Deploying Layer 2 Security in Server Farms

Transcription

1 March, 2003 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA USA Tel: NETS (6387) ax:

2 THE SPECIICATIONS AND INORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY O ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE ULL RESPONSIBILITY OR THEIR APPLICATION O ANY PRODUCTS. THE SOTWARE LICENSE AND LIMITED WARRANTY OR THE ACCOMPANYING PRODUCT ARE SET ORTH IN THE INORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REERENCE. I YOU ARE UNABLE TO LOCATE THE SOTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE OR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB s public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT ILES AND SOTWARE O THESE SUPPLIERS ARE PROVIDED AS IS WITH ALL AULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE O MERCHANTABILITY, ITNESS OR A PARTICULAR PURPOSE AND NONINRINGEMENT OR ARISING ROM A COURSE O DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE OR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROITS OR LOSS OR DAMAGE TO DATA ARISING OUT O THE USE OR INABILITY TO USE THIS MANUAL, EVEN I CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED O THE POSSIBILITY O SUCH DAMAGES. CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, Cisco Unity, ollow Me Browsing, ormshare, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iquick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, ast Step, GigaStack, Internet Quotient, IOS, IP/TV, iq Expertise, the iq logo, iq Net Readiness Scorecard, LightStream, MGX, MICA, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, ScriptShare, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, The astest Way to Increase Your Internet Quotient, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0304R) Copyright 2004 Cisco Systems, Inc. All rights reserved.

3 CONTENTS 1 Overview 1 2 Problem Description-MAC looding 2 Solutions 3 Problem Description-ARP Spoofing 5 Solutions 6 Problem Description-PVLAN Vulnerabilities 9 Solution 10 Problem Description-VLAN Hopping 11 Solutions 12 Problem Description - Spanning Tree Vulnerabilities 13 Solutions 14 I NDEX iii

4 Contents iv

5 Data center security generally has two stages: securing the physical perimeter and securing the network perimeter. Physical security keeps out any unauthorized individuals, while firewalls, intrusion detection devices, and security features deployed at the data center edge deny outside users access to secured infrastructure and applications. If an attacker is able to bypass these security permimeters through physical means or through compromising a network device or server, the edge security perimeter may not protect the applications and information housed within the server farm. Layer 2 attacks are often a topic of discussion for the campus environment, but should also not be forgotten when discussing data center security. Designing and implementing a security policy to guard against localized Layer 2 intrusion and attacks is an extremely important aspect of data center security design. Many of the features which guard against these attacks also help to ensure that a misconfiguration or a non-malicious event does not result in unnecessary downtime for the data center. This document discusses some common Layer 2 attacks and the features available within Cisco IOS to mitigate these attacks. Overview To increase scalability, mobility, and interoperability of the access layer and service modules, Layer 2 protocols and features are often incorporated into the data center environment. A collapsed, single layer data center architecture consists of two layers: aggregation and access (front-end). igure 1 shows these data center layers. 1

6 igure 1 Data Center Design with Layer 2 and Layer 3 Aspects Campus core or Internet edge Layer 3 Aggregation layer Layer 2 Access layer (ront-end) Direct attachment or compromised device Attacker In the server farm, many servers often reside in the same subnet (segment). If one server is compromised, the possibility of others being compromised increases. Alternatively, if the server is secure and uncompromised and the attacker is able to gain control of the switch, data traffic to and from the server(s) can be captured regardless of the security of the server OS and applications. Problem Description-MAC looding MAC flooding is the attempt to exploit the fixed hardware limitations of the switch's content addressable memory (CAM) table. The Catalyst switch CAM table stores the source MAC address and the associated port of each device connected to the switch. The CAM table on the Catalyst 6000 can contain 128,000 entries. These 128,000 entries are organized as 8 pages that can store approximately 16,000 entries. A 17 bit hash algorithm is used to place each entry in the CAM table. If the hash results in the same value, each entry is stored on separate pages. Once these eight locations are full, the traffic is flooded out all ports on the same VLAN on which the source traffic is being received. Multiple well known tools including Macof and Dsniff, can be used to perform ethical hacking in testing security settings. Each 2

