��Semester 3 v5 Semester 3 v5 --Chapter 8Chapter 8

Cisco Networking Academy

CCNP

Minimizing Service Loss

and Data Theft in a

Campus Network

��Switch security concernsSwitch security concerns

• Network security coverage often focuses on edge-routing devices and filtering of packets

• Campus access devices and L2 communication are left largely unconsidered

• But if an attack is launched at L2 on an internal campus device, the rest of the network can be quickly compromised

��Rogue DevicesRogue Devices

• Rogue devices can be

– Access Points

– Wireless routers

– Access switches

– Hubs

• Devices typically connected at access level switches

• To mitigate STP manipulation

• root guard

• BPDU guard

��Switch attack categoriesSwitch attack categories

• L2 malicious attacks are typically launched by a device connected to the campus network

– A physical rogue device

– An external intrusion that takes control of and launches attacks from a trusted device

• Types of L2 attacks

– MAC layer attacks

– VLAN attacks

– Spoof attacks

– Attacks on switch devices

��MAC flooding attackMAC flooding attack

• CAM table overflow that causes flooding of regular data frames out of all switch ports

• Purposes

– Collecting a broad sample of traffic

– DoS attack

• Suggested mitigation:

– Limit the number of allowed MAC addresses in a port using Port Security

��Port securityPort security

• Available on the 6500, 3550 and 2950

• Administrator configures MAC addresses to provide security

• It restricts a switch port to a specific set and/or number of MAC addresses

• Maximum number of secure MAC on a port

• A MAC address can be allowed:

– Static assignment of the MAC address

• switchport port-security mac-address mac_address

– Dynamic learning of the MAC address (sticky learning)

– Manually configure a number of MAC and the rest dynamically configured

��Configuring Port securityConfiguring Port security

1. Enable port security

2. Set MAC address limit ���� default = 1

3. Specify allowable MAC addresses

4. Define violation actions

– When the maximum number of secure MAC addresses has been added and a station whose MAC address is not in the table attempts to access

– A station whose MAC address is configured as secure on another secure port attempts to access the interface

– 3 violation modes

• Protect ����packets with unknown source addresses are dropped until secure MAC are manually removed

• Restrict ���� trap notification to the SNMP management station

• Shutdown ���� interface shut down and send an SNMP trap notification

��Sticky MAC addressesSticky MAC addresses

• Limits switch port access to a single, specific MAC address without the network administrator having gather and manually associate the MAC address of every legitimate device with a particular switch port

• The switch port converts dynamically learned MAC addresses to sticky MAC addresses

• It subsequently adds them to the running configuration as if they were static entries for a single MAC address to be allowed by Port Security

• Configuration:

– switchport port-security mac-address sticky

• It can not be used on ports that use voice VLANs

• usernames and passwords can be configured directly on the network device

– This configuration does not scale well

• Recommend ���� security handled at centralized location

• Different security features (AAA):

– Authentication

• Verifies a user identity

– Authorization

• Specifies the permitted tasks for the user

– Accounting

• Provides billing, auditing and monitoring

• AAA can use protocols such as RADIUS, TACACS+ or 802.1x to administer its security functions

��AAAAAA

• AAA enables dynamic configuration of the type of authentication and authorization

– On a per-line (per-user) basis

– On a per-service basis

• Method lists must be created

– Sequential list that defines the authentication methods used to authenticate a user

– Enable designation of one or more security protocols to be used for authentication

• Order is established by which servers will be contacted for authentication and authorization

• Users attempt login and must be authenticated by server

• Users must be authorized to user requested resources if Authorization is configured

• Users activity is recorded if Accounting is configured

��AAA processAAA process

��Configuring AAA AuthenticationConfiguring AAA Authentication

• AAA authentication

– Access to the console: aaa authentication login

– Access to VTYs through Telnet and SSH

– Access to privileged EXEC mode

• Default method:

– applied to all interfaces if no other method list is defined

• Named list method:

– must be applied to a specific interface before any of the defined

authentication methods will be performed

��Configuring AAA AuthenticationConfiguring AAA Authentication

• Responses:

– FAIL

• User has not met the criteria contained in the

authentication database to be successfully

authenticated

• Authentication ends with a FAIL response

– ERROR

• The security server has not responded to an

authentication query

• When ERROR detected, AAA select the next

authentication method defined in the authentication

method list

��Configuring AAA AuthenticationConfiguring AAA Authentication

• Authentication for logins on TTYs, VTYs, and the console:

