Chap 8 -Minimising Service Loss & Data Theft


  • 8/13/2019 Chap 8 -Minimising Service Loss & Data Theft

    1/27

Chapter 8: Minimising Service Loss and Data Theft

Objectives

Understand switch security issues
Protect against VLAN attacks
Protect against spoof attacks
Secure network switches


Layer 2 Malicious Attacks

Layer 2 malicious attacks are typically launched by a device connected to the campus network. This can be a physical rogue device placed on the network or an external intrusion that takes control of, and launches attacks from, a trusted device.

In either case, the network sees all traffic as originating from a legitimate connected device. The following lists the types of attacks launched against switches and Layer 2:

1. MAC layer attacks
2. VLAN attacks
3. Spoof attacks
4. Switch device attacks


MAC Flood Attack

In a MAC flooding attack the attacker sends frames with thousands of bogus source MAC addresses until the switch's MAC address (CAM) table is full. Once the table is full, frames to legitimately connected hosts whose entries have been evicted are flooded out every port in the VLAN, so the attacker can capture traffic that a switch would normally deliver only to its destination port.

To mitigate MAC flooding, port security is configured to define the number of MAC addresses that are allowed on a given port. Port security can also specify which MAC addresses are allowed on a given port.


Switch Configuration: Port Security

To limit the number of addresses that can be learned on an interface, switches provide a feature called port security. The number of MAC addresses per port can be limited to 1 (the default). The first address dynamically learned by the switch becomes the secure address.


Static secure MAC addresses: MAC addresses are manually configured by using the switchport port-security mac-address interface configuration command. MAC addresses configured in this way are stored in the address table and are added to the running configuration on the switch.

Dynamic secure MAC addresses: MAC addresses are dynamically learned and stored only in the address table. MAC addresses learned in this way are removed when the switch restarts.

Sticky secure MAC addresses: You can configure a port to dynamically learn MAC addresses and then save these MAC addresses to the running configuration. They survive a reload only if the running configuration is then saved to the startup configuration.


switchport mode access
Sets the interface mode as access; an interface in the default mode (dynamic desirable) cannot be configured as a secure port.

switchport port-security
Enables port security on the interface.

switchport port-security maximum 6
Sets the maximum number of secure MAC addresses for the interface. The range is 1 to 132 (platform dependent); the default is 1.

switchport port-security aging time 5
Learned addresses are not aged out by default but can be with this command. Value from 1 to 1024 in minutes.

switchport port-security mac-address 0000.0000.000b
Enters a static secure MAC address for the interface; repeat the command as many times as necessary. You can use this command to enter up to the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned.

switchport port-security mac-address sticky
Enables sticky learning: dynamically learned addresses are converted to sticky secure addresses and written to the running configuration.

switchport port-security violation {protect | restrict | shutdown}
Sets the violation mode, the action to be taken when a security violation is detected.


Port Security: Violation

A violation occurs when the maximum number of secure addresses has been reached and a new MAC address attempts to access the port (or when a secure address on this port is seen on another secure port in the same VLAN). The switch then takes one of the following actions:

Protect: Frames from the non-allowed address are dropped, but there is no log of the violation and the violation counter is not incremented. The protect argument is platform or version dependent.

Restrict: Frames from the non-allowed address are dropped, the violation counter is incremented, a log message is created and a Simple Network Management Protocol (SNMP) trap is sent. The port stays up.

Shutdown (the default): If any frame is seen from a non-allowed address, the interface is err-disabled, a log entry is made, an SNMP trap is sent, and manual intervention (shutdown, then no shutdown) or errdisable recovery must be used to make the interface usable again. The port LED is switched off.

Switch(config-if)#switchport port-security violation {protect | restrict | shutdown}
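The following Python model is added here as an example and is not code from the original slides. It replays a MAC-flooding tool against a simulated access port to show what the maximum count, sticky learning and the three violation modes actually change. The SecurePort class, the mac_flood attacker, the log strings and all MAC addresses are constructed for the demonstration.

```python
"""Port-security simulation (added example, not from the original page).
Models one access port with a maximum secure-address count, sticky learning
and the protect / restrict / shutdown violation modes."""
from dataclasses import dataclass, field
import random

LEGIT_HOST = "00:11:22:33:44:55"          # constructed address of the real workstation


@dataclass
class SecurePort:
    maximum: int = 1                      # switchport port-security maximum N (default 1)
    violation: str = "shutdown"           # protect | restrict | shutdown (default)
    sticky: bool = False                  # switchport port-security mac-address sticky
    static: set = field(default_factory=set)     # switchport port-security mac-address X
    learned: list = field(default_factory=list)  # dynamic (or sticky) secure addresses
    errdisabled: bool = False
    violations: int = 0
    log: list = field(default_factory=list)

    def secure_addresses(self):
        return set(self.static) | set(self.learned)

    def ingress(self, src_mac):
        """Return True if a frame from src_mac is forwarded, False if dropped."""
        if self.errdisabled:
            return False                  # nothing passes an err-disabled port
        if src_mac in self.secure_addresses():
            return True
        if len(self.secure_addresses()) < self.maximum:
            self.learned.append(src_mac)  # first-come learning fills the free slots
            return True
        # Maximum reached and the source is not a secure address: a violation.
        if self.violation == "protect":
            return False                  # silent drop, no counter, no log
        self.violations += 1
        if self.violation == "restrict":
            self.log.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: {src_mac}")  # syslog + SNMP trap
            return False
        self.errdisabled = True           # shutdown: port goes err-disabled
        self.log.append(f"%PM-4-ERR_DISABLE: psecure-violation {src_mac}")
        return False

    def running_config(self):
        """Secure addresses that would appear in the running configuration."""
        addrs = sorted(self.static)
        if self.sticky:
            addrs += sorted(self.learned)  # sticky: learned addresses become config lines
        return addrs


def mac_flood(port, frames=500, seed=1):
    """Constructed attacker: frames with random locally-administered source MACs
    (the macof pattern). Returns how many frames the switch forwarded, i.e. how
    many bogus CAM entries it accepted."""
    rng = random.Random(seed)
    forwarded = 0
    for _ in range(frames):
        src = "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))
        if port.ingress(src):
            forwarded += 1
    return forwarded


def demo():
    """Run the flood against an unsecured port and against each violation mode."""
    results = {}
    open_port = SecurePort(maximum=10_000)           # no effective limit: attacker fills the CAM
    results["open"] = mac_flood(open_port)
    for mode in ("protect", "restrict", "shutdown"):
        port = SecurePort(maximum=1, violation=mode, sticky=True)
        port.ingress(LEGIT_HOST)                     # the real host is learned first
        results[mode] = {
            "forwarded": mac_flood(port),
            "errdisabled": port.errdisabled,
            "violations": port.violations,
            "log_lines": len(port.log),
            "config": port.running_config(),
            "legit_after": port.ingress(LEGIT_HOST),  # collateral damage check
        }
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The shutdown result is worth noting: the attacker's first frame err-disables the port, so the legitimate host loses connectivity too. That is why user-facing ports are often configured with restrict plus errdisable recovery, while shutdown is kept for ports where a second MAC is always an incident.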


AAA Network Configuration

Authentication, authorization, and accounting (AAA) network security services provide the primary framework through which access control is set up on a switch. AAA is an architectural framework for configuring a set of three independent security functions in a consistent manner.


802.1x Port-Based Authentication

Until the workstation is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the workstation is connected. After authentication succeeds, normal traffic can pass through the port.


Configure AAA & 802.1x

Figure: the client (supplicant) is on Fa0/1 of ALS1, the authenticator; Fa0/2 leads towards the authentication server 172.120.39.46.

ALS1# configure terminal
ALS1(config)#aaa new-model
ALS1(config)#radius-server host 172.120.39.46 auth-port 1812 key rad123
ALS1(config)#aaa authentication dot1x default group radius local
ALS1(config)#dot1x system-auth-control
ALS1(config)#int fa0/1
ALS1(config-if)#dot1x port-control {auto | force-authorized | force-unauthorized}
ALS1(config-if)#end

Port-based authentication can be handled by one or more external RADIUS servers. Note that although Cisco switches allow other authentication methods for login, only RADIUS is supported for 802.1x.
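The following Python model is added as an example and is not part of the original slides. It shows the authenticator's controlled-port gate (only EAPOL, EtherType 0x888E, passes until the RADIUS server answers Access-Accept) and what each dot1x port-control mode changes. The Dot1xPort class, the supplicant MAC and the RADIUS result passed in are constructed; the EAP/RADIUS exchange itself is not modelled.

```python
"""802.1x authenticator port model (added example, not from the original page).
Shows the controlled-port gate: only EAPOL (EtherType 0x888E) passes until the
RADIUS server returns Access-Accept, and what the three port-control modes change.
The RADIUS exchange is not modelled; its result is passed in as a constructed value."""

EAPOL = 0x888E                     # EAP over LAN
IPV4 = 0x0800
SUPPLICANT = "00:11:22:33:44:55"   # constructed MAC of the workstation on Fa0/1


class Dot1xPort:
    def __init__(self, port_control="auto"):
        # dot1x port-control {auto | force-authorized | force-unauthorized}
        self.port_control = port_control
        self.authorized = port_control == "force-authorized"
        self.supplicant = None         # MAC that passed authentication (single-host mode)

    def admit(self, src_mac, ethertype):
        """Controlled-port decision for one ingress frame: True = forwarded."""
        if self.port_control == "force-authorized":
            return True                # 802.1x effectively off on this port
        if self.port_control == "force-unauthorized":
            return False               # port never authorizes; all client traffic is ignored
        if ethertype == EAPOL:
            return True                # uncontrolled port: EAPOL always reaches the authenticator
        return self.authorized and src_mac == self.supplicant

    def eap_result(self, src_mac, radius_reply):
        """Apply the result the authenticator relayed from RADIUS (Access-Accept / Access-Reject)."""
        if self.port_control != "auto":
            return self.authorized
        if radius_reply == "Access-Accept":
            self.authorized, self.supplicant = True, src_mac
        else:
            self.authorized, self.supplicant = False, None   # stays unauthorized: EAPOL only
        return self.authorized

    def link_down(self):
        """Link flap or EAPOL-Logoff: the port returns to the unauthorized state."""
        self.authorized, self.supplicant = False, None


def scenario(port_control, radius_reply, second_mac="66:77:88:99:aa:bb"):
    """Frames the workstation sends before and after EAP completes (constructed input).
    Returns (IP before auth, EAPOL before auth, IP after auth, IP from a second MAC after auth)."""
    port = Dot1xPort(port_control)
    before_ip = port.admit(SUPPLICANT, IPV4)
    before_eapol = port.admit(SUPPLICANT, EAPOL)
    port.eap_result(SUPPLICANT, radius_reply)
    after_ip = port.admit(SUPPLICANT, IPV4)
    other_host = port.admit(second_mac, IPV4)   # e.g. a hub or attacker sharing the port
    return before_ip, before_eapol, after_ip, other_host


if __name__ == "__main__":
    for pc, reply in (("auto", "Access-Accept"), ("auto", "Access-Reject"),
                      ("force-authorized", "Access-Reject"),
                      ("force-unauthorized", "Access-Accept")):
        print(pc, reply, scenario(pc, reply))
```

The last element of each result is the point practitioners most often miss: in single-host mode an authorized port admits traffic only from the MAC that authenticated, so a second device plugged in behind the first is still blocked, whereas force-authorized disables the check entirely.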


VLAN Hopping: Switch Spoofing

Figure: S1 and S2 joined by an 802.1Q trunk with native VLAN 10, with hosts in VLAN 10 and VLAN 20 on each switch. The attacker's link to S1 has been negotiated as a trunk and therefore carries VLAN 10 and VLAN 20.

In a switch spoofing attack, the network attacker configures a system to spoof itself as a switch by performing Inter-Switch Link (ISL) or 802.1Q trunking, along with DTP negotiations, to establish a trunk connection to the switch.

By default, a trunk connection provides an attacker with access to all VLANs in the network.


VLAN Hopping: Double Tagging

Figure: attacker on an access port of S1 in VLAN 10; 802.1Q trunk from S1 to S2 with native VLAN 10; victim in VLAN 20 on S2. The frame leaves the attacker with two tags (VLAN 10 outer, VLAN 20 inner), crosses the trunk carrying only the VLAN 20 tag, and is delivered into VLAN 20.

1. The attacker sends a double-tagged broadcast frame into the local access LAN: the outer 802.1Q tag carries the trunk's native VLAN (10), the inner tag the target VLAN (20).
2. Switch 1 forwards this across the trunk, removing the first tag because it matches the native VLAN, which is sent untagged. The inner tag is now the outermost tag on the wire.
3. Switch 2 receives the frame, reads the remaining tag, and forwards it into VLAN 20.

The attack works only when the attacker's access VLAN is also the native VLAN of the trunk, and it is one-way: replies from VLAN 20 are not tagged back into VLAN 10, so it serves for injecting traffic (for example a DoS) rather than for a two-way session.


Mitigating VLAN Hopping

Switch Spoofing: Configure all user-facing and unused ports as access ports (switchport mode access) so that trunking cannot be negotiated across those links, and disable DTP on the ports that must be trunks (switchport nonegotiate). Place all unused ports in the shutdown state and associate them with a VLAN designated only for unused ports, carrying no user data traffic.

Double Tagging: Configure the native VLAN of every trunk as an unused VLAN, which can then be pruned off the trunk:

S1(config)#vlan 800
S1(config-vlan)#name bogus_native
S1(config-vlan)#exit
S1(config)#int fa0/1
S1(config-if)#switchport trunk encapsulation dot1q
S1(config-if)#switchport trunk native vlan 800
S1(config-if)#switchport trunk allowed vlan remove 800
S1(config-if)#switchport mode trunk
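The following Python model is added as an example and is not code from the original slides. It builds the attacker's double-tagged frame byte for byte and pushes it through simulated S1 access-port ingress, S1 trunk egress and S2 trunk ingress, first with native VLAN 10 (the vulnerable setup) and then with the bogus native VLAN 800 removed from the trunk. The attacker and victim addresses, the payload and the optional tag_native flag (modelling the vlan dot1q tag native command available on some platforms) are assumptions of the example.

```python
"""802.1Q double-tagging simulation (added example, not from the original page).
Builds the frame bytes and models access ingress, trunk egress and trunk ingress."""
import struct

DOT1Q = 0x8100
IPV4 = 0x0800
ATTACKER = "00:0c:29:aa:bb:cc"       # constructed
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def tag(vid, prio=0):
    """One 802.1Q tag: TPID 0x8100 followed by the TCI (PCP / DEI / 12-bit VID)."""
    return struct.pack("!HH", DOT1Q, (prio << 13) | (vid & 0xFFF))


def build_frame(dst, src, vids, payload=b"\x45" + b"\x00" * 19):
    """Ethernet frame with zero or more stacked 802.1Q tags, outermost first."""
    tags = b"".join(tag(v) for v in vids)
    return mac(dst) + mac(src) + tags + struct.pack("!H", IPV4) + payload


def outer_vid(frame):
    """VLAN ID of the outermost tag, or None if the frame is untagged."""
    if struct.unpack("!H", frame[12:14])[0] != DOT1Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0xFFF


def pop_tag(frame):
    return frame[:12] + frame[16:]


def access_ingress(frame, access_vlan):
    """Access port: untagged frames, or frames tagged with the access VLAN itself, are
    accepted into access_vlan with that tag stripped; any other tag is dropped."""
    vid = outer_vid(frame)
    if vid is None:
        return access_vlan, frame
    if vid == access_vlan:
        return access_vlan, pop_tag(frame)    # only the outer tag is examined
    return None, None


def trunk_egress(vlan, frame, native, allowed, tag_native=False):
    """802.1Q trunk egress: the native VLAN leaves untagged (unless tag_native),
    every other allowed VLAN gets a tag pushed in front of the existing header."""
    if vlan not in allowed:
        return None
    if vlan == native and not tag_native:
        return frame
    return frame[:12] + tag(vlan) + frame[12:]


def trunk_ingress(frame, native, allowed, tag_native=False):
    """802.1Q trunk ingress: untagged -> native VLAN, tagged -> that VLAN (if allowed)."""
    vid = outer_vid(frame)
    if vid is None:
        if tag_native or native not in allowed:
            return None, None
        return native, frame
    if vid not in allowed:
        return None, None
    return vid, pop_tag(frame)


def double_tag_attack(native, allowed, tag_native=False, attacker_vlan=10, target_vlan=20):
    """Attacker on an S1 access port in attacker_vlan sends outer=attacker_vlan,
    inner=target_vlan. Returns the VLAN S2 delivers the frame into (None = dropped)."""
    frame = build_frame(BROADCAST, ATTACKER, [attacker_vlan, target_vlan])
    vlan, frame = access_ingress(frame, attacker_vlan)                 # S1 access port
    if vlan is None:
        return None
    wire = trunk_egress(vlan, frame, native, allowed, tag_native)       # S1 -> S2 trunk
    if wire is None:
        return None
    vlan, _ = trunk_ingress(wire, native, allowed, tag_native)          # S2 trunk port
    return vlan


if __name__ == "__main__":
    print("native 10          ->", double_tag_attack(native=10, allowed={10, 20}))   # 20: hopped
    print("native 800 pruned  ->", double_tag_attack(native=800, allowed={10, 20}))  # 10: contained
    print("native 10 + tagged ->", double_tag_attack(native=10, allowed={10, 20}, tag_native=True))
```

With native VLAN 10 the frame arrives at S2 carrying only the VLAN 20 tag; with the native VLAN moved to the unused, pruned VLAN 800 the VLAN 10 frame is tagged on the trunk, so S2 classifies it into VLAN 10 and the inner tag is just payload. Forcing the native VLAN to be tagged gives the same result where the platform supports it.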


VLAN Access Control Lists

Router access control list (RACL): Applied to Layer 3 interfaces such as SVIs or L3 routed ports. It controls the access of routed traffic between VLANs. RACLs are applied on interfaces for specific directions (inbound or outbound). You can apply one access list in each direction.

Port access control list (PACL): Applied on a Layer 2 switch port, trunk port, or EtherChannel port. PACLs perform access control on traffic entering a Layer 2 interface. With PACLs, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC addresses. When you apply a PACL to a trunk port, it filters traffic on all VLANs present on the trunk port.

VLAN access control list (VACL): Supported on Cisco multilayer switches. Filtering is based on Layer 2 or Layer 3 parameters within a VLAN, so it also catches traffic that never leaves the VLAN and that a RACL would never see. Unlike RACLs, VACLs are not defined by direction (input or output).


VACL Configuration

Figure: DLS1 with Server 192.168.10.10/24 and Host 1 192.168.10.20/24 in VLAN 10, and Host 2 192.168.20.20/24 in VLAN 20. Goal: deny all traffic from VLAN 20 reaching the VLAN 10 server.

1. Create an ACL to define the traffic to block (a permit in the ACL means "this traffic matches the map entry"):
DLS1(config)#ip access-list extended DENY_SERVER
DLS1(config-ext-nacl)#permit ip 192.168.20.0 0.0.0.255 host 192.168.10.10
DLS1(config-ext-nacl)#exit

2. Create a VLAN access map that drops the matching traffic and forwards everything else (without the second entry, the implicit drop at the end of the map would discard all other traffic in VLAN 10):
DLS1(config)#vlan access-map DENY_MAP 10
DLS1(config-access-map)#match ip address DENY_SERVER
DLS1(config-access-map)#action drop
DLS1(config-access-map)#exit
DLS1(config)#vlan access-map DENY_MAP 20
DLS1(config-access-map)#action forward
DLS1(config-access-map)#exit

3. Apply the VLAN map to VLAN 10:
DLS1(config)#vlan filter DENY_MAP vlan-list 10
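The following Python model is added as an example and is not code from the original slides. It implements Cisco wildcard-mask matching and sequence-ordered vlan access-map evaluation, then replays the DENY_SERVER / DENY_MAP configuration against constructed flows, including the map without its forward clause to show the implicit drop. The ExtendedACL and VlanAccessMap classes and the flow names are assumptions of the example; only source/destination matching is modelled.

```python
"""VLAN access-map evaluation (added example, not from the original page).
Implements Cisco wildcard-mask matching and sequence-ordered vlan access-map
clauses, then replays the DENY_MAP configuration against constructed flows."""
import ipaddress


def _ip(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    return (_ip(addr) | _ip(wildcard)) == (_ip(base) | _ip(wildcard))


class ExtendedACL:
    """Named extended IP ACL; only source/destination matching is modelled."""

    def __init__(self, name):
        self.name, self.entries = name, []

    def add(self, action, src, src_wc, dst, dst_wc):
        self.entries.append((action, src, src_wc, dst, dst_wc))

    def matches(self, src, dst):
        """Inside a VLAN map a 'permit' ACE means 'this flow matches the clause';
        a 'deny' ACE means 'not matched here, evaluate the next clause'."""
        for action, s, swc, d, dwc in self.entries:
            if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
                return action == "permit"
        return False                        # implicit deny: no ACE matched


class VlanAccessMap:
    def __init__(self, name):
        self.name, self.clauses = name, []

    def clause(self, seq, action, match_acl=None):
        """vlan access-map NAME SEQ / [match ip address ACL] / action {drop|forward}"""
        self.clauses.append((seq, match_acl, action))
        self.clauses.sort(key=lambda c: c[0])   # evaluated in sequence order

    def decide(self, src, dst):
        for _, acl, action in self.clauses:
            if acl is None or acl.matches(src, dst):   # no match statement = match all
                return action
        return "drop"                       # a flow matching no clause is dropped


def build_deny_map(with_forward_clause=True):
    """The page's DENY_SERVER / DENY_MAP configuration, optionally without sequence 20."""
    deny_server = ExtendedACL("DENY_SERVER")
    deny_server.add("permit", "192.168.20.0", "0.0.0.255", "192.168.10.10", "0.0.0.0")  # host
    deny_map = VlanAccessMap("DENY_MAP")
    deny_map.clause(10, "drop", deny_server)
    if with_forward_clause:
        deny_map.clause(20, "forward")
    return deny_map


def evaluate(vlan_map):
    """Constructed flows as seen inside VLAN 10 after 'vlan filter DENY_MAP vlan-list 10'."""
    flows = {
        "host2_to_server": ("192.168.20.20", "192.168.10.10"),   # routed in from VLAN 20
        "host1_to_server": ("192.168.10.20", "192.168.10.10"),   # intra-VLAN 10
        "host2_to_host1": ("192.168.20.20", "192.168.10.20"),    # VLAN 20 to another VLAN 10 host
        "server_to_host2": ("192.168.10.10", "192.168.20.20"),   # server replies are not matched
    }
    return {name: vlan_map.decide(s, d) for name, (s, d) in flows.items()}


if __name__ == "__main__":
    print(evaluate(build_deny_map()))
    print(evaluate(build_deny_map(with_forward_clause=False)))   # everything in VLAN 10 dropped
```

Two things the model makes visible: the wildcard mask is the bit-inverse of a subnet mask, so 0.0.0.255 covers the whole /24, and a map whose only clause is a drop silently blackholes every other frame in the VLAN, which is the classic VACL outage.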


Private VLANs

Used by service providers to deploy host services and network access where all devices reside in the same subnet but only communicate with a default gateway, backup servers, or another network.

Catalyst 6500/4500/3650 switches implement private VLANs (PVLANs), whereas the 2950 and 3550 support protected ports, which is functionality similar to PVLANs on a per-switch basis.

Advantages of PVLANs include:

1. Provides security: hosts in the same subnet cannot reach each other at Layer 2 unless explicitly allowed.
2. Reduces the number of IP subnets.
3. Reduces VLAN utilisation by isolating traffic between network devices residing in the same VLAN.


Figure: Private VLAN topology on one switch. R1 (192.168.10.1/24) on Fa0/1 is the promiscuous port of primary VLAN 100; hosts 192.168.10.2/24 to 192.168.10.7/24 on Fa0/2 to Fa0/7 sit in secondary VLAN 10 (community), secondary VLAN 20 (community) and secondary VLAN 30 (isolated), all in the one subnet. The Yes/No arrows mark which host pairs can communicate directly.


Private VLAN Configuration

Create Private VLANs:

DLS2(config)#vtp mode transparent
DLS2(config)#vlan 10
DLS2(config-vlan)#private-vlan community
DLS2(config)#vlan 20
DLS2(config-vlan)#private-vlan community
DLS2(config)#vlan 30
DLS2(config-vlan)#private-vlan isolated
DLS2(config-vlan)#exit
DLS2(config)#vlan 100
DLS2(config-vlan)#private-vlan primary
DLS2(config-vlan)#private-vlan association 10,20,30


Populate Private VLANs:

DLS2(config)#int fa0/1
DLS2(config-if)#switchport mode private-vlan promiscuous
DLS2(config-if)#switchport private-vlan mapping 100 10,20,30
DLS2(config-if)#int fa0/2
DLS2(config-if)#switchport mode private-vlan host
DLS2(config-if)#switchport private-vlan host-association 100 10
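The following Python model is added as an example and is not code from the original slides. It encodes the private VLAN forwarding rules (promiscuous, community, isolated) for the topology in the figure and also shows the limit of the feature: isolation is Layer 2 only, so two isolated hosts that both reach the promiscuous router can still be routed to each other unless R1 filters that traffic. The page configures only Fa0/1 and Fa0/2; the roles of Fa0/3 to Fa0/7 are assumed from the figure, and the protected-port function models the 2950/3550 alternative mentioned above.

```python
"""Private VLAN reachability (added example, not from the original page).
Port roles for Fa0/3 to Fa0/7 are an assumption read from the figure; the page
itself configures only Fa0/1 (promiscuous) and Fa0/2 (host in community VLAN 10)."""

PRIMARY = 100
SECONDARY = {10: "community", 20: "community", 30: "isolated"}   # private-vlan association 10,20,30

# port -> (mode, secondary VLAN). Fa0/3 to Fa0/7 assumed from the figure.
PORTS = {
    "Fa0/1": ("promiscuous", None),                  # R1: private-vlan mapping 100 10,20,30
    "Fa0/2": ("host", 10), "Fa0/3": ("host", 10),    # community 10
    "Fa0/4": ("host", 20), "Fa0/5": ("host", 20),    # community 20
    "Fa0/6": ("host", 30), "Fa0/7": ("host", 30),    # isolated 30
}


def can_forward(src_port, dst_port, ports=PORTS, secondary=SECONDARY):
    """Layer 2 reachability inside primary VLAN 100 under private VLAN rules."""
    if src_port == dst_port:
        return False
    smode, svlan = ports[src_port]
    dmode, dvlan = ports[dst_port]
    if smode == "promiscuous" or dmode == "promiscuous":
        return True                              # promiscuous port reaches every secondary VLAN
    if secondary[svlan] == "isolated" or secondary[dvlan] == "isolated":
        return False                             # isolated hosts reach only promiscuous ports
    return svlan == dvlan                        # community: same community only


def reachability(ports=PORTS):
    """Matrix of direct L2 reachability: {src: {dst: bool}}."""
    names = sorted(ports)
    return {s: {d: can_forward(s, d, ports) for d in names if d != s} for s in names}


def reachable_via_router(src_port, dst_port, router_port="Fa0/1", ports=PORTS):
    """PVLAN isolation is Layer 2 only. If two hosts cannot talk directly but both reach
    the promiscuous router, R1 will route a packet from one back out to the other (same
    subnet) unless an ACL on R1 drops traffic whose source and destination are both local."""
    return (not can_forward(src_port, dst_port, ports)
            and can_forward(src_port, router_port, ports)
            and can_forward(router_port, dst_port, ports))


def protected_port_forward(src_protected, dst_protected):
    """The 2950/3550 'switchport protected' rule on a single switch: two protected ports
    never exchange traffic; protected to unprotected is allowed."""
    return not (src_protected and dst_protected)


if __name__ == "__main__":
    for src, row in reachability().items():
        print(src, " ".join(f"{dst}:{'Y' if ok else 'n'}" for dst, ok in row.items()))
    print("Fa0/6 -> Fa0/7 via R1:", reachable_via_router("Fa0/6", "Fa0/7"))
```

The reachable_via_router check is the reason PVLAN deployments pair the switch configuration with an ACL on the promiscuous router that denies traffic sourced from and destined to the PVLAN subnet.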


DHCP Snooping

Figure: client in VLAN 10 and a rogue DHCP server on access ports of ALS1; trunk from ALS1 to DLS1; legitimate DHCP server in VLAN 10 behind DLS1.

1. An attacker activates a DHCP server on a network segment.
2. The client broadcasts a request for DHCP configuration information.
3. The rogue DHCP server responds before the legitimate DHCP server can respond, assigning attacker-defined IP configuration information.
4. The attacker-supplied configuration names the attacker's address as the default gateway, so the client's packets are redirected to the attacker, which can inspect them and forward them on (a man-in-the-middle).


Common Security Attacks: Spoofing

DHCP snooping allows the configuration of ports as trusted or untrusted.

Trusted ports (the trunk towards the legitimate server, or the server port itself) may carry any DHCP message, including the server-originated OFFER, ACK and NAK.

Untrusted ports (all user-facing access ports) may forward only client DHCP messages such as DISCOVER and REQUEST; server messages arriving on an untrusted port are dropped, which silences the rogue DHCP server.

DHCP snooping enables the switch to build a DHCP binding table that maps a client MAC address, IP address, lease time, VLAN, and port ID. Dynamic ARP inspection and IP Source Guard consume this table.

Use the ip dhcp snooping command.

Figure: as above, with the ALS1 trunk port trusted and the client and rogue-server access ports untrusted.


DHCP Snooping - Configuration

Figure: client in VLAN 10 and the rogue DHCP server on ALS1 Fa0/2 and Fa0/3 (untrusted); ALS1 Fa0/1 is the trunk to DLS1 (trusted); the legitimate DHCP server in VLAN 10 is reached through DLS1.

ALS1(config)#ip dhcp snooping
ALS1(config)#ip dhcp snooping vlan 10
ALS1(config)#interface Fa0/1
ALS1(config-if)#ip dhcp snooping trust
ALS1(config-if)#interface range fa0/2-3
ALS1(config-if-range)#ip dhcp snooping limit rate 20
ALS1(config-if-range)#ip verify source vlan dhcp-snooping port-security

DLS1(config)#ip dhcp snooping
DLS1(config)#ip dhcp snooping vlan 10
DLS1(config)#interface range Fa0/1-2
DLS1(config-if-range)#ip dhcp snooping trust

The rate limit caps client DHCP packets per second on the untrusted ports; exceeding it err-disables the port. ip verify source (IP Source Guard) uses the binding table to drop IP packets whose source address (and, with the port-security keyword, source MAC) does not match a binding learned on that port.


ARP Spoofing

Figure: Host 1 192.168.10.10/24 (MAC aaa.aaa.aaa), Host 2 192.168.10.12/24 (MAC bbb.bbb.bbb) and the attacker 192.168.10.20/24 (MAC ccc.ccc.ccc), all on DLS1. Host 1's ARP cache entry for 192.168.10.12 changes from bbb.bbb.bbb to ccc.ccc.ccc after the gratuitous ARP.

1. Host 1 sends an ARP broadcast to determine the MAC address of the host with IP address 192.168.10.12.
2. Host 2 replies with its MAC address. Host 1 caches the ARP response, using it to populate the destination Layer 2 header of packets sent to 192.168.10.12.
3. The attacker sends a gratuitous ARP reply claiming 192.168.10.12 with MAC ccc.ccc.ccc. ARP is stateless, so Host 1 accepts the unsolicited reply and overwrites its cache entry with the attacker's MAC address.
4. All packets from Host 1 destined for Host 2 are now forwarded through the attacker's system.


Dynamic ARP Inspection (DAI)

Dynamic ARP Inspection (DAI) determines the validity of an ARP packet based on the MAC address-to-IP address bindings stored in the DHCP snooping database (hosts with static addresses need a user-configured ARP ACL instead). To ensure that only valid ARP requests and responses are relayed, DAI takes the following actions:

1. Forwards ARP packets received on a trusted interface without any checks.
2. Intercepts all ARP packets on untrusted ports.
3. Verifies that each intercepted packet has a valid IP-to-MAC address binding before forwarding packets that can update the local ARP cache.
4. Drops, logs, or drops and logs ARP packets with invalid IP-to-MAC address bindings.


Dynamic ARP Inspection - Configuration

Figure: same topology as for DHCP snooping: ALS1 Fa0/1 (trunk to DLS1) trusted, Fa0/2 and Fa0/3 (client, rogue server) untrusted.

ALS1(config)#ip arp inspection vlan 10
ALS1(config)#ip arp inspection validate src-mac dst-mac ip
ALS1(config)#interface Fa0/1
ALS1(config-if)#ip arp inspection trust

DLS1(config)#ip arp inspection vlan 10
DLS1(config)#interface range Fa0/1-2
DLS1(config-if-range)#ip arp inspection trust

The three validate keywords must be given in a single command: each ip arp inspection validate command replaces the previous one, so entering src-mac, dst-mac and ip on separate lines leaves only the last check active. The trunk must be trusted on both switches, or valid ARP replies arriving from the other switch (whose bindings are not in the local table) would be dropped.
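The following Python model is added as an example and is not code from the original slides. It covers the DHCP snooping, ARP spoofing and DAI slides together: a switch that classifies ports as trusted or untrusted, drops server messages on untrusted ports, builds the binding table from the legitimate ACK, rate-limits client DHCP, and then uses the table for dynamic ARP inspection (including the validate src-mac check) and for IP Source Guard. The SnoopingSwitch class, the log strings and every DHCP and ARP message are constructed; the port roles follow the ALS1 configuration above (Fa0/1 trusted trunk, Fa0/2 client, Fa0/3 attacker).

```python
"""DHCP snooping, dynamic ARP inspection and IP Source Guard on one switch
(added example, not from the original page). Port roles follow the ALS1
configuration: Fa0/1 trusted trunk, Fa0/2 client, Fa0/3 attacker, both untrusted.
All DHCP and ARP messages below are constructed."""
from collections import defaultdict

SERVER_MSGS = {"OFFER", "ACK", "NAK"}       # only a DHCP server legitimately sends these


class SnoopingSwitch:
    def __init__(self, vlans, trusted, rate_limit=None):
        self.vlans, self.trusted = set(vlans), set(trusted)
        self.rate_limit = rate_limit or {}   # port -> client DHCP packets allowed per second
        self.pending = {}                    # (vlan, client mac) -> port that sent the request
        self.bindings = {}                   # (vlan, mac) -> (ip, port): the snooping binding table
        self.counters = defaultdict(int)     # (port, second) -> client DHCP packets seen
        self.errdisabled = set()
        self.log = []

    def dhcp(self, port, vlan, msg, client_mac, yiaddr=None, second=0):
        """Return True if the switch forwards this DHCP message."""
        if vlan not in self.vlans:
            return True                      # snooping not enabled on this VLAN: untouched
        if port in self.errdisabled:
            return False
        if port in self.trusted:
            if msg == "ACK" and yiaddr and (vlan, client_mac) in self.pending:
                # learn the binding from the real server's ACK, tied to the requesting port
                self.bindings[(vlan, client_mac)] = (yiaddr, self.pending.pop((vlan, client_mac)))
            return True                      # trusted: anything passes
        if msg in SERVER_MSGS:               # a server talking on an access port: rogue
            self.log.append(f"DHCP_SNOOPING: server message {msg} dropped on untrusted {port}")
            return False
        self.counters[(port, second)] += 1
        if port in self.rate_limit and self.counters[(port, second)] > self.rate_limit[port]:
            self.errdisabled.add(port)       # ip dhcp snooping limit rate exceeded
            self.log.append(f"DHCP_SNOOPING: {port} err-disabled, rate limit exceeded")
            return False
        if msg in ("DISCOVER", "REQUEST"):
            self.pending[(vlan, client_mac)] = port
        return True

    def arp(self, port, vlan, sender_mac, sender_ip, frame_src_mac=None):
        """Dynamic ARP inspection. Trusted ports are not checked; on untrusted ports the
        sender MAC/IP must match a binding for this VLAN and port. frame_src_mac models
        'ip arp inspection validate src-mac'."""
        if port in self.trusted:
            return True
        if frame_src_mac is not None and frame_src_mac != sender_mac:
            self.log.append(f"DAI: src-mac mismatch on {port}")
            return False
        if self.bindings.get((vlan, sender_mac)) != (sender_ip, port):
            self.log.append(f"DAI: invalid ARP {sender_ip} is-at {sender_mac} on {port}")
            return False
        return True

    def ip_packet(self, port, vlan, src_mac, src_ip):
        """IP Source Guard (ip verify source ... port-security): source IP and MAC must match
        the binding learned on this port; hosts without a binding cannot send IP at all."""
        if port in self.trusted:
            return True
        return self.bindings.get((vlan, src_mac)) == (src_ip, port)


def scenario():
    """Host 2 (bb:..) obtains 192.168.10.12; the attacker (cc:..) on Fa0/3 tries a rogue OFFER,
    a gratuitous ARP for Host 2's address, a spoofed IP packet and a DISCOVER flood."""
    sw = SnoopingSwitch(vlans={10}, trusted={"Fa0/1"}, rate_limit={"Fa0/2": 20, "Fa0/3": 20})
    host2, attacker = "bb:bb:bb:bb:bb:bb", "cc:cc:cc:cc:cc:cc"
    r = {}
    r["discover"] = sw.dhcp("Fa0/2", 10, "DISCOVER", host2)
    r["rogue_offer"] = sw.dhcp("Fa0/3", 10, "OFFER", host2, yiaddr="192.168.10.99")   # dropped
    r["real_offer"] = sw.dhcp("Fa0/1", 10, "OFFER", host2, yiaddr="192.168.10.12")    # via trunk
    sw.dhcp("Fa0/2", 10, "REQUEST", host2)
    sw.dhcp("Fa0/1", 10, "ACK", host2, yiaddr="192.168.10.12")
    r["binding"] = sw.bindings[(10, host2)]
    r["host2_arp"] = sw.arp("Fa0/2", 10, host2, "192.168.10.12", frame_src_mac=host2)
    r["spoofed_arp"] = sw.arp("Fa0/3", 10, attacker, "192.168.10.12", frame_src_mac=attacker)
    r["spoofed_ip"] = sw.ip_packet("Fa0/3", 10, attacker, "192.168.10.12")
    r["flood"] = [sw.dhcp("Fa0/3", 10, "DISCOVER", f"02:00:00:00:00:{i:02x}", second=1)
                  for i in range(25)]
    r["fa0/3_errdisabled"] = "Fa0/3" in sw.errdisabled
    return r


if __name__ == "__main__":
    for key, value in scenario().items():
        print(key, value)
```

The binding is keyed to the port that sent the request, not the trusted port on which the ACK arrived; that is what lets DAI and IP Source Guard reject the attacker's claim to 192.168.10.12 even though the address itself is valid on the VLAN. The rate limit turns a DISCOVER flood (an attempt to exhaust the real server's pool) into an err-disabled attacker port instead.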


Switch Security Summary

CDP packets can expose network information (platform, IOS version, addresses); disable CDP on untrusted or user-facing ports.
Authentication information and data carried in Telnet sessions are sent in clear text and are vulnerable to capture.
SSH provides a more secure alternative to Telnet.
VTY ACLs should be used to limit remote management access to switch devices.
VTY ACL configuration commands use standard IP access lists.
Sound security measures and trimming of unused applications and services are the basis of best practices.


Any Questions?