Page 1: Securing the Data Plane on Cisco Catalyst Switches
Page 2: Topics covered in this chapter include the following:
• An introduction to fundamental switching concepts, starting with the building blocks of VLANs and trunking
• An introduction to other building blocks of switching technology, including Spanning Tree Protocol for high availability
• A revisit and further explanation of security threats that exploit vulnerabilities in the switching infrastructure
• A description of how to plan and develop a strategy for protecting the data plane
• A description of the Spanning Tree Protocol Toolkit found on Cisco IOS routers that prevents STP operations from having an impact on the
Page 3:
• Configuring VLANs and Trunks
• Configuring Inter-VLAN Routing
• Spanning Tree Overview
• STP 802.1D, RSTP, PVRST+ …
Page 4: Mitigating Layer 2 Attacks
Page 5: Domino Effect If Layer 2 Is Compromised
Layer 2 independence enables interoperability and interconnectivity.
However, from a security perspective, Layer 2 independence creates a challenge because a compromise at one layer is not always known by the other layers.
If the initial attack comes in at Layer 2, the rest of the network can be compromised in an instant.
Network security is only as strong as the weakest link, and that link might be the data link layer.
Page 6: Layer 2 Best Practices
The following list suggests Layer 2 security best practices. All of these suggestions are dependent upon your security policy.
• Manage switches in as secure a manner as possible (SSH, OOB, permit lists, and so on).
• Whenever practical, declare the VLAN IDs allowed on trunk ports with the switchport trunk allowed vlan command.
• Do not use VLAN 1 for anything.
• Set all user ports to nontrunking (unless you are using Cisco VoIP).
• Use port security where possible for access ports.
• Selectively use SNMP and treat community strings like root passwords.
Page 7: Layer 2 Protection Toolkit
[Figure: Components of the Layer 2 Protection Toolkit]
Page 8: Mitigating VLAN Attacks
• VLAN Hopping
Page 9: Mitigating VLAN Hopping by Rogue Trunk
• By default, most switches support Dynamic Trunking Protocol (DTP), which automatically tries to negotiate trunk links and is capable of using either ISL or 802.1q.
Page 10: VLAN Hopping by Rogue Trunk
A VLAN hopping attack can be launched in one of two ways:
• Spoofing DTP messages from the attacking host to cause the switch to enter trunking mode: from here, the attacker can send traffic tagged with the target VLAN, and the switch then delivers the packets to the destination.
• Introducing a rogue switch and turning trunking on: the attacker can then access all the VLANs on the victim switch from the rogue switch.
Page 11: VLAN Hopping Attack - Double-Tagging
• Involves tagging transmitted frames with two 802.1q headers in order to forward the frames to the wrong VLAN. The first switch strips the outer tag when it matches the trunk's native VLAN, so the next switch forwards the frame according to the VLAN identifier in the second 802.1q header.
Mitigation techniques include ensuring that the native VLAN of the trunk ports is different from the native VLAN of the user ports.
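To show why the native-VLAN and allowed-VLAN recommendations on these slides defeat double tagging, here is a simplified model of 802.1Q trunk forwarding that can be run against a trunk configuration; it is an added example, not code from the slides. It assumes that an access port accepts a frame tagged with its own VLAN, and the VLAN numbers used are made up.

```python
# Added example (not from the slides): a simplified model of 802.1Q trunk
# forwarding, used to check whether a given trunk configuration lets a
# double-tagged frame end up in another VLAN. Assumptions: the access port
# accepts a frame tagged with its own VLAN; VLAN numbers are made up.
from dataclasses import dataclass, field
from typing import Optional, Set

@dataclass
class TrunkConfig:
    native_vlan: int                          # trunk's native VLAN
    allowed_vlans: Set[int] = field(default_factory=lambda: set(range(1, 4095)))
    tag_native: bool = False                  # native VLAN frames also sent tagged

def trunk_egress(frame_vlan: int, inner_tag: Optional[int], trunk: TrunkConfig):
    """Tag seen on the wire when the sending switch puts a frame of frame_vlan
    on the trunk. A native-VLAN frame is sent untagged (unless tag_native), so
    a second 802.1q header buried in the payload (inner_tag) becomes the
    visible tag. Returns None for an untagged frame."""
    if frame_vlan == trunk.native_vlan and not trunk.tag_native:
        return inner_tag                      # outer tag stripped
    return frame_vlan                         # inner tag stays buried in payload

def trunk_ingress(wire_tag: Optional[int], trunk: TrunkConfig) -> Optional[int]:
    """VLAN the receiving switch assigns to a frame carrying wire_tag
    (None = untagged, so native VLAN); None if the trunk does not allow it."""
    vlan = trunk.native_vlan if wire_tag is None else wire_tag
    return vlan if vlan in trunk.allowed_vlans else None

def delivered_vlan(access_vlan, outer_tag, inner_tag, send_trunk, recv_trunk):
    """Final VLAN of a frame sent from an access port in access_vlan carrying
    outer_tag and inner_tag, after crossing the trunk; None = dropped."""
    if outer_tag != access_vlan:
        return None                           # access port rejects a foreign tag
    if access_vlan not in send_trunk.allowed_vlans:
        return None                           # pruned from the trunk
    return trunk_ingress(trunk_egress(access_vlan, inner_tag, send_trunk), recv_trunk)

def weak_spots(trunk: TrunkConfig, user_vlans: Set[int]):
    """Best-practice checks from the slides: the native VLAN must not be a
    user VLAN (or VLAN 1), and the allowed VLAN list should be declared."""
    issues = []
    if trunk.native_vlan in user_vlans or trunk.native_vlan == 1:
        issues.append("native VLAN is a user VLAN or VLAN 1")
    if not trunk.allowed_vlans <= user_vlans | {trunk.native_vlan}:
        issues.append("trunk allows VLANs beyond the declared user VLANs")
    return issues
```

With the default trunk (native VLAN 1, all VLANs allowed) a frame from VLAN 1 tagged 1/20 is delivered in VLAN 20; moving the native VLAN to an unused number, tagging the native VLAN, or restricting the allowed list each keeps it out.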
Page 12: STP Attack
• The attacking host broadcasts STP configuration and topology change BPDUs to force spanning-tree recalculations.
• The BPDUs sent by the attacking host announce a lower bridge priority in an attempt to be elected as the root bridge.
• If successful, the attacking host becomes the root bridge and sees a variety of frames that otherwise are not accessible.
Page 13: PortFast
• It should only be used on access ports! Enabling PortFast on a port that connects to another switch risks creating a spanning-tree loop.
Page 14:
• Enable PortFast on a Layer 2 access port and force it to enter the forwarding state immediately.
• Disable PortFast on a Layer 2 access port (by default, PortFast is disabled).
Page 15: BPDU Guard Enabled
• To enable BPDU guard on all PortFast-enabled ports, use the global configuration command
Page 16:
• To enable BPDU filtering on all PortFast-enabled ports, use the global configuration command:
• To enable BPDU filtering on an interface, without having to enable PortFast, use the interface configuration command:
Page 17: Root Guard
• Root guard is best deployed toward ports that connect to switches that should not be the root bridge, using the interface configuration command:
Switch(config-if)# spanning-tree guard root
[Figure: the legitimate root bridge (Priority = 0, MAC Address = 0000.0c45.1a5d) and an attacker sending an STP BPDU with Priority = 0, MAC Address = 0000.0c45.1234; root guard is enabled on the port facing the attacker, and ports are marked F (forwarding) or B (blocking)]
Page 18: Mitigating MAC Spoofing and MAC Table Overflow Attacks
Page 19: MAC Address Table Overflow Attack
• The attacker uses macof to generate multiple packets with spoofed source MAC addresses.
• Over a short period of time, the MAC address table fills and no longer accepts new entries; as long as the flooding continues, the MAC address table remains full.
• The switch starts to broadcast (flood) all packets that it receives out every port, making it behave like a hub.
• The attacker can now sniff packets destined for the servers.
[Figure: VLAN 10. An attacker wishes to sniff packets destined to Servers A and B. To do so, he launches a MAC flood attack.]
Pages 20-23: MAC Address Spoofing
Mitigation techniques include configuring port security.
Page 24: Using Port Security
• To prevent MAC spoofing and MAC table overflows, enable port security.
• Port security can be used to statically specify MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses.
• By limiting the number of permitted MAC addresses on a port to one, port security can be used to control unauthorized expansion of the network.
Page 25: Enable Port Security
• Set the interface to access mode.
Switch(config-if)# switchport mode access
• Enable port security on the interface.
Switch(config-if)# switchport port-security
Page 26:
• Set the maximum number of secure MAC addresses for the interface (optional).
• The range is 1 to 132. The default is 1.
• Enter a static secure MAC address for the interface (optional).
• Enable sticky learning on the interface (optional).
Page 27: Establish the Violation Rules
• Set the violation mode (optional).
• The default is shutdown.
Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}
Page 28: Errdisable Recovery
The errdisable recovery feature also allows you to monitor spanning tree violations.
Page 29: Port Aging
• Port security aging can be used to set the aging time for static and dynamic secure addresses on a port.
• Two types of aging are supported per port:
  • Absolute: the secure addresses on the port are deleted after the specified aging time.
  • Inactivity: the secure addresses on the port are deleted only if they are inactive for the specified aging time.
Switch(config-if)# switchport port-security aging {static | time minutes | type {absolute | inactivity}}
Page 30: Sample Port Security Configuration
S2(config-if)# switchport mode access
S2(config-if)# switchport port-security
Page 31: show port-security Command
SW2# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
               (Count)       (Count)        (Count)
---------------------------------------------------------------------------
   Fa0/12           2             0              0            Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024

SW2# show port-security interface f0/12
Port Security              : Enabled
Port status                : Secure-down
Violation mode             : Shutdown
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Aging time                 : 120 mins
Aging type                 : Absolute
SecureStatic address aging : Disabled
Security Violation Count   : 0

SW2# show port-security address
          Secure Mac Address Table
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024
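A small monitoring script that parses the show port-security output in the format shown above and flags ports with recorded violations, ports already at their secure-address limit, and a port err-disabled by port security; this is an added example, not part of the slides. The sample text is constructed: the slide's Fa0/12 line plus an invented Fa0/13 that has logged violations, and the field names are assumptions.

```python
# Added example (not from the slides): parse the "show port-security" summary
# table and per-interface output and flag ports that need attention.
# Sample text is constructed: the slide's Fa0/12 line plus an invented Fa0/13.
import re

SUMMARY_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")

SAMPLE_SUMMARY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
---------------------------------------------------------------------------
   Fa0/12           2             0              0            Shutdown
   Fa0/13           1             1              3            Restrict
Total Addresses in System (excluding one mac per port)     : 0
"""
SAMPLE_INTERFACE = """\
Port Security              : Enabled
Port status                : Secure-down
Maximum MAC Addresses      : 2
Security Violation Count   : 0
"""

def parse_summary(text):
    """{port: {max, current, violations, action}}; header, separator and
    total lines do not match the five-column pattern and are skipped."""
    ports = {}
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            port, mx, cur, viol, action = m.groups()
            ports[port] = {"max": int(mx), "current": int(cur),
                           "violations": int(viol), "action": action}
    return ports

def parse_interface(text):
    """{field: value} from 'show port-security interface' output."""
    fields = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if sep:
            fields[key.strip()] = val.strip()
    return fields

def findings(summary, interface=None):
    """(port, reason) pairs worth alerting on."""
    out = []
    for port, p in summary.items():
        if p["violations"] > 0:
            out.append((port, f"{p['violations']} violations, action {p['action']}"))
        if p["current"] >= p["max"]:
            out.append((port, "secure-address limit reached; next new MAC violates"))
    if interface and interface.get("Port status") == "Secure-shutdown":
        out.append(("interface", "err-disabled by port security"))
    return out
```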
Page 32: Using SNMP to Monitor Access to Switch Port
Page 33: MAC Address Notification
• The MAC Address Notification feature sends SNMP traps to the network management station (NMS) whenever a new MAC address is added to or an old address is deleted from the forwarding tables.
Switch(config)# mac address-table notification
Page 35: Mitigating ARP Spoofing
Dynamic ARP Inspection (DAI) determines the validity of an ARP packet based on the MAC address-to-IP address bindings stored in a DHCP snooping database.
• Dynamic ARP Inspection:
• IP Source Guard