Understanding Switch Security

Similar documents
Cisco Networking Academy CCNP

CCNP Switch Questions/Answers Securing Campus Infrastructure

Internetwork Expert s CCNA Security Bootcamp. Mitigating Layer 2 Attacks. Layer 2 Mitigation Overview

Configuring Dynamic ARP Inspection

Configuring Dynamic ARP Inspection

Network Security. The Art of War in The LAN Land. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, September 27th, 2018

Configuring Port-Based Traffic Control

Configuring Private VLANs

FiberstoreOS. Security Configuration Guide

Configuring Port-Based Traffic Control

FSOS Security Configuration Guide

Configuring Port-Based Traffic Control

DGS-1510 Series Gigabit Ethernet SmartPro Switch Web UI Reference Guide. Figure 9-1 Port Security Global Settings window

Authorized CCNP. Student. LabManual SWITCH.

Configuring Port-Based Traffic Control

Configuring Private VLANs

Configuring 802.1X Port-Based Authentication

Configuring DHCP Features and IP Source Guard

Configuring Port-Based Traffic Control

Chapter 2. Switch Concepts and Configuration. Part II

Configuring Port Security

Vendor: Cisco. Exam Code: Exam Name: Implementing Cisco IP Switched Networks. Version: Demo

: Building Cisco Multilayer Switched Networks

Cisco Exam Bundle

Configuring IPv6 First-Hop Security

Configuring DHCP Features and IP Source Guard

actualtests.cisco.ccnp switch by.passforu

Configuring Web-Based Authentication

Campus Networking Workshop. Layer 2 engineering Spanning Tree and VLANs

Building Cisco Multilayer Switched Networks (BCMSN)

Configuring Private VLANs

Configuring IEEE 802.1x Port-Based Authentication

22 Cisco IOS Commands for the Catalyst 4500 Series Switches interface

Configuring DHCP Features and IP Source Guard

Number: Passing Score: 800 Time Limit: 120 min File Version: 9.0. Cisco Questions & Answers

Configuring Private VLANs

Configuring Optional STP Features

UniNets CCNA Security LAB MANUAL UNiNets CCNA Cisco Certified Network Associate Security LAB MANUAL UniNets CCNA LAB MANUAL

ActualTest v by-VA

Configuring Web-Based Authentication

Configuring Optional Spanning-Tree Features

Configuring Web-Based Authentication

Configuring DHCP Snooping

Maintaining Specific VLAN Identification. Comparing ISL and 802.1Q. VLAN Trunking

Configuring 802.1X Port-Based Authentication

Implementing Inter-VLAN Routing. 2003, Cisco Systems, Inc. All rights reserved. 2-1

Access Rules. Controlling Network Access

Describing the STP. Enhancements to STP. Configuring PortFast. Describing PortFast. Configuring. Verifying

Understanding and Configuring Dynamic ARP Inspection

Lab 8-2 Securing Spanning Tree Protocol

Configuring IEEE 802.1x Port-Based Authentication

Q&As Implementing Cisco IP Switched Networks (SWITCH v2.0)

Describing the STP. 2003, Cisco Systems, Inc. All rights reserved. 2-1

Cisco Exam Bundle

VLANs. 2003, Cisco Systems, Inc. All rights reserved. 2-1

Configuring SPAN and RSPAN

Configuring Web-Based Authentication

VLANs. 2003, Cisco Systems, Inc. All rights reserved. 2-1

Download: PT-Topology-STP2.pkt

Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards

Configuring Private VLANs Using NX-OS

Configuring Network Security with ACLs

Managing and Securing Computer Networks. Guy Leduc. Chapter 7: Securing LANs. Chapter goals: security in practice: Security in the data link layer

Lab Port Level Tuning to Control STP Behavior

Cisco 4-Port and 8-Port Layer 2 Gigabit EtherSwitch Network Interface Module Configuration Guide for Cisco 4000 Series ISR

Configuring EtherChannels and Link-State Tracking

Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks

Configuring Network Admission Control

Configuring IEEE 802.1X Port-Based Authentication

VLANs. Traditional Campus Networks. Performance Issues. Broadcast Issues. Bridges terminate collision domains

Describing the STP. IEEE Documents. Download this file. Enhancements to STP. Download: PT-Topology-STP2.pkt STP

Security Commands. Consolidated Platform Command Reference, Cisco IOS XE 3.3SE (Catalyst 3850 Switches) OL

Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards

Configuring VLAN ACLs

Configuring 802.1X Port-Based Authentication

Cisco IOS Commands for the Catalyst 4500 Series Switches

Configuring EtherChannels and Layer 2 Trunk Failover

Configuring Private Hosts

Configuring Web-Based Authentication

With 802.1X port-based authentication, the devices in the network have specific roles.

