Seguridad de las redes informaticas wireless
pkalckbh
6 views
123 slides
Jun 06, 2024
Slide 1 of 123
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
About This Presentation
Seguridad de las redes informaticas wireless
Slide Content
1© 2009 Cisco Learning Institute.
CCNA Security
Chapter Six
Securing the Local Area Network
CCNA Security
Chapter Six
Securing the Local Area Network
222© 2009 Cisco Learning Institute.
Lesson Planning
•This lesson should take 3-4 hours to present
•The lesson should include lecture,
demonstrations, discussions and assessments
•The lesson can be taught in person or using
remote instruction
Lesson Planning
•This lesson should take 3-4 hours to present
•The lesson should include lecture,
demonstrations, discussions and assessments
•The lesson can be taught in person or using
remote instruction
333© 2009 Cisco Learning Institute.
Major Concepts
•Describe endpoint vulnerabilities and protection
methods
•Describe basic Catalyst switch vulnerabilities
•Configure and verify switch security features,
including port security and storm control
•Describe the fundamental security
considerations of Wireless, VoIP, and SANs.
Major Concepts
•Describe endpoint vulnerabilities and protection
methods
•Describe basic Catalyst switch vulnerabilities
•Configure and verify switch security features,
including port security and storm control
•Describe the fundamental security
considerations of Wireless, VoIP, and SANs.
444© 2009 Cisco Learning Institute.
Lesson Objectives
Upon completion of this lesson, the successful participant
will be able to:
1.Describe endpoint security and the enabling technologies
2.Describe how Cisco IronPort is used to ensure endpoint security
3.Describe how Cisco NAC products are used to ensure endpoint
security
4.Describe how the Cisco Security Agent is used to ensure
endpoint security
5.Describe the primary considerations for securing the Layer 2
infrastructure
6.Describe MAC address spoofing attacks and MAC address
spoofing attack mitigation
Lesson Objectives
Upon completion of this lesson, the successful participant
will be able to:
1.Describe endpoint security and the enabling technologies
2.Describe how Cisco IronPort is used to ensure endpoint security
3.Describe how Cisco NAC products are used to ensure endpoint
security
4.Describe how the Cisco Security Agent is used to ensure
endpoint security
5.Describe the primary considerations for securing the Layer 2
infrastructure
6.Describe MAC address spoofing attacks and MAC address
spoofing attack mitigation
555© 2009 Cisco Learning Institute.
Lesson Objectives
7.Describe MAC Address table overflow attacks and MAC Address
table overflow attack mitigation
8.Describe STP manipulation attacks and STP manipulation attack
mitigation
9.Describe LAN Storm attacks and LAN Storm attack mitigation
10.Describe VLAN attacks and VLAN attack mitigation
11.Describe how to configure port security
12.Describe how to verify port security
13.Describe how to configure and verify BPDU Guard and Root Guard
14.Describe how to configure and verify storm control
15.Describe and configure Cisco SPAN
16.Describe and configure Cisco RSPAN
Lesson Objectives
7.Describe MAC Address table overflow attacks and MAC Address
table overflow attack mitigation
8.Describe STP manipulation attacks and STP manipulation attack
mitigation
9.Describe LAN Storm attacks and LAN Storm attack mitigation
10.Describe VLAN attacks and VLAN attack mitigation
11.Describe how to configure port security
12.Describe how to verify port security
13.Describe how to configure and verify BPDU Guard and Root Guard
14.Describe how to configure and verify storm control
15.Describe and configure Cisco SPAN
16.Describe and configure Cisco RSPAN
666© 2009 Cisco Learning Institute.
Lesson Objectives
17.Describe the best practices for Layer 2
18.Describe the fundamental aspects of enterprise security for
advanced technologies
19.Describe the fundamental aspects of wireless security and the
enabling technologies
20.Describe wireless security solutions
21.Describe the fundamental aspects of VoIP security and the
enabling technologiesReference: CIAG course on VoIP security.
22.Describe VoIP security solutions
23.Describe the fundamental aspects of SAN security and the
enabling technologies
24.Describe SAN security solutions
Lesson Objectives
17.Describe the best practices for Layer 2
18.Describe the fundamental aspects of enterprise security for
advanced technologies
19.Describe the fundamental aspects of wireless security and the
enabling technologies
20.Describe wireless security solutions
21.Describe the fundamental aspects of VoIP security and the
enabling technologiesReference: CIAG course on VoIP security.
22.Describe VoIP security solutions
23.Describe the fundamental aspects of SAN security and the
enabling technologies
24.Describe SAN security solutions
777© 2009 Cisco Learning Institute.
Endpoint Security Considerations
•Introducing Endpoint Security
•Endpoint Security with IronPort
•Endpoint Security with Network Admission
Control
•Endpoint Security with Cisco Security Agent
Endpoint Security Considerations
•Introducing Endpoint Security
•Endpoint Security with IronPort
•Endpoint Security with Network Admission
Control
•Endpoint Security with Cisco Security Agent
888© 2009 Cisco Learning Institute.
Introducing Endpoint Security
•Securing the LAN
•Addressing Endpoint Security
•Operating Systems Basic Security Services
•Types of Application Attacks
•Cisco Systems Endpoint Security Solutions
Introducing Endpoint Security
•Securing the LAN
•Addressing Endpoint Security
•Operating Systems Basic Security Services
•Types of Application Attacks
•Cisco Systems Endpoint Security Solutions
999© 2009 Cisco Learning Institute.
Securing the LAN
IPS
MARS
VPN
ACS
Iron Port
Firewall
Web
Server
Email
ServerDNS
LAN
Hosts
Perimeter
Internet
Areas of concentration:
•Securing endpoints
•Securing network
infrastructure
Securing the LAN
IPS
MARS
VPN
ACS
Iron Port
Firewall
Web
Server
ServerDNS
LAN
Hosts
Perimeter
Internet
Areas of concentration:
•Securing endpoints
•Securing network
infrastructure
101010© 2009 Cisco Learning Institute.
Threat
Protection
Policy
Compliance
Infection
Containment
Secure
Host
Addressing Endpoint Security
Based on three elements:
•Cisco Network Admission Control (NAC)
•Endpoint protection
•Network infection containment
Threat
Protection
Policy
Compliance
Infection
Containment
Secure
Host
Addressing Endpoint Security
Based on three elements:
•Cisco Network Admission Control (NAC)
•Endpoint protection
•Network infection containment
111111© 2009 Cisco Learning Institute.
Operating Systems Basic
Security Services
•Trusted code and trusted path –ensures that the integrity
of the operating system is not violated
•Privileged context of execution –provides identity
authentication and certain privileges based on the identity
•Process memory protection and isolation –provides
separation from other users and their data
•Access control to resources –ensures confidentiality and
integrity of data
Operating Systems Basic
Security Services
•Trusted code and trusted path –ensures that the integrity
of the operating system is not violated
•Privileged context of execution –provides identity
authentication and certain privileges based on the identity
•Process memory protection and isolation –provides
separation from other users and their data
•Access control to resources –ensures confidentiality and
integrity of data
121212© 2009 Cisco Learning Institute.
Types of Application Attacks
I have gained direct
access to this
application’s privileges
I have gained access to
this system which is
trusted by the other
system, allowing me to
access it.
Indirect
Direct
Types of Application Attacks
I have gained direct
access to this
application’s privileges
I have gained access to
this system which is
trusted by the other
system, allowing me to
access it.
Indirect
Direct
131313© 2009 Cisco Learning Institute.
Cisco Systems Endpoint
Security Solutions
Cisco NAC
IronPort
Cisco Security Agent
Cisco Systems Endpoint
Security Solutions
Cisco NAC
IronPort
Cisco Security Agent
141414© 2009 Cisco Learning Institute.
Endpoint Security with IronPort
•Cisco IronPort Products
•IronPort C-Series
•Iron-Port S-Series
Endpoint Security with IronPort
•Cisco IronPort Products
•IronPort C-Series
•Iron-Port S-Series
151515© 2009 Cisco Learning Institute.
Cisco IronPort Products
IronPortproducts include:
•E-mail security appliances for virus
and spam control
•Web security appliance for spyware
filtering, URL filtering, and anti-malware
•Security management appliance
Cisco IronPort Products
IronPortproducts include:
•E-mail security appliances for virus
and spam control
•Web security appliance for spyware
filtering, URL filtering, and anti-malware
•Security management appliance
161616© 2009 Cisco Learning Institute.
IronPort C-Series
InternetInternet
Antispam
Antivirus
Policy Enforcement
Mail Routing
Before IronPort
IronPort E-mail Security Appliance
Firewall
Groupware
Users
After IronPort
Users
Groupware
Firewall
Encryption Platform
MTA
DLP
Scanner
DLP Policy
Manager
IronPort C-Series
InternetInternet
Antispam
Antivirus
Policy Enforcement
Mail Routing
Before IronPort
IronPort E-mail Security Appliance
Firewall
Groupware
Users
After IronPort
Users
Groupware
Firewall
Encryption Platform
MTA
DLP
Scanner
DLP Policy
Manager
171717© 2009 Cisco Learning Institute.
IronPort S-Series
Web Proxy
Antispyware
Antivirus
Antiphishing
URL Filtering
Policy Management
Firewall
Users
Users
Firewall
IronPort S-
Series
Before IronPort After IronPort
InternetInternet
IronPort S-Series
Web Proxy
Antispyware
Antivirus
Antiphishing
URL Filtering
Policy Management
Firewall
Users
Users
Firewall
IronPort S-
Series
Before IronPort After IronPort
InternetInternet
181818© 2009 Cisco Learning Institute.
Endpoint Security with
Network Admission Control
•Cisco NAC
•The NAC Framework
•NAC Components
•Cisco NAC Appliance Process
•Access Windows
Endpoint Security with
Network Admission Control
•Cisco NAC
•The NAC Framework
•NAC Components
•Cisco NAC Appliance Process
•Access Windows
191919© 2009 Cisco Learning Institute.
