Module 7: Secure Network Architecture and Management
PDF created with pdfFactory trial version www.pdffactory.com
Overview
Layer 2 Security Best Practices
Factors affecting layer 2 mitigation techniques
• An example of case #1 could be a small business network using a broadband connection behind a DSL router or firewall. An example of case #8 could be a large application service provider data center. These cases are discussed in further detail in the following sections.
1. Single security zone, one user group, single physical switch
• An example of such a design would be a switch within a network DMZ created between an edge router and a corporate firewall, as shown in the figure. In this design all systems within the security zone are on the same VLAN.
• Vulnerabilities: the primary Layer 2 vulnerabilities in this design include the following:
– MAC spoofing
– CAM table overflow
1. Single security zone, one user group, single physical switch
• Mitigation: port security may be administratively appropriate in this case because of the limited size of the design. The Layer 2 switches are part of the security perimeter between the zones of trust and should be managed as securely as possible, including the use of SSH for command-line management, Simple Network Management Protocol Version 3 (SNMPv3) for remote management, configuration audits, and regular penetration testing of each VLAN using tools capable of exploiting Layer 2 vulnerabilities such as Dsniff.
• An equally effective and less administratively taxing approach would be to use dynamic port security through the application of DHCP snooping and Dynamic ARP Inspection.
Extra: Mitigating CAM Table Overflow Attacks
• You can mitigate CAM table overflow attacks in several ways. One of the primary ways is to configure port security on the switch. You can apply port security in three ways:
– Static secure MAC addresses
– Dynamic secure MAC addresses
– Sticky secure MAC addresses
Extra: Mitigating CAM Table Overflow Attacks
• The type of action taken when a port security violation occurs falls into the following three categories:
– Protect: if the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until a number of secure MAC addresses are removed or the number of allowable addresses is increased. You receive no notification of the security violation in this mode.
– Restrict: if the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until some number of secure MAC addresses are removed or the maximum number of allowable addresses is increased. In this mode, a security notification is sent to the Simple Network Management Protocol (SNMP) server (if configured) and a syslog message is logged. The violation counter is also incremented.
– Shutdown: if a port security violation occurs, the interface changes to error-disabled and the LED is turned off. It sends an SNMP trap, logs a syslog message, and increments the violation counter.
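The difference between the three violation modes is easiest to see by running the same frame stream through each of them. The following Python simulation is an added example, not switch code or material from the course: the per-port secure-MAC table, the frame stream, the MAC addresses and the maximum of two secure addresses are all constructed here, and the notification list stands in for the SNMP trap and syslog message the text describes.

```python
"""Simulation of one switch port under port security in the three violation
modes (protect / restrict / shutdown).  Added teaching example; the frames,
MAC addresses and limits are constructed, not taken from a real switch."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    max_secure: int                                   # switchport port-security maximum N
    mode: str                                         # "protect", "restrict" or "shutdown"
    secure_macs: set = field(default_factory=set)     # dynamically learned secure MACs
    violations: int = 0                               # violation counter
    err_disabled: bool = False                        # set by shutdown mode
    notifications: list = field(default_factory=list) # stand-in for SNMP trap / syslog

    def ingress(self, src_mac: str) -> str:
        """Return 'forward' or 'drop' for a frame arriving with source src_mac."""
        if self.err_disabled:
            return "drop"                     # an err-disabled port passes nothing
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.max_secure:
            self.secure_macs.add(src_mac)     # dynamic learning until the limit is hit
            return "forward"
        # Limit reached and the source is unknown: a port-security violation.
        if self.mode == "protect":
            return "drop"                     # silently dropped: no counter, no notification
        if self.mode == "restrict":
            self.violations += 1
            self.notifications.append(f"restrict: violation from {src_mac}")
            return "drop"
        if self.mode == "shutdown":
            self.violations += 1
            self.err_disabled = True
            self.notifications.append(f"shutdown: port err-disabled by {src_mac}")
            return "drop"
        raise ValueError(f"unknown violation mode {self.mode!r}")


def flood_port(mode: str, max_secure: int, frames: list) -> dict:
    """Replay a list of source MACs against a fresh port and summarise the outcome."""
    port = SecurePort(max_secure=max_secure, mode=mode)
    decisions = [port.ingress(mac) for mac in frames]
    return {
        "forwarded": decisions.count("forward"),
        "dropped": decisions.count("drop"),
        "learned": len(port.secure_macs),
        "violations": port.violations,
        "err_disabled": port.err_disabled,
        "notifications": len(port.notifications),
    }


# Constructed frame stream: two legitimate hosts, a burst of random source MACs
# of the kind a CAM-table flooding tool produces, then the legitimate hosts again.
LEGIT = ["00:11:22:33:44:01", "00:11:22:33:44:02"]
FLOOD = [f"de:ad:be:ef:00:{i:02x}" for i in range(10)]
FRAMES = LEGIT + FLOOD + LEGIT

if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        print(mode, flood_port(mode, max_secure=2, frames=FRAMES))
```

In every mode the flood never grows the port's table beyond max_secure entries, which is what removes the CAM table overflow. The modes differ in what the operator learns and in collateral damage: protect hides the event entirely, restrict records and reports every violating frame while the two legitimate hosts keep working, and shutdown reports once but also takes the legitimate hosts offline until the port is recovered from the error-disabled state.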
Extra: Using dynamic ARP inspection to mitigate MAC spoofing attacks
2. Single security zone, one user group, multiple physical switches
• This can be represented by a very large DMZ, or a DMZ with multiple VLANs all existing within a single security zone of trust. Additionally, this could also be represented as a Layer 3 switch within the DMZ to provide inter-VLAN routing.
• Vulnerabilities: the primary Layer 2 vulnerabilities of this design include the following:
– MAC spoofing
– CAM table overflow
– VLAN hopping
– Spanning tree attacks, in networks with multiple switches
2. Single security zone, one user group, multiple physical switches
• Mitigation: if the security zone is small enough, use port security to help mitigate the CAM table overflow vulnerability as well as the MAC spoofing vulnerability. BPDU guard and root guard can be used to mitigate attacks against the Spanning Tree Protocol (STP).
• The Layer 2 switches are part of the security perimeter between zones of trust and should be managed as securely as possible, including the use of SSH for command-line management, SNMPv3 for remote management, configuration audits, and regular penetration testing of each VLAN using tools capable of exploiting Layer 2 vulnerabilities such as Dsniff.
Extra: Mitigating VLAN Hopping Attacks
• Mitigating VLAN hopping attacks requires the following configuration modifications:
– Always use dedicated VLAN IDs for all trunk ports.
– Disable all unused ports and place them in an unused VLAN.
– Set all user ports to nontrunking mode by disabling DTP. Use the switchport mode access command in interface configuration mode.
– For backbone switch-to-switch connections, explicitly configure trunking.
– Do not use the user native VLAN as the trunk port native VLAN.
– Do not use VLAN 1 as the switch management VLAN.
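A checklist like this is something an administrator can test a saved configuration against rather than apply by eye. The following Python audit is an added example and is not part of the course or of any Cisco tool. The configuration it inspects is a constructed IOS-style snippet; treating a port carrying shutdown as "unused", and an ip address on interface Vlan1 as "VLAN 1 used for management", are assumptions of the example. It covers the dedicated-native-VLAN, unused-port, DTP and management-VLAN items of the list (a trunk is recognised only by an explicit switchport mode trunk line).

```python
"""Audit an IOS-style switch configuration against the VLAN hopping checklist.
Added example; the sample configuration below is constructed, not real."""
import re

SAMPLE_CONFIG = """
hostname SW-DMZ-1
!
interface Vlan1
 ip address 10.0.0.2 255.255.255.0
!
interface FastEthernet0/1
 description user port
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/2
 description user port, DTP left enabled
 switchport access vlan 10
 switchport mode dynamic desirable
!
interface FastEthernet0/3
 description unused, still in VLAN 1
 shutdown
!
interface FastEthernet0/4
 description unused, parked in an unused VLAN
 switchport access vlan 999
 switchport mode access
 shutdown
!
interface GigabitEthernet0/1
 description uplink, native VLAN collides with user VLAN
 switchport trunk native vlan 10
 switchport mode trunk
!
interface GigabitEthernet0/2
 description uplink, native VLAN left at default
 switchport mode trunk
!
"""


def parse_interfaces(config: str) -> dict:
    """Parse the interface sections of a running-config into {name: settings}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            # IOS defaults: access VLAN 1, native VLAN 1, port up, DTP negotiating
            interfaces[current] = {"mode": None, "access_vlan": 1, "native_vlan": 1,
                                   "shutdown": False, "ip_address": None}
        elif line == "!":
            current = None
        elif current is not None:
            s = interfaces[current]
            if m := re.match(r"switchport mode (access|trunk|dynamic \w+)$", line):
                s["mode"] = m.group(1)
            elif m := re.match(r"switchport access vlan (\d+)$", line):
                s["access_vlan"] = int(m.group(1))
            elif m := re.match(r"switchport trunk native vlan (\d+)$", line):
                s["native_vlan"] = int(m.group(1))
            elif line == "shutdown":
                s["shutdown"] = True
            elif line.startswith("ip address "):
                s["ip_address"] = line.split()[2]
    return interfaces


def audit_vlan_hopping(config: str) -> list:
    """Return (interface, finding) pairs for each checklist item the config violates."""
    ifaces = parse_interfaces(config)
    # VLANs carrying live user traffic: access VLANs of active, non-trunk physical ports
    user_vlans = {s["access_vlan"] for n, s in ifaces.items()
                  if not n.startswith("Vlan") and not s["shutdown"] and s["mode"] != "trunk"}
    findings = []
    for name, s in ifaces.items():
        if name.startswith("Vlan"):
            if name == "Vlan1" and s["ip_address"]:          # assumption: SVI with IP = management
                findings.append((name, "VLAN 1 is used as the switch management VLAN"))
        elif s["mode"] == "trunk":
            if s["native_vlan"] == 1:
                findings.append((name, "trunk native VLAN left at default VLAN 1; use a dedicated VLAN ID"))
            elif s["native_vlan"] in user_vlans:
                findings.append((name, f"trunk native VLAN {s['native_vlan']} is also a user VLAN"))
        elif s["shutdown"]:                                   # assumption: shutdown marks an unused port
            if s["access_vlan"] == 1 or s["access_vlan"] in user_vlans:
                findings.append((name, f"unused port is shut down but still in VLAN {s['access_vlan']}"))
        elif s["mode"] != "access":
            findings.append((name, "DTP not disabled on user port; configure 'switchport mode access'"))
    return findings


if __name__ == "__main__":
    for iface, finding in audit_vlan_hopping(SAMPLE_CONFIG):
        print(f"{iface}: {finding}")
```

On the sample configuration the audit flags five interfaces: the management SVI on VLAN 1, the user port still negotiating DTP, the shut-down port left in VLAN 1, the trunk whose native VLAN is the user VLAN 10, and the trunk whose native VLAN was never set. FastEthernet0/4 passes because it is both shut down and parked in a VLAN no active port uses.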
3. Single security zone, multiple user groups, single physical switch
• A typical example of such a design would be an application service provider data center, or different departments within a single corporate enterprise that require data segregation.
• Vulnerabilities: the primary Layer 2 vulnerabilities of this design include the following:
– MAC spoofing
– CAM table overflow
– VLAN hopping
3. Single security zone, multiple user groups, single physical switch
• Mitigation: if the security zone is small enough, use port security to help mitigate the CAM table overflow vulnerability as well as the MAC spoofing vulnerability. Additionally, mitigation of VLAN hopping can be accomplished by using the following VLAN best practices as guidelines:
– Use dedicated VLAN IDs for all trunk ports.
– Disable all unused switch ports and place them in an unused VLAN.
– Set all user ports to non-trunking mode by explicitly turning off DTP on those ports.
4. Single security zone, multiple user groups, multiple physical switches
• This design represents one where high availability is a factor, as well as the need to trunk information between the switch devices. In addition, the direction of travel for the network traffic as determined through STP requires additional considerations when determining some of the more specific mitigation techniques. VLANs are used to provide traffic segmentation between the various user groups.
• Vulnerabilities: the primary Layer 2 vulnerabilities of this design include the following:
– MAC spoofing
– CAM table overflow
– VLAN hopping
– STP attacks
4. Single security zone, multiple user groups, multiple physical switches
• Mitigation: if the security zone is small enough, use port security to help mitigate the CAM table overflow vulnerability as well as the MAC spoofing vulnerability. Additionally, mitigation of VLAN hopping can be accomplished by following the VLAN best practices outlined in this module. If necessary, deploy 802.1x authentication to prevent unauthorized access to the security zone from an attacker who may physically connect to a switch in the design. As with the previous cases, the switches must be managed as securely as possible and tested on a regular basis.
5. Multiple security zones, one user group, single physical switch
• Vulnerabilities: the primary Layer 2 vulnerabilities of this design include the following:
– MAC spoofing, within VLANs
– CAM table overflow, through per-VLAN traffic flooding
– VLAN hopping
5. Multiple security zones, one user group, single physical switch
• Mitigation: if the security zones are small enough, use port security to help mitigate the CAM table overflow vulnerability as well as the MAC spoofing vulnerability. Additionally, mitigation of VLAN hopping can be accomplished by following the VLAN best practices outlined in this module. As with the previous cases, the switches must be managed as securely as possible and tested on a regular basis.
5. Multiple security zones, one user group, single physical switch
• In the design shown in the figure, another mitigation approach would be to split the Layer 2 functionality of the switch across two separate physical switches. If this is done, the mitigation techniques described in case #1 would apply to both distinct security zones.
• If private VLANs (PVLANs) are employed in any of the VLANs, consideration must be given to the possibility of private VLAN attacks. If the VLANs utilize DHCP for address assignment, then DHCP starvation by an attacker needs to be considered.
6. Multiple security zones, one user group, multiple physical switches
• This design, shown in the figure, represents a large data center within a single enterprise. However, the need to segregate traffic as well as data for various groups or departments within the enterprise is reflected by the separation of the data center into security zones. This can be accomplished securely through the use of VLANs within the data center; however, there are considerations which must be evaluated regarding some of the potential vulnerabilities.
• Vulnerabilities: the primary Layer 2 vulnerabilities of this design include the following:
– MAC spoofing, within VLANs
– CAM table overflow, through per-VLAN traffic flooding
– VLAN hopping
– STP attacks
6. Multiple security zones, one user group, multiple physical switches
• Mitigation: if the security zones are small enough, use port security to help mitigate CAM table overflow vulnerabilities as well as the MAC spoofing vulnerability. Additionally, mitigation of VLAN hopping can be accomplished by following the VLAN best practices outlined in this module. If necessary, deploy 802.1x authentication to prevent unauthorized access to each of the security zones from an attacker who may physically connect to a switch in the design. Another possible mitigation method would be to add a firewall within the design, or add a Layer 3 switch with an integrated firewall.
7. Multiple security zones, multiple user groups, single physical switch
• VLANs can be used to provide traffic segregation between the security zones.
• Vulnerabilities: the primary Layer 2 vulnerabilities of this design include the following:
– MAC spoofing, within VLANs
– CAM table overflow, through per-VLAN traffic flooding
– VLAN hopping
– Private VLAN attacks, on a per-VLAN basis
7. Multiple security zones, multiple user groups, single physical switch
• Mitigation: if the security zones are small enough, use port security to help mitigate CAM table overflow vulnerabilities as well as the MAC spoofing vulnerability. Additionally, mitigation of VLAN hopping can be accomplished by following the VLAN best practices outlined within this module. If necessary, deploy 802.1x authentication to prevent unauthorized access to each of the security zones from an attacker who may physically connect to a switch in the design. Another possible mitigation method would be to add a firewall within the data center design and integrate it into the central switch, similar to that employed in the previous design. The firewall enforces additional Layer 3 traffic segregation between the various user groups. As with the previous cases, the switches must be managed as securely as possible and tested on a regular basis.
8. Multiple security zones, multiple user groups, multiple physical switches
• VLANs can be used to provide traffic segregation between the security zones. The need to provide high security in some of the zones may require additional measures.
• Vulnerabilities: the primary Layer 2 vulnerabilities of this design include the following:
– MAC spoofing, within VLANs
– CAM table overflow, through per-VLAN traffic flooding
– VLAN hopping
– STP attacks
– VTP attacks
8. Multiple security zones, multiple user groups, multiple physical switches
• Mitigation: if the security zones are small enough, use port security to help mitigate CAM table overflow vulnerabilities as well as the MAC spoofing vulnerability. Additionally, mitigation of VLAN hopping can be accomplished by following the VLAN best practices outlined within this module. If necessary, deploy 802.1x authentication to prevent unauthorized access to each of the security zones from an attacker who may physically connect to a switch in the design. Another possible mitigation method would be to add a firewall within the data center design and integrate it into one or more of the switches, similar to that employed in the case #6 design. The firewall enforces additional Layer 3 traffic segregation between the various user groups. As with the previous cases, the switches must be managed as securely as possible and tested on a regular basis.
SDM Security Audit
Using SDM to perform security audits
• The SDM security audit feature compares router configurations to a predefined checklist of best practices based on ICSA and Cisco TAC recommendations.
Using SDM to perform security audits
• Security Audit contains two modes:
– Security Audit – Examines the router configuration, then displays the Report Card screen, which shows a list of possible security problems. The administrator can then pick and choose which vulnerabilities to lock down.
– One-step lockdown – Initiates the automatic lockdown using recommended settings.
Using SDM monitor mode
• The monitor function includes the following elements:
– Overview – Displays the router status, including a list of the error log entries.
– Interface Status – Used to select the interface to monitor and the conditions (for example, packets and errors, in or out) to view.
– Firewall Status – Displays a log showing the number of entry attempts that were denied by the firewall.
– VPN Status – Displays statistics about active VPN connections on the router.
– QoS Status – Displays statistics on Quality of Service (QoS) configured on the router.
– Logging – Displays an event log categorized by severity level.
Router Management Center (MC)
Introduction to the Router MC
• The CiscoWorks Router Management Center (Router MC), a component of the CiscoWorks VPN/Management Solution (VMS), provides scalable security management for the configuration and deployment of VPN connections. One of the greatest challenges in implementing large site-to-site and remote access VPNs is management. The primary role of the Router MC is to manage site-to-site VPNs.
Introduction to the Router MC
• The Router MC can be defined as follows:
– A Web-based application for the setup and maintenance of VPN connections using Cisco VPN Routers
– Centralizes the configuration of IKE and tunnel policies for multiple devices
– Scalable to a large number of VPN routers
– Router MC is a web-based application designed for large-scale management of virtual private network (VPN) and firewall configurations on Cisco routers. Router MC 1.2.1 provides the following features:
• Enables the setup and maintenance of VPN connections among multiple Cisco VPN routers, in a hub-and-spoke topology.
• Enables the provisioning of the critical connectivity, security, and performance parameters of a site-to-site VPN, quickly and easily.
• Allows for efficient migration from leased line connections to Internet or intranet-based VPN connections.
• Allows for the overlay of a VPN over a Frame Relay network for added security.
• Enables the configuration of Cisco IOS routers to function as firewalls.
Introduction to the Router MC
• Router MC is integrated with CiscoWorks Common Services, which supplies core server-side components required by Router MC, such as the Apache Web server, Secure Sockets Layer (SSL) libraries, Secure Shell (SSH) libraries, an embedded SQL database, the Tomcat servlet engine, the CiscoWorks desktop, and others.
Introduction to the Router MC
• Before installing Router MC 1.2.1, CiscoWorks Common Services 2.2 must be installed and operational.
• CiscoWorks Common Services provides centralized management of certain functions for all the CiscoWorks VMS products that are installed. These functions include:
– Backup and restore of data
– Integration with Access Control Server (ACS) or Common Management Framework (CMF) for user authentication and permissions
– Licensing
– Starting/stopping the database
– Logging of administration tasks
Key concepts in the Router MC
Supported tunneling technologies
• The Router MC supports the following tunneling technologies:
– IPSec
– IPSec with GRE
– IPSec with GRE over a frame relay network
– IPSec with GRE and DMVPN
– Dynamic Multipoint VPN (DMVPN) combines GRE tunnels.
Router MC installation
• The Router MC requires VMS 2.1 Common Services or CiscoWorks 2000. VMS Common Services provides the CiscoWorks 2000 Server-based components, software libraries, and software packages developed for the Router MC.
Router MC installation
• Before beginning the installation of the Router MC, verify that the server meets the requirements shown in Figure 1.
• Also, verify that the client machine being used meets the requirements shown in Figure 2.
Installation process
Getting started with the Router MC
• Log in to the CiscoWorks Web page and complete the following steps to launch the Router MC:
– Open a browser and point it to the IP address of the CiscoWorks server with a port number of 1741. If the CiscoWorks server is local, type the following address in the browser: http://127.0.0.1:1741
– If this is the first time that CiscoWorks has been used, enter the username admin and the password admin.
Router MC interface
• The Router MC main window is the first window that is encountered in the Router MC user interface. The Router MC user interface contains four tabs, as shown in the figure:
– Devices
– Configuration
– Deployment
– Reports
– Admin
Router MC interface
• The Router MC interface is the environment administrators work with when using the Router MC application.
Installation process
• The Devices tab, shown in the figure, is used to import and manage the inventory of routers to be configured using the Router MC.
– Device hierarchy – Use this option to view the device hierarchy and to manage the routers within the hierarchy by creating device groups, moving or deleting devices/groups, editing router parameters, and adding unmanaged spokes.
– Device import – Use this option to import the routers to be configured into Router MC, and to re-import routers when necessary.
– Credentials – Use this option to edit router credentials or synchronize the credentials of multiple routers from a comma-separated value (CSV) file. Device credentials include the username, password, and enable password.
Installation process
• Use the options in the Configuration tab, shown in the figure, to configure VPN and firewall settings and policies for deployment to the routers. Settings and policies can be configured globally for all routers, for groups of routers, or for individual routers.
Installation process
• Select the configuration context using the Object Selector, shown in the figure along the left-hand side of the page.
Installation process
• Deployment of VPN and firewall configurations is always done within the context of a deployment job, shown in the figure.
Installation process
• The Deployment tab offers the administrator the options shown in the figure.
Installation process
• The Reports tab, shown in the figure, is used to view reports on various Router MC functions. This tab presents the following options:
– Deployment
– Activities
– Audit
– Hub-Spoke Assignment
Installation process
• Administrators use the Admin tab, shown in the figure, to define various Router MC application settings and to define Auto Update Server (AUS) settings. This tab presents the following options:
– Application Settings
– Auto Update Server Settings
Basic work flow and tasks
• Common configuration tasks include:
– Configuring general Cisco IOS Firewall settings
– Building access rules
– Using Building Blocks
– Using Upload
Simple Network Management Protocol (SNMP)
SNMP introduction
• Another technique that the administrator can use to manage and monitor the network is to employ the Simple Network Management Protocol (SNMP). SNMP is an application-layer protocol that facilitates the exchange of management information between network devices. It is part of the TCP/IP protocol suite. SNMP enables network administrators to manage network performance, find and solve network problems, and plan for network growth. SNMP can be used to manage Cisco routers, switches, wireless access points, firewalls, printers, servers and other SNMP-capable devices.
SNMP introduction
• There are 3 versions of SNMP, as shown in the figure. SNMPv1 and SNMPv2 have features in common, but SNMPv2 offers enhancements, such as additional protocol operations. SNMPv3 adds administration and security features. This section provides descriptions of the SNMPv3 protocol operations. Cisco recommends disabling SNMP if it is not in use, or otherwise using version 3.
SNMP introduction
• SNMP Key Terms: in order to understand SNMP support in Cisco devices, it is important to understand the SNMP-related terminology discussed in the figure.
SNMP introduction
• SNMP Basic Components: an SNMP-managed network consists of three key components:
– Managed devices
– Agents
– Network management systems (NMSs)
Extra: Components of SNMP
SNMP introduction
• An NMS executes applications that monitor and control managed devices. NMSs provide the bulk of the processing and memory resources required for network management. One or more NMSs must exist on any managed network. SNMP management applications, such as CiscoWorks2000, communicate with agents to get statistics and alerts from the managed devices.
SNMP introduction
• SNMP Basic Commands: managed devices are monitored and controlled using basic SNMP commands, as shown in the figure:
– The read command is used by an NMS to monitor managed devices. The NMS examines different variables that are maintained by managed devices.
– The write command is used by an NMS to control managed devices. The NMS changes the values of variables stored within managed devices.
– Managed devices use the trap command to asynchronously report events to the NMS. When certain types of events occur, a managed device sends a trap to the NMS.
– Traversal operations are used by the NMS to determine which variables a managed device supports and to sequentially gather information in variable tables, such as a routing table.
Extra: SNMP Notifications
Extra: SNMPv1
Extra: SNMPv2
SNMP security
• SNMP is often used to gather statistics and remotely monitor network infrastructure devices. It is a simple protocol which contains inadequate security in early versions.
• In SNMPv1, community strings, or passwords, are sent in clear text and can easily be stolen by someone eavesdropping on the wire.
– These community strings are used to authenticate messages sent between the SNMP manager and the agent.
• SNMPv2 addresses some of the known security weaknesses of SNMPv1. Specifically, version 2 uses the MD5 algorithm to authenticate messages between the SNMP server and the agent.
Extra: SNMP security
SNMP security
• SNMPv1 lacks any authentication capabilities, which results in vulnerability to a variety of security threats. These include the following:
– Masquerading
– Modification of information
– Message sequence and timing modifications
– Disclosure
SNMP Version 3 (SNMPv3)
• SNMPv3 is an interoperable standards-based protocol for network management. SNMPv3 provides secure access to devices by a combination of authenticating and encrypting packets over the network. The security features provided in SNMPv3 are:
– Message integrity – Ensuring that a packet has not been tampered with in transit.
– Authentication – Determining that the message is from a valid source.
– Encryption – Scrambling the contents of a packet to prevent it from being seen by an unauthorized source.
Extra: SNMPv3
• Data integrity – Provided by the MD5 message digest algorithm. A 128-bit digest is calculated over the designated portion of an SNMPv3 message and included as part of the message sent to the recipient.
• Data origin authentication – Provided by prefixing each message with a secret value shared by the originator of that message and its intended recipient before digesting.
• Message delay or replay – Protection is provided by including a timestamp value in each message.
• Data confidentiality – Provided by the symmetric privacy protocol, which encrypts an appropriate portion of the message according to a secret key known only to the originator and recipient of the message. This protocol is used in conjunction with the symmetric encryption algorithm, in cipher block chaining mode, which is part of the Data Encryption Standard (DES). The designated portion of an SNMPv3 message is encrypted and included as part of the message sent to the recipient.
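The integrity, origin-authentication and replay items above can be shown end to end with a keyed digest and a timestamp check. The following Python is an added example, not code from the course or from any SNMP implementation. It uses HMAC-MD5 truncated to 96 bits, which is the construction the SNMPv3 User-based Security Model actually specifies, rather than the simplified "prefix the secret and digest" description in the slide; the JSON-encoded dictionary stands in for the message's designated portion, the shared key and clock values are constructed, and the 150-second acceptance window follows the USM timeliness check. The DES-CBC confidentiality step is left out because the standard library provides no DES.

```python
"""Keyed-digest authentication and replay window in the style of SNMPv3 USM.
Added example with constructed keys, clock values and payloads."""
import hashlib
import hmac
import json

AUTH_KEY = b"constructed-demo-auth-key"   # shared secret; USM derives it from a user password
TIME_WINDOW = 150                          # seconds; USM timeliness window


def _designated_portion(body: dict) -> bytes:
    """Canonical encoding of the part of the message the digest covers."""
    return json.dumps(body, sort_keys=True).encode()


def protect(payload: dict, secret: bytes, now: int) -> dict:
    """Attach a timestamp and a 96-bit HMAC-MD5 tag to an outgoing message."""
    body = {"timestamp": now, "payload": payload}
    tag = hmac.new(secret, _designated_portion(body), hashlib.md5).digest()[:12]
    return {**body, "auth": tag.hex()}


def verify(message: dict, secret: bytes, now: int) -> str:
    """Return 'ok', or the reason the receiver rejects the message."""
    received = message.get("auth")
    if received is None:
        return "rejected: no authentication tag"
    body = {k: v for k, v in message.items() if k != "auth"}
    expected = hmac.new(secret, _designated_portion(body), hashlib.md5).digest()[:12].hex()
    # Authentication is checked first: a forged or modified message must not even
    # get as far as the timeliness check.
    if not hmac.compare_digest(expected, received):
        return "rejected: authentication failure (wrong key or modified message)"
    if abs(now - message["timestamp"]) > TIME_WINDOW:
        return "rejected: not in time window (delayed or replayed)"
    return "ok"


def demo() -> dict:
    """Run a genuine, a tampered, a wrong-key and a replayed message through verify()."""
    t0 = 1_700_000_000                      # constructed sender clock value
    msg = protect({"op": "get", "oid": "1.3.6.1.2.1.1.5.0"}, AUTH_KEY, t0)
    tampered = dict(msg)
    tampered["payload"] = {"op": "set", "oid": "1.3.6.1.2.1.1.5.0"}   # body changed, tag kept
    return {
        "genuine": verify(msg, AUTH_KEY, t0 + 5),
        "tampered": verify(tampered, AUTH_KEY, t0 + 5),
        "wrong_key": verify(msg, b"other-secret", t0 + 5),
        "replayed": verify(msg, AUTH_KEY, t0 + 600),        # same message, far outside the window
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The tampered message fails because the digest covers the timestamp and payload together, the wrong-key message fails because the tag depends on the shared secret, and the replayed message carries a valid tag but an old timestamp, which is exactly the gap the timestamp is there to close.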
SNMP Version 3 (SNMPv3)
• Cisco devices such as routers and switches support SNMPv3 message types and the increased security capabilities, but many management software applications do not support SNMPv3.
SNMP Version 3 (SNMPv3)
• Applications which support version 3 include MG-Soft MIB Browser and SNMP Research International's CiAgent or Enterpol. HP OpenView can support version 3 with the help of SNMP Research International extensions.
SNMP management applications
• SNMP is a distributed management protocol. A system can operate exclusively as either an NMS or an agent, or it can perform the functions of both. When a system operates as both an NMS and an agent, another NMS might require that the system query managed devices and provide a summary of the information learned, or that it report locally stored management information.
SNMP management applications
• CiscoView is a graphical SNMP-based device management tool that provides real-time views of networked Cisco devices. These views deliver a continuously updated physical picture of device configuration and performance conditions, with simultaneous views available for multiple device sessions. Additionally, CiscoView is designed for integration with leading network management platforms, such as HP OpenView Network Node Manager, to provide seamless and powerful methods of managing Cisco devices such as routers, switches, hubs, concentrators, and adapters.
Configure SNMP support on an IOS router •
•
•
SNMP can form the backbone of a network monitoring system as well as be an important tool for network security. There are 4 basic tasks to configure IOS SNMPv3. – Configure SNMP-Server EngineID – Configure SNMP-Server Group Names – Configure SNMP-Server Hosts – Configure SNMP-Server Users To display information about SNMP commands, use one of the following commands in EXEC mode : – show snmp engineID [local | remote] – show snmp groups – show snmp user Other: (config)# logging on 80
Configure SNMP support on a PIX Security Appliance
• SNMP Example: In the figure, the NMS uses a Get operation to request management information contained in an agent on host 172.18.0.15. Within the Get request, the NMS includes a complete Object Identifier (OID) so that the agent knows exactly what is being sought. The response from the agent contains a variable binding containing the same OID and the data associated with it. The NMS then uses a Set request to tell the agent to change a piece of information. In an unrelated communication, host 172.16.0.2 sends a trap to the NMS because some urgent condition has occurred.
Configure SNMP support on a PIX Security Appliance
• Enable SNMP: The SNMP agent that runs on the PIX Security Appliance performs two functions:
– Replies to SNMP requests from NMSs.
– Sends traps to NMSs.
• To enable the SNMP agent and identify an NMS that can connect to the PIX Security Appliance, follow these steps:
• Step 1: Identify the IP address of the NMS that can connect to the PIX Security Appliance with the snmp-server host interface_name ip_address [trap | poll] [community text] [version 1 | 2c] [udp-port port] global configuration command. Specify trap or poll to limit the NMS to receiving traps only or browsing only. By default, the NMS can use both functions. SNMP traps are sent on UDP port 162 by default. The port number can be changed by using the udp-port keyword.
Configure SNMP support on a PIX Security Appliance
• Step 2: Specify the community string with the snmp-server community key global configuration command. The SNMP community string is a shared secret between the PIX Security Appliance and the NMS. The key is a case-sensitive value up to 32 characters in length. Spaces are not permitted.
• Step 3 (Optional): Set the SNMP server location or contact information with the snmp-server {contact | location} text global configuration command.
• Step 4: Enable the PIX Security Appliance to send traps to the NMS with the snmp-server enable [traps [all | feature [trap1] [trap2]] [...]] global configuration command. By default, SNMP core traps are enabled. If a trap type is not entered in the command, syslog is the default. To enable or disable all traps, enter the all option. For snmp, each trap type can be identified separately.
Configure SNMP support on a PIX Security Appliance
• Step 5: Enable system messages to be sent as traps to the NMS with the logging history level global configuration command. Syslog traps must also be enabled using the preceding snmp-server enable traps command.
• Step 6: Enable logging, so system messages are generated and can then be sent to an NMS, with the logging enable global configuration command.
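Steps 1 through 6 together on a PIX Security Appliance, as an added configuration example that is not from the course slides, in the 7.x command syntax the slides quote. The interface name `inside`, the NMS address 10.1.1.50, the community string and the contact and location text are constructed placeholders.

```cisco
! Added example (not from the course): the six PIX SNMP steps as one configuration.
! Interface name, address, community string, contact and location are placeholders.
!
! Step 1: one NMS, reached through the inside interface. No trap/poll keyword means
! it may both browse and receive traps; traps go to UDP 162 unless udp-port is set.
snmp-server host inside 10.1.1.50 community N3tMon-Secret version 2c
!
! Step 2: the community string is the shared secret (case-sensitive, max 32 chars,
! no spaces). It travels in clear text, so the host line above is what limits who
! may use it; pick a value that is not "public"/"private".
snmp-server community N3tMon-Secret
!
! Step 3 (optional): contact and location the NMS will display for this device.
snmp-server location Datacenter-1 Rack-12
snmp-server contact netops@example.com
!
! Step 4: core SNMP traps named explicitly, plus syslog traps. The "authentication"
! trap fires on requests with a wrong community string, which is worth alerting on.
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
!
! Step 5: which system messages are forwarded as traps (informational = level 6,
! i.e. everything at severity 6 and more severe).
logging history informational
!
! Step 6: without this, no system messages are generated, so steps 4 and 5 do nothing.
logging enable
```

The step 5 level controls trap volume: `logging history informational` sends a great deal; start at `warnings` or `errors` on a busy appliance and widen it once the NMS is known to cope. Use `show snmp-server` and `show logging` to confirm the host, community and history level took effect.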
Summary
• Upon completing this lesson, the student will be able to recommend an appropriate approach to threat mitigation for network topologies containing either single or multiple switches. The student will also be able to discuss the use of the SDM Security Audit wizard to provide a comprehensive router security audit.
• The enterprise management of VPNs was discussed. One of the greatest challenges to implementing large-scale Site-to-Site and Remote Access VPNs is management. The primary role of the Router MC is to manage Site-to-Site VPNs. The key topics associated with VPNs were explored, to give the student a broad understanding of how Router MC operates to better manage large-scale VPNs.
• Finally, the student learned about SNMP. The student learned how SNMP enables network administrators to manage network performance, find and solve network problems, and plan for network growth. The student learned how SNMP, although simple, can be used effectively to assist the administrator in monitoring the network through its information gathering capabilities.