Addressing Endpoint Security

Cisco Security
Impenetrable Wall? or Hacker’s Delight?
Kevin King - Senior Technical Instructor ● Infrastructure/Cloud Consulting
| MCT CCSI MCSE-Private Cloud MCSA
MCSA-Server 2012 MCSE CCNA Data Center Cisco Quality Instructor 2014
New Horizons CLC | 6700 Jefferson, Building A | Albuquerque, NM 87109
p: 505.830.7100 | f: 505.830.2239 | kking@nhabq.com | www.nhabq.com
Major Concepts
• Describe endpoint vulnerabilities and protection methods
• Describe basic Catalyst switch vulnerabilities
• Configure and verify switch security features, including port security and storm control
• Describe the fundamental security considerations of wireless, VoIP, and SANs
Securing the LAN
(Figure: the LAN sits behind the perimeter devices, Firewall, VPN, IPS and IronPort, facing the Internet, with MARS and ACS for monitoring and access control; inside are the hosts and the web, email and DNS servers.)
Areas of concentration:
• Securing endpoints
• Securing network infrastructure
Addressing Endpoint Security
(Figure: a secure host rests on three pillars: policy compliance, infection containment, and threat protection.)
Based on three elements:
• Cisco Network Admission Control (NAC)
• Endpoint protection
• Network infection containment
Operating Systems Basic Security Services
• Trusted code and trusted path – ensures that the integrity of the operating system is not violated
• Privileged context of execution – provides identity authentication and certain privileges based on the identity
• Process memory protection and isolation – provides separation from other users and their data
• Access control to resources – ensures confidentiality and integrity of data
Types of Application Attacks
• Direct: the attacker gains the application's privileges on the target itself ("I have gained direct access to this application's privileges").
• Indirect: the attacker compromises a system that the target trusts and uses that trust relationship to reach the target ("I have gained access to this system, which is trusted by the other system, allowing me to access it").
Cisco Systems Endpoint Security Solutions
• Cisco Security Agent
• IronPort
• Cisco NAC

Cisco NAC
The purpose of NAC:
• Allow only authorized and compliant systems to access the network
• Enforce network security policy

NAC Framework
• Software module embedded within NAC-enabled products
• Integrated framework leveraging multiple Cisco and NAC-aware vendor products

Cisco NAC Appliance
• The in-band Cisco NAC Appliance solution can be used on any switch or router platform
• Self-contained, turnkey solution
Cisco NAC Appliance Process
(Figure: host, Cisco NAC Server (NAS), Cisco NAC Manager (NAM), authentication server, quarantine role, and the intranet/network that is the goal.)
1. The host attempts to access a web page or uses an optional client. Network access is blocked until the wired or wireless host provides login information.
2. The host is redirected to a login page. The Cisco NAC Appliance validates the username and password and also performs device and network scans to assess vulnerabilities on the device.
3. The host is authenticated and optionally scanned for posture compliance.
3a. The device is noncompliant or the login is incorrect: the host is denied access and assigned to a quarantine role with access only to online remediation resources.
3b. The device is "clean": the machine is placed on the "certified devices list" and is granted access to the network.
CSA Architecture
(Figure: servers protected by Cisco Security Agent report events and alerts over SSL to the Management Center for Cisco Security Agent, which stores the security policy in an internal or external database and pushes it to the agents; an administration workstation manages the Management Center.)
Attack Phases
– Probe phase: ping scans, port scans
– Penetrate phase: transfer exploit code to the target
– Persist phase: install new code, modify configuration
– Propagate phase: attack other targets
– Paralyze phase: erase files, crash system, steal data

Server protected by Cisco Security Agent – the agent intercepts operating system calls through four interceptors:
– File system interceptor
– Network interceptor
– Configuration interceptor
– Execution space interceptor
CSA Log Messages
Layer 2 Security
(Figure: the same LAN topology as before, perimeter Firewall, VPN, IPS, IronPort, MARS and ACS, with the hosts and the web, email and DNS servers inside, now with the focus on the switched LAN.)
OSI Model
When it comes to networking, Layer 2 is often a very weak link.
(Figure: the OSI layers Physical (physical links), Data Link (MAC addresses), Network (IP addresses), Transport (protocols and ports), Session, Presentation and Application (application stream). An initial compromise at the Data Link layer leaves every layer above it compromised: the upper layers trust what the layer below delivers and cannot tell that frames have been redirected or intercepted.)
MAC Address Spoofing Attack
The switch keeps track of endpoints by maintaining a MAC address table. In MAC spoofing, the attacker poses as another host, in this case the server with MAC address AABBcc.
(Figure, step 1: the server (MAC address AABBcc) is on port 1 and the attacker (MAC address 12AbDd) is on port 2. Switch: "I have associated ports 1 and 2 with the MAC addresses of the devices attached. Traffic destined for each device will be forwarded directly.")
(Figure, step 2: Attacker: "I have changed the MAC address on my computer to match the server." Both hosts now claim AABBcc. Switch: "The device with MAC address AABBcc has changed locations to port 2. I must adjust my MAC address table accordingly." Traffic for the server is now delivered to the attacker until the real server transmits again and the entry flips back.)
MAC Address Table Overflow Attack
The switch can forward frames between PC1 and PC2 without flooding because the MAC address table (CAM table) contains port-to-MAC-address mappings for these PCs.
(Figure: hosts A, B, C and D in VLAN 10; the intruder is on port 3/25.)
1. The intruder runs macof and begins sending frames with unknown, bogus source MAC addresses (X, Y, Z, ...).
2. The bogus addresses are added to the CAM table (3/25 MAC X, 3/25 MAC Y, 3/25 MAC Z, ...) until the CAM table is full.
3. With no room left to learn legitimate addresses, the switch floods frames for unknown destinations out every port in VLAN 10.
4. The attacker sees traffic to servers B and D.
STP Manipulation Attack
• Spanning Tree Protocol operates by electing a root bridge
• STP builds a tree topology
• STP manipulation changes the topology of a network: the attacking host appears to be the root bridge
(Figure: the legitimate root bridge has priority 8192 and MAC address 0000.00C0.1234; ports marked F are forwarding and ports marked B are blocking. After the attack the attacker is the root bridge and the forwarding and blocking ports have been recomputed around it.)
The attacking host broadcasts out STP configuration and topology change BPDUs. This is an attempt to force spanning tree recalculations. If the attacker advertises a better bridge ID than the real root, the switches elect the attacker as root bridge and traffic that previously never crossed the attacker's link now does.
LAN Storm Attack
(Figure: broadcast frames replicated out of every port of the switch.)
• Broadcast, multicast, or unicast packets are flooded on all ports in the same VLAN.
• These storms can increase the CPU utilization on a switch to 100%, reducing the performance of the network.

Storm Control
(Figure: storm control measures the total number of broadcast packets or bytes received on a port over a measurement interval and suppresses the traffic once a threshold is crossed.)
VLAN Attacks
VLANs provide:
 Segmentation
 Flexibility
 Security
VLAN = Broadcast Domain = Logical Network (Subnet)

VLAN Attacks
(Figure: an 802.1Q trunk carrying VLAN 10 and VLAN 20; once the attacker's port becomes a trunk, the attacker sees traffic destined for the servers in both VLANs.)
A VLAN hopping attack can be launched in two ways:
• Spoofing DTP messages from the attacking host to cause the switch to enter trunking mode
• Introducing a rogue switch and turning trunking on

Double-Tagging VLAN Attack
(Figure: attacker on VLAN 10, a trunk between two switches with native VLAN = 10, victim on VLAN 20.)
1. The attacker, on VLAN 10, sends a frame carrying two 802.1Q tags: an outer tag for VLAN 10 (the trunk's native VLAN) and an inner tag for VLAN 20.
2. The first switch strips off the outer tag and does not retag the frame, because native-VLAN traffic is sent untagged on the trunk. It forwards the frame, now carrying only the VLAN 20 tag, to switch 2.
3. The second switch receives the frame on the trunk, examines it, sees the VLAN 20 tag, and forwards it into VLAN 20.
4. The frame reaches the victim in VLAN 20.
Note: this attack works only if the trunk has the same native VLAN as the attacker's access VLAN. It is also one-way: the attacker can inject frames into VLAN 20, but the victim's replies stay in VLAN 20 and never return to the attacker.
Port Security Overview
(Figure: port 0/1 allows MAC A, port 0/2 allows MAC B, port 0/3 allows MAC C. Attacker 1 plugs into a port that allows only MAC A; Attacker 2 uses MAC F, which no port allows.)
Port security allows an administrator to statically specify MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses.

CLI Commands
Switch(config-if)# switchport mode access
• Sets the interface mode as access
Switch(config-if)# switchport port-security
• Enables port security on the interface
Switch(config-if)# switchport port-security maximum value
• Sets the maximum number of secure MAC addresses for the interface (optional)
Switchport Port-Security Parameters
mac-address mac-address – (Optional) Specify a secure MAC address for the port by entering a 48-bit MAC address. You can add additional secure MAC addresses up to the maximum value configured.
vlan vlan-id – (Optional) On a trunk port only, specify the VLAN ID and the MAC address. If no VLAN ID is specified, the native VLAN is used.
vlan access – (Optional) On an access port only, specify the VLAN as an access VLAN.
vlan voice – (Optional) On an access port only, specify the VLAN as a voice VLAN.
mac-address sticky [mac-address] – (Optional) Enable the interface for sticky learning by entering only the mac-address sticky keywords. When sticky learning is enabled, the interface adds all secure MAC addresses that are dynamically learned to the running configuration and converts these addresses to sticky secure MAC addresses. Specify a sticky secure MAC address by entering the mac-address sticky mac-address keywords.
maximum value – (Optional) Set the maximum number of secure MAC addresses for the interface. The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system. The active Switch Database Management (SDM) template determines this number. This number represents the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces. The default setting is 1.
vlan [vlan-list] – (Optional) For trunk ports, you can set the maximum number of secure MAC addresses on a VLAN. If the vlan keyword is not entered, the default value is used.
  – vlan: set a per-VLAN maximum value.
  – vlan vlan-list: set a per-VLAN maximum value on a range of VLANs separated by a hyphen or a series of VLANs separated by commas. For nonspecified VLANs, the per-VLAN maximum value is used.
Port Security Violation Configuration
Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}
• Sets the violation mode (optional; the default is shutdown)
Switch(config-if)# switchport port-security mac-address mac-address
• Enters a static secure MAC address for the interface (optional)
Switch(config-if)# switchport port-security mac-address sticky
• Enables sticky learning on the interface (optional)

Switchport Port-Security Violation Parameters
protect – (Optional) Set the security violation protect mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred, so this mode leaves no trace for an investigation.
restrict – (Optional) Set the security violation restrict mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. In this mode you are notified that a security violation has occurred: an SNMP trap is sent, a syslog message is logged and the violation counter is incremented, while the port stays up.
shutdown – (Optional) Set the security violation shutdown mode. In this mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and increments the violation counter. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands.
shutdown vlan – Set the security violation mode to per-VLAN shutdown. In this mode, only the VLAN on which the violation occurred is error-disabled.
Port Security Aging Configuration
Switch(config-if)# switchport port-security aging {static | time time | type {absolute | inactivity}}
• Enables or disables static aging for the secure port or sets the aging time or type

Switchport Port-Security Aging Parameters
static – Enable aging for statically configured secure addresses on this port.
time time – Specify the aging time for this port. The range is 0 to 1440 minutes. If the time is 0, aging is disabled for this port.
type absolute – Set the absolute aging type. All the secure addresses on this port age out exactly after the time (minutes) specified and are removed from the secure address list.
type inactivity – Set the inactivity aging type. The secure addresses on this port age out only if there is no data traffic from the secure source address for the specified time period.
Typical Configuration
(Figure: switch S2 with PC B attached to the secured port.)
S2(config-if)# switchport mode access
S2(config-if)# switchport port-security
S2(config-if)# switchport port-security maximum 2
S2(config-if)# switchport port-security violation shutdown
S2(config-if)# switchport port-security mac-address sticky
S2(config-if)# switchport port-security aging time 120
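The following is an added example, not code from the slides or from Cisco: a toy learning switch in Python that shows why the macof CAM-table overflow above turns a switch into a hub, and how the port-security maximum with violation shutdown stops it. The port numbers, the CAM size of eight entries and all MAC addresses are constructed for the demo.

```python
# Added example, not from the slides: a toy learning switch that shows why a
# CAM-table overflow (what macof does) turns a switch into a hub, and how the
# port-security maximum with "violation shutdown" stops it. Port numbers, the
# CAM size and all MAC addresses are constructed for the demo.
from dataclasses import dataclass, field

MAC_A = "00:00:00:00:00:0a"   # host A on port 1
MAC_B = "00:00:00:00:00:0b"   # server B on port 2; the attacker is on port 3


@dataclass
class PortSecurity:
    maximum: int = 1                  # switchport port-security maximum
    violation: str = "shutdown"       # protect | restrict | shutdown
    secure_macs: set = field(default_factory=set)   # sticky-style learned set
    err_disabled: bool = False
    violations: int = 0


class LearningSwitch:
    def __init__(self, ports, cam_size):
        self.ports = list(ports)
        self.cam_size = cam_size      # entries the CAM can hold before it is full
        self.cam = {}                 # source MAC -> port it was learned on
        self.port_security = {}       # port -> PortSecurity, if enabled

    def enable_port_security(self, port, maximum=1, violation="shutdown"):
        self.port_security[port] = PortSecurity(maximum, violation)

    def _port_up(self, port):
        ps = self.port_security.get(port)
        return ps is None or not ps.err_disabled

    def _admit(self, port, src):
        """Port-security check for one ingress frame; False means drop it."""
        ps = self.port_security.get(port)
        if ps is None:
            return True
        if ps.err_disabled:
            return False
        if src in ps.secure_macs:
            return True
        if len(ps.secure_macs) < ps.maximum:
            ps.secure_macs.add(src)       # learn a new secure address
            return True
        # Limit reached and an unknown source: a violation.
        if ps.violation in ("restrict", "shutdown"):
            ps.violations += 1            # protect mode counts nothing
        if ps.violation == "shutdown":
            ps.err_disabled = True        # the whole port goes err-disabled
        return False

    def receive(self, in_port, src, dst):
        """Process one frame and return the egress port list ([] = dropped)."""
        if not self._admit(in_port, src):
            return []
        if src not in self.cam and len(self.cam) < self.cam_size:
            self.cam[src] = in_port       # a full CAM learns nothing new
        if dst in self.cam:
            out = self.cam[dst]
            return [] if out == in_port else [out]
        # Unknown destination: flood to every other live port in the VLAN.
        return [p for p in self.ports if p != in_port and self._port_up(p)]


def macof_demo(port_security=False):
    """Attacker on port 3 sprays bogus source MACs, then A and B exchange frames."""
    sw = LearningSwitch(ports=[1, 2, 3], cam_size=8)
    if port_security:
        sw.enable_port_security(3, maximum=1, violation="shutdown")
    for i in range(20):               # macof: frames with made-up source MACs
        sw.receive(3, f"de:ad:be:ef:00:{i:02x}", "ff:ff:ff:ff:ff:ff")
    sw.receive(2, MAC_B, MAC_A)       # server B sends to host A
    egress = sw.receive(1, MAC_A, MAC_B)   # A replies to B
    ps = sw.port_security.get(3)
    return {
        "cam_entries": len(sw.cam),
        "a_to_b_egress": egress,
        "attacker_sees_reply": 3 in egress,
        "port3_err_disabled": bool(ps and ps.err_disabled),
        "violations": ps.violations if ps else 0,
    }


if __name__ == "__main__":
    print("no port security  :", macof_demo())
    print("with port security:", macof_demo(port_security=True))
```

Without port security the twenty bogus addresses fill the eight-entry CAM, B and A can no longer be learned, and A's reply to B is flooded to port 3 as well. With maximum 1 and violation shutdown on port 3, the second bogus address err-disables the port, the CAM keeps room for A and B, and the reply goes only to port 2.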
CLI Commands
sw-class# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                 (Count)       (Count)        (Count)
---------------------------------------------------------------------------
      Fa0/12            2             0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024

sw-class# show port-security interface f0/12
Port Security              : Enabled
Port status                : Secure-down
Violation mode             : Shutdown
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Aging time                 : 120 mins
Aging type                 : Absolute
SecureStatic address aging : Disabled
Security Violation Count   : 0
View Secure MAC Addresses
sw-class# show port-security address
          Secure Mac Address Table
------------------------------------------------------------------
Vlan    Mac Address       Type              Ports    Remaining Age
                                                        (mins)
----    -----------       ----              -----    -------------
   1    0000.ffff.aaaa    SecureConfigured  Fa0/12        -
------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024
MAC Address Notification
(Figure: switch CAM table F1/1 = MAC A, F1/2 = MAC B, F2/1 = MAC D. MAC D is away from the network and its entry ages out. SNMP traps are sent to the NMS when new MAC addresses appear or when old ones time out.)
MAC address notification allows monitoring of the MAC addresses, at the module and port level, that the switch adds to or removes from the CAM table for secure ports.
Configure PortFast
(Figure: a server and a workstation attached to access ports.)
Switch(config-if)# spanning-tree portfast – Enables PortFast on a Layer 2 access port and forces it to enter the forwarding state immediately, skipping the listening and learning states.
Switch(config-if)# no spanning-tree portfast – Disables PortFast on a Layer 2 access port. PortFast is disabled by default.
Switch(config)# spanning-tree portfast default – Globally enables the PortFast feature on all nontrunking ports.
Switch# show running-config interface type slot/port – Indicates whether PortFast has been configured on a port.
Use PortFast only on ports that connect to a single end host, never on a port that can reach another switch: a PortFast port forwards before STP has checked for loops, so pair it with BPDU guard.
BPDU Guard
(Figure: an attacker on an access port with BPDU guard enabled sends an STP BPDU; the port is error-disabled and the root bridge, with its forwarding (F) and blocking (B) ports, is unaffected.)
Switch(config)# spanning-tree portfast bpduguard default
• Globally enables BPDU guard on all ports with PortFast enabled

Display the State of Spanning Tree
Switch# show spanning-tree summary totals
Root bridge for: none.
PortFast BPDU Guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Spanning tree default pathcost method used is short
Name                 Blocking Listening Learning Forwarding STP Active
-------------------- -------- --------- -------- ---------- ----------
1 VLAN                      0         0        0          1          1
<output omitted>
Root Guard
(Figure: the legitimate root bridge has priority 0 and MAC address 0000.0c45.1a5d. The attacker sends an STP BPDU claiming priority 0 with MAC address 0000.0c45.1234; because the priorities tie and the attacker's MAC address is lower, this BPDU is superior and would win the root election. The port facing the attacker has root guard enabled, so the superior BPDU is ignored and the port is placed in the root-inconsistent state instead.)
Switch(config-if)# spanning-tree guard root
• Enables root guard on a per-interface basis

Verify Root Guard
Switch# show spanning-tree inconsistentports
Name                 Interface              Inconsistency
-------------------- ---------------------- ------------------
VLAN0001             FastEthernet3/1        Port Type Inconsistent
VLAN0001             FastEthernet3/2        Port Type Inconsistent
VLAN1002             FastEthernet3/1        Port Type Inconsistent
VLAN1002             FastEthernet3/2        Port Type Inconsistent
VLAN1003             FastEthernet3/1        Port Type Inconsistent
VLAN1003             FastEthernet3/2        Port Type Inconsistent
VLAN1004             FastEthernet3/1        Port Type Inconsistent
VLAN1004             FastEthernet3/2        Port Type Inconsistent
VLAN1005             FastEthernet3/1        Port Type Inconsistent
VLAN1005             FastEthernet3/2        Port Type Inconsistent
Number of inconsistent ports (segments) in the system : 10
A port blocked by root guard appears in this output with the inconsistency "Root Inconsistent" and recovers on its own once the superior BPDUs stop arriving, unlike a BPDU-guard port, which stays error-disabled until recovered.
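The following is an added example, not code from the slides or from Cisco: a minimal Python model of the STP root election that reproduces the three situations from the STP manipulation, BPDU guard and root guard slides above. Without protection the attacker's BPDU wins; with BPDU guard the PortFast port is err-disabled on any BPDU; with root guard the superior BPDU is ignored and the port goes root-inconsistent. The two bridge IDs come from the Root Guard slide; the switch's own bridge ID and the port names Fa3/1 and Fa3/2 are constructed.

```python
# Added example, not from the slides: a minimal model of the STP root election
# showing how the attacker's BPDU wins without protection, how BPDU guard
# err-disables a PortFast port on any BPDU, and how root guard ignores a superior
# BPDU and puts the port into the root-inconsistent state instead. The bridge IDs
# come from the slides; the switch's own bridge ID and port names are constructed.
from dataclasses import dataclass, field


@dataclass(frozen=True, order=True)
class BridgeID:
    """STP bridge ID: the lower (priority, MAC) pair wins the root election."""
    priority: int
    mac_value: int = field(repr=False)
    mac: str = field(compare=False)


def bridge_id(priority, mac):
    return BridgeID(priority, int(mac.replace(".", ""), 16), mac)


@dataclass
class Port:
    name: str
    bpdu_guard: bool = False          # BPDU guard on a PortFast edge port
    root_guard: bool = False          # spanning-tree guard root
    state: str = "forwarding"         # forwarding | err-disabled | root-inconsistent


class Switch:
    def __init__(self, own_id, ports):
        self.own_id = own_id
        self.root = own_id            # every bridge starts out believing it is root
        self.ports = {p.name: p for p in ports}

    def receive_bpdu(self, port_name, advertised_root):
        """Process one configuration BPDU; return True if the root changed."""
        port = self.ports[port_name]
        if port.state == "err-disabled":
            return False
        if port.bpdu_guard:
            port.state = "err-disabled"        # any BPDU on an edge port is hostile
            return False
        if advertised_root < self.root:
            if port.root_guard:
                port.state = "root-inconsistent"   # superior BPDU blocked, root kept
                return False
            self.root = advertised_root
            return True
        return False


LEGIT_ROOT = bridge_id(0, "0000.0c45.1a5d")      # from the Root Guard slide
ATTACKER = bridge_id(0, "0000.0c45.1234")        # same priority, lower MAC: superior


def stp_attack_demo(protection=None):
    """protection: None, 'bpdu_guard' or 'root_guard' on the attacker-facing port."""
    user_port = Port("Fa3/2",
                     bpdu_guard=(protection == "bpdu_guard"),
                     root_guard=(protection == "root_guard"))
    sw = Switch(bridge_id(32768, "0000.0c45.aaaa"), [Port("Fa3/1"), user_port])
    sw.receive_bpdu("Fa3/1", LEGIT_ROOT)           # uplink learns the real root
    sw.receive_bpdu("Fa3/2", ATTACKER)             # attacker claims to be root
    return sw.root.mac, user_port.state


if __name__ == "__main__":
    for protection in (None, "bpdu_guard", "root_guard"):
        root, state = stp_attack_demo(protection)
        print(f"{str(protection):>10}: root={root} port={state}")
```

The model also makes the difference between the two guards visible: BPDU guard reacts to any BPDU at all, which is right for a port that should never see a switch, while root guard only reacts to a BPDU that would change the root, so it can sit on a port that legitimately connects to a downstream switch.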
Storm Control Methods
• Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic
• Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received
• Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received
• Traffic rate in packets per second for small frames. This feature is enabled globally. The threshold for small frames is configured for each interface.

Storm Control Configuration
Switch(config-if)# storm-control broadcast level 75.5
Switch(config-if)# storm-control multicast level pps 2k 1k
Switch(config-if)# storm-control action shutdown
• Enables storm control for the named traffic type
• Specifies the level at which it is enabled (here 75.5% of port bandwidth for broadcast, and a rising level of 2000 pps with a falling level of 1000 pps for multicast)
• Specifies the action that should take place when the threshold (level) is reached, in addition to filtering traffic

Storm Control Parameters
broadcast – Enables broadcast storm control on the interface.
multicast – Enables multicast storm control on the interface.
unicast – Enables unicast storm control on the interface.
level level [level-low] – Rising and falling suppression levels as a percentage of total bandwidth of the port.
  • level: Rising suppression level. The range is 0.00 to 100.00. Block the flooding of storm packets when the value specified for level is reached.
  • level-low: (Optional) Falling suppression level, up to two decimal places. This value must be less than or equal to the rising suppression value. If it is omitted, the falling level equals the rising level.
level bps bps [bps-low] – Specify the rising and falling suppression levels as a rate in bits per second at which traffic is received on the port.
  • bps: Rising suppression level. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for bps is reached.
  • bps-low: (Optional) Falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value.
level pps pps [pps-low] – Specify the rising and falling suppression levels as a rate in packets per second at which traffic is received on the port.
  • pps: Rising suppression level. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for pps is reached.
  • pps-low: (Optional) Falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value.
action {shutdown | trap} – The action taken when a storm occurs on a port. The default action is to filter traffic and to not send an SNMP trap.
  • shutdown: Error-disables the port during a storm
  • trap: Sends an SNMP trap when a storm occurs
Verify Storm Control Settings
Switch# show storm-control
Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Gi0/1      Forwarding     20 pps       10 pps       5 pps
Gi0/2      Forwarding     50.00%       40.00%       0.00%
<output omitted>
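The following is an added example, not code from the slides or from Cisco: a Python model of the rising and falling suppression levels, evaluated per measurement interval the way the Upper and Lower columns of show storm-control are used. It shows why the falling level matters (without it, filtering flaps on every interval that dips below the rising level) and what the shutdown action does. The one-second interval model and the sample traffic rates are constructed; 20 pps and 10 pps are the Gi0/1 values from the output above.

```python
# Added example, not from the slides: a model of storm control's rising and
# falling suppression levels, evaluated per one-second measurement interval the
# way the Upper/Lower columns of show storm-control are used. The interval
# model and the sample traffic rates are constructed; 20 pps / 10 pps are the
# Gi0/1 values from the slide.


class StormControl:
    def __init__(self, rising, falling=None, action=None):
        self.rising = rising
        # Without a falling level the rising level is reused (no hysteresis).
        self.falling = rising if falling is None else falling
        if self.falling > self.rising:
            raise ValueError("falling level must not exceed the rising level")
        self.action = action          # None = filter only, "trap", or "shutdown"
        self.filtering = False
        self.err_disabled = False
        self.traps = 0

    def interval(self, rate):
        """Evaluate one measurement interval; return the port's filter state."""
        if self.err_disabled:
            return "Err-disabled"
        if not self.filtering and rate >= self.rising:
            self.filtering = True             # storm detected
            if self.action == "trap":
                self.traps += 1
            elif self.action == "shutdown":
                self.err_disabled = True
                return "Err-disabled"
        elif self.filtering and rate < self.falling:
            self.filtering = False            # storm over, resume forwarding
        return "Blocking" if self.filtering else "Forwarding"


def run(rates, rising=20, falling=10, action=None):
    """Filter state after each interval for a sequence of measured rates (pps)."""
    sc = StormControl(rising, falling, action)
    return [sc.interval(r) for r in rates]


if __name__ == "__main__":
    bursty = [5, 25, 15, 8, 30]
    print("rising 20 / falling 10:", run(bursty))
    print("rising 20 only        :", run(bursty, falling=None))
    print("action shutdown       :", run(bursty, action="shutdown"))
```

The same class serves the percentage and bps forms of the command: only the unit of the measured value changes.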
Mitigating VLAN Attacks
(Figure: trunk with native VLAN = 10.)
1. Disable trunking on all access ports.
2. Disable auto trunking and manually enable trunking.
3. Be sure that the native VLAN is used only for trunk lines and nowhere else.

Controlling Trunking
Switch(config-if)# switchport mode trunk
• Specifies an interface as a trunk link
Switch(config-if)# switchport nonegotiate
• Prevents the generation of DTP frames, so a neighbor cannot negotiate the port into a different mode
Switch(config-if)# switchport trunk native vlan vlan_number
• Sets the native VLAN on the trunk to an unused VLAN, so that no access port shares it and a double-tagged frame is not sent untagged on the trunk
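The following is an added example, not code from the slides or from Cisco: it builds the attacker's double-tagged 802.1Q frame from the Double-Tagging VLAN Attack slide and walks it through the two-switch path, once with the trunk's native VLAN equal to the attacker's VLAN 10 and once after the native VLAN has been moved to an unused VLAN with switchport trunk native vlan. The switch behaviour is modelled exactly as the slide describes it; the MAC addresses, the payload and VLAN 999 are constructed.

```python
# Added example, not from the slides: builds the attacker's double-tagged 802.1Q
# frame and walks it through the two-switch path described on the slides, once
# with the trunk's native VLAN equal to the attacker's VLAN and once with the
# native VLAN moved to an unused VLAN (switchport trunk native vlan 999). The
# switch model, MAC addresses and VLAN 999 are constructed for the demo.
import struct

TPID = 0x8100          # 802.1Q tag protocol identifier


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, vlans, ethertype=0x0800, payload=b""):
    """Ethernet II frame with zero or more 802.1Q tags, outermost tag first."""
    frame = mac_bytes(dst) + mac_bytes(src)
    for vid in vlans:
        frame += struct.pack("!HH", TPID, vid & 0x0FFF)   # PCP and DEI left at 0
    return frame + struct.pack("!H", ethertype) + payload


def tags(frame):
    """VLAN IDs carried by the frame, outermost first ([] if untagged)."""
    vids, offset = [], 12
    while struct.unpack_from("!H", frame, offset)[0] == TPID:
        vids.append(struct.unpack_from("!H", frame, offset + 2)[0] & 0x0FFF)
        offset += 4
    return vids


def pop_tag(frame):
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID, vid) + frame[12:]


def switch1_to_trunk(frame, access_vlan, trunk_native):
    """Switch 1: the frame enters on an access port and leaves on the 802.1Q trunk."""
    carried = tags(frame)
    if carried and carried[0] == access_vlan:
        frame = pop_tag(frame)        # the tag for the port's own VLAN is consumed
    elif carried:
        return None                   # tagged for a VLAN the port is not in: dropped
    if access_vlan == trunk_native:
        return frame                  # native VLAN goes out untagged: no retag
    return push_tag(frame, access_vlan)


def switch2_from_trunk(frame, trunk_native):
    """Switch 2: classify a frame arriving on the trunk -> (vlan, inner frame)."""
    carried = tags(frame)
    if carried:
        return carried[0], pop_tag(frame)
    return trunk_native, frame        # untagged on a trunk means the native VLAN


def double_tag_attack(trunk_native, attacker_vlan=10, target_vlan=20):
    """Return the VLAN in which switch 2 delivers the attacker's frame."""
    frame = build_frame("ff:ff:ff:ff:ff:ff", "00:00:00:00:00:aa",
                        [attacker_vlan, target_vlan], payload=b"hello victim")
    on_wire = switch1_to_trunk(frame, attacker_vlan, trunk_native)
    vlan, _ = switch2_from_trunk(on_wire, trunk_native)
    return vlan


if __name__ == "__main__":
    print("native VLAN 10 :", double_tag_attack(trunk_native=10))   # lands in VLAN 20
    print("native VLAN 999:", double_tag_attack(trunk_native=999))  # stays in VLAN 10
```

With native VLAN 10 the outer tag is stripped on the first switch and never replaced, so the inner VLAN 20 tag is what the second switch sees. With native VLAN 999 the first switch re-tags the frame for VLAN 10 on the trunk, the second switch classifies it into VLAN 10, and the inner tag is just payload to that VLAN.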
Traffic Analysis
(Figure: an IDS, an RMON probe or a protocol analyzer attached to a SPAN port raises "Intruder Alert!" when it sees the attacker's traffic.)
 A SPAN port mirrors traffic to another port where a monitoring device is connected.
 Without this, it can be difficult to track hackers after they have entered the network.
Layer 2 Guidelines
• Manage switches in as secure a manner as possible (SSH, out-of-band management, ACLs, etc.)
• Set all user ports to non-trunking mode (except if using Cisco VoIP)
• Use port security where possible for access ports
• Enable STP attack mitigation (BPDU guard, root guard)
• Use Cisco Discovery Protocol only where necessary; with phones it is useful
• Configure PortFast on all non-trunking ports
• Configure root guard on STP root ports
• Configure BPDU guard on all non-trunking ports

VLAN Practices
• Always use a dedicated, unused native VLAN ID for trunk ports
• Do not use VLAN 1 for anything
• Disable all unused ports and put them in an unused VLAN
• Manually configure all trunk ports and disable DTP on trunk ports
• Configure all non-trunking ports with switchport mode access
Overview of Wireless, VoIP Security
(Figure: Wireless, VoIP.)

Overview of SAN Security
(Figure: SAN.)

Infrastructure-Integrated Approach
• Proactive threat and intrusion detection capabilities that do not simply detect wireless attacks but prevent them
• Comprehensive protection to safeguard confidential data and communications
• Simplified user management with a single user identity and policy
• Collaboration with wired security systems

Cisco IP Telephony Solutions
• Single-site deployment
• Centralized call processing with remote branches
• Distributed call-processing deployment
• Clustering over the IP WAN

Storage Network Solutions
• Investment protection
• Virtualization
• Security
• Consolidation
• Availability

Cisco Wireless LAN Controllers
• Responsible for system-wide wireless LAN functions
• Work in conjunction with APs and the Cisco Wireless Control System (WCS) to support wireless applications
• Smoothly integrate into existing enterprise networks
Wireless Hacking
• War driving
• A neighbor hacks into another neighbor's wireless network to get free Internet access or to access information
• Free Wi-Fi provides an opportunity to compromise the data of users

Hacking Tools
• Network Stumbler
• Kismet
• AirSnort
• CoWPAtty
• ASLEAP
• Wireshark

Safety Considerations
• Wireless networks using WEP or WPA/TKIP are not secure: WEP keys can be recovered from captured traffic (AirSnort) and TKIP is deprecated, so both are vulnerable to hacking attacks.
• Wireless networks using WPA2/AES should have a passphrase at least 21 characters long, because a captured handshake lets tools such as CoWPAtty attack a short pre-shared key offline.
• If an IPsec VPN is available, use it on any public wireless LAN.
• If wireless access is not needed, disable the wireless radio or wireless NIC.
VoIP Business Advantages
(Figure: the VoIP network connected to the PSTN through a gateway.)
• Little or no training costs
• No major set-up fees
• Lower telecom call costs
• Enables unified messaging
• Productivity increases
• Lower costs to move, add, or change
• Encryption of voice calls is supported
• Fewer administrative personnel required
• Lower ongoing service and maintenance costs
VoIP Components
(Figure: Cisco Unified Communications Manager (call agent), Cisco Unity, IP phones, a videoconference station and an MCU on the IP backbone, with routers/gateways connecting to the PSTN.)
VoIP Protocols
H.323 – ITU standard protocol for interactive conferencing; evolved from the H.320 ISDN standard; flexible, complex
MGCP – Emerging IETF standard for PSTN gateway control; thin device control
Megaco/H.248 – Joint IETF and ITU standard for gateway control with support for multiple gateway types; evolved from the MGCP standard
SIP – IETF protocol for interactive and noninteractive conferencing; simpler but less mature than H.323
RTP – IETF standard media-streaming protocol
RTCP – IETF protocol that provides out-of-band control information for an RTP flow
SRTP – IETF protocol that encrypts RTP traffic as it leaves the voice device
SCCP – Cisco proprietary protocol used between Cisco Unified Communications Manager and Cisco IP phones
Threats
• Reconnaissance
• Directed attacks such as spam over IP telephony (SPIT) and spoofing
• DoS attacks such as DHCP starvation, flooding, and fuzzing
• Eavesdropping and man-in-the-middle attacks

VoIP SPIT
(Figure: an unsolicited call announcing "You've just won an all expenses paid vacation to the U.S. Virgin Islands!!!")
• If SPIT grows like spam, it could result in regular DoS problems for network administrators.
• Antispam methods do not block SPIT.
• Authenticated TLS stops most SPIT attacks because TLS endpoints accept packets only from trusted devices.
Fraud
• Fraud takes several forms:
  – Vishing: a voice version of phishing that is used to compromise confidentiality.
  – Theft and toll fraud: the stealing of telephone services.
• Use features of Cisco Unified Communications Manager to protect against fraud:
  – Partitions limit what parts of the dial plan certain phones have access to.
  – Dial plan filters control access to exploitable phone numbers.
  – Forced authorization codes (FACs) prevent unauthorized calls and provide a mechanism for tracking.
SIP Vulnerabilities
(Figure: SIP user agents register with the registrar, which keeps the location database; calls between user agents are routed through the SIP proxy.)
• Registration hijacking: allows a hacker to intercept incoming calls and reroute them, by registering the attacker's own contact address for the victim's address of record.
• Message tampering: allows a hacker to modify data packets traveling between SIP addresses.
• Session tear-down: allows a hacker to terminate calls or carry out VoIP-targeted DoS attacks.
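The following is an added example, not code from the slides or a Cisco feature: a small Python detector for the registration hijacking described above. It parses SIP REGISTER requests, remembers which Contact each address of record (AOR) is bound to and from which source address the binding came, and flags a re-registration that moves the AOR to a new Contact from a different source. The messages, hosts and the heuristic itself are constructed assumptions; in a real deployment the control is authenticated registration (digest over TLS, as the SPIT slide recommends), with detection like this as a backstop.

```python
# Added example, not from the slides: a detector for SIP registration hijacking.
# It tracks the Contact bound to each address of record (AOR) and the source
# address that registered it, and flags a re-registration that moves the AOR to
# a different Contact from a different source. Messages, addresses and the
# heuristic are constructed; they are not a Cisco feature.
import re

SIP_URI = re.compile(r"<?(sips?:[^>;\s]+)")


def parse_sip(message):
    """Split a SIP message into (request line, {lower-case header: value})."""
    head = message.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def uri_in(header_value):
    match = SIP_URI.search(header_value or "")
    return match.group(1) if match else None


class RegistrationMonitor:
    def __init__(self):
        self.bindings = {}            # AOR -> (contact URI, source IP)

    def observe(self, src_ip, message):
        """Feed one message seen on the wire; return an alert string or None."""
        request, headers = parse_sip(message)
        if not request.startswith("REGISTER "):
            return None
        aor = uri_in(headers.get("to"))
        contact = uri_in(headers.get("contact"))
        if aor is None or contact is None:
            return None
        previous = self.bindings.get(aor)
        self.bindings[aor] = (contact, src_ip)
        if previous and previous[0] != contact and previous[1] != src_ip:
            return (f"possible registration hijack of {aor}: contact moved from "
                    f"{previous[0]} (via {previous[1]}) to {contact} (via {src_ip})")
        return None


def register(aor, contact, call_id):
    """Build a minimal REGISTER request (constructed sample traffic)."""
    return ("REGISTER sip:registrar.example.com SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {contact.split('@')[1]};branch=z9hG4bK{call_id}\r\n"
            f"From: <{aor}>;tag={call_id}\r\n"
            f"To: <{aor}>\r\n"
            f"Contact: <{contact}>\r\n"
            f"Call-ID: {call_id}@example.com\r\n"
            "CSeq: 1 REGISTER\r\n"
            "Expires: 3600\r\n"
            "Content-Length: 0\r\n\r\n")


def hijack_demo():
    """Alice's phone registers twice, then an attacker re-registers her AOR."""
    mon = RegistrationMonitor()
    alice = "sip:alice@example.com"
    return [
        mon.observe("10.1.110.3", register(alice, "sip:alice@10.1.110.3:5060", "a1")),
        mon.observe("10.1.110.3", register(alice, "sip:alice@10.1.110.3:5060", "a2")),
        mon.observe("10.1.10.99", register(alice, "sip:alice@10.1.10.99:5060", "x1")),
    ]


if __name__ == "__main__":
    for result in hijack_demo():
        print(result)
```

The second registration from the phone itself produces no alert, because neither the Contact nor the source changed; only the third message, a different Contact from a different host, is flagged.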
Using VLANs
(Figure: an IP phone (10.1.110.3) in voice VLAN 110 and a desktop PC (171.1.1.1) in data VLAN 10, both behind the phone on switch port 5/1, which is an 802.1Q trunk.)
• Creates a separate broadcast domain for voice traffic
• Makes eavesdropping and tampering harder by keeping voice off the data VLAN
• Renders packet-sniffing tools on the data VLAN less effective
• Makes it easier to implement VACLs that are specific to voice traffic
Using Cisco ASA Adaptive Security Appliances
(Figure: a Cisco Adaptive Security Appliance between the voice network and the Internet, and another between sites across the WAN.)
• Ensure SIP, SCCP, H.323, and MGCP requests conform to standards
• Prevent inappropriate SIP methods from being sent to Cisco Unified Communications Manager
• Rate limit SIP requests
• Enforce policy of calls (whitelist, blacklist, caller/called party, SIP URI)
• Dynamically open ports for Cisco applications
• Enable only "registered phones" to make calls
• Enable inspection of encrypted phone calls
Using VPNs
(Figure: telephony servers at the central site connected over the IP WAN to a remote site with an SRST router.)
• Use IPsec for authentication
• Use IPsec to protect all traffic, not just voice
• Consider an SLA with the service provider
• Terminate on a VPN concentrator or large router inside the firewall to gain these benefits:
  • Performance
  • Reduced configuration complexity
  • Managed organizational boundaries
SAN Security Considerations
(Figure: servers on the IP network and LAN attached to a SAN.)
A SAN is a specialized network that enables fast, reliable access among servers and external storage res­ources.

SAN Transport Technologies
• Fibre Channel – the primary SAN transport for host-to-SAN connectivity
• iSCSI – maps SCSI over TCP/IP and is another host-to-SAN connectivity model
• FCIP – a popular SAN-to-SAN connectivity model

World Wide Name
• A 64-bit address that Fibre Channel networks use to uniquely identify each element in a Fibre Channel network
• Zoning can utilize WWNs to assign security permissions
• The WWN of a device is a user-configurable parameter, so a host can present a WWN it was never assigned; WWN-based zoning therefore cannot by itself stop a spoofed initiator, and zoning by physical switch port is the stronger choice where that matters.
(Figure: Cisco MDS 9020 Fabric Switch.)
Zoning Operation
• Zone members see only other members of the zone.
• Zones can be configured dynamically based on WWN.
• Devices can be members of more than one zone.
• Switched fabric zoning can take place at the port or device level: based on physical switch port, based on device WWN, or based on LUN ID.
(Figure: an example of zoning with Host1, Host2 and Disk1 to Disk4 spread across ZoneA, ZoneB and ZoneC. Note that devices can be members of more than one zone.)
Virtual Storage Area Network (VSAN)
(Figure: the Cisco MDS 9000 Family with VSAN service; physical SAN islands are virtualized onto a common SAN infrastructure.)

Security Focus
(Figure: a secure SAN covers SAN protocol and fabric access, IP storage access, target access, SAN management access, and data integrity and secrecy.)

SAN Management
Three main areas of vulnerability:
1. Disruption of switch processing
2. Compromised fabric stability
3. Compromised data integrity and confidentiality

Fabric and Target Access
Three main areas of focus:
• Application data integrity
• LUN integrity
• Application performance
VSANs
Relationship of VSANs to Zones
(Figure, physical topology: VSAN 2 contains Host1, Host2 and Disk1 to Disk4 in ZoneA, ZoneB and ZoneC; VSAN 3 contains Host3, Host4, Disk5 and Disk6 in its own ZoneA and ZoneD.)
Two VSANs, each with multiple zones. Disks and hosts are dedicated to VSANs, although both hosts and disks can belong to multiple zones within a single VSAN. They cannot, however, span VSANs.
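The following is an added example, not code from the slides or from Cisco: a Python model of the access rules stated on the zoning and VSAN slides (zone members see only other members of the zone, a device may belong to several zones, and neither devices nor zones span VSANs), with WWN validation. The topology loosely follows the VSAN 2 / VSAN 3 figure; the WWNs and the exact zone memberships are constructed.

```python
# Added example, not from the slides: a model of the rules stated on the zoning
# and VSAN slides (zone members see only other members of the zone, a device may
# belong to several zones, and neither devices nor zones span VSANs) with WWN
# validation. The topology loosely follows the VSAN 2 / VSAN 3 figure; the WWNs
# and exact zone memberships are constructed.


def parse_wwn(text):
    """Validate a 64-bit Fibre Channel WWN written as 8 colon-separated hex bytes."""
    parts = text.lower().split(":")
    if len(parts) != 8 or not all(len(p) == 2 for p in parts):
        raise ValueError(f"WWN must be 8 colon-separated bytes: {text!r}")
    return int("".join(parts), 16)        # raises ValueError on non-hex digits


class Fabric:
    def __init__(self):
        self.vsan_of = {}                 # WWN -> VSAN id; a device is in exactly one
        self.zones = {}                   # (vsan, zone name) -> set of member WWNs

    def add_device(self, wwn, vsan):
        parse_wwn(wwn)
        if self.vsan_of.get(wwn, vsan) != vsan:
            raise ValueError(f"{wwn} already belongs to VSAN {self.vsan_of[wwn]}")
        self.vsan_of[wwn] = vsan

    def add_zone(self, vsan, name, members):
        for wwn in members:
            if self.vsan_of.get(wwn) != vsan:
                raise ValueError(f"{wwn} is not in VSAN {vsan}: zones cannot span VSANs")
        self.zones[(vsan, name)] = set(members)

    def zones_of(self, wwn):
        """Member sets of every zone (in the device's own VSAN) containing the device."""
        vsan = self.vsan_of.get(wwn)
        return [m for (zv, _), m in self.zones.items() if zv == vsan and wwn in m]

    def can_access(self, initiator, target):
        """True only if both sit in the same VSAN and share at least one zone."""
        if self.vsan_of.get(initiator) != self.vsan_of.get(target):
            return False
        return any(target in members for members in self.zones_of(initiator))

    def visible_from(self, wwn):
        """Every device the given device can see: the union of its zones."""
        seen = set().union(*self.zones_of(wwn))
        seen.discard(wwn)
        return seen


# Constructed WWNs for the demo topology.
HOST1, HOST2, HOST3 = ("21:00:00:e0:8b:00:00:0%d" % i for i in (1, 2, 3))
DISK1, DISK2, DISK3, DISK4, DISK5 = ("50:06:01:60:00:00:00:0%d" % i for i in range(1, 6))


def build_example_fabric():
    fab = Fabric()
    for wwn in (HOST1, HOST2, DISK1, DISK2, DISK3, DISK4):
        fab.add_device(wwn, 2)
    for wwn in (HOST3, DISK5):
        fab.add_device(wwn, 3)
    fab.add_zone(2, "ZoneA", [HOST1, DISK1, DISK2])
    fab.add_zone(2, "ZoneB", [HOST2, DISK4])
    fab.add_zone(2, "ZoneC", [HOST1, HOST2, DISK3])   # Host1 sits in two zones
    fab.add_zone(3, "ZoneD", [HOST3, DISK5])
    return fab


def spanning_zone_rejected(fab):
    """A zone mixing VSAN 2 and VSAN 3 members must be refused."""
    try:
        fab.add_zone(2, "Bad", [HOST1, DISK5])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    fab = build_example_fabric()
    print("Host1 -> Disk1:", fab.can_access(HOST1, DISK1))   # same zone
    print("Host1 -> Disk4:", fab.can_access(HOST1, DISK4))   # no shared zone
    print("Host3 -> Disk1:", fab.can_access(HOST3, DISK1))   # different VSAN
    print("cross-VSAN zone rejected:", spanning_zone_rejected(fab))
```

Because the check keys on the WWN the initiator presents, the model also makes the earlier caveat concrete: a host that spoofs HOST1's WWN inherits HOST1's view of the fabric, which is why port-based zoning is preferred where initiators are not trusted.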
iSCSI and FCIP
• iSCSI leverages many of the security features inherent in Ethernet and IP:
  – ACLs are like Fibre Channel zones
  – VLANs are like Fibre Channel VSANs
  – 802.1X port security is like Fibre Channel port security
• FCIP security leverages many IP security features in Cisco IOS-based routers:
  – IPsec VPN connections through public carriers
  – High-speed encryption services in specialized hardware
  – Can be run through a firewall