
Putting 2 & 2 Together

By Stephen Dugan, CCSI


scdugan@101labs.com

Introduction
Welcome to the presentation, and thank you for coming!

o Who is the speaker?


o What is the focus of the presentation?

Agenda
o Introduction
o Section 1
  Current Design
  Best Practices
o Section 2
  Emerging Design Practices
o Extras?

Section 1

Current Design Model

Building Block of Network Design

[Diagram: a building block made up of Access and Distribution layers, connected to the CORE (Ethernet, Layer 2 or Layer 3). Building block additions: Server Farm, WAN, Internet, PSTN.]


Section 1 Current Design Model

Features:
Link redundancy
Load-Sharing
Fast Convergence
Manageable
Scalable
Security could be stronger.

Section 1 Current Design Model

L2 Functions that provide security:


Root Guard
PortFast
BPDU Guard
Port Security
Management VLAN
Private VLANs

Section 1 Current Design Model

L3 Functions that provide security:


ACLs at Distribution Layer:
Ingress - Egress from Core
Route Filtering
Network Based IDS (if used?!?)

Section 1 Current Design Model

Hard issues to address with this design:
HSRP insecurities
STP weaknesses
ARP Spoofing
Common mis-configurations

Section 2

Emerging Changes to Design Model

Section 2 Emerging Changes
The main change focuses on bringing Layer 3 routing functionality close to the end stations.
OR

R2D
Routing to Desktop

Section 2 Emerging Changes
Access: Layer 3
Distribution: Layer 3
Core: L2 or L3

From the physical layout it looks the same (good news: no rewire!)

Section 2 Emerging Changes

With L3 capabilities within the Access-Layer box:
HSRP isn't needed
STP is irrelevant
L3 routing to Distribution Layer
Concept of Private VLANs can be implemented easily

Section 2 Emerging Changes

Security Problems Solved:


ARP Spoofing
Root takeover
HSRP MiTM attack (or DoS)
L3 better QoS handling (NBAR)

Section 2 Emerging Changes
[Diagram labels: Dist., Dist., EIGRP or OSPF, GigE, Access Layer, VLAN 2, VLAN 3, VLAN 4, VLAN 5, VLAN 6.]

Links
o General Cisco Security
  - http://www.cisco.com/warp/public/707/21.html#http
  - http://www.cisco.com/public/cons/isp/documents/IOSEssentialsPDF.zip
  - http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safe_wp.htm
o Design
  - http://www.cisco.com/warp/public/cc/so/neso/lnso/cpso/gcnd_wp.htm

Thank you for coming!!

Special thanks to
Jeff Moss, Keith Myers and the
rest of the Black Hat Crew.
