This is my review and notes of Chapter 6 of “Implementing Cisco Switched Networks Foundation Learning Guide”.

Chapter 6: Securing the Campus Infrastructure

Wasn’t too much of a fan of this chapter. It could just be because I’m pretty over reading this book. I feel like this chapter was generally alright, and I would recommend it if you’re looking into security for your campus network, but I still felt like at points it waffled on, and particularly had content which I highly doubt will be in the exam. Specifically some features that are only available on certain Cisco high end platforms.

What’s probably going to be in the exam:
– Switch Security Fundamentals
– Different types of L2 attacks and mitigation
– Port Security
– Brief understanding of different attack types (Mac spoofing, VLAN hopping, ARP Spoofing, DHCP attacks)
– VACLs
– IP Source Guard
– Dynamic ARP Inspection
– DHCP Snooping
– Understanding/recommendations on services to lock down on Cisco devices e.g. CDP, HTTP
– AAA ← I haven’t done very good notes on this, but I think it’s probably going to be pretty important for the exam.
– 802.1X
– SPAN/RSPAN

What the chapter also covers:
– SPAN to monitor CPU
– ERSPAN
– L2 Tracelog
– IOS Embedded Event Manager
– Network Analysis Module

Security at each layer

CORE—————-Server Farm
|
|
Distribution
|
|
Access

Server Farm
Use host and network based IPS, private VLANs, ACLs and secure passwords

Core
– Do not implement any packet manipulation here.

Distribution
– Use access lists to provide security.

Access
– Use switch port security to control access to the network.

Layer 2 Attack Methods

– MAC layer attacks
– VLAN attacks
– Spoofing attacks
– Attacks on switch devices

Attack methods and steps to Mitigate

Mac address flooding
Switch mac address table gets filled up causing the switch to then behave like a hub and flood traffic out all ports.

Enable port security methods

VLAN hopping
By altering the VLAN ID on packets encapsulated for trunking, an attacking device can send or receive packets on various VLANs, bypassing L3 security mechanisms.

Remove dynamic trunk negotiations on ports

Attacks between devices on a common VLAN
Different customers on same subnet in service provider network.

Implement Private VLANs.

DHCP starvation and DHCP spoofing
Attacker uses all available DHCP addresses or establishes itself as a DHCP server in man-in-the-middle attack.

Use DHCP snooping

STP compromises
Spoofs root bridge. If successful, attacker can see a variety of frames.

Proactively configure the Root Bridge and backup. Enable Root Guard.

MAC spoofing
Attacker spoofs valid host’s MAC addrss.

Use DHCP Snooping and Port Security.

ARP Spoofing
Attacker crafts ARP Replies intended for valid hosts.

Use Dynamic ARP Inspection, DHCP snooping, and port security.

CDP Manipulation
CDP info is sent in clear text and unauthenticated allowing it to be captured.

Disable CDP.

SSH and Telnet attacks
Telnet is in clear text.

Use SSH version 2, and only use Telnet with ACLs setup for specific hosts.

Port Security

S1(config-if)#switchport port-security ← Enables port security
S1(config-if)#switchport port-security maximum ← Specify max allowed MAC addresses
S1(config-if)#switchport port-security mac-address xxx ← Manually specify MAC
S1(config-if)#switchport port-security violation {shutdown | restrict | protect }

Shutdown – IF any frames are seen from a non-allowed address, the interface is errdisabled, a log entry is made, an SNMP trap is sent , and manual intervention or errdisable recovery must be used to make the interface useable. Shutdown mode is the default for violation.

Restrict – Frames from non-allowed address are dropped. A log message is created, and SNMP trap sent

Protect – Frames from the nonallowed address are dropped, but there is no log violation created.

Verify: S1(config-if)#show port-security [interface] [address]

Port Security with Mac Address Sticky

Port security can mitigate spoofing attacks by limiting access through each switch port to a single MAC address. This prevents intruders from using multiple MAC addresses over a short time period but does not limit port access to a specific MAC address.

