Switch Security

Understanding Switch Security Issues

Overview

This lesson covers attacks on VLAN traffic such as VLAN hopping, DHCP spoofing, and Address Resolution Protocol (ARP) spoofing at the switch and its ports. You can take specific measures to guard against MAC flooding, which is a common Layer 2 malicious activity.

Objectives

Upon completing this lesson, you will be able to describe and implement security features in a switched network. This ability includes being able to meet these objectives:

  • Describe switch and Layer 2 security as a subset of an overall security plan
  • Describe how a rogue device gains unauthorized access to a network
  • Categorize switch attack types and list mitigation options
  • Describe how a MAC flooding attack works to overflow a content-addressable memory (CAM) table
  • Describe how port security is used to block input from devices based on Layer 2 restrictions
  • Describe the procedure for configuring port security on a switch
  • Describe the methods that can be used for authentication using AAA
  • Describe port-based authentication using 802.1X

Overview of Switch Security Issues

This topic describes switch and Layer 2 security as a subset of an overall network security plan.

Much industry attention focuses on security attacks from outside the walls of an organization and at the upper Open Systems Interconnection (OSI) layers. Network security often focuses on edge routing devices and the filtering of packets based on Layer 3 and Layer 4 headers, ports, stateful packet inspection, and so forth. This includes all issues related to Layer 3 and above as traffic makes its way into the campus network from the Internet. Campus access devices and Layer 2 communication are largely left out of most security discussions.

The default state of networking equipment highlights this focus on external protection and internal open communication. Firewalls, placed at the organizational borders, arrive in a secure operational mode and allow no communication until they are configured to do so. Routers and switches that are internal to an organization, and that are designed to accommodate communication by delivering needed campus traffic, have a default operational mode that forwards all traffic unless they are configured otherwise. Their function as devices that facilitate communication often results in minimal security configuration, and they become targets for malicious attacks. If an attack is launched at Layer 2 on an internal campus device, the rest of the network can be quickly compromised, often without detection.

Many security features are available for switches and routers, but they must be enabled to be effective. Just as security had to be tightened on Layer 3 devices within the campus as malicious activity against that layer increased, security measures must now be taken to guard against malicious activity at Layer 2. A new security focus centers on attacks that are launched by maliciously using normal Layer 2 switch operations. However, as with access control lists (ACLs) for upper-layer security, a policy must be established and appropriate features configured to protect against potential malicious acts while maintaining daily network operations.

Security Infrastructure Services

This topic describes the security design issues within an enterprise network design.

Security is an infrastructure service that increases the integrity of the network by protecting network resources and users from internal and external threats. Without a full understanding of the threats that are involved, network security deployments tend to be incorrectly configured, too focused on security devices, or lacking in the appropriate threat-response options. You can evaluate and apply security on a module-by-module basis within the Cisco Enterprise Architecture. The following are some recommended-practice security considerations for each module:

  • The campus core layer in the campus infrastructure module switches packets as quickly as possible. It should not perform any security functions, because these would slow down packet switching.
  • The building distribution layer performs packet filtering to keep unnecessary traffic from the campus core layer. Packet filtering at the building distribution layer is a security function because it prevents some undesired access to other modules. Given that switches in this layer are usually Layer 3-aware multilayer switches, the building distribution layer is often the first location that can filter based on network layer information.
  • At the building access layer, access can be controlled at the port level based on data link layer information (for example, the MAC address).
  • The server farm module provides application services to end users and devices. Given the high degree of access that most employees have to these servers, they often become the primary target of internally originated attacks. Use host- and network-based intrusion prevention systems (IPSs), private VLANs, and access control to provide a much more comprehensive response to attacks. An onboard intrusion detection system (IDS) within multilayer switches can inspect traffic flows on the server farm module.
  • The server farm module typically includes a network management system that securely manages all devices and hosts within the enterprise architecture. Syslog provides important information regarding security violations and configuration changes by logging security-related events (authentication and so on). Other servers, including an authentication, authorization, and accounting (AAA) security server, can work in combination with a one-time password (OTP) server to provide a very high level of security to all local and remote users. AAA and OTP authentication reduce the likelihood of successful password attacks.

Reasons for Internal Security

This topic describes reasons for internal security.

  • Several reasons exist for strong protection of the enterprise campus infrastructure, including security in each individual element of the enterprise campus.
  • Relying on the security that has been established at the enterprise edge fails as soon as security there is compromised. Having several layers of security increases the protection of the enterprise campus, where usually the most strategic assets reside.
  • If the enterprise allows visitors into buildings, an attacker can potentially gain physical access to devices in the enterprise campus. Relying on physical security is not enough.
  • Very often external access does not stop at the enterprise edge. Applications require at least indirect access to the enterprise campus resources, which means that strong security is necessary.

Unauthorized Access by Rogue Devices

This topic describes how a rogue device gains unauthorized access to a network.

Rogue access comes in several forms. For example, because unauthorized rogue access points are inexpensive and readily available, employees sometimes plug them into existing LANs and build ad hoc wireless networks without IT department knowledge or consent. These rogue access points can be a serious breach of network security because they can be plugged into a network port behind the corporate firewall. Because employees generally do not enable any security settings on the rogue access point, it is easy for unauthorized users to use the access point to intercept network traffic and hijack client sessions.

Malicious rogue access points, although much less common than employee-installed rogue access points, are also a security concern. These rogue access points create an unsecured wireless LAN connection that puts the entire wired network at risk. Malicious rogues present an even greater risk and challenge because they are intentionally hidden from physical and network view.

To mitigate Spanning Tree Protocol (STP) manipulation, use the root guard and BPDU guard enhancement commands to enforce the placement of the root bridge in the network and to enforce the STP domain borders. The root guard feature is designed to provide a way to enforce root bridge placement in the network. STP BPDU guard is designed to allow network designers to keep the active network topology predictable. Although BPDU guard may seem unnecessary, given that the administrator can set the bridge priority to zero, there is still no guarantee that the intended bridge will be elected as the root bridge, because there might be another bridge with priority zero and a lower bridge ID. BPDU guard is best deployed toward user-facing ports to prevent rogue switch-network extensions by an attacker.
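The root guard and BPDU guard placement described above, shown as an added Cisco IOS configuration example that is not part of the course text; the interface numbers, VLAN 10, and the 300-second err-disable recovery interval are assumptions:

```cisco
! Added example, not from the course text. Interface numbers and VLAN assumed.
!
! User-facing access port: PortFast plus BPDU guard. If any BPDU arrives
! on this port (a rogue switch was plugged in), the port is err-disabled
! instead of joining the STP topology.
interface GigabitEthernet1/0/10
 description User-facing access port
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Alternatively, enable BPDU guard on every PortFast-enabled port at once.
spanning-tree portfast bpduguard default
!
! Downlink from the intended root/distribution switch toward an access
! switch: root guard keeps the port designated. A superior BPDU from below
! puts the port into the root-inconsistent (blocking) state rather than
! letting the downstream switch become root.
interface GigabitEthernet1/0/24
 description Downlink toward access switch
 switchport mode trunk
 spanning-tree guard root
!
! Optional: let BPDU-guard err-disabled ports recover automatically
! after 300 seconds so a one-off event does not need manual intervention.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Verification commands
show spanning-tree summary
show spanning-tree inconsistentports
show interfaces status err-disabled
```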

Switch Attack Categories

This topic categorizes switch attack types and lists mitigation options.

Switch Attack Categories

  • MAC address-based attacks
      • MAC address flooding
  • VLAN attacks
      • VLAN hopping
  • Spoofing attacks
      • Spoofing of DHCP, ARP, and MAC addressing
  • Attacks on switch devices
      • Cisco Discovery Protocol
      • Management protocols

A device that is connected to the campus network typically launches Layer 2 malicious attacks. The attacks may originate from a physical rogue device that has been placed on the network for malicious purposes. The attack may also come from an external intrusion that takes control of, and launches attacks from, a trusted device. In either case, the network sees all traffic as originating from a legitimately connected device.

Attacks that are launched against switches and Layer 2 can be grouped as follows:

  • MAC layer attacks
  • VLAN attacks
  • Spoof attacks
  • Attacks on switch devices

Significant attacks in these categories are discussed in more detail in subsequent sections of the course. Each attack method is accompanied by a standard measure for mitigating the security compromise.

The table describes attack methods and the steps to mitigation.

| Attack Method | Description | Steps to Mitigation |
| ----------- | ----------- | ----------- |
| MAC address flooding | Frames with unique, invalid source MAC addresses flood the switch, exhausting content-addressable memory (CAM) table space and disallowing new entries from valid hosts. Traffic to valid hosts is subsequently flooded out all ports. | Port security, MAC address VLAN access map. |
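Port security, the first mitigation listed in the table for MAC address flooding, shown as an added Cisco IOS configuration example that is not part of the course text; the interface number, VLAN 10, and the limit of two secure addresses are assumptions:

```cisco
! Added example, not from the course text. Interface number, VLAN and the
! address limit are assumed values.
!
! Before: a plain access port learns an unlimited number of source MACs,
! so a flood of bogus source addresses can fill the CAM table and force
! unicast traffic for valid hosts to be flooded out every port.
interface GigabitEthernet1/0/11
 description User-facing access port
 switchport mode access
 switchport access vlan 10
!
! After: port security caps how many source MACs this port may learn.
! Frames beyond the limit trip the violation action instead of consuming
! CAM entries, so the rest of the table stays available for valid hosts.
interface GigabitEthernet1/0/11
 switchport port-security
 switchport port-security maximum 2
 ! restrict = drop offending frames, count them and raise a syslog/SNMP
 ! notification; use "violation shutdown" to err-disable the port instead.
 switchport port-security violation restrict
 ! sticky = learned addresses are written into the running config so the
 ! permitted hosts survive a reload once the config is saved.
 switchport port-security mac-address sticky
!
! Verification: secure address count, violation counter and CAM usage.
show port-security interface GigabitEthernet1/0/11
show port-security address
show mac address-table count
```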