security best practices in catalyst campus switches...• security myths • management ... • vqp...
TRANSCRIPT
![Page 1: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/1.jpg)
1© 2001, Cisco Systems, Inc. All rights reserved.
PS-5433029_05_2001_c1
Security Best Practices in Catalyst Campus Switches
Mike Peeters
SE Toronto
![Page 2: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/2.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 2PS-5433029_05_2001_c1
Agenda
•• SSecurityecurity MMythsyths
• Management Channels
• VLAN Isolation
• Known Attacks
• Secure Switch Configuration
![Page 3: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/3.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 3PS-5433029_05_2001_c1
Security Myths
• MAC addresses cannot be spoofed
• A Switch protects against sniffers
• VLANs are completely isolated
![Page 4: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/4.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 4PS-5433029_05_2001_c1
Agenda
• Security Myths
•• MManagementanagement CChannelshannels
• VLAN Isolation
• Known Attacks
• Secure Switch Configuration
![Page 5: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/5.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 5PS-5433029_05_2001_c1
Management Channels
• Telnet: for command line interface
• SNMP: to read/write data from/to the switch
• VTP: VLAN Trunking Protocol
• VQP for VMPS Virtual Membership Policy Server
• CDP: Cisco Discovery Protocol
![Page 6: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/6.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 6PS-5433029_05_2001_c1
Using a Out of Band Management
• Cat 4000 has a dedicated physical Ethernet port for management
can be put in a separate VLAN or even to another physical LAN
• Cat 5k & Cat 6K have a logical Ethernet port for management
MUST be put in a VLAN
this should be a dedicated VLAN
![Page 7: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/7.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 7PS-5433029_05_2001_c1
Out of Band Management (Cont.)
• Use topological ACL to prevent IP spoofing for the management VLAN
• IPSec tunnel can provide authentication & confidentiality on the WAN
WAN
Network Management
ManagementVLAN or LAN
Inbound ACLdeny nms anypermit any any
Inbound ACLpermit nms anydeny any any
Inbound ACLdeny nms anypermit any any
Outbound ACLpermit nms anydeny any any
![Page 8: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/8.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 8PS-5433029_05_2001_c1
Management Channels: Telnet
• Telnet can give access to the command line from remote ( passwords are sent in clear text)
• two passwords:
login password
enable password
![Page 9: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/9.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 9PS-5433029_05_2001_c1
Management Channel: SSH
• On Cat 4K, 6K with CatOS 6.1 (or IOS 12.1(6)E) SSH can be used to replace Telnet
• On Cat 2950 EI and 3550 SSH is available on 12.1(11)EA1
• SSH is using 3DES to provide confidentiality to the Telnet session
![Page 10: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/10.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 10PS-5433029_05_2001_c1
Passwords
• Enable password should be different than login password
•• Physical access to console port means no Physical access to console port means no password needed upon rebootpassword needed upon reboot
• Passwords are stored in clear text on TFTP servers
• Passwords should be more creative than :Router, switch, sanfran, cisco, enable.....
![Page 11: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/11.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 11PS-5433029_05_2001_c1
Using Radius/TACACS+
Can use one time token for login/enable authentication
CATALYST>set authentication login tacacs+ enableset authentication enable tacacs+ enableset tacacs key mysecretset tacacs server 1.1.1.1set tacacs server 2.2.2.2
![Page 12: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/12.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 12PS-5433029_05_2001_c1
Management Channels: SNMP
• SNMP is used to:
send traps
get information from switch
set information to switch
• three community strings (RO, RW, RW-all). Defaults public, private
• use SNMPv1 => everything in clear including community string
• Catalyst switches support SNMP V3 (DES Encryption)
![Page 13: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/13.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 13PS-5433029_05_2001_c1
Restricting Telnet/SNMP Access
• Telnet and SNMP access can be restricted to 10 IP addresses
CATALYST>
set ip permit 192.168.1.0 255.255.255.0
set ip permit 192.168.100.1
set ip permit enable
