Understanding Switch Security 2003 Cisco Systems Inc All

Understanding Switch Security © 2003, Cisco Systems, Inc. All rights reserved. 2 -1

Overview of Switch Security • Most attention surrounds security attacks from outside the walls of an organization. • Inside the network is left largely unconsidered in most security discussions. © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -2

Overview of Switch Security • The default state of networking equipment: • Firewalls (placed at the organizational borders) – Default: Secure and must be configured for communications. • Routers and switches (placed internal to an organization) – Default: Unsecured, and must be configured for security © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -3

Rogue Access Points • Rogue network devices can be: – Access switches – Wireless routers – Wireless access points – Hubs • These devices are typically connected at access level switches. © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -4

Rogue Access Points • Mitigating STP manipulation – To enforce the placement of the root bridge – To enforce the STP domain borders • Use: – Root guard – BPDU guard © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -5

Problem: BPDUs BPDU Blocking and now listening to BPDUs X Portfast Forwards BPDUs to other switches. STP Reconvergence? • Enabling Port. Fast can create a security risk in a switched network. • A port configured with Port. Fast will go into blocking state if it receives a Bridge Protocol Data Unit (BPDU). • This could lead to false STP information that enters the switched network and causes unexpected STP behavior. © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -6

Solution: BPDU Guard BPDU Err-Disable, Shutdown | No BPDUs sent Portfast & BPDU Guard Not supported with Packet Tracer Distribution 1(config)#interface range fa 0/10 - 24 Distribution 1(config-if-range)#spanning-tree bpduguard enable • • When the BPDU guard feature is enabled on the switch, STP shuts down Port. Fast enabled interfaces that receive BPDUs instead of putting them into a blocking state. BPDU guard will also keep switches added outside the wiring closet by users from impacting and possibly violating Spanning Tree Protocol. © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -7

Root Guard Protect Potential Root Guard prevents a switch from becoming the root bridge. Typically access switches l Configured on switches that connect to this switch. © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -8

Root Guard l Uplink. Fast must be disabled because it cannot be used with root guard. l Next Distribution 1(config)#interface fa 0/3 Distribution 1(config-if-range)#spanning-tree guard root Distribution 1(config)#interface gig 0/2 Distribution 1(config-if-range)#spanning-tree guard root Distribution 2(config)#interface fa 0/3 Distribution 2(config-if-range)#spanning-tree guard root Distribution 2(config)#interface gig 0/1 Distribution 2(config-if-range)#spanning-tree guard root Access 2(config)#no spanning-tree uplinkfast © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -9

Root Guard I will now transition to STP Inconsistent listening sate, then State – no traffic learning state, then is passed. forwarding sate. • Superior BPDU I no longer want to be root. I have I want to be been root bridge! reconfigured to be a nonroot bridge. This message appears after root guard blocks a port: %SPANTREE-2 -ROOTGUARDBLOCK: Port 0/3 tried to become non -designated in VLAN 1. Moved to root-inconsistent state © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -10

Switch Attack Categories • MAC layer attacks • VLAN attacks • Spoofing attacks • Attacks on switch devices © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -11

MAC Flooding Attack © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -12

Building the MAC Address Table Port Source MAC Add. 1 1111 3333 1111 switch • Switch learns Source MAC • Destination MAC is not in table, so floods it out all ports (unknown unicast) 1111 3333 Abbreviated MAC addresses 2222 © 2003, Cisco Systems, Inc. All rights reserved. 4444 BCMSN v 2. 0— 2 -13

Building the MAC Address Table Port Source MAC Add. 1 1111 6 3333 1111 3333 switch • Frame is sent from 3333 1111 3333 Abbreviated MAC addresses 2222 © 2003, Cisco Systems, Inc. All rights reserved. 4444 BCMSN v 2. 0— 2 -14

Building the MAC Address Table Port Source MAC Add. 1 1111 6 3333 1111 switch • Bidirectional Communications 1111 3333 Abbreviated MAC addresses 2222 © 2003, Cisco Systems, Inc. All rights reserved. 4444 BCMSN v 2. 0— 2 -15

Building the MAC Address Table Port Source MAC Add. 1 1111 Numerous Invalid 6 3333 Source Addresses 3333 Numerous Invalid Source Addresses switch • Common Layer 2 or switch attack • For: – Collecting a broad sample of traffic – Denial of Service (Do. S) attack 1111 3333 Abbreviated MAC addresses 2222 © 2003, Cisco Systems, Inc. All rights reserved. 4444 Attacker • Switch’s CAM tables are limited in size (1, 024 to over 16, 000 entries). • Tools such as dsniff can flood the CAM table in just over 1 minute. 16 BCMSN v 2. 0— 2 -16