7 tool can fill up an entire CAM table causing all traffic on that particular VLAN to be flooded, resulting in the ability to sniff all traffic. Once all traffic is flooded from the switch, all traffic on the VLAN can be seen. In igure 2, the attacker's machine resides on VLAN 10. The attacker floods MAC addresses to port 3/25 on the switch. When the CAM table threshold is reached, the switch operates as a hub and simply floods traffic out all ports. This flooding also occurs on adjacent switches configured with VLAN 10, however flooding is limited to only the source VLAN and does not effect other VLANs. igure 2 Mac looding Attack in the Data Center A B C VLAN 10 VLAN 10 3/25 B D A B C 3/25 MAC E 3/25 MAC 3/25 MAC G C A B D Attacker sees traffic to servers B and D Attacker Solutions eatures that can be deployed to guard against MAC flooding are: Port security VMPS 802.1x Port Security Port security allows you to specify MAC addresses for each port or to permit a limited number of MAC addresses. When a secure port receives a packet, the source MAC address of the packet is compared to the list of secure source addresses that were manually configured or autoconfigured (learned) on the port. If a MAC address of a device attached to the port differs from the list of secure addresses, the port either shuts down permanently (default mode), shuts down for the time you have specified, or drops incoming packets from the insecure host. The port's behavior depends on how you configure it to respond to a security violator. Cisco recommends that you configure the port security feature to issue a shutdown instead of dropping packets from insecure hosts through the restrict option. The restrict option may fail under the load of an attack and the port is disabled anyway. 3

8 Port security can require a fairly significant amount of management and configuration overhead, but is an excellent way to lock down the data center switch ports. With a change management process in place, when additional server ports are needed they can be requested and configured on a case by case basis. Because mobility is not really an issue within the server farm, locking a server to a particular access port does not create many issues. This also ensures that a rogue device cannot simply be connected to a data center switch and given link status. igure 3 Port Security 3/3 Server A MAC 00-d0-b7-a0-83-e To enable port security use the following command: dmaaccess1> (enable) set port security <mod/port>? age Set port security agingtime disable Disable port security enable Enable port security maximum Set maximum number of secure MAC addresses shutdown Set port security shutdown time violation Set port security violation mode <mac_addr> MAC address Set port 3/3 to only allow the MAC address of Server A. If any other MAC address is detected on 3/3 the port is shutdown. dmaaccess1> (enable) set port security 3/3 00-d0-b7-a0-83-e5 violation shutdown Port 3/3 security violation mode shutdown. Mac address 00-d0-b7-a0-83-e5 set for port 3/3. Use the following show command to verify. dmaaccess1> (enable) show port security 3/3 * = Configured MAC Address Port Security Violation Shutdown-Time Age-Time Max-Addr Trap IfIndex /3 enabled shutdown disabled 29 Port Num-Addr Secure-Src-Addr Age-Left Last-Src-Addr Shutdown/Time-Left / d0-b7-a0-83-e5 * - 00-d0-b7-a0-83-e5 no - Port looding on Address Limit /3 Enabled 4

9 VMPS VLAN Management Policy Server (VMPS) allows you to dynamically assign VLANs to a port based on the source MAC address of a requesting client. A VMPS database file provides a mapping for VLAN to MAC address which the switch uses to determine the validity of the requesting client's MAC address. The previously configured database file is downloaded from a TTP server when VMPS is initially configured. VMPS uses VLAN Query Protocol (VQP) to communicate with clients. This protocol runs over UDP, is unauthenticated, and presented in clear text. Cisco does not recommend VMPS because of the overhead associated with configuring and maintaining a VMPS database and the security concerns associated with the communication between the client and the switch x 802.1x uses Extensible Authentication Protocol (EAP) to authenticate a device before allowing it to forward any traffic to the switch. The supplicant (client) must be approved by the authenticator (switch). The authenticator utilizes a RADIUS server to authenticate client requests. If the client does not authenticate, link status is revoked and the client is not connected. Problem Description-ARP Spoofing Gratuitous ARPs can be used to perform an ARP spoofing attack. Before discussing gratuitous ARP attacks, you must first have a sound understanding of ARP and gratuitous ARP. ARP request messages are placed in a frame broadcast to all devices on a segment. Each device on the segment receives the broadcast message and examines the IP address. Either the host that owns the IP address being requested or a router that knows the location of the that host responds to the request by sending the requester back the target MAC address via unicast. When a host joins a network segment, it uses a gratuitous ARP (broadcast message) to announce its IP address to other computers and devices residing on the network segment. If a device on the network does not already have an ARP entry for the device, it will more than likely ignore the request. However, this is not the case if the device has an ARP entry for the device issuing gratuitous ARPs. igure 4 describes the ARP spoofing attack method. When server A ARPs for its default gateway's ( 's) MAC address it places the response in its ARP table. Now, when the attacker sends a gratuitous ARP stating that it is , server A updates its ARP table and forwards traffic to the attacker because server A thinks that the attacker's computer is its default gateway. 5