![Page 14: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/14.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 14PS-5433029_05_2001_c1
VLAN Trunking Protocol (VTP)
• Used to distribute VLAN configuration among switches
• VTP is used over trunk ports• VTP can cause more problems than it
solves, consider if it is needed• If needed, VTP can (and should) be
authenticated:CatOS> (enable) set vtp [domain domain_name] [mode {client | server | transparent | off}] [passwd passwd][pruning {enable | disable}] [v2 {enable | disable}]IOS(config)#vtp password password-value
![Page 15: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/15.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 15PS-5433029_05_2001_c1
Potential VTP Attacks
• Most VTP attacks fall into the “nuisance” category of attacks
• DoS is possible by changing around the VLANs on multiple switches
• Disabling VTP:
CatOS> (enable) set vtp mode transparent | offIOS(config)#vtp mode transparent
![Page 16: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/16.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 16PS-5433029_05_2001_c1
Management Channels: VMPS
• VLAN Membership Policy Server is used to assign a VLAN to a port based on:
MAC address
NT or Novell usernames (with URT)
![Page 17: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/17.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 17PS-5433029_05_2001_c1
VMPS Architecture
VMPSdatabase
VMPSserver
VMPSclient
TFTP
Query
Reply
All VMPS traffic:•clear text•non authentication•UDP based (spoofing trivial)
All VMPS traffic:All VMPS traffic:••clear textclear text••non authenticationnon authentication••UDP based (spoofing trivial)UDP based (spoofing trivial)
![Page 18: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/18.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 18PS-5433029_05_2001_c1
Risks with VQP
• DoS: preventing people to join the right VLAN
• impersonation: joining a desirable but forbidden VLAN
![Page 19: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/19.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 19PS-5433029_05_2001_c1
Adding Security to VMPS
Use an out of band management channel
Note: MAC addresses can be forged...
![Page 20: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/20.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 20PS-5433029_05_2001_c1
Management Channels: CDP
• Can be used to learn sensible information about the CDP sender (IP address, software version, …)
• be sure to disable CDP on ALL non trunk ports
CATALYST>
set cdp disable all
set cdp enable 1/1
![Page 21: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/21.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 21PS-5433029_05_2001_c1
Agenda
• security myths
• management channels
•• VLAN isolationVLAN isolation
• known attacks
• secure switch configuration
![Page 22: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/22.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 22PS-5433029_05_2001_c1
VLAN Isolation
MYTH: VLAN MYTH: VLAN aa is completely isolated from is completely isolated from VLAN VLAN bb
I.e. without layer 3 device, no station on one VLAN can send data to another station on another VLAN
![Page 23: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/23.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 23PS-5433029_05_2001_c1
Trunk Port Refresher
• Trunk ports have access to all VLANs by default
• Used to route traffic for multiple VLANs across the same physical link (generally used between switches)
• Encapsulation can be 802.1Q or ISL
Trunk Port
![Page 24: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/24.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 24PS-5433029_05_2001_c1
Dynamic Trunk Protocol (DTP)
• What is DTP? Automates ISL/802.1Q trunk configuration
Operates between switches
Does not operate on routers
Not supported on 2900XL or 3500XL
• DTP synchronizes the trunking mode on link ends
• DTP prevents the need for management intervention on both sides
• DTP state on ISL/1Q trunking port can be set to “Auto”, “On”, “Off”, “Desirable”, or “Non-Negotiate”
DynamicTrunk
Protocol
![Page 25: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/25.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 25PS-5433029_05_2001_c1
DTP Administrative States
• Administrator configurable trunk statesON I want to be a trunk and I don’t care what you
think! (Used when the other end does not understand DTP)
OFF I don’t want to be a trunk and I don’t care what you think! (Used when the other end cannot do ISL or .1Q)
Desirable I’m willing to become a VLAN trunk; are you interested? (Used when you are interested in being a trunk)
Auto I’m willing to go with whatever you want! (This is the default on many switches!)