Cisco IOS Commands for the Catalyst 4500 Series Switches

Finding Feature Information, page 2 Information About DHCP Snooping, page 2 Information About the DHCPv6 Relay Agent, page 8

Cisco CCNP Exam

itexamdump 최고이자최신인 IT 인증시험덤프 일년무료업데이트서비스제공

Configuring VLANs. Understanding VLANs CHAPTER

Configuring Optional STP Features

exam. Number: Passing Score: 800 Time Limit: 120 min CISCO Interconnecting Cisco Networking Devices Part 1 (ICND)

CCNA Semester 2 labs. Labs for chapters 2 10

Implementing Cisco IP Switched Networks (SWITCH)

Configuring Interface Characteristics

Cisco IOS Commands for the Catalyst 4500 Series Switches

Implementing Inter-VLAN Routing

Configuring Network Admission Control

CCNA Security 1.0 Student Packet Tracer Manual

Configuring EtherChannels

Configuring SPAN and RSPAN

With 802.1X port-based authentication, the devices in the network have specific roles.

Configuring 802.1X. Finding Feature Information. Information About 802.1X

CCNA Semester 3 labs. Part 1 of 1 Labs for chapters 1 8

Configuring Wireless Multicast

Transcription:

Overview of Switch Security Understanding Switch Security Most attention surrounds security attacks from outside the walls of an organization. Inside the network is left largely unconsidered in most security discussions. 2003, Cisco Systems, Inc. All rights reserved. 2-1 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-2 Overview of Switch Security Rogue Access Points The default state of networking equipment: Firewalls (placed at the organizational borders) Default: Secure and must be configured for communications. Routers and switches (placed internal to an organization) Default: Unsecured, and must be configured for security Rogue network devices can be: Access switches Wireless routers Wireless access points Hubs These devices are typically connected at access level switches. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-3 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-4

Rogue Access Points Mitigating STP manipulation Use: To enforce the placement of the root bridge To enforce the STP domain borders Root guard BPDU guard Problem: BPDUs BPDU Blocking and now listening to BPDUs Portfast X Forwards BPDUs to other switches. STP Reconvergence? 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-5 Enabling PortFast can create a security risk in a switched network. A port configured with PortFast will go into blocking state if it receives a Bridge Protocol Data Unit (BPDU). This could lead to false STP information that enters the switched network and causes unexpected STP behavior. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-6 Solution: BPDU Guard BPDU Portfast & BPDU Guard Err-Disable, Shutdown No BPDUs sent Root Guard Protect Potential Root Protect Potential Root Not supported with Packet Tracer Distribution1(config)#interface range fa 0/10-24 Distribution1(config-if-range)#spanning-tree bpduguard enable When the BPDU guard feature is enabled on the switch, STP shuts down PortFast enabled interfaces that receive BPDUs instead of putting them into a blocking state. BPDU guard will also keep switches added outside the wiring closet by users from impacting and possibly violating Spanning Tree Protocol. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-7 Root Guard prevents a switch from becoming the root bridge. Typically access switches Configured on switches that connect to this switch. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-8

Root Guard Root Guard UplinkFast must be disabled because it cannot be used with root guard. Next Distribution1(config)#interface fa 0/3 Distribution1(config-if-range)#spanning-tree guard root Distribution1(config)#interface gig 0/2 Distribution1(config-if-range)#spanning-tree guard root Root Guard I STP will now Inconsistent transition to listening State no sate, traffic then learning is passed. state, then forwarding sate. Superior BPDU I no longer want to be root. I have I want been to be reconfigured root to bridge! be a nonroot bridge. Distribution2(config)#interface fa 0/3 Distribution2(config-if-range)#spanning-tree guard root Distribution2(config)#interface gig 0/1 Distribution2(config-if-range)#spanning-tree guard root Access2(config)#no spanning-tree uplinkfast This message appears after root guard blocks a port: %SPANTREE-2-ROOTGUARDBLOCK: Port 0/3 tried to become non-designated in VLAN 1. Moved to root-inconsistent state 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-9 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-10 Switch Attack Categories MAC Flooding Attack MAC layer attacks VLAN attacks Spoofing attacks Attacks on switch devices 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-11 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-12

Building the MAC Address Table Building the MAC Address Table MAC Address Table Port Source MAC Add. 1 1111 3333 1111 MAC Address Table Port Source MAC Add. 1 1111 6 3333 1111 3333 switch Switch learns Source MAC Destination MAC is not in table, so floods it out all ports (unknown unicast) switch Frame is sent from 3333 1111 3333 1111 3333 Abbreviated MAC addresses Abbreviated MAC addresses 2222 4444 2222 4444 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-13 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-14 Building the MAC Address Table MAC Address Table Port Source MAC Add. 1 1111 6 3333 switch 1111 Abbreviated MAC addresses 2222 3333 4444 1111 3333 3333 1111 Bidirectional Communications 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-15 Building the MAC Address Table MAC Address Table Port Source MAC Add. 1 1111 6 3333 switch 1111 Abbreviated MAC addresses 2222 Numerous Invalid Source Addresses 3333 4444 Attacker Common Layer 2 or switch attack For: 3333 Numerous Invalid Source Addresses Collecting a broad sample of traffic Denial of Service (DoS) attack Switch s CAM tables are limited in size (1,024 to over 16,000 entries). Tools such as dsniff can flood the CAM table in just over 1 minute. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-16 16