Cisco NAC
NAC Framework
•Software module
embedded within NAC-
enabled products
•Integrated framework
leveraging multiple Cisco
and NAC-aware vendor
products
•In-band Cisco NAC
Appliance solution can
be used on any switch or
router platform
•Self-contained, turnkey
solution
The purpose of NAC:
Allow only authorized and compliant systems to
access the network
To enforce network security policy
Cisco NAC Appliance
Cisco NAC
NAC Framework
•Software module
embedded within NAC-
enabled products
•Integrated framework
leveraging multiple Cisco
and NAC-aware vendor
products
•In-band Cisco NAC
Appliance solution can
be used on any switch or
router platform
•Self-contained, turnkey
solution
The purpose of NAC:
Allow only authorized and compliant systems to
access the network
To enforce network security policy
Cisco NAC Appliance
202020© 2009 Cisco Learning Institute.
The NAC Framework
AAA
Server
Credentials
Credentials
EAP/UDP,
EAP/802.1x
RADIUS
Credentials
HTTPS
Access Rights
Notification
Cisco
Trust
Agent
Comply?
Vendor
Servers
Hosts Attempting
Network Access
Network
Access
Devices Policy Server
Decision Points
and Remediation
Enforcement
The NAC Framework
AAA
Server
Credentials
Credentials
EAP/UDP,
EAP/802.1x
RADIUS
Credentials
HTTPS
Access Rights
Notification
Cisco
Trust
Agent
Comply?
Vendor
Servers
Hosts Attempting
Network Access
Network
Access
Devices Policy Server
Decision Points
and Remediation
Enforcement
212121© 2009 Cisco Learning Institute.
NAC Components
•Cisco NAS
Serves as an in-band or out-of-
band device for network access
control
•Cisco NAM
Centralizes management for
administrators, support
personnel, and operators
•Cisco NAA
Optional lightweight client for
device-based registry scans in
unmanaged environments
•Rule-set updates
Scheduled automatic updates
for antivirus, critical hotfixes,
and other applications
M
G
R
NAC Components
•Cisco NAS
Serves as an in-band or out-of-
band device for network access
control
•Cisco NAM
Centralizes management for
administrators, support
personnel, and operators
•Cisco NAA
Optional lightweight client for
device-based registry scans in
unmanaged environments
•Rule-set updates
Scheduled automatic updates
for antivirus, critical hotfixes,
and other applications
M
G
R
222222© 2009 Cisco Learning Institute.
Cisco NAC Appliance Process
THE GOAL
Intranet/
Network
2.
Host is
redirected to a login page.
Cisco NAC Appliance validates
username and password, also
performs device and network scans
to assess vulnerabilities on device.
Device is noncompliant
or login is incorrect.
Host is denied access and assigned
to a quarantine role with access to online
remediation resources.
3a.
3b.
Device is “clean”.
Machine gets on “certified
devices list” and is granted
access to network.
Cisco NAS
Cisco NAM
1.
Host attempts to access a web page or uses
an optional client.
Network access is blocked until wired or wireless
host provides login information. Authentication
Server
M
G
R
Quarantine
Role
3.
The host is authenticated and optionally
scanned for posture compliance
Cisco NAC Appliance Process
THE GOAL
Intranet/
Network
2.
Host is
redirected to a login page.
Cisco NAC Appliance validates
username and password, also
performs device and network scans
to assess vulnerabilities on device.
Device is noncompliant
or login is incorrect.
Host is denied access and assigned
to a quarantine role with access to online
remediation resources.
3a.
3b.
Device is “clean”.
Machine gets on “certified
devices list” and is granted
access to network.
Cisco NAS
Cisco NAM
1.
Host attempts to access a web page or uses
an optional client.
Network access is blocked until wired or wireless
host provides login information. Authentication
Server
M
G
R
Quarantine
Role
3.
The host is authenticated and optionally
scanned for posture compliance
232323© 2009 Cisco Learning Institute.
Access Windows
4.
Login
Screen
Scan is performed
(types of checks depend on user role)
Scan fails
Remediate
Access Windows
4.
Login
Screen
Scan is performed
(types of checks depend on user role)
Scan fails
Remediate
242424© 2009 Cisco Learning Institute.
Endpoint Security with
Cisco Security Agent
•CSA Architecture Model
•CSA Overview
•CSA Functionality
•Attack Phases
•CSA Log Messages
Endpoint Security with
Cisco Security Agent
•CSA Architecture Model
•CSA Overview
•CSA Functionality
•Attack Phases
•CSA Log Messages
252525© 2009 Cisco Learning Institute.
CSA Architecture
Management Center for
Cisco Security Agent
with Internal or External
Database
Security
Policy
Server Protected by
Cisco Security Agent
Administration
Workstation
SSL
EventsAlerts
CSA Architecture
Management Center for
Cisco Security Agent
with Internal or External
Database
Security
Policy
Server Protected by
Cisco Security Agent
Administration
Workstation
SSL
EventsAlerts
262626© 2009 Cisco Learning Institute.
CSA Overview
State
Rules and
Policies
Rules
Engine
Correlation
Engine
File System
Interceptor
Network
Interceptor
Configuration
Interceptor
Execution
Space
Interceptor
Application
Allowed
Request
Blocked
Request
CSA Overview
State
Rules and
Policies
Rules
Engine
Correlation
Engine
File System
Interceptor
Network
Interceptor
Configuration
Interceptor
Execution
Space
Interceptor
Application
Allowed
Request
Blocked
Request
272727© 2009 Cisco Learning Institute.
CSA Functionality
Security Application
Network
Interceptor
File System
Interceptor
Configuration
Interceptor
Execution
Space
Interceptor
Distributed Firewall X ― ― ―
Host Intrusion
Prevention
X ― ― X
Application
Sandbox
― X X X
Network Worm
Prevention
X ― ― X
File Integrity Monitor― X X ―
CSA Functionality
Security Application
Network
Interceptor
File System
Interceptor
Configuration
Interceptor
Execution
Space
Interceptor
Distributed Firewall X ― ― ―
Host Intrusion
Prevention
X ― ― X
Application
Sandbox
― X X X
Network Worm
Prevention
X ― ― X
File Integrity Monitor― X X ―
282828© 2009 Cisco Learning Institute.
Attack Phases
–File system interceptor
–Network interceptor
–Configuration interceptor
–Execution space
interceptor
Server
Protected by
Cisco Security
Agent
–Probe phase
•Ping scans
•Port scans
–Penetrate phase
•Transfer exploit
code to target
–Persist phase
•Install new code
•Modify
configuration
–Propagate phase
•Attack other
targets
–Paralyze phase
•Erase files
•Crash system
•Steal data
Attack Phases
–File system interceptor
–Network interceptor
–Configuration interceptor
–Execution space
interceptor
Server
Protected by
Cisco Security
Agent
–Probe phase
•Ping scans
•Port scans
–Penetrate phase
•Transfer exploit
code to target
–Persist phase
•Install new code
•Modify
configuration
–Propagate phase
•Attack other
targets
–Paralyze phase
•Erase files
•Crash system
•Steal data
292929© 2009 Cisco Learning Institute.
CSA Log Messages
CSA Log Messages
303030© 2009 Cisco Learning Institute.
Layer 2 Security Considerations
•Introduction to Layer 2 Security
•MAC Address Spoofing Attacks
•MAC Address Table Overflow Attacks
•STP Manipulation Attacks
•LAN Storm Attacks
•VLAN Attacks
Layer 2 Security Considerations
•Introduction to Layer 2 Security
•MAC Address Spoofing Attacks
•MAC Address Table Overflow Attacks
•STP Manipulation Attacks
•LAN Storm Attacks
•VLAN Attacks
313131© 2009 Cisco Learning Institute.
Introduction to Layer2 Security
•Layer 2 Security
•Overview of OSI Model
Introduction to Layer2 Security
•Layer 2 Security
•Overview of OSI Model
323232© 2009 Cisco Learning Institute.
IPS
MARS
VPN
ACS
Iron Port
Firewall
Web
Server
Email
ServerDNS
Hosts
Perimeter
Internet
Layer 2 Security
IPS
MARS
VPN
ACS
Iron Port
Firewall
Web
Server
ServerDNS
Hosts
Perimeter
Internet
Layer 2 Security
333333© 2009 Cisco Learning Institute.
OSI Model
MAC Addresses
When it comes to networking, Layer 2 is often a very weak link.
Physical Links
IP Addresses
Protocols and Ports
Application Stream
Application
Presentation
Session
Transport
Network
Data Link
Physical
Compromised
Application
Presentation
Session
Transport
Network
Data Link
Physical
Initial Compromise
OSI Model
MAC Addresses
When it comes to networking, Layer 2 is often a very weak link.
Physical Links
IP Addresses
Protocols and Ports
Application Stream
Application
Presentation
Session
Transport
Network
Data Link
Physical
Compromised
Application
Presentation
Session
Transport
Network
Data Link
Physical
Initial Compromise
343434© 2009 Cisco Learning Institute.
Layer 2 Vulnerabilities
•MAC Address Spoofing Attacks
•MAC Address Table Overflow Attacks
•STP Manipulation Attacks
•Storm Attacks
•VLAN Attacks
Layer 2 Vulnerabilities
•MAC Address Spoofing Attacks
•MAC Address Table Overflow Attacks
•STP Manipulation Attacks
•Storm Attacks
•VLAN Attacks
353535© 2009 Cisco Learning Institute.
MAC Address Spoofing Attack
MAC
Address:
AABBcc
AABBcc12AbDdSwitch Port
1 2
MAC Address:
AABBcc
Attacker
Port 1
Port 2
MAC
Address:
12AbDd
I have associated Ports 1 and 2 with
the MAC addresses of the devices
attached. Traffic destined for each
device will be forwarded directly.
The switch keeps track of the
endpoints by maintaining a
MAC address table. In MAC
spoofing, the attacker poses
as another host—in this case,
AABBcc
MAC Address Spoofing Attack
MAC
Address:
AABBcc
AABBcc12AbDdSwitch Port
1 2
MAC Address:
AABBcc
Attacker
Port 1
Port 2
MAC
Address:
12AbDd
I have associated Ports 1 and 2 with
the MAC addresses of the devices
attached. Traffic destined for each
device will be forwarded directly.