Non-Negotiate I want to trunk, and this is what kind of trunk I will be! (Used when you want a specific type of trunk ISL or .1Q)
![Page 26: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/26.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 26PS-5433029_05_2001_c1
Basic VLAN Hopping Attack
• A station can spoof as a switch with ISL or 802.1Q signaling (DTP signaling is usually required as well)
• The station is then member of all VLANs• Requires a trunking favorable setting on the port (the SANS paper is
three years old)http://www.sans.org/newlook/resources/IDFAQ/vlan.htm
Trunk Port
Trunk Port
![Page 27: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/27.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 27PS-5433029_05_2001_c1
Double Encapsulated 802.1Q VLAN Hopping Attack
• Send double encapsulated 802.1Q frames
• Switch performs only one level of decapsulation
• Unidirectional traffic only
• Works even if trunk ports are set to off
Attacker
Note: Only Works if Trunk Has the Same Native VLAN as the Attacker ( then the
trunk will not append a new tag)
Note: Only Works if Trunk Has the Same Native VLAN as the Attacker ( then the
trunk will not append a new tag) Victim
802.1q, 802.1q
802.1q, Frame
Strip off First, and Send Back out
Frame
![Page 28: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/28.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 28PS-5433029_05_2001_c1
Disabling Auto-Trunking
• Defaults change depending on switch; always check:
From the Cisco docs: “The default mode is dependent on the platform…”
To check from the CLI:
CatOS> (enable) set trunk <mod/port> offIOS(config-if)#switchport mode access
CatOS> (enable) show trunk [mod|mod/port]IOS(config-if)#show interface type number switchport
![Page 29: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/29.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 29PS-5433029_05_2001_c1
Security Best Practices for VLANs and Trunking
• Always use a dedicated VLAN ID ( native VLAN) for all trunk ports that is not defined as an access port on the switch
• Disable unused ports and put them in an unusedVLAN
• Be paranoid: Do not use VLAN 1 for anything
• Set all user ports to non-trunking(DTP Off)
![Page 30: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/30.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 30PS-5433029_05_2001_c1
Agenda
• security myths
• management channels
• VLAN isolation
•• known attacksknown attacks
• secure switch configuration
![Page 31: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/31.jpg)
31© 2001, Cisco Systems, Inc. All rights reserved.
PS-5433029_05_2001_c1
Spanning Tree Attacks
![Page 32: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/32.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 32PS-5433029_05_2001_c1
Spanning Tree
• Purpose: To maintain loop-free topologies in a redundant Layer 2 infrastructure
• Provides path recovery services
• Hackers are just starting to play around with STP; the “dsniff” of STP attacks has yet to be released
![Page 33: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/33.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 33PS-5433029_05_2001_c1
Spanning Tree Basics
Loop-Free Connectivity
XX
A Switch Is Elected as Root
FFFFF
FFBB
F
FF
A ‘Tree-Like’ Loop-Free Topology
Is Established
FF
ARootRoot
B
![Page 34: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/34.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 34PS-5433029_05_2001_c1
Spanning Tree Attack Example 1/2
• Send BPDU messages from attacker to force spanning tree recalculations
Impact likely to be DoS
• Send BPDU messages to become root bridge
Attacker
Access SwitchesRootRoot
FF
FF
FF
FF
XXBB
FF
STP
STP
![Page 35: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/35.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 35PS-5433029_05_2001_c1
BB
FF
Spanning Tree Attack Example 2/2
• Send BPDU messages from attacker to force spanning tree recalculations
Impact likely to be DoS
• Send BPDU messages to become root bridge
The hacker then sees frames he shouldn’t
MITM, DoS, etc. all possibleAny attack is very sensitive to the original topology, trunking, PVST, etc.Requires attacker to be dual homed to two different switches
Attacker
Access SwitchesRootRoot
FF
FF
FF
FF
FF
RootRoot
BBXX
![Page 36: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/36.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 36PS-5433029_05_2001_c1
Spanning Tree DoS Example
• Attacker sends BPDU advertising itself with a bridge priority of zero
GE
FE FE
ST
P
BB
FF
FF
FF
FF
FF
FF
RootRoot
BBXX
AccessSwitch
RootRoot
Attacker becomes root bridge
Spanning Tree recalculates
GE backbone becomes FE L
If attack is combined with macof, it could yield more packets available to sniff
![Page 37: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/37.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 37PS-5433029_05_2001_c1
STP Attack Mitigation
• Disable STP (It is not needed in loop free topologies)• BPDU Guard
Disables ports using portfast upon detection of a BPDU message on the portGlobally enabled on all ports running portfastAvailable in CatOS 5.4.1 for Cat 2K, 4K, 5K, and 6K; 12.0XE for native IOS 6K; 12.1(8a)EW for 4K Sup III; 12.1(4)EA1 for 3550; 12.1(6)EA2 for 2950
• Root GuardDisables ports who would become the root bridge due to their BPDU advertisementConfigured on a per port basisAvailable in CatOS 6.1.1 for Cat 29XX, 4K, 5K, and 6K; 12.0(7) XE for native IOS 6K, 12.1(8a)EW for 4K Sup III; 29/3500XL in 12.0(5)XU; 2950 in 12.0(5)WC(1); 3550 in 12.1(4)EA1; 2950 in 12.1(6)EA2
CatOS> (enable)set spantree portfast bpdu-guard enable
IOS(config)#spanning-tree portfast bpduguard
CatOS> (enable) set spantree guard root 1/1
IOS(config)#spanning-tree guard root (or rootguard)
![Page 38: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/38.jpg)
38© 2001, Cisco Systems, Inc. All rights reserved.
