This chapter covers the following key topics:

General Switch and Layer 2 Security —This section discusses some of the basic steps you can take to make Layer 2 environments and switches more secure.

Port Security —This section discusses how to restrict access on a port basis.

IP Permit Lists —This section talks about using IP permit lists to restrict access to the switch for administrative purposes.

Protocol Filtering and Controlling LAN Floods —This section talks about controlling floods on LANs.

Private VLANs on Catalyst 6000 —This section deals with setting up private VLANs on Catalyst 6000 switches to provide Layer 2 isolation to connected devices.

Port Authentication and Access Control Using the IEEE 802.1x Standard —This section talks about how the 802.1x protocol can be used to improve security in a switched environment by providing access control on devices attaching to various ports.
Chapter 5: Secure LAN Switching
In order to provide comprehensive security on a network, it is important to take the concept of security to the last step and ensure that the Layer 2 devices, such as the switches that manage the LANs, are also operating in a secure manner.

This chapter focuses on the Cisco Catalyst 5000/5500 series switches. We will discuss private VLANs in the context of the 6000 series switches. Generally, similar concepts can be implemented in other types of switches (such as the 1900, 2900, 3000, and 4000 series switches) as well.
Security on the LAN is important because some security threats can be initiated at Layer 2 rather than at Layer 3 and above. One example of such an attack is a compromised server on a DMZ LAN being used to connect to another server on the same segment, despite the access control lists on the firewall connected to the DMZ. Because the connection occurs at Layer 2, this type of access attempt cannot be blocked without suitable measures to restrict traffic on this layer.
General Switch and Layer 2 Security
Some of the basic rules to keep in mind when setting up a secure Layer 2 switching environment are as follows:

VLANs should be set up in ways that clearly separate the network's various logical components from each other. VLANs lend themselves to providing segregation between logical workgroups. This is a first step toward segregating portions of the network needing more security from portions needing less security. It is important to have a good understanding of what VLANs are. VLANs are a logical grouping of devices that might or might not be physically located close to each other.

If some ports are not being used, it is prudent to turn them off as well as place them in a special VLAN used to collect unused ports. This VLAN should have no Layer 3 access.
Although devices on a particular VLAN cannot access devices on another VLAN unless specific mechanisms for doing so (such as trunking or a device routing between the VLANs) are set up, VLANs should not be used as the sole mechanism for providing security to a particular group of devices on a VLAN. VLAN protocols are not constructed with security as the primary motivator behind them. The protocols that are used to establish VLANs can be compromised rather easily from a security perspective and allow loopholes into the network. As such, other mechanisms such as those discussed next should be used to secure them.

Because VLANs are not a security feature, devices at different security levels should be isolated on separate Layer 2 devices. For example, having the same switch chassis on both the inside and outside of a firewall is not recommended. Two separate switches should be used for the secure and insecure sides of the firewall.

Unless it is critical, Layer 3 connectivity such as Telnet and HTTP connections to a Layer 2 switch should be restricted and very limited.

It is important to make sure that trunking does not become a security risk in the switching environment. Trunks should not use port numbers that belong to a VLAN that is in use anywhere on the switched network. This can erroneously allow packets from the trunk port to reach other ports located in the same VLAN. Ports that do not require trunking should have trunking disabled. An attacker can use trunking to hop from one VLAN to another by pretending to be another switch, using ISL or 802.1q signaling along with Dynamic Trunking Protocol (DTP). This allows the attacker's machine to become a part of all the VLANs on the switch being attacked. It is generally a good idea to set DTP to off on all ports not being used for trunking. It is also a good idea to use dedicated VLAN IDs for all trunks rather than VLAN IDs that are also being used for nontrunking ports; sharing IDs between trunks and nontrunking ports can allow an attacker to make itself part of a trunking VLAN rather easily and then use trunking to hop onto other VLANs as well.
Generally, it is difficult to protect against attacks launched from hosts sitting on a LAN. These hosts are often considered trusted entities. As such, if one of these hosts is used to launch an attack, it becomes difficult to stop it. Therefore, it is important to make sure that access to the LAN is secured and is provided only to trusted people.

Some of the features we will discuss in the upcoming sections show you ways to further secure the switching environment.

The discussion in this chapter revolves around the use of Catalyst 5xxx and 6xxx switches. The same principles can be applied to setting up security on other types of switches.
Port Security
Port security is a mechanism available on the Catalyst switches to restrict the MAC addresses that can connect via a particular port of the switch. This feature allows a specific MAC address or a range of MAC addresses to be defined and specified for a particular port. A port set up for port security only allows machines with a MAC address belonging to the range configured on it to connect to the LAN. The port compares the MAC address of any frame arriving on it with the MAC addresses configured in its allowed list. If the address matches, it allows the packet to go through, assuming that all other requirements are met. However, if the MAC address does not belong to the configured list, the port can either simply drop the packet (restrictive mode) or shut itself down for a configurable amount of time. This feature also lets you specify the number of MAC addresses that can connect to a certain port.
MAC Address Floods and Port Security
Port security is especially useful in the face of MAC address flooding attacks. In these attacks, an attacker tries to fill up a switch's CAM tables by sending a large number of frames to it with source MAC addresses that the switch is unaware of at that time. The switch learns about these MAC addresses and puts them in its CAM table, thinking that these MAC addresses actually exist on the port on which it is receiving them. In reality, this port is under the attacker's control, and a machine connected to this port is being used to send frames with spoofed MAC addresses to the switch. If the attacker keeps sending these frames in a large-enough quantity, and the switch continues to learn of them, eventually the switch's CAM table becomes filled with entries for these bogus MAC addresses mapped to the compromised port.
Under normal operations, when a machine receiving a frame responds to it, the switch learns that the MAC address associated with that machine sits on the port on which it has received the response frame. It puts this mapping in its CAM table, allowing it to send any future frames destined for this MAC address directly to this port rather than flood all the ports on the VLAN. However, in a situation where the CAM table is filled up, the switch is unable to create this CAM entry. At this point, when the switch receives a legitimate frame for which it does not know which port to forward the frame to, the switch floods all the connected ports belonging to the VLAN on which it has received the frame. The switch continues to flood the frames with destination addresses that do not have an entry in the CAM tables to all the ports on the VLAN associated with the port it is receiving the frame on. This causes two main problems:

Network traffic increases significantly due to the flooding done by the switch. This can result in a denial of service (DoS) for legitimate users of the switched network.

The attacker can receive frames that are being flooded by the switch and use the information contained in them for various types of attacks.

Figure 5-1 shows how MAC address flooding can cause CAM overflow and subsequent DoS and traffic analysis attacks.
Figure 5-1 MAC Address Flooding Causing CAM Overflow and Subsequent DoS and Traffic Analysis Attacks

[Figure: a switch with a host of MAC address A on port 1, MAC address B on port 2, MAC address C on port 3, and the compromised host of MAC address D on port 4. The switch's CAM table (columns "Port #" and "MAC Address") holds entries for D and the bogus addresses G, H, E, F, and X, all mapped to port 4. Numbered arrows 1 through 4 mark the steps listed below.]
Figure 5-1 shows the series of steps that take place in a MAC address flooding attack:

Step 1 A compromised machine is attached to port 4. Frames sourced from fictitious MAC addresses (denoted by G, H, E, F, and so on) are sent on port 4. The actual MAC address of the compromised machine is denoted by D.

Step 2 Due to the flooding of frames on port 4, the CAM table of the switch fills up, and it is unable to learn any more MAC address and port mappings.

Step 3 A host on port 1 with a MAC address denoted by A sends a frame sourced from MAC address A to MAC address B. The switch is unable to learn and associate port 1 with MAC address A, because its CAM table is full.

Step 4 The host on port 3 with a MAC address denoted by C sends a frame to MAC address A. Because the switch does not have an entry in its CAM table for A, it floods the frame to all its ports in that VLAN. This flooding causes DoS as well as an opportunity for traffic analysis by the attacker, who receives the flooded frames on port 4 as well.
The danger of attacking a switch by flooding the CAM table can be avoided either by hard-coding the MAC addresses that are allowed to connect on a port or by limiting the number of hosts that are allowed to connect on a port. Both of these features are part of the port security feature set on Cisco switches.
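As an added example (not code from the book or from Cisco), the following Python model replays the four steps of Figure 5-1 on a toy learning switch, then repeats them with a per-port MAC address limit in restrictive and shutdown mode, which is the port-security behaviour described in the two sections above. The switch class, the single-letter MAC addresses, the port numbers and the CAM table size are all constructed for illustration.

```python
# Constructed toy switch (not the book's code): MACs are single letters, the CAM is tiny.
class Switch:
    def __init__(self, cam_capacity=6, port_mac_limit=None, violation="restrict"):
        self.cam = {}                        # CAM table: MAC -> port
        self.cam_capacity = cam_capacity     # small so the overflow is visible
        self.port_mac_limit = port_mac_limit # None = port security off
        self.violation = violation           # "restrict" drops, "shutdown" disables the port
        self.per_port = {}                   # port -> MACs accepted under port security
        self.shutdown = set()                # ports disabled by a violation
        self.violations = []                 # (port, offending MAC)

    def frame(self, in_port, src, dst, ports=(1, 2, 3, 4)):
        """Process one frame on a single VLAN; return the set of egress ports
        (an empty set means the frame was dropped)."""
        if in_port in self.shutdown:
            return set()
        if self.port_mac_limit is not None:          # port security check
            allowed = self.per_port.setdefault(in_port, set())
            if src not in allowed:
                if len(allowed) >= self.port_mac_limit:
                    self.violations.append((in_port, src))
                    if self.violation == "shutdown":
                        self.shutdown.add(in_port)
                    return set()
                allowed.add(src)
        # source learning succeeds only while the CAM table has free entries
        if src not in self.cam and len(self.cam) < self.cam_capacity:
            self.cam[src] = in_port
        # known destination: one port; unknown destination: flood the VLAN
        if dst in self.cam:
            return {self.cam[dst]} - {in_port}
        return set(ports) - {in_port}


def replay_figure_5_1(port_mac_limit=None, violation="restrict"):
    """Replay the four steps of Figure 5-1; return (switch, egress ports of step 4)."""
    sw = Switch(cam_capacity=6, port_mac_limit=port_mac_limit, violation=violation)
    sw.frame(4, "D", "B")                 # D is the real MAC of the host on port 4
    for bogus in "GHEFXYZW":              # Step 1: spoofed source MACs sent from port 4
        sw.frame(4, bogus, "B")           # Step 2: the CAM table fills with port-4 entries
    sw.frame(1, "A", "B")                 # Step 3: A cannot be learned once the table is full
    return sw, sw.frame(3, "C", "A")      # Step 4: the reply to A is flooded, port 4 included


if __name__ == "__main__":
    sw, egress = replay_figure_5_1()
    print("no port security: CAM =", sw.cam, "egress =", sorted(egress))
    sw, egress = replay_figure_5_1(port_mac_limit=1)
    print("limit 1 MAC/port: CAM =", sw.cam, "egress =", sorted(egress),
          "violations =", len(sw.violations))
```

Without port security the CAM table ends up holding only port-4 entries and the reply to A is flooded to port 4; with a limit of one MAC per port the bogus sources are dropped and logged as violations, A and C are learned normally, and the reply reaches port 1 only.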