Securing Layer 2
MAC address spoofing and STP manipulation attacks. Layer 2 security configurations include: enabling port security, BPDU guard, root guard, storm control, Cisco Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN).
Endpoint security
Cisco Network Admission Control (NAC): ensures that endpoints comply with network security policies.
Endpoint protection: Cisco Security Agent (CSA), IronPort.
Network infection containment: automating key elements of the infection response process.
Cisco Self-Defending Network (SDN) -> NAC, CSA, IPS
Operating systems
Trusted code: the operating system code is not compromised.
Trusted path: the system is a genuine one and not a Trojan horse.
Privileged context of execution: provides identity authentication and certain privileges based on the identity.
Process memory protection and isolation: provides separation from other users and their data.
Access control to resources: ensures confidentiality and integrity of data.
Operating systems
Protect an endpoint from operating system vulnerabilities:
Least privilege concept.
Isolation between processes.
Reference monitor: an access control concept that mediates all access to objects, built from small, verifiable pieces of code.
Endpoint security solution: IronPort
C-Series: an email security appliance for virus and spam control.
S-Series: a web security appliance for spyware filtering, URL filtering, and anti-malware.
M-Series: a security management appliance that complements the email and web security appliances by managing and monitoring an organization's policy settings and audit information.
SenderBase
IronPort SenderBase is the world's largest traffic monitoring service. SenderBase collects data from more than 100,000 ISPs, universities, and corporations. It measures more than 120 different parameters for any server on the Internet. This massive database receives more than five billion queries per day, with real-time data streaming in from every continent and from both small and large network providers. Because of the size of the database, SenderBase has the most accurate view of the sending patterns of any given mail sender.
NAC
With NAC, network security professionals can authenticate, authorize, evaluate, and remediate wired, wireless, and remote users and their machines prior to network access.
CSA
Policy-driven data-loss prevention with zero-update attack prevention and antivirus detection.
Other vendors: McAfee, Symantec, Juniper, SonicWALL, Fortinet.
Layer 2 Security
Layer 2 attacks typically require internal access, either from an employee or a visitor. If the Data Link Layer is hacked, communications are compromised without the other layers being aware of the problem. Security is only as strong as the weakest link, and regarding network security, the Data Link Layer is often the weakest link: when the layer is compromised, the other layers are not aware of that fact.
Layer 2 Security: MAC address spoofing attacks
MAC address overflow attacks
MAC address tables are limited in size. The macof tool bombards the switch with fake source MAC addresses; once the table is full, the switch begins to flood all incoming traffic out all ports, behaving like a hub.
Mitigated by configuring port security on the switch: statically specify the MAC addresses on a particular switch port, or allow the switch to dynamically learn a fixed number of MAC addresses for a switch port.
STP manipulation attacks
Mitigation techniques for STP manipulation include enabling PortFast, root guard and BPDU guard.
LAN storm attack
Errors in the protocol stack implementation, mistakes in network configurations, or users issuing a DoS attack can cause a storm. Broadcast storms can also occur on networks: switches always forward broadcasts out all ports, and some necessary protocols, such as Address Resolution Protocol (ARP) and Dynamic Host Configuration Protocol (DHCP), use broadcasts; therefore, switches must be able to forward broadcast traffic. Storm control prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on one of the physical interfaces.
VLAN hopping attack
Two methods: spoofing DTP messages from the attacking host to cause the switch to enter trunking mode (from here, the attacker can send traffic tagged with the target VLAN, and the switch then delivers the packets to the destination), or introducing a rogue switch and enabling trunking (the attacker can then access all the VLANs on the victim switch from the rogue switch).
To prevent a basic VLAN hopping attack: turn off trunking on all ports except the ones that specifically require trunking; on the required trunking ports, disable DTP (auto trunking) negotiations and manually enable trunking.
Mitigating Layer 2 attacks
Enable port security: statically specify MAC addresses for a port, or permit the switch to dynamically learn a limited number of MAC addresses; limit the number to one. On a violation, the port either shuts down until it is administratively re-enabled (default mode) or drops incoming frames from the insecure host (restrict option). It is recommended that an administrator configure the port security feature to issue a shutdown rather than dropping frames from insecure hosts with the restrict option, because the restrict option might fail under the load of an attack.
Configuring port security
Step 1. Set the interface mode to access. If an interface is in the default mode (dynamic auto), it cannot be configured as a secure port.
Step 2. Enable port security on the interface.
Step 3. Set the maximum number of secure MAC addresses for the interface (optional). The range is 1 to 132; the default is 1.
Violation rules for the switch port
Step 1. Set the violation mode (optional). The default condition is shutdown mode.
Step 2. Enter a static secure MAC address for the interface (optional).
Step 3. Enable sticky learning on the interface (optional).
PortFast
The spanning-tree PortFast feature causes an interface configured as a Layer 2 access port to transition from the blocking to the forwarding state immediately, bypassing the listening and learning states.
Switch(config-if)# spanning-tree portfast
Switch(config)# spanning-tree portfast default
BPDU Guard
BPDU guard is used to protect the switched network from the problems caused by receiving BPDUs on ports that should not be receiving them. If a port that is configured with PortFast receives a BPDU, STP can put the port into the disabled state by using BPDU guard. Use this command to enable BPDU guard on all ports with PortFast enabled:
Switch(config)# spanning-tree portfast bpduguard default
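The port-security violation mode and BPDU guard described above are what an administrator sees fire in the switch log. As an added example that is not part of the original slides, this Python script triages constructed IOS-style syslog lines: it groups %PORT_SECURITY-2-PSECURE_VIOLATION messages per port, treats a burst of distinct offending source MACs as the MAC table overflow pattern, and records BPDU guard and err-disable events. The message formats are assumed from Cisco IOS and the sample lines are constructed; the thresholds and labels are my own.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in Cisco IOS format (not from the original slides).
SAMPLE_LOG = """\
*Mar  1 00:12:01.100: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.1111.2222 on port FastEthernet0/1.
*Mar  1 00:12:01.350: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.1111.3333 on port FastEthernet0/1.
*Mar  1 00:12:01.600: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.1111.4444 on port FastEthernet0/1.
*Mar  1 00:12:02.000: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
*Mar  1 00:15:40.200: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.aaaa.bbbb on port FastEthernet0/5.
*Mar  1 00:18:03.100: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/7 with BPDU Guard enabled. Disabling port.
*Mar  1 00:18:03.200: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/7, putting Fa0/7 in err-disable state
"""

# Message patterns assumed from Cisco IOS syslog output.
PSECURE = re.compile(r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*MAC address ([0-9a-f.]+) on port ([\w/]+)")
BPDUGUARD = re.compile(r"%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port ([\w/]+)")
ERRDISABLE = re.compile(r"%PM-4-ERR_DISABLE: (\S+) error detected on ([\w/]+),")


def short_name(iface):
    """Map long IOS interface names (FastEthernet0/1) to the short form (Fa0/1)."""
    for long, abbr in (("TenGigabitEthernet", "Te"), ("GigabitEthernet", "Gi"), ("FastEthernet", "Fa")):
        if iface.startswith(long):
            return abbr + iface[len(long):]
    return iface


def triage(log_text, flood_threshold=3):
    """Classify per port what the Layer 2 defences caught; return (events, err_disabled)."""
    macs = defaultdict(set)     # port -> distinct offending source MACs
    bpdu_ports = set()
    err_disabled = {}           # port -> err-disable cause reported by the switch
    for line in log_text.splitlines():
        if m := PSECURE.search(line):
            macs[short_name(m.group(2))].add(m.group(1))
        elif m := BPDUGUARD.search(line):
            bpdu_ports.add(short_name(m.group(1)))
        elif m := ERRDISABLE.search(line):
            err_disabled[short_name(m.group(2))] = m.group(1)
    events = {}
    for port, seen in macs.items():
        # Many different source MACs on one port in a burst is the MAC table overflow pattern.
        kind = "mac-flooding" if len(seen) >= flood_threshold else "port-security-violation"
        events[port] = {"event": kind, "distinct_macs": len(seen)}
    for port in bpdu_ports:
        # A BPDU arriving on a PortFast port means an unexpected STP speaker behind it.
        events[port] = {"event": "bpdu-guard", "distinct_macs": 0}
    return events, err_disabled
```

The err-disabled map tells the operator which ports need `shutdown`/`no shutdown` (or errdisable recovery) after the cause has been investigated.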
Root Guard
Root guard is best deployed toward ports that connect to switches that should not be the root bridge.
Switch(config-if)# spanning-tree guard root
Storm control
Enable broadcast storm protection. Enable multicast storm protection. Specify the action that should take place when the threshold (level) is reached.
VLAN Trunk Security
Be sure to disable DTP (auto trunking) negotiations and manually enable trunking. To prevent a VLAN hopping attack that uses double 802.1Q encapsulation, the switch must look further into the frame to determine whether more than one VLAN tag is attached to it. One of the more important elements is to use a dedicated native VLAN for all trunk ports. Disable all unused switch ports and place them in an unused VLAN.
Step 1. Specify an interface as a trunk link.
Step 2. Prevent the generation of DTP frames.
Step 3. Set the native VLAN on the trunk to an unused VLAN. The default native VLAN is VLAN 1.
SPAN (Switched Port Analyzer)
A SPAN port mirrors traffic to another port where a monitoring device is connected. Without this, it can be difficult to track hackers after they have entered the network. RSPAN: Remote SPAN.
Summary: Layer 2
Manage switches in a secure manner (SSH, out-of-band management, ACLs, etc.), much like routers.
Set all user ports to non-trunking ports (unless you are using Cisco VoIP).
Use port security where possible for access ports.
Enable STP attack mitigation (BPDU guard, root guard).
Use Cisco Discovery Protocol only where necessary (with phones it is useful).
Configure PortFast on all non-trunking ports.
Configure root guard on STP root ports.
Configure BPDU guard on all non-trunking ports.
Always use a dedicated, unused native VLAN ID for trunk ports.
Do not use VLAN 1 for anything.
Disable all unused ports and put them in an unused VLAN.
Manually configure all trunk ports and disable DTP on trunk ports.
Configure all non-trunking ports with switchport mode access.
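As an added example that is not code from the original slides, the Python script below checks a constructed running-config against the checklist above: port security and BPDU guard on access ports, DTP disabled and a non-default native VLAN on trunks, unused ports shut down and parked in an unused VLAN, and the shutdown rather than restrict violation mode. The configuration text is constructed and the finding strings are my own.

```python
# Constructed sample running-config (not from the original slides): Fa0/1 and Gi0/1
# follow the checklist, the other ports each miss something.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
!
interface FastEthernet0/3
 shutdown
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport mode trunk
!
"""


def parse_config(config):
    """Split a running-config into global commands and per-interface command sets."""
    global_lines, interfaces, current = set(), {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = set()
        elif line.startswith(" ") and current is not None:
            interfaces[current].add(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
            if line not in ("", "!"):
                global_lines.add(line)
    return global_lines, interfaces


def audit(config):
    """Return {interface: [findings]} for every port that misses a checklist item."""
    global_lines, interfaces = parse_config(config)
    global_bpduguard = "spanning-tree portfast bpduguard default" in global_lines
    findings = {}
    for name, lines in interfaces.items():
        issues = []
        if "shutdown" in lines:
            if not any(l.startswith("switchport access vlan ") for l in lines):
                issues.append("disabled port not parked in an unused VLAN")
        elif "switchport mode trunk" in lines:
            if "switchport nonegotiate" not in lines:
                issues.append("trunk still negotiates DTP")
            if not any(l.startswith("switchport trunk native vlan ") and l.split()[-1] != "1" for l in lines):
                issues.append("native VLAN left at VLAN 1")
        elif "switchport mode access" in lines:
            if "switchport port-security" not in lines:
                issues.append("access port without port security")
            elif "switchport port-security violation restrict" in lines:
                issues.append("violation mode restrict (may fail under attack load)")
            if not (global_bpduguard or "spanning-tree bpduguard enable" in lines):
                issues.append("access port without BPDU guard")
        else:
            issues.append("port mode not set (DTP dynamic auto, cannot be a secure port)")
        if issues:
            findings[name] = issues
    return findings
```

Run `audit(open("running-config.txt").read())` on a real `show running-config` export to get the same per-port findings.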
Wireless security
War driving.
Threats to wireless: Network Stumbler software finds wireless networks. Kismet software displays wireless networks that do not broadcast their SSIDs. AirSnort software sniffs and cracks WEP keys. CoWPAtty cracks WPA-PSK (WPA1). ASLEAP gathers authentication data. Wireshark can scan wireless Ethernet data and SSIDs.
Mitigating threats to wireless: wireless networks using WEP or WPA/TKIP (Wi-Fi Protected Access with the Temporal Key Integrity Protocol) are not very secure and are vulnerable to hacking attacks. Wireless networks using WPA2/AES (Advanced Encryption Standard) should have a passphrase of at least 21 characters; this is the state of the art. If an IPsec VPN is available, use it on any public wireless LAN. If wireless access is not needed, disable the wireless radio or wireless NIC.