Building the MAC Address Table Building the MAC Address Table MAC Address Table Port Source MAC Add. 1 1111 6 3333 switch 1111 Abbreviated MAC addresses 2222 Numerous Invalid TABLE IS FULL Source Addresses 3333 4444 Attacker 3333 Numerous Invalid Source Addresses Dsniff (macof) can generate 155,000 MAC entries on a switch per minute It takes about 70 seconds to fill the cam table Once table is full, traffic without a CAM entry floods on the VLAN. (unknown unicasts) 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-17 MAC Address Table Port Source MAC Add. 1 1111 6 3333 switch 1111 Abbreviated MAC addresses 2222 Numerous Invalid TABLE IS FULL Source Addresses 3333 4444 Attacker 3333 Numerous Invalid Source Addresses Once the CAM table is full, new valid entries will not be accepted. Switch must flood frames to that address out all ports. This has two adverse effects: The switch traffic forwarding is I see all inefficient and voluminous. frames! An intruding device can be connected to any switch port and capture traffic not normally seen on that port. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-18 MAC Flooding Port Security If the attack is launched before the beginning of the day, the CAM table would be full as the majority of devices are powered on. If the initial, malicious flood of invalid CAM table entries is a one-time event: Eventually, the switch will age out older, invalid CAM table entries New, legitimate devices will be able to create an entry in the CAM Traffic flooding will cease Intruder may never be detected (network seems normal). Port security restricts port access by MAC address. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-19 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-20

Configuring Port Security on a Switch Configuring Port Security on a Switch Switch(config-if)# switchport port-security [maximum value] violation {protect restrict shutdown} mac-address mac-address Enable port security. Set MAC address limit. Specify allowable MAC addresses. Define violation actions. Switch(config-if)# switchport port-security maximum value Set the number of allowed MAC address that the port can grant access. Default = 1 Range 1 to 1,024 These addresses can be configured explicitly or can be learned dynamically. Default: Addresses are learned dynamically by hosts sending frames on that interface. Switch(config-if)# switchport port-security 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-21 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-22 Configuring Port Security on a Switch Configuring Port Security on a Switch Switch(config-if)# switchport port-security mac-address sticky You can configure MAC addresses to be sticky. Dynamically learned or manually configured Stored in the MAC address table Added to the running-config If the running-config is copied to the startup-config the interface does not need to dynamically relearn them when the switch restarts. After using this command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses. You must: copy running-config startup-config If you do not save the configuration, they are lost. If sticky learning is disabled, the sticky secure MAC addresses are converted to dynamic secure addresses and are removed from the running configuration. Note: Sticky secure addresses can be manually configured, it is not recommended. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-23 Switch(config-if)# switchport port-security aging time value Learned addresses are not aged out by default but can be with this command. Value from 1 to 1024 in minutes. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-24

Configuring Port Security on a Switch Switch(config-if)# switchport port-security mac-address mac-address MAC addresses can be statically configured on an interface. If the number of static addresses configured is less than the maximum number secured on the port the remaining address are learned dynamically. Switch(config-if)# switchport port-security maximum value Port Security: Secure MAC Addresses The switch supports these types of secure MAC addresses: Static Configured using switchport port-security mac-address mac-address Stored in the address table Added to running configuration. Dynamic Sticky These are dynamically configured Stored only in the address table Removed when the switch restarts These are dynamically configured Stored in the address table Added to the running configuration. If running-config saved to startup-config, when the switch restarts, the interface does not need to dynamically reconfigure them. Note: When you enter this command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses. The interface adds all the sticky secure MAC addresses to the running configuration. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-25 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-26 Port Security: Violation Port Security: Violation Station attempting to access the port is different from any of the identified secure MAC addresses, a security violation occurs. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-27 Switch(config-if)#switchport port-security violation {protect restrict shutdown} By default, if the maximum number of connections is achieved and a new MAC address attempts to access the port, the switch must take one of the following actions: Protect: Port is allowed to stay up Frames from the nonallowed address are dropped There is no log of the violation Restrict: Port is allowed to stay up Frames from the nonallowed address are dropped A log message is created and Simple Network Management Protocol (SNMP) trap and syslog message of the violation are kept/sent. Shut down (default): Port is put into Errdisable state which effectively shuts down the port. Frames from a nonallowed address: Log entry is made, SNMP trap sent Interface must be reenabled manually. (shutdown > no shutdown) 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-28

Port Security: Steps Port Security: Static Addresses X Switch(config)# interface fa 0/1 Switch(config-if)# switchport mode access Switch(config-if)# switchport port-security Switch(config-if)# switchport port-security maximum 3 Switch(config-if)# switchport port-security mac-address 0000.0000.000a Switch(config-if)# switchport port-security mac-address 0000.0000.000b Switch(config-if)# switchport port-security mac-address 0000.0000.000c Restricts input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port. The port does not forward packets with source addresses outside the group of defined addresses. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-29 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-30 Port Security: Verify Switch# show port-security Displays security information for all interfaces Port Security: Verify Switch# show port-security interface type mod/port Displays security information for a specific interface Switch# show port-security Secure Port MaxSecureAddr CurrentAddr Sec Violation Sec Action (Count) (Count) (Count) ---------------------------------------------------------------------- Fa5/1 11 11 0 Shutdown Fa5/5 15 5 0 Restrict Fa5/11 5 4 0 Protect ---------------------------------------------------------------------- Total Addresses in System: 21 Max Addresses limit in System: 128 Switch# show port-security interface fastethernet 5/1 Port Security: Enabled Port status: SecureUp Violation mode: Shutdown Maximum MAC Addresses: 11 Total MAC Addresses: 11 Configured MAC Addresses: 3 Aging time: 20 mins Aging type: Inactivity SecureStatic address aging: Enabled Security Violation count: 0 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-31 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-32

