Switch Security
BSCI v3.0—2-1
Trang 2Types of Attacks
• CAM table overflow
• VLAN hopping
• Spanning tree manipulation
• MAC address spoofing
• DHCP attacks
CAM Table Overflow Attack
[Figure: CAM table overflow; traffic between hosts B and D]
An attacker floods the switch with frames carrying bogus source MAC addresses. Once the CAM table is full the switch can no longer learn legitimate addresses, so it floods frames for those hosts out every port in the VLAN and the attacker's port receives traffic meant for B and D.
Port Security
[Figure: port security on an access port; the permitted host is MAC A, and the attacker's frames sourced from MAC E and MAC F exceed the secure address limit and are not learned]
Secure MAC Addresses
• Static
• Dynamic
• Sticky
Port Security Default Settings
Feature                                   Default setting
Port security                             Disabled on a port
Maximum number of secure MAC addresses    1
Violation mode                            Shutdown
Sticky address learning                   Disabled
Port security aging                       Disabled. Aging time is 0. When enabled, the default type is absolute.
Configuration Guidelines
• Only on static access ports
• Not on trunk or dynamic (DTP-negotiated) access ports
• Not on a SPAN destination port
• Not on an EtherChannel port
• Not configurable on a per-VLAN basis
• No aging of sticky addresses
• The protect and restrict options cannot be enabled at the same time
Configuring Port Security
switch(config-if)# switchport mode access
  Set the interface mode to access (port security is only supported on static access ports).
switch(config-if)# switchport port-security
  Enable port security on the interface.
switch(config-if)# switchport port-security maximum value
  Set the maximum number of secure MAC addresses for the interface (optional; default 1).
Configuring Port Security (Cont.)
switch(config-if)# switchport port-security mac-address sticky
  Enable sticky learning on the interface (optional).
switch(config-if)# switchport port-security violation {protect | restrict | shutdown}
  Set the violation mode (optional; default shutdown). protect silently drops frames from unknown source MACs; restrict drops them too but also increments the violation counter and sends a syslog message and SNMP trap; shutdown puts the port into the err-disabled state.
switch(config-if)# switchport port-security mac-address mac-address
  Enter a static secure MAC address for the interface (optional).
Configuring Port Security Aging
switch(config-if)# switchport port-security aging {static | time time | type {absolute | inactivity}}
  Enable or disable aging of static secure addresses on the port, or set the aging time (in minutes) or the aging type: absolute removes a secure address after the fixed time; inactivity removes it only if no traffic from it has been seen for that time.
Verifying Port Security
sw-class# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
     Fa0/12            1            0                0          Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024
Verifying Port Security (Cont.)
sw-class# show port-security interface fa0/12
Port Security : Enabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address : 0000.0000.0000
Security Violation Count : 0
Verifying Port Security (Cont.)
sw-class# show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   1    0000.ffff.aaaa    SecureConfigured    Fa0/12        -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024
Auto Recovery from Err-Disable State
• If the port-security feature has shut down a port, the port can be restored to an operational state using the error-disable recovery procedure. Without it the port stays down until an administrator issues shutdown followed by no shutdown.
• Enable recovery for the port-security cause:
Switch(config)# errdisable recovery cause psecure-violation
• Set the global recovery timeout (in seconds; it applies to every enabled recovery cause) by using the command:
Switch(config)# errdisable recovery interval seconds
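Putting the preceding steps together, here is one complete configuration as an added example; it is not taken from the course slides. It assumes IOS 15 syntax, hypothetical data and voice VLANs 10 and 110, and three access ports on one switch: Fa0/12 pinned to the static MAC 0000.ffff.aaaa that the verification output above shows, Fa0/13 serving an IP phone with a PC behind it, and Fa0/14 as a shared conference-room port. Restrict mode is used on the last two so that a violation is dropped and logged without taking the port down; the errdisable recovery at the end applies only to ports left in the default shutdown mode.

```cisco
! Added example (not from the course slides): port security on three access ports, IOS 15 syntax assumed
!
! Fa0/12: one known device, pinned to a static secure MAC; default violation mode (shutdown)
interface FastEthernet0/12
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0000.ffff.aaaa
 switchport port-security violation shutdown
!
! Fa0/13: IP phone with a PC behind it, so two addresses. Sticky learning writes the first two
! MACs seen into the running config (save with "write memory" so they survive a reload).
! Sticky addresses never age, so no aging is configured here.
interface FastEthernet0/13
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! Fa0/14: shared conference-room port; up to 3 dynamic addresses that age out after
! 10 minutes of inactivity, so a visitor's laptop does not permanently consume a slot.
! Restrict keeps the port up, drops frames from extra MACs, bumps the violation counter
! and sends a syslog message / SNMP trap.
interface FastEthernet0/14
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 switchport port-security aging time 10
!
! Ports in shutdown mode go err-disabled on a violation and otherwise stay down until an
! administrator issues shutdown / no shutdown. Recover them automatically after 10 minutes.
errdisable recovery cause psecure-violation
errdisable recovery interval 600
!
! Verify:
!  show port-security
!  show port-security interface FastEthernet0/13
!  show port-security address
!  show errdisable recovery
```

Automatic recovery is a convenience, not a control: if the offending device is still attached, the port err-disables again on the next frame. Where the port is monitored, restrict mode with syslog forwarding gives the same evidence without the outage.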
VLAN Hopping
[Figure: VLAN hopping attack against VLAN 10]
Mitigating VLAN Hopping
switch(config-if)# switchport mode access
  Configure the port as an access port.
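One way to configure the mitigation, as an added example that is not from the course slides. It goes beyond the single access-port command above by also hardening the trunk side, because switch spoofing relies on DTP negotiation and double-tagging relies on the attacker's access VLAN being the trunk's native VLAN. IOS 15 syntax, the interface numbers and the VLAN numbers (10, 20, 30 data; 999 unused native; 998 black-hole) are assumptions.

```cisco
! Added example (not from the course slides): VLAN hopping mitigation, IOS 15 syntax assumed
!
! Host-facing ports: static access mode and DTP disabled, so an attacker running a
! DTP-speaking tool (switch spoofing) cannot negotiate the port into a trunk.
interface range GigabitEthernet1/0/1 - 46
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! Unused ports: shut down and parked in a black-hole VLAN that is not carried on any trunk.
vlan 998
 name BLACKHOLE
interface GigabitEthernet1/0/47
 switchport mode access
 switchport access vlan 998
 shutdown
!
! Uplink: trunk configured statically, DTP off, a dedicated unused native VLAN, and an
! explicit allowed list. Because no access port is in VLAN 999, a double-tagged frame
! (outer tag = native VLAN) cannot be injected from an access port.
vlan 999
 name NATIVE_UNUSED
interface GigabitEthernet1/0/48
 switchport trunk encapsulation dot1q   ! only on platforms that also support ISL
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
!
! Optional belt and braces: tag the native VLAN too, so untagged frames are not accepted
! on the trunk at all.
vlan dot1q tag native
!
! Verify: show interfaces trunk / show dtp interface GigabitEthernet1/0/48 / show vlan brief
```

The check to run afterwards is show dtp interface on every host-facing port: it should report the port as non-trunking with negotiation off. A port that still shows a DTP mode of "dynamic" is the one an attacker can turn into a trunk.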
Spanning Tree Manipulation
[Figure: the attacker's device sends superior BPDUs to claim the root bridge role, so traffic is diverted through it]
Implementing BPDU Guard to Mitigate Spanning Tree Manipulation
The BPDU guard feature puts a port into the err-disabled state (shuts it down) as soon as the port receives a BPDU, so a device on an access port cannot take part in spanning tree at all.
Switch(config)# spanning-tree portfast bpduguard default
  (globally, on every PortFast-enabled port)
or
Switch(config-if)# spanning-tree bpduguard enable
  (on one interface, whether or not it is a PortFast port)
Auto Recovery from Err-Disable State
• If the BPDU guard feature has shut down a port, the port can be restored to an operational state using the error-disable recovery procedure.
• Enable recovery for the BPDU guard cause:
Switch(config)# errdisable recovery cause bpduguard
• Set the global recovery timeout (in seconds) by using the command:
Switch(config)# errdisable recovery interval seconds
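As an added example that is not part of the course slides, the two BPDU guard commands combined with PortFast and the recovery commands on one switch; IOS 15 syntax and the interface and VLAN numbers are assumed. It goes slightly beyond the slide by also showing root guard on a downlink, which protects the root bridge role on a port that legitimately receives BPDUs and therefore cannot use BPDU guard.

```cisco
! Added example (not from the course slides): BPDU guard with automatic recovery, IOS 15 syntax assumed
!
! Global defaults: every port configured as a PortFast edge port also gets BPDU guard.
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
! Host port: PortFast edge port, inherits BPDU guard from the global default. A BPDU from
! an attacker's bridge (or an accidentally connected switch) err-disables the port immediately.
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! Explicit per-interface form, useful on a port that is not a PortFast port.
interface GigabitEthernet1/0/11
 switchport mode access
 spanning-tree bpduguard enable
!
! Downlink to an access switch: it must receive BPDUs, so BPDU guard would break it.
! Root guard instead blocks the port if a superior BPDU (a root-bridge takeover attempt)
! arrives, while ordinary BPDUs are still processed.
interface GigabitEthernet1/0/47
 switchport mode trunk
 spanning-tree guard root
!
! Recovery: bring BPDU-guard err-disabled ports back after 5 minutes instead of waiting
! for a manual shutdown / no shutdown. If the rogue bridge is still attached, the port
! simply err-disables again on the next BPDU.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Verify: show spanning-tree summary / show spanning-tree interface GigabitEthernet1/0/10 detail
!         show interfaces status err-disabled / show errdisable recovery
```

Never apply BPDU guard to an uplink or to a port toward another switch: the first hello from the neighbour will take the link down.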
DHCP Attacks
[Figure: DHCP server; attacker on an untrusted port sending DHCP requests with spoofed MAC addresses, attempting to starve the DHCP server of leases and then to set up a rogue DHCP server]
DHCP Snooping
[Figure: client, rogue DHCP attacker and legitimate DHCP server attached to the switch]
• DHCP snooping allows the
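The DHCP snooping configuration that addresses both attacks on the previous slide, as an added example that is not from the course slides. IOS 15 syntax, the client VLANs 10 and 20, the uplink interface and the rate limit are assumptions.

```cisco
! Added example (not from the course slides): DHCP snooping against rogue servers and starvation,
! IOS 15 syntax assumed
ip dhcp snooping
ip dhcp snooping vlan 10,20              ! hypothetical client VLANs; nothing is filtered until a VLAN is listed
ip dhcp snooping verify mac-address      ! default; drops requests whose CHADDR differs from the frame's source MAC
no ip dhcp snooping information option   ! do not insert option 82 unless the DHCP server expects it
!
! Only the uplink toward the legitimate DHCP server is trusted. A DHCPOFFER or DHCPACK
! arriving on any other port (a rogue server) is dropped.
interface GigabitEthernet1/0/48
 description uplink toward distribution and the DHCP server
 switchport mode trunk
 ip dhcp snooping trust
!
! Client ports stay untrusted (the default) and are rate-limited, so a starvation attack that
! floods DHCPDISCOVERs err-disables the port instead of exhausting the server's pool.
interface range GigabitEthernet1/0/1 - 46
 switchport mode access
 ip dhcp snooping limit rate 15          ! DHCP packets per second
!
! Recover a rate-limited port after 5 minutes
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
! Verify: show ip dhcp snooping / show ip dhcp snooping binding
```

The binding table that show ip dhcp snooping binding displays (MAC, IP, lease, VLAN, port) is also what Dynamic ARP Inspection and IP Source Guard consult, so getting the trusted-port list right here is the prerequisite for those features.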
IEEE 802.1x
• Standard set by the IEEE 802.1 working group
• A framework designed to address and provide port-based access control using authentication
• Layer 2 protocol (EAP over LAN, EAPOL) for transporting authentication messages between the supplicant (user/PC) and the authenticator (switch or access point), which relays them to an authentication server such as RADIUS
• Actual enforcement is via MAC-based filtering and port-state monitoring
Identity-Based Authentication
[Figure: corporate network; a port whose user has not authenticated gets no access]
802.1x and Port Security
[Figure: legitimate user B and attacker A share a hub on one switch port; the switch, checking identity against Cisco Secure ACS/RADIUS together with port security, reports "I do not know A, I do know B", and the port is unauthorized]
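An added example, not from the course slides, of the port-based access control described on the 802.1x slide with port security layered on the same port, as the figure above suggests. IOS 15 syntax is assumed; the RADIUS server name, address and shared secret, the VLAN and the interface are hypothetical.

```cisco
! Added example (not from the course slides): 802.1X authenticator plus port security, IOS 15 syntax assumed
!
! AAA and the RADIUS server (address and key are hypothetical)
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius    ! lets RADIUS push a VLAN or ACL on Access-Accept
radius server ACS1
 address ipv4 10.0.0.5 auth-port 1812 acct-port 1813
 key Str0ngSharedSecret
dot1x system-auth-control                         ! enable 802.1X globally; per-port settings do nothing without it
!
! Host port: unauthorized until the supplicant authenticates. Only EAPOL is forwarded
! while the port is unauthorized.
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 authentication port-control auto      ! auto = enforce; force-authorized would disable the check
 authentication host-mode single-host  ! after B authenticates, only B's MAC is allowed (the hub case in the figure)
 authentication violation restrict     ! a second MAC (attacker A behind the hub) is dropped and logged, port stays up
 dot1x pae authenticator
 dot1x timeout tx-period 10            ! re-send EAP-Request/Identity every 10 s instead of the 30 s default
 spanning-tree portfast
 switchport port-security              ! belt and braces: cap the port at one MAC independently
 switchport port-security maximum 1    ! of the authentication session state
 switchport port-security violation restrict
!
! Verify: show authentication sessions interface GigabitEthernet1/0/10
!         show dot1x all
!         show port-security interface GigabitEthernet1/0/10
```

The point of the hub scenario is that 802.1X authorizes a port, not a user: once B has authenticated, anything else plugged into the same hub rides the open port unless the host mode and a MAC limit restrict it to B's address.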
SPAN
Implementing Switch Port Analyzer
Switch Port Analyzer
• The Switch Port Analyzer (SPAN) feature is used to mirror traffic from one or more source switch ports or VLANs to a destination port.
• It allows a monitoring device, such as a network analyzer or "sniffer", to be attached to the destination port for capturing traffic.
• SPAN is available in two different forms:
  Local SPAN: Both the SPAN source and destination are located on the same switch.
  Remote SPAN (RSPAN): The SPAN source and destination are located on different switches. Mirrored traffic is copied over a special-purpose RSPAN VLAN across the trunks between the source switch and the destination switch.
[Figure: local SPAN; both the SPAN source and destination are located on the same switch]
SPAN Configuration
Define the source of the SPAN session data:
Switch(config)# monitor session session-id source {vlan vlan-list | interface interface-number} [tx | rx | both]
• session-id: Uniquely identifies the SPAN session.
• source interface interface-number: Specifies the interface whose incoming or outgoing traffic will be monitored.
• source vlan vlan-list: Specifies the VLANs whose transit traffic will be monitored.
• tx | rx | both: Selects traffic for mirroring by its direction relative to the SPAN source (tx: transmitted by the source, rx: received by the source, both: traffic in both directions; both is the default).
SPAN Configuration (Cont.)
Identify the SPAN destination:
Switch(config)# monitor session session-id destination interface interface-number [encapsulation replicate] [ingress {vlan vlan-id | dot1q vlan vlan-id | isl}]
• session-id: Uniquely identifies the SPAN session.
• destination interface interface-number: Identifies the destination interface used by the session.
• encapsulation replicate: Forwards the mirrored frames with the source's encapsulation, so VLAN tags are preserved; without it, frames are sent in native form (untagged).
• ingress vlan vlan-id: Allows the device on the destination port to send traffic into the switch; untagged frames it sends are placed in VLAN vlan-id.
• ingress {dot1q vlan vlan-id | isl}: Allows the device on the destination port to send 802.1Q- or ISL-tagged traffic into the switch; with dot1q, vlan-id is the native VLAN used for untagged frames.
By default a SPAN destination port discards everything it receives, which is the safe setting for a passive analyzer; configure ingress only when the monitoring device must also transmit.
SPAN Configuration (Cont.)
• Example: monitor traffic going to and coming from a device connected to interface g1/0/1, with the network analyzer connected to interface g1/0/48.
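The session described on this slide, written out as an added example that is not from the course slides, followed by the RSPAN variant described on the Switch Port Analyzer slide, which goes beyond this one. IOS 15 syntax, the RSPAN VLAN number 900 and the management VLAN 100 are assumptions.

```cisco
! Added example (not from the course slides): local SPAN for the case above, then RSPAN; IOS 15 syntax assumed
!
! Local SPAN session 1: mirror both directions of g1/0/1 to the analyzer on g1/0/48.
monitor session 1 source interface GigabitEthernet1/0/1 both
monitor session 1 destination interface GigabitEthernet1/0/48
!
! The destination port drops anything the analyzer transmits unless "ingress" is configured,
! which is the safe setting for a passive sniffer. Only if the device must also send (an IDS
! that injects TCP resets, for example) allow untagged ingress into a management VLAN:
! monitor session 1 destination interface GigabitEthernet1/0/48 ingress vlan 100
!
! RSPAN (source and destination on different switches): a VLAN marked remote-span carries the
! mirrored copy across the trunk. It must exist, be marked remote-span, and be allowed on the
! trunks of every switch on the path, including any intermediate switch.
!
! --- source switch ---
vlan 900
 name RSPAN
 remote-span
monitor session 2 source interface GigabitEthernet1/0/1 both
monitor session 2 destination remote vlan 900
!
! --- destination switch ---
vlan 900
 name RSPAN
 remote-span
monitor session 3 source remote vlan 900
monitor session 3 destination interface GigabitEthernet1/0/48
!
! Verify on either switch: show monitor session all / show vlan remote-span
```

Two caveats from the earlier guidelines apply here: the destination port cannot also run port security, and the analyzer host behind it sees every frame on the mirrored VLANs, so that port and the RSPAN VLAN deserve the same physical and access controls as the traffic they copy.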