Bài giảng CCNA Security - Chapter 6: Securing the Local Area Network

longer a normal switch port; only looped-back traffic passes through the reflector port. • You can configure any VLAN as an RSPAN VLAN as long as these conditions are met: – The RSPAN VLAN is not configured as a native VLAN. – Extended range RSPAN VLANs will not be propagated to other switches using VTP. – No access port is configured in the RSPAN VLAN. – All participating switches support RSPAN. • The RSPAN VLAN cannot be VLAN 1 (the default VLAN) or VLAN IDs 1002 through 1005 (reserved to Token Ring and FDDI VLANs). • You should create an RSPAN VLAN before configuring an RSPAN source or destination session. • If you enable VTP and VTP pruning, RSPAN traffic is pruned in the trunks to prevent the unwanted flooding of RSPAN traffic across the network for VLAN-IDs that are lower than 1005. Configuring PVLAN Edge • The Private VLAN (PVLAN) Edge feature, also known as protected ports, ensures that there is no exchange of unicast, broadcast, or multicast traffic between ports on the switch. • The characteristics of PVLAN Edge. Refer to 6.3.7.1 Configuring PVLAN Edge • To configure the PVLAN Edge feature, enter the command switchport protected in interface configuration mode. Reconmmended Practices for Layer 2 1. Manage switches in as secure a manner as possible (SSH, out-of-band management, ACLs, etc.) 2. Set all user ports to non-trunking mode (except if using Cisco VoIP) 3. Use port security where possible for access ports 4. Enable STP attack mitigation (BPDU guard, root guard) 5. Use Cisco Discovery Protocol only where necessary – with phones it is useful 6. Configure PortFast on all non-trunking ports 7. Configure root guard on STP root ports 8. Configure BPDU guard on all non-trunking ports Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com VLAN Practices 9. Always use a dedicated, unused native VLAN ID for trunk ports 10.Do not use VLAN 1 for anything 11.Disable all unused ports and put them in an unused VLAN 12.Manually configure all trunk ports and disable DTP on trunk ports 13.Configure all non-trunking ports with switchport mode access Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Overview of Wireless, VoIP Security Wireless VoIP Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Overview of SAN Security SAN Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Infrastructure-Integrated Approach • Proactive threat and intrusion detection capabilities that do not simply detect wireless attacks but prevent them • Comprehensive protection to safeguard confidential data and communications • Simplified user management with a single user identity and policy • Collaboration with wired security systems Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Cisco IP Telephony Solutions • Single-site deployment • Centralized call processing with remote branches • Distributed call- processing deployment • Clustering over the IPWAN Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Storage Network Solutions • Investment protection • Virtualization • Security • Consolidation • Availability Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Cisco Wireless LAN Controllers • Responsible for system-wide wireless LAN functions • Work in conjunction with Aps and the Cisco Wireless Control System (WCS) to support wireless applications • Smoothly integrate into existing enterprise networks Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Wireless Hacking • War driving • A neighbor hacks into another neighbor’s wireless network to get free Internet access or access information • Free Wi-Fi provides an opportunity to compromise the data of users Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Hacking Tools • Network Stumbler • Kismet • AirSnort • CoWPAtty • ASLEAP • Wireshark Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Wireless Security Solutions • Wireless networks using WEP or WPA/TKIP are not very secure and vulnerable to hacking attacks. • Wireless networks using WPA2/AES should have a passphrase of at least 21 characters long. • If an IPsec VPN is available, use it on any public wireless LAN. • If wireless access is not needed, disable the wireless radio or wireless NIC. