Home > Articles > Cisco > CCIE

This chapter is from the book

This chapter is from the book

Threats to Cisco Collaboration Networks

The first step toward securing a Cisco Collaboration solution is to understand the possible threats to infrastructure, endpoints, devices, and applications. Security threats pertinent to Cisco Collaboration networks can be broadly categorized as listed in Table 5-1.

Table 5-1 Threats to a Cisco Collaboration (Unified IP) Network

Threat Category

Description

Eavesdropping/interception attacks

Aimed at voice and signaling sessions, leading to loss of confidentiality or integrity, or both.

Identity theft/impersonation attacks

Used to exploit information in voice and video streams, leading to loss of confidentiality.

Toll fraud

Occurs by means of unauthorized or fraudulent use of telephony equipment or services.

Denial-of-service (DoS) attacks

Leads to degradation of voice and video services.

Intrusion attacks

Targeted at services associated with or enabled by the telephony implementation, such as servers in the same zone as UC servers.

There’s no single security control or tool/mechanism to thwart all the attack types listed in Table 5-1. Defense-in-Depth, also known as a layered security approach, is required to mitigate these threats. The following sections give insight into security measures at the various layers of the OSI model.

Layer 1 Security

Physical security entails securing Cisco Collaboration assets from physical access by an intruder and from potential damage by surrounding environmental factors. The major physical security controls include

  • Guards at data center or facility periphery
  • Badged access to data center/facilities
  • CCTV, alarms, and sensors at data center/facility entry and exits
  • Cisco Collaboration equipment secured in racks in data center and in closets at user access level
  • Uninterruptible power supply (UPS) for servers and network devices

Layer 2 Security

Layer 2 security can be deployed at the switching layer to prevent attacks originating from the user access layer such as:

  • MAC address spoofing
  • DHCP spoofing
  • Spanning Tree Protocol (STP) manipulation
  • ARP poisoning
  • Identity spoofing

Port Security

Cisco Catalyst switches have a feature called port security that helps to reduce spoofing and other attacks. Port security restricts the input to an interface by limiting and identifying MAC addresses of end devices. The port security feature can leverage MAC address learning in the following ways:

  • Static secure MAC address: Manually limits the MAC addresses to be allowed on a switch port by statically configuring the MAC addresses on a per-port basis. This feature allows MAC addresses learned to be saved in Content Addressable Memory (CAM) table and running configuration.
  • Sticky secure MAC address: The switch port dynamically learns the MAC addresses of connected devices (sticky) configured for sticky secure MAC addresses and stores these in the CAM table and running configuration.
  • Dynamic secure MAC address: The MAC addresses learned from the switch port set up for dynamic secure MAC addresses are stored only in a switch’s CAM table and not in the running configuration.

Upon violation of the number of MAC addresses per port, you can configure violation rules in one of following three ways:

  • Protect: When the switch port reaches its configured maximum number of secure MAC addresses, it starts dropping frames with an unknown source MAC address.
  • Restrict: Similar to the protect option, the major difference being that the restrict option can send an SNMP trap and a syslog message. It increments the violation counter when a port security violation occurs.
  • Shutdown: After a port security violation occurs, the port is shut down and put in err-disable state. This option also allows generation of the SNMP and syslog notifications, identical to the restrict option, and it will also increment a violation counter.

Example 5-1 illustrates enabling port security on a Cisco Catalyst switch for interface FastEthernet 0/10 where the maximum number of MAC addresses is set to 3 on this particular interface, and the port, upon exceeding the maximum count, will be put in err-disable mode (shut down). The mac-address command is used to set a static MAC and remember the MAC addresses connected to it (sticky).

Example 5-1 Cisco Catalyst Switch Port Security Configuration

UCSWITCH(config)# interface FastEthernet 0/10
UCSWITCH(config-if)# switchport port-security
UCSWITCH(config-if)# switchport port-security maximum 3
UCSWITCH(config-if)# switchport port-security violation shutdown
UCSWITCH(config-if)# switchport port-security mac-address 10BD.18DC.97F5
UCSWITCH(config-if)# switchport port-security mac-address sticky

DHCP Snooping

DHCP spoofing is used to launch Man-In-The-Middle (MITM), reconnaissance, and DoS attacks. In the DHCP spoofing attack, the attacker enables a rogue DHCP server on a network. When an endpoint (Cisco Unified IP Phone or softphone) sends a broadcast request for the DHCP configuration information, the rogue DHCP server responds before the original DHCP, thereby assigning the attacker-defined IP configuration information. DHCP snooping is a Cisco Catalyst switch feature that helps prevent DHCP spoofing attacks by enabling the switch ports to be set as either trusted (DHCP server-facing interface) or untrusted (user facing). Trusted switch ports can send DHCP requests and acknowledgements, whereas untrusted ports can only forward DHCP requests. DHCP snooping enables the switch to build a DHCP binding table that maps a client MAC address, IP address, VLAN, and port ID. Example 5-2 outlines DHCP snooping configuration where FastEthernet 0/10 is set to trusted and FastEthernet 0/20 is set to untrusted.