Verifying Port Security (Cont.) 802.1x Port-Based Authentication Switch#show port-security address Displays MAC address table security information Switch#show port-security address Secure Mac Address Table ------------------------------------------------------------------- Vlan Mac Address Type Ports Remaining Age (mins) ---- ----------- ---- ----- ------------- 1 0001.0001.0001 SecureDynamic Fa5/1 15 (I) 1 0001.0001.0002 SecureDynamic Fa5/1 15 (I) 1 0001.0001.1111 SecureConfigured Fa5/1 16 (I) 1 0001.0001.1112 SecureConfigured Fa5/1-1 0001.0001.1113 SecureConfigured Fa5/1-1 0005.0005.0001 SecureConfigured Fa5/5 23 1 0005.0005.0002 SecureConfigured Fa5/5 23 1 0005.0005.0003 SecureConfigured Fa5/5 23 1 0011.0011.0001 SecureConfigured Fa5/11 25 (I) 1 0011.0011.0002 SecureConfigured Fa5/11 25 (I) ------------------------------------------------------------------- Total Addresses in System: 10 Max Addresses limit in System: 128 Network access through switch requires authentication. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-33 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-34 Port Authentication Port Authentication Cisco Catalyst switches can support port-based authentication which is a combination of: AAA authentication Port security Authenticated Normal EAPOLtraffic Based on IEEE 802.1x standard which defines a client-server-based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports. Until the client is authenticated, 802.1X access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the client is connected. The authentication server authenticates each client connected to a switch port before making available any services offered by the switch or the LAN. After authentication is successful, normal traffic can pass through the port. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-35 Client or server can initiate 802.1x session. Switch port starts off in the unauthorized state EAPOL traffic only, no data traffic. If client supports 802.1x but switch does not, the client abandons 802.1x and communicates normally. See you OS instructions for enabling 802.1x If the switch is configured for 802.1x but the client does not support it, the switch port remains in the unauthorized state and will not forward any traffic from the client. Authorized state ends and reverts back to unauthorized state when: User logs out Switch times out user s authorized session EAPOL Authenticated Normal traffic 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-36

Port Authentication Configuring 802.1x on the switch. EAPOL Authenticated Normal traffic Port based authentication can be handled by one or more RADIUS (Remote Authentication Dial-In User Service) servers. Note: Cisco does have other authentication methods (TACACS) but only RADIUS is supported for 802.1x. 1. Enable AAA on the switch (disabled by default) Switch(config)# aaa new-model 2. Define the RADIUS servers Switch(config)# radius-server host {hostname ip-address} [key string] 3. Define the authentication method Switch(config)# aaa authentication dot1x default group radius Causes all RADIUS authentication servers that are defined on the switch (previous step) to be used for 802.1x authentication. 4. Enable 802.1x on the switch (disabled by default) Switch(config)# dot1x system-auth-control 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-37 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-38 Configuring 802.1x on the switch. 5. Configure each switch port that will use 802.1x EAPOL Authenticated Normal traffic Normal traffic Switch(config)# interface type mod/num Switch(config-if)# dot1x port-control [force-authorized force unauthorized auto} force-authorized (default): Port is forced to authorize with the connected client. No authentication necessary: Disables 802.1X and causes the port to transition to the authorized state without any authentication exchange required. The port transmits and receives normal traffic without 802.1X-based authentication of the client. force-unauthorized: Port is forced to never authorize with the any connected client. Causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate. Port cannot send normal user traffic. Auto: Port uses an 802.1x exchange (EAPOL) to move from unauthorized to authorized state. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-39 Requires client to be 802.1x capable X Configuring 802.1x on the switch. 6. Allow multiple hosts on the a switch port. Switch(config)# interface type mod/num Switch(config-if)# dot1x host-mode multi-host If a switch is connected to another switch or a hub 802.1x allows for all hosts on that port to receive the same authentication method. Verify: show dot1x all 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-40

Configuring 802.1x on the switch. 172.30.10.100 Switch(config)# aaa new-model Switch(config)# radius-server host 172.30.10.100 key BigSecret Switch(config)# aaa authentication dot1x default group radius Switch(config)# dotx system-auth-control Switch(config)# interface range fa 0/1-40 Switch(config-if)# switchport access vlan 10 Switch(config-if)# switchport mode access Switch(config-if)# dot1x port-control auto Protecting Against VLAN Attacks 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-41 2003, Cisco Systems, Inc. All rights reserved. 2-42 VLAN Hopping Attacks Explaining VLAN Hopping With trunking protocols possibility of rogue traffic hopping from one VLAN to another. Creates security vulnerabilities. These VLAN Hopping attacks are best mitigated by close control of trunk links: VLAN Access Control Lists (VACLs) Private VLANs (PVLANs). VLAN hopping attack where an end system sends packets to, or collects packets from, a VLAN that should not be accessible to that end system. This is done by: Switch spoofing Double tagging 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-43 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-44