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com VoIP Business Advantages • Little or no training costs • Mo major set-up fees PSTN VoIP Gateway • Lower telecom call costs • Productivity increases • Lower costs to move, add, or change • Lower ongoing service and maintenance costs • Enables unified messaging • Encryption of voice calls is supported • Fewer administrative personnel required Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com VoIP Components Cisco Unified Communications Manager (Call Agent) MCU IP Backbone PSTN Cisco Unity IP Phone IP Phone Videoconference Station Router/ Gateway Router/ Gateway Router/ Gateway Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com VoIP Protocols VoIP Protocol Description H.323 ITU standard protocol for interactive conferencing; evolved from H.320 ISDN standard; flexible, complex MGCP Emerging IETF standard for PSTN gateway control; thin device control Megaco/H.248 Joint IETF and ITU standard for gateway control with support for multiple gateway types; evolved from MGCP standard SIP IETF protocol for interactive and noninteractive conferencing; simpler but less mature than H.323 RTP ETF standard media-streaming protocol RTCP IETF protocol that provides out-of-band control information for an RTP flow SRTP IETF protocol that encrypts RTP traffic as it leaves the voice device SCCP Cisco proprietary protocol used between Cisco Unified Communications Manager and Cisco IP phones Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Threats • Reconnaissance • Directed attacks such as spam over IP telephony (SPIT) and spoofing • DoS attacks such as DHCP starvation, flooding, and fuzzing • Eavesdropping and man-in-the-middle attacks Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com VoIP SPIT (VoIP Spam) • If SPIT grows like spam, it could result in regular DoS problems for network administrators. • Antispam methods do not block SPIT. • Authenticated TLS stops most SPIT attacks because TLS endpoints accept packets only from trusted devices. You’ve just won an all expenses paid vacation to the U.S. Virgin Islands !!! Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Fraud • Fraud takes several forms: – Vishing—A voice version of phishing that is used to compromise confidentiality. – Theft and toll fraud —The stealing of telephone services. • Use features of Cisco Unified Communications Manager to protect against fraud. – Partitions limit what parts of the dial plan certain phones have access to. – Dial plans filter control access to exploitive phone numbers. – FACs prevent unauthorized calls and provide a mechanism for tracking. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com SIP Vulnerabilities • Registration hijacking: Allows a hacker to intercept incoming calls and reroute them. • Message tampering: Allows a hacker to Registrar Registrar Location Database SIP Servers/Services modify data packets traveling between SIP addresses. • Session tear-down: Allows a hacker to terminate calls or carry out VoIP-targeted DoS attacks. SIP Proxy SIP User Agents SIP User Agents Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Using VLANs Voice VLAN = 110 Data VLAN = 10 IP phone 10.1.110.3 Desktop PC 5/1 • Creates a separate broadcast domain for voice traffic • Protects against eavesdropping and tampering • Renders packet-sniffing tools less effective • Makes it easier to implement (Vlan ACL) VACLs that are specific to voice traffic 802.1Q Trunk 171.1.1.1 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Voice VLAN Học viện mạng Bach Khoa - Website: www.bkacad.com 125 Using Cisco ASA Adaptive Security Appliances • Ensure SIP, SCCP, H.323, and MGCP requests conform to standards • Prevent inappropriate SIP methods from being sent to Cisco Unified Communications Manager • Rate limit SIP requests • Enforce policy of calls (whitelist, blacklist, caller/called party, SIP URI) • Dynamically open ports for Cisco applications • Enable only “registered phones” to make calls • Enable inspection of encrypted phone calls Internet WAN Cisco Adaptive Security Appliance Cisco Adaptive Security Appliance Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Using VPNs • Use IPsec for authentication • Use IPsec to protect all traffic, not just voice • Consider SLA with service provider Telephony Servers • Terminate on a VPN concentrator or large router inside of firewall to gain these benefits: • Performance • Reduced configuration complexity • Managed organizational boundaries IP WAN SRST Router Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Using Cisco Unified Communications Manager • Signed firmware • Signed configuration files • Disable: – PC port – Setting button – Speakerphone – Web access Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com SAN Security Considerations SAN IP Network Specialized network that enables fast, reliable access among servers and external storage resources Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com SAN Transport Technologies • Fibre Channel – the primary SAN transport for host-to-SAN connectivity • iSCSI – maps SCSI over TCP/IP and is another host-to-SAN connectivity LAN model • FCIP – a popular SAN-to- SAN connectivity model Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com World Wide Name • A 64-bit address that