5.0 Security Fundamentals

Introduction to Networks v7.0 (ITN)
Key security concepts

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
Current State of Cybersecurity
Current State of Affairs
• Cyber criminals now have the expertise and tools necessary to take down critical infrastructure
and systems. Their tools and techniques continue to evolve.
• Maintaining a secure network ensures the safety of network users and protects commercial
interests. All users should be aware of security terms in the table.

Security Terms   Description

Assets           An asset is anything of value to the organization. It includes people, equipment, resources, and data.
Vulnerability    A vulnerability is a weakness in a system, or its design, that could be exploited by a threat.
Threat           A threat is a potential danger to a company’s assets, data, or network functionality.
Exploit          An exploit is a mechanism that takes advantage of a vulnerability.
Mitigation       Mitigation is the counter-measure that reduces the likelihood or severity of a potential threat or risk. Network security involves multiple mitigation techniques.
Risk             Risk is the likelihood of a threat to exploit the vulnerability of an asset, with the aim of negatively affecting an organization. Risk is measured using the probability of the occurrence of an event and its consequences.

5.1 LAN Security

LAN Security Attacks
Common LAN Attacks
• Common security solutions using routers, firewalls, Intrusion Prevention Systems (IPSs), and VPN devices protect Layer 3 up through Layer 7.
• Layer 2 must also be protected.
• Common Layer 2 attacks include:
    • CDP Reconnaissance Attack
    • Telnet Attacks
    • MAC Address Table Flooding Attack
    • VLAN Attacks
    • DHCP Attacks
LAN Security Attacks
CDP Reconnaissance Attack
• The Cisco Discovery Protocol (CDP) is a proprietary Layer 2 link discovery protocol, enabled by default.
• CDP can automatically discover other CDP-enabled devices.
• CDP information can be used by an attacker.
• Use the no cdp run global configuration command to disable CDP globally.
• Use the no cdp enable interface configuration command to disable CDP on a port.

LAN Security Attacks
Telnet Attacks
• There are two types of Telnet attacks:
    • Brute Force Password Attack - trial-and-error method used to obtain the administrative password.
    • Telnet DoS Attack - Attacker continuously requests Telnet connections in an attempt to render the Telnet service unavailable.
• To mitigate these attacks:
    • Use SSH.
    • Use strong passwords that are changed frequently.
    • Limit access to the vty lines using an access control list (ACL).
    • Use AAA with either TACACS+ or RADIUS protocols.
LAN Security Attacks
MAC Address Table Flooding Attack
• A common LAN switch attack is the MAC address table flooding attack.
    • An attacker sends fake source MAC addresses until the switch MAC address table is full and the switch is overwhelmed.
    • The switch is then in fail-open mode and broadcasts all frames, allowing the attacker to capture those frames.
• Configure port security to mitigate these attacks.

LAN Security Attacks
VLAN Attacks
• Switch spoofing attack - an example of a VLAN attack.
    • An attacker can gain VLAN access by configuring a host to spoof a switch and use the 802.1Q trunking protocol and DTP to trunk with the connecting switch.
• Methods to mitigate VLAN attacks:
    • Explicitly configure access links.
    • Disable auto trunking.
    • Manually enable trunk links.
    • Disable unused ports, make them access ports, and assign them to a black hole VLAN.
    • Change the default native VLAN.
    • Implement port security.
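The CDP, Telnet and VLAN mitigations on the slides above are all things you can check for in a switch's running-config. The following audit script is an added example (not Cisco course material or a Cisco tool): it parses an IOS-style configuration into blocks and flags CDP left enabled, vty lines that accept more than SSH or lack an access-class ACL, ports left in DTP negotiation, trunks without nonegotiate or still on native VLAN 1, and shut-down ports not forced into access mode. Both configurations embedded in it are constructed for illustration; the interface names, VLAN numbers and ACL name are assumptions.

```python
"""Audit an IOS-style switch config for the Layer 2 hardening settings discussed
in the slides. Added example, not Cisco code; the configs below are constructed."""

import re
from dataclasses import dataclass, field

# Constructed sample with several of the weaknesses the slides describe.
SAMPLE_CONFIG = """\
hostname S1
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
!
interface FastEthernet0/2
 switchport mode dynamic auto
!
interface FastEthernet0/3
 shutdown
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 1
 switchport nonegotiate
!
line vty 0 4
 transport input telnet ssh
 login local
!
"""

# The same switch after applying the slides' mitigations (VLAN 999 = assumed black hole VLAN).
HARDENED_CONFIG = """\
hostname S1
no cdp run
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
!
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 999
 shutdown
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 99
 switchport nonegotiate
!
line vty 0 4
 access-class VTY-MGMT in
 transport input ssh
 login local
!
"""

@dataclass
class Block:
    name: str                                   # unindented line, e.g. "interface FastEthernet0/1"
    lines: list = field(default_factory=list)   # its indented sub-commands

def parse_config(text):
    """Split the config into blocks: an unindented line plus the indented lines under it."""
    blocks, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw[0] in " \t" and current is not None:
            current.lines.append(raw.strip())
        else:
            current = Block(raw.strip())
            blocks.append(current)
    return blocks

def audit_interface(b):
    out = []
    mode_line = next((l for l in b.lines if l.startswith("switchport mode ")), None)
    mode = mode_line.split()[2] if mode_line else "dynamic"      # IOS default: dynamic auto
    if "shutdown" in b.lines:
        if mode != "access":                                      # unused ports: shut + access mode
            out.append((b.name, "unused-port-not-access"))
        return out
    if mode == "dynamic":
        out.append((b.name, "dtp-negotiation"))                   # switch spoofing is possible
    elif mode == "trunk":
        if "switchport nonegotiate" not in b.lines:
            out.append((b.name, "no-nonegotiate"))
        native = next((re.match(r"switchport trunk native vlan (\d+)", l) for l in b.lines
                       if l.startswith("switchport trunk native vlan")), None)
        if native is None or native.group(1) == "1":
            out.append((b.name, "native-vlan-default"))
    elif mode == "access" and "switchport port-security" not in b.lines:
        out.append((b.name, "no-port-security"))
    return out

def audit_vty(b):
    out = []
    if "transport input ssh" not in b.lines:
        out.append((b.name, "vty-not-ssh-only"))                  # Telnet still reachable
    if not any(l.startswith("access-class ") for l in b.lines):
        out.append((b.name, "vty-no-acl"))
    return out

def audit(text):
    """Return (scope, finding) pairs; an empty list means every check passed."""
    blocks = parse_config(text)
    findings = []
    if not any(b.name == "no cdp run" for b in blocks):
        findings.append(("global", "cdp-enabled"))               # CDP runs unless disabled
    for b in blocks:
        if b.name.startswith("interface "):
            findings.extend(audit_interface(b))
        elif b.name.startswith("line vty"):
            findings.extend(audit_vty(b))
    return findings

if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```

Running it prints one finding per weak line of SAMPLE_CONFIG and nothing for HARDENED_CONFIG. Trunk port security is not checked, matching the course's note that it is out of scope.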
LAN Security Attacks
DHCP Attacks
• DHCP spoofing attack - An attacker configures a fake DHCP server on the network to issue IP addresses to clients.
• DHCP starvation attack - An attacker floods the DHCP server with bogus DHCP requests and leases all of the available IP addresses. This results in a denial-of-service (DoS) attack as new clients cannot obtain an IP address.
• Methods to mitigate DHCP attacks:
    • Configure DHCP snooping
    • Configure port security

Configure Layer 2 security features

Implement Port Security
Enable Port Security
Port security is enabled with the switchport port-security interface configuration command.

Notice in the example, the switchport port-security command was rejected. This is because port security can only be configured on manually configured access ports or manually configured trunk ports. By default, Layer 2 switch ports are set to dynamic auto (trunking on). Therefore, in the example, the port is configured with the switchport mode access interface configuration command.

Note: Trunk port security is beyond the scope of this course.

Implement Port Security
Enable Port Security (Cont.)
Use the show port-security interface command to display the current port security settings for FastEthernet 0/1.
• Notice how port security is enabled, the violation mode is shutdown, and how the maximum number of MAC addresses is 1.
• If a device is connected to the port, the switch will automatically add the device’s MAC address as a secure MAC. In this example, no device is connected to the port.

Note: If an active port is configured with the switchport port-security command and more than one device is connected to that port, the port will transition to the error-disabled state.

Implement Port Security
Enable Port Security (Cont.)
After port security is enabled, other port security specifics can be configured, as shown in
the example.

Implement Port Security
Limit and Learn MAC Addresses
To set the maximum number of MAC addresses allowed on a port, use the following command:

Switch(config-if)# switchport port-security maximum value

• The default port security value is 1.
• The maximum number of secure MAC addresses that can be configured depends on the switch and the IOS.
• In this example, the maximum is 8192.
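To make the port-security behaviour described on the preceding slides concrete, here is an added model of a single switch port (example code, not Cisco's implementation): enabling port security is rejected while the port is still dynamic auto, the default maximum is 1 secure MAC, addresses are learned dynamically up to that maximum, and an extra device in shutdown mode puts the port into the error-disabled state, as the note above describes. The MAC addresses and the restrict-mode scenario are constructed for illustration.

```python
"""Model of IOS port security as described in the course slides.
Added example, not Cisco code; MAC addresses are constructed."""

from dataclasses import dataclass, field

@dataclass
class SwitchPort:
    name: str
    mode: str = "dynamic auto"        # IOS default on Layer 2 ports
    port_security: bool = False
    maximum: int = 1                  # default maximum of secure MAC addresses
    violation: str = "shutdown"       # shutdown (default) | restrict | protect
    secure_macs: list = field(default_factory=list)
    err_disabled: bool = False
    violation_count: int = 0

    def enable_port_security(self):
        """switchport port-security: rejected unless the port is a manually configured
        access or trunk port, as in the course example."""
        if self.mode not in ("access", "trunk"):
            return f"Command rejected: {self.name} is a dynamic port."
        self.port_security = True
        return "ok"

    def set_maximum(self, value):
        """switchport port-security maximum <value>."""
        if value < len(self.secure_macs):      # cannot go below what is already learned
            return "Command rejected"
        self.maximum = value
        return "ok"

    def receive_frame(self, src_mac):
        """Outcome for a frame arriving on the port: 'forward', 'drop' or 'err-disabled'."""
        if self.err_disabled:
            return "err-disabled"
        if not self.port_security or src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)   # dynamically learned secure MAC
            return "forward"
        # A new source MAC beyond the configured maximum is a violation.
        if self.violation == "shutdown":
            self.violation_count += 1
            self.err_disabled = True           # port transitions to error-disabled
            return "err-disabled"
        if self.violation == "restrict":
            self.violation_count += 1          # dropped and counted (logged on IOS)
        return "drop"                          # protect: dropped silently

def scenario_default():
    """Default settings (maximum 1, shutdown) with two devices behind the port."""
    port = SwitchPort("FastEthernet0/1")
    rejected = port.enable_port_security()     # still dynamic auto: rejected
    port.mode = "access"                       # switchport mode access
    port.enable_port_security()
    results = [port.receive_frame(m)
               for m in ("00aa.bb00.0001", "00aa.bb00.0001", "00aa.bb00.0002")]
    return rejected, results, port.err_disabled

def scenario_restrict():
    """Maximum raised to 2, violation mode restrict: third MAC dropped, port stays up."""
    port = SwitchPort("FastEthernet0/2", mode="access", violation="restrict")
    port.enable_port_security()
    port.set_maximum(2)
    results = [port.receive_frame(m)
               for m in ("00aa.bb00.0001", "00aa.bb00.0002", "00aa.bb00.0003")]
    return results, port.violation_count, port.err_disabled

if __name__ == "__main__":
    print(scenario_default())
    print(scenario_restrict())
```

In scenario_default the second device's first frame is enough to error-disable the port, which is why the course warns against enabling port security on an active port with several devices behind it.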

Mitigate DHCP Attacks
DHCP Snooping
DHCP snooping filters DHCP messages and rate-limits DHCP traffic on untrusted ports.
• Devices under administrative control (e.g., switches, routers, and servers) are trusted
sources.
• Trusted interfaces (e.g., trunk links, server ports) must be explicitly configured as
trusted.
• Devices outside the network and all access ports are generally treated as untrusted
sources.

A DHCP table is built that includes the source MAC address of a device on an untrusted
port and the IP address assigned by the DHCP server to that device.
• The MAC address and IP address are bound together.
• Therefore, this table is called the DHCP snooping binding table.

Mitigate DHCP Attacks
Steps to Implement DHCP Snooping
Use the following steps to enable DHCP snooping:
Step 1. Enable DHCP snooping by using the ip dhcp snooping global configuration command.
Step 2. On trusted ports, use the ip dhcp snooping trust interface configuration command.
Step 3. On untrusted interfaces, limit the number of DHCP discovery messages that can be received using the ip dhcp snooping limit rate packets-per-second interface configuration command.
Step 4. Enable DHCP snooping by VLAN, or by a range of VLANs, by using the ip dhcp snooping vlan global configuration command.

Mitigate DHCP Attacks
DHCP Snooping Configuration Example
Refer to the DHCP snooping sample topology with trusted and untrusted ports.

• DHCP snooping is first enabled on S1.
• The upstream interface to the DHCP server is explicitly trusted.
• F0/5 to F0/24 are untrusted and are, therefore, rate limited to six packets per second.
• Finally, DHCP snooping is enabled on VLANs 5, 10, 50, 51, and 52.
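The four configuration steps and the S1 example above describe what the switch does with each DHCP message once snooping is on. The following model is an added example (not Cisco's implementation) of that behaviour: server messages (OFFER/ACK/NAK) arriving on an untrusted port are dropped, untrusted ports are rate-limited and err-disabled when they exceed the limit, and an ACK relayed through the trusted uplink for a client on an untrusted port creates a binding-table entry. The packet sequence is constructed to match the slide's topology; the uplink name F0/1, client MACs, lease address and timestamps are assumptions.

```python
"""Model of DHCP snooping as configured in the course example.
Added example, not Cisco code; ports, MACs, addresses and timings are constructed."""

from collections import defaultdict, deque

class DhcpSnooping:
    SERVER_MSGS = {"OFFER", "ACK", "NAK"}       # only a DHCP server sends these

    def __init__(self, vlans, trusted_ports, rate_limit_pps):
        self.vlans = set(vlans)                  # ip dhcp snooping vlan ...
        self.trusted = set(trusted_ports)        # ip dhcp snooping trust
        self.rate_limit = rate_limit_pps         # ip dhcp snooping limit rate
        self.bindings = {}                       # (mac, vlan) -> (ip, client port)
        self.client_port = {}                    # (mac, vlan) -> untrusted port the client is on
        self.recent = defaultdict(deque)         # port -> DHCP packet timestamps in the last second
        self.dropped = []                        # (port, reason) for each dropped packet
        self.err_disabled = set()

    def process(self, pkt):
        """pkt keys: port, vlan, msg, mac, t (seconds); 'ip' is present in an ACK.
        Returns 'forward' or 'drop'."""
        port, vlan, msg = pkt["port"], pkt["vlan"], pkt["msg"]
        key = (pkt["mac"], vlan)
        if vlan not in self.vlans:
            return "forward"                     # snooping not enabled on this VLAN
        if port in self.err_disabled:
            return "drop"
        if port in self.trusted:
            if msg == "ACK" and key in self.client_port:
                # Server confirmed a lease for a client on an untrusted port: bind MAC to IP.
                self.bindings[key] = (pkt["ip"], self.client_port[key])
            return "forward"
        # Untrusted port from here on.
        if msg in self.SERVER_MSGS:
            self.dropped.append((port, msg))     # rogue DHCP server (spoofing attack)
            return "drop"
        window = self.recent[port]
        while window and pkt["t"] - window[0] >= 1.0:
            window.popleft()
        window.append(pkt["t"])
        if len(window) > self.rate_limit:
            self.err_disabled.add(port)          # IOS err-disables a port exceeding the rate
            self.dropped.append((port, "rate"))
            return "drop"
        self.client_port[key] = port
        return "forward"

def run_sample():
    """Constructed traffic: one normal lease, one rogue OFFER, one starvation burst."""
    snoop = DhcpSnooping(vlans=[5, 10, 50, 51, 52], trusted_ports=["F0/1"], rate_limit_pps=6)
    pkts = [
        {"port": "F0/5", "vlan": 10, "msg": "DISCOVER", "mac": "00aa.bb00.0005", "t": 0.0},
        {"port": "F0/1", "vlan": 10, "msg": "OFFER",    "mac": "00aa.bb00.0005", "t": 0.1},
        {"port": "F0/5", "vlan": 10, "msg": "REQUEST",  "mac": "00aa.bb00.0005", "t": 0.2},
        {"port": "F0/1", "vlan": 10, "msg": "ACK",      "mac": "00aa.bb00.0005",
         "ip": "10.10.0.5", "t": 0.3},
        {"port": "F0/7", "vlan": 10, "msg": "OFFER",    "mac": "00aa.bb00.0005", "t": 0.4},
    ]
    # Seven DISCOVERs with different MACs inside one second from F0/9 (limit is six).
    pkts += [{"port": "F0/9", "vlan": 10, "msg": "DISCOVER",
              "mac": f"00de.ad00.{i:04x}", "t": 1.0 + i / 10} for i in range(7)]
    results = [snoop.process(p) for p in pkts]
    return snoop, results

if __name__ == "__main__":
    snoop, results = run_sample()
    print(results)
    print("bindings:", snoop.bindings, "err-disabled:", snoop.err_disabled)
```

The binding table this builds is what show ip dhcp snooping binding displays on the real switch, and it is the same table Dynamic ARP Inspection later consults.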

Mitigate DHCP Attacks
DHCP Snooping Configuration Example (Cont.)
Use the show ip dhcp snooping privileged EXEC command to verify DHCP snooping settings.

Use the show ip dhcp snooping binding command to view the clients that have received DHCP information.

Note: DHCP snooping is also required by Dynamic ARP Inspection (DAI).

VPN

Internet VPNs can provide important security features, such as the following:
■ Confidentiality (privacy): Preventing anyone in the middle of the Internet from being able to read the data
■ Authentication: Verifying that the sender of the VPN packet is a legitimate device and not a device used by an attacker
■ Data integrity: Verifying that the packet was not changed as the packet transited the Internet
■ Anti-replay: Preventing a man in the middle from copying and later replaying the packets sent by a legitimate user, for the purpose of appearing to be a legitimate user

Site-to-Site VPNs with IPsec

VPN Flow steps
1. Host PC1 (10.2.2.2) on the right sends a packet to the web server (10.1.1.1), just as it would without a VPN.
2. The router encrypts the packet, adds some VPN headers, adds another IP header (with public IP addresses), and forwards the packet.
3. An attacker in the Internet copies the packet (called a man-in-the-middle attack). However, the attacker cannot change the packet without being noticed and cannot read the contents of the original packet.
4. Firewall FW1 receives the packet, confirms the authenticity of the sender, confirms that the packet has not been changed, and then decrypts the original packet.
5. Server S1 receives the unencrypted packet.
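The five flow steps and the four VPN properties listed earlier (confidentiality, authentication, data integrity, anti-replay) can be walked through in code. What follows is an added example, not Cisco or IPsec code: the router at PC1's site encrypts the inner packet, adds a VPN header carrying a sequence number and nonce plus an authentication tag, and wraps it in an outer header; FW1 verifies the tag (which covers both authentication and integrity), checks a 64-packet sliding anti-replay window like IPsec's default, and only then decrypts. To stay standard-library only, HMAC-SHA256 in counter mode stands in for ESP's AES as the keystream generator, which is an assumption of this example, not how a Cisco router encrypts; the keys, public addresses and packet contents are constructed.

```python
"""Site-to-site tunnel model: confidentiality, authentication, integrity, anti-replay.
Added example, not Cisco/IPsec code; keys and addresses are constructed."""

import hashlib
import hmac
import os
import struct

REPLAY_WINDOW = 64   # IPsec's default anti-replay window size, in packets

def keystream(key, nonce, length):
    """PRF in counter mode; stands in for ESP's AES so the example needs no extra library."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class TunnelEndpoint:
    """One end of the tunnel: the router at PC1's site, or firewall FW1."""

    def __init__(self, enc_key, auth_key, local_ip, peer_ip):
        self.enc_key, self.auth_key = enc_key, auth_key
        self.local_ip, self.peer_ip = local_ip, peer_ip
        self.send_seq = 0         # sequence number placed in each outgoing VPN header
        self.highest_seq = 0      # receive side: highest sequence accepted so far
        self.window = 0           # bitmap of already-seen sequences below highest_seq

    def encapsulate(self, inner_packet):
        """Step 2: encrypt, add VPN header (seq + nonce) and tag, add outer header."""
        self.send_seq += 1
        nonce = os.urandom(8)
        ciphertext = xor(inner_packet, keystream(self.enc_key, nonce, len(inner_packet)))
        vpn_header = struct.pack(">I", self.send_seq) + nonce
        tag = hmac.new(self.auth_key, vpn_header + ciphertext, hashlib.sha256).digest()[:16]
        outer_header = (self.local_ip.encode().ljust(16, b"\0")
                        + self.peer_ip.encode().ljust(16, b"\0"))   # public src/dst addresses
        return outer_header + vpn_header + ciphertext + tag

    def decapsulate(self, packet):
        """Step 4: confirm sender and integrity (tag), reject replays, then decrypt.
        Returns (status, inner_packet_or_None)."""
        body = packet[32:]
        vpn_header, ciphertext, tag = body[:12], body[12:-16], body[-16:]
        expected = hmac.new(self.auth_key, vpn_header + ciphertext, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expected):
            return "auth-failed", None       # forged, or modified in transit
        seq = struct.unpack(">I", vpn_header[:4])[0]
        if not self._accept_seq(seq):
            return "replayed", None          # a copy of a packet already accepted
        nonce = vpn_header[4:]
        return "ok", xor(ciphertext, keystream(self.enc_key, nonce, len(ciphertext)))

    def _accept_seq(self, seq):
        """Sliding-window check: bit i of self.window means highest_seq - i was seen."""
        if seq > self.highest_seq:
            shift = seq - self.highest_seq
            self.window = ((self.window << shift) | 1) & ((1 << REPLAY_WINDOW) - 1)
            self.highest_seq = seq
            return True
        diff = self.highest_seq - seq
        if diff >= REPLAY_WINDOW or (self.window >> diff) & 1:
            return False                     # too old to track, or already seen
        self.window |= 1 << diff
        return True

def demo():
    """The flow steps, plus an attacker tampering with and replaying the copied packet."""
    enc_key, auth_key = os.urandom(32), os.urandom(32)          # pre-shared for the example
    r1 = TunnelEndpoint(enc_key, auth_key, "203.0.113.2", "198.51.100.1")   # router at PC1's site
    fw1 = TunnelEndpoint(enc_key, auth_key, "198.51.100.1", "203.0.113.2")  # firewall FW1
    inner = b"src=10.2.2.2 dst=10.1.1.1 GET / HTTP/1.1"          # step 1: PC1 to the web server
    wire = r1.encapsulate(inner)                                # step 2
    status_ok, plain = fw1.decapsulate(wire)                    # step 4; step 5 receives `plain`
    # Step 3: the attacker copies the packet and (a) flips one ciphertext bit ...
    tampered = wire[:-20] + bytes([wire[-20] ^ 1]) + wire[-19:]
    status_tamper, _ = fw1.decapsulate(tampered)
    # ... or (b) resends the unmodified copy after the original was already accepted.
    status_replay, _ = fw1.decapsulate(wire)
    return plain, status_ok, status_tamper, status_replay, inner in wire

if __name__ == "__main__":
    print(demo())
```

The last value returned by demo() checks confidentiality directly: the original packet bytes never appear in what crosses the Internet.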

Remote Access VPNs with TLS

The user’s device creates a secure remote access VPN connection back to the enterprise network.

Remote access VPNs often use the Transport Layer Security (TLS) protocol to create a secure VPN session.

A VPN that secures all packets from the device to a site does so by using a Cisco VPN client.

16.3 Network Attack Mitigations

Network Attack Mitigations
The Defense-in-Depth Approach
To mitigate network attacks, you must first secure devices including routers, switches, servers, and hosts. Most organizations employ a defense-in-depth approach (also known as a layered approach) to security. This requires a combination of networking devices and services working in tandem.

Several security devices and services are implemented to protect an organization’s users and assets against TCP/IP threats:
• VPN
• ASA Firewall
• IPS
• ESA/WSA
• AAA Server
Network Attack Mitigations
Keep Backups
Backing up device configurations and data is one of the most effective ways of protecting
against data loss. Backups should be performed on a regular basis as identified in the
security policy. Data backups are usually stored offsite to protect the backup media if anything
happens to the main facility.
The table shows backup considerations and their descriptions.
Consideration   Description

Frequency       • Perform backups on a regular basis as identified in the security policy.
                • Full backups can be time-consuming, therefore perform monthly or weekly backups with frequent partial backups of changed files.
Storage         • Backups should be transported to an approved offsite storage location on a daily, weekly, or monthly rotation, as required by the security policy.
Security        • Backups should be protected using strong passwords. The password is required to restore the data.
Validation      • Always validate backups to ensure the integrity of the data and validate the file restoration procedures.
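Two rows of the table above, partial backups of changed files and validation of the backup's integrity and of the restoration procedure, can be implemented with a hash manifest. The script below is an added example (not Cisco course material): it records a SHA-256 hash of every file at full-backup time, verifies a restored copy against that manifest, and selects only new or modified files for the next partial backup. The device configuration files and the corruption it injects are constructed inside a temporary directory.

```python
"""Backup manifest: validate restores and pick changed files for partial backups.
Added example, not Cisco course material; sample files are constructed in a temp dir."""

import hashlib
import json
import os
import shutil
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Relative path -> SHA-256 for every regular file under root (taken at backup time)."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest

def verify_restore(restore_root, manifest):
    """Paths whose restored content is missing or does not match the manifest."""
    bad = []
    for rel, digest in manifest.items():
        full = os.path.join(restore_root, rel)
        if not os.path.isfile(full) or sha256_file(full) != digest:
            bad.append(rel)
    return sorted(bad)

def changed_since(root, full_manifest):
    """Files to include in a partial backup: new or modified since the full backup."""
    current = build_manifest(root)
    return sorted(p for p, d in current.items() if full_manifest.get(p) != d)

def write(root, rel, text):
    with open(os.path.join(root, rel), "w") as f:
        f.write(text)

def demo():
    """Constructed scenario: full backup, a corrupted restore, then a partial backup."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "configs")
        os.makedirs(src)
        write(src, "S1.cfg", "hostname S1\n")
        write(src, "R1.cfg", "hostname R1\n")
        # Manifest is saved as JSON next to the backup and reloaded when validating.
        manifest = json.loads(json.dumps(build_manifest(src)))
        # Restoration test: one file in the restored copy differs from what was backed up.
        restore = os.path.join(tmp, "restore")
        shutil.copytree(src, restore)
        write(restore, "R1.cfg", "hostname R1 !corrupted\n")
        bad = verify_restore(restore, manifest)
        # Later changes on the live system: one file edited, one new file.
        write(src, "S1.cfg", "hostname S1\nno cdp run\n")
        write(src, "S2.cfg", "hostname S2\n")
        changed = changed_since(src, manifest)
        return bad, changed

if __name__ == "__main__":
    print(demo())
```

A restore that passes verify_restore with an empty list is one you have actually tested, which is the point of the table's Validation row; the hash manifest does not replace the password or encryption protecting the backup media itself.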

Network Attack Mitigations
Upgrade, Update, and Patch
As new malware is released, enterprises
need to keep current with the latest
versions of antivirus software.
• The most effective way to mitigate a
worm attack is to download security
updates from the operating system
vendor and patch all vulnerable
systems.
• One solution to the management of
critical security patches is to make sure
all end systems automatically download
updates.

Network Attack Mitigations
Authentication, Authorization, and Accounting
Authentication, authorization, and accounting
(AAA, or “triple A”) network security services
provide the primary framework to set up
access control on network devices.
• AAA is a way to control who is permitted
to access a network (authenticate), what
actions they perform while accessing the
network (authorize), and making a record
of what was done while they are there
(accounting).
• The concept of AAA is similar to the use
of a credit card. The credit card identifies
who can use it, how much that user can
spend, and keeps account of what items
the user spent money on.
Network Attack Mitigations
Firewalls

Network firewalls reside between two or more networks, control the traffic between them, and help prevent unauthorized access.

A firewall could allow outside users controlled access to specific services. For example, servers accessible to outside users are usually located on a special network referred to as the demilitarized zone (DMZ). The DMZ enables a network administrator to apply specific policies for hosts connected to that network.

Network Attack Mitigations
Types of Firewalls
Firewall products come packaged in various forms. These products use different
techniques for determining what will be permitted or denied access to a network. They
include the following:
• Packet filtering - Prevents or allows access based on IP or MAC addresses
• Application filtering - Prevents or allows access by specific application types based
on port numbers
• URL filtering - Prevents or allows access to websites based on specific URLs or
keywords
• Stateful packet inspection (SPI) - Incoming packets must be legitimate responses to
requests from internal hosts. Unsolicited packets are blocked unless permitted
specifically. SPI can also include the capability to recognize and filter out specific
types of attacks, such as denial of service (DoS).
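The packet-filtering and stateful packet inspection behaviours listed above, together with the DMZ described on the previous slide, can be shown in one small policy engine. This is an added example, not the logic of any Cisco firewall product: address-based filtering denies listed source networks outright, an explicit rule exposes one DMZ service to outside users, and stateful inspection admits an inbound packet only when it answers a connection that an internal host opened. The zones, addresses and packet list are constructed.

```python
"""Packet filtering, a DMZ allow rule and stateful inspection in one model.
Added example, not a Cisco product's logic; addresses and rules are constructed."""

import ipaddress

class StatefulFirewall:
    def __init__(self, inside, dmz):
        self.inside = ipaddress.ip_network(inside)
        self.dmz = ipaddress.ip_network(dmz)
        self.deny_src = []      # packet filtering: source networks blocked by address
        self.allow_in = []      # (dst network, proto, dport) permitted unsolicited, e.g. DMZ web
        self.sessions = set()   # flows opened from inside: (src, sport, dst, dport, proto)
        self.log = []           # denied packets, for the administrator to review

    def block_source(self, net):
        self.deny_src.append(ipaddress.ip_network(net))

    def permit_inbound(self, dst_net, proto, dport):
        self.allow_in.append((ipaddress.ip_network(dst_net), proto, dport))

    def _zone(self, ip):
        ip = ipaddress.ip_address(ip)
        return "inside" if ip in self.inside else "dmz" if ip in self.dmz else "outside"

    def handle(self, pkt):
        """Return 'permit' or 'deny' for a packet dict with src, sport, dst, dport, proto."""
        src_ip, dst_ip = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
        reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"], pkt["proto"])
        if any(src_ip in net for net in self.deny_src):
            self.log.append(("deny-blocked-source", key))   # address-based packet filter
            return "deny"
        if self._zone(src_ip) == "inside":
            self.sessions.add(key)       # remember the outbound flow so its replies can return
            return "permit"
        if reverse in self.sessions:
            return "permit"              # stateful: legitimate response to an internal request
        for net, proto, dport in self.allow_in:
            if dst_ip in net and pkt["proto"] == proto and pkt["dport"] == dport:
                return "permit"          # explicitly exposed service (DMZ server)
        self.log.append(("deny-unsolicited", key))
        return "deny"

def demo():
    """Constructed traffic through a firewall with an inside network and a DMZ web server."""
    fw = StatefulFirewall(inside="10.0.0.0/8", dmz="192.0.2.0/24")
    fw.permit_inbound("192.0.2.10/32", "tcp", 443)           # public HTTPS server in the DMZ
    fw.block_source("198.51.100.64/28")                      # a source range denied outright
    pkts = [
        dict(src="10.1.1.5", sport=51000, dst="198.51.100.7", dport=443, proto="tcp"),   # inside -> Internet
        dict(src="198.51.100.7", sport=443, dst="10.1.1.5", dport=51000, proto="tcp"),   # its reply
        dict(src="198.51.100.9", sport=40000, dst="10.1.1.5", dport=3389, proto="tcp"),  # unsolicited inbound
        dict(src="198.51.100.9", sport=40001, dst="192.0.2.10", dport=443, proto="tcp"), # DMZ web server
        dict(src="192.0.2.10", sport=40002, dst="10.1.1.5", dport=22, proto="tcp"),      # DMZ -> inside
        dict(src="198.51.100.66", sport=40003, dst="192.0.2.10", dport=443, proto="tcp"),# blocked source
    ]
    return [fw.handle(p) for p in pkts], fw.log

if __name__ == "__main__":
    decisions, log = demo()
    print(decisions)
    for entry in log:
        print(entry)
```

Note that a host in the DMZ cannot initiate a connection inward: if the exposed server is compromised, the stateful rule still treats its traffic toward the inside network as unsolicited, which is the policy benefit of putting public servers in that zone.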

Network Attack Mitigations
Endpoint Security
An endpoint, or host, is an individual computer system or device that acts as a network
client. Common endpoints are laptops, desktops, servers, smartphones, and tablets.

Securing endpoint devices is one of the most challenging jobs of a network administrator
because it involves human nature. A company must have well-documented policies in
place and employees must be aware of these rules.

Employees need to be trained on proper use of the network. Policies often include the use
of antivirus software and host intrusion prevention. More comprehensive endpoint security
solutions rely on network access control.
