Mod9-securing Mls Networks

CCNP3 v3 Module 9: Securing Multilayer Switched Networks

© 2002, Cisco Systems, Inc. All rights reserved.


Security This module adds new material to the CCNP 3 curriculum It contains two main areas: •Mechanisms for monitoring traffic in a multi-layer switched network •Securing devices in a multi-layer switched network.


Monitoring Network Performance with SPAN & VSPAN

Switch Port Analyser (SPAN) is a method of monitoring network traffic by copying source-port or VLAN-specific traffic to a destination port for analysis. SPAN can be used to monitor all network traffic, including:
• Multicast and bridge protocol data unit (BPDU) packets
• Cisco Discovery Protocol (CDP)
• VLAN Trunk Protocol (VTP)
• Dynamic Trunking Protocol (DTP)
• Spanning Tree Protocol (STP)
• Port Aggregation Protocol (PAgP) packets
SPAN does not affect the switching of network traffic on source ports.


Monitoring Network Performance with RSPAN

RSPAN is an implementation of SPAN designed to support source ports, source VLANs and destination ports across different switches. RSPAN uses reflector ports to reproduce traffic from source ports residing on different switches to the destination port. Like SPAN, RSPAN does not affect the switching of network traffic on source ports.
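As an added example (not part of the original Cisco module), the local SPAN session and the two halves of an RSPAN session in Catalyst IOS syntax; the interface numbers, RSPAN VLAN 900 and the session numbers are assumed values:

```cisco
! Local SPAN: copy everything received and sent on Fa0/1 to the analyser on Fa0/24.
! The source port keeps switching traffic normally; only the copy goes to Fa0/24.
monitor session 1 source interface FastEthernet0/1 both
monitor session 1 destination interface FastEthernet0/24

! RSPAN, source switch: received traffic on Fa0/5 is carried across the trunk in a
! dedicated RSPAN VLAN. Fa0/23 is the reflector port (an unused port that the
! older Catalyst syntax needs to loop the copied frames into the RSPAN VLAN).
vlan 900
 remote-span
!
monitor session 2 source interface FastEthernet0/5 rx
monitor session 2 destination remote vlan 900 reflector-port FastEthernet0/23

! RSPAN, destination switch: the same RSPAN VLAN is the source, and the copy is
! delivered to the NAM or protocol analyser attached to Gi0/1.
vlan 900
 remote-span
!
monitor session 2 source remote vlan 900
monitor session 2 destination interface GigabitEthernet0/1

! Verification on either switch
show monitor session 1
show monitor session 2
```

The RSPAN VLAN must exist on every switch in the path and be allowed on the trunks between them, or the copied traffic is silently dropped; the reflector port carries only RSPAN frames and should have nothing attached.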


Modules for Improving Network Performance

Extra data flow generated by monitored traffic puts additional load on a network's switching bandwidth. The trend towards integrating time-sensitive Voice over IP and interactive multimedia services into data networks further exacerbates the situation. These issues have been addressed by the introduction of two modules for the 6500 series chassis:
• The Network Analysis Module (NAM), containing features that allow it to store and analyze multiple monitored traffic streams in real time
• The Switch Fabric Module (SFM), designed to address the requirement for increased switching bandwidth


The Network Analysis Module

The NAM is a LAN monitoring solution that should be deployed at LAN aggregation points where it has visibility of critical traffic and virtual LANs (VLANs). The NAM provides remote monitoring functions based on RMON and RMON2 Management Information Bases (MIBs). It uses switched port analyser (SPAN) or remote SPAN (RSPAN) to accept data from physical ports and VLANs. It simultaneously monitors multiple switch ports or VLANs and provides separate RMON/RMON2 statistics for each data source.


The Switch Fabric Module

The Catalyst 6500 Series switch fabric module (SFM), in combination with the Supervisor Engine 2, delivers an increase in available system bandwidth from the default 32 Gbps on the forwarding bus to 256 Gbps. Key features:
• The Switch Fabric Module enables 30 Mpps Cisco Express Forwarding based central forwarding on Supervisor Engine 2
• The Switch Fabric Module enables up to 210 Mpps distributed forwarding on DFC-enabled switch fabric modules
• The Switch Fabric Module supports advanced services such as quality of service (QoS) and security in hardware via access control lists (ACLs)


Basic security Network security measures that were formerly handled by routers are now increasingly applicable for switches which combine components of layer 2 and 3 operation. Security policies can now be applied at the distribution layer and at the access layer within a switched / routed network. Most access policies will outline the following information: •Network device management issues such as physical security and access control •User access to the network •Traffic-flow policies •Route Filtering •All of these policies are increasingly enforceable at all levels of the switched network


Basic security Other key topics in Basic Security: •Physical security •Out-of-band management •In-band management •Passwords and password encryption


Controlling management traffic Access to in-band management sessions can be controlled and protected using these features: •Local user names options •VLANs •Access Control Lists (ACLs) •Web-interface options •Secure shell (SSH) session encryption •Local user name options (can be used in combinations) •username name secret encryptedpassword •username name nopassword •username name privilege level •username name user-maxlinks number •username name access-class ACL-number © 2002, Cisco Systems, Inc. All rights reserved.


Controlling management traffic VLANs Management traffic should have its own VLAN (I.e. the management VLAN defined in the switch / router should not be shared with user traffic) Access Control Lists (ACLs) Standard or extended access lists can be used to limit which hosts can source sessions to VTY lines Web interface Enabled using ip http server ip http port port-number can be used to change the TCP port on which the switch / router listens for browser requests (default 80) ip http access-class ACL-number can be used to bind a standard access list to the http server process, limiting which hosts can source sessions to the web management interface. © 2002, Cisco Systems, Inc. All rights reserved.


Encrypting Communications Using Secure Shell

Because Telnet packets are transmitted in clear text, these packets can be captured and their contents easily read. It is recommended that SSH encryption be configured as a minimum for securing in-band management traffic where possible.

SSH ‘public/private key pairs’ for asymmetric encryption: The administrator generates a key pair on the SSH server (switch/router). One half of the pair is ‘public’ and is openly shared. Public keys can only be used to encrypt for transmission to the matching private key. The other half is ‘private’ and is kept secret by the SSH server. Private keys can only decrypt packets from the matching public key. The administrator opens an SSH session to the SSH server, is ‘offered’ a copy of the server’s public key, and can now send information that only the SSH server can read.
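The management-traffic controls from the three preceding slides (management VLAN, VTY and HTTP access lists, local user names and SSH) combined into one Catalyst IOS configuration, as an added example that is not from the original module; the hostname, domain name, VLAN 99, the 10.99.0.0/24 management subnet, ACL 10 and the credentials are assumed values:

```cisco
! Dedicated management VLAN and SVI; user VLANs are kept separate
vlan 99
 name MGMT
!
interface Vlan99
 ip address 10.99.0.2 255.255.255.0
!
! Only hosts on the management subnet may source management sessions;
! rejected attempts are logged
access-list 10 permit 10.99.0.0 0.0.0.255
access-list 10 deny any log
!
! Local user with a one-way hashed password (secret, not password) and a
! privilege level, as listed under the local user name options
username admin privilege 15 secret S3cretPass!
!
! SSH prerequisites: hostname and domain name are needed before the RSA key
! pair (the server's public/private halves) can be generated
hostname DSW1
ip domain-name example.lab
crypto key generate rsa modulus 2048
ip ssh version 2
!
! VTY lines: bind ACL 10, authenticate against the local user database and
! accept SSH only, so Telnet's clear-text sessions are refused outright
line vty 0 15
 access-class 10 in
 login local
 transport input ssh
 exec-timeout 10 0
!
! Web interface: disabled here; if it is needed, bind the same ACL to it
no ip http server
! ip http server
! ip http access-class 10
!
! Obscure any remaining plain-text passwords in the running configuration
service password-encryption
```

Check the result with show ip ssh and show line vty 0 15; service password-encryption only reversibly obscures legacy passwords, which is why the username above uses secret.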


Controlling user traffic User traffic can be controlled using: •Virtual LANs •Port security •Protected ports and private VLANs •Access Control Lists (ACLs)


Controlling user traffic The port security feature can be used to restrict input to an interface •Uses MAC address information to control traffic Protected ports and private VLANs control traffic within a switch •Protected ports and private VLANs are conceptually the same •Protected ports provides L2 isolation between ports in the same VLAN (protected ports can not forward traffic to each other) •Protected ports can communication normally with non-protected ports •ACLs can be deployed to control management sessions for remote control of the switch. The switch supports: •Port ACLs access-control traffic entering a Layer 2 interface. •Router ACLs access-control routed traffic between VLANs and are applied to Layer 3 interfaces. •VLAN ACLs or VLAN maps access-control all packets (bridged and routed). © 2002, Cisco Systems, Inc. All rights reserved.


AAA, CiscoSecure ACS, RADIUS and TACACS+

AAA provides services for Authentication, Authorization and Accounting.

The CiscoSecure Access Control Server (ACS) is specialized security software that runs on Windows 2000.
• The CiscoSecure ACS software uses either the TACACS+ or the RADIUS protocol to provide network security and tracking.

TACACS+ is a security application used with AAA and CiscoSecure ACS that provides centralized validation of users attempting to gain access to a router or network access server.
• Cisco proprietary protocol
• More granular information and control than RADIUS

RADIUS is a distributed client/server system used with AAA that secures networks against unauthorized access.
• Open standard protocol


802.1x Port-Based Authentication

The IEEE 802.1X standard defines a client-server-based access control and authentication protocol. With 802.1X port-based authentication, the devices in the network have specific roles:
• Client—the device (workstation) that requests access to the LAN and switch services and responds to requests from the switch.
• Authentication server—performs the actual authentication of the client. Because the switch acts as the proxy, the authentication service is transparent to the client.
• Switch (edge switch or wireless access point)—controls the physical access to the network based on the authentication status of the client, requesting identity information from the authentication server.
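An added example (not from the original module) that ties the AAA slide and the 802.1X slide together: TACACS+ for device-administration logins (the more granular option) and RADIUS for 802.1X port authentication, with the switch as authenticator. The server addresses, shared keys and interface numbers are assumed values:

```cisco
! Enable the AAA framework; without this the aaa commands below are rejected
aaa new-model
!
! Servers (e.g. CiscoSecure ACS): TACACS+ for switch logins, RADIUS for 802.1X.
! Addresses and keys are constructed for this example.
tacacs-server host 10.99.0.51 key TacacsSharedKey
radius-server host 10.99.0.50 auth-port 1812 acct-port 1813 key RadiusSharedKey
!
! Device administration: authenticate and authorize against TACACS+, falling
! back to the local user database only if the server is unreachable
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
!
! 802.1X: the switch relays EAP between client and RADIUS server and records
! session start/stop for accounting
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
! Turn the authenticator on globally, then on each user-facing access port.
! Uplinks and trunks keep the default (force-authorized) and are not listed.
dot1x system-auth-control
!
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 20
 dot1x port-control auto
 dot1x timeout quiet-period 30
 dot1x max-req 2
!
! Verification
show dot1x interface FastEthernet0/3
show aaa servers
```

With port-control auto the port forwards only EAPOL until the RADIUS server accepts the client; keep a console login path that does not depend on the servers so a lost server link does not lock administrators out.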

