Quản trị mạng - Chapter 6: Securing the local area network

ategy ? Refer to 6.1.1.1 • “The LAN-to-perimeter security strategy is based on the idea that if users are not practicing security in their desktop operations, no amount of security precautions will guarantee a secure network.” Policy Compliance Infection Containment Secure Addressing Endpoint Security Threat Protection Host Based on three elements: • Cisco Network Admission Control (NAC) • Endpoint protection • Network infection containment Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Introducing Endpoint Security Refer to 6.1.1.2 1. What’s the borderless network ? 2. What’s the benefit of cloud computing ? 3. What’s the two major components of traditional network security ? 4. What’s the SecureX architecture ? Operating Systems Basic Security Services 1. Trusted code and trusted path – ensures that the integrity of the operating system is not violated. Using hash message authentication codes (HMACs) or digital signatures Refer to 6.1.1.3 2. Privileged context of execution – provides identity authentication and certain privileges based on the identity 3. Process memory protection and isolation – provides separation from other users and their data 4. Access control to resources – ensures confidentiality and integrity of data Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Example: Verify the Integrity of Windows Vista System Files Types of Application Attacks • Modern operating systems provide each process with an identity and privileges. • Privilege switching is possible during program operation or during a single login session. Refer to 6.1.1.4 • These are a few techniques that help protect an endpoint from operating system vulnerabilities: 1.Least privilege concept 2. Isolation between processes 3.Reference monitor 4.Small, verifiable pieces of code Types of Application Attacks Types of Application Attacks I have gained direct access to this application’s privileges I have gained access to Direct this system which is trusted by the other system, allowing me to access it. Indirect Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Cisco Systems Endpoint Security Solutions IronPortCisco Security Agent Cisco NAC Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Other Vendor Enpoint Security Solutions Cisco IronPort Products IronPort uses SenderBase, the world's largest threat detection database, to help provide preventive and reactive security measures. Refer to 6.1.2.1 IronPort products include: • C-Series- an E-mail security appliances for virus and spam control • S-Series- a Web security appliance for spyware filtering, URL filtering, and anti-malware • M-Series- a Security management appliance Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com IronPort C-Series InternetInternet Before IronPort Firewall After IronPort Firewall Encryption Platform MTA DLP Scanner Antispam Antivirus Policy Enforcement Mail Routing IronPort E-mail Security Appliance Groupware Users Users Groupware DLP Policy Manager Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com IronPort S-Series Web Proxy Firewall Firewall Before IronPort After IronPort InternetInternet Antispyware Antivirus Antiphishing URL Filtering Policy Management Users Users IronPort S-Series Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Endpoint Security with Network Admission Control NAC Framework The purpose of NAC:
Allow only authorized and compliant systems to access the network
To enforce network security policy Cisco NAC Appliance Refer to 6.1.3 • Software module embedded within NAC-enabled products • Integrated framework leveraging multiple Cisco and NAC-aware vendor products • In-band Cisco NAC Appliance solution can be used on any switch or router platform • Self-contained, turnkey solution Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com The NAC Framework AAA ServerCredentials Credentials Vendor Servers Hosts Attempting Network Access Network Access Devices Policy Server Decision Points and RemediationEnforcement Credentials EAP/UDP, EAP/802.1x RADIUS HTTPS Access Rights Notification Cisco Trust Agent Comply? Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com NAC Components • Cisco NAC Appliance Server(NAS) Serves as an in-band or out-of- band device for network access control • Cisco NAC Appliance Manager (NAM) • Cisco NAC Appliance Agent (NAA) Optional lightweight client for device-based registry scans in unmanaged environments • Rule-set updates Scheduled automatic updates for Centralizes management for administrators, support personnel, and operators antivirus, critical hotfixes, and other applications M G R Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Cisco NAC Appliance Process THE GOAL Cisco NAM 1. Host attempts to access a web page or uses an optional client. Network access is blocked until wired or wireless host provides login information. Authentication Server M G R Intranet/ Network 2. Host is redirected to a login page. Cisco NAC Appliance validates username and password, also performs device and network scans to assess vulnerabilities on device. Device is noncompliant or login is incorrect. Host is denied access and assigned to a quarantine role with access to online remediation resources. 3a. 3b. Device is “clean”. Machine gets on “certified devices list” and is granted access to network. Cisco NAS Quarantine Role 3. The host is authenticated and optionally scanned for posture compliance Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Access Windows Login Screen Scan is performed (types of checks depend on user role) Scan fails Remediate 4. