Cisco security

Implementing Cisco Edge Network Security Solutions (300206) Module 1 Securing the Local Area Network

Lesson Planning • This lesson should take 3-4 hours to present • The lesson should include lecture, demonstrations, discussions and assessments • The lesson can be taught in person or using remote instruction

2

Major Concepts • Describe endpoint vulnerabilities and protection methods • Describe basic Catalyst switch vulnerabilities • Configure and verify switch security features, including port security and storm control • Describe the fundamental security considerations of Wireless, VoIP, and SANs

3

Lesson Objectives

Upon completion of this lesson, the successful participant will be able to: 1. Describe endpoint security and the enabling technologies 2. Describe how Cisco IronPort is used to ensure endpoint security 3. Describe how Cisco NAC products are used to ensure endpoint security 4. Describe how the Cisco Security Agent is used to ensure endpoint security 5. Describe the primary considerations for securing the Layer 2 infrastructure 6. Describe MAC address spoofing attacks and MAC address spoofing attack mitigation

4

Lesson Objectives

7. Describe MAC Address table overflow attacks and MAC Address table overflow attack mitigation 8. Describe STP manipulation attacks and STP manipulation attack mitigation 9. Describe LAN Storm attacks and LAN Storm attack mitigation 10. Describe VLAN attacks and VLAN attack mitigation 11. Describe how to configure port security 12. Describe how to verify port security 13. Describe how to configure and verify BPDU Guard and Root Guard 14. Describe how to configure and verify storm control 15. Describe and configure Cisco SPAN 16. Describe and configure Cisco RSPAN

5

Lesson Objectives

17. Describe the best practices for Layer 2 18. Describe the fundamental aspects of enterprise security for advanced technologies 19. Describe the fundamental aspects of wireless security and the enabling technologies 20. Describe wireless security solutions 21. Describe the fundamental aspects of VoIP security and the enabling technologies Reference: CIAG course on VoIP security. 22. Describe VoIP security solutions 23. Describe the fundamental aspects of SAN security and the enabling technologies 24. Describe SAN security solutions

6

Securing the LAN

Perimeter

MARS ACS

Areas of concentration: • Securing endpoints • Securing network infrastructure

Firewall

Internet VPN

IPS

Iron Port

Hosts Web Server

Email Server

DNS

LAN

7

Addressing Endpoint Security

Policy Compliance Infection Containment Secure Host

Threat Protection

Based on three elements: • Cisco Network Admission Control (NAC) • Endpoint protection • Network infection containment

8

Operating Systems

• Trusted code and trusted path – ensures that the Security Services integrity Basic of the operating system is not violated • Privileged context of execution – provides identity authentication and certain privileges based on the identity • Process memory protection and isolation – provides separation from other users and their data • Access control to resources – ensures confidentiality and integrity of data

9

Types of Application Attacks

Direct

Indirect

I have gained direct access to this application’s privileges

I have gained access to this system which is trusted by the other system, allowing me to access it.

10

Cisco Systems Endpoint Security Solutions Cisco Security Agent

IronPort

Cisco NAC

11

Cisco IronPort Products

IronPort products include: • E-mail security appliances for virus and spam control • Web security appliance for spyware filtering, URL filtering, and anti-malware • Security management appliance

12

IronPort C-Series

Before IronPort

After IronPort

Internet

Internet

Firewall

Firewall Encryption Platform

MTA

DLP Scanner

Antispam Antivirus

DLP Policy Manager

IronPort E-mail Security Appliance

Policy Enforcement Mail Routing Groupware

Users

Groupware

Users

13

IronPort S-Series

Before IronPort

After IronPort

Internet

Firewall

Internet

Firewall

Web Proxy Antispyware

IronPort SSeries

Antivirus Antiphishing URL Filtering Policy Management

Users Users

14

Cisco NAC

The purpose of NAC:  Allow only authorized and compliant systems to access the network  To enforce network security policy NAC Framework • Software module embedded within NACenabled products • Integrated framework leveraging multiple Cisco and NAC-aware vendor products

Cisco NAC Appliance • In-band Cisco NAC Appliance solution can be used on any switch or router platform • Self-contained, turnkey solution

15

The NAC Framework

Network Access Devices Hosts Attempting Network Access

Policy Server Decision Points and Remediation

Enforcement

Credentials

AAA Server Credentials

Vendor Servers

Credentials EAP/UDP, Cisco Trust Agent

EAP/802.1x Notification

HTTPS

RADIUS Access Rights Comply?

16

NAC Components • Cisco NAS

• Cisco NAA

Serves as an in-band or outof-band device for network access control

• Cisco NAM

Optional lightweight client for device-based registry scans in unmanaged environments

• Rule-set updates

Centralizes management for administrators, support personnel, and operators

Scheduled automatic updates for antivirus, critical hotfixes, and other applications

M G R

17

Cisco NAC Appliance Process

1.

THE GOAL

Host attempts to access a web page or uses an optional client. Network access is blocked until wired or wireless host provides login information.

Authentication Server

M G R

2.

Host is redirected to a login page. Cisco NAC Appliance validates username and password, also performs device and network scans to assess vulnerabilities on device.

3a.

Cisco NAM

Cisco NAS

3.

Device is noncompliant or login is incorrect. Host is denied access and assigned to a quarantine role with access to online remediation resources.

Intranet/ Network

The host is authenticated and optionally scanned for posture compliance

Quarantine Role

3b.

Device is “clean”. Machine gets on “certified devices list” and is granted access to network.

18

Access Windows

Scan is performed Login Screen

(types of checks depend on user role)

Scan fails Remediate

4.

