Enforcing Security Policies with VACLs

Routers can use IP access control lists (ACL) to permit or deny specific traffic from entering or exiting a network interface. Therefore, ACLs are used as traffic travels between network address spaces. However, a Cisco Catalyst switch can have an ACL applied within a VLAN. This intra-VLAN ACL is called a VLAN access control list (VACL). Example 6-7 shows the configuration of a VACL that permits Telnet traffic to be sent to a host at IP address 10.1.1.2 while denying all other traffic. Notice...

Combating DHCP Server Spoofing

On today's networks, most clients obtain their IP address information dynamically, using Dynamic Host Configuration Protocol (DHCP), rather than having their IP address information statically configured. To dynamically obtain IP address information, a client (for example, a PC) sends out a DHCP request. A DHCP server sees the request, and a DHCP response (including such information as an IP address, subnet mask, and default gateway) is sent to the requesting client. However, if an attacker...

Understanding Cisco Security Agent Interceptors

To help you understand how Cisco Security Agent interceptors work, we must first explore how applications access system resources. Each time an application needs access to system resources, it has to make an operating system call to the kernel. When this occurs, the Cisco Security Agent intercepts these operating system calls and compares them to the cached security policy. Figure 7-5 shows this process. Figure 7-5 Cisco Security Agent Interceptors. Key: As long as the request does not violate...

Using Dynamic ARP Inspection

The DHCP snooping feature dynamically builds a DHCP binding table, which contains the MAC addresses associated with specific IP addresses. Additionally, this feature supports static MAC address to IP address mappings, which might be appropriate for network devices, such as routers. This DHCP binding table can be used by the Dynamic ARP Inspection (DAI) feature to help prevent Address Resolution Protocol (ARP) spoofing attacks. Recall the purpose of ARP requests. When a network device needs to...

How This Book Is Organized

This book contains 15 core chapters, Chapters 1 through 15. Chapter 16 includes some preparation tips and suggestions for how to approach the exam. Each core chapter covers a subset of the topics on the IINS exam. The core chapters are organized into parts. They cover the following topics: Part I, Network Security Concepts. Chapter 1, Understanding Network Security Principles: This chapter explains the need for network security and discusses the elements of a secure network. Additionally, legal and...

Overview of IEEE 802.1x

IEEE 802.1x (commonly just called 802.1x) is a standards-based approach for providing port-based network access. Specifically, 802.1x is a Layer 2 protocol that defines how Extensible Authentication Protocol (EAP) frames are encapsulated typically between a user's network device (such as a PC) and a switch or wireless access point. The 802.1x standard also defines hardware components, as shown in Figure 6-15 and defined in Table 6-4. Figure 6-15 IEEE 802.1x Hardware Components...

Creating a Cisco Self-Defending Network

Many modern security threats rapidly propagate across the Internet and internal networks. As a result, security components need to be able to respond rapidly to emerging threats. To combat these threats, Cisco offers the Cisco Self-Defending Network, which is its vision for using the network to recognize threats and then prevent and adapt to them. This section describes the implementation of the Cisco Self-Defending Network approach, which leverages Cisco products and solutions. As computing...

Do I Know This Already? Quiz

The Do I Know This Already? quiz helps you determine your level of knowledge of this chapter's topics before you begin. Table 9-1 details the major topics discussed in this chapter and their corresponding quiz questions. Table 9-1 Do I Know This Already? Section-to-Question Mapping. Identifying Common Voice Vulnerabilities: 1. You administer a network that contains analog telephony devices connected to voice gateways. These voice gateways...

Securing a VoIP Network

Now that you have a foundational understanding of the myriad attacks that can target a VoIP network, this section addresses specific VoIP attack mitigations. Specifically, it covers separating voice traffic from data traffic using voice VLANs, using firewalls and VPNs to protect voice traffic, and approaches to harden the security of voice endpoints and servers. Protecting a VoIP Network with Auxiliary VLANs: A fundamental approach to protecting voice traffic from attackers is to place it in a...

