Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Defense-in-Depth using Network Virtualization and Network Admission.

Published byEdith Peters Modified over 9 years ago

Similar presentations

Presentation on theme: "© 2007 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Defense-in-Depth using Network Virtualization and Network Admission."— Presentation transcript:

1 © 2007 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Defense-in-Depth using Network Virtualization and Network Admission Control Steven Carter – stevenca@cisco.com Susan Stewart – sustewar@cisco.com

2 © 2007 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 2 Agenda  Background/Overview  Network Virtualization Techniques  Network Access Control  Securing the Wild, Wild, West  Q&A

3 © 2007 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 3 Background  The term “Defense-in-Depth” refers to leveraging the defensive capability of every device in the network from the border of the network through the core, distribution, and access portions of the network and into the host itself.  This can be done by combining the following capabilities: – Firewall/IDS at the border to ward of threats before they enter the network – Network virtualization to segregate the physical network into multiple virtual networks to support multiple security levels and services – Network Access Control to authenticate user/hosts onto the network, check their security posture, and place them into the network that matches their requirements

4 © 2007 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 4 Agenda  Background/Overview  Network Virtualization Techniques  Network Access Control  Securing the Wild, Wild, West  Q&A

5 © 2007 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 5 Virtual Network Internal Network Virtualization  Provide several networks to support varying security postures, applications, etc.  One physical network supports many virtual networks  End-user perspective is that of being connected to a dedicated network (independent security policies, routing decisions, etc.) Actual Physical Infrastructure Visitor Virtual Network Voice

6 © 2007 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 6 Network Device Virtualization  Switch Virtualization: – Data Plane – 802.1q VLANs – Control Plane – Per VLAN Spanning Tree

7 © 2007 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 7 Network Device Virtualization (Cont.)  Router Virtualization: – Data Plane - Virtual Routing/Forwarding (VRFs) – Control Plane – Multiple instances of routing protocols (OSPF, EIGRP, etc) per routed plane. 802.1q, GRE, LSP, Physical Int, Others 802.1q or Others Global VRF

8 © 2007 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 8 Data Path Virtualization  Tags: 802.1q  Tunnels (connection oriented) GRE/mGRE Label Switched Paths—LSP (MPLS) Multi-Hop Data Path Virtualization IP Single Hop Data Path Virtualization 802.1q Tags

9 © 2007 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 9 Putting it Together

10 © 2007 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 10 Agenda  Background/Overview  Network Virtualization Techniques  Network Access Control  Securing the Wild, Wild, West  Q&A

11 © 2007 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 11 Network Access Control (NAC)  NAC can mean different things to different people, but for the purposes of this presentation, it should provide three important functions: – User/Host Authentication – The network should be able to authenticate the user (or at least the host) onto the network. – Host Posture Verification – The ability to make sure that the host posture (virus definitions, patches, firewalls, etc.) match the policy of the network for which it is destined. – Host Remediation – The placement of the host into the correct network  NAC provides that connection between Network Security and Host Security

12 © 2007 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 12 Network Access Control (NAC) (Cont.) Authenticate & Authorize  Enforces authorization policies and privileges  Supports multiple user roles Update & Remediate  Network-based tools for vulnerability and threat remediation  Help-desk integration Quarantine & Enforce  Isolate non-compliant devices from rest of network  MAC and IP-based quarantine effective at a per-user level Scan & Evaluate  Agent scan for required versions of hotfixes, AV, etc  Network scan for virus and worm infections and port vulnerabilities First, establish ACCESS POLICIES. Then: LIMITED COMPLIANCE = LIMITED NETWORK ACCESS

13 © 2007 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 13 What about the exceptions?  Hosts that do not support the mechanisms can be dealt with in various ways (external scanning, web authentication, etc.), but in general garner a lower level of trust and can be segregated from the general population  Because of their very nature, Research and Education networks have a number of hosts (upwards of 25%) that do not fit a supported configuration  There must be a credible option for these hosts, otherwise, you diminish much of the effect of implementing NAC in the first place

14 © 2007 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 14 Addressing the Outliers  One option is to put a firewall in front of each and every host that cannot comply. This can be done with physical firewalls (i.e. a small firewall in front of every host): – Pros - Straight-forward and easy for the policy people to understand and buy into; Depending on the situation, could be more cost-effective – Cons – Logistically difficult and hard to administer; not scalable to large number

15 © 2007 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 15 Addressing the Outliers (Cont.)  You can also do it (yes, you guessed it) VIRTUALLY  Difficult to do with a standard 802.1q VLANs because it is not scalable and difficult to avoid needing proper subset addresses per VLAN  Difficult to do with ACLs because of the shear number needed. Also not scalable and is difficult to maintain  Solution: Use sufficient security techniques to obviate the need for real firewalls

16 © 2007 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 16 Agenda  Background/Overview  Network Virtualization Techniques  Network Access Control  Securing the Wild, Wild, West  Q&A

17 © 2007 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 17 Securing the Wild, Wild, West  Overview: – Private VLANs to separate broadcast domains – Port Security prevents MAC spoofing – DHCP snooping prevents client attack on the switch and server – Dynamic ARP Inspection adds security to ARP using DHCP snooping table – IP Source Guard adds security to IP source address using DHCP snooping table

18 © 2007 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 18 Securing the Wild, Wild, West (Cont.)  Private VLANs – PVLANs allow segregating broadcast segment into a non- broadcast multi-access-like segment. – Traffic that comes to a switch from a promiscuous port is able to go out on all the ports that belong to the same primary VLAN. – Traffic that comes to a switch from a port mapped to a secondary VLAN (it can be either an isolated, a community, or a two-way community VLAN) can be forwarded to a promiscuous port or a port belonging to the same community VLAN. Distribution Access Secondary VLAN (isolated)Secondary VLAN (community) Primary VLAN Secondary VLANs