19

CSA Architecture

Server Protected by Cisco Security Agent

Administration Workstation

Alerts

Events

SSL

Security Policy Management Center for Cisco Security Agent with Internal or External Database

20

CSA Overview

Application

File System Interceptor

Network Interceptor

Configuration Interceptor

Execution Space Interceptor

Rules Engine Rules and Policies

State

Allowed Request

Correlation Engine Blocked Request

21

CSA Functionality

Security Application

Network File System Interceptor Interceptor

Configuratio n Interceptor

Execution Space Interceptor

Distributed Firewall

X

―

―

―

Host Intrusion Prevention

X

―

―

X

Application Sandbox

―

X

X

X

Network Worm Prevention

X

―

―

X

File Integrity Monitor

―

X

X

―

Attack Phases

– Probe phase • Ping scans • Port scans – Penetrate phase • Transfer exploit code to target – Persist phase • Install new code • Modify configuration – Propagate phase • Attack other targets – Paralyze phase • Erase files • Crash system • Steal data

Server Protected by Cisco Security Agent

– – – –

File system interceptor Network interceptor Configuration interceptor Execution space interceptor

CSA Log Messages

Layer 2 Security

Perimeter

MARS ACS

Firewall

Internet VPN

IPS

Iron Port

Hosts Web Server

Email Server

DNS

25

OSI Model

When it comes to networking, Layer 2 is often a very weak link. Application Stream

Application

Session Transport Network Data Link Physical

Presentation

Compromised

Presentation

Application

Session Protocols and Ports

Transport

IP Addresses

Network

Initial MACCompromise Addresses

Data Link

Physical Links

Physical

26

MAC Address Spoofing Attack

Switch Port

1

2

AABBcc

12AbDd

The switch keeps track of the endpoints by maintaining a MAC address table. In MAC spoofing, the attacker poses as another host—in this case, AABBcc

MAC Address: AABBcc

MAC Address: 12AbDd

Port 1 Port 2

MAC Address: AABBcc

Attacker

I have associated Ports 1 and 2 with the MAC addresses of the devices attached. Traffic destined for each device will be forwarded directly.

27

MAC Address Spoofing Attack

Switch Port 1

2

I have changed the MAC address on my computer to match the server.

1

2 AABBcc

AABBcc Attacker

MAC Address: Port 1 AABBcc

Port 2

MAC Address: AABBcc

The device with MAC address AABBcc has changed locations to Port2. I must adjust my MAC address table accordingly.

28

MAC Address Table Overflow Attack

The switch can forward frames between PC1 and PC2 without flooding because the MAC address table contains port-to-MAC-address mappings in the MAC address table for these PCs.

MAC Address Table Overflow Attack

2

1

Bogus addresses are added to the CAM table. CAM table is full. MAC X Y C

Port 3/25 3/25 3/25

3/25 MAC X 3/25 MAC Y 3/25 MAC Z XYZ

3/25 VLAN 10

VLAN 10

flood

Intruder runs macof to begin sending unknown bogus MAC addresses.

Host C

VLAN 10

3

The switch floods the frames.

A

C

4 Attacker sees traffic to servers B and D.

B

D

STP Manipulation Attack

Root Bridge Priority = 8192 MAC Address= 0000.00C0.1234

F

F F

F

F

• Spanning tree protocol operates by electing a root bridge • STP builds a tree topology • STP manipulation changes the topology of a network—the attacking host appears to be the root bridge

B

31

STP Manipulation Attack

Root Bridge Priority = 8192

F

F

F F

F

F

B

B

F F

F

F Root Bridge

Attacker

The attacking host broadcasts out STP configuration and topology change BPDUs. This is an attempt to force spanning tree recalculations.

32

LAN Storm Attack

Broadcast

Broadcast

Broadcast

Broadcast

Broadcast

Broadcast

• Broadcast, multicast, or unicast packets are flooded on all ports in the same VLAN. • These storms can increase the CPU utilization on a switch to 100%, reducing the performance of the network.

Storm Control

Total number of broadcast packets or bytes

VLAN Attacks

 Segmentatio n  Flexibility  Security

VLAN = Broadcast Domain = Logical Network (Subnet)

VLAN Attacks

802.1Q

VLAN 10

Trunk VLAN 20

Attacker sees traffic destined for servers

Server

Server

A VLAN hopping attack can be launched in two ways: • Spoofing DTP Messages from the attacking host to cause the switch to enter trunking mode • Introducing a rogue switch and turning trunking on

Double-Tagging VLAN Attack

1

Attacker on VLAN 10, but puts a 20 tag in the packet

2

The first switch strips off the first tag and does not retag it (native traffic is not retagged). It then forwards the packet to switch 2.

3

20

802.1Q, Frame

The second switch receives the packet, on the native VLAN

Trunk (Native VLAN = 10)

4 Note: This attack works only if the trunk has the same native VLAN as the attacker.

The second switch examines the packet, sees the VLAN 20 tag and forwards it accordingly.

Victim (VLAN 20)

Port Security Overview

MAC A

Port 0/1 allows MAC A Port 0/2 allows MAC B Port 0/3 allows MAC C

0/1 0/2 0/3 MAC A

MAC F

Attacker 1

Allows an administrator to statically specify MAC Addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses

Attacker 2

38

CLI Commands

Switch(config-if)# switchport mode access

• Sets the interface mode as access Switch(config-if)# switchport port-security

• Enables port security on the interface Switch(config-if)# switchport port-security maximum value

• Sets the maximum number of secure MAC addresses for the interface (optional)

39

Switchport Port-Security Parameters

Parameter

Description

mac-address mac-address

(Optional) Specify a secure MAC address for the port by entering a 48-bit MAC aaddress. You can add additional secure MAC addresses up to the maximum value configured.

vlan vlan-id

(Optional) On a trunk port only, specify the VLAN ID and the MAC address. If no VLAN ID is specified, the native VLAN is used.

vlan access

(Optional) On an access port only, specify the VLAN as an access VLAN.

vlan voice

(Optional) On an access port only, specify the VLAN as a voice VLAN

mac-address sticky [mac-address]

(Optional) Enable the interface for sticky learning by entering only the mac-address sticky keywords. When sticky learning is enabled, the interface adds all secure MAC addresses that are dynamically learned to the running configuration and converts these addresses to sticky secure MAC addresses. Specify a sticky secure MAC address by entering the mac-address sticky mac-address keywords..

maximum value

(Optional) Set the maximum number of secure MAC addresses for the interface. The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system. The active Switch Database Management (SDM) template determines this number. This number represents the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces. The default setting is 1.

vlan [vlan-list]

(Optional) For trunk ports, you can set the maximum number of secure MAC addresses on a VLAN. If the vlan keyword is not entered, the default value is used. n vlan: set a per-VLAN maximum value. n vlan vlan-list: set a per-VLAN maximum value on a range of VLANs separated by a hyphen or a series of VLANs separated by commas. For nonspecified VLANs, the per-VLAN maximum value is used.

