– Chapter 5 – Secure LAN Switching

Slides:



Advertisements
Similar presentations
Ethernet Switch Features Important to EtherNet/IP
Advertisements

Mitigating Layer 2 Attacks
© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—2-1 Extending Switched Networks with Virtual LANs Introducing VLAN Operations.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: VLANs Routing & Switching.
Switching & Operations. Address learning Forward/filter decision Loop avoidance Three Switch Functions.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: VLANs Routing & Switching.
Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) Sriram Gopinath( )
Chapter 5 Secure LAN Switching.  MAC Address Flooding Causing CAM Overflow and Subsequent DOS and Traffic Analysis Attacks.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
(part 3).  Switches, also known as switching hubs, have become an increasingly important part of our networking today, because when working with hubs,
Virtual LANs. VLAN introduction VLANs logically segment switched networks based on the functions, project teams, or applications of the organization regardless.
We will be covering VLANs this week. In addition we will do a practical involving setting up a router and how to create a VLAN.
Secure LAN Switching Layer 2 security Introduction Port-level controls
Chapter 4: Managing LAN Traffic
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: Implementing VLAN Security Routing And Switching.
Semester 3, v Chapter 3: Virtual LANs
– Chapter 5 – Secure LAN Switching
Network Security1 – Chapter 5 – Secure LAN Switching Layer 2 security –Port security –IP permit lists –Protocol filtering –Controlling LAN floods (using.
VLAN V irtual L ocal A rea N etwork VLAN Network performance is a key factor in the productivity of an organization. One of the technologies used to.
Chapter 8: Virtual LAN (VLAN)
Cisco 3 - LAN Perrine. J Page 110/20/2015 Chapter 8 VLAN VLAN: is a logical grouping grouped by: function department application VLAN configuration is.
Mahindra-British Telecom Ltd. Exploiting Layer 2 By Balwant Rathore.
© 2002, Cisco Systems, Inc. All rights reserved..
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: Implementing VLAN Security Routing And Switching.
Enabling Port Security
Configuring Cisco Switches Chapter 13 powered by DJ 1.
1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 3 v3.0 Module 9 Virtual Trunking Protocol.
Switch Features Most enterprise-capable switches have a number of features that make the switch attractive for large organizations. The following is a.
LAN Switching and Wireless Basic Switch Concepts and Configuration.
W&L Page 1 CCNA CCNA Training 2.7 Configure and verify trunking on Cisco switches Jose Luis Flores / Amel Walkinshaw Aug, 2015.
Switching Topic 2 VLANs.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Switching in an Enterprise Network Introducing Routing and Switching in the.
W&L Page 1 CCNA CCNA Training 2.5 Describe how VLANs create logically separate networks and the need for routing between them Jose Luis.
1 VLANs Relates to Lab 6. Short module on basics of VLAN switching.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: VLANs Routing & Switching.
Cisco 3 - Switch Perrine. J Page 12/4/2016 Chapter 9 Which protocol is Cisco proprietary and designed to carry traffic from multiple VLANs? A Q.
+ Lecture#8: VLAN Asma AlOsaimi Topics VLAN Segmentation VLAN Implementation VLAN Security and Design 3.0.
Virtual Local Area Networks In Security By Mark Reed.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 VLANs.
CCNA Practice Exam Questions
Introduction to Networks v6.0
Instructor Materials Chapter 5: Network Security and Monitoring
Exploiting Layer 2 By Balwant Rathore.
Instructor Materials Chapter 7: Access Control Lists
SECURITY ZONES.
Switching and VLANs.
© 2002, Cisco Systems, Inc. All rights reserved.
Virtual Local Area Networks or VLANs
Spanning Tree Protocol
Instructor Materials Chapter 6: VLANs
Instructor Materials Chapter 5: Ethernet
Chapter 4 Data Link Layer Switching
Chapter 5: Switch Configuration
Chapter 2: Basic Switching Concepts and Configuration
VLAN Trunking Protocol
Instructor: Mr Malik Zaib
Virtual LANs.
Spanning Tree Protocol
Chapter 5: Network Security and Monitoring
Spanning Tree Protocol
Chapter 4: Access Control Lists (ACLs)
Routing and Switching Essentials v6.0
CCNA Routing and Switching Routing and Switching Essentials v6.0
Access Control Lists CCNA 2 v3 – Module 11
Switching and VLANs.
© 2002, Cisco Systems, Inc. All rights reserved.
Chapter 3: Implementing VLAN Security
© 2002, Cisco Systems, Inc. All rights reserved.
LAN Switching and Wireless – Chapter 2
Presentation transcript:

– Chapter 5 – Secure LAN Switching Layer 2 security Port security IP permit lists Protocol filtering Controlling LAN floods (using port filtering, protocol filtering, etc.) Private VLANs Using IEEE 802.1x for port authentication and access control Network Security

Switch and Layer 2 security Security of lower layer devices is important, because some threats are initiated on Layer 2 rather than Layer 3 and above. Example: A firewall or a router cannot block a compromised server on a DMZ LAN from connecting to another server on the same segment.  because the connection occurs at Layer 2 Focus of the chapter: Cisco Catalyst 5000 series switches (principles applicable to other types of switches) Network Security

Source: http://www. cisco Network Security

Switch and Layer 2 security (cont.) More example attacks: http://www.cisco.com/ca/events/pdfs/L2-security-Bootcamp-final.pdf (local copy) Network Security

