Semester 3 v5 -Chapter 8 Cisco Networking Academy CCNP Minimizing Service Loss and Data Theft in a Campus Network Switch security concerns • Network security coverage often focuses on edge-routing devices and filtering of packets • Campus access devices and L2 communication are left largely unconsidered • But if an attack is launched at L2 on an internal campus device, the rest of the network can be quickly compromised Rogue Devices • Rogue devices can be – Access Points – Wireless routers – Access switches – Hubs • Devices typically connected at access level switches • To mitigate STP manipulation • root guard • BPDU guard Switch attack categories • L2 malicious attacks are typically launched by a device connected to the campus network – A physical rogue device – An external intrusion that takes control of and launches attacks from a trusted device • Types of L2 attacks – MAC layer attacks – VLAN attacks – Spoof attacks – Attacks on switch devices MAC flooding attack • CAM table overflow that causes flooding of regular data frames out of all switch ports • Purposes – Collecting a broad sample of traffic – DoS attack • Suggested mitigation: – Limit the number of allowed MAC addresses in a port using Port Security Port security • • • • • Available on the 6500, 3550 and 2950 Administrator configures MAC addresses to provide security It restricts a switch port to a specific set and/or number of MAC addresses Maximum number of secure MAC on a port A MAC address can be allowed: – Static assignment of the MAC address • switchport port-security mac-address mac_address – Dynamic learning of the MAC address (sticky learning) – Manually configure a number of MAC and the rest dynamically configured Configuring Port security 1. Enable port security 2. 3. 4. Set MAC address limit default = 1 Specify allowable MAC addresses Define violation actions – – – When the maximum number of secure MAC addresses has been added and a station whose MAC address is not in the table attempts to access A station whose MAC address is configured as secure on another secure port attempts to access the interface 3 violation modes • • • Protect packets with unknown source addresses are dropped until secure MAC are manually removed Restrict trap notification to the SNMP management station Shutdown interface shut down and send an SNMP trap notification Sticky MAC addresses • • Limits switch port access to a single, specific MAC address without the network administrator having gather and manually associate the MAC address of every legitimate device with a particular switch port The switch port converts dynamically learned MAC addresses to sticky MAC addresses It subsequently adds them to the running configuration as if they were static entries for a single MAC address to be allowed by Port Security Configuration: • It can not be used on ports that use voice VLANs • • – switchport port-security mac-address sticky AAA • usernames and passwords can be configured directly on the network device – This configuration does not scale well • Recommend security handled at centralized location • Different security features (AAA): – Authentication • Verifies a user identity – Authorization • Specifies the permitted tasks for the user – Accounting • Provides billing, auditing and monitoring • AAA can use protocols such as RADIUS, TACACS+ or 802.1x to administer its security functions AAA process • AAA enables dynamic configuration of the type of authentication and authorization – On a per-line (per-user) basis – On a per-service basis • Method lists must be created – Sequential list that defines the authentication methods used to authenticate a user – Enable designation of one or more security protocols to be used for authentication • Order is established by which servers will be contacted for authentication and authorization • Users attempt login and must be authenticated by server • Users must be authorized to user requested resources if Authorization is configured • Users activity is recorded if Accounting is configured Configuring AAA Authentication • AAA authentication – Access to the console: aaa authentication login – Access to VTYs through Telnet and SSH – Access to privileged EXEC mode • Default method: – applied to all interfaces if no other method list is defined • Named list method: – must be applied to a specific interface before any of the defined authentication methods will be performed Configuring AAA Authentication • Responses: – FAIL • User has not met the criteria contained in the authentication database to be successfully authenticated • Authentication ends with a FAIL response – ERROR • The security server has not responded to an authentication query • When ERROR detected, AAA select the next authentication method defined in the authentication method list Configuring AAA Authentication • Authentication for logins on TTYs, VTYs, and the console: RTA(config)#aaa authentication login default tacacs+ none default method 1st method If 1st errors, then grant access 802.1x • Client-server-based access control and authentication protocol • Restricts unauthorized clients from connecting to a LAN through publicly accessible ports • The authentication server authenticates each client connected to a switch port before making available any services offered by the switch or the LAN • Before authentication, 802.1x only allows EAPOL traffic through the port – EAPOL(Extensible Authentication Protocol over LAN) Roles in 802.1x • Client – device that requests access to the LAN and switch services and responds to requests from the switch – It must be running 