The switch keeps track of the
endpoints by maintaining a
MAC address table. In MAC
spoofing, the attacker poses
as another host—in this case,
AABBcc
363636© 2009 Cisco Learning Institute.
MAC Address Spoofing Attack
MAC
Address:
AABBcc
AABBcc
Switch Port
1 2
MAC Address:
AABBcc
Attacker
Port 1 Port 2
AABBcc
1 2
I have changed the MAC
address on my computer
to match the server.
The device with MAC
address AABBcc has
changed locations to Port2.
I must adjust my MAC
address table accordingly.
MAC Address Spoofing Attack
MAC
Address:
AABBcc
AABBcc
Switch Port
1 2
MAC Address:
AABBcc
Attacker
Port 1 Port 2
AABBcc
1 2
I have changed the MAC
address on my computer
to match the server.
The device with MAC
address AABBcc has
changed locations to Port2.
I must adjust my MAC
address table accordingly.
373737© 2009 Cisco Learning Institute.
MAC Address Table Overflow Attack
The switch can forward frames between PC1 and PC2 without
flooding because the MAC address table contains port-to-MAC-
address mappings in the MAC address table for these PCs.
MAC Address Table Overflow Attack
The switch can forward frames between PC1 and PC2 without
flooding because the MAC address table contains port-to-MAC-
address mappings in the MAC address table for these PCs.
383838© 2009 Cisco Learning Institute.
MAC Address Table Overflow Attack
A B
C D
VLAN 10
VLAN 10
Intruder runs macof
to begin sending
unknown bogus MAC
addresses.
3/25
3/25 MAC X
3/25 MAC Y
3/25 MAC Z
XYZ
flood
MAC Port
X 3/25
Y 3/25
C 3/25
Bogus addresses are
added to the CAM
table. CAM table is full.
Host C
The switch floods
the frames.
Attacker sees traffic
to servers B and D.
VLAN 10
1
2
3
4
MAC Address Table Overflow Attack
A B
C D
VLAN 10
VLAN 10
Intruder runs macof
to begin sending
unknown bogus MAC
addresses.
3/25
3/25 MAC X
3/25 MAC Y
3/25 MAC Z
XYZ
flood
MAC Port
X 3/25
Y 3/25
C 3/25
Bogus addresses are
added to the CAM
table. CAM table is full.
Host C
The switch floods
the frames.
Attacker sees traffic
to servers B and D.
VLAN 10
1
2
3
4
393939© 2009 Cisco Learning Institute.
STP Manipulation Attack
•Spanning tree protocol
operates by electing a
root bridge
•STP builds a tree topology
•STP manipulation
changes the topology of a
network—the attacking
host appears to be the
root bridge
F F
F
F
F B
Root Bridge
Priority = 8192
MAC Address=
0000.00C0.1234
STP Manipulation Attack
•Spanning tree protocol
operates by electing a
root bridge
•STP builds a tree topology
•STP manipulation
changes the topology of a
network—the attacking
host appears to be the
root bridge
F F
F
F
F B
Root Bridge
Priority = 8192
MAC Address=
0000.00C0.1234
404040© 2009 Cisco Learning Institute.
STP Manipulation Attack
Root Bridge
Priority = 8192
Root
Bridge
F
F
F
F
F B
F B
F
F
F F
Attacker The attacking host broadcasts out STP
configuration and topology change BPDUs.
This is an attempt to force spanning tree
recalculations.
STP Manipulation Attack
Root Bridge
Priority = 8192
Root
Bridge
F
F
F
F
F B
F B
F
F
F F
Attacker The attacking host broadcasts out STP
configuration and topology change BPDUs.
This is an attempt to force spanning tree
recalculations.
414141© 2009 Cisco Learning Institute.
LAN Storm Attack
Broadcast, multicast, or unicast packets are flooded on all ports in the
same VLAN.
These storms can increase the CPU utilization on a switch to 100%,
reducing the performance of the network.
Broadcast
Broadcast
Broadcast
Broadcast
Broadcast
Broadcast
LAN Storm Attack
Broadcast, multicast, or unicast packets are flooded on all ports in the
same VLAN.
These storms can increase the CPU utilization on a switch to 100%,
reducing the performance of the network.
Broadcast
Broadcast
Broadcast
Broadcast
Broadcast
Broadcast
424242© 2009 Cisco Learning Institute.
Storm Control
Total
number of
broadcast
packets
or bytes
Storm Control
Total
number of
broadcast
packets
or bytes
434343© 2009 Cisco Learning Institute.
VLAN Attacks
VLAN = Broadcast Domain = Logical Network (Subnet)
Segmentation
Flexibility
Security
VLAN Attacks
VLAN = Broadcast Domain = Logical Network (Subnet)
Segmentation
Flexibility
Security
444444© 2009 Cisco Learning Institute.
VLAN Attacks
802.1Q
ServerAttacker sees traffic destined for servers
Server
Trunk
VLAN
20
VLAN
10
A VLAN hopping attack can be launched in two ways:
•Spoofing DTP Messages from the attacking host to
cause the switch to enter trunking mode
•Introducing a rogue switch and turning trunking on
VLAN Attacks
802.1Q
ServerAttacker sees traffic destined for servers
Server
Trunk
VLAN
20
VLAN
10
A VLAN hopping attack can be launched in two ways:
•Spoofing DTP Messages from the attacking host to
cause the switch to enter trunking mode
•Introducing a rogue switch and turning trunking on
454545© 2009 Cisco Learning Institute.
The second switch
receives the packet, on
the native VLAN
Double-Tagging VLAN Attack
Attacker on
VLAN 10, but puts a 20
tag in the packet
Victim
(VLAN 20)
Note: This attack works only if the
trunk has the same native
VLAN as the attacker.
The first switch strips off the first tag and
does not retag it (native traffic is not
retagged). It then forwards the packet to
switch 2.
20
Trunk
(Native VLAN = 10)
802.1Q, Frame
1
2
3
4
The second switch
examines the packet, sees
the VLAN 20 tag and
forwards it accordingly.
The second switch
receives the packet, on
the native VLAN
Double-Tagging VLAN Attack
Attacker on
VLAN 10, but puts a 20
tag in the packet
Victim
(VLAN 20)
Note: This attack works only if the
trunk has the same native
VLAN as the attacker.
The first switch strips off the first tag and
does not retag it (native traffic is not
retagged). It then forwards the packet to
switch 2.
20
Trunk
(Native VLAN = 10)
802.1Q, Frame
1
2
3
4
The second switch
examines the packet, sees
the VLAN 20 tag and
forwards it accordingly.
464646© 2009 Cisco Learning Institute.
Configuring Switch Security
•Configuring Port Security
•Verifying Port Security
•BPDU Guard and Root Guard
•Storm Control
•VLAN Configuration
•Cisco Switched Port Analyzer
•Cisco Remote Switched Port Analyzer
•Best Practices for Layer 2
Configuring Switch Security
•Configuring Port Security
•Verifying Port Security
•BPDU Guard and Root Guard
•Storm Control
•VLAN Configuration
•Cisco Switched Port Analyzer
•Cisco Remote Switched Port Analyzer
•Best Practices for Layer 2
474747© 2009 Cisco Learning Institute.
Configuring Port Security
•Port Security Overview
•Port Security Configuration
•Switchport Port-Security Parameters
•Port-Security Violation Configuration
•Switchport Port-Security Violation Parameters
•Port Security Aging Configuration
•Switchport Port-Security Aging Parameters
•Typical Configuration
Configuring Port Security
•Port Security Overview
•Port Security Configuration
•Switchport Port-Security Parameters
•Port-Security Violation Configuration
•Switchport Port-Security Violation Parameters
•Port Security Aging Configuration
•Switchport Port-Security Aging Parameters
•Typical Configuration
484848© 2009 Cisco Learning Institute.
Port Security Overview
MAC A
MAC A
Port 0/1 allows MAC A
Port 0/2 allows MAC B
Port 0/3 allows MAC C
Attacker 1
Attacker 2
0/1
0/2
0/3
MAC F
Allows an administrator to statically specify MAC
Addresses for a port or to permit the switch to
dynamically learn a limited number of MAC
addresses
Port Security Overview
MAC A
MAC A
Port 0/1 allows MAC A
Port 0/2 allows MAC B
Port 0/3 allows MAC C
Attacker 1
Attacker 2
0/1
0/2
0/3
MAC F
Allows an administrator to statically specify MAC
Addresses for a port or to permit the switch to
dynamically learn a limited number of MAC
addresses
494949© 2009 Cisco Learning Institute.
CLI Commands
switchport mode access
Switch(config-if)#
•Sets the interface mode as access
switchport port-security
Switch(config-if)#
•Enables port security on the interface
switchport port-security maximum value
Switch(config-if)#
•Sets the maximum number of secure MAC addresses for
the interface (optional)
CLI Commands
switchport mode access
Switch(config-if)#
•Sets the interface mode as access
switchport port-security
Switch(config-if)#
•Enables port security on the interface
switchport port-security maximum value
Switch(config-if)#
•Sets the maximum number of secure MAC addresses for
the interface (optional)
505050© 2009 Cisco Learning Institute.
Switchport Port-Security Parameters
Parameter Description
mac-addressmac-address(Optional) Specify a secure MAC address for the port by entering a 48-bit MAC aaddress. You can add additional
secure MAC addresses up to the maximum value configured.
vlan vlan-id (Optional) On a trunk port only, specify the VLAN ID and the MAC address. If no VLAN ID is specified, the native
VLAN is used.
vlan access (Optional) On an access port only, specify the VLAN as an access VLAN.
vlan voice (Optional) On an access port only, specify the VLAN as a voice VLAN
mac-address sticky
[mac-address]
(Optional) Enable the interface for sticky learning by entering only the mac-address stickykeywords. When sticky
learning is enabled, the interface adds all secure MAC addresses that are dynamically learned to the running
configuration and converts these addresses to sticky secure MAC addresses.
Specify a sticky secure MAC address by entering the mac-address sticky mac-address keywords..
maximumvalue (Optional) Set the maximum number of secure MAC addresses for the interface. The maximum number of secure
MAC addresses that you can configure on a switch is set by the maximum number of available MAC
addresses allowed in the system. The active Switch Database Management (SDM) template determines this
number. This number represents the total of available MAC addresses, including those used for other Layer 2
functions and any other secure MAC addresses configured on interfaces.
