Layer 2 security:
Switch Security
The lower the layer at which a security problem occurs, the more serious it is.
DMZ zone concept: both the UNTRUST and TRUST zones can actively access the DMZ zone, but the DMZ cannot actively access any other zone.
[Table of Contents]
1. MAC layer attacks
Attack methods:
MAC address flooding attack
MAC address spoofing attack
Solutions:
Allow traffic based on source MAC address: port security
Limit traffic based on source MAC address: static CAM entries (a method applied after the attack is discovered)
Block unknown unicast / multicast frames
802.1x port-based authentication
2. VLAN attacks
Attack method:
The host forms a TRUNK interface with the switch
Solutions:
switchport mode access
VACL
PVLAN
3. Spoofing attacks
3.1 DHCP spoofing
Solution:
DHCP snooping
3.2 IP spoofing
Solution:
IP source guard (IPSG)
3.3 ARP spoofing
Solutions:
Statically bind ARP entries
DAI
4. Attacks on switch devices
Turn off unnecessary services, such as CDP
Limit broadcast / multicast traffic
Set a login password on the switch
Secure login using SSH
[Original notes]
<Part 1. MAC layer attacks>
A. MAC flooding attacks at the MAC layer
Principle: the attacker keeps changing the source MAC address, filling the switch's MAC address table until the switch's memory overflows.
Solution:
1. Allow traffic based on host MAC (port security)
· Two parameters can be defined: the authorized MAC address(es), and how many MAC addresses the port may learn (default = 1)
· Port-security violation actions:
1. shutdown: the port is placed in err-disabled state (default behaviour), permanently or for a configured period, and an SNMP trap is sent
2. restrict: when the maximum number of MACs allowed to be learned is exceeded, frames from unauthorized hosts are dropped and the violation counter is incremented
3. protect: when the maximum number of MACs allowed to be learned is exceeded, frames from unauthorized hosts are dropped (the counter is not incremented)
Sw1(config-if)#shutdown
Sw1(config-if)#switchport mode access                 ! port security requires the port to be an access port first
Sw1(config-if)#switchport port-security               ! enable port security (only one MAC can be learned by default)
Sw1(config-if)#switchport port-security maximum 1     ! maximum number of addresses allowed to be learned; the default is 1
Sw1(config-if)#switchport port-security mac-address aaaa.bbbb.cccc
Sw1(config-if)#switchport port-security violation [protect|restrict|shutdown]   ! specify the violation action
Sw1(config-if)#no shutdown
Sw1(config-if)#switchport port-security aging time 1  ! in minutes: how long until an existing secure MAC ages out and can be re-learned, i.e. the validity period of existing MAC addresses. Cannot be used together with sticky addresses or the shutdown action
Sw1(config-if)#switchport port-security mac-address sticky   ! make dynamically learned addresses permanent (sticky)
Sw1#show port-security                  ! shows which interfaces have port security applied
Sw1#show port-security address          ! shows the authorized (secure) MAC addresses
Sw1#show port-security interface f0/1   ! shows the detailed status of the interface
Sw1#show interfaces fastEthernet 0/1
FastEthernet0/1 is down, line protocol is down (err-disabled)   ! the port has been placed in err-disabled state
Usually, when configuring port security, shut the interface down first so that it does not learn addresses automatically.
Let an err-disabled interface recover automatically:
Sw1(config)#errdisable recovery cause psecure-violation
Sw1#show errdisable recovery
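The port-security behaviour described above, as an added example that is not part of the original notes: a small Python model of one access port with `maximum 1` under each of the three violation actions, fed a constructed MAC-flooding burst. Class and function names are assumptions made for this example, not IOS internals.

```python
from dataclasses import dataclass, field


@dataclass
class PortSecurity:
    """One access port with 'switchport port-security' (model, not vendor code)."""
    maximum: int = 1                            # switchport port-security maximum N
    violation: str = "shutdown"                 # protect | restrict | shutdown (default)
    static: set = field(default_factory=set)    # switchport port-security mac-address X
    learned: set = field(default_factory=set)   # dynamically learned (sticky) addresses
    violations: int = 0                         # counter shown by 'show port-security'
    err_disabled: bool = False

    def secure_macs(self):
        return self.static | self.learned

    def ingress(self, src_mac):
        """Decide what happens to a frame from src_mac:
        'forward', 'drop' or 'err-disable' (the whole port is shut down)."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "drop"                       # stays down until errdisable recovery
        if src_mac in self.secure_macs():
            return "forward"
        if len(self.secure_macs()) < self.maximum:
            self.learned.add(src_mac)           # room left: learn the address
            return "forward"
        # maximum reached and the source is not a secure MAC: a violation
        if self.violation == "protect":
            return "drop"                       # silent drop, no counter
        if self.violation == "restrict":
            self.violations += 1                # drop + counter (+ trap/syslog on IOS)
            return "drop"
        self.err_disabled = True                # shutdown: port goes err-disabled
        return "err-disable"


def flood_test(mode, frames=5):
    """Constructed MAC-flooding burst: each frame carries a fresh source MAC."""
    port = PortSecurity(maximum=1, violation=mode)
    return [port.ingress(f"0000.0000.{i:04x}") for i in range(frames)], port
```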
2. Limit traffic based on host MAC (static CAM entry; only available on the 3550)
MACs defined in the static entry have their traffic dropped:
Sw1(config)#mac-address-table static 0010.7b80.7b9b vlan 1 drop
Sw1#show mac address-table
3. Block unknown unicast / multicast flooding (only available on the 3550)
For an unknown destination MAC, the switch floods the frame out of all other ports in the VLAN. On some ports (for example a port-security port that allows only one MAC, or one that has already reached its maximum) there is no need to forward these unknown unicast / multicast frames, so this feature can be enabled on them; it is usually combined with port security.
Sw1(config-if)#switchport block [unicast | multicast]
Rack08Sw1#show int f0/1 switchport
...Unknown unicast blocked: enabled
...Unknown multicast blocked: disabled
4. 802.1x port-based authentication
A Layer 2 access control method: users connecting to an interface are authenticated by an AAA server, which decides whether the client may access the network.
Configuration:
SW(config)#aaa new-model
SW(config)#aaa authentication dot1x default group radius
SW(config)#dot1x system-auth-control
SW(config)#interface f0/1
SW(config-if)#dot1x port-control auto
<Part 2. VLAN attacks>
Explaining VLAN hopping
Principle: make different VLANs able to reach each other.
Causes: 1. The attacker sends DTP frames and forms a trunk with the switch, and can then intercept the traffic forwarded over the trunk. (The interface was left in its default configuration.)
2. VLAN hopping with double tagging, which also relies on a TRUNK formed with the switch. (The interface was left in its default configuration.)
Solution:
1. switchport mode access
switchport access vlan *    ! * = an unused VLAN
2. VLAN access-map (VACL; can match on MAC and IP)
A VACL is also called a VLAN access map; it filters the traffic inside a VLAN. A VACL can filter on Layer 2 information as well as on Layer 3 information:
1. By calling an IP ACL, you can filter on the Layer 3 IP address, protocol and port number.
2. By calling a MAC ACL, you can filter on MAC address, and also filter other non-IP traffic.
Each VACL can contain multiple statements, and each statement can take one of three actions on matching traffic:
1. Forward: the frame or packet is forwarded normally
2. Drop: when the flow matches a deny statement, it is dropped
3. Redirect: the forwarding direction of the flow is changed (only supported on high-end switches)
Note: if a statement does not specify an action, the default action is forward. If traffic entering the VLAN does not match any statement, it is discarded.
IP-based:
Config#access-list 1 permit 192.168.1.1 0.0.0.0
Config#vlan access-map wolf 10
Config-access-map#match ip address 1
Config-access-map#action drop
Config#vlan access-map wolf 20
Config-access-map#action forward
The default action is forward; in show run you can see "action forward".
Invoke: vlan filter wolf vlan-list 100    ! global configuration mode; specifies which VLAN(s) the map applies to, or "all" for all VLANs
Based on MAC address (MAC access list):
1. Write the MAC access list first
mac access-list extended ccnp
permit host 00e0.1e3d.d18c any
2. Then write the access-map
vlan access-map wolf 10
action drop
match mac address ccnp
vlan access-map wolf 20
action forward
3. Apply it:
Sw1(config)#vlan filter wolf vlan-list 10
(access-map name, VLAN number)
Sw1(config)#vlan filter wolf vlan-list all    ! for all VLANs
Note: when doing this lab, first run clear ip arp 10.1.1.22 on each router.
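The VACL evaluation rules above (first matching sequence wins, a statement without an action forwards, traffic matching no statement is dropped), as an added Python model that is not part of the original notes. The `wolf` access-map and the `ccnp` MAC ACL are taken from the page; the `Frame`/`Entry` types and the `vacl_decide` function are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: Optional[str] = None   # None for non-IP traffic (e.g. ARP)


@dataclass
class Entry:
    seq: int
    match: Optional[Callable[[Frame], bool]]   # None = no match clause: matches everything
    action: Optional[str] = None               # None = action not specified -> forward


def ip_acl_1(frame):       # access-list 1 permit 192.168.1.1 0.0.0.0
    return frame.src_ip == "192.168.1.1"


def mac_acl_ccnp(frame):   # mac access-list extended ccnp / permit host 00e0.1e3d.d18c any
    return frame.src_mac.lower() == "00e0.1e3d.d18c"


def vacl_decide(entries, frame):
    """Entries are checked in sequence order. The first matching entry decides;
    an entry with no action forwards; no matching entry at all means drop."""
    for e in sorted(entries, key=lambda e: e.seq):
        if e.match is None or e.match(frame):
            return e.action or "forward"
    return "drop"


# vlan access-map wolf: seq 10 match ip address 1 / action drop; seq 20 action forward
WOLF_IP = [Entry(10, ip_acl_1, "drop"), Entry(20, None, "forward")]
# the MAC-based variant: seq 10 match mac address ccnp / action drop; seq 20 action forward
WOLF_MAC = [Entry(10, mac_acl_ccnp, "drop"), Entry(20, None, "forward")]
# the same map without the catch-all seq 20: everything that is not matched is dropped
WOLF_NO_CATCHALL = [Entry(10, ip_acl_1, "drop")]
```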
3. Private VLANs
Work around the limit on the number of VLANs, and prevent hosts in the same VLAN from accessing each other.
The primary VLAN is the actual VLAN.
Secondary VLANs (isolated VLAN, community VLAN)
Secondary VLANs cannot communicate with each other; ports in an isolated VLAN cannot communicate with each other; ports in a community VLAN can communicate with each other.
3.1 PVLAN port types
Promiscuous: communicates with all other ports; belongs to the primary VLAN
Isolated: communicates only with promiscuous ports; belongs to a secondary VLAN
Community: communicates with other members of the community and with all promiscuous ports; belongs to a secondary VLAN
3.2 Networking
Requirements: R1 can reach R2 / R3 / R4 / R5 and vice versa
R2 and R3 can reach each other
R4 and R5 cannot reach each other
VLAN 501 (R2 and R3) and VLAN 502 (R4 and R5) cannot communicate with each other
Small VLANs 501 and 502 belong to the large VLAN 20
Configuration steps: the lowest supported models are the 3560, 3750 and 6000; the 3550 and 2950 only support isolated VLANs
vtp mode transparent     ! or off
vlan 20
private-vlan primary
vlan 501
private-vlan community
vlan 502
private-vlan isolated
vlan 20
private-vlan association 501,502
int f0/1
switchport mode private-vlan promiscuous
switchport private-vlan mapping 20 501,502
int range f0/2,f0/3
switchport mode private-vlan host
switchport private-vlan host-association 20 501
int range f0/4,f0/5
switchport mode private-vlan host
switchport private-vlan host-association 20 502
show vlan private-vlan
show int f0/1 switchport
Isolated-VLAN method on the 2950, 3550 and 3560 (protected ports):
int range f0/1,f0/3
switchport mode access
switchport access vlan 100
switchport protected
Note: protected ports cannot reach each other, but a protected port and a normal port can.
3.3 Extending the private VLAN to Layer 3
interface vlan 20
ip address 1.1.1.100 255.255.255.0
After the SVI address is configured on the switch, only hosts in the primary VLAN can reach the int vlan 20 SVI for management; nothing else can. If you want the community and isolated VLANs to reach the SVI, add the following command:
interface vlan 20
private-vlan mapping 501,502
The ip routing command must also be enabled on the switch.
Verification:
show vlan private-vlan
<Part 3. Spoofing attacks>
1. DHCP spoofing attacks
Solution:
DHCP snooping
Principle:
- Once enabled, the switch's ports are divided into trusted and untrusted interfaces. By default, all interfaces become untrusted when the feature is enabled; trusted interfaces must be set manually.
- An untrusted interface may only receive DHCP request messages; DHCP requests are not sent out of it, and any DHCP response message arriving from it is dropped.
- Trusted interfaces are not restricted and not inspected.
Note: early IOS versions do not support it.
Configuration example:
Step 1:
SW1(config)#ip dhcp snooping          ! must be enabled first; acts as the master switch for the feature
SW1(config)#ip dhcp snooping vlan 1   ! then specify the VLAN; this step is also required. By default the interfaces in VLAN 1 are untrusted
Step 2: specify the trusted interfaces, which are usually the trunk interfaces and the interface connected to the real DHCP server.
SW1(config-if)#ip dhcp snooping trust
Step 3: the following command must be added on the trusted DHCP server (only needed if a remote router or switch acts as the DHCP server; if the switch itself provides the DHCP service, this command is not required):
R1(config)#ip dhcp relay information trust-all   ! if the switch has option 82 turned off (no ip dhcp snooping information option), this command can be omitted; it is also not needed if PVLAN technology is used
SW01#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
E8:40:40:E4:73:C2   10.1.1.94        1052        dhcp-snooping  1     FastEthernet0/23
Total number of bindings: 1
Key point: DHCP snooping builds a DHCP binding table on the access switch, creating an entry for each assigned IP that records the client's IP address, MAC address, port, VLAN, lease and binding type. Entries can also be added to this binding table manually.
SW1#show ip dhcp snooping binding    ! displays only dynamic bindings
SW1#show ip dhcp snooping database
SW1#show ip source binding           ! displays dynamic and static bindings
SW1(config)#ip dhcp snooping binding 1234.5678.abcd vlan 20 172.16.1.1 interface f0/5   ! statically bind an entry
Other commands:
SW1(config)#ip dhcp snooping information option   ! enable option 82 insertion; it is enabled by default
SW1(config-if)#ip dhcp snooping limit rate 100    ! limits how many DHCP packets the interface may receive per second
SW01#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
E8:40:40:E4:73:C1   10.1.1.54        85809       dhcp-snooping  1     FastEthernet0/23
20:37:06:DC:36:40   10.1.1.56        86204       dhcp-snooping  1     FastEthernet0/19
Total number of bindings: 2
2. IP Source Guard (IPSG, an extension of DHCP snooping): prevents IP address spoofing at the network layer
The source guard feature prevents rogue devices from stealing the IP address of a legitimate device to access the network; it can only be used on Layer 2 ports.
It needs the IP binding table, whose entries can be obtained in two ways:
1. Statically binding the IP source address
2. Using the source IP binding table generated dynamically by DHCP snooping
Principle: once source guard is enabled on an interface, the interface rejects all source IPs by default unless the IP binding table contains an entry for that IP on that interface.
SW1(config)#ip source binding aaaa.bbbb.cccc vlan 1 100.1.1.1 interface f0/1   ! static binding
SW1(config)#ip dhcp snooping
SW1(config)#ip dhcp snooping vlan 1
SW1(config)#interface f0/10
SW1(config-if)#ip verify source   ! enable source guard with IP-only checking; this is the form used on the 3560 and 3750
SW01#show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan  Log
---------  -----------  -----------  ---------------  -----------------  ----  ---
Fa0/23     ip           active       10.1.1.94                           1     disabled
SW1(config-if)#ip verify source port-security   ! enable source guard checking both IP and MAC. The default is deny-any for IP and permit-any for MAC; once port security is configured, the MAC action becomes deny-any as well
SW01#show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan  Log
---------  -----------  -----------  ---------------  -----------------  ----  ---
Fa0/23     ip-mac       active       10.1.1.94        E8:40:40:E4:73:C2  1     disabled
On the Cisco 4500, 6500 and 7600 the feature is enabled with the following commands:
SW1(config-if)#ip verify source vlan dhcp-snooping
SW1(config-if)#ip verify source vlan dhcp-snooping port-security
show ip verify source     ! view the allowed IP addresses, the basis against which source addresses are compared
show ip source binding
ip source binding AAAA.BBBB.CCCC vlan 1 10.1.1.200 interface Fa0/9
SW01#show ip source binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
E8:40:40:E4:73:C1   10.1.1.54        85259       dhcp-snooping  1     FastEthernet0/23
20:37:06:DC:36:40   10.1.1.56        85654       dhcp-snooping  1     FastEthernet0/19
AA:AA:BB:BB:CC:CC   10.1.1.200       infinite    static         1     FastEthernet0/9
Total number of bindings: 3
3. DAI (Dynamic ARP Inspection): prevents spoofing of the source IP address in ARP packets at the data link layer
It is a security feature that validates ARP packets in the network and can prevent man-in-the-middle attacks.
It usually needs to be used together with DHCP snooping, because it relies on the binding table generated by DHCP snooping. The IP-to-MAC binding table can also be written statically.
Principle: after DAI is enabled, interfaces are divided into trusted and untrusted. By default, all interfaces are untrusted.
On untrusted interfaces ARP inspection is performed: only ARP packets that match an entry in the DHCP snooping binding table are allowed through.
On trusted interfaces no ARP inspection is performed.
Define trusted and untrusted interfaces:
trusted: the sending and receiving of ARP packets is not controlled
untrusted: ARP packets are not accepted unless they pass inspection
SW1(config)#ip arp inspection vlan 1
SW1(config-if)#ip arp inspection trust            ! specify the trusted interface for ARP inspection; required
SW1(config-if)#ip arp inspection limit rate 100   ! limits the number of ARP packets received per second
show ip arp inspection interfaces
show ip arp inspection vlan 1
A practical case (DAI used alone, not combined with DHCP snooping):
arp access-list ARPTEST
permit ip host 162.16.40.1 mac host 0000.0c07.ac28     ! source IP address, source MAC address
ip arp inspection vlan 1
ip arp inspection filter ARPTEST vlan 1 static
In another case, an IPSG static binding entry can also serve this purpose (DAI consults the same binding table):
ip source binding aaaa.bbbb.cccc vlan 1 100.1.1.1 interface f0/1
Note: ARP packets are encapsulated directly at Layer 2, so the IPSG source guard technique above cannot on its own deal with ARP spoofing.
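The IPSG and DAI checks described in the two sections above, as one added Python example that is not part of the original notes: it parses a binding table in the `show ip source binding` layout shown on this page (the sample rows below are constructed), then applies the `ip verify source` / `ip verify source port-security` decision to IP packets and the trusted / ARP-ACL / binding-table decision (including the `static` keyword of `ip arp inspection filter`) to ARP packets. Function names and the `Binding` tuple are assumptions made for this example.

```python
import re
from collections import namedtuple

Binding = namedtuple("Binding", "mac ip vlan interface")

# Constructed sample in the 'show ip source binding' layout used on this page.
SAMPLE_BINDINGS = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
E8:40:40:E4:73:C1   10.1.1.54        85259       dhcp-snooping  1     FastEthernet0/23
AA:AA:BB:BB:CC:CC   10.1.1.200       infinite    static         1     FastEthernet0/9
Total number of bindings: 2
"""
ROW = re.compile(r"^([0-9A-F:]{17})\s+(\S+)\s+\S+\s+\S+\s+(\d+)\s+(\S+)$", re.I)


def norm_mac(mac):
    """Accept 0000.0c07.ac28 / 00:00:0c:07:ac:28 / 00000c07ac28; return AA:BB:CC:DD:EE:FF."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_bindings(text):
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())          # header, dashes and totals do not match
        if m:
            rows.append(Binding(norm_mac(m.group(1)), m.group(2), int(m.group(3)), m.group(4)))
    return rows


def ipsg_permits(bindings, interface, vlan, src_ip, src_mac=None, port_security=False):
    """'ip verify source' checks IP only; 'ip verify source port-security' checks
    IP and MAC. With no matching binding for the port the packet is denied."""
    for b in bindings:
        if b.interface == interface and b.vlan == vlan and b.ip == src_ip:
            if not port_security or b.mac == norm_mac(src_mac):
                return True
    return False


def dai_permits(bindings, trusted, vlan, sender_ip, sender_mac, arp_acl=(), acl_static=False):
    """DAI for one ARP packet. Trusted ports are not inspected. On untrusted ports
    the ARP ACL ('permit ip host X mac host Y' pairs) is checked first; with the
    'static' keyword an ACL miss is a deny, otherwise the binding table is consulted."""
    if trusted:
        return True
    pair = (sender_ip, norm_mac(sender_mac))
    if any((ip, norm_mac(mac)) == pair for ip, mac in arp_acl):
        return True
    if arp_acl and acl_static:
        return False
    return any(b.vlan == vlan and (b.ip, b.mac) == pair for b in bindings)
```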
<Part 4. Attacks on switch devices>
Turn off unnecessary services
1. The CDP protocol
show cdp neighbor detail reveals:
interface IP address
IOS version
native VLAN
VTP domain
Solution:
1. Disable globally: no cdp run
2. Disable per interface: no cdp enable
2. Broadcast / multicast suppression (storm control)
Monitors the broadcast and multicast traffic entering a port and discards packets once the threshold is exceeded.
3550(config-if)#storm-control broadcast level 5        ! threshold as a percentage of bandwidth
3550(config-if)#storm-control broadcast level bps 10m  ! threshold as an absolute rate; note the unit is megabits per second
3. SSH (Secure Shell Protocol)
Describing vulnerabilities in the Telnet protocol
The Telnet protocol is not secure; user names and passwords are easily exposed. A more secure protocol can be enabled instead:
SSH
Enable SSH on the device:
ip domain-name wolf.com
crypto key generate rsa general-keys modulus 1024
line vty 0 4
login local
transport input ssh
username wolf password cisco
Log in to the device:
ssh -l wolf 12.1.1.2
Password prompt: cisco
<Configuration case>
DHCP snooping
ip dhcp snooping
ip dhcp snooping information option
ip dhcp snooping vlan 10,20
int fa0/0                          ! access port
ip dhcp snooping limit rate 10
int gi0/0                          ! uplink
switchport mode trunk
switchport trunk allowed vlan 10,20
ip dhcp snooping trust
DAI
ip dhcp snooping
ip dhcp snooping information option
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10,20
int fa0/0                          ! access port
ip dhcp snooping limit rate 10
int gi0/0                          ! uplink
switchport mode trunk
switchport trunk allowed vlan 10,20
ip dhcp snooping trust
ip arp inspection trust
If static entries are used:
arp access-list test
permit ip host 10.1.1.2 mac host 0017.5aa7.2d28
ip arp inspection filter test vlan 10
IP Source Guard
ip dhcp snooping
ip dhcp snooping information option
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10,20
int gi0/0                          ! uplink
switchport mode trunk
switchport trunk allowed vlan 10,20
ip dhcp snooping trust
ip arp inspection trust
int fa0/1
switchport mode access
switchport access vlan 2
switchport port-security
ip arp inspection limit rate 10
ip verify source port-security
ip dhcp snooping limit rate 10
show ip verify source
If static:
ip source binding 0017.5aa7.2d28 vlan 2 10.1.1.2 interface fa0/2
int fa0/2
ip verify source
Interface filtering.