CCNA Security: Chapter Six Securing The Local Area Network
Chapter Six
Securing the Local Area Network
7. Describe MAC address table overflow attacks and MAC address table overflow attack mitigation
8. Describe STP manipulation attacks and STP manipulation attack mitigation
9. Describe LAN storm attacks and LAN storm attack mitigation
10. Describe VLAN attacks and VLAN attack mitigation
11. Describe how to configure port security
12. Describe how to verify port security
13. Describe how to configure and verify BPDU Guard and Root Guard
14. Describe how to configure and verify storm control
15. Describe and configure Cisco SPAN
16. Describe and configure Cisco RSPAN
Figure: network diagram of the areas of concentration: the perimeter (firewall, VPN, IPS, MARS, ACS, IronPort) facing the Internet, the hosts (web server, email server, DNS) and the LAN.
Areas of concentration: securing endpoints; securing the network infrastructure; the LAN.
2009 Cisco Learning Institute. 7
Addressing Endpoint Security
Figure: endpoint security elements: policy compliance, infection containment, secure host, Cisco NAC.
Figure: IronPort E-mail Security Appliance placed between the firewall and the groupware servers; functions shown: antispam, antivirus, DLP policy manager, policy enforcement, mail routing.
Figure: IronPort S-Series web security appliance placed between the firewall and the users; functions shown: web proxy, antispyware, antivirus, antiphishing, URL filtering, policy management.
Figure: Cisco NAC components: hosts attempting network access (running the Cisco Trust Agent), network access devices acting as policy enforcement points, and a policy server (AAA server plus vendor servers) acting as the decision point. Credentials travel over EAP/UDP or HTTPS from the host, RADIUS to the policy server and EAP/802.1x on the wire; the policy server decides whether the host complies and which access rights and notification it receives.
THE GOAL: network access is blocked until the wired or wireless host provides login information.
1. Host attempts to access a web page or uses an optional client.
2. Host is redirected to a login page. Cisco NAC Appliance validates the username and password and also performs device and network scans to assess vulnerabilities on the device.
3. The host is authenticated and optionally scanned for posture compliance (the types of checks depend on the user role).
4. If the scan fails, the host is remediated.
Figure components: Cisco NAM (NAC Appliance Manager), Cisco NAS (NAC Appliance Server), authentication server, intranet/network, login screen.
Figure: Cisco Security Agent architecture. Four interceptors (file system, network, configuration and execution space) pass requests to a rules engine; a state, rules and policies store and a correlation engine return an allowed request or a blocked request. Alerts and events are reported and security policy is received over SSL.
Table (from the figure): CSA functions mapped to the interceptors that implement them. The distributed firewall uses one interceptor, host intrusion prevention and network worm prevention each use two, and the application sandbox uses three.
Attack phases (the target server is protected by Cisco Security Agent):
Probe phase: ping scans, port scans.
Penetrate phase: transfer exploit code to the target.
Persist phase: install new code, modify configuration.
Propagate phase: attack other targets.
Paralyze phase: erase files, crash system, steal data.
CSA interceptors on the protected server: file system interceptor, network interceptor, configuration interceptor, execution space interceptor.
CSA Log Messages
Figure: OSI model stack (Application, Presentation, Session, ..., Physical), with application streams at the top and physical links at the bottom; once one layer is compromised, the layers above it are shown as compromised too.
Figure: a switch with PC1 on Port 1 and PC2 on Port 2; the MAC address table maps each PC's MAC address (AABBcc in the figure) to its port.
The switch can forward frames between PC1 and PC2 without flooding because the MAC address table contains port-to-MAC-address mappings for these PCs.
MAC address table overflow attack:
1. The intruder (host C on port 3/25) runs macof to begin sending unknown bogus MAC addresses.
2. Bogus addresses (MAC X, MAC Y, MAC Z, ... all on port 3/25) are added to the CAM table. The CAM table is full.
3. The switch floods the frames.
4. The attacker sees traffic to servers B and D.
Figure: hosts A, B, C and D on VLAN 10; the CAM table fills with entries X 3/25, Y 3/25, Z 3/25 alongside the legitimate entry for host C.
STP Manipulation Attack
STP manipulation changes the topology of a network: the attacking host appears to be the root bridge.
Figure: the legitimate root bridge has priority 8192; the attacker sends STP BPDUs with priority 0 and becomes the root bridge, changing which ports are forwarding (F) and which are blocking (B).
Figure: a broadcast storm; broadcast frames are flooded out every port of every switch in the VLAN.
Broadcast, multicast, or unicast packets are flooded on all ports in the
same VLAN.
These storms can increase the CPU utilization on a switch to 100%,
reducing the performance of the network.
Figure: graph of the total number of broadcast packets or bytes over time.
Figure: 802.1Q VLANs provide segmentation, flexibility and security.
Figure: VLAN hopping by double tagging. The attacker on VLAN 10 sends a frame carrying an 802.1Q tag for VLAN 10 and a second tag for VLAN 20 toward a trunk whose native VLAN is 10; the victim server is on VLAN 20.
4. The second switch examines the packet, sees the VLAN 20 tag and forwards it accordingly.
Note: This attack works only if the trunk has the same native VLAN as the attacker.
Figure: port security on ports 0/1, 0/2 and 0/3 with MAC A and MAC F; Attacker 1 and Attacker 2.
Port security allows an administrator to statically specify MAC addresses for a port, or to permit the switch to dynamically learn a limited number of MAC addresses.
Switch(config-if)# switchport mode access
Sets the interface mode as access.
Switch(config-if)# switchport port-security
Enables port security on the interface.
Switch(config-if)# switchport port-security maximum value
Sets the maximum number of secure MAC addresses for the interface (optional).
Parameters of the switchport port-security command:
vlan vlan-id: (Optional) On a trunk port only, specify the VLAN ID and the MAC address. If no VLAN ID is specified, the native VLAN is used.
vlan access: (Optional) On an access port only, specify the VLAN as an access VLAN.
vlan voice: (Optional) On an access port only, specify the VLAN as a voice VLAN.
mac-address sticky [mac-address]: (Optional) Enable the interface for sticky learning by entering only the mac-address sticky keywords. When sticky learning is enabled, the interface adds all secure MAC addresses that are dynamically learned to the running configuration and converts these addresses to sticky secure MAC addresses. Specify a sticky secure MAC address by entering the mac-address sticky mac-address keywords.
maximum value: (Optional) Set the maximum number of secure MAC addresses for the interface. The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system. The active Switch Database Management (SDM) template determines this number. This number represents the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces. The default setting is 1.
vlan [vlan-list]: (Optional) For trunk ports, you can set the maximum number of secure MAC addresses on a VLAN. If the vlan keyword is not entered, the default value is used. vlan: set a per-VLAN maximum value. vlan vlan-list: set a per-VLAN maximum value on a range of VLANs separated by a hyphen or a series of VLANs separated by commas. For nonspecified VLANs, the per-VLAN maximum value is used.
Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}
Sets the violation mode (optional).
Switch(config-if)# switchport port-security mac-address mac-address
Enters a static secure MAC address for the interface (optional).
Switch(config-if)# switchport port-security mac-address sticky
Enables sticky learning on the interface (optional).
Violation modes:
restrict: (Optional) Set the security violation restrict mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred.
shutdown: (Optional) Set the security violation shutdown mode. In this mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and increments the violation counter. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands.
shutdown vlan: Set the security violation mode to per-VLAN shutdown. In this mode, only the VLAN on which the violation occurred is error-disabled.
Switch(config-if)# switchport port-security aging {static | time time | type {absolute | inactivity}}
Enables or disables static aging for the secure port, or sets the aging time or type.
Example: port security on switch S2, on the port facing PC B.
Switch(config-if)#
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security violation shutdown
switchport port-security mac-address sticky
switchport port-security aging time 120
Figure: the switch has a server (MAC A) on F1/1, a workstation (MAC B) on F1/2 and MAC D on F2/1. The switch CAM table holds F1/1 = MAC A, F1/2 = MAC B and F2/1 = MAC D; MAC D is away from the network, so its address ages out. SNMP traps are sent to the NMS when new MAC addresses appear or when old ones time out.
PortFast commands:
Switch(config-if)# spanning-tree portfast: Enables PortFast on a Layer 2 access port and forces it to enter the forwarding state immediately.
Switch(config-if)# no spanning-tree portfast: Disables PortFast on a Layer 2 access port. PortFast is disabled by default.
Switch(config)# spanning-tree portfast default: Globally enables the PortFast feature on all nontrunking ports.
Switch# show running-config interface type slot/port: Indicates whether PortFast has been configured on a port.
Figure: BPDU guard enabled on the port where the attacker injects STP BPDUs; the other ports keep their forwarding (F) and blocking (B) roles.
Switch(config)# spanning-tree portfast bpduguard default
Globally enables BPDU guard on all ports with PortFast enabled.
Display the State of Spanning Tree
Figure: root guard enabled on the port facing the attacker, who sends STP BPDUs with priority 0 from MAC address 0000.0c45.1234; the other ports keep their forwarding (F) and blocking (B) roles.
Switch(config-if)# spanning-tree guard root
Enables root guard on a per-interface basis.
Storm control parameters:
level bps bps [bps-low]: Specify the rising and falling suppression levels as a rate in bits per second at which traffic is received on the port. bps: rising suppression level. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for bps is reached. bps-low: (Optional) falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value.
level pps pps [pps-low]: Specify the rising and falling suppression levels as a rate in packets per second at which traffic is received on the port. pps: rising suppression level. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for pps is reached. pps-low: (Optional) falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value.
action {shutdown | trap}: The action taken when a storm occurs on a port. The default action is to filter traffic and to not send an SNMP trap. The keywords have these meanings: shutdown: disables the port during a storm; trap: sends an SNMP trap when a storm occurs.
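The following configuration is an added example and not part of the original slides: it combines the port security, PortFast/BPDU guard, root guard and storm control mitigations described above on one switch. Interface names, VLAN numbers, the recovery interval and the storm thresholds are assumptions.

```cisco
! Added example (not from the original slides). Interface names, VLAN
! numbers and thresholds are assumptions.
!
! Global: let err-disabled ports recover on their own after 5 minutes
! instead of waiting for a manual shutdown / no shutdown.
errdisable recovery cause psecure-violation
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Global: PortFast plus BPDU guard on every nontrunking port, so a BPDU
! arriving on an end-host port err-disables that port instead of being
! accepted into the spanning tree.
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
interface FastEthernet0/1
 description Workstation port
 switchport mode access
 switchport access vlan 10
 ! Port security: at most two sticky-learned addresses (PC plus phone).
 ! A third source MAC, such as the bogus ones macof generates, is a
 ! violation.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 ! restrict: drop frames from unknown sources, count the violation and
 ! send an SNMP trap, but keep the port up for the legitimate hosts.
 switchport port-security violation restrict
 ! Storm control: suppress broadcasts above 20% of link bandwidth,
 ! resume once they fall below 10%, and raise a trap rather than
 ! shutting the port down.
 storm-control broadcast level 20.00 10.00
 storm-control action trap
!
! Root guard belongs on ports that must never lead toward the root
! bridge, here a trunk to a downstream access switch (a trunk, so the
! PortFast default above does not apply). A superior BPDU received
! there puts the port into root-inconsistent state instead of moving
! the root.
interface FastEthernet0/24
 description Link to downstream access switch
 switchport mode trunk
 spanning-tree guard root
!
! Verification commands covered by the chapter:
! show port-security interface FastEthernet0/1
! show spanning-tree
! show storm-control FastEthernet0/1
```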
Figure: trunk (native VLAN = 10).
Switch(config-if)# switchport trunk native vlan vlan_number
Set the native VLAN on the trunk to an unused VLAN.
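An added example, not from the original slides, showing the trunk from the double-tagging figure before and after hardening. The interface name and the unused VLAN number 999 are assumptions.

```cisco
! Added example (not from the original slides). Interface name and the
! unused VLAN 999 are assumptions.
!
! BEFORE: native VLAN 10 is also the attacker's access VLAN, which is
! exactly the condition the note above gives for double tagging to work.
interface GigabitEthernet0/1
 ! encapsulation line needed on 3560-class switches; a 2960 only does 802.1Q
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 10
!
! AFTER: native VLAN moved to a VLAN with no access ports, trunk
! negotiation (DTP) switched off so an end host cannot talk the port
! into trunking, and only the VLANs the trunk really carries allowed.
vlan 999
 name UNUSED-NATIVE
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
! Where the platform supports it, also tag native-VLAN frames so
! nothing crosses the trunk untagged.
vlan dot1q tag native
!
! Verify: show interfaces GigabitEthernet0/1 trunk
```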
Figure: SPAN copies the attacker's traffic to monitoring devices: an IDS, an RMON probe or a protocol analyzer.
Switch(config)# monitor session session_number source {interface interface-id [, | -] [both | rx | tx]} | {vlan vlan-id [, | -] [both | rx | tx]} | {remote vlan vlan-id}
Switch(config)#
Figure: use SPAN to mirror traffic in and out of port F0/1 (the attacker's port) to port F0/2, where the IDS is connected.
Figure: RSPAN between switches 2960-1 and 2960-2 using a source VLAN.
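An added example, not from the original slides: the local SPAN session from the figure, then the equivalent RSPAN setup for the case where the IDS is attached to the second switch. Interface names, the RSPAN VLAN number 900 and the session number are assumptions.

```cisco
! Added example (not from the original slides). Interface names, VLAN 900
! and the session number are assumptions.
!
! Local SPAN on 2960-1: copy frames entering and leaving F0/1 (the
! attacker's port) to F0/2, where the IDS listens. A SPAN destination
! port stops carrying normal traffic while the session exists.
monitor session 1 source interface FastEthernet0/1 both
monitor session 1 destination interface FastEthernet0/2
!
! RSPAN alternative: the mirrored frames ride a dedicated RSPAN VLAN
! across the trunk between the two switches. The VLAN must be declared
! remote-span on every switch along the path.
!
! -- 2960-1 (source switch) --
vlan 900
 name RSPAN-TO-IDS
 remote-span
monitor session 1 source interface FastEthernet0/1 both
monitor session 1 destination remote vlan 900
!
! -- 2960-2 (destination switch, IDS on F0/2) --
vlan 900
 name RSPAN-TO-IDS
 remote-span
monitor session 1 source remote vlan 900
monitor session 1 destination interface FastEthernet0/2
!
! Verify on either switch: show monitor session 1
```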
Wireless, VoIP and SAN
Overview of SAN Security
Call-processing deployment models: single-site deployment; centralized call processing with remote branches; distributed call-processing deployment; clustering over the IP WAN.
SAN benefits: investment protection, virtualization, security, consolidation, availability.
War driving: a neighbor hacks into another neighbor's wireless network to get free Internet access or to access information.
Free Wi-Fi provides an opportunity to compromise the data of users.
Tools shown: Network Stumbler, Kismet, AirSnort, CoWPAtty, ASLEAP, Wireshark.
Figure: the PSTN connected through a gateway to the VoIP network.
VoIP benefits: little or no training costs; no major set-up fees; lower telecom call costs; enables unified messaging; productivity increases; lower costs to move, add, or change; encryption of voice calls is supported; lower ongoing service and maintenance costs; fewer administrative personnel required.
VoIP Components
Figure: the PSTN and a PBX connect through routers/gateways to the IP backbone; on the IP side sit the Cisco Unified Communications Manager (call agent), Cisco Unity, an MCU, IP phones and a videoconference station, each reached through a router/gateway.
Megaco/H.248: Joint IETF and ITU standard for gateway control with support for multiple gateway types; evolved from the MGCP standard.
SIP: IETF protocol for interactive and noninteractive conferencing; simpler but less mature than H.323.
RTP: IETF standard media-streaming protocol.
RTCP: IETF protocol that provides out-of-band control information for an RTP flow.
VoIP threats: reconnaissance; directed attacks such as spam over IP telephony (SPIT) and spoofing; DoS attacks such as DHCP starvation, flooding, and fuzzing; eavesdropping and man-in-the-middle attacks.
Figure: a SPIT message: "You've just won an all expenses paid vacation to the U.S. Virgin Islands!!!"
Registration hijacking: allows a hacker to intercept incoming calls and reroute them.
Message tampering: allows a hacker to modify data packets.
Figure: SIP servers/services: registrar, location database, SIP proxy.
Figure: an IP phone and a desktop PC (addresses 10.1.110.3 and 171.1.1.1 in the figure) connected to switch port 5/1 over an 802.1Q trunk.
VoIP security measures: performance; SRST router; reduced configuration complexity; managed organizational boundaries; signed firmware; signed configuration files.
Disable on the IP phone: PC port, settings button, speakerphone, web access.
Figure: an IP network and a SAN divided into zones; devices can be members of more than one zone (Disk4 and Host2 appear in Zone B and Zone C). Switched fabric zoning can take
SAN security areas: SAN management; SAN access; fabric access; secure SAN; IP storage access; data integrity and secrecy.