Securing the Local Area Network


Questions and Answers

Which security measure involves authenticating users and enforcing network security policies for device access?

  • Cisco Network Admission Control (NAC) (correct)
  • Cisco Web Security Appliance (WSA)
  • Cisco Advanced Malware Protection (AMP)
  • Cisco Identity Services Engine (ISE)

In traditional endpoint security, what is the primary focus of host-based protection?

  • Analyzing malware behavior in a sandbox environment
  • Monitoring network traffic for malicious activity
  • Providing security measures directly on individual devices (correct)
  • Securing the network perimeter against external threats

Which of the following tools can be used to perform a CAM table overflow attack?

  • ping
  • macof (correct)
  • netstat
  • traceroute

What type of Layer 2 attack involves an attacker sending numerous DHCP request packets to exhaust the available IP addresses?

DHCP starvation (B)

Which modern security solution focuses on analyzing and correlating vast amounts of security intelligence data, including web requests and email traffic, to identify and respond to threats?

Cisco AMP (B)

What is the purpose of implementing DHCP snooping in a network?

To prevent rogue DHCP servers from providing incorrect IP addresses (C)

Which security violation mode will immediately disable a switch port upon detection of a policy violation?

Shutdown (B)

What is the primary function of the Cisco Email Security Appliance (ESA)?

To block spam and protect against email-borne malware (B)

What is a CAM table overflow attack designed to do?

Cause a switch to forward traffic for all VLANs out of all ports, regardless of the destination MAC address (D)

Which of the following is not a typical feature or benefit of Cisco Email Security solutions?

Intrusion detection (A)

Which security measure can you implement to mitigate CAM table overflow attacks?

Port security (B)

If you configure a switch port for switchport port-security mac-address sticky, what will happen?

The port will dynamically learn MAC addresses and add them to the running configuration. (C)

How does Cisco Advanced Malware Protection (AMP) enhance endpoint security compared to traditional antivirus software?

By providing continuous analysis of files and retrospective alerting (C)

An attacker configures a rogue DHCP server on the network. What type of attack are they attempting, and what is the potential impact?

DHCP spoofing; providing clients with incorrect DNS and gateway information, potentially redirecting traffic to malicious sites. (D)

Consider a scenario where an attacker has successfully launched a CAM table overflow attack. Describe the most likely impact on network operations and how an attacker might further exploit this vulnerability to compromise sensitive data. What additional steps could the attacker take once the CAM table is overflowed, and how would this facilitate data theft or further network intrusion?

The switch effectively turns into a hub. The attacker could set up a packet sniffer on their machine and capture all the traffic going through the switch. (C)

Traditional endpoint security primarily relies on perimeter-based protection methods.

False (B)

In the borderless network model, knowing the location of malware origin is unimportant after an attack.

False (B)

Cisco AMP focuses on discovering, enforcing, and hardening systems before a malware attack occurs.

True (A)

Cisco's ESA solutions primarily focus on securing web traffic and filtering URLs.

False (B)

Cisco NAC functions primarily to enforce application-layer filtering policies.

False (B)

Layer 2 vulnerabilities only affect the physical layer of the OSI model.

False (B)

A CAM table overflow attack involves exhausting a switch's memory with legitimate MAC addresses.

False (B)

Enabling port security guarantees protection against all types of network attacks.

False (B)

In port security, setting the violation mode to 'protect' will fully shutdown the port immediately upon detecting a violation.

False (B)

In a DHCP spoofing attack, a rogue server provides incorrect IP configuration information to clients.

True (A)

DHCP starvation attacks aim to deplete the DHCP server's available IP addresses.

True (A)

DHCP Snooping is configured on untrusted ports to forward DHCP requests to the DHCP server.

False (B)

Configuring DHCP Snooping trust on an interface auto-configures IP Source Guard.

False (B)

Talos teams analyze approximately 100 PB of security intelligence data daily.

False (B)

Modern security solutions such as AMP and NAC focus entirely on preventing external threats, not internal ones.

False (B)

Flashcards

What is Endpoint Security?

Securing individual devices like computers, laptops, and mobile devices that connect to a network.

What is Antimalware Software?

Software designed to detect, prevent, and remove malware from a computer or network.

What is URL Filtering?

