Implementing Cisco Edge Network Security Solutions (300206) Module 1 Securing the Local Area Network
Lesson Planning
• This lesson should take 3-4 hours to present
• The lesson should include lecture, demonstrations, discussions and assessments
• The lesson can be taught in person or using remote instruction
Major Concepts
• Describe endpoint vulnerabilities and protection methods
• Describe basic Catalyst switch vulnerabilities
• Configure and verify switch security features, including port security and storm control
• Describe the fundamental security considerations of Wireless, VoIP, and SANs
Lesson Objectives
Upon completion of this lesson, the successful participant will be able to:
1. Describe endpoint security and the enabling technologies
2. Describe how Cisco IronPort is used to ensure endpoint security
3. Describe how Cisco NAC products are used to ensure endpoint security
4. Describe how the Cisco Security Agent is used to ensure endpoint security
5. Describe the primary considerations for securing the Layer 2 infrastructure
6. Describe MAC address spoofing attacks and MAC address spoofing attack mitigation
7. Describe MAC address table overflow attacks and MAC address table overflow attack mitigation
8. Describe STP manipulation attacks and STP manipulation attack mitigation
9. Describe LAN storm attacks and LAN storm attack mitigation
10. Describe VLAN attacks and VLAN attack mitigation
11. Describe how to configure port security
12. Describe how to verify port security
13. Describe how to configure and verify BPDU Guard and Root Guard
14. Describe how to configure and verify storm control
15. Describe and configure Cisco SPAN
16. Describe and configure Cisco RSPAN
17. Describe the best practices for Layer 2
18. Describe the fundamental aspects of enterprise security for advanced technologies
19. Describe the fundamental aspects of wireless security and the enabling technologies
20. Describe wireless security solutions
21. Describe the fundamental aspects of VoIP security and the enabling technologies
    Reference: CIAG course on VoIP security.
22. Describe VoIP security solutions
23. Describe the fundamental aspects of SAN security and the enabling technologies
24. Describe SAN security solutions
Securing the LAN
Figure: perimeter topology with Internet, VPN, firewall, IPS, IronPort, MARS and ACS, and the hosts, web server, email server and DNS on the LAN.
Areas of concentration:
• Securing endpoints
• Securing network infrastructure
Addressing Endpoint Security
Figure: the secure host sits at the centre of policy compliance, infection containment and threat protection.
Based on three elements:
• Cisco Network Admission Control (NAC)
• Endpoint protection
• Network infection containment
Operating Systems
Basic security services of the operating system:
• Trusted code and trusted path – ensures that the integrity of the operating system is not violated
• Privileged context of execution – provides identity authentication and certain privileges based on the identity
• Process memory protection and isolation – provides separation from other users and their data
• Access control to resources – ensures confidentiality and integrity of data
Types of Application Attacks
• Direct – “I have gained direct access to this application’s privileges.”
• Indirect – “I have gained access to this system which is trusted by the other system, allowing me to access it.”
Cisco Systems Endpoint Security Solutions
• Cisco Security Agent
• IronPort
• Cisco NAC
Cisco IronPort Products
IronPort products include:
• E-mail security appliances for virus and spam control
• Web security appliance for spyware filtering, URL filtering, and anti-malware
• Security management appliance
IronPort C-Series
Figure: before IronPort – Internet, firewall, MTA, antispam and antivirus, DLP scanner, groupware, users. After IronPort – Internet, firewall, IronPort E-mail Security Appliance (encryption platform, DLP policy manager, policy enforcement, mail routing), groupware, users.
IronPort S-Series
Figure: before IronPort – Internet, firewall, then separate web proxy, antispyware, antivirus, antiphishing, URL filtering and policy management in front of the users. After IronPort – Internet, firewall, IronPort S-Series, users.
Cisco NAC
The purpose of NAC: Allow only authorized and compliant systems to access the network To enforce network security policy NAC Framework • Software module embedded within NACenabled products • Integrated framework leveraging multiple Cisco and NAC-aware vendor products
Cisco NAC Appliance • In-band Cisco NAC Appliance solution can be used on any switch or router platform • Self-contained, turnkey solution
15
The NAC Framework
Figure: hosts attempting network access present credentials (EAP/UDP or EAP/802.1x, via the Cisco Trust Agent) to the network access devices, which are the enforcement points. The AAA server (RADIUS) and vendor servers (HTTPS) are the policy decision points and remediation; they answer “Comply?”, return access rights, and send notification.
NAC Components
• Cisco NAS – serves as an in-band or out-of-band device for network access control
• Cisco NAA – optional lightweight client for device-based registry scans in unmanaged environments
• Cisco NAM – centralizes management for administrators, support personnel, and operators
• Rule-set updates – scheduled automatic updates for antivirus, critical hotfixes, and other applications
Cisco NAC Appliance Process
Figure: host, Cisco NAS, Cisco NAM, authentication server and intranet/network, with a quarantine role for noncompliant hosts. The goal: the host is authenticated and optionally scanned for posture compliance.
1. Host attempts to access a web page or uses an optional client. Network access is blocked until the wired or wireless host provides login information.
2. Host is redirected to a login page. Cisco NAC Appliance validates username and password, and also performs device and network scans to assess vulnerabilities on the device (types of checks depend on user role).
3a. Device is noncompliant or login is incorrect. Host is denied access and assigned to a quarantine role with access to online remediation resources.
3b. Device is “clean”. Machine gets on the “certified devices list” and is granted access to the network.
Figure: the access windows seen by the user are the login screen, the scan in progress, and either remediate (scan fails) or access.
CSA Architecture
Figure: servers protected by Cisco Security Agent send events over SSL to the Management Center for Cisco Security Agent (with an internal or external database); the management center pushes security policy to the agents and sends alerts to the administration workstation.
CSA Overview
Figure: application requests pass through four interceptors (file system, network, configuration, execution space) to the rules engine, which applies rules and policies and tracks state; the result is an allowed or a blocked request, and a correlation engine sits alongside the rules engine.
CSA Functionality

Security Application      | Network Interceptor | File System Interceptor | Configuration Interceptor | Execution Space Interceptor
Distributed Firewall      | X                   | –                       | –                         | –
Host Intrusion Prevention | X                   | –                       | –                         | X
Application Sandbox       | –                   | X                       | X                         | X
Network Worm Prevention   | X                   | –                       | –                         | X
File Integrity Monitor    | –                   | X                       | X                         | –
Attack Phases
– Probe phase
  • Ping scans
  • Port scans
– Penetrate phase
  • Transfer exploit code to target
– Persist phase
  • Install new code
  • Modify configuration
– Propagate phase
  • Attack other targets
– Paralyze phase
  • Erase files
  • Crash system
  • Steal data
Figure: a server protected by Cisco Security Agent, with its file system, network, configuration and execution space interceptors, and the CSA log messages they produce across the phases.
Layer 2 Security
Figure: the same perimeter topology as in Securing the LAN (Internet, VPN, firewall, IPS, IronPort, MARS and ACS, with hosts, web server, email server and DNS on the LAN).
OSI Model
When it comes to networking, Layer 2 is often a very weak link.
Figure: the OSI layers and what each carries – Application (application stream), Presentation, Session, Transport (protocols and ports), Network (IP addresses), Data Link (MAC addresses), Physical (physical links). An initial compromise at the Data Link layer leaves every layer above it compromised.
MAC Address Spoofing Attack
Figure: a switch with two ports; port 1 is attached to the device with MAC address AABBcc and port 2 to the attacker, MAC address 12AbDd.
The switch keeps track of the endpoints by maintaining a MAC address table. In MAC spoofing, the attacker poses as another host—in this case, AABBcc.
Switch: “I have associated Ports 1 and 2 with the MAC addresses of the devices attached. Traffic destined for each device will be forwarded directly.”
Figure: both port 1 and port 2 now present MAC address AABBcc.
Attacker: “I have changed the MAC address on my computer to match the server.”
Switch: “The device with MAC address AABBcc has changed locations to Port 2. I must adjust my MAC address table accordingly.”
MAC Address Table Overflow Attack
The switch can forward frames between PC1 and PC2 without flooding because the MAC address table contains port-to-MAC-address mappings for these PCs.
Figure: hosts A, B, C and D on VLAN 10; the intruder is host C on port 3/25.
1. Intruder runs macof to begin sending unknown bogus MAC addresses.
2. Bogus addresses (MAC X, MAC Y, MAC Z, …, all on port 3/25, VLAN 10) are added to the CAM table. The CAM table is full.
3. The switch floods the frames.
4. Attacker sees traffic to servers B and D.
STP Manipulation Attack
Figure: switches with the root bridge (priority = 8192, MAC address 0000.00C0.1234); ports are marked F (forwarding) or B (blocking).
• Spanning tree protocol operates by electing a root bridge
• STP builds a tree topology
• STP manipulation changes the topology of a network—the attacking host appears to be the root bridge
Figure: after the attack the attacker’s host is shown as root bridge, with the F (forwarding) and B (blocking) port states recalculated.
The attacking host broadcasts out STP configuration and topology change BPDUs. This is an attempt to force spanning tree recalculations.
LAN Storm Attack
Figure: a broadcast arriving on one port is repeated out of every other port of the switch.
• Broadcast, multicast, or unicast packets are flooded on all ports in the same VLAN.
• These storms can increase the CPU utilization on a switch to 100%, reducing the performance of the network.
Storm Control
Figure: graph of the total number of broadcast packets or bytes per interval.
VLAN Attacks
VLAN = Broadcast Domain = Logical Network (Subnet)
Figure: VLANs provide segmentation, flexibility and security.
Figure: an attacker on VLAN 10 sees traffic destined for servers on VLAN 20 across an 802.1Q trunk.
A VLAN hopping attack can be launched in two ways:
• Spoofing DTP messages from the attacking host to cause the switch to enter trunking mode
• Introducing a rogue switch and turning trunking on
Double-Tagging VLAN Attack
Figure: attacker on VLAN 10, a trunk between two switches (native VLAN = 10), and the victim on VLAN 20; the 802.1Q frame carries a VLAN 20 tag inside.
1. Attacker is on VLAN 10, but puts a 20 tag in the packet.
2. The first switch strips off the first tag and does not retag it (native traffic is not retagged). It then forwards the packet to switch 2.
3. The second switch receives the packet on the native VLAN.
4. The second switch examines the packet, sees the VLAN 20 tag and forwards it accordingly.
Note: This attack works only if the trunk has the same native VLAN as the attacker.
Port Security Overview
Figure: port 0/1 allows MAC A, port 0/2 allows MAC B, port 0/3 allows MAC C; attacker 1 and attacker 2 (for example MAC F) are not allowed.
Allows an administrator to statically specify MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses
CLI Commands
Switch(config-if)# switchport mode access
• Sets the interface mode as access
Switch(config-if)# switchport port-security
• Enables port security on the interface
Switch(config-if)# switchport port-security maximum value
• Sets the maximum number of secure MAC addresses for the interface (optional)
Switchport Port-Security Parameters

mac-address mac-address
  (Optional) Specify a secure MAC address for the port by entering a 48-bit MAC address. You can add additional secure MAC addresses up to the maximum value configured.
vlan vlan-id
  (Optional) On a trunk port only, specify the VLAN ID and the MAC address. If no VLAN ID is specified, the native VLAN is used.
vlan access
  (Optional) On an access port only, specify the VLAN as an access VLAN.
vlan voice
  (Optional) On an access port only, specify the VLAN as a voice VLAN.
mac-address sticky [mac-address]
  (Optional) Enable the interface for sticky learning by entering only the mac-address sticky keywords. When sticky learning is enabled, the interface adds all secure MAC addresses that are dynamically learned to the running configuration and converts these addresses to sticky secure MAC addresses. Specify a sticky secure MAC address by entering the mac-address sticky mac-address keywords.
maximum value
  (Optional) Set the maximum number of secure MAC addresses for the interface. The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system. The active Switch Database Management (SDM) template determines this number. This number represents the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces. The default setting is 1.
vlan [vlan-list]
  (Optional) For trunk ports, you can set the maximum number of secure MAC addresses on a VLAN. If the vlan keyword is not entered, the default value is used.
  • vlan: set a per-VLAN maximum value.
  • vlan vlan-list: set a per-VLAN maximum value on a range of VLANs separated by a hyphen or a series of VLANs separated by commas. For nonspecified VLANs, the per-VLAN maximum value is used.
Port Security Violation Configuration
Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}
• Sets the violation mode (optional)
Switch(config-if)# switchport port-security mac-address mac-address
• Enters a static secure MAC address for the interface (optional)
Switch(config-if)# switchport port-security mac-address sticky
• Enables sticky learning on the interface (optional)
Switchport Port-Security Violation Parameters

protect
  (Optional) Set the security violation protect mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.
restrict
  (Optional) Set the security violation restrict mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred.
shutdown
  (Optional) Set the security violation shutdown mode. In this mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and increments the violation counter. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands.
shutdown vlan
  Set the security violation mode to per-VLAN shutdown. In this mode, only the VLAN on which the violation occurred is error-disabled.
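The three violation modes side by side, as an added illustration (not Cisco code): a constructed model of one secure access port that reproduces the table's semantics for a stream of source MACs, and also shows why a port-security maximum caps the MAC address table overflow attack described earlier, since a flood of bogus addresses can add at most `maximum` entries through such a port. Port name, MAC values and the notification text are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed model of a single secure access port. Not Cisco's implementation;
# it follows the protect / restrict / shutdown descriptions in the parameter table.

@dataclass
class SecurePort:
    name: str
    maximum: int = 1                       # switchport port-security maximum <value>
    violation: str = "shutdown"            # protect | restrict | shutdown
    secure_macs: List[str] = field(default_factory=list)  # dynamically learned
    violation_count: int = 0
    err_disabled: bool = False
    notifications: List[str] = field(default_factory=list)  # stand-in for trap/syslog

    def receive(self, src_mac: str) -> bool:
        """Process one ingress frame by source MAC; return True if it is forwarded."""
        if self.err_disabled:
            return False                   # stays down until errdisable recovery
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)   # learned as a dynamic secure address
            return True
        # Limit reached and the source is unknown: a port-security violation.
        if self.violation == "protect":
            return False                   # dropped silently, nobody is told
        self.violation_count += 1
        self.notifications.append(f"violation on {self.name} by {src_mac}")
        if self.violation == "shutdown":
            self.err_disabled = True       # interface goes error-disabled
        return False

    def recover(self) -> None:
        """'shutdown' / 'no shutdown' on the interface, or errdisable recovery.
        Dynamically learned secure addresses are lost with the port down and
        must be relearned (sticky addresses, not modelled here, would survive)."""
        self.err_disabled = False
        self.secure_macs.clear()


def simulate(violation: str, maximum: int, macs: List[str]) -> Tuple[List[bool], SecurePort]:
    """Run a frame sequence through a fresh port; return per-frame verdicts and the port."""
    port = SecurePort("Fa0/12", maximum=maximum, violation=violation)
    return [port.receive(m) for m in macs], port


if __name__ == "__main__":
    # Constructed sample: two legitimate hosts, two unknown sources, then host A again.
    frames = ["0000.aaaa.0001", "0000.bbbb.0002", "0000.cccc.0003",
              "0000.dddd.0004", "0000.aaaa.0001"]
    for mode in ("protect", "restrict", "shutdown"):
        verdicts, port = simulate(mode, 2, frames)
        print(mode, verdicts, "violations:", port.violation_count,
              "err-disabled:", port.err_disabled)
```

With maximum 2, protect and restrict both keep forwarding host A after the two unknown sources are dropped, but only restrict counts and reports them; shutdown drops everything, including host A, until the port is recovered.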
Port Security Aging Configuration
Switch(config-if)# switchport port-security aging {static | time time | type {absolute | inactivity}}
• Enables or disables static aging for the secure port or sets the aging time or type
Switchport Port-Security Aging Parameters

static
  Enable aging for statically configured secure addresses on this port.
time time
  Specify the aging time for this port. The range is 0 to 1440 minutes. If the time is 0, aging is disabled for this port.
type absolute
  Set absolute aging type. All the secure addresses on this port age out exactly after the time (minutes) specified and are removed from the secure address list.
type inactivity
  Set the inactivity aging type. The secure addresses on this port age out only if there is no data traffic from the secure source address for the specified time period.
Typical Configuration
Figure: PC B attached to an access port on switch S2.
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security aging time 120
CLI Commands
sw-class# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/12              2            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024

sw-class# show port-security interface f0/12
Port Security              : Enabled
Port status                : Secure-down
Violation mode             : Shutdown
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Aging time                 : 120 mins
Aging type                 : Absolute
SecureStatic address aging : Disabled
Security Violation Count   : 0
View Secure MAC Addresses
sw-class# show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   1    0000.ffff.aaaa    SecureConfigured    Fa0/12
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024
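An added example (not Cisco's code, nor part of the course material) that parses the show port-security summary table above and lists what a defender should look at: ports whose violation counter is already non-zero, and ports in protect mode, which the parameter table says gives no notification. The sample output is constructed in the layout shown; Fa0/13, Fa0/14 and their counts are invented.

```python
import re
from typing import Dict, List

# Constructed 'show port-security' summary in the page's layout (not real device output).
SAMPLE_SUMMARY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/12              2            0                  0         Shutdown
      Fa0/13              1            1                  3         Restrict
      Fa0/14              1            1                  0          Protect
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 2
Max Addresses limit in System (excluding one mac per port) : 1024
"""

# One table row: port, three integer counters, then the action keyword.
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")
# The two trailing totals lines.
TOTAL = re.compile(r"^(Total|Max) Addresses.*:\s*(\d+)\s*$")


def parse_port_security(text: str) -> Dict:
    """Return {'ports': [...], 'total': n, 'max': n} from the summary output."""
    result = {"ports": [], "total": None, "max": None}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            result["ports"].append({
                "port": m.group(1),
                "max": int(m.group(2)),
                "current": int(m.group(3)),
                "violations": int(m.group(4)),
                "action": m.group(5).lower(),
            })
            continue
        t = TOTAL.match(line)
        if t:
            result["total" if t.group(1) == "Total" else "max"] = int(t.group(2))
    return result


def audit(summary: Dict) -> List[str]:
    """Findings: violations already counted, protect mode that would hide them,
    and a secure address table close to the system limit."""
    findings = []
    for p in summary["ports"]:
        if p["violations"] > 0:
            findings.append(f"{p['port']}: {p['violations']} violation(s), action {p['action']}")
        if p["action"] == "protect":
            findings.append(f"{p['port']}: protect mode drops silently, no trap or syslog")
    if summary["total"] is not None and summary["max"] and summary["total"] >= summary["max"] * 0.9:
        findings.append("secure address table near system limit")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_port_security(SAMPLE_SUMMARY)):
        print(finding)
```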
MAC Address Notification
Figure: switch CAM table – F1/1 = MAC A, F1/2 = MAC B, F2/1 = MAC D (address ages out because MAC D is away from the network). SNMP traps are sent to the NMS when new MAC addresses appear or when old ones time out.
MAC address notification allows monitoring of the MAC addresses, at the module and port level, added by the switch or removed from the CAM table for secure ports.
Configure Portfast
Figure: a server and a workstation attached to access ports.
Switch(config-if)# spanning-tree portfast
  Enables PortFast on a Layer 2 access port and forces it to enter the forwarding state immediately.
Switch(config-if)# no spanning-tree portfast
  Disables PortFast on a Layer 2 access port. PortFast is disabled by default.
Switch(config)# spanning-tree portfast default
  Globally enables the PortFast feature on all nontrunking ports.
Switch# show running-config interface type slot/port
  Indicates whether PortFast has been configured on a port.
BPDU Guard
Figure: a root bridge and a second switch with F (forwarding) and B (blocking) ports; an attacker sends an STP BPDU into an access port that has BPDU Guard enabled.
Switch(config)# spanning-tree portfast bpduguard default
• Globally enables BPDU guard on all ports with PortFast enabled
Display the State of Spanning Tree
Switch# show spanning-tree summary totals
Root bridge for: none.
PortFast BPDU Guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Spanning tree default pathcost method used is short
Name                 Blocking Listening Learning Forwarding STP Active
-------------------- -------- --------- -------- ---------- ----------
1 VLAN               0        0         0        1          1