Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter Six Securing the Local Area Network

Published bySharlene Beasley Modified over 6 years ago

Similar presentations

Presentation on theme: "Chapter Six Securing the Local Area Network"— Presentation transcript:

1 Chapter Six Securing the Local Area Network
CCNA Security Chapter Six Securing the Local Area Network

2 Layer 2 Security Perimeter Internet Hosts MARS ACS Iron Port DNS
Firewall Internet VPN IPS Iron Port Hosts Web Server Server DNS

3 OSI Model When it comes to networking, Layer 2 is often a very weak link. Application Presentation Session Transport Network Data Link Physical Application Stream Application Presentation Session Compromised Protocols and Ports Transport IP Addresses Network Initial Compromise MAC Addresses Data Link Physical Links Physical

4 MAC Address Spoofing Attack
1 2 The switch keeps track of the endpoints by maintaining a MAC address table. In MAC spoofing, the attacker poses as another host—in this case, AABBcc Switch Port AABBcc 12AbDd MAC Address: AABBcc MAC Address: 12AbDd Port 1 Port 2 MAC Address: AABBcc Attacker I have associated Ports 1 and 2 with the MAC addresses of the devices attached. Traffic destined for each device will be forwarded directly.

5 MAC Address Spoofing Attack
AABBcc 1 2 I have changed the MAC address on my computer to match the server. Switch Port 1 2 AABBcc Attacker MAC Address: AABBcc MAC Address: AABBcc Port 1 Port 2 The device with MAC address AABBcc has changed locations to Port2. I must adjust my MAC address table accordingly.

6 MAC Address Table Overflow Attack
The switch can forward frames between PC1 and PC2 without flooding because the MAC address table contains port-to-MAC-address mappings in the MAC address table for these PCs.

7 MAC Address Table Overflow Attack
2 1 Bogus addresses are added to the CAM table. CAM table is full. Intruder runs macof to begin sending unknown bogus MAC addresses. MAC Port X /25 Y /25 C /25 3/25 MAC X 3/25 MAC Y 3/25 MAC Z XYZ 3/25 Host C VLAN 10 VLAN 10 VLAN 10 flood 3 The switch floods the frames. 4 Attacker sees traffic to servers B and D. A B C D

8 STP Manipulation Attack
Spanning tree protocol operates by electing a root bridge STP builds a tree topology STP manipulation changes the topology of a network—the attacking host appears to be the root bridge Root Bridge Priority = 8192 MAC Address= C0.1234 F F F F F B

9 STP Manipulation Attack
Root Bridge Priority = 8192 F B F F F F F F F B F F STP BPDU Priority = 0 STP BPDU Priority = 0 Root Bridge Attacker The attacking host broadcasts out STP configuration and topology change BPDUs. This is an attempt to force spanning tree recalculations.

10 LAN Storm Attack Broadcast Broadcast Broadcast Broadcast Broadcast Broadcast Broadcast Broadcast Broadcast Broadcast Broadcast Broadcast Broadcast, multicast, or unicast packets are flooded on all ports in the same VLAN. These storms can increase the CPU utilization on a switch to 100%, reducing the performance of the network.

11 Storm Control Total number of broadcast packets or bytes

12 VLAN = Broadcast Domain = Logical Network (Subnet)
VLAN Attacks Segmentation Flexibility Security VLAN = Broadcast Domain = Logical Network (Subnet)

13 VLAN Attacks A VLAN hopping attack can be launched in two ways:
802.1Q VLAN 10 Trunk Trunk VLAN 20 Server 802.1Q Attacker sees traffic destined for servers Server A VLAN hopping attack can be launched in two ways: Spoofing DTP Messages from the attacking host to cause the switch to enter trunking mode Introducing a rogue switch and turning trunking on

14 Double-Tagging VLAN Attack
1 Attacker on VLAN 10, but puts a 20 tag in the packet The first switch strips off the first tag and does not retag it (native traffic is not retagged). It then forwards the packet to switch 2. 2 20,10 The second switch receives the packet, on the native VLAN 802.1Q, 802.1Q 20 3 802.1Q, Frame Trunk (Native VLAN = 10) Frame 4 The second switch examines the packet, sees the VLAN 20 tag and forwards it accordingly. Victim (VLAN 20) Note: This attack works only if the trunk has the same native VLAN as the attacker.