Building the MAC Address Table Port Source MAC Add. 1 1111 Numerous Invalid TABLE IS FULL 6 3333 Source Addresses switch 3333 Numerous Invalid Source Addresses • Dsniff (macof) can generate 155, 000 MAC entries on a switch per minute • It takes about 70 seconds to fill the cam table 1111 • Once table is full, traffic without a CAM entry floods on the VLAN. (unknown unicasts) 3333 Abbreviated MAC addresses 2222 © 2003, Cisco Systems, Inc. All rights reserved. 4444 Attacker BCMSN v 2. 0— 2 -17

Building the MAC Address Table Port Source MAC Add. 1 1111 Numerous Invalid TABLE IS FULL 6 3333 Source Addresses switch 3333 Numerous Invalid Source Addresses • Once the CAM table is full, new valid entries will not be accepted. • Switch must flood frames to that address out all ports. • This has two adverse effects: • The switch traffic forwarding is I see all inefficient and voluminous. 1111 frames! • An intruding device can be 3333 connected to any switch port and capture traffic not normally seen on that port. Abbreviated MAC addresses 2222 © 2003, Cisco Systems, Inc. All rights reserved. 4444 Attacker BCMSN v 2. 0— 2 -18

MAC Flooding • If the attack is launched before the beginning of the day, the CAM table would be full as the majority of devices are powered on. • If the initial, malicious flood of invalid CAM table entries is a one-time event: • Eventually, the switch will age out older, invalid CAM table entries • New, legitimate devices will be able to create an entry in the CAM • Traffic flooding will cease • Intruder may never be detected (network seems normal). © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -19

Port Security Port security restricts port access by MAC address. © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -20

Configuring Port Security on a Switch(config-if)# switchport-security [maximum value] violation {protect | restrict | shutdown} mac -address mac-address • Enable port security. • Set MAC address limit. • Specify allowable MAC addresses. • Define violation actions. Switch(config-if)# switchport-security © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -21

Configuring Port Security on a Switch(config-if)# switchport-security maximum value • Set the number of allowed MAC address that the port can grant access. – Default = 1 – Range 1 to 1, 024 • These addresses can be configured explicitly or can be learned dynamically. • Default: Addresses are learned dynamically by hosts sending frames on that interface. © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -22

Configuring Port Security on a Switch(config-if)# switchport-security mac-address sticky • You can configure MAC addresses to be sticky. – Dynamically learned or manually configured – Stored in the MAC address table – Added to the running-config • If the running-config is copied to the startup-config the interface does not need to dynamically relearn them when the switch restarts. • After using this command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses. – You must: copy running-config startup-config – If you do not save the configuration, they are lost. • If sticky learning is disabled, the sticky secure MAC addresses are converted to dynamic secure addresses and are removed from the running configuration. • Note: Sticky secure addresses can be manually configured, it is not recommended. © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -23

Configuring Port Security on a Switch(config-if)# switchport-security aging time value • Learned addresses are not aged out by default but can be with this command. • Value from 1 to 1024 in minutes. © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -24

Configuring Port Security on a Switch(config-if)# switchport-security mac-address • MAC addresses can be statically configured on an interface. • If the number of static addresses configured is less than the maximum number secured on the port the remaining address are learned dynamically. Switch(config-if)# switchport-security maximum value © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -25

Port Security: Secure MAC Addresses • The switch supports these types of secure MAC addresses: • Static – Configured using switchport-security mac-address – Stored in the address table – Added to running configuration. • Dynamic – These are dynamically configured – Stored only in the address table – Removed when the switch restarts • Sticky – These are dynamically configured – Stored in the address table – Added to the running configuration. – If running-config saved to startup-config, when the switch restarts, the interface does not need to dynamically reconfigure them. – Note: When you enter this command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses. The interface adds all the sticky secure MAC addresses to the running configuration. © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -26

Port Security: Violation • Station attempting to access the port is different from any of the identified secure MAC addresses, a security violation occurs. © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -27

Port Security: Violation Switch(config-if)#switchport-security violation {protect | restrict | shutdown} • By default, if the maximum number of connections is achieved and a new MAC address attempts to access the port, the switch must take one of the following actions: • Protect: • • • Port is allowed to stay up • Frames from the nonallowed address are dropped • There is no log of the violation Restrict: • Port is allowed to stay up • Frames from the nonallowed address are dropped • A log message is created and Simple Network Management Protocol (SNMP) trap and syslog message of the violation are kept/sent. Shut down (default): • Port is put into Errdisable state which effectively shuts down the port. • Frames from a nonallowed address: – Log entry is made, SNMP trap sent • Interface must be reenabled manually. (shutdown > no shutdown) © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -28