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Endpoint Security with Cisco Security Agent Server Protected by Cisco Security Agent Administration Workstation EventsAlerts Management Center for Cisco Security Agent with Internal or External Database Security Policy SSL Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com CSA Overview File System Interceptor Network Interceptor Configuration Interceptor Execution Space Interceptor Application State Rules and Policies Rules Engine Correlation Engine Allowed Request Blocked Request Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com CSA Functionality Security Application NetworkInterceptor File System Interceptor Configuration Interceptor Execution Space Interceptor Distributed Firewall X ― ― ― Host Intrusion X ― ― XPrevention Application Sandbox ― X X X Network Worm Prevention X ― ― X File Integrity Monitor ― X X ― Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Attack Phases Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com CSA Log Messages Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Extra: Prerequisites for IOS NAC Endpoint Security with Network Admission Control • Refer to 6.1.3.4 Endpoint Security with Network Admission Control • Refer to 6.1.3.5 OSI Model • When it comes to networking, Layer 2 is often a very weak link. • If the Data Link Layer is hacked,communications are compromised without the other layers being aware of the problem. • Security is only as strong as the weakest link. • Regarding network security, the Data Link layer is offen the weakest link. Application StreamApplication Application MAC Addresses Physical Links IP Addresses Protocols and Ports Presentation Session Transport Network Data Link Physical C o m p r o m i s e d Presentation Session Transport Network Data Link Physical Initial Compromise Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com OSI Model • Why Layer 2 is weakest link ? • What is the common method of Refer to 6.2.1, Internet application subversion on the Internet ? OSI Model • What is Buffer Overflow Attack ? Refer to Internet MAC Address Spoofing Attack MAC Address: AABBcc AABBcc 12AbDdSwitch Port 1 2 The switch keeps track of the endpoints by maintaining a MAC address table. In MAC spoofing, the attacker poses as another host—in this case, AABBcc MAC Address: AABBcc Attacker Port 1 Port 2 MAC Address: 12AbDd I have associated Ports 1 and 2 with the MAC addresses of the devices attached. Traffic destined for each device will be forwarded directly. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com MAC Address Spoofing Attack AABBcc Switch Port 1 2 Attacker AABBcc 1 2I have changed the MAC address on my computer to match the server. MAC Address: AABBcc MAC Address: AABBccPort 1 Port 2 The device with MAC address AABBcc has changed locations to Port2. I must adjust my MAC address table accordingly. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com MAC Address Spoofing Attack Extra: ARP Spoofing (Man-in-the-middle) • ARP spoofing is to send fake, or “spoofed”, ARP message to an Ethernet LAN. Generally ,the aim is to associate the attacker’s MAC address with the IP address of another node (such as the default gateway). • Any traffic meant for that IP address would be mistakenly sent to the attacker instead. • The attacker could then choose to forward the traffic to the actual default gateway (passive sniffing) or modify the data before forwarding it (MITM) • The attacker could also launch a Denial-of-service attack against a victim by associating a nonexistent MAC address to the IP address of the victim’s default gateway. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Extra: ARP Spoofing (Man-in-the-middle) Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Extra: ARP Poisoning (MITM) Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com MAC Address Table Overflow Attack The switch can forward frames between PC1 and PC2 without flooding because the MAC address table contains port-to-MAC-address mappings in the MAC address table for these PCs. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com MAC Address Table Overflow Attack Intruder runs macof to begin sending unknown bogus MAC addresses. 3/25 MAC X 3/25 MAC Y 3/25 MAC Z XYZ MAC Port X 3/25 Y 3/25 C 3/25 Bogus addresses are added to the CAM table. CAM table is full. 12 A B C D VLAN 10 VLAN 10 3/25 flood Host C The switch floods the frames. Attacker sees traffic to servers B and D. VLAN 10 3 4 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com MAC Address Table Overflow Attack • Normal Switch Operation Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com MAC Address Table Overflow Attack • Flooding Behavior After a CAM Table Overflow Attack. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com STP Manipulation Attack • Spanning tree protocol operates by electing a root bridge • STP builds a tree topology • STP manipulation changes the topology of a F F Root Bridge Priority = 8192 MAC Address= 0000.00C0.1234 network—the attacking host appears to be the root bridge F F F B Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com STP Manipulation Attack Root Bridge Priority = 8192 F F F F F B F F Root Bridge F B F F Attacker The attacking host broadcasts out STP configuration and topology change BPDUs. This is an attempt to force spanning tree recalculations. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com STP Manipulation Attack • Converged STP Network. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com STP Manipulation Attack • Introducing a Rogue Switch. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com LAN Storm Attack Broadcast Broadcast Broadcast Broadcast Broadcast Broadcast • Broadcast, multicast, or unicast packets are flooded on all ports in the same VLAN. • These storms can increase the CPU utilization on a switch to 100%, reducing the performance of the network. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Storm Control Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com VLAN Attacks