RTA(config)#aaa authentication login

default tacacs+ none

default method 1st method If 1st errors, then grant access

• Client-server-based access control and authentication

protocol

• Restricts unauthorized clients from connecting to a

LAN through publicly accessible ports

• The authentication server authenticates each client

connected to a switch port before making available

any services offered by the switch or the LAN

• Before authentication, 802.1x only allows EAPOL

traffic through the port

– EAPOL(Extensible Authentication Protocol over LAN)

��802.1x802.1x

• Client

– device that requests access to the LAN and switch services and responds to requests from the switch

– It must be running 802.1X-compliant client software (Ex: XP)

• Authentication server

– validates the identity of the client

– notifies the switch whether or not the client is authorized to access the LAN and switch services

– RADIUS + EAP (Extensible Authentication Protocol) only

• Switch

– controls the physical access to the network based on the authentication status of the client

– proxy between the client and the authentication server

– includes the RADIUS client + 802.1x

– encapsulates and decapsulates the EAP frames

��Roles in 802.1xRoles in 802.1x

• The switch or the client can start authentication

• If 802.1X not enabled on the switch ���� EAPOL frames dropped

• If the client does not receive an EAP-request/identity frame after a defined number of attempts to start authentication ����client sends frames as if the port is in the authorized state

• Ex: OTP (One-Time-Password) authentication method + RADIUS server

��802.1x message exchange802.1x message exchange

• Unauthorized state ���� State where port starts

– the port disallows all traffic except for 802.1X protocol packets

• Authorized state

– When a client is successfully authenticated

– Allows all traffic for the client to flow normally

• If a client that does not support 802.1X is connected to an unauthorized 802.1X port

– The client is not granted access to the network

• If an 802.1X-enabled client connects to a port that is not running the 802.1X protocol

– the client sends frames as if the port is in the authorized state

• Dot1x port-control

– Force-authorized

– Force unauthorized

– Auto

��802.1x authorized ports802.1x authorized ports

• Dot1x port-control

– Force-authorized (default)

• 802.1X is disabled and the port transitions to the authorized state

without any authentication exchange required

– Force unauthorized

• the port remains in the unauthorized state

• The switch cannot provide authentication services

– Auto

• enables 802.1X authentication

• The port begins in unauthorized state

• allows only EAPOL frames through the port

• If the client is successfully authenticated, the port state changes to

authorized

• When a client logs off

– it sends an EAPOL-logoff message

– the switch port transitions to the unauthorized state

��802.1x authorized ports802.1x authorized ports

1. Enable AAAswitch(config)#aaa new-model

2. Create a 802.1x authentication method list

switch(config)# aaa authentication dot1x {default} method1 [method2…]

3. Globally enable 802.1x port-based

authenticationswitch(config)#dot1x system-auth-control

4. Enable 802.1x on the interface

switch(config)# interface interface_idswitch(config-if)# dot1x port-control auto

��Configuring 802.1xConfiguring 802.1x

��VLAN hoppingVLAN hopping

• Network attack where

– Attacking system sends packets to, or collects them from, a VLAN that should not be accessible to that system

– Attacking system spoofs itself as a legitimate trunk negotiating device

– Trunk link is negotiated dinamically

– Attacking device gains access to data on all VLANscarried by the negotiated trunk

• Implementations

• Switch spoofing

• Double tagging

��VLAN hopping VLAN hopping –– Switch spoofingSwitch spoofing

• Attacker gains access to a switch port and sends DTP negotiation frames toward a switch with DTP running and autonegotiation turned on

• Attacker and switch negotiate trunking over the port

• Switch allows all VLANs to traverse de trunk link

• Attacker sends data to, or collects it from, all VLANs carried on that trunk

��VLAN hopping VLAN hopping –– Double taggingDouble tagging

• An attacker generates frames with two 802.1Q headers in order to get the switch to forward frames onto a VLAN that would be inaccessible to the attacker through legitimate means

– Attacker sends a frame with two 802.1Q headers

– Switch1 strips the outer tag and forwards the frame to all ports within same native VLAN

– Switch2 interprets the frame according to information in the inner tag

– Switch2 forwards the frame out all ports associated with the second VLAN, including trunk ports