802.1X-compliant client software (Ex: XP) • Authentication server – validates the identity of the client – notifies the switch whether or not the client is authorized to access the LAN and switch services – RADIUS + EAP (Extensible Authentication Protocol) only • Switch – controls the physical access to the network based on the authentication status of the client – proxy between the client and the authentication server – includes the RADIUS client + 802.1x – encapsulates and decapsulates the EAP frames 802.1x message exchange • The switch or the client can start authentication • If 802.1X not enabled on the switch EAPOL frames dropped • If the client does not receive an EAP-request/identity frame after a defined number of attempts to start authentication client sends frames as if the port is in the authorized state • Ex: OTP (One-Time-Password) authentication method + RADIUS server 802.1x authorized ports • Unauthorized state State where port starts – the port disallows all traffic except for 802.1X protocol packets • Authorized state – When a client is successfully authenticated – Allows all traffic for the client to flow normally • If a client that does not support 802.1X is connected to an unauthorized 802.1X port – The client is not granted access to the network • If an 802.1X-enabled client connects to a port that is not running the 802.1X protocol – the client sends frames as if the port is in the authorized state • Dot1x port-control – Force-authorized – Force unauthorized – Auto 802.1x authorized ports • Dot1x port-control – Force-authorized (default) • 802.1X is disabled and the port transitions to the authorized state without any authentication exchange required – Force unauthorized • the port remains in the unauthorized state • The switch cannot provide authentication services – Auto • enables 802.1X authentication • The port begins in unauthorized state • allows only EAPOL frames through the port • If the client is successfully authenticated, the port state changes to authorized • When a client logs off – it sends an EAPOL-logoff message – the switch port transitions to the unauthorized state Configuring 802.1x 1. Enable AAA switch(config)#aaa new-model 2. Create a 802.1x authentication method list switch(config)# aaa authentication dot1x {default} method1 [method2…] 3. Globally enable 802.1x port-based authentication switch(config)#dot1x system-auth-control 4. Enable 802.1x on the interface switch(config)# interface interface_id switch(config-if)# dot1x port-control auto VLAN hopping • Network attack where – Attacking system sends packets to, or collects them from, a VLAN that should not be accessible to that system – Attacking system spoofs itself as a legitimate trunk negotiating device – Trunk link is negotiated dinamically – Attacking device gains access to data on all VLANs carried by the negotiated trunk • Implementations • Switch spoofing • Double tagging VLAN hopping – Switch spoofing • Attacker gains access to a switch port and sends DTP negotiation frames toward a switch with DTP running and autonegotiation turned on • Attacker and switch negotiate trunking over the port • Switch allows all VLANs to traverse de trunk link • Attacker sends data to, or collects it from, all VLANs carried on that trunk VLAN hopping – Double tagging • An attacker generates frames with two 802.1Q headers in order to get the switch to forward frames onto a VLAN that would be inaccessible to the attacker through legitimate means – Attacker sends a frame with two 802.1Q headers – Switch1 strips the outer tag and forwards the frame to all ports within same native VLAN – Switch2 interprets the frame according to information in the inner tag – Switch2 forwards the frame out all ports associated with the second VLAN, including trunk ports How to mitigate VLAN hopping • Measures to defend the network from VLAN hopping – Configure all unused ports as access ports • switch(config)#interface-range type mod/port switch(config-if)#switchport mode access – Place all unused ports in the shutdown state and associate with a VLAN designed only for unused ports, carrying no user data traffic • switch(config-if)#switchport access vlan vlan-id – When establishing a trunk link, configure • the Native VLAN to be different from any data VLANs • trunking as on, rather than negotiated • the specific VLAN range to be carried on the trunk ACLs • ACLs filter traffic • 3 applications of ACLs: – Router ACLs (RACLs) • IP standard and IP extended ACLs • filter routed traffic between VLANs • Applied to L3 interfaces for specific directions (inbound/outbound) – Port ACLs (PACLs) • filter traffic entering a L2 switch port, trunk or Etherchannel – VLAN ACLs or VLAN maps • filter bridged and routed packets • apply to all traffic on the VLAN based on Ethertype and MAC address • Follow route-map conventions, where map sequences are checked in order • VACLs are not defined by direction VLAN ACLs and VLAN Maps • Can filter all traffic traversing a switch • VLAN maps – not defined by direction – match clauses to select traffic and perform operations on it – Each clause contains one or more ACLs – only way to control filtering within a VLAN – If there is a match clause for a packet in the VLAN map, and that packet does not match any of the entries within the map default VLAN map action = drop the packet – If there is no match clause for that packet • default forward the packet • A VLAN map cannot be applied to a VLAN on a switch that has ACLs applied to L2 interfaces (port ACLs) VLAN ACLs and VLAN Maps • Example of VACLs configuration: – It does