Switch Layer 2 Security

Layer 2 security:


Switch Security

   The lower the layer at which a security problem occurs, the more serious it is.

   DMZ zone concept: Both UNTRUST and TRUST zones can actively access the DMZ zone, but the DMZ cannot actively access any zone.


【Table of Contents】

1、MAC layer attacks

    Attack methods:

    MAC address flooding attack

    MAC address spoofing attack

    

    Solutions:

    Allow traffic based on source MAC address: port security

    Limit traffic based on source MAC address: static CAM entries (a measure applied after the offending MAC has been discovered)

    Block unknown unicast / multicast frames

    802.1x port-based authentication


2、VLAN attacks

    Attack method:

    The host negotiates a TRUNK with the switch (VLAN hopping)

    

    Solutions:

    switchport mode access

    VACL

    PVLAN


3、Spoofing attacks

    3.1、DHCP spoofing

    Solution:

    DHCP snooping

    

    3.2、IP spoofing

    Solution:

    IP Source Guard (IPSG)

    

    3.3、ARP spoofing

    Solutions:

    Statically bind ARP entries

    DAI (Dynamic ARP Inspection)


4、attacks on switch devices

Turn off unnecessary services, such as CDP

Limit broadcast / multicast traffic

Set the login password for the switch

Secure login using SSH


【Main text】

<Part-1. MAC layer attacks>

   A、MAC flooding (MAC layer attack)

   Principle: the attacker keeps changing the source MAC address of its frames, filling the switch's MAC address table until the switch's memory overflows.

   Solution:

1. Allow traffic based on host MAC (port security)

 · Two parameters can be defined: the authorized MAC address(es) / how many MAC addresses may be learned (default = 1)

 · Violation actions for port security:

  1.shutdown: the port is placed in the err-disabled state (default behavior), permanently or for a set period, and an SNMP trap is sent

  2.restrict: when the maximum number of learnable MACs is exceeded, frames from unauthorized hosts are dropped and the violation counter is incremented

  3.protect: when the maximum number of learnable MACs is exceeded, frames from unauthorized hosts are dropped (the counter is not incremented)


Sw1(config-if)#shutdown

Sw1(config-if)#switchport mode access                 port security requires the interface to be in access mode first

Sw1(config-if)#switchport port-security               enable port security (only one MAC can be learned by default)

Sw1(config-if)#switchport port-security maximum 1     maximum number of addresses allowed to be learned; the default is 1

Sw1(config-if)#switchport port-security mac-address aaaa.bbbb.cccc

Sw1(config-if)#switchport port-security violation [protect|restrict|shutdown]     specify the violation action

Sw1(config-if)#no shutdown


Sw1(config-if)#switchport port-security aging time 1     (minutes) how long before a secure MAC address can be re-learned, i.e. the validity period of an existing entry. /* cannot be combined with sticky addresses or the shutdown action

Sw1(config-if)#switchport port-security mac-address sticky     make dynamically learned addresses permanent (sticky)


Sw1#show port-security                        shows which interfaces have port security applied

Sw1#show port-security address                shows the authorized MAC addresses

Sw1#show port-security interface f0/1         shows the detailed status of the interface


Sw1#show interfaces fastEthernet 0/1

FastEthernet0/1 is down, line protocol is down (err-disabled)     the port has been placed in the err-disabled state


When configuring port security, shut down the interface first so that it does not learn addresses automatically in the meantime.


To let an err-disabled interface recover automatically:

errdisable recovery cause psecure-violation

show errdisable recovery
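The three violation actions above differ only in what happens to the frame that pushes the port past its maximum. As an added example (my illustration, not Cisco code or output), this small Python model of a maximum-1 port runs the same constructed frame sequence (authorized host, intruder, authorized host again) through protect, restrict and shutdown and reports the outcome, the violation counter and the err-disabled state for each mode:

```python
"""Added example (not Cisco code): a model of port security's learning limit
and the three violation actions described above, so the difference between
protect, restrict and shutdown can be seen on a constructed frame sequence."""


class SecurePort:
    """One access port with 'switchport port-security' enabled."""

    VIOLATION_MODES = ("protect", "restrict", "shutdown")

    def __init__(self, maximum=1, violation="shutdown", static_macs=(), sticky=False):
        if violation not in self.VIOLATION_MODES:
            raise ValueError(f"unknown violation mode {violation!r}")
        self.maximum = maximum              # switchport port-security maximum N
        self.violation = violation          # switchport port-security violation ...
        self.secure_macs = {m.lower() for m in static_macs}  # ... mac-address X
        self.sticky = sticky                # ... mac-address sticky
        self.sticky_macs = set()            # learned addresses that became permanent
        self.violations = 0                 # "Security Violation Count"
        self.err_disabled = False
        self.snmp_traps = []                # shutdown mode also raises a trap

    def receive(self, src_mac):
        """Decide what happens to a frame with source MAC src_mac:
        returns 'forward', 'drop' or 'err-disabled'."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "err-disabled"           # port stays down until recovery
        if src_mac in self.secure_macs:
            return "forward"                # already an authorized address
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)   # dynamic learning up to the maximum
            if self.sticky:
                self.sticky_macs.add(src_mac)
            return "forward"
        # Unauthorized address and the maximum is already reached: violation.
        if self.violation == "protect":
            return "drop"                   # dropped silently, counter untouched
        self.violations += 1
        if self.violation == "restrict":
            return "drop"                   # dropped, counter incremented
        self.err_disabled = True            # shutdown: port goes err-disabled
        self.snmp_traps.append(f"psecure-violation from {src_mac}")
        return "err-disabled"

    def errdisable_recovery(self):
        """What 'errdisable recovery cause psecure-violation' eventually does."""
        self.err_disabled = False


def compare_modes(frames=("aaaa.bbbb.cccc", "dddd.eeee.ffff", "aaaa.bbbb.cccc")):
    """Run the constructed frame sequence (authorized host, intruder,
    authorized host again) through a maximum-1 port in each violation mode."""
    results = {}
    for mode in SecurePort.VIOLATION_MODES:
        port = SecurePort(maximum=1, violation=mode)
        outcome = tuple(port.receive(mac) for mac in frames)
        results[mode] = (outcome, port.violations, port.err_disabled)
    return results


if __name__ == "__main__":
    for mode, (outcome, count, down) in compare_modes().items():
        print(f"{mode:9s} {outcome}  violations={count} err-disabled={down}")
```

The shutdown row shows why that mode needs errdisable recovery: once the intruder frame arrives, even the legitimate host is cut off until the port is brought back.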


2. Limit traffic based on host MAC (only possible on the 3550)

 Traffic from the MAC address defined in the static entry is dropped


Sw1(config)#mac-address-table static 0010.7b80.7b9b vlan 1 drop

Sw1# show mac address-table


3. Block unknown unicast / multicast flooding (only available on the 3550)

 For an unknown destination MAC address, the switch floods the frame out of all other ports in the VLAN. On some ports (e.g. a port-security port that only needs one MAC, or one that has already reached its maximum) this unknown unicast/multicast flooding is unnecessary, so the feature can be enabled on those ports, usually together with port security.



Sw1(config-if)#switchport block [unicast | multicast]


Rack08Sw1#show int f0/1 switchport 


...Unknown unicast blocked: enabled

...Unknown multicast blocked: disabled


4. 802.1x port-based authentication

A Layer 2 access control method: users connecting to an interface are authenticated through an AAA server, which determines whether the client may access the network.


Configuration:

SW(config)#aaa new-model

SW(config)#aaa authentication dot1x default group radius

SW(config)#dot1x system-auth-control


SW(config)#interface f0/1

SW(config-if)#dot1x port-control auto


<Part-2 VLAN attacks>

     Explaining VLAN Hopping

     Principle: make hosts in different VLANs able to reach each other

     Causes: 1. The attacker sends DTP frames and forms a trunk with the switch, and can then intercept the traffic forwarded over the trunk. (The interface was left unconfigured.)

                      2. VLAN hopping with double tagging, which also relies on a trunk with the switch. (The interface was left unconfigured.)

     Solution:

1、switchport mode access

   switchport access vlan <id>   /* this VLAN should be an unused VLAN


2. VLAN access-map (VACL; can match on MAC and IP)

VACL (VLAN access control list) is also called a VLAN mapping table; it filters the traffic within a VLAN. A VACL can filter on Layer 2 information as well as on Layer 3 information:


1. By calling an IP ACL, you can filter on Layer 3 IP address, protocol and port number.

2. By calling a MAC ACL, you can filter on MAC address, and also filter other non-IP traffic.


     Each VACL can contain multiple statements, and each statement can apply one of three actions to matching traffic:

     1. forward: normal forwarding of the data frame or packet

     2. drop: when the traffic matches a statement with this action, it is dropped

     3. redirect: redirect the traffic to another port (only supported on high-end switches)

     Note: if a statement does not specify an action, the default action is forward. If traffic entering the VLAN matches none of the statements, it is discarded.


IP-based:

Config#access-list 1 permit 192.168.1.1 0.0.0.0


Config#vlan access-map wolf 10

Config-access-map#match ip address 1

Config-access-map#action drop

Config#vlan access-map wolf 20

Config-access-map#action forward


The default action is forward; in show run you can see "action forward" listed for sequence 20

Apply: vlan filter wolf vlan-list 100     applied in global configuration mode, indicating which VLAN(s) the map is used in; "all" applies it to all VLANs


Based on MAC address (MAC address list):

1. First write the MAC access list

mac access-list extended ccnp

 permit host 00e0.1e3d.d18c any


2. Then write the access-map

vlan access-map wolf 10

 action drop

 match mac address ccnp

vlan access-map wolf 20

 action forward


3. Apply it:

Sw1(config)#vlan filter wolf vlan-list 10

                       access-map name  VLAN number

Sw1(config)#vlan filter wolf vlan-list all     for all VLANs


Note: when doing this experiment, first run clear ip arp 10.1.1.22 on each router
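The ordering rules of a VACL (first matching clause wins, a clause without an action forwards, a frame that matches no clause is dropped) are easy to get wrong when a map has no catch-all clause. As an added example (mine, not IOS code), the evaluator below applies those rules to constructed frames using the page's own wolf / ccnp maps, and also shows what happens when the "wolf 20 / action forward" clause is left out:

```python
"""Added example (not IOS code): an evaluator for the vlan access-map
semantics above. A map is an ordered list of numbered clauses; each clause has
an optional match (an IP ACL or a MAC ACL) and an optional action. A clause
without an action forwards, and traffic that matches no clause is dropped.
The ACLs and frames below are constructed from the page's wolf / ccnp example."""

from ipaddress import ip_address, ip_network


def ip_acl_permits(acl, src_ip):
    """Standard IP ACL as a list of (permit, network); first match wins,
    implicit deny at the end. A VACL 'match ip address' clause matches only
    when the ACL permits the packet."""
    for permit, network in acl:
        if ip_address(src_ip) in network:
            return permit
    return False


def mac_acl_permits(acl, src_mac):
    """MAC ACL as a list of (permit, source_mac or 'any'); first match wins."""
    for permit, mac in acl:
        if mac == "any" or mac == src_mac.lower():
            return permit
    return False


def evaluate_vacl(access_map, frame, ip_acls, mac_acls):
    """Return 'forward', 'drop' or 'redirect:<port>' for one frame.
    access_map: list of {'seq': int, 'match': ('ip'|'mac', acl_name) | None,
    'action': str | None}; frame: {'src_ip': str | None, 'src_mac': str}."""
    for clause in sorted(access_map, key=lambda c: c["seq"]):
        match = clause.get("match")
        if match is None:
            matched = True                                   # no match = match everything
        elif match[0] == "ip":
            # A non-IP frame cannot match an IP ACL clause.
            matched = frame.get("src_ip") is not None and \
                ip_acl_permits(ip_acls[match[1]], frame["src_ip"])
        else:
            matched = mac_acl_permits(mac_acls[match[1]], frame["src_mac"])
        if matched:
            return clause.get("action") or "forward"         # default action is forward
    return "drop"                                            # no clause matched: dropped


# Constructed from the page: access-list 1 permit 192.168.1.1 0.0.0.0
IP_ACLS = {"1": [(True, ip_network("192.168.1.1/32"))]}
# mac access-list extended ccnp / permit host 00e0.1e3d.d18c any
MAC_ACLS = {"ccnp": [(True, "00e0.1e3d.d18c")]}

# vlan access-map wolf 10 / match ip address 1 / action drop
# vlan access-map wolf 20 / action forward
WOLF_IP = [
    {"seq": 10, "match": ("ip", "1"), "action": "drop"},
    {"seq": 20, "match": None, "action": None},              # shows as 'action forward'
]
# vlan access-map wolf 10 / action drop / match mac address ccnp
# vlan access-map wolf 20 / action forward
WOLF_MAC = [
    {"seq": 10, "match": ("mac", "ccnp"), "action": "drop"},
    {"seq": 20, "match": None, "action": "forward"},
]
# A map with only a matching clause: everything else hits the implicit drop.
WOLF_NO_CATCHALL = [{"seq": 10, "match": ("ip", "1"), "action": "forward"}]


def demo():
    blocked = {"src_ip": "192.168.1.1", "src_mac": "00e0.1e3d.d18c"}   # constructed
    other = {"src_ip": "192.168.1.2", "src_mac": "0011.2233.4455"}     # constructed
    return {
        "ip_map_blocked_host": evaluate_vacl(WOLF_IP, blocked, IP_ACLS, MAC_ACLS),
        "ip_map_other_host": evaluate_vacl(WOLF_IP, other, IP_ACLS, MAC_ACLS),
        "mac_map_blocked_host": evaluate_vacl(WOLF_MAC, blocked, IP_ACLS, MAC_ACLS),
        "mac_map_other_host": evaluate_vacl(WOLF_MAC, other, IP_ACLS, MAC_ACLS),
        "no_catchall_other_host": evaluate_vacl(WOLF_NO_CATCHALL, other, IP_ACLS, MAC_ACLS),
    }
```

The last entry is the case to remember when writing a VACL: without a final clause that matches everything, every host the map was not written for is dropped.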


3、Private VLANs

Private VLANs work around the limit on the number of VLANs and allow hosts within the same VLAN to be kept from reaching each other

The Primary VLAN is the actual VLAN

Secondary VLANs (Isolated VLAN, Community VLAN)

Secondary VLANs cannot communicate with each other; ports in an Isolated VLAN cannot communicate with each other; ports in a Community VLAN can communicate with each other

     

  3.1 PVLAN Port Types

     Promiscuous: communicates with all other ports                                             belongs to the Primary VLAN

     Isolated: communicates only with promiscuous ports                                         belongs to a Secondary VLAN

     Community: communicates with other members of the community and all promiscuous ports.    belongs to a Secondary VLAN


  3.2 Networking

      Requirements: R1 can exchange traffic with R2 / R3 / R4 / R5

            R2 and R3 can reach each other

            R4 and R5 cannot reach each other

            VLAN 501 (R2 and R3) and VLAN 502 (R4 and R5) cannot communicate with each other

           The small VLANs 501 and 502 belong to the large VLAN 20

           Configuration steps: the minimum platforms are the 3560, 3750 and 6000; the 3550 and 2950 only support the ISOLATE-VLAN method (protected ports, below)

           VTP mode transparent/off  

           vlan 20

           private-vlan primary

           vlan 501

           private-vlan community 

           vlan 502

           private-vlan isolated


           vlan 20

           private-vlan association 501,502


           int f 0/1

           switchport mode private-vlan promiscuous

           switchport private-vlan mapping 20 501,502


           int r f 0/2,f0/3

           switchport mode private-vlan host

           switchport private-vlan host-association 20 501


           int r f 0/4,f0/5

           switchport mode private-vlan host

           switchport private-vlan host-association 20 502


           show vlan private-vlan

           show int f 0/1 switchport 


           ISOLATE-VLAN method for the 2950, 3550 and 3560 (protected ports)

           int r f0/1,f0/3

           switchport mode access

           switchport access vlan 100

           switchport protected

           Note: protected ports cannot communicate with each other, but a protected port and a normal port can.
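To check that the R1..R5 requirements in 3.2 are really met by the port types chosen, here is an added example (my reachability model, not Cisco code) that encodes the promiscuous / community / isolated rules from 3.1 and the constructed topology (primary VLAN 20, community 501, isolated 502), plus the simpler "switchport protected" rule used on the 2950 / 3550:

```python
"""Added example (not Cisco code): a reachability model for the private-VLAN
port types above, applied to the constructed R1..R5 topology from section 3.2
(primary VLAN 20, community VLAN 501, isolated VLAN 502), plus the simpler
'switchport protected' behaviour used on the 2950 / 3550."""

# private-vlan association 501,502 under vlan 20
SECONDARY_TYPE = {501: "community", 502: "isolated"}

# port name -> (port type, secondary VLAN or None for promiscuous)
PORTS = {
    "R1": ("promiscuous", None),   # f0/1: private-vlan mapping 20 501,502
    "R2": ("host", 501),           # f0/2: host-association 20 501
    "R3": ("host", 501),           # f0/3: host-association 20 501
    "R4": ("host", 502),           # f0/4: host-association 20 502
    "R5": ("host", 502),           # f0/5: host-association 20 502
}


def pvlan_can_talk(a, b, ports=PORTS, secondary_type=SECONDARY_TYPE):
    """True if Layer 2 traffic may pass directly between ports a and b."""
    if a == b:
        return True
    type_a, vlan_a = ports[a]
    type_b, vlan_b = ports[b]
    if type_a == "promiscuous" or type_b == "promiscuous":
        return True                       # promiscuous ports talk to everyone
    if vlan_a != vlan_b:
        return False                      # two secondary VLANs never talk directly
    return secondary_type[vlan_a] == "community"   # isolated: no; community: yes


def reachability(ports=PORTS):
    """Full matrix as {(a, b): bool} for every ordered pair of distinct ports."""
    return {(a, b): pvlan_can_talk(a, b, ports) for a in ports for b in ports if a != b}


def protected_can_talk(a, b, protected):
    """'switchport protected' on the 2950/3550: two protected ports in the
    same VLAN cannot talk, a protected port and a normal port can."""
    return a == b or not (a in protected and b in protected)


if __name__ == "__main__":
    for (a, b), ok in sorted(reachability().items()):
        print(f"{a} -> {b}: {'yes' if ok else 'no'}")
```

Running it prints the 20 ordered pairs; exactly the R1 pairs and the R2/R3 pair are reachable, which is the requirement list from 3.2.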


    3.3 Private-VLAN extension (SVI)

          interface vlan 20

            ip address 1.1.1.100 255.255.255.0

        After an SVI address is configured on the switch, only the primary private VLAN can reach int vlan 20; nothing else can. If the community and isolated VLANs should also reach the interface, add the following command:

          interface vlan 20

             private-vlan mapping 501,502

        ip routing must also be enabled on the switch

    Verification:

    show vlan private-vlan


<Part-3 Spoofing attacks>

1、 DHCP Spoofing Attacks

Solution:

DHCP snooping

Principle:

--Once enabled, the switch's ports are divided into trusted and untrusted interfaces. By default all interfaces become untrusted when the feature is enabled on the switch; the trusted interfaces must be set manually.

-On an untrusted interface only DHCP request messages are accepted, no DHCP requests are sent out of it, and DHCP response messages arriving on it are dropped.

-Trusted interfaces have no restrictions and are not inspected.


Note: early IOS versions do not support DHCP snooping


Configuration example:


Step 1:

SW1(config)#ip dhcp snooping             this command must be enabled first; it is the master switch for the feature

SW1(config)#ip dhcp snooping vlan 1      then specify the VLAN; this step is also necessary. By default the VLAN 1 interfaces are untrusted


Step 2: specify the trusted interfaces, usually the trunk interface and the interface connected to the real DHCP server.

SW1(config-if)#ip dhcp snooping trust


Step 3: the following command must be added on the trusted DHCP server (only needed when a remote router or switch acts as the DHCP server; if this device itself provides the DHCP service it is not necessary)

R1(config)#ip dhcp relay information trust-all     /* if the switch disables option 82 (no ip dhcp snooping information option), this command need not be configured; in addition, if PVLAN technology is used there is no need to enable it


SW01#show ip dhcp snooping binding 

MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface

------------------  ---------------  ----------  -------------  ----  --------------------

E8:40:40:E4:73:C2   10.1.1.94        1052        dhcp-snooping   1    FastEthernet0/23

Total number of bindings: 1


Key point: DHCP snooping builds a DHCP binding table on the switch, with one entry for each assigned IP containing the client's IP address, MAC address, port, VLAN, lease and binding type. Entries can also be added to this binding table manually.


SW1#show ip dhcp snooping binding      displays only dynamic binding entries

SW1#show ip dhcp snooping database

SW1#show ip source binding             displays dynamic and static binding entries


SW1(config)#ip dhcp snooping binding 1234.5678.abcd vlan 20 172.16.1.1 interface f0/5     statically bind an entry


Other commands:

SW1(config)#ip dhcp snooping information option     enable option 82 (enabled by default)

SW1(config-if)#ip dhcp snooping limit rate 100      limits how many DHCP packets the interface may receive per second


SW01#show ip dhcp snooping binding 

MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface

------------------  ---------------  ----------  -------------  ----  --------------------

E8:40:40:E4:73:C1   10.1.1.54        85809       dhcp-snooping   1     FastEthernet0/23

20:37:06:DC:36:40   10.1.1.56        86204       dhcp-snooping   1     FastEthernet0/19

Total number of bindings: 2


2. IPSG, IP Source Guard (an extension of DHCP snooping) --- prevents IP address spoofing at the network layer

The source guard feature prevents illegal devices from stealing the IP address of legitimate devices to access the network; it can only be used on Layer 2 ports


It needs the IP binding table; there are two ways to obtain binding entries:

    1. Statically bind the IP source address

    2. Use the source IP binding table generated dynamically by DHCP snooping


Principle: once source guard is enabled on an interface, the interface rejects all source IPs by default unless the IP binding table contains an entry for that IP on this interface.


SW1(config)#ip source binding aaaa.bbbb.cccc vlan 1 100.1.1.1 interface f0/1     static binding


SW1(config)#ip dhcp snooping  

SW1(config)#ip dhcp snooping vlan 1

SW1(config)#interface f0/10

SW1(config-if)#ip verify source                   enable source guard, checking the source IP only (configured here on a 3560 / 3750)

SW01#show ip verify source 

Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan   Log

---------  -----------  -----------  ---------------  -----------------  ----   ---

Fa0/23     ip           active       10.1.1.94                           1      disabled

SW1(config-if)#ip verify source port-security     enable source guard checking both IP and MAC. The default action is deny-any for all IPs and permit-any for MACs; once port security is configured, the MAC action becomes deny-any.

SW01#show ip verify source 

Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan   Log

---------  -----------  -----------  ---------------  -----------------  ----   ---

Fa0/23     ip-mac       active       10.1.1.94        E8:40:40:E4:73:C2  1      disabled



 On the Cisco 4500, 6500 and 7600 the feature is enabled with the following commands

SW1(config-if)#ip verify source vlan dhcp-snooping  

SW1(config-if)#ip verify source vlan dhcp-snooping port-security 


show ip verify source      shows the allowed IP addresses, i.e. the reference against which source addresses are compared

show ip source binding

show ip source binding


ip source binding AAAA.BBBB.CCCC vlan 1 10.1.1.200 interface Fa0/9


SW01#show ip source binding 

MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface

------------------  ---------------  ----------  -------------  ----  --------------------

E8:40:40:E4:73:C1   10.1.1.54        85259       dhcp-snooping   1     FastEthernet0/23

20:37:06:DC:36:40   10.1.1.56        85654       dhcp-snooping   1     FastEthernet0/19

AA:AA:BB:BB:CC:CC   10.1.1.200       infinite    static          1     FastEthernet0/9

Total number of bindings: 3


3. DAI (Dynamic ARP Inspection) prevents source IP address spoofing in ARP packets at the data link layer

It is a security feature that verifies ARP packets in the network and can prevent man-in-the-middle attacks.


It usually has to be used together with DHCP snooping, because it relies on the binding table generated by DHCP snooping. The IP-to-MAC binding table can also be written statically.


Principle: once DAI is enabled, interfaces are divided into trusted and untrusted. By default all interfaces are untrusted.

      On untrusted interfaces ARP inspection is performed: only ARP packets matching an entry in the dhcp-snooping binding table are allowed through.

      On trusted interfaces no ARP inspection is performed.


Define trusted and untrusted interfaces

  trusted: sending and receiving of ARP packets is not controlled

  untrusted: ARP packets are inspected and non-matching ARP messages are not accepted


SW1(config)#ip arp inspection vlan 1

SW1(config-if)#ip arp inspection trust              specify the trusted interface for ARP inspection; this must be done

SW1(config-if)#ip arp inspection limit rate 100     limits the number of ARP packets received per second


show ip arp inspection interfaces

show ip arp inspection vlan 1


A practical case: (DAI used alone, not combined with DHCP snooping)

 arp access-list ARPTEST

  permit ip host 162.16.40.1 mac host 0000.0c07.ac28

                 source IP address      source MAC address


ip arp inspection vlan 1

  ip arp inspection filter ARPTEST vlan 1 static


Alternatively, a static IPSG binding entry can provide the same IP-to-MAC binding for DAI to check against.

  ip source binding aaaa.bbbb.cccc vlan 1 100.1.1.1 interface f0/1  


Note: ARP packets are encapsulated directly at Layer 2, so the IPSG source guard technique above cannot by itself deal with ARP spoofing
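The DHCP snooping binding table (section 1) is the single source of truth that both IPSG (section 2) and DAI (section 3) check against, so one worked example serves all three. As an added example (mine, not Cisco code or output), the Python below parses the `show ip source binding` table layout shown above, then applies the IPSG decision (ip versus ip-mac filter type) and the DAI decision (trusted port, ARP ACL with the `static` keyword, binding-table lookup) to constructed packets; the table rows, packets and the ARPTEST ACL are taken from the page's own samples:

```python
"""Added example (not Cisco code): a parser for the 'show ip dhcp snooping
binding' / 'show ip source binding' table format shown above, and the two
per-packet checks that IP Source Guard and Dynamic ARP Inspection derive
from that table. The binding table, packets and the ARP ACL are constructed
from the page's own sample output and the ARPTEST case."""

import re

# Constructed in the exact layout of the page's 'show ip source binding' output.
SAMPLE_BINDINGS = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
E8:40:40:E4:73:C1   10.1.1.54        85259       dhcp-snooping   1     FastEthernet0/23
20:37:06:DC:36:40   10.1.1.56        85654       dhcp-snooping   1     FastEthernet0/19
AA:AA:BB:BB:CC:CC   10.1.1.200       infinite    static          1     FastEthernet0/9
Total number of bindings: 3
"""

ROW = re.compile(
    r"^([0-9A-Fa-f:]{17})\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)"
)


def norm_mac(mac):
    """Accept E8:40:40:E4:73:C1 or e840.40e4.73c1 and return 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_bindings(text):
    """Return a list of binding dicts; header, separator and total lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            mac, ip, lease, kind, vlan, intf = m.groups()
            rows.append({"mac": norm_mac(mac), "ip": ip, "lease": lease,
                         "type": kind, "vlan": int(vlan), "interface": intf})
    return rows


def ipsg_permit(bindings, interface, vlan, src_ip, src_mac, filter_type="ip"):
    """IP Source Guard on an untrusted port ('ip verify source'): permit the
    packet only if a binding for this interface and VLAN carries its source IP;
    with filter_type 'ip-mac' ('ip verify source port-security') the source
    MAC must match the binding too. Everything else is denied."""
    for b in bindings:
        if b["interface"] == interface and b["vlan"] == vlan and b["ip"] == src_ip:
            if filter_type == "ip" or b["mac"] == norm_mac(src_mac):
                return True
    return False


def dai_permit(bindings, vlan, sender_ip, sender_mac, trusted=False,
               arp_acl=(), acl_static=False):
    """Dynamic ARP Inspection: trusted ports are not inspected. On untrusted
    ports the ARP sender IP/MAC pair must appear in the ARP ACL applied with
    'ip arp inspection filter', or else in the binding table for the VLAN.
    With the 'static' keyword an ACL miss is final and the table is not consulted."""
    if trusted:
        return True
    mac = norm_mac(sender_mac)
    for acl_ip, acl_mac in arp_acl:
        if acl_ip == sender_ip and norm_mac(acl_mac) == mac:
            return True
    if arp_acl and acl_static:
        return False
    return any(b["vlan"] == vlan and b["ip"] == sender_ip and b["mac"] == mac
               for b in bindings)


# arp access-list ARPTEST / permit ip host 162.16.40.1 mac host 0000.0c07.ac28
ARPTEST = [("162.16.40.1", "0000.0c07.ac28")]


def demo():
    table = parse_bindings(SAMPLE_BINDINGS)
    return {
        # Legitimate host on Fa0/23 using its leased address.
        "ipsg_ok": ipsg_permit(table, "FastEthernet0/23", 1, "10.1.1.54", "e840.40e4.73c1"),
        # Same port claiming the address leased to Fa0/19: IP spoofing, denied.
        "ipsg_spoofed_ip": ipsg_permit(table, "FastEthernet0/23", 1, "10.1.1.56", "e840.40e4.73c1"),
        # Right IP, wrong MAC: passes the ip-only filter, fails the ip-mac filter.
        "ipsg_wrong_mac_ip_only": ipsg_permit(table, "FastEthernet0/23", 1, "10.1.1.54", "0000.0000.0001"),
        "ipsg_wrong_mac_ip_mac": ipsg_permit(table, "FastEthernet0/23", 1, "10.1.1.54", "0000.0000.0001", "ip-mac"),
        # ARP in which the Fa0/19 host claims 10.1.1.54: the poisoning DAI is meant to catch.
        "dai_poison": dai_permit(table, 1, "10.1.1.54", "2037.06dc.3640"),
        "dai_genuine": dai_permit(table, 1, "10.1.1.54", "e840.40e4.73c1"),
        # DAI without snooping, ARPTEST applied with the 'static' keyword.
        "dai_acl_hit": dai_permit([], 1, "162.16.40.1", "0000.0c07.ac28", arp_acl=ARPTEST, acl_static=True),
        "dai_acl_miss": dai_permit([], 1, "162.16.40.2", "0000.0c07.ac28", arp_acl=ARPTEST, acl_static=True),
    }
```

The `ipsg_wrong_mac_ip_only` / `ipsg_wrong_mac_ip_mac` pair is the practical difference between `ip verify source` and `ip verify source port-security` from section 2, and `dai_poison` shows why DAI, not IPSG, is the control for ARP spoofing: IPSG never sees the sender fields inside the ARP payload.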


<Part-4 Attacks on switch devices>

    Turn off unnecessary services

1. CDP protocol

   show cdp neighbor detail      reveals, among other things:


   interface IP address

   IOS version

   native VLAN

   VTP domain


  Solution:

  1. Disable globally: no cdp run

  2. Disable per interface: no cdp enable


2. Broadcast / multicast suppression (storm control)

It monitors the broadcast and multicast traffic entering the port and discards packets once the threshold is exceeded.


3550(config-if)#storm-control broadcast level 5     threshold as a percentage of bandwidth

3550(config-if)#storm-control broadcast bps 10      threshold as an actual rate; note that the unit is M


3、SSH (Secure Shell Protocol)

Describing vulnerabilities in the Telnet protocol

The Telnet protocol is not secure: user names and passwords are sent in clear text and are easily exposed. A more secure protocol can be enabled instead.

SSH

 Enable SSH on the device:

  ip domain-name wolf.com

  crypto key generate rsa general-keys modulus 1024 


  line vty 0 4

  login local

  transport input ssh

  username wolf password cisco


  Log in to the device:

  ssh -l wolf 12.1.1.2

  Enter the password when prompted: cisco







Configuration cases:

DHCP snooping



ip dhcp snooping 

ip dhcp snooping information option

ip dhcp snooping vlan 10,20



int fa0/0

 (access port)

ip dhcp snooping limit rate 10


int gi0/0

 (uplink)

switchport mode trunk

switchport trunk allowed vlan 10,20

ip dhcp snooping trust



DAI


ip dhcp snooping 

ip dhcp snooping information option

ip dhcp snooping vlan 10,20

ip arp inspection vlan 10,20


int fa0/0

 (access port)

ip dhcp snooping limit rate 10


int gi0/0

 (uplink)

switchport mode trunk

switchport trunk allowed vlan 10,20

ip dhcp snooping trust

ip arp inspection trust



If static entries are used:


arp access-list test

 permit ip host 10.1.1.2 mac host 0017.5aa7.2d28


ip arp inspection filter test vlan 10





IP Source Guard




ip dhcp snooping 

ip dhcp snooping information option

ip dhcp snooping vlan 10,20

ip arp inspection vlan 10,20




int gi0/0

 (uplink)

switchport mode trunk

switchport trunk allowed vlan 10,20

ip dhcp snooping trust

ip arp inspection trust


int fa0/1

switchport mode access

switchport access vlan 2

switchport port-security

ip arp inspection limit rate 10

ip verify source port-security

ip dhcp snooping limit rate 10


show ip verify source 



If a static entry is used:


ip source binding 0017.5aa7.2d28 vlan 2 10.1.1.2 interface fa0/2


int fa0/2

ip verify source 

 (source filtering on the interface)



Origin blog.51cto.com/jackor/2488890