Lecture CCNA Security - Chapter 6: Securing the Local Area Network

Shared by: You Can | Date: | File type: PDF | Pages: 143


The following will be discussed in this chapter: Describe endpoint security with IronPort; describe endpoint security with Network Admission Control; describe endpoint security with Cisco Security Agent; describe MAC address spoofing attacks, STP manipulation attacks, MAC address overflow attacks, LAN storm attacks, and VLAN attacks;...


Text content: Lecture CCNA Security - Chapter 6: Securing the Local Area Network

  1. Chapter 6: Securing the Local Area Network (CCNA Security)
  2. Objectives
     • Describe endpoint security with IronPort.
     • Describe endpoint security with Network Admission Control.
     • Describe endpoint security with Cisco Security Agent.
     • Describe MAC address spoofing attacks, STP manipulation attacks, MAC address overflow attacks, LAN storm attacks, and VLAN attacks.
     • Describe specific mitigation techniques for Layer 2 attacks.
     • Configure port security, BPDU guard, root guard, storm control, SPAN, RSPAN and PVLAN Edge.
     • Describe wireless, VoIP, and SAN security considerations.
     • Describe wireless, VoIP, and SAN security solutions.
     Bach Khoa Information Technology Academy - Website: www.bkacad.com
  3. Introducing Endpoint Security
     Areas of concentration:
     • Securing endpoints
     • Securing network infrastructure
     (Diagram: perimeter with Firewall, VPN, IPS, IronPort, MARS and ACS between the Internet and the LAN; hosts, Web server, Email server and DNS inside.)
  4. Introducing Endpoint Security (refer to 6.1.1.1)
     • What is the idea behind the LAN-to-perimeter security strategy?
     • "The LAN-to-perimeter security strategy is based on the idea that if users are not practicing security in their desktop operations, no amount of security precautions will guarantee a secure network."
  5. Addressing Endpoint Security
     Based on three elements:
     • Cisco Network Admission Control (NAC)
     • Endpoint protection
     • Network infection containment
     (Diagram: Policy Compliance, Infection Containment, Secure Host, Threat Protection.)
  6. Introducing Endpoint Security (refer to 6.1.1.2)
     1. What is the borderless network?
     2. What is the benefit of cloud computing?
     3. What are the two major components of traditional network security?
     4. What is the SecureX architecture?
  7. Operating Systems Basic Security Services (refer to 6.1.1.3)
     1. Trusted code and trusted path: ensures that the integrity of the operating system is not violated, using hash message authentication codes (HMACs) or digital signatures.
     2. Privileged context of execution: provides identity authentication and certain privileges based on the identity.
     3. Process memory protection and isolation: provides separation from other users and their data.
     4. Access control to resources: ensures confidentiality and integrity of data.
  8. Example: Verify the Integrity of Windows Vista System Files
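The integrity check that slides 7 and 8 describe (keyed digests over system files, compared against a trusted baseline) can be illustrated with a small file-integrity monitor. This is an added example, not code from the lecture or from Cisco; the file names, contents and key are constructed so the script runs offline in a temporary directory.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed stand-ins for system files (names and bytes are hypothetical).
SAMPLE_FILES = {
    "kernel32.dll": b"MZ constructed kernel library bytes",
    "ntoskrnl.exe": b"MZ constructed kernel executable bytes",
}

def file_hmac(path, key):
    """Keyed SHA-256 digest of a file, streamed so large binaries fit in memory."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()

def build_baseline(root, key):
    """Record a keyed digest for every file under root (relative paths as keys)."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_hmac(full, key)
    return baseline

def verify(root, key, baseline):
    """Compare the tree against the baseline; report modified, missing and new files."""
    current = build_baseline(root, key)
    return {
        "modified": sorted(p for p in baseline if p in current
                           and not hmac.compare_digest(current[p], baseline[p])),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }

def demo():
    """Baseline the sample tree, tamper with it, and return the verification result."""
    # The key must be kept off the monitored host; without it a tamperer cannot
    # forge a matching baseline entry, which a plain unkeyed hash would allow.
    key = b"constructed-demo-key"
    root = tempfile.mkdtemp()
    for name, data in SAMPLE_FILES.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    baseline = build_baseline(root, key)
    with open(os.path.join(root, "kernel32.dll"), "r+b") as f:
        f.write(b"XX")                      # overwrite the first two bytes
    with open(os.path.join(root, "unexpected.sys"), "wb") as f:
        f.write(b"constructed file not present at baseline time")
    return verify(root, key, baseline)
```

A digital signature over the baseline (or over each file, as Windows does with signed catalogs) replaces the shared key with a public verification key, so the check can run without the secret being present on the host.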
  9. Types of Application Attacks (refer to 6.1.1.4)
     • Modern operating systems provide each process with an identity and privileges.
     • Privilege switching is possible during program operation or during a single login session.
     • These are a few techniques that help protect an endpoint from operating system vulnerabilities:
       1. Least privilege concept
       2. Isolation between processes
       3. Reference monitor
       4. Small, verifiable pieces of code
  10. Types of Application Attacks
  11. Types of Application Attacks
     • Direct: "I have gained direct access to this application's privileges."
     • Indirect: "I have gained access to this system, which is trusted by the other system, allowing me to access it."
  12. Cisco Systems Endpoint Security Solutions: Cisco Security Agent, IronPort, Cisco NAC.
  13. Other Vendor Endpoint Security Solutions
  14. Cisco IronPort Products (refer to 6.1.2.1)
     IronPort uses SenderBase, the world's largest threat detection database, to help provide preventive and reactive security measures. IronPort products include:
     • C-Series: an e-mail security appliance for virus and spam control
     • S-Series: a Web security appliance for spyware filtering, URL filtering, and anti-malware
     • M-Series: a security management appliance
  15. http://www.senderbase.org/
  16. IronPort C-Series
     (Diagram contrasting the mail path before and after IronPort: Internet, Firewall, Encryption Platform, DLP Scanner, MTA, Antispam, Antivirus, DLP Policy Manager, Policy Enforcement, Mail Routing, IronPort E-mail Security Appliance, Groupware, Users.)
  17. IronPort S-Series
     (Diagram contrasting the web path before and after IronPort: Internet, Firewall, Web Proxy, Antispyware, Antivirus, Antiphishing, URL Filtering, Policy Management, IronPort S-Series, Users.)
  18. Endpoint Security with Network Admission Control (refer to 6.1.3)
     The purpose of NAC:
     • Allow only authorized and compliant systems to access the network
     • Enforce network security policy
     NAC Framework:
     • Software module embedded within NAC-enabled products
     • Integrated framework leveraging multiple Cisco and NAC-aware vendor products
     Cisco NAC Appliance:
     • In-band Cisco NAC Appliance solution can be used on any switch or router platform
     • Self-contained, turnkey solution
  19. The NAC Framework
     (Diagram: hosts attempting network access present credentials over EAP/UDP, EAP/802.1x or HTTPS to network access devices (enforcement points), which relay them over RADIUS to the policy server decision points (AAA server and vendor servers); the policy server decides "Comply?", returns access rights and a notification via the Cisco Trust Agent, and directs remediation.)
  20. NAC Components
     • Cisco NAC Appliance Server (NAS): serves as an in-band or out-of-band device for network access control
     • Cisco NAC Appliance Manager (NAM): centralizes management for administrators, support personnel, and operators
     • Cisco NAC Appliance Agent (NAA): optional lightweight client for device-based registry scans in unmanaged environments
     • Rule-set updates: scheduled automatic updates for antivirus, critical hotfixes, and other applications