Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Data Center: Securing Server Farms
Copyright © 2004 Cisco Systems, Inc. All rights reserved.
CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.;
Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA,
CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo,
Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net
Readiness Scorecard, LightStream, MGX, MICA, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar,
ScriptShare, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient, TransPath, and VCO are registered
trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0304R)
Document Organization i
Document Conventions ii
C H A P T E R 1 Securing Intranet Server Farms: Overview 1-1
Data Center Security 1-1
The Need for Intranet Security 1-2
Security Technologies 1-3
Data Center Security Topologies 1-3
Deploying Layer 2 Security in Server Farms 1-3
Deploying Private VLANs in the Data Center 1-4
Security Considerations in the Intranet Data Center 1-5
Deploying Network-Based Intrusion Detection 1-6
Deploying Host-Based Intrusion Detection 1-7
Data Center Networking Architecture 1-8
Network Infrastructure 1-9
Cisco Storage Networking 1-9
Application Optimization 1-10
Business Continuance Networking 1-10
C H A P T E R 2 Data Center Security Topologies 2-1
Packet Filtering: Access Layer 2-7
Security for Multi-Tier Server Farms 2-8
Intrusion Detection Sensors 2-10
Network IDS: Access Layer 2-11
Host IDS 2-12
C H A P T E R 3 Deploying Layer 2 Security in Server Farms 3-1
Overview 3-1
PVLANs in the Data Center 4-1
Private VLANs and Content Switching 4-3
CSS Deployments 4-4
Solutions 4-7
CSM Deployments 4-10
Solution 4-11
C H A P T E R 5 Security Considerations for the Intranet Data Center 5-1
Intranet Data Center Overview 5-1
Distributed Intranet Data Centers 5-4
Route Health Injection 5-6
Layer 2 Attack Mitigation 5-9
Solution Design Details 5-10
Simple Pattern Matching 6-10
Session-Aware Pattern Matching 6-10
Context-Based Signatures 6-10
Protocol Decode-Based 6-10
Heuristic Analysis 6-11
Traffic Anomaly Analysis 6-11
IDS Software Configuration 6-12
Network Sensor 6-12
Traffic Capture 6-13
SPAN (Switched Port Analyzer) 6-13
VACL (VLAN Access Control Lists) 6-14
RSPAN (Remote Switched Port Analyzer) with VACL 6-15
Server Agent for Windows 7-4
Server Agent for Solaris 7-4
Scalability and Performance 7-12
Limitations and Restrictions 7-13
Conclusion 7-13
Additional References 7-13
I N D E X
This Solution Reference Network Design (SRND) provides design and implementation recommendations for deploying security services in the data center. This document discusses security topologies that include both appliance and integrated devices.
This publication provides solution guidelines for enterprises implementing Data Centers with Cisco devices. The intended audiences for this design guide include network architects, network managers, and others concerned with the implementation of secure Data Center solutions, including:
• Cisco sales and support engineers
• Cisco partners
• Cisco customers
Document Organization
This document contains the following chapters:
Chapter 1, “Securing Intranet Server Farms: Overview”
Describes the importance of securing intranet server farms and introduces the topics covered in the other chapters
Chapter 2, “Data Center Security Topologies”
Provides an overview of security topologies
Chapter 3, “Deploying Layer 2 Security in Server Farms”
Provides design recommendations for deploying Layer 2 security in the server farm
Chapter 4, “Deploying Private VLANs in the Data Center”
Provides design recommendations for deploying Private VLANs in the data center
Chapter 5, “Security Considerations for the Intranet Data Center”
Provides design recommendations for implementing security for intranet server farms
Chapter 6, “Deploying Network-Based Intrusion Detection”
Describes the benefits of deploying network intrusion detection in the data center and addresses mitigation techniques, deployment models, and the management of the infrastructure
Chapter 7, “Deploying Host-Based Intrusion Detection”
Describes the need for employing host-based intrusion prevention in the data center and addresses the design, deployment, and management of this infrastructure
Document Conventions
This guide uses the following conventions to convey instructions and information:
Convention              Description
boldface font           Commands and keywords
italic font             Variables for which you supply values
{x | y | z}             A choice of required keywords appears in braces separated by vertical bars. You must select one.
screen font             Examples of information displayed on the screen
boldface screen font    Examples of information you must enter
< >                     Nonprinting characters, for example passwords, appear in angle brackets
Securing Intranet Server Farms: Overview
This chapter describes the importance of securing intranet server farms and introduces the different topics described in the other chapters in the Securing Intranet Server Farms SRND. It includes the following sections:
• Data Center Security Topologies, page 1-3
• Deploying Layer 2 Security in Server Farms, page 1-3
• Deploying Private VLANs in the Data Center, page 1-4
• Security Considerations in the Intranet Data Center, page 1-5
• Deploying Network-Based Intrusion Detection, page 1-6
• Deploying Host-Based Intrusion Detection, page 1-7
• Data Center Networking Architecture, page 1-8
Data Center Security
Data center security is based on an effective security policy that accurately defines access and connection requirements within your data center. Once you have a good security policy, you can use many state-of-the-art Cisco technologies and products to protect your data center resources from internal and external threats and to ensure data privacy and integrity. Cisco delivers a powerful set of network security technologies, shown in Figure 1-1, that can be deployed as standalone appliances or as modules for the Cisco Catalyst 6500 Series. These solutions include the following categories of products and technologies:
• Access controls
• Firewalls
• Extranet VPN termination
• Network and host-based intrusion detection and prevention systems (network and host IDS)
To understand how these technologies are integrated into the other solution areas within the Data Center Networking Architecture, refer to the “Data Center Networking Architecture” section on page 1-8, or see the following website:
http://www.cisco.com/en/US/netsol/ns340/ns394/ns224/networking_solutions_packages_list.html
Alternatively, at www.cisco.com, just enter “go/datacenter.”
Figure 1-1 Data Center Security and Data Center Networking
The Need for Intranet Security
In addition to protecting the perimeter of the data center against external threats, you must also protect the boundaries between functional and administrative regions within the data center. Too often, security within the intranet data center is inadequate, even though the data center hosts vital applications and systems related to payroll, HR, manufacturing, marketing, and R&D. Unfortunately, robust security is often only deployed at the Internet edge to defend against external threats.
In several recent third-party network security surveys, IT managers stated that 40-60% of the attacks and security breaches affecting their networks came from users and devices inside the network. They estimated the loss of confidential and proprietary information from these internal attacks to have cost their organizations an average of six million dollars per year. Such internal threats can originate from many sources:
• Devices compromised by outside attackers
• Outside attackers who have compromised upstream security devices
• Disgruntled current and former employees
• Accidental employee actions
To protect your vital data center resources from internal threats, you can apply many of the same technologies and strategies that work so well in defending the Internet edge. However, the security policies that you develop for your intranet will be different, and the topologies and configuration required to support those policies may also differ.
When designing topologies that integrate firewall and IDS devices into the data center network, you can either use standalone appliances or service modules integrated into the Catalyst 6500 chassis. You can integrate appliance-based products with a variety of platforms, while Catalyst 6500-based service modules help improve performance and reduce administrative overhead through collapsed network topologies.
[Figure 1-1 labels: Storage Network (NAS, RAID, MDS9500); IP Network Infrastructure (Layer 2/3); Multi-Tier Applications; SSL, Content Switch, Cache; IDS, Firewall; Security]
Security Technologies
• ACLs—ACLs prevent unwanted access to infrastructure devices and, to a lesser extent, protect server farm services. ACLs come in different types, including router ACLs (RACLs), VLAN ACLs (VACLs), and QoS ACLs.
• Firewalls—Firewalls create network boundaries between more secure and less secure resources. While the typical location for firewalls remains the Internet edge and the edge of the data center, they are also used in multi-tier server farm environments to increase security between the different tiers.
• Network and Host IDS—Network IDS proactively detects and responds to intrusion or other unusual network activity. Host IDS enables real-time analysis and reaction to hacking attempts on specific applications or Web servers. Host IDS is able to identify an attack and prevent access to server resources before unauthorized transactions occur.
• AAA—AAA provides another layer of security by preventing unauthorized user access and by controlling user access to the network and network devices using a predefined profile. Transactions of all authorized and authenticated users are logged for accounting purposes, for billing, or for analysis.
Data Center Security Topologies
Traditionally, the security of the intranet data center has not received adequate attention. However, it is necessary to provide security to protect the data center from internally initiated attacks. In the data center topology recommended by Cisco, the intranet data center aggregation switches are directly connected to the campus core switches. The goal of a good security design should be to create security perimeters and domains for both the network devices and applications residing in this internal data center that provide protection similar to that given to external (Internet) facing devices and systems.
The intranet data center aggregation layer provides a key location for deploying firewall and IDS services. In this architecture, the aggregation switches are in an active-standby (Layer 2-7) configuration. This means that the active aggregation switch is the spanning tree root, the Hot Standby Router Protocol (HSRP) active router, and active for content switching and other Layer 4-7 services.
Chapter 2, “Data Center Security Topologies,” focuses on how to deploy either appliance-based or service module-based packet filtering and IDS services at the data center aggregation layer to protect data center infrastructure devices and servers.
Deploying Layer 2 Security in Server Farms
Layer 2 attacks are often a topic of discussion for the campus environment, but they should not be forgotten when discussing data center security. Designing and implementing a security policy to guard against localized Layer 2 intrusion and attacks is an extremely important aspect of data center security design. Many of the features that guard against these attacks also help to ensure that a misconfiguration or a non-malicious event does not result in unnecessary downtime for the data center. Chapter 3, “Deploying Layer 2 Security in Server Farms,” discusses some common Layer 2 attacks and the features available within Cisco IOS to mitigate these attacks.
Deploying Private VLANs in the Data Center
In the server farm, many servers often reside in the same subnet (segment). If one server is compromised, the possibility of others being compromised increases. Alternatively, if the server is secure and uncompromised and an attacker is able to gain control of the switch, data traffic to and from servers can be captured regardless of the security of the server OS and applications. Deploying private VLANs (PVLANs) in an enterprise data center environment provides an effective means of controlling Layer 2 access to servers and devices residing within the server farm.
The Layer 2 isolation provided by PVLANs is an excellent way to supplement Layer 3 security. Servers residing in an isolated VLAN can only communicate through the primary VLAN and are isolated at Layer 2 from any other servers configured for the same or other isolated VLANs. Servers that are part of a community VLAN can communicate at Layer 2 with all other servers residing in the same community VLAN, but they can only communicate with other devices or servers through the primary VLAN.
Figure 1-2 shows both community and isolated VLANs and their associated primary VLANs configured at the data center access layer. In the example, each server configured in isolated VLANs 8 and 20 is isolated at Layer 2 from each other and from all other servers in the server farm. The servers configured in community VLAN 30 can communicate with each other but are isolated at Layer 2 from any server not configured for community VLAN 30.
Figure 1-2 PVLANs Deployed at the Data Center Access Layer
In this environment, PVLAN traffic is carried between data center switches through 802.1q trunks. All switches forwarding PVLAN traffic must be configured with the PVLAN information. In a basic data center topology, PVLAN implementation is fairly simple and straightforward. However, when content switching is added to the data center architecture, certain interoperability issues arise. Chapter 4, “Deploying Private VLANs in the Data Center,” discusses these issues and provides guidance and recommendations for implementation.
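The isolation rules described above, as an added example that is not configuration or code from this SRND: a small Python model that answers, for any two ports of a private VLAN, whether a Layer 2 frame between them is forwarded. The VLAN numbers follow Figure 1-2 (isolated VLANs 8 and 20, community VLAN 30); the primary VLAN number 100 and the port names are assumptions made for the example.

```python
"""Private VLAN (PVLAN) Layer 2 reachability model.

Added example; not configuration or code from the SRND. It encodes the
forwarding rules the chapter describes: isolated ports reach only
promiscuous ports in their primary VLAN, community ports also reach members
of the same community VLAN, and promiscuous ports (the default gateway,
firewall or load balancer) reach every port in the primary VLAN. VLAN
numbers follow Figure 1-2 (isolated 8 and 20, community 30); primary VLAN
100 and the port names are assumptions for the example.
"""
from dataclasses import dataclass
from enum import Enum
from itertools import permutations
from typing import Dict, List, Optional, Set, Tuple


class PortType(Enum):
    PROMISCUOUS = "promiscuous"  # gateway, firewall, load balancer
    ISOLATED = "isolated"        # no Layer 2 peers except promiscuous ports
    COMMUNITY = "community"      # Layer 2 peers within the same community VLAN


@dataclass(frozen=True)
class Port:
    name: str
    primary_vlan: int
    port_type: PortType
    secondary_vlan: Optional[int] = None  # None for promiscuous ports


def can_forward(src: Port, dst: Port) -> bool:
    """Return True if a Layer 2 frame from src may be delivered to dst."""
    if src is dst:
        return False
    # A PVLAN never leaks between different primary VLANs.
    if src.primary_vlan != dst.primary_vlan:
        return False
    # Promiscuous ports reach every port in the primary VLAN, and vice versa.
    if PortType.PROMISCUOUS in (src.port_type, dst.port_type):
        return True
    # Isolated ports never reach each other, not even in the same isolated VLAN.
    if PortType.ISOLATED in (src.port_type, dst.port_type):
        return False
    # Both are community ports: reachable only if they share the community VLAN.
    return src.secondary_vlan == dst.secondary_vlan


def reachability_matrix(ports: List[Port]) -> Dict[Tuple[str, str], bool]:
    """Forwarding decision for every ordered (src, dst) pair of distinct ports."""
    return {(a.name, b.name): can_forward(a, b) for a, b in permutations(ports, 2)}


# Constructed topology after Figure 1-2: isolated VLANs 8 and 20 and
# community VLAN 30, all secondary VLANs of the assumed primary VLAN 100.
PRIMARY = 100
PORTS = [
    Port("gateway", PRIMARY, PortType.PROMISCUOUS),
    Port("srv-iso-a", PRIMARY, PortType.ISOLATED, 8),
    Port("srv-iso-b", PRIMARY, PortType.ISOLATED, 8),
    Port("srv-iso-c", PRIMARY, PortType.ISOLATED, 20),
    Port("srv-com-a", PRIMARY, PortType.COMMUNITY, 30),
    Port("srv-com-b", PRIMARY, PortType.COMMUNITY, 30),
]


def peers_of(port_name: str, ports: List[Port] = PORTS) -> Set[str]:
    """Names of the ports that a frame sent from port_name can reach at Layer 2."""
    matrix = reachability_matrix(ports)
    return {dst for (src, dst), ok in matrix.items() if src == port_name and ok}


if __name__ == "__main__":
    for port in PORTS:
        print(f"{port.name:10s} -> {sorted(peers_of(port.name))}")
```

The model is deliberately Layer 2 only, which is why the chapter calls PVLANs a supplement to Layer 3 security rather than a replacement: if the gateway on the promiscuous port answers ARP on behalf of the isolated hosts (on Cisco IOS, ip local-proxy-arp on the primary VLAN interface) or a host sends same-subnet traffic via the gateway, the router forwards between two isolated servers at Layer 3 unless an ACL on the primary VLAN interface denies it.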
Security Considerations in the Intranet Data Center
The security policies and deployments for the intranet data center act as a second layer of security against external users and applications, while providing protection from unauthorized internal users, internal systems, and remote users having access to the internal network. Because an enterprise server farm can consist of multiple tiers, security services for the intranet server farms are not solely deployed at the aggregation layer, but should also be deployed at each tier to protect each server farm layer, as shown in Figure 1-3. Using a layered security architecture provides a scalable, modular approach for deploying security at each tier.
Figure 1-3 Security Services at Server Farm Tiers
The layered architecture makes use of IOS security features, firewalls, VACLs, network IDS, and host IDS. You must take an end-to-end, solution-based approach when deploying each of these security services to ensure that features that are already implemented remain functional after security is implemented.
The following summarizes some of the ways to address different security threats:
• Unauthorized Access—To prevent unauthorized access, AAA is used to provide login authentication, command authorization, and accounting information. For scalability and manageability it is helpful to use a Terminal Access Controller Access Control System (TACACS) server (Cisco Secure ACS), which maintains a central location for username and password information.
[Figure 1-3 labels: Campus Core; Aggregation tier; First Tier, Second Tier, Third Tier; Web Tier, Application Tier, Database Tier]
• Denial of Service Attacks—You can use Cisco IOS quality of service (QoS) features to protect hosts and links against some kinds of flooding and DoS attacks. If you plan to use QoS features to control flooding, it is important to understand how those features work and how common DoS attacks work.
• Network Reconnaissance/Viruses/Worms—Third-party applications (such as nmap, dsniff, and Ethereal) can be used to perform packet sniffing and port scanning on network devices or hosts to quickly discover security holes. However, these tools can also be used maliciously. To guard against network reconnaissance attempts, firewalls and intrusion detection devices can be deployed.
• IP Spoofing—ACLs should be deployed on ingress and egress interfaces throughout to block traffic sourced from private (RFC 1918) address space that is not legitimately in use on that interface. Unicast reverse path forwarding (RPF) allows a router to verify that a packet entered the router on the correct ingress interface based on the source address of the packet.
• Layer 2 Attack Mitigation—Designing and implementing a security policy to guard against localized Layer 2 intrusion and attacks is an extremely important aspect of data center security design.
For details and implementation recommendations, refer to Chapter 5, “Security Considerations for the Intranet Data Center.”
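The two IP spoofing controls listed above (an ingress ACL for private address space and unicast RPF), as an added example that is not code or configuration from this SRND. The Python below models an aggregation switch with one uplink to the campus core and two server farm VLAN interfaces, and applies both checks to a set of constructed packets. The interface names, routes, addresses and the per-interface allow-default setting are assumptions made for the example; the rule that the default route is ignored by uRPF unless allow-default is set follows the behaviour of the IOS ip verify unicast source reachable-via command.

```python
"""Ingress anti-spoofing: RFC 1918 source filtering plus unicast RPF.

Added example, not code or configuration from the SRND. It models the two IP
spoofing controls the chapter lists. The ingress filter drops packets whose
source is private (RFC 1918) space that is not legitimately in use on the
receiving interface. The unicast RPF check compares the best route back to
the source with the interface the packet arrived on: strict mode requires a
match, loose mode only requires that a route exist. Following IOS, the
default route is ignored unless allow-default is set on that interface.
Interface names, routes and sample packets are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

IPNet = ipaddress.IPv4Network
RFC1918 = [IPNet("10.0.0.0/8"), IPNet("172.16.0.0/12"), IPNet("192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    ingress_if: str
    src: str
    dst: str


class Fib:
    """Minimal forwarding table with longest-prefix match."""

    def __init__(self, routes: Sequence[Tuple[str, str]]):
        # Most specific prefix first, so the first hit is the longest match.
        self.routes = sorted(((IPNet(p), i) for p, i in routes),
                             key=lambda e: e[0].prefixlen, reverse=True)

    def lookup(self, address: str, allow_default: bool) -> Optional[str]:
        """Egress interface for address, or None if no usable route exists."""
        addr = ipaddress.IPv4Address(address)
        for net, iface in self.routes:
            if net.prefixlen == 0 and not allow_default:
                continue
            if addr in net:
                return iface
        return None


def strict_urpf(fib: Fib, pkt: Packet, allow_default: bool = False) -> bool:
    """Strict uRPF: the route back to the source must leave via the ingress interface."""
    return fib.lookup(pkt.src, allow_default) == pkt.ingress_if


def loose_urpf(fib: Fib, pkt: Packet, allow_default: bool = False) -> bool:
    """Loose uRPF: any usable route back to the source is enough."""
    return fib.lookup(pkt.src, allow_default) is not None


def bogon_filter(pkt: Packet, allowed_private: Dict[str, List[IPNet]]) -> bool:
    """Permit unless the source is RFC 1918 space not expected on the ingress interface."""
    src = ipaddress.IPv4Address(pkt.src)
    if not any(src in net for net in RFC1918):
        return True
    return any(src in net for net in allowed_private.get(pkt.ingress_if, []))


def classify(fib: Fib, pkt: Packet, allowed_private: Dict[str, List[IPNet]],
             urpf_allow_default: Dict[str, bool]) -> str:
    """Ingress ACL first, then strict uRPF, as the checks apply on an interface."""
    if not bogon_filter(pkt, allowed_private):
        return "drop:bogon-source"
    if not strict_urpf(fib, pkt, urpf_allow_default.get(pkt.ingress_if, False)):
        return "drop:urpf-fail"
    return "permit"


# Constructed aggregation switch: an uplink to the campus core (default route
# only) and two server farm VLAN interfaces. Addresses are illustrative.
FIB = Fib([("0.0.0.0/0", "core-uplink"),
           ("10.10.10.0/24", "serverfarm-vlan10"),
           ("10.10.20.0/24", "serverfarm-vlan20")])
ALLOWED_PRIVATE = {
    "core-uplink": [IPNet("10.0.0.0/8")],           # the campus uses 10/8 internally
    "serverfarm-vlan10": [IPNet("10.10.10.0/24")],  # only the VLAN's own subnet
    "serverfarm-vlan20": [IPNet("10.10.20.0/24")],
}
# Only the uplink may satisfy uRPF via the default route; otherwise every
# campus source would fail strict mode on an interface that has no other route.
URPF_ALLOW_DEFAULT = {"core-uplink": True}
SAMPLE_PACKETS = [
    Packet("serverfarm-vlan10", "10.10.10.5", "10.50.1.1"),    # genuine server traffic
    Packet("serverfarm-vlan10", "198.51.100.9", "10.50.1.1"),  # server spoofing a public source
    Packet("core-uplink", "10.10.10.5", "10.10.20.7"),         # campus host impersonating a server
    Packet("core-uplink", "192.168.50.3", "10.10.10.5"),       # private space the campus does not use
    Packet("core-uplink", "10.50.1.1", "10.10.10.5"),          # genuine campus client
]


def run_sample() -> List[str]:
    """Verdict for each sample packet, in order."""
    return [classify(FIB, pkt, ALLOWED_PRIVATE, URPF_ALLOW_DEFAULT) for pkt in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_sample()):
        print(f"{pkt.ingress_if:18s} src={pkt.src:14s} -> {verdict}")
```

The third packet is the case that matters most for the intranet data center: a campus host using a server's address is dropped on the uplink because the route back to that address points into the server farm, not out to the core. Strict mode assumes symmetric routing; where an interface can legitimately receive traffic whose return path is elsewhere (several equal-cost uplinks, for instance), use loose mode instead of turning the check off.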
Deploying Network-Based Intrusion Detection
The deployment of network IDS is essential to a comprehensive security implementation. Network IDS can be deployed at several points within a single network topology to form part of a multi-pronged defense against external, Internet-based threats and internal threats, including network misconfiguration, misuse, or negligent practices. Packet inspectors, such as firewalls, are not enough to protect business critical applications from external and internal threats.
Devices employed to enforce security policies must scrutinize the protocols and application data traversing the network. Cisco network IDS products satisfy this requirement by identifying harmful network traffic and performing the appropriate action based on the established security policy. Actions that may be taken consist of logging, shunning, or resetting traffic that is identified as detrimental to the network.
Figure 1-4 indicates the multiple network vulnerability points that the enterprise security policy must address across service domains. The deployment options for Cisco network IDS include the following:
• Cisco Intrusion Detection System 4200 Security Appliance (Cisco IDS)
• Cisco Intrusion Detection System Module for the Catalyst 6500 series of switches (Cisco IDSM and IDSM-2)
• Cisco Intrusion Detection System Module for the 2600/3600/3700 series of routers (NM-CIDS)
Each of these network sensors utilizes the Cisco IDS software, which ensures a secure network environment through extensive inspection of potential threats. Cisco IDS software is available as a standalone appliance or integrated into switches, routers, and firewalls.
Enterprise-level management and monitoring for Cisco IDS is delivered through browser-based user interfaces. This provides a simplified and consistent user experience, while delivering powerful analytical tools that allow for a rapid and efficient response to threats. Secure access to a command line interface (CLI) is also supported. For further details and implementation recommendations, refer to Chapter 6, “Deploying Network-Based Intrusion Detection.”
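The three sensor responses named above (logging, shunning and resetting), as an added example that is not code from this SRND or from the Cisco IDS software: a toy Python sensor that matches simple byte patterns, applies the response configured for each signature, and adds the two safeguards a practitioner puts around shunning. The signatures, addresses, the never-shun list and the packet timeline are constructed for the example.

```python
"""Toy network IDS sensor: signature match followed by a policy-driven response.

Added example, not code from the SRND or from the Cisco IDS software. It shows
the three responses the chapter names (log, shun and reset) selected per
signature, plus two safeguards a practitioner puts around shunning: a
never-shun list for addresses the data center cannot afford to block, and an
expiry on every shun. Both exist because an attacker who spoofs the source
address of a critical host could otherwise use the sensor to block that host.
The signatures, addresses and packets are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes  # simple pattern matching: a byte string anywhere in the payload
    action: str     # "log", "reset" or "shun"


class Sensor:
    def __init__(self, signatures: Iterable[Signature], never_shun: Iterable[str],
                 shun_seconds: int = 300):
        self.signatures = list(signatures)
        self.never_shun = set(never_shun)
        self.shun_seconds = shun_seconds
        self.shuns: Dict[str, float] = {}  # source address -> expiry time
        self.events: List[str] = []       # alarm log

    def is_shunned(self, src: str, now: float) -> bool:
        expiry = self.shuns.get(src)
        if expiry is None:
            return False
        if now >= expiry:
            del self.shuns[src]  # shuns expire; a permanent block is a DoS lever
            return False
        return True

    def inspect(self, pkt: Packet, now: float) -> List[str]:
        """Return the responses taken for pkt, or ['pass'] when nothing matched."""
        if self.is_shunned(pkt.src, now):
            return [f"drop:shunned {pkt.src}"]
        responses: List[str] = []
        for sig in self.signatures:
            if sig.pattern not in pkt.payload:
                continue
            self.events.append(f"t={now:.0f} {sig.name} {pkt.src}->{pkt.dst}:{pkt.dport}")
            if sig.action == "reset":
                # TCP reset of the offending flow only; the source keeps its access
                responses.append(f"reset {pkt.src}->{pkt.dst}:{pkt.dport}")
            elif sig.action == "shun" and pkt.src in self.never_shun:
                # never block infrastructure addresses, however convincing the match
                responses.append(f"log-only (never-shun) {pkt.src}")
            elif sig.action == "shun":
                self.shuns[pkt.src] = now + self.shun_seconds
                responses.append(f"shun {pkt.src} for {self.shun_seconds}s")
            else:
                responses.append(f"log {sig.name}")
        return responses or ["pass"]


# Constructed signature set and policy. 10.10.10.1 stands in for the server
# farm default gateway, an address that must never be shunned.
SIGNATURES = [
    Signature("web-cmd-exe-probe", b"cmd.exe", "reset"),
    Signature("sql-xp_cmdshell", b"xp_cmdshell", "shun"),
    Signature("nop-sled", b"\x90" * 16, "log"),
]
NEVER_SHUN = {"10.10.10.1"}
# (time, packet) pairs: two attackers, a spoof of the gateway, and a late retry.
TIMELINE = [
    (0, Packet("10.1.1.50", "10.10.10.5", 80, b"GET /scripts/../winnt/system32/cmd.exe?/c+dir")),
    (5, Packet("10.1.1.60", "10.10.10.7", 1433, b"exec master..xp_cmdshell 'dir'")),
    (10, Packet("10.1.1.60", "10.10.10.5", 80, b"GET / HTTP/1.0")),
    (12, Packet("10.10.10.1", "10.10.10.7", 1433, b"xp_cmdshell")),
    (400, Packet("10.1.1.60", "10.10.10.5", 80, b"GET / HTTP/1.0")),
    (401, Packet("10.1.1.70", "10.10.10.5", 80, b"\x90" * 32 + b"\xcc")),
]


def run_sample() -> List[List[str]]:
    """Responses for each packet in TIMELINE, using a fresh sensor."""
    sensor = Sensor(SIGNATURES, NEVER_SHUN)
    return [sensor.inspect(pkt, now) for now, pkt in TIMELINE]


if __name__ == "__main__":
    for (now, pkt), responses in zip(TIMELINE, run_sample()):
        print(f"t={now:4d} {pkt.src:>11s} -> {responses}")
```

The fourth packet is the reason for the never-shun list: the payload matches a shun signature, but its source is the gateway address, so a spoofed packet is logged rather than allowed to take the gateway off the network. On a production sensor the shun is pushed as a block to a router or firewall, which is why the list of addresses it may never block belongs in the sensor's policy and not only in the operator's head.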
Figure 1-4 Enterprise Data Center - Network Vulnerability Points
Deploying Host-Based Intrusion Detection
Using Cisco Security Agent (CSA) for endpoint protection is one strategy in the comprehensive, end-to-end security solution that Cisco recommends. Deploying CSA can provide the following benefits to your organization:
• Reduce losses in revenue and productivity from security-related outages
• Increase IT productivity by reducing the burden of applying operating system patches
• Protect proprietary or confidential company data
• Maintain service level agreements (SLA)
[Figure 1-4 labels: Internet SP1, SP2, PSTN, Private WAN; Internet Gateway, Internet Edge, VPN; Internet Server Farm, Extranet Data Center, Intranet Data Center; Campus Core]
The CSA architecture allows authorized personnel to update server software or to patch operating systems on a predetermined schedule, which avoids the cost of unforeseen downtime. CSA does not use signature-based technology, but rather relies on host-based behavior to provide security. As a result, signature updates are not necessary to protect against newly discovered threats. CSA also improves endpoint security management in the data center.
Enterprises often employ several host-based security products to protect data center endpoints. These may include personal firewalls, antivirus scanners, and audit or integrity products to track malicious configuration activity. All of these functions are replaced with a single CSA agent, and this reduces deployment and management costs. In addition, the Management Center for Cisco Security Agents (CSA MC) provides a single, centralized tool for deploying, administering, and monitoring CSA, and this simplifies network management. The enterprise data center is a complex structure segmented into service and security domains. The Internet, intranet, and extranet server farms each contain endpoints that can benefit from deploying CSA.
Figure 1-5 illustrates the deployment of CSA on server endpoints in a data center server farm.
Figure 1-5 CSA Deployment in the Enterprise Data Center
CSA is installed on each endpoint as an agent kit, which contains the security policies to be enforced on the endpoint. You can use default or customized agent kits, which are available for different desktop and server environments. The CSA default kits provide comprehensive, predefined policies that protect against many security violations, including port scan detection, buffer overflows, network worms, SYN floods, and Trojan horse programs. For further details and implementation recommendations, refer to Chapter 7, “Deploying Host-Based Intrusion Detection.”
Data Center Networking Architecture
The Data Center Networking architecture includes a suite of advanced solutions in the following areas:
• Data center IP network infrastructure
• Storage networking
• Data center security
• Application optimization
• Business continuance networking
As shown in Figure 1-6, data center services are related and interdependent. The storage networking and network infrastructure services are the foundation because they provide the fundamental building blocks used by every network service. After the infrastructure is in place, you can build server farms to support the application environments. These environments should be protected using network security technologies and optimized using load balancing and other application optimization technologies.
Figure 1-6 Functional Areas of the Data Center Networking Architecture
Once the data center is functioning in an efficient and secure way, you should ensure that the entire data center does not provide a single point of failure, through the use of distributed data centers, site selection, SAN extension, and other business continuance technologies.
Network Infrastructure
The Cisco intelligent switching infrastructure consolidates network components and resources by supporting distinct application and server environments on the same physical infrastructure, while maintaining their virtual separation for security and availability purposes. The term infrastructure refers to the Layer 2 and Layer 3 configurations that provide network connectivity to the server farm as well as the network devices that provide security and application-related functions. Data centers are composed of devices that provide the following functions:
• Network connectivity, including switches and routers
• Network and server security, including firewalls and IDS
• Availability and scalability of applications, including load balancers, SSL offloaders, and caches
The data center infrastructure must provide port density and Layer 2 and Layer 3 connectivity, while supporting security services provided by access control lists (ACLs), firewalls, and IDS. It must support server farm services such as content switching, caching, and SSL offloading while integrating with multi-tier server farms, mainframes, and mainframe services (TN3270, load balancing, and SSL offloading). For detailed information about designing and building your network infrastructure, see the following website:
http://www.cisco.com/en/US/netsol/ns340/ns394/ns224/ns304/networking_solutions_package.html
Cisco Storage Networking
Direct-attached storage is expensive, difficult to manage, and inefficient, requiring very large amounts of unused capacity to ensure availability. Storage-area network (SAN) and network-attached storage (NAS) systems help consolidate storage, increase availability, simplify management, and reduce capital and operational expenditures. Unfortunately, many traditional SANs result in multiple SAN “islands” that lack the scalability and intelligence to deliver on the potential promised by storage networking.
[Figure 1-6 labels: Network Infrastructure; Storage Networking; Data Center Security; Application Optimization; Business Continuance Network]
Cisco provides fully integrated, multilayer, intelligent storage networking solutions, built with products such as the Cisco MDS 9000 Family, that scale to meet the needs of a SAN environment of any size. Cisco’s innovative solutions combine advanced storage switching functions such as virtual SANs (VSANs), traffic management, and diagnostics with network-hosted storage services to provide unparalleled ease of management, scalability, and intelligence. For more information about Cisco storage networking, see the following website:
http://www.cisco.com/en/US/netsol/ns340/ns394/ns224/ns375/networking_solutions_package.html
Application Optimization
Application optimization is one of the key solution areas within the Data Center Networking architecture. The objective of application optimization is to ensure high performance and high availability for applications running in the enterprise data center. Optimization increases application availability and scalability using intelligent, application-aware network technology. The network technologies that help optimize application performance include the following:
• Caching improves application response time
• Content switching and load balancing consolidate applications and increase application scalability and availability
• Secure Sockets Layer (SSL) offloading allows servers to increase the number of SSL transactions supported
For more information about data center application optimization solutions, see the following website:
http://www.cisco.com/en/US/netsol/ns340/ns394/ns224/ns377/networking_solutions_package.html
Business Continuance Networking
Business continuance is a top priority because customers expect continuous availability of organizational products and services, regardless of circumstances. Business continuance keeps essential applications running and protects valuable data during and after a disruption or failure. Cisco networking solutions support a portfolio of business continuance strategies required to meet the different recovery point objectives (RPOs) and recovery time objectives (RTOs) of enterprise applications. These networking solutions include site selection between distributed data centers, storage area network (SAN) extension for mirroring mission-critical session traffic and data, and cost-effective WAN solutions for replication of data to offsite backup and storage locations.
The goal of disaster recovery and business continuance is guaranteed accessibility to data anywhere and at any time. In the event of a catastrophe, meeting this objective is impossible with a single data center, because it provides a single point of failure. With a single data center in a disaster scenario, the business comes to a standstill until it is rebuilt and the applications and data are restored. Using distributed data centers with Cisco site selection solutions overcomes this single point of failure, while providing additional benefits, such as application scalability, high availability, and load distribution.
SAN extension increases the geographic distance allowed for SAN storage operations, in particular for data replication and copy operations. By replicating or copying data to an alternate site, an enterprise can protect its data in the event of disaster at the primary site. For more information about site selection, SAN extension, and other business continuance solutions, see the following website:
http://www.cisco.com/en/US/netsol/ns340/ns394/ns224/ns378/networking_solutions_package.htm
Data Center Security Topologies
The intranet data center has traditionally been an area where security deployments have been thinly implemented. Based on client surveys, growing security threats, and the increasing need to protect proprietary information, it is necessary to provide security to protect the data center from internally initiated attacks, whether malicious in nature or not. The security options discussed in this chapter include packet filtering and intrusion detection for network devices, servers, and applications. The goal of this chapter is to provide an overview and understanding of the security options available for the intranet server farm and to provide topologies and recommendations for each of these options.
Topologies
Figure 2-1 provides an overview of a large scale enterprise network. Figure 2-1 also shows the location of the intranet data center in the network. In this topology, the intranet data center aggregation switches are directly connected to the campus core switches. There are no firewalls or IDS devices deployed between the data center switches and the campus core. The goal is to create security perimeters and domains for both the network devices and applications residing in this internal data center similar to the protection given to external (Internet) facing devices and systems.
Figure 2-1 Enterprise Network and Intranet Data Center
The intranet data center aggregation layer provides a key location for deploying firewall and IDS services, along with a variety of other services including content switching, SSL offloading, and VPN termination. In this architecture, the aggregation switches are in an active-standby (Layer 2-7) configuration. This means that the active aggregation switch is the spanning tree root, the Hot Standby Router Protocol (HSRP) active router, and active for content switching and other Layer 4-7 services.
This chapter focuses on deploying both appliance and integrated packet filtering and IDS services at the data center aggregation layer to protect both data center infrastructure devices and servers. Additionally, this chapter also discusses supplemental security features that you can deploy at the data center access layer.
Packet Filtering: Aggregation Layer
Packet filtering provides a means for blocking unwanted externally sourced or internally sourced network and application traffic. Packet filter services deployed at the intranet data center aggregation layer consist of ACLs, appliance-based firewalls, and integrated blade-based firewall modules. This section provides overviews of the three options. Figure 2-2 shows the location of the data center aggregation layer.
Figure 2-2 Intranet Data Center Aggregation Layer
on connection oriented requests, denying incomplete or malformed requests
Appliance Firewalls
In typical designs incorporating an appliance firewall, the firewalls are deployed inline between the data center aggregation layer and the core switches. This inline topology is sometimes deployed for Internet-facing data center designs, but it is not necessarily optimal for the intranet data center, for several reasons. If the firewalls are deployed inline as shown in Figure 2-3, routing between the campus core and the data center is limited to static routing.
Figure 2-3 Appliance Firewall Deployment
This static routing requirement introduces redundancy issues and also limits the features that can be deployed. With static routing deployed, any loss of upstream routes on the outside of the firewall is undetectable. If the upstream device or link fails, traffic is simply dropped by the firewall and the data center aggregation switch is completely unaware.
Note Beginning with PIX software release 6.3, OSPF support was added, thereby eliminating the static routing limitation.
For redundancy, the active and standby firewalls send and receive hello packets on both the outside and the inside interfaces. On the inside interfaces, the hello packets are exchanged via the Layer 2 EtherChannel configured between the data center aggregation switches. Because the outside interfaces must also exchange hello packets, a Layer 2 connection must be configured between the campus core switches. This outside Layer 2 connection is not recommended because it brings Layer 2 into the core of the network and creates the possibility of a Layer 2 loop.
For companies interested in deploying disaster recovery or business continuance, the Content Switching Module (CSM) route health injection (RHI) feature plays an important role for the internal networks. This feature allows the CSM to place a host route for the virtual IP address (VIP) in the Multilayer Switch Feature Card (MSFC), which is then propagated throughout the network via the interior routing protocol. Without dynamic routing protocol support on the firewall, this route cannot be propagated from the data center switches to the campus core. If a static route is created as an alternative, traffic can be black-holed because the route does not disappear when the VIP becomes unavailable.
As an alternative to deploying firewalls in front of the aggregation switches, you can deploy these firewalls on services switches. Services switches connect to the aggregation switches through Layer 2 trunks. Instead of deploying devices that provide services like SSL offloading, content switching, and caching at the aggregation layer switches, you can connect these devices to the services switches. Two primary benefits of using services switches are port preservation on the aggregation switches and relief from the IOS version restrictions on the aggregation switches. Specific versions of IOS must be used to support the desired switch modules, which may not integrate well with a strict change management system. In some cases, it can take six months to a year of testing to change software versions on core network devices. Moving this requirement from the data center aggregation switches to the services switches allows for faster deployment of these modules.
Figure 2-4 Firewalls Deployed on Data Center Service Switches
When inbound traffic is received on the data center aggregation switch, a static route is used to forward the traffic over the Layer 2 links to the services switch. Figure 2-4 shows the location and connectivity of the services switches and their physical connection to the firewalls. The services switch has two Layer 2 trunk links: the active link connected to the Layer 2 active aggregation switch and a standby link (blocking) to the secondary Layer 2 aggregation switch. When traffic arrives on the services switch, it is forwarded to the outside interface of the firewall. The firewall then either blocks the traffic or forwards it out of the inside interface back to the services switch. Because the firewall has both the outside and inside interfaces connected to the same switch, security concerns often arise. One of the primary concerns is that “VLAN hopping” may occur. VLAN hopping is the ability of an attacker to hop VLANs, thereby bypassing the firewall altogether. A recent series of tests performed on the Catalyst product line by @Stake were specifically directed at testing the vulnerability of VLANs in these switches. @Stake found that when VLAN security configuration guidelines were properly followed, they were not able to hop or bypass VLANs on these switches using a variety of well-known attacks. The URL below provides a link to the @Stake security document.
http://www.cisco.com/application/pdf/en/us/guest/products/ps2706/c1244/ccmigration_09186a00800c4fda.pdf
Once again, this design does not allow administrators to deploy RHI for the intranet data center. The fact that the CSM resides in the services switch and shares its client-side VLAN with the inside interface of the firewall renders the RHI feature unusable. The CSM client-side VLAN must reside on the MSFC for the VIP host route to be placed in the routing table. For additional information on RHI, see the additional links section at the end of this chapter.
Integrated Firewalls
The Firewall Services Module (FWSM) is an integrated firewall for the Catalyst 6000 series switches. The FWSM is configured similarly to a PIX firewall and therefore can be deployed to perform stateful packet inspection for both inbound and outbound traffic, as well as server-to-server communications. This module provides packet inspection at a 5 gigabit throughput rate and supports the OSPF dynamic routing protocol. Figure 2-5 shows the intranet data center aggregation switches with a pair of FWSMs.
Figure 2-5 Data Center Aggregation Switches with FWSM
These previously mentioned features, and upcoming features like firewall virtualization, make the FWSM a key element in redesigning security for the data center. A particular use is in designing and deploying security for the multi-tier server farm, which with the FWSM becomes much cleaner and easier to manage. This is detailed in the “Security for Multi-Tier Server Farms” section on page 2-8 of this chapter.
The FWSM is deployed in the same chassis as the MSFC and can be placed either in front of or behind the MSFC, as shown in Figure 2-6. Also included in Figure 2-6 is the respective location of the CSM.
Figure 2-6 Logical Diagram of the FWSM, MSFC, & CSM with FWSM in Front of and Behind the MSFC
To prevent VLAN misconfiguration that may allow traffic to bypass the FWSM, you must pay close attention to which VLANs are configured on the outside and inside interfaces of the FWSM. The side of the MSFC on which you place the FWSM depends on the type of configuration you are trying to achieve.
Note If you are deploying the RHI feature of the CSM, the FWSM should be placed on the outside of the MSFC. This is because the CSM must place a host route for the VIP in the MSFC and therefore must share a VLAN with the MSFC on the CSM's client-side VLAN.
When various blades like the CSM, SSLSM, VPNSM, and IDSM are placed into the same chassis, configuration complexities arise. Software versions, VLAN configuration, and logical placement can all play important parts in the interoperability of these modules.
Packet Filtering: Access Layer
You can deploy PVLANs and IOS ACLs or VLAN ACLs (VACLs) at the access layer to limit communication to, from, and between the servers residing in the server farm. The concept of PVLANs is simple: PVLANs offer a means of providing Layer 2 isolation of servers from other servers residing in the server farm. All traffic into the server farm passes through a primary VLAN. This primary VLAN is mapped to one or more secondary VLANs. The secondary VLANs can be configured as either isolated or community VLANs. Servers placed in isolated VLANs cannot communicate with any other servers in the server farm. Servers placed in community VLANs can only communicate with other servers also residing in the community VLAN.
Figure 2-7 PVLANs Limit Server Communication
Because PVLANs provide only Layer 2 isolation between servers, you must configure ACLs in Cisco IOS or on Cisco firewalls to deny any Layer 3 access as well. Traffic with a source address of a device residing in the server farm should not be allowed to also have a destination address of another device residing in the server farm. If this filtering is not put in place, there is a possibility that the packet could simply be routed at Layer 3 to the desired server, bypassing the Layer 2 isolation altogether. PVLANs can be very beneficial for a number of reasons. If the servers in your data center house sensitive material, each one can be isolated on its own VLAN without wasting IP addresses. PVLANs also help to provide assurance that if one of the servers in your data center is compromised, the other servers cannot be reached at either Layer 2 or Layer 3.
For additional information about Private VLANs, see the “Deploying Private VLANS in the Data Center”
Security for Multi-Tier Server Farms
Multi-tier (often referred to as Nth-tier) server farms consist of three primary tiers: the presentation tier, the application tier, and the database tier. Depending on the deployed application, the web tier and application tier can either reside on the same physical server or on separate servers. Most vendors have gone with a physical three-tier model, where the web and application tiers reside on separate servers. This multi-tier architecture introduces a good deal of complexity into the data center architecture. In multi-tier architectures, security is often deployed for each tier. Filtering is recommended and should be performed in front of the presentation tier, between the presentation and application tiers, and between the application and database tiers. Packet filtering is also often performed between servers residing in the same tier. The packet filtering recommendations depend on the type of architecture deployed. For the physical multi-tier server farm, as stated above, Cisco recommends that you filter at each layer, which provides the maximum amount of security for the server farm.
With the traditional appliance-based firewall, filtering at each layer requires a minimum of two firewalls at each tier. This in turn adds to the complexity of physical connections, management, and high availability. Figure 2-8 shows a typical multi-tier server farm architecture with appliance-based firewalls deployed at each tier.
Figure 2-8 Appliance-Based Firewalls Providing Security for the Multi-Tier Server Farm
The FWSM provides an excellent option for reducing the complexity of deploying security in a multi-tier architecture. By consolidating the firewalls in a central location, management and physical connectivity issues are dramatically reduced.
Note The logical topology is the same regardless of the physical topology.
You can configure separate VLANs on the FWSM for each layer, with routing and packet filtering performed between each tier. This allows all traffic between VLANs to pass through the FWSM, thereby centralizing packet filtering services on a single physical pair of firewalls. Future software releases for the FWSM will support a “firewall virtualization” feature. This feature allows a single FWSM to be “virtualized” into multiple logical firewalls. This virtualization allows you to create separate logical firewalls per tier and, if desirable, per customer. Figure 2-9 shows the multi-tier server farm with the FWSM.
Figure 2-9 FWSM Providing Security for the Multi-Tier Server Farm
Intrusion Detection Sensors
Network IDS: Aggregation Layer
Network IDS devices should be deployed at the data center aggregation switches to provide a comprehensive level of protection for the data center network devices and a first level of protection for server farm components. These network IDS sensors can be logically configured to reside behind the firewall modules also deployed in the aggregation switches. This allows the sensor to shun network attacks that were not filtered while passing through the firewall.
When deployed in the aggregation switches, you should configure the network IDS sensors to monitor synchronous traffic flows. This allows the sensor to see both directions of the traffic flow, which lowers the number of false positives and false negatives compared with a sensor that has only a one-sided view of the flow. The network IDS devices are capable of shunning network attacks through proactive manipulation of ACLs. When configured policies are violated and an attack signature is matched, the IDS device can dynamically configure ACLs to shun the attack before it is able to compromise any servers or devices. Figure 2-10 provides an overview of network IDS deployment in the data center.
Figure 2-10 Network IDS in the Data Center
Because of the possibility of heavy traffic flowing through the data center, Cisco recommends that you deploy a gigabit-capable IDS device. An IDS with gigabit throughput capabilities is able to monitor greater amounts of traffic through the data center, increasing the level of security. Currently, the IDS 4250 appliance is capable of providing gigabit monitoring capabilities. In the near future, a gigabit-capable IDS module for the Catalyst 6000 will be available. The functionality of these devices is very similar; therefore, regardless of which is used, the same recommendations on what types of traffic to monitor, and where, apply.
Network IDS: Access Layer
IDS sensors can also be deployed at the data center access layer. This provides an optional additional layer of security for the network devices and servers.
At the access layer, the sensors should be configured to monitor both synchronous and asynchronous traffic originating from the server farm. Synchronous traffic monitoring is performed at a more granular level for server and application traffic. Additionally, Cisco recommends that you monitor server-initiated asynchronous traffic. If an attacker is able to compromise a server and begins to launch an attack initiated from the internal server farm, the network IDS sensor in the access switch is able to monitor and shun the attack, thereby protecting other internal systems from being compromised.
Two options are also available for deploying network IDSs at the data center access layer. For both Catalyst 6000 and other installed bases, the gigabit appliance IDS sensors are available. For access layers consisting of Catalyst 6000 series switches only, the gigabit intrusion detection sensor module (IDSM) will be available in the near future.
Host IDS
Cisco's Host IDS solution provides blanket coverage for the server operating system and the applications running on the server. The Host IDS agent software is loaded onto the server platform and monitored from a central management station. Currently, the supported server operating systems are Windows 2000, Windows NT, and Sun Solaris. The Host IDS sensor shuns attacks by actively monitoring traffic to the server and stopping an attack before it is allowed to execute.
Figure 2-11 HIDS for the Server Farm
While the network IDS upstream protects against network and some server and application attacks, the Host IDS sensor protects against different types of malicious attacks, such as:
• OS and application vulnerabilities
• Uploading malicious executables
Deploying Layer 2 Security in Server Farms
Data center security generally has two stages: securing the physical perimeter and securing the network perimeter. Physical security keeps out unauthorized individuals, while firewalls, intrusion detection devices, and security features deployed at the data center edge deny outside users access to secured infrastructure and applications. If an attacker is able to bypass these security perimeters, through physical means or by compromising a network device or server, the edge security perimeter may not protect the applications and information housed within the server farm.
Layer 2 attacks are often a topic of discussion for the campus environment, but they should not be forgotten when discussing data center security. Designing and implementing a security policy to guard against localized Layer 2 intrusion and attacks is an extremely important aspect of data center security design. Many of the features that guard against these attacks also help to ensure that a misconfiguration or a non-malicious event does not result in unnecessary downtime for the data center. This chapter discusses some common Layer 2 attacks and the features available within Cisco IOS to mitigate these attacks.
Overview
To increase scalability, mobility, and interoperability of the access layer and service modules, Layer 2 protocols and features are often incorporated into the data center environment. A collapsed, single-layer data center architecture consists of two layers: aggregation and access (front-end). Figure 3-1 shows these data center layers.
Figure 3-1 Data Center Design with Layer 2 and Layer 3 Aspects
In the server farm, many servers often reside in the same subnet (segment). If one server is compromised, the possibility of others being compromised increases. Alternatively, if the server is secure and uncompromised but the attacker is able to gain control of the switch, data traffic to and from the server(s) can be captured regardless of the security of the server OS and applications.
Design Details
Problem Description-MAC Flooding
MAC flooding is the attempt to exploit the fixed hardware limitations of the switch's content addressable memory (CAM) table. The Catalyst switch CAM table stores the source MAC address and the associated port of each device connected to the switch. The CAM table on the Catalyst 6000 can contain 128,000 entries. These 128,000 entries are organized as 8 pages that can each store approximately 16,000 entries. A 17-bit hash algorithm is used to place each entry in the CAM table. If two entries hash to the same value, they are stored on separate pages. Once these eight locations are full, the traffic is flooded out all ports on the same VLAN on which the source traffic is being received. Multiple well-known tools, including Macof and Dsniff, can be used to perform ethical hacking when testing security settings. Each tool can fill up an entire CAM table, causing all traffic on that particular VLAN to be flooded, resulting in the ability to sniff all traffic. Once all traffic is flooded from the switch, all traffic on the VLAN can be seen.
In Figure 3-2, the attacker's machine resides on VLAN 10. The attacker floods MAC addresses to port 3/25 on the switch. When the CAM table threshold is reached, the switch operates as a hub and simply floods traffic out all ports. This flooding also occurs on adjacent switches configured with VLAN 10; however, flooding is limited to the source VLAN and does not affect other VLANs.
Figure 3-2 MAC Flooding Attack in the Data Center
If a MAC address of a device attached to the port differs from the list of secure addresses, the port either shuts down permanently (default mode), shuts down for the time you have specified, or drops incoming packets from the insecure host. The port's behavior depends on how you configure it to respond to a security violation.
Cisco recommends that you configure the port security feature to issue a shutdown instead of dropping packets from insecure hosts through the restrict option. The restrict option may fail under the load of an attack, and the port is disabled anyway.
Port security can require a fairly significant amount of management and configuration overhead, but is an excellent way to “lock down” the data center switch ports. With a change management process in place, when additional server ports are needed they can be requested and configured on a case-by-case basis. Because mobility is not really an issue within the server farm, locking a server to a particular access port does not create many issues. This also ensures that a rogue device cannot simply be connected to a data center switch and given link status.
Figure 3-3 Port Security
To enable port security use the following command:
dmaAccess1> (enable) set port security <mod/port> ?
  age         Set port security aging time
  disable     Disable port security
  enable      Enable port security
  maximum     Set maximum number of secure MAC addresses
  shutdown    Set port security shutdown time
  violation   Set port security violation mode
  <mac_addr>  MAC address
Set port 3/3 to only allow the MAC address of Server A. If any other MAC address is detected on 3/3, the port is shut down.
dmaAccess1> (enable) set port security 3/3 00-d0-b7-a0-83-e5 violation shutdown
Port 3/3 security violation mode shutdown.
Mac address 00-d0-b7-a0-83-e5 set for port 3/3.
Use the following show command to verify:
dmaAccess1> (enable) show port security 3/3
* = Configured MAC Address
Port  Security Violation Shutdown-Time Age-Time Max-Addr Trap     IfIndex
----- -------- --------- ------------- -------- -------- -------- -------
3/3   enabled  shutdown              0        0        1 disabled      29

Port  Num-Addr Secure-Src-Addr     Age-Left Last-Src-Addr       Shutdown/Time-Left
----- -------- ------------------- -------- ------------------- ------------------
3/3          1 00-d0-b7-a0-83-e5*         - 00-d0-b7-a0-83-e5                 no -

Port  Flooding on Address Limit
----- -------------------------
3/3   Enabled
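The CAM table exhaustion described above and the port security response to it, as an added simulation in Python (not Cisco code and not the code of any tool named here). It keeps the eight-page layout the text describes at a scaled-down size; the hash function, page size, ports and MAC addresses are constructed, and the violation action is the shutdown mode recommended above.

```python
"""CAM table exhaustion versus port security, modelled in Python (added example,
not Cisco code). It keeps what the text describes: one slot per hash value on each
of eight pages, and no learning once all eight slots are taken, so frames for that
MAC are flooded on the VLAN. The hash function, the scaled-down page size, the
ports and the MAC addresses are constructed for the simulation."""
import hashlib
from dataclasses import dataclass, field

PAGES = 8               # eight pages, as described for the Catalyst 6000 CAM table
SLOTS_PER_PAGE = 256    # constructed: scaled down from ~16,000 so the model runs quickly
VLAN = 10               # VLAN 10 and port 3/25 are from Figure 3-2
FLOOD_PORT = "3/25"
SERVER_PORT, SERVER_B_MAC = "3/1", "00-d0-b7-11-22-33"     # constructed
ATTACKER_MAC = "00-d0-b7-99-00-01"                         # constructed: attacker's own MAC

def slot_index(mac: str, vlan: int) -> int:
    """Constructed stand-in for the switch's 17-bit hash (the real one is not modelled)."""
    digest = hashlib.sha256(f"{vlan}|{mac.lower()}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % SLOTS_PER_PAGE

@dataclass
class PortSecurity:
    """'set port security <port> <mac> violation shutdown' for every port in secure_macs."""
    secure_macs: dict = field(default_factory=dict)   # port -> set of allowed MACs
    shutdown: set = field(default_factory=set)        # ports disabled by a violation

    def accept(self, port: str, mac: str) -> bool:
        if port in self.shutdown:
            return False
        allowed = self.secure_macs.get(port)
        if allowed is None or mac.lower() in allowed:
            return True
        self.shutdown.add(port)       # violation: shut the port down, do not just drop
        return False

@dataclass
class CamTable:
    pages: list = field(default_factory=lambda: [dict() for _ in range(PAGES)])
    security: PortSecurity = field(default_factory=PortSecurity)

    def _find(self, mac: str, vlan: int):
        """(page, idx) holding this MAC, or (None, idx) when it is not in the table."""
        key, idx = (mac.lower(), vlan), slot_index(mac, vlan)
        for page in self.pages:
            if page.get(idx, (None,))[0] == key:
                return page, idx
        return None, idx

    def learn(self, mac: str, vlan: int, port: str) -> bool:
        """Learn a source MAC; False means no free slot or the port is shut down."""
        if not self.security.accept(port, mac):
            return False
        page, idx = self._find(mac, vlan)
        if page is None:              # first page with a free slot for this hash value
            page = next((p for p in self.pages if idx not in p), None)
        if page is None:
            return False              # all eight slots taken: frames to this MAC are flooded
        page[idx] = ((mac.lower(), vlan), port)
        return True

    def lookup(self, mac: str, vlan: int):
        """Egress port for a destination MAC, or None meaning flood the whole VLAN."""
        page, idx = self._find(mac, vlan)
        return None if page is None else page[idx][1]

    def age_out(self, mac: str, vlan: int) -> None:
        page, idx = self._find(mac, vlan)   # what the switch does when the aging timer expires
        if page is not None:
            del page[idx]

    def is_full(self) -> bool:
        return all(len(page) == SLOTS_PER_PAGE for page in self.pages)

def bogus_mac(n: int) -> str:
    """Constructed source MAC number n of the flood."""
    return "02-00-" + "-".join(f"{b:02x}" for b in n.to_bytes(4, "big"))

def flood(cam: CamTable, n: int, budget: int = 100_000) -> tuple:
    """Frames with fresh source MACs arrive on FLOOD_PORT until the table is full, the
    port is shut down, or the budget is spent. Returns (entries learned, next n)."""
    learned = 0
    while not cam.is_full() and n < budget:
        if cam.learn(bogus_mac(n), VLAN, FLOOD_PORT):
            learned += 1
        elif FLOOD_PORT in cam.security.shutdown:
            break
        n += 1
    return learned, n

def run_scenario(port_security: bool) -> dict:
    """Server B is learned, the flood runs, B's entry ages out while the flood goes on,
    then B sends again. Reports how the switch now handles frames destined to B."""
    cam = CamTable()
    if port_security:
        cam.security.secure_macs[FLOOD_PORT] = {ATTACKER_MAC}
    cam.learn(SERVER_B_MAC, VLAN, SERVER_PORT)
    learned, n = flood(cam, 0)
    cam.age_out(SERVER_B_MAC, VLAN)
    learned += flood(cam, n)[0]           # the freed slot is refilled by the ongoing flood
    relearned = cam.learn(SERVER_B_MAC, VLAN, SERVER_PORT)
    egress = cam.lookup(SERVER_B_MAC, VLAN)
    return {"attacker_entries": learned, "table_full": cam.is_full(),
            "port_shutdown": FLOOD_PORT in cam.security.shutdown,
            "server_b_relearned": relearned,
            "frames_to_server_b": f"unicast to {egress}" if egress else f"flooded on VLAN {VLAN}"}
```

Without port security the second run shows server B's frames being flooded on VLAN 10 even though B is a legitimate host; with the shutdown violation mode the attacker's port is disabled on its first unknown source MAC and the table never fills.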
VLAN Management Policy Server (VMPS) allows you to dynamically assign VLANs to a port based on the source MAC address of a requesting client. A VMPS database file provides a mapping of VLANs to MAC addresses, which the switch uses to determine the validity of the requesting client's MAC address. The previously configured database file is downloaded from a TFTP server when VMPS is initially configured. VMPS uses VLAN Query Protocol (VQP) to communicate with clients. This protocol runs over UDP, is unauthenticated, and is sent in clear text. Cisco does not recommend VMPS because of the overhead associated with configuring and maintaining a VMPS database and the security concerns associated with the communication between the client and the switch.
802.1x
802.1x uses the Extensible Authentication Protocol (EAP) to authenticate a device before allowing it to forward any traffic to the switch. The supplicant (client) must be approved by the authenticator (switch). The authenticator uses a RADIUS server to authenticate client requests. If the client does not authenticate, link status is revoked and the client is not connected.
Problem Description-ARP Spoofing
Gratuitous ARPs can be used to perform an ARP spoofing attack. Before discussing gratuitous ARP attacks, you must first have a sound understanding of ARP and gratuitous ARP.
ARP request messages are placed in a frame that is broadcast to all devices on a segment. Each device on the segment receives the broadcast message and examines the IP address. Either the host that owns the IP address being requested or a router that knows the location of that host responds to the request by sending the requester the target MAC address via unicast.
When a host joins a network segment, it uses a gratuitous ARP (a broadcast message) to announce its IP address to other computers and devices residing on the network segment. If a device on the network does not already have an ARP entry for the announcing device, it will more than likely ignore the request.
However, this is not the case if the device already has an ARP entry for the device issuing gratuitous ARPs.
Figure 3-4 describes the ARP spoofing attack method. When server A ARPs for the MAC address of its default gateway (192.168.10.1), it places the response in its ARP table. Now, when the attacker sends a gratuitous ARP stating that it is 192.168.10.1, server A updates its ARP table and forwards traffic to the attacker, because server A thinks that the attacker's computer is its default gateway.
Figure 3-4 ARP Spoofing
The attacker is simply performing a man-in-the-middle (MIM) attack and may go undetected because all traffic still reaches its destination. This type of attack can be performed using well-known tools such as Ettercap.
A static ARP configuration can be used in an extremely secure data center environment, where security is more of a concern than the operational overhead associated with maintaining static ARP mappings.
To create a static ARP entry in CatOS perform the following:
dmaAccess1> (enable) set arp static ?
  <ip_addr>  IP address
Private VLANS
PVLANs can be utilized to provide Layer 2 isolation of data center servers residing in the same VLAN or broadcast domain. This feature provides an effective means of guarding against ARP-based attacks. Figure 3-5 provides an overview of an enterprise data center configured with PVLANs.
Figure 3-5 PVLANs in the Data Center
There are three primary PVLAN concepts shown in Figure 3-5: primary VLAN, isolated VLAN, and community VLAN. Each isolated and community VLAN is mapped to one or more primary VLANs. The primary VLAN provides the “gateway” through which the isolated and community VLANs are reached.
When a server is connected to a port that belongs to an isolated VLAN, the server can only talk with outside hosts through the primary VLAN and promiscuous port. The server is essentially “isolated” at Layer 2 from any other servers residing in the isolated VLAN. In Figure 3-5, the servers residing in isolated VLAN 20 are not able to send or receive Layer 2 broadcast messages from any other servers residing in VLAN 20.
When a server is connected to a port that belongs to a community VLAN, the server can communicate at Layer 2 with other servers residing within the same community VLAN. For the data center, community VLANs are very useful for servers that need to communicate with each other through Layer 2 broadcast messages, as used by clustering protocols and Nth-tier designs.
Configuring PVLANs initially can be a bit cumbersome. The following shows the basic steps for creating a promiscuous port, a primary VLAN, and a secondary isolated VLAN.
dmaAccess1> (enable) set vlan 11 pvlan primary         -'Create the Primary VLAN
VTP advertisements transmitting temporarily stopped,and will resume after the command finishes
Vlan 41 configuration successful
dmaAccess1> (enable) show pvlan
Primary Secondary Secondary-Type Ports
------- --------- -------------- -----
11      -         -
dmaAccess1> (enable) set vlan 12 pvlan isolated        -'Create the isolated VLAN
VTP advertisements transmitting temporarily stopped,and will resume after the command finishes
Vlan 42 configuration successful
dmaAccess1> (enable) set pvlan 11 12 3/2-3              -'Map the primary VLAN to the secondary
Successfully set the following ports to Private Vlan 11,12:3/2-3
dmaAccess1> (enable) set pvlan mapping 11 12 1/1        -'Map the PVLAN to a port
Successfully set mapping between 11 and 12 on 1/1
The Catalyst 4000 and 6500 switches offer full support for PVLANs. Besides the normal operations mentioned above, which already provide a means of mitigating Layer 2 attacks, PVLANs support additional features that also guard against ARP spoofing attacks. Sticky ARP can be used to mitigate default gateway attacks, and ARP entries learned through PVLAN ports do not age out. The Catalyst 2950 and 3550 switches provide stripped-down support for PVLANs through the PVLAN edge feature. This feature provides functionality similar to the isolated VLAN configuration by not allowing Layer 2 access between any servers residing on PVLAN edge ports.
ARP Inspection
ARP Inspection is a feature that allows you to use VLAN access control lists (VACLs) to deny or permit ARP traffic within a VLAN. To prevent ARP spoofing, the ARP Inspection feature can tie a specific MAC and IP address together; for example, a default gateway (router) and its MAC address.
Note ARP Inspection is a new feature available in CatOS 7.5 and later and requires the use of a Supervisor 2.
default-gateway editbuffer modified. Use 'commit' command to apply changes.
Deny any other MAC addresses with an IP address of 10.14.0.1.
dmaAccess1> (enable) set security acl ip default-gateway deny arp-inspection host 10.14.0.1 any
default-gateway editbuffer modified. Use 'commit' command to apply changes.
Permit any other ARP traffic. Because there is an implicit deny all at the end of the access list, there must be a permit statement for any other traffic that must be allowed.
dmaAccess1> (enable) set security acl ip default-gateway permit arp-inspection any any
default-gateway editbuffer modified. Use 'commit' command to apply changes.
The access list must be committed to memory:
dmaAccess1> (enable) commit security acl default-gateway
dmaAccess1> (enable) ACL commit in progress.
The access list must now be mapped to a VLAN:
dmaAccess1> (enable) set security acl map default-gateway 11
Mapping in progress.
Figure 3-6 shows a data center host attempting to represent itself as the default gateway.
Figure 3-6 Data Center Host Represented as the Default Gateway
When traffic is received from the host attempting to represent itself as 10.14.0.1, the packets are denied. The following output shows the log messages created when these packets are denied.
2003 Feb 26 09:37:46 %ACL-5-ARPINSPECTPKTDENIED2:ARP Payload: Source IP 10.14.0.1 and source MAC 00-05-31-45-28-7c Port 15/1 on vlan 11
2003 Feb 26 09:38:07 %ACL-5-ARPINSPECTPKTDENIED2:ARP Payload: Source IP 10.14.0.1 and source MAC 00-05-31-45-28-7c Port 15/1 on vlan 11
2003 Feb 26 09:38:28 %ACL-5-ARPINSPECTPKTDENIED2:ARP Payload: Source IP 10.14.0.1 and source MAC 00-05-31-45-28-7c Port 15/1 on vlan 11
Use the following show command to monitor the forwarded and dropped packet counters:
dmaAccess1> (enable) sh security acl arp-inspection statistics
ARP Inspection statistics
Packets forwarded                           = 931
Packets dropped                             = 67
RARP packets (forwarded)                    = 0
Packets for which Match-mac failed          = 0
Packets for which Address Validation failed = 0
IP packets dropped                          = 0
Additional information on ARP Inspection can be found in the CatOS 7.5 configuration guide.
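The gratuitous ARP behaviour described in the ARP spoofing section, the default-gateway ARP Inspection ACL configured above, and triage of the resulting denial messages, as an added model in Python (not Cisco code). The gateway 10.14.0.1, VLAN 11, the log format and the MAC 00-05-31-45-28-7c come from the text; the gateway's MAC, the other hosts and the extra log line are constructed, and the command form of the first permit line is assumed.

```python
"""Gratuitous-ARP spoofing, the ARP Inspection VACL that blocks it, and triage of
the resulting syslog messages, modelled in Python (added example, not Cisco code).
The gateway 10.14.0.1, VLAN 11, the log format and the MAC 00-05-31-45-28-7c come
from the text; the gateway MAC, the other hosts and the extra log line are constructed."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

GATEWAY_IP = "10.14.0.1"
GATEWAY_MAC = "00-00-0c-07-ac-0b"      # constructed: the real default gateway's MAC
SPOOFER_MAC = "00-05-31-45-28-7c"      # MAC reported in the denial messages above

class ArpCache:
    """Host-side cache with the gratuitous-ARP behaviour described in the text: an
    announcement for an IP that is already cached overwrites the entry, one for an
    unknown IP is ignored."""

    def __init__(self) -> None:
        self.table = {}

    def learn_reply(self, ip: str, mac: str) -> None:
        self.table[ip] = mac.lower()      # unicast answer to the host's own ARP request

    def gratuitous(self, ip: str, mac: str) -> bool:
        if ip not in self.table:
            return False
        self.table[ip] = mac.lower()
        return True

@dataclass(frozen=True)
class ArpRule:
    action: str            # "permit" or "deny"
    ip: Optional[str]      # sender IP to match; None matches any
    mac: Optional[str]     # sender MAC to match; None matches any

# The default-gateway ACL of the text, in order. The first entry corresponds to
# 'set security acl ip default-gateway permit arp-inspection host 10.14.0.1 <mac>'
# (command form assumed; only its output line appears above).
DEFAULT_GATEWAY_ACL = [
    ArpRule("permit", GATEWAY_IP, GATEWAY_MAC),
    ArpRule("deny", GATEWAY_IP, None),    # deny arp-inspection host 10.14.0.1 any
    ArpRule("permit", None, None),        # permit arp-inspection any any
]

def arp_inspect(acl, sender_ip: str, sender_mac: str) -> str:
    """First matching rule wins; no match means the implicit deny at the end."""
    for rule in acl:
        if (rule.ip is None or rule.ip == sender_ip) and \
                (rule.mac is None or rule.mac == sender_mac.lower()):
            return rule.action
    return "deny"

def deliver_gratuitous_arp(victim: ArpCache, sender_ip: str, sender_mac: str,
                           acl=None) -> str:
    """Pass the announcement through ARP Inspection (when an ACL is mapped to the
    VLAN) and then through the victim's cache; returns what happened to it."""
    if acl is not None and arp_inspect(acl, sender_ip, sender_mac) == "deny":
        return "dropped by ARP Inspection"
    return "cache updated" if victim.gratuitous(sender_ip, sender_mac) else "ignored by host"

def demo() -> dict:
    """Server A learns the real gateway, then the spoofer claims 10.14.0.1 twice:
    once on a VLAN without ARP Inspection and once with the ACL mapped."""
    server_a = ArpCache()
    server_a.learn_reply(GATEWAY_IP, GATEWAY_MAC)
    unprotected = deliver_gratuitous_arp(server_a, GATEWAY_IP, SPOOFER_MAC)
    hijacked = server_a.table[GATEWAY_IP] == SPOOFER_MAC
    server_a.learn_reply(GATEWAY_IP, GATEWAY_MAC)         # start again from a clean entry
    protected = deliver_gratuitous_arp(server_a, GATEWAY_IP, SPOOFER_MAC, DEFAULT_GATEWAY_ACL)
    return {"unprotected": unprotected, "hijacked": hijacked, "protected": protected,
            "gateway_intact": server_a.table[GATEWAY_IP] == GATEWAY_MAC}

LOG_RE = re.compile(r"%ACL-5-ARPINSPECTPKTDENIED2:ARP Payload: Source IP (?P<ip>\S+) "
                    r"and source MAC (?P<mac>\S+) Port (?P<port>\S+) on vlan (?P<vlan>\d+)")

# The three denial messages shown above plus one constructed unrelated message.
SAMPLE_LOG = [
    "2003 Feb 26 09:37:46 %ACL-5-ARPINSPECTPKTDENIED2:ARP Payload: Source IP 10.14.0.1 "
    "and source MAC 00-05-31-45-28-7c Port 15/1 on vlan 11",
    "2003 Feb 26 09:38:07 %ACL-5-ARPINSPECTPKTDENIED2:ARP Payload: Source IP 10.14.0.1 "
    "and source MAC 00-05-31-45-28-7c Port 15/1 on vlan 11",
    "2003 Feb 26 09:38:28 %ACL-5-ARPINSPECTPKTDENIED2:ARP Payload: Source IP 10.14.0.1 "
    "and source MAC 00-05-31-45-28-7c Port 15/1 on vlan 11",
    "2003 Feb 26 09:40:01 %SYS-5-MOD_OK:Module 3 is online",   # constructed
]

def denials_by_source(log_lines) -> Counter:
    """Count denials per (port, vlan, claimed IP, MAC): which port is impersonating whom."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            hits[(m["port"], int(m["vlan"]), m["ip"], m["mac"].lower())] += 1
    return hits
```

The counter keyed by port is what turns the repeated denial messages into a lead: three denials from port 15/1 claiming the gateway address point at one host to investigate.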
Problem Description-PVLAN Vulnerabilities
PVLANs work by forcing Layer 2 isolation between hosts residing on the same segment. As shown in Figure 3-7, when the attacker forwards packets with the destination MAC and IP address of the victim, PVLANs prohibit the forwarding of the packet by enforcing the PVLAN isolated VLAN rules.
Figure 3-7 PVLAN Enforcement
What if the attacker changed the destination MAC address to that of the router or MSFC and did not change the destination IP address? In the example shown in Figure 3-8, the attacker sends out a packet that has the destination MAC address of the router (Mac:C) but, instead of changing the IP address, keeps the same destination IP address (IP:2).
Figure 3-8 Bypassing PVLAN Restrictions
The PVLAN security works as expected. This is not a PVLAN issue, because the rules were enforced as expected. Because the packet has the destination MAC address of the default gateway, the PVLAN does not block the packet. It is forwarded to the router as expected. The router also simply forwards the packet to the destination IP address (IP:2), as expected. Therefore, the intended PVLAN security is bypassed.
Solution
VACLs
To prevent this type of bypass and to prevent an attacker from exploiting a server residing in a PVLAN, you can configure VACLs on the switch, as well as ACLs on the inbound MSFC or router interface. The ACLs prevent any packet with a source address of a PVLAN from being forwarded to a destination
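The forwarding paths of Figures 3-7 and 3-8 and the server-subnet ACL that closes the bypass, as an added model in Python (not Cisco code). The server VLAN 10.14.0.0/24 and gateway 10.14.0.1 are taken from the ARP Inspection example above; the host names, MACs, the victim and attacker addresses and the off-subnet destination are constructed.

```python
"""PVLAN isolation, the Layer 3 bypass through the promiscuous port, and the router
ACL that closes it, modelled in Python (added example, not Cisco code). The server
VLAN 10.14.0.0/24 and gateway 10.14.0.1 come from the examples above; the hosts,
MACs, ports and the off-subnet destination are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

SERVER_NET = ipaddress.ip_network("10.14.0.0/24")

@dataclass(frozen=True)
class Host:
    name: str
    mac: str
    ip: str
    port_type: str                     # "isolated", "community" or "promiscuous"
    community: Optional[str] = None    # community name, for community ports only

@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str

def pvlan_allows(src: Host, dst: Host) -> bool:
    """Layer 2 forwarding rules of a private VLAN between two ports."""
    if "promiscuous" in (src.port_type, dst.port_type):
        return True                    # every secondary port may reach the primary VLAN side
    if src.port_type == dst.port_type == "community":
        return src.community == dst.community
    return False                       # isolated ports never reach another secondary port

def acl_denies(pkt: Packet) -> bool:
    """Inbound ACL on the MSFC/router interface, as recommended in the text: a packet
    sourced from the server subnet must not also be destined to the server subnet.
    (Traffic to the gateway address itself would need its own permit line; omitted.)"""
    return (ipaddress.ip_address(pkt.src_ip) in SERVER_NET
            and ipaddress.ip_address(pkt.dst_ip) in SERVER_NET)

def deliver(pkt: Packet, hosts: list, router: Host, acl_on_router: bool) -> str:
    """Trace one frame through the PVLAN switch and, if addressed to the router, through it."""
    by_mac = {h.mac: h for h in hosts}
    src, dst = by_mac[pkt.src_mac], by_mac.get(pkt.dst_mac)
    if dst is None:
        return "unknown destination MAC"
    if not pvlan_allows(src, dst):
        return f"dropped by PVLAN rules ({src.port_type} -> {dst.port_type})"
    if dst is not router:
        return f"delivered at Layer 2 to {dst.name}"
    # The frame reached the router's promiscuous port; from here the router routes by IP.
    if acl_on_router and acl_denies(pkt):
        return "dropped by router ACL (server subnet to server subnet)"
    if ipaddress.ip_address(pkt.dst_ip) not in SERVER_NET:
        return f"routed off the server subnet by {router.name}"
    target = next((h for h in hosts if h.ip == pkt.dst_ip), None)
    if target is None or target is router:
        return f"consumed by {router.name}"
    # The router rewrites the destination MAC and sends the packet back out of its
    # promiscuous port, which every isolated port is allowed to receive from.
    assert pvlan_allows(router, target)
    return f"routed back into the PVLAN and delivered to {target.name}"

# Constructed topology for Figures 3-7 and 3-8
ROUTER = Host("MSFC", "00-00-0c-07-ac-0b", "10.14.0.1", "promiscuous")
VICTIM = Host("victim", "00-d0-b7-00-00-02", "10.14.0.2", "isolated")
ATTACKER = Host("attacker", "00-d0-b7-00-00-01", "10.14.0.12", "isolated")
HOSTS = [ROUTER, VICTIM, ATTACKER]

def scenarios(acl_on_router: bool) -> dict:
    """Figure 3-7 (victim MAC), Figure 3-8 (router MAC, victim IP) and a legitimate
    off-subnet packet, each with or without the ACL on the router interface."""
    direct = Packet(ATTACKER.mac, VICTIM.mac, ATTACKER.ip, VICTIM.ip)
    via_router = Packet(ATTACKER.mac, ROUTER.mac, ATTACKER.ip, VICTIM.ip)
    legit = Packet(ATTACKER.mac, ROUTER.mac, ATTACKER.ip, "192.168.50.5")   # constructed
    return {"direct": deliver(direct, HOSTS, ROUTER, acl_on_router),
            "via_router": deliver(via_router, HOSTS, ROUTER, acl_on_router),
            "off_subnet": deliver(legit, HOSTS, ROUTER, acl_on_router)}
```

The off-subnet case is the regression check for the ACL: the rule must stop the reflected server-to-server packet while leaving normal traffic through the gateway untouched.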