© 2003, Cisco Systems, Inc. All rights reserved. 2-1 Understanding Switch Security.

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-2 Overview of Switch Security Most attention surrounds security attacks from outside the walls of an organization. Inside the network is left largely unconsidered in most security discussions.

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-3 Overview of Switch Security The default state of networking equipment: Firewalls (placed at the organizational borders) –Default: Secure and must be configured for communications. Routers and switches (placed internal to an organization) –Default: Unsecured, and must be configured for security

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-4 Rogue Access Points Rogue network devices can be: –Access switches –Wireless routers –Wireless access points –Hubs These devices are typically connected at access level switches.

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-5 Rogue Access Points Mitigating STP manipulation –To enforce the placement of the root bridge –To enforce the STP domain borders Use: –Root guard –BPDU guard

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-6 Enabling PortFast can create a security risk in a switched network. A port configured with PortFast will go into blocking state if it receives a Bridge Protocol Data Unit (BPDU). This could lead to false STP information that enters the switched network and causes unexpected STP behavior. Portfast X Blocking and now listening to BPDUs Forwards BPDUs to other switches. STP Reconvergence? BPDU Problem: BPDUs

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-7 When the BPDU guard feature is enabled on the switch, STP shuts down PortFast enabled interfaces that receive BPDUs instead of putting them into a blocking state. BPDU guard will also keep switches added outside the wiring closet by users from impacting and possibly violating Spanning Tree Protocol. Distribution1(config)#interface range fa 0/10 - 24 Distribution1(config-if-range)#spanning-tree bpduguard enable BPDU | Err-Disable, Shutdown Portfast & BPDU Guard No BPDUs sent Solution: BPDU Guard Not supported with Packet Tracer

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-8 Root Guard prevents a switch from becoming the root bridge.  Typically access switches Configured on switches that connect to this switch. Potential Root Protect Potential Root Root Guard

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-9 Root Guard Distribution1(config)#interface fa 0/3 Distribution1(config-if-range)#spanning-tree guard root Distribution1(config)#interface gig 0/2 Distribution1(config-if-range)#spanning-tree guard root Distribution2(config)#interface fa 0/3 Distribution2(config-if-range)#spanning-tree guard root Distribution2(config)#interface gig 0/1 Distribution2(config-if-range)#spanning-tree guard root Access2(config)#no spanning-tree uplinkfast UplinkFast must be disabled because it cannot be used with root guard. Next

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-10 This message appears after root guard blocks a port: %SPANTREE-2-ROOTGUARDBLOCK: Port 0/3 tried to become non-designated in VLAN 1. Moved to root-inconsistent state Root Guard Superior BPDU I want to be root bridge! STP Inconsistent State – no traffic is passed. I no longer want to be root. I have been reconfigured to be a non- root bridge. I will now transition to listening sate, then learning state, then forwarding sate.

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-13 Building the MAC Address Table MAC Address Table Port Source MAC Add. 1 1111 Switch learns Source MAC Destination MAC is not in table, so floods it out all ports (unknown unicast) switch 1111 2222 3333 4444 Abbreviated MAC addresses 11113333

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-14 Building the MAC Address Table MAC Address Table Port Source MAC Add. 1 1111 6 3333 Frame is sent from 3333 switch 1111 2222 3333 4444 Abbreviated MAC addresses 33331111

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-15 Building the MAC Address Table MAC Address Table Port Source MAC Add. 1 1111 6 3333 Bidirectional Communications switch 1111 2222 3333 4444 Abbreviated MAC addresses 33331111 3333

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-16 16 Building the MAC Address Table MAC Address Table Port Source MAC Add. 1 1111 6 3333 Common Layer 2 or switch attack For: –Collecting a broad sample of traffic –Denial of Service (DoS) attack Switch’s CAM tables are limited in size (1,024 to over 16,000 entries). Tools such as dsniff can flood the CAM table in just over 1 minute. switch 1111 2222 3333 4444 Abbreviated MAC addresses Numerous Invalid Source Addresses 3333 Attacker Numerous Invalid Source Addresses

