Skip to content

Network Ninja

The Long Road to Cisco

  • Home
  • About
  • Legal Disclaimer
  • Archives
Less
More
Trim
Untrim
« Older
Home
Loading
Newer »

Tag Archive for 'Framework'

Switch Security Layer-2 Attacks – One

Published
by
Deon Botha
on May 27, 2008
in 802.1X, AAA, BCMSN, CAM, Certification, Cisco Systems, Concepts and Constructs, MAC Address Flooding, Port Security and TCAM
. 0 Comments

Mac-Address-Flooding

MAC Address Flooding

MAC Address flooding results in a switch’s CAM table overflow, which causes flooding of regular data frames out all switch ports. This attack can be launched for the malicious purpose of collecting a broad sample of traffic or as a denial of service (DoS) attack.

A switch has a limited CAM table and can only contain a limited number of entries at one time. If for example an intruder at the beginning of a work day floods a switch with invalid MAC entries then until the invalid entries expire the switch will flood all frames out all ports. This has two negative effects:

  • Switch traffic is inefficient and voluminous
  • The attacker/intruder connected to a switch port and capture traffic that is not normally seen on that port.

Mitigation of this attack is to configure port-security and defining the number of MAC addresses allowed on a given port. Port security can also specify the MAC addresses allowed on a port.

Port Security

This is a feature of Cisco Catalyst Switches, it is a security feature that restricts a switch port to a specific number of MAC addresses. These MAC addresses can be dynamically learned or statically configured. When configured the switch will only allow frames on those ports from the configured MAC addresses.

NB if you configure 4 MAC addresses and don’t specify them, the switch will learn 4 addresses dynamically. Those 4 will then be the MAC addresses allowed.

A feature (on some platforms) combine statically configured and dynamically learnt addresses. When configured an interface converts dynamically learnt addresses to “sticky secure” addresses. This adds those addresses to the config as if they were added by switchport port-security mac-address

Port Security – Configuration

Enable Port Security on the Switch:

switch#configure terminal
switch(config)#interface gigabitethernet 0/1
switch(config-if)#switchport port-security

Set the maximum number of MAC addresses that will be allowed on the port (default is one)

switch(config-if)#switchport port-security maximum value

Be sure to set this value to 2 when you have a Cisco IP Phone and a desktop attached to a switchport. I know I didn’t do this and it resulted in a port security violation. My bad.

Now Option 1 you can set whether the MAC address(es) learnt must be aged out after X time

switch(config-if)#switchport port-security aging 1-1024

Now optional 2 specify the MAC addresses that will be allowed on the port (this can also be dynamically learnt thats why its optional)

switch(config-if)#switchport port-security mac-address mad-address
switch(config-if)#switchport port-security mac-address mad-address

Finally set the action to be taken if something goes wrong (mac address attack)

switch(config-if)#switchport port-security violation {shutdown/restrict/protect}

Protect Mode drops the frame and leaves no syslog message, Restrict mode drops the frame and logs the drop + a SMTP trap is sent, and finally shutdown logs + SMTP traps + errdisables the interface (CAT OS, Cisco IOS).

Port security has a feature called “sticky MAC address” that can limit switch port access to a single, specific MAC address without the network administrator having to gather MAC addresses of every legitimate device and manually associate it with a particular switch port (This cannot be used where Voice VLANs are in use).

switch(config-if)#switchport port-security mac-address sticky

Last but not least lets check port-security:

switch(config)#show port-security

Authentication

Authentication, authorization and accounting (AAA) network security services provide a framework through which acess control is set up on a network. Authentication is the way a user is identified before being allowed access to the network and network services. AAA authentication is configured by defining a list of named authentication methods and then applying that list to various interfaces. The list defined the type of authentication (enable password, Kerberos 5, Kerberos 5-Telnet Authentication, Line Password, Local database, Local database with case sensitive, No Authentication, RADIUS, TACACS+) to be performed and the sequence in which they will be performed.