Port Security: Steps © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -29

Port Security: Static Addresses X Switch(config)# interface fa 0/1 Switch(config-if)# switchport mode access Switch(config-if)# switchport-security maximum 3 Switch(config-if)# switchport-security mac-address 0000. 000 a Switch(config-if)# switchport-security mac-address 0000. 000 b Switch(config-if)# switchport-security mac-address 0000. 000 c • Restricts input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port. • The port does not forward packets with source addresses outside the group of defined addresses. © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -30

Port Security: Verify Switch# show port-security • Displays security information for all interfaces Switch# show port-security Secure Port Max. Secure. Addr Current. Addr Sec Violation Sec Action (Count) ----------------------------------- Fa 5/1 11 0 Shutdown Fa 5/5 15 5 0 Restrict Fa 5/11 5 4 0 Protect -----------------------------------Total Addresses in System: 21 Max Addresses limit in System: 128 © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -31

Port Security: Verify Switch# show port-security interface type mod/port • Displays security information for a specific interface Switch# show port-security interface fastethernet 5/1 Port Security: Enabled Port status: Secure. Up Violation mode: Shutdown Maximum MAC Addresses: 11 Total MAC Addresses: 11 Configured MAC Addresses: 3 Aging time: 20 mins Aging type: Inactivity Secure. Static address aging: Enabled Security Violation count: 0 © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -32

Verifying Port Security (Cont. ) Switch#show port-security address • Displays MAC address table security information Switch#show port-security address Secure Mac Address Table ---------------------------------Vlan Mac Address Type Ports Remaining Age (mins) ------ ---- ------------1 0001 Secure. Dynamic Fa 5/1 15 (I) 1 0001. 0002 Secure. Dynamic Fa 5/1 15 (I) 1 0001. 1111 Secure. Configured Fa 5/1 16 (I) 1 0001. 1112 Secure. Configured Fa 5/1 1 0001. 1113 Secure. Configured Fa 5/1 1 0005. 0001 Secure. Configured Fa 5/5 23 1 0005. 0002 Secure. Configured Fa 5/5 23 1 0005. 0003 Secure. Configured Fa 5/5 23 1 0011. 0001 Secure. Configured Fa 5/11 25 (I) 1 0011. 0002 Secure. Configured Fa 5/11 25 (I) ---------------------------------Total Addresses in System: 10 Max Addresses limit in System: 128 © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -33

802. 1 x Port-Based Authentication Network access through switch requires authentication. © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -34

Port Authentication EAPOL Authenticated Normal traffic • Cisco Catalyst switches can support-based authentication which is a combination of: • AAA authentication • Port security • Based on IEEE 802. 1 x standard which defines a client-server-based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports. • Until the client is authenticated, 802. 1 X access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the client is connected. • The authentication server authenticates each client connected to a switch port before making available any services offered by the switch or the LAN. • After authentication is successful, normal traffic can pass through the port. © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -35

Port Authentication EAPOL Authenticated Normal traffic • Client or server can initiate 802. 1 x session. • Switch port starts off in the unauthorized state – EAPOL traffic only, no data traffic. • If client supports 802. 1 x but switch does not, the client abandons 802. 1 x and communicates normally. – See you OS instructions for enabling 802. 1 x • If the switch is configured for 802. 1 x but the client does not support it, the switch port remains in the unauthorized state and will not forward any traffic from the client. • Authorized state ends and reverts back to unauthorized state when: – User logs out – Switch times out user’s authorized session © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -36

Port Authentication EAPOL Authenticated Normal traffic • Port based authentication can be handled by one or more RADIUS (Remote Authentication Dial-In User Service) servers. • Note: Cisco does have other authentication methods (TACACS) but only RADIUS is supported for 802. 1 x. © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -37

Configuring 802. 1 x on the switch. 1. Enable AAA on the switch (disabled by default) Switch(config)# aaa new-model 2. Define the RADIUS servers Switch(config)# radius-server host {hostname | ip-address} [key string] 3. Define the authentication method Switch(config)# aaa authentication dot 1 x default group radius Causes all RADIUS authentication servers that are defined on the switch (previous step) to be used for 802. 1 x authentication. 4. Enable 802. 1 x on the switch (disabled by default) Switch(config)# dot 1 x system-auth-control © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -38

