4, Ch2- Switch Security

transcript

Ali Nezhad

Routing and Switching

CNET 311

Centennial CollegeCentennial College

Basic Switch Concepts and ConfigurationSwitch Security

Week #4Ch2. Wayne Lewis

2Ali Nezhad

Routing and SwitchingCNET 311

Outline

� Password Protection

� Securing Remote Access

� Security Risks

� Security Tools

� Configuring Port Security

3Ali Nezhad

Password Protection

4Ali Nezhad

Configuring Password Options

� Protection from unauthorized access

� Passwords for

� Console line

� vty lines

� Privileged EXEC mode

� Encrypt passwords

� Recover Passwords

5Ali Nezhad

Securing Console Access

� Need direct local physical access

� Removing password protection� (config-line)#no password and no login

6Ali Nezhad

Securing Virtual Terminal Access

� vty allows remote access.

� Does not need local access.

� Important to be secured

� All vty lines must be protected.

� 2960 has 15 terminal lines.

7Ali Nezhad

Securing Virtual Terminal Access

� Removing password: similar to console line

8Ali Nezhad

Securing Privileged EXEC Access

� This mode allows to view/config all options.

� You can also see unencrypted passwords.

� Important to be secured.

� Commands:

� enable password

� Stores password in startup-config and running-config as cleartext.

� enable secret

� Stores the password in an encrypted format.

� If configured, replaces the enable password.

� Cannot be the same as the enable password.

9Ali Nezhad

Encrypting Switch Passwords

� service password-encryption command

� Encrypts already set passwords that are stored as

cleartext.

� Uses the very weak type7 encryption standard.

� Type5 is more secure but must be invoked manually for

each password.

� Disable with the keyword no:

� Only stops encrypting new passwords.

� Previously encrypted passwords remain encrypted.

10Ali Nezhad

Password Recovery

� Different for different devices.

� Requires physical access.

� May not be able to recover passwords:

� Specially if encrypted.

� Can reset them to a new value.

� Will practice in the lab.

11Ali Nezhad

Login Banners and MOTD

� Messages that people can see at login.

� Login Banner

� (config)# banner login “Authorized …”

� Appears before login prompts.

� MOTD Banner

� Appears before the login banner.

� (config)# banner motd “Device Maintenance!”

� Remove both with no.

12Ali Nezhad

Secure Remote Access

13Ali Nezhad

Telnet and SSH

� SSH is secure and newer than

telnet.

� SSH encrypts messages.

14Ali Nezhad

Configuring Telnet

� Default on all Cisco switches

� If the transport protocol has been switched

to only support SSH, telnet can be restored:

� (config-line)# transport input telnet

� (config-line)# transport input all

15Ali Nezhad

SSH Characteristics

� Switch supports SSHv1 or SSHv2 for server.

� Switch supports only SSHv1 for client.

� Supports DES & 3DES encryption algorithms.

� Supports password-based authentication.

� Uses public key cryptography based on RSA.

16Ali Nezhad

Configuring SSH

1. Configure a host domain for the switch.

(config)# ip domain-name mydomain.com

2. Generate an encrypted RSA key pair

(config)# crypto key generate rsa

� A modulus size of 1024 is recommended.

� Enables SSH server for local and remote access.

� To delete the keys, use crypto key zeroize rsa

� After deletion, SSH server is automatically disabled.

17Ali Nezhad

Configuring SSH- Fine Tuning

Next steps only fine tune the SSH configuration.

1. Choose the ssh version (optional)

(config)# ip ssh version [1|2]

2. Configure SSH control parameters

A. Timeout value in seconds

� Default is 120 sec

� Range is 0-120 sec

� Applies to SSH phases such as connection, protocol

negotiation, parameter negotiation

18Ali Nezhad

B. Number of times a client can re-

authenticate.

� Default is 3 and the range is 0-5.

� For example, a user may allow the SSH session

idle more than 10min, 3 times before it terminates.

(config)# ip ssh {timeout seconds|authentication-retries number}

19Ali Nezhad

3. To prevent non-SSH connections

(config-line)# transport input ssh

Telnet sessions will be refused.