VLAN Hopping: Switch Spoofing VLAN Hopping: DTP Attacker configures a system to spoof itself as a switch by emulating: ISL or 802.1Q signaling Dynamic Trunking Protocol (DTP) signaling Attacking system spoofs itself as a legitimate trunk negotiating device. Trunk link is negotiated dynamically. Attacking device gains access to data on all VLANs carried by the negotiated trunk. I m a switch Dynamic Auto Dynamic Desirable Trunk Access Dynamic Auto Access Trunk Trunk Access Dynamic Desirable Trunk Trunk Trunk Access Trunk Trunk Trunk Trunk Not recommended Access Access Access Not recommended Access Note: Table assumes DTP is enabled at both ends. show dtp interface to determine current setting 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-45 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-46 VLAN Hopping: switchport mode access VLAN Hopping: no switchport mode access Both of these commands should be used for access ports: switchport mode access switchport access vlan n Without the switchport mode access command, this interface will still try to negotiate trunking. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-47 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-48

VLAN Hopping: switchport mode access VLAN Hopping with Double Tagging Now configure the range of interfaces for permanent nontrunking, access mode Notice that negotiation of trunking has been turned off and that this port will only be a non-trunking access port. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-49 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-50 VLAN Hopping with Double Tagging VLAN Hopping with Double Tagging Double tagging allows a frame to be forwarded to a destination VLAN other than the source s VLAN. Attacker s workstation generates frames with two 802.1Q headers Switch forwards the frames onto a VLAN that would be inaccessible to the attacker through legitimate means. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-51 First switch strips the first tag off the frame because the first tag (VLAN 10) matches the trunk port Frame is forwarded with the inner 802.1Q tag Second switch then forwards the packet to the destination based on the VLAN identifier in the second 802.1Q header. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-52

Mitigating VLAN Hopping: Access Ports Mitigating VLAN Hopping: Trunk Ports Switch(config)#interface range fa 0/11-15 Switch(config-if-range)#switchport mode access Switch(config-if-range)#switchport access vlan 10 Switch(config)#interface range fa 0/16-17 Switch(config-if-range)#shutdown Switch(config-if-range)#switchport mode access Switch(config-if-range)#switchport access vlan 999 Access Ports Configure all unused ports as access ports so that trunking cannot be negotiated across those links. Place all unused ports: In the shutdown state Associate with a VLAN designed only for unused ports, carrying no user data traffic Switch(config)#interface gig 0/1 Switch(config-if-range)#switchport mode trunk Switch(config-if-range)#switchport trunk native vlan 2 Switch(config-if-range)#switchport trunk allowed vlan 2,10,20,99 Trunk Ports Trunking as on, rather than negotiated The native VLAN to be different from any data VLANs (VLAN 1 is the default) The specific VLAN range to be carried on the trunk 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-53 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-54 Types of ACLs Types of ACLs 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-55 Access control lists (ACLs) are useful for controlling access in a multilayer switched network. This topic describes VACLs and their purpose as part of VLAN security. Cisco Systems multilayer switches support three types of ACLs Router access control lists (RACLs): Supported in the TCAM hardware on Cisco multilayer switches. In Catalyst switches, RACL can be applied to any routed interface, such as a switch virtual interface (SVI) or Layer 3 routed port. Port access control list (PACL): Filters traffic at the port level. PACLs can be applied on a Layer 2 switch port, trunk port, or EtherChannel port. Allow Layer 3 filtering on Layer 2 ports. VACLs: VACLs, also known as VLAN access-maps, apply to all traffic in a VLAN. VACLs support filtering based on Ethertype and MAC addresses. VACLs are order-sensitive, similar to Cisco IOS based route maps. VACLs are capable of controlling traffic flowing within the VLAN or controlling switched traffic, whereas RACLs control only routed traffic. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-56

VACLs VACLs 1. Define a VLAN access map. Switch(config)# vlan access-map map_name [seq#] VACLs (a.k.a. VLAN access maps) apply to all traffic on the VLAN. VACLs apply to: IP traffic MAC-Layer traffic VACLs follow route-map conventions, in which map sequences are checked in order. First, define the VLAN access map. If you don t specify a sequence number, the first route map condition will be automatically numbered as 10. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-57 2. Configure a match clause. Switch(config-access-map)# match {ip address {1-199 1300-2699 acl_name} ipx address {800-999 acl_name} mac address acl_name} 3. Configure an action clause Switch(config-access-map)# action {drop [log]} {forward [capture]} {redirect {{fastethernet gigabitethernet tengigabitethernet} slot/port} {port-channel channel_id}} Once you have entered the vlan access-map command, you can enter match and action commands in the route-map configuration mode. Each access-map command has a list of match and action commands associated with it. The match commands specify the match criteria the conditions that should be tested to determine whether or not to take action. The action commands specify the actions the actions to perform if the match criteria are met. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-58 VLAN Map Configuration Guidelines Configuring VACLs. If there is no VLAN ACL configured to deny traffic on a routed VLAN interface (input or output), and no VLAN map configured, all traffic is permitted. Each VLAN map consists of a series of entries. The order of entries in an VLAN map is important. A frame that comes into the switch is tested against the first entry in the VLAN map. If it matches, the action specified for that part of the VLAN map is taken. If there is no match, the packet is tested against the next entry in the map. If the VLAN map has at least one match clause for the type of packet (IP or MAC) and the packet does not match any of these match clauses, the default is to drop the packet. If there is no match clause for that type of packet in the VLAN map, the default is to forward the packet. 1. Define a VLAN access map. Switch(config)# vlan access-map map_name [seq#] 2. Configure a match clause. Switch(config-access-map)# match {ip address {1-199 1300-2699 acl_name} ipx address {800-999 acl_name} mac address acl_name} 3. Configure an action clause Switch(config-access-map)# action {drop [log]} {forward [capture]} {redirect {{fastethernet gigabitethernet tengigabitethernet} slot/port} {port-channel channel_id}} 4. Apply a map to VLANs Switch(config)# vlan filter map_name vlan_list list 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-59 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-60