PS-5433029_05_2001_c1
VLAN Isolation
![Page 39: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/39.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 39PS-5433029_05_2001_c1
ARP Refresher
• An ARP request message should be placed in a hardware frame and broadcast to all computers on the network.
• Each computer receives the request and examines the IP address.
• The computer mentioned in the request sends a response; all other computers process and discard the request without sending a response.
![Page 40: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/40.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 40PS-5433029_05_2001_c1
Gratuitous ARP
• HOST W: Hey everyone I’m host W and my IP Address is 1.2.3.4 and my MAC address is 12:34:56:78:9A:BC
• Gratuitous ARP is used by hosts to "announce" their IP address to the local network and avoid duplicate IP addresses on the network. Routers and other network hardware may use cache information gained from gratuitous ARPs.
• Gratuitous ARP is a broadcast packet (like an ARP request)
![Page 41: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/41.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 41PS-5433029_05_2001_c1
Misuse of gratuitous ARP
• ARP has no security or ownership of IP or MAC addresses
• What if we did the following?
• Host W broadcasts I’m 1.2.3.1 with MAC 12:34:56:78:9A:BC
• (wait 5 seconds)
• Host W broadcasts I’m 1.2.3.1 with MAC 12:34:56:78:9A:BC
1.2.3.0/24
Host W
.4
.1
Host Y
.2
Host X
.3
![Page 42: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/42.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 42PS-5433029_05_2001_c1
A Test in the Lab• Host X and Y will likely ignore the message unless they
currently have an ARP table entry for 1.2.3.1
• When host Y requests the MAC of 1.2.3.1 the real router will reply and communications will work until the timer on the gratuitous ARP kicks off
• Even a static ARP entry for 1.2.3.1 on Y will get overwritten bythe gARP on some OSs (NT4,WIN2K for sure)
1.2.3.0/24
Host W
.4
.1
Host Y
.2
Host X
.3
![Page 43: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/43.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 43PS-5433029_05_2001_c1
Dug Song, Author of dsniff
Dsniff – a collection of tools to do :
• ARP spoofing
• MAC flooding
• Selective sniffing
• SSH / SSL Interception
www.monkey.org/~dugsong/dsniff
![Page 44: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/44.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 44PS-5433029_05_2001_c1
Arpspoof in Action
C:\>test
C:\>arp -d 15.1.1.1
C:\>ping -n 1 15.1.1.1
Pinging 15.1.1.1 with 32 bytes of data:
Reply from 15.1.1.1: bytes=32 time<10ms TTL=255
C:\>arp -a
Interface: 15.1.1.26 on Interface 2Internet Address Physical Address Type15.1.1.1 00-04-4e-f2-d8-01 dynamic15.1.1.25 00-10-83-34-29-72 dynamic
C:\>_
C:\>test
C:\>arp -d 15.1.1.1
C:\>ping -n 1 15.1.1.1
Pinging 15.1.1.1 with 32 bytes of data:
Reply from 15.1.1.1: bytes=32 time<10ms TTL=255
C:\>arp -a
Interface: 15.1.1.26 on Interface 2Internet Address Physical Address Type15.1.1.1 00-04-4e-f2-d8-01 dynamic15.1.1.25 00-10-83-34-29-72 dynamic
C:\>arp -a
Interface: 15.1.1.26 on Interface 2Internet Address Physical Address Type15.1.1.1 00-10-83-34-29-72 dynamic15.1.1.25 00-10-83-34-29-72 dynamic
[root@hacker-lnx dsniff-2.3]# ./arpspoof 15.1.1.10:4:43:f2:d8:1 ff:ff:ff:ff:ff:ff 0806 42: arp reply 15.1.1.1 is-at 0:4:4e:f2:d8:10:4:43:f2:d8:1 ff:ff:ff:ff:ff:ff 0806 42: arp reply 15.1.1.1 is-at 0:4:4e:f2:d8:10:4:43:f2:d8:1 ff:ff:ff:ff:ff:ff 0806 42: arp reply 15.1.1.1 is-at 0:4:4e:f2:d8:10:4:43:f2:d8:1 ff:ff:ff:ff:ff:ff 0806 42: arp reply 15.1.1.1 is-at 0:4:4e:f2:d8:1
![Page 45: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/45.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 45PS-5433029_05_2001_c1
More on Arpspoof
• All Traffic now flows through machine running dsniff in a half-duplex manner
Not quite a sniffer but fairly close
• Port security doesn’t help
• Note that attack could be generated in the opposite direction by spoofing the destination host when the router sends its ARP request (more difficult because of race condition)
![Page 46: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/46.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 46PS-5433029_05_2001_c1
ARP Spoof Mitigation: Private VLANs
• What is a ‘Private’ VLAN?