Understanding IP Spoofing

Attackers can launch a variety of attacks by initiating an IP spoofing attack. An IP spoofing attack causes an attacker's IP address to appear to be a trusted IP address. For example, if an attacker convinces a host that he is a trusted client, he might gain privileged access to a host. The attacker could also capture traffic, which might include credentials such as usernames and passwords. As another example, you might be familiar with denial-of-service (DoS) and distributed denial-of-service...

Identifying Common Voice Vulnerabilities

Because IP phones are readily accessible and plentiful in many corporate environments, they become attractive targets for attackers. Also, VoIP administrators should be on guard against VoIP variations of spam and phishing (both common in e-mail environments), as well as toll fraud (common in PBX environments). This section details these common attack targets for a VoIP network. Table 9-4 describes a few common VoIP attacks targeting endpoints. Table 9-4 Common VoIP Attack Targets...

Mitigating CAM Table Overflow Attacks

A Cisco Catalyst switch uses a Content Addressable Memory (CAM) table to store the information used by the switch to make forwarding decisions. Specifically, the CAM table contains a listing of MAC addresses that have been learned from each switch port. Then, when a frame enters the switch, the switch interrogates the frame's destination MAC address. If the destination MAC address is known to exist off one of the switch ports, the frame is forwarded out only that port. For example, consider...

Defending Against Layer 2 Attacks

This section begins by exploring the nature of Layer 2 switch operation and why it is such an attractive target for attackers. Then, approaches for mitigating a variety of Layer 2 attacks are addressed. These strategies include best practices for securing a Layer 2 network, protecting against VLAN hopping attacks, preventing an attacker from manipulating Spanning Tree Protocol (STP) settings, stopping DHCP server and ARP spoofing, preventing Content Addressable Memory (CAM) table overflow...

Defense in Depth

Because a security solution is only as strong as its weakest link, network administrators are challenged to implement a security solution that protects a complex network. As a result, rather than deploying a single security solution, Cisco recommends multiple, overlapping solutions. These overlapping solutions target different aspects of security, such as securing against insider attacks and securing against technical attacks. These solutions should also be subjected to routine testing and...

Protecting Against an IP Spoofing Attack

The following approaches can be used to mitigate IP spoofing attacks: Use access control lists (ACL) on router interfaces. As traffic comes into a router from an outside network, an ACL could be used to deny any outside traffic claiming to be addressed with IP addressing used internally on the local network. Conversely, ACLs should be used to prevent traffic leaving the local network from participating in a DDoS attack. Therefore, an ACL could deny any traffic leaving the local network that...

Examining the Cisco NAC Appliance

Several technologies can defend endpoints from the common threats they face. The Cisco NAC Appliance is one device that can be used to enhance and complement other endpoint security measures. Effectively, Cisco NAC comes in two flavors. The first is the Cisco NAC framework, which is a software module embedded within NAC-enabled devices. In this framework, a number of both Cisco and other NAC-aware vendor products may be used to provide security. The second flavor is the Cisco NAC Appliance....

Configuring AAA Using Cisco Secure ACS

Cisco Secure ACS provides administrators with a centralized identity networking solution and a simplified user management experience, whether they are working with Cisco devices or security management applications. Through Cisco Secure ACS, administrators can ensure the enforcement of assigned policies by controlling who can log into the network and the privileges a user may have on the network, and by securing access to the administrative web interface for each configuration administrator. Cisco...

Defining Voice Fundamentals

This section begins by defining voice over IP and considering why it is needed in today's corporate environment. Because voice packets are flowing across a data infrastructure, various protocols are required to set up, maintain, and tear down a call. This section defines several popular voice protocols, in addition to hardware components that make up a voice over IP network. VoIP sends packetized voice over an IP network. Typically, the IP network serves as a data network as well, resulting in...

