Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod9_L8 1 Network Security 2 Module 7 – Secure Network Architecture and Management.

Published byAustin Caldwell Modified over 9 years ago

Similar presentations

Presentation on theme: "© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod9_L8 1 Network Security 2 Module 7 – Secure Network Architecture and Management."— Presentation transcript:

1 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod9_L8 1 Network Security 2 Module 7 – Secure Network Architecture and Management

2 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod9_L8 2 Lesson 7.1 - Layer 2 Security Best Practices Module 7 – Secure Network Architecture and Management

3 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 3

4 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 4

5 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 5

6 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 6

7 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 7

8 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 8

9 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 9

10 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 10

11 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 11

12 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 12

13 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 13

14 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 14

15 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 15

16 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 16

17 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 17

18 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 18

19 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 19

20 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 20

21 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 21

22 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 22

23 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 23 Typical Cases Case #Security ZonesNumber of User Groups Number of Switch Devices 1Single 2 Multiple 3SingleMultipleSingle 4 Multiple 5 Single 6MultipleSingleMultiple 7 Single 8Multiple

24 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 24 Single Security Zone, One User Group, One Physical Switch or DMZ Internet Vulnerabilities MAC spoofing CAM table overflow

25 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 25 Single Security Zone, One User Group, Multiple Physical Switches or DMZ Internet Vulnerabilities MAC spoofing CAM table overflow VLAN hopping Spanning tree attacks

26 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 26 Single Security Zone, Multiple User Groups, Single Physical Switch User Group A User Group B User Group C Vulnerabilities MAC spoofing CAM table overflow VLAN hopping

27 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 27 Single Security Zone, Multiple User Groups, Multiple Physical Switches User Group A User Group B User Group C Vulnerabilities MAC spoofing CAM table overflow VLAN hopping STP attacks

28 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 28 Multiple Security Zone, One User Group, Single Physical Switch External (DMZ) VLAN 100 Internal VLAN 200 Vulnerabilities MAC spoofing, within VLANs CAM table overflow per VLAN VLAN hopping

29 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 29 Multiple Switch Network Separation External (DMZ) VLAN 100 Internal VLAN 200

30 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 30 Multiple Security Zones, One User Group, Multiple Physical Switches Security Zone 1 Security Zone 2 Vulnerabilities MAC spoofing, within VLANs CAM table overflow, through per VLAN traffic flooding VLAN hopping STP attacks

31 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 31 Alternative Design for Multiple Security Zones, One User Group, Multiple Switches Security Zone 1 Security Zone 2

32 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 32 Multiple Security Zones, Multiple User Groups, Single Physical Switch Vulnerabilities MAC spoofing, within VLANs CAM table overflow, through per VLAN traffic flooding VLAN hopping Private VLAN attacks, on a per VLAN basis

33 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 33 Multiple Security Zones, Multiple User Groups, Multiple Physical Switches Security Zone 1 Security Zone 2 Vulnerabilities MAC spoofing, within VLANs CAM table overflow, through per VLAN traffic flooding VLAN hopping STP attacks VTP attacks

34 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 34 L2 Security Best Practices  Manage switches as securely as possible.  Use IP-permit lists to restrict access to management ports.  Selectively use SNMPv3 and treat community strings like root passwords.  Always use a dedicated VLAN ID for all trunk ports.  Avoid using VLAN 1.  Set all user ports to non-trunking mode.  Deploy port security where possible for user ports. Alternatively, deploy dynamic port security using DHCP snooping along with Dynamic ARP Inspection (DAI).  Have a plan for the ARP security issues in the network. Consider using DHCP Snooping along with Dynamic ARP Inspection and IP source guard to protect against MAC spoofing and IP spoofing on the network.

35 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 35 L2 Security Best Practices  Enable STP attack mitigation with BPDU Guard and Root Guard.  Use private VLANs where appropriate to further divide Layer 2 networks.  Use Cisco Discovery Protocol (CDP) only where appropriate.  Disable all unused ports and put them in an unused VLAN.  Use Cisco IOS Software ACLs on IP-forwarding devices to protect Layer 2 proxy on private VLANs.  Eliminate native VLANs from 802.1q trunks.  Use VTP passwords to authenticate VTP advertisements.  Consider using Layer 2 port authentication, such as 802.1x, to authenticate clients attempting connectivity to a network.  Procedures for change control and configuration analysis must be in place to ensure that changes result in a secure configuration.

