
Upload: duongxuyen

Post on 30-Aug-2018


Page 1

© 2012 Cisco and/or its affiliates. All rights reserved. 1

CCNA Security 1.1 Instructional Resource Chapter 6 – Securing the Local Area Network

Page 2

• Describe endpoint vulnerabilities and protection methods.

• Describe the vulnerabilities of the Layer 2 infrastructure.

• Describe the mitigation techniques for securing the Layer 2 infrastructure.

• Describe MAC address spoofing attacks, STP manipulation attacks, MAC address overflow attacks, LAN storm attacks, and VLAN attacks.

• Configure and verify port security, BPDU guard, root guard, storm control, and PVLAN Edge.

• Describe endpoint security with IronPort.

• Describe endpoint security with Network Admission Control.

• Describe wireless, VoIP, and SAN security considerations.

• Describe wireless, VoIP, and SAN security solutions.

Page 3

6.0 Mitigating Common Layer 2 Attacks

6.1 Describe Layer 2 Security Using Cisco Switches

6.1.1 STP attacks

6.1.2 ARP spoofing

6.1.3 MAC spoofing

6.1.4 CAM overflows

6.1.5 CDP/LLDP

6.2 Describe VLAN Security

6.2.1 Voice VLAN

6.2.2 PVLAN

6.2.3 VLAN hopping

6.2.4 Native VLAN

6.4 Implement Spanning Tree

6.4.1 Potential issues with redundant switch topologies

6.4.2 STP operations

6.4.3 Resolving issues with STP

Page 4

• Layer 2 is generally the point-of-entry to the network and so is especially vulnerable to attacks.

• Keeping user/data, voice, native, management, and default VLANs distinct is a best practice for providing a secure Layer 2 environment.

• VLANs should be pruned manually or dynamically on trunk links to deterministically permit appropriate VLAN traffic.

• Spanning tree is susceptible to attacks which alter the proper selection of the root bridge. BPDU guard, BPDU filter, and root guard help to mitigate these attacks.

• Layer 2 “storms” can occur inadvertently or as a result of an attack. Technologies such as port security and storm control can help to prevent these storms.

• Cisco SPAN is used in conjunction with protocol analyzers and IDS devices.

Page 5

• The PVLAN Edge feature helps to control traffic between protected ports in the same VLAN.

• IronPort uses SenderBase to provide anti-spam, anti-virus, and anti-spyware functionality.

• Cisco NAC Framework and Cisco NAC appliance are two approaches to allow only authorized and compliant systems (whether managed or unmanaged) to access the network, and to enforce network security policy.

• Wireless, VoIP, and SAN technologies have their own set of security issues and mitigation techniques.
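The following configuration is an added example, not part of the course slides or the lab answer key: it puts the page 4 and page 5 summary points (distinct VLANs, pruned trunks, BPDU guard and root guard, port security with its aging timers, storm control, PVLAN Edge, and a local SPAN session) into IOS commands. Hostnames, VLAN numbers, interface names and thresholds are constructed; the access switch is assumed to be a Catalyst 2960 on IOS 12.2(46)SE and the distribution switch a Catalyst 3560, the platforms the instructor notes mention.

```cisco
! Added example, not from the course slides: a Layer 2 hardening baseline that
! puts the page 4 and page 5 summary points into IOS configuration. The
! hostnames, VLAN numbers and interface names are constructed; the access
! switch is assumed to be a Catalyst 2960 on IOS 12.2(46)SE and the
! distribution switch a Catalyst 3560, the platforms the instructor notes mention.
!
! ===== ASW1 (access switch, Catalyst 2960) =====
hostname ASW1
!
! Keep data, voice, management, native and default VLANs distinct. VLAN 1 (the
! default VLAN) carries no users, and the native VLAN 999 has no hosts at all,
! so no access port shares the VLAN that travels untagged on the trunk.
vlan 10
 name DATA
vlan 20
 name VOICE
vlan 99
 name MGMT
vlan 999
 name NATIVE-UNUSED
!
! BPDU guard on every PortFast port: a BPDU arriving on an access port
! err-disables the port instead of letting a rogue switch join the STP topology.
spanning-tree portfast bpduguard default
!
! Uplink: prune the trunk to the VLANs that must cross it and turn off DTP so the
! port's mode is fixed rather than negotiated.
interface GigabitEthernet0/1
 description UPLINK-TO-DIST1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,99
 switchport nonegotiate
!
! User ports: fixed access mode (no trunk negotiation), PortFast, port security
! limited to two addresses (the PC plus one spare so a NIC swap does not shut the
! port before the old address ages) with a 60-minute inactivity timeout (the
! "absolute" type would instead age from the moment the address was learned),
! storm control, and PVLAN Edge (switchport protected) so that protected ports in
! the same VLAN cannot exchange unicast, broadcast or multicast traffic directly.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 switchport port-security aging time 60
 switchport port-security aging type inactivity
 storm-control broadcast level 20.00
 storm-control multicast level 20.00
 storm-control action trap
 switchport protected
 spanning-tree portfast
!
! A port err-disabled by a violation or a stray BPDU recovers after 5 minutes,
! so a mistake does not require a visit to the wiring closet.
errdisable recovery cause psecure-violation
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Local SPAN: copy the user ports' traffic (both directions) to the port where the
! protocol analyzer or IDS sensor is attached.
monitor session 1 source interface FastEthernet0/1 - 24 both
monitor session 1 destination interface GigabitEthernet0/2
!
! ===== DIST1 (distribution switch, Catalyst 3560) =====
! Root guard belongs on the port that faces AWAY from the root bridge, so it goes
! on the distribution switch's downlink, not on ASW1's uplink (root guard on the
! uplink toward the root would block that uplink). The 3560 also needs the
! encapsulation set before the port can be made a trunk (see the instructor notes).
interface GigabitEthernet0/1
 description DOWNLINK-TO-ASW1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,99
 switchport nonegotiate
 spanning-tree guard root
```

Verify with `show port-security interface FastEthernet0/1`, `show spanning-tree summary` (BPDU guard default and root guard status), `show storm-control`, `show interfaces trunk`, and `show monitor session 1`. Two cautions a practitioner should keep in mind: protected ports also block direct phone-to-phone media between two protected ports on the same switch, so leave `switchport protected` off ports where that is needed, and the storm-control thresholds here are constructed and should be set from a baseline measured on the real LAN.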

Page 6

• Chapter 6 Lab A: Securing Layer 2 Switches

– Part 1: Configure Basic Switch Settings

– Part 2: Configure SSH Access to the Switch

– Part 3: Secure Trunks and Access Ports

– Part 4: Configure SPAN and Monitor Traffic
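As an added example for Parts 1 and 2 of the lab (basic settings and SSH access), not the lab's own answer key: the configuration below restricts management of the switch to SSH version 2 from a dedicated management VLAN. The hostname, domain name, credentials, addresses and ACL name are constructed placeholders. Parts 3 and 4 (trunks, access ports and SPAN) are covered by the hardening example after the page 5 summary.

```cisco
! Added example (not the lab answer key): SSH-only management access.
! Hostname, domain, credentials and addresses are constructed placeholders.
hostname ASW1
ip domain-name example.com
!
! Local administrator with a hashed secret; encrypt any remaining plain-text
! passwords in the running configuration.
username admin privilege 15 secret CHANGE-ME-admin-passphrase
enable secret CHANGE-ME-enable-passphrase
service password-encryption
!
! The RSA key pair must exist before the SSH server will start; the domain name
! above is required to generate it. Then force version 2 only.
crypto key generate rsa general-keys modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
!
! Management address on the dedicated management VLAN (99), not on VLAN 1.
interface Vlan99
 ip address 192.168.99.11 255.255.255.0
 no shutdown
ip default-gateway 192.168.99.1
!
! Only management stations on the management subnet may open a VTY session,
! and only over SSH; idle sessions are closed after 5 minutes.
ip access-list standard MGMT-HOSTS
 permit 192.168.99.0 0.0.0.255
 deny   any log
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 login local
 exec-timeout 5 0
line con 0
 login local
 exec-timeout 5 0
```

Check the result with `show ip ssh` (version 2, timeout and retry values) and `show crypto key mypubkey rsa`; a Telnet attempt from a PC in the lab should now be refused, while `ssh -l admin 192.168.99.11` from a host in the permitted subnet should succeed.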

Page 7

Absolute Timeout – Port security timer which specifies the aging time after which secure addresses on the port are deleted.

Application Server – Provides services such as voice mail and unified messaging, such as Cisco Unity.

Atomic Alert – IPS alert generated every time a signature triggers.

Atomic Signature – Simplest type of signature, consisting of a single packet, activity, or event that is examined.

BPDU Filter – Cisco switch feature that prevents interfaces that are in a PortFast-operational state from sending or receiving BPDUs. If a BPDU is received on a PortFast-enabled interface, the interface loses its PortFast-operational status, and BPDU filtering is disabled.

BPDU Guard – Cisco switch feature that allows network designers to keep the active spanning tree topology predictable. BPDU guard protects the switched network from problems caused by receipt of BPDUs on ports that should not be receiving them.

Call Agent – Provides call control for IP phones, CAC, bandwidth control and management, and address translation. Cisco Unified Communications Managers function as call agents.

Page 8

Double-tagging – Method employed in a certain VLAN hopping attack whereby an attacker embeds a hidden 802.1Q tag inside an Ethernet frame. This tag allows the frame to go to a VLAN that the original 802.1Q tag did not specify. This type of attack can work on ports that are not configured as trunk ports.

DTP – Dynamic Trunking Protocol (DTP) is a Cisco-proprietary protocol that enables the automatic negotiation of trunk links.

Gatekeeper – Provides Call Admission Control (CAC), bandwidth control and management, and address translation.

FCIP – Fibre Channel over IP (FCIP) is a popular SAN-to-SAN transport used over a WAN or MAN.

Fibre Channel – Primary SAN transport for host-to-SAN connectivity.

Gateway – Provides translation between VoIP and non-VoIP networks, such as the PSTN. Gateways also provide physical access for local analog and digital voice devices, such as telephones, fax machines, key sets, and PBXs.

HBA – A Host Bus Adapter (HBA) is an I/O adapter that sits between the bus of the host computer and the Fibre Channel loop and manages the transfer of information between the two channels.

Page 9

Inactivity Timeout – Port security timer which specifies the idle/inactive time after which secure addresses on the port are deleted.

IP Phone – Phone that provides voice communication over a data network.

IronPort – Anti-spam, antivirus, and anti-spyware appliances. IronPort uses SenderBase, the world's largest threat detection database, to help provide preventive and reactive security measures.

iSCSI – A host-to-SAN transport in the form of SCSI over TCP/IP.

LAN Storm – Condition whereby packets flood the LAN, creating excessive traffic and degrading network performance.

Least Privileged Concept – To better protect an endpoint, a process should never be given more privilege than is necessary to perform a job.

Lightweight AP – Access point that depends on a centralized wireless LAN controller (WLC) for its configuration.

LUN – A logical unit number (LUN) is a 4-bit address for an individual disk drive and, by extension, the disk device itself.

LUN Masking – Authorization process that makes a LUN available to some hosts and unavailable to other hosts.

Page 10

MAC Address Spoofing Attack – A host masquerades or poses as another via the MAC address to receive otherwise inaccessible data or to circumvent security configurations.

MAC Address Table Overflow Attack – A switch is bombarded with fake source MAC addresses until the switch MAC address table is full and no new entries can be accepted. When this occurs, the switch begins to flood all incoming traffic to all ports because there is no room in the table to learn any legitimate MAC addresses.

macof – Tool used, among other things, to flood a switch with frames containing randomly generated source and destination MAC and IP addresses.

Multipoint Control Unit (MCU) – Provides real-time connectivity for participants in multiple locations to attend the same videoconference or meeting.

NAC – Network admission control (NAC) uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources. With NAC, network security professionals can authenticate, authorize, evaluate, and remediate wired, wireless, and remote users and their machines prior to network access. NAC identifies whether networked devices are compliant with the network security policies and repairs any vulnerability before permitting access to the network.

Page 11

NAC Agent – Cisco NAC Agent (NAA) is an optional lightweight agent running on an endpoint device. It performs deep inspection of the device's security profile by analyzing registry settings, services, and files.

NAC Manager – Cisco NAC Manager (NAM) is the policy and management center for an appliance-based NAC deployment environment. Cisco NAC Manager defines role-based user access and endpoint security policies.

NAC Guest Server – Manages guest network access, including provisioning, notification, management, and reporting of all guest user accounts and network activities.

NAC Profiler – Helps to deploy policy-based access control by providing discovery, profiling, policy-based placement, and post-connection monitoring of all endpoint devices.

NAC Server – Cisco NAC Server (NAS) assesses and enforces security policy compliance in an appliance-based NAC deployment environment.

Page 12

PortFast – A Cisco switch feature that causes an interface configured as a Layer 2 access port to transition from the IEEE 802.1D STP blocking state to the forwarding state immediately, bypassing the listening and learning states.

Port Security – A Cisco switch feature which allows an administrator to statically specify MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses.

Privileged Context of Execution – Provides identity authentication and certain privileges based on the identity.

PVLAN Edge – Cisco feature, also known as Protected Port, that ensures there is no exchange of unicast, broadcast, or multicast traffic between specified ports on the switch.

Reference Monitor – Access control concept that refers to a mechanism or process that mediates all access to objects. It provides a central point for all policy decisions, typically implementing auditing functions to keep track of access.

SAN – A Storage Area Network (SAN) is a specialized network that enables fast, reliable access among servers and external storage resources.

Page 13

SIP – Session Initiation Protocol (SIP) is a signaling protocol widely used for controlling communication sessions such as VoIP sessions.

SPAN – Cisco Switched Port Analyzer copies (or mirrors) traffic received, sent, or both on source ports or source VLANs on a switch to a destination port on the same switch for analysis.

SPIT – Spam over Internet Telephony (SPIT) is unsolicited and unwanted bulk messages broadcast over VoIP to the end users of an enterprise network. In addition to being annoying, high-volume bulk calls can significantly affect the availability and productivity of the endpoints.

Storm Control – Cisco switch feature which prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on one of the physical interfaces.

Toll Fraud – Theft of long-distance telephone service by unauthorized access to a PSTN trunk (an outside line) on a PBX or voice-mail system.

Trigger – Traffic behavior that signals an intrusion or policy violation.

VACL – A VLAN ACL (VACL) is an ACL that can filter traffic at both Layer 2 and Layer 3.
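As an added example for the VACL entry (not from the slides): a VLAN access map that drops Telnet inside VLAN 10 and forwards everything else. Unlike a router ACL on an SVI, a VACL is applied to all traffic bridged within the VLAN, so it also filters host-to-host traffic that never reaches a router. The ACL and map names, VLAN number and policy are constructed; the example assumes a platform that supports VACLs, such as the Catalyst 3560 the instructor notes mention (the 2960 LAN Base image supports port ACLs but, as far as I know, not VACLs).

```cisco
! Added example (not from the slides): VACL that blocks Telnet within VLAN 10.
! Names, VLAN number and policy are constructed. Assumes a VACL-capable
! platform such as the Catalyst 3560.
!
! The ACL only *identifies* Telnet traffic; the action is decided in the map.
ip access-list extended TELNET-IN-VLAN10
 permit tcp any any eq telnet
!
! Sequence 10: traffic matching the ACL is dropped.
! Sequence 20: no match clause, so it catches all remaining traffic and forwards
! it. Without sequence 20 the implicit deny at the end of the map would drop
! every other frame in the VLAN.
vlan access-map VLAN10-POLICY 10
 match ip address TELNET-IN-VLAN10
 action drop
vlan access-map VLAN10-POLICY 20
 action forward
!
! Attach the map to the VLAN. It is evaluated for bridged and routed traffic
! alike, which is the sense in which the glossary says VACLs filter at both
! Layer 2 and Layer 3.
vlan filter VLAN10-POLICY vlan-list 10
```

`show vlan access-map` and `show vlan filter` confirm the map contents and the VLANs it is attached to. A `match mac address` clause referencing a named MAC ACL can be used in the same map to filter non-IP frames, which the IP-only example above does not show.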

Page 14

Vishing – Vishing (voice phishing) uses telephony to glean information, such as account details, directly from users.

VLAN Hopping Attack – Attack whereby access to all VLANs is obtained by leveraging the default automatic trunking configuration on most switches.

VSAN – A Virtual SAN (VSAN) is a collection of ports from a set of connected Fibre Channel switches that form a virtual fabric. Ports can be partitioned within a single switch into multiple VSANs. Additionally, multiple switches can join any number of ports to form a single VSAN.

WLC – A Wireless LAN Controller (WLC) handles system-wide wireless LAN functions, such as intrusion prevention, RF management, QoS, and mobility.

WWN – A World Wide Name (WWN) is a 64-bit address that Fibre Channel networks use to uniquely identify each element in a Fibre Channel network.

Zone – Partition of a Fibre Channel fabric into smaller subsets.

Page 15

• Cisco Security Agent content was removed.

• Remote SPAN content was removed.

• BPDU filtering content was added.

• PVLAN Edge content was added.

Page 16

• Chapter 6 is a fairly even combination of theory and practice.

• This chapter covers the gamut of network security options for Cisco Layer 2 switches (e.g., Catalyst 2960), so it is quite a handful for students – if time permits, take your time on the content. The other nine chapters in this course focus on security features on Cisco routers.

• Be sure to download the appropriate images for the switches in your lab environment. If it is at all possible, use the same images as are recommended in the lab: Cisco IOS Release 12.2(46)SE, C2960-LANBASEK9-M image. It is frustrating to students when commands are not present that are key to completing the lab.

• If 3550 or 3560 switches are used, keep in mind there will be some subtle differences in the implementations, but for the most part they will coincide with the configuration sequences for Catalyst 2960 switches. Remember that when you configure trunking on 3550 and 3560 switches, both ISL and IEEE 802.1Q trunking are supported, so an extra command is required each time you configure a trunk port.

Page 17

• The 2960 switches support Auto-MDIX, so you do not have to spend time checking whether a cable is straight-through or cross-over.

• There is GUI-based software for configuring Catalyst switches from your PC web browser, called Cisco Network Assistant. The course does not discuss this option, but it is well worth exploring. Students going into the industry would benefit from being basically familiar with this software.

– It can be downloaded at http://www.cisco.com/cisco/software/release.html?mdfid=279963505&flowid=2550&softwareid=280775097&release=5.7.0&rellifecycle=&relind=AVAILABLE&reltype=latest. (Cisco.com account required.)

• The recent 12.2.x and 15.x Cisco IOS images for the 2960 switches include a LAN Base version and a LAN Base with Web-based Development Manager option. The latter image provides another GUI-based option for switch configuration not covered in the course; again, it is useful for students to explore this option, and they will learn how to extract archives on the switches in the process. Note that there is a /force /recursive option for deleting files and folders that is VERY useful.

Page 18

• The lab for this chapter uses the Wireshark network analyzer and SuperScan (optional). It is truly worthwhile to have the SuperScan software installed on the PCs – the portions of the lab utilizing SuperScan are very informative.

• If you use NetLab to do the lab, be sure that your virtual machines have network adapters configured in the promiscuous mode; otherwise, the SPAN portion of the lab will not work correctly!

• Be sure that students try different terminal emulation programs over time. It is to their professional advantage to be familiar with the various options. Often they are surprised to find how user-friendly different emulation software is compared with what they are accustomed to using.

• Time permitting, have the students try the macof program or other simple Layer 2 “hacking” software in a secure environment.

Page 19

• Compare and contrast the security features on the Catalyst switches and those on the ISRs. The fact that nine chapters of this course focus on routers and one on switches is not a coincidence!

• Compare and contrast considerations relating to securing Layer 2 protocols with that of securing Layer 3 protocols.

• Compare the portions of the Internet comprised of Layer 2 LAN switches versus that comprised of Layer 3 networking devices. How does the answer affect the way security is implemented?

• Along the border of the Layer 2-to-Layer 3 exchange, what protocols are in play and what security considerations are specific to this crossover?

Page 20

• Nowadays, it is common to install a switch module in a router and it is common for a switch to include a router processor. So in a way, most switches are routers and most routers are switches. How do routers and switches differ?

• There is a clear trend toward pushing Layer 3 down to the user as a result of the decreasing cost for Layer 3 switches. The day will come when all switches are Layer 3 switches. Does this imply that VLANs will be unnecessary at some point? What are the implications of every port on every switch being configurable as a routed port?

• Is it easier to configure security in the Layer 2 domain or in the Layer 3 domain? Is network security more deterministic in a pure Layer 3 environment?

Page 21

• What are the implications for Layer 2 security in the Borderless Network, with mobile devices pervading the network space?

• What devices require Layer 2 security solutions?

• What are some security policies specific to the Layer 2 environment? What are some rules that should be enforced?

• Several topics in the course do not have hands-on components to them, such as IronPort, Network Admission Control, wireless security, VoIP security, and SAN security. Ask the students to research one or more of these areas to gain a more applied understanding of these topics. If possible, arrange for site visits where some of these solutions are implemented.

Page 22

• One of the easiest ways to optimize LAN security is ensuring that all VLANs with distinct functions are distinct. Separate the management VLAN, the native VLAN, the default VLAN, the voice VLAN(s), and the data VLAN(s). Configure trunk links to support only the necessary VLANs.

• Modern campus switched network design has Layer 2 switches only at the edge of the network, each with a redundant uplink, with only two or three VLANs per switch and with no Layer 2 loops possible (think about how this is mapped out). So technically STP is not required. It is a best practice to always ensure that STP remains enabled on the switches, just in case someone inadvertently creates a physical loop as a result of moving cables about in the wiring closet.

• There are only a handful of security features available at Layer 2. Almost all of these should be implemented to optimize network security. Upon first exposure the number of Layer 2 security options might be a bit overwhelming. Be sure to encourage students that they do not need to master them all the first time around and that in the scheme of things the gamut of security options at Layer 2 is relatively quite tractable.

Page 23

• http://en.wikipedia.org/wiki/LAN_switching

• http://www.cisco.com/cisco/software/type.html?mdfid=279963505&flowid=2550

• http://www.nsa.gov/ia/_files/switches/switch-guide-version1_01.pdf

• http://www.ciscopress.com/bookstore/product.asp?isbn=1587052563

• http://www.cisco.com/en/US/customer/docs/switches/lan/catalyst2960/software/release/12.2_25_fx/command/reference/2960cr.html

• http://www.cisco.com/en/US/customer/docs/switches/lan/catalyst2960/software/release/12.2_25_fx/configuration/guide/2960scg.html