Configuring 802. 1 x on the switch. X 5. Configure each switch port that will use 802. 1 x EAPOL Authenticated Normal traffic Switch(config)# interface type mod/num Switch(config-if)# dot 1 x port-control [force-authorized | force unauthorized | auto} • • • force-authorized (default): – Port is forced to authorize with the connected client. – No authentication necessary: Disables 802. 1 X and causes the port to transition to the authorized state without any authentication exchange required. – The port transmits and receives normal traffic without 802. 1 X-based authentication of the client. force-unauthorized: – Port is forced to never authorize with the any connected client. – Causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate. – Port cannot send normal user traffic. Auto: – Port uses an 802. 1 x exchange (EAPOL) to move from unauthorized to authorized state. © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -39

Configuring 802. 1 x on the switch. 6. Allow multiple hosts on the a switch port. Switch(config)# interface type mod/num Switch(config-if)# dot 1 x host-mode multi-host • If a switch is connected to another switch or a hub 802. 1 x allows for all hosts on that port to receive the same authentication method. • Verify: show dot 1 x all © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -40

Configuring 802. 1 x on the switch. 172. 30. 100 Switch(config)# aaa new-model Switch(config)# radius-server host 172. 30. 100 key Big. Secret Switch(config)# aaa authentication dot 1 x default group radius Switch(config)# dotx system-auth-control Switch(config)# interface range fa 0/1 - 40 Switch(config-if)# switchport access vlan 10 Switch(config-if)# switchport mode access Switch(config-if)# dot 1 x port-control auto © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -41

Protecting Against VLAN Attacks © 2003, Cisco Systems, Inc. All rights reserved. 2 -42

VLAN Hopping Attacks • With trunking protocols possibility of rogue traffic “hopping” from one VLAN to another. • Creates security vulnerabilities. • These VLAN Hopping attacks are best mitigated by close control of trunk links: – VLAN Access Control Lists (VACLs) – Private VLANs (PVLANs). © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -43

Explaining VLAN Hopping • VLAN hopping attack where an end system sends packets to, or collects packets from, a VLAN that should not be accessible to that end system. • This is done by: – Switch spoofing – Double tagging © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -44

VLAN Hopping: Switch Spoofing • Attacker configures a system to spoof itself as a switch by emulating: – ISL or 802. 1 Q signaling – Dynamic Trunking Protocol (DTP) signaling • Attacking system spoofs itself as a legitimate trunk negotiating device. – Trunk link is negotiated dynamically. • Attacking device gains access to data on all VLANs carried by the negotiated trunk. “I’m a switch” © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -45

VLAN Hopping: DTP Dynamic Auto Dynamic Desirable Trunk Access Dynamic Auto Access Trunk Access Dynamic Desirable Trunk Access Trunk Not recommended Access Not recommended Access Note: Table assumes DTP is enabled at both ends. • show dtp interface – to determine current setting © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -46

VLAN Hopping: switchport mode access l Both of these commands “should” be used for access ports: switchport mode access switchport access vlan n © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -47

VLAN Hopping: no switchport mode access l Without the switchport mode access command, this interface will still try to negotiate trunking. © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -48

VLAN Hopping: switchport mode access l Now configure the range of interfaces for permanent nontrunking, access mode l Notice that negotiation of trunking has been turned off and that this port will only be a non-trunking access port. © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -49

VLAN Hopping with Double Tagging © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -50

VLAN Hopping with Double Tagging • Double tagging allows a frame to be forwarded to a destination VLAN other than the source’s VLAN. • Attacker’s workstation generates frames with two 802. 1 Q headers • Switch forwards the frames onto a VLAN that would be inaccessible to the attacker through legitimate means. © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -51

VLAN Hopping with Double Tagging • First switch strips the first tag off the frame because the first tag (VLAN 10) matches the trunk port – Frame is forwarded with the inner 802. 1 Q tag • Second switch then forwards the packet to the destination based on the VLAN identifier in the second 802. 1 Q header. © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -52

Mitigating VLAN Hopping: Access Ports Switch(config)#interface range fa 0/11 - 15 Switch(config-if-range)#switchport mode access Switch(config-if-range)#switchport access vlan 10 Switch(config)#interface range fa 0/16 - 17 Switch(config-if-range)#shutdown Switch(config-if-range)#switchport mode access Switch(config-if-range)#switchport access vlan 999 • Access Ports – Configure all unused ports as access ports so that trunking cannot be negotiated across those links. – Place all unused ports: • In the shutdown state • Associate with a VLAN designed only for unused ports, carrying no user data traffic © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -53

Mitigating VLAN Hopping: Trunk Ports Switch(config)#interface gig 0/1 Switch(config-if-range)#switchport mode trunk Switch(config-if-range)#switchport trunk native vlan 2 Switch(config-if-range)#switchport trunk allowed vlan 2, 10, 20, 99 • Trunk Ports – Trunking as “on, ” rather than negotiated – The native VLAN to be different from any data VLANs (VLAN 1 is the default) – The specific VLAN range to be carried on the trunk © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -54

