Transcript private VLANs

Secure LAN Switching
• Layer 2 security
– Introduction
– Port-level controls
•
•
•
•
•
–
–
–
–
–
T. A. Yang
Storm control
Protected ports
Private VLAN
Port blocking
Port security
ACLs on switches
STP features for layer-2 security
DHCP features against snooping
IP source guard
Dynamic ARP Inspection (DAI)
Network Security
1
Switches and Layer 2 security
• Security of lower layer devices is important,
because some threats are initiated on Layer 2
rather than Layer 3 and above.
• Example: A firewall or a router cannot block a
compromised server on a DMZ LAN from
connecting to another server on the same
segment.  because the connection occurs
at Layer 2
• Focus of the chapter: Cisco Catalyst series
switches (principles applicable to other types
of switches)
T. A. Yang
Network Security
2
•
Source: http://www.cisco.com/ca/events/pdfs/L2-security-Bootcamp-final.pdf
T. A. Yang
Network Security
3
Switch and Layer 2 security
• Sample L2 attacks and their mitigations
See
http://www.cisco.com/ca/events/pdfs/L2-security-Bootcamp-final.pdf
(local copy)
T. A. Yang
Network Security
4
Port security
• A mechanism to restrict the MAC addresses that can connect via a
particular port of the switch
 Allows a range of MAC addresses to be specified for a particular port
 Only frames with a right MAC address can go through the switch.
• Useful for preventing MAC address flooding attacks
 CAM overflow: Content-Addressable Memory (aka. associated
memory)
 CAM table stores information such as MAC addresses available on
physical ports, with their associated VLAN params.
 CAM table has fixed size.
 When a CAM table is full, the switch is unable to create a new entry.
 It forwards a received frame to all ports, resulting in increased
traffic and allowing the attacker to examine all frames.
So, CAM overflow attacks may lead to subsequent DoS and traffic
analysis attacks (next slide)
T. A. Yang
Network Security
5
MAC Address Flooding
T. A. Yang
Network Security
6
MAC Address Flooding (cont.)
•

Counter-measures:
1. Hard-coding the MAC addresses that are allowed to
connect on a port, or
2. Limiting the number of hosts that are allowed to connect
on a port
Example 5-1: approach 1 + timed suspension
Console> (enable) set port security 2/1 enable
Console> (enable) set port security 2/1 enable 00-90-2b-03-34-08
Console> (enable) set port security 2/1 shutdown 600

Example 5-2: approach 2
Console> (enable) set port security 3/2 maximum 20
T. A. Yang
Network Security
7
IP permit lists
• Purpose: To restrict higher layer traffic, such asTelnet,
SSH, HTTP, and SNMP, from entering a switch
• Allows IP addresses to be specified that are allowed to
send these kinds of traffic through the switch
• Command: set ip permit enable
• Example 5-3
T. A. Yang
Network Security
8
•
•
Protocol Filtering
Purpose: To limit broadcast/multicasts for certain protocols
With Cisco Catalyst 5000 series of switches, packets
are classified into protocol groups:
1.
2.
•
IP
2. IPX
AppleTalk, DECnet, Banyan VINES
4. Other protocols
A port is configured to belong to one or more of these
groups.

For each of the groups a port belong to, the port is in one of
the following states (for that group):
On  Receive all broadcast/multicast traffic for that protocol
Off  no broadcast/multicast traffic for that protocol
Auto  auto-configured port
-
-
•
The port becomes a member of the protocol group only after the
device connected to the port transmits packets of that specific
protocol group.
Once the attached device stops transmitting packets for that protocol
for 60 minutes, the port is removed form that protocol group.
Example 5-4
T. A. Yang
Network Security
9
Controlling LAN floods
•
•
1.
2.
Attackers may cause frame flood (e.g., CAM flooding),
or send broadcast/multicast messages to flood the
LAN.
Counter-measures:
Protocol filtering
Setting up threshold limits for broadcast/multicast traffic on ports
–
Catalyst switches allow thresholds for broadcast traffic to be
set up on a per-port basis.
–
The thresholds can depend on either the bandwidth consumed
by broadcasts or the number of broadcast packets being sent
across a port.
–
‘Bandwidth consumed’ is a preferred measure. (Why?)
–
Example: Console> (enable) set port broadcast 2/1-6 75%
Other broadcast/multicast traffic is dropped when the bandwidth consumed by
broadcast/multicast traffic reaches 75%.
T. A. Yang
Network Security
10
VLAN
• Virtual LAN
• Source:
http://www.cisco.com/en/US/tech/tk389/tk689/tsd_technology_suppo
rt_protocol_home.html
– Group of devices on one or more LANs that are configured
(using management software) so that they can communicate as
if they were attached to the same wire, when in fact they are
located on a number of different LAN segments.