Segmentation
Flexibility
Security VLAN = Broadcast Domain = Logical Network (Subnet) Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com VLAN Attacks • Refer to 6.2.6.2 802.1Q Server Trunk VLAN 20 VLAN 10 ServerAttacker sees traffic destined for servers A VLAN hopping attack can be launched in two ways: 1. Spoofing DTP Messages from the attacking host to cause the switch to enter trunking mode 2. Introducing a rogue switch and turning trunking on The best way to prevent a basic VLAN hopping attack is to turn off trunking on all ports, except the ones that specifically require trunking. On the required trunking ports, disable DTP (auto trunking) negotiations and manually enable trunking. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com VLAN Attacks Double-Tagging VLAN Attack The second switch receives the packet, on the native VLAN Attacker on VLAN 10, but puts a 20 tag in the packet The first switch strips off the first tag and does not retag it (native traffic is not retagged). It then forwards the packet to switch 2. 20 802.1Q, Frame 1 2 3 An important characteristic of the double- encapsulated VLAN hopping attack is that it works even if trunk ports are disabled. Victim (VLAN 20)Note: + This type of attack is unidirectional. + This attack works only if the trunk has the same native VLAN as the attacker. Trunk (Native VLAN = 10) 4 The second switch examines the packet, sees the VLAN 20 tag and forwards it accordingly. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com DHCP Server Spoofing • If an attacker connects a rogue DHCP server to the network, the rogue DHCP server can respond to a client’s DHCP request. Even though both the rogue DHCP server and the actual DHCP server respond to the request, the client uses the rogue DHCP server’s response if it reachs the client before the responese from the actual DHCP server. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Mitigating Layer 2 Attacks • Mitigating with Port Security • Mitigating with Root Guard • Mitigating with BPDU Guard • Mitigating with Storm Control • Mitigating with DHCP Snooping • Mitigating with SPAN, IDS,RSPAN Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Port Security Overview MAC A MAC A Port 0/1 allows MAC A Port 0/2 allows MAC B Port 0/3 allows MAC C 0/1 0/2 0/3 Attacker 1 Attacker 2 MAC F Allows an administrator to statically specify MAC Addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Port Security switchport mode access Switch(config-if)# • Sets the interface mode as access switchport port-security Switch(config-if)# • Enables port security on the interface switchport port-security maximum value Switch(config-if)# • Sets the maximum number of secure MAC addresses for the interface (optional) Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Switchport Port-Security Parameters Parameter Description mac-address mac-address (Optional) Specify a secure MAC address for the port by entering a 48-bit MAC aaddress. You can add additional secure MAC addresses up to the maximum value configured. vlan vlan-id (Optional) On a trunk port only, specify the VLAN ID and the MAC address. If no VLAN ID is specified, the native VLAN is used. vlan access (Optional) On an access port only, specify the VLAN as an access VLAN. vlan voice (Optional) On an access port only, specify the VLAN as a voice VLAN mac-address sticky (Optional) Enable the interface for sticky learning by entering only the mac-address sticky keywords. When sticky learning is enabled, the interface adds all secure MAC addresses that are dynamically learned to the running [mac-address] configuration and converts these addresses to sticky secure MAC addresses. Specify a sticky secure MAC address by entering the mac-address sticky mac-address keywords.. maximum value (Optional) Set the maximum number of secure MAC addresses for the interface. The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system. The active Switch Database Management (SDM) template determines this number. This number represents the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces. The default setting is 1. vlan [vlan-list] (Optional) For trunk ports, you can set the maximum number of secure MAC addresses on a VLAN. If the vlan keyword is not entered, the default value is used. ■ vlan: set a per-VLAN maximum value. ■ vlan vlan-list: set a per-VLAN maximum value on a range of VLANs separated by a hyphen or a series of VLANs separated by commas. For nonspecified VLANs, the per-VLAN maximum value is used. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Port Security Violation Configuration switchport port-security violation {protect | restrict | shutdown} Switch(config-if)# • Sets the violation mode (optional) switchport port-security mac-address Switch(config-if)# switchport port-security mac-address sticky Switch(config-if)# • Enables sticky learning on the interface (optional) mac-address • Enters a static secure MAC address for the interface (optional) Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Switchport Port-Security Violation Parameters Parameter Description protect (Optional) Set the security violation protect mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred. restrict (Optional) Set the security violation restrict mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred. shutdown (Optional) Set the security violation shutdown mode. In this mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and increments the violation counter. