Lecture CCNA Security - Chapter 6: Securing the Local Area Network
The following will be discussed in this chapter: describe endpoint security with IronPort; describe endpoint security with Network Admission Control; describe endpoint security with Cisco Security Agent; describe MAC address spoofing attacks, STP manipulation attacks, MAC address overflow attacks, LAN storm attacks, and VLAN attacks; ...
- Chapter 6: Securing the Local Area Network (CCNA Security)
- Objectives
• Describe endpoint security with IronPort.
• Describe endpoint security with Network Admission Control.
• Describe endpoint security with Cisco Security Agent.
• Describe MAC address spoofing attacks, STP manipulation attacks, MAC address overflow attacks, LAN storm attacks, and VLAN attacks.
• Describe specific mitigation techniques for Layer 2 attacks.
• Configure port security, BPDU guard, root guard, storm control, SPAN, RSPAN and PVLAN Edge.
• Describe wireless, VoIP, and SAN security considerations.
• Describe wireless, VoIP, and SAN security solutions.
Bach Khoa Information Technology Academy - Website: www.bkacad.com
- Introducing Endpoint Security
Areas of concentration:
• Securing endpoints
• Securing network infrastructure
(Diagram: the perimeter, with firewall, VPN, IPS, IronPort, MARS and ACS between the Internet and the LAN; hosts, web server, e-mail server and DNS inside the LAN.)
- Introducing Endpoint Security (refer to 6.1.1.1)
• What is the idea behind the LAN-to-perimeter security strategy?
• "The LAN-to-perimeter security strategy is based on the idea that if users are not practicing security in their desktop operations, no amount of security precautions will guarantee a secure network."
- Addressing Endpoint Security
Based on three elements:
• Cisco Network Admission Control (NAC)
• Endpoint protection
• Network infection containment
(Diagram: a secure host rests on policy compliance, threat protection and infection containment.)
- Introducing Endpoint Security (refer to 6.1.1.2)
1. What is the borderless network?
2. What is the benefit of cloud computing?
3. What are the two major components of traditional network security?
4. What is the SecureX architecture?
- Operating Systems Basic Security Services (refer to 6.1.1.3)
1. Trusted code and trusted path – ensures that the integrity of the operating system is not violated, using hash message authentication codes (HMACs) or digital signatures.
2. Privileged context of execution – provides identity authentication and certain privileges based on the identity.
3. Process memory protection and isolation – provides separation from other users and their data.
4. Access control to resources – ensures confidentiality and integrity of data.
- Example: Verify the Integrity of Windows Vista System Files
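As an added illustration of the trusted-code service above (this is example code, not part of the lecture), the following Python builds an HMAC-protected integrity manifest for a set of files and then verifies a tampered copy, reporting modified, missing and unexpected files. File names, contents and the key are constructed in-memory samples, not real Windows system files.

```python
import hashlib
import hmac
import json

# Constructed sample "system files": hypothetical names and contents, in memory.
BASELINE_FILES = {
    "system32/kernel.sys": b"trusted kernel image v1",
    "system32/auth.dll": b"authentication library v1",
    "system32/netsh.exe": b"network shell v1",
}

def build_manifest(files, key):
    """Hash each file and protect the hash list with HMAC-SHA256.
    The key is the trust anchor: changing a file and its manifest entry
    without the key yields a manifest whose MAC no longer verifies."""
    digests = {p: hashlib.sha256(d).hexdigest() for p, d in sorted(files.items())}
    canonical = json.dumps(digests, sort_keys=True).encode()
    return {"files": digests, "mac": hmac.new(key, canonical, hashlib.sha256).hexdigest()}

def verify_files(files, manifest, key):
    """Check the manifest MAC first, then every listed file.
    Returns manifest_valid plus modified / missing / unexpected paths."""
    canonical = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    # compare_digest: constant-time comparison of the two MAC values.
    if not hmac.compare_digest(expected, manifest["mac"]):
        return {"manifest_valid": False, "modified": [], "missing": [], "unexpected": []}
    modified, missing = [], []
    for path, digest in manifest["files"].items():
        if path not in files:
            missing.append(path)
        elif hashlib.sha256(files[path]).hexdigest() != digest:
            modified.append(path)
    unexpected = sorted(set(files) - set(manifest["files"]))
    return {"manifest_valid": True, "modified": modified,
            "missing": missing, "unexpected": unexpected}

def demo():
    """Build a baseline, then verify a tampered copy: one file changed,
    one removed, one added. All three show up in the report."""
    key = b"constructed-demo-key"
    manifest = build_manifest(BASELINE_FILES, key)
    tampered = dict(BASELINE_FILES)
    tampered["system32/auth.dll"] = b"authentication library v1 (modified)"
    del tampered["system32/netsh.exe"]
    tampered["system32/extra.dll"] = b"file not in the baseline"
    return verify_files(tampered, manifest, key)

if __name__ == "__main__":
    print(demo())
```

In practice the key (or a signing key for a digital signature) must be stored away from the files it protects, otherwise whoever modifies the files can also re-sign the manifest.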
- Types of Application Attacks (refer to 6.1.1.4)
• Modern operating systems provide each process with an identity and privileges.
• Privilege switching is possible during program operation or during a single login session.
• A few techniques that help protect an endpoint from operating system vulnerabilities:
1. Least privilege concept
2. Isolation between processes
3. Reference monitor
4. Small, verifiable pieces of code
- Types of Application Attacks
• Direct: "I have gained direct access to this application's privileges."
• Indirect: "I have gained access to this system, which is trusted by the other system, allowing me to access it."
- Cisco Systems Endpoint Security Solutions: Cisco Security Agent, IronPort, Cisco NAC
- Other Vendor Endpoint Security Solutions
- Cisco IronPort Products (refer to 6.1.2.1)
IronPort uses SenderBase, the world's largest threat detection database, to help provide preventive and reactive security measures. IronPort products include:
• C-Series: an e-mail security appliance for virus and spam control
• S-Series: a web security appliance for spyware filtering, URL filtering, and anti-malware
• M-Series: a security management appliance
- http://www.senderbase.org/
- IronPort C-Series
(Diagram, before and after IronPort. Before: Internet, firewall, then separate encryption platform, DLP scanner, MTA, antispam and antivirus components in front of groupware and users. After: Internet, firewall, then a single IronPort E-mail Security Appliance with DLP policy manager, policy enforcement and mail routing in front of groupware and users.)
- IronPort S-Series
(Diagram, before and after IronPort. Before: Internet, firewall, then separate web proxy, antispyware, antivirus, antiphishing, URL filtering and policy management components in front of users. After: Internet, firewall, then a single IronPort S-Series appliance in front of users.)
- Endpoint Security with Network Admission Control (refer to 6.1.3)
The purpose of NAC: allow only authorized and compliant systems to access the network, to enforce network security policy.
NAC Framework:
• Software module embedded within NAC-enabled products
• Integrated framework leveraging multiple Cisco and NAC-aware vendor products
Cisco NAC Appliance:
• In-band Cisco NAC Appliance solution can be used on any switch or router platform
• Self-contained, turnkey solution
- The NAC Framework
(Diagram: hosts attempting network access, network access devices as enforcement points, policy servers as decision points, and vendor remediation servers. The Cisco Trust Agent on the host sends credentials over EAP/UDP, EAP/802.1x or HTTPS; the network access device relays them to the AAA server over RADIUS; the AAA server checks compliance ("Comply?") with the vendor servers and returns access rights and a notification to the host.)
- NAC Components
• Cisco NAC Appliance Server (NAS): serves as an in-band or out-of-band device for network access control
• Cisco NAC Appliance Manager (NAM): centralizes management for administrators, support personnel, and operators
• Cisco NAC Appliance Agent (NAA): optional lightweight client for device-based registry scans in unmanaged environments
• Rule-set updates: scheduled automatic updates for antivirus, critical hotfixes, and other applications