The only exception is the “default” list. The default list is automatically applied to all interfaces if no other method/list is defined. A defined method/list overrides the default list.

802.1x

IEEE 802.1x defines a port-based access control and authentication protocol that restricts unauthorized workstations from connecting to a LAN through publicly accessible switch ports. Until a workstation is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port. After authentication normal traffic can pass through.

With 802.1x port-based authentication, the devices in the network have specific port roles:

Client: the end-device that requests access to the LAN and switch. The end-device must be running 802.1x compliant software. (the port the end-device (client) is attached to is the supplicant)

Authentication server: performs the actual authentication. The server authenticates the identity of the client and lets the switch know whether to let the end-device access the LAN. As the switch is acting as a proxy the authentication service is transparent to the end-device. The RADIUS security system with Extensible Authentication Protocol (EAP) is the only supported authentication server.

Switch (authenticator): controls physical access onto the network. Acts as an intermediary (proxy service) between client and authentication server. The switch uses a RADIUS software agent responsible for encapsulating and decapsulating EAP frames and interacting with the authentication server.

802.1x Configure

Enable AAA

switch#configure terminal
switch(config)#aaa new-model

You Radius Server Location

switch(config)#radius-server host 000.000.000.000auth-port port key auth-key

Create a 802.1x port-based authentication method list

switch(config)#aaa authentication dot1x default group radius

Globally configure 802.1x port-based autnetication

switch(config)#dot1q system-auth-control

OR enter enable 802.1x on an interface

switch(config)#interface gigabitethernet 0/1
switch(config-if)#dot1x port-control auto

Definition

Content Addressable Memory (CAM)is a specialized type of memory think of it as the opposite of Random Access Memory (RAM). With RAM an Operating Sysem (OS) provides an address, and receives the data stored at the supplied address. With CAM, the OS supplies the data, and the CAM returns a list of addresses where the data is stored, if any. Also a CAM searches the entire memory in one operation therefore is faster than RAM.

Binary CAMssearch only for 1 and 0’s (ON or OFF). A MAC address table in switches commonly get stored inside binary CAMs (sometimes even called a CAM Table).

A Ternary CAM (TCAM)allows the OS to match a third state, “X.” The “X” state is a “mask” and could be anything. Routers can store their entire routing table in these TCAMs, allowing for very quick lookups.

Notes and Notices:

This is a part of my personal BCMSN notes and research to assist myself in learning and understanding the concepts and theory for the BCMSN exam. I learn by making notes reading and writing things down and wish to file them where I can’t lose them. These notes are not to be seen, judged or mistaken for replacements to Cisco recognized and authorized training which I personally support and attend and suggest you undertake if you are going for the BCMSN Certification.

Cisco Enterprise Wide Network Models

Published
by
Deon Botha
on April 3, 2008
in BCMSN, Certification, Cisco Systems and Enterprise Architecture
. 2 Comments

The Enterprise-Wide Architecture is the more specific enterprise level solution design model for the SONA Framework which gears and prepares the enterprise for Cisco IIN Vision.

The materials I have found on this reads like marketing and advertising sales copy and my version I am afraid might not come off much better.

The model focuses on the sites or locations of the enterprise namely campus (i.e. HQ, main building/buildings), data centre (i.e. could also be located at HQ unless farmed out or if you think of Google with their non-descript concrete buildings around the world that house their server), branch (1 or many locations), teleworker (road warrior or home office worker), and WAN/WAN with specific solutions and benefits for each location on implementing the design model.

Also have a look at the ECNM that has a look at a more recent model on this topic; look specifically at the sub-modules or modules and find these locations mentioned there.

Definitions

You will see the term Campus used often, this term I encountered in my CCNA studies and it is carried through further into later studies. A Campus is one or more buildings connected using a LAN infrastructure within the same geographic area.

You will also remember LAN being defined from CCNA studies and this applies to the Campus definition, a LAN is a network of connected devices within a limited geographic area.