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shut down interface configuration commands. shutdown vlan Set the security violation mode to per-VLAN shutdown. In this mode, only the VLAN on which the violation occurred is error-disabled. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com errdisable recovery cause {psecure-violation } Port Security Aging Configuration switchport port-security aging {static | time time | type {absolute | inactivity}} Switch(config-if)# • Enables or disables static aging for the secure port or sets the aging time or type • The aging command allows MAC-Addresses on the Secure switchport to be deleted after the set aging time • This helps to avoid a situation where obsolete MAC- Address occupy the table and saturates causing a violation (when the max number exceeds) Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Switchport Port-Security Aging Parameters Parameter Description static Enable aging for statically configured secure addresses on this port. time time Specify the aging time for this port. The range is 0 to 1440 minutes. If the time is 0, aging is disabled for this port. type absolute Set absolute aging type. All the secure addresses on this port age out exactly after the time (minutes) specified and are removed from the secure address list. type inactivity Set the inactivity aging type. The secure addresses on this port age out only if there is no data traffic from the secure source address for the specified time period. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com show port-security interface {port-id} Typical Configuration S2 switchport mode access switchport port-security switchport port-security maximum 2 switchport port-security violation shutdown switchport port-security mac-address sticky switchport port-security aging time 120 Switch(config-if)# PC B Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Verifying Port Security sw-class# show port-security Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action (Count) (Count) (Count) --------------------------------------------------------------------------- Fa0/12 2 0 0 Shutdown --------------------------------------------------------------------------- Total Addresses in System (excluding one mac per port) : 0 Max Addresses limit in System (excluding one mac per port) : 1024 sw-class# show port-security interface f0/12 Port Security : Enabled Port status : Secure-down Violation mode : Shutdown Maximum MAC Addresses : 2 Total MAC Addresses : 1 Configured MAC Addresses : 0 Aging time : 120 mins Aging type : Absolute SecureStatic address aging : Disabled Security Violation Count : 0 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com View Secure MAC Addresses sw-class# show port-security address Secure Mac Address Table ------------------------------------------------------------------- Vlan Mac Address Type Ports Remaining Age (mins) ---- ----------- ---- ----- ------------- 1 0000.ffff.aaaa SecureConfigured Fa0/12 - ------------------------------------------------------------------- Total Addresses in System (excluding one mac per port) : 0 Max Addresses limit in System (excluding one mac per port) : 1024 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com clear port-security sticky MAC Address Notification NMS MAC A MAC B F1/1 = MAC A Switch CAM Table SNMP traps sent to NMS when new MAC addresses appear or when old ones time out.F1/2 F1/1 F2/1 MAC address notification allows monitoring of the MAC addresses, at the module and port level, added by the switch or removed from the CAM table for secure ports. F1/2 = MAC B F2/1 = MAC D (address ages out) MAC D is away from the network. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Extra: Configuration Guidelines Extra: Compatibility with Other Features Configure Portfast Server Workstation Command Description Switch(config-if)# spanning- tree portfast Enables PortFast on a Layer 2 access port and forces it to enter the forwarding stateimmediately. Switch(config-if)# no spanning-tree portfast Disables PortFast on a Layer 2 access port. PortFast is disabled by default. Switch(config)# spanning-tree portfast default Globally enables the PortFast feature on all nontrunking ports. Switch# show running-config interface type slot/port Indicates whether PortFast has been configured on a port. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com BPDU Guard F F F F F B Root Bridge Switch(config)# spanning-tree portfast bpduguard default • Globally enables BPDU guard on all ports with PortFast enabled BPDU Guard Enabled Attacker STP BPDU Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Display the State of Spanning Tree Switch# show spanning-tree summary totals Root bridge for: none. PortFast BPDU Guard is enabled UplinkFast is disabled BackboneFast is disabled Spanning tree default pathcost method used is short Name Blocking Listening Learning Forwarding STP Active -------------------- -------- --------- -------- ---------- ---------- 1 VLAN 0 0 0 1 1 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Receiving a BPDU on a PortFast-enabled port signals an invalid configuration, such as the connection of an unauthorized device, and the BPDU guard feature puts the port in an error-disabled state. Root Guard Root Bridge Priority = 0 MAC Address = 0000.0c45.1a5d F F F F F B F Root Guard Enabled Switch(config-if)# spanning-tree guard root • Enables root guard on a per-interface basis STP BPDU Priority = 0 MAC