

Event correlation refers to the process of correlating attacks and other events that are happening si-
multaneously at different points across a network. Using Network Time Protocol (NTP) and hav-
ing the devices derive their time from an NTP server enables all alerts generated by the IPS to be
accurately time-stamped. A correlation tool can then correlate the alerts based on their time-
stamps. The administrator should enable NTP on all network devices to time-stamp events with a
common system time. These time-stamps can then be used to accurately assess when specific net-
work events happened in relation to other events, regardless of which device detected the event.
Another factor that facilitates event correlation is deploying a centralized monitoring facility on a
network. By monitoring all IPS events at a single location, an administrator greatly improves the
accuracy of event correlation.
Deploying a product that enables an administrator to correlate not only IPS events but also other
events on the network, such as syslog messages and NetFlow input, is also recommended. The
Cisco Security Monitoring, Analysis and Response System (Cisco Security MARS) product can
provide this level of correlation.
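The correlation described above can be shown with a few lines of code. The following Python is an added example, not code from the course booklet or from any Cisco product: it assumes a central syslog collector that prefixes each received message with the sending hostname and a UTC timestamp (the sensors being NTP-synced is what makes those timestamps comparable), parses the %IPS-4-SIGNATURE alert form quoted in the text (the "[src:port -> dst:port]" detail is an assumption), and groups alerts for the same signature and source address that several sensors saw within a short window. The log lines are constructed.

```python
"""Correlate Cisco IOS IPS alerts from several NTP-synced sensors by time.

Added example, not code from the course booklet. It assumes a central syslog
collector that prefixes each received message with the sending hostname and
a UTC timestamp; the message body follows the %IPS-4-SIGNATURE form quoted in
the text, and the '[src:port -> dst:port]' detail is assumed here.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample collector lines (not real sensor output).
SAMPLE_LOG = """\
R1 2024-03-10 12:04:56.111 UTC: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [203.0.113.7:0 -> 192.0.2.10:0]
R2 2024-03-10 12:04:57.402 UTC: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [203.0.113.7:0 -> 192.0.2.20:0]
R3 2024-03-10 12:04:58.020 UTC: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [203.0.113.7:0 -> 192.0.2.30:0]
R1 2024-03-10 12:09:30.500 UTC: %IPS-4-SIGNATURE: Sig:1107 Subsig:0 Sev:2 RFC1918 address [10.0.0.5:0 -> 192.0.2.10:0]
R2 2024-03-10 12:30:01.000 UTC: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [198.51.100.9:0 -> 192.0.2.20:0]
R2 2024-03-10 12:30:02.000 UTC: %SYS-5-CONFIG_I: Configured from console by admin
"""

LINE_RE = re.compile(
    r"^(?P<host>\S+) (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) UTC: "
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) \[(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+\]$"
)


def parse_alerts(text):
    """Turn collector lines into dicts, dropping non-IPS messages, sorted by time."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        a = m.groupdict()
        a["ts"] = datetime.strptime(a["ts"], "%Y-%m-%d %H:%M:%S.%f")
        a["sig"], a["subsig"], a["sev"] = int(a["sig"]), int(a["subsig"]), int(a["sev"])
        alerts.append(a)
    return sorted(alerts, key=lambda a: a["ts"])


def correlate(alerts, window=timedelta(seconds=10)):
    """Group alerts with the same signature and source address whose timestamps
    fall within `window` of the previous one; keep groups seen by 2+ sensors.
    The common NTP time base is what makes the cross-sensor comparison valid."""
    by_key = defaultdict(list)
    for a in alerts:                       # alerts are already time-ordered
        by_key[(a["sig"], a["src"])].append(a)
    groups = []
    for items in by_key.values():
        run = [items[0]]
        for a in items[1:]:
            if a["ts"] - run[-1]["ts"] <= window:
                run.append(a)
            else:
                groups.append(run)
                run = [a]
        groups.append(run)
    return [g for g in groups if len({a["host"] for a in g}) >= 2]


def summarize(group):
    """Compact view of one correlated group: signature, source, sensors, span."""
    span = (group[-1]["ts"] - group[0]["ts"]).total_seconds()
    return {
        "sig": group[0]["sig"],
        "src": group[0]["src"],
        "hosts": sorted({a["host"] for a in group}),
        "span_seconds": span,
    }


if __name__ == "__main__":
    for g in correlate(parse_alerts(SAMPLE_LOG)):
        print(summarize(g))
```

On the sample data only the ICMP sweep from 203.0.113.7 is reported, because it is the one source that three sensors saw within two seconds; the single RFC1918 alert and the later, unrelated echo request are left alone. If the sensors' clocks were not NTP-synced the same three alerts could land seconds or minutes apart and never be joined.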
146 CCNA Security Course Booklet, Version 1.0

Security Staff
IPS devices tend to generate numerous alerts and other events during network traffic processing.
Large enterprises require the appropriate security staff to analyze this activity and determine how
well the IPS is protecting the network. Examining these alerts also enables security operators to
tune the IPS and optimize the IPS operation to the unique requirements of the network.
Incident Response Plan
If a system is compromised on a network, a response plan must be implemented. The compro-
mised system should be restored to the state it was in before the attack. It must be determined if
the compromised system led to a loss of intellectual property or the compromise of other systems
on the network.
Although the CLI can be used to configure an IPS deployment, it is simpler to use a GUI-based
device manager. Several Cisco device management software solutions are available to help admin-
istrators manage an IPS solution. Some provide locally managed IPS solutions while others pro-
vide more centrally managed solutions.
There are two locally managed IPS solutions:

Cisco Router and Security Device Manager (SDM)

Cisco IPS Device Manager (IDM)

There are three centrally managed IPS solutions:

Cisco IDS Event Viewer (IEV)

Cisco Security Manager (CSM)

Cisco Security Monitoring, Analysis, and Response System (MARS)

IPS sensors and Cisco IOS IPS generate alarms when an enabled signature is triggered. These
alarms are stored on the sensor and can be viewed locally, or a central management application
such as MARS can pull the alarms from the sensors.
Upon detecting an attack signature, the Cisco IOS IPS feature can send a syslog message or an
alarm in Security Device Event Exchange (SDEE) format. This format was developed to improve
communication of events generated by security devices. It primarily communicates IDS events, but
the protocol is intended to be extensible and allows additional event types to be included as they
are defined.
Cisco SDM can monitor syslog and SDEE-generated events and keep track of alarms that are common in SDEE system messages, including IPS signature alarms.
An IPS signature alarm, as it appears in the router log, has this type of format:
%IPS-4-SIGNATURE:Sig:1107 Subsig:0 Sev:2 RFC1918 address [ -

Managing signatures on many IPS devices can be difficult. To improve IPS efficiency in a network, consider these recommended configuration best practices:

The need to upgrade sensors with the latest signature packs must be balanced against the momentary downtime during which the network is vulnerable to attack.

When setting up a large deployment of sensors, update signature packs automatically rather than manually upgrading each sensor. This gives security operations personnel more time to analyze events.

When new signature packs are available, download them to a secure server within the management network. Use another IPS to protect this server from attack by an outside party.

Place signature packs on a dedicated FTP server within the management network.

If a signature update is not available, a custom signature can be created to detect and mitigate a specific attack.

Configure the FTP server to allow read-only access to the files within the directory in which the signature packs are placed.

Configure the sensors to periodically check the FTP server for new signature packs, such as once a week on a certain day. Stagger the time of day at which each sensor checks the FTP server, perhaps through a predetermined change window. This prevents multiple sensors from overwhelming the FTP server by asking for the same file at the same time.

Keep the signature levels that are supported on the management console synchronized with the signature packs on the sensors.

5.3 Implementing IPS
5.3.1 Configuring Cisco IOS IPS with CLI
Cisco IOS IPS enables administrators to manage intrusion prevention on routers that use Cisco
IOS Release 12.3(8)T4 or later. Cisco IOS IPS monitors and prevents intrusions by comparing
traffic against signatures of known threats and blocking the traffic when a threat is detected.
Several steps are necessary to use the Cisco IOS CLI to work with IOS IPS 5.x format signatures.
Cisco IOS releases up to 12.4(10) used IPS 4.x format signatures, and some IPS commands
changed with the move to the 5.x format.
To implement IOS IPS:
Step 1. Download the IOS IPS files.
Step 2. Create an IOS IPS configuration directory in flash.
Step 3. Configure an IOS IPS crypto key.
Step 4. Enable IOS IPS.
Step 5. Load the IOS IPS signature package to the router.
Prior to Cisco IOS release 12.4(11)T, Cisco IOS IPS provided built-in signatures in the Cisco IOS
software image as well as support for imported signatures. In Cisco IOS software T-Train releases
prior to 12.4(11)T, and in all Cisco IOS Software 12.4 Mainline releases, IPS signature selection
involves loading an XML file onto the router. This file, called the signature definition file (SDF),
contains a detailed description of each selected signature in Cisco IPS Sensor software 4.x signa-
ture format.
Starting with Cisco IOS release 12.4(11)T, there are no built-in (hard-coded) signatures within the
Cisco IOS software. Instead, all signatures are stored in a separate signature file and must be imported.
IOS releases 12.4(11)T and later use the newer 5.x format signature files, which can be
downloaded from Cisco.com (requires login).
Step 1. Download the IOS IPS Files.
Prior to configuring IPS, it is necessary to download the IOS IPS signature package files and pub-
lic crypto key from Cisco.com. The specific IPS files to download vary depending on the current
release. Only registered customers can download the package files and key.
IOS-Sxxx-CLI.pkg - This is the latest signature package.

realm-cisco.pub.key.txt - This is the public crypto key used by IOS IPS.

Step 2. Create an IOS IPS Configuration Directory in Flash.
The second step is to create a directory in flash to store the signature files and configurations. Use
the mkdir directory-name privileged EXEC command to create the directory.
IOS IPS supports any Cisco IOS file system as the configuration location with proper write access.
A Cisco USB flash drive connected to the USB port of the router can be used as an alternative lo-
cation to store the signature files and configurations. The USB flash drive must remain connected
to the USB port of the router if it is used as the IOS IPS configuration directory location.
Other commands that are useful include rename current-name new-name. This allows the admin-
istrator to change the name of the directory.
To verify the contents of flash, enter the dir privileged EXEC command.

Step 3. Configure an IOS IPS Crypto Key.
Next, configure the crypto key used by IOS IPS. This key is located in the realm-cisco.pub.key.txt
file that was downloaded in Step 1.
The crypto key verifies the digital signature on the master signature file (sigdef-default.xml). The
content of the file is signed with a Cisco private key to guarantee its authenticity and integrity; the
router uses the corresponding public key to check that signature before it compiles the signatures.
To configure the IOS IPS crypto key, open the text file, copy its contents, and paste them at the
global configuration prompt. The text file contains the commands that install the RSA public key.
At the time of signature compilation, an error message is generated if the public crypto key is
invalid or missing. This is an example of such an error message:
%IPS-3-INVALID_DIGITAL_SIGNATURE: Invalid Digital Signature found (key not found)
If the key was configured incorrectly, it must be removed and then reconfigured. Enter crypto key
pubkey-chain rsa, then no named-key realm-cisco.pub signature to remove the key, and paste the
key file again.
Use show running-config at the router prompt to confirm that the crypto key is configured; it
appears under crypto key pubkey-chain rsa.

Step 4. Enable IOS IPS.
The fourth step is to configure IOS IPS, which is a process that consists of several substeps.

Step 1. Identify the IPS rule name and specify the location.
Use the ip ips name [rule name] [optional ACL] command to create a rule name. An optional extended or standard access control list (ACL) can be configured to filter the scanned traffic. All traffic that is permitted by the ACL is subject to inspection by the IPS. Traffic that is denied by the ACL is not inspected by the IPS.
Use the ip ips config location flash:directory-name command to configure the IPS signature storage location. Prior to IOS 12.4(11)T, the ip ips sdf location command was used.

Step 2. Enable SDEE and logging event notification.
To use SDEE, the HTTP server must first be enabled with the ip http server command. SDEE clients retrieve events through the router's web server, so if the HTTP server is not enabled, the router never receives their requests and cannot respond to them. SDEE notification is disabled by default and must be explicitly enabled. Use the ip ips notify sdee command to enable IPS SDEE event notification. IOS IPS also supports logging to send event notification. SDEE and logging can be used independently or enabled at the same time. Logging notification is enabled by default. If logging to the console is enabled, IPS log messages are displayed on the console. Use the ip ips notify log command to enable logging.

Step 3. Configure the signature category.
All signatures are grouped into categories, and the categories are hierarchical. This helps classify signatures for easy grouping and tuning. The three most common categories are all, basic, and advanced.
The signatures that IOS IPS uses to scan traffic can be retired or unretired. Retiring a signature means that IOS IPS does not compile that signature into memory for scanning. Unretiring a signature instructs IOS IPS to compile the signature into memory and use it to scan traffic. When IOS IPS is first configured, all signatures in the all category should be retired, and then selected signatures should be unretired in a less memory-intensive category. To retire and unretire signatures, first enter IPS category mode using the ip ips signature-category command. Next, use the category category-name command to select a category. For example, use the category all command to enter IPS category all action mode. To retire a category, use the retired true command. To unretire a category, use the retired false command.
Caution: Do not unretire the all category. The all signature category contains all signatures in a signature release. IOS IPS cannot compile and use all the signatures at one time, because it will run out of memory.
The order in which the signature categories are configured on the router is also important. IOS IPS processes the category commands in the order listed in the configuration. Some signatures belong to multiple categories. If multiple categories are configured and a signature belongs to more than one of them, IOS IPS uses the signature's properties (for example, retired, unretired, or actions) from the last configured category.

Step 4. Apply the IPS rule to a desired interface, and specify the direction.
Use the ip ips rule-name [in | out] interface configuration command to apply the IPS rule. The in argument means that only traffic going into the interface is inspected by IPS. The out argument specifies that only traffic going out of the interface is inspected.
Step 5. Load the IOS IPS Signature Package to the Router.
The last step is for the administrator to upload the signature package to the router. The most com-
mon method used is either FTP or TFTP. To copy the downloaded signature package from the FTP
server to the router, make sure to use the idconf parameter at the end of the command.
copy ftp://ftp_user:password@Server_IP_address/signature_package idconf
To verify that the signature package is properly compiled, the administrator uses the show ip ips
signature count command.
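The category-ordering rule in Step 4 (categories are applied in configuration order, and a signature that belongs to several categories takes its properties from the last one listed) is easy to get wrong when the same statements are entered in a different order. The following Python is an added example, not code from the course booklet or from Cisco: it parses the ip ips signature-category section of a running configuration, computes the effective settings for a given signature, and flags the two mistakes the text warns about. Category membership is constructed, and "ios_ips basic" is assumed as the CLI name of the basic category.

```python
"""Resolve which category settings actually apply to an IOS IPS signature.

Added example, not from the course booklet. It models the rule stated in the
text: 'category' blocks under 'ip ips signature-category' are applied in
configuration order and a signature that belongs to several categories takes
its properties from the last one listed. MEMBERSHIP is constructed, and
'ios_ips basic' is assumed as the CLI spelling of the basic category.
"""

# Constructed membership: signature id -> categories it belongs to.
MEMBERSHIP = {
    2004: {"all", "ios_ips basic"},   # assumed: in the basic set
    1107: {"all"},                    # assumed: only in all
}

# Recommended order: retire everything, then unretire the small category.
GOOD_CONFIG = """\
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
  event-action produce-alert deny-packet-inline
!
"""

# Same statements, wrong order: 'all retired true' now overrides the unretire.
BAD_CONFIG = """\
ip ips signature-category
 category ios_ips basic
  retired false
  event-action produce-alert deny-packet-inline
 category all
  retired true
!
"""


def parse_category_block(config):
    """Return [(category_name, {property: value}), ...] in configuration order."""
    cats, in_block = [], False
    for raw in config.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if line == "ip ips signature-category":
            in_block = True
            continue
        if not in_block:
            continue
        if indent == 0:                      # next top-level command or '!'
            break
        if line.startswith("category "):
            cats.append((line[len("category "):], {}))
        elif cats:
            key, _, value = line.partition(" ")
            cats[-1][1][key] = value
    return cats


def effective(sig_id, cats, membership=MEMBERSHIP):
    """Apply each matching category in order; later settings override earlier ones."""
    props = {}
    for name, settings in cats:
        if name in membership.get(sig_id, set()):
            props.update(settings)
    return props


def lint(cats):
    """Flag the two mistakes the text warns about: unretiring all, and an
    'all retired true' that is listed after an unretire and cancels it."""
    warnings, unretire_seen = [], False
    for name, settings in cats:
        if name == "all" and settings.get("retired") == "false":
            warnings.append("category all is unretired; the router cannot compile every signature")
        if name == "all" and settings.get("retired") == "true" and unretire_seen:
            warnings.append("category all retired true follows an unretire and overrides it")
        if settings.get("retired") == "false":
            unretire_seen = True
    return warnings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        cats = parse_category_block(cfg)
        print(label, effective(2004, cats), effective(1107, cats), lint(cats))
```

With GOOD_CONFIG, signature 2004 ends up unretired with the basic category's actions and 1107 stays retired; with BAD_CONFIG the identical statements leave 2004 retired, because the all block is processed last. Running the lint over show running-config output before a change window catches exactly that ordering slip.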

5.3.2 Configuring Cisco IOS IPS with SDM
Cisco SDM provides controls for applying Cisco IOS IPS on interfaces, importing and editing sig-
nature files from Cisco.com, and configuring the action that Cisco IOS IPS takes if a threat is de-
tected. The tasks for managing routers and security devices are displayed in a task pane on the left
side of the Cisco SDM home page. Choose Configure > Intrusion Prevention to display the in-
trusion prevention options in Cisco SDM.
For the SDM host computer, a minimum Java memory heap size of 256MB is required to config-
ure IOS IPS using SDM. If an error is generated when the Launch IPS Rule Wizard button is se-
lected, the Java memory heap size must be changed on the host computer. To do so, exit Cisco
SDM and open the Windows Control Panel. Click on the Java option which opens the Java Con-
trol Panel. Select the Java tab and click on the View button under the Java Applet Runtime Set-
tings. In the Java Runtime Parameter field enter exactly -Xmx256m and click OK.
With the Java memory heap size correctly configured, SDM displays four tabs in the Intrusion Prevention Systems (IPS) window. Use the tabs at the top of the IPS window to configure or monitor Cisco IOS IPS:

Create IPS - Contains the IPS Rule wizard that can be used to create a new Cisco IOS IPS rule.

Edit IPS - Edit Cisco IOS IPS rules and apply or remove them from interfaces.

Security Dashboard - View the Top Threats table and deploy signatures associated with those threats.

IPS Migration - Migrate Cisco IOS IPS configurations that were created using earlier releases of the Cisco IOS Software. IPS Migration is not available in releases prior to Cisco IOS Release 12.4(11)T.

The first three tabs are useful when creating and tuning IPS. The IPS Migration tab is available
when the router runs Cisco IOS 12.4(11)T and later. It should be used to convert custom or tuned
version 4.x signature files to version 5.x before IPS is implemented.
The administrator can use SDM to create a new rule on a Cisco router either manually through the
Edit IPS tab, or automatically using the IPS Rule wizard.
The Cisco IOS IPS Deployment Guide recommends using the IPS Rule wizard. The wizard does
more than just configure a rule. It performs all the Cisco IOS IPS configuration steps.
Configuring Cisco IOS IPS on a router or security device using Cisco SDM involves several steps.
Step 1. Choose Configure > Intrusion Prevention > Create IPS.
Step 2. Click the Launch IPS Rule Wizard button.
Step 3. Read the Welcome to the IPS Policies Wizard screen and click Next.
Identify the interfaces on which to apply the Cisco IOS IPS. Decide whether to apply the rule to
inbound traffic or outbound traffic. Checking the inbound and the outbound boxes applies the rule
to traffic flowing in both directions.
Step 4. In the Select Interfaces window, choose the interfaces to which to apply the IPS rule and
the direction of traffic by checking one or both of the boxes.
Step 5. Click Next.
Cisco IOS IPS compares traffic against signatures contained in the signature file. The signature file
can be located in router flash memory or on a remote system that the router can reach. Multiple
signature file locations can be specified so that if the router is unable to contact the first location, it
can attempt to contact other locations until it obtains a signature file.
Step 6. In the Signature File pane in the Signature File and Public Key window, select either the
Specify the signature file you want to use with the IOS IPS or Get the latest signature file
from Cisco.com and save to PC option and fill in the appropriate text box. The signature file is an
IOS IPS update package with the naming convention of IOS-Snnn-CLI.pkg, where nnn is the
number of the signature set.
Step 7. To download the latest signature file from Cisco.com, click Download.
The Cisco IOS IPS signature file contains default signature information. Any changes made to this
configuration are not saved to the signature file but rather in a special file called the delta file. The
delta file is saved to router flash memory. For security, the delta file must be digitally signed by a
key which is also obtained from Cisco.com.
Place the public-key information in the Name and Key fields.
Step 8. Obtain the public key at http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup.
Step 9. Download the key to a PC.
Step 10. Open the key file in a text editor and copy the text after the phrase “named-key” into the
Name field. For example, if the line of text is “named-key realm-cisco.pub signature” copy
“realm-cisco.pub signature” to the Name field.
Step 11. Copy the text between the phrase “key-string” and the word “quit” into the Key field. The
text might look as follows:
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
F3020301 0001
Step 12. Click Next.
In Cisco IOS Release 12.4(11)T and later, the location for storing signature information and the
signature category can be specified.
Step 13. In the Config Location and Category window, in the Config Location section, click the el-
lipsis (...) button next to the Config Location field to specify where to store the XML signature
files, including the delta file that is created when changes are made to the signature file.
Step 14. Because router memory and resource constraints can limit using all the available signa-
tures, choose a category in the Choose Category field that allows the Cisco IOS IPS to function
efficiently on the router. The basic signature category is appropriate for routers with less than 128
MB of flash memory, and the advanced signature category is appropriate for routers with more
than 128 MB of flash memory.
Step 15. Click Finish. The IPS Policies Wizard confirms the configured information in a summary.
Use the show command to verify the IPS configuration generated by the SDM IPS Wizard.
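The key that is pasted at the CLI in Step 3 of the CLI procedure, and split into the Name and Key fields in Steps 10 and 11 of the wizard, can be checked before it is used. The following Python is an added example, not code from the course booklet or from Cisco: it extracts the two fields the way Steps 10 and 11 describe, then DER-decodes the key-string to confirm it is a 2048-bit RSA public key with the usual exponent, which is what a copy-and-paste mistake (a dropped line, a stray character) would break. KEY_FILE is a constructed file in the named-key / key-string / quit layout the text describes; the hex inside it is the key-string printed above.

```python
"""Check the IOS IPS public key before pasting it into the CLI or SDM.

Added example, not code from the course booklet. KEY_FILE is a constructed
file in the layout the text describes (named-key / key-string / quit); the
hex key-string inside it is the realm-cisco.pub value printed in the text.
The decoder expects a standard DER SubjectPublicKeyInfo for an RSA key and
raises ValueError on anything else.
"""

KEY_FILE = """\
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
   00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
   17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
   B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
   5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
   FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
   50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
   006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
   2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
   F3020301 0001
  quit
"""

RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1


def split_key_file(text):
    """Return (Name field, raw key bytes) the way SDM Steps 10 and 11 describe:
    the text after 'named-key', and the hex between 'key-string' and 'quit'."""
    name, hex_chunks, in_key = None, [], False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("named-key "):
            name = s[len("named-key "):]
        elif s == "key-string":
            in_key = True
        elif s == "quit":
            in_key = False
        elif in_key:
            hex_chunks.append(s)
    return name, bytes.fromhex("".join(hex_chunks).replace(" ", ""))


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; long-form lengths supported."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_public_key(der):
    """Walk SubjectPublicKeyInfo and return (modulus, exponent)."""
    tag, spki, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, alg, pos = _tlv(spki, 0)
    if tag != 0x30 or _tlv(alg, 0)[1] != RSA_ENCRYPTION_OID:
        raise ValueError("algorithm is not rsaEncryption")
    tag, bits, _ = _tlv(spki, pos)
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("bad BIT STRING")
    tag, rsa, _ = _tlv(bits, 1)              # skip the unused-bits byte
    tag_n, n_bytes, pos = _tlv(rsa, 0)
    tag_e, e_bytes, _ = _tlv(rsa, pos)
    if tag != 0x30 or tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("RSAPublicKey structure not found")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def check_key(text):
    """Summarize a key file: the Name field, DER length, key size and exponent."""
    name, der = split_key_file(text)
    n, e = rsa_public_key(der)
    return {"name": name, "der_len": len(der), "bits": n.bit_length(), "e": e}


if __name__ == "__main__":
    print(check_key(KEY_FILE))
```

The decoder only confirms that the pasted material is a well-formed RSA public key; whether it is Cisco's key is established by where it came from (the Cisco.com download in Step 1), not by anything in the bytes.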
Virtual Fragment Reassembly (VFR) enables the Cisco IOS Firewall to create the appropriate dy-
namic ACLs, thereby protecting the network from various fragmentation attacks. To enable VFR
on an interface, use the ip virtual-reassembly command in interface configuration mode.

5.3.3 Modifying Cisco IOS IPS Signatures
The Cisco IOS CLI can be used to retire or unretire individual signatures or a group of signatures
that belong to a signature category. When a group of signatures are retired or unretired, all signa-
tures in that category are retired or unretired.
Some unretired signatures (either unretired as an individual signature or within an unretired cate-
gory) might not compile because of insufficient memory, invalid parameters, or if the signature is
The IOS CLI can also be used to change signature actions for one signature or a group of signa-
tures based on signature categories. To change an action, the event-action command must be
used in IPS Category Action mode or Signature Definition Engine mode.
The event-action command has several parameters, including produce-alert, deny-packet-in-
line, and reset-tcp-connection.

IPS signatures are loaded as part of the procedure to create a Cisco IOS IPS rule using the IPS rule
wizard. To view the configured signatures on the router, choose Configure > Intrusion Preven-
tion > Edit IPS > Signatures > All Categories. Because signatures optimize a configuration, con-
firm that all the correct signatures are loaded on the router or security device. From this window,
administrators can add customized signatures or import signatures that are downloaded from
Cisco.com. They can also edit, delete, enable, and disable signatures.
The signature tree enables an administrator to filter the signature list according to the type of sig-
nature that they want to view. To modify a signature, right-click on the signature and choose an op-
tion from the context menu. To change the severity of the signature, choose Set Severity To.
Cisco SDM can be used to tune a signature configuration. To tune a signature, choose Configure >
Intrusion Prevention > Edit IPS > Signatures > All Categories. A list of available signatures appears.
To modify a signature action, right-click on the signature and choose Actions from the context menu. The Assign Actions window appears. The available actions depend on the signature, but the following are the most common actions:

Deny Attacker Inline - Create an ACL that denies all traffic from the IP address that Cisco IOS IPS considers the source of the attack.

Deny Connection Inline - Drop the packet and all future packets from this TCP flow.

Deny Packet Inline - Do not transmit this packet (inline only).

Produce Alert - Generate an alarm message.

Reset TCP Connection - Send TCP resets to terminate the TCP flow.

To access and configure signature parameters, choose the signature and then click the Edit button
in the Intrusion Prevention System (IPS) window.
Signatures have different parameters:

Signature ID - Displays the unique numerical value that is assigned to this signature. This value allows Cisco IOS IPS to identify a particular signature.

SubSignature ID - Displays the unique numerical value that is assigned to this subsignature. A subsignature ID identifies a more granular version of a broad signature.

Alert Severity - Displays the severity of the alert for this signature.

Sig Fidelity Rating - Displays the confidence level of detecting a true positive.

Promiscuous Delta - Displays the value used to determine the seriousness of the alert. It is not recommended to change the promiscuous delta settings.

Sig Description - Includes the signature name, alert notes, user comments, alert traits, and release number.

Engine - Contains information about which engine the signature uses and characteristics about how the engine operates.

Event Counter - Displays the event count, the event count key, and whether an alert interval is to be specified. An alert interval allows the administrator to define special handling for timed events.

Alert Frequency - Settings to define the frequency of the alert.

Status - Shows whether the signature is enabled or retired.

5.4 Verify and Monitor IPS
5.4.1 Verifying Cisco IOS IPS
After IPS is implemented, it is necessary to verify the configuration to ensure correct operation.
There are several show commands which can be used to verify the IOS IPS configuration.
The show ip ips privileged EXEC command can be used with other parameters to provide spe-
cific IPS information.

The show ip ips all command displays all IPS configuration data. The output can be lengthy depending on the IPS configuration.

The show ip ips configuration command displays additional configuration data that is not displayed with the show running-config command.

The show ip ips interfaces command displays interface configuration data. The output shows inbound and outbound rules applied to specific interfaces.

The show ip ips signatures command verifies the signature configuration. The command can also be used with the keyword detail to provide more explicit output.

The show ip ips statistics command displays the number of packets audited and the number of alarms sent. The optional reset keyword resets output to reflect the latest statistics.
Use the clear ip ips configuration command to disable IPS, remove all IPS configuration en-
tries, and release dynamic resources. The clear ip ips statistics command resets statistics on
packets analyzed and alarms sent.
To verify the IPS configuration on the router using SDM, choose Configure > Intrusion Preven-
tion > Edit IPS. The Edit IPS tab shows all the interfaces on the router and whether they are con-
figured for Cisco IOS IPS. If “Enabled” appears in either the Inbound or Outbound column, Cisco
IOS IPS is enabled for that direction of traffic on that interface. If “Disabled” appears in either col-
umn, Cisco IOS IPS is disabled for that direction on the interface.
The Virtual Fragment Reassembly (VFR) Status field shows the status of VFR on an interface. If
VFR is enabled on the interface, the column displays “On.” If VFR is disabled, the column dis-
plays “Off.”
The Edit IPS tab also contains buttons that allow the administrator to configure and manage Cisco
IOS IPS policies, security messages, and signatures.

5.4.2 Monitoring Cisco IOS IPS
As of Cisco IOS Release 12.3(11)T, Cisco IOS IPS provides two methods to report IPS intrusion alerts:

Security Device Event Exchange (SDEE)

Cisco IOS logging via syslog

To specify the method of event notification, use the ip ips notify [log | sdee] global configuration command.

The log keyword sends messages in syslog format.

The sdee keyword sends messages in SDEE format.

SDEE is the preferred method of reporting IPS activity. SDEE uses HTTP and XML to provide a
standardized interface. It is enabled on an IOS IPS router with the ip ips notify sdee
command. The Cisco IOS IPS router can still send IPS alerts via syslog at the same time.
Administrators must also enable HTTP or HTTPS on the router when enabling SDEE, because SDEE
clients retrieve events through the router's web server. Use HTTPS (ip http secure-server) rather
than plain HTTP so that the alert data is encrypted as it traverses the network.
When Cisco SDEE notification is disabled, all stored events are lost. A new buffer is allocated
when the notifications are re-enabled. SDEE uses a pull mechanism. With a pull mechanism, requests
come from the network management application, and the IDS or IPS router responds.
SDEE was designed as a vendor-neutral format for communicating events to a network management
application.
The buffer stores up to 200 events by default. If a smaller buffer is requested, all stored events are
lost. If a larger buffer is requested, all stored events are saved. The default buffer size can be al-
tered with the ip sdee events events command. The maximum number of events is 1,000. The
clear ip ips sdee {events | subscription} command clears SDEE events or subscriptions.

The ip ips notify command replaces the older ip audit notify command. If the ip audit notify
command is part of an existing configuration, the IPS interprets it as the ip ips notify command.
A management appliance such as MARS, or management software such as IEV, CSM, or SDM,
must be used to view SDEE messages. For example, to view SDEE alarm messages in Cisco
SDM, choose Monitor > Logging > SDEE Message Log.
Syslog messages can also be viewed in SDM by choosing Monitor > Logging > Syslog.
Chapter Summary
Refer to the Packet Tracer Activity and the Lab Activity for this chapter.

Securing the Local Area Network

Chapter Introduction
A secure network is only as strong as its weakest link. For this reason, in addition to securing the
network edge, it is also important to secure the end devices that reside within the network. End-
point security includes securing the network infrastructure devices in the LAN as well as the end
systems, such as workstations, servers, IP phones, access points, and storage area networking
(SAN) devices. There are several endpoint security applications and devices available to accom-
plish this, including Cisco IronPort security appliances, Network admission control (NAC), and
Cisco Security Agent (CSA).
Endpoint security also encompasses securing Layer 2 of the network infrastructure to prevent
against Layer 2 attacks such as MAC address spoofing and STP manipulation attacks. Layer 2 se-
curity configurations include enabling port security, BPDU guard, root guard, storm control, Cisco
switched port analyzer (SPAN), and remote SPAN (RSPAN).
Finally, the type of security solutions implemented depends upon the type of LAN technologies
used. For example, networks that employ wireless, VoIP, and SANs technologies have additional
security considerations and solutions.
In a comprehensive hands-on lab for the chapter, Securing Layer 2 Switches, learners configure the
following on a Layer 2 switch: SSH access, storm control for broadcasts, PortFast, BPDU guard,
root guard, port security, and Switched Port Analyzer. Learners also verify the configurations,
monitor port activity using Wireshark, and analyze a sourced attack. The lab is found in the lab
manual on Academy Connection at cisco.netacad.net.
A Packet Tracer activity, Layer 2 Security, provides learners additional practice implementing the
technologies introduced in this chapter. Learners secure STP parameters to mitigate STP attacks,
enable storm control to prevent broadcast storms, and enable port security to prevent MAC address
table overflow attacks.
In a second Packet Tracer activity, Layer 2 VLAN Security, learners create a management VLAN,
attach a management PC to the management VLAN, and implement an ACL to prevent outside
users from accessing the management VLAN.
Packet Tracer activities for CCNA Security are found on Academy Connection at cisco.netacad.net.

6.1 Endpoint Security
6.1.1 Introducing Endpoint Security
The high-profile threats most often discussed in the media are external threats, such as Internet
worms and DoS attacks. But securing an internal local area network (LAN) is just as important as
securing the perimeter of a network. Without a secure LAN, users in an organization may not be
able to access the network, which can significantly reduce productivity.
Many network administrators develop their security strategy from the perimeter of a network and
work toward the LAN. Other administrators develop their network security strategy at the LAN
and work toward the perimeter. Regardless of the approach, two specific areas that are vital to se-
cure are the endpoints and the network infrastructure.
The LAN is made up of network endpoints. An endpoint, or host, is an individual computer system
or device that acts as a network client. Common endpoints are laptops, desktops, IP phones, and
personal digital assistants (PDAs). Servers can also be considered endpoints. The LAN-to-perime-
ter security strategy is based on the idea that if users are not practicing security in their desktop op-
erations, no amount of security precautions will guarantee a secure network.
The network infrastructure is the other area of focus for securing the LAN. Part of securing a LAN
is mitigating attacks. These attacks include MAC address spoofing attacks, STP manipulation at-
tacks, MAC address table overflow attacks, LAN storm attacks, and VLAN attacks. Another ele-
ment to securing the network infrastructure is securing the non-endpoint LAN devices. These
include switches, wireless devices, IP telephony devices, and storage area networking (SAN) de-
Before securing the network infrastructure, the initial focus must be endpoint security. Hosts must
be protected from viruses, Trojan Horses, worms, and other security threats. The Cisco strategy for
addressing endpoint security is based on three elements:

Cisco Network Admission Control (NAC) - The NAC solution ensures that every endpoint
complies with network security policies before being granted access to the network. NAC
provides access to compliant devices and ensures that noncompliant devices are denied
access, placed in quarantine, or given restricted access to resources.
Endpoint protection - Behavior-based technology is available with Cisco Security Agent
(CSA), which protects endpoints against threats that are posed by viruses, Trojan Horses, and
worms. IronPort perimeter security appliances complement CSA by focusing on email and
web security.
Network infection containment - To address the newest attack methods that can compromise
the network, containment focuses on automating key elements of the infection response
process. The Cisco Self-Defending Network (SDN) elements of NAC, CSA, and IPS provide
this service.

An endpoint security strategy is necessary because software tends to have weaknesses. Secure
(trustworthy) software is designed to protect data and withstand attack attempts. Historically, se-
cure software was used only within the military and in critical commercial systems. Generally, this
type of software is custom software.
Non-secure software can be made more trusted by hardening it or blocking vulnerabilities. While
hardening is often done, it requires documentation of the internal software components, which is
not commonly provided by vendors. Additionally, securing software requires securing operating
systems and any applications that run inside an operating system.
Operating systems provide basic security services to applications:

Trusted code and trusted path - Ensures that the integrity of the operating system is not
violated. Trusted code refers to the assurance that the operating system code is not
compromised. An operating system might provide integrity checking of all running code by
using hash message authentication codes (HMACs) or digital signatures. Integrity verification
of add-on software might be necessary at installation. Digital signatures can also be used.
Chapter 6: Securing the Local Area Network 159

Trusted path refers to a facility that ensures that the user is using a genuine system and not a
Trojan Horse. An example of a trusted path is the Ctrl-Alt-Delete key sequence required for
logging into Windows Server and Windows XP.
Privileged context of execution - Provides identity authentication and certain privileges
based on the identity.
Process memory protection and isolation - Provides separation from other users and their
Access control to resources - Ensures confidentiality and integrity of data.
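The integrity checking described under trusted code, as an added example that is not part of the course booklet or of any Cisco product: a Python checker that records an HMAC-SHA256 tag for each installed component in a manifest and later verifies that every component is present, untampered, and nothing unlisted has appeared. The key, component names and contents are constructed placeholders. With an HMAC the verifier must hold the same secret key as the manifest builder; a digital signature would let the verifier hold only a public key, which is why signatures are preferred for vendor-distributed add-on software.

```python
import hashlib
import hmac

# Constructed sample data: a manifest key held by the administrator and the
# bytes of two "installed" components. A real checker would read files from disk.
MANIFEST_KEY = b"constructed-manifest-key-not-a-real-secret"
INSTALLED_COMPONENTS = {
    "libauth.so": b"\x7fELF constructed bytes of an authentication library",
    "netsvc.bin": b"\x7fELF constructed bytes of a network service",
}


def component_tag(key: bytes, name: str, content: bytes) -> str:
    """HMAC-SHA256 over the component name and its content.

    Binding the name into the tag stops a valid tag for one component from
    being presented as the tag for another.
    """
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(name.encode("utf-8"))
    mac.update(b"\x00")          # separator so name/content boundaries are unambiguous
    mac.update(content)
    return mac.hexdigest()


def build_manifest(key: bytes, components: dict) -> dict:
    """Produce name -> tag for every trusted component (done once, at install time)."""
    return {name: component_tag(key, name, data) for name, data in components.items()}


def verify_components(key: bytes, manifest: dict, components: dict) -> dict:
    """Check the current components against the manifest.

    Returns name -> "ok", "tampered", "missing" (listed but absent) or
    "unexpected" (present but not listed).
    """
    results = {}
    for name, expected in manifest.items():
        if name not in components:
            results[name] = "missing"
            continue
        actual = component_tag(key, name, components[name])
        # constant-time comparison so timing does not reveal how many
        # leading characters of the tag were correct
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "tampered"
    for name in components:
        if name not in manifest:
            results[name] = "unexpected"
    return results


def integrity_ok(key: bytes, manifest: dict, components: dict) -> bool:
    """True only when every listed component is present and untampered and nothing extra exists."""
    return all(v == "ok" for v in verify_components(key, manifest, components).values())
```

A manifest built with a different key, or against components that have since changed by even one byte, reports every affected entry as tampered, so the check cannot be passed by guessing a tag or by appending code to an existing binary.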

An attacker can undermine all of these services. If either the trusted code or a trusted path is not
present or is compromised, the operating system and all applications can easily be subverted by
hostile code. An operating system might be made more vulnerable if there is a need to provide
support for legacy protocols.
Modern operating systems provide each process with an identity and privileges. Privilege switch-
ing is possible during program operation or during a single login session. For example, UNIX has
the suid (set user ID) facility and Windows has the runas utility.
These are a few techniques that help protect an endpoint from operating system vulnerabilities:

Least privilege concept - To better protect an endpoint, a process should never be given more
privilege than is necessary to perform a job.
Isolation between processes - Isolation between processes can be virtual or physical. For
example, memory protection can be done in hardware. Some trusted operating systems
provide isolation using logical execution compartments.
Reference monitor - A reference monitor is an access control concept that refers to a
mechanism or process that mediates all access to objects. It provides a central point for all
policy decisions, typically implementing auditing functions to keep track of access. In
addition to the reference monitor that usually exists in an operating system, CSA functions as
a reference monitor.
Small, verifiable pieces of code - For all security functionality, the idea is to have small,
easily verifiable pieces of code that are managed and monitored by a reference monitor.

The ultimate target of an attacker is often an application running on a host that processes sensitive
data that the attacker wants to obtain. Attacks to applications can be direct or indirect. In a direct
attack, the attacker fools the application into performing a task with the application's privileges. In
an indirect attack, the attacker first compromises another subsystem and attacks the application
through the compromised subsystem (privilege escalation).
When an attacker has the option of communicating directly with the target application, the applica-
tion must be suitably protected. For example, an attacker might attempt a DoS attack to a specific
application. Another example of a direct attack to a target application is if an attacker uses flaws in
the application to bypass its access controls to obtain read or write access to sensitive data.
In another scenario, an attacker indirectly gains access to sensitive data through a chain of compro-
mises of other system components. For example, an attacker first obtains basic user-level access to
the system on which the sensitive data resides. Then, by exploiting a flaw in any local application,
the attacker attains system administration privileges (privilege escalation). Using those privileges,
the attacker might be able to read or write to most objects on the system, including sensitive data
of the target application.
Cisco Systems provides several components to ensure a robust endpoint security solution. The pri-
mary components of this solution are:


Cisco NAC


Cisco IronPort perimeter security appliances protect enterprises against Internet threats, with a
focus on email and web security, two of the main endpoint security considerations. Endpoints in
this case are secured by devices working on the network perimeter.
NAC uses the network infrastructure to enforce security policy compliance on all devices seeking
to access network computing resources. With NAC, network security professionals can authenti-
cate, authorize, evaluate, and remediate wired, wireless, and remote users and their machines prior
to network access. NAC identifies whether networked devices are compliant with the network se-
curity policies and repairs any vulnerability before permitting access to the network.
CSA provides a fully integrated endpoint security solution that combines policy-driven, data-loss
prevention with zero-update attack prevention and anti-virus detection in a single agent and man-
agement console. CSA defends endpoints against data loss from both malware and user actions
and enforces acceptable-use and compliance policies within a simple management infrastructure.
IronPort, NAC, and CSA have some overlap in their functional support of endpoint security. These
technologies, when used in parallel, add layers of protection and are interoperable. They combine
to provide protection of operating system vulnerabilities against both direct and indirect attacks.
While there are a number of alternatives to the endpoint security solutions provided by Cisco Sys-
tems, the limitation of these other systems is that they do not provide a comprehensive end-to-end
approach to securing the network. Some of the major players in providing endpoint security solu-
tions are McAfee, Symantec, Juniper, SonicWALL, and Fortinet.

6.1.2 Endpoint Security with IronPort
Cisco Systems acquired IronPort Systems in 2007. IronPort is a leading provider of anti-spam,
anti-virus, and anti-spyware appliances. IronPort uses SenderBase, the world's largest threat detec-
tion database, to help provide preventive and reactive security measures.
IronPort offers different security appliances:

C-Series - An email security appliance for virus and spam control.
S-Series - A web security appliance for spyware filtering, URL filtering, and anti-malware.
M-Series - A security management appliance that complements the email and web security
appliances by managing and monitoring an organization's policy settings and audit
The M-Series appliance is a flexible management tool for centralizing and consolidating policy
and runtime data, providing security professionals a single interface to manage all of their applica-
tion layer security systems.
By providing security solutions deployed at the network gateway, IronPort enables a perimeter de-
fense to help prevent Internet threats of all types from reaching the desktops of employees.
IronPort SenderBase is the world's largest email traffic monitoring service. SenderBase collects
data from more than 100,000 ISPs, universities, and corporations. It measures more than 120 different parameters for any email server on the Internet. This massive database receives more than
five billion queries per day, with real-time data streaming in from every continent and both small
and large network providers. SenderBase has the most accurate view of the sending patterns of any
given mail sender because of the size of the database. It has remained the largest in the world be-
cause of the accuracy of the data. IronPort licenses SenderBase data to the open-source commu-
nity and other institutions that are participating in the fight against spam.
The eight largest ISPs and more than 20 percent of the largest enterprises in the world use the
IronPort C-Series email security appliances. By protecting the email systems of enterprises of all
sizes, the downtime that is associated with spam, viruses, and a wide variety of other threats has
been reduced. The system also reduces the burden on technical staff.
Spyware has become one of the most significant corporate security issues. More than 80 percent of
corporate PCs are infected with spyware, yet less than 10 percent of corporations have deployed
perimeter spyware defenses. The speed, variety, and maliciousness of spyware and web-based mal-
ware attacks have highlighted the importance of a robust, secure platform to protect the enterprise
network perimeter from such threats. The IronPort S-Series is a fast web security appliance that
offers multiple anti-malware scanning engines on a single, integrated appliance. The S-Series in-
cludes IronPort's exclusive Web Reputation technology and Dynamic Vectoring and Streaming en-
gine, a new scanning technology that enables signature-based spyware filtering.
A security professional can run the scanning engines simultaneously to offer greater protection
against malware threats, with minimal performance degradation. It provides protection against a
wide variety of web-based threats, ranging from adware, phishing, and pharming attacks to more
malicious threats such as Trojan Horses, worms, and other system monitoring attacks.

6.1.3 Endpoint Security with Network Admission Control
The purpose of Cisco NAC is twofold: to allow only authorized and compliant systems (whether
managed or unmanaged) to access the network, and to enforce network security policy.
NAC helps maintain network stability by providing four important features: authentication and au-
thorization, posture assessment (evaluating an incoming device against the policies of the net-
work), quarantining of noncompliant systems, and remediation of noncompliant systems.
Cisco NAC products come in two general categories:

NAC framework - The NAC framework uses the existing Cisco network infrastructure and
third-party software to enforce security policy compliance on all endpoints. The NAC
framework is suited for high-performance network environments with diverse endpoints.
These environments require a consistent LAN, WAN, wireless, extranet, and remote access
solution that integrates into the existing security and patch software, tools, and processes.
Different devices in the network, not necessarily one device, can provide the four features of
Cisco NAC Appliance - The Cisco NAC Appliance solution condenses the four NAC
functions into an appliance form and provides a turnkey solution to control network access.
This solution is a natural fit for medium-scaled networks requiring a self-contained, turnkey
solution. The Cisco NAC Appliance is ideal for organizations that need simplified and
integrated tracking of operating system and anti-virus patches and vulnerability updates. It
does not require a Cisco network.
The components of a NAC framework provide compliance-based access control. NAC functions,
including authentication, authorization, and accounting (AAA), scanning, and remediation, are
performed by other Cisco products, such as a Cisco Secure Access Control Server (ACS), or part-
ner products such as TrendMicro.
The goal of both the NAC framework and the Cisco NAC Appliance is to ensure that only hosts
that are authenticated and have had their security posture examined and approved are permitted
onto the network. For example, company laptops that have been used offsite for a period of time,
and that therefore might not have received current security updates or could have become infected
by other systems, cannot connect to the network until they are examined and approved.
Network access devices function as the enforcement layer. They force the clients to query a RA-
DIUS server for authentication and authorization. The RADIUS server can query other devices,
such as a TrendMicro anti-virus server, and reply to the network enforcers. Only when everything
is up to standard is the host identified and admitted to the network.
The Cisco NAC Appliance consolidates all the functions of the NAC framework into a single net-
work appliance fulfilling all of the same roles. Several major components accomplish these tasks:

Cisco NAC Appliance Server (NAS) - A device that is used to perform network access
control. This security enforcement device is implemented at the network level. It can be
implemented in-band or out-of-band at Layer 2 or Layer 3 as a virtual gateway or as a real IP
gateway, and it can be deployed centrally or in a distributed manner. The Cisco NAS performs
device-compliance checks as users attempt to access the network.
Cisco NAC Appliance Manager (NAM) - A centralized administrative interface that is used
by technical support personnel. The Cisco NAM provides a web-based interface for creating
security policies and managing online users. It can also act as an authentication proxy to
authenticate servers on the back end. Administrators can use it to establish user roles,
compliance checks, and remediation requirements. The Cisco NAM communicates with and
manages the Cisco NAS, which is the enforcement component of the Cisco NAC Appliance.
Cisco NAC Appliance Agent (NAA) - Client software that facilitates network admission. This
lightweight, read-only agent runs on an endpoint machine. It performs a deep inspection of
the security profile of a local machine by analyzing registry settings, services, and files.
Through this inspection, the NAA can determine whether a device has the required anti-virus
dat file, security patch, or critical Windows hotfix. A hotfix is a patch that can be installed,
while the application is running, to address vulnerabilities. It can then correct the problem by
pushing the required update to the host. For unmanaged assets, the Cisco NAA can be
downloaded as needed.
Rule-set updates - Automatic updates are used to keep the security level high by always
providing the latest virus updates and software patches for quarantined hosts.
The Cisco NAC Appliance extends NAC to all network access methods, including access through
LANs, remote-access gateways, and wireless access points. The Cisco NAC Appliance also sup-
ports posture assessment for guest users.
When deployed, the Cisco NAC Appliance provides several benefits:

Recognizes users, their devices, and their roles in the network. This first step occurs at the
point of authentication, before malicious code can cause damage.
Evaluates whether machines are compliant with security policies. Security policies can
include specific anti-virus or anti-spyware software, operating system updates, or patches. The
Cisco NAC Appliance supports policies that vary by user type, device type, or operating
Enforces security policies by blocking, isolating, and repairing noncompliant machines.

Noncompliant machines are redirected into a quarantine area, where remediation occurs at the dis-
cretion of a security professional.
The Cisco NAC Appliance process involves several steps:
Step 1. The user attempts to access a network resource.
Step 2. The user is redirected to a login page.
Step 3. The host is authenticated and optionally scanned for posture compliance. If compliant, the
host is granted access to the network. If not compliant, the host is quarantined to a VLAN, where
the host can be patched and become compliant.
The Cisco NAA is the software interface that users see when they interact with the Cisco NAC Ap-
pliance. There are three access windows:
1. The first window is the initial login window where the user enters the username and password
and the system is scanned for compliance.
2. If the scan fails, the user is granted temporary access and is presented the You Have Temporary
Access window.
3. If remediation is available, the Please Download and Install the Required Software window in-
vites the user to install the necessary software to become compliant.
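The three-step admission process above, as an added example that is not part of the course booklet and is not Cisco NAC Appliance code: a Python decision function that models authentication first, then posture assessment against a policy, and returns either production access, denial, or quarantine on a separate VLAN together with the remediation list the agent would present. The policy values, hotfix identifiers, VLAN numbers and endpoint attributes are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed policy. The hotfix IDs are placeholders, not real Microsoft KB numbers.
POLICY = {
    "min_av_dat_version": 20100301,        # anti-virus dat file date, YYYYMMDD
    "required_hotfixes": {"KB-PLACEHOLDER-1", "KB-PLACEHOLDER-2"},
    "required_services": {"antivirus", "host-firewall"},
}
PRODUCTION_VLAN = 10     # constructed
QUARANTINE_VLAN = 999    # constructed; reachable only from the remediation server


@dataclass
class Endpoint:
    username: str
    authenticated: bool          # outcome of the RADIUS authentication step
    av_dat_version: int
    hotfixes: Set[str]
    running_services: Set[str]


@dataclass
class Decision:
    action: str                  # "deny", "grant" or "quarantine"
    vlan: Optional[int]
    remediation: List[str] = field(default_factory=list)


def assess_posture(ep: Endpoint, policy=POLICY) -> List[str]:
    """Return the remediation steps the host still needs; an empty list means compliant."""
    steps = []
    if ep.av_dat_version < policy["min_av_dat_version"]:
        steps.append(f"update anti-virus dat file to {policy['min_av_dat_version']} or newer")
    for kb in sorted(policy["required_hotfixes"] - ep.hotfixes):
        steps.append(f"install hotfix {kb}")
    for svc in sorted(policy["required_services"] - ep.running_services):
        steps.append(f"start service {svc}")
    return steps


def admit(ep: Endpoint, policy=POLICY) -> Decision:
    """Steps 1 to 3 of the NAC Appliance process as a single decision function."""
    # Steps 1-2: the host is redirected to the login page. An unauthenticated
    # host is never scanned and never placed on any VLAN.
    if not ep.authenticated:
        return Decision("deny", None)
    # Step 3: posture assessment decides between the production and quarantine VLAN.
    steps = assess_posture(ep, policy)
    if steps:
        return Decision("quarantine", QUARANTINE_VLAN, steps)
    return Decision("grant", PRODUCTION_VLAN)
```

Ordering matters: authentication is checked before the posture scan so that an unknown user cannot learn which patches the policy requires, and the quarantine decision carries the remediation list so that the agent can drive the "Please Download and Install the Required Software" step without a second policy lookup.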

6.1.4 Endpoint Security with Cisco Security Agent
Cisco Security Agent (CSA), a host-based intrusion prevention system (HIPS) product, is software
that provides endpoint security by providing threat protection capabilities for server and desktop
computing systems. Because a single management console can support up to 100,000 agents, it is
a highly scalable solution.
The CSA architecture model consists of two components:

Management Center for CSA - Allows the administrator to divide network hosts into groups
by function and security requirements, and then configure security policies for those groups. It
can maintain a log of security violations and send alerts by email or pager.
Cisco Security Agent - The CSA component is installed on the host system, where it continuously
monitors local system activity and analyzes the operations of that system. CSA takes
proactive action to block attempted malicious activity and polls the Management Center at
configurable intervals for policy updates.
An SSL-enabled web interface can be used to securely connect from an administration workstation
to the Management Center for CSA.
When an application needs access to system resources, it makes an operating system call to the
kernel. CSA intercepts these operating system calls and compares them with the cached security
policy. If the request does not violate the policy, it is passed to the kernel for execution.
If the request violates the security policy, CSA blocks the request and takes two actions:

An appropriate error message is passed back to the application.
An alert is generated and sent to the Management Center for CSA.

CSA correlates this particular operating system call with the other calls made by that application
or process, and monitors these events to detect malicious activity.
CSA provides protection through the deployment of four interceptors:

File system interceptor - All file read or write requests are intercepted and allowed or denied
based on the security policy.
Network interceptor - Network driver interface specification (NDIS) changes are controlled
and network connections are cleared through the security policy. The number of network
connections that are allowed within a specified time can also be limited to prevent DoS
Configuration interceptor - Read and write requests to the registry in Windows or to run
control (rc) files on UNIX are intercepted. This interception occurs because modification of
the operating system configuration can have serious consequences. Therefore, CSA tightly
controls read/write requests to the registry.
Execution space interceptor - This interceptor deals with maintaining the integrity of the
dynamic runtime environment of each application by detecting and blocking requests to write
to memory that is not owned by the requesting application. Attempts by one application to
inject code, such as a shared library or dynamic link library (DLL), into another are also
detected and blocked. The interceptor also detects buffer overflow attacks, thereby preserving
the integrity of dynamic resources, such as the file system, configuration of web services,
memory, and network I/O.
By intercepting communication between applications and the underlying system, CSA combines
the functionality of traditional security approaches:

Distributed firewall - The network interceptor performs the functions of a host firewall.
HIPS - The network interceptor teams with the execution space interceptor to provide the
alerting capability of a HIPS with the proactive enforcement of a security policy.
Application sandbox - An application sandbox is an execution space in which suspect
programs can be run with less than normal access to system resources. This security service is
provided by a combination of file system, configuration, and execution space interceptors.
Network worm prevention - The network and execution space interceptors provide worm
prevention without a need for updates.
File integrity monitor - The file system and the configuration interceptors act as a file
integrity monitor.
The default policies that are preconfigured on CSA implement all of these security features. If
needed, customers can easily create or change policies.
Malicious attacks come in thousands of varieties, and new attacks are constantly being devised to
exploit discovered vulnerabilities. An analysis of the logical progression of an attack helps illus-
trate how almost every attack intends to gain control of core mechanisms in the target system.
There are significant differences between the attack mechanisms that are used in the probe and
penetrate phases compared to the attack mechanisms in the persist phase.
The first two stages change continuously, with new vulnerabilities being discovered and custom
exploits being created almost every day. Combating attacks at the probe and penetrate phases re-
quires constant updating of malicious IPS signatures and firewall defenses as these attacks evolve.
Attacks at these early phases also lend themselves to evasion techniques, such as Unicode encod-
ing of web strings or overlapping packet fragments. Attacks that alter at the penetrate stage require
a significant amount of investigation because they can generate false alarms that require time-con-
suming review by a security administrator.
In contrast, attack mechanisms in the persist phase and the later phases are comparatively stable.
The malicious activities of an attacker are limited, and an attack involves making a system call to
the kernel to access the system resources. The malicious code can attempt to modify the operating
system, modify files, create or alter network connections, or violate the memory space of active
Because consistently identifying attacks in their early phases is nearly impossible, CSA focuses on
providing proactive security by controlling access to system resources. This approach avoids the
need for updating defenses to keep up with the latest attack and protects hosts from a new attack.
For example, the Nimda and Slammer worms caused millions of dollars of damage to enterprises
on the first day of their appearance before updates were available, but CSA stopped these attacks
by identifying their malicious behavior without any updates.
CSA generates messages on client machines, which are logged and viewable from the CSA con-
sole. A user or administrator can review the log messages. A log message includes the date and
time, severity, text, an event code, filename, process name, source and destination IPs, rule ID, but-
ton code, source and destination ports, user, network packet, and raw event.
IronPort, NAC, and CSA work together to provide a seamless, comprehensive, end-to-end solution
for endpoint security in a LAN. However, a LAN can be vulnerable to a number of Layer 2 attacks
and VLAN attacks. Beyond endpoint security, attack mitigation in the LAN is a priority.

6.2 Layer 2 Security Considerations
6.2.1 Introducing Layer 2 Security
Network security professionals must mitigate attacks within the Layer 2 infrastructure. These at-
tacks include MAC address spoofing, STP manipulation, MAC address table overflows, LAN
storms, and VLAN attacks.
The first step in mitigating attacks such as these is to understand the underlying threats posed by
the Layer 2 infrastructure. Layer 2 can be a very weak link to the higher OSI Layers because if
Layer 2 is compromised, hackers can work their way up. It is important for the network security
professional to remember that Layer 2 attacks typically require internal access, either from an em-
ployee or visitor.
Another fundamental consideration is buffer overflows. Buffer overflows are often the source of a
DoS attack. Buffer overflows can also be used to enable the execution of arbitrary code in a program
and unauthorized privilege escalation.
Layer 2 is the Data Link Layer in the OSI model. It is one of the seven layers designed to work to-
gether but with autonomy. Layer 2 operates above the Physical Layer and below the Network and
Transport Layers. Layer 2 independence enables interoperability and interconnectivity. From a se-
curity perspective, Layer 2 independence creates a challenge because when the layer is compro-
mised, other layers are not aware of that fact, leaving them open to being compromised. Network
security is only as strong as the weakest link, and that link is often the Data Link Layer.
To help prevent Layer 2 exploitations, an application must carefully validate user input. The input
might contain improperly formatted data, control sequences, or too much data, such as with buffer
overflows. Remember, buffer overflow exploits try to overwrite memory belonging to an application.
Buffer overflows are perhaps the most common method of application subversion on the Internet
today. They are mostly used to gain access to root privileges or cause a DoS attack.
Tools, such as Cisco Security Agent, can be used to prevent buffer overflows.

6.2.2 MAC Address Spoofing Attacks
Unlike hubs, switches regulate the flow of data between ports by creating instant networks that
contain only the two endpoint devices communicating with each other at that moment in time.
Switches accomplish this by forwarding data out specific ports based on the MAC address.
Switches maintain MAC address tables, also known as content-addressable memory (CAM)
lookup tables, to track the source MAC addresses associated with each switch port. These lookup
tables are populated by an address-learning process on the switch.
It is important to note that data frames are sent by end systems, and their source and destination
addresses are not changed throughout the switched domain. If a switch receives an incoming data
frame and the destination MAC address is not in the table, the switch forwards the frame out all
ports, except for the port on which it was received. When the destination node responds, the switch
records the MAC address of the node in the address table from the frame source address field.
Switches populate the MAC address table by recording the source MAC address of a frame, and
associating that address with the port on which the frame is received.
In networks with multiple interconnected switches, the MAC address tables record multiple MAC
addresses for the ports interconnecting switches. These MAC addresses reflect remote nodes or
nodes that are connected to another switch within the switched domain.
The method used by switches to populate the MAC address table leads to a vulnerability known as
MAC spoofing. Spoofing attacks occur when one host masquerades or poses as another to receive
otherwise inaccessible data or to circumvent security configurations.
MAC spoofing attacks occur when an attacker alters the MAC address of their host to match an-
other known MAC address of a target host. The attacking host then sends a frame throughout the
network with the newly configured MAC address. When the switch receives the frame, it examines
the source MAC address. The switch overwrites the current MAC address table entry and assigns
the MAC address to the new port. It then inadvertently forwards frames destined for the target host
to the attacking host.
When the switch changes the MAC address table, the target host does not receive any traffic until
it sends traffic. When the target host sends traffic, the switch receives and examines the frame, re-
sulting in the MAC address table being rewritten once more, realigning the MAC address to the
original port.

6.2.3 MAC Address Table Overflow Attacks
In addition to MAC spoofing attacks, MAC address table overflow attacks are also possible on
Layer 2 devices. Remember that switches use MAC addresses to direct network communications
through their switch fabric to the appropriate port toward the destination node. The term fabric
refers to the integrated circuits and the accompanying machine programming that enables device
operation. For example, the switch fabric is responsible for controlling the data paths through the
switch. The MAC address table in a switch contains the MAC addresses that can be reached from
a given physical port of a switch and the associated VLAN parameters for each. When a Layer 2
switch receives a frame, the switch looks in the MAC address table for the destination MAC ad-
dress and forwards the frames appropriately.
The key to understanding how MAC address overflow attacks work is to know that MAC address
tables are limited in size. MAC flooding takes advantage of this limitation by bombarding the
switch with fake source MAC addresses until the switch MAC address table is full. If enough en-
tries are entered into the MAC address table before older entries expire, the table fills up to the
point that no new entries can be accepted. When this occurs, the switch begins to flood all incom-
ing traffic to all ports because there is no room in the table to learn any legitimate MAC addresses.
The switch, in essence, acts like a hub. As a result, the attacker can see all of the frames sent from
one host to another. Traffic is flooded only within the local VLAN, so the intruder sees only traffic
within the local VLAN to which the intruder is connected.
If the intruder does not maintain the flood of invalid source MAC addresses, the switch eventually
ages out the older MAC address entries from the table and begins to act like a switch again.
The most common way of implementing a MAC address table overflow attack is using the macof
tool. This tool floods a switch with frames containing randomly generated source and destination
MAC and IP addresses. Over a short period of time, the MAC address table fills up. When the
MAC address table is full of invalid source MAC addresses, the switch begins to flood all frames
that it receives. As long as macof is left running, the table on the switch remains full, and the
switch continues to flood all received frames out of every port.
Both MAC spoofing and MAC address table overflow attacks can be mitigated by configuring port security on the switch. With port security, the administrator can either statically specify the MAC addresses on a particular switch port or allow the switch to dynamically learn a fixed number of MAC addresses for a switch port. Statically specifying the MAC addresses is not a manageable solution for a production environment. Allowing the switch to dynamically learn a fixed number of MAC addresses is an administratively scalable solution.

6.2.4 STP Manipulation Attacks
Another vulnerability of Layer 2 devices is the Spanning Tree Protocol (STP). STP is a Layer 2
protocol that ensures a loop-free topology. STP operates by electing a root bridge and building a
tree topology from that root. STP allows for redundancy, but at the same time, ensures that only
one link is operational at a time and no loops are present.
Network attackers can manipulate STP to conduct an attack by changing the topology of a network. An attacker can make it appear that the attacking host is a root bridge, thereby spoofing the root bridge. All traffic for the immediate switched domain then passes through the rogue root bridge (the attacking system).
To conduct an STP manipulation attack, the attacking host broadcasts STP configuration and
topology change BPDUs to force spanning-tree recalculations. The BPDUs sent by the attacking
host announce a lower bridge priority in an attempt to be elected as the root bridge. If successful,
the attacking host becomes the root bridge and sees a variety of frames that otherwise are not ac-
This attack can be used to usurp all three of the security objectives: confidentiality, integrity, and
Mitigation techniques for STP manipulation include enabling PortFast as well as root guard and
BPDU guard.

6.2.5 LAN Storm Attack
Layer 2 devices are also vulnerable to LAN storm attacks. A LAN storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance. Errors in the protocol stack implementation, mistakes in network configurations, or users issuing a DoS attack can cause a storm. Broadcast storms can also occur on networks. Remember that switches always forward broadcasts out all ports. Some necessary protocols, such as Address Resolution Protocol (ARP) and Dynamic Host Configuration Protocol (DHCP), use broadcasts; therefore, switches must be able to forward broadcast traffic.
While it is not possible to prevent all types of packet storms and excessive broadcasts, it is possible to suppress them using storm control. Storm control prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on one of the physical interfaces. Storm control (or traffic suppression) monitors packets passing from an interface to the switching bus and determines if the packet is unicast, multicast, or broadcast. The switch counts the number of packets of a specified type received within a certain time interval and compares the measurement with a predefined suppression-level threshold. Storm control then blocks traffic when the rising threshold is
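The mitigations named in 6.2.4 (PortFast with BPDU guard on user ports, root guard on the designed root's downlinks) and the storm control described above, put together as an added configuration example that is not part of the course booklet. Hostnames (Access, Dist), interface names, the 20%/10% thresholds and the recovery behaviour are assumed values chosen for illustration.

```cisco
! Added example (not from the booklet); hostnames, interfaces and thresholds are assumed.
! Access switch, user-facing ports: PortFast moves the port straight to forwarding,
! and BPDU guard err-disables it the moment a BPDU arrives, so a host that announces
! itself as a bridge is cut off before it can take part in the root election.
Access(config)# interface range FastEthernet0/1 - 24
Access(config-if-range)# switchport mode access
Access(config-if-range)# spanning-tree portfast
Access(config-if-range)# spanning-tree bpduguard enable
! Storm control on the same ports: once broadcasts exceed 20% of the interface
! bandwidth (rising threshold) they are blocked until they fall below 10% (falling
! threshold). Filtering is the default action; trap adds an SNMP notification.
Access(config-if-range)# storm-control broadcast level 20.00 10.00
Access(config-if-range)# storm-control action trap
Access(config-if-range)# exit
! Let ports that BPDU guard disabled come back after the recovery interval.
Access(config)# errdisable recovery cause bpduguard
! Distribution switch (the designed root bridge): root guard goes on the ports that
! face the access layer, never on the path toward the real root. A superior BPDU on
! such a port puts it into root-inconsistent (blocking) state until the BPDUs stop.
Dist(config)# interface range GigabitEthernet0/1 - 2
Dist(config-if-range)# spanning-tree guard root
```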

6.2.6 VLAN Attacks
A VLAN is a logical broadcast domain that can span multiple physical LAN segments. Within the switched internetwork, VLANs provide segmentation and organizational flexibility. A VLAN structure can be designed to enable grouping of stations logically by function, project team, or application without regard to the physical location of the users. Each switch port can be assigned to only one VLAN, thereby adding a layer of security. Ports in a VLAN share broadcasts; ports in different VLANs do not share broadcasts. Containing broadcasts within a VLAN improves the overall performance of the network.
Using VLAN technology, switch ports and their connected users can be grouped into logically defined communities, such as coworkers in the same department, a cross-functional product team, or diverse user groups sharing the same network application. A VLAN can exist on a single switch or span multiple switches. VLANs can include hosts in a single building or multiple-building infrastructures. VLANs can also connect across metropolitan area networks.
There are a number of different types of VLAN attacks prevalent in modern switched networks. Rather than list all the types of attacks, it is important to understand the general methodology behind these attacks and the primary approaches to mitigate them.
The VLAN architecture simplifies network maintenance and improves performance, but it also opens the door to abuse. VLAN hopping enables traffic from one VLAN to be seen by another VLAN with the aid of a router. Under certain circumstances, attackers can sniff data and extract passwords and other sensitive information. The attack works by taking advantage of an incorrectly configured trunk port. By default, trunk ports have access to all VLANs and pass traffic for multiple VLANs across the same physical link, generally between switches. The data moving across these links might be encapsulated with IEEE 802.1Q or inter-switch link (ISL).
In a basic VLAN hopping attack, the attacker takes advantage of the default automatic trunking configuration on most switches. The network attacker configures a system to spoof itself as a switch. This spoofing requires that the network attacker be capable of emulating either ISL or 802.1Q signaling along with Cisco-proprietary Dynamic Trunking Protocol (DTP) signaling. By tricking a switch into thinking it is another switch that needs to trunk, an attacker can gain access to all the VLANs allowed on the trunk port. This attack requires a configuration on the port that supports trunking with auto or dynamic mode to succeed. As a result, the attacker is a member of all the VLANs that are trunked on the switch and can hop, that is, send and receive traffic on all the VLANs.
A VLAN hopping attack can be launched in one of two ways:
- Spoofing DTP messages from the attacking host to cause the switch to enter trunking mode. From here, the attacker can send traffic tagged with the target VLAN, and the switch then delivers the packets to the destination.
- Introducing a rogue switch and enabling trunking. The attacker can then access all the VLANs on the victim switch from the rogue switch.

The best way to prevent a basic VLAN hopping attack is to turn off trunking on all ports, except
the ones that specifically require trunking. On the required trunking ports, disable DTP (auto
trunking) negotiations and manually enable trunking.
Another type of VLAN attack is a double-tagging (or double-encapsulated) VLAN hopping attack. This type of attack takes advantage of the way that hardware on most switches operates. Most switches perform only one level of 802.1Q decapsulation; this can allow an attacker in specific situations to embed a hidden 802.1Q tag inside the frame. This tag allows the frame to go to a VLAN that the original 802.1Q tag did not specify. An important characteristic of the double-encapsulated VLAN hopping attack is that it works even if trunk ports are disabled.
A double-tagging VLAN hopping attack follows four steps:
1. The attacker sends a double-tagged 802.1Q frame to the switch. The outer header has the VLAN tag of the attacker, which is the same as the native VLAN of the trunk port. For the purposes of this example, assume that this is VLAN 10. The inner tag is the victim VLAN, in this example, VLAN 20.
2. The frame arrives on the switch, which looks at the first 4-byte 802.1Q tag. The switch sees that the frame is destined for VLAN 10, which is the native VLAN. The switch forwards the packet out on all VLAN 10 ports after stripping the VLAN 10 tag. On the trunk port the VLAN 10 tag is stripped, and the packet is not retagged since it is part of the native VLAN. At this point, the VLAN 20 tag is still intact and has not been inspected by the first switch.
3. The frame arrives at the second switch, which has no knowledge that it was supposed to be for VLAN 10. Native VLAN traffic is not tagged by the sending switch as specified in the 802.1Q
4. The second switch looks only at the inner 802.1Q tag that the attacker sent and sees that the frame is destined for VLAN 20, the target VLAN. The second switch sends the frame on to the victim port or floods it, depending on whether there is an existing MAC address table entry for the victim host.
This type of attack is unidirectional and works only when the attacker and trunk port have the
same native VLAN. Thwarting this type of attack is not as easy as stopping basic VLAN hopping
attacks. The best approach is to ensure that the native VLAN of the trunk ports is different from
the native VLAN of the user ports. In fact, it is considered a security best practice to use a dummy
VLAN that is unused throughout the switched LAN as the native VLAN for all 802.1Q trunks in a
switched LAN.
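The two VLAN hopping mitigations described in this section (no negotiated trunks, and an unused native VLAN on the 802.1Q trunks) as an added configuration example that is not part of the course booklet. Interface names and the VLAN numbers (10 and 20 for users, 999 as the dummy native VLAN) are assumed values.

```cisco
! Added example (not from the booklet); interface names and VLAN numbers are assumed.
! Basic VLAN hopping: every user-facing port is a fixed access port that never
! negotiates, so spoofed DTP messages from a host cannot turn it into a trunk.
Switch(config)# interface range FastEthernet0/1 - 24
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# switchport nonegotiate
Switch(config-if-range)# exit
! Create the dummy VLAN that will serve as the native VLAN; no port is ever assigned to it.
Switch(config)# vlan 999
Switch(config-vlan)# name NATIVE_UNUSED
Switch(config-vlan)# exit
! The inter-switch link is a trunk by configuration, not by negotiation.
Switch(config)# interface GigabitEthernet0/1
! On platforms that also support ISL, select 802.1Q before setting trunk mode.
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport nonegotiate
! Double tagging: because no user port belongs to VLAN 999, a frame from VLAN 10
! always leaves the trunk carrying its own tag, so the switch never strips an
! outer tag and forwards the frame with only the attacker's inner tag exposed.
Switch(config-if)# switchport trunk native vlan 999
! Carry only the VLANs the far end actually needs.
Switch(config-if)# switchport trunk allowed vlan 10,20
Switch(config-if)# exit
```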

6.3 Configuring Layer 2 Security
6.3.1 Configuring Port Security
After the vulnerabilities of a Layer 2 device are understood, the next step is to implement mitigation techniques to prevent the attacks that take advantage of those vulnerabilities. For example, to prevent MAC spoofing and MAC table overflows, enable port security.
Port security allows an administrator to statically specify MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses. By limiting the number of permitted MAC addresses on a port to one, port security can be used to control unauthorized expansion of the network.
When MAC addresses are assigned to a secure port, the port does not forward frames with source MAC addresses outside the group of defined addresses. When a port configured with port security receives a frame, the source MAC address of the frame is compared to the list of secure source addresses that were manually configured or autoconfigured (learned) on the port. If a MAC address of a device attached to the port differs from the list of secure addresses, the port either shuts down until it is administratively enabled (default mode) or drops incoming frames from the insecure host (restrict option). The behavior of the port depends on how it is configured to respond to a security
It is recommended that an administrator configure the port security feature to issue a shutdown rather than dropping frames from insecure hosts with the restrict option. The restrict option might fail under the load of an attack.
These are the steps for configuring port security on an access port:
Step 1. Configure an interface as an access interface.
Switch(config-if)# switchport mode access
If an interface is in the default mode (dynamic auto), it cannot be configured as a secure port.
Step 2. Enable port security on the interface using the switchport port-security command.
The complete syntax includes a number of optional parameters.
Switch(config-if)# switchport port-security [mac-address mac-address [vlan {vlan-id | {access | voice}}]] | [mac-address sticky [mac-address | vlan {vlan-id | {access | voice}}]] [maximum value [vlan {vlan-list | {access | voice}}]]
Step 3. (Optional) Set the maximum number of secure MAC addresses for the interface.
Switch(config-if)# switchport port-security maximum value
The range is 1 to 132. The default is 1.
After port security is enabled, it is necessary to establish the violation rules for the access port. Violation rules refer to the actions that the switch takes if a security violation occurs.
These are the steps for configuring port security violation on an access port:
Step 1. Set the violation mode. This is the action that the switch takes when a security violation is detected. If the violation mode is not specified, the default is to shut down the port.
Switch(config-if)# switchport port-security violation {protect | restrict | shutdown | shutdown vlan}
When a secure port is in the error-disabled state, meaning that a violation has occurred and the port is disabled, bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or manually re-enable it by entering the shutdown and no shutdown interface configuration commands.

Step 2. Enter a static secure MAC address for the interface.
Switch(config-if)# switchport port-security mac-address mac-address
Repeat this command as many times as necessary for each secure MAC address.
Step 3. Enable sticky learning on the interface.
Switch(config-if)# switchport port-security mac-address sticky
When sticky learning is enabled, the interface adds all secure MAC addresses that are dynamically learned, up to the maximum number configured, to the running configuration and converts these addresses to sticky secure MAC addresses.
Use the no switchport port-security interface configuration command to return the interface to the default condition as an unsecure port. The sticky secure addresses remain part of the running
Use the no switchport port-security maximum value interface configuration command to return the interface to the default number of secure MAC addresses.

Use the no switchport port-security violation {protect | restrict} interface configuration command to return the violation mode to the default condition (shutdown mode).
Port security aging can be used to set the aging time for static and dynamic secure addresses on a port. Two types of aging are supported per port:
- Absolute: The secure addresses on the port are deleted after the specified aging time.
- Inactivity: The secure addresses on the port are deleted only if they are inactive for the
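The port security procedure above (access mode, enable, maximum, violation mode, sticky learning, error-disable recovery) carried through on one user port, as an added configuration example that is not part of the course booklet. The interface, the access VLAN and the use of a single workstation per port are assumed values.

```cisco
! Added example (not from the booklet); interface and VLAN are assumed.
! One workstation per port: the first source MAC address seen is learned and kept.
Switch(config)# interface FastEthernet0/5
! Step 1: a secure port must be a fixed access port, not dynamic auto.
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
! Step 2 and 3: enable port security and allow a single secure address.
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
! shutdown is the default and the recommended mode: a violation err-disables the
! port instead of relying on per-frame filtering, which restrict does under load.
Switch(config-if)# switchport port-security violation shutdown
! Sticky learning writes the learned address into the running configuration as a
! secure address, so a different host on this port is a violation from now on.
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# exit
! Bring err-disabled ports back automatically after the recovery interval
! (300 seconds by default) rather than requiring shutdown / no shutdown by hand.
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# end
! Sticky addresses live only in the running configuration until it is saved.
Switch# copy running-config startup-config
! Verify the mode, the maximum, the learned address and the violation count.
Switch# show port-security interface FastEthernet0/5
```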

