Lesson 10 - Securing The LAN

Uploaded by Gemma Tsotetsi

Chapter 6:

Securing the Local Area Network

CCNA Security v2.0


Chapter Outline
6.0 Introduction
6.1 Endpoint Security
6.2 Layer 2 Security Threats
6.3 Summary

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Section 6.1:
Endpoint Security
Upon completion of this section, you should be able to:
• Describe endpoint security and the enabling technologies.

• Explain how Cisco AMP is used to ensure endpoint security.

• Explain how Cisco NAC authenticates and enforces the network security policy.

Topic 6.1.1:
Introducing Endpoint Security

Securing LAN Elements

Traditional Endpoint Security

The Borderless Network

Securing Endpoints in the Borderless Network
Post malware attack questions:
• Where did it come from?
• What was the threat method and point of entry?
• What systems were affected?
• What did the threat do?
• Can I stop the threat and root cause?
• How do we recover from it?
• How do we prevent it from happening again?

Host-Based Protection:
• Antivirus/Antimalware
• SPAM Filtering
• URL Filtering
• Blacklisting
• Data Loss Prevention (DLP)

Modern Endpoint Security Solutions

Hardware and Software Encryption of Local Data

Topic 6.1.2:
Antimalware Protection

Advanced Malware Protection

AMP and Managed Threat Defense

Talos teams gather real-time threat intelligence from a variety of sources:
• 1.6 million deployed security devices, including firewall, IPS, web, and email appliances
• 150 million endpoints

They then analyze this data:
• 100 TB of security intelligence daily
• 13 billion web requests per day
• 35% of the world’s enterprise email traffic

AMP for Endpoints

• AMP for Endpoints - AMP for Endpoints integrates with Cisco AMP for
Networks to deliver comprehensive protection across extended networks and
endpoints.
• AMP for Networks - Provides a network-based solution and is integrated
into dedicated Cisco ASA Firewall and Cisco FirePOWER network security
appliances.
• AMP for Content Security – This is an integrated feature in Cisco Cloud
Web Security or Cisco Web and Email Security Appliances to protect against
email and web-based advanced malware attacks.

Topic 6.1.3:
Email and Web Security

Securing Email and Web

Cisco Email Security Appliance
Features and benefits of Cisco Email Security solutions:
• Global threat intelligence
• Spam blocking
• Advanced malware protection
• Outbound message control

Cisco Web Security Appliance

Client Initiates Web Request

WSA Forwards Request

Reply Sent to WSA and Then to Client

Topic 6.1.4:
Controlling Network Access

Cisco Network Admission Control

Cisco NAC Functions

Cisco NAC Components

Network Access for Guests
Three ways to grant sponsor permissions:
• to only those accounts created by the sponsor

• to all accounts

• to no accounts (i.e., they cannot change any permissions)

Cisco NAC Profiler

Section 6.2:
Layer 2 Security Considerations
Upon completion of the section, you should be able to:
• Describe Layer 2 vulnerabilities.
• Describe CAM table overflow attacks.
• Configure port security to mitigate CAM table overflow attacks.
• Configure VLAN trunk security to mitigate VLAN hopping attacks.
• Implement DHCP Snooping to mitigate DHCP attacks.
• Implement Dynamic ARP Inspection to mitigate ARP attacks.
• Implement IP Source Guard to mitigate address spoofing attacks.


Topic 6.2.1:
Layer 2 Security Threats

Describe Layer 2 Vulnerabilities

Switch Attack Categories

Topic 6.2.2:
CAM Table Attacks

Basic Switch Operation

CAM Table Operation Example

CAM Table Attack

Intruder Runs Attack Tool

Fill CAM Table

CAM Table Attack

Switch Floods All Traffic

Attacker Captures Traffic

CAM Table Attack Tools

Topic 6.2.3:
Mitigating CAM Table Attacks

Countermeasure for CAM Table Attacks

Port Security

Enabling Port Security

Verifying Port Security

Port Security Options

Enabling Port Security Options

Setting the Maximum Number of MAC Addresses

Manually Configuring MAC Addresses

Learning Connected MAC Addresses Dynamically

Port Security Violations

Security Violation Modes:
• Protect
• Restrict
• Shutdown

Port Security Aging

Port Security with IP Phones

SNMP MAC Address Notification

Topic 6.2.4:
Mitigating VLAN Attacks

VLAN Hopping Attacks

VLAN Double-Tagging Attack

Step 1 – Double Tagging Attack

Step 2 – Double Tagging Attack

Step 3 – Double Tagging Attack

Mitigating VLAN Hopping Attacks

Mitigating VLAN Hopping Attacks

PVLAN Edge Feature

Verifying Protected Ports

Topic 6.2.5:
Mitigating DHCP Attacks

DHCP Spoofing Attack

DHCP Starvation Attack
Attacker Initiates a Starvation Attack

DHCP Server Offers Parameters

DHCP Starvation Attack
Client Requests all Offers

DHCP Server Acknowledges All Requests

Mitigating DHCP Attacks
With DHCP snooping enabled, the switch will deny packets containing specific information:
• Unauthorized DHCP server messages from an untrusted port
• Unauthorized DHCP client messages not adhering to the snooping binding table or rate limits
• DHCP relay-agent packets that include option-82 information on an untrusted port

Configuring DHCP Snooping

Configuring DHCP Snooping Example
DHCP Snooping Reference Topology

Configuring a Maximum Number of MAC Addresses

Configuring DHCP Snooping Example
Verifying DHCP Snooping

Configuring a Maximum Number of MAC Addresses

Topic 6.2.6:
Mitigating ARP Attacks

ARP Spoofing and ARP Poisoning Attack

Mitigating ARP Attacks
Dynamic ARP Inspection:

Configuring Dynamic ARP Inspection

Configuring Dynamic ARP Inspection Example

ARP Reference Topology

Configuring Dynamic ARP Inspection

Configuring Dynamic ARP Inspection Example
Checking Source, Destination, and IP

Topic 6.2.7:
Mitigating Address Spoofing Attacks

Address Spoofing Attack

Mitigating Address Spoofing Attacks
For each untrusted port, there are two possible levels of IP traffic security filtering:
• Source IP address filter

• Source IP and MAC address filter
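
The DHCP snooping deny rules listed under Mitigating DHCP Attacks and the two IP Source Guard filter levels listed here both rest on one data structure: the DHCP snooping binding table. The Python model below is an added example, not code from this deck or from Cisco IOS. It simulates how a switch decides which DHCP messages to forward on trusted versus untrusted ports, how a binding (MAC, IP, port) is learned from a trusted server's ACK, and how IP Source Guard then admits or drops IP traffic on an untrusted port using either the source IP filter or the source IP and MAC filter. The port names, MAC and IP addresses, rate limit and message layout are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Message types only a DHCP server sends; on an untrusted port they are dropped.
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


@dataclass
class DhcpMessage:
    port: str                      # switch port the frame arrived on (constructed names)
    kind: str                      # DISCOVER, OFFER, REQUEST, ACK, RELEASE, ...
    chaddr: str                    # client hardware address in the DHCP payload
    src_mac: str                   # Ethernet source MAC of the frame
    yiaddr: Optional[str] = None   # address handed out (OFFER/ACK only)
    option82: bool = False         # relay-agent information option present


@dataclass
class Switch:
    """Toy model of DHCP snooping plus IP Source Guard on one switch (constructed)."""
    trusted_ports: Set[str]
    rate_limit: int = 3            # client DHCP packets tolerated per untrusted port
    bindings: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # mac -> (ip, port)
    _client_port: Dict[str, str] = field(default_factory=dict)          # chaddr -> requesting port
    _seen: Dict[str, int] = field(default_factory=dict)                 # port -> client packets counted

    def snoop(self, m: DhcpMessage) -> str:
        """DHCP snooping decision: 'forward' or 'drop: <reason>'."""
        if m.port in self.trusted_ports:
            if m.kind == "ACK" and m.yiaddr and m.chaddr in self._client_port:
                # Lease confirmed by a trusted server: bind MAC and IP to the client's port.
                self.bindings[m.chaddr] = (m.yiaddr, self._client_port[m.chaddr])
            return "forward"
        # Everything below applies to untrusted (access) ports.
        if m.kind in SERVER_MESSAGES:
            return "drop: server message on untrusted port"
        if m.option82:
            return "drop: option-82 on untrusted port"
        self._seen[m.port] = self._seen.get(m.port, 0) + 1
        if self._seen[m.port] > self.rate_limit:
            return "drop: rate limit exceeded"
        if m.src_mac != m.chaddr:
            return "drop: frame source MAC does not match chaddr"
        if m.kind in ("RELEASE", "DECLINE"):
            bound = self.bindings.get(m.chaddr)
            if bound is None or bound[1] != m.port:
                return "drop: release/decline does not match binding table"
        self._client_port[m.chaddr] = m.port
        return "forward"

    def source_guard(self, port: str, src_ip: str, src_mac: str, mode: str = "ip") -> bool:
        """IP Source Guard: admit an IP packet on an untrusted port only if its source
        matches a binding learned on that same port.  mode 'ip' checks the source IP;
        'ip-mac' also requires the source MAC to match the bound MAC."""
        if mode not in ("ip", "ip-mac"):
            raise ValueError(f"unknown filter mode {mode!r}")
        if port in self.trusted_ports:
            return True
        for mac, (ip, bound_port) in self.bindings.items():
            if bound_port == port and ip == src_ip and (mode == "ip" or mac == src_mac):
                return True
        return False


def demo() -> Dict[str, object]:
    """Run constructed traffic through the model and collect each decision."""
    sw = Switch(trusted_ports={"Gi0/24"})   # Gi0/24 faces the real DHCP server
    client, server, rogue = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", "de:ad:be:ef:00:01"
    out: Dict[str, object] = {}
    # Legitimate lease: DISCOVER on an access port, ACK back through the trusted port.
    out["client discover"] = sw.snoop(DhcpMessage("Fa0/1", "DISCOVER", client, client))
    out["server ack"] = sw.snoop(DhcpMessage("Gi0/24", "ACK", client, server, yiaddr="10.0.0.10"))
    # Rogue server reply, relayed packet and forged chaddr, all arriving on access ports.
    out["rogue offer"] = sw.snoop(DhcpMessage("Fa0/2", "OFFER", client, rogue, yiaddr="10.0.0.99"))
    out["option-82 on access port"] = sw.snoop(DhcpMessage("Fa0/2", "DISCOVER", rogue, rogue, option82=True))
    out["forged chaddr"] = sw.snoop(DhcpMessage("Fa0/2", "DISCOVER", "02:00:00:00:00:aa", rogue))
    # Starvation-style burst: every DISCOVER uses a fresh MAC, so only the rate limit catches it.
    burst = [sw.snoop(DhcpMessage("Fa0/3", "DISCOVER", f"02:00:00:00:00:{i:02x}", f"02:00:00:00:00:{i:02x}"))
             for i in range(4)]
    out["burst first"], out["burst last"] = burst[0], burst[-1]
    # IP Source Guard on the port whose binding was learned above.
    out["ipsg valid"] = sw.source_guard("Fa0/1", "10.0.0.10", client)
    out["ipsg spoofed ip"] = sw.source_guard("Fa0/1", "10.0.0.77", client)
    out["ipsg spoofed mac, ip filter"] = sw.source_guard("Fa0/1", "10.0.0.10", rogue)
    out["ipsg spoofed mac, ip+mac filter"] = sw.source_guard("Fa0/1", "10.0.0.10", rogue, mode="ip-mac")
    out["ipsg binding on other port"] = sw.source_guard("Fa0/2", "10.0.0.10", client)
    return out


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label:34} -> {decision}")
```

The "spoofed mac, ip filter" case is the one to notice: a host that keeps its leased IP address but changes its MAC passes the source IP filter and is only caught by the source IP and MAC filter, which is why the stronger level is worth enabling on ports that also run port security. The model also shows that a binding is tied to the port it was learned on, so the same MAC and IP pair presented on another access port is dropped.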

Configuring IP Source Guard

IP Source Guard Reference Topology

Configuring IP Source Guard

Checking IP Source Guard

Topic 6.2.8:
Spanning Tree Protocol

Introduction to the Spanning Tree Protocol

Various Implementations of STP

STP Port Roles

STP Root Bridge

STP Path Cost

802.1D BPDU Frame Format

BPDU Propagation and Process

Extended System ID

Select the Root Bridge

Topic 6.2.9:
Mitigating STP Attacks

STP Manipulation Attacks

Spoofing the Root Bridge

Successful STP Manipulation Attack

Mitigating STP Attacks

Configuring PortFast

Configuring BPDU Guard

Configuring Root Guard

Configuring Loop Guard

Section 6.3:
Summary
Chapter Objectives:
• Explain endpoint security.

• Describe various types of endpoint security applications.

• Describe Layer 2 vulnerabilities.

Thank you.
