
Cisco Presentation Guide. Author: Cisco Corporate ID Dept. Created Date: 12/18/2009 3:27:58 PM


Slide 1

© 2005 Petr Grygarek, Advanced Computer Networks Technologies

Selected Network Security Technologies

Petr Grygárek

Agenda:
• Security in switched networks
• Control Plane Policing

Slide 2: Security in Switched Networks

Slide 3: Switch Port Security

• Static MAC addresses assigned to ports
  • various violation actions
• Limited number of MAC addresses per port
• Broadcast/multicast storm control
  • Disable/re-enable limits (hysteresis)
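The port-security and storm-control settings above, as an added Cisco IOS configuration example (not part of the original slides). Interface FastEthernet0/5, VLAN 10, the MAC address 0000.1111.2222 and the threshold values are assumptions chosen for illustration.

```cisco
! Added example: access-port hardening with port security and storm control
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 10
 ! Port security: one static address plus room for one learned ("sticky") address
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address 0000.1111.2222
 switchport port-security mac-address sticky
 ! Violation action: protect = drop silently, restrict = drop + syslog/SNMP trap,
 ! shutdown = put the port into err-disabled state
 switchport port-security violation restrict
 ! Learned addresses age out after 10 minutes without traffic
 switchport port-security aging time 10
 switchport port-security aging type inactivity
 ! Storm control: rising (block) and falling (unblock) thresholds in % of bandwidth;
 ! the gap between the two values is the hysteresis from the slide
 storm-control broadcast level 20.00 10.00
 storm-control multicast level 30.00 15.00
 storm-control action shutdown
!
! Bring err-disabled ports back automatically after 300 seconds
errdisable recovery cause psecure-violation
errdisable recovery cause storm-control
errdisable recovery interval 300
```

Verify with `show port-security interface FastEthernet0/5` and `show storm-control`; the violation counter and the "Last Source Address" field are the first things to look at when a port gets blocked.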

Slide 4: DHCP Snooping

• Protects against non-authorized DHCP servers
  • Intentional attacks (man-in-the-middle)
  • Plug&play devices
• Trusted and untrusted ports
  • Per-VLAN configuration
• Creates DHCP binding table for ARP inspection

Slide 5: DHCP Snooping Additional Features

• DHCP request rate limitation
  • Protects against exhaustion of the DHCP pool
• DHCP option 82
  • Switch attaches its MAC address and the client port to the DHCP request
• DHCP Offer (broadcast) sent directly to the client

Slide 6: Related Protection Mechanisms

• Additional protection mechanisms may utilize the binding table
  • ARP inspection
    • Filtering of fake ARP replies
    • Filtering of invalid bindings in ARP requests
    • Filtering of ARP replies from non-matching MAC address
  • Source IP+MAC+port verification
• Static entries may be inserted into the binding table
  • Servers with static IP addresses etc.
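Slides 4 to 6 describe one procedure: build the binding table with DHCP snooping, then let ARP inspection and IP+MAC+port verification consume it. The following Cisco IOS configuration is an added example, not from the original slides; VLAN 10, uplink GigabitEthernet0/1, user ports FastEthernet0/1-23, and the static server (10.10.10.50, 0000.aaaa.bbbb on FastEthernet0/24) are assumptions.

```cisco
! Added example: DHCP snooping, Dynamic ARP Inspection and IP Source Guard
ip dhcp snooping
ip dhcp snooping vlan 10
! Option 82: switch MAC + client port inserted into relayed DHCP requests
ip dhcp snooping information option
! Keep the binding table across reloads
ip dhcp snooping database flash:dhcp-snoop.db
!
! ARP inspection uses the binding table; validate also checks that the
! MAC addresses in the Ethernet header and the ARP body agree
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
interface GigabitEthernet0/1
 description uplink towards the DHCP server
 ip dhcp snooping trust
 ip arp inspection trust
!
interface range FastEthernet0/1 - 23
 switchport mode access
 switchport access vlan 10
 ! Per-port caps (packets/s) against DHCP pool exhaustion and ARP floods
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ! Source IP+MAC+port verification from the binding table
 ! (syntax varies by platform; some older IOS uses "ip verify source vlan dhcp-snooping port-security")
 switchport port-security
 ip verify source port-security
!
! Server with a static address never appears in snooped DHCP traffic,
! so its binding is inserted manually
ip source binding 0000.aaaa.bbbb vlan 10 10.10.10.50 interface FastEthernet0/24
interface FastEthernet0/24
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ip verify source port-security
!
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
```

`show ip dhcp snooping binding` lists the learned and static entries, and `show ip arp inspection statistics vlan 10` shows how many ARP packets were dropped and why.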

Slide 7: Private VLANs and Protected Ports

• Communication is disallowed between ports that are configured as protected
• Private VLANs
  • Primary VLAN and secondary VLANs
  • Secondary VLANs:
    • Community VLANs
    • Isolated VLAN
  • Promiscuous port
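Both mechanisms from the slide, as an added Cisco IOS example that is not part of the original deck. VLAN numbers (primary 100, isolated 101, community 102) and port names are assumptions.

```cisco
! Added example: protected ports versus private VLANs
!
! Protected ports: the two ports cannot exchange frames with each other
! (only on the same switch; traffic via an uplink is not restricted)
interface range FastEthernet0/1 - 2
 switchport mode access
 switchport access vlan 10
 switchport protected
!
! Private VLANs: older IOS requires VTP transparent mode for PVLAN definitions
vtp mode transparent
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
vlan 100
 private-vlan primary
 private-vlan association 101,102
!
! Isolated host port: can talk only to the promiscuous port
interface FastEthernet0/10
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Community host ports: talk to each other and to the promiscuous port
interface range FastEthernet0/11 - 12
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Promiscuous port (default gateway / firewall): reaches all secondary VLANs
interface GigabitEthernet0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
```

`show vlan private-vlan` confirms the primary/secondary associations; `show interfaces FastEthernet0/10 switchport` shows the host association actually applied.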

Slide 8: 802.1x Authentication

Slide 9: What is 802.1x?

• Port-based authentication
  • Securing office outlets, public “hotplug” places
• Authorized and unauthorized port state
• Operates on L2
• Utilizes EAP and various authentication protocols
  • Client-to-the-network or mutual authentication
  • Authentication using user passwords or certificates (PKI)

Slide 10: 802.1x Architecture Components

• Supplicant
  • PC OS component, subordinate switch
• Authenticator
  • 802.1x-enabled switch, access point
• Authentication server
  • RADIUS protocol

Slide 11: 802.1x Operation (1)

• Authenticator acts as proxy between supplicant and authentication server
  • bridges between EAPOL and RADIUS encapsulations
• Authenticator reacts to RADIUS authentication reply messages
  • allows or disallows the client to access the network
• Single host mode
  • Single authenticated client, other traffic is dropped
• Multiple host mode
  • After any client is successfully authenticated, all the other traffic is passed

Slide 12: 802.1x Operation (2)

(diagram)

Slide 13: Extensible Authentication Protocol (EAP)

• General framework for exchange of authentication information between supplicant and authentication server
• Various authentication algorithms may be applied
  • EAP-MD5
  • EAP-TLS
  • PEAP
  • ...

Slide 14: EAP Messages

• EAPoL Start (from supplicant)
• Identity Request (from authenticator)
• Identity Response
  • from supplicant, relayed to authentication server
• Success / Failure
• EAPoL Logoff (from supplicant)

Slide 15: Transmission of EAP Messages

• Supplicant-authenticator
  • EAP over LAN (EAPoL)
• Authenticator-authentication server
  • attributes of RADIUS protocol messages
  • UDP

Slide 16: Remote Authentication Dial-In User Service (RADIUS) Protocol

• Authentication - UDP/1812
• Accounting - UDP/1813
  • start, stop events
• Protocol messages
  • Access-Request
  • Access-Accept, Access-Reject
  • Access-Challenge
  • Accounting-Request, Accounting-Response

Slide 17: EAP and RADIUS

(diagram)

Slide 18: Optional 802.1x Configuration

• Authentication server may pass additional information to the authenticator (Attribute-Value Pairs)
  • Client-to-VLAN assignment
  • ACL
  • ...
• Fallback VLAN for clients that failed to authenticate
  • or are not 802.1x-capable
• Number of authentication retries, minimum intervals between retries, ...
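Slides 9 to 18 together describe the authenticator side of 802.1x: RADIUS transport on UDP/1812 and 1813, host modes, fallback VLANs, retries and AV pairs. The configuration below is an added example in the 12.2-era `dot1x` command syntax, not from the original slides; the RADIUS server 192.0.2.10, the secret placeholder, VLANs 10/98/99 and the timer values are assumptions.

```cisco
! Added example: 802.1x authenticator on a Cisco IOS access switch
aaa new-model
aaa authentication dot1x default group radius
! Network authorization lets the switch apply the AV pairs (VLAN, ACL)
! returned in Access-Accept
aaa authorization network default group radius
! Start/stop accounting records go to UDP/1813
aaa accounting dot1x default start-stop group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS_SECRET_HERE
dot1x system-auth-control
!
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
 ! Single-host mode: one authenticated MAC, all other traffic on the port is dropped
 dot1x host-mode single-host
 ! Clients that never answer the EAP Identity Request (no supplicant) fall back here
 dot1x guest-vlan 99
 ! Clients that fail authentication max-attempts times land here
 dot1x auth-fail vlan 98
 dot1x auth-fail max-attempts 3
 ! Retries and intervals: Identity Request retransmits, wait after a failure,
 ! periodic re-authentication
 dot1x max-reauth-req 2
 dot1x timeout tx-period 10
 dot1x timeout quiet-period 60
 dot1x reauthentication
 dot1x timeout reauth-period 3600
!
! For client-to-VLAN assignment the server returns these RADIUS attributes
! in Access-Accept (RFC 2868 tunnel attributes):
!   Tunnel-Type (64) = VLAN (13)
!   Tunnel-Medium-Type (65) = IEEE-802 (6)
!   Tunnel-Private-Group-ID (81) = "20"   (VLAN id or VLAN name)
```

`show dot1x interface FastEthernet0/5 details` shows the port state (AUTHORIZED/UNAUTHORIZED), the host mode and the VLAN that was actually assigned.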

Slide 19: EAPoL and RADIUS Messages in Action

(diagram)

Slide 20: Authentication of Supplicant-less Clients

(diagram)

Slide 21: Securing of the Control Plane

Slide 22: Control Plane Vulnerabilities (1)

• Routers/switches are optimized to handle high volumes of data-plane traffic
• Not intended to handle heavy control plane traffic
  • either related to unexpectedly increased protocol activity, abnormal traffic or DoS attacks
  • IP options
  • Wrong header parameters
  • TCP floods, fragmentation, TTL=0, ...
  • ICMP – ping, unreachables, redirects
  • Traffic logging

Slide 23: Control Plane Vulnerabilities (2)

• May result in an unacceptable increase of
  • CPU utilization
  • Memory consumption

Slide 24: Control Plane Protection Mechanisms

• Rate limiting of ICMP message generation (redirects, unreachables)
• Rate limiting and selective filtering of routing protocol messages
• Rate limiting and selective filtering of STP and other L2 control protocol messages
• Control protocol authentication

Receive ACLs
• Relate to traffic destined to any of the router's interface addresses
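The protection mechanisms of slides 22 to 24 as an added Cisco IOS Control Plane Policing example (not from the original slides). The management station 192.0.2.100, the OSPF neighbor range 10.1.0.0/24, the interface names and all policer rates are assumptions for illustration; rates should be tuned from `show policy-map control-plane` counters.

```cisco
! Added example: classify traffic punted to the route processor, then police it
ip access-list extended CoPP-ROUTING
 permit ospf 10.1.0.0 0.0.0.255 any
ip access-list extended CoPP-MGMT
 permit tcp host 192.0.2.100 any eq 22
 permit udp host 192.0.2.100 any eq snmp
ip access-list extended CoPP-ICMP
 permit icmp any any echo
 permit icmp any any unreachable
! IP options and fragments aimed at the router are rarely legitimate
ip access-list extended CoPP-UNDESIRABLE
 permit ip any any option any-options
 permit ip any any fragments
!
class-map match-all CoPP-ROUTING-CLASS
 match access-group name CoPP-ROUTING
class-map match-all CoPP-MGMT-CLASS
 match access-group name CoPP-MGMT
class-map match-all CoPP-ICMP-CLASS
 match access-group name CoPP-ICMP
class-map match-all CoPP-UNDESIRABLE-CLASS
 match access-group name CoPP-UNDESIRABLE
!
! First matching class wins; the undesirable class goes first so it cannot
! hide behind the generous routing class
policy-map CoPP
 class CoPP-UNDESIRABLE-CLASS
  police 8000 1500 conform-action drop exceed-action drop
 class CoPP-ROUTING-CLASS
  police 500000 8000 conform-action transmit exceed-action transmit
 class CoPP-MGMT-CLASS
  police 128000 8000 conform-action transmit exceed-action drop
 class CoPP-ICMP-CLASS
  police 32000 1500 conform-action transmit exceed-action drop
 class class-default
  police 64000 8000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input CoPP
!
! Rate-limit ICMP generated by the router itself and stop sending redirects
ip icmp rate-limit unreachable 1000
interface GigabitEthernet0/0
 no ip redirects
 ! Control protocol authentication so that only keyed neighbors are processed
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 OSPF_KEY_HERE
```

Watch the "exceeded" counters per class in `show policy-map control-plane`; a steadily rising drop count in the routing or management class means the rate is too low, while drops in the undesirable class are the expected signal of abnormal traffic.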