20Ali Nezhad

SSH Configuration Example

21Ali Nezhad

Security RisksCommon L2 Security Attacks

22Ali Nezhad

MAC Address Flooding Attack

� Makes the MAC address table overflow.

� Floods the switch with fake SRC addresses.

� Switch enters fail-open mode.

� Acts like a hub.

� Attacker receives all packets.

� Prevention: Port Security

23Ali Nezhad

MAC Address Flooding Attack

24Ali Nezhad

DHCP Spoofing Attack

� Attacker acts as a legitimate DHCP server.

� If on the same segment as a DHCP client, its

responses to DHCP requests reach the client sooner

than those from a valid server.

� The client uses the rogue device as its default

gateway and DNS server.

� Prevention: Port security and DHCP snooping

25Ali Nezhad

DHCP Snooping Technique

26Ali Nezhad

� Determines which ports can respond to DHCP requests.

� Ports are identified as trusted or untrusted.

� Trusted Ports

� Can send all kinds of DHCP messages.

� Can host a DHCP server or be connected to one.

� Untrusted Ports

� Can only send DHCP requests.

27Ali Nezhad

� A port is deemed untrusted if not

explicitly configured as trusted.

� If a DHCP response message is

detected from an untrusted port,

that port is disabled.

28Ali Nezhad

Configuring DHCP Snooping

1. Enable Snooping.

(config)# ip dhcp snooping

2. Enable DHCP snooping for a VLAN.

(config)# ip dhcp snooping vlan number <no.>

3. Define a port as trusted.

(config-if)# ip dhcp snooping trust

4. Do Rate Limiting. (Optional)- see next slide.

29Ali Nezhad

DHCP Starvation Attack

� Attacker bombards the DHCP server with

many DHCP requests with fake SRC

addresses.

� It depletes the available leases. (DoS)

� Prevention: Rate Limiting

� For the DHCP requests from untrusted ports

(config)# ip dhcp snooping limit rate <rate>

30Ali Nezhad

CDP Attack

� Cisco Discovery Protocol is targeted.

� CDP is a Cisco proprietary L2 protocol.

� It discovers other directly connected Cisco devices. Simplifies network configuration.

� CDP messages are not encrypted.

� They are broadcasted periodically.

� These messages contain info. such as SW version, IP_add, platform, capabilities, …

31Ali Nezhad

CDP Attack

� This info. can be used by an

attacker for attacks such as DoS.

� Prevention

� Disable CDP on devices that do not

use it.

32Ali Nezhad

Telnet Attacks� Password Attacks

� vty password is not enough.� They can be disabled using brute force.

� Prevention:� strong frequently changed passwords.

� Still the attacker may use MAC address flooding and a packet capture software to obtain the passwords.

� ACLs on vty lines.

� SSH instead of Telnet!

� DoS Attacks

� Exploiting flaws in the telnet SW to render it unavailable.

33Ali Nezhad

Security Tools

34Ali Nezhad

Network Security Tools

� Help verify security configurations.

� Test the network for weaknesses.

� Mimic attacks.

� Also test for application level

vulnerabilities.

� Email clients, browsers, missing patches, …

35Ali Nezhad

Basic Functions

� Security Audit

� Reveals what kind of information an attacker

can gather by traffic monitoring.

� Ex: MAC address flooding is used to audit

switches on what kind of info they broadcast.

� Penetration Tests

� Identify weaknesses within the configuration of

networking devices.

36Ali Nezhad

Common Features

� Service Identification� Identify services running on a host.

� Identify services running on non-standard transport layer ports e.g FTP on 210 (not 21)

� Support of SSL Services� Testing services that use SSL-level security such as

HTTPS, SMTPS, …

� Destructive Testing� Pressure testing. Done occasionally.

� Non-destructive Testing� Done routinely. Little impact on network performance.

� Up-to-date Database of Vulnerabilities

37Ali Nezhad

Port Security

38Ali Nezhad

Configuring Port Security

� Limit the number of valid MAC addresses allowed

on a port.

� A secure port forwards only the frames with a

source MAC-address from among its assigned

secure MAC addresses.

