11W NET3011 Ch6 SwSecurity 111


8/2/2019 11W NET3011 Ch6 SwSecurity 111 (1/56)

Switch Security

Copyright 2011, Algonquin College, Rick Graziani, Cisco Systems, Inc. All rights reserved. 11W NET3011 David Bray

bitDegree.ca

11W NET3011 CCNP SWITCH Chapter 6

Securing Switches

David Bray
[email protected]
Contributions obtained from Rick Graziani & Cisco

Overview of Switch Security (photo: Castle Hedingham, England)

    11W NET3011 2011, David Bray, Algonquin College, Rick Graziani, Cisco Systems, Inc. All rights reserved. 2

Most attention surrounds security attacks from outside the walls of an organization.

The inside of the network is left largely unconsidered in most security discussions.


    Overview of Switch Security

The default state of networking equipment:

Firewalls (placed at organizational borders)
- Default: secure, and must be configured for communications.

Routers and switches (placed internal to an organization)
- Default: open, and must be configured for security.

Rogue Access Points

Rogue network devices can be:
- Access switches
- Wireless routers
- Wireless access points
- Hubs

These devices are typically connected at access-level switches.


Rogue Access Points

Mitigating STP manipulation (a rogue switch trying to take over the spanning tree):
- To enforce the placement of the root bridge
- To enforce the STP domain borders

Use these features (as previously discussed in Chapter 2):
- Root guard
- BPDU guard

Switch Attack Categories

- MAC layer attacks
- VLAN attacks
- Spoofing attacks
- Attacks on switch devices


MAC layer attacks

MAC address flooding
- Frames with numerous invalid source MAC addresses flood the switch.
- This is intended to exhaust CAM table space.
- Therefore, no space remains for entries from valid hosts. Traffic to valid hosts is subsequently flooded out all ports.

Solution
- Port security
- MAC address VLAN access maps

VLAN hopping attacks
- By altering the VLAN ID on packets encapsulated for trunking, an attacking device can send or receive packets on various VLANs, bypassing Layer 3 security measures.

Solution
- Tighten up trunk configurations
- Place unused ports in a common, otherwise unused VLAN


VLAN attacks

Attacks between devices on a common VLAN
- Devices may need protection from one another, even though they are on a common VLAN.
- Example: a single service provider segment populated with devices from multiple customers.

Solution
- Private VLANs (pVLANs)

Spoofing attacks

DHCP spoofing
- Attacker masquerades as a DHCP server to perpetrate man-in-the-middle attacks (for example by handing out its own address as the default gateway or DNS server).
- Attackers also use this method to cause DHCP starvation:
  - use up available addresses in the pool
  - lack of addresses for valid hosts results in DoS (Denial of Service)

Solution
- DHCP snooping


Spoofing attacks

MAC spoofing
- Attacking device spoofs the MAC address of a valid host currently in the CAM table.
- Switch then forwards frames intended for the valid host to the attacking device.

Solution
- DHCP snooping
- Port security

Spoofing attacks

Address Resolution Protocol (ARP) spoofing
- Attacking device crafts ARP replies associated with the IP addresses of valid hosts.
- The attacking device's MAC address then becomes the destination address found in the Layer 2 frames sent by the valid network device.

Solution
- Dynamic ARP Inspection
- DHCP snooping
- Port security
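How DHCP snooping and Dynamic ARP Inspection work together against the DHCP spoofing and ARP spoofing attacks above, as an added worked model in Python. This is example code written for this page, not Cisco IOS and not part of the course material: the trusted port, VLAN, MAC and IP values are constructed, and the DHCP server decision is reduced to "server messages are only believed on trusted ports".

```python
# Added example for the DHCP spoofing and ARP spoofing slides above. This is a
# Python model of what DHCP snooping and Dynamic ARP Inspection (DAI) do on a
# switch; it is not Cisco IOS code and not from the course. Port names, MAC
# and IP addresses below are constructed sample data.
from dataclasses import dataclass, field


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class AccessSwitch:
    """Trusted ports lead to the real DHCP server; every other port is untrusted."""
    trusted: set
    bindings: dict = field(default_factory=dict)   # (vlan, ip) -> Binding
    log: list = field(default_factory=list)

    def dhcp_server_message(self, port, vlan, client_mac, offered_ip):
        """DHCP snooping: a DHCP OFFER/ACK is a server-side message, so it is
        only accepted on a trusted port. A rogue server on an access port is dropped."""
        if port not in self.trusted:
            self.log.append(f"DHCP_SNOOPING: server message dropped on untrusted {port}")
            return False
        self.bindings[(vlan, offered_ip)] = Binding(client_mac, offered_ip, vlan, port)
        return True

    def arp_reply(self, port, vlan, sender_mac, sender_ip):
        """DAI: on untrusted ports the sender MAC/IP pair of an ARP reply must
        match a snooping binding in that VLAN; otherwise the reply is dropped."""
        if port in self.trusted:
            return True
        b = self.bindings.get((vlan, sender_ip))
        if b is None or b.mac != sender_mac:
            self.log.append(f"DAI: invalid ARP {sender_ip} is-at {sender_mac} on {port}")
            return False
        return True


def scenario():
    """Constructed scenario: a legitimate DHCP server behind the uplink, a rogue
    DHCP server and an ARP spoofer on access ports."""
    sw = AccessSwitch(trusted={"Gi0/24"})
    # Legitimate lease: server on the trusted uplink hands 10.1.1.50 to host 0000.0000.aaaa
    lease_ok = sw.dhcp_server_message("Gi0/24", 10, "0000.0000.aaaa", "10.1.1.50")
    # Attacker on Fa0/7 answers a DISCOVER with its own ACK (DHCP spoofing)
    rogue = sw.dhcp_server_message("Fa0/7", 10, "0000.0000.bbbb", "10.1.1.60")
    # The host's genuine ARP reply matches its binding and passes
    arp_ok = sw.arp_reply("Fa0/3", 10, "0000.0000.aaaa", "10.1.1.50")
    # Attacker claims the host's IP with its own MAC (ARP spoofing): dropped
    arp_spoof = sw.arp_reply("Fa0/7", 10, "0000.0000.dead", "10.1.1.50")
    # Attacker claims the gateway IP, for which no lease exists: also dropped
    gw_spoof = sw.arp_reply("Fa0/7", 10, "0000.0000.dead", "10.1.1.1")
    return {"lease_ok": lease_ok, "rogue_dhcp": rogue, "arp_ok": arp_ok,
            "arp_spoof": arp_spoof, "gw_spoof": gw_spoof, "log": sw.log}


if __name__ == "__main__":
    for k, v in scenario().items():
        print(k, v)
```

The last case shows the operational caveat: a statically addressed gateway or server never appears in the snooping binding table, so its own legitimate ARP replies would also be dropped unless its port is trusted or a static ARP ACL is provided for it; plan for that before enabling DAI on a VLAN.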


Attacks on switch devices

Cisco Discovery Protocol (CDP)
- CDP information is transmitted in clear text.
- Divulges network topology information (device model, software version, addresses).

Solution
- Disable CDP on all ports where it doesn't have an intended purpose.

Attacks on switch devices

Secure Shell Protocol and Telnet attacks
- Telnet packets can be read in clear text.

Solution
- SSH version 2
- Telnet with virtual type terminal (VTY) ACLs (restricts who may connect, but does not protect the session contents)


Building the MAC Address Table

(Figure: four hosts with abbreviated MAC addresses 1111, 2222, 3333 and 4444 attached to a switch; 1111 on port 1, 3333 on port 6.)

MAC Address Table
Port  Source MAC Addr.
1     1111

Host 1111 sends a frame to 3333. The switch learns the source MAC (1111 on port 1). The destination MAC 3333 is not in the table, so the switch floods the frame out all ports (unknown unicast).


Building the MAC Address Table

MAC Address Table
Port  Source MAC Addr.
1     1111
6     3333

A frame is sent from 3333 to 1111. The switch learns 3333 on port 6; 1111 is already in the table, so the frame is forwarded only out port 1.

Bidirectional Communications

With both 1111 (port 1) and 3333 (port 6) in the table, frames 3333 -> 1111 and 1111 -> 3333 are switched directly between the two ports and are not seen by 2222 or 4444.


Building the MAC Address Table: MAC flooding

(Figure: an attacker attached to the switch alongside hosts 1111, 2222, 3333 and 4444.)

MAC Address Table
Port  Source MAC Addr.
1     1111
6     3333
...   numerous invalid source addresses

The attacker sends frames with numerous invalid source addresses.
Common Layer 2 or switch attack, used for:
- Collecting a broad sample of traffic
- Denial of Service (DoS) attack

The CAM table is of limited size (1,024 to over 16,000 entries).
Tools such as dsniff can flood the CAM table in just over 1 minute.

TABLE IS FULL
- dsniff (macof) can generate 155,000 MAC entries on a switch per minute.
- It takes about 70 seconds to fill the CAM table.
- Once the table is full, traffic to any address without a CAM entry is flooded out all ports (unknown unicasts).


Building the MAC Address Table: table is full

Once the CAM table is full, new valid entries will not be accepted.
The switch must flood frames to such an address out all ports.

This has two adverse effects:
- Traffic forwarding is inefficient (for devices and links).
- An intruding device can be connected to any switch port and capture traffic not normally seen on that port. (Figure: the attacker now receives the flooded frames!)

MAC Flooding

If the attack is launched before the beginning of the day, the CAM table is already full as legitimate hosts start sending traffic, so their addresses are never learned.

If the initial, malicious flood of invalid CAM table entries is a one-time event:
- Eventually, the switch will age out older, invalid CAM table entries.
- New, legitimate devices will then be able to create an entry in the CAM table.
- Traffic flooding will cease.
- The intruder may never be detected (the network seems normal).
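The timeline described on the last few slides (flood before the day starts, hosts come online and are flooded to the attacker, bogus entries age out and flooding stops) as an added simulation in Python. This is example code written for this page, not from the course or from any switch vendor: the CAM size, the aging time (300 s, the usual IOS default) and the port numbers are constructed, and the model ignores VLANs and broadcast domains other than "flood to every other port".

```python
# Added example for the MAC flooding slides above: a Python model of a switch
# CAM table with a fixed capacity, source learning, unknown-unicast flooding
# and entry aging. Not from the course and not IOS code; the table size, the
# aging time and the host addresses are constructed for the scenario.


class Switch:
    def __init__(self, cam_size, ports, aging_time=300):
        self.cam_size = cam_size          # entries the CAM can hold
        self.ports = list(ports)
        self.aging_time = aging_time      # seconds; 300 is the usual IOS default
        self.cam = {}                     # mac -> (port, last_seen)
        self._aged_at = None

    def _age(self, now):
        # Drop entries not refreshed within aging_time (run once per timestamp to keep it cheap)
        if now == self._aged_at:
            return
        self._aged_at = now
        for mac, (_port, seen) in list(self.cam.items()):
            if now - seen > self.aging_time:
                del self.cam[mac]

    def forward(self, in_port, src, dst, now):
        """Process one frame; returns the list of egress ports."""
        self._age(now)
        if src in self.cam or len(self.cam) < self.cam_size:
            self.cam[src] = (in_port, now)   # learn or refresh; a full table learns nothing new
        hit = self.cam.get(dst)
        if hit is None:                      # unknown unicast (or broadcast): flood
            return [p for p in self.ports if p != in_port]
        return [hit[0]]


def scenario(cam_size=8192, bogus_frames=10000):
    """The slide's timeline: attacker on port 5 floods before the day starts, host 1111
    (port 1) and host 3333 (port 6) talk at 08:00, and later the one-time flood has aged out."""
    sw = Switch(cam_size, ports=[1, 2, 5, 6])
    attacker = 5
    for i in range(bogus_frames):            # macof-style: every frame carries a new bogus source
        sw.forward(attacker, f"bad{i:08x}", "ffff.ffff.ffff", now=0)
    table_full = len(sw.cam) == cam_size
    # Hosts come online; their source MACs cannot be learned, so both directions are flooded
    to_3333 = sw.forward(1, "1111", "3333", now=10)
    to_1111 = sw.forward(6, "3333", "1111", now=11)
    leaked = attacker in to_3333 and attacker in to_1111
    # Much later the bogus entries have aged out and normal learning resumes
    first = sw.forward(1, "1111", "3333", now=400)    # 3333 still unknown: flooded once more
    reply = sw.forward(6, "3333", "1111", now=401)    # 1111 now known: unicast to port 1 only
    return {"table_full": table_full, "leaked_to_attacker": leaked,
            "entries_after_aging": len(sw.cam),
            "first_after_aging": first, "reply_after_aging": reply}


if __name__ == "__main__":
    print(scenario())
```

Two things the model makes visible: the attacker does not need to keep flooding once the table is full (the leak lasts as long as the aging time), and if the attacker refreshes its entries faster than they age, the flooding never stops. Port security on the access port (next section) bounds how many source addresses one port can add, which is what breaks the attack.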


Port Security and Authentication

Suggested Mitigation for MAC Flood Attacks
- Port security: restricts port access by MAC address.
- Port authentication (802.1X)


Using Port Security on a Switch

The Port Security feature provides a way to restrict the hosts allowed to use a particular port.
- This caps the maximum number of concurrent hosts on that port.
- In addition, hosts are identified by their MAC addresses, which can be learned dynamically (the default), can be configured statically, or a combination of both options.

Port Security: Secure MAC Addresses

Secure MAC addresses are categorized as one of three types:

Static
- Configured using: switchport port-security mac-address mac-address
- Stored in the address table.
- Preserved across reboots if the running-config is saved to the startup-config.

Dynamic
- Dynamically learned (the default).
- Stored only in the address table (lost when the switch restarts).

Sticky
- Dynamically learned.
- Stored in the address table.
- Once learned, they are added to the running configuration as the command: switchport port-security mac-address sticky mac-address
- Of course, if the running-config is saved to the startup-config thereafter, learned sticky addresses will be preserved across restarts.
- Note: at the time the sticky option is enabled, the interface adopts all existing dynamic secure MAC addresses as sticky secure MAC addresses, added to the running configuration as discussed above.


Enabling Port Security on an Interface

Switch(config-if)# switchport port-security

Port security is enabled on an interface via this simple command. The port must already be a static access (or trunk) port: IOS rejects the command on a port that is still in a dynamic trunking mode.

Set Maximum Allowable MAC Addresses

Set the number of concurrent MAC addresses allowable on the port.

Switch(config-if)# switchport port-security maximum value

- Default = 1
- Highest valid value depends upon the platform (for the C4500, the maximum is 1024).
- These addresses can be configured explicitly or can be learned dynamically (more on the next slide).
- Default: as expected, addresses are learned dynamically from the source MAC within the frames received on that interface.


Statically Configuring MAC Addresses

Switch(config-if)# switchport port-security mac-address mac-address

Allowable MAC address values are learned dynamically by default, but they can be statically configured using this command.
If the number of statically configured addresses is less than the allowable maximum in effect for the port (as discussed on the previous slide), the remaining ones are learned dynamically.

Enabling Sticky MAC Addresses

Switch(config-if)# switchport port-security mac-address sticky [MAC-address]

You can also configure sticky learning of addresses:
- Dynamically learned (manual configuration is possible by providing the optional MAC-address value, but this is not recommended)
- Stored in the MAC address table
- Added to the running-config
- If the running-config is copied to the startup-config thereafter, learned addresses will survive reboots. Otherwise, they would be lost at reboot time.
- At the time this command is given, all dynamically learned MACs are converted to sticky secure MAC addresses.
- If sticky learning is disabled (via the no form of this command), any sticky secure MAC addresses in the running-config at that time are converted to dynamic secure ones.


Configuring MAC Address Aging

Switch(config-if)# switchport port-security aging time value

Sets the duration (in minutes) after which learned non-sticky MAC addresses are aged out.
A value of 0 is the default, meaning NO aging.

Switch(config-if)# switchport port-security aging type {absolute | inactivity}

Sets the manner of aging: absolute aging (the default) means the address is aged out a fixed time after it is first learned, whereas inactivity means it is aged out only after no traffic has been seen from that address for the configured time.

Switch(config-if)# switchport port-security aging static

Specifies that statically configured secure MAC addresses should also be aged. Without this, only dynamically learned MACs are aged. Sticky MAC addresses are never aged out.

Port Security: Violation

If the station attempting to access the port is different from any of the identified secure MAC addresses (and the maximum has been reached), a security violation occurs. A violation also occurs when an address secured on one port shows up on another secure port in the same VLAN.


Port Security: Violation

By default, if the maximum number of addresses has been reached and a new MAC address attempts to access the port, the switch must take one of the following actions:

Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}

Protect:
- Port is allowed to stay up.
- Frames from the non-allowed address are dropped.
- There is no log of the violation and the violation counter is not incremented, so this mode gives no visibility of the attack.

Restrict:
- Port is allowed to stay up.
- Frames from the non-allowed address are dropped.
- A log message is created; an SNMP trap and a syslog message of the violation are sent, and the violation counter is incremented.

Shutdown (default):
- Port is put into the errdisable state, which effectively shuts down the port.
- A log entry is made and an SNMP trap is sent.
- The interface must be re-enabled manually (shutdown, then no shutdown) unless errdisable recovery has been configured for the psecure-violation cause.

Port Security: Basic Configuration Steps

Port Security Example: Static Addresses

Switch(config)# interface fa 0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 3
Switch(config-if)# switchport port-security mac-address 0000.0000.000a
Switch(config-if)# switchport port-security mac-address 0000.0000.000b
Switch(config-if)# switchport port-security mac-address 0000.0000.000c

Restricts input to an interface by limiting and identifying the MAC addresses of the stations allowed to access the port.
The port does not forward packets with source addresses outside the group of defined addresses (figure: a fourth station's frames are blocked, marked X).
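The per-frame decision that port security makes, covering the secure address types, the maximum, sticky conversion and the three violation modes from the previous slides, as an added model in Python. This is example code written for this page, not IOS and not from the course: interface names and MAC addresses are constructed, and the syslog line is only an approximation of the IOS PSECURE_VIOLATION message.

```python
# Added example for the port security slides above (secure address types,
# maximum, violation modes, the static-address configuration). It is a Python
# model of the decision the switch makes per ingress frame, not IOS code and
# not from the course. Interface names and MAC addresses are constructed; the
# syslog text is an approximation of the IOS PSECURE_VIOLATION message.
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                       # switchport port-security maximum (default 1)
    violation: str = "shutdown"            # protect | restrict | shutdown (default)
    sticky: bool = False
    static: set = field(default_factory=set)
    learned: dict = field(default_factory=dict)    # mac -> "dynamic" | "sticky"
    violations: int = 0
    errdisabled: bool = False
    running_config: list = field(default_factory=list)
    syslog: list = field(default_factory=list)

    def __post_init__(self):
        for mac in sorted(self.static):
            self.running_config.append(f"switchport port-security mac-address {mac}")

    def secure_addresses(self):
        return self.static | set(self.learned)

    def enable_sticky(self):
        """switchport port-security mac-address sticky: existing dynamic entries
        become sticky and are written into the running-config."""
        self.sticky = True
        for mac, kind in self.learned.items():
            if kind == "dynamic":
                self.learned[mac] = "sticky"
                self.running_config.append(f"switchport port-security mac-address sticky {mac}")

    def reenable(self):
        """shutdown / no shutdown on an errdisabled port; secure addresses are kept."""
        self.errdisabled = False

    def ingress(self, src_mac):
        """Returns the action taken for a frame with this source MAC."""
        if self.errdisabled:
            return "dropped:errdisable"
        if src_mac in self.secure_addresses():
            return "forward"
        if len(self.secure_addresses()) < self.maximum:
            kind = "sticky" if self.sticky else "dynamic"
            self.learned[src_mac] = kind
            if kind == "sticky":
                self.running_config.append(f"switchport port-security mac-address sticky {src_mac}")
            return "forward"
        # Maximum reached and the address is not secure: a violation
        if self.violation == "protect":
            return "drop"          # silent: no log, no trap, no counter
        self.violations += 1
        self.syslog.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: {src_mac} on {self.name}")
        if self.violation == "restrict":
            return "drop+log"
        self.errdisabled = True    # shutdown mode: the whole port goes errdisable
        return "errdisable"


def demo():
    # The slide's example: fa0/1, maximum 3, three static addresses, default violation mode
    fa1 = SecurePort("Fa0/1", maximum=3,
                     static={"0000.0000.000a", "0000.0000.000b", "0000.0000.000c"})
    fa1_actions = [fa1.ingress(m) for m in ("0000.0000.000a", "0000.0000.000c", "0000.0000.00ff")]
    # Sticky learning with restrict: two hosts learned into the config, a third logged and dropped
    fa2 = SecurePort("Fa0/2", maximum=2, violation="restrict")
    fa2.ingress("0000.0000.1111")          # learned as dynamic
    fa2.enable_sticky()                    # converted to sticky
    fa2.ingress("0000.0000.2222")          # learned as sticky directly
    fa2_third = fa2.ingress("0000.0000.3333")
    # Protect: same drop, but nothing is counted or logged
    fa3 = SecurePort("Fa0/3", violation="protect")
    fa3.ingress("0000.0000.4444")
    fa3_second = fa3.ingress("0000.0000.5555")
    return fa1, fa1_actions, fa2, fa2_third, fa3, fa3_second


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Note the trade-off the model exposes: shutdown takes the whole port (and every legitimate host behind it) down on one stray frame, restrict keeps the port up and still produces the syslog/trap an operator can alert on, and protect produces nothing at all. In practice restrict with a syslog alert is the usual choice for user ports; if shutdown is kept, configure errdisable recovery for the psecure-violation cause so a trip does not require a manual visit.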

Port Security: Verify

Switch# show port-security

Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                 (Count)       (Count)          (Count)
----------------------------------------------------------------------
      Fa5/1           11            11                0          Shutdown
      Fa5/5           15             5                0          Restrict
     Fa5/11            5             4                0           Protect
----------------------------------------------------------------------
Total Addresses in System: 21
Max Addresses limit in System: 128


Port Security: Verify

Switch# show port-security interface type mod/port

Displays security information for a specific interface.

Switch# show port-security interface fastethernet 5/1
Port Security: Enabled
Port status: SecureUp
Violation mode: Shutdown
Maximum MAC Addresses: 11
Total MAC Addresses: 11
Configured MAC Addresses: 3
Aging time: 20 mins
Aging type: Inactivity
SecureStatic address aging: Enabled
Security Violation count: 0

Switch# show port-security address

Displays MAC address table security information.

          Secure Mac Address Table
------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   1    0001.0001.0001    SecureDynamic       Fa5/1   15 (I)
   1    0001.0001.0002    SecureDynamic       Fa5/1   15 (I)
   1    0001.0001.1111    SecureConfigured    Fa5/1   16 (I)
   1    0001.0001.1112    SecureConfigured    Fa5/1   -
   1    0001.0001.1113    SecureConfigured    Fa5/1   -
   1    0005.0005.0001    SecureConfigured    Fa5/5   23
   1    0005.0005.0002    SecureConfigured    Fa5/5   23
   1    0005.0005.0003    SecureConfigured    Fa5/5   23
   1    0011.0011.0001    SecureConfigured    Fa5/11  25 (I)
   1    0011.0011.0002    SecureConfigured    Fa5/11  25 (I)
-------------------------------------------------------------------
Total Addresses in System: 10
Max Addresses limit in System: 128

(I) = inactivity aging configured on that port.


Port Authentication

(Figure: client, switch and authentication server; EAPOL between client and switch, "Authenticated", then normal traffic.)

Cisco Catalyst switches can support port-based authentication, which is a combination of:
- AAA authentication
- Port security

Based on the IEEE 802.1X standard, which defines a client-server-based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports.
- Until the client is authenticated, 802.1X access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the client is connected.
- The authentication server authenticates each client connected to a switch port before making available any services offered by the switch or the LAN.
- After authentication is successful, normal traffic can pass through the port.

Port Authentication

- Either the client or the switch (the authenticator) can initiate the 802.1X session.
- The switch port starts off in the unauthorized state: EAPOL traffic only, no data traffic.
- If the client supports 802.1X but the switch does not, the client abandons 802.1X and communicates normally.
- The manner in which 802.1X is enabled at the client is OS-specific.
- Conversely, if the switch supports 802.1X but the client does not, the switch port remains in the unauthorized state and will not forward any traffic from the client.

The authorized state ends and the port reverts to the unauthorized state when:
- The user logs out (the client sends an EAPOL-Logoff message)
- The switch times out the user's authorized session due to inactivity
- The port's link state transitions from up to down


Port Authentication

Port-based authentication can be handled by one or more RADIUS (Remote Authentication Dial-In User Service) servers.

Note: Cisco does have other authentication methods (TACACS+), but only RADIUS is supported for 802.1X.

Configuring 802.1X on the switch

1. Enable AAA on the switch (disabled by default)
Switch(config)# aaa new-model

2. Define the RADIUS servers
Switch(config)# radius-server host {hostname | ip-address} [key string]

3. Define the authentication method
Switch(config)# aaa authentication dot1x default group radius
Causes all RADIUS authentication servers that are defined on the switch (previous step) to be used for 802.1X authentication.

4. Enable 802.1X on the switch (disabled by default)
Switch(config)# dot1x system-auth-control


Configuring 802.1X on the switch

5. Configure each switch port that will use 802.1X

Switch(config)# interface type mod/num
Switch(config-if)# dot1x port-control {force-authorized | force-unauthorized | auto}

force-authorized (default): Port is forced to authorize the connected client. No authentication is necessary: this disables 802.1X on the port and causes it to transition to the authorized state without any authentication exchange. The port transmits and receives normal traffic without 802.1X-based authentication of the client.

force-unauthorized: Port is forced to never authorize any connected client. Causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate. The port cannot send normal user traffic.

auto: Port uses an 802.1X exchange (EAPOL) to move from the unauthorized to the authorized state. Requires the client to be 802.1X capable.
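The three port-control modes, the EAPOL/RADIUS exchange and the events that drop a port back to unauthorized (logoff, inactivity, link down), as an added model of the switch side in Python. This is example code written for this page, not IOS and not from the course. Assumptions: the RADIUS server is reduced to a set of accepted user names, the EAP method negotiation inside the exchange is not modelled, and the interface names are constructed.

```python
# Added example for the 802.1X slides above (port-control modes, the EAPOL
# exchange, and the events that return a port to the unauthorized state). It
# is a Python model of the switch (authenticator) port, not IOS code and not
# from the course; the RADIUS server is a constructed set of user names.
from enum import Enum

EAPOL_ETHERTYPE = 0x888E   # IEEE 802.1X EAPOL frames
IPV4_ETHERTYPE = 0x0800


class State(Enum):
    UNAUTHORIZED = "unauthorized"
    AUTHENTICATING = "authenticating"
    AUTHORIZED = "authorized"


class Dot1xPort:
    def __init__(self, name, port_control="force-authorized"):
        self.name = name
        self.port_control = port_control    # force-authorized (default) | force-unauthorized | auto
        self.link_up()

    def link_up(self):
        # force-authorized skips the exchange; the other modes start unauthorized
        self.state = State.AUTHORIZED if self.port_control == "force-authorized" else State.UNAUTHORIZED

    def link_down(self):
        self.state = State.UNAUTHORIZED       # a link transition ends any authorized session

    def eapol_start(self):
        """Client initiates; only an auto port answers with an identity request."""
        if self.port_control == "auto" and self.state is not State.AUTHORIZED:
            self.state = State.AUTHENTICATING
            return "EAP-Request/Identity"
        return None                           # force-* modes ignore the client

    def radius_result(self, accepted):
        if self.port_control == "auto" and self.state is State.AUTHENTICATING:
            self.state = State.AUTHORIZED if accepted else State.UNAUTHORIZED

    def eapol_logoff(self):
        if self.port_control == "auto":
            self.state = State.UNAUTHORIZED

    def inactivity_timeout(self):
        if self.port_control == "auto":
            self.state = State.UNAUTHORIZED

    def forwards(self, ethertype):
        """EAPOL always reaches the authenticator; anything else needs an authorized port."""
        return ethertype == EAPOL_ETHERTYPE or self.state is State.AUTHORIZED


def authenticate(port, identity, radius_users):
    """Drive one client through the exchange; returns the message transcript."""
    t = [("client->switch", "EAPOL-Start")]
    req = port.eapol_start()
    if req is None:
        t.append(("switch", f"{port.port_control}: no exchange, port {port.state.value}"))
        return t
    t += [("switch->client", req),
          ("client->switch", f"EAP-Response/Identity {identity}"),
          ("switch->radius", f"Access-Request User-Name={identity}")]
    accepted = identity in radius_users      # stand-in for the RADIUS server's decision
    t.append(("radius->switch", "Access-Accept" if accepted else "Access-Reject"))
    port.radius_result(accepted)
    t.append(("switch->client", "EAP-Success" if accepted else "EAP-Failure"))
    return t


if __name__ == "__main__":
    p = Dot1xPort("Fa0/1", "auto")
    for line in authenticate(p, "alice", {"alice"}):
        print(*line)
    print(p.state.value, p.forwards(IPV4_ETHERTYPE))
```

The default mode deserves attention when reading the model: a port left at force-authorized is an 802.1X port in name only, so enabling dot1x system-auth-control globally protects nothing until each user port is set to auto.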

Configuring 802.1X on the switch

6. Allow multiple hosts on a switch port.

If a switch port is connected to another switch or a hub, multi-host mode lets all hosts behind that port share one authentication: once one attached host has authenticated, the port is authorized for every host on it (and all of them lose access if the port reverts to unauthorized).

Switch(config)# interface type mod/num
Switch(config-if)# dot1x host-mode multi-host

Verify: show dot1x all


Configuring 802.1X on the switch: complete example

(Figure: RADIUS server at 172.30.10.100.)

Switch(config)# aaa new-model
Switch(config)# radius-server host 172.30.10.100 key BigSecret
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# dot1x system-auth-control
Switch(config)# interface range fa 0/1 - 40
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# dot1x port-control auto

VLAN Attacks


VLAN Hopping Attacks

With trunking protocols there is the possibility of rogue traffic hopping from one VLAN to another. This creates security vulnerabilities.

These VLAN hopping attacks are best mitigated by close control of trunk links:
- VLAN Access Control Lists (VACLs)
- Private VLANs (pVLANs)

Explaining VLAN Hopping

A VLAN hopping attack is one where an end system sends packets to, or collects packets from, a VLAN that should not be accessible to that end system.

This is done by:
- Switch spoofing
- Double tagging


VLAN Hopping: Switch Spoofing

Attacker configures a system to spoof itself as a switch by emulating:
- ISL or 802.1Q signaling
- Dynamic Trunking Protocol (DTP) signaling

- The attacking system spoofs itself as a legitimate trunk-negotiating device ("I'm a switch").
- The trunk link is negotiated dynamically.
- The attacking device gains access to data on all VLANs carried by the negotiated trunk.

VLAN Hopping: switchport mode access

Switch(config)# interface range fa 0/11 - 15
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10

Both of these commands should be used for access ports:
- switchport mode access
- switchport access vlan n


VLAN Hopping: no switchport mode access

Switch(config)#interface range fa 0/11 - 15
Switch(config-if-range)#switchport access vlan 10
Switch(config-if-range)#end
Switch#show interface fa 0/11 switchport
Name: Fa0/11
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 10 (Accounting)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none

Without the switchport mode access command, this interface will still try to negotiate trunking: the access VLAN is set, but the administrative mode is still dynamic desirable and negotiation of trunking is on. Platforms whose default is dynamic auto are no safer, because a dynamic auto port still forms a trunk with a peer that sends DTP desirable.


VLAN Hopping: switchport mode access

Switch(config)#interface range fa 0/11 - 15
Switch(config-if-range)#switchport mode access

Name: Fa0/11
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 10 (Accounting)

Now configure the range of interfaces for permanent non-trunking, access mode.
Notice that negotiation of trunking has been turned off and that this port will only be a non-trunking access port.


VLAN Hopping with Double Tagging

Conditions for this exploit:
The attacker is on an access port in VLAN x.
The ingress switch has an 802.1Q trunk whose native VLAN is x (the same as the attacker's access VLAN).


(Figure: attacker on an access port; 802.1Q trunk with native VLAN 10 between the two switches.)

Double tagging allows a frame to be forwarded to a destination VLAN other than the source's VLAN.
The attacker's workstation generates frames with two 802.1Q headers.
The switch is fooled into forwarding the frames onto a VLAN that would otherwise be inaccessible to the attacker through legitimate means.


The first switch strips the first tag off the frame because the first tag (VLAN 10) matches the trunk's native VLAN ID, so the frame leaves on the trunk untagged, carrying only the inner 802.1Q tag.
The second switch then forwards the frame to the destination based on the VLAN identifier in the second 802.1Q header.
The attack is one-way: replies from the target VLAN are not double-tagged back to the attacker, so it is useful for injecting traffic into the other VLAN, not for receiving it.


Mitigating VLAN Hopping: Access Ports

Switch(config)#interface range fa 0/11 - 15
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 10

Switch(config)#interface range fa 0/16 - 17
Switch(config-if-range)#shutdown
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 999

Access ports: configure every user-facing port as a static access port so that trunking cannot be negotiated across those links.
Place all unused ports:
In the shutdown state
Associated with a VLAN designed only for unused ports, carrying no user data traffic


Mitigating VLAN Hopping: Trunk Ports

Switch(config)#interface gig 0/1
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk native vlan 2
Switch(config-if)#switchport trunk allowed vlan 2,10,20,99

Trunk ports:
Trunking set to on, rather than negotiated. Note that switchport mode trunk still sends DTP frames to the neighbor; add switchport nonegotiate to stop DTP on the link entirely.
The native VLAN different from any data VLAN (VLAN 1 is the default) and never assigned to an access port, so a double-tagged frame's outer tag can never match it.
Specify the allowed VLAN range to be carried on the trunk.
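The double-tagging sequence and the native-VLAN mitigation described above, as an added worked example (constructed for this page, not code from the course or from Cisco). It builds the attacker's frame with raw 802.1Q tags, models the first switch's access-port ingress and trunk egress, and reports which VLAN the second switch assigns the frame to. The switch model is a deliberate simplification and an assumption: a tag equal to the port's access VLAN is accepted and stripped on an access port, any other tag is dropped, and frames in the native VLAN leave the trunk untagged. MAC addresses and VLAN numbers are made up.

```python
"""Constructed model of the 802.1Q double-tagging VLAN hop (added example)."""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IP = 0x0800


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def push_tag(frame, vid):
    """Insert an 802.1Q tag (TPID 0x8100, PCP 0, DEI 0, 12-bit VID) after the MAC addresses."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]


def pop_tag(frame):
    """Remove the outermost 802.1Q tag; the frame must be tagged."""
    assert struct.unpack_from("!H", frame, 12)[0] == TPID_8021Q
    return frame[:12] + frame[16:]


def vlan_tags(frame):
    """Return the VIDs of all stacked 802.1Q tags, outermost first."""
    tags, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        tags.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return tags


def build_attack_frame(dst_mac, src_mac, outer_vid, inner_vid, payload=b"\x45" + b"\x00" * 19):
    """Attacker's frame: outer tag = attacker's access VLAN, inner tag = target VLAN."""
    frame = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IP) + payload
    return push_tag(push_tag(frame, inner_vid), outer_vid)


def first_switch(frame, access_vlan, trunk_native_vlan):
    """Ingress switch (assumed behaviour): on the access port a tag equal to the access
    VLAN is accepted and stripped, any other tag is dropped. On the trunk, frames in
    the native VLAN leave untagged; all other VLANs get a tag pushed."""
    tags = vlan_tags(frame)
    if tags:
        if tags[0] != access_vlan:
            return None                      # dropped at the access port
        frame = pop_tag(frame)
    if access_vlan == trunk_native_vlan:
        return frame                         # untagged: the inner tag is now the first tag
    return push_tag(frame, access_vlan)


def second_switch_vlan(frame, trunk_native_vlan):
    """VLAN the downstream switch assigns a frame received on its trunk."""
    tags = vlan_tags(frame)
    return tags[0] if tags else trunk_native_vlan


def hop_result(access_vlan, native_vlan, target_vlan=20):
    """VLAN the attacker's traffic ends up in on the second switch, or None if dropped."""
    frame = build_attack_frame("ff:ff:ff:ff:ff:ff", "00:00:5e:00:53:01", access_vlan, target_vlan)
    out = first_switch(frame, access_vlan, native_vlan)
    return None if out is None else second_switch_vlan(out, native_vlan)


if __name__ == "__main__":
    print("native VLAN = access VLAN 10 ->", hop_result(10, 10))   # 20: the hop succeeds
    print("native VLAN moved to 2      ->", hop_result(10, 2))    # 10: traffic stays in VLAN 10
```

Moving the native VLAN off every access VLAN is what defeats the hop here: with native VLAN 2 the first switch re-tags the frame with VLAN 10 on the trunk, so the inner tag is never exposed.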


    Types of ACLs

Access control lists (ACLs) are useful for controlling access in a multilayer switched network. This topic describes VACLs and their purpose as part of VLAN security.

Cisco Systems multilayer switches support three types of ACLs:

Router access control lists (RACLs):
Supported in the TCAM hardware on Cisco multilayer switches.
In Catalyst switches, a RACL can be applied to any routed interface, such as a switch virtual interface (SVI) or Layer 3 routed port.

Port access control lists (PACLs):
Filter traffic at the port level. PACLs can be applied on a Layer 2 switch port, trunk port, or EtherChannel port.
Allow Layer 3 filtering on Layer 2 ports.

VACLs:
VACLs, also known as VLAN access maps, apply to all traffic in a VLAN.
VACLs support filtering based on Ethertype and MAC addresses. VACLs are order-sensitive, similar to Cisco IOS-based route maps.
VACLs are capable of controlling traffic flowing within the VLAN or controlling switched traffic, whereas RACLs control only routed traffic.


VACLs

1. Define a VLAN access map.
Switch(config)# vlan access-map map_name [seq#]

VACLs (a.k.a. VLAN access maps) apply to all traffic on the VLAN. VACLs apply to:
IP traffic
MAC-layer traffic
VACLs follow route-map conventions, in which map entries are checked in sequence-number order.
First, define the VLAN access map. If you don't specify a sequence number, the first access-map entry is automatically numbered 10.


VACLs

2. Configure a match clause.
Switch(config-access-map)# match {ip address {1-199 | 1300-2699 | acl_name} | ipx address {800-999 | acl_name} | mac address acl_name}

Once you have entered the vlan access-map command, you can enter match and action commands in access-map configuration mode.

3. Configure an action clause.
Switch(config-access-map)# action {drop [log]} | {forward [capture]} | {redirect {{fastethernet | gigabitethernet | tengigabitethernet} slot/port} | {port-channel channel_id}}

Each access-map command has a list of match and action commands associated with it.
The match commands specify the match criteria: the conditions that should be tested to determine whether or not to take action.
The action commands specify the actions to perform if the match criteria are met.


VLAN Map Configuration Guidelines

If there is no VLAN ACL configured to deny traffic on a routed VLAN interface (input or output), and no VLAN map configured, all traffic is permitted.
The order of entries in a VLAN map is important.
A frame that comes into the switch is tested against the first entry in the VLAN map.
If it matches, the action specified for that entry of the VLAN map is taken.
If there is no match, the packet is tested against the next entry in the map.
If the VLAN map has at least one match clause for the type of packet (IP or MAC) and the packet does not match any of these match clauses, the default is to drop the packet.
If there is no match clause for that type of packet in the VLAN map, the default is to forward the packet.
An entry that has an action but no match clause matches every packet that reaches it, so a final entry with action forward makes the map permit-by-default for both packet types.


VACLs

Don't worry, several examples will help show how this works.


Configuring VACLs

1. Define a VLAN access map.
Switch(config)# vlan access-map map_name [seq#]

2. Configure a match clause.
Switch(config-access-map)# match {ip address {1-199 | 1300-2699 | acl_name} | ipx address {800-999 | acl_name} | mac address acl_name}

3. Configure an action clause.
Switch(config-access-map)# action {drop [log]} | {forward [capture]} | {redirect {{fastethernet | gigabitethernet | tengigabitethernet} slot/port} | {port-channel channel_id}}

4. Apply the map to VLANs.
Switch(config)# vlan filter map_name vlan-list list


Example 1

Drop all traffic from network 10.1.9.0/24 on VLANs 10 and 20.
Drop all traffic to the backup server 0000.1111.4444.
Forward everything else.

Switch(config)# access-list 100 permit ip 10.1.9.0 0.0.0.255 any
Switch(config)# mac access-list extended BACKUP_SERVER
Switch(config-ext-macl)# permit any host 0000.1111.4444

Switch(config)# vlan access-map XYZ 10
Switch(config-access-map)# match ip address 100
Switch(config-access-map)# action drop
Switch(config)# vlan access-map XYZ 20
Switch(config-access-map)# match mac address BACKUP_SERVER
Switch(config-access-map)# action drop
Switch(config)# vlan access-map XYZ 30
Switch(config-access-map)# action forward

Switch(config)# vlan filter XYZ vlan-list 10,20

Note that both ACLs are written with permit statements: in a VACL the ACL only selects the traffic, and the access-map action decides what happens to it.


Example 2

Drop packets with a source IP in 10.1.0.0/16 on VLANs 1-4094.
Forward all other traffic, IP and non-IP: entry 20 has no match clause, so it matches everything that entry 10 did not drop.
(Without entry 20 the type defaults would apply instead: other IP packets dropped, because the map has an IP match clause; non-IP frames forwarded, because it has no MAC match clause.)

Switch(config)# access-list 1 permit 10.1.0.0 0.0.255.255

Switch(config)# vlan access-map Check-10-1 10
Switch(config-access-map)# match ip address 1
Switch(config-access-map)# action drop
Switch(config)# vlan access-map Check-10-1 20
Switch(config-access-map)# action forward

Switch(config)# vlan filter Check-10-1 vlan-list 1-4094


FYI Example 3

Forward all UDP packets.
Drop all IGMP packets.
Forward all TCP packets.
(Default) Drop all other IP packets: the VLAN map has at least one IP match clause (101, igmp-match, tcp-match).
(Default) Forward all non-IP frames: the map has no MAC match clause.

ACLs:
Switch(config)# access-list 101 permit udp any any
Switch(config)# ip access-list extended igmp-match
Switch(config-ext-nacl)# permit igmp any any
Switch(config)# ip access-list extended tcp-match
Switch(config-ext-nacl)# permit tcp any any

VACL:
Switch(config)# vlan access-map drop-ip-default 10
Switch(config-access-map)# match ip address 101
Switch(config-access-map)# action forward
Switch(config)# vlan access-map drop-ip-default 20
Switch(config-access-map)# match ip address igmp-match
Switch(config-access-map)# action drop
Switch(config)# vlan access-map drop-ip-default 30
Switch(config-access-map)# match ip address tcp-match
Switch(config-access-map)# action forward

Filter:
Switch(config)# vlan filter drop-ip-default vlan-list 10-501


FYI Example 4

Forward non-IP frames from hosts 0000.0c00.0111 and 0000.0c00.0211.
Forward non-IP frames carrying the decnet-iv or vines-ip protocols.
(Default) Drop all other non-IP frames: the VLAN map has at least one MAC match clause (good-hosts, good-protocols).
(Default) Forward all IP packets: the map has no IP match clause.

MAC ACLs:
Switch(config)# mac access-list extended good-hosts
Switch(config-ext-macl)# permit host 0000.0c00.0111 any
Switch(config-ext-macl)# permit host 0000.0c00.0211 any
Switch(config)# mac access-list extended good-protocols
Switch(config-ext-macl)# permit any any decnet-iv
Switch(config-ext-macl)# permit any any vines-ip

VACL:
Switch(config)# vlan access-map drop-mac-default 10
Switch(config-access-map)# match mac address good-hosts
Switch(config-access-map)# action forward
Switch(config)# vlan access-map drop-mac-default 20
Switch(config-access-map)# match mac address good-protocols
Switch(config-access-map)# action forward

Filter:
Switch(config)# vlan filter drop-mac-default vlan-list 10-501
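The VLAN map evaluation rules from the configuration guidelines, applied to Example 2 and Example 3 above, as an added worked example (constructed for this page, not Cisco's code). It encodes the three rules the guidelines state: entries are tested in sequence order and the first match wins, an entry without a match clause matches everything, and a packet that matches nothing is dropped only when the map has a match clause for its packet type. The classification is an assumption of the model: IP match clauses are tested against IP packets and MAC match clauses against non-IP frames, which is the behaviour the type-default rule on this page implies; some platforms can also apply MAC ACLs to IP traffic. ACL syntax is reduced to permit entries, since only the access-map action decides drop or forward.

```python
"""Constructed model of Catalyst VLAN access-map (VACL) evaluation (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

ETHERTYPE_IP, ETHERTYPE_ARP = 0x0800, 0x0806


@dataclass(frozen=True)
class Packet:
    ethertype: int
    proto: Optional[str] = None            # "tcp", "udp", "igmp", "icmp" for IP packets
    src_ip: Optional[str] = None
    src_mac: str = "any"
    dst_mac: str = "any"

    @property
    def is_ip(self):
        return self.ethertype == ETHERTYPE_IP


@dataclass(frozen=True)
class IpAce:                               # one permit line of an IP ACL
    proto: str = "ip"                     # "ip" matches any IP protocol
    src: str = "0.0.0.0/0"


@dataclass(frozen=True)
class MacAce:                              # one permit line of a MAC ACL
    src: str = "any"
    dst: str = "any"
    ethertype: Optional[int] = None


@dataclass(frozen=True)
class Entry:                               # one "vlan access-map NAME SEQ" entry
    seq: int
    action: str                            # "drop" or "forward"
    match: Optional[Tuple[str, tuple]] = None   # ("ip", (IpAce, ...)) or ("mac", (MacAce, ...))


def ip_acl_permits(aces, pkt):
    return any((ace.proto == "ip" or ace.proto == pkt.proto)
               and ip_address(pkt.src_ip) in ip_network(ace.src) for ace in aces)


def mac_acl_permits(aces, pkt):
    return any(ace.src in ("any", pkt.src_mac) and ace.dst in ("any", pkt.dst_mac)
               and ace.ethertype in (None, pkt.ethertype) for ace in aces)


def evaluate(vmap, pkt):
    """Return "drop" or "forward" for pkt under the VLAN map vmap."""
    has_ip_clause = any(e.match and e.match[0] == "ip" for e in vmap)
    has_mac_clause = any(e.match and e.match[0] == "mac" for e in vmap)
    for entry in sorted(vmap, key=lambda e: e.seq):     # sequence order, first match wins
        if entry.match is None:                          # no match clause: matches everything
            return entry.action
        kind, aces = entry.match
        if kind == "ip" and pkt.is_ip and ip_acl_permits(aces, pkt):
            return entry.action
        if kind == "mac" and not pkt.is_ip and mac_acl_permits(aces, pkt):
            return entry.action
    # nothing matched: drop only if the map has a clause for this packet type
    if pkt.is_ip:
        return "drop" if has_ip_clause else "forward"
    return "drop" if has_mac_clause else "forward"


# Example 3 from the slides: drop-ip-default
DROP_IP_DEFAULT = [
    Entry(10, "forward", ("ip", (IpAce("udp"),))),     # access-list 101 permit udp any any
    Entry(20, "drop", ("ip", (IpAce("igmp"),))),       # ip access-list extended igmp-match
    Entry(30, "forward", ("ip", (IpAce("tcp"),))),     # ip access-list extended tcp-match
]
# Example 2 from the slides: Check-10-1, including its catch-all forward entry
CHECK_10_1 = [
    Entry(10, "drop", ("ip", (IpAce("ip", "10.1.0.0/16"),))),   # access-list 1 permit 10.1.0.0 0.0.255.255
    Entry(20, "forward"),
]


def ip_pkt(proto, src_ip="192.0.2.10"):
    """Constructed IP packet; 192.0.2.0/24 is documentation space."""
    return Packet(ETHERTYPE_IP, proto=proto, src_ip=src_ip)


if __name__ == "__main__":
    for name, pkt in [("udp", ip_pkt("udp")), ("igmp", ip_pkt("igmp")), ("tcp", ip_pkt("tcp")),
                      ("icmp", ip_pkt("icmp")), ("arp", Packet(ETHERTYPE_ARP))]:
        print(f"drop-ip-default {name:5} -> {evaluate(DROP_IP_DEFAULT, pkt)}")
    print("Check-10-1 10.1.9.7 tcp ->", evaluate(CHECK_10_1, ip_pkt("tcp", "10.1.9.7")))
    print("Check-10-1 arp          ->", evaluate(CHECK_10_1, Packet(ETHERTYPE_ARP)))
```

The ICMP case is the one to remember: drop-ip-default never mentions ICMP, yet ICMP is dropped, because the map contains IP match clauses; ARP is forwarded because it contains no MAC match clause.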


Private VLANs (Quick Reminder)

Configuring pVLANs

Switch(config)# vlan 200
Switch(config-vlan)# private-vlan community
Switch(config)# vlan 201
Switch(config-vlan)# private-vlan community
Switch(config)# vlan 300
Switch(config-vlan)# private-vlan isolated
Switch(config)# vlan 100
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association 200,201,300

Switch(config)# interface range fa 0/1 - 5
Switch(config-if-range)# switchport mode private-vlan promiscuous
Switch(config-if-range)# switchport private-vlan mapping 100 200,201,300

Switch(config)# interface range fa 0/10 - 12
Switch(config-if-range)# switchport mode private-vlan host
Switch(config-if-range)# switchport private-vlan host-association 100 200

Switch(config)# interface range fa 0/[range not legible in source]
Switch(config-if-range)# switchport mode private-vlan host
Switch(config-if-range)# switchport private-vlan host-association 100 201

Switch(config)# interface range fa 0/20 - 25
Switch(config-if-range)# switchport mode private-vlan host
Switch(config-if-range)# switchport private-vlan host-association 100 300
Switch(config-if-range)# exit

Switch(config)# int vlan 100
Switch(config-if)# private-vlan mapping 200,201,300

Map the secondary pVLANs to the SVI of the primary so they can be routed.
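The isolation that the configuration above produces, as an added worked example (constructed for this page, not code from the course). It models the three private-VLAN port roles and answers "can a frame from port A reach port B" for the ports on the slide. The fa0/15 port on community VLAN 201 is an assumption, because that interface range is not legible in the source; everything else follows the slide's configuration.

```python
"""Constructed model of private-VLAN forwarding for the slide's configuration (added example):
promiscuous ports reach every secondary VLAN mapped to them, community ports reach their
own community and the promiscuous ports, isolated ports reach only the promiscuous ports."""
from dataclasses import dataclass
from typing import Optional

COMMUNITY_VLANS = {200, 201}     # vlan 200/201: private-vlan community; 300 is isolated


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                                   # "promiscuous" or "host"
    secondary: Optional[int] = None             # host port: its host-association secondary VLAN
    mapping: frozenset = frozenset()            # promiscuous port: secondary VLANs it is mapped to


def can_forward(src, dst):
    """True if a frame from src may be delivered to dst within primary VLAN 100."""
    if src.name == dst.name:
        return False
    if src.mode == "promiscuous" and dst.mode == "promiscuous":
        return True
    if src.mode == "promiscuous":
        return dst.secondary in src.mapping
    if dst.mode == "promiscuous":
        return src.secondary in dst.mapping
    # host to host: only members of the same community; isolated ports never reach each other
    return src.secondary in COMMUNITY_VLANS and src.secondary == dst.secondary


def port_table():
    """Ports as configured on the slide (fa0/15 on community 201 is an assumption)."""
    ports = {}
    for n in range(1, 6):                       # fa0/1-5: promiscuous, mapping 100 200,201,300
        ports[f"fa0/{n}"] = Port(f"fa0/{n}", "promiscuous", mapping=frozenset({200, 201, 300}))
    for n in range(10, 13):                     # fa0/10-12: host-association 100 200
        ports[f"fa0/{n}"] = Port(f"fa0/{n}", "host", secondary=200)
    ports["fa0/15"] = Port("fa0/15", "host", secondary=201)   # assumed: host-association 100 201
    for n in range(20, 26):                     # fa0/20-25: host-association 100 300 (isolated)
        ports[f"fa0/{n}"] = Port(f"fa0/{n}", "host", secondary=300)
    return ports


def reachable_from(name):
    """Names of the ports a frame from `name` may reach, in port order."""
    ports = port_table()
    return [p for p in ports if can_forward(ports[name], ports[p])]


if __name__ == "__main__":
    for src in ("fa0/1", "fa0/10", "fa0/15", "fa0/20"):
        print(f"{src}: {reachable_from(src)}")
```

An isolated host on fa0/20 can reach only the five promiscuous ports (typically the gateway), which is exactly the property that keeps compromised servers in the same subnet from talking to each other.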

Mitigating Other Attacks

DHCP Spoof Attacks

The DHCP spoofing device replies to client DHCP requests.
The intruder's DHCP reply offers:
IP address/mask
Default gateway
Domain Name System (DNS) server
Clients will then forward packets to the attacking device, which will in turn send them to the desired destination.
This is referred to as a man-in-the-middle attack.


DHCP Review

DHCP Discover: Host, "I need an IP address."
DHCP Offer: Server, "I'll offer one to you."
DHCP Request: Host, "I'll take it."
DHCP ACK: Server, "It's all yours."
Successful DHCP completion.

DHCP Spoof Attacks (figure)

Client: "I need an IP address/mask, default gateway, and DNS server."
Rogue server: "Here you go, I might be first!"
Legitimate server: "Here you go."
Client: "Got it, thanks!" (to the rogue) and "Already got the info." (to the legitimate server)
Rogue: "I can now forward these on to my leader."
All default-gateway frames and DNS requests are now sent to the rogue.


DHCP Snooping

DHCP snooping is a Cisco Catalyst feature that determines which switch ports can respond to DHCP requests.
Ports are identified as trusted and untrusted.
Trusted ports can source all DHCP messages.
Untrusted ports can source requests only.
If a rogue device on an untrusted port attempts to send a DHCP server response into the network, the switch drops it; a port that exceeds its configured DHCP rate limit is put into the err-disabled state.
A DHCP binding table is built from the DHCP exchanges the switch sees on untrusted ports. Client MAC address, IP address, lease time, binding type, VLAN number and port ID are recorded.
From a DHCP snooping perspective, untrusted access ports should not send any DHCP server responses, such as DHCPOFFER, DHCPACK, or DHCPNAK.


DHCP Snooping (figure)

Client: "I need an IP address/mask, default gateway, and DNS server."
Rogue server (untrusted port): "Here you go, I might be first!"
Switch: "This is an untrusted port, I will block this DHCP Offer."
Legitimate server (trusted port): "Here you go."
Switch: "This is a trusted port, I will allow this DHCP Offer."
Client: "Thanks, got it."


Configuring DHCP Snooping

1. Enable DHCP snooping globally.
Switch(config)# ip dhcp snooping

2. Enable DHCP snooping on specific VLANs.
Switch(config)# ip dhcp snooping vlan vlan-id [vlan-id]
By default, all switch ports in these VLANs are untrusted.

3. Configure at least one trusted port. Use the no form to revert to untrusted.
Switch(config)# interface type mod/num
Switch(config-if)# ip dhcp snooping trust

4. For untrusted ports, rate-limit DHCP traffic.
Switch(config-if)# ip dhcp snooping limit rate rate
Used to prevent starvation attacks by limiting the number of DHCP packets per second on an untrusted port. Should be less than 100 pps.


DHCP Snooping (figure: DHCP server reached through Gig0/1, clients on FastEthernet ports)

By default all interfaces are untrusted.

Switch(config)# ip dhcp snooping
Switch(config)# ip dh​cp snooping vlan 10 50
Switch(config)# interface fa 0/1
Switch(config-if)# ip dhcp snooping limit rate 20
Switch(config)# interface gig 0/1
Switch(config-if)# ip dhcp snooping trust


Verifying DHCP Snooping

Switch# show ip dhcp snooping
Verifies the DHCP snooping configuration.

Switch# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP Snooping is configured on the following VLANs:
10 30-40 50
Insertion of option 82 information is enabled.
Interface                  Trusted    Rate limit (pps)
------------------------   -------    ----------------
GigabitEthernet0/1         yes        none
FastEthernet0/1            no         20
Switch#


IP Source Guard

IP Source Guard is similar to DHCP snooping.
It prevents traffic attacks caused when a host tries to use the IP address (spoofed address) of its neighbor.
IP Source Guard is configured on untrusted L2 interfaces.
The switch blocks all IP traffic received on the interface, except for DHCP packets allowed by DHCP snooping.
IP Source Guard makes use of:
the DHCP snooping binding table
static IP source binding entries


IP Source Guard

If DHCP snooping is enabled, the switch learns the MAC and IP address of the hosts that use DHCP.
IP Source Guard is configured on untrusted L2 interfaces.
The source IP address must be identical to the IP address learned by DHCP snooping.
With the port-security option, the source MAC address must also be identical to the source MAC address learned by DHCP snooping and by the switch port (MAC address table).
For hosts that do not use DHCP, a static IP source binding can be configured.
If the IP address does not match either of these, the switch drops the frame/packet.


IP Source Guard (figure)

IP Source Guard is configured on untrusted L2 interfaces.
Host: "I got an IP address/mask from the DHCP server."
Host: "Now I will pretend I am a different source IP address."
Switch: "This is an untrusted port with Source Guard. I checked my binding table and your source IP address does not match the one assigned via DHCP, so this traffic is denied!"


Configuring IP Source Guard

1. Enable DHCP snooping globally.
Switch(config)# ip dhcp snooping

2. Enable DHCP snooping on specific VLANs.
Switch(config)# ip dhcp snooping vlan vlan-id [vlan-id]
By default, all switch ports in these VLANs are untrusted.

3. Enable IP Source Guard on one or more interfaces.
Switch(config)# interface type mod/num
Switch(config-if)# ip verify source [port-security]
The port-security option inspects the MAC address too; it requires port security (switchport port-security) to be enabled on that interface.

4. For hosts that do not use DHCP, configure static IP source bindings.
Switch(config)# ip source binding mac-address vlan vlan-id ip-address interface type mod/num


IP Source Guard (figure: DHCP server reached through Gig0/1, client on Fa0/1)

DHCP snooping:
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10 50
Switch(config)# interface gig 0/1
Switch(config-if)# ip dhcp snooping trust

IP Source Guard:
Switch(config)# interface fa0/1
Switch(config-if)# ip verify source


IP Source Guard

This example shows how to enable IP Source Guard with static source IP and MAC filtering on VLANs 10 and 11.

Switch(config)# interface fastethernet0/1
Switch(config-if)# ip verify source port-security
Switch(config)# ip source binding 0100.0022.0010 vlan 10 10.0.0.2 interface gigabitethernet0/1
Switch(config)# ip source binding 0100.0230.0002 vlan 11 10.0.0.4 interface gigabitethernet0/1


ARP Spoofing

ARP: A quick look (figure)

Network 172.16.10.0/24:
Host Stevens: 172.16.10.10, mask 255.255.255.0, MAC 00-0C-04-17-91-CC
Host Cerf: 172.16.10.25, mask 255.255.255.0, MAC 00-0C-04-38-44-AA
Router A, Ethernet 0: 172.16.10.1, mask 255.255.255.0, MAC 03-0D-17-8A-F1-32

Stevens' ARP table before the exchange:
172.16.10.3   00-0C-04-32-14-A1
172.16.10.19  00-0C-14-02-00-19
172.16.10.33  00-0C-A6-19-46-C1

Stevens: the destination MAC address for 172.16.10.25 is unknown, so the IP packet is put on hold.
ARP Request (L2 broadcast to all devices on the network): "Who has IP address 172.16.10.25? Please send me your MAC address."
Cerf: "Hey, that's me!"
ARP Reply (L2 unicast only to the sender of the ARP request): "Here is my MAC address."
Stevens: "I will add that to my ARP table: 172.16.10.25 00-0C-04-38-44-AA. I will now use the MAC address to forward the frame." The IP packet is no longer on hold and is sent to the destination.


ARP Spoofing

In normal ARP operation, a host sends a broadcast to determine the MAC address of a host with a particular IP address.
The device at that IP address replies with its MAC address.
The originating host caches the ARP response, using it to populate the destination Layer 2 header of packets sent to that IP address.
By spoofing an ARP reply from a legitimate device with a gratuitous ARP, an attacking device appears to be the destination host sought by the senders.
The ARP reply from the attacker causes the sender to store the MAC address of the attacking system in its ARP cache.
All packets destined for those IP addresses will be forwarded through the attacker's system.


What is Gratuitous ARP?

Gratuitous ARP is used by hosts to "announce" their IP address to the local network in an effort to avoid duplicate IP addresses on the network. Routers and other network hardware may use cache information gained from gratuitous ARPs.
Gratuitous ARP is a broadcast packet (like an ARP request).
(Figure: HOST B: "Hey everyone, I'm host A and my IP address is 10.1.1.2 and my MAC address is A.A.A.A")


ARP has no security or ownership of IP or MAC addresses.

(Figure: the attacker's gratuitous ARP "10.1.1.1 is at MAC C.C.C.C" is sent every 5 seconds. Host A now does an ARP for its gateway 10.1.1.1: when the router replies, host A adds the entry to its ARP table; when the attacker replies, host A adds that entry too, so its frames for the GW go to the attacker.)


    Arpspoof in Action

    C:\>test

    C: >ar -d 15.1.1.1

    [root@sconvery-lnx dsniff-2.3]# ./arpspoof 15.1.1.1

    0:10:83:34:29:72 ff:ff:ff:ff:ff:ff 0806 42: arp reply

    15.1.1.1 is-at 0:10:83:34:29:72

    0:10:83:34:29:72 ff:ff:ff:ff:ff:ff 0806 42: arp reply. . .

    C:\>ping -n 1 15.1.1.1

    Pinging 15.1.1.1 with 32 bytes of data:

    Reply from 15.1.1.1: bytes=32 timearp -a

    Interface: 15.1.1.26 on Interface 2

    15.1.1.1 is-at 0:10:83:34:29:72

    0:10:83:34:29:72 ff:ff:ff:ff:ff:ff 0806 42: arp reply

    15.1.1.1 is-at 0:10:83:34:29:72

    0:10:83:34:29:72 ff:ff:ff:ff:ff:ff 0806 42: arp reply

    15.1.1.1 is-at 0:10:83:34:29:72

    11W NET3011 2011, David Bray, Algonquin College, Rick Graziani, Cisco Systems, Inc. All rights reserved. 100

    n erne ress ys ca ress ype

    15.1.1.1 00-04-4e-f2-d8-01 dynamic

    15.1.1.25 00-10-83-34-29-72 dynamic

    C:\>arp -a

    Interface: 15.1.1.26 on Interface 2

    Internet Address Physical Address Type

    15.1.1.1 00-10-83-34-29-72 dynamic

    15.1.1.25 00-10-83-34-29-72 dynamic
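A defender-side check for a trace like the one above, added here as an example (it is not code from the slides or from dsniff): it parses ARP reply lines in the format arpspoof prints, learns the first MAC seen for each IP (or starts from a known table such as the pre-attack arp -a output), and flags a later conflicting claim, an unsolicited broadcast reply for an unknown IP, and one MAC claiming several IPs. The TRACE lines, the KNOWN table and all function names are constructed.

```python
import re
from collections import defaultdict

# Line format in the arpspoof trace on the slide (constructed sample below):
# "<frame src mac> <frame dst mac> 0806 <len>: arp reply <ip> is-at <mac>"
ARP_REPLY = re.compile(
    r"^(?P<src>[0-9a-f:]+) (?P<dst>[0-9a-f:]+) 0806 \d+: arp reply "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<mac>[0-9a-f:]+)$", re.IGNORECASE)

def norm_mac(mac):
    """Normalise '0:10:83:34:29:72' or '00-10-83-34-29-72' to 00:10:83:34:29:72."""
    return ":".join(p.zfill(2).lower() for p in re.split(r"[:-]", mac))

def detect_arp_spoof(lines, known=None):
    """Return alerts for ARP replies that contradict the first MAC seen (or a known table),
    unsolicited broadcast replies for unknown IPs, and one MAC claiming several IPs."""
    owner = {ip: norm_mac(mac) for ip, mac in (known or {}).items()}
    ips_by_mac = defaultdict(set)
    for ip, mac in owner.items():
        ips_by_mac[mac].add(ip)
    alerts = []
    def alert(msg):                      # keep alerts unique; the spoofer repeats every few seconds
        if msg not in alerts:
            alerts.append(msg)
    for line in lines:
        m = ARP_REPLY.match(line.strip())
        if not m:
            continue
        ip, mac = m["ip"], norm_mac(m["mac"])
        if ip in owner and owner[ip] != mac:
            alert(f"{ip} claimed by {mac}, expected {owner[ip]}")
        elif ip not in owner and m["dst"].lower() == "ff:ff:ff:ff:ff:ff":
            alert(f"unsolicited broadcast reply for {ip} from {mac}")
        owner.setdefault(ip, mac)        # first claim wins; later conflicts keep alerting
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > 1:
            alert(f"{mac} claims several IPs: {sorted(ips_by_mac[mac])}")
    return alerts

# Constructed trace: the gateway 15.1.1.1 answers once (unicast), then the attacker host
# 15.1.1.25 (MAC 00:10:83:34:29:72) broadcasts replies claiming the gateway address.
TRACE = [
    "0:4:4e:f2:d8:1 0:10:83:34:29:72 0806 42: arp reply 15.1.1.1 is-at 0:4:4e:f2:d8:1",
    "0:10:83:34:29:72 ff:ff:ff:ff:ff:ff 0806 42: arp reply 15.1.1.1 is-at 0:10:83:34:29:72",
    "0:10:83:34:29:72 ff:ff:ff:ff:ff:ff 0806 42: arp reply 15.1.1.1 is-at 0:10:83:34:29:72",
]
KNOWN = {"15.1.1.1": "00-04-4e-f2-d8-01", "15.1.1.25": "00-10-83-34-29-72"}  # pre-attack arp -a
```

With the KNOWN table the check also catches the attacker's MAC being bound to two addresses at once, which is exactly what the second arp -a above shows.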


Dynamic ARP Inspection (DAI)

To prevent ARP spoofing or poisoning, a switch must ensure that only valid ARP requests and responses are relayed.

DAI at the switch prevents these attacks by intercepting and validating all ARP requests and responses.

Each intercepted ARP reply is verified for valid MAC-address-to-IP-address bindings before it is forwarded to a PC to update the ARP cache.

ARP replies coming from invalid devices are dropped.

DAI determines the validity of an ARP packet based on a valid MAC-address-to-IP-address bindings database built by DHCP snooping or static ARP entries.

In addition, in order to handle hosts that use statically configured IP addresses, DAI can also validate ARP packets against user-configured ARP ACLs.

Dynamic ARP Inspection

DAI associates each interface with a trusted state or an untrusted state.

Trusted interfaces bypass all dynamic ARP inspection.

Untrusted interfaces undergo DAI validation.


[Diagram: the same ARP spoofing scenario with DAI. Gateway 10.1.1.1, MAC C.C.C.C, on a Trusted port; Host A and the attacker on Untrusted ports. The attacker's ARP is sent every 5 seconds; Host A now does an ARP. When the router replies, Host A adds it to its ARP table; when the attacker replies, the switch drops the packet.]

Switch: "I am running DHCP snooping with DAI. This ARP Reply is coming from an untrusted interface. Checked my database and it doesn't match. Drop it."

Configuring Dynamic ARP Inspection

1. Enable DAI on one or more VLANs.

Switch(config)# ip arp inspection vlan vlan-range

2. Configure trusted ports to override the untrusted default.

Switch(config)# interface type mod/num
Switch(config-if)# ip arp inspection trust

Once DAI is enabled on a VLAN, the switch monitors untrusted member ports to intercept and examine all ARP packets (requests and replies):

Sender values are checked on requests while both Sender and Target values are checked on replies.

Packets with IP-to-MAC address bindings not found in its DHCP snooping table are logged and discarded.


Configuring Dynamic ARP Inspection

3. (Optional) Configure additional validation of ARP packets (comparing addresses in the ARP packet against fields inside the frame). One or more command options must be chosen. Each such command overrides any previous setting.

Sw(config)# ip arp inspection validate {[src-mac] [dst-mac] [ip]}

src-mac: Check the source MAC address in the frame against the sender MAC address in the ARP packet. This check is performed on both ARP requests and replies. When enabled, packets with different MAC addresses are classified as invalid and dropped.

dst-mac: Check the destination MAC address in the frame against the target MAC address in the ARP reply. This check is performed for ARP replies ONLY. When enabled, packets with different MAC addresses are classified as invalid and dropped.

ip: Checks the ARP payload for invalid and unexpected IP addresses. Such addresses include 0.0.0.0, 255.255.255.255 and all IP multicast addresses. For ARP requests, the Sender's IP address is validated. For ARP replies, both the Sender's IP and the Target's IP address fields are validated.

Dynamic ARP Inspection

Sw1(config)# ip arp inspection vlan 10-50
Sw1(config)# int range gig 0/1 - 2
Sw1(config-if-range)# ip arp inspection trust

This example shows DAI enabled on SW1 for ports in VLANs 10 through 50.

All hosts are DHCP-configured. All member ports are untrusted by default. Only Gig 0/1, 0/2 are configured as trusted; these ports lead to the network core.

[Diagram: SW1 with access port f0/1 and uplinks gig0/1 & 0/2.]


ARP ACL for Dynamic ARP Inspection

4. For hosts that do not use DHCP, allowable MAC-IP bindings can be configured statically (as shown for DHCP snooping) or permitted via an ARP ACL.

4.1 Define the ARP ACL.

Switch(config)# arp access-list acl-name
Switch(config-arp-nacl)# permit ip host sender-ip mac host sender-mac

4.2 Apply the configured ARP ACL to DAI.

Switch(config)# ip arp inspection filter acl-name vlan vlan-range [static]

If there is no match against the ARP ACL, the DHCP bindings database is still checked next. However, if the static keyword is used, the DHCP bindings database will not be checked. In effect, this operates like an implicit deny statement at the end of the ARP ACL.
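A model of the DAI decision path from steps 1 to 4 above (trust state, the validate options, the ARP ACL with and without the static keyword, then the DHCP snooping table), added here as an example; it is not Cisco code and simplifies real DAI: only the sender binding is looked up in the DHCP table, and ARP ACL deny entries are not modelled. The ArpPacket fields, the BINDINGS and TRUSTED tables and the port names are constructed lab data.

```python
from dataclasses import dataclass

@dataclass
class ArpPacket:
    iface: str         # ingress switch port
    opcode: str        # "request" or "reply"
    frame_src: str     # Ethernet source MAC
    frame_dst: str     # Ethernet destination MAC
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str

def invalid_ip(ip):
    """The 'ip' option rejects 0.0.0.0, 255.255.255.255 and multicast (224-239.x.x.x)."""
    return ip in ("0.0.0.0", "255.255.255.255") or 224 <= int(ip.split(".")[0]) <= 239

def dai_decision(pkt, trusted, bindings, acl=None, static=False, validate=()):
    """Return 'forward' or 'drop' for one ARP packet on a DAI-enabled VLAN.
    trusted: set of trusted ports; bindings: DHCP snooping table {ip: mac};
    acl: ARP ACL permit entries {sender_ip: sender_mac} (deny entries not modelled);
    static: the [static] keyword; validate: any of "src-mac", "dst-mac", "ip"."""
    if pkt.iface in trusted:                       # trusted ports bypass all inspection
        return "forward"
    if "src-mac" in validate and pkt.frame_src != pkt.sender_mac:
        return "drop"                              # checked on requests and replies
    if "dst-mac" in validate and pkt.opcode == "reply" and pkt.frame_dst != pkt.target_mac:
        return "drop"                              # replies only
    if "ip" in validate:
        ips = [pkt.sender_ip, pkt.target_ip] if pkt.opcode == "reply" else [pkt.sender_ip]
        if any(invalid_ip(ip) for ip in ips):
            return "drop"
    if acl is not None:                            # ARP ACL is consulted before the DHCP table
        if acl.get(pkt.sender_ip) == pkt.sender_mac:
            return "forward"
        if static:                                 # implicit deny at the end of the ACL
            return "drop"
    # Binding lookup modelled on the sender fields only (a simplification of the slides' text).
    return "forward" if bindings.get(pkt.sender_ip) == pkt.sender_mac else "drop"

# Constructed lab data: gateway 10.1.1.1 (MAC C.C.C.C), host A 10.1.1.2, attacker 10.1.1.3
BINDINGS = {"10.1.1.2": "a.a.a.a", "10.1.1.3": "b.b.b.b"}
TRUSTED = {"Gi0/1", "Gi0/2"}                       # uplinks toward the core, as on SW1

def spoofed_reply(iface="Fa0/3"):
    """The attacker's reply from the slides: claims the gateway IP with its own MAC."""
    return ArpPacket(iface, "reply", "b.b.b.b", "ff:ff:ff:ff:ff:ff",
                     "10.1.1.1", "b.b.b.b", "10.1.1.2", "a.a.a.a")
```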

DAI Rate Limiting, Errdisable, etc.

Sw(config-if)# ip arp inspection limit rate {pps [burst interval secs] | none}

Incoming ARP packets on untrusted ports are rate-limited to protect against DoS attacks. Default = 15 pps, over a burst interval of 1 sec.

The burst interval is the consecutive interval in seconds over which the interface is monitored for an excessive ARP packet rate. Valid intervals are 1 to 15.

The maximum configurable rate is 2048 pps.

Specifying rate none allows unlimited ARPs, turning off rate limiting.

When this rate is exceeded, the port is placed in errdisable mode.

Detailed information on dealing with errdisable:
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00806cd87b.shtml

Check cisco.com for more detail on using DAI including log buffer handling, statistics, etc.


DAI Verification (1)

SwitchA# show ip arp inspection interfaces
Interface        Trust State  Rate (pps)  Burst Interval
---------------  -----------  ----------  --------------
Gi1/1            Trusted      None        N/A
Gi1/2            Untrusted    15          1
Fa2/1            Untrusted    15          1
Fa2/2            Untrusted    15          1

DAI Verification (2)

SwitchA# show ip arp inspection vlan 10
Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

Vlan  Configuration  Operation  ACL Match  Static ACL
----  -------------  ---------  ---------  ----------
10    Enabled        Active

Vlan  ACL Logging  DHCP Logging
----  -----------  ------------
10    Deny         Deny


DAI Verification (3)

SwitchA# show ip dhcp snooping binding
MacAddress         IpAddress   Lease(sec)  Type         VLAN  Interface
-----------------  ----------  ----------  -----------  ----  ---------------
. . .