Port security has a sticky MAC address feature that can limit switch port access to a single, specific MAC address without the network administrator having to gather the MAC address of every legitimate device and manually associate it with a particular switch port.

To Enable:
S1(config-if)#switchport port-security
S1(config-if)#switch port-security mac-address sticky

Verify with show run int x

Blocking Unicast Flooding on Desired Ports
This feature basically stops flooding of unicast frames when the switch doesn’t know where the destination MAC address is.

This is useful when other switch ports have been configured with a static mac address or mac address sticky, and is likely to be the only host on that port.

This stops devices on those ports receiving abiet not much, but unnecessary traffic caused by above.

To Configure: int fa0/1, switchport block {unicast | multicast}

Understanding and Protecting Against VLAN Attacks

VLAN Hopping
Basically an attack method where a device is able to send/receive/capture packets in a VLAN that it should not be able to access. This attack is accomplished by tagging traffic with a specific VLAN ID, or by negotiating a trunk with a switch that has DTP enabled. This is done by switch spoofing or double tagging.

So as above, if a switch has port settings on default (aka DTP enabled) they could connect an unauthorised Cisco switch and negotiate a trunk, therefore having access to all VLANs, or a pc with an app that generates DTP packets.

Another method is double tagging. This is where the attacker sends in frames that have two 802.1Q tags configured. For this attack to work, the attacker needs the recipient to be connected via another switch. It also requires both switches to be connected in the same VLAN as the attacking switch port or native VLAN of the trunk between the switch and the attacked VLAN. I think what that means is if the attacker is in VLAN10 on switch A, switch B also needs to have a host in VLAN 10.

Possibly see Wikipedia for more: http://en.wikipedia.org/wiki/VLAN_hopping#Double_tagging

Mitigation
– Configure all unused ports as access ports
– Place unused ports in shutdown state and put them in a VLAN specifically for unused ports.

When configuring Trunk links:
– Configure the native VLAN to be different from any data VLANs
– Trunking set to On, or Nonegotiate
– Trunks configured to only carry specific VLANs

VLAN Access Control Lists

Cisco Multi-Layer Switches support 3 types of ACLs:
– Router Access Control List (RACL) – Supported in the TCAM Hardware. RACLs can be applied to any routed interface, e.g. SVIs, or L3 Router interfaces.
– Port Access Control List (PACL) – Filters at the port level. Can be applied on L2 switchport, trunk port, or EtherChannel. Act at the L2 port level but can filter based on L3/L4 info.
– VLAN Access Control List (VACL) – Aka VLAN access-maps, apply to all traffic in a VLAN. VACLs support filtering based on Ethertype, and MAC Addresses. VACLs are order-sensitive, similar to route-maps. VACLs can control traffic flowing within the VLAN or control switched traffic, whereas RACLs control only routed traffic.

Configuring VACLs
Apply to all traffic on the VLAN. You can configure VACLs for IP and MAC-layer traffic.
– VACLs follow Route-map conventions, in which map sequences are checked in order.
– There are a few actions such as Permit, Redirect, Deny, VACL Capture, and VACL redirect, which are only available on the Catalyst 6500.

S1(config)#access-list 100 permit ip 10.1.1.1 0.0.0.255 any ← Identifying L3 list
S1(config)#mac access-list extended BACKUP_SERVER ← Identifying L2 list
S1(config-ext-mac)#permit any host 0000.1111.2222
S1(config)#vlan access-map ABC 10 ← Definding the VACL
S1(config-map)#match ip address 100 ← Matching previous L3 ACL
S1(config-map)#action drop ← Action
S1(config-map)#vlan access-map ABC 20
S1(config-map)#match mac address BACKUP_SERVER ← Matching previous L2 ACL
S1(config-map)#action drop
S1(config-map)#vlan access-map ABC 30
S1(config-map)#action forward
S1(config-map)#vlan filter ABC vlan-list 10,20

Spoofing Attacks
– Port security prevents MAC flooding attacks
– DHCP snooping prevents client attacks on the DHCP server and switch.
– Dynamic ARP inspection adds security to ARP using DHCP snooping table to minimise the impact of ARP poisoning and spoofing the attacks.
– IP Source Guard prevents IP spoofing addresses using DHCP the snooping table.