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-17 Building the MAC Address Table MAC Address Table Port Source MAC Add. 1 1111 6 3333 Dsniff (macof) can generate 155,000 MAC entries on a switch per minute It takes about 70 seconds to fill the cam table Once table is full, traffic without a CAM entry floods on the VLAN. (unknown unicasts) switch 1111 2222 3333 4444 Abbreviated MAC addresses Numerous Invalid Source Addresses 3333 Attacker Numerous Invalid Source Addresses TABLE IS FULL

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-18 Building the MAC Address Table MAC Address Table Port Source MAC Add. 1 1111 6 3333 Once the CAM table is full, new valid entries will not be accepted. Switch must flood frames to that address out all ports. This has two adverse effects: The switch traffic forwarding is inefficient and voluminous. An intruding device can be connected to any switch port and capture traffic not normally seen on that port. switch 1111 2222 3333 4444 Abbreviated MAC addresses Numerous Invalid Source Addresses 3333 Attacker Numerous Invalid Source Addresses TABLE IS FULL I see all frames!

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-19 MAC Flooding If the attack is launched before the beginning of the day, the CAM table would be full as the majority of devices are powered on. If the initial, malicious flood of invalid CAM table entries is a one-time event: Eventually, the switch will age out older, invalid CAM table entries New, legitimate devices will be able to create an entry in the CAM Traffic flooding will cease Intruder may never be detected (network seems normal).

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-21 Configuring Port Security on a Switch Enable port security. Set MAC address limit. Specify allowable MAC addresses. Define violation actions. Switch(config-if)# switchport port-security [maximum value] violation {protect | restrict | shutdown} mac-address mac-address Switch(config-if)# switchport port-security

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-22 Configuring Port Security on a Switch Set the number of allowed MAC address that the port can grant access. –Default = 1 –Range 1 to 1,024 These addresses can be configured explicitly or can be learned dynamically. Default: Addresses are learned dynamically by hosts sending frames on that interface. Switch(config-if)# switchport port-security maximum value

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-23 Configuring Port Security on a Switch You can configure MAC addresses to be sticky. –Dynamically learned or manually configured –Stored in the MAC address table –Added to the running-config If the running-config is copied to the startup-config the interface does not need to dynamically relearn them when the switch restarts. After using this command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses. –You must: copy running-config startup-config –If you do not save the configuration, they are lost. If sticky learning is disabled, the sticky secure MAC addresses are converted to dynamic secure addresses and are removed from the running configuration. Note: Sticky secure addresses can be manually configured, it is not recommended. Switch(config-if)# switchport port-security mac-address sticky

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-24 Configuring Port Security on a Switch Learned addresses are not aged out by default but can be with this command. Value from 1 to 1024 in minutes. Switch(config-if)# switchport port-security aging time value

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-25 Configuring Port Security on a Switch MAC addresses can be statically configured on an interface. If the number of static addresses configured is less than the maximum number secured on the port the remaining address are learned dynamically. Switch(config-if)# switchport port-security mac-address mac-address Switch(config-if)# switchport port-security maximum value

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-26 Port Security: Secure MAC Addresses The switch supports these types of secure MAC addresses: Static –Configured using switchport port-security mac-address mac-address –Stored in the address table –Added to running configuration. Dynamic –These are dynamically configured –Stored only in the address table –Removed when the switch restarts Sticky –These are dynamically configured –Stored in the address table –Added to the running configuration. –If running-config saved to startup-config, when the switch restarts, the interface does not need to dynamically reconfigure them. –Note: When you enter this command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses. The interface adds all the sticky secure MAC addresses to the running configuration.

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-27 Port Security: Violation Station attempting to access the port is different from any of the identified secure MAC addresses, a security violation occurs.