36 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 36 Lesson 7.2 - SDM Security Audit Module 7 – Secure Network Architecture and Management

37 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 37 Security Audit Overview  Compares router configuration against a predefined checklist of ICSA and TAC approved best practices.  Examples of the audit include, but are not limited to, the following: –Shut down unneeded servers on the router, such as BOOTP, finger, and tcp/udp small-servers. –Shut down unneeded services on the router, such as CDP, ip source- route, and ip classless. –Apply firewall to outside interfaces. –Disable SNMP or enable with hard-to-guess community strings. –Shut down unused interfaces, no ip proxy-arp. –Force passwords for console and vty lines. –Force an enable secret password. –Enforce the use of access lists.

38 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 38 Security Audit Main Window

39 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 39 Monitor Mode Overview Interface Stats Firewall Stats VPN Stats

40 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 40 Lesson 7.3 – Router Management Center Module 7 – Secure Network Architecture and Management

41 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 41 The Router Management Center (MC)

42 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 42 What is the Router MC?

43 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 43 Router MC Components

44 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 44 Configure Routers for SSH

45 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 45 Using the Router MC

46 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 46 The Router MC User Interface

47 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 47 Router MC WorkFlow

48 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 48 Cisco Security Manager

49 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 49 Lesson 7.4 – Simple Network Management Protocol (SNMP) Module 7 – Secure Network Architecture and Management

50 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 50 SNMP Introduction Application-layer protocol that facilitates the exchange of management information between network devices An SNMP managed network consists of three key components: Managed Devices Agents Network management systems (NMSs)

51 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 51 SNMP Agent

52 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 52 SNMP Management Entity

53 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 53 SNMP Device Management

54 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 54 SNMP Versions

55 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 55 Securing SNMP Access

56 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 56 SNMPv3 Message Format

57 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 57 SNMPv3  SNMPv3 provides secure access to devices by a combination of authenticating and encrypting packets over the network.  The security features provided in SNMPv3 are: –Message integrity –Authentication –Encryption  SNMPv3 provides for both security models and security levels. –A security model is an authentication strategy that is set up for a user and the group in which the user resides. –A security level is the permitted level of security within a security model.

58 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 58 SNMP Security Models

59 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 59 SNMP NMS

60 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 60 SNMP Trap Watcher

61 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 61 Configure SNMP Engine The first task in configuring SNMPv3 is to configure the SNMP engine ID (a character string of up to 24 characters). Unambiguous identifier of an SNMP engine in the administrative domain. snmp-server engineID local engineID-string If not specifically configured with this command, the SNMP entity automatically allocates a value. After the SNMP engineID is configured, the order of an SNMPv3 configuration task list is groups, users, optional view(s), and optionally the host(s) where the notifications will be sent

62 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 62 SNMP Groups snmp-server group group- name {v1 | v2c | v3 {auth | noauth | priv}} [readread-view] [write write-view] [notify notify-view] [access access-list]  Configures an SNMP group that maps SNMP users to three SNMP views—read access, write access, and notifications.

63 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 63 SNMP User  snmp-server user username group-name [remote host [udp- port port]] {v1 |v2c | v3 [encrypted] [auth {md5 | sha} auth- password]} [access access-list] [priv {des | 3des | aes {128 | 192 | 256}} privpassword]  Configures a new user to an SNMP group.  This user can use SNMPv1, SNMPv2c, or SNMPv3.  If SNMPv3 is selected, the password, which can optionally be encrypted, has to be specified for the MD5 or SHA authentication.  Furthermore, SNMPv3 requires that you specify the privacy algorithm to be used (DES, 3-DES, AES, AES-192, or AES-256) and the password to be associated with this privacy protocol.

64 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 64 SNMP Host

65 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 65 AuthNoPriv SNMP Example The SNMP IOS configuration with user authentication and no encryption is straightforward:  router(config)# snmp-server engineID local 1234567890 router(config)# snmp-server group benoitgroup v3 auth router(config)# snmp-server user benoit benoitgroup v3 auth md5 benoitpassword router(config)# exit  In this example, the user benoit belongs to benoitgroup, which is defined with SNMPv3 authentication.  The user benoit is specified with the password benoitpassword, using the MD5 authentication algorithm.