Example 1 Example 2 Drop all traffic from network 10.1.9.0/24 on VLAN 10 and 20, Drop all traffic to Backup Server 0000.1111.4444 Drop packets with source IP 10.1.0.0/16 in VLANs 1-4094. (Default) Drop all other IP packets: VLAN map has at least one match clause, IP address (Default) Forward all non-ip packets: Forward all other frames, no match clauses 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-61 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-62 Forward all UDP packets Drop all IGMP packets FYI Example 3 Forward all TCP packets (Default) Drop all other IP packets: VLAN map has at least one match clause, tcp-match (Default) Forward all non-ip packets: Forward all other frames, no match clauses Protecting Against Spoof Attacks 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-63 2003, Cisco Systems, Inc. All rights reserved. 2-64

DHCP Spoof Attacks DHCP Review The DHCP spoofing device replies to client DHCP requests. The intruder s DHCP reply offers: IP address/mask Default gateway Domain Name System (DNS) server Clients will then forward packets to the attacking device, which will in turn send them to the desired destination. This is referred to as a man-inthe-middle attack. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-65 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-66 DHCP Discover: Host, I need an IP Address DHCP Discover: Host, I need an IP Address 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-67 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-68

DHCP Offer: Server, I ll offer one to you. DHCP Offer: Server, I ll offer one to you. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-69 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-70 DHCP Request: Host, I ll take it. DHCP Request: Host, I ll take it. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-71 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-72

DHCP ACK: Server, It s all yours. DHCP ACK: Server, It s all yours. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-73 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-74 The result DHCP Spoof Attacks Here you go, I might be first! (Rouge) I can now forward these on to my leader. (Rouge) I need an IP address/mask, default gateway, and DNS server. Got it, thanks! Here you go. (Legitimate) Already got the info. All default gateway frames and DNS requests sent to Rogue. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-75 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-76

DHCP Snooping DHCP Snooping DHCP snooping is a Cisco Catalyst feature that determines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted. Trusted ports can source all DHCP messages DHCP Server Untrusted ports can source requests only If a rogue device on an untrusted port attempts to send a DHCP response packet into the network, the port is shut down. A DHCP binding table is built for untrusted ports. Client MAC address, IP address, lease time, binding type, VLAN number, and port ID recorded. From a DHCP snooping perspective, untrusted access ports should not send any DHCP server responses, such as DHCPOFFER, DHCPACK, or DHCPNAK. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-77 Here you go, I might be first! (Rouge) Switch: This is an untrusted port, I will block this DHCP Offer Here you go. (Legitimate) Switch: This is a trusted port, I will allow this DHCP Offer I need an IP address/mask, default gateway, and DNS server. Thanks, got it. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-78 Configuring DHCP Snooping. DHCP Snooping By default all interfaces are untrusted. 1. Enable DHCP Snooping globally. Switch(config)# ip dhcp snooping 2. Enable DHCP Snooping for specific VLANs. Switch(config)# ip dhcp snooping vlan-id [vlan-id] By default, all switch ports in these VLANs are untrusted. 3. Configure at least one trusted port. Use no keyword to revert to untrusted. Switch(config)# interface type mod/num Switch(config-if)# ip dhcp snooping trust 4. For untrusted ports specify the rate-limit DHCP traffic. Switch(config-if)# ip dhcp snooping limit rate rate Switch(config)# ip dhcp snooping Switch(config)# ip dhcp snooping vlan 10 50 Switch(config)# interface fa 0/0 Switch(config-if)# ip dhcp rate limit 20 Switch(config)# interface gig 0/1 Switch(config-if)# ip dhcp snooping trust Gig0/1 Fa0/0 Used to prevent starvation attacks by limiting the number of DHCP requests on an untrusted port. Should be less than 100 pps. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-79 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-80