15 Port Security Overview
Port 0/1 allows MAC A Port 0/2 allows MAC B Port 0/3 allows MAC C MAC A 0/1 0/2 0/3 MAC A MAC F Attacker 1 Allows an administrator to statically specify MAC Addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses Attacker 2

16 CLI Commands Sets the interface mode as access
Switch(config-if)# switchport mode access Sets the interface mode as access Switch(config-if)# switchport port-security Enables port security on the interface Switch(config-if)# switchport port-security maximum value Sets the maximum number of secure MAC addresses for the interface (optional)

17 Switchport Port-Security Parameters
Description mac-address mac-address (Optional) Specify a secure MAC address for the port by entering a 48-bit MAC aaddress. You can add additional secure MAC addresses up to the maximum value configured. vlan vlan-id (Optional) On a trunk port only, specify the VLAN ID and the MAC address. If no VLAN ID is specified, the native VLAN is used. vlan access (Optional) On an access port only, specify the VLAN as an access VLAN. vlan voice (Optional) On an access port only, specify the VLAN as a voice VLAN mac-address sticky [mac-address] (Optional) Enable the interface for sticky learning by entering only the mac-address sticky keywords. When sticky learning is enabled, the interface adds all secure MAC addresses that are dynamically learned to the running configuration and converts these addresses to sticky secure MAC addresses. Specify a sticky secure MAC address by entering the mac-address sticky mac-address keywords.. maximum value (Optional) Set the maximum number of secure MAC addresses for the interface. The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system. The active Switch Database Management (SDM) template determines this number. This number represents the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces. The default setting is 1. vlan [vlan-list] (Optional) For trunk ports, you can set the maximum number of secure MAC addresses on a VLAN. If the vlan keyword is not entered, the default value is used. vlan: set a per-VLAN maximum value. vlan vlan-list: set a per-VLAN maximum value on a range of VLANs separated by a hyphen or a series of VLANs separated by commas. For nonspecified VLANs, the per-VLAN maximum value is used.

18 Port Security Violation Configuration
Switch(config-if)# switchport port-security violation {protect | restrict | shutdown} Sets the violation mode (optional) Switch(config-if)# switchport port-security mac-address mac-address Enters a static secure MAC address for the interface (optional) Switch(config-if)# switchport port-security mac-address sticky Enables sticky learning on the interface (optional)

19 Switchport Port-Security Violation Parameters
Description protect (Optional) Set the security violation protect mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred. restrict (Optional) Set the security violation restrict mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred. shutdown (Optional) Set the security violation shutdown mode. In this mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and increments the violation counter. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shut down interface configuration commands. shutdown vlan Set the security violation mode to per-VLAN shutdown. In this mode, only the VLAN on which the violation occurred is error-disabled.

20 Port Security Aging Configuration
Switch(config-if)# switchport port-security aging {static | time time | type {absolute | inactivity}} Enables or disables static aging for the secure port or sets the aging time or type

21 Switchport Port-Security Aging Parameters
Description static Enable aging for statically configured secure addresses on this port. time time Specify the aging time for this port. The range is 0 to 1440 minutes. If the time is 0, aging is disabled for this port. type absolute Set absolute aging type. All the secure addresses on this port age out exactly after the time (minutes) specified and are removed from the secure address list. type inactivity Set the inactivity aging type. The secure addresses on this port age out only if there is no data traffic from the secure source address for the specified time period.