The default setting is 1.
vlan [vlan-list] (Optional) For trunk ports, you can set the maximum number of secure MAC addresses on a VLAN. If the vlan
keyword is not entered, the default value is used.
nvlan:set a per-VLAN maximum value.
nvlan vlan-list:set a per-VLAN maximum value on a range of VLANs separated by a hyphen or a series of
VLANs separated by commas. For nonspecified VLANs, the per-VLAN maximum value is used.
Switchport Port-Security Parameters
Parameter Description
mac-addressmac-address(Optional) Specify a secure MAC address for the port by entering a 48-bit MAC aaddress. You can add additional
secure MAC addresses up to the maximum value configured.
vlan vlan-id (Optional) On a trunk port only, specify the VLAN ID and the MAC address. If no VLAN ID is specified, the native
VLAN is used.
vlan access (Optional) On an access port only, specify the VLAN as an access VLAN.
vlan voice (Optional) On an access port only, specify the VLAN as a voice VLAN
mac-address sticky
[mac-address]
(Optional) Enable the interface for sticky learning by entering only the mac-address stickykeywords. When sticky
learning is enabled, the interface adds all secure MAC addresses that are dynamically learned to the running
configuration and converts these addresses to sticky secure MAC addresses.
Specify a sticky secure MAC address by entering the mac-address sticky mac-address keywords..
maximumvalue (Optional) Set the maximum number of secure MAC addresses for the interface. The maximum number of secure
MAC addresses that you can configure on a switch is set by the maximum number of available MAC
addresses allowed in the system. The active Switch Database Management (SDM) template determines this
number. This number represents the total of available MAC addresses, including those used for other Layer 2
functions and any other secure MAC addresses configured on interfaces.
The default setting is 1.
vlan [vlan-list] (Optional) For trunk ports, you can set the maximum number of secure MAC addresses on a VLAN. If the vlan
keyword is not entered, the default value is used.
nvlan:set a per-VLAN maximum value.
nvlan vlan-list:set a per-VLAN maximum value on a range of VLANs separated by a hyphen or a series of
VLANs separated by commas. For nonspecified VLANs, the per-VLAN maximum value is used.
515151© 2009 Cisco Learning Institute.
Port Security Violation Configuration
switchport port-security mac-address sticky
Switch(config-if)#
•Enables sticky learning on the interface (optional)
switchport port-security violation {protect |
restrict | shutdown}
Switch(config-if)#
•Sets the violation mode (optional)
switchport port-security mac-address mac-address
Switch(config-if)#
•Enters a static secure MAC address for the interface
(optional)
Port Security Violation Configuration
switchport port-security mac-address sticky
Switch(config-if)#
•Enables sticky learning on the interface (optional)
switchport port-security violation {protect |
restrict | shutdown}
Switch(config-if)#
•Sets the violation mode (optional)
switchport port-security mac-address mac-address
Switch(config-if)#
•Enters a static secure MAC address for the interface
(optional)
525252© 2009 Cisco Learning Institute.
Switchport Port-Security Violation
Parameters
ParameterDescription
protect (Optional) Set the security violation protect mode. When the number of secure MAC
addresses reaches the limit allowed on the port, packets with unknown source
addresses are dropped until you remove a sufficient number of secure MAC addresses
or increase the number of maximum allowable addresses. You are not notified that a
security violation has occurred.
restrict (Optional) Set the security violation restrict mode. When the number of secure MAC
addresses reaches the limit allowed on the port, packets with unknown source
addresses are dropped until you remove a sufficient number of secure MAC addresses
or increase the number of maximum allowable addresses. In this mode, you are notified
that a security violation has occurred.
shutdown (Optional) Set the security violation shutdown mode. In this mode, a port security
violation causes the interface to immediately become error-disabled and turns off the
port LED. It also sends an SNMP trap, logs a syslog message, and increments the
violation counter. When a secure port is in the error-disabled state, you can bring it out
of this state by entering the errdisable recovery causepsecure-violationglobal
configuration command, or you can manually re-enable it by entering the shutdownand
no shut downinterface configuration commands.
shutdown
vlan
Set the security violation mode to per-VLAN shutdown. In this mode, only the VLAN on
which the violation occurred is error-disabled.
Switchport Port-Security Violation
Parameters
ParameterDescription
protect (Optional) Set the security violation protect mode. When the number of secure MAC
addresses reaches the limit allowed on the port, packets with unknown source
addresses are dropped until you remove a sufficient number of secure MAC addresses
or increase the number of maximum allowable addresses. You are not notified that a
security violation has occurred.
restrict (Optional) Set the security violation restrict mode. When the number of secure MAC
addresses reaches the limit allowed on the port, packets with unknown source
addresses are dropped until you remove a sufficient number of secure MAC addresses
or increase the number of maximum allowable addresses. In this mode, you are notified
that a security violation has occurred.
shutdown (Optional) Set the security violation shutdown mode. In this mode, a port security
violation causes the interface to immediately become error-disabled and turns off the
port LED. It also sends an SNMP trap, logs a syslog message, and increments the
violation counter. When a secure port is in the error-disabled state, you can bring it out
of this state by entering the errdisable recovery causepsecure-violationglobal
configuration command, or you can manually re-enable it by entering the shutdownand
no shut downinterface configuration commands.
shutdown
vlan
Set the security violation mode to per-VLAN shutdown. In this mode, only the VLAN on
which the violation occurred is error-disabled.
535353© 2009 Cisco Learning Institute.
Port Security Aging Configuration
switchport port-security aging {static | time time|
type {absolute | inactivity}}
Switch(config-if)#
•Enables or disables static aging for the secure port or
sets the aging time or type
Port Security Aging Configuration
switchport port-security aging {static | time time|
type {absolute | inactivity}}
Switch(config-if)#
•Enables or disables static aging for the secure port or
sets the aging time or type
545454© 2009 Cisco Learning Institute.
Switchport Port-Security
Aging Parameters
Parameter Description
static Enable aging for statically configured secure
addresses on this port.
time time Specify the aging time for this port. The range is 0 to
1440 minutes. If the time is 0, aging is disabled for
this port.
type absolute Set absolute aging type. All the secure addresses
on this port age out exactly after the time (minutes)
specified and are removed from the secure address
list.
type inactivity Set the inactivity aging type. The secure addresses
on this port age out only if there is no data traffic
from the secure source address for the specified
time period.
Switchport Port-Security
Aging Parameters
Parameter Description
static Enable aging for statically configured secure
addresses on this port.
time time Specify the aging time for this port. The range is 0 to
1440 minutes. If the time is 0, aging is disabled for
this port.
type absolute Set absolute aging type. All the secure addresses
on this port age out exactly after the time (minutes)
specified and are removed from the secure address
list.
type inactivity Set the inactivity aging type. The secure addresses
on this port age out only if there is no data traffic
from the secure source address for the specified
time period.
555555© 2009 Cisco Learning Institute.
Typical Configuration
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security violation shutdown
switchport port-security mac-address sticky
switchport port-security aging time 120
Switch(config-if)#
S2
PC B
Typical Configuration
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security violation shutdown
switchport port-security mac-address sticky
switchport port-security aging time 120
Switch(config-if)#
S2
PC B
565656© 2009 Cisco Learning Institute.
Verifying Port Security
•CLI Commands
•View Secure MAC Addresses
•MAC Address Notification
Verifying Port Security
•CLI Commands
•View Secure MAC Addresses
•MAC Address Notification
575757© 2009 Cisco Learning Institute.
CLI Commands
sw-class# show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
---------------------------------------------------------------------------
Fa0/12 2 0 0 Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024
sw-class# show port-security interface f0/12
Port Security : Enabled
Port status : Secure -down
Violation mode : Shutdown
Maximum MAC Addresses : 2
Total MAC Addresses : 1
Configured MAC Addresses : 0
Aging time : 120 mins
Aging type : Absolute
SecureStatic address aging : Disabled
Security Violation Count : 0
CLI Commands
sw-class# show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
---------------------------------------------------------------------------
Fa0/12 2 0 0 Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024
sw-class# show port-security interface f0/12
Port Security : Enabled
Port status : Secure -down
Violation mode : Shutdown
Maximum MAC Addresses : 2
Total MAC Addresses : 1
Configured MAC Addresses : 0
Aging time : 120 mins
Aging type : Absolute
SecureStatic address aging : Disabled
Security Violation Count : 0
585858© 2009 Cisco Learning Institute.
View Secure MAC Addresses
sw-class# show port-security address
Secure Mac Address Table
-------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
1 0000.ffff.aaaa SecureConfigured Fa0/12 -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024
View Secure MAC Addresses
sw-class# show port-security address
Secure Mac Address Table
-------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
1 0000.ffff.aaaa SecureConfigured Fa0/12 -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024
595959© 2009 Cisco Learning Institute.
MAC Address Notification
MAC address notificationallows monitoring of the MAC
addresses, at the module and port level, added by the switch
or removed from the CAM table for secure ports.
NMS
MAC A
MAC B
F1/1 = MAC A
F1/2 = MAC B
F2/1 = MAC D
(address ages out)
Switch CAM Table
SNMP traps sent to
NMS when new MAC
addresses appear or
when old ones time out.
MAC D is away
from the network.
F1/2
F1/1
F2/1
MAC Address Notification
MAC address notificationallows monitoring of the MAC
addresses, at the module and port level, added by the switch
or removed from the CAM table for secure ports.
NMS
MAC A
MAC B
F1/1 = MAC A
F1/2 = MAC B
F2/1 = MAC D
(address ages out)
Switch CAM Table
SNMP traps sent to
NMS when new MAC
addresses appear or
when old ones time out.
MAC D is away
from the network.
F1/2
F1/1
F2/1
606060© 2009 Cisco Learning Institute.
BPDU Guard and Root Guard
•Configure Portfast
•BPDU Guard
•Display the State of Spanning Tree
•Root Guard
•Verify Root Guard
BPDU Guard and Root Guard
•Configure Portfast
•BPDU Guard
•Display the State of Spanning Tree
•Root Guard
•Verify Root Guard
616161© 2009 Cisco Learning Institute.