Types of ACLs © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -55

Types of ACLs • • • Access control lists (ACLs) are useful for controlling access in a multilayer switched network. This topic describes VACLs and their purpose as part of VLAN security. Cisco Systems multilayer switches support three types of ACLs Router access control lists (RACLs): – Supported in the TCAM hardware on Cisco multilayer switches. – In Catalyst switches, RACL can be applied to any routed interface, such as a switch virtual interface (SVI) or Layer 3 routed port. Port access control list (PACL): – Filters traffic at the port level. PACLs can be applied on a Layer 2 switch port, trunk port, or Ether. Channel port. – Allow Layer 3 filtering on Layer 2 ports. VACLs: – VACLs, also known as VLAN access-maps, apply to all traffic in a VLAN. – VACLs support filtering based on Ethertype and MAC addresses. VACLs are order-sensitive, similar to Cisco IOS–based route maps. – VACLs are capable of controlling traffic flowing within the VLAN or controlling switched traffic, whereas RACLs control only routed traffic. © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -56

VACLs 1. Define a VLAN access map. Switch(config)# vlan access-map map_name [seq#] • VACLs (a. k. a. VLAN access maps) apply to all traffic on the VLAN. • VACLs apply to: – IP traffic – MAC-Layer traffic • VACLs follow route-map conventions, in which map sequences are checked in order. • First, define the VLAN access map. • If you don’t specify a sequence number, the first route map condition will be automatically numbered as 10. © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -57

VACLs 2. Configure a match clause. Switch(config-access-map)# match {ip address {1 -199 | 1300 -2699 | acl_name} | ipx address {800 -999 | acl_name}| mac address acl_name} 3. Configure an action clause Switch(config-access-map)# action {drop [log]} | {forward [capture]} | {redirect {{fastethernet | gigabitethernet | tengigabitethernet} slot/port} | {port-channel_id}} Once you have entered the vlan access-map command, you can enter match and action commands in the route-map configuration mode. • Each access-map command has a list of match and action commands associated with it. – The match commands specify the match criteria—the conditions that should match be tested to determine whether or not to take action. – The action commands specify the actions—the actions to perform if the match criteria are met. © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -58

VLAN Map Configuration Guidelines • If there is no VLAN ACL configured to deny traffic on a routed VLAN interface (input or output), and no VLAN map configured, all traffic is permitted. • Each VLAN map consists of a series of entries. – The order of entries in an VLAN map is important. – A frame that comes into the switch is tested against the first entry in the VLAN map. – If it matches, the action specified for that part of the VLAN map is taken. – If there is no match, the packet is tested against the next entry in the map. • If the VLAN map has at least one match clause for the type of packet (IP or MAC) and the packet does not match any of these match clauses, the default is to drop the packet. • If there is no match clause for that type of packet in the VLAN map, the default is to forward the packet. © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -59

Configuring VACLs. 1. Define a VLAN access map. Switch(config)# vlan access-map map_name [seq#] 2. Configure a match clause. Switch(config-access-map)# match {ip address {1 -199 | 1300 -2699 | acl_name} | ipx address {800 -999 | acl_name}| mac address acl_name} 3. Configure an action clause Switch(config-access-map)# action {drop [log]} | {forward [capture]} | {redirect {{fastethernet | gigabitethernet | tengigabitethernet} slot/port} | {port-channel_id}} 4. Apply a map to VLANs Switch(config)# vlan filter map_name vlan_list © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -60

Example 1 l Drop all traffic from network 10. 1. 9. 0/24 on VLAN 10 and 20, l Drop all traffic to Backup Server 0000. 1111. 4444 © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -61

Example 2 l Drop packets with source IP 10. 1. 0. 0/16 in VLANs 1 -4094. l (Default) Drop all other IP packets: VLAN map has at least one match clause, IP address l (Default) Forward all non-IP packets: Forward all other “frames”, no match clauses © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -62

l l l Forward all UDP packets Drop all IGMP packets Forward all TCP packets (Default) Drop all other IP packets: VLAN map has at least one match clause, tcp-match (Default) Forward all non-IP packets: Forward all other “frames”, no match clauses © 2003, Cisco Systems, Inc. All rights reserved. FYI Example 3 BCMSN v 2. 0— 2 -63

Protecting Against Spoof Attacks © 2003, Cisco Systems, Inc. All rights reserved. 2 -64

DHCP Spoof Attacks • The DHCP spoofing device replies to client DHCP requests. • The intruder’s DHCP reply offers: • IP address/Mask • Default gateway • Domain Name System (DNS) server • Clients will then forward packets to the attacking device, which will in turn send them to the desired destination. • This is referred to as a “man-inthe-middle” attack. © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -65

