© 2006 Cisco Systems, Inc. All rights reserved. SND v2.03-1 Securing LAN and WLAN Devices Using Cisco Catalyst Switch Security Features.


Outline

Overview
Security Features in Cisco Catalyst Switches
Identity-Based Network Services
VLAN ACLs
Private VLANs
MAC Address Notification
Rate Limiting
SPAN for IPS
Management Encryption
Summary

Switching Infrastructure and Security

Switching devices provide infrastructure protection through support for these:
– IBNS
– VACLs
– VLANs
– MAC address notification
– Rate limiting, also known as traffic policing
– SPANs
– Secure management protocols: SSHv2 and SNMPv3

Identity-Based Networking Services

IBNS does the following:
– Using the 802.1X protocol with Cisco enhancements, the network grants privileges based on user login information, regardless of the user location or device.

The benefits of IBNS are as follows:
– Allows different people to use the same PC and have different capabilities
– Ensures that users get only their designated privileges, no matter how they are logged into the network
– Reports unauthorized access

Otherwise, there is no way to control who gets on the network and where they can go.

Identity-Based Networking Services (Cont.)

IBNS functions as follows: each user trying to enter the network must receive authorization based on a personal username and password.

[Figure: a client connecting to the accessing switch is checked against Cisco Secure ACS; a valid username and password is admitted (Yes), an invalid username or password is refused (No).]
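The slide describes the flow but not the switch side of it. The configuration below is an added example, not part of the course material, showing how an access port is put under 802.1X control with a RADIUS server (such as Cisco Secure ACS) doing the username and password check. The server address 10.0.0.5, VLAN 10 and interface FastEthernet0/1 are constructed values; the shared secret is a placeholder to be replaced.

```cisco
! Added example (not from the course): 802.1X port authentication against RADIUS
! Assumptions: RADIUS/ACS at 10.0.0.5 (constructed), access VLAN 10, port Fa0/1,
! shared secret is a placeholder
aaa new-model
aaa authentication dot1x default group radius
! Authorization is what lets the server hand back a per-user VLAN, i.e. the
! "privileges based on login information" behaviour the slide describes
aaa authorization network default group radius
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key REPLACE-WITH-SHARED-SECRET
! Turn 802.1X on globally; without this the per-port commands have no effect
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 ! "auto": port stays unauthorized (only EAPOL passes) until the user authenticates
 dot1x port-control auto
 spanning-tree portfast
!
! Check the result: show dot1x interface FastEthernet0/1
! (port status should move from Unauthorized to Authorized after login)
```

Newer IOS releases express the per-port command as `authentication port-control auto`; the older `dot1x port-control auto` form matches the switch generation this module covers. If the RADIUS server is unreachable the port stays unauthorized, so monitor `show dot1x` and the RADIUS server logs when users report they cannot connect.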

VLAN ACL

A VACL provides granular control over traffic within a VLAN or subnet, limiting which hosts and services can reach each other even though they share the same Layer 2 segment.
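A VACL is applied with a VLAN access map rather than on an interface. The following is an added example, not configuration from the course, that restricts traffic inside VLAN 10: hosts in the VLAN may reach a server only over TCP 443, and Telnet between hosts in the VLAN is dropped. The addresses 10.1.10.0/24 and 10.1.10.5 and the VLAN number are constructed.

```cisco
! Added example (not from the course): VACL filtering traffic inside one VLAN
! Assumptions: VLAN 10 = 10.1.10.0/24, server 10.1.10.5 (both constructed)
ip access-list extended VLAN10-TELNET
 permit tcp 10.1.10.0 0.0.0.255 any eq 23
ip access-list extended VLAN10-HTTPS-TO-SERVER
 permit tcp 10.1.10.0 0.0.0.255 host 10.1.10.5 eq 443
ip access-list extended VLAN10-ANY-TO-SERVER
 permit ip any host 10.1.10.5
!
! Clauses are evaluated in sequence order; the first match decides the action
vlan access-map VLAN10-POLICY 10
 match ip address VLAN10-TELNET
 action drop
vlan access-map VLAN10-POLICY 20
 match ip address VLAN10-HTTPS-TO-SERVER
 action forward
vlan access-map VLAN10-POLICY 30
 match ip address VLAN10-ANY-TO-SERVER
 action drop
! A packet matching no clause is dropped, so the catch-all forward is required
vlan access-map VLAN10-POLICY 40
 action forward
!
vlan filter VLAN10-POLICY vlan-list 10
!
! Check the result: show vlan access-map VLAN10-POLICY ; show vlan filter
```

Note that the `match` ACL only selects traffic; the `action` in the access map decides whether it is dropped or forwarded, so the ACL entries are written as `permit` even for traffic you intend to drop. Leaving out the final `action forward` clause silently blocks everything else in the VLAN, which is the most common mistake when a VACL is first applied.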

Private VLAN

[Figure: a primary VLAN containing the default gateway, two community VLANs (Community A and Community B) and an isolated VLAN with isolated ports.]

PVLANs work as follows:
– A common subnet is subdivided into multiple PVLANs. Hosts on a given PVLAN can communicate only with the default gateway and not with other hosts on the network when they use an isolated port.

The advantage of using PVLANs is that traffic management is simplified while conserving IP address space.
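To show how the primary, community and isolated VLANs on the slide are tied together, here is an added example configuration that is not part of the course: one primary VLAN 200 with an isolated VLAN 201 and a community VLAN 202, two host ports and the promiscuous port that carries the default gateway. All VLAN numbers and interface names are constructed.

```cisco
! Added example (not from the course): private VLAN with isolated and community ports
! Assumptions: primary 200, isolated 201, community 202, ports Fa0/2, Fa0/3, Gi0/1 (constructed)
! PVLANs require VTP transparent mode on this switch generation
vtp mode transparent
!
vlan 201
 private-vlan isolated
vlan 202
 private-vlan community
vlan 200
 private-vlan primary
 private-vlan association 201,202
!
! Isolated host: can talk only to the promiscuous port (the default gateway)
interface FastEthernet0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
!
! Community host: can talk to other members of 202 and to the promiscuous port
interface FastEthernet0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 200 202
!
! Promiscuous port toward the default gateway: reaches every secondary VLAN
interface GigabitEthernet0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201,202
!
! Check the result: show vlan private-vlan ; show interfaces GigabitEthernet0/1 switchport
```

All hosts keep addresses from the single subnet of the primary VLAN, which is the address-space saving the slide mentions. One caveat worth checking: isolation is enforced only at Layer 2, so if the gateway router is willing to forward traffic back into the same subnet, two isolated hosts can still reach each other through it unless the router filters that traffic.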

Notification of Intrusions

MAC address notification allows you to monitor, at the module and port level, the MAC addresses that the switch adds to or removes from the CAM table.

[Figure: the switch CAM table holds e1/1 = MAC A, e1/2 = MAC B and e2/1 = MAC D. MAC X, which is not in the CAM table, appears on Ethernet port 2/1 while MAC D is away from the network; the switch sends an SNMP trap to the NMS when MAC X appears on port 2/1.]
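The trap in the figure only reaches the NMS if the switch is told to generate it and where to send it. The configuration below is an added example, not from the course, that enables MAC address notification globally, sends the traps to an NMS, and turns notification on for the monitored port. The NMS address 10.0.0.10, the community string placeholder, the interval and the interface name are constructed.

```cisco
! Added example (not from the course): MAC address notification traps to an NMS
! Assumptions: NMS at 10.0.0.10 (constructed), SNMPv2c community is a placeholder,
! monitored port Fa0/1
! Global switch: generate mac-notification events and keep a short history
mac address-table notification
mac address-table notification interval 15
mac address-table notification history-size 100
!
! Send the trap type to the NMS
snmp-server enable traps mac-notification
snmp-server host 10.0.0.10 version 2c REPLACE-WITH-COMMUNITY mac-notification
!
! Per port: report both learned (added) and aged-out/removed addresses
interface FastEthernet0/1
 snmp trap mac-notification added
 snmp trap mac-notification removed
!
! Check the result: show mac address-table notification
! (shows the interval, enabled state and the recent history entries)
```

The interval batches several changes into one trap, so a short interval gives the NMS faster alerts at the cost of more traps on a busy switch. Pair this with the SNMPv3 settings from the management encryption slide rather than a v2c community in production, since the traps carry the same MAC-to-port mapping an attacker would want to read.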

Rate Limiting

What rate limiting does:
– Allows network managers to set bandwidth thresholds for users and by traffic type

Benefits:
– Prevents the deliberate or accidental flooding of the network
– Keeps traffic flowing smoothly

[Figure: rate limiting for different classes of users (network manager, teachers, students) with thresholds of 2 Mbps, 10 Mbps and 50 Mbps.]

Otherwise, there can be a deliberate or accidental slowdown or freezing of the network.
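On a Catalyst switch the per-class thresholds in the figure are implemented as a policer inside a QoS policy. The following is an added example, not from the course, that polices traffic entering a student port at 2 Mbps and a teacher port at 10 Mbps, dropping anything above the limit. The subnets, port names and burst size are constructed values.

```cisco
! Added example (not from the course): ingress policing per user class
! Assumptions: students on 10.1.20.0/24, teachers on 10.1.30.0/24, ports Fa0/10 and Fa0/11
! (all constructed). Policing on 3550/3560 only takes effect once QoS is enabled:
mls qos
!
ip access-list extended STUDENT-HOSTS
 permit ip 10.1.20.0 0.0.0.255 any
ip access-list extended TEACHER-HOSTS
 permit ip 10.1.30.0 0.0.0.255 any
!
class-map match-all STUDENTS
 match access-group name STUDENT-HOSTS
class-map match-all TEACHERS
 match access-group name TEACHER-HOSTS
!
! police <rate bps> <burst bytes> exceed-action drop
policy-map STUDENT-LIMIT
 class STUDENTS
  police 2000000 8000 exceed-action drop
policy-map TEACHER-LIMIT
 class TEACHERS
  police 10000000 16000 exceed-action drop
!
interface FastEthernet0/10
 service-policy input STUDENT-LIMIT
interface FastEthernet0/11
 service-policy input TEACHER-LIMIT
!
! Check the result: show policy-map interface FastEthernet0/10
! (the conformed/exceeded counters show whether the policer is acting)
```

A policer with `exceed-action drop` is the "hard" form of rate limiting the slide describes; the burst value decides how much a short spike is tolerated before drops start, so set it from measured traffic rather than guessing. Forgetting `mls qos` leaves the policy attached but inactive, which is easy to miss because the configuration still looks correct.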

Switched Port Analyzer

What SPAN does:
– A SPAN port is used to mirror traffic to another port where a probe or IDS sensor is connected

Benefit:
– Stops hackers before they can do damage

Otherwise, there is no easy way to shut down hackers after they have entered the network.

[Figure: traffic from an attacker is mirrored to an IPS/IDS sensor, which raises an intruder alert.]
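A SPAN session needs a source (a port or a whole VLAN) and a destination port where the sensor sits. The following is an added example, not from the course, that mirrors all traffic of VLAN 10 to the port connected to an IDS sensor. The VLAN number and interface names are constructed.

```cisco
! Added example (not from the course): local SPAN feeding an IDS sensor
! Assumptions: monitored user VLAN 10, sensor on Gi0/2 (both constructed)
! Clear any stale definition first so the session is exactly what is shown here
no monitor session 1
! Source: every frame entering or leaving VLAN 10 ("both" = rx and tx)
monitor session 1 source vlan 10 both
! Destination: the sensor port; it stops forwarding normal traffic once it is a SPAN destination
monitor session 1 destination interface GigabitEthernet0/2
!
! Check the result: show monitor session 1
! (lists the source VLAN, direction and destination port)
```

Two points to keep in mind when planning this. The destination port can become oversubscribed when a VLAN with many busy ports is mirrored into a single link, and frames are then dropped silently, so the sensor sees an incomplete picture; watch the output drops on the destination interface. The sensor port also receives only mirrored copies, so the IDS cannot block anything by itself; blocking requires a separate action such as an IPS in the forwarding path or a management-driven shutdown of the offending port.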

Management Encryption

Management encryption works as follows:
– Keeps hackers from reading usernames, passwords, and other information in intercepted network management packets

Benefit:
– Prevents hackers from stealing usernames and passwords to access switches

[Figure: SNMP management servers talking to a switch; in clear text the packet shows username "dan" and password "grades", whereas the encrypted packet shows only "%a)t#>".]

Otherwise, snoopers can break into switches and bring down the network.
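The two protocols the module names for this are SSHv2 and SNMPv3. Here is an added example, not from the course, that enables SSHv2 for CLI access, restricts the vty lines to SSH only (so Telnet with its clear-text password is not offered), and defines an SNMPv3 user with both authentication and privacy so the management traffic is encrypted as the figure shows. The hostname, domain, user names and passwords are constructed placeholders.

```cisco
! Added example (not from the course): SSHv2 and SNMPv3 for encrypted management
! Assumptions: hostname/domain, user names and passwords are constructed placeholders
hostname SW1
ip domain-name example.com
! The RSA key pair is required before SSH can start; 2048 bits is the sensible minimum today
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
username admin privilege 15 secret REPLACE-WITH-STRONG-PASSWORD
!
line vty 0 15
 ! Only SSH; Telnet is refused so the "dan / grades" exchange in the figure never happens
 transport input ssh
 login local
 exec-timeout 10 0
!
! SNMPv3 with "priv": every PDU is authenticated (SHA) and encrypted (AES-128)
snmp-server group NMS-GROUP v3 priv
snmp-server user nmsuser NMS-GROUP v3 auth sha REPLACE-AUTH-PASS priv aes 128 REPLACE-PRIV-PASS
! Deliberately no "snmp-server community" line: v1/v2c would expose the community string in clear
!
! Check the result: show ip ssh ; show snmp user ; show snmp group
```

After this change, an `ssh -2` session and an SNMPv3 walk are the only management paths, so confirm both work from the NMS before closing the old ones on a production switch. Also remove any leftover SNMPv1/v2c community strings with `no snmp-server community <name>`; an SNMPv3 user next to a clear-text community string gives the attacker the easier path the figure warns about.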

Summary

The Cisco Catalyst switch portfolio supports secure connectivity, perimeter security, intrusion protection, identity services, and security management as key elements in the Cisco Self-Defending Network architecture.
The Cisco Catalyst IBNS feature provides user authentication using EAPOL and RADIUS.
VACLs are used to filter VLAN traffic.
PVLANs work by limiting which ports within a VLAN can communicate with other ports in the same VLAN.
MAC address notification enables you to track users on a network by storing the MAC address activity on the switch. Whenever the switch learns or removes a MAC address, an SNMP notification can be generated and sent to the NMS.
Rate limiting (traffic policing) involves creating a traffic policing agent that specifies the upper bandwidth limit for the traffic.
SPAN is used to mirror traffic to another port where a probe or an IDS sensor is connected.
Management encryption features, such as SSHv2 and SNMPv3, prevent hackers from stealing usernames, passwords, and device configuration information.