Configure Portfast
Command Description
Switch(config-if)# spanning-
tree portfast
Enables PortFast on a Layer 2 access port and forces it to
enter the forwarding stateimmediately.
Switch(config-if)# no
spanning-tree portfast
Disables PortFast on a Layer 2 access port. PortFast is
disabled by default.
Switch(config)# spanning-tree
portfast default
Globally enables the PortFast feature on all nontrunking
ports.
Switch#show running-config
interface typeslot/port
Indicates whether PortFast has been configured on a port.
Server Workstation
Configure Portfast
Command Description
Switch(config-if)# spanning-
tree portfast
Enables PortFast on a Layer 2 access port and forces it to
enter the forwarding stateimmediately.
Switch(config-if)# no
spanning-tree portfast
Disables PortFast on a Layer 2 access port. PortFast is
disabled by default.
Switch(config)# spanning-tree
portfast default
Globally enables the PortFast feature on all nontrunking
ports.
Switch#show running-config
interface typeslot/port
Indicates whether PortFast has been configured on a port.
Server Workstation
626262© 2009 Cisco Learning Institute.
BPDU Guard
Switch(config)#
spanning-tree portfast bpduguard default
•Globally enables BPDU guard on all ports with PortFast
enabled
F F
F
F
F B
Root
Bridge
BPDU
Guard
Enabled
Attacker
STP
BPDU
BPDU Guard
Switch(config)#
spanning-tree portfast bpduguard default
•Globally enables BPDU guard on all ports with PortFast
enabled
F F
F
F
F B
Root
Bridge
BPDU
Guard
Enabled
Attacker
STP
BPDU
636363© 2009 Cisco Learning Institute.
Display the State of Spanning Tree
Switch# show spanning-tree summary totals
Root bridge for: none.
PortFast BPDU Guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Spanning tree default pathcost method used is short
Name Blocking Listening Learning Forwarding STP Active
-------------------- ---------------------------------------------
1 VLAN 0 0 0 1 1
<output omitted>
Display the State of Spanning Tree
Switch# show spanning-tree summary totals
Root bridge for: none.
PortFast BPDU Guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Spanning tree default pathcost method used is short
Name Blocking Listening Learning Forwarding STP Active
-------------------- ---------------------------------------------
1 VLAN 0 0 0 1 1
<output omitted>
646464© 2009 Cisco Learning Institute.
Root Guard
Switch(config-if)#
spanning-tree guard root
•Enables root guard on a per-interface basis
Root Bridge
Priority = 0
MAC Address =
0000.0c45.1a5d
F F
F
F
F B
F
STP BPDU
Priority = 0
MAC Address = 0000.0c45.1234
Root
Guard
Enabled
Attacker
Root Guard
Switch(config-if)#
spanning-tree guard root
•Enables root guard on a per-interface basis
Root Bridge
Priority = 0
MAC Address =
0000.0c45.1a5d
F F
F
F
F B
F
STP BPDU
Priority = 0
MAC Address = 0000.0c45.1234
Root
Guard
Enabled
Attacker
656565© 2009 Cisco Learning Institute.
Verify Root Guard
Switch# show spanning-tree inconsistentports
Name Interface Inconsistency
-------------------- ---------------------- ------------------
VLAN0001 FastEthernet3/1 Port Type Inconsistent
VLAN0001 FastEthernet3/2 Port Type Inconsistent
VLAN1002 FastEthernet3/1 Port Type Inconsistent
VLAN1002 FastEthernet3/2 Port Type Inconsistent
VLAN1003 FastEthernet3/1 Port Type Inconsistent
VLAN1003 FastEthernet3/2 Port Type Inconsistent
VLAN1004 FastEthernet3/1 Port Type Inconsistent
VLAN1004 FastEthernet3/2 Port Type Inconsistent
VLAN1005 FastEthernet3/1 Port Type Inconsistent
VLAN1005 FastEthernet3/2 Port Type Inconsistent
Number of inconsistent ports (segments) in the system :10
Verify Root Guard
Switch# show spanning-tree inconsistentports
Name Interface Inconsistency
-------------------- ---------------------- ------------------
VLAN0001 FastEthernet3/1 Port Type Inconsistent
VLAN0001 FastEthernet3/2 Port Type Inconsistent
VLAN1002 FastEthernet3/1 Port Type Inconsistent
VLAN1002 FastEthernet3/2 Port Type Inconsistent
VLAN1003 FastEthernet3/1 Port Type Inconsistent
VLAN1003 FastEthernet3/2 Port Type Inconsistent
VLAN1004 FastEthernet3/1 Port Type Inconsistent
VLAN1004 FastEthernet3/2 Port Type Inconsistent
VLAN1005 FastEthernet3/1 Port Type Inconsistent
VLAN1005 FastEthernet3/2 Port Type Inconsistent
Number of inconsistent ports (segments) in the system :10
666666© 2009 Cisco Learning Institute.
Storm Control
•Methods
•Configuration
•Parameters
•Verifying Settings
Storm Control
•Methods
•Configuration
•Parameters
•Verifying Settings
676767© 2009 Cisco Learning Institute.
Storm Control Methods
•Bandwidth as a percentage of the total available
bandwidth of the port that can be used by the broadcast,
multicast, or unicast traffic
•Traffic rate in packets per second at which broadcast,
multicast, or unicast packets are received
•Traffic rate in bits per second at which broadcast,
multicast, or unicast packets are received
•Traffic rate in packets per second and for small frames.
This feature is enabled globally. The threshold for small
frames is configured for each interface.
Storm Control Methods
•Bandwidth as a percentage of the total available
bandwidth of the port that can be used by the broadcast,
multicast, or unicast traffic
•Traffic rate in packets per second at which broadcast,
multicast, or unicast packets are received
•Traffic rate in bits per second at which broadcast,
multicast, or unicast packets are received
•Traffic rate in packets per second and for small frames.
This feature is enabled globally. The threshold for small
frames is configured for each interface.
686868© 2009 Cisco Learning Institute.
Storm Control Configuration
•Enables storm control
•Specifies the level at which it is enabled
•Specifies the action that should take place when the
threshold (level) is reached, in addition to filtering traffic
Switch(config-if)# storm-control broadcast level 75.5
Switch(config-if)# storm-control multicast level pps
2k 1k
Switch(config-if)# storm-control action shutdown
Storm Control Configuration
•Enables storm control
•Specifies the level at which it is enabled
•Specifies the action that should take place when the
threshold (level) is reached, in addition to filtering traffic
Switch(config-if)# storm-control broadcast level 75.5
Switch(config-if)# storm-control multicast level pps
2k 1k
Switch(config-if)# storm-control action shutdown
696969© 2009 Cisco Learning Institute.
Storm Control Parameters
Parameter Description
broadcast This parameter enables broadcast storm control on the interface.
multicast This parameter enables multicast storm control on the interface.
unicast This parameter enables unicast storm control on the interface.
level level [level-low] Rising and falling suppression levels as a percentage of total bandwidth of the port.
•level: Rising suppression level. The range is 0.00 to 100.00. Block the flooding of
storm packets when the value specified for level is reached.
•level-low: (Optional) Falling suppression level, up to two decimal places. This
value must be less than or equal to the rising suppression value.
level bps bps [bps-low] Specify the rising and falling suppression levels as a rate in bits per second at which
traffic is received on the port.
•bps: Rising suppression level. The range is 0.0 to 10000000000.0. Block the
flooding of storm packets when the value specified for bps is reached.
•bps-low: (Optional) Falling suppression level, up to one decimal place. This value
must be equal to or less than the rising suppression value.
level pps pps [pps-low] Specify the rising and falling suppression levels as a rate in packets per second at
which traffic is received on the port.
•pps:Rising suppression level. The range is 0.0 to 10000000000.0. Block the
flooding of storm packets when the value specified for pps is reached.
•pps-low: (Optional) Falling suppression level, up to one decimal place. This value
must be equal to or less than the rising suppression value.
action {shutdown|trap} The action taken when a storm occurs on a port. The default action is to filter traffic
and to not send an SNMP trap.
The keywords have these meanings:
•shutdown:Disables the port during a storm
•trap:Sends an SNMP trap when a storm occurs
Storm Control Parameters
Parameter Description
broadcast This parameter enables broadcast storm control on the interface.
multicast This parameter enables multicast storm control on the interface.
unicast This parameter enables unicast storm control on the interface.
level level [level-low] Rising and falling suppression levels as a percentage of total bandwidth of the port.
•level: Rising suppression level. The range is 0.00 to 100.00. Block the flooding of
storm packets when the value specified for level is reached.
•level-low: (Optional) Falling suppression level, up to two decimal places. This
value must be less than or equal to the rising suppression value.
level bps bps [bps-low] Specify the rising and falling suppression levels as a rate in bits per second at which
traffic is received on the port.
•bps: Rising suppression level. The range is 0.0 to 10000000000.0. Block the
flooding of storm packets when the value specified for bps is reached.
•bps-low: (Optional) Falling suppression level, up to one decimal place. This value
must be equal to or less than the rising suppression value.
level pps pps [pps-low] Specify the rising and falling suppression levels as a rate in packets per second at
which traffic is received on the port.
•pps:Rising suppression level. The range is 0.0 to 10000000000.0. Block the
flooding of storm packets when the value specified for pps is reached.
•pps-low: (Optional) Falling suppression level, up to one decimal place. This value
must be equal to or less than the rising suppression value.
action {shutdown|trap} The action taken when a storm occurs on a port. The default action is to filter traffic
and to not send an SNMP trap.
The keywords have these meanings:
•shutdown:Disables the port during a storm
•trap:Sends an SNMP trap when a storm occurs
707070© 2009 Cisco Learning Institute.
