CCNA Security 2.0 Study Material – Chapter 6: Securing the Local Area Network

Chapter Outline:

6.0 Introduction
6.1 Endpoint Security
6.2 Layer 2 Security Threats
6.3 Summary

Section 6.1: Endpoint Security

Upon completion of this section, you should be able to:

  • Describe endpoint security and the enabling technologies.
  • Explain how Cisco AMP is used to ensure endpoint security.
  • Explain how Cisco NAC authenticates and enforces the network security policy.

Topic 6.1.1: Introducing Endpoint Security

Securing LAN Elements

Traditional Endpoint Security

The Borderless Network

Securing Endpoints in the Borderless Network

Questions to answer after a malware attack:

  • Where did it come from?
  • What was the threat method and point of entry?
  • What systems were affected?
  • What did the threat do?
  • Can I stop the threat and identify its root cause?
  • How do we recover from it?
  • How do we prevent it from happening again?

Host-Based Protection:

  • Antivirus/Antimalware
  • Spam Filtering
  • URL Filtering
  • Blacklisting
  • Data Loss Prevention (DLP)

Modern Endpoint Security Solutions

Hardware and Software Encryption of Local Data

Topic 6.1.2: Antimalware Protection

Advanced Malware Protection

AMP and Managed Threat Defense

Talos teams gather real-time threat intelligence from a variety of sources:

  • 1.6 million deployed security devices, including firewall, IPS, web, and email appliances
  • 150 million endpoints

They then analyze this data:

  • 100 TB of security intelligence daily
  • 13 billion web requests per day
  • 35% of the world’s enterprise email traffic

AMP for Endpoints

  • AMP for Endpoints – Integrates with Cisco AMP for Networks to deliver comprehensive protection across extended networks and endpoints.
  • AMP for Networks – Provides a network-based solution and is integrated into dedicated Cisco ASA Firewall and Cisco FirePOWER network security appliances.
  • AMP for Content Security – An integrated feature in Cisco Cloud Web Security or Cisco Web and Email Security Appliances that protects against email- and web-based advanced malware attacks.

Topic 6.1.3: Email and Web Security

Securing Email and Web

Cisco Email Security Appliance

Features and benefits of Cisco Email Security solutions:

  • Global threat intelligence
  • Spam blocking
  • Advanced malware protection
  • Outbound message control

Cisco Web Security Appliance

Client Initiates Web Request

WSA Forwards Request

Reply Sent to WSA and Then To Client

Topic 6.1.4: Controlling Network Access

Cisco Network Admission Control

Cisco NAC Functions

Cisco NAC Components

Network Access for Guests

Three ways to grant sponsor permissions:

  • to only those accounts created by the sponsor
  • to all accounts
  • to no accounts (i.e., they cannot change any permissions)

Cisco NAC Profiler

Section 6.2: Layer 2 Security Considerations

Upon completion of this section, you should be able to:

  • Describe Layer 2 vulnerabilities.
  • Describe CAM table overflow attacks.
  • Configure port security to mitigate CAM table overflow attacks.
  • Configure VLAN trunk security to mitigate VLAN hopping attacks.
  • Implement DHCP Snooping to mitigate DHCP attacks.
  • Implement Dynamic ARP Inspection to mitigate ARP attacks.
  • Implement IP Source Guard to mitigate address spoofing attacks.

Topic 6.2.1: Layer 2 Security Threats

Describe Layer 2 Vulnerabilities

Switch Attack Categories

Topic 6.2.2: CAM Table Attacks

Basic Switch Operation

CAM Table Operation Example

CAM Table Attack

Intruder Runs Attack Tool

Fill CAM Table

Switch Floods All Traffic

Attacker Captures Traffic

CAM Table Attack Tools

Topic 6.2.3: Mitigating CAM Table Attacks

Countermeasure for CAM Table Attacks

Port Security

Enabling Port Security

Verifying Port Security

Port Security Options

Enabling Port Security Options

Setting the Maximum Number of MAC Addresses

Manually Configuring MAC Addresses

Learning Connected MAC Addresses Dynamically

Port Security Violations

Security Violation Modes:

  • Protect
  • Restrict
  • Shutdown

Port Security Aging

Port Security with IP Phones

SNMP MAC Address Notification

Topic 6.2.4: Mitigating VLAN Attacks

VLAN Hopping Attacks

VLAN Double-Tagging Attack

Step 1 – Double Tagging Attack

Step 2 – Double Tagging Attack

Step 3 – Double Tagging Attack

Mitigating VLAN Hopping Attacks

PVLAN Edge Feature

Verifying Protected Ports

Private VLANs

Topic 6.2.5: Mitigating DHCP Attacks

DHCP Spoofing Attack

DHCP Starvation Attack

Attacker Initiates a Starvation Attack

DHCP Server Offers Parameters

Client Requests all Offers

DHCP Server Acknowledges All Requests

Mitigating DHCP Attacks

With DHCP snooping enabled, the switch denies packets that match any of the following:

  • Unauthorized DHCP server messages from an untrusted port
  • Unauthorized DHCP client messages not adhering to the snooping binding table or rate limits
  • DHCP relay-agent packets that include option-82 information on an untrusted port
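As an added illustration that is not part of the study material, the following Python model applies the three filtering rules above to constructed packets and learns the snooping binding table from trusted server replies; the port names, message-type labels and table layout are assumptions of the example, not a Cisco data structure.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed model of the three DHCP snooping filtering rules (assumed layout).
SERVER_MSGS = {"OFFER", "ACK", "NAK"}
CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE"}


@dataclass
class DhcpPacket:
    port: str            # ingress switch port, e.g. "Fa0/3" (hypothetical name)
    client_mac: str      # DHCP chaddr field
    msg: str             # DHCP message type
    ip: str = "0.0.0.0"  # yiaddr for server messages, ciaddr for RELEASE/DECLINE
    option82: bool = False


@dataclass
class DhcpSnooping:
    trusted: set                          # ports facing the DHCP server or uplink
    rate_limit: int                       # max client packets accepted per untrusted port
    bindings: dict = field(default_factory=dict)                    # (ip, mac) -> port
    counts: dict = field(default_factory=lambda: defaultdict(int))  # port -> packets seen
    pending: dict = field(default_factory=dict)                     # mac -> port awaiting ACK

    def inspect(self, p):
        """Return 'forward' or a 'drop: <reason>' string for one packet."""
        is_trusted = p.port in self.trusted
        if not is_trusted:
            # Rule 1: only trusted ports may source server messages.
            if p.msg in SERVER_MSGS:
                return "drop: server message on untrusted port"
            # Rule 3: relay-agent (option-82) data must not arrive on untrusted ports.
            if p.option82:
                return "drop: option-82 on untrusted port"
            # Rule 2a: per-port rate limit on client messages.
            self.counts[p.port] += 1
            if self.counts[p.port] > self.rate_limit:
                return "drop: rate limit exceeded"
            # Rule 2b: RELEASE/DECLINE must come from the port that owns the binding.
            if p.msg in ("RELEASE", "DECLINE"):
                owner = self.bindings.get((p.ip, p.client_mac))
                if owner is not None and owner != p.port:
                    return "drop: binding owned by another port"
            self.pending[p.client_mac] = p.port
        elif p.msg == "ACK" and p.client_mac in self.pending:
            # A trusted ACK completes the lease: record the snooping binding.
            self.bindings[(p.ip, p.client_mac)] = self.pending.pop(p.client_mac)
        return "forward"
```

A real switch also ages bindings with the lease time and can verify that the frame's source MAC matches chaddr; both are omitted here to keep the three listed rules visible.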

Configuring DHCP Snooping

Configuring DHCP Snooping Example

DHCP Snooping Reference Topology

Configuring a Maximum Number of MAC Addresses

Verifying DHCP Snooping

Configuring a Maximum Number of MAC Addresses

Topic 6.2.6: Mitigating ARP Attacks

ARP Spoofing and ARP Poisoning Attack

Mitigating ARP Attacks

Dynamic ARP Inspection:

Configuring Dynamic ARP Inspection

Configuring DHCP Snooping Example

ARP Reference Topology

Configuring Dynamic ARP Inspection

Checking Source, Destination, and IP

Topic 6.2.7: Mitigating Address Spoofing Attacks

Address Spoofing Attack

Mitigating Address Spoofing Attacks

For each untrusted port, there are two possible levels of IP traffic security filtering:

  • Source IP address filter
  • Source IP and MAC address filter
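As an added example that is not part of the study material, this Python function shows how the two IP Source Guard filtering levels consult the DHCP snooping binding table for an untrusted port; the binding table contents and port names are constructed for the example.

```python
# Constructed binding table as DHCP snooping would have learned it:
# port -> set of (ip, mac) pairs bound to that port (assumed layout).
BINDINGS = {
    "Fa0/3": {("10.0.0.5", "aa:aa:aa:aa:aa:aa")},
    "Fa0/4": {("10.0.0.6", "bb:bb:bb:bb:bb:bb")},
}


def ipsg_permit(port, src_ip, src_mac, mode="ip"):
    """Return True if an IP frame passes IP Source Guard on an untrusted port.

    mode="ip"     : first level, source IP address filter only
    mode="ip-mac" : second level, source IP and MAC must both match one binding
    A port with no bindings passes nothing (DHCP itself is exempt on real
    switches; that exemption is left out of this model).
    """
    entries = BINDINGS.get(port, set())
    if mode == "ip":
        return any(ip == src_ip for ip, _ in entries)
    if mode == "ip-mac":
        return (src_ip, src_mac) in entries
    raise ValueError(f"unknown filter mode: {mode}")
```

On Cisco IOS the IP-and-MAC level additionally requires port security on the interface, because the MAC portion of the check is enforced through the secure MAC table.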

Configuring IP Source Guard

IP Source Guard Reference Topology

Configuring IP Source Guard

Checking IP Source Guard

Topic 6.2.8: Spanning Tree Protocol

Introduction to the Spanning Tree Protocol

Various Implementations of STP

STP Port Roles

STP Root Bridge

STP Path Cost

802.1D BPDU Frame Format

BPDU Propagation and Process

Extended System ID

Select the Root Bridge

Topic 6.2.9: Mitigating STP Attacks

STP Manipulation Attacks

Spoofing the Root Bridge

Successful STP Manipulation Attack

Mitigating STP Attacks

Configuring PortFast

Configuring BPDU Guard

Configuring Root Guard

Configuring Loop Guard

Section 6.3: Summary

Chapter Objectives:

  • Explain endpoint security.
  • Describe various types of endpoint security applications.
  • Describe Layer 2 vulnerabilities.

Download Slide PowerPoint (pptx): CCNASv2_InstructorPPT_CH6 (5.70 MB)
