Lesson 5 SAFE Layer 2 Security in Depth © 2005 Cisco Systems, Inc. All rights reserved. CSI v2.15-1.

Transcript:


Overview

General Switch Operation

Switches can be used to divide a physical network into multiple logical or virtual LANs through the use of Layer 2 traffic segmentation.

ISL Tag and 802.1q Header Structure

[Figure: field layout of the two tagging formats. ISL tag header: DA, Type, User, SA, LEN, AAAA03, HSA, VLAN, BPDU, INDEX, RES, followed by the encapsulated frame and its FCS. 802.1q header: DA, SA, TPID, TCI (Priority, CFI, VID), Length/Type, Data, FCS.]

Switches Are Targets

Switches Are Targets

Threats to switches include:
- CAM table overflow
- VLAN hopping
- STP manipulation
- MAC address spoofing
- Private VLAN attacks
- DHCP starvation

MAC CAM Table Operation

[Figure: hosts A, B and C attached to switch ports 1, 2 and 3, shown in three stages (i) to (iii). The CAM table begins with only port 1 = A and port 3 = C; as frames arrive the switch learns their source MACs until the table reads port 1 = A, port 2 = B, port 3 = C, and a frame from A to B is sent out port 2 only.]

CAM Table Overflow Attack

[Figure: the same hosts A, B and C on ports 1, 2 and 3, in two stages (i) and (ii). Port 3 sources frames with bogus MAC addresses X, Y, ... until the CAM table holds only port 1 = A, port 3 = X, port 3 = Y and the entry for B is gone; a frame from A to B then matches no entry (shown as "?") and is flooded to every port, including port 3.]
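The two CAM-table figures above, and the per-port MAC limit that the DHCP starvation slide and the summary recommend, can be reproduced with a small model. This is an added example, not code from the Cisco lesson: it models a learning table of capacity 8 with hosts A, B and C on ports 1, 2 and 3 as in the figure, and assumes that a full table loses its oldest entry (real switches age entries out, but the effect on the victim is the same). The optional per-port limit plays the role of port security's "maximum" setting with the "restrict" or "shutdown" violation action.

```python
"""Toy model of a switch CAM table with an optional per-port MAC limit, showing
why a full table floods unknown destinations and how a port-security style
limit contains that. Added example with constructed traffic; not lesson code."""
from collections import OrderedDict

FLOOD = "flood"      # destination unknown: frame is copied to every port in the VLAN


class CamTable:
    def __init__(self, capacity, per_port_limit=None, violation="restrict"):
        self.capacity = capacity              # total entries the table can hold
        self.per_port_limit = per_port_limit  # port-security "maximum"; None = unlimited
        self.violation = violation            # "restrict": drop offending frames; "shutdown": disable the port
        self.entries = OrderedDict()          # mac -> port, oldest entry first
        self.disabled_ports = set()
        self.violations = []                  # (port, mac) for every rejected source address

    def _count_on_port(self, port):
        return sum(1 for p in self.entries.values() if p == port)

    def learn(self, src_mac, port):
        """Source-address learning. Returns False if the frame must be dropped."""
        if port in self.disabled_ports:
            return False
        if src_mac in self.entries:
            self.entries.move_to_end(src_mac)   # refresh: most recently seen
            self.entries[src_mac] = port
            return True
        if self.per_port_limit is not None and self._count_on_port(port) >= self.per_port_limit:
            self.violations.append((port, src_mac))
            if self.violation == "shutdown":
                self.disabled_ports.add(port)
            return False
        if len(self.entries) >= self.capacity:
            # Modelling assumption: a full table loses its oldest entry
            # (real switches age entries out; the victim sees the same effect).
            self.entries.popitem(last=False)
        self.entries[src_mac] = port
        return True

    def forward(self, src_mac, dst_mac, port):
        """Process one frame arriving on `port`: learn, then pick the egress port."""
        if not self.learn(src_mac, port):
            return "dropped"
        return self.entries.get(dst_mac, FLOOD)


def scenario(per_port_limit, violation="restrict"):
    """Hosts A, B, C on ports 1, 2, 3 as in the figure; port 3 then sources 20
    extra constructed addresses. Returns (egress chosen for a later A->B frame,
    table size, number of port-security violations recorded)."""
    cam = CamTable(capacity=8, per_port_limit=per_port_limit, violation=violation)
    cam.forward("A", "B", 1)
    cam.forward("B", "A", 2)
    cam.forward("C", "A", 3)
    for i in range(20):
        cam.forward("X%02d" % i, "A", 3)
    return cam.forward("A", "B", 1), len(cam.entries), len(cam.violations)
```

Without a limit, `scenario(None)` ends with the table full of port-3 addresses, B's entry evicted, and the A-to-B frame flooded. With `scenario(1)` the first bogus source on port 3 is refused, all 20 are counted as violations, B stays learned on port 2 and the frame is switched to port 2 alone; with the "shutdown" action port 3 is disabled after the first violation, so even host C is cut off until the port is re-enabled.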

VLAN Hopping with Double Encapsulated 802.1q Traffic

[Figure: a frame carrying two 802.1q tags ("802.1q, 802.1q") enters switch 1 and leaves switch 2 carrying a single 802.1q tag.]
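To make the header slide and the double-encapsulation figure concrete, here is an added example (not from the Cisco lesson) that decodes the 802.1q tag stack of a raw Ethernet frame using the TPID/TCI layout shown above, and reports what a monitoring point on a trunk would want to flag: more than one stacked tag, or a tag that uses VLAN 1. The sample frames are constructed with a helper, not captured traffic; the MAC addresses and VLAN IDs in them are arbitrary.

```python
"""Decode the 802.1q tag stack of an Ethernet frame and flag frames that carry
more than one tag or that use VLAN 1. Added example; the frames below are
constructed test data, not captures."""
import struct

TPID_8021Q = 0x8100   # 802.1q Tag Protocol Identifier (the TPID field on the header slide)


def parse_8021q(frame: bytes):
    """Split a frame into (dst, src, tags, ethertype, payload).

    tags is a list of (priority, cfi, vid) tuples in wire order, outer tag
    first, decoded from each 16-bit Tag Control Information (TCI) field:
    bits 15-13 priority, bit 12 CFI, bits 11-0 VID.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an untagged Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset = 12
    tags = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated inside Length/Type field")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype != TPID_8021Q:
            break                      # not a tag: this is the real Length/Type
        if len(frame) < offset + 4:
            raise ValueError("frame truncated inside 802.1q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append((tci >> 13, (tci >> 12) & 0x1, tci & 0x0FFF))
        offset += 4
    return dst, src, tags, ethertype, frame[offset + 2:]


def build_frame(dst: bytes, src: bytes, vids, ethertype=0x0800, payload=b""):
    """Construct a frame with zero or more 802.1q tags (priority and CFI are 0)."""
    out = bytearray(dst + src)
    for vid in vids:
        out += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    out += struct.pack("!H", ethertype) + payload
    return bytes(out)


def inspect_frame(frame: bytes):
    """Return the findings a monitoring point would raise for this frame."""
    _, _, tags, _, _ = parse_8021q(frame)
    findings = []
    if len(tags) > 1:
        findings.append("double-tagged: %d stacked 802.1q tags, outer VID %d"
                        % (len(tags), tags[0][2]))
    for _, _, vid in tags:
        if vid == 1:
            findings.append("tag uses VLAN 1")
        if vid in (0, 0xFFF):
            findings.append("reserved VID %d" % vid)
    return findings


# Constructed sample frames (locally administered MAC addresses)
HOST_A = bytes.fromhex("020000000001")
HOST_B = bytes.fromhex("020000000002")
IPV4_STUB = b"\x45" + b"\x00" * 19            # stand-in for an IPv4 payload
PLAIN = build_frame(HOST_B, HOST_A, [], payload=IPV4_STUB)
SINGLE = build_frame(HOST_B, HOST_A, [10], payload=IPV4_STUB)
DOUBLE = build_frame(HOST_B, HOST_A, [1, 20], payload=IPV4_STUB)

if __name__ == "__main__":
    for name, f in (("plain", PLAIN), ("single", SINGLE), ("double", DOUBLE)):
        print(name, parse_8021q(f)[2], inspect_frame(f))
```

`parse_8021q` keeps reading 4-byte tags until it meets a Length/Type value other than the 802.1q TPID, so a frame with two tags yields a two-element list; `inspect_frame` on the constructed `DOUBLE` frame reports both the stacked tags and the use of VLAN 1, which is exactly the combination the summary's advice (dedicated native VLAN, never VLAN 1) is meant to remove.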

Traffic Interception Using Spanning Tree Protocol

[Figure: (a) a switched network with a root bridge and ports marked F (forwarding) and B (blocking); (b) a network attack host attached to the network takes part in STP, so the tree is recomputed and traffic that formerly crossed the link marked X now passes through the attack host.]

MAC Spoofing Attack

[Figure: four stages (i) to (iv) with hosts A, B and C on ports 1, 2 and 3. (i) and (ii): the CAM table holds port 1 = A, port 2 = B, port 3 = C; host C then sends frames with source MAC A, and the table now maps A to port 3 while B stays on port 2. (iii) and (iv): a frame with destination MAC A is delivered to port 3 (host C) until A transmits again and the switch relearns A on port 1, restoring port 1 = A, port 2 = B, port 3 = C.]

PVLAN Proxy Attack

[Figure: a private VLAN with the network attacker (MAC A, IP 1) and the target (MAC B, IP 2) on isolated ports and the router (MAC C, IP 3) on the promiscuous port. (a) A frame from the attacker addressed directly to the target (SRC A/1, DST B/2) is not delivered, because isolated ports cannot reach each other. (b) A frame with destination MAC C but destination IP 2 reaches the router through the promiscuous port, and the router forwards it to the target as SRC A/1, DST B/2.]

DHCP Starvation

A DHCP starvation attack works by broadcasting DHCP requests with spoofed MAC addresses. If enough requests are sent, network attackers can exhaust the address space available to the DHCP servers for a period of time. To mitigate DHCP starvation, limit the number of MAC addresses on a switch port.

Cisco Discovery Protocol

CDP runs at Layer 2 and allows Cisco devices to identify themselves to other Cisco devices. Information sent through CDP is transmitted in clear text and is unauthenticated. Selectively disable CDP on interfaces where management is not being performed.

VLAN Trunking Protocol

VTP is a Layer 2 messaging protocol that allows network administrators to centrally manage the addition, deletion, and renaming of VLANs. VTP security is provided through a password. No vulnerabilities have been identified or published with regard to VTP at present. SAFE recommends that a VTP password be set throughout the VTP domain.

EAPOL Authentication

[Figure: the 802.1x exchange between supplicant, authenticator and authentication server. EAPOL runs between supplicant and authenticator; RADIUS runs between authenticator and authentication server. Access is blocked until the exchange completes:
1. Supplicant to authenticator: EAPOL-Start
2. Authenticator to supplicant: EAP-Request/Identity
3. Supplicant to authenticator: EAP-Response/Identity, relayed as RADIUS Access-Request
4. Authentication server to authenticator: RADIUS Access-Challenge, relayed as EAP-Request
5. Supplicant to authenticator: EAP-Response (Credentials), relayed as RADIUS Access-Request
6. Authentication server to authenticator: RADIUS Access-Accept, relayed as EAP-Success; access allowed.]

Layer 2 Best Practices Scenarios

Layer 2 Best Practices Scenarios

The following cases are meant to highlight implementation of some of the Layer 2 mitigation techniques in specific situations. The various cases depend on three factors:
- The number of security zones in the network design
- The number of user groups in the network design
- The number of switch devices in the design

SAFE Best Practices: Single Security Zone, One User Group, One Physical Switch (Case No. 1)

Single Security Zone, One User Group, One Switch Design

[Figure: a single switch serving one user group, connected to the DMZ or Internet.]

SAFE Best Practices: Single Security Zone, One User Group, Multiple Physical Switches (Case No. 2)

Single Security Zone, One User Group, Multiple Physical Switches

[Figure: several interconnected switches serving one user group, connected to the DMZ or Internet.]

SAFE Best Practices: Single Security Zone, Multiple User Groups, Single Physical Switch (Case No. 3)

Single Security Zone, Multiple User Groups, Single Physical Switch

[Figure: one switch with ports assigned to user groups A, B, C and D; the legend distinguishes the four groups.]

SAFE Best Practices: Single Security Zone, Multiple User Groups, Multiple Physical Switches (Case No. 4)

Single Security Zone, Multiple User Groups, Multiple Physical Switches

[Figure: several interconnected switches with ports assigned to user groups A, B, C and D; the legend distinguishes the four groups.]

SAFE Best Practices: Multiple Security Zones, One User Group, Single Physical Switch (Case No. 5)

Multiple Security Zones, One User Group, Single Physical Switch

[Figure: one switch carrying both the External (DMZ) zone on VLAN 100 and the Internal zone on VLAN 200.]

Multiple Switch Network Separation

[Figure: the External (DMZ) zone, VLAN 100, and the Internal zone, VLAN 200, placed on separate switches.]

SAFE Best Practices: Multiple Security Zones, One User Group, Multiple Physical Switches (Case No. 6)

Multiple Security Zones, One User Group, Multiple Physical Switches

[Figure: Security Zone 1 and Security Zone 2, each on its own set of switches.]

Multiple Security Zones, One User Group, Multiple Physical Switches: Alternative Design

[Figure: the same two zones, Security Zone 1 and Security Zone 2, in an alternative switch layout.]

SAFE Best Practices: Multiple Security Zones, Multiple User Groups, Single Physical Switch (Case No. 7)

Multiple Security Zones, Multiple User Groups, Single Physical Switch

[Figure: one switch with ports assigned to user groups A, B, C, D and E across the security zones; the legend distinguishes the five groups.]

SAFE Best Practices: Multiple Security Zones, Multiple User Groups, Multiple Physical Switches (Case No. 8)

Multiple Security Zones, Multiple User Groups, Multiple Physical Switches

[Figure: Security Zone 1 and Security Zone 2, each on its own switches, with several user groups in each zone.]

Summary

Summary

- Attacks that use Layer 2 to bypass VLAN restrictions are quickly gaining sophistication and popularity.
- Use SSH if possible, or an out-of-band management system.
- Avoid the use of clear text management protocols, such as Telnet or SNMP v1.
- Use ACLs to restrict access to management ports.
- Use SNMPv3 and treat community strings like root passwords.
- When SNMPv3 is used as a management protocol, restrict management access to the VLAN.
- Consider using DHCP snooping and IP source guard to mitigate DHCP starvation attacks.
- Always use a dedicated VLAN ID for all trunk ports. Avoid using VLAN 1.

Summary (Cont.)

- Set all user ports to nontrunking mode.
- Deploy port security for user ports where possible. Configure each port to associate a limited number of MAC addresses to mitigate MAC flooding and other network attacks.
- For the ARP security issues in your network, consider using DHCP snooping, along with DAI and IP source guard, to protect against MAC spoofing and IP spoofing on the network.
- Use VACLs to prevent rogue DHCP servers by limiting replies to DHCP clients to valid DHCP servers on the network.
- Use DHCP snooping to block unauthorized DHCP servers from responding to DHCP request packets.

Summary (Cont.)

- Enable Spanning Tree Protocol attack mitigation techniques such as BPDU Guard and Root Guard.
- Where appropriate, use private VLANs to further divide Layer 2 networks.
- Use CDP only where appropriate.
- Disable all unused ports and put them in an unused VLAN to prevent network intruders from plugging into unused ports and communicating with the rest of the network.
- Use Cisco IOS software ACLs on IP-forwarding devices to protect against the Layer 2 proxy attack on PVLANs.
- Eliminate native VLANs from 802.1q trunks.
- Use VTP passwords to authenticate VTP advertisements.
- Consider using Layer 2 port authentication, such as 802.1x, to authenticate clients who are attempting connectivity to a network.
- Procedures for change control and configuration analysis must be in place to ensure that changes result in a secure configuration.
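The last summary point asks for configuration analysis as part of change control. The following added example (not part of the Cisco lesson) is one way to make the Layer 2 items of the checklist repeatable: it parses a Catalyst-style running-config into global lines and interface blocks and reports which items are missing on each port. The two configs are constructed for the example, the VTP password is a placeholder, the checks are one engineer's reading of the summary (the SNMP and vty items are left out), and the IOS command syntax is the standard Catalyst form for DHCP snooping, DAI, port security, IP source guard, BPDU Guard, Root Guard and trunk settings.

```python
"""Audit a Catalyst-style running-config against the Layer 2 checklist above.
Added example: checks follow the summary; both configs are constructed."""
import re

def parse_config(text):
    """Split IOS-style text into (header, [indented sub-lines]) blocks; '!' and blank lines are dropped."""
    blocks = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        elif not line.startswith(" "):
            blocks.append((line, []))
    return blocks

def access_vlan(sub):
    """VLAN of an access port; IOS defaults to VLAN 1 when none is configured."""
    for s in sub:
        m = re.match(r"switchport access vlan (\d+)$", s)
        if m:
            return int(m.group(1))
    return 1

def audit(text):
    """Return human-readable findings; an empty list means every check passed."""
    blocks = parse_config(text)
    headers = [h for h, _ in blocks]
    def has(pattern):
        return any(re.match(pattern, h) for h in headers)
    out = []
    if not has(r"ip dhcp snooping$"):
        out.append("global: DHCP snooping not enabled")
    if not has(r"ip dhcp snooping vlan "):
        out.append("global: DHCP snooping enabled on no VLAN")
    if not has(r"ip arp inspection vlan "):
        out.append("global: dynamic ARP inspection enabled on no VLAN")
    if not (has(r"vtp password ") or has(r"vtp mode (transparent|off)$")):
        out.append("global: VTP advertisements not authenticated (no vtp password)")
    cdp_off = has(r"no cdp run$")
    for h, sub in blocks:
        if not h.startswith("interface ") or h.startswith("interface Vlan"):
            continue
        name = h.split(None, 1)[1]
        if "shutdown" in sub:
            continue                      # disabled port: nothing to check here
        if "switchport mode trunk" in sub:
            native = next((int(s.split()[-1]) for s in sub
                           if s.startswith("switchport trunk native vlan ")), 1)
            if native == 1:
                out.append("%s: trunk native VLAN is 1 (use a dedicated unused VLAN ID)" % name)
            if "switchport nonegotiate" not in sub:
                out.append("%s: DTP negotiation still enabled on trunk" % name)
            if "spanning-tree guard root" not in sub:
                out.append("%s: Root Guard not enabled on trunk" % name)
            if "ip dhcp snooping trust" not in sub:
                out.append("%s: uplink not trusted for DHCP snooping (server replies would be dropped)" % name)
            continue
        # anything else is treated as a user-facing port
        if "switchport mode access" not in sub:
            out.append("%s: user port not forced to access (nontrunking) mode" % name)
        if access_vlan(sub) == 1:
            out.append("%s: user port in VLAN 1" % name)
        if "switchport port-security" not in sub:
            out.append("%s: port security not enabled" % name)
        if "spanning-tree bpduguard enable" not in sub:
            out.append("%s: BPDU Guard not enabled" % name)
        if not any(s.startswith("ip verify source") for s in sub):
            out.append("%s: IP source guard not enabled" % name)
        if not cdp_off and "no cdp enable" not in sub:
            out.append("%s: CDP still enabled on user port" % name)
    return out

# Constructed sample configs (not taken from any real device)
WEAK = """
interface GigabitEthernet0/1
 switchport access vlan 1
interface GigabitEthernet0/24
 switchport mode trunk
"""
HARDENED = """
vtp password REPLACE-WITH-REAL-PASSWORD
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10,20
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip verify source
 no cdp enable
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk native vlan 998
 switchport nonegotiate
 spanning-tree guard root
 ip dhcp snooping trust
"""
```

`audit(WEAK)` lists every missing global feature and then, per port, what the summary asks for; `audit(HARDENED)` returns an empty list. The uplink check is the practical caveat that goes with DHCP snooping: once snooping is on, the port towards the real DHCP server has to be marked trusted, or clients stop getting leases.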