66 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 66 Displaying information for SNMP  The running configuration does not show the SNMP user-related command:  This behavior is explained in RFC 3414, which describes SNMPv3: "A user's password or non- localized key MUST NOT be stored on a managed device/node.“  To display info about SNMP in config: –show snmp user –show snmp group

67 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 67 SNMP and the PIX Security Appliance

68 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 68 SNMP and the PIX Security Appliance  Step 1 - Identify the IP address of the NMS that can connect to the PIX –snmp-server host interface_name ip_address [trap | poll] [community text] [version 1 | 2c] [udp-port port]  Step 2 - Specify the community string –snmp-server community key  Step 3 - (Optional) Set the SNMP server location or contact information –snmp-server {contact | location} text  Step 4 - Enable the PIX Security Appliance to send traps to the NMS –snmp-server enable [traps [all | feature [trap1] [trap2]] [...]]

69 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 69 SNMP and the PIX Security Appliance  Step 5 - Enable system messages to be sent as traps to the NMS –logging history level –snmp-server enable traps  Step 6 - Enable logging, so system messages are generated and can then be sent to an NMS –logging on

70 © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L9 70

Download ppt "© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod9_L8 1 Network Security 2 Module 7 – Secure Network Architecture and Management."

Similar presentations

Cisco Device Hardening Disabling Unused Cisco Router Network Services and Interfaces.

Cisco Device Hardening Disabling Unused Cisco Router Network Services and Interfaces.
Mitigating Layer 2 Attacks

Mitigating Layer 2 Attacks
DMZ (De-Militarized Zone)

DMZ (De-Militarized Zone)
DMZ (De-Militarized Zone)

DMZ (De-Militarized Zone)
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.
Implementing Secure Converged Wide Area Networks (ISCW)

Implementing Secure Converged Wide Area Networks (ISCW)
© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Common Layer 2 Attacks and Countermeasures.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Common Layer 2 Attacks and Countermeasures.
1 Semester 2 Module 4 Learning about Other Devices Yuda college of business James Chen

1 Semester 2 Module 4 Learning about Other Devices Yuda college of business James Chen
CCNPv5 Minimizing Service Loss and Data Theft in a Campus Network 1 Minimizing Service Loss and Data Theft in a Switched BCMSN Module 8 – Sec 2.

CCNPv5 Minimizing Service Loss and Data Theft in a Campus Network 1 Minimizing Service Loss and Data Theft in a Switched BCMSN Module 8 – Sec 2.
Implementing a Highly Available Network

Implementing a Highly Available Network
1 © 2003, Cisco Systems, Inc. All rights reserved. Vyncke ethernet security Ethernet: Layer 2 Security Eric Vyncke Cisco Systems Distinguished Engineer.

1 © 2003, Cisco Systems, Inc. All rights reserved. Vyncke ethernet security Ethernet: Layer 2 Security Eric Vyncke Cisco Systems Distinguished Engineer.
1 CCNA 2 v3.1 Module 4. 2 CCNA 2 Module 4 Learning about Devices.

1 CCNA 2 v3.1 Module 4. 2 CCNA 2 Module 4 Learning about Devices.
Chapter 5 Secure LAN Switching.  MAC Address Flooding Causing CAM Overflow and Subsequent DOS and Traffic Analysis Attacks.

Chapter 5 Secure LAN Switching.  MAC Address Flooding Causing CAM Overflow and Subsequent DOS and Traffic Analysis Attacks.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Understanding Switch Security Issues.

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Understanding Switch Security Issues.
SNMP Simple Network Management Protocol

SNMP Simple Network Management Protocol
1 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential.Cisco Networking Academy, U.S./Canada Equipping Today’s Instructors for Tomorrow’s.

1 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential.Cisco Networking Academy, U.S./Canada Equipping Today’s Instructors for Tomorrow’s.
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Securing Network Services.

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Securing Network Services.
TCP/IP Addressing Design. Objectives Choose an appropriate IP addressing scheme based on business and technical requirements Identify IP addressing problems.

TCP/IP Addressing Design. Objectives Choose an appropriate IP addressing scheme based on business and technical requirements Identify IP addressing problems.
Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.

Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.

Similar presentations

Ads by Google