Verifying DHCP Snooping IP Source Guard IP source guard is configured on untrusted L2 interfaces Switch# show ip dhcp snooping Verifies the DHCP snooping configuration IP Source Guard is similar to DHCP snooping. Prevents traffic attacks caused when a host tries to use the IP address (spoofed address) of its neighbor. Switch blocks all IP traffic received on the interface, except for DHCP packets allowed by DHCP snooping. IP Source Guard makes use of: the DHCP snooping database static IP source binding entries 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-81 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-82 IP Source Guard IP source guard is configured on untrusted L2 interfaces IP Source Guard If DHCP snooping is enabled the switch learns the MAC and IP address of the hosts that use DHCP. Source IP address must be identical to the IP address learned by DHCP snooping. Source MAC address must be identical to the source MAC address learned by DHCP snooping and by the switch port (MAC address table). For hosts that do not use DHCP a static IP source binding can be configured. If the IP address does not match either of these the switch drops the frame/packet. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-83 83 I got an IP address/mask, from the DHCP Server. IP source guard is configured on untrusted L2 interfaces Now I will pretend I am a different Source IP Address. Switch: This is an untrusted port, with Source Guard. I checked my binding table and your Source IP Address does not match the one via DHCP. So this traffic is denied! 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-84

Configuring IP Source Guard. 1. Enable DHCP Snooping globally. Switch(config)# ip dhcp snooping IP Source Guard IP Source Guard Switch(config)# interface fa0/0 Switch(config-if)# ip verify source Fa0/0 2. Enable DHCP Snooping for specific VLANs. Switch(config)# ip dhcp snooping vlan-id [vlan-id] By default, all switch ports in these VLANs are untrusted. 3. Enable IP Source Guard on one or more interfaces. Switch(config)# interface type mod/num Switch(config-if)# ip verify source [port security] port security option inspects the MAC address too. 4. For hosts that do not use DHCP configure static IP source Switch(config)# bindings. ip source binding mac-address vlan vlan-id ip address interface type mod/num DHCP Snooping Switch(config)# ip dhcp snooping Switch(config)# ip dhcp snooping vlan 10 50 Switch(config)# interface gig 0/1 Switch(config-if)# ip dhcp snooping trust Gig0/1 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-85 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-86 IP Source Guard ARP Spoofing This example shows how to enable IP source guard with static source IP and MAC filtering on VLANs 10 and 11. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-87 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-88

ARP: A quick look ARP Spoofing Destination MAC Address??? 00-0C- 00-0C- 04-38- 04-17- ARP Table 44-AA 91-CC IP Address MAC Address 172.16.10.3 00-0C-04-32-14-A1 172.16.10.19 00-0C-14-02-00-19 172.16.10.33 00-0C-A6-19-46-C1 172.16.10.25 00-0C-04-38-44-AA Host Stevens ARP Request: Who 172.16.10.10 has IP Address L2 Broadcast to all 172.16.10.25? Please 255.255.255.0 send me your devices on network MAC 00-0C-04-17-91-CC MAC Address. Source I will add that to my ARP Table. I will now use the MAC Address to forward the frame. L2 Unicast only to sender of ARP Request 172.16.10.0/24 Destination IP Packet now sent to Destination IP Packet put no longer hold on hold Hey that s me! Host Cerf ARP Reply: Here is 172.16.10.25 my MAC Address 255.255.255.0 MAC 00-0C-04-38-44-AA Router A Ethernet 0 172.16.10.1 255.255.255.0 MAC 03-0D-17-8A-F1-32 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-89 In normal ARP operation, a host sends a broadcast to determine the MAC address of a host with a particular IP address. The device at that IP address replies with its MAC address. The originating host caches the ARP response, using it to populate the destination Layer 2 header of packets sent to that IP address. By spoofing an ARP reply from a legitimate device with a gratuitous ARP, an attacking device appears to be the destination host sought by the senders. The ARP reply from the attacker causes the sender to store the MAC address of the attacking system in its ARP cache. All packets destined for those IP addresses will be forwarded through the attacker system. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-90 What is Gratuitous ARP? ARP has no security or ownership of IP or MAC addresses. HOST B: Hey everyone I m host A and my IP Address is 10.1.1.2 and my MAC address is A.A.A.A Gratuitous ARP is used by hosts to "announce" their IP address to the local network and avoid duplicate IP addresses on the network. Routers and other network hardware may use cache information gained from gratuitous ARPs. Gratuitous ARP is a broadcast packet (like an ARP request) 10.1.1.1 MAC C.C.C.C Host A now does an ARP Request for 10.1.1.1. When the router replies add to ARP table. When the Attacker replies add to ARP table. Sent every 5 seconds 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-91 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-92