Port Security Violation Configuration

Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}

• Sets the violation mode (optional) Switch(config-if)# switchport port-security mac-address mac-address

• Enters a static secure MAC address for the interface (optional) Switch(config-if)# switchport port-security mac-address sticky

• Enables sticky learning on the interface (optional)

41

Switchport Port-Security Violation Parameters Parameter Description protect

(Optional) Set the security violation protect mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.

restrict

(Optional) Set the security violation restrict mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred.

shutdown

(Optional) Set the security violation shutdown mode. In this mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and increments the violation counter. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecureviolation global configuration command, or you can manually re-enable it by entering the shutdown and no shut down interface configuration commands.

shutdown vlan

Set the security violation mode to per-VLAN shutdown. In this mode, only the VLAN on which the violation occurred is error-disabled.

Port Security Aging Configuration

Switch(config-if)# switchport port-security aging {static | time time | type {absolute | inactivity}}

• Enables or disables static aging for the secure port or sets the aging time or type

43

Switchport Port-Security Aging Parameters

Parameter

Description

static

Enable aging for statically configured secure addresses on this port.

time time

Specify the aging time for this port. The range is 0 to 1440 minutes. If the time is 0, aging is disabled for this port.

type absolute

Set absolute aging type. All the secure addresses on this port age out exactly after the time (minutes) specified and are removed from the secure address list.

type inactivity

Set the inactivity aging type. The secure addresses on this port age out only if there is no data traffic from the secure source address for the specified time period.

Typical Configuration

S 2

Switch(config-if)# switchport switchport switchport switchport switchport switchport

mode access port-security port-security port-security port-security port-security

PC B

maximum 2 violation shutdown mac-address sticky aging time 120

45

CLI Commands

sw-class# show port-security Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action (Count) (Count) (Count) --------------------------------------------------------------------------Fa0/12 2 0 0 Shutdown --------------------------------------------------------------------------Total Addresses in System (excluding one mac per port) : 0 Max Addresses limit in System (excluding one mac per port) : 1024

sw-class# show port-security Port Security : Port status : Violation mode : Maximum MAC Addresses : Total MAC Addresses : Configured MAC Addresses : Aging time : Aging type : SecureStatic address aging : Security Violation Count :

interface f0/12 Enabled Secure-down Shutdown 2 1 0 120 mins Absolute Disabled 0

46

View Secure MAC Addresses

sw-class# show port-security address Secure Mac Address Table ------------------------------------------------------------------Vlan Mac Address Type Ports Remaining Age (mins) --------------------------------1 0000.ffff.aaaa SecureConfigured Fa0/12 ------------------------------------------------------------------Total Addresses in System (excluding one mac per port) : 0 Max Addresses limit in System (excluding one mac per port) : 1024

47

MAC Address Notification

MAC B

F1/2

SNMP traps sent to NMS when new MAC addresses appear or when old ones time out.

NMS

F1/1 F2/1 MAC A

Switch CAM Table F1/1 = MAC A F1/2 = MAC B F2/1 = MAC D (address ages out)

MAC D is away from the network.

MAC address notification allows monitoring of the MAC addresses, at the module and port level, added by the switch or removed from the CAM table for secure ports.

48

Configure Portfast

Server

Workstatio n

Command

Description

Switch(config-if)# spanning-tree portfast

Enables PortFast on a Layer 2 access port and forces it to enter the forwarding stateimmediately.

Switch(config-if)# no spanning-tree portfast

Disables PortFast on a Layer 2 access port. PortFast is disabled by default.

Switch(config)# spanningtree portfast default

Globally enables the PortFast feature on all nontrunking ports.

Switch# show running-config interface type slot/port

Indicates whether PortFast has been configured on a port.

49

BPDU Guard

Root Bridge

F

F

F F

F

B BPDU Guard Enabled

Attacker

STP BPDU

Switch(config)# spanning-tree portfast bpduguard default

• Globally enables BPDU guard on all ports with PortFast enabled

50

Display the State of Spanning Tree

Switch# show spanning-tree summary totals Root bridge for: none. PortFast BPDU Guard is enabled UplinkFast is disabled BackboneFast is disabled Spanning tree default pathcost method used is short Name Blocking Listening Learning Forwarding STP Active -------------------- -------- --------- -------- ---------- --------1 VLAN 0 0 0 1 1

51

Root Guard

Root Bridge Priority = 0 MAC Address = 0000.0c45.1a5d

F

F F

F Root Guard Enabled

F

Attacker

F

B

STP BPDU Priority = 0 MAC Address = 0000.0c45.1234

Switch(config-if)# spanning-tree guard root

• Enables root guard on a per-interface basis

52

Verify Root Guard

Switch# show spanning-tree inconsistentports Name Interface Inconsistency -------------------- ---------------------- -----------------VLAN0001 FastEthernet3/1 Port Type Inconsistent VLAN0001 FastEthernet3/2 Port Type Inconsistent VLAN1002 FastEthernet3/1 Port Type Inconsistent VLAN1002 FastEthernet3/2 Port Type Inconsistent VLAN1003 FastEthernet3/1 Port Type Inconsistent VLAN1003 FastEthernet3/2 Port Type Inconsistent VLAN1004 FastEthernet3/1 Port Type Inconsistent VLAN1004 FastEthernet3/2 Port Type Inconsistent VLAN1005 FastEthernet3/1 Port Type Inconsistent VLAN1005 FastEthernet3/2 Port Type Inconsistent Number of inconsistent ports (segments) in the system :10

53

Storm Control Methods • Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic • Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received • Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received • Traffic rate in packets per second and for small frames. This feature is enabled globally. The threshold for small frames is configured for each interface.