��How to mitigate VLAN hoppingHow to mitigate VLAN hopping

• Measures to defend the network from VLAN hopping

– Configure all unused ports as access ports• switch(config)#interface-range type mod/portswitch(config-if)#switchport mode access

– Place all unused ports in the shutdown state and associate with a VLAN designed only for unused ports, carrying no user data traffic • switch(config-if)#switchport access vlan vlan-id

– When establishing a trunk link, configure

• the Native VLAN to be different from any data VLANs

• trunking as on, rather than negotiated

• the specific VLAN range to be carried on the trunk

��ACLsACLs

• ACLs filter traffic

• 3 applications of ACLs:

– Router ACLs (RACLs)

• IP standard and IP extended ACLs

• filter routed traffic between VLANs

• Applied to L3 interfaces for specific directions (inbound/outbound)

– Port ACLs (PACLs)

• filter traffic entering a L2 switch port, trunk or Etherchannel

– VLAN ACLs or VLAN maps

• filter bridged and routed packets

• apply to all traffic on the VLAN based on Ethertype and MAC address

• Follow route-map conventions, where map sequences are checked in order

• VACLs are not defined by direction

��VLAN ACLs and VLAN MapsVLAN ACLs and VLAN Maps

• Can filter all traffic traversing a switch

• VLAN maps

– not defined by direction

– match clauses to select traffic and perform operations on it

– Each clause contains one or more ACLs

– only way to control filtering within a VLAN

– If there is a match clause for a packet in the VLAN map, and that packet does not match any of the entries within the map ���� default VLAN map action = drop the packet

– If there is no match clause for that packet

• default ���� forward the packet

• A VLAN map cannot be applied to a VLAN on a switch that has ACLs applied to L2 interfaces (port ACLs)

��VLAN ACLs and VLAN MapsVLAN ACLs and VLAN Maps

• Example of VACLs configuration:

– It does not allow any host using a source IP address from 10.1.0.0 to 10.1.255.255 to send frames across this switch

��Private VLAN (PVLAN)Private VLAN (PVLAN)

• Traditional solution

– One VLAN per costumer, with each VLAN having its own IP subnet

– Challenges

• High number of interfaces on SP devices

• Spanning tree becomes more complicated

• Network address space must be divided into many subnets

• Multiple ACL applications required to maintain security

• Private VLANs

– L2 isolation between ports within the same VLAN

– It eliminates the need for a separate VLAN and IP subnet per costumer

– Types of ports

• Isolated: Communicate only with promiscuous ports

• Promiscuous: Communicate with all other ports

• Community: Communicate with other members of community and all promiscuous ports

��Private VLAN (PVLAN)Private VLAN (PVLAN)

• Different PVLANs:

– Primary VLAN: Carries traffic from promiscuous ports to isolated, community, and other promiscuous ports in the same primary VLAN

– Secondary VLANs

• Isolated VLAN: Carries traffic from isolated ports to a promiscuous ports

• Community VLAN: Carries traffic between community ports and promiscuous ports

��Configuring PVLANsConfiguring PVLANs

1. Set VTP mode to transparent

2. Create secondary VLANs (isolated and community)

3. Create the primary VLAN

– switch(config-vlan)#private-vlan [primary | isolated | community]

4. Associate the secondary VLAN to the primary VLAN

– switch(config-vlan)#private-vlan association {secondary_vlan_list | add sv1 | remove sv1}

5. Configure an interface to an isolated or community port

6. Associate the isolated port or community port to the primary-secondary VLAN pair

7. Configure an interface as a promiscuous port

8. Map the promiscuous port to the primary-secondary VLAN pair

��DHCP Spoofing AttackDHCP Spoofing Attack

• An attacker hosts a rogue DHCP server off of a switch port

• Client broadcasts a request for DHCP configuration information

• The rogue DHCP server responds before the legitimate DHCP server, assigning attacker-defined IP configuration information

• Host packets are redirected to the attacker address as it emulates a default gateway for the erroneous DHCP address provided to the clients

��DHCP SnoopingDHCP Snooping

• Catalyst feature that determines which switch ports can respond to DHCP requests

– Trusted ports can source all DCHP messages

– Untrusted ports can only source requests

• If a rogue DCHP on an untrusted port attempts to send DHCP response packets, the port is shut down