Configuring and Monitoring IEEE 802.1x

Regardless of the EAP in use on the supplicant and authentication server, the 802.1x configuration on the authenticator (that is, the Cisco Catalyst switch) remains the same. Following are the general steps required to configure 802.1x authentication on a Cisco Catalyst switch: Step 1. Globally enable authentication, authorization, and accounting (AAA) on the Cisco Catalyst switch. Just as you would enable AAA on a Cisco router, you can enable AAA on a Cisco Catalyst switch by issuing the aaa...

Protecting Against an STP Attack

Redundant links can be introduced into a Layer 2 switch topology to increase the network's availability. However, redundant links can potentially cause Layer 2 loops, which can result in broadcast storms. Fortunately, Spanning Tree Protocol (STP) can allow you to physically have redundant links while logically having a loop-free topology, thus preventing the potential for broadcast storms. STP achieves this loop-free topology by electing one switch as the root bridge. The network administrator...

Isolating Traffic Within a VLAN Using Private VLANs

Another way for a Cisco Catalyst switch to provide security is through the use of private VLANs (PVLAN). These PVLANs can provide privacy between groups of Layer 2 ports on a Cisco Catalyst switch. A PVLAN domain has a single primary VLAN. Additionally, the PVLAN domain contains secondary VLANs that provide isolation between ports in a PVLAN domain. Cisco Catalyst switches support two categories of secondary VLANs: Isolated VLANs. Ports belonging to an isolated VLAN lack Layer 2 connectivity...

ISR Overview and Providing Secure Administrative Access

This section begins by introducing the security features offered in the Cisco line of ISR routers. Additional hardware options for these routers are also discussed. Then, with a foundational understanding of the underlying hardware, you will learn a series of best practices for securing administrative access to a router. For example, a router can be configured to give different privilege levels to different administrative logins. Although they are not a replacement for dedicated security...

Configuring AAA Using the Local User Database

Unauthorized access to a network creates the potential for network intruders to gain access to sensitive network equipment and services. The Cisco AAA architecture provides a means to address this threat through systematic, scalable access security. Of course, network users and would-be intruders are not the only ones to try to access the network. Network administrators also need access to network equipment, and AAA offers a secure means to provide this. Authentication, Authorization, and...

Locking Down the Router

This section begins by identifying router services that are susceptible to attack and by explaining how security can be compromised by various router management services. You will learn two approaches for hardening a Cisco IOS router against attacks: using Cisco SDM's One-Step Lockdown feature, and using the auto secure CLI command. Identifying Potentially Vulnerable Router Interfaces and Services: One of the most obvious steps to secure a router is to administratively shut down any unused router...

Using Secure Management and Reporting

Network management and reporting applications help network administrators proactively monitor and configure their network. However, left unsecured, management and reporting traffic can be used by potential attackers to compromise network security. For example, captured management and reporting traffic might contain administrative credentials for logging onto a system. Therefore, this section focuses on securing such traffic types. Specifically, you will learn about securing syslog, SSH, and...

IINS Course Outlines

Another way to get some direction about the topics on the exams is to look at the course outlines for the related courses. Cisco offers one authorized CCNA Security-related course, Implementing Cisco IOS Network Security (IINS v1.0). Cisco authorizes Certified Learning Solutions Providers (CLSP) and Certified Learning Partners (CLP) to deliver these classes. These authorized companies can also create unique custom course books using this material, in some cases to teach classes geared toward...

Constructing a Comprehensive Network Security Policy

One of the main reasons security breaches occur within an organization is the lack of a security policy or, if a security policy is in place, the lack of effectively communicating that security policy to all concerned. This section discusses the purpose of a security policy, what should be addressed in that policy, how to maximize its effectiveness, and how to create awareness and understanding of the policy. A security policy is a continually changing document that dictates a set of guidelines...

Increasing Operations Security

After a network is installed, network operations personnel monitor and maintain it. From a security perspective, operations security attempts to secure hardware, software, and various media while investigating anomalous network behavior. A computer network is a dynamic entity, continuously changing to meet the needs of its users. New network components are added and eventually retired. The life of these components can be defined by the System Development Life Cycle (SDLC), which consists of...