Lecture CCNA security partner - Chapter 5: Securing the Data Plane on Cisco Catalyst Switches

Document information

Pages: 36
Size: 548.49 KB

Content

Topics covered in this chapter include the following: An introduction to fundamental switching concepts, starting with the building blocks of VLANs and trunking; an introduction to other building blocks of switching technology, including Spanning Tree Protocol for high availability; a revisit and further explanation of security threats that exploit vulnerabilities in the switching infrastructure;...

Page 1

Securing the Data Plane on Cisco Catalyst Switches

Page 2

© 2012 Cisco and/or its affiliates All rights reserved 2

Contents

Topics covered in this chapter include the following:

• An introduction to fundamental switching concepts, starting with the building blocks of VLANs and trunking

• An introduction to other building blocks of switching technology, including Spanning Tree Protocol for high availability

• A revisit and further explanation of security threats that exploit vulnerabilities in the switching infrastructure

• A description of how to plan and develop a strategy for protecting the data plane

• A description of the Spanning Tree Protocol Toolkit found on Cisco IOS routers that prevents STP operations from having an impact on the security posture

• A review of port security and how to configure it, to illustrate security controls that are aimed at mitigating MAC spoofing and other threats

Page 3

• Configuring VLANs and Trunks

• Configuring Inter-VLAN Routing

• Spanning Tree Overview

• STP 802.1D, RSTP, PVRST+ …

Page 4

Mitigating Layer 2 Attacks

Page 5

Domino Effect If Layer 2 is Compromised

Layer 2 independence enables interoperability and interconnectivity.

However, from a security perspective, Layer 2 independence creates a challenge because a compromise at one layer is not always known by the other layers.

If the initial attack comes in at Layer 2, the rest of the network can be compromised in an instant.

Network security is only as strong as the weakest link, and that link might

Page 6

Layer 2 Best Practices

The following list suggests Layer 2 security best practices. All of these suggestions are dependent upon your security policy.

• Manage switches in as secure a manner as possible (SSH, OOB, permit lists, and so on)

• Whenever practical, declare the VLAN ID used on trunk ports with the switchport trunk allowed vlan command

• Do not use VLAN 1 for anything

• Set all user ports to nontrunking (unless you are using Cisco VoIP)

• Use port security where possible for access ports

• Selectively use SNMP and treat community strings like root passwords

• Enable STP attack mitigation (BPDU guard, root guard)

• Use Cisco Discovery Protocol only where necessary (with phones it is useful)

• Disable all unused ports and put them in an unused VLAN

Page 7

Layer 2 Protection Toolkit

Components of Layer 2 Protection Toolkit

Page 8

Mitigating VLAN Attacks

• VLAN Hopping

– VLAN Hopping by Rogue Trunk

– VLAN Hopping by Double Tagging

Page 9

Mitigating VLAN Hopping by Rogue

Page 10

VLAN Hopping by Rogue Trunk

A VLAN hopping attack can be launched in one of two ways:

• Spoofing DTP messages from the attacking host to cause the switch to enter trunking mode: From here, the attacker can send traffic tagged with the target VLAN, and the switch then delivers the packets to the destination.

• Introducing a rogue switch and turning trunking on: The attacker can then access all the VLANs on the victim switch from the rogue switch.

Page 11

VLAN Hopping Attack - Double-Tagging

• Involves tagging transmitted frames with two 802.1q headers in order to forward the frames to the wrong VLAN

– The first switch strips the first tag off the frame and forwards the frame

– The second switch then forwards the packet to the destination based on the VLAN identifier in the second 802.1q header.

Mitigation techniques include ensuring that the native VLAN of the trunk ports is different from the native VLAN of the user ports.
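An added example (not from the slides or from Cisco) that turns the Layer 2 best practices and the VLAN hopping mitigations above into a configuration check: it parses a constructed IOS-style running-config and flags trunks on native VLAN 1 or on a user VLAN, trunks with no allowed-VLAN list, ports still negotiating DTP, and access ports without port security or BPDU guard. The interface names and config are constructed, and `parse_interfaces` and `audit_layer2` are the example's own names.

```python
from collections import defaultdict

# Constructed sample running-config (not from the slides): Gi0/1 is a trunk
# left on native VLAN 1 with no allowed list, Gi0/2 still negotiates DTP.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode trunk
interface GigabitEthernet0/2
 switchport mode dynamic desirable
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 10
 switchport port-security
 spanning-tree bpduguard enable
"""

def parse_interfaces(config):
    # Group the indented lines of each 'interface' stanza by interface name
    stanzas, current = defaultdict(list), None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif current and line.startswith(" "):
            stanzas[current].append(line.strip())
    return stanzas

def audit_layer2(config):
    """Return {interface: [finding, ...]} for ports that miss a best practice."""
    stanzas = parse_interfaces(config)
    user_vlans = {l.split()[-1] for lines in stanzas.values() for l in lines
                  if l.startswith("switchport access vlan ")}
    findings = defaultdict(list)
    for name, lines in stanzas.items():
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        if mode == "dynamic":
            findings[name].append("DTP negotiation enabled (rogue-trunk risk)")
        elif mode == "trunk":
            native = next((l.split()[-1] for l in lines
                           if l.startswith("switchport trunk native vlan ")), "1")
            if native == "1" or native in user_vlans:
                findings[name].append(f"native VLAN {native} is VLAN 1 or a user VLAN")
            if not any(l.startswith("switchport trunk allowed vlan ") for l in lines):
                findings[name].append("no 'switchport trunk allowed vlan' list")
        elif mode == "access":
            if "switchport port-security" not in lines:
                findings[name].append("port security not enabled")
            if "spanning-tree bpduguard enable" not in lines:
                findings[name].append("BPDU guard not enabled")
    return dict(findings)
```

Running `audit_layer2(SAMPLE_CONFIG)` reports two findings for Gi0/1 and one for Gi0/2, and nothing for the hardened access port Gi0/3.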

Page 12

STP Attack

• The attacking host broadcasts STP configuration and topology change BPDUs to force spanning-tree recalculations

• The BPDUs sent by the attacking host announce a lower bridge priority in an attempt to be elected as the root bridge

• If successful, the attacking host becomes the root bridge and sees a variety of frames that otherwise are not accessible

Page 13

PortFast

• It should only be used on access ports!

– If PortFast is enabled on a port connecting to another switch, there is a risk of creating a spanning-tree loop.

Page 14

• Enable PortFast on a Layer 2 access port and force it to enter the forwarding state immediately

• Disable PortFast on a Layer 2 access port. PortFast is disabled by default.

• Globally enable the PortFast feature on all nontrunking ports

• Determine if PortFast has been configured on a port

Page 15

• To enable BPDU guard on all PortFast enabled ports, use the global

[Figure: BPDU Guard Enabled; attacker sending STP BPDUs]

Page 16

• To enable BPDU filtering on all PortFast enabled ports, use the global configuration command:

• To enable BPDU filtering on an interface, without having to enable PortFast, use the interface configuration command:

Page 17

• Root guard is best deployed toward ports that connect to switches that should not be the root bridge using the interface configuration

[Figure: Root Guard Enabled; attacker]

Page 18

Mitigating MAC Spoofing and MAC Table Overflow Attacks

Page 19

MAC Address Table Overflow Attack

• Attacker uses macof to generate multiple packets with spoofed source MAC addresses

• Over a short period of time, the MAC address table fills and no longer accepts new entries

– As long as the attack continues, the MAC address table remains full.

• The switch starts to flood all packets that it receives out every port, making it behave like a hub

• The attacker can now sniff packets destined for the servers

[Figure: VLAN 10. An attacker wishes to sniff packets destined to Servers A and B. To do so, he launches a MAC flood attack.]

Page 20

MAC Address Spoofing

Page 21

MAC Address Spoofing

Page 22

MAC Address Spoofing

Page 23

MAC Address Spoofing

Mitigation techniques include configuring port security.

Page 24

Using Port Security

• To prevent MAC spoofing and MAC table overflows, enable port security

• Port Security can be used to statically specify MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses

• By limiting the number of permitted MAC addresses on a port to one, port security can be used to control unauthorized expansion of the network

Page 25

Enable Port Security

• Set the interface to access mode.

Switch(config-if)# switchport mode access

• Enable port security on the interface

Switch(config-if)# switchport port-security

Page 26

• Set the maximum number of secure MAC addresses for the interface (optional)

• The range is 1 to 132. The default is 1.

• Enter a static secure MAC address for the interface (optional)

• Enable sticky learning on the interface (optional)

Page 27

Establish the Violation Rules

• Set the violation mode (optional)

• The default is shutdown

– shutdown is recommended rather than protect (dropping frames)

– The restrict option might fail under the load of an attack.

Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}

Page 28

Errdisable Recovery

The errdisable recovery feature also allows you to monitor spanning tree violations

Page 29

Port Aging

• Port security aging can be used to set the aging time for static and dynamic secure addresses on a port

• Two types of aging are supported per port:

– absolute - The secure addresses on the port are deleted after the specified aging time.

– inactivity - The secure addresses on the port are deleted only if they are inactive for the specified aging time.

Switch(config-if)# switchport port-security aging {static | time minutes | type {absolute | inactivity}}

Page 30

Sample Port Security Configuration

S2(config-if)# switchport mode access

S2(config-if)# switchport port-security

S2(config-if)# switchport port-security maximum 2

S2(config-if)# switchport port-security violation shutdown

S2(config-if)# switchport port-security mac-address sticky

S2(config-if)# switchport port-security aging time 120
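An added model (not the slides' or Cisco's code) of how a port-security port applies the settings from the preceding slides: the maximum secure-address count, the protect, restrict and shutdown violation modes, and absolute versus inactivity aging. `SecurePort`, `simulate` and the MAC addresses are constructed for this example; the demo at the bottom uses the S2 values above (maximum 2, violation shutdown, aging time 120).

```python
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    """Toy model of one port-security access port (constructed; not IOS code)."""
    maximum: int = 1                 # switchport port-security maximum
    violation: str = "shutdown"      # protect | restrict | shutdown
    aging_time: int = 0              # minutes; 0 means secure addresses never age
    aging_type: str = "absolute"     # absolute | inactivity
    secure: dict = field(default_factory=dict)  # mac -> minutes on its timer
    violations: int = 0
    err_disabled: bool = False

    def receive(self, mac):
        """Handle one ingress frame; return 'forward', 'drop' or 'err-disabled'."""
        if self.err_disabled:
            return "err-disabled"
        if mac in self.secure:
            if self.aging_type == "inactivity":
                self.secure[mac] = 0     # traffic from the MAC restarts its timer
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure[mac] = 0         # learned as a dynamic secure address
            return "forward"
        # Limit reached and the source MAC is not secure: a violation
        if self.violation == "protect":
            return "drop"                # silently dropped, nothing counted
        self.violations += 1
        if self.violation == "restrict":
            return "drop"                # dropped and counted (IOS also logs/traps)
        self.err_disabled = True         # shutdown: the port goes err-disabled
        return "err-disabled"

    def tick(self, minutes=1):
        """Advance the clock and expire secure addresses per the aging type."""
        if self.aging_time == 0:
            return
        for mac in list(self.secure):
            self.secure[mac] += minutes
            if self.secure[mac] >= self.aging_time:
                del self.secure[mac]

def simulate(port, macs):
    """Feed a sequence of source MACs through the port; return per-frame outcomes."""
    return [port.receive(m) for m in macs]

if __name__ == "__main__":
    # Same settings as the S2 example: maximum 2, shutdown, aging time 120
    p = SecurePort(maximum=2, violation="shutdown", aging_time=120)
    print(simulate(p, ["0000.0c00.0001", "0000.0c00.0002", "0000.0c00.0003"]))
```

With those settings the third source MAC err-disables the port, whereas a restrict port keeps forwarding the secure addresses and only counts the violations.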

Page 31

show port-security Command

SW2# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
     Fa0/12              2            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024

SW2# show port-security interface f0/12
Port Security              : Enabled
Port status                : Secure-down
Violation mode             : Shutdown
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Aging time                 : 120 mins
Aging type                 : Absolute
SecureStatic address aging : Disabled
Security Violation Count   : 0

SW2# show port-security address
Secure Mac Address Table
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024
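An added example (not from the slides) that reads the `show port-security` summary table shown above and flags ports that have recorded violations or run a violation mode other than shutdown; the Fa0/5 row in the sample is constructed so that the check has something to report, and `parse_port_security` and `find_alerts` are the example's own names.

```python
import re

# Constructed sample modelled on the slide's 'show port-security' table; the
# Fa0/5 row is added so that there is a violation for the check to report.
SAMPLE_OUTPUT = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
     Fa0/12              2            0                  0         Shutdown
      Fa0/5              1            1                  3         Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024
"""

# One interface row: port name, three integer counters, then the action keyword
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")

def parse_port_security(text):
    """Return one dict per interface row of the summary table."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            port, max_addr, cur, viol, action = m.groups()
            rows.append({"port": port, "max": int(max_addr), "current": int(cur),
                         "violations": int(viol), "action": action})
    return rows

def find_alerts(rows):
    """Flag ports with recorded violations or a violation mode other than shutdown."""
    alerts = []
    for r in rows:
        if r["violations"] > 0:
            alerts.append(f"{r['port']}: {r['violations']} violation(s), action {r['action']}")
        elif r["action"].lower() != "shutdown":
            alerts.append(f"{r['port']}: violation mode {r['action']} (slides recommend shutdown)")
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(parse_port_security(SAMPLE_OUTPUT)):
        print(alert)
```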

Page 32

Using SNMP to Monitor Access to Switch Port

Page 33

MAC Address Notification

• The MAC Address Notification feature sends SNMP traps to the network management station (NMS) whenever a new MAC address is added to or an old address is deleted from the forwarding tables

Switch(config)# mac address-table notification

Page 34

Page 35

Mitigating ARP Spoofing

Dynamic ARP Inspection: Dynamic ARP Inspection (DAI) determines the validity of an ARP packet based on the MAC address-to-IP address bindings stored in a DHCP snooping database.

IP Source Guard

Page 36

Posted: 30/01/2020, 11:54
