NET-130 (NetAcad Chapter 10)


NAC

A NAC device includes authentication, authorization, and accounting (AAA) services. In larger enterprises, these services might be incorporated into an appliance that can manage access policies across a wide variety of users and device types. The Cisco Identity Services Engine (ISE) is an example of a NAC device.

VPN-Enabled Router

A VPN-enabled router provides a secure connection to remote users across a public network and into the enterprise network. VPN services can be integrated into the firewall.

12. What is involved in an IP address spoofing attack?

A legitimate network IP address is hijacked by a rogue node

4. A threat actor sends a message that causes all other devices to believe the MAC address of the threat actor's device is the default gateway. What type of attack is this?

ARP spoofing

1. Which AAA component is responsible for collecting and reporting usage data for auditing and billing purposes?

Accounting

1. A threat actor changes the MAC address of the threat actor's device to the MAC address of the default gateway. What type of attack is this?

Address Spoofing

NGFW

An NGFW provides stateful packet inspection, application visibility and control, a next-generation intrusion prevention system (NGIPS), advanced malware protection (AMP), and URL filtering.

2. Which AAA component is responsible for controlling who is permitted to access the network?

Authentication

10.2.2 AAA Components

AAA stands for Authentication, Authorization, and Accounting. The AAA concept is similar to using a credit card, as shown in the figure. The credit card identifies who can use it, how much that user can spend, and keeps an account of what items or services the user purchased. AAA provides the primary framework to set up access control on a network device. AAA is a way to control who is permitted to access a network (authenticate), what they can do while they are there (authorize), and to audit what actions they performed while accessing the network (accounting).

Authentication - Who are you?
Authorization - How much can you spend?
Accounting - What did you spend it on?

4. In an 802.1X implementation, which device is responsible for relaying responses?

Authenticator

3. Which AAA component is responsible for determining what the user can access?

Authorization

2. Which service is enabled on a Cisco router by default that can reveal significant information about the router and potentially make it more vulnerable to attack?

CDP

6. A threat actor discovers the IOS version and IP addresses of the local switch. What type of attack is this?

CDP reconnaissance

10.2.6 802.1X

The IEEE 802.1X standard is a port-based access control and authentication protocol. This protocol restricts unauthorized workstations from connecting to a LAN through publicly accessible switch ports. The authentication server authenticates each workstation that is connected to a switch port before making available any services offered by the switch or the LAN. With 802.1X port-based authentication, the devices in the network have specific roles, as shown in the figure.

Client (Supplicant) - This is a device running 802.1X-compliant client software, which is available for wired or wireless devices.
Switch (Authenticator) - The switch acts as an intermediary between the client and the authentication server. It requests identifying information from the client, verifies that information with the authentication server, and relays a response to the client. Another device that could act as authenticator is a wireless access point.
Authentication server - The server validates the identity of the client and notifies the switch or wireless access point that the client is or is not authorized to access the LAN and switch services.

4. Which of the following mitigation techniques prevents ARP spoofing and ARP poisoning attacks?

DAI

5. Which of the following mitigation techniques prevents DHCP starvation and DHCP spoofing attacks?

DHCP snooping

3. A threat actor leases all the available IP addresses on a subnet. What type of attack is this?

DHCP starvation

9. Which Layer 2 attack will result in legitimate users not getting valid IP addresses?

DHCP starvation

3. Which device monitors SMTP traffic to block threats and encrypt outgoing messages to prevent data loss?

ESA

15. What mitigation plan is best for thwarting a DoS attack that is creating a MAC address table overflow?

Enable port security

10.6.1 What did I learn in this module?

Endpoints are particularly susceptible to attacks that originate through email or web browsing, such as DDoS, data breaches, and malware. These endpoints have typically used traditional host-based security features, such as antivirus/antimalware, host-based firewalls, and host-based intrusion prevention systems (HIPSs). Endpoints are best protected by a combination of NAC, host-based AMP software, an email security appliance (ESA), and a web security appliance (WSA). Cisco WSA can perform blacklisting of URLs, URL filtering, malware scanning, URL categorization, web application filtering, and encryption and decryption of web traffic.

AAA controls who is permitted to access a network (authenticate), what they can do while they are there (authorize), and audits what actions they performed while accessing the network (accounting). Authorization uses a set of attributes that describes the user's access to the network. Accounting is combined with AAA authentication: the AAA server keeps a detailed log of exactly what the authenticated user does on the device. The IEEE 802.1X standard is a port-based access control and authentication protocol that restricts unauthorized workstations from connecting to a LAN through publicly accessible switch ports.

If Layer 2 is compromised, then all layers above it are also affected. The first step in mitigating attacks on the Layer 2 infrastructure is to understand the underlying operation of Layer 2 and the Layer 2 solutions: Port Security, DHCP Snooping, DAI, and IPSG. These won't work unless management protocols are secured.

MAC Table Attack: MAC address flooding attacks bombard the switch with fake source MAC addresses until the switch MAC address table is full. At this point, the switch can learn no new addresses, so frames for hosts that are not in the table are treated as unknown unicasts and flooded out all ports on the same VLAN. The threat actor can now capture the frames sent from one host to another on the local LAN or local VLAN. The threat actor uses macof to rapidly generate many random source and destination MAC and IP addresses. To mitigate MAC table overflow attacks, network administrators must implement port security.

VLAN Attack: A VLAN hopping attack enables traffic from one VLAN to be seen by another VLAN without the aid of a router. The threat actor configures a host to act like a switch to take advantage of the automatic trunking port feature enabled by default on most switch ports. A VLAN double-tagging attack is unidirectional and works only when the threat actor is connected to a port residing in the same VLAN as the native VLAN of the trunk port. Double tagging allows the threat actor to send data to hosts or servers on a VLAN that otherwise would be blocked by some type of access control configuration. Return traffic will also be permitted, letting the threat actor communicate with devices on the normally blocked VLAN. VLAN hopping and VLAN double-tagging attacks can be prevented by implementing the following trunk security guidelines: Disable trunking on all access ports. Disable auto trunking on trunk links so that trunks must be manually enabled. Be sure that the native VLAN is only used for trunk links.

DHCP Attack: DHCP servers dynamically provide IP configuration information including IP address, subnet mask, default gateway, DNS servers, and more to clients. Two types of DHCP attacks are DHCP starvation and DHCP spoofing. Both attacks are mitigated by implementing DHCP snooping.

ARP Attack: A threat actor sends a gratuitous ARP message containing a spoofed IP-to-MAC mapping, and every host on the subnet updates its ARP table accordingly. The threat actor sends unsolicited ARP Replies to other hosts on the subnet with the MAC address of the threat actor and the IP address of the default gateway. ARP spoofing and ARP poisoning are mitigated by implementing DAI.

Address Spoofing Attack: IP address spoofing is when a threat actor hijacks a valid IP address of another device on the subnet or uses a random IP address. MAC address spoofing attacks occur when the threat actors alter the MAC address of their host to match another known MAC address of a target host. IP and MAC address spoofing can be mitigated by implementing IPSG.

STP Attack: Threat actors manipulate STP to conduct an attack by spoofing the root bridge and changing the topology of a network. Threat actors make their hosts appear as root bridges, thereby capturing all traffic for the immediate switched domain. This STP attack is mitigated by implementing BPDU Guard on all access ports.

CDP Reconnaissance: CDP information is sent out CDP-enabled ports in a periodic, unencrypted multicast. CDP information includes the IP address of the device, IOS software version, platform, capabilities, and the native VLAN. The device receiving the CDP message updates its CDP database. The information provided by CDP can also be used by a threat actor to discover network infrastructure vulnerabilities. To mitigate the exploitation of CDP, limit the use of CDP on devices or ports.
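The MAC table attack and its port security mitigation, as an added example that is not part of the NetAcad module: a small Python model of a switch MAC table replays a macof-style flood from an attacker on Fa0/3, first with no protection and then with port security limiting Fa0/3 to one secure MAC in shutdown violation mode. The CAM size (256 entries), port names, MAC addresses and the simplified learning/flooding rules are constructed assumptions for the demo.

```python
# Added example (not NetAcad code): a toy switch model that replays the
# MAC address table overflow attack and shows port security stopping it.
# The CAM size, port names and MAC addresses below are constructed for the demo.
import random


class Switch:
    def __init__(self, table_size, port_security=None):
        self.table_size = table_size              # assumed CAM capacity (tiny for the demo)
        self.mac_table = {}                       # source MAC -> ingress port
        self.port_security = port_security or {}  # port -> maximum secure MACs
        self.secure_macs = {}                     # port -> MACs learned as secure
        self.err_disabled = set()                 # ports shut down by a violation

    def receive(self, in_port, src_mac, dst_mac, ports):
        """Process one frame and return the list of egress ports ([] if dropped)."""
        if in_port in self.err_disabled:
            return []
        limit = self.port_security.get(in_port)
        if limit is not None:                     # port security, violation mode shutdown
            learned = self.secure_macs.setdefault(in_port, set())
            if src_mac not in learned:
                if len(learned) >= limit:
                    self.err_disabled.add(in_port)
                    return []
                learned.add(src_mac)
        # Learn the source MAC while the table has room; a full table learns nothing new.
        if src_mac not in self.mac_table and len(self.mac_table) < self.table_size:
            self.mac_table[src_mac] = in_port
        out = self.mac_table.get(dst_mac)
        if out is None:                           # unknown unicast or broadcast: flood the VLAN
            return [p for p in ports if p != in_port and p not in self.err_disabled]
        return [] if out == in_port else [out]


def random_mac():
    return ":".join("%02x" % random.randrange(256) for _ in range(6))


def run_scenario(port_security_max=None, seed=1):
    """Replay a macof-style flood from Fa0/3 and report what the attacker can see."""
    random.seed(seed)
    ports = ["Fa0/1", "Fa0/2", "Fa0/3"]
    ps = {"Fa0/3": port_security_max} if port_security_max else {}
    sw = Switch(table_size=256, port_security=ps)
    pc1, pc2 = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"
    # 1. The threat actor floods thousands of frames with random source MACs.
    for _ in range(5000):
        sw.receive("Fa0/3", random_mac(), "ff:ff:ff:ff:ff:ff", ports)
    # 2. PC2 sends a frame; the switch tries to learn its MAC on Fa0/2.
    sw.receive("Fa0/2", pc2, pc1, ports)
    # 3. PC1 replies to PC2. With a full table this unicast is flooded to Fa0/3 too.
    egress = sw.receive("Fa0/1", pc1, pc2, ports)
    return {
        "table_full": len(sw.mac_table) >= sw.table_size,
        "attacker_sees_pc1_to_pc2": "Fa0/3" in egress,
        "attacker_port_err_disabled": "Fa0/3" in sw.err_disabled,
    }


if __name__ == "__main__":
    print("no port security:", run_scenario())
    print("port security maximum 1 on Fa0/3:", run_scenario(port_security_max=1))
```

Without port security the table fills and PC1's unicast to PC2 is copied out Fa0/3, which is exactly what the attacker wants; with a maximum of one secure MAC, the second bogus source address shuts the port, the table stays small, and the PC1-to-PC2 frame leaves only on Fa0/2.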

7. Which Cisco solution helps prevent MAC and IP address spoofing attacks?

IP Source Guard

3. Which of the following mitigation techniques prevents MAC and IP address spoofing?

IPSG

5. Why is authentication with AAA preferred over a local database method?

It provides a fallback authentication method if the administrator forgets the username or password

10.1.3 Endpoint Protection

LAN devices such as switches, wireless LAN controllers (WLCs), and other access point (AP) devices interconnect endpoints. Most of these devices are susceptible to the LAN-related attacks that are covered in this module. But many attacks can also originate from inside the network. If an internal host is infiltrated, it can become a starting point for a threat actor to gain access to critical system devices, such as servers and sensitive data. Endpoints are hosts which commonly consist of laptops, desktops, servers, and IP phones, as well as employee-owned devices that are typically referred to as bring your own devices (BYODs). Endpoints are particularly susceptible to malware-related attacks that originate through email or web browsing. These endpoints have typically used traditional host-based security features, such as antivirus/antimalware, host-based firewalls, and host-based intrusion prevention systems (HIPSs). However, today endpoints are best protected by a combination of NAC, host-based AMP software, an email security appliance (ESA), and a web security appliance (WSA). Advanced Malware Protection (AMP) products include endpoint solutions such as Cisco AMP for Endpoints. The figure is a simple topology representing all the network security devices and endpoint solutions discussed in this module.

3. When security is a concern, which OSI Layer is considered to be the weakest link in a network system?​

Layer 2

10.3.2 Switch Attack Categories Security is only as strong as the weakest link in the system, and Layer 2 is considered to be that weak link. This is because LANs were traditionally under the administrative control of a single organization. We inherently trusted all persons and devices connected to our LAN. Today, with BYOD and more sophisticated attacks, our LANs have become more vulnerable to penetration. Therefore, in addition to protecting Layer 3 to Layer 7, network security professionals must also mitigate attacks to the Layer 2 LAN infrastructure. The first step in mitigating attacks on the Layer 2 infrastructure is to understand the underlying operation of Layer 2 and the threats posed by the Layer 2 infrastructure. Attacks against the Layer 2 LAN infrastructure are described in the table and are discussed in more detail later in this module.

Layer 2 Attacks
MAC Table Attacks - Includes MAC address flooding attacks.
VLAN Attacks - Includes VLAN hopping and VLAN double-tagging attacks. It also includes attacks between devices on a common VLAN.
DHCP Attacks - Includes DHCP starvation and DHCP spoofing attacks.
ARP Attacks - Includes ARP spoofing and ARP poisoning attacks.
Address Spoofing Attacks - Includes MAC address and IP address spoofing attacks.
STP Attacks - Includes Spanning Tree Protocol manipulation attacks.

10.2.3 Authentication Local and server-based are two common methods of implementing AAA authentication.

Local AAA Authentication

Local AAA stores usernames and passwords locally in a network device such as the Cisco router. Users authenticate against the local database, as shown in the figure. Local AAA is ideal for small networks. In the figure, a remote client connects to a AAA router, is prompted for a username and password, and the router checks its local database before allowing access into the corporate network:

1. The client establishes a connection with the router.
2. The AAA router prompts the user for a username and password.
3. The router authenticates the username and password using the local database, and the user is provided access to the network based on information in the local database.

Server-Based AAA Authentication

With the server-based method, the router accesses a central AAA server, as shown in the figure. The AAA server contains the usernames and passwords for all users. The router uses either the Remote Authentication Dial-In User Service (RADIUS) or Terminal Access Controller Access Control System Plus (TACACS+) protocol to communicate with the AAA server. When there are multiple routers and switches, server-based AAA is more appropriate. In the figure, a remote client connects to a AAA router, is prompted for a username and password, the router authenticates the credentials using a AAA server, and the user is provided access to the network:

1. The client establishes a connection with the router.
2. The AAA router prompts the user for a username and password.
3. The router authenticates the username and password using a AAA server.
4. The user is provided access to the network based on information in the remote AAA server.

4. Which Layer 2 attack will result in a switch flooding incoming frames to all ports?

MAC address overflow

10.2.1 Authentication with a Local Password In the previous topic, you learned that a NAC device provides AAA services. In this topic, you will learn more about AAA and the ways to control access.

Many types of authentication can be performed on networking devices, and each method offers varying levels of security. The simplest method of remote access authentication is to configure a login and password combination on console, vty lines, and aux ports, as shown in the vty lines in the following example. This method is the easiest to implement, but it is also the weakest and least secure. This method provides no accountability and the password is sent in plaintext. Anyone with the password can gain entry to the device.

R1(config)# line vty 0 4
R1(config-line)# password ci5c0
R1(config-line)# login

SSH is a more secure form of remote access:
It requires a username and a password, both of which are encrypted during transmission.
The username and password can be authenticated by the local database method.
It provides more accountability because the username is recorded when a user logs in.

The following example illustrates SSH and local database methods of remote access.

R1(config)# ip domain-name example.com
R1(config)# crypto key generate rsa general-keys modulus 2048
R1(config)# username Admin secret Str0ng3rPa55w0rd
R1(config)# ip ssh version 2
R1(config)# line vty 0 4
R1(config-line)# transport input ssh
R1(config-line)# login local

The local database method has some limitations:
User accounts must be configured locally on each device. In a large enterprise environment with multiple routers and switches to manage, it can take time to implement and change local databases on each device.
The local database configuration provides no fallback authentication method. For example, what if the administrator forgets the username and password for that device? With no backup method available for authentication, password recovery becomes the only option.

A better solution is to have all devices refer to the same database of usernames and passwords from a central server.

10. Which three Cisco products focus on endpoint security solutions? (Choose three.)

NAC Appliance, Email Security Appliance, Web Security Appliance

2. Which of the following mitigation techniques prevents many types of attacks including MAC address table overflow and DHCP starvation attacks?

Port Security

3. What mitigation technique must be implemented to prevent MAC address overflow attacks?

Port security

6. In a server-based AAA implementation, which protocol will allow the router to successfully communicate with the AAA server?

RADIUS

1. What two protocols are supported on Cisco devices for AAA communications? (Choose two.)

RADIUS, TACACS+

1. Which attack encrypts the data on hosts in an attempt to extract a monetary payment from the victim?

Ransomware

2. A threat actor sends a BPDU message with priority 0. What type of attack is this?

STP attack

2. What would be the primary reason a threat actor would launch a MAC address overflow attack?

So that the threat actor can see frames that are destined for other devices.

10.5.7 ARP Attacks

Recall that hosts broadcast ARP Requests to determine the MAC address of a host with a particular IPv4 address. This is typically done to discover the MAC address of the default gateway. All hosts on the subnet receive and process the ARP Request. The host with the matching IPv4 address in the ARP Request sends an ARP Reply. According to the ARP RFC, a client is allowed to send an unsolicited ARP Request called a "gratuitous ARP." When a host sends a gratuitous ARP, other hosts on the subnet store the MAC address and IPv4 address contained in the gratuitous ARP in their ARP tables. The problem is that an attacker can send a gratuitous ARP message containing a spoofed IP-to-MAC mapping, and every host on the subnet updates its ARP table accordingly (the switch likewise learns the attacker's source MAC in its MAC table). Therefore, any host can claim to be the owner of any IP and MAC address combination it chooses. In a typical attack, a threat actor sends unsolicited ARP Replies to other hosts on the subnet with the MAC address of the threat actor and the IPv4 address of the default gateway. There are many tools available on the internet to create ARP man-in-the-middle attacks, including dsniff, Cain & Abel, ettercap, Yersinia, and others. IPv6 uses the ICMPv6 Neighbor Discovery Protocol for Layer 2 address resolution. IPv6 includes strategies to mitigate Neighbor Advertisement spoofing, similar to the way a spoofed ARP Reply is mitigated in IPv4 networks. ARP spoofing and ARP poisoning are mitigated by implementing DAI.

Step 1 Normal State with Converged ARP Tables
Each device has an accurate ARP table with the correct IPv4 and MAC addresses for the other devices on the LAN.
Step 2 ARP Spoofing Attack
The threat actor sends two spoofed gratuitous ARP Replies in an attempt to replace R1 as the default gateway:
1. The first one informs all devices on the LAN that the threat actor's MAC address (CC:CC:CC) maps to R1's IPv4 address, 10.0.0.1.
2. The second one informs all devices on the LAN that the threat actor's MAC address (CC:CC:CC) maps to PC1's IPv4 address, 10.0.0.11.
Step 3 ARP Poisoning Attack with Man-in-the-Middle Attack
R1 and PC1 remove the correct entry for each other's MAC address and replace it with the threat actor's (PC2's) MAC address. The threat actor has now poisoned the ARP caches of all devices on the subnet. ARP poisoning leads to various man-in-the-middle attacks, posing a serious security threat to the network.
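The three steps above, as an added example that is not part of the NetAcad module: a Python replay of the two gratuitous ARP Replies against toy ARP tables for R1 and PC1, run once with no protection and once with a Dynamic ARP Inspection check in front of the untrusted port. The addresses and ports, the DHCP snooping binding table that DAI consults, and the rule that the sender IP/MAC pair must be bound to the very port the ARP arrived on are constructed assumptions of this model.

```python
# Added example (not NetAcad code): the ARP poisoning steps from 10.5.7 replayed
# against toy ARP tables, then replayed with a Dynamic ARP Inspection (DAI) check
# in front of them. Addresses, ports and the snooping binding table are constructed.

R1_IP, R1_MAC = "10.0.0.1", "AA:AA:AA"        # default gateway
PC1_IP, PC1_MAC = "10.0.0.11", "BB:BB:BB"     # victim, on Fa0/1
ATTACKER_MAC = "CC:CC:CC"                     # PC2, the threat actor, on Fa0/2


def converged_arp_tables():
    """Step 1: every host holds the correct IPv4 -> MAC mapping for its peers."""
    return {"R1": {PC1_IP: PC1_MAC}, "PC1": {R1_IP: R1_MAC}}


def spoofed_gratuitous_arps():
    """Step 2: two unsolicited ARP Replies, both claiming the attacker's MAC."""
    return [
        {"sender_ip": R1_IP, "sender_mac": ATTACKER_MAC},   # "CC:CC:CC is 10.0.0.1"
        {"sender_ip": PC1_IP, "sender_mac": ATTACKER_MAC},  # "CC:CC:CC is 10.0.0.11"
    ]


def apply_arp(tables, arp):
    """Hosts overwrite an existing ARP entry with whatever the reply says (no validation)."""
    for table in tables.values():
        if arp["sender_ip"] in table:
            table[arp["sender_ip"]] = arp["sender_mac"]


# DHCP snooping binding table that DAI consults: (IPv4, MAC) pairs the switch learned
# from real DHCP exchanges, with the port each one was learned on (constructed).
SNOOPING_BINDINGS = {(PC1_IP, PC1_MAC): "Fa0/1"}
TRUSTED_PORTS = {"Gi0/1"}                     # uplink to R1; DAI does not inspect it


def dai_permits(arp, in_port):
    """DAI: on an untrusted port the sender IP/MAC pair must match a binding on that port."""
    if in_port in TRUSTED_PORTS:
        return True
    return SNOOPING_BINDINGS.get((arp["sender_ip"], arp["sender_mac"])) == in_port


def run_attack(dai_enabled):
    """Return how R1 and PC1 see each other after the attacker's two replies."""
    tables = converged_arp_tables()
    dropped = 0
    for arp in spoofed_gratuitous_arps():
        if dai_enabled and not dai_permits(arp, "Fa0/2"):
            dropped += 1                      # Step 3 never happens; the caches stay clean
            continue
        apply_arp(tables, arp)
    return {
        "dropped_by_dai": dropped,
        "pc1_thinks_gateway_is": tables["PC1"][R1_IP],
        "r1_thinks_pc1_is": tables["R1"][PC1_IP],
    }


if __name__ == "__main__":
    print("without DAI:", run_attack(dai_enabled=False))   # both caches point at CC:CC:CC
    print("with DAI:   ", run_attack(dai_enabled=True))    # both replies dropped
```

Note that DAI drops the attacker's replies not because they are gratuitous but because neither (10.0.0.1, CC:CC:CC) nor (10.0.0.11, CC:CC:CC) exists in the binding table; PC1's own ARP traffic on Fa0/1 still passes, and the gateway's traffic is never inspected because its uplink is trusted.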

10.5.3 VLAN Double-Tagging Attack A threat actor in specific situations could embed a hidden 802.1Q tag inside the frame that already has an 802.1Q tag. This tag allows the frame to go to a VLAN that the original 802.1Q tag did not specify.

Step 1 The threat actor sends a double-tagged 802.1Q frame to the switch. The outer header has the VLAN tag of the threat actor, which is the same as the native VLAN of the trunk port. For the purposes of this example, assume that this is VLAN 10. The inner tag is the victim VLAN, in this example, VLAN 20.
Step 2 The frame arrives on the first switch, which looks at the first 4-byte 802.1Q tag. The switch sees that the frame is destined for VLAN 10, which is the native VLAN. The switch forwards the frame out all VLAN 10 ports after stripping the VLAN 10 tag. The frame is not retagged on the trunk because it is part of the native VLAN. At this point, the VLAN 20 tag is still intact and has not been inspected by the first switch.
Step 3 The frame arrives at the second switch, which has no knowledge that it was supposed to be for VLAN 10, because native VLAN traffic is not tagged by the sending switch, as specified in the 802.1Q specification. The second switch looks only at the inner 802.1Q tag that the threat actor inserted and sees that the frame is destined for VLAN 20, the target VLAN. The second switch sends the frame on to the target or floods it, depending on whether there is an existing MAC address table entry for the target.

A VLAN double-tagging attack is unidirectional and works only when the attacker is connected to a port residing in the same VLAN as the native VLAN of the trunk port. The idea is that double tagging allows the attacker to send data to hosts or servers on a VLAN that otherwise would be blocked by some type of access control configuration. Presumably the return traffic will also be permitted, thus giving the attacker the ability to communicate with devices on the normally blocked VLAN.

VLAN Attack Mitigation
VLAN hopping and VLAN double-tagging attacks can be prevented by implementing the following trunk security guidelines, as discussed in a previous module:
Disable trunking on all access ports.
Disable auto trunking on trunk links so that trunks must be manually enabled.
Be sure that the native VLAN is only used for trunk links.
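The three steps above, as an added example that is not part of the NetAcad module: Python code that builds the attacker's double-tagged frame as real 802.1Q bytes (TPID 0x8100 plus a TCI per tag) and traces it through a minimal model of the two switches, first with the trunk's native VLAN equal to the attacker's VLAN 10 and then with the native VLAN moved to an unused VLAN 999, which is the "native VLAN only used for trunk links" guideline. The MAC addresses, VLAN numbers and the two-function trunk model are constructed for the demo.

```python
# Added example (not NetAcad code): build the double-tagged 802.1Q frame from
# 10.5.3 as bytes and trace it through a minimal model of the two switches.
# MAC addresses, VLAN numbers and the trunk model are constructed for the demo.
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def vlan_tag(vid, pcp=0):
    """4-byte 802.1Q tag: TPID 0x8100 followed by the TCI (3-bit PCP, DEI, 12-bit VID)."""
    return struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))


def build_frame(dst_mac, src_mac, vids, payload=b"constructed payload"):
    """Ethernet II frame with zero or more 802.1Q tags in front of the EtherType."""
    def mac(text):
        return bytes.fromhex(text.replace(":", ""))
    tags = b"".join(vlan_tag(v) for v in vids)
    return mac(dst_mac) + mac(src_mac) + tags + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_vids(frame):
    """Return every VID in the tag stack, outermost first."""
    offset, vids = 12, []
    while struct.unpack_from("!H", frame, offset)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vids.append(tci & 0x0FFF)
        offset += 4
    return vids


def strip_outer_tag(frame):
    return frame[:12] + frame[16:]


def switch1_trunk_egress(frame, native_vlan):
    """First switch: the frame belongs to its outermost VID (untagged = native VLAN).
    Native-VLAN traffic leaves the trunk untagged, so only the outer tag is removed;
    any inner tag rides along untouched (Step 2)."""
    vids = parse_vids(frame)
    frame_vlan = vids[0] if vids else native_vlan
    if frame_vlan == native_vlan and vids:
        return strip_outer_tag(frame)
    return frame


def switch2_trunk_ingress(frame, native_vlan):
    """Second switch: untagged frames go to the native VLAN, tagged ones to their VID (Step 3)."""
    vids = parse_vids(frame)
    return vids[0] if vids else native_vlan


def double_tag_attack(native_vlan, attacker_vlan=10, victim_vlan=20):
    """VLAN into which the second switch delivers the attacker's frame (Step 1 builds it)."""
    frame = build_frame("ff:ff:ff:ff:ff:ff", "cc:cc:cc:cc:cc:cc", [attacker_vlan, victim_vlan])
    on_trunk = switch1_trunk_egress(frame, native_vlan)
    return switch2_trunk_ingress(on_trunk, native_vlan)


if __name__ == "__main__":
    print("native VLAN 10 (attacker's VLAN):", double_tag_attack(native_vlan=10))   # 20: hopped
    print("native VLAN 999 (unused VLAN):   ", double_tag_attack(native_vlan=999))  # 10: contained
```

With the native VLAN equal to the attacker's VLAN, the first switch strips the VLAN 10 tag and the second switch classifies the frame by the surviving VLAN 20 tag. Once the native VLAN is an unused one, the attacker's frame is not native traffic, keeps its outer tag across the trunk, and is delivered into VLAN 10 where it started.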

10.5.5 DHCP Attacks

Two types of DHCP attacks are DHCP starvation and DHCP spoofing. Both attacks are mitigated by implementing DHCP snooping.

DHCP Starvation Attack
The goal of the DHCP starvation attack is to create a DoS for connecting clients. DHCP starvation attacks require an attack tool such as Gobbler. Gobbler has the ability to look at the entire scope of leasable IP addresses and tries to lease them all. Specifically, it creates DHCP discovery messages with bogus MAC addresses.

DHCP Spoofing Attack
A DHCP spoofing attack occurs when a rogue DHCP server is connected to the network and provides false IP configuration parameters to legitimate clients. A rogue server can provide a variety of misleading information:
Wrong default gateway - The rogue server provides an invalid gateway or the IP address of its host to create a man-in-the-middle attack. This may go entirely undetected as the intruder intercepts the data flow through the network.
Wrong DNS server - The rogue server provides an incorrect DNS server address pointing the user to a nefarious website.
Wrong IP address - The rogue server provides an invalid IP address, effectively creating a DoS attack on the DHCP client.

Step 1 Threat Actor Connects Rogue DHCP Server
A threat actor successfully connects a rogue DHCP server to a switch port on the same subnet and VLAN as the target clients. The goal of the rogue server is to provide clients with false IP configuration information.
Step 2 Client Broadcasts DHCP Discovery Messages
A legitimate client connects to the network and requires IP configuration parameters. Therefore, the client broadcasts a DHCP Discovery request looking for a response from a DHCP server. Both servers will receive the message and respond.
Step 3 Legitimate and Rogue DHCP Reply
The legitimate DHCP server responds with valid IP configuration parameters. However, the rogue server also responds with a DHCP offer containing IP configuration parameters defined by the threat actor. The client will reply to the first offer received.
Step 4 Client Accepts Rogue DHCP Offer
The rogue offer was received first, and therefore, the client broadcasts a DHCP request accepting the IP parameters defined by the threat actor. The legitimate and rogue server will receive the request.
Step 5 Rogue Server Acknowledges
The rogue server unicasts a reply to the client to acknowledge its request. The legitimate server will cease communicating with the client.
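Both DHCP attacks and the DHCP snooping mitigation from 10.5.5, as an added example that is not part of the NetAcad module: a Python model of DHCP snooping run over a constructed sequence of DHCP packets. It drops OFFER/ACK/NAK arriving on untrusted ports (the rogue server from Steps 1 to 5 never gets its offer to the client), rate-limits DHCP from untrusted ports so a Gobbler-style burst of DISCOVERs err-disables the port instead of draining the scope, and records the IP-to-MAC-to-port bindings that DAI and IPSG later consult. The port names, addresses, timestamps, the 15 pps limit and the chaddr check are constructed assumptions for the demo.

```python
# Added example (not NetAcad code): a DHCP snooping model that drops server
# messages from untrusted ports (spoofing), rate-limits DHCP from untrusted ports
# (starvation) and builds the binding table that DAI and IPSG later consult.
# Port names, addresses, timestamps and the rate limit are constructed for the demo.
from collections import Counter

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


class DhcpSnooping:
    def __init__(self, trusted_ports, rate_limit_pps):
        self.trusted = set(trusted_ports)
        self.rate_limit_pps = rate_limit_pps   # assumed: DHCP packets per second per untrusted port
        self.per_second = Counter()            # (port, second) -> DHCP packets seen
        self.pending = {}                      # client MAC -> port it asked from
        self.bindings = {}                     # leased IPv4 -> (client MAC, port)
        self.err_disabled = set()

    def inspect(self, pkt):
        """Return 'FORWARD' or 'DROP' for one DHCP packet."""
        port = pkt["port"]
        if port in self.err_disabled:
            return "DROP"
        if port in self.trusted:
            if pkt["type"] == "ACK":           # a real lease: record the binding
                self.bindings[pkt["yiaddr"]] = (pkt["chaddr"], self.pending.get(pkt["chaddr"]))
            return "FORWARD"
        # Untrusted port: clients only, never servers.
        if pkt["type"] in SERVER_MESSAGES:
            return "DROP"                       # rogue OFFER/ACK/NAK
        if pkt["src_mac"] != pkt["chaddr"]:
            return "DROP"                       # chaddr does not match the frame's source MAC
        key = (port, int(pkt["time"]))
        self.per_second[key] += 1
        if self.per_second[key] > self.rate_limit_pps:
            self.err_disabled.add(port)         # starvation: too many DHCP packets per second
            return "DROP"
        self.pending[pkt["chaddr"]] = port
        return "FORWARD"


def run_demo():
    """Replay a constructed capture and summarise what snooping did with it."""
    snoop = DhcpSnooping(trusted_ports={"Gi0/1"}, rate_limit_pps=15)
    pc1, server, rogue = "aa:aa:aa:aa:aa:01", "ee:ee:ee:ee:ee:01", "cc:cc:cc:cc:cc:02"
    packets = [  # constructed: PC1 on Fa0/1, real server behind Gi0/1, rogue server on Fa0/3
        {"port": "Fa0/1", "time": 0.0, "type": "DISCOVER", "src_mac": pc1, "chaddr": pc1},
        {"port": "Fa0/3", "time": 0.1, "type": "OFFER", "src_mac": rogue, "chaddr": pc1, "yiaddr": "10.0.0.50"},
        {"port": "Gi0/1", "time": 0.2, "type": "OFFER", "src_mac": server, "chaddr": pc1, "yiaddr": "10.0.0.11"},
        {"port": "Fa0/1", "time": 0.3, "type": "REQUEST", "src_mac": pc1, "chaddr": pc1},
        {"port": "Gi0/1", "time": 0.4, "type": "ACK", "src_mac": server, "chaddr": pc1, "yiaddr": "10.0.0.11"},
    ]
    # Gobbler-style starvation: 100 DISCOVERs with fresh MACs within one second on Fa0/4.
    for i in range(100):
        mac = "dd:dd:dd:dd:dd:%02x" % i
        packets.append({"port": "Fa0/4", "time": 5.0 + i / 1000, "type": "DISCOVER",
                        "src_mac": mac, "chaddr": mac})
    verdicts = Counter()
    for pkt in packets:
        verdicts[(pkt["port"], pkt["type"], snoop.inspect(pkt))] += 1
    return {
        "rogue_offer_dropped": verdicts[("Fa0/3", "OFFER", "DROP")] == 1,
        "real_offer_forwarded": verdicts[("Gi0/1", "OFFER", "FORWARD")] == 1,
        "binding_10.0.0.11": snoop.bindings.get("10.0.0.11"),
        "starvation_discovers_forwarded": verdicts[("Fa0/4", "DISCOVER", "FORWARD")],
        "starvation_port_err_disabled": "Fa0/4" in snoop.err_disabled,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The rogue offer on Fa0/3 never reaches PC1, so the race in Steps 3 and 4 is decided by the trusted uplink alone; the ACK that does come through produces the (10.0.0.11, PC1's MAC, Fa0/1) binding that DAI and IP Source Guard check against; and the flood on Fa0/4 gets only its first 15 DISCOVERs through before the port is shut.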

1. What is the behavior of a switch as a result of a successful MAC address table attack?

The switch will forward all received frames to all other ports within the VLAN.

Distributed Denial of Service (DDoS)

This is a coordinated attack from many devices, called zombies, with the intention of degrading or halting public access to an organization's website and resources.

Data Breach

This is an attack in which an organization's data servers or hosts are compromised to steal confidential information.

Malware

This is an attack in which an organization's hosts are infected with malicious software that causes a variety of problems. For example, ransomware such as WannaCry, shown in the figure, encrypts the data on a host and locks access to it until a ransom is paid.

5. A threat actor configures a host with the 802.1Q protocol and forms a trunk with the connected switch. What type of attack is this?

VLAN hopping

1. Which of the following mitigation techniques are used to protect Layer 3 through Layer 7 of the OSI Model? (Choose three.)

VPN, Firewalls, IPS Devices

2. Which devices are specifically designed for network security? (Choose three)

VPN-enabled router, NGFW, NAC

4. Which device monitors HTTP traffic to block access to risky sites and can encrypt and decrypt web traffic?

WSA

13. What three services are provided by the AAA framework? (Choose three.)

authentication, authorization, accounting

14. Because of implemented security controls, a user can only access a server with FTP. Which AAA component accomplishes this?

authorization

8. What is the purpose of AAA accounting?

to collect and report application usage

11. True or False? In the 802.1X standard, the client attempting to access the network is referred to as the supplicant.

true