Address = 0000.0c45.1234 Attacker Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Verify Root Guard Switch# show spanning-tree inconsistentports Name Interface Inconsistency -------------------- ---------------------- ------------------ VLAN0001 FastEthernet3/1 Port Type Inconsistent VLAN0001 FastEthernet3/2 Port Type Inconsistent VLAN1002 FastEthernet3/1 Port Type Inconsistent VLAN1002 FastEthernet3/2 Port Type Inconsistent VLAN1003 FastEthernet3/1 Port Type Inconsistent VLAN1003 FastEthernet3/2 Port Type Inconsistent VLAN1004 FastEthernet3/1 Port Type Inconsistent VLAN1004 FastEthernet3/2 Port Type Inconsistent VLAN1005 FastEthernet3/1 Port Type Inconsistent VLAN1005 FastEthernet3/2 Port Type Inconsistent Number of inconsistent ports (segments) in the system :10 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Root guard is configured on a per-port basis. If a superior BPDU is received on the port, root guard puts the port into a root-inconsistent state. DHCP Snooping Configure DHCP Snooping IP Source Guard Dynamic ARP Inspection Dynamic ARP Inspection (DAI) determines the validity of an ARP packet based on the MAC address-to-IP address bindings stored in a DHCP snooping database. Configure DAI Protecting Against ARP Spoofing Attacks Example: Configure DAI in DHCP Environments ip dhcp snooping vlan 10 no ip dhcp snooping information option ip dhcp snooping ip dhcp-server 192.168.128.1 ip arp inspection vlan 10 ip arp inspection vlan 1 logging dhcp-bindings all ip arp inspection validate ip interface FastEthernet0/24 ip arp inspection trust ip dhcp snooping trust Example: Configure DAI in DHCP Environments interface FastEthernet0/24 ip arp inspection trust ip dhcp snooping trust show interface f0/10 status err-disabled • Switch#show interface f0/10 status err-disabled Port Name Status Reason Err- disabled Vlans Fa0/10 err-disabled arp-inspection show ip arp inspection Example: Configure DAI in non-DHCP Environments Storm Control Methods • Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic • Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received • Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received • Traffic rate in packets per second and for small frames. This feature is enabled globally. The threshold for small frames is configured for each interface. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com storm-control {{broadcast | multicast | unicast} level {level [level-low] | bps bps [bps-low] | pps pps [pps-low]}} | {action {shutdown | trap}} Storm Control Configuration • Enables storm control • Specifies the level at which it is enabled Switch(config-if)# storm-control broadcast level 75.5 Switch(config-if)# storm-control multicast level pps 2k 1k Switch(config-if)# storm-control action shutdown • Specifies the action that should take place when the threshold (level) is reached, in addition to filtering traffic Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com storm-control broadcast level Storm Control Parameters Parameter Description broadcast This parameter enables broadcast storm control on the interface. multicast This parameter enables multicast storm control on the interface. unicast This parameter enables unicast storm control on the interface. level level [level-low] Rising and falling suppression levels as a percentage of total bandwidth of the port. • level: Rising suppression level. The range is 0.00 to 100.00. Block the flooding of storm packets when the value specified for level is reached. • level-low: (Optional) Falling suppression level, up to two decimal places. This value must be less than or equal to the rising suppression value. level bps bps [bps-low] Specify the rising and falling suppression levels as a rate in bits per second at which traffic is received on the port. • bps: Rising suppression level. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for bps is reached. • bps-low: (Optional) Falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value. level pps pps [pps-low] Specify the rising and falling suppression levels as a rate in packets per second at which traffic is received on the port. • pps: Rising suppression level. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for pps is reached. • pps-low: (Optional) Falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value. action {shutdown|trap} The action taken when a storm occurs on a port. The default action is to filter traffic and to not send an SNMP trap. The keywords have these meanings: • shutdown: Disables the port during a storm • trap: Sends an SNMP trap when a storm occurs Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Verify Storm Control Settings Switch# show storm-control Interface Filter State Upper Lower Current --------- ------------- ---------- --------- -------- -Gi0/1 Forwarding 20 pps 10 pps 5 pps Gi0/2 Forwarding 50.00% 40.00% 0.00% Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Trunk (Native VLAN = 10) Mitigating VLAN Attacks 1. Disable trunking on all access ports. 2. Disable auto trunking and manually enable trunking 3. Be sure that the native VLAN is used only for trunk lines and no where else Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com switchport mode trunk switchport nonegotiate . Switch(config-if)# • Specifies an interface as a trunk link Switch(config-if)# Controlling Trunking switchport trunk native vlan vlan_number • Prevents the generation of DTP frames. Switch(config-if)# • Set the native VLAN on the trunk to an unused VLAN Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Traffic Analysis
A SPAN port mirrors traffic to another port where a monitoring device is connected.
