CCNA7 LAN Security Module

The document discusses security for local area networks (LANs) and endpoints. It provides an overview of the CCNA v7 curriculum modules, with a focus on endpoint security and L2 security. It then mentions next steps, indicating there will be more information on security topics covered.

CCNA 7: LAN Security

Cisco Networking Academy

September 2019 IPD Week

#NetAcadIPD
http://cs.co/IPD20
NetAcad.com
© 2019 Cisco and/or its affiliates. All rights reserved.
Agenda
Technical Session

1 CCNA v7 Modules
2 End Point Security
3 L2 Security
4 Next Steps


CCNA v7


CCNA 7.0 Course Outlines

CCNA v7 Course #1
  Networking Today
  Basic Switch and End Device Configuration
  Protocol Models
  Physical Layer
  Number Systems
  Data Link Layer
  Ethernet Switching
  Network Layer
  Address Resolution
  Basic Router Configuration
  IPv4 Addressing
  IPv6 Addressing
  ICMP
  Transport Layer
  Application Layer
  Network Security Fundamentals
  Build a Small Network

CCNA v7 Course #2
  Basic Device Configuration
  Switching Concepts
  VLANs
  Inter-VLAN Routing
  STP
  Etherchannel
  DHCPv4
  SLAAC and DHCPv6 Concepts
  FHRP Concepts
  LAN Security Concepts
  Switch Security Configuration
  WLAN Concepts
  WLAN Configuration
  Routing Concepts
  IP Static Routing
  Troubleshoot Static and Default Routes

CCNA v7 Course #3
  Single-Area OSPFv2 Concepts
  Single-Area OSPFv2 Configuration
  WAN Concepts
  Network Security Concepts
  ACL Concepts
  ACLs for IPv4 Configuration
  NAT for IPv4
  VPN and IPsec Concepts
  QoS Concepts
  Network Management
  Network Design
  Network Troubleshooting
  Network Virtualization
  Network Automation

__ New/significantly changed content (the marking is not preserved in this text)
Download Draft Scope and Sequence


End Point Security


Today’s risk reality

• More interconnected than ever
• Expanded attack surface
• Multi-cloud reality
• A software-defined world
• Continuous operations: must keep business running
• Automated and sophisticated threats
• Workers connecting everywhere
• High likelihood of a breach
• Loss of control
Attack landscape: constantly evolving

• Advanced Persistent Threats
• Supply chain attacks
• Ransomware
• Unpatched Software
• Data/IP Theft
• Spyware/Malware
• Malvertising
• Wiper Attacks
• Drive by Downloads
• Phishing
• Rogue Software
• Man in the Middle
• Botnets
• DDoS
• Credential compromise
• Cryptomining
Network Attacks Today
• Distributed Denial of Service: This is a coordinated attack from many devices, called zombies, with the intention of degrading or halting public access to an organization’s website and resources.
• Data Breach: This is an attack in which an organization’s data servers or hosts are compromised to steal confidential information.
• Malware: This is an attack in which an organization’s hosts are infected with malicious software that causes a variety of problems. For example, ransomware such as WannaCry.


Traditional Endpoint Security


Modern Endpoint Security Solutions


E-mail Security Appliance (ESA)

• According to the Cisco Security Report, during April 2019 85% of all e-mail sent was spam.
• Cisco ESA is constantly updated by real-time feeds from Cisco Talos.


Web Security Appliance (WSA)


Backed by the industry’s best threat intelligence

Intelligence sources: Web/URL, Network Analysis, Email, Malware/Endpoint, DNS/IP, Network Intrusions

Where the intelligence comes from:
• Threat intelligence researchers
• Analyze network telemetry
• Threat processing centers
• Threat intelligence partners

What it enables:
• Accurately identify and block known threats
• Quickly analyze suspicious payloads
• Detect and block threats in email messages
• Block access to known or suspected malicious web sites
Endpoint Protection


Impossibly complex
So many alerts

• 44% of alerts are NOT investigated
• 56% of alerts are investigated
• 34% of investigated alerts are legitimate
• 51% of legitimate alerts are remediated
• 49% of legitimate alerts are not remediated

Source: Cisco Annual CyberSecurity Report 2018
Access Control


Access Control – What is AAA?


Access Control – AAA Concept


Access Control with 802.1x


Demo: 802.1x in Packet Tracer 7.2
L2 Security Threats


We don’t want your network to be like an M&M…

• Most of the attacks on the network occur or start from inside your network (FBI report on Networking Security).


Why is L2 security so important?


L2 Attacks in CCNA7


Attack Mitigation Techniques


MAC Address Table Attack


MAC Address Table Flooding


Macof tool
• What makes macof so dangerous is that an attacker can create a MAC table overflow attack very quickly.
• For instance, a Catalyst 6500 switch can store 132,000 MAC addresses in its MAC address table.
• A tool such as macof can flood a switch with up to 8,000 bogus frames per second.


MAC Address Attack Mitigation


MAC Address Attack Mitigation: Port security
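As an added example (not from the slides or from Cisco's course material), this is the port-security configuration that mitigates the macof-style flooding described above on a Catalyst switch running IOS. The hostname, interface name, VLAN number and address limit are illustrative assumptions; the commands themselves are standard IOS port-security commands.

```cisco
! Added example, not from the presentation. Hostname, interface, VLAN
! and limits are illustrative assumptions.
hostname S1
!
interface FastEthernet0/1
 description Access port for one user PC (plus an optional IP phone)
 ! Port security only works on static access or trunk ports, never on
 ! dynamic (DTP) ports, so the mode must be set first.
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! Allow at most two MAC addresses; a flooding tool presents thousands,
 ! so the table can never be filled through this port.
 switchport port-security maximum 2
 ! Learn the first addresses seen and keep them in the running config.
 switchport port-security mac-address sticky
 ! Default violation mode: on the third address the port is err-disabled
 ! and a syslog message is generated. "restrict" would instead keep the
 ! port up, drop frames from unknown addresses and count the violations.
 switchport port-security violation shutdown
!
! Let an err-disabled port recover on its own after five minutes instead
! of waiting for an administrator to "shutdown" / "no shutdown" it.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

To verify, `show port-security interface FastEthernet0/1` reports the violation mode, the current and maximum address counts and the violation counter, and `show port-security address` lists the secured addresses. A violation counter that climbs within seconds on an ordinary access port is the signature of an overflow attempt rather than of a user with one extra device.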


VLAN Attacks


VLAN Hopping Attacks


VLAN Double-Tagging Attack

Step 1 – Double Tagging Attack
Step 2 – Double Tagging Attack
Step 3 – Double Tagging Attack


VLAN Attack Mitigation

• Disable trunking on all access ports.
• Disable auto trunking on trunk links so that trunks must be manually enabled.
• Be sure that the native VLAN is only used for trunk links.
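The three mitigation bullets above, carried through as an IOS configuration. This is an added example, not part of the presentation; the VLAN numbers, interface ranges and the choice of VLAN 86 as an unused "black hole" VLAN are illustrative assumptions.

```cisco
! Added example, not from the presentation. VLAN numbers and interface
! ranges are illustrative assumptions.
!
! 1. Access ports: force access mode and turn off DTP so the port never
!    negotiates a trunk with whatever host is plugged in (stops the
!    switch-spoofing form of VLAN hopping).
interface range FastEthernet0/1 - 20
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! Unused ports: park them in a VLAN that is routed nowhere and shut them.
interface range FastEthernet0/21 - 24
 switchport mode access
 switchport access vlan 86
 shutdown
!
! 2. Trunk links: trunk manually (no auto trunking) and disable DTP.
! 3. Use a dedicated native VLAN that no access port belongs to; a
!    double-tagged frame is stripped to its inner tag only if the outer
!    tag equals the trunk's native VLAN, so keeping user traffic out of
!    VLAN 999 defeats the double-tagging attack.
! On platforms that still support ISL, "switchport trunk encapsulation
! dot1q" must precede "switchport mode trunk".
interface GigabitEthernet0/1
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30,999
!
! Optional, where the platform supports it: tag native-VLAN frames too,
! so no untagged frame is ever accepted or sent on the trunk.
vlan dot1q tag native
```

Verify with `show interfaces trunk` (the native VLAN should be 999 on every trunk and no access port should appear in the list) and `show interfaces FastEthernet0/1 switchport`, which should report access mode with negotiation of trunking off.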


DHCP Attacks


DHCP Starvation Attack

Step 1 – Attacker Initiates a Starvation Attack
Step 2 – DHCP Server Offers Parameters
Step 3 – Client Requests all Offers
Step 4 – DHCP Server Acknowledges All Requests


DHCP Spoofing


ARP and STP Attacks


ARP Spoofing and ARP Poisoning Attack


STP Manipulation Attacks

Spoofing the Root Bridge
Successful STP Manipulation Attack


Mitigating STP Attacks
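The slides above name DHCP starvation, DHCP spoofing, ARP poisoning and STP root-bridge spoofing but only as titles. As an added example (not from the presentation), here are the IOS features that mitigate each of them on a Catalyst access switch: DHCP snooping, Dynamic ARP Inspection (which relies on the DHCP snooping binding table) and BPDU guard / root guard. VLAN numbers, interface roles and the rate limit are illustrative assumptions.

```cisco
! Added example, not from the presentation. VLAN numbers, interface
! roles and rate limits are illustrative assumptions.
!
! --- DHCP starvation and DHCP spoofing ---
! DHCP snooping drops server messages (OFFER/ACK/NAK) that arrive on
! untrusted host ports, so a rogue server cannot answer clients, and it
! drops client packets whose source MAC differs from the DHCP client
! hardware address (default check), which breaks most starvation tools.
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Do not insert option 82 unless the relay/server is configured for it.
no ip dhcp snooping information option
!
interface GigabitEthernet0/1
 description Uplink toward the legitimate DHCP server
 ip dhcp snooping trust
 ip arp inspection trust
!
interface range FastEthernet0/1 - 24
 ! A host sends a handful of DHCP packets at boot; a sustained flood is
 ! an attack, so cap untrusted ports at 6 packets per second.
 ip dhcp snooping limit rate 6
 ! BPDU guard: an access port that receives a BPDU (a host or rogue
 ! switch trying to take part in STP) is placed in err-disabled state.
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! --- ARP spoofing / poisoning ---
! Dynamic ARP Inspection checks every ARP packet on untrusted ports
! against the DHCP snooping binding table (IP, MAC, VLAN, port) and drops
! replies that claim an IP/MAC pair the binding table does not contain.
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip
!
! --- STP root bridge spoofing ---
! Root guard on ports facing downstream switches: a superior BPDU from
! that side puts the port into root-inconsistent state instead of
! letting the neighbour become root and pull traffic through itself.
interface GigabitEthernet0/2
 description Downlink to an access switch
 spanning-tree guard root
!
! Let ports err-disabled by these features recover automatically.
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
errdisable recovery cause bpduguard
errdisable recovery interval 300
```

Useful checks: `show ip dhcp snooping` confirms which VLANs are protected and which ports are trusted, `show ip dhcp snooping binding` shows the table DAI depends on (a host with a static IP needs an ARP ACL or a static binding or its ARP traffic will be dropped), `show ip arp inspection statistics` counts dropped ARP packets, and `show spanning-tree inconsistentports` lists ports blocked by root guard.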


CDP Reconnaissance


CDP Reconnaissance - Mitigation

• Disable CDP globally using no cdp run in global configuration mode.
• Or disable it per interface using no cdp enable.