Secure your network with advanced Switching Security measures. Explore VLAN security, port security, and more for a robust and protected infrastructure.

Switching Security

Understanding Switch Security Issues

Overview

VLAN traffic, VLAN hopping, DHCP spoofing, Address Resolution Protocol (ARP) spoofing, at switch and its ports. You can take specific measures to guard against MAC flooding, which is a common Layer 2 malicious activity.

Objectives

Upon completing this lesson, you will be able to describe and implement security features in a switched network. This ability includes being able to meet this objectives: * Describe switch and layer 2 security as a subject of an overall security plan * Describe how a rouge device gains unauthorized access to a network * Categorize switch attack types and list mitigation options * Describe how a MAC flooding attack works to overflow a CAM Campus backbone Layer table * Describe how port security is used to block input from devices based on Layer 2 restrictions * Describe the procedure for configuring port security on a switch * Describe the methods that can be used for authentication using AAA * Describe port-based authentication using 802.1X

Overview of Switch Security issues

This topic describes switch and Layer 2 security as a subset of an overall network security plan

Much industry attention focuses on security attacks from outside the walls of an organization and at the upper Open System Interconnection (OSI) layers. Network security often focuses on edge routing devices and filtering of packets that are based on Layer 3 and Layer 4 headers, ports, stateful packet inspection, and so forth. This includes all issues related to layer 3and above, as traffic makes its way into the campus network from the internet. Campus access device and layer 2 communication are largely unconsidered in most security discussions.

The default state of networking equipment highlights this focus on external protection and internal open communication. Firewalls, placed at the organizational borders, arrive in a secure operational mode and allow no communication until they are configured to do so. Routers and switches that are internal to an organization and that are designed to accommodate communication, delivering needful campus traffic, have a default operational mode that forwards all traffic unless they are configured otherwise. Their function as devices that facilitate communication often result in minimal security configuration, and they become target for malicious attacks. If an attack is launched at layer 2 on an internal campus device, the rest of the network can be quickly compromised, often without detection.

Many security features are available for switches and routers, but they must be enabled to be effective. As with Layer 3, where security had to be tightened on devices within the campus as. Malicious activity that compromised this layer increased, now security measures must be taken to guard against malicious activity at Layer 2. A new security focus centers on attacks that are launched by maliciously using normal layer 2 switch operations. However, as with access control list (ACLs) for upper-layer security, a policy must be established and appropriate features configured to protect against potential malicious acts while maintaining daily network operations.

Security Infrastructure service

This topic describes the security design issues within an enterprise design network.

Security is an infrastructure service that increases the integrity of the networks by protecting network resources and users from internal and external threats. Without a full understanding of the threats that are involved, network security deployments tends to be incorrectly configured, too focused on security devices, or lacking in the appropriate threat-response options. You can evaluate and apply security on a module-by-module basis within the Cisco Enterprise Architecture. The following are some recommended-practice security consideration for each module:

The campus core layer in the campus infrastructure module switches packets as quickly as possible. It should not perform any security functions, because these would slow down packet switching.
The building distribution layer performs packet filtering to keep unnecessary traffic from the campus core layer. Packet filtering at the building distribution layer is a security function because it prevents some undesired access to other modules. Given that switches in this layer are usually Layer 3 – aware multilayer switches, the building distribution layer is often the first location that can filter based on network layer information.
At the building access layer access can be controlled at the port level with respect to the data link layer information (for example, MAC address).
The server farm module provides application services to end users and devices. Given the high degree of access that most employees have to these servers, they often become the primary target of internally originated attacks. Use host-and network-based intrusion prevention system (IPSs), private VLANs, and access control to provide a much more comprehensive response to attacks. An comboardintrusion detection system (IDS) within multilayer switches can inspect traffic flows on the server farm modules.
The server farm module typically includes a network management system that securely manages all devices and hosts within the enterprise architecture. Syslog provide important information regarding security violations and configuration changes by logging security related events (authentication and so on) other sever including an authentication, authorization, and accounting (AAA) security server can work in combination with the one-time password (OTP) server to provide a very high level of security to all local and remote users. AAA and OTP authentication reduce the likelihood of successful password attack.