DHCP Review © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -66

DHCP Discover: Host, “I need an IP Address…” © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -67

DHCP Discover: Host, “I need an IP Address…” © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -68

DHCP Offer: Server, “I’ll offer one to you. ” © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -69

DHCP Offer: Server, “I’ll offer one to you. ” © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -70

DHCP Request: Host, “I’ll take it. ” © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -71

DHCP Request: Host, “I’ll take it. ” © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -72

DHCP ACK: Server, “It’s all yours. ” © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -73

DHCP ACK: Server, “It’s all yours. ” © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -74

The result… © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -75

DHCP Spoof Attacks “Here you go, I might be first!” (Rouge) “I can now forward these on to my leader. ” (Rouge) “I need an IP address/mask, default gateway, and DNS server. ” “Got it, thanks!” “Here you go. ” (Legitimate) “Already got the info. ” All default gateway frames and DNS requests sent to Rogue. © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -76

DHCP Snooping • DHCP snooping is a Cisco Catalyst feature that determines which switch ports can respond to DHCP requests. • Ports are identified as trusted and untrusted. • Trusted ports can source all DHCP messages – DHCP Server • Untrusted ports can source requests only – If a rogue device on an untrusted port attempts to send a DHCP response packet into the network, the port is shut down. – A DHCP binding table is built for untrusted ports. • Client MAC address, IP address, lease time, binding type, VLAN number, and port ID recorded. • From a DHCP snooping perspective, untrusted access ports should not send any DHCP server responses, such as DHCPOFFER, DHCPACK, or DHCPNAK. © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -77

DHCP Snooping “Here you go, I might be first!” (Rouge) “I need an IP address/mask, default gateway, and DNS server. ” Switch: This is an untrusted port, I will block this DHCP Offer” “Thanks, got it. ” “Here you go. ” (Legitimate) Switch: This is a trusted port, I will allow this DHCP Offer” © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -78

Configuring DHCP Snooping. 1. Enable DHCP Snooping globally. Switch(config)# ip dhcp snooping 2. Enable DHCP Snooping for specific VLANs. Switch(config)# ip dhcp snooping vlan-id [vlan-id] By default, all switch ports in these VLANs are untrusted. 3. Configure at least one trusted port. Use no keyword to revert to untrusted. Switch(config)# interface type mod/num Switch(config-if)# ip dhcp snooping trust 4. For untrusted ports specify the rate-limit DHCP traffic. Switch(config-if)# ip dhcp snooping limit rate Used to prevent starvation attacks by limiting the number of DHCP requests on an untrusted port. Should be less than 100 pps. © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -79

DHCP Snooping By default all interfaces are untrusted. Fa 0/0 Switch(config)# ip dhcp snooping vlan 10 50 Switch(config)# interface fa 0/0 Switch(config-if)# ip dhcp rate limit 20 Gig 0/1 Switch(config)# interface gig 0/1 Switch(config-if)# ip dhcp snooping trust © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -80

Verifying DHCP Snooping Switch# show ip dhcp snooping • Verifies the DHCP snooping configuration © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -81

IP Source Guard • IP Source Guard is similar to DHCP snooping. • Prevents traffic attacks caused when a host tries to use the IP address (spoofed address) of its neighbor. • Switch blocks all IP traffic received on the interface, except for DHCP packets allowed by DHCP snooping. • IP Source Guard makes use of: IP source guard is configured on untrusted L 2 interfaces – the DHCP snooping database – static IP source binding entries © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -82

IP Source Guard • IP source guard is configured on untrusted L 2 interfaces If DHCP snooping is enabled the switch learns the MAC and IP address of the hosts that use DHCP. – Source IP address must be identical to the IP address learned by DHCP snooping. – Source MAC address must be identical to the source MAC address learned by DHCP snooping and by the switch port (MAC address table). • For hosts that do not use DHCP a static IP source binding can be configured. • If the IP address does not match either of these the switch drops the frame/packet. © 2003, Cisco Systems, Inc. All rights reserved. 83 BCMSN v 2. 0— 2 -83

IP Source Guard “I got an IP address/mask, from the DHCP Server. ” IP source guard is configured on untrusted L 2 interfaces “Now I will pretend I am a different Source IP Address. ” Switch: This is an untrusted port, with Source Guard. I checked my binding table and your Source IP Address does not match the one via DHCP. So this traffic is denied!” © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -84

