BCMSN30S08 Switch Security

7/27/2019 BCMSN30S08 Switch Security

http://slidepdf.com/reader/full/bcmsn30s08-switch-security 1/69



Overview of Switch Security



Rogue Access Points

• Rogue networkdevices can be:

– Wireless hubs

– Wireless routers

–

Access switches – Hubs

• These devices aretypically connectedat access levelswitches.



Switch Attack Categories

• MAC layer attacks

• VLAN attacks

• Spoofing attacks

• Attacks on switch devices



MAC Flooding Attack



Port Security

Port security restricts port access by MAC address.



Configuring Port Security on a Switch

• Enable port security

• Set MAC address limit

• Specify allowable MAC addresses

• Define violation actions

Switch(config-if)#switchport port-security [maximum value]violation {protect | restrict | shutdown}

• Enables port security and specifies the maximum number of

MAC addresses that can be supported by this port.



Verifying Port Security

Switch#show port-security

• Displays security information for all interfaces

Switch#show port-security

Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action

(Count) (Count) (Count)---------------------------------------------------------------------------

Fa5/1 11 11 0 ShutdownFa5/5 15 5 0 Restrict

Fa5/11 5 4 0 Protect---------------------------------------------------------------------------

Total Addresses in System: 21 Max Addresses limit in System: 128



Verifying Port Security (Cont.)

Switch#show port-security interface type mod/port

• Displays security information for a specific interface

Switch#show port-security interface fastethernet 5/1

Port Security: Enabled Port status: SecureUp Violation mode: Shutdown Maximum MAC Addresses: 11Total MAC Addresses: 11Configured MAC Addresses: 3

Aging time: 20 mins Aging type: InactivitySecureStatic address aging: Enabled Security Violation count: 0



Verifying Port Security (Cont.)

Switch#show port-security address

• Displays MAC address table security information

Switch#show port-security addressSecure Mac Address Table

------------------------------------------------------------------- Vlan Mac Address Type Ports Remaining Age

(mins)---- ----------- ---- ----- -------------1 0001.0001.0001 SecureDynamic Fa5/1 15 (I)1 0001.0001.0002 SecureDynamic Fa5/1 15 (I)1 0001.0001.1111 SecureConfigured Fa5/1 16 (I)1 0001.0001.1112 SecureConfigured Fa5/1 -1 0001.0001.1113 SecureConfigured Fa5/1 -

1 0005.0005.0001 SecureConfigured Fa5/5 231 0005.0005.0002 SecureConfigured Fa5/5 231 0005.0005.0003 SecureConfigured Fa5/5 231 0011.0011.0001 SecureConfigured Fa5/11 25 (I)1 0011.0011.0002 SecureConfigured Fa5/11 25 (I)-------------------------------------------------------------------Total Addresses in System: 10 Max Addresses limit in System: 128



Port Security with Sticky MAC Addresses

Sticky MAC stores dynamically learned MAC addresses.



AAA Network Configuration

• Authentication

– Verifies a user identify

• Authorization

– Specifies the permitted tasks for the

user

• Accounting

– Provides billing, auditing, andmonitoring



Authentication Methods

• Enable password

• Kerberos 5

• Kerberos 5-Telnet

authentication

• Line password

• Local database

• Local database with casesensitivity

• No authentication

• RADIUS

• TACACS+

Switch(config)#aaa authentication login {default |list-name} method1 [ method2...]

• Creates a local authentication list

Cisco IOS AAA supports these authentication methods:



802.1x Port-Based Authentication

Network access through switch requires authentication.



Configuring 802.1x

Switch(config)#aaa authentication dot1x {default} method1

[method2…]

• Creates an 802.1x port-based authentication method list

Switch(config)#dot1x system-auth-control

• Globally enables 802.1x port-based authentication

Switch(config)#interface type slot/port

• Enters interface configuration mode

Switch(config-if)#dot1x port-control auto

• Enables 802.1x port-based authentication on the interface

Switch(config)#aaa new-model

• Enables AAA



Summary

• Layer 2 security measures must be taken as a subset of the overallnetwork security plan.

• Rogue access to the network can undermine the security.

• Switch attacks fall into four main categories.

• MAC flooding attacks are launched against Layer 2 access switches

and can overflow the CAM table.• Port security can be configured at Layer 2 to block input from

devices.

• Configuring port security on a switch is easy and recommended.