Example 5-2 DHCP Snooping Configuration

UCSWITCH(config)# ip dhcp snooping VLAN 200 201
UCSWITCH(config)# no ip dhcp snooping information option
UCSWITCH(config)# ip dhcp snooping
!
UCSWITCH(config)# interface FastEthernet 0/10
UCSWITCH(config-if)# ip dhcp snooping trust
!
UCSWITCH(config)# interface FastEthernet 0/20
UCSWITCH(config-if)# no ip dhcp snooping trust
UCSWITCH(config-if)# ip dhcp snooping limit

DHCP snooping is also used for Dynamic ARP Inspection (DAI), as discussed later in this chapter.

Root Guard and BPDU Guard

When a Cisco switch boots up, Spanning Tree Protocol (STP) identifies one switch as a root bridge. STP uses bridge protocol data units (BPDU) to maintain a loop-free topology by blocking redundant paths between switches. An attacker can send spoofed BPDU packets to imitate a root bridge, thereby causing a reconvergence of the network traffic. The attacker can capture traffic, launch DoS attacks, or initiate MITM attacks. BPDU guard and Root Guard help prevent the DoS or MITM attacks originating as a result of STP manipulation. BPDU Guard helps stop STP manipulation by enabling port(s) that don’t accept any BPDUs. Root Guard ensures that when the root (or root bridge) is elected, a new BPDU on a designated port isn’t entertained.

The following is a configuration of BPDU Guard and Root Guard for thwarting STP manipulation:

UCSWITCH(config)# spanning-tree portfast bpduguard
UCSWITCH(config)# spanning-tree guard root

Dynamic ARP Inspection

An attacker can poison the Address Resolution Protocol (ARP) table. The intent is to conceal the identity so that the attacker’s switch/PC becomes the default gateway for the telephony subnet. ARP poisoning can be implemented by replying to and poisoning the network so that the attacker’s MAC address seems to be mapped to the default gateway IP address of the endpoints. An ARP attack can be mitigated by implementing Dynamic ARP Inspection (DAI), wherein the switch checks the IP/MAC mappings in the DHCP snooping binding table, thereby establishing the authenticity of packets before forwarding the packets to the destination. DAI drops all ARP packets that do not pass the inspection process. Example 5-3 outlines the process to enable DAI on a global and per-interface basis.

Example 5-3 DAI Interface-Specific and Global Setup

UCSWITCH(config)# ip arp inspection vlan 300
!
UCSWITCH(config)# interface FastEthernet 0/1
UCSWITCH(config-if)# ip arp inspection trust

802.1x

802.1x is a standard set by the IEEE 802.1 working group. It’s a framework designed to address and provide port-based access control using authentication, primarily using Extensible Authentication Protocol (EAP) as the key protocol. 802.1x is a Layer 2 protocol for transporting authentication messages (EAP) between a supplicant (user/endpoint/PC) and an authenticator (switch or access point) with an (optional) authentication server (RADIUS) at the back end to authenticate the supplicant. For wired supplicants, EAP over LAN (EAPoL) is used, and for wireless supplicants, EAP over Wireless (EAPoW) is used. Figure 5-1 shows 802.1x via EAPoL and EAPoW for wired and wireless supplicants, respectively, to a RADIUS (Cisco TACACS+) server.

Figure 5-1

Figure 5-1 802.1x in Cisco Collaboration Networks

Multidomain Authentication (MDA) helps define two domains on the same physical switch port: Voice VLAN Identifier (VVID) and Port VLAN Identifier (PVID). The 802.1x process for voice using an EAPoL and MDA approach is shown in the following steps:

  • Step 1. A Cisco Unified IP Phone learns VVID from Cisco Discovery Protocol (CDP). Third-party phones use Link Layer Discovery Protocol (LLDP). 802.1x times out.
  • Step 2. The switch initiates MAC Authentication Bypass (MAB).
  • Step 3. Cisco TACACS+ (RADIUS server) returns Access-Accept with the IP Phone’s vendor-specific attribute (VSA).
  • Step 4. IP Phone traffic is initially allowed on either VLAN until it sends an 802.1Q tagged packet. Then only voice VLAN is allowed for the IP Phone.
  • Step 5. The daisy-chained PC (connected to the PC port on the IP Phone) authenticates using 802.1x or MAB. PC traffic is allowed on the data VLAN only.

Example 5-4 demonstrates the switch configuration for MDA.

