# Securing the Control Plane and Data Plane on Cisco Switches

## Securing Spanning Tree Protocol

- Frames do not contain a TTL
- Switches flood frames whose destination they do not know out of every other port
- A loop can cause the original frame to be recreated millions of times
### Spanning Tree Overview

- Creates a tree of the network
- Root of the tree is the root bridge
  - Elected via lowest Bridge ID (BID)
  - BID is a combination of priority and MAC address
- Switches communicate this information via BPDUs
- Each switch determines the best path to the root
  - That interface is the root port
  - Downstream ports are designated ports
- At the end of convergence there are no loops
### How Can Malicious Attackers Leverage STP?

- Attacker sends BPDUs, forcing the switches back into convergence; while converging no switch forwards frames, causing a DoS.

[Image: bpdu]

- Attacker becomes the root bridge, so every switch determines its best path through the attacker; the attacker becomes a man in the middle and can see all traffic.

[Image: root]
### Mitigating Attacks Against STP

- Shut down any interfaces not in use
- Disable DTP (Dynamic Trunking Protocol):

```
(config-if)#switchport nonegotiate
```

- Manually configure non-trunk ports as access ports:

```
(config-if)#switchport mode access
```

- Disabling DTP and manually configuring access ports significantly protects the network
### Enabling BPDU Guard

Global configuration (applies to all PortFast edge ports):

```
(config)#spanning-tree portfast edge {bpduguard|bpdufilter} default
(config-if)#spanning-tree portfast edge
```

OR, per interface:

```
(config-if)#spanning-tree {bpduguard|bpdufilter} enable
```
### Additional Mitigations

- Manually configure the bridge priority
  - The `root primary` command only lowers the priority enough to make this switch the root among the switches currently in the spanning tree
  - It is still technically possible for another device to become root if its priority is also 0 and it has a lower MAC address
- Configure root guard on all designated ports
  - Causes the interface to ignore any BPDU with a BID lower than the current root's

Configure the switch priority (PVST):

```
(config)#spanning-tree vlan 100-200 priority 0
### OR
(config)#spanning-tree vlan 100-200 root primary
```

Configure the switch priority (MST):

```
(config)#spanning-tree mst 1 priority 0
### OR
(config)#spanning-tree mst 1 root primary
```

Configure root guard:

```
(config-if)#spanning-tree guard root
```
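The BID comparison behind the two caveats above (priority ties are broken by the lower MAC, and root guard discards superior BPDUs on designated ports), as an added Python model that is not part of the original notes; switch names, MACs and the simplified `root primary` arithmetic are assumptions:

```python
# Added example (not from the original notes): STP root election by lowest
# Bridge ID and the root-guard check. Switch names and MACs are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int          # 0-61440 in steps of 4096
    mac: str               # dotted-hex form, e.g. "0000.0c11.1111"

    @property
    def bid(self):
        # Bridge ID compares priority first, then MAC address; lower wins.
        return (self.priority, int(self.mac.replace(".", ""), 16))


def elect_root(bridges):
    """Return the bridge with the lowest BID."""
    return min(bridges, key=lambda b: b.bid)


def root_guard_blocks(current_root, bpdu_from):
    """Root guard on a designated port: a BPDU advertising a BID lower than
    the current root's is ignored and the port goes root-inconsistent."""
    return bpdu_from.bid < current_root.bid


def root_primary(local, others):
    """Simplified 'spanning-tree root primary' (assumption: use 24576 if that
    beats the current root, otherwise 4096 below the root's priority)."""
    best = elect_root(others)
    new_prio = 24576 if 24576 < best.priority else max(best.priority - 4096, 0)
    return Bridge(local.name, new_prio, local.mac)


SW_A = Bridge("SwA", 32768, "0000.0c11.1111")
SW_B = Bridge("SwB", 32768, "0000.0c22.2222")
ROGUE = Bridge("Rogue", 0, "0000.0c00.0001")      # device with priority 0


def demo():
    hardened = Bridge("SwA", 0, SW_A.mac)           # priority 0 configured
    return {
        "root": elect_root([SW_A, SW_B]).name,     # tie on priority, lower MAC wins
        "priority_0_still_loses": elect_root([hardened, ROGUE]).name,
        "root_guard_blocks_rogue": root_guard_blocks(hardened, ROGUE),
        "root_primary_priority": root_primary(SW_A, [SW_B]).priority,
    }
```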
## Securing Virtual Trunking Protocol

### Virtual Trunking Protocol

- Quickly propagates VLANs across switches without having to configure each one manually
- Versions 1, 2 & 3
- Server mode
  - Changes are configured and then pushed out
- Client mode
  - Applies changes from a server, but cannot be changed manually by an administrator
- Transparent mode
  - Does not apply changes, but still forwards VTP messages to other switches
- The revision number is important!
  - If the VTP revision number in a message is higher than the switch's own:
    - The switch updates its VLAN database
    - It keeps only the VLANs in the message
  - It is not hard to overwrite a working VLAN database
  - Erasing the startup-config does not remove the VLAN database
### Mistake Waiting to Happen

- A switch with different VLANs is connected to the network
  - It has a higher revision number
  - It is still configured as a VTP server
- All switches would erase their valid VLANs and add the bogus ones
### VTP Version 3

- Primary VTP server
  - Only one switch can be the primary VTP server
- Use an MD5-hashed password

```
GloboSwitch1#show vtp status
GloboSwitch1#conf t
GloboSwitch1(config)#vtp domain GloboVTP
GloboSwitch1(config)#vtp version 3
GloboSwitch1(config)#vtp password Globo123
GloboSwitch1(config)#int range gi 0/2 -3
GloboSwitch1(config-if-range)#no vtp
GloboSwitch1(config-if-range)#switchport mode access
GloboSwitch1(config-if-range)#switchport nonegotiate
GloboSwitch1#vtp primary
```
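The revision-number rule and the "mistake waiting to happen" above, as an added Python model that is not part of the original notes; the domain, password, VLAN lists and the simplified password check are assumptions:

```python
# Added example (not from the notes): model of how a switch accepts a VTP
# advertisement. Domains, passwords and VLAN lists are constructed samples.
import hashlib
from dataclasses import dataclass, field
from typing import Optional


def vtp_secret(password: str) -> str:
    # Stand-in for the MD5-based VTP secret (assumption: the real derivation
    # also covers the domain name and other fields not modelled here).
    return hashlib.md5(password.encode()).hexdigest()


@dataclass
class Switch:
    name: str
    domain: str
    mode: str                         # "server", "client" or "transparent"
    revision: int
    vlans: set
    secret: Optional[str] = None
    forwarded: list = field(default_factory=list)

    def receive(self, domain: str, revision: int, vlans: set,
                secret: Optional[str]) -> str:
        """Rule from the notes: same domain plus a higher revision replaces
        the whole VLAN database. Transparent mode only forwards."""
        if domain != self.domain:
            return "ignored: other domain"
        if self.mode == "transparent":
            self.forwarded.append((domain, revision))
            return "forwarded, not applied"
        if self.secret is not None and secret != self.secret:
            return "ignored: bad password"
        if revision <= self.revision:
            return "ignored: revision not higher"
        self.vlans = set(vlans)        # VLANs absent from the message are erased
        self.revision = revision
        return "applied"


def demo() -> dict:
    lab = Switch("GloboLab", "GloboVTP", "server", 42, {999})   # stale lab switch
    core = Switch("GloboCore", "GloboVTP", "server", 10, {10, 20, 100})
    unprotected = core.receive(lab.domain, lab.revision, lab.vlans, None)
    hardened = Switch("GloboCore", "GloboVTP", "server", 10, {10, 20, 100},
                      secret=vtp_secret("Globo123"))
    protected = hardened.receive(lab.domain, lab.revision, lab.vlans, None)
    return {"unprotected": unprotected, "core_vlans": core.vlans,
            "protected": protected, "hardened_vlans": hardened.vlans}
```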
## Port Security

### CAM Table

- Associates MAC address, switch interface & VLAN
- Switches a frame directly if it knows which port to send it to
- Otherwise floods the frame in order to find the port the MAC address resides on
- Updates the table once the port and MAC address are learned

### MAC Spoofing Attack

- Attacker could spoof a MAC address
- Switch would update its CAM table with the attacker's port and send future frames there
- The legitimate device will eventually respond, causing the switch to update the CAM table again
- Attacker could keep sending frames with the spoofed MAC address to keep the switch forwarding frames to it

### CAM Flooding Attack

- The attacker sends so many frames with spoofed MAC addresses that the CAM table fills up and the switch can no longer process frames efficiently.
### Port Security

- Configures the interface to only allow certain MAC addresses
- MAC addresses can be configured manually on the interface, but this is administratively difficult to do for all interfaces
- Sticky MAC addresses allow the port to dynamically learn MAC addresses as devices are plugged in

```
(config-if)#switchport port-security
(config-if)#switchport port-security mac-address <48-bit MAC address>
(config-if)#switchport port-security mac-address sticky
(config-if)#switchport port-security maximum 5
(config-if)#exit
(config)#errdisable recovery cause psecure-violation
```

Additional port security violation actions:

- Drop frames silently until the number of MAC addresses drops below the maximum:

```
(config-if)#switchport port-security violation protect
```

- Drop frames until the number of MAC addresses drops below the maximum, and generate a syslog and SNMP message:

```
(config-if)#switchport port-security violation restrict
```

- Default (the port is err-disabled):

```
(config-if)#switchport port-security violation shutdown
```

Age out the MAC addresses:

```
(config-if)#switchport port-security aging time 10
(config-if)#switchport port-security aging type {inactivity|absolute}
```
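How the three violation modes differ when a port limited to a few sticky addresses sees a burst of spoofed source MACs, as an added Python model that is not part of the original notes; port name, MAC addresses and the log text are constructed:

```python
# Added example (not from the original notes): a model of port-security
# violation handling for the three modes in the notes. MAC addresses and
# port names are constructed sample values.
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1
    violation: str = "shutdown"          # IOS default mode
    sticky: bool = True                  # learn addresses as devices plug in
    secure_macs: set = field(default_factory=set)
    err_disabled: bool = False
    syslog: list = field(default_factory=list)

    def ingress(self, src_mac: str) -> str:
        """Return what happens to a frame arriving from src_mac."""
        if self.err_disabled:
            return "dropped: port err-disabled"
        if src_mac in self.secure_macs:
            return "forwarded"
        if self.sticky and len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)    # sticky-learned secure address
            return "forwarded (learned)"
        if self.violation == "protect":
            return "dropped silently"
        if self.violation == "restrict":
            self.syslog.append(f"violation: {src_mac} on {self.name}")  # constructed log line
            return "dropped and logged"
        self.err_disabled = True              # shutdown: port goes err-disabled
        self.syslog.append(f"err-disabled: psecure-violation on {self.name}")
        return "dropped, port err-disabled"


# Constructed traffic: two real hosts, then a burst of spoofed source MACs
# of the kind a CAM-flooding attack would produce.
FLOOD = ["0050.7966.6800", "0050.7966.6801"] + [f"0000.0c00.{i:04x}" for i in range(50)]


def replay(mode: str, macs: list) -> Counter:
    """Feed a sequence of source MACs to a port limited to 2 addresses."""
    port = SecurePort("Eth0/1", maximum=2, violation=mode)
    return Counter(port.ingress(m) for m in macs)
```

Note that in protect and restrict mode the two legitimate hosts keep working while the spoofed frames are dropped, whereas shutdown mode takes the whole port (and the legitimate hosts) offline until errdisable recovery or a manual `shutdown`/`no shutdown`.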
## DHCP Snooping

### DHCP Security Risks

- A rogue DHCP server could start issuing IPs
  - Could place itself as the default gateway
  - Man-in-the-middle
- Rogue DHCP server floods DHCP requests
  - Causes the legitimate DHCP server to run out of IPs
  - DHCP starvation attack
  - Clients will then only receive offers from the rogue DHCP server

### DHCP Snooping

- Define the interfaces connected to trusted DHCP servers
- DHCP offers arriving on untrusted interfaces are dropped
- Creates a DHCP snooping database of clients
  - Contains MAC, IP and VLAN ID
- Rate limiting feature
  - Used to prevent DHCP starvation attacks

```
GloboAccess(config)#ip dhcp snooping vlan 100
GloboAccess(config)#int eth 0/0
GloboAccess(config-if)#ip dhcp snooping trust
GloboAccess(config-if)#exit
GloboAccess(config)#int range eth 0/0 -1
GloboAccess(config-if-range)#ip dhcp snooping limit rate 10
GloboAccess(config-if-range)#exit
GloboAccess(config)#ip dhcp snooping
```
## Dynamic ARP Inspection

### ARP Poisoning

- Attacker changes a victim's ARP entry so that the victim's IP address points to the attacker's MAC
  - By responding to a legitimate ARP request
  - By sending a gratuitous ARP packet

### Dynamic ARP Inspection

- Can leverage the DHCP snooping database
- Verifies ARP replies against the database
- ARP packets that do not match are dropped
- All untrusted interfaces are checked

### Configuring Dynamic ARP Inspection

```
(config)#ip arp inspection vlan 90-100,200
(config)#arp access-list ARP-ACL
(config-arp-nacl)#permit ip host 192.168.1.10 mac host 0050.7966.6800
(config-arp-nacl)#exit
(config)#ip arp inspection filter ARP-ACL vlan 90-100,200
(config)#int ethernet 0/1
(config-if)#ip arp inspection trust
```
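How the DHCP snooping section and the DAI section above fit together (the snooped leases become the bindings DAI checks, and the ARP ACL covers the statically addressed host), as one added Python model that is not part of the original notes; port names, MACs, IPs and the message names are constructed:

```python
# Added example (not from the original notes): a model of the DHCP snooping
# binding table feeding Dynamic ARP Inspection, with the static ARP ACL entry
# from the configuration above. Port names and addresses are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int


class L2Guard:
    def __init__(self, trusted_ports: set, arp_acl: set):
        self.trusted = trusted_ports
        self.arp_acl = arp_acl          # static (ip, mac) pairs, e.g. servers
        self.bindings: set = set()      # learned from snooped DHCP ACKs

    def dhcp(self, port: str, msg: str, mac: str, ip: str, vlan: int) -> str:
        """Server messages are only accepted from trusted ports; an ACK from
        a trusted server records the client's binding."""
        if msg in ("OFFER", "ACK") and port not in self.trusted:
            return "dropped: server message on untrusted port"
        if msg == "ACK":
            self.bindings.add(Binding(mac, ip, vlan))
        return "forwarded"

    def arp(self, port: str, sender_mac: str, sender_ip: str, vlan: int) -> str:
        """DAI: trusted ports bypass the check; on untrusted ports the sender
        must match a DHCP binding or an ARP ACL permit, otherwise drop."""
        if port in self.trusted:
            return "forwarded (trusted)"
        if (sender_ip, sender_mac) in self.arp_acl:
            return "forwarded (arp acl)"
        if Binding(sender_mac, sender_ip, vlan) in self.bindings:
            return "forwarded (binding)"
        return "dropped: no matching binding"


def demo() -> list:
    g = L2Guard({"Eth0/0"}, {("192.168.1.10", "0050.7966.6800")})
    return [
        g.dhcp("Eth0/2", "OFFER", "aaaa.bbbb.cccc", "192.168.1.50", 100),  # rogue offer
        g.dhcp("Eth0/0", "ACK", "0050.7966.6801", "192.168.1.50", 100),    # real lease
        g.arp("Eth0/2", "0050.7966.6801", "192.168.1.50", 100),           # matches lease
        g.arp("Eth0/2", "aaaa.bbbb.cccc", "192.168.1.1", 100),            # gateway spoof
        g.arp("Eth0/3", "0050.7966.6800", "192.168.1.10", 100),           # static server
    ]
```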
## Segmentation and Private VLANs

### Segmentation

- Better network performance
- Reduced attack surface
- Easier to monitor smaller segments
- Each VLAN is usually part of a single subnet
  - Devices in it can communicate with each other
  - Traffic leaves the subnet to communicate outside the VLAN
- May want to segment a VLAN even further

### Private VLANs

- Use traditional VLANs as primary VLANs
- Associate secondary VLANs to primary VLANs
- Promiscuous port
  - Part of the primary VLAN
  - Used by the secondary VLANs to talk outside of their VLAN
  - VLAN 100
- Community port
  - Can communicate with any other device in the same community, but not with other communities
  - VLANs 200, 300, 400 & 500
- Isolated port
  - Can't communicate with any isolated or community port
  - VLAN 600
```
GloboCore(config)#int vlan 100
GloboCore(config-if)#ip add 192.168.1.1 255.255.255.0
GloboCore(config-if)#no shut
GloboCore(config-if)#int lo 1
GloboCore(config-if)#ip add 10.10.10.1 255.255.255.255
GloboCore(config-if)#exit
GloboCore(config)#int eth 0/0
GloboCore(config-if)#sw mode acc
GloboCore(config-if)#sw acc vlan 100
GloboCore(config-if)#no shut
GloboCore(config-if)#exit
```
```
GloboAccess(config)#vtp mode transparent
GloboAccess(config)#vlan 200
GloboAccess(config-vlan)#private-vlan community
GloboAccess(config-vlan)#exit
GloboAccess(config)#vlan 600
GloboAccess(config-vlan)#private-vlan isolated
GloboAccess(config-vlan)#exit
GloboAccess(config)#vlan 100
GloboAccess(config-vlan)#private-vlan primary
GloboAccess(config-vlan)#private-vlan association 200,600
GloboAccess(config-vlan)#exit
GloboAccess(config)#int eth 0/0
GloboAccess(config-if)#switchport mode private-vlan promiscuous
GloboAccess(config-if)#switchport private-vlan mapping 100 200,600
GloboAccess(config-if)#no shut
GloboAccess(config-if)#exit
GloboAccess(config)#int range eth 0/1 -2
GloboAccess(config-if-range)#switchport mode private-vlan host
GloboAccess(config-if-range)#switchport private-vlan host-association 100 200
GloboAccess(config-if-range)#exit
GloboAccess(config)#int range eth 1/1 -2
GloboAccess(config-if-range)#switchport mode private-vlan host
GloboAccess(config-if-range)#switchport private-vlan host-association 100 600
```
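Which ports in the private VLAN above can reach which, as an added Python reachability check that is not part of the original notes; the port names follow the GloboAccess configuration and the extra community port in VLAN 300 is an assumption added to show cross-community isolation:

```python
# Added example (not from the original notes): a reachability check for the
# private-VLAN layout configured above (primary 100, community 200, isolated
# 600). Port names are constructed to match the GloboAccess configuration.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PvlanPort:
    name: str
    kind: str                        # "promiscuous", "community" or "isolated"
    primary: int
    secondary: Optional[int] = None  # None for promiscuous ports


def can_talk(a: PvlanPort, b: PvlanPort) -> bool:
    """Apply the private-VLAN rules from the notes to two different ports."""
    if a.primary != b.primary:
        return False                    # not in the same private VLAN at all
    if "promiscuous" in (a.kind, b.kind):
        return True                     # promiscuous reaches every secondary VLAN
    if "isolated" in (a.kind, b.kind):
        return False                    # isolated ports reach only promiscuous ports
    return a.secondary == b.secondary   # community: same community only


ROUTER = PvlanPort("Eth0/0", "promiscuous", 100)
COMM_1 = PvlanPort("Eth0/1", "community", 100, 200)
COMM_2 = PvlanPort("Eth0/2", "community", 100, 200)
OTHER = PvlanPort("Eth0/3", "community", 100, 300)   # assumed second community
ISO_1 = PvlanPort("Eth1/1", "isolated", 100, 600)
ISO_2 = PvlanPort("Eth1/2", "isolated", 100, 600)


def reachability_matrix() -> dict:
    """Pairwise reachability between all distinct ports, keyed by name."""
    ports = [ROUTER, COMM_1, COMM_2, OTHER, ISO_1, ISO_2]
    return {(a.name, b.name): can_talk(a, b)
            for a in ports for b in ports if a is not b}
```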
## Protecting Against Segmentation Attacks & Traffic Filtering at Layer 2

### Attacks Against Segmentation

- VLAN hopping attack
  - Establish a trunk port with the switch, then tag frames with any VLAN
  - Mitigate by disabling DTP
- Double tagging
  - Tag the frame with the native VLAN, then tag it with the destination VLAN
  - Mitigate by setting the native VLAN to an unused VLAN:

```
(config-if)#switchport trunk native vlan 999
```

### ACLs

- Use L3 and L4 ACLs on L2 ports
- Use L2 (MAC) ACLs on L2 ports

```
(config-if)#ip access-group NAME {in|out}
(config-if)#mac access-group NAME in
```

- Applying an ACL to a VLAN interface only affects traffic entering or leaving the VLAN
- VACLs are applied to all traffic within a VLAN
ACLs to define traffic for the access map:

```
(config)#ip access-list extended telnet-Traffic
(config-ext-nacl)#permit tcp any any eq 23
(config-ext-nacl)#exit
(config)#ip access-list extended Microsoft-RPC
(config-ext-nacl)#permit tcp any any eq 135
(config-ext-nacl)#permit udp any any eq 135
(config-ext-nacl)#exit
(config)#access-list 112 permit ip any any
```

Sample VLAN access map:

The ACLs used to match traffic do not determine what happens to it. Whatever references the ACL (here the access-map entry) determines what happens to the traffic that matches any of its permit statements. ACL names are case-sensitive, so the `match` must use the name exactly as the ACL was created.

```
(config)#vlan access-map VLAN-MAP 10
(config-access-map)#match ip address telnet-Traffic
(config-access-map)#action drop
(config-access-map)#exit
(config)#vlan access-map VLAN-MAP 20
(config-access-map)#match ip address Microsoft-RPC
(config-access-map)#action drop log
(config-access-map)#exit
(config)#vlan access-map VLAN-MAP 30
(config-access-map)#match ip address 112
(config-access-map)#action forward
```

Apply the VLAN access map to VLANs:

```
(config)#vlan filter VLAN-MAP vlan-list 10,20-50,100
```
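The access-map evaluation order described above (the ACL only selects traffic, the map entry supplies the action, and anything no entry matches is dropped), as an added Python evaluator that is not part of the original notes; the ACL and map contents mirror the configuration above and the sample packets are constructed:

```python
# Added example (not from the original notes): an evaluator for the VLAN
# access map above, showing that the ACLs only select traffic while the map
# entry's action decides its fate; unmatched traffic hits the implicit drop.
from dataclasses import dataclass
from typing import Optional

# Each ACL is a list of permit entries (protocol, destination port);
# "ip" matches every protocol and port None means any port.
ACLS = {
    "telnet-Traffic": [("tcp", 23)],
    "Microsoft-RPC": [("tcp", 135), ("udp", 135)],
    "112": [("ip", None)],
}

# vlan access-map VLAN-MAP, evaluated in sequence-number order.
VLAN_MAP = [
    (10, "telnet-Traffic", "drop"),
    (20, "Microsoft-RPC", "drop log"),
    (30, "112", "forward"),
]


@dataclass(frozen=True)
class Packet:
    proto: str                     # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None


def acl_permits(acl_name: str, pkt: Packet) -> bool:
    """True if any permit entry in the ACL matches the packet."""
    for proto, port in ACLS[acl_name]:
        if proto in ("ip", pkt.proto) and port in (None, pkt.dport):
            return True
    return False


def vacl_action(vlan_map: list, pkt: Packet) -> str:
    """First map entry whose ACL permits the packet decides the action;
    a packet matching no entry is dropped by the implicit deny."""
    for _seq, acl_name, action in vlan_map:
        if acl_permits(acl_name, pkt):
            return action
    return "drop (implicit)"


def demo() -> dict:
    samples = {"telnet": Packet("tcp", 23), "msrpc-udp": Packet("udp", 135),
               "https": Packet("tcp", 443), "icmp": Packet("icmp")}
    return {name: vacl_action(VLAN_MAP, p) for name, p in samples.items()}
```

Dropping entry 30 from the map shows why the final `permit ip any any` / `forward` clause matters: without it every packet that is not Telnet or MS-RPC is silently discarded.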
## Storm Control

- Broadcast storms can wreak havoc on a network
- Storm control can be used to prevent storms
- Monitors broadcast traffic on an interface
- Hardware storm control will drop any further broadcast traffic once the threshold is exceeded
- Software storm control will drop all further traffic

### Configuring Storm Control

```
(config-if)#storm-control broadcast level 60 [lower level]
(config-if)#storm-control action shutdown
(config-if)#storm-control broadcast include multicast
```