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-28 Port Security: Violation By default, if the maximum number of connections is achieved and a new MAC address attempts to access the port, the switch must take one of the following actions: Protect: Port is allowed to stay up Frames from the nonallowed address are dropped There is no log of the violation Restrict: Port is allowed to stay up Frames from the nonallowed address are dropped A log message is created and Simple Network Management Protocol (SNMP) trap and syslog message of the violation are kept/sent. Shut down (default): Port is put into Errdisable state which effectively shuts down the port. Frames from a nonallowed address: –Log entry is made, SNMP trap sent Interface must be reenabled manually. (shutdown > no shutdown) Switch(config-if)#switchport port-security violation {protect | restrict | shutdown}

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-30 Port Security: Static Addresses Restricts input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port. The port does not forward packets with source addresses outside the group of defined addresses. Switch(config)# interface fa 0/1 Switch(config-if)# switchport mode access Switch(config-if)# switchport port-security Switch(config-if)# switchport port-security maximum 3 Switch(config-if)# switchport port-security mac-address 0000.0000.000a Switch(config-if)# switchport port-security mac-address 0000.0000.000b Switch(config-if)# switchport port-security mac-address 0000.0000.000c X

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-31 Port Security: Verify Switch# show port-security Displays security information for all interfaces Switch# show port-security Secure Port MaxSecureAddr CurrentAddr Sec Violation Sec Action (Count) (Count) (Count) ---------------------------------------------------------------------- Fa5/1 11 11 0 Shutdown Fa5/5 15 5 0 Restrict Fa5/11 5 4 0 Protect ---------------------------------------------------------------------- Total Addresses in System: 21 Max Addresses limit in System: 128

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-32 Port Security: Verify Switch# show port-security interface type mod/port Displays security information for a specific interface Switch# show port-security interface fastethernet 5/1 Port Security: Enabled Port status: SecureUp Violation mode: Shutdown Maximum MAC Addresses: 11 Total MAC Addresses: 11 Configured MAC Addresses: 3 Aging time: 20 mins Aging type: Inactivity SecureStatic address aging: Enabled Security Violation count: 0

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-33 Verifying Port Security (Cont.) Switch#show port-security address Displays MAC address table security information Switch#show port-security address Secure Mac Address Table ------------------------------------------------------------------- Vlan Mac Address Type Ports Remaining Age (mins) ---- ----------- ---- ----- ------------- 1 0001.0001.0001 SecureDynamic Fa5/1 15 (I) 1 0001.0001.0002 SecureDynamic Fa5/1 15 (I) 1 0001.0001.1111 SecureConfigured Fa5/1 16 (I) 1 0001.0001.1112 SecureConfigured Fa5/1 - 1 0001.0001.1113 SecureConfigured Fa5/1 - 1 0005.0005.0001 SecureConfigured Fa5/5 23 1 0005.0005.0002 SecureConfigured Fa5/5 23 1 0005.0005.0003 SecureConfigured Fa5/5 23 1 0011.0011.0001 SecureConfigured Fa5/11 25 (I) 1 0011.0011.0002 SecureConfigured Fa5/11 25 (I) ------------------------------------------------------------------- Total Addresses in System: 10 Max Addresses limit in System: 128

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-35 Port Authentication Cisco Catalyst switches can support port-based authentication which is a combination of: AAA authentication Port security Based on IEEE 802.1x standard which defines a client-server-based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports. Until the client is authenticated, 802.1X access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the client is connected. The authentication server authenticates each client connected to a switch port before making available any services offered by the switch or the LAN. After authentication is successful, normal traffic can pass through the port. EAPOL AuthenticatedNormal traffic

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-36 Port Authentication Client or server can initiate 802.1x session. Switch port starts off in the unauthorized state – EAPOL traffic only, no data traffic. If client supports 802.1x but switch does not, the client abandons 802.1x and communicates normally. –See you OS instructions for enabling 802.1x If the switch is configured for 802.1x but the client does not support it, the switch port remains in the unauthorized state and will not forward any traffic from the client. Authorized state ends and reverts back to unauthorized state when: –User logs out –Switch times out user’s authorized session EAPOL Authenticated Normal traffic

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-37 Port Authentication Port based authentication can be handled by one or more RADIUS (Remote Authentication Dial-In User Service) servers. Note: Cisco does have other authentication methods (TACACS) but only RADIUS is supported for 802.1x. EAPOL Authenticated Normal traffic

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-38 Configuring 802.1x on the switch. 1. Enable AAA on the switch (disabled by default) Switch(config)# aaa new-model 2. Define the RADIUS servers Switch(config)# radius-server host {hostname | ip-address} [key string] 3. Define the authentication method Switch(config)# aaa authentication dot1x default group radius Causes all RADIUS authentication servers that are defined on the switch (previous step) to be used for 802.1x authentication. 4. Enable 802.1x on the switch (disabled by default) Switch(config)# dot1x system-auth-control