• Sticky MAC addresses allow port security to limit access to a

specific, dynamically learned MAC address.• Multilayer switches should be configured to support security.

• AAA can be used for authentication on a multilayer switch.

• 802.1x port-based authentication can mitigate risk of rogue devicesgaining unauthorized access.



Minimizing Service Loss and Data Theft in a Campus Network

Protecting Against VLAN Attacks



Explaining VLAN Hopping

• Attacking system spoofsitself as a legitimate trunknegotiating device.

• Trunk link is negotiateddynamically.

• Attacking device gainsaccess to data on all VLANscarried by the negotiatedtrunk.



VLAN Hopping with Double Tagging

Double tagging allows a frame to be forwarded to adestination VLAN other than the source’s VLAN.



Mitigating VLAN Hopping

Switch(config-if)#switchport access vlan vlan-id

• Statically assigns the ports to specific unused VLAN

Switch(config-if)#switchport mode access

• Configures the ports as access ports and turns off DTP

• Selects a range of interfaces to configure

Switch(config)# interface-range type mod/port-port



Types of ACLs



Configuring VACLs

Switch(config)#vlan access-map map_name [seq# ]

• Defines a VLAN access map

Switch(config-access-map)# match {ip address {1-199 |1300-2699 | acl_name} | ipx address {800-999 | acl_name}|

mac address acl_name}

• Configures the match clause in a VLAN access map sequence

Switch(config-access-map)#action {drop [log]} | {forward [capture]} | {redirect {type slot/ port} | {port-channelchannel_id }}

• Configures the action clause in a VLAN access map sequence

Switch(config)#vlan filter map_name vlan_list list

• Applies the VLAN access map to the specified VLANs



Private VLANS



PVLAN Port Types

• Isolated: Communicate with only promiscuous ports

• Promiscuous: Communicate with all other ports

• Community: Communicate with other members of community and all promiscuous ports



Configuring PVLANs

Switch(config-vlan)#private-vlan [primary | isolated |community]

• Configures a VLAN as a PVLAN

Switch(config-vlan)#private-vlan association{secondary_vlan_list | add svl | remove svl}

• Associates secondary VLANs with the primary VLAN

Switch#show vlan private-vlan type

• Verifies PVLAN configuration



Configuring PVLAN Ports

Switch(config-if)#switchport mode private-vlan {host | promiscuous}

• Configures an interface as a PVLAN port

Switch(config-if)#switchport private-vlan host-association{ primary_vlan_ID secondary_vlan_ID

• Associates an isolated or community port with a PVLAN

Switch#show interfaces private-vlan mapping

• Verifies PVLAN port configuration

Switch(config-if)#private-vlan mapping primary_vlan_ID

{secondary_vlan_list | add svl | remove svl}• Maps a promiscuous PVLAN port to a PVLAN



Summary

• VLAN hopping can allow Layer 2 unauthorized access toanother VLAN.

• VLAN hopping can be mitigated by:

– Properly configuring 802.1Q trunks

– Turning off trunk negotiation

• Access lists can be applied to VLANs to limit Layer 2 access.

• VACLs can be configured on Cisco Catalyst switches.

• PVLANs are configured to allow traffic flows to be restricted

between ports within the same VLAN.• PVLAN configurations can be applied to provide Layer 2

isolation between VLANS.




Protecting Against Spoof Attacks



DHCP Spoof Attacks

• Attacker activates DHCPserver on VLAN.

• Attacker replies to validclient DHCP requests.

• Attacker assigns IP

configuration informationthat establishes roguedevice as client defaultgateway.

• Attacker establishes

“man-in-the-middle”attack.



DHCP Snooping

• DHCP snooping allowsthe configuration of ports as trusted or untrusted.

• Untrusted ports cannot

process DHCP replies.• Configure DHCP

snooping on uplinks to aDHCP server.

• Do not configure DHCP

snooping on client ports.