Reason for internal security

This topic describes reasons for internal security

Several reasons exist for strong protection of the enterprise campus infrastructure, including security in each individual element of the enterprise campus, where usually the most strategic assets reside.
Relying on the security that has been established at the enterprise edge fails as soon as security there is compromised. Having several layers of security increases the protection of the enerprise campus, where usually the most strategic assets reside.
If the enterprise allows visitors into buildings, potentially an attacker gain physical access to devices in the enterprise campus. Relying on physical security is not enough.
Very often external access does not stop at the enterprise edge. Application require at least an indirect access to the enterprise campus resources, which means that strong security is necessary.

Unauthorized Access by Rogue Devices

This topic describes how a rogue device gains unauthorized access to a network.

Rogue access comes in several forms. For example, because unauthorized rogue access points are inexpensive and readily available, employees sometimes plug them into existing LANs and build ad hoc wireless networks without IT department knowledge or consent. These rogue access points can be a serious breach of network security because they can be plugged into a network port behind the corporate firewall. Because employees generally do not enable any security settings on the rogue access point, it is easy for unauthorized users to use the access point to intercept network traffic and hijack client sessions.

Malicious rogue access points, although much less common than employee-installed rogue access points, are also a security concern. These rogue access points create an unsecured wireless LAN connection that puts the entire wired network at risk. Malicious rogues present an even greater risk and challenge because they are intentionally hidden from physical and network view.

To mitigate Spanning Tree Protocol (STP) manipulation, use the root guard and the BPDU guard enhancement commands to enforce the placement of the root bridge in the network and to enforce the STP domain borders. The RootGuard feature is designed to provide a way to enforce the root bridge placement in the network. The STP BPDUGuard is designed to allow network designers to keep the active network topology predictable. Although BPDUGuard may seem unnecessary, given that the administrator can set the bridge priority to zero, there is still no guarantee that it will be elected as the root bridge, because there might be a bridge with priority zero and a lower bridge ID. BPDUGuard is best deployed toward user-facing ports to prevent rogue switch-network extensions by an attacker.

Switch Attack Categories

This topic categorizes switch attack types and lists mitigation options.

Switch Attack Categories

MAC address-based attacks

MAC address flooding

VLAN attacks

VLAN hopping

Spoofing attacks

Spoofing of DHCP, ARP, and MAC addressing

Attacks on switch devices

Cisco Discovery Protocol
Management protocols

A device that is connected to the campus network typically launches Layer 2 malicious attacks. The attacks may originate from a physical rogue device that has been placed on the network for malicious purposes. The attack may also come from an external instruction that takes control of, and launches attacks from a trusted devices. In either case, the network sees all traffic as originating from a legitimate connected devices.

Attack that are launched against switches and Layer 2 can be grouped as follows:

MAC layer attacks
VLAN attacks
Spoof attacks
Attacks on switch devices

Significant attacks in these categories are discussed in more detail in subsequent section of the course. Each attack method is accompanied by a standard measure for mitigating the security compromise.

The table describes attack methods and the steps to mitigation.

MAC Flooding Attack

This topic describes how port security is used to block input from devices based on layer 2 restrictions.

A common Layer 2 or switch attack is MAC flooding, which results in an overflow of the CAM table of a switch. The overflow causes the flooding of regular data frames out all switch ports. This attack can be launched for the malicious purpose of collecting a broad sample of traffic or as a denial of service (DoS) attack.

The CAM tables of a switch are limited in size and therefore can contain only a limited number of entire at any one time. A network intruder can malicious flood a switch with a large number of frames from a range of invalid MAC address. If enough new entries are made before old ones expire, new valid entries will not be accepted. Then, when traffic arrives. At the switch for a legitimate device that is located on one of the switch ports that was not able to create a CAM table entry, the switch must flood the frames to that address out all ports. This has two adverse effects:

The switch traffic forwarding is inefficient and voluminous.
An intruding device can be connected to any switch port and capture traffic that is not normally detected on that port.

If the attack is launched before the beginning of the day, the CAM table would be full when the majority of the devices powered on. Then frames from those legitimate devices are unable to create CAM table entries as the power on. If this represents a large number of network devices, the number of MAC address that are flooded with traffic will be high, and any switch port will carry flooded frames from a large number of devices.

If the initial flood of invalid CAM table entries is a one-time event, the switch will eventually age out older, invalid CAM table entries, allowing new, legitimate devices to create entries.

Traffic flooding will cease and may never be detected, even though the intruder may have captured a significant amount of data from network.

As the figure shows, MAC flooding occurs in several steps. The table describes the progression of a MAC flooding attack.