Selected Network Security Technologies
Petr Grygárek

Agenda:
- Security in switched networks
- Control Plane Policing
Security in Switched Networks
Switch Port Security
- Static MAC addresses assigned to ports
  - Various violation actions
- Limited number of MAC addresses per port
- Broadcast/multicast storm control
  - Disable/re-enable thresholds (hysteresis)
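The port-security and storm-control features listed above, as an added Cisco IOS configuration example (not part of the lecture slides). The interface name, VLAN 10, the MAC limit, the storm-control percentages and the recovery interval are assumed values chosen for illustration:

```cisco
! Added example: hardening one access port on a Cisco IOS switch.
! Interface, VLAN, thresholds and timers below are assumed values.
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 ! Port security: at most 2 MAC addresses, learned dynamically and
 ! kept in the running config ("sticky") so they survive a reload
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 ! Violation action: "restrict" drops frames from unknown MACs and
 ! increments a counter / sends a trap; "protect" drops silently,
 ! "shutdown" puts the port into err-disabled state
 switchport port-security violation restrict
 ! Storm control with hysteresis: suppress when broadcast/multicast
 ! exceeds 20% of link bandwidth, resume once it falls below 10%
 storm-control broadcast level 20.00 10.00
 storm-control multicast level 20.00 10.00
 storm-control action trap
!
! Automatically re-enable ports err-disabled by a security violation
! after 300 seconds instead of requiring a manual shut/no shut
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

`show port-security interface GigabitEthernet0/1` shows the learned addresses and the violation count; `show storm-control` shows the current suppression state per port.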
DHCP Snooping
- Protects against non-authorized DHCP servers
  - Intentional attacks (man-in-the-middle)
  - Plug&play devices
- Trusted and untrusted ports
- Per-VLAN configuration
- Creates a DHCP binding table used for ARP inspection
DHCP Snooping: Additional Features
- DHCP request rate limiting
  - Protects against exhaustion of the DHCP pool
- DHCP option 82
  - Switch attaches its MAC address and the client port to the DHCP request
  - The DHCP Offer (normally a broadcast) can then be sent directly to the client port
Related Protection Mechanisms
- Additional protection mechanisms may utilize the binding table
- ARP inspection
  - Filtering of fake ARP replies
  - Filtering of invalid bindings in ARP requests
  - Filtering of ARP replies from a non-matching MAC address
- Source IP+MAC+port verification
- Static entries may be inserted into the binding table
  - Servers with static IP addresses etc.
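DHCP snooping, Dynamic ARP Inspection and source IP+MAC verification as they fit together on one switch, as an added Cisco IOS configuration example that is not part of the lecture. VLAN 10, the interface roles, the rate limit, the flash file name and the static server binding (MAC 0011.2233.4455, IP 10.10.10.50 on Gi0/5) are assumed values:

```cisco
! Added example: DHCP snooping, Dynamic ARP Inspection (DAI) and
! IP Source Guard on a Cisco IOS switch. All identifiers are assumed.
ip dhcp snooping
ip dhcp snooping vlan 10
! Insert option 82 (switch MAC + client port) into relayed requests
ip dhcp snooping information option
! Persist the binding table so it survives a reload (assumed path)
ip dhcp snooping database flash:dhcp-snooping.db
!
! Uplink towards the legitimate DHCP server: trusted for both
! DHCP server messages and ARP
interface GigabitEthernet0/24
 description uplink to distribution / DHCP server
 ip dhcp snooping trust
 ip arp inspection trust
!
! Client ports stay untrusted (the default): DHCP Offers/Acks from
! them are dropped, requests are rate-limited to protect the pool
interface range GigabitEthernet0/1 - 23
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 ! IP Source Guard: drop IP frames whose source IP *and* MAC do not
 ! match a binding-table entry for this port (needs port security)
 switchport port-security
 ip verify source port-security
!
! DAI: ARP requests/replies on untrusted ports are checked against
! the binding table; invalid sender IP/MAC pairs are dropped
ip arp inspection vlan 10
! Also verify that the ARP body matches the Ethernet header
! (sender MAC = source MAC, target MAC = destination MAC, sane IPs)
ip arp inspection validate src-mac dst-mac ip
!
! Static binding for a server with a fixed address, for which no
! DHCP lease exists in the snooping table
ip source binding 0011.2233.4455 vlan 10 10.10.10.50 interface GigabitEthernet0/5
```

`show ip dhcp snooping binding` lists the learned and static bindings that both DAI and IP Source Guard consult; `show ip arp inspection statistics vlan 10` shows how many ARP packets were dropped per VLAN.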
Private VLANs and Protected Ports
- Communication is disallowed between ports that are configured as protected
- Private VLANs
  - Primary VLAN and secondary VLANs
  - Secondary VLANs:
    - Community VLANs
    - Isolated VLAN
  - Promiscuous port
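Both isolation mechanisms side by side, as an added Cisco IOS example (not from the lecture). VLAN numbers 100/101/102 and the interface assignments are assumed; private VLANs require the switch to be in VTP transparent mode:

```cisco
! Added example: protected ports vs. private VLANs on Cisco IOS.
! VLAN numbers and interfaces are assumed values.
!
! --- Protected ports (single switch only): Gi0/1 and Gi0/2 cannot
!     exchange frames with each other, but both may reach Gi0/24
interface range GigabitEthernet0/1 - 2
 switchport protected
!
! --- Private VLANs: one primary VLAN with two secondary VLANs
vtp mode transparent
vlan 100
 private-vlan primary
 private-vlan association 101,102
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
!
! Isolated host: can talk only to the promiscuous port
interface GigabitEthernet0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
! Community host: can talk to other members of VLAN 102 and to the
! promiscuous port, but not to isolated hosts
interface GigabitEthernet0/4
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
! Promiscuous port (e.g. towards the default gateway): reaches all
! secondary VLANs mapped to it
interface GigabitEthernet0/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
```

`show vlan private-vlan` confirms the primary/secondary associations and which ports belong to each.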
802.1x Authentication
What is 802.1x?
- Port-based authentication
  - Securing office outlets, public hot-plug places
- Authorized and unauthorized port state
- Operates on L2
- Utilizes EAP and various authentication protocols
- Client-to-the-network or mutual authentication
- Authentication using user passwords or certificates (PKI)
802.1x Architecture: Components
- Supplicant
  - PC OS component, subordinate switch
- Authenticator
  - 802.1x-enabled switch, access point
- Authentication server
  - RADIUS protocol
802.1x Operation (1)
- Authenticator acts as a proxy between supplicant and authentication server
  - Bridges between EAPOL and RADIUS encapsulations
- Authenticator reacts on RADIUS authentication reply messages
  - Allows or disallows the client to access the network
- Single host mode
  - Single authenticated client, other traffic is dropped
- Multiple host mode
  - After any client is successfully authenticated, all the other traffic is passed
802.1x Operation (2)
Extensible Authentication Protocol (EAP)
- General framework for exchange of authentication information between supplicant and authentication server
- Various authentication algorithms may be applied
  - EAP-MD5
  - EAP-TLS
  - PEAP
  - ...
EAP Messages
- EAPoL Start (from supplicant)
- Identity Request (from authenticator)
- Identity Response (from supplicant, relayed to the authentication server)
- Success / Failure
- EAPoL Logoff (from supplicant)
Transmission of EAP Messages
- Supplicant to authenticator: EAP over LAN (EAPoL)
- Authenticator to authentication server: EAP carried in attributes of RADIUS protocol messages (UDP)
Remote Access Dial-In User Service (RADIUS) Protocol
- Authentication: UDP/1812
- Accounting: UDP/1813
  - Start, stop events
- Protocol messages
  - Access-Request
  - Access-Accept, Access-Reject
  - Access-Challenge
  - Accounting-Request, Accounting-Response
EAP and RADIUS
Optional 802.1x Configuration
- Authentication server may pass additional information to the authenticator (Attribute-Value Pairs)
  - Client-to-VLAN assignment
  - ACL
  - ...
- Fallback VLAN for clients that fail to authenticate or are not 802.1x-capable
- Number of authentication retries, minimum intervals between retries, ...
EAPoL and RADIUS Messages in Action
Authentication of Supplicant-less Clients
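The 802.1x authenticator role, its RADIUS binding, the host modes, the fallback VLANs and retry timers from the preceding slides, and MAC-based authentication for supplicant-less clients, as one added Cisco IOS configuration example that is not part of the lecture. The RADIUS server address 192.0.2.10, the shared-secret placeholder, VLANs 10/20/30, the timer values and the interface name are assumed:

```cisco
! Added example: 802.1X authenticator on a Cisco IOS access switch
! with a RADIUS authentication server. All values below are assumed.
aaa new-model
! Authenticate 802.1X sessions against RADIUS; also accept RADIUS
! AV pairs (VLAN, downloadable ACL) and send start/stop accounting
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
! Authentication UDP/1812, accounting UDP/1813 (see RADIUS slide)
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key SHARED-SECRET-PLACEHOLDER
! Enable 802.1X globally; ports are still "authorized" until they
! are put into port-control auto below
dot1x system-auth-control
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 ! Port starts in the unauthorized state; only EAPoL is accepted
 ! until the authentication server returns Access-Accept
 authentication port-control auto
 dot1x pae authenticator
 ! Single host mode: one authenticated client, other traffic dropped.
 ! "multi-host" would pass all traffic after the first success.
 authentication host-mode single-host
 ! Fallback VLANs: clients without a supplicant (no EAP response)
 ! and clients that failed authentication
 authentication event no-response action authorize vlan 20
 authentication event fail action authorize vlan 30
 ! Retry tuning: resend Identity Request every 10 s, give up after 2
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 ! Supplicant-less devices (printers, phones): after the EAP timeout
 ! the switch sends the client MAC address to RADIUS as username and
 ! password (MAC Authentication Bypass)
 mab
```

`show authentication sessions interface GigabitEthernet0/1` shows the method that succeeded (dot1x or mab), the VLAN assigned by RADIUS and the port's authorized/unauthorized state; `debug radius` shows the Access-Request / Access-Challenge / Access-Accept exchange carrying the EAP messages.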
Securing of the Control Plane
Control Plane Vulnerabilities (1)
- Routers/switches are optimized to handle high volumes of data-plane traffic
- Not intended to handle heavy control-plane traffic, whether related to unexpectedly increased protocol activity, abnormal traffic or DoS attacks
  - IP options
  - Wrong header parameters
  - TCP floods, fragmentation, TTL=0, ICMP ping, unreachables, redirects
  - Traffic logging
Control Plane Vulnerabilities (2)
- May result in unacceptable increase of CPU utilization
- Memory consumption
Control Plane Protection Mechanisms
- Rate limiting of ICMP message generation (redirects, unreachables)
- Rate limiting and selective filtering of routing protocol messages
- Rate limiting and selective filtering of STP and other L2 control protocol messages
- Control protocol authentication
- Receive ACLs
  - Relate to traffic destined to any of the router's interface addresses

2005 Petr Grygárek, Advanced Computer Networks Technologies
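The protection mechanisms listed above, combined into one added Cisco IOS example of Control Plane Policing (CoPP) that is not part of the lecture. The peer subnets 10.0.0.0/24 (routing) and 10.1.1.0/24 (management), the policer rates, the class and ACL names and the OSPF key are assumed values:

```cisco
! Added example: control-plane hardening on a Cisco IOS router.
! Subnets, rates, names and keys are assumed values.
!
! --- Rate-limit ICMP generation: at most one unreachable per 1000 ms
ip icmp rate-limit unreachable 1000
interface GigabitEthernet0/0
 no ip redirects
 no ip unreachables
 ! --- Control protocol authentication: OSPF MD5 on this link
 ip ospf message-digest-key 1 md5 OSPF-KEY-PLACEHOLDER
router ospf 1
 area 0 authentication message-digest
!
! --- Classify traffic punted to the CPU by source and protocol
ip access-list extended CP-ROUTING
 permit ospf 10.0.0.0 0.0.0.255 any
 permit tcp 10.0.0.0 0.0.0.255 any eq bgp
 permit tcp 10.0.0.0 0.0.0.255 eq bgp any
ip access-list extended CP-MGMT
 permit tcp 10.1.1.0 0.0.0.255 any eq 22
 permit udp 10.1.1.0 0.0.0.255 any eq snmp
ip access-list extended CP-ICMP
 permit icmp any any
class-map match-all CP-ROUTING
 match access-group name CP-ROUTING
class-map match-all CP-MGMT
 match access-group name CP-MGMT
class-map match-all CP-ICMP
 match access-group name CP-ICMP
!
! --- Police each class: routing from known peers is never dropped,
!     management gets a moderate rate, ICMP and everything else
!     (unknown sources, options, fragments, TTL=0 ...) a small one
policy-map COPP
 class CP-ROUTING
  police 512000 8000 conform-action transmit exceed-action transmit
 class CP-MGMT
  police 128000 4000 conform-action transmit exceed-action drop
 class CP-ICMP
  police 32000 1500 conform-action transmit exceed-action drop
 class class-default
  police 32000 1500 conform-action transmit exceed-action drop
!
! --- Attach the policy to the control-plane interface (all traffic
!     destined to any of the router's own addresses)
control-plane
 service-policy input COPP
```

`show policy-map control-plane` shows per-class conformed and exceeded counters, which is also the first place to look when legitimate routing adjacencies start flapping after CoPP is deployed. On platforms that support receive ACLs instead of CoPP, `ip receive access-list` applies a single ACL to all traffic destined to the router's interface addresses.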