CCNP Switch Notes Campus Network Security
Attention has traditionally been paid to network perimeter security, such as firewall, and to mitigating Layer 3 attacks.However, networks must be protected against Layer 2 attacks, too. These are launched from devices inside the network by either a rogue device or a legitimate device that has been compromised. Rogue devices might be placed maliciously or might just be connected to an access switch by an employee wanting more switch port or wireless access. They include:
- Wireless routers or hubs
- Access switches
A switch might become the Spanning Tree root bridge and disrupt user traffic. Use root guard and bpdu guard commands to prevent this. (Spanning Tree security is discussed later in this chapter.)
The following are four typical types of attacks against a switched network:
- MAC address-based attacks: MAC address flooding
- VLAN-based attacks: VLAN hopping and attacks against devices on the same VLAN
- Spoofing attacks: DHCP spoofing, MAC spoofing, Address Resolution Protocol (ARP) spoofing, and Spanning Tree attacks
- Attacks against the switch: Cisco Discovery Protocol (CDP) manipulation, Telnet attacks, and Secure Shell (SSH) attacks
MAC Address-Based Attacks
Common MAC address-based attacks rely on flooding the CAM table and can be mitigated by using port security and port-based authentication.
MAC Address Flooding
In a MAC address flooding attack, the attacker fills the switch’s Content Addressable Memory (CAM) table with invalid MAC addresses. After the table is full, all traffic with an address not in the table is flooded out all interfaces. This has two bad effects: more traffic on the LAN and more work for the switch. This can also cause the CAM tables of adjacent switches to overflow. Additionally, the intruder’s traffic is also flooded, so they have access to more ports than they would normally have. After the attack stops, CAM entries age out and life returns to normal. However, meanwhile the attacker might have captured a significant amount of data.
Port security and port-based authentication can help mitigate MAC address attacks.
Port security limits the number of MAC addresses allowed per port and can also limit which MAC addresses are allowed. Allowed MAC addressed can be manually configured or the switch can sticky learn them. Table 7-1 lists port security commands; these are given at the interface.
TABLE 7-1 Port Security Commands
The following commands show how to verify the port security configuration:
Switch#show port-security interface fa 1/0/15
Port Security : Enabled
Port Status : Secure-Up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
802.1x authentication requires a computer (called a client) to be authenticated before it is allowed access to the LAN.This can be combined with port security to enable only authenticated clients with specified MAC addresses to access a port. When a computer connects to a switch port configured for 802.1x authentication, it follows these steps:
Step 1. The port is in the unauthorized state, allowing only 802.1x EAP over LAN (EAPOL) traffic.
Step 2. The client connects to the port. The switch either requests authentication or the client sends an EAPOL frame to begin authentication.
Step 3. The switch relays authentication information between the client and a RADIUS server that acts in proxy for the client.
Step 4.If authentication succeeds, the port transitions to the authorized state, and normal LAN traffic is allowed
Table 7-2 shows commands to configure 802.1x authentication on a switch
VLAN-based attacks include VLAN hopping, in which a station can access a VLAN other than its own. This can be done with switch spoofing or with 802.1Q double-tagging.
Switch Spoofing Switch spoofing involves a station configured to negotiate a trunk link between itself and the switch. By default, switches dynamically negotiate trunking status using Dynamic Trunking Protocol (DTP). If a computer can use DTP to establish a trunk link to the switch, it receives all traffic bound for every VLAN allowed on that trunk. By default, all VLANs are allowed on a trunk.
You can mitigate this by turning off DTP on all ports that should not become trunks, such as most access ports, using the interface command switchport nonegotiate. If the port should be an access port, configure it as such with the interface command switchport mode access and turn off CDP on that port. Additionally, shut down all unused ports and assign them to an unused VLAN. The commands to do this are:
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlanvlan
A double-tagging attack is possible because 802.1Q trunking does not tag frames from the native VLAN. In this attack, the attacking computer negotiates a trunk port between itself and the switch and then generates frames with two 802.1Q tags. The first tag matches the native VLAN of the trunk port, and the second matches the VLAN of a host it wants to attack, as shown in Figure 7-1. The first switch in the path strips off the first 802.1Q tag and forwards it to adjacent switches. The next switch forwards the frame based on the VLAN listed in the second tag.
The double-tagging method of a VLAN hopping attack works even if trunk ports are set to off, if the trunk has the same VLAN as the attacker.
Switch A removes the first tag for VLAN 100 because it matches the native VLAN for that link. It forwards the frame out all links with the same native VLAN, including its link to Switch B. Switch B sees the frame come in with an 802.1Q tag for VLAN 200, so it forwards it out the VLAN 200 link to the victim computer
To mitigate this type of attack, use the same strategies used for switch spoofing. You can also use VLAN access control lists, called VACLs, or implement Private VLANs
Cisco switches support of various kinds of ACLs:
- Traditional Router ACL (RACL)
- QoS ACL
VLAN access control lists (VACL) are similar to route-maps because they are composed of statements that contain match and set conditions. In a VACL, the “set” conditions are called “actions.” Actions include forward,drop, and redirect. Like route-maps, VACL statements are numbered for ordering. After configuration, VACLs are applied to traffic to specified VLANs.