Securing Against DHCP Snooping Attacks

Switch(config)# ip dhcp snooping limit rate [rate]

• Enables DHCP Option 82 data insertion

Switch(config)# ip dhcp snooping information option

• Number of packets per second accepted on a port

• Enables DHCP snooping globallySwitch(config)# ip dhcp snooping

Switch(config-if)# ip dhcp snooping trust

• Configures a trusted interface

Switch(config)# ip dhcp snooping vlan number [number]

• Enables DHCP snooping on your VLANs



IP source guard is configured on

untrusted L2 interfaces

IP Source Guard



Configuring IP Source Guard on a Switch

• Enables DHCP snooping on a specific VLAN

Switch(config)# ip dhcp snooping vlan number [number ]

• Enables DHCP snooping globally

Switch(config)# ip dhcp snooping

Switch(config-if)# ip verify source vlan

dhcp-snooping port-security

• Enables IP Source Guard, source IP, and source MACaddress filter on a port



ARP Spoofing



• DAI associates each interfacewith a trusted state or anuntrusted state.

• Trusted interfaces bypass allDAI.

• Untrusted interfaces undergoDAI validation.

Dynamic ARP Inspection



Switch(config)#ip arp inspection vlan vlan_id [,vlan_id ]

• Enables DAI on a VLAN or range of VLANs

Switch(config-if)#ip arp inspection trust

• Enables DAI on an interface and sets the interface as a trusted

interface

Switch(config-if)#ip arp inspection validate {[src-mac ]

[dst-mac ] [ip ]}

• Configures DAI to drop ARP packets when the IP addresses are

invalid

Configuring DAI



Protection from ARP Spoofing

• Configure to protectagainst rogue DHCPservers.

• Configure for dynamicARP inspection.



Summary

• DHCP spoof attacks send unauthorized replies toDHCP queries.

• DHCP snooping is used to counter a DHCP spoof attack.

• DHCP snooping is easily implemented on a Cisco Catalyst

switch.• ARP spoofing can be used to redirect traffic to an

unauthorized device on the network.

• Dynamic ARP inspection in conjunction with DHCP snoopingcan be used to counter ARP spoofing attacks.

• Configuration commands for dynamic ARP inspection aresimple to understand.

• Dynamic APR inspection and DHCP snooping can protectagainst ARP spoofing attacks.




Describing STP Security Mechanisms



Protecting the Operation of STP

Protection against switchesbeing added on PortFast ports.

• BPDU guard shuts portsdown.

•

BPDU filter specifies actionto be taken when BPDUs arereceived.



Enabling and Verifying BPDU Guard

Switch#show spanning-tree summary totals

Root bridge for: none.PortFast BPDU Guard is enabled Etherchannel misconfiguration guard is enabled UplinkFast is disabled BackboneFast is disabled Default pathcost method used is short

Name Blocking Listening Learning Forwarding STP Active-------------------- -------- --------- -------- ---------- ----------

34 VLANs 0 0 0 36 36

Switch(config)#spanning-tree portfast bpduguard

• Enables BPDU guard


• Displays BPDU guard configuration information



Describing BPDU Filtering

Switch#show spanning-tree summary totals Root bridge for:VLAN0010EtherChannel misconfiguration guard is enabled Extended system ID is disabled Portfast is enabled by defaultPortFast BPDU Guard is disabled by defaultPortfast BPDU Filter is enabled by default

Loopguard is disabled by defaultUplinkFast is disabled BackboneFast is disabled Pathcost method used is long

Name Blocking Listening Learning Forwarding STP Active---------------------- -------- --------- -------- ---------- ----------2 vlans 0 0 0 3 3

Switch(config)#spanning-tree portfast bpdufilter default

• Enables BPDU filtering


• Displays BPDU filtering configuration information



Describing Root Guard



Verifying Root Guard

Switch#show running-config interface fastethernet 5/8 Building configuration...Current configuration: 67 bytes!interface FastEthernet5/8switchport mode accessspanning-tree guard rootSwitch#show spanning-tree inconsistentports Name Interface Inconsistency-------------------- ---------------------- ------------------ VLAN0001 FastEthernet3/1 Port Type Inconsistent VLAN0001 FastEthernet3/2 Port Type Inconsistent VLAN1002 FastEthernet3/1 Port Type Inconsistent

Number of inconsistent ports (segments) in the system :3

Switch#show running-config interface interface mod/port

• Displays interface configuration information

Switch#show spanning-tree inconsistentports

• Displays information about ports in inconsistent states



Summary

• BPDU guard and BPDU filtering protect the operation of STPon PortFast-configured ports.

• When BPDU guard is configured globally, it affects allPortFast configured ports.

•

BPDU guard can be configured per port, even on those portsnot configured with PortFast.

• BPDU filtering can be configured globally or per port.