Configuring IP Source Guard. 1. Enable DHCP Snooping globally. Switch(config)# ip dhcp snooping 2. Enable DHCP Snooping for specific VLANs. Switch(config)# ip dhcp snooping vlan-id [vlan-id] By default, all switch ports in these VLANs are untrusted. 3. Enable IP Source Guard on one or more interfaces. Switch(config)# interface type mod/num Switch(config-if)# ip verify source [port security] port security option inspects the MAC address too. 4. For hosts that do not use DHCP configure static IP source bindings. Switch(config)# ip source binding mac-address vlan-id ip address interface type mod/num © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -85

IP Source Guard Switch(config)# interface fa 0/0 Switch(config-if)# ip verify source DHCP Snooping Fa 0/0 Gig 0/1 Switch(config)# ip dhcp snooping vlan 10 50 Switch(config)# interface gig 0/1 Switch(config-if)# ip dhcp snooping trust © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -86

IP Source Guard l This example shows how to enable IP source guard with static source IP and MAC filtering on VLANs 10 and 11. © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -87

ARP Spoofing © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -88

ARP: A quick look 00 -0 C 04 -3844 -AA 00 -0 C 04 -1791 -CC IP Packet put on hold IP Packet no longer on hold Hey that’s me! 172. 16. 10. 25 00 -0 C-04 -38 -44 -AA L 2 Broadcast to all devices on network ARP Request: Who has IP Address 172. 16. 10. 25? Please send me your MAC Address. L 2 Unicast only to sender of ARP I will add that to Request my ARP Table. IP Packet now sent to Destination ARP Reply: Here is my MAC Address I will now use the MAC Address to forward the frame. © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -89

ARP Spoofing • In normal ARP operation, a host sends a broadcast to determine the MAC address of a host with a particular IP address. • The device at that IP address replies with its MAC address. • The originating host caches the ARP response, using it to populate the destination Layer 2 header of packets sent to that IP address. • By spoofing an ARP reply from a legitimate device with a gratuitous ARP, an attacking device appears to be the destination host sought by the senders. • The ARP reply from the attacker causes the sender to store the MAC address of the attacking system in its ARP cache. • All packets destined for those IP addresses will be forwarded through the attacker system. © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -90

What is Gratuitous ARP? • HOST B: “Hey everyone I’m host A and my IP Address is 10. 1. 1. 2 and my MAC address is A. A” • Gratuitous ARP is used by hosts to "announce" their IP address to the local network and avoid duplicate IP addresses on the network. Routers and other network hardware may use cache information gained from gratuitous ARPs. • Gratuitous ARP is a broadcast packet (like an ARP request) © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -91

ARP has no security or ownership of IP or MAC addresses. Sent every 5 seconds 10. 1. 1. 1 MAC C. C Host A now does an ARP Request for 10. 1. 1. 1. When the router replies add to ARP table. When the Attacker replies add to ARP table. © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -92

Arpspoof in Action [root@sconvery-lnx dsniff-2. 3]#. /arpspoof 15. 1. 1. 1 0: 4: 43: f 2: d 8: 1 ff: ff: ff: ff 0806 42: arp reply C: >test 15. 1. 1. 1 is-at 0: 4: 4 e: f 2: d 8: 1 0: 4: 43: f 2: d 8: 1 ff: ff: ff: ff 0806 42: arp reply C: >arp -d 15. 1. 1. 1 is-at 0: 4: 4 e: f 2: d 8: 1 0: 4: 43: f 2: d 8: 1 ff: ff: ff: ff 0806 42: arp reply C: >ping -n 1 15. 1. 1. 1 is-at 0: 4: 4 e: f 2: d 8: 1 0: 4: 43: f 2: d 8: 1 ff: ff: ff: ff 0806 42: arp reply Pinging 15. 1. 1. 1 with 32 bytes of data: 15. 1. 1. 1 is-at 0: 4: 4 e: f 2: d 8: 1 Reply from 15. 1. 1. 1: bytes=32 time<10 ms TTL=255 C: >arp -a Interface: 15. 1. 1. 26 on Interface 2 Internet Address Physical Address Type 15. 1. 1. 1 00 -04 -4 e-f 2 -d 8 -01 dynamic 15. 1. 1. 25 00 -10 -83 -34 -29 -72 dynamic C: >arp -a Interface: 15. 1. 1. 26 on Interface 2 Internet Address Physical Address Type 15. 1. 1. 1 00 -10 -83 -34 -29 -72 dynamic 15. 1. 1. 25 00 -10 -83 -34 -29 -72 dynamic © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -93

