
Network Security 2


todd-moore

Presentation Transcript


  1. Network Security 2 Module 7 – Secure Network Architecture and Management

  2. Lesson 7.1 – Layer 2 Security Best Practices

  3. Typical Cases

  4. Single Security Zone, One User Group, One Physical Switch (diagram: DMZ, Internet)
  Vulnerabilities:
  • MAC spoofing
  • CAM table overflow

  5. Single Security Zone, One User Group, Multiple Physical Switches (diagram: DMZ, Internet)
  Vulnerabilities:
  • MAC spoofing
  • CAM table overflow
  • VLAN hopping
  • Spanning tree attacks

  6. L2 Security Best Practices
  • Manage switches as securely as possible.
  • Use IP-permit lists to restrict access to management ports.
  • Selectively use SNMPv3 and treat community strings like root passwords.
  • Always use a dedicated VLAN ID for all trunk ports.
  • Avoid using VLAN 1.
  • Set all user ports to non-trunking mode.
  • Deploy port security where possible for user ports. Alternatively, deploy dynamic port security using DHCP snooping along with Dynamic ARP Inspection (DAI).
  • Have a plan for the ARP security issues in the network. Consider using DHCP snooping along with Dynamic ARP Inspection and IP Source Guard to protect against MAC spoofing and IP spoofing on the network.

  7. L2 Security Best Practices
  • Enable STP attack mitigation with BPDU Guard and Root Guard.
  • Use private VLANs where appropriate to further divide Layer 2 networks.
  • Use Cisco Discovery Protocol (CDP) only where appropriate.
  • Disable all unused ports and put them in an unused VLAN.
  • Use Cisco IOS Software ACLs on IP-forwarding devices to protect Layer 2 proxy on private VLANs.
  • Eliminate native VLANs from 802.1Q trunks.
  • Use VTP passwords to authenticate VTP advertisements.
  • Consider using Layer 2 port authentication, such as 802.1X, to authenticate clients attempting connectivity to a network.
  • Procedures for change control and configuration analysis must be in place to ensure that changes result in a secure configuration.

  8. Lesson 7.2 – SDM Security Audit

  9. Security Audit Overview
  • Compares the router configuration against a predefined checklist of ICSA and TAC approved best practices.
  • Examples of the audit include, but are not limited to, the following:
    • Shut down unneeded servers on the router, such as BOOTP, finger, and tcp/udp small-servers.
    • Shut down unneeded services on the router, such as CDP, ip source-route, and ip classless.
    • Apply a firewall to outside interfaces.
    • Disable SNMP, or enable it only with hard-to-guess community strings.
    • Shut down unused interfaces; configure no ip proxy-arp.
    • Force passwords for console and vty lines.
    • Force an enable secret password.
    • Enforce the use of access lists.
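Slides 6, 7 and 9 are checklists that are normally verified against a device's running configuration; the following added example (not part of the course material) does that for a subset of the items over an IOS-style config text. The command keywords checked are the standard IOS ones named on the slides, and SAMPLE_CONFIG is a constructed switch config, not one from the deck.

```python
# Added example (not course material): audit an IOS config against the slide 6/7/9 checklist.
def parse_ios(text):
    # Return (global_lines, {interface_name: [its indented lines]}); '!' separators are ignored
    glob, ifaces, cur = [], {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = []
        elif line.startswith(" ") and cur:
            ifaces[cur].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            cur = None
            glob.append(line.rstrip())
    return glob, ifaces

def audit(text):
    glob, ifaces = parse_ios(text)
    findings = []
    # Router items from the SDM audit list (slide 9)
    if any(l.startswith("snmp-server community") for l in glob):
        findings.append("global: SNMPv1/v2c community string configured; prefer SNMPv3")
    if not any(l.startswith("enable secret") for l in glob):
        findings.append("global: no 'enable secret' configured")
    # Layer 2 items from slides 6 and 7, judged per switch port
    for name, lines in ifaces.items():
        mode = next((l.split()[-1] for l in lines if l.startswith("switchport mode")), None)
        if mode == "trunk":
            native = next((l.split()[-1] for l in lines if "trunk native vlan" in l), "1")
            if native == "1":
                findings.append(f"{name}: trunk with native VLAN 1; use a dedicated VLAN ID")
        elif mode == "access":
            vlan = next((l.split()[-1] for l in lines if l.startswith("switchport access vlan")), "1")
            if vlan == "1":
                findings.append(f"{name}: user port left in VLAN 1")
            if not any(l.startswith("switchport port-security") for l in lines):
                findings.append(f"{name}: user port without port security")
            if "spanning-tree bpduguard enable" not in lines:
                findings.append(f"{name}: user port without BPDU Guard")
        elif "shutdown" not in lines:
            findings.append(f"{name}: port neither set to access mode nor shut down")
    return findings

SAMPLE_CONFIG = """snmp-server community public RO
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 spanning-tree bpduguard enable
interface FastEthernet0/2
interface GigabitEthernet0/1
 switchport mode trunk
"""
```

Running `audit(SAMPLE_CONFIG)` returns five findings: the legacy community string, the missing enable secret, FastEthernet0/1 left in VLAN 1, FastEthernet0/2 unconfigured and not shut down, and GigabitEthernet0/1 trunking on native VLAN 1.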

  10. Security Audit Main Window

  11. Monitor Mode Overview (screenshot: Interface Stats, Firewall Stats, VPN Stats)

  12. Lesson 7.3 – Router Management Center

  13. The Router Management Center (MC)

  14. What is the Router MC?

  15. Router MC Components

  16. Configure Routers for SSH

  17. Using the Router MC

  18. The Router MC User Interface

  19. Router MC WorkFlow

  20. Cisco Security Manager

  21. Lesson 7.4 – Simple Network Management Protocol (SNMP)

  22. SNMP Introduction
  • Application-layer protocol that facilitates the exchange of management information between network devices.
  • An SNMP managed network consists of three key components:
    • Managed devices
    • Agents
    • Network management systems (NMSs)

  23. SNMP Agent

  24. SNMP Management Entity

  25. SNMP Device Management

  26. SNMP Versions

  27. Securing SNMP Access

  28. SNMPv3 Message Format

  29. SNMPv3
  • SNMPv3 provides secure access to devices by a combination of authenticating and encrypting packets over the network.
  • The security features provided in SNMPv3 are:
    • Message integrity
    • Authentication
    • Encryption
  • SNMPv3 provides for both security models and security levels.
  • A security model is an authentication strategy that is set up for a user and the group in which the user resides.
  • A security level is the permitted level of security within a security model.
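The authentication and message integrity listed on slide 29 come from the SNMPv3 user-based security model (USM, RFC 3414): a user's password is stretched into a key, that key is localized to each agent's snmpEngineID, and an HMAC over the message proves integrity and origin. The code below is an added example (not from the course) implementing that derivation and check; the test vector is the one published in RFC 3414 Appendix A.3, and the message bytes are constructed.

```python
# Added example (not course material): RFC 3414 USM key derivation and HMAC-96 check
# behind SNMPv3 authentication. Test vector: RFC 3414 Appendix A.3, password "maplesyrup".
import hashlib
import hmac

def password_to_key(password: bytes, algo: str) -> bytes:
    """Ku: digest of the password repeated to exactly 1,048,576 bytes (RFC 3414 A.2)."""
    reps, rem = divmod(1048576, len(password))
    return hashlib.new(algo, password * reps + password[:rem]).digest()

def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key each agent stores is bound to its engine,
    so a key recovered from one device does not directly authenticate to another."""
    return hashlib.new(algo, ku + engine_id + ku).digest()

def usm_auth_key(password: str, engine_id_hex: str, algo: str = "md5") -> str:
    """Localized authentication key for one user on one engine, as hex."""
    ku = password_to_key(password.encode(), algo)
    return localize_key(ku, bytes.fromhex(engine_id_hex), algo).hex()

def auth_parameters(kul: bytes, whole_msg: bytes, algo: str = "md5") -> bytes:
    """msgAuthenticationParameters: HMAC over the whole message (with that 12-byte field
    zero-filled by the caller), truncated to 96 bits as RFC 3414 section 6.3 requires."""
    return hmac.new(kul, whole_msg, algo).digest()[:12]

def verify(kul: bytes, whole_msg: bytes, received: bytes, algo: str = "md5") -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(auth_parameters(kul, whole_msg, algo), received)
```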

  30. SNMP Security Models