54

Storm Control Configuration

Switch(config-if)# storm-control broadcast level 75.5 Switch(config-if)# storm-control multicast level pps 2k 1k Switch(config-if)# storm-control action shutdown

• Enables storm control • Specifies the level at which it is enabled • Specifies the action that should take place when the threshold (level) is reached, in addition to filtering traffic

55

Storm Control Parameters

Parameter

Description

broadcast

This parameter enables broadcast storm control on the interface.

multicast

This parameter enables multicast storm control on the interface.

unicast

This parameter enables unicast storm control on the interface.

level level [level-low]

Rising and falling suppression levels as a percentage of total bandwidth of the port. • level: Rising suppression level. The range is 0.00 to 100.00. Block the flooding of storm packets when the value specified for level is reached. • level-low: (Optional) Falling suppression level, up to two decimal places. This value must be less than or equal to the rising suppression value.

level bps bps [bps-low]

Specify the rising and falling suppression levels as a rate in bits per second at which traffic is received on the port. • bps: Rising suppression level. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for bps is reached. • bps-low: (Optional) Falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value.

level pps pps [pps-low]

Specify the rising and falling suppression levels as a rate in packets per second at which traffic is received on the port. • pps: Rising suppression level. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for pps is reached. • pps-low: (Optional) Falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value.

action {shutdown|trap}

The action taken when a storm occurs on a port. The default action is to filter traffic and to not send an SNMP trap. The keywords have these meanings: • shutdown: Disables the port during a storm • trap: Sends an SNMP trap when a storm occurs

Verify Storm Control Settings

Switch# show storm-control Interface

Filter State

Upper

Lower

Current

---------Gi0/1

------------Forwarding

---------20 pps

--------10 pps

-------5 pps

Gi0/2

Forwarding

50.00%

40.00%

0.00%

Mitigating VLAN Attacks

Trunk (Native VLAN = 10)

1. Disable trunking on all access ports. 2. Disable auto trunking and manually enable trunking 3. Be sure that the native VLAN is used only for trunk lines and no where else

58

Controlling Trunking

Switch(config-if)# switchport mode trunk

• Specifies an interface as a trunk link . Switch(config-if)# switchport nonegotiate

• Prevents the generation of DTP frames. Switch(config-if)# switchport trunk native vlan vlan_number

• Set the native VLAN on the trunk to an unused VLAN

59

Traffic Analysis

IDS RMON Probe Protocol Analyzer “Intruder Alert!”

 A SPAN port mirrors traffic to another port where a monitoring device is connected.  Without this, it can be difficult to track hackers after they have entered the network.

Attacker

CLI Commands

Switch(config)# monitor session session_number source {interface interface-id [, | -] [both | rx | tx]} | {vlan vlan-id [, | -] [both | rx | tx]}| {remote vlan vlan-id} Switch(config)# monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate] [ingress {dot1q vlan vlan-id | isl | untagged vlan vlan-id | vlan vlan-id}]} | {remote vlan vlan-id}

Verify SPAN Configuration

SPAN and IDS

IDS

F0/2

F0/1

Attacker

Use SPAN to mirror traffic in and out of port F0/1 to port F0/2.

Overview of RSPAN

“Intruder Alert!” IDS

• An RSPAN port mirrors traffic to another port on another switch where a probe or IDS sensor is connected. • This allows more switches to be monitored with a single probe or IDS.

Source VLAN RSPAN VLAN

Source VLAN

Attacker

Source VLAN

Configuring RSPAN

1. Configure the RPSAN VLAN

2960-1(config)# vlan 100 2960-1(config-vlan)# remote-span 2960-1(config-vlan)# exit

2960-1

2960-2

2. Configure the RSPAN source ports and VLANs 2960-1(config)# monitor session 1 source interface FastEthernet 0/1 2960-1(config)# monitor session 1 destination remote vlan 100 reflector-port FastEthernet 0/24 2960-1(config)# interface FastEthernet 0/2 2960-1(config-if)# switchport mode trunk

3. Configure the RSPAN traffic to be forwarded 2960-2(config)# monitor session 2 source remote vlan 100 2960-2(config)# monitor session 2 destination interface FastEthernet 0/3 2960-2(config)# interface FastEthernet 0/2 2960-2(config-if)# switchport mode trunk

Verifying RSPAN Configuration

2960-1

2960-2

show monitor [session {session_number | all | local | range list | remote} [detail]] [ | {begin | exclude | include}expression]

Layer 2 Guidelines

• Manage switches in as secure a manner as possible (SSH, out-of-band management, ACLs, etc.) • Set all user ports to non-trunking mode (except if using Cisco VoIP) • Use port security where possible for access ports • Enable STP attack mitigation (BPDU guard, root guard) • Use Cisco Discovery Protocol only where necessary – with phones it is useful • Configure PortFast on all non-trunking ports • Configure root guard on STP root ports • Configure BPDU guard on all non-trunking ports

VLAN Practices

• Always use a dedicated, unused native VLAN ID for trunk ports • Do not use VLAN 1 for anything • Disable all unused ports and put them in an unused VLAN • Manually configure all trunk ports and disable DTP on trunk ports • Configure all non-trunking ports with switchport mode access

Overview of Wireless, VoIP Security

Wireless

VoIP

69

Overview of SAN Security

SAN

70

Infrastructure-Integrated Approach •

•

•

•

Proactive threat and intrusion detection capabilities that do not simply detect wireless attacks but prevent them Comprehensive protection to safeguard confidential data and communications Simplified user management with a single user identity and policy Collaboration with wired security systems

71

Cisco IP Telephony Solutions

• Single-site deployment • Centralized call processing with remote branches • Distributed callprocessing deployment • Clustering over the IPWAN

72

Storage Network Solutions

• Investment protection • Virtualization • Security • Consolidation • Availability

73

Cisco Wireless LAN Controllers

• •

•

Responsible for system-wide wireless LAN functions Work in conjunction with Aps and the Cisco Wireless Control System (WCS) to support wireless applications Smoothly integrate into existing enterprise networks

74

Wireless Hacking • War driving • A neighbor hacks into another neighbor’s wireless network to get free Internet access or access information • Free Wi-Fi provides an opportunity to compromise the data of users

75

Hacking Tools

• • • • • •

Network Stumbler Kismet AirSnort CoWPAtty ASLEAP Wireshark

76

Safety Considerations • Wireless networks using WEP or WPA/TKIP are not very secure and vulnerable to hacking attacks. • Wireless networks using WPA2/AES should have a passphrase of at least 21 characters long. • If an IPsec VPN is available, use it on any public wireless LAN. • If wireless access is not needed, disable the wireless radio or wireless NIC.