Without this, it can be difficult to track hackers after they have entered the network. “Intruder Alert!” IDS RMON Probe Protocol Analyzer Attacker Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring SPAN Switch(config)# monitor session session_number source {interface interface-id [, | -] [both | rx | tx]} | {vlan vlan-id [, | -] [both | rx | tx]}| {remote vlan vlan-id} Switch(config)# monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate] [ingress {dot1q vlan vlan-id | isl | untagged vlan vlan-id | vlan vlan-id}]} | {remote vlan vlan-id} Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Example Verify SPAN Configuration Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com SPAN and IDS IDS Use SPAN to mirror traffic in and out of port F0/1 F0/2 • SPAN is not required for syslog or SNMP. Attacker F0/1 to port F0/2. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Overview of RSPAN • An RSPAN port mirrors traffic to another port on another switch where a probe or IDS sensor is connected. • This allows more switches to be monitored with a single probe or IDS. “Intruder Alert!” IDS RSPAN VLAN Source VLAN Attacker Source VLAN Source VLAN Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring RSPAN 2960-1 2960-2 2960-1(config)# vlan 100 2960-1(config-vlan)# remote-span 2960-1(config-vlan)# exit 1. Configure the RPSAN VLAN 2. Configure the RSPAN source ports and VLANs 2960-1(config)# monitor session 1 source interface FastEthernet 0/1 2960-1(config)# monitor session 1 destination remote vlan 100 reflector-port FastEthernet 0/24 2960-1(config)# interface FastEthernet 0/2 2960-1(config-if)# switchport mode trunk 2960-2(config)# monitor session 2 source remote vlan 100 2960-2(config)# monitor session 2 destination interface FastEthernet 0/3 2960-2(config)# interface FastEthernet 0/2 2960-2(config-if)# switchport mode trunk 3. Configure the RSPAN traffic to be forwarded Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Verifying RSPAN Configuration 2960-1 2960-2 show monitor [session {session_number | all | local | range list | remote} [detail]] [ | {begin | exclude | include}expression] Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com RSPAN Configuration Guidelines • If traffic for a port is monitored in one direction, you can use Catalyst 2950 or 2955 switches as source, intermediate, or destination switches. • If traffic for a port is monitored in both directions, make sure that the intermediate switches and the destination switch are switches other than Catalyst 2950 or 2955 switches, such as Catalyst 3550, 3750, or 6000 switches. • A port cannot serve as an RSPAN source port or RSPAN destination port while designated as an RSPAN reflector port. • When you configure a switch port as a reflector port, it is no longer a normal switch port; only looped-back traffic passes through the reflector port. • You can configure any VLAN as an RSPAN VLAN as long as these conditions are met: – The RSPAN VLAN is not configured as a native VLAN. – Extended range RSPAN VLANs will not be propagated to other switches using VTP. – No access port is configured in the RSPAN VLAN. – All participating switches support RSPAN. • The RSPAN VLAN cannot be VLAN 1 (the default VLAN) or VLAN IDs 1002 through 1005 (reserved to Token Ring and FDDI VLANs). • You should create an RSPAN VLAN before configuring an RSPAN source or destination session. • If you enable VTP and VTP pruning, RSPAN traffic is pruned in the trunks to prevent the unwanted flooding of RSPAN traffic across the network for VLAN-IDs that are lower than 1005. Configuring PVLAN Edge • The Private VLAN (PVLAN) Edge feature, also known as protected ports, ensures that there is no exchange of unicast, broadcast, or multicast traffic between ports on the switch. • The characteristics of PVLAN Edge. Refer to 6.3.7.1 Configuring PVLAN Edge • To configure the PVLAN Edge feature, enter the command switchport protected in interface configuration mode. Reconmmended Practices for Layer 2 1. Manage switches in as secure a manner as possible (SSH, out-of-band management, ACLs, etc.) 2. Set all user ports to non-trunking mode (except if using Cisco VoIP) 3. Use port security where possible for access ports 4. Enable STP attack mitigation (BPDU guard, root guard) 5. Use Cisco Discovery Protocol only where necessary – with phones it is useful 6. Configure PortFast on all non-trunking ports 7. Configure root guard on STP root ports 8. Configure BPDU guard on all non-trunking ports Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com VLAN Practices 9. Always use a dedicated, unused native VLAN ID for trunk ports 10.Do not use VLAN 1 for anything 11.Disable all unused ports and put them in an unused VLAN 12.Manually configure all trunk ports and disable DTP on trunk ports 13.Configure all non-trunking ports with switchport mode access Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Overview of Wireless, VoIP Security Wireless VoIP Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Overview of SAN Security SAN Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Infrastructure-Integrated Approach • Proactive threat and intrusion detection capabilities that do not simply detect wireless attacks but prevent them • Comprehensive protection to safeguard confidential data and communications • Simplified user management with a single user identity and policy • Collaboration with wired security systems Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Cisco IP Telephony Solutions • Single-site deployment • Centralized call processing with remote branches • Distributed call- processing deployment • Clustering over the