10 igure 4 ARP Spoofing ARP for /24 Data center aggregation switch.1 I'm.1 Server A.5 Server B.4 Server C.3 Server D.2 Attacker The attacker is simply performing a man in the middle (MIM) attack and may go undetected because all traffic still reaches its destination. This type of attack can be performed using well known tools such as Ettercap. Solutions There are several features available that can be used as tools against ARP spoofing attacks. Port Security x Static ARP entries PVLANs ARP Inspection Port Security Port Security and 802.1x authentication was discussed in the previous section. Static ARP A static ARP configuration can be used in an extremely secure data center environment, where security is more of a concern that the operational overhead associated with maintaining static ARP mappings. To create a static ARP entry in CatOS perform the following: dmaaccess1> (enable) set arp static? <ip_addr> IP address Private VLANS PVLANs can be utilized to provide Layer 2 isolation of data center servers residing in the same VLAN or broadcast domain. This feature provides an effective means for guarding against ARP-based attacks. igure 5 provides an overview an enterprise data center configured with PVLANs. 6

11 igure 5 PVLANs in the Data Center Primary VLAN Primary VLAN Isolated Community Isolated Community There are three primary PVLAN concepts show in igure 5: Primary VLAN, isolated VLAN, community VLAN. Each isolated and community VLAN is mapped to either one or more primary VLANs. The primary VLAN provides the gateway through which the isolated and community VLANs are reached. When a server connected to a port that belongs to an isolated VLAN, the server can only talk with outside hosts through the primary VLAN and promiscuous port. The server is essentially isolated at Layer 2 from any other servers residing in the isolated VLAN. In igure 5, all servers residing in isolated VLAN 20 are not able to send or receive Layer 2 broadcast messages from any other servers residing in VLAN 20. When a server is connected to a port that belongs to a community VLAN, the server can communicate at Layer 2 with other servers residing within the same community VLAN. or the data center, community VLANs are very useful for allowing servers that need to communicate with each other through Layer 2 broadcast messages used for clustering protocols, and nth tier designs. Configuring PVLANs initially can be a bit cumbersome. The following shows the basic steps to creating a promiscuous port, a primary VLAN, and a secondary Isolated VLAN. dmaaccess1>(enable) set vlan 11 pvlan primary 'create the Primary VLAN VTP advertisements transmitting temporarily stopped,and will resume after the command finishes. Vlan 41 configuration successful dmaaccess1>(enable) show pvlan Primary Secondary Secondary-Type Ports dmaaccess1>(enable) set vlan 12 pvlan isolated 'create the isolated VLAN VTP advertisements transmitting temporarily stopped,and will resume after the command finishes. Vlan 42 configuration successful dmaaccess1>(enable) set pvlan / 'Map the primary VLAN to the secondary Successfully set the following ports to Private Vlan 11,12:3/2-3 dmaaccess1>(enable) set pvlan mapping / 'M ap the PVLAN to a port 7