DHCP Spoofing Attack
Basically the attacker has a rogue DHCP server attached to the same segment which replies to DHCP requests before the valid DHCP server does. The attacker DHCP server gives the victim the attackers DNS and Default Gateway settings effectively making the attacker a man-in-the-middle.

Another method of attack is sending thousands of DHCP requests, potentially then exhausting the available addresses in the DHCP address pool.

DHCP Snooping
DHCP Snooping is a feature that determines which switch ports are “trusted” and allowed to response to DHCP requests.
– Per-port security mechanism used to differentiate an untrusted switch port connected to an end user from a trusted switch port connected to a DHCP server or another switch.
– Can be enabled on a per-VLAN basis.
– Trusted ports can either have a DHCP server on it, or be an uplink port towards another DHCP server.
– If an attacker connects a rogue DHCP server on an untrusted port, in which it attempts to reply to a DHCP request, the port is shutdown.

To configure:
S1(config)#ip dhcp snooping
S1(config)#ip dhcp snooping information option ← Enables DHCP option 82. Optional. Switch info such as port ID of the DHCP request.
S1(config-if)#ip dhcp snooping trust ← Enable on the DHCP server port or uplink port.
S1(config-if)#ip dhcp snooping limit rate rate ← Used to stop the DHCP server from being overwhelmed in the case of an attack to use up the DHCP pool.
S1(config)#ip dhcp snooping vlan number X ← Enable on a specific interface.
Verify: show ip dhcp snooping

ARP Spoofing Attack
In normal network operation, if a device doesn’t know the MAC address location of a host, it broadcasts an ARP request, asking for the MAC address of where the device is in the network.

ARP Spoofing is an attack where the attacker device sends out a gratuitous ARP (Unsolicited message/frame) with its’ own MAC address telling other hosts that it is the location for IP address X. Other hosts then install in their ARP caches that device X is at the MAC address of the attacker.

To prevent this, use Dynamic ARP inspection

Dynamic ARP inspection prevents man-in-the-middle attacks by not relaying invalid or gratuitous ARP replies out to other ports in the same VLAN.

– D ARP inspection intercepts all ARP requests and all replies on untrusted ports.
– Each intercepted packet is verified for valid IP-to-MAC bindings that are gathered via DHCP snooping.
– Denied ARP packets are either dropped or logged by the switch for auditing, so ARP poisoning attacks are stopped.
– Incoming ARP packets on trusted ports are not inspected.
– D ARP inspection can also rate-limit ARP requests from client ports to minimize port scanning mechanisms.

So to use DAI, you need to have DHCP snooping on. This is because it uses DHCP snooping to validate the DHCP/MAC address bindings.

In the case of static address configurations, DAI can also validate ARP packets against user-configured ARP ACLs.

Configuration
S1(config)#ip arp inspection vlan X
S1(config)#int x/x
S1(config-if)# ip arp inspection trust ← with arp inspection, you only need to do config on the trusted ports, such as trunk links. All other ports are automatically considered untrusted.
S1(config)#ip arp inspection validate [src-mac|dst-mac|ip] ← Configures DAI to drop ARP packets when the IP addresses are invalid, or when the MAC addresses in the body of the ARP packets do not match the addresses specified in the Ethernet header.

Verify:
show ip arp inspection interfaces
show ip arp inspection vlan x
show ip dhcp snooping binding

Default action if the switch now receives a bogus ARP request is to simply drop the request. The switch can also be configured to err-disable or shut down the port and generate a syslog message.

