Overview

This module describes the potential vulnerabilities related to VLANs within a network and possible solutions. Topics include port security for mitigation of MAC spoofing and MAC flooding, using private VLANs (PVLANs) and VLAN access control lists (VACLs) to control VLAN traffic, VLAN hopping, DHCP spoofing, ARP spoofing, and Spanning Tree Protocol (STP) attacks. You learn about many potential problems and their solutions; in particular, you learn how to secure switch management access using vty ACLs and SSH.
8.1 Understanding Switch Security Issues

8.1.1 Overview of Switch Security Concerns

A great deal of industry attention dwells on security attacks from outside the walls of an organization and at the upper Open Systems Interconnection (OSI) layers. Network security often focuses on edge-routing devices and on filtering packets based on Layer 3 and Layer 4 headers, ports, and stateful packet inspection. This covers the issues at Layer 3 and above as traffic makes its way into the campus network from the Internet. Most security discussions, however, do not consider campus access devices and Layer 2 communication.

The default state of networking equipment highlights this focus on external protection and internal open communication. Firewalls are placed at the organizational borders and default to a secure operational mode, allowing no communication until configured to do so. The default operational mode for routers and switches placed inside an organization is to accommodate communication and forward all traffic, which often results in minimal security configuration and renders them targets for malicious attacks. If an attack is launched at Layer 2 on an internal campus device, the rest of the network can be quickly compromised, often without detection.

Many security features are available for switches and routers, but they must be enabled to be effective. Just as security had to be tightened on Layer 3 devices within the campus as malicious activity increased, security measures must now be taken to guard against malicious activity at Layer 2. A new security focus centers on attacks launched by maliciously leveraging normal Layer 2 switch operations. Security features exist to protect switches and Layer 2 operations but, as with access control lists (ACLs) for upper-layer security, a policy must be established and the appropriate features configured to protect against potential malicious acts while maintaining daily network operations.
8.1.2 Describing Unauthorized Access by Rogue Devices

Rogue access comes in several forms. For example, because consumer-grade access points are inexpensive and readily available, employees sometimes plug them into existing LANs and build ad hoc wireless networks without IT department knowledge or consent. These rogue access points can be a serious breach of network security because they are plugged into a network port behind the corporate firewall. Employees generally do not enable any security settings on the rogue access point, so it is easy for unauthorized users to use the access point to intercept network traffic and hijack client sessions. Malicious rogue access points, while much less common than employee-installed ones, present an even greater risk and challenge because they are intentionally hidden from physical and network view. Either kind creates an unsecured wireless LAN connection that puts the entire wired network at risk.

Another security threat is the rogue Layer 2 switch. An attacker with physical access to data cabling attaches a rogue switch that can be used to manipulate Spanning Tree Protocol (STP), hop VLANs, sniff traffic, and so on. This rogue switch can be a workstation with the ability to form a trunk and participate in other Layer 2 operations.

To mitigate STP manipulation, use the root guard and BPDU guard enhancements to enforce the placement of the root bridge in the network and the borders of the STP domain. Root guard keeps the active network topology predictable. It may seem unnecessary given that the administrator can set the bridge priority to zero, but priority alone does not guarantee that the intended bridge will be elected as root: another bridge with priority zero and a lower bridge ID (that is, a lower MAC address) would win the election. Root guard prevents a port from becoming a root port, so superior BPDUs received on that port cannot move the root. BPDU guard is best deployed on user-facing ports, where no BPDU should ever be received; it shuts down (err-disables) the port on the first BPDU and so prevents rogue switch network extensions by an attacker.
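As an added example that is not part of the original module, the following Cisco IOS configuration puts root guard and BPDU guard where the text above says they belong: root guard on the distribution switch ports that face access switches (designated ports that must never become root ports), and BPDU guard on the access switch ports that face users. The switch names, interface names, VLAN numbers and the err-disable recovery interval are assumptions for illustration.

```cisco
! Added example, not taken from the module. Hostnames, interfaces, VLANs and the
! recovery interval are assumed for illustration.
!
! ===== Distribution switch (intended root bridge) =====
! Priority 0 is the lowest configurable value but does not by itself guarantee
! the root role: a rogue bridge with priority 0 and a lower MAC address would
! still win the election. Root guard closes that gap.
hostname DIST1
spanning-tree mode rapid-pvst
spanning-tree vlan 1-4094 priority 0
!
! Downlinks toward access switches: designated ports that must never become
! root ports. A superior BPDU received here moves the port to the
! root-inconsistent (blocking) state instead of moving the root; the port
! recovers by itself once the superior BPDUs stop.
interface range GigabitEthernet1/0/1 - 24
 description Downlink to access switch
 switchport mode trunk
 spanning-tree guard root
!
! ===== Access switch (user-facing ports) =====
hostname ACC1
spanning-tree mode rapid-pvst
!
! Global form: every PortFast (edge) port gets BPDU guard. The per-interface
! commands below repeat the setting explicitly so it survives on a port that
! is later taken out of PortFast by mistake.
spanning-tree portfast bpduguard default
!
! Weak setting (default): no PortFast, no BPDU guard. A workstation running an
! STP implementation, or a rogue switch, is accepted as an STP neighbor and can
! claim the root role or pull traffic through itself.
! interface FastEthernet0/1
!  switchport mode access
!  switchport access vlan 10
!
! Corrected setting: a BPDU on a user port err-disables the port.
interface range FastEthernet0/1 - 24
 description User access port
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Optional: bring an err-disabled port back automatically after 5 minutes so a
! one-off event does not need a truck roll. Leave this out where you want a
! human to look at the port before it returns to service.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! ===== Verification =====
! DIST1: "Root bridge for: ..." should list every VLAN; no inconsistent ports.
! show spanning-tree summary
! show spanning-tree inconsistentports
!
! ACC1: "Portfast BPDU Guard Default is enabled" in the summary; after a BPDU
! hits a user port it appears as err-disabled with reason bpduguard.
! show spanning-tree summary
! show spanning-tree interface FastEthernet0/1 detail
! show interfaces status err-disabled
! show errdisable recovery
```

Root guard and BPDU guard are not interchangeable: root guard belongs on ports that legitimately carry BPDUs from downstream switches and only stops them from claiming the root, while BPDU guard belongs on ports that should see no BPDU at all. Putting root guard on an access switch uplink would block the port as soon as the real root sends its BPDUs, and putting BPDU guard on a distribution downlink would err-disable a legitimate access switch.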
8.1.3 Switch Attack Categories

Layer 2 malicious attacks are typically launched by a device connected to the campus network. This can be a physical rogue device placed on the network or an external intrusion that takes control of a trusted device and launches attacks from it. In either case, the network sees all traffic as originating from a legitimately connected device. The types of attacks launched against switches and Layer 2 are listed in the figure, which describes each attack method and its mitigation steps.
8.1.4 Describing a MAC Flooding Attack

A common Layer 2 or switch attack is MAC flooding, which causes a switch's CAM table to overflow, resulting in regular data frames being flooded out all switch ports. This attack can be launched to collect a broad sample of traffic or as a denial of service (DoS) attack.

A switch's CAM table is limited in size and, therefore, can contain only a limited number of entries at any one time. A network intruder can maliciously flood a switch with a large number of frames from a range of invalid source MAC addresses. If enough new entries are made before old ones expire, new valid entries are not accepted. Then, when traffic arrives at the switch for a legitimate device that is located on one of the switch ports that was not able to create a CAM table entry, the switch must flood frames to that address out all ports. This has two adverse effects:

1. If the attack is launched before the beginning of the day, the CAM tables in the switches are already full when the majority of legitimate end devices are powered up, so their source MAC addresses are not entered into the CAM tables. If this represents a large number of network devices, the number of MAC addresses for which traffic is flooded is high, and switch ports carry flooded frames from a large number of devices.

2. If the initial flood of invalid CAM table entries is a one-time event, the switch eventually ages out the older, invalid CAM table entries, allowing new, legitimate devices to create an entry. Traffic flooding then ceases and may never be detected, while the intruder has captured a significant amount of data from the network.

The figure shows the progression of a MAC flooding attack. To mitigate MAC flooding, port security is configured to limit the number of MAC addresses that are allowed on a given port. Port security can also specify which MAC addresses are allowed on a given port.
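As an added example that is not part of the original module, the following Cisco IOS configuration shows the port security mitigation described above, and also illustrates the port security options (dynamic, static and sticky learning, and the maximum-address limit) that the next section describes. The interface names, VLAN numbers, the printer's MAC address and the recovery interval are assumptions for illustration.

```cisco
! Added example, not taken from the module. Interfaces, VLANs, the printer MAC
! and the recovery interval are assumed for illustration.
!
! Weak setting (default access port): the switch learns every source MAC it sees
! on the port, so a host sending frames with thousands of random source
! addresses fills the CAM table and turns the switch into a hub.
! interface FastEthernet0/5
!  switchport mode access
!  switchport access vlan 10
!
! Corrected setting, single workstation: at most one source MAC is accepted.
! "sticky" writes the first learned address into the running configuration as
! a static entry, so a later device with a different MAC is a violation.
! "shutdown" err-disables the port on a violation (the default mode).
interface FastEthernet0/5
 description Workstation
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
!
! Device with a known, fixed MAC: configure it statically and drop anything
! else. "restrict" drops offending frames, counts them and raises an SNMP trap
! and syslog message but keeps the port up; "protect" drops them silently.
interface FastEthernet0/6
 description Printer
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation restrict
!
! Port with an IP phone and a PC behind it: two legitimate MACs, so maximum 1
! would err-disable the port as soon as both devices talk. Inactivity aging
! releases the PC's entry when it is unplugged, so a replacement PC does not
! trigger a violation.
interface FastEthernet0/7
 description IP phone + PC
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 switchport port-security aging type inactivity
 switchport port-security aging time 10
!
! Optional automatic recovery from a port-security shutdown.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Sticky addresses live in running-config only; save them or they are lost on
! reload and relearned from whatever is plugged in at that moment.
! copy running-config startup-config
!
! ===== Verification =====
! Per-port status, configured maximum, current count and violation counter:
! show port-security interface FastEthernet0/5
! All secure addresses and how they were learned (static, sticky, dynamic):
! show port-security address
! Summary of every port-security port with its violation count:
! show port-security
! A CAM table close to its capacity with no matching growth in connected
! hosts is the signature of a flooding attack in progress:
! show mac address-table count
! Ports that were shut down by a violation:
! show interfaces status err-disabled
```

The maximum value is the parameter that does the work against flooding: whatever the attacker sends, the port cannot insert more than that many entries into the CAM table. Choosing the violation mode is an availability decision; shutdown gives the clearest signal but lets an attacker take a port down by sending one forged frame, so restrict is usually preferred on ports where that matters.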
8.1.5 Describing Port Security

Cisco Catalyst switches include port security as a feature. Port security restricts a switch port to a specific set or number of MAC addresses. Those addresses can be learned dynamically or configured statically. The port then provides access only to frames from those addresses. If, for example, the number of addresses is limited to four but no specific MAC addresses are configured, the port allows any four MAC addresses to be learned dynamically, and port access is then limited to those four dynamically learned addresses. A port security feature called "sticky learning," which is available on some switch platforms, combines the features of dynamically