12 Successfully set mapping between 11 and 12 on 1/1 The Catalyst 4000 and 6500 switches offer full support for PVLANs. Besides the normal operations mentioned above, which already provide a means for mitigating against Layer 2 attacks, PVLANs support additional features which also guard against ARP spoofing attacks. Sticky ARP can be used to mitigate default gateway attacks and ARP entries learned through PVLAN ports do not age out. The Catalyst 2950 and 3550 switches provide stripped down support for PVLANs through the PVLAN edge feature. This feature provides functionality similar to the isolated VLAN configuration by no allowing Layer 2 access between any servers residing in PVLAN edge ports. ARP Inspection ARP Inspection is a feature which allows you to use VLAN Access Control Lists (VACLs) to deny or permit ARP traffic within a VLAN. To prevent ARP spoofing, the ARP Inspection feature can tie a specific MAC and IP address together; for example, a default gateway (router) and its MAC address. Note ARP Inspection is a new feature available in CatOS 7.5 and later and requires the use of a Supervisor 2 PC 2 In the data center, ARP Inspection can be deployed at the access layer to prevent a host from falsely representing itself as another device. The following example uses the ARP Inspection feature to protect the server farm default gateway. If another MAC address attempts to use the default gateways IP address, the packets are dropped. Set the ARP-Inspection ACL to permit traffic from the default gateway's IP and MAC address. dmaaccess1> (enable) set security acl ip default-gateway permit arp-inspection host A-01 default-gateway editbuffer modified. Use 'commit' command to apply changes. Deny any other MAC addresses with an IP address of dmaaccess1> (enable) set security acl ip default-gateway deny arp-inspection host any default-gateway editbuffer modified. Use 'commit' command to apply changes. Permit any other ARP traffic. Because there is an implicit deny all at the end of the access list, there must be a permit statement for any other traffic which must be allowed. dmaaccess1> (enable) set security acl ip default-gateway permit arp-inspection any any default-gateway editbuffer modified. Use 'commit' command to apply changes. The access list must be committed to memory. dmaaccess1> (enable) commit security acl default-gateway dmaaccess1> (enable) ACL commit in progress. The access list must now be mapped to a VLAN. dmaaccess1> (enable) set security acl map default-gateway 11 Mapping in progress. igure 6 shows a data center host attempting to represent itself as the default gateway. 8

13 igure 6 Data Center Host Represented as the Default Gateway d0-b7-a0-83-e5 3/3 VLAN d0-b7-a0-83-e When traffic is received from the host attempting to represent itself as , the packets are denied. The following output shows the log messages created when these packets are denied eb 26 09:37:46 %ACL-5-ARPINSPECTPKTDENIED2:ARP Payload: Source IP and source MAC c. Port 15/1 on vlan eb 26 09:38:07 %ACL-5-ARPINSPECTPKTDENIED2:ARP Payload: Source IP and source MAC c. Port 15/1 on vlan eb 26 09:38:28 %ACL-5-ARPINSPECTPKTDENIED2:ARP Payload: Source IP and source MAC c. Port 15/1 on vlan 11 Use the following show command to monitor the forwarded and dropped packet counters. dmaaccess1> (enable) sh security acl arp-inspection statistics ARP Inspection statistics Packets forwarded = 931 Packets dropped = 67 RARP packets (forwarded) = 0 Packets for which Match-mac failed = 0 Packets for which Address Validation failed = 0 IP packets dropped = 0 Additional information on ARP Inspection can be found in the CatOS 7.5 configuration guide. Problem Description-PVLAN Vulnerabilities PVLANs work by forcing Layer 2 isolation between hosts residing on the same segment. As shown in igure 7, when the attacker forwards packets with a destination MAC and IP address of the victim, PVLANs prohibit the forwarding of the packet by enforcing the PVLAN Isolated VLAN rules. 9

14 igure 7 PVLAN Enforcement Isolated VLAN Attacker Dropped Mac:B IP"2 S:A1 D:B2 X Router Mac:C IP:3 Isolated VLAN Victim Mac:B IP"2 Promiscuous port Aggregation switch What if the attacker changed the destination MAC address to be that of the router of MSC and did not change the destination IP address? In the example shown in igure 8, the attacker sends out a packet that has a destination MAC address of the router (Mac:C) but instead of changing the IP address, keeps the same destination IP address (IP:2). igure 8 Bypassing PVLAN Restrictions Isolated VLAN Attacker Mac:B IP"2 S:A1 D:C2 PVLAN rules enforced Router forwards packet S:A1 D:C2 S:A1 D:E2 Victim Mac:B IP"2 Isolated VLAN Promiscuous port Isolated port S:A1 D:B2 Aggregation switch Mac:C IP: The PVLAN security works as expected. This is not a PVLAN issue because the rules were enforced as expected. Because the packet has a destination MAC address of the default gateway, the PVLAN does not block the packet. It is forwarded to the router as expected. The router also simply forwards the packet to the destination IP address (IP:2) as expected. Therefore, the intended PVLAN security is bypassed. Solution VACLs To prevent this type of bypass and to prevent an attacker from exploiting a server residing in a PVLAN, you can configure VACLs on the switch, as well as ACLs on the inbound MSC or router interface. The ACLs prevent any packet with a source address of a PVLAN from being forwarded to a destination 10

