CCNAS Chp.6 Securing the LAN

oklahomaflockSecurity

Nov 3, 2013


Endpoints and network infrastructure are the key areas to focus on when protecting the LAN.

A LAN is made up of network endpoints (nodes).

Possible network infrastructure attacks include:

- MAC spoofing
- STP manipulation
- MAC address table overflows
- LAN storms
- VLAN attacks

Endpoint security is based around these 3 elements:

- Network Admission Control (NAC)
  o Ensures that every node complies with security policies before being granted access to the network.
  o NAC grants access to compliant devices and denies noncompliant devices, which are then put in quarantine or given restricted access to resources.
  o Products come in 2 categories:
    - NAC Framework
      - Software module installed on a NAC-capable device
      - Used in high-performance environments
    - NAC Appliance
      - Cisco NAC appliance that can be used on any switch/router
      - Self-contained
      - Doesn't require a Cisco network

- Endpoint protection
  o Behaviour-based technology with Cisco Security Agent (CSA) protects endpoints against threats posed by viruses, Trojan horses, and worms.
  o IronPort perimeter security appliances complement CSA by focusing on email and web security.

- Network infection containment
  o To address the newest attack methods that can compromise the network, containment focuses on automating key elements of the infection response process.
  o The Cisco Self-Defending Network (SDN) elements of NAC, CSA, and IPS provide this service.
NAC Appliance Server (NAS)
  o Performs network access control at the network level.

NAC Appliance Manager (NAM)
  o A centralized admin interface used by technical support personnel.

NAC Appliance Agent (NAA)
  o Optional client software that facilitates network admission.

IronPort uses SenderBase, which is the world's largest threat detection database.

IronPort appliances:

- C-Series
  o Email + spam control
- S-Series
  o Spyware + URL filter + anti-malware
- M-Series
  o Security management - centralises security policies and provides a single interface to manage all layer 7 security systems

Cisco Management Center for CSA (Security Agent) supports up to 100,000 agents and is therefore very scalable.

CSA includes 4 interceptors:

- File system - file reads/writes
- Network - connections / number of connections
- Configuration - registry
- Execution space - DLL injection / buffer overflows

The data link layer is often described as the weakest link.

Layer 2 Attacks

- Switch attacks
  - MAC spoofing
  - MAC address table overflow
    o Using the macof tool
    o Floods the switch with lots of bogus MAC addresses, filling the table
- VLAN attacks
  - Hopping
    o Spoofs DTP or ISL packets in order to gain access to all the VLANs present (the port must have dynamic or auto trunking enabled)
  - Double encapsulated tagging
    o Tags an 802.1Q frame but also contains another encapsulation with a different VLAN (the one the attacker wants to get into)
    o The first tag is stripped at the next switch; the frame then travels the native VLAN to the following switch, which de-encapsulates the next 802.1Q tag.

Port Security

Enabling port security:

Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum value

Port Security Violation Rules

Default is to shut down the interface (err-disabled).

To change it:

Switch(config-if)# switchport port-security violation (protect|restrict|shutdown|shutdown vlan)

Port Security Aging

Sets how long a MAC address stays in the 'secure' category.

There are 2 types of aging settings:

- Absolute
  o Deletes after a set period
- Inactivity
  o Deletes after being inactive for a set period

Set using:

Switch(config-if)# switchport port-security aging (static|time time|type (absolute|inactivity))
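A worked model of the port-security behaviour described above (an added example, not from the CCNAS notes or from Cisco): a per-port maximum, the protect/restrict/shutdown violation modes, and absolute vs inactivity aging. The `SecurePort` class and its integer-second timestamps are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    """Simplified model of one port-security-enabled access port."""
    maximum: int = 1                 # switchport port-security maximum <value>
    violation: str = "shutdown"      # protect | restrict | shutdown (default)
    aging_time: int = 0              # aging time in seconds; 0 disables aging
    aging_type: str = "absolute"     # absolute | inactivity
    secure: dict = field(default_factory=dict)  # mac -> [learned_at, last_seen]
    err_disabled: bool = False
    violations: int = 0
    log: list = field(default_factory=list)     # stands in for syslog / SNMP traps

    def _age_out(self, now: int) -> None:
        if not self.aging_time:
            return
        for mac, (learned, seen) in list(self.secure.items()):
            # absolute: count from when the address was learned;
            # inactivity: count from the last frame seen from it
            ref = learned if self.aging_type == "absolute" else seen
            if now - ref >= self.aging_time:
                del self.secure[mac]

    def receive(self, mac: str, now: int) -> bool:
        """Return True if a frame from source `mac` is forwarded, False if dropped."""
        if self.err_disabled:
            return False                     # shutdown mode left the port err-disabled
        self._age_out(now)
        if mac in self.secure:
            self.secure[mac][1] = now        # refresh the inactivity timer
            return True
        if len(self.secure) < self.maximum:
            self.secure[mac] = [now, now]    # dynamically learned secure address
            return True
        # table is full and the source is unknown: a port-security violation
        if self.violation == "protect":
            return False                     # silently dropped, no counter, no log
        self.violations += 1
        if self.violation == "restrict":
            self.log.append(f"violation: unknown source {mac}")  # logged, port stays up
        else:
            self.err_disabled = True         # default mode: port goes err-disabled
            self.log.append(f"port err-disabled by {mac}")
        return False
```

Running the same sequence of frames through ports with different violation modes and aging types shows why the default (shutdown) takes the port out of service while restrict only counts and logs.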

LAYER 2 Recommended Practices

- Configure PortFast on all non-trunking ports.
- Configure root guard on STP root ports.
- Disable CDP on all non-network devices (except Cisco phones).