UsMan's WoRkSpAce

Tuesday, September 18, 2007

LAN security technologies from Cisco

Cisco Network Admission Control (NAC)
A set of technologies and solutions built by Cisco that uses the network infrastructure itself to enforce security policy compliance on every device seeking access to network resources. The workflow, with Qualys acting as the audit server, is as below:
a) When a host tries to access the network, Cisco NAC finds that the Cisco Trust Agent (CTA) is not installed on it
b) NAC triggers a host audit from an audit server, in this case a Qualys scanner appliance
c) Qualys audits the host and returns the results to the Cisco Access Control Server (ACS)
d) ACS maps the results to an access policy and downloads that policy to the appropriate Cisco network access device (NAD)
e) The NAD applies the policy and sets a session timeout, so the host is re-assessed once the session expires

DHCP Snooping
DHCP snooping prevents rogue DHCP servers from handing out IP addresses (together with a rogue default gateway or DNS server) to clients, which an attacker would use to re-route traffic through a rogue gateway or sniffer. The switch builds a DHCP snooping binding table that records, for each client, the MAC address, IP address, lease time, binding type, VLAN and interface. DHCP server messages (OFFER, ACK, NAK) are permitted only on trusted interfaces; on untrusted interfaces they are dropped, while client messages are forwarded after the switch checks that the frame's source MAC matches the client hardware address inside the DHCP message.

A few commands to enable DHCP snooping are:

!Turn on snooping globally, then on the VLANs to protect:
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan [number or range]

!The port facing our DHCP server: server messages are allowed here
Switch(config)# interface GigabitEthernet 5/1
Switch(config-if)# ip dhcp snooping trust

!An untrusted client port (not a required step): cap DHCP messages at 10 per second
Switch(config)# interface FastEthernet 2/1
Switch(config-if)# ip dhcp snooping limit rate 10

!Trust a whole range of uplink / server-facing ports at once, and accept
!DHCP packets that already carry option 82 (relay agent information) on them:
Switch(config)# interface range FastEthernet 2/0/1 - 8 , GigabitEthernet 1/0/1 - 3
Switch(config-if-range)# ip dhcp snooping trust
Switch(config-if-range)# ip dhcp relay information trusted

!Save the binding table to a TFTP server so it survives a reload:
Switch(config)# ip dhcp snooping database tftp://10.1.1.1/file

IP Source Guard
IP Source Guard prevents a client from using an IP address that was not assigned to it: on an untrusted port, packets whose source IP does not appear in the DHCP snooping binding table for that port are dropped. It should only be enabled after DHCP snooping has been running long enough for every client to renew its lease and get a binding (at least a day, as a rule of thumb); otherwise hosts holding older leases are cut off. Combined with port security, the access port can be restricted to allow only 1 MAC address.

!Enable IP Source Guard on the access port, using the DHCP snooping bindings:
Switch(config-if)# ip verify source vlan dhcp-snooping

!Set explicit access mode (port security is not supported on dynamic/DTP ports)
Switch(config-if)# switchport mode access

!Enable port-security
Switch(config-if)# switchport port-security

!Specify how many MAC addresses can be used:
Switch(config-if)# switchport port-security maximum 1

!Action to take when a violation happens (protect drops silently, restrict drops and logs, shutdown err-disables the port):
Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}

Dynamic ARP inspection
Dynamic ARP Inspection discards ARP packets whose sender IP-to-MAC binding does not match the DHCP snooping binding table (or a configured ARP ACL), which defeats ARP poisoning and man-in-the-middle attacks on the VLAN. Like DHCP snooping it is enabled per VLAN, and uplinks to other switches or routers are marked trusted so their ARP traffic is not inspected.

!Inspect ARP on VLAN 1 (the bindings come from DHCP snooping, so enable that first):
Switch(config)# ip arp inspection vlan 1

!Trust the uplink / infrastructure ports so only access ports are inspected:
Switch(config)# int range f1/1 - 4 , f2/24
Switch(config-if-range)# ip arp inspection trust

!Verify the configuration and statistics:
Switch# show ip arp inspection ?
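The three features above build on one another: DHCP snooping produces the binding table, and IP Source Guard and Dynamic ARP Inspection consult it to decide what an untrusted port may send. The following is an added example, not code from Cisco or from this post, that models that pipeline in Python so the decisions can be traced: port names (Gi5/1, Fa2/1, Fa2/2), VLAN 10, the MAC and IP addresses and the DHCP exchange in run_scenario() are all constructed for illustration, and a real switch also applies rate limits, ARP ACLs and option 82 handling that this model leaves out.

```python
"""Added example, not Cisco code: a small model of how DHCP snooping,
IP Source Guard and Dynamic ARP Inspection fit together on one switch.
Port names (Gi5/1, Fa2/1, Fa2/2), MAC/IP addresses and the DHCP exchange
in run_scenario() are all constructed for illustration."""
from dataclasses import dataclass, field

# Messages only a DHCP *server* sends. On a port without
# "ip dhcp snooping trust" they can only come from a rogue server.
SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass(frozen=True)
class Binding:
    """One row of the snooping binding table: MAC, IP, VLAN, interface."""
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class Switch:
    dhcp_trusted: set                              # "ip dhcp snooping trust"
    arp_trusted: set                               # "ip arp inspection trust"
    bindings: dict = field(default_factory=dict)   # (vlan, mac) -> Binding
    pending: dict = field(default_factory=dict)    # (vlan, mac) -> client port
    dropped: list = field(default_factory=list)    # (feature, port, detail)

    def dhcp(self, port, vlan, msg, src_mac, chaddr, yiaddr=None):
        """DHCP snooping. Returns True if the message is forwarded."""
        if port not in self.dhcp_trusted:
            if msg in SERVER_MSGS:            # rogue server on an access port
                self.dropped.append(("dhcp-snooping", port, msg))
                return False
            if src_mac != chaddr:             # default MAC-address verification
                self.dropped.append(("dhcp-snooping", port, "chaddr mismatch"))
                return False
            self.pending[(vlan, chaddr)] = port   # remember which port asked
        elif msg == "ACK" and yiaddr and (vlan, chaddr) in self.pending:
            # Lease confirmed by a trusted server: bind the address to the
            # client's own port so IP Source Guard and DAI enforce it there.
            client_port = self.pending.pop((vlan, chaddr))
            self.bindings[(vlan, chaddr)] = Binding(chaddr, yiaddr, vlan, client_port)
        return True

    def ip_packet(self, port, vlan, src_ip):
        """IP Source Guard ("ip verify source"): on an untrusted port the
        source IP must appear in a binding learned on that same port."""
        if port in self.dhcp_trusted:
            return True
        ok = any(b.port == port and b.ip == src_ip
                 for (v, _), b in self.bindings.items() if v == vlan)
        if not ok:
            self.dropped.append(("ip-source-guard", port, src_ip))
        return ok

    def arp_packet(self, port, vlan, sender_mac, sender_ip):
        """Dynamic ARP Inspection: on an untrusted port the sender MAC/IP
        pair must match a binding, otherwise the ARP packet is discarded."""
        if port in self.arp_trusted:
            return True
        b = self.bindings.get((vlan, sender_mac))
        if b is None or b.ip != sender_ip:
            self.dropped.append(("arp-inspection", port, f"{sender_mac}={sender_ip}"))
            return False
        return True


def run_scenario():
    """Legitimate lease, rogue DHCP offer, spoofed source IP, ARP poisoning."""
    client, rogue = "00aa.0000.0001", "00bb.0000.0002"
    server, gateway = "00cc.0000.0003", "00dd.0000.0004"
    sw = Switch(dhcp_trusted={"Gi5/1"}, arp_trusted={"Gi5/1"})
    # 1. Normal DORA exchange: client on Fa2/1, real server behind uplink Gi5/1
    sw.dhcp("Fa2/1", 10, "DISCOVER", client, client)
    sw.dhcp("Gi5/1", 10, "OFFER", server, client, "10.1.1.50")
    sw.dhcp("Fa2/1", 10, "REQUEST", client, client)
    sw.dhcp("Gi5/1", 10, "ACK", server, client, "10.1.1.50")
    # 2. Rogue DHCP server on access port Fa2/2 answers the same client
    sw.dhcp("Fa2/2", 10, "OFFER", rogue, client, "10.1.1.99")
    # 3. Client uses its leased address, then tries to spoof the gateway's
    sw.ip_packet("Fa2/1", 10, "10.1.1.50")
    sw.ip_packet("Fa2/1", 10, "10.1.1.1")
    # 4. Rogue host claims the gateway IP in a gratuitous ARP (ARP poisoning);
    #    the real gateway's ARP arrives on the trusted uplink and passes
    sw.arp_packet("Fa2/2", 10, rogue, "10.1.1.1")
    sw.arp_packet("Fa2/1", 10, client, "10.1.1.50")
    sw.arp_packet("Gi5/1", 10, gateway, "10.1.1.1")
    return sw


if __name__ == "__main__":
    s = run_scenario()
    for row in s.bindings.values():
        print("binding:", row)
    for d in s.dropped:
        print("dropped:", d)
```

Running it leaves exactly one binding (the client's lease on Fa2/1) and three drops, one per feature: the rogue OFFER on Fa2/2, the client's attempt to source traffic from the gateway address, and the rogue's ARP claim on the gateway IP. Note that the binding is tied to the port the DISCOVER/REQUEST arrived on, which is why IP Source Guard also rejects the correct address if it is sent from a different port, and why the post advises letting DHCP snooping run until every client has a binding before turning IP Source Guard on.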