Example 5-4 MDA Setup

UCSWITCH(config)# interface FastEthernet 1/1
UCSWITCH(config-if)# switchport mode access
UCSWITCH(config-if)# switchport access vlan 100
UCSWITCH(config-if)# switchport voice vlan 200
UCSWITCH(config-if)# spanning-tree portfast
UCSWITCH(config-if)# authentication event fail action next-method
UCSWITCH(config-if)# authentication host-mode multi-domain
UCSWITCH(config-if)# authentication order dot1x mab
UCSWITCH(config-if)# dot1x pae authenticator
UCSWITCH(config-if)# authentication port-control auto
UCSWITCH(config-if)# dot1x timeout tx-period 10
UCSWITCH(config-if)# dot1x max-req 2
UCSWITCH(config-if)# mab

Layer 3 Security

At Layer 3 of the OSI model, the following security mechanisms help restrain attacks from within and outside of a network:

  • Deploying RFC 2827 filtering, uRPF, and IP source guard (prevents IP spoofing)
  • Using routing protocol authentication
  • Disabling unnecessary Cisco IOS services (hardening)

RFC 2827 Filtering

To prevent IP spoofing attacks emerging from outside your network, RFC 1918 addresses should be filtered using IP access control lists (ACL). These addresses include the following:

  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16
  • 0.0.0.0/8
  • 127.0.0.0/8
  • 169.254.0.0

In addition to these addresses, the multicast range of 224.0.0.0/4, 239.0.0.0/8, and 240.0.0.0/5 and the broadcast address of 255.255.255.255 should be blocked.

IP Source Guard

The IP source guard feature can be enabled on untrusted switch ports. This feature blocks all IP traffic initially, except for DHCP packets captured by the DHCP snooping process. When a client receives a valid IP address from the trusted DHCP server, a port ACL (PACL) is applied to the port. This restricts the traffic only from known client source IP addresses configured in the binding, disregarding any other IP traffic. The following configuration enables IP source guard on the FastEthernet 0/10 interface of a Cisco Catalyst switch:

UCSwitch(config)# interface FastEthernet 0/10
UCSwitch(config-if)# ip verify source

Unicast Reverse Path Forwarding

Unicast Reverse Path Forwarding (uRPF) is a Cisco IOS feature that can be employed on Cisco IOS routers to prevent attempts to send packets with spoofed source IP addresses. The uRPF feature looks for the source IP address of a packet arriving on the inbound interface of a router in its routing table. If the source IP address exists in the network behind the router, and the routing table contains an entry for the same, the packet is allowed. uRPF requires Cisco Express Forwarding (CEF) to be enabled. The following snippet outlines the configuration of uRPF on FastEthernet 1/1 of a Cisco IOS router:

UCRouter(config)# interface FastEthernet 1/1
UCRouter(config-if)# ip verify unicast reverse-path

Routing Protocols Security

An attacker can attempt to manipulate the routing tables of routers by injecting his own malicious routes, thereby causing the router to send all voice and data network traffic to his own PC/router or drop the traffic altogether. To protect against such an attack, routing protocols should be secured by using authentication via plain-text authentication or MD5. MD5-based authentication creates a hash value from the key and sends it to the neighbors, where the neighboring router recalculates the hash value with the configured key to verify the integrity of the message. MD5 authentication is supported with the following routing protocols:

  • RIPv2
  • EIGRP
  • OSPF
  • BGP4

Router Hardening

Cisco IOS routers can be hardened by disabling services such as finger, TCP and UDP small servers, BootP, and Proxy ARP.

(Firewall) Security for Layers 4 Through 7

Firewalls such as Cisco Adaptive Security Appliance (ASA) enable protection of a Cisco Collaboration network by filtering traffic at Layer 3, Layer 4, and higher layers. In an ideal design, the firewall intercepts the traffic coming from or going to remote sites and the Internet to or from the internal network (data center) and consequently filters based on certain criteria such as source/destination based on subnet, inspection, or ports.

Cisco ASA works in routed mode, transparent mode, or multiple-context mode. In routed mode Cisco ASA appears as a hop in the network—that is, it works at Layer 3. Routed mode supports multiple interfaces and practically all Cisco Collaboration services/applications. For Cisco Collaboration network deployments, Cisco ASA should be configured in a single (default) context as a routed firewall.

Cisco ASA, on the other hand, also works in transparent mode where it is a Layer 2 firewall that acts like a bump in the wire. In transparent mode, Cisco ASA has some limitations pertinent to voice and video traffic:

  • Limited to the use of two traffic forwarding interfaces
  • Lack of support for QoS or Network Address Translation (NAT)
  • Lack of support for multicast routing
  • No site-to-site VPN (except for management of the firewall itself)

Cisco ASA also supports multiple-context mode, also known as multimode. In multiple-context mode, the firewall is regarded as multiple separate virtual firewalls on the same physical hardware. However, multiple-mode also has some feature limitations (in addition to those defined for transparent firewall):

  • Lack of support for VPN remote-access services
  • Lack of support for Phone Proxy
  • Lack of support for dynamic routing

Pearson IT Certification Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Pearson IT Certification and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Pearson IT Certification products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by Adobe Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.pearsonitcertification.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020