not allow any host using a source IP address from 10.1.0.0 to 10.1.255.255 to send frames across this switch Private VLAN (PVLAN) • Traditional solution – One VLAN per costumer, with each VLAN having its own IP subnet – Challenges • • • • • High number of interfaces on SP devices Spanning tree becomes more complicated Network address space must be divided into many subnets Multiple ACL applications required to maintain security Private VLANs – L2 isolation between ports within the same VLAN – It eliminates the need for a separate VLAN and IP subnet per costumer – Types of ports • Isolated: Communicate only with promiscuous ports • Promiscuous: Communicate with all other ports • Community: Communicate with other members of community and all promiscuous ports Private VLAN (PVLAN) • Different PVLANs: – Primary VLAN: Carries traffic from promiscuous ports to isolated, community, and other promiscuous ports in the same primary VLAN – Secondary VLANs • Isolated VLAN: Carries traffic from isolated ports to a promiscuous ports • Community VLAN: Carries traffic between community ports and promiscuous ports Configuring PVLANs 1. Set VTP mode to transparent 2. Create secondary VLANs (isolated and community) 3. Create the primary VLAN – 4. switch(config-vlan)#private-vlan [primary | isolated | community] Associate the secondary VLAN to the primary VLAN – switch(config-vlan)#private-vlan association {secondary_vlan_list | add sv1 | remove sv1} 5. Configure an interface to an isolated or community port 6. Associate the isolated port or community port to the primary-secondary VLAN pair 7. Configure an interface as a promiscuous port 8. Map the promiscuous port to the primary-secondary VLAN pair DHCP Spoofing Attack • An attacker hosts a rogue DHCP server off of a switch port • Client broadcasts a request for DHCP configuration information • The rogue DHCP server responds before the legitimate DHCP server, assigning attackerdefined IP configuration information • Host packets are redirected to the attacker address as it emulates a default gateway for the erroneous DHCP address provided to the clients DHCP Snooping • Catalyst feature that determines which switch ports can respond to DHCP requests – Trusted ports can source all DCHP messages – Untrusted ports can only source requests • If a rogue DCHP on an untrusted port attempts to send DHCP response packets, the port is shut down • DHCP Option 82: switch information, such as the port ID of the DHCP request, is inserted into the DHCP request packet ARP Spoofing Attack • • By spoofing an ARP reply from a legitimate device, an attacking device appears to be the destination host sought by the senders The ARP reply from the attacker causes the sender to store the attacking system MAC address in the ARP cache. All packets destined for those IP address will be forwarded through the attacker system – – – – The attacker sends ARP binding its MAC address with the IP destination address Host A updates ARP cache with attacker’s MAC address bound to C’s IP address The attacker sends ARP binding its MAC address with the IP sender address Destination updates ARP cache with attacker’s MAC address bound to sender’s IP address Dynamic ARP inspection • • Prevents ARP spoofing or ‘poisoning’ Intercepts and validates all ARP requests and responses – Forwards ARP packets received on a trusted interface without any checks – Intercepts all ARP packets on untrusted ports – Verifies that each intercepted packet has a valid IP-to-MAC address binding before forwarding packets that can update the local ARP cache – Drops and/or logs ARP packets with invalid IP-to-MAC address bindings • Configure all Access switch ports as untrusted and all switch ports connected to other switches as trusted Protecting Spanning Tree • • Protect against switches being added on PortFast ports – BPDU Guard shuts ports down when BPDUs are received – BPDU filter specifies action to be taken when BPDUs are received BPDU Root Guard protects against a switch outside the designated network attempting to become the root bridge Configuring BPDU Guard • BPDU Guard protects the network from loops that might form if BPDUS are received on a PortFast enabled switch port • When a BPDU is received, the port is put in errordisabled state • Global configuration Switch(config)#spanning-tree portfast bpduguard default • Interface configuration Switch(config-if)#spanning-tree bpduguard enable Configuring BPDU Filtering – Global configuration • It affects all PortFast ports on a switch without BPDU filtering configured on the individual port • If BPDUs are seen, the port looses its PortFast Status, BPDU filtering is disabled and STP sends and receives BPDUs on the port as any other STP port on the switch • Upon startup, the port transmits ten BPDUs. If this port receives any BPDUs during that time, PortFast and PortFast BPDU filtering are disabled Switch(config)#spanning-tree portfast bpdufilter default – Interface configuration • Ignores all BPDUs received • Sends no BPDUs Switch(config-if)#spanning-tree bpdufilter enable Configuring Root Guard – Root Guard limits the switch ports out of which the root bridge may be negotiated – If a root guard-enabled port receives BPDUs that are superior to those being sent by the current root bridge, • that port will be moved to a root-inconsistent state (listening state) • no data traffic will be forwarded across this port – When the root guard-enable port receives inferior BPDUs, the port will be unblocked again Switch(config-if)#spanning-tree guard root Unidirectional link detection • Unidirectional