Uploaded by randall-clark, posted on 23-Jan-2016.

Page 1: Cisco Security Impenetrable Wall? or Hacker’s Delight? Kevin King - Senior Technical Instructor ● Infrastructructure/Cloud Consulting | MCT CCSI MCSE-Private

Cisco Security: Impenetrable Wall? or Hacker’s Delight?

Kevin King - Senior Technical Instructor ● Infrastructure/Cloud Consulting | MCT CCSI MCSE-Private Cloud MCSA MCSA-Server 2012 MCSE CCNA Data Center Cisco Quality Instructor 2014 New Horizons CLC | 6700 Jefferson, Building A | Albuquerque, NM 87109 | p: 505.830.7100 | f: 505.830.2239 | [email protected] | www.nhabq.com

Page 2

Major Concepts

• Describe endpoint vulnerabilities and protection methods
• Describe basic Catalyst switch vulnerabilities
• Configure and verify switch security features, including port security and storm control
• Describe the fundamental security considerations of Wireless, VoIP, and SANs

Page 3

Securing the LAN

[Diagram: the perimeter between the Internet and the LAN, with IPS, MARS, VPN, ACS, IronPort, Firewall, Web Server, Email Server, DNS, and the LAN hosts.]

Areas of concentration:
• Securing endpoints
• Securing network infrastructure

Page 4

Addressing Endpoint Security

[Diagram: a secure host surrounded by Threat Protection, Policy Compliance, and Infection Containment.]

Based on three elements:
• Cisco Network Admission Control (NAC)
• Endpoint protection
• Network infection containment

Page 5

Operating Systems Basic Security Services

• Trusted code and trusted path – ensures that the integrity of the operating system is not violated
• Privileged context of execution – provides identity authentication and certain privileges based on the identity
• Process memory protection and isolation – provides separation from other users and their data
• Access control to resources – ensures confidentiality and integrity of data

Page 6

Types of Application Attacks

[Diagram: two attack paths against an application.]
• Direct: “I have gained direct access to this application’s privileges.”
• Indirect: “I have gained access to this system which is trusted by the other system, allowing me to access it.”

Page 7

Cisco Systems Endpoint Security Solutions

• Cisco NAC
• Cisco Security Agent
• IronPort

Page 8

Cisco NAC

NAC Framework
• Software module embedded within NAC-enabled products
• Integrated framework leveraging multiple Cisco and NAC-aware vendor products

Cisco NAC Appliance
• In-band Cisco NAC Appliance solution can be used on any switch or router platform
• Self-contained, turnkey solution

The purpose of NAC: allow only authorized and compliant systems to access the network, and enforce network security policy.

Page 9

Cisco NAC Appliance Process

[Diagram: a wired or wireless host, the Cisco NAS (NAC Server), the Cisco NAM (NAC Manager), an authentication server, a quarantine role, and the intranet/network; the goal is access to the intranet/network.]

1. Host attempts to access a web page or uses an optional client. Network access is blocked until the wired or wireless host provides login information.
2. Host is redirected to a login page. Cisco NAC Appliance validates username and password, and also performs device and network scans to assess vulnerabilities on the device.
3. The host is authenticated and optionally scanned for posture compliance.
   3a. Device is noncompliant or login is incorrect: host is denied access and assigned to a quarantine role with access to online remediation resources.
   3b. Device is “clean”: machine gets on the “certified devices list” and is granted access to the network.

Page 10

CSA Architecture

[Diagram: Management Center for Cisco Security Agent with an internal or external database, an administration workstation, and a server protected by Cisco Security Agent; the security policy is pushed to the agent and events/alerts are returned, over SSL.]

Page 11

Attack Phases

Cisco Security Agent interceptors on the protected server:
– File system interceptor
– Network interceptor
– Configuration interceptor
– Execution space interceptor

Phases of an attack:
– Probe phase
  • Ping scans
  • Port scans
– Penetrate phase
  • Transfer exploit code to target
– Persist phase
  • Install new code
  • Modify configuration
– Propagate phase
  • Attack other targets
– Paralyze phase
  • Erase files
  • Crash system
  • Steal data

Page 12

CSA Log Messages

Page 13

Layer 2 Security

[Diagram: the same network as page 3 (IPS, MARS, VPN, ACS, IronPort, Firewall, Web Server, Email Server, DNS, hosts, perimeter, Internet), now highlighting the LAN switching layer.]

Page 14

OSI Model

When it comes to networking, Layer 2 is often a very weak link.

[Diagram: two OSI stacks (Application, Presentation, Session, Transport, Network, Data Link, Physical), labelled with what each level carries: application stream, protocols and ports, IP addresses, MAC addresses, physical links. An initial compromise at the Data Link layer leaves every layer above it compromised.]

Page 15

MAC Address Spoofing Attack

[Diagram: a switch with the legitimate host (MAC address AABBcc) on Port 1 and the attacker (MAC address 12AbDd) on Port 2.]

Switch: “I have associated Ports 1 and 2 with the MAC addresses of the devices attached. Traffic destined for each device will be forwarded directly.”

The switch keeps track of the endpoints by maintaining a MAC address table. In MAC spoofing, the attacker poses as another host—in this case, AABBcc.

Page 16

MAC Address Spoofing Attack (continued)

[Diagram: the attacker on Port 2 now also presents MAC address AABBcc, so the switch’s MAC address table maps AABBcc to Port 2.]

Attacker: “I have changed the MAC address on my computer to match the server.”

Switch: “The device with MAC address AABBcc has changed locations to Port 2. I must adjust my MAC address table accordingly.”

Page 17

MAC Address Table Overflow Attack

The switch can forward frames between PC1 and PC2 without flooding because the MAC address table contains port-to-MAC-address mappings for these PCs.

Page 18

MAC Address Table Overflow Attack (continued)

[Diagram: hosts A, B, C, D in VLAN 10; the intruder is host C on port 3/25; the CAM table fills with bogus entries X, Y, Z, all on port 3/25.]

1. Intruder runs macof to begin sending unknown bogus MAC addresses.
2. Bogus addresses are added to the CAM table. CAM table is full.
3. The switch floods the frames.
4. Attacker sees traffic to servers B and D.

Page 19

STP Manipulation Attack

• Spanning tree protocol operates by electing a root bridge
• STP builds a tree topology
• STP manipulation changes the topology of a network—the attacking host appears to be the root bridge

[Diagram: the legitimate root bridge (priority = 8192, MAC address = 0000.00C0.1234) with forwarding (F) and blocking (B) ports.]

Page 20

STP Manipulation Attack (continued)

[Diagram: the attacker sends STP BPDUs with priority = 0 towards both switches; the original root bridge (priority = 8192) loses the election and the forwarding (F) and blocking (B) port states change.]

The attacking host broadcasts out STP configuration and topology change BPDUs. This is an attempt to force spanning tree recalculations.

Page 21

LAN Storm Attack

• Broadcast, multicast, or unicast packets are flooded on all ports in the same VLAN.
• These storms can increase the CPU utilization on a switch to 100%, reducing the performance of the network.

[Diagram: a broadcast frame replicated out of every port of the switch.]

Page 22

Storm Control

[Diagram: graph of the total number of broadcast packets or bytes over time against the storm-control threshold.]

Page 23

VLAN Attacks

VLAN = Broadcast Domain = Logical Network (Subnet)

[Diagram: VLANs provide segmentation, flexibility, and security.]

Page 24

VLAN Attacks (continued)

[Diagram: an attacker on VLAN 10 brings up an 802.1Q trunk to the switch and sees traffic destined for the servers on VLAN 20.]

A VLAN hopping attack can be launched in two ways:
• Spoofing DTP messages from the attacking host to cause the switch to enter trunking mode
• Introducing a rogue switch and turning trunking on

Page 25

Double-Tagging VLAN Attack

[Diagram: attacker on VLAN 10, a trunk between two switches with native VLAN = 10, and the victim on VLAN 20. The frame starts as 802.1Q, 802.1Q, Frame (tags 20,10) and crosses the trunk as 802.1Q, Frame (tag 20).]

1. Attacker on VLAN 10, but puts a 20 tag in the packet.
2. The first switch strips off the first tag and does not retag it (native traffic is not retagged). It then forwards the packet to switch 2.
3. The second switch receives the packet on the native VLAN.
4. The second switch examines the packet, sees the VLAN 20 tag and forwards it accordingly.

Note: This attack works only if the trunk has the same native VLAN as the attacker.
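The frame walk above, as an added example that is not part of the slides: a small 802.1Q frame builder and parser, a check a monitoring point (such as the SPAN port of page 48) can use to flag double-tagged frames, and a model of the trunk crossing with the native VLAN first equal to the attacker's VLAN and then set to an unused VLAN, as page 46 recommends. MAC addresses, VLAN numbers and the payload are constructed; the model assumes the first switch accepts a frame tagged with the port's own access VLAN.

```python
"""Added example: 802.1Q tag parsing and the double-tagging native-VLAN condition.
Constructed for illustration; not code from the slides or from Cisco."""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, vlans, ethertype=ETHERTYPE_IPV4, payload=b"payload"):
    """Ethernet header followed by one 802.1Q tag per entry in `vlans` (outermost first)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vlans)
    return hdr + tags + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return the VLAN IDs carried by the frame, outermost first."""
    vlans, offset = [], 12                      # 12 = destination + source MAC
    while frame[offset:offset + 2] == struct.pack("!H", TPID_8021Q):
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        vlans.append(tci & 0x0FFF)              # low 12 bits of the TCI are the VLAN ID
        offset += 4
    return vlans


def is_double_tagged(frame):
    return len(parse_tags(frame)) > 1


def flag_double_tagged(frames):
    """For a mirrored feed: indexes of frames carrying more than one 802.1Q tag."""
    return [i for i, f in enumerate(frames) if is_double_tagged(f)]


def deliver_over_trunk(frame, trunk_native_vlan):
    """Switch 1 sends the frame out the trunk; return the VLAN switch 2 assigns it to.

    Native-VLAN traffic leaves the trunk untagged and is not retagged, so when the
    outer tag equals the native VLAN it is stripped and whatever tag sits underneath
    becomes the outer tag for switch 2. An untagged frame arriving on the trunk is
    assigned to the native VLAN."""
    tags = parse_tags(frame)
    if tags and tags[0] == trunk_native_vlan:
        tags = tags[1:]                         # stripped, not retagged
    return tags[0] if tags else trunk_native_vlan


# Constructed frames: the attacker's double-tagged frame and an ordinary VLAN 10 frame.
ATTACK_FRAME = build_frame("ff:ff:ff:ff:ff:ff", "00:00:0c:aa:bb:cc", vlans=[10, 20])
NORMAL_FRAME = build_frame("ff:ff:ff:ff:ff:ff", "00:00:0c:aa:bb:cc", vlans=[10])

if __name__ == "__main__":
    print("tags:", parse_tags(ATTACK_FRAME))
    print("native VLAN 10  ->", deliver_over_trunk(ATTACK_FRAME, 10))   # reaches VLAN 20
    print("native VLAN 999 ->", deliver_over_trunk(ATTACK_FRAME, 999))  # stays in VLAN 10
```

With the trunk's native VLAN equal to the attacker's access VLAN the inner tag 20 survives the trunk; with an unused native VLAN the outer tag 10 is kept and switch 2 files the frame under VLAN 10, which is exactly why step 3 of page 46 matters.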

Page 26

Port Security Overview

[Diagram: port 0/1 allows MAC A, port 0/2 allows MAC B, port 0/3 allows MAC C; two attackers, one presenting MAC A and one presenting MAC F, are connected to the secured ports.]

Allows an administrator to statically specify MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses.

Page 27

CLI Commands

Switch(config-if)# switchport mode access
• Sets the interface mode as access

Switch(config-if)# switchport port-security
• Enables port security on the interface

Switch(config-if)# switchport port-security maximum value
• Sets the maximum number of secure MAC addresses for the interface (optional)

Page 28

Switchport Port-Security Parameters

mac-address mac-address: (Optional) Specify a secure MAC address for the port by entering a 48-bit MAC address. You can add additional secure MAC addresses up to the maximum value configured.

vlan vlan-id: (Optional) On a trunk port only, specify the VLAN ID and the MAC address. If no VLAN ID is specified, the native VLAN is used.

vlan access: (Optional) On an access port only, specify the VLAN as an access VLAN.

vlan voice: (Optional) On an access port only, specify the VLAN as a voice VLAN.

mac-address sticky [mac-address]: (Optional) Enable the interface for sticky learning by entering only the mac-address sticky keywords. When sticky learning is enabled, the interface adds all secure MAC addresses that are dynamically learned to the running configuration and converts these addresses to sticky secure MAC addresses. Specify a sticky secure MAC address by entering the mac-address sticky mac-address keywords.

maximum value: (Optional) Set the maximum number of secure MAC addresses for the interface. The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system. The active Switch Database Management (SDM) template determines this number. This number represents the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces. The default setting is 1.

vlan [vlan-list]: (Optional) For trunk ports, you can set the maximum number of secure MAC addresses on a VLAN. If the vlan keyword is not entered, the default value is used.
• vlan: set a per-VLAN maximum value.
• vlan vlan-list: set a per-VLAN maximum value on a range of VLANs separated by a hyphen or a series of VLANs separated by commas. For nonspecified VLANs, the per-VLAN maximum value is used.

Page 29

Port Security Violation Configuration

Switch(config-if)# switchport port-security mac-address sticky
• Enables sticky learning on the interface (optional)

Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}
• Sets the violation mode (optional)

Switch(config-if)# switchport port-security mac-address mac-address
• Enters a static secure MAC address for the interface (optional)

Page 30

Switchport Port-Security Violation Parameters

protect: (Optional) Set the security violation protect mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.

restrict: (Optional) Set the security violation restrict mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred.

shutdown: (Optional) Set the security violation shutdown mode. In this mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and increments the violation counter. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands.

shutdown vlan: Set the security violation mode to per-VLAN shutdown. In this mode, only the VLAN on which the violation occurred is error-disabled.
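Added simulation, not code from the slides or from Cisco: a tiny model of a switch MAC (CAM) table with port security, showing the MAC address table overflow attack of page 18 (bogus source addresses fill the table, the legitimate entries age out and can no longer be learned, so the switch floods) and the protect / restrict / shutdown violation modes of the table above. Port names, MAC labels, the aging step and the four-entry table capacity are constructed so the effect is visible in a handful of frames.

```python
"""Added example: CAM table overflow versus port security violation modes.
Constructed simulation; ports, MAC labels and the table capacity are made up."""


class Switch:
    def __init__(self, cam_capacity=4):
        self.cam = {}             # mac -> (port, tick when last seen)
        self.cam_capacity = cam_capacity
        self.secure = {}          # port -> port-security state
        self.notifications = []   # what restrict/shutdown would syslog or trap
        self.tick = 0

    def enable_port_security(self, port, maximum=1, mode="shutdown"):
        self.secure[port] = {"max": maximum, "mode": mode, "learned": set(),
                             "violations": 0, "errdisabled": False}

    def _port_security_allows(self, port, src):
        sec = self.secure.get(port)
        if sec is None:
            return True                          # port security not enabled here
        if sec["errdisabled"]:
            return False                         # port is err-disabled, nothing passes
        if src in sec["learned"]:
            return True
        if len(sec["learned"]) < sec["max"]:
            sec["learned"].add(src)              # dynamically learned secure MAC
            return True
        # Unknown source beyond the maximum: a violation.
        if sec["mode"] == "protect":
            return False                         # dropped silently, no notification
        sec["violations"] += 1
        self.notifications.append(f"port {port}: violation by {src} ({sec['mode']})")
        if sec["mode"] == "shutdown":
            sec["errdisabled"] = True            # the whole port goes err-disabled
        return False

    def _learn(self, port, src):
        if src in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[src] = (port, self.tick)
        # otherwise the table is full and the address is simply not learned

    def receive(self, port, src, dst):
        self.tick += 1
        if not self._port_security_allows(port, src):
            return "dropped"
        self._learn(port, src)
        if dst in self.cam:
            return f"unicast:{self.cam[dst][0]}"
        return "flood"                           # unknown unicast is flooded in the VLAN

    def age_out(self, max_age):
        stale = [m for m, (_, seen) in self.cam.items() if seen <= self.tick - max_age]
        for m in stale:
            del self.cam[m]


def overflow_scenario(port_security):
    """Hosts A (3/1) and B (3/2) talk; an attacker on 3/25 floods bogus sources."""
    sw = Switch(cam_capacity=4)
    if port_security:
        sw.enable_port_security("3/25", maximum=1, mode="restrict")
    sw.receive("3/1", "A", "B")
    sw.receive("3/2", "B", "A")
    for i in range(6):                           # macof-style bogus sources X0..X5
        sw.receive("3/25", f"X{i}", "Z")
    sw.age_out(max_age=6)                        # A and B were idle; bogus entries are fresh
    for i in range(6, 8):
        sw.receive("3/25", f"X{i}", "Z")         # attacker keeps the table full
    sw.receive("3/1", "A", "B")
    sw.receive("3/2", "B", "A")
    final = sw.receive("3/1", "A", "B")          # flooded (attacker sees it) or unicast?
    violations = sw.secure.get("3/25", {}).get("violations", 0)
    return final, sorted(sw.cam), violations


def violation_demo(mode):
    """One allowed address, then two offenders, under the given violation mode."""
    sw = Switch()
    sw.enable_port_security("0/1", maximum=1, mode=mode)
    for src in ("A", "F", "G"):
        sw.receive("0/1", src, "B")
    sec = sw.secure["0/1"]
    return sec["violations"], sec["errdisabled"], len(sw.notifications)


if __name__ == "__main__":
    print("no port security :", overflow_scenario(False))
    print("port security    :", overflow_scenario(True))
    for m in ("protect", "restrict", "shutdown"):
        print(m, violation_demo(m))
```

Without port security the final A-to-B frame is flooded and only the attacker's addresses are left in the table; with a maximum of one secure address on 3/25 the bogus sources are refused, A and B are relearned, and restrict mode also leaves a count and a notification behind, which protect mode would not.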

Page 31

Port Security Aging Configuration

Switch(config-if)# switchport port-security aging {static | time time | type {absolute | inactivity}}
• Enables or disables static aging for the secure port or sets the aging time or type

Page 32

Switchport Port-Security Aging Parameters

static: Enable aging for statically configured secure addresses on this port.

time time: Specify the aging time for this port. The range is 0 to 1440 minutes. If the time is 0, aging is disabled for this port.

type absolute: Set absolute aging type. All the secure addresses on this port age out exactly after the time (minutes) specified and are removed from the secure address list.

type inactivity: Set the inactivity aging type. The secure addresses on this port age out only if there is no data traffic from the secure source address for the specified time period.

Page 33

Typical Configuration

Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security aging time 120

[Diagram: switch S2 with PC B attached to the secured port.]

Page 34

CLI Commands

sw-class# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
               (Count)       (Count)          (Count)
---------------------------------------------------------------------------
     Fa0/12              2            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024

sw-class# show port-security interface f0/12
Port Security              : Enabled
Port status                : Secure-down
Violation mode             : Shutdown
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Aging time                 : 120 mins
Aging type                 : Absolute
SecureStatic address aging : Disabled
Security Violation Count   : 0

Page 35

View Secure MAC Addresses

sw-class# show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   1    0000.ffff.aaaa    SecureConfigured    Fa0/12        -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024
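Added example, not part of the slides: a parser for the two show commands above and an audit that turns their output into findings an operator should act on (ports with a violation count, ports left in protect mode where violations go unreported, and ports that are err-disabled). The Fa0/12 lines are the slides' own output; the Fa0/13 and Fa0/14 rows and the second interface block are constructed.

```python
"""Added example: parse 'show port-security' output and flag what needs attention.
The Fa0/12 output is from the slides; Fa0/13 and Fa0/14 are constructed."""
import re

SUMMARY_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")
IFACE_CMD = re.compile(r"show port-security interface\s+(\S+)")

SAMPLE_SUMMARY = """\
sw-class# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
               (Count)       (Count)          (Count)
---------------------------------------------------------------------------
     Fa0/12              2            0                  0         Shutdown
     Fa0/13              2            2                  1         Shutdown
     Fa0/14              1            1                  0          Protect
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 1024
"""

SAMPLE_IFACE_12 = """\
sw-class# show port-security interface f0/12
Port Security              : Enabled
Port status                : Secure-down
Violation mode             : Shutdown
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Aging time                 : 120 mins
Aging type                 : Absolute
SecureStatic address aging : Disabled
Security Violation Count   : 0
"""

SAMPLE_IFACE_13 = """\
sw-class# show port-security interface f0/13
Port Security              : Enabled
Port status                : Secure-shutdown
Violation mode             : Shutdown
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Security Violation Count   : 1
"""


def parse_summary(text):
    """Rows of the 'show port-security' table as dicts."""
    rows = []
    for line in text.splitlines():
        m = SUMMARY_ROW.match(line.strip())
        if m:
            rows.append({"port": m.group(1), "max": int(m.group(2)),
                         "current": int(m.group(3)), "violations": int(m.group(4)),
                         "action": m.group(5)})
    return rows


def parse_interface(text):
    """'show port-security interface' output as a key/value dict."""
    fields = {}
    for line in text.splitlines():
        m = IFACE_CMD.search(line)
        if m:
            fields["interface"] = m.group(1)     # taken from the command line itself
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def audit_port_security(summary_text, interface_texts):
    findings = []
    for row in parse_summary(summary_text):
        if row["violations"]:
            findings.append(f"{row['port']}: {row['violations']} violation(s) logged, "
                            f"action {row['action']}")
        if row["action"] == "Protect":
            findings.append(f"{row['port']}: protect mode drops offending frames "
                            "without any notification")
    for text in interface_texts:
        f = parse_interface(text)
        if f.get("Port status", "").startswith("Secure-shutdown"):
            findings.append(f"{f['interface']}: err-disabled after a violation; "
                            "investigate before 'shutdown' / 'no shutdown'")
    return findings


if __name__ == "__main__":
    for finding in audit_port_security(SAMPLE_SUMMARY, [SAMPLE_IFACE_12, SAMPLE_IFACE_13]):
        print(finding)
```

The summary table is enough to spot counted violations and silent protect-mode ports; the per-interface output is what tells you a port has actually gone err-disabled, which the summary's action column alone does not.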

Page 36

MAC Address Notification

MAC address notification allows monitoring of the MAC addresses, at the module and port level, added by the switch or removed from the CAM table for secure ports.

[Diagram: switch CAM table with F1/1 = MAC A, F1/2 = MAC B, and F2/1 = MAC D, whose address ages out because MAC D is away from the network. SNMP traps are sent to the NMS when new MAC addresses appear or when old ones time out.]
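Added example, not part of the slides: the same three events MAC address notification reports (a new address, an aged-out address, and an address that changed port) produced by diffing two snapshots of the MAC address table. A MAC that moves from one port to another is the signature of the spoofing sequence on pages 15 and 16, so moves of addresses that should never change port are returned separately as alerts. Both snapshots are constructed in the layout of `show mac address-table`.

```python
"""Added example: new / aged-out / moved MAC addresses from two table snapshots.
Snapshots are constructed; the move of aabb.cc00.000a is the spoofing case."""

BEFORE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    aabb.cc00.000a    DYNAMIC     Fa1/1
  10    aabb.cc00.000b    DYNAMIC     Fa1/2
  10    aabb.cc00.000d    DYNAMIC     Fa2/1
"""

AFTER = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    aabb.cc00.000a    DYNAMIC     Fa2/5
  10    aabb.cc00.000b    DYNAMIC     Fa1/2
  10    aabb.cc00.000f    DYNAMIC     Fa1/3
"""


def parse_mac_table(text):
    """Map mac -> (vlan, port) from the table rows; header and rule lines are skipped."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0].isdigit() and parts[2] in ("DYNAMIC", "STATIC"):
            vlan, mac, _, port = parts
            table[mac] = (int(vlan), port)
    return table


def diff_mac_tables(before, after):
    """Events as (kind, mac, detail) tuples, sorted for stable reporting."""
    events = []
    for mac, (_, port) in after.items():
        if mac not in before:
            events.append(("new", mac, port))
        elif before[mac][1] != port:
            events.append(("moved", mac, f"{before[mac][1]}->{port}"))
    for mac, (_, port) in before.items():
        if mac not in after:
            events.append(("aged-out", mac, port))
    return sorted(events)


def spoofing_alerts(events, protected):
    """Moves of addresses that should never change port (servers, infrastructure)."""
    return [e for e in events if e[0] == "moved" and e[1] in protected]


if __name__ == "__main__":
    events = diff_mac_tables(parse_mac_table(BEFORE), parse_mac_table(AFTER))
    for event in events:
        print(event)
    print("alerts:", spoofing_alerts(events, {"aabb.cc00.000a"}))
```

The `protected` set is the operator's list of addresses pinned to known ports; with port security's sticky or static addresses on those ports the move would be refused outright, and this diff is the detection to keep for ports where that is not possible.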

Page 37

Configure PortFast

Switch(config-if)# spanning-tree portfast
Enables PortFast on a Layer 2 access port and forces it to enter the forwarding state immediately.

Switch(config-if)# no spanning-tree portfast
Disables PortFast on a Layer 2 access port. PortFast is disabled by default.

Switch(config)# spanning-tree portfast default
Globally enables the PortFast feature on all nontrunking ports.

Switch# show running-config interface type slot/port
Indicates whether PortFast has been configured on a port.

[Diagram: a server and a workstation attached to PortFast access ports.]

Page 38

BPDU Guard

Switch(config)# spanning-tree portfast bpduguard default
• Globally enables BPDU guard on all ports with PortFast enabled

[Diagram: the attacker sends an STP BPDU into a port with BPDU guard enabled; the root bridge and the forwarding (F) and blocking (B) port states are unaffected.]

Page 39

Display the State of Spanning Tree

Switch# show spanning-tree summary totals
Root bridge for: none.
PortFast BPDU Guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Spanning tree default pathcost method used is short

Name                 Blocking Listening Learning Forwarding STP Active
-------------------- -------- --------- -------- ---------- ----------
1 VLAN                      0         0        0          1          1
<output omitted>

Page 40

Root Guard

Switch(config-if)# spanning-tree guard root
• Enables root guard on a per-interface basis

[Diagram: the root bridge (priority = 0, MAC address = 0000.0c45.1a5d); the attacker sends STP BPDUs claiming priority = 0 and MAC address = 0000.0c45.1234 into a port with root guard enabled.]

Page 41

Verify Root Guard

Switch# show spanning-tree inconsistentports
Name                 Interface              Inconsistency
-------------------- ---------------------- ------------------
VLAN0001             FastEthernet3/1        Port Type Inconsistent
VLAN0001             FastEthernet3/2        Port Type Inconsistent
VLAN1002             FastEthernet3/1        Port Type Inconsistent
VLAN1002             FastEthernet3/2        Port Type Inconsistent
VLAN1003             FastEthernet3/1        Port Type Inconsistent
VLAN1003             FastEthernet3/2        Port Type Inconsistent
VLAN1004             FastEthernet3/1        Port Type Inconsistent
VLAN1004             FastEthernet3/2        Port Type Inconsistent
VLAN1005             FastEthernet3/1        Port Type Inconsistent
VLAN1005             FastEthernet3/2        Port Type Inconsistent

Number of inconsistent ports (segments) in the system :10
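Added example, not part of the slides: a model of how an unprotected port, a root-guard port, and a PortFast port with BPDU guard each react to the attacker's BPDU from the root-guard diagram (legitimate root 0000.0c45.1a5d and attacker 0000.0c45.1234, both at priority 0, so the lower MAC address decides the election). The switch and port objects are constructed for the illustration; the recovery rule (a root-inconsistent port returns to forwarding once a non-superior BPDU arrives) simplifies the real timer-based behaviour.

```python
"""Added example: BPDU guard and root guard versus a superior BPDU. Constructed
model, not Cisco code; bridge values are the ones shown on the root-guard slide."""
from dataclasses import dataclass, field


def bridge_key(priority, mac):
    """STP elects the lowest (priority, MAC) as root; the MAC breaks priority ties."""
    return (priority, int(mac.replace(".", ""), 16))


@dataclass
class StpPort:
    name: str
    portfast: bool = False
    bpduguard: bool = False
    rootguard: bool = False
    state: str = "forwarding"
    log: list = field(default_factory=list)


class StpSwitch:
    def __init__(self, root_priority, root_mac):
        self.root = bridge_key(root_priority, root_mac)
        self.ports = {}

    def add_port(self, port):
        self.ports[port.name] = port

    def receive_bpdu(self, port_name, priority, mac):
        port = self.ports[port_name]
        if port.state == "err-disabled":
            return port.state
        if port.portfast and port.bpduguard:
            # BPDU guard: no BPDU is ever expected on a PortFast (end-host) port.
            port.state = "err-disabled"
            port.log.append(f"{port.name}: BPDU received, err-disabled by BPDU guard")
            return port.state
        claimed = bridge_key(priority, mac)
        if claimed < self.root:
            if port.rootguard:
                # Root guard: a superior BPDU is ignored and the port is blocked.
                port.state = "root-inconsistent"
                port.log.append(f"{port.name}: superior BPDU from {mac}, root-inconsistent")
            else:
                self.root = claimed              # unprotected port: the sender becomes root
                port.log.append(f"{port.name}: new root bridge {mac}")
        elif port.state == "root-inconsistent":
            port.state = "forwarding"            # superior BPDUs stopped; port recovers
        return port.state

    def inconsistent_ports(self):
        """What 'show spanning-tree inconsistentports' would list."""
        return [p.name for p in self.ports.values() if p.state == "root-inconsistent"]


ROOT_PRIORITY, ROOT_MAC = 0, "0000.0c45.1a5d"   # legitimate root bridge (slide values)
ATTACKER_MAC = "0000.0c45.1234"                 # attacker's BPDU, also priority 0


def demo(rootguard=False, bpduguard=False):
    """Return (port state, root bridge still the legitimate one?) after the attacker's BPDU."""
    sw = StpSwitch(ROOT_PRIORITY, ROOT_MAC)
    sw.add_port(StpPort("Fa3/1", portfast=bpduguard, bpduguard=bpduguard, rootguard=rootguard))
    state = sw.receive_bpdu("Fa3/1", 0, ATTACKER_MAC)
    return state, sw.root == bridge_key(ROOT_PRIORITY, ROOT_MAC)


if __name__ == "__main__":
    print("unprotected :", demo())
    print("root guard  :", demo(rootguard=True))
    print("BPDU guard  :", demo(bpduguard=True))
```

Root guard belongs on ports that legitimately face other switches but must never lead to the root; BPDU guard belongs on PortFast access ports, where any BPDU at all is a sign of a rogue switch or host.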

Page 42

Storm Control Methods

• Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic
• Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received
• Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received
• Traffic rate in packets per second and for small frames. This feature is enabled globally. The threshold for small frames is configured for each interface.

Page 43

Storm Control Configuration

Switch(config-if)# storm-control broadcast level 75.5
Switch(config-if)# storm-control multicast level pps 2k 1k
Switch(config-if)# storm-control action shutdown

• Enables storm control
• Specifies the level at which it is enabled
• Specifies the action that should take place when the threshold (level) is reached, in addition to filtering traffic

Page 44

Storm Control Parameters

broadcast: This parameter enables broadcast storm control on the interface.

multicast: This parameter enables multicast storm control on the interface.

unicast: This parameter enables unicast storm control on the interface.

level level [level-low]: Rising and falling suppression levels as a percentage of total bandwidth of the port.
• level: Rising suppression level. The range is 0.00 to 100.00. Block the flooding of storm packets when the value specified for level is reached.
• level-low: (Optional) Falling suppression level, up to two decimal places. This value must be less than or equal to the rising suppression value.

level bps bps [bps-low]: Specify the rising and falling suppression levels as a rate in bits per second at which traffic is received on the port.
• bps: Rising suppression level. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for bps is reached.
• bps-low: (Optional) Falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value.

level pps pps [pps-low]: Specify the rising and falling suppression levels as a rate in packets per second at which traffic is received on the port.
• pps: Rising suppression level. The range is 0.0 to 10000000000.0. Block the flooding of storm packets when the value specified for pps is reached.
• pps-low: (Optional) Falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value.

action {shutdown | trap}: The action taken when a storm occurs on a port. The default action is to filter traffic and to not send an SNMP trap. The keywords have these meanings:
• shutdown: Disables the port during a storm
• trap: Sends an SNMP trap when a storm occurs
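Added example, not part of the slides: a model of the storm-control filter state machine described by the parameter table, with separate rising and falling suppression levels, the constraint that the falling level may not exceed the rising one, and the filter / trap / shutdown actions. It also prints rows in the layout of `show storm-control`. Interface names and the measured per-interval rates are constructed.

```python
"""Added example: storm-control hysteresis between rising and falling levels.
Constructed model, not Cisco code; rates and interface names are made up."""


class StormControl:
    """One interface's storm-control state for one traffic type (e.g. broadcast)."""

    def __init__(self, interface, rising, falling=None, unit="pps", action="filter"):
        if falling is None:
            falling = rising                     # no level-low given: same as rising
        if falling > rising:
            raise ValueError("falling level must be less than or equal to the rising level")
        if action not in ("filter", "trap", "shutdown"):
            raise ValueError("action must be filter (default), trap or shutdown")
        self.interface, self.rising, self.falling = interface, rising, falling
        self.unit, self.action = unit, action
        self.state = "Forwarding"
        self.current = 0.0
        self.errdisabled = False
        self.traps = []

    def observe(self, measured):
        """Feed the rate measured over one interval and return the filter state."""
        self.current = measured
        if self.errdisabled:
            return "Link Down"                   # port was err-disabled by action shutdown
        if self.state == "Forwarding" and measured >= self.rising:
            self.state = "Blocking"              # storm: suppress this traffic type
            if self.action == "trap":
                self.traps.append(f"{self.interface}: storm at {measured} {self.unit}")
            elif self.action == "shutdown":
                self.errdisabled = True          # the whole port is err-disabled
                return "Link Down"
        elif self.state == "Blocking" and measured < self.falling:
            self.state = "Forwarding"            # recover only below level-low
        return self.state

    def show_row(self):
        """One row in the layout of 'show storm-control'."""
        fmt = (lambda v: f"{v:.2f}%") if self.unit == "%" else (lambda v: f"{v:g} {self.unit}")
        return (f"{self.interface:<10} {self.state:<14} {fmt(self.rising):<12}"
                f"{fmt(self.falling):<12} {fmt(self.current)}")


def run(rates, rising, falling=None, action="filter"):
    """Filter state after each measured rate, for an interface with the given levels."""
    sc = StormControl("Gi0/1", rising, falling, action=action)
    return [sc.observe(r) for r in rates]


if __name__ == "__main__":
    print("20/10 pps :", run([5, 25, 15, 8], 20, 10))   # stays blocked at 15, recovers at 8
    print("20 pps    :", run([5, 25, 15, 8], 20))       # no level-low: flaps at 15
    print("shutdown  :", run([5, 25, 15], 20, 10, action="shutdown"))
    sc = StormControl("Gi0/1", 20, 10)
    print(sc.show_row())
```

The second run shows why the optional falling level exists: with a single threshold the port resumes forwarding as soon as the rate dips under it and flaps on every interval, while a lower falling level keeps the filter on until the storm has clearly subsided.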

Page 45

Verify Storm Control Settings

Switch# show storm-control
Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Gi0/1      Forwarding     20 pps       10 pps       5 pps
Gi0/2      Forwarding     50.00%       40.00%       0.00%
<output omitted>

Page 46

Mitigating VLAN Attacks

[Diagram: trunk with native VLAN = 10.]

1. Disable trunking on all access ports.
2. Disable auto trunking and manually enable trunking.
3. Be sure that the native VLAN is used only for trunk lines and nowhere else.

Page 47

Controlling Trunking

Switch(config-if)# switchport mode trunk
• Specifies an interface as a trunk link

Switch(config-if)# switchport nonegotiate
• Prevents the generation of DTP frames

Switch(config-if)#  switchport trunk native vlan vlan_number
• Sets the native VLAN on the trunk to an unused VLAN

Page 48

Traffic Analysis

A SPAN port mirrors traffic to another port where a monitoring device is connected. Without this, it can be difficult to track hackers after they have entered the network.

[Diagram: the attacker’s traffic is mirrored from a SPAN port to an IDS, an RMON probe, and a protocol analyzer, which raise “Intruder Alert!”]

Page 49

Layer 2 Guidelines

• Manage switches in as secure a manner as possible (SSH, out-of-band management, ACLs, etc.)
• Set all user ports to non-trunking mode (except if using Cisco VoIP)
• Use port security where possible for access ports
• Enable STP attack mitigation (BPDU guard, root guard)
• Use Cisco Discovery Protocol only where necessary – with phones it is useful
• Configure PortFast on all non-trunking ports
• Configure root guard on STP root ports
• Configure BPDU guard on all non-trunking ports

Page 50

VLAN Practices

• Always use a dedicated, unused native VLAN ID for trunk ports
• Do not use VLAN 1 for anything
• Disable all unused ports and put them in an unused VLAN
• Manually configure all trunk ports and disable DTP on trunk ports
• Configure all non-trunking ports with switchport mode access
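Added example, not part of the slides: an audit that reads interface stanzas out of running-config text and checks them against the Layer 2 guidelines and VLAN practices above together with the trunk commands of page 47 (access ports forced to access mode, out of VLAN 1, with port security and PortFast plus BPDU guard; trunks with DTP disabled and a native VLAN other than 1; shut-down ports skipped as already disabled). The sample configuration is constructed and deliberately mixes compliant and non-compliant ports; the per-interface `spanning-tree bpduguard enable` form is accepted as an alternative to the global command shown on page 38.

```python
"""Added example: audit a running-config against the Layer 2 guidelines.
The configuration text is constructed for the illustration."""
import re

SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 30
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport access vlan 1
!
interface FastEthernet0/3
 shutdown
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport mode trunk
!
"""


def parse_interfaces(config):
    """Return (global commands, {interface name: [its commands]})."""
    global_cmds, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None
            global_cmds.append(line.strip())
    return global_cmds, interfaces


def _value_of(lines, prefix, default):
    """Last word of the first command starting with `prefix`, or `default`."""
    return next((l.split()[-1] for l in lines if l.startswith(prefix)), default)


def audit_layer2(config):
    global_cmds, interfaces = parse_interfaces(config)
    bpduguard_global = "spanning-tree portfast bpduguard default" in global_cmds
    findings = []
    for name, lines in interfaces.items():
        if "shutdown" in lines:
            continue                                  # unused port already disabled
        if "switchport mode trunk" in lines:
            if "switchport nonegotiate" not in lines:
                findings.append(f"{name}: trunk still generates DTP frames (add switchport nonegotiate)")
            if _value_of(lines, "switchport trunk native vlan", "1") == "1":
                findings.append(f"{name}: native VLAN is 1; use a dedicated, unused VLAN")
        else:
            if "switchport mode access" not in lines:
                findings.append(f"{name}: not forced to access mode, DTP could negotiate a trunk")
            if _value_of(lines, "switchport access vlan", "1") == "1":
                findings.append(f"{name}: access port sits in VLAN 1")
            if "switchport port-security" not in lines:
                findings.append(f"{name}: port security not enabled")
            if "spanning-tree portfast" not in lines:
                findings.append(f"{name}: PortFast not enabled")
            elif not bpduguard_global and "spanning-tree bpduguard enable" not in lines:
                findings.append(f"{name}: PortFast without BPDU guard")
    return findings


if __name__ == "__main__":
    for finding in audit_layer2(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, FastEthernet0/1 and GigabitEthernet0/1 pass, FastEthernet0/3 is skipped because it is shut down, and the two ports left at defaults collect the findings; the same function can be pointed at a saved `show running-config` capture.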

Page 51

Overview of Wireless, VoIP Security

Page 52

Overview of SAN Security

Page 53

Infrastructure-Integrated Approach

• Proactive threat and intrusion detection capabilities that do not simply detect wireless attacks but prevent them

• Comprehensive protection to safeguard confidential data and communications

• Simplified user management with a single user identity and policy

• Collaboration with wired security systems

Page 54

Cisco IP Telephony Solutions

• Single-site deployment

• Centralized call processing with remote branches

• Distributed call-processing deployment

• Clustering over the IP WAN

Page 55

Storage Network Solutions

• Investment protection

• Virtualization

• Security

• Consolidation

• Availability

Page 56

Cisco Wireless LAN Controllers

• Responsible for system-wide wireless LAN functions

• Work in conjunction with APs and the Cisco Wireless Control System (WCS) to support wireless applications

• Smoothly integrate into existing enterprise networks

Page 57

Wireless Hacking

• War driving

• A neighbor hacks into another neighbor’s wireless network to get free Internet access or access information

• Free Wi-Fi provides an opportunity to compromise the data of users

Page 58

Hacking Tools

• Network Stumbler

• Kismet

• AirSnort

• CoWPAtty

• ASLEAP

• Wireshark

Page 59

Safety Considerations

• Wireless networks using WEP or WPA/TKIP are not very secure and are vulnerable to hacking attacks.

• Wireless networks using WPA2/AES should have a passphrase at least 21 characters long.

• If an IPsec VPN is available, use it on any public wireless LAN.

• If wireless access is not needed, disable the wireless radio or wireless NIC.
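Why the slide asks for a long passphrase: WPA2-PSK derives the 256-bit pre-shared key from the passphrase with PBKDF2-HMAC-SHA1, salted with the SSID, 4096 iterations (IEEE 802.11i). That fixed cost per guess is the only work factor an offline guess has to pay, so the strength of the key is exactly the strength of the passphrase. The block below is an added example, not from the slides or from any Cisco product: it derives the PSK the standard way, estimates the guess space of a passphrase, and applies the 21-character floor as a policy check. The test vector (SSID "IEEE", passphrase "password") is the one published in the 802.11i annex; the policy thresholds are assumptions.

```python
"""
Added example: WPA2-PSK derivation and a passphrase policy check.
PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes) per IEEE 802.11i.
"""
import hashlib
import math
import string

WPA2_ITERATIONS = 4096
WPA2_PSK_LEN = 32  # bytes


def wpa2_psk(ssid: str, passphrase: str) -> bytes:
    """Derive the WPA2 pre-shared key exactly as the standard specifies."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases must be 8..63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), WPA2_ITERATIONS, WPA2_PSK_LEN)


def charset_size(passphrase: str) -> int:
    """Size of the smallest keyboard alphabet that contains every character used."""
    size = 0
    if any(c in string.ascii_lowercase for c in passphrase):
        size += 26
    if any(c in string.ascii_uppercase for c in passphrase):
        size += 26
    if any(c in string.digits for c in passphrase):
        size += 10
    if any(c in string.punctuation + " " for c in passphrase):
        size += 33
    return size


def guess_bits(passphrase: str) -> float:
    """Upper bound on entropy (bits) if the passphrase were uniformly random over its alphabet."""
    return len(passphrase) * math.log2(max(charset_size(passphrase), 1))


def check_policy(passphrase: str, min_len: int = 21) -> list:
    """Return policy violations for a WPA2 passphrase; an empty list means accepted.
    The 21-character minimum follows the slide; the character-class rule is an assumption."""
    problems = []
    if len(passphrase) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if charset_size(passphrase) <= 26:
        problems.append("uses only one character class")
    return problems


if __name__ == "__main__":
    for p in ("password", "correct horse battery staple x"):
        print(f"{p!r}: ~{guess_bits(p):.0f} bits, violations={check_policy(p)}")
    print(wpa2_psk("IEEE", "password").hex())
```

The entropy figure is an upper bound: a dictionary phrase has far fewer effective bits than its length suggests, which is why length is a floor rather than a guarantee and why WPA2-Enterprise (802.1X) removes the shared passphrase altogether.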

Page 60

VoIP Business Advantages

• Lower telecom call costs

• Productivity increases

• Lower costs to move, add, or change

• Lower ongoing service and maintenance costs

• Little or no training costs

• No major set-up fees

• Enables unified messaging

• Encryption of voice calls is supported

• Fewer administrative personnel required

Diagram: PSTN and VoIP networks connected through a gateway.

Page 61

VoIP Components

Diagram of VoIP components: Cisco Unified Communications Manager (call agent), MCU, Cisco Unity, IP phones, videoconference station, IP backbone, PSTN, routers/gateways, and PBX.

Page 62

VoIP Protocols

VoIP Protocol: Description

• H.323: ITU standard protocol for interactive conferencing; evolved from H.320 ISDN standard; flexible, complex

• MGCP: Emerging IETF standard for PSTN gateway control; thin device control

• Megaco/H.248: Joint IETF and ITU standard for gateway control with support for multiple gateway types; evolved from MGCP standard

• SIP: IETF protocol for interactive and noninteractive conferencing; simpler but less mature than H.323

• RTP: IETF standard media-streaming protocol

• RTCP: IETF protocol that provides out-of-band control information for an RTP flow

• SRTP: IETF protocol that encrypts RTP traffic as it leaves the voice device

• SCCP: Cisco proprietary protocol used between Cisco Unified Communications Manager and Cisco IP phones

Page 63

Threats

• Reconnaissance

• Directed attacks such as spam over IP telephony (SPIT) and spoofing

• DoS attacks such as DHCP starvation, flooding, and fuzzing

• Eavesdropping and man-in-the-middle attacks

Page 64

VoIP SPIT

• If SPIT grows like spam, it could result in regular DoS problems for network administrators.

• Antispam methods do not block SPIT.

• Authenticated TLS stops most SPIT attacks because TLS endpoints accept packets only from trusted devices.

Example SPIT message: “You’ve just won an all expenses paid vacation to the U.S. Virgin Islands !!!”

Page 65

Fraud

• Fraud takes several forms:

– Vishing: A voice version of phishing that is used to compromise confidentiality.

– Theft and toll fraud: The stealing of telephone services.

• Use features of Cisco Unified Communications Manager to protect against fraud:

– Partitions limit what parts of the dial plan certain phones have access to.

– Dial plan filters control access to exploitive phone numbers.

– FACs (forced authorization codes) prevent unauthorized calls and provide a mechanism for tracking.

Page 66

SIP Vulnerabilities

• Registration hijacking: Allows a hacker to intercept incoming calls and reroute them.

• Message tampering: Allows a hacker to modify data packets traveling between SIP addresses.

• Session tear-down: Allows a hacker to terminate calls or carry out VoIP-targeted DoS attacks.

Diagram: SIP user agents on either side of the SIP servers/services (registrar, location database, SIP proxy).

Page 67

Using VLANs

• Creates a separate broadcast domain for voice traffic

• Protects against eavesdropping and tampering

• Renders packet-sniffing tools less effective

• Makes it easier to implement VACLs that are specific to voice traffic

Diagram: 802.1Q trunk on switch port 5/1; voice VLAN 110 with IP phone 10.1.110.3, data VLAN 10 with desktop PC 171.1.1.1.

Page 68

Using Cisco ASA Adaptive Security Appliances

• Ensure SIP, SCCP, H.323, and MGCP requests conform to standards

• Prevent inappropriate SIP methods from being sent to Cisco Unified Communications Manager

• Rate limit SIP requests

• Enforce policy of calls (whitelist, blacklist, caller/called party, SIP URI)

• Dynamically open ports for Cisco applications

• Enable only “registered phones” to make calls

• Enable inspection of encrypted phone calls

Diagram: Internet, WAN, and two Cisco Adaptive Security Appliances.
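The SIP vulnerabilities slide and the ASA bullets above describe the same set of decisions from two sides: an inspection point must reject malformed requests, allow only expected methods, rate limit per source, let only registered phones place calls, and treat a re-registration of an already-registered address from a different source as a hijack indicator. The block below is an added example, not Cisco ASA code and not from the slides: a toy SIP request policy engine that makes exactly those decisions over constructed sample messages. Addresses, URIs, thresholds and the "challenge" verdict are assumptions; a real registrar would answer the suspicious REGISTER with a digest-authentication challenge rather than a string.

```python
"""
Added example: minimal SIP request policy filter (conformance, method whitelist,
per-source rate limit, registered-phones-only calling, hijack indicator).
All messages and addresses are constructed sample data.
"""
import re
from collections import defaultdict, deque

ALLOWED_METHODS = {"REGISTER", "INVITE", "ACK", "BYE", "CANCEL", "OPTIONS"}
MANDATORY_HEADERS = {"via", "from", "to", "call-id", "cseq"}
REQUEST_LINE = re.compile(r"^([A-Z]+) (sips?:[^ ]+) SIP/2\.0$")
AOR = re.compile(r"<?(sips?:[^>;\s]+)")


def parse_request(raw: str):
    """Return (method, headers) or None when the message is not a well-formed SIP request."""
    lines = raw.strip().splitlines()
    m = REQUEST_LINE.match(lines[0]) if lines else None
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            return None
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    if not MANDATORY_HEADERS.issubset(headers):
        return None
    return m.group(1), headers


class SipPolicy:
    def __init__(self, max_per_window: int = 5, window: float = 10.0):
        self.max_per_window, self.window = max_per_window, window
        self.registry = {}                  # AOR -> source IP that registered it
        self.history = defaultdict(deque)   # source IP -> request timestamps

    def _rate_limited(self, src: str, now: float) -> bool:
        q = self.history[src]
        while q and now - q[0] > self.window:
            q.popleft()
        q.append(now)
        return len(q) > self.max_per_window

    def decide(self, src: str, raw: str, now: float) -> str:
        if self._rate_limited(src, now):        # counted before parsing: floods are cheap to drop
            return "drop: rate limit"
        parsed = parse_request(raw)
        if parsed is None:
            return "drop: malformed"
        method, h = parsed
        if method not in ALLOWED_METHODS:
            return f"drop: method {method} not permitted"
        m = AOR.search(h["from"])
        if not m:
            return "drop: malformed"
        aor = m.group(1)
        if method == "REGISTER":
            owner = self.registry.get(aor)
            if owner not in (None, src):
                # Same address re-registered from elsewhere: registration-hijack indicator
                return "challenge: AOR already registered from another source"
            self.registry[aor] = src
            return "allow"
        if method == "INVITE" and self.registry.get(aor) != src:
            return "drop: caller is not a registered phone"
        return "allow"


def build_request(method: str, uri: str, frm: str, to: str) -> str:
    """Construct a minimally valid SIP request for the demo."""
    return (f"{method} {uri} SIP/2.0\r\nVia: SIP/2.0/UDP 10.1.110.3\r\n"
            f"From: <{frm}>\r\nTo: <{to}>\r\nCall-ID: demo-{method}\r\nCSeq: 1 {method}\r\n")


def demo() -> list:
    """Walk a registered phone and a rogue host through the policy; returns the verdicts."""
    p = SipPolicy()
    phone, rogue = "10.1.110.3", "10.1.10.50"
    alice, bob = "sip:alice@example.invalid", "sip:bob@example.invalid"
    return [
        p.decide(phone, build_request("REGISTER", "sip:example.invalid", alice, alice), 0),
        p.decide(phone, build_request("INVITE", bob, alice, bob), 1),
        p.decide(rogue, build_request("INVITE", bob, alice, bob), 2),          # unregistered caller
        p.decide(rogue, build_request("REGISTER", "sip:example.invalid", alice, alice), 3),
        p.decide(rogue, "INVITE sip:bob@example.invalid SIP/2.0\r\nVia: x\r\n", 4),  # fuzz-like input
        p.decide(rogue, build_request("SUBSCRIBE", bob, alice, alice), 5),
    ] + [p.decide(rogue, build_request("OPTIONS", "sip:example.invalid", alice, alice), 6) for _ in range(3)]
```

Note the ordering: the rate limiter runs before the parser so a flood of garbage costs almost nothing to discard, and registration state is keyed by the source that registered, which is what lets the INVITE check and the hijack indicator work without inspecting media at all.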

Page 69

Using VPNs

• Use IPsec for authentication

• Use IPsec to protect all traffic, not just voice

• Consider SLA with service provider

• Terminate on a VPN concentrator or large router inside of firewall to gain these benefits:

– Performance

– Reduced configuration complexity

– Managed organizational boundaries

Diagram: IP WAN, telephony servers, and an SRST router.

Page 70

SAN Security Considerations

SAN: Specialized network that enables fast, reliable access among servers and external storage resources

Diagram: SAN alongside an IP network.

Page 71

SAN Transport Technologies

• Fibre Channel – the primary SAN transport for host-to-SAN connectivity

• iSCSI – maps SCSI over TCP/IP and is another host-to-SAN connectivity model

• FCIP – a popular SAN-to-SAN connectivity model

Page 72

World Wide Name

• A 64-bit address that Fibre Channel networks use to uniquely identify each element in a Fibre Channel network

• Zoning can utilize WWNs to assign security permissions

• The WWN of a device is a user-configurable parameter.

Diagram: Cisco MDS 9020 Fabric Switch.

Page 73

Zoning Operation

• Zone members see only other members of the zone.

• Zones can be configured dynamically based on WWN.

• Devices can be members of more than one zone.

• Switched fabric zoning can take place at the port or device level: based on physical switch port, based on device WWN, or based on LUN ID.

Diagram: a SAN with Host1, Host2, and Disk1 through Disk4 grouped into ZoneA, ZoneB, and ZoneC. An example of zoning; note that devices can be members of more than one zone.

Page 74

Virtual Storage Area Network (VSAN)

Physical SAN islands are virtualized onto common SAN infrastructure (Cisco MDS 9000 Family with VSAN service).

Page 75

Security Focus

Secure SAN focus areas: IP storage access; data integrity and secrecy; target access and SAN protocol; SAN management access; fabric access.

Page 76

SAN Management

Three main areas of vulnerability:

1. Disruption of switch processing

2. Compromised fabric stability

3. Compromised data integrity and confidentiality

Page 77

Fabric and Target Access

Three main areas of focus:

• Application data integrity

• LUN integrity

• Application performance

Page 78

VSANs

Two VSANs, each with multiple zones. Disks and hosts are dedicated to VSANs, although both hosts and disks can belong to multiple zones within a single VSAN. They cannot, however, span VSANs.

Diagram (relationship of VSANs to zones, drawn over one physical topology): VSAN 2 and VSAN 3 containing Host1 through Host4 and Disk1 through Disk6, with zones ZoneA, ZoneB and ZoneC in one VSAN and ZoneA and ZoneD in the other.
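The three SAN slides above (World Wide Name, Zoning Operation, VSANs) state rules that are easy to model and worth checking mechanically: a zone member sees only the other members of its zone, a device may sit in several zones of one VSAN, and no device may belong to two VSANs. The block below is an added example, not code from the slides or from Cisco MDS software: a small fabric model that validates WWNs, builds zones inside VSANs, answers "can this initiator reach that target?", and refuses a membership that would span VSANs. The WWNs and the zone layout are constructed; the mapping of hosts and disks to VSAN 2 and VSAN 3 is an assumption, not read off the figure.

```python
"""
Added example: WWN validation plus a VSAN/zone visibility model.
Topology and WWNs are constructed sample data.
"""
import re
from collections import defaultdict

# 64-bit WWN written as eight colon-separated hex bytes
WWN_RE = re.compile(r"^([0-9a-f]{2}:){7}[0-9a-f]{2}$")


def normalize_wwn(wwn: str) -> str:
    """Validate a WWN and return its canonical lowercase form."""
    w = wwn.strip().lower()
    if not WWN_RE.match(w):
        raise ValueError(f"not a WWN: {wwn!r}")
    return w


class Fabric:
    def __init__(self):
        self.vsan_of = {}                 # wwn -> vsan id (a device lives in exactly one VSAN)
        self.zones = defaultdict(set)     # (vsan, zone name) -> {wwn}

    def add_member(self, vsan: int, zone: str, wwn: str) -> None:
        w = normalize_wwn(wwn)
        if self.vsan_of.setdefault(w, vsan) != vsan:
            raise ValueError(f"{w} already belongs to VSAN {self.vsan_of[w]}; devices cannot span VSANs")
        self.zones[(vsan, zone)].add(w)

    def visible_from(self, wwn: str) -> set:
        """Every WWN a device can see: the union of its zones, minus itself."""
        w = normalize_wwn(wwn)
        seen = set()
        for (vsan, _zone), members in self.zones.items():
            if w in members and vsan == self.vsan_of[w]:
                seen |= members
        seen.discard(w)
        return seen

    def can_reach(self, initiator: str, target: str) -> bool:
        return normalize_wwn(target) in self.visible_from(initiator)


# Constructed sample WWNs (any eight bytes work for the model)
HOST1, HOST2, HOST3 = ("50:06:01:60:00:00:00:01", "50:06:01:60:00:00:00:02",
                       "50:06:01:60:00:00:00:03")
DISK1, DISK2, DISK3, DISK5 = ("50:00:09:7a:00:00:00:01", "50:00:09:7a:00:00:00:02",
                              "50:00:09:7a:00:00:00:03", "50:00:09:7a:00:00:00:05")


def build_sample() -> Fabric:
    """Assumed layout: VSAN 2 holds ZoneA, ZoneB, ZoneC; VSAN 3 holds its own ZoneA."""
    f = Fabric()
    f.add_member(2, "ZoneA", HOST1); f.add_member(2, "ZoneA", DISK1)
    f.add_member(2, "ZoneB", HOST1); f.add_member(2, "ZoneB", DISK2)   # Host1 is in two zones
    f.add_member(2, "ZoneC", HOST2); f.add_member(2, "ZoneC", DISK3)
    f.add_member(3, "ZoneA", HOST3); f.add_member(3, "ZoneA", DISK5)   # same zone name, other VSAN
    return f


def vsan_spanning_rejected() -> bool:
    """Adding Host1 (already in VSAN 2) to a VSAN 3 zone must be refused."""
    f = build_sample()
    try:
        f.add_member(3, "ZoneD", HOST1)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    fab = build_sample()
    print("Host1 sees:", sorted(fab.visible_from(HOST1)))
    print("Host2 can reach Disk1:", fab.can_reach(HOST2, DISK1))
    print("Spanning VSANs rejected:", vsan_spanning_rejected())
```

Because the WWN slide notes that a device's WWN is user-configurable, WWN-based zoning is only as trustworthy as whatever stops a host from presenting someone else's WWN; port-based zoning and fabric port security (mentioned on the iSCSI and FCIP slide) are what bind the identity to a physical attachment.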

Page 79

iSCSI and FCIP

• iSCSI leverages many of the security features inherent in Ethernet and IP

– ACLs are like Fibre Channel zones

– VLANs are like Fibre Channel VSANs

– 802.1X port security is like Fibre Channel port security

• FCIP security leverages many IP security features in Cisco IOS-based routers:

– IPsec VPN connections through public carriers

– High-speed encryption services in specialized hardware

– Can be run through a firewall