This would build onto the Campus definition in a meaningful way. So to join the two terms a Campus as used in these posts wont span the globe (corporation sized wan environment) but be a localized collection of enterprise buildings, that could tie into the corporate wan, or not, but share a limited geographic area.

Think in South African terms the Didata Campus or maybe something like the Innovation Hub. Both Examples have multiple buildings located in close proximity of each other and have connectivity between each building. In international terms Microsoft Redmond Complex and the Googleplex come to mind as prime examples.

I am not saying that these companies use Cisco kit or employ this enterprise wide architecture (DD might being a Cisco Gold Partner but would probably use the ECNM), I am using their campuses as examples to illustrate the definition.

Overview

Cisco provides the enterprise-wide architecture which supports integration of the entire enterprise network (campus, data centre, WAN, branches, and teleworkers). This helps enterprises protect data and information securely and grow infrastructure and offerings by allowing employees, partners, suppliers, and customers secure, any time and anywhere access to tools, resources and services when needed as they need it.

Campus

Cisco Enterprise Campus Architecture empowers employees with advanced services (end-to-end) by combining core infrastructure (intelligent routing and switching) with tightly integrated productivity-enhancing technologies (IP Communications, Mobility, advanced services). This strategy allows enterprise to increase revenue, productivity, and customer satisfaction.

The design provides for high availability (resilient multilayer design), optimized bandwidth consumption (multicast), and quality of service (QoS) (multicast) while still addressing security challenges like worms, viruses, and other attacks on the network, even at the port level. This is done by a multilayered approach to design and implementation.

The architectural model is standards based thereby extending support on the network for additions like 802.1x and Extensible Authentication Protocol (EAP), IP Security (IPSec), Multi protocol Label Switching Virtual Private Networks (MPLS VPN), identity management, and Virtual Local Area Networks (VLANs).

Data Centre

The Cisco Enterprise Data Centre Architecture supports the need for operational efficiency, optimization of utilization while enabling innovative service-orientated architectures, virtualization, and on-demand computing that is found within enterprise. This architecture model allows the data centre to scale without large or wholesale infrastructural change.

Branch

The Cisco enterprise Branch Architecture grants enterprise/corporate headquarters (HQ) the ability to extend applications and services (security, IP Communication, ERP, etc) to numerous (1 or 100s) of remote locations. The Cisco Empowered Branch solutions set makes use of the Integrated Services Routers (ISR) product range that includes single device integrated security, network analysis, caching, switching, converged voice and video.*

*With every benefit comes setbacks and in this case combining multiple solutions into a single chassis either fixed or modular comes single point of failure.

Teleworker

The Cisco enterprise Teleworker Architecture allows enterprise to deliver secure any time access to remote small or home office employees over standard broadband access services (ADSL, Wireless DSL, and at a stretch HSDPA & EDGE cellular technologies). This provides business with real time constant uptime allowing access to information when needed by employees ( i.e. resiliency) while allowing for a flexible work environment. Through the use of the integrated security within the ISR platform (800 Series) corporate (i.e. campus) security policies are extended to the network edge while enabling converged network services and applications (i.e. IP Telephony*, ERP solutions, etc) reach into employees homes and small offices.

*Check latency and lag issues of Wireless solutions before trying voice on them. Classic case of try before you buy, and try for a while before mind you if it works today doesn’t mean it will work at the end and beginning of the month.

WAN and MAN

The Cisco WAN and MAN Architecture allows for the convergence of voice, video and data service over a single IP network.

Resources:

Enterprise Architecture

Have a look at Aragoen Celtdra website on this topic (its for the BSCI but still applies).

Notes and Notices:

This is a part of my personal BCMSN notes and research to assist myself in learning and understanding the concepts and theory for the BCMSN exam. I learn by making notes reading and writing things down and wish to file them where I can’t lose them. These notes are not to be seen, judged or mistaken for replacements to Cisco recognized and authorized training which I personally support and attend and suggest you undertake if you are going for the BCMSN Certification.