A specific kind of VLAN (useful for DMZ, …)
IsolatedIsolated ports (usually hosts) cannot talk to each other but only to designated promiscuouspromiscuousports (usually routers or firewalls)
‘Private’ VLANs and normal VLANs can exist simultaneously in the same switch
![Page 47: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/47.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 47PS-5433029_05_2001_c1
PromiscuousPort
PromiscuousPort
Community‘A’
Community‘B’
IsolatedPorts
Primary VLAN
Community VLAN
Community VLAN
Isolated VLAN
Only One Subnet!
xx xx xx xx
ARP Spoof Mitigation: Private VLANs
Consider Local Proxy ARP as an option for host to host communication without broadcasts
![Page 48: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/48.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 48PS-5433029_05_2001_c1
Normal CAM Behaviour 1/3
MAC A MAC B
MAC C
Port 1Port 2
Port 3
MACMAC portportAA 11
CC 33A->B
A->B
A->B
B unknown…flood the frame
I see trafficto B !
![Page 49: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/49.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 49PS-5433029_05_2001_c1
Normal CAM Behaviour 2/3
MAC A MAC B
MAC C
Port 1Port 2
Port 3
MACMAC portportAA 11
CC 33B->A
B->A
A is on port 1learn:
B is on port 2
MACMAC portportAA 11BB 22CC 33
![Page 50: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/50.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 50PS-5433029_05_2001_c1
Normal CAM Behaviour 3/3
MAC A MAC B
MAC C
Port 1Port 2
Port 3
MACMAC portportAA 11BB 22CC 33
A->B
A->B
B is on port 2 I do not seetraffic to B !
![Page 51: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/51.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 51PS-5433029_05_2001_c1
CAM Overflow 1/3
• theoretical attack until May 1999
• macof cracker tool since May 1999 (about 100 lines of perl)
• based on the limited size of CAM
![Page 52: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/52.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 52PS-5433029_05_2001_c1
CAM Overflow 2/3
MAC A MAC B
MAC C
Port 1Port 2
Port 3
MACMAC portportAA 11BB 22CC 33
X->?
X is on port 3
MACMAC portportXX 33BB 22CC 33
MACMAC portportXX 33YY 33CC 33
Y->?
Y is on port 3
![Page 53: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/53.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 53PS-5433029_05_2001_c1
CAM Overflow 3/3
MAC A MAC B
MAC C
Port 1Port 2
Port 3
MACMAC portportXX 33YY 33CC 33
A->B
A->B
A->B
B unknown…flood the frame
I see trafficto B !
