
Implementing Cisco Edge Network Security Solutions (300-206)
Module 1
Securing the Local Area Network
Lesson Planning
This lesson should take 3-4 hours to present.
The lesson should include lecture, demonstrations, discussions, and assessments.
The lesson can be taught in person or using remote instruction.
Major Concepts
Describe endpoint vulnerabilities and protection methods
Describe basic Catalyst switch vulnerabilities
Configure and verify switch security features, including port security and storm control
Describe the fundamental security considerations of Wireless, VoIP, and SANs
Lesson Objectives
Upon completion of this lesson, the successful participant will be able to:
1. Describe endpoint security and the enabling technologies
2. Describe how Cisco IronPort is used to ensure endpoint security
3. Describe how Cisco NAC products are used to ensure endpoint security
4. Describe how the Cisco Security Agent is used to ensure endpoint security
5. Describe the primary considerations for securing the Layer 2 infrastructure
6. Describe MAC address spoofing attacks and MAC address spoofing attack mitigation
Lesson Objectives
7. Describe MAC address table overflow attacks and MAC address table overflow attack mitigation
8. Describe STP manipulation attacks and STP manipulation attack mitigation
9. Describe LAN storm attacks and LAN storm attack mitigation
10. Describe VLAN attacks and VLAN attack mitigation
11. Describe how to configure port security
12. Describe how to verify port security
13. Describe how to configure and verify BPDU Guard and Root Guard
14. Describe how to configure and verify storm control
15. Describe and configure Cisco SPAN
16. Describe and configure Cisco RSPAN
Lesson Objectives
17. Describe the best practices for Layer 2
18. Describe the fundamental aspects of enterprise security for advanced technologies
19. Describe the fundamental aspects of wireless security and the enabling technologies
20. Describe wireless security solutions
21. Describe the fundamental aspects of VoIP security and the enabling technologies (Reference: CIAG course on VoIP security)
22. Describe VoIP security solutions
23. Describe the fundamental aspects of SAN security and the enabling technologies
24. Describe SAN security solutions
Securing the LAN
[Figure: network diagram with the Internet, the perimeter (firewall, IPS, VPN, MARS, ACS, IronPort), the web, email, and DNS servers, and the LAN hosts]
Areas of concentration:
Securing endpoints
Securing network infrastructure
Addressing Endpoint Security
[Figure: a secure host rests on threat protection, policy compliance, and infection containment]
Based on three elements:
Cisco Network Admission Control (NAC)
Endpoint protection
Network infection containment
Operating Systems Basic Security Services
Trusted code and trusted path ensure that the integrity of the operating system is not violated
Privileged context of execution provides identity authentication and certain privileges based on the identity
Process memory protection and isolation provide separation from other users and their data
Access control to resources ensures confidentiality and integrity of data
Types of Application Attacks
[Figure: two attack paths. Direct: "I have gained direct access to this application's privileges." Indirect: "I have gained access to this system, which is trusted by the other system, allowing me to access it."]
Cisco Systems Endpoint Security Solutions
Cisco NAC
IronPort
Cisco Security Agent
Cisco IronPort Products
IronPort products include:
E-mail security appliances for virus and spam control
Web security appliance for spyware filtering, URL filtering, and anti-malware
Security management appliance
IronPort C-Series
[Figure: before IronPort, mail from the Internet passes through the firewall and a chain of separate antispam, antivirus, policy enforcement, and mail routing systems before reaching groupware and users; after IronPort, a single IronPort E-mail Security Appliance (MTA, antispam, antivirus, encryption platform, DLP scanner, and DLP policy manager) sits between the firewall and the groupware]
IronPort S-Series
[Figure: before IronPort, users reach the Internet through the firewall and separate web proxy, antispyware, antivirus, antiphishing, URL filtering, and policy management systems; after IronPort, a single IronPort S-Series appliance between the users and the firewall provides all of these functions]
Cisco NAC
NAC Framework: software module embedded within NAC-enabled products; integrated framework leveraging multiple Cisco and NAC-aware vendor products.
Cisco NAC Appliance: in-band Cisco NAC Appliance solution can be used on any switch or router platform; self-contained, turnkey solution.
The purpose of NAC:
Allow only authorized and compliant systems to access the network
To enforce network security policy
The NAC Framework
[Figure: hosts attempting network access run the Cisco Trust Agent and present credentials to the network access devices over EAP/UDP or EAP/802.1x; the network access devices relay the credentials over RADIUS to the AAA server (the policy server decision point), which may consult vendor servers over HTTPS to decide "Comply?"; access rights are returned to the enforcement point and a notification to the host, with remediation where required]
NAC Components
Cisco NAS: serves as an in-band or out-of-band device for network access control
Cisco NAM: centralizes management for administrators, support personnel, and operators
Cisco NAA: optional lightweight client for device-based registry scans in unmanaged environments
Rule-set updates: scheduled automatic updates for antivirus, critical hotfixes, and other applications
Cisco NAC Appliance Process
[Figure: a host, the Cisco NAS, the Cisco NAM, the authentication server, the quarantine role, and the intranet/network (the goal)]
1. Host attempts to access a web page or uses an optional client. Network access is blocked until the wired or wireless host provides login information.
2. Host is redirected to a login page. Cisco NAC Appliance validates the username and password and also performs device and network scans to assess vulnerabilities on the device.
3. The host is authenticated and optionally scanned for posture compliance.
3a. Device is noncompliant or login is incorrect: the host is denied access and assigned to a quarantine role with access to online remediation resources.
3b. Device is clean: the machine gets on the certified devices list and is granted access to the network.
Access Windows
[Figure: step 4 screens: login screen; scan is performed (types of checks depend on user role); scan fails; remediate]
CSA Architecture
[Figure: the Management Center for Cisco Security Agent, with an internal or external database, distributes security policy over SSL to servers protected by Cisco Security Agent and receives their events and alerts; an administration workstation manages the Management Center]
CSA Overview
[Figure: application requests pass through the file system, network, configuration, and execution space interceptors to the rules engine, which applies rules and policies together with state from the correlation engine and returns either an allowed request or a blocked request]
CSA Functionality
[Table: which interceptors (network, file system, configuration, execution space) each security application uses; the X marks survived extraction but their column positions did not]
Distributed Firewall: X
Host Intrusion Prevention: X X
Application Sandbox: X X X
Network Worm Prevention: X X
File Integrity Monitor: X X
Attack Phases
[Figure: a server protected by Cisco Security Agent; the file system, network, configuration, and execution space interceptors act across the phases of an attack]
Probe phase: ping scans, port scans
Penetrate phase: transfer exploit code to target
Persist phase: install new code, modify configuration
Propagate phase: attack other targets
Paralyze phase: erase files, crash system, steal data
CSA Log Messages
[Figure: CSA log messages from the hosts are collected across the network (Internet; perimeter with firewall, IPS, VPN, MARS, ACS, and IronPort; web, email, and DNS servers; hosts)]
Layer 2 Security
When it comes to networking, Layer 2 is often a very weak link.
[Figure: the OSI model (Application, Presentation, Session, Transport, Network, Data Link, Physical) with the element each layer handles: application stream, protocols and ports, IP addresses, MAC addresses, physical links. An initial compromise at the Data Link layer leaves every layer above it compromised.]
MAC Address Spoofing Attack
[Figure: a switch with a server (MAC address AABBcc) on port 1 and an attacker (MAC address 12AbDd) on port 2. Switch: "I have associated Ports 1 and 2 with the MAC addresses of the devices attached. Traffic destined for each device will be forwarded directly."]
The switch keeps track of the endpoints by maintaining a MAC address table. In MAC spoofing, the attacker poses as another host, in this case AABBcc.
MAC Address Spoofing Attack
[Figure: the attacker on port 2 now also presents MAC address AABBcc. Attacker: "I have changed the MAC address on my computer to match the server." Switch: "The device with MAC address AABBcc has changed locations to Port 2. I must adjust my MAC address table accordingly."]
MAC Address Table Overflow Attack
The switch can forward frames between PC1 and PC2 without flooding because the MAC address table contains port-to-MAC-address mappings for these PCs.
MAC Address Table Overflow Attack
[Figure: hosts A, B, C, and D in VLAN 10; the intruder is attached to port 3/25]
1. Intruder runs macof to begin sending unknown bogus MAC addresses (MAC X, MAC Y, MAC Z, ... on port 3/25).
2. Bogus addresses are added to the CAM table (X 3/25, Y 3/25, C 3/25). The CAM table is full.
3. The switch floods the frames (XYZ flood).
4. Attacker sees traffic to servers B and D.
STP Manipulation Attack
Spanning tree protocol operates by electing a root bridge.
STP builds a tree topology.
STP manipulation changes the topology of a network: the attacking host appears to be the root bridge.
[Figure: root bridge (priority = 8192, MAC address = 0000.00C0.1234) with forwarding (F) and blocking (B) ports]
STP Manipulation Attack
[Figure: the attacking host, connected to two switches, takes over the root bridge role from the legitimate root bridge (priority = 8192); the forwarding (F) and blocking (B) ports change accordingly]
The attacking host broadcasts out STP configuration and topology change BPDUs. This is an attempt to force spanning tree recalculations.
LAN Storm Attack
Broadcast, multicast, or unicast packets are flooded on all ports in the same VLAN.
These storms can increase the CPU utilization on a switch to 100%, reducing the performance of the network.
[Figure: a broadcast frame is replicated out of every port of the switch]
Storm Control
[Figure: graph of the total number of broadcast packets or bytes over time against the storm-control threshold]
VLAN Attacks
VLAN = Broadcast Domain = Logical Network (Subnet)
[Figure: VLANs provide segmentation, flexibility, and security]
VLAN Attacks
[Figure: an attacker on an 802.1Q trunk sees traffic destined for the servers in VLAN 10 and VLAN 20]
A VLAN hopping attack can be launched in two ways:
Spoofing DTP messages from the attacking host to cause the switch to enter trunking mode
Introducing a rogue switch and turning trunking on
Double-Tagging VLAN Attack
[Figure: an attacker on VLAN 10 sends an 802.1Q frame carrying a VLAN 20 tag across a trunk (native VLAN = 10) toward the victim on VLAN 20]
1. Attacker is on VLAN 10, but puts a 20 tag in the packet.
2. The first switch strips off the first tag and does not retag it (native traffic is not retagged). It then forwards the packet to switch 2.
3. The second switch receives the packet on the native VLAN.
4. The second switch examines the packet, sees the VLAN 20 tag, and forwards it accordingly.
Note: This attack works only if the trunk has the same native VLAN as the attacker.
Port Security Overview
[Figure: port 0/1 allows MAC A, port 0/2 allows MAC B, port 0/3 allows MAC C; attacker 1 (MAC A) and attacker 2 (MAC F) attempt to connect]
Allows an administrator to statically specify MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses.
CLI Commands
Switch(config-if)# switchport mode access
Sets the interface mode as access
Switch(config-if)# switchport port-security
Enables port security on the interface
Switch(config-if)# switchport port-security maximum value
Sets the maximum number of secure MAC addresses for the interface (optional)
Switchport Port-Security Parameters
Parameter: Description
mac-address mac-address: (Optional) Specify a secure MAC address for the port by entering a 48-bit MAC address. You can add additional secure MAC addresses up to the maximum value configured.
vlan vlan-id: (Optional) On a trunk port only, specify the VLAN ID and the MAC address. If no VLAN ID is specified, the native VLAN is used.
vlan access: (Optional) On an access port only, specify the VLAN as an access VLAN.
vlan voice: (Optional) On an access port only, specify the VLAN as a voice VLAN.
mac-address sticky [mac-address]: (Optional) Enable the interface for sticky learning by entering only the mac-address sticky keywords. When sticky learning is enabled, the interface adds all secure MAC addresses that are dynamically learned to the running configuration and converts these addresses to sticky secure MAC addresses. Specify a sticky secure MAC address by entering the mac-address sticky mac-address keywords.
maximum value: (Optional) Set the maximum number of secure MAC addresses for the interface. The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system. The active Switch Database Management (SDM) template determines this number. This number represents the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces. The default setting is 1.
vlan [vlan-list]: (Optional) For trunk ports, you can set the maximum number of secure MAC addresses on a VLAN. If the vlan keyword is not entered, the default value is used.
vlan: set a per-VLAN maximum value.
vlan vlan-list: set a per-VLAN maximum value on a range of VLANs separated by a hyphen or a series of VLANs separated by commas. For nonspecified VLANs, the per-VLAN maximum value is used.
Port Security Violation Configuration
Switch(config-if)# switchport port-security mac-address sticky
Enables sticky learning on the interface (optional)
Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}
Sets the violation mode (optional)
Switch(config-if)# switchport port-security mac-address mac-address
Enters a static secure MAC address for the interface (optional)
Switchport Port-Security Violation Parameters
Parameter: Description
protect: (Optional) Set the security violation protect mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.
restrict: (Optional) Set the security violation restrict mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred.
shutdown: (Optional) Set the security violation shutdown mode. In this mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and increments the violation counter. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands.
shutdown vlan: Set the security violation mode to per-VLAN shutdown. In this mode, only the VLAN on which the violation occurred is error-disabled.
Port Security Aging Configuration
Switch(config-if)# switchport port-security aging {static | time time | type {absolute | inactivity}}
Enables or disables static aging for the secure port or sets the aging time or type
Switchport Port-Security Aging Parameters
Parameter: Description
static: Enable aging for statically configured secure addresses on this port.
time time: Specify the aging time for this port. The range is 0 to 1440 minutes. If the time is 0, aging is disabled for this port.
type absolute: Set the absolute aging type. All the secure addresses on this port age out exactly after the time (minutes) specified and are removed from the secure address list.
type inactivity: Set the inactivity aging type. The secure addresses on this port age out only if there is no data traffic from the secure source address for the specified time period.
Typical Configuration
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security aging time 120
[Figure: switch S2 with PC B attached to the secured port]
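The behaviour that the port-security commands above describe, and that the earlier MAC address spoofing and MAC address table overflow slides motivate, modelled in Python as an added example; it is not part of the course material or of any Cisco software. SecurePort, SecureSwitch, the two scenario functions, and the sample MAC addresses are constructed for the illustration. The violation modes follow the parameter table: protect drops silently, restrict drops and notifies, shutdown error-disables the port.

```python
"""Added example (not from the course): a small model of a Catalyst secure
port, showing how a per-port maximum plus a violation mode stops both MAC
address spoofing (a second port claiming an address already secured elsewhere)
and CAM table overflow (a flood of bogus source addresses on one port).
SecurePort, SecureSwitch and the scenario inputs are constructed here."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                   # switchport port-security maximum
    violation: str = "shutdown"        # protect | restrict | shutdown
    sticky: bool = True                # switchport port-security mac-address sticky
    secure_macs: set = field(default_factory=set)
    violation_count: int = 0
    err_disabled: bool = False
    log: list = field(default_factory=list)


class SecureSwitch:
    """Tracks which secure port owns each MAC, the way the CAM table does."""

    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.owner = {}                # mac -> port name

    def ingress(self, port_name, src_mac):
        """Return 'forward' or 'drop' for a frame arriving with src_mac."""
        port = self.ports[port_name]
        if port.err_disabled:
            return "drop"
        if src_mac in port.secure_macs:
            return "forward"
        # A violation is an address already secured on another port (spoofing)
        # or a new address once the port's maximum is reached (overflow).
        bound_elsewhere = self.owner.get(src_mac) not in (None, port_name)
        if not bound_elsewhere and len(port.secure_macs) < port.maximum:
            port.secure_macs.add(src_mac)      # dynamic (sticky) learning
            self.owner[src_mac] = port_name
            return "forward"
        return self._violate(port, src_mac)

    def _violate(self, port, src_mac):
        if port.violation == "protect":        # silent drop, no notification
            return "drop"
        port.violation_count += 1
        if port.violation == "restrict":       # drop plus syslog/SNMP-style notice
            port.log.append(f"%PORT_SECURITY: violation on {port.name} by {src_mac}")
            return "drop"
        # shutdown: the port goes err-disabled until the administrator recovers it
        port.err_disabled = True
        port.log.append(f"%PM: {port.name} err-disabled (psecure-violation)")
        return "drop"


def overflow_scenario(violation="shutdown", maximum=2, flood=50):
    """Constructed flood of distinct bogus source MACs on one secure port.
    Returns (frames forwarded, frames dropped, port err-disabled)."""
    sw = SecureSwitch([SecurePort("Fa0/12", maximum=maximum, violation=violation)])
    bogus = [f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}" for i in range(flood)]
    results = [sw.ingress("Fa0/12", mac) for mac in bogus]
    port = sw.ports["Fa0/12"]
    return results.count("forward"), results.count("drop"), port.err_disabled


def spoof_scenario():
    """The server on Fa0/1 owns AABBcc; an attacker on Fa0/2 then claims it.
    Returns the switch's decision for the spoofed frame."""
    sw = SecureSwitch([SecurePort("Fa0/1", maximum=1, violation="restrict"),
                       SecurePort("Fa0/2", maximum=1, violation="restrict")])
    sw.ingress("Fa0/1", "AABBcc")      # legitimate server learned on Fa0/1
    return sw.ingress("Fa0/2", "AABBcc")


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        print(mode, overflow_scenario(mode))
    print("spoofed frame:", spoof_scenario())
```

With maximum 2, every mode forwards only the first two addresses of the flood; the difference is visibility: protect leaves no trace, restrict raises the violation counter that show port-security reports, and shutdown takes the port down, which is why the typical configuration above pairs maximum 2 with violation shutdown.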
CLI Commands
sw-class# show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
---------------------------------------------------------------------------
Fa0/12 2 0 0 Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024
sw-class# show port-security interface f0/12
Port Security : Enabled
Port status : Secure-down
Violation mode : Shutdown
Maximum MAC Addresses : 2
Total MAC Addresses : 1
Configured MAC Addresses : 0
Aging time : 120 mins
Aging type : Absolute
SecureStatic address aging : Disabled
Security Violation Count : 0
View Secure MAC Addresses
sw-class# show port-security address
Secure Mac Address Table
-------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
1 0000.ffff.aaaa SecureConfigured Fa0/12 -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024
MAC Address Notification
MAC address notification allows monitoring of the MAC addresses, at the module and port level, added by the switch or removed from the CAM table for secure ports.
[Figure: switch CAM table with F1/1 = MAC A, F1/2 = MAC B, F2/1 = MAC D (address ages out because MAC D is away from the network); SNMP traps are sent to the NMS when new MAC addresses appear or when old ones time out]
Configure PortFast
Command: Description
Switch(config-if)# spanning-tree portfast: Enables PortFast on a Layer 2 access port and forces it to enter the forwarding state immediately.
Switch(config-if)# no spanning-tree portfast: Disables PortFast on a Layer 2 access port. PortFast is disabled by default.
Switch(config)# spanning-tree portfast default: Globally enables the PortFast feature on all nontrunking ports.
Switch# show running-config interface type slot/port: Indicates whether PortFast has been configured on a port.
[Figure: a server and a workstation attached to access ports]
BPDU Guard
Switch(config)# spanning-tree portfast bpduguard default
Globally enables BPDU guard on all ports with PortFast enabled
[Figure: an attacker sends STP BPDUs into an access port with BPDU guard enabled; the root bridge and the forwarding (F) and blocking (B) ports are unaffected]
Display the State of Spanning Tree
Switch# show spanning-tree summary totals
Root bridge for: none.
PortFast BPDU Guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Spanning tree default pathcost method used is short
Name                 Blocking Listening Learning Forwarding STP Active
-------------------- -------- --------- -------- ---------- ----------
1 VLAN               0        0         0        1          1
<output omitted>
Root Guard
Switch(config-if)# spanning-tree guard root
Enables root guard on a per-interface basis
[Figure: root bridge (priority = 0, MAC address = 0000.0c45.1a5d); an attacker sends an STP BPDU claiming priority = 0 and MAC address = 0000.0c45.1234 into a port with root guard enabled; the forwarding (F) and blocking (B) ports are unchanged]
Verify Root Guard
Switch# show spanning-tree inconsistentports
Name Interface Inconsistency
-------------------- ---------------------- ------------------
VLAN0001 FastEthernet3/1 Port Type Inconsistent
VLAN0001 FastEthernet3/2 Port Type Inconsistent
VLAN1002 FastEthernet3/1 Port Type Inconsistent
VLAN1002 FastEthernet3/2 Port Type Inconsistent
VLAN1003 FastEthernet3/1 Port Type Inconsistent
VLAN1003 FastEthernet3/2 Port Type Inconsistent
VLAN1004 FastEthernet3/1 Port Type Inconsistent
VLAN1004 FastEthernet3/2 Port Type Inconsistent
VLAN1005 FastEthernet3/1 Port Type Inconsistent
VLAN1005 FastEthernet3/2 Port Type Inconsistent
Number of inconsistent ports (segments) in the system :10
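How a switch port decides what to do with a received configuration BPDU under BPDU guard and root guard, as an added Python example; this is not course material and not Cisco code. The bridge-ID ordering is the 802.1D rule (lower priority wins, then lower MAC address); the state names, the function names and the sample BPDUs (built from the priorities and MAC addresses on the slides above) are constructed here.

```python
"""Added example (not from the course): the reaction of a switch port to a
received configuration BPDU. A BPDU is 'superior' when the root bridge ID it
carries is numerically lower than the one the switch currently believes in
(802.1D: priority first, then MAC address). BPDU guard and root guard change
what the port does with such a BPDU. Sample values are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BridgeId:
    priority: int      # 0..61440 in steps of 4096 (the slides use 8192 and 0)
    mac: str           # dotted or colon-separated hex, e.g. "0000.0c45.1a5d"


def mac_to_int(mac: str) -> int:
    return int(mac.replace(".", "").replace(":", "").replace("-", ""), 16)


def is_superior(candidate: BridgeId, current_root: BridgeId) -> bool:
    """True when the candidate would win the root election."""
    return (candidate.priority, mac_to_int(candidate.mac)) < \
           (current_root.priority, mac_to_int(current_root.mac))


def port_reaction(received_root, current_root, bpduguard=False, rootguard=False):
    """State of the port after one received BPDU.
    - bpduguard (PortFast access port): any BPDU at all is a violation and
      the port is error-disabled, whatever the BPDU claims.
    - rootguard (designated port that must never face the root): a superior
      BPDU puts the port in the root-inconsistent (blocking) state instead of
      letting the sender become root; inferior BPDUs are harmless.
    - neither: ordinary STP, so a superior BPDU is accepted as the new root."""
    if bpduguard:
        return "err-disabled"
    if is_superior(received_root, current_root):
        return "root-inconsistent" if rootguard else "new-root-accepted"
    return "forwarding"


def inconsistent_ports(events, current_root, rootguard_ports):
    """Replay (interface, root claimed in BPDU) events and return the
    interfaces root guard has put into the root-inconsistent state, in the
    spirit of 'show spanning-tree inconsistentports'."""
    out = []
    for iface, claimed_root in events:
        state = port_reaction(claimed_root, current_root,
                              rootguard=iface in rootguard_ports)
        if state == "root-inconsistent" and iface not in out:
            out.append(iface)
    return out


if __name__ == "__main__":
    legit = BridgeId(0, "0000.0c45.1a5d")        # from the root guard slide
    rogue = BridgeId(0, "0000.0c45.1234")        # attacker's claim, lower MAC
    print(port_reaction(rogue, legit, rootguard=True))   # root-inconsistent
    print(port_reaction(rogue, legit))                   # new-root-accepted
```

Note that the attacker's BPDU on the slide wins on the MAC address alone (same priority 0, lower MAC), which is exactly the case root guard exists for: a priority of 0 cannot be undercut, so without the guard the claim is accepted and the topology recalculates.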
Storm Control Methods
Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic
Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received
Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received
Traffic rate in packets per second and for small frames. This feature is enabled globally. The threshold for small frames is configured for each interface.
Storm Control Configuration
Enables storm control
Specifies the level at which it is enabled
Specifies the action that should take place when the threshold (level) is reached, in addition to filtering traffic
Switch(config-if)# storm-control broadcast level 75.5
Switch(config-if)# storm-control multicast level pps 2k 1k
Switch(config-if)# storm-control action shutdown
Storm Control Parameters
Parameter: Description
broadcast: This parameter enables broadcast storm control on the interface.
multicast: This parameter enables multicast storm control on the interface.
unicast: This parameter enables unicast storm control on the interface.
level level [level-low]: Rising and falling suppression levels as a percentage of total bandwidth of the port.
level: Rising suppression level. The range is 0.00 to 100.00. Block the flooding of storm packets when the value specified for level is reached.
level-low: (Optional) Falling suppression level, up to two decimal places. This value must be less than or equal to the rising suppression value.
level bps bps [bps-low]: Specify the rising and falling suppression levels as a rate in bits per second at which traffic is received on the port.
bps: Rising suppression level. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for bps is reached.
bps-low: (Optional) Falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value.
level pps pps [pps-low]: Specify the rising and falling suppression levels as a rate in packets per second at which traffic is received on the port.
pps: Rising suppression level. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for pps is reached.
pps-low: (Optional) Falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value.
action {shutdown | trap}: The action taken when a storm occurs on a port. The default action is to filter traffic and to not send an SNMP trap. The keywords have these meanings:
shutdown: Disables the port during a storm
trap: Sends an SNMP trap when a storm occurs
Verify Storm Control Settings
Switch# show storm-control
Interface Filter State Upper Lower Current
--------- ------------- ---------- --------- --------
Gi0/1 Forwarding 20 pps 10 pps 5 pps
Gi0/2 Forwarding 50.00% 40.00% 0.00%
<output omitted>
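The rising/falling suppression logic behind the level, bps and pps parameters, worked through in Python as an added example that is not part of the course or of Cisco IOS. The per-second samples, the threshold values (taken from the Gi0/1 line of the show storm-control output above, 20 pps upper and 10 pps lower) and the function name are constructed for the illustration; the rule itself is the one the parameter table states: filtering starts when traffic reaches the rising level and continues until it falls below the falling level, which defaults to the rising level when it is not given.

```python
"""Added example (not from the course): the hysteresis in storm control.
'samples' are per-second measurements of one traffic type (broadcast,
multicast, or unicast) on one port, in the same unit as the thresholds
(percent of port bandwidth, bps, or pps). The samples and thresholds used
in the usage section are constructed."""


def storm_control(samples, rising, falling=None, action="filter"):
    """Return (per-interval port states, whether an SNMP trap was sent).
    States are 'forwarding', 'filtering', or 'shutdown'; once shut down the
    port stays down, as it would until errdisable recovery or an operator
    re-enables it. action is 'filter' (the default), 'trap', or 'shutdown'."""
    if falling is None:
        falling = rising                 # no falling level: same as rising
    if falling > rising:
        raise ValueError("falling level must be <= rising level")
    states, trap_sent, suppressing, down = [], False, False, False
    for value in samples:
        if down:
            states.append("shutdown")
            continue
        if not suppressing and value >= rising:        # storm detected
            suppressing = True
            if action == "trap":
                trap_sent = True
            elif action == "shutdown":
                down = True
                states.append("shutdown")
                continue
        elif suppressing and value < falling:          # storm is over
            suppressing = False
        states.append("filtering" if suppressing else "forwarding")
    return states, trap_sent


def percent_to_bps(level_percent, port_bps):
    """Translate a 'level <percent>' threshold into bits per second for a
    port of the given speed, so percent and bps configurations compare."""
    return port_bps * level_percent / 100.0


if __name__ == "__main__":
    # Constructed broadcast rate (pps) over eight seconds on a port configured
    # like Gi0/1 above: upper 20 pps, lower 10 pps.
    rate = [5, 15, 25, 30, 15, 12, 8, 5]
    print(storm_control(rate, rising=20, falling=10))
    print(storm_control(rate, rising=20))              # no falling level
    print(percent_to_bps(75.5, 1_000_000_000))         # 'level 75.5' on 1 Gb/s
```

The two runs in the usage section differ only in the falling level: with lower 10 pps the port keeps filtering through the 15 and 12 pps samples and resumes at 8 pps, whereas with no falling level it resumes as soon as the rate drops under 20 pps, which can make a borderline storm flap between filtering and forwarding every second.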
Mitigating VLAN Attacks
[Figure: two switches joined by a trunk (native VLAN = 10)]
1. Disable trunking on all access ports.
2. Disable auto trunking and manually enable trunking.
3. Be sure that the native VLAN is used only for trunk lines and nowhere else.
Controlling Trunking
Switch(config-if)# switchport mode trunk
Specifies an interface as a trunk link
Switch(config-if)# switchport nonegotiate
Prevents the generation of DTP frames
Switch(config-if)# switchport trunk native vlan vlan_number
Sets the native VLAN on the trunk to an unused VLAN
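Why the third mitigation works, shown with a minimal 802.1Q frame parser and a model of trunk forwarding, as an added Python example; it is not part of the course and not Cisco code. It follows the double-tagging slide earlier: the first switch sends native-VLAN traffic untagged and so removes only the outer tag, and the second switch classifies an untagged frame into its native VLAN. The frame bytes, VLAN numbers, and function names are constructed here.

```python
"""Added example (not from the course): parse 802.1Q tags and model what two
switches do with a double-tagged frame, once with the trunk's native VLAN
equal to the sender's access VLAN (the condition the slide notes the attack
depends on) and once with the native VLAN moved to an unused VLAN, as the
mitigation advises. All frames, MACs and VLAN numbers are constructed."""
import struct

TPID_8021Q = 0x8100


def parse_frame(frame: bytes):
    """Return (dst, src, [VLAN IDs outer to inner], ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    offset, vlans = 12, []
    while struct.unpack("!H", frame[offset:offset + 2])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vlans.append(tci & 0x0FFF)         # low 12 bits of the TCI are the VID
        offset += 4
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    return dst, src, vlans, ethertype, frame[offset + 2:]


def build_frame(dst, src, vlans, ethertype, payload):
    tags = b"".join(struct.pack("!HH", TPID_8021Q, v & 0x0FFF) for v in vlans)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def trunk_egress(frame, native_vlan, forward_vlan):
    """First switch sends a frame that belongs to forward_vlan out its trunk.
    Native-VLAN traffic goes untagged, so when forward_vlan is the native VLAN
    the outer tag is stripped and nothing is put in its place; any other VLAN
    leaves the tags as they are."""
    dst, src, vlans, ethertype, payload = parse_frame(frame)
    if forward_vlan == native_vlan and vlans and vlans[0] == native_vlan:
        vlans = vlans[1:]                  # only the native tag is removed
    return build_frame(dst, src, vlans, ethertype, payload)


def trunk_ingress_vlan(frame, native_vlan):
    """Second switch: an untagged frame belongs to the native VLAN, a tagged
    frame to the VLAN in its outer tag."""
    vlans = parse_frame(frame)[2]
    return vlans[0] if vlans else native_vlan


def delivered_vlan(access_vlan, inner_tag, native_vlan):
    """VLAN in which the second switch delivers a frame that arrived on an
    access port in access_vlan carrying the tags [access_vlan, inner_tag]."""
    frame = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01",
                        [access_vlan, inner_tag], 0x0800, b"constructed payload")
    on_wire = trunk_egress(frame, native_vlan, forward_vlan=access_vlan)
    return trunk_ingress_vlan(on_wire, native_vlan)


if __name__ == "__main__":
    print("native VLAN 10 :", delivered_vlan(10, 20, native_vlan=10))    # 20
    print("native VLAN 999:", delivered_vlan(10, 20, native_vlan=999))   # 10
```

With the native VLAN equal to the sender's VLAN the outer tag disappears on the trunk and the inner tag is honoured downstream; with a dedicated, unused native VLAN the outer tag stays on the wire and the frame is delivered back into the sender's own VLAN, which is what "switchport trunk native vlan" to an unused VLAN achieves. This is the reasoning behind the VLAN practice of never using VLAN 1 (the default native VLAN) for anything.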
Traffic Analysis
A SPAN port mirrors traffic to another port where a monitoring device is connected.
Without this, it can be difficult to track hackers after they have entered the network.
[Figure: an attacker's traffic is mirrored to a port where an IDS, RMON probe, or protocol analyzer raises an "Intruder Alert!"]
CLI Commands
Switch(config)# monitor session session_number source {interface interface-id [, | -] [both | rx | tx]} | {vlan vlan-id [, | -] [both | rx | tx]} | {remote vlan vlan-id}
Switch(config)# monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate] [ingress {dot1q vlan vlan-id | isl | untagged vlan vlan-id | vlan vlan-id}]} | {remote vlan vlan-id}
Verify SPAN Configuration
SPAN and IDS
[Figure: use SPAN to mirror traffic in and out of port F0/1 (attacker) to port F0/2 (IDS)]
Overview of RSPAN
An RSPAN port mirrors traffic to another port on another switch where a probe or IDS sensor is connected.
This allows more switches to be monitored with a single probe or IDS.
[Figure: source VLANs on several switches are carried over the RSPAN VLAN to the switch where the IDS is attached ("Intruder Alert!")]
Configuring RSPAN
[Figure: switches 2960-1 and 2960-2 connected by a trunk]
1. Configure the RSPAN VLAN
2. Configure the RSPAN source ports and VLANs
3. Configure the RSPAN traffic to be forwarded
2960-1(config)# vlan 100
2960-1(config-vlan)# remote-span
2960-1(config-vlan)# exit
2960-1(config)# monitor session 1 source interface FastEthernet 0/1
2960-1(config)# monitor session 1 destination remote vlan 100 reflector-port FastEthernet 0/24
2960-1(config)# interface FastEthernet 0/2
2960-1(config-if)# switchport mode trunk
2960-2(config)# monitor session 2 source remote vlan 100
2960-2(config)# monitor session 2 destination interface FastEthernet 0/3
2960-2(config)# interface FastEthernet 0/2
2960-2(config-if)# switchport mode trunk
Verifying RSPAN Configuration
show monitor [session {session_number | all | local | range list | remote} [detail]] [ | {begin | exclude | include} expression]
[Figure: switches 2960-1 and 2960-2]
Layer 2 Guidelines
Manage switches in as secure a manner as possible (SSH, out-of-band management, ACLs, etc.)
Set all user ports to non-trunking mode (except if using Cisco VoIP)
Use port security where possible for access ports
Enable STP attack mitigation (BPDU guard, root guard)
Use Cisco Discovery Protocol only where necessary (with phones it is useful)
Configure PortFast on all non-trunking ports
Configure root guard on STP root ports
Configure BPDU guard on all non-trunking ports
VLAN Practices
Always use a dedicated, unused native VLAN ID for trunk ports
Do not use VLAN 1 for anything
Disable all unused ports and put them in an unused VLAN
Manually configure all trunk ports and disable DTP on trunk ports
Configure all non-trunking ports with switchport mode access
Overview of Wireless, VoIP Security
Overview of SAN Security
Infrastructure-Integrated Approach
Proactive threat and intrusion detection capabilities that do not simply detect wireless attacks but prevent them
Comprehensive protection to safeguard confidential data and communications
Simplified user management with a single user identity and policy
Collaboration with wired security systems
Cisco IP Telephony Solutions
Single-site deployment
Centralized call processing with remote branches
Distributed call-processing deployment
Clustering over the IP WAN
Storage Network Solutions
Investment protection
Virtualization
Security
Consolidation
Availability
Cisco Wireless LAN Controllers
Responsible for system-wide wireless LAN functions
Work in conjunction with APs and the Cisco Wireless Control System (WCS) to support wireless applications
Smoothly integrate into existing enterprise networks
Wireless Hacking
War driving
A neighbor hacks into another neighbor's wireless network to get free Internet access or to access information
Free Wi-Fi provides an opportunity to compromise the data of users
Hacking Tools
Network Stumbler
Kismet
AirSnort
CoWPAtty
ASLEAP
Wireshark
Safety Considerations
Wireless networks using WEP or WPA/TKIP are not very secure and are vulnerable to hacking attacks.
Wireless networks using WPA2/AES should have a passphrase of at least 21 characters.
If an IPsec VPN is available, use it on any public wireless LAN.
If wireless access is not needed, disable the wireless radio or wireless NIC.
VoIP Business Advantages
Lower telecom call costs
Productivity increases
Lower costs to move, add, or change
Lower ongoing service and maintenance costs
Little or no training costs
No major set-up fees
Enables unified messaging
Encryption of voice calls is supported
Fewer administrative personnel required
[Figure: VoIP gateway connecting to the PSTN]
VoIP Components
[Figure: an IP backbone connecting Cisco Unified Communications Manager (call agent), an MCU, Cisco Unity, IP phones, a videoconference station, and routers/gateways to the PSTN]
VoIP Protocols
VoIP Protocol: Description
H.323: ITU standard protocol for interactive conferencing; evolved from the H.320 ISDN standard; flexible, complex
MGCP: Emerging IETF standard for PSTN gateway control; thin device control
Megaco/H.248: Joint IETF and ITU standard for gateway control with support for multiple gateway types; evolved from the MGCP standard
SIP: IETF protocol for interactive and noninteractive conferencing; simpler but less mature than H.323
RTP: IETF standard media-streaming protocol
RTCP: IETF protocol that provides out-of-band control information for an RTP flow
SRTP: IETF protocol that encrypts RTP traffic as it leaves the voice device
SCCP: Cisco proprietary protocol used between Cisco Unified Communications Manager and Cisco IP phones
Threats
Reconnaissance
Directed attacks such as spam over IP telephony (SPIT) and spoofing
DoS attacks such as DHCP starvation, flooding, and fuzzing
Eavesdropping and man-in-the-middle attacks
VoIP SPIT
If SPIT grows like spam, it could result in regular DoS problems for network administrators.
Antispam methods do not block SPIT.
Authenticated TLS stops most SPIT attacks because TLS endpoints accept packets only from trusted devices.
[Figure: SPIT call: "You've just won an all expenses paid vacation to the U.S. Virgin Islands!!!"]
Fraud
Fraud takes several forms:
Vishing: a voice version of phishing that is used to compromise confidentiality.
Theft and toll fraud: the stealing of telephone services.
Use features of Cisco Unified Communications Manager to protect against fraud:
Partitions limit what parts of the dial plan certain phones have access to.
Dial plan filters control access to exploitive phone numbers.
FACs prevent unauthorized calls and provide a mechanism for tracking.
SIP Vulnerabilities
Registration hijacking: allows a hacker to intercept incoming calls and reroute them.
Message tampering: allows a hacker to modify data packets traveling between SIP addresses.
Session tear-down: allows a hacker to terminate calls or carry out VoIP-targeted DoS attacks.
[Figure: SIP user agents, a SIP proxy, registrars, and the location database (SIP servers/services)]
Using VLANs
Creates a separate broadcast domain for voice traffic
Protects against eavesdropping and tampering
Renders packet-sniffing tools less effective
Makes it easier to implement VACLs that are specific to voice traffic
[Figure: an IP phone (10.1.110.3) in voice VLAN 110 and a desktop PC (171.1.1.1) in data VLAN 10 share switch port 5/1 over an 802.1Q trunk]
Using Cisco ASA Adaptive Security Appliances
Ensure SIP, SCCP, H.323, and MGCP requests conform to standards
Prevent inappropriate SIP methods from being sent to Cisco Unified Communications Manager
Rate limit SIP requests
Enforce policy of calls (whitelist, blacklist, caller/called party, SIP URI)
Dynamically open ports for Cisco applications
Enable only registered phones to make calls
Enable inspection of encrypted phone calls
[Figure: Cisco Adaptive Security Appliances at the Internet edge and the WAN edge]
Using VPNs
Use IPsec for authentication
Use IPsec to protect all traffic, not just voice
Consider SLA with service provider
Terminate on a VPN concentrator or large router inside of firewall to gain these benefits:
Performance
Reduced configuration complexity
Managed organizational boundaries
[Figure: IP WAN between the telephony servers and an SRST router]
Using Cisco Unified Communications Manager
Signed firmware
Signed configuration files
Disable:
PC port
Setting button
Speakerphone
Web access
SAN Security Considerations
[Figure: a SAN attached to the IP network]
Specialized network that enables fast, reliable access among servers and external storage resources
SAN Transport Technologies
Fibre Channel: the primary SAN transport for host-to-SAN connectivity
iSCSI: maps SCSI over TCP/IP and is another host-to-SAN connectivity model
FCIP: a popular SAN-to-SAN connectivity model
[Figure: LAN]
World Wide Name
A 64-bit address that Fibre Channel networks use to uniquely identify each element in a Fibre Channel network
Zoning can utilize WWNs to assign security permissions
The WWN of a device is a user-configurable parameter.
[Figure: Cisco MDS 9020 Fabric Switch]
Zoning Operation
Zone members see only
other members of the zone.
Zones can be configured
dynamically based on WWN.
Devices can be members of
more than one zone.
Switched fabric zoning can
take place at the port or
device level: based on
physical switch port or based
on device WWN or based on
LUN ID.
[Figure: example of zoning. Host1, Host2 and Disk1 to Disk4 are grouped into Zone A, Zone B and Zone C; note that devices can be members of more than one zone]
92
Virtual Storage Area Network (VSAN)
Physical SAN islands
are virtualized onto
common SAN
infrastructure
[Figure: Cisco MDS 9000 Family with VSAN Service]
93
Security Focus
[Figure: SAN security focus areas: secure SAN protocol, IP storage access, data integrity and secrecy, target access, SAN management access, fabric access]
94
SAN Management
Three main areas of vulnerability:
1. Disruption of switch processing
2. Compromised fabric stability
3. Compromised data integrity and confidentiality
95
Fabric and Target Access
Three main areas of focus:
Application data integrity
LUN integrity
Application performance
96
VSANs
Two VSANs each with
multiple zones. Disks and
hosts are dedicated to
VSANs although both
hosts and disks can belong
to multiple zones within a
single VSAN. They cannot,
however, span VSANs.
[Figure: relationship of VSANs to zones. The physical topology is partitioned into VSAN 2 (Host1, Host2, Disk1 to Disk4 in Zones A, B and C) and VSAN 3 (Host3, Host4, Disk5 and Disk6 in Zones A and D)]
97
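The zoning and VSAN rules on the slides above, as an added worked example that is not Cisco MDS code and not part of the original deck. The device names follow the figure; the VSAN assignments, zone memberships and WWNs are constructed for the example. It also shows what the user-configurable WWN from the World Wide Name slide means in practice: a port that presents a victim's WWN inherits that device's zone visibility, but only when the port sits in the victim's VSAN.

```python
"""Zoning and VSAN visibility model (constructed example, not MDS code).

A device sees another only when both are in the same VSAN and share at
least one zone in that VSAN's active zoneset.  Zone names are local to a
VSAN, so "ZoneA" in VSAN 2 and "ZoneA" in VSAN 3 are unrelated.  Zones are
keyed by port WWN (soft zoning), which is why a host that presents a
victim's WWN inherits the victim's view inside the victim's VSAN.
"""

# Constructed fabric mirroring the slide's figure; the WWNs are made up.
# Each device: (VSAN of the switch port it is attached to, port WWN it presents)
DEVICES = {
    "Host1": (2, "21:00:00:e0:8b:00:00:01"),
    "Host2": (2, "21:00:00:e0:8b:00:00:02"),
    "Disk1": (2, "50:06:01:60:00:00:00:01"),
    "Disk2": (2, "50:06:01:60:00:00:00:02"),
    "Disk3": (2, "50:06:01:60:00:00:00:03"),
    "Disk4": (2, "50:06:01:60:00:00:00:04"),
    "Host3": (3, "21:00:00:e0:8b:00:00:03"),
    "Host4": (3, "21:00:00:e0:8b:00:00:04"),
    "Disk5": (3, "50:06:01:60:00:00:00:05"),
    "Disk6": (3, "50:06:01:60:00:00:00:06"),
}
NAME_OF = {wwn: name for name, (_, wwn) in DEVICES.items()}


def _wwns(*names):
    return frozenset(DEVICES[n][1] for n in names)


# Active zoneset per VSAN: zone name -> member port WWNs.  Disk2 is in two zones.
ZONESETS = {
    2: {"ZoneA": _wwns("Host1", "Disk1", "Disk2"),
        "ZoneB": _wwns("Host2", "Disk2", "Disk3"),
        "ZoneC": _wwns("Host2", "Disk4")},
    3: {"ZoneA": _wwns("Host3", "Disk5"),          # same name as in VSAN 2, unrelated zone
        "ZoneD": _wwns("Host4", "Disk5", "Disk6")},
}


def visible_wwns(vsan, presented_wwn):
    """WWNs a port in `vsan` can see after logging in with `presented_wwn`.

    Union of every zone in that VSAN containing the WWN, minus the WWN itself.
    A WWN zoned only in another VSAN sees nothing here.
    """
    seen = set()
    for members in ZONESETS.get(vsan, {}).values():
        if presented_wwn in members:
            seen |= members
    seen.discard(presented_wwn)
    return seen


def visible_names(vsan, presented_wwn):
    return sorted(NAME_OF[w] for w in visible_wwns(vsan, presented_wwn))


def can_see(src, dst):
    """True if device `src` can reach device `dst`: same VSAN and a shared zone."""
    src_vsan, src_wwn = DEVICES[src]
    dst_vsan, dst_wwn = DEVICES[dst]
    return src_vsan == dst_vsan and dst_wwn in visible_wwns(src_vsan, src_wwn)


def spoofed_view(attacker_vsan, victim):
    """Targets an attacker sees when its port (in `attacker_vsan`) presents the
    victim's WWN: WWN zoning hands over the victim's targets, but only if the
    attacker's port is also in the victim's VSAN."""
    return visible_names(attacker_vsan, DEVICES[victim][1])


if __name__ == "__main__":
    for host in ("Host1", "Host2", "Host3", "Host4"):
        print(host, "->", visible_names(*DEVICES[host]))
    print("attacker in VSAN 2 spoofing Host1:", spoofed_view(2, "Host1"))
    print("attacker in VSAN 3 spoofing Host1:", spoofed_view(3, "Host1"))
```

Port-based (hard) zoning would key `ZONESETS` on switch interfaces instead of WWNs, which is what removes the spoofing case shown by `spoofed_view`.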
iSCSI and FCIP
iSCSI leverages many of the security features inherent
in Ethernet and IP, and adds its own CHAP authentication of initiators
ACLs are like Fibre Channel zones
VLANs are like Fibre Channel VSANs
802.1X port security is like Fibre Channel port security
FCIP security leverages many IP security features in
Cisco IOS-based routers:
IPsec VPN connections through public carriers
High-speed encryption services in specialized hardware
Can be run through a firewall
98
Implementing Cisco Edge
Network Security Solutions
(300-206)
Module 2
Access Lists
100
Objectives
Describe the usage and rules of access lists
Establish standard IP access lists
Produce extended IP access lists
Apply access lists to interfaces
Monitor and verify access lists
101
Objectives (continued)
Create named access lists
Use Security Device Manager to create standard
and extended IP access lists
Use Security Device Manager to create a router
firewall
102
Access Lists: Usage and Rules
Access lists
Permit or deny statements that filter traffic based on
the source address, destination address, protocol
type, and port number of a packet
Available for IP, IPX, AppleTalk, and many other
protocols
103
Access List Usage
You can create a standard access list that examines
a packet for the packet's source header information
deny any statement
Implicitly blocks all packets that do not meet the
requirements of the access list
Exists even though it is not shown as part of the
access list
With careful planning, you can create access lists
that control which traffic crosses particular links
And which segments of your network will have access
to others
104
Problems with Access Lists
Lack of planning is one of the most common
problems associated with access lists
The need to enter the list sequentially into the router
also presents problems
You cannot move individual statements once they are
entered; a new line is always appended to the end of the list
When making changes to a numbered list, you must remove the list,
using the no access-list [list number]
command, and then retype the commands (named lists, and numbered
lists edited in ip access-list mode, support sequence numbers so
single lines can be inserted or deleted instead)
Access lists begin working the second they are
applied to an interface; note that an interface which references a
list that does not exist passes all traffic, so remove the list from
the interface before deleting and rebuilding it
106
Access List Rules
Example of the structure of a standard IP access
list:
RouterA(config)#access-list 1 deny 172.22.5.2 0.0.0.0
RouterA(config)#access-list 1 deny 172.22.5.3 0.0.0.0
RouterA(config)#access-list 1 permit any
Router applies each line in the order in which you
type it into the access list
The no access-list [list #] command is
used to remove an access list
107
Access List Rules (continued)
As a general rule, the lines with the most potential
matches should be first in the list
So that packets will not undergo unnecessary
processing, but only where reordering does not change which line a
packet matches first (a specific deny must stay above a broader
permit that would also match the same packets)
You should avoid unnecessarily long access lists
After you create access lists, you must apply them
to interfaces so they can begin filtering traffic
You apply a list as either an outgoing or an incoming
filter
109
Access List Rules (continued)
In summary, all access lists follow these rules:
Routers apply lists sequentially in the order in which
you type them into the router
Routers apply lists to packets sequentially, from the
top down, one line at a time
Packets are processed only until a match is made
Lists always end with an implicit deny
Access lists must be applied to an interface as either
inbound or outbound traffic filters
Only one list, per protocol, per direction can be
applied to an interface
Access lists are effective as soon as they are applied
110
Standard IP Access Lists
Standard IP access lists
Filter network traffic based on the source IP address
only
Using a standard IP access list, you can filter traffic
by a host IP, subnet, or a network address
Configure standard IP access lists:
access-list [list #] [permit|deny] [source address] [source wildcard mask]
Routers use wildcards to determine which bits in an
address will be significant
111
Standard IP Access List Examples
Standard IP access lists permit or deny packets
based only on the source address
Addresses can be a single host address, a subnet
address, or a full network address
117
Standard IP Access List Examples
(continued)
Correct placement of a list is imperative
To view the access lists defined on your router, use
the show access-lists command
For IP access lists you could also use the show ip
access-lists command
If you decide that an access list needs to be
removed from an interface
You can remove it with the no ip access-group
[list #] [in | out] command
120
Standard IP Access List Examples
(continued)
Application of the list as an outbound filter on
FastEthernet0/0
See Figure 10-15
Use the show access-lists or show ip
access-lists command followed by the show
ip interface command
To verify that the list has been entered and applied
correctly
126
Monitoring Standard IP Access Lists
Three main commands are available for monitoring
access lists on your router
show access-lists
show ip access-lists
show interfaces or show ip interface
Use the no access-list [list #] command
to remove the list
Use the no ip access-group [list #] [direction]
command to remove the application of the list
130
Extended IP Access Lists
Extended IP access lists
Can filter by source IP address, destination IP
address, protocol type, and application port number
This granularity allows you to design extended IP
access lists that:
Permit or deny a single type of IP protocol
Filter by a particular port of a particular protocol
131
Extended IP Access Lists (continued)
To configure extended IP access lists, you must
create the list and then apply it to an interface using
the following syntax
access-list [list #] [permit|deny] [protocol] [source IP address] [source wildcard mask] [operator] [port] [destination IP address] [destination wildcard mask] [operator] [port] [log]
132
Extended IP Access List Examples
133
The Established Parameter
Established parameter
Permits TCP traffic from any host on any network to a
destination inside the network, as long as the segment looks like part
of an existing session (its ACK or RST flag is set), so replies to
connections initiated inside the network pass while inbound SYNs do not
Example:
access-list 100 permit tcp any 15.0.0.0 0.255.255.255 established
Caveat: established is a stateless flag check, not connection
tracking; a crafted packet with the ACK bit set matches it, so use a
stateful mechanism (reflexive ACLs, CBAC or the zone-based firewall)
where that matters
137
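An added worked example, not Cisco code: a small Python model of the numbered access-list syntax from the Standard and Extended IP Access Lists slides, covering wildcard-mask matching, top-down first-match evaluation, the implicit deny and the established keyword. The lists it evaluates are the ones shown on these slides; the packets, the outside address 203.0.113.9 and the inside address 15.1.1.1 are constructed. Running it shows why established is only a flag check: a probe with the ACK bit set and no real session behind it is permitted just like a genuine reply.

```python
"""Toy evaluator for the IOS access-list lines used on these slides.

Standard (1-99, 1300-1999):  access-list N permit|deny SRC
Extended (100-199, 2000-2699): access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established]
SRC/DST is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.  First match wins; an
unmatched packet hits the implicit deny.  'established' is a stateless ACK/RST test.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = (0, 0xFFFFFFFF)


@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    tcp_flags: frozenset = frozenset()


@dataclass
class Entry:
    action: str
    proto: str                      # "ip" matches every protocol
    src: Tuple[int, int]            # (address, wildcard mask) as integers
    dst: Tuple[int, int]
    sport: Optional[int]
    dport: Optional[int]
    established: bool
    text: str
    matches: int = 0                # the per-line count 'show access-lists' reports


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _addr(tokens):
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(tok), _ip(tokens.pop(0))


def _port(tokens):
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None


def parse(line):
    """Parse one 'access-list ...' line into an Entry."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(line)
    number, action, rest = int(t[1]), t[2], t[3:]
    if 1 <= number <= 99 or 1300 <= number <= 1999:     # standard: source only
        return Entry(action, "ip", _addr(rest), ANY, None, None, False, line)
    proto = rest.pop(0)
    src, sport = _addr(rest), _port(rest)
    dst, dport = _addr(rest), _port(rest)
    return Entry(action, proto, src, dst, sport, dport, "established" in rest, line)


def _addr_match(spec, addr):
    net, wild = spec
    care = ~wild & 0xFFFFFFFF       # wildcard bit 1 = don't care, 0 = must match
    return (_ip(addr) & care) == (net & care)


def evaluate(entries, pkt):
    """Return 'permit' or 'deny' for pkt: top-down, first match, implicit deny."""
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (_addr_match(e.src, pkt.src) and _addr_match(e.dst, pkt.dst)):
            continue
        if e.sport is not None and e.sport != pkt.sport:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        if e.established and not (pkt.tcp_flags & {"ACK", "RST"}):
            continue
        e.matches += 1
        return e.action
    return "deny"


def demo():
    """Constructed packets against the lists shown on the slides."""
    std = [parse(l) for l in ("access-list 1 deny 172.22.5.2 0.0.0.0",
                              "access-list 1 deny 172.22.5.3 0.0.0.0",
                              "access-list 1 permit any")]
    net = [parse("access-list 13 permit 192.168.12.0 0.0.0.255")]
    est = [parse("access-list 100 permit tcp any 15.0.0.0 0.255.255.255 established")]
    out = "203.0.113.9"                                   # constructed outside host
    return {
        "blocked host": evaluate(std, Packet("tcp", "172.22.5.2", "10.0.0.1")),
        "other host": evaluate(std, Packet("tcp", "172.22.5.4", "10.0.0.1")),
        "in subnet": evaluate(net, Packet("tcp", "192.168.12.200", "10.0.0.1")),
        "off subnet": evaluate(net, Packet("tcp", "192.168.13.1", "10.0.0.1")),
        # new connection from outside (SYN only): nothing matches, implicit deny
        "inbound syn": evaluate(est, Packet("tcp", out, "15.1.1.1", 40000, 80, frozenset({"SYN"}))),
        # reply to a session started inside: ACK set, permitted
        "reply": evaluate(est, Packet("tcp", out, "15.1.1.1", 80, 40000, frozenset({"ACK"}))),
        # crafted probe with only ACK set and no session behind it: also permitted
        "ack probe": evaluate(est, Packet("tcp", out, "15.1.1.1", 40000, 22, frozenset({"ACK"}))),
        "udp to inside": evaluate(est, Packet("udp", out, "15.1.1.1", 53, 53)),
    }
```

Call `demo()` to get the verdict for each constructed packet; the `matches` counter on each `Entry` mirrors the hit counts that `show access-lists` displays per line.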
Monitoring Extended IP Access Lists
The same commands used to monitor standard IP
access lists are used to monitor extended IP access
lists
Both standard and extended IP lists keep a per-line count of the
packets that matched each line, displayed by show access-lists
The clear access-list counters [list #]
command clears the counters
The no access-list [list#] command removes
the list
The no ip access-group [list#] [direction]
command removes the application of the list
138
Using Named Lists
Named access lists
In Cisco IOS versions 11.2 and above, names instead
of numbers can be used to identify lists
To name a standard IP access list, use the following
syntax:
RouterC(config)#ip access-list standard [name]
To name an extended IP access list, use the
following syntax:
RouterC(config)#ip access-list extended [name]
141
Using Named Lists (continued)
Once the list is named, the permit or deny
statements are entered in the ip access-list submode
The commands follow the same syntax as unnamed
lists
The access-list [list #] prefix is not included
To apply a standard IP named list to an interface,
the syntax is:
RouterC(config-if)#ip access-group [name] [in | out]
142
Using Named Lists (continued)
Advantages:
Allows you to maintain security by using an easily
identifiable access list
Removes the limit imposed by the numbered ranges (originally 1-99 for standard and 100-199 for extended lists)
With named access lists lines can be selectively
deleted in the ACL
Named ACLs provide greater flexibility to network
administrators who work in environments where large
numbers of ACLs are needed
143
Controlling VTY Line Access
Access lists are used for both traffic flow and
security
One useful security feature of access lists is
restricting access to telnet on your router
By controlling VTY line access
You must first create a standard IP access list that
permits the management workstation
RouterA(config)#access-list 12 permit 192.168.12.12 0.0.0.0
Then, it must be applied to the VTY lines
access-class [acl #] in | out
144
Controlling VTY Line Access
(continued)
To apply access list 12 to the VTY lines, use the
following command:
RouterA(config)#line vty 0 4
RouterA(config-line)#access-class 12 in
The commands to restrict access to the VTY lines to
network 192.168.12.0/24 only are:
RouterA(config)#access-list 13 permit 192.168.12.0 0.0.0.255
RouterA(config)#line vty 0 4
RouterA(config-line)#access-class 13 in
145
Using Security Device Manager to
Create Access Control Lists
Using the SDM, an administrator can accomplish all
the tasks that formerly required use of the CLI
SDM allows you to easily create a standard or an
extended access list or, as it is known in the SDM,
an Access Control List (ACL)
146
Using Security Device Manager to
Create a Router Firewall
The SDM Firewall Wizard configures a router as a stateful firewall
(Cisco IOS Firewall inspection plus the matching ACLs); the same
result can be built from the CLI, but the wizard generates the
configuration for you
153
Summary
Access lists are one of the most important IOS
tools for controlling network traffic and security
Access lists are created in a two-step process
All access lists are created sequentially and
applied sequentially to all packets that enter or leave an
interface in the direction where the list is applied
By default, access lists always end in an implicit
deny any statement
Only one access list per direction (inbound or
outbound) per protocol can be applied to an
interface
160
Summary (continued)
Standard IP access lists allow you to filter traffic
based on the source IP address of a packet
Extended IP access lists filter traffic based on
source, destination, protocol type, and application
type
Access lists can be used to restrict telnet by
controlling VTY line access
Numbered access lists are identified by ranges of numbers that indicate the list type (1-99 and 1300-1999 for standard IP, 100-199 and 2000-2699 for extended IP)
161
Summary (continued)
The SDM can be used to configure both standard
and extended ACLs via the Additional Tasks
configuration tab
The SDM can be used to configure a router as
either a Basic or Advanced firewall
The main difference between a Basic and
Advanced firewall is the ability to configure DMZ
interfaces in the Advanced firewall setup wizard
CCNA Guide to Cisco
Networking Fundamentals
Fourth Edition
Chapter 14
Network Security
163
Objectives
Distinguish between the different types of network
security threats
Explain how to mitigate network security threats
Implement SSH on Cisco routers and switches
Configure VPNs with the Cisco Security Device
Manager
164
General Network Security
Security policy
An organization's set of rules regarding how to handle
and protect sensitive data
A security policy should include:
Physical security
Acceptable use of applications
Safeguarding data
Remote access to the network
Data center
Wireless security
165
General Network Security (continued)
An effective security policy implements multiple
layers of security
A security policy should have three goals:
To prevent the hacker from getting access to critical
data
To slow down the hacker enough to be caught
To frustrate the hacker enough to cause him or her to
quit the hacking attempt
When designing a security policy, take care to
specify exactly what you are trying to protect
166
Protecting the Hardware
The first level of security in any network is physical
security
Critical nodes of an organization should be
separated from the general workforce
The nodes should be kept in a central location
where only a select group of people are allowed
If office space is limited and nodes must be located
near employees
The servers should at least be stored in a locked
cabinet
167
Protecting Software
The primary threats against software are malware
and hackers
Malware
Refers to malicious programs that have many
different capabilities
Hackers are usually driven by greed, ego, and/or
vengeance
They look to make personal gains through system
vulnerabilities
169
Malware Prevention
The most important elements of a prevention plan
Installing and maintaining virus prevention software
Conducting virus awareness training for network
users
Types of malware
Virus
Worm
Macro Virus
Polymorphic Virus
Stealth Virus
170
Malware Prevention (continued)
Types of malware (continued)
Boot-Sector Virus
Trojan or Trojan Horse
Logic Bomb
Virus prevention software
Available for installation on entire networks
Usually includes a version that will run on clients as
well as servers
Must be updated regularly to ensure your network is
protected against all the latest malware threats
171
Malware Prevention (continued)
User training
Users must be trained to update their antivirus
software daily or, at a bare minimum, weekly
Users also must learn how viruses are transmitted
between computers
Teach users to scan removable devices with the virus
scanning software before using them
172
Firewalls
Firewall
The primary method of keeping hackers out of a
network
Normally placed between a private LAN and the
public Internet, where they act like gatekeepers
Can be a hardware device or it can be software
Types: personal and enterprise
All data packets entering or exiting the network
have to pass through an enterprise-level firewall
Firewall filters (or analyzes) packets
173
Firewalls (continued)
Four firewall topologies
Packet-filtering router
Single-homed bastion
Dual-homed bastion
Demilitarized zone (DMZ)
174
Firewalls (continued)
Intrusion Detection Systems (IDS)
A security device that can detect a hacker's attempts
to gain access to the network
Can also detect virus outbreaks, worms, and
distributed denial of service (DDoS) attacks
Intrusion Prevention Systems (IPS)
Like an IDS, except that it is placed in line so all
packets coming in or going out of the network pass
through it
This allows an IPS to drop packets based on rules
defined by the network administrator
179
Permissions, Encryption, and
Authentication
Permission
An official approval that allows a user to access a
specific network resource
Encryption
Often consists of using security algorithms to
scramble and descramble data
Types of algorithms
Symmetric key
Asymmetric key
180
Permissions, Encryption, and
Authentication (continued)
Secure Sockets Layer (SSL), succeeded by Transport Layer Security (TLS)
A means of encrypting a session between two hosts; the server proves
its identity with a digital certificate (asymmetric key encryption),
and the session data is then protected with symmetric keys negotiated
during the handshake
Authentication
The process by which users verify to a server that
they are who they say they are
There are several types of authentication
Password authentication protocol (PAP): the password is sent in clear text
Challenge handshake authentication protocol (CHAP): the client answers
a random challenge with a hash of the challenge and the password, so
the password itself never crosses the link
183
Permissions, Encryption, and
Authentication (continued)
Additional authentication services supported by
Cisco:
Remote Authentication Dial-in User Service (RADIUS): runs over UDP,
encrypts only the password in the request, combines authentication
and authorization
Terminal Access Controller Access Control System
Plus (TACACS+): runs over TCP, encrypts the whole packet body,
separates authentication, authorization and accounting, so it is
preferred for per-command authorization on network devices
These two common security protocols are based on
the Authentication, Authorization, and
Accounting (AAA) model
184
Mitigating Security Threats
The three basic strategies for mitigating security
threats are:
Using the SSH protocol to connect to your routers and
switches rather than telnet
Turning off unnecessary services
Keeping up-to-date on security patches (software
releases) with a patch management initiative
185
Secure Shell (SSH) Connections
Secure Shell (SSH) protocol
Sends all data encrypted
The two versions of SSH are SSH Version 1 and SSH
Version 2
SSH Version 2 is the recommended version; SSH Version 1 has known
protocol weaknesses and should not be enabled
Some SSH commands are mandatory and others
are optional
You must also generate an RSA key pair
(asymmetric key encryption)
Which enables SSH
186
Secure Shell (SSH) Connections
(continued)
The preferred method is to implement SSH on all
VTY lines
Which ensures that all remote IP sessions to the
router will be protected in the SSH tunnel
The command sequence for enabling SSH is:
Router(config)#hostname SshRouter
SshRouter(config)#ip domain-name sshtest.com
SshRouter(config)#crypto key generate rsa modulus 2048
The name of the keys will be: SshRouter.sshtest.com
SshRouter(config)#ip ssh version 2
SshRouter(config)#username admin privilege 15 secret <strong-password>
SshRouter(config)#line vty 0 4
SshRouter(config-line)#transport input ssh
SshRouter(config-line)#login local
The hostname and domain name must be set first because they form the
key name; transport input ssh removes telnet from the VTY lines
187
Disabling Unnecessary Services
You should disable these services unless your
organization uses them
Methods
Go through the CLI and enter a series of commands
for each service
Use the Security Audit Wizard in the Cisco Security
Device Manager (SDM)
The following services are unnecessary on most
networks:
Finger Service
PAD Service
188
Disabling Unnecessary Services
(continued)
The following services are unnecessary on most
networks: (continued)
TCP Small Servers Service
UDP Small Servers Service
IP Bootp Server Service
Cisco Discovery Protocol (CDP)
IP Source Route
Maintenance Operations Protocol (MOP)
Directed Broadcast
189
Disabling Unnecessary Services
(continued)
The following services are unnecessary on most
networks: (continued)
ICMP Redirects
Proxy ARP
IDENT
IPv6
190
Patch Management
Your organization's patch management program
should account for all software in the organization
Including commercial applications as well as
applications developed in-house
A patch management program should take into
account the major software vendors' patch release
schedules
As well as your organization's business goals and
needs
Not all patches released by vendors are flawless, so test them on
non-production systems before broad deployment
191
Virtual Private Networks (VPNs)
Virtual Private Networks (VPNs)
A popular technology for creating a connection
between an external computer and a corporate site
over the Internet
To establish a VPN connection, you need VPN-
capable components
Client-to-site VPN (also known as remote user
VPN)
A VPN that allows designated users to have access to
the corporate network from remote locations
192
Virtual Private Networks (VPNs)
Site-to-site VPN
A VPN that allows multiple corporate sites to be
connected over low-cost Internet connections
You can choose from several tunneling protocols to
create end-to-end tunnels
Point-to-Point Tunneling Protocol (PPTP): its MPPE/MS-CHAPv2
protection is broken and should not be relied on
Layer 2 Tunneling Protocol (L2TP): no encryption of its own, normally
run as L2TP/IPsec
Generic Routing Encapsulation (GRE): no encryption of its own,
normally run as GRE over IPsec
Only the IPsec layer makes these tunnels secure; the tunneling
protocol provides the encapsulation (and, for GRE, carries multicast
and routing-protocol traffic that plain IPsec cannot)
194
IPSec
IPSec
A suite of protocols, accepted as an industry
standard, which provides secure data transmission
over layer 3 of the OSI model
An IP standard: it protects only IP packets, so other protocols
must first be encapsulated in IP (for example with GRE)
IPSec supports two modes of operation: transport
mode and tunnel mode
196
IPSec (continued)
Transport mode
Protects only the payload of each IP packet; the original IP
header is kept, so the IPsec endpoints must be the hosts that
communicate (host-to-host)
Tunnel mode
Encapsulates the entire original IP packet, header included, inside
a new IP packet addressed between the IPsec gateways, so hosts
behind the gateways need no IPsec of their own
Cisco routers and ASAs support both modes; tunnel mode is the
default and the usual choice for site-to-site VPNs
197
IPSec Protocols
Two IPSec protocols have been developed to
provide packet-level security:
Authentication Header (AH): integrity and data-origin authentication
of the whole packet, including the IP header, but no encryption;
because the header is covered, AH fails through NAT
Encapsulating Security Payload (ESP): encryption of the payload plus
optional integrity and origin authentication; the usual choice
198
IPSec Authentication Algorithms
Authentication algorithms use a Hashed Message Authentication Code
(HMAC) built on a hash function:
MD5 (message-digest algorithm 5), deprecated
SHA-1 (secure hash algorithm), deprecated for new deployments in
favour of SHA-2 (for example HMAC-SHA-256)
An HMAC is a secret key authentication algorithm
that ensures data integrity and data-origin authentication; it is
only as strong as the secrecy of the shared key
The key itself is not exchanged by the HMAC: it is derived on both
peers by the key management protocol (IKE) or configured manually
199
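An added Python example, not Cisco or IPsec implementation code, that ties together the transport/tunnel mode, AH and HMAC slides above. It builds simplified AH packets (20-byte IPv4 headers without options, checksum left at zero, a 256-bit key hard-coded here where IKE would normally derive it) in both modes, computes the HMAC-SHA-256-128 integrity check value over the header with its mutable fields zeroed, and then shows that a TTL decrement still verifies while a NAT rewrite of the outer address does not. The inner packet, gateway addresses and key are all constructed.

```python
"""AH-style integrity check in IPsec tunnel and transport mode (constructed
example).  The ICV is an HMAC over the packet under a shared key; tunnel mode
wraps the whole original packet inside a new IP header while transport mode
keeps the original header; AH covers the IP header, so a NAT rewrite fails
verification while a TTL change (a mutable field AH zeroes) does not.
Headers are simplified: no options, checksum left at zero.
"""
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO = 51
ICV_LEN = 16          # HMAC-SHA-256-128 (RFC 4868): 256-bit tag truncated to 128 bits
AH_FIXED = 12         # next header, payload length, reserved, SPI, sequence number


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header (version/IHL 0x45, no options, checksum 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def _icv(key, ip_hdr, after_hdr):
    """HMAC over the IP header with mutable fields zeroed, then everything after it."""
    h = bytearray(ip_hdr)
    h[8] = 0                      # TTL changes at every hop
    h[10:12] = b"\x00\x00"        # header checksum changes with the TTL
    return hmac.new(key, bytes(h) + after_hdr, hashlib.sha256).digest()[:ICV_LEN]


def _ah(key, ip_hdr, next_hdr, payload, spi, seq):
    fixed = struct.pack("!BBHII", next_hdr, (AH_FIXED + ICV_LEN) // 4 - 2, 0, spi, seq)
    icv = _icv(key, ip_hdr, fixed + bytes(ICV_LEN) + payload)   # ICV field zeroed while computing
    return ip_hdr + fixed + icv + payload


def ah_tunnel(key, inner_packet, gw_src, gw_dst, spi=0x1001, seq=1):
    """Tunnel mode: new outer header between the gateways; whole inner packet is payload."""
    outer = ipv4_header(gw_src, gw_dst, AH_PROTO, 20 + AH_FIXED + ICV_LEN + len(inner_packet))
    return _ah(key, outer, 4, inner_packet, spi, seq)          # next header 4 = IP-in-IP


def ah_transport(key, inner_packet, spi=0x1001, seq=1):
    """Transport mode: keep the original header, insert AH before the original payload."""
    hdr, payload = bytearray(inner_packet[:20]), inner_packet[20:]
    orig_proto = hdr[9]
    hdr[9] = AH_PROTO
    struct.pack_into("!H", hdr, 2, len(inner_packet) + AH_FIXED + ICV_LEN)
    return _ah(key, bytes(hdr), orig_proto, payload, spi, seq)


def ah_verify(key, packet):
    """Recompute the ICV over the received packet; constant-time compare."""
    hdr, fixed = packet[:20], packet[20:20 + AH_FIXED]
    icv = packet[20 + AH_FIXED:20 + AH_FIXED + ICV_LEN]
    payload = packet[20 + AH_FIXED + ICV_LEN:]
    return hmac.compare_digest(icv, _icv(key, hdr, fixed + bytes(ICV_LEN) + payload))


def hop(packet):
    """A router decrements the TTL (the checksum would be recomputed; kept zero here)."""
    p = bytearray(packet)
    p[8] -= 1
    return bytes(p)


def nat(packet, new_src):
    """A NAT device rewrites the source address of the outer header."""
    return packet[:12] + ipaddress.IPv4Address(new_src).packed + packet[16:]


def demo():
    key = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)   # constructed 256-bit key
    data = b"GET / HTTP/1.0\r\n\r\n"
    inner = ipv4_header("10.1.1.10", "10.2.2.20", 6, 20 + len(data)) + data   # constructed packet
    tun = ah_tunnel(key, inner, "198.51.100.1", "203.0.113.1")
    trn = ah_transport(key, inner)
    return {
        "tunnel_ok": ah_verify(key, tun),
        "transport_ok": ah_verify(key, trn),
        "tunnel_after_hop": ah_verify(key, hop(tun)),               # TTL is mutable: still valid
        "tunnel_after_nat": ah_verify(key, nat(tun, "192.0.2.7")),  # address is covered: fails
        "inner_intact": tun[20 + AH_FIXED + ICV_LEN:] == inner,     # tunnel mode carries the whole inner packet
        "transport_keeps_header": trn[12:20] == inner[12:20],       # original addresses stay outermost
        "tunnel_len": len(tun),
        "transport_len": len(trn),
    }
```

`demo()` returns the verification results; the NAT case is the reason ESP (which does not cover the outer header) is used with NAT traversal where AH is not an option.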
IPSec Encryption Algorithms
For encryption, the two most common algorithms on
IPSec networks are 3DES (Triple DES) and AES; 3DES is deprecated in
favour of AES (AES-GCM also provides integrity in one pass)
These algorithms are used solely with the IPSec ESP
protocol
Remember, AH does not support encryption
200
IPSec Key Management
You need to pay attention to how keys are established
between peers for IPSec authentication and encryption
Two options are available
Manual keying: deliver the secret keys to all parties involved out of
band (for example on disk); the keys never change automatically, so
this is discouraged beyond testing
Utilize a key management protocol: IKE, which negotiates and refreshes
keys within the Internet Security Association and Key Management
Protocol (ISAKMP) framework
ISAKMP is defined in RFC 2408 (the IPsec DOI in RFC 2407 and IKEv1 in
RFC 2409); IKEv2 (RFC 7296) replaces them and is preferred
201
IPSec Transform Sets
A transform set
The combination of security protocol (AH or ESP) and algorithms
(encryption plus HMAC) that the two peers must agree on for an IPsec
security association; on Cisco routers and firewalls it is defined
with the crypto ipsec transform-set command
You can create a transform set through the CLI or
you can simply use the SDM GUI
When creating an IPSec VPN you must specify a
protocol, the algorithms, the mode (tunnel or transport) and the
method of key management, and both peers need a matching transform set
202
Creating VPNs with the Security
Device Manager (SDM)
Cisco supports VPNs with several different devices
VPNs can be created on firewalls, routers,
computers
And even on a device specifically made for VPNs,
called a VPN concentrator
The following example focuses on using the Cisco
Security Device Manager (SDM) Web utility to
create a VPN on a Cisco router
203
Cisco Security Audit Wizard
You can use the Cisco SDM to conduct security
audits
The SDM's Security Audit Wizard
Can be used to verify your router's configuration
And determine what security settings have and have
not been configured
Will also make recommendations as to which settings
should be enabled
Provides an easy to use GUI that allows you to make
those changes
213
Summary
Protecting the physical equipment where sensitive
data resides is as important as protecting the data
itself
When securing an organization's network, you
must be sure to protect it against external threats
as well as internal threats
User training is a key element to protecting the
network and the data within it
Using an SSH connection to a router is a much
more secure method of connecting to a router than
clear text telnet
221
Summary (continued)
Disabling unnecessary services increases a
router's security
IPSec is an industry-standard suite of protocols
and algorithms that allow for secure encrypted
VPN tunnels
Cisco's SDM is a multifunction Web utility that
allows you to create VPNs and complete a security
audit