Dynamic ARP Inspection (DAI) • To prevent ARP spoofing or “poisoning, ” a switch must ensure that only valid ARP requests and responses are relayed. • DAI prevents these attacks by intercepting and validating all ARP requests and responses. • Each intercepted ARP reply is verified for valid MAC address–to–IP address bindings before it is forwarded to a PC to update the ARP cache. • ARP replies coming from invalid devices are dropped. • DAI determines the validity of an ARP packet based on valid MAC address-to-IP-address bindings database built by DHCP snooping or static ARP entries. • In addition, in order to handle hosts that use statically configured IP addresses, DAI can also validate ARP packets against user-configured ARP ACLs. © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -94

Dynamic ARP Inspection • DAI associates each interface with a trusted state or an untrusted state. • Trusted interfaces bypass all DAI. • Untrusted interfaces undergo DAI validation. © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -95

I am running DHCP snooping with DAI. This ARP Reply is coming from an untrusted interface. Checked my database and it doesn’t match. Drop it. Untrusted Trusted Untrusted Sent every 5 seconds 10. 1. 1. 1 MAC C. C Host A now does an ARP Request for 10. 1. 1. 1. When the router replies add to ARP table. When the Attacker replies switch drops packet. © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -96

Configuring Dynamic ARP Inspection. 1. Enable DAI on one or more VLANs. Switch(config)# ip arp inspection vlan-range 2. Configure trusted ports. Switch(config)# interface type mod/num Switch(config-if)# ip arp inspection trust By default, all switch ports in these VLANs are untrusted. Step 3 next slide… © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -97

Configuring Dynamic ARP Inspection. By default, all switch ports in these VLANs are untrusted. 3. (Optional) Validate that the ARP reply is really coming from the address listed inside the frame. Must choose at least one. Switch(config)# ip arp inspection validate {[src-mac] [dst-mac] [ip]} scr-mac: Check the source MAC address in frame against the sender MAC address in the ARP reply. l This check is performed on both ARP requests and responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped. dst-mac: Check the destination MAC address in frame against the target MAC address in the ARP reply l This check is performed for ARP responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped. ip: Check the sender’s IP address in all ARP requests; Check the sender IP address against the target IP address in all ARP replies l check the ARP body for invalid and unexpected IP addresses. Addresses include 0. 0, BCMSN v 2. 0— 2 -98 © 2003, Cisco Systems, Inc. All rights reserved. 255, and all IP multicast addresses.

Configuring Dynamic ARP Inspection. 4 a. For hosts that do not use DHCP configure ARP ACL to define static MAC-IP bindings that are permitted. Switch(config)# arp access-list acl-name Switch(config-acl)# permit ip host sender-ip mac host sender-mac 4 b. ARP ACL must be applied to the DAI. Switch(config)# ip arp inspection filter acl-name vlanrange [static] l If there is not a match with the ACL the DHCP bindings database is checked next. l If the static keyword is used the DHCP bindings database will not be checked. In effect this is like an implicit deny statement at the end of the ARP ACL. © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -99

Dynamic ARP Inspection Switch(config)# ip arp inspection vlan 10 50 Switch(config)# interface gig 0/1 Switch(config-if)# ip arp inspection trust Fa 0/0 • This example shows how to configure DAI for hosts on VLANs 10 through 50. • All client ports are untrusted by default. • Only Gig 0/1 is trusted Gig 0/1 – Port where DHCP replies would be expected. © 2003, Cisco Systems, Inc. All rights reserved. 100 BCMSN v 2. 0— 2 -100

Securing Network Switches © 2003, Cisco Systems, Inc. All rights reserved. 2 -101

Describing Vulnerabilities in CDP © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -102

Describing Vulnerabilities in the Telnet Protocol The Telnet connection sends text unencrypted and potentially readable. © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -103

Describing the Secure Shell Protocol SSH replaces the Telnet session with an encrypted connection. © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -104

Describing vty ACLs • Set up standard IP ACL. • Use line configuration mode to filter access with the access-class command. • Set identical restrictions on every vty line. © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -105

Describing Commands to Apply ACLs Switch(config)#access-list-number {permit | deny | remark} source [mask] • Configures a standard IP access list Switch(config)#line vty {vty# | vty-range} • Enters configuration mode for a vty or vty range Switch(config-line)#access-class access-list-number in|out • Restricts incoming or outgoing vty connections to addresses in the ACL © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -106

Best Practices: Switch Security • Secure switch access: • Set system passwords. • Secure physical access to the console. • Secure access via Telnet. • Use SSH when possible. • Configure system warning banners. • Use Syslog if available. © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -107

Best Practices: Switch Security (Cont. ) • Secure switch protocols: • Trim CDP and use only as needed. • Secure spanning tree. Mitigate compromises through a switch: • Take precautions for trunk links. • Minimize physical port access. • Establish standard access port configuration for both unused and used ports. © 2003, Cisco Systems, Inc. All rights reserved. BCMSN v 2. 0— 2 -108