15 address also residing on the local subnet. With these ACLs configured, attempts to exploit the PVLAN configurations fail. When a PIX firewall serves as the server default gateway, this problem is alleviated because the PIX does not normally forward these packets as a router does. or additional information on configuring and designing networks with PVLANs, refer to Deploying Private VLANS in the Data Center. Problem Description-VLAN Hopping The use of trunk ports in the data center is fairly common. The data center access switches are typically connected to the aggregation switches through the use of trunk ports. By default, when a trunk is configured it carries all VLANs. Each access switch that supports more than one server VLAN must have a trunk connection to the data center aggregation switch, see igure 9. igure q Trunking in the Data Center Campus core 802.1q trunk ports 802.1q trunk ports Aggregation layer ront-end access layer (web servers) By default, all trunks carry VLAN 1 and all ports reside in VLAN 1. Cisco Discovery Protocol (CDP) and VLAN Trunking Protocol (VTP) control messages are also carried on VLAN 1 by default. Even if VLAN 1 is cleared from a trunk interface, the control messages are still sent over VLAN 1 even though no data traffic is forwarded on VLAN 1. In the scenario shown inigure 10, the end host is set to use an 802.1Q encapsulated trunk to connect to the data center access switch. The end host is able to gain access because the native VLAN of both the host and the access switch is set to VLAN 1. The attacker then simply double encapsulates the packet with two VLAN tags. 11

16 igure 10 Double Tagged 802.1q Attack VLAN10 Data VLAN1 VLAN10 Data Attacker 802.1q, 802.1q 802.1q, frame 802.1q, frame irst tag removed and packet forwarded rame Victim When the switch receives the double encapsulated packet from the attacker, it strips off the first VLAN tag (Native VLAN) and forwards the packet to VLAN 10. In this case, the port that the attacker was connected to did not have to carry VLAN 10 for the attacker to reach VLAN 10. It was only necessary for the attacker to connect to the switch through a trunk port to tag the packet. Solutions Native VLAN Several steps can be taken to mitigate these types of attacks. irst, clear the native VLAN from all trunk ports. The control protocols may still be carried over the native VLAN, but no data traffic will be transmitted over it. If for some reason the native VLAN cannot be cleared from the trunk port, pick an unused VLAN to use as the native VLAN and use it for nothing else. Change the Native VLAN in CatOS using the following: dmaaccess2> (enable) set vlan 300 1/1 dmaaccess2> (enable) sh trunk 1/1 * - indicates vtp domain mismatch Port Mode Encapsulation Status Native vlan /1 auto negotiate trunking 300 Change the Native VLAN in NativeIOS with the following: dmaagg1(config-if)#switchport trunk native vlan 300 dmaagg1#sh int gig 2/8 trunk Port Mode Encapsulation Status Native vlan Gi2/8 desirable negotiate not-trunking 300 DTP DTP should also be disabled for all user ports. If the port is left with DTP auto-configured (default on many switches), an attacker can connect and arbitrarily cause the port to start trunking and therefore pass all VLAN information. To disable DTP in CatOS perform the following: dmaaccess1> (enable) set trunk 3/47 off 12

17 Port(s) 3/47 trunk mode set to off. To disable DTP in NativeIOS perform the following: dmaagg1(config-if)#switchport mode access dmaagg1#sh int gig 2/8 trunk Port Mode Encapsulation Status Native vlan Gi2/8 off 802.1q not-trunking 300 Problem Description - Spanning Tree Vulnerabilities A Layer 2 domain between the data center aggregation and access switches creates a highly scalable and mobile environment for the enterprise server farm. Use the Spanning Tree Protocol (STP) to maintain a loop-free topology for the redundant data center architecture. STP uses Bridge Protocol Data Units (BPDUs) to exchange messages which include configuration and topology change and acknowledgements. An rogue switch sending BPDUs can force topology changes in the network which can result as a DOS attack. As shown in igure 11, the attacker sends BPDUs with a lower bridge priority to both data center access switches. As a result, spanning tree converges and the attacker is able to see the previously unseen traffic. igure 11 Example of Spanning Tree Attack in the Data Center Root X B BX XB = Traffic Traffic BPDU BPDU Access switch Attacker STP root

