Lecture CCNA Security - Chapter 6: Securing the Local Area Network

The following will be discussed in this chapter: Describle endpoint security with IronPort; describle endpoint security with Network Admission Control; describle endpoint Security with Cisco Security Agent; describle MAC address spoofing attacks, STP manipulation attacks, MAC address overflow attacks, LAN storm attacks, and VLAN attacks;...
Nội dung trích xuất từ tài liệu:
Lecture CCNA Security - Chapter 6: Securing the Local Area Network Chapter 6- Securing the Local Area Network CCNA Security Objectives • Describle endpoint security with IronPort. • Describle endpoint security with Network Admission Control. • Describle endpoint Security with Cisco Security Agent. • Describle MAC address spoofing attacks, STP manipulation attacks, MAC address overflow attacks , LAN storm attacks , and VLAN attacks. • Describle specific mitigation techniques for Layer 2 attacks. • Configure port security, BPDU guard, root guard, storm control, SPAN, RSPAN and PVLAN Edge. • Describle wireless, VoIP, and SAN security considerations. • Describle wireless, VoIP, and SAN security solutions. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Introducing Endpoint Security Perimeter MARS ACS Areas of concentration: Firewall • Securing endpoints • Securing network Internet infrastructure VPN IPS Iron Port Hosts Web Email Server Server DNS LAN Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Introducing Endpoint Security Refer to 6.1.1.1 • What is the idea for the LAN-to- perimeter security strategy ? • “The LAN-to-perimeter security strategy is based on the idea that if users are not practicing security in their desktop operations, no amount of security precautions will guarantee a secure network.” Addressing Endpoint Security Policy Compliance Infection Containment Secure Host Based on three elements: Threat • Cisco Network Admission Control (NAC) Protection • Endpoint protection • Network infection containment Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Introducing Endpoint Security Refer to 6.1.1.2 1. What’s the borderless network ? 2. What’s the benefit of cloud computing ? 3. What’s the two major components of traditional network security ? 4. What’s the SecureX architecture ? Operating Systems Basic Security Services Refer to 6.1.1.3 1. Trusted code and trusted path – ensures that the integrity of the operating system is not violated. Using hash message authentication codes (HMACs) or digital signatures 2. Privileged context of execution – provides identity authentication and certain privileges based on the identity 3. Process memory protection and isolation – provides separation from other users and their data 4. Access control to resources – ensures confidentiality and integrity of data Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Example: Verify the Integrity of Windows Vista System Files Types of Application Attacks Refer to 6.1.1.4 • Modern operating systems provide each process with an identity and privileges. • Privilege switching is possible during program operation or during a single login session. • These are a few techniques that help protect an endpoint from operating system vulnerabilities: 1. Least privilege concept 2. Isolation between processes 3. Reference monitor 4. Small, verifiable pieces of code Types of Application Attacks Types of Application Attacks I have gained direct Direct access to this application’s privileges I have gained access to this system which is trusted by the other system, allowing me to access it. Indirect Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Cisco Systems Endpoint Security Solutions Cisco Security Agent IronPort Cisco NAC Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Other Vendor Enpoint Security Solutions Cisco IronPort Products Refer to 6.1.2.1 IronPort uses SenderBase, the world's largest threat detection database, to help provide preventive and reactive security measures. IronPort products include: • C-Series- an E-mail security appliances for virus and spam control ...