Verify Storm Control Settings
Switch# show storm-control
Interface Filter State Upper Lower Current
--------- ------------- ---------- --------- --------
-Gi0/1 Forwarding 20 pps 10 pps 5 pps
Gi0/2 Forwarding 50.00% 40.00% 0.00%
<output omitted>
Verify Storm Control Settings
Switch# show storm-control
Interface Filter State Upper Lower Current
--------- ------------- ---------- --------- --------
-Gi0/1 Forwarding 20 pps 10 pps 5 pps
Gi0/2 Forwarding 50.00% 40.00% 0.00%
<output omitted>
717171© 2009 Cisco Learning Institute.
VLAN Configuration
•Mitigating VLAN Attacks
•Controlling Trunking
VLAN Configuration
•Mitigating VLAN Attacks
•Controlling Trunking
727272© 2009 Cisco Learning Institute.
Trunk
(Native VLAN = 10)
1.Disable trunking on all access
ports.
2.Disable auto trunking and manually
enable trunking
3.Be sure that the native VLAN is
used only for trunk lines and no
where else
Mitigating VLAN Attacks
Trunk
(Native VLAN = 10)
1.Disable trunking on all access
ports.
2.Disable auto trunking and manually
enable trunking
3.Be sure that the native VLAN is
used only for trunk lines and no
where else
Mitigating VLAN Attacks
737373© 2009 Cisco Learning Institute.
switchport mode trunk
switchport trunk native vlan vlan_number
switchport nonegotiate
.
Switch(config-if)#
•Specifies an interface as a trunk link
Switch(config-if)#
•Prevents the generation of DTP frames.
Switch(config-if)#
•Set the native VLAN on the trunk to an unused VLAN
Controlling Trunking
switchport mode trunk
switchport trunk native vlan vlan_number
switchport nonegotiate
.
Switch(config-if)#
•Specifies an interface as a trunk link
Switch(config-if)#
•Prevents the generation of DTP frames.
Switch(config-if)#
•Set the native VLAN on the trunk to an unused VLAN
Controlling Trunking
747474© 2009 Cisco Learning Institute.
Cisco Switched Port Analyzer
•Traffic Analysis
•CLI Commands
•SPAN and IDS
Cisco Switched Port Analyzer
•Traffic Analysis
•CLI Commands
•SPAN and IDS
757575© 2009 Cisco Learning Institute.
Traffic Analysis
A SPAN port mirrors traffic to
another port where a
monitoring device is
connected.
Without this, it can be difficult
to track hackers after they
have entered the network.
“Intruder
Alert!”
Attacker
IDS
RMON Probe
Protocol Analyzer
Traffic Analysis
A SPAN port mirrors traffic to
another port where a
monitoring device is
connected.
Without this, it can be difficult
to track hackers after they
have entered the network.
“Intruder
Alert!”
Attacker
IDS
RMON Probe
Protocol Analyzer
767676© 2009 Cisco Learning Institute.
CLI Commands
monitor session session_numbersource{interface
interface-id[,|-] [both|rx| tx]} | {vlanvlan-
id[, | -] [both| rx| tx]}| {remote vlanvlan-id}
monitor session session_numberdestination
{interfaceinterface-id[,| -] [encapsulation
replicate] [ingress {dot1q vlanvlan-id| isl|
untagged vlanvlan-id| vlanvlan-id}]} | {remote
vlanvlan-id}
Switch(config)#
Switch(config)#
CLI Commands
monitor session session_numbersource{interface
interface-id[,|-] [both|rx| tx]} | {vlanvlan-
id[, | -] [both| rx| tx]}| {remote vlanvlan-id}
monitor session session_numberdestination
{interfaceinterface-id[,| -] [encapsulation
replicate] [ingress {dot1q vlanvlan-id| isl|
untagged vlanvlan-id| vlanvlan-id}]} | {remote
vlanvlan-id}
Switch(config)#
Switch(config)#
777777© 2009 Cisco Learning Institute.
Verify SPAN Configuration
Verify SPAN Configuration
787878© 2009 Cisco Learning Institute.
SPAN and IDS
Attacker
IDS
Use SPAN to
mirror traffic in
and out of port
F0/1 to port
F0/2.
F0/1
F0/2
SPAN and IDS
Attacker
IDS
Use SPAN to
mirror traffic in
and out of port
F0/1 to port
F0/2.
F0/1
F0/2
797979© 2009 Cisco Learning Institute.
Cisco Remote Switched Port Analyzer
•Overview
•Configuring RSPAN
•Verifying RSPAN Configuration
Cisco Remote Switched Port Analyzer
•Overview
•Configuring RSPAN
•Verifying RSPAN Configuration
808080© 2009 Cisco Learning Institute.
Overview
•An RSPAN port mirrors traffic
to another port on another
switch where a probe or IDS
sensor is connected.
•This allows more switches to
be monitored with a single
probe or IDS.
“Intruder
Alert!”
Attacker
IDS
RSPAN VLAN
Source VLAN
Source VLAN
Source VLAN
Overview
•An RSPAN port mirrors traffic
to another port on another
switch where a probe or IDS
sensor is connected.
•This allows more switches to
be monitored with a single
probe or IDS.
“Intruder
Alert!”
Attacker
IDS
RSPAN VLAN
Source VLAN
Source VLAN
Source VLAN
818181© 2009 Cisco Learning Institute.
Configuring RSPAN
2960-1 2960-2
2960-1(config)# vlan 100
2960-1(config-vlan)# remote-span
2960-1(config-vlan)# exit
2960-1(config)# monitor session 1 source interface FastEthernet 0/1
2960-1(config)# monitor session 1 destination remote vlan 100
reflector-port FastEthernet 0/24
2960-1(config)# interface FastEthernet 0/2
2960-1(config-if)# switchport mode trunk
2960-2(config)# monitor session 2 source remote vlan 100
2960-2(config)# monitor session 2 destination interface FastEthernet 0/3
2960-2(config)# interface FastEthernet 0/2
2960-2(config-if)# switchport mode trunk
1. Configure the RPSAN VLAN
2. Configure the RSPAN source ports and VLANs
3. Configure the RSPAN traffic to be forwarded
Configuring RSPAN
2960-1 2960-2
2960-1(config)# vlan 100
2960-1(config-vlan)# remote-span
2960-1(config-vlan)# exit
2960-1(config)# monitor session 1 source interface FastEthernet 0/1
2960-1(config)# monitor session 1 destination remote vlan 100
reflector-port FastEthernet 0/24
2960-1(config)# interface FastEthernet 0/2
2960-1(config-if)# switchport mode trunk
2960-2(config)# monitor session 2 source remote vlan 100
2960-2(config)# monitor session 2 destination interface FastEthernet 0/3
2960-2(config)# interface FastEthernet 0/2
2960-2(config-if)# switchport mode trunk
1. Configure the RPSAN VLAN
2. Configure the RSPAN source ports and VLANs
3. Configure the RSPAN traffic to be forwarded
828282© 2009 Cisco Learning Institute.
Verifying RSPAN Configuration
show monitor[session{session_number| all| local
| range list | remote} [detail]] [ |{begin| exclude
| include}expression]
2960-1 2960-2
Verifying RSPAN Configuration
show monitor[session{session_number| all| local
| range list | remote} [detail]] [ |{begin| exclude
| include}expression]
2960-1 2960-2
838383© 2009 Cisco Learning Institute.
Best Practices
•Layer 2 Guidelines
•VLAN Practices
Best Practices
•Layer 2 Guidelines
•VLAN Practices
848484© 2009 Cisco Learning Institute.
Layer 2 Guidelines
•Manage switches in as secure a manner as possible
(SSH, out-of-band management, ACLs, etc.)
•Set all user ports to non-trunking mode (except if using
Cisco VoIP)
•Use port security where possible for access ports
•Enable STP attack mitigation (BPDU guard, root guard)
•Use Cisco Discovery Protocol only where necessary –
with phones it is useful
•Configure PortFast on all non-trunking ports
•Configure root guard on STP root ports
•Configure BPDU guard on all non-trunking ports
Layer 2 Guidelines
•Manage switches in as secure a manner as possible
(SSH, out-of-band management, ACLs, etc.)
•Set all user ports to non-trunking mode (except if using
Cisco VoIP)
•Use port security where possible for access ports
•Enable STP attack mitigation (BPDU guard, root guard)
•Use Cisco Discovery Protocol only where necessary –
with phones it is useful
•Configure PortFast on all non-trunking ports
•Configure root guard on STP root ports
•Configure BPDU guard on all non-trunking ports
858585© 2009 Cisco Learning Institute.
VLAN Practices
•Always use a dedicated, unused native VLAN ID for
trunk ports
•Do not use VLAN 1 for anything
•Disable all unused ports and put them in an unused
VLAN
•Manually configure all trunk ports and disable DTP on
trunk ports
•Configure all non-trunking ports with switchport mode
access
VLAN Practices
•Always use a dedicated, unused native VLAN ID for
trunk ports
•Do not use VLAN 1 for anything
•Disable all unused ports and put them in an unused
VLAN
•Manually configure all trunk ports and disable DTP on
trunk ports
•Configure all non-trunking ports with switchport mode
access
868686© 2009 Cisco Learning Institute.
Wireless, VoIP, and SAN Security
•Enterprise Advanced Technology Security
Considerations
•Wireless Security Considerations
•Wireless Security Solutions
•VoIP Security Considerations
•VoIP Security Solutions
•SAN Security Considerations
•SAN Security Solutions
Wireless, VoIP, and SAN Security
•Enterprise Advanced Technology Security
Considerations
•Wireless Security Considerations
•Wireless Security Solutions
•VoIP Security Considerations
•VoIP Security Solutions
•SAN Security Considerations
•SAN Security Solutions
878787© 2009 Cisco Learning Institute.
Enterprise Advanced Technology
Security Considerations
•Topology Overview
•Infrastructure-Integrated Approach
•Cisco IP Telephony Solutions
•Storage Network Solutions
Enterprise Advanced Technology
Security Considerations
•Topology Overview
•Infrastructure-Integrated Approach
•Cisco IP Telephony Solutions
•Storage Network Solutions
888888© 2009 Cisco Learning Institute.
Overview
Wireless
VoIP
Overview
Wireless
VoIP
898989© 2009 Cisco Learning Institute.
Overview
SAN
Overview
SAN
909090© 2009 Cisco Learning Institute.
