.S. Virgin Islands!!!"]
Fraud
SIP Vulnerabilities
- Registration hijacking: Allows a hacker to intercept incoming calls and reroute them.
- Message tampering: Allows a hacker to modify data packets traveling between SIP addresses.
- Session tear-down: Allows a hacker to terminate calls or carry out VoIP-targeted DoS attacks.
[Figure: SIP user agents and SIP servers/services: registrar, location database and SIP proxy.]
Using VLANs
[Figure: an IP phone (10.1.110.3) on voice VLAN 110 and a desktop PC (171.1.1.1) on data VLAN 10 reach switch port 5/1 over an 802.1Q trunk.]
- Creates a separate broadcast domain for voice traffic
- Protects against eavesdropping and tampering
- Renders packet-sniffing tools less effective
- Makes it easier to implement VACLs that are specific to voice traffic
Using VPNs
- Use IPsec for authentication
- Use IPsec to protect all traffic, not just voice
- Consider SLA with service provider
- Terminate on a VPN concentrator or large router inside of firewall to gain these benefits: performance, reduced configuration complexity, managed organizational boundaries
[Figure: an SRST router at the remote site connected over the IP WAN to the telephony servers.]
Overview
[Figure: an IP network alongside a SAN.]
SAN: Specialized network that enables fast, reliable access among servers and external storage resources
Zoning Operation
- Zone members see only other members of the zone.
- Zones can be configured dynamically based on WWN.
- Devices can be members of more than one zone.
- Switched fabric zoning can take place at the port or device level: based on physical switch port, based on device WWN, or based on LUN ID.
[Figure: an example of zoning with Host1, Host2 and Disk1 to Disk4 spread over ZoneA, ZoneB and ZoneC on the SAN. Note that devices can be members of more than one zone.]
Security Focus
- SAN Protocol Target Access
- Fabric Access
- IP Storage Access
- SAN Management
Three main areas of vulnerability:
1. Disruption of switch processing
VSANs
Relationship of VSANs to Zones
[Figure: physical topology with VSAN 2 and VSAN 3, zones ZoneA to ZoneD, hosts Host1, Host2 and Host4, and disks Disk1 to Disk4.]
Two VSANs, each with multiple zones. Disks and hosts are dedicated to VSANs, although both hosts and disks can belong to multiple zones within a single VSAN. They cannot, however, span VSANs.