• The root switch cannot be elected via BPDUs received on a

root-guard-configured port.• Root guard can be configured and verified using various

commands.




Preventing STP Forwarding Loops



Unidirectional Link Failure



Loop Guard

Root



Before Loop Guard

Root



With Loop Guard

UDLD and Loop Guard Configuration



UDLD and Loop Guard ConfigurationCommands

Configuring and verifying UDLD

• udld enable

• show udld interface fa0/1

Configuring and verifying loop guard

• spantree global-default loopguard enable

• show spantree guard fa0/1



Configuring UDLD

Switch(config)#udld enable

• Enables UDLD globally on all fiber-optic interfaces

Switch(config-if)#udld enable

• Enables UDLD on an individual interface

Switch(config-if)#no udld enable

• Disables UDLD on an individual nonfiber-optic interface

Switch(config-if)#udld disable

• Disables UDLD on an individual fiber-optic interface



Resetting and Verifying UDLD

Switch# udld reset

• Resets all interfaces that have been shut down by UDLD

Switch#show udld interface• Displays UDLD information for a specific interface



Configuring Loop Guard



Comparing Loop Guard and UDLD

Loop Guard UDLD

Configuration Per port Per port

Action granularity Per VLAN Per Port

Autorecovery Yes Yes, with

errdisabletimeout feature

Protection against STP failures causedby unidirectional links

Yes, when enabled on all

root and alternative ports

in redundant topology

Yes, when enabled on all

links in redundant topology

Protection against STP failures causedby problem in software, resulting in

designated switch not sending BPDU

Yes No

Protection against miswiring No Yes



Summary

• UDLD detects and disables an interface with unidirectionalconnectivity, protecting the network from anomalous STPconditions.

• Loop guard detects and disables an interface with Layer 2unidirectional connectivity, protecting the network from

anomalous STP conditions.

• UDLD and loop guard are configured and verified usingspecific commands.

• Implementation of UDLD and loop guard protectsspanning tree operations from being disrupted due tounidirectional links.




Securing Network Switches



Describing Vulnerabilities in CDP

Describing Vulnerabilities in the Telnet



Describing Vulnerabilities in the TelnetProtocol

The Telnet connection sendstext unencrypted and potentiallyreadable.



Describing the Secure Shell Protocol

SSH replaces the Telnet sessionwith an encrypted connection.



Describing vty ACLs

• Set up standard IP ACL.

• Use line configurationmode to filter access withthe access-class command.

•

Set identical restrictions onevery vty line.



• Configures a standard IP access list

Switch(config)#access-list access-list-number

{permit | deny | remark} source [ mask ]

• Enters configuration mode for a vty or vty range

• Restricts incoming or outgoing vty connections to addresses

in the ACL

Switch(config-line)#access-class access-list-number in|out

Switch(config)#line vty {vty# | vty-range}

Describing Commands to Apply ACLs



Best Practices: Switch Security

Secure switch access:

• Set system passwords.

• Secure physical access to the console.

• Secure access via Telnet.

• Use SSH when possible.

• Configure system warning banners.

• Use Syslog if available.



Best Practices: Switch Security (Cont.)

Secure switch protocols:

• Trim CDP and use only as needed.

• Secure spanning tree.

Mitigate compromises through a switch: • Take precautions for trunk links.

• Minimize physical port access.

• Establish standard access port configuration for bothunused and used ports.



Summary

• CDP packets can expose some network information.

• Authentication information and data carried in Telnetsessions are vulnerable.

• SSH provides a more secure option for Telnet.

•vty ACLs should be used to limit Telnet access toswitch devices.

• vty ACL configuration commands use standard IP ACL lists.

• Sound security measures and trimming of unusedapplications are the basis of best practices.



Module Summary

•

Key switch security issues should be identified on aswitched network and proper measures taken to mitigateknown attacks.

• VLAN trunk links should be secured to defend against VLANhopping attacks.

• DHCP snooping, port security, and dynamic ARP inspectionare used to protect the network against spoofing attacks.

• When placed into service, switches should be configuredaccording to best practices to secure the switch device andits protocols from attacks that can be launched through aswitch.

• UDLD and loop guard protect the network from anomalousSTP conditions that result from unidirectional links.

• Implement AAA services to support port authentication using802.1x.

BCMSN30S08 Switch Security

Documents

Transcript of BCMSN30S08 Switch Security