Infrastructure-Integrated Approach
•Proactive threat and intrusion
detection capabilities that do
not simply detect wireless
attacks but prevent them
•Comprehensive protection to
safeguard confidential data and
communications
•Simplified user management
with a single user identity and
policy
•Collaboration with wired
security systems
Infrastructure-Integrated Approach
•Proactive threat and intrusion
detection capabilities that do
not simply detect wireless
attacks but prevent them
•Comprehensive protection to
safeguard confidential data and
communications
•Simplified user management
with a single user identity and
policy
•Collaboration with wired
security systems
919191© 2009 Cisco Learning Institute.
Cisco IP Telephony Solutions
•Single-site deployment
•Centralized call
processing with remote
branches
•Distributed call-
processing deployment
•Clustering over the
IPWAN
Cisco IP Telephony Solutions
•Single-site deployment
•Centralized call
processing with remote
branches
•Distributed call-
processing deployment
•Clustering over the
IPWAN
929292© 2009 Cisco Learning Institute.
Storage Network Solutions
•Investment
protection
•Virtualization
•Security
•Consolidation
•Availability
Storage Network Solutions
•Investment
protection
•Virtualization
•Security
•Consolidation
•Availability
939393© 2009 Cisco Learning Institute.
Wireless Security Considerations
•Cisco Wireless LAN Controllers
•Wireless Hacking
•Hacking Tools
•Security Considerations
Wireless Security Considerations
•Cisco Wireless LAN Controllers
•Wireless Hacking
•Hacking Tools
•Security Considerations
949494© 2009 Cisco Learning Institute.
Cisco Wireless LAN Controllers
•Responsible for system-wide wireless LAN
functions
•Work in conjunction with Aps and the Cisco
Wireless Control System (WCS) to support
wireless applications
•Smoothly integrate into existing enterprise
networks
Cisco Wireless LAN Controllers
•Responsible for system-wide wireless LAN
functions
•Work in conjunction with Aps and the Cisco
Wireless Control System (WCS) to support
wireless applications
•Smoothly integrate into existing enterprise
networks
959595© 2009 Cisco Learning Institute.
Wireless Hacking
•War driving
•A neighbor hacks into
another neighbor’s
wireless network to get
free Internet access or
access information
•Free Wi-Fi provides an
opportunity to
compromise the data of
users
Wireless Hacking
•War driving
•A neighbor hacks into
another neighbor’s
wireless network to get
free Internet access or
access information
•Free Wi-Fi provides an
opportunity to
compromise the data of
users
969696© 2009 Cisco Learning Institute.
Hacking Tools
•Network Stumbler
•Kismet
•AirSnort
•CoWPAtty
•ASLEAP
•Wireshark
Hacking Tools
•Network Stumbler
•Kismet
•AirSnort
•CoWPAtty
•ASLEAP
•Wireshark
979797© 2009 Cisco Learning Institute.
Safety Considerations
•Wireless networks using WEP or WPA/TKIP are
not very secure and vulnerable to hacking
attacks.
•Wireless networks using WPA2/AES should
have a passphrase of at least 21 characters
long.
•If an IPsec VPN is available, use it on any public
wireless LAN.
•If wireless access is not needed, disable the
wireless radio or wireless NIC.
Safety Considerations
•Wireless networks using WEP or WPA/TKIP are
not very secure and vulnerable to hacking
attacks.
•Wireless networks using WPA2/AES should
have a passphrase of at least 21 characters
long.
•If an IPsec VPN is available, use it on any public
wireless LAN.
•If wireless access is not needed, disable the
wireless radio or wireless NIC.
989898© 2009 Cisco Learning Institute.
VoIP Security Considerations
•VoIP Business Advantages
•VoIP Components and Protocols
•Threats
•VoIP SPIT
•Fraud
VoIP Security Considerations
•VoIP Business Advantages
•VoIP Components and Protocols
•Threats
•VoIP SPIT
•Fraud
999999© 2009 Cisco Learning Institute.
VoIP Business Advantages
•Lower telecom call costs
•Productivity increases
•Lower costs to move, add,
or change
•Lower ongoing service
and maintenance costs
•Little or no training costs
•Mo major set-up fees
•Enables unified
messaging
•Encryption of voice calls is
supported
•Fewer administrative
personnel required
PSTN VoIP
Gateway
VoIP Business Advantages
•Lower telecom call costs
•Productivity increases
•Lower costs to move, add,
or change
•Lower ongoing service
and maintenance costs
•Little or no training costs
•Mo major set-up fees
•Enables unified
messaging
•Encryption of voice calls is
supported
•Fewer administrative
personnel required
PSTN VoIP
Gateway
100100100© 2009 Cisco Learning Institute.
VoIP Components
Cisco Unified
Communications
Manager
(Call Agent)
MCU
Cisco
Unity
IP
Phone
IP
Phone
Videoconference
Station
IP
Backbone
PSTN
Router/
Gateway
Router/
Gateway
Router/
Gateway
VoIP Components
Cisco Unified
Communications
Manager
(Call Agent)
MCU
Cisco
Unity
IP
Phone
IP
Phone
Videoconference
Station
IP
Backbone
PSTN
Router/
Gateway
Router/
Gateway
Router/
Gateway
101101101© 2009 Cisco Learning Institute.
VoIP Protocols
VoIP Protocol Description
H.323
ITU standard protocol for interactive conferencing; evolved from H.320
ISDN standard; flexible, complex
MGCP
Emerging IETF standard for PSTN gateway control; thin device control
Megaco/H.248
Joint IETF and ITU standard for gateway control with support for multiple
gateway types; evolved from MGCP standard
SIP
IETF protocol for interactive and noninteractiveconferencing; simpler but
less mature than H.323
RTP
ETF standard media-streaming protocol
RTCP
IETF protocol that provides out-of-band control information for an RTP flow
SRTP
IETF protocol that encrypts RTP traffic as it leaves the
voice device
SCCP
Cisco proprietary protocol used between Cisco Unified Communications
Manager and Cisco IP phones
VoIP Protocols
VoIP Protocol Description
H.323
ITU standard protocol for interactive conferencing; evolved from H.320
ISDN standard; flexible, complex
MGCP
Emerging IETF standard for PSTN gateway control; thin device control
Megaco/H.248
Joint IETF and ITU standard for gateway control with support for multiple
gateway types; evolved from MGCP standard
SIP
IETF protocol for interactive and noninteractiveconferencing; simpler but
less mature than H.323
RTP
ETF standard media-streaming protocol
RTCP
IETF protocol that provides out-of-band control information for an RTP flow
SRTP
IETF protocol that encrypts RTP traffic as it leaves the
voice device
SCCP
Cisco proprietary protocol used between Cisco Unified Communications
Manager and Cisco IP phones
102102102© 2009 Cisco Learning Institute.
Threats
•Reconnaissance
•Directed attacks such as spam over IP telephony
(SPIT) and spoofing
•DoS attacks such as DHCP starvation, flooding, and
fuzzing
•Eavesdropping and man-in-the-middle attacks
Threats
•Reconnaissance
•Directed attacks such as spam over IP telephony
(SPIT) and spoofing
•DoS attacks such as DHCP starvation, flooding, and
fuzzing
•Eavesdropping and man-in-the-middle attacks
103103103© 2009 Cisco Learning Institute.
VoIP SPIT
•If SPIT grows like spam, it could result in
regular DoS problems for network
administrators.
•Antispam methods do not block SPIT.
•Authenticated TLS stops most SPIT attacks
because TLS endpoints accept packets
only from trusted devices.
You’ve just
won an all
expenses
paid vacation
to the U.S.
Virgin Islands
!!!
VoIP SPIT
•If SPIT grows like spam, it could result in
regular DoS problems for network
administrators.
•Antispam methods do not block SPIT.
•Authenticated TLS stops most SPIT attacks
because TLS endpoints accept packets
only from trusted devices.
You’ve just
won an all
expenses
paid vacation
to the U.S.
Virgin Islands
!!!
104104104© 2009 Cisco Learning Institute.
Fraud
•Fraud takes several forms:
–Vishing—A voice version of phishing that is used to compromise
confidentiality.
–Theft and toll fraud—The stealing of telephone services.
•Use features of Cisco Unified Communications Manager to protect
against fraud.
–Partitions limit what parts of the dial plan certain phones have access to.
–Dial plans filter control access to exploitive phone numbers.
–FACs prevent unauthorized calls and provide a mechanism for tracking.
Fraud
•Fraud takes several forms:
–Vishing—A voice version of phishing that is used to compromise
confidentiality.
–Theft and toll fraud—The stealing of telephone services.
•Use features of Cisco Unified Communications Manager to protect
against fraud.
–Partitions limit what parts of the dial plan certain phones have access to.
–Dial plans filter control access to exploitive phone numbers.
–FACs prevent unauthorized calls and provide a mechanism for tracking.
105105105© 2009 Cisco Learning Institute.
SIP Vulnerabilities
•Registration hijacking:
Allows a hacker to
intercept incoming calls
and reroute them.
•Message tampering:
Allows a hacker to
modify data packets
traveling between SIP
addresses.
•Session tear-down:
Allows a hacker to
terminate calls or carry
out VoIP-targeted DoS
attacks.
Registrar Registrar
Location
Database
SIP Servers/Services
SIP Proxy
SIP User Agents
SIP User Agents
SIP Vulnerabilities
•Registration hijacking:
Allows a hacker to
intercept incoming calls
and reroute them.
•Message tampering:
Allows a hacker to
modify data packets
traveling between SIP
addresses.
•Session tear-down:
Allows a hacker to
terminate calls or carry
out VoIP-targeted DoS
attacks.
Registrar Registrar
Location
Database
SIP Servers/Services
SIP Proxy
SIP User Agents
SIP User Agents
106106106© 2009 Cisco Learning Institute.
VoIP Security Solutions
•Using VLANs
•Using Cisco ASA Adaptive Security Appliances
•Using VPNs
•Using Cisco Unified Communications Manager
VoIP Security Solutions
•Using VLANs
•Using Cisco ASA Adaptive Security Appliances
•Using VPNs
•Using Cisco Unified Communications Manager
107107107© 2009 Cisco Learning Institute.