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-39 Configuring 802.1x on the switch. force-authorized (default): –Port is forced to authorize with the connected client. –No authentication necessary: Disables 802.1X and causes the port to transition to the authorized state without any authentication exchange required. –The port transmits and receives normal traffic without 802.1X-based authentication of the client. force-unauthorized: –Port is forced to never authorize with the any connected client. –Causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate. –Port cannot send normal user traffic. Auto: –Port uses an 802.1x exchange (EAPOL) to move from unauthorized to authorized state. –Requires client to be 802.1x capable 5. Configure each switch port that will use 802.1x Switch(config)# interface type mod/num Switch(config-if)# dot1x port-control [force-authorized | force unauthorized | auto} EAPOL Authenticated Normal traffic X

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-40 Configuring 802.1x on the switch. If a switch is connected to another switch or a hub 802.1x allows for all hosts on that port to receive the same authentication method. Verify: show dot1x all 6. Allow multiple hosts on the a switch port. Switch(config)# interface type mod/num Switch(config-if)# dot1x host-mode multi-host

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-41 Configuring 802.1x on the switch. Switch(config)# aaa new-model Switch(config)# radius-server host 172.30.10.100 key BigSecret Switch(config)# aaa authentication dot1x default group radius Switch(config)# dotx system-auth-control Switch(config)# interface range fa 0/1 - 40 Switch(config-if)# switchport access vlan 10 Switch(config-if)# switchport mode access Switch(config-if)# dot1x port-control auto 172.30.10.100

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-43 VLAN Hopping Attacks With trunking protocols possibility of rogue traffic “hopping” from one VLAN to another. Creates security vulnerabilities. These VLAN Hopping attacks are best mitigated by close control of trunk links: –VLAN Access Control Lists (VACLs) –Private VLANs (PVLANs).

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-44 Explaining VLAN Hopping VLAN hopping attack where an end system sends packets to, or collects packets from, a VLAN that should not be accessible to that end system. This is done by: –Switch spoofing –Double tagging

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-45 VLAN Hopping: Switch Spoofing Attacker configures a system to spoof itself as a switch by emulating: –ISL or 802.1Q signaling –Dynamic Trunking Protocol (DTP) signaling Attacking system spoofs itself as a legitimate trunk negotiating device. –Trunk link is negotiated dynamically. Attacking device gains access to data on all VLANs carried by the negotiated trunk. “I’m a switch”

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-46 VLAN Hopping: DTP Dynamic Auto Dynamic Desirable TrunkAccess Dynamic AutoAccessTrunk Access Dynamic Desirable Trunk Access Trunk Not recommended Access Not recommended Access Note: Table assumes DTP is enabled at both ends. show dtp interface – to determine current setting

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-47 VLAN Hopping: switchport mode access Both of these commands “should” be used for access ports:  switchport mode access  switchport access vlan n

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-48 VLAN Hopping: no switchport mode access Without the switchport mode access command, this interface will still try to negotiate trunking.

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-49 VLAN Hopping: switchport mode access Now configure the range of interfaces for permanent nontrunking, access mode Notice that negotiation of trunking has been turned off and that this port will only be a non-trunking access port.

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-51 VLAN Hopping with Double Tagging Double tagging allows a frame to be forwarded to a destination VLAN other than the source’s VLAN. Attacker’s workstation generates frames with two 802.1Q headers Switch forwards the frames onto a VLAN that would be inaccessible to the attacker through legitimate means.

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-52 VLAN Hopping with Double Tagging First switch strips the first tag off the frame because the first tag (VLAN 10) matches the trunk port –Frame is forwarded with the inner 802.1Q tag Second switch then forwards the packet to the destination based on the VLAN identifier in the second 802.1Q header.