Intelligent Integrated Network and Service-Orientated Network Architecture

Published
by
Deon Botha
on April 2, 2008
in BCMSN, Certification, Cisco Systems, IIN and SONA
. 1 Comment

This post deals with two concepts that fit into one another or are parts of one another as the Cisco Service-Orientated Network Architecture (SONA) framework outlines the “how-to” for enterprises to evolve their Information Technology (IT) infrastructures into Intelligent Integrated Networks (IIN). The follow on to this post is the enterprise-wide architecture that explains the model a bit clearer.

Overview

The Cisco IIN Vision is one of network integration, intelligence and participation; while SONA is the three layered approach to achieving IIN namely the network services, interactive services and application layers respectively.

IIN Explained

Converged Networking requires a more integrated IT infrastructure (servers, data storage, workstations, etc) and networking infrastructure (switches, routers, etc). This is because of the needs and requirements of IP Protocol based applications that use voice, video and data network information in one interface (MS Dynamcs Applications could be an example iow CRM).

A standards based modular converged network provides for evolutionary (change over time) functionality addition (NAC, Security, voice, video) and IP-based applications (CRM, ERP, Web Applications, Software on Demand) capability. This by extension allows increased productivity by giving more information at once to employees, Information on demand when needed where needed, and reducing cost (long run allowing company to lower OPEX costs of IT; probably bring down IT IS costs and lowering of CAPEX expenditure year-on-year just for maintaining and upgrading) by allowing incremental changes to infrastructure (compared to wholesale replacements). I can go into skill sets, training expenses on new kit, learning curves, downtimes on installations etc.

By leveraging and applying built in component intelligence (ISR, Self Defending Network, etc) within the network components and extending those benefits end-to-end (from the core to the edge) intelligence and paid for features are spread accross the entire network.

With the participation of the network in service delivery; the added intelligence in network components mean active management, monitoring, and optimization by the network in service and application delivery end-to-end. The results is IT resources being pooled and shared or virtualized to changes in the network with the abliity to adapt to business needs and requirements. Through the use of Application-Orientated Networking (AON) the network can optimize performance and efficient delivery of networked application to end-user.

SONA

SONA

CISCO SONA FRAMEWORK LAYERS*

The path or “how-to” for IIN is SONA which explains how integrated systems can both allow for a dynamic, flexible architecture, and provide for operational efficiencies through standardization and virtualization.

This is very broad stroke overview and not in detail; for a more detailed explanation as to the how this all works see the ECNM or Enterprise Wide Architecture.

The Network Infrastructure Layer is where all IT resources (servers, storage, and clients) are interconnected (campus, branch, data centre, WAN, MAN, teleworker) across the converged network foundation. The objective of this layer is to enable anywhere and anytime connectivity.

The Interactive Services Layer enables efficient allocation of resources to applications and business processes that work together to create functionality that can be used by multiple applications and is delivered through the network infrastructure.

The Application layer includes applications (commercial off-the-shelf and homegrown software) and collaboration applications. This layer can also use network services such as presence and location to build innovative solutions that enhance user experience. The objective is to meet business requirements and achieve efficiencies by leveraging the interactive services layer.

Resources:

Cisco SONA Fact Sheet

Cisco SONA Website

Aragoen Celtdra over at Baby, You can Route my World! has a nice explanation on this for the BSCI course

Notes and Notices:

This is a part of my personal BCMSN notes and research to assist myself in learning and understanding the concepts and theory for the BCMSN exam. I learn by making notes reading and writing things down and wish to file them where I can’t lose them. These notes are not to be seen, judged or mistaken for replacements to Cisco recognized and authorized training which I personally support and attend and suggest you undertake if you are going for the BCMSN Certification.

*CISCO SONA FRAMEWORK LAYERS: Graphic taken from SONA Fact Sheet on the Cisco Website, Copyright Cisco Systems, Inc

Search

About

You are currently browsing the Network Ninja weblog archives for 'framework' tag.