� The limit can be one.

� If the port is assigned to a particular MAC address, only

that host can use the port.

� Any attempt by another host results in a violation.

39Ali Nezhad

Implementing Port Security

� Do it for all interfaces.

� Specify a group of valid MAC addresses on

each port. (secure MAC addresses table)

� Allow only one MAC address to access the

port at a time.

� Specify that the port automatically shut

down if a violation is detected.

40Ali Nezhad

Secure MAC Address Types

� Static: stored in the address table and added to

the running config.(config-if)# switchport port-security mac-address <mac>

� Dynamic: learned dynamically and added to

the address table.

� Removed if switch restarts.

� Sticky: learned dynamically, added to the

address table and saved to the running config.

41Ali Nezhad

Sticky Secure MAC AddressesCharacteristics� (config-if)# switchport port-security mac-address sticky

� Enables sticky learning on an interface.

� The port converts all dynamic secure MAC addresses, including those learned before, to sticky and adds all of them to the running config.

� If disabled, the sticky addresses remain in the running config but are removed from the table.

� Addresses that were removed can be dynamically learned again and added to the address table dynamically.

42Ali Nezhad

Sticky Secure MAC Addresses

� (config-if)# switchport port-security mac-address sticky <mac>

� Configures a sticky secure MAC address.

� Addresses are added to the address table and the

running config.

� If port security is disabled, the sticky MAC

addresses remain in the running config.

43Ali Nezhad

� If the sticky addresses are saved to the

config file, when the switch restarts or the

port is shut down, the port does not need to

relearn these addresses.

� If not saved, they are lost.

� If sticky learning is disabled, sticky addresses

are converted to dynamic addresses and

removed from the running config.

44Ali Nezhad

� If you disable sticky learning and then issue:

(config-if)# switchport port-security mac-address sticky <mac>

� An error message appears.

� The sticky MAC address is not added to the

running config.

45Ali Nezhad

Security Violations

� The max. number of secure MAC addresses

have been added to the address table and:

� A station whose address is not in the address

table attempts to access the interface.

� An address learned or configured on one

secure interface is seen on another secure

interface in the same VLAN.

46Ali Nezhad

Violation Modes

� The action that a port is configured to

perform if a violation occurs.

� 3 Modes

� Protect

� Restrict

� Shutdown

47Ali Nezhad

Violation ModesProtect

� When the number of secure addresses reaches

the limit allowed on the port:

� Packets with unknown SRC addresses are

dropped until a sufficient number of secure

MACs are removed or the limit is increased.

� No violation notification is generated.

48Ali Nezhad

Violation ModesRestrict

� When the number of secure addresses

reaches the limit allowed on the port:

� Packets with unknown SRC addresses are

dropped until a sufficient number of secure

MACs are removed or the limit is increased.

� A violation notification is generated.

� An SNMP trap is sent, a syslog message is

logged and the violation counter is incremented.

49Ali Nezhad

Violation ModesShutdown

� Default mode on Cisco switches.

� A violation causes the port to immediately

shut down.

� The port becomes err-disabled.

� LED turns off.

� Notification and logging similar to Restrict.

� To resolve: shutdown and no shutdown.

50Ali Nezhad

Violation Modes

51Ali Nezhad

Default Port Security ConfigCatalyst Switches

52Ali Nezhad

Configuring Port Security

Note: Violation mode is not specified here. Defaults to shutdown.

53Ali Nezhad

Enabling Sticky Port Security

Note: Violation mode is not specified here. Defaults to shutdown.

54Ali Nezhad

Verifying Port Security� Check all interfaces.

� Check that any static MAC addresses are set correctly.

55Ali Nezhad

Verify Secure MAC Addresses

� Display all secure addresses on all ports or a

specific one.

56Ali Nezhad

Securing Unused Ports

� Disable them!

� (config-if)# shutdown

� Can use the range option:

(config)# int range fa0/3 – 24

(config-if-range)# shutdown

� Make them members of the black hole vlan.

57Ali Nezhad

Questions?

4, Ch2- Switch Security

Documents