CNT 216: Module 10 - LAN Security Concepts
Cisco ESA (Email Security Appliance) Functions (5)
1. Block known threats. 2. Remediate against stealth malware that evaded initial detection. 3. Discard emails with bad links (as shown in the figure). 4. Block access to newly infected sites. 5. Encrypt content in outgoing email to prevent data loss.
Describe the steps of a spear phishing attempt against a network that has a Cisco ESA implemented
1. The threat actor sends a phishing email to an important employee of the organization. 2. The firewall forwards the email to the Cisco ESA. 3. The Cisco ESA analyzes the email, logs it, and discards it if it contains malware.
Authenticator (Switch)
802.1X Authentication Process: The switch acts as an intermediary between the client and the authentication server. It requests identifying information from the client, verifies that information with the authentication server, and relays a response to the client. Another device that could act as authenticator is a wireless access point.
Client (supplicant)
802.1X Authentication Process: This is a device running 802.1X-compliant client software, which is available for wired or wireless devices.
IP address spoofing attack
A threat actor constructs an IP packet that appears to originate from a valid address inside the corporate intranet; the legitimate host's IP address is hijacked and used as the packet's source so that replies and trust relationships are misdirected.
spear phishing
A variation of phishing in which the phisher sends fraudulent emails to high-profile organization employees or executives that may have elevated login credentials.
ARP poisoning
An attack that corrupts the ARP caches of hosts on the LAN by sending spoofed ARP replies, so that a victim maps an IP address (typically the default gateway's) to the attacker's MAC address.
DHCP spoofing attack
An attacker configures a rogue DHCP server on the network to issue IP configuration to clients. The rogue server may hand out: - a nefarious (attacker-controlled) DNS server, so clients are directed to malicious websites - an incorrect IP address or gateway --> DoS attack (the client cannot communicate) - the attacker's own address as the default gateway --> MITM attack (the attacker sees the client's traffic)
VLAN hopping
An exploit that allows an attacker on one VLAN to gain access to traffic on other VLANs that would normally not be reachable, for example by negotiating (via DTP) to become a trunk link or by sending double-tagged frames.
What three services are provided by the AAA framework?
Authentication - who are you? Authorization - what are your rights? Accounting - documentation of actions
Because of implemented security controls, a user can only access a server with FTP. Which AAA component accomplishes this?
Authorization; The protocols they are authorized to use have been limited
Which service is enabled on a Cisco router by default that can reveal significant information about the router and potentially make it more vulnerable to attack?
CDP (Cisco Discovery Protocol)
CDP Reconnaissance
CDP advertisements are sent unencrypted and unauthenticated and reveal the device's IP address, IOS software version, platform, capabilities, and native VLAN, so anyone on a directly connected segment can capture them to map the infrastructure. An attacker could also interfere with the network infrastructure by sending crafted CDP frames containing bogus device information to directly connected Cisco devices.
Which Layer 2 attack will result in legitimate users not getting valid IP addresses?
DHCP Starvation
DHCP starvation attack
DoS attack on the DHCP server in which the attacker broadcasts forged DHCP requests (DISCOVER messages, each with a different spoofed client MAC address) to use up all available leases, so legitimate clients cannot obtain an address.
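Added example (not part of the original flashcards): a small simulation of the DHCP spoofing and DHCP starvation cards above, together with the switch-side mitigation, DHCP snooping. The server, pool, ports, MAC addresses and the rate limit of 10 messages per second are all constructed for the example; the snooping rules modelled (server messages dropped on untrusted ports, client MAC must match the DHCP chaddr, port err-disabled when the rate limit is exceeded) correspond to IOS `ip dhcp snooping trust`, `ip dhcp snooping verify mac-address` and `ip dhcp snooping limit rate`, but the model is deliberately simplified.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class DhcpMsg:
    kind: str      # DISCOVER, REQUEST (client) or OFFER, ACK, NAK (server)
    port: str      # switch port the message arrived on
    src_mac: str   # Ethernet source address of the frame
    chaddr: str    # client hardware address carried inside the DHCP payload
    second: int    # arrival time in whole seconds, for the per-port rate limit


SERVER_KINDS = {"OFFER", "ACK", "NAK"}


class DhcpServer:
    """Minimal lease pool: one address per client MAC, first come first served."""
    def __init__(self, network):
        self.free = [str(h) for h in ipaddress.ip_network(network).hosts()]
        self.leases = {}

    def offer(self, chaddr):
        if chaddr not in self.leases:
            if not self.free:
                return None          # pool exhausted: this is the starvation outcome
            self.leases[chaddr] = self.free.pop(0)
        return self.leases[chaddr]


class SnoopingSwitch:
    """Simplified DHCP snooping. Trusted ports pass everything. Untrusted ports may
    not send server messages, must use a chaddr equal to the frame source MAC, and
    are err-disabled once they exceed rate_limit DHCP messages within one second."""
    def __init__(self, trusted_ports, rate_limit):
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit
        self.seen = defaultdict(int)     # (port, second) -> DHCP messages counted
        self.err_disabled = set()
        self.drops = []                  # (reason, port) for every dropped message

    def admit(self, msg):
        if msg.port in self.err_disabled:
            return False
        if msg.port in self.trusted:
            return True
        if msg.kind in SERVER_KINDS:                    # rogue DHCP server
            self.drops.append(("rogue-server", msg.port))
            return False
        if msg.src_mac != msg.chaddr:                   # forged client identity
            self.drops.append(("chaddr-mismatch", msg.port))
            return False
        self.seen[(msg.port, msg.second)] += 1
        if self.seen[(msg.port, msg.second)] > self.rate_limit:
            self.err_disabled.add(msg.port)             # starvation attempt
            self.drops.append(("rate-limit", msg.port))
            return False
        return True


def scenario(snooping):
    """Run a starvation attack and a rogue OFFER, with or without DHCP snooping."""
    server = DhcpServer("192.168.10.0/28")                        # 14 usable addresses
    sw = SnoopingSwitch(trusted_ports={"Gi0/1"}, rate_limit=10)   # Gi0/1 faces the real server
    # Attacker on Fa0/1 fires 20 DISCOVERs, each with a fresh spoofed MAC in frame and payload.
    for i in range(20):
        mac = f"02:00:00:00:00:{i:02x}"
        msg = DhcpMsg("DISCOVER", "Fa0/1", mac, mac, second=0)
        if not snooping or sw.admit(msg):
            server.offer(mac)
    # A legitimate client on Fa0/2 then asks for an address.
    victim_mac = "aa:bb:cc:dd:ee:01"
    victim = DhcpMsg("DISCOVER", "Fa0/2", victim_mac, victim_mac, second=1)
    victim_ip = server.offer(victim_mac) if (not snooping or sw.admit(victim)) else None
    # A rogue server on Fa0/3 tries to answer the victim with its own OFFER.
    rogue = DhcpMsg("OFFER", "Fa0/3", "02:ba:d0:00:00:01", victim_mac, second=1)
    rogue_delivered = not snooping or sw.admit(rogue)
    return {
        "attacker_leases": sum(m.startswith("02:00:00:00:00:") for m in server.leases),
        "victim_ip": victim_ip,
        "rogue_offer_delivered": rogue_delivered,
        "err_disabled": sorted(sw.err_disabled),
    }


if __name__ == "__main__":
    print("without snooping:", scenario(False))
    print("with snooping:   ", scenario(True))
```

Without snooping the attacker takes all 14 leases, the legitimate client gets nothing, and the rogue OFFER reaches it; with snooping the attacker's port is err-disabled after 10 messages, the client still receives an address, and the rogue OFFER is dropped because it arrived on an untrusted port.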
VLAN Attack Mitigation (3 things)
Disable trunking on all access ports. Disable auto trunking on trunk links so that trunks must be manually enabled. Be sure that the native VLAN is only used for trunk links.
Which device monitors SMTP traffic to block threats and encrypt outgoing messages to prevent data loss?
ESA
Which Cisco solution helps prevent MAC and IP address spoofing attacks?
IP Source Guard
Why is authentication with AAA preferred over a local database method?
It provides a fallback authentication method if the administrator forgets the username or password.
When security is a concern, which OSI Layer is considered to be the weakest link in a network system?
Layer 2
Which Layer 2 attack will result in a switch flooding incoming frames to all ports?
MAC address table overflow (MAC flooding): once the table is full the switch can no longer learn new source addresses, so frames for unknown destinations are flooded out all ports and the attacker can capture traffic meant for other hosts.
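Added example (not from the original flashcards): a toy switch that shows why a full MAC address table turns a switch into a hub for traffic between hosts it never learned, and how a per-port address limit stops it. The ports, hosts, table capacity of 100 entries and the frame counts are constructed; the mitigation modelled is port security with a maximum MAC count and a "shutdown" violation action (IOS `switchport port-security maximum` / `violation shutdown`), which is an assumption about the mitigation, not something the card above states.

```python
from collections import defaultdict


class Switch:
    """Switch with a fixed-size MAC address table and optional port security.
    capacity: entries the MAC table can hold.
    secure_max: MAC addresses allowed per port (None disables port security)."""
    def __init__(self, ports, capacity, secure_max=None):
        self.ports = list(ports)
        self.capacity = capacity
        self.mac_table = {}                   # source MAC -> port it was learned on
        self.secure_max = secure_max
        self.secure_macs = defaultdict(set)   # port -> MACs port security has accepted
        self.shutdown = set()                 # ports err-disabled by a violation

    def receive(self, in_port, src_mac, dst_mac):
        """Process one frame; return the list of egress ports (empty means dropped)."""
        if in_port in self.shutdown:
            return []
        if self.secure_max is not None and src_mac not in self.secure_macs[in_port]:
            if len(self.secure_macs[in_port]) >= self.secure_max:
                self.shutdown.add(in_port)    # violation mode "shutdown": port goes err-disabled
                return []
            self.secure_macs[in_port].add(src_mac)
        # Learning: a full table simply stops learning new sources.
        if src_mac not in self.mac_table and len(self.mac_table) < self.capacity:
            self.mac_table[src_mac] = in_port
        # Forwarding: a known destination goes to one port, an unknown one is flooded.
        if dst_mac in self.mac_table:
            return [self.mac_table[dst_mac]]
        return [p for p in self.ports if p != in_port and p not in self.shutdown]


def scenario(secure_max=None):
    """Attacker on Fa0/1 floods bogus sources, then two legitimate hosts exchange frames."""
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"], capacity=100, secure_max=secure_max)
    host_a, host_b = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02"   # constructed addresses
    for i in range(150):                                         # 150 frames, 150 fake MACs
        bogus = f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"
        sw.receive("Fa0/1", bogus, "02:ff:ff:ff:ff:ff")
    sw.receive("Fa0/3", host_b, host_a)          # B (Fa0/3) sends to A
    egress = sw.receive("Fa0/2", host_a, host_b)  # A (Fa0/2) replies to B
    return {"a_to_b_egress": egress,
            "table_size": len(sw.mac_table),
            "shutdown": sorted(sw.shutdown)}


if __name__ == "__main__":
    print("no port security:", scenario())
    print("port-security max 1:", scenario(secure_max=1))
```

Without port security the table fills with the attacker's addresses, B and A are never learned, and A's reply is flooded to Fa0/1 as well as Fa0/3; with a limit of one MAC per port the attacker's second bogus source err-disables Fa0/1 and A's reply goes only to B's port.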
Which attack encrypts the data on hosts in an attempt to extract a monetary payment from the victim?
Ransomware
What two protocols are supported on Cisco devices for AAA communications?
TACACS+ & RADIUS
VLAN Double Tagging Attack
The attacker, connected to an access port that belongs to the native VLAN of the trunk, sends a frame carrying two 802.1Q tags: the outer tag is the native VLAN of the switch and the inner tag is the victim VLAN. The first switch treats the frame as native VLAN traffic, which travels across the trunk untagged, so it strips the outer tag and exposes the inner one. The second switch sees only the inner tag and forwards the frame onto the victim VLAN. The attack works in one direction only (the victim cannot reply to the attacker this way) and is defeated by keeping the native VLAN off all access ports, as in the mitigation listed above.
Authentication Server
The server validates the identity of the client and notifies the switch or wireless access point that the client is or is not authorized to access the LAN and switch services.
Data Breach
This is an attack in which an organization's data servers or hosts are compromised to steal confidential information.
Malware
This is an attack in which an organization's hosts are infected with malicious software that causes a variety of problems. For example, ransomware such as WannaCry, shown in the figure, encrypts the data on a host and locks access to it until a ransom is paid.
Which devices are specifically designed for network security?
VPN-enabled router, NGFW, and NAC
Which device monitors HTTP traffic to block access to risky sites and enforce acceptable use policies?
WSA
Today endpoints are best protected by...
a combination of NAC, host-based AMP software, an email security appliance (ESA), and a web security appliance (WSA)
Distributed Denial of Service (DDoS)
a coordinated attack from many devices, called zombies, with the intention of degrading or halting public access to an organization's website and resources.
Cisco ESA (Email Security Appliance)
a device that is designed to monitor Simple Mail Transfer Protocol (SMTP). It is constantly updated by real-time feeds from Cisco Talos, which detects and correlates threats and solutions using a worldwide database monitoring system. This threat intelligence data is pulled by the Cisco ESA every three to five minutes.
IEEE 802.1X
a port-based access control and authentication protocol. This protocol restricts unauthorized workstations from connecting to a LAN through publicly accessible switch ports. The authentication server authenticates each workstation that is connected to a switch port before making available any services offered by the switch or the LAN.
Address Spoofing
attacks occur when the threat actor changes the MAC and/or IP address of the threat actor's device to pose as another legitimate device, such as the default gateway
NAC (Network Access Control) Device
device includes authentication, authorization, and accounting (AAA) services. In larger enterprises, these services might be incorporated into an appliance that can manage access policies across a wide variety of users and device types. The Cisco Identity Services Engine (ISE) is an example
phishing attack
entices the user to click a link or open an attachment in order to obtain sensitive information such as login credentials
Cisco WSA (Web Security Appliance)
mitigation technology for web-based threats. It helps organizations address the challenges of securing and controlling web traffic. The Cisco WSA combines advanced malware protection, application visibility and control, acceptable use policy controls, and reporting.
VPN-Enabled Router
provides a secure connection to remote users across a public network and into the enterprise network. VPN services can be integrated into the firewall.
NGFW (Next Generation Firewall)
provides stateful packet inspection, application visibility and control, a next-generation intrusion prevention system (NGIPS), advanced malware protection (AMP), and URL filtering.
STP Attack
the attacking host broadcasts STP bridge protocol data units (BPDUs) containing configuration and topology changes that will force spanning-tree recalculations, as shown in the figure. The BPDUs sent by the attacking host announce a lower bridge priority in an attempt to be elected as the root bridge.
no cdp run
turns off CDP for the entire router (global configuration mode); mitigates CDP reconnaissance attacks
no cdp enable
turns off CDP on a specific interface (interface configuration mode); mitigates CDP reconnaissance attacks while leaving CDP available on other interfaces
ARP spoofing
uses false gratuitous ARP replies to map any IP address to any MAC address (typically the attacker's), poisoning the ARP caches of neighbouring hosts so their traffic is sent to the attacker
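Added example (not part of the original flashcards) for the ARP poisoning and ARP spoofing cards: it builds and parses raw ARP packets in the RFC 826 Ethernet/IPv4 layout, shows how an unsolicited (gratuitous) reply overwrites a victim's cache entry for the gateway, and checks each ARP against a binding table the way Dynamic ARP Inspection does, which is the usual mitigation (an assumption here, not something the cards state). The hosts, MAC and IP addresses, ports and the binding table are constructed; a real DAI deployment takes its bindings from DHCP snooping.

```python
import struct
from ipaddress import IPv4Address

ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """28-byte ARP packet: htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac_bytes(sender_mac) + IPv4Address(sender_ip).packed
            + mac_bytes(target_mac) + IPv4Address(target_ip).packed)


def parse_arp(pkt):
    """Decode an Ethernet/IPv4 ARP packet into a dict; reject anything else."""
    if len(pkt) < 28:
        raise ValueError("ARP packet too short")
    htype, ptype, hlen, plen, op = struct.unpack_from("!HHBBH", pkt, 0)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op,
            "sender_mac": mac_text(pkt[8:14]), "sender_ip": str(IPv4Address(pkt[14:18])),
            "target_mac": mac_text(pkt[18:24]), "target_ip": str(IPv4Address(pkt[24:28]))}


class Host:
    """Victim behaviour: any ARP reply, solicited or not, updates the cache entry."""
    def __init__(self):
        self.arp_cache = {}          # IP -> MAC

    def on_arp(self, pkt):
        arp = parse_arp(pkt)
        if arp["op"] == ARP_REPLY:
            self.arp_cache[arp["sender_ip"]] = arp["sender_mac"]


def dai_admit(pkt, in_port, trusted_ports, bindings):
    """Dynamic ARP Inspection: trusted ports pass; an untrusted port may only claim
    an (IP, MAC) pair that the binding table records for that port."""
    if in_port in trusted_ports:
        return True
    arp = parse_arp(pkt)
    return (arp["sender_ip"], arp["sender_mac"]) in bindings.get(in_port, set())


# Constructed topology: gateway on the trusted uplink, victim on Fa0/2, attacker on Fa0/5.
GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "00:11:22:33:44:01"
VICTIM_IP, VICTIM_MAC = "10.0.0.10", "00:11:22:33:44:0a"
ATTACKER_IP, ATTACKER_MAC = "10.0.0.23", "02:de:ad:be:ef:17"
TRUSTED = {"Gi0/1"}
BINDINGS = {"Fa0/2": {(VICTIM_IP, VICTIM_MAC)}, "Fa0/5": {(ATTACKER_IP, ATTACKER_MAC)}}


def scenario(dai_enabled):
    """Return the MAC the victim ends up using for the gateway."""
    victim = Host()
    legit = build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, "ff:ff:ff:ff:ff:ff", GATEWAY_IP)
    spoof = build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    for pkt, port in ((legit, "Gi0/1"), (spoof, "Fa0/5")):
        if not dai_enabled or dai_admit(pkt, port, TRUSTED, BINDINGS):
            victim.on_arp(pkt)
    return victim.arp_cache[GATEWAY_IP]


if __name__ == "__main__":
    print("gateway MAC in victim cache, no DAI:  ", scenario(False))
    print("gateway MAC in victim cache, with DAI:", scenario(True))
```

Without inspection the attacker's gratuitous reply wins and the victim sends gateway-bound traffic to the attacker's MAC; with DAI the reply from Fa0/5 is dropped because that port's binding only allows the attacker to speak for 10.0.0.23, so the victim keeps the real gateway MAC.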