19 © 2007 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 19 Securing the Wild, Wild, West (Cont.)  Port Security – Restrict a port's ingress traffic by limiting the MAC addresses that are allowed to send traffic into the port – Number of address on the port is configurable – Dynamically learned MAC address cuts down on administrative overhead – “sticky” and non-”sticky” variants give the option of retaining learned address across port-down events Only 1 MAC Address Allowed on the Port: Shutdown

20 © 2007 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 20 Securing the Wild, Wild, West (Cont.)  DHCP Snooping – Acts like a firewall between untrusted hosts and trusted DHCP servers – Validates and Rate-Limits DHCP messages received from untrusted sources and filters out invalid messages. – Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses to validate subsequent requests from untrusted hosts DHCP Server DHCP Responses Trusted Untrusted DHCP Snooping Unauthorized DHCP Response DHCP Requests

21 © 2007 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 21 Securing the Wild, Wild, West (Cont.)  Dynamic Arp Inspection – Intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings – Valid ARP packets based upon DHCP snooping binding database or from user-configured ARP access control lists (ACLs) – Configurable to drop ARP packets when either the IP address or the the MAC address in the body does not match the Ethernet header DHCP Server DHCP Responses Trusted Untrusted DHCP Snooping Unauthorized DHCP Response DHCP Requests I’m your GW: 10.1.1.1 Not by my binding table Not by my binding table

22 © 2007 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 22 Securing the Wild, Wild, West (Cont.)  IP Source Guard – IP source guard prevents IP spoofing by allowing only the IP addresses that are obtained through DHCP snooping on a particular port. –This process restricts the client IP traffic to those source IP addresses that are obtained from the DHCP server; any IP traffic with a source IP address other than that in the PACLs permit list is filtered out DHCP Server DHCP Responses Trusted Untrusted DHCP Snooping Unauthorized DHCP Response DHCP Requests I’m your GW: 10.1.1.1 Not by my Port ACL Not by my Port ACL

23 © 2007 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 23 The End Questions? Comments? Criticisms? For more information: Steven Carter – stevenca@cisco.com Susan Stewart – sustewar@cisco.com

24

Download ppt "© 2007 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Defense-in-Depth using Network Virtualization and Network Admission."

Similar presentations

Virtual Trunk Protocol

Virtual Trunk Protocol
Mitigating Layer 2 Attacks

Mitigating Layer 2 Attacks
© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Common Layer 2 Attacks and Countermeasures.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Common Layer 2 Attacks and Countermeasures.
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
CCNPv5 Minimizing Service Loss and Data Theft in a Campus Network 1 Minimizing Service Loss and Data Theft in a Switched BCMSN Module 8 – Sec 2.

CCNPv5 Minimizing Service Loss and Data Theft in a Campus Network 1 Minimizing Service Loss and Data Theft in a Switched BCMSN Module 8 – Sec 2.
11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.

11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 5: Inter-VLAN Routing Routing & Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 5: Inter-VLAN Routing Routing & Switching.
Ethernet and switches selected topics 1. Agenda Scaling ethernet infrastructure VLANs 2.

Ethernet and switches selected topics 1. Agenda Scaling ethernet infrastructure VLANs 2.
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Protecting Against Spoofing Attacks.

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Protecting Against Spoofing Attacks.
1 Version 3.0 Module 8 Virtual LANs. 2 Version 3.0.

1 Version 3.0 Module 8 Virtual LANs. 2 Version 3.0.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
Institute of Technology, Sligo Dept of Computing Semester 3, version 2.1.3 Semester 3 Chapter 3 VLANs.

Institute of Technology, Sligo Dept of Computing Semester 3, version Semester 3 Chapter 3 VLANs.
(part 3).  Switches, also known as switching hubs, have become an increasingly important part of our networking today, because when working with hubs,

(part 3).  Switches, also known as switching hubs, have become an increasingly important part of our networking today, because when working with hubs,
Layer 2 Security – No Longer Ignored Security Possibilities at Layer 2 Allan Alton, BSc CISA CISSP NetAnalyst UBC October 18, 2007.

Layer 2 Security – No Longer Ignored Security Possibilities at Layer 2 Allan Alton, BSc CISA CISSP NetAnalyst UBC October 18, 2007.
Virtual LANs. VLAN introduction VLANs logically segment switched networks based on the functions, project teams, or applications of the organization regardless.

Virtual LANs. VLAN introduction VLANs logically segment switched networks based on the functions, project teams, or applications of the organization regardless.
000000_1 Confidential and proprietary information of Ingram Micro Inc. — Do not distribute or duplicate without Ingram Micro's express written permission.

000000_1 Confidential and proprietary information of Ingram Micro Inc. — Do not distribute or duplicate without Ingram Micro's express written permission.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 4: Addressing in an Enterprise Network Introducing Routing and Switching in the.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 4: Addressing in an Enterprise Network Introducing Routing and Switching in the.
1 Network Admission Control to WLAN at WIT Presented by: Aidan McGrath B.Sc. M.A.

1 Network Admission Control to WLAN at WIT Presented by: Aidan McGrath B.Sc. M.A.
Secure LAN Switching Layer 2 security Introduction Port-level controls

Secure LAN Switching Layer 2 security Introduction Port-level controls

Similar presentations

Ads by Google