• DHCP Option 82: switch information, such as the port ID of the DHCP request, is inserted into the DHCP request packet

��ARP Spoofing AttackARP Spoofing Attack

• By spoofing an ARP reply from a legitimate device, an attacking device appears to be the destination host sought by the senders

• The ARP reply from the attacker causes the sender to store the attacking system MAC address in the ARP cache. All packets destined for those IP address will be forwarded through the attacker system – The attacker sends ARP binding its MAC address with the IP destination address

– Host A updates ARP cache with attacker’s MAC address bound to C’s IP address

– The attacker sends ARP binding its MAC address with the IP sender address

– Destination updates ARP cache with attacker’s MAC address bound to sender’s IP address

��Dynamic ARP inspectionDynamic ARP inspection

• Prevents ARP spoofing or ‘poisoning’

• Intercepts and validates all ARP requests and responses

– Forwards ARP packets received on a trusted interface without any checks

– Intercepts all ARP packets on untrusted ports

– Verifies that each intercepted packet has a valid IP-to-MAC address binding before forwarding packets that can update the local ARP cache

– Drops and/or logs ARP packets with invalid IP-to-MAC address bindings

• Configure all Access switch ports as untrusted and all switch ports connected to other switches as trusted

��Protecting Spanning TreeProtecting Spanning Tree

• Protect against switches being added on PortFast ports

– BPDU Guard shuts ports down when BPDUs are received

– BPDU filter specifies action to be taken when BPDUs are received

• BPDU Root Guard protects against a switch outside the designated network attempting to become the root bridge

��Configuring BPDU GuardConfiguring BPDU Guard

• BPDU Guard protects the network from loops that

might form if BPDUS are received on a PortFast

enabled switch port

• When a BPDU is received, the port is put in error-

disabled state

• Global configuration

• Interface configuration

Switch(config)#spanning-tree portfast bpduguard default

Switch(config-if)#spanning-tree bpduguard enable

��Configuring BPDU FilteringConfiguring BPDU Filtering

– Global configuration• It affects all PortFast ports on a switch without BPDU filtering

configured on the individual port

• If BPDUs are seen, the port looses its PortFast Status, BPDU

filtering is disabled and STP sends and receives BPDUs on the port

as any other STP port on the switch

• Upon startup, the port transmits ten BPDUs. If this port receives

any BPDUs during that time, PortFast and PortFast BPDU filtering

are disabled

– Interface configuration• Ignores all BPDUs received

• Sends no BPDUs

Switch(config-if)#spanning-tree bpdufilter enable

Switch(config)#spanning-tree portfast bpdufilter default

��Configuring Root GuardConfiguring Root Guard

– Root Guard limits the switch ports out of which the root

bridge may be negotiated

– If a root guard-enabled port receives BPDUs that are

superior to those being sent by the current root bridge, • that port will be moved to a root-inconsistent state (listening state)

• no data traffic will be forwarded across this port

– When the root guard-enable port receives inferior BPDUs,

the port will be unblocked again

Switch(config-if)#spanning-tree guard root

��Unidirectional link detectionUnidirectional link detection

• Unidirectional link– Traffic is transmitted between neighbors in one direction only

– Can cause ST topology loops

• UDLD– L2 protocol that works with the L1 mechanisms to determine the

physical status of a link

– Protocol that allows devices to detect an unidirectional link

– Both ends of the link must support UDLD

• A switch configured with UDLD

periodically transmits UDLD packets– If packets are not echoed back within a

specific time, the link is flagged as

unidirectional and the interface is shut

down (aggressive) or the port changes to an

undetermined state (normal)

