8/13/2019 Chap 8 -Minimising Service Loss & Data Theft
Chapter 8: Minimising Service Loss and Data Theft
Objectives
Understand switch security issues
Protect against VLAN attacks
Protect against spoof attacks
Secure network switches
Layer 2 Malicious Attacks
Layer 2 malicious attacks are typically launched by a device connected to the campus network. This can be a physical rogue device placed on the network or an external intrusion that takes control of a trusted device and launches attacks from it.
In either case, the network sees all traffic as originating from a legitimate connected device. The following are the types of attacks launched against switches and Layer 2:
1. MAC layer attacks
2. VLAN attacks
3. Spoof attacks
4. Switch device attacks
MAC Flood Attack
In a MAC flood attack, the attacker sends frames with a large number of different source MAC addresses until the switch's MAC address table is full. The switch then floods frames for any destination it cannot look up out of every port in the VLAN, so the attacker can capture traffic that would normally be switched only to its intended port.
To mitigate MAC flooding, port security is configured to define the number of MAC addresses that are allowed on a given port. Port security can also specify which MAC addresses are allowed on a given port.
Switch Configuration Port Security
To limit the number of addresses that can be learned on an interface, switches provide a feature called port security. The number of MAC addresses per port can be limited, down to 1. The first address dynamically learned by the switch becomes the secure address.
Static secure MAC addresses: MAC addresses are manually configured by using the switchport port-security mac-address interface configuration command. MAC addresses configured in this way are stored in the address table and are added to the running configuration on the switch.
Dynamic secure MAC addresses: MAC addresses are dynamically learned and stored only in the address table. MAC addresses learned in this way are removed when the switch restarts.
Sticky secure MAC addresses: You can configure a port to dynamically learn MAC addresses and then save these MAC addresses to the running configuration, so they survive a restart once the configuration is saved.
switchport mode access
Sets the interface mode as access; an interface in the default mode (dynamic desirable) cannot be configured as a secure port.
switchport port-security
Enables port security on the interface.
switchport port-security maximum 6
Sets the maximum number of secure MAC addresses for the interface. The range is platform dependent; on the platform documented here it is 1 to 132, and the default is 1.
switchport port-security aging time 5
Learned addresses are not aged out by default but can be with this command. The value is in minutes, from 1 to 1440; 0 (the default) disables aging.
switchport port-security mac-address 0000.0000.000b
Enters a static secure MAC address for the interface; repeat the command as many times as necessary. You can use this command to enter up to the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned.
switchport port-security mac-address sticky
Enables sticky learning on the interface: dynamically learned addresses are converted to sticky secure addresses and written to the running configuration.
switchport port-security violation {protect | restrict | shutdown}
Sets the violation mode, the action to be taken when a security violation is detected.
Port Security: Violation
If the maximum number of secure MAC addresses has been reached and a frame from a new MAC address arrives on the port, the switch takes one of the following actions (the default mode is shutdown):
Protect: Frames from the non-allowed address are dropped, but there is no log of the violation. The protect argument is platform or version dependent.
Restrict: Frames from the non-allowed address are dropped, a log message is created, a Simple Network Management Protocol (SNMP) trap is sent and the violation counter is incremented. Traffic from the secure addresses keeps flowing.
Shutdown: If any frames are seen from a non-allowed address, the interface is err-disabled, a log entry is made, an SNMP trap is sent and manual intervention (shutdown followed by no shutdown) or errdisable recovery must be used to make the interface usable. The port LED is switched off.
Switch(config-if)#switchport port-security violation {protect | restrict | shutdown}
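The slides above describe port security in prose; the following is an added example (not code from the page or from Cisco) that models the behaviour in Python so the three violation modes, static and sticky learning, and what survives a restart can be exercised side by side. The port names, MAC addresses and syslog strings are constructed; the syslog strings only resemble IOS messages.

```python
"""Port security as the slides describe it, modelled in Python (added example,
not code from the page or from Cisco): a per-port secure-address table with a
maximum, static/sticky learning and the protect/restrict/shutdown violation
modes. Syslog strings are constructed to resemble IOS messages."""

from dataclasses import dataclass, field
from typing import List


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                # switchport port-security maximum <n> (default 1)
    violation: str = "shutdown"     # switchport port-security violation {protect|restrict|shutdown}
    sticky: bool = False            # switchport port-security mac-address sticky
    static: List[str] = field(default_factory=list)   # switchport port-security mac-address <mac>
    secure: List[str] = field(default_factory=list)   # current secure addresses (address table)
    running_config: List[str] = field(default_factory=list)  # what 'show running-config' would keep
    violations: int = 0
    syslog: List[str] = field(default_factory=list)
    errdisabled: bool = False

    def __post_init__(self):
        for mac in self.static:
            self._learn(mac, static=True)

    def _learn(self, mac, static=False):
        self.secure.append(mac)
        if static:
            self.running_config.append(f"switchport port-security mac-address {mac}")
        elif self.sticky:           # sticky: learned dynamically, then written to the running config
            self.running_config.append(f"switchport port-security mac-address sticky {mac}")

    def receive(self, src_mac: str) -> str:
        """Process a frame from src_mac; return 'forward', 'drop' or 'errdisable'."""
        if self.errdisabled:
            return "errdisable"     # nothing passes until no shutdown / errdisable recovery
        if src_mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:
            self._learn(src_mac)    # the first addresses seen become the secure addresses
            return "forward"
        # The table is full and the source is not a secure address: a violation.
        if self.violation == "protect":
            return "drop"           # silently dropped, nothing recorded
        self.violations += 1
        self.syslog.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
                           f"caused by MAC address {src_mac} on port {self.name}.")
        if self.violation == "restrict":
            return "drop"
        self.errdisabled = True     # shutdown mode: the whole port goes err-disabled
        self.syslog.append(f"%PM-4-ERR_DISABLE: psecure-violation error detected on {self.name}, "
                           f"putting {self.name} in err-disable state")
        return "errdisable"

    def no_shutdown(self):
        """Manual recovery (shutdown / no shutdown); the secure addresses are kept."""
        self.errdisabled = False

    def reboot(self):
        """Dynamic (non-sticky) addresses are lost on restart; static and sticky ones survive."""
        self.secure = [line.split()[-1] for line in self.running_config]


def demo():
    """Replay the three violation modes and sticky learning; returns the outcomes."""
    out = {}
    p = SecurePort("Fa0/1", maximum=2, violation="restrict", static=["0000.0000.000b"])
    out["restrict"] = [p.receive(m) for m in ("0000.0000.000b", "0000.0000.0001",
                                              "0000.0000.0002", "0000.0000.0001")]
    out["restrict_violations"] = p.violations
    q = SecurePort("Fa0/2")                      # defaults: maximum 1, violation shutdown
    out["shutdown"] = [q.receive(m) for m in ("0000.0000.0001", "0000.0000.0002", "0000.0000.0001")]
    q.no_shutdown()
    out["after_recovery"] = q.receive("0000.0000.0001")
    r = SecurePort("Fa0/3", violation="protect", sticky=True)
    out["protect"] = [r.receive(m) for m in ("0000.0000.0001", "0000.0000.0002")]
    out["protect_violations"] = r.violations
    out["sticky_config"] = list(r.running_config)
    r.reboot()
    out["sticky_after_reboot"] = list(r.secure)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The restrict case is the one to note operationally: the offending frames are dropped and counted, but the port stays up and the secure hosts keep working, which is why restrict is usually preferred over shutdown on user-facing ports where a helpdesk call for every err-disable is not acceptable.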
AAA Network Configuration
Authentication, authorization, and accounting (AAA) network security services provide the primary framework through which access control is set up on a switch. AAA is an architectural framework for configuring a set of three independent security functions in a consistent manner.
802.1x Port-Based Authentication
Until the workstation is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the workstation is connected.
After authentication succeeds, normal traffic can pass through the port.
Configure AAA & 802.1x
Figure: client, authenticator (ALS1, ports Fa0/1 and Fa0/2) and authentication server at 172.120.39.46.
ALS1# configure terminal
ALS1(config)#aaa new-model
ALS1(config)#radius-server host 172.120.39.46 auth-port 1812 key rad123
ALS1(config)#aaa authentication dot1x default group radius local
ALS1(config)#dot1x system-auth-control
ALS1(config)#int fa0/1
ALS1(config-if)#dot1x port-control {auto | force-authorized | force-unauthorized}
ALS1(config-if)#end
Port-based authentication can be handled by one or more external RADIUS servers. Note that although Cisco switches allow other authentication methods, only RADIUS is supported for 802.1x.
VLAN Hopping: Switch Spoofing
Figure: the attacker is connected to S1 on a port it has negotiated into an 802.1Q trunk (native VLAN 10); S1 and S2 are joined by an 802.1Q trunk (native VLAN 10) carrying VLANs 10 and 20.
In a switch spoofing attack, the network attacker configures a system to spoof itself as a switch by performing Inter-Switch Link (ISL) or 802.1Q trunking, along with DTP negotiation, to establish a trunk connection to the switch.
By default, a trunk connection provides an attacker with access to all VLANs in the network.
VLAN Hopping: Double Tagging
Figure: the attacker sits on an access port in VLAN 10 on S1; an 802.1Q trunk (native VLAN 10) joins S1 to S2; the victim is in VLAN 20 behind S2. The attacker's frame carries an outer tag for VLAN 10 and an inner tag for VLAN 20.
1. The attacker sends a double-tagged broadcast frame into the local access LAN.
2. Switch 1 forwards this across the trunk, removing the outer tag, because it matches the native VLAN of the trunk and native-VLAN traffic is sent untagged.
3. Switch 2 receives the frame, reads the remaining (inner) tag, and forwards it into VLAN 20.
The attack only works when the attacker's access VLAN is the native VLAN of the trunk, and it is one-way: replies from VLAN 20 are not delivered back to the attacker.
Mitigating VLAN Hopping
Switch Spoofing: Configure all unused ports as access ports so that trunking cannot be negotiated across those links. Place all unused ports in the shutdown state and associate them with a VLAN designated only for unused ports, carrying no user data traffic.
Double Tagging: Configure the native VLAN of each trunk as an unused VLAN, which can then be pruned off the trunk:
S1(config)#vlan 800
S1(config-vlan)#name bogus_native
S1(config)#int fa0/1
S1(config-if)#switchport trunk encapsulation dot1q
S1(config-if)#switchport trunk native vlan 800
S1(config-if)#switchport trunk allowed vlan remove 800
S1(config-if)#switchport mode trunk
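To make steps 1 to 3 of the double-tagging slide and the native-VLAN mitigation above concrete, here is an added example (not code from the page or from Cisco) that builds a real double-tagged 802.1Q frame byte by byte and runs it through a minimal model of the two switches. The switch model is reduced to the tag handling that matters here (access-port ingress, trunk egress and trunk ingress); the MAC addresses, payload and allowed-VLAN list are constructed.

```python
"""Byte-level model of the double-tagging attack and the native-VLAN mitigation
above. Added example, not code from the page: the switch behaviour is reduced to
the tag handling that matters here (access-port ingress, trunk egress/ingress),
and the MAC addresses and payload are constructed."""

import struct

TPID = 0x8100   # 802.1Q tag protocol identifier


def vlan_tag(vid, pcp=0):
    """4-byte 802.1Q tag: TPID + TCI (3-bit priority, 1-bit DEI, 12-bit VID)."""
    return struct.pack("!HH", TPID, (pcp << 13) | (vid & 0x0FFF))


def build_frame(dst, src, vids, ethertype, payload):
    """Ethernet II frame with one 802.1Q tag per VID in vids, outermost first."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    return hdr + b"".join(vlan_tag(v) for v in vids) + struct.pack("!H", ethertype) + payload


def pop_tag(frame):
    """Return (vid, frame without that tag) if a tag follows the MAC addresses, else (None, frame)."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID:
        vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        return vid, frame[:12] + frame[16:]
    return None, frame


def push_tag(frame, vid):
    return frame[:12] + vlan_tag(vid) + frame[12:]


def access_ingress(frame, access_vlan):
    """S1 access port: untagged frames join the access VLAN; a tag naming the access
    VLAN itself is accepted and stripped; a tag for any other VLAN is dropped."""
    vid, inner = pop_tag(frame)
    if vid is None:
        return access_vlan, frame
    return (access_vlan, inner) if vid == access_vlan else (None, None)


def trunk_egress(vlan, frame, native, allowed):
    """S1 trunk egress: native-VLAN frames leave untagged, others are tagged;
    VLANs removed from the allowed list are not sent at all."""
    if vlan not in allowed:
        return None
    return frame if vlan == native else push_tag(frame, vlan)


def trunk_ingress(frame, native, allowed):
    """S2 trunk ingress: a tagged frame joins the tag's VLAN, an untagged one the native VLAN."""
    vid, inner = pop_tag(frame)
    vlan = native if vid is None else vid
    return (vlan, inner) if vlan in allowed else (None, None)


def deliver(frame, access_vlan, native, allowed):
    """Carry a frame from the attacker's access port on S1 over the trunk to S2.
    Returns (VLAN S2 delivers into, or None; VID of any tag still inside the frame)."""
    vlan, f = access_ingress(frame, access_vlan)
    if vlan is None:
        return None, None
    wire = trunk_egress(vlan, f, native, allowed)
    if wire is None:
        return None, None
    vlan2, f2 = trunk_ingress(wire, native, allowed)
    if vlan2 is None:
        return None, None
    return vlan2, pop_tag(f2)[0]


# Constructed attacker frame: broadcast, outer tag VLAN 10 (the native VLAN), inner tag VLAN 20.
ATTACK = build_frame("ff:ff:ff:ff:ff:ff", "00:00:00:00:00:0c", [10, 20], 0x0800, b"payload")


def hopped_vlan(native, allowed=frozenset({10, 20})):
    """VLAN into which S2 delivers ATTACK when the attacker sits in access VLAN 10."""
    return deliver(ATTACK, 10, native, allowed)


if __name__ == "__main__":
    print("native VLAN 10 :", hopped_vlan(10))    # hopped into VLAN 20, no tag left
    print("native VLAN 800:", hopped_vlan(800))   # stays in VLAN 10, inner tag is now just payload
```

With the native VLAN left at 10 the frame reaches VLAN 20; with the native VLAN moved to an unused VLAN 800, S1 tags the frame with VLAN 10 on egress, S2 strips that tag and the inner VLAN 20 tag is never interpreted. Forcing the native VLAN to be tagged on the trunk (the vlan dot1q tag native global command, not shown on the slides) closes the same hole in a different way.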
VLAN Access Control Lists
Router access control list (RACL): Applied to Layer 3 interfaces such as an SVI or an L3 routed port. It controls the access of routed traffic between VLANs. RACLs are applied on interfaces for specific directions (inbound or outbound). You can apply one access list in each direction.
Port access control list (PACL): Applied on a Layer 2 switch port, trunk port, or EtherChannel port. PACLs perform access control on traffic entering a Layer 2 interface. With PACLs, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC addresses. When you apply a PACL to a trunk port, it filters traffic on all VLANs present on the trunk port.
VLAN access control list (VACL): Supported in software on Cisco multilayer switches. Filtering is based on Layer 2 or Layer 3 parameters within a VLAN. Unlike RACLs, VACLs are not defined by direction (input or output); they apply to all traffic bridged within, routed into or routed out of the VLAN.
VACL Configuration
Figure: DLS1 with a server 192.168.10.10/24 and Host 1 192.168.10.20/24 in VLAN 10, and Host 2 192.168.20.20/24 in VLAN 20. Goal: deny all traffic from VLAN 20 from reaching the VLAN 10 server.
1. Create an ACL to define the traffic to block (permit here means "match"; the drop is decided in the access map):
DLS1(config)#ip access-list extended DENY_SERVER
DLS1(config-ext-nacl)#permit ip 192.168.20.0 0.0.0.255 host 192.168.10.10
2. Create a VLAN access map that drops the matched traffic and forwards everything else (without the second entry, all other traffic in the VLAN would be dropped by the implicit deny at the end of the map):
DLS1(config)#vlan access-map DENY_MAP 10
DLS1(config-access-map)#match ip address DENY_SERVER
DLS1(config-access-map)#action drop
DLS1(config-access-map)#vlan access-map DENY_MAP 20
DLS1(config-access-map)#action forward
3. Apply the VLAN map to VLAN 10:
DLS1(config)#vlan filter DENY_MAP vlan-list 10
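The three steps above are easy to get subtly wrong (a permit in the ACL is a match, not an allow; a map without a catch-all forward drops everything). The following added example (not code from the page or from Cisco) parses the ACE syntax used on this page, matches with Cisco wildcard masks and walks the access map the way the switch does, so the page's configuration and the common mistake can be checked against sample flows. The ACE parser supports only the permit|deny ip form used here; routing between the VLANs is not modelled, only the match decision.

```python
"""Evaluation model for the VACL above. Added example, not the page's or Cisco's
code: it parses the ACE syntax used on this page (permit|deny ip <src> <dst>,
with 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'), matches with Cisco wildcard
masks and walks the access map the way the switch does, including the implicit
drop at the end of the map."""

import ipaddress


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


def parse_ace(line):
    """'permit ip 192.168.20.0 0.0.0.255 host 192.168.10.10' -> (action, src, src_wc, dst, dst_wc)."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"only 'permit|deny ip ...' entries are modelled: {line}")

    def take(ts):
        if ts[0] == "any":
            return ("0.0.0.0", "255.255.255.255"), ts[1:]
        if ts[0] == "host":
            return (ts[1], "0.0.0.0"), ts[2:]
        return (ts[0], ts[1]), ts[2:]

    (src, src_wc), rest = take(rest)
    (dst, dst_wc), rest = take(rest)
    return action, src, src_wc, dst, dst_wc


def acl_result(acl, src, dst):
    """The first matching ACE decides; no match is the ACL's implicit deny,
    which for a VACL simply means 'this clause does not match'."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"


def vacl_verdict(access_map, acls, src, dst):
    """access_map: [(sequence, acl_name_or_None, 'drop'|'forward')]. A clause with no
    match statement matches everything; if no clause matches, the packet is dropped."""
    for _seq, acl_name, action in sorted(access_map, key=lambda c: c[0]):
        if acl_name is None or acl_result(acls[acl_name], src, dst) == "permit":
            return action
    return "drop"


# The page's configuration, expressed as data.
ACLS = {"DENY_SERVER": [parse_ace("permit ip 192.168.20.0 0.0.0.255 host 192.168.10.10")]}
DENY_MAP = [(10, "DENY_SERVER", "drop"), (20, None, "forward")]
DENY_MAP_NO_FORWARD = [(10, "DENY_SERVER", "drop")]   # the common mistake: no catch-all forward


def check(src, dst, access_map=DENY_MAP):
    """Verdict for one flow entering VLAN 10 under the given access map."""
    return vacl_verdict(access_map, ACLS, src, dst)


if __name__ == "__main__":
    for flow in (("192.168.20.20", "192.168.10.10"), ("192.168.10.20", "192.168.10.10")):
        print(flow, "->", check(*flow), "| without seq 20:", check(*flow, DENY_MAP_NO_FORWARD))
```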
Private VLANs
Used by service providers to deploy host services and network access where all devices reside in the same subnet but only communicate with a default gateway, backup servers, or another network.
Catalyst 6500/4500/3650 switches implement PVLANs, whereas the 2950 and 3550 support protected ports, which provide functionality similar to PVLANs on a per-switch basis.
Advantages of PVLANs include:
1. Provides security
2. Reduces the number of IP subnets
3. Reduces VLAN usage by isolating traffic between network devices residing in the same VLAN
Private VLANs
Figure: R1 is attached to Fa0/1 as the promiscuous port of primary VLAN 100; hosts 192.168.10.1/24 to 192.168.10.7/24 are attached to Fa0/2 to Fa0/7 and placed in secondary community VLAN 10, secondary community VLAN 20 and secondary isolated VLAN 30. The Yes/No marks in the figure show which host pairs can communicate: hosts in the same community VLAN can, hosts in the isolated VLAN cannot reach each other, and every host can reach R1.
Private VLAN Configuration
Create private VLANs (VTP is set to transparent mode because VTP versions 1 and 2 do not propagate private VLANs):
DLS2(config)#vtp mode transparent
DLS2(config)#vlan 10
DLS2(config-vlan)#private-vlan community
DLS2(config)#vlan 20
DLS2(config-vlan)#private-vlan community
DLS2(config)#vlan 30
DLS2(config-vlan)#private-vlan isolated
DLS2(config-vlan)#exit
DLS2(config)#vlan 100
DLS2(config-vlan)#private-vlan primary
DLS2(config-vlan)#private-vlan association 10,20,30
Populate private VLANs (the promiscuous port is mapped to all secondary VLANs; each host port is associated with its one secondary VLAN):
DLS2(config)#int fa0/1
DLS2(config-if)#switchport mode private-vlan promiscuous
DLS2(config-if)#switchport private-vlan mapping 100 10,20,30
DLS2(config-if)#int fa0/2
DLS2(config-if)#switchport mode private-vlan host
DLS2(config-if)#switchport private-vlan host-association 100 10
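The forwarding rules that the figure's Yes/No marks summarise are the part of private VLANs people misread, so here is an added example (not code from the page or from Cisco) that encodes them and produces the reachability matrix for the topology above. Fa0/1 as promiscuous and Fa0/2 in community VLAN 10 follow the configuration slides; the assignment of the remaining host ports (Fa0/3 to community 10, Fa0/4 and Fa0/5 to community 20, Fa0/6 and Fa0/7 to isolated 30) is an assumption.

```python
"""Reachability rules of the private VLAN above, modelled in Python. Added
example, not the page's or Cisco's code; Fa0/1 (promiscuous) and Fa0/2
(community 10) follow the configuration slides, the other host-port
assignments are assumed."""

PRIMARY = 100
SECONDARY = {10: "community", 20: "community", 30: "isolated"}   # private-vlan community / isolated

# port -> (mode, secondary VLAN or None for the promiscuous port)
PORTS = {"Fa0/1": ("promiscuous", None),
         "Fa0/2": ("host", 10), "Fa0/3": ("host", 10),     # community 10
         "Fa0/4": ("host", 20), "Fa0/5": ("host", 20),     # community 20
         "Fa0/6": ("host", 30), "Fa0/7": ("host", 30)}     # isolated 30


def can_forward(src, dst):
    """True if a frame from port src may reach port dst inside the private VLAN."""
    if src == dst:
        return False
    (smode, svlan), (dmode, dvlan) = PORTS[src], PORTS[dst]
    if smode == "promiscuous" or dmode == "promiscuous":
        return True                          # the promiscuous port (gateway) talks to everyone
    if svlan != dvlan:
        return False                         # different secondary VLANs never see each other directly
    return SECONDARY[svlan] == "community"   # community: yes; isolated: only via the promiscuous port


def reachability():
    """Port-by-port matrix of who can talk to whom (the figure's Yes/No marks)."""
    ports = sorted(PORTS)
    return {s: {d: can_forward(s, d) for d in ports if d != s} for s in ports}


if __name__ == "__main__":
    for src, row in reachability().items():
        print(src, " ".join(f"{d}:{'Y' if ok else 'N'}" for d, ok in row.items()))
```

Note that the isolation is purely Layer 2: two isolated hosts can still reach each other through R1 if the router is willing to forward between them, which is why a local proxy-ARP or ACL policy on the promiscuous device is part of a complete PVLAN design.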
DHCP Snooping
Figure: the client and a rogue DHCP server are attached to ALS1 (Fa0/2 and Fa0/3) in VLAN 10; ALS1 Fa0/1 is a trunk to DLS1, and the legitimate DHCP server for VLAN 10 is attached to DLS1 (Fa0/2).
Rogue DHCP server attack:
1. An attacker activates a DHCP server on a network segment.
2. The client broadcasts a request for DHCP configuration information.
3. The rogue DHCP server responds before the legitimate DHCP server can respond, assigning attacker-defined IP configuration information.
4. Host packets are redirected to the attacker's address, as it emulates a default gateway for the erroneous DHCP address provided to the client.
Common Security Attacks: Spoofing
Figure: the same topology, with the trunk and the legitimate DHCP server's port marked trusted and the client and rogue server ports marked untrusted.
DHCP snooping allows the configuration of ports as trusted or untrusted.
Trusted ports can forward all DHCP messages, including server replies (offers and acknowledgements).
Untrusted ports can forward only DHCP client messages (requests); server messages arriving on an untrusted port are dropped, which stops the rogue server.
DHCP snooping enables the switch to build a DHCP binding table that maps a client MAC address, IP address, VLAN, and port ID.
Use the ip dhcp snooping command.
DHCP Snooping - Configuration
Figure: as above; the trusted ports are the trunk on each switch and the legitimate server's port on DLS1, the untrusted ports are the client and rogue server ports on ALS1.
ALS1(config)#ip dhcp snooping
ALS1(config)#ip dhcp snooping vlan 10
ALS1(config)#interface Fa0/1
ALS1(config-if)#ip dhcp snooping trust
ALS1(config)#interface range fa0/2-3
ALS1(config-if-range)#ip dhcp snooping limit rate 20
ALS1(config-if-range)#ip verify source vlan dhcp-snooping port-security
DLS1(config)#ip dhcp snooping
DLS1(config)#ip dhcp snooping vlan 10
DLS1(config)#interface range Fa0/1-2
DLS1(config-if-range)#ip dhcp snooping trust
The ip verify source command enables IP Source Guard, which uses the DHCP snooping bindings to filter IP traffic on the untrusted ports so that a host cannot send from an address it was not leased. The rate limit protects the switch CPU from DHCP floods on untrusted ports; exceeding it err-disables the port.
ARP Spoofing
Figure: Host 1 (192.168.10.10/24, MAC aaa.aaa.aaa), Host 2 (192.168.10.12/24, MAC bbb.bbb.bbb) and the attacker (192.168.10.20/24, MAC ccc.ccc.ccc) are attached to DLS1. Host 1's ARP cache entry for 192.168.10.12 changes from bbb.bbb.bbb to ccc.ccc.ccc after the attacker's gratuitous ARP.
1. Host 1 sends an ARP broadcast to determine the MAC address of the host with IP address 192.168.10.12.
2. Host 2 replies with its MAC address. Host 1 caches the ARP response, using it to populate the destination Layer 2 header of packets sent to 192.168.10.12.
3. The attacker sends a gratuitous ARP reply claiming that 192.168.10.12 is at its own MAC address; this causes Host 1 to overwrite the entry in its ARP cache with the MAC address of the attacking system.
4. All packets destined for Host 2 are forwarded through the attacker's system.
Dynamic ARP Inspection (DAI)
Dynamic ARP Inspection (DAI) determines the validity of an ARP packet based on the MAC-address-to-IP-address bindings stored in the DHCP snooping database. To ensure that only valid ARP requests and responses are relayed, DAI takes the following actions:
1. Forwards ARP packets received on a trusted interface without any checks.
2. Intercepts all ARP packets on untrusted ports.
3. Verifies that each intercepted packet has a valid IP-to-MAC address binding before forwarding packets that can update the local ARP cache.
4. Drops, logs, or drops and logs ARP packets with invalid IP-to-MAC address bindings.
Dynamic ARP Inspection - Configuration
Figure: same topology and trust assignments as for DHCP snooping.
ALS1(config)#ip arp inspection vlan 10
ALS1(config)#ip arp inspection validate src-mac dst-mac ip
ALS1(config)#interface Fa0/1
ALS1(config-if)#ip arp inspection trust
DLS1(config)#ip arp inspection vlan 10
DLS1(config)#interface range Fa0/1-2
DLS1(config-if-range)#ip arp inspection trust
The three validation options are given in one command on purpose: each ip arp inspection validate command replaces the previous one, so entering src-mac, dst-mac and ip on separate lines would leave only the last option active. Hosts with static addresses have no DHCP snooping binding and will have their ARP traffic dropped on untrusted ports unless they are covered by an ARP ACL or placed on a trusted port.
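The rogue DHCP server, ARP spoofing and DAI slides above describe three stages of one mechanism: snooping builds the binding table, and DAI uses it to judge ARP packets on untrusted ports. The following added example (not code from the page or from Cisco) models both on one switch and replays the slides' scenario. DHCP and ARP messages are reduced to the fields the checks look at; the MAC addresses, IP addresses and port layout (Host 1 on Fa0/2, Host 2 on Fa0/3, attacker on Fa0/4, DHCP server reached through trusted Fa0/1, a static host on Fa0/5) are constructed.

```python
"""DHCP snooping and Dynamic ARP Inspection modelled together, covering the
rogue DHCP server, ARP spoofing and DAI slides above. Added example, not code
from the page or from Cisco: messages are reduced to the fields the checks look
at, and the MACs, IPs and port numbers are constructed (Host 1 on Fa0/2, Host 2
on Fa0/3, attacker on Fa0/4, DHCP server behind trusted Fa0/1)."""

from dataclasses import dataclass
from typing import Dict, List, Tuple

INVALID_IPS = {"0.0.0.0", "255.255.255.255"}


def invalid_ip(ip):
    """The 'validate ip' check: 0.0.0.0, 255.255.255.255 and multicast are never legitimate."""
    return ip in INVALID_IPS or 224 <= int(ip.split(".")[0]) <= 239


@dataclass(frozen=True)
class Arp:
    op: int            # 1 = request, 2 = reply (a gratuitous ARP is an unsolicited reply)
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


class Switch:
    def __init__(self, trusted, validate=("src-mac", "dst-mac", "ip")):
        self.trusted = set(trusted)      # ip dhcp snooping trust / ip arp inspection trust
        self.validate = set(validate)    # ip arp inspection validate src-mac dst-mac ip
        self.bindings: Dict[Tuple[str, int], Tuple[str, str]] = {}  # (mac, vlan) -> (ip, port)
        self.client_port: Dict[Tuple[str, int], str] = {}
        self.log: List[str] = []

    def dhcp(self, port, vlan, msg, eth_src, chaddr, yiaddr=None):
        """DHCP snooping. msg is DISCOVER/REQUEST (client side) or OFFER/ACK/NAK (server side)."""
        if msg in ("OFFER", "ACK", "NAK"):
            if port not in self.trusted:         # a server answering on an untrusted port is rogue
                self.log.append(f"DHCP_SNOOPING: {msg} from untrusted port {port} dropped")
                return "drop"
            if msg == "ACK":                     # lease confirmed: record MAC, IP, VLAN and client port
                self.bindings[(chaddr, vlan)] = (yiaddr, self.client_port.get((chaddr, vlan), "?"))
            return "forward"
        if port not in self.trusted and eth_src != chaddr:   # MAC verification, on by default
            self.log.append(f"DHCP_SNOOPING: {msg} on {port}: chaddr {chaddr} != source MAC {eth_src}, dropped")
            return "drop"
        self.client_port[(chaddr, vlan)] = port
        return "forward"

    def arp(self, port, vlan, eth_src, eth_dst, pkt):
        """Dynamic ARP Inspection: trusted ports bypass all checks, untrusted ports are validated."""
        if port in self.trusted:
            return "forward"
        reasons = []
        if "src-mac" in self.validate and eth_src != pkt.sender_mac:
            reasons.append("src-mac")
        if "dst-mac" in self.validate and pkt.op == 2 and eth_dst != pkt.target_mac:
            reasons.append("dst-mac")
        if "ip" in self.validate and (invalid_ip(pkt.sender_ip) or (pkt.op == 2 and invalid_ip(pkt.target_ip))):
            reasons.append("ip")
        binding = self.bindings.get((pkt.sender_mac, vlan))
        if binding is None or binding[0] != pkt.sender_ip:   # the core check against the snooping table
            reasons.append("binding")
        if reasons:
            kind = "reply" if pkt.op == 2 else "request"
            self.log.append(f"ARP_INSPECTION: {kind} on {port} claiming {pkt.sender_ip} is at "
                            f"{pkt.sender_mac} dropped ({', '.join(reasons)})")
            return "drop"
        return "forward"


# Constructed addresses mirroring the ARP spoofing figure (Host 1, Host 2, attacker, DHCP server).
H1, H2, ATK, SRV, BCAST = "aaaa.aaaa.aaaa", "bbbb.bbbb.bbbb", "cccc.cccc.cccc", "dddd.dddd.dddd", "ffff.ffff.ffff"


def demo():
    """Replay the slides' scenario on a switch whose only trusted port is Fa0/1 (towards the DHCP server)."""
    sw, out = Switch(trusted={"Fa0/1"}), {}
    for mac, port, ip in ((H1, "Fa0/2", "192.168.10.10"), (H2, "Fa0/3", "192.168.10.12"), (ATK, "Fa0/4", "192.168.10.20")):
        sw.dhcp(port, 10, "REQUEST", mac, mac)                      # client asks on its own port
        sw.dhcp("Fa0/1", 10, "ACK", SRV, mac, yiaddr=ip)            # legitimate server answers via Fa0/1
    out["bindings"] = dict(sw.bindings)
    out["rogue_offer"] = sw.dhcp("Fa0/4", 10, "OFFER", ATK, H1, yiaddr="192.168.10.99")
    out["legit_reply"] = sw.arp("Fa0/3", 10, H2, H1, Arp(2, H2, "192.168.10.12", H1, "192.168.10.10"))
    out["gratuitous_spoof"] = sw.arp("Fa0/4", 10, ATK, BCAST, Arp(2, ATK, "192.168.10.12", BCAST, "192.168.10.12"))
    out["forged_sender_mac"] = sw.arp("Fa0/4", 10, ATK, H1, Arp(2, H2, "192.168.10.12", H1, "192.168.10.10"))
    out["static_host"] = sw.arp("Fa0/5", 10, "eeee.eeee.eeee", BCAST, Arp(1, "eeee.eeee.eeee", "192.168.10.50", BCAST, "192.168.10.1"))
    out["log"] = list(sw.log)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The last case is the operational caveat: a host that never used DHCP has no binding, so DAI drops even its honest ARP requests on an untrusted port. The fix is an ARP ACL for that host or a trusted port, not disabling inspection for the VLAN.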
Switch Security Summary
CDP packets can expose network information (device type, software version, IP addresses) and should be disabled on ports facing untrusted devices.
Authentication information and data carried in Telnet sessions are sent in clear text and are vulnerable to capture.
SSH is a more secure alternative to Telnet.
VTY ACLs should be used to limit Telnet (and SSH) access to switch devices.
VTY ACL configuration uses standard IP access lists.
Sound security measures and trimming of unused applications and services are the basis of best practices.
Any Questions?