Overview
VLAN traffic, VLAN hopping, DHCP spoofing, Address Resolution Protocol (ARP) spoofing, at the switch and its ports. You can take specific measures to guard against MAC flooding, which is a common Layer 2 malicious activity.
Objectives
Upon completing this lesson, you will be able to describe and implement security features in a switched network. This ability includes being able to meet these objectives:
* Describe switch and Layer 2 security as a subset of an overall security plan
* Describe how a rogue device gains unauthorized access to a network
* Categorize switch attack types and list mitigation options
* Describe how a MAC flooding attack works to overflow a CAM table
* Describe how port security is used to block input from devices based on Layer 2 restrictions
* Describe the procedure for configuring port security on a switch
* Describe the methods that can be used for authentication using AAA
* Describe port-based authentication using 802.1X
Overview of Switch Security issues
This topic describes switch and Layer 2 security as a subset of an overall network security plan.
Much industry attention focuses on security attacks from outside the walls of an organization and at the upper Open System Interconnection (OSI) layers. Network security often focuses on edge routing devices and filtering of packets based on Layer 3 and Layer 4 headers, ports, stateful packet inspection, and so forth. This includes all issues related to Layer 3 and above, as traffic makes its way into the campus network from the Internet. Campus access devices and Layer 2 communication are largely unconsidered in most security discussions.
The default state of networking equipment highlights this focus on external protection and internal open communication. Firewalls, placed at the organizational borders, arrive in a secure operational mode and allow no communication until they are configured to do so. Routers and switches that are internal to an organization, and that are designed to accommodate communication by delivering needed campus traffic, have a default operational mode that forwards all traffic unless they are configured otherwise. Their function as devices that facilitate communication often results in minimal security configuration, and they become targets for malicious attacks. If an attack is launched at Layer 2 on an internal campus device, the rest of the network can be quickly compromised, often without detection.
Many security features are available for switches and routers, but they must be enabled to be effective. Just as security had to be tightened on Layer 3 devices within the campus as malicious activity that compromised that layer increased, security measures must now be taken to guard against malicious activity at Layer 2. A new security focus centers on attacks that are launched by maliciously using normal Layer 2 switch operations. However, as with access control lists (ACLs) for upper-layer security, a policy must be established and appropriate features configured to protect against potential malicious acts while maintaining daily network operations.
Security Infrastructure Service
This topic describes the security design issues within an enterprise network design.
Security is an infrastructure service that increases the integrity of the network by protecting network resources and users from internal and external threats. Without a full understanding of the threats that are involved, network security deployments tend to be incorrectly configured, too focused on security devices, or lacking in the appropriate threat-response options. You can evaluate and apply security on a module-by-module basis within the Cisco Enterprise Architecture. The following are some recommended-practice security considerations for each module:
Reasons for Internal Security
This topic describes reasons for internal security.
Unauthorized Access by Rogue Devices
This topic describes how a rogue device gains unauthorized access to a network.
Rogue access comes in several forms. For example, because unauthorized rogue access points are inexpensive and readily available, employees sometimes plug them into existing LANs and build ad hoc wireless networks without IT department knowledge or consent. These rogue access points can be a serious breach of network security because they can be plugged into a network port behind the corporate firewall. Because employees generally do not enable any security settings on the rogue access point, it is easy for unauthorized users to use the access point to intercept network traffic and hijack client sessions.
Malicious rogue access points, although much less common than employee-installed rogue access points, are also a security concern. These rogue access points create an unsecured wireless LAN connection that puts the entire wired network at risk. Malicious rogues present an even greater risk and challenge because they are intentionally hidden from physical and network view.
To mitigate Spanning Tree Protocol (STP) manipulation, use the root guard and BPDU guard enhancement commands to enforce the placement of the root bridge in the network and to enforce the STP domain borders. The root guard feature is designed to provide a way to enforce the root bridge placement in the network. STP BPDU guard is designed to allow network designers to keep the active network topology predictable. Although BPDU guard may seem unnecessary, given that the administrator can set the bridge priority to zero, there is still no guarantee that the switch will be elected as the root bridge, because there might be another bridge with priority zero and a lower bridge ID. BPDU guard is best deployed on user-facing ports to prevent rogue switch-network extensions by an attacker.
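The following is an added example, not part of the course text, that models the two protections described above in a few lines of Python: STP bridge-ID comparison (priority first, then base MAC as tie-breaker), root guard putting a port into the root-inconsistent state when a superior BPDU arrives, and BPDU guard err-disabling a user-facing port on any BPDU at all. The switch names, port names, priorities and MAC addresses are constructed for the illustration; the recovery behaviour of the guarded states is simplified.

```python
# Added example (not from the course): minimal model of STP root election and
# of the root guard / BPDU guard port protections. All bridge IDs, MACs and
# port names below are constructed for the illustration.
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass(frozen=True)
class BridgeId:
    """STP bridge ID. Lower (priority, MAC) wins the root election."""
    priority: int   # real switches use 0..61440 in steps of 4096
    mac: str        # constructed base MAC, used as the tie-breaker

    def is_superior_to(self, other: "BridgeId") -> bool:
        # Priority zero alone is not enough: a bridge with priority zero and
        # a numerically lower MAC still wins, which is the point made above.
        return (self.priority, self.mac) < (other.priority, other.mac)


@dataclass
class Port:
    name: str
    root_guard: bool = False
    bpdu_guard: bool = False
    state: str = "forwarding"   # forwarding | root-inconsistent | err-disabled


@dataclass
class Switch:
    bridge_id: BridgeId
    ports: Dict[str, Port] = field(default_factory=dict)
    root_id: Optional[BridgeId] = None

    def __post_init__(self) -> None:
        if self.root_id is None:
            self.root_id = self.bridge_id   # assume self is root until told otherwise

    def receive_bpdu(self, port_name: str, advertised_root: BridgeId) -> str:
        """Process a BPDU arriving on a port and return the resulting port state."""
        port = self.ports[port_name]
        if port.state == "err-disabled":
            return port.state               # stays down until an admin recovers it
        if port.bpdu_guard:
            # Any BPDU on a user-facing port means a switch was plugged in:
            # err-disable the port instead of extending the STP topology.
            port.state = "err-disabled"
            return port.state
        if advertised_root.is_superior_to(self.root_id):
            if port.root_guard:
                # Superior BPDU on a root-guard port: refuse to move the root
                # and hold the port in the root-inconsistent (blocking) state.
                port.state = "root-inconsistent"
                return port.state
            # No guard configured: normal STP behaviour, accept the new root.
            self.root_id = advertised_root
        port.state = "forwarding"
        return port.state


def demo() -> dict:
    """Admin set priority 0 on the core switch; a rogue also uses 0 with a lower MAC."""
    core = Switch(BridgeId(0, "0000.0c00.0002"))
    core.ports["Gi1/0/1"] = Port("Gi1/0/1", root_guard=True)    # toward distribution
    core.ports["Gi1/0/24"] = Port("Gi1/0/24", bpdu_guard=True)  # user-facing access port
    rogue = BridgeId(0, "0000.0c00.0001")
    return {
        "rogue_is_superior": rogue.is_superior_to(core.bridge_id),
        "root_guard_port": core.receive_bpdu("Gi1/0/1", rogue),
        "bpdu_guard_port": core.receive_bpdu("Gi1/0/24", rogue),
        "root_unchanged": core.root_id == core.bridge_id,
    }


if __name__ == "__main__":
    print(demo())
```

Run the file directly to see that the rogue bridge ID compares as superior even though both priorities are zero, that the root-guard port blocks rather than surrendering the root role, and that the BPDU-guard port is err-disabled on the first BPDU.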
Switch Attack Categories
This topic categorizes switch attack types and lists mitigation options.
A device that is connected to the campus network typically launches Layer 2 malicious attacks. The attacks may originate from a physical rogue device that has been placed on the network for malicious purposes. The attack may also come from an external intrusion that takes control of, and launches attacks from, a trusted device. In either case, the network sees all traffic as originating from a legitimately connected device.
Attacks that are launched against switches and Layer 2 can be grouped as follows:
Significant attacks in these categories are discussed in more detail in subsequent sections of the course. Each attack method is accompanied by a standard measure for mitigating the security compromise.
The table describes attack methods and the steps to mitigation.
| Attack Method | Description | Steps to Mitigation |
| ----------- | ----------- | ----------- |
| MAC address flooding | Frames with unique, invalid source MAC addresses flood the switch, exhausting content-addressable memory (CAM) table space and disallowing new entries from valid hosts. Traffic to valid hosts is subsequently flooded out all ports. | Port security, MAC address VLAN access map. |
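To make the MAC flooding row concrete, the following added example (not from the course) models a switch CAM table in Python. It shows the mechanism in the description column: once the table is full, a valid host whose entry has aged out can no longer be relearned, so frames to it are flooded out every port, including the attacker's. It then applies the first mitigation in the table, a per-port port-security limit with a shutdown-style violation action, and shows that the table stays intact and the frame reaches only the server's port. The capacity of 64 entries, the port names and all MAC addresses are constructed for the illustration.

```python
# Added example (not from the course): a small CAM-table model showing the
# effect of MAC flooding and how a per-port port-security limit stops it.
# Capacity, port names and MAC addresses are constructed for the illustration.
from collections import OrderedDict
from itertools import count
from typing import Dict, List, Optional

CAM_CAPACITY = 64                       # tiny constructed size; real tables hold thousands
PORTS = ["Fa0/1", "Fa0/2", "Fa0/3"]     # Fa0/1 attacker, Fa0/2 server, Fa0/3 client


class Switch:
    def __init__(self, cam_capacity: int = CAM_CAPACITY,
                 port_security: Optional[Dict[str, int]] = None) -> None:
        self.cam: "OrderedDict[str, str]" = OrderedDict()   # mac -> port
        self.capacity = cam_capacity
        self.port_security = port_security or {}            # port -> max MACs allowed
        self.learned_on_port: Dict[str, set] = {}           # port -> MACs learned there
        self.err_disabled: set = set()

    def learn(self, src_mac: str, port: str) -> str:
        """Learn a source MAC. Returns 'learned', 'dropped' (table full or port down)
        or 'violation' (port-security limit exceeded; port is err-disabled)."""
        if port in self.err_disabled:
            return "dropped"
        if src_mac in self.cam:
            self.cam[src_mac] = port                          # refresh existing entry
            return "learned"
        limit = self.port_security.get(port)
        if limit is not None and len(self.learned_on_port.get(port, ())) >= limit:
            # Shutdown-style violation: err-disable the offending port so its
            # bogus addresses never consume CAM space.
            self.err_disabled.add(port)
            return "violation"
        if len(self.cam) >= self.capacity:
            return "dropped"                                  # CAM exhausted: no new entries
        self.cam[src_mac] = port
        self.learned_on_port.setdefault(port, set()).add(src_mac)
        return "learned"

    def forward(self, dst_mac: str, in_port: str) -> List[str]:
        """Egress ports for a frame to dst_mac: known -> one port, unknown -> flood."""
        if dst_mac in self.cam:
            return [self.cam[dst_mac]]
        return [p for p in PORTS if p != in_port and p not in self.err_disabled]


def run_scenario(with_port_security: bool) -> dict:
    """Attacker on Fa0/1 floods bogus source MACs; server on Fa0/2; client on Fa0/3."""
    sw = Switch(port_security={"Fa0/1": 1} if with_port_security else {})
    server_mac = "0000.0c00.aaaa"
    bogus = ("00de.ad00.%04x" % i for i in count())          # constructed attacker MACs

    sw.learn(server_mac, "Fa0/2")                            # server talks first
    results = [sw.learn(next(bogus), "Fa0/1") for _ in range(200)]
    sw.cam.pop(server_mac, None)                             # server entry ages out
    results += [sw.learn(next(bogus), "Fa0/1") for _ in range(10)]  # attacker keeps going
    relearn = sw.learn(server_mac, "Fa0/2")                  # server sends again
    egress = sw.forward(server_mac, "Fa0/3")                 # client frame to the server
    return {
        "cam_entries": len(sw.cam),
        "attacker_learned": results.count("learned"),
        "violation": "violation" in results,
        "server_relearned": relearn == "learned",
        "frame_to_server_egress": egress,
        "attacker_sees_traffic": "Fa0/1" in egress,
    }


if __name__ == "__main__":
    print("no port security:", run_scenario(False))
    print("port security   :", run_scenario(True))
```

Without port security the attacker fills all 64 entries, the server cannot be relearned after its entry ages out, and the client's frame is flooded to Fa0/1 and Fa0/2. With a maximum of one address on Fa0/1, the second bogus address triggers the violation, the port is err-disabled, and the frame goes only to Fa0/2.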