��Loop guardLoop guard

• Provides protection when BPDUs are being sent, but not

received on a link that is considered operational

• When an unidirectional link is detected, the interface will

move into the STP loop-inconsistent blocking state

• Once a BPDU is received, the port will transition to the

appropriate state

Before loop guard

– C is not receiving BPDUs from B

– Port on C transitions to forwarding

state in 50 sec � LOOP

With loop guard

– C is not receiving BPDUs from B

– Port on C transitions to loop-

inconsistent state

��Comparison between Loop Guard and UDLDComparison between Loop Guard and UDLD

• On an Etherchannel bundle

– UDLD will disable individual failed links

– Loop Guard will put the entire channel in loop-inconsistent state

• Enabling both UDLD and Loop Guard provides the

highest level of protection

��Configuring UDLD and Loop GuardConfiguring UDLD and Loop Guard

• Configuring UDLD

– Enable UDLD on an interface

• S(config-if)#udld port

– Enable UDLD globally

• S(config)#udld enable

– Verify and reset UDLD

• S#udld reset

• S#show udld interface

• Configuring Loop Guard

– Enable Loop Guard on an interface• S(config)#spantree guard loop mod/port

• S(config)#spantree guard none mod/port

• Enabling root guard will disable root guard, if root guard is currently enabled on the ports

– Enable Loop Guard globally • S(config)#spantree global-default loopguard enable

• S#show spantree guard mod/port | vlan

• CDP is transmitted in clear text and unauthenticated

• An attacker can use a packet analyzer to intercept CDP traffic

• An attacker can analyze information in CDP packets to gain knowledge of network address and device information

• An attacker can formulate attacks based on known vulnerabilities of network platforms

��CDP security issuesCDP security issues

��Telnet and SSHTelnet and SSH

• Telnet– Telnet packets are transmitted in clear-text

– A user with an account on the system could gain elevated

privileges

– A remote attacker could crash the Telnet service, preventing

legitimate use of that service

– A remote attacker could find an enabled guest account

present anywhere within the trusted domains of the server

• SSH (Secure Shell)– The entire login session is encrypted

– Replacement for rlogin, rsh, rcp, and rdist as well as Telnet and FTP

– protects a network from attacks such as IP spoofing, IP source routing, and DNS spoofing

��Using vty ACLsUsing vty ACLs

• Restricting VTY connections

– The access-class ACL-number applies the ACL to the interface

– The ACL can be a standard or an extended ACL

• Restricting web interface connections

– To bind a standard ACL to the http server process:

• ip http access-class ACL-number

• ACL-number: 1 - 99

��Best practicesBest practices

• Consider or establish organizational security

policies

– Proces for auditing existing networks

– General security framework

– Behaviors toward electronic data that are disallowed

– Which tools and procedures are needed

– Responsibilities of users and administrators

– Process for handling network security incidents

– Enterprise-wide, all site security implementation and

enforcement plan

• Secure switch devices

• Secure switch protocols

• Mitigate compromises launched through a switch

��Best practices: Secure switch accessBest practices: Secure switch access

• Set system passwords ���� enable secret

• Secure physical access to the console

• Secure access via Telnet

• Use SSH when possible

• Configure system warning banners

• Disable unused services ���� no service finger/config…

• Disable the integrated HTTP daemon if not in use

• Configure basic logging

��Restricting VTY connectionsRestricting VTY connections

• Remote management sessions can be enhanced using optional messages:

– Message of the day

• Display a banner to users as they enter a network device

– Router(config)# banner motd ^C message ^C

– Vacant message

• displayed when the user session is disconnected.

Router(config)#vacant-message ^C message ^C

– Refuse message

• displayed when the authentication fails at login

Router(config)#refuse-message ^C message ^C

• Applied to console, aux and vty lines

• Not displayed for users connecting over SSH

��Best practices: Secure switch protocolsBest practices: Secure switch protocols

• CDP– If CDP is not required, disable CDP globally on the device

– If CDP is required, disable CDP on a per-interface basis on

ports connected to untrusted networks

• Secure the Spanning Tree protocol– Identify the intended root bridge in the design and assign

an adequate bridge priority

– Activate BPDU guard feature if available

��Best practices: Mitigating Compromises Best practices: Mitigating Compromises

Launched through a switchLaunched through a switch

• Proactively configure unused ports– Shutdown on unused ports

– All unused ports in a specific unused VLAN

– Configure unused ports as access ports

• Considerations for trunk links– Disable automatic negotiation of trunking, and manually enable it on links that will require it

– Ensure that trunks use a native VLAN dedicated only to trunk links

• Minimize physical port access

• Establish standard access port configuration for both unused and used ports

• switchport host

– Macro that disables Etherchannel, disables trunking, and enables STP Portfast

Cisco Networking Academy

��Semester3v5 Semester3v5 -- Chapter 8Chapter 8

The EndThe End

Minimizing Service Loss

and Data Theft in a

Campus Network