Transcript William Stallings, Cryptography and Network Security 3/e

– Chapter 5 –
Secure LAN Switching
• Layer 2 security
–
–
–
–
Port security
IP permit lists
Protocol filtering
Controlling LAN floods (using port filtering, protocol
filtering, etc.)
– Private VLANs
– Using IEEE 802.1x for port authentication and access
control
Network Security
1
Switch and Layer 2 security
• Security of lower layer devices is important, because
some threats are initiated on Layer 2 rather than
Layer 3 and above.
• Example: A firewall or a router cannot block a
compromised server on a DMZ LAN from connecting
to another server on the same segment.  because
the connection occurs at Layer 2
• More example attacks:
http://www.cisco.com/ca/events/pdfs/L2-security-Bootcamp-final.pdf
• Focus of the chapter: Cisco Catalyst 5000 series
switches
Network Security
2
Switch and Layer 2 security (cont.)
• Rules of thumb:
 Use VLANs to create logical groupings of devices  Each of the groups
may have different security levels.
 Disable unused ports, and place them in a VLAN with no Layer 3
access.
 Besides VLANs, other mechanisms must be used.
 Separate devices should be used for zones at different security levels.
 Disable Layer 3 connection (e.g., Telnet, HTTP) to the switch.
 Disable trunking on ports that do not require it.
- A trunk is an interface on a switch that can carry packets for any VLAN.
When packets get sent between switches, each packet gets tagged, based
on the IEEE standard for passing VLAN packets between bridges, 802.1Q.
The receiving switch removes the tag and forwards the packet to the correct
port or VLAN in the case of a broadcast packet.
 “VLAN Insecurity” (http://www.spirit.com/Network/net0103.html)
Network Security
3
Switch and Layer 2 security (cont.)
• How about attacks launched from hosts sitting
on a LAN?
- In general, those hosts are considered as trusted
entities.
- So it is difficult to stop a host when it becomes an
attacker.
- Solution: Make sure access to the LAN is secured.
 MAC address filtering (e.g., Cisco’s port security,
DHCP)
Network Security
4
Port security
• A mechanism to restrict the MAC addresses that can connect via a
particular port of the switch
 Allows a range of MAC addresses to be specified for a particular port
 Only frames with a right MAC address can go through the switch.
• Useful for preventing MAC address flooding attacks
 CAM overflow: Content-Addressable Memory (aka. associated memory)
 CAM table stores information such as MAC addresses available on
physical ports, with their associated VLAN params.
 CAM table has fixed size.
 When a CAM table is full, the switch is unable to create a new entry.
 It forwards a received frame to all ports, resulting in increased
traffic and allowing the attacker to examine all frames.
So, CAM overflow attacks may lead to subsequent DoS and traffic
analysis attacks (next slide)
Network Security
5
MAC Address Flooding
Network Security
6
MAC Address Flooding (cont.)
•
Counter-measures:
1. Hard-coding the MAC addresses that are allowed to
connect on a port, or
2. Limiting the number of hosts that are allowed to
connect on a port
 Example 5-1: approach 1 + timed suspension
 Example 5-2: approach 2
Network Security
7
IP permit lists
• Purpose: To restrict higher layer traffic, such asTelnet,
SSH, HTTP, and SNMP, from entering a switch
• Allows IP addresses to be specified that are allowed to
send these kinds of traffic through the switch
• Example 5-3
Network Security
8
•
•
Protocol Filtering
Purpose: To limit broadcast/multicasts for certain protocols
With Cisco Catalyst 5000 series of switches, packets
are classified into protocol groups:
1.
2.
•
IP
2. IPX
AppleTalk, DECnet, Banyan VINES
4. Other protocols
A port is configured to belong to one or more of these
groups.

For each of the groups a port belong to, the port is in one of
the following states (for that group):
On  Receive all broadcast/multicast traffic for that protocol
Off  no broadcast/multicast traffic for that protocol
Auto  auto-configured port
-
-
•
The port becomes a member of the protocol group only after the
device connected to the port transmits packets of that specific
protocol group.
Once the attached device stops transmitting packets for that protocol
for 60 minutes, the port is removed form that protocol group.
Example 5-4
Network Security
9
Controlling LAN floods
•
•
1.
2.
Attackers may cause frame flood (e.g., CAM flooding),
or send broadcast/multicast messages to flood the
LAN.
Counter-measures:
Protocol filtering
Setting up threshold limits for broadcast/multicast traffic on ports
–
Catalyst switches allow thresholds for broadcast traffic to be
set up on a per-port basis.
–
The thresholds can depend on either the bandwidth consumed
by broadcasts or the number of broadcast packets being sent
across a port.
–
‘Bandwidth consumed’ is a preferred measure. (Why?)
–
Example: Console> (enable) set port broadcast 2/1-6 75%
Other broadcast/multicast traffic is dropped when the bandwidth consumed by
broadcast/multicast traffic reaches 75%.
Network Security
10
Private VLANs
•
•
•
•
An enhancement to Catalyst 6000 switches
Traditional VLAN: no layer 2 segregation of devices of
the same VLAN  So when one of the devices in a
VLAN is compromised, other devices on the same
VLAN may be compromised as well.
Purpose of private VLANs: To allow restrictions to be
placed on the Layer 2 traffic of a VLAN.
Three types of private VLAN ports:
1.
2.
3.
Promiscuous ports: communicate with all other private VLAN
ports
Isolated ports: have complete Layer 2 isolation from other
ports within the same private VLAN
Community ports: communicate among themselves and with
their promiscuous ports
Network Security
11
Using IEEE 802.1x
• Purpose: (a) port authentication; (b) access control
• Other usage: used in 802.11i for WLAN security
Network Security
12
Summary
• Next: NAT and security
Network Security
13