Đang tải... (xem toàn văn)
Topics covered in this chapter include the following: An introduction to fundamental switching concepts, starting with the building blocks of VLANs and trunking; an introduction to other building blocks of switching technology, including Spanning Tree Protocol for high availability; a revisit and further explanation of security threats that exploit vulnerabilities in the switching infrastructure;...
Securing the Data Plane on Cisco Catalyst Switches © 2012 Cisco and/or its affiliates All rights reserved Contents Topics covered in this chapter include the following: • An introduction to fundamental switching concepts, starting with the building blocks of VLANs and trunking • An introduction to other building blocks of switching technology, including Spanning Tree Protocol for high availability • A revisit and further explanation of security threats that exploit vulnerabilities in the switching infrastructure • A description of how to plan and develop a strategy for protecting the data plane • A description of the Spanning Tree Protocol Toolkit found on Cisco IOS routers that prevents STP operations from having an impact on the security posture • A review of port security and how to configure it, to illustrate security controls that are aimed at mitigating MAC spoofing and other threats © 2012 Cisco and/or its affiliates All rights reserved Overview • Overview of VLANs and Trunking • Trunking and 802.1Q • 802.1Q Tagging • DTP (Dynamic Trunking Protocol) • Native VLANs • Configuring VLANs and Trunks • Configuring Inter-VLAN Routing • Spanning Tree Overview • STP 802.1D, RSTP, PVRST+ … © 2012 Cisco and/or its affiliates All rights reserved Mitigating Layer Attacks © 2012 Cisco and/or its affiliates All rights reserved Domino Effect If Layer is Compromised Layer independence enables interoperability and interconnectivity However, from a security perspective, Layer independence creates a challenge because a compromise at one layer is not always known by the other layers If the initial attack comes in at Layer 2, the rest of the network can be compromised in an instant © 2012 Cisco and/or its affiliates All rights reserved Layer Best Practices The following list suggests Layer security best practices All of these suggestions are dependent upon your security policy • Manage switches in as secure a manner as possible (SSH, OOB, permit lists, and so on) • Whenever practical, declare the VLAN ID used on trunk ports with the switchport trunk allowed vlan command • Do not use VLAN for anything • Set all user ports to nontrunking (unless you are using Cisco VoIP) • Use port security where possible for access ports • Selectively use SNMP and treat community strings like root passwords • Enable STP attack mitigation (BPDU guard, root guard) • Use Cisco Discovery Protocol only where necessary (with phones it is useful) • Disable all unused ports and put them in an unused VLAN © 2012 Cisco and/or its affiliates All rights reserved Layer Protection Toolkit Components of Layer Protection Toolkit © 2012 Cisco and/or its affiliates All rights reserved Mitigating VLAN Attacks • VLAN Hopping – VLAN Hopping by Rogue Trunk – VLAN Hopping by Double Tagging © 2012 Cisco and/or its affiliates All rights reserved Mitigating VLAN Hopping by Rogue Trunk • By default most switches support Dynamic Trunk Protocol (DTP) which automatically try to negotiate trunk links – An attacker could configure a host to spoof a switch and advertise itself as being capable of using either ISL or 802.1q – If successful, the attacking system then becomes a member of all VLANs © 2012 Cisco and/or its affiliates All rights reserved VLAN Hopping by Rogue Trunk A VLAN hopping attack can be launched in one of two ways: • Spoofing DTP messages from the attacking host to cause the switch to enter trunking mode: From here, the attacker can send traffic tagged with the target VLAN, and the switch then delivers the packets to the destination • Introducing a rogue switch and turning trunking on: The attacker can then access all the VLANs on the victim switch from the rogue switch © 2012 Cisco and/or its affiliates All rights reserved 10 MAC Address Spoofing © 2012 Cisco and/or its affiliates All rights reserved 22 MAC Address Spoofing Mitigation techniques include configuring port security © 2012 Cisco and/or its affiliates All rights reserved 23 Using Port Security • To prevent MAC spoofing and MAC table overflows, enable port security • Port Security can be used to statically specify MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses • By limiting the number of permitted MAC addresses on a port to one, port security can be used to control unauthorized expansion of the network © 