DOCUMENT INFORMATION
Basic information
Format:
Number of pages: 32
Size: 721.98 KB
Contents
Switch Security (BSCI v3.0, 2-1)

Types of Attacks
• CAM table overflow
• VLAN hopping
• Spanning tree manipulation
• MAC address spoofing
• DHCP attacks

CAM Table Overflow Attack
(Figure: CAM table on port 3/25, VLAN 10, filled with entries MAC X, MAC Y, MAC Z; hosts A, B, C and D; the attacker sees traffic to servers B and D.)

Port Security
(Figure: port security on an access port, showing secure MAC A and an attacker's frames carrying MAC D, E and F.)

Secure MAC Addresses
• Static
• Dynamic
• Sticky

Default Settings
Feature                  Default setting
Port security            Disabled
Maximum MAC addresses    (value not legible in the extracted text)
Violation mode           Shutdown
Sticky address learning  Disabled
Port security aging      Disabled (aging time value not legible in the extracted text; when enabled, the default type is absolute)

Configuration Guidelines
• Only on static access ports
• Not on trunk or dynamic access ports
• Not on a SPAN port
• Not on an EtherChannel port
• Not configurable on a per-VLAN basis
• No aging of sticky addresses
• The protect and restrict options cannot be enabled at the same time

Configuring Port Security
switch(config-if)# switchport mode access
    Set the interface mode to access
switch(config-if)# switchport port-security
    Enable port security on the interface
switch(config-if)# switchport port-security maximum value
    Set the maximum number of secure MAC addresses for the interface (optional)

Configuring Port Security (Cont.)
switch(config-if)# switchport port-security violation {protect | restrict | shutdown}
    Set the violation mode (optional)
switch(config-if)# switchport port-security mac-address mac-address
    Enter a static secure MAC address for the interface (optional)
switch(config-if)# switchport port-security mac-address sticky
    Enable sticky learning on the interface (optional)

Configuring Port Security Aging
switch(config-if)# switchport port-security aging {static | time time | type {absolute | inactivity}}
    Enable or disable static aging for the secure port, or set the aging time or type

Implementing BPDU Guard to Mitigate Spanning Tree Manipulation
Switch(config)# spanning-tree portfast bpduguard
or
Switch(config-if)# spanning-tree bpduguard enable
The BPDU guard feature shuts down a port when that port receives a BPDU.

Auto recovery from the err-disable state
• If the BPDU guard feature has shut down a port, the port can be restored to an operational state using the errdisable recovery procedure
• Enable recovery for the cause bpduguard:
  Switch(config)# errdisable recovery cause bpduguard
• Set a global recovery timeout:
  Switch(config)# errdisable recovery interval seconds

DHCP Attacks
(Figure: a DHCP server reached through untrusted ports; one attacker sends DHCP requests with spoofed MAC addresses to starve the DHCP server, another attempts to set up a rogue DHCP server.)

DHCP Snooping
• DHCP snooping allows ports to be configured as trusted or untrusted
• Untrusted ports cannot process DHCP replies
• Configure DHCP snooping on the uplinks toward a DHCP server
• Do not configure DHCP snooping on client ports
(Figure: legitimate DHCP server, rogue DHCP attacker and client.)

Mitigating DHCP Attacks
Here are two ways to mitigate DHCP spoofing and starvation attacks:
• Port security
• DHCP snooping

IEEE 802.1x
• Standard set by the IEEE 802.1 working group
• A framework designed to provide port-based access control using authentication
• Layer 2 protocol for transporting authentication messages between the supplicant (user/PC) and the authenticator (switch or access point)
• Actual enforcement is via MAC-based filtering and port-state monitoring

Concepts of 802.1x in Action
(Figure: identity-based authentication. An authorized user with valid credentials is admitted to the corporate network and its resources; an unauthorized external wireless user with invalid or no credentials gets no access.)

802.1x and Port Security
(Figure: attacker A and legitimate user B share a hub on one switch port; the switch, backed by Cisco Secure ACS/RADIUS, knows B but not A, so the port remains unauthorized. Labels: Port Security and Identity.)

Implementing Switch Port Analyzer (SPAN) (BSCI v3.0, 2-26)

Switch Port Analyzer
• The Switch Port Analyzer (SPAN) feature mirrors traffic from one source switch port or VLAN to a destination port
• It allows a monitoring device, such as a network analyzer or "sniffer", to be attached to the destination port to capture traffic
• SPAN is available in two forms:
  SPAN: both the SPAN source and destination are located on the same switch
  Remote SPAN (RSPAN): the SPAN source and destination are located on different switches; mirrored traffic is copied over a special-purpose VLAN across trunks between the switches, from the source to the destination

SPAN
• Both the SPAN source and destination are located on the same switch

SPAN Configuration
Define the source of the SPAN session data:
Switch(config)# monitor session session-id source {vlan vlan-list | interface interface-number} [tx | rx | both]
• session-id: uniquely identifies the SPAN session
• source interface interface-number: the interface whose incoming or outgoing traffic is monitored
• source vlan vlan-list: the VLANs whose transit traffic is monitored
• tx | rx | both: traffic is selected for mirroring by its direction relative to the SPAN source (tx: transmitted from the source, rx: received at the source, both: both directions)

SPAN Configuration (Cont.)
Identify the SPAN destination:
Switch(config)# monitor session session-id destination interface interface-number [encapsulation replicate] [ingress {vlan vlan-id | dot1q vlan vlan-id | isl}]
• session-id: uniquely identifies the SPAN session
• destination interface interface-number: the destination interface used by the session
• encapsulation replicate: preserve the VLAN tagging information (Layer 2 encapsulation) of the mirrored packets
• ingress vlan vlan-id: allows traffic sent into the destination port (from the analyzer); it is forwarded untagged into VLAN vlan-id
• ingress {dot1q vlan vlan-id | isl}: allows traffic sent into the destination port; it is forwarded with a dot1q or ISL tag, and with dot1q the native VLAN is specified

SPAN Configuration (Cont.)
• Example (the session number 1 is assumed; it is not legible in the original):
  SW(config)# monitor session 1 source interface g1/0/1 both
  SW(config)# monitor session 1 destination interface g1/0/48
• Traffic going to and coming from the device connected to interface g1/0/1 is monitored, and the network analyzer is connected to interface g1/0/48
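The port-security section above lists the maximum, violation and sticky settings without showing how they behave under a CAM table overflow attempt. The following added example (not part of the course slides) is a small hypothetical Python model of one secured access port; the class name, the constructed MAC addresses and the result strings are assumptions, and no real switch is involved.

```python
from collections import OrderedDict

class SecurePort:
    """Hypothetical model of switchport port-security on one access port (added example)."""

    def __init__(self, maximum=1, violation="shutdown", sticky=False, static=()):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("violation must be protect, restrict or shutdown")
        self.maximum, self.violation, self.sticky = maximum, violation, sticky
        # secure MAC -> type; static and sticky entries survive a link flap, dynamic do not
        self.secure = OrderedDict((m.lower(), "static") for m in static)
        self.err_disabled = False
        self.violations = 0  # SecurityViolation counter (restrict and shutdown modes only)

    def frame(self, src_mac):
        """Return what the port does with a frame whose source address is src_mac."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "dropped (port err-disabled)"
        if src_mac in self.secure:
            return "forwarded"
        if len(self.secure) < self.maximum:  # room left: learn the address
            self.secure[src_mac] = "sticky" if self.sticky else "dynamic"
            return "forwarded (learned)"
        # table full and unknown source: a security violation
        if self.violation == "protect":
            return "dropped"  # silent: no log message, no counter increment
        self.violations += 1
        if self.violation == "restrict":
            return "dropped (logged, SNMP trap)"
        self.err_disabled = True  # shutdown: the whole port goes err-disabled
        return "port err-disabled"

    def link_flap(self):
        """Link down/up flushes dynamic entries; static and sticky entries stay."""
        self.secure = OrderedDict((m, t) for m, t in self.secure.items() if t != "dynamic")

def cam_overflow(port, attacker_macs):
    """Replay a flood of distinct source MACs against the port; return per-frame results."""
    return [port.frame(m) for m in attacker_macs]

def demo():
    """One legitimate host, then five constructed attacker MACs, in each violation mode."""
    flood = ["00:aa:bb:cc:dd:%02x" % i for i in range(5)]  # constructed sample MACs
    results = {}
    for mode in ("protect", "restrict", "shutdown"):
        port = SecurePort(maximum=2, violation=mode)
        port.frame("00:11:22:33:44:55")  # legitimate host, learned dynamically
        results[mode] = cam_overflow(port, flood)
    return results
```

With maximum 2, the first attacker address is learned and every further address is a violation; only the violation mode decides whether that means a silent drop, a logged drop, or an err-disabled port that then needs the errdisable recovery procedure.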