CCSP SNRS Quick Reference Sheets
Brandon James Carroll
ciscopress.com

Chapter 1  Layer 2 Security ..................................... 3
Chapter 2  Trust and Identity .................................. 14
Chapter 3  Cisco Network Foundation Protection ................. 37
Chapter 4  Secured Connectivity ................................ 43
Chapter 5  Adaptive Threat Defense ............................. 91
CCSP SNRS Quick Reference Sheets by Brandon James Carroll

About the Author
Brandon James Carroll is one of the country’s leading instructors for Cisco security technologies, teaching classes that include the CCNA, CCNP, CCSP courses, a number of the CCVP courses, as well as custom developed courseware. In his six years with Ascolta, Brandon has developed and taught many private Cisco courses for companies such as Boeing, Intel, and Cisco themselves. He is a CCNA, CCNP, CCSP, and a Certified Cisco Systems Instructor (CCSI). Brandon is the author of Cisco Access Control Security.

Prior to becoming a technical instructor for Ascolta, Mr. Carroll was a technician and an ADSL specialist for GTE Network Services and Verizon Communications. His duties involved ISP router support and network design. As a lead engineer, he tested and maintained Frame Relay connections between Lucent B-STDX and Cisco routers. His team was in charge of troubleshooting ISP Frame Relay to ATM cutovers for ADSL customers. Brandon trained new employees at Verizon to the EPG in ADSL testing and troubleshooting procedures, and managed a “Tekwizard” database for technical information and troubleshooting techniques. Mr. Carroll majored in Information Technology at St. Leo University.
About the Technical Reviewer
Ronald Trunk, CCIE, CISSP, is a highly experienced consultant and network architect with a special interest in secure network design and implementation. He has designed complex multimedia networks for both government and commercial clients. He is the author of several articles on network security and troubleshooting. Ron lives in suburban Washington DC.
© 2008 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 120 for more details.
CHAPTER 1
Layer 2 Security
Examining Layer 2 Attacks
Security is a topic on every network administrator’s mind, regardless of whether it’s even part of his or her job. And to protect networks, people deploy a variety of devices, including firewalls and intrusion prevention systems. Although these types of devices need to be present, they don’t protect a certain area of the network that is often left vulnerable to attack: Layer 2. That’s right; the access layer is often forgotten. This leaves your network open to myriad simple-to-run attacks that can wreak havoc on a network.
Those preparing for the CCSP-SNRS certification exam must understand Layer 2 attacks and their mitigation techniques. An understanding of these concepts and mitigation techniques will not only help you pass the test, it will also assist you in securing your production networks.
Types of Layer 2 Attacks
Switches are susceptible to many of the same Layer 3 attacks as routers, but switches are vulnerable to Layer 2 attacks, too, including the following:
• Content-addressable memory (CAM) table overflow
• VLAN hopping
• Spanning-tree manipulation
• MAC spoofing
• Private VLAN (PVLAN) attacks
• DHCP attacks
CAM Table Overflow Attack
This attack involves an attacker who floods the switch with bogus MAC addresses. The MAC table learns the bogus addresses, and thus those bogus addresses fill up the MAC table, leaving no room to learn real MAC addresses. Because the switch cannot now learn real MAC addresses, when a host sends traffic to another device, the switch must flood the traffic to all ports except the one it was heard on. This, in effect, enables the attacker to get a copy of the frame. This type of attack can be done by anyone running Knoppix STD (Security Tools Distribution), using an application called macof. To mitigate this type of attack, implement port security.
NOTE: Cisco recommends that you configure the port security feature to issue a shutdown instead of dropping packets from insecure hosts through the restrict option. The restrict option may fail under the load of an attack, and the port will be disabled anyway.
Port Security
With the port security feature, you can restrict input to an interface by identifying and limiting the number of MAC addresses that are allowed to be learned (and for that matter, even gain network access on a particular port). Port security enables you to specify MAC addresses for each port or to permit a limited number of MAC addresses that are not statically defined. When a secure port receives a packet, the source MAC address of the packet is compared to the list of secure source addresses that were manually configured or autoconfigured (learned) on the port. If a MAC address of a device attached to the port differs from the list of secure addresses, the port either shuts down permanently (default mode) or drops incoming packets from the insecure host.
Default Port Security Configuration
The default port security interface configuration settings are as follows:
• Port security is disabled.
• Maximum MAC addresses setting is 1.
• Violation mode is shutdown.
• Sticky address learning is disabled.
• Port security aging is disabled. Aging time is 0, and the default type is absolute.
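The CAM table overflow described earlier, the unknown-unicast flooding it causes, and the way port security with these default settings (maximum of 1, violation mode shutdown) contains it, as a runnable model. This is an added example written for this reference, not code from the book or from Cisco. The switch, its port names, the CAM capacity of 100 entries and every MAC address are constructed, and the model deliberately simplifies a real switch: there is no address aging and no CPU load, so it cannot reproduce the restrict-mode failure that the note in the CAM Table Overflow section warns about.

```python
"""Toy model of a switch CAM table and the port-security feature.

Constructed example: port names, CAM capacity and MAC addresses are made up.
The model follows the behaviour described in the text; it is not IOS code.
"""
from dataclasses import dataclass, field


@dataclass
class PortSecurity:
    """Per-interface port-security settings, initialised to the IOS defaults."""
    enabled: bool = False        # port security is disabled by default
    maximum: int = 1             # default maximum number of secure MAC addresses
    violation: str = "shutdown"  # default violation mode; others: restrict, protect


@dataclass
class Port:
    name: str
    security: PortSecurity = field(default_factory=PortSecurity)
    secure_macs: set = field(default_factory=set)  # dynamically learned secure addresses
    err_disabled: bool = False
    violations: int = 0


class Switch:
    def __init__(self, port_names, cam_capacity):
        self.ports = {n: Port(n) for n in port_names}
        self.cam = {}                    # source MAC -> ingress port name
        self.cam_capacity = cam_capacity
        self.log = []

    def _admit(self, port, src):
        """Apply port security to the source MAC; return True if the frame is accepted."""
        ps = port.security
        if not ps.enabled or src in port.secure_macs:
            return True
        if len(port.secure_macs) < ps.maximum:
            port.secure_macs.add(src)    # learn it as a secure address
            return True
        port.violations += 1             # over the limit: security violation
        if ps.violation == "shutdown":
            port.err_disabled = True     # default: the port goes err-disabled
            self.log.append(f"{port.name}: violation from {src}, port err-disabled")
        elif ps.violation == "restrict":
            self.log.append(f"{port.name}: violation from {src}, frame dropped")
        # "protect" drops the frame silently
        return False

    def receive(self, in_port, src, dst):
        """Process one frame; return the list of egress ports it is sent out of."""
        port = self.ports[in_port]
        if port.err_disabled or not self._admit(port, src):
            return []
        # The source is learned only while the CAM table has room.
        if src in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[src] = in_port
        out = self.cam.get(dst)
        if out == in_port:
            return []                    # destination is on the ingress port: filter
        if out is not None:
            return [out]                 # known unicast: exactly one port
        # Unknown destination: flood to every other port that is still up.
        return [n for n, p in self.ports.items() if n != in_port and not p.err_disabled]


def cam_overflow_scenario(violation=None, bogus_frames=200, cam_capacity=100):
    """Flood the CAM table from Fa0/3, then let hosts A and B talk.

    violation=None leaves port security off on Fa0/3; "shutdown", "restrict" or
    "protect" enables it there with the default maximum of 1. Returns how many
    A<->B frames were copied out of Fa0/3 plus the resulting port state.
    """
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"], cam_capacity)
    if violation is not None:
        sw.ports["Fa0/3"].security = PortSecurity(enabled=True, violation=violation)
    host_a, host_b = "00:00:00:00:00:0a", "00:00:00:00:00:0b"   # constructed
    # Flood phase: Fa0/3 sources frames from many distinct bogus MACs.
    for i in range(bogus_frames):
        sw.receive("Fa0/3", f"de:ad:00:00:{i // 256:02x}:{i % 256:02x}", "ff:ff:ff:ff:ff:ff")
    # Exchange phase: A (Fa0/1) and B (Fa0/2) send two frames each.
    leaked = 0
    for src_port, src, dst in [("Fa0/1", host_a, host_b), ("Fa0/2", host_b, host_a)] * 2:
        if "Fa0/3" in sw.receive(src_port, src, dst):
            leaked += 1
    p3 = sw.ports["Fa0/3"]
    return {"leaked": leaked, "cam_entries": len(sw.cam),
            "err_disabled": p3.err_disabled, "violations": p3.violations}


if __name__ == "__main__":
    for mode in (None, "shutdown", "restrict"):
        print(mode or "no port security", cam_overflow_scenario(mode))
```

Without port security all four A/B frames are flooded out Fa0/3 because the full CAM table can never learn A or B. With the default shutdown mode the second bogus address err-disables Fa0/3 and nothing reaches it; with restrict mode only the very first unknown-unicast frame is flooded (normal switch behaviour) and the rest are delivered as unicast, while the violation counter climbs with every dropped frame. On IOS the corresponding interface configuration is `switchport mode access` followed by `switchport port-security`, with `switchport port-security maximum` and `switchport port-security violation {shutdown | restrict | protect}` to change the defaults.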
NOTE: You can find a more detailed discussion of port security at the following site:
http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_25_see/configuration/guide/swtrafc.html#wp1038501
Port Security Configuration Guidelines
The following guidelines are only a few of the port security guidelines that you should be aware of. Some implications with port security and VoIP configurations are not covered here.
• Port security can be configured only on static access ports.
• A secure port cannot be a dynamic access port or a trunk port. This means that you must indicate to the switch whether the port is in switchport mode access or switchport mode trunk.
• A secure port cannot be a destination port for Switched Port Analyzer (SPAN).
• A secure port cannot belong to a Fast EtherChannel or Gigabit EtherChannel port group.
• You cannot configure port security on a per-VLAN basis.
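A configuration audit for the guidelines above, as an added example that is not from the book or from Cisco. It parses a constructed IOS-style running-config excerpt and flags each interface that enables port security while being a trunk, a dynamic port, not explicitly a static access port, an EtherChannel member, or a SPAN destination. The sample configuration and interface names are made up; the parser understands only the commands it needs. The per-VLAN guideline has no configuration line to test for and is not covered.

```python
"""Audit an IOS-style running-config excerpt against the port-security placement rules.

Constructed example: SAMPLE_CONFIG is invented for this check; the parser only
understands interface blocks, switchport mode, switchport port-security,
channel-group and 'monitor session N destination interface'.
"""
import re

SAMPLE_CONFIG = """\
monitor session 1 source interface FastEthernet0/1
monitor session 1 destination interface FastEthernet0/24
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
!
interface FastEthernet0/2
 switchport mode trunk
 switchport port-security
!
interface FastEthernet0/3
 switchport mode dynamic desirable
 switchport port-security
!
interface FastEthernet0/4
 switchport port-security
!
interface FastEthernet0/5
 switchport mode access
 channel-group 1 mode on
 switchport port-security
!
interface FastEthernet0/24
 switchport mode access
 switchport port-security
!
"""


def parse_config(text):
    """Return ({interface name: [config lines]}, {SPAN destination interfaces})."""
    interfaces, span_dests, current = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None               # '!' ends the current interface block
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
            continue
        m = re.match(r"monitor session \d+ destination interface (\S+)", line)
        if m:
            span_dests.add(m.group(1))   # global SPAN configuration
            continue
        if current is not None:
            interfaces[current].append(line)
    return interfaces, span_dests


def audit_port_security(text):
    """Return {interface: [problems]} for secure ports that break the guidelines."""
    interfaces, span_dests = parse_config(text)
    findings = {}
    for name, lines in interfaces.items():
        if "switchport port-security" not in lines:
            continue                     # port security not enabled here
        problems = []
        # The third word of 'switchport mode <x> ...' is access, trunk or dynamic.
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        if mode == "trunk":
            problems.append("secure port cannot be a trunk port")
        elif mode == "dynamic":
            problems.append("secure port cannot be a dynamic access port")
        elif mode != "access":
            problems.append("switchport mode access not set; port is not static access")
        if name in span_dests:
            problems.append("secure port cannot be a SPAN destination")
        if any(l.startswith("channel-group ") for l in lines):
            problems.append("secure port cannot belong to an EtherChannel port group")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for iface, problems in audit_port_security(SAMPLE_CONFIG).items():
        print(iface, "->", "; ".join(problems))
```

Only FastEthernet0/1 passes; every other secure interface in the sample is reported with the guideline it breaks. Running the same check over a real `show running-config` before enabling port security catches the placements the switch would reject or that would silently disable the feature.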