22 Typical Configuration
S2 PC B Switch(config-if)# switchport mode access switchport port-security switchport port-security maximum 2 switchport port-security violation shutdown switchport port-security mac-address sticky switchport port-security aging time 120

23 CLI Commands sw-class# show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action (Count) (Count) (Count) Fa0/ Shutdown Total Addresses in System (excluding one mac per port) : 0 Max Addresses limit in System (excluding one mac per port) : 1024 sw-class# show port-security interface f0/12 Port Security : Enabled Port status : Secure-down Violation mode : Shutdown Maximum MAC Addresses : 2 Total MAC Addresses : 1 Configured MAC Addresses : 0 Aging time : 120 mins Aging type : Absolute SecureStatic address aging : Disabled Security Violation Count : 0

24 View Secure MAC Addresses
sw-class# show port-security address Secure Mac Address Table Vlan Mac Address Type Ports Remaining Age (mins) ffff.aaaa SecureConfigured Fa0/ Total Addresses in System (excluding one mac per port) : 0 Max Addresses limit in System (excluding one mac per port) : 1024

25 MAC Address Notification
MAC B SNMP traps sent to NMS when new MAC addresses appear or when old ones time out. NMS F1/2 F1/1 Switch CAM Table F2/1 F1/1 = MAC A F1/2 = MAC B F2/1 = MAC D (address ages out) MAC A MAC D is away from the network. MAC address notification allows monitoring of the MAC addresses, at the module and port level, added by the switch or removed from the CAM table for secure ports.

26 Configure Portfast Server Workstation Command Description
Switch(config-if)# spanning-tree portfast Enables PortFast on a Layer 2 access port and forces it to enter the forwarding stateimmediately. Switch(config-if)# no spanning-tree portfast Disables PortFast on a Layer 2 access port. PortFast is disabled by default. Switch(config)# spanning-tree portfast default Globally enables the PortFast feature on all nontrunking ports. Switch# show running-config interface type slot/port Indicates whether PortFast has been configured on a port.

27 BPDU Guard Root Bridge F F F F F B BPDU Guard Enabled STP BPDU Attacker Switch(config)# spanning-tree portfast bpduguard default Globally enables BPDU guard on all ports with PortFast enabled

28 Display the State of Spanning Tree
Switch# show spanning-tree summary totals Root bridge for: none. PortFast BPDU Guard is enabled UplinkFast is disabled BackboneFast is disabled Spanning tree default pathcost method used is short Name Blocking Listening Learning Forwarding STP Active 1 VLAN <output omitted>

29 Root Guard Enables root guard on a per-interface basis Attacker
Root Bridge Priority = 0 MAC Address = c45.1a5d F F F F Root Guard Enabled F B F STP BPDU Priority = 0 MAC Address = c Attacker Switch(config-if)# spanning-tree guard root Enables root guard on a per-interface basis

30 Verify Root Guard Switch# show spanning-tree inconsistentports
Name Interface Inconsistency VLAN FastEthernet3/ Port Type Inconsistent VLAN FastEthernet3/ Port Type Inconsistent VLAN FastEthernet3/ Port Type Inconsistent VLAN FastEthernet3/ Port Type Inconsistent VLAN FastEthernet3/ Port Type Inconsistent VLAN FastEthernet3/ Port Type Inconsistent VLAN FastEthernet3/ Port Type Inconsistent VLAN FastEthernet3/ Port Type Inconsistent VLAN FastEthernet3/ Port Type Inconsistent VLAN FastEthernet3/ Port Type Inconsistent Number of inconsistent ports (segments) in the system :10

31 Storm Control Methods Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received Traffic rate in packets per second and for small frames. This feature is enabled globally. The threshold for small frames is configured for each interface.