IP Spoofing and IP Source Guard
IP spoofing is where an attacker is impersonating a legitimate host on the network.
– IP Source Guard prevents a malicious host from attacking the network by hijacking its neighbor’s IP address.
– Provides per-port IP traffic filtering of the assigned source IP addresses at wire speed.
– Dynamically maintains per-port VLAN ACLs based on IP-to-MAC-to-switch port bindings.
– IP Source Guard is typing deployed for untrusted switch ports in the access layer.

IP source Guard works closely with DHCP Snooping. This feature can be enabled on a DHCP snooping untrusted L2 port to prevent IP address spoofing.

When a client receives a valid IP address from the DHCP server, or when a static IP source binding is configured by the user, a per-port and VLAN Access Control List (PVACL) is installed on the port.

Methods of IP Source Guard filtering:
– Source IP address filter
– Source IP and MAC address filter

Configuration
S1(config)#ip dhcp snooping ← enables globally
S1(config)#ip dhcp snooping vlan X
S1(config-if)#ip verify source vlan dhcp-snooping ← Enables IP Source Guard filtering
OR S1(config)#ip verify source vlan dhcp-snooping port-security ← Above with MAC filtering.
S1(config)#ip source binding x.x.x.x ip vlan X interface fax/x ← Static binding on port.

Verify using ‘show ip source binding’

IP Source Guard can only be configured on L2 interfaces.

Securing Network Switches

This section covers protocols such as CDP, SSH, Telnet, VTY ACLs, HTTP Secure Server, AAA, and 802.1x.

Network Discovery Protocols
Covers CDP (Cisco Proprietary) and LLDP (IEEE equivalent).

CDP (Cisco Discovery Protocol)
– Enabled by default.
– ‘no cdp run’ – disables CDP globally
– ‘no cdp enable’ – disables on an interface
– ‘show cdp neighbor [detail]’ – Displays a summary of which devices are seen on which ports.

LLDP (Link Local Discovery Protocol)
– Disabled by default
– ‘lldp run’ enables globally
– ‘lldp enable’ enables on specific interface.
– ‘show lldp neighbor [detail]’ – Similar to CDP.

CDP is a powerful tool in the hands of an attacker, as it gives them a reconnaissance view of the network. Some programs such as CiscoWorks require the use of CDP (or at least are heavily limited without it), so rather than disable it globally, selectively disable it on all ports except trunk ports and management ports.

Telnet
– Convenient, but don’t use it. All data is in plain text. Use SSH instead.
– If Telnet must be used, configure VTY line ACLs to only allow connections from management IPs.

SSH
– Everything is encrypted.

Config:
S1(config)#username matt password cisco
S1(config)#ip domain-name abc.com
S1(config)#crypto key generate rsa
S1(config)#ip ssh version 2
S1(config)#line vty 0 15
S1(config-line)#login local
S1(config-line)#transport input ssh

VTY ACLs
S1(config)#access-list 100 permit ip 10.1.1.1 0.0.0.255 any
S1(config)#line vty 0 15
S1(config)#access-call 100 in

HTTP Secure Server
– Use HTTPS instead of unprotected HTTP by using the command ‘ip http secure-server’. Make sure to disable the unsecure by issuing ‘no ip http server’
– To use HTTPs, you need to have a certificate on the switch. This is done through ‘crypto key generate rsa’ (you need a domain name configured to do this though).
– Configure an ACL so only the management IPs can access the switch web server. Apply it using ‘http access-class XX’
– Configure users, if the switch needs configuration done via the web server. Apply it using ‘http authentication local’.

Authentication Authorisation Accounting (AAA)
See wiki for description of each: http://en.wikipedia.org/wiki/AAA_protocol

AAA is actually quite important. Although my notes here are small, it’s something that will probably be in the exam and something you should make sure you understand, and can configure.

Configuration
Varies depending on what exactly you’re trying to achieve.