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-53 Mitigating VLAN Hopping: Access Ports Access Ports –Configure all unused ports as access ports so that trunking cannot be negotiated across those links. –Place all unused ports: In the shutdown state Associate with a VLAN designed only for unused ports, carrying no user data traffic Switch(config)#interface range fa 0/11 - 15 Switch(config-if-range)#switchport mode access Switch(config-if-range)#switchport access vlan 10 Switch(config)#interface range fa 0/16 - 17 Switch(config-if-range)#shutdown Switch(config-if-range)#switchport mode access Switch(config-if-range)#switchport access vlan 999

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-54 Mitigating VLAN Hopping: Trunk Ports Trunk Ports –Trunking as “on,” rather than negotiated –The native VLAN to be different from any data VLANs (VLAN 1 is the default) –The specific VLAN range to be carried on the trunk Switch(config)#interface gig 0/1 Switch(config-if-range)#switchport mode trunk Switch(config-if-range)#switchport trunk native vlan 2 Switch(config-if-range)#switchport trunk allowed vlan 2,10,20,99

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-56 Types of ACLs Access control lists (ACLs) are useful for controlling access in a multilayer switched network. This topic describes VACLs and their purpose as part of VLAN security. Cisco Systems multilayer switches support three types of ACLs Router access control lists (RACLs): –Supported in the TCAM hardware on Cisco multilayer switches. –In Catalyst switches, RACL can be applied to any routed interface, such as a switch virtual interface (SVI) or Layer 3 routed port. Port access control list (PACL): –Filters traffic at the port level. PACLs can be applied on a Layer 2 switch port, trunk port, or EtherChannel port. –Allow Layer 3 filtering on Layer 2 ports. VACLs: –VACLs, also known as VLAN access-maps, apply to all traffic in a VLAN. –VACLs support filtering based on Ethertype and MAC addresses. VACLs are order-sensitive, similar to Cisco IOS–based route maps. –VACLs are capable of controlling traffic flowing within the VLAN or controlling switched traffic, whereas RACLs control only routed traffic.

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-57 VACLs (a.k.a. VLAN access maps) apply to all traffic on the VLAN. VACLs apply to: –IP traffic –MAC-Layer traffic VACLs follow route-map conventions, in which map sequences are checked in order. First, define the VLAN access map. If you don’t specify a sequence number, the first route map condition will be automatically numbered as 10. VACLs 1. Define a VLAN access map. Switch(config)# vlan access-map map_name [seq#]

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-58 VACLs Once you have entered the vlan access-map command, you can enter match and action commands in the route-map configuration mode. access-mapEach access-map command has a list of match and action commands associated with it. match –The match commands specify the match criteria—the conditions that should be tested to determine whether or not to take action. action –The action commands specify the actions—the actions to perform if the match criteria are met. 2. Configure a match clause. Switch(config-access-map)# match {ip address {1-199 | 1300-2699 | acl_name} | ipx address {800-999 | acl_name}| mac address acl_name} 3. Configure an action clause Switch(config-access-map)# action {drop [log]} | {forward [capture]} | {redirect {{fastethernet | gigabitethernet | tengigabitethernet} slot/port} | {port-channel channel_id}}

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-59 VLAN Map Configuration Guidelines If there is no VLAN ACL configured to deny traffic on a routed VLAN interface (input or output), and no VLAN map configured, all traffic is permitted. Each VLAN map consists of a series of entries. –The order of entries in an VLAN map is important. –A frame that comes into the switch is tested against the first entry in the VLAN map. –If it matches, the action specified for that part of the VLAN map is taken. –If there is no match, the packet is tested against the next entry in the map. If the VLAN map has at least one match clause for the type of packet (IP or MAC) and the packet does not match any of these match clauses, the default is to drop the packet. If there is no match clause for that type of packet in the VLAN map, the default is to forward the packet.

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-60 Configuring VACLs. 1. Define a VLAN access map. Switch(config)# vlan access-map map_name [seq#] 2. Configure a match clause. Switch(config-access-map)# match {ip address {1-199 | 1300-2699 | acl_name} | ipx address {800-999 | acl_name}| mac address acl_name} 3. Configure an action clause Switch(config-access-map)# action {drop [log]} | {forward [capture]} | {redirect {{fastethernet | gigabitethernet | tengigabitethernet} slot/port} | {port-channel channel_id}} 4. Apply a map to VLANs Switch(config)# vlan filter map_name vlan_list list

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-62 Example 2 Drop packets with source IP 10.1.0.0/16 in VLANs 1-4094. (Default) Drop all other IP packets: VLAN map has at least one match clause, IP address (Default) Forward all non-IP packets: Forward all other “frames”, no match clauses

