
CCNP 3 v4 Module 7 Minimizing Service Loss and Data Theft in a Switched Network


Presentation Transcript


  1. CCNP 3 v4 Module 7 Minimizing Service Loss and Data Theft in a Switched Network

  2. Objectives • Switch Security Issues • Mitigating VLAN attacks • Mitigating Spoof Attacks • Implementing Authentication, Authorization and Accounting – AAA • Defending Network Switches

  3. Overview • This module describes measures to secure Cisco multilayer switches based on the Cisco SAFE blueprint. • Cisco has implemented a number of device-level countermeasures to defend individual devices as well as the entire network from security threats. • In this module we spell out possible vulnerabilities, define threats, and describe the countermeasures that should be implemented to mitigate security risks.

  4. Switch Security Concerns • Network security coverage often focuses on perimeter devices and the filtering of packets based upon Layer 3 and 4 headers, ports, stateful packet inspection and VPNs. • Campus Access devices and Layer 2 communication are left largely unconsidered in most security discussions.

  5. Firewalls, Routers and Switches • Firewalls, placed at the organizational borders, ship in a closed operational mode and allow no communication until configured to do so. • The opposite is true for routers and switches. • Unlike firewalls, routers and switches have a default operational mode that forwards all traffic unless configured otherwise, so every hardening step on them is something you must add.

  6. Securing more than the perimeter

  7. Layer 2 Attacks • Attacks launched against switches and at Layer 2 can be grouped as follows: • MAC Layer Attacks • VLAN Attacks • Spoof Attacks • Attacks on Switch Devices

  8. MAC Flooding Attack

  9. MAC Flooding • A common Layer 2 attack is MAC flooding, which overflows the CAM table and causes the switch to flood regular data frames out all ports in the VLAN. • A network intruder floods a switch with a large number of frames carrying fabricated source MAC addresses (tools such as macof from dsniff do this at thousands of frames per second). • Once the CAM table is full the switch cannot create additional entries, so legitimate addresses that age out can no longer be relearned. • Frames to those destinations are treated as unknown unicast and flooded out every port in the VLAN (the switch behaves like a hub for that traffic). • The intruding device, attached to any port in the VLAN, can now capture the flooded traffic; it does not see frames whose destination is still in the CAM table, which is why the attacker keeps flooding continuously.

  10. Mitigation for MAC Flood Attacks • Configure Port Security to define the number of MAC addresses that are allowed on a given port. • Port security can also specify what MAC address is allowed on a given port. • Sticky configuration with maximum MAC address count.

  11. Port Security • Port security restricts a switch port to a specific set and/or number of MAC addresses. • Addresses can be learned dynamically or configured statically. • To dynamically learn and then pin a set of MAC addresses on an interface, use the "sticky" configuration. • When configured on an interface, the interface converts dynamically learned addresses to "sticky secure" addresses and writes them into the running configuration; save the configuration (copy running-config startup-config) or they are lost on reload. • The sticky configuration cannot be applied to trunk ports. • The switchport must be in switchport mode access.
Switch(config-if)# switchport port-security mac-address sticky

  12. Port Security Configuration
Switch(config)#int fa0/1
Switch(config-if)#switchport port-security
Command rejected: Fa0/1 is not an access port.
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#switchport port-security maximum 4
Switch(config-if)#switchport port-security violation ?
  protect   Security violation protect mode
  restrict  Security violation restrict mode
  shutdown  Security violation shutdown mode

  13. show port-security

  14. show port-security address

  15. Caveats to Port Security Configuration • Port security is enabled on a port-by-port basis. • By default, only one MAC address is allowed through a given switch port when port security is enabled. • Static secure MAC addresses configured on a switchport count against the maximum, so a maximum of 1 with one static entry leaves no room for a dynamically learned address. • The default violation action is shutdown.

  16. Switchport Violation Actions • There are three violation actions that can be configured on a secure port: • Protect – frames from non-allowed addresses are dropped, but no log message is generated and the violation counter is not incremented, so the attack is invisible unless you monitor for it some other way. • Restrict – frames from non-allowed addresses are dropped, a syslog message and SNMP trap are generated and the violation counter is incremented. • Shutdown – if any frame is seen from a non-allowed address, the interface is placed in errdisable and a log message is created. • To bring a switchport out of errdisable, use shutdown followed by no shutdown in interface configuration mode, or configure automatic recovery with errdisable recovery cause psecure-violation (the interval is set with errdisable recovery interval). • Shutdown is the default violation action.
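The following is an added example, not part of the course material or Cisco code: a small Python model of a CAM table under the MAC flooding attack from slide 9, with the port-security maximum and the three violation modes from slides 10 to 16 layered on top. Port names, MAC addresses and the CAM capacity are constructed; aging is an explicit step instead of a timer, and there is a single table instead of one per VLAN.

```python
"""Constructed model of a Catalyst CAM table under MAC flooding, plus
port-security 'maximum' and the protect/restrict/shutdown violation modes.
Added example for this page; it is not Cisco code and simplifies real
behaviour (no per-VLAN tables, aging is an explicit step, no rate limits)."""
import random
from collections import OrderedDict

FLOOD = "FLOOD"                      # frame sent out every port in the VLAN
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, cam_capacity):
        self.cam_capacity = cam_capacity
        self.cam = OrderedDict()        # MAC -> port
        self.port_security = {}         # port -> {"maximum", "violation", "secure"}
        self.errdisabled = set()
        self.violation_count = {}       # port -> counted violations

    def enable_port_security(self, port, maximum=1, violation="shutdown"):
        assert violation in ("protect", "restrict", "shutdown")
        self.port_security[port] = {"maximum": maximum,
                                    "violation": violation, "secure": set()}
        self.violation_count[port] = 0

    def age_out(self):
        """Stand-in for the CAM aging timer: every dynamic entry expires."""
        self.cam.clear()

    def _secure_check(self, port, src):
        """Port-security decision: True if the frame may be processed."""
        ps = self.port_security.get(port)
        if ps is None or src in ps["secure"]:
            return True
        if len(ps["secure"]) < ps["maximum"]:
            ps["secure"].add(src)       # dynamically learned secure address
            return True
        if ps["violation"] == "protect":    # dropped silently: no log, no counter
            return False
        self.violation_count[port] += 1     # restrict/shutdown: logged and counted
        if ps["violation"] == "shutdown":
            self.errdisabled.add(port)      # interface goes err-disabled
        return False

    def receive(self, port, src, dst):
        """Process one frame: returns the egress port, FLOOD, or None if dropped."""
        if port in self.errdisabled or not self._secure_check(port, src):
            return None
        if src in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[src] = port        # otherwise the table is full: not learned
        if dst == BROADCAST:
            return FLOOD
        return self.cam.get(dst, FLOOD)  # unknown unicast is flooded


def run_scenario(secure_attacker_port, cam_capacity=100, attacker_frames=1000):
    """Alice (Fa0/1) talks to Bob (Fa0/2); the attacker floods from Fa0/3.
    Returns (egress of Alice->Bob before the attack, egress after,
    attacker port err-disabled?, number of CAM entries)."""
    sw = Switch(cam_capacity)
    if secure_attacker_port:
        sw.enable_port_security("Fa0/3", maximum=1, violation="shutdown")
    alice, bob = "00:00:00:aa:aa:aa", "00:00:00:bb:bb:bb"   # constructed
    sw.receive("Fa0/1", alice, BROADCAST)   # Alice ARPs; learned on Fa0/1
    sw.receive("Fa0/2", bob, alice)         # Bob answers; learned on Fa0/2
    before = sw.receive("Fa0/1", alice, bob)   # known unicast: Fa0/2 only

    rng = random.Random(7)
    def random_mac():
        return "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))
    for _ in range(attacker_frames):        # macof-style flood of bogus sources
        sw.receive("Fa0/3", random_mac(), BROADCAST)
    sw.age_out()                            # legitimate entries expire ...
    for _ in range(attacker_frames):        # ... while the attacker keeps going
        sw.receive("Fa0/3", random_mac(), BROADCAST)
    sw.receive("Fa0/2", bob, alice)         # Bob tries to be relearned

    after = sw.receive("Fa0/1", alice, bob)
    return before, after, "Fa0/3" in sw.errdisabled, len(sw.cam)


if __name__ == "__main__":
    print("no port security :", run_scenario(False))
    print("maximum 1/shutdown:", run_scenario(True))
```

Without port security the second call shows Alice's unicast to Bob being flooded after the table fills; with maximum 1 and violation shutdown the attacker's second bogus source err-disables Fa0/3, the table never fills, and the Alice-to-Bob frame keeps going only to Fa0/2.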

  17. VLAN Hopping • VLAN hopping is a network attack whereby an end system sends packets to, or collects them from, a VLAN that should not be accessible to that end system. • VLAN Hopping can be accomplished by Switch Spoofing or Double Tagging http://www.sans.org/resources/idfaq/vlan.php http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a008014870f.shtml http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml

  18. Switch Spoofing • In a switch spoofing attack, the attacker configures a system to impersonate a switch by emulating ISL or 802.1Q signaling and speaking DTP. • This lets the end system negotiate a trunk link with the switch and then send and receive tagged frames for every VLAN carried on that trunk. • Remember that Catalyst switchports of this era default to dynamic desirable (newer platforms default to dynamic auto, which still accepts a trunk negotiation initiated by the attacker). • The solution to switch spoofing is to configure all edge ports as static access ports and to disable DTP on them with switchport nonegotiate; real trunks should likewise be set statically with DTP disabled. • Changing the native VLAN from the default of 1 does not stop trunk negotiation; it is the countermeasure for the other VLAN hopping method, double tagging, which only works when the attacker's access VLAN equals the trunk's native VLAN, so put the native VLAN on an unused VLAN. • On platforms that support ISL as well as 802.1Q, set switchport trunk encapsulation dot1q before switchport mode trunk.
Switch(config)# interface range fa0/1 - 20
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport nonegotiate
Switch(config)# interface fa0/24
Switch(config-if)# switchport trunk native vlan 999
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport nonegotiate

  19. Private VLANs • Private VLANs provide traffic isolation between ports although they may exist on the same Layer 3 segment and VLAN. • Private VLANs (PVLANs) can be implemented on Catalyst 4500s and 6500s to keep some switch ports shared and some switch ports isolated, although all ports exist on the same VLAN. • The 2950 and 3550 support "protected ports" which is functionally similar to PVLANs on a per switch basis.

  20. Private VLAN Port Types A port in a PVLAN can be one of three types: • Isolated An isolated port has complete Layer 2 separation from other ports within the same PVLAN except for the promiscuous port. • Traffic received from an isolated port is forwarded only to promiscuous ports. • Promiscuous A promiscuous port can communicate with all ports within the PVLAN, including the community and isolated ports. • The default gateway for the segment would likely be hosted on a promiscuous port. • Community Community ports communicate among themselves and with their promiscuous ports. • These interfaces are isolated at Layer 2 from all other interfaces in other communities. http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/pvlans.htm

  21. Private VLAN Configuration Guidelines • VTP does not support private VLANs so you must configure your VTP mode to transparent and manually add each primary and the associated private VLANs to each switch. • VLAN 1 and VLANs 1002 – 1005 cannot be private VLANs. • A primary VLAN can have one isolated VLAN and multiple community VLANs. • An isolated or community VLAN can have only one primary VLAN associated with it. • If you delete a VLAN used in the private VLAN configuration, the private VLAN ports associated with the VLAN become inactive • Private VLAN ports can be on different network devices if the devices are trunk-connected and the primary and secondary VLANs have not been removed from the trunk. • All primary, isolated, and community VLANs associated within a private VLAN must maintain the same topology across trunks. http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/pvlans.htm

  22. Private VLAN Configuration Example
Router# configure terminal
Router(config)# vlan 202
Router(config-vlan)# private-vlan primary
Router(config-vlan)# exit
Router(config)# vlan 303
Router(config-vlan)# private-vlan community
Router(config-vlan)# exit
Router(config)# vlan 440
Router(config-vlan)# private-vlan isolated
Router(config-vlan)# exit
Router(config)# vlan 202
Router(config-vlan)# private-vlan association 303,440
Router(config-vlan)# end
Router# configure terminal
Router(config)# interface fastethernet 5/1
Router(config-if)# switchport mode private-vlan host
Router(config-if)# switchport private-vlan host-association 202 303
Router(config)# interface fastethernet 5/2
Router(config-if)# switchport mode private-vlan host
Router(config-if)# switchport private-vlan host-association 202 440
Router(config-if)# end
Router# show vlan private-vlan
Primary Secondary Type       Ports
------- --------- ---------- ------
202     303       community  Fa5/1
202     440       isolated   Fa5/2
• The port facing the default gateway is configured as the promiscuous port instead: switchport mode private-vlan promiscuous followed by switchport private-vlan mapping 202 303,440.

  23. Protected Ports • Protected ports do not forward any traffic to other ports that are also protected ports. • Forwarding behavior between a protected port and a nonprotected port proceeds as usual.
Switch# configure terminal
Switch(config)# interface fastethernet0/1
Switch(config-if)# switchport protected
Switch(config-if)# end

  24. VLAN Security using ACLs Cisco multilayer switches support three types of ACLs: • Router access control lists (RACLs) Supported in the ternary content addressable memory (TCAM) hardware on Cisco multilayer switches • Quality of service (QoS) access control lists Supported in the TCAM hardware on Cisco multilayer switches • VLAN access control lists (VACLs) Supported in software on Cisco multilayer switches • VACLs are also referred to as VLAN maps

  25. VLAN ACL Examples

  26. Routed ACLs • RACLs are supported in hardware through IP standard ACLs and IP extended ACLs, with permit and deny actions. • With RACLs, access list statistics and logging are not supported.

  27. VLAN ACLs • VACLs (also called VLAN access maps in IOS software) apply to all traffic on the VLAN. • VACLs are similar to route maps and follow route-map conventions, where map sequences are checked in order. • VLAN maps have three actions that can be configured: • Drop • Forward • Redirect

  28. VLAN Map Configuration
ALSwitch7(config)#ip access-list extended HRServerAllowed
ALSwitch7(config-ext-nacl)#permit tcp 172.16.50.16 0.0.0.15 host 172.16.50.240 eq www
ALSwitch7(config-ext-nacl)#exit
ALSwitch7(config)#ip access-list extended HRServerBlocked
ALSwitch7(config-ext-nacl)#permit tcp 172.16.50.0 0.0.0.127 host 172.16.50.240 eq www
ALSwitch7(config-ext-nacl)#exit
ALSwitch7(config)#ip access-list extended HRServerDefaults
ALSwitch7(config-ext-nacl)#permit ip any any
ALSwitch7(config-ext-nacl)#exit
ALSwitch7(config)#vlan access-map HRServerMap 10
ALSwitch7(config-access-map)#match ip address HRServerAllowed
ALSwitch7(config-access-map)#action forward
ALSwitch7(config-access-map)#exit
ALSwitch7(config)#vlan access-map HRServerMap 20
ALSwitch7(config-access-map)#match ip address HRServerBlocked
ALSwitch7(config-access-map)#action drop
ALSwitch7(config-access-map)#exit
ALSwitch7(config)#vlan access-map HRServerMap 30
ALSwitch7(config-access-map)#match ip address HRServerDefaults
ALSwitch7(config-access-map)#action forward
ALSwitch7(config-access-map)#end
ALSwitch7#config t
ALSwitch7(config)#vlan filter HRServerMap vlan-list 50
• Sequence 10 lets hosts 172.16.50.16 to 172.16.50.31 reach the HR server on port 80, sequence 20 drops the rest of 172.16.50.0/25, and sequence 30 is required because a packet that matches no sequence in a VLAN map is dropped. • Inside a VLAN map an ACL permit means "this sequence matches"; an ACL deny means "does not match, try the next sequence".

  29. show vlan access-map and show vlan filter
ALSwitch7#show vlan access-map
Vlan access-map "HRServerMap" 10
  Match clauses:
    ip address: HRServerAllowed
  Action: forward
Vlan access-map "HRServerMap" 20
  Match clauses:
    ip address: HRServerBlocked
  Action: drop
Vlan access-map "HRServerMap" 30
  Match clauses:
    ip address: HRServerDefaults
  Action: forward
ALSwitch7#show vlan filter
VLAN Map HRServerMap is filtering VLANs:
  50
ALSwitch7#
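The following is an added example, not Cisco code and not part of the original slides: a Python model of how the switch walks the HRServerMap access map above, sequence by sequence, with IOS wildcard-mask matching and the implicit drop when nothing matches. The addresses come from the slide; the test packets are constructed.

```python
"""Constructed model of Catalyst VLAN access-map evaluation using the
HRServerMap entries from the slide. Added example, not Cisco code; the
sample packets are made up to exercise each sequence."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", ...
    src: str
    dst: str
    dport: int = 0


def in_wildcard(addr, network, wildcard):
    """IOS wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


# ACEs as (action, proto, src, src_wildcard, dst, dst_wildcard, dport or None)
ACLS = {
    "HRServerAllowed":  [("permit", "tcp", "172.16.50.16", "0.0.0.15",
                          "172.16.50.240", "0.0.0.0", 80)],
    "HRServerBlocked":  [("permit", "tcp", "172.16.50.0", "0.0.0.127",
                          "172.16.50.240", "0.0.0.0", 80)],
    "HRServerDefaults": [("permit", "ip", "0.0.0.0", "255.255.255.255",
                          "0.0.0.0", "255.255.255.255", None)],
}


def acl_matches(acl_name, pkt):
    """Inside a VLAN map an ACE 'permit' means 'this sequence matches'.
    A 'deny' hit, or no hit at all, means 'fall through to the next sequence'."""
    for action, proto, s, swc, d, dwc, port in ACLS[acl_name]:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (in_wildcard(pkt.src, s, swc) and in_wildcard(pkt.dst, d, dwc)):
            continue
        if port is not None and port != pkt.dport:
            continue
        return action == "permit"
    return False


# (sequence, match ACL, action), checked in ascending sequence order
VLAN_MAP = [
    (10, "HRServerAllowed", "forward"),
    (20, "HRServerBlocked", "drop"),
    (30, "HRServerDefaults", "forward"),
]


def evaluate(vlan_map, pkt):
    """Return (action, matching sequence). First match wins; no match -> drop."""
    for seq, acl, action in sorted(vlan_map):
        if acl_matches(acl, pkt):
            return action, seq
    return "drop", None   # packet matching no sequence is dropped by the switch


if __name__ == "__main__":
    for p in (Packet("tcp", "172.16.50.20", "172.16.50.240", 80),
              Packet("tcp", "172.16.50.70", "172.16.50.240", 80),
              Packet("tcp", "172.16.50.200", "172.16.50.240", 80),
              Packet("tcp", "172.16.50.240", "172.16.50.70", 34567)):
        print(p, "->", evaluate(VLAN_MAP, p))
```

Note what happens if sequence 30 is left out: the map's only remaining sequences match HTTP to the server, so every other packet on the VLAN (DNS, the server's own replies) hits the implicit drop. That is the mistake the HRServerDefaults entry exists to prevent.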

  30. Defending Network Switches • CDP advertises platform, software version, management IP address and VLAN details to any directly connected device, which is useful reconnaissance for an attacker. • CDP can be selectively disabled on interfaces where management is not being performed or where you do not want CDP information sent or learned: Switch(config-if)#no cdp enable • The global command no cdp run disables it on every interface; keep CDP only where a management system or an IP phone (voice VLAN discovery) needs it.

  31. Controlling VTY Access • Cisco provides ACLs to permit or deny Telnet (and SSH) access to the VTY lines of a switch. • Use the access-class line configuration mode command to specify the subnet that is allowed to connect to the switch. • The access-class command references a standard ACL with the in keyword; a standard ACL is sufficient because only the source address of the incoming connection is checked. Switch(config-line)#access-class 5 in • Apply it to every VTY line (line vty 0 15); a single unprotected line is enough for an attacker. • The out keyword instead restricts the destinations a user already on the VTY line may open outbound connections to.

  32. Access-class Example

  33. Use Secure Shell – SSH • SSH can be configured for remote access to Cisco multilayer switches. • Catalyst 2950s support SSH only with the cryptographic (k9) EI software image; the standard image does not. • The 1024-bit modulus shown below is what this transcript used; generate at least 2048 bits today.
Switch(config)#hostname ALSwitch
ALSwitch(config)#ip domain-name cisco.com
ALSwitch(config)#ip ssh version 2
Please create RSA keys to enable SSH.
ALSwitch(config)#crypto key generate rsa general-keys
The name for the keys will be: ALSwitch.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys ...[OK]
ALSwitch(config)#
00:47:18: %SSH-5-ENABLED: SSH 1.99 has been enabled
ALSwitch(config)#line vty 0 15
ALSwitch(config-line)#transport input ssh
ALSwitch(config-line)#login local
ALSwitch(config-line)#exit
ALSwitch(config)#username leo privilege 15 secret baca
• "SSH 1.99" means the server is in compatibility mode and still accepts SSHv1 clients; re-enter ip ssh version 2 once the keys exist and confirm with show ip ssh. • transport input ssh is what actually removes Telnet from the VTY lines.

  34. Encrypt Password • Make sure to use encrypted passwords. • Encrypted passwords can be used for enable passwords, user passwords, console and vty passwords. • The secret keyword stores a salted MD5 hash (shown as type 5 in the configuration) rather than a reversible string; prefer it over the password keyword wherever the platform allows.
ALSwitch(config)#enable secret class
ALSwitch(config)#username user1 secret userpass
ALSwitch(config)#username leo privilege 15 secret baca
ALSwitch(config)#exit
ALSwitch#show run
...
!
hostname ALSwitch
!
enable secret 5 $1$kH1o$2yH/E500t6PC1rCCDeFEb1
!
username leo privilege 15 secret 5 $1$nwnw$rvATQge3PqFS8qARlTOd51
username user1 secret 5 $1$CalZ$rCMYfxqKPrJfWENUrHIZL.

  35. Service Password Encryption • Some passwords are stored in plaintext by default, such as those set with the enable password command and the line configuration mode password command. • To obscure every plaintext password and key string in the configuration, use the global configuration mode command: Switch(config)# service password-encryption • This applies Cisco type 7 encoding to the plaintext passwords (they appear as password 7 <hex> in show run). • Type 7 is a fixed-key obfuscation, not real encryption: anyone who obtains the configuration can reverse it instantly. It only defeats shoulder-surfing, so use enable secret and username ... secret for anything that matters and treat configuration backups as sensitive.
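To make the "not very strong" point concrete, here is an added example (not from the course and not Cisco code) that implements the long-published type 7 algorithm in Python: a fixed translation key, XORed byte by byte starting at the offset given by the first two digits. The sample configuration it scans is constructed.

```python
"""Cisco 'type 7' (service password-encryption) encoder/decoder.
Added example for this page, not Cisco code. The algorithm is the publicly
documented fixed-key XOR; the sample config below is constructed."""

# The fixed translation key every IOS device uses for type 7.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded):
    """Reverse a 'password 7' string: first two digits are the key offset,
    the rest is hex, one byte per plaintext character."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type 7 string")
    seed = int(encoded[:2], 10)
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ ord(XLAT[(seed + i) % len(XLAT)]))
                   for i, b in enumerate(body))


def type7_encode(plain, seed=8):
    """Produce what service password-encryption would store (seed 0..15)."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    out = [f"{seed:02d}"]
    for i, ch in enumerate(plain):
        out.append(f"{ord(ch) ^ ord(XLAT[(seed + i) % len(XLAT)]):02X}")
    return "".join(out)


def find_type7(config_text):
    """Scan running-config text for 'password 7 <hex>' and recover each one.
    Lines using 'secret 5' (MD5) are not reversible and are left alone."""
    found = []
    for line in config_text.splitlines():
        tok = line.split()
        for i in range(len(tok) - 2):
            if tok[i] == "password" and tok[i + 1] == "7":
                found.append((" ".join(tok[:i]), type7_decode(tok[i + 2])))
    return found


# Constructed sample: what a config looks like after service password-encryption.
SAMPLE_CONFIG = """\
hostname ALSwitch
enable password 7 0822455D0A16
enable secret 5 $1$kH1o$2yH/E500t6PC1rCCDeFEb1
line vty 0 15
 password 7 0205085A1815
 login
"""

if __name__ == "__main__":
    for where, plain in find_type7(SAMPLE_CONFIG):
        print(f"{where or 'line'}: {plain}")
```

The enable secret line survives because it is a hash; the two type 7 lines do not. That asymmetry is the whole argument for secret over password.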


  37. DHCP Spoof Attack

  38. DHCP Snooping • DHCP snooping is a Catalyst feature that determines which switch ports may carry DHCP server messages. • Ports are identified as trusted and untrusted. • Trusted ports can source all DHCP messages; untrusted ports can source client requests only (DISCOVER, REQUEST). • Trusted ports are those that host a DHCP server or are an uplink toward it; access ports stay untrusted. • If a rogue device on an untrusted port sends a DHCP server message (OFFER, ACK, NAK), the switch drops it; if ip dhcp snooping limit rate is configured and a port exceeds the rate, that port is err-disabled. • The switch also records each completed lease (MAC address, IP address, VLAN, port) in the DHCP snooping binding table, which Dynamic ARP Inspection and IP Source Guard rely on.

  39. DHCP Snooping Example

  40. DHCP Snooping Configuration http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12122ea5/2950scg/swdhcp82.htm

  41. show ip dhcp snooping

  42. MAC Address Spoofing • MAC spoofing attacks occur when a device forges the MAC address of a valid network device in order to receive frames intended for that device. • The attacker sends a single frame whose source MAC address is that of the valid host; the switch relearns the address on the attacker's port and forwards frames for it there. • Once the valid host sends new frames, the spoofed CAM table entry is overwritten and forwarding to that MAC address resumes on the legitimate port, so the attacker has to keep re-sending. • Port security with sticky or static addresses stops this: the same MAC appearing on a second secure port is a violation.

  43. MAC Address Spoofing Example

  44. ARP Table Entries • In normal ARP operation, a host sends a broadcast to determine the MAC address of a host with a particular IP address. • The device at that IP address replies with its MAC address. • The host that originated the request then caches the ARP response, creating an ARP table entry. • ARP table entries are used to populate the destination Layer 2 header of packets sent to that IP address.

  45. ARP Table Example

  46. ARP Spoofing • By sending a forged ARP reply (or gratuitous ARP), an attacking device claims to own the MAC address for an IP address that belongs to someone else, typically the default gateway. • The victim caches the attacker's MAC address against the legitimate destination IP address. • All packets the victim sends to that IP address are now delivered to the attacker's system, which can read them and relay them on (a man-in-the-middle on the Ethernet segment). ARP Cache Poisoning http://www.grc.com/nat/arp.htm

  47. ARP Spoof Example

  48. Dynamic ARP Inspection (DAI) • Dynamic ARP Inspection (DAI) prevents ARP spoofing by intercepting and validating all ARP requests and responses on untrusted ports. • Each intercepted ARP packet is checked for a valid MAC-to-IP binding before it is forwarded to its destination. • ARP packets with invalid bindings are dropped. • The switch checks the sender MAC-to-IP binding against the trusted DHCP snooping binding database (or against a configured ARP ACL for hosts with static addresses). • This database is built by DHCP snooping if DHCP snooping is enabled on the switch and on the VLANs in question, so a statically addressed host on an untrusted port has no binding and its ARP traffic is dropped unless you add one. http://www.cisco.com/en/US/products/hw/switches/ps5528/products_configuration_guide_chapter09186a0080509b6f.html

  49. Dynamic ARP Inspection Example Configure all Access switch ports as untrusted and all switch ports connected to other switches as trusted.

  50. Dynamic ARP Inspection • To ensure that only valid ARP requests and responses are relayed, DAI takes the following actions: • Forwards ARP packets received on a trusted interface without any checks • Intercepts all ARP packets on untrusted ports • Verifies that each intercepted packet has a valid IP-to-MAC address binding before forwarding packets that can update the local ARP cache. • Drops and/or logs ARP packets with invalid IP-to-MAC address bindings.
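The following is an added example, not Cisco code and not part of the original course: a Python model that ties slides 38 and 48 to 50 together. It applies the trusted/untrusted rule to DHCP messages, builds the snooping binding table from a completed lease, and then runs the DAI check on ARP packets. Port names, MAC addresses and IP addresses are constructed.

```python
"""Constructed model of DHCP snooping (trusted/untrusted ports, binding
table) and Dynamic ARP Inspection using that table. Added example for this
page, not Cisco code; ports, MACs and IPs are made up."""
from dataclasses import dataclass


@dataclass
class Dhcp:
    kind: str            # DISCOVER/REQUEST from clients, OFFER/ACK/NAK from servers
    client_mac: str
    yiaddr: str = ""     # address handed out (OFFER/ACK only)


@dataclass
class Arp:
    op: str              # "request" or "reply"
    sender_mac: str
    sender_ip: str


CLIENT_MSGS = {"DISCOVER", "REQUEST"}
SERVER_MSGS = {"OFFER", "ACK", "NAK"}


class AccessSwitch:
    def __init__(self, trusted_ports, static_bindings=()):
        self.trusted = set(trusted_ports)
        self.pending = {}       # client MAC -> untrusted port it requested from
        self.bindings = {}      # (mac, ip) -> port  (DHCP snooping binding table)
        self.log = []
        for mac, ip, port in static_bindings:   # stand-in for an ARP ACL entry
            self.bindings[(mac, ip)] = port

    def dhcp_in(self, port, msg):
        """DHCP snooping: return True if the message is forwarded."""
        if msg.kind in SERVER_MSGS and port not in self.trusted:
            self.log.append(f"DHCP_SNOOPING: dropped {msg.kind} from untrusted {port}")
            return False
        if msg.kind in CLIENT_MSGS:
            self.pending[msg.client_mac] = port
        elif msg.kind == "ACK" and msg.client_mac in self.pending:
            # lease completed: bind the client's MAC/IP to the port it asked from
            self.bindings[(msg.client_mac, msg.yiaddr)] = self.pending.pop(msg.client_mac)
        return True

    def arp_in(self, port, pkt):
        """DAI: trusted ports pass unchecked; untrusted ports need a valid binding."""
        if port in self.trusted:
            return True
        if self.bindings.get((pkt.sender_mac, pkt.sender_ip)) == port:
            return True
        self.log.append(f"DAI: dropped ARP {pkt.op} on {port}: "
                        f"{pkt.sender_ip} is not bound to {pkt.sender_mac}")
        return False


def scenario():
    """Rogue DHCP server, then a real lease, then a poisoned ARP reply."""
    sw = AccessSwitch(trusted_ports={"Gi0/1"})          # uplink to the real server
    victim, attacker, gateway = ("00:00:00:00:00:01", "00:00:00:00:00:66",
                                 "00:00:00:00:00:fe")   # constructed MACs
    rogue = sw.dhcp_in("Fa0/3", Dhcp("OFFER", victim, "10.0.0.50"))   # dropped
    sw.dhcp_in("Fa0/1", Dhcp("REQUEST", victim))                      # client
    sw.dhcp_in("Gi0/1", Dhcp("ACK", victim, "10.0.0.10"))              # real server
    good = sw.arp_in("Fa0/1", Arp("reply", victim, "10.0.0.10"))      # matches binding
    poison = sw.arp_in("Fa0/3", Arp("reply", attacker, "10.0.0.1"))   # gateway claim
    gw = sw.arp_in("Gi0/1", Arp("reply", gateway, "10.0.0.1"))        # trusted uplink
    return rogue, good, poison, gw, dict(sw.bindings), list(sw.log)


if __name__ == "__main__":
    for item in scenario():
        print(item)
```

The static_bindings parameter models the classic DAI surprise: a printer with a fixed address on an untrusted port never completes a DHCP exchange, so it has no binding and its ARP traffic is dropped until you add one (an ARP ACL on the real switch).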
