Flexible Packet Matching

© 2007 Cisco Systems, Inc. All rights reserved. Many of the tools available today are not designed with deep packet inspection as a requirement; instead, they are designed to provide matching for predefined fields in well-known protocol headers. If an attack uses a field outside the limited range of inspection of these features, you are left without a defense against the attack. FPM provides the means to configure match criteria for any or all fields in a packet...

Student Guide

Editorial, Production, and Web Services 02.06.07
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA, www.cisco.com, Tel 408 526-4000 / 800 553-NETS (6387), Fax 408 527-0883
Cisco Systems International BV, Haarlerbergpark, Haarlerbergweg 13-19, 1101 CH Amsterdam, The Netherlands, www-europe.cisco.com, Tel +31 0 8000200791, Fax +31 0 20 357 1100
Cisco Systems, Inc., 168 Robinson Road, #28-01 Capital Tower, Singapore 068912, www.cisco.com, Tel +65 6317 7777, Fax +65 6317 7799
Cisco has more than...

Data Plane Protection

This topic describes some strategies for protecting the data plane. Cisco IOS Software includes various tools for dealing with attacks that may affect the data plane. Some of these security features include the following: Access control lists (ACLs): filter traffic through network devices. Flexible Packet Matching: provides a flexible Layer 2 to Layer 7 stateless classification mechanism. Unicast Reverse Path Forwarding (uRPF): helps mitigate problems...

CAM Table Overflow Attack

[Figure: Attacker sees traffic to servers B and D] This diagram illustrates a CAM table overflow attack. In this figure, the attacker is sending out multiple packets with various source MAC addresses. Over a short period of time, the CAM table in the switch fills up until it cannot accept new entries. As long as the flood is left running, the CAM table on the switch will remain full. When this happens, the switch begins to broadcast all packets that it receives out...

Control Plane Interface and Subinterface

The concept of early rate-limiting protocol-specific traffic destined to the processor by applying QoS policies to the aggregate control plane interface was introduced with CoPP. CPPr extends this control plane functionality by providing three additional control plane subinterfaces under the top-level (aggregate) control plane interface. Each subinterface receives and processes a specific type of control plane traffic. The three subinterfaces are as follows: Control plane host subinterface...

Commands to Mitigate DHCP Starvation Attacks

Switch(config)# ip dhcp snooping
switch(config)# ip dhcp snooping vlan 90
switch(config)# interface FastEthernet 0/5
switch(config-if)# ip dhcp snooping trust
switch(config-if)# ip dhcp snooping limit rate 300
switch(config-if)# end
To enable and configure DHCP snooping, follow these steps:
Step 1 Globally enable DHCP snooping. switch(config)# ip dhcp snooping
Step 2 Enable DHCP snooping on a VLAN or range of VLANs. switch(config)# ip dhcp snooping vlan vlan-range (Optional) Single VLAN number or a...

Entering Aggregate Control Plane Configuration Mode

After you create a class of traffic and define the service policy for the control plane, you need to apply the policy to either the aggregate control plane interface or one of the subinterfaces. After you enter the control-plane command, you can define aggregate CoPP policies for the RP. You can configure a service policy to police all traffic destined to the control plane from all line cards on the router (aggregate control plane services). Note: Aggregate control plane services manage traffic...

Mitigating Pvlan Proxy Attacks

Router(config)# access-list 101 deny ip 172.30.1.0 0.0.0.255 172.30.1.0 0.0.0.255
router(config)# access-list 101 permit ip any any
router(config-if)# ip access-group 101 in
Build ACL for subnet and apply ACL to interface. Configure access control lists (ACLs) on the router port to mitigate PVLAN attacks. An example of using ACLs on the router port is if a server farm segment existed on subnet 172.30.1.0/24 and target C was in the server...

What Is EAP

EAP, the Extensible Authentication Protocol: a flexible transport protocol used to carry arbitrary authentication information, not the authentication method itself. Typically runs directly over data-link layers such as PPP or IEEE 802 media. Originally specified in RFC 2284, obsoleted by RFC 3748. Supports multiple authentication types. EAP, based on IETF 802.1x, is an end-to-end framework that allows the creation of authentication types...

Cisco Certified Security Professional

Expand Your Professional Options and Advance Your Career. Professional level recognition in Cisco Certified Security Professional. Recommended Training Through Cisco Learning Partners: Securing Cisco Network Devices (SND); Securing Networks with Cisco Routers and Switches (SNRS); Securing Networks with PIX and ASA (SNPA); Implementing Cisco Intrusion Prevention Systems (IPS); Securing...

Configuring Port Security

Switch(config-if)# switchport mode access
Set the interface mode as access.
switch(config-if)# switchport port-security
Enable port security on the interface.
switchport port-security maximum value
Set the maximum number of secure MAC addresses for the interface (optional).
Complete these steps to configure port security on an interface.
Step 1 Enter interface configuration mode. switch(config)# interface FastEthernet 0/8
Step 2 Configure...

TACACS and Radius Comparison

[Comparison table fragment, columns lost in extraction: Authentication; Authorization; 1645 and 1812; Encrypts only passwords; up to 16 bytes; Separate control of each AAA service] Cisco Secure ACS conforms to the TACACS+ protocol as defined by Cisco Systems. Cisco Secure ACS conforms to the RADIUS protocol as defined in these RFCs: RFC 2138, Remote Authentication Dial In User Service (RADIUS); RFC 2139, RADIUS Accounting; RFC 2284, PPP...

Defining a CoPP Service Policy

Use the policy-map global configuration command to specify the service policy name, and use the configuration commands to associate a traffic class that was configured with the class-map command. The traffic class is associated with the service policy when you use the class command. You must then issue the class command after entering policy map configuration mode. After entering the class command, you are automatically in policy map class configuration mode. Follow these steps to define a...

PEAP with MSCHAPv2

[Figure: PEAP with MS-CHAPv2 message exchange. Messages shown: EAP Request TLS start; EAP Response TLS client hello; EAP Response TLS Server Hello, Server Cert, Server Key Exchange, Server Hello Done; EAP Response Cert Verify, Change Ciph Spec; EAP Request TLS Change_Ciph_Spec; Identity Request; Identity Response; EAP-MS-CHAPv2 Challenge; EAP-MS-CHAPv2 Response] This diagram illustrates PEAP with MS-CHAPv2 message exchange between the supplicant, authenticator, and authentication server....

Web Interface

Select Log Off to end the administration session. CiscoSecure ACS v4.0 offers support for multiple AAA Clients and advanced TACACS+ and RADIUS features. It also supports several methods of authorization, authentication, and accounting (AAA), including several one-time-password cards. For more information on CiscoSecure products and upgrades, please visit http://www.cisco.com. Copyright 2005 Cisco Systems, Inc. Copyright 1991-1992 RSA Data Security, Inc. MD5...

Working in Cisco Secure ACS

[Figure: Cisco Secure ACS v4.0 web interface screenshot; its banner text is the same as on the Web Interface slide above.]