Chapter 6: Securing the Local Area Network

Chapter Outline:

6.0 Introduction
6.1 Endpoint Security
6.2 Layer 2 Security Threats
6.3 Summary

Section 6.1: Endpoint Security

Upon completion of this section, you should be able to:

Describe endpoint security and the enabling technologies.
Explain how Cisco AMP is used to ensure endpoint security.
Explain how Cisco NAC authenticates and enforces the network security policy.

Topic 6.1.1: Introducing Endpoint Security

Securing LAN Elements

Traditional Endpoint Security

The Borderless Network

Securing Endpoints in the Borderless Network

Post malware attack questions:
- Where did it come from?
- What was the threat method and point of entry?
- What systems were affected?
- What did the threat do?
- Can I stop the threat and root cause?
- How do we recover from it?
- How do we prevent it from happening again?
Host-Based Protection:
- Antivirus/Antimalware
- SPAM Filtering
- URL Filtering
- Blacklisting
- Data Loss Prevention (DLP)

Modern Endpoint Security Solutions

Hardware and Software Encryption of Local Data

Topic 6.1.2: Antimalware Protection

Advanced Malware Protection

AMP and Managed Threat Defense

Talos teams gather real-time threat intelligence from a variety of sources:
- 1.6 million deployed security devices, including firewall, IPS, web, and email appliances
- 150 million endpoints
They then analyze this data:
- 100 TB of security intelligence daily
- 13 billion web requests per day
- 35% of the world’s enterprise email traffic

AMP for Endpoints

AMP for Endpoints– AMP for Endpoints integrates with Cisco AMP for Networks to deliver comprehensive protection across extended networks and endpoints.
AMP for Networks– Provides a network-based solution and is integrated into dedicated Cisco ASA Firewall and Cisco FirePOWER network security appliances.
AMP for Content Security– This is an integrated feature in Cisco Cloud Web Security or Cisco Web and Email Security Appliances to protect against email and web-based advanced malware attacks.

Topic 6.1.3: Email and Web Security

Securing Email and Web

Cisco Email Security Appliance

Features and benefits of Cisco Email Security solutions:

Global threat intelligence
Spam blocking
Advanced malware protection
Outbound message control

Cisco Web Security Appliance

Client Initiates Web Request

WSA Forwards Request

Reply Sent to WSA and Then To Client

Topic 6.1.4: Controlling Network Access

Cisco Network Admission Control

Cisco NAC Functions

Cisco NAC Components

Network Access for Guests

Three ways to grant sponsor permissions:

to only those accounts created by the sponsor
to all accounts
to no accounts (i.e., they cannot change any permissions)

Cisco NAC Profiler

Section 6.2: Layer 2 Security Considerations

Upon completion of the section, you should be able to:

Describe Layer 2 vulnerabilities.
Describe CAM table overflow attacks.
Configure port security to mitigate CAM table overflow attacks.
Configure VLAN Truck security to mitigate VLAN hopping attacks.
Implement DHCP Snooping to mitigate DHCP attacks.
Implement Dynamic Arp Inspection to mitigate ARP attacks.
Implement IP Source Guard to mitigate address spoofing attacks.

Topic 6.2.1: Layer 2 Security Threats

Describe Layer 2 Vulnerabilities

Switch Attack Categories

Topic 6.2.2: CAM Table Attacks

Basic Switch Operation

CAM Table Operation Example

CAM Table Attack

Intruder Runs Attack Tool

Fill CAM Table

Switch Floods All Traffic

Attacker Captures Traffic

CAM Table Attack Tools

Topic 6.2.3: Mitigating CAM Table Attacks

Countermeasure for CAM Table Attacks

Port Security

Enabling Port Security

Verifying Port Security

Port Security Options

Enabling Port Security Options

Port Security Violations

Security Violation Modes:

Protect
Restrict
Shutdown

Port Security Aging

Port Security with IP Phones

SNMP MAC Address Notification

Topic 6.2.4: Mitigating VLAN Attacks

VLAN Hopping Attacks

VLAN Double-Tagging Attack

Step 1 – Double Tagging Attack

Step 2 – Double Tagging Attack

Step 3 – Double Tagging Attack

Mitigating VLAN Hopping Attacks

PVLAN Edge Feature

Verifying Protected Ports

Private VLANs

Topic 6.2.5: Mitigating DHCP Attacks

DHCP Spoofing Attack

DHCP Starvation Attack

Attacker Initiates a Starvation Attack

DHCP Server Offers Parameters

Client Requests all Offers

DHCP Server Acknowledges All Requests

Mitigating VLAN Attacks

The switch will deny packets containing specific information:

Unauthorized DHCP server messages from an untrusted port
Unauthorized DHCP client messages not adhering to the snooping binding table or rate limits
DHCP relay-agent packets that include option-82 information on an untrusted port