Setting up a secure Layer 2 switching environment Overview of Counter-measures: Use VLANs to create logical groupings of devices  Each of the groups may have different security levels. Disable unused ports, and place them in a VLAN with no Layer 3 access. Besides VLANs, other mechanisms must be used (e.g., port security) Separate devices should be used for zones at different security levels. Disable Layer 3 connection (e.g., Telnet, HTTP) to the switch. Disable trunking on ports that do not require it (and place the trunk port in its own VLAN). A trunk is an interface on a switch that can carry packets for any VLAN. When packets get sent between switches, each packet gets tagged, based on the IEEE standard for passing VLAN packets between bridges, 802.1Q. The receiving switch removes the tag and forwards the packet to the correct port or VLAN in the case of a broadcast packet.  “VLAN Insecurity” (http://www.spirit.com/Network/net0103.html) Network Security

Need for other counter-measures How about attacks launched from hosts sitting on a LAN? In general, those hosts are considered as trusted entities. So it is difficult to stop a host when it becomes an attacker. Solution: Make sure access to the LAN is secured.  MAC address filtering (e.g., Cisco’s port security, DHCP) Network Security

Port security A mechanism to restrict the MAC addresses that can connect via a particular port of the switch Allows a range of MAC addresses to be specified for a particular port Only frames with a right MAC address can go through the switch. Useful for preventing MAC address flooding attacks CAM overflow: Content-Addressable Memory (aka. associated memory) CAM table stores information such as MAC addresses available on physical ports, with their associated VLAN params. CAM table has fixed size. When a CAM table is full, the switch is unable to create a new entry.  It forwards a received frame to all ports, resulting in increased traffic and allowing the attacker to examine all frames. So, CAM overflow attacks may lead to subsequent DoS and traffic analysis attacks (next slide) Network Security

MAC Address Flooding Network Security

MAC Address Flooding (cont.) 8/7/2018 MAC Address Flooding (cont.) Counter-measures: Hard-coding the MAC addresses that are allowed to connect on a port, or Limiting the number of hosts that are allowed to connect on a port Example 5-1: approach 1 + timed suspension Console> (enable) set port security 2/1 enable Console> (enable) set port security 2/1 enable 00-90-2b-03-34-08 Console> (enable) set port security 2/1 shutdown 600 Example 5-2: approach 2 Console> (enable) set port security 3/2 maximum 20 set port security http://www.cisco.com/en/US/docs/switches/lan/catalyst4000/8.3and8.4glx/command/reference/set_l_q.html#wp1054409 To configure port security and unicast flood on a port or range of ports, use the set port security command. set port security mod/port... [enable | disable] [mac_addr] [age {age_time}] [maximum {num_ of_mac}] [shutdown {shutdown_time}] [unicast-flood {enable | disable}] [violation {shutdown | restrict}] Network Security

8/7/2018 IP permit lists Purpose: To restrict higher layer traffic, such asTelnet, SSH, HTTP, and SNMP, from entering a switch Allows IP addresses to be specified that are allowed to send these kinds of traffic through the switch Command: set ip permit enable Example 5-3 set ip permit enable [telnet | snmp | ssh] Enable the IP permit list. http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/catos/7.x/configuration/guide/ip_perm.html Network Security

Protocol Filtering Purpose: To limit broadcast/multicasts for certain protocols With Cisco Catalyst 5000 series of switches, packets are classified into protocol groups: IP 2. IPX AppleTalk, DECnet, Banyan VINES 4. Other protocols A port is configured to belong to one or more of these groups. For each of the groups a port belong to, the port is in one of the following states (for that group): On  Receive all broadcast/multicast traffic for that protocol Off  no broadcast/multicast traffic for that protocol Auto  auto-configured port The port becomes a member of the protocol group only after the device connected to the port transmits packets of that specific protocol group. Once the attached device stops transmitting packets for that protocol for 60 minutes, the port is removed form that protocol group. Example 5-4 Network Security

Controlling LAN floods Attackers may cause frame flood (e.g., CAM flooding), or send broadcast/multicast messages to flood the LAN. Counter-measures: Protocol filtering Setting up threshold limits for broadcast/multicast traffic on ports Catalyst switches allow thresholds for broadcast traffic to be set up on a per-port basis. The thresholds can depend on either the bandwidth consumed by broadcasts or the number of broadcast packets being sent across a port. ‘Bandwidth consumed’ is a preferred measure. (Why?) Example: Console> (enable) set port broadcast 2/1-6 75% Other broadcast/multicast traffic is dropped when the bandwidth consumed by broadcast/multicast traffic reaches 75%. Network Security

Private VLANs An enhancement to Catalyst 6000 switches Traditional VLAN: no layer 2 segregation of devices of the same VLAN  So when one of the devices in a VLAN is compromised, other devices on the same VLAN may be compromised as well. Purpose of private VLANs: To allow restrictions to be placed on the Layer 2 traffic of a VLAN. Three types of private VLAN ports: Promiscuous ports: communicate with all other private VLAN ports Isolated ports: have complete Layer 2 isolation from other ports within the same private VLAN (e.g., Ethernet ports in hotel rooms) Community ports: communicate among themselves and with their promiscuous ports Network Security

Using IEEE 802.1x Purpose: (a) port authentication; (b) access control Other usage: used in 802.11i for WLAN security Network Security

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.