Latest

RSS
  • Digital Growth with your Job
  • Open Shortest Path First – OSPF Fundamentals – Scenario
  • Open Shortest Path First – OSPF Fundamentals – Questions and Answers – Question 13
  • Open Shortest Path First – OSPF Fundamentals – Questions and Answers – Question 12
  • Open Shortest Path First – OSPF Fundamentals – Questions and Answers – Question 11
  • Open Shortest Path First – OSPF Fundamentals – Questions and Answers – Question 10
  • Open Shortest Path First – OSPF Fundamentals – Questions and Answers – Question 9
  • Open Shortest Path First – OSPF Fundamentals – Questions and Answers – Question 8
  • Open Shortest Path First – OSPF Fundamentals – Questions and Answers – Question 7
  • Open Shortest Path First – OSPF Fundamentals – Questions and Answers – Question 6

Archives

  • June 2009
  • April 2009
  • March 2009
  • February 2009
  • November 2008
  • October 2008
  • September 2008
  • August 2008
  • July 2008
  • June 2008
  • May 2008
  • April 2008

Categories

  • 802.11 (7)
  • 802.1Q (1)
  • 802.1X (1)
  • AAA (1)
  • Access Point (7)
  • ACL (4)
  • Addressing (3)
  • Asides (31)
  • auto-summary (3)
  • AutoQoS (1)
  • Bandwidth (2)
  • BCMSN (55)
  • BDR (2)
  • BGP (1)
  • BPDU Filtering (1)
  • BPDU Guard (2)
  • BPDU Root Guard (1)
  • BSCI (67)
  • BSCI Notes (18)
  • BSCI Questions (48)
  • Business (1)
  • Cabling and Equiptment (3)
  • CAM (1)
  • CCDA (1)
  • CDP (1)
  • CEF (1)
  • Certification (123)
  • CIDR (2)
  • CIR (2)
  • Cisco Systems (144)
  • Concepts and Constructs (76)
  • CoS (1)
  • Cost (3)
  • DAI (1)
  • DDNS (1)
  • Debug (2)
  • DHCP Snooping (1)
  • DHCP Spoofing (1)
  • DR (3)
  • DUAL (1)
  • Dynamic ARP Inspection (1)
  • ECNM (5)
  • EIGRP (5)
  • Enterprise Architecture (7)
  • EtherChannel (1)
  • GLBP (1)
  • Hello Timer (2)
  • Hold Timer (2)
  • Hot Standby Router Protocol (1)
  • HSRP (1)
  • IGRP (1)
  • IIN (2)
  • Inter-Vlan Routing (1)
  • Interconnection Technologies (2)
  • IP Source Guard (1)
  • IS-IS (1)
  • ISL (1)
  • LACP (1)
  • Link State Advertisements (2)
  • Load Balancing (2)
  • Loop Guard (1)
  • MAC Address Flooding (1)
  • MLS (1)
  • MSTP (1)
  • NBAR (1)
  • NBMA (1)
  • Off-Topic (12)
  • OSPF (18)
  • PAgP (1)
  • passive-interface (1)
  • PoE (1)
  • Port Security (1)
  • Priority (2)
  • Proxy ARP (1)
  • PVC (1)
  • QoS (2)
  • RIP (1)
  • RIPv2 (1)
  • Root Guard (1)
  • RSTP (1)
  • Show (6)
  • Software (1)
  • SONA (2)
  • SSH (2)
  • STP (5)
  • Stub Router (3)
  • summary-address (1)
  • Support (4)
  • Switch Spoofing (1)
  • TCAM (1)
  • Telnet (2)
  • Troubleshooting (1)
  • Trunk (6)
  • Unidirectional Link Detection (1)
  • VACL (3)
  • VC (1)
  • Vine (20)
  • VLAN (11)
  • VLAN Hopping (1)
  • VLSM (1)
  • VoIP (1)
  • VRRP (1)
  • VTP (4)
  • VTY (1)
  • Wireless (7)

Styled with Sawchuk

Powered by WordPressabc and K21.0-RC7

Entries Feed and Comments Feed

43 queries. 1.4230 seconds.