Authentication example using Tacacs+:
S1(config)#aaa new-model ← Globally enables AAA
S1(config)#aaa authentication login TEST tacacs+
S1(config)#tacacs-server host 192.168.1.1
S1(config)#line vty 0 4
S1(config)#login authentication TEST

Authorisation example using Tacacs+:
S1(config)#aaa new-model
s1(config)#aaa authorization commands 0 default if-authenticated group tacas+
S1(config)#line vty 0 4
S1(config-line)#authorization commands 0 default.

Accounting example using Tacacs+:
S1(config)#aaa new-model
S1(config)#aaa accounting exec default start-stop group tacacs+
S1(config)#line vty 0 4
S1(config-line)#accounting exec default

Security Using IEEE 802.1X Port-Based Authentication
Basically when a device is attached to the network, a user needs to log in via their user credentials which are stored in an Authentication Server database typically done by RADIUS.

Until the workstation is authenticated, 8021X access control enable only Extensible Authentication Protocol over LAN (EAPOL) traffic on the port.

Configuration
dot1x port-control {auto | force-authorized | force-unauthorized}
force-authorized
– Disables 802.1x port-based authentication and causes the oprt to transition to the authorized state without any authentication exchange required.
– Default Setting

force-unauthorized
– Causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate.
– Use this on ports where you don’t want any users to be able to connect from. I can’t see why you wouldn’t just shutdown the port instead…

auto
– Enables 802.1x port-based authentication.
– Port initializes in the unauthorised state, enabling only EAPOL packets
– The authentication process begins when either the link is brought up (authenticator initiation), or a client sends an EAPOL-start frame and the switch receives it (supplicant initiation).
– After this, the switch requests info identifying the client and this information is relayed between the switch and the authentication server.
– Clients are uniquely identified by their MAC address. This means that only an 802.1x capable host is connected to each access port.

When a client logs out, it sends an EAPOL-logout message, causing the switch port to transition to the unauthorised state.

Configuration

S1(config)#aaa new-model ← Enable AAA
S1(config)#radius-server host 10.1.1.1 auth-port 1821 key abc123
S1(config)#aaa authentication dot1x {default} group method1… ← Create an 802.1x port-based authentication method list
S1(config)#dot1x system-auth-control ← Enable 802.1x port authentication globally. Remember the global default for 802.1x is “force-authorized” which effectively allows anyone access on the ports.
S1(config)#int fa0/1
S1(config-if)#dot1x port-control auto ← Enabling authentication method on the interface

Switch Security Considerations
This section basically covers the thoughts and questions that should be asked when an organization is thinking about what it should cover in terms of security in their network.

One major point to consider is the a balance of reasonable network security against administrative overhead that is required for management of the network.

Cisco recommended minimum security configuration:
– Configure strong system passwords.
– Restrict management access using ACLs.
– Secure physical access to the console.
– Secure access to vty lines.
– Configure system warning banners.
– Disable unneeded or unused services.
– Trim and minimize the use of CDP/LLDP.
– Disable the inegreated HTTP daemon (where appropriate.)
– Configure basic system logging (syslog).
– Secure SNMP.
– Limit trunking connections and propagated VLANs.
– Secure STP.

Troubleshooting Performance and Connectivity

Techniques to Enhance Performance
I wasn’t going to include this, but I thought it was 3 good points for consideration within a production network:

– User performance
Based off the response time it takes for a user when using daily tools such as server databases. This variable gives the user their own perception of the reliability and performance of the network.

– Capacity Planning
This covers the idea of determining future network resource requirements to prevent a performance or availability impact on business-critical applications.

– Proactive fault management
– Responding to faults as they occur, and implementing solutions to prevent further faults in that area. This also comes under PPDIOO.

The next few pages of the book basically go into an analysis look of what things you should consider when looking at network performance, and trying to cover all necessary bases for a continual stable network.

Monitoring Performance with SPAN and VSPAN
Switched Port Analyzer is an important tool aiding in performance and troubleshooting in a network.