77

VoIP Business Advantages

VoIP

PSTN

Gateway

• Lower telecom call costs • Productivity increases • Lower costs to move, add, or change • Lower ongoing service and maintenance costs

• Little or no training costs • Mo major set-up fees • Enables unified messaging • Encryption of voice calls is supported • Fewer administrative personnel required

78

VoIP Components

PSTN

Cisco Unified Communications Manager (Call Agent)

IP Backbone

MCU Cisco Unity IP Phone

Router/ Gateway

Router/ Gateway

Router/ Gateway

IP Phone Videoconference Station

79

VoIP Protocols

VoIP Protocol

Description

H.323

ITU standard protocol for interactive conferencing; evolved from H.320 ISDN standard; flexible, complex

MGCP

Emerging IETF standard for PSTN gateway control; thin device control

Megaco/H.248

Joint IETF and ITU standard for gateway control with support for multiple gateway types; evolved from MGCP standard

SIP

IETF protocol for interactive and noninteractive conferencing; simpler but less mature than H.323

RTP RTCP

ETF standard media-streaming protocol IETF protocol that provides out-of-band control information for an RTP flow

SRTP

IETF protocol that encrypts RTP traffic as it leaves the voice device

SCCP

Cisco proprietary protocol used between Cisco Unified Communications Manager and Cisco IP phones

Threats

• Reconnaissance • Directed attacks such as spam over IP telephony (SPIT) and spoofing • DoS attacks such as DHCP starvation, flooding, and fuzzing • Eavesdropping and man-in-the-middle attacks

81

VoIP SPIT

• If SPIT grows like spam, it could result in regular DoS problems for network administrators. • Antispam methods do not block SPIT. • Authenticated TLS stops most SPIT attacks because TLS endpoints accept packets only from trusted devices.

You’ve just won an all expenses paid vacation to the U.S. Virgin Islands !!!

82

Fraud

• Fraud takes several forms: – Vishing—A voice version of phishing that is used to compromise confidentiality. – Theft and toll fraud—The stealing of telephone services.

• Use features of Cisco Unified Communications Manager to protect against fraud. – Partitions limit what parts of the dial plan certain phones have access to. – Dial plans filter control access to exploitive phone numbers. – FACs prevent unauthorized calls and provide a mechanism for tracking.

83

SIP Vulnerabilities

• Registration hijacking: Allows a hacker to intercept incoming calls and reroute them. • Message tampering: Allows a hacker to modify data packets traveling between SIP addresses. • Session tear-down: Allows a hacker to terminate calls or carry out VoIP-targeted DoS attacks.

Registrar

Registrar

Location Database

SIP Servers/Services

SIP Proxy

SIP User Agents

SIP User Agents

84

Using VLANs

Voice VLAN = 110

Data VLAN = 10

5/1

802.1Q Trunk

• • • •

IP phone 10.1.110.3

Desktop PC 171.1.1.1

Creates a separate broadcast domain for voice traffic Protects against eavesdropping and tampering Renders packet-sniffing tools less effective Makes it easier to implement VACLs that are specific to voice traffic

85

Using Cisco ASA Adaptive Security Appliances • • • • • • •

Ensure SIP, SCCP, H.323, and MGCP requests conform to standards Prevent inappropriate SIP methods from being sent to Cisco Unified Communications Manager Rate limit SIP requests Enforce policy of calls (whitelist, blacklist, caller/called party, SIP URI) Dynamically open ports for Cisco applications Enable only “registered phones” to make calls Enable inspection of encrypted phone calls

Cisco Adaptive Security Appliance Cisco Adaptive Security Appliance

WAN

Internet

86

Using VPNs

• Use IPsec for authentication • Use IPsec to protect all traffic, not just voice • Consider SLA with service provider • Terminate on a VPN concentrator or large router inside of firewall to gain these benefits: • Performance • Reduced configuration complexity • Managed organizational boundaries

Telephony Servers

IP WAN

SRST Router

87

Using Cisco Unified Communications Manager

• Signed firmware • Signed configuration files • Disable: – – – –

PC port Setting button Speakerphone Web access

88

SAN Security Considerations

IP Network

SAN

Specialized network that enables fast, reliable access among servers and external storage resources

89

SAN Transport Technologies • Fibre Channel – the primary SAN transport for host-to-SAN connectivity • iSCSI – maps SCSI over TCP/IP and is another host-to-SAN connectivity model • FCIP – a popular SANto-SAN connectivity model

LAN

90

World Wide Name • A 64-bit address that Fibre Channel networks use to uniquely identify each element in a Fibre Channel network • Zoning can utilize WWNs to assign security permissions • The WWN of a device is a user-configurable parameter.

Cisco MDS 9020 Fabric Switch

91

Zoning Operation • • • •

Zone members see only other members of the zone. Zones can be configured dynamically based on WWN. Devices can be members of more than one zone. Switched fabric zoning can take place at the port or device level: based on physical switch port or based on device WWN or based on LUN ID.

SAN Disk2

Zone A

Host1

Disk3 Disk1

ZoneC

Disk4

Host2

ZoneB

An example of Zoning. Note that devices can be members of more than 1 zone.

92

Virtual Storage Area Network (VSAN)

Cisco MDS 9000 Family with VSAN Service

Physical SAN islands are virtualized onto common SAN infrastructure

93

Security Focus SAN Protocol

Fabric Access

IP Storage access

Target Access

SAN Management Access

SAN Secure SAN

Data Integrity and Secrecy

94

SAN Management

Three main areas of vulnerability: 1. Disruption of switch processing 2. Compromised fabric stability 3. Compromised data integrity and confidentiality

95

Fabric and Target Access

Three main areas of focus: • Application data integrity • LUN integrity • Application performance

96

VSANs

Relationship of VSANs to Zones Physical Topology VSAN 2 Disk2

Disk3 Disk1

Host1

ZoneA

ZoneC Host2

Disk4

ZoneB VSAN 3

Two VSANs each with multiple zones. Disks and hosts are dedicated to VSANs although both hosts and disks can belong to multiple zones within a single VSAN. They cannot, however, span VSANs.