IPWAN Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Storage Network Solutions • Investment protection • Virtualization • Security • Consolidation • Availability Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Cisco Wireless LAN Controllers • Responsible for system-wide wireless LAN functions • Work in conjunction with Aps and the Cisco Wireless Control System (WCS) to support wireless applications • Smoothly integrate into existing enterprise networks Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Wireless Hacking • War driving • A neighbor hacks into another neighbor’s wireless network to get free Internet access or access information • Free Wi-Fi provides an opportunity to compromise the data of users Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Hacking Tools • Network Stumbler • Kismet • AirSnort • CoWPAtty • ASLEAP • Wireshark Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Wireless Security Solutions • Wireless networks using WEP or WPA/TKIP are not very secure and vulnerable to hacking attacks. • Wireless networks using WPA2/AES should have a passphrase of at least 21 characters long. • If an IPsec VPN is available, use it on any public wireless LAN. • If wireless access is not needed, disable the wireless radio or wireless NIC. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com VoIP Business Advantages • Little or no training costs • Mo major set-up fees PSTN VoIP Gateway • Lower telecom call costs • Productivity increases • Lower costs to move, add, or change • Lower ongoing service and maintenance costs • Enables unified messaging • Encryption of voice calls is supported • Fewer administrative personnel required Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com VoIP Components Cisco Unified Communications Manager (Call Agent) MCU IP Backbone PSTN Cisco Unity IP Phone IP Phone Videoconference Station Router/ Gateway Router/ Gateway Router/ Gateway Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com VoIP Protocols VoIP Protocol Description H.323 ITU standard protocol for interactive conferencing; evolved from H.320 ISDN standard; flexible, complex MGCP Emerging IETF standard for PSTN gateway control; thin device control Megaco/H.248 Joint IETF and ITU standard for gateway control with support for multiple gateway types; evolved from MGCP standard SIP IETF protocol for interactive and noninteractive conferencing; simpler but less mature than H.323 RTP ETF standard media-streaming protocol RTCP IETF protocol that provides out-of-band control information for an RTP flow SRTP IETF protocol that encrypts RTP traffic as it leaves the voice device SCCP Cisco proprietary protocol used between Cisco Unified Communications Manager and Cisco IP phones Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Threats • Reconnaissance • Directed attacks such as spam over IP telephony (SPIT) and spoofing • DoS attacks such as DHCP starvation, flooding, and fuzzing • Eavesdropping and man-in-the-middle attacks Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com VoIP SPIT (VoIP Spam) • If SPIT grows like spam, it could result in regular DoS problems for network administrators. • Antispam methods do not block SPIT. • Authenticated TLS stops most SPIT attacks because TLS endpoints accept packets only from trusted devices. You’ve just won an all expenses paid vacation to the U.S. Virgin Islands !!! Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Fraud • Fraud takes several forms: – Vishing—A voice version of phishing that is used to compromise confidentiality. – Theft and toll fraud —The stealing of telephone services. • Use features of Cisco Unified Communications Manager to protect against fraud. – Partitions limit what parts of the dial plan certain phones have access to. – Dial plans filter control access to exploitive phone numbers. – FACs prevent unauthorized calls and provide a mechanism for tracking. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com SIP Vulnerabilities • Registration hijacking: Allows a hacker to intercept incoming calls and reroute them. • Message tampering: Allows a hacker to Registrar Registrar Location Database SIP Servers/Services modify data packets traveling between SIP addresses. • Session tear-down: Allows a hacker to terminate calls or carry out VoIP-targeted DoS attacks. SIP Proxy SIP User Agents SIP User Agents Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Using VLANs Voice VLAN = 110 Data VLAN = 10 IP phone 10.1.110.3 Desktop PC 5/1 • Creates a separate broadcast domain for voice traffic • Protects against eavesdropping and tampering • Renders packet-sniffing tools less effective • Makes it easier to implement (Vlan ACL) VACLs that are specific to voice traffic 802.1Q Trunk 171.1.1.1 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Voice VLAN Học viện mạng Bach Khoa - Website: www.bkacad.com 125 Using Cisco ASA Adaptive Security Appliances • Ensure SIP, SCCP, H.323, and MGCP requests conform to standards • Prevent inappropriate SIP methods from being sent to Cisco Unified Communications Manager • Rate limit SIP requests • Enforce policy of calls (whitelist, blacklist, caller/called party, SIP URI) • Dynamically open ports for Cisco applications • Enable only “registered phones” to make calls • Enable inspection of encrypted phone calls Internet WAN Cisco Adaptive Security Appliance Cisco Adaptive Security Appliance Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Using VPNs • Use IPsec for authentication • Use IPsec to protect all traffic, not just voice • Consider SLA with service provider Telephony Servers • Terminate on a VPN concentrator or large router inside of firewall to gain these