– based on logical instead of physical connections
– extremely flexible
T. A. Yang
Network Security
11
• Sample VLAN configurations
Source:
http://www.cisco.com/en/US/products/hw/switches/ps672/products_tech_note0
9186a0080093dca.shtml#ex1
T. A. Yang
Network Security
12
• Multiple-VLAN Network
T. A. Yang
Network Security
13
VLAN & Trunking
• A trunk is an interface on a switch that can carry
packets for any VLAN. When packets get sent between
switches, each packet gets tagged, based on the IEEE
standard for passing VLAN packets between bridges,
802.1Q. The receiving switch removes the tag and
forwards the packet to the correct port or VLAN in the
case of a broadcast packet.
• Be aware! “VLAN Insecurity” (by Rik Farrow):
http://www.rikfarrow.com/Network/net0103.html
“VLANs make it possible to share a switch among many LANs, by filtering
and limiting broadcast traffic.”
“But this form of isolation relies on software and configuration, not the
physical isolation that security people like myself really like to see.”
T. A. Yang
Network Security
14
Private VLANs
•
An enhancement to some Cisco switches
•
Traditional VLAN: no layer 2 segregation of
devices of the same VLAN
 So when one of the devices in a VLAN is
compromised, other devices on the same VLAN may
be compromised as well.
•
Purpose of private VLANs: To allow
restrictions to be placed on the Layer 2 traffic
of a VLAN.
T. A. Yang
Network Security
15
Private VLANs
•
Provides layer 2 isolation to quarantine hosts
from one another among ports within the same
PVLAN
•
Three types of private VLAN ports:
1. Promiscuous ports: communicate with all other
private VLAN ports
2. Community ports: communicate among
themselves and with their promiscuous ports
3. Isolated ports: have complete Layer 2 isolation
from other ports within the same private VLAN (e.g.,
Ethernet ports in hotel rooms)
T. A. Yang
Network Security
16
T. A. Yang
Network Security
17
Other security features in VLAN
• Port blocking
– When a packet’s MAC address can not be found in a
switch’s MAC address table, the switch will broadcast
(flood) unknown unicast and multicast traffic to all the
ports in the same VLAN
– This flooding can be blocked using port blocking
feature
• Port filtering based on MAC address
– A set of MAC addresses are allowed to access a port.
– Packets with source MAC addresses outside the set
are dropped.
T. A. Yang
Network Security
18
ACLs on Switches, 1/4
• Router ACL
– Switched virtual interfaces (SVI) are virtual layer 3
interfaces.
– Both standard and extended ACLs are supported on
SVI.
• MAC ACL
–
–
–
–
Aka Ethernet ACL
Filters non-IP traffic using MAC address filtering
Supports only inbound traffic
mac access-list extended
T. A. Yang
Network Security
19
ACLs on Switches, 2/4
• Port ACL
–
–
–
–
Supported on physical layer 2 interfaces
Supports only inbound traffic filtering
Supports standard, extended, and MAC-extended ACLs
Can filter both IP and non-IP traffic
• VLAN ACL (VACL)
– Aka VLAN map
– Filters all types of traffic bridged within a VLAN or routed
into or out of the VLAN
– Examples next page
T. A. Yang
Network Security
20
ACLs on Switches, 3/4
• VLAN ACL (VACL)
– Filters all types of traffic bridged within a VLAN
T. A. Yang
Network Security
21
ACLs on Switches, 4/4
• VLAN ACL (VACL)
– Filters all types of traffic routed into or out of the VLAN
– Order of processing: VACL for input VLAN, input IOS ACL,
Outbound IOS ACL, VACL for output VLAN
T. A. Yang
Network Security
22
L2 security using STP features
• Spanning Tree Protocol (STP)
• Source:
http://www.cisco.com/en/US/tech/tk389/tk621/tsd_technology_suppo
rt_protocol_home.html
– prevents loops from being formed when switches or
bridges are interconnected via multiple paths.
– implements the IEEE 802.1D algorithm by
exchanging BPDU messages with other switches to
detect loops, and then removes the loop by shutting
down selected bridge interfaces.
– guarantees that there is one and only one active path
between two network devices.
T. A. Yang
Network Security
23
Illustration of the STP
• http://en.wikipedia.org/wiki/Spanning_Tree_Protocol
• Root ports vs Designated ports
T. A. Yang
Network Security
24
The STP PortFast feature
• Source:
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_not
e09186a008009482f.shtml
– STP configures meshed topology into a loop-free, tree-like topology.
– When the link on a bridge port goes up, STP calculation occurs on that
port. The result of the calculation is the transition of the port into
forwarding or blocking state. The result depends on the position of the
port in the network and the STP parameters.
– This calculation and transition period usually takes about 30 to 50
seconds. At that time, no user data pass via the port. Some user
applications can time out during the period.
– In order to allow immediate transition of the port into forwarding state,
enable the STP PortFast feature. PortFast immediately transitions the
port into STP forwarding mode upon linkup. The port still participates in
STP. So if the port is to be a part of the loop, the port eventually
transitions into STP blocking mode.
T. A. Yang
Network Security
25
The STP PortFast feature:
vulnerability
• Source:
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_not
e09186a008009482f.shtml
– As long as the port participates in STP, some device can
assume the root bridge function and affect active STP topology.
