8/2/2019 11W NET3011 Ch6 SwSecurity 111
1/56
SwitchSecurity
Copyright 2011, Algonquin College, Rick Graziani, Cisco Systems, Inc. All rights reserved.11W NET3011 David Bray
bitDegree.ca
11W NET3011CCNP SWITCH Chapter 6
Securing Switches
David Bray
[email protected], with contributions from Rick Graziani & Cisco
Overview of Switch Security
[Figure: Castle Hedingham, England]
11W NET3011 2011, David Bray, Algonquin College, Rick Graziani, Cisco Systems, Inc. All rights reserved. 2
Most attention surrounds security attacks from outside the walls of an organization.
The inside of the network is left largely unconsidered in most security discussions.
Overview of Switch Security
The default state of networking equipment:
Equipment placed at organizational borders: the default is secure, and it must be configured for communications.
Routers and switches (placed internal to an organization): the default is not secure, and they must be configured for security.
Rogue Access Points
Rogue network devices can be:
Access switches
Wireless routers
Wireless access points
Hubs
These devices attach at access-level switches.
Rogue Access Points
Mitigating STP manipulation:
To enforce the placement of the root bridge
To enforce the STP domain borders
Use these features (as previously discussed in Chapter 2):
Root guard
BPDU guard
Switch Attack Categories
MAC layer attacks
VLAN attacks
Spoofing attacks
Attacks on switch devices
MAC layer attacks
MAC address flooding: the switch is flooded with frames carrying numerous invalid source MAC addresses.
This is intended to exhaust CAM table space.
Therefore, no space remains for entries from valid hosts. Traffic to valid hosts is subsequently flooded out all ports.
Solution:
Port security
MAC address VLAN access maps
VLAN hopping attacks
By altering the VLAN ID on packets encapsulated for trunking, an attacking device can send or receive packets on various VLANs, bypassing Layer 3 security measures.
Solution:
Tighten up trunk configurations
Place unused ports in a common VLAN
VLAN attacks
Attacks between devices on a common VLAN: devices may need protection from one another, even though they are on a common VLAN. Example: a single Service Provider segment populated with devices from multiple customers.
Solution:
Private VLANs (pVLANs)
Spoofing attacks
DHCP spoofing
Attacker masquerades as a DHCP server to perpetrate man-in-the-middle attacks.
Attackers also use this method to cause DHCP starvation:
use up available addresses in the pool
lack of addresses for valid hosts results in DoS (Denial of Service)
Solution:
DHCP snooping
Spoofing attacks
MAC spoofing
Attacking device spoofs the MAC address of a valid host currently in the CAM table.
Switch then forwards frames intended for the valid host to the attacking device.
Solution:
DHCP snooping
Port security
Spoofing attacks
Address Resolution Protocol (ARP) spoofing
Attacking device crafts ARP replies associated with the IP of valid hosts.
The attacking device's MAC address then becomes the destination address found in the Layer 2 frames sent by the valid network device.
Solution:
Dynamic ARP Inspection
DHCP snooping
Port security
Attacks on switch devices
CDP information is transmitted in clear text.
Divulges network topology information.
Solution: Disable CDP on all ports where it doesn't have an intended purpose.
Attacks on switch devices
Secure Shell Protocol and Telnet attacks: Telnet packets can be read in clear text.
Solution:
SSH version 2
Telnet with virtual type terminal (VTY) ACLs.
Building the MAC Address Table
[Figure: a switch with hosts 1111, 2222, 3333 and 4444 (abbreviated MAC addresses). Host 1111 sends a frame to 3333. MAC address table: Port 1, Source MAC 1111. The switch learns the source MAC; the destination MAC is not in the table, so the frame is flooded out all ports (unknown unicast).]
Building the MAC Address Table
[Figure: a frame is sent from 3333 to 1111. MAC address table: Port 1, Source MAC 1111; Port 6, Source MAC 3333. Hosts 1111, 2222, 3333, 4444 (abbreviated MAC addresses).]
Building the MAC Address Table
[Figure: bidirectional communication between 1111 and 3333 (frames 3333 to 1111 and 1111 to 3333). MAC address table: Port 1, 1111; Port 6, 3333. Hosts 1111, 2222, 3333, 4444 (abbreviated MAC addresses).]
Building the MAC Address Table
[Figure: an attacker attached to the switch sends frames with numerous invalid source addresses. MAC address table: Port 1, 1111; Port 6, 3333, followed by numerous invalid entries. Hosts 1111, 2222, 3333, 4444 (abbreviated MAC addresses).]
A common Layer 2 or switch attack, used for:
Collecting a broad sample of traffic
Denial of Service (DoS) attack
CAM tables are limited in size (1,024 to over 16,000 entries).
Tools such as dsniff can flood the CAM table in just over 1 minute.
Building the MAC Address Table
[Figure: the same topology; the MAC address table is now full of invalid source addresses (TABLE IS FULL).]
Dsniff (macof) can generate 155,000 MAC entries on a switch per minute.
It takes about 70 seconds to fill the CAM table.
Once the table is full, traffic without a CAM table entry is flooded out all ports (unknown unicasts).
Building the MAC Address Table
[Figure: the same topology with the table full; the attacker now receives the flooded frames.]
Once the CAM table is full, new valid entries will not be accepted.
The switch must flood frames to that address out all ports.
This has two adverse effects:
Traffic forwarding is inefficient (for devices and links).
An intruding device can be connected to any switch port and capture traffic not normally seen on that port.
MAC Flooding
If the attack is launched before the beginning of the day, the CAM table would be full as the ...
If the initial, malicious flood of invalid CAM table entries is a one-time event:
Eventually, the switch will age out older, invalid CAM table entries
New, legitimate devices will be able to create an entry in the CAM
Traffic flooding will cease
Intruder may never be detected (network seems normal).
Port Security and Authentication
Suggested Mitigation for MAC Flood Attacks
Port security: restricts port access by MAC address.
Port authentication
Using Port Security on a Switch
The Port Security feature provides a way to restrict the hosts allowed to use a particular port.
This caps the maximum number of concurrent hosts on that port. In addition, hosts are identified by their MAC addresses, which:
can be learned dynamically (the default)
can be configured statically
or a combination of both options above
Port Security: Secure MAC Addresses
Secure MAC addresses are categorized as one of three types:
Static
Configured using switchport port-security mac-address mac-address
Stored in the address table.
Preserved across reboots if the running-config is saved to startup-config.
Dynamic
These are dynamically learned (the default).
Stored only in the address table (lost when the switch restarts).
Sticky
These are dynamically learned.
Stored in the address table.
Once learned, they are added to the running configuration as the command: switchport port-security mac-address sticky mac-address
Of course, if the running-config is saved to startup-config thereafter, learned sticky addresses will be preserved across restarts.
Note: At the time the sticky option is enabled, the interface adopts all existing dynamic secure MAC addresses as sticky secure MAC addresses, added to the running configuration as discussed above.
Enabling Port Security on an Interface
Switch(config-if)# switchport port-security
Port security is enabled on an interface via this simple command.
Set Maximum Allowable MAC Addresses
Set the number of concurrent MAC addresses allowable on the port.
Switch(config-if)# switchport port-security maximum value
Default = 1
Highest valid value depends upon the platform (for C4500, max is 1024)
These addresses can be configured explicitly or can be learned dynamically (more next slide).
Default: As expected, addresses are learned dynamically from the source MAC within the frames received on that interface.
Statically Configuring MAC Addresses
Switch(config-if)# switchport port-security mac-address mac-address
Allowable MAC address values are learned dynamically by default, but they can be statically configured using this command.
If the number of statically configured addresses is less than the allowable maximum in effect for the port (as discussed on the previous slide), the remaining ones are learned dynamically.
Enabling Sticky MAC Addresses
Sw(config-if)# switchport port-security mac-address sticky [MAC-address]
You can also configure sticky learning of addresses:
Dynamically learned (manual configuration is possible by providing the optional MAC-address value, but this is not recommended)
Stored in the MAC address table
Added to the running-config
If the running-config is copied to the startup-config thereafter, learned addresses will survive reboots. Otherwise, they would be lost at reboot time.
At the time this command is given, all dynamically learned MACs are converted to sticky secure MAC addresses.
If sticky learning is disabled (via the no form of this command), any sticky secure MAC addresses in the running-config at that time are converted to dynamic secure ones.
Configuring MAC Address Aging
Switch(config-if)# switchport port-security aging time value
Sets the duration after which learned non-sticky MAC addresses are aged out.
A value of 0 is the default, meaning NO aging.
Sw(config-if)# switchport port-security aging type {absolute | inactivity}
Sets the manner of aging: absolute aging (the default) means aged out from the time the address is first learned, whereas inactivity means aged out only after no traffic has been seen from the address for the configured time.
Sw(config-if)# switchport port-security aging static
Specifies that statically configured secure MAC addresses should also be aged. Without this, only dynamically learned MACs are aged. Sticky MAC addresses are never aged out.
Port Security: Violation
If the station attempting to access the port is different from any of the identified secure MAC addresses, a security violation occurs.
Port Security: Violation
Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}
If the maximum number of secure addresses has been reached and a new MAC address attempts to access the port, the switch must take one of the following actions:
Protect: Port is allowed to stay up
Frames from the nonallowed address are dropped
There is no log of the violation
Restrict: Port is allowed to stay up
Frames from the nonallowed address are dropped
A log message is created, and a Simple Network Management Protocol (SNMP) trap and syslog message of the violation are kept/sent.
Shutdown (default): Port is put into the Errdisable state, which effectively shuts down the port.
Frames from a nonallowed address: a log entry is made and an SNMP trap is sent.
Interface must be re-enabled manually (shutdown > no shutdown).
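The following model ties the CAM-table flooding slides to the port-security violation modes above: a switch learns source MACs until its table is full, after which frames to an unlearned host are flooded, and the attacker's port sees them unless port security caps that port. This is an added example written for this chapter, not Cisco code; the Switch/PortSecurity classes, port numbers and the constructed "badNNNN" MACs are assumptions for illustration.

```python
"""Model of a switch CAM table under a MAC flood, with and without port
security. Added example for this chapter, not Cisco code. The class and
function names, port numbers and the 'badNNNN' MACs are constructed."""
from dataclasses import dataclass, field


@dataclass
class PortSecurity:
    """Per-port state set by switchport port-security maximum / violation."""
    maximum: int = 1                 # default: one secure address per port
    violation: str = "shutdown"      # protect | restrict | shutdown (default)
    secure_macs: set = field(default_factory=set)
    violations: int = 0              # the "Security Violation count"
    errdisabled: bool = False
    log: list = field(default_factory=list)


class Switch:
    def __init__(self, num_ports: int, cam_capacity: int):
        self.num_ports = num_ports
        self.cam_capacity = cam_capacity   # real tables: ~1,024 to 16,000+ entries
        self.cam = {}                      # source MAC -> port
        self.port_security = {}            # port -> PortSecurity

    def enable_port_security(self, port: int, maximum: int = 1,
                             violation: str = "shutdown") -> None:
        self.port_security[port] = PortSecurity(maximum=maximum, violation=violation)

    def _port_security_allows(self, port: int, src: str) -> bool:
        """Apply the violation action; True if the frame may be processed."""
        ps = self.port_security.get(port)
        if ps is None:
            return True                    # no port security on this port
        if ps.errdisabled:
            return False                   # port was shut down by a violation
        if src in ps.secure_macs:
            return True
        if len(ps.secure_macs) < ps.maximum:
            ps.secure_macs.add(src)        # dynamically learned secure MAC
            return True
        # A new source beyond the maximum is a security violation.
        if ps.violation == "restrict":
            ps.violations += 1
            ps.log.append(f"port {port}: violation by {src} (syslog + SNMP trap)")
        elif ps.violation == "shutdown":
            ps.violations += 1
            ps.log.append(f"port {port}: err-disabled after violation by {src}")
            ps.errdisabled = True
        # protect: the frame is dropped silently and nothing is logged
        return False

    def receive(self, port: int, src: str, dst: str) -> list:
        """Process one frame and return the egress ports it is sent out of."""
        if not self._port_security_allows(port, src):
            return []                      # frame dropped
        if src in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[src] = port           # learn or refresh the source
        # Otherwise the table is full and the new valid source is not accepted.
        if dst in self.cam:
            return [self.cam[dst]]         # known unicast: one port only
        # Unknown unicast (or broadcast): flood out every other port.
        return [p for p in range(1, self.num_ports + 1) if p != port]


def flood_demo(secure_attacker_port: bool) -> dict:
    """An attacker on port 6 floods bogus sources. Does 1111's reply to a new
    host 4444 still leak out of port 6? Returns the observable results."""
    sw = Switch(num_ports=8, cam_capacity=1024)
    if secure_attacker_port:
        sw.enable_port_security(6, maximum=1, violation="restrict")
    sw.receive(1, "1111", "3333")          # abbreviated MACs as on the slides
    sw.receive(3, "3333", "1111")
    for i in range(2000):                  # macof-style flood, constructed MACs
        sw.receive(6, f"bad{i:04x}", "ffff")
    sw.receive(4, "4444", "1111")          # a new legitimate host appears
    reply_ports = sw.receive(1, "1111", "4444")
    ps = sw.port_security.get(6)
    return {
        "cam_entries": len(sw.cam),
        "reply_ports": reply_ports,
        "attacker_sees_reply": 6 in reply_ports,
        "violations": ps.violations if ps else 0,
    }


if __name__ == "__main__":
    print("no port security :", flood_demo(False))
    print("port security on :", flood_demo(True))
```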
Port Security: Basic Configuration Steps
Port Security Example: Static Addresses
Switch(config)# interface fa 0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 3
Switch(config-if)# switchport port-security mac-address 0000.0000.000a
Switch(config-if)# switchport port-security mac-address 0000.0000.000b
Switch(config-if)# switchport port-security mac-address 0000.0000.000c
Restricts input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port.
The port does not forward packets with source addresses outside the group of defined addresses.
Port Security: Verify
Switch# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  Sec Violation  Sec Action
               (Count)       (Count)        (Count)
----------------------------------------------------------------------
Fa5/1             11           11              0        Shutdown
Fa5/5             15            5              0        Restrict
Fa5/11             5            4              0        Protect
----------------------------------------------------------------------
Total Addresses in System: 21
Max Addresses limit in System: 128
Port Security: Verify
Switch# show port-security interface type mod/port
Displays security information for a specific interface.
Switch# show port-security interface fastethernet 5/1
Port Security: Enabled
Port status: SecureUp
Violation mode: Shutdown
Maximum MAC Addresses: 11
Total MAC Addresses: 11
Configured MAC Addresses: 3
Aging time: 20 mins
Aging type: Inactivity
SecureStatic address aging: Enabled
Security Violation count: 0
Port Security: Verify
Switch# show port-security address
Displays MAC address table security information.
Secure Mac Address Table
------------------------------------------------------------------
Vlan  Mac Address     Type              Ports   Remaining Age (mins)
----  -----------     ----              -----   --------------------
1     0001.0001.0001  SecureDynamic     Fa5/1   15 (I)
1     0001.0001.0002  SecureDynamic     Fa5/1   15 (I)
1     0001.0001.1111  SecureConfigured  Fa5/1   16 (I)
1     0001.0001.1112  SecureConfigured  Fa5/1   -
1     0001.0001.1113  SecureConfigured  Fa5/1   -
1     [unreadable]    SecureConfigured  Fa5/5   [unreadable]
1     0005.0005.0002  SecureConfigured  Fa5/5   23
1     0005.0005.0003  SecureConfigured  Fa5/5   23
1     0011.0011.0001  SecureConfigured  Fa5/11  25 (I)
1     0011.0011.0002  SecureConfigured  Fa5/11  25 (I)
-------------------------------------------------------------------
Total Addresses in System: 10
Max Addresses limit in System: 128
(I) = inactivity aging configured
Port Authentication
[Figure: client and switch exchange EAPOL; once authenticated, normal traffic passes.]
Cisco Catalyst switches can support port-based authentication, which is a combination of:
AAA authentication
Port security
Based on the IEEE 802.1x standard, which defines a client-server-based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports.
Until the client is authenticated, 802.1X access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the client is connected.
The authentication server authenticates each client connected to a switch port before making available any services offered by the switch or the LAN.
After authentication is successful, normal traffic can pass through the port.
Port Authentication
Client or server can initiate the 802.1x session.
Switch port starts off in the unauthorized state: EAPOL traffic only, no data traffic.
If the client supports 802.1x but the switch does not, the client abandons 802.1x and communicates normally.
The manner in which 802.1x is enabled at the client is OS-specific.
If the switch supports 802.1x but the client does not, the switch port remains in the unauthorized state and will not forward any traffic from the client.
Authorized state ends and reverts back to the unauthorized state when:
User logs out (client sends EAPOL-logoff message)
Switch times out the user's authorized session due to inactivity
Port's link state transitions from up to down
Port Authentication
Port-based authentication can be handled by one or more RADIUS (Remote Authentication Dial-In User Service) servers.
Note: Cisco does have other authentication methods (TACACS) but only RADIUS is supported for 802.1x.
Configuring 802.1x on the switch
1. Enable AAA on the switch (disabled by default)
Switch(config)# aaa new-model
2. Define the RADIUS servers
Switch(config)# radius-server host {hostname | ip-address} [key string]
3. Define the authentication method
Switch(config)# aaa authentication dot1x default group radius
Causes all RADIUS authentication servers that are defined on the switch (previous step) to be used for 802.1x authentication.
4. Enable 802.1x on the switch (disabled by default)
Switch(config)# dot1x system-auth-control
Configuring 802.1x on the switch
5. Configure each switch port that will use 802.1x
Switch(config)# interface type mod/num
Switch(config-if)# dot1x port-control {force-authorized | force-unauthorized | auto}
force-authorized (default): Port is forced to authorize the connected client. No authentication necessary: disables 802.1X and causes the port to transition to the authorized state without any authentication exchange required. The port transmits and receives normal traffic without 802.1X-based authentication of the client.
force-unauthorized: Port is forced to never authorize any connected client. Causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate. Port cannot send normal user traffic.
auto: Port uses an 802.1x exchange (EAPOL) to move from the unauthorized to the authorized state. Requires the client to be 802.1x capable.
Configuring 802.1x on the switch
6. Allow multiple hosts on a switch port
If a switch is connected to another switch or a hub, 802.1x allows for all hosts on that port to receive the same authentication method.
Switch(config)# interface type mod/num
Switch(config-if)# dot1x host-mode multi-host
Verify: show dot1x all
Configuring 802.1x on the switch
[Figure: RADIUS server at 172.30.10.100; ports fa 0/1 - 40 in VLAN 10 use 802.1x.]
Switch(config)# aaa new-model
Switch(config)# radius-server host 172.30.10.100 key BigSecret
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# dot1x system-auth-control
Switch(config)# interface range fa 0/1 - 40
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport mode access
Switch(config-if)# dot1x port-control auto
VLAN Attacks
VLAN Hopping Attacks
With trunking protocols comes the possibility of rogue traffic hopping from one VLAN to another.
This creates security vulnerabilities. These VLAN hopping attacks are best mitigated by close control of trunk links:
VLAN Access Control Lists (VACLs)
Private VLANs (pVLANs).
Explaining VLAN Hopping
VLAN hopping: an attack where an end system sends packets to, or collects packets from, a VLAN that should not be accessible to that end system.
This is done by:
Switch spoofing
Double tagging
VLAN Hopping: Switch Spoofing
[Figure: the attacking host presents itself to the switch port as "I'm a switch".]
Attacker configures a system to spoof itself as a switch by emulating:
802.1Q signaling
Dynamic Trunking Protocol (DTP) signaling
Attacking system spoofs itself as a legitimate trunk negotiating device.
Trunk link is negotiated dynamically.
Attacking device gains access to data on all VLANs carried by the negotiated trunk.
VLAN Hopping: switchport mode access
Switch(config)#interface range fa 0/11 - 15
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 10
Both of these commands should be used for access ports:
switchport mode access
switchport access vlan n
VLAN Hopping: no switchport mode access
Switch(config)#interface range fa 0/11 - 15
Switch(config-if-range)#switchport access vlan 10
Switch(config-if-range)#end
Switch#show interface fa 0/11 switchport
Name: Fa0/11
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 10 (Accounting)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Without the switchport mode access command, this interface will
still try to negotiate trunking.
VLAN Hopping: switchport mode access
Now configure the range of interfaces for permanent non-trunking, access mode.
Switch(config)#interface range fa 0/11 - 15
Switch(config-if-range)#switchport mode access
Switch#show interface fa 0/11 switchport
Name: Fa0/11
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 10 (Accounting)
Notice that negotiation of trunking has been turned off and that this port will only be a non-trunking access port.
VLAN Hopping with Double Tagging
Conditions for this exploit:
Attacker is on an access port on VLAN x.
The ingress switch has an 802.1q trunk for which the native VLAN is x (the same as the attacker's access VLAN).
VLAN Hopping with Double Tagging
[Figure: attacker's access port and an 802.1Q trunk with native VLAN 10.]
Double tagging allows a frame to be forwarded to a destination VLAN other than the source's VLAN. The attacker's workstation generates frames with two 802.1Q headers.
The switch is fooled into forwarding the frames onto a VLAN that would otherwise be inaccessible to the attacker through legitimate means.
VLAN Hopping with Double Tagging
[Figure: 802.1Q trunk, native VLAN 10.]
The first switch strips the first tag off the frame because the first tag (VLAN 10) matches the trunk's native VLAN ID. The frame is forwarded with the inner 802.1Q tag.
The second switch then forwards the packet to the destination based on the VLAN identifier within the second 802.1Q header.
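The two-hop walk described above can be modelled without any packets on the wire: tags are just a list of VLAN IDs, and the model walks a frame through the attacker's access port, the trunk egress (native VLAN sent untagged) and the second switch's trunk ingress. It shows why the trunk hardening later in this section (native VLAN moved to an unused VLAN) stops the hop. This is an added example written for this chapter, not Cisco code; the Frame class, function names and VLAN numbers are assumptions for illustration (the slides use native VLAN 10).

```python
"""Model of how a double-tagged frame crosses an 802.1Q trunk and why setting
the trunk's native VLAN to an unused VLAN stops the hop. Added example for
this chapter, not Cisco code: the Frame class, the function names and the
VLAN numbers are constructed for illustration (the slides use native VLAN 10)."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Frame:
    tags: list          # 802.1Q VLAN IDs, outermost first; [] means untagged
    payload: str


def access_ingress(frame: Frame, access_vlan: int) -> Optional[Tuple[int, Frame]]:
    """Access port: the frame belongs to the port's VLAN. A tag equal to that
    VLAN is accepted and removed; a tag for any other VLAN is dropped (None).
    Whatever follows the outer tag stays in the frame as ordinary payload."""
    if frame.tags and frame.tags[0] != access_vlan:
        return None
    return access_vlan, Frame(frame.tags[1:], frame.payload)


def trunk_egress(vlan: int, frame: Frame, native: int, allowed: set) -> Optional[Frame]:
    """Send out an 802.1Q trunk: native-VLAN traffic leaves untagged, every
    other VLAN gets a tag pushed on the front (allowed list enforced)."""
    if vlan not in allowed:
        return None
    if vlan == native:
        return Frame(list(frame.tags), frame.payload)   # untagged on the wire
    return Frame([vlan] + frame.tags, frame.payload)


def trunk_ingress(frame: Frame, native: int, allowed: set) -> Optional[Tuple[int, Frame]]:
    """Receive on a trunk: an untagged frame is placed in the native VLAN,
    otherwise the outer tag names the VLAN and is popped."""
    if not frame.tags:
        vlan, rest = native, []
    else:
        vlan, rest = frame.tags[0], frame.tags[1:]
    if vlan not in allowed:
        return None
    return vlan, Frame(rest, frame.payload)


def deliver(attacker_vlan: int, trunk_native: int, allowed: set, frame: Frame) -> Optional[int]:
    """Walk a frame from the attacker's access port, across the trunk, into the
    second switch. Returns the VLAN it is finally delivered in, or None if dropped."""
    step = access_ingress(frame, attacker_vlan)
    if step is None:
        return None
    vlan, inner = step
    on_wire = trunk_egress(vlan, inner, trunk_native, allowed)
    if on_wire is None:
        return None
    step = trunk_ingress(on_wire, trunk_native, allowed)
    return None if step is None else step[0]


# Constructed sample input: outer tag 10 (the attacker's own VLAN), inner tag 20.
DOUBLE_TAGGED = Frame(tags=[10, 20], payload="constructed payload")
NORMAL = Frame(tags=[], payload="constructed payload")


def compare_native_vlan() -> dict:
    """The same double-tagged frame under two trunk configurations."""
    return {
        # Native VLAN equals the attacker's access VLAN: the outer tag is
        # stripped on egress and the second switch reads the inner tag.
        "native_is_access_vlan": deliver(10, 10, {1, 10, 20}, DOUBLE_TAGGED),
        # Native VLAN 2 is unused: VLAN 10 traffic stays tagged 10 across the
        # trunk, so the second switch keeps the frame in VLAN 10.
        "native_is_unused_vlan": deliver(10, 2, {2, 10, 20, 99}, DOUBLE_TAGGED),
        "normal_frame_unused_native": deliver(10, 2, {2, 10, 20, 99}, NORMAL),
    }


if __name__ == "__main__":
    print(compare_native_vlan())
```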
Mitigating VLAN Hopping: Access Ports
Switch(config)#interface range fa 0/11 - 15
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 10
Switch(config)#interface range fa 0/16 - 17
Switch(config-if-range)#shutdown
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 999
Access ports: configure them as non-trunking access ports so that a trunk cannot be negotiated across those links.
Place all unused ports:
In the shutdown state
Associated with a VLAN designed only for unused ports, carrying no user data traffic
Mitigating VLAN Hopping:
Trunk Ports
Switch(config)#interface gig 0/1
Switch(config-if-range)#switchport mode trunk
Switch(config-if-range)#switchport trunk native vlan 2
Switch(config-if-range)#switchport trunk allowed vlan 2,10,20,99
11W NET3011 2011, David Bray, Algonquin College, Rick Graziani, Cisco Systems, Inc. All rights reserved. 57
Trunk Ports Trunking as on, rather than negotiated
The native VLAN to be different from any data VLANs (VLAN 1 is thedefault)
Specify the allowable VLAN range to be carried on the trunk
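The double-tagging frame traced through both trunk configurations above. This is an added example, not part of the course slides or Cisco IOS: it models in Python the relevant 802.1Q behaviour of an access port and a trunk; the frame contents, MAC addresses and helper names (build_frame, deliver and so on) are assumptions made here, only the VLAN numbers come from the slides.

```python
"""Added example, not from the course slides: build a double-tagged 802.1Q
frame and trace it from the attacker's access port across the trunk, first
with the trunk's native VLAN equal to the attacker's access VLAN (VLAN 10,
as on the slide) and then with the native VLAN moved to the unused VLAN 2
from the mitigation above.  The MACs and payload are constructed."""
import struct

TPID_8021Q = 0x8100


def build_frame(dst_mac, src_mac, vlans, ethertype, payload):
    """Ethernet frame carrying one 802.1Q tag per entry in vlans (outermost first)."""
    hdr = dst_mac + src_mac
    for vid in vlans:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # PCP=0, DEI=0
    return hdr + struct.pack("!H", ethertype) + payload


def strip_outer_tag(frame):
    """Return (vlan_id, frame without the outermost tag), or (None, frame) if untagged."""
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None, frame
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, frame[:12] + frame[16:]


def access_port_ingress(frame, access_vlan):
    """Access port: untagged frames join the access VLAN; a tag equal to the
    access VLAN is accepted and removed; any other tag is dropped.  Whatever
    follows the removed tag (here the attacker's inner tag) is just payload."""
    vid, inner = strip_outer_tag(frame)
    if vid is None:
        return access_vlan, frame
    if vid == access_vlan:
        return access_vlan, inner
    return None, None


def trunk_egress(vlan, frame, native_vlan):
    """Trunk transmit: tag the frame with its VLAN, except the native VLAN goes untagged."""
    if vlan == native_vlan:
        return frame
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vlan) + frame[12:]


def trunk_ingress(frame, native_vlan):
    """Trunk receive: a tagged frame belongs to its tag, an untagged one to the native VLAN."""
    vid, inner = strip_outer_tag(frame)
    if vid is None:
        return native_vlan, frame
    return vid, inner


def deliver(frame, attacker_access_vlan, trunk_native_vlan):
    """VLAN in which the second switch forwards the frame, or None if dropped."""
    vlan, f = access_port_ingress(frame, attacker_access_vlan)
    if vlan is None:
        return None
    on_wire = trunk_egress(vlan, f, trunk_native_vlan)
    vlan_at_sw2, _ = trunk_ingress(on_wire, trunk_native_vlan)
    return vlan_at_sw2


# Constructed attacker frame: outer tag 10 (its own VLAN), inner tag 20 (the target VLAN).
ATTACK_FRAME = build_frame(b"\xff" * 6, b"\x00\x11\x22\x33\x44\x55", [10, 20], 0x0800, b"hop")

if __name__ == "__main__":
    print("native VLAN 10:", deliver(ATTACK_FRAME, 10, 10))  # 20: frame hopped into VLAN 20
    print("native VLAN 2: ", deliver(ATTACK_FRAME, 10, 2))   # 10: stays in the attacker's VLAN
```

deliver() returns 20 while the native VLAN is left at 10 (the attacker's VLAN) and 10 once the native VLAN is moved to VLAN 2, which is the property the trunk-port configuration above relies on. Tagging the native VLAN on every trunk (the global vlan dot1q tag native command) closes the same hole without depending on VLAN numbering.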
Types of ACLs

Access control lists (ACLs) are useful for controlling access in a multilayer switched network. This topic describes VACLs and their purpose as part of VLAN security.

Cisco Systems multilayer switches support three types of ACLs:

Router access control lists (RACLs):
  Supported in the TCAM hardware on Cisco multilayer switches.
  In Catalyst switches, a RACL can be applied to any routed interface, such as a switch virtual interface (SVI) or a Layer 3 routed port.

Port access control lists (PACLs):
  Filter traffic at the port level. PACLs can be applied on a Layer 2 switch port, trunk port, or EtherChannel port.
  Allow Layer 3 filtering on Layer 2 ports.

VACLs:
  VACLs, also known as VLAN access maps, apply to all traffic in a VLAN.
  VACLs support filtering based on Ethertype and MAC addresses. VACLs are order-sensitive, similar to Cisco IOS-based route maps.
  VACLs are capable of controlling traffic flowing within the VLAN (switched traffic), whereas RACLs control only routed traffic.
VACLs

1. Define a VLAN access map.
Switch(config)# vlan access-map map_name [seq#]

VACLs (a.k.a. VLAN access maps) apply to all traffic on the VLAN, both IP traffic and MAC-layer traffic.
VACLs follow route-map conventions, in which map entries are checked in sequence-number order.
First, define the VLAN access map. If you don't specify a sequence number, the first map entry is automatically numbered 10.

2. Configure a match clause.
Switch(config-access-map)# match {ip address {1-199 | 1300-2699 | acl_name} | ipx address {800-999 | acl_name} | mac address acl_name}

Once you have entered the vlan access-map command, you can enter match and action commands in access-map configuration mode.

3. Configure an action clause.
Switch(config-access-map)# action {drop [log]} | {forward [capture]} | {redirect {{fastethernet | gigabitethernet | tengigabitethernet} slot/port} | {port-channel channel_id}}

Each access-map entry has a list of match and action commands associated with it.
The match commands specify the match criteria: the conditions that should be tested to determine whether or not to take the action.
The action commands specify the actions to perform if the match criteria are met.
VLAN Map Configuration Guidelines

If there is no ACL configured to deny traffic on a routed VLAN interface (input or output), and no VLAN map is configured, all traffic is permitted.
The order of entries in a VLAN map is important.
  A frame that comes into the switch is tested against the first entry in the VLAN map.
  If it matches, the action specified for that entry of the VLAN map is taken.
  If there is no match, the packet is tested against the next entry in the map.
If the VLAN map has at least one match clause for the type of packet (IP or MAC) and the packet does not match any of these match clauses, the default is to drop the packet.
If there is no match clause for that type of packet in the VLAN map, the default is to forward the packet.
An entry with an action but no match clause matches every packet, so an action forward entry at the end of the map turns the drop default into an explicit forward.
VACLs

Don't worry, several examples will help show how this works.

Configuring VACLs

1. Define a VLAN access map.
Switch(config)# vlan access-map map_name [seq#]

2. Configure a match clause.
Switch(config-access-map)# match {ip address {1-199 | 1300-2699 | acl_name} | ipx address {800-999 | acl_name} | mac address acl_name}

3. Configure an action clause.
Switch(config-access-map)# action {drop [log]} | {forward [capture]} | {redirect {{fastethernet | gigabitethernet | tengigabitethernet} slot/port} | {port-channel channel_id}}

4. Apply the map to one or more VLANs.
Switch(config)# vlan filter map_name vlan-list list
Example 1

Drop all traffic from network 10.1.9.0/24 on VLANs 10 and 20, drop all traffic to the backup server 0000.1111.4444, and forward everything else (entry 30 has no match clause, so it matches all remaining traffic).
Note: on Catalyst 3560/3750-class switches a MAC ACL in a VLAN map is applied to non-IP frames only, so entry 20 does not block IP traffic to the backup server; an IP extended ACL matching the server's IP address is needed for that.

Switch(config)# access-list 100 permit ip 10.1.9.0 0.0.0.255 any
Switch(config)# mac access-list extended BACKUP_SERVER
Switch(config-ext-macl)# permit any host 0000.1111.4444
Switch(config)# vlan access-map XYZ 10
Switch(config-access-map)# match ip address 100
Switch(config-access-map)# action drop
Switch(config)# vlan access-map XYZ 20
Switch(config-access-map)# match mac address BACKUP_SERVER
Switch(config-access-map)# action drop
Switch(config)# vlan access-map XYZ 30
Switch(config-access-map)# action forward
Switch(config)# vlan filter XYZ vlan-list 10,20
Example 2

Drop packets with a source IP in 10.1.0.0/16 in VLANs 1-4094; forward everything else. Entry 20 has no match clause, so it matches every remaining packet, IP or not: the drop default for unmatched IP packets never applies in this map.

Switch(config)# access-list 1 permit 10.1.0.0 0.0.255.255
Switch(config)# vlan access-map Check-10-1 10
Switch(config-access-map)# match ip address 1
Switch(config-access-map)# action drop
Switch(config)# vlan access-map Check-10-1 20
Switch(config-access-map)# action forward
Switch(config)# vlan filter Check-10-1 vlan-list 1-4094
FYI Example 3

Forward all UDP packets; drop all IGMP packets; forward all TCP packets. (Default) Drop all other IP packets: the VLAN map has at least one IP match clause (101, igmp-match, tcp-match) and no action-only entry. (Default) Forward all non-IP frames: there is no MAC match clause.

Switch(config)# access-list 101 permit udp any any
Switch(config)# ip access-list extended igmp-match
Switch(config-ext-nacl)# permit igmp any any
Switch(config)# ip access-list extended tcp-match
Switch(config-ext-nacl)# permit tcp any any
Switch(config)# vlan access-map drop-ip-default 10
Switch(config-access-map)# match ip address 101
Switch(config-access-map)# action forward
Switch(config)# vlan access-map drop-ip-default 20
Switch(config-access-map)# match ip address igmp-match
Switch(config-access-map)# action drop
Switch(config)# vlan access-map drop-ip-default 30
Switch(config-access-map)# match ip address tcp-match
Switch(config-access-map)# action forward
Switch(config)# vlan filter drop-ip-default vlan-list 10-501
FYI Example 4

Forward MAC frames from hosts 0000.0c00.0111 and 0000.0c00.0211; forward MAC frames carrying the decnet-iv or vines-ip protocols. (Default) Drop all other non-IP frames: the VLAN map has at least one MAC match clause (good-hosts, good-protocols). (Default) Forward all IP packets: there is no IP match clause.

Switch(config)# mac access-list extended good-hosts
Switch(config-ext-macl)# permit host 0000.0c00.0111 any
Switch(config-ext-macl)# permit host 0000.0c00.0211 any
Switch(config)# mac access-list extended good-protocols
Switch(config-ext-macl)# permit any any decnet-iv
Switch(config-ext-macl)# permit any any vines-ip
Switch(config)# vlan access-map drop-mac-default 10
Switch(config-access-map)# match mac address good-hosts
Switch(config-access-map)# action forward
Switch(config)# vlan access-map drop-mac-default 20
Switch(config-access-map)# match mac address good-protocols
Switch(config-access-map)# action forward
Switch(config)# vlan filter drop-mac-default vlan-list 10-501
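An evaluator for the VLAN access-map rules given in the configuration guidelines, run against Examples 2, 3 and 4. This is an added example, not code from the course or from Cisco IOS: the Acl and VlanAccessMap classes, the predicate helpers and the constructed packets are assumptions made here; the map names, sequence numbers, actions and addresses are the ones used in the examples.

```python
"""Added example, not from the course slides: an evaluator for the VLAN
access-map semantics in the configuration guidelines, checked against
Examples 2, 3 and 4.  ACLs are modelled as ordered permit/deny predicates
over constructed packet dictionaries."""
import ipaddress


class Acl:
    """Ordered permit/deny rules with an implicit deny; kind is 'ip' or 'mac'."""

    def __init__(self, kind):
        self.kind = kind
        self.rules = []

    def permit(self, pred):
        self.rules.append((True, pred))
        return self

    def deny(self, pred):
        self.rules.append((False, pred))
        return self

    def matches(self, pkt):
        for is_permit, pred in self.rules:
            if pred(pkt):
                return is_permit
        return False


class VlanAccessMap:
    """Entries are tested in sequence order; an entry without a match clause matches everything."""

    def __init__(self, name):
        self.name = name
        self.entries = []  # (seq, acl or None, action)

    def entry(self, seq, action, match=None):
        self.entries.append((seq, match, action))
        self.entries.sort(key=lambda e: e[0])
        return self

    def evaluate(self, pkt):
        """Return (action, matching sequence number), or (default action, None)."""
        for seq, acl, action in self.entries:
            if acl is None or (acl.kind == pkt["type"] and acl.matches(pkt)):
                return action, seq
        # No entry matched.  Default is drop only if the map has a match clause
        # for this packet type (IP or MAC); otherwise the packet is forwarded.
        has_clause_for_type = any(a is not None and a.kind == pkt["type"] for _, a, _ in self.entries)
        return ("drop" if has_clause_for_type else "forward"), None


# Predicates standing in for ACL entries, and constructed packets.
def src_in(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda p: ipaddress.ip_address(p["src"]) in net

def proto(name):
    return lambda p: p.get("proto") == name

def mac_src(mac):
    return lambda p: p["src"] == mac

def ip_pkt(src, proto_name):
    return {"type": "ip", "src": src, "proto": proto_name}

def mac_frame(src, proto_name):
    return {"type": "mac", "src": src, "proto": proto_name}


def example2():
    acl1 = Acl("ip").permit(src_in("10.1.0.0/16"))           # access-list 1 permit 10.1.0.0 0.0.255.255
    return VlanAccessMap("Check-10-1").entry(10, "drop", acl1).entry(20, "forward")

def example3():
    udp = Acl("ip").permit(proto("udp"))                      # access-list 101 permit udp any any
    igmp = Acl("ip").permit(proto("igmp"))                    # ip access-list extended igmp-match
    tcp = Acl("ip").permit(proto("tcp"))                      # ip access-list extended tcp-match
    return (VlanAccessMap("drop-ip-default")
            .entry(10, "forward", udp).entry(20, "drop", igmp).entry(30, "forward", tcp))

def example4():
    hosts = Acl("mac").permit(mac_src("0000.0c00.0111")).permit(mac_src("0000.0c00.0211"))
    protos = Acl("mac").permit(proto("decnet-iv")).permit(proto("vines-ip"))
    return VlanAccessMap("drop-mac-default").entry(10, "forward", hosts).entry(20, "forward", protos)


if __name__ == "__main__":
    for vmap, pkt in [(example2(), ip_pkt("10.1.9.7", "tcp")), (example2(), ip_pkt("192.0.2.9", "tcp")),
                      (example3(), ip_pkt("192.0.2.9", "icmp")), (example4(), mac_frame("0000.0c00.0999", "appletalk"))]:
        print(vmap.name, pkt, "->", vmap.evaluate(pkt))
```

evaluate() returns the action together with the sequence number that matched, or None when the type-dependent default applied. The results to keep in mind: Example 2 forwards everything that is not from 10.1.0.0/16 because of its action-only entry 20, while Example 3 drops ICMP and Example 4 drops unlisted MAC protocols because neither of those maps has such an entry.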
Private VLANs (Quick Reminder)

Configuring pVLANs

Private VLANs require the switch to be in VTP transparent mode (VTP versions 1 and 2).

Switch(config)# vlan 200
Switch(config-vlan)# private-vlan community
Switch(config)# vlan 201
Switch(config-vlan)# private-vlan community
Switch(config)# vlan 300
Switch(config-vlan)# private-vlan isolated
Switch(config)# vlan 100
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association 200,201,300

Switch(config)# interface range fa 0/1 - 5
Switch(config-if-range)# switchport mode private-vlan promiscuous
Switch(config-if-range)# switchport private-vlan mapping 100 200,201,300

Switch(config)# interface range fa 0/10 - 12
Switch(config-if-range)# switchport mode private-vlan host
Switch(config-if-range)# switchport private-vlan host-association 100 200

Switch(config)# interface range fa 0/... (port range not legible in the source)
Switch(config-if-range)# switchport mode private-vlan host
Switch(config-if-range)# switchport private-vlan host-association 100 201

Switch(config)# interface range fa 0/20 - 25
Switch(config-if-range)# switchport mode private-vlan host
Switch(config-if-range)# switchport private-vlan host-association 100 300
Switch(config-if-range)# exit

Switch(config)# interface vlan 100
Switch(config-if)# private-vlan mapping 200,201,300

Map the secondary pVLANs to the SVI of the primary so that they can be routed.
Mitigating Other Attacks

DHCP Spoof Attacks

The DHCP spoofing device replies to client DHCP requests.
The intruder's DHCP reply offers:
  IP address/mask
  Default gateway
  Domain Name System (DNS) server
Clients will then forward packets to the attacking device, which will in turn send them to the desired destination.
This is referred to as a man-in-the-middle attack.
DHCP Review

(Diagram sequence, one slide per message)
DHCP Discover: Host: "I need an IP address." (broadcast)
DHCP Offer: Server: "I'll offer one to you."
DHCP Request: Host: "I'll take it."
DHCP ACK: Server: "It's all yours."
Successful DHCP completion.
DHCP Spoof Attacks

(Diagram)
Client: "I need an IP address, mask, default gateway, and DNS server."
Rogue server: "Here you go, I might be first!"
Legitimate server: "Here you go."
Client: "Got it, thanks!" (to whichever offer arrived first) ... "Already got the info." (the later offer is ignored)
Rogue: "I can now forward these on to my leader."
Result: all default-gateway frames and DNS requests are sent to the rogue.
DHCP Snooping

DHCP snooping is a Cisco Catalyst feature that determines which switch ports can respond to DHCP requests.
Ports are identified as trusted and untrusted.
  Trusted ports (toward the DHCP server) can source all DHCP messages.
  Untrusted ports can source requests only. If a rogue device on an untrusted port attempts to send a DHCP server response into the network, the switch drops it (a port is err-disabled only when a configured DHCP rate limit is exceeded).
A DHCP binding table is built for untrusted ports from the snooped exchanges: client MAC address, IP address, lease time, binding type, VLAN number and port ID are recorded.
From a DHCP snooping perspective, untrusted access ports should not send any DHCP server responses, such as DHCPOFFER, DHCPACK, or DHCPNAK.
DHCP Snooping

(Diagram)
Client: "I need an IP address/mask, default gateway, and DNS server."
Rogue (on an untrusted port): "Here you go, I might be first!"
Switch: "This is an untrusted port, I will block this DHCP Offer."
Legitimate server (on a trusted port): "Here you go."
Switch: "This is a trusted port, I will allow this DHCP Offer."
Client: "Thanks, got it."
Configuring DHCP Snooping

1. Enable DHCP snooping globally.
Switch(config)# ip dhcp snooping

2. Enable DHCP snooping on one or more VLANs.
Switch(config)# ip dhcp snooping vlan vlan-id [vlan-id]
By default, all switch ports in these VLANs are untrusted.

3. Configure at least one trusted port (the port toward the DHCP server or relay). Use the no form to revert to untrusted.
Switch(config)# interface type mod/num
Switch(config-if)# ip dhcp snooping trust

4. For untrusted ports, rate-limit DHCP traffic.
Switch(config-if)# ip dhcp snooping limit rate rate
Used to prevent starvation attacks by limiting the number of DHCP packets per second on an untrusted port; a port that exceeds the rate is err-disabled. Cisco recommends a rate below 100 pps on untrusted ports.
DHCP Snooping Example

By default all interfaces are untrusted; only the uplink Gig0/1 toward the DHCP server is trusted.

Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10 50
Switch(config)# interface fa 0/1
Switch(config-if)# ip dhcp snooping limit rate 20
Switch(config)# interface gig 0/1
Switch(config-if)# ip dhcp snooping trust
Verifying DHCP Snooping

Switch# show ip dhcp snooping
Verifies the DHCP snooping configuration.

Switch# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP Snooping is configured on the following VLANs:
10 30-40 50
Insertion of option 82 information is enabled.
Interface            Trusted   Rate limit (pps)
---------            -------   ----------------
GigabitEthernet0/1   yes       none
FastEthernet0/1      no        20
Switch#

Note the default "Insertion of option 82 information is enabled": a Layer 2 switch that inserts option 82 leaves giaddr at 0, an upstream switch running DHCP snooping drops option-82 packets that arrive on an untrusted port, and a relay router drops them unless it is configured with ip dhcp relay information trust-all. Either trust the inter-switch links or disable insertion with no ip dhcp snooping information option.
IP Source Guard

IP Source Guard is similar to DHCP snooping. It prevents traffic attacks caused when a host tries to use the IP address (spoofed address) of its neighbor.
IP Source Guard is configured on untrusted Layer 2 interfaces.
The switch blocks all IP traffic received on the interface, except for DHCP packets allowed by DHCP snooping, until a binding exists for the source.
IP Source Guard makes use of:
  the DHCP snooping binding database
  static IP source binding entries
IP Source Guard

If DHCP snooping is enabled, the switch learns the MAC and IP address of the hosts that use DHCP.
IP Source Guard is configured on untrusted Layer 2 interfaces.
  The source IP address must be identical to the IP address learned by DHCP snooping for that port.
  With the port-security option, the source MAC address must also be identical to the source MAC address learned by DHCP snooping and by the switch port (MAC address table).
For hosts that do not use DHCP, a static IP source binding can be configured.
If the source address does not match either of these, the switch drops the frame/packet.
IP Source Guard

(Diagram)
Host: "I got an IP address/mask from the DHCP server. Now I will pretend I am a different source IP address."
Switch: "This is an untrusted port with IP Source Guard. I checked my binding table and your source IP address does not match the one obtained via DHCP, so this traffic is denied!"
Configuring IP Source Guard

1. Enable DHCP snooping globally.
Switch(config)# ip dhcp snooping

2. Enable DHCP snooping on one or more VLANs.
Switch(config)# ip dhcp snooping vlan vlan-id [vlan-id]
By default, all switch ports in these VLANs are untrusted.

3. Enable IP Source Guard on one or more interfaces.
Switch(config)# interface type mod/num
Switch(config-if)# ip verify source [port-security]
The port-security option inspects the MAC address too; port security must also be enabled on the interface for the MAC check to take effect.

4. For hosts that do not use DHCP, configure static IP source bindings.
Switch(config)# ip source binding mac-address vlan vlan-id ip-address interface type mod/num
IP Source Guard Example

DHCP snooping, with the uplink Gig0/1 trusted:
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10 50
Switch(config)# interface gig 0/1
Switch(config-if)# ip dhcp snooping trust

IP Source Guard on the untrusted access port Fa0/1:
Switch(config)# interface fa0/1
Switch(config-if)# ip verify source
IP Source Guard with Static Bindings

This example shows how to enable IP Source Guard with static source IP and MAC filtering on VLANs 10 and 11. The interface named in each binding must be the port the host is actually attached to.

Switch(config)# interface fastethernet0/1
Switch(config-if)# ip verify source port-security
Switch(config)# ip source binding 0100.0022.0010 vlan 10 10.0.0.2 interface gigabitethernet0/1
Switch(config)# ip source binding 0100.0230.0002 vlan 11 10.0.0.4 interface gigabitethernet0/1
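The DHCP snooping and IP Source Guard behaviour described above, traced on one access switch. This is an added example, not code from the course or from Cisco IOS: the Port and SnoopingSwitch classes, the constructed DHCP messages and IP packets, the MAC addresses and the 10.0.0.0/24 addresses are assumptions made here; the port roles (Gig0/1 trusted, untrusted access ports with a 20 pps limit, ip verify source on Fa0/1 with the port-security option) follow the examples above. The check that a client's chaddr equals the frame's source MAC on untrusted ports is the IOS default ip dhcp snooping verify mac-address and is assumed on.

```python
"""Added example, not from the course slides: a model of DHCP snooping and
IP Source Guard on the access switch of the examples above (trusted uplink
Gig0/1, untrusted access ports with a 20 pps DHCP rate limit, ip verify
source on Fa0/1 with the port-security option).  DHCP messages and IP
packets are constructed dictionaries and time is an integer second."""
from collections import defaultdict

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


class Port:
    def __init__(self, name, trusted=False, rate_limit=None, verify_source=False, port_security=False):
        self.name, self.trusted, self.rate_limit = name, trusted, rate_limit
        self.verify_source, self.port_security = verify_source, port_security
        self.errdisabled = False
        self.dhcp_seen = defaultdict(int)  # second -> DHCP packets received


class SnoopingSwitch:
    def __init__(self, snooping_vlans):
        self.vlans = set(snooping_vlans)
        self.ports = {}
        self.pending = {}    # (vlan, client mac) -> port that sent the DISCOVER/REQUEST
        self.bindings = {}   # (vlan, ip) -> {"mac", "port", "lease"}  (show ip dhcp snooping binding)

    def add_port(self, port):
        self.ports[port.name] = port

    def add_static_binding(self, mac, vlan, ip, port_name):
        """ip source binding <mac> vlan <vlan> <ip> interface <port>"""
        self.bindings[(vlan, ip)] = {"mac": mac, "port": port_name, "lease": None}

    def dhcp_in(self, port_name, vlan, msg, now):
        """Snooping decision for one DHCP message: 'forward' or 'drop'."""
        port = self.ports[port_name]
        if port.errdisabled:
            return "drop"
        if vlan not in self.vlans:
            return "forward"                       # snooping not enabled for this VLAN
        if port.trusted:
            if msg["type"] == "ACK":               # lease confirmed: record the binding on the client's port
                client_port = self.pending.get((vlan, msg["chaddr"]))
                if client_port is not None:
                    self.bindings[(vlan, msg["yiaddr"])] = {
                        "mac": msg["chaddr"], "port": client_port, "lease": msg["lease"]}
            return "forward"
        # Untrusted port: rate limit first (starvation protection), then message checks.
        port.dhcp_seen[now] += 1
        if port.rate_limit is not None and port.dhcp_seen[now] > port.rate_limit:
            port.errdisabled = True
            return "drop"
        if msg["type"] in SERVER_MESSAGES:         # rogue server: OFFER/ACK/NAK never allowed in
            return "drop"
        if msg["chaddr"] != msg["src_mac"]:        # verify mac-address (assumed IOS default)
            return "drop"
        self.pending[(vlan, msg["chaddr"])] = port_name
        return "forward"

    def ip_in(self, port_name, vlan, pkt):
        """IP Source Guard decision for a non-DHCP IP packet."""
        port = self.ports[port_name]
        if port.errdisabled:
            return "drop"
        if not port.verify_source or port.trusted:
            return "forward"
        b = self.bindings.get((vlan, pkt["src_ip"]))
        if b is None or b["port"] != port_name:    # no binding for this IP on this port
            return "drop"
        if port.port_security and b["mac"] != pkt["src_mac"]:
            return "drop"
        return "forward"


def build_switch():
    sw = SnoopingSwitch(snooping_vlans=range(10, 51))          # ip dhcp snooping vlan 10 50
    sw.add_port(Port("Gig0/1", trusted=True))                  # ip dhcp snooping trust
    sw.add_port(Port("Fa0/1", rate_limit=20, verify_source=True, port_security=True))
    sw.add_port(Port("Fa0/2", rate_limit=20, verify_source=True))
    return sw


def scenario():
    """Constructed traffic: a legitimate lease on Fa0/1, a rogue server and a starvation flood on Fa0/2."""
    sw, r = build_switch(), {}
    client = "0011.2233.4455"
    r["discover"] = sw.dhcp_in("Fa0/1", 10, {"type": "DISCOVER", "src_mac": client, "chaddr": client}, now=0)
    r["rogue_offer"] = sw.dhcp_in("Fa0/2", 10, {"type": "OFFER", "src_mac": "dead.beef.0001",
                                                "chaddr": client, "yiaddr": "10.0.0.99"}, now=0)
    r["real_ack"] = sw.dhcp_in("Gig0/1", 10, {"type": "ACK", "src_mac": "0000.5e00.0001", "chaddr": client,
                                              "yiaddr": "10.0.0.2", "lease": 86400}, now=1)
    r["binding"] = sw.bindings.get((10, "10.0.0.2"))
    r["good_ip"] = sw.ip_in("Fa0/1", 10, {"src_ip": "10.0.0.2", "src_mac": client})
    r["spoofed_ip"] = sw.ip_in("Fa0/1", 10, {"src_ip": "10.0.0.4", "src_mac": client})
    r["spoofed_mac"] = sw.ip_in("Fa0/1", 10, {"src_ip": "10.0.0.2", "src_mac": "dead.beef.0002"})
    flood = [sw.dhcp_in("Fa0/2", 10, {"type": "DISCOVER", "src_mac": "00aa.bbcc.%04x" % i,
                                      "chaddr": "00aa.bbcc.%04x" % i}, now=5) for i in range(25)]
    r["flood_forwarded"] = flood.count("forward")
    r["fa0_2_errdisabled"] = sw.ports["Fa0/2"].errdisabled
    return r


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k:18} {v}")
```

scenario() returns the per-packet decisions: the rogue OFFER on an untrusted port is dropped before it reaches the client, the ACK on the trusted uplink creates the binding for Fa0/1, IP Source Guard then forwards only packets whose source IP (and, with the port-security option, source MAC) matches that binding, and a 25-packet DISCOVER burst on Fa0/2 err-disables the port after the twentieth packet. DHCP client traffic goes through dhcp_in() and is never subject to the IP Source Guard check, which is why a host can still obtain its lease on a port that blocks all other IP traffic.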
ARP Spoofing

ARP: A quick look

(Diagram: network 172.16.10.0/24. Host Stevens 172.16.10.10 /24, MAC 00-0C-04-17-91-CC; Host Cerf 172.16.10.25 /24, MAC 00-0C-04-38-44-AA; Router A Ethernet 0 172.16.10.1 /24, MAC 03-0D-17-8A-F1-32.)

Stevens' ARP table before the exchange:
172.16.10.3   00-0C-04-32-14-A1
172.16.10.19  00-0C-14-02-00-19
172.16.10.33  00-0C-A6-19-46-C1

1. Stevens has an IP packet for 172.16.10.25 but no entry for it: destination MAC address unknown, IP packet put on hold.
2. ARP Request (Layer 2 broadcast to all devices on the network): "Who has IP address 172.16.10.25? Please send me your MAC address."
3. Cerf: "Hey, that's me!" ARP Reply (Layer 2 unicast only to the sender of the ARP request): "Here is my MAC address."
4. Stevens: "I will add that to my ARP table (172.16.10.25  00-0C-04-38-44-AA) and now use the MAC address to forward the frame." The IP packet is no longer on hold and is sent to the destination.
ARP Spoofing

In normal ARP operation, a host sends a broadcast to determine the MAC address of a host with a particular IP address.
The device at that IP address replies with its MAC address. The originating host caches the ARP response, using it to populate the destination Layer 2 header of packets sent to that IP address.
By spoofing an ARP reply from a legitimate device with a gratuitous ARP, an attacking device appears to be the destination host sought by the senders.
The ARP reply from the attacker causes the sender to store the MAC address of the attacking system in its ARP cache.
All packets destined for those IP addresses will be forwarded through the attacker's system.
What is Gratuitous ARP?

(Diagram) Host B: "Hey everyone, I'm host A and my IP address is 10.1.1.2 and my MAC address is A.A.A.A."

Gratuitous ARP is used by hosts to "announce" their IP address to the local network in an effort to avoid duplicate IP addresses on the network. Routers and other network hardware may use cache information gained from gratuitous ARPs.
Gratuitous ARP is a broadcast packet (like an ARP request).
ARP has no security or ownership of IP or MAC addresses.

(Diagram) The attacker sends a gratuitous ARP every 5 seconds claiming the gateway's address 10.1.1.1 (real MAC C.C.C.C). Host A now does an ARP for 10.1.1.1: when the router replies, Host A adds it to its ARP table; when the attacker replies, Host A overwrites the entry with the attacker's MAC and sends its gateway-bound frames to the attacker.
Arpspoof in Action

Victim (Windows, 15.1.1.26) before the attack:
C:\>arp -d 15.1.1.1
C:\>ping -n 1 15.1.1.1
Pinging 15.1.1.1 with 32 bytes of data:
Reply from 15.1.1.1: bytes=32 time...
C:\>arp -a
Interface: 15.1.1.26 on Interface 2
Internet Address   Physical Address    Type
15.1.1.1           00-04-4e-f2-d8-01   dynamic
15.1.1.25          00-10-83-34-29-72   dynamic

Attacker (15.1.1.25, dsniff) claims the gateway's address with a stream of broadcast ARP replies:
[root@sconvery-lnx dsniff-2.3]# ./arpspoof 15.1.1.1
0:10:83:34:29:72 ff:ff:ff:ff:ff:ff 0806 42: arp reply 15.1.1.1 is-at 0:10:83:34:29:72
0:10:83:34:29:72 ff:ff:ff:ff:ff:ff 0806 42: arp reply 15.1.1.1 is-at 0:10:83:34:29:72
0:10:83:34:29:72 ff:ff:ff:ff:ff:ff 0806 42: arp reply 15.1.1.1 is-at 0:10:83:34:29:72
. . .

Victim after the attack, with the gateway entry now pointing at the attacker's MAC:
C:\>arp -a
Interface: 15.1.1.26 on Interface 2
Internet Address   Physical Address    Type
15.1.1.1           00-10-83-34-29-72   dynamic
15.1.1.25          00-10-83-34-29-72   dynamic
Dynamic ARP Inspection (DAI)

To prevent ARP spoofing or poisoning, a switch must ensure that only valid ARP requests and responses are relayed.
DAI at the switch prevents these attacks by intercepting and validating all ARP requests and responses.
Each intercepted ARP reply is verified for valid MAC-address-to-IP-address bindings before it is forwarded to a PC to update the ARP cache.
ARP replies coming from invalid devices are dropped.
DAI determines the validity of an ARP packet based on the valid MAC-address-to-IP-address bindings database built by DHCP snooping or static IP source bindings.
In addition, in order to handle hosts that use statically configured IP addresses, DAI can also validate ARP packets against user-configured ARP ACLs.

DAI associates each interface with a trusted state or an untrusted state.
  Trusted interfaces bypass all dynamic ARP inspection.
  Untrusted interfaces undergo DAI validation.
(Diagram) The port toward the router is trusted; the host and attacker ports are untrusted. The attacker keeps sending its gratuitous ARP for 10.1.1.1 every 5 seconds. Host A now does an ARP for 10.1.1.1 (MAC C.C.C.C): when the router replies through the trusted port, Host A adds it to its ARP table; when the attacker replies, the switch drops the packet.
Switch: "I am running DHCP snooping with DAI. This ARP reply is coming from an untrusted interface. I checked my database and it doesn't match. Drop it."
Configuring Dynamic ARP Inspection

1. Enable DAI on one or more VLANs.
Switch(config)# ip arp inspection vlan vlan-range

2. Configure trusted ports to override the untrusted default.
Switch(config)# interface type mod/num
Switch(config-if)# ip arp inspection trust

Once DAI is enabled on a VLAN, the switch monitors untrusted member ports to intercept and examine all ARP packets (requests and replies):
  Sender values are checked on requests, while both sender and target values are checked on replies.
  Packets with IP-to-MAC address bindings not found in the DHCP snooping table are logged and discarded.
Configuring Dynamic ARP Inspection

3. (Optional) Validate additional fields inside the frame. One or more command options must be chosen. Each such command overrides any previous setting.
Sw(config)# ip arp inspection validate {[src-mac] [dst-mac] [ip]}

src-mac: Check the source MAC address in the frame against the sender MAC address in the ARP packet.
  This check is performed on both ARP requests and replies. When enabled, packets with different MAC addresses are classified as invalid and dropped.
dst-mac: Check the destination MAC address in the frame against the target MAC address in the ARP reply.
  This check is performed for ARP replies ONLY. When enabled, packets with different MAC addresses are classified as invalid and dropped.
ip: Checks the ARP payload for invalid and unexpected IP addresses.
  Such addresses include 0.0.0.0, 255.255.255.255 and all IP multicast addresses.
  For ARP requests, the sender's IP address is validated.
  For ARP replies, both the sender's IP and the target's IP address fields are validated.
Dynamic ARP Inspection Example

Sw1(config)# ip arp inspection vlan 10-50
Sw1(config)# interface range gig 0/1 - 2
Sw1(config-if-range)# ip arp inspection trust

This example shows DAI enabled on SW1 for ports in VLANs 10 through 50.
All hosts are DHCP-configured. All member ports are untrusted by default. Only Gig0/1 and Gig0/2, which lead to the network core, are configured as trusted; the host ports (such as f0/1) stay untrusted.
ARP ACL for Dynamic ARP Inspection

4. For hosts that do not use DHCP, allowable MAC-IP bindings can be configured statically (as shown for DHCP snooping) or permitted via an ARP ACL.

4.1 Define the ARP ACL.
Switch(config)# arp access-list acl-name
Switch(config-acl)# permit ip host sender-ip mac host sender-mac

4.2 Apply the configured ARP ACL to DAI.
Switch(config)# ip arp inspection filter acl-name vlan vlan-range [static]

The ARP ACL is consulted first. If there is no match against the ARP ACL, the DHCP bindings database is still checked next.
However, if the static keyword is used, the DHCP bindings database will not be checked: in effect, this operates like an implicit deny statement at the end of the ARP ACL, so every DHCP-addressed host in those VLANs would have its ARP packets dropped.
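The DAI checks described above (trusted-port bypass, the src-mac, dst-mac and ip validations, the ARP ACL with and without the static keyword, and the fall-through to the DHCP snooping bindings), as an added example that is not code from the course or from Cisco IOS. The ArpAcl and DynamicArpInspection classes, the constructed ARP packets and the MAC addresses are assumptions made here; Host A 10.1.1.2, gateway 10.1.1.1, the trusted uplink Gig0/1 and the untrusted access ports follow the slides.

```python
"""Added example, not from the course slides: Dynamic ARP Inspection as
described above, with the binding database built by DHCP snooping, the
optional src-mac/dst-mac/ip validation checks and an ARP ACL for the
statically addressed gateway (with and without the static keyword).  ARP
packets, MACs and addresses are constructed."""
import ipaddress


def _invalid_ip(ip):
    return ip in ("0.0.0.0", "255.255.255.255") or ipaddress.ip_address(ip).is_multicast


class ArpAcl:
    """arp access-list: ordered permit/deny of (sender IP, sender MAC); 'any' wildcards."""

    def __init__(self):
        self.rules = []

    def permit(self, ip, mac):
        self.rules.append(("permit", ip, mac))
        return self

    def deny(self, ip, mac):
        self.rules.append(("deny", ip, mac))
        return self

    def lookup(self, ip, mac):
        for action, r_ip, r_mac in self.rules:
            if r_ip in (ip, "any") and r_mac in (mac, "any"):
                return action
        return None                                  # no explicit match


class DynamicArpInspection:
    def __init__(self, bindings, trusted_ports=(), validate=(), acl=None, acl_static=False):
        self.bindings = dict(bindings)               # sender IP -> MAC, from DHCP snooping
        self.trusted = set(trusted_ports)
        self.validate = set(validate)                # subset of {"src-mac", "dst-mac", "ip"}
        self.acl, self.acl_static = acl, acl_static  # ip arp inspection filter <acl> vlan ... [static]

    def inspect(self, port, pkt):
        """Return (verdict, reason) for an ARP packet received on port."""
        if port in self.trusted:
            return "forward", "trusted port, bypasses DAI"
        is_reply = pkt["op"] == "reply"
        if "src-mac" in self.validate and pkt["eth_src"] != pkt["sender_mac"]:
            return "drop", "src-mac: frame source != ARP sender MAC"
        if "dst-mac" in self.validate and is_reply and pkt["eth_dst"] != pkt["target_mac"]:
            return "drop", "dst-mac: frame destination != ARP target MAC"
        if "ip" in self.validate:
            checked = [pkt["sender_ip"]] + ([pkt["target_ip"]] if is_reply else [])
            if any(_invalid_ip(ip) for ip in checked):
                return "drop", "ip: invalid address in ARP body"
        if self.acl is not None:
            verdict = self.acl.lookup(pkt["sender_ip"], pkt["sender_mac"])
            if verdict == "permit":
                return "forward", "ARP ACL permit"
            if verdict == "deny":
                return "drop", "ARP ACL deny"
            if self.acl_static:                      # static: no ACL match is a deny, bindings not consulted
                return "drop", "ARP ACL implicit deny (static)"
        if self.bindings.get(pkt["sender_ip"]) == pkt["sender_mac"]:
            return "forward", "DHCP snooping binding match"
        return "drop", "no matching binding"


def arp(op, eth_src, eth_dst, sender_mac, sender_ip, target_mac, target_ip):
    return {"op": op, "eth_src": eth_src, "eth_dst": eth_dst, "sender_mac": sender_mac,
            "sender_ip": sender_ip, "target_mac": target_mac, "target_ip": target_ip}


HOST_A, GATEWAY, ATTACKER, BCAST = "aaaa.aaaa.aaaa", "cccc.cccc.cccc", "bbbb.bbbb.bbbb", "ffff.ffff.ffff"


def scenario(acl_static=False):
    dai = DynamicArpInspection(bindings={"10.1.1.2": HOST_A}, trusted_ports={"Gig0/1"},
                               validate={"src-mac", "dst-mac", "ip"},
                               acl=ArpAcl().permit("10.1.1.1", GATEWAY), acl_static=acl_static)
    return {
        # Router reply arrives on the trusted uplink.
        "router_reply": dai.inspect("Gig0/1", arp("reply", GATEWAY, HOST_A, GATEWAY, "10.1.1.1", HOST_A, "10.1.1.2")),
        # The same gateway placed on an untrusted port is allowed through by the ARP ACL.
        "gateway_via_acl": dai.inspect("Fa0/3", arp("reply", GATEWAY, HOST_A, GATEWAY, "10.1.1.1", HOST_A, "10.1.1.2")),
        # Host A asks for its gateway; sender fields match its DHCP binding.
        "host_request": dai.inspect("Fa0/1", arp("request", HOST_A, BCAST, HOST_A, "10.1.1.2", "0000.0000.0000", "10.1.1.1")),
        # Attacker's gratuitous reply claiming 10.1.1.1 (as arpspoof does), from an untrusted port.
        "attacker_garp": dai.inspect("Fa0/2", arp("reply", ATTACKER, BCAST, ATTACKER, "10.1.1.1", BCAST, "10.1.1.1")),
        # Attacker forges the gateway MAC inside the ARP body while the frame still carries its own MAC.
        "attacker_body_spoof": dai.inspect("Fa0/2", arp("reply", ATTACKER, BCAST, GATEWAY, "10.1.1.1", BCAST, "10.1.1.1")),
        # RFC 5227 address-conflict probe: sender IP 0.0.0.0 is rejected by the 'ip' validation.
        "probe_zero_sender": dai.inspect("Fa0/1", arp("request", HOST_A, BCAST, HOST_A, "0.0.0.0", "0000.0000.0000", "10.1.1.2")),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name:22} {result}")
    print("host_request with static ACL:", scenario(acl_static=True)["host_request"])
```

scenario() shows the attacker's gratuitous reply for 10.1.1.1 dropped for lacking a binding, the same reply with the gateway's MAC forged inside the ARP body dropped earlier by src-mac validation (without that option the ARP ACL would have permitted it), the statically addressed gateway permitted by the ARP ACL when it sits on an untrusted port, and Host A's own request dropped once the ACL is applied with static, the implicit-deny behaviour noted above. Rate limiting (15 pps by default on untrusted ports, err-disable when exceeded) is not modelled.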
DAI Rate Limiting, Errdisable, etc.

Sw(config-if)# ip arp inspection limit rate {pps [burst interval secs] | none}

(Optional) Rate-limit incoming ARP packets on untrusted ports to protect the switch CPU against DoS attacks. Default = 15 pps over a burst interval of 1 sec on untrusted ports; trusted ports are unlimited by default.
The burst interval is the consecutive interval in seconds over which the interface is monitored for an excessive ARP packet rate. Valid intervals are 1 to 15.
The maximum configurable rate is 2048 pps.
Specifying rate none allows unlimited ARPs, turning off rate limiting.
When this rate is exceeded the port is placed in the errdisable state; it stays there until it is manually bounced or errdisable recovery is enabled for the arp-inspection cause.

Detailed information on dealing with errdisable:
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00806cd87b.shtml
Check cisco.com for more detail on using DAI, including log buffer handling, statistics, etc.
DAI Verification (1)

SwitchA# show ip arp inspection interfaces
Interface        Trust State  Rate (pps)  Burst Interval
---------------  -----------  ----------  --------------
Gi1/1            Trusted      None        N/A
Gi1/2            Untrusted    15          1
Fa2/1            Untrusted    15          1
Fa2/2            Untrusted    15          1
DAI Verification (2)

SwitchA# show ip arp inspection vlan 10
Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

Vlan  Configuration  Operation  ACL Match  Static ACL
----  -------------  ---------  ---------  ----------
10    Enabled        Active

Vlan  ACL Logging  DHCP Logging
----  -----------  ------------
10    Deny         Deny
DAI Verification (3)

SwitchA# show ip dhcp snooping binding
MacAddress          IpAddress   Lease(sec)  Type           VLAN  Interface
------------------  ----------  ----------  -------------  ----  --------------
. . .