2012 Cisco and/or its affiliates All rights reserved 24 Enable Port Security • Set the interface to access mode Switch(config-if)# switchport mode access • Enable port security on the interface Switch(config-if)# switchport port-security © 2012 Cisco and/or its affiliates All rights reserved 25 Configure Parameters • Set the maximum number of secure MAC addresses for the interface (optional) • The range is to 132 The default is Switch(config-if)# switchport port-security maximum value • Enter a static secure MAC address for the interface (optional) Switch(config-if)# switchport port-security mac-address mac-address • Enable sticky learning on the interface (optional) Switch(config-if)# switchport port-security mac-address sticky © 2012 Cisco and/or its affiliates All rights reserved 26 Establish the Violation Rules • Set the violation mode (optional) • The default is shutdown – shutdown is recommended rather than protect (dropping frames) – The restrict option might fail under the load of an attack Switch(config-if)# switchport port-security violation {protect | restrict | shutdown} © 2012 Cisco and/or its affiliates All rights reserved 27 Errdisable Recovery The errdisable recovery feature also allows you to monitor spanning tree violations © 2012 Cisco and/or its affiliates All rights reserved 28 Port Aging • Port security aging can be used to set the aging time for static and dynamic secure addresses on a port • Two types of aging are supported per port: – absolute - The secure addresses on the port are deleted after the specified aging time – inactivity - The secure addresses on the port are deleted only if they are inactive for the specified aging time Switch(config-if)# switchport port-security aging {static | time minutes | type {absolute | inactivity}} © 2012 Cisco and/or its affiliates All rights reserved 29 Sample Port Security Configuration S3 S2(config-if)# S2(config-if)# S2(config-if)# S2(config-if)# S2(config-if)# S2(config-if)# © 2012 Cisco and/or its affiliates All rights reserved switchport switchport switchport switchport switchport switchport mode access port-security port-security port-security port-security port-security maximum violation shutdown mac-address sticky aging time 120 30 show port-security Command SW2# show port-security Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action (Count) (Count) (Count) -Fa0/12 0 Shutdown Total Addresses in System (excluding one mac per port) : Max Addresses limit in System (excluding one mac per port) : 1024 SW2# show port-security interface f0/12 Port Security : Enabled Port status : Secure-down Violation mode : Shutdown Maximum MAC Addresses : Total MAC Addresses : Configured MAC Addresses : Aging time : 120 mins Aging type : Absolute SecureStatic address aging : Disabled Security Violation Count : SW2# show port-security address Secure Mac Address Table Vlan Mac Address Type Ports Remaining Age (mins) 0000.ffff.aaaa SecureConfigured Fa0/12 Total Addresses in System (excluding one mac per port) : Max Addresses limit in System (excluding one mac per port) : 1024 © 2012 Cisco and/or its affiliates All rights reserved 31 Using SNMP to Monitor Access to Switch Port © 2012 Cisco and/or its affiliates All rights reserved 32 MAC Address Notification • The MAC Address Notification feature sends SNMP traps to the network management station (NMS) whenever a new MAC address is added to or an old address is deleted from the forwarding tables Switch(config)# mac address-table notification © 2012 Cisco and/or its affiliates All rights reserved 33 Mitigating DHCP attacks • DHCP attacks : – DHCP starvation – DHCP rouge • Here are two ways to mitigate DHCP spoofing and starvation attacks: – Port security – DHCP snooping © 2012 Cisco and/or its affiliates All rights reserved 34 Mitigating ARP Spoofing IP Source Guard Dynamic ARP Inspection : Dynamic ARP Inspection (DAI) determines the validity of an ARP packet based on the MAC address-to-IP address bindings stored in a DHCP snooping database © 2012 Cisco and/or its affiliates All rights reserved 35 © 2012 Cisco and/or its affiliates All rights reserved 36 ... All rights reserved 29 Sample Port Security Configuration S3 S2(config-if)# S2(config-if)# S2(config-if)# S2(config-if)# S2(config-if)# S2(config-if)# © 2012 Cisco and/or its affiliates All rights... access port -security port -security port -security port -security port -security maximum violation shutdown mac-address sticky aging time 120 30 show port -security Command SW2# show port -security Secure... Switch(config-if)# switchport port -security mac-address mac-address • Enable sticky learning on the interface (optional) Switch(config-if)# switchport port -security mac-address sticky © 2012 Cisco