• Describe endpoint security with IronPort.
• Describe endpoint security with Network Admission Control.
• Describe endpoint security with Cisco Security Agent.
• Describe MAC address spoofing attacks, STP manipulation attacks, MAC address table overflow attacks, LAN storm attacks, and VLAN attacks.
• Describe specific mitigation techniques for Layer 2 attacks.
• Configure port security, BPDU guard, root guard, storm control, SPAN, RSPAN and PVLAN Edge.
• Describe wireless, VoIP, and SAN security considerations.
• Describe wireless, VoIP, and SAN security solutions.
Lecture slides: CCNA Security - Chapter 6: Securing the Local Area Network (143 pages)
longer a normal switch port; only looped-back traffic passes through the reflector port.
• You can configure any VLAN as an RSPAN VLAN as long as these conditions are met:
– The RSPAN VLAN is not configured as a native VLAN.
– Extended range RSPAN VLANs will not be propagated to other switches using VTP.
– No access port is configured in the RSPAN VLAN.
– All participating switches support RSPAN.
• The RSPAN VLAN cannot be VLAN 1 (the default VLAN) or VLAN IDs 1002 through 1005 (reserved for Token Ring and FDDI VLANs).
• You should create an RSPAN VLAN before configuring an RSPAN source or destination session.
• If you enable VTP and VTP pruning, RSPAN traffic is pruned in the trunks to prevent the unwanted flooding of RSPAN traffic across the network for VLAN IDs that are lower than 1005.
Configuring PVLAN Edge
• The Private VLAN (PVLAN) Edge feature, also known as protected ports, ensures that there is no exchange of unicast, broadcast, or multicast traffic between protected ports on the switch.
• For the characteristics of PVLAN Edge, refer to 6.3.7.1.
Configuring PVLAN Edge
• To configure the PVLAN Edge feature, enter the command switchport protected in interface configuration mode.
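The RSPAN conditions and the switchport protected command above, applied to a two-switch topology (an added example written for this page, not configuration from the slides; the RSPAN VLAN number, interface names, guest VLAN and session numbers are assumed):

```cisco
! --- Source switch (SW1): mirror access port Fa0/5 into RSPAN VLAN 900 ---
! VLAN 900 is an assumed value: it is not VLAN 1, not 1002-1005 and not the
! native VLAN, and it must exist on every switch in the path before the
! monitor sessions are created.
vlan 900
 name RSPAN-MONITOR
 remote-span
!
monitor session 1 source interface FastEthernet0/5 both
monitor session 1 destination remote vlan 900
! Older platforms (2950/3550) need a dedicated reflector port instead:
! monitor session 1 destination remote vlan 900 reflector-port FastEthernet0/23
!
! If the uplink trunk restricts its VLAN list, VLAN 900 must be added to it;
! no access port anywhere may be placed in VLAN 900.
interface GigabitEthernet0/1
 switchport trunk allowed vlan add 900
!
! --- Destination switch (SW2): deliver RSPAN VLAN 900 to the analyzer on Fa0/24 ---
vlan 900
 name RSPAN-MONITOR
 remote-span
!
monitor session 1 source remote vlan 900
monitor session 1 destination interface FastEthernet0/24
!
! --- PVLAN Edge on SW2: guest ports in VLAN 20 must not reach each other ---
! Protected ports exchange no unicast, broadcast or multicast traffic with other
! protected ports on the same switch; traffic to unprotected ports (the uplink,
! the default gateway) still flows. The isolation does not extend across switches.
interface range FastEthernet0/10 - 12
 switchport mode access
 switchport access vlan 20
 switchport protected
!
! Verification (privileged EXEC)
! show vlan remote-span
! show monitor session 1
! show interfaces FastEthernet0/10 switchport | include Protected
```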
Recommended Practices for Layer 2
1. Manage switches in as secure a manner as possible (SSH, out-of-band management, ACLs, etc.)
2. Set all user ports to non-trunking mode (except if using Cisco VoIP)
3. Use port security where possible for access ports
4. Enable STP attack mitigation (BPDU guard, root guard)
5. Use Cisco Discovery Protocol only where necessary – with phones it is useful
6. Configure PortFast on all non-trunking ports
7. Configure root guard on STP root ports
8. Configure BPDU guard on all non-trunking ports
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
VLAN Practices
9. Always use a dedicated, unused native VLAN ID for trunk ports
10. Do not use VLAN 1 for anything
11. Disable all unused ports and put them in an unused VLAN
12. Manually configure all trunk ports and disable DTP on trunk ports
13. Configure all non-trunking ports with switchport mode access
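The thirteen practices above collected into one access-switch configuration (an added example, not from the slides; VLAN numbers, interface ranges and the management subnet are assumed, and on switches that also support ISL, switchport trunk encapsulation dot1q must precede switchport mode trunk). Practice 5 keeps CDP on because the phone ports need it, and storm control from the chapter objectives is added on the same ports.

```cisco
! Assumed names/numbers: data VLAN 10, voice VLAN 110, dedicated native VLAN 998,
! black-hole VLAN 999 for unused ports, management subnet 10.1.99.0/24.
vlan 10
 name DATA
vlan 110
 name VOICE
vlan 998
 name NATIVE-UNUSED
vlan 999
 name BLACKHOLE
! Practice 1: SSH-only management, restricted by ACL (RSA key pair assumed generated).
ip ssh version 2
access-list 10 permit 10.1.99.0 0.0.0.255
line vty 0 4
 transport input ssh
 access-class 10 in
! Practices 2, 3, 4, 6, 8, 13: user ports are access ports with port security
! (one MAC for the phone on the voice VLAN, one for the PC), PortFast, BPDU guard
! and broadcast storm control. CDP stays on for the IP phones (practice 5).
interface range FastEthernet0/1 - 20
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 20
! Practice 11: unused ports shut down and parked in the black-hole VLAN.
interface range FastEthernet0/21 - 24
 switchport mode access
 switchport access vlan 999
 shutdown
! Practices 9, 10, 12: manual trunk, DTP off, unused native VLAN, VLAN 1 not carried.
interface GigabitEthernet0/1
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 998
 switchport trunk allowed vlan 10,110
! Practice 7: root guard on the designated port toward a switch that must never
! become root (here a downlink to another access switch), not on the uplink to the root.
interface GigabitEthernet0/2
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 998
 switchport trunk allowed vlan 10,110
 spanning-tree guard root
```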
Overview of Wireless, VoIP Security
Overview of SAN Security
Infrastructure-Integrated Approach
• Proactive threat and intrusion detection capabilities that do not simply detect wireless attacks but prevent them
• Comprehensive protection to safeguard confidential data and communications
• Simplified user management with a single user identity and policy
• Collaboration with wired security systems
Cisco IP Telephony Solutions
• Single-site deployment
• Centralized call processing with remote branches
• Distributed call-processing deployment
• Clustering over the IP WAN
Storage Network Solutions
• Investment protection
• Virtualization
• Security
• Consolidation
• Availability
Cisco Wireless LAN Controllers
• Responsible for system-wide wireless LAN functions
• Work in conjunction with APs and the Cisco Wireless Control System (WCS) to support wireless applications
• Smoothly integrate into existing enterprise networks
Wireless Hacking
• War driving
• A neighbor hacks into another neighbor’s wireless network to get free Internet access or access information
• Free Wi-Fi provides an opportunity to compromise the data of users
Hacking Tools
• Network Stumbler
• Kismet
• AirSnort
• CoWPAtty
• ASLEAP
• Wireshark
Wireless Security Solutions
• Wireless networks using WEP or WPA/TKIP are not very secure and are vulnerable to hacking attacks.
• Wireless networks using WPA2/AES should have a passphrase at least 21 characters long.
• If an IPsec VPN is available, use it on any public wireless LAN.
• If wireless access is not needed, disable the wireless radio or wireless NIC.
VoIP Business Advantages
• Little or no training costs
• No major set-up fees
• Lower telecom call costs
• Productivity increases
• Lower costs to move, add, or change
• Lower ongoing service and maintenance costs
• Enables unified messaging
• Encryption of voice calls is supported
• Fewer administrative personnel required
Figure: the PSTN connected to the VoIP network through a gateway.
VoIP Components
Figure: Cisco Unified Communications Manager (call agent), an MCU, Cisco Unity, IP phones and a videoconference station on the IP backbone, connected to the PSTN through routers/gateways.
VoIP Protocols
Protocol – Description
H.323 – ITU standard protocol for interactive conferencing; evolved from the H.320 ISDN standard; flexible, complex
MGCP – Emerging IETF standard for PSTN gateway control; thin device control
Megaco/H.248 – Joint IETF and ITU standard for gateway control with support for multiple gateway types; evolved from the MGCP standard
SIP – IETF protocol for interactive and noninteractive conferencing; simpler but less mature than H.323
RTP – IETF standard media-streaming protocol
RTCP – IETF protocol that provides out-of-band control information for an RTP flow
SRTP – IETF protocol that encrypts RTP traffic as it leaves the voice device
SCCP – Cisco proprietary protocol used between Cisco Unified Communications Manager and Cisco IP phones
Threats
• Reconnaissance
• Directed attacks such as spam over IP telephony (SPIT) and spoofing
• DoS attacks such as DHCP starvation, flooding, and fuzzing
• Eavesdropping and man-in-the-middle attacks
VoIP SPIT (VoIP Spam)
• If SPIT grows like spam, it could result in regular DoS problems for network administrators.
• Antispam methods do not block SPIT.
• Authenticated TLS stops most SPIT attacks because TLS endpoints accept packets only from trusted devices.
Illustration: a SPIT message reading “You’ve just won an all expenses paid vacation to the U.S. Virgin Islands!!!”
Fraud
• Fraud takes several forms:
– Vishing: a voice version of phishing that is used to compromise confidentiality.
– Theft and toll fraud: the stealing of telephone services.
• Use features of Cisco Unified Communications Manager to protect against fraud:
– Partitions limit which parts of the dial plan certain phones have access to.
– Dial plan filters control access to exploitable phone numbers.
– Forced authorization codes (FACs) prevent unauthorized calls and provide a mechanism for tracking.
SIP Vulnerabilities
• Registration hijacking: allows a hacker to intercept incoming calls and reroute them.
• Message tampering: allows a hacker to modify data packets traveling between SIP addresses.
• Session tear-down: allows a hacker to terminate calls or carry out VoIP-targeted DoS attacks.
Figure: SIP servers/services (registrars, location database, SIP proxy) between two groups of SIP user agents.
Using VLANs
• Creates a separate broadcast domain for voice traffic
• Protects against eavesdropping and tampering
• Renders packet-sniffing tools less effective
• Makes it easier to implement VLAN ACLs (VACLs) that are specific to voice traffic
Figure: an IP phone (10.1.110.3) in voice VLAN 110 and a desktop PC in data VLAN 10 share switch port 5/1; the switch connects onward over an 802.1Q trunk (171.1.1.1).
Voice VLAN
Using Cisco ASA Adaptive Security Appliances
• Ensure SIP, SCCP, H.323, and MGCP requests conform to standards
• Prevent inappropriate SIP methods from being sent to Cisco Unified Communications Manager
• Rate limit SIP requests
• Enforce call policy (whitelist, blacklist, caller/called party, SIP URI)
• Dynamically open ports for Cisco applications
• Enable only “registered phones” to make calls
• Enable inspection of encrypted phone calls
Figure: Cisco Adaptive Security Appliances placed between the Internet/WAN and the telephony network.
Using VPNs
• Use IPsec for authentication
• Use IPsec to protect all traffic, not just voice
• Consider an SLA with the service provider
• Terminate on a VPN concentrator or large router inside the firewall to gain these benefits:
– Performance
– Reduced configuration complexity
– Managed organizational boundaries
Figure: telephony servers behind the firewall, the IP WAN, and a remote SRST router.
Using Cisco Unified Communications Manager
• Signed firmware
• Signed configuration files
• Disable:
– PC port
– Setting button
– Speakerphone
– Web access
SAN Security Considerations
A SAN is a specialized network that enables fast, reliable access among servers and external storage resources.
Figure: a SAN alongside the IP network.
SAN Transport Technologies
• Fibre Channel – the primary SAN transport for host-to-SAN connectivity
• iSCSI – maps SCSI over TCP/IP and is another host-to-SAN connectivity model
• FCIP – a popular SAN-to-SAN connectivity model
World Wide Name
• A 64-bit address that Fibre Channel networks use to uniquely identify each element in a Fibre Channel network
• Zoning can utilize WWNs to assign security permissions
• The WWN of a device is a user-configurable parameter, so zoning based on WWN alone is not a strong form of device authentication.
Figure: Cisco MDS 9020 Fabric Switch
Zoning Operation
• Zone members see only other members of the zone.
• Zones can be configured dynamically based on WWN.
• Devices can be members of more than one zone.
• Switched fabric zoning can take place at the port or device level: based on physical switch port, based on device WWN, or based on LUN ID.
Figure: an example of zoning in a SAN (Host1, Host2, Disk1 to Disk4; ZoneA, ZoneB, ZoneC). Note that devices can be members of more than one zone.
Virtual Storage Area Network (VSAN)
Physical SAN islands are virtualized onto a common SAN infrastructure.
Figure: Cisco MDS 9000 Family with VSAN Service
Security Focus
Figure: areas of a secure SAN: SAN management access, fabric access, target access, SAN protocol, IP storage access, and data integrity and secrecy.
SAN Management
Three main areas of vulnerability:
1. Disruption of switch processing
2. Compromised fabric stability
3. Compromised data integrity and confidentiality
Fabric and Target Access
Three main areas of focus:
• Application data integrity
• LUN integrity
• Application performance
VSANs
Relationship of VSANs to Zones: two VSANs, each with multiple zones. Disks and hosts are dedicated to VSANs, although both hosts and disks can belong to multiple zones within a single VSAN. They cannot, however, span VSANs.
Figure (physical topology): VSAN 2 contains Host1 and Disk1 to Disk3 in ZoneA and ZoneC; VSAN 3 contains Host2 to Host4 and Disk4 to Disk6 in ZoneA, ZoneB, and ZoneD.
iSCSI and FCIP
• iSCSI leverages many of the security features inherent in Ethernet and IP:
– ACLs are like Fibre Channel zones
– VLANs are like Fibre Channel VSANs
– 802.1X port security is like Fibre Channel port security
• FCIP security leverages many IP security features in Cisco IOS-based routers:
– IPsec VPN connections through public carriers
– High-speed encryption services in specialized hardware
– Can be run through a firewall
Summary
• At Layer 2, a number of vulnerabilities exist that require specialized mitigation techniques.
• MAC address spoofing attacks are minimized with port security.
• STP manipulation attacks are handled by BPDU guard and root guard.
• MAC address table overflow attacks are addressed with port security, BPDU guard, and root guard.
• Storm control is used to mitigate LAN storm attacks.
• VLAN attacks are controlled by disabling DTP and following basic guidelines for configuring trunk ports.
Summary
• Port security provides a baseline security solution at the Access Layer.
• Port security is verified using CLI show commands and the mac address-table notification command.
• BPDU guard and root guard are designed to mitigate STP attacks.
• SPAN enables port mirroring, which allows traffic to be monitored through a switch.
• RSPAN extends the functionality of SPAN to multiple switches and the trunks connecting them.
• Recommended Layer 2 practices, especially for VLAN and trunk configurations, greatly improve Layer 2 security.
Summary
• Modern enterprise networks deploy wireless, VoIP, and SAN devices that require specialized security solutions.
• Wireless technologies are the most prone to network attacks. A number of technologies have evolved to mitigate these attacks.
• With the increased adoption of VoIP, several security considerations specific to VoIP technology have emerged. Recent advances in VoIP security address many of these concerns.
• SAN technology enables faster, easier, more reliable access to data. Securing data is paramount, so technologies have been developed specifically to secure SANs and ensure data integrity and secrecy.