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-63 Forward all UDP packets Drop all IGMP packets Forward all TCP packets (Default) Drop all other IP packets: VLAN map has at least one match clause, tcp-match (Default) Forward all non-IP packets: Forward all other “frames”, no match clauses FYI Example 3

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-65 DHCP Spoof Attacks The DHCP spoofing device replies to client DHCP requests. The intruder’s DHCP reply offers: IP address/Mask Default gateway Domain Name System (DNS) server Clients will then forward packets to the attacking device, which will in turn send them to the desired destination. This is referred to as a “man-in- the-middle” attack.

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-76 DHCP Spoof Attacks “I need an IP address/mask, default gateway, and DNS server.” “Here you go, I might be first!” (Rouge) “Here you go.” (Legitimate) “Got it, thanks!” “Already got the info.” All default gateway frames and DNS requests sent to Rogue. “I can now forward these on to my leader.” (Rouge)

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-77 DHCP Snooping DHCP snooping is a Cisco Catalyst feature that determines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted. Trusted ports can source all DHCP messages –DHCP Server Untrusted ports can source requests only –If a rogue device on an untrusted port attempts to send a DHCP response packet into the network, the port is shut down. –A DHCP binding table is built for untrusted ports. Client MAC address, IP address, lease time, binding type, VLAN number, and port ID recorded. From a DHCP snooping perspective, untrusted access ports should not send any DHCP server responses, such as DHCPOFFER, DHCPACK, or DHCPNAK.

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-78 DHCP Snooping “I need an IP address/mask, default gateway, and DNS server.” “Here you go, I might be first!” (Rouge) “Here you go.” (Legitimate) Switch: This is an untrusted port, I will block this DHCP Offer” “Thanks, got it.” Switch: This is a trusted port, I will allow this DHCP Offer”

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-79 Configuring DHCP Snooping. 1. Enable DHCP Snooping globally. Switch(config)# ip dhcp snooping 2. Enable DHCP Snooping for specific VLANs. Switch(config)# ip dhcp snooping vlan-id [vlan-id] 3. Configure at least one trusted port. Use no keyword to revert to untrusted. Switch(config)# interface type mod/num Switch(config-if)# ip dhcp snooping trust 4. For untrusted ports specify the rate-limit DHCP traffic. Switch(config-if)# ip dhcp snooping limit rate rate By default, all switch ports in these VLANs are untrusted. Used to prevent starvation attacks by limiting the number of DHCP requests on an untrusted port. Should be less than 100 pps.

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-80 DHCP Snooping Switch(config)# ip dhcp snooping Switch(config)# ip dhcp snooping vlan 10 50 Switch(config)# interface fa 0/0 Switch(config-if)# ip dhcp rate limit 20 Switch(config)# interface gig 0/1 Switch(config-if)# ip dhcp snooping trust Fa0/0 Gig0/1 By default all interfaces are untrusted.

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-82 IP Source Guard IP Source Guard is similar to DHCP snooping. Prevents traffic attacks caused when a host tries to use the IP address (spoofed address) of its neighbor. Switch blocks all IP traffic received on the interface, except for DHCP packets allowed by DHCP snooping. IP Source Guard makes use of: –the DHCP snooping database –static IP source binding entries IP source guard is configured on untrusted L2 interfaces

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-83 83 IP Source Guard If DHCP snooping is enabled the switch learns the MAC and IP address of the hosts that use DHCP. –Source IP address must be identical to the IP address learned by DHCP snooping. –Source MAC address must be identical to the source MAC address learned by DHCP snooping and by the switch port (MAC address table). For hosts that do not use DHCP a static IP source binding can be configured. If the IP address does not match either of these the switch drops the frame/packet. IP source guard is configured on untrusted L2 interfaces

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-84 IP source guard is configured on untrusted L2 interfaces IP Source Guard “I got an IP address/mask, from the DHCP Server.” “Now I will pretend I am a different Source IP Address.” Switch: This is an untrusted port, with Source Guard. I checked my binding table and your Source IP Address does not match the one via DHCP. So this traffic is denied!”