32 Storm Control Configuration
Switch(config-if)# storm-control broadcast level 75.5 Switch(config-if)# storm-control multicast level pps k 1k Switch(config-if)# storm-control action shutdown Enables storm control Specifies the level at which it is enabled Specifies the action that should take place when the threshold (level) is reached, in addition to filtering traffic

33 Storm Control Parameters
Description broadcast This parameter enables broadcast storm control on the interface. multicast This parameter enables multicast storm control on the interface. unicast This parameter enables unicast storm control on the interface. level level [level-low] Rising and falling suppression levels as a percentage of total bandwidth of the port. level: Rising suppression level. The range is 0.00 to Block the flooding of storm packets when the value specified for level is reached. level-low: (Optional) Falling suppression level, up to two decimal places. This value must be less than or equal to the rising suppression value. level bps bps [bps-low] Specify the rising and falling suppression levels as a rate in bits per second at which traffic is received on the port. bps: Rising suppression level. The range is 0.0 to Block the flooding of storm packets when the value specified for bps is reached. bps-low: (Optional) Falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value. level pps pps [pps-low] Specify the rising and falling suppression levels as a rate in packets per second at which traffic is received on the port. pps: Rising suppression level. The range is 0.0 to Block the flooding of storm packets when the value specified for pps is reached. pps-low: (Optional) Falling suppression level, up to one decimal place. This value must be equal to or less than the rising suppression value. action {shutdown|trap} The action taken when a storm occurs on a port. The default action is to filter traffic and to not send an SNMP trap. The keywords have these meanings: shutdown: Disables the port during a storm trap: Sends an SNMP trap when a storm occurs

34 Verify Storm Control Settings
Switch# show storm-control Interface   Filter State Upper Lower Current    Gi0/   Forwarding     20 pps      10 pps     5 pps Gi0/   Forwarding     50.00%      40.00%     0.00% <output omitted>

35 Mitigating VLAN Attacks
Trunk (Native VLAN = 10) Disable trunking on all access ports. Disable auto trunking and manually enable trunking Be sure that the native VLAN is used only for trunk lines and no where else

36 Controlling Trunking Specifies an interface as a trunk link
Switch(config-if)# switchport mode trunk Specifies an interface as a trunk link . Switch(config-if)# switchport nonegotiate Prevents the generation of DTP frames. Switch(config-if)# switchport trunk native vlan vlan_number Set the native VLAN on the trunk to an unused VLAN

37 Traffic Analysis IDS RMON Probe Protocol Analyzer “Intruder Alert!” A SPAN port mirrors traffic to another port where a monitoring device is connected. Without this, it can be difficult to track hackers after they have entered the network. Attacker

38 CLI Commands Switch(config)#
monitor session session_number source {interface interface-id [, | -] [both | rx | tx]} | {vlan vlan-id [, | -] [both | rx | tx]}| {remote vlan vlan-id} monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate] [ingress {dot1q vlan vlan-id | isl | untagged vlan vlan-id | vlan vlan-id}]} | {remote vlan vlan-id} Switch(config)#

39 Verify SPAN Configuration

40 SPAN and IDS IDS F0/2 Use SPAN to mirror traffic in and out of port F0/1 to port F0/2. F0/1 Attacker

41 Overview of RSPAN “Intruder Alert!” An RSPAN port mirrors traffic to another port on another switch where a probe or IDS sensor is connected. This allows more switches to be monitored with a single probe or IDS. IDS Source VLAN RSPAN VLAN Source VLAN Attacker Source VLAN

42 Configuring RSPAN 1. Configure the RPSAN VLAN 2960-1 2960-2
2960-1(config)# vlan 100 2960-1(config-vlan)# remote-span 2960-1(config-vlan)# exit 1. Configure the RPSAN VLAN 2960-1 2960-2 2. Configure the RSPAN source ports and VLANs 2960-1(config)# monitor session 1 source interface FastEthernet 0/1 2960-1(config)# monitor session 1 destination remote vlan reflector-port FastEthernet 0/24 2960-1(config)# interface FastEthernet 0/2 2960-1(config-if)# switchport mode trunk 3. Configure the RSPAN traffic to be forwarded 2960-2(config)# monitor session 2 source remote vlan 100 2960-2(config)# monitor session 2 destination interface FastEthernet 0/3 2960-2(config)# interface FastEthernet 0/2 2960-2(config-if)# switchport mode trunk

