Chapter 5: Securing the Data Plane on Cisco Catalyst Switches

Securing the Data Plane on Cisco Catalyst Switches

© 2012 Cisco and/or its affiliates. All rights reserved.

1


Contents
Topics covered in this chapter include the following:
• An introduction to fundamental switching concepts, starting with the building blocks of VLANs and trunking
• An introduction to other building blocks of switching technology, including Spanning Tree Protocol for high availability
• A revisit and further explanation of security threats that exploit vulnerabilities in the switching infrastructure
• A description of how to plan and develop a strategy for protecting the data plane
• A description of the Spanning Tree Protocol Toolkit found on Cisco IOS routers that prevents STP operations from having an impact on the security posture
• A review of port security and how to configure it, to illustrate security controls that are aimed at mitigating MAC spoofing and other threats


Overview
• Overview of VLANs and Trunking
• Trunking and 802.1Q
• 802.1Q Tagging
• DTP (Dynamic Trunking Protocol)
• Native VLANs
• Configuring VLANs and Trunks
• Configuring Inter-VLAN Routing
• Spanning Tree Overview
• STP 802.1D, RSTP, PVRST+ …



Mitigating Layer 2 Attacks



Domino Effect If Layer 2 is Compromised

Layer 2 independence enables interoperability and interconnectivity.
However, from a security perspective, Layer 2 independence creates a challenge because a compromise at one layer is not always known by the other layers.
If the initial attack comes in at Layer 2, the rest of the network can be compromised in an instant.
Network security is only as strong as the weakest link, and that link might be the data link layer.



Layer 2 Best Practices
The following list suggests Layer 2 security best practices. All of these suggestions are dependent upon your security policy.
• Manage switches in as secure a manner as possible (SSH, OOB, permit lists, and so on).
• Whenever practical, declare the VLAN IDs used on trunk ports with the switchport trunk allowed vlan command.
• Do not use VLAN 1 for anything.
• Set all user ports to nontrunking (unless you are using Cisco VoIP).
• Use port security where possible for access ports.
• Selectively use SNMP and treat community strings like root passwords.
• Enable STP attack mitigation (BPDU guard, root guard).
• Use Cisco Discovery Protocol only where necessary (with phones it is useful).
• Disable all unused ports and put them in an unused VLAN.


Layer 2 Protection Toolkit

(Figure: Components of the Layer 2 Protection Toolkit)



Mitigating VLAN Attacks
• VLAN Hopping
– VLAN Hopping by Rogue Trunk
– VLAN Hopping by Double Tagging



Mitigating VLAN Hopping by Rogue Trunk
• By default, most switches support Dynamic Trunking Protocol (DTP), which automatically tries to negotiate trunk links.
– An attacker could configure a host to spoof a switch and advertise itself as being capable of using either ISL or 802.1Q.
– If successful, the attacking system then becomes a member of all VLANs.



VLAN Hopping by Rogue Trunk
A VLAN hopping attack can be launched in one of two ways:
• Spoofing DTP messages from the attacking host to cause the switch to enter trunking mode: From here, the attacker can send traffic tagged with the target VLAN, and the switch then delivers the packets to the destination.
• Introducing a rogue switch and turning trunking on: The attacker can then access all the VLANs on the victim switch from the rogue switch.



VLAN Hopping Attack - Double-Tagging
• Involves tagging transmitted frames with two 802.1Q headers in order to forward the frames to the wrong VLAN.
– The first switch strips the first tag off the frame and forwards the frame.
– The second switch then forwards the packet to the destination based on the VLAN identifier in the second 802.1Q header.

Mitigation techniques include ensuring that the native VLAN of the trunk ports is different from the native VLAN of the user ports.


STP Attack
• The attacking host broadcasts STP configuration and topology change BPDUs to force spanning-tree recalculations.
• The BPDUs sent by the attacking host announce a lower bridge priority in an attempt to be elected as the root bridge.
• If successful, the attacking host becomes the root bridge and sees a variety of frames that otherwise are not accessible.



PortFast
• It should only be used on access ports!
– If PortFast is enabled on a port connecting to another switch, there is a risk of creating a spanning-tree loop.

(Figure: PortFast applied to access ports facing a server and a workstation)


Configure PortFast
• Enable PortFast on a Layer 2 access port and force it to enter the forwarding state immediately.
Switch(config-if)# spanning-tree portfast

• Disable PortFast on a Layer 2 access port. PortFast is disabled by default.
Switch(config-if)# no spanning-tree portfast

• Globally enable the PortFast feature on all nontrunking ports.
Switch(config)# spanning-tree portfast default

• Determine if PortFast has been configured on a port.
Switch# show running-config interface type slot/port


BPDU Guard
• To enable BPDU guard on all PortFast-enabled ports, use the global configuration command:
Switch(config)# spanning-tree portfast bpduguard default
(Figure: root bridge with forwarding ports; the port facing the attacker has BPDU guard enabled and is blocked when the attacker sends an STP BPDU)


BPDU Filtering
• To enable BPDU filtering on all PortFast-enabled ports, use the global configuration command:
Switch(config)# spanning-tree portfast bpdufilter default

• To enable BPDU filtering on an interface, without having to enable PortFast, use the interface configuration command:
Switch(config-if)# spanning-tree bpdufilter enable



Root Guard
• Root guard is best deployed toward ports that connect to switches that should not be the root bridge, using the interface configuration command:
Switch(config-if)# spanning-tree guard root
(Figure: legitimate root bridge with priority 0 and MAC address 0000.0c45.1a5d; root guard is enabled on the port facing the attacker, so the attacker's STP BPDU claiming priority 0 and MAC address 0000.0c45.1234 leaves that port blocked while the other ports keep forwarding)


Mitigating MAC Spoofing and MAC Table Overflow Attacks




MAC Address Table Overflow Attack
An attacker wishes to sniff packets destined to Servers A and B. To do so, he launches a MAC flood attack.
(Figure: attacker and Servers A and B attached to the same switch on VLAN 10)
• Attacker uses macof to generate multiple packets with spoofed source MAC addresses.
• Over a short period of time, the MAC address table fills and no longer accepts new entries.
– As long as the attack continues, the MAC address table remains full.
• Switch starts to broadcast (flood) all packets that it receives out every port, making it behave like a hub.
• The attacker can now sniff packets destined for the servers.


MAC Address Spoofing

Mitigation techniques include configuring port security.



Using Port Security
• To prevent MAC spoofing and MAC table overflows, enable port security.
• Port security can be used to statically specify MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses.
• By limiting the number of permitted MAC addresses on a port to one, port security can be used to control unauthorized expansion of the network.
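The table overflow described under "MAC Address Table Overflow Attack" and the per-port learning limit described above, as an added model that is not part of the original deck. Table capacity, port names and MAC addresses are constructed, and port security's violation handling is simplified to dropping and counting the offending frame.

```python
# Toy model of a switch MAC (CAM) table under a MAC flood, with and without a
# port-security limit on the attacker's port. Constructed values throughout.
SERVER_B = "0000.0c00.000b"
PORTS = ["Gi0/1", "Gi0/2", "Gi0/3"]  # server A, server B, attacker

class MacTable:
    def __init__(self, capacity, port_limit=None):
        self.capacity = capacity      # total entries the CAM table can hold
        self.port_limit = port_limit  # max MACs per port (port security); None = off
        self.table = {}               # MAC -> port it was learned on
        self.per_port = {}            # port -> set of learned MACs
        self.violations = 0           # frames rejected by port security

    def learn(self, src_mac, in_port):
        """Source-address learning; returns True if the MAC is in the table afterwards."""
        if src_mac in self.table:
            return True
        if self.port_limit is not None and len(self.per_port.get(in_port, ())) >= self.port_limit:
            self.violations += 1      # port security: too many MACs on this port
            return False
        if len(self.table) >= self.capacity:
            return False              # table full: the new MAC is not learned
        self.table[src_mac] = in_port
        self.per_port.setdefault(in_port, set()).add(src_mac)
        return True

    def forward(self, dst_mac, in_port):
        """Ports a frame leaves on: the learned port, or every other port (flood)."""
        if dst_mac in self.table:
            return [self.table[dst_mac]]
        return [p for p in PORTS if p != in_port]

def simulate(port_limit=None, capacity=100, flood_frames=500):
    """Flood from Gi0/3, then let server B speak; where does a frame for B go?"""
    t = MacTable(capacity, port_limit)
    for i in range(flood_frames):          # macof-style stream of bogus source MACs
        t.learn(f"0200.0000.{i:04x}", "Gi0/3")
    t.learn(SERVER_B, "Gi0/2")             # server B sends only after the flood
    out_ports = t.forward(SERVER_B, "Gi0/1")  # server A sends a frame to server B
    return out_ports, t.violations, len(t.table)
```

Without a limit the frame for server B is flooded to the attacker's port as well; with `port_limit=1` on Gi0/3 only one bogus MAC is learned, the table stays small, and the frame reaches Gi0/2 alone.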



Enable Port Security
• Set the interface to access mode.
Switch(config-if)# switchport mode access

• Enable port security on the interface.
Switch(config-if)# switchport port-security
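A configuration audit that checks a running-config excerpt against the chapter's own recommendations (port security on access ports, nothing in VLAN 1, BPDU guard wherever PortFast is on, trunks that declare allowed VLANs and do not use native VLAN 1). This is an added example, not Cisco's code; the sample config and interface names are constructed, and the parser only understands the interface-level commands shown in this chapter.

```python
# Constructed sample running-config excerpt; not taken from a real device.
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk native vlan 1
"""

def parse_interfaces(config):  # interface name -> its indented config lines
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line.startswith(" ") and current is not None:
            ifaces[current].append(line.strip())
        else:
            current = None            # back at global configuration level
    return ifaces

def cmd(lines, prefix):  # argument text after a command prefix, None if absent
    return next((l[len(prefix):].strip() for l in lines if l.startswith(prefix)), None)

def audit(config):
    """Return one finding per violated check; an empty list means clean."""
    global_bpduguard = "spanning-tree portfast bpduguard default" in config.splitlines()
    findings = []
    for name, lines in parse_interfaces(config).items():
        has = lambda p: cmd(lines, p) is not None
        if has("switchport mode access"):
            if not has("switchport port-security"):
                findings.append(f"{name}: access port without port security")
            if cmd(lines, "switchport access vlan") in (None, "1"):  # default access VLAN is 1
                findings.append(f"{name}: access port in VLAN 1")
        guarded = global_bpduguard or has("spanning-tree bpduguard enable")
        if has("spanning-tree portfast") and not guarded:
            findings.append(f"{name}: PortFast without BPDU guard")
        if has("switchport mode trunk"):
            if not has("switchport trunk allowed vlan"):
                findings.append(f"{name}: trunk does not restrict allowed VLANs")
            if cmd(lines, "switchport trunk native vlan") in (None, "1"):  # default native VLAN is 1
                findings.append(f"{name}: trunk native VLAN is 1")
    return findings
```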