benefits: • Performance • Reduced configuration complexity • Managed organizational boundaries IP WAN SRST Router Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Using Cisco Unified Communications Manager • Signed firmware • Signed configuration files • Disable: – PC port – Setting button – Speakerphone – Web access Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com SAN Security Considerations SAN IP Network Specialized network that enables fast, reliable access among servers and external storage resources Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com SAN Transport Technologies • Fibre Channel – the primary SAN transport for host-to-SAN connectivity • iSCSI – maps SCSI over TCP/IP and is another host-to-SAN connectivity LAN model • FCIP – a popular SAN-to- SAN connectivity model Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com World Wide Name • A 64-bit address that Fibre Channel networks use to uniquely identify each element in a Fibre Channel network • Zoning can utilize WWNs to assign security permissions • The WWN of a device is a user-configurable parameter. Cisco MDS 9020 Fabric Switch Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Zoning Operation • Zone members see only other members of the zone. • Zones can be configured dynamically based on WWN. • Devices can be members of more than one zone. • Switched fabric zoning can take SAN Disk1Host1 Disk2 Disk3 ZoneA ZoneC place at the port or device level: based on physical switch port or based on device WWN or based on LUN ID. Host2Disk4 ZoneB An example of Zoning. Note that devices can be members of more than 1 zone. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Virtual Storage Area Network (VSAN) Physical SAN islands are virtualized onto common SAN infrastructure Cisco MDS 9000 Family with VSAN Service Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Security Focus SAN Target AccessSAN Protocol SAN Management Access Secure SAN IP Storage access Data Integrity and Secrecy Fabric Access Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com SAN Management Three main areas of vulnerability: 1. Disruption of switch processing 2. Compromised fabric stability 3. Compromised data integrity and confidentiality Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Fabric and Target Access Three main areas of focus: • Application data integrity • LUN integrity • Application performance Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com VSANs Two VSANs each with multiple zones. Disks and hosts are dedicated to VSANs although both hosts and disks can belong to Physical Topology VSAN 2 Disk1Host1 Disk2 Disk3 ZoneA ZoneC Relationship of VSANs to Zones multiple zones within a single VSAN. They cannot, however, span VSANs.VSAN 3 Host2Disk4 Disk6 Disk5 Host4 Host3 ZoneB ZoneA ZoneD Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com iSCSI and FCIP • iSCSI leverages many of the security features inherent in Ethernet and IP –ACLs are like Fibre Channel zones –VLANs are like Fibre Channel VSANs –802.1X port security is like Fibre Channel port security • FCIP security leverages many IP security features in Cisco IOS-based routers: –IPsec VPN connections through public carriers –High-speed encryption services in specialized hardware –Can be run through a firewall Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com iSCSI and FCIP • iSCSI leverages many of the security features inherent in Ethernet and IP –ACLs are like Fibre Channel zones –VLANs are like Fibre Channel VSANs –802.1X port security is like Fibre Channel port security • FCIP security leverages many IP security features in Cisco IOS-based routers: –IPsec VPN connections through public carriers –High-speed encryption services in specialized hardware –Can be run through a firewall Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Summary • At Layer 2, a number of Vulnerabilities exist that require specialized mitigation techniques. • MAC address spoofing attacks are minimized with port security. • STP manipulatoin attacks are handled by BPDU guard and root guard. • MAC address table overflow attacks are addressed with port security, BPDU guard, and root guard. • Storm control is used to miligate LAN storm attacks. • VLAN attacks are controlled by disabling DTP and • Following basic guidelines for configuring trunk ports. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Summary • Port security provides a baseline security solution at the Access Layer. • Port security is verified using CLI show commands and the mac address-table notification command. • BPDU guard and root guard are designed to mitigate STP attacks. • SPAN enables port mirroring, which allows tracffic to be monitored through a switch. • RSPAN extends the functionality of SPAN to multiple switches and the trunks connecting them. • Recommended Layer 2 practices, especially for VLAN and trunk configurations, greatly improve Layer 2 security. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Summary • Modern enterprise networks deploy wireless, VoIP, and SAN devices that require specialized security solutions. • Wireless technologies are the most prone to network attacks. A number of technologies have evolved to miligate these attacks. • With the increased adoption of VoIP, serveral security considerations specific to VoIP technology have emerged. Recent advances in VoIP security address many of these concerns. • SAN technology enables faster, easier, more reliable access to data. Securing data is paramount, so technologies have developed specificlly to secure SANs and ensure data integrity and secrecy. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com