link – Traffic is transmitted between neighbors in one direction only – Can cause ST topology loops • UDLD – L2 protocol that works with the L1 mechanisms to determine the physical status of a link – Protocol that allows devices to detect an unidirectional link – Both ends of the link must support UDLD • A switch configured with UDLD periodically transmits UDLD packets – If packets are not echoed back within a specific time, the link is flagged as unidirectional and the interface is shut down (aggressive) or the port changes to an undetermined state (normal) Loop guard • Provides protection when BPDUs are being sent, but not received on a link that is considered operational • When an unidirectional link is detected, the interface will move into the STP loop-inconsistent blocking state • Once a BPDU is received, the port will transition to the appropriate state Before loop guard With loop guard – C is not receiving BPDUs from B – C is not receiving BPDUs from B – Port on C transitions to forwarding – Port on C transitions to loopstate in 50 sec LOOP inconsistent state Comparison between Loop Guard and UDLD • On an Etherchannel bundle – UDLD will disable individual failed links – Loop Guard will put the entire channel in loop-inconsistent state • Enabling both UDLD and Loop Guard provides the highest level of protection Configuring UDLD and Loop Guard • Configuring UDLD – Enable UDLD on an interface • S(config-if)#udld port – Enable UDLD globally • S(config)#udld enable – Verify and reset UDLD • S#udld reset • S#show udld interface • Configuring Loop Guard – Enable Loop Guard on an interface • S(config)#spantree guard loop mod/port • S(config)#spantree guard none mod/port • Enabling root guard will disable root guard, if root guard is currently enabled on the ports – Enable Loop Guard globally • S(config)#spantree global-default loopguard enable • S#show spantree guard mod/port | vlan CDP security issues • CDP is transmitted in clear text and unauthenticated • An attacker can use a packet analyzer to intercept CDP traffic • An attacker can analyze information in CDP packets to gain knowledge of network address and device information • An attacker can formulate attacks based on known vulnerabilities of network platforms Telnet and SSH • Telnet – Telnet packets are transmitted in clear-text – A user with an account on the system could gain elevated privileges – A remote attacker could crash the Telnet service, preventing legitimate use of that service – A remote attacker could find an enabled guest account present anywhere within the trusted domains of the server • SSH (Secure Shell) – The entire login session is encrypted – Replacement for rlogin, rsh, rcp, and rdist as well as Telnet and FTP – protects a network from attacks such as IP spoofing, IP source routing, and DNS spoofing Using vty ACLs • Restricting VTY connections – The access-class ACL-number applies the ACL to the interface – The ACL can be a standard or an extended ACL • Restricting web interface connections – To bind a standard ACL to the http server process: • ip http access-class ACL-number • ACL-number: 1 - 99 Best practices • Consider or establish organizational security policies – Proces for auditing existing networks – General security framework – Behaviors toward electronic data that are disallowed – Which tools and procedures are needed – Responsibilities of users and administrators – Process for handling network security incidents – Enterprise-wide, all site security implementation and enforcement plan • Secure switch devices • Secure switch protocols • Mitigate compromises launched through a switch Best practices: Secure switch access • Set system passwords enable secret • Secure physical access to the console • Secure access via Telnet • Use SSH when possible • Configure system warning banners • Disable unused services no service finger/config… • Disable the integrated HTTP daemon if not in use • Configure basic logging Restricting VTY connections • Remote management sessions can be enhanced using optional messages: – Message of the day • Display a banner to users as they enter a network device – Router(config)# banner motd ^C message ^C – Vacant message • displayed when the user session is disconnected. Router(config)#vacant-message ^C message ^C – Refuse message • displayed when the authentication fails at login Router(config)#refuse-message ^C message ^C • Applied to console, aux and vty lines • Not displayed for users connecting over SSH Best practices: Secure switch protocols • CDP – If CDP is not required, disable CDP globally on the device – If CDP is required, disable CDP on a per-interface basis on ports connected to untrusted networks • Secure the Spanning Tree protocol – Identify the intended root bridge in the design and assign an adequate bridge priority – Activate BPDU guard feature if available Best practices: Mitigating Compromises Launched through a switch • Proactively configure unused ports – Shutdown on unused ports – All unused ports in a specific unused VLAN – Configure unused ports as access ports • Considerations for trunk links – Disable automatic negotiation of trunking, and manually enable it on links that will require it – Ensure that trunks use a native VLAN dedicated only to trunk links • Minimize physical port access • Establish standard access port configuration for both unused and used ports • switchport host – Macro that disables Etherchannel, disables trunking, and enables STP Portfast Semester3v5 - Chapter 8 Cisco Networking Academy Minimizing Service Loss and Data Theft in a Campus Network The End