Fibre Channel networks use to uniquely identify each element in a Fibre Channel network • Zoning can utilize WWNs to assign security permissions • The WWN of a device is a user-configurable parameter. Cisco MDS 9020 Fabric Switch Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Zoning Operation • Zone members see only other members of the zone. • Zones can be configured dynamically based on WWN. • Devices can be members of more than one zone. • Switched fabric zoning can take SAN Disk1Host1 Disk2 Disk3 ZoneA ZoneC place at the port or device level: based on physical switch port or based on device WWN or based on LUN ID. Host2Disk4 ZoneB An example of Zoning. Note that devices can be members of more than 1 zone. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Virtual Storage Area Network (VSAN) Physical SAN islands are virtualized onto common SAN infrastructure Cisco MDS 9000 Family with VSAN Service Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Security Focus SAN Target AccessSAN Protocol SAN Management Access Secure SAN IP Storage access Data Integrity and Secrecy Fabric Access Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com SAN Management Three main areas of vulnerability: 1. Disruption of switch processing 2. Compromised fabric stability 3. Compromised data integrity and confidentiality Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Fabric and Target Access Three main areas of focus: • Application data integrity • LUN integrity • Application performance Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com VSANs Two VSANs each with multiple zones. Disks and hosts are dedicated to VSANs although both hosts and disks can belong to Physical Topology VSAN 2 Disk1Host1 Disk2 Disk3 ZoneA ZoneC Relationship of VSANs to Zones multiple zones within a single VSAN. They cannot, however, span VSANs.VSAN 3 Host2Disk4 Disk6 Disk5 Host4 Host3 ZoneB ZoneA ZoneD Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com iSCSI and FCIP • iSCSI leverages many of the security features inherent in Ethernet and IP –ACLs are like Fibre Channel zones –VLANs are like Fibre Channel VSANs –802.1X port security is like Fibre Channel port security • FCIP security leverages many IP security features in Cisco IOS-based routers: –IPsec VPN connections through public carriers –High-speed encryption services in specialized hardware –Can be run through a firewall Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com iSCSI and FCIP • iSCSI leverages many of the security features inherent in Ethernet and IP –ACLs are like Fibre Channel zones –VLANs are like Fibre Channel VSANs –802.1X port security is like Fibre Channel port security • FCIP security leverages many IP security features in Cisco IOS-based routers: –IPsec VPN connections through public carriers –High-speed encryption services in specialized hardware –Can be run through a firewall Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Summary • At Layer 2, a number of Vulnerabilities exist that require specialized mitigation techniques. • MAC address spoofing attacks are minimized with port security. • STP manipulatoin attacks are handled by BPDU guard and root guard. • MAC address table overflow attacks are addressed with port security, BPDU guard, and root guard. • Storm control is used to miligate LAN storm attacks. • VLAN attacks are controlled by disabling DTP and • Following basic guidelines for configuring trunk ports. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Summary • Port security provides a baseline security solution at the Access Layer. • Port security is verified using CLI show commands and the mac address-table notification command. • BPDU guard and root guard are designed to mitigate STP attacks. • SPAN enables port mirroring, which allows tracffic to be monitored through a switch. • RSPAN extends the functionality of SPAN to multiple switches and the trunks connecting them. • Recommended Layer 2 practices, especially for VLAN and trunk configurations, greatly improve Layer 2 security. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Summary • Modern enterprise networks deploy wireless, VoIP, and SAN devices that require specialized security solutions. • Wireless technologies are the most prone to network attacks. A number of technologies have evolved to miligate these attacks. • With the increased adoption of VoIP, serveral security considerations specific to VoIP technology have emerged. Recent advances in VoIP security address many of these concerns. • SAN technology enables faster, easier, more reliable access to data. Securing data is paramount, so technologies have developed specificlly to secure SANs and ensure data integrity and secrecy. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com