43 Verifying RSPAN Configuration
2960-1 2960-2 show monitor [session {session_number | all | local | range list | remote} [detail]] [ | {begin | exclude | include}expression]

44 Layer 2 Guidelines Manage switches in as secure a manner as possible (SSH, out-of-band management, ACLs, etc.) Set all user ports to non-trunking mode (except if using Cisco VoIP) Use port security where possible for access ports Enable STP attack mitigation (BPDU guard, root guard) Use Cisco Discovery Protocol only where necessary – with phones it is useful Configure PortFast on all non-trunking ports Configure root guard on STP root ports Configure BPDU guard on all non-trunking ports

45 VLAN Practices Always use a dedicated, unused native VLAN ID for trunk ports Do not use VLAN 1 for anything Disable all unused ports and put them in an unused VLAN Manually configure all trunk ports and disable DTP on trunk ports Configure all non-trunking ports with switchport mode access

Download ppt "Chapter Six Securing the Local Area Network"

Similar presentations

Mitigating Layer 2 Attacks

Mitigating Layer 2 Attacks
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: VLANs Routing & Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: VLANs Routing & Switching.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Common Layer 2 Attacks and Countermeasures.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Common Layer 2 Attacks and Countermeasures.
Part 2: Preventing Loops in the Network

Part 2: Preventing Loops in the Network
Switching & Operations. Address learning Forward/filter decision Loop avoidance Three Switch Functions.

Switching & Operations. Address learning Forward/filter decision Loop avoidance Three Switch Functions.
Switching Topic 4 Inter-VLAN routing. Agenda Routing process Routing VLANs – Traditional model – Router-on-a-stick – Multilayer switches EtherChannel.

Switching Topic 4 Inter-VLAN routing. Agenda Routing process Routing VLANs – Traditional model – Router-on-a-stick – Multilayer switches EtherChannel.
Cisco 3 - Switch Perrine. J Page 15/8/2015 Chapter 8 What happens to the member ports of a VLAN when the VLAN is deleted? 1.They become inactive. 2.They.

Cisco 3 - Switch Perrine. J Page 15/8/2015 Chapter 8 What happens to the member ports of a VLAN when the VLAN is deleted? 1.They become inactive. 2.They.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: VLANs Routing & Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: VLANs Routing & Switching.
STP Spanning tree protocol. Trunk port : A trunk port is a port that is assigned to carry traffic for all the VLANs that are accessible by a specific.

STP Spanning tree protocol. Trunk port : A trunk port is a port that is assigned to carry traffic for all the VLANs that are accessible by a specific.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Understanding Switch Security Issues.

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Understanding Switch Security Issues.
Securing the Local Area Network

Securing the Local Area Network
VLANs- Chapter 3 CCNA Exploration Semester 3 Modified by Profs. Ward

VLANs- Chapter 3 CCNA Exploration Semester 3 Modified by Profs. Ward
CCENT Study Guide Chapter 11 VLANs and Inter-VLAN Routing.

CCENT Study Guide Chapter 11 VLANs and Inter-VLAN Routing.
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—2-1 Implementing VLANs in Campus Networks Applying Best Practices for VLAN Topologies.

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—2-1 Implementing VLANs in Campus Networks Applying Best Practices for VLAN Topologies.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: Implementing VLAN Security Routing And Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: Implementing VLAN Security Routing And Switching.
– Chapter 5 – Secure LAN Switching

– Chapter 5 – Secure LAN Switching
CCNA Guide to Cisco Networking Fundamentals Fourth Edition

CCNA Guide to Cisco Networking Fundamentals Fourth Edition
VLAN Trunking Protocol (VTP)

VLAN Trunking Protocol (VTP)
Building Cisco Multilayer Switched Networks (BCMSN)

Building Cisco Multilayer Switched Networks (BCMSN)

Similar presentations

Ads by Google