Using VLANs
•Creates a separate broadcast domain for voice traffic
•Protects against eavesdropping and tampering
•Renders packet-sniffing tools less effective
•Makes it easier to implement VACLs that are specific to voice
traffic
Voice VLAN = 110 Data VLAN = 10
802.1Q Trunk
IP phone
10.1.110.3
Desktop PC
171.1.1.1
5/1
Using VLANs
•Creates a separate broadcast domain for voice traffic
•Protects against eavesdropping and tampering
•Renders packet-sniffing tools less effective
•Makes it easier to implement VACLs that are specific to voice
traffic
Voice VLAN = 110 Data VLAN = 10
802.1Q Trunk
IP phone
10.1.110.3
Desktop PC
171.1.1.1
5/1
108108108© 2009 Cisco Learning Institute.
Using Cisco ASA Adaptive
Security Appliances
•Ensure SIP, SCCP, H.323, and
MGCP requests conform to
standards
•Prevent inappropriate SIP
methods from being sent to Cisco
Unified Communications Manager
•Rate limit SIP requests
•Enforce policy of calls (whitelist,
blacklist, caller/called party, SIP
URI)
•Dynamically open ports for Cisco
applications
•Enable only “registered phones” to
make calls
•Enable inspection of encrypted
phone calls
Internet
WAN
Cisco Adaptive
Security Appliance
Cisco Adaptive
Security Appliance
Using Cisco ASA Adaptive
Security Appliances
•Ensure SIP, SCCP, H.323, and
MGCP requests conform to
standards
•Prevent inappropriate SIP
methods from being sent to Cisco
Unified Communications Manager
•Rate limit SIP requests
•Enforce policy of calls (whitelist,
blacklist, caller/called party, SIP
URI)
•Dynamically open ports for Cisco
applications
•Enable only “registered phones” to
make calls
•Enable inspection of encrypted
phone calls
Internet
WAN
Cisco Adaptive
Security Appliance
Cisco Adaptive
Security Appliance
109109109© 2009 Cisco Learning Institute.
Using VPNs
•Use IPsec for authentication
•Use IPsec to protect
all traffic, not just voice
•Consider SLA with service provider
•Terminate on a VPN concentrator
or large router inside of firewall to
gain these benefits:
•Performance
•Reduced configuration complexity
•Managed organizational
boundaries
IP WAN
Telephony
Servers
SRST
Router
Using VPNs
•Use IPsec for authentication
•Use IPsec to protect
all traffic, not just voice
•Consider SLA with service provider
•Terminate on a VPN concentrator
or large router inside of firewall to
gain these benefits:
•Performance
•Reduced configuration complexity
•Managed organizational
boundaries
IP WAN
Telephony
Servers
SRST
Router
110110110© 2009 Cisco Learning Institute.
Using Cisco Unified Communications
Manager
•Signed firmware
•Signed
configuration files
•Disable:
–PC port
–Setting button
–Speakerphone
–Web access
Using Cisco Unified Communications
Manager
•Signed firmware
•Signed
configuration files
•Disable:
–PC port
–Setting button
–Speakerphone
–Web access
111111111© 2009 Cisco Learning Institute.
SAN Security Considerations
•Overview
•SAN Transport Technologies
•World Wide Name
•Zoning Operation
•Virtual Storage Area Network
SAN Security Considerations
•Overview
•SAN Transport Technologies
•World Wide Name
•Zoning Operation
•Virtual Storage Area Network
112112112© 2009 Cisco Learning Institute.
Overview
SAN
IP
Network
Specialized network that
enables fast, reliable access
among servers and external
storage resources
Overview
SAN
IP
Network
Specialized network that
enables fast, reliable access
among servers and external
storage resources
113113113© 2009 Cisco Learning Institute.
SAN Transport Technologies
•Fibre Channel –the
primary SAN transport for
host-to-SAN connectivity
•iSCSI –maps SCSI over
TCP/IP and is another
host-to-SAN connectivity
model
•FCIP –a popular SAN-to-
SAN connectivity model
LAN
SAN Transport Technologies
•Fibre Channel –the
primary SAN transport for
host-to-SAN connectivity
•iSCSI –maps SCSI over
TCP/IP and is another
host-to-SAN connectivity
model
•FCIP –a popular SAN-to-
SAN connectivity model
LAN
114114114© 2009 Cisco Learning Institute.
World Wide Name
•A 64-bit address that Fibre Channel networks
use to uniquely identify each element in a Fibre
Channel network
•Zoning can utilize WWNs to assign security
permissions
•The WWN of a device is a user-configurable
parameter.
Cisco MDS 9020 Fabric Switch
World Wide Name
•A 64-bit address that Fibre Channel networks
use to uniquely identify each element in a Fibre
Channel network
•Zoning can utilize WWNs to assign security
permissions
•The WWN of a device is a user-configurable
parameter.
Cisco MDS 9020 Fabric Switch
115115115© 2009 Cisco Learning Institute.
Zoning Operation
•Zone members see only other
members of the zone.
•Zones can be configured
dynamically based on WWN.
•Devices can be members of
more than one zone.
•Switched fabric zoning can take
place at the port or device level:
based on physical switch port
or based on device WWN or
based on LUN ID.
SAN
Disk1
Host2Disk4
Host1
Disk2
Disk3
ZoneA
ZoneB
ZoneC
An example of Zoning. Note that
devices can be members of more
than 1 zone.
Zoning Operation
•Zone members see only other
members of the zone.
•Zones can be configured
dynamically based on WWN.
•Devices can be members of
more than one zone.
•Switched fabric zoning can take
place at the port or device level:
based on physical switch port
or based on device WWN or
based on LUN ID.
SAN
Disk1
Host2Disk4
Host1
Disk2
Disk3
ZoneA
ZoneB
ZoneC
An example of Zoning. Note that
devices can be members of more
than 1 zone.
116116116© 2009 Cisco Learning Institute.
Virtual Storage Area Network (VSAN)
Physical SAN islands
are virtualizedonto
common SAN
infrastructure
Cisco MDS 9000
Family with VSAN Service
Virtual Storage Area Network (VSAN)
Physical SAN islands
are virtualizedonto
common SAN
infrastructure
Cisco MDS 9000
Family with VSAN Service
117117117© 2009 Cisco Learning Institute.
SAN Security Solutions
•Security Focus
•SAN Management
•Fabric and Target Access
•VSANs
•iSCSI and FCIP
SAN Security Solutions
•Security Focus
•SAN Management
•Fabric and Target Access
•VSANs
•iSCSI and FCIP
118118118© 2009 Cisco Learning Institute.
Security Focus
SAN
Secure
SAN
IP Storage
access
Data Integrity and
Secrecy
Target AccessSAN Protocol
SAN Management
Access
Fabric Access
Security Focus
SAN
Secure
SAN
IP Storage
access
Data Integrity and
Secrecy
Target AccessSAN Protocol
SAN Management
Access
Fabric Access
119119119© 2009 Cisco Learning Institute.
SAN Management
Three main areas of vulnerability:
1.Disruption of switch processing
2.Compromised fabric stability
3.Compromised data integrity and confidentiality
SAN Management
Three main areas of vulnerability:
1.Disruption of switch processing
2.Compromised fabric stability
3.Compromised data integrity and confidentiality
120120120© 2009 Cisco Learning Institute.
Fabric and Target Access
Three main areas of focus:
•Application data integrity
•LUN integrity
•Application performance
Fabric and Target Access
Three main areas of focus:
•Application data integrity
•LUN integrity
•Application performance
121121121© 2009 Cisco Learning Institute.
VSANs
Two VSANs each with
multiple zones. Disks and
hosts are dedicated to
VSANs although both hosts
and disks can belong to
multiple zones within a
single VSAN. They cannot,
however, span VSANs.
VSAN 3
Physical Topology
VSAN 2
Disk1
Host2Disk4
Host1
Disk2Disk3
Disk6
Disk5
Host4
Host3
ZoneA
ZoneB
ZoneC
ZoneA
ZoneD
Relationship of VSANs to Zones
VSANs
Two VSANs each with
multiple zones. Disks and
hosts are dedicated to
VSANs although both hosts
and disks can belong to
multiple zones within a
single VSAN. They cannot,
however, span VSANs.
VSAN 3
Physical Topology
VSAN 2
Disk1
Host2Disk4
Host1
Disk2Disk3
Disk6
Disk5
Host4
Host3
ZoneA
ZoneB
ZoneC
ZoneA
ZoneD
Relationship of VSANs to Zones
122122122© 2009 Cisco Learning Institute.
iSCSI and FCIP
•iSCSI leverages many of the security features inherent in
Ethernet and IP.
–ACLs are like Fibre Channel zones
–VLANs are like Fibre Channel VSANs
–802.1X port security is like Fibre Channel port security
•FCIP security leverages many IP security features in
Cisco IOS-based routers:
–IPsec VPN connections through public carriers
–High-speed encryption services in specialized hardware
–Can be run through a firewall
iSCSI and FCIP
•iSCSI leverages many of the security features inherent in
Ethernet and IP.
–ACLs are like Fibre Channel zones
–VLANs are like Fibre Channel VSANs
–802.1X port security is like Fibre Channel port security
•FCIP security leverages many IP security features in
Cisco IOS-based routers:
–IPsec VPN connections through public carriers
–High-speed encryption services in specialized hardware
–Can be run through a firewall
123123123© 2009 Cisco Learning Institute.
Tags
Categories
GeneralDownload
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 6
- Slides 123
- Age 554 days
Related Slideshows
22
Pray For The Peace Of Jerusalem and You Will Prosper
RodolfoMoralesMarcuc
37 views
26
Don_t_Waste_Your_Life_God.....powerpoint
chalobrido8
40 views
31
VILLASUR_FACTORS_TO_CONSIDER_IN_PLATING_SALAD_10-13.pdf
JaiJai148317
37 views
14
Fertility awareness methods for women in the society
Isaiah47
34 views
35
Chapter 5 Arithmetic Functions Computer Organisation and Architecture
RitikSharma297999
32 views
5
syakira bhasa inggris (1) (1).pptx.......
ourcommunity56
35 views