Network Administration - Chapter 6: Securing the Local Area Network
Modern enterprise networks deploy wireless, VoIP, and SAN devices that require specialized security solutions.
• Wireless technologies are the most prone to network attacks. A number of technologies have evolved to mitigate these attacks.
• With the increased adoption of VoIP, several security considerations specific to VoIP technology have emerged. Recent advances in VoIP security address many of these concerns.
• SAN technology enables faster, easier, more reliable access to data. Securing data is paramount, so technologies have been developed specifically to secure SANs and ensure data integrity and secrecy.
143 pages | Shared by: nguyenlam99 | Views: 849 | Downloads: 0
ategy ?
Refer to 6.1.1.1
• “The LAN-to-perimeter security strategy is based on
the idea that if users are not practicing security in their
desktop operations, no amount of security precautions
will guarantee a secure network.”
Addressing Endpoint Security
(Figure: a secure host rests on three pillars: policy compliance, threat protection, and infection containment.)
Based on three elements:
• Cisco Network Admission Control (NAC)
• Endpoint protection
• Network infection containment
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Introducing Endpoint Security
Refer to 6.1.1.2
1. What is the borderless network?
2. What is the benefit of cloud computing?
3. What are the two major components of traditional network security?
4. What is the SecureX architecture?
Operating Systems Basic Security Services
Refer to 6.1.1.3
1. Trusted code and trusted path: ensures that the integrity of the operating system is not violated, using hash message authentication codes (HMACs) or digital signatures to verify the code that is loaded.
2. Privileged context of execution: provides identity authentication and certain privileges based on the identity.
3. Process memory protection and isolation: provides separation from other users and their data.
4. Access control to resources: ensures confidentiality and integrity of data.
Example: Verify the Integrity of Windows Vista System Files
Types of Application Attacks
Refer to 6.1.1.4
• Modern operating systems provide each process with an identity and privileges.
• Privilege switching is possible during program operation or during a single login session.
• These are a few techniques that help protect an endpoint from operating system vulnerabilities:
1. Least privilege concept
2. Isolation between processes
3. Reference monitor
4. Small, verifiable pieces of code
Types of Application Attacks
• Direct: "I have gained direct access to this application's privileges."
• Indirect: "I have gained access to this system, which is trusted by the other system, allowing me to access it."
Cisco Systems Endpoint Security Solutions
• IronPort
• Cisco Security Agent
• Cisco NAC
Other Vendor Endpoint Security Solutions
Cisco IronPort Products
Refer to 6.1.2.1
IronPort uses SenderBase, the world's largest threat detection database, to help provide preventive and reactive security measures.
IronPort products include:
• C-Series: an e-mail security appliance for virus and spam control
• S-Series: a web security appliance for spyware filtering, URL filtering, and anti-malware
• M-Series: a security management appliance
IronPort C-Series
(Figure: before IronPort, Internet mail passes through the firewall to an MTA and on to groupware and users. After IronPort, the IronPort E-mail Security Appliance sits behind the firewall and combines the encryption platform, DLP scanner, antispam, antivirus, policy enforcement, and mail routing in front of groupware and users, managed by a DLP policy manager.)
IronPort S-Series
(Figure: before IronPort, users reach the Internet through a web proxy behind the firewall. After IronPort, the IronPort S-Series appliance behind the firewall adds antispyware, antivirus, antiphishing, URL filtering, and policy management.)
Endpoint Security with Network Admission Control
Refer to 6.1.3
The purpose of NAC:
• Allow only authorized and compliant systems to access the network
• Enforce network security policy
NAC Framework
• Software module embedded within NAC-enabled products
• Integrated framework leveraging multiple Cisco and NAC-aware vendor products
Cisco NAC Appliance
• In-band Cisco NAC Appliance solution can be used on any switch or router platform
• Self-contained, turnkey solution
The NAC Framework
(Figure: hosts attempting network access run the Cisco Trust Agent and present credentials over EAP/UDP or EAP/802.1x to the network access devices, which are the enforcement points. The access devices relay the credentials over RADIUS to the policy server decision points (the AAA server), which can consult vendor servers over HTTPS. The policy server answers the question "Comply?" and returns access rights and a notification, after which the host is admitted, denied, or sent to remediation.)
NAC Components
• Cisco NAC Appliance Server (NAS): serves as an in-band or out-of-band device for network access control
• Cisco NAC Appliance Manager (NAM): centralizes management for administrators, support personnel, and operators
• Cisco NAC Appliance Agent (NAA): optional lightweight client for device-based registry scans in unmanaged environments
• Rule-set updates: scheduled automatic updates for antivirus, critical hotfixes, and other applications
Cisco NAC Appliance Process
The goal: the host is authenticated and optionally scanned for posture compliance before it reaches the intranet.
1. The host attempts to access a web page or uses an optional client. Network access is blocked until the wired or wireless host provides login information.
2. The host is redirected to a login page. Cisco NAC Appliance (the NAS, working with the NAM and an authentication server) validates the username and password, and also performs device and network scans to assess vulnerabilities on the device.
3. The host is authenticated and optionally scanned for posture compliance.
3a. The device is noncompliant or the login is incorrect: the host is denied access and assigned to a quarantine role with access to online remediation resources.
3b. The device is "clean": the machine is put on the "certified devices list" and is granted access to the network.
4. (Figure: from the Windows login screen a scan is performed, where the types of checks depend on the user role; if the scan fails, the host must remediate before it is granted access.)
Endpoint Security with Cisco Security Agent
(Figure: servers protected by Cisco Security Agent send events and alerts over SSL to the Management Center for Cisco Security Agent, which uses an internal or external database and is operated from an administration workstation; the Management Center pushes the security policy back to the agents.)
CSA Overview
(Figure: four interceptors (file system, network, configuration, and execution space) pass each request to the rules engine, which consults the application state, the rules and policies, and the correlation engine, and then either allows or blocks the request.)
CSA Functionality
Security Application        Network      File System   Configuration   Execution Space
                            Interceptor  Interceptor   Interceptor     Interceptor
Distributed Firewall        X            -             -               -
Host Intrusion Prevention   X            -             -               X
Application Sandbox         -            X             X               X
Network Worm Prevention     X            -             -               X
File Integrity Monitor      -            X             X               -
Attack Phases
CSA Log Messages
Extra: Prerequisites for IOS NAC
Endpoint Security with Network Admission Control
• Refer to 6.1.3.4
• Refer to 6.1.3.5
OSI Model
• When it comes to networking, Layer 2 is often a very weak link.
• If the Data Link layer is hacked, communications are compromised without the other layers being aware of the problem.
• Security is only as strong as the weakest link.
• Regarding network security, the Data Link layer is often the weakest link.
(Figure: two OSI stacks side by side, Physical, Data Link, Network, Transport, Session, Presentation and Application, with physical links, MAC addresses, IP addresses, protocols and ports, and the application stream mapped to the layers. An initial compromise at the Data Link layer leaves every layer above it compromised, because each layer trusts the one below it.)
OSI Model
• Why is Layer 2 the weakest link? (Refer to 6.2.1)
• What is the common method of application subversion on the Internet? (Refer to the Internet)
• What is a buffer overflow attack? (Refer to the Internet)
MAC Address Spoofing Attack
The switch keeps track of the endpoints by maintaining a MAC address table. In MAC spoofing, the attacker poses as another host, in this case the host with MAC address AABBcc.
(Figure 1: the server with MAC address AABBcc is on switch port 1 and the attacker with MAC address 12AbDd is on port 2. Switch: "I have associated Ports 1 and 2 with the MAC addresses of the devices attached. Traffic destined for each device will be forwarded directly.")
(Figure 2: the attacker changes the MAC address of the attacking computer to AABBcc. Attacker: "I have changed the MAC address on my computer to match the server." Switch: "The device with MAC address AABBcc has changed locations to Port 2. I must adjust my MAC address table accordingly." Frames for the server now go to the attacker on port 2.)
Extra: ARP Spoofing (Man-in-the-middle)
• ARP spoofing sends fake, or "spoofed", ARP messages onto an Ethernet LAN. Generally, the aim is to associate the attacker's MAC address with the IP address of another node (such as the default gateway).
• Any traffic meant for that IP address is then mistakenly sent to the attacker instead.
• The attacker can then choose to forward the traffic to the actual default gateway (passive sniffing) or modify the data before forwarding it (MITM).
• The attacker can also launch a denial-of-service attack against a victim by associating a nonexistent MAC address with the IP address of the victim's default gateway.
Extra: ARP Poisoning (MITM)
MAC Address Table Overflow Attack
The switch can forward frames between PC1 and PC2 without flooding because the MAC address table contains port-to-MAC-address mappings for these PCs.
(Figure: hosts A, B, C and D are in VLAN 10; the intruder is on port 3/25.)
1. The intruder runs macof to begin sending frames with unknown, bogus source MAC addresses (X, Y, Z, ...).
2. The bogus addresses are added to the CAM table (X 3/25, Y 3/25, Z 3/25, ...) until the CAM table is full.
3. Because it can no longer learn the real hosts' addresses, the switch floods their frames out every port in VLAN 10.
4. The attacker on port 3/25 sees the traffic to servers B and D.
• Normal Switch Operation (figure only)
• Flooding Behavior After a CAM Table Overflow Attack (figure only)
STP Manipulation Attack
• Spanning Tree Protocol operates by electing a root bridge.
• STP builds a tree topology.
• STP manipulation changes the topology of a network: the attacking host appears to be the root bridge.
(Figure: a converged topology with the root bridge at priority 8192, MAC address 0000.00C0.1234; port states F = forwarding, B = blocking.)
The attacking host broadcasts STP configuration and topology change BPDUs. This is an attempt to force spanning tree recalculations.
(Figure: after the attack the attacker's host is elected root bridge and the forwarding and blocking ports are recomputed around it, so traffic between the two legitimate switches now passes through the attacker.)
• Converged STP Network (figure only)
• Introducing a Rogue Switch (figure only)
LAN Storm Attack
• Broadcast, multicast, or unicast packets are flooded on all ports in the same VLAN.
• These storms can increase the CPU utilization on a switch to 100%, reducing the performance of the network.
Storm Control
VLAN Attacks
VLANs provide segmentation, flexibility, and security.
VLAN = Broadcast Domain = Logical Network (Subnet)
VLAN Attacks
• Refer to 6.2.6.2
(Figure: the attacker's port has become an 802.1Q trunk, so the attacker sees traffic destined for the servers on VLAN 10 and VLAN 20.)
A VLAN hopping attack can be launched in two ways:
1. Spoofing DTP messages from the attacking host to cause the switch to enter trunking mode
2. Introducing a rogue switch and turning trunking on
The best way to prevent a basic VLAN hopping attack is to turn off trunking on all ports except the ones that specifically require trunking. On the required trunking ports, disable DTP (auto trunking) negotiation and manually enable trunking.
VLAN Attacks
Double-Tagging VLAN Attack
1. The attacker is on VLAN 10, which is also the native VLAN of the trunk, and sends an 802.1Q frame carrying two tags: an outer tag for VLAN 10 and an inner tag for VLAN 20.
2. The first switch strips off the outer tag and does not retag the frame, because native VLAN traffic is sent untagged on the trunk. It then forwards the frame to switch 2 over the trunk (native VLAN = 10).
3. The second switch receives the frame on the trunk, examines it, sees the VLAN 20 tag, and forwards it accordingly to the victim on VLAN 20.
An important characteristic of the double-encapsulated VLAN hopping attack is that it works even if trunking is disabled on the attacker's port: the attacker only needs an access port in the native VLAN.
Note:
+ This type of attack is unidirectional.
+ This attack works only if the trunk has the same native VLAN as the attacker's access VLAN.
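The three steps above can be followed byte by byte. The script below is an added example, not code from the slides or from Cisco: it builds the attacker's double-tagged 802.1Q frame and models the two switches with the behaviour described (native-VLAN frames leave the trunk untagged). It assumes, as Catalyst access ports do, that a frame tagged with the port's own access VLAN is accepted on ingress; the MAC addresses are constructed, and VLANs 10 and 20 are those of the figure. It also shows the two mitigations from the "Mitigating VLAN Attacks" slide later in the chapter: moving the native VLAN to an unused VLAN, and tagging the native VLAN (vlan dot1q tag native).

```python
import struct

TPID = 0x8100        # 802.1Q tag protocol identifier
ETH_IPV4 = 0x0800    # constructed payload type


def build_frame(dst, src, vlans, payload=b"hello"):
    """Ethernet frame with zero or more 802.1Q tags; vlans[0] is the outer tag."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    tags = b"".join(struct.pack("!HH", TPID, vid & 0x0FFF) for vid in vlans)
    return hdr + tags + struct.pack("!H", ETH_IPV4) + payload


def outer_tag(frame):
    """VLAN ID of the outermost 802.1Q tag, or None if the frame is untagged."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return tci & 0x0FFF if tpid == TPID else None


def strip_tag(frame):
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID, vid & 0x0FFF) + frame[12:]


def access_port_ingress(frame, access_vlan):
    """Classify a frame arriving on an access port (assumption: untagged, or tagged
    with the port's own access VLAN, is accepted; any other tag is dropped)."""
    vid = outer_tag(frame)
    if vid is None:
        return access_vlan, frame
    if vid == access_vlan:
        return access_vlan, strip_tag(frame)      # the outer tag is consumed here
    return None, None


def trunk_egress(vlan, frame, native_vlan, tag_native=False):
    """Native-VLAN frames leave the trunk untagged unless 'vlan dot1q tag native' is set."""
    if vlan == native_vlan and not tag_native:
        return frame                               # whatever tag is left inside stays
    return push_tag(frame, vlan)


def trunk_ingress(frame, native_vlan):
    """Second switch: untagged means native VLAN; otherwise the outer tag decides."""
    vid = outer_tag(frame)
    if vid is None:
        return native_vlan, frame
    return vid, strip_tag(frame)


def double_tag_attack(attacker_vlan=10, native_vlan=10, tag_native=False, target_vlan=20):
    """Return the VLAN in which switch 2 delivers the attacker's frame (None = dropped)."""
    frame = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55",   # constructed MACs
                        [attacker_vlan, target_vlan])               # outer 10, inner 20
    vlan, frame = access_port_ingress(frame, attacker_vlan)
    if vlan is None:
        return None
    on_wire = trunk_egress(vlan, frame, native_vlan, tag_native)
    delivered_vlan, _ = trunk_ingress(on_wire, native_vlan)
    return delivered_vlan


if __name__ == "__main__":
    print("native = attacker VLAN      ->", double_tag_attack())                 # 20: hopped
    print("native moved to unused 999  ->", double_tag_attack(native_vlan=999))  # 10: contained
    print("vlan dot1q tag native       ->", double_tag_attack(tag_native=True))  # 10: contained
```

With the default native VLAN the frame is delivered in VLAN 20; with either mitigation switch 1 tags the frame with VLAN 10 on the trunk, so switch 2 classifies it into VLAN 10 and the inner tag never reaches a forwarding decision.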
DHCP Server Spoofing
• If an attacker connects a rogue DHCP server to the network, the rogue DHCP server can respond to a client's DHCP request. Even though both the rogue DHCP server and the actual DHCP server respond to the request, the client uses the rogue DHCP server's response if it reaches the client before the response from the actual DHCP server.
Mitigating Layer 2 Attacks
• Mitigating with Port Security
• Mitigating with Root Guard
• Mitigating with BPDU Guard
• Mitigating with Storm Control
• Mitigating with DHCP Snooping
• Mitigating with SPAN, RSPAN, IDS
Port Security Overview
Port security allows an administrator to statically specify MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses.
(Figure: port 0/1 allows MAC A, port 0/2 allows MAC B and port 0/3 allows MAC C; attacker 1 presenting MAC A on another port and attacker 2 presenting MAC F are both refused.)
Configuring Port Security
Switch(config-if)# switchport mode access
• Sets the interface mode as access
Switch(config-if)# switchport port-security
• Enables port security on the interface
Switch(config-if)# switchport port-security maximum value
• Sets the maximum number of secure MAC addresses for the interface (optional)
Switchport Port-Security Parameters
• mac-address mac-address: (Optional) Specify a secure MAC address for the port by entering a 48-bit MAC address. You can add additional secure MAC addresses up to the maximum value configured.
• vlan vlan-id: (Optional) On a trunk port only, specify the VLAN ID and the MAC address. If no VLAN ID is specified, the native VLAN is used.
• vlan access: (Optional) On an access port only, specify the VLAN as an access VLAN.
• vlan voice: (Optional) On an access port only, specify the VLAN as a voice VLAN.
• mac-address sticky [mac-address]: (Optional) Enable the interface for sticky learning by entering only the mac-address sticky keywords. When sticky learning is enabled, the interface adds all secure MAC addresses that are dynamically learned to the running configuration and converts these addresses to sticky secure MAC addresses. Specify a sticky secure MAC address by entering the mac-address sticky mac-address keywords.
• maximum value: (Optional) Set the maximum number of secure MAC addresses for the interface. The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system. The active Switch Database Management (SDM) template determines this number. This number represents the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces. The default setting is 1.
• vlan [vlan-list]: (Optional) For trunk ports, you can set the maximum number of secure MAC addresses on a VLAN. If the vlan keyword is not entered, the default value is used.
■ vlan: set a per-VLAN maximum value.
■ vlan vlan-list: set a per-VLAN maximum value on a range of VLANs separated by a hyphen or a series of VLANs separated by commas. For nonspecified VLANs, the per-VLAN maximum value is used.
Port Security Violation Configuration
Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}
• Sets the violation mode (optional)
Switch(config-if)# switchport port-security mac-address mac-address
• Enters a static secure MAC address for the interface (optional)
Switch(config-if)# switchport port-security mac-address sticky
• Enables sticky learning on the interface (optional)
Switchport Port-Security Violation Parameters
• protect: (Optional) Set the security violation protect mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.
• restrict: (Optional) Set the security violation restrict mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred: an SNMP trap is sent, a syslog message is logged, and the violation counter increments.
• shutdown: (Optional) Set the security violation shutdown mode. In this mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and increments the violation counter. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands.
• shutdown vlan: Set the security violation mode to per-VLAN shutdown. In this mode, only the VLAN on which the violation occurred is error-disabled.
Switch(config)# errdisable recovery cause psecure-violation
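The CAM table overflow attack from the macof slides and the violation modes just described can be exercised in one small model. The following Python script is an added example, not code from the slides or from Cisco. The switch, its three ports, the MAC addresses, and the 8-entry CAM capacity are assumptions made for the demonstration (real tables hold thousands of entries, which is why macof sends hundreds of thousands of frames); the 300-second aging timer is the IOS default. Without port security the attacker turns the switch into a hub once the real hosts' entries age out; with "maximum 1", shutdown err-disables the attacker's port on the second source address, while restrict leaves it up but counts every bogus frame and learns none of them.

```python
CAM_AGING_SECONDS = 300          # IOS default dynamic MAC address aging time


class Switch:
    """Switch with a size-limited CAM table and optional per-port port security."""

    def __init__(self, ports, cam_capacity=8):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity      # constructed: tiny so the table fills fast
        self.cam = {}                         # mac -> (port, last_seen)
        self.psec = {}                        # port -> {"max", "mode", "secure"}
        self.violations = {}                  # port -> violation counter
        self.errdisabled = set()

    def port_security(self, port, maximum=1, violation="shutdown"):
        """switchport port-security maximum <maximum> violation <violation>"""
        self.psec[port] = {"max": maximum, "mode": violation, "secure": set()}
        self.violations[port] = 0

    def _expire(self, now):
        for mac, (_, seen) in list(self.cam.items()):
            if now - seen > CAM_AGING_SECONDS:
                del self.cam[mac]

    def receive(self, port, src, dst, now):
        """Process one frame; return the sorted list of egress ports ([] = dropped)."""
        if port in self.errdisabled:
            return []
        self._expire(now)
        ps = self.psec.get(port)
        if ps is not None and src not in ps["secure"]:
            if len(ps["secure"]) >= ps["max"]:
                self.violations[port] += 1            # restrict/shutdown: counted and logged
                if ps["mode"] == "shutdown":
                    self.errdisabled.add(port)        # stays down until errdisable recovery
                return []                             # protect/restrict/shutdown all drop it
            ps["secure"].add(src)                     # sticky-style learning of the first MACs
        if src in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[src] = (port, now)               # learn or refresh the source address
        if dst in self.cam:
            return [self.cam[dst][0]]                 # known unicast: forward on one port
        return sorted(p for p in self.ports           # unknown unicast: flood the VLAN
                      if p != port and p not in self.errdisabled)


HOST_A, HOST_B = "aabb.cc00.0001", "aabb.cc00.0002"   # constructed addresses


def run_attack(sw):
    """Hosts A (port 1) and B (port 2) talk; the attacker on port 3/25 runs macof."""
    sw.receive("1", HOST_A, HOST_B, now=0)
    sw.receive("2", HOST_B, HOST_A, now=0)
    before = sw.receive("1", HOST_A, HOST_B, now=1)   # both learned: forwarded to port 2 only
    for t in (2, 250, 500):                           # macof keeps refreshing its bogus MACs
        for i in range(50):
            sw.receive("3/25", f"0000.dead.{i:04x}", "ffff.ffff.ffff", now=t)
    after = sw.receive("1", HOST_A, HOST_B, now=501)  # A and B aged out while the table was full
    return before, after


def demo_without_port_security():
    sw = Switch(ports=["1", "2", "3/25"])
    before, after = run_attack(sw)
    return {"before": before, "after": after, "cam_entries": len(sw.cam)}


def demo_with_port_security(mode="shutdown"):
    sw = Switch(ports=["1", "2", "3/25"])
    sw.port_security("3/25", maximum=1, violation=mode)
    before, after = run_attack(sw)
    return {"before": before, "after": after, "cam_entries": len(sw.cam),
            "violations": sw.violations["3/25"],
            "errdisabled": "3/25" in sw.errdisabled}


if __name__ == "__main__":
    print("no port security  :", demo_without_port_security())
    print("violation shutdown:", demo_with_port_security("shutdown"))
    print("violation restrict:", demo_with_port_security("restrict"))
```

The "after" list is the point of the exercise: without port security the frame from A to B is flooded to port 3/25 as well, and A's own address cannot even be re-learned because all eight CAM entries are held by the attacker's refreshed bogus MACs.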
Port Security Aging Configuration
Switch(config-if)# switchport port-security aging {static | time time | type {absolute | inactivity}}
• Enables or disables static aging for the secure port, or sets the aging time or type
• The aging command allows MAC addresses on the secure switchport to be deleted after the set aging time
• This helps avoid a situation where obsolete MAC addresses occupy the table and saturate it, causing a violation when the maximum number is exceeded
Switchport Port-Security Aging Parameters
• static: Enable aging for statically configured secure addresses on this port.
• time time: Specify the aging time for this port. The range is 0 to 1440 minutes. If the time is 0, aging is disabled for this port.
• type absolute: Set the absolute aging type. All the secure addresses on this port age out exactly after the time (minutes) specified and are removed from the secure address list.
• type inactivity: Set the inactivity aging type. The secure addresses on this port age out only if there is no data traffic from the secure source address for the specified time period.
Switch# show port-security interface {port-id}
Typical Configuration
(Figure: switch S2 with PC B attached to the secured port.)
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security aging time 120
Verifying Port Security
sw-class# show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
---------------------------------------------------------------------------
Fa0/12 2 0 0 Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024
sw-class# show port-security interface f0/12
Port Security : Enabled
Port status : Secure-down
Violation mode : Shutdown
Maximum MAC Addresses : 2
Total MAC Addresses : 1
Configured MAC Addresses : 0
Aging time : 120 mins
Aging type : Absolute
SecureStatic address aging : Disabled
Security Violation Count : 0
View Secure MAC Addresses
sw-class# show port-security address
Secure Mac Address Table
-------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
1 0000.ffff.aaaa SecureConfigured Fa0/12 -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024
Switch# clear port-security sticky
MAC Address Notification
MAC address notification allows monitoring of the MAC addresses, at the module and port level, added by the switch or removed from the CAM table for secure ports. SNMP traps are sent to the NMS when new MAC addresses appear or when old ones time out.
(Figure: the switch CAM table holds F1/1 = MAC A, F1/2 = MAC B and F2/1 = MAC D; MAC D is away from the network, so its address ages out and a trap is sent to the NMS.)
Extra: Configuration Guidelines
Extra: Compatibility with Other Features
Configure PortFast
Switch(config-if)# spanning-tree portfast
Enables PortFast on a Layer 2 access port and forces it to enter the forwarding state immediately.
Switch(config-if)# no spanning-tree portfast
Disables PortFast on a Layer 2 access port. PortFast is disabled by default.
Switch(config)# spanning-tree portfast default
Globally enables the PortFast feature on all nontrunking ports.
Switch# show running-config interface type slot/port
Indicates whether PortFast has been configured on a port.
BPDU Guard
(Figure: an attacker sends STP BPDUs into a PortFast access port with BPDU guard enabled; the root bridge and the forwarding and blocking ports of the legitimate topology are unaffected.)
Switch(config)# spanning-tree portfast bpduguard default
• Globally enables BPDU guard on all ports with PortFast enabled
Display the State of Spanning Tree
Switch# show spanning-tree summary totals
Root bridge for: none.
PortFast BPDU Guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Spanning tree default pathcost method used is short
Name Blocking Listening Learning Forwarding STP Active
-------------------- -------- --------- -------- ---------- ----------
1 VLAN 0 0 0 1 1
Receiving a BPDU on a PortFast-enabled port signals an invalid
configuration, such as the connection of an unauthorized device, and the
BPDU guard feature puts the port in an error-disabled state.
Root Guard
(Figure: the legitimate root bridge has priority 0 and MAC address 0000.0c45.1a5d. The attacker sends an STP BPDU with priority 0 and MAC address 0000.0c45.1234, which is superior because of the lower MAC address, into a port with root guard enabled.)
Switch(config-if)# spanning-tree guard root
• Enables root guard on a per-interface basis
Verify Root Guard
Switch# show spanning-tree inconsistentports
Name Interface Inconsistency
-------------------- ---------------------- ------------------
VLAN0001 FastEthernet3/1 Port Type Inconsistent
VLAN0001 FastEthernet3/2 Port Type Inconsistent
VLAN1002 FastEthernet3/1 Port Type Inconsistent
VLAN1002 FastEthernet3/2 Port Type Inconsistent
VLAN1003 FastEthernet3/1 Port Type Inconsistent
VLAN1003 FastEthernet3/2 Port Type Inconsistent
VLAN1004 FastEthernet3/1 Port Type Inconsistent
VLAN1004 FastEthernet3/2 Port Type Inconsistent
VLAN1005 FastEthernet3/1 Port Type Inconsistent
VLAN1005 FastEthernet3/2 Port Type Inconsistent
Number of inconsistent ports (segments) in the system :10
Root guard is configured on a per-port basis. If a superior BPDU is received
on the port, root guard puts the port into a root-inconsistent state.
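The following Python script is an added example, not from the slides or from Cisco, of the decision behind both guards: how a switch ranks a received BPDU against the root bridge it currently believes in (priority first, then MAC address, the lower value wins) and what BPDU guard and root guard do with a superior one. The bridge IDs are those shown in the root guard figure above; the port names and the switch's own bridge ID are constructed.

```python
from dataclasses import dataclass


def bridge_id(priority, mac):
    """STP bridge ID ordering: lower priority wins, then lower MAC address."""
    return (priority, int(mac.replace(".", ""), 16))


@dataclass
class Port:
    name: str
    portfast: bool = False     # spanning-tree portfast
    bpduguard: bool = False    # spanning-tree portfast bpduguard default
    rootguard: bool = False    # spanning-tree guard root
    state: str = "forwarding"


class SwitchSTP:
    """Minimal model of how one switch reacts to a configuration BPDU."""

    def __init__(self, own_priority, own_mac, root_priority, root_mac):
        self.own = bridge_id(own_priority, own_mac)
        self.root = bridge_id(root_priority, root_mac)   # root it currently believes in
        self.ports = {}
        self.log = []

    def add_port(self, port):
        self.ports[port.name] = port

    def receive_bpdu(self, port_name, root_priority, root_mac):
        """Handle a BPDU advertising (root_priority, root_mac) as root; return the port state."""
        p = self.ports[port_name]
        claimed = bridge_id(root_priority, root_mac)
        if p.portfast and p.bpduguard:
            p.state = "err-disabled"           # BPDU guard: no BPDU is legitimate on an edge port
            self.log.append(f"{p.name}: BPDU on PortFast port, err-disabled")
        elif claimed < self.root:              # superior BPDU: a new root would be elected
            if p.rootguard:
                p.state = "root-inconsistent"  # root guard: port blocks instead of becoming root port
                self.log.append(f"{p.name}: superior BPDU {claimed}, root-inconsistent")
            else:
                self.root = claimed            # unprotected: the topology recalculates around it
                self.log.append(f"{p.name}: new root {claimed}")
        elif p.state == "root-inconsistent":
            p.state = "forwarding"             # superior BPDUs stopped: root guard recovers by itself
        return p.state


LEGIT_ROOT = (0, "0000.0c45.1a5d")             # from the root guard figure
ATTACKER = (0, "0000.0c45.1234")               # same priority, lower MAC: superior


def demo():
    out = {}
    sw = SwitchSTP(32768, "0000.0c11.2222", *LEGIT_ROOT)   # constructed own bridge ID
    sw.add_port(Port("Fa0/1"))                              # unprotected access port
    sw.add_port(Port("Fa0/2", portfast=True, bpduguard=True))
    sw.receive_bpdu("Fa0/1", *ATTACKER)
    out["unprotected_root_hijacked"] = sw.root == bridge_id(*ATTACKER)
    out["bpduguard"] = sw.receive_bpdu("Fa0/2", *ATTACKER)

    sw2 = SwitchSTP(32768, "0000.0c11.2222", *LEGIT_ROOT)
    sw2.add_port(Port("Fa0/3", rootguard=True))
    out["rootguard"] = sw2.receive_bpdu("Fa0/3", *ATTACKER)
    out["root_kept"] = sw2.root == bridge_id(*LEGIT_ROOT)
    out["rootguard_recovered"] = sw2.receive_bpdu("Fa0/3", *LEGIT_ROOT)   # normal BPDU again
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:28s} {v}")
```

Note the difference in recovery: a BPDU guard port stays err-disabled until errdisable recovery or a manual shutdown/no shutdown, while a root-inconsistent port returns to forwarding on its own as soon as the superior BPDUs stop arriving, which is what the show spanning-tree inconsistentports output above lets you watch.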
DHCP Snooping
Configure DHCP Snooping
IP Source Guard
Dynamic ARP Inspection
Dynamic ARP Inspection (DAI) determines the validity of an ARP packet based on the MAC address-to-IP address bindings stored in a DHCP snooping database.
Configure DAI
Protecting Against ARP Spoofing Attacks
Example: Configure DAI in DHCP Environments
ip dhcp snooping vlan 10
no ip dhcp snooping information option
ip dhcp snooping
ip dhcp-server 192.168.128.1
ip arp inspection vlan 10
ip arp inspection vlan 1 logging dhcp-bindings all
ip arp inspection validate ip
interface FastEthernet0/24
ip arp inspection trust
ip dhcp snooping trust
Switch# show interface f0/10 status err-disabled
Port      Name    Status        Reason          Err-disabled Vlans
Fa0/10            err-disabled  arp-inspection
show ip arp inspection
Example: Configure DAI in non-DHCP Environments
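As an added example (not part of the slides or of Cisco's code), the following Python script runs the DAI checks described above over constructed ARP packets: the spoofed gateway reply from the ARP spoofing slides, a legitimate request, a reply arriving on a trusted port, a statically addressed host that has no DHCP snooping binding (the non-DHCP case, which is why ARP ACLs exist), and a reply with an invalid sender address of the kind caught by "ip arp inspection validate ip". The binding table, port names, and addresses are made up for the demonstration.

```python
import ipaddress
import struct

ARP_REQUEST, ARP_REPLY = 1, 2


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Raw 28-byte ARP body for Ethernet/IPv4 (RFC 826 layout)."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + _mac(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
            + _mac(target_mac) + ipaddress.IPv4Address(target_ip).packed)


def parse_arp(pkt):
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", pkt[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    return {"op": op,
            "sha": mac(pkt[8:14]), "spa": str(ipaddress.IPv4Address(pkt[14:18])),
            "tha": mac(pkt[18:24]), "tpa": str(ipaddress.IPv4Address(pkt[24:28]))}


class DynamicArpInspection:
    """ARP on untrusted ports must match a DHCP snooping binding; trusted ports bypass."""

    def __init__(self, bindings, trusted_ports=(), validate_ip=True):
        self.bindings = {m.lower(): ip for m, ip in bindings.items()}   # mac -> ip
        self.trusted = set(trusted_ports)
        self.validate_ip = validate_ip          # ip arp inspection validate ip
        self.dropped = []                       # (port, reason), what a syslog would carry

    @staticmethod
    def _bad_ip(ip):
        a = ipaddress.IPv4Address(ip)
        return a.is_unspecified or a.is_multicast or ip == "255.255.255.255"

    def inspect(self, port, pkt):
        """Return 'forward' or 'drop' for an ARP packet received on 'port'."""
        if port in self.trusted:
            return "forward"                    # ip arp inspection trust: not inspected
        a = parse_arp(pkt)
        reason = None
        # validate ip: sender IP checked in all ARP, target IP only in replies
        if self.validate_ip and (self._bad_ip(a["spa"]) or
                                 (a["op"] == ARP_REPLY and self._bad_ip(a["tpa"]))):
            reason = f"invalid IP in ARP body: {a['spa']} -> {a['tpa']}"
        elif self.bindings.get(a["sha"]) != a["spa"]:
            reason = f"no DHCP snooping binding for {a['sha']} / {a['spa']}"
        if reason:
            self.dropped.append((port, reason))
            return "drop"
        return "forward"


# Constructed environment: DHCP snooping learned these bindings on VLAN 10.
BINDINGS = {"aa:aa:aa:00:00:50": "192.168.10.50",   # victim PC on Fa0/5
            "cc:cc:cc:00:00:66": "192.168.10.66"}   # attacker PC on Fa0/10
GATEWAY_MAC, GATEWAY_IP = "00:00:5e:00:01:01", "192.168.10.1"


def demo():
    dai = DynamicArpInspection(BINDINGS, trusted_ports={"Fa0/24"})  # uplink to gateway/DHCP
    results = {}
    # 1. Attacker's reply claiming the gateway IP with its own MAC: the MITM setup
    spoof = build_arp(ARP_REPLY, "cc:cc:cc:00:00:66", GATEWAY_IP,
                      "aa:aa:aa:00:00:50", "192.168.10.50")
    results["spoofed_reply"] = dai.inspect("Fa0/10", spoof)
    # 2. Attacker's own, legitimate request for the gateway
    legit = build_arp(ARP_REQUEST, "cc:cc:cc:00:00:66", "192.168.10.66",
                      "00:00:00:00:00:00", GATEWAY_IP)
    results["legit_request"] = dai.inspect("Fa0/10", legit)
    # 3. Gateway answering on the trusted uplink: passed without inspection
    reply = build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, "cc:cc:cc:00:00:66", "192.168.10.66")
    results["gateway_reply"] = dai.inspect("Fa0/24", reply)
    # 4. Statically addressed printer with no binding: dropped unless an ARP ACL allows it
    printer = build_arp(ARP_REQUEST, "dd:dd:dd:00:00:99", "192.168.10.99",
                        "00:00:00:00:00:00", GATEWAY_IP)
    results["static_host"] = dai.inspect("Fa0/7", printer)
    # 5. Reply with a 0.0.0.0 sender address, caught by validate ip before the binding check
    bogus = build_arp(ARP_REPLY, "cc:cc:cc:00:00:66", "0.0.0.0",
                      "aa:aa:aa:00:00:50", "192.168.10.50")
    results["bogus_ip"] = dai.inspect("Fa0/10", bogus)
    return results, dai.dropped


if __name__ == "__main__":
    results, dropped = demo()
    print(results)
    for port, reason in dropped:
        print(f"DAI drop on {port}: {reason}")
```

Case 4 is the practical caveat: DAI trusts the DHCP snooping table, so hosts that never go through DHCP on an untrusted port are dropped unless the "ip arp inspection filter" ARP ACL of the non-DHCP example supplies their binding.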
Storm Control Methods
• Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic
• Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received
• Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received
• Traffic rate in packets per second for small frames. This feature is enabled globally. The threshold for small frames is configured for each interface.
Storm Control Configuration
Switch(config-if)# storm-control {broadcast | multicast | unicast} level {level [level-low] | bps bps [bps-low] | pps pps [pps-low]}
Switch(config-if)# storm-control action {shutdown | trap}
• Enables storm control and specifies the level at which it is enabled
Switch(config-if)# storm-control broadcast level 75.5
Switch(config-if)# storm-control multicast level pps 2k 1k
• Specifies the action that should take place when the threshold (level) is reached, in addition to filtering traffic
Switch(config-if)# storm-control action shutdown
Storm Control Parameters
• broadcast: enables broadcast storm control on the interface.
• multicast: enables multicast storm control on the interface.
• unicast: enables unicast storm control on the interface.
• level level [level-low]: rising and falling suppression levels as a percentage of the total bandwidth of the port.
■ level: rising suppression level. The range is 0.00 to 100.00. Block the flooding of storm packets when the value specified for level is reached.
■ level-low: (Optional) falling suppression level, up to two decimal places. This value must be less than or equal to the rising suppression value.
• level bps bps [bps-low]: rising and falling suppression levels as a rate in bits per second at which traffic is received on the port.
■ bps: rising suppression level. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for bps is reached.
■ bps-low: (Optional) falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value.
• level pps pps [pps-low]: rising and falling suppression levels as a rate in packets per second at which traffic is received on the port.
■ pps: rising suppression level. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for pps is reached.
■ pps-low: (Optional) falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value.
• action {shutdown | trap}: the action taken when a storm occurs on a port. The default action is to filter traffic and to not send an SNMP trap.
■ shutdown: disables the port during a storm.
■ trap: sends an SNMP trap when a storm occurs.
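The rising and falling levels act as a hysteresis, which the parameter table alone does not make obvious. The following Python script is an added example (not the slides' or Cisco's code) that applies the "level pps 2k 1k" thresholds from the configuration above to a constructed sequence of per-second broadcast rates, with and without a falling level and with each action. The one-second measurement interval and the exact points at which the port starts dropping and resumes forwarding are assumptions about the platform; the k/m/g suffixes are the ones IOS accepts.

```python
SUFFIX = {"k": 1e3, "m": 1e6, "g": 1e9}


def parse_rate(text):
    """IOS accepts '2k', '1.5m', '500' for bps and pps levels."""
    text = text.lower()
    if text[-1] in SUFFIX:
        return float(text[:-1]) * SUFFIX[text[-1]]
    return float(text)


class StormControl:
    """storm-control <type> level pps <rising> [<falling>] / storm-control action {shutdown|trap}"""

    def __init__(self, rising, falling=None, action=None):
        self.rising = parse_rate(rising)
        self.falling = parse_rate(falling) if falling else self.rising   # default: same as rising
        if self.falling > self.rising:
            raise ValueError("falling level must be less than or equal to the rising level")
        self.action = action            # None = filter only (the IOS default), "shutdown", "trap"
        self.filtering = False
        self.errdisabled = False
        self.traps = []                 # interval numbers at which a trap would be sent

    def measure(self, interval_no, rate):
        """Apply one measurement interval; return the port state for that interval."""
        if self.errdisabled:
            return "err-disabled"
        if not self.filtering and rate >= self.rising:
            self.filtering = True                       # storm detected: drop this traffic type
            if self.action == "shutdown":
                self.errdisabled = True                 # whole port goes down, needs recovery
                return "err-disabled"
            if self.action == "trap":
                self.traps.append(interval_no)
        elif self.filtering and rate < self.falling:
            self.filtering = False                      # traffic fell below the low-water mark
        return "Blocking" if self.filtering else "Forwarding"


# Constructed broadcast rate per one-second interval: a burst that decays slowly.
SAMPLE_PPS = [500, 1500, 2500, 1800, 1200, 900, 400]


def run(rising, falling=None, action=None, samples=SAMPLE_PPS):
    """Return the per-interval port states and the trap intervals for one configuration."""
    sc = StormControl(rising, falling, action)
    states = [sc.measure(i, r) for i, r in enumerate(samples)]
    return states, sc.traps


if __name__ == "__main__":
    print("level pps 2k 1k        :", run("2k", "1k")[0])
    print("level pps 2k (no low)  :", run("2k")[0])
    print("2k 1k, action shutdown :", run("2k", "1k", "shutdown")[0])
    print("2k 1k, action trap     :", run("2k", "1k", "trap"))
```

With only a rising level the port flaps back to forwarding as soon as one interval measures 1800 pps, still well inside the storm; the falling level of 1k keeps it blocking until the rate genuinely subsides, which is why the two-value form is the one to use.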
Verify Storm Control Settings
Switch# show storm-control
Interface  Filter State  Upper    Lower    Current
---------  ------------  -------  -------  -------
Gi0/1      Forwarding    20 pps   10 pps   5 pps
Gi0/2      Forwarding    50.00%   40.00%   0.00%
Mitigating VLAN Attacks
(Figure: trunk with native VLAN = 10.)
1. Disable trunking on all access ports.
2. Disable auto trunking and manually enable trunking.
3. Be sure that the native VLAN is used only for trunk lines and nowhere else.
Controlling Trunking
Switch(config-if)# switchport mode trunk
• Specifies an interface as a trunk link
Switch(config-if)# switchport nonegotiate
• Prevents the generation of DTP frames
Switch(config-if)# switchport trunk native vlan vlan_number
• Sets the native VLAN on the trunk to an unused VLAN
Traffic Analysis
A SPAN port mirrors traffic to another port where a monitoring device (an IDS, an RMON probe, or a protocol analyzer) is connected. Without this, it can be difficult to track hackers after they have entered the network.
(Figure: the attacker's traffic is mirrored to the IDS, which raises an "Intruder Alert!".)
Configuring SPAN
Switch(config)#
monitor session session_number source {interface
interface-id [, | -] [both | rx | tx]} | {vlan vlan-id [,
| -] [both | rx | tx]}| {remote vlan vlan-id}
Switch(config)#
monitor session session_number destination {interface
interface-id [, | -] [encapsulation replicate] [ingress
{dot1q vlan vlan-id | isl | untagged vlan vlan-id | vlan
vlan-id}]} | {remote vlan vlan-id}
Example
Verify SPAN Configuration
SPAN and IDS
(Diagram: an attacker on port F0/1, an IDS on port F0/2)
• Use SPAN to mirror traffic in and out of port F0/1 to port F0/2.
• SPAN is not required for syslog or SNMP.
Overview of RSPAN
• An RSPAN port mirrors traffic to
another port on another switch
where a probe or IDS sensor is
connected.
• This allows more switches to be
monitored with a single probe or
IDS.
(Diagram: an attacker in a source VLAN on one switch; the RSPAN VLAN carries the mirrored traffic across the trunks to the switch where the IDS is attached, and the IDS raises an "Intruder Alert!")
Configuring RSPAN
(Example with two switches, 2960-1 and 2960-2)
1. Configure the RSPAN VLAN
2960-1(config)# vlan 100
2960-1(config-vlan)# remote-span
2960-1(config-vlan)# exit
2. Configure the RSPAN source ports and VLANs
2960-1(config)# monitor session 1 source interface FastEthernet 0/1
2960-1(config)# monitor session 1 destination remote vlan 100 reflector-port FastEthernet 0/24
2960-1(config)# interface FastEthernet 0/2
2960-1(config-if)# switchport mode trunk
3. Configure the RSPAN traffic to be forwarded
2960-2(config)# monitor session 2 source remote vlan 100
2960-2(config)# monitor session 2 destination interface FastEthernet 0/3
2960-2(config)# interface FastEthernet 0/2
2960-2(config-if)# switchport mode trunk
Verifying RSPAN Configuration
show monitor [session {session_number | all | local | range list | remote} [detail]] [ | {begin | exclude | include} expression]
RSPAN Configuration Guidelines
• If traffic for a port is monitored in one direction, you can use Catalyst 2950 or 2955 switches as
source, intermediate, or destination switches.
• If traffic for a port is monitored in both directions, make sure that the intermediate switches and
the destination switch are switches other than Catalyst 2950 or 2955 switches, such as
Catalyst 3550, 3750, or 6000 switches.
• A port cannot serve as an RSPAN source port or RSPAN destination port while designated as
an RSPAN reflector port.
• When you configure a switch port as a reflector port, it is no longer a normal switch
port; only looped-back traffic passes through the reflector port.
• You can configure any VLAN as an RSPAN VLAN as long as these conditions are met:
– The RSPAN VLAN is not configured as a native VLAN.
– Extended range RSPAN VLANs will not be propagated to other switches using VTP.
– No access port is configured in the RSPAN VLAN.
– All participating switches support RSPAN.
• The RSPAN VLAN cannot be VLAN 1 (the default VLAN) or VLAN IDs 1002 through 1005
(reserved to Token Ring and FDDI VLANs).
• You should create an RSPAN VLAN before configuring an RSPAN source or destination
session.
• If you enable VTP and VTP pruning, RSPAN traffic is pruned in the trunks to prevent the
unwanted flooding of RSPAN traffic across the network for VLAN-IDs that are lower than 1005.
Configuring PVLAN Edge
• The Private VLAN (PVLAN) Edge feature, also known as protected ports, ensures that there is no exchange of unicast, broadcast, or multicast traffic between protected ports on the same switch.
• The characteristics of PVLAN Edge. Refer to 6.3.7.1
• To configure the PVLAN Edge feature, enter the command switchport protected in interface configuration mode.
Recommended Practices for Layer 2
1. Manage switches in as secure a manner as
possible (SSH, out-of-band management, ACLs,
etc.)
2. Set all user ports to non-trunking mode (except if
using Cisco VoIP)
3. Use port security where possible for access ports
4. Enable STP attack mitigation (BPDU guard, root
guard)
5. Use Cisco Discovery Protocol only where
necessary – with phones it is useful
6. Configure PortFast on all non-trunking ports
7. Configure root guard on STP root ports
8. Configure BPDU guard on all non-trunking ports
VLAN Practices
9. Always use a dedicated, unused native VLAN ID
for trunk ports
10. Do not use VLAN 1 for anything
11. Disable all unused ports and put them in an unused VLAN
12. Manually configure all trunk ports and disable DTP on trunk ports
13. Configure all non-trunking ports with switchport mode access
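The practices in the two lists above can be checked mechanically against a switch's running configuration. The following is an added example (not course material and not a Cisco tool): it parses an IOS-style running-config and reports, per interface, which of the listed practices are missing. The configuration text is constructed for the example; the interface names, descriptions and VLAN numbers in it are assumptions, not from any real device.

```python
"""Audit an IOS-style switch config against the Layer 2 and VLAN practices above.

Added example (not from the course): the config text is constructed, and the
checks encode the practices as listed: explicit trunk/access mode, no DTP,
a dedicated native VLAN, no VLAN 1, port security, PortFast and BPDU guard on
non-trunking ports.
"""
import re

# Constructed sample running-config excerpt; no real device behind it.
SAMPLE_CONFIG = """\
!
spanning-tree mode rapid-pvst
!
interface GigabitEthernet0/1
 description uplink to core (hardened trunk)
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface GigabitEthernet0/2
 description trunk left on DTP
 switchport mode dynamic desirable
!
interface FastEthernet0/1
 description user port (hardened)
 switchport mode access
 switchport access vlan 10
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 description user port left at defaults
!
"""


def parse_config(config):
    """Split an IOS running-config into global lines and per-interface lines."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            if line and line != "!":
                global_lines.append(line)
    return global_lines, interfaces


def audit_interface(lines, global_lines):
    """Return the list of practice violations for one interface (empty = clean)."""
    findings = []

    def has(prefix):
        return any(line.startswith(prefix) for line in lines)

    # IOS defaults: native VLAN 1 on trunks, access VLAN 1 on access ports.
    native = next((int(m.group(1)) for m in
                   (re.fullmatch(r"switchport trunk native vlan (\d+)", l) for l in lines) if m), 1)
    access = next((int(m.group(1)) for m in
                   (re.fullmatch(r"switchport access vlan (\d+)", l) for l in lines) if m), 1)
    bpduguard_default = "spanning-tree portfast bpduguard default" in global_lines

    if has("switchport mode trunk"):
        if not has("switchport nonegotiate"):
            findings.append("trunk still sends DTP frames (missing 'switchport nonegotiate')")
        if native == 1:
            findings.append("trunk native VLAN is VLAN 1; use a dedicated, unused native VLAN")
    elif has("switchport mode dynamic"):
        findings.append("port relies on DTP negotiation; set trunk or access mode explicitly")
    else:
        # Everything else is treated as a user-facing (non-trunking) port.
        if not has("switchport mode access"):
            findings.append("non-trunking port lacks 'switchport mode access' (DTP may negotiate a trunk)")
        if access == 1:
            findings.append("access VLAN is VLAN 1; do not use VLAN 1 for anything")
        if not has("switchport port-security"):
            findings.append("no port security on access port")
        if not has("spanning-tree portfast"):
            findings.append("PortFast not configured on non-trunking port")
        if not (has("spanning-tree bpduguard enable") or bpduguard_default):
            findings.append("BPDU guard not enabled on non-trunking port")
    return findings


def audit_config(config):
    """Map each interface name to its list of findings."""
    global_lines, interfaces = parse_config(config)
    return {name: audit_interface(lines, global_lines) for name, lines in interfaces.items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

On the constructed config the hardened trunk and the hardened user port come back clean, the port left in dynamic desirable mode is flagged for relying on DTP, and the port left at defaults collects five findings (no explicit access mode, VLAN 1, no port security, no PortFast, no BPDU guard). The audit reads configuration only; whether a port is actually unused (practice 11) needs interface status, which a config file does not carry.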
Overview of Wireless, VoIP Security
(Diagram: wireless and VoIP devices on the LAN)
Overview of SAN Security
(Diagram: a SAN attached to the LAN)
Infrastructure-Integrated Approach
• Proactive threat and intrusion
detection capabilities that do not
simply detect wireless attacks
but prevent them
• Comprehensive protection to
safeguard confidential data and
communications
• Simplified user management
with a single user identity and
policy
• Collaboration with wired security
systems
Cisco IP Telephony Solutions
• Single-site deployment
• Centralized call
processing with remote
branches
• Distributed call-processing deployment
• Clustering over the IP WAN
Storage Network Solutions
• Investment protection
• Virtualization
• Security
• Consolidation
• Availability
Cisco Wireless LAN Controllers
• Responsible for system-wide wireless LAN functions
• Work in conjunction with APs and the Cisco Wireless Control System
(WCS) to support wireless applications
• Smoothly integrate into existing enterprise networks
Wireless Hacking
• War driving
• A neighbor hacks into
another neighbor’s
wireless network to get
free Internet access or
access information
• Free Wi-Fi provides an
opportunity to compromise
the data of users
Hacking Tools
• Network Stumbler
• Kismet
• AirSnort
• CoWPAtty
• ASLEAP
• Wireshark
Wireless Security Solutions
• Wireless networks using WEP or WPA/TKIP are not very secure and are vulnerable to hacking attacks.
• Wireless networks using WPA2/AES should have a
passphrase of at least 21 characters long.
• If an IPsec VPN is available, use it on any public wireless
LAN.
• If wireless access is not needed, disable the wireless radio
or wireless NIC.
VoIP Business Advantages
(Diagram: a VoIP gateway between the PSTN and the IP network)
• Little or no training costs
• No major set-up fees
• Lower telecom call costs
• Productivity increases
• Lower costs to move, add, or change
• Lower ongoing service and maintenance costs
• Enables unified messaging
• Encryption of voice calls is supported
• Fewer administrative personnel required
VoIP Components
(Diagram: Cisco Unified Communications Manager (call agent), an MCU, Cisco Unity, IP phones and a videoconference station on the IP backbone; routers/gateways connect the IP backbone to the PSTN)
VoIP Protocols
VoIP Protocol: Description
H.323: ITU standard protocol for interactive conferencing; evolved from the H.320 ISDN standard; flexible, complex
MGCP: Emerging IETF standard for PSTN gateway control; thin device control
Megaco/H.248: Joint IETF and ITU standard for gateway control with support for multiple gateway types; evolved from the MGCP standard
SIP: IETF protocol for interactive and noninteractive conferencing; simpler but less mature than H.323
RTP: IETF standard media-streaming protocol
RTCP: IETF protocol that provides out-of-band control information for an RTP flow
SRTP: IETF protocol that encrypts RTP traffic as it leaves the voice device
SCCP: Cisco proprietary protocol used between Cisco Unified Communications Manager and Cisco IP phones
Threats
• Reconnaissance
• Directed attacks such as spam over IP telephony
(SPIT) and spoofing
• DoS attacks such as DHCP starvation, flooding, and
fuzzing
• Eavesdropping and man-in-the-middle attacks
VoIP SPIT (VoIP Spam)
• If SPIT grows like spam, it could result in regular DoS problems for network administrators.
• Antispam methods do not block SPIT.
• Authenticated TLS stops most SPIT attacks because TLS endpoints accept packets only from trusted devices.
(Cartoon: an unsolicited call announcing "You've just won an all expenses paid vacation to the U.S. Virgin Islands!!!")
Fraud
• Fraud takes several forms:
– Vishing: a voice version of phishing that is used to compromise confidentiality.
– Theft and toll fraud: the stealing of telephone services.
• Use features of Cisco Unified Communications Manager to protect against fraud:
– Partitions limit what parts of the dial plan certain phones have access to.
– Dial plan filters control access to exploitable phone numbers.
– Forced authorization codes (FACs) prevent unauthorized calls and provide a mechanism for tracking.
SIP Vulnerabilities
(Diagram: SIP user agents on both sides of the SIP servers/services: a registrar, a location database and a SIP proxy)
• Registration hijacking: allows a hacker to intercept incoming calls and reroute them.
• Message tampering: allows a hacker to modify data packets traveling between SIP addresses.
• Session tear-down: allows a hacker to terminate calls or carry out VoIP-targeted DoS attacks.
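Registration hijacking works by re-registering an existing address-of-record (AOR) with a Contact the attacker controls, so the registrar's location database sends incoming calls there. A registrar-side or SPAN-fed monitor can catch that move. The following is an added example, not course material and not code from any SIP product: it parses REGISTER requests, remembers the Contact host each AOR first bound, and raises an alert when a later REGISTER for the same AOR points the Contact at a different host. The SIP messages, addresses and the domain pbx.example.net are constructed for the example.

```python
"""Detect SIP registration hijacking from REGISTER traffic.

Added example, not from the course: the SIP messages below are constructed.
The monitor remembers which Contact host each AOR registered from and flags a
later REGISTER that tries to move the Contact elsewhere, which is how
registration hijacking reroutes incoming calls.
"""
import re

# Host part of a SIP URI: sip:user@host[:port]...
CONTACT_HOST = re.compile(r"sip:[^@>\s]+@([^;:>\s]+)")
# user@domain part of the To header (the address-of-record)
AOR_RE = re.compile(r"sip:([^;>\s]+)")


def parse_sip(raw):
    """Parse the request line and headers of a SIP message into a dict."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    msg = {"request": lines[0].strip()}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            msg[name.strip().lower()] = value.strip()
    return msg


def contact_host(msg):
    m = CONTACT_HOST.search(msg.get("contact", ""))
    return m.group(1) if m else None


def aor(msg):
    m = AOR_RE.search(msg.get("to", ""))
    return m.group(1) if m else None


class RegistrationMonitor:
    """Tracks the binding each AOR registered and flags suspicious changes."""

    def __init__(self):
        self.bindings = {}   # aor -> (contact_host, source_ip)

    def observe(self, raw, source_ip):
        """Return an alert string for a suspicious REGISTER, or None."""
        msg = parse_sip(raw)
        if not msg["request"].startswith("REGISTER"):
            return None
        user, host = aor(msg), contact_host(msg)
        if user is None or host is None:
            return f"malformed REGISTER from {source_ip}"
        previous = self.bindings.get(user)
        if previous is None:
            self.bindings[user] = (host, source_ip)
            return None
        old_host, old_src = previous
        if host != old_host:
            detail = " from a new source address" if source_ip != old_src else ""
            # The known binding is kept; an operator decides whether the move is legitimate.
            return (f"possible registration hijack of {user}: Contact moves "
                    f"{old_host} -> {host}{detail} (source {source_ip})")
        return None


# Constructed: the legitimate phone registers alice from its own address.
LEGIT_REGISTER = (
    "REGISTER sip:pbx.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.110.3:5060;branch=z9hG4bK776\r\n"
    "From: <sip:alice@pbx.example.net>;tag=1928\r\n"
    "To: <sip:alice@pbx.example.net>\r\n"
    "Contact: <sip:alice@10.1.110.3:5060>;expires=3600\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Constructed: a second REGISTER for the same AOR points the Contact elsewhere.
HIJACK_REGISTER = LEGIT_REGISTER.replace("10.1.110.3", "192.0.2.50")

if __name__ == "__main__":
    monitor = RegistrationMonitor()
    print(monitor.observe(LEGIT_REGISTER, "10.1.110.3"))   # None: first binding
    print(monitor.observe(HIJACK_REGISTER, "192.0.2.50"))  # alert
```

A refresh from the same phone and host produces no alert; the constructed second REGISTER, arriving from 192.0.2.50 with a Contact on that host, is reported and the original binding is left untouched. In a deployment the monitor would see the REGISTER stream on the registrar itself or on a SPAN destination as described earlier in the chapter; it complements, rather than replaces, authenticated TLS between phones and call control.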
Using VLANs
(Diagram: an IP phone (10.1.110.3) in voice VLAN 110 with a desktop PC behind it in data VLAN 10, both on switch port 5/1; the switch connects to router 171.1.1.1 over an 802.1Q trunk)
• Creates a separate broadcast domain for voice traffic
• Protects against eavesdropping and tampering
• Renders packet-sniffing tools less effective
• Makes it easier to implement VLAN ACLs (VACLs) that are specific to voice traffic
Voice VLAN
Using Cisco ASA Adaptive Security Appliances
(Diagram: a Cisco Adaptive Security Appliance at the Internet edge and another at the WAN edge)
• Ensure SIP, SCCP, H.323, and MGCP requests conform to standards
• Prevent inappropriate SIP methods from being sent to Cisco Unified Communications Manager
• Rate limit SIP requests
• Enforce policy of calls (whitelist, blacklist, caller/called party, SIP URI)
• Dynamically open ports for Cisco applications
• Enable only “registered phones” to make calls
• Enable inspection of encrypted phone calls
Using VPNs
(Diagram: telephony servers behind a firewall at the central site; an SRST router at the remote site, connected over the IP WAN)
• Use IPsec for authentication
• Use IPsec to protect all traffic, not just voice
• Consider SLA with service provider
• Terminate on a VPN concentrator or large router inside of firewall to gain these benefits:
– Performance
– Reduced configuration complexity
– Managed organizational boundaries
Using Cisco Unified Communications Manager
• Signed firmware
• Signed
configuration files
• Disable:
– PC port
– Setting button
– Speakerphone
– Web access
SAN Security Considerations
(Diagram: servers on the IP network attached to a SAN)
Specialized network that enables fast, reliable access among servers and external storage resources
SAN Transport Technologies
• Fibre Channel – the primary SAN transport for host-to-SAN connectivity
• iSCSI – maps SCSI over TCP/IP and is another host-to-SAN connectivity model
• FCIP – a popular SAN-to-SAN connectivity model
(Diagram: hosts on the LAN reaching the SAN over Fibre Channel or iSCSI; two SANs linked by FCIP)
World Wide Name
• A 64-bit address that Fibre Channel networks use to
uniquely identify each element in a Fibre Channel network
• Zoning can utilize WWNs to assign security permissions
• The WWN of a device is a user-configurable parameter.
(Photo: Cisco MDS 9020 Fabric Switch)
Zoning Operation
• Zone members see only other members of the zone.
• Zones can be configured dynamically based on WWN.
• Devices can be members of more than one zone.
• Switched fabric zoning can take place at the port or device level: based on physical switch port, based on device WWN, or based on LUN ID.
(Diagram, an example of zoning: Host1, Disk1, Disk2 and Disk3 in ZoneA and ZoneC; Host2 and Disk4 in ZoneB. Note that devices can be members of more than one zone.)
Virtual Storage Area Network (VSAN)
Physical SAN islands are virtualized onto common SAN infrastructure (Cisco MDS 9000 Family with VSAN Service).
Security Focus
(Diagram: the areas of SAN security focus)
• SAN management access
• Fabric access
• Target access
• SAN protocol
• IP storage access
• Data integrity and secrecy
SAN Management
Three main areas of vulnerability:
1. Disruption of switch processing
2. Compromised fabric stability
3. Compromised data integrity and confidentiality
Fabric and Target Access
Three main areas of focus:
• Application data integrity
• LUN integrity
• Application performance
VSANs
Relationship of VSANs to Zones
Two VSANs each with multiple zones. Disks and hosts are dedicated to VSANs although both hosts and disks can belong to multiple zones within a single VSAN. They cannot, however, span VSANs.
(Diagram, physical topology: VSAN 2 contains Host1, Disk1, Disk2 and Disk3 in ZoneA and ZoneC; VSAN 3 contains Host2, Host3, Host4, Disk4, Disk5 and Disk6 in ZoneA, ZoneB and ZoneD)
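The zoning rules from the Zoning Operation slide and the VSAN rules above can be written down as a small model and queried: which device can reach which. The following is an added example, not course material and not code from Cisco MDS switches. It mirrors the two-VSAN diagram, but the WWNs, switch ports and the exact zone memberships are constructed assumptions, since the diagram does not give them.

```python
"""Model Fibre Channel zoning inside VSANs and check which devices can see each other.

Added example, not from the course or any Cisco MDS code: the devices, WWNs,
ports and zone memberships are constructed to mirror the two-VSAN diagram.
Rules encoded: a zone member sees only other members of that zone; a device may
sit in several zones; a zone member may be identified by switch port or by WWN;
a zone cannot span VSANs, and devices in different VSANs never see each other.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Device:
    name: str
    wwn: str    # 64-bit World Wide Name as eight colon-separated bytes
    port: str   # switch port the device is cabled to, e.g. "fc1/1"


@dataclass
class Zone:
    name: str
    members: frozenset   # of ("wwn", value) or ("port", value) tuples


def _matches(device, member):
    kind, value = member
    return (kind == "wwn" and device.wwn == value) or (kind == "port" and device.port == value)


@dataclass
class VSAN:
    vsan_id: int
    devices: dict = field(default_factory=dict)   # name -> Device
    zones: list = field(default_factory=list)

    def add_device(self, device):
        self.devices[device.name] = device

    def add_zone(self, zone):
        """Reject a zone whose members are not all attached to this VSAN."""
        for member in zone.members:
            if not any(_matches(d, member) for d in self.devices.values()):
                raise ValueError(f"zone {zone.name}: member {member} is not in VSAN {self.vsan_id}")
        self.zones.append(zone)

    def zones_of(self, name):
        device = self.devices[name]
        return {z.name for z in self.zones if any(_matches(device, m) for m in z.members)}

    def can_see(self, a, b):
        """Zone members see only other members of a zone they share."""
        return a != b and bool(self.zones_of(a) & self.zones_of(b))


def wwn(last):
    """Constructed WWN; only the last byte varies between devices."""
    return f"10:00:00:00:c9:00:00:{last:02x}"


def build_fabric():
    """The two-VSAN layout of the diagram, with constructed membership."""
    v2, v3 = VSAN(2), VSAN(3)
    layout = [(v2, "Host1", "fc1/1"), (v2, "Disk1", "fc1/2"), (v2, "Disk2", "fc1/3"), (v2, "Disk3", "fc1/4"),
              (v3, "Host2", "fc2/1"), (v3, "Host3", "fc2/2"), (v3, "Host4", "fc2/3"),
              (v3, "Disk4", "fc2/4"), (v3, "Disk5", "fc2/5"), (v3, "Disk6", "fc2/6")]
    for i, (vsan, name, port) in enumerate(layout, start=1):
        vsan.add_device(Device(name, wwn(i), port))
    d = {**v2.devices, **v3.devices}
    # VSAN 2: ZoneA by WWN, ZoneC by switch port; Host1 is a member of both.
    v2.add_zone(Zone("ZoneA", frozenset({("wwn", d["Host1"].wwn), ("wwn", d["Disk1"].wwn), ("wwn", d["Disk2"].wwn)})))
    v2.add_zone(Zone("ZoneC", frozenset({("port", "fc1/1"), ("port", "fc1/4")})))
    # VSAN 3: the name ZoneA recurs because zones are scoped to their VSAN.
    v3.add_zone(Zone("ZoneB", frozenset({("wwn", d["Host2"].wwn), ("wwn", d["Disk4"].wwn)})))
    v3.add_zone(Zone("ZoneA", frozenset({("wwn", d["Host3"].wwn), ("wwn", d["Disk5"].wwn)})))
    v3.add_zone(Zone("ZoneD", frozenset({("wwn", d["Host4"].wwn), ("wwn", d["Disk5"].wwn), ("wwn", d["Disk6"].wwn)})))
    return {2: v2, 3: v3}


def fabric_can_see(fabric, a, b):
    """True only if a and b sit in the same VSAN and share at least one zone in it."""
    home = {name: vsan for vsan in fabric.values() for name in vsan.devices}
    return home[a] is home[b] and home[a].can_see(a, b)


if __name__ == "__main__":
    fabric = build_fabric()
    for pair in [("Host1", "Disk1"), ("Host1", "Disk3"), ("Disk1", "Disk3"), ("Host1", "Disk4")]:
        print(pair, fabric_can_see(fabric, *pair))
```

In the constructed fabric Host1 reaches Disk1 through the WWN-based ZoneA and Disk3 through the port-based ZoneC, Disk1 and Disk3 share no zone and cannot see each other, and Host1 never reaches Disk4 because it lives in VSAN 3. Adding a zone that names a VSAN 3 device to VSAN 2 is rejected. The two member kinds also differ in what they trust: a port-based member is tied to the physical switch port, while a WWN-based member follows whatever WWN the attached device presents, which matters because the WWN is a user-configurable parameter, as the World Wide Name slide notes.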
iSCSI and FCIP
• iSCSI leverages many of the security features inherent in Ethernet and IP:
– ACLs are like Fibre Channel zones
– VLANs are like Fibre Channel VSANs
– 802.1X port security is like Fibre Channel port security
• FCIP security leverages many IP security features in Cisco IOS-based routers:
– IPsec VPN connections through public carriers
– High-speed encryption services in specialized hardware
– Can be run through a firewall
Summary
• At Layer 2, a number of vulnerabilities exist that require specialized mitigation techniques.
• MAC address spoofing attacks are minimized with port security.
• STP manipulation attacks are handled by BPDU guard and root guard.
• MAC address table overflow attacks are addressed with port security, BPDU guard, and root guard.
• Storm control is used to mitigate LAN storm attacks.
• VLAN attacks are controlled by disabling DTP and following basic guidelines for configuring trunk ports.
Summary
• Port security provides a baseline security solution at the Access Layer.
• Port security is verified using CLI show commands and the mac address-table notification command.
• BPDU guard and root guard are designed to mitigate STP attacks.
• SPAN enables port mirroring, which allows traffic to be monitored through a switch.
• RSPAN extends the functionality of SPAN to multiple switches and the trunks connecting them.
• Recommended Layer 2 practices, especially for VLAN and trunk configurations, greatly improve Layer 2 security.
Summary
• Modern enterprise networks deploy wireless, VoIP, and SAN devices that require specialized security solutions.
• Wireless technologies are the most prone to network attacks. A number of technologies have evolved to mitigate these attacks.
• With the increased adoption of VoIP, several security considerations specific to VoIP technology have emerged. Recent advances in VoIP security address many of these concerns.
• SAN technology enables faster, easier, more reliable access to data. Securing data is paramount, so technologies have been developed specifically to secure SANs and ensure data integrity and secrecy.
Files attached to this document:
- ccna_security_chapter_6_securing_the_local_area_network_1337_4653.pdf