It’s basically mirrors all traffic in a VLAN or port[s] to a specific port. That port then usually has some form of network analyser (e.g. wireshark) connected to it.

Local SPAN is where the analyzer port and ports to be mirrored are all within the same switch.

VSPAN refers to mirroring of a VLAN to a single port.

SPAN supports capture of traffic in ingress, egress or both at the same time.

Configuration
S1(config)#monitor session 1 source interface fa0/1
S1(config)#monitor session 1 destination interface fa0/2
S1(config)#end
S1#show monitor session 1

Using SPAN to Monitor the CPU Interface of Switches
From what I understood, I believe this may only be on switches such as the Catalyst 4500 series.

It is helpful though as it gives you a view of what traffic is being processed by the SuperVisor CPU Engine.

cat4506(config)#monitor session 1 source cpu <>
cat4506(config)#monitor session 1 destination interface fa0/1
cat4506(config)#show monitor session 1

RSPAN (Remote Switched Port Analyser)
Similar to SPAN, but supports source ports, source VLANs, and destination ports on different switches, which provide remote monitoring of multiple switches across across a switched network.

– Each RSPAN session carries the SPAN traffic over a user-specified RSPAN VLAN. This VLAN is dedicated for that RSPAN session in all participating switches.

RSPAN consists of an RSPAN source session, an RSPAN VLAN, and an RSPAN destination session.

– It is advisable to configure separate RSPAN source sessions and destination sessions on different network devices.
– To configure an RSPAN source session on one network device, associate a set of source ports and VLANs with an RSPAN VLAN.
– To configure an RSPAN destination session on another device, associate the destination port with the RSPAN VLAN.

RSPAN Guidelines
– Configure the RSPAN VLANs in all source, intermediate, and destination network devices. If enabled, VTP can propagate configurations of VLANS numbered 1 through 1024 as RSPAN VLANs.
– Switches don’t impose a limit on the number of RSPAN VLANs allowed.
– Configure any VLAN as an RSPAN VLAN as long as all participating network devices support configuration of RSPAN VLANs, and use the same RSPAN VLAN for each RSPAN session.

Configuration

-Create the RSPAN transport VLAN:
S1(config)#vlan 901
S1(config)#remote span
S1(config)#end

– Configure the ports you want to mirror on the remote switch:
S1(config)#no monitor session 1
S1(config)#monitor session 1 source interface gigabitethernet0/1 tx
S1(config)#monitor session 1 source interface gigabitethernet0/2 rx
S1(config)#monitor session 1 source interface port-channel 2
S1(config)#monitor session 1 destination remote vlan 901
S1(config)#end

– Configure the destination Switch
S2(config)# monitor session 1 source remote vlan 901
S2(config)# monitor session 1 destination interface gigabitethernet0/1
S2(config)# end

Verify:
Show monitor

Monitoring performance with ERSPAN
Enhanced Remote SPAN.

Features:
– support for source ports, source VLANs, and destination ports on different switches, even across L3 links.
– Carries SPAN traffic over a GRE tunnel.
– Currently only supported on Catalyst 6500 switches.

Config not listed as I doubt this will be in the exam.

Monitoring Performance using VACLs with the Capture Option
– Currently only supported on Catalyst 6500 series.

Basically it’s using a VACL on a SPAN port to filter at Layers 2,3, or 4 to only match traffic the administrator is interested in.

Troubleshooting Using L2 Traceroute
Behaves similarly to traceroute for L3, in which you specify the source and dest MAC addresses, and it will tell you the path the device takes to reach the Dest.
– Requires all switches along the way support L2 tracelog.
– Requires CDP to be on with neighboring switches.

To execute:
S1# traceroute mac 0000.0000.0002 0000.0000.1234

Last things the chapter talks about is Cisco Embedded Event Manager, and Catalyst 6500 Network Analysis Module. Both of which I doubt will be in the Switch exam.