Understanding Switch Security


1 Overview of Switch Security

Most attention surrounds security attacks from outside the walls of an organization. The inside of the network is left largely unconsidered in most security discussions.

2003, Cisco Systems, Inc. All rights reserved. BCMSN v

Rogue Access Points

The default state of networking equipment:
- Firewalls (placed at the organizational borders). Default: secure, and must be configured for communications.
- Routers and switches (placed internal to an organization). Default: unsecured, and must be configured for security.

Rogue network devices can be:
- Access switches
- Wireless routers
- Wireless access points
- Hubs
These devices are typically connected at access level switches.

2 Mitigating STP Manipulation

Root guard and BPDU guard are used:
- To enforce the placement of the root bridge
- To enforce the STP domain borders

Problem: a PortFast port forwards BPDUs to other switches, and the switch is now listening to BPDUs arriving on that port. STP reconvergence?

Enabling PortFast can create a security risk in a switched network. A port configured with PortFast will go into blocking state if it receives a Bridge Protocol Data Unit (BPDU). This could lead to false STP information that enters the switched network and causes unexpected STP behavior.

Solution: BPDU Guard
- PortFast and BPDU guard: a BPDU received on the port puts it into err-disable (shutdown). No BPDUs are sent by the port.
- Root guard: protects the potential root. (Not supported with Packet Tracer.)

Distribution1(config)#interface range fa 0/10-24
Distribution1(config-if-range)#spanning-tree bpduguard enable

When the BPDU guard feature is enabled on the switch, STP shuts down PortFast enabled interfaces that receive BPDUs instead of putting them into a blocking state. BPDU guard will also keep switches added outside the wiring closet by users from impacting and possibly violating Spanning Tree Protocol.

Root Guard prevents a switch (typically an access switch) from becoming the root bridge. It is configured on the switches that connect to this switch.

3 Root Guard

UplinkFast must be disabled because it cannot be used with root guard.

Distribution1(config)#interface fa 0/3
Distribution1(config-if)#spanning-tree guard root
Distribution1(config)#interface gig 0/2
Distribution1(config-if)#spanning-tree guard root

Distribution2(config)#interface fa 0/3
Distribution2(config-if)#spanning-tree guard root
Distribution2(config)#interface gig 0/1
Distribution2(config-if)#spanning-tree guard root

Access2(config)#no spanning-tree uplinkfast

(Figure) A switch sends a superior BPDU: "I want to be root bridge!" Root guard puts the port into the root-inconsistent state; no traffic is passed. Later the switch is reconfigured: "I no longer want to be root. I have been reconfigured to be a nonroot bridge." STP will now transition the port to the listening state, then the learning state, then the forwarding state.

This message appears after root guard blocks a port:
%SPANTREE-2-ROOTGUARDBLOCK: Port 0/3 tried to become non-designated in VLAN 1. Moved to root-inconsistent state

Switch Attack Categories
- MAC layer attacks (MAC flooding attack)
- VLAN attacks
- Spoofing attacks
- Attacks on switch devices
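The BPDU guard and root guard behaviour described on these two slides, as a small state model. This is an added example, not Cisco code: a PortFast port with BPDU guard goes err-disabled on any BPDU, while a root-guard port goes root-inconsistent on a superior BPDU and walks back through listening and learning once the superior BPDUs stop. Bridge IDs, port names and the log text are constructed for the model.

```python
"""State model of BPDU guard and root guard on one switch port (added example).

Bridge IDs are (priority, mac) tuples; a lower tuple is a better (superior) root.
Port states, IDs and log lines are constructed, not taken from IOS output.
"""

FORWARDING, LISTENING, LEARNING, ROOT_INCONSISTENT, ERR_DISABLED = (
    "forwarding", "listening", "learning", "root-inconsistent", "err-disabled")


class StpPort:
    def __init__(self, name, root_id, portfast=False, bpdu_guard=False, root_guard=False):
        self.name = name
        self.root_id = root_id              # bridge ID of the root this port currently knows
        self.portfast = portfast
        self.bpdu_guard = bpdu_guard
        self.root_guard = root_guard
        self.state = FORWARDING
        self.log = []

    def receive_bpdu(self, sender_root_id):
        """Handle a BPDU that advertises sender_root_id as root. Returns the new state."""
        if self.state == ERR_DISABLED:
            return self.state                # an err-disabled port ignores everything
        if self.portfast and self.bpdu_guard:
            self.state = ERR_DISABLED        # any BPDU on a PortFast port shuts it down
            self.log.append(f"{self.name}: BPDU received on PortFast port, err-disabled")
            return self.state
        if sender_root_id < self.root_id:    # superior BPDU: a better root is being advertised
            if self.root_guard:
                self.state = ROOT_INCONSISTENT
                self.log.append(f"{self.name}: superior BPDU blocked, root-inconsistent")
            else:
                self.root_id = sender_root_id    # without root guard the topology changes
                self.log.append(f"{self.name}: new root accepted {sender_root_id}")
        return self.state

    def bpdu_timeout(self):
        """Superior BPDUs have stopped (the other switch was reconfigured): leave root-inconsistent."""
        if self.state == ROOT_INCONSISTENT:
            self.state = LISTENING
        return self.state

    def tick(self):
        """One forward-delay period: listening -> learning -> forwarding."""
        self.state = {LISTENING: LEARNING, LEARNING: FORWARDING}.get(self.state, self.state)
        return self.state

    def recover(self):
        """Manual 'shutdown' then 'no shutdown' on an err-disabled port."""
        if self.state == ERR_DISABLED:
            self.state = FORWARDING
        return self.state


ROOT = (4096, "00:0c:29:00:00:01")     # constructed: the intended root bridge
ROGUE = (0, "00:0c:29:00:00:99")       # constructed: a switch advertising priority 0


def demo_root_guard():
    """Root guard on a distribution port facing an access switch."""
    p = StpPort("Fa0/3", ROOT, root_guard=True)
    states = [p.receive_bpdu(ROGUE), p.bpdu_timeout(), p.tick(), p.tick()]
    return states, p.root_id


def demo_bpdu_guard():
    """PortFast + BPDU guard on a user-facing port."""
    p = StpPort("Fa0/10", ROOT, portfast=True, bpdu_guard=True)
    return [p.receive_bpdu(ROGUE), p.receive_bpdu(ROOT), p.recover()]


def demo_unprotected():
    """Neither guard: the superior BPDU simply moves the root."""
    p = StpPort("Fa0/3", ROOT)
    p.receive_bpdu(ROGUE)
    return p.root_id


if __name__ == "__main__":
    print(demo_root_guard(), demo_bpdu_guard(), demo_unprotected())
```

The unprotected case is the one to compare against: the same superior BPDU that root guard blocks is accepted outright on a port without it, and the root moves to whatever device advertised the lowest priority.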

4 Building the MAC Address Table

(Figure: a switch learns the source MAC address of each frame on the port it arrived on. Abbreviated MAC addresses are used in the figures.)
- A frame is sent from a host; the switch learns its source MAC address and port.
- The destination MAC address is not in the table, so the switch floods the frame out all ports (unknown unicast).
- With bidirectional communications, both hosts' addresses end up in the MAC address table.

MAC Flooding Attack
- The attacker sends numerous frames with invalid source addresses.
- A common Layer 2 or switch attack, used for:
  - Collecting a broad sample of traffic
  - Denial of Service (DoS) attack
- A switch's CAM tables are limited in size (1,024 to over 16,000 entries).
- Tools such as dsniff can flood the CAM table in just over 1 minute.

5 MAC Flooding (Cont.)

- Dsniff (macof) can generate 155,000 MAC entries on a switch per minute.
- It takes about 70 seconds to fill the CAM table.
- Once the table is full, traffic without a CAM entry floods on the VLAN (unknown unicasts).

Once the CAM table is full, new valid entries will not be accepted. The switch must flood frames to that address out all ports. This has two adverse effects:
- The switch traffic forwarding is inefficient and voluminous.
- An intruding device can be connected to any switch port and capture traffic not normally seen on that port ("I see all frames!").

If the attack is launched before the beginning of the day, the CAM table would be full as the majority of devices are powered on. If the initial, malicious flood of invalid CAM table entries is a one-time event:
- Eventually, the switch will age out older, invalid CAM table entries
- New, legitimate devices will be able to create an entry in the CAM
- Traffic flooding will cease
- The intruder may never be detected (the network seems normal)

Port Security
Port security restricts port access by MAC address.

6 Configuring Port Security on a Switch

Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum value
Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}
Switch(config-if)# switchport port-security mac-address mac-address

These enable port security, set the MAC address limit, specify the allowable MAC addresses and define the violation actions.

switchport port-security maximum value
- Sets the number of allowed MAC addresses that the port can grant access to.
- Default = 1; range 1 to 1,024.
- These addresses can be configured explicitly or can be learned dynamically. Default: addresses are learned dynamically from hosts sending frames on that interface.

Switch(config-if)# switchport port-security mac-address sticky

You can configure MAC addresses to be sticky:
- Dynamically learned or manually configured
- Stored in the MAC address table
- Added to the running-config. If the running-config is copied to the startup-config, the interface does not need to dynamically relearn them when the switch restarts.

After using this command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses. You must copy running-config startup-config; if you do not save the configuration, they are lost. If sticky learning is disabled, the sticky secure MAC addresses are converted to dynamic secure addresses and are removed from the running configuration.

Note: Sticky secure addresses can be manually configured, but it is not recommended.

Switch(config-if)# switchport port-security aging time value
Learned addresses are not aged out by default but can be with this command. Value from 1 to 1024, in minutes.

7 Configuring Port Security on a Switch (Cont.)

Switch(config-if)# switchport port-security mac-address mac-address
MAC addresses can be statically configured on an interface. If the number of static addresses configured is less than the maximum number secured on the port (switchport port-security maximum value), the remaining addresses are learned dynamically.

Port Security: Secure MAC Addresses
The switch supports these types of secure MAC addresses:
- Static: configured using switchport port-security mac-address mac-address; stored in the address table; added to the running configuration.
- Dynamic: dynamically configured; stored only in the address table; removed when the switch restarts.
- Sticky: dynamically configured; stored in the address table; added to the running configuration. If the running-config is saved to the startup-config, when the switch restarts the interface does not need to dynamically reconfigure them.
Note: When you enter the sticky command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses. The interface adds all the sticky secure MAC addresses to the running configuration.

Port Security: Violation
If a station attempting to access the port is different from any of the identified secure MAC addresses, a security violation occurs.

Switch(config-if)#switchport port-security violation {protect | restrict | shutdown}
By default, if the maximum number of connections is achieved and a new MAC address attempts to access the port, the switch must take one of the following actions:
- Protect: the port is allowed to stay up; frames from the nonallowed address are dropped; there is no log of the violation.
- Restrict: the port is allowed to stay up; frames from the nonallowed address are dropped; a log message is created, and a Simple Network Management Protocol (SNMP) trap and syslog message of the violation are kept/sent.
- Shutdown (default): the port is put into the errdisable state, which effectively shuts down the port. For frames from a nonallowed address, a log entry is made and an SNMP trap sent. The interface must be reenabled manually (shutdown, then no shutdown).

8 Port Security: Steps

Port Security: Static Addresses
Switch(config)# interface fa 0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 3
Switch(config-if)# switchport port-security mac-address a
Switch(config-if)# switchport port-security mac-address b
Switch(config-if)# switchport port-security mac-address c

This restricts input to an interface by limiting and identifying the MAC addresses of the stations allowed to access the port. The port does not forward packets with source addresses outside the group of defined addresses.

Port Security: Verify
Switch# show port-security
Displays security information for all interfaces.
Switch# show port-security interface type mod/port
Displays security information for a specific interface.

Switch# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  Sec Violation  Sec Action
             (Count)        (Count)      (Count)
Fa5/                                                    Shutdown
Fa5/                                                    Restrict
Fa5/                                                    Protect
Total Addresses in System: 21
Max Addresses limit in System: 128

Switch# show port-security interface fastethernet 5/1
Port Security: Enabled
Port status: SecureUp
Violation mode: Shutdown
Maximum MAC Addresses: 11
Total MAC Addresses: 11
Configured MAC Addresses: 3
Aging time: 20 mins
Aging type: Inactivity
SecureStatic address aging: Enabled
Security Violation count:
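The CAM table behaviour from the MAC flooding slides and the port-security mitigation from the slides above, put together in one simulation. This is an added example, not Cisco code: a bounded MAC table that stops accepting entries when full, a per-port PortSecurity object implementing maximum and the protect/restrict/shutdown violation modes, and a constructed frame sequence in which an attacker on port 3 sends bogus source addresses. Port names, addresses and the log text are constructed; the table capacity of 4 is chosen only to keep the scenario short.

```python
"""Bounded CAM table plus port security (added example; not Cisco's code).

Frames are (src_mac, dst_mac, ingress_port) tuples and ports are strings.
Everything below, including the log wording, is constructed for the model.
"""


class CamTable:
    """MAC address table with a fixed capacity; entries map mac -> port."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = {}

    def learn(self, mac, port):
        """Learn or refresh a source address. Returns False when the table is full
        and the address is new ('new valid entries will not be accepted')."""
        if mac in self.entries:
            self.entries[mac] = port
            return True
        if len(self.entries) >= self.capacity:
            return False
        self.entries[mac] = port
        return True

    def lookup(self, mac):
        return self.entries.get(mac)


class PortSecurity:
    """Per-port 'switchport port-security' state: maximum addresses and violation mode."""

    def __init__(self, maximum=1, violation="shutdown", static=()):
        assert violation in ("protect", "restrict", "shutdown")
        self.maximum = maximum
        self.violation = violation
        self.secure = set(static)        # static plus dynamically learned secure addresses
        self.err_disabled = False
        self.violation_count = 0

    def admit(self, mac):
        """Decide whether a frame from `mac` may enter. Returns (allowed, reason)."""
        if self.err_disabled:
            return False, "port err-disabled"
        if mac in self.secure:
            return True, None
        if len(self.secure) < self.maximum:
            self.secure.add(mac)         # learned as a secure address
            return True, None
        self.violation_count += 1
        if self.violation == "protect":  # dropped, nothing logged
            return False, "protect: frame discarded without logging"
        reason = f"port-security violation #{self.violation_count} by {mac}"  # restrict: logged, port stays up
        if self.violation == "shutdown":
            self.err_disabled = True     # errdisable; needs manual shutdown / no shutdown
            reason += " (port err-disabled)"
        return False, reason


def run_switch(frames, cam_capacity, port_security=None):
    """Feed frames through one switch. Returns (outcomes, cam); outcomes holds one
    string per frame: 'forwarded to <port>', 'flooded' or 'dropped: <reason>'."""
    cam = CamTable(cam_capacity)
    guards = port_security or {}
    outcomes = []
    for src, dst, port in frames:
        guard = guards.get(port)
        if guard is not None:
            allowed, reason = guard.admit(src)
            if not allowed:
                outcomes.append("dropped: " + reason)
                continue
        cam.learn(src, port)
        egress = cam.lookup(dst)
        outcomes.append(f"forwarded to {egress}" if egress else "flooded")
    return outcomes, cam


# Constructed scenario: hosts A (port 1), B (port 2), C (port 4); an attacker on port 3
# sends frames with bogus sources X1..X4 to a destination that never exists.
SCENARIO = [
    ("A", "B", "1"), ("B", "A", "2"),
    ("X1", "Z", "3"), ("X2", "Z", "3"), ("X3", "Z", "3"), ("X4", "Z", "3"),
    ("C", "A", "4"),   # C powers on after the flood
    ("A", "C", "1"),   # does A->C reach C as unicast, or is it flooded to port 3 as well?
]


def without_port_security():
    return run_switch(SCENARIO, cam_capacity=4)


def with_port_security():
    """maximum 1 / violation shutdown on the attacker's port, as configured on the slides."""
    return run_switch(SCENARIO, cam_capacity=4,
                      port_security={"3": PortSecurity(maximum=1, violation="shutdown")})


if __name__ == "__main__":
    for label, fn in (("no port security", without_port_security),
                      ("port security on port 3", with_port_security)):
        outcomes, cam = fn()
        print(label, outcomes, cam.entries)
```

The last frame of the scenario is the one to watch: without port security the table is full of bogus entries, C was never learned, and A's traffic to C is flooded out every port including the attacker's; with port security the second bogus address err-disables port 3, C is learned normally and A to C stays a unicast.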

9 Verifying Port Security (Cont.)

Switch#show port-security address
Displays MAC address table security information.

Switch#show port-security address
Secure Mac Address Table
Vlan  Mac Address  Type              Ports   Remaining Age (mins)
                   SecureDynamic     Fa5/1   15 (I)
                   SecureDynamic     Fa5/1   15 (I)
                   SecureConfigured  Fa5/1   16 (I)
                   SecureConfigured  Fa5/
                   SecureConfigured  Fa5/
                   SecureConfigured  Fa5/
                   SecureConfigured  Fa5/
                   SecureConfigured  Fa5/
                   SecureConfigured  Fa5/11  25 (I)
                   SecureConfigured  Fa5/11  25 (I)
Total Addresses in System: 10
Max Addresses limit in System: 128

802.1x Port-Based Authentication
Network access through the switch requires authentication.

Port Authentication
Cisco Catalyst switches can support port-based authentication, which is a combination of AAA authentication and port security. It is based on the IEEE 802.1x standard, which defines a client-server-based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports.

Until the client is authenticated, 802.1X access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the client is connected. The authentication server authenticates each client connected to a switch port before making available any services offered by the switch or the LAN. After authentication is successful, normal traffic can pass through the port.

- The client or the server can initiate the 802.1x session.
- The switch port starts off in the unauthorized state: EAPOL traffic only, no data traffic.
- If the client supports 802.1x but the switch does not, the client abandons 802.1x and communicates normally. See your OS instructions for enabling 802.1x.
- If the switch is configured for 802.1x but the client does not support it, the switch port remains in the unauthorized state and will not forward any traffic from the client.
- The authorized state ends and reverts back to the unauthorized state when the user logs out or the switch times out the user's authorized session.

10 Port Authentication: Configuring 802.1x on the Switch

Port based authentication can be handled by one or more RADIUS (Remote Authentication Dial-In User Service) servers. Note: Cisco does have other authentication methods (TACACS), but only RADIUS is supported for 802.1x.

1. Enable AAA on the switch (disabled by default).
Switch(config)# aaa new-model
2. Define the RADIUS servers.
Switch(config)# radius-server host {hostname | ip-address} [key string]
3. Define the authentication method.
Switch(config)# aaa authentication dot1x default group radius
This causes all RADIUS authentication servers that are defined on the switch (previous step) to be used for 802.1x authentication.
4. Enable 802.1x on the switch (disabled by default).
Switch(config)# dot1x system-auth-control
5. Configure each switch port that will use 802.1x.
Switch(config)# interface type mod/num
Switch(config-if)# dot1x port-control {force-authorized | force-unauthorized | auto}
- force-authorized (default): the port is forced to authorize the connected client; no authentication is necessary. This disables 802.1X and causes the port to transition to the authorized state without any authentication exchange required. The port transmits and receives normal traffic without 802.1X-based authentication of the client.
- force-unauthorized: the port is forced never to authorize any connected client. This causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate. The port cannot send normal user traffic.
- auto: the port uses an 802.1x exchange (EAPOL) to move from the unauthorized to the authorized state. Requires the client to be 802.1x capable.
6. Allow multiple hosts on a switch port.
Switch(config)# interface type mod/num
Switch(config-if)# dot1x host-mode multi-host
If a switch is connected to another switch or a hub, 802.1x allows all hosts on that port to receive the same authentication method.

Verify: show dot1x all

11 Configuring 802.1x on the Switch

Switch(config)# aaa new-model
Switch(config)# radius-server host key BigSecret
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# dot1x system-auth-control
Switch(config)# interface range fa 0/1-40
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# dot1x port-control auto

Protecting Against VLAN Attacks

VLAN Hopping Attacks
With trunking protocols there is the possibility of rogue traffic hopping from one VLAN to another, which creates security vulnerabilities. These VLAN hopping attacks are best mitigated by close control of trunk links, VLAN Access Control Lists (VACLs) and Private VLANs (PVLANs).

A VLAN hopping attack is one where an end system sends packets to, or collects packets from, a VLAN that should not be accessible to that end system. This is done by:
- Switch spoofing
- Double tagging

12 VLAN Hopping: Switch Spoofing

An attacker configures a system to spoof itself as a switch by emulating ISL or 802.1Q signaling and Dynamic Trunking Protocol (DTP) signaling ("I'm a switch"). The attacking system spoofs itself as a legitimate trunk negotiating device, the trunk link is negotiated dynamically, and the attacking device gains access to data on all VLANs carried by the negotiated trunk.

DTP negotiation result by the mode at each end (the table assumes DTP is enabled at both ends; use show dtp interface to determine the current setting):

                   Dynamic Auto   Dynamic Desirable   Trunk             Access
Dynamic Auto       Access         Trunk               Trunk             Access
Dynamic Desirable  Trunk          Trunk               Trunk             Access
Trunk              Trunk          Trunk               Trunk             Not recommended
Access             Access         Access              Not recommended   Access

VLAN Hopping: switchport mode access
Both of these commands should be used for access ports:
switchport mode access
switchport access vlan n
Without the switchport mode access command, this interface will still try to negotiate trunking.

13 VLAN Hopping: switchport mode access (Cont.)

Now configure the range of interfaces for permanent nontrunking, access mode. Notice that negotiation of trunking has been turned off and that this port will only be a non-trunking access port.

VLAN Hopping with Double Tagging
Double tagging allows a frame to be forwarded to a destination VLAN other than the source's VLAN.
- The attacker's workstation generates frames with two 802.1Q headers.
- The switch forwards the frames onto a VLAN that would be inaccessible to the attacker through legitimate means.
- The first switch strips the first tag off the frame because the first tag (VLAN 10) matches the trunk port; the frame is forwarded with the inner 802.1Q tag.
- The second switch then forwards the packet to the destination based on the VLAN identifier in the second 802.1Q header.

14 Mitigating VLAN Hopping: Access Ports

Switch(config)#interface range fa 0/11-15
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 10
Switch(config)#interface range fa 0/16-17
Switch(config-if-range)#shutdown
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 999

Access ports: configure all unused ports as access ports so that trunking cannot be negotiated across those links. Place all unused ports in the shutdown state and associate them with a VLAN designed only for unused ports, carrying no user data traffic.

Mitigating VLAN Hopping: Trunk Ports

Switch(config)#interface gig 0/1
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk native vlan 2
Switch(config-if)#switchport trunk allowed vlan 2,10,20,99

Trunk ports: configure trunking as on, rather than negotiated; the native VLAN to be different from any data VLANs (VLAN 1 is the default); and the specific VLAN range to be carried on the trunk.

Types of ACLs
Access control lists (ACLs) are useful for controlling access in a multilayer switched network. This topic describes VACLs and their purpose as part of VLAN security. Cisco Systems multilayer switches support three types of ACLs:
- Router access control lists (RACLs): supported in the TCAM hardware on Cisco multilayer switches. In Catalyst switches, a RACL can be applied to any routed interface, such as a switch virtual interface (SVI) or Layer 3 routed port.
- Port access control lists (PACLs): filter traffic at the port level. PACLs can be applied on a Layer 2 switch port, trunk port, or EtherChannel port, and allow Layer 3 filtering on Layer 2 ports.
- VACLs: VACLs, also known as VLAN access-maps, apply to all traffic in a VLAN. VACLs support filtering based on Ethertype and MAC addresses. VACLs are order-sensitive, similar to Cisco IOS based route maps. VACLs are capable of controlling traffic flowing within the VLAN or controlling switched traffic, whereas RACLs control only routed traffic.
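The double-tagging mechanism from the previous slide and the trunk-port mitigation above, as a model a defender can use to check a configuration. This is an added example, not Cisco code: it parses the 802.1Q tag stack of a frame, follows a frame from an access port across a trunk to a second switch (the native VLAN leaves the trunk untagged, so any tag still inside the frame becomes the outer tag on the far side), and audits a constructed port inventory against the slide's checklist (no negotiated trunking, native VLAN not equal to a data VLAN or VLAN 1, an allowed-VLAN list, unused ports shut down). The assumption that an access port accepts a frame already tagged with its own VLAN, the sample frame bytes and the port inventory schema are all constructed for the model.

```python
"""802.1Q tag handling across a trunk and a trunk-configuration audit (added example).

Not Cisco code: a simplified model of the behaviour the slides describe.
The sample frame, port names and inventory schema are constructed.
"""
import struct

DOT1Q_TPID = 0x8100


def parse_tags(frame):
    """VLAN IDs of the 802.1Q tags that follow the Ethernet addresses, outer tag first."""
    tags, off = [], 12
    while len(frame) >= off + 4 and struct.unpack_from("!H", frame, off)[0] == DOT1Q_TPID:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append(tci & 0x0FFF)
        off += 4
    return tags


def access_ingress(frame, access_vlan):
    """Access port: untagged frames join access_vlan; a frame already tagged with
    access_vlan is accepted and that tag removed (assumed for the model); any
    other outer tag is dropped. Returns (vlan or None, tags still inside the frame)."""
    tags = parse_tags(frame)
    if not tags:
        return access_vlan, []
    if tags[0] == access_vlan:
        return access_vlan, tags[1:]
    return None, []


def trunk_egress(vlan, inner_tags, native_vlan):
    """Tags on the wire when the frame leaves a trunk: the native VLAN is sent
    untagged, so a tag still inside the frame becomes the outer tag."""
    return list(inner_tags) if vlan == native_vlan else [vlan] + list(inner_tags)


def trunk_ingress(wire_tags, native_vlan, allowed):
    """Receiving trunk: untagged -> native VLAN, otherwise the outer tag; VLANs not
    on the allowed list are dropped (None)."""
    vlan = wire_tags[0] if wire_tags else native_vlan
    return vlan if vlan in allowed else None


def hop_path(frame, access_vlan, native_vlan, allowed):
    """Access port on switch 1 -> trunk -> switch 2. Returns the VLAN the frame is
    placed in on switch 2, or None if it is dropped on the way."""
    vlan, rest = access_ingress(frame, access_vlan)
    if vlan is None:
        return None
    return trunk_ingress(trunk_egress(vlan, rest, native_vlan), native_vlan, allowed)


# Constructed frame: broadcast dst, locally administered src, outer tag VLAN 10,
# inner tag VLAN 20, IPv4 ethertype, 20 bytes of dummy payload.
DOUBLE_TAGGED = bytes.fromhex("ffffffffffff" "020000000001" "8100000a" "81000014" "0800") + bytes(20)
ALLOWED = {2, 10, 20, 99}    # the allowed list from the slide's trunk configuration


def audit_ports(ports):
    """Flag deviations from the slide's mitigations. `ports` maps a port name to a dict
    with keys mode ('access' | 'trunk' | 'dynamic auto' | 'dynamic desirable'),
    access_vlan, native_vlan, allowed, shutdown and unused (constructed schema)."""
    findings = []
    data_vlans = {p["access_vlan"] for p in ports.values() if p.get("mode") == "access"}
    for name, p in ports.items():
        mode = p.get("mode", "dynamic auto")      # unset mode = DTP negotiation
        if mode.startswith("dynamic"):
            findings.append(f"{name}: trunking negotiated ({mode}); set switchport mode access or trunk")
        if mode == "trunk":
            native = p.get("native_vlan", 1)
            if native == 1:
                findings.append(f"{name}: native VLAN is the default VLAN 1")
            if native in data_vlans:
                findings.append(f"{name}: native VLAN {native} is also a data VLAN")
            if not p.get("allowed"):
                findings.append(f"{name}: no switchport trunk allowed vlan list")
        if p.get("unused") and not p.get("shutdown"):
            findings.append(f"{name}: unused port is not shut down")
    return findings


if __name__ == "__main__":
    print("native VLAN 10:", hop_path(DOUBLE_TAGGED, 10, 10, ALLOWED))   # ends up in VLAN 20
    print("native VLAN 2: ", hop_path(DOUBLE_TAGGED, 10, 2, ALLOWED))    # stays in VLAN 10
    print(audit_ports({"Gi0/1": {"mode": "trunk", "native_vlan": 1}}))
```

With the native VLAN equal to the access VLAN (10) the inner tag reaches the second switch as the outer tag and the frame lands in VLAN 20; with native VLAN 2, as on the slide, the frame leaves the trunk tagged 10 and the inner tag is just payload.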

15 VACLs

VACLs (a.k.a. VLAN access maps) apply to all traffic on the VLAN: IP traffic and MAC-layer traffic. VACLs follow route-map conventions, in which map sequences are checked in order.

1. Define a VLAN access map.
Switch(config)# vlan access-map map_name [seq#]
If you don't specify a sequence number, the first route map condition will be automatically numbered as
2. Configure a match clause.
Switch(config-access-map)# match {ip address {acl_name} | ipx address {acl_name} | mac address acl_name}
3. Configure an action clause.
Switch(config-access-map)# action {drop [log]} | {forward [capture]} | {redirect {{fastethernet | gigabitethernet | tengigabitethernet} slot/port} | {port-channel channel_id}}
4. Apply the map to VLANs.
Switch(config)# vlan filter map_name vlan_list list

Once you have entered the vlan access-map command, you can enter match and action commands in the route-map configuration mode. Each access-map command has a list of match and action commands associated with it. The match commands specify the match criteria: the conditions that should be tested to determine whether or not to take action. The action commands specify the actions to perform if the match criteria are met.

VLAN Map Configuration Guidelines
- If there is no VLAN ACL configured to deny traffic on a routed VLAN interface (input or output), and no VLAN map configured, all traffic is permitted.
- Each VLAN map consists of a series of entries. The order of entries in a VLAN map is important. A frame that comes into the switch is tested against the first entry in the VLAN map. If it matches, the action specified for that part of the VLAN map is taken. If there is no match, the packet is tested against the next entry in the map.
- If the VLAN map has at least one match clause for the type of packet (IP or MAC) and the packet does not match any of these match clauses, the default is to drop the packet. If there is no match clause for that type of packet in the VLAN map, the default is to forward the packet.

16 VACL Examples

Examples 1 and 2
- Drop all traffic from network /24 on VLAN 10 and 20
- Drop all traffic to the Backup Server
- Drop packets with source IP /16 in VLANs
- (Default) Drop all other IP packets: the VLAN map has at least one match clause, IP address
- (Default) Forward all non-IP packets: forward all other frames, no match clauses

Example 3 (FYI)
- Forward all TCP packets
- Drop all IGMP packets
- Forward all UDP packets
- (Default) Drop all other IP packets: the VLAN map has at least one match clause, tcp-match
- (Default) Forward all non-IP packets: forward all other frames, no match clauses

Protecting Against Spoof Attacks
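An evaluator for VLAN access maps that applies the guidelines from the previous slide (entries tested in sequence order, an entry without a match clause matches everything, default drop only when the map has a match clause for the packet's type, otherwise default forward), with Example 3 reproduced as it appears above. This is an added example, not Cisco code: packets are dicts, ACLs are ordered permit/deny entries with an implicit deny, and the Example 1 map uses assumed addresses (10.1.1.0/24 and a backup server at 10.1.100.5) because the slide's own values are not on the page.

```python
"""VLAN access map (VACL) evaluator with route-map semantics (added example; not Cisco code).

Packets are dicts with keys type ('ip' or 'mac'), src, dst and proto; all constructed.
"""
import ipaddress


def src_in(prefix):
    net = ipaddress.ip_network(prefix)
    return lambda pkt: ipaddress.ip_address(pkt["src"]) in net


def dst_in(prefix):
    net = ipaddress.ip_network(prefix)
    return lambda pkt: ipaddress.ip_address(pkt["dst"]) in net


def proto_is(name):
    return lambda pkt: pkt.get("proto") == name


class Acl:
    """Ordered ('permit' | 'deny', predicate) entries; first hit wins, implicit deny at the end.
    A packet 'matches' a VACL match clause only when the ACL permits it."""

    def __init__(self, aces):
        self.aces = list(aces)

    def permits(self, pkt):
        for action, pred in self.aces:
            if pred(pkt):
                return action == "permit"
        return False


class VlanAccessMap:
    def __init__(self, name):
        self.name = name
        self.entries = []    # (seq, match_type, acl, action), kept in sequence order

    def add(self, seq, action, match_type=None, acl=None):
        """match_type None means no match clause: the entry matches every frame."""
        self.entries.append((seq, match_type, acl, action))
        self.entries.sort(key=lambda e: e[0])
        return self

    def evaluate(self, pkt):
        """Return (action, seq); seq is None when the map's default decided."""
        for seq, mtype, acl, action in self.entries:
            if mtype is None or (mtype == pkt["type"] and acl.permits(pkt)):
                return action, seq
        has_clause_for_type = any(m == pkt["type"] for _, m, _, _ in self.entries)
        return ("drop" if has_clause_for_type else "forward"), None


def vlan_filter(maps_by_vlan, vlan, pkt):
    """'vlan filter map_name vlan-list ...': VLANs with no map attached forward everything."""
    vmap = maps_by_vlan.get(vlan)
    return vmap.evaluate(pkt) if vmap else ("forward", None)


def example3():
    """The slide's Example 3: forward TCP, drop IGMP, forward UDP; defaults handle the rest."""
    return (VlanAccessMap("EX3")
            .add(10, "forward", "ip", Acl([("permit", proto_is("tcp"))]))
            .add(20, "drop", "ip", Acl([("permit", proto_is("igmp"))]))
            .add(30, "forward", "ip", Acl([("permit", proto_is("udp"))])))


def example1():
    """Example 1 shape with assumed addresses: drop a /24 source, drop traffic to the
    backup server, then a final entry with no match clause that forwards the rest."""
    return (VlanAccessMap("EX1")
            .add(10, "drop", "ip", Acl([("permit", src_in("10.1.1.0/24"))]))
            .add(20, "drop", "ip", Acl([("permit", dst_in("10.1.100.5/32"))]))
            .add(30, "forward"))


if __name__ == "__main__":
    filters = {10: example1(), 20: example1(), 30: example3()}   # vlan filter EX1 vlan-list 10,20
    print(vlan_filter(filters, 10, {"type": "ip", "src": "10.1.1.7", "dst": "10.2.0.1", "proto": "tcp"}))
    print(vlan_filter(filters, 30, {"type": "ip", "src": "10.5.0.1", "dst": "10.2.0.1", "proto": "icmp"}))
    print(vlan_filter(filters, 30, {"type": "mac", "src": "aa", "dst": "bb"}))
```

The two defaults are the part worth checking by hand: in Example 3 an ICMP packet matches no entry but the map has IP match clauses, so it is dropped, while a non-IP frame has no clause of its type and is forwarded; Example 1 never reaches the default because its last entry has no match clause.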

17 DHCP Spoof Attacks

The DHCP spoofing device replies to client DHCP requests. The intruder's DHCP reply offers an IP address/mask, a default gateway and a Domain Name System (DNS) server. Clients will then forward packets to the attacking device, which will in turn send them to the desired destination. This is referred to as a man-in-the-middle attack.

DHCP Review
- DHCP Discover (Host): "I need an IP address."

18 DHCP Review (Cont.)
- DHCP Offer (Server): "I'll offer one to you."
- DHCP Request (Host): "I'll take it."

19 DHCP Review (Cont.)
- DHCP ACK (Server): "It's all yours."

The result: DHCP Spoof Attacks
(Figure) Host: "I need an IP address/mask, default gateway, and DNS server." Rogue: "Here you go, I might be first!" Host: "Got it, thanks!" Legitimate server: "Here you go." Host: "Already got the info." Rogue: "I can now forward these on to my leader." All default gateway frames and DNS requests are sent to the rogue.

20 DHCP Snooping

DHCP snooping is a Cisco Catalyst feature that determines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted.
- Trusted ports (such as the port toward the DHCP server) can source all DHCP messages.
- Untrusted ports can source requests only.
- If a rogue device on an untrusted port attempts to send a DHCP response packet into the network, the port is shut down.
- A DHCP binding table is built for untrusted ports: client MAC address, IP address, lease time, binding type, VLAN number, and port ID are recorded.
From a DHCP snooping perspective, untrusted access ports should not send any DHCP server responses, such as DHCPOFFER, DHCPACK, or DHCPNAK.

(Figure) Host: "I need an IP address/mask, default gateway, and DNS server." Rogue: "Here you go, I might be first!" Switch: "This is an untrusted port, I will block this DHCP Offer." Legitimate server: "Here you go." Switch: "This is a trusted port, I will allow this DHCP Offer." Host: "Thanks, got it."

Configuring DHCP Snooping
By default all interfaces are untrusted.
1. Enable DHCP snooping globally.
Switch(config)# ip dhcp snooping
2. Enable DHCP snooping for specific VLANs.
Switch(config)# ip dhcp snooping vlan vlan-id [vlan-id]
By default, all switch ports in these VLANs are untrusted.
3. Configure at least one trusted port. Use the no form to revert to untrusted.
Switch(config)# interface type mod/num
Switch(config-if)# ip dhcp snooping trust
4. For untrusted ports, rate-limit DHCP traffic.
Switch(config-if)# ip dhcp snooping limit rate rate
Used to prevent starvation attacks by limiting the number of DHCP requests on an untrusted port. Should be less than 100 pps.

Example (Fa0/0 untrusted, Gig0/1 trusted toward the DHCP server):
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan
Switch(config)# interface fa 0/0
Switch(config-if)# ip dhcp snooping limit rate 20
Switch(config)# interface gig 0/1
Switch(config-if)# ip dhcp snooping trust

21 Verifying DHCP Snooping

Switch# show ip dhcp snooping
Verifies the DHCP snooping configuration.

IP Source Guard
IP source guard is configured on untrusted L2 interfaces. IP Source Guard is similar to DHCP snooping: it prevents traffic attacks caused when a host tries to use the IP address (spoofed address) of its neighbor. The switch blocks all IP traffic received on the interface, except for DHCP packets allowed by DHCP snooping. IP Source Guard makes use of the DHCP snooping database and static IP source binding entries.

If DHCP snooping is enabled, the switch learns the MAC and IP address of the hosts that use DHCP:
- The source IP address must be identical to the IP address learned by DHCP snooping.
- The source MAC address must be identical to the source MAC address learned by DHCP snooping and by the switch port (MAC address table).
- For hosts that do not use DHCP, a static IP source binding can be configured.
If the IP address does not match either of these, the switch drops the frame/packet.

(Figure) Host: "I got an IP address/mask from the DHCP server. Now I will pretend I am a different source IP address." Switch: "This is an untrusted port, with Source Guard. I checked my binding table and your source IP address does not match the one via DHCP. So this traffic is denied!"

22 Configuring IP Source Guard

1. Enable DHCP snooping globally.
Switch(config)# ip dhcp snooping
2. Enable DHCP snooping for specific VLANs.
Switch(config)# ip dhcp snooping vlan vlan-id [vlan-id]
By default, all switch ports in these VLANs are untrusted.
3. Enable IP Source Guard on one or more interfaces.
Switch(config)# interface type mod/num
Switch(config-if)# ip verify source [port-security]
The port-security option inspects the MAC address too.
4. For hosts that do not use DHCP, configure static IP source bindings.
Switch(config)# ip source binding mac-address vlan vlan-id ip-address interface type mod/num

Example (DHCP snooping with Gig0/1 trusted, IP Source Guard on Fa0/0):
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan
Switch(config)# interface gig 0/1
Switch(config-if)# ip dhcp snooping trust
Switch(config)# interface fa0/0
Switch(config-if)# ip verify source

This example shows how to enable IP source guard with static source IP and MAC filtering on VLANs 10 and

ARP Spoofing
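The DHCP snooping slides and the IP Source Guard slides above describe two features that share one binding table; the following model shows them working together. This is an added example, not Cisco code: DhcpSnooping classifies ports as trusted or untrusted, err-disables an untrusted port that sources a server message or exceeds its DHCP rate limit (handling the rate-limit case exactly like the server-message case is a simplification of the model), and records a binding (VLAN, MAC, IP, lease, port) when the server acknowledges a client seen on an untrusted port; IpSourceGuard then checks the source IP, and with the port-security option also the source MAC, of ordinary traffic against those bindings plus static ip source binding entries. All messages, addresses, port names and the log wording are constructed.

```python
"""DHCP snooping and IP Source Guard sharing one binding table (added example; not Cisco code).

Messages are passed as their names (DHCPDISCOVER, DHCPOFFER, ...); the `mac`
argument is always the client's MAC (the chaddr of the message). All constructed.
"""

SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


class DhcpSnooping:
    def __init__(self, vlans, trusted_ports, limit_rate=None):
        self.vlans = set(vlans)
        self.trusted = set(trusted_ports)
        self.limit_rate = limit_rate          # packets per second allowed on untrusted ports
        self.bindings = {}                    # (vlan, client mac) -> {"ip", "port", "lease"}
        self.err_disabled = set()
        self._pending = {}                    # (vlan, client mac) -> client port awaiting DHCPACK
        self._counter = {}                    # port -> [second, count] for the rate limit

    def inspect(self, port, vlan, msg, mac, ip=None, lease=None, ts=0.0):
        """Return 'forward' or a 'drop: ...' string for one DHCP message."""
        if vlan not in self.vlans:
            return "forward"                  # snooping not enabled on this VLAN
        if port in self.err_disabled:
            return "drop: port err-disabled"
        if port in self.trusted:              # trusted: all messages pass; ACKs create bindings
            if msg == "DHCPACK":
                client_port = self._pending.pop((vlan, mac), None)
                if client_port is not None:
                    self.bindings[(vlan, mac)] = {"ip": ip, "port": client_port, "lease": lease}
            return "forward"
        if msg in SERVER_MESSAGES:            # untrusted port sourcing a server reply
            self.err_disabled.add(port)
            return f"drop: {msg} from untrusted port {port}; port err-disabled"
        if self.limit_rate is not None:       # 'ip dhcp snooping limit rate'
            window = self._counter.setdefault(port, [int(ts), 0])
            if window[0] != int(ts):
                window[0], window[1] = int(ts), 0
            window[1] += 1
            if window[1] > self.limit_rate:
                self.err_disabled.add(port)
                return f"drop: DHCP rate limit exceeded on {port}; port err-disabled"
        if msg == "DHCPREQUEST":
            self._pending[(vlan, mac)] = port
        return "forward"


class IpSourceGuard:
    def __init__(self, snooping, ports, port_security=False, static_bindings=()):
        """ports: interfaces with 'ip verify source'; port_security=True also checks the MAC.
        static_bindings: (mac, vlan, ip, port) tuples, i.e. 'ip source binding ...' entries."""
        self.snooping = snooping
        self.ports = set(ports)
        self.port_security = port_security
        self.static = {(vlan, mac): {"ip": ip, "port": port} for mac, vlan, ip, port in static_bindings}

    def verify(self, port, vlan, src_mac, src_ip, is_dhcp=False):
        if port not in self.ports or is_dhcp:
            return "forward"                  # DHCP itself is left to DHCP snooping
        for (bvlan, bmac), b in {**self.static, **self.snooping.bindings}.items():
            if bvlan == vlan and b["port"] == port and b["ip"] == src_ip:
                if not self.port_security or bmac == src_mac:
                    return "forward"
        return f"drop: no IP source binding for {src_ip} on {port}"


def demo():
    """Constructed exchange: client on Fa0/5, rogue on Fa0/7, server behind trusted Gi0/1,
    a printer with a static binding on Fa0/9."""
    snoop = DhcpSnooping(vlans=[10], trusted_ports=["Gi0/1"], limit_rate=20)
    guard = IpSourceGuard(snoop, ports=["Fa0/5", "Fa0/7", "Fa0/9"], port_security=True,
                          static_bindings=[("00:0c:29:aa:bb:cc", 10, "10.0.0.200", "Fa0/9")])
    client = "00:0c:29:11:22:33"
    log = [
        snoop.inspect("Fa0/5", 10, "DHCPDISCOVER", client),
        snoop.inspect("Fa0/7", 10, "DHCPOFFER", client, ip="10.0.0.50"),      # rogue server answers
        snoop.inspect("Gi0/1", 10, "DHCPOFFER", client, ip="10.0.0.50"),
        snoop.inspect("Fa0/5", 10, "DHCPREQUEST", client),
        snoop.inspect("Gi0/1", 10, "DHCPACK", client, ip="10.0.0.50", lease=86400),
        guard.verify("Fa0/5", 10, client, "10.0.0.50"),                     # matches the binding
        guard.verify("Fa0/5", 10, client, "10.0.0.1"),                      # spoofed source IP
        guard.verify("Fa0/5", 10, "00:0c:29:ff:ff:ff", "10.0.0.50"),        # right IP, wrong MAC
        guard.verify("Fa0/9", 10, "00:0c:29:aa:bb:cc", "10.0.0.200"),       # static binding
    ]
    return log, snoop


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

Two things the slides state are visible in the result: the rogue's DHCPOFFER err-disables its port before anything else happens on it, and the binding that IP Source Guard later consults is keyed by the client's VLAN and MAC but carries the client's port, so the same address presented from another port is still rejected.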

23 ARP: A quick look

(Diagram: Host Stevens, Host Cerf and Router A on one Ethernet segment, with Host Stevens's ARP table of IP-address-to-MAC-address entries. The IP addresses and parts of the MAC addresses were not preserved in the slide text.)
Host Stevens: Destination MAC address??? The destination IP packet is put on hold.
Host Stevens, ARP Request (Layer 2 broadcast to all devices on the network): Who has this IP address? Please send me your MAC address.
Host Cerf: Hey, that's me!
Host Cerf, ARP Reply (Layer 2 unicast, only to the sender of the ARP Request): Here is my MAC address (00-0C-...-44-AA).
Host Stevens: I will add that to my ARP table. I will now use the MAC address to forward the frame. The destination IP packet is no longer on hold and is sent.
Router A Ethernet MAC: 03-0D-17-8A-F...

ARP Spoofing
In normal ARP operation, a host sends a broadcast to determine the MAC address of a host with a particular IP address. The device at that IP address replies with its MAC address. The originating host caches the ARP response, using it to populate the destination Layer 2 header of packets sent to that IP address.
By spoofing an ARP reply from a legitimate device with a gratuitous ARP, an attacking device appears to be the destination host sought by the senders. The ARP reply from the attacker causes the sender to store the MAC address of the attacking system in its ARP cache. All packets destined for those IP addresses will be forwarded through the attacker's system.

What is Gratuitous ARP?
ARP has no security or ownership of IP or MAC addresses.
Gratuitous ARP is used by hosts to "announce" their IP address to the local network and avoid duplicate IP addresses on the network.
Routers and other network hardware may use cache information gained from gratuitous ARPs.
Gratuitous ARP is a broadcast packet (like an ARP request).
(Diagram:) Host B (MAC C.C.C.C), sent every 5 seconds: "Hey everyone, I'm host A and my IP address is ... and my MAC address is A.A.A.A."
Host A now does an ARP Request (target IP address not preserved in the slide text). When the router replies, the entry is added to the ARP table. When the attacker replies, that entry is added to the ARP table as well.

24 Arpspoof in Action

(Two captured windows shown side by side; the IP addresses in both were not preserved in the slide text.)
Attacker shell running dsniff's arpspoof:
dsniff-2.3]# ./arpspoof
0:4:43:f2:d8:1 ff:ff:ff:ff:ff:ff : arp reply  is-at 0:4:4e:f2:d8:1
0:4:43:f2:d8:1 ff:ff:ff:ff:ff:ff : arp reply  is-at 0:4:4e:f2:d8:1
0:4:43:f2:d8:1 ff:ff:ff:ff:ff:ff : arp reply  is-at 0:4:4e:f2:d8:1
0:4:43:f2:d8:1 ff:ff:ff:ff:ff:ff : arp reply  is-at 0:4:4e:f2:d8:1
Victim Windows host:
C:\>test
C:\>arp -d
C:\>ping -n
Pinging  with 32 bytes of data:
Reply from : bytes=32 time<10ms TTL=255
C:\>arp -a
Interface:  on Interface 2
  Internet Address      Physical Address      Type
                        00-04-4e-f2-d8-01     dynamic
                                              dynamic
C:\>arp -a
Interface:  on Interface 2
  Internet Address      Physical Address      Type
                                              dynamic
                                              dynamic

Dynamic ARP Inspection (DAI)
To prevent ARP spoofing or poisoning, a switch must ensure that only valid ARP requests and responses are relayed. DAI prevents these attacks by intercepting and validating all ARP requests and responses. Each intercepted ARP reply is verified for a valid MAC-address-to-IP-address binding before it is forwarded to a PC to update the ARP cache. ARP replies coming from invalid devices are dropped.
DAI determines the validity of an ARP packet based on the valid MAC-address-to-IP-address bindings database built by DHCP snooping or static ARP entries. In addition, to handle hosts that use statically configured IP addresses, DAI can also validate ARP packets against user-configured ARP ACLs.

Dynamic ARP Inspection
DAI associates each interface with a trusted state or an untrusted state.
Trusted interfaces bypass all DAI.
Untrusted interfaces undergo DAI validation.
(Diagram: two untrusted host ports and one trusted uplink port; the attacker, MAC C.C.C.C, sends its gratuitous ARP every 5 seconds.)
Switch: I am running DHCP snooping with DAI. This ARP Reply is coming from an untrusted interface. I checked my database and it doesn't match. Drop it.
Host A now does an ARP Request. When the router replies, the entry is added to the ARP table. When the attacker replies, the switch drops the packet.

25 Configuring Dynamic ARP Inspection

1. Enable DAI on one or more VLANs.
   Switch(config)# ip arp inspection vlan vlan-range
2. Configure trusted ports.
   Switch(config)# interface type mod/num
   Switch(config-if)# ip arp inspection trust
   By default, all switch ports in these VLANs are untrusted.
3. (Optional) Validate that the ARP reply is really coming from the address listed inside the frame. At least one option must be chosen.
   Switch(config)# ip arp inspection validate {[src-mac] [dst-mac] [ip]}
   src-mac: Check the source MAC address in the Ethernet header against the sender MAC address in the ARP body. This check is performed on both ARP requests and responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.
   dst-mac: Check the destination MAC address in the Ethernet header against the target MAC address in the ARP body. This check is performed for ARP responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.
   ip: Check the ARP body for invalid and unexpected IP addresses: the sender IP address in all ARP requests, and both the sender and the target IP address in all ARP replies. Invalid addresses include the all-zeros and all-ones (broadcast) addresses and all IP multicast addresses.
4a. For hosts that do not use DHCP, configure an ARP ACL to define the static MAC-to-IP bindings that are permitted.
   Switch(config)# arp access-list acl-name
   Switch(config-acl)# permit ip host sender-ip mac host sender-mac
4b. The ARP ACL must be applied to DAI.
   Switch(config)# ip arp inspection filter acl-name vlan vlan-range [static]
   If there is no match in the ACL, the DHCP snooping bindings database is checked next. If the static keyword is used, the DHCP bindings database is not checked; in effect this is like an implicit deny statement at the end of the ARP ACL.

Dynamic ARP Inspection (example)
   Switch(config)# ip arp inspection vlan 10-50
   Switch(config)# interface gig 0/1
   Switch(config-if)# ip arp inspection trust
This example shows how to configure DAI for hosts on VLANs 10 through 50. All client ports (such as Fa0/0) are untrusted by default. Only Gig 0/1 is trusted: the port where DHCP replies would be expected.
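The checks described on this and the previous page (trusted versus untrusted ports, the three validate options, the ARP ACL with and without the static keyword, and the DHCP snooping bindings), as an added Python example that is not part of the slides or of Cisco's software. It decodes raw ARP frames rather than starting from parsed fields, so the src-mac and dst-mac comparisons between the Ethernet header and the ARP body are visible, and it consults the ARP ACL before the DHCP binding table in the order step 4b gives. Ports, VLAN 10 and every MAC and IP address are constructed.

```python
"""Dynamic ARP Inspection (DAI) decision logic, simulated in Python.

Added example, not Cisco code.  It decodes raw Ethernet/ARP frames and applies
the checks in the order described above: trusted ports bypass DAI, then the
optional 'ip arp inspection validate' checks, then the ARP ACL (with 'static'
semantics), then the DHCP snooping binding table.  All addresses, ports and
VLANs are constructed for the demonstration.
"""
import ipaddress
import struct
from collections import namedtuple
from typing import Dict, Iterable, Set, Tuple

ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
INVALID_IPS = {"0.0.0.0", "255.255.255.255"}   # rejected by 'ip', besides multicast
ArpFrame = namedtuple("ArpFrame", "eth_dst eth_src opcode sender_mac sender_ip target_mac target_ip")


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def parse_arp_frame(raw: bytes) -> ArpFrame:
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP (42 bytes)."""
    eth_dst, eth_src, etype = struct.unpack("!6s6sH", raw[:14])
    if etype != ETH_TYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", raw[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", raw[22:42])
    return ArpFrame(mac_str(eth_dst), mac_str(eth_src), opcode, mac_str(sha),
                    str(ipaddress.IPv4Address(spa)), mac_str(tha), str(ipaddress.IPv4Address(tpa)))


def build_arp_frame(eth_dst, eth_src, opcode, sha, spa, tha, tpa) -> bytes:
    """Assemble a frame; used here only to construct sample input."""
    return (struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(eth_src), ETH_TYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
            + mac_bytes(sha) + ipaddress.IPv4Address(spa).packed
            + mac_bytes(tha) + ipaddress.IPv4Address(tpa).packed)


class DaiSwitch:
    def __init__(self, validate: Iterable[str] = ()) -> None:
        self.validate: Set[str] = set(validate)               # src-mac, dst-mac, ip
        self.trusted: Set[str] = set()                        # ip arp inspection trust
        self.dhcp_bindings: Dict[Tuple[int, str], str] = {}   # (vlan, ip) -> mac
        self.arp_acl: Dict[str, str] = {}                     # permit ip host <ip> mac host <mac>
        self.acl_static = False                               # ip arp inspection filter ... static

    def inspect(self, interface: str, vlan: int, raw: bytes) -> Tuple[str, str]:
        """Return ("forward"|"drop", reason) for an ARP frame entering on interface."""
        if interface in self.trusted:
            return "forward", "trusted interface bypasses DAI"
        f = parse_arp_frame(raw)
        if "src-mac" in self.validate and f.eth_src != f.sender_mac:
            return "drop", "src-mac: Ethernet source differs from ARP sender MAC"
        if "dst-mac" in self.validate and f.opcode == ARP_REPLY and f.eth_dst != f.target_mac:
            return "drop", "dst-mac: Ethernet destination differs from ARP target MAC"
        if "ip" in self.validate:
            checked = [f.sender_ip] if f.opcode == ARP_REQUEST else [f.sender_ip, f.target_ip]
            for ip in checked:
                if ip in INVALID_IPS or ipaddress.IPv4Address(ip).is_multicast:
                    return "drop", f"ip: invalid address {ip} in ARP body"
        # The ARP ACL is consulted first; an entry matches only when IP and MAC both match.
        if self.arp_acl.get(f.sender_ip) == f.sender_mac:
            return "forward", "permitted by ARP ACL"
        if self.acl_static:
            return "drop", "no ARP ACL match and 'static' set: implicit deny"
        if self.dhcp_bindings.get((vlan, f.sender_ip)) == f.sender_mac:
            return "forward", "matches DHCP snooping binding"
        return "drop", "sender IP/MAC not in ARP ACL or DHCP snooping bindings"


def run_demo() -> Tuple[str, ...]:
    """Constructed scenario; returns the decision for each frame in order."""
    host_mac, host_ip = "00:0c:29:aa:bb:01", "10.10.10.50"        # DHCP client on Fa0/1
    gw_mac, gw_ip = "00:1a:2b:3c:4d:01", "10.10.10.1"             # router behind trusted Gi0/1
    static_mac, static_ip = "00:50:56:00:00:60", "10.10.10.60"    # non-DHCP host on Fa0/2
    rogue_mac, bcast, zero = "00:0c:29:de:ad:00", "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
    sw = DaiSwitch(validate=["src-mac", "dst-mac", "ip"])
    sw.trusted.add("Gi0/1")
    sw.dhcp_bindings[(10, host_ip)] = host_mac
    sw.arp_acl[static_ip] = static_mac
    frames = [  # (ingress port, frame); the comment gives the expected verdict
        ("Fa0/1", build_arp_frame(gw_mac, host_mac, ARP_REPLY, host_mac, host_ip, gw_mac, gw_ip)),      # forward
        ("Fa0/3", build_arp_frame(host_mac, rogue_mac, ARP_REPLY, rogue_mac, gw_ip, host_mac, host_ip)),  # drop
        ("Gi0/1", build_arp_frame(host_mac, gw_mac, ARP_REPLY, gw_mac, gw_ip, host_mac, host_ip)),        # forward
        ("Fa0/3", build_arp_frame(host_mac, rogue_mac, ARP_REPLY, gw_mac, gw_ip, host_mac, host_ip)),     # drop
        ("Fa0/2", build_arp_frame(bcast, static_mac, ARP_REQUEST, static_mac, static_ip, zero, gw_ip)),   # forward
        ("Fa0/1", build_arp_frame(bcast, host_mac, ARP_REQUEST, host_mac, "0.0.0.0", zero, gw_ip)),       # drop
    ]
    decisions = [sw.inspect(port, 10, raw)[0] for port, raw in frames]
    sw.acl_static = True          # the same ACL applied with the static keyword
    decisions.append(sw.inspect("Fa0/1", 10, frames[0][1])[0])   # drop: bindings no longer consulted
    return tuple(decisions)
```

The second and fourth frames are the case the slides illustrate: a reply on an untrusted port that claims the router's IP address is dropped because no binding pairs that address with the sender's MAC, and when the Ethernet source and the ARP sender MAC disagree the src-mac check rejects it before any binding lookup. The last decision shows the effect of the static keyword from step 4b: the DHCP client's legitimate reply is now dropped because only the ARP ACL is consulted.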

26 Securing Network Switches

Describing Vulnerabilities in CDP

Describing Vulnerabilities in the Telnet Protocol
The Telnet connection sends text unencrypted and potentially readable.

Describing the Secure Shell Protocol
SSH replaces the Telnet session with an encrypted connection.

27 Describing vty ACLs

Set up a standard IP ACL.
Use line configuration mode to filter access with the access-class command.
Set identical restrictions on every vty line.

Describing Commands to Apply ACLs
Switch(config)# access-list access-list-number {permit | deny | remark} source [mask]
   Configures a standard IP access list.
Switch(config)# line vty {vty# | vty-range}
   Enters configuration mode for a vty or a vty range.
Switch(config-line)# access-class access-list-number {in | out}
   Restricts incoming or outgoing vty connections to the addresses in the ACL.

Best Practices: Switch Security
Secure switch access:
   Set system passwords.
   Secure physical access to the console.
   Secure access via Telnet.
   Use SSH when possible.
   Configure system warning banners.
   Use Syslog if available.
Secure switch protocols:
   Trim CDP and use it only as needed.
   Secure spanning tree.
Mitigate compromises through a switch:
   Take precautions for trunk links.
   Minimize physical port access.
   Establish a standard access port configuration for both unused and used ports.
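The standard ACL and access-class step described above, as an added Python example that is not part of the slides or of Cisco's software: a parser for the access-list syntax the slide gives, a wildcard-mask matcher and an evaluator with the implicit deny, applied to constructed source addresses of incoming vty connections. ACL number 10 and all addresses are constructed.

```python
"""Standard IP ACL evaluation for vty access, simulated in Python.

Added example, not Cisco code.  It parses 'access-list' lines in the form the
slide gives (permit, deny or remark; a source with an optional wildcard mask;
'host' and 'any'), then evaluates the source address of an incoming vty
connection against them with the implicit deny that ends every IOS ACL.  The
ACL and the addresses tested are constructed.
"""
import ipaddress
from typing import List, Tuple

Entry = Tuple[str, int, int]    # (action, address, wildcard mask) as 32-bit ints


def parse_standard_acl(lines: List[str]) -> List[Entry]:
    entries: List[Entry] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3 or parts[0] != "access-list":
            raise ValueError(f"not a standard ACL line: {line!r}")
        action, src = parts[2], parts[3:]
        if action == "remark":
            continue                         # comments never match anything
        if action not in ("permit", "deny") or not src:
            raise ValueError(f"cannot parse: {line!r}")
        if src[0] == "any":
            addr, wildcard = 0, 0xFFFFFFFF
        elif src[0] == "host":
            addr, wildcard = int(ipaddress.IPv4Address(src[1])), 0
        else:
            addr = int(ipaddress.IPv4Address(src[0]))
            wildcard = int(ipaddress.IPv4Address(src[1])) if len(src) > 1 else 0
        entries.append((action, addr, wildcard))
    return entries


def entry_matches(entry: Entry, ip: int) -> bool:
    """Wildcard bits set to 1 are 'don't care'; only the 0 bits must be equal."""
    _, addr, wildcard = entry
    care = ~wildcard & 0xFFFFFFFF
    return (ip & care) == (addr & care)


def evaluate(entries: List[Entry], source_ip: str) -> str:
    """First matching entry wins; no match means the implicit deny."""
    ip = int(ipaddress.IPv4Address(source_ip))
    for entry in entries:
        if entry_matches(entry, ip):
            return entry[0]
    return "deny"


# Constructed ACL, as it would be entered before 'line vty ...' / 'access-class 10 in'.
ACL_10 = [
    "access-list 10 remark management subnet, one jump host, rest of 10.1.0.0/16 denied",
    "access-list 10 permit 10.1.1.0 0.0.0.255",
    "access-list 10 permit host 192.168.100.5",
    "access-list 10 deny 10.1.0.0 0.0.255.255",
]


def vty_access(acl_lines: List[str], source_ip: str) -> str:
    """Decision for a vty connection arriving from source_ip."""
    return evaluate(parse_standard_acl(acl_lines), source_ip)
```

The deny entry for the wider 10.1.0.0 0.0.255.255 range placed after the permit for 10.1.1.0 0.0.0.255 shows why entry order matters, and entry_matches shows why a wildcard of 0.0.0.255 on 10.1.1.5 still matches the whole /24: the low eight bits are simply not compared. An address matched by no entry, such as one from 172.16.0.0/16, is denied without any explicit deny line.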


More information

Configuring Private Hosts

Configuring Private Hosts CHAPTER 25 This chapter describes how to configure the private hosts feature in Cisco IOS Release 12.2SX. Note For complete syntax and usage information for the commands used in this chapter, see the Cisco

More information

Configuring Web-Based Authentication

Configuring Web-Based Authentication The Web-Based Authentication feature, also known as web authentication proxy, authenticates end users on host systems that do not run the IEEE 802.1x supplicant. Finding Feature Information, on page 1

More information

With 802.1X port-based authentication, the devices in the network have specific roles.

With 802.1X port-based authentication, the devices in the network have specific roles. This chapter contains the following sections: Information About 802.1X, page 1 Licensing Requirements for 802.1X, page 8 Prerequisites for 802.1X, page 8 802.1X Guidelines and Limitations, page 9 Default

More information

Cisco IOS Commands for the Catalyst 4500 Series Switches

Cisco IOS Commands for the Catalyst 4500 Series Switches CHAPTER 2 Cisco IOS Commands for the Catalyst 4500 Series Switches This chapter contains an alphabetical listing of Cisco IOS commands for the Catalyst 4500 series switches. For information about Cisco

More information

Finding Feature Information, page 2 Information About DHCP Snooping, page 2 Information About the DHCPv6 Relay Agent, page 8

Finding Feature Information, page 2 Information About DHCP Snooping, page 2 Information About the DHCPv6 Relay Agent, page 8 This chapter describes how to configure the Dynamic Host Configuration Protocol (DHCP) on a Cisco NX-OS device. This chapter includes the following sections: Finding Feature Information, page 2 Information

More information

Cisco CCNP Exam

Cisco CCNP Exam Cisco CCNP 642-813 Exam Number: 160 Passing Score: 800 Time Limit: 120 min File Version: 1301 http://www.gratisexam.com/ Cisco CCNP 642-813 Exam EnsurePass.com Vendor:Cisco Exam Code:642-813 Contact us:

More information

itexamdump 최고이자최신인 IT 인증시험덤프 일년무료업데이트서비스제공

itexamdump 최고이자최신인 IT 인증시험덤프   일년무료업데이트서비스제공 itexamdump 최고이자최신인 IT 인증시험덤프 http://www.itexamdump.com 일년무료업데이트서비스제공 Exam : 642-813 Title : Implementing Cisco IP Switched Networks Vendor : Cisco Version : DEMO Get Latest & Valid 642-813 Exam's Question

More information

Configuring VLANs. Understanding VLANs CHAPTER

Configuring VLANs. Understanding VLANs CHAPTER CHAPTER 11 This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094) on the Cisco ME 3400 Ethernet Access switch. It includes information

More information

Configuring Optional STP Features

Configuring Optional STP Features CHAPTER 29 This chapter describes how to configure optional STP features. For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Master List, at this URL: http://www.cisco.com/en/us/docs/ios/mcl/allreleasemcl/all_book.html

More information

exam. Number: Passing Score: 800 Time Limit: 120 min CISCO Interconnecting Cisco Networking Devices Part 1 (ICND)

exam. Number: Passing Score: 800 Time Limit: 120 min CISCO Interconnecting Cisco Networking Devices Part 1 (ICND) 100-105.exam Number: 100-105 Passing Score: 800 Time Limit: 120 min CISCO 100-105 Interconnecting Cisco Networking Devices Part 1 (ICND) Exam A QUESTION 1 Which route source code represents the routing

More information

CCNA Semester 2 labs. Labs for chapters 2 10

CCNA Semester 2 labs. Labs for chapters 2 10 CCNA Semester 2 labs Labs for chapters 2 10 2.2.2.5 Lab - Configuring IPv4 Static and Default Routes 2.3.2.4 Lab - Troubleshooting Static Routes 3.2.1.9 Lab - Configuring Basic RIPv2 5.2.2.9 Lab - Configuring

More information

Implementing Cisco IP Switched Networks (SWITCH)

Implementing Cisco IP Switched Networks (SWITCH) Implementing Cisco IP Switched Networks (SWITCH) COURSE OVERVIEW: Implementing Cisco Switched Networks (SWITCH) v2.0 is a five-day instructor-led training course developed to help students prepare for

More information

Configuring Interface Characteristics

Configuring Interface Characteristics CHAPTER 10 This chapter defines the types of interfaces on the switch and describes how to configure them. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. The

More information

Cisco IOS Commands for the Catalyst 4500 Series Switches

Cisco IOS Commands for the Catalyst 4500 Series Switches CHAPTER 2 Cisco IOS Commands for the Catalyst 4500 Series Switches This chapter contains an alphabetical listing of Cisco IOS commands for the Catalyst 4500 series switches. For information about Cisco

More information

Implementing Inter-VLAN Routing

Implementing Inter-VLAN Routing Internetwork Communications C:>ping 172.16.30.100 Implementing Inter-VLAN Routing Can two hosts on different subnets communicate without a router? No What would happen if a host tried to ping another host?

More information

Configuring Network Admission Control

Configuring Network Admission Control CHAPTER 59 This chapter describes how to configure Network Admission Control (NAC) in Cisco IOS Release 12.2SX. Note For complete syntax and usage information for the commands used in this chapter, see

More information

CCNA Security 1.0 Student Packet Tracer Manual

CCNA Security 1.0 Student Packet Tracer Manual 1.0 Student Packet Tracer Manual This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document for non-commercial distribution and exclusive use by instructors

More information

Configuring EtherChannels

Configuring EtherChannels This chapter describes how to configure EtherChannels and to apply and configure the Link Aggregation Control Protocol (LACP) for more efficient use of EtherChannels in Cisco NX-OS. It contains the following

More information

Configuring SPAN and RSPAN

Configuring SPAN and RSPAN 34 CHAPTER This chapter describes how to configure the Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) on the Catalyst 4500 series switches. SPAN selects network traffic for analysis by a network

More information

With 802.1X port-based authentication, the devices in the network have specific roles.

With 802.1X port-based authentication, the devices in the network have specific roles. This chapter contains the following sections: Information About 802.1X, page 1 Licensing Requirements for 802.1X, page 9 Prerequisites for 802.1X, page 9 802.1X Guidelines and Limitations, page 9 Default

More information

Configuring 802.1X. Finding Feature Information. Information About 802.1X

Configuring 802.1X. Finding Feature Information. Information About 802.1X This chapter describes how to configure IEEE 802.1X port-based authentication on Cisco NX-OS devices. This chapter includes the following sections: Finding Feature Information, on page 1 Information About

More information

CCNA Semester 3 labs. Part 1 of 1 Labs for chapters 1 8

CCNA Semester 3 labs. Part 1 of 1 Labs for chapters 1 8 CCNA Semester 3 labs Part 1 of 1 Labs for chapters 1 8 2.1.2.12 Lab - Building a Switched Network with Redundant Links 2.3.2.3 Lab - Configuring Rapid PVST+, PortFast and BPDU Guard 2.4.3.4 Lab - Configuring

More information

Configuring Wireless Multicast

Configuring Wireless Multicast Finding Feature Information, on page 1 Prerequisites for, on page 1 Restrictions for, on page 1 Information About Wireless Multicast, on page 2 How to Configure Wireless Multicast, on page 6 Monitoring

More information