How to Teach It

CCNA Security
Chapter 6
Securing the LAN

1.01 (KEY IDEAS 01) – MEDIA: N/A
This module introduces Securing the LAN. Key concepts include:
1.   Addressing endpoint security to secure the LAN
2.   Types of application attacks
3.   Cisco Systems Endpoint Security solutions
4.   Layer 2 vulnerabilities
5.   Configuring port security
6.   BPDU Guard and Root Guard
7.   Monitoring using SPAN and RSPAN
8.   Enterprise Advanced Technology Security for Wireless, VoIP and SAN

Your Challenge As A Teacher In This Chapter Is To:
1. Describe the concept and function of endpoint security
2. Explain the types of application attacks
3. Discuss the various Cisco Endpoint Security Solutions
4. Describe the primary considerations for securing the Layer 2 infrastructure
5. Describe MAC address spoofing attacks and mitigation
6. Describe MAC address table overflow attacks and mitigation
7. Describe STP manipulation attacks and mitigation
8. Describe LAN storm attacks and mitigation
9. Describe VLAN attacks and mitigation
10. Describe port security configuration
11. Describe and/or demonstrate how to verify port security
12. Describe BPDU Guard and Root Guard configuration and verification
13. Describe and configure storm control and verify
14. Describe and configure SPAN and RSPAN
15. Describe best practices for Layer 2
16. Describe the fundamental aspects of enterprise security for advanced technologies
17. Describe the fundamental aspects of wireless security and the enabling technologies
18. Discuss the fundamental aspects of VoIP security and the enabling technologies
19. Describe VoIP security solutions
20. Describe the fundamental aspects of SAN security and the enabling technologies
21. Describe SAN security solutions

What are the Critical Concepts/Processes?
1. Describe endpoint security and the enabling technologies
2. Describe how Cisco IronPort is used to ensure endpoint security
3. Describe how Cisco NAC products are used to ensure endpoint security
4.  Describe how the Cisco Security Agent is used to ensure endpoint security
5.  Describe the primary considerations for securing the Layer 2 infrastructure
6.  Describe MAC address spoofing attacks and MAC address spoofing attack mitigation
7.  Describe MAC Address table overflow attacks and MAC Address table overflow attack mitigation
8.  Describe STP manipulation attacks and STP manipulation attack mitigation
9.  Describe LAN Storm attacks and LAN Storm attack mitigation
10. Describe VLAN attacks and VLAN attack mitigation
11. Describe how to configure port security
12. Describe how to verify port security
13. Describe how to configure and verify BPDU Guard and Root Guard
14. Describe how to configure and verify storm control
15. Describe and configure Cisco SPAN
16. Describe and configure Cisco RSPAN
17. Describe the best practices for Layer 2
18. Describe the fundamental aspects of enterprise security for advanced technologies
19. Describe the fundamental aspects of wireless security and the enabling technologies
20. Describe wireless security solutions
21. Describe the fundamental aspects of VoIP security and the enabling technologies (Reference: CIAG
    course on VoIP security)
22. Describe VoIP security solutions
23. Describe the fundamental aspects of SAN security and the enabling technologies
24. Describe SAN security solutions

1.04 (HOW TO TEACH 01) – MEDIA: N/A
The most important aspect of this lesson is for students to be able to experiment with, comprehend and
successfully implement techniques to secure LANs, including MAC address security, VLAN attack mitigation,
STP security, and wireless and VoIP protection. Have students break up into groups and investigate the
mitigation techniques for different security needs, including what the result of too much or too little
security would be for each item.

• Introduce the major chapter topics
• Provide an overview of each major topic in short 20-30 minute lectures
• Break the chapter up into six different areas
• Create student groups for each major area of the chapter:
  1. Endpoint security: have teams research IronPort devices and Cisco NAC (Network Admission Control)
  2. Layer 2 device access security
  3. Secure trunk and access ports
  4. BPDU Guard, Root Guard and storm control
  5. Capture switch traffic using SPAN and RSPAN
  6. Advanced technologies including Wireless, VoIP and SAN
• Plan activities that require students to experiment with the commands (see the Discussion and Classroom
  Activities section)
• Have the students share their findings

Securing the LAN

This chapter introduces several Cisco products aimed at securing the LAN. Since many attacks
originate inside the LAN, it is important to understand how best to implement security there. The
first part of the chapter introduces Cisco IronPort, Cisco NAC (Network Admission Control) and
Cisco Security Agent. Since these products are not available in the lab, they make good research
topics. It may be beneficial to point out how the IronPort C-Series collapses the MTA, AntiSpam,
AntiVirus, Policy and Mail Routing functions into a single device, while the IronPort S-Series
provides Web Control, collapsing Proxy, AntiSpyware, AntiVirus, AntiPhishing, URL Filtering and
Policy Management into one device. NAC is primarily used to enforce network security policy.
Depending on the class size, have the students break up into two-person teams to perform the labs;
this allows each student to configure a switch. The labs in this chapter deal mainly with Layer 2
security and with securing remote access to the devices. Several of the spanning-tree concepts are
likely to be new to students. Given the amount of material, it may be best to perform Parts 1 and 2
in one lab and the other two parts on another day; the labs are designed to save partial
configurations after Part 2. Make sure to stress the importance of not having anything assigned to
VLAN 1. The lab should also stress moving management off VLAN 1.
The last part of the chapter deals with wireless security, VoIP security and SAN security. Depending
on the equipment available, this is another area where it may be difficult to provide practical
experience. Some of the topics in the wireless section, such as war driving, could be demonstrated
in class. It is certainly worth discussing the various options for securing wireless, including the
use of VPNs. If Wireless LAN Controller equipment is available, this is a good time to demonstrate
how the controller and lightweight access points work. Potential VoIP threats that need to be
considered are another possible research topic. Because VoIP traffic is on the LAN, the need for
port security and device security to keep that traffic from being monitored becomes even more
apparent; once again, it may be necessary to carry VoIP traffic across a VPN.

Wireshark -
SuperScan4 –
Putty -

Chapter Commands
Switch(config)# ip ssh [timeout seconds]
Switch(config)# ip ssh [authentication-retries integer]
Switch(config-if)# switchport trunk native vlan vlan-id
Switch(config-if)# switchport nonegotiate
Switch(config-if)# storm-control broadcast level percent
Switch(config-if)# spanning-tree bpduguard enable
Switch(config-if)# switchport port-security
Switch(config)# monitor session [session-id] [source|destination] interface [interface-id]
Switch# show monitor [session-id]
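The chapter commands above, worked into one access-port lockdown so students can see how they combine. This is an added example, not configuration from the original guide or from the Cisco labs; the hostname, interface, VLAN and threshold values are assumed lab values.

```text
! Added example (not from the original guide): hardening one Catalyst access port.
! S1, FastEthernet0/5 and VLAN 10 are assumed lab values.
S1(config)# interface FastEthernet0/5
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 10
! Disable DTP so this port can never be negotiated into a trunk (VLAN hopping mitigation)
S1(config-if)# switchport nonegotiate
! Port security: allow at most 2 MAC addresses (PC plus IP phone), keep the learned
! addresses in the running config (sticky), and err-disable the port on a violation.
! This bounds both MAC spoofing and MAC table overflow from this port.
S1(config-if)# switchport port-security
S1(config-if)# switchport port-security maximum 2
S1(config-if)# switchport port-security mac-address sticky
S1(config-if)# switchport port-security violation shutdown
! Storm control: if broadcasts exceed 20% of port bandwidth, shut the port
S1(config-if)# storm-control broadcast level 20.00
S1(config-if)# storm-control action shutdown
S1(config-if)# end
! Verification: secure addresses learned, violation count, and storm-control state
S1# show port-security interface FastEthernet0/5
S1# show port-security address
S1# show storm-control FastEthernet0/5
! A port err-disabled by a violation needs shutdown / no shutdown to recover
S1# show interfaces status err-disabled
```

Have students plug a second, then a third, device into the port and compare the `show port-security` counters before and after the violation.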

Locking Down Switch Access
  • SSH for access to the switch
  • authentication, authorization, and accounting (AAA)
  • implementing port security

Password Best Practices
  • Password length should be long. The longer, the better. An acceptable length is 10 or
    more characters.
  • Passwords should be complex. Include a mix of upper and lowercase letters, numbers,
    symbols and spaces.
  • Avoid any password based on repetition, dictionary words, letter or number sequences,
    usernames, relative or pet names, or biographical information (e.g., birthdates, ID
    numbers, ancestor names, etc.).
  • Deliberately misspell a password. For example, Smith = Smyth = 5mYth or Security =
  • Change passwords often. This way, if a password is unknowingly compromised, the
    window of opportunity for the attacker to use the password is limited.
  • Do not write passwords down and leave them in obvious places such as on the desk or

What Is the Difference Between STP BPDU Guard and STP Root Guard?

On the Catalyst 2900XL, 3500XL, 2950, and 3550, configure switches with root guard in interface
configuration mode, as this example shows:

Hinda# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Hinda(config)# interface fastethernet 0/8
Hinda(config-if)# spanning-tree rootguard
Hinda(config-if)# ^Z
*Mar 15 20:15:16: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Rootguard enabled on port FastEthernet0/8 VLAN 1.^Z

BPDU guard and root guard are similar, but their impact is different. BPDU guard disables the port upon
BPDU reception if PortFast is enabled on the port. The disablement effectively denies devices behind
such ports from participation in STP. You must manually reenable the port that is put into errdisable state
or configure errdisable-timeout.

Root guard allows the device to participate in STP as long as the device does not try to become the root. If
root guard blocks the port, subsequent recovery is automatic. Recovery occurs as soon as the offending
device ceases to send superior BPDUs.
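The two guards placed where each belongs, plus the recovery behaviour the text describes, as an added example that is not from the original guide. It uses the current Catalyst IOS syntax (`spanning-tree guard root`) rather than the older XL-series `spanning-tree rootguard` shown above; interface numbers and the recovery interval are assumed.

```text
! Added example (not from the original guide). S1, Fa0/5, Gi0/1 are assumed.
! Edge port to a host: PortFast plus BPDU guard. A host port should never see a
! BPDU, so receiving one (a rogue switch or STP-speaking tool) err-disables the port.
S1(config)# interface FastEthernet0/5
S1(config-if)# spanning-tree portfast
S1(config-if)# spanning-tree bpduguard enable
S1(config-if)# exit
! Downlink to an access-layer switch that may run STP but must never become root:
! root guard keeps the port in STP and blocks it only while superior BPDUs arrive.
S1(config)# interface GigabitEthernet0/1
S1(config-if)# spanning-tree guard root
S1(config-if)# exit
! BPDU guard recovery is manual unless errdisable recovery is enabled; here a
! port disabled by BPDU guard is re-enabled automatically after 300 seconds.
S1(config)# errdisable recovery cause bpduguard
S1(config)# errdisable recovery interval 300
S1(config)# end
! Verification. Root guard shows the blocked port as root-inconsistent and clears
! on its own; BPDU guard shows the port as err-disabled until recovery.
S1# show spanning-tree inconsistentports
S1# show interfaces status err-disabled
S1# show errdisable recovery
```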
Additional Resources

Precautions for the Use of VLAN 1

The reason VLAN 1 became a special VLAN is that L2 devices needed to have a default VLAN to assign
to their ports, including their management port(s). In addition to that, many L2 protocols such as CDP,
PAgP, and VTP needed to be sent on a specific VLAN on trunk links. For all these purposes VLAN 1
was chosen.

As a consequence, VLAN 1 may sometimes end up unwisely spanning the entire network if not
appropriately pruned and, if its diameter is large enough, the risk of instability can increase significantly.
Besides, the practice of using a potentially omnipresent VLAN for management purposes puts trusted
devices at higher risk of security attacks from untrusted devices that, by misconfiguration or pure accident,
gain access to VLAN 1 and try to exploit this unexpected security hole.

To redeem VLAN 1 from its bad reputation, a simple common-sense security principle can be used: as a
generic security rule the network administrator should prune any VLAN, and in particular VLAN 1, from
all the ports where that VLAN is not strictly needed.

Therefore, with regard to VLAN 1, the above rule simply translates into the recommendations to:

• Not use VLAN 1 for inband management traffic and pick a different, specially dedicated VLAN that
keeps management traffic separate from user data and protocol traffic.

• Prune VLAN 1 from all the trunks and from all the access ports that don't require it (including not
connected and shutdown ports).

Similarly, the above rule applied to the management VLAN reads:

• Don't configure the management VLAN on any trunk or access port that doesn't require it (including
not connected and shutdown ports).

• For foolproof security, when feasible, prefer out-of-band management to inband management. (Refer
to [3] for a more detailed description of an out-of-band management infrastructure.)

As a general design rule it is desirable to "prune" unnecessary traffic from particular VLANs. For
example, it is often desirable to apply VLAN ACLs and/or IP filters to the traffic carried in the
management VLAN to prevent all telnet connections and allow only SSH sessions. Or it may be desirable
to apply QoS ACLs to rate limit the maximum amount of ping traffic allowed.

If VLANs other than VLAN 1 or the management VLAN represent a security concern, then automatic or
manual pruning should be applied as well. In particular, configuring VTP in transparent or off mode and
pruning VLANs manually is commonly considered the most effective way to exert stricter control over a
VLAN-based network.
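The VLAN 1 and management VLAN recommendations above, applied to one switch: management moved to a dedicated VLAN, VLAN 1 pruned from trunks and unused ports, VTP set to transparent, and the management VLAN reachable only over SSH. This is an added example and not configuration from the original guide; VLAN numbers, addresses and interface names are assumed lab values.

```text
! Added example (not from the original guide). VLAN 99/999, 192.0.2.0/24 and the
! interface names are assumed lab values.
! Manual VLAN control: no VTP server pushes VLANs onto this switch
S1(config)# vtp mode transparent
S1(config)# vlan 99
S1(config-vlan)# name MGMT
S1(config-vlan)# exit
! Management off VLAN 1: shut VLAN 1's SVI, put the address on the VLAN 99 SVI
S1(config)# interface Vlan1
S1(config-if)# no ip address
S1(config-if)# shutdown
S1(config)# interface Vlan99
S1(config-if)# ip address 192.0.2.10 255.255.255.0
S1(config-if)# no shutdown
! Trunk: unused native VLAN, DTP off, and only the VLANs it needs (VLAN 1 pruned)
S1(config)# interface GigabitEthernet0/1
S1(config-if)# switchport mode trunk
S1(config-if)# switchport trunk native vlan 999
S1(config-if)# switchport nonegotiate
S1(config-if)# switchport trunk allowed vlan 10,20,99
! Unused and not-connected ports: access mode, parked in a dead-end VLAN, shut down
S1(config)# interface range FastEthernet0/10 - 24
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 999
S1(config-if-range)# shutdown
! Management VLAN filtering: only SSH, and only from the admin subnet, reaches the CLI
S1(config)# ip access-list standard MGMT-HOSTS
S1(config-std-nacl)# permit 192.0.2.0 0.0.0.255
S1(config-std-nacl)# exit
S1(config)# line vty 0 15
S1(config-line)# access-class MGMT-HOSTS in
S1(config-line)# transport input ssh
S1(config-line)# end
! Verification: VLAN 1 should not appear on the trunk's allowed list
S1# show interfaces trunk
S1# show vlan brief
```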

   Safari
   Introduction to Storage Area Networks -
   Cisco Ironport Products