ZoneD Host4

ZoneA Disk5 Host3 Disk6

97

iSCSI and FCIP • iSCSI leverages many of the security features inherent in Ethernet and IP –ACLs are like Fibre Channel zones –VLANs are like Fibre Channel VSANs –802.1X port security is like Fibre Channel port security

• FCIP security leverages many IP security features in Cisco IOS-based routers: –IPsec VPN connections through public carriers –High-speed encryption services in specialized hardware –Can be run through a firewall

98

Implementing Cisco Edge Network Security Solutions (300-206) Module 2 Access Lists

Objectives

• • • • •

Describe the usage and rules of access lists Establish standard IP access lists Produce extended IP access lists Apply access lists to interfaces Monitor and verify access lists

100

Objectives (continued)

• Create named access lists • Use Security Device Manager to create standard and extended IP access lists • Use Security Device Manager to create a router firewall

101

Access Lists: Usage and Rules

• Access lists – Permit or deny statements that filter traffic based on the source address, destination address, protocol type, and port number of a packet – Available for IP, IPX, AppleTalk, and many other protocols

102

Access List Usage

• You can create a standard access list that examines a packet for the packet’s source header information • deny any statement – Implicitly blocks all packets that do not meet the requirements of the access list – Exists even though it is not shown as part of the access list

• With careful planning, you can create access lists that control which traffic crosses particular links – And which segments of your network will have access to others

103

Access List Usage (continued)

104

Problems with Access Lists • Lack of planning is one of the most common problems associated with access lists • The need to enter the list sequentially into the router also presents problems – You cannot move individual statements once they are entered – When making changes, you must remove the list, using the no access-list [list number] command, and then retype the commands

• Access lists begin working the second they are applied to an interface

105

Access List Rules • Example of the structure of a standard IP access list: RouterA(config)#access-list 1 deny 172.22.5.2 0.0.0.0 RouterA(config)#access-list 1 deny 172.22.5.3 0.0.0.0 RouterA(config)# access-list 1 permit any

• Router applies each line in the order in which you type it into the access list • The no access-list [list #] command is used to remove an access list

106

Access List Rules (continued)

107

Access List Rules (continued) • As a general rule, the lines with the most potential matches should be first in the list – So that packets will not undergo unnecessary processing

• You should avoid unnecessarily long access lists • After you create access lists, you must apply them to interfaces so they can begin filtering traffic – You apply a list as either an outgoing or an incoming filter

108

Access List Rules (continued) • In summary, all access lists follow these rules: – Routers apply lists sequentially in the order in which you type them into the router – Routers apply lists to packets sequentially, from the top down, one line at a time – Packets are processed only until a match is made – Lists always end with an implicit deny – Access lists must be applied to an interface as either inbound or outbound traffic filters – Only one list, per protocol, per direction can be applied to an interface – Access lists are effective as soon as they are applied

109

Standard IP Access Lists • Standard IP access lists – Filter network traffic based on the source IP address only – Using a standard IP access list, you can filter traffic by a host IP, subnet, or a network address

• Configure standard IP access lists: – access-list [list #] [permit|deny] [source address] [source wildcard mask]

• Routers use wildcards to determine which bits in an address will be significant

110

Standard IP Access Lists (continued)

111

Standard IP Access Lists (continued)

112

Standard IP Access Lists (continued)

113

Standard IP Access Lists (continued)

114

Standard IP Access Lists (continued)

115

Standard IP Access List Examples • Standard IP access lists permit or deny packets based only on the source address – Addresses can be a single host address, a subnet address, or a full network address

116

117

Standard IP Access List Examples (continued)

118

Standard IP Access List Examples (continued) • Correct placement of a list is imperative • To view the access lists defined on your router, use the show access-lists command – For IP access lists you could also use the show ip access-lists command

• If you decide that an access list needs to be removed from an interface – You can remove it with the no ip access-group [list #] command

119

120

Standard IP Access List Examples (continued)

121

Standard IP Access List Examples (continued)

122

Standard IP Access List Examples (continued)

123

Standard IP Access List Examples (continued)

124

Standard IP Access List Examples (continued) • Application of the list as an outbound filter on FastEthernet0/0 – See Figure 10-15

• Use the show access-lists or show ip access-lists command followed by the show ip interface command – To verify that the list has been entered and applied correctly

125

Standard IP Access List Examples (continued)

126

127

Standard IP Access List Examples (continued)

128

Monitoring Standard IP Access Lists • Three main commands are available for monitoring access lists on your router – show access-lists – show ip access-lists – show interfaces or show ip interface

• Use the no access-list [list #] command to remove the list • Use the no ip accessgroup [list #][direction] command to remove the application of the list

129

Extended IP Access Lists • Extended IP access lists – Can filter by source IP address, destination IP address, protocol type, and application port number – This granularity allows you to design extended IP access lists that: • Permit or deny a single type of IP protocol • Filter by a particular port of a particular protocol

130

Extended IP Access Lists (continued) • To configure extended IP access lists, you must create the list and then apply it to an interface using the following syntax – access-list [list #] [permit|deny] [protocol] [source IP address] [source wildcard mask] [operator] [port] [destination IP address] [destination wildcard mask] [operator] [port] [log]

131

Extended IP Access List Examples

132

133

134

Extended IP Access List Examples (continued)

135

The “Established” Parameter • Established parameter – Permits traffic from any host on any network to any destination, as long as the traffic was in response to a request initiated inside the network

• Example: access-list 100 permit tcp any 15.0.0.0 0.255.255.255 established

136

Monitoring Extended IP Access Lists • The same commands used to monitor standard IP access lists are used to monitor extended IP access lists • Extended IP lists keep track of the number of packets that pass each line of an access list – The clear access-list counters [list #] command clears the counters – The no access-list [list#] command removes the list – The no ip access-group [list#] [direction] command removes the application of the list

137

Monitoring Extended IP Access Lists

138

Monitoring Extended IP Access Lists

139

Using Named Lists • Named access lists – In Cisco IOS versions 11.2 and above, names instead of numbers can be used to identify lists

• To name a standard IP access list, use the following syntax: RouterC(config)#ip access-list standard [name]

• To name an extended IP access list, use the following syntax: RouterC(config)#ip access-list extended [name]

140

Using Named Lists (continued) • Once the list is named, the permit or deny statement is entered • The commands follow the same syntax as unnamed lists – The beginning part of the command is not included

• To apply a standard IP named list to an interface, the syntax is: RouterC(config-if)#ip access-group [name] [in | out]