Filtering web content based on URLs.

What is Host-Based Protection?

Protection provided on the host itself, including antivirus/antimalware, spam filtering, URL filtering and blacklisting.

What does Cisco's Talos team do?

It analyzes vast amounts of data to provide real-time threat intelligence, protecting networks from various security threats.


What is Cisco Email Security Appliance?

A security solution that inspects and filters email traffic to block spam, malware, and phishing attempts.


What is Cisco Web Security Appliance?

A security solution that filters web traffic, blocking access to malicious websites and preventing malware downloads.


What is Cisco NAC?

It authenticates users and enforces security policies before granting network access. Only compliant devices will be granted access.


What are layer 2 vulnerabilities?

Vulnerabilities present in the data link layer of the OSI model, such as MAC address spoofing, VLAN hopping, and ARP poisoning.


What is a CAM table overflow attack?

An attack that floods a switch's CAM table, causing it to forward traffic to all ports.


What is port security?

A security measure that limits the MAC addresses allowed on a port, mitigating CAM table overflow attacks.


How to limit MAC addresses?

The Cisco switch interface command switchport port-security maximum value, where value is the maximum number of MAC addresses allowed on the port.

How to configure MAC addresses?

The Cisco switch interface command for statically configuring an allowed MAC address: switchport port-security mac-address mac-address {vlan | {access | voice}}.

What are the port security violation modes?

Protect, Restrict, and Shutdown


What is DHCP Starvation Attack?

An attack in which a malicious actor overwhelms the DHCP server with requests until the server has no addresses left to provide.

Securing LAN Elements

Securing various elements within a Local Area Network (LAN), including servers, workstations, and network devices, through measures like firewalls, VPNs, and intrusion prevention systems.


Borderless Network

A network where devices can connect from anywhere without strict physical boundaries, often utilizing wireless and mobile technologies.


Advanced Malware Protection (AMP)

Uses global threat intelligence to provide continuous analysis of files, detecting and blocking advanced malware across the network and endpoints.


Spam blocking

Blocking unwanted or malicious content in email communications.


Switch Flooding

When the destination MAC address is not in the CAM table, the switch floods the frame out all ports in the VLAN.

macof

A tool used to flood a CAM table with bogus MAC addresses.


DHCP Spoofing Attack

A DHCP attack where a malicious actor sends spoofed DHCP responses to clients, providing them with incorrect network configuration information, such as a fake gateway or DNS server.


Port Security Countermeasure

Port security is the countermeasure for CAM table attacks: it limits the number and identity of MAC addresses allowed on a port.

Learning MAC Addresses Dynamically

The switch learns the MAC addresses of connected devices dynamically as they send frames; dynamically learned secure addresses are not saved to the configuration.

Sticky Learning

Dynamically learns MAC addresses and adds them to the running configuration.

DHCP Snooping

A security feature that inspects DHCP traffic to filter out malicious DHCP messages and prevent DHCP attacks.


DHCP Snooping Trust

Marks an interface as trusted or untrusted for DHCP traffic; DHCP server messages are accepted only on trusted interfaces.

Study Notes

Introduction to Securing the Local Area Network

  • Chapter 6 focuses on securing the Local Area Network (LAN).
  • Key areas of focus include endpoint security and addressing Layer 2 security threats.

Endpoint Security (Section 6.1)

  • Describes endpoint security.
  • Explains the enabling technologies.
  • Explains how Cisco AMP and Cisco NAC protect endpoints, authenticate users, and enforce network security policy.

LAN Elements

  • LAN elements include:
    • Internet
    • VPN
    • Firewall
    • ESA/WSA
    • DNS
    • IPS
    • Web Server
    • Email Server
    • Hosts
    • ACS

Traditional Endpoint Security

  • Host-Based Protection is provided by:
    • Antivirus/Antimalware Software
    • Host-Based IPS
    • Host-Based Firewall

Securing Endpoints in the Borderless Network

  • Crucial post-attack questions include where the malware came from, what its method was, which systems were affected, and what its impact was.
  • It is also crucial to know whether the threat can be stopped and the root cause eliminated.
  • It is crucial to know how to recover and how to prevent future occurrences.
  • Host-based protection includes antivirus/antimalware, spam filtering, URL filtering, and blacklisting.

