Roles-based management with centralized authentication, authorization, and logging. Centralized authentication of devices connected to the network. Traffic isolation and access controls. Encryption of all data leaving the storage network for business continuance, remote vaulting, and backup. The Cisco MDS 9000 family of products is designed to allow storage professionals to achieve optimal security for their SANs. The security features of this product line make it well suited for...

Acknowledgments

I want to thank the team at Cisco Press for their direction and support throughout the writing process. For their support and encouragement throughout this process, I wish to thank and acknowledge Tom Warrick and the instructor team at SkillSoft. I also wish to thank Kevin Wallace, who brought his talent and experience to this project and was an enormous help each step of the way. Finally, I want to thank my family for their continued support through this project, especially my children,...

Additional Cisco Catalyst Switch Security Features

No single network device secures an entire network from all potential attacks. Rather, multiple hardware and/or software solutions work in tandem to help secure the overall network. For example, virtual private networks (VPN) and firewalls can help protect sensitive traffic from eavesdroppers and prevent unwanted traffic from entering a network. As described earlier in this chapter, a Layer 2 Cisco Catalyst switch can also aid in network security. The additional Cisco Catalyst switch security...

Additional Forms of Attack

Buffer overflows are not the only concern. The larger issue is that a buffer overflow may be used to initiate malicious code such as viruses, worms, and Trojan horses so that they may gain access to your system and begin to do their damage. Two of the most destructive worms that have been unleashed on the Internet are SQL Slammer and Code Red. The destruction these worms caused was made possible by remote root buffer overflows. In contrast to worms, viruses are more likely to take advantage of...

Best Practices for Securing Endpoints

As mentioned earlier, trusted operating systems exist, but they are expensive and can be cumbersome to support. For the most part these are used for military or government purposes, acting as critical servers or workstations. For most modern operating systems, regardless of vendor, the default configuration is still quite untrustworthy. Significant improvements have occurred in the last ten years, but the sophistication of attacks has also greatly improved. As an administrator, you should...

Combining IEEE 802.1x with Port Security Features

Earlier in this chapter you read about port security features supported on Cisco Catalyst switches. Interestingly, these port security features can be used in conjunction with 802.1x authentication to provide enhanced port security. For example, suppose a client authenticates via 802.1x, and the switch's port security table is not full (or the client's MAC address has been statically configured in the CAM table). The client is permitted to transmit data to the network. However, suppose the...

Command Reference to Check Your Memory

This section includes the most important configuration and EXEC commands covered in this chapter. To see how well you have memorized the commands as a side effect of your other studies, cover the left side of the table with a piece of paper, read the descriptions on the right side, and see whether you remember the commands. Table 3-13 Chapter 3 Configuration Command Reference: A global configuration mode command that configures a router's...

Data Classification Characteristics

Table 1-4 offers a few characteristics by which data can be classified. Table 1-4 Data Classification Characteristics: how valuable the data is to the organization; how long the data will be considered relevant. When determining a classification approach, define how many classification levels you need. Having too many classification levels can prove difficult to administer, whereas having too few classification levels lacks the granularity needed to classify a wide spectrum of data. As part of...

Defining Endpoint Security

Before you can take steps to defend your endpoints, you must better understand what endpoint security is and what it consists of. We will begin by exploring the fundamental principles involved in host security, as well as discuss the need to defend endpoints from viruses, worms, Trojan horses, and other security threats. Cisco bases its strategy for securing hosts, as well as the more overarching network and enterprise security needs, on three broad elements (see Table 7-2). The Cisco Security...

Definition of Key Terms

Define the following key terms from this chapter, and check your answers in the glossary: confidentiality, integrity, availability, preventive control, deterrent control, detective control, vulnerability, exploit, phreaker, Defense in Depth, IP spoofing, data diddling, salami attack, denial of service (DoS). This chapter covers the following topics: Increasing operations security. This section explains the day-to-day procedures for deploying, maintaining, and retiring information security...

Developing a Secure Network

Day-to-day network operations include adding new components to the network, monitoring and maintaining existing components, and retiring other components. While you perform these operations, security should be a consideration, so this chapter discusses how security practices can be integrated into such day-to-day operations. Also, network security practices and procedures should be governed by a documented security policy, so this chapter discusses the elements and use of an effective security...

Do I Know This Already? Quiz

The Do I Know This Already? quiz helps you determine your level of knowledge of this chapter's topics before you begin. Table 3-1 details the major topics discussed in this chapter and their corresponding quiz questions. Table 3-1 Do I Know This Already? Section-to-Question Mapping: ISR Overview and Providing Secure Administrative Access; Cisco Security Device Manager Overview. 1. Which of the following are considered IOS security features...

EAP-FAST

Extensible Authentication Protocol Flexible Authentication via Secure Tunneling (EAP-FAST) was developed by Cisco. Similar to EAP with MS-CHAPv2, EAP-FAST protects authentication messages within a secure TLS tunnel. However, EAP-FAST uses shared secret keys. These keys, which are unique to each user, are called protected access credentials (PAC). PACs, which can be automatically or manually distributed to the supplicants, cause authentication to happen much faster than using digital...

EAP-MD5

EAP-MD5 is a standards-based EAP type. This EAP type uses an MD5-Challenge message. This is much like the challenge message used in PPP CHAP (Point-to-Point Protocol Challenge Handshake Authentication Protocol), which uses MD5 (Message Digest 5) as its hashing algorithm. Figure 6-16 shows the messages exchanged in an EAP-MD5 authentication. Notice that the authentication begins when the PC (the supplicant) sends an EAP over LAN (EAPOL) message (specifically, an EAPOL-start message) to the...

EAP-TLS

Microsoft developed EAP-TLS (Extensible Authentication Protocol Transport Layer Security). EAP-TLS was designed to address weaknesses found in other EAP types (such as the one-way authentication used by EAP-MD5). However, the trade-off for addressing these weaknesses is increased complexity in the deployment of EAP-TLS. Specifically, EAP-TLS uses certificate-based (that is, X.509 certificate-based) authentication. Therefore, to perform mutual authentication between the supplicant and the...

Examining Application Vulnerabilities

It is important to take the proper steps to address the vulnerabilities faced by your operating system, such as applying service packs and hot fixes and tuning it for secure operation. However, the majority of attacks target applications or, perhaps more specifically, the data they are protecting (or both). These attacks against applications can be categorized as either direct or indirect. Direct: An attacker tricks the application into performing a task using the application's privileges....

Examining Operating System Vulnerabilities

The various endpoints that we support on our networks each run some form of operating system, whether it is a desktop operating system (OS) or a Network Operating System (NOS). These operating systems provide a set of basic security services to all applications that run on them. Table 7-3 lists the basic security services. Table 7-3 Basic Security Services Provided to Applications by Operating Systems: This is the...

Exploring Secure Voice Solutions

In the past, large companies used privately owned telephone systems (such as private branch exchanges [PBX]) to provide voice services to their employees. As data networks began to emerge, most companies maintained separate voice and data networks, and perhaps even a separate video network. However, with the performance and reliability offered by modern data networks, many network administrators began to see the wisdom of consolidating voice, data, and video traffic on the same network. This...

Exploring Security Fundamentals

As new vulnerabilities and new methods of attack are discovered, a relatively unsophisticated user can potentially launch a devastating attack against an unprotected network. This section begins by describing the challenges posed by the current security landscape. You will learn about the three primary goals of security: confidentiality, integrity, and availability. This section also explains traffic classification and security controls. You will learn how to...

Government and Military Classification Model

Table 1-2 provides an example of a data classification model, which is used by multiple governments and militaries. Table 1-2 Government and Military Data Classification Example: data that has few or no privacy requirements; data that could cause embarrassment but not constitute a security threat if revealed; data that has a reasonable probability of causing damage if disclosed to an unauthorized party; data that has a...

How to Use This Book to Prepare for the IINS Exam

Using this book to prepare for the IINS exam is pretty straightforward: read each chapter in succession, and follow the study suggestions in Chapter 16, "Final Preparation." For the core chapters of this book (Chapters 1 through 15), you do have some choices about how much of the chapter you read. In some cases, you may already know most or all of the information covered in a given chapter. To help you decide how much time to spend on each chapter, the chapters begin with a Do I Know This Already?...

IINS Exam Topics

Table I-1 lists the exam topics for the 640-553 IINS exam. Although the posted exam topics are not numbered at Cisco.com, Cisco Press does number the exam topics for easier reference. Notice that the topics are divided among nine major topic areas. The table also notes the part of this book in which each exam topic is covered. Because it is possible that the exam topics may change over time, it may be worthwhile to double-check the exam topics as listed on Cisco.com. If Cisco later adds exam...

International Jurisdiction Issues

A unique legal challenge for prosecuting information security offenses deals with jurisdictional issues. For example, an attacker in one country could launch an attack from a computer in another country that targets a computer in yet another country. The international boundaries that were virtually crossed could pose significant challenges to litigators. Fortunately, governments are beginning to collaborate on such investigations and prosecutions. For example, organizations that share law...

Introduction to Cisco IBNS

Cisco IBNS can be deployed on an end-to-end Cisco network, which includes components such as Cisco Catalyst switches, wireless LAN (WLAN) devices (such as wireless access points and controllers), and a RADIUS server (such as a Cisco Secure Access Control Server [ACS]). However, for a client to directly benefit from IBNS, the client operating system needs to support IEEE 802.1x. Fortunately, many modern operating systems (such as Microsoft Windows Vista) support 802.1x. For greater scalability,...

Launching a Local IP Spoofing Attack Using a Man-in-the-Middle Attack

If an attacker is on the same subnet as the target system, he might launch a man-in-the-middle attack. In one variant of a man-in-the-middle attack, the attacker convinces systems to send frames via the attacker's PC. For example, the attacker could send a series of gratuitous ARP (GARP) frames to systems. These GARP frames might claim that the attacker's Layer 2 MAC address was the MAC address of the next-hop router. The attacker could then capture traffic and forward it to the legitimate...

Launching a Remote IP Spoofing Attack with IP Source Routing

If an attacker uses a feature known as IP source routing, he can specify the complete routing path to be taken between two endpoints. Consider Figure 1-5. The attacker is on a different subnet than the destination host. However, the attacker sends an IP packet with a source route specified in the IP header, which causes the destination host to send traffic back to the spoofed IP address via the route specified. This approach can overcome the previously described challenge that an attacker might have...

Legal and Ethical Ramifications

Some businesses must abide by strict government regulations for security procedures. Therefore, information security professionals should be familiar with a few fundamental legal concepts. For example, most countries classify laws into one of the following three types. Criminal law applies to crimes that have been committed and that might result in fines and/or imprisonment for someone found guilty. Civil law addresses wrongs that have been committed. However, those wrongs are not considered...

Legal Issues to Consider

As a provider of network connectivity to customers, a service provider needs to be aware of potential liability issues. For example, if an e-commerce company lost a certain amount of business because of a service provider outage, the service provider might be found liable and have to pay damages. Also, some countries are passing laws dictating how companies handle privacy issues. For example, the Notification of Risk to Personal Data Act in the U.S. requires companies and government agencies...

Nonsecured Custom Applications

The vast majority (approximately 75 percent) of network attacks target specific applications, as opposed to lower-layer attacks. One reason attacks have become more targeted is the trend of attackers to be more motivated by profit, rather than by the fame or notoriety generated by creating a virus, for example. Unfortunately, because many organizations use custom applications (often not written with security in mind), these applications can be prime attack targets. Attacks on custom...

Objectives and Methods

The most important and somewhat obvious objective of this book is to help you pass the 640-553 IINS exam. In fact, if the primary objective of this book were different, the book's title would be misleading. However, the methods used in this book to help you pass the exams are also designed to make you much more knowledgeable about how to do your job. This book uses several key methodologies to help you discover the exam topics on which you need more review, to help you fully understand and...

Organizational Classification Model

Table 1-3 provides an example of an organizational data classification model. Table 1-3 Organizational Data Classification Example: information made available to the public (for example, through marketing materials); data that could cause embarrassment but not constitute a security threat if revealed; organizational information that should be kept secret and whose accuracy should be maintained; sensitive organizational information (for example,...

Overview of SAN Operations

Organizations are producing ever-increasing amounts of data. A storage-area network (SAN) is an effective means to allow them to store and access this data in a secure fashion. This section examines the fundamentals of SAN operation and describes the technology behind these focused networks. It also examines attacks focused on SANs and discusses their defense. With ever-increasing storage needs, many organizations are moving away from traditional file servers to more sophisticated SAN solutions...

Network Security Concepts

Chapter 1 Understanding Network Security Principles; Chapter 2 Developing a Secure Network; Chapter 3 Defending the Perimeter. This chapter covers the following topics: Exploring security fundamentals. This section explains the need for network security and discusses the elements of a secure network. Additionally, legal and ethical considerations are discussed. Understanding the methods of network attacks. This section makes you aware of various threats targeting the security of your network and...

Constructing a Secure Infrastructure

Chapter 7 Implementing Endpoint Security; Chapter 9 Exploring Secure Voice Solutions; Chapter 10 Using Cisco IOS Firewalls to Defend the Network; Chapter 11 Using Cisco IOS IPS to Secure the Network. This chapter covers the following topics: Defending against Layer 2 attacks. This section explains how Cisco Catalyst switches can be configured to mitigate several common Layer 2 attacks. Cisco Identity-Based Networking Services. This section examines how Cisco Identity-Based Networking Services (IBNS)...

Potential Attackers

Another element of defending your data is identifying potential attackers who might want to steal or manipulate that data. For example, a company might need to protect its data from corporate competitors, terrorists, employees, and hackers, to name just a few. The term hacker is often used very generically to describe attackers. However, not all hackers have malicious intent. Table 1-5 lists various types of hackers. Table 1-5 Types of Hackers: A white hat hacker has the skills to break...

Providing SAN Security

It seems that every year organizations create more and more critical data: data that needs to be stored securely for future reference. Storage-area networks (SAN) offer these organizations a targeted solution to meet this need in a cost-effective manner. With so much crucial data now residing on a SAN, securing this data effectively is a prime concern for these businesses. This chapter explores the fundamentals of SAN operations as well as the steps to take to effectively implement SAN security.

Responding to a Security Incident

Many deterrent controls might display warnings such as "Violators will be prosecuted to the fullest extent of the law." However, to successfully prosecute an attacker, litigators typically require the following elements to present an effective argument. Motive: A motive describes why the attacker committed the act. For example, was he a disgruntled employee? Also, potential motives can be valuable to define during an investigation. Specifically, an investigation might begin with those who had a...

Review All the Key Topics

Review the most important topics from this chapter, denoted with the Key Topic icon. Table 1-9 lists these key topics and the page where each is found: reasons for the severity of internal threats; the three primary goals of network security; government and military data classification example; legal elements needed to make a case; defending against different classes of attacks.

Scope of the Challenge

The 2007 CSI/FBI Computer Crime and Security Survey is a fascinating document that provides insight into trends in network attacks from 2004 to 2007. A copy of this document can be downloaded from . As an example of the information contained in this document, Figure 1-1 shows the average number of security incidents reported by 208 respondents for the years 2004 to 2007. Notice that the percentage of respondents reporting more than 10 incidents in a year dramatically increased in 2007. Figure 1-1...

Securing Layer 2 Devices

The characteristics of Layer 2 LAN devices frequently make these devices attractive targets for attackers. If an attacker can compromise Layer 2, he has access to the upper layers. This chapter explores these Layer 2 vulnerabilities and describes methods of mitigating such weaknesses using features available on Cisco Catalyst switches. Cisco Catalyst switches also play an integral role in the Cisco Identity-Based Networking Services (IBNS) technology. IBNS offers per-user access control to...

The Anatomy of a Buffer Overflow Exploit

Because buffer overflows are one of the most common methods of application subversion in use today on the Internet, it is important that you understand these attacks and how to stop them. Let's take a look at the anatomy of a buffer overflow attack in detail. In most buffer overflow attacks, the attacker tries to subvert a program function that reads input and calls a subroutine (see Figure 7-1). What makes this possible is that the exploitable program function does not perform input length...

Understanding the Methods of Network Attacks

You might have noticed that this book has thus far referred to computer criminals as attackers rather than hackers. This wording is intentional, because not all hackers have malicious intent, even though the term hacker often has a negative connotation. In this section, you will gain additional insight into the mind-set and characteristics of various hackers. Additionally, you will be introduced to a variety of methods that attackers can use to infiltrate a computing system. To help mitigate...

Understanding the Types of Buffer Overflows

Most buffer overflow attacks are used to either root a system or cause a DoS attack. We will look at each of these types of attacks. The phrase rooting a system comes from the UNIX world. It means that a system has been hacked so that the attacker has root, or superuser, privileges. Rooting a system is most easily accomplished with either remote root or local root buffer overflows. Of these two, remote root buffer overflows are the more dangerous. This is because an attacker can own your system...

US Laws and Regulations

With increased levels of terrorist activity on the Internet and an ever-increasing percentage of Internet connectivity for the world's citizens, governments are forced to develop regulations and legislation covering information security. As a few examples, the U.S. government created the following regulations, which pertain to information security. Gramm-Leach-Bliley Act (GLBA) of 1999: Did away with antitrust laws that disallowed banks, insurance companies, and securities firms from combining...

Using the SPAN Feature with IDS

Chapter 11, Using Cisco IOS IPS to Secure the Network, discusses the Cisco Intrusion Detection System (IDS) technology. With IDS, a sensor receives a copy of traffic for analysis. If the sensor recognizes the traffic as being malicious or suspicious, the IDS sensor can take a preconfigured action, such as generating an alarm or dynamically configuring a firewall to block the sender. One way to cause an IDS sensor to receive a copy of network traffic is to configure a port on a Cisco Catalyst...

Warning and Disclaimer

This book is designed to provide the information necessary to be successful on the Cisco IINS (640-553) exam. Every effort has been made to make this book as complete and accurate as possible, but no warranty or fitness is implied. The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from...

Working with the Cisco Security Agent

In today's computing environment, endpoint protection must encompass more than simple desktop systems. The Cisco Security Agent software provides full-featured endpoint protection with threat protection capabilities for server, desktop, and point-of-service (POS) computing systems. This highly scalable solution can support as many as 100,000 agents from a single management console. Figure 7-4 shows the architecture of the Cisco Security Agent, which can grow with an organization's changing...

Cisco Security Device Manager Overview

Cisco IOS routers support many features (including security features) that require complex configurations. To aid in a number of these configuration tasks, Cisco introduced the Cisco Security Device Manager (SDM) interface. This section introduces SDM, discusses how to configure and launch SDM, and how to navigate the SDM wizards. Cisco SDM provides a graphical user interface (GUI) for configuring a wide variety of features on an IOS router, as shown in Figure 3-3. Not only does SDM offer...

Port Security Configuration

Earlier in this chapter you saw that Cisco Catalyst port security features can be used to combat CAM table overflow attacks and MAC address spoofing attacks. Cisco recommends that port security be configured on a switch before a switch is deployed in the network, to be proactive instead of reactive. When a switch port security violation occurs, you can configure the switch port to respond in one of three ways. Protect: When configured for protect, a switch port drops frames with an unknown...

Using IEEE 802.1x for VLAN Assignment

The authentication server component of an 802.1x topology can also help restrict user access to network resources, specifically VLANs. In addition to configuration on the RADIUS server (that is, the authentication server), the Cisco Catalyst switch is configured with appropriate AAA commands. After a client (that is, a supplicant) successfully authenticates by providing a username and password, the RADIUS server, which maintains the username-to-VLAN mappings, sends the client's VLAN information...

Enforcing Security Policies with VACLs

Routers can use IP access control lists (ACL) to permit or deny specific traffic from entering or exiting a network interface. Therefore, ACLs are used as traffic travels between network address spaces. However, a Cisco Catalyst switch can have an ACL applied within a VLAN. This intra-VLAN ACL is called a VLAN access control list (VACL). Example 6-7 shows the configuration of a VACL that permits Telnet traffic to be sent to a host at IP address 10.1.1.2 while denying all other traffic. Notice...

Combating DHCP Server Spoofing

On today's networks, most clients obtain their IP address information dynamically, using Dynamic Host Configuration Protocol (DHCP), rather than having their IP address information statically configured. To dynamically obtain IP address information, a client (for example, a PC) sends out a DHCP request. A DHCP server sees the request, and a DHCP response (including such information as an IP address, subnet mask, and default gateway) is sent to the requesting client. However, if an attacker...

Understanding Cisco Security Agent Interceptors

To help you understand how Cisco Security Agent interceptors work, we must first explore how applications access system resources. Each time an application needs access to system resources, it has to make an operating system call to the kernel. When this occurs, the Cisco Security Agent intercepts these operating system calls and compares them to the cached security policy. Figure 7-5 shows this process. Figure 7-5 Cisco Security Agent Interceptors. As long as the request does not violate...

Using Dynamic ARP Inspection

The DHCP snooping feature dynamically builds a DHCP binding table, which contains the MAC addresses associated with specific IP addresses. Additionally, this feature supports static MAC address to IP address mappings, which might be appropriate for network devices, such as routers. This DHCP binding table can be used by the Dynamic ARP Inspection (DAI) feature to help prevent Address Resolution Protocol (ARP) spoofing attacks. Recall the purpose of ARP requests. When a network device needs to...

How This Book Is Organized

This book contains 15 core chapters (Chapters 1 through 15). Chapter 16 includes some preparation tips and suggestions for how to approach the exam. Each core chapter covers a subset of the topics on the IINS exam. The core chapters are organized into parts. They cover the following topics. Part I, Network Security Concepts. Chapter 1, "Understanding Network Security Principles": This chapter explains the need for network security and discusses the elements of a secure network. Additionally, legal and...

Overview of IEEE 802.1x

IEEE 802.1x (commonly just called 802.1x) is a standards-based approach for providing port-based network access. Specifically, 802.1x is a Layer 2 protocol that defines how Extensible Authentication Protocol (EAP) frames are encapsulated, typically between a user's network device (such as a PC) and a switch or wireless access point. The 802.1x standard also defines hardware components, as shown in Figure 6-15 and defined in Table 6-4. Figure 6-15 IEEE 802.1x Hardware Components...

Creating a Cisco Self Defending Network

Many modern security threats rapidly propagate across the Internet and internal networks. As a result, security components need to be able to respond rapidly to emerging threats. To combat these threats, Cisco offers the Cisco Self-Defending Network, which is its vision for using the network to recognize threats and then prevent and adapt to them. This section describes the implementation of the Cisco Self-Defending Network approach, which leverages Cisco products and solutions. As computing...

Securing a VoIP Network

Now that you have a foundational understanding of the myriad attacks that can target a VoIP network, this section addresses specific VoIP attack mitigations. Specifically, it covers separating voice traffic from data traffic using voice VLANs, using firewalls and VPNs to protect voice traffic, and approaches to harden the security of voice endpoints and servers.

Protecting a VoIP Network with Auxiliary VLANs

A fundamental approach to protecting voice traffic from attackers is to place it in a...

Understanding IP Spoofing

Attackers can launch a variety of attacks by initiating an IP spoofing attack. An IP spoofing attack causes an attacker's IP address to appear to be a trusted IP address. For example, if an attacker convinces a host that he is a trusted client, he might gain privileged access to a host. The attacker could also capture traffic, which might include credentials such as usernames and passwords. As another example, you might be familiar with denial-of-service (DoS) and distributed denial-of-service...

Identifying Common Voice Vulnerabilities

Because IP phones are readily accessible and plentiful in many corporate environments, they become attractive targets for attackers. Also, VoIP administrators should be on guard against VoIP variations of spam and phishing (both common in e-mail environments), as well as toll fraud (common in PBX environments). This section details these common attack targets for a VoIP network. Table 9-4 describes a few common VoIP attacks targeting endpoints. Table 9-4 Common VoIP Attack Targets...

Contents

Chapter 1 Understanding Network Security Principles: Do I Know This Already? Quiz; Why Network Security Is a Necessity; Types of Threats; Scope of the Challenge; Nonsecured Custom Applications; The Three Primary Goals of Network Security; Confidentiality; Integrity; Availability; Categorizing Data; Classification Models; Classification Roles; Controls in a Security Solution; Responding to a Security Incident; Legal and Ethical Ramifications; Legal Issues to Consider...

Mitigating CAM Table Overflow Attacks

A Cisco Catalyst switch uses a Content Addressable Memory (CAM) table to store the information used by the switch to make forwarding decisions. Specifically, the CAM table contains a listing of MAC addresses that have been learned from each switch port. Then, when a frame enters the switch, the switch interrogates the frame's destination MAC address. If the destination MAC address is known to exist off one of the switch ports, the frame is forwarded out only that port. For example, consider...

Defending Against Layer 2 Attacks

This section begins by exploring the nature of Layer 2 switch operation and why it is such an attractive target for attackers. Then, approaches for mitigating a variety of Layer 2 attacks are addressed. These strategies include best practices for securing a Layer 2 network, protecting against VLAN hopping attacks, preventing an attacker from manipulating Spanning Tree Protocol (STP) settings, stopping DHCP server and ARP spoofing, preventing Content Addressable Memory (CAM) table overflow...

Defense in Depth

Because a security solution is only as strong as its weakest link, network administrators are challenged to implement a security solution that protects a complex network. As a result, rather than deploying a single security solution, Cisco recommends multiple, overlapping solutions. These overlapping solutions target different aspects of security, such as securing against insider attacks and securing against technical attacks. These solutions should also be subjected to routine testing and...

Protecting Against an IP Spoofing Attack

The following approaches can be used to mitigate IP spoofing attacks:

Use access control lists (ACL) on router interfaces. As traffic comes into a router from an outside network, an ACL could be used to deny any outside traffic claiming to be addressed with IP addressing used internally on the local network. Conversely, ACLs should be used to prevent traffic leaving the local network from participating in a DDoS attack. Therefore, an ACL could deny any traffic leaving the local network that...
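As an added illustration (not configuration from the book), the following Cisco IOS ACLs apply both filters described above on one Internet-facing interface: inbound, anything claiming an internal source is dropped; outbound, only traffic sourced from the real internal block may leave. The internal block 192.168.10.0/24 and the interface name are constructed assumptions.

```ios
! Assumed internal address block: 192.168.10.0/24 (constructed for this example)
ip access-list extended ANTISPOOF-IN
 remark Inbound from the Internet: drop packets spoofing our internal addresses
 deny   ip 192.168.10.0 0.0.0.255 any log
 remark Also drop sources that can never legitimately arrive from outside
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 0.0.0.0 0.255.255.255 any log
 permit ip any any
!
ip access-list extended ANTISPOOF-OUT
 remark Outbound toward the Internet: only our own addresses may leave,
 remark so an internal host cannot join a DDoS with a spoofed source
 permit ip 192.168.10.0 0.0.0.255 any
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Outside (Internet-facing) link -- assumed interface name
 ip access-group ANTISPOOF-IN in
 ip access-group ANTISPOOF-OUT out
```

The log keyword on the deny entries makes spoofing attempts visible in syslog, which is where a defender would look to confirm the filters are actually being hit.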

Examining the Cisco NAC Appliance

Several technologies can defend endpoints from the common threats they face. The Cisco NAC Appliance is one device that can be used to enhance and complement other endpoint security measures. Effectively the Cisco NAC comes in two flavors. The first is the Cisco NAC framework, which is a software module embedded within NAC-enabled devices. In this framework a number of both Cisco and other NAC-aware vendor products may be used to provide security. The second flavor is the Cisco NAC Appliance....

Configuring AAA Using Cisco Secure ACS

Cisco Secure ACS provides administrators with a centralized identity networking solution and a simplified user management experience, whether they are working with Cisco devices or security management applications. Through Cisco Secure ACS, administrators can ensure the enforcement of assigned policies by controlling who can log into the network and what privileges a user has on the network, and by securing access to the administrative web interface for each configuration administrator. Cisco...

Defining Voice Fundamentals

This section begins by defining voice over IP and considering why it is needed in today's corporate environment. Because voice packets are flowing across a data infrastructure, various protocols are required to set up, maintain, and tear down a call. This section defines several popular voice protocols, in addition to hardware components that make up a voice over IP network. VoIP sends packetized voice over an IP network. Typically, the IP network serves as a data network as well, resulting in...

Configuring and Monitoring IEEE 802.1x

Regardless of the EAP in use on the supplicant and authentication server, the 802.1x configuration on the authenticator (that is, the Cisco Catalyst switch) remains the same. Following are the general steps required to configure 802.1x authentication on a Cisco Catalyst switch:

Step 1 Globally enable authentication, authorization, and accounting (AAA) on the Cisco Catalyst switch. Just as you would enable AAA on a Cisco router, you can enable AAA on a Cisco Catalyst switch by issuing the aaa...

Isolating Traffic Within a VLAN Using Private VLANs

Another way for a Cisco Catalyst switch to provide security is through the use of private VLANs (PVLAN). These PVLANs can provide privacy between groups of Layer 2 ports on a Cisco Catalyst switch. A PVLAN domain has a single primary VLAN. Additionally, the PVLAN domain contains secondary VLANs that provide isolation between ports in a PVLAN domain. Cisco Catalyst switches support two categories of secondary VLANs:

Isolated VLANs: Ports belonging to an isolated VLAN lack Layer 2 connectivity...

ISR Overview and Providing Secure Administrative Access

This section begins by introducing the security features offered in the Cisco line of ISR routers. Additional hardware options for these routers are also discussed. Then, with a foundational understanding of the underlying hardware, you will learn a series of best practices for securing administrative access to a router. For example, a router can be configured to give different privilege levels to different administrative logins. Although they are not a replacement for dedicated security...

Locking Down the Router

This section begins by identifying router services that are susceptible to attack and by explaining how security can be compromised by various router management services. You will learn two approaches for hardening a Cisco IOS router against attacks:

Using Cisco SDM's One-Step Lockdown feature

Using the auto secure CLI command

Identifying Potentially Vulnerable Router Interfaces and Services

One of the most obvious steps to secure a router is to administratively shut down any unused router...

Using Secure Management and Reporting

Network management and reporting applications help network administrators proactively monitor and configure their network. However, left unsecured, management and reporting traffic can be used by potential attackers to compromise network security. For example, captured management and reporting traffic might contain administrative credentials for logging onto a system. Therefore, this section focuses on securing such traffic types. Specifically, you will learn about securing syslog, SSH, and...

IINS Course Outlines

Another way to get some direction about the topics on the exams is to look at the course outlines for the related courses. Cisco offers one authorized CCNA Security-related course: Implementing Cisco IOS Network Security (IINS v1.0). Cisco authorizes Certified Learning Solutions Providers (CLSP) and Certified Learning Partners (CLP) to deliver these classes. These authorized companies can also create unique custom course books using this material, in some cases to teach classes geared toward...

Constructing a Comprehensive Network Security Policy

One of the main reasons security breaches occur within an organization is the lack of a security policy or, if a security policy is in place, the lack of effectively communicating that security policy to all concerned. This section discusses the purpose of a security policy, what should be addressed in that policy, how to maximize its effectiveness, and how to create awareness and understanding of the policy. A security policy is a continually changing document that dictates a set of guidelines...

Increasing Operations Security

After a network is installed, network operations personnel monitor and maintain it. From a security perspective, operations security attempts to secure hardware, software, and various media while investigating anomalous network behavior. A computer network is a dynamic entity, continuously changing to meet the needs of its users. New network components are added and eventually retired. The life of these components can be defined by the System Development Life Cycle (SDLC), which consists of...