141

Using Named Lists (continued) • Advantages: – Allows you to maintain security by using an easily identifiable access list – Removes the limit of 100 lists per filter type – With named access lists lines can be selectively deleted in the ACL – Named ACLs provide greater flexibility to network administrators who work in environments where large numbers of ACLs are needed

142

Controlling VTY Line Access • Access lists are used for both traffic flow and security • One useful security feature of access lists is restricting access to telnet on your router – By controlling VTY line access

• You must first create a standard IP access list that permits the management workstation RouterA(config)#access-list 12 permit 192.168.12.12 0.0.0.0

• Then, it must be applied to the VTY lines access-class [acl #] in | out

143

Controlling VTY Line Access (continued) • To apply access list 12 to the VTY lines, use the following command: RouterA(config)#line vty 0 4 RouterA(config-line)#access-class 12 in

• The commands to restrict access to the VTY lines to network 192.168.12.0/24 only are: RouterA(config)#access-list 13 permit 192.168.12.0 0.0.0.255 RouterA(config)#line vty 0 4 RouterA(config-line)#access-class 13 in

144

Using Security Device Manager to Create Access Control Lists • Using the SDM, an administrator can accomplish all the tasks that formerly required use of the CLI interface • SDM allows you to easily create a standard or an extended access list or, as it is known in the SDM, an Access Control List (ACL)

145

146

147

148

149

150

151

Using Security Device Manager to Create a Router Firewall • Unlike the CLI, the SDM allows a router to be configured as a firewall

152

153

154

155

Using Security Device Manager to Create a Router Firewall (continued)

156

Using Security Device Manager to Create a Router Firewall (continued)

157

158

Summary • Access lists are one of the most important IOS tools for controlling network traffic and security • Access lists are created in a two-step process • All access lists are created sequentially and applied sequentially to all packets that enter an interface where the list is applied • By default, access lists always end in an implicit deny any statement • Only one access list per direction (inbound or outbound) per protocol can be applied to an interface

159

Summary (continued) • Standard IP access lists allow you to filter traffic based on the source IP address of a packet • Extended IP access lists filter traffic based on source, destination, protocol type, and application type • Access lists can be used to restrict telnet by controlling VTY line access • Ranges of numbers represent all access lists

160

Summary (continued) • The SDM can be used to configure both standard and extended ACLs via the Additional Tasks configuration tab • The SDM can be used to configure a router as either a Basic or Advanced firewall • The main difference between a Basic and Advanced firewall is the ability to configure DMZ interfaces in the Advanced firewall setup wizard

161

CCNA Guide to Cisco Networking Fundamentals Fourth Edition

Chapter 14 Network Security

Objectives

• Distinguish between the different types of network security threats • Explain how to mitigate network security threats • Implement SSH on Cisco routers and switches • Configure VPNs with the Cisco Security Device Manager

163

General Network Security

• Security policy – An organization’s set of rules regarding how to handle and protect sensitive data

• A security policy should include: – – – – – –

Physical security Acceptable use of applications Safeguarding data Remote access to the network Data center Wireless security

164

General Network Security (continued)

• An effective security policy implements multiple layers of security • A security policy should have three goals: – To prevent the hacker from getting access to critical data – To slow down the hacker enough to be caught – To frustrate the hacker enough to cause him or her to quit the hacking attempt

• When designing a security policy, take care to specify exactly what you are trying to protect

165

Protecting the Hardware • The first level of security in any network is physical security • Critical nodes of an organization should be separated from the general workforce • The nodes should be kept in a central location where only a select group of people are allowed • If office space is limited and nodes must be located near employees – The servers should at least be stored in a locked cabinet

166

Protecting the Hardware (continued)

167

Protecting Software • The primary threats against software are malware and hackers • Malware – Refers to malicious programs that have many different capabilities

• Hackers are usually driven by greed, ego, and/or vengeance – They look to make personal gains through system vulnerabilities

168

Malware Prevention • The most important elements of a prevention plan – Installing and maintaining virus prevention software, – Conducting virus awareness training for network users

• Types of malware – – – – –

Virus Worm Macro Virus Polymorphic Virus Stealth Virus

169

Malware Prevention (continued) • Types of malware (continued) – Boot-Sector Virus – Trojan or Trojan Horse – Logic Bomb

• Virus prevention software – Available for installation on entire networks – Usually includes a version that will run on clients as well as servers – Must be updated regularly to ensure your network is protected against all the latest malware threats

170

Malware Prevention (continued) • User training – Users must be trained to update their antivirus software daily or, at a bare minimum, weekly – Users also must learn how viruses are transmitted between computers – Teach users to scan removable devices with the virus scanning software before using them

171

Firewalls • Firewall – The primary method of keeping hackers out of a network – Normally placed between a private LAN and the public Internet, where they act like gatekeepers – Can be a hardware device or it can be software – Types: personal and enterprise

• All data packets entering or exiting the network have to pass through an enterprise-level firewall – Firewall filters (or analyzes) packets

172

Firewalls (continued) • Four firewall topologies – – – –

Packet-filtering router Single-homed bastion Dual-homed bastion Demilitarized zone (DMZ)

173

174

175

176

177

Firewalls (continued) • Intrusion Detection Systems (IDS) – A security device that can detect a hacker’s attempts to gain access to the network – Can also detect virus outbreaks, worms, and distributed denial of service (DDoS) attacks

• Intrusion Prevention Systems (IPS) – Like an IDS, except that it is placed in line so all packets coming in or going out of the network pass through it – This allows an IPS to drop packets based on rules defined by the network administrator

178

Permissions, Encryption, and Authentication • Permission – An official approval that allows a user to access a specific network resource

• Encryption – Often consists of using security algorithms to scramble and descramble data – Types of algorithms • Symmetric key • Asymmetric key

179

Permissions, Encryption, and Authentication (continued)

180

Permissions, Encryption, and Authentication (continued)

181

Permissions, Encryption, and Authentication (continued) • Secure Sockets Layer – A means of encrypting a session between two hosts through the use of digital certificates, which are based on asymmetric key encryption

• Authentication – The process by which users verify to a server that they are who they say they are – There are several types of authentication • Password authentication protocol (PAP) • Challenge handshake authentication protocol (CHAP)

