CCNA Security Chapter Six Securing the Local Area Network
Lesson Planning
- This lesson should take 3-4 hours to present.
- The lesson should include lecture, demonstrations, discussions and assessments.
- The lesson can be taught in person or using remote instruction.
Major Concepts
- Describe endpoint vulnerabilities and protection methods
- Describe basic Catalyst switch vulnerabilities
- Configure and verify switch security features, including port security and storm control
- Describe the fundamental security considerations of wireless, VoIP, and SANs
Lesson Objectives
Upon completion of this lesson, the successful participant will be able to:
- Describe endpoint security and the enabling technologies
- Describe how Cisco IronPort is used to ensure endpoint security
- Describe how Cisco NAC products are used to ensure endpoint security
- Describe how the Cisco Security Agent is used to ensure endpoint security
- Describe the primary considerations for securing the Layer 2 infrastructure
- Describe MAC address spoofing attacks and their mitigation
Lesson Objectives (continued)
- Describe MAC address table overflow attacks and their mitigation
- Describe STP manipulation attacks and their mitigation
- Describe LAN storm attacks and their mitigation
- Describe VLAN attacks and their mitigation
- Describe how to configure port security
- Describe how to verify port security
- Describe how to configure and verify BPDU Guard and Root Guard
- Describe how to configure and verify storm control
- Describe and configure Cisco SPAN
- Describe and configure Cisco RSPAN
Lesson Objectives (continued)
- Describe the best practices for Layer 2 security
- Describe the fundamental aspects of enterprise security for advanced technologies
- Describe the fundamental aspects of wireless security and the enabling technologies
- Describe wireless security solutions
- Describe the fundamental aspects of VoIP security and the enabling technologies (reference: CIAG course on VoIP security)
- Describe VoIP security solutions
- Describe the fundamental aspects of SAN security and the enabling technologies
- Describe SAN security solutions
Securing the LAN
Areas of concentration:
- Securing endpoints
- Securing network infrastructure
(Diagram: perimeter topology with Internet, firewall, VPN, IPS and IronPort at the edge; MARS and ACS management servers; hosts, web server, server and DNS on the LAN.)
Addressing Endpoint Security
Based on three elements:
- Cisco Network Admission Control (NAC)
- Endpoint protection
- Network infection containment
(Diagram: the three elements deliver policy compliance, threat protection and infection containment for a secure host.)
Operating Systems Basic Security Services
- Trusted code and trusted path: ensures that the integrity of the operating system is not violated
- Privileged context of execution: provides identity authentication and grants privileges based on that identity
- Process memory protection and isolation: separates each process from other users and their data
- Access control to resources: ensures confidentiality and integrity of data
Types of Application Attacks
- Direct: the attacker gains direct access to the application's privileges ("I have gained direct access to this application's privileges").
- Indirect: the attacker compromises a system that the target trusts and uses that trust relationship to reach the target ("I have gained access to this system which is trusted by the other system, allowing me to access it").
Cisco Systems Endpoint Security Solutions
- IronPort
- Cisco Security Agent
- Cisco NAC
Cisco IronPort Products
IronPort products include:
- E-mail security appliances for virus and spam control
- Web security appliance for spyware filtering, URL filtering, and anti-malware
- Security management appliance
IronPort E-mail Security Appliance (C-Series)
(Diagram, before IronPort: between the Internet-facing firewall and the groupware servers sit separate components for encryption platform, DLP scanner, DLP policy manager, MTA, antispam, antivirus, policy enforcement and mail routing. After IronPort: a single IronPort C-Series security appliance between the firewall and the groupware provides all of these functions for the users.)
IronPort S-Series (Web Security Appliance)
(Diagram, before IronPort: between the firewall and the users sit separate web proxy, antispyware, antivirus, antiphishing, URL filtering and policy management components. After IronPort: a single IronPort S-Series appliance consolidates these functions.)
Cisco NAC
The purpose of NAC:
- Allow only authorized and compliant systems to access the network
- Enforce network security policy
NAC Framework:
- Software module embedded within NAC-enabled products
- Integrated framework leveraging multiple Cisco and NAC-aware vendor products
Cisco NAC Appliance:
- In-band Cisco NAC Appliance solution can be used on any switch or router platform
- Self-contained, turnkey solution
The NAC Framework
(Diagram: hosts attempting network access run the Cisco Trust Agent and present credentials to the network access devices (the enforcement point) over EAP/UDP or EAP/802.1x. The access devices relay the credentials over RADIUS to the AAA server (the policy server decision point), which checks them against vendor servers over HTTPS. The policy decision ("Comply?") returns access rights to the enforcement point and a notification to the host, with remediation for noncompliant hosts.)
NAC Components
- Cisco NAS (NAC Appliance Server): serves as an in-band or out-of-band device for network access control
- Cisco NAM (NAC Appliance Manager): centralizes management for administrators, support personnel, and operators
- Cisco NAA (NAC Appliance Agent): optional lightweight client for device-based registry scans in unmanaged environments
- Rule-set updates: scheduled automatic updates for antivirus, critical hotfixes, and other applications
Cisco NAC Appliance Process
1. The host attempts to access a web page or uses the optional client. Network access is blocked until the wired or wireless host provides login information.
2. The host is redirected to a login page. Cisco NAC Appliance validates the username and password (through the Cisco NAM and the authentication server) and also performs device and network scans to assess vulnerabilities on the device.
3. The host is authenticated and optionally scanned for posture compliance.
   3a. Device is noncompliant or login is incorrect: the host is denied access and assigned to a quarantine role with access to online remediation resources.
   3b. Device is "clean": the machine is placed on the "certified devices list" and is granted access to the network.
(Diagram: host, Cisco NAS, Cisco NAM, authentication server, quarantine role, intranet/network.)
4. Login screen, then the scan is performed (the types of checks depend on the user role). If the scan fails, the host remediates; once it passes, access is granted.
(Slide shows the Windows login screen and the scan and remediation dialogs.)
CSA Architecture
(Diagram: the Management Center for Cisco Security Agent, with an internal or external database, is administered from an administration workstation. Servers protected by Cisco Security Agent send alerts and events to the Management Center and receive security policy from it over SSL.)
CSA Overview
(Diagram: application requests pass through four interceptors: the file system interceptor, network interceptor, configuration interceptor and execution space interceptor. The rules engine, driven by rules and policies and a state correlation engine, decides whether each request is allowed or blocked.)
CSA Functionality
(Matrix: security functions versus the interceptors that implement them. Functions: distributed firewall, host intrusion prevention, application sandbox, network worm prevention, file integrity monitor. Interceptors: network, file system, configuration, execution space. The slide marks with an X which interceptors each function relies on.)
Attack Phases
- Probe phase: ping scans, port scans
- Penetrate phase: transfer exploit code to the target
- Persist phase: install new code, modify configuration
- Propagate phase: attack other targets
- Paralyze phase: erase files, crash the system, steal data
(Diagram: a server protected by Cisco Security Agent; the file system, network, configuration and execution space interceptors intervene at the corresponding phases.)
CSA Log Messages
Layer 2 Security
(Diagram: the same perimeter topology: Internet, firewall, VPN, IPS, IronPort, MARS, ACS, hosts, web server, server, DNS. The focus of this section is the LAN switching infrastructure.)
OSI Model
When it comes to networking, Layer 2 is often a very weak link. Each layer depends on the integrity of the layer below it, so an initial compromise at the data link layer undermines everything above it, however well the upper layers are secured.
(Diagram: the OSI layers from physical to application, with what is compromised at each level: physical links (Physical); MAC addresses, the initial compromise (Data Link); IP addresses (Network); protocols and ports (Transport); the application stream (Session, Presentation, Application).)
MAC Address Spoofing Attack (1)
The switch keeps track of the endpoints by maintaining a MAC address table. The hosts with MAC addresses AABBcc and 12AbDd are attached to Port 1 and Port 2; the switch has associated each port with the MAC address of the attached device, so traffic destined for each device is forwarded directly to it. In MAC spoofing, the attacker poses as another host, in this case AABBcc.
MAC Address Spoofing Attack (2)
The attacker changes the MAC address of its computer to match the server's (AABBcc) and transmits. The switch sees source address AABBcc arriving on Port 2, concludes that the device has changed locations, and adjusts its MAC address table accordingly. Traffic for the server is now forwarded to the attacker on Port 2, until the real server transmits again and the entry flips back.
MAC Address Table Overflow Attack (1)
The switch can forward frames between PC1 and PC2 without flooding because the MAC address table contains port-to-MAC-address mappings for these PCs.
MAC Address Table Overflow Attack (2)
1. The intruder (host C on port 3/25, VLAN 10) runs macof to begin sending frames with bogus, unknown source MAC addresses (X, Y, Z, ...).
2. The bogus addresses are added to the CAM table, all on port 3/25, until the CAM table is full.
3. The switch can no longer learn legitimate addresses and floods frames for them out all ports in VLAN 10.
4. The attacker sees traffic to servers B and D.
STP Manipulation Attack (1)
- Spanning Tree Protocol operates by electing a root bridge
- STP builds a tree topology
- STP manipulation changes the topology of a network: the attacking host appears to be the root bridge
(Diagram: root bridge with priority 8192 and MAC address C0.1234; switch ports marked F (forwarding) and B (blocking).)
STP Manipulation Attack (2)
The attacking host broadcasts STP configuration and topology change BPDUs claiming priority 0, lower than the legitimate root bridge's 8192. This is an attempt to force spanning tree recalculations so that the attacker is elected root bridge and traffic between the switches is redirected through it.
(Diagram: the attacker, connected to the switches, sends BPDUs with priority 0; the forwarding and blocking port states change around it.)
LAN Storm Attack
Broadcast, multicast, or unicast packets are flooded on all ports in the same VLAN. These storms can increase the CPU utilization on a switch to 100%, reducing the performance of the network.
(Diagram: a broadcast frame replicated out every port of the switch.)
Storm Control
(Graph: the total number of broadcast packets or bytes received per interval, plotted against time with the configured threshold; forwarding is suppressed while the traffic exceeds the threshold.)
VLAN Attacks
VLAN = Broadcast Domain = Logical Network (Subnet)
VLANs provide segmentation, flexibility and security.
VLAN Attacks (continued)
A VLAN hopping attack can be launched in two ways:
- Spoofing DTP messages from the attacking host to cause the switch to enter trunking mode
- Introducing a rogue switch and turning trunking on
(Diagram: the attacker negotiates an 802.1Q trunk with the switch and so sees traffic destined for the servers in VLAN 10 and VLAN 20.)
Double-Tagging VLAN Attack
1. The attacker, on VLAN 10 (the trunk's native VLAN), sends a frame carrying two 802.1Q tags: an outer tag for VLAN 10 and an inner tag for VLAN 20.
2. The first switch strips off the outer tag and does not retag the frame, because native VLAN traffic is sent untagged on the trunk. It forwards the frame, now carrying only the VLAN 20 tag, to switch 2.
3. The second switch receives the frame on the trunk (native VLAN = 10).
4. The second switch examines the frame, sees the VLAN 20 tag and forwards it into VLAN 20, reaching the victim.
Note: This attack works only if the trunk has the same native VLAN as the attacker's access VLAN, and it is one-way: the victim's replies do not come back to the attacker.
Port Security Overview
Port security allows an administrator to statically specify the MAC addresses permitted on a port or to let the switch dynamically learn a limited number of MAC addresses.
(Diagram: port 0/1 allows MAC A, port 0/2 allows MAC B, port 0/3 allows MAC C. Attacker 1 connects with MAC F, attacker 2 spoofs MAC A on the wrong port; both violate the port's secure address list.)
CLI Commands
Switch(config-if)# switchport mode access
  Sets the interface mode as access
Switch(config-if)# switchport port-security
  Enables port security on the interface
Switch(config-if)# switchport port-security maximum value
  Sets the maximum number of secure MAC addresses for the interface (optional)
Switchport Port-Security Parameters
- mac-address mac-address: (Optional) Specify a secure MAC address for the port by entering a 48-bit MAC address. You can add additional secure MAC addresses up to the maximum value configured.
- vlan vlan-id: (Optional) On a trunk port only, specify the VLAN ID and the MAC address. If no VLAN ID is specified, the native VLAN is used.
- vlan access: (Optional) On an access port only, specify the VLAN as an access VLAN.
- vlan voice: (Optional) On an access port only, specify the VLAN as a voice VLAN.
- mac-address sticky [mac-address]: (Optional) Enable the interface for sticky learning by entering only the mac-address sticky keywords. When sticky learning is enabled, the interface adds all secure MAC addresses that are dynamically learned to the running configuration and converts these addresses to sticky secure MAC addresses. Specify a sticky secure MAC address by entering the mac-address sticky mac-address keywords.
- maximum value: (Optional) Set the maximum number of secure MAC addresses for the interface. The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system. The active Switch Database Management (SDM) template determines this number. This number represents the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces. The default setting is 1.
- vlan [vlan-list]: (Optional) For trunk ports, you can set the maximum number of secure MAC addresses on a VLAN. If the vlan keyword is not entered, the default value is used. vlan: set a per-VLAN maximum value. vlan vlan-list: set a per-VLAN maximum value on a range of VLANs separated by a hyphen or a series of VLANs separated by commas. For nonspecified VLANs, the per-VLAN maximum value is used.
Port Security Violation Configuration
Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}
  Sets the violation mode (optional)
Switch(config-if)# switchport port-security mac-address mac-address
  Enters a static secure MAC address for the interface (optional)
Switch(config-if)# switchport port-security mac-address sticky
  Enables sticky learning on the interface (optional)
Switchport Port-Security Violation Parameters
- protect: (Optional) Set the security violation protect mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the maximum number of allowable addresses. You are not notified that a security violation has occurred, which makes this mode hard to monitor.
- restrict: (Optional) Set the security violation restrict mode. Frames with unknown source addresses are dropped as in protect mode, but in this mode you are notified that a security violation has occurred: an SNMP trap is sent, a syslog message is logged, and the violation counter is incremented.
- shutdown: (Optional) Set the security violation shutdown mode. In this mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and increments the violation counter. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands.
- shutdown vlan: Set the security violation mode to per-VLAN shutdown. In this mode, only the VLAN on which the violation occurred is error-disabled.
Port Security Aging Configuration
Switch(config-if)# switchport port-security aging {static | time time | type {absolute | inactivity}}
  Enables or disables static aging for the secure port, or sets the aging time or type
The aging command allows MAC addresses on the secure switchport to be deleted after the configured aging time. This helps to avoid a situation in which obsolete MAC addresses still occupy the secure address table, so that the next legitimate host pushes the count over the configured maximum and triggers a violation.
Switchport Port-Security Aging Parameters
- static: Enable aging for statically configured secure addresses on this port.
- time time: Specify the aging time for this port. The range is 0 to 1440 minutes. If the time is 0, aging is disabled for this port.
- type absolute: Set the absolute aging type. All the secure addresses on this port age out exactly after the time (in minutes) specified and are removed from the secure address list.
- type inactivity: Set the inactivity aging type. The secure addresses on this port age out only if there is no data traffic from the secure source address for the specified time period.
Typical Configuration
(Diagram: switch S2 with PC B attached to the secured port.)
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security aging time 120
CLI Commands
sw-class# show port-security
Secure Port   MaxSecureAddr   CurrentAddr   SecurityViolation   Security Action
                (Count)         (Count)         (Count)
Fa0/                                                            Shutdown
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024

sw-class# show port-security interface f0/12
Port Security              : Enabled
Port status                : Secure-down
Violation mode             : Shutdown
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Aging time                 : 120 mins
Aging type                 : Absolute
SecureStatic address aging : Disabled
Security Violation Count   : 0
View Secure MAC Addresses
sw-class# show port-security address
          Secure Mac Address Table
Vlan   Mac Address   Type               Ports   Remaining Age (mins)
       ffff.aaaa     SecureConfigured   Fa0/
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024
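The commands from the preceding slides assembled into one complete access-port configuration, with the err-disable recovery and verification steps a practitioner would add. This is an added example, not configuration from the original slides; the interface number, access VLAN and recovery interval are assumptions. Restrict mode is chosen so a violation is logged, trapped and counted without taking the port down; the recovery lines matter if shutdown mode is used instead.

```cisco
! Added example (not from the slides); interface, VLAN and timer values are assumed.
Switch(config)# interface FastEthernet0/12
Switch(config-if)# description User access port with port security
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
! stop the port from ever negotiating a trunk
Switch(config-if)# switchport nonegotiate
Switch(config-if)# switchport port-security
! one PC plus one spare address; keep this as low as the port really needs
Switch(config-if)# switchport port-security maximum 2
! drop offending frames, log a syslog message, send an SNMP trap, count the violation
Switch(config-if)# switchport port-security violation restrict
! learn the addresses once and write them into the running configuration
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# exit
!
! If "violation shutdown" is used instead, bring err-disabled ports back automatically
! after 5 minutes rather than requiring a manual shutdown / no shutdown
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300
Switch(config)# end
!
! Verification: port state and counters, the learned addresses, the recovery timers
Switch# show port-security interface FastEthernet0/12
Switch# show port-security address
Switch# show errdisable recovery
! Sticky addresses survive a reload only if the configuration is saved
Switch# copy running-config startup-config
```

When a legitimate PC on the port is replaced, the stale sticky entry still counts against the maximum and the new MAC address causes a violation; clear it first with `clear port-security sticky interface FastEthernet0/12` (or remove the learned `switchport port-security mac-address sticky <mac>` line from the configuration) and then save again.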
MAC Address Notification
MAC address notification allows monitoring of the MAC addresses, at the module and port level, that the switch adds to or removes from the CAM table for secure ports. SNMP traps are sent to the NMS when new MAC addresses appear or when old ones time out.
(Diagram: switch CAM table with F1/1 = MAC A, F1/2 = MAC B, F2/1 = MAC D. MAC D is away from the network and its address ages out, which triggers a trap to the NMS.)
Configure PortFast
Switch(config-if)# spanning-tree portfast
  Enables PortFast on a Layer 2 access port and forces it to enter the forwarding state immediately.
Switch(config-if)# no spanning-tree portfast
  Disables PortFast on a Layer 2 access port. PortFast is disabled by default.
Switch(config)# spanning-tree portfast default
  Globally enables the PortFast feature on all nontrunking ports.
Switch# show running-config interface type slot/port
  Indicates whether PortFast has been configured on a port.
(Diagram: PortFast on ports connected to a server and a workstation. Use it only on ports that connect a single end host, never on a port that leads to another switch, where skipping the listening and learning states can create a loop.)
BPDU Guard
Switch(config)# spanning-tree portfast bpduguard default
  Globally enables BPDU guard on all ports with PortFast enabled
(Diagram: an attacker sends an STP BPDU into an access port with BPDU guard enabled; the port is error-disabled instead of taking part in the topology, so the root bridge is unaffected.)
Display the State of Spanning Tree
Switch# show spanning-tree summary totals
Root bridge for: none.
PortFast BPDU Guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Spanning tree default pathcost method used is short
Name                 Blocking Listening Learning Forwarding STP Active
1 VLAN
<output omitted>
Root Guard
Switch(config-if)# spanning-tree guard root
  Enables root guard on a per-interface basis
(Diagram: the legitimate root bridge has priority 0. The attacker sends BPDUs that also claim priority 0 with a lower MAC address, which would otherwise win the root election. The port facing the attacker has root guard enabled, so on receiving the superior BPDU it moves to the root-inconsistent (blocking) state instead of accepting a new root; it recovers on its own once the superior BPDUs stop.)
Verify Root Guard
Switch# show spanning-tree inconsistentports
Name   Interface        Inconsistency
VLAN   FastEthernet3/   Port Type Inconsistent
<output omitted>
Number of inconsistent ports (segments) in the system :10
(The slide's sample output lists ten FastEthernet3/x ports. Note that a port blocked by root guard is reported as Root Inconsistent; Port Type Inconsistent is a different condition, a spanning-tree port type mismatch between neighbors, so check the Inconsistency column rather than only the port count.)
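The PortFast, BPDU guard and root guard commands above combined into one worked configuration. This is an added example, not configuration from the slides; the hostnames Access and Root, VLANs 1-100, the assumption that GigabitEthernet0/1-2 on the root bridge face the access switches, and the 300-second recovery interval are all assumptions.

```cisco
! Added example (not from the slides); hostnames, VLAN range, interfaces and timers are assumed.
!
! --- Access switch: end-host ports skip listening/learning and must never receive a BPDU
Access(config)# spanning-tree portfast default
Access(config)# spanning-tree portfast bpduguard default
! A port that receives a BPDU is err-disabled; let it recover once the rogue device is gone
Access(config)# errdisable recovery cause bpduguard
Access(config)# errdisable recovery interval 300
! The global PortFast/BPDU guard defaults apply only to nontrunking ports, so the uplink
! is made an explicit trunk and keeps normal STP behaviour
Access(config)# interface GigabitEthernet0/1
Access(config-if)# switchport mode trunk
Access(config-if)# switchport nonegotiate
Access(config-if)# end
!
! --- Intended root bridge: pin the priority, then refuse superior BPDUs on the downlinks
Root(config)# spanning-tree vlan 1-100 priority 4096
Root(config)# interface range GigabitEthernet0/1 - 2
Root(config-if-range)# spanning-tree guard root
Root(config-if-range)# end
!
! --- Verification on either switch
Switch# show spanning-tree summary totals
Switch# show spanning-tree inconsistentports
Switch# show spanning-tree interface GigabitEthernet0/1 detail
Switch# show errdisable recovery
```

The two guards are complementary: BPDU guard belongs on ports where no switch should ever appear, root guard on ports where a switch is expected but must never become root. A root-guard block shows up in the log as a ROOTGUARD_BLOCK message and in `show spanning-tree inconsistentports` as Root Inconsistent; a BPDU-guard hit puts the port in err-disabled, visible in `show interfaces status err-disabled`.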
Storm Control Methods
- Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic
- Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received
- Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received
- Traffic rate in packets per second for small frames. This feature is enabled globally; the threshold for small frames is configured for each interface.
Storm Control Configuration
Switch(config-if)# storm-control broadcast level 75.5
  Enables broadcast storm control and specifies the level (as a percentage of port bandwidth) at which suppression starts
Switch(config-if)# storm-control multicast level pps pps [pps-low]
  Enables multicast storm control with rising and falling thresholds in packets per second (the slide's example used a rising value in the thousands and a falling value of 1k)
Switch(config-if)# storm-control action shutdown
  Specifies the action that should take place when the threshold (level) is reached, in addition to filtering the traffic
Storm Control Parameters
- broadcast: Enables broadcast storm control on the interface.
- multicast: Enables multicast storm control on the interface.
- unicast: Enables unicast storm control on the interface.
- level level [level-low]: Rising and falling suppression levels as a percentage of the total bandwidth of the port. level: rising suppression level, up to two decimal places; the range is 0.00 to 100.00. Flooding of storm packets is blocked when the value specified for level is reached. level-low: (Optional) falling suppression level, up to two decimal places. This value must be less than or equal to the rising suppression value.
- level bps bps [bps-low]: Specify the rising and falling suppression levels as a rate in bits per second at which traffic is received on the port. bps: rising suppression level, up to one decimal place; the range is 0.0 to 10000000000.0 (k, m and g suffixes are accepted). Flooding of storm packets is blocked when the value specified for bps is reached. bps-low: (Optional) falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value.
- level pps pps [pps-low]: Specify the rising and falling suppression levels as a rate in packets per second at which traffic is received on the port. pps: rising suppression level, up to one decimal place; the range is 0.0 to 10000000000.0 (k, m and g suffixes are accepted). Flooding of storm packets is blocked when the value specified for pps is reached. pps-low: (Optional) falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value.
- action {shutdown | trap}: The action taken when a storm occurs on a port. The default action is to filter traffic and not to send an SNMP trap. shutdown: disables the port during a storm. trap: sends an SNMP trap when a storm occurs.
Verify Storm Control Settings
Switch# show storm-control
Interface   Filter State   Upper     Lower     Current
Gi0/        Forwarding     20 pps    10 pps    5 pps
Gi0/        Forwarding     50.00%    40.00%    0.00%
<output omitted>
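Storm control for all three traffic types with both rising and falling thresholds, plus the recovery setting that goes with the shutdown action. This is an added example, not configuration from the slides; the interface and the threshold values are assumptions that would be tuned to the link's normal broadcast and multicast rates.

```cisco
! Added example (not from the slides); interface and thresholds are assumed.
Switch(config)# interface FastEthernet0/12
! Broadcast: suppress above 20% of port bandwidth, resume forwarding below 10%
Switch(config-if)# storm-control broadcast level 20.00 10.00
! Multicast: rising 2,000 pps, falling 1,000 pps (k, m, g suffixes are accepted)
Switch(config-if)# storm-control multicast level pps 2k 1k
! Unicast: rising 1 Mbit/s, falling 500 kbit/s
Switch(config-if)# storm-control unicast level bps 1m 500k
! Default action is to filter only; "trap" adds an SNMP notification while keeping the port up
Switch(config-if)# storm-control action trap
Switch(config-if)# exit
! If "storm-control action shutdown" is preferred on user ports, pair it with recovery
Switch(config)# errdisable recovery cause storm-control
Switch(config)# errdisable recovery interval 300
Switch(config)# end
!
Switch# show storm-control FastEthernet0/12
Switch# show storm-control FastEthernet0/12 multicast
```

The falling threshold is what prevents flapping: once suppression starts, forwarding resumes only when the rate drops below the lower value, not as soon as it dips under the upper one. If no falling value is given, the rising value is used for both. Percentage thresholds track the port speed, so the same 20% means different absolute rates on a 100 Mbit/s and a 1 Gbit/s port; pps or bps thresholds do not.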
Mitigating VLAN Attacks
- Disable trunking on all access ports (switchport mode access).
- Disable automatic trunk negotiation (DTP) and manually enable trunking only on the links that need it.
- Be sure that the native VLAN is a dedicated, otherwise unused VLAN that carries no user traffic anywhere else; if an attacker's access VLAN is never the native VLAN, the double-tagging attack has nothing to ride on.
(Diagram: trunk with native VLAN = 10.)
Controlling Trunking
Switch(config-if)# switchport mode trunk
  Specifies an interface as a trunk link.
Switch(config-if)# switchport nonegotiate
  Prevents the generation of DTP frames.
Switch(config-if)# switchport trunk native vlan vlan_number
  Sets the native VLAN on the trunk to an unused VLAN.
Traffic Analysis
A SPAN port mirrors traffic to another port where a monitoring device (IDS, RMON probe, protocol analyzer) is connected. Without this, it can be difficult to track hackers after they have entered the network.
(Diagram: the attacker's traffic through the switch is copied to the SPAN port, where the IDS raises "Intruder Alert!".)
CLI Commands
Switch(config)# monitor session session_number source {interface interface-id [, | -] [both | rx | tx]} | {vlan vlan-id [, | -] [both | rx | tx]} | {remote vlan vlan-id}
Switch(config)# monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate] [ingress {dot1q vlan vlan-id | isl | untagged vlan vlan-id | vlan vlan-id}]} | {remote vlan vlan-id}
Verify SPAN Configuration
SPAN and IDS
Use SPAN to mirror traffic in and out of port F0/1 (the attacker's port) to port F0/2, where the IDS is connected.
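The local SPAN setup for the F0/1 to F0/2 scenario on this slide, written out in full with a second, VLAN-based session and the verification commands. This is an added example rather than configuration from the original slides; the session numbers, VLAN 10 and the FastEthernet0/3 sensor port are assumptions.

```cisco
! Added example (not from the slides); session numbers, VLAN 10 and Fa0/3 are assumed.
! Clear any earlier definition of the session, then mirror both directions of the attacker's port
Switch(config)# no monitor session 1
Switch(config)# monitor session 1 source interface FastEthernet0/1 both
Switch(config)# monitor session 1 destination interface FastEthernet0/2
!
! Second session: everything received on user VLAN 10, 802.1Q tags preserved, to a second sensor
Switch(config)# monitor session 2 source vlan 10 rx
Switch(config)# monitor session 2 destination interface FastEthernet0/3 encapsulation replicate
Switch(config)# end
!
Switch# show monitor session 1
Switch# show monitor session all detail
```

A SPAN destination port stops behaving like a normal switch port: it learns no addresses and drops frames the sensor sends into it unless the `ingress` keyword is configured, so an IDS that also has to reach a management server needs a separate management interface. Oversubscription is silent: mirroring a whole VLAN, or both directions of a gigabit port, into a 100 Mbit/s destination drops frames that the IDS never sees.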
Overview of RSPAN
An RSPAN port mirrors traffic to a port on another switch where a probe or IDS sensor is connected. This allows more switches to be monitored with a single probe or IDS.
(Diagram: source VLANs on several switches are carried over a dedicated RSPAN VLAN to the switch where the IDS is attached.)
Configuring RSPAN
1. Configure the RSPAN VLAN (on 2960-1 and 2960-2; it must exist on every switch along the path):
2960-1(config)# vlan 100
2960-1(config-vlan)# remote-span
2960-1(config-vlan)# exit
2. Configure the RSPAN source ports and VLANs on the source switch:
2960-1(config)# monitor session 1 source interface FastEthernet 0/1
2960-1(config)# monitor session 1 destination remote vlan 100 reflector-port FastEthernet 0/24
2960-1(config)# interface FastEthernet 0/2
2960-1(config-if)# switchport mode trunk
3. Configure the destination switch to forward the RSPAN traffic to the sensor port:
2960-2(config)# monitor session 2 source remote vlan 100
2960-2(config)# monitor session 2 destination interface FastEthernet 0/3
2960-2(config)# interface FastEthernet 0/2
2960-2(config-if)# switchport mode trunk
Note: the trunk between the two switches must carry VLAN 100. The reflector-port keyword is needed only on platforms that require a dedicated reflector port (for example the Catalyst 2950 and 3550); on switches that do not, omit it.
Verifying RSPAN Configuration
On both 2960-1 and 2960-2:
show monitor [session {session_number | all | local | range list | remote} [detail]] [ | {begin | exclude | include} expression]
Layer 2 Guidelines
- Manage switches in as secure a manner as possible (SSH, out-of-band management, ACLs, etc.)
- Set all user ports to non-trunking mode (except if using Cisco VoIP)
- Use port security where possible for access ports
- Enable STP attack mitigation (BPDU guard, root guard)
- Use Cisco Discovery Protocol only where necessary; with phones it is useful
- Configure PortFast on all non-trunking ports
- Configure root guard on STP root ports
- Configure BPDU guard on all non-trunking ports
VLAN Practices
- Always use a dedicated, unused native VLAN ID for trunk ports
- Do not use VLAN 1 for anything
- Disable all unused ports and put them in an unused VLAN
- Manually configure all trunk ports and disable DTP on trunk ports
- Configure all non-trunking ports with switchport mode access
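The trunk-hardening commands from the "Mitigating VLAN Attacks" and "Controlling Trunking" slides, the Layer 2 guidelines and the VLAN practices above, applied together to one access switch. This is an added example, not configuration from the slides; the VLAN numbers, interface ranges, management addressing, domain name and ACL are all assumptions, and the `vlan dot1q tag native` command is available on some Catalyst platforms but not all.

```cisco
! Added example (not from the slides); VLANs, interfaces, addresses and ACL are assumed.
!
! Dedicated VLANs: trunk native VLAN, parking VLAN for unused ports, management VLAN
Switch(config)# vlan 998
Switch(config-vlan)# name NATIVE_UNUSED
Switch(config-vlan)# exit
Switch(config)# vlan 999
Switch(config-vlan)# name PARKING_UNUSED
Switch(config-vlan)# exit
Switch(config)# vlan 99
Switch(config-vlan)# name MGMT
Switch(config-vlan)# exit
!
! Uplink: static trunk, no DTP, unused native VLAN, only the VLANs that belong on it
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport nonegotiate
Switch(config-if)# switchport trunk native vlan 998
Switch(config-if)# switchport trunk allowed vlan 10,20,99,110
Switch(config-if)# exit
! Tag native-VLAN frames on trunks as well (platform-dependent); with this there is no
! untagged native frame for a double-tagged attack frame to hide behind
Switch(config)# vlan dot1q tag native
!
! User ports: access mode only, never a trunk, no CDP where no phone is attached
Switch(config)# interface range FastEthernet0/1 - 12
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# switchport nonegotiate
Switch(config-if-range)# no cdp enable
Switch(config-if-range)# exit
!
! Unused ports: shut down and parked in a VLAN that is routed nowhere
Switch(config)# interface range FastEthernet0/13 - 24
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 999
Switch(config-if-range)# shutdown
Switch(config-if-range)# exit
!
! Nothing on VLAN 1: manage the switch over SSH on its own VLAN, from the admin subnet only
Switch(config)# interface Vlan1
Switch(config-if)# shutdown
Switch(config-if)# exit
Switch(config)# interface Vlan99
Switch(config-if)# ip address 10.99.0.10 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# exit
Switch(config)# ip default-gateway 10.99.0.1
Switch(config)# ip domain-name example.invalid
Switch(config)# crypto key generate rsa modulus 2048
Switch(config)# ip ssh version 2
Switch(config)# username admin privilege 15 secret <strong-password>
Switch(config)# access-list 10 permit 10.99.0.0 0.0.0.255
Switch(config)# line vty 0 15
Switch(config-line)# transport input ssh
Switch(config-line)# access-class 10 in
Switch(config-line)# login local
Switch(config-line)# end
!
Switch# show interfaces trunk
Switch# show interfaces GigabitEthernet0/1 switchport
Switch# show vlan brief
```

`show interfaces trunk` is the quick audit: every trunk listed should be one you configured, its native VLAN should be 998, and the allowed list should not read "1-4094". `show interfaces switchport` on a user port should show Administrative Mode: static access and Negotiation of Trunking: Off.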
Overview of Wireless, VoIP Security
Overview of SAN Security
Infrastructure-Integrated Approach
- Proactive threat and intrusion detection capabilities that do not simply detect wireless attacks but prevent them
- Comprehensive protection to safeguard confidential data and communications
- Simplified user management with a single user identity and policy
- Collaboration with wired security systems
Cisco IP Telephony Solutions
- Single-site deployment
- Centralized call processing with remote branches
- Distributed call-processing deployment
- Clustering over the IP WAN
Storage Network Solutions
- Investment protection
- Virtualization
- Security
- Consolidation
- Availability
Cisco Wireless LAN Controllers
- Responsible for system-wide wireless LAN functions
- Work in conjunction with APs and the Cisco Wireless Control System (WCS) to support wireless applications
- Integrate smoothly into existing enterprise networks
Wireless Hacking
- War driving
- A neighbor hacks into another neighbor's wireless network to get free Internet access or to access information
- Free Wi-Fi provides an opportunity to compromise the data of its users
Hacking Tools
- Network Stumbler
- Kismet
- AirSnort
- CoWPAtty
- ASLEAP
- Wireshark
Safety Considerations
- Wireless networks using WEP or WPA/TKIP are not secure: WEP is broken and TKIP is deprecated, and both are vulnerable to well-known attacks.
- Wireless networks using WPA2/AES should have a passphrase of at least 21 characters.
- If an IPsec VPN is available, use it on any public wireless LAN.
- If wireless access is not needed, disable the wireless radio or wireless NIC.
VoIP Business Advantages
- Little or no training costs
- No major set-up fees
- Enables unified messaging
- Encryption of voice calls is supported
- Fewer administrative personnel required
- Lower telecom call costs
- Productivity increases
- Lower costs to move, add, or change
- Lower ongoing service and maintenance costs
(Diagram: IP network connected to the PSTN through a VoIP gateway.)
VoIP Components
(Diagram: an IP backbone interconnecting Cisco Unified Communications Manager (the call agent), Cisco Unity, an MCU, IP phones, a videoconference station, and routers/gateways that connect to a legacy PBX and to the PSTN.)
VoIP Protocols
- H.323: ITU standard protocol for interactive conferencing; evolved from the H.320 ISDN standard; flexible, complex
- MGCP: emerging IETF standard for PSTN gateway control; thin device control
- Megaco/H.248: joint IETF and ITU standard for gateway control with support for multiple gateway types; evolved from the MGCP standard
- SIP: IETF protocol for interactive and noninteractive conferencing; simpler but less mature than H.323
- RTP: IETF standard media-streaming protocol
- RTCP: IETF protocol that provides out-of-band control information for an RTP flow
- SRTP: IETF protocol that encrypts RTP traffic as it leaves the voice device
- SCCP: Cisco proprietary protocol used between Cisco Unified Communications Manager and Cisco IP phones
Threats
- Reconnaissance
- Directed attacks such as spam over IP telephony (SPIT) and spoofing
- DoS attacks such as DHCP starvation, flooding, and fuzzing
- Eavesdropping and man-in-the-middle attacks
VoIP SPIT
If SPIT (spam over IP telephony) grows the way e-mail spam did, it could result in regular DoS problems for network administrators. Antispam methods do not block SPIT. Authenticated TLS stops most SPIT attacks because TLS endpoints accept signaling only from trusted devices.
(Example SPIT message on the slide: "You've just won an all expenses paid vacation to the U.S. Virgin Islands!!!")
Fraud
Fraud takes several forms:
- Vishing: a voice version of phishing that is used to compromise confidentiality.
- Theft and toll fraud: the stealing of telephone services.
Use features of Cisco Unified Communications Manager to protect against fraud:
- Partitions limit which parts of the dial plan certain phones have access to.
- Dial plan filters control access to exploitable phone numbers (for example premium-rate or international destinations).
- Forced authorization codes (FACs) prevent unauthorized calls and provide a mechanism for tracking who placed them.
SIP Vulnerabilities
- Registration hijacking: allows a hacker to intercept incoming calls and reroute them.
- Message tampering: allows a hacker to modify data packets traveling between SIP addresses.
- Session tear-down: allows a hacker to terminate calls or carry out VoIP-targeted DoS attacks.
(Diagram: SIP user agents, SIP proxy, registrar servers and the location database.)
Using VLANs
A separate voice VLAN (on the slide, voice VLAN 110 and data VLAN 10 carried over an 802.1Q trunk on port 5/1 to the IP phone, with the desktop PC connected behind the phone):
- Creates a separate broadcast domain for voice traffic
- Protects against eavesdropping and tampering
- Renders packet-sniffing tools less effective
- Makes it easier to implement VACLs that are specific to voice traffic
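The phone-plus-PC port described on this slide as a worked configuration, using the slide's VLAN 110 for voice and VLAN 10 for data. This is an added example, not configuration from the slides; the interface number is an assumption, and the port-security maximum of two follows the rule that the phone's address is learned on the voice VLAN and one PC behind it needs one more.

```cisco
! Added example (not from the slides); the interface number is assumed.
Switch(config)# vlan 110
Switch(config-vlan)# name VOICE
Switch(config-vlan)# exit
Switch(config)# interface FastEthernet0/5
Switch(config-if)# switchport mode access
! PC traffic arriving through the phone is untagged and lands in the access VLAN
Switch(config-if)# switchport access vlan 10
! Phone traffic is 802.1Q-tagged with VLAN 110; the phone learns this VLAN via CDP, so keep CDP on here
Switch(config-if)# switchport voice vlan 110
Switch(config-if)# cdp enable
Switch(config-if)# spanning-tree portfast
! Port security still applies: one address for the phone on the voice VLAN, one for the PC
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# end
!
Switch# show interfaces FastEthernet0/5 switchport
Switch# show vlan brief
```

The `show interfaces switchport` output should list Voice VLAN: 110 and Access Mode VLAN: 10. The voice VLAN separates the two broadcast domains; it does not by itself stop a PC from tagging its own frames with VLAN 110, which is why the VACLs the slide mentions, or 802.1X, are still needed to enforce that only phones speak on the voice VLAN.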
Using Cisco ASA Adaptive Security Appliances
- Ensure SIP, SCCP, H.323, and MGCP requests conform to standards
- Prevent inappropriate SIP methods from being sent to Cisco Unified Communications Manager
- Rate-limit SIP requests
- Enforce call policy (whitelist, blacklist, caller/called party, SIP URI)
- Dynamically open ports for Cisco applications
- Allow only registered phones to make calls
- Enable inspection of encrypted phone calls
(Diagram: one Cisco ASA between the voice network and the WAN, another in front of the Internet.)
Using VPNs
- Use IPsec for authentication
- Use IPsec to protect all traffic, not just voice
- Consider the SLA with the service provider
- Terminate on a VPN concentrator or large router inside the firewall to gain these benefits: performance, reduced configuration complexity, managed organizational boundaries
(Diagram: telephony servers at the central site and an SRST router at the branch, connected over the IP WAN.)
Using Cisco Unified Communications Manager
- Signed firmware
- Signed configuration files
- Disable on the phone: PC port, Settings button, speakerphone, web access
SAN Security Considerations
A SAN is a specialized network that enables fast, reliable access among servers and external storage resources.
(Diagram: servers on the IP network with a separate SAN to the storage.)
SAN Transport Technologies
- Fibre Channel: the primary SAN transport for host-to-SAN connectivity
- iSCSI: maps SCSI over TCP/IP and is another host-to-SAN connectivity model
- FCIP: a popular SAN-to-SAN connectivity model
(Diagram: hosts on the LAN reaching the SAN over these transports.)
World Wide Name
- A 64-bit address that Fibre Channel networks use to uniquely identify each element in a Fibre Channel network
- Zoning can utilize WWNs to assign security permissions
- The WWN of a device is a user-configurable parameter, so it can be spoofed; WWN-based zoning is an access-control convenience, not authentication of the host
(Pictured: Cisco MDS 9020 Fabric Switch)
Zoning Operation
- Zone members see only other members of the zone.
- Zones can be configured dynamically based on WWN.
- Devices can be members of more than one zone.
- Switched fabric zoning can take place at the port or device level: based on the physical switch port, on the device WWN, or on the LUN ID.
(Diagram: Host1, Host2 and Disk1-Disk4 grouped into ZoneA, ZoneB and ZoneC, with some devices in more than one zone.)
Virtual Storage Area Network (VSAN)
With the VSAN service of the Cisco MDS 9000 Family, physical SAN islands are virtualized onto a common SAN infrastructure.
Data Integrity and Secrecy
(Diagram: security focus areas around a secure SAN: SAN protocol target access, SAN management access, SAN fabric access, IP storage access, and data integrity and secrecy.)
SAN Management
Three main areas of vulnerability:
- Disruption of switch processing
- Compromised fabric stability
- Compromised data integrity and confidentiality
Fabric and Target Access
Three main areas of focus:
- Application data integrity
- LUN integrity
- Application performance
Relationship of VSANs to Zones
Two VSANs, each with multiple zones. Disks and hosts are dedicated to VSANs; both hosts and disks can belong to multiple zones within a single VSAN, but they cannot span VSANs.
(Diagram: VSAN 2 contains ZoneA, ZoneB and ZoneC over Host1, Host2 and Disk1-Disk4; VSAN 3 contains ZoneA and ZoneD over Host3, Host4, Disk5 and Disk6. Zone names are scoped to a VSAN, so both VSANs can have a ZoneA.)
iSCSI and FCIP
iSCSI leverages many of the security features inherent in Ethernet and IP:
- ACLs are like Fibre Channel zones
- VLANs are like Fibre Channel VSANs
- 802.1X port authentication is like Fibre Channel port security
FCIP security leverages many IP security features in Cisco IOS-based routers:
- IPsec VPN connections through public carriers
- High-speed encryption services in specialized hardware
- Can be run through a firewall