![Page 54: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/54.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 54PS-5433029_05_2001_c1
MAC Flooding switches with Dsniff
[root@hacker-lnx dsniff-2.3]# ./macof101.59.29.36 -> 60.171.137.91 TCP D=55934 S=322 Syn Seq=1210303300 Len=0 Win=512145.123.46.9 -> 57.11.96.103 TCP D=44686 S=42409 Syn Seq=1106243396 Len=0 Win=52109.40.136.24 -> 51.158.227.98 TCP D=59038 S=21289 Syn Seq=2039821840 Len=0 Win2126.121.183.80 -> 151.241.231.59 TCP D=7519 S=34044 Syn Seq=310542747 Len=0 Win2211.28.168.72 -> 91.247.223.23 TCP D=62807 S=53618 Syn Seq=2084851907 Len=0 Win2183.159.196.56 -> 133.10.138.87 TCP D=23929 S=51034 Syn Seq=1263121444 Len=0 Wi219.113.88.77 -> 16.189.146.61 TCP D=1478 S=56820 Syn Seq=609596358 Len=0 Win=512237.162.172.114 -> 51.32.8.36 TCP D=38433 S=31784 Syn Seq=410116516 Len=0 Win2118.34.90.6 -> 61.169.58.50 TCP D=42232 S=31424 Syn Seq=1070019027 Len=0 Win=52
46.205.246.13 -> 72.165.185.7 TCP D=56224 S=34492 Syn Seq=937536798 Len=0 Win=52105.109.246.116 -> 252.233.209.72 TCP D=23840 S=45783 Syn Seq=1072699351 Len=0 260.244.56.84 -> 142.93.179.59 TCP D=3453 S=4112 Syn Seq=1964543236 Len=0 Win=512151.126.212.86 -> 106.205.161.66 TCP D=12959 S=42911 Syn Seq=1028677526 Len=0 W29.121.248.84 -> 199.35.30.115 TCP D=33377 S=31735 Syn Seq=1395858847 Len=0 Win=2226.216.132.20 -> 189.89.89.110 TCP D=26975 S=57485 Syn Seq=1783586857 Len=0 Wi2124.54.134.104 -> 235.83.143.109 TCP D=23135 S=55908 Syn Seq=852982595 Len=0 Wi227.54.72.62 -> 207.73.65.108 TCP D=54512 S=25534 Syn Seq=1571701185 Len=0 Win=2
246.109.199.72 -> 1.131.122.89 TCP D=61311 S=43891 Syn Seq=1443011876 Len=0 Win2251.49.6.89 -> 18.168.34.97 TCP D=25959 S=956 Syn Seq=6153014 Len=0 Win=512
51.105.154.55 -> 225.89.20.119 TCP D=33931 S=1893 Syn Seq=116924142 Len=0 Win=5282.2.236.125 -> 210.40.246.122 TCP D=43954 S=49355 Syn Seq=1263650806 Len=0 Win221.221.14.15 -> 9.240.58.59 TCP D=61408 S=26921 Syn Seq=464123137 Len=0 Win=51270.63.102.43 -> 69.88.108.26 TCP D=61968 S=53055 Syn Seq=682544782 Len=0 Win=512
![Page 55: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/55.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 55PS-5433029_05_2001_c1
CAM Table Full!• Dsniff (macof) can generate 155,000 MAC entries
on a switch per minute
• Assuming a perfect hash function the CAM table will total out at 128,000 (16,000 x 8) 131,052 to be exact
-Since hash isn’t perfect it actually takes 70 seconds to fill the cam table
• Once table is full, traffic without a CAM entry floods on the VLAN, existing traffic NOT
CAT6506 (enable) sho cam count dynamic
Total Matching CAM Entries = 131052
10.1.1.22 -> (broadcast) ARP C Who is 10.1.1.1, 10.1.1.1 ?10.1.1.22 -> (broadcast) ARP C Who is 10.1.1.19, 10.1.1.19 ?15.1.1.26 -> 15.1.1.25 ICMP Echo request (ID: 256 Sequence number: 7424) ß OOPS15.1.1.25 -> 15.1.1.26 ICMP Echo reply (ID: 256 Sequence number: 7424) ß OOPS
Snoop output on non-SPAN port
![Page 56: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/56.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 56PS-5433029_05_2001_c1
MAC flooding mitigation
CATALYST>
set port security 3/21 enable age 10 maximum 5 violation restrict
CATALYST>
CATALYST>
CATALYST>
2001 Jul 03 15:40:32 %SECURITY-1-PORTSHUTDOWN:Port 3/21 shutdown due to no space
• Port SecurityBeware management
and performance hit
Lots of options besides
just “ON/OFF”
1025 MAC entries into
table + 1 per port
“Restrict” option will
fail under dsniff load
and disable the port
![Page 57: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/57.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 57PS-5433029_05_2001_c1
Selective Sniffing
• Once traffic is flooded through either of the previous two methods Dsniff obtains passwords
[root@hacker-lnx dsniff-2.3]# ./dsniff -cdsniff: listening on eth0-----------------07/17/01 10:09:48 tcp 15.1.1.26.1126 -> wwwin-apps.cisco.com.80
(http)GET /SERVICE/Paging/page/ HTTP/1.1Host: wwwin-apps.cisco.comAuthorization: Basic c2Nvdlgh39UNMRH4lejDmaA== [myuser:mypassword]
Supports more than 30 standardized / proprietary protocols: FTP, Telnet, SMTP, HTTP, POP, poppass, NNTP, IMAP, SNMP, LDAP, Rlogin, RIP, OSPF, PPTP MS-CHAP, NFS, YP/NIS, SOCKS, X11, CVS, IRC, AIM, ICQ, Napster, PostgreSQL, Meeting Maker, Citrix ICA, Symantec pcAnywhere, NAI Sniffer, Microsoft SMB, Oracle SQL*Net, Sybase et Microsoft SQL.
