2009 srs 07 layer2attacks - cursuri automatica si...

Endpoint Security 17‐nov‐2009


Slide 2: What this lecture is about

- Securing hosts inside a network
  - Hosts & servers
  - Switches
  - IP phones
  - SANs
- Layer 2 attacks
  - On the network
  - On its devices

Slide 3: Endpoint Security

A secure network is only as strong as its weakest link.

Slide 4: Securing "inside" and "outside"

- You know about securing the perimeter of a network against outside threats:
  - ACLs (normal, reflexive, dynamic)
  - CBAC
  - ZPF
  - TCP intercept
  - IDS/IPS: NIPS
- Internal threats are there, too.
  - How well can you control who accesses your internal network?

Slide 5: Overview of endpoint security

- Software has weaknesses (people, too).
- People using software is something you can secure up to a certain limit.
- Trustworthiness of your software AND users can be improved by:
  - Hardening security
  - Restricting access to unneeded features
  - Blocking access to vulnerable features

Slide 6: Big-picture strategy for endpoint security

- NAC (Network Admission Control)
  - A solution that requires every endpoint to comply with company policies.
  - Non-compliant endpoints are denied access.
- Endpoint protection
  - HIPS don't lie…
  - …but protect against worms, viruses, trojans
  - Implemented using CSA (Cisco Security Agent)
  - Complemented by IronPort Perimeter Security Appliances
- Network infection containment
  - Before stopping an attack, containment is required
  - Must be an automated process
  - Implemented as a NAC, CSA or IPS service

Slide 7: Operating system security

- Protecting an endpoint is protecting its services and applications.
- Ultimately, an operating system has full access over a host.
  - Protecting the operating system becomes a priority.
- OSes have basic security features like:
  - Processes – independent address spaces
  - Privileges – execution must be made from a user account with sufficient privileges.
- Least privilege concept
  - Applies to processes and users, as well.

Slide 8: Gaining access: directly and indirectly

- Security must be viewed from a network perspective, too.
- Hosts have privileges and can be "trusted", too.

Slide 9: Strategy: NAC – Network Access Control

- NAC provides several features in order to enforce a network security policy:
  - Authentication and authorization
  - Evaluating a foreign device against the policies of the network
  - Quarantining of noncompliant systems
  - Remediation of noncompliant systems

Slide 10: Strategy: NAC – Network Access Control

- Purpose: ensure that only authenticated and policy-compliant hosts are given access to the network.
  - Protects against foreign devices such as laptops, PDAs, smartphones.
  - Not only "guest" devices, but also devices from your company that have gone off-site and might have become infected.
- These devices can infect a network from inside the perimeter.
  - A Network Intrusion Prevention System (NIPS) doesn't help here.

Slide 11: Cisco NAC

- Cisco implements NAC in two logical models:
- NAC framework
  - Distributed solution, for large networks, many network connections and many endpoints.
  - Suited for remote access solutions, too.
- NAC appliance
  - Simplified solution, self-contained
  - Anti-virus and vulnerability updates
  - Can be used on any Cisco platform
  - Turnkey solution

Slide 12: Cisco NAC framework – distributed solution

- Several devices enforcing different security policies.

[Diagram: hosts attempting network access present their credentials (EAP/UDP or EAP/802.1x) to the enforcement devices, which relay them over RADIUS to the AAA server; the AAA server checks "Comply?" against the policy server (decision points and remediation) and the vendor servers over HTTPS, then returns the access rights and a notification.]

Slide 13: Cisco NAC appliance

- Cisco NAC components:
- NAS (NAC Appliance Server)
  - Stores network security policies
  - Performs device-compliance checks
- NAM (NAC Appliance Manager)
  - Administration interface used by support personnel
  - Allows configuration of NAS
- NAA (NAC Appliance Agent)
  - Client software, runs on endpoint machines
  - Read-only rights over the operating system
  - Performs constant deep inspection and analysis

Slide 14: How does Cisco NAC appliance work?

[Diagram: a wired or wireless host, the Cisco NAS, the Cisco NAM (manager), an authentication server, a quarantine role and the intranet/network ("THE GOAL"); the numbered steps below follow the host through it.]

1. Host attempts to access a web page or uses an optional client. Network access is blocked until the wired or wireless host provides login information.
2. Host is redirected to a login page. Cisco NAC Appliance validates username and password, and also performs device and network scans to assess vulnerabilities on the device.
3. The host is authenticated.
   3a. Device is noncompliant or login is incorrect: the host is denied access and assigned to a quarantine role with access to online remediation resources.
   3b. Device is "clean": the machine gets on the "certified devices list" and is granted access to the network.

Slide 15: Strategy: IronPort

- Acquired by Cisco in 2007.
- Leading provider of anti-spam, anti-virus, anti-spyware appliances.
  - C-series: e-mail security, virus and spam control
  - S-series: web security, anti-spyware, anti-malware
  - M-series: e-mail, web and organisation-specific policies

Slide 16: Strategy: IronPort combined functionality

[Diagram. Before IronPort: users sit behind a firewall, and separate web proxy, antispyware, antivirus, antiphishing, URL filtering and policy management boxes sit between the firewall and the Internet. After IronPort: users, firewall, a single IronPort S-Series appliance, Internet.]

Slide 17: HIPS solution: Cisco Security Agent (CSA)

- CSA – HIPS solution providing endpoint security
  - Installs on desktop and server systems
  - One management console for >100,000 clients: scalable
- Components:
- Management Center for CSA
  - Administrative interface, allows definition of groups and policies
  - Maintains logs for alerts sent by clients
- Cisco Security Agent
  - Installed on host system
  - Continuous monitoring of applications and the operating system

[Diagram: the Management Center for Cisco Security Agent (with internal or external database) pushes the security policy to servers protected by Cisco Security Agent and receives their events and alerts; the administration workstation talks to the Management Center over SSL.]

Slide 18: CSA functionality

- When applications require system resources, they make an operating system call to the kernel.
- CSA intercepts system calls and compares them to the system policy.
- If the request violates the policy:
  - CSA blocks it
  - Sends an appropriate error message to the application
  - Sends an alert to the Management Center

[Diagram: application -> operating system call -> CSA -> kernel.]

Slide 19: CSA intercept feature

- CSA intercepts operating system calls using four specialized interceptors:
  - File system interceptor: read/write requests to all file systems
  - Network interceptor: inspects network traffic; can force limitations to protect from DoS attacks
  - Configuration interceptor: read/write requests to the operating system's configuration (like the registry)
  - Execution space interceptor: protects the dynamic runtime environment
    - Blocks requests to memory that is not owned by an application

Slide 20: CSA security features

- CSA enables protection against all phases of an attack:
  - Probe phase: ping scans, port scans
  - Penetrate phase: transfer exploit code to target
  - Persist phase: install new code, modify configuration
  - Propagate phase: attack other targets, leverage other hosts
  - Paralyze phase: crash system, erase files, steal data

Slide 21: Layer 2 security

The lowest link that can prove to be the weakest.

Slide 22: This section will cover:

- Layer 2 attack methods:
  - MAC address spoofing
  - STP manipulation
  - MAC table overflow
  - LAN storms
  - VLAN attacks
- Also, a little brief recap of the LAN technologies mentioned above.

Slide 23: Compromising layer 2 compromises all layers

- If the data link layer is hacked, the other layers will not be aware.

Slide 24: Switched networks

- A hub is an intermediary device that forwards data to all ports except the one it was received on.
- Switches optimize this behaviour:
  - They forward data on specific ports, based on destination MAC addresses.
  - So, switches must learn on which port each MAC address is located. The CAM memory stores these mappings.
- How does a switch learn about MAC addresses?
- Can a switch learn a MAC address on more than one port?
- Can a switch learn more than one MAC address per port? Give an example. When?

Slide 25: MAC spoofing

- The way switches learn MAC addresses is a vulnerability by itself.
- Hosts can use another MAC address to impersonate another device and "fool" the switch.
  - The switch receives frames with the spoofed MAC address.
  - It looks at the source address and learns it on a different port.
  - The switch updates its CAM table and maps the old MAC address on the new port.
- Frames destined to the target host are now sent to the attacking host.

Slide 26: Example: MAC address spoofing

[Diagram only.]

Slide 27: MAC address table overflow attack

- A switch stores MAC-port mappings in its CAM memory.
  - Which, of course, is limited…
- Flooding a switch with many fake (spoofed) source MAC addresses will fill up this memory.
  - Having its memory full, the switch cannot learn new MAC addresses.
- What does a switch do when it does not have the destination MAC address in its memory? (what would YOU do?)
- The switch will start acting like a hub.
  - Any attacker will be able to sniff traffic between any two hosts in the network.
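The learning, spoofing and overflow behaviour of slides 24 to 27, as a toy CAM table added here (an illustration, not code from the lecture or from any switch vendor). It also models the per-port secure-address limit that port security configures later in the deck, so the same two scenarios can be run with and without it; the switch class, port names and MAC addresses are constructed.

```python
"""Toy CAM table: source-MAC learning, the MAC move a spoofed source causes,
flooding once the table is full, and a per-port secure-address limit as the
counter-measure. Added illustration; all MAC addresses are constructed."""
from dataclasses import dataclass, field


@dataclass
class Switch:
    ports: list                                       # e.g. ["Fa0/1", "Fa0/2"]
    cam_capacity: int                                 # hypothetical CAM size
    max_per_port: dict = field(default_factory=dict)  # port -> secure-address limit
    cam: dict = field(default_factory=dict)           # MAC -> port
    log: list = field(default_factory=list)           # events a defender wants to see

    def _learn(self, mac, port):
        """Source-MAC learning; returns False when the frame must be dropped."""
        old = self.cam.get(mac)
        if old == port:
            return True
        if old is not None:                           # known MAC now seen elsewhere
            if old in self.max_per_port or port in self.max_per_port:
                self.log.append(f"VIOLATION {mac} on {port}")   # secure MAC moved
                return False
            self.log.append(f"MOVE {mac} {old}->{port}")        # what spoofing looks like
            self.cam[mac] = port
            return True
        limit = self.max_per_port.get(port)
        if limit is not None and list(self.cam.values()).count(port) >= limit:
            self.log.append(f"VIOLATION {mac} on {port}")       # over the maximum
            return False
        if len(self.cam) >= self.cam_capacity:
            self.log.append(f"CAM FULL, not learning {mac}")    # overflow reached
            return True
        self.cam[mac] = port
        return True

    def forward(self, src, dst, in_port):
        """Ports the frame leaves on: one known port, a flood, or [] if dropped."""
        if not self._learn(src, in_port):
            return []
        out = self.cam.get(dst)
        if out is None:                               # unknown destination: hub behaviour
            return [p for p in self.ports if p != in_port]
        return [out]


def spoofing_demo(secure=False):
    """Victim on Fa0/1, server on Fa0/2; Fa0/3 then sends with the victim's MAC.
    Returns where the server's next frame to the victim goes, and the log."""
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"], cam_capacity=16,
                max_per_port={"Fa0/1": 1, "Fa0/3": 1} if secure else {})
    victim, server = "0000.0000.0001", "0000.0000.0002"
    sw.forward(victim, server, "Fa0/1")
    sw.forward(server, victim, "Fa0/2")
    sw.forward(victim, server, "Fa0/3")               # spoofed source address
    return sw.forward(server, victim, "Fa0/2"), sw.log


def overflow_demo(secure=False):
    """Fa0/3 emits frames from bogus source MACs until the 6-entry CAM is full.
    Returns where a frame to a newly attached host goes, the CAM size, the log."""
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"], cam_capacity=6,
                max_per_port={"Fa0/3": 2} if secure else {})
    a, b, newcomer = "0000.0000.000a", "0000.0000.000b", "0000.0000.00cc"
    sw.forward(a, b, "Fa0/1")
    sw.forward(b, a, "Fa0/2")
    for i in range(6):
        sw.forward(f"dead.beef.{i:04x}", "ffff.ffff.ffff", "Fa0/3")
    sw.forward(newcomer, a, "Fa0/2")                  # unlearnable once the table is full
    return sw.forward(a, newcomer, "Fa0/1"), len(sw.cam), sw.log
```

Real switches also age entries out, so legitimate hosts eventually drop out of a full table too; the log lines are the signals (MAC moves, table exhaustion, violations) worth forwarding to monitoring.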

Slide 28: STP quick recap

- STP = Spanning Tree Protocol
  - A Protocol that Spans Trees over your local network
- The MAC address learning method used by switches does not work if there is a loop in the network.
- Also, loops in a LAN can cause:
  - Data cycling indefinitely in the loop
  - MAC address table inconsistency
- STP creates a loop-free topology (a tree) covering all your switches.
  - Traffic will flow only on the tree's links.

Slide 29: STP facts

- Switches in STP are called "bridges".
- A root bridge is elected based on:
  - Lowest configured priority
  - If the above are equal, the lowest MAC address is the tiebreaker (now, if THOSE are equal you've got bigger problems…)
- STP shuts down switch ports in order to create a loop-free path.
- In case of failures, closed ports will be opened again.
  - Thus, ensuring redundancy.

[Diagram: root bridge.]

Slide 30: STP manipulation attacks

- The election process for the root bridge is carried out using BPDUs.
  - A BPDU (Bridge Protocol Data Unit) is a small piece of data exchanged between adjacent switches every 2 seconds.
  - It contains relevant data for STP election and stability.
- Sending false BPDUs can change the logical topology of the network.
  - Attackers can send false BPDUs to make themselves the root bridge and to be able to receive all traffic traversing the network.

Slide 31: STP attack: sending the lowest priority: 0

[Diagram only.]

Slide 32: LAN storm attack

- Broadcasts are vital for a network to function properly.
  - Example protocols: ARP, DHCP
- But flooding a network with broadcast traffic degrades network performance.
- Broadcast storm: flooding the network with excessive broadcast traffic.
  - Why is this possible? Because switches forward broadcasts out on all their ports.

Slide 33: Mitigating LAN storms

- Broadcasts cannot be eliminated from the network.
- Solution: Storm control (traffic suppression)
  - Monitors unicast, multicast and broadcast traffic on an interface
  - Compares the amount of traffic to a predefined threshold.
  - If the number of incoming packets is too high, traffic is blocked.
  - Storm control unblocks traffic after a period of time.

Slide 34: VLANs and VLAN attacks

- A VLAN (Virtual LAN) is a logical broadcast domain within a switched network.
  - Multiple VLANs appear as different subnets.
  - Allows segmentation of the LAN without using routers.
- Hosts cannot communicate between VLANs without a routing-capable device (router, layer 3 switch).
- VLANs are a simple way to securely isolate groups of hosts inside a LAN.
- Attempting to gain access to another VLAN is a type of VLAN attack.

Slide 35: VLAN extensibility

- VLANs are not restricted to a single geographical location.
- Inter-switch links that carry more than one VLAN are called trunk links.
  - Common trunking protocol: IEEE 802.1q ("dot1q")
- Ports that connect hosts to a single VLAN are called access ports.

Slide 36: VLAN hopping attacks

- End-users (their hosts) are always members of a single VLAN.
- Accessing another VLAN, other than the one assigned to your switch port, is called VLAN hopping.
- Method: establish your own trunk link with the switch.
  - The trunk link can transport any VLAN.
  - DTP (Dynamic Trunking Protocol) is active by default and will automatically negotiate a trunk when possible.

[Diagram: servers on VLAN 10 and VLAN 20 behind an 802.1Q trunk; once the attacker's port has become a trunk, the attacker sees traffic destined for the servers.]

Slide 37: VLAN hopping mitigation

- Solution:
  - Disable DTP on ports that do not require trunking.
    - Negotiation of a trunk will not be possible anymore.
  - Preferably, manually enable trunking where needed.
- Unwanted trunk links can be created using:
  - A host that acts like a switch and sends DTP negotiation frames.
  - A normal switch, owned by the attacker.

Slide 38: Trunks and native VLANs

- When passing over a trunk, a frame must retain its VLAN information.
  - So that the end switch will know to which VLAN it belongs.
- "Tagging" a frame with its VLAN information is done using the dot1q protocol.
- If a frame does not have a tag, it is considered to belong to the "native VLAN" of the trunk link.

Slide 39: VLAN hopping: double-tagging

[Diagram: attacker on VLAN 10, two switches joined by an 802.1Q trunk with native VLAN = 10, victim on VLAN 20.]

Note: This attack works only if the trunk has the same native VLAN as the attacker's access VLAN.

1. Attacker is on VLAN 10 but also puts a 20 tag in the packet.
2. The first switch strips off the first tag and does not retag it (native traffic is not retagged). It then forwards the packet to switch 2.
3. The second switch receives the packet on the native VLAN.
4. The second switch examines the packet, sees the VLAN 20 tag and forwards it accordingly.
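The four steps above, followed frame by frame in an added example (not the lecture's code): it builds a frame with two 802.1Q tags and pushes it through access-port ingress on switch 1, trunk egress, and trunk ingress on switch 2, then repeats the run with a different native VLAN and with native traffic tagged (an IOS option, `vlan dot1q tag native`, not covered by the slides) to show why the note's condition matters. MAC addresses and payload are constructed.

```python
"""Double-tagging walkthrough for the slide above (added illustration).
A frame carrying two 802.1Q tags is pushed through two switches; only when
the trunk's native VLAN equals the attacker's access VLAN does the inner
tag survive to switch 2. Addresses and payload are constructed."""
import struct

TPID = 0x8100      # 802.1Q tag protocol identifier
ETH_IP = 0x0800


def build_frame(dst, src, vlans, payload):
    """Ethernet II frame with the given 802.1Q tags (outermost first)."""
    hdr = bytes.fromhex(dst.replace(".", "")) + bytes.fromhex(src.replace(".", ""))
    for vid in vlans:
        hdr += struct.pack("!HH", TPID, vid & 0x0FFF)
    return hdr + struct.pack("!H", ETH_IP) + payload


def pop_tag(frame):
    """(vlan, frame minus its outermost tag), or (None, frame) if untagged."""
    if struct.unpack("!H", frame[12:14])[0] == TPID:
        vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        return vid, frame[:12] + frame[16:]
    return None, frame


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID, vid) + frame[12:]


def access_ingress(frame, access_vlan):
    """Switch 1, access port: an outer tag equal to the port's VLAN is accepted
    and removed; any other tag is dropped. Whatever follows is opaque payload."""
    vid, inner = pop_tag(frame)
    if vid is not None and vid != access_vlan:
        return None
    return inner


def trunk_egress(frame, vlan, native_vlan, tag_native):
    """Switch 1, trunk: frames in the native VLAN leave untagged unless the
    trunk is configured to tag native traffic; everything else gets a tag."""
    if vlan == native_vlan and not tag_native:
        return frame
    return push_tag(frame, vlan)


def trunk_ingress(frame, native_vlan):
    """Switch 2, trunk: an untagged frame belongs to the native VLAN, otherwise
    the tag decides. Returns (vlan, frame as delivered into that VLAN)."""
    vid, inner = pop_tag(frame)
    return (native_vlan if vid is None else vid), inner


def double_tag_scenario(attacker_vlan=10, native_vlan=10, tag_native=False):
    """VLAN the frame is delivered into on switch 2 (None if switch 1 drops it)."""
    frame = build_frame("ffff.ffff.ffff", "0000.0000.0bad",
                        [attacker_vlan, 20], b"constructed payload")
    inner = access_ingress(frame, attacker_vlan)
    if inner is None:
        return None
    on_trunk = trunk_egress(inner, attacker_vlan, native_vlan, tag_native)
    vlan, _ = trunk_ingress(on_trunk, native_vlan)
    return vlan
```

With the default arguments the frame lands in VLAN 20; with an unused native VLAN on the trunk, or with native traffic tagged, it stays in VLAN 10 and the inner tag is just payload.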

Slide 40: Configuring Layer 2 Security

Here come the commands…

Slide 41: Overview

- Overview of this section:
  - Configuring port security
  - Verifying port security
  - Configuring BPDU Guard and Root Guard
  - Configuring Storm Control

Slide 42: Port security

- Port security is a feature that allows you to:
  - Configure the maximum number of MAC addresses a switch can learn on a certain port.
  - Statically configure the allowed MAC addresses.
- Protects against:
  - Unauthorized expansion of the network.
  - Foreign hosts or switches becoming members of your network.
- All incoming frames using unallowed MAC addresses are dropped.
- By default…

Slide 43: Port security example

[Diagram only.]

Slide 44: Configuring port security

- Changing the interface mode to access [access != trunk]:

    S1(config)#interface FastEthernet 0/24
    S1(config-if)#switchport mode access

- The default mode on a switch port (interface) is dynamic auto, which will use DTP to try and dynamically negotiate a trunk on the link.
  - Port security cannot be enabled on dynamic auto ports.
- Activating port security on the interface:

    S1(config-if)#switchport port-security

- Set the maximum number of MAC addresses that can be learned on the interface:

    S1(config-if)#switchport port-security maximum 3

Slide 45: Configuring port security MAC addresses

- Specifying one or more MAC addresses that can be learned on the interface:

    S1(config-if)#switchport port-security mac-address 0026.08de.f22e

- We still have only a maximum of 3 MAC addresses on the interface.
  - Configuring one MAC address leaves the other 2 to be dynamically learned.
  - The first MAC address of a sending host will be recorded.

Slide 46: Configuring port security actions

- The action that is to be taken by the switch port when an invalid source MAC address is detected on the port is called violation.
- Setting the violation mode:

    S1(config-if)#switchport port-security violation ?
      protect   Security violation protect mode
      restrict  Security violation restrict mode
      shutdown  Security violation shutdown mode

- Setting the violation mode is optional.
  - The default is to shut down the port.

Slide 47: Port security violation modes

- Protect
  - Unaccepted packets are dropped.
  - Remove some secure MAC addresses or increase the maximum allowed number to let them pass.
  - No notifications are sent.
- Restrict
  - Unaccepted packets are dropped.
  - Same solution as for Protect mode.
  - SNMP traps are sent, syslog messages as well, and the violation counter increases.
  - Susceptible to DoS attacks.
- Shutdown
  - Completely shuts down the interface.
  - Sends the same notifications as in Restrict mode.
  - The port is set in the error-disabled state.
  - The port has to be manually brought up.

Slide 48: Witnessing a "shutdown" violation

- A port shutting down after receiving one more MAC address than the maximum allowed:

    2d17h: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
    2d17h: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0019.e792.8321 on port FastEthernet0/1.
    2d17h: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
    2d17h: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down

- Checking port state:

    SW3(config-if)#do sh ip int brief | incl 0/1
    FastEthernet0/1    unassigned    YES unset  down    down

- Checking for the error-disabled state:

    SW3#show int fa 0/1
    FastEthernet0/1 is down, line protocol is down (err-disabled)
      Hardware is Fast Ethernet, address is 001a.6cf8.8c01 (bia 001a.6cf8.8c01)
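A small detection helper for the syslog lines above, added here as an example (not code from the lecture or from Cisco IOS): it parses the `%PORT_SECURITY-2-PSECURE_VIOLATION` and `%PM-4-ERR_DISABLE` messages and reports, per port, the offending MAC addresses and whether the port ended up err-disabled. The sample log is the four lines from the slide plus one constructed restrict-mode violation on a second port.

```python
"""Parse port-security syslog lines into a per-port report (added example).
Restrict and shutdown modes both log PSECURE_VIOLATION; only shutdown mode
adds the ERR_DISABLE line, so a violation without it means the port is still up."""
import re

# Mnemonics as they appear on the slide; the uptime prefix ("2d17h:") is ignored.
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"on port (?P<port>[A-Za-z]+\d+(?:/\d+)*)\.")
ERRDISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: (?P<cause>[\w-]+) error detected on "
    r"(?P<port>[A-Za-z]+\d+(?:/\d+)*), putting \S+ in err-disable state")

# %PM lines use short interface names, %PORT_SECURITY lines use long ones.
_LONG = {"Fa": "FastEthernet", "Gi": "GigabitEthernet"}


def canonical_port(name):
    """'Fa0/1' -> 'FastEthernet0/1'; names that are already long pass through."""
    for short, long in _LONG.items():
        if name.startswith(short) and not name.startswith(long):
            return long + name[len(short):]
    return name


def parse_events(lines):
    """(kind, port, detail) for every line one of the two patterns matches."""
    events = []
    for line in lines:
        m = VIOLATION_RE.search(line)
        if m:
            events.append(("violation", canonical_port(m["port"]), m["mac"]))
            continue
        m = ERRDISABLE_RE.search(line)
        if m:
            events.append(("err-disable", canonical_port(m["port"]), m["cause"]))
    return events


def summarize(lines):
    """Per port: the offending MACs seen and whether the port went err-disabled."""
    report = {}
    for kind, port, detail in parse_events(lines):
        entry = report.setdefault(port, {"macs": set(), "err_disabled": False})
        if kind == "violation":
            entry["macs"].add(detail)
        elif detail == "psecure-violation":
            entry["err_disabled"] = True
    return report


SAMPLE_LOG = [  # first four lines from the slide; the last one is constructed
    "2d17h: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state",
    "2d17h: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0019.e792.8321 on port FastEthernet0/1.",
    "2d17h: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down",
    "2d17h: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
    "2d18h: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0000.0bad on port FastEthernet0/22.",
]

if __name__ == "__main__":
    for port, info in summarize(SAMPLE_LOG).items():
        state = "err-disabled" if info["err_disabled"] else "still up"
        print(port, sorted(info["macs"]), state)
```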

Slide 49: Recovering from a "shutdown" violation

- Do not attempt the following:

    SW3(config)#int FastEthernet0/1
    SW3(config-if)#no shutdown

- …as it will have the following "effect":

    SW3(config-if)#do sh ip int brief | inc 0/1
    FastEthernet0/1    unassigned    YES unset  down    down

- Err-disabled state is not really a "shutdown" mode of the interface.
- Recover by shutting down the interface and bringing it up again:

    SW3(config-if)#shutdown
    SW3(config-if)#no shutdown
    2d17h: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
    2d17h: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up

- Or, even better, automate this to recover after 60 minutes:

    SW3(config)#errdisable recovery cause psecure-violation
    SW3(config)#errdisable recovery interval 60

Slide 50: The "sticky" ones…

- Dynamically learned MAC addresses are lost after the switch reloads.
  - They will be learned again but this could be a security risk.
- You can make all dynamically learned MAC addresses "sticky".
  - MAC addresses will still be dynamically learned.
  - But they will be automatically saved in the running config.

    SW3(config-if)#switchport port-security mac-address sticky

- The running-config will automatically include:

    SW3#sh run | include sticky
     switchport port-security mac-address sticky
     switchport port-security mac-address sticky 0019.e792.8321

Slide 51: Aging port security entries

- Configuring aging for static entries:

    SW3(config-if)#switchport port-security aging static

- Setting the number of minutes after which the entries will age out:

    SW3(config-if)#switchport port-security aging time 15

- Setting the type of aging:

    SW3(config-if)#switchport port-security aging type ?
      absolute    Absolute aging (default)
      inactivity  Aging based on inactivity time period

  - Absolute: entries will age out after 15 minutes.
  - Inactivity: entries will age out after 15 minutes of inactivity from the specific MAC address.

Slide 52: Verifying port security

    SW3#show port-security
    Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                    (Count)       (Count)          (Count)
    ---------------------------------------------------------------------------
          Fa0/1              3            3                  0         Shutdown
         Fa0/22              3            1                  0          Protect
    ---------------------------------------------------------------------------
    Total Addresses in System (excluding one mac per port)     : 2
    Max Addresses limit in System (excluding one mac per port) : 8320

- Showing all learned or configured addresses:

    SW3#show port-security address
              Secure Mac Address Table
    ------------------------------------------------------------------------
    Vlan    Mac Address       Type                Ports    Remaining Age (mins)
    ----    -----------       ----                -----    -------------
       1    0019.e792.8321    SecureSticky        Fa0/1         -
       1    0025.bcdc.17b6    SecureConfigured    Fa0/1        11
       1    001b.9035.f118    SecureDynamic       Fa0/22        -
    ------------------------------------------------------------------------

Slide 53: PortFast

- STP takes time to converge and goes through several states.
- The PortFast feature can be enabled on access links to avoid STP calculations on them.
  - They are not included in the STP tree, anyway.

Slide 54: Configuring PortFast globally

- Configuring PortFast on all non-trunking ports at once:

    SW3(config)#spanning-tree portfast default
    %Warning: this command enables portfast by default on all interfaces. You should now disable portfast explicitly on switched ports leading to hubs, switches and bridges as they may create temporary bridging loops.

- Cisco IOS rarely gives you such long messages, so you should probably keep it in mind.

Slide 55: Configuring PortFast at interface level

- Enabling PortFast for a specific interface:

    SW3(config-if)#spanning-tree portfast
    %Portfast has been configured on FastEthernet0/1 but will only have effect when the interface is in a non-trunking mode.

- Proof that PortFast cannot work on trunk links.

Slide 56: Configuring BPDU guard

- BPDU guard protects the network by blocking BPDUs on ports where they should not be received.
  - This way the network topology remains predictable.
  - Intruders cannot alter the root bridge of the STP tree.
- Access ports should have BPDU guard enabled.

Slide 57: Configuring BPDU guard

- BPDU guard is a PortFast feature.
- By default, BPDU guard will shut down the port if a BPDU is received.
- Enabling BPDU guard globally on the switch:

    SW3(config)#spanning-tree portfast bpduguard default

- Verifying:

    SW3#show spanning-tree summary
    Switch is in pvst mode
    Root bridge for: VLAN0001
    Extended system ID           is enabled
    Portfast Default             is enabled
    PortFast BPDU Guard Default  is enabled
    Portfast BPDU Filter Default is disabled
    Loopguard Default            is disabled
    […output omitted…]

Slide 58: Root guard

- An attacker can send spoofed BPDUs in an attempt to become the root.
- The device connected to the switch port can participate in STP as long as it does not try to become the root.
- Root guard puts the port in the root-inconsistent state.
  - It automatically recovers when the offending BPDUs stop.

Slide 59: Configuring Root guard

- Configuring Root guard on the interface:

    Switch(config-if)#spanning-tree guard root
    00:16:27: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port FastEthernet0/1.

- Root guard should be configured on ports that do not lead to the root switch.
- To view port states use:

    Switch#show spanning-tree inconsistentports

- BTW: sending BPDUs with a priority of 0 does not guarantee that you will become the root bridge.
  - Some other switches might exist, with 0 priority and a lower MAC address.
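The root election of slide 29, the priority-0 scenario of slide 31 and the root guard behaviour of slides 58 and 59, modelled together in one added example (not code from the lecture or from Cisco IOS). Bridge IDs are (priority, MAC) pairs compared lowest-first; a root-guard port discards any BPDU that would win that comparison and is reported root-inconsistent. The switch names, port names and MAC addresses are constructed.

```python
"""Root-bridge election and root guard as a comparison on (priority, MAC).
Added illustration with constructed bridge IDs."""


def bridge_id(priority, mac):
    """Sort key for BPDU comparison: priority first, MAC as the tiebreaker.
    The MAC is compared numerically, so '0000.0000.0001' < '0000.0000.0c0c'."""
    return (priority, int(mac.replace(".", ""), 16))


def elect_root(bpdus):
    """Winning MAC among the (priority, mac) pairs advertised by all bridges."""
    return min(bpdus, key=lambda b: bridge_id(*b))[1]


def process_bpdus(own, received, guarded=frozenset()):
    """One switch's view. own: its (priority, mac); received: {port: best
    (priority, mac) heard on that port}; guarded: ports with root guard.
    Returns (MAC this switch accepts as root, ports put in root-inconsistent)."""
    best = own
    for port, bpdu in received.items():
        if port not in guarded and bridge_id(*bpdu) < b_id(best):
            best = bpdu
    blocked = sorted(p for p, b in received.items()
                     if p in guarded and bridge_id(*b) < b_id(best))
    return best[1], blocked


def b_id(pair):
    return bridge_id(*pair)


# Constructed topology: this switch, the legitimate root on its uplink, and a
# device on an access port advertising priority 0 (the slide 31 scenario).
ME = (32768, "0000.0000.0a0a")
UPLINK = (4096, "0000.0000.0b0b")
ROGUE = (0, "0000.0000.0c0c")
HEARD = {"Gi0/1": UPLINK, "Fa0/5": ROGUE}


def without_root_guard():
    """The priority-0 BPDU on the access port takes the root role."""
    return process_bpdus(ME, HEARD)


def with_root_guard():
    """Fa0/5 guarded: the uplink stays root, Fa0/5 goes root-inconsistent."""
    return process_bpdus(ME, HEARD, guarded={"Fa0/5"})


def priority_zero_is_not_enough():
    """The BTW on slide 59: priority 0 loses to priority 0 with a lower MAC."""
    return elect_root([ROGUE, (0, "0000.0000.0001"), UPLINK])
```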

Slide 60: Configuring storm control

- Example scenarios for configuring storm control:
- Block broadcast packets over 75.55% of the interface's capacity:

    SW(config-if)#storm-control broadcast level 75.55

- Block multicast packets that go over 5 Mbps:

    SW(config-if)#storm-control multicast level bps 5000000

- Configure the interface to shut down when either storm control violation occurs:

    SW(config-if)#storm-control action shutdown

Slide 61: Verifying storm control

- Show storm control status:

    SW3# show storm-control
    Interface  Filter State   Upper      Lower      Current
    ---------  -------------  ---------  ---------  ---------
    Gi0/1      Forwarding     20 pps     10 pps     5 pps
    Gi0/2      Forwarding     50.00%     40.00%     0.00%
    <output omitted>

Slide 62: Monitoring with SPAN

- SPAN = Switched Port ANalyzer
- A SPAN port mirrors traffic to another port.
  - Monitors the entire interface (port) or a single VLAN
  - Monitors inbound and/or outbound traffic
- Ideal deployment for IDS systems.
- Does not affect normal switching operation.

[Diagram: an IDS / protocol analyzer attached to the SPAN destination port raises "Intruder Alert!".]

Slide 63: Configuring SPAN – Example 1

- The "monitor session" command:
- Setting the source interface to monitor:

    Switch(config)# monitor session 1 source interface gigabitethernet0/1

- Setting the destination interface, where traffic will be mirrored:

    Switch(config)# monitor session 1 destination interface gigabitethernet0/2 encapsulation replicate

- The "encapsulation" parameter tells the switch to mirror traffic while retaining the same encapsulation method.

Slide 64: Configuring SPAN – Example 2

- The following example monitors only two VLANs:
- Mirror only received traffic on VLAN 10:

    Switch(config)# monitor session 1 source vlan 10 rx

- Mirror only sent traffic on VLAN 20:

    Switch(config)# monitor session 1 source vlan 20 tx

- The destination is still an interface:

    Switch(config)# monitor session 1 destination interface FastEthernet 0/1

Slide 65: Viewing SPAN configuration

- Use the "show monitor" command to view configuration info about all monitor sessions:

    #show monitor session 1
    Session 1
    ---------
    Source Ports:
        RX Only:   None
        TX Only:   None
        Both:      Fa0/2
    Destination Ports: Fa0/3

Slide 66: Monitoring with RSPAN

- RSPAN = Remote SPAN
- SPAN mirrors traffic between ports on the same switch.
- RSPAN mirrors traffic to a port on a different switch.
  - This way, traffic from multiple switches can be mirrored to a single destination.
  - Multiple traffic flows can be monitored at the same time.
  - Using the same IDS.

Slide 67: RSPAN deployment

- RSPAN can be used to monitor traffic from several different VLANs.

[Diagram: several source VLANs are mirrored into the RSPAN VLAN, which carries them to the switch where the IDS is attached.]

Slide 68: Configuring RSPAN

- Create the RSPAN VLAN on both switches:

    2960-1(config)# vlan 100
    2960-1(config-vlan)# remote-span
    2960-1(config-vlan)# exit

- Configure RSPAN source ports and VLANs:

    2960-1(config)# monitor session 1 source interface FastEthernet 0/1
    2960-1(config)# monitor session 1 destination remote vlan 100 reflector-port FastEthernet 0/2
    2960-1(config)# interface FastEthernet 0/2
    2960-1(config-if)# switchport mode trunk

- Configure RSPAN traffic to be forwarded:

    2960-2(config)# monitor session 2 source remote vlan 100
    2960-2(config)# monitor session 2 destination interface FastEthernet 0/3
    2960-2(config)# interface FastEthernet 0/2
    2960-2(config-if)# switchport mode trunk

Slide 69

"Security depends not so much upon how much you have, as upon how much you can do without."

Joseph Wood Krutch