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-85 Configuring IP Source Guard. 1. Enable DHCP Snooping globally. Switch(config)# ip dhcp snooping 2. Enable DHCP Snooping for specific VLANs. Switch(config)# ip dhcp snooping vlan-id [vlan-id] 3. Enable IP Source Guard on one or more interfaces. Switch(config)# interface type mod/num Switch(config-if)# ip verify source [port security] 4. For hosts that do not use DHCP configure static IP source bindings. Switch(config)# ip source binding mac-address vlan vlan-id ip address interface type mod/num By default, all switch ports in these VLANs are untrusted. port security option inspects the MAC address too.

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-86 IP Source Guard Switch(config)# interface fa0/0 Switch(config-if)# ip verify source Fa0/0 Gig0/1 Switch(config)# ip dhcp snooping Switch(config)# ip dhcp snooping vlan 10 50 Switch(config)# interface gig 0/1 Switch(config-if)# ip dhcp snooping trust IP Source Guard DHCP Snooping

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-89 ARP: A quick look IP Packet put on hold ARP Request: Who has IP Address 172.16.10.25? Please send me your MAC Address. L2 Broadcast to all devices on network Hey that’s me! ARP Reply: Here is my MAC Address L2 Unicast only to sender of ARP Request I will add that to my ARP Table. 172.16.10.25 00-0C-04-38-44-AA I will now use the MAC Address to forward the frame. 00-0C- 04-17- 91-CC 00-0C- 04-38- 44-AA IP Packet now sent to Destination IP Packet no longer on hold

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-90 ARP Spoofing In normal ARP operation, a host sends a broadcast to determine the MAC address of a host with a particular IP address. The device at that IP address replies with its MAC address. The originating host caches the ARP response, using it to populate the destination Layer 2 header of packets sent to that IP address. By spoofing an ARP reply from a legitimate device with a gratuitous ARP, an attacking device appears to be the destination host sought by the senders. The ARP reply from the attacker causes the sender to store the MAC address of the attacking system in its ARP cache. All packets destined for those IP addresses will be forwarded through the attacker system.

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-91 What is Gratuitous ARP? HOST B: “Hey everyone I’m host A and my IP Address is 10.1.1.2 and my MAC address is A.A.A.A” Gratuitous ARP is used by hosts to "announce" their IP address to the local network and avoid duplicate IP addresses on the network. Routers and other network hardware may use cache information gained from gratuitous ARPs. Gratuitous ARP is a broadcast packet (like an ARP request)

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-92 ARP has no security or ownership of IP or MAC addresses. Sent every 5 seconds Host A now does an ARP Request for 10.1.1.1. When the router replies add to ARP table. When the Attacker replies add to ARP table. 10.1.1.1 MAC C.C.C.C

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-93 Arpspoof in Action C:\>test C:\>arp -d 15.1.1.1 C:\>ping -n 1 15.1.1.1 Pinging 15.1.1.1 with 32 bytes of data: Reply from 15.1.1.1: bytes=32 time<10ms TTL=255 C:\>arp -a Interface: 15.1.1.26 on Interface 2 Internet Address Physical Address Type 15.1.1.1 00-04-4e-f2-d8-01 dynamic 15.1.1.25 00-10-83-34-29-72 dynamic C:\>arp -a Interface: 15.1.1.26 on Interface 2 Internet Address Physical Address Type 15.1.1.1 00-10-83-34-29-72 dynamic 15.1.1.25 00-10-83-34-29-72 dynamic [root@sconvery-lnx dsniff-2.3]#./arpspoof 15.1.1.1 0:4:43:f2:d8:1 ff:ff:ff:ff:ff:ff 0806 42: arp reply 15.1.1.1 is-at 0:4:4e:f2:d8:1

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-94 Dynamic ARP Inspection (DAI) To prevent ARP spoofing or “poisoning,” a switch must ensure that only valid ARP requests and responses are relayed. DAI prevents these attacks by intercepting and validating all ARP requests and responses. Each intercepted ARP reply is verified for valid MAC address–to–IP address bindings before it is forwarded to a PC to update the ARP cache. ARP replies coming from invalid devices are dropped. DAI determines the validity of an ARP packet based on valid MAC address-to-IP-address bindings database built by DHCP snooping or static ARP entries. In addition, in order to handle hosts that use statically configured IP addresses, DAI can also validate ARP packets against user-configured ARP ACLs.