Modern Endpoint Security Solutions

  • Modern solutions include:
    • AMP (Advanced Malware Protection)
    • NAC (Network Admission Control)
    • ESA (Email Security Appliance)
    • WSA (Web Security Appliance)

Antimalware Protection

  • Advanced Malware Protection occurs during 3 phases:
    • Before: Discover, Enforce, Harden
    • During: Detect, Block, Defend
    • After: Scope, Contain, Remediate

AMP and Managed Threat Defense

  • Talos security teams gather real-time threat intelligence from:
    • 1.6 million security devices, including firewalls, IPS, web and email appliances
    • 150 million endpoints
  • They analyze 100 TB of security intelligence daily.
  • They analyze 13 billion web requests per day.
  • They analyze 35% of the world's enterprise email traffic.

Cisco Email Security Appliance

  • Email Security solutions offer:
    • Spam blocking
    • Advanced malware protection
    • Outbound message control

Cisco Web Security Appliance

  • Flow of a request: the client initiates a request, the appliance inspects it and forwards it to the destination.
  • The reply is sent back to the appliance, which inspects it and then delivers it to the client.

Cisco NAC Functions

  • Functions involve authentication, authorization, and accounting (AAA).
  • Functions use EAP over UDP and EAP over 802.1X to authenticate endpoints.

Layer 2 Security Consideration (Section 6.2)

  • Describes layer 2 vulnerabilities.
  • Describes CAM table overflow attacks.
  • Configuring port security mitigates CAM table overflow attacks.
  • Configuring VLAN trunk security mitigates VLAN hopping attacks.
  • Implementing DHCP snooping and dynamic ARP inspection mitigates DHCP and ARP attacks.
  • Implementing IP Source Guard mitigates address spoofing attacks.

Describe Layer 2 Vulnerabilities

  • Layer 2 vulnerabilities occur at the data link layer.
  • They involve Ethernet frames.
  • A Layer 2 compromise is often the initial compromise from which attacks on higher layers are launched.

Switch Attack Categories

  • Attacks include:
    • CAM Table Attacks
    • VLAN Attacks
    • DHCP Attacks
    • ARP Attacks
    • Address Spoofing Attacks
    • STP Attacks

CAM Table Attacks

  • An attack tool sends frames with bogus source MAC addresses, filling up the CAM table.
  • Once the table is full, the switch floods all traffic for unknown destinations out of every port.
  • The attacker can then capture traffic that the switch would otherwise have delivered only to its destination port.
  • macof (the notes show the invocation macof -1 eth1) is a tool used for CAM table attacks.

Mitigating CAM Table Attacks

  • Port security is the countermeasure for CAM table attacks: it restricts which, and how many, MAC addresses are allowed on a given port.

Port Security

  • Port security is enabled per switch interface.
  • A port can be shut down by port security when a violation occurs.
  • Port security has options for aging of secure addresses and for the maximum number of MAC addresses.
  • The violation mode can be set to protect, restrict, or shutdown.

Enabling Port Security Options

  • The command switchport port-security maximum value sets the maximum number of MAC addresses.
  • The command switchport port-security mac-address mac-address {vlan | { access | voice}} manually configures MAC addresses.
  • The command switchport port-security mac-address sticky dynamically learns connected MAC addresses and adds them to the running configuration.

Port Security Violations

  • Security violation modes include:
    • Protect - Forwards traffic with no Syslog message or counter increase
    • Restrict - Drops packets, sends Syslog message, and increases violation counter
    • Shutdown - Drops packets, sends Syslog message, increases violation counter, and shuts down port

Mitigating DHCP Attacks

  • DHCP starvation: the attacker's client requests and accepts every offer from the DHCP server until the address pool is exhausted and legitimate clients receive no address.
  • DHCP spoofing: a rogue DHCP server answers client address requests with an IP address, subnet mask, default gateway, and lease time chosen by the attacker.

Configuring DHCP Snooping Example

  • The global command ip dhcp snooping enables DHCP snooping.
  • Interfaces facing legitimate DHCP servers are configured as trusted; rate limits are set on interfaces to cap the DHCP packets they may send.
  • A maximum number of MAC addresses can be configured on the interface, and the DHCP snooping configuration can then be verified.