182

Permissions, Encryption, and Authentication (continued) • Additional authentication services supported by Cisco: – Remote Authentication Dial-in User Service (RADIUS) – Terminal Access Controller Access Control System Plus (TACACS+)

• These two common security protocols are based on the Authentication, Authorization, and Accounting (AAA) model

183

Mitigating Security Threats • The three basic strategies for mitigating security threats are: – Using the SSH protocol to connect to your routers and switches rather than telnet – Turning off unnecessary services – Keeping up-to-date on security patches (software releases) with a patch management initiative

184

Secure Shell (SSH) Connections • Secure Shell (SSH) protocol – Sends all data encrypted

• The two version of SSH are SSH Version 1 and SSH Version 2 – SSH Version 2 is the recommended version

• Some SSH commands are mandatory and others are optional • You must also generate an RSA key pair (asymmetric key encryption) – Which enables SSH

185

Secure Shell (SSH) Connections (continued) • The preferred method is to implement SSH on all VTY lines – Which ensures that all remote IP sessions to the router will be protected in the SSH tunnel

• The command sequence for enabling SSH is: Router(config)#hostname SshRouter SshRouter(config)#ip domain-name sshtest.com SshRouter(config)#crypto key generate rsa The name of the keys will be: SshRouter.sshtest.com

186

Disabling Unnecessary Services • You should disable the services unless your organization uses them • Methods – Go through the CLI and enter a series of commands for each service – Use the Security Audit Wizard in the Cisco Security Device Manager (SDM)

• The following services are unnecessary on most networks: – Finger Service – PAD Service

187

Disabling Unnecessary Services (continued) • The following services are unnecessary on most networks: (continued) – – – – – – –

TCP Small Servers Service UDP Small Servers Service IP Bootp Server Service Cisco Discovery Protocol (CDP) IP Source Route Maintenance Operations Protocol (MOP) Directed Broadcast

188

Disabling Unnecessary Services (continued) • The following services are unnecessary on most networks: (continued) – – – –

ICMP Redirects Proxy ARP IDENT IPv6

189

Patch Management • Your organization’s patch management program should account for all software in the organization – Including commercial applications as well as applications developed in-house

• A patch management program should take into account the major software vendor’s patch release schedules – As well as your organization’s business goals and needs

• Not all patches released by vendors are flawless

190

Virtual Private Networks (VPNs) • Virtual Private Networks (VPNs) – A popular technology for creating a connection between an external computer and a corporate site over the Internet

• To establish a VPN connection, you need VPNcapable components • Client-to-site VPN (also known as remote user VPN) – A VPN that allows designated users to have access to the corporate network from remote locations

191

Virtual Private Networks (VPNs)

192

Virtual Private Networks (VPNs) • Site-to-site VPN – A VPN that allows multiple corporate sites to be connected over low-cost Internet connections

• You can choose from several tunneling protocols to create secure, end-to-end tunnels – Point-to-Point Tunneling Protocol (PPTP) – Layer 2 Tunneling Protocol (L2TP) – Generic Routing Encapsulation (GRE)

193

Virtual Private Networks (VPNs)

194

IPSec • IPSec – A suite of protocols, accepted as an industry standard, which provides secure data transmission over layer 3 of the OSI model – An IP standard and will only encrypt IP-based data

• IPSec supports two modes of operation: transport mode and tunnel mode

195

IPSec (continued) • Transport mode – Primarily geared toward encrypting data that is being sent host-to-host – Only encrypts and decrypts the individual data packets • Which results in quite a bit of overhead on the processor

• Tunnel mode – Encrypts all data in the tunnel and is the mode supported by Cisco components

196

IPSec Protocols • Two IPSec protocols have been developed to provide packet-level security • They include the following characteristics: – Authentication Header (AH) – Encapsulating Security Payload (ESP)

197

IPSec Authentication Algorithms • Authentication algorithms use one of two Hashed Message Authentication Codes (HMAC) – MD5 (message-digest algorithm 5) – SHA-1 (secure hash algorithm)

• An HMAC is a secret key authentication algorithm that ensures data integrity and originality – Based on the distribution of the secret key

• Cryptographic software keys are exchanged between hosts using an HMAC

198

IPSec Encryption Algorithms • For encryption, the two most popular algorithms on IPSec networks are 3DES (tripleDES) and AES – These protocols are used solely with the IPSec ESP protocol

• Remember, AH does not support encryption

199

IPSec Key Management • You need to pay attention to how keys are handed from node to node during IPSec authentication • Two options are available – Deliver the secret keys to all parties involved via email or on disk – Utilize a key management protocol

• Key management is defined by the Internet Security Association and Key Management Protocol (ISAKMP) – Governed by RFC 2407 and 2408

200

IPSec Transform Sets • A transform set – A configuration value (or simply stated, a command) that allows you to establish an IPSEC VPN on a Cisco firewall

• You can create a transform set through the CLI or you can simply use the SDM GUI • When creating an IPSec VPN you must specify a protocol, the algorithm, and the method of key management

201

Creating VPNs with the Security Device Manager (SDM) • Cisco supports VPNs with several different devices • VPNs can be created on firewalls, routers, computers – And even on a device specifically made for VPNs, called a VPN concentrator

• The following example focuses on using the Cisco Security Device Manager (SDM) Web utility to create a VPN on a Cisco router

202

203

204

205

206

207

208

209

210

211

Cisco Security Audit Wizard • You can use the Cisco SDM to conduct security audits • The SDM’s Security Audit Wizard – Can be used to verify your router’s configuration • And determine what security settings have and have not been configured

– Will also make recommendations as to which settings should be enabled – Provides an easy to use GUI that allows you to make those changes

212

213

214

215

216

217

218

Cisco Security Audit Wizard (continued)

219

Summary • Protecting the physical equipment where sensitive data resides is as important as protecting the data itself • When securing an organization’s network, you must be sure to protect it against external threats as well as internal threats • User training is a key element to protecting the network and the data within it • Using an SSH connection to a router is a much more secure method of connecting to a router than clear text telnet

220

Summary (continued) • Disabling unnecessary services increases a router’s security • IPSec is an industry-standard suite of protocols and algorithms that allow for secure encrypted VPN tunnels • Cisco’s SDM is a multifunction Web utility that allows you to create VPNs and complete a security audit

221