– To assume the root bridge function, the device would be
attached to the port and would run STP with a lower bridge
priority than that of the current root bridge.
– This is a simple form of a denial of service (DoS) attack on the
network. The temporary introduction and subsequent removal of
STP devices with low (0) bridge priority cause a permanent STP
recalculation.
T. A. Yang
Network Security
26
The STP PortFast feature:
vulnerability & mitigation
• Source:
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_not
e09186a008009482f.shtml
– The STP PortFast BPDU guard enhancement allows network
designers to enforce the STP domain borders and keep the
active topology predictable.
– The devices behind the ports that have STP PortFast enabled
are not able to influence the STP topology.
– At the reception of BPDUs, the BPDU guard operation disables
the port that has PortFast configured.
T. A. Yang
Network Security
27
L2 security using STP features
• BPDU Guard
– Bridge protocol data units (BPDU) are messages
exchanged btwn bridges using STP to detect loops in
a network.
– BPDU Guard feature keeps the active topology
predictable and enhances switch network reliability by
enforcing the STP domain borders.
T. A. Yang
Network Security
28
L2 security using STP features
• Root Guard
– A feature preventing a bridge in a particular network
from becoming the root bridge of that network
– e.g., enable Root Guard on service provider (SP) side
switch interfaces that connect to a customer-side
switch
 If a switch outside the SP network becomes the
root switch, the interface is put in a blocked state,
and STP will select a new root switch.
– spanning tree guard root
T. A. Yang
Network Security
29
L2 security using STP features
• EtherChannel Guard
– “Cisco EtherChannel technology is a trunking
technology based on grouping several full-duplex
802.3 Ethernet links to provide fault-tolerant, highspeed links between switches, routers, and servers.”
(source: http://www.cisco.com/en/US/tech/tk389/tk213/technologies_white_paper09186a0080092944.shtml)
– EtherChannel parameters must be the same on both
sides (e.g., btwn a switch and a connected device)
– When the switch detects an EtherChannel
misconfiguration, the EtherChannel Guard places the
switch interface in the error-disabled state
T. A. Yang
Network Security
30
L2 security using STP features
• Loop Guard prevents alternative or root ports from
becoming designated ports, thus avoiding loops
•
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094640.s
html#loop_guard_description
– An STP loop is created when an STP blocking port in a redundant topology
erroneously transitions to the forwarding state.
– This usually happens because one of the ports of a physically redundant
topology (not necessarily the STP blocking port) no longer receives STP
BPDUs. In its operation, STP relies on continuous reception or transmission
of BPDUs based on the port role. The designated port transmits BPDUs, and
the non-designated port receives BPDUs.
– When one of the ports in a physically redundant topology no longer receives
BPDUs, the STP conceives that the topology is loop free. Eventually, the
blocking port from the alternate or backup port becomes designated and
moves to a forwarding state. This situation creates a loop.
T. A. Yang
Network Security
31
DHCP Snooping feature
• Protection from rogue DHCP servers
• Ports on a switch are divided into trusted and untrusted
ports.
– DHCP clients and other hosts are connected to the untrusted
ports.
– DHCP servers are connected to trusted ports.
• The switch maintains a DHCP binding database (aka
DHCP snooping table).
• Incoming packets received on untrusted ports are
dropped if the source MAC address does not match the
MAC in the binding table.
T. A. Yang
Network Security
32
IP Source Guard
• Protection from IP spoofing attacks when
a host tries to spoof and use the IP
address of another host
• Any IP traffic coming into the interface with
a source IP address other than that
assigned will be filtered out.
T. A. Yang
Network Security
33
Dynamic ARP Inspection (DAI)
• ARP (address resolution protocol) resolves a 32bit IP address into a 48-bit Ethernet address,
using an ARP Table.
• The ARP caches can be “poisoned” (an invalid
ARP entry is created in the table).
• Result: packet redirection to the attacker
• DAI locks down the IP-MAC mapping for hosts
so that the attacking ARP is denied and logged.
T. A. Yang
Network Security
34
Setting up a secure Layer 2 switching
environment
• Overview of Counter-measures:
 Use VLANs to create logical groupings of devices  Each of the
groups may have different security levels.
 Disable unused ports, and place them in a VLAN with no Layer 3
access.
 Besides VLANs, other mechanisms must be used (e.g., port
security)
 Separate devices should be used for zones at different security
levels.
 Disable Layer 3 connection (e.g., Telnet, HTTP) to the switch.
 Disable trunking on ports that do not require it (and place the
trunk port in its own VLAN).
T. A. Yang
Network Security
35
Need for other counter-measures
• How about attacks launched from hosts sitting
on a LAN?
- In general, those hosts are considered as trusted
entities.
- So it is difficult to stop a host when it becomes an
attacker.
- Solution: Make sure access to the LAN is secured.
 MAC address filtering (e.g., Cisco’s port security, DHCP)
T. A. Yang
Network Security
36