![Page 58: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/58.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 58PS-5433029_05_2001_c1
SSL / SSH Interception
• Using dnsspoof all web sites can resolve to the dsniff host IP address:
C:\>ping www.amazon.com
Pinging www.amazon.com [15.1.1.25] with 32 bytes of data:
Reply from 15.1.1.25: bytes=32 time<10ms TTL=249Reply from 15.1.1.25: bytes=32 time<10ms TTL=249Reply from 15.1.1.25: bytes=32 time<10ms TTL=249Reply from 15.1.1.25: bytes=32 time<10ms TTL=249
• Once that happens you can proxy all web connections through the dsniff host
![Page 59: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/59.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 59PS-5433029_05_2001_c1
SSL / SSH Interception
• Using dsniff (webmitm) most SSL sessions can be intercepted and bogus certificate credentials can be presented
![Page 60: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/60.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 60PS-5433029_05_2001_c1
SSL / SSH Interception
• Upon inspection they will look invalid but they would likely fool most users
![Page 61: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/61.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 61PS-5433029_05_2001_c1
Attack Summary
• Switches can be sniffed without SPAN
• ARP has no security
• Switches fail open under load
![Page 62: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/62.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 62PS-5433029_05_2001_c1
Private VLAN Attacks 1/2
PVLANs WorkDrop Packet
Attacker
Mac:A IP:1
S:A1 D:B2
Victim
Mac:B IP:2
Promiscuous Port
Isolated Port
Router
Mac:C IP:3
XX
![Page 63: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/63.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 63PS-5433029_05_2001_c1
Attacker
Mac:A IP:1
Victim
Mac:B IP:2
Promiscuous Port
Isolated Port
Private VLAN Attacks 2/2
• Only allows unidirectional traffic (Victim will ARP for A and fail)• If both hosts were compromised, setting static ARP entries for each
other via the router will allow bi-directional traffic• Most firewalls will not forward the packet like a router• Note: this is not a PVLAN vulnerability as it enforced the rules!
S:A1 D: C2
PVLANs WorkForward Packet
S:A1 D:C2
Routers Route:Forward Packet
S:A1 D:B2
S:A1 D: B2
Intended PVLAN Security Is Bypassed
Router
Mac:C IP:3
![Page 64: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/64.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 64PS-5433029_05_2001_c1
PVLAN Attack Mitigation
• Setup ACL on ingress router port:
IOS(config)#access-l 101 deny ip localsubnet lsubmask localsubnet lsubmasklog
IOS(config)#access-l 101 permit ip any any
IOS(config-if)#ip access-group 101 in
• All known PVLAN exploits will now fail
• VLAN ACL (VACL) could also be used
![Page 65: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/65.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 65PS-5433029_05_2001_c1
Agenda
•• SSecurityecurity MMythsyths
• Management Channels
• VLAN Isolation
• Known Attacks
• Secure Switch Configuration
![Page 66: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/66.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 66PS-5433029_05_2001_c1
Secure Management Channels
• Set login/enable passwords
• use out of band management
• Use SSH instead of Telnet
• change SNMP community string
• use set ip permit to restrict telnet/SNMP access
• disable CDP on station ports
• disable trunking on station ports
• use password authentication for VTP
• do not rely on port security
![Page 67: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/67.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 67PS-5433029_05_2001_c1
Secure Management Channels
• Use TACACS+ and one time passwords
• do not use VTP
• do not use CDP at all
• do not use VMPS
• put all unused ports to a dummy VLAN without any layer 3 device
PARANOID?PARANOID?
