Implementing Cisco Edge Network Security Solutions (300-206) Module 1 Securing the Local Area Network

Upload: dsunte-wilson

Post on 19-Jan-2016

Description: Cisco security, ASA, Router

Page 1: Cisco security

Implementing Cisco Edge Network Security Solutions (300-206)

Module 1: Securing the Local Area Network

Page 2: Cisco security

Lesson Planning

• This lesson should take 3-4 hours to present

• The lesson should include lecture, demonstrations, discussions and assessments

• The lesson can be taught in person or using remote instruction

Page 3: Cisco security

Major Concepts

• Describe endpoint vulnerabilities and protection methods

• Describe basic Catalyst switch vulnerabilities

• Configure and verify switch security features, including port security and storm control

• Describe the fundamental security considerations of Wireless, VoIP, and SANs

Page 4: Cisco security

Lesson Objectives

Upon completion of this lesson, the successful participant will be able to:

1. Describe endpoint security and the enabling technologies

2. Describe how Cisco IronPort is used to ensure endpoint security

3. Describe how Cisco NAC products are used to ensure endpoint security

4. Describe how the Cisco Security Agent is used to ensure endpoint security

5. Describe the primary considerations for securing the Layer 2 infrastructure

6. Describe MAC address spoofing attacks and MAC address spoofing attack mitigation

Page 5: Cisco security

Lesson Objectives

7. Describe MAC Address table overflow attacks and MAC Address table overflow attack mitigation

8. Describe STP manipulation attacks and STP manipulation attack mitigation

9. Describe LAN Storm attacks and LAN Storm attack mitigation

10. Describe VLAN attacks and VLAN attack mitigation

11. Describe how to configure port security

12. Describe how to verify port security

13. Describe how to configure and verify BPDU Guard and Root Guard

14. Describe how to configure and verify storm control

15. Describe and configure Cisco SPAN

16. Describe and configure Cisco RSPAN

Page 6: Cisco security

Lesson Objectives

17. Describe the best practices for Layer 2

18. Describe the fundamental aspects of enterprise security for advanced technologies

19. Describe the fundamental aspects of wireless security and the enabling technologies

20. Describe wireless security solutions

21. Describe the fundamental aspects of VoIP security and the enabling technologies (Reference: CIAG course on VoIP security)

22. Describe VoIP security solutions

23. Describe the fundamental aspects of SAN security and the enabling technologies

24. Describe SAN security solutions

Page 7: Cisco security

Securing the LAN

[Diagram labels: Internet, Perimeter, Firewall, IPS, VPN, IronPort, Web Server, Email Server, DNS, LAN, Hosts, MARS, ACS]

Areas of concentration:

• Securing endpoints

• Securing network infrastructure

Page 8: Cisco security

Addressing Endpoint Security

[Diagram labels: Threat Protection, Policy Compliance, Infection Containment, Secure Host]

Based on three elements:

• Cisco Network Admission Control (NAC)

• Endpoint protection

• Network infection containment

Page 9: Cisco security

Operating Systems

Basic Security Services

• Trusted code and trusted path – ensures that the integrity of the operating system is not violated

• Privileged context of execution – provides identity authentication and certain privileges based on the identity

• Process memory protection and isolation – provides separation from other users and their data

• Access control to resources – ensures confidentiality and integrity of data

Page 10: Cisco security

Types of Application Attacks

• Direct: "I have gained direct access to this application's privileges."

• Indirect: "I have gained access to this system, which is trusted by the other system, allowing me to access it."

Page 11: Cisco security

Cisco Systems Endpoint Security Solutions

• Cisco NAC

• IronPort

• Cisco Security Agent

Page 12: Cisco security

Cisco IronPort Products

IronPort products include:

• E-mail security appliances for virus and spam control

• Web security appliance for spyware filtering, URL filtering, and anti-malware

• Security management appliance

Page 13: Cisco security

IronPort C-Series

[Diagram: Before IronPort – Internet, Firewall, Groupware, Users. After IronPort – Internet, Firewall, IronPort E-mail Security Appliance, Groupware, Users. Appliance functions: Antispam, Antivirus, Policy Enforcement, Mail Routing, Encryption Platform, MTA, DLP Scanner, DLP Policy Manager]

Page 14: Cisco security

IronPort S-Series

[Diagram: Before IronPort – Internet, Firewall, Users. After IronPort – Internet, Firewall, IronPort S-Series, Users. Appliance functions: Web Proxy, Antispyware, Antivirus, Antiphishing, URL Filtering, Policy Management]

Page 15: Cisco security

Cisco NAC

NAC Framework

• Software module embedded within NAC-enabled products

• Integrated framework leveraging multiple Cisco and NAC-aware vendor products

Cisco NAC Appliance

• In-band Cisco NAC Appliance solution can be used on any switch or router platform

• Self-contained, turnkey solution

The purpose of NAC:

• Allow only authorized and compliant systems to access the network

• Enforce network security policy

Page 16: Cisco security

The NAC Framework

[Diagram: Hosts Attempting Network Access run the Cisco Trust Agent and present Credentials to the Network Access Devices (Enforcement) over EAP/UDP or EAP/802.1x; the access device relays the Credentials over RADIUS to the Policy Server / AAA Server (Decision Points and Remediation), which checks with Vendor Servers over HTTPS ("Comply?") and returns Access Rights and a Notification]

Page 17: Cisco security

NAC Components

• Cisco NAS: Serves as an in-band or out-of-band device for network access control

• Cisco NAM: Centralizes management for administrators, support personnel, and operators

• Cisco NAA: Optional lightweight client for device-based registry scans in unmanaged environments

• Rule-set updates: Scheduled automatic updates for antivirus, critical hotfixes, and other applications

Page 18: Cisco security

Cisco NAC Appliance Process

[Diagram: host, Cisco NAS, Cisco NAM (MGR), Authentication Server, Quarantine Role, Intranet/Network (the goal)]

1. Host attempts to access a web page or uses an optional client. Network access is blocked until the wired or wireless host provides login information.

2. Host is redirected to a login page. Cisco NAC Appliance validates username and password, and also performs device and network scans to assess vulnerabilities on the device.

3. The host is authenticated and optionally scanned for posture compliance.

3a. Device is noncompliant or login is incorrect: host is denied access and assigned to a quarantine role with access to online remediation resources.

3b. Device is "clean": machine gets on the "certified devices list" and is granted access to the network.

Page 19: Cisco security

Access Windows

4. [Screenshots of the access windows: Login Screen; scan is performed (types of checks depend on user role); scan fails; remediate]

Page 20: Cisco security

CSA Architecture

[Diagram: Management Center for Cisco Security Agent with internal or external database; Administration Workstation; server protected by Cisco Security Agent. Security policy is pushed to the agent and events/alerts are returned, all over SSL]

Page 21: Cisco security

CSA Overview

[Diagram: application requests pass through four interceptors (File System Interceptor, Network Interceptor, Configuration Interceptor, Execution Space Interceptor), which consult the Rules Engine and Correlation Engine (state, rules and policies) and return either an Allowed Request or a Blocked Request]

Page 22: Cisco security

CSA Functionality

Security Application       | Network Interceptor | File System Interceptor | Configuration Interceptor | Execution Space Interceptor
Distributed Firewall       | X | – | – | –
Host Intrusion Prevention  | X | – | – | X
Application Sandbox        | – | X | X | X
Network Worm Prevention    | X | – | – | X
File Integrity Monitor     | – | X | X | –

Page 23: Cisco security

Attack Phases

[Diagram: server protected by Cisco Security Agent with its file system interceptor, network interceptor, configuration interceptor and execution space interceptor]

– Probe phase: ping scans, port scans

– Penetrate phase: transfer exploit code to target

– Persist phase: install new code, modify configuration

– Propagate phase: attack other targets

– Paralyze phase: erase files, crash system, steal data

Page 24: Cisco security

CSA Log Messages

Page 25: Cisco security

Layer 2 Security

[Diagram labels: Internet, Perimeter, Firewall, IPS, VPN, IronPort, Web Server, Email Server, DNS, Hosts, MARS, ACS]

Page 26: Cisco security

OSI Model

When it comes to networking, Layer 2 is often a very weak link.

[Diagram: two OSI stacks (Application, Presentation, Session, Transport, Network, Data Link, Physical) annotated with what each layer exposes: Application Stream, Protocols and Ports, IP Addresses, MAC Addresses, Physical Links. An initial compromise at the Data Link layer leaves every layer above it compromised]

Page 27: Cisco security

MAC Address Spoofing Attack

[Diagram: switch with Port 1 (host, MAC address AABBcc) and Port 2 (attacker, MAC address 12AbDd); MAC address table: AABBcc → Port 1, 12AbDd → Port 2]

Switch: "I have associated Ports 1 and 2 with the MAC addresses of the devices attached. Traffic destined for each device will be forwarded directly."

The switch keeps track of the endpoints by maintaining a MAC address table. In MAC spoofing, the attacker poses as another host, in this case AABBcc.

Page 28: Cisco security

MAC Address Spoofing Attack

[Diagram: the attacker on Port 2 now also uses MAC address AABBcc; the MAC address table entry for AABBcc moves from Port 1 to Port 2]

Attacker: "I have changed the MAC address on my computer to match the server."

Switch: "The device with MAC address AABBcc has changed locations to Port 2. I must adjust my MAC address table accordingly."

Page 29: Cisco security

MAC Address Table Overflow Attack

The switch can forward frames between PC1 and PC2 without flooding because its MAC address table contains port-to-MAC-address mappings for both PCs.

Page 30: Cisco security

MAC Address Table Overflow Attack

[Diagram: hosts A, B, C and D on VLAN 10; the intruder is Host C on port 3/25]

1. Intruder runs macof to begin sending unknown bogus MAC addresses (X, Y, Z, ..., all sourced from port 3/25).

2. Bogus addresses are added to the CAM table (MAC X → 3/25, MAC Y → 3/25, MAC C → 3/25, ...). The CAM table is full.

3. The switch floods the frames.

4. Attacker sees traffic to servers B and D.

Page 31: Cisco security

STP Manipulation Attack

• Spanning tree protocol operates by electing a root bridge

• STP builds a tree topology

• STP manipulation changes the topology of a network: the attacking host appears to be the root bridge

[Diagram: three switches with port states F (forwarding) and B (blocking); Root Bridge with Priority = 8192, MAC Address = 0000.00C0.1234]

Page 32: Cisco security

STP Manipulation Attack

[Diagram: before and after the attack. Left, the Root Bridge with Priority = 8192 and ports in F (forwarding) and B (blocking) states; right, the attacker's host has become the Root Bridge and the forwarding/blocking ports have changed]

The attacking host broadcasts out STP configuration and topology change BPDUs. This is an attempt to force spanning tree recalculations.

Page 33: Cisco security

LAN Storm Attack

• Broadcast, multicast, or unknown unicast frames are flooded on all ports in the same VLAN.

• These storms can increase the CPU utilization on a switch to 100%, reducing the performance of the network.

[Diagram: a single broadcast frame replicated out of every port of the switch]

Page 34: Cisco security

Storm Control

[Graph: total number of broadcast packets or bytes per measurement interval]

Page 35: Cisco security

VLAN Attacks

VLAN = Broadcast Domain = Logical Network (Subnet)

Benefits: Segmentation, Flexibility, Security

Page 36: Cisco security

VLAN Attacks

[Diagram: the attacker brings up an 802.1Q trunk to the switch (VLAN 10 and VLAN 20 shown) and sees traffic destined for the servers]

A VLAN hopping attack can be launched in two ways:

• Spoofing DTP messages from the attacking host to cause the switch to enter trunking mode

• Introducing a rogue switch and turning trunking on

Page 37: Cisco security

Double-Tagging VLAN Attack

[Diagram: attacker on VLAN 10, switch 1 and switch 2 joined by an 802.1Q trunk with Native VLAN = 10, victim on VLAN 20]

1. The attacker is on VLAN 10 but puts a VLAN 20 tag in the frame: the 802.1Q frame carries an outer tag for the native VLAN (10) and an inner tag for VLAN 20.

2. The first switch strips off the first tag and does not retag it (native traffic is not retagged). It then forwards the frame to switch 2.

3. The second switch receives the frame on the native VLAN; the inner VLAN 20 tag is now the only tag on the frame.

4. The second switch examines the frame, sees the VLAN 20 tag and forwards it accordingly.

Note: This attack works only if the trunk has the same native VLAN as the attacker.
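The hop described in steps 1 to 4 and the native-VLAN condition in the note, as an added Python example rather than code from the original course: it builds the double-tagged 802.1Q frame byte by byte, runs it through a deliberately simplified model of the two switches, and shows that moving the trunk's native VLAN to an unused VLAN (999 is an assumed value) makes the frame land back on VLAN 10 instead of reaching VLAN 20. The MAC addresses and payload are constructed.

```python
"""Byte-level model of the double-tagging hop. Added example, not from the
original course: the switch behaviour is a simplified model of 802.1Q trunk
and access ports, the MAC addresses and payload are constructed, and the VLAN
numbers are the ones on the slide (attacker VLAN 10, victim VLAN 20, trunk
native VLAN 10).
"""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, vlan_tags, payload):
    """Ethernet frame with zero or more stacked 802.1Q tags, outermost first.

    Each tag is the TPID 0x8100 followed by a TCI whose low 12 bits carry the
    VLAN ID (PCP and DEI left at 0).
    """
    frame = _mac(dst) + _mac(src)
    for vid in vlan_tags:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def pop_tag(frame):
    """Return (vlan_id, frame without that tag), or (None, frame) if untagged."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]


def switch1_forward(frame, access_vlan, trunk_native):
    """Switch 1: attacker's access port in access_vlan -> trunk towards switch 2.

    Returns the bytes placed on the trunk, or None if the frame is dropped.
    """
    outer, stripped = pop_tag(frame)
    if outer is not None:
        if outer != access_vlan:
            return None            # tagged for a VLAN the access port does not carry
        frame = stripped           # the access port's own VLAN tag is removed
    if access_vlan == trunk_native:
        return frame               # native VLAN leaves the trunk untagged: no retagging
    return push_tag(frame, access_vlan)


def switch2_classify(frame, trunk_native):
    """Switch 2 trunk ingress: a tagged frame belongs to its tag, an untagged one to the native VLAN."""
    vid, inner = pop_tag(frame)
    return (trunk_native if vid is None else vid), inner


def hop(attacker_vlan, victim_vlan, trunk_native):
    """Attacker sends a frame tagged [attacker_vlan, victim_vlan]; return the
    VLAN on which switch 2 delivers it (None if dropped on the way)."""
    frame = build_frame("ff:ff:ff:ff:ff:ff", "00:00:aa:bb:cc:01",
                        [attacker_vlan, victim_vlan], b"constructed payload")
    on_wire = switch1_forward(frame, attacker_vlan, trunk_native)
    if on_wire is None:
        return None
    vlan, _ = switch2_classify(on_wire, trunk_native)
    return vlan


if __name__ == "__main__":
    print("trunk native VLAN 10 :", hop(10, 20, 10))    # lands on VLAN 20: hop succeeds
    print("trunk native VLAN 999:", hop(10, 20, 999))   # stays on VLAN 10: hop fails
```

With the native VLAN equal to the attacker's VLAN, switch 1 strips the outer tag and sends the frame untagged, so the inner tag is what switch 2 reads. With an unused native VLAN, switch 1 must push its own VLAN 10 tag, switch 2 pops that tag and classifies the frame into VLAN 10, and the inner VLAN 20 tag never reaches a switch that would act on it.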

Page 38: Cisco security

Port Security Overview

[Diagram: Port 0/1 allows MAC A, Port 0/2 allows MAC B, Port 0/3 allows MAC C; Attacker 1 and Attacker 2 present MAC A and MAC F on ports where they are not permitted]

Allows an administrator to statically specify MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses

Page 39: Cisco security

CLI Commands

Switch(config-if)# switchport mode access

• Sets the interface mode as access

Switch(config-if)# switchport port-security

• Enables port security on the interface

Switch(config-if)# switchport port-security maximum value

• Sets the maximum number of secure MAC addresses for the interface (optional)

Page 40: Cisco security

Switchport Port-Security Parameters

mac-address mac-address: (Optional) Specify a secure MAC address for the port by entering a 48-bit MAC address. You can add additional secure MAC addresses up to the maximum value configured.

vlan vlan-id: (Optional) On a trunk port only, specify the VLAN ID and the MAC address. If no VLAN ID is specified, the native VLAN is used.

vlan access: (Optional) On an access port only, specify the VLAN as an access VLAN.

vlan voice: (Optional) On an access port only, specify the VLAN as a voice VLAN.

mac-address sticky [mac-address]: (Optional) Enable the interface for sticky learning by entering only the mac-address sticky keywords. When sticky learning is enabled, the interface adds all secure MAC addresses that are dynamically learned to the running configuration and converts these addresses to sticky secure MAC addresses. Specify a sticky secure MAC address by entering the mac-address sticky mac-address keywords.

maximum value: (Optional) Set the maximum number of secure MAC addresses for the interface. The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system. The active Switch Database Management (SDM) template determines this number. This number represents the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces. The default setting is 1.

vlan [vlan-list]: (Optional) For trunk ports, you can set the maximum number of secure MAC addresses on a VLAN. If the vlan keyword is not entered, the default value is used.

• vlan: set a per-VLAN maximum value.

• vlan vlan-list: set a per-VLAN maximum value on a range of VLANs separated by a hyphen or a series of VLANs separated by commas. For nonspecified VLANs, the per-VLAN maximum value is used.

Page 41: Cisco security

Port Security Violation Configuration

Switch(config-if)# switchport port-security mac-address sticky

• Enables sticky learning on the interface (optional); sticky addresses survive a reload only if the running configuration is saved

Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}

• Sets the violation mode (optional)

Switch(config-if)# switchport port-security mac-address mac-address

• Enters a static secure MAC address for the interface (optional)

Page 42: Cisco security

Switchport Port-Security Violation Parameters

protect: (Optional) Set the security violation protect mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.

restrict: (Optional) Set the security violation restrict mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred: an SNMP trap is sent, a syslog message is logged, and the violation counter increments.

shutdown: (Optional) Set the security violation shutdown mode. In this mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and increments the violation counter. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands.

shutdown vlan: Set the security violation mode to per-VLAN shutdown. In this mode, only the VLAN on which the violation occurred is error-disabled.

Page 43: Cisco security

Port Security Aging Configuration

Switch(config-if)# switchport port-security aging {static | time time | type {absolute | inactivity}}

• Enables or disables static aging for the secure port or sets the aging time or type

Page 44: Cisco security

Switchport Port-Security Aging Parameters

static: Enable aging for statically configured secure addresses on this port.

time time: Specify the aging time for this port. The range is 0 to 1440 minutes. If the time is 0, aging is disabled for this port.

type absolute: Set absolute aging type. All the secure addresses on this port age out exactly after the time (minutes) specified and are removed from the secure address list.

type inactivity: Set the inactivity aging type. The secure addresses on this port age out only if there is no data traffic from the secure source address for the specified time period.

Page 45: Cisco security

Typical Configuration

[Diagram: switch S2 access port connected to PC B]

Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security aging time 120
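The CAM table overflow from the MAC Address Table Overflow Attack slides and the port-security configuration above, run together in one added Python simulation (not code from the original course). The switch model is deliberately small: one VLAN, a CAM table of eight entries, no aging, dynamically learned secure addresses, and the three violation modes. Port 3/25, servers B and D and every MAC address are constructed to match the slide, and macof is represented by a loop of frames with bogus source addresses.

```python
"""CAM table overflow (macof) against a switch with and without port security.
Added example, not from the original course: simplified switch model (one
VLAN, eight CAM entries, no aging); port names and MAC addresses constructed.
"""
from dataclasses import dataclass, field

MAC_B = "00:00:00:00:00:0b"   # server B on port 3/2 (constructed)
MAC_D = "00:00:00:00:00:0d"   # server D on port 3/4 (constructed)
INTRUDER_PORT = "3/25"        # the intruder's port on the slide


@dataclass
class PortSecurity:
    maximum: int = 1
    violation: str = "shutdown"            # protect | restrict | shutdown
    secure: set = field(default_factory=set)
    err_disabled: bool = False
    violations: int = 0


class Switch:
    def __init__(self, ports, cam_capacity):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity
        self.cam = {}          # source MAC -> port
        self.psec = {}         # port -> PortSecurity (secured ports only)
        self.delivered = []    # (dst MAC, egress port) for every frame sent

    def enable_port_security(self, port, maximum=1, violation="shutdown"):
        self.psec[port] = PortSecurity(maximum=maximum, violation=violation)

    def _port_up(self, port):
        ps = self.psec.get(port)
        return ps is None or not ps.err_disabled

    def _secure_ingress(self, port, src):
        """Apply port security to an incoming frame; True if it may be processed."""
        ps = self.psec.get(port)
        if ps is None:
            return True
        if ps.err_disabled:
            return False                   # the port is down: nothing gets in
        if src in ps.secure:
            return True
        if len(ps.secure) < ps.maximum:
            ps.secure.add(src)             # dynamically learned secure MAC
            return True
        # violation: protect drops silently; restrict drops and counts;
        # shutdown drops, counts and error-disables the port
        if ps.violation in ("restrict", "shutdown"):
            ps.violations += 1
        if ps.violation == "shutdown":
            ps.err_disabled = True
        return False

    def receive(self, in_port, src, dst):
        """Process one frame and return the list of egress ports."""
        if not self._secure_ingress(in_port, src):
            return []
        if src in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[src] = in_port        # learn (or refresh) the source
        if dst in self.cam:
            egress = [self.cam[dst]]
        else:                              # unknown unicast: flood the VLAN
            egress = [p for p in self.ports if p != in_port and self._port_up(p)]
        self.delivered.extend((dst, p) for p in egress)
        return egress


def run_scenario(violation_mode=None, bogus_frames=20):
    """Intruder on 3/25 runs macof, then servers B and D exchange three frames.

    violation_mode=None leaves 3/25 unsecured (the attack on the slide);
    'protect', 'restrict' or 'shutdown' secures it with maximum 1.
    """
    sw = Switch(ports=["3/1", "3/2", "3/3", "3/4", INTRUDER_PORT], cam_capacity=8)
    if violation_mode:
        sw.enable_port_security(INTRUDER_PORT, maximum=1, violation=violation_mode)
    for i in range(bogus_frames):          # macof: a new bogus source MAC per frame
        sw.receive(INTRUDER_PORT, "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF), "02:ff:ff:ff:ff:ff")
    sw.receive("3/2", MAC_B, MAC_D)
    sw.receive("3/4", MAC_D, MAC_B)
    sw.receive("3/2", MAC_B, MAC_D)
    ps = sw.psec.get(INTRUDER_PORT)
    return {
        "cam_entries": len(sw.cam),
        "server_frames_seen_by_intruder": sum(
            1 for dst, port in sw.delivered if port == INTRUDER_PORT and dst in (MAC_B, MAC_D)),
        "intruder_port_err_disabled": bool(ps and ps.err_disabled),
        "violations": ps.violations if ps else 0,
    }


if __name__ == "__main__":
    for mode in (None, "protect", "restrict", "shutdown"):
        print(mode or "no port security", run_scenario(mode))
```

Without port security the bogus addresses fill the CAM table, B and D can never be learned, and all three server frames are flooded to the intruder. With `maximum 1` on 3/25 only the first bogus address is accepted: `protect` and `restrict` drop the rest (the intruder still sees the one unknown-unicast flood that precedes D being learned, which is normal switch behaviour), and `shutdown` error-disables the port on the second address, so nothing is ever flooded to it.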

Page 46: Cisco security

CLI Commands

sw-class# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                   (Count)      (Count)            (Count)
---------------------------------------------------------------------------
     Fa0/12              2            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024

sw-class# show port-security interface f0/12
Port Security              : Enabled
Port status                : Secure-down
Violation mode             : Shutdown
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Aging time                 : 120 mins
Aging type                 : Absolute
SecureStatic address aging : Disabled
Security Violation Count   : 0

Page 47: Cisco security

View Secure MAC Addresses

sw-class# show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   1    0000.ffff.aaaa    SecureConfigured    Fa0/12         -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024

Page 48: Cisco security

MAC Address Notification

MAC address notification allows monitoring of the MAC addresses, at the module and port level, added by the switch or removed from the CAM table for secure ports.

[Diagram: switch CAM table F1/1 = MAC A, F1/2 = MAC B, F2/1 = MAC D (address ages out while MAC D is away from the network); SNMP traps are sent to the NMS when new MAC addresses appear or when old ones time out]

Page 49: Cisco security

Configure Portfast

Switch(config-if)# spanning-tree portfast: Enables PortFast on a Layer 2 access port and forces it to enter the forwarding state immediately.

Switch(config-if)# no spanning-tree portfast: Disables PortFast on a Layer 2 access port. PortFast is disabled by default.

Switch(config)# spanning-tree portfast default: Globally enables the PortFast feature on all nontrunking ports.

Switch# show running-config interface type slot/port: Indicates whether PortFast has been configured on a port.

[Diagram: server and workstation connected to access ports]

Page 50: Cisco security

BPDU Guard

Switch(config)# spanning-tree portfast bpduguard default

• Globally enables BPDU guard on all ports with PortFast enabled

[Diagram: Root Bridge and two switches with F (forwarding) and B (blocking) ports; an attacker sends STP BPDUs into an access port with BPDU Guard enabled]

Page 51: Cisco security

Display the State of Spanning Tree

Switch# show spanning-tree summary totals
Root bridge for: none.
PortFast BPDU Guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Spanning tree default pathcost method used is short

Name                 Blocking Listening Learning Forwarding STP Active
-------------------- -------- --------- -------- ---------- ----------
1 VLAN                      0         0        0          1          1
<output omitted>

Page 52: Cisco security

Root Guard

Switch(config-if)# spanning-tree guard root

• Enables root guard on a per-interface basis

[Diagram: Root Bridge with Priority = 0, MAC Address = 0000.0c45.1a5d; the attacker sends an STP BPDU with Priority = 0, MAC Address = 0000.0c45.1234 into a port with Root Guard enabled; port states F (forwarding) and B (blocking)]

Page 53: Cisco security

Verify Root Guard

Switch# show spanning-tree inconsistentports
Name                 Interface              Inconsistency
-------------------- ---------------------- ------------------
VLAN0001             FastEthernet3/1        Port Type Inconsistent
VLAN0001             FastEthernet3/2        Port Type Inconsistent
VLAN1002             FastEthernet3/1        Port Type Inconsistent
VLAN1002             FastEthernet3/2        Port Type Inconsistent
VLAN1003             FastEthernet3/1        Port Type Inconsistent
VLAN1003             FastEthernet3/2        Port Type Inconsistent
VLAN1004             FastEthernet3/1        Port Type Inconsistent
VLAN1004             FastEthernet3/2        Port Type Inconsistent
VLAN1005             FastEthernet3/1        Port Type Inconsistent
VLAN1005             FastEthernet3/2        Port Type Inconsistent

Number of inconsistent ports (segments) in the system : 10
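Bridge ID comparison behind the STP Manipulation, BPDU Guard and Root Guard slides, as an added Python example that is not part of the original course. It uses the priority and MAC values from the slides (the 8192 root at 0000.00C0.1234, the legitimate root at priority 0 / 0000.0c45.1a5d, the attacker's BPDU at priority 0 / 0000.0c45.1234) plus one assumed bridge ID for the access switch, and models what root guard and BPDU guard do to the port the attacker is plugged into. The port model is a simplification of 802.1D.

```python
"""Bridge ID comparison, BPDU guard and root guard. Added example, not from
the original course: bridge IDs are the ones on the slides except SWITCH,
which is an assumed value; the port model is a simplification of 802.1D.
"""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class BridgeId:
    """802.1D bridge ID: 2-byte priority, then 6-byte MAC. Lower wins."""
    priority: int
    mac: int

    @classmethod
    def parse(cls, priority, dotted_mac):
        return cls(priority, int(dotted_mac.replace(".", ""), 16))


@dataclass
class Port:
    name: str
    bpdu_guard: bool = False     # spanning-tree bpduguard on a PortFast edge port
    root_guard: bool = False     # spanning-tree guard root
    state: str = "designated"    # designated | root-inconsistent | err-disabled


class Bridge:
    def __init__(self, my_id, current_root):
        self.my_id = my_id
        self.root = current_root

    def receive_bpdu(self, port, claimed_root):
        """Process a configuration BPDU advertising claimed_root on port.

        Returns the root bridge ID this bridge believes in afterwards.
        """
        if port.state == "err-disabled":
            return self.root                  # nothing is accepted on a dead port
        if port.bpdu_guard:
            port.state = "err-disabled"       # no BPDU should ever arrive on an edge port
            return self.root
        superior = claimed_root < self.root
        if port.root_guard:
            # a superior BPDU on a designated port is refused and the port is
            # blocked until superior BPDUs stop; an inferior BPDU clears the state
            port.state = "root-inconsistent" if superior else "designated"
            return self.root
        if superior:
            self.root = claimed_root          # plain STP: the better claim wins
        return self.root


def elect_root(bridge_ids):
    """Plain STP election: the lowest bridge ID (priority, then MAC) is root."""
    return min(bridge_ids)


ROOT = BridgeId.parse(0, "0000.0c45.1a5d")        # legitimate root (Root Guard slide)
ATTACKER = BridgeId.parse(0, "0000.0c45.1234")    # attacker's claimed root (Root Guard slide)
ROOT_8192 = BridgeId.parse(8192, "0000.00c0.1234")  # root on the STP Manipulation slide
SWITCH = BridgeId.parse(32768, "0000.0c45.aaaa")  # access switch (assumed value)


def attack(root_guard=False, bpdu_guard=False):
    """Attacker injects a BPDU on access port Fa3/1; return (root, port state)."""
    sw = Bridge(my_id=SWITCH, current_root=ROOT)
    port = Port("FastEthernet3/1", bpdu_guard=bpdu_guard, root_guard=root_guard)
    root = sw.receive_bpdu(port, ATTACKER)
    return root, port.state


if __name__ == "__main__":
    print("no guard   :", attack())
    print("root guard :", attack(root_guard=True))
    print("bpdu guard :", attack(bpdu_guard=True))
```

The attacker's bridge ID beats the legitimate root because the priorities tie at 0 and 0000.0c45.1234 is numerically lower than 0000.0c45.1a5d, which is exactly why a priority of 0 on the real root is not a defence on its own; root guard refuses the superior BPDU and leaves the port root-inconsistent, and BPDU guard error-disables the port on any BPDU at all.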

Page 54: Cisco security

Storm Control Methods

• Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic

• Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received

• Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received

• Traffic rate in packets per second and for small frames. This feature is enabled globally. The threshold for small frames is configured for each interface.

Page 55: Cisco security

Storm Control Configuration

Switch(config-if)# storm-control broadcast level 75.5

• Enables broadcast storm control and specifies the level (as a percentage of port bandwidth) at which it is enabled

Switch(config-if)# storm-control multicast level pps 2k 1k

• Enables multicast storm control with rising and falling levels in packets per second

Switch(config-if)# storm-control action shutdown

• Specifies the action that should take place when the threshold (level) is reached, in addition to filtering traffic

Page 56: Cisco security

Storm Control Parameters

broadcast: This parameter enables broadcast storm control on the interface.

multicast: This parameter enables multicast storm control on the interface.

unicast: This parameter enables unicast storm control on the interface.

level level [level-low]: Rising and falling suppression levels as a percentage of total bandwidth of the port.

• level: Rising suppression level. The range is 0.00 to 100.00. Block the flooding of storm packets when the value specified for level is reached.

• level-low: (Optional) Falling suppression level, up to two decimal places. This value must be less than or equal to the rising suppression value.

level bps bps [bps-low]: Specify the rising and falling suppression levels as a rate in bits per second at which traffic is received on the port.

• bps: Rising suppression level. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for bps is reached.

• bps-low: (Optional) Falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value.

level pps pps [pps-low]: Specify the rising and falling suppression levels as a rate in packets per second at which traffic is received on the port.

• pps: Rising suppression level. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for pps is reached.

• pps-low: (Optional) Falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value.

action {shutdown | trap}: The action taken when a storm occurs on a port. The default action is to filter traffic and to not send an SNMP trap. The keywords have these meanings:

• shutdown: Disables the port during a storm

• trap: Sends an SNMP trap when a storm occurs

Page 57: Cisco security

Verify Storm Control Settings

Switch# show storm-control
Interface  Filter State   Upper       Lower       Current
---------  -------------  ----------  ----------  ----------
Gi0/1      Forwarding     20 pps      10 pps      5 pps
Gi0/2      Forwarding     50.00%      40.00%      0.00%
<output omitted>
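The rising and falling suppression levels from the Storm Control Parameters table and the Upper/Lower/Current columns above, as an added Python simulation that is not from the original course. It feeds a constructed stream of one-second broadcast rates through the Gi0/1 thresholds on the slide (20 pps upper, 10 pps lower) and shows how the filter state moves under the default filter action, the trap action and the shutdown action; the k/m/g suffix parser mirrors the `2k 1k` arguments in the configuration slide. One measurement per second and the exact resume condition are simplifications of the Catalyst feature.

```python
"""Storm-control rising/falling levels as a small simulation. Added example,
not from the original course: the sample stream is constructed and the model
(one measurement per second, block when a measurement reaches the rising
level, resume once one drops below the falling level) is a simplification.
"""
from dataclasses import dataclass, field

SUFFIX = {"k": 1e3, "m": 1e6, "g": 1e9}


def parse_rate(text):
    """Parse an IOS rate argument such as '2k', '1.5m' or '1500' into a float."""
    text = text.strip().lower()
    if text[-1] in SUFFIX:
        return float(text[:-1]) * SUFFIX[text[-1]]
    return float(text)


@dataclass
class StormControl:
    rising: float                 # block when a 1-second measurement reaches this level
    falling: float = None         # resume once a measurement drops below this level
    action: str = "filter"        # filter (default) | trap | shutdown
    state: str = "Forwarding"
    err_disabled: bool = False
    traps: int = 0
    history: list = field(default_factory=list)

    def __post_init__(self):
        if self.falling is None:
            self.falling = self.rising    # no level-low given: it equals the rising level
        if self.falling > self.rising:
            raise ValueError("falling level must be less than or equal to the rising level")

    def sample(self, rate):
        """Feed one 1-second measurement and return the filter state afterwards."""
        if self.err_disabled:
            self.state = "Link Down"
        elif rate >= self.rising:
            if self.state == "Forwarding":     # a storm is starting on this port
                if self.action == "trap":
                    self.traps += 1
                elif self.action == "shutdown":
                    self.err_disabled = True   # port is error-disabled for the storm
            self.state = "Link Down" if self.err_disabled else "Blocking"
        elif self.state == "Blocking" and rate < self.falling:
            self.state = "Forwarding"          # the storm has subsided
        self.history.append(self.state)
        return self.state


# Constructed broadcast rates (pps) measured on Gi0/1 over nine consecutive seconds
SAMPLES = [5, 12, 25, 30, 15, 8, 5, 22, 9]


def simulate(samples, rising, falling=None, action="filter"):
    """Run samples through storm control; return (states, traps sent, err_disabled)."""
    sc = StormControl(rising=rising, falling=falling, action=action)
    states = [sc.sample(r) for r in samples]
    return states, sc.traps, sc.err_disabled


if __name__ == "__main__":
    # Gi0/1 on the slide: upper 20 pps, lower 10 pps, default (filter) action
    print(simulate(SAMPLES, parse_rate("20"), parse_rate("10")))
    print(simulate(SAMPLES, 20, 10, action="trap"))
    print(simulate(SAMPLES, 20, 10, action="shutdown"))
```

The gap between the two levels is what keeps the port from flapping: at 15 pps the port stays blocked because the rate has not yet fallen below 10 pps, and with a single level (no level-low) the port would toggle on every sample that crosses it. With `action shutdown` the first storm error-disables the port, so a broadcast storm from a faulty host takes the port down rather than just being filtered.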

Page 58: Cisco security

Mitigating VLAN Attacks

[Diagram: trunk with Native VLAN = 10]

1. Disable trunking on all access ports.

2. Disable auto trunking and manually enable trunking.

3. Be sure that the native VLAN is used only for trunk lines and nowhere else.

Page 59: Cisco security

Controlling Trunking

Switch(config-if)# switchport mode trunk

• Specifies an interface as a trunk link

Switch(config-if)# switchport trunk native vlan vlan_number

• Sets the native VLAN on the trunk to an unused VLAN

Switch(config-if)# switchport nonegotiate

• Prevents the generation of DTP frames

Page 60: Cisco security

Traffic Analysis

A SPAN port mirrors traffic to another port where a monitoring device is connected. Without this, it can be difficult to track hackers after they have entered the network.

[Diagram: the attacker's traffic is mirrored to an IDS, RMON probe or protocol analyzer, which raises "Intruder Alert!"]

Page 61: Cisco security

CLI Commands

Switch(config)# monitor session session_number source {interface interface-id [, | -] [both | rx | tx]} | {vlan vlan-id [, | -] [both | rx | tx]} | {remote vlan vlan-id}

Switch(config)# monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate] [ingress {dot1q vlan vlan-id | isl | untagged vlan vlan-id | vlan vlan-id}]} | {remote vlan vlan-id}

Page 62: Cisco security

Verify SPAN Configuration

Page 63: Cisco security

SPAN and IDS

[Diagram: attacker on F0/1, IDS on F0/2]

Use SPAN to mirror traffic in and out of port F0/1 to port F0/2.

Page 64: Cisco security

Overview of RSPAN

• An RSPAN port mirrors traffic to another port on another switch where a probe or IDS sensor is connected.

• This allows more switches to be monitored with a single probe or IDS.

[Diagram: source VLANs on several switches are carried over an RSPAN VLAN to the IDS, which raises "Intruder Alert!"]

Page 65: Cisco security

Configuring RSPAN

[Diagram: switches 2960-1 and 2960-2 joined by a trunk on FastEthernet 0/2 of each; monitored source on 2960-1 FastEthernet 0/1, sensor on 2960-2 FastEthernet 0/3]

2960-1(config)# vlan 100
2960-1(config-vlan)# remote-span
2960-1(config-vlan)# exit
2960-1(config)# monitor session 1 source interface FastEthernet 0/1
2960-1(config)# monitor session 1 destination remote vlan 100 reflector-port FastEthernet 0/24
2960-1(config)# interface FastEthernet 0/2
2960-1(config-if)# switchport mode trunk

2960-2(config)# vlan 100
2960-2(config-vlan)# remote-span
2960-2(config-vlan)# exit
2960-2(config)# monitor session 2 source remote vlan 100
2960-2(config)# monitor session 2 destination interface FastEthernet 0/3
2960-2(config)# interface FastEthernet 0/2
2960-2(config-if)# switchport mode trunk

1. Configure the RSPAN VLAN (the slide shows it only on 2960-1; the VLAN must be defined as a remote-span VLAN on every switch in the path, so it is repeated on 2960-2 above)

2. Configure the RSPAN source ports and VLANs

3. Configure the RSPAN traffic to be forwarded

Page 66: Cisco security

Verifying RSPAN Configuration

Switch# show monitor [session {session_number | all | local | range list | remote} [detail]] [ | {begin | exclude | include} expression]

[Diagram: 2960-1 and 2960-2]

Page 67: Cisco security

Layer 2 Guidelines

• Manage switches in as secure a manner as possible (SSH, out-of-band management, ACLs, etc.)

• Set all user ports to non-trunking mode (except if using Cisco VoIP)

• Use port security where possible for access ports

• Enable STP attack mitigation (BPDU guard, root guard)

• Use Cisco Discovery Protocol only where necessary (with phones it is useful)

• Configure PortFast on all non-trunking ports

• Configure root guard on STP root ports

• Configure BPDU guard on all non-trunking ports

Page 68: Cisco security

VLAN Practices

• Always use a dedicated, unused native VLAN ID for trunk ports

• Do not use VLAN 1 for anything

• Disable all unused ports and put them in an unused VLAN

• Manually configure all trunk ports and disable DTP on trunk ports

• Configure all non-trunking ports with switchport mode access
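The Layer 2 Guidelines and VLAN Practices above expressed as an audit of a running configuration, added here as a Python example that is not from the original course. The configuration excerpt is constructed for the demonstration (one hardened access port and four misconfigured ports); the checks are the guidelines on these two slides, plus the per-interface `spanning-tree bpduguard enable` form of BPDU guard, which the slides do not show but which the audit accepts as equivalent to the global default on a PortFast port.

```python
"""Audit interface stanzas against the Layer 2 and VLAN guidelines. Added
example, not from the original course: SAMPLE_CONFIG is constructed.
"""
from collections import OrderedDict

# Constructed running-config excerpt: a hardened access port, a bare access
# port, a trunk left on native VLAN 1 with DTP, a port with no mode set, and
# an unused port shut down but still in VLAN 1.
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
 switchport mode trunk
!
interface FastEthernet0/4
 switchport access vlan 10
!
interface FastEthernet0/5
 shutdown
!
"""


def parse_config(config):
    """Return (set of global commands, ordered {interface: [sub-commands]})."""
    globals_, ifaces, current = set(), OrderedDict(), None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line.startswith(" ") and current is not None:
            ifaces[current].append(line.strip())
        else:
            current = None                 # "!" or a global command ends the stanza
            if line and line != "!":
                globals_.add(line)
    return globals_, ifaces


def _vlan_arg(lines, prefix, default=1):
    """VLAN number following prefix, or default (VLAN 1 is the IOS default)."""
    return next((int(l.split()[-1]) for l in lines if l.startswith(prefix)), default)


def audit(config):
    """Check every interface; return a list of (interface, finding) tuples."""
    globals_, ifaces = parse_config(config)
    global_bpduguard = "spanning-tree portfast bpduguard default" in globals_
    findings = []
    for name, lines in ifaces.items():
        def has(prefix):
            return any(l.startswith(prefix) for l in lines)

        def note(msg):
            findings.append((name, msg))

        access_vlan = _vlan_arg(lines, "switchport access vlan ")
        if has("shutdown"):
            if access_vlan == 1:
                note("unused port is shut down but still in VLAN 1; assign an unused VLAN")
            continue
        if has("switchport mode trunk"):
            if _vlan_arg(lines, "switchport trunk native vlan ") == 1:
                note("trunk uses VLAN 1 as native VLAN; use a dedicated, unused VLAN")
            if not has("switchport nonegotiate"):
                note("trunk still negotiates DTP; add switchport nonegotiate")
            continue
        if not has("switchport mode access"):
            note("port mode not set, so DTP may negotiate a trunk; configure switchport mode access")
        if access_vlan == 1:
            note("user port in VLAN 1; move it to a user VLAN")
        if not has("switchport port-security"):
            note("no port security on access port")
        portfast = has("spanning-tree portfast")
        if not portfast:
            note("PortFast not enabled on access port")
        if not (has("spanning-tree bpduguard enable") or (global_bpduguard and portfast)):
            note("BPDU guard does not protect this port")
    return findings


if __name__ == "__main__":
    for iface, msg in audit(SAMPLE_CONFIG):
        print(f"{iface}: {msg}")
```

Feeding the output of `show running-config` into `audit` gives a per-port list of which guideline each port misses; FastEthernet0/1 in the sample passes every check, and the global `spanning-tree portfast bpduguard default` only counts for ports that actually have PortFast, which is why FastEthernet0/2 and FastEthernet0/4 are flagged for BPDU guard as well.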

Page 69: Cisco security

Overview of Wireless, VoIP Security


Page 70: Cisco security

Overview of SAN Security


Page 71: Cisco security

Infrastructure-Integrated Approach

• Proactive threat and intrusion detection capabilities that do not simply detect wireless attacks but prevent them

• Comprehensive protection to safeguard confidential data and communications

• Simplified user management with a single user identity and policy

• Collaboration with wired security systems

Page 72: Cisco security

Cisco IP Telephony Solutions

• Single-site deployment

• Centralized call processing with remote branches

• Distributed call-processing deployment

• Clustering over the IP WAN

Page 73: Cisco security

Storage Network Solutions

• Investment protection

• Virtualization

• Security

• Consolidation

• Availability

Page 74: Cisco security

Cisco Wireless LAN Controllers

• Responsible for system-wide wireless LAN functions

• Work in conjunction with APs and the Cisco Wireless Control System (WCS) to support wireless applications

• Smoothly integrate into existing enterprise networks

Page 75: Cisco security

Wireless Hacking

• War driving

• A neighbor hacks into another neighbor's wireless network to get free Internet access or access information

• Free Wi-Fi provides an opportunity to compromise the data of users

Page 76: Cisco security

Hacking Tools

• Network Stumbler

• Kismet

• AirSnort

• CoWPAtty

• ASLEAP

• Wireshark

Page 77: Cisco security

Safety Considerations

• Wireless networks using WEP or WPA/TKIP are not very secure and are vulnerable to hacking attacks.

• Wireless networks using WPA2/AES should have a passphrase at least 21 characters long.

• If an IPsec VPN is available, use it on any public wireless LAN.

• If wireless access is not needed, disable the wireless radio or wireless NIC.

Page 78: Cisco security

VoIP Business Advantages

• Lower telecom call costs

• Productivity increases

• Lower costs to move, add, or change

• Lower ongoing service and maintenance costs

• Little or no training costs

• No major set-up fees

• Enables unified messaging

• Encryption of voice calls is supported

• Fewer administrative personnel required

[Diagram: PSTN connected through a VoIP Gateway]

Page 79: Cisco security

VoIP Components

[Diagram: Cisco Unified Communications Manager (Call Agent), MCU, Cisco Unity, IP Phones, Videoconference Station and Router/Gateways connected over the IP Backbone; the Router/Gateways connect to the PSTN]

Page 80: Cisco security

VoIP Protocols

H.323: ITU standard protocol for interactive conferencing; evolved from the H.320 ISDN standard; flexible, complex

MGCP: Emerging IETF standard for PSTN gateway control; thin device control

Megaco/H.248: Joint IETF and ITU standard for gateway control with support for multiple gateway types; evolved from the MGCP standard

SIP: IETF protocol for interactive and noninteractive conferencing; simpler but less mature than H.323

RTP: IETF standard media-streaming protocol

RTCP: IETF protocol that provides out-of-band control information for an RTP flow

SRTP: IETF protocol that encrypts RTP traffic as it leaves the voice device

SCCP: Cisco proprietary protocol used between Cisco Unified Communications Manager and Cisco IP phones

Page 81: Cisco security

Threats

• Reconnaissance
• Directed attacks such as spam over IP telephony (SPIT) and spoofing
• DoS attacks such as DHCP starvation, flooding, and fuzzing
• Eavesdropping and man-in-the-middle attacks

Page 82: Cisco security

VoIP SPIT

• If SPIT grows like spam, it could result in regular DoS problems for network administrators.
• Antispam methods do not block SPIT.
• Authenticated TLS stops most SPIT attacks because TLS endpoints accept packets only from trusted devices.

Illustration: a SPIT message reading “You’ve just won an all expenses paid vacation to the U.S. Virgin Islands!!!”

Page 83: Cisco security

Fraud

• Fraud takes several forms:
– Vishing—A voice version of phishing that is used to compromise confidentiality.
– Theft and toll fraud—The stealing of telephone services.
• Use features of Cisco Unified Communications Manager to protect against fraud.
– Partitions limit what parts of the dial plan certain phones have access to.
– Dial plan filters control access to exploitive phone numbers.
– FACs prevent unauthorized calls and provide a mechanism for tracking.

Page 84: Cisco security

SIP Vulnerabilities

• Registration hijacking: Allows a hacker to intercept incoming calls and reroute them.
• Message tampering: Allows a hacker to modify data packets traveling between SIP addresses.
• Session tear-down: Allows a hacker to terminate calls or carry out VoIP-targeted DoS attacks.

Diagram: SIP servers/services (registrar, location database, SIP proxy) between SIP user agents.

Page 85: Cisco security

Using VLANs

• Creates a separate broadcast domain for voice traffic
• Protects against eavesdropping and tampering
• Renders packet-sniffing tools less effective
• Makes it easier to implement VACLs that are specific to voice traffic

Diagram: IP phone (10.1.110.3) in Voice VLAN 110 and desktop PC (171.1.1.1) in Data VLAN 10, sharing an 802.1Q trunk on port 5/1.

Page 86: Cisco security

Using Cisco ASA Adaptive Security Appliances

• Ensure SIP, SCCP, H.323, and MGCP requests conform to standards
• Prevent inappropriate SIP methods from being sent to Cisco Unified Communications Manager
• Rate limit SIP requests
• Enforce policy of calls (whitelist, blacklist, caller/called party, SIP URI)
• Dynamically open ports for Cisco applications
• Enable only “registered phones” to make calls
• Enable inspection of encrypted phone calls

Diagram: Cisco Adaptive Security Appliances at the Internet and WAN edges.

Page 87: Cisco security

Using VPNs

• Use IPsec for authentication
• Use IPsec to protect all traffic, not just voice
• Consider SLA with service provider
• Terminate on a VPN concentrator or large router inside of firewall to gain these benefits:
– Performance
– Reduced configuration complexity
– Managed organizational boundaries

Diagram: telephony servers and an SRST router connected across the IP WAN.

Page 88: Cisco security

Using Cisco Unified Communications Manager

• Signed firmware
• Signed configuration files
• Disable:
– PC port
– Setting button
– Speakerphone
– Web access

Page 89: Cisco security

SAN Security Considerations

Specialized network that enables fast, reliable access among servers and external storage resources

Diagram: SAN attached to the IP network.

Page 90: Cisco security

SAN Transport Technologies

• Fibre Channel – the primary SAN transport for host-to-SAN connectivity
• iSCSI – maps SCSI over TCP/IP and is another host-to-SAN connectivity model
• FCIP – a popular SAN-to-SAN connectivity model

Page 91: Cisco security

World Wide Name

• A 64-bit address that Fibre Channel networks use to uniquely identify each element in a Fibre Channel network
• Zoning can utilize WWNs to assign security permissions
• The WWN of a device is a user-configurable parameter.

Diagram: Cisco MDS 9020 Fabric Switch

Page 92: Cisco security

Zoning Operation

• Zone members see only other members of the zone.
• Zones can be configured dynamically based on WWN.
• Devices can be members of more than one zone.
• Switched fabric zoning can take place at the port or device level: based on physical switch port or based on device WWN or based on LUN ID.

Diagram: a SAN with Host1, Host2 and Disk1–Disk4 grouped into ZoneA, ZoneB and ZoneC. An example of Zoning. Note that devices can be members of more than 1 zone.

Page 93: Cisco security

Virtual Storage Area Network (VSAN)

Physical SAN islands are virtualized onto common SAN infrastructure

Diagram: Cisco MDS 9000 Family with VSAN Service

Page 94: Cisco security

Security Focus

Diagram: focus areas of a secure SAN: IP storage access, data integrity and secrecy, target access, SAN protocol, SAN management access, fabric access.

Page 95: Cisco security

SAN Management

Three main areas of vulnerability:
1. Disruption of switch processing
2. Compromised fabric stability
3. Compromised data integrity and confidentiality

Page 96: Cisco security

Fabric and Target Access

Three main areas of focus:
• Application data integrity
• LUN integrity
• Application performance

Page 97: Cisco security

VSANs

Two VSANs each with multiple zones. Disks and hosts are dedicated to VSANs although both hosts and disks can belong to multiple zones within a single VSAN. They cannot, however, span VSANs.

Diagram: Relationship of VSANs to Zones. VSAN 2 and VSAN 3 over a shared physical topology; hosts Host1–Host4 and disks Disk1–Disk6 are grouped into ZoneA, ZoneB, ZoneC and ZoneD.

Page 98: Cisco security

iSCSI and FCIP

• iSCSI leverages many of the security features inherent in Ethernet and IP
– ACLs are like Fibre Channel zones
– VLANs are like Fibre Channel VSANs
– 802.1X port security is like Fibre Channel port security
• FCIP security leverages many IP security features in Cisco IOS-based routers:
– IPsec VPN connections through public carriers
– High-speed encryption services in specialized hardware
– Can be run through a firewall

Page 99: Cisco security

Implementing Cisco Edge Network Security Solutions (300-206)

Module 2

Access Lists

Page 100: Cisco security

Objectives

• Describe the usage and rules of access lists
• Establish standard IP access lists
• Produce extended IP access lists
• Apply access lists to interfaces
• Monitor and verify access lists

Page 101: Cisco security

Objectives (continued)

• Create named access lists
• Use Security Device Manager to create standard and extended IP access lists
• Use Security Device Manager to create a router firewall

Page 102: Cisco security

Access Lists: Usage and Rules

• Access lists
– Permit or deny statements that filter traffic based on the source address, destination address, protocol type, and port number of a packet
– Available for IP, IPX, AppleTalk, and many other protocols

Page 103: Cisco security

Access List Usage

• You can create a standard access list that examines a packet for the packet’s source header information
• deny any statement
– Implicitly blocks all packets that do not meet the requirements of the access list
– Exists even though it is not shown as part of the access list
• With careful planning, you can create access lists that control which traffic crosses particular links
– And which segments of your network will have access to others

Page 104: Cisco security

Access List Usage (continued)

Page 105: Cisco security

Problems with Access Lists

• Lack of planning is one of the most common problems associated with access lists
• The need to enter the list sequentially into the router also presents problems
– You cannot move individual statements once they are entered
– When making changes, you must remove the list, using the no access-list [list number] command, and then retype the commands
• Access lists begin working the second they are applied to an interface

Page 106: Cisco security

Access List Rules

• Example of the structure of a standard IP access list:

RouterA(config)#access-list 1 deny 172.22.5.2 0.0.0.0
RouterA(config)#access-list 1 deny 172.22.5.3 0.0.0.0
RouterA(config)#access-list 1 permit any

• Router applies each line in the order in which you type it into the access list
• The no access-list [list #] command is used to remove an access list

Page 107: Cisco security

Access List Rules (continued)

Page 108: Cisco security

Access List Rules (continued)

• As a general rule, the lines with the most potential matches should be first in the list
– So that packets will not undergo unnecessary processing
• You should avoid unnecessarily long access lists
• After you create access lists, you must apply them to interfaces so they can begin filtering traffic
– You apply a list as either an outgoing or an incoming filter

Page 109: Cisco security

Access List Rules (continued)

• In summary, all access lists follow these rules:
– Routers apply lists sequentially in the order in which you type them into the router
– Routers apply lists to packets sequentially, from the top down, one line at a time
– Packets are processed only until a match is made
– Lists always end with an implicit deny
– Access lists must be applied to an interface as either inbound or outbound traffic filters
– Only one list, per protocol, per direction can be applied to an interface
– Access lists are effective as soon as they are applied

Page 110: Cisco security

Standard IP Access Lists

• Standard IP access lists
– Filter network traffic based on the source IP address only
– Using a standard IP access list, you can filter traffic by a host IP, subnet, or a network address
• Configure standard IP access lists:
– access-list [list #] [permit|deny] [source address] [source wildcard mask]
• Routers use wildcards to determine which bits in an address will be significant

Page 111: Cisco security

Standard IP Access Lists (continued)

Page 112: Cisco security

Standard IP Access Lists (continued)

Page 113: Cisco security

Standard IP Access Lists (continued)

Page 114: Cisco security

Standard IP Access Lists (continued)

Page 115: Cisco security

Standard IP Access Lists (continued)

Page 116: Cisco security

Standard IP Access List Examples

• Standard IP access lists permit or deny packets based only on the source address
– Addresses can be a single host address, a subnet address, or a full network address

Page 117: Cisco security

Page 118: Cisco security

Standard IP Access List Examples (continued)

Page 119: Cisco security

Standard IP Access List Examples (continued)

• Correct placement of a list is imperative
• To view the access lists defined on your router, use the show access-lists command
– For IP access lists you could also use the show ip access-lists command
• If you decide that an access list needs to be removed from an interface
– You can remove it with the no ip access-group [list #] command

Page 120: Cisco security

Page 121: Cisco security

Standard IP Access List Examples (continued)

Page 122: Cisco security

Standard IP Access List Examples (continued)

Page 123: Cisco security

Standard IP Access List Examples (continued)

Page 124: Cisco security

Standard IP Access List Examples (continued)

Page 125: Cisco security

Standard IP Access List Examples (continued)

• Application of the list as an outbound filter on FastEthernet0/0
– See Figure 10-15
• Use the show access-lists or show ip access-lists command followed by the show ip interface command
– To verify that the list has been entered and applied correctly

Page 126: Cisco security

Standard IP Access List Examples (continued)

Page 127: Cisco security

Page 128: Cisco security

Standard IP Access List Examples (continued)

Page 129: Cisco security

Monitoring Standard IP Access Lists

• Three main commands are available for monitoring access lists on your router
– show access-lists
– show ip access-lists
– show interfaces or show ip interface
• Use the no access-list [list #] command to remove the list
• Use the no ip access-group [list #] [direction] command to remove the application of the list

Page 130: Cisco security

Extended IP Access Lists

• Extended IP access lists
– Can filter by source IP address, destination IP address, protocol type, and application port number
– This granularity allows you to design extended IP access lists that:
• Permit or deny a single type of IP protocol
• Filter by a particular port of a particular protocol

Page 131: Cisco security

Extended IP Access Lists (continued)

• To configure extended IP access lists, you must create the list and then apply it to an interface using the following syntax
– access-list [list #] [permit|deny] [protocol] [source IP address] [source wildcard mask] [operator] [port] [destination IP address] [destination wildcard mask] [operator] [port] [log]

Page 132: Cisco security

Extended IP Access List Examples

Page 133: Cisco security

Page 134: Cisco security

Page 135: Cisco security

Extended IP Access List Examples (continued)

Page 136: Cisco security

The “Established” Parameter

• Established parameter
– Permits traffic from any host on any network to any destination, as long as the traffic was in response to a request initiated inside the network
• Example:

access-list 100 permit tcp any 15.0.0.0 0.255.255.255 established
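As an added example, not part of the slide deck: a Python model of the matching rules the Access List slides describe, covering sequential first-match evaluation, the implicit deny, wildcard-mask matching for standard lists (access list 1 and the VTY list 13 shown in this module) and the extended-list established keyword from access list 100 above. It assumes numbered ranges 1-99 (standard) and 100-199 (extended), models only the eq port operator, and treats established as a check for the TCP ACK or RST flags, which the hypothetical Packet class carries as a boolean.

```python
"""Model of Cisco IOS numbered IP access lists (standard 1-99, extended 100-199)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

AddrSpec = Tuple[int, int]       # (address, wildcard mask) as 32-bit integers
ANY: AddrSpec = (0, 0xFFFFFFFF)  # 'any': every bit of the wildcard is a don't-care bit

@dataclass
class Packet:                      # hypothetical packet summary (fields a router reads from headers)
    src: str
    dst: str
    proto: str = "ip"              # "tcp", "udp", "icmp", or "ip"
    sport: Optional[int] = None
    dport: Optional[int] = None
    tcp_ack_or_rst: bool = False   # True on segments of an already open TCP session

@dataclass
class Entry:
    action: str                    # "permit" or "deny"
    proto: str                     # standard lists behave as protocol "ip"
    src: AddrSpec
    dst: AddrSpec                  # standard lists: ANY (they filter on source only)
    sport: Optional[int]
    dport: Optional[int]
    established: bool
    hits: int = 0                  # per-line match counter, as 'show access-lists' shows

def _addr(tokens: List[str]) -> AddrSpec:
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))

def _port(tokens: List[str]) -> Optional[int]:
    if tokens and tokens[0] == "eq":   # 'eq' is the only port operator modelled here
        tokens.pop(0)
        return int(tokens.pop(0))
    return None

def parse_entry(line: str) -> Entry:
    tokens = line.split()
    assert tokens[0] == "access-list" and tokens[2] in ("permit", "deny"), line
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if 1 <= number <= 99:          # standard list: source address (+ wildcard) only
        return Entry(action, "ip", _addr(rest), ANY, None, None, False)
    proto = rest.pop(0)            # extended list
    src, sport = _addr(rest), _port(rest)
    dst, dport = _addr(rest), _port(rest)
    return Entry(action, proto, src, dst, sport, dport, "established" in rest)

def parse_acl(text: str) -> List[Entry]:
    """Lines stay in the order typed: the router evaluates them top down."""
    return [parse_entry(l) for l in text.splitlines() if l.strip()]

def addr_matches(spec: AddrSpec, ip: str) -> bool:
    """Wildcard semantics: a 0 bit must match the address, a 1 bit is ignored."""
    addr, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)

def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto not in ("ip", p.proto):
        return False
    if not (addr_matches(e.src, p.src) and addr_matches(e.dst, p.dst)):
        return False
    if e.sport not in (None, p.sport) or e.dport not in (None, p.dport):
        return False
    # 'established': only TCP segments with ACK or RST set (replies to inside-initiated sessions)
    if e.established and not (p.proto == "tcp" and p.tcp_ack_or_rst):
        return False
    return True

def evaluate(acl: List[Entry], p: Packet) -> str:
    """First match wins; a packet matching no line hits the implicit 'deny any'."""
    for e in acl:
        if entry_matches(e, p):
            e.hits += 1
            return e.action
    return "deny"

# The lists shown on the slides (access lists 1, 100 and 13).
ACL_1 = parse_acl("""
access-list 1 deny 172.22.5.2 0.0.0.0
access-list 1 deny 172.22.5.3 0.0.0.0
access-list 1 permit any
""")
ACL_100 = parse_acl("access-list 100 permit tcp any 15.0.0.0 0.255.255.255 established")
ACL_13 = parse_acl("access-list 13 permit 192.168.12.0 0.0.0.255")

if __name__ == "__main__":
    reply = Packet("8.8.8.8", "15.1.2.3", "tcp", 80, 40000, tcp_ack_or_rst=True)
    syn = Packet("8.8.8.8", "15.1.2.3", "tcp", 40000, 80)
    print(evaluate(ACL_1, Packet("172.22.5.2", "10.0.0.1")))   # deny   (line 1)
    print(evaluate(ACL_1, Packet("172.22.5.4", "10.0.0.1")))   # permit (line 3)
    print(evaluate(ACL_100, reply), evaluate(ACL_100, syn))    # permit deny
```

The syn case shows why the slide calls this a response-only permit: a new inbound connection attempt to 15.0.0.0/8 matches no line and is dropped by the implicit deny.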

Page 137: Cisco security

Monitoring Extended IP Access Lists

• The same commands used to monitor standard IP access lists are used to monitor extended IP access lists
• Extended IP lists keep track of the number of packets that pass each line of an access list
– The clear access-list counters [list #] command clears the counters
– The no access-list [list#] command removes the list
– The no ip access-group [list#] [direction] command removes the application of the list

Page 138: Cisco security

Monitoring Extended IP Access Lists

Page 139: Cisco security

Monitoring Extended IP Access Lists

Page 140: Cisco security

Using Named Lists

• Named access lists
– In Cisco IOS versions 11.2 and above, names instead of numbers can be used to identify lists
• To name a standard IP access list, use the following syntax:

RouterC(config)#ip access-list standard [name]

• To name an extended IP access list, use the following syntax:

RouterC(config)#ip access-list extended [name]

Page 141: Cisco security

Using Named Lists (continued)

• Once the list is named, the permit or deny statement is entered
• The commands follow the same syntax as unnamed lists
– The beginning part of the command is not included
• To apply a standard IP named list to an interface, the syntax is:

RouterC(config-if)#ip access-group [name] [in | out]

Page 142: Cisco security

Using Named Lists (continued)

• Advantages:
– Allows you to maintain security by using an easily identifiable access list
– Removes the limit of 100 lists per filter type
– With named access lists, lines can be selectively deleted from the ACL
– Named ACLs provide greater flexibility to network administrators who work in environments where large numbers of ACLs are needed

Page 143: Cisco security

Controlling VTY Line Access

• Access lists are used for both traffic flow and security
• One useful security feature of access lists is restricting access to telnet on your router
– By controlling VTY line access
• You must first create a standard IP access list that permits the management workstation

RouterA(config)#access-list 12 permit 192.168.12.12 0.0.0.0

• Then, it must be applied to the VTY lines

access-class [acl #] in | out

Page 144: Cisco security

Controlling VTY Line Access (continued)

• To apply access list 12 to the VTY lines, use the following command:

RouterA(config)#line vty 0 4
RouterA(config-line)#access-class 12 in

• The commands to restrict access to the VTY lines to network 192.168.12.0/24 only are:

RouterA(config)#access-list 13 permit 192.168.12.0 0.0.0.255
RouterA(config)#line vty 0 4
RouterA(config-line)#access-class 13 in

Page 145: Cisco security

Using Security Device Manager to Create Access Control Lists

• Using the SDM, an administrator can accomplish all the tasks that formerly required use of the CLI interface
• SDM allows you to easily create a standard or an extended access list or, as it is known in the SDM, an Access Control List (ACL)

Page 146: Cisco security

Page 147: Cisco security

Page 148: Cisco security

Page 149: Cisco security

Page 150: Cisco security

Page 151: Cisco security

Page 152: Cisco security

Using Security Device Manager to Create a Router Firewall

• Unlike the CLI, the SDM allows a router to be configured as a firewall

Page 153: Cisco security

Page 154: Cisco security

Page 155: Cisco security

Page 156: Cisco security

Using Security Device Manager to Create a Router Firewall (continued)

Page 157: Cisco security

Using Security Device Manager to Create a Router Firewall (continued)

Page 158: Cisco security

Page 159: Cisco security

Summary

• Access lists are one of the most important IOS tools for controlling network traffic and security
• Access lists are created in a two-step process
• All access lists are created sequentially and applied sequentially to all packets that enter an interface where the list is applied
• By default, access lists always end in an implicit deny any statement
• Only one access list per direction (inbound or outbound) per protocol can be applied to an interface

Page 160: Cisco security

Summary (continued)

• Standard IP access lists allow you to filter traffic based on the source IP address of a packet
• Extended IP access lists filter traffic based on source, destination, protocol type, and application type
• Access lists can be used to restrict telnet by controlling VTY line access
• Ranges of numbers represent all access lists

Page 161: Cisco security

Summary (continued)

• The SDM can be used to configure both standard and extended ACLs via the Additional Tasks configuration tab
• The SDM can be used to configure a router as either a Basic or Advanced firewall
• The main difference between a Basic and Advanced firewall is the ability to configure DMZ interfaces in the Advanced firewall setup wizard

Page 162: Cisco security

CCNA Guide to Cisco Networking Fundamentals, Fourth Edition

Chapter 14

Network Security

Page 163: Cisco security

Objectives

• Distinguish between the different types of network security threats
• Explain how to mitigate network security threats
• Implement SSH on Cisco routers and switches
• Configure VPNs with the Cisco Security Device Manager

Page 164: Cisco security

General Network Security

• Security policy
– An organization’s set of rules regarding how to handle and protect sensitive data
• A security policy should include:
– Physical security
– Acceptable use of applications
– Safeguarding data
– Remote access to the network
– Data center
– Wireless security

Page 165: Cisco security

General Network Security (continued)

• An effective security policy implements multiple layers of security
• A security policy should have three goals:
– To prevent the hacker from getting access to critical data
– To slow down the hacker enough to be caught
– To frustrate the hacker enough to cause him or her to quit the hacking attempt
• When designing a security policy, take care to specify exactly what you are trying to protect

Page 166: Cisco security

Protecting the Hardware

• The first level of security in any network is physical security
• Critical nodes of an organization should be separated from the general workforce
• The nodes should be kept in a central location where only a select group of people are allowed
• If office space is limited and nodes must be located near employees
– The servers should at least be stored in a locked cabinet

Page 167: Cisco security

Protecting the Hardware (continued)

Page 168: Cisco security

Protecting Software

• The primary threats against software are malware and hackers
• Malware
– Refers to malicious programs that have many different capabilities
• Hackers are usually driven by greed, ego, and/or vengeance
– They look to make personal gains through system vulnerabilities

Page 169: Cisco security

Malware Prevention

• The most important elements of a prevention plan
– Installing and maintaining virus prevention software
– Conducting virus awareness training for network users
• Types of malware
– Virus
– Worm
– Macro Virus
– Polymorphic Virus
– Stealth Virus

Page 170: Cisco security

Malware Prevention (continued)

• Types of malware (continued)
– Boot-Sector Virus
– Trojan or Trojan Horse
– Logic Bomb
• Virus prevention software
– Available for installation on entire networks
– Usually includes a version that will run on clients as well as servers
– Must be updated regularly to ensure your network is protected against all the latest malware threats

Page 171: Cisco security

Malware Prevention (continued)

• User training
– Users must be trained to update their antivirus software daily or, at a bare minimum, weekly
– Users also must learn how viruses are transmitted between computers
– Teach users to scan removable devices with the virus scanning software before using them

Page 172: Cisco security

Firewalls

• Firewall
– The primary method of keeping hackers out of a network
– Normally placed between a private LAN and the public Internet, where they act like gatekeepers
– Can be a hardware device or it can be software
– Types: personal and enterprise
• All data packets entering or exiting the network have to pass through an enterprise-level firewall
– Firewall filters (or analyzes) packets

Page 173: Cisco security

Firewalls (continued)

• Four firewall topologies
– Packet-filtering router
– Single-homed bastion
– Dual-homed bastion
– Demilitarized zone (DMZ)

Page 174: Cisco security

Page 175: Cisco security

Page 176: Cisco security

Page 177: Cisco security

Page 178: Cisco security

Firewalls (continued)

• Intrusion Detection Systems (IDS)
– A security device that can detect a hacker’s attempts to gain access to the network
– Can also detect virus outbreaks, worms, and distributed denial of service (DDoS) attacks
• Intrusion Prevention Systems (IPS)
– Like an IDS, except that it is placed in line so all packets coming in or going out of the network pass through it
– This allows an IPS to drop packets based on rules defined by the network administrator

Page 179: Cisco security

Permissions, Encryption, and Authentication

• Permission
– An official approval that allows a user to access a specific network resource
• Encryption
– Often consists of using security algorithms to scramble and descramble data
– Types of algorithms
• Symmetric key
• Asymmetric key

Page 180: Cisco security

Permissions, Encryption, and Authentication (continued)

Page 181: Cisco security

Permissions, Encryption, and Authentication (continued)

Page 182: Cisco security

Permissions, Encryption, and Authentication (continued)

• Secure Sockets Layer
– A means of encrypting a session between two hosts through the use of digital certificates, which are based on asymmetric key encryption
• Authentication
– The process by which users verify to a server that they are who they say they are
– There are several types of authentication
• Password authentication protocol (PAP)
• Challenge handshake authentication protocol (CHAP)

Page 183: Cisco security

Permissions, Encryption, and Authentication (continued)

• Additional authentication services supported by Cisco:
– Remote Authentication Dial-in User Service (RADIUS)
– Terminal Access Controller Access Control System Plus (TACACS+)
• These two common security protocols are based on the Authentication, Authorization, and Accounting (AAA) model

Page 184: Cisco security

Mitigating Security Threats

• The three basic strategies for mitigating security threats are:
– Using the SSH protocol to connect to your routers and switches rather than telnet
– Turning off unnecessary services
– Keeping up-to-date on security patches (software releases) with a patch management initiative

Page 185: Cisco security

Secure Shell (SSH) Connections

• Secure Shell (SSH) protocol
– Sends all data encrypted
• The two versions of SSH are SSH Version 1 and SSH Version 2
– SSH Version 2 is the recommended version
• Some SSH commands are mandatory and others are optional
• You must also generate an RSA key pair (asymmetric key encryption)
– Which enables SSH

Page 186: Cisco security

Secure Shell (SSH) Connections (continued)

• The preferred method is to implement SSH on all VTY lines
– Which ensures that all remote IP sessions to the router will be protected in the SSH tunnel
• The command sequence for enabling SSH is:

Router(config)#hostname SshRouter
SshRouter(config)#ip domain-name sshtest.com
SshRouter(config)#crypto key generate rsa
The name of the keys will be: SshRouter.sshtest.com

Page 187: Cisco security

Disabling Unnecessary Services

• You should disable the services unless your organization uses them
• Methods
– Go through the CLI and enter a series of commands for each service
– Use the Security Audit Wizard in the Cisco Security Device Manager (SDM)
• The following services are unnecessary on most networks:
– Finger Service
– PAD Service

Page 188: Cisco security

Disabling Unnecessary Services (continued)

• The following services are unnecessary on most networks: (continued)
– TCP Small Servers Service
– UDP Small Servers Service
– IP Bootp Server Service
– Cisco Discovery Protocol (CDP)
– IP Source Route
– Maintenance Operations Protocol (MOP)
– Directed Broadcast

Page 189: Cisco security

Disabling Unnecessary Services (continued)

• The following services are unnecessary on most networks: (continued)
– ICMP Redirects
– Proxy ARP
– IDENT
– IPv6

Page 190: Cisco security

Patch Management

• Your organization’s patch management program should account for all software in the organization
– Including commercial applications as well as applications developed in-house
• A patch management program should take into account the major software vendors’ patch release schedules
– As well as your organization’s business goals and needs
• Not all patches released by vendors are flawless

Page 191: Cisco security

Virtual Private Networks (VPNs)

• Virtual Private Networks (VPNs)
– A popular technology for creating a connection between an external computer and a corporate site over the Internet
• To establish a VPN connection, you need VPN-capable components
• Client-to-site VPN (also known as remote user VPN)
– A VPN that allows designated users to have access to the corporate network from remote locations

Page 192: Cisco security

Virtual Private Networks (VPNs)

Page 193: Cisco security

Virtual Private Networks (VPNs)

• Site-to-site VPN
– A VPN that allows multiple corporate sites to be connected over low-cost Internet connections
• You can choose from several tunneling protocols to create secure, end-to-end tunnels
– Point-to-Point Tunneling Protocol (PPTP)
– Layer 2 Tunneling Protocol (L2TP)
– Generic Routing Encapsulation (GRE)

Page 194: Cisco security

Virtual Private Networks (VPNs)

Page 195: Cisco security

IPSec

• IPSec
– A suite of protocols, accepted as an industry standard, which provides secure data transmission over layer 3 of the OSI model
– An IP standard and will only encrypt IP-based data
• IPSec supports two modes of operation: transport mode and tunnel mode

Page 196: Cisco security

IPSec (continued)

• Transport mode
– Primarily geared toward encrypting data that is being sent host-to-host
– Only encrypts and decrypts the individual data packets
• Which results in quite a bit of overhead on the processor
• Tunnel mode
– Encrypts all data in the tunnel and is the mode supported by Cisco components

Page 197: Cisco security

IPSec Protocols

• Two IPSec protocols have been developed to provide packet-level security
• They include the following characteristics:
– Authentication Header (AH)
– Encapsulating Security Payload (ESP)

Page 198: Cisco security

IPSec Authentication Algorithms

• Authentication algorithms use one of two Hashed Message Authentication Codes (HMAC)
– MD5 (message-digest algorithm 5)
– SHA-1 (secure hash algorithm)
• An HMAC is a secret key authentication algorithm that ensures data integrity and originality
– Based on the distribution of the secret key
• Cryptographic software keys are exchanged between hosts using an HMAC
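As an added example, not part of the slide deck: a Python model of the HMAC integrity check value (ICV) that IPsec AH and ESP compute with the two algorithms named above, HMAC-MD5 and HMAC-SHA-1, in their IPsec form truncated to 96 bits (RFC 2403 and RFC 2404). The payload-plus-ICV framing, the flip_bit helper and the sample key are constructed for the demo; they are not a real AH or ESP header.

```python
"""HMAC integrity check values (ICVs) in the truncated form IPsec AH and ESP use."""
import hashlib
import hmac
from typing import Optional

# IPsec carries only the leftmost 96 bits (12 bytes) of the HMAC output as the ICV:
# HMAC-MD5-96 (RFC 2403) and HMAC-SHA-1-96 (RFC 2404).
ICV_LEN = 12
ALGORITHMS = {"hmac-md5-96": hashlib.md5, "hmac-sha1-96": hashlib.sha1}


def compute_icv(key: bytes, data: bytes, algorithm: str = "hmac-sha1-96") -> bytes:
    """Keyed digest over the protected bytes, truncated to the 96-bit ICV."""
    return hmac.new(key, data, ALGORITHMS[algorithm]).digest()[:ICV_LEN]


def verify_icv(key: bytes, data: bytes, icv: bytes, algorithm: str = "hmac-sha1-96") -> bool:
    """Recompute under the shared secret and compare in constant time.

    Integrity: any changed bit in `data` changes the ICV.  Origin: only a peer
    holding the same secret key can produce a matching ICV.
    """
    return hmac.compare_digest(compute_icv(key, data, algorithm), icv)


def protect(key: bytes, payload: bytes, algorithm: str = "hmac-sha1-96") -> bytes:
    """Constructed framing for the demo: payload || ICV (not a real AH/ESP header)."""
    return payload + compute_icv(key, payload, algorithm)


def unprotect(key: bytes, frame: bytes, algorithm: str = "hmac-sha1-96") -> Optional[bytes]:
    """Split off the trailing ICV; return the payload only if it verifies."""
    if len(frame) < ICV_LEN:
        return None
    payload, icv = frame[:-ICV_LEN], frame[-ICV_LEN:]
    return payload if verify_icv(key, payload, icv, algorithm) else None


def flip_bit(frame: bytes, bit: int) -> bytes:
    """Simulate in-flight tampering or corruption of a single bit."""
    buf = bytearray(frame)
    buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)


if __name__ == "__main__":
    # Key and data from RFC 2202 test case 1; a real SA gets its key from IKE/ISAKMP.
    key = bytes.fromhex("0b" * 20)
    frame = protect(key, b"Hi There")
    print(frame[-ICV_LEN:].hex())                 # b617318655057264e28bc0b6
    print(unprotect(key, frame))                  # b'Hi There'
    print(unprotect(key, flip_bit(frame, 3)))     # None: payload altered in transit
    print(unprotect(bytes(20), frame))            # None: sender did not hold the key
```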

Page 199: Cisco security

IPSec Encryption Algorithms

• For encryption, the two most popular algorithms on IPSec networks are 3DES (tripleDES) and AES
– These protocols are used solely with the IPSec ESP protocol
• Remember, AH does not support encryption

Page 200: Cisco security

IPSec Key Management

• You need to pay attention to how keys are handed from node to node during IPSec authentication
• Two options are available
– Deliver the secret keys to all parties involved via e-mail or on disk
– Utilize a key management protocol
• Key management is defined by the Internet Security Association and Key Management Protocol (ISAKMP)
– Governed by RFC 2407 and 2408

Page 201: Cisco security

IPSec Transform Sets

• A transform set
– A configuration value (or simply stated, a command) that allows you to establish an IPSec VPN on a Cisco firewall
• You can create a transform set through the CLI or you can simply use the SDM GUI
• When creating an IPSec VPN you must specify a protocol, the algorithm, and the method of key management

Page 202: Cisco security

Creating VPNs with the Security Device Manager (SDM)

• Cisco supports VPNs with several different devices
• VPNs can be created on firewalls, routers, computers
– And even on a device specifically made for VPNs, called a VPN concentrator
• The following example focuses on using the Cisco Security Device Manager (SDM) Web utility to create a VPN on a Cisco router

Page 203: Cisco security

Page 204: Cisco security

Page 205: Cisco security

Page 206: Cisco security

Page 207: Cisco security

Page 208: Cisco security

Page 209: Cisco security

Page 210: Cisco security

Page 211: Cisco security

Page 212: Cisco security

Cisco Security Audit Wizard

• You can use the Cisco SDM to conduct security audits
• The SDM’s Security Audit Wizard
– Can be used to verify your router’s configuration
• And determine what security settings have and have not been configured
– Will also make recommendations as to which settings should be enabled
– Provides an easy to use GUI that allows you to make those changes

Page 213: Cisco security

Page 214: Cisco security

Page 215: Cisco security

Page 216: Cisco security

Page 217: Cisco security

Page 218: Cisco security

Page 219: Cisco security

Cisco Security Audit Wizard (continued)

Page 220: Cisco security

Summary

• Protecting the physical equipment where sensitive data resides is as important as protecting the data itself
• When securing an organization’s network, you must be sure to protect it against external threats as well as internal threats
• User training is a key element to protecting the network and the data within it
• Using an SSH connection to a router is a much more secure method of connecting to a router than clear text telnet

Page 221: Cisco security

Summary (continued)

• Disabling unnecessary services increases a router’s security
• IPSec is an industry-standard suite of protocols and algorithms that allow for secure encrypted VPN tunnels
• Cisco’s SDM is a multifunction Web utility that allows you to create VPNs and complete a security audit