The following is a sample VACL that instructs the switch to drop traffic matching ACL 101 (not shown) and forward all other traffic:
Switch(config)#vlan access-map Drop101 10
Switch(config-access-map)#match ip address 101
Switch(config-access-map)#vlan access-map Drop101 20
Switch(config)#vlan filter Drop101 vlan-list 10
To view VACL settings, use the commands show vlan access-map vacl_nameor show vlan filter access-map vacl_name.
Private VLANs (PVLAN) enable large companies or service providers to isolate users into separate multiaccess domains.Using a VLAN for each group is not scalable. For instance, the switch’s maximum VLANs would limit the number of customers an ISP can have. Each VLAN requires a separate IP subnet, which could also be a limiting factor.
PVLANs divide a VLAN into secondary VLANs, letting you isolate a set of ports from other ports within the same
VLAN. There are two types of secondary VLANs:
- Community VLANs: Ports can communicate with other ports in the same community VLAN.
- Isolated VLANs: Ports cannot communicate with each other.
Ports within a private VLAN can be one of three types:
- Community: Communicates with other community ports and with promiscuous ports
- Isolated: Communicates only with promiscuous ports
- Promiscuous: Communicates with all ports
Table 7-3 shows the commands to configure a primary private VLAN, secondary PVLANs, and their associated ports.
On some lower-end switches, protected ports can provide a simple version of private VLANs. Traffic from a protected port can access only an unprotected port. Traffic between protected ports is blocked. Configure port protection at the interface:
Spoof attacks include DHCP spoofing, MAC address spoofing, and ARP spoofing.
A DHCP spoofing attacker listens for DHCP requests and answers them, giving its IP address as the client default gateway. The attacker then becomes a “man-in-the-middle” as all off-net traffic flows through it.
DHCP snooping can prevent DHCP spoofing attacks. When DHCP snooping is enabled, only ports that uplink to an authorized DHCP server are trusted and allowed to send all types of DHCP messages. All other ports on the switch are untrusted and can send only DHCP requests. If a DHCP response (or “offer”) is seen on an untrusted port, the port is shut down. The switch can also be configured to send information, such as port ID, using DHCP option 82.
Configure DHCP snooping with the following commands, either globally or for a particular VLAN. Configure only individual ports that uplink to DHCP servers as trusted ports.
Switch(config)#ip dhcp snooping
Switch(config)#ip dhcp snooping information option
Switch(config)#ip dhcp snooping vlan numbernumber
Switch(config-if)#ip dhcp snooping trust
Switch(config-if)#ip dhcp snooping limitpkts-per-second
Switch#show ip dhcp snooping
IP Source Guard
To extend the protection further, IP Source Guard tracks the IP addresses of the host connected to each port and prevents traffic sourced from another IP address from entering that port. The tracking can be done based on just an IP address or on both IP and MAC addresses
Enable IP Source Guard for both IP and MAC addresses on host access interfaces with the command ip verify source port-security.
In an ARP spoofing attack, the attacker sends out gratuitous (unsolicited) ARP messages giving the IP address of the local default gateway, with its own MAC address as the Layer 2 address. Local devices overwrite their existing correct ARP information with the incorrect one, and, thus, they forward off-net traffic to the attacker (it becomes a “man-in-the middle”). If the attacker then forwards it on to the legitimate router, this type of attack might go undetected by the users.
Dynamic ARP Inspection (DAI) can work with DHCP spoofing to stop ARP spoofing. DAI defines trusted and untrusted interfaces. It intercepts ARP messages on untrusted ports and checks them against the IP address/MAC address bindings in the DHCP snooping database. They must match for the switch to forward the traffic. Access ports should be configured as untrusted, and ports that connect to other switches or to a router should be trusted.
Enable DAI on a VLAN, or multiple VLANs, and configure trusted interfaces. You can optionally configure a rate limit or configure which addresses DAI matches against. (The default is IP and MAC address.) The basic commands are
Switch(config)#ip arp inspection vlanvlan_id
Switch(config-if)#ip arp inspection trust
Securing Your Switch
Here are some basic security suggestions for network devices:
- Use passwords that are not susceptible to a dictionary attack. Add numbers or substitute numbers and symbols for letters.
- Limit Telnet access using access lists
- Use SSH instead of Telnet.
- Physically secure access to the device.
- Use banners that warn against unauthorized access.
- Remove unused services, such as finger, the TCP and UDP small servers, service config, and HTTP server.
- Set up and monitor Syslog.
- Disable automatic trunking on all nontrunk ports.
- Disable CDP on ports where it is not needed.