18 Solutions A first thought for mitigating STP-based attacks may be to just disable STP and utilize Layer 3 links to the access layer. Disabling STP in the data center creates more overhead for scaling services, more maintenance overhead, and less mobility. Therefore, it is not the best option for most designs. Instead of disabling STP, you can take advantage of several Cisco STP enhancement features to secure the STP topology in the data center. BPDU Guard BPDU guard and Portast work jointly to provide low convergence times to hosts residing on data center access ports. Normally, STP convergence takes around seconds. This is the time it takes for a port to transition from a blocking to forwarding state. Enabling Portast decreases the convergence time it takes for a port to go from blocking to forwarding to approximately 3 seconds. But what about the possibility of a spanning tree loop? If the switch sends the port directly into forwarding, how does it know there is no loop? This is where BPDU Guard comes in. By default when Portast is enabled, BPDU Guard is also turned on. When you use Portast, it is assumed that only hosts are connecting to the data center access ports and therefore, no BPDUs should be received on these ports. BPDU Guard shuts down the port when a BPDU is received on an interface enabled with Portast. BPDU Guard is an excellent tool for mitigating against STP attacks. If an attacker is connected to a port with BPDU Guard enabled and attempts to send BPDUs to the switch, the port simply shuts down. To enable Portast and BPDU Guard on CatOS perform the following: dmaaccess1> (enable) set spantree portfast bpdu-guard enable To enable Portast and BPDU Guard in Native IOS perform the following: dmaagg1(config-if)#spanning-tree portfast dmaagg1(config-if)#spanning-tree bpduguard enable Root Guard What if the attacker has access to or has compromised a switch and attempts to make that switch the root of the spanning tree topology? Use the STP Root Guard feature to ensure that the root switch of the spanning tree topology is locked down and that, even when a switch with a lower bridge priority is introduced, the root switch does not change and the spanning tree topology does not converge. To enable STP RootGuard in CatOS perform the following: dmaagg1(config-if)#spanning-tree guard root To enable STP RootGuard in Native IOS perform the following: dmaaccess1> (enable) set spantree guard root 2/8 Root guard must be enabled on all ports where the root bridge should not appear. igure 12 shows Root Guard enabled on a data center access switch. 14

19 igure 12 STP Root Guard eature Campus core or Internet edge Root guard shuts down port receiving lower bridge priority X Bridge priority Table 1 Summary of Layer 2 Attacks and Mitigation eatures MAC looding ARP Attacks VLAN Hopping STP Attacks Port Security X X PVLAN X Static ARP X X No VLAN1 X Disable DTP X Disable VTP X Clear Native VLAN X BPDU Guard X Root Guard X The Layer 2 security features discussed in this document provide additional security features to those already deployed through device security, firewalls, and intrusion detection devices. These features address specific problems with Layer 2 vulnerabilities within the data center. The deployment and configuration of the features discussed is this document is highly dependent on the established individual security policies within an organization. 15

20 16

21 INDEX Numerics 802.1q x 3, 5, 6 A ARP entries 5 inspection 6, 8 spoofing 5, 8 B BPDU guard 14 BPDUs 13 Bridge Protocol Data Units see BPDUs C CAM 2 CDP 11 Cisco Discovery Protocol see CDP content addressable memory 2 D dsniff 2 DTP 12 E EAP 5 ettercap 6 Extensible Authentication Protocol see EAP G gratuitous ARPs 5 I interoperability 1 L Layer 2 attacks 1 Layer 2 isolation 6 lock down 4 M MAC flooding 2 macof 2 man in the middle attacks 6 mobility 1 N native VLAN 11, 12 17

22 Index P PIX 11 Portast 14 port security 3, 6 PVLANs 6 R RADIUS 5 S scalability 1 Spanning Tree Protocol see STP static ARP entries 6 sticky ARP 8 STP 13 T TTP server 5 V VACLs 8 VLAN Management Policy Server 5 VLAN Query Protocol 5 VLAN Trunking Protocol see VTP VMPS 3, 5 VQP 5 VTP 11 18