![Page 68: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/68.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 68PS-5433029_05_2001_c1
News from the front : IEEE 802.1x
AuthenticationServer
23
802.1x is a client-server-based access control and authentication protocol that restricts unauthorized devices from connecting
to a LAN through publicly accessible ports
41
1 User activates link (i.e. PC Powers on)
2 Switch requests Authentication Server if user authorised to access LAN3
4
Authentication Server responds with authority access
Switch opens controlled port (if authorised) for user to access LAN
![Page 69: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/69.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 69PS-5433029_05_2001_c1
IEEE 802.1x(Terminology)
Authenticator PAE
Supplicant PAE (Port Access Entity)
EAPOL EAPOL
Extensible AuthenticationProtocol over LAN
Authentication Server
![Page 70: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/70.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 70PS-5433029_05_2001_c1
IEEE 802.1x(Switch Authentication)
Controlled
Un-Controlled
For each 802.1x switch port, the switch createsTWO virtual access points at each port
Uncontrolled port provides a path forEAPOL (Extensible AuthenticationProtocol over LAN) traffic ONLY
The controlled port is open only when thedevice connected to the port has been
authorized by 802.1x
EAPOLEAPOL
![Page 71: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/71.jpg)
71© 2001, Cisco Systems, Inc. All rights reserved.
PS-5433029_05_2001_c1
Summary
![Page 72: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/72.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 72PS-5433029_05_2001_c1
Layer 2 Security Best Practices 1/2
• Manage switches in as secure a manner as possible (SSH, OOB, permit lists, etc.)
• Always use a dedicated VLAN ID for all trunk ports
• Be paranoid: do not use VLAN 1 for anything
• Set all user ports to non trunking
• Deploy port-security where possible for user ports
• Selectively use SNMP and treat community strings like root passwords
• Have a plan for the ARP security issues in your network
![Page 73: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/73.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 73PS-5433029_05_2001_c1
Layer 2 Security Best Practices 2/2
• Enable STP attack mitigation (BPDU Guard, Root Guard)
• Use private VLANs where appropriate to further divide L2 networks
• Use MD5 authentication for VTP
• Use CDP only where necessary
• Disable all unused ports and put them in an unused VLAN
• Consider 802.1X for the future
All of the Preceding Features Are Dependant on Your Own Security Policy
All of the Preceding Features Are Dependant on Your Own Security Policy
![Page 74: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/74.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 74PS-5433029_05_2001_c1
Catalyst Switch Feature Support
Cat 2900 XL
Cat 2900 XL
Port SecurityPort Security
STP BPDU GuardSTP BPDU Guard
STP Root GuardSTP Root Guard
SSH SupportSSH Support
Wire Rate ACLsWire Rate ACLs
Private VLANsPrivate VLANs
Cat 3500 XL
Cat 3500 XL
Cat 29XX
G
Cat 29XX
G
Cat 2950Cat 2950
Cat 3550Cat 3550
CatOS 4000
CatOS 4000
CatOS 6000
CatOS 6000
IOS 4000IOS 4000
IOS 6000IOS 6000
802.1X Auth802.1X Auth
VMPS ClientVMPS Client
VMPS ServerVMPS Server
XX XXXX XXXX XX XXXX XXXX XX XX XX
XX XX XXXX XX XXXX XXXX XXXX XXXX XX XX
XX XX XX
XX XXXX XXXX XXXX XX XXXX XX XX
XX XXXX XX XXXX XX XXXX XX XX
XX XX
XX XX XX
XX XX
![Page 75: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/75.jpg)
© 2001, Cisco Systems, Inc. All rights reserved. 75PS-5433029_05_2001_c1
Further Reading
• SAFE Blueprintshttp://www.cisco.com/go/safe
• Improving Security on Cisco Routershttp://www.cisco.com/warp/public/707/21.html
• Securing Networks with Private VLANs and VLAN Access Control Lists
http://www.cisco.com/warp/public/473/90.shtml
• Links in this presentation:Port security: http://cisco.com/univercd/cc/td/doc/product/lan/cat5000/rel_5_4/config/sec_port.htmSANS VLAN paper (out of date): http://www.sans.org/newlook/resources/IDFAQ/vlan.htmPVLAN details: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_7_1/conf_gd/vlans.htm#xtocid854519
![Page 76: Security Best Practices in Catalyst Campus Switches...• Security Myths • Management ... • VQP for VMPS Virtual Membership Policy Server ... • Always use a dedicated VLAN ID](https://reader034.vdocuments.us/reader034/viewer/2022050309/5f70eb8028a48274911f029b/html5/thumbnails/76.jpg)
76Presentation_ID © 2001, Cisco Systems, Inc. All rights reserved.