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-95 DAI associates each interface with a trusted state or an untrusted state. Trusted interfaces bypass all DAI. Untrusted interfaces undergo DAI validation. Dynamic ARP Inspection

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-96 Sent every 5 seconds Host A now does an ARP Request for 10.1.1.1. When the router replies add to ARP table. When the Attacker replies switch drops packet. 10.1.1.1 MAC C.C.C.C I am running DHCP snooping with DAI. This ARP Reply is coming from an untrusted interface. Checked my database and it doesn’t match. Drop it. Trusted Untrusted

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-97 Configuring Dynamic ARP Inspection. 1. Enable DAI on one or more VLANs. Switch(config)# ip arp inspection vlan vlan-range 2. Configure trusted ports. Switch(config)# interface type mod/num Switch(config-if)# ip arp inspection trust By default, all switch ports in these VLANs are untrusted. Step 3 next slide…

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-98 Configuring Dynamic ARP Inspection. By default, all switch ports in these VLANs are untrusted. 3. (Optional) Validate that the ARP reply is really coming from the address listed inside the frame. Must choose at least one. Switch(config)# ip arp inspection validate {[src-mac] [dst-mac] [ip]} scr-ma c: Check the source MAC address in frame against the sender MAC address in the ARP reply. This check is performed on both ARP requests and responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped. dst-ma c: Check the destination MAC address in frame against the target MAC address in the ARP reply This check is performed for ARP responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped. ip : Check the sender’s IP address in all ARP requests; Check the sender IP address against the target IP address in all ARP replies check the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses.

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-99 Configuring Dynamic ARP Inspection. 4a. For hosts that do not use DHCP configure ARP ACL to define static MAC-IP bindings that are permitted. Switch(config)# arp access-list acl-name Switch(config-acl)# permit ip host sender-ip mac host sender-mac 4b. ARP ACL must be applied to the the DAI. Switch(config)# ip arp inspection filter acl-name vlan vlan- range [static] If there is not a match with the ACL the DHCP bindings database is checked next. If the static keyword is used the DHCP bindings database will not be checked.  In effect this is like an implicit deny statement at the end of the ARP ACL.

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-100 100 Dynamic ARP Inspection Switch(config)# ip arp inspection vlan 10 50 Switch(config)# interface gig 0/1 Switch(config-if)# ip arp inspection trust This example shows how to configure DAI for hosts on VLANs 10 through 50. All client ports are untrusted by default. Only Gig 0/1 is trusted –Port where DHCP replies would be expected. Fa0/0 Gig0/1

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-105 Describing vty ACLs Set up standard IP ACL. Use line configuration mode to filter access with the access-class command. Set identical restrictions on every vty line.

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-106 Configures a standard IP access list Switch(config)#access-list access-list-number {permit | deny | remark} source [mask] Enters configuration mode for a vty or vty range Restricts incoming or outgoing vty connections to addresses in the ACL Switch(config-line)#access-class access-list-number in|out Switch(config)#line vty {vty# | vty-range} Describing Commands to Apply ACLs

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-107 Best Practices: Switch Security Secure switch access: Set system passwords. Secure physical access to the console. Secure access via Telnet. Use SSH when possible. Configure system warning banners. Use Syslog if available.

© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-108 Best Practices: Switch Security (Cont.) Secure switch protocols: Trim CDP and use only as needed. Secure spanning tree. Mitigate compromises through a switch: Take precautions for trunk links. Minimize physical port access. Establish standard access port configuration for both unused and used ports.

© 2003, Cisco Systems, Inc. All rights reserved. 2-1 Understanding Switch Security.

Similar presentations

Presentation on theme: "© 2003, Cisco Systems, Inc. All rights reserved. 2-1 Understanding Switch Security."— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

© 2003, Cisco Systems, Inc. All rights reserved. 2-1 Understanding Switch Security.

Similar presentations

Presentation on theme: "© 2003, Cisco Systems, Inc. All rights reserved. 2-1 Understanding Switch Security."— Presentation transcript:

Similar presentations

About project

Feedback