Arpspoof in Action Dynamic ARP Inspection (DAI) [root@sconvery-lnx dsniff-2.3]#./arpspoof 15.1.1.1 0:4:43:f2:d8:1 ff:ff:ff:ff:ff:ff 0806 42: arp reply C:\>test 15.1.1.1 is-at 0:4:4e:f2:d8:1 0:4:43:f2:d8:1 ff:ff:ff:ff:ff:ff 0806 42: arp reply C:\>arp -d 15.1.1.1 15.1.1.1 is-at 0:4:4e:f2:d8:1 0:4:43:f2:d8:1 ff:ff:ff:ff:ff:ff 0806 42: arp reply C:\>ping -n 1 15.1.1.1 15.1.1.1 is-at 0:4:4e:f2:d8:1 0:4:43:f2:d8:1 ff:ff:ff:ff:ff:ff 0806 42: arp reply Pinging 15.1.1.1 with 32 bytes of data: 15.1.1.1 is-at 0:4:4e:f2:d8:1 Reply from 15.1.1.1: bytes=32 time<10ms TTL=255 C:\>arp -a Interface: 15.1.1.26 on Interface 2 Internet Address Physical Address Type 15.1.1.1 00-04-4e-f2-d8-01 dynamic 15.1.1.25 00-10-83-34-29-72 dynamic C:\>arp -a Interface: 15.1.1.26 on Interface 2 Internet Address Physical Address Type 15.1.1.1 00-10-83-34-29-72 dynamic 15.1.1.25 00-10-83-34-29-72 dynamic 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-93 To prevent ARP spoofing or poisoning, a switch must ensure that only valid ARP requests and responses are relayed. DAI prevents these attacks by intercepting and validating all ARP requests and responses. Each intercepted ARP reply is verified for valid MAC address to IP address bindings before it is forwarded to a PC to update the ARP cache. ARP replies coming from invalid devices are dropped. DAI determines the validity of an ARP packet based on valid MAC address-to-ip-address bindings database built by DHCP snooping or static ARP entries. In addition, in order to handle hosts that use statically configured IP addresses, DAI can also validate ARP packets against user-configured 2003, ARP Cisco Systems, ACLs. Inc. All rights reserved. BCMSN v2.0 2-94 Dynamic ARP Inspection DAI associates each interface with a trusted state or an untrusted state. Trusted interfaces bypass all DAI. Untrusted interfaces undergo DAI validation. 10.1.1.1 MAC C.C.C.C I am running DHCP snooping with DAI. This ARP Reply is coming from an untrusted interface. Checked my database and it doesn t match. Drop it. Untrusted Untrusted Trusted Sent every 5 seconds Host A now does an ARP Request for 10.1.1.1. When the router replies add to ARP table. When the Attacker replies switch drops packet. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-95 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-96

Configuring Dynamic ARP Inspection. Configuring Dynamic ARP Inspection. 1. Enable DAI on one or more VLANs. Switch(config)# ip arp inspection vlan vlan-range 2. Configure trusted ports. Switch(config)# interface type mod/num Switch(config-if)# ip arp inspection trust By default, all switch ports in these VLANs are untrusted. Step 3 next slide 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-97 By default, all switch ports in these VLANs are untrusted. 3. (Optional) Validate that the ARP reply is really coming from the address listed inside the frame. Must choose at least one. Switch(config)# ip arp inspection validate {[src-mac] [dst-mac] [ip]} scr-mac: Check the source MAC address in frame against the sender MAC address in the ARP reply. This check is performed on both ARP requests and responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped. dst-mac: Check the destination MAC address in frame against the target MAC address in the ARP reply This check is performed for ARP responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped. ip: Check the sender s IP address in all ARP requests; Check the sender IP address against the target IP address in all ARP replies check the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0, 2003, Cisco 255.255.255.255, Systems, Inc. All rights reserved. and all IP multicast addresses. BCMSN v2.0 2-98 Configuring Dynamic ARP Inspection. Dynamic ARP Inspection 4a. For hosts that do not use DHCP configure ARP ACL to define static MAC-IP bindings that are permitted. Switch(config)# arp access-list acl-name Switch(config-acl)# permit ip host sender-ip mac host sender-mac Switch(config)# ip arp inspection vlan 10 50 Switch(config)# interface gig 0/1 Switch(config-if)# ip arp inspection trust Fa0/0 4b. ARP ACL must be applied to the the DAI. Switch(config)# ip arp inspection filter acl-name vlan vlanrange [static] If there is not a match with the ACL the DHCP bindings database is checked next. If the static keyword is used the DHCP bindings database will not be checked. In effect this is like an implicit deny statement at the end of the ARP ACL. This example shows how to configure DAI for hosts on VLANs 10 through 50. All client ports are untrusted by default. Only Gig 0/1 is trusted Port where DHCP replies would be expected. Gig0/1 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-99 2003, Cisco Systems, Inc. All rights reserved. 100 BCMSN v2.0 2-100

Describing Vulnerabilities in CDP Securing Network Switches 2003, Cisco Systems, Inc. All rights reserved. 2-101 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-102 Describing Vulnerabilities in the Telnet Protocol Describing the Secure Shell Protocol The Telnet connection sends text unencrypted and potentially readable. SSH replaces the Telnet session with an encrypted connection. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-103 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-104

Describing vty ACLs Describing Commands to Apply ACLs Switch(config)#access-list access-list-number {permit deny remark} source [mask] Set up standard IP ACL. Use line configuration mode to filter access with the access-class command. Set identical restrictions on every vty line. Configures a standard IP access list Switch(config)#line vty {vty# vty-range} Enters configuration mode for a vty or vty range Switch(config-line)#access-class access-list-number in out Restricts incoming or outgoing vty connections to addresses in the ACL 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-105 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-106 Best Practices: Switch Security Best Practices: Switch Security (Cont.) Secure switch access: Set system passwords. Secure physical access to the console. Secure access via Telnet. Use SSH when possible. Configure system warning banners. Use Syslog if available. Secure switch protocols: Trim CDP and use only as needed. Secure spanning tree. Mitigate compromises through a switch: Take precautions for trunk links. Minimize physical port access. Establish standard access port configuration for both unused and used ports. 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-107 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-108

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback