Instructor Materials

Chapter 5: Network Security and Monitoring
Connecting Networks

© 2008 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
Cisco Networking Academy Program
© 2006, Cisco Systems, Inc. All rights reserved.
Chapter 5 – Sections & Objectives
5.1 LAN Security
Explain how to mitigate common LAN security attacks.
5.2 SNMP
Configure SNMP to monitor network operations in a small to medium-sized business network.
5.3 Cisco Switch Port Analyzer (SPAN)
Troubleshoot a network problem using SPAN.

5.1 LAN Security

LAN Security
LAN Security Attacks
Common attacks against the Layer 2 LAN infrastructure include:
CDP Reconnaissance Attacks
Telnet Attacks
MAC Address Table Flooding Attacks
VLAN Attacks
DHCP Attacks

LAN Security
LAN Security Best Practices
This topic covers several Layer 2 security solutions:
Mitigating MAC address table flooding attacks using port security
Mitigating VLAN attacks
Mitigating DHCP attacks using DHCP snooping
Securing administrative access using AAA
Securing device access using 802.1X port authentication
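
A switch configuration sketch for three of the mitigations listed above: port security, trunk hardening against VLAN attacks, and DHCP snooping. This is an added example, not taken from the original slides; the interface names, VLAN numbers and limits are assumed values.

```cisco
! Added example; interfaces, VLAN IDs and limits are assumed values.
!
! Port security on an access port: caps the number of learned MAC
! addresses so a flood of spoofed source MACs cannot fill the MAC
! address table through this port.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! Trunk hardening: set the mode statically, stop DTP negotiation,
! move the native VLAN to an unused VLAN and prune the allowed list.
interface GigabitEthernet0/1
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
!
! DHCP snooping: only the uplink toward the legitimate DHCP server is
! trusted; DHCP server replies arriving on untrusted ports are dropped,
! and client ports are rate-limited against request floods.
ip dhcp snooping
ip dhcp snooping vlan 10,20
interface GigabitEthernet0/1
 ip dhcp snooping trust
interface range FastEthernet0/1 - 24
 ip dhcp snooping limit rate 6
!
! Verification (run from privileged EXEC mode):
!   show port-security interface FastEthernet0/1
!   show interfaces trunk
!   show ip dhcp snooping
```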

LAN Security
LAN Security Best Practices
There are several strategies to help secure Layer 2 of a network:
Always use secure protocol variants such as SSH, SCP, SSL, SNMPv3, and SFTP.
Always use strong passwords and change them often.
Enable CDP on select ports only.
Secure Telnet access.
Use a dedicated management VLAN where nothing but management traffic resides.
Use ACLs to filter unwanted access.

5.2 SNMP

SNMP
SNMP Operation
SNMP allows administrators to manage and monitor devices on an IP network.
SNMP elements: SNMP Manager, SNMP Agent, MIB
SNMP operations: Trap, Get, Set

SNMP
SNMP Operation
SNMP Security Model and Levels

SNMP Operations

Management Information Base (MIB)
Each MIB entry has an Object ID (OID).
For example, from the tree on this slide:
The interface group would be 1.3.6.1.4.1.9.2.2
The cisco flash group would be 1.3.6.1.4.1.9.9.10

SNMP
Configuring SNMP
Configuration steps
Configure community string
Document location of device
Document system contact
Restrict SNMP Access
Specify recipient of SNMP Traps
Enable traps on SNMP agent
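
The six configuration steps above as Cisco IOS commands, followed by an SNMPv3 configuration at the authentication-plus-encryption level for comparison. This is an added example, not taken from the original slides; every name, address and secret in it is a placeholder.

```cisco
! Added example; names, addresses and secrets are placeholders.
!
! Restrict SNMP access: only the NMS at 192.0.2.10 may query the agent.
! The ACL is defined first because the community command references it.
ip access-list standard SNMP_ACL
 permit host 192.0.2.10
!
! SNMPv2c. The community string is the only credential and is sent in
! cleartext, so it is read-only (ro) and bound to the ACL.
snmp-server community EXAMPLE-RO-STRING ro SNMP_ACL
snmp-server location EXAMPLE-WIRING-CLOSET
snmp-server contact EXAMPLE-NOC-CONTACT
!
! Trap recipient, then enable traps on the agent.
snmp-server host 192.0.2.10 version 2c EXAMPLE-RO-STRING
snmp-server enable traps
!
! SNMPv3 with authentication and encryption (the "priv" level).
! The view limits which part of the MIB tree the group may read,
! and the same ACL limits who may connect.
snmp-server view SNMP-RO iso included
snmp-server group ADMIN v3 priv read SNMP-RO access SNMP_ACL
snmp-server user EXAMPLE-USER ADMIN v3 auth sha EXAMPLE-AUTH-PASS priv aes 128 EXAMPLE-PRIV-PASS
snmp-server host 192.0.2.10 version 3 priv EXAMPLE-USER
!
! Verification (run from privileged EXEC mode):
!   show snmp
!   show snmp community
!   show snmp user
```

Once the SNMPv3 user works from the NMS, remove the v2c community and v2c trap host lines so the cleartext credential is no longer accepted.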

SNMP
Configuring SNMP
Securing SNMPv3

5.3 Cisco Switch Port Analyzer (SPAN)

Cisco Switch Port Analyzer
SPAN Overview
Port mirroring
The port mirroring feature allows a switch to copy and send Ethernet frames from specific ports to the destination port connected to a packet analyzer. The original frame is still forwarded in the usual manner.

Cisco Switch Port Analyzer
SPAN Overview
SPAN terminology

Cisco Switch Port Analyzer
SPAN Overview
RSPAN terminology

Cisco Switch Port Analyzer
SPAN Configuration
Use the monitor session global configuration command.
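
A local SPAN session and an RSPAN pair built with the monitor session command. This is an added example, not taken from the original slides; the session numbers, interface names and VLAN 999 are assumed values.

```cisco
! Added example; session numbers, interfaces and VLAN 999 are assumed.
!
! Local SPAN: copy frames in both directions from the source port to
! the destination port where the packet analyzer or IPS is attached.
monitor session 1 source interface GigabitEthernet0/1 both
monitor session 1 destination interface GigabitEthernet0/2
!
! RSPAN, source switch: mirrored frames are carried in a dedicated
! remote-span VLAN instead of being sent to a local port.
vlan 999
 remote-span
monitor session 2 source interface GigabitEthernet0/3 rx
monitor session 2 destination remote vlan 999
!
! RSPAN, destination switch: the same VLAN must exist here as a
! remote-span VLAN and be allowed on the trunks between the switches.
vlan 999
 remote-span
monitor session 1 source remote vlan 999
monitor session 1 destination interface GigabitEthernet0/2
!
! Verification (run from privileged EXEC mode):
!   show monitor
```

The destination port receives a copy of every mirrored frame, so review the output of show monitor periodically for sessions nobody remembers creating.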

Cisco Switch Port Analyzer
SPAN as a Troubleshooting Tool
SPAN allows administrators to troubleshoot network issues.
An administrator can use SPAN to duplicate and redirect traffic to a packet analyzer.
An administrator can analyze traffic from all devices to troubleshoot sub-optimal operation of network applications.

5.4 Chapter Summary

Chapter Summary
Summary
At Layer 2, a number of vulnerabilities exist that require specialized mitigation techniques:
MAC address table flooding attacks are addressed with port security.
VLAN attacks are controlled by disabling DTP and following basic guidelines for configuring trunk ports.
DHCP attacks are addressed with DHCP snooping.
The SNMP protocol has three elements: the Manager, the Agent, and the MIB. The SNMP manager resides on the NMS, while the Agent and the MIB are on the client devices.
The SNMP Manager can poll the client devices for information, or it can use a TRAP message that tells a client to report immediately if the client reaches a particular threshold. SNMP can also be used to change the configuration of a device.

Summary Continued
SNMPv3 is the recommended version because it provides security.
SNMP is a comprehensive and powerful remote management tool. Nearly every item available in a show command is available through SNMP.
Switched Port Analyzer (SPAN) is used to